--- a/Admin/Release/makedist Tue Aug 28 18:46:15 2012 +0200
+++ b/Admin/Release/makedist Tue Aug 28 18:57:32 2012 +0200
@@ -149,7 +149,7 @@
./Admin/build all || fail "Failed to build distribution"
-cp -a doc-src doc-src.orig
+cp -a src/Doc src/Doc.orig
./bin/isabelle build_doc -a || fail "Failed to build documentation"
if [ -n "$ISABELLE_JEDIT_BUILD_HOME" ]; then
@@ -161,9 +161,9 @@
fi
rm -rf Admin
-rm -rf doc-src
+rm -rf src/Doc
-mv doc-src.orig doc-src
+mv src/Doc.orig src/Doc
mkdir -p contrib
cat >contrib/README <<EOF
--- a/ROOTS Tue Aug 28 18:46:15 2012 +0200
+++ b/ROOTS Tue Aug 28 18:57:32 2012 +0200
@@ -8,4 +8,4 @@
src/FOLP
src/LCF
src/Sequents
-doc-src
+src/Doc
--- a/doc-src/Classes/Classes.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,642 +0,0 @@
-theory Classes
-imports Main Setup
-begin
-
-section {* Introduction *}
-
-text {*
- Type classes were introduced by Wadler and Blott \cite{wadler89how}
- into the Haskell language to allow for a reasonable implementation
- of overloading\footnote{throughout this tutorial, we are referring
- to classical Haskell 1.0 type classes, not considering later
- additions in expressiveness}. As a canonical example, a polymorphic
- equality function @{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} which is overloaded on
- different types for @{text "\<alpha>"}, which is achieved by splitting
- introduction of the @{text eq} function from its overloaded
- definitions by means of @{text class} and @{text instance}
- declarations: \footnote{syntax here is a kind of isabellized
- Haskell}
-
- \begin{quote}
-
- \noindent@{text "class eq where"} \\
- \hspace*{2ex}@{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"}
-
- \medskip\noindent@{text "instance nat \<Colon> eq where"} \\
- \hspace*{2ex}@{text "eq 0 0 = True"} \\
- \hspace*{2ex}@{text "eq 0 _ = False"} \\
- \hspace*{2ex}@{text "eq _ 0 = False"} \\
- \hspace*{2ex}@{text "eq (Suc n) (Suc m) = eq n m"}
-
- \medskip\noindent@{text "instance (\<alpha>\<Colon>eq, \<beta>\<Colon>eq) pair \<Colon> eq where"} \\
- \hspace*{2ex}@{text "eq (x1, y1) (x2, y2) = eq x1 x2 \<and> eq y1 y2"}
-
- \medskip\noindent@{text "class ord extends eq where"} \\
- \hspace*{2ex}@{text "less_eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} \\
- \hspace*{2ex}@{text "less \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"}
-
- \end{quote}
-
- \noindent Type variables are annotated with (finitely many) classes;
- these annotations are assertions that a particular polymorphic type
- provides definitions for overloaded functions.
-
- Indeed, type classes not only allow for simple overloading but form
- a generic calculus, an instance of order-sorted algebra
- \cite{nipkow-sorts93,Nipkow-Prehofer:1993,Wenzel:1997:TPHOL}.
-
- From a software engineering point of view, type classes roughly
- correspond to interfaces in object-oriented languages like Java; so,
- it is naturally desirable that type classes do not only provide
- functions (class parameters) but also state specifications
- implementations must obey. For example, the @{text "class eq"}
- above could be given the following specification, demanding that
- @{text "class eq"} is an equivalence relation obeying reflexivity,
- symmetry and transitivity:
-
- \begin{quote}
-
- \noindent@{text "class eq where"} \\
- \hspace*{2ex}@{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} \\
- @{text "satisfying"} \\
- \hspace*{2ex}@{text "refl: eq x x"} \\
- \hspace*{2ex}@{text "sym: eq x y \<longleftrightarrow> eq x y"} \\
- \hspace*{2ex}@{text "trans: eq x y \<and> eq y z \<longrightarrow> eq x z"}
-
- \end{quote}
-
- \noindent From a theoretical point of view, type classes are
- lightweight modules; Haskell type classes may be emulated by SML
- functors \cite{classes_modules}. Isabelle/Isar offers a discipline
- of type classes which brings all those aspects together:
-
- \begin{enumerate}
- \item specifying abstract parameters together with
- corresponding specifications,
- \item instantiating those abstract parameters by a particular
- type
- \item in connection with a ``less ad-hoc'' approach to overloading,
- \item with a direct link to the Isabelle module system:
- locales \cite{kammueller-locales}.
- \end{enumerate}
-
- \noindent Isar type classes also directly support code generation in
- a Haskell like fashion. Internally, they are mapped to more
- primitive Isabelle concepts \cite{Haftmann-Wenzel:2006:classes}.
-
- This tutorial demonstrates common elements of structured
- specifications and abstract reasoning with type classes by the
- algebraic hierarchy of semigroups, monoids and groups. Our
- background theory is that of Isabelle/HOL \cite{isa-tutorial}, for
- which some familiarity is assumed.
-*}
-
-section {* A simple algebra example \label{sec:example} *}
-
-subsection {* Class definition *}
-
-text {*
- Depending on an arbitrary type @{text "\<alpha>"}, class @{text
- "semigroup"} introduces a binary operator @{text "(\<otimes>)"} that is
- assumed to be associative:
-*}
-
-class %quote semigroup =
- fixes mult :: "\<alpha> \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" (infixl "\<otimes>" 70)
- assumes assoc: "(x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"
-
-text {*
- \noindent This @{command class} specification consists of two parts:
- the \qn{operational} part names the class parameter (@{element
- "fixes"}), the \qn{logical} part specifies properties on them
- (@{element "assumes"}). The local @{element "fixes"} and @{element
- "assumes"} are lifted to the theory toplevel, yielding the global
- parameter @{term [source] "mult \<Colon> \<alpha>\<Colon>semigroup \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>"} and the
- global theorem @{fact "semigroup.assoc:"}~@{prop [source] "\<And>x y z \<Colon>
- \<alpha>\<Colon>semigroup. (x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"}.
-*}
-
-
-subsection {* Class instantiation \label{sec:class_inst} *}
-
-text {*
- The concrete type @{typ int} is made a @{class semigroup} instance
- by providing a suitable definition for the class parameter @{text
- "(\<otimes>)"} and a proof for the specification of @{fact assoc}. This is
- accomplished by the @{command instantiation} target:
-*}
-
-instantiation %quote int :: semigroup
-begin
-
-definition %quote
- mult_int_def: "i \<otimes> j = i + (j\<Colon>int)"
-
-instance %quote proof
- fix i j k :: int have "(i + j) + k = i + (j + k)" by simp
- then show "(i \<otimes> j) \<otimes> k = i \<otimes> (j \<otimes> k)"
- unfolding mult_int_def .
-qed
-
-end %quote
-
-text {*
- \noindent @{command instantiation} defines class parameters at a
- particular instance using common specification tools (here,
- @{command definition}). The concluding @{command instance} opens a
- proof that the given parameters actually conform to the class
- specification. Note that the first proof step is the @{method
- default} method, which for such instance proofs maps to the @{method
- intro_classes} method. This reduces an instance judgement to the
- relevant primitive proof goals; typically it is the first method
- applied in an instantiation proof.
-
- From now on, the type-checker will consider @{typ int} as a @{class
- semigroup} automatically, i.e.\ any general results are immediately
- available on concrete instances.
-
- \medskip Another instance of @{class semigroup} yields the natural
- numbers:
-*}
-
-instantiation %quote nat :: semigroup
-begin
-
-primrec %quote mult_nat where
- "(0\<Colon>nat) \<otimes> n = n"
- | "Suc m \<otimes> n = Suc (m \<otimes> n)"
-
-instance %quote proof
- fix m n q :: nat
- show "m \<otimes> n \<otimes> q = m \<otimes> (n \<otimes> q)"
- by (induct m) auto
-qed
-
-end %quote
-
-text {*
- \noindent Note the occurence of the name @{text mult_nat} in the
- primrec declaration; by default, the local name of a class operation
- @{text f} to be instantiated on type constructor @{text \<kappa>} is
- mangled as @{text f_\<kappa>}. In case of uncertainty, these names may be
- inspected using the @{command "print_context"} command or the
- corresponding ProofGeneral button.
-*}
-
-subsection {* Lifting and parametric types *}
-
-text {*
- Overloaded definitions given at a class instantiation may include
- recursion over the syntactic structure of types. As a canonical
- example, we model product semigroups using our simple algebra:
-*}
-
-instantiation %quote prod :: (semigroup, semigroup) semigroup
-begin
-
-definition %quote
- mult_prod_def: "p\<^isub>1 \<otimes> p\<^isub>2 = (fst p\<^isub>1 \<otimes> fst p\<^isub>2, snd p\<^isub>1 \<otimes> snd p\<^isub>2)"
-
-instance %quote proof
- fix p\<^isub>1 p\<^isub>2 p\<^isub>3 :: "\<alpha>\<Colon>semigroup \<times> \<beta>\<Colon>semigroup"
- show "p\<^isub>1 \<otimes> p\<^isub>2 \<otimes> p\<^isub>3 = p\<^isub>1 \<otimes> (p\<^isub>2 \<otimes> p\<^isub>3)"
- unfolding mult_prod_def by (simp add: assoc)
-qed
-
-end %quote
-
-text {*
- \noindent Associativity of product semigroups is established using
- the definition of @{text "(\<otimes>)"} on products and the hypothetical
- associativity of the type components; these hypotheses are
- legitimate due to the @{class semigroup} constraints imposed on the
- type components by the @{command instance} proposition. Indeed,
- this pattern often occurs with parametric types and type classes.
-*}
-
-
-subsection {* Subclassing *}
-
-text {*
- We define a subclass @{text monoidl} (a semigroup with a left-hand
- neutral) by extending @{class semigroup} with one additional
- parameter @{text neutral} together with its characteristic property:
-*}
-
-class %quote monoidl = semigroup +
- fixes neutral :: "\<alpha>" ("\<one>")
- assumes neutl: "\<one> \<otimes> x = x"
-
-text {*
- \noindent Again, we prove some instances, by providing suitable
- parameter definitions and proofs for the additional specifications.
- Observe that instantiations for types with the same arity may be
- simultaneous:
-*}
-
-instantiation %quote nat and int :: monoidl
-begin
-
-definition %quote
- neutral_nat_def: "\<one> = (0\<Colon>nat)"
-
-definition %quote
- neutral_int_def: "\<one> = (0\<Colon>int)"
-
-instance %quote proof
- fix n :: nat
- show "\<one> \<otimes> n = n"
- unfolding neutral_nat_def by simp
-next
- fix k :: int
- show "\<one> \<otimes> k = k"
- unfolding neutral_int_def mult_int_def by simp
-qed
-
-end %quote
-
-instantiation %quote prod :: (monoidl, monoidl) monoidl
-begin
-
-definition %quote
- neutral_prod_def: "\<one> = (\<one>, \<one>)"
-
-instance %quote proof
- fix p :: "\<alpha>\<Colon>monoidl \<times> \<beta>\<Colon>monoidl"
- show "\<one> \<otimes> p = p"
- unfolding neutral_prod_def mult_prod_def by (simp add: neutl)
-qed
-
-end %quote
-
-text {*
- \noindent Fully-fledged monoids are modelled by another subclass,
- which does not add new parameters but tightens the specification:
-*}
-
-class %quote monoid = monoidl +
- assumes neutr: "x \<otimes> \<one> = x"
-
-instantiation %quote nat and int :: monoid
-begin
-
-instance %quote proof
- fix n :: nat
- show "n \<otimes> \<one> = n"
- unfolding neutral_nat_def by (induct n) simp_all
-next
- fix k :: int
- show "k \<otimes> \<one> = k"
- unfolding neutral_int_def mult_int_def by simp
-qed
-
-end %quote
-
-instantiation %quote prod :: (monoid, monoid) monoid
-begin
-
-instance %quote proof
- fix p :: "\<alpha>\<Colon>monoid \<times> \<beta>\<Colon>monoid"
- show "p \<otimes> \<one> = p"
- unfolding neutral_prod_def mult_prod_def by (simp add: neutr)
-qed
-
-end %quote
-
-text {*
- \noindent To finish our small algebra example, we add a @{text
- group} class with a corresponding instance:
-*}
-
-class %quote group = monoidl +
- fixes inverse :: "\<alpha> \<Rightarrow> \<alpha>" ("(_\<div>)" [1000] 999)
- assumes invl: "x\<div> \<otimes> x = \<one>"
-
-instantiation %quote int :: group
-begin
-
-definition %quote
- inverse_int_def: "i\<div> = - (i\<Colon>int)"
-
-instance %quote proof
- fix i :: int
- have "-i + i = 0" by simp
- then show "i\<div> \<otimes> i = \<one>"
- unfolding mult_int_def neutral_int_def inverse_int_def .
-qed
-
-end %quote
-
-
-section {* Type classes as locales *}
-
-subsection {* A look behind the scenes *}
-
-text {*
- The example above gives an impression how Isar type classes work in
- practice. As stated in the introduction, classes also provide a
- link to Isar's locale system. Indeed, the logical core of a class
- is nothing other than a locale:
-*}
-
-class %quote idem =
- fixes f :: "\<alpha> \<Rightarrow> \<alpha>"
- assumes idem: "f (f x) = f x"
-
-text {*
- \noindent essentially introduces the locale
-*} (*<*)setup %invisible {* Sign.add_path "foo" *}
-(*>*)
-locale %quote idem =
- fixes f :: "\<alpha> \<Rightarrow> \<alpha>"
- assumes idem: "f (f x) = f x"
-
-text {* \noindent together with corresponding constant(s): *}
-
-consts %quote f :: "\<alpha> \<Rightarrow> \<alpha>"
-
-text {*
- \noindent The connection to the type system is done by means
- of a primitive type class
-*} (*<*)setup %invisible {* Sign.add_path "foo" *}
-(*>*)
-classes %quote idem < type
-(*<*)axiomatization where idem: "f (f (x::\<alpha>\<Colon>idem)) = f x"
-setup %invisible {* Sign.parent_path *}(*>*)
-
-text {* \noindent together with a corresponding interpretation: *}
-
-interpretation %quote idem_class:
- idem "f \<Colon> (\<alpha>\<Colon>idem) \<Rightarrow> \<alpha>"
-(*<*)proof qed (rule idem)(*>*)
-
-text {*
- \noindent This gives you the full power of the Isabelle module system;
- conclusions in locale @{text idem} are implicitly propagated
- to class @{text idem}.
-*} (*<*)setup %invisible {* Sign.parent_path *}
-(*>*)
-subsection {* Abstract reasoning *}
-
-text {*
- Isabelle locales enable reasoning at a general level, while results
- are implicitly transferred to all instances. For example, we can
- now establish the @{text "left_cancel"} lemma for groups, which
- states that the function @{text "(x \<otimes>)"} is injective:
-*}
-
-lemma %quote (in group) left_cancel: "x \<otimes> y = x \<otimes> z \<longleftrightarrow> y = z"
-proof
- assume "x \<otimes> y = x \<otimes> z"
- then have "x\<div> \<otimes> (x \<otimes> y) = x\<div> \<otimes> (x \<otimes> z)" by simp
- then have "(x\<div> \<otimes> x) \<otimes> y = (x\<div> \<otimes> x) \<otimes> z" using assoc by simp
- then show "y = z" using neutl and invl by simp
-next
- assume "y = z"
- then show "x \<otimes> y = x \<otimes> z" by simp
-qed
-
-text {*
- \noindent Here the \qt{@{keyword "in"} @{class group}} target
- specification indicates that the result is recorded within that
- context for later use. This local theorem is also lifted to the
- global one @{fact "group.left_cancel:"} @{prop [source] "\<And>x y z \<Colon>
- \<alpha>\<Colon>group. x \<otimes> y = x \<otimes> z \<longleftrightarrow> y = z"}. Since type @{text "int"} has been
- made an instance of @{text "group"} before, we may refer to that
- fact as well: @{prop [source] "\<And>x y z \<Colon> int. x \<otimes> y = x \<otimes> z \<longleftrightarrow> y =
- z"}.
-*}
-
-
-subsection {* Derived definitions *}
-
-text {*
- Isabelle locales are targets which support local definitions:
-*}
-
-primrec %quote (in monoid) pow_nat :: "nat \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" where
- "pow_nat 0 x = \<one>"
- | "pow_nat (Suc n) x = x \<otimes> pow_nat n x"
-
-text {*
- \noindent If the locale @{text group} is also a class, this local
- definition is propagated onto a global definition of @{term [source]
- "pow_nat \<Colon> nat \<Rightarrow> \<alpha>\<Colon>monoid \<Rightarrow> \<alpha>\<Colon>monoid"} with corresponding theorems
-
- @{thm pow_nat.simps [no_vars]}.
-
- \noindent As you can see from this example, for local definitions
- you may use any specification tool which works together with
- locales, such as Krauss's recursive function package
- \cite{krauss2006}.
-*}
-
-
-subsection {* A functor analogy *}
-
-text {*
- We introduced Isar classes by analogy to type classes in functional
- programming; if we reconsider this in the context of what has been
- said about type classes and locales, we can drive this analogy
- further by stating that type classes essentially correspond to
- functors that have a canonical interpretation as type classes.
- There is also the possibility of other interpretations. For
- example, @{text list}s also form a monoid with @{text append} and
- @{term "[]"} as operations, but it seems inappropriate to apply to
- lists the same operations as for genuinely algebraic types. In such
- a case, we can simply make a particular interpretation of monoids
- for lists:
-*}
-
-interpretation %quote list_monoid: monoid append "[]"
- proof qed auto
-
-text {*
- \noindent This enables us to apply facts on monoids
- to lists, e.g. @{thm list_monoid.neutl [no_vars]}.
-
- When using this interpretation pattern, it may also
- be appropriate to map derived definitions accordingly:
-*}
-
-primrec %quote replicate :: "nat \<Rightarrow> \<alpha> list \<Rightarrow> \<alpha> list" where
- "replicate 0 _ = []"
- | "replicate (Suc n) xs = xs @ replicate n xs"
-
-interpretation %quote list_monoid: monoid append "[]" where
- "monoid.pow_nat append [] = replicate"
-proof -
- interpret monoid append "[]" ..
- show "monoid.pow_nat append [] = replicate"
- proof
- fix n
- show "monoid.pow_nat append [] n = replicate n"
- by (induct n) auto
- qed
-qed intro_locales
-
-text {*
- \noindent This pattern is also helpful to reuse abstract
- specifications on the \emph{same} type. For example, think of a
- class @{text preorder}; for type @{typ nat}, there are at least two
- possible instances: the natural order or the order induced by the
- divides relation. But only one of these instances can be used for
- @{command instantiation}; using the locale behind the class @{text
- preorder}, it is still possible to utilise the same abstract
- specification again using @{command interpretation}.
-*}
-
-subsection {* Additional subclass relations *}
-
-text {*
- Any @{text "group"} is also a @{text "monoid"}; this can be made
- explicit by claiming an additional subclass relation, together with
- a proof of the logical difference:
-*}
-
-subclass %quote (in group) monoid
-proof
- fix x
- from invl have "x\<div> \<otimes> x = \<one>" by simp
- with assoc [symmetric] neutl invl have "x\<div> \<otimes> (x \<otimes> \<one>) = x\<div> \<otimes> x" by simp
- with left_cancel show "x \<otimes> \<one> = x" by simp
-qed
-
-text {*
- The logical proof is carried out on the locale level. Afterwards it
- is propagated to the type system, making @{text group} an instance
- of @{text monoid} by adding an additional edge to the graph of
- subclass relations (\figref{fig:subclass}).
-
- \begin{figure}[htbp]
- \begin{center}
- \small
- \unitlength 0.6mm
- \begin{picture}(40,60)(0,0)
- \put(20,60){\makebox(0,0){@{text semigroup}}}
- \put(20,40){\makebox(0,0){@{text monoidl}}}
- \put(00,20){\makebox(0,0){@{text monoid}}}
- \put(40,00){\makebox(0,0){@{text group}}}
- \put(20,55){\vector(0,-1){10}}
- \put(15,35){\vector(-1,-1){10}}
- \put(25,35){\vector(1,-3){10}}
- \end{picture}
- \hspace{8em}
- \begin{picture}(40,60)(0,0)
- \put(20,60){\makebox(0,0){@{text semigroup}}}
- \put(20,40){\makebox(0,0){@{text monoidl}}}
- \put(00,20){\makebox(0,0){@{text monoid}}}
- \put(40,00){\makebox(0,0){@{text group}}}
- \put(20,55){\vector(0,-1){10}}
- \put(15,35){\vector(-1,-1){10}}
- \put(05,15){\vector(3,-1){30}}
- \end{picture}
- \caption{Subclass relationship of monoids and groups:
- before and after establishing the relationship
- @{text "group \<subseteq> monoid"}; transitive edges are left out.}
- \label{fig:subclass}
- \end{center}
- \end{figure}
-
- For illustration, a derived definition in @{text group} using @{text
- pow_nat}
-*}
-
-definition %quote (in group) pow_int :: "int \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" where
- "pow_int k x = (if k >= 0
- then pow_nat (nat k) x
- else (pow_nat (nat (- k)) x)\<div>)"
-
-text {*
- \noindent yields the global definition of @{term [source] "pow_int \<Colon>
- int \<Rightarrow> \<alpha>\<Colon>group \<Rightarrow> \<alpha>\<Colon>group"} with the corresponding theorem @{thm
- pow_int_def [no_vars]}.
-*}
-
-subsection {* A note on syntax *}
-
-text {*
- As a convenience, class context syntax allows references to local
- class operations and their global counterparts uniformly; type
- inference resolves ambiguities. For example:
-*}
-
-context %quote semigroup
-begin
-
-term %quote "x \<otimes> y" -- {* example 1 *}
-term %quote "(x\<Colon>nat) \<otimes> y" -- {* example 2 *}
-
-end %quote
-
-term %quote "x \<otimes> y" -- {* example 3 *}
-
-text {*
- \noindent Here in example 1, the term refers to the local class
- operation @{text "mult [\<alpha>]"}, whereas in example 2 the type
- constraint enforces the global class operation @{text "mult [nat]"}.
- In the global context in example 3, the reference is to the
- polymorphic global class operation @{text "mult [?\<alpha> \<Colon> semigroup]"}.
-*}
-
-section {* Further issues *}
-
-subsection {* Type classes and code generation *}
-
-text {*
- Turning back to the first motivation for type classes, namely
- overloading, it is obvious that overloading stemming from @{command
- class} statements and @{command instantiation} targets naturally
- maps to Haskell type classes. The code generator framework
- \cite{isabelle-codegen} takes this into account. If the target
- language (e.g.~SML) lacks type classes, then they are implemented by
- an explicit dictionary construction. As example, let's go back to
- the power function:
-*}
-
-definition %quote example :: int where
- "example = pow_int 10 (-2)"
-
-text {*
- \noindent This maps to Haskell as follows:
-*}
-(*<*)code_include %invisible Haskell "Natural" -(*>*)
-text %quotetypewriter {*
- @{code_stmts example (Haskell)}
-*}
-
-text {*
- \noindent The code in SML has explicit dictionary passing:
-*}
-text %quotetypewriter {*
- @{code_stmts example (SML)}
-*}
-
-
-text {*
- \noindent In Scala, implicts are used as dictionaries:
-*}
-(*<*)code_include %invisible Scala "Natural" -(*>*)
-text %quotetypewriter {*
- @{code_stmts example (Scala)}
-*}
-
-
-subsection {* Inspecting the type class universe *}
-
-text {*
- To facilitate orientation in complex subclass structures, two
- diagnostics commands are provided:
-
- \begin{description}
-
- \item[@{command "print_classes"}] print a list of all classes
- together with associated operations etc.
-
- \item[@{command "class_deps"}] visualizes the subclass relation
- between all classes as a Hasse diagram.
-
- \end{description}
-*}
-
-end
--- a/doc-src/Classes/Setup.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,40 +0,0 @@
-theory Setup
-imports Main "~~/src/HOL/Library/Code_Integer"
-begin
-
-ML_file "../antiquote_setup.ML"
-ML_file "../more_antiquote.ML"
-
-setup {*
- Antiquote_Setup.setup #>
- More_Antiquote.setup #>
- Code_Target.set_default_code_width 74
-*}
-
-syntax
- "_alpha" :: "type" ("\<alpha>")
- "_alpha_ofsort" :: "sort \<Rightarrow> type" ("\<alpha>()\<Colon>_" [0] 1000)
- "_beta" :: "type" ("\<beta>")
- "_beta_ofsort" :: "sort \<Rightarrow> type" ("\<beta>()\<Colon>_" [0] 1000)
-
-parse_ast_translation {*
- let
- fun alpha_ast_tr [] = Ast.Variable "'a"
- | alpha_ast_tr asts = raise Ast.AST ("alpha_ast_tr", asts);
- fun alpha_ofsort_ast_tr [ast] =
- Ast.Appl [Ast.Constant @{syntax_const "_ofsort"}, Ast.Variable "'a", ast]
- | alpha_ofsort_ast_tr asts = raise Ast.AST ("alpha_ast_tr", asts);
- fun beta_ast_tr [] = Ast.Variable "'b"
- | beta_ast_tr asts = raise Ast.AST ("beta_ast_tr", asts);
- fun beta_ofsort_ast_tr [ast] =
- Ast.Appl [Ast.Constant @{syntax_const "_ofsort"}, Ast.Variable "'b", ast]
- | beta_ofsort_ast_tr asts = raise Ast.AST ("beta_ast_tr", asts);
- in
- [(@{syntax_const "_alpha"}, alpha_ast_tr),
- (@{syntax_const "_alpha_ofsort"}, alpha_ofsort_ast_tr),
- (@{syntax_const "_beta"}, beta_ast_tr),
- (@{syntax_const "_beta_ofsort"}, beta_ofsort_ast_tr)]
- end
-*}
-
-end
\ No newline at end of file
--- a/doc-src/Classes/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_isar.pdf Isar
-"$ISABELLE_TOOL" logo -o isabelle_isar.eps Isar
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Classes/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,46 +0,0 @@
-\documentclass[12pt,a4paper,fleqn]{article}
-\usepackage{latexsym,graphicx}
-\usepackage{iman,extra,isar,proof}
-\usepackage{isabelle,isabellesym}
-\usepackage{style}
-\usepackage{pdfsetup}
-
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-\isadroptag{theory}
-
-\title{\includegraphics[scale=0.5]{isabelle_isar}
- \\[4ex] Haskell-style type classes with Isabelle/Isar}
-\author{\emph{Florian Haftmann}}
-
-\begin{document}
-
-\maketitle
-
-\begin{abstract}
- \noindent This tutorial introduces Isar type classes, which
- are a convenient mechanism for organizing specifications.
- Essentially, they combine an operational aspect (in the
- manner of Haskell) with a logical aspect, both managed uniformly.
-\end{abstract}
-
-\thispagestyle{empty}\clearpage
-
-\pagenumbering{roman}
-\clearfirst
-
-\input{Classes.tex}
-
-\begingroup
-\bibliographystyle{plain} \small\raggedright\frenchspacing
-\bibliography{manual}
-\endgroup
-
-\end{document}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/Classes/document/style.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,58 +0,0 @@
-
-%% toc
-\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
-\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
-
-%% paragraphs
-\setlength{\parindent}{1em}
-
-%% references
-\newcommand{\secref}[1]{\S\ref{#1}}
-\newcommand{\figref}[1]{figure~\ref{#1}}
-
-%% logical markup
-\newcommand{\strong}[1]{{\bfseries {#1}}}
-\newcommand{\qn}[1]{\emph{#1}}
-
-%% typographic conventions
-\newcommand{\qt}[1]{``{#1}''}
-\newcommand{\ditem}[1]{\item[\isastyletext #1]}
-
-%% quote environment
-\isakeeptag{quote}
-\renewenvironment{quote}
- {\list{}{\leftmargin2em\rightmargin0pt}\parindent0pt\parskip0pt\item\relax}
- {\endlist}
-\renewcommand{\isatagquote}{\begin{quote}}
-\renewcommand{\endisatagquote}{\end{quote}}
-\newcommand{\quotebreak}{\\[1.2ex]}
-
-%% typewriter text
-\newenvironment{typewriter}{\renewcommand{\isastyletext}{}%
-\renewcommand{\isadigit}[1]{{##1}}%
-\parindent0pt%
-\makeatletter\isa@parindent0pt\makeatother%
-\isabellestyle{tt}\isastyle%
-\fontsize{9pt}{9pt}\selectfont}{}
-
-\isakeeptag{quotetypewriter}
-\renewcommand{\isatagquotetypewriter}{\begin{quote}\begin{typewriter}}
-\renewcommand{\endisatagquotetypewriter}{\end{typewriter}\end{quote}}
-
-%% presentation
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-%% character detail
-\renewcommand{\isadigit}[1]{\isamath{#1}}
-\binperiod
-\underscoreoff
-
-%% format
-\pagestyle{headings}
-\isabellestyle{it}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "implementation"
-%%% End:
--- a/doc-src/Codegen/Adaptation.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,347 +0,0 @@
-theory Adaptation
-imports Setup
-begin
-
-setup %invisible {* Code_Target.extend_target ("\<SML>", ("SML", K I))
- #> Code_Target.extend_target ("\<SMLdummy>", ("Haskell", K I)) *}
-
-section {* Adaptation to target languages \label{sec:adaptation} *}
-
-subsection {* Adapting code generation *}
-
-text {*
- The aspects of code generation introduced so far have two aspects
- in common:
-
- \begin{itemize}
-
- \item They act uniformly, without reference to a specific target
- language.
-
- \item They are \emph{safe} in the sense that as long as you trust
- the code generator meta theory and implementation, you cannot
- produce programs that yield results which are not derivable in
- the logic.
-
- \end{itemize}
-
- \noindent In this section we will introduce means to \emph{adapt}
- the serialiser to a specific target language, i.e.~to print program
- fragments in a way which accommodates \qt{already existing}
- ingredients of a target language environment, for three reasons:
-
- \begin{itemize}
- \item improving readability and aesthetics of generated code
- \item gaining efficiency
- \item interface with language parts which have no direct counterpart
- in @{text "HOL"} (say, imperative data structures)
- \end{itemize}
-
- \noindent Generally, you should avoid using those features yourself
- \emph{at any cost}:
-
- \begin{itemize}
-
- \item The safe configuration methods act uniformly on every target
- language, whereas for adaptation you have to treat each target
- language separately.
-
- \item Application is extremely tedious since there is no
- abstraction which would allow for a static check, making it easy
- to produce garbage.
-
- \item Subtle errors can be introduced unconsciously.
-
- \end{itemize}
-
- \noindent However, even if you ought refrain from setting up
- adaptation yourself, already the @{text "HOL"} comes with some
- reasonable default adaptations (say, using target language list
- syntax). There also some common adaptation cases which you can
- setup by importing particular library theories. In order to
- understand these, we provide some clues here; these however are not
- supposed to replace a careful study of the sources.
-*}
-
-
-subsection {* The adaptation principle *}
-
-text {*
- Figure \ref{fig:adaptation} illustrates what \qt{adaptation} is
- conceptually supposed to be:
-
- \begin{figure}[here]
- \includegraphics{adapt}
- \caption{The adaptation principle}
- \label{fig:adaptation}
- \end{figure}
-
- \noindent In the tame view, code generation acts as broker between
- @{text logic}, @{text "intermediate language"} and @{text "target
- language"} by means of @{text translation} and @{text
- serialisation}; for the latter, the serialiser has to observe the
- structure of the @{text language} itself plus some @{text reserved}
- keywords which have to be avoided for generated code. However, if
- you consider @{text adaptation} mechanisms, the code generated by
- the serializer is just the tip of the iceberg:
-
- \begin{itemize}
-
- \item @{text serialisation} can be \emph{parametrised} such that
- logical entities are mapped to target-specific ones
- (e.g. target-specific list syntax, see also
- \secref{sec:adaptation_mechanisms})
-
- \item Such parametrisations can involve references to a
- target-specific standard @{text library} (e.g. using the @{text
- Haskell} @{verbatim Maybe} type instead of the @{text HOL}
- @{type "option"} type); if such are used, the corresponding
- identifiers (in our example, @{verbatim Maybe}, @{verbatim
- Nothing} and @{verbatim Just}) also have to be considered @{text
- reserved}.
-
- \item Even more, the user can enrich the library of the
- target-language by providing code snippets (\qt{@{text
- "includes"}}) which are prepended to any generated code (see
- \secref{sec:include}); this typically also involves further
- @{text reserved} identifiers.
-
- \end{itemize}
-
- \noindent As figure \ref{fig:adaptation} illustrates, all these
- adaptation mechanisms have to act consistently; it is at the
- discretion of the user to take care for this.
-*}
-
-subsection {* Common adaptation patterns *}
-
-text {*
- The @{theory HOL} @{theory Main} theory already provides a code
- generator setup which should be suitable for most applications.
- Common extensions and modifications are available by certain
- theories of the @{text HOL} library; beside being useful in
- applications, they may serve as a tutorial for customising the code
- generator setup (see below \secref{sec:adaptation_mechanisms}).
-
- \begin{description}
-
- \item[@{text "Code_Integer"}] represents @{text HOL} integers by
- big integer literals in target languages.
-
- \item[@{text "Code_Char"}] represents @{text HOL} characters by
- character literals in target languages.
-
- \item[@{text "Code_Char_chr"}] like @{text "Code_Char"}, but
- also offers treatment of character codes; includes @{text
- "Code_Char"}.
-
- \item[@{text "Efficient_Nat"}] \label{eff_nat} implements
- natural numbers by integers, which in general will result in
- higher efficiency; pattern matching with @{term "0\<Colon>nat"} /
- @{const "Suc"} is eliminated; includes @{text "Code_Integer"}
- and @{text "Code_Numeral"}.
-
- \item[@{theory "Code_Numeral"}] provides an additional datatype
- @{typ index} which is mapped to target-language built-in
- integers. Useful for code setups which involve e.g.~indexing
- of target-language arrays. Part of @{text "HOL-Main"}.
-
- \item[@{theory "String"}] provides an additional datatype @{typ
- String.literal} which is isomorphic to strings; @{typ
- String.literal}s are mapped to target-language strings. Useful
- for code setups which involve e.g.~printing (error) messages.
- Part of @{text "HOL-Main"}.
-
- \end{description}
-
- \begin{warn}
- When importing any of those theories which are not part of
- @{text "HOL-Main"}, they should form the last
- items in an import list. Since these theories adapt the code
- generator setup in a non-conservative fashion, strange effects may
- occur otherwise.
- \end{warn}
-*}
-
-
-subsection {* Parametrising serialisation \label{sec:adaptation_mechanisms} *}
-
-text {*
- Consider the following function and its corresponding SML code:
-*}
-
-primrec %quote in_interval :: "nat \<times> nat \<Rightarrow> nat \<Rightarrow> bool" where
- "in_interval (k, l) n \<longleftrightarrow> k \<le> n \<and> n \<le> l"
-(*<*)
-code_type %invisible bool
- (SML)
-code_const %invisible True and False and "op \<and>" and Not
- (SML and and and)
-(*>*)
-text %quotetypewriter {*
- @{code_stmts in_interval (SML)}
-*}
-
-text {*
- \noindent Though this is correct code, it is a little bit
- unsatisfactory: boolean values and operators are materialised as
- distinguished entities with have nothing to do with the SML-built-in
- notion of \qt{bool}. This results in less readable code;
- additionally, eager evaluation may cause programs to loop or break
- which would perfectly terminate when the existing SML @{verbatim
- "bool"} would be used. To map the HOL @{typ bool} on SML @{verbatim
- "bool"}, we may use \qn{custom serialisations}:
-*}
-
-code_type %quotett bool
- (SML "bool")
-code_const %quotett True and False and "op \<and>"
- (SML "true" and "false" and "_ andalso _")
-
-text {*
- \noindent The @{command_def code_type} command takes a type constructor
- as arguments together with a list of custom serialisations. Each
- custom serialisation starts with a target language identifier
- followed by an expression, which during code serialisation is
- inserted whenever the type constructor would occur. For constants,
- @{command_def code_const} implements the corresponding mechanism. Each
- ``@{verbatim "_"}'' in a serialisation expression is treated as a
- placeholder for the type constructor's (the constant's) arguments.
-*}
-
-text %quotetypewriter {*
- @{code_stmts in_interval (SML)}
-*}
-
-text {*
- \noindent This still is not perfect: the parentheses around the
- \qt{andalso} expression are superfluous. Though the serialiser by
- no means attempts to imitate the rich Isabelle syntax framework, it
- provides some common idioms, notably associative infixes with
- precedences which may be used here:
-*}
-
-code_const %quotett "op \<and>"
- (SML infixl 1 "andalso")
-
-text %quotetypewriter {*
- @{code_stmts in_interval (SML)}
-*}
-
-text {*
- \noindent The attentive reader may ask how we assert that no
- generated code will accidentally overwrite. For this reason the
- serialiser has an internal table of identifiers which have to be
- avoided to be used for new declarations. Initially, this table
- typically contains the keywords of the target language. It can be
- extended manually, thus avoiding accidental overwrites, using the
- @{command_def "code_reserved"} command:
-*}
-
-code_reserved %quote "\<SMLdummy>" bool true false andalso
-
-text {*
- \noindent Next, we try to map HOL pairs to SML pairs, using the
- infix ``@{verbatim "*"}'' type constructor and parentheses:
-*}
-(*<*)
-code_type %invisible prod
- (SML)
-code_const %invisible Pair
- (SML)
-(*>*)
-code_type %quotett prod
- (SML infix 2 "*")
-code_const %quotett Pair
- (SML "!((_),/ (_))")
-
-text {*
- \noindent The initial bang ``@{verbatim "!"}'' tells the serialiser
- never to put parentheses around the whole expression (they are
- already present), while the parentheses around argument place
- holders tell not to put parentheses around the arguments. The slash
- ``@{verbatim "/"}'' (followed by arbitrary white space) inserts a
- space which may be used as a break if necessary during pretty
- printing.
-
- These examples give a glimpse what mechanisms custom serialisations
- provide; however their usage requires careful thinking in order not
- to introduce inconsistencies -- or, in other words: custom
- serialisations are completely axiomatic.
-
- A further noteworthy detail is that any special character in a
- custom serialisation may be quoted using ``@{verbatim "'"}''; thus,
- in ``@{verbatim "fn '_ => _"}'' the first ``@{verbatim "_"}'' is a
- proper underscore while the second ``@{verbatim "_"}'' is a
- placeholder.
-*}
-
-
-subsection {* @{text Haskell} serialisation *}
-
-text {*
- For convenience, the default @{text HOL} setup for @{text Haskell}
- maps the @{class equal} class to its counterpart in @{text Haskell},
- giving custom serialisations for the class @{class equal} (by command
- @{command_def code_class}) and its operation @{const [source] HOL.equal}
-*}
-
-code_class %quotett equal
- (Haskell "Eq")
-
-code_const %quotett "HOL.equal"
- (Haskell infixl 4 "==")
-
-text {*
- \noindent A problem now occurs whenever a type which is an instance
- of @{class equal} in @{text HOL} is mapped on a @{text
- Haskell}-built-in type which is also an instance of @{text Haskell}
- @{text Eq}:
-*}
-
-typedecl %quote bar
-
-instantiation %quote bar :: equal
-begin
-
-definition %quote "HOL.equal (x\<Colon>bar) y \<longleftrightarrow> x = y"
-
-instance %quote by default (simp add: equal_bar_def)
-
-end %quote (*<*)
-
-(*>*) code_type %quotett bar
- (Haskell "Integer")
-
-text {*
- \noindent The code generator would produce an additional instance,
- which of course is rejected by the @{text Haskell} compiler. To
- suppress this additional instance, use @{command_def "code_instance"}:
-*}
-
-code_instance %quotett bar :: equal
- (Haskell -)
-
-
-subsection {* Enhancing the target language context \label{sec:include} *}
-
-text {*
- In rare cases it is necessary to \emph{enrich} the context of a
- target language; this is accomplished using the @{command_def
- "code_include"} command:
-*}
-
-code_include %quotett Haskell "Errno"
-{*errno i = error ("Error number: " ++ show i)*}
-
-code_reserved %quotett Haskell Errno
-
-text {*
- \noindent Such named @{text include}s are then prepended to every
- generated code. Inspect such code in order to find out how
- @{command "code_include"} behaves with respect to a particular
- target language.
-*}
-
-end
-
--- a/doc-src/Codegen/Evaluation.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,287 +0,0 @@
-theory Evaluation
-imports Setup
-begin
-
-section {* Evaluation \label{sec:evaluation} *}
-
-text {*
- Recalling \secref{sec:principle}, code generation turns a system of
- equations into a program with the \emph{same} equational semantics.
- As a consequence, this program can be used as a \emph{rewrite
- engine} for terms: rewriting a term @{term "t"} using a program to a
- term @{term "t'"} yields the theorems @{prop "t \<equiv> t'"}. This
- application of code generation in the following is referred to as
- \emph{evaluation}.
-*}
-
-
-subsection {* Evaluation techniques *}
-
-text {*
- The existing infrastructure provides a rich palette of evaluation
- techniques, each comprising different aspects:
-
- \begin{description}
-
- \item[Expressiveness.] Depending on how good symbolic computation
- is supported, the class of terms which can be evaluated may be
- bigger or smaller.
-
- \item[Efficiency.] The more machine-near the technique, the
- faster it is.
-
- \item[Trustability.] Techniques which a huge (and also probably
- more configurable infrastructure) are more fragile and less
- trustable.
-
- \end{description}
-*}
-
-
-subsubsection {* The simplifier (@{text simp}) *}
-
-text {*
- The simplest way for evaluation is just using the simplifier with
- the original code equations of the underlying program. This gives
- fully symbolic evaluation and highest trustablity, with the usual
- performance of the simplifier. Note that for operations on abstract
- datatypes (cf.~\secref{sec:invariant}), the original theorems as
- given by the users are used, not the modified ones.
-*}
-
-
-subsubsection {* Normalization by evaluation (@{text nbe}) *}
-
-text {*
- Normalization by evaluation \cite{Aehlig-Haftmann-Nipkow:2008:nbe}
- provides a comparably fast partially symbolic evaluation which
- permits also normalization of functions and uninterpreted symbols;
- the stack of code to be trusted is considerable.
-*}
-
-
-subsubsection {* Evaluation in ML (@{text code}) *}
-
-text {*
- Highest performance can be achieved by evaluation in ML, at the cost
- of being restricted to ground results and a layered stack of code to
- be trusted, including code generator configurations by the user.
-
- Evaluation is carried out in a target language \emph{Eval} which
- inherits from \emph{SML} but for convenience uses parts of the
- Isabelle runtime environment. The soundness of computation carried
- out there depends crucially on the correctness of the code
- generator setup; this is one of the reasons why you should not use
- adaptation (see \secref{sec:adaptation}) frivolously.
-*}
-
-
-subsection {* Aspects of evaluation *}
-
-text {*
- Each of the techniques can be combined with different aspects. The
- most important distinction is between dynamic and static evaluation.
- Dynamic evaluation takes the code generator configuration \qt{as it
- is} at the point where evaluation is issued. Best example is the
- @{command_def value} command which allows ad-hoc evaluation of
- terms:
-*}
-
-value %quote "42 / (12 :: rat)"
-
-text {*
- \noindent By default @{command value} tries all available evaluation
- techniques and prints the result of the first succeeding one. A particular
- technique may be specified in square brackets, e.g.
-*}
-
-value %quote [nbe] "42 / (12 :: rat)"
-
-text {*
- To employ dynamic evaluation in the document generation, there is also
- a @{text value} antiquotation. By default, it also tries all available evaluation
- techniques and prints the result of the first succeeding one, unless a particular
- technique is specified in square brackets.
-
- Static evaluation freezes the code generator configuration at a
- certain point and uses this context whenever evaluation is issued
- later on. This is particularly appropriate for proof procedures
- which use evaluation, since then the behaviour of evaluation is not
- changed or even compromised later on by actions of the user.
-
- As a technical complication, terms after evaluation in ML must be
- turned into Isabelle's internal term representation again. Since
- this is also configurable, it is never fully trusted. For this
- reason, evaluation in ML comes with further aspects:
-
- \begin{description}
-
- \item[Plain evaluation.] A term is normalized using the provided
- term reconstruction from ML to Isabelle; for applications which
- do not need to be fully trusted.
-
- \item[Property conversion.] Evaluates propositions; since these
- are monomorphic, the term reconstruction is fixed once and for all
- and therefore trustable.
-
- \item[Conversion.] Evaluates an arbitrary term @{term "t"} first
- by plain evaluation and certifies the result @{term "t'"} by
- checking the equation @{term "t \<equiv> t'"} using property
- conversion.
-
- \end{description}
-
- \noindent The picture is further complicated by the roles of
- exceptions. Here three cases have to be distinguished:
-
- \begin{itemize}
-
- \item Evaluation of @{term t} terminates with a result @{term
- "t'"}.
-
- \item Evaluation of @{term t} terminates which en exception
- indicating a pattern match failure or a non-implemented
- function. As sketched in \secref{sec:partiality}, this can be
- interpreted as partiality.
-
- \item Evaluation raises any other kind of exception.
-
- \end{itemize}
-
- \noindent For conversions, the first case yields the equation @{term
- "t = t'"}, the second defaults to reflexivity @{term "t = t"}.
- Exceptions of the third kind are propagated to the user.
-
- By default return values of plain evaluation are optional, yielding
- @{text "SOME t'"} in the first case, @{text "NONE"} in the
- second, and propagating the exception in the third case. A strict
- variant of plain evaluation either yields @{text "t'"} or propagates
- any exception, a liberal variant caputures any exception in a result
- of type @{text "Exn.result"}.
-
- For property conversion (which coincides with conversion except for
- evaluation in ML), methods are provided which solve a given goal by
- evaluation.
-*}
-
-
-subsection {* Schematic overview *}
-
-text {*
- \newcommand{\ttsize}{\fontsize{5.8pt}{8pt}\selectfont}
- \fontsize{9pt}{12pt}\selectfont
- \begin{tabular}{ll||c|c|c}
- & & @{text simp} & @{text nbe} & @{text code} \tabularnewline \hline \hline
- \multirow{5}{1ex}{\rotatebox{90}{dynamic}}
- & interactive evaluation
- & @{command value} @{text "[simp]"} & @{command value} @{text "[nbe]"} & @{command value} @{text "[code]"}
- \tabularnewline
- & plain evaluation & & & \ttsize@{ML "Code_Evaluation.dynamic_value"} \tabularnewline \cline{2-5}
- & evaluation method & @{method code_simp} & @{method normalization} & @{method eval} \tabularnewline
- & property conversion & & & \ttsize@{ML "Code_Runtime.dynamic_holds_conv"} \tabularnewline \cline{2-5}
- & conversion & \ttsize@{ML "Code_Simp.dynamic_conv"} & \ttsize@{ML "Nbe.dynamic_conv"}
- & \ttsize@{ML "Code_Evaluation.dynamic_conv"} \tabularnewline \hline \hline
- \multirow{3}{1ex}{\rotatebox{90}{static}}
- & plain evaluation & & & \ttsize@{ML "Code_Evaluation.static_value"} \tabularnewline \cline{2-5}
- & property conversion & &
- & \ttsize@{ML "Code_Runtime.static_holds_conv"} \tabularnewline \cline{2-5}
- & conversion & \ttsize@{ML "Code_Simp.static_conv"}
- & \ttsize@{ML "Nbe.static_conv"}
- & \ttsize@{ML "Code_Evaluation.static_conv"}
- \end{tabular}
-*}
-
-
-subsection {* Intimate connection between logic and system runtime *}
-
-text {*
- The toolbox of static evaluation conversions forms a reasonable base
- to interweave generated code and system tools. However in some
- situations more direct interaction is desirable.
-*}
-
-
-subsubsection {* Static embedding of generated code into system runtime -- the @{text code} antiquotation *}
-
-text {*
- The @{text code} antiquotation allows to include constants from
- generated code directly into ML system code, as in the following toy
- example:
-*}
-
-datatype %quote form = T | F | And form form | Or form form (*<*)
-
-(*>*) ML %quotett {*
- fun eval_form @{code T} = true
- | eval_form @{code F} = false
- | eval_form (@{code And} (p, q)) =
- eval_form p andalso eval_form q
- | eval_form (@{code Or} (p, q)) =
- eval_form p orelse eval_form q;
-*}
-
-text {*
- \noindent @{text code} takes as argument the name of a constant;
- after the whole ML is read, the necessary code is generated
- transparently and the corresponding constant names are inserted.
- This technique also allows to use pattern matching on constructors
- stemming from compiled datatypes. Note that the @{text code}
- antiquotation may not refer to constants which carry adaptations;
- here you have to refer to the corresponding adapted code directly.
-
- For a less simplistic example, theory @{text Approximation} in
- the @{text Decision_Procs} session is a good reference.
-*}
-
-
-subsubsection {* Static embedding of generated code into system runtime -- @{text code_reflect} *}
-
-text {*
- The @{text code} antiquoation is lightweight, but the generated code
- is only accessible while the ML section is processed. Sometimes this
- is not appropriate, especially if the generated code contains datatype
- declarations which are shared with other parts of the system. In these
- cases, @{command_def code_reflect} can be used:
-*}
-
-code_reflect %quote Sum_Type
- datatypes sum = Inl | Inr
- functions "Sum_Type.Projl" "Sum_Type.Projr"
-
-text {*
- \noindent @{command_def code_reflect} takes a structure name and
- references to datatypes and functions; for these code is compiled
- into the named ML structure and the \emph{Eval} target is modified
- in a way that future code generation will reference these
- precompiled versions of the given datatypes and functions. This
- also allows to refer to the referenced datatypes and functions from
- arbitrary ML code as well.
-
- A typical example for @{command code_reflect} can be found in the
- @{theory Predicate} theory.
-*}
-
-
-subsubsection {* Separate compilation -- @{text code_reflect} *}
-
-text {*
- For technical reasons it is sometimes necessary to separate
- generation and compilation of code which is supposed to be used in
- the system runtime. For this @{command code_reflect} with an
- optional @{text "file"} argument can be used:
-*}
-
-code_reflect %quote Rat
- datatypes rat = Frct
- functions Fract
- "(plus :: rat \<Rightarrow> rat \<Rightarrow> rat)" "(minus :: rat \<Rightarrow> rat \<Rightarrow> rat)"
- "(times :: rat \<Rightarrow> rat \<Rightarrow> rat)" "(divide :: rat \<Rightarrow> rat \<Rightarrow> rat)"
- file "examples/rat.ML"
-
-text {*
- \noindent This merely generates the referenced code to the given
- file which can be included into the system runtime later on.
-*}
-
-end
-
--- a/doc-src/Codegen/Foundations.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,347 +0,0 @@
-theory Foundations
-imports Introduction
-begin
-
-section {* Code generation foundations \label{sec:foundations} *}
-
-subsection {* Code generator architecture \label{sec:architecture} *}
-
-text {*
- The code generator is actually a framework consisting of different
- components which can be customised individually.
-
- Conceptually all components operate on Isabelle's logic framework
- @{theory Pure}. Practically, the object logic @{theory HOL}
- provides the necessary facilities to make use of the code generator,
- mainly since it is an extension of @{theory Pure}.
-
- The constellation of the different components is visualized in the
- following picture.
-
- \begin{figure}[h]
- \includegraphics{architecture}
- \caption{Code generator architecture}
- \label{fig:arch}
- \end{figure}
-
- \noindent Central to code generation is the notion of \emph{code
- equations}. A code equation as a first approximation is a theorem
- of the form @{text "f t\<^isub>1 t\<^isub>2 \<dots> t\<^isub>n \<equiv> t"} (an equation headed by a
- constant @{text f} with arguments @{text "t\<^isub>1 t\<^isub>2 \<dots> t\<^isub>n"} and right
- hand side @{text t}).
-
- \begin{itemize}
-
- \item Starting point of code generation is a collection of (raw)
- code equations in a theory. It is not relevant where they stem
- from, but typically they were either produced by specification
- tools or proved explicitly by the user.
-
- \item These raw code equations can be subjected to theorem
- transformations. This \qn{preprocessor} (see
- \secref{sec:preproc}) can apply the full expressiveness of
- ML-based theorem transformations to code generation. The result
- of preprocessing is a structured collection of code equations.
-
- \item These code equations are \qn{translated} to a program in an
- abstract intermediate language. Think of it as a kind of
- \qt{Mini-Haskell} with four \qn{statements}: @{text data} (for
- datatypes), @{text fun} (stemming from code equations), also
- @{text class} and @{text inst} (for type classes).
-
- \item Finally, the abstract program is \qn{serialised} into
- concrete source code of a target language. This step only
- produces concrete syntax but does not change the program in
- essence; all conceptual transformations occur in the translation
- step.
-
- \end{itemize}
-
- \noindent From these steps, only the last two are carried out
- outside the logic; by keeping this layer as thin as possible, the
- amount of code to trust is kept to a minimum.
-*}
-
-
-subsection {* The preprocessor \label{sec:preproc} *}
-
-text {*
- Before selected function theorems are turned into abstract code, a
- chain of definitional transformation steps is carried out:
- \emph{preprocessing}. The preprocessor consists of two
- components: a \emph{simpset} and \emph{function transformers}.
-
- The \emph{simpset} can apply the full generality of the Isabelle
- simplifier. Due to the interpretation of theorems as code
- equations, rewrites are applied to the right hand side and the
- arguments of the left hand side of an equation, but never to the
- constant heading the left hand side. An important special case are
- \emph{unfold theorems}, which may be declared and removed using the
- @{attribute code_unfold} or \emph{@{attribute code_unfold} del}
- attribute, respectively.
-
- Some common applications:
-*}
-
-text_raw {*
- \begin{itemize}
-*}
-
-text {*
- \item replacing non-executable constructs by executable ones:
-*}
-
-lemma %quote [code_unfold]:
- "x \<in> set xs \<longleftrightarrow> List.member xs x" by (fact in_set_member)
-
-text {*
- \item replacing executable but inconvenient constructs:
-*}
-
-lemma %quote [code_unfold]:
- "xs = [] \<longleftrightarrow> List.null xs" by (fact eq_Nil_null)
-
-text {*
- \item eliminating disturbing expressions:
-*}
-
-lemma %quote [code_unfold]:
- "1 = Suc 0" by (fact One_nat_def)
-
-text_raw {*
- \end{itemize}
-*}
-
-text {*
- \noindent \emph{Function transformers} provide a very general
- interface, transforming a list of function theorems to another list
- of function theorems, provided that neither the heading constant nor
- its type change. The @{term "0\<Colon>nat"} / @{const Suc} pattern
- elimination implemented in theory @{text Efficient_Nat} (see
- \secref{eff_nat}) uses this interface.
-
- \noindent The current setup of the preprocessor may be inspected
- using the @{command_def print_codeproc} command. @{command_def
- code_thms} (see \secref{sec:equations}) provides a convenient
- mechanism to inspect the impact of a preprocessor setup on code
- equations.
-*}
-
-
-subsection {* Understanding code equations \label{sec:equations} *}
-
-text {*
- As told in \secref{sec:principle}, the notion of code equations is
- vital to code generation. Indeed most problems which occur in
- practice can be resolved by an inspection of the underlying code
- equations.
-
- It is possible to exchange the default code equations for constants
- by explicitly proving alternative ones:
-*}
-
-lemma %quote [code]:
- "dequeue (AQueue xs []) =
- (if xs = [] then (None, AQueue [] [])
- else dequeue (AQueue [] (rev xs)))"
- "dequeue (AQueue xs (y # ys)) =
- (Some y, AQueue xs ys)"
- by (cases xs, simp_all) (cases "rev xs", simp_all)
-
-text {*
- \noindent The annotation @{text "[code]"} is an @{text attribute}
- which states that the given theorems should be considered as code
- equations for a @{text fun} statement -- the corresponding constant
- is determined syntactically. The resulting code:
-*}
-
-text %quotetypewriter {*
- @{code_stmts dequeue (consts) dequeue (Haskell)}
-*}
-
-text {*
- \noindent You may note that the equality test @{term "xs = []"} has
- been replaced by the predicate @{term "List.null xs"}. This is due
- to the default setup of the \qn{preprocessor}.
-
- This possibility to select arbitrary code equations is the key
- technique for program and datatype refinement (see
- \secref{sec:refinement}).
-
- Due to the preprocessor, there is the distinction of raw code
- equations (before preprocessing) and code equations (after
- preprocessing).
-
- The first can be listed (among other data) using the @{command_def
- print_codesetup} command.
-
- The code equations after preprocessing are already are blueprint of
- the generated program and can be inspected using the @{command
- code_thms} command:
-*}
-
-code_thms %quote dequeue
-
-text {*
- \noindent This prints a table with the code equations for @{const
- dequeue}, including \emph{all} code equations those equations depend
- on recursively. These dependencies themselves can be visualized using
- the @{command_def code_deps} command.
-*}
-
-
-subsection {* Equality *}
-
-text {*
- Implementation of equality deserves some attention. Here an example
- function involving polymorphic equality:
-*}
-
-primrec %quote collect_duplicates :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
- "collect_duplicates xs ys [] = xs"
-| "collect_duplicates xs ys (z#zs) = (if z \<in> set xs
- then if z \<in> set ys
- then collect_duplicates xs ys zs
- else collect_duplicates xs (z#ys) zs
- else collect_duplicates (z#xs) (z#ys) zs)"
-
-text {*
- \noindent During preprocessing, the membership test is rewritten,
- resulting in @{const List.member}, which itself performs an explicit
- equality check, as can be seen in the corresponding @{text SML} code:
-*}
-
-text %quotetypewriter {*
- @{code_stmts collect_duplicates (SML)}
-*}
-
-text {*
- \noindent Obviously, polymorphic equality is implemented the Haskell
- way using a type class. How is this achieved? HOL introduces an
- explicit class @{class equal} with a corresponding operation @{const
- HOL.equal} such that @{thm equal [no_vars]}. The preprocessing
- framework does the rest by propagating the @{class equal} constraints
- through all dependent code equations. For datatypes, instances of
- @{class equal} are implicitly derived when possible. For other types,
- you may instantiate @{text equal} manually like any other type class.
-*}
-
-
-subsection {* Explicit partiality \label{sec:partiality} *}
-
-text {*
- Partiality usually enters the game by partial patterns, as
- in the following example, again for amortised queues:
-*}
-
-definition %quote strict_dequeue :: "'a queue \<Rightarrow> 'a \<times> 'a queue" where
- "strict_dequeue q = (case dequeue q
- of (Some x, q') \<Rightarrow> (x, q'))"
-
-lemma %quote strict_dequeue_AQueue [code]:
- "strict_dequeue (AQueue xs (y # ys)) = (y, AQueue xs ys)"
- "strict_dequeue (AQueue xs []) =
- (case rev xs of y # ys \<Rightarrow> (y, AQueue [] ys))"
- by (simp_all add: strict_dequeue_def) (cases xs, simp_all split: list.split)
-
-text {*
- \noindent In the corresponding code, there is no equation
- for the pattern @{term "AQueue [] []"}:
-*}
-
-text %quotetypewriter {*
- @{code_stmts strict_dequeue (consts) strict_dequeue (Haskell)}
-*}
-
-text {*
- \noindent In some cases it is desirable to have this
- pseudo-\qt{partiality} more explicitly, e.g.~as follows:
-*}
-
-axiomatization %quote empty_queue :: 'a
-
-definition %quote strict_dequeue' :: "'a queue \<Rightarrow> 'a \<times> 'a queue" where
- "strict_dequeue' q = (case dequeue q of (Some x, q') \<Rightarrow> (x, q') | _ \<Rightarrow> empty_queue)"
-
-lemma %quote strict_dequeue'_AQueue [code]:
- "strict_dequeue' (AQueue xs []) = (if xs = [] then empty_queue
- else strict_dequeue' (AQueue [] (rev xs)))"
- "strict_dequeue' (AQueue xs (y # ys)) =
- (y, AQueue xs ys)"
- by (simp_all add: strict_dequeue'_def split: list.splits)
-
-text {*
- Observe that on the right hand side of the definition of @{const
- "strict_dequeue'"}, the unspecified constant @{const empty_queue} occurs.
-
- Normally, if constants without any code equations occur in a
- program, the code generator complains (since in most cases this is
- indeed an error). But such constants can also be thought
- of as function definitions which always fail,
- since there is never a successful pattern match on the left hand
- side. In order to categorise a constant into that category
- explicitly, use @{command_def "code_abort"}:
-*}
-
-code_abort %quote empty_queue
-
-text {*
- \noindent Then the code generator will just insert an error or
- exception at the appropriate position:
-*}
-
-text %quotetypewriter {*
- @{code_stmts strict_dequeue' (consts) empty_queue strict_dequeue' (Haskell)}
-*}
-
-text {*
- \noindent This feature however is rarely needed in practice. Note
- also that the HOL default setup already declares @{const undefined}
- as @{command "code_abort"}, which is most likely to be used in such
- situations.
-*}
-
-
-subsection {* If something goes utterly wrong \label{sec:utterly_wrong} *}
-
-text {*
- Under certain circumstances, the code generator fails to produce
- code entirely. To debug these, the following hints may prove
- helpful:
-
- \begin{description}
-
- \ditem{\emph{Check with a different target language}.} Sometimes
- the situation gets more clear if you switch to another target
- language; the code generated there might give some hints what
- prevents the code generator to produce code for the desired
- language.
-
- \ditem{\emph{Inspect code equations}.} Code equations are the central
- carrier of code generation. Most problems occurring while generating
- code can be traced to single equations which are printed as part of
- the error message. A closer inspection of those may offer the key
- for solving issues (cf.~\secref{sec:equations}).
-
- \ditem{\emph{Inspect preprocessor setup}.} The preprocessor might
- transform code equations unexpectedly; to understand an
- inspection of its setup is necessary (cf.~\secref{sec:preproc}).
-
- \ditem{\emph{Generate exceptions}.} If the code generator
- complains about missing code equations, in can be helpful to
- implement the offending constants as exceptions
- (cf.~\secref{sec:partiality}); this allows at least for a formal
- generation of code, whose inspection may then give clues what is
- wrong.
-
- \ditem{\emph{Remove offending code equations}.} If code
- generation is prevented by just a single equation, this can be
- removed (cf.~\secref{sec:equations}) to allow formal code
- generation, whose result in turn can be used to trace the
- problem. The most prominent case here are mismatches in type
- class signatures (\qt{wellsortedness error}).
-
- \end{description}
-*}
-
-end
--- a/doc-src/Codegen/Further.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,351 +0,0 @@
-theory Further
-imports Setup
-begin
-
-section {* Further issues \label{sec:further} *}
-
-subsection {* Specialities of the @{text Scala} target language \label{sec:scala} *}
-
-text {*
- @{text Scala} deviates from languages of the ML family in a couple
- of aspects; those which affect code generation mainly have to do with
- @{text Scala}'s type system:
-
- \begin{itemize}
-
- \item @{text Scala} prefers tupled syntax over curried syntax.
-
- \item @{text Scala} sacrifices Hindely-Milner type inference for a
- much more rich type system with subtyping etc. For this reason
- type arguments sometimes have to be given explicitly in square
- brackets (mimicking System F syntax).
-
- \item In contrast to @{text Haskell} where most specialities of
- the type system are implemented using \emph{type classes},
- @{text Scala} provides a sophisticated system of \emph{implicit
- arguments}.
-
- \end{itemize}
-
- \noindent Concerning currying, the @{text Scala} serializer counts
- arguments in code equations to determine how many arguments
- shall be tupled; remaining arguments and abstractions in terms
- rather than function definitions are always curried.
-
- The second aspect affects user-defined adaptations with @{command
- code_const}. For regular terms, the @{text Scala} serializer prints
- all type arguments explicitly. For user-defined term adaptations
- this is only possible for adaptations which take no arguments: here
- the type arguments are just appended. Otherwise they are ignored;
- hence user-defined adaptations for polymorphic constants have to be
- designed very carefully to avoid ambiguity.
-
- Isabelle's type classes are mapped onto @{text Scala} implicits; in
- cases with diamonds in the subclass hierarchy this can lead to
- ambiguities in the generated code:
-*}
-
-class %quote class1 =
- fixes foo :: "'a \<Rightarrow> 'a"
-
-class %quote class2 = class1
-
-class %quote class3 = class1
-
-text {*
- \noindent Here both @{class class2} and @{class class3} inherit from @{class class1},
- forming the upper part of a diamond.
-*}
-
-definition %quote bar :: "'a :: {class2, class3} \<Rightarrow> 'a" where
- "bar = foo"
-
-text {*
- \noindent This yields the following code:
-*}
-
-text %quotetypewriter {*
- @{code_stmts bar (Scala)}
-*}
-
-text {*
- \noindent This code is rejected by the @{text Scala} compiler: in
- the definition of @{text bar}, it is not clear from where to derive
- the implicit argument for @{text foo}.
-
- The solution to the problem is to close the diamond by a further
- class with inherits from both @{class class2} and @{class class3}:
-*}
-
-class %quote class4 = class2 + class3
-
-text {*
- \noindent Then the offending code equation can be restricted to
- @{class class4}:
-*}
-
-lemma %quote [code]:
- "(bar :: 'a::class4 \<Rightarrow> 'a) = foo"
- by (simp only: bar_def)
-
-text {*
- \noindent with the following code:
-*}
-
-text %quotetypewriter {*
- @{code_stmts bar (Scala)}
-*}
-
-text {*
- \noindent which exposes no ambiguity.
-
- Since the preprocessor (cf.~\secref{sec:preproc}) propagates sort
- constraints through a system of code equations, it is usually not
- very difficult to identify the set of code equations which actually
- needs more restricted sort constraints.
-*}
-
-subsection {* Modules namespace *}
-
-text {*
- When invoking the @{command export_code} command it is possible to
- leave out the @{keyword "module_name"} part; then code is
- distributed over different modules, where the module name space
- roughly is induced by the Isabelle theory name space.
-
- Then sometimes the awkward situation occurs that dependencies
- between definitions introduce cyclic dependencies between modules,
- which in the @{text Haskell} world leaves you to the mercy of the
- @{text Haskell} implementation you are using, while for @{text
- SML}/@{text OCaml} code generation is not possible.
-
- A solution is to declare module names explicitly. Let use assume
- the three cyclically dependent modules are named \emph{A}, \emph{B}
- and \emph{C}. Then, by stating
-*}
-
-code_modulename %quote SML
- A ABC
- B ABC
- C ABC
-
-text {*
- \noindent we explicitly map all those modules on \emph{ABC},
- resulting in an ad-hoc merge of this three modules at serialisation
- time.
-*}
-
-subsection {* Locales and interpretation *}
-
-text {*
- A technical issue comes to surface when generating code from
- specifications stemming from locale interpretation.
-
- Let us assume a locale specifying a power operation on arbitrary
- types:
-*}
-
-locale %quote power =
- fixes power :: "'a \<Rightarrow> 'b \<Rightarrow> 'b"
- assumes power_commute: "power x \<circ> power y = power y \<circ> power x"
-begin
-
-text {*
- \noindent Inside that locale we can lift @{text power} to exponent
- lists by means of specification relative to that locale:
-*}
-
-primrec %quote powers :: "'a list \<Rightarrow> 'b \<Rightarrow> 'b" where
- "powers [] = id"
-| "powers (x # xs) = power x \<circ> powers xs"
-
-lemma %quote powers_append:
- "powers (xs @ ys) = powers xs \<circ> powers ys"
- by (induct xs) simp_all
-
-lemma %quote powers_power:
- "powers xs \<circ> power x = power x \<circ> powers xs"
- by (induct xs)
- (simp_all del: o_apply id_apply add: o_assoc [symmetric],
- simp del: o_apply add: o_assoc power_commute)
-
-lemma %quote powers_rev:
- "powers (rev xs) = powers xs"
- by (induct xs) (simp_all add: powers_append powers_power)
-
-end %quote
-
-text {*
- After an interpretation of this locale (say, @{command_def
- interpretation} @{text "fun_power:"} @{term [source] "power (\<lambda>n (f
- :: 'a \<Rightarrow> 'a). f ^^ n)"}), one would expect to have a constant @{text
- "fun_power.powers :: nat list \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a"} for which code
- can be generated. But this not the case: internally, the term
- @{text "fun_power.powers"} is an abbreviation for the foundational
- term @{term [source] "power.powers (\<lambda>n (f :: 'a \<Rightarrow> 'a). f ^^ n)"}
- (see \cite{isabelle-locale} for the details behind).
-
- Fortunately, with minor effort the desired behaviour can be
- achieved. First, a dedicated definition of the constant on which
- the local @{text "powers"} after interpretation is supposed to be
- mapped on:
-*}
-
-definition %quote funpows :: "nat list \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a" where
- [code del]: "funpows = power.powers (\<lambda>n f. f ^^ n)"
-
-text {*
- \noindent In general, the pattern is @{text "c = t"} where @{text c}
- is the name of the future constant and @{text t} the foundational
- term corresponding to the local constant after interpretation.
-
- The interpretation itself is enriched with an equation @{text "t = c"}:
-*}
-
-interpretation %quote fun_power: power "\<lambda>n (f :: 'a \<Rightarrow> 'a). f ^^ n" where
- "power.powers (\<lambda>n f. f ^^ n) = funpows"
- by unfold_locales
- (simp_all add: fun_eq_iff funpow_mult mult_commute funpows_def)
-
-text {*
- \noindent This additional equation is trivially proved by the
- definition itself.
-
- After this setup procedure, code generation can continue as usual:
-*}
-
-text %quotetypewriter {*
- @{code_stmts funpows (consts) Nat.funpow funpows (Haskell)}
-*}
-
-
-subsection {* Imperative data structures *}
-
-text {*
- If you consider imperative data structures as inevitable for a
- specific application, you should consider \emph{Imperative
- Functional Programming with Isabelle/HOL}
- \cite{bulwahn-et-al:2008:imperative}; the framework described there
- is available in session @{text Imperative_HOL}, together with a
- short primer document.
-*}
-
-
-subsection {* ML system interfaces \label{sec:ml} *}
-
-text {*
- Since the code generator framework not only aims to provide a nice
- Isar interface but also to form a base for code-generation-based
- applications, here a short description of the most fundamental ML
- interfaces.
-*}
-
-subsubsection {* Managing executable content *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Code.read_const: "theory -> string -> string"} \\
- @{index_ML Code.add_eqn: "thm -> theory -> theory"} \\
- @{index_ML Code.del_eqn: "thm -> theory -> theory"} \\
- @{index_ML Code_Preproc.map_pre: "(simpset -> simpset) -> theory -> theory"} \\
- @{index_ML Code_Preproc.map_post: "(simpset -> simpset) -> theory -> theory"} \\
- @{index_ML Code_Preproc.add_functrans: "
- string * (theory -> (thm * bool) list -> (thm * bool) list option)
- -> theory -> theory"} \\
- @{index_ML Code_Preproc.del_functrans: "string -> theory -> theory"} \\
- @{index_ML Code.add_datatype: "(string * typ) list -> theory -> theory"} \\
- @{index_ML Code.get_type: "theory -> string
- -> ((string * sort) list * (string * ((string * sort) list * typ list)) list) * bool"} \\
- @{index_ML Code.get_type_of_constr_or_abstr: "theory -> string -> (string * bool) option"}
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Code.read_const}~@{text thy}~@{text s}
- reads a constant as a concrete term expression @{text s}.
-
- \item @{ML Code.add_eqn}~@{text "thm"}~@{text "thy"} adds function
- theorem @{text "thm"} to executable content.
-
- \item @{ML Code.del_eqn}~@{text "thm"}~@{text "thy"} removes function
- theorem @{text "thm"} from executable content, if present.
-
- \item @{ML Code_Preproc.map_pre}~@{text "f"}~@{text "thy"} changes
- the preprocessor simpset.
-
- \item @{ML Code_Preproc.add_functrans}~@{text "(name, f)"}~@{text "thy"} adds
- function transformer @{text f} (named @{text name}) to executable content;
- @{text f} is a transformer of the code equations belonging
- to a certain function definition, depending on the
- current theory context. Returning @{text NONE} indicates that no
- transformation took place; otherwise, the whole process will be iterated
- with the new code equations.
-
- \item @{ML Code_Preproc.del_functrans}~@{text "name"}~@{text "thy"} removes
- function transformer named @{text name} from executable content.
-
- \item @{ML Code.add_datatype}~@{text cs}~@{text thy} adds
- a datatype to executable content, with generation
- set @{text cs}.
-
- \item @{ML Code.get_type_of_constr_or_abstr}~@{text "thy"}~@{text "const"}
- returns type constructor corresponding to
- constructor @{text const}; returns @{text NONE}
- if @{text const} is no constructor.
-
- \end{description}
-*}
-
-
-subsubsection {* Data depending on the theory's executable content *}
-
-text {*
- Implementing code generator applications on top of the framework set
- out so far usually not only involves using those primitive
- interfaces but also storing code-dependent data and various other
- things.
-
- Due to incrementality of code generation, changes in the theory's
- executable content have to be propagated in a certain fashion.
- Additionally, such changes may occur not only during theory
- extension but also during theory merge, which is a little bit nasty
- from an implementation point of view. The framework provides a
- solution to this technical challenge by providing a functorial data
- slot @{ML_functor Code_Data}; on instantiation of this functor, the
- following types and operations are required:
-
- \medskip
- \begin{tabular}{l}
- @{text "type T"} \\
- @{text "val empty: T"} \\
- \end{tabular}
-
- \begin{description}
-
- \item @{text T} the type of data to store.
-
- \item @{text empty} initial (empty) data.
-
- \end{description}
-
- \noindent An instance of @{ML_functor Code_Data} provides the
- following interface:
-
- \medskip
- \begin{tabular}{l}
- @{text "change: theory \<rightarrow> (T \<rightarrow> T) \<rightarrow> T"} \\
- @{text "change_yield: theory \<rightarrow> (T \<rightarrow> 'a * T) \<rightarrow> 'a * T"}
- \end{tabular}
-
- \begin{description}
-
- \item @{text change} update of current data (cached!) by giving a
- continuation.
-
- \item @{text change_yield} update with side result.
-
- \end{description}
-*}
-
-end
-
--- a/doc-src/Codegen/Inductive_Predicate.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,275 +0,0 @@
-theory Inductive_Predicate
-imports Setup
-begin
-
-(*<*)
-hide_const %invisible append
-
-inductive %invisible append where
- "append [] ys ys"
-| "append xs ys zs \<Longrightarrow> append (x # xs) ys (x # zs)"
-
-lemma %invisible append: "append xs ys zs = (xs @ ys = zs)"
- by (induct xs arbitrary: ys zs) (auto elim: append.cases intro: append.intros)
-
-lemmas lexordp_def =
- lexordp_def [unfolded lexord_def mem_Collect_eq split]
-(*>*)
-
-section {* Inductive Predicates \label{sec:inductive} *}
-
-text {*
- The @{text "predicate compiler"} is an extension of the code generator
- which turns inductive specifications into equational ones, from
- which in turn executable code can be generated. The mechanisms of
- this compiler are described in detail in
- \cite{Berghofer-Bulwahn-Haftmann:2009:TPHOL}.
-
- Consider the simple predicate @{const append} given by these two
- introduction rules:
-*}
-
-text %quote {*
- @{thm append.intros(1)[of ys]} \\
- @{thm append.intros(2)[of xs ys zs x]}
-*}
-
-text {*
- \noindent To invoke the compiler, simply use @{command_def "code_pred"}:
-*}
-
-code_pred %quote append .
-
-text {*
- \noindent The @{command "code_pred"} command takes the name of the
- inductive predicate and then you put a period to discharge a trivial
- correctness proof. The compiler infers possible modes for the
- predicate and produces the derived code equations. Modes annotate
- which (parts of the) arguments are to be taken as input, and which
- output. Modes are similar to types, but use the notation @{text "i"}
- for input and @{text "o"} for output.
-
- For @{term "append"}, the compiler can infer the following modes:
- \begin{itemize}
- \item @{text "i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> bool"}
- \item @{text "i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}
- \item @{text "o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool"}
- \end{itemize}
- You can compute sets of predicates using @{command_def "values"}:
-*}
-
-values %quote "{zs. append [(1::nat),2,3] [4,5] zs}"
-
-text {* \noindent outputs @{text "{[1, 2, 3, 4, 5]}"}, and *}
-
-values %quote "{(xs, ys). append xs ys [(2::nat),3]}"
-
-text {* \noindent outputs @{text "{([], [2, 3]), ([2], [3]), ([2, 3], [])}"}. *}
-
-text {*
- \noindent If you are only interested in the first elements of the
- set comprehension (with respect to a depth-first search on the
- introduction rules), you can pass an argument to @{command "values"}
- to specify the number of elements you want:
-*}
-
-values %quote 1 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"
-values %quote 3 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"
-
-text {*
- \noindent The @{command "values"} command can only compute set
- comprehensions for which a mode has been inferred.
-
- The code equations for a predicate are made available as theorems with
- the suffix @{text "equation"}, and can be inspected with:
-*}
-
-thm %quote append.equation
-
-text {*
- \noindent More advanced options are described in the following subsections.
-*}
-
-subsection {* Alternative names for functions *}
-
-text {*
- By default, the functions generated from a predicate are named after
- the predicate with the mode mangled into the name (e.g., @{text
- "append_i_i_o"}). You can specify your own names as follows:
-*}
-
-code_pred %quote (modes: i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool as concat,
- o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as split,
- i \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as suffix) append .
-
-subsection {* Alternative introduction rules *}
-
-text {*
- Sometimes the introduction rules of an predicate are not executable
- because they contain non-executable constants or specific modes
- could not be inferred. It is also possible that the introduction
- rules yield a function that loops forever due to the execution in a
- depth-first search manner. Therefore, you can declare alternative
- introduction rules for predicates with the attribute @{attribute
- "code_pred_intro"}. For example, the transitive closure is defined
- by:
-*}
-
-text %quote {*
- @{lemma [source] "r a b \<Longrightarrow> tranclp r a b" by (fact tranclp.intros(1))}\\
- @{lemma [source] "tranclp r a b \<Longrightarrow> r b c \<Longrightarrow> tranclp r a c" by (fact tranclp.intros(2))}
-*}
-
-text {*
- \noindent These rules do not suit well for executing the transitive
- closure with the mode @{text "(i \<Rightarrow> o \<Rightarrow> bool) \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}, as
- the second rule will cause an infinite loop in the recursive call.
- This can be avoided using the following alternative rules which are
- declared to the predicate compiler by the attribute @{attribute
- "code_pred_intro"}:
-*}
-
-lemma %quote [code_pred_intro]:
- "r a b \<Longrightarrow> tranclp r a b"
- "r a b \<Longrightarrow> tranclp r b c \<Longrightarrow> tranclp r a c"
-by auto
-
-text {*
- \noindent After declaring all alternative rules for the transitive
- closure, you invoke @{command "code_pred"} as usual. As you have
- declared alternative rules for the predicate, you are urged to prove
- that these introduction rules are complete, i.e., that you can
- derive an elimination rule for the alternative rules:
-*}
-
-code_pred %quote tranclp
-proof -
- case tranclp
- from this converse_tranclpE [OF tranclp.prems] show thesis by metis
-qed
-
-text {*
- \noindent Alternative rules can also be used for constants that have
- not been defined inductively. For example, the lexicographic order
- which is defined as:
-*}
-
-text %quote {*
- @{thm [display] lexordp_def [of r]}
-*}
-
-text {*
- \noindent To make it executable, you can derive the following two
- rules and prove the elimination rule:
-*}
-
-lemma %quote [code_pred_intro]:
- "append xs (a # v) ys \<Longrightarrow> lexordp r xs ys"
-(*<*)unfolding lexordp_def by (auto simp add: append)(*>*)
-
-lemma %quote [code_pred_intro]:
- "append u (a # v) xs \<Longrightarrow> append u (b # w) ys \<Longrightarrow> r a b
- \<Longrightarrow> lexordp r xs ys"
-(*<*)unfolding lexordp_def append apply simp
-apply (rule disjI2) by auto(*>*)
-
-code_pred %quote lexordp
-(*<*)proof -
- fix r xs ys
- assume lexord: "lexordp r xs ys"
- assume 1: "\<And>r' xs' ys' a v. r = r' \<Longrightarrow> xs = xs' \<Longrightarrow> ys = ys'
- \<Longrightarrow> append xs' (a # v) ys' \<Longrightarrow> thesis"
- assume 2: "\<And>r' xs' ys' u a v b w. r = r' \<Longrightarrow> xs = xs' \<Longrightarrow> ys = ys'
- \<Longrightarrow> append u (a # v) xs' \<Longrightarrow> append u (b # w) ys' \<Longrightarrow> r' a b \<Longrightarrow> thesis"
- {
- assume "\<exists>a v. ys = xs @ a # v"
- from this 1 have thesis
- by (fastforce simp add: append)
- } moreover
- {
- assume "\<exists>u a b v w. r a b \<and> xs = u @ a # v \<and> ys = u @ b # w"
- from this 2 have thesis by (fastforce simp add: append)
- } moreover
- note lexord
- ultimately show thesis
- unfolding lexordp_def
- by fastforce
-qed(*>*)
-
-
-subsection {* Options for values *}
-
-text {*
- In the presence of higher-order predicates, multiple modes for some
- predicate could be inferred that are not disambiguated by the
- pattern of the set comprehension. To disambiguate the modes for the
- arguments of a predicate, you can state the modes explicitly in the
- @{command "values"} command. Consider the simple predicate @{term
- "succ"}:
-*}
-
-inductive %quote succ :: "nat \<Rightarrow> nat \<Rightarrow> bool" where
- "succ 0 (Suc 0)"
-| "succ x y \<Longrightarrow> succ (Suc x) (Suc y)"
-
-code_pred %quote succ .
-
-text {*
- \noindent For this, the predicate compiler can infer modes @{text "o
- \<Rightarrow> o \<Rightarrow> bool"}, @{text "i \<Rightarrow> o \<Rightarrow> bool"}, @{text "o \<Rightarrow> i \<Rightarrow> bool"} and
- @{text "i \<Rightarrow> i \<Rightarrow> bool"}. The invocation of @{command "values"}
- @{text "{n. tranclp succ 10 n}"} loops, as multiple modes for the
- predicate @{text "succ"} are possible and here the first mode @{text
- "o \<Rightarrow> o \<Rightarrow> bool"} is chosen. To choose another mode for the argument,
- you can declare the mode for the argument between the @{command
- "values"} and the number of elements.
-*}
-
-values %quote [mode: i \<Rightarrow> o \<Rightarrow> bool] 1 "{n. tranclp succ 10 n}" (*FIMXE does not terminate for n\<ge>1*)
-values %quote [mode: o \<Rightarrow> i \<Rightarrow> bool] 1 "{n. tranclp succ n 10}"
-
-
-subsection {* Embedding into functional code within Isabelle/HOL *}
-
-text {*
- To embed the computation of an inductive predicate into functions
- that are defined in Isabelle/HOL, you have a number of options:
-
- \begin{itemize}
-
- \item You want to use the first-order predicate with the mode
- where all arguments are input. Then you can use the predicate directly, e.g.
-
- \begin{quote}
- @{text "valid_suffix ys zs = "} \\
- @{text "(if append [Suc 0, 2] ys zs then Some ys else None)"}
- \end{quote}
-
- \item If you know that the execution returns only one value (it is
- deterministic), then you can use the combinator @{term
- "Predicate.the"}, e.g., a functional concatenation of lists is
- defined with
-
- \begin{quote}
- @{term "functional_concat xs ys = Predicate.the (append_i_i_o xs ys)"}
- \end{quote}
-
- Note that if the evaluation does not return a unique value, it
- raises a run-time error @{term "not_unique"}.
-
- \end{itemize}
-*}
-
-
-subsection {* Further Examples *}
-
-text {*
- Further examples for compiling inductive predicates can be found in
- the @{text "HOL/ex/Predicate_Compile_ex.thy"} theory file. There are
- also some examples in the Archive of Formal Proofs, notably in the
- @{text "POPLmark-deBruijn"} and the @{text "FeatherweightJava"}
- sessions.
-*}
-
-end
-
--- a/doc-src/Codegen/Introduction.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,242 +0,0 @@
-theory Introduction
-imports Setup
-begin
-
-section {* Introduction *}
-
-text {*
- This tutorial introduces the code generator facilities of @{text
- "Isabelle/HOL"}. It allows to turn (a certain class of) HOL
- specifications into corresponding executable code in the programming
- languages @{text SML} \cite{SML}, @{text OCaml} \cite{OCaml},
- @{text Haskell} \cite{haskell-revised-report} and @{text Scala}
- \cite{scala-overview-tech-report}.
-
- To profit from this tutorial, some familiarity and experience with
- @{theory HOL} \cite{isa-tutorial} and its basic theories is assumed.
-*}
-
-
-subsection {* Code generation principle: shallow embedding \label{sec:principle} *}
-
-text {*
- The key concept for understanding Isabelle's code generation is
- \emph{shallow embedding}: logical entities like constants, types and
- classes are identified with corresponding entities in the target
- language. In particular, the carrier of a generated program's
- semantics are \emph{equational theorems} from the logic. If we view
- a generated program as an implementation of a higher-order rewrite
- system, then every rewrite step performed by the program can be
- simulated in the logic, which guarantees partial correctness
- \cite{Haftmann-Nipkow:2010:code}.
-*}
-
-
-subsection {* A quick start with the Isabelle/HOL toolbox \label{sec:queue_example} *}
-
-text {*
- In a HOL theory, the @{command_def datatype} and @{command_def
- definition}/@{command_def primrec}/@{command_def fun} declarations
- form the core of a functional programming language. By default
- equational theorems stemming from those are used for generated code,
- therefore \qt{naive} code generation can proceed without further
- ado.
-
- For example, here a simple \qt{implementation} of amortised queues:
-*}
-
-datatype %quote 'a queue = AQueue "'a list" "'a list"
-
-definition %quote empty :: "'a queue" where
- "empty = AQueue [] []"
-
-primrec %quote enqueue :: "'a \<Rightarrow> 'a queue \<Rightarrow> 'a queue" where
- "enqueue x (AQueue xs ys) = AQueue (x # xs) ys"
-
-fun %quote dequeue :: "'a queue \<Rightarrow> 'a option \<times> 'a queue" where
- "dequeue (AQueue [] []) = (None, AQueue [] [])"
- | "dequeue (AQueue xs (y # ys)) = (Some y, AQueue xs ys)"
- | "dequeue (AQueue xs []) =
- (case rev xs of y # ys \<Rightarrow> (Some y, AQueue [] ys))" (*<*)
-
-lemma %invisible dequeue_nonempty_Nil [simp]:
- "xs \<noteq> [] \<Longrightarrow> dequeue (AQueue xs []) = (case rev xs of y # ys \<Rightarrow> (Some y, AQueue [] ys))"
- by (cases xs) (simp_all split: list.splits) (*>*)
-
-text {* \noindent Then we can generate code e.g.~for @{text SML} as follows: *}
-
-export_code %quote empty dequeue enqueue in SML
- module_name Example file "examples/example.ML"
-
-text {* \noindent resulting in the following code: *}
-
-text %quotetypewriter {*
- @{code_stmts empty enqueue dequeue (SML)}
-*}
-
-text {*
- \noindent The @{command_def export_code} command takes a
- space-separated list of constants for which code shall be generated;
- anything else needed for those is added implicitly. Then follows a
- target language identifier and a freely chosen module name. A file
- name denotes the destination to store the generated code. Note that
- the semantics of the destination depends on the target language: for
- @{text SML}, @{text OCaml} and @{text Scala} it denotes a \emph{file},
- for @{text Haskell} it denotes a \emph{directory} where a file named as the
- module name (with extension @{text ".hs"}) is written:
-*}
-
-export_code %quote empty dequeue enqueue in Haskell
- module_name Example file "examples/"
-
-text {*
- \noindent This is the corresponding code:
-*}
-
-text %quotetypewriter {*
- @{code_stmts empty enqueue dequeue (Haskell)}
-*}
-
-text {*
- \noindent For more details about @{command export_code} see
- \secref{sec:further}.
-*}
-
-
-subsection {* Type classes *}
-
-text {*
- Code can also be generated from type classes in a Haskell-like
- manner. For illustration here an example from abstract algebra:
-*}
-
-class %quote semigroup =
- fixes mult :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "\<otimes>" 70)
- assumes assoc: "(x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"
-
-class %quote monoid = semigroup +
- fixes neutral :: 'a ("\<one>")
- assumes neutl: "\<one> \<otimes> x = x"
- and neutr: "x \<otimes> \<one> = x"
-
-instantiation %quote nat :: monoid
-begin
-
-primrec %quote mult_nat where
- "0 \<otimes> n = (0\<Colon>nat)"
- | "Suc m \<otimes> n = n + m \<otimes> n"
-
-definition %quote neutral_nat where
- "\<one> = Suc 0"
-
-lemma %quote add_mult_distrib:
- fixes n m q :: nat
- shows "(n + m) \<otimes> q = n \<otimes> q + m \<otimes> q"
- by (induct n) simp_all
-
-instance %quote proof
- fix m n q :: nat
- show "m \<otimes> n \<otimes> q = m \<otimes> (n \<otimes> q)"
- by (induct m) (simp_all add: add_mult_distrib)
- show "\<one> \<otimes> n = n"
- by (simp add: neutral_nat_def)
- show "m \<otimes> \<one> = m"
- by (induct m) (simp_all add: neutral_nat_def)
-qed
-
-end %quote
-
-text {*
- \noindent We define the natural operation of the natural numbers
- on monoids:
-*}
-
-primrec %quote (in monoid) pow :: "nat \<Rightarrow> 'a \<Rightarrow> 'a" where
- "pow 0 a = \<one>"
- | "pow (Suc n) a = a \<otimes> pow n a"
-
-text {*
- \noindent This we use to define the discrete exponentiation
- function:
-*}
-
-definition %quote bexp :: "nat \<Rightarrow> nat" where
- "bexp n = pow n (Suc (Suc 0))"
-
-text {*
- \noindent The corresponding code in Haskell uses that language's
- native classes:
-*}
-
-text %quotetypewriter {*
- @{code_stmts bexp (Haskell)}
-*}
-
-text {*
- \noindent This is a convenient place to show how explicit dictionary
- construction manifests in generated code -- the same example in
- @{text SML}:
-*}
-
-text %quotetypewriter {*
- @{code_stmts bexp (SML)}
-*}
-
-text {*
- \noindent Note the parameters with trailing underscore (@{verbatim
- "A_"}), which are the dictionary parameters.
-*}
-
-
-subsection {* How to continue from here *}
-
-text {*
- What you have seen so far should be already enough in a lot of
- cases. If you are content with this, you can quit reading here.
-
- Anyway, to understand situations where problems occur or to increase
- the scope of code generation beyond default, it is necessary to gain
- some understanding how the code generator actually works:
-
- \begin{itemize}
-
- \item The foundations of the code generator are described in
- \secref{sec:foundations}.
-
- \item In particular \secref{sec:utterly_wrong} gives hints how to
- debug situations where code generation does not succeed as
- expected.
-
- \item The scope and quality of generated code can be increased
- dramatically by applying refinement techniques, which are
- introduced in \secref{sec:refinement}.
-
- \item Inductive predicates can be turned executable using an
- extension of the code generator \secref{sec:inductive}.
-
- \item If you want to utilize code generation to obtain fast
- evaluators e.g.~for decision procedures, have a look at
- \secref{sec:evaluation}.
-
- \item You may want to skim over the more technical sections
- \secref{sec:adaptation} and \secref{sec:further}.
-
- \item The target language Scala \cite{scala-overview-tech-report}
- comes with some specialities discussed in \secref{sec:scala}.
-
- \item For exhaustive syntax diagrams etc. you should visit the
- Isabelle/Isar Reference Manual \cite{isabelle-isar-ref}.
-
- \end{itemize}
-
- \bigskip
-
- \begin{center}\fbox{\fbox{\begin{minipage}{8cm}
-
- \begin{center}\textit{Happy proving, happy hacking!}\end{center}
-
- \end{minipage}}}\end{center}
-*}
-
-end
-
--- a/doc-src/Codegen/Refinement.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,274 +0,0 @@
-theory Refinement
-imports Setup
-begin
-
-section {* Program and datatype refinement \label{sec:refinement} *}
-
-text {*
- Code generation by shallow embedding (cf.~\secref{sec:principle})
- allows to choose code equations and datatype constructors freely,
- given that some very basic syntactic properties are met; this
- flexibility opens up mechanisms for refinement which allow to extend
- the scope and quality of generated code dramatically.
-*}
-
-
-subsection {* Program refinement *}
-
-text {*
- Program refinement works by choosing appropriate code equations
- explicitly (cf.~\secref{sec:equations}); as example, we use Fibonacci
- numbers:
-*}
-
-fun %quote fib :: "nat \<Rightarrow> nat" where
- "fib 0 = 0"
- | "fib (Suc 0) = Suc 0"
- | "fib (Suc (Suc n)) = fib n + fib (Suc n)"
-
-text {*
- \noindent The runtime of the corresponding code grows exponential due
- to two recursive calls:
-*}
-
-text %quotetypewriter {*
- @{code_stmts fib (consts) fib (Haskell)}
-*}
-
-text {*
- \noindent A more efficient implementation would use dynamic
- programming, e.g.~sharing of common intermediate results between
- recursive calls. This idea is expressed by an auxiliary operation
- which computes a Fibonacci number and its successor simultaneously:
-*}
-
-definition %quote fib_step :: "nat \<Rightarrow> nat \<times> nat" where
- "fib_step n = (fib (Suc n), fib n)"
-
-text {*
- \noindent This operation can be implemented by recursion using
- dynamic programming:
-*}
-
-lemma %quote [code]:
- "fib_step 0 = (Suc 0, 0)"
- "fib_step (Suc n) = (let (m, q) = fib_step n in (m + q, m))"
- by (simp_all add: fib_step_def)
-
-text {*
- \noindent What remains is to implement @{const fib} by @{const
- fib_step} as follows:
-*}
-
-lemma %quote [code]:
- "fib 0 = 0"
- "fib (Suc n) = fst (fib_step n)"
- by (simp_all add: fib_step_def)
-
-text {*
- \noindent The resulting code shows only linear growth of runtime:
-*}
-
-text %quotetypewriter {*
- @{code_stmts fib (consts) fib fib_step (Haskell)}
-*}
-
-
-subsection {* Datatype refinement *}
-
-text {*
- Selecting specific code equations \emph{and} datatype constructors
- leads to datatype refinement. As an example, we will develop an
- alternative representation of the queue example given in
- \secref{sec:queue_example}. The amortised representation is
- convenient for generating code but exposes its \qt{implementation}
- details, which may be cumbersome when proving theorems about it.
- Therefore, here is a simple, straightforward representation of
- queues:
-*}
-
-datatype %quote 'a queue = Queue "'a list"
-
-definition %quote empty :: "'a queue" where
- "empty = Queue []"
-
-primrec %quote enqueue :: "'a \<Rightarrow> 'a queue \<Rightarrow> 'a queue" where
- "enqueue x (Queue xs) = Queue (xs @ [x])"
-
-fun %quote dequeue :: "'a queue \<Rightarrow> 'a option \<times> 'a queue" where
- "dequeue (Queue []) = (None, Queue [])"
- | "dequeue (Queue (x # xs)) = (Some x, Queue xs)"
-
-text {*
- \noindent This we can use directly for proving; for executing,
- we provide an alternative characterisation:
-*}
-
-definition %quote AQueue :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a queue" where
- "AQueue xs ys = Queue (ys @ rev xs)"
-
-code_datatype %quote AQueue
-
-text {*
- \noindent Here we define a \qt{constructor} @{const "AQueue"} which
- is defined in terms of @{text "Queue"} and interprets its arguments
- according to what the \emph{content} of an amortised queue is supposed
- to be.
-
- The prerequisite for datatype constructors is only syntactical: a
- constructor must be of type @{text "\<tau> = \<dots> \<Rightarrow> \<kappa> \<alpha>\<^isub>1 \<dots> \<alpha>\<^isub>n"} where @{text
- "{\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>n}"} is exactly the set of \emph{all} type variables in
- @{text "\<tau>"}; then @{text "\<kappa>"} is its corresponding datatype. The
- HOL datatype package by default registers any new datatype with its
- constructors, but this may be changed using @{command_def
- code_datatype}; the currently chosen constructors can be inspected
- using the @{command print_codesetup} command.
-
- Equipped with this, we are able to prove the following equations
- for our primitive queue operations which \qt{implement} the simple
- queues in an amortised fashion:
-*}
-
-lemma %quote empty_AQueue [code]:
- "empty = AQueue [] []"
- by (simp add: AQueue_def empty_def)
-
-lemma %quote enqueue_AQueue [code]:
- "enqueue x (AQueue xs ys) = AQueue (x # xs) ys"
- by (simp add: AQueue_def)
-
-lemma %quote dequeue_AQueue [code]:
- "dequeue (AQueue xs []) =
- (if xs = [] then (None, AQueue [] [])
- else dequeue (AQueue [] (rev xs)))"
- "dequeue (AQueue xs (y # ys)) = (Some y, AQueue xs ys)"
- by (simp_all add: AQueue_def)
-
-text {*
- \noindent It is good style, although no absolute requirement, to
- provide code equations for the original artefacts of the implemented
- type, if possible; in our case, these are the datatype constructor
- @{const Queue} and the case combinator @{const queue_case}:
-*}
-
-lemma %quote Queue_AQueue [code]:
- "Queue = AQueue []"
- by (simp add: AQueue_def fun_eq_iff)
-
-lemma %quote queue_case_AQueue [code]:
- "queue_case f (AQueue xs ys) = f (ys @ rev xs)"
- by (simp add: AQueue_def)
-
-text {*
- \noindent The resulting code looks as expected:
-*}
-
-text %quotetypewriter {*
- @{code_stmts empty enqueue dequeue Queue queue_case (SML)}
-*}
-
-text {*
- The same techniques can also be applied to types which are not
- specified as datatypes, e.g.~type @{typ int} is originally specified
- as quotient type by means of @{command_def typedef}, but for code
- generation constants allowing construction of binary numeral values
- are used as constructors for @{typ int}.
-
- This approach however fails if the representation of a type demands
- invariants; this issue is discussed in the next section.
-*}
-
-
-subsection {* Datatype refinement involving invariants \label{sec:invariant} *}
-
-text {*
- Datatype representation involving invariants require a dedicated
- setup for the type and its primitive operations. As a running
- example, we implement a type @{text "'a dlist"} of list consisting
- of distinct elements.
-
- The first step is to decide on which representation the abstract
- type (in our example @{text "'a dlist"}) should be implemented.
- Here we choose @{text "'a list"}. Then a conversion from the concrete
- type to the abstract type must be specified, here:
-*}
-
-text %quote {*
- @{term_type Dlist}
-*}
-
-text {*
- \noindent Next follows the specification of a suitable \emph{projection},
- i.e.~a conversion from abstract to concrete type:
-*}
-
-text %quote {*
- @{term_type list_of_dlist}
-*}
-
-text {*
- \noindent This projection must be specified such that the following
- \emph{abstract datatype certificate} can be proven:
-*}
-
-lemma %quote [code abstype]:
- "Dlist (list_of_dlist dxs) = dxs"
- by (fact Dlist_list_of_dlist)
-
-text {*
- \noindent Note that so far the invariant on representations
- (@{term_type distinct}) has never been mentioned explicitly:
- the invariant is only referred to implicitly: all values in
- set @{term "{xs. list_of_dlist (Dlist xs) = xs}"} are invariant,
- and in our example this is exactly @{term "{xs. distinct xs}"}.
-
- The primitive operations on @{typ "'a dlist"} are specified
- indirectly using the projection @{const list_of_dlist}. For
- the empty @{text "dlist"}, @{const Dlist.empty}, we finally want
- the code equation
-*}
-
-text %quote {*
- @{term "Dlist.empty = Dlist []"}
-*}
-
-text {*
- \noindent This we have to prove indirectly as follows:
-*}
-
-lemma %quote [code abstract]:
- "list_of_dlist Dlist.empty = []"
- by (fact list_of_dlist_empty)
-
-text {*
- \noindent This equation logically encodes both the desired code
- equation and that the expression @{const Dlist} is applied to obeys
- the implicit invariant. Equations for insertion and removal are
- similar:
-*}
-
-lemma %quote [code abstract]:
- "list_of_dlist (Dlist.insert x dxs) = List.insert x (list_of_dlist dxs)"
- by (fact list_of_dlist_insert)
-
-lemma %quote [code abstract]:
- "list_of_dlist (Dlist.remove x dxs) = remove1 x (list_of_dlist dxs)"
- by (fact list_of_dlist_remove)
-
-text {*
- \noindent Then the corresponding code is as follows:
-*}
-
-text %quotetypewriter {*
- @{code_stmts Dlist.empty Dlist.insert Dlist.remove list_of_dlist (Haskell)}
-*} (*(types) dlist (consts) dempty dinsert dremove list_of List.member insert remove *)
-
-text {*
- Typical data structures implemented by representations involving
- invariants are available in the library, theory @{theory Mapping}
- specifies key-value-mappings (type @{typ "('a, 'b) mapping"});
- these can be implemented by red-black-trees (theory @{theory RBT}).
-*}
-
-end
-
--- a/doc-src/Codegen/Setup.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,37 +0,0 @@
-theory Setup
-imports
- Complex_Main
- "~~/src/HOL/Library/Dlist"
- "~~/src/HOL/Library/RBT"
- "~~/src/HOL/Library/Mapping"
-begin
-
-(* FIXME avoid writing into source directory *)
-ML {*
- Isabelle_System.mkdirs (Path.append (Thy_Load.master_directory @{theory}) (Path.basic "examples"))
-*}
-
-ML_file "../antiquote_setup.ML"
-ML_file "../more_antiquote.ML"
-
-setup {*
- Antiquote_Setup.setup #>
- More_Antiquote.setup #>
-let
- val typ = Simple_Syntax.read_typ;
-in
- Sign.del_modesyntax_i (Symbol.xsymbolsN, false)
- [("_constrain", typ "logic => type => logic", Mixfix ("_\<Colon>_", [4, 0], 3)),
- ("_constrain", typ "prop' => type => prop'", Mixfix ("_\<Colon>_", [4, 0], 3))] #>
- Sign.add_modesyntax_i (Symbol.xsymbolsN, false)
- [("_constrain", typ "logic => type => logic", Mixfix ("_ \<Colon> _", [4, 0], 3)),
- ("_constrain", typ "prop' => type => prop'", Mixfix ("_ \<Colon> _", [4, 0], 3))]
-end
-*}
-
-setup {* Code_Target.set_default_code_width 74 *}
-
-declare [[names_unique = false]]
-
-end
-
--- a/doc-src/Codegen/document/adapt.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,52 +0,0 @@
-
-\documentclass[12pt]{article}
-\usepackage{tikz}
-
-\begin{document}
-
-\thispagestyle{empty}
-\setlength{\fboxrule}{0.01pt}
-\setlength{\fboxsep}{4pt}
-
-\fcolorbox{white}{white}{
-
-\begin{tikzpicture}[scale = 0.5]
- \tikzstyle water=[color = blue, thick]
- \tikzstyle ice=[color = black, very thick, cap = round, join = round, fill = white]
- \tikzstyle process=[color = green, semithick, ->]
- \tikzstyle adaptation=[color = red, semithick, ->]
- \tikzstyle target=[color = black]
- \foreach \x in {0, ..., 24}
- \draw[style=water] (\x, 0.25) sin + (0.25, 0.25) cos + (0.25, -0.25) sin
- + (0.25, -0.25) cos + (0.25, 0.25);
- \draw[style=ice] (1, 0) --
- (3, 6) node[above, fill=white] {logic} -- (5, 0) -- cycle;
- \draw[style=ice] (9, 0) --
- (11, 6) node[above, fill=white] {intermediate language} -- (13, 0) -- cycle;
- \draw[style=ice] (15, -6) --
- (19, 6) node[above, fill=white] {target language} -- (23, -6) -- cycle;
- \draw[style=process]
- (3.5, 3) .. controls (7, 5) .. node[fill=white] {translation} (10.5, 3);
- \draw[style=process]
- (11.5, 3) .. controls (15, 5) .. node[fill=white] (serialisation) {serialisation} (18.5, 3);
- \node (adaptation) at (11, -2) [style=adaptation] {adaptation};
- \node at (19, 3) [rotate=90] {generated};
- \node at (19.5, -5) {language};
- \node at (19.5, -3) {library};
- \node (includes) at (19.5, -1) {includes};
- \node (reserved) at (16.5, -3) [rotate=72] {reserved}; % proper 71.57
- \draw[style=process]
- (includes) -- (serialisation);
- \draw[style=process]
- (reserved) -- (serialisation);
- \draw[style=adaptation]
- (adaptation) -- (serialisation);
- \draw[style=adaptation]
- (adaptation) -- (includes);
- \draw[style=adaptation]
- (adaptation) -- (reserved);
-\end{tikzpicture}
-
-}
-
-\end{document}
--- a/doc-src/Codegen/document/architecture.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,50 +0,0 @@
-
-\documentclass[12pt]{article}
-\usepackage{tikz}
-\usetikzlibrary{shapes}
-\usetikzlibrary{arrows}
-
-\begin{document}
-
-\thispagestyle{empty}
-\setlength{\fboxrule}{0.01pt}
-\setlength{\fboxsep}{4pt}
-
-\fcolorbox{white}{white}{
-
-\newcommand{\sys}[1]{\emph{#1}}
-
-\begin{tikzpicture}[x = 4cm, y = 1cm]
- \tikzstyle positive=[color = black, fill = white];
- \tikzstyle negative=[color = white, fill = black];
- \tikzstyle entity=[rounded corners, draw, thick];
- \tikzstyle process=[ellipse, draw, thick];
- \tikzstyle arrow=[-stealth, semithick];
- \node (spec) at (0, 3) [entity, positive] {specification tools};
- \node (user) at (1, 3) [entity, positive] {user proofs};
- \node (spec_user_join) at (0.5, 3) [shape=coordinate] {};
- \node (raw) at (0.5, 4) [entity, positive] {raw code equations};
- \node (pre) at (1.5, 4) [process, positive] {preprocessing};
- \node (eqn) at (2.5, 4) [entity, positive] {code equations};
- \node (iml) at (0.5, 0) [entity, positive] {intermediate program};
- \node (seri) at (1.5, 0) [process, positive] {serialisation};
- \node (SML) at (2.5, 3) [entity, positive] {\sys{SML}};
- \node (OCaml) at (2.5, 2) [entity, positive] {\sys{OCaml}};
- \node (Haskell) at (2.5, 1) [entity, positive] {\sys{Haskell}};
- \node (Scala) at (2.5, 0) [entity, positive] {\sys{Scala}};
- \draw [semithick] (spec) -- (spec_user_join);
- \draw [semithick] (user) -- (spec_user_join);
- \draw [-diamond, semithick] (spec_user_join) -- (raw);
- \draw [arrow] (raw) -- (pre);
- \draw [arrow] (pre) -- (eqn);
- \draw [arrow] (eqn) -- node (transl) [process, positive] {translation} (iml);
- \draw [arrow] (iml) -- (seri);
- \draw [arrow] (seri) -- (SML);
- \draw [arrow] (seri) -- (OCaml);
- \draw [arrow] (seri) -- (Haskell);
- \draw [arrow] (seri) -- (Scala);
-\end{tikzpicture}
-
-}
-
-\end{document}
--- a/doc-src/Codegen/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_isar.pdf "Isar"
-"$ISABELLE_TOOL" logo -o isabelle_isar.eps "Isar"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-for NAME in architecture adapt
-do
- latex "$NAME"
- $ISABELLE_DVIPS -E -o "$NAME.eps" "$NAME.dvi"
- $ISABELLE_EPSTOPDF "$NAME.eps"
-done
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Codegen/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,52 +0,0 @@
-
-\documentclass[12pt,a4paper,fleqn]{article}
-\usepackage{latexsym,graphicx}
-\usepackage{multirow}
-\usepackage{iman,extra,isar,proof}
-\usepackage{isabelle,isabellesym}
-\usepackage{style}
-\usepackage{pdfsetup}
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-\isadroptag{theory}
-
-\title{\includegraphics[scale=0.5]{isabelle_isar}
- \\[4ex] Code generation from Isabelle/HOL theories}
-\author{\emph{Florian Haftmann with contributions from Lukas Bulwahn}}
-
-\begin{document}
-
-\maketitle
-
-\begin{abstract}
- \noindent This tutorial introduces the code generator facilities of Isabelle/HOL.
- They empower the user to turn HOL specifications into corresponding executable
- programs in the languages SML, OCaml, Haskell and Scala.
-\end{abstract}
-
-\thispagestyle{empty}\clearpage
-
-\pagenumbering{roman}
-\clearfirst
-
-\input{Introduction.tex}
-\input{Foundations.tex}
-\input{Refinement.tex}
-\input{Inductive_Predicate.tex}
-\input{Adaptation.tex}
-\input{Evaluation.tex}
-\input{Further.tex}
-
-\begingroup
-\bibliographystyle{plain} \small\raggedright\frenchspacing
-\bibliography{manual}
-\endgroup
-
-\end{document}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/Codegen/document/style.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,75 +0,0 @@
-
-%% toc
-\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
-\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
-
-%% paragraphs
-\setlength{\parindent}{1em}
-
-%% references
-\newcommand{\secref}[1]{\S\ref{#1}}
-\newcommand{\figref}[1]{figure~\ref{#1}}
-
-%% logical markup
-\newcommand{\strong}[1]{{\bfseries {#1}}}
-\newcommand{\qn}[1]{\emph{#1}}
-
-%% typographic conventions
-\newcommand{\qt}[1]{``{#1}''}
-\newcommand{\ditem}[1]{\item[\isastyletext #1]}
-
-%% quote environment
-\isakeeptag{quote}
-\renewenvironment{quote}
- {\list{}{\leftmargin2em\rightmargin0pt}\parindent0pt\parskip0pt\item\relax}
- {\endlist}
-\renewcommand{\isatagquote}{\begin{quote}}
-\renewcommand{\endisatagquote}{\end{quote}}
-\newcommand{\quotebreak}{\\[1.2ex]}
-
-%% typewriter text
-\newenvironment{typewriter}{\renewcommand{\isastyletext}{}%
-\renewcommand{\isadigit}[1]{{##1}}%
-\parindent0pt%
-\makeatletter\isa@parindent0pt\makeatother%
-\isabellestyle{tt}\isastyle%
-\fontsize{9pt}{9pt}\selectfont}{}
-
-\isakeeptag{quotetypewriter}
-\renewcommand{\isatagquotetypewriter}{\begin{quote}\begin{typewriter}}
-\renewcommand{\endisatagquotetypewriter}{\end{typewriter}\end{quote}}
-
-\isakeeptag{quotett}
-\renewcommand{\isatagquotett}{\begin{quote}\isabellestyle{tt}\isastyle}
-\renewcommand{\endisatagquotett}{\end{quote}}
-
-%% a trick
-\newcommand{\isasymSML}{SML}
-\newcommand{\isasymSMLdummy}{SML}
-
-%% presentation
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-%% character detail
-\renewcommand{\isadigit}[1]{\isamath{#1}}
-\binperiod
-\underscoreoff
-
-%% format
-\pagestyle{headings}
-\isabellestyle{it}
-
-%% ml reference
-\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
-
-\isakeeptag{mlref}
-\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{\ML}~~}Reference}\begingroup\def\isastyletext{\rm}\small}
-\renewcommand{\endisatagmlref}{\endgroup}
-
-\isabellestyle{it}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "implementation"
-%%% End:
--- a/doc-src/Functions/Functions.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1190 +0,0 @@
-(* Title: doc-src/IsarAdvanced/Functions/Thy/Fundefs.thy
- Author: Alexander Krauss, TU Muenchen
-
-Tutorial for function definitions with the new "function" package.
-*)
-
-theory Functions
-imports Main
-begin
-
-section {* Function Definitions for Dummies *}
-
-text {*
- In most cases, defining a recursive function is just as simple as other definitions:
-*}
-
-fun fib :: "nat \<Rightarrow> nat"
-where
- "fib 0 = 1"
-| "fib (Suc 0) = 1"
-| "fib (Suc (Suc n)) = fib n + fib (Suc n)"
-
-text {*
- The syntax is rather self-explanatory: We introduce a function by
- giving its name, its type,
- and a set of defining recursive equations.
- If we leave out the type, the most general type will be
- inferred, which can sometimes lead to surprises: Since both @{term
- "1::nat"} and @{text "+"} are overloaded, we would end up
- with @{text "fib :: nat \<Rightarrow> 'a::{one,plus}"}.
-*}
-
-text {*
- The function always terminates, since its argument gets smaller in
- every recursive call.
- Since HOL is a logic of total functions, termination is a
- fundamental requirement to prevent inconsistencies\footnote{From the
- \qt{definition} @{text "f(n) = f(n) + 1"} we could prove
- @{text "0 = 1"} by subtracting @{text "f(n)"} on both sides.}.
- Isabelle tries to prove termination automatically when a definition
- is made. In \S\ref{termination}, we will look at cases where this
- fails and see what to do then.
-*}
-
-subsection {* Pattern matching *}
-
-text {* \label{patmatch}
- Like in functional programming, we can use pattern matching to
- define functions. At the moment we will only consider \emph{constructor
- patterns}, which only consist of datatype constructors and
- variables. Furthermore, patterns must be linear, i.e.\ all variables
- on the left hand side of an equation must be distinct. In
- \S\ref{genpats} we discuss more general pattern matching.
-
- If patterns overlap, the order of the equations is taken into
- account. The following function inserts a fixed element between any
- two elements of a list:
-*}
-
-fun sep :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list"
-where
- "sep a (x#y#xs) = x # a # sep a (y # xs)"
-| "sep a xs = xs"
-
-text {*
- Overlapping patterns are interpreted as \qt{increments} to what is
- already there: The second equation is only meant for the cases where
- the first one does not match. Consequently, Isabelle replaces it
- internally by the remaining cases, making the patterns disjoint:
-*}
-
-thm sep.simps
-
-text {* @{thm [display] sep.simps[no_vars]} *}
-
-text {*
- \noindent The equations from function definitions are automatically used in
- simplification:
-*}
-
-lemma "sep 0 [1, 2, 3] = [1, 0, 2, 0, 3]"
-by simp
-
-subsection {* Induction *}
-
-text {*
-
- Isabelle provides customized induction rules for recursive
- functions. These rules follow the recursive structure of the
- definition. Here is the rule @{text sep.induct} arising from the
- above definition of @{const sep}:
-
- @{thm [display] sep.induct}
-
- We have a step case for list with at least two elements, and two
- base cases for the zero- and the one-element list. Here is a simple
- proof about @{const sep} and @{const map}
-*}
-
-lemma "map f (sep x ys) = sep (f x) (map f ys)"
-apply (induct x ys rule: sep.induct)
-
-txt {*
- We get three cases, like in the definition.
-
- @{subgoals [display]}
-*}
-
-apply auto
-done
-text {*
-
- With the \cmd{fun} command, you can define about 80\% of the
- functions that occur in practice. The rest of this tutorial explains
- the remaining 20\%.
-*}
-
-
-section {* fun vs.\ function *}
-
-text {*
- The \cmd{fun} command provides a
- convenient shorthand notation for simple function definitions. In
- this mode, Isabelle tries to solve all the necessary proof obligations
- automatically. If any proof fails, the definition is
- rejected. This can either mean that the definition is indeed faulty,
- or that the default proof procedures are just not smart enough (or
- rather: not designed) to handle the definition.
-
- By expanding the abbreviation to the more verbose \cmd{function} command, these proof obligations become visible and can be analyzed or
- solved manually. The expansion from \cmd{fun} to \cmd{function} is as follows:
-
-\end{isamarkuptext}
-
-
-\[\left[\;\begin{minipage}{0.25\textwidth}\vspace{6pt}
-\cmd{fun} @{text "f :: \<tau>"}\\%
-\cmd{where}\\%
-\hspace*{2ex}{\it equations}\\%
-\hspace*{2ex}\vdots\vspace*{6pt}
-\end{minipage}\right]
-\quad\equiv\quad
-\left[\;\begin{minipage}{0.48\textwidth}\vspace{6pt}
-\cmd{function} @{text "("}\cmd{sequential}@{text ") f :: \<tau>"}\\%
-\cmd{where}\\%
-\hspace*{2ex}{\it equations}\\%
-\hspace*{2ex}\vdots\\%
-\cmd{by} @{text "pat_completeness auto"}\\%
-\cmd{termination by} @{text "lexicographic_order"}\vspace{6pt}
-\end{minipage}
-\right]\]
-
-\begin{isamarkuptext}
- \vspace*{1em}
- \noindent Some details have now become explicit:
-
- \begin{enumerate}
- \item The \cmd{sequential} option enables the preprocessing of
- pattern overlaps which we already saw. Without this option, the equations
- must already be disjoint and complete. The automatic completion only
- works with constructor patterns.
-
- \item A function definition produces a proof obligation which
- expresses completeness and compatibility of patterns (we talk about
- this later). The combination of the methods @{text "pat_completeness"} and
- @{text "auto"} is used to solve this proof obligation.
-
- \item A termination proof follows the definition, started by the
- \cmd{termination} command. This will be explained in \S\ref{termination}.
- \end{enumerate}
- Whenever a \cmd{fun} command fails, it is usually a good idea to
- expand the syntax to the more verbose \cmd{function} form, to see
- what is actually going on.
- *}
-
-
-section {* Termination *}
-
-text {*\label{termination}
- The method @{text "lexicographic_order"} is the default method for
- termination proofs. It can prove termination of a
- certain class of functions by searching for a suitable lexicographic
- combination of size measures. Of course, not all functions have such
- a simple termination argument. For them, we can specify the termination
- relation manually.
-*}
-
-subsection {* The {\tt relation} method *}
-text{*
- Consider the following function, which sums up natural numbers up to
- @{text "N"}, using a counter @{text "i"}:
-*}
-
-function sum :: "nat \<Rightarrow> nat \<Rightarrow> nat"
-where
- "sum i N = (if i > N then 0 else i + sum (Suc i) N)"
-by pat_completeness auto
-
-text {*
- \noindent The @{text "lexicographic_order"} method fails on this example, because none of the
- arguments decreases in the recursive call, with respect to the standard size ordering.
- To prove termination manually, we must provide a custom wellfounded relation.
-
- The termination argument for @{text "sum"} is based on the fact that
- the \emph{difference} between @{text "i"} and @{text "N"} gets
- smaller in every step, and that the recursion stops when @{text "i"}
- is greater than @{text "N"}. Phrased differently, the expression
- @{text "N + 1 - i"} always decreases.
-
- We can use this expression as a measure function suitable to prove termination.
-*}
-
-termination sum
-apply (relation "measure (\<lambda>(i,N). N + 1 - i)")
-
-txt {*
- The \cmd{termination} command sets up the termination goal for the
- specified function @{text "sum"}. If the function name is omitted, it
- implicitly refers to the last function definition.
-
- The @{text relation} method takes a relation of
- type @{typ "('a \<times> 'a) set"}, where @{typ "'a"} is the argument type of
- the function. If the function has multiple curried arguments, then
- these are packed together into a tuple, as it happened in the above
- example.
-
- The predefined function @{term[source] "measure :: ('a \<Rightarrow> nat) \<Rightarrow> ('a \<times> 'a) set"} constructs a
- wellfounded relation from a mapping into the natural numbers (a
- \emph{measure function}).
-
- After the invocation of @{text "relation"}, we must prove that (a)
- the relation we supplied is wellfounded, and (b) that the arguments
- of recursive calls indeed decrease with respect to the
- relation:
-
- @{subgoals[display,indent=0]}
-
- These goals are all solved by @{text "auto"}:
-*}
-
-apply auto
-done
-
-text {*
- Let us complicate the function a little, by adding some more
- recursive calls:
-*}
-
-function foo :: "nat \<Rightarrow> nat \<Rightarrow> nat"
-where
- "foo i N = (if i > N
- then (if N = 0 then 0 else foo 0 (N - 1))
- else i + foo (Suc i) N)"
-by pat_completeness auto
-
-text {*
- When @{text "i"} has reached @{text "N"}, it starts at zero again
- and @{text "N"} is decremented.
- This corresponds to a nested
- loop where one index counts up and the other down. Termination can
- be proved using a lexicographic combination of two measures, namely
- the value of @{text "N"} and the above difference. The @{const
- "measures"} combinator generalizes @{text "measure"} by taking a
- list of measure functions.
-*}
-
-termination
-by (relation "measures [\<lambda>(i, N). N, \<lambda>(i,N). N + 1 - i]") auto
-
-subsection {* How @{text "lexicographic_order"} works *}
-
-(*fun fails :: "nat \<Rightarrow> nat list \<Rightarrow> nat"
-where
- "fails a [] = a"
-| "fails a (x#xs) = fails (x + a) (x # xs)"
-*)
-
-text {*
- To see how the automatic termination proofs work, let's look at an
- example where it fails\footnote{For a detailed discussion of the
- termination prover, see \cite{bulwahnKN07}}:
-
-\end{isamarkuptext}
-\cmd{fun} @{text "fails :: \"nat \<Rightarrow> nat list \<Rightarrow> nat\""}\\%
-\cmd{where}\\%
-\hspace*{2ex}@{text "\"fails a [] = a\""}\\%
-|\hspace*{1.5ex}@{text "\"fails a (x#xs) = fails (x + a) (x#xs)\""}\\
-\begin{isamarkuptext}
-
-\noindent Isabelle responds with the following error:
-
-\begin{isabelle}
-*** Unfinished subgoals:\newline
-*** (a, 1, <):\newline
-*** \ 1.~@{text "\<And>x. x = 0"}\newline
-*** (a, 1, <=):\newline
-*** \ 1.~False\newline
-*** (a, 2, <):\newline
-*** \ 1.~False\newline
-*** Calls:\newline
-*** a) @{text "(a, x # xs) -->> (x + a, x # xs)"}\newline
-*** Measures:\newline
-*** 1) @{text "\<lambda>x. size (fst x)"}\newline
-*** 2) @{text "\<lambda>x. size (snd x)"}\newline
-*** Result matrix:\newline
-*** \ \ \ \ 1\ \ 2 \newline
-*** a: ? <= \newline
-*** Could not find lexicographic termination order.\newline
-*** At command "fun".\newline
-\end{isabelle}
-*}
-text {*
- The key to this error message is the matrix at the bottom. The rows
- of that matrix correspond to the different recursive calls (In our
- case, there is just one). The columns are the function's arguments
- (expressed through different measure functions, which map the
- argument tuple to a natural number).
-
- The contents of the matrix summarize what is known about argument
- descents: The second argument has a weak descent (@{text "<="}) at the
- recursive call, and for the first argument nothing could be proved,
- which is expressed by @{text "?"}. In general, there are the values
- @{text "<"}, @{text "<="} and @{text "?"}.
-
- For the failed proof attempts, the unfinished subgoals are also
- printed. Looking at these will often point to a missing lemma.
-*}
-
-subsection {* The @{text size_change} method *}
-
-text {*
- Some termination goals that are beyond the powers of
- @{text lexicographic_order} can be solved automatically by the
- more powerful @{text size_change} method, which uses a variant of
- the size-change principle, together with some other
- techniques. While the details are discussed
- elsewhere\cite{krauss_phd},
- here are a few typical situations where
- @{text lexicographic_order} has difficulties and @{text size_change}
- may be worth a try:
- \begin{itemize}
- \item Arguments are permuted in a recursive call.
- \item Several mutually recursive functions with multiple arguments.
- \item Unusual control flow (e.g., when some recursive calls cannot
- occur in sequence).
- \end{itemize}
-
- Loading the theory @{text Multiset} makes the @{text size_change}
- method a bit stronger: it can then use multiset orders internally.
-*}
-
-section {* Mutual Recursion *}
-
-text {*
- If two or more functions call one another mutually, they have to be defined
- in one step. Here are @{text "even"} and @{text "odd"}:
-*}
-
-function even :: "nat \<Rightarrow> bool"
- and odd :: "nat \<Rightarrow> bool"
-where
- "even 0 = True"
-| "odd 0 = False"
-| "even (Suc n) = odd n"
-| "odd (Suc n) = even n"
-by pat_completeness auto
-
-text {*
- To eliminate the mutual dependencies, Isabelle internally
- creates a single function operating on the sum
- type @{typ "nat + nat"}. Then, @{const even} and @{const odd} are
- defined as projections. Consequently, termination has to be proved
- simultaneously for both functions, by specifying a measure on the
- sum type:
-*}
-
-termination
-by (relation "measure (\<lambda>x. case x of Inl n \<Rightarrow> n | Inr n \<Rightarrow> n)") auto
-
-text {*
- We could also have used @{text lexicographic_order}, which
- supports mutual recursive termination proofs to a certain extent.
-*}
-
-subsection {* Induction for mutual recursion *}
-
-text {*
-
- When functions are mutually recursive, proving properties about them
- generally requires simultaneous induction. The induction rule @{text "even_odd.induct"}
- generated from the above definition reflects this.
-
- Let us prove something about @{const even} and @{const odd}:
-*}
-
-lemma even_odd_mod2:
- "even n = (n mod 2 = 0)"
- "odd n = (n mod 2 = 1)"
-
-txt {*
- We apply simultaneous induction, specifying the induction variable
- for both goals, separated by \cmd{and}: *}
-
-apply (induct n and n rule: even_odd.induct)
-
-txt {*
- We get four subgoals, which correspond to the clauses in the
- definition of @{const even} and @{const odd}:
- @{subgoals[display,indent=0]}
- Simplification solves the first two goals, leaving us with two
- statements about the @{text "mod"} operation to prove:
-*}
-
-apply simp_all
-
-txt {*
- @{subgoals[display,indent=0]}
-
- \noindent These can be handled by Isabelle's arithmetic decision procedures.
-
-*}
-
-apply arith
-apply arith
-done
-
-text {*
- In proofs like this, the simultaneous induction is really essential:
- Even if we are just interested in one of the results, the other
- one is necessary to strengthen the induction hypothesis. If we leave
- out the statement about @{const odd} and just write @{term True} instead,
- the same proof fails:
-*}
-
-lemma failed_attempt:
- "even n = (n mod 2 = 0)"
- "True"
-apply (induct n rule: even_odd.induct)
-
-txt {*
- \noindent Now the third subgoal is a dead end, since we have no
- useful induction hypothesis available:
-
- @{subgoals[display,indent=0]}
-*}
-
-oops
-
-section {* General pattern matching *}
-text{*\label{genpats} *}
-
-subsection {* Avoiding automatic pattern splitting *}
-
-text {*
-
- Up to now, we used pattern matching only on datatypes, and the
- patterns were always disjoint and complete, and if they weren't,
- they were made disjoint automatically like in the definition of
- @{const "sep"} in \S\ref{patmatch}.
-
- This automatic splitting can significantly increase the number of
- equations involved, and this is not always desirable. The following
- example shows the problem:
-
- Suppose we are modeling incomplete knowledge about the world by a
- three-valued datatype, which has values @{term "T"}, @{term "F"}
- and @{term "X"} for true, false and uncertain propositions, respectively.
-*}
-
-datatype P3 = T | F | X
-
-text {* \noindent Then the conjunction of such values can be defined as follows: *}
-
-fun And :: "P3 \<Rightarrow> P3 \<Rightarrow> P3"
-where
- "And T p = p"
-| "And p T = p"
-| "And p F = F"
-| "And F p = F"
-| "And X X = X"
-
-
-text {*
- This definition is useful, because the equations can directly be used
- as simplification rules. But the patterns overlap: For example,
- the expression @{term "And T T"} is matched by both the first and
- the second equation. By default, Isabelle makes the patterns disjoint by
- splitting them up, producing instances:
-*}
-
-thm And.simps
-
-text {*
- @{thm[indent=4] And.simps}
-
- \vspace*{1em}
- \noindent There are several problems with this:
-
- \begin{enumerate}
- \item If the datatype has many constructors, there can be an
- explosion of equations. For @{const "And"}, we get seven instead of
- five equations, which can be tolerated, but this is just a small
- example.
-
- \item Since splitting makes the equations \qt{less general}, they
- do not always match in rewriting. While the term @{term "And x F"}
- can be simplified to @{term "F"} with the original equations, a
- (manual) case split on @{term "x"} is now necessary.
-
- \item The splitting also concerns the induction rule @{text
- "And.induct"}. Instead of five premises it now has seven, which
- means that our induction proofs will have more cases.
-
- \item In general, it increases clarity if we get the same definition
- back which we put in.
- \end{enumerate}
-
- If we do not want the automatic splitting, we can switch it off by
- leaving out the \cmd{sequential} option. However, we will have to
- prove that our pattern matching is consistent\footnote{This prevents
- us from defining something like @{term "f x = True"} and @{term "f x
- = False"} simultaneously.}:
-*}
-
-function And2 :: "P3 \<Rightarrow> P3 \<Rightarrow> P3"
-where
- "And2 T p = p"
-| "And2 p T = p"
-| "And2 p F = F"
-| "And2 F p = F"
-| "And2 X X = X"
-
-txt {*
- \noindent Now let's look at the proof obligations generated by a
- function definition. In this case, they are:
-
- @{subgoals[display,indent=0]}\vspace{-1.2em}\hspace{3cm}\vdots\vspace{1.2em}
-
- The first subgoal expresses the completeness of the patterns. It has
- the form of an elimination rule and states that every @{term x} of
- the function's input type must match at least one of the patterns\footnote{Completeness could
- be equivalently stated as a disjunction of existential statements:
-@{term "(\<exists>p. x = (T, p)) \<or> (\<exists>p. x = (p, T)) \<or> (\<exists>p. x = (p, F)) \<or>
- (\<exists>p. x = (F, p)) \<or> (x = (X, X))"}, and you can use the method @{text atomize_elim} to get that form instead.}. If the patterns just involve
- datatypes, we can solve it with the @{text "pat_completeness"}
- method:
-*}
-
-apply pat_completeness
-
-txt {*
- The remaining subgoals express \emph{pattern compatibility}. We do
- allow that an input value matches multiple patterns, but in this
- case, the result (i.e.~the right hand sides of the equations) must
- also be equal. For each pair of two patterns, there is one such
- subgoal. Usually this needs injectivity of the constructors, which
- is used automatically by @{text "auto"}.
-*}
-
-by auto
-termination by (relation "{}") simp
-
-
-subsection {* Non-constructor patterns *}
-
-text {*
- Most of Isabelle's basic types take the form of inductive datatypes,
- and usually pattern matching works on the constructors of such types.
- However, this need not be always the case, and the \cmd{function}
- command handles other kind of patterns, too.
-
- One well-known instance of non-constructor patterns are
- so-called \emph{$n+k$-patterns}, which are a little controversial in
- the functional programming world. Here is the initial fibonacci
- example with $n+k$-patterns:
-*}
-
-function fib2 :: "nat \<Rightarrow> nat"
-where
- "fib2 0 = 1"
-| "fib2 1 = 1"
-| "fib2 (n + 2) = fib2 n + fib2 (Suc n)"
-
-txt {*
- This kind of matching is again justified by the proof of pattern
- completeness and compatibility.
- The proof obligation for pattern completeness states that every natural number is
- either @{term "0::nat"}, @{term "1::nat"} or @{term "n +
- (2::nat)"}:
-
- @{subgoals[display,indent=0,goals_limit=1]}
-
- This is an arithmetic triviality, but unfortunately the
- @{text arith} method cannot handle this specific form of an
- elimination rule. However, we can use the method @{text
- "atomize_elim"} to do an ad-hoc conversion to a disjunction of
- existentials, which can then be solved by the arithmetic decision procedure.
- Pattern compatibility and termination are automatic as usual.
-*}
-apply atomize_elim
-apply arith
-apply auto
-done
-termination by lexicographic_order
-text {*
- We can stretch the notion of pattern matching even more. The
- following function is not a sensible functional program, but a
- perfectly valid mathematical definition:
-*}
-
-function ev :: "nat \<Rightarrow> bool"
-where
- "ev (2 * n) = True"
-| "ev (2 * n + 1) = False"
-apply atomize_elim
-by arith+
-termination by (relation "{}") simp
-
-text {*
- This general notion of pattern matching gives you a certain freedom
- in writing down specifications. However, as always, such freedom should
- be used with care:
-
- If we leave the area of constructor
- patterns, we have effectively departed from the world of functional
- programming. This means that it is no longer possible to use the
- code generator, and expect it to generate ML code for our
- definitions. Also, such a specification might not work very well together with
- simplification. Your mileage may vary.
-*}
-
-
-subsection {* Conditional equations *}
-
-text {*
- The function package also supports conditional equations, which are
- similar to guards in a language like Haskell. Here is Euclid's
- algorithm written with conditional patterns\footnote{Note that the
- patterns are also overlapping in the base case}:
-*}
-
-function gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat"
-where
- "gcd x 0 = x"
-| "gcd 0 y = y"
-| "x < y \<Longrightarrow> gcd (Suc x) (Suc y) = gcd (Suc x) (y - x)"
-| "\<not> x < y \<Longrightarrow> gcd (Suc x) (Suc y) = gcd (x - y) (Suc y)"
-by (atomize_elim, auto, arith)
-termination by lexicographic_order
-
-text {*
- By now, you can probably guess what the proof obligations for the
- pattern completeness and compatibility look like.
-
- Again, functions with conditional patterns are not supported by the
- code generator.
-*}
-
-
-subsection {* Pattern matching on strings *}
-
-text {*
- As strings (as lists of characters) are normal datatypes, pattern
- matching on them is possible, but somewhat problematic. Consider the
- following definition:
-
-\end{isamarkuptext}
-\noindent\cmd{fun} @{text "check :: \"string \<Rightarrow> bool\""}\\%
-\cmd{where}\\%
-\hspace*{2ex}@{text "\"check (''good'') = True\""}\\%
-@{text "| \"check s = False\""}
-\begin{isamarkuptext}
-
- \noindent An invocation of the above \cmd{fun} command does not
- terminate. What is the problem? Strings are lists of characters, and
- characters are a datatype with a lot of constructors. Splitting the
- catch-all pattern thus leads to an explosion of cases, which cannot
- be handled by Isabelle.
-
- There are two things we can do here. Either we write an explicit
- @{text "if"} on the right hand side, or we can use conditional patterns:
-*}
-
-function check :: "string \<Rightarrow> bool"
-where
- "check (''good'') = True"
-| "s \<noteq> ''good'' \<Longrightarrow> check s = False"
-by auto
-termination by (relation "{}") simp
-
-
-section {* Partiality *}
-
-text {*
- In HOL, all functions are total. A function @{term "f"} applied to
- @{term "x"} always has the value @{term "f x"}, and there is no notion
- of undefinedness.
- This is why we have to do termination
- proofs when defining functions: The proof justifies that the
- function can be defined by wellfounded recursion.
-
- However, the \cmd{function} package does support partiality to a
- certain extent. Let's look at the following function which looks
- for a zero of a given function f.
-*}
-
-function (*<*)(domintros)(*>*)findzero :: "(nat \<Rightarrow> nat) \<Rightarrow> nat \<Rightarrow> nat"
-where
- "findzero f n = (if f n = 0 then n else findzero f (Suc n))"
-by pat_completeness auto
-
-text {*
- \noindent Clearly, any attempt of a termination proof must fail. And without
- that, we do not get the usual rules @{text "findzero.simps"} and
- @{text "findzero.induct"}. So what was the definition good for at all?
-*}
-
-subsection {* Domain predicates *}
-
-text {*
- The trick is that Isabelle has not only defined the function @{const findzero}, but also
- a predicate @{term "findzero_dom"} that characterizes the values where the function
- terminates: the \emph{domain} of the function. If we treat a
- partial function just as a total function with an additional domain
- predicate, we can derive simplification and
- induction rules as we do for total functions. They are guarded
- by domain conditions and are called @{text psimps} and @{text
- pinduct}:
-*}
-
-text {*
- \noindent\begin{minipage}{0.79\textwidth}@{thm[display,margin=85] findzero.psimps}\end{minipage}
- \hfill(@{text "findzero.psimps"})
- \vspace{1em}
-
- \noindent\begin{minipage}{0.79\textwidth}@{thm[display,margin=85] findzero.pinduct}\end{minipage}
- \hfill(@{text "findzero.pinduct"})
-*}
-
-text {*
- Remember that all we
- are doing here is use some tricks to make a total function appear
- as if it was partial. We can still write the term @{term "findzero
- (\<lambda>x. 1) 0"} and like any other term of type @{typ nat} it is equal
- to some natural number, although we might not be able to find out
- which one. The function is \emph{underdefined}.
-
- But it is defined enough to prove something interesting about it. We
- can prove that if @{term "findzero f n"}
- terminates, it indeed returns a zero of @{term f}:
-*}
-
-lemma findzero_zero: "findzero_dom (f, n) \<Longrightarrow> f (findzero f n) = 0"
-
-txt {* \noindent We apply induction as usual, but using the partial induction
- rule: *}
-
-apply (induct f n rule: findzero.pinduct)
-
-txt {* \noindent This gives the following subgoals:
-
- @{subgoals[display,indent=0]}
-
- \noindent The hypothesis in our lemma was used to satisfy the first premise in
- the induction rule. However, we also get @{term
- "findzero_dom (f, n)"} as a local assumption in the induction step. This
- allows unfolding @{term "findzero f n"} using the @{text psimps}
- rule, and the rest is trivial.
- *}
-apply (simp add: findzero.psimps)
-done
-
-text {*
- Proofs about partial functions are often not harder than for total
- functions. Fig.~\ref{findzero_isar} shows a slightly more
- complicated proof written in Isar. It is verbose enough to show how
- partiality comes into play: From the partial induction, we get an
- additional domain condition hypothesis. Observe how this condition
- is applied when calls to @{term findzero} are unfolded.
-*}
-
-text_raw {*
-\begin{figure}
-\hrule\vspace{6pt}
-\begin{minipage}{0.8\textwidth}
-\isabellestyle{it}
-\isastyle\isamarkuptrue
-*}
-lemma "\<lbrakk>findzero_dom (f, n); x \<in> {n ..< findzero f n}\<rbrakk> \<Longrightarrow> f x \<noteq> 0"
-proof (induct rule: findzero.pinduct)
- fix f n assume dom: "findzero_dom (f, n)"
- and IH: "\<lbrakk>f n \<noteq> 0; x \<in> {Suc n ..< findzero f (Suc n)}\<rbrakk> \<Longrightarrow> f x \<noteq> 0"
- and x_range: "x \<in> {n ..< findzero f n}"
- have "f n \<noteq> 0"
- proof
- assume "f n = 0"
- with dom have "findzero f n = n" by (simp add: findzero.psimps)
- with x_range show False by auto
- qed
-
- from x_range have "x = n \<or> x \<in> {Suc n ..< findzero f n}" by auto
- thus "f x \<noteq> 0"
- proof
- assume "x = n"
- with `f n \<noteq> 0` show ?thesis by simp
- next
- assume "x \<in> {Suc n ..< findzero f n}"
- with dom and `f n \<noteq> 0` have "x \<in> {Suc n ..< findzero f (Suc n)}" by (simp add: findzero.psimps)
- with IH and `f n \<noteq> 0`
- show ?thesis by simp
- qed
-qed
-text_raw {*
-\isamarkupfalse\isabellestyle{tt}
-\end{minipage}\vspace{6pt}\hrule
-\caption{A proof about a partial function}\label{findzero_isar}
-\end{figure}
-*}
-
-subsection {* Partial termination proofs *}
-
-text {*
- Now that we have proved some interesting properties about our
- function, we should turn to the domain predicate and see if it is
- actually true for some values. Otherwise we would have just proved
- lemmas with @{term False} as a premise.
-
- Essentially, we need some introduction rules for @{text
- findzero_dom}. The function package can prove such domain
- introduction rules automatically. But since they are not used very
- often (they are almost never needed if the function is total), this
- functionality is disabled by default for efficiency reasons. So we have to go
- back and ask for them explicitly by passing the @{text
- "(domintros)"} option to the function package:
-
-\vspace{1ex}
-\noindent\cmd{function} @{text "(domintros) findzero :: \"(nat \<Rightarrow> nat) \<Rightarrow> nat \<Rightarrow> nat\""}\\%
-\cmd{where}\isanewline%
-\ \ \ldots\\
-
- \noindent Now the package has proved an introduction rule for @{text findzero_dom}:
-*}
-
-thm findzero.domintros
-
-text {*
- @{thm[display] findzero.domintros}
-
- Domain introduction rules allow to show that a given value lies in the
- domain of a function, if the arguments of all recursive calls
- are in the domain as well. They allow to do a \qt{single step} in a
- termination proof. Usually, you want to combine them with a suitable
- induction principle.
-
- Since our function increases its argument at recursive calls, we
- need an induction principle which works \qt{backwards}. We will use
- @{text inc_induct}, which allows to do induction from a fixed number
- \qt{downwards}:
-
- \begin{center}@{thm inc_induct}\hfill(@{text "inc_induct"})\end{center}
-
- Figure \ref{findzero_term} gives a detailed Isar proof of the fact
- that @{text findzero} terminates if there is a zero which is greater
- or equal to @{term n}. First we derive two useful rules which will
- solve the base case and the step case of the induction. The
- induction is then straightforward, except for the unusual induction
- principle.
-
-*}
-
-text_raw {*
-\begin{figure}
-\hrule\vspace{6pt}
-\begin{minipage}{0.8\textwidth}
-\isabellestyle{it}
-\isastyle\isamarkuptrue
-*}
-lemma findzero_termination:
- assumes "x \<ge> n" and "f x = 0"
- shows "findzero_dom (f, n)"
-proof -
- have base: "findzero_dom (f, x)"
- by (rule findzero.domintros) (simp add:`f x = 0`)
-
- have step: "\<And>i. findzero_dom (f, Suc i)
- \<Longrightarrow> findzero_dom (f, i)"
- by (rule findzero.domintros) simp
-
- from `x \<ge> n` show ?thesis
- proof (induct rule:inc_induct)
- show "findzero_dom (f, x)" by (rule base)
- next
- fix i assume "findzero_dom (f, Suc i)"
- thus "findzero_dom (f, i)" by (rule step)
- qed
-qed
-text_raw {*
-\isamarkupfalse\isabellestyle{tt}
-\end{minipage}\vspace{6pt}\hrule
-\caption{Termination proof for @{text findzero}}\label{findzero_term}
-\end{figure}
-*}
-
-text {*
- Again, the proof given in Fig.~\ref{findzero_term} has a lot of
- detail in order to explain the principles. Using more automation, we
- can also have a short proof:
-*}
-
-lemma findzero_termination_short:
- assumes zero: "x >= n"
- assumes [simp]: "f x = 0"
- shows "findzero_dom (f, n)"
-using zero
-by (induct rule:inc_induct) (auto intro: findzero.domintros)
-
-text {*
- \noindent It is simple to combine the partial correctness result with the
- termination lemma:
-*}
-
-lemma findzero_total_correctness:
- "f x = 0 \<Longrightarrow> f (findzero f 0) = 0"
-by (blast intro: findzero_zero findzero_termination)
-
-subsection {* Definition of the domain predicate *}
-
-text {*
- Sometimes it is useful to know what the definition of the domain
- predicate looks like. Actually, @{text findzero_dom} is just an
- abbreviation:
-
- @{abbrev[display] findzero_dom}
-
- The domain predicate is the \emph{accessible part} of a relation @{const
- findzero_rel}, which was also created internally by the function
- package. @{const findzero_rel} is just a normal
- inductive predicate, so we can inspect its definition by
- looking at the introduction rules @{text findzero_rel.intros}.
- In our case there is just a single rule:
-
- @{thm[display] findzero_rel.intros}
-
- The predicate @{const findzero_rel}
- describes the \emph{recursion relation} of the function
- definition. The recursion relation is a binary relation on
- the arguments of the function that relates each argument to its
- recursive calls. In general, there is one introduction rule for each
- recursive call.
-
- The predicate @{term "accp findzero_rel"} is the accessible part of
- that relation. An argument belongs to the accessible part, if it can
- be reached in a finite number of steps (cf.~its definition in @{text
- "Wellfounded.thy"}).
-
- Since the domain predicate is just an abbreviation, you can use
- lemmas for @{const accp} and @{const findzero_rel} directly. Some
- lemmas which are occasionally useful are @{text accpI}, @{text
- accp_downward}, and of course the introduction and elimination rules
- for the recursion relation @{text "findzero.intros"} and @{text "findzero.cases"}.
-*}
-
-section {* Nested recursion *}
-
-text {*
- Recursive calls which are nested in one another frequently cause
- complications, since their termination proof can depend on a partial
- correctness property of the function itself.
-
- As a small example, we define the \qt{nested zero} function:
-*}
-
-function nz :: "nat \<Rightarrow> nat"
-where
- "nz 0 = 0"
-| "nz (Suc n) = nz (nz n)"
-by pat_completeness auto
-
-text {*
- If we attempt to prove termination using the identity measure on
- naturals, this fails:
-*}
-
-termination
- apply (relation "measure (\<lambda>n. n)")
- apply auto
-
-txt {*
- We get stuck with the subgoal
-
- @{subgoals[display]}
-
- Of course this statement is true, since we know that @{const nz} is
- the zero function. And in fact we have no problem proving this
- property by induction.
-*}
-(*<*)oops(*>*)
-lemma nz_is_zero: "nz_dom n \<Longrightarrow> nz n = 0"
- by (induct rule:nz.pinduct) (auto simp: nz.psimps)
-
-text {*
- We formulate this as a partial correctness lemma with the condition
- @{term "nz_dom n"}. This allows us to prove it with the @{text
- pinduct} rule before we have proved termination. With this lemma,
- the termination proof works as expected:
-*}
-
-termination
- by (relation "measure (\<lambda>n. n)") (auto simp: nz_is_zero)
-
-text {*
- As a general strategy, one should prove the statements needed for
- termination as a partial property first. Then they can be used to do
- the termination proof. This also works for less trivial
- examples. Figure \ref{f91} defines the 91-function, a well-known
- challenge problem due to John McCarthy, and proves its termination.
-*}
-
-text_raw {*
-\begin{figure}
-\hrule\vspace{6pt}
-\begin{minipage}{0.8\textwidth}
-\isabellestyle{it}
-\isastyle\isamarkuptrue
-*}
-
-function f91 :: "nat \<Rightarrow> nat"
-where
- "f91 n = (if 100 < n then n - 10 else f91 (f91 (n + 11)))"
-by pat_completeness auto
-
-lemma f91_estimate:
- assumes trm: "f91_dom n"
- shows "n < f91 n + 11"
-using trm by induct (auto simp: f91.psimps)
-
-termination
-proof
- let ?R = "measure (\<lambda>x. 101 - x)"
- show "wf ?R" ..
-
- fix n :: nat assume "\<not> 100 < n" -- "Assumptions for both calls"
-
- thus "(n + 11, n) \<in> ?R" by simp -- "Inner call"
-
- assume inner_trm: "f91_dom (n + 11)" -- "Outer call"
- with f91_estimate have "n + 11 < f91 (n + 11) + 11" .
- with `\<not> 100 < n` show "(f91 (n + 11), n) \<in> ?R" by simp
-qed
-
-text_raw {*
-\isamarkupfalse\isabellestyle{tt}
-\end{minipage}
-\vspace{6pt}\hrule
-\caption{McCarthy's 91-function}\label{f91}
-\end{figure}
-*}
-
-
-section {* Higher-Order Recursion *}
-
-text {*
- Higher-order recursion occurs when recursive calls
- are passed as arguments to higher-order combinators such as @{const
- map}, @{term filter} etc.
- As an example, imagine a datatype of n-ary trees:
-*}
-
-datatype 'a tree =
- Leaf 'a
-| Branch "'a tree list"
-
-
-text {* \noindent We can define a function which swaps the left and right subtrees recursively, using the
- list functions @{const rev} and @{const map}: *}
-
-fun mirror :: "'a tree \<Rightarrow> 'a tree"
-where
- "mirror (Leaf n) = Leaf n"
-| "mirror (Branch l) = Branch (rev (map mirror l))"
-
-text {*
- Although the definition is accepted without problems, let us look at the termination proof:
-*}
-
-termination proof
- txt {*
-
- As usual, we have to give a wellfounded relation, such that the
- arguments of the recursive calls get smaller. But what exactly are
- the arguments of the recursive calls when mirror is given as an
- argument to @{const map}? Isabelle gives us the
- subgoals
-
- @{subgoals[display,indent=0]}
-
- So the system seems to know that @{const map} only
- applies the recursive call @{term "mirror"} to elements
- of @{term "l"}, which is essential for the termination proof.
-
- This knowledge about @{const map} is encoded in so-called congruence rules,
- which are special theorems known to the \cmd{function} command. The
- rule for @{const map} is
-
- @{thm[display] map_cong}
-
- You can read this in the following way: Two applications of @{const
- map} are equal, if the list arguments are equal and the functions
- coincide on the elements of the list. This means that for the value
- @{term "map f l"} we only have to know how @{term f} behaves on
- the elements of @{term l}.
-
- Usually, one such congruence rule is
- needed for each higher-order construct that is used when defining
- new functions. In fact, even basic functions like @{const
- If} and @{const Let} are handled by this mechanism. The congruence
- rule for @{const If} states that the @{text then} branch is only
- relevant if the condition is true, and the @{text else} branch only if it
- is false:
-
- @{thm[display] if_cong}
-
- Congruence rules can be added to the
- function package by giving them the @{term fundef_cong} attribute.
-
- The constructs that are predefined in Isabelle, usually
- come with the respective congruence rules.
- But if you define your own higher-order functions, you may have to
- state and prove the required congruence rules yourself, if you want to use your
- functions in recursive definitions.
-*}
-(*<*)oops(*>*)
-
-subsection {* Congruence Rules and Evaluation Order *}
-
-text {*
- Higher order logic differs from functional programming languages in
- that it has no built-in notion of evaluation order. A program is
- just a set of equations, and it is not specified how they must be
- evaluated.
-
- However for the purpose of function definition, we must talk about
- evaluation order implicitly, when we reason about termination.
- Congruence rules express that a certain evaluation order is
- consistent with the logical definition.
-
- Consider the following function.
-*}
-
-function f :: "nat \<Rightarrow> bool"
-where
- "f n = (n = 0 \<or> f (n - 1))"
-(*<*)by pat_completeness auto(*>*)
-
-text {*
- For this definition, the termination proof fails. The default configuration
- specifies no congruence rule for disjunction. We have to add a
- congruence rule that specifies left-to-right evaluation order:
-
- \vspace{1ex}
- \noindent @{thm disj_cong}\hfill(@{text "disj_cong"})
- \vspace{1ex}
-
- Now the definition works without problems. Note how the termination
- proof depends on the extra condition that we get from the congruence
- rule.
-
- However, as evaluation is not a hard-wired concept, we
- could just turn everything around by declaring a different
- congruence rule. Then we can make the reverse definition:
-*}
-
-lemma disj_cong2[fundef_cong]:
- "(\<not> Q' \<Longrightarrow> P = P') \<Longrightarrow> (Q = Q') \<Longrightarrow> (P \<or> Q) = (P' \<or> Q')"
- by blast
-
-fun f' :: "nat \<Rightarrow> bool"
-where
- "f' n = (f' (n - 1) \<or> n = 0)"
-
-text {*
- \noindent These examples show that, in general, there is no \qt{best} set of
- congruence rules.
-
- However, such tweaking should rarely be necessary in
- practice, as most of the time, the default set of congruence rules
- works well.
-*}
-
-end
--- a/doc-src/Functions/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Functions/document/conclusion.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,7 +0,0 @@
-\section{Conclusion}
-
-\fixme{}
-
-
-
-
--- a/doc-src/Functions/document/intro.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-\section{Introduction}
-
-Starting from Isabelle 2007, new facilities for recursive
-function definitions~\cite{krauss2006} are available. They provide
-better support for general recursive definitions than previous
-packages. But despite all tool support, function definitions can
-sometimes be a difficult thing.
-
-This tutorial is an example-guided introduction to the practical use
-of the package and related tools. It should help you get started with
-defining functions quickly. For the more difficult definitions we will
-discuss what problems can arise, and how they can be solved.
-
-We assume that you have mastered the fundamentals of Isabelle/HOL
-and are able to write basic specifications and proofs. To start out
-with Isabelle in general, consult the Isabelle/HOL tutorial
-\cite{isa-tutorial}.
-
-
-
-\paragraph{Structure of this tutorial.}
-Section 2 introduces the syntax and basic operation of the \cmd{fun}
-command, which provides full automation with reasonable default
-behavior. The impatient reader can stop after that
-section, and consult the remaining sections only when needed.
-Section 3 introduces the more verbose \cmd{function} command which
-gives fine-grained control. This form should be used
-whenever the short form fails.
-After that we discuss more specialized issues:
-termination, mutual, nested and higher-order recursion, partiality, pattern matching
-and others.
-
-
-\paragraph{Some background.}
-Following the LCF tradition, the package is realized as a definitional
-extension: Recursive definitions are internally transformed into a
-non-recursive form, such that the function can be defined using
-standard definition facilities. Then the recursive specification is
-derived from the primitive definition. This is a complex task, but it
-is fully automated and mostly transparent to the user. Definitional
-extensions are valuable because they are conservative by construction:
-The \qt{new} concept of general wellfounded recursion is completely reduced
-to existing principles.
-
-
-
-
-The new \cmd{function} command, and its short form \cmd{fun} have mostly
-replaced the traditional \cmd{recdef} command \cite{slind-tfl}. They solve
-a few of technical issues around \cmd{recdef}, and allow definitions
-which were not previously possible.
-
-
-
-
--- a/doc-src/Functions/document/mathpartir.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,421 +0,0 @@
-% Mathpartir --- Math Paragraph for Typesetting Inference Rules
-%
-% Copyright (C) 2001, 2002, 2003, 2004, 2005 Didier Rémy
-%
-% Author : Didier Remy
-% Version : 1.2.0
-% Bug Reports : to author
-% Web Site : http://pauillac.inria.fr/~remy/latex/
-%
-% Mathpartir is free software; you can redistribute it and/or modify
-% it under the terms of the GNU General Public License as published by
-% the Free Software Foundation; either version 2, or (at your option)
-% any later version.
-%
-% Mathpartir is distributed in the hope that it will be useful,
-% but WITHOUT ANY WARRANTY; without even the implied warranty of
-% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-% GNU General Public License for more details
-% (http://pauillac.inria.fr/~remy/license/GPL).
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% File mathpartir.sty (LaTeX macros)
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\NeedsTeXFormat{LaTeX2e}
-\ProvidesPackage{mathpartir}
- [2005/12/20 version 1.2.0 Math Paragraph for Typesetting Inference Rules]
-
-%%
-
-%% Identification
-%% Preliminary declarations
-
-\RequirePackage {keyval}
-
-%% Options
-%% More declarations
-
-%% PART I: Typesetting maths in paragraphe mode
-
-\newdimen \mpr@tmpdim
-
-% To ensure hevea \hva compatibility, \hva should expands to nothing
-% in mathpar or in inferrule
-\let \mpr@hva \empty
-
-%% normal paragraph parametters, should rather be taken dynamically
-\def \mpr@savepar {%
- \edef \MathparNormalpar
- {\noexpand \lineskiplimit \the\lineskiplimit
- \noexpand \lineskip \the\lineskip}%
- }
-
-\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
-\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
-\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
-\let \MathparLineskip \mpr@lineskip
-\def \mpr@paroptions {\MathparLineskip}
-\let \mpr@prebindings \relax
-
-\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
-
-\def \mpr@goodbreakand
- {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
-\def \mpr@and {\hskip \mpr@andskip}
-\def \mpr@andcr {\penalty 50\mpr@and}
-\def \mpr@cr {\penalty -10000\mpr@and}
-\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
-
-\def \mpr@bindings {%
- \let \and \mpr@andcr
- \let \par \mpr@andcr
- \let \\\mpr@cr
- \let \eqno \mpr@eqno
- \let \hva \mpr@hva
- }
-\let \MathparBindings \mpr@bindings
-
-% \@ifundefined {ignorespacesafterend}
-% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
-
-\newenvironment{mathpar}[1][]
- {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
- \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
- \noindent $\displaystyle\fi
- \MathparBindings}
- {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
-
-% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
-% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
-
-%%% HOV BOXES
-
-\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
- \vbox \bgroup \tabskip 0em \let \\ \cr
- \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
- \egroup}
-
-\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
- \box0\else \mathvbox {#1}\fi}
-
-
-%% Part II -- operations on lists
-
-\newtoks \mpr@lista
-\newtoks \mpr@listb
-
-\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
-
-\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
-
-\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
-\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
-
-\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
-\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
-
-\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
-\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
-
-\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
- \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
- \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
- \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
- \mpr@flatten \mpr@all \mpr@to \mpr@one
- \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
- \mpr@all \mpr@stripend
- \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
- \ifx 1\mpr@isempty
- \repeat
-}
-
-\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
- \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
-
-%% Part III -- Type inference rules
-
-\newif \if@premisse
-\newbox \mpr@hlist
-\newbox \mpr@vlist
-\newif \ifmpr@center \mpr@centertrue
-\def \mpr@htovlist {%
- \setbox \mpr@hlist
- \hbox {\strut
- \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
- \unhbox \mpr@hlist}%
- \setbox \mpr@vlist
- \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
- \else \unvbox \mpr@vlist \box \mpr@hlist
- \fi}%
-}
-% OLD version
-% \def \mpr@htovlist {%
-% \setbox \mpr@hlist
-% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
-% \setbox \mpr@vlist
-% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
-% \else \unvbox \mpr@vlist \box \mpr@hlist
-% \fi}%
-% }
-
-\def \mpr@item #1{$\displaystyle #1$}
-\def \mpr@sep{2em}
-\def \mpr@blank { }
-\def \mpr@hovbox #1#2{\hbox
- \bgroup
- \ifx #1T\@premissetrue
- \else \ifx #1B\@premissefalse
- \else
- \PackageError{mathpartir}
- {Premisse orientation should either be T or B}
- {Fatal error in Package}%
- \fi \fi
- \def \@test {#2}\ifx \@test \mpr@blank\else
- \setbox \mpr@hlist \hbox {}%
- \setbox \mpr@vlist \vbox {}%
- \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
- \let \@hvlist \empty \let \@rev \empty
- \mpr@tmpdim 0em
- \expandafter \mpr@makelist #2\mpr@to \mpr@flat
- \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
- \def \\##1{%
- \def \@test {##1}\ifx \@test \empty
- \mpr@htovlist
- \mpr@tmpdim 0em %%% last bug fix not extensively checked
- \else
- \setbox0 \hbox{\mpr@item {##1}}\relax
- \advance \mpr@tmpdim by \wd0
- %\mpr@tmpdim 1.02\mpr@tmpdim
- \ifnum \mpr@tmpdim < \hsize
- \ifnum \wd\mpr@hlist > 0
- \if@premisse
- \setbox \mpr@hlist
- \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
- \else
- \setbox \mpr@hlist
- \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
- \fi
- \else
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \else
- \ifnum \wd \mpr@hlist > 0
- \mpr@htovlist
- \mpr@tmpdim \wd0
- \fi
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \advance \mpr@tmpdim by \mpr@sep
- \fi
- }%
- \@rev
- \mpr@htovlist
- \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
- \fi
- \egroup
-}
-
-%%% INFERENCE RULES
-
-\@ifundefined{@@over}{%
- \let\@@over\over % fallback if amsmath is not loaded
- \let\@@overwithdelims\overwithdelims
- \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
- \let\@@above\above \let\@@abovewithdelims\abovewithdelims
- }{}
-
-%% The default
-
-\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
- $\displaystyle {#1\mpr@over #2}$}}
-\let \mpr@fraction \mpr@@fraction
-
-%% A generic solution to arrow
-
-\def \mpr@make@fraction #1#2#3#4#5{\hbox {%
- \def \mpr@tail{#1}%
- \def \mpr@body{#2}%
- \def \mpr@head{#3}%
- \setbox1=\hbox{$#4$}\setbox2=\hbox{$#5$}%
- \setbox3=\hbox{$\mkern -3mu\mpr@body\mkern -3mu$}%
- \setbox3=\hbox{$\mkern -3mu \mpr@body\mkern -3mu$}%
- \dimen0=\dp1\advance\dimen0 by \ht3\relax\dp1\dimen0\relax
- \dimen0=\ht2\advance\dimen0 by \dp3\relax\ht2\dimen0\relax
- \setbox0=\hbox {$\box1 \@@atop \box2$}%
- \dimen0=\wd0\box0
- \box0 \hskip -\dimen0\relax
- \hbox to \dimen0 {$%
- \mathrel{\mpr@tail}\joinrel
- \xleaders\hbox{\copy3}\hfil\joinrel\mathrel{\mpr@head}%
- $}}}
-
-%% Old stuff should be removed in next version
-\def \mpr@@reduce #1#2{\hbox
- {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
-\def \mpr@@rewrite #1#2#3{\hbox
- {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
-\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
-
-\def \mpr@empty {}
-\def \mpr@inferrule
- {\bgroup
- \ifnum \linewidth<\hsize \hsize \linewidth\fi
- \mpr@rulelineskip
- \let \and \qquad
- \let \hva \mpr@hva
- \let \@rulename \mpr@empty
- \let \@rule@options \mpr@empty
- \let \mpr@over \@@over
- \mpr@inferrule@}
-\newcommand {\mpr@inferrule@}[3][]
- {\everymath={\displaystyle}%
- \def \@test {#2}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
- \else
- \def \@test {#3}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
- \else
- \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
- \fi \fi
- \def \@test {#1}\ifx \@test\empty \box0
- \else \vbox
-%%% Suggestion de Francois pour les etiquettes longues
-%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
- {\hbox {\RefTirName {#1}}\box0}\fi
- \egroup}
-
-\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
-
-% They are two forms
-% \inferrule [label]{[premisses}{conclusions}
-% or
-% \inferrule* [options]{[premisses}{conclusions}
-%
-% Premisses and conclusions are lists of elements separated by \\
-% Each \\ produces a break, attempting horizontal breaks if possible,
-% and vertical breaks if needed.
-%
-% An empty element obtained by \\\\ produces a vertical break in all cases.
-%
-% The former rule is aligned on the fraction bar.
-% The optional label appears on top of the rule
-% The second form to be used in a derivation tree is aligned on the last
-% line of its conclusion
-%
-% The second form can be parameterized, using the key=val interface. The
-% folloiwng keys are recognized:
-%
-% width set the width of the rule to val
-% narrower set the width of the rule to val\hsize
-% before execute val at the beginning/left
-% lab put a label [Val] on top of the rule
-% lskip add negative skip on the right
-% left put a left label [Val]
-% Left put a left label [Val], ignoring its width
-% right put a right label [Val]
-% Right put a right label [Val], ignoring its width
-% leftskip skip negative space on the left-hand side
-% rightskip skip negative space on the right-hand side
-% vdots lift the rule by val and fill vertical space with dots
-% after execute val at the end/right
-%
-% Note that most options must come in this order to avoid strange
-% typesetting (in particular leftskip must preceed left and Left and
-% rightskip must follow Right or right; vdots must come last
-% or be only followed by rightskip.
-%
-
-%% Keys that make sence in all kinds of rules
-\def \mprset #1{\setkeys{mprset}{#1}}
-\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
-\define@key {mprset}{center}[]{\mpr@centertrue}
-\define@key {mprset}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
-\define@key {mprset}{myfraction}[]{\let \mpr@fraction #1}
-\define@key {mprset}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
-
-\newbox \mpr@right
-\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
-\define@key {mpr}{center}[]{\mpr@centertrue}
-\define@key {mpr}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
-\define@key {mpr}{myfraction}[]{\let \mpr@fraction #1}
-\define@key {mpr}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{width}{\hsize #1}
-\define@key {mpr}{sep}{\def\mpr@sep{#1}}
-\define@key {mpr}{before}{#1}
-\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{narrower}{\hsize #1\hsize}
-\define@key {mpr}{leftskip}{\hskip -#1}
-\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
-\define@key {mpr}{rightskip}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
-\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
-\define@key {mpr}{right}
- {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{RIGHT}
- {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{Right}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
-\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
-\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
-
-\newdimen \rule@dimen
-\newcommand \mpr@inferstar@ [3][]{\setbox0
- \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
- \setbox \mpr@right \hbox{}%
- $\setkeys{mpr}{#1}%
- \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
- \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
- \box \mpr@right \mpr@vdots$}
- \setbox1 \hbox {\strut}
- \rule@dimen \dp0 \advance \rule@dimen by -\dp1
- \raise \rule@dimen \box0}
-
-\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
-\newcommand \mpr@err@skipargs[3][]{}
-\def \mpr@inferstar*{\ifmmode
- \let \@do \mpr@inferstar@
- \else
- \let \@do \mpr@err@skipargs
- \PackageError {mathpartir}
- {\string\inferrule* can only be used in math mode}{}%
- \fi \@do}
-
-
-%%% Exports
-
-% Envirnonment mathpar
-
-\let \inferrule \mpr@infer
-
-% make a short name \infer is not already defined
-\@ifundefined {infer}{\let \infer \mpr@infer}{}
-
-\def \TirNameStyle #1{\small \textsc{#1}}
-\def \tir@name #1{\hbox {\small \TirNameStyle{#1}}}
-\let \TirName \tir@name
-\let \DefTirName \TirName
-\let \RefTirName \TirName
-
-%%% Other Exports
-
-% \let \listcons \mpr@cons
-% \let \listsnoc \mpr@snoc
-% \let \listhead \mpr@head
-% \let \listmake \mpr@makelist
-
-
-
-
-\endinput
--- a/doc-src/Functions/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,90 +0,0 @@
-
-\documentclass[a4paper,fleqn]{article}
-
-\usepackage{latexsym,graphicx}
-\usepackage[refpage]{nomencl}
-\usepackage{iman,extra,isar}
-\usepackage{isabelle,isabellesym}
-\usepackage{style}
-\usepackage{mathpartir}
-\usepackage{amsthm}
-\usepackage{pdfsetup}
-
-\newcommand{\cmd}[1]{\isacommand{#1}}
-
-\newcommand{\isasymINFIX}{\cmd{infix}}
-\newcommand{\isasymLOCALE}{\cmd{locale}}
-\newcommand{\isasymINCLUDES}{\cmd{includes}}
-\newcommand{\isasymDATATYPE}{\cmd{datatype}}
-\newcommand{\isasymDEFINES}{\cmd{defines}}
-\newcommand{\isasymNOTES}{\cmd{notes}}
-\newcommand{\isasymCLASS}{\cmd{class}}
-\newcommand{\isasymINSTANCE}{\cmd{instance}}
-\newcommand{\isasymLEMMA}{\cmd{lemma}}
-\newcommand{\isasymPROOF}{\cmd{proof}}
-\newcommand{\isasymQED}{\cmd{qed}}
-\newcommand{\isasymFIX}{\cmd{fix}}
-\newcommand{\isasymASSUME}{\cmd{assume}}
-\newcommand{\isasymSHOW}{\cmd{show}}
-\newcommand{\isasymNOTE}{\cmd{note}}
-\newcommand{\isasymCODEGEN}{\cmd{code\_gen}}
-\newcommand{\isasymPRINTCODETHMS}{\cmd{print\_codethms}}
-\newcommand{\isasymFUN}{\cmd{fun}}
-\newcommand{\isasymFUNCTION}{\cmd{function}}
-\newcommand{\isasymPRIMREC}{\cmd{primrec}}
-\newcommand{\isasymRECDEF}{\cmd{recdef}}
-
-\newcommand{\qt}[1]{``#1''}
-\newcommand{\qtt}[1]{"{}{#1}"{}}
-\newcommand{\qn}[1]{\emph{#1}}
-\newcommand{\strong}[1]{{\bfseries #1}}
-\newcommand{\fixme}[1][!]{\strong{FIXME: #1}}
-
-\newtheorem{exercise}{Exercise}{\bf}{\itshape}
-%\newtheorem*{thmstar}{Theorem}{\bf}{\itshape}
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-
-\isadroptag{theory}
-\title{Defining Recursive Functions in Isabelle/HOL}
-\author{Alexander Krauss}
-
-\isabellestyle{tt}
-\renewcommand{\isastyletxt}{\isastyletext}% use same formatting for txt and text
-
-\begin{document}
-
-\date{\ \\}
-\maketitle
-
-\begin{abstract}
- This tutorial describes the use of the new \emph{function} package,
- which provides general recursive function definitions for Isabelle/HOL.
- We start with very simple examples and then gradually move on to more
- advanced topics such as manual termination proofs, nested recursion,
- partiality, tail recursion and congruence rules.
-\end{abstract}
-
-%\thispagestyle{empty}\clearpage
-
-%\pagenumbering{roman}
-%\clearfirst
-
-\input{intro.tex}
-\input{Functions.tex}
-%\input{conclusion.tex}
-
-\begingroup
-%\tocentry{\bibname}
-\bibliographystyle{plain} \small\raggedright\frenchspacing
-\bibliography{manual}
-\endgroup
-
-\end{document}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/Functions/document/style.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,46 +0,0 @@
-%% toc
-\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
-\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
-
-%% references
-\newcommand{\secref}[1]{\S\ref{#1}}
-\newcommand{\chref}[1]{chapter~\ref{#1}}
-\newcommand{\figref}[1]{figure~\ref{#1}}
-
-%% math
-\newcommand{\text}[1]{\mbox{#1}}
-\newcommand{\isasymvartheta}{\isamath{\theta}}
-\newcommand{\isactrlvec}[1]{\emph{$\overline{#1}$}}
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-\pagestyle{headings}
-\sloppy
-\binperiod
-\underscoreon
-
-\renewcommand{\isadigit}[1]{\isamath{#1}}
-
-\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
-
-\isafoldtag{FIXME}
-\isakeeptag{mlref}
-\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{\ML}~~}Reference}\begingroup\def\isastyletext{\rm}\small}
-\renewcommand{\endisatagmlref}{\endgroup}
-
-\newcommand{\isasymGUESS}{\isakeyword{guess}}
-\newcommand{\isasymOBTAIN}{\isakeyword{obtain}}
-\newcommand{\isasymTHEORY}{\isakeyword{theory}}
-\newcommand{\isasymUSES}{\isakeyword{uses}}
-\newcommand{\isasymEND}{\isakeyword{end}}
-\newcommand{\isasymCONSTS}{\isakeyword{consts}}
-\newcommand{\isasymDEFS}{\isakeyword{defs}}
-\newcommand{\isasymTHEOREM}{\isakeyword{theorem}}
-\newcommand{\isasymDEFINITION}{\isakeyword{definition}}
-
-\isabellestyle{it}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "implementation"
-%%% End:
--- a/doc-src/HOL/document/HOL.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2089 +0,0 @@
-\chapter{Higher-Order Logic}
-\index{higher-order logic|(}
-\index{HOL system@{\sc hol} system}
-
-\begin{figure}
-\begin{constants}
- \it name &\it meta-type & \it description \\
- \cdx{Trueprop}& $bool\To prop$ & coercion to $prop$\\
- \cdx{Not} & $bool\To bool$ & negation ($\lnot$) \\
- \cdx{True} & $bool$ & tautology ($\top$) \\
- \cdx{False} & $bool$ & absurdity ($\bot$) \\
- \cdx{If} & $[bool,\alpha,\alpha]\To\alpha$ & conditional \\
- \cdx{Let} & $[\alpha,\alpha\To\beta]\To\beta$ & let binder
-\end{constants}
-\subcaption{Constants}
-
-\begin{constants}
-\index{"@@{\tt\at} symbol}
-\index{*"! symbol}\index{*"? symbol}
-\index{*"?"! symbol}\index{*"E"X"! symbol}
- \it symbol &\it name &\it meta-type & \it description \\
- \sdx{SOME} or \tt\at & \cdx{Eps} & $(\alpha\To bool)\To\alpha$ &
- Hilbert description ($\varepsilon$) \\
- \sdx{ALL} or {\tt!~} & \cdx{All} & $(\alpha\To bool)\To bool$ &
- universal quantifier ($\forall$) \\
- \sdx{EX} or {\tt?~} & \cdx{Ex} & $(\alpha\To bool)\To bool$ &
- existential quantifier ($\exists$) \\
- \texttt{EX!} or {\tt?!} & \cdx{Ex1} & $(\alpha\To bool)\To bool$ &
- unique existence ($\exists!$)\\
- \texttt{LEAST} & \cdx{Least} & $(\alpha::ord \To bool)\To\alpha$ &
- least element
-\end{constants}
-\subcaption{Binders}
-
-\begin{constants}
-\index{*"= symbol}
-\index{&@{\tt\&} symbol}
-\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
-\index{*"-"-"> symbol}
- \it symbol & \it meta-type & \it priority & \it description \\
- \sdx{o} & $[\beta\To\gamma,\alpha\To\beta]\To (\alpha\To\gamma)$ &
- Left 55 & composition ($\circ$) \\
- \tt = & $[\alpha,\alpha]\To bool$ & Left 50 & equality ($=$) \\
- \tt < & $[\alpha::ord,\alpha]\To bool$ & Left 50 & less than ($<$) \\
- \tt <= & $[\alpha::ord,\alpha]\To bool$ & Left 50 &
- less than or equals ($\leq$)\\
- \tt \& & $[bool,bool]\To bool$ & Right 35 & conjunction ($\conj$) \\
- \tt | & $[bool,bool]\To bool$ & Right 30 & disjunction ($\disj$) \\
- \tt --> & $[bool,bool]\To bool$ & Right 25 & implication ($\imp$)
-\end{constants}
-\subcaption{Infixes}
-\caption{Syntax of \texttt{HOL}} \label{hol-constants}
-\end{figure}
-
-
-\begin{figure}
-\index{*let symbol}
-\index{*in symbol}
-\dquotes
-\[\begin{array}{rclcl}
- term & = & \hbox{expression of class~$term$} \\
- & | & "SOME~" id " . " formula
- & | & "\at~" id " . " formula \\
- & | &
- \multicolumn{3}{l}{"let"~id~"="~term";"\dots";"~id~"="~term~"in"~term} \\
- & | &
- \multicolumn{3}{l}{"if"~formula~"then"~term~"else"~term} \\
- & | & "LEAST"~ id " . " formula \\[2ex]
- formula & = & \hbox{expression of type~$bool$} \\
- & | & term " = " term \\
- & | & term " \ttilde= " term \\
- & | & term " < " term \\
- & | & term " <= " term \\
- & | & "\ttilde\ " formula \\
- & | & formula " \& " formula \\
- & | & formula " | " formula \\
- & | & formula " --> " formula \\
- & | & "ALL~" id~id^* " . " formula
- & | & "!~~~" id~id^* " . " formula \\
- & | & "EX~~" id~id^* " . " formula
- & | & "?~~~" id~id^* " . " formula \\
- & | & "EX!~" id~id^* " . " formula
- & | & "?!~~" id~id^* " . " formula \\
- \end{array}
-\]
-\caption{Full grammar for HOL} \label{hol-grammar}
-\end{figure}
-
-
-\section{Syntax}
-
-Figure~\ref{hol-constants} lists the constants (including infixes and
-binders), while Fig.\ts\ref{hol-grammar} presents the grammar of
-higher-order logic. Note that $a$\verb|~=|$b$ is translated to
-$\lnot(a=b)$.
-
-\begin{warn}
- HOL has no if-and-only-if connective; logical equivalence is expressed using
- equality. But equality has a high priority, as befitting a relation, while
- if-and-only-if typically has the lowest priority. Thus, $\lnot\lnot P=P$
- abbreviates $\lnot\lnot (P=P)$ and not $(\lnot\lnot P)=P$. When using $=$
- to mean logical equivalence, enclose both operands in parentheses.
-\end{warn}
-
-\subsection{Types and overloading}
-The universal type class of higher-order terms is called~\cldx{term}.
-By default, explicit type variables have class \cldx{term}. In
-particular the equality symbol and quantifiers are polymorphic over
-class \texttt{term}.
-
-The type of formulae, \tydx{bool}, belongs to class \cldx{term}; thus,
-formulae are terms. The built-in type~\tydx{fun}, which constructs
-function types, is overloaded with arity {\tt(term,\thinspace
- term)\thinspace term}. Thus, $\sigma\To\tau$ belongs to class~{\tt
- term} if $\sigma$ and~$\tau$ do, allowing quantification over
-functions.
-
-HOL allows new types to be declared as subsets of existing types,
-either using the primitive \texttt{typedef} or the more convenient
-\texttt{datatype} (see~{\S}\ref{sec:HOL:datatype}).
-
-Several syntactic type classes --- \cldx{plus}, \cldx{minus},
-\cldx{times} and
-\cldx{power} --- permit overloading of the operators {\tt+},\index{*"+
- symbol} {\tt-}\index{*"- symbol}, {\tt*}.\index{*"* symbol}
-and \verb|^|.\index{^@\verb.^. symbol}
-%
-They are overloaded to denote the obvious arithmetic operations on types
-\tdx{nat}, \tdx{int} and~\tdx{real}. (With the \verb|^| operator, the
-exponent always has type~\tdx{nat}.) Non-arithmetic overloadings are also
-done: the operator {\tt-} can denote set difference, while \verb|^| can
-denote exponentiation of relations (iterated composition). Unary minus is
-also written as~{\tt-} and is overloaded like its 2-place counterpart; it even
-can stand for set complement.
-
-The constant \cdx{0} is also overloaded. It serves as the zero element of
-several types, of which the most important is \tdx{nat} (the natural
-numbers). The type class \cldx{plus_ac0} comprises all types for which 0
-and~+ satisfy the laws $x+y=y+x$, $(x+y)+z = x+(y+z)$ and $0+x = x$. These
-types include the numeric ones \tdx{nat}, \tdx{int} and~\tdx{real} and also
-multisets. The summation operator \cdx{setsum} is available for all types in
-this class.
-
-Theory \thydx{Ord} defines the syntactic class \cldx{ord} of order
-signatures. The relations $<$ and $\leq$ are polymorphic over this
-class, as are the functions \cdx{mono}, \cdx{min} and \cdx{max}, and
-the \cdx{LEAST} operator. \thydx{Ord} also defines a subclass
-\cldx{order} of \cldx{ord} which axiomatizes the types that are partially
-ordered with respect to~$\leq$. A further subclass \cldx{linorder} of
-\cldx{order} axiomatizes linear orderings.
-For details, see the file \texttt{Ord.thy}.
-
-If you state a goal containing overloaded functions, you may need to include
-type constraints. Type inference may otherwise make the goal more
-polymorphic than you intended, with confusing results. For example, the
-variables $i$, $j$ and $k$ in the goal $i \leq j \Imp i \leq j+k$ have type
-$\alpha::\{ord,plus\}$, although you may have expected them to have some
-numeric type, e.g. $nat$. Instead you should have stated the goal as
-$(i::nat) \leq j \Imp i \leq j+k$, which causes all three variables to have
-type $nat$.
-
-\begin{warn}
- If resolution fails for no obvious reason, try setting
- \ttindex{show_types} to \texttt{true}, causing Isabelle to display
- types of terms. Possibly set \ttindex{show_sorts} to \texttt{true} as
- well, causing Isabelle to display type classes and sorts.
-
- \index{unification!incompleteness of}
- Where function types are involved, Isabelle's unification code does not
- guarantee to find instantiations for type variables automatically. Be
- prepared to use \ttindex{res_inst_tac} instead of \texttt{resolve_tac},
- possibly instantiating type variables. Setting
- \ttindex{Unify.trace_types} to \texttt{true} causes Isabelle to report
- omitted search paths during unification.\index{tracing!of unification}
-\end{warn}
-
-
-\subsection{Binders}
-
-Hilbert's {\bf description} operator~$\varepsilon x. P[x]$ stands for some~$x$
-satisfying~$P$, if such exists. Since all terms in HOL denote something, a
-description is always meaningful, but we do not know its value unless $P$
-defines it uniquely. We may write descriptions as \cdx{Eps}($\lambda x.
-P[x]$) or use the syntax \hbox{\tt SOME~$x$.~$P[x]$}.
-
-Existential quantification is defined by
-\[ \exists x. P~x \;\equiv\; P(\varepsilon x. P~x). \]
-The unique existence quantifier, $\exists!x. P$, is defined in terms
-of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
-quantifications. For instance, $\exists!x\,y. P\,x\,y$ abbreviates
-$\exists!x. \exists!y. P\,x\,y$; note that this does not mean that there
-exists a unique pair $(x,y)$ satisfying~$P\,x\,y$.
-
-\medskip
-
-\index{*"! symbol}\index{*"? symbol}\index{HOL system@{\sc hol} system} The
-basic Isabelle/HOL binders have two notations. Apart from the usual
-\texttt{ALL} and \texttt{EX} for $\forall$ and $\exists$, Isabelle/HOL also
-supports the original notation of Gordon's {\sc hol} system: \texttt{!}\
-and~\texttt{?}. In the latter case, the existential quantifier \emph{must} be
-followed by a space; thus {\tt?x} is an unknown, while \verb'? x. f x=y' is a
-quantification. Both notations are accepted for input. The print mode
-``\ttindexbold{HOL}'' governs the output notation. If enabled (e.g.\ by
-passing option \texttt{-m HOL} to the \texttt{isabelle} executable),
-then~{\tt!}\ and~{\tt?}\ are displayed.
-
-\medskip
-
-If $\tau$ is a type of class \cldx{ord}, $P$ a formula and $x$ a
-variable of type $\tau$, then the term \cdx{LEAST}~$x. P[x]$ is defined
-to be the least (w.r.t.\ $\leq$) $x$ such that $P~x$ holds (see
-Fig.~\ref{hol-defs}). The definition uses Hilbert's $\varepsilon$
-choice operator, so \texttt{Least} is always meaningful, but may yield
-nothing useful in case there is not a unique least element satisfying
-$P$.\footnote{Class $ord$ does not require much of its instances, so
- $\leq$ need not be a well-ordering, not even an order at all!}
-
-\medskip All these binders have priority 10.
-
-\begin{warn}
-The low priority of binders means that they need to be enclosed in
-parenthesis when they occur in the context of other operations. For example,
-instead of $P \land \forall x. Q$ you need to write $P \land (\forall x. Q)$.
-\end{warn}
-
-
-\subsection{The let and case constructions}
-Local abbreviations can be introduced by a \texttt{let} construct whose
-syntax appears in Fig.\ts\ref{hol-grammar}. Internally it is translated into
-the constant~\cdx{Let}. It can be expanded by rewriting with its
-definition, \tdx{Let_def}.
-
-HOL also defines the basic syntax
-\[\dquotes"case"~e~"of"~c@1~"=>"~e@1~"|" \dots "|"~c@n~"=>"~e@n\]
-as a uniform means of expressing \texttt{case} constructs. Therefore \texttt{case}
-and \sdx{of} are reserved words. Initially, this is mere syntax and has no
-logical meaning. By declaring translations, you can cause instances of the
-\texttt{case} construct to denote applications of particular case operators.
-This is what happens automatically for each \texttt{datatype} definition
-(see~{\S}\ref{sec:HOL:datatype}).
-
-\begin{warn}
-Both \texttt{if} and \texttt{case} constructs have as low a priority as
-quantifiers, which requires additional enclosing parentheses in the context
-of most other operations. For example, instead of $f~x = {\tt if\dots
-then\dots else}\dots$ you need to write $f~x = ({\tt if\dots then\dots
-else\dots})$.
-\end{warn}
-
-\section{Rules of inference}
-
-\begin{figure}
-\begin{ttbox}\makeatother
-\tdx{refl} t = (t::'a)
-\tdx{subst} [| s = t; P s |] ==> P (t::'a)
-\tdx{ext} (!!x::'a. (f x :: 'b) = g x) ==> (\%x. f x) = (\%x. g x)
-\tdx{impI} (P ==> Q) ==> P-->Q
-\tdx{mp} [| P-->Q; P |] ==> Q
-\tdx{iff} (P-->Q) --> (Q-->P) --> (P=Q)
-\tdx{someI} P(x::'a) ==> P(@x. P x)
-\tdx{True_or_False} (P=True) | (P=False)
-\end{ttbox}
-\caption{The \texttt{HOL} rules} \label{hol-rules}
-\end{figure}
-
-Figure~\ref{hol-rules} shows the primitive inference rules of~HOL, with
-their~{\ML} names. Some of the rules deserve additional comments:
-\begin{ttdescription}
-\item[\tdx{ext}] expresses extensionality of functions.
-\item[\tdx{iff}] asserts that logically equivalent formulae are
- equal.
-\item[\tdx{someI}] gives the defining property of the Hilbert
- $\varepsilon$-operator. It is a form of the Axiom of Choice. The derived rule
- \tdx{some_equality} (see below) is often easier to use.
-\item[\tdx{True_or_False}] makes the logic classical.\footnote{In
- fact, the $\varepsilon$-operator already makes the logic classical, as
- shown by Diaconescu; see Paulson~\cite{paulson-COLOG} for details.}
-\end{ttdescription}
-
-
-\begin{figure}\hfuzz=4pt%suppress "Overfull \hbox" message
-\begin{ttbox}\makeatother
-\tdx{True_def} True == ((\%x::bool. x)=(\%x. x))
-\tdx{All_def} All == (\%P. P = (\%x. True))
-\tdx{Ex_def} Ex == (\%P. P(@x. P x))
-\tdx{False_def} False == (!P. P)
-\tdx{not_def} not == (\%P. P-->False)
-\tdx{and_def} op & == (\%P Q. !R. (P-->Q-->R) --> R)
-\tdx{or_def} op | == (\%P Q. !R. (P-->R) --> (Q-->R) --> R)
-\tdx{Ex1_def} Ex1 == (\%P. ? x. P x & (! y. P y --> y=x))
-
-\tdx{o_def} op o == (\%(f::'b=>'c) g x::'a. f(g x))
-\tdx{if_def} If P x y ==
- (\%P x y. @z::'a.(P=True --> z=x) & (P=False --> z=y))
-\tdx{Let_def} Let s f == f s
-\tdx{Least_def} Least P == @x. P(x) & (ALL y. P(y) --> x <= y)"
-\end{ttbox}
-\caption{The \texttt{HOL} definitions} \label{hol-defs}
-\end{figure}
-
-
-HOL follows standard practice in higher-order logic: only a few connectives
-are taken as primitive, with the remainder defined obscurely
-(Fig.\ts\ref{hol-defs}). Gordon's {\sc hol} system expresses the
-corresponding definitions \cite[page~270]{mgordon-hol} using
-object-equality~({\tt=}), which is possible because equality in higher-order
-logic may equate formulae and even functions over formulae. But theory~HOL,
-like all other Isabelle theories, uses meta-equality~({\tt==}) for
-definitions.
-\begin{warn}
-The definitions above should never be expanded and are shown for completeness
-only. Instead users should reason in terms of the derived rules shown below
-or, better still, using high-level tactics.
-\end{warn}
-
-Some of the rules mention type variables; for example, \texttt{refl}
-mentions the type variable~{\tt'a}. This allows you to instantiate
-type variables explicitly by calling \texttt{res_inst_tac}.
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{sym} s=t ==> t=s
-\tdx{trans} [| r=s; s=t |] ==> r=t
-\tdx{ssubst} [| t=s; P s |] ==> P t
-\tdx{box_equals} [| a=b; a=c; b=d |] ==> c=d
-\tdx{arg_cong} x = y ==> f x = f y
-\tdx{fun_cong} f = g ==> f x = g x
-\tdx{cong} [| f = g; x = y |] ==> f x = g y
-\tdx{not_sym} t ~= s ==> s ~= t
-\subcaption{Equality}
-
-\tdx{TrueI} True
-\tdx{FalseE} False ==> P
-
-\tdx{conjI} [| P; Q |] ==> P&Q
-\tdx{conjunct1} [| P&Q |] ==> P
-\tdx{conjunct2} [| P&Q |] ==> Q
-\tdx{conjE} [| P&Q; [| P; Q |] ==> R |] ==> R
-
-\tdx{disjI1} P ==> P|Q
-\tdx{disjI2} Q ==> P|Q
-\tdx{disjE} [| P | Q; P ==> R; Q ==> R |] ==> R
-
-\tdx{notI} (P ==> False) ==> ~ P
-\tdx{notE} [| ~ P; P |] ==> R
-\tdx{impE} [| P-->Q; P; Q ==> R |] ==> R
-\subcaption{Propositional logic}
-
-\tdx{iffI} [| P ==> Q; Q ==> P |] ==> P=Q
-\tdx{iffD1} [| P=Q; P |] ==> Q
-\tdx{iffD2} [| P=Q; Q |] ==> P
-\tdx{iffE} [| P=Q; [| P --> Q; Q --> P |] ==> R |] ==> R
-\subcaption{Logical equivalence}
-
-\end{ttbox}
-\caption{Derived rules for HOL} \label{hol-lemmas1}
-\end{figure}
-%
-%\tdx{eqTrueI} P ==> P=True
-%\tdx{eqTrueE} P=True ==> P
-
-
-\begin{figure}
-\begin{ttbox}\makeatother
-\tdx{allI} (!!x. P x) ==> !x. P x
-\tdx{spec} !x. P x ==> P x
-\tdx{allE} [| !x. P x; P x ==> R |] ==> R
-\tdx{all_dupE} [| !x. P x; [| P x; !x. P x |] ==> R |] ==> R
-
-\tdx{exI} P x ==> ? x. P x
-\tdx{exE} [| ? x. P x; !!x. P x ==> Q |] ==> Q
-
-\tdx{ex1I} [| P a; !!x. P x ==> x=a |] ==> ?! x. P x
-\tdx{ex1E} [| ?! x. P x; !!x. [| P x; ! y. P y --> y=x |] ==> R
- |] ==> R
-
-\tdx{some_equality} [| P a; !!x. P x ==> x=a |] ==> (@x. P x) = a
-\subcaption{Quantifiers and descriptions}
-
-\tdx{ccontr} (~P ==> False) ==> P
-\tdx{classical} (~P ==> P) ==> P
-\tdx{excluded_middle} ~P | P
-
-\tdx{disjCI} (~Q ==> P) ==> P|Q
-\tdx{exCI} (! x. ~ P x ==> P a) ==> ? x. P x
-\tdx{impCE} [| P-->Q; ~ P ==> R; Q ==> R |] ==> R
-\tdx{iffCE} [| P=Q; [| P;Q |] ==> R; [| ~P; ~Q |] ==> R |] ==> R
-\tdx{notnotD} ~~P ==> P
-\tdx{swap} ~P ==> (~Q ==> P) ==> Q
-\subcaption{Classical logic}
-
-\tdx{if_P} P ==> (if P then x else y) = x
-\tdx{if_not_P} ~ P ==> (if P then x else y) = y
-\tdx{split_if} P(if Q then x else y) = ((Q --> P x) & (~Q --> P y))
-\subcaption{Conditionals}
-\end{ttbox}
-\caption{More derived rules} \label{hol-lemmas2}
-\end{figure}
-
-Some derived rules are shown in Figures~\ref{hol-lemmas1}
-and~\ref{hol-lemmas2}, with their {\ML} names. These include natural rules
-for the logical connectives, as well as sequent-style elimination rules for
-conjunctions, implications, and universal quantifiers.
-
-Note the equality rules: \tdx{ssubst} performs substitution in
-backward proofs, while \tdx{box_equals} supports reasoning by
-simplifying both sides of an equation.
-
-The following simple tactics are occasionally useful:
-\begin{ttdescription}
-\item[\ttindexbold{strip_tac} $i$] applies \texttt{allI} and \texttt{impI}
- repeatedly to remove all outermost universal quantifiers and implications
- from subgoal $i$.
-\item[\ttindexbold{case_tac} {\tt"}$P${\tt"} $i$] performs case distinction on
- $P$ for subgoal $i$: the latter is replaced by two identical subgoals with
- the added assumptions $P$ and $\lnot P$, respectively.
-\item[\ttindexbold{smp_tac} $j$ $i$] applies $j$ times \texttt{spec} and then
- \texttt{mp} in subgoal $i$, which is typically useful when forward-chaining
- from an induction hypothesis. As a generalization of \texttt{mp_tac},
- if there are assumptions $\forall \vec{x}. P \vec{x} \imp Q \vec{x}$ and
- $P \vec{a}$, ($\vec{x}$ being a vector of $j$ variables)
- then it replaces the universally quantified implication by $Q \vec{a}$.
- It may instantiate unknowns. It fails if it can do nothing.
-\end{ttdescription}
-
-
-\begin{figure}
-\begin{center}
-\begin{tabular}{rrr}
- \it name &\it meta-type & \it description \\
-\index{{}@\verb'{}' symbol}
- \verb|{}| & $\alpha\,set$ & the empty set \\
- \cdx{insert} & $[\alpha,\alpha\,set]\To \alpha\,set$
- & insertion of element \\
- \cdx{Collect} & $(\alpha\To bool)\To\alpha\,set$
- & comprehension \\
- \cdx{INTER} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
- & intersection over a set\\
- \cdx{UNION} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
- & union over a set\\
- \cdx{Inter} & $(\alpha\,set)set\To\alpha\,set$
- &set of sets intersection \\
- \cdx{Union} & $(\alpha\,set)set\To\alpha\,set$
- &set of sets union \\
- \cdx{Pow} & $\alpha\,set \To (\alpha\,set)set$
- & powerset \\[1ex]
- \cdx{range} & $(\alpha\To\beta )\To\beta\,set$
- & range of a function \\[1ex]
- \cdx{Ball}~~\cdx{Bex} & $[\alpha\,set,\alpha\To bool]\To bool$
- & bounded quantifiers
-\end{tabular}
-\end{center}
-\subcaption{Constants}
-
-\begin{center}
-\begin{tabular}{llrrr}
- \it symbol &\it name &\it meta-type & \it priority & \it description \\
- \sdx{INT} & \cdx{INTER1} & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 &
- intersection\\
- \sdx{UN} & \cdx{UNION1} & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 &
- union
-\end{tabular}
-\end{center}
-\subcaption{Binders}
-
-\begin{center}
-\index{*"`"` symbol}
-\index{*": symbol}
-\index{*"<"= symbol}
-\begin{tabular}{rrrr}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt `` & $[\alpha\To\beta ,\alpha\,set]\To \beta\,set$
- & Left 90 & image \\
- \sdx{Int} & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
- & Left 70 & intersection ($\int$) \\
- \sdx{Un} & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
- & Left 65 & union ($\un$) \\
- \tt: & $[\alpha ,\alpha\,set]\To bool$
- & Left 50 & membership ($\in$) \\
- \tt <= & $[\alpha\,set,\alpha\,set]\To bool$
- & Left 50 & subset ($\subseteq$)
-\end{tabular}
-\end{center}
-\subcaption{Infixes}
-\caption{Syntax of the theory \texttt{Set}} \label{hol-set-syntax}
-\end{figure}
-
-
-\begin{figure}
-\begin{center} \tt\frenchspacing
-\index{*"! symbol}
-\begin{tabular}{rrr}
- \it external & \it internal & \it description \\
- $a$ \ttilde: $b$ & \ttilde($a$ : $b$) & \rm not in\\
- {\ttlbrace}$a@1$, $\ldots${\ttrbrace} & insert $a@1$ $\ldots$ {\ttlbrace}{\ttrbrace} & \rm finite set \\
- {\ttlbrace}$x$. $P[x]${\ttrbrace} & Collect($\lambda x. P[x]$) &
- \rm comprehension \\
- \sdx{INT} $x$:$A$. $B[x]$ & INTER $A$ $\lambda x. B[x]$ &
- \rm intersection \\
- \sdx{UN}{\tt\ } $x$:$A$. $B[x]$ & UNION $A$ $\lambda x. B[x]$ &
- \rm union \\
- \sdx{ALL} $x$:$A$.\ $P[x]$ or \texttt{!} $x$:$A$.\ $P[x]$ &
- Ball $A$ $\lambda x.\ P[x]$ &
- \rm bounded $\forall$ \\
- \sdx{EX}{\tt\ } $x$:$A$.\ $P[x]$ or \texttt{?} $x$:$A$.\ $P[x]$ &
- Bex $A$ $\lambda x.\ P[x]$ & \rm bounded $\exists$
-\end{tabular}
-\end{center}
-\subcaption{Translations}
-
-\dquotes
-\[\begin{array}{rclcl}
- term & = & \hbox{other terms\ldots} \\
- & | & "{\ttlbrace}{\ttrbrace}" \\
- & | & "{\ttlbrace} " term\; ("," term)^* " {\ttrbrace}" \\
- & | & "{\ttlbrace} " id " . " formula " {\ttrbrace}" \\
- & | & term " `` " term \\
- & | & term " Int " term \\
- & | & term " Un " term \\
- & | & "INT~~" id ":" term " . " term \\
- & | & "UN~~~" id ":" term " . " term \\
- & | & "INT~~" id~id^* " . " term \\
- & | & "UN~~~" id~id^* " . " term \\[2ex]
- formula & = & \hbox{other formulae\ldots} \\
- & | & term " : " term \\
- & | & term " \ttilde: " term \\
- & | & term " <= " term \\
- & | & "ALL " id ":" term " . " formula
- & | & "!~" id ":" term " . " formula \\
- & | & "EX~~" id ":" term " . " formula
- & | & "?~" id ":" term " . " formula \\
- \end{array}
-\]
-\subcaption{Full Grammar}
-\caption{Syntax of the theory \texttt{Set} (continued)} \label{hol-set-syntax2}
-\end{figure}
-
-
-\section{A formulation of set theory}
-Historically, higher-order logic gives a foundation for Russell and
-Whitehead's theory of classes. Let us use modern terminology and call them
-{\bf sets}, but note that these sets are distinct from those of ZF set theory,
-and behave more like ZF classes.
-\begin{itemize}
-\item
-Sets are given by predicates over some type~$\sigma$. Types serve to
-define universes for sets, but type-checking is still significant.
-\item
-There is a universal set (for each type). Thus, sets have complements, and
-may be defined by absolute comprehension.
-\item
-Although sets may contain other sets as elements, the containing set must
-have a more complex type.
-\end{itemize}
-Finite unions and intersections have the same behaviour in HOL as they do
-in~ZF. In HOL the intersection of the empty set is well-defined, denoting the
-universal set for the given type.
-
-\subsection{Syntax of set theory}\index{*set type}
-HOL's set theory is called \thydx{Set}. The type $\alpha\,set$ is essentially
-the same as $\alpha\To bool$. The new type is defined for clarity and to
-avoid complications involving function types in unification. The isomorphisms
-between the two types are declared explicitly. They are very natural:
-\texttt{Collect} maps $\alpha\To bool$ to $\alpha\,set$, while \hbox{\tt op :}
-maps in the other direction (ignoring argument order).
-
-Figure~\ref{hol-set-syntax} lists the constants, infixes, and syntax
-translations. Figure~\ref{hol-set-syntax2} presents the grammar of the new
-constructs. Infix operators include union and intersection ($A\un B$
-and $A\int B$), the subset and membership relations, and the image
-operator~{\tt``}\@. Note that $a$\verb|~:|$b$ is translated to
-$\lnot(a\in b)$.
-
-The $\{a@1,\ldots\}$ notation abbreviates finite sets constructed in
-the obvious manner using~\texttt{insert} and~$\{\}$:
-\begin{eqnarray*}
- \{a, b, c\} & \equiv &
- \texttt{insert} \, a \, ({\tt insert} \, b \, ({\tt insert} \, c \, \{\}))
-\end{eqnarray*}
-
-The set \hbox{\tt{\ttlbrace}$x$.\ $P[x]${\ttrbrace}} consists of all $x$ (of
-suitable type) that satisfy~$P[x]$, where $P[x]$ is a formula that may contain
-free occurrences of~$x$. This syntax expands to \cdx{Collect}$(\lambda x.
-P[x])$. It defines sets by absolute comprehension, which is impossible in~ZF;
-the type of~$x$ implicitly restricts the comprehension.
-
-The set theory defines two {\bf bounded quantifiers}:
-\begin{eqnarray*}
- \forall x\in A. P[x] &\hbox{abbreviates}& \forall x. x\in A\imp P[x] \\
- \exists x\in A. P[x] &\hbox{abbreviates}& \exists x. x\in A\conj P[x]
-\end{eqnarray*}
-The constants~\cdx{Ball} and~\cdx{Bex} are defined
-accordingly. Instead of \texttt{Ball $A$ $P$} and \texttt{Bex $A$ $P$} we may
-write\index{*"! symbol}\index{*"? symbol}
-\index{*ALL symbol}\index{*EX symbol}
-%
-\hbox{\tt ALL~$x$:$A$.\ $P[x]$} and \hbox{\tt EX~$x$:$A$.\ $P[x]$}. The
-original notation of Gordon's {\sc hol} system is supported as well:
-\texttt{!}\ and \texttt{?}.
-
-Unions and intersections over sets, namely $\bigcup@{x\in A}B[x]$ and
-$\bigcap@{x\in A}B[x]$, are written
-\sdx{UN}~\hbox{\tt$x$:$A$.\ $B[x]$} and
-\sdx{INT}~\hbox{\tt$x$:$A$.\ $B[x]$}.
-
-Unions and intersections over types, namely $\bigcup@x B[x]$ and $\bigcap@x
-B[x]$, are written \sdx{UN}~\hbox{\tt$x$.\ $B[x]$} and
-\sdx{INT}~\hbox{\tt$x$.\ $B[x]$}. They are equivalent to the previous
-union and intersection operators when $A$ is the universal set.
-
-The operators $\bigcup A$ and $\bigcap A$ act upon sets of sets. They are
-not binders, but are equal to $\bigcup@{x\in A}x$ and $\bigcap@{x\in A}x$,
-respectively.
-
-
-
-\begin{figure} \underscoreon
-\begin{ttbox}
-\tdx{mem_Collect_eq} (a : {\ttlbrace}x. P x{\ttrbrace}) = P a
-\tdx{Collect_mem_eq} {\ttlbrace}x. x:A{\ttrbrace} = A
-
-\tdx{empty_def} {\ttlbrace}{\ttrbrace} == {\ttlbrace}x. False{\ttrbrace}
-\tdx{insert_def} insert a B == {\ttlbrace}x. x=a{\ttrbrace} Un B
-\tdx{Ball_def} Ball A P == ! x. x:A --> P x
-\tdx{Bex_def} Bex A P == ? x. x:A & P x
-\tdx{subset_def} A <= B == ! x:A. x:B
-\tdx{Un_def} A Un B == {\ttlbrace}x. x:A | x:B{\ttrbrace}
-\tdx{Int_def} A Int B == {\ttlbrace}x. x:A & x:B{\ttrbrace}
-\tdx{set_diff_def} A - B == {\ttlbrace}x. x:A & x~:B{\ttrbrace}
-\tdx{Compl_def} -A == {\ttlbrace}x. ~ x:A{\ttrbrace}
-\tdx{INTER_def} INTER A B == {\ttlbrace}y. ! x:A. y: B x{\ttrbrace}
-\tdx{UNION_def} UNION A B == {\ttlbrace}y. ? x:A. y: B x{\ttrbrace}
-\tdx{INTER1_def} INTER1 B == INTER {\ttlbrace}x. True{\ttrbrace} B
-\tdx{UNION1_def} UNION1 B == UNION {\ttlbrace}x. True{\ttrbrace} B
-\tdx{Inter_def} Inter S == (INT x:S. x)
-\tdx{Union_def} Union S == (UN x:S. x)
-\tdx{Pow_def} Pow A == {\ttlbrace}B. B <= A{\ttrbrace}
-\tdx{image_def} f``A == {\ttlbrace}y. ? x:A. y=f x{\ttrbrace}
-\tdx{range_def} range f == {\ttlbrace}y. ? x. y=f x{\ttrbrace}
-\end{ttbox}
-\caption{Rules of the theory \texttt{Set}} \label{hol-set-rules}
-\end{figure}
-
-
-\begin{figure} \underscoreon
-\begin{ttbox}
-\tdx{CollectI} [| P a |] ==> a : {\ttlbrace}x. P x{\ttrbrace}
-\tdx{CollectD} [| a : {\ttlbrace}x. P x{\ttrbrace} |] ==> P a
-\tdx{CollectE} [| a : {\ttlbrace}x. P x{\ttrbrace}; P a ==> W |] ==> W
-
-\tdx{ballI} [| !!x. x:A ==> P x |] ==> ! x:A. P x
-\tdx{bspec} [| ! x:A. P x; x:A |] ==> P x
-\tdx{ballE} [| ! x:A. P x; P x ==> Q; ~ x:A ==> Q |] ==> Q
-
-\tdx{bexI} [| P x; x:A |] ==> ? x:A. P x
-\tdx{bexCI} [| ! x:A. ~ P x ==> P a; a:A |] ==> ? x:A. P x
-\tdx{bexE} [| ? x:A. P x; !!x. [| x:A; P x |] ==> Q |] ==> Q
-\subcaption{Comprehension and Bounded quantifiers}
-
-\tdx{subsetI} (!!x. x:A ==> x:B) ==> A <= B
-\tdx{subsetD} [| A <= B; c:A |] ==> c:B
-\tdx{subsetCE} [| A <= B; ~ (c:A) ==> P; c:B ==> P |] ==> P
-
-\tdx{subset_refl} A <= A
-\tdx{subset_trans} [| A<=B; B<=C |] ==> A<=C
-
-\tdx{equalityI} [| A <= B; B <= A |] ==> A = B
-\tdx{equalityD1} A = B ==> A<=B
-\tdx{equalityD2} A = B ==> B<=A
-\tdx{equalityE} [| A = B; [| A<=B; B<=A |] ==> P |] ==> P
-
-\tdx{equalityCE} [| A = B; [| c:A; c:B |] ==> P;
- [| ~ c:A; ~ c:B |] ==> P
- |] ==> P
-\subcaption{The subset and equality relations}
-\end{ttbox}
-\caption{Derived rules for set theory} \label{hol-set1}
-\end{figure}
-
-
-\begin{figure} \underscoreon
-\begin{ttbox}
-\tdx{emptyE} a : {\ttlbrace}{\ttrbrace} ==> P
-
-\tdx{insertI1} a : insert a B
-\tdx{insertI2} a : B ==> a : insert b B
-\tdx{insertE} [| a : insert b A; a=b ==> P; a:A ==> P |] ==> P
-
-\tdx{ComplI} [| c:A ==> False |] ==> c : -A
-\tdx{ComplD} [| c : -A |] ==> ~ c:A
-
-\tdx{UnI1} c:A ==> c : A Un B
-\tdx{UnI2} c:B ==> c : A Un B
-\tdx{UnCI} (~c:B ==> c:A) ==> c : A Un B
-\tdx{UnE} [| c : A Un B; c:A ==> P; c:B ==> P |] ==> P
-
-\tdx{IntI} [| c:A; c:B |] ==> c : A Int B
-\tdx{IntD1} c : A Int B ==> c:A
-\tdx{IntD2} c : A Int B ==> c:B
-\tdx{IntE} [| c : A Int B; [| c:A; c:B |] ==> P |] ==> P
-
-\tdx{UN_I} [| a:A; b: B a |] ==> b: (UN x:A. B x)
-\tdx{UN_E} [| b: (UN x:A. B x); !!x.[| x:A; b:B x |] ==> R |] ==> R
-
-\tdx{INT_I} (!!x. x:A ==> b: B x) ==> b : (INT x:A. B x)
-\tdx{INT_D} [| b: (INT x:A. B x); a:A |] ==> b: B a
-\tdx{INT_E} [| b: (INT x:A. B x); b: B a ==> R; ~ a:A ==> R |] ==> R
-
-\tdx{UnionI} [| X:C; A:X |] ==> A : Union C
-\tdx{UnionE} [| A : Union C; !!X.[| A:X; X:C |] ==> R |] ==> R
-
-\tdx{InterI} [| !!X. X:C ==> A:X |] ==> A : Inter C
-\tdx{InterD} [| A : Inter C; X:C |] ==> A:X
-\tdx{InterE} [| A : Inter C; A:X ==> R; ~ X:C ==> R |] ==> R
-
-\tdx{PowI} A<=B ==> A: Pow B
-\tdx{PowD} A: Pow B ==> A<=B
-
-\tdx{imageI} [| x:A |] ==> f x : f``A
-\tdx{imageE} [| b : f``A; !!x.[| b=f x; x:A |] ==> P |] ==> P
-
-\tdx{rangeI} f x : range f
-\tdx{rangeE} [| b : range f; !!x.[| b=f x |] ==> P |] ==> P
-\end{ttbox}
-\caption{Further derived rules for set theory} \label{hol-set2}
-\end{figure}
-
-
-\subsection{Axioms and rules of set theory}
-Figure~\ref{hol-set-rules} presents the rules of theory \thydx{Set}. The
-axioms \tdx{mem_Collect_eq} and \tdx{Collect_mem_eq} assert
-that the functions \texttt{Collect} and \hbox{\tt op :} are isomorphisms. Of
-course, \hbox{\tt op :} also serves as the membership relation.
-
-All the other axioms are definitions. They include the empty set, bounded
-quantifiers, unions, intersections, complements and the subset relation.
-They also include straightforward constructions on functions: image~({\tt``})
-and \texttt{range}.
-
-%The predicate \cdx{inj_on} is used for simulating type definitions.
-%The statement ${\tt inj_on}~f~A$ asserts that $f$ is injective on the
-%set~$A$, which specifies a subset of its domain type. In a type
-%definition, $f$ is the abstraction function and $A$ is the set of valid
-%representations; we should not expect $f$ to be injective outside of~$A$.
-
-%\begin{figure} \underscoreon
-%\begin{ttbox}
-%\tdx{Inv_f_f} inj f ==> Inv f (f x) = x
-%\tdx{f_Inv_f} y : range f ==> f(Inv f y) = y
-%
-%\tdx{Inv_injective}
-% [| Inv f x=Inv f y; x: range f; y: range f |] ==> x=y
-%
-%
-%\tdx{monoI} [| !!A B. A <= B ==> f A <= f B |] ==> mono f
-%\tdx{monoD} [| mono f; A <= B |] ==> f A <= f B
-%
-%\tdx{injI} [| !! x y. f x = f y ==> x=y |] ==> inj f
-%\tdx{inj_inverseI} (!!x. g(f x) = x) ==> inj f
-%\tdx{injD} [| inj f; f x = f y |] ==> x=y
-%
-%\tdx{inj_onI} (!!x y. [| f x=f y; x:A; y:A |] ==> x=y) ==> inj_on f A
-%\tdx{inj_onD} [| inj_on f A; f x=f y; x:A; y:A |] ==> x=y
-%
-%\tdx{inj_on_inverseI}
-% (!!x. x:A ==> g(f x) = x) ==> inj_on f A
-%\tdx{inj_on_contraD}
-% [| inj_on f A; x~=y; x:A; y:A |] ==> ~ f x=f y
-%\end{ttbox}
-%\caption{Derived rules involving functions} \label{hol-fun}
-%\end{figure}
-
-
-\begin{figure} \underscoreon
-\begin{ttbox}
-\tdx{Union_upper} B:A ==> B <= Union A
-\tdx{Union_least} [| !!X. X:A ==> X<=C |] ==> Union A <= C
-
-\tdx{Inter_lower} B:A ==> Inter A <= B
-\tdx{Inter_greatest} [| !!X. X:A ==> C<=X |] ==> C <= Inter A
-
-\tdx{Un_upper1} A <= A Un B
-\tdx{Un_upper2} B <= A Un B
-\tdx{Un_least} [| A<=C; B<=C |] ==> A Un B <= C
-
-\tdx{Int_lower1} A Int B <= A
-\tdx{Int_lower2} A Int B <= B
-\tdx{Int_greatest} [| C<=A; C<=B |] ==> C <= A Int B
-\end{ttbox}
-\caption{Derived rules involving subsets} \label{hol-subset}
-\end{figure}
-
-
-\begin{figure} \underscoreon \hfuzz=4pt%suppress "Overfull \hbox" message
-\begin{ttbox}
-\tdx{Int_absorb} A Int A = A
-\tdx{Int_commute} A Int B = B Int A
-\tdx{Int_assoc} (A Int B) Int C = A Int (B Int C)
-\tdx{Int_Un_distrib} (A Un B) Int C = (A Int C) Un (B Int C)
-
-\tdx{Un_absorb} A Un A = A
-\tdx{Un_commute} A Un B = B Un A
-\tdx{Un_assoc} (A Un B) Un C = A Un (B Un C)
-\tdx{Un_Int_distrib} (A Int B) Un C = (A Un C) Int (B Un C)
-
-\tdx{Compl_disjoint} A Int (-A) = {\ttlbrace}x. False{\ttrbrace}
-\tdx{Compl_partition} A Un (-A) = {\ttlbrace}x. True{\ttrbrace}
-\tdx{double_complement} -(-A) = A
-\tdx{Compl_Un} -(A Un B) = (-A) Int (-B)
-\tdx{Compl_Int} -(A Int B) = (-A) Un (-B)
-
-\tdx{Union_Un_distrib} Union(A Un B) = (Union A) Un (Union B)
-\tdx{Int_Union} A Int (Union B) = (UN C:B. A Int C)
-
-\tdx{Inter_Un_distrib} Inter(A Un B) = (Inter A) Int (Inter B)
-\tdx{Un_Inter} A Un (Inter B) = (INT C:B. A Un C)
-
-\end{ttbox}
-\caption{Set equalities} \label{hol-equalities}
-\end{figure}
-%\tdx{Un_Union_image} (UN x:C.(A x) Un (B x)) = Union(A``C) Un Union(B``C)
-%\tdx{Int_Inter_image} (INT x:C.(A x) Int (B x)) = Inter(A``C) Int Inter(B``C)
-
-Figures~\ref{hol-set1} and~\ref{hol-set2} present derived rules. Most are
-obvious and resemble rules of Isabelle's ZF set theory. Certain rules, such
-as \tdx{subsetCE}, \tdx{bexCI} and \tdx{UnCI}, are designed for classical
-reasoning; the rules \tdx{subsetD}, \tdx{bexI}, \tdx{Un1} and~\tdx{Un2} are
-not strictly necessary but yield more natural proofs. Similarly,
-\tdx{equalityCE} supports classical reasoning about extensionality, after the
-fashion of \tdx{iffCE}. See the file \texttt{HOL/Set.ML} for proofs
-pertaining to set theory.
-
-Figure~\ref{hol-subset} presents lattice properties of the subset relation.
-Unions form least upper bounds; non-empty intersections form greatest lower
-bounds. Reasoning directly about subsets often yields clearer proofs than
-reasoning about the membership relation. See the file \texttt{HOL/subset.ML}.
-
-Figure~\ref{hol-equalities} presents many common set equalities. They
-include commutative, associative and distributive laws involving unions,
-intersections and complements. For a complete listing see the file {\tt
-HOL/equalities.ML}.
-
-\begin{warn}
-\texttt{Blast_tac} proves many set-theoretic theorems automatically.
-Hence you seldom need to refer to the theorems above.
-\end{warn}
-
-\begin{figure}
-\begin{center}
-\begin{tabular}{rrr}
- \it name &\it meta-type & \it description \\
- \cdx{inj}~~\cdx{surj}& $(\alpha\To\beta )\To bool$
- & injective/surjective \\
- \cdx{inj_on} & $[\alpha\To\beta ,\alpha\,set]\To bool$
- & injective over subset\\
- \cdx{inv} & $(\alpha\To\beta)\To(\beta\To\alpha)$ & inverse function
-\end{tabular}
-\end{center}
-
-\underscoreon
-\begin{ttbox}
-\tdx{inj_def} inj f == ! x y. f x=f y --> x=y
-\tdx{surj_def} surj f == ! y. ? x. y=f x
-\tdx{inj_on_def} inj_on f A == !x:A. !y:A. f x=f y --> x=y
-\tdx{inv_def} inv f == (\%y. @x. f(x)=y)
-\end{ttbox}
-\caption{Theory \thydx{Fun}} \label{fig:HOL:Fun}
-\end{figure}
-
-\subsection{Properties of functions}\nopagebreak
-Figure~\ref{fig:HOL:Fun} presents a theory of simple properties of functions.
-Note that ${\tt inv}~f$ uses Hilbert's $\varepsilon$ to yield an inverse
-of~$f$. See the file \texttt{HOL/Fun.ML} for a complete listing of the derived
-rules. Reasoning about function composition (the operator~\sdx{o}) and the
-predicate~\cdx{surj} is done simply by expanding the definitions.
-
-There is also a large collection of monotonicity theorems for constructions
-on sets in the file \texttt{HOL/mono.ML}.
-
-
-\section{Simplification and substitution}
-
-Simplification tactics tactics such as \texttt{Asm_simp_tac} and \texttt{Full_simp_tac} use the default simpset
-(\texttt{simpset()}), which works for most purposes. A quite minimal
-simplification set for higher-order logic is~\ttindexbold{HOL_ss};
-even more frugal is \ttindexbold{HOL_basic_ss}. Equality~($=$), which
-also expresses logical equivalence, may be used for rewriting. See
-the file \texttt{HOL/simpdata.ML} for a complete listing of the basic
-simplification rules.
-
-See \iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
-{Chaps.\ts\ref{substitution} and~\ref{simp-chap}} for details of substitution
-and simplification.
-
-\begin{warn}\index{simplification!of conjunctions}%
- Reducing $a=b\conj P(a)$ to $a=b\conj P(b)$ is sometimes advantageous. The
- left part of a conjunction helps in simplifying the right part. This effect
- is not available by default: it can be slow. It can be obtained by
- including \ttindex{conj_cong} in a simpset, \verb$addcongs [conj_cong]$.
-\end{warn}
-
-\begin{warn}\index{simplification!of \texttt{if}}\label{if-simp}%
- By default only the condition of an \ttindex{if} is simplified but not the
- \texttt{then} and \texttt{else} parts. Of course the latter are simplified
- once the condition simplifies to \texttt{True} or \texttt{False}. To ensure
- full simplification of all parts of a conditional you must remove
- \ttindex{if_weak_cong} from the simpset, \verb$delcongs [if_weak_cong]$.
-\end{warn}
-
-If the simplifier cannot use a certain rewrite rule --- either because
-of nontermination or because its left-hand side is too flexible ---
-then you might try \texttt{stac}:
-\begin{ttdescription}
-\item[\ttindexbold{stac} $thm$ $i,$] where $thm$ is of the form $lhs = rhs$,
- replaces in subgoal $i$ instances of $lhs$ by corresponding instances of
- $rhs$. In case of multiple instances of $lhs$ in subgoal $i$, backtracking
- may be necessary to select the desired ones.
-
-If $thm$ is a conditional equality, the instantiated condition becomes an
-additional (first) subgoal.
-\end{ttdescription}
-
-HOL provides the tactic \ttindex{hyp_subst_tac}, which substitutes for an
-equality throughout a subgoal and its hypotheses. This tactic uses HOL's
-general substitution rule.
-
-\subsection{Case splitting}
-\label{subsec:HOL:case:splitting}
-
-HOL also provides convenient means for case splitting during rewriting. Goals
-containing a subterm of the form \texttt{if}~$b$~{\tt then\dots else\dots}
-often require a case distinction on $b$. This is expressed by the theorem
-\tdx{split_if}:
-$$
-\Var{P}(\mbox{\tt if}~\Var{b}~{\tt then}~\Var{x}~\mbox{\tt else}~\Var{y})~=~
-((\Var{b} \to \Var{P}(\Var{x})) \land (\lnot \Var{b} \to \Var{P}(\Var{y})))
-\eqno{(*)}
-$$
-For example, a simple instance of $(*)$ is
-\[
-x \in (\mbox{\tt if}~x \in A~{\tt then}~A~\mbox{\tt else}~\{x\})~=~
-((x \in A \to x \in A) \land (x \notin A \to x \in \{x\}))
-\]
-Because $(*)$ is too general as a rewrite rule for the simplifier (the
-left-hand side is not a higher-order pattern in the sense of
-\iflabelundefined{chap:simplification}{the {\em Reference Manual\/}}%
-{Chap.\ts\ref{chap:simplification}}), there is a special infix function
-\ttindexbold{addsplits} of type \texttt{simpset * thm list -> simpset}
-(analogous to \texttt{addsimps}) that adds rules such as $(*)$ to a
-simpset, as in
-\begin{ttbox}
-by(simp_tac (simpset() addsplits [split_if]) 1);
-\end{ttbox}
-The effect is that after each round of simplification, one occurrence of
-\texttt{if} is split acording to \texttt{split_if}, until all occurences of
-\texttt{if} have been eliminated.
-
-It turns out that using \texttt{split_if} is almost always the right thing to
-do. Hence \texttt{split_if} is already included in the default simpset. If
-you want to delete it from a simpset, use \ttindexbold{delsplits}, which is
-the inverse of \texttt{addsplits}:
-\begin{ttbox}
-by(simp_tac (simpset() delsplits [split_if]) 1);
-\end{ttbox}
-
-In general, \texttt{addsplits} accepts rules of the form
-\[
-\Var{P}(c~\Var{x@1}~\dots~\Var{x@n})~=~ rhs
-\]
-where $c$ is a constant and $rhs$ is arbitrary. Note that $(*)$ is of the
-right form because internally the left-hand side is
-$\Var{P}(\mathtt{If}~\Var{b}~\Var{x}~~\Var{y})$. Important further examples
-are splitting rules for \texttt{case} expressions (see~{\S}\ref{subsec:list}
-and~{\S}\ref{subsec:datatype:basics}).
-
-Analogous to \texttt{Addsimps} and \texttt{Delsimps}, there are also
-imperative versions of \texttt{addsplits} and \texttt{delsplits}
-\begin{ttbox}
-\ttindexbold{Addsplits}: thm list -> unit
-\ttindexbold{Delsplits}: thm list -> unit
-\end{ttbox}
-for adding splitting rules to, and deleting them from the current simpset.
-
-
-\section{Types}\label{sec:HOL:Types}
-This section describes HOL's basic predefined types ($\alpha \times \beta$,
-$\alpha + \beta$, $nat$ and $\alpha \; list$) and ways for introducing new
-types in general. The most important type construction, the
-\texttt{datatype}, is treated separately in {\S}\ref{sec:HOL:datatype}.
-
-
-\subsection{Product and sum types}\index{*"* type}\index{*"+ type}
-\label{subsec:prod-sum}
-
-\begin{figure}[htbp]
-\begin{constants}
- \it symbol & \it meta-type & & \it description \\
- \cdx{Pair} & $[\alpha,\beta]\To \alpha\times\beta$
- & & ordered pairs $(a,b)$ \\
- \cdx{fst} & $\alpha\times\beta \To \alpha$ & & first projection\\
- \cdx{snd} & $\alpha\times\beta \To \beta$ & & second projection\\
- \cdx{split} & $[[\alpha,\beta]\To\gamma, \alpha\times\beta] \To \gamma$
- & & generalized projection\\
- \cdx{Sigma} &
- $[\alpha\,set, \alpha\To\beta\,set]\To(\alpha\times\beta)set$ &
- & general sum of sets
-\end{constants}
-%\tdx{fst_def} fst p == @a. ? b. p = (a,b)
-%\tdx{snd_def} snd p == @b. ? a. p = (a,b)
-%\tdx{split_def} split c p == c (fst p) (snd p)
-\begin{ttbox}\makeatletter
-\tdx{Sigma_def} Sigma A B == UN x:A. UN y:B x. {\ttlbrace}(x,y){\ttrbrace}
-
-\tdx{Pair_eq} ((a,b) = (a',b')) = (a=a' & b=b')
-\tdx{Pair_inject} [| (a, b) = (a',b'); [| a=a'; b=b' |] ==> R |] ==> R
-\tdx{PairE} [| !!x y. p = (x,y) ==> Q |] ==> Q
-
-\tdx{fst_conv} fst (a,b) = a
-\tdx{snd_conv} snd (a,b) = b
-\tdx{surjective_pairing} p = (fst p,snd p)
-
-\tdx{split} split c (a,b) = c a b
-\tdx{split_split} R(split c p) = (! x y. p = (x,y) --> R(c x y))
-
-\tdx{SigmaI} [| a:A; b:B a |] ==> (a,b) : Sigma A B
-
-\tdx{SigmaE} [| c:Sigma A B; !!x y.[| x:A; y:B x; c=(x,y) |] ==> P
- |] ==> P
-\end{ttbox}
-\caption{Type $\alpha\times\beta$}\label{hol-prod}
-\end{figure}
-
-Theory \thydx{Prod} (Fig.\ts\ref{hol-prod}) defines the product type
-$\alpha\times\beta$, with the ordered pair syntax $(a, b)$. General
-tuples are simulated by pairs nested to the right:
-\begin{center}
-\begin{tabular}{c|c}
-external & internal \\
-\hline
-$\tau@1 \times \dots \times \tau@n$ & $\tau@1 \times (\dots (\tau@{n-1} \times \tau@n)\dots)$ \\
-\hline
-$(t@1,\dots,t@n)$ & $(t@1,(\dots,(t@{n-1},t@n)\dots)$ \\
-\end{tabular}
-\end{center}
-In addition, it is possible to use tuples
-as patterns in abstractions:
-\begin{center}
-{\tt\%($x$,$y$). $t$} \quad stands for\quad \texttt{split(\%$x$\thinspace$y$.\ $t$)}
-\end{center}
-Nested patterns are also supported. They are translated stepwise:
-\begin{eqnarray*}
-\hbox{\tt\%($x$,$y$,$z$).\ $t$}
- & \leadsto & \hbox{\tt\%($x$,($y$,$z$)).\ $t$} \\
- & \leadsto & \hbox{\tt split(\%$x$.\%($y$,$z$).\ $t$)}\\
- & \leadsto & \hbox{\tt split(\%$x$.\ split(\%$y$ $z$.\ $t$))}
-\end{eqnarray*}
-The reverse translation is performed upon printing.
-\begin{warn}
- The translation between patterns and \texttt{split} is performed automatically
- by the parser and printer. Thus the internal and external form of a term
- may differ, which can affects proofs. For example the term {\tt
- (\%(x,y).(y,x))(a,b)} requires the theorem \texttt{split} (which is in the
- default simpset) to rewrite to {\tt(b,a)}.
-\end{warn}
-In addition to explicit $\lambda$-abstractions, patterns can be used in any
-variable binding construct which is internally described by a
-$\lambda$-abstraction. Some important examples are
-\begin{description}
-\item[Let:] \texttt{let {\it pattern} = $t$ in $u$}
-\item[Quantifiers:] \texttt{ALL~{\it pattern}:$A$.~$P$}
-\item[Choice:] {\underscoreon \tt SOME~{\it pattern}.~$P$}
-\item[Set operations:] \texttt{UN~{\it pattern}:$A$.~$B$}
-\item[Sets:] \texttt{{\ttlbrace}{\it pattern}.~$P${\ttrbrace}}
-\end{description}
-
-There is a simple tactic which supports reasoning about patterns:
-\begin{ttdescription}
-\item[\ttindexbold{split_all_tac} $i$] replaces in subgoal $i$ all
- {\tt!!}-quantified variables of product type by individual variables for
- each component. A simple example:
-\begin{ttbox}
-{\out 1. !!p. (\%(x,y,z). (x, y, z)) p = p}
-by(split_all_tac 1);
-{\out 1. !!x xa ya. (\%(x,y,z). (x, y, z)) (x, xa, ya) = (x, xa, ya)}
-\end{ttbox}
-\end{ttdescription}
-
-Theory \texttt{Prod} also introduces the degenerate product type \texttt{unit}
-which contains only a single element named {\tt()} with the property
-\begin{ttbox}
-\tdx{unit_eq} u = ()
-\end{ttbox}
-\bigskip
-
-Theory \thydx{Sum} (Fig.~\ref{hol-sum}) defines the sum type $\alpha+\beta$
-which associates to the right and has a lower priority than $*$: $\tau@1 +
-\tau@2 + \tau@3*\tau@4$ means $\tau@1 + (\tau@2 + (\tau@3*\tau@4))$.
-
-The definition of products and sums in terms of existing types is not
-shown. The constructions are fairly standard and can be found in the
-respective theory files. Although the sum and product types are
-constructed manually for foundational reasons, they are represented as
-actual datatypes later.
-
-\begin{figure}
-\begin{constants}
- \it symbol & \it meta-type & & \it description \\
- \cdx{Inl} & $\alpha \To \alpha+\beta$ & & first injection\\
- \cdx{Inr} & $\beta \To \alpha+\beta$ & & second injection\\
- \cdx{sum_case} & $[\alpha\To\gamma, \beta\To\gamma, \alpha+\beta] \To\gamma$
- & & conditional
-\end{constants}
-\begin{ttbox}\makeatletter
-\tdx{Inl_not_Inr} Inl a ~= Inr b
-
-\tdx{inj_Inl} inj Inl
-\tdx{inj_Inr} inj Inr
-
-\tdx{sumE} [| !!x. P(Inl x); !!y. P(Inr y) |] ==> P s
-
-\tdx{sum_case_Inl} sum_case f g (Inl x) = f x
-\tdx{sum_case_Inr} sum_case f g (Inr x) = g x
-
-\tdx{surjective_sum} sum_case (\%x. f(Inl x)) (\%y. f(Inr y)) s = f s
-\tdx{sum.split_case} R(sum_case f g s) = ((! x. s = Inl(x) --> R(f(x))) &
- (! y. s = Inr(y) --> R(g(y))))
-\end{ttbox}
-\caption{Type $\alpha+\beta$}\label{hol-sum}
-\end{figure}
-
-\begin{figure}
-\index{*"< symbol}
-\index{*"* symbol}
-\index{*div symbol}
-\index{*mod symbol}
-\index{*dvd symbol}
-\index{*"+ symbol}
-\index{*"- symbol}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \cdx{0} & $\alpha$ & & zero \\
- \cdx{Suc} & $nat \To nat$ & & successor function\\
- \tt * & $[\alpha,\alpha]\To \alpha$ & Left 70 & multiplication \\
- \tt div & $[\alpha,\alpha]\To \alpha$ & Left 70 & division\\
- \tt mod & $[\alpha,\alpha]\To \alpha$ & Left 70 & modulus\\
- \tt dvd & $[\alpha,\alpha]\To bool$ & Left 70 & ``divides'' relation\\
- \tt + & $[\alpha,\alpha]\To \alpha$ & Left 65 & addition\\
- \tt - & $[\alpha,\alpha]\To \alpha$ & Left 65 & subtraction
-\end{constants}
-\subcaption{Constants and infixes}
-
-\begin{ttbox}\makeatother
-\tdx{nat_induct} [| P 0; !!n. P n ==> P(Suc n) |] ==> P n
-
-\tdx{Suc_not_Zero} Suc m ~= 0
-\tdx{inj_Suc} inj Suc
-\tdx{n_not_Suc_n} n~=Suc n
-\subcaption{Basic properties}
-\end{ttbox}
-\caption{The type of natural numbers, \tydx{nat}} \label{hol-nat1}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}\makeatother
- 0+n = n
- (Suc m)+n = Suc(m+n)
-
- m-0 = m
- 0-n = n
- Suc(m)-Suc(n) = m-n
-
- 0*n = 0
- Suc(m)*n = n + m*n
-
-\tdx{mod_less} m<n ==> m mod n = m
-\tdx{mod_geq} [| 0<n; ~m<n |] ==> m mod n = (m-n) mod n
-
-\tdx{div_less} m<n ==> m div n = 0
-\tdx{div_geq} [| 0<n; ~m<n |] ==> m div n = Suc((m-n) div n)
-\end{ttbox}
-\caption{Recursion equations for the arithmetic operators} \label{hol-nat2}
-\end{figure}
-
-\subsection{The type of natural numbers, \textit{nat}}
-\index{nat@{\textit{nat}} type|(}
-
-The theory \thydx{Nat} defines the natural numbers in a roundabout but
-traditional way. The axiom of infinity postulates a type~\tydx{ind} of
-individuals, which is non-empty and closed under an injective operation. The
-natural numbers are inductively generated by choosing an arbitrary individual
-for~0 and using the injective operation to take successors. This is a least
-fixedpoint construction.
-
-Type~\tydx{nat} is an instance of class~\cldx{ord}, which makes the overloaded
-functions of this class (especially \cdx{<} and \cdx{<=}, but also \cdx{min},
-\cdx{max} and \cdx{LEAST}) available on \tydx{nat}. Theory \thydx{Nat}
-also shows that {\tt<=} is a linear order, so \tydx{nat} is
-also an instance of class \cldx{linorder}.
-
-Theory \thydx{NatArith} develops arithmetic on the natural numbers. It defines
-addition, multiplication and subtraction. Theory \thydx{Divides} defines
-division, remainder and the ``divides'' relation. The numerous theorems
-proved include commutative, associative, distributive, identity and
-cancellation laws. See Figs.\ts\ref{hol-nat1} and~\ref{hol-nat2}. The
-recursion equations for the operators \texttt{+}, \texttt{-} and \texttt{*} on
-\texttt{nat} are part of the default simpset.
-
-Functions on \tydx{nat} can be defined by primitive or well-founded recursion;
-see {\S}\ref{sec:HOL:recursive}. A simple example is addition.
-Here, \texttt{op +} is the name of the infix operator~\texttt{+}, following
-the standard convention.
-\begin{ttbox}
-\sdx{primrec}
- "0 + n = n"
- "Suc m + n = Suc (m + n)"
-\end{ttbox}
-There is also a \sdx{case}-construct
-of the form
-\begin{ttbox}
-case \(e\) of 0 => \(a\) | Suc \(m\) => \(b\)
-\end{ttbox}
-Note that Isabelle insists on precisely this format; you may not even change
-the order of the two cases.
-Both \texttt{primrec} and \texttt{case} are realized by a recursion operator
-\cdx{nat_rec}, which is available because \textit{nat} is represented as
-a datatype.
-
-%The predecessor relation, \cdx{pred_nat}, is shown to be well-founded.
-%Recursion along this relation resembles primitive recursion, but is
-%stronger because we are in higher-order logic; using primitive recursion to
-%define a higher-order function, we can easily Ackermann's function, which
-%is not primitive recursive \cite[page~104]{thompson91}.
-%The transitive closure of \cdx{pred_nat} is~$<$. Many functions on the
-%natural numbers are most easily expressed using recursion along~$<$.
-
-Tactic {\tt\ttindex{induct_tac} "$n$" $i$} performs induction on variable~$n$
-in subgoal~$i$ using theorem \texttt{nat_induct}. There is also the derived
-theorem \tdx{less_induct}:
-\begin{ttbox}
-[| !!n. [| ! m. m<n --> P m |] ==> P n |] ==> P n
-\end{ttbox}
-
-
-\subsection{Numerical types and numerical reasoning}
-
-The integers (type \tdx{int}) are also available in HOL, and the reals (type
-\tdx{real}) are available in the logic image \texttt{HOL-Complex}. They support
-the expected operations of addition (\texttt{+}), subtraction (\texttt{-}) and
-multiplication (\texttt{*}), and much else. Type \tdx{int} provides the
-\texttt{div} and \texttt{mod} operators, while type \tdx{real} provides real
-division and other operations. Both types belong to class \cldx{linorder}, so
-they inherit the relational operators and all the usual properties of linear
-orderings. For full details, please survey the theories in subdirectories
-\texttt{Integ}, \texttt{Real}, and \texttt{Complex}.
-
-All three numeric types admit numerals of the form \texttt{$sd\ldots d$},
-where $s$ is an optional minus sign and $d\ldots d$ is a string of digits.
-Numerals are represented internally by a datatype for binary notation, which
-allows numerical calculations to be performed by rewriting. For example, the
-integer division of \texttt{54342339} by \texttt{3452} takes about five
-seconds. By default, the simplifier cancels like terms on the opposite sites
-of relational operators (reducing \texttt{z+x<x+y} to \texttt{z<y}, for
-instance. The simplifier also collects like terms, replacing \texttt{x+y+x*3}
-by \texttt{4*x+y}.
-
-Sometimes numerals are not wanted, because for example \texttt{n+3} does not
-match a pattern of the form \texttt{Suc $k$}. You can re-arrange the form of
-an arithmetic expression by proving (via \texttt{subgoal_tac}) a lemma such as
-\texttt{n+3 = Suc (Suc (Suc n))}. As an alternative, you can disable the
-fancier simplifications by using a basic simpset such as \texttt{HOL_ss}
-rather than the default one, \texttt{simpset()}.
-
-Reasoning about arithmetic inequalities can be tedious. Fortunately, HOL
-provides a decision procedure for \emph{linear arithmetic}: formulae involving
-addition and subtraction. The simplifier invokes a weak version of this
-decision procedure automatically. If this is not sufficent, you can invoke the
-full procedure \ttindex{Lin_Arith.tac} explicitly. It copes with arbitrary
-formulae involving {\tt=}, {\tt<}, {\tt<=}, {\tt+}, {\tt-}, {\tt Suc}, {\tt
- min}, {\tt max} and numerical constants. Other subterms are treated as
-atomic, while subformulae not involving numerical types are ignored. Quantified
-subformulae are ignored unless they are positive universal or negative
-existential. The running time is exponential in the number of
-occurrences of {\tt min}, {\tt max}, and {\tt-} because they require case
-distinctions.
-If {\tt k} is a numeral, then {\tt div k}, {\tt mod k} and
-{\tt k dvd} are also supported. The former two are eliminated
-by case distinctions, again blowing up the running time.
-If the formula involves explicit quantifiers, \texttt{Lin_Arith.tac} may take
-super-exponential time and space.
-
-If \texttt{Lin_Arith.tac} fails, try to find relevant arithmetic results in
-the library. The theories \texttt{Nat} and \texttt{NatArith} contain
-theorems about {\tt<}, {\tt<=}, \texttt{+}, \texttt{-} and \texttt{*}.
-Theory \texttt{Divides} contains theorems about \texttt{div} and
-\texttt{mod}. Use Proof General's \emph{find} button (or other search
-facilities) to locate them.
-
-\index{nat@{\textit{nat}} type|)}
-
-
-\begin{figure}
-\index{#@{\tt[]} symbol}
-\index{#@{\tt\#} symbol}
-\index{"@@{\tt\at} symbol}
-\index{*"! symbol}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt[] & $\alpha\,list$ & & empty list\\
- \tt \# & $[\alpha,\alpha\,list]\To \alpha\,list$ & Right 65 &
- list constructor \\
- \cdx{null} & $\alpha\,list \To bool$ & & emptiness test\\
- \cdx{hd} & $\alpha\,list \To \alpha$ & & head \\
- \cdx{tl} & $\alpha\,list \To \alpha\,list$ & & tail \\
- \cdx{last} & $\alpha\,list \To \alpha$ & & last element \\
- \cdx{butlast} & $\alpha\,list \To \alpha\,list$ & & drop last element \\
- \tt\at & $[\alpha\,list,\alpha\,list]\To \alpha\,list$ & Left 65 & append \\
- \cdx{map} & $(\alpha\To\beta) \To (\alpha\,list \To \beta\,list)$
- & & apply to all\\
- \cdx{filter} & $(\alpha \To bool) \To (\alpha\,list \To \alpha\,list)$
- & & filter functional\\
- \cdx{set}& $\alpha\,list \To \alpha\,set$ & & elements\\
- \sdx{mem} & $\alpha \To \alpha\,list \To bool$ & Left 55 & membership\\
- \cdx{foldl} & $(\beta\To\alpha\To\beta) \To \beta \To \alpha\,list \To \beta$ &
- & iteration \\
- \cdx{concat} & $(\alpha\,list)list\To \alpha\,list$ & & concatenation \\
- \cdx{rev} & $\alpha\,list \To \alpha\,list$ & & reverse \\
- \cdx{length} & $\alpha\,list \To nat$ & & length \\
- \tt! & $\alpha\,list \To nat \To \alpha$ & Left 100 & indexing \\
- \cdx{take}, \cdx{drop} & $nat \To \alpha\,list \To \alpha\,list$ &&
- take/drop a prefix \\
- \cdx{takeWhile},\\
- \cdx{dropWhile} &
- $(\alpha \To bool) \To \alpha\,list \To \alpha\,list$ &&
- take/drop a prefix
-\end{constants}
-\subcaption{Constants and infixes}
-
-\begin{center} \tt\frenchspacing
-\begin{tabular}{rrr}
- \it external & \it internal & \it description \\{}
- [$x@1$, $\dots$, $x@n$] & $x@1$ \# $\cdots$ \# $x@n$ \# [] &
- \rm finite list \\{}
- [$x$:$l$. $P$] & filter ($\lambda x{.}P$) $l$ &
- \rm list comprehension
-\end{tabular}
-\end{center}
-\subcaption{Translations}
-\caption{The theory \thydx{List}} \label{hol-list}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}\makeatother
-null [] = True
-null (x#xs) = False
-
-hd (x#xs) = x
-
-tl (x#xs) = xs
-tl [] = []
-
-[] @ ys = ys
-(x#xs) @ ys = x # xs @ ys
-
-set [] = \ttlbrace\ttrbrace
-set (x#xs) = insert x (set xs)
-
-x mem [] = False
-x mem (y#ys) = (if y=x then True else x mem ys)
-
-concat([]) = []
-concat(x#xs) = x @ concat(xs)
-
-rev([]) = []
-rev(x#xs) = rev(xs) @ [x]
-
-length([]) = 0
-length(x#xs) = Suc(length(xs))
-
-xs!0 = hd xs
-xs!(Suc n) = (tl xs)!n
-\end{ttbox}
-\caption{Simple list processing functions}
-\label{fig:HOL:list-simps}
-\end{figure}
-
-\begin{figure}
-\begin{ttbox}\makeatother
-map f [] = []
-map f (x#xs) = f x # map f xs
-
-filter P [] = []
-filter P (x#xs) = (if P x then x#filter P xs else filter P xs)
-
-foldl f a [] = a
-foldl f a (x#xs) = foldl f (f a x) xs
-
-take n [] = []
-take n (x#xs) = (case n of 0 => [] | Suc(m) => x # take m xs)
-
-drop n [] = []
-drop n (x#xs) = (case n of 0 => x#xs | Suc(m) => drop m xs)
-
-takeWhile P [] = []
-takeWhile P (x#xs) = (if P x then x#takeWhile P xs else [])
-
-dropWhile P [] = []
-dropWhile P (x#xs) = (if P x then dropWhile P xs else xs)
-\end{ttbox}
-\caption{Further list processing functions}
-\label{fig:HOL:list-simps2}
-\end{figure}
-
-
-\subsection{The type constructor for lists, \textit{list}}
-\label{subsec:list}
-\index{list@{\textit{list}} type|(}
-
-Figure~\ref{hol-list} presents the theory \thydx{List}: the basic list
-operations with their types and syntax. Type $\alpha \; list$ is
-defined as a \texttt{datatype} with the constructors {\tt[]} and {\tt\#}.
-As a result the generic structural induction and case analysis tactics
-\texttt{induct\_tac} and \texttt{cases\_tac} also become available for
-lists. A \sdx{case} construct of the form
-\begin{center}\tt
-case $e$ of [] => $a$ | \(x\)\#\(xs\) => b
-\end{center}
-is defined by translation. For details see~{\S}\ref{sec:HOL:datatype}. There
-is also a case splitting rule \tdx{split_list_case}
-\[
-\begin{array}{l}
-P(\mathtt{case}~e~\mathtt{of}~\texttt{[] =>}~a ~\texttt{|}~
- x\texttt{\#}xs~\texttt{=>}~f~x~xs) ~= \\
-((e = \texttt{[]} \to P(a)) \land
- (\forall x~ xs. e = x\texttt{\#}xs \to P(f~x~xs)))
-\end{array}
-\]
-which can be fed to \ttindex{addsplits} just like
-\texttt{split_if} (see~{\S}\ref{subsec:HOL:case:splitting}).
-
-\texttt{List} provides a basic library of list processing functions defined by
-primitive recursion. The recursion equations
-are shown in Figs.\ts\ref{fig:HOL:list-simps} and~\ref{fig:HOL:list-simps2}.
-
-\index{list@{\textit{list}} type|)}
-
-
-\section{Datatype definitions}
-\label{sec:HOL:datatype}
-\index{*datatype|(}
-
-Inductive datatypes, similar to those of \ML, frequently appear in
-applications of Isabelle/HOL. In principle, such types could be defined by
-hand via \texttt{typedef}, but this would be far too
-tedious. The \ttindex{datatype} definition package of Isabelle/HOL (cf.\
-\cite{Berghofer-Wenzel:1999:TPHOL}) automates such chores. It generates an
-appropriate \texttt{typedef} based on a least fixed-point construction, and
-proves freeness theorems and induction rules, as well as theorems for
-recursion and case combinators. The user just has to give a simple
-specification of new inductive types using a notation similar to {\ML} or
-Haskell.
-
-The current datatype package can handle both mutual and indirect recursion.
-It also offers to represent existing types as datatypes giving the advantage
-of a more uniform view on standard theories.
-
-
-\subsection{Basics}
-\label{subsec:datatype:basics}
-
-A general \texttt{datatype} definition is of the following form:
-\[
-\begin{array}{llcl}
-\mathtt{datatype} & (\vec{\alpha})t@1 & = &
- C^1@1~\tau^1@{1,1}~\ldots~\tau^1@{1,m^1@1} ~\mid~ \ldots ~\mid~
- C^1@{k@1}~\tau^1@{k@1,1}~\ldots~\tau^1@{k@1,m^1@{k@1}} \\
- & & \vdots \\
-\mathtt{and} & (\vec{\alpha})t@n & = &
- C^n@1~\tau^n@{1,1}~\ldots~\tau^n@{1,m^n@1} ~\mid~ \ldots ~\mid~
- C^n@{k@n}~\tau^n@{k@n,1}~\ldots~\tau^n@{k@n,m^n@{k@n}}
-\end{array}
-\]
-where $\vec{\alpha} = (\alpha@1,\ldots,\alpha@h)$ is a list of type variables,
-$C^j@i$ are distinct constructor names and $\tau^j@{i,i'}$ are {\em
- admissible} types containing at most the type variables $\alpha@1, \ldots,
-\alpha@h$. A type $\tau$ occurring in a \texttt{datatype} definition is {\em
- admissible} if and only if
-\begin{itemize}
-\item $\tau$ is non-recursive, i.e.\ $\tau$ does not contain any of the
-newly defined type constructors $t@1,\ldots,t@n$, or
-\item $\tau = (\vec{\alpha})t@{j'}$ where $1 \leq j' \leq n$, or
-\item $\tau = (\tau'@1,\ldots,\tau'@{h'})t'$, where $t'$ is
-the type constructor of an already existing datatype and $\tau'@1,\ldots,\tau'@{h'}$
-are admissible types.
-\item $\tau = \sigma \to \tau'$, where $\tau'$ is an admissible
-type and $\sigma$ is non-recursive (i.e. the occurrences of the newly defined
-types are {\em strictly positive})
-\end{itemize}
-If some $(\vec{\alpha})t@{j'}$ occurs in a type $\tau^j@{i,i'}$
-of the form
-\[
-(\ldots,\ldots ~ (\vec{\alpha})t@{j'} ~ \ldots,\ldots)t'
-\]
-this is called a {\em nested} (or \emph{indirect}) occurrence. A very simple
-example of a datatype is the type \texttt{list}, which can be defined by
-\begin{ttbox}
-datatype 'a list = Nil
- | Cons 'a ('a list)
-\end{ttbox}
-Arithmetic expressions \texttt{aexp} and boolean expressions \texttt{bexp} can be modelled
-by the mutually recursive datatype definition
-\begin{ttbox}
-datatype 'a aexp = If_then_else ('a bexp) ('a aexp) ('a aexp)
- | Sum ('a aexp) ('a aexp)
- | Diff ('a aexp) ('a aexp)
- | Var 'a
- | Num nat
-and 'a bexp = Less ('a aexp) ('a aexp)
- | And ('a bexp) ('a bexp)
- | Or ('a bexp) ('a bexp)
-\end{ttbox}
-The datatype \texttt{term}, which is defined by
-\begin{ttbox}
-datatype ('a, 'b) term = Var 'a
- | App 'b ((('a, 'b) term) list)
-\end{ttbox}
-is an example for a datatype with nested recursion. Using nested recursion
-involving function spaces, we may also define infinitely branching datatypes, e.g.
-\begin{ttbox}
-datatype 'a tree = Atom 'a | Branch "nat => 'a tree"
-\end{ttbox}
-
-\medskip
-
-Types in HOL must be non-empty. Each of the new datatypes
-$(\vec{\alpha})t@j$ with $1 \leq j \leq n$ is non-empty if and only if it has a
-constructor $C^j@i$ with the following property: for all argument types
-$\tau^j@{i,i'}$ of the form $(\vec{\alpha})t@{j'}$ the datatype
-$(\vec{\alpha})t@{j'}$ is non-empty.
-
-If there are no nested occurrences of the newly defined datatypes, obviously
-at least one of the newly defined datatypes $(\vec{\alpha})t@j$
-must have a constructor $C^j@i$ without recursive arguments, a \emph{base
- case}, to ensure that the new types are non-empty. If there are nested
-occurrences, a datatype can even be non-empty without having a base case
-itself. Since \texttt{list} is a non-empty datatype, \texttt{datatype t = C (t
- list)} is non-empty as well.
-
-
-\subsubsection{Freeness of the constructors}
-
-The datatype constructors are automatically defined as functions of their
-respective type:
-\[ C^j@i :: [\tau^j@{i,1},\dots,\tau^j@{i,m^j@i}] \To (\alpha@1,\dots,\alpha@h)t@j \]
-These functions have certain {\em freeness} properties. They construct
-distinct values:
-\[
-C^j@i~x@1~\dots~x@{m^j@i} \neq C^j@{i'}~y@1~\dots~y@{m^j@{i'}} \qquad
-\mbox{for all}~ i \neq i'.
-\]
-The constructor functions are injective:
-\[
-(C^j@i~x@1~\dots~x@{m^j@i} = C^j@i~y@1~\dots~y@{m^j@i}) =
-(x@1 = y@1 \land \dots \land x@{m^j@i} = y@{m^j@i})
-\]
-Since the number of distinctness inequalities is quadratic in the number of
-constructors, the datatype package avoids proving them separately if there are
-too many constructors. Instead, specific inequalities are proved by a suitable
-simplification procedure on demand.\footnote{This procedure, which is already part
-of the default simpset, may be referred to by the ML identifier
-\texttt{DatatypePackage.distinct_simproc}.}
-
-\subsubsection{Structural induction}
-
-The datatype package also provides structural induction rules. For
-datatypes without nested recursion, this is of the following form:
-\[
-\infer{P@1~x@1 \land \dots \land P@n~x@n}
- {\begin{array}{lcl}
- \Forall x@1 \dots x@{m^1@1}.
- \List{P@{s^1@{1,1}}~x@{r^1@{1,1}}; \dots;
- P@{s^1@{1,l^1@1}}~x@{r^1@{1,l^1@1}}} & \Imp &
- P@1~\left(C^1@1~x@1~\dots~x@{m^1@1}\right) \\
- & \vdots \\
- \Forall x@1 \dots x@{m^1@{k@1}}.
- \List{P@{s^1@{k@1,1}}~x@{r^1@{k@1,1}}; \dots;
- P@{s^1@{k@1,l^1@{k@1}}}~x@{r^1@{k@1,l^1@{k@1}}}} & \Imp &
- P@1~\left(C^1@{k@1}~x@1~\ldots~x@{m^1@{k@1}}\right) \\
- & \vdots \\
- \Forall x@1 \dots x@{m^n@1}.
- \List{P@{s^n@{1,1}}~x@{r^n@{1,1}}; \dots;
- P@{s^n@{1,l^n@1}}~x@{r^n@{1,l^n@1}}} & \Imp &
- P@n~\left(C^n@1~x@1~\ldots~x@{m^n@1}\right) \\
- & \vdots \\
- \Forall x@1 \dots x@{m^n@{k@n}}.
- \List{P@{s^n@{k@n,1}}~x@{r^n@{k@n,1}}; \dots
- P@{s^n@{k@n,l^n@{k@n}}}~x@{r^n@{k@n,l^n@{k@n}}}} & \Imp &
- P@n~\left(C^n@{k@n}~x@1~\ldots~x@{m^n@{k@n}}\right)
- \end{array}}
-\]
-where
-\[
-\begin{array}{rcl}
-Rec^j@i & := &
- \left\{\left(r^j@{i,1},s^j@{i,1}\right),\ldots,
- \left(r^j@{i,l^j@i},s^j@{i,l^j@i}\right)\right\} = \\[2ex]
-&& \left\{(i',i'')~\left|~
- 1\leq i' \leq m^j@i \land 1 \leq i'' \leq n \land
- \tau^j@{i,i'} = (\alpha@1,\ldots,\alpha@h)t@{i''}\right.\right\}
-\end{array}
-\]
-i.e.\ the properties $P@j$ can be assumed for all recursive arguments.
-
-For datatypes with nested recursion, such as the \texttt{term} example from
-above, things are a bit more complicated. Conceptually, Isabelle/HOL unfolds
-a definition like
-\begin{ttbox}
-datatype ('a,'b) term = Var 'a
- | App 'b ((('a, 'b) term) list)
-\end{ttbox}
-to an equivalent definition without nesting:
-\begin{ttbox}
-datatype ('a,'b) term = Var
- | App 'b (('a, 'b) term_list)
-and ('a,'b) term_list = Nil'
- | Cons' (('a,'b) term) (('a,'b) term_list)
-\end{ttbox}
-Note however, that the type \texttt{('a,'b) term_list} and the constructors {\tt
- Nil'} and \texttt{Cons'} are not really introduced. One can directly work with
-the original (isomorphic) type \texttt{(('a, 'b) term) list} and its existing
-constructors \texttt{Nil} and \texttt{Cons}. Thus, the structural induction rule for
-\texttt{term} gets the form
-\[
-\infer{P@1~x@1 \land P@2~x@2}
- {\begin{array}{l}
- \Forall x.~P@1~(\mathtt{Var}~x) \\
- \Forall x@1~x@2.~P@2~x@2 \Imp P@1~(\mathtt{App}~x@1~x@2) \\
- P@2~\mathtt{Nil} \\
- \Forall x@1~x@2. \List{P@1~x@1; P@2~x@2} \Imp P@2~(\mathtt{Cons}~x@1~x@2)
- \end{array}}
-\]
-Note that there are two predicates $P@1$ and $P@2$, one for the type \texttt{('a,'b) term}
-and one for the type \texttt{(('a, 'b) term) list}.
-
-For a datatype with function types such as \texttt{'a tree}, the induction rule
-is of the form
-\[
-\infer{P~t}
- {\Forall a.~P~(\mathtt{Atom}~a) &
- \Forall ts.~(\forall x.~P~(ts~x)) \Imp P~(\mathtt{Branch}~ts)}
-\]
-
-\medskip In principle, inductive types are already fully determined by
-freeness and structural induction. For convenience in applications,
-the following derived constructions are automatically provided for any
-datatype.
-
-\subsubsection{The \sdx{case} construct}
-
-The type comes with an \ML-like \texttt{case}-construct:
-\[
-\begin{array}{rrcl}
-\mbox{\tt case}~e~\mbox{\tt of} & C^j@1~x@{1,1}~\dots~x@{1,m^j@1} & \To & e@1 \\
- \vdots \\
- \mid & C^j@{k@j}~x@{k@j,1}~\dots~x@{k@j,m^j@{k@j}} & \To & e@{k@j}
-\end{array}
-\]
-where the $x@{i,j}$ are either identifiers or nested tuple patterns as in
-{\S}\ref{subsec:prod-sum}.
-\begin{warn}
- All constructors must be present, their order is fixed, and nested patterns
- are not supported (with the exception of tuples). Violating this
- restriction results in strange error messages.
-\end{warn}
-
-To perform case distinction on a goal containing a \texttt{case}-construct,
-the theorem $t@j.$\texttt{split} is provided:
-\[
-\begin{array}{@{}rcl@{}}
-P(t@j_\mathtt{case}~f@1~\dots~f@{k@j}~e) &\!\!\!=&
-\!\!\! ((\forall x@1 \dots x@{m^j@1}. e = C^j@1~x@1\dots x@{m^j@1} \to
- P(f@1~x@1\dots x@{m^j@1})) \\
-&&\!\!\! ~\land~ \dots ~\land \\
-&&~\!\!\! (\forall x@1 \dots x@{m^j@{k@j}}. e = C^j@{k@j}~x@1\dots x@{m^j@{k@j}} \to
- P(f@{k@j}~x@1\dots x@{m^j@{k@j}})))
-\end{array}
-\]
-where $t@j$\texttt{_case} is the internal name of the \texttt{case}-construct.
-This theorem can be added to a simpset via \ttindex{addsplits}
-(see~{\S}\ref{subsec:HOL:case:splitting}).
-
-Case splitting on assumption works as well, by using the rule
-$t@j.$\texttt{split_asm} in the same manner. Both rules are available under
-$t@j.$\texttt{splits} (this name is \emph{not} bound in ML, though).
-
-\begin{warn}\index{simplification!of \texttt{case}}%
- By default only the selector expression ($e$ above) in a
- \texttt{case}-construct is simplified, in analogy with \texttt{if} (see
- page~\pageref{if-simp}). Only if that reduces to a constructor is one of
- the arms of the \texttt{case}-construct exposed and simplified. To ensure
- full simplification of all parts of a \texttt{case}-construct for datatype
- $t$, remove $t$\texttt{.}\ttindexbold{case_weak_cong} from the simpset, for
- example by \texttt{delcongs [thm "$t$.weak_case_cong"]}.
-\end{warn}
-
-\subsubsection{The function \cdx{size}}\label{sec:HOL:size}
-
-Theory \texttt{NatArith} declares a generic function \texttt{size} of type
-$\alpha\To nat$. Each datatype defines a particular instance of \texttt{size}
-by overloading according to the following scheme:
-%%% FIXME: This formula is too big and is completely unreadable
-\[
-size(C^j@i~x@1~\dots~x@{m^j@i}) = \!
-\left\{
-\begin{array}{ll}
-0 & \!\mbox{if $Rec^j@i = \emptyset$} \\
-1+\sum\limits@{h=1}^{l^j@i}size~x@{r^j@{i,h}} &
- \!\mbox{if $Rec^j@i = \left\{\left(r^j@{i,1},s^j@{i,1}\right),\ldots,
- \left(r^j@{i,l^j@i},s^j@{i,l^j@i}\right)\right\}$}
-\end{array}
-\right.
-\]
-where $Rec^j@i$ is defined above. Viewing datatypes as generalised trees, the
-size of a leaf is 0 and the size of a node is the sum of the sizes of its
-subtrees ${}+1$.
-
-\subsection{Defining datatypes}
-
-The theory syntax for datatype definitions is given in the
-Isabelle/Isar reference manual. In order to be well-formed, a
-datatype definition has to obey the rules stated in the previous
-section. As a result the theory is extended with the new types, the
-constructors, and the theorems listed in the previous section.
-
-Most of the theorems about datatypes become part of the default simpset and
-you never need to see them again because the simplifier applies them
-automatically. Only induction or case distinction are usually invoked by hand.
-\begin{ttdescription}
-\item[\ttindexbold{induct_tac} {\tt"}$x${\tt"} $i$]
- applies structural induction on variable $x$ to subgoal $i$, provided the
- type of $x$ is a datatype.
-\item[\texttt{induct_tac}
- {\tt"}$x@1$ $\ldots$ $x@n${\tt"} $i$] applies simultaneous
- structural induction on the variables $x@1,\ldots,x@n$ to subgoal $i$. This
- is the canonical way to prove properties of mutually recursive datatypes
- such as \texttt{aexp} and \texttt{bexp}, or datatypes with nested recursion such as
- \texttt{term}.
-\end{ttdescription}
-In some cases, induction is overkill and a case distinction over all
-constructors of the datatype suffices.
-\begin{ttdescription}
-\item[\ttindexbold{case_tac} {\tt"}$u${\tt"} $i$]
- performs a case analysis for the term $u$ whose type must be a datatype.
- If the datatype has $k@j$ constructors $C^j@1$, \dots $C^j@{k@j}$, subgoal
- $i$ is replaced by $k@j$ new subgoals which contain the additional
- assumption $u = C^j@{i'}~x@1~\dots~x@{m^j@{i'}}$ for $i'=1$, $\dots$,~$k@j$.
-\end{ttdescription}
-
-Note that induction is only allowed on free variables that should not occur
-among the premises of the subgoal. Case distinction applies to arbitrary terms.
-
-\bigskip
-
-
-For the technically minded, we exhibit some more details. Processing the
-theory file produces an \ML\ structure which, in addition to the usual
-components, contains a structure named $t$ for each datatype $t$ defined in
-the file. Each structure $t$ contains the following elements:
-\begin{ttbox}
-val distinct : thm list
-val inject : thm list
-val induct : thm
-val exhaust : thm
-val cases : thm list
-val split : thm
-val split_asm : thm
-val recs : thm list
-val size : thm list
-val simps : thm list
-\end{ttbox}
-\texttt{distinct}, \texttt{inject}, \texttt{induct}, \texttt{size}
-and \texttt{split} contain the theorems
-described above. For user convenience, \texttt{distinct} contains
-inequalities in both directions. The reduction rules of the {\tt
- case}-construct are in \texttt{cases}. All theorems from {\tt
- distinct}, \texttt{inject} and \texttt{cases} are combined in \texttt{simps}.
-In case of mutually recursive datatypes, \texttt{recs}, \texttt{size}, \texttt{induct}
-and \texttt{simps} are contained in a separate structure named $t@1_\ldots_t@n$.
-
-
-\section{Old-style recursive function definitions}\label{sec:HOL:recursive}
-\index{recursion!general|(}
-\index{*recdef|(}
-
-Old-style recursive definitions via \texttt{recdef} requires that you
-supply a well-founded relation that governs the recursion. Recursive
-calls are only allowed if they make the argument decrease under the
-relation. Complicated recursion forms, such as nested recursion, can
-be dealt with. Termination can even be proved at a later time, though
-having unsolved termination conditions around can make work
-difficult.%
-\footnote{This facility is based on Konrad Slind's TFL
- package~\cite{slind-tfl}. Thanks are due to Konrad for implementing
- TFL and assisting with its installation.}
-
-Using \texttt{recdef}, you can declare functions involving nested recursion
-and pattern-matching. Recursion need not involve datatypes and there are few
-syntactic restrictions. Termination is proved by showing that each recursive
-call makes the argument smaller in a suitable sense, which you specify by
-supplying a well-founded relation.
-
-Here is a simple example, the Fibonacci function. The first line declares
-\texttt{fib} to be a constant. The well-founded relation is simply~$<$ (on
-the natural numbers). Pattern-matching is used here: \texttt{1} is a
-macro for \texttt{Suc~0}.
-\begin{ttbox}
-consts fib :: "nat => nat"
-recdef fib "less_than"
- "fib 0 = 0"
- "fib 1 = 1"
- "fib (Suc(Suc x)) = (fib x + fib (Suc x))"
-\end{ttbox}
-
-With \texttt{recdef}, function definitions may be incomplete, and patterns may
-overlap, as in functional programming. The \texttt{recdef} package
-disambiguates overlapping patterns by taking the order of rules into account.
-For missing patterns, the function is defined to return a default value.
-
-%For example, here is a declaration of the list function \cdx{hd}:
-%\begin{ttbox}
-%consts hd :: 'a list => 'a
-%recdef hd "\{\}"
-% "hd (x#l) = x"
-%\end{ttbox}
-%Because this function is not recursive, we may supply the empty well-founded
-%relation, $\{\}$.
-
-The well-founded relation defines a notion of ``smaller'' for the function's
-argument type. The relation $\prec$ is \textbf{well-founded} provided it
-admits no infinitely decreasing chains
-\[ \cdots\prec x@n\prec\cdots\prec x@1. \]
-If the function's argument has type~$\tau$, then $\prec$ has to be a relation
-over~$\tau$: it must have type $(\tau\times\tau)set$.
-
-Proving well-foundedness can be tricky, so Isabelle/HOL provides a collection
-of operators for building well-founded relations. The package recognises
-these operators and automatically proves that the constructed relation is
-well-founded. Here are those operators, in order of importance:
-\begin{itemize}
-\item \texttt{less_than} is ``less than'' on the natural numbers.
- (It has type $(nat\times nat)set$, while $<$ has type $[nat,nat]\To bool$.
-
-\item $\mathop{\mathtt{measure}} f$, where $f$ has type $\tau\To nat$, is the
- relation~$\prec$ on type~$\tau$ such that $x\prec y$ if and only if
- $f(x)<f(y)$.
- Typically, $f$ takes the recursive function's arguments (as a tuple) and
- returns a result expressed in terms of the function \texttt{size}. It is
- called a \textbf{measure function}. Recall that \texttt{size} is overloaded
- and is defined on all datatypes (see {\S}\ref{sec:HOL:size}).
-
-\item $\mathop{\mathtt{inv_image}} R\;f$ is a generalisation of
- \texttt{measure}. It specifies a relation such that $x\prec y$ if and only
- if $f(x)$
- is less than $f(y)$ according to~$R$, which must itself be a well-founded
- relation.
-
-\item $R@1\texttt{<*lex*>}R@2$ is the lexicographic product of two relations.
- It
- is a relation on pairs and satisfies $(x@1,x@2)\prec(y@1,y@2)$ if and only
- if $x@1$
- is less than $y@1$ according to~$R@1$ or $x@1=y@1$ and $x@2$
- is less than $y@2$ according to~$R@2$.
-
-\item \texttt{finite_psubset} is the proper subset relation on finite sets.
-\end{itemize}
-
-We can use \texttt{measure} to declare Euclid's algorithm for the greatest
-common divisor. The measure function, $\lambda(m,n). n$, specifies that the
-recursion terminates because argument~$n$ decreases.
-\begin{ttbox}
-recdef gcd "measure ((\%(m,n). n) ::nat*nat=>nat)"
- "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))"
-\end{ttbox}
-
-The general form of a well-founded recursive definition is
-\begin{ttbox}
-recdef {\it function} {\it rel}
- congs {\it congruence rules} {\bf(optional)}
- simpset {\it simplification set} {\bf(optional)}
- {\it reduction rules}
-\end{ttbox}
-where
-\begin{itemize}
-\item \textit{function} is the name of the function, either as an \textit{id}
- or a \textit{string}.
-
-\item \textit{rel} is a HOL expression for the well-founded termination
- relation.
-
-\item \textit{congruence rules} are required only in highly exceptional
- circumstances.
-
-\item The \textit{simplification set} is used to prove that the supplied
- relation is well-founded. It is also used to prove the \textbf{termination
- conditions}: assertions that arguments of recursive calls decrease under
- \textit{rel}. By default, simplification uses \texttt{simpset()}, which
- is sufficient to prove well-foundedness for the built-in relations listed
- above.
-
-\item \textit{reduction rules} specify one or more recursion equations. Each
- left-hand side must have the form $f\,t$, where $f$ is the function and $t$
- is a tuple of distinct variables. If more than one equation is present then
- $f$ is defined by pattern-matching on components of its argument whose type
- is a \texttt{datatype}.
-
- The \ML\ identifier $f$\texttt{.simps} contains the reduction rules as
- a list of theorems.
-\end{itemize}
-
-With the definition of \texttt{gcd} shown above, Isabelle/HOL is unable to
-prove one termination condition. It remains as a precondition of the
-recursion theorems:
-\begin{ttbox}
-gcd.simps;
-{\out ["! m n. n ~= 0 --> m mod n < n}
-{\out ==> gcd (?m,?n) = (if ?n=0 then ?m else gcd (?n, ?m mod ?n))"] }
-{\out : thm list}
-\end{ttbox}
-The theory \texttt{HOL/ex/Primes} illustrates how to prove termination
-conditions afterwards. The function \texttt{Tfl.tgoalw} is like the standard
-function \texttt{goalw}, which sets up a goal to prove, but its argument
-should be the identifier $f$\texttt{.simps} and its effect is to set up a
-proof of the termination conditions:
-\begin{ttbox}
-Tfl.tgoalw thy [] gcd.simps;
-{\out Level 0}
-{\out ! m n. n ~= 0 --> m mod n < n}
-{\out 1. ! m n. n ~= 0 --> m mod n < n}
-\end{ttbox}
-This subgoal has a one-step proof using \texttt{simp_tac}. Once the theorem
-is proved, it can be used to eliminate the termination conditions from
-elements of \texttt{gcd.simps}. Theory \texttt{HOL/Subst/Unify} is a much
-more complicated example of this process, where the termination conditions can
-only be proved by complicated reasoning involving the recursive function
-itself.
-
-Isabelle/HOL can prove the \texttt{gcd} function's termination condition
-automatically if supplied with the right simpset.
-\begin{ttbox}
-recdef gcd "measure ((\%(m,n). n) ::nat*nat=>nat)"
- simpset "simpset() addsimps [mod_less_divisor, zero_less_eq]"
- "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))"
-\end{ttbox}
-
-If all termination conditions were proved automatically, $f$\texttt{.simps}
-is added to the simpset automatically, just as in \texttt{primrec}.
-The simplification rules corresponding to clause $i$ (where counting starts
-at 0) are called $f$\texttt{.}$i$ and can be accessed as \texttt{thms
- "$f$.$i$"},
-which returns a list of theorems. Thus you can, for example, remove specific
-clauses from the simpset. Note that a single clause may give rise to a set of
-simplification rules in order to capture the fact that if clauses overlap,
-their order disambiguates them.
-
-A \texttt{recdef} definition also returns an induction rule specialised for
-the recursive function. For the \texttt{gcd} function above, the induction
-rule is
-\begin{ttbox}
-gcd.induct;
-{\out "(!!m n. n ~= 0 --> ?P n (m mod n) ==> ?P m n) ==> ?P ?u ?v" : thm}
-\end{ttbox}
-This rule should be used to reason inductively about the \texttt{gcd}
-function. It usually makes the induction hypothesis available at all
-recursive calls, leading to very direct proofs. If any termination conditions
-remain unproved, they will become additional premises of this rule.
-
-\index{recursion!general|)}
-\index{*recdef|)}
-
-
-\section{Example: Cantor's Theorem}\label{sec:hol-cantor}
-Cantor's Theorem states that every set has more subsets than it has
-elements. It has become a favourite example in higher-order logic since
-it is so easily expressed:
-\[ \forall f::\alpha \To \alpha \To bool. \exists S::\alpha\To bool.
- \forall x::\alpha. f~x \not= S
-\]
-%
-Viewing types as sets, $\alpha\To bool$ represents the powerset
-of~$\alpha$. This version states that for every function from $\alpha$ to
-its powerset, some subset is outside its range.
-
-The Isabelle proof uses HOL's set theory, with the type $\alpha\,set$ and
-the operator \cdx{range}.
-\begin{ttbox}
-context Set.thy;
-\end{ttbox}
-The set~$S$ is given as an unknown instead of a
-quantified variable so that we may inspect the subset found by the proof.
-\begin{ttbox}
-Goal "?S ~: range\thinspace(f :: 'a=>'a set)";
-{\out Level 0}
-{\out ?S ~: range f}
-{\out 1. ?S ~: range f}
-\end{ttbox}
-The first two steps are routine. The rule \tdx{rangeE} replaces
-$\Var{S}\in \texttt{range} \, f$ by $\Var{S}=f~x$ for some~$x$.
-\begin{ttbox}
-by (resolve_tac [notI] 1);
-{\out Level 1}
-{\out ?S ~: range f}
-{\out 1. ?S : range f ==> False}
-\ttbreak
-by (eresolve_tac [rangeE] 1);
-{\out Level 2}
-{\out ?S ~: range f}
-{\out 1. !!x. ?S = f x ==> False}
-\end{ttbox}
-Next, we apply \tdx{equalityCE}, reasoning that since $\Var{S}=f~x$,
-we have $\Var{c}\in \Var{S}$ if and only if $\Var{c}\in f~x$ for
-any~$\Var{c}$.
-\begin{ttbox}
-by (eresolve_tac [equalityCE] 1);
-{\out Level 3}
-{\out ?S ~: range f}
-{\out 1. !!x. [| ?c3 x : ?S; ?c3 x : f x |] ==> False}
-{\out 2. !!x. [| ?c3 x ~: ?S; ?c3 x ~: f x |] ==> False}
-\end{ttbox}
-Now we use a bit of creativity. Suppose that~$\Var{S}$ has the form of a
-comprehension. Then $\Var{c}\in\{x.\Var{P}~x\}$ implies
-$\Var{P}~\Var{c}$. Destruct-resolution using \tdx{CollectD}
-instantiates~$\Var{S}$ and creates the new assumption.
-\begin{ttbox}
-by (dresolve_tac [CollectD] 1);
-{\out Level 4}
-{\out {\ttlbrace}x. ?P7 x{\ttrbrace} ~: range f}
-{\out 1. !!x. [| ?c3 x : f x; ?P7(?c3 x) |] ==> False}
-{\out 2. !!x. [| ?c3 x ~: {\ttlbrace}x. ?P7 x{\ttrbrace}; ?c3 x ~: f x |] ==> False}
-\end{ttbox}
-Forcing a contradiction between the two assumptions of subgoal~1
-completes the instantiation of~$S$. It is now the set $\{x. x\not\in
-f~x\}$, which is the standard diagonal construction.
-\begin{ttbox}
-by (contr_tac 1);
-{\out Level 5}
-{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
-{\out 1. !!x. [| x ~: {\ttlbrace}x. x ~: f x{\ttrbrace}; x ~: f x |] ==> False}
-\end{ttbox}
-The rest should be easy. To apply \tdx{CollectI} to the negated
-assumption, we employ \ttindex{swap_res_tac}:
-\begin{ttbox}
-by (swap_res_tac [CollectI] 1);
-{\out Level 6}
-{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
-{\out 1. !!x. [| x ~: f x; ~ False |] ==> x ~: f x}
-\ttbreak
-by (assume_tac 1);
-{\out Level 7}
-{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
-{\out No subgoals!}
-\end{ttbox}
-How much creativity is required? As it happens, Isabelle can prove this
-theorem automatically. The default classical set \texttt{claset()} contains
-rules for most of the constructs of HOL's set theory. We must augment it with
-\tdx{equalityCE} to break up set equalities, and then apply best-first search.
-Depth-first search would diverge, but best-first search successfully navigates
-through the large search space. \index{search!best-first}
-\begin{ttbox}
-choplev 0;
-{\out Level 0}
-{\out ?S ~: range f}
-{\out 1. ?S ~: range f}
-\ttbreak
-by (best_tac (claset() addSEs [equalityCE]) 1);
-{\out Level 1}
-{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
-{\out No subgoals!}
-\end{ttbox}
-If you run this example interactively, make sure your current theory contains
-theory \texttt{Set}, for example by executing \ttindex{context}~{\tt Set.thy}.
-Otherwise the default claset may not contain the rules for set theory.
-\index{higher-order logic|)}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "logics-HOL"
-%%% End:
--- a/doc-src/HOL/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
-"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-cp "$ISABELLE_HOME/doc-src/Logics/document/syntax.tex" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/HOL/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,60 +0,0 @@
-\documentclass[12pt,a4paper]{report}
-\usepackage{isabelle,isabellesym}
-\usepackage{graphicx,iman,extra,ttbox,proof,latexsym,pdfsetup}
-
-%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
-%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
-%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
-%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
-
-
-\title{\includegraphics[scale=0.5]{isabelle_hol} \\[4ex]
- Isabelle's Logics: HOL%
- \thanks{The research has been funded by the EPSRC (grants GR/G53279,
- GR\slash H40570, GR/K57381, GR/K77051, GR/M75440), by ESPRIT (projects 3245:
- Logical Frameworks, and 6453: Types) and by the DFG Schwerpunktprogramm
- \emph{Deduktion}.}}
-
-\author{Tobias Nipkow\footnote
-{Institut f\"ur Informatik, Technische Universit\"at M\"unchen,
- \texttt{nipkow@in.tum.de}} and
-Lawrence C. Paulson\footnote
-{Computer Laboratory, University of Cambridge, \texttt{lcp@cl.cam.ac.uk}} and
-Markus Wenzel\footnote
-{Institut f\"ur Informatik, Technische Universit\"at M\"unchen,
- \texttt{wenzelm@in.tum.de}}}
-
-\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
- \hrule\bigskip}
-\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
-
-\newcommand\bs{\char '134 } % A backslash character for \tt font
-
-\makeindex
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
-
-\pagestyle{headings}
-\sloppy
-\binperiod %%%treat . like a binary operator
-
-\begin{document}
-\maketitle
-
-\begin{abstract}
- This manual describes Isabelle's formalization of Higher-Order Logic, a
- polymorphic version of Church's Simple Theory of Types. HOL can be best
- understood as a simply-typed version of classical set theory. The monograph
- \emph{Isabelle/HOL --- A Proof Assistant for Higher-Order Logic} provides a
- gentle introduction on using Isabelle/HOL in practice.
-\end{abstract}
-
-\pagenumbering{roman} \tableofcontents \clearfirst
-\input{syntax}
-\input{HOL}
-\bibliographystyle{plain}
-\bibliography{manual}
-\printindex
-\end{document}
--- a/doc-src/Intro/document/advanced.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1249 +0,0 @@
-\part{Advanced Methods}
-Before continuing, it might be wise to try some of your own examples in
-Isabelle, reinforcing your knowledge of the basic functions.
-
-Look through {\em Isabelle's Object-Logics\/} and try proving some
-simple theorems. You probably should begin with first-order logic
-(\texttt{FOL} or~\texttt{LK}). Try working some of the examples provided,
-and others from the literature. Set theory~(\texttt{ZF}) and
-Constructive Type Theory~(\texttt{CTT}) form a richer world for
-mathematical reasoning and, again, many examples are in the
-literature. Higher-order logic~(\texttt{HOL}) is Isabelle's most
-elaborate logic. Its types and functions are identified with those of
-the meta-logic.
-
-Choose a logic that you already understand. Isabelle is a proof
-tool, not a teaching tool; if you do not know how to do a particular proof
-on paper, then you certainly will not be able to do it on the machine.
-Even experienced users plan large proofs on paper.
-
-We have covered only the bare essentials of Isabelle, but enough to perform
-substantial proofs. By occasionally dipping into the {\em Reference
-Manual}, you can learn additional tactics, subgoal commands and tacticals.
-
-
-\section{Deriving rules in Isabelle}
-\index{rules!derived}
-A mathematical development goes through a progression of stages. Each
-stage defines some concepts and derives rules about them. We shall see how
-to derive rules, perhaps involving definitions, using Isabelle. The
-following section will explain how to declare types, constants, rules and
-definitions.
-
-
-\subsection{Deriving a rule using tactics and meta-level assumptions}
-\label{deriving-example}
-\index{examples!of deriving rules}\index{assumptions!of main goal}
-
-The subgoal module supports the derivation of rules, as discussed in
-\S\ref{deriving}. When the \ttindex{Goal} command is supplied a formula of
-the form $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, there are two
-possibilities:
-\begin{itemize}
-\item If all of the premises $\theta@1$, \ldots, $\theta@k$ are simple
- formulae{} (they do not involve the meta-connectives $\Forall$ or
- $\Imp$) then the command sets the goal to be
- $\List{\theta@1; \ldots; \theta@k} \Imp \phi$ and returns the empty list.
-\item If one or more premises involves the meta-connectives $\Forall$ or
- $\Imp$, then the command sets the goal to be $\phi$ and returns a list
- consisting of the theorems ${\theta@i\;[\theta@i]}$, for $i=1$, \ldots,~$k$.
- These meta-level assumptions are also recorded internally, allowing
- \texttt{result} (which is called by \texttt{qed}) to discharge them in the
- original order.
-\end{itemize}
-Rules that discharge assumptions or introduce eigenvariables have complex
-premises, and the second case applies. In this section, many of the
-theorems are subject to meta-level assumptions, so we make them visible by by setting the
-\ttindex{show_hyps} flag:
-\begin{ttbox}
-set show_hyps;
-{\out val it = true : bool}
-\end{ttbox}
-
-Now, we are ready to derive $\conj$ elimination. Until now, calling \texttt{Goal} has
-returned an empty list, which we have ignored. In this example, the list
-contains the two premises of the rule, since one of them involves the $\Imp$
-connective. We bind them to the \ML\ identifiers \texttt{major} and {\tt
- minor}:\footnote{Some ML compilers will print a message such as {\em binding
- not exhaustive}. This warns that \texttt{Goal} must return a 2-element
- list. Otherwise, the pattern-match will fail; ML will raise exception
- \xdx{Match}.}
-\begin{ttbox}
-val [major,minor] = Goal
- "[| P&Q; [| P; Q |] ==> R |] ==> R";
-{\out Level 0}
-{\out R}
-{\out 1. R}
-{\out val major = "P & Q [P & Q]" : thm}
-{\out val minor = "[| P; Q |] ==> R [[| P; Q |] ==> R]" : thm}
-\end{ttbox}
-Look at the minor premise, recalling that meta-level assumptions are
-shown in brackets. Using \texttt{minor}, we reduce $R$ to the subgoals
-$P$ and~$Q$:
-\begin{ttbox}
-by (resolve_tac [minor] 1);
-{\out Level 1}
-{\out R}
-{\out 1. P}
-{\out 2. Q}
-\end{ttbox}
-Deviating from~\S\ref{deriving}, we apply $({\conj}E1)$ forwards from the
-assumption $P\conj Q$ to obtain the theorem~$P\;[P\conj Q]$.
-\begin{ttbox}
-major RS conjunct1;
-{\out val it = "P [P & Q]" : thm}
-\ttbreak
-by (resolve_tac [major RS conjunct1] 1);
-{\out Level 2}
-{\out R}
-{\out 1. Q}
-\end{ttbox}
-Similarly, we solve the subgoal involving~$Q$.
-\begin{ttbox}
-major RS conjunct2;
-{\out val it = "Q [P & Q]" : thm}
-by (resolve_tac [major RS conjunct2] 1);
-{\out Level 3}
-{\out R}
-{\out No subgoals!}
-\end{ttbox}
-Calling \ttindex{topthm} returns the current proof state as a theorem.
-Note that it contains assumptions. Calling \ttindex{qed} discharges
-the assumptions --- both occurrences of $P\conj Q$ are discharged as
-one --- and makes the variables schematic.
-\begin{ttbox}
-topthm();
-{\out val it = "R [P & Q, P & Q, [| P; Q |] ==> R]" : thm}
-qed "conjE";
-{\out val conjE = "[| ?P & ?Q; [| ?P; ?Q |] ==> ?R |] ==> ?R" : thm}
-\end{ttbox}
-
-
-\subsection{Definitions and derived rules} \label{definitions}
-\index{rules!derived}\index{definitions!and derived rules|(}
-
-Definitions are expressed as meta-level equalities. Let us define negation
-and the if-and-only-if connective:
-\begin{eqnarray*}
- \neg \Var{P} & \equiv & \Var{P}\imp\bot \\
- \Var{P}\bimp \Var{Q} & \equiv &
- (\Var{P}\imp \Var{Q}) \conj (\Var{Q}\imp \Var{P})
-\end{eqnarray*}
-\index{meta-rewriting}%
-Isabelle permits {\bf meta-level rewriting} using definitions such as
-these. {\bf Unfolding} replaces every instance
-of $\neg \Var{P}$ by the corresponding instance of ${\Var{P}\imp\bot}$. For
-example, $\forall x.\neg (P(x)\conj \neg R(x,0))$ unfolds to
-\[ \forall x.(P(x)\conj R(x,0)\imp\bot)\imp\bot. \]
-{\bf Folding} a definition replaces occurrences of the right-hand side by
-the left. The occurrences need not be free in the entire formula.
-
-When you define new concepts, you should derive rules asserting their
-abstract properties, and then forget their definitions. This supports
-modularity: if you later change the definitions without affecting their
-abstract properties, then most of your proofs will carry through without
-change. Indiscriminate unfolding makes a subgoal grow exponentially,
-becoming unreadable.
-
-Taking this point of view, Isabelle does not unfold definitions
-automatically during proofs. Rewriting must be explicit and selective.
-Isabelle provides tactics and meta-rules for rewriting, and a version of
-the \texttt{Goal} command that unfolds the conclusion and premises of the rule
-being derived.
-
-For example, the intuitionistic definition of negation given above may seem
-peculiar. Using Isabelle, we shall derive pleasanter negation rules:
-\[ \infer[({\neg}I)]{\neg P}{\infer*{\bot}{[P]}} \qquad
- \infer[({\neg}E)]{Q}{\neg P & P} \]
-This requires proving the following meta-formulae:
-$$ (P\Imp\bot) \Imp \neg P \eqno(\neg I) $$
-$$ \List{\neg P; P} \Imp Q. \eqno(\neg E) $$
-
-
-\subsection{Deriving the $\neg$ introduction rule}
-To derive $(\neg I)$, we may call \texttt{Goal} with the appropriate formula.
-Again, the rule's premises involve a meta-connective, and \texttt{Goal}
-returns one-element list. We bind this list to the \ML\ identifier \texttt{prems}.
-\begin{ttbox}
-val prems = Goal "(P ==> False) ==> ~P";
-{\out Level 0}
-{\out ~P}
-{\out 1. ~P}
-{\out val prems = ["P ==> False [P ==> False]"] : thm list}
-\end{ttbox}
-Calling \ttindex{rewrite_goals_tac} with \tdx{not_def}, which is the
-definition of negation, unfolds that definition in the subgoals. It leaves
-the main goal alone.
-\begin{ttbox}
-not_def;
-{\out val it = "~?P == ?P --> False" : thm}
-by (rewrite_goals_tac [not_def]);
-{\out Level 1}
-{\out ~P}
-{\out 1. P --> False}
-\end{ttbox}
-Using \tdx{impI} and the premise, we reduce subgoal~1 to a triviality:
-\begin{ttbox}
-by (resolve_tac [impI] 1);
-{\out Level 2}
-{\out ~P}
-{\out 1. P ==> False}
-\ttbreak
-by (resolve_tac prems 1);
-{\out Level 3}
-{\out ~P}
-{\out 1. P ==> P}
-\end{ttbox}
-The rest of the proof is routine. Note the form of the final result.
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 4}
-{\out ~P}
-{\out No subgoals!}
-\ttbreak
-qed "notI";
-{\out val notI = "(?P ==> False) ==> ~?P" : thm}
-\end{ttbox}
-\indexbold{*notI theorem}
-
-There is a simpler way of conducting this proof. The \ttindex{Goalw}
-command starts a backward proof, as does \texttt{Goal}, but it also
-unfolds definitions. Thus there is no need to call
-\ttindex{rewrite_goals_tac}:
-\begin{ttbox}
-val prems = Goalw [not_def]
- "(P ==> False) ==> ~P";
-{\out Level 0}
-{\out ~P}
-{\out 1. P --> False}
-{\out val prems = ["P ==> False [P ==> False]"] : thm list}
-\end{ttbox}
-
-
-\subsection{Deriving the $\neg$ elimination rule}
-Let us derive the rule $(\neg E)$. The proof follows that of~\texttt{conjE}
-above, with an additional step to unfold negation in the major premise.
-The \texttt{Goalw} command is best for this: it unfolds definitions not only
-in the conclusion but the premises.
-\begin{ttbox}
-Goalw [not_def] "[| ~P; P |] ==> R";
-{\out Level 0}
-{\out [| ~ P; P |] ==> R}
-{\out 1. [| P --> False; P |] ==> R}
-\end{ttbox}
-As the first step, we apply \tdx{FalseE}:
-\begin{ttbox}
-by (resolve_tac [FalseE] 1);
-{\out Level 1}
-{\out [| ~ P; P |] ==> R}
-{\out 1. [| P --> False; P |] ==> False}
-\end{ttbox}
-%
-Everything follows from falsity. And we can prove falsity using the
-premises and Modus Ponens:
-\begin{ttbox}
-by (eresolve_tac [mp] 1);
-{\out Level 2}
-{\out [| ~ P; P |] ==> R}
-{\out 1. P ==> P}
-\ttbreak
-by (assume_tac 1);
-{\out Level 3}
-{\out [| ~ P; P |] ==> R}
-{\out No subgoals!}
-\ttbreak
-qed "notE";
-{\out val notE = "[| ~?P; ?P |] ==> ?R" : thm}
-\end{ttbox}
-
-
-\medskip
-\texttt{Goalw} unfolds definitions in the premises even when it has to return
-them as a list. Another way of unfolding definitions in a theorem is by
-applying the function \ttindex{rewrite_rule}.
-
-\index{definitions!and derived rules|)}
-
-
-\section{Defining theories}\label{sec:defining-theories}
-\index{theories!defining|(}
-
-Isabelle makes no distinction between simple extensions of a logic ---
-like specifying a type~$bool$ with constants~$true$ and~$false$ ---
-and defining an entire logic. A theory definition has a form like
-\begin{ttbox}
-\(T\) = \(S@1\) + \(\cdots\) + \(S@n\) +
-classes {\it class declarations}
-default {\it sort}
-types {\it type declarations and synonyms}
-arities {\it type arity declarations}
-consts {\it constant declarations}
-syntax {\it syntactic constant declarations}
-translations {\it ast translation rules}
-defs {\it meta-logical definitions}
-rules {\it rule declarations}
-end
-ML {\it ML code}
-\end{ttbox}
-This declares the theory $T$ to extend the existing theories
-$S@1$,~\ldots,~$S@n$. It may introduce new classes, types, arities
-(of existing types), constants and rules; it can specify the default
-sort for type variables. A constant declaration can specify an
-associated concrete syntax. The translations section specifies
-rewrite rules on abstract syntax trees, handling notations and
-abbreviations. \index{*ML section} The \texttt{ML} section may contain
-code to perform arbitrary syntactic transformations. The main
-declaration forms are discussed below. There are some more sections
-not presented here, the full syntax can be found in
-\iflabelundefined{app:TheorySyntax}{an appendix of the {\it Reference
- Manual}}{App.\ts\ref{app:TheorySyntax}}. Also note that
-object-logics may add further theory sections, for example
-\texttt{typedef}, \texttt{datatype} in HOL.
-
-All the declaration parts can be omitted or repeated and may appear in
-any order, except that the {\ML} section must be last (after the {\tt
- end} keyword). In the simplest case, $T$ is just the union of
-$S@1$,~\ldots,~$S@n$. New theories always extend one or more other
-theories, inheriting their types, constants, syntax, etc. The theory
-\thydx{Pure} contains nothing but Isabelle's meta-logic. The variant
-\thydx{CPure} offers the more usual higher-order function application
-syntax $t\,u@1\ldots\,u@n$ instead of $t(u@1,\ldots,u@n)$ in Pure.
-
-Each theory definition must reside in a separate file, whose name is
-the theory's with {\tt.thy} appended. Calling
-\ttindexbold{use_thy}~{\tt"{\it T\/}"} reads the definition from {\it
- T}{\tt.thy}, writes a corresponding file of {\ML} code {\tt.{\it
- T}.thy.ML}, reads the latter file, and deletes it if no errors
-occurred. This declares the {\ML} structure~$T$, which contains a
-component \texttt{thy} denoting the new theory, a component for each
-rule, and everything declared in {\it ML code}.
-
-Errors may arise during the translation to {\ML} (say, a misspelled
-keyword) or during creation of the new theory (say, a type error in a
-rule). But if all goes well, \texttt{use_thy} will finally read the file
-{\it T}{\tt.ML} (if it exists). This file typically contains proofs
-that refer to the components of~$T$. The structure is automatically
-opened, so its components may be referred to by unqualified names,
-e.g.\ just \texttt{thy} instead of $T$\texttt{.thy}.
-
-\ttindexbold{use_thy} automatically loads a theory's parents before
-loading the theory itself. When a theory file is modified, many
-theories may have to be reloaded. Isabelle records the modification
-times and dependencies of theory files. See
-\iflabelundefined{sec:reloading-theories}{the {\em Reference Manual\/}}%
- {\S\ref{sec:reloading-theories}}
-for more details.
-
-
-\subsection{Declaring constants, definitions and rules}
-\indexbold{constants!declaring}\index{rules!declaring}
-
-Most theories simply declare constants, definitions and rules. The {\bf
- constant declaration part} has the form
-\begin{ttbox}
-consts \(c@1\) :: \(\tau@1\)
- \vdots
- \(c@n\) :: \(\tau@n\)
-\end{ttbox}
-where $c@1$, \ldots, $c@n$ are constants and $\tau@1$, \ldots, $\tau@n$ are
-types. The types must be enclosed in quotation marks if they contain
-user-declared infix type constructors like \texttt{*}. Each
-constant must be enclosed in quotation marks unless it is a valid
-identifier. To declare $c@1$, \ldots, $c@n$ as constants of type $\tau$,
-the $n$ declarations may be abbreviated to a single line:
-\begin{ttbox}
- \(c@1\), \ldots, \(c@n\) :: \(\tau\)
-\end{ttbox}
-The {\bf rule declaration part} has the form
-\begin{ttbox}
-rules \(id@1\) "\(rule@1\)"
- \vdots
- \(id@n\) "\(rule@n\)"
-\end{ttbox}
-where $id@1$, \ldots, $id@n$ are \ML{} identifiers and $rule@1$, \ldots,
-$rule@n$ are expressions of type~$prop$. Each rule {\em must\/} be
-enclosed in quotation marks. Rules are simply axioms; they are
-called \emph{rules} because they are mainly used to specify the inference
-rules when defining a new logic.
-
-\indexbold{definitions} The {\bf definition part} is similar, but with
-the keyword \texttt{defs} instead of \texttt{rules}. {\bf Definitions} are
-rules of the form $s \equiv t$, and should serve only as
-abbreviations. The simplest form of a definition is $f \equiv t$,
-where $f$ is a constant. Also allowed are $\eta$-equivalent forms of
-this, where the arguments of~$f$ appear applied on the left-hand side
-of the equation instead of abstracted on the right-hand side.
-
-Isabelle checks for common errors in definitions, such as extra
-variables on the right-hand side and cyclic dependencies, that could
-least to inconsistency. It is still essential to take care:
-theorems proved on the basis of incorrect definitions are useless,
-your system can be consistent and yet still wrong.
-
-\index{examples!of theories} This example theory extends first-order
-logic by declaring and defining two constants, {\em nand} and {\em
- xor}:
-\begin{ttbox}
-Gate = FOL +
-consts nand,xor :: [o,o] => o
-defs nand_def "nand(P,Q) == ~(P & Q)"
- xor_def "xor(P,Q) == P & ~Q | ~P & Q"
-end
-\end{ttbox}
-
-Declaring and defining constants can be combined:
-\begin{ttbox}
-Gate = FOL +
-constdefs nand :: [o,o] => o
- "nand(P,Q) == ~(P & Q)"
- xor :: [o,o] => o
- "xor(P,Q) == P & ~Q | ~P & Q"
-end
-\end{ttbox}
-\texttt{constdefs} generates the names \texttt{nand_def} and \texttt{xor_def}
-automatically, which is why it is restricted to alphanumeric identifiers. In
-general it has the form
-\begin{ttbox}
-constdefs \(id@1\) :: \(\tau@1\)
- "\(id@1 \equiv \dots\)"
- \vdots
- \(id@n\) :: \(\tau@n\)
- "\(id@n \equiv \dots\)"
-\end{ttbox}
-
-
-\begin{warn}
-A common mistake when writing definitions is to introduce extra free variables
-on the right-hand side as in the following fictitious definition:
-\begin{ttbox}
-defs prime_def "prime(p) == (m divides p) --> (m=1 | m=p)"
-\end{ttbox}
-Isabelle rejects this ``definition'' because of the extra \texttt{m} on the
-right-hand side, which would introduce an inconsistency. What you should have
-written is
-\begin{ttbox}
-defs prime_def "prime(p) == ALL m. (m divides p) --> (m=1 | m=p)"
-\end{ttbox}
-\end{warn}
-
-\subsection{Declaring type constructors}
-\indexbold{types!declaring}\indexbold{arities!declaring}
-%
-Types are composed of type variables and {\bf type constructors}. Each
-type constructor takes a fixed number of arguments. They are declared
-with an \ML-like syntax. If $list$ takes one type argument, $tree$ takes
-two arguments and $nat$ takes no arguments, then these type constructors
-can be declared by
-\begin{ttbox}
-types 'a list
- ('a,'b) tree
- nat
-\end{ttbox}
-
-The {\bf type declaration part} has the general form
-\begin{ttbox}
-types \(tids@1\) \(id@1\)
- \vdots
- \(tids@n\) \(id@n\)
-\end{ttbox}
-where $id@1$, \ldots, $id@n$ are identifiers and $tids@1$, \ldots, $tids@n$
-are type argument lists as shown in the example above. It declares each
-$id@i$ as a type constructor with the specified number of argument places.
-
-The {\bf arity declaration part} has the form
-\begin{ttbox}
-arities \(tycon@1\) :: \(arity@1\)
- \vdots
- \(tycon@n\) :: \(arity@n\)
-\end{ttbox}
-where $tycon@1$, \ldots, $tycon@n$ are identifiers and $arity@1$, \ldots,
-$arity@n$ are arities. Arity declarations add arities to existing
-types; they do not declare the types themselves.
-In the simplest case, for an 0-place type constructor, an arity is simply
-the type's class. Let us declare a type~$bool$ of class $term$, with
-constants $tt$ and~$ff$. (In first-order logic, booleans are
-distinct from formulae, which have type $o::logic$.)
-\index{examples!of theories}
-\begin{ttbox}
-Bool = FOL +
-types bool
-arities bool :: term
-consts tt,ff :: bool
-end
-\end{ttbox}
-A $k$-place type constructor may have arities of the form
-$(s@1,\ldots,s@k)c$, where $s@1,\ldots,s@n$ are sorts and $c$ is a class.
-Each sort specifies a type argument; it has the form $\{c@1,\ldots,c@m\}$,
-where $c@1$, \dots,~$c@m$ are classes. Mostly we deal with singleton
-sorts, and may abbreviate them by dropping the braces. The arity
-$(term)term$ is short for $(\{term\})term$. Recall the discussion in
-\S\ref{polymorphic}.
-
-A type constructor may be overloaded (subject to certain conditions) by
-appearing in several arity declarations. For instance, the function type
-constructor~$fun$ has the arity $(logic,logic)logic$; in higher-order
-logic, it is declared also to have arity $(term,term)term$.
-
-Theory \texttt{List} declares the 1-place type constructor $list$, gives
-it the arity $(term)term$, and declares constants $Nil$ and $Cons$ with
-polymorphic types:%
-\footnote{In the \texttt{consts} part, type variable {\tt'a} has the default
- sort, which is \texttt{term}. See the {\em Reference Manual\/}
-\iflabelundefined{sec:ref-defining-theories}{}%
-{(\S\ref{sec:ref-defining-theories})} for more information.}
-\index{examples!of theories}
-\begin{ttbox}
-List = FOL +
-types 'a list
-arities list :: (term)term
-consts Nil :: 'a list
- Cons :: ['a, 'a list] => 'a list
-end
-\end{ttbox}
-Multiple arity declarations may be abbreviated to a single line:
-\begin{ttbox}
-arities \(tycon@1\), \ldots, \(tycon@n\) :: \(arity\)
-\end{ttbox}
-
-%\begin{warn}
-%Arity declarations resemble constant declarations, but there are {\it no\/}
-%quotation marks! Types and rules must be quoted because the theory
-%translator passes them verbatim to the {\ML} output file.
-%\end{warn}
-
-\subsection{Type synonyms}\indexbold{type synonyms}
-Isabelle supports {\bf type synonyms} ({\bf abbreviations}) which are similar
-to those found in \ML. Such synonyms are defined in the type declaration part
-and are fairly self explanatory:
-\begin{ttbox}
-types gate = [o,o] => o
- 'a pred = 'a => o
- ('a,'b)nuf = 'b => 'a
-\end{ttbox}
-Type declarations and synonyms can be mixed arbitrarily:
-\begin{ttbox}
-types nat
- 'a stream = nat => 'a
- signal = nat stream
- 'a list
-\end{ttbox}
-A synonym is merely an abbreviation for some existing type expression.
-Hence synonyms may not be recursive! Internally all synonyms are
-fully expanded. As a consequence Isabelle output never contains
-synonyms. Their main purpose is to improve the readability of theory
-definitions. Synonyms can be used just like any other type:
-\begin{ttbox}
-consts and,or :: gate
- negate :: signal => signal
-\end{ttbox}
-
-\subsection{Infix and mixfix operators}
-\index{infixes}\index{examples!of theories}
-
-Infix or mixfix syntax may be attached to constants. Consider the
-following theory:
-\begin{ttbox}
-Gate2 = FOL +
-consts "~&" :: [o,o] => o (infixl 35)
- "#" :: [o,o] => o (infixl 30)
-defs nand_def "P ~& Q == ~(P & Q)"
- xor_def "P # Q == P & ~Q | ~P & Q"
-end
-\end{ttbox}
-The constant declaration part declares two left-associating infix operators
-with their priorities, or precedences; they are $\nand$ of priority~35 and
-$\xor$ of priority~30. Hence $P \xor Q \xor R$ is parsed as $(P\xor Q)
-\xor R$ and $P \xor Q \nand R$ as $P \xor (Q \nand R)$. Note the quotation
-marks in \verb|"~&"| and \verb|"#"|.
-
-The constants \hbox{\verb|op ~&|} and \hbox{\verb|op #|} are declared
-automatically, just as in \ML. Hence you may write propositions like
-\verb|op #(True) == op ~&(True)|, which asserts that the functions $\lambda
-Q.True \xor Q$ and $\lambda Q.True \nand Q$ are identical.
-
-\medskip Infix syntax and constant names may be also specified
-independently. For example, consider this version of $\nand$:
-\begin{ttbox}
-consts nand :: [o,o] => o (infixl "~&" 35)
-\end{ttbox}
-
-\bigskip\index{mixfix declarations}
-{\bf Mixfix} operators may have arbitrary context-free syntaxes. Let us
-add a line to the constant declaration part:
-\begin{ttbox}
- If :: [o,o,o] => o ("if _ then _ else _")
-\end{ttbox}
-This declares a constant $If$ of type $[o,o,o] \To o$ with concrete syntax {\tt
- if~$P$ then~$Q$ else~$R$} as well as \texttt{If($P$,$Q$,$R$)}. Underscores
-denote argument positions.
-
-The declaration above does not allow the \texttt{if}-\texttt{then}-{\tt
- else} construct to be printed split across several lines, even if it
-is too long to fit on one line. Pretty-printing information can be
-added to specify the layout of mixfix operators. For details, see
-\iflabelundefined{Defining-Logics}%
- {the {\it Reference Manual}, chapter `Defining Logics'}%
- {Chap.\ts\ref{Defining-Logics}}.
-
-Mixfix declarations can be annotated with priorities, just like
-infixes. The example above is just a shorthand for
-\begin{ttbox}
- If :: [o,o,o] => o ("if _ then _ else _" [0,0,0] 1000)
-\end{ttbox}
-The numeric components determine priorities. The list of integers
-defines, for each argument position, the minimal priority an expression
-at that position must have. The final integer is the priority of the
-construct itself. In the example above, any argument expression is
-acceptable because priorities are non-negative, and conditionals may
-appear everywhere because 1000 is the highest priority. On the other
-hand, the declaration
-\begin{ttbox}
- If :: [o,o,o] => o ("if _ then _ else _" [100,0,0] 99)
-\end{ttbox}
-defines concrete syntax for a conditional whose first argument cannot have
-the form \texttt{if~$P$ then~$Q$ else~$R$} because it must have a priority
-of at least~100. We may of course write
-\begin{quote}\tt
-if (if $P$ then $Q$ else $R$) then $S$ else $T$
-\end{quote}
-because expressions in parentheses have maximal priority.
-
-Binary type constructors, like products and sums, may also be declared as
-infixes. The type declaration below introduces a type constructor~$*$ with
-infix notation $\alpha*\beta$, together with the mixfix notation
-${<}\_,\_{>}$ for pairs. We also see a rule declaration part.
-\index{examples!of theories}\index{mixfix declarations}
-\begin{ttbox}
-Prod = FOL +
-types ('a,'b) "*" (infixl 20)
-arities "*" :: (term,term)term
-consts fst :: "'a * 'b => 'a"
- snd :: "'a * 'b => 'b"
- Pair :: "['a,'b] => 'a * 'b" ("(1<_,/_>)")
-rules fst "fst(<a,b>) = a"
- snd "snd(<a,b>) = b"
-end
-\end{ttbox}
-
-\begin{warn}
- The name of the type constructor is~\texttt{*} and not \texttt{op~*}, as
- it would be in the case of an infix constant. Only infix type
- constructors can have symbolic names like~\texttt{*}. General mixfix
- syntax for types may be introduced via appropriate \texttt{syntax}
- declarations.
-\end{warn}
-
-
-\subsection{Overloading}
-\index{overloading}\index{examples!of theories}
-The {\bf class declaration part} has the form
-\begin{ttbox}
-classes \(id@1\) < \(c@1\)
- \vdots
- \(id@n\) < \(c@n\)
-\end{ttbox}
-where $id@1$, \ldots, $id@n$ are identifiers and $c@1$, \ldots, $c@n$ are
-existing classes. It declares each $id@i$ as a new class, a subclass
-of~$c@i$. In the general case, an identifier may be declared to be a
-subclass of $k$ existing classes:
-\begin{ttbox}
- \(id\) < \(c@1\), \ldots, \(c@k\)
-\end{ttbox}
-Type classes allow constants to be overloaded. As suggested in
-\S\ref{polymorphic}, let us define the class $arith$ of arithmetic
-types with the constants ${+} :: [\alpha,\alpha]\To \alpha$ and $0,1 {::}
-\alpha$, for $\alpha{::}arith$. We introduce $arith$ as a subclass of
-$term$ and add the three polymorphic constants of this class.
-\index{examples!of theories}\index{constants!overloaded}
-\begin{ttbox}
-Arith = FOL +
-classes arith < term
-consts "0" :: 'a::arith ("0")
- "1" :: 'a::arith ("1")
- "+" :: ['a::arith,'a] => 'a (infixl 60)
-end
-\end{ttbox}
-No rules are declared for these constants: we merely introduce their
-names without specifying properties. On the other hand, classes
-with rules make it possible to prove {\bf generic} theorems. Such
-theorems hold for all instances, all types in that class.
-
-We can now obtain distinct versions of the constants of $arith$ by
-declaring certain types to be of class $arith$. For example, let us
-declare the 0-place type constructors $bool$ and $nat$:
-\index{examples!of theories}
-\begin{ttbox}
-BoolNat = Arith +
-types bool nat
-arities bool, nat :: arith
-consts Suc :: nat=>nat
-\ttbreak
-rules add0 "0 + n = n::nat"
- addS "Suc(m)+n = Suc(m+n)"
- nat1 "1 = Suc(0)"
- or0l "0 + x = x::bool"
- or0r "x + 0 = x::bool"
- or1l "1 + x = 1::bool"
- or1r "x + 1 = 1::bool"
-end
-\end{ttbox}
-Because $nat$ and $bool$ have class $arith$, we can use $0$, $1$ and $+$ at
-either type. The type constraints in the axioms are vital. Without
-constraints, the $x$ in $1+x = 1$ (axiom \texttt{or1l})
-would have type $\alpha{::}arith$
-and the axiom would hold for any type of class $arith$. This would
-collapse $nat$ to a trivial type:
-\[ Suc(1) = Suc(0+1) = Suc(0)+1 = 1+1 = 1! \]
-
-
-\section{Theory example: the natural numbers}
-
-We shall now work through a small example of formalized mathematics
-demonstrating many of the theory extension features.
-
-
-\subsection{Extending first-order logic with the natural numbers}
-\index{examples!of theories}
-
-Section\ts\ref{sec:logical-syntax} has formalized a first-order logic,
-including a type~$nat$ and the constants $0::nat$ and $Suc::nat\To nat$.
-Let us introduce the Peano axioms for mathematical induction and the
-freeness of $0$ and~$Suc$:\index{axioms!Peano}
-\[ \vcenter{\infer[(induct)]{P[n/x]}{P[0/x] & \infer*{P[Suc(x)/x]}{[P]}}}
- \qquad \parbox{4.5cm}{provided $x$ is not free in any assumption except~$P$}
-\]
-\[ \infer[(Suc\_inject)]{m=n}{Suc(m)=Suc(n)} \qquad
- \infer[(Suc\_neq\_0)]{R}{Suc(m)=0}
-\]
-Mathematical induction asserts that $P(n)$ is true, for any $n::nat$,
-provided $P(0)$ holds and that $P(x)$ implies $P(Suc(x))$ for all~$x$.
-Some authors express the induction step as $\forall x. P(x)\imp P(Suc(x))$.
-To avoid making induction require the presence of other connectives, we
-formalize mathematical induction as
-$$ \List{P(0); \Forall x. P(x)\Imp P(Suc(x))} \Imp P(n). \eqno(induct) $$
-
-\noindent
-Similarly, to avoid expressing the other rules using~$\forall$, $\imp$
-and~$\neg$, we take advantage of the meta-logic;\footnote
-{On the other hand, the axioms $Suc(m)=Suc(n) \bimp m=n$
-and $\neg(Suc(m)=0)$ are logically equivalent to those given, and work
-better with Isabelle's simplifier.}
-$(Suc\_neq\_0)$ is
-an elimination rule for $Suc(m)=0$:
-$$ Suc(m)=Suc(n) \Imp m=n \eqno(Suc\_inject) $$
-$$ Suc(m)=0 \Imp R \eqno(Suc\_neq\_0) $$
-
-\noindent
-We shall also define a primitive recursion operator, $rec$. Traditionally,
-primitive recursion takes a natural number~$a$ and a 2-place function~$f$,
-and obeys the equations
-\begin{eqnarray*}
- rec(0,a,f) & = & a \\
- rec(Suc(m),a,f) & = & f(m, rec(m,a,f))
-\end{eqnarray*}
-Addition, defined by $m+n \equiv rec(m,n,\lambda x\,y.Suc(y))$,
-should satisfy
-\begin{eqnarray*}
- 0+n & = & n \\
- Suc(m)+n & = & Suc(m+n)
-\end{eqnarray*}
-Primitive recursion appears to pose difficulties: first-order logic has no
-function-valued expressions. We again take advantage of the meta-logic,
-which does have functions. We also generalise primitive recursion to be
-polymorphic over any type of class~$term$, and declare the addition
-function:
-\begin{eqnarray*}
- rec & :: & [nat, \alpha{::}term, [nat,\alpha]\To\alpha] \To\alpha \\
- + & :: & [nat,nat]\To nat
-\end{eqnarray*}
-
-
-\subsection{Declaring the theory to Isabelle}
-\index{examples!of theories}
-Let us create the theory \thydx{Nat} starting from theory~\verb$FOL$,
-which contains only classical logic with no natural numbers. We declare
-the 0-place type constructor $nat$ and the associated constants. Note that
-the constant~0 requires a mixfix annotation because~0 is not a legal
-identifier, and could not otherwise be written in terms:
-\begin{ttbox}\index{mixfix declarations}
-Nat = FOL +
-types nat
-arities nat :: term
-consts "0" :: nat ("0")
- Suc :: nat=>nat
- rec :: [nat, 'a, [nat,'a]=>'a] => 'a
- "+" :: [nat, nat] => nat (infixl 60)
-rules Suc_inject "Suc(m)=Suc(n) ==> m=n"
- Suc_neq_0 "Suc(m)=0 ==> R"
- induct "[| P(0); !!x. P(x) ==> P(Suc(x)) |] ==> P(n)"
- rec_0 "rec(0,a,f) = a"
- rec_Suc "rec(Suc(m), a, f) = f(m, rec(m,a,f))"
- add_def "m+n == rec(m, n, \%x y. Suc(y))"
-end
-\end{ttbox}
-In axiom \texttt{add_def}, recall that \verb|%| stands for~$\lambda$.
-Loading this theory file creates the \ML\ structure \texttt{Nat}, which
-contains the theory and axioms.
-
-\subsection{Proving some recursion equations}
-Theory \texttt{FOL/ex/Nat} contains proofs involving this theory of the
-natural numbers. As a trivial example, let us derive recursion equations
-for \verb$+$. Here is the zero case:
-\begin{ttbox}
-Goalw [add_def] "0+n = n";
-{\out Level 0}
-{\out 0 + n = n}
-{\out 1. rec(0,n,\%x y. Suc(y)) = n}
-\ttbreak
-by (resolve_tac [rec_0] 1);
-{\out Level 1}
-{\out 0 + n = n}
-{\out No subgoals!}
-qed "add_0";
-\end{ttbox}
-And here is the successor case:
-\begin{ttbox}
-Goalw [add_def] "Suc(m)+n = Suc(m+n)";
-{\out Level 0}
-{\out Suc(m) + n = Suc(m + n)}
-{\out 1. rec(Suc(m),n,\%x y. Suc(y)) = Suc(rec(m,n,\%x y. Suc(y)))}
-\ttbreak
-by (resolve_tac [rec_Suc] 1);
-{\out Level 1}
-{\out Suc(m) + n = Suc(m + n)}
-{\out No subgoals!}
-qed "add_Suc";
-\end{ttbox}
-The induction rule raises some complications, which are discussed next.
-\index{theories!defining|)}
-
-
-\section{Refinement with explicit instantiation}
-\index{resolution!with instantiation}
-\index{instantiation|(}
-
-In order to employ mathematical induction, we need to refine a subgoal by
-the rule~$(induct)$. The conclusion of this rule is $\Var{P}(\Var{n})$,
-which is highly ambiguous in higher-order unification. It matches every
-way that a formula can be regarded as depending on a subterm of type~$nat$.
-To get round this problem, we could make the induction rule conclude
-$\forall n.\Var{P}(n)$ --- but putting a subgoal into this form requires
-refinement by~$(\forall E)$, which is equally hard!
-
-The tactic \texttt{res_inst_tac}, like \texttt{resolve_tac}, refines a subgoal by
-a rule. But it also accepts explicit instantiations for the rule's
-schematic variables.
-\begin{description}
-\item[\ttindex{res_inst_tac} {\it insts} {\it thm} {\it i}]
-instantiates the rule {\it thm} with the instantiations {\it insts}, and
-then performs resolution on subgoal~$i$.
-
-\item[\ttindex{eres_inst_tac}]
-and \ttindex{dres_inst_tac} are similar, but perform elim-resolution
-and destruct-resolution, respectively.
-\end{description}
-The list {\it insts} consists of pairs $[(v@1,e@1), \ldots, (v@n,e@n)]$,
-where $v@1$, \ldots, $v@n$ are names of schematic variables in the rule ---
-with no leading question marks! --- and $e@1$, \ldots, $e@n$ are
-expressions giving their instantiations. The expressions are type-checked
-in the context of a particular subgoal: free variables receive the same
-types as they have in the subgoal, and parameters may appear. Type
-variable instantiations may appear in~{\it insts}, but they are seldom
-required: \texttt{res_inst_tac} instantiates type variables automatically
-whenever the type of~$e@i$ is an instance of the type of~$\Var{v@i}$.
-
-\subsection{A simple proof by induction}
-\index{examples!of induction}
-Let us prove that no natural number~$k$ equals its own successor. To
-use~$(induct)$, we instantiate~$\Var{n}$ to~$k$; Isabelle finds a good
-instantiation for~$\Var{P}$.
-\begin{ttbox}
-Goal "~ (Suc(k) = k)";
-{\out Level 0}
-{\out Suc(k) ~= k}
-{\out 1. Suc(k) ~= k}
-\ttbreak
-by (res_inst_tac [("n","k")] induct 1);
-{\out Level 1}
-{\out Suc(k) ~= k}
-{\out 1. Suc(0) ~= 0}
-{\out 2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
-\end{ttbox}
-We should check that Isabelle has correctly applied induction. Subgoal~1
-is the base case, with $k$ replaced by~0. Subgoal~2 is the inductive step,
-with $k$ replaced by~$Suc(x)$ and with an induction hypothesis for~$x$.
-The rest of the proof demonstrates~\tdx{notI}, \tdx{notE} and the
-other rules of theory \texttt{Nat}. The base case holds by~\ttindex{Suc_neq_0}:
-\begin{ttbox}
-by (resolve_tac [notI] 1);
-{\out Level 2}
-{\out Suc(k) ~= k}
-{\out 1. Suc(0) = 0 ==> False}
-{\out 2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
-\ttbreak
-by (eresolve_tac [Suc_neq_0] 1);
-{\out Level 3}
-{\out Suc(k) ~= k}
-{\out 1. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
-\end{ttbox}
-The inductive step holds by the contrapositive of~\ttindex{Suc_inject}.
-Negation rules transform the subgoal into that of proving $Suc(x)=x$ from
-$Suc(Suc(x)) = Suc(x)$:
-\begin{ttbox}
-by (resolve_tac [notI] 1);
-{\out Level 4}
-{\out Suc(k) ~= k}
-{\out 1. !!x. [| Suc(x) ~= x; Suc(Suc(x)) = Suc(x) |] ==> False}
-\ttbreak
-by (eresolve_tac [notE] 1);
-{\out Level 5}
-{\out Suc(k) ~= k}
-{\out 1. !!x. Suc(Suc(x)) = Suc(x) ==> Suc(x) = x}
-\ttbreak
-by (eresolve_tac [Suc_inject] 1);
-{\out Level 6}
-{\out Suc(k) ~= k}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\subsection{An example of ambiguity in \texttt{resolve_tac}}
-\index{examples!of induction}\index{unification!higher-order}
-If you try the example above, you may observe that \texttt{res_inst_tac} is
-not actually needed. Almost by chance, \ttindex{resolve_tac} finds the right
-instantiation for~$(induct)$ to yield the desired next state. With more
-complex formulae, our luck fails.
-\begin{ttbox}
-Goal "(k+m)+n = k+(m+n)";
-{\out Level 0}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + n = k + (m + n)}
-\ttbreak
-by (resolve_tac [induct] 1);
-{\out Level 1}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + n = 0}
-{\out 2. !!x. k + m + n = x ==> k + m + n = Suc(x)}
-\end{ttbox}
-This proof requires induction on~$k$. The occurrence of~0 in subgoal~1
-indicates that induction has been applied to the term~$k+(m+n)$; this
-application is sound but will not lead to a proof here. Fortunately,
-Isabelle can (lazily!) generate all the valid applications of induction.
-The \ttindex{back} command causes backtracking to an alternative outcome of
-the tactic.
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + n = k + 0}
-{\out 2. !!x. k + m + n = k + x ==> k + m + n = k + Suc(x)}
-\end{ttbox}
-Now induction has been applied to~$m+n$. This is equally useless. Let us
-call \ttindex{back} again.
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + 0 = k + (m + 0)}
-{\out 2. !!x. k + m + x = k + (m + x) ==>}
-{\out k + m + Suc(x) = k + (m + Suc(x))}
-\end{ttbox}
-Now induction has been applied to~$n$. What is the next alternative?
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + n = k + (m + 0)}
-{\out 2. !!x. k + m + n = k + (m + x) ==> k + m + n = k + (m + Suc(x))}
-\end{ttbox}
-Inspecting subgoal~1 reveals that induction has been applied to just the
-second occurrence of~$n$. This perfectly legitimate induction is useless
-here.
-
-The main goal admits fourteen different applications of induction. The
-number is exponential in the size of the formula.
-
-\subsection{Proving that addition is associative}
-Let us invoke the induction rule properly, using~{\tt
- res_inst_tac}. At the same time, we shall have a glimpse at Isabelle's
-simplification tactics, which are described in
-\iflabelundefined{simp-chap}%
- {the {\em Reference Manual}}{Chap.\ts\ref{simp-chap}}.
-
-\index{simplification}\index{examples!of simplification}
-
-Isabelle's simplification tactics repeatedly apply equations to a subgoal,
-perhaps proving it. For efficiency, the rewrite rules must be packaged into a
-{\bf simplification set},\index{simplification sets} or {\bf simpset}. We
-augment the implicit simpset of FOL with the equations proved in the previous
-section, namely $0+n=n$ and $\texttt{Suc}(m)+n=\texttt{Suc}(m+n)$:
-\begin{ttbox}
-Addsimps [add_0, add_Suc];
-\end{ttbox}
-We state the goal for associativity of addition, and
-use \ttindex{res_inst_tac} to invoke induction on~$k$:
-\begin{ttbox}
-Goal "(k+m)+n = k+(m+n)";
-{\out Level 0}
-{\out k + m + n = k + (m + n)}
-{\out 1. k + m + n = k + (m + n)}
-\ttbreak
-by (res_inst_tac [("n","k")] induct 1);
-{\out Level 1}
-{\out k + m + n = k + (m + n)}
-{\out 1. 0 + m + n = 0 + (m + n)}
-{\out 2. !!x. x + m + n = x + (m + n) ==>}
-{\out Suc(x) + m + n = Suc(x) + (m + n)}
-\end{ttbox}
-The base case holds easily; both sides reduce to $m+n$. The
-tactic~\ttindex{Simp_tac} rewrites with respect to the current
-simplification set, applying the rewrite rules for addition:
-\begin{ttbox}
-by (Simp_tac 1);
-{\out Level 2}
-{\out k + m + n = k + (m + n)}
-{\out 1. !!x. x + m + n = x + (m + n) ==>}
-{\out Suc(x) + m + n = Suc(x) + (m + n)}
-\end{ttbox}
-The inductive step requires rewriting by the equations for addition
-and with the induction hypothesis, which is also an equation. The
-tactic~\ttindex{Asm_simp_tac} rewrites using the implicit
-simplification set and any useful assumptions:
-\begin{ttbox}
-by (Asm_simp_tac 1);
-{\out Level 3}
-{\out k + m + n = k + (m + n)}
-{\out No subgoals!}
-\end{ttbox}
-\index{instantiation|)}
-
-
-\section{A Prolog interpreter}
-\index{Prolog interpreter|bold}
-To demonstrate the power of tacticals, let us construct a Prolog
-interpreter and execute programs involving lists.\footnote{To run these
-examples, see the file \texttt{FOL/ex/Prolog.ML}.} The Prolog program
-consists of a theory. We declare a type constructor for lists, with an
-arity declaration to say that $(\tau)list$ is of class~$term$
-provided~$\tau$ is:
-\begin{eqnarray*}
- list & :: & (term)term
-\end{eqnarray*}
-We declare four constants: the empty list~$Nil$; the infix list
-constructor~{:}; the list concatenation predicate~$app$; the list reverse
-predicate~$rev$. (In Prolog, functions on lists are expressed as
-predicates.)
-\begin{eqnarray*}
- Nil & :: & \alpha list \\
- {:} & :: & [\alpha,\alpha list] \To \alpha list \\
- app & :: & [\alpha list,\alpha list,\alpha list] \To o \\
- rev & :: & [\alpha list,\alpha list] \To o
-\end{eqnarray*}
-The predicate $app$ should satisfy the Prolog-style rules
-\[ {app(Nil,ys,ys)} \qquad
- {app(xs,ys,zs) \over app(x:xs, ys, x:zs)} \]
-We define the naive version of $rev$, which calls~$app$:
-\[ {rev(Nil,Nil)} \qquad
- {rev(xs,ys)\quad app(ys, x:Nil, zs) \over
- rev(x:xs, zs)}
-\]
-
-\index{examples!of theories}
-Theory \thydx{Prolog} extends first-order logic in order to make use
-of the class~$term$ and the type~$o$. The interpreter does not use the
-rules of~\texttt{FOL}.
-\begin{ttbox}
-Prolog = FOL +
-types 'a list
-arities list :: (term)term
-consts Nil :: 'a list
- ":" :: ['a, 'a list]=> 'a list (infixr 60)
- app :: ['a list, 'a list, 'a list] => o
- rev :: ['a list, 'a list] => o
-rules appNil "app(Nil,ys,ys)"
- appCons "app(xs,ys,zs) ==> app(x:xs, ys, x:zs)"
- revNil "rev(Nil,Nil)"
- revCons "[| rev(xs,ys); app(ys,x:Nil,zs) |] ==> rev(x:xs,zs)"
-end
-\end{ttbox}
-\subsection{Simple executions}
-Repeated application of the rules solves Prolog goals. Let us
-append the lists $[a,b,c]$ and~$[d,e]$. As the rules are applied, the
-answer builds up in~\texttt{?x}.
-\begin{ttbox}
-Goal "app(a:b:c:Nil, d:e:Nil, ?x)";
-{\out Level 0}
-{\out app(a : b : c : Nil, d : e : Nil, ?x)}
-{\out 1. app(a : b : c : Nil, d : e : Nil, ?x)}
-\ttbreak
-by (resolve_tac [appNil,appCons] 1);
-{\out Level 1}
-{\out app(a : b : c : Nil, d : e : Nil, a : ?zs1)}
-{\out 1. app(b : c : Nil, d : e : Nil, ?zs1)}
-\ttbreak
-by (resolve_tac [appNil,appCons] 1);
-{\out Level 2}
-{\out app(a : b : c : Nil, d : e : Nil, a : b : ?zs2)}
-{\out 1. app(c : Nil, d : e : Nil, ?zs2)}
-\end{ttbox}
-At this point, the first two elements of the result are~$a$ and~$b$.
-\begin{ttbox}
-by (resolve_tac [appNil,appCons] 1);
-{\out Level 3}
-{\out app(a : b : c : Nil, d : e : Nil, a : b : c : ?zs3)}
-{\out 1. app(Nil, d : e : Nil, ?zs3)}
-\ttbreak
-by (resolve_tac [appNil,appCons] 1);
-{\out Level 4}
-{\out app(a : b : c : Nil, d : e : Nil, a : b : c : d : e : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-
-Prolog can run functions backwards. Which list can be appended
-with $[c,d]$ to produce $[a,b,c,d]$?
-Using \ttindex{REPEAT}, we find the answer at once, $[a,b]$:
-\begin{ttbox}
-Goal "app(?x, c:d:Nil, a:b:c:d:Nil)";
-{\out Level 0}
-{\out app(?x, c : d : Nil, a : b : c : d : Nil)}
-{\out 1. app(?x, c : d : Nil, a : b : c : d : Nil)}
-\ttbreak
-by (REPEAT (resolve_tac [appNil,appCons] 1));
-{\out Level 1}
-{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\subsection{Backtracking}\index{backtracking!Prolog style}
-Prolog backtracking can answer questions that have multiple solutions.
-Which lists $x$ and $y$ can be appended to form the list $[a,b,c,d]$? This
-question has five solutions. Using \ttindex{REPEAT} to apply the rules, we
-quickly find the first solution, namely $x=[]$ and $y=[a,b,c,d]$:
-\begin{ttbox}
-Goal "app(?x, ?y, a:b:c:d:Nil)";
-{\out Level 0}
-{\out app(?x, ?y, a : b : c : d : Nil)}
-{\out 1. app(?x, ?y, a : b : c : d : Nil)}
-\ttbreak
-by (REPEAT (resolve_tac [appNil,appCons] 1));
-{\out Level 1}
-{\out app(Nil, a : b : c : d : Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-Isabelle can lazily generate all the possibilities. The \ttindex{back}
-command returns the tactic's next outcome, namely $x=[a]$ and $y=[b,c,d]$:
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out app(a : Nil, b : c : d : Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-The other solutions are generated similarly.
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\ttbreak
-back();
-{\out Level 1}
-{\out app(a : b : c : Nil, d : Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\ttbreak
-back();
-{\out Level 1}
-{\out app(a : b : c : d : Nil, Nil, a : b : c : d : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\subsection{Depth-first search}
-\index{search!depth-first}
-Now let us try $rev$, reversing a list.
-Bundle the rules together as the \ML{} identifier \texttt{rules}. Naive
-reverse requires 120 inferences for this 14-element list, but the tactic
-terminates in a few seconds.
-\begin{ttbox}
-Goal "rev(a:b:c:d:e:f:g:h:i:j:k:l:m:n:Nil, ?w)";
-{\out Level 0}
-{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil, ?w)}
-{\out 1. rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
-{\out ?w)}
-\ttbreak
-val rules = [appNil,appCons,revNil,revCons];
-\ttbreak
-by (REPEAT (resolve_tac rules 1));
-{\out Level 1}
-{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
-{\out n : m : l : k : j : i : h : g : f : e : d : c : b : a : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-We may execute $rev$ backwards. This, too, should reverse a list. What
-is the reverse of $[a,b,c]$?
-\begin{ttbox}
-Goal "rev(?x, a:b:c:Nil)";
-{\out Level 0}
-{\out rev(?x, a : b : c : Nil)}
-{\out 1. rev(?x, a : b : c : Nil)}
-\ttbreak
-by (REPEAT (resolve_tac rules 1));
-{\out Level 1}
-{\out rev(?x1 : Nil, a : b : c : Nil)}
-{\out 1. app(Nil, ?x1 : Nil, a : b : c : Nil)}
-\end{ttbox}
-The tactic has failed to find a solution! It reached a dead end at
-subgoal~1: there is no~$\Var{x@1}$ such that [] appended with~$[\Var{x@1}]$
-equals~$[a,b,c]$. Backtracking explores other outcomes.
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out rev(?x1 : a : Nil, a : b : c : Nil)}
-{\out 1. app(Nil, ?x1 : Nil, b : c : Nil)}
-\end{ttbox}
-This too is a dead end, but the next outcome is successful.
-\begin{ttbox}
-back();
-{\out Level 1}
-{\out rev(c : b : a : Nil, a : b : c : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-\ttindex{REPEAT} goes wrong because it is only a repetition tactical, not a
-search tactical. \texttt{REPEAT} stops when it cannot continue, regardless of
-which state is reached. The tactical \ttindex{DEPTH_FIRST} searches for a
-satisfactory state, as specified by an \ML{} predicate. Below,
-\ttindex{has_fewer_prems} specifies that the proof state should have no
-subgoals.
-\begin{ttbox}
-val prolog_tac = DEPTH_FIRST (has_fewer_prems 1)
- (resolve_tac rules 1);
-\end{ttbox}
-Since Prolog uses depth-first search, this tactic is a (slow!)
-Prolog interpreter. We return to the start of the proof using
-\ttindex{choplev}, and apply \texttt{prolog_tac}:
-\begin{ttbox}
-choplev 0;
-{\out Level 0}
-{\out rev(?x, a : b : c : Nil)}
-{\out 1. rev(?x, a : b : c : Nil)}
-\ttbreak
-by prolog_tac;
-{\out Level 1}
-{\out rev(c : b : a : Nil, a : b : c : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-Let us try \texttt{prolog_tac} on one more example, containing four unknowns:
-\begin{ttbox}
-Goal "rev(a:?x:c:?y:Nil, d:?z:b:?u)";
-{\out Level 0}
-{\out rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
-{\out 1. rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
-\ttbreak
-by prolog_tac;
-{\out Level 1}
-{\out rev(a : b : c : d : Nil, d : c : b : a : Nil)}
-{\out No subgoals!}
-\end{ttbox}
-Although Isabelle is much slower than a Prolog system, Isabelle
-tactics can exploit logic programming techniques.
-
--- a/doc-src/Intro/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle.pdf ""
-"$ISABELLE_TOOL" logo -o isabelle.eps ""
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Intro/document/foundations.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1178 +0,0 @@
-\part{Foundations}
-The following sections discuss Isabelle's logical foundations in detail:
-representing logical syntax in the typed $\lambda$-calculus; expressing
-inference rules in Isabelle's meta-logic; combining rules by resolution.
-
-If you wish to use Isabelle immediately, please turn to
-page~\pageref{chap:getting}. You can always read about foundations later,
-either by returning to this point or by looking up particular items in the
-index.
-
-\begin{figure}
-\begin{eqnarray*}
- \neg P & \hbox{abbreviates} & P\imp\bot \\
- P\bimp Q & \hbox{abbreviates} & (P\imp Q) \conj (Q\imp P)
-\end{eqnarray*}
-\vskip 4ex
-
-\(\begin{array}{c@{\qquad\qquad}c}
- \infer[({\conj}I)]{P\conj Q}{P & Q} &
- \infer[({\conj}E1)]{P}{P\conj Q} \qquad
- \infer[({\conj}E2)]{Q}{P\conj Q} \\[4ex]
-
- \infer[({\disj}I1)]{P\disj Q}{P} \qquad
- \infer[({\disj}I2)]{P\disj Q}{Q} &
- \infer[({\disj}E)]{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}}\\[4ex]
-
- \infer[({\imp}I)]{P\imp Q}{\infer*{Q}{[P]}} &
- \infer[({\imp}E)]{Q}{P\imp Q & P} \\[4ex]
-
- &
- \infer[({\bot}E)]{P}{\bot}\\[4ex]
-
- \infer[({\forall}I)*]{\forall x.P}{P} &
- \infer[({\forall}E)]{P[t/x]}{\forall x.P} \\[3ex]
-
- \infer[({\exists}I)]{\exists x.P}{P[t/x]} &
- \infer[({\exists}E)*]{Q}{{\exists x.P} & \infer*{Q}{[P]} } \\[3ex]
-
- {t=t} \,(refl) & \vcenter{\infer[(subst)]{P[u/x]}{t=u & P[t/x]}}
-\end{array} \)
-
-\bigskip\bigskip
-*{\em Eigenvariable conditions\/}:
-
-$\forall I$: provided $x$ is not free in the assumptions
-
-$\exists E$: provided $x$ is not free in $Q$ or any assumption except $P$
-\caption{Intuitionistic first-order logic} \label{fol-fig}
-\end{figure}
-
-\section{Formalizing logical syntax in Isabelle}\label{sec:logical-syntax}
-\index{first-order logic}
-
-Figure~\ref{fol-fig} presents intuitionistic first-order logic,
-including equality. Let us see how to formalize
-this logic in Isabelle, illustrating the main features of Isabelle's
-polymorphic meta-logic.
-
-\index{lambda calc@$\lambda$-calculus}
-Isabelle represents syntax using the simply typed $\lambda$-calculus. We
-declare a type for each syntactic category of the logic. We declare a
-constant for each symbol of the logic, giving each $n$-place operation an
-$n$-argument curried function type. Most importantly,
-$\lambda$-abstraction represents variable binding in quantifiers.
-
-\index{types!syntax of}\index{types!function}\index{*fun type}
-\index{type constructors}
-Isabelle has \ML-style polymorphic types such as~$(\alpha)list$, where
-$list$ is a type constructor and $\alpha$ is a type variable; for example,
-$(bool)list$ is the type of lists of booleans. Function types have the
-form $(\sigma,\tau)fun$ or $\sigma\To\tau$, where $\sigma$ and $\tau$ are
-types. Curried function types may be abbreviated:
-\[ \sigma@1\To (\cdots \sigma@n\To \tau\cdots) \quad \hbox{as} \quad
-[\sigma@1, \ldots, \sigma@n] \To \tau \]
-
-\index{terms!syntax of} The syntax for terms is summarised below.
-Note that there are two versions of function application syntax
-available in Isabelle: either $t\,u$, which is the usual form for
-higher-order languages, or $t(u)$, trying to look more like
-first-order. The latter syntax is used throughout the manual.
-\[
-\index{lambda abs@$\lambda$-abstractions}\index{function applications}
-\begin{array}{ll}
- t :: \tau & \hbox{type constraint, on a term or bound variable} \\
- \lambda x.t & \hbox{abstraction} \\
- \lambda x@1\ldots x@n.t
- & \hbox{curried abstraction, $\lambda x@1. \ldots \lambda x@n.t$} \\
- t(u) & \hbox{application} \\
- t (u@1, \ldots, u@n) & \hbox{curried application, $t(u@1)\ldots(u@n)$}
-\end{array}
-\]
-
-
-\subsection{Simple types and constants}\index{types!simple|bold}
-
-The syntactic categories of our logic (Fig.\ts\ref{fol-fig}) are {\bf
- formulae} and {\bf terms}. Formulae denote truth values, so (following
-tradition) let us call their type~$o$. To allow~0 and~$Suc(t)$ as terms,
-let us declare a type~$nat$ of natural numbers. Later, we shall see
-how to admit terms of other types.
-
-\index{constants}\index{*nat type}\index{*o type}
-After declaring the types~$o$ and~$nat$, we may declare constants for the
-symbols of our logic. Since $\bot$ denotes a truth value (falsity) and 0
-denotes a number, we put \begin{eqnarray*}
- \bot & :: & o \\
- 0 & :: & nat.
-\end{eqnarray*}
-If a symbol requires operands, the corresponding constant must have a
-function type. In our logic, the successor function
-($Suc$) is from natural numbers to natural numbers, negation ($\neg$) is a
-function from truth values to truth values, and the binary connectives are
-curried functions taking two truth values as arguments:
-\begin{eqnarray*}
- Suc & :: & nat\To nat \\
- {\neg} & :: & o\To o \\
- \conj,\disj,\imp,\bimp & :: & [o,o]\To o
-\end{eqnarray*}
-The binary connectives can be declared as infixes, with appropriate
-precedences, so that we write $P\conj Q\disj R$ instead of
-$\disj(\conj(P,Q), R)$.
-
-Section~\ref{sec:defining-theories} below describes the syntax of Isabelle
-theory files and illustrates it by extending our logic with mathematical
-induction.
-
-
-\subsection{Polymorphic types and constants} \label{polymorphic}
-\index{types!polymorphic|bold}
-\index{equality!polymorphic}
-\index{constants!polymorphic}
-
-Which type should we assign to the equality symbol? If we tried
-$[nat,nat]\To o$, then equality would be restricted to the natural
-numbers; we should have to declare different equality symbols for each
-type. Isabelle's type system is polymorphic, so we could declare
-\begin{eqnarray*}
- {=} & :: & [\alpha,\alpha]\To o,
-\end{eqnarray*}
-where the type variable~$\alpha$ ranges over all types.
-But this is also wrong. The declaration is too polymorphic; $\alpha$
-includes types like~$o$ and $nat\To nat$. Thus, it admits
-$\bot=\neg(\bot)$ and $Suc=Suc$ as formulae, which is acceptable in
-higher-order logic but not in first-order logic.
-
-Isabelle's {\bf type classes}\index{classes} control
-polymorphism~\cite{nipkow-prehofer}. Each type variable belongs to a
-class, which denotes a set of types. Classes are partially ordered by the
-subclass relation, which is essentially the subset relation on the sets of
-types. They closely resemble the classes of the functional language
-Haskell~\cite{haskell-tutorial,haskell-report}.
-
-\index{*logic class}\index{*term class}
-Isabelle provides the built-in class $logic$, which consists of the logical
-types: the ones we want to reason about. Let us declare a class $term$, to
-consist of all legal types of terms in our logic. The subclass structure
-is now $term\le logic$.
-
-\index{*nat type}
-We put $nat$ in class $term$ by declaring $nat{::}term$. We declare the
-equality constant by
-\begin{eqnarray*}
- {=} & :: & [\alpha{::}term,\alpha]\To o
-\end{eqnarray*}
-where $\alpha{::}term$ constrains the type variable~$\alpha$ to class
-$term$. Such type variables resemble Standard~\ML's equality type
-variables.
-
-We give~$o$ and function types the class $logic$ rather than~$term$, since
-they are not legal types for terms. We may introduce new types of class
-$term$ --- for instance, type $string$ or $real$ --- at any time. We can
-even declare type constructors such as~$list$, and state that type
-$(\tau)list$ belongs to class~$term$ provided $\tau$ does; equality
-applies to lists of natural numbers but not to lists of formulae. We may
-summarize this paragraph by a set of {\bf arity declarations} for type
-constructors:\index{arities!declaring}
-\begin{eqnarray*}\index{*o type}\index{*fun type}
- o & :: & logic \\
- fun & :: & (logic,logic)logic \\
- nat, string, real & :: & term \\
- list & :: & (term)term
-\end{eqnarray*}
-(Recall that $fun$ is the type constructor for function types.)
-In \rmindex{higher-order logic}, equality does apply to truth values and
-functions; this requires the arity declarations ${o::term}$
-and ${fun::(term,term)term}$. The class system can also handle
-overloading.\index{overloading|bold} We could declare $arith$ to be the
-subclass of $term$ consisting of the `arithmetic' types, such as~$nat$.
-Then we could declare the operators
-\begin{eqnarray*}
- {+},{-},{\times},{/} & :: & [\alpha{::}arith,\alpha]\To \alpha
-\end{eqnarray*}
-If we declare new types $real$ and $complex$ of class $arith$, then we
-in effect have three sets of operators:
-\begin{eqnarray*}
- {+},{-},{\times},{/} & :: & [nat,nat]\To nat \\
- {+},{-},{\times},{/} & :: & [real,real]\To real \\
- {+},{-},{\times},{/} & :: & [complex,complex]\To complex
-\end{eqnarray*}
-Isabelle will regard these as distinct constants, each of which can be defined
-separately. We could even introduce the type $(\alpha)vector$ and declare
-its arity as $(arith)arith$. Then we could declare the constant
-\begin{eqnarray*}
- {+} & :: & [(\alpha)vector,(\alpha)vector]\To (\alpha)vector
-\end{eqnarray*}
-and specify it in terms of ${+} :: [\alpha,\alpha]\To \alpha$.
-
-A type variable may belong to any finite number of classes. Suppose that
-we had declared yet another class $ord \le term$, the class of all
-`ordered' types, and a constant
-\begin{eqnarray*}
- {\le} & :: & [\alpha{::}ord,\alpha]\To o.
-\end{eqnarray*}
-In this context the variable $x$ in $x \le (x+x)$ will be assigned type
-$\alpha{::}\{arith,ord\}$, which means $\alpha$ belongs to both $arith$ and
-$ord$. Semantically the set $\{arith,ord\}$ should be understood as the
-intersection of the sets of types represented by $arith$ and $ord$. Such
-intersections of classes are called \bfindex{sorts}. The empty
-intersection of classes, $\{\}$, contains all types and is thus the {\bf
- universal sort}.
-
-Even with overloading, each term has a unique, most general type. For this
-to be possible, the class and type declarations must satisfy certain
-technical constraints; see
-\iflabelundefined{sec:ref-defining-theories}%
- {Sect.\ Defining Theories in the {\em Reference Manual}}%
- {\S\ref{sec:ref-defining-theories}}.
-
-
-\subsection{Higher types and quantifiers}
-\index{types!higher|bold}\index{quantifiers}
-Quantifiers are regarded as operations upon functions. Ignoring polymorphism
-for the moment, consider the formula $\forall x. P(x)$, where $x$ ranges
-over type~$nat$. This is true if $P(x)$ is true for all~$x$. Abstracting
-$P(x)$ into a function, this is the same as saying that $\lambda x.P(x)$
-returns true for all arguments. Thus, the universal quantifier can be
-represented by a constant
-\begin{eqnarray*}
- \forall & :: & (nat\To o) \To o,
-\end{eqnarray*}
-which is essentially an infinitary truth table. The representation of $\forall
-x. P(x)$ is $\forall(\lambda x. P(x))$.
-
-The existential quantifier is treated
-in the same way. Other binding operators are also easily handled; for
-instance, the summation operator $\Sigma@{k=i}^j f(k)$ can be represented as
-$\Sigma(i,j,\lambda k.f(k))$, where
-\begin{eqnarray*}
- \Sigma & :: & [nat,nat, nat\To nat] \To nat.
-\end{eqnarray*}
-Quantifiers may be polymorphic. We may define $\forall$ and~$\exists$ over
-all legal types of terms, not just the natural numbers, and
-allow summations over all arithmetic types:
-\begin{eqnarray*}
- \forall,\exists & :: & (\alpha{::}term\To o) \To o \\
- \Sigma & :: & [nat,nat, nat\To \alpha{::}arith] \To \alpha
-\end{eqnarray*}
-Observe that the index variables still have type $nat$, while the values
-being summed may belong to any arithmetic type.
-
-
-\section{Formalizing logical rules in Isabelle}
-\index{meta-implication|bold}
-\index{meta-quantifiers|bold}
-\index{meta-equality|bold}
-
-Object-logics are formalized by extending Isabelle's
-meta-logic~\cite{paulson-found}, which is intuitionistic higher-order logic.
-The meta-level connectives are {\bf implication}, the {\bf universal
- quantifier}, and {\bf equality}.
-\begin{itemize}
- \item The implication \(\phi\Imp \psi\) means `\(\phi\) implies
-\(\psi\)', and expresses logical {\bf entailment}.
-
- \item The quantification \(\Forall x.\phi\) means `\(\phi\) is true for
-all $x$', and expresses {\bf generality} in rules and axiom schemes.
-
-\item The equality \(a\equiv b\) means `$a$ equals $b$', for expressing
- {\bf definitions} (see~\S\ref{definitions}).\index{definitions}
- Equalities left over from the unification process, so called {\bf
- flex-flex constraints},\index{flex-flex constraints} are written $a\qeq
- b$. The two equality symbols have the same logical meaning.
-
-\end{itemize}
-The syntax of the meta-logic is formalized in the same manner
-as object-logics, using the simply typed $\lambda$-calculus. Analogous to
-type~$o$ above, there is a built-in type $prop$ of meta-level truth values.
-Meta-level formulae will have this type. Type $prop$ belongs to
-class~$logic$; also, $\sigma\To\tau$ belongs to $logic$ provided $\sigma$
-and $\tau$ do. Here are the types of the built-in connectives:
-\begin{eqnarray*}\index{*prop type}\index{*logic class}
- \Imp & :: & [prop,prop]\To prop \\
- \Forall & :: & (\alpha{::}logic\To prop) \To prop \\
- {\equiv} & :: & [\alpha{::}\{\},\alpha]\To prop \\
- \qeq & :: & [\alpha{::}\{\},\alpha]\To prop
-\end{eqnarray*}
-The polymorphism in $\Forall$ is restricted to class~$logic$ to exclude
-certain types, those used just for parsing. The type variable
-$\alpha{::}\{\}$ ranges over the universal sort.
-
-In our formalization of first-order logic, we declared a type~$o$ of
-object-level truth values, rather than using~$prop$ for this purpose. If
-we declared the object-level connectives to have types such as
-${\neg}::prop\To prop$, then these connectives would be applicable to
-meta-level formulae. Keeping $prop$ and $o$ as separate types maintains
-the distinction between the meta-level and the object-level. To formalize
-the inference rules, we shall need to relate the two levels; accordingly,
-we declare the constant
-\index{*Trueprop constant}
-\begin{eqnarray*}
- Trueprop & :: & o\To prop.
-\end{eqnarray*}
-We may regard $Trueprop$ as a meta-level predicate, reading $Trueprop(P)$ as
-`$P$ is true at the object-level.' Put another way, $Trueprop$ is a coercion
-from $o$ to $prop$.
-
-
-\subsection{Expressing propositional rules}
-\index{rules!propositional}
-We shall illustrate the use of the meta-logic by formalizing the rules of
-Fig.\ts\ref{fol-fig}. Each object-level rule is expressed as a meta-level
-axiom.
-
-One of the simplest rules is $(\conj E1)$. Making
-everything explicit, its formalization in the meta-logic is
-$$
-\Forall P\;Q. Trueprop(P\conj Q) \Imp Trueprop(P). \eqno(\conj E1)
-$$
-This may look formidable, but it has an obvious reading: for all object-level
-truth values $P$ and~$Q$, if $P\conj Q$ is true then so is~$P$. The
-reading is correct because the meta-logic has simple models, where
-types denote sets and $\Forall$ really means `for all.'
-
-\index{*Trueprop constant}
-Isabelle adopts notational conventions to ease the writing of rules. We may
-hide the occurrences of $Trueprop$ by making it an implicit coercion.
-Outer universal quantifiers may be dropped. Finally, the nested implication
-\index{meta-implication}
-\[ \phi@1\Imp(\cdots \phi@n\Imp\psi\cdots) \]
-may be abbreviated as $\List{\phi@1; \ldots; \phi@n} \Imp \psi$, which
-formalizes a rule of $n$~premises.
-
-Using these conventions, the conjunction rules become the following axioms.
-These fully specify the properties of~$\conj$:
-$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
-$$ P\conj Q \Imp P \qquad P\conj Q \Imp Q \eqno(\conj E1,2) $$
-
-\noindent
-Next, consider the disjunction rules. The discharge of assumption in
-$(\disj E)$ is expressed using $\Imp$:
-\index{assumptions!discharge of}%
-$$ P \Imp P\disj Q \qquad Q \Imp P\disj Q \eqno(\disj I1,2) $$
-$$ \List{P\disj Q; P\Imp R; Q\Imp R} \Imp R \eqno(\disj E) $$
-%
-To understand this treatment of assumptions in natural
-deduction, look at implication. The rule $({\imp}I)$ is the classic
-example of natural deduction: to prove that $P\imp Q$ is true, assume $P$
-is true and show that $Q$ must then be true. More concisely, if $P$
-implies $Q$ (at the meta-level), then $P\imp Q$ is true (at the
-object-level). Showing the coercion explicitly, this is formalized as
-\[ (Trueprop(P)\Imp Trueprop(Q)) \Imp Trueprop(P\imp Q). \]
-The rule $({\imp}E)$ is straightforward; hiding $Trueprop$, the axioms to
-specify $\imp$ are
-$$ (P \Imp Q) \Imp P\imp Q \eqno({\imp}I) $$
-$$ \List{P\imp Q; P} \Imp Q. \eqno({\imp}E) $$
-
-\noindent
-Finally, the intuitionistic contradiction rule is formalized as the axiom
-$$ \bot \Imp P. \eqno(\bot E) $$
-
-\begin{warn}
-Earlier versions of Isabelle, and certain
-papers~\cite{paulson-found,paulson700}, use $\List{P}$ to mean $Trueprop(P)$.
-\end{warn}
-
-\subsection{Quantifier rules and substitution}
-\index{quantifiers}\index{rules!quantifier}\index{substitution|bold}
-\index{variables!bound}\index{lambda abs@$\lambda$-abstractions}
-\index{function applications}
-
-Isabelle expresses variable binding using $\lambda$-abstraction; for instance,
-$\forall x.P$ is formalized as $\forall(\lambda x.P)$. Recall that $F(t)$
-is Isabelle's syntax for application of the function~$F$ to the argument~$t$;
-it is not a meta-notation for substitution. On the other hand, a substitution
-will take place if $F$ has the form $\lambda x.P$; Isabelle transforms
-$(\lambda x.P)(t)$ to~$P[t/x]$ by $\beta$-conversion. Thus, we can express
-inference rules that involve substitution for bound variables.
-
-\index{parameters|bold}\index{eigenvariables|see{parameters}}
-A logic may attach provisos to certain of its rules, especially quantifier
-rules. We cannot hope to formalize arbitrary provisos. Fortunately, those
-typical of quantifier rules always have the same form, namely `$x$ not free in
-\ldots {\it (some set of formulae)},' where $x$ is a variable (called a {\bf
-parameter} or {\bf eigenvariable}) in some premise. Isabelle treats
-provisos using~$\Forall$, its inbuilt notion of `for all'.
-\index{meta-quantifiers}
-
-The purpose of the proviso `$x$ not free in \ldots' is
-to ensure that the premise may not make assumptions about the value of~$x$,
-and therefore holds for all~$x$. We formalize $(\forall I)$ by
-\[ \left(\Forall x. Trueprop(P(x))\right) \Imp Trueprop(\forall x.P(x)). \]
-This means, `if $P(x)$ is true for all~$x$, then $\forall x.P(x)$ is true.'
-The $\forall E$ rule exploits $\beta$-conversion. Hiding $Trueprop$, the
-$\forall$ axioms are
-$$ \left(\Forall x. P(x)\right) \Imp \forall x.P(x) \eqno(\forall I) $$
-$$ (\forall x.P(x)) \Imp P(t). \eqno(\forall E) $$
-
-\noindent
-We have defined the object-level universal quantifier~($\forall$)
-using~$\Forall$. But we do not require meta-level counterparts of all the
-connectives of the object-logic! Consider the existential quantifier:
-$$ P(t) \Imp \exists x.P(x) \eqno(\exists I) $$
-$$ \List{\exists x.P(x);\; \Forall x. P(x)\Imp Q} \Imp Q \eqno(\exists E) $$
-Let us verify $(\exists E)$ semantically. Suppose that the premises
-hold; since $\exists x.P(x)$ is true, we may choose an~$a$ such that $P(a)$ is
-true. Instantiating $\Forall x. P(x)\Imp Q$ with $a$ yields $P(a)\Imp Q$, and
-we obtain the desired conclusion, $Q$.
-
-The treatment of substitution deserves mention. The rule
-\[ \infer{P[u/t]}{t=u & P} \]
-would be hard to formalize in Isabelle. It calls for replacing~$t$ by $u$
-throughout~$P$, which cannot be expressed using $\beta$-conversion. Our
-rule~$(subst)$ uses~$P$ as a template for substitution, inferring $P[u/x]$
-from~$P[t/x]$. When we formalize this as an axiom, the template becomes a
-function variable:
-$$ \List{t=u; P(t)} \Imp P(u). \eqno(subst) $$
-
-
-\subsection{Signatures and theories}
-\index{signatures|bold}
-
-A {\bf signature} contains the information necessary for type-checking,
-parsing and pretty printing a term. It specifies type classes and their
-relationships, types and their arities, constants and their types, etc. It
-also contains grammar rules, specified using mixfix declarations.
-
-Two signatures can be merged provided their specifications are compatible ---
-they must not, for example, assign different types to the same constant.
-Under similar conditions, a signature can be extended. Signatures are
-managed internally by Isabelle; users seldom encounter them.
-
-\index{theories|bold} A {\bf theory} consists of a signature plus a collection
-of axioms. The Pure theory contains only the meta-logic. Theories can be
-combined provided their signatures are compatible. A theory definition
-extends an existing theory with further signature specifications --- classes,
-types, constants and mixfix declarations --- plus lists of axioms and
-definitions etc., expressed as strings to be parsed. A theory can formalize a
-small piece of mathematics, such as lists and their operations, or an entire
-logic. A mathematical development typically involves many theories in a
-hierarchy. For example, the Pure theory could be extended to form a theory
-for Fig.\ts\ref{fol-fig}; this could be extended in two separate ways to form
-a theory for natural numbers and a theory for lists; the union of these two
-could be extended into a theory defining the length of a list:
-\begin{tt}
-\[
-\begin{array}{c@{}c@{}c@{}c@{}c}
- {} & {} &\hbox{Pure}& {} & {} \\
- {} & {} & \downarrow & {} & {} \\
- {} & {} &\hbox{FOL} & {} & {} \\
- {} & \swarrow & {} & \searrow & {} \\
- \hbox{Nat} & {} & {} & {} & \hbox{List} \\
- {} & \searrow & {} & \swarrow & {} \\
- {} & {} &\hbox{Nat}+\hbox{List}& {} & {} \\
- {} & {} & \downarrow & {} & {} \\
- {} & {} & \hbox{Length} & {} & {}
-\end{array}
-\]
-\end{tt}%
-Each Isabelle proof typically works within a single theory, which is
-associated with the proof state. However, many different theories may
-coexist at the same time, and you may work in each of these during a single
-session.
-
-\begin{warn}\index{constants!clashes with variables}%
- Confusing problems arise if you work in the wrong theory. Each theory
- defines its own syntax. An identifier may be regarded in one theory as a
- constant and in another as a variable, for example.
-\end{warn}
-
-\section{Proof construction in Isabelle}
-I have elsewhere described the meta-logic and demonstrated it by
-formalizing first-order logic~\cite{paulson-found}. There is a one-to-one
-correspondence between meta-level proofs and object-level proofs. To each
-use of a meta-level axiom, such as $(\forall I)$, there is a use of the
-corresponding object-level rule. Object-level assumptions and parameters
-have meta-level counterparts. The meta-level formalization is {\bf
- faithful}, admitting no incorrect object-level inferences, and {\bf
- adequate}, admitting all correct object-level inferences. These
-properties must be demonstrated separately for each object-logic.
-
-The meta-logic is defined by a collection of inference rules, including
-equational rules for the $\lambda$-calculus and logical rules. The rules
-for~$\Imp$ and~$\Forall$ resemble those for~$\imp$ and~$\forall$ in
-Fig.\ts\ref{fol-fig}. Proofs performed using the primitive meta-rules
-would be lengthy; Isabelle proofs normally use certain derived rules.
-{\bf Resolution}, in particular, is convenient for backward proof.
-
-Unification is central to theorem proving. It supports quantifier
-reasoning by allowing certain `unknown' terms to be instantiated later,
-possibly in stages. When proving that the time required to sort $n$
-integers is proportional to~$n^2$, we need not state the constant of
-proportionality; when proving that a hardware adder will deliver the sum of
-its inputs, we need not state how many clock ticks will be required. Such
-quantities often emerge from the proof.
-
-Isabelle provides {\bf schematic variables}, or {\bf
- unknowns},\index{unknowns} for unification. Logically, unknowns are free
-variables. But while ordinary variables remain fixed, unification may
-instantiate unknowns. Unknowns are written with a ?\ prefix and are
-frequently subscripted: $\Var{a}$, $\Var{a@1}$, $\Var{a@2}$, \ldots,
-$\Var{P}$, $\Var{P@1}$, \ldots.
-
-Recall that an inference rule of the form
-\[ \infer{\phi}{\phi@1 & \ldots & \phi@n} \]
-is formalized in Isabelle's meta-logic as the axiom
-$\List{\phi@1; \ldots; \phi@n} \Imp \phi$.\index{resolution}
-Such axioms resemble Prolog's Horn clauses, and can be combined by
-resolution --- Isabelle's principal proof method. Resolution yields both
-forward and backward proof. Backward proof works by unifying a goal with
-the conclusion of a rule, whose premises become new subgoals. Forward proof
-works by unifying theorems with the premises of a rule, deriving a new theorem.
-
-Isabelle formulae require an extended notion of resolution.
-They differ from Horn clauses in two major respects:
-\begin{itemize}
- \item They are written in the typed $\lambda$-calculus, and therefore must be
-resolved using higher-order unification.
-
-\item The constituents of a clause need not be atomic formulae. Any
- formula of the form $Trueprop(\cdots)$ is atomic, but axioms such as
- ${\imp}I$ and $\forall I$ contain non-atomic formulae.
-\end{itemize}
-Isabelle has little in common with classical resolution theorem provers
-such as Otter~\cite{wos-bledsoe}. At the meta-level, Isabelle proves
-theorems in their positive form, not by refutation. However, an
-object-logic that includes a contradiction rule may employ a refutation
-proof procedure.
-
-
-\subsection{Higher-order unification}
-\index{unification!higher-order|bold}
-Unification is equation solving. The solution of $f(\Var{x},c) \qeq
-f(d,\Var{y})$ is $\Var{x}\equiv d$ and $\Var{y}\equiv c$. {\bf
-Higher-order unification} is equation solving for typed $\lambda$-terms.
-To handle $\beta$-conversion, it must reduce $(\lambda x.t)u$ to $t[u/x]$.
-That is easy --- in the typed $\lambda$-calculus, all reduction sequences
-terminate at a normal form. But it must guess the unknown
-function~$\Var{f}$ in order to solve the equation
-\begin{equation} \label{hou-eqn}
- \Var{f}(t) \qeq g(u@1,\ldots,u@k).
-\end{equation}
-Huet's~\cite{huet75} search procedure solves equations by imitation and
-projection. {\bf Imitation} makes~$\Var{f}$ apply the leading symbol (if a
-constant) of the right-hand side. To solve equation~(\ref{hou-eqn}), it
-guesses
-\[ \Var{f} \equiv \lambda x. g(\Var{h@1}(x),\ldots,\Var{h@k}(x)), \]
-where $\Var{h@1}$, \ldots, $\Var{h@k}$ are new unknowns. Assuming there are no
-other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
-set of equations
-\[ \Var{h@1}(t)\qeq u@1 \quad\ldots\quad \Var{h@k}(t)\qeq u@k. \]
-If the procedure solves these equations, instantiating $\Var{h@1}$, \ldots,
-$\Var{h@k}$, then it yields an instantiation for~$\Var{f}$.
-
-{\bf Projection} makes $\Var{f}$ apply one of its arguments. To solve
-equation~(\ref{hou-eqn}), if $t$ expects~$m$ arguments and delivers a
-result of suitable type, it guesses
-\[ \Var{f} \equiv \lambda x. x(\Var{h@1}(x),\ldots,\Var{h@m}(x)), \]
-where $\Var{h@1}$, \ldots, $\Var{h@m}$ are new unknowns. Assuming there are no
-other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
-equation
-\[ t(\Var{h@1}(t),\ldots,\Var{h@m}(t)) \qeq g(u@1,\ldots,u@k). \]
-
-\begin{warn}\index{unification!incompleteness of}%
-Huet's unification procedure is complete. Isabelle's polymorphic version,
-which solves for type unknowns as well as for term unknowns, is incomplete.
-The problem is that projection requires type information. In
-equation~(\ref{hou-eqn}), if the type of~$t$ is unknown, then projections
-are possible for all~$m\geq0$, and the types of the $\Var{h@i}$ will be
-similarly unconstrained. Therefore, Isabelle never attempts such
-projections, and may fail to find unifiers where a type unknown turns out
-to be a function type.
-\end{warn}
-
-\index{unknowns!function|bold}
-Given $\Var{f}(t@1,\ldots,t@n)\qeq u$, Huet's procedure could make up to
-$n+1$ guesses. The search tree and set of unifiers may be infinite. But
-higher-order unification can work effectively, provided you are careful
-with {\bf function unknowns}:
-\begin{itemize}
- \item Equations with no function unknowns are solved using first-order
-unification, extended to treat bound variables. For example, $\lambda x.x
-\qeq \lambda x.\Var{y}$ has no solution because $\Var{y}\equiv x$ would
-capture the free variable~$x$.
-
- \item An occurrence of the term $\Var{f}(x,y,z)$, where the arguments are
-distinct bound variables, causes no difficulties. Its projections can only
-match the corresponding variables.
-
- \item Even an equation such as $\Var{f}(a)\qeq a+a$ is all right. It has
-four solutions, but Isabelle evaluates them lazily, trying projection before
-imitation. The first solution is usually the one desired:
-\[ \Var{f}\equiv \lambda x. x+x \quad
- \Var{f}\equiv \lambda x. a+x \quad
- \Var{f}\equiv \lambda x. x+a \quad
- \Var{f}\equiv \lambda x. a+a \]
- \item Equations such as $\Var{f}(\Var{x},\Var{y})\qeq t$ and
-$\Var{f}(\Var{g}(x))\qeq t$ admit vast numbers of unifiers, and must be
-avoided.
-\end{itemize}
-In problematic cases, you may have to instantiate some unknowns before
-invoking unification.
-
-
-\subsection{Joining rules by resolution} \label{joining}
-\index{resolution|bold}
-Let $\List{\psi@1; \ldots; \psi@m} \Imp \psi$ and $\List{\phi@1; \ldots;
-\phi@n} \Imp \phi$ be two Isabelle theorems, representing object-level rules.
-Choosing some~$i$ from~1 to~$n$, suppose that $\psi$ and $\phi@i$ have a
-higher-order unifier. Writing $Xs$ for the application of substitution~$s$ to
-expression~$X$, this means there is some~$s$ such that $\psi s\equiv \phi@i s$.
-By resolution, we may conclude
-\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
- \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s.
-\]
-The substitution~$s$ may instantiate unknowns in both rules. In short,
-resolution is the following rule:
-\[ \infer[(\psi s\equiv \phi@i s)]
- {(\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
- \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s}
- {\List{\psi@1; \ldots; \psi@m} \Imp \psi & &
- \List{\phi@1; \ldots; \phi@n} \Imp \phi}
-\]
-It operates at the meta-level, on Isabelle theorems, and is justified by
-the properties of $\Imp$ and~$\Forall$. It takes the number~$i$ (for
-$1\leq i\leq n$) as a parameter and may yield infinitely many conclusions,
-one for each unifier of $\psi$ with $\phi@i$. Isabelle returns these
-conclusions as a sequence (lazy list).
-
-Resolution expects the rules to have no outer quantifiers~($\Forall$).
-It may rename or instantiate any schematic variables, but leaves free
-variables unchanged. When constructing a theory, Isabelle puts the
-rules into a standard form with all free variables converted into
-schematic ones; for instance, $({\imp}E)$ becomes
-\[ \List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}.
-\]
-When resolving two rules, the unknowns in the first rule are renamed, by
-subscripting, to make them distinct from the unknowns in the second rule. To
-resolve $({\imp}E)$ with itself, the first copy of the rule becomes
-\[ \List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1}. \]
-Resolving this with $({\imp}E)$ in the first premise, unifying $\Var{Q@1}$ with
-$\Var{P}\imp \Var{Q}$, is the meta-level inference
-\[ \infer{\List{\Var{P@1}\imp (\Var{P}\imp \Var{Q}); \Var{P@1}; \Var{P}}
- \Imp\Var{Q}.}
- {\List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1} & &
- \List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}}
-\]
-Renaming the unknowns in the resolvent, we have derived the
-object-level rule\index{rules!derived}
-\[ \infer{Q.}{R\imp (P\imp Q) & R & P} \]
-Joining rules in this fashion is a simple way of proving theorems. The
-derived rules are conservative extensions of the object-logic, and may permit
-simpler proofs. Let us consider another example. Suppose we have the axiom
-$$ \forall x\,y. Suc(x)=Suc(y)\imp x=y. \eqno (inject) $$
-
-\noindent
-The standard form of $(\forall E)$ is
-$\forall x.\Var{P}(x) \Imp \Var{P}(\Var{t})$.
-Resolving $(inject)$ with $(\forall E)$ replaces $\Var{P}$ by
-$\lambda x. \forall y. Suc(x)=Suc(y)\imp x=y$ and leaves $\Var{t}$
-unchanged, yielding
-\[ \forall y. Suc(\Var{t})=Suc(y)\imp \Var{t}=y. \]
-Resolving this with $(\forall E)$ puts a subscript on~$\Var{t}$
-and yields
-\[ Suc(\Var{t@1})=Suc(\Var{t})\imp \Var{t@1}=\Var{t}. \]
-Resolving this with $({\imp}E)$ increases the subscripts and yields
-\[ Suc(\Var{t@2})=Suc(\Var{t@1})\Imp \Var{t@2}=\Var{t@1}.
-\]
-We have derived the rule
-\[ \infer{m=n,}{Suc(m)=Suc(n)} \]
-which goes directly from $Suc(m)=Suc(n)$ to $m=n$. It is handy for simplifying
-an equation like $Suc(Suc(Suc(m)))=Suc(Suc(Suc(0)))$.
-
-
-\section{Lifting a rule into a context}
-The rules $({\imp}I)$ and $(\forall I)$ may seem unsuitable for
-resolution. They have non-atomic premises, namely $P\Imp Q$ and $\Forall
-x.P(x)$, while the conclusions of all the rules are atomic (they have the form
-$Trueprop(\cdots)$). Isabelle gets round the problem through a meta-inference
-called \bfindex{lifting}. Let us consider how to construct proofs such as
-\[ \infer[({\imp}I)]{P\imp(Q\imp R)}
- {\infer[({\imp}I)]{Q\imp R}
- {\infer*{R}{[P,Q]}}}
- \qquad
- \infer[(\forall I)]{\forall x\,y.P(x,y)}
- {\infer[(\forall I)]{\forall y.P(x,y)}{P(x,y)}}
-\]
-
-\subsection{Lifting over assumptions}
-\index{assumptions!lifting over}
-Lifting over $\theta\Imp{}$ is the following meta-inference rule:
-\[ \infer{\List{\theta\Imp\phi@1; \ldots; \theta\Imp\phi@n} \Imp
- (\theta \Imp \phi)}
- {\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
-This is clearly sound: if $\List{\phi@1; \ldots; \phi@n} \Imp \phi$ is true and
-$\theta\Imp\phi@1$, \ldots, $\theta\Imp\phi@n$ and $\theta$ are all true then
-$\phi$ must be true. Iterated lifting over a series of meta-formulae
-$\theta@k$, \ldots, $\theta@1$ yields an object-rule whose conclusion is
-$\List{\theta@1; \ldots; \theta@k} \Imp \phi$. Typically the $\theta@i$ are
-the assumptions in a natural deduction proof; lifting copies them into a rule's
-premises and conclusion.
-
-When resolving two rules, Isabelle lifts the first one if necessary. The
-standard form of $({\imp}I)$ is
-\[ (\Var{P} \Imp \Var{Q}) \Imp \Var{P}\imp \Var{Q}. \]
-To resolve this rule with itself, Isabelle modifies one copy as follows: it
-renames the unknowns to $\Var{P@1}$ and $\Var{Q@1}$, then lifts the rule over
-$\Var{P}\Imp{}$ to obtain
-\[ (\Var{P}\Imp (\Var{P@1} \Imp \Var{Q@1})) \Imp (\Var{P} \Imp
- (\Var{P@1}\imp \Var{Q@1})). \]
-Using the $\List{\cdots}$ abbreviation, this can be written as
-\[ \List{\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}; \Var{P}}
- \Imp \Var{P@1}\imp \Var{Q@1}. \]
-Unifying $\Var{P}\Imp \Var{P@1}\imp\Var{Q@1}$ with $\Var{P} \Imp
-\Var{Q}$ instantiates $\Var{Q}$ to ${\Var{P@1}\imp\Var{Q@1}}$.
-Resolution yields
-\[ (\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}) \Imp
-\Var{P}\imp(\Var{P@1}\imp\Var{Q@1}). \]
-This represents the derived rule
-\[ \infer{P\imp(Q\imp R).}{\infer*{R}{[P,Q]}} \]
-
-\subsection{Lifting over parameters}
-\index{parameters!lifting over}
-An analogous form of lifting handles premises of the form $\Forall x\ldots\,$.
-Here, lifting prefixes an object-rule's premises and conclusion with $\Forall
-x$. At the same time, lifting introduces a dependence upon~$x$. It replaces
-each unknown $\Var{a}$ in the rule by $\Var{a'}(x)$, where $\Var{a'}$ is a new
-unknown (by subscripting) of suitable type --- necessarily a function type. In
-short, lifting is the meta-inference
-\[ \infer{\List{\Forall x.\phi@1^x; \ldots; \Forall x.\phi@n^x}
- \Imp \Forall x.\phi^x,}
- {\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
-%
-where $\phi^x$ stands for the result of lifting unknowns over~$x$ in
-$\phi$. It is not hard to verify that this meta-inference is sound. If
-$\phi\Imp\psi$ then $\phi^x\Imp\psi^x$ for all~$x$; so if $\phi^x$ is true
-for all~$x$ then so is $\psi^x$. Thus, from $\phi\Imp\psi$ we conclude
-$(\Forall x.\phi^x) \Imp (\Forall x.\psi^x)$.
-
-For example, $(\disj I)$ might be lifted to
-\[ (\Forall x.\Var{P@1}(x)) \Imp (\Forall x. \Var{P@1}(x)\disj \Var{Q@1}(x))\]
-and $(\forall I)$ to
-\[ (\Forall x\,y.\Var{P@1}(x,y)) \Imp (\Forall x. \forall y.\Var{P@1}(x,y)). \]
-Isabelle has renamed a bound variable in $(\forall I)$ from $x$ to~$y$,
-avoiding a clash. Resolving the above with $(\forall I)$ is the meta-inference
-\[ \infer{\Forall x\,y.\Var{P@1}(x,y)) \Imp \forall x\,y.\Var{P@1}(x,y)) }
- {(\Forall x\,y.\Var{P@1}(x,y)) \Imp
- (\Forall x. \forall y.\Var{P@1}(x,y)) &
- (\Forall x.\Var{P}(x)) \Imp (\forall x.\Var{P}(x))} \]
-Here, $\Var{P}$ is replaced by $\lambda x.\forall y.\Var{P@1}(x,y)$; the
-resolvent expresses the derived rule
-\[ \vcenter{ \infer{\forall x\,y.Q(x,y)}{Q(x,y)} }
- \quad\hbox{provided $x$, $y$ not free in the assumptions}
-\]
-I discuss lifting and parameters at length elsewhere~\cite{paulson-found}.
-Miller goes into even greater detail~\cite{miller-mixed}.
-
-
-\section{Backward proof by resolution}
-\index{resolution!in backward proof}
-
-Resolution is convenient for deriving simple rules and for reasoning
-forward from facts. It can also support backward proof, where we start
-with a goal and refine it to progressively simpler subgoals until all have
-been solved. {\sc lcf} and its descendants {\sc hol} and Nuprl provide
-tactics and tacticals, which constitute a sophisticated language for
-expressing proof searches. {\bf Tactics} refine subgoals while {\bf
- tacticals} combine tactics.
-
-\index{LCF system}
-Isabelle's tactics and tacticals work differently from {\sc lcf}'s. An
-Isabelle rule is bidirectional: there is no distinction between
-inputs and outputs. {\sc lcf} has a separate tactic for each rule;
-Isabelle performs refinement by any rule in a uniform fashion, using
-resolution.
-
-Isabelle works with meta-level theorems of the form
-\( \List{\phi@1; \ldots; \phi@n} \Imp \phi \).
-We have viewed this as the {\bf rule} with premises
-$\phi@1$,~\ldots,~$\phi@n$ and conclusion~$\phi$. It can also be viewed as
-the {\bf proof state}\index{proof state}
-with subgoals $\phi@1$,~\ldots,~$\phi@n$ and main
-goal~$\phi$.
-
-To prove the formula~$\phi$, take $\phi\Imp \phi$ as the initial proof
-state. This assertion is, trivially, a theorem. At a later stage in the
-backward proof, a typical proof state is $\List{\phi@1; \ldots; \phi@n}
-\Imp \phi$. This proof state is a theorem, ensuring that the subgoals
-$\phi@1$,~\ldots,~$\phi@n$ imply~$\phi$. If $n=0$ then we have
-proved~$\phi$ outright. If $\phi$ contains unknowns, they may become
-instantiated during the proof; a proof state may be $\List{\phi@1; \ldots;
-\phi@n} \Imp \phi'$, where $\phi'$ is an instance of~$\phi$.
-
-\subsection{Refinement by resolution}
-To refine subgoal~$i$ of a proof state by a rule, perform the following
-resolution:
-\[ \infer{\hbox{new proof state}}{\hbox{rule} & & \hbox{proof state}} \]
-Suppose the rule is $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$ after
-lifting over subgoal~$i$'s assumptions and parameters. If the proof state
-is $\List{\phi@1; \ldots; \phi@n} \Imp \phi$, then the new proof state is
-(for~$1\leq i\leq n$)
-\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi'@1;
- \ldots; \psi'@m; \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s. \]
-Substitution~$s$ unifies $\psi'$ with~$\phi@i$. In the proof state,
-subgoal~$i$ is replaced by $m$ new subgoals, the rule's instantiated premises.
-If some of the rule's unknowns are left un-instantiated, they become new
-unknowns in the proof state. Refinement by~$(\exists I)$, namely
-\[ \Var{P}(\Var{t}) \Imp \exists x. \Var{P}(x), \]
-inserts a new unknown derived from~$\Var{t}$ by subscripting and lifting.
-We do not have to specify an `existential witness' when
-applying~$(\exists I)$. Further resolutions may instantiate unknowns in
-the proof state.
-
-\subsection{Proof by assumption}
-\index{assumptions!use of}
-In the course of a natural deduction proof, parameters $x@1$, \ldots,~$x@l$ and
-assumptions $\theta@1$, \ldots, $\theta@k$ accumulate, forming a context for
-each subgoal. Repeated lifting steps can lift a rule into any context. To
-aid readability, Isabelle puts contexts into a normal form, gathering the
-parameters at the front:
-\begin{equation} \label{context-eqn}
-\Forall x@1 \ldots x@l. \List{\theta@1; \ldots; \theta@k}\Imp\theta.
-\end{equation}
-Under the usual reading of the connectives, this expresses that $\theta$
-follows from $\theta@1$,~\ldots~$\theta@k$ for arbitrary
-$x@1$,~\ldots,~$x@l$. It is trivially true if $\theta$ equals any of
-$\theta@1$,~\ldots~$\theta@k$, or is unifiable with any of them. This
-models proof by assumption in natural deduction.
-
-Isabelle automates the meta-inference for proof by assumption. Its arguments
-are the meta-theorem $\List{\phi@1; \ldots; \phi@n} \Imp \phi$, and some~$i$
-from~1 to~$n$, where $\phi@i$ has the form~(\ref{context-eqn}). Its results
-are meta-theorems of the form
-\[ (\List{\phi@1; \ldots; \phi@{i-1}; \phi@{i+1}; \phi@n} \Imp \phi)s \]
-for each $s$ and~$j$ such that $s$ unifies $\lambda x@1 \ldots x@l. \theta@j$
-with $\lambda x@1 \ldots x@l. \theta$. Isabelle supplies the parameters
-$x@1$,~\ldots,~$x@l$ to higher-order unification as bound variables, which
-regards them as unique constants with a limited scope --- this enforces
-parameter provisos~\cite{paulson-found}.
-
-The premise represents a proof state with~$n$ subgoals, of which the~$i$th
-is to be solved by assumption. Isabelle searches the subgoal's context for
-an assumption~$\theta@j$ that can solve it. For each unifier, the
-meta-inference returns an instantiated proof state from which the $i$th
-subgoal has been removed. Isabelle searches for a unifying assumption; for
-readability and robustness, proofs do not refer to assumptions by number.
-
-Consider the proof state
-\[ (\List{P(a); P(b)} \Imp P(\Var{x})) \Imp Q(\Var{x}). \]
-Proof by assumption (with $i=1$, the only possibility) yields two results:
-\begin{itemize}
- \item $Q(a)$, instantiating $\Var{x}\equiv a$
- \item $Q(b)$, instantiating $\Var{x}\equiv b$
-\end{itemize}
-Here, proof by assumption affects the main goal. It could also affect
-other subgoals; if we also had the subgoal ${\List{P(b); P(c)} \Imp
- P(\Var{x})}$, then $\Var{x}\equiv a$ would transform it to ${\List{P(b);
- P(c)} \Imp P(a)}$, which might be unprovable.
-
-
-\subsection{A propositional proof} \label{prop-proof}
-\index{examples!propositional}
-Our first example avoids quantifiers. Given the main goal $P\disj P\imp
-P$, Isabelle creates the initial state
-\[ (P\disj P\imp P)\Imp (P\disj P\imp P). \]
-%
-Bear in mind that every proof state we derive will be a meta-theorem,
-expressing that the subgoals imply the main goal. Our aim is to reach the
-state $P\disj P\imp P$; this meta-theorem is the desired result.
-
-The first step is to refine subgoal~1 by (${\imp}I)$, creating a new state
-where $P\disj P$ is an assumption:
-\[ (P\disj P\Imp P)\Imp (P\disj P\imp P) \]
-The next step is $(\disj E)$, which replaces subgoal~1 by three new subgoals.
-Because of lifting, each subgoal contains a copy of the context --- the
-assumption $P\disj P$. (In fact, this assumption is now redundant; we shall
-shortly see how to get rid of it!) The new proof state is the following
-meta-theorem, laid out for clarity:
-\[ \begin{array}{l@{}l@{\qquad\qquad}l}
- \lbrakk\;& P\disj P\Imp \Var{P@1}\disj\Var{Q@1}; & \hbox{(subgoal 1)} \\
- & \List{P\disj P; \Var{P@1}} \Imp P; & \hbox{(subgoal 2)} \\
- & \List{P\disj P; \Var{Q@1}} \Imp P & \hbox{(subgoal 3)} \\
- \rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
- \end{array}
-\]
-Notice the unknowns in the proof state. Because we have applied $(\disj E)$,
-we must prove some disjunction, $\Var{P@1}\disj\Var{Q@1}$. Of course,
-subgoal~1 is provable by assumption. This instantiates both $\Var{P@1}$ and
-$\Var{Q@1}$ to~$P$ throughout the proof state:
-\[ \begin{array}{l@{}l@{\qquad\qquad}l}
- \lbrakk\;& \List{P\disj P; P} \Imp P; & \hbox{(subgoal 1)} \\
- & \List{P\disj P; P} \Imp P & \hbox{(subgoal 2)} \\
- \rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
- \end{array} \]
-Both of the remaining subgoals can be proved by assumption. After two such
-steps, the proof state is $P\disj P\imp P$.
-
-
-\subsection{A quantifier proof}
-\index{examples!with quantifiers}
-To illustrate quantifiers and $\Forall$-lifting, let us prove
-$(\exists x.P(f(x)))\imp(\exists x.P(x))$. The initial proof
-state is the trivial meta-theorem
-\[ (\exists x.P(f(x)))\imp(\exists x.P(x)) \Imp
- (\exists x.P(f(x)))\imp(\exists x.P(x)). \]
-As above, the first step is refinement by (${\imp}I)$:
-\[ (\exists x.P(f(x))\Imp \exists x.P(x)) \Imp
- (\exists x.P(f(x)))\imp(\exists x.P(x))
-\]
-The next step is $(\exists E)$, which replaces subgoal~1 by two new subgoals.
-Both have the assumption $\exists x.P(f(x))$. The new proof
-state is the meta-theorem
-\[ \begin{array}{l@{}l@{\qquad\qquad}l}
- \lbrakk\;& \exists x.P(f(x)) \Imp \exists x.\Var{P@1}(x); & \hbox{(subgoal 1)} \\
- & \Forall x.\List{\exists x.P(f(x)); \Var{P@1}(x)} \Imp
- \exists x.P(x) & \hbox{(subgoal 2)} \\
- \rbrakk\;& \Imp (\exists x.P(f(x)))\imp(\exists x.P(x)) & \hbox{(main goal)}
- \end{array}
-\]
-The unknown $\Var{P@1}$ appears in both subgoals. Because we have applied
-$(\exists E)$, we must prove $\exists x.\Var{P@1}(x)$, where $\Var{P@1}(x)$ may
-become any formula possibly containing~$x$. Proving subgoal~1 by assumption
-instantiates $\Var{P@1}$ to~$\lambda x.P(f(x))$:
-\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
- \exists x.P(x)\right)
- \Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
-\]
-The next step is refinement by $(\exists I)$. The rule is lifted into the
-context of the parameter~$x$ and the assumption $P(f(x))$. This copies
-the context to the subgoal and allows the existential witness to
-depend upon~$x$:
-\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
- P(\Var{x@2}(x))\right)
- \Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
-\]
-The existential witness, $\Var{x@2}(x)$, consists of an unknown
-applied to a parameter. Proof by assumption unifies $\lambda x.P(f(x))$
-with $\lambda x.P(\Var{x@2}(x))$, instantiating $\Var{x@2}$ to $f$. The final
-proof state contains no subgoals: $(\exists x.P(f(x)))\imp(\exists x.P(x))$.
-
-
-\subsection{Tactics and tacticals}
-\index{tactics|bold}\index{tacticals|bold}
-{\bf Tactics} perform backward proof. Isabelle tactics differ from those
-of {\sc lcf}, {\sc hol} and Nuprl by operating on entire proof states,
-rather than on individual subgoals. An Isabelle tactic is a function that
-takes a proof state and returns a sequence (lazy list) of possible
-successor states. Lazy lists are coded in ML as functions, a standard
-technique~\cite{paulson-ml2}. Isabelle represents proof states by theorems.
-
-Basic tactics execute the meta-rules described above, operating on a
-given subgoal. The {\bf resolution tactics} take a list of rules and
-return next states for each combination of rule and unifier. The {\bf
-assumption tactic} examines the subgoal's assumptions and returns next
-states for each combination of assumption and unifier. Lazy lists are
-essential because higher-order resolution may return infinitely many
-unifiers. If there are no matching rules or assumptions then no next
-states are generated; a tactic application that returns an empty list is
-said to {\bf fail}.
-
-Sequences realize their full potential with {\bf tacticals} --- operators
-for combining tactics. Depth-first search, breadth-first search and
-best-first search (where a heuristic function selects the best state to
-explore) return their outcomes as a sequence. Isabelle provides such
-procedures in the form of tacticals. Simpler procedures can be expressed
-directly using the basic tacticals {\tt THEN}, {\tt ORELSE} and {\tt REPEAT}:
-\begin{ttdescription}
-\item[$tac1$ THEN $tac2$] is a tactic for sequential composition. Applied
-to a proof state, it returns all states reachable in two steps by applying
-$tac1$ followed by~$tac2$.
-
-\item[$tac1$ ORELSE $tac2$] is a choice tactic. Applied to a state, it
-tries~$tac1$ and returns the result if non-empty; otherwise, it uses~$tac2$.
-
-\item[REPEAT $tac$] is a repetition tactic. Applied to a state, it
-returns all states reachable by applying~$tac$ as long as possible --- until
-it would fail.
-\end{ttdescription}
-For instance, this tactic repeatedly applies $tac1$ and~$tac2$, giving
-$tac1$ priority:
-\begin{center} \tt
-REPEAT($tac1$ ORELSE $tac2$)
-\end{center}
-
-
-\section{Variations on resolution}
-In principle, resolution and proof by assumption suffice to prove all
-theorems. However, specialized forms of resolution are helpful for working
-with elimination rules. Elim-resolution applies an elimination rule to an
-assumption; destruct-resolution is similar, but applies a rule in a forward
-style.
-
-The last part of the section shows how the techniques for proving theorems
-can also serve to derive rules.
-
-\subsection{Elim-resolution}
-\index{elim-resolution|bold}\index{assumptions!deleting}
-
-Consider proving the theorem $((R\disj R)\disj R)\disj R\imp R$. By
-$({\imp}I)$, we prove~$R$ from the assumption $((R\disj R)\disj R)\disj R$.
-Applying $(\disj E)$ to this assumption yields two subgoals, one that
-assumes~$R$ (and is therefore trivial) and one that assumes $(R\disj
-R)\disj R$. This subgoal admits another application of $(\disj E)$. Since
-natural deduction never discards assumptions, we eventually generate a
-subgoal containing much that is redundant:
-\[ \List{((R\disj R)\disj R)\disj R; (R\disj R)\disj R; R\disj R; R} \Imp R. \]
-In general, using $(\disj E)$ on the assumption $P\disj Q$ creates two new
-subgoals with the additional assumption $P$ or~$Q$. In these subgoals,
-$P\disj Q$ is redundant. Other elimination rules behave
-similarly. In first-order logic, only universally quantified
-assumptions are sometimes needed more than once --- say, to prove
-$P(f(f(a)))$ from the assumptions $\forall x.P(x)\imp P(f(x))$ and~$P(a)$.
-
-Many logics can be formulated as sequent calculi that delete redundant
-assumptions after use. The rule $(\disj E)$ might become
-\[ \infer[\disj\hbox{-left}]
- {\Gamma,P\disj Q,\Delta \turn \Theta}
- {\Gamma,P,\Delta \turn \Theta && \Gamma,Q,\Delta \turn \Theta} \]
-In backward proof, a goal containing $P\disj Q$ on the left of the~$\turn$
-(that is, as an assumption) splits into two subgoals, replacing $P\disj Q$
-by $P$ or~$Q$. But the sequent calculus, with its explicit handling of
-assumptions, can be tiresome to use.
-
-Elim-resolution is Isabelle's way of getting sequent calculus behaviour
-from natural deduction rules. It lets an elimination rule consume an
-assumption. Elim-resolution combines two meta-theorems:
-\begin{itemize}
- \item a rule $\List{\psi@1; \ldots; \psi@m} \Imp \psi$
- \item a proof state $\List{\phi@1; \ldots; \phi@n} \Imp \phi$
-\end{itemize}
-The rule must have at least one premise, thus $m>0$. Write the rule's
-lifted form as $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$. Suppose we
-wish to change subgoal number~$i$.
-
-Ordinary resolution would attempt to reduce~$\phi@i$,
-replacing subgoal~$i$ by $m$ new ones. Elim-resolution tries
-simultaneously to reduce~$\phi@i$ and to solve~$\psi'@1$ by assumption; it
-returns a sequence of next states. Each of these replaces subgoal~$i$ by
-instances of $\psi'@2$, \ldots, $\psi'@m$ from which the selected
-assumption has been deleted. Suppose $\phi@i$ has the parameter~$x$ and
-assumptions $\theta@1$,~\ldots,~$\theta@k$. Then $\psi'@1$, the rule's first
-premise after lifting, will be
-\( \Forall x. \List{\theta@1; \ldots; \theta@k}\Imp \psi^{x}@1 \).
-Elim-resolution tries to unify $\psi'\qeq\phi@i$ and
-$\lambda x. \theta@j \qeq \lambda x. \psi^{x}@1$ simultaneously, for
-$j=1$,~\ldots,~$k$.
-
-Let us redo the example from~\S\ref{prop-proof}. The elimination rule
-is~$(\disj E)$,
-\[ \List{\Var{P}\disj \Var{Q};\; \Var{P}\Imp \Var{R};\; \Var{Q}\Imp \Var{R}}
- \Imp \Var{R} \]
-and the proof state is $(P\disj P\Imp P)\Imp (P\disj P\imp P)$. The
-lifted rule is
-\[ \begin{array}{l@{}l}
- \lbrakk\;& P\disj P \Imp \Var{P@1}\disj\Var{Q@1}; \\
- & \List{P\disj P ;\; \Var{P@1}} \Imp \Var{R@1}; \\
- & \List{P\disj P ;\; \Var{Q@1}} \Imp \Var{R@1} \\
- \rbrakk\;& \Imp (P\disj P \Imp \Var{R@1})
- \end{array}
-\]
-Unification takes the simultaneous equations
-$P\disj P \qeq \Var{P@1}\disj\Var{Q@1}$ and $\Var{R@1} \qeq P$, yielding
-$\Var{P@1}\equiv\Var{Q@1}\equiv\Var{R@1} \equiv P$. The new proof state
-is simply
-\[ \List{P \Imp P;\; P \Imp P} \Imp (P\disj P\imp P).
-\]
-Elim-resolution's simultaneous unification gives better control
-than ordinary resolution. Recall the substitution rule:
-$$ \List{\Var{t}=\Var{u}; \Var{P}(\Var{t})} \Imp \Var{P}(\Var{u})
-\eqno(subst) $$
-Unsuitable for ordinary resolution because $\Var{P}(\Var{u})$ admits many
-unifiers, $(subst)$ works well with elim-resolution. It deletes some
-assumption of the form $x=y$ and replaces every~$y$ by~$x$ in the subgoal
-formula. The simultaneous unification instantiates $\Var{u}$ to~$y$; if
-$y$ is not an unknown, then $\Var{P}(y)$ can easily be unified with another
-formula.
-
-In logical parlance, the premise containing the connective to be eliminated
-is called the \bfindex{major premise}. Elim-resolution expects the major
-premise to come first. The order of the premises is significant in
-Isabelle.
-
-\subsection{Destruction rules} \label{destruct}
-\index{rules!destruction}\index{rules!elimination}
-\index{forward proof}
-
-Looking back to Fig.\ts\ref{fol-fig}, notice that there are two kinds of
-elimination rule. The rules $({\conj}E1)$, $({\conj}E2)$, $({\imp}E)$ and
-$({\forall}E)$ extract the conclusion from the major premise. In Isabelle
-parlance, such rules are called {\bf destruction rules}; they are readable
-and easy to use in forward proof. The rules $({\disj}E)$, $({\bot}E)$ and
-$({\exists}E)$ work by discharging assumptions; they support backward proof
-in a style reminiscent of the sequent calculus.
-
-The latter style is the most general form of elimination rule. In natural
-deduction, there is no way to recast $({\disj}E)$, $({\bot}E)$ or
-$({\exists}E)$ as destruction rules. But we can write general elimination
-rules for $\conj$, $\imp$ and~$\forall$:
-\[
-\infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \qquad
-\infer{R}{P\imp Q & P & \infer*{R}{[Q]}} \qquad
-\infer{Q}{\forall x.P & \infer*{Q}{[P[t/x]]}}
-\]
-Because they are concise, destruction rules are simpler to derive than the
-corresponding elimination rules. To facilitate their use in backward
-proof, Isabelle provides a means of transforming a destruction rule such as
-\[ \infer[\quad\hbox{to the elimination rule}\quad]{Q}{P@1 & \ldots & P@m}
- \infer{R.}{P@1 & \ldots & P@m & \infer*{R}{[Q]}}
-\]
-{\bf Destruct-resolution}\index{destruct-resolution} combines this
-transformation with elim-resolution. It applies a destruction rule to some
-assumption of a subgoal. Given the rule above, it replaces the
-assumption~$P@1$ by~$Q$, with new subgoals of showing instances of $P@2$,
-\ldots,~$P@m$. Destruct-resolution works forward from a subgoal's
-assumptions. Ordinary resolution performs forward reasoning from theorems,
-as illustrated in~\S\ref{joining}.
-
-
-\subsection{Deriving rules by resolution} \label{deriving}
-\index{rules!derived|bold}\index{meta-assumptions!syntax of}
-The meta-logic, itself a form of the predicate calculus, is defined by a
-system of natural deduction rules. Each theorem may depend upon
-meta-assumptions. The theorem that~$\phi$ follows from the assumptions
-$\phi@1$, \ldots, $\phi@n$ is written
-\[ \phi \quad [\phi@1,\ldots,\phi@n]. \]
-A more conventional notation might be $\phi@1,\ldots,\phi@n \turn \phi$,
-but Isabelle's notation is more readable with large formulae.
-
-Meta-level natural deduction provides a convenient mechanism for deriving
-new object-level rules. To derive the rule
-\[ \infer{\phi,}{\theta@1 & \ldots & \theta@k} \]
-assume the premises $\theta@1$,~\ldots,~$\theta@k$ at the
-meta-level. Then prove $\phi$, possibly using these assumptions.
-Starting with a proof state $\phi\Imp\phi$, assumptions may accumulate,
-reaching a final state such as
-\[ \phi \quad [\theta@1,\ldots,\theta@k]. \]
-The meta-rule for $\Imp$ introduction discharges an assumption.
-Discharging them in the order $\theta@k,\ldots,\theta@1$ yields the
-meta-theorem $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, with no
-assumptions. This represents the desired rule.
-Let us derive the general $\conj$ elimination rule:
-$$ \infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \eqno(\conj E) $$
-We assume $P\conj Q$ and $\List{P;Q}\Imp R$, and commence backward proof in
-the state $R\Imp R$. Resolving this with the second assumption yields the
-state
-\[ \phantom{\List{P\conj Q;\; P\conj Q}}
- \llap{$\List{P;Q}$}\Imp R \quad [\,\List{P;Q}\Imp R\,]. \]
-Resolving subgoals~1 and~2 with~$({\conj}E1)$ and~$({\conj}E2)$,
-respectively, yields the state
-\[ \List{P\conj \Var{Q@1};\; \Var{P@2}\conj Q}\Imp R
- \quad [\,\List{P;Q}\Imp R\,].
-\]
-The unknowns $\Var{Q@1}$ and~$\Var{P@2}$ arise from unconstrained
-subformulae in the premises of~$({\conj}E1)$ and~$({\conj}E2)$. Resolving
-both subgoals with the assumption $P\conj Q$ instantiates the unknowns to yield
-\[ R \quad [\, \List{P;Q}\Imp R, P\conj Q \,]. \]
-The proof may use the meta-assumptions in any order, and as often as
-necessary; when finished, we discharge them in the correct order to
-obtain the desired form:
-\[ \List{P\conj Q;\; \List{P;Q}\Imp R} \Imp R \]
-We have derived the rule using free variables, which prevents their
-premature instantiation during the proof; we may now replace them by
-schematic variables.
-
-\begin{warn}
- Schematic variables are not allowed in meta-assumptions, for a variety of
- reasons. Meta-assumptions remain fixed throughout a proof.
-\end{warn}
-
--- a/doc-src/Intro/document/getting.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,956 +0,0 @@
-\part{Using Isabelle from the ML Top-Level}\label{chap:getting}
-
-Most Isabelle users write proof scripts using the Isar language, as described in the \emph{Tutorial}, and debug them through the Proof General user interface~\cite{proofgeneral}. Isabelle's original user interface --- based on the \ML{} top-level --- is still available, however.
-Proofs are conducted by
-applying certain \ML{} functions, which update a stored proof state.
-All syntax can be expressed using plain {\sc ascii}
-characters, but Isabelle can support
-alternative syntaxes, for example using mathematical symbols from a
-special screen font. The meta-logic and main object-logics already
-provide such fancy output as an option.
-
-Object-logics are built upon Pure Isabelle, which implements the
-meta-logic and provides certain fundamental data structures: types,
-terms, signatures, theorems and theories, tactics and tacticals.
-These data structures have the corresponding \ML{} types \texttt{typ},
-\texttt{term}, \texttt{Sign.sg}, \texttt{thm}, \texttt{theory} and \texttt{tactic};
-tacticals have function types such as \texttt{tactic->tactic}. Isabelle
-users can operate on these data structures by writing \ML{} programs.
-
-
-\section{Forward proof}\label{sec:forward} \index{forward proof|(}
-This section describes the concrete syntax for types, terms and theorems,
-and demonstrates forward proof. The examples are set in first-order logic.
-The command to start Isabelle running first-order logic is
-\begin{ttbox}
-isabelle FOL
-\end{ttbox}
-Note that just typing \texttt{isabelle} usually brings up higher-order logic
-(HOL) by default.
-
-
-\subsection{Lexical matters}
-\index{identifiers}\index{reserved words}
-An {\bf identifier} is a string of letters, digits, underscores~(\verb|_|)
-and single quotes~({\tt'}), beginning with a letter. Single quotes are
-regarded as primes; for instance \texttt{x'} is read as~$x'$. Identifiers are
-separated by white space and special characters. {\bf Reserved words} are
-identifiers that appear in Isabelle syntax definitions.
-
-An Isabelle theory can declare symbols composed of special characters, such
-as {\tt=}, {\tt==}, {\tt=>} and {\tt==>}. (The latter three are part of
-the syntax of the meta-logic.) Such symbols may be run together; thus if
-\verb|}| and \verb|{| are used for set brackets then \verb|{{a},{a,b}}| is
-valid notation for a set of sets --- but only if \verb|}}| and \verb|{{|
-have not been declared as symbols! The parser resolves any ambiguity by
-taking the longest possible symbol that has been declared. Thus the string
-{\tt==>} is read as a single symbol. But \hbox{\tt= =>} is read as two
-symbols.
-
-Identifiers that are not reserved words may serve as free variables or
-constants. A {\bf type identifier} consists of an identifier prefixed by a
-prime, for example {\tt'a} and \hbox{\tt'hello}. Type identifiers stand
-for (free) type variables, which remain fixed during a proof.
-\index{type identifiers}
-
-An {\bf unknown}\index{unknowns} (or type unknown) consists of a question
-mark, an identifier (or type identifier), and a subscript. The subscript,
-a non-negative integer,
-allows the renaming of unknowns prior to unification.%
-\footnote{The subscript may appear after the identifier, separated by a
- dot; this prevents ambiguity when the identifier ends with a digit. Thus
- {\tt?z6.0} has identifier {\tt"z6"} and subscript~0, while {\tt?a0.5}
- has identifier {\tt"a0"} and subscript~5. If the identifier does not
- end with a digit, then no dot appears and a subscript of~0 is omitted;
- for example, {\tt?hello} has identifier {\tt"hello"} and subscript
- zero, while {\tt?z6} has identifier {\tt"z"} and subscript~6. The same
- conventions apply to type unknowns. The question mark is {\it not\/}
- part of the identifier!}
-
-
-\subsection{Syntax of types and terms}
-\index{classes!built-in|bold}\index{syntax!of types and terms}
-
-Classes are denoted by identifiers; the built-in class \cldx{logic}
-contains the `logical' types. Sorts are lists of classes enclosed in
-braces~\} and \{; singleton sorts may be abbreviated by dropping the braces.
-
-\index{types!syntax of|bold}\index{sort constraints} Types are written
-with a syntax like \ML's. The built-in type \tydx{prop} is the type
-of propositions. Type variables can be constrained to particular
-classes or sorts, for example \texttt{'a::term} and \texttt{?'b::\ttlbrace
- ord, arith\ttrbrace}.
-\[\dquotes
-\index{*:: symbol}\index{*=> symbol}
-\index{{}@{\tt\ttlbrace} symbol}\index{{}@{\tt\ttrbrace} symbol}
-\index{*[ symbol}\index{*] symbol}
-\begin{array}{ll}
- \multicolumn{2}{c}{\hbox{ASCII Notation for Types}} \\ \hline
- \alpha "::" C & \hbox{class constraint} \\
- \alpha "::" "\ttlbrace" C@1 "," \ldots "," C@n "\ttrbrace" &
- \hbox{sort constraint} \\
- \sigma " => " \tau & \hbox{function type } \sigma\To\tau \\
- "[" \sigma@1 "," \ldots "," \sigma@n "] => " \tau
- & \hbox{$n$-argument function type} \\
- "(" \tau@1"," \ldots "," \tau@n ")" tycon & \hbox{type construction}
-\end{array}
-\]
-Terms are those of the typed $\lambda$-calculus.
-\index{terms!syntax of|bold}\index{type constraints}
-\[\dquotes
-\index{%@{\tt\%} symbol}\index{lambda abs@$\lambda$-abstractions}
-\index{*:: symbol}
-\begin{array}{ll}
- \multicolumn{2}{c}{\hbox{ASCII Notation for Terms}} \\ \hline
- t "::" \sigma & \hbox{type constraint} \\
- "\%" x "." t & \hbox{abstraction } \lambda x.t \\
- "\%" x@1\ldots x@n "." t & \hbox{abstraction over several arguments} \\
- t "(" u@1"," \ldots "," u@n ")" &
- \hbox{application to several arguments (FOL and ZF)} \\
- t\; u@1 \ldots\; u@n & \hbox{application to several arguments (HOL)}
-\end{array}
-\]
-Note that HOL uses its traditional ``higher-order'' syntax for application,
-which differs from that used in FOL.
-
-The theorems and rules of an object-logic are represented by theorems in
-the meta-logic, which are expressed using meta-formulae. Since the
-meta-logic is higher-order, meta-formulae~$\phi$, $\psi$, $\theta$,~\ldots{}
-are just terms of type~\texttt{prop}.
-\index{meta-implication}
-\index{meta-quantifiers}\index{meta-equality}
-\index{*"!"! symbol}
-
-\index{["!@{\tt[\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
-\index{"!]@{\tt\char124]} symbol} % so these are [| and |]
-
-\index{*== symbol}\index{*=?= symbol}\index{*==> symbol}
-\[\dquotes
- \begin{array}{l@{\quad}l@{\quad}l}
- \multicolumn{3}{c}{\hbox{ASCII Notation for Meta-Formulae}} \\ \hline
- a " == " b & a\equiv b & \hbox{meta-equality} \\
- a " =?= " b & a\qeq b & \hbox{flex-flex constraint} \\
- \phi " ==> " \psi & \phi\Imp \psi & \hbox{meta-implication} \\
- "[|" \phi@1 ";" \ldots ";" \phi@n "|] ==> " \psi &
- \List{\phi@1;\ldots;\phi@n} \Imp \psi & \hbox{nested implication} \\
- "!!" x "." \phi & \Forall x.\phi & \hbox{meta-quantification} \\
- "!!" x@1\ldots x@n "." \phi &
- \Forall x@1. \ldots x@n.\phi & \hbox{nested quantification}
- \end{array}
-\]
-Flex-flex constraints are meta-equalities arising from unification; they
-require special treatment. See~\S\ref{flexflex}.
-\index{flex-flex constraints}
-
-\index{*Trueprop constant}
-Most logics define the implicit coercion $Trueprop$ from object-formulae to
-propositions. This could cause an ambiguity: in $P\Imp Q$, do the
-variables $P$ and $Q$ stand for meta-formulae or object-formulae? If the
-latter, $P\Imp Q$ really abbreviates $Trueprop(P)\Imp Trueprop(Q)$. To
-prevent such ambiguities, Isabelle's syntax does not allow a meta-formula
-to consist of a variable. Variables of type~\tydx{prop} are seldom
-useful, but you can make a variable stand for a meta-formula by prefixing
-it with the symbol \texttt{PROP}:\index{*PROP symbol}
-\begin{ttbox}
-PROP ?psi ==> PROP ?theta
-\end{ttbox}
-
-Symbols of object-logics are typically rendered into {\sc ascii} as
-follows:
-\[ \begin{tabular}{l@{\quad}l@{\quad}l}
- \tt True & $\top$ & true \\
- \tt False & $\bot$ & false \\
- \tt $P$ \& $Q$ & $P\conj Q$ & conjunction \\
- \tt $P$ | $Q$ & $P\disj Q$ & disjunction \\
- \verb'~' $P$ & $\neg P$ & negation \\
- \tt $P$ --> $Q$ & $P\imp Q$ & implication \\
- \tt $P$ <-> $Q$ & $P\bimp Q$ & bi-implication \\
- \tt ALL $x\,y\,z$ .\ $P$ & $\forall x\,y\,z.P$ & for all \\
- \tt EX $x\,y\,z$ .\ $P$ & $\exists x\,y\,z.P$ & there exists
- \end{tabular}
-\]
-To illustrate the notation, consider two axioms for first-order logic:
-$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
-$$ \List{\exists x. P(x); \Forall x. P(x)\imp Q} \Imp Q \eqno(\exists E) $$
-$({\conj}I)$ translates into {\sc ascii} characters as
-\begin{ttbox}
-[| ?P; ?Q |] ==> ?P & ?Q
-\end{ttbox}
-The schematic variables let unification instantiate the rule. To avoid
-cluttering logic definitions with question marks, Isabelle converts any
-free variables in a rule to schematic variables; we normally declare
-$({\conj}I)$ as
-\begin{ttbox}
-[| P; Q |] ==> P & Q
-\end{ttbox}
-This variables convention agrees with the treatment of variables in goals.
-Free variables in a goal remain fixed throughout the proof. After the
-proof is finished, Isabelle converts them to scheme variables in the
-resulting theorem. Scheme variables in a goal may be replaced by terms
-during the proof, supporting answer extraction, program synthesis, and so
-forth.
-
-For a final example, the rule $(\exists E)$ is rendered in {\sc ascii} as
-\begin{ttbox}
-[| EX x. P(x); !!x. P(x) ==> Q |] ==> Q
-\end{ttbox}
-
-
-\subsection{Basic operations on theorems}
-\index{theorems!basic operations on|bold}
-\index{LCF system}
-Meta-level theorems have the \ML{} type \mltydx{thm}. They represent the
-theorems and inference rules of object-logics. Isabelle's meta-logic is
-implemented using the {\sc lcf} approach: each meta-level inference rule is
-represented by a function from theorems to theorems. Object-level rules
-are taken as axioms.
-
-The main theorem printing commands are \texttt{prth}, \texttt{prths} and~{\tt
- prthq}. Of the other operations on theorems, most useful are \texttt{RS}
-and \texttt{RSN}, which perform resolution.
-
-\index{theorems!printing of}
-\begin{ttdescription}
-\item[\ttindex{prth} {\it thm};]
- pretty-prints {\it thm\/} at the terminal.
-
-\item[\ttindex{prths} {\it thms};]
- pretty-prints {\it thms}, a list of theorems.
-
-\item[\ttindex{prthq} {\it thmq};]
- pretty-prints {\it thmq}, a sequence of theorems; this is useful for
- inspecting the output of a tactic.
-
-\item[$thm1$ RS $thm2$] \index{*RS}
- resolves the conclusion of $thm1$ with the first premise of~$thm2$.
-
-\item[$thm1$ RSN $(i,thm2)$] \index{*RSN}
- resolves the conclusion of $thm1$ with the $i$th premise of~$thm2$.
-
-\item[\ttindex{standard} $thm$]
- puts $thm$ into a standard format. It also renames schematic variables
- to have subscript zero, improving readability and reducing subscript
- growth.
-\end{ttdescription}
-The rules of a theory are normally bound to \ML\ identifiers. Suppose we are
-running an Isabelle session containing theory~FOL, natural deduction
-first-order logic.\footnote{For a listing of the FOL rules and their \ML{}
- names, turn to
-\iflabelundefined{fol-rules}{{\em Isabelle's Object-Logics}}%
- {page~\pageref{fol-rules}}.}
-Let us try an example given in~\S\ref{joining}. We
-first print \tdx{mp}, which is the rule~$({\imp}E)$, then resolve it with
-itself.
-\begin{ttbox}
-prth mp;
-{\out [| ?P --> ?Q; ?P |] ==> ?Q}
-{\out val it = "[| ?P --> ?Q; ?P |] ==> ?Q" : thm}
-prth (mp RS mp);
-{\out [| ?P1 --> ?P --> ?Q; ?P1; ?P |] ==> ?Q}
-{\out val it = "[| ?P1 --> ?P --> ?Q; ?P1; ?P |] ==> ?Q" : thm}
-\end{ttbox}
-User input appears in {\footnotesize\tt typewriter characters}, and output
-appears in{\out slanted typewriter characters}. \ML's response {\out val
- }~\ldots{} is compiler-dependent and will sometimes be suppressed. This
-session illustrates two formats for the display of theorems. Isabelle's
-top-level displays theorems as \ML{} values, enclosed in quotes. Printing
-commands like \texttt{prth} omit the quotes and the surrounding \texttt{val
- \ldots :\ thm}. Ignoring their side-effects, the printing commands are
-identity functions.
-
-To contrast \texttt{RS} with \texttt{RSN}, we resolve
-\tdx{conjunct1}, which stands for~$(\conj E1)$, with~\tdx{mp}.
-\begin{ttbox}
-conjunct1 RS mp;
-{\out val it = "[| (?P --> ?Q) & ?Q1; ?P |] ==> ?Q" : thm}
-conjunct1 RSN (2,mp);
-{\out val it = "[| ?P --> ?Q; ?P & ?Q1 |] ==> ?Q" : thm}
-\end{ttbox}
-These correspond to the following proofs:
-\[ \infer[({\imp}E)]{Q}{\infer[({\conj}E1)]{P\imp Q}{(P\imp Q)\conj Q@1} & P}
- \qquad
- \infer[({\imp}E)]{Q}{P\imp Q & \infer[({\conj}E1)]{P}{P\conj Q@1}}
-\]
-%
-Rules can be derived by pasting other rules together. Let us join
-\tdx{spec}, which stands for~$(\forall E)$, with \texttt{mp} and {\tt
- conjunct1}. In \ML{}, the identifier~\texttt{it} denotes the value just
-printed.
-\begin{ttbox}
-spec;
-{\out val it = "ALL x. ?P(x) ==> ?P(?x)" : thm}
-it RS mp;
-{\out val it = "[| ALL x. ?P3(x) --> ?Q2(x); ?P3(?x1) |] ==>}
-{\out ?Q2(?x1)" : thm}
-it RS conjunct1;
-{\out val it = "[| ALL x. ?P4(x) --> ?P6(x) & ?Q5(x); ?P4(?x2) |] ==>}
-{\out ?P6(?x2)" : thm}
-standard it;
-{\out val it = "[| ALL x. ?P(x) --> ?Pa(x) & ?Q(x); ?P(?x) |] ==>}
-{\out ?Pa(?x)" : thm}
-\end{ttbox}
-By resolving $(\forall E)$ with (${\imp}E)$ and (${\conj}E1)$, we have
-derived a destruction rule for formulae of the form $\forall x.
-P(x)\imp(Q(x)\conj R(x))$. Used with destruct-resolution, such specialized
-rules provide a way of referring to particular assumptions.
-\index{assumptions!use of}
-
-\subsection{*Flex-flex constraints} \label{flexflex}
-\index{flex-flex constraints|bold}\index{unknowns!function}
-In higher-order unification, {\bf flex-flex} equations are those where both
-sides begin with a function unknown, such as $\Var{f}(0)\qeq\Var{g}(0)$.
-They admit a trivial unifier, here $\Var{f}\equiv \lambda x.\Var{a}$ and
-$\Var{g}\equiv \lambda y.\Var{a}$, where $\Var{a}$ is a new unknown. They
-admit many other unifiers, such as $\Var{f} \equiv \lambda x.\Var{g}(0)$
-and $\{\Var{f} \equiv \lambda x.x,\, \Var{g} \equiv \lambda x.0\}$. Huet's
-procedure does not enumerate the unifiers; instead, it retains flex-flex
-equations as constraints on future unifications. Flex-flex constraints
-occasionally become attached to a proof state; more frequently, they appear
-during use of \texttt{RS} and~\texttt{RSN}:
-\begin{ttbox}
-refl;
-{\out val it = "?a = ?a" : thm}
-exI;
-{\out val it = "?P(?x) ==> EX x. ?P(x)" : thm}
-refl RS exI;
-{\out val it = "EX x. ?a3(x) = ?a2(x)" [.] : thm}
-\end{ttbox}
-%
-The mysterious symbol \texttt{[.]} indicates that the result is subject to
-a meta-level hypothesis. We can make all such hypotheses visible by setting the
-\ttindexbold{show_hyps} flag:
-\begin{ttbox}
-set show_hyps;
-{\out val it = true : bool}
-refl RS exI;
-{\out val it = "EX x. ?a3(x) = ?a2(x)" ["?a3(?x) =?= ?a2(?x)"] : thm}
-\end{ttbox}
-
-\noindent
-Renaming variables, this is $\exists x.\Var{f}(x)=\Var{g}(x)$ with
-the constraint ${\Var{f}(\Var{u})\qeq\Var{g}(\Var{u})}$. Instances
-satisfying the constraint include $\exists x.\Var{f}(x)=\Var{f}(x)$ and
-$\exists x.x=\Var{u}$. Calling \ttindex{flexflex_rule} removes all
-constraints by applying the trivial unifier:\index{*prthq}
-\begin{ttbox}
-prthq (flexflex_rule it);
-{\out EX x. ?a4 = ?a4}
-\end{ttbox}
-Isabelle simplifies flex-flex equations to eliminate redundant bound
-variables. In $\lambda x\,y.\Var{f}(k(y),x) \qeq \lambda x\,y.\Var{g}(y)$,
-there is no bound occurrence of~$x$ on the right side; thus, there will be
-none on the left in a common instance of these terms. Choosing a new
-variable~$\Var{h}$, Isabelle assigns $\Var{f}\equiv \lambda u\,v.?h(u)$,
-simplifying the left side to $\lambda x\,y.\Var{h}(k(y))$. Dropping $x$
-from the equation leaves $\lambda y.\Var{h}(k(y)) \qeq \lambda
-y.\Var{g}(y)$. By $\eta$-conversion, this simplifies to the assignment
-$\Var{g}\equiv\lambda y.?h(k(y))$.
-
-\begin{warn}
-\ttindex{RS} and \ttindex{RSN} fail (by raising exception \texttt{THM}) unless
-the resolution delivers {\bf exactly one} resolvent. For multiple results,
-use \ttindex{RL} and \ttindex{RLN}, which operate on theorem lists. The
-following example uses \ttindex{read_instantiate} to create an instance
-of \tdx{refl} containing no schematic variables.
-\begin{ttbox}
-val reflk = read_instantiate [("a","k")] refl;
-{\out val reflk = "k = k" : thm}
-\end{ttbox}
-
-\noindent
-A flex-flex constraint is no longer possible; resolution does not find a
-unique unifier:
-\begin{ttbox}
-reflk RS exI;
-{\out uncaught exception}
-{\out THM ("RSN: multiple unifiers", 1,}
-{\out ["k = k", "?P(?x) ==> EX x. ?P(x)"])}
-\end{ttbox}
-Using \ttindex{RL} this time, we discover that there are four unifiers, and
-four resolvents:
-\begin{ttbox}
-[reflk] RL [exI];
-{\out val it = ["EX x. x = x", "EX x. k = x",}
-{\out "EX x. x = k", "EX x. k = k"] : thm list}
-\end{ttbox}
-\end{warn}
-
-\index{forward proof|)}
-
-\section{Backward proof}
-Although \texttt{RS} and \texttt{RSN} are fine for simple forward reasoning,
-large proofs require tactics. Isabelle provides a suite of commands for
-conducting a backward proof using tactics.
-
-\subsection{The basic tactics}
-The tactics \texttt{assume_tac}, {\tt
-resolve_tac}, \texttt{eresolve_tac}, and \texttt{dresolve_tac} suffice for most
-single-step proofs. Although \texttt{eresolve_tac} and \texttt{dresolve_tac} are
-not strictly necessary, they simplify proofs involving elimination and
-destruction rules. All the tactics act on a subgoal designated by a
-positive integer~$i$, failing if~$i$ is out of range. The resolution
-tactics try their list of theorems in left-to-right order.
-
-\begin{ttdescription}
-\item[\ttindex{assume_tac} {\it i}] \index{tactics!assumption}
- is the tactic that attempts to solve subgoal~$i$ by assumption. Proof by
- assumption is not a trivial step; it can falsify other subgoals by
- instantiating shared variables. There may be several ways of solving the
- subgoal by assumption.
-
-\item[\ttindex{resolve_tac} {\it thms} {\it i}]\index{tactics!resolution}
- is the basic resolution tactic, used for most proof steps. The $thms$
- represent object-rules, which are resolved against subgoal~$i$ of the
- proof state. For each rule, resolution forms next states by unifying the
- conclusion with the subgoal and inserting instantiated premises in its
- place. A rule can admit many higher-order unifiers. The tactic fails if
- none of the rules generates next states.
-
-\item[\ttindex{eresolve_tac} {\it thms} {\it i}] \index{elim-resolution}
- performs elim-resolution. Like \texttt{resolve_tac~{\it thms}~{\it i\/}}
- followed by \texttt{assume_tac~{\it i}}, it applies a rule then solves its
- first premise by assumption. But \texttt{eresolve_tac} additionally deletes
- that assumption from any subgoals arising from the resolution.
-
-\item[\ttindex{dresolve_tac} {\it thms} {\it i}]
- \index{forward proof}\index{destruct-resolution}
- performs destruct-resolution with the~$thms$, as described
- in~\S\ref{destruct}. It is useful for forward reasoning from the
- assumptions.
-\end{ttdescription}
-
-\subsection{Commands for backward proof}
-\index{proofs!commands for}
-Tactics are normally applied using the subgoal module, which maintains a
-proof state and manages the proof construction. It allows interactive
-backtracking through the proof space, going away to prove lemmas, etc.; of
-its many commands, most important are the following:
-\begin{ttdescription}
-\item[\ttindex{Goal} {\it formula}; ]
-begins a new proof, where the {\it formula\/} is written as an \ML\ string.
-
-\item[\ttindex{by} {\it tactic}; ]
-applies the {\it tactic\/} to the current proof
-state, raising an exception if the tactic fails.
-
-\item[\ttindex{undo}(); ]
- reverts to the previous proof state. Undo can be repeated but cannot be
- undone. Do not omit the parentheses; typing {\tt\ \ undo;\ \ } merely
- causes \ML\ to echo the value of that function.
-
-\item[\ttindex{result}();]
-returns the theorem just proved, in a standard format. It fails if
-unproved subgoals are left, etc.
-
-\item[\ttindex{qed} {\it name};] is the usual way of ending a proof.
- It gets the theorem using \texttt{result}, stores it in Isabelle's
- theorem database and binds it to an \ML{} identifier.
-
-\end{ttdescription}
-The commands and tactics given above are cumbersome for interactive use.
-Although our examples will use the full commands, you may prefer Isabelle's
-shortcuts:
-\begin{center} \tt
-\index{*br} \index{*be} \index{*bd} \index{*ba}
-\begin{tabular}{l@{\qquad\rm abbreviates\qquad}l}
- ba {\it i}; & by (assume_tac {\it i}); \\
-
- br {\it thm} {\it i}; & by (resolve_tac [{\it thm}] {\it i}); \\
-
- be {\it thm} {\it i}; & by (eresolve_tac [{\it thm}] {\it i}); \\
-
- bd {\it thm} {\it i}; & by (dresolve_tac [{\it thm}] {\it i});
-\end{tabular}
-\end{center}
-
-\subsection{A trivial example in propositional logic}
-\index{examples!propositional}
-
-Directory \texttt{FOL} of the Isabelle distribution defines the theory of
-first-order logic. Let us try the example from \S\ref{prop-proof},
-entering the goal $P\disj P\imp P$ in that theory.\footnote{To run these
- examples, see the file \texttt{FOL/ex/intro.ML}.}
-\begin{ttbox}
-Goal "P|P --> P";
-{\out Level 0}
-{\out P | P --> P}
-{\out 1. P | P --> P}
-\end{ttbox}\index{level of a proof}
-Isabelle responds by printing the initial proof state, which has $P\disj
-P\imp P$ as the main goal and the only subgoal. The {\bf level} of the
-state is the number of \texttt{by} commands that have been applied to reach
-it. We now use \ttindex{resolve_tac} to apply the rule \tdx{impI},
-or~$({\imp}I)$, to subgoal~1:
-\begin{ttbox}
-by (resolve_tac [impI] 1);
-{\out Level 1}
-{\out P | P --> P}
-{\out 1. P | P ==> P}
-\end{ttbox}
-In the new proof state, subgoal~1 is $P$ under the assumption $P\disj P$.
-(The meta-implication {\tt==>} indicates assumptions.) We apply
-\tdx{disjE}, or~(${\disj}E)$, to that subgoal:
-\begin{ttbox}
-by (resolve_tac [disjE] 1);
-{\out Level 2}
-{\out P | P --> P}
-{\out 1. P | P ==> ?P1 | ?Q1}
-{\out 2. [| P | P; ?P1 |] ==> P}
-{\out 3. [| P | P; ?Q1 |] ==> P}
-\end{ttbox}
-At Level~2 there are three subgoals, each provable by assumption. We
-deviate from~\S\ref{prop-proof} by tackling subgoal~3 first, using
-\ttindex{assume_tac}. This affects subgoal~1, updating {\tt?Q1} to~{\tt
- P}.
-\begin{ttbox}
-by (assume_tac 3);
-{\out Level 3}
-{\out P | P --> P}
-{\out 1. P | P ==> ?P1 | P}
-{\out 2. [| P | P; ?P1 |] ==> P}
-\end{ttbox}
-Next we tackle subgoal~2, instantiating {\tt?P1} to~\texttt{P} in subgoal~1.
-\begin{ttbox}
-by (assume_tac 2);
-{\out Level 4}
-{\out P | P --> P}
-{\out 1. P | P ==> P | P}
-\end{ttbox}
-Lastly we prove the remaining subgoal by assumption:
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 5}
-{\out P | P --> P}
-{\out No subgoals!}
-\end{ttbox}
-Isabelle tells us that there are no longer any subgoals: the proof is
-complete. Calling \texttt{qed} stores the theorem.
-\begin{ttbox}
-qed "mythm";
-{\out val mythm = "?P | ?P --> ?P" : thm}
-\end{ttbox}
-Isabelle has replaced the free variable~\texttt{P} by the scheme
-variable~{\tt?P}\@. Free variables in the proof state remain fixed
-throughout the proof. Isabelle finally converts them to scheme variables
-so that the resulting theorem can be instantiated with any formula.
-
-As an exercise, try doing the proof as in \S\ref{prop-proof}, observing how
-instantiations affect the proof state.
-
-
-\subsection{Part of a distributive law}
-\index{examples!propositional}
-To demonstrate the tactics \ttindex{eresolve_tac}, \ttindex{dresolve_tac}
-and the tactical \texttt{REPEAT}, let us prove part of the distributive
-law
-\[ (P\conj Q)\disj R \,\bimp\, (P\disj R)\conj (Q\disj R). \]
-We begin by stating the goal to Isabelle and applying~$({\imp}I)$ to it:
-\begin{ttbox}
-Goal "(P & Q) | R --> (P | R)";
-{\out Level 0}
-{\out P & Q | R --> P | R}
-{\out 1. P & Q | R --> P | R}
-\ttbreak
-by (resolve_tac [impI] 1);
-{\out Level 1}
-{\out P & Q | R --> P | R}
-{\out 1. P & Q | R ==> P | R}
-\end{ttbox}
-Previously we applied~(${\disj}E)$ using \texttt{resolve_tac}, but
-\ttindex{eresolve_tac} deletes the assumption after use. The resulting proof
-state is simpler.
-\begin{ttbox}
-by (eresolve_tac [disjE] 1);
-{\out Level 2}
-{\out P & Q | R --> P | R}
-{\out 1. P & Q ==> P | R}
-{\out 2. R ==> P | R}
-\end{ttbox}
-Using \ttindex{dresolve_tac}, we can apply~(${\conj}E1)$ to subgoal~1,
-replacing the assumption $P\conj Q$ by~$P$. Normally we should apply the
-rule~(${\conj}E)$, given in~\S\ref{destruct}. That is an elimination rule
-and requires \texttt{eresolve_tac}; it would replace $P\conj Q$ by the two
-assumptions~$P$ and~$Q$. Because the present example does not need~$Q$, we
-may try out \texttt{dresolve_tac}.
-\begin{ttbox}
-by (dresolve_tac [conjunct1] 1);
-{\out Level 3}
-{\out P & Q | R --> P | R}
-{\out 1. P ==> P | R}
-{\out 2. R ==> P | R}
-\end{ttbox}
-The next two steps apply~(${\disj}I1$) and~(${\disj}I2$) in an obvious manner.
-\begin{ttbox}
-by (resolve_tac [disjI1] 1);
-{\out Level 4}
-{\out P & Q | R --> P | R}
-{\out 1. P ==> P}
-{\out 2. R ==> P | R}
-\ttbreak
-by (resolve_tac [disjI2] 2);
-{\out Level 5}
-{\out P & Q | R --> P | R}
-{\out 1. P ==> P}
-{\out 2. R ==> R}
-\end{ttbox}
-Two calls of \texttt{assume_tac} can finish the proof. The
-tactical~\ttindex{REPEAT} here expresses a tactic that calls \texttt{assume_tac~1}
-as many times as possible. We can restrict attention to subgoal~1 because
-the other subgoals move up after subgoal~1 disappears.
-\begin{ttbox}
-by (REPEAT (assume_tac 1));
-{\out Level 6}
-{\out P & Q | R --> P | R}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\section{Quantifier reasoning}
-\index{quantifiers}\index{parameters}\index{unknowns}\index{unknowns!function}
-This section illustrates how Isabelle enforces quantifier provisos.
-Suppose that $x$, $y$ and~$z$ are parameters of a subgoal. Quantifier
-rules create terms such as~$\Var{f}(x,z)$, where~$\Var{f}$ is a function
-unknown. Instantiating $\Var{f}$ to $\lambda x\,z.t$ has the effect of
-replacing~$\Var{f}(x,z)$ by~$t$, where the term~$t$ may contain free
-occurrences of~$x$ and~$z$. On the other hand, no instantiation
-of~$\Var{f}$ can replace~$\Var{f}(x,z)$ by a term containing free
-occurrences of~$y$, since parameters are bound variables.
-
-\subsection{Two quantifier proofs: a success and a failure}
-\index{examples!with quantifiers}
-Let us contrast a proof of the theorem $\forall x.\exists y.x=y$ with an
-attempted proof of the non-theorem $\exists y.\forall x.x=y$. The former
-proof succeeds, and the latter fails, because of the scope of quantified
-variables~\cite{paulson-found}. Unification helps even in these trivial
-proofs. In $\forall x.\exists y.x=y$ the $y$ that `exists' is simply $x$,
-but we need never say so. This choice is forced by the reflexive law for
-equality, and happens automatically.
-
-\paragraph{The successful proof.}
-The proof of $\forall x.\exists y.x=y$ demonstrates the introduction rules
-$(\forall I)$ and~$(\exists I)$. We state the goal and apply $(\forall I)$:
-\begin{ttbox}
-Goal "ALL x. EX y. x=y";
-{\out Level 0}
-{\out ALL x. EX y. x = y}
-{\out 1. ALL x. EX y. x = y}
-\ttbreak
-by (resolve_tac [allI] 1);
-{\out Level 1}
-{\out ALL x. EX y. x = y}
-{\out 1. !!x. EX y. x = y}
-\end{ttbox}
-The variable~\texttt{x} is no longer universally quantified, but is a
-parameter in the subgoal; thus, it is universally quantified at the
-meta-level. The subgoal must be proved for all possible values of~\texttt{x}.
-
-To remove the existential quantifier, we apply the rule $(\exists I)$:
-\begin{ttbox}
-by (resolve_tac [exI] 1);
-{\out Level 2}
-{\out ALL x. EX y. x = y}
-{\out 1. !!x. x = ?y1(x)}
-\end{ttbox}
-The bound variable \texttt{y} has become {\tt?y1(x)}. This term consists of
-the function unknown~{\tt?y1} applied to the parameter~\texttt{x}.
-Instances of {\tt?y1(x)} may or may not contain~\texttt{x}. We resolve the
-subgoal with the reflexivity axiom.
-\begin{ttbox}
-by (resolve_tac [refl] 1);
-{\out Level 3}
-{\out ALL x. EX y. x = y}
-{\out No subgoals!}
-\end{ttbox}
-Let us consider what has happened in detail. The reflexivity axiom is
-lifted over~$x$ to become $\Forall x.\Var{f}(x)=\Var{f}(x)$, which is
-unified with $\Forall x.x=\Var{y@1}(x)$. The function unknowns $\Var{f}$
-and~$\Var{y@1}$ are both instantiated to the identity function, and
-$x=\Var{y@1}(x)$ collapses to~$x=x$ by $\beta$-reduction.
-
-\paragraph{The unsuccessful proof.}
-We state the goal $\exists y.\forall x.x=y$, which is not a theorem, and
-try~$(\exists I)$:
-\begin{ttbox}
-Goal "EX y. ALL x. x=y";
-{\out Level 0}
-{\out EX y. ALL x. x = y}
-{\out 1. EX y. ALL x. x = y}
-\ttbreak
-by (resolve_tac [exI] 1);
-{\out Level 1}
-{\out EX y. ALL x. x = y}
-{\out 1. ALL x. x = ?y}
-\end{ttbox}
-The unknown \texttt{?y} may be replaced by any term, but this can never
-introduce another bound occurrence of~\texttt{x}. We now apply~$(\forall I)$:
-\begin{ttbox}
-by (resolve_tac [allI] 1);
-{\out Level 2}
-{\out EX y. ALL x. x = y}
-{\out 1. !!x. x = ?y}
-\end{ttbox}
-Compare our position with the previous Level~2. Instead of {\tt?y1(x)} we
-have~{\tt?y}, whose instances may not contain the bound variable~\texttt{x}.
-The reflexivity axiom does not unify with subgoal~1.
-\begin{ttbox}
-by (resolve_tac [refl] 1);
-{\out by: tactic failed}
-\end{ttbox}
-There can be no proof of $\exists y.\forall x.x=y$ by the soundness of
-first-order logic. I have elsewhere proved the faithfulness of Isabelle's
-encoding of first-order logic~\cite{paulson-found}; there could, of course, be
-faults in the implementation.
-
-
-\subsection{Nested quantifiers}
-\index{examples!with quantifiers}
-Multiple quantifiers create complex terms. Proving
-\[ (\forall x\,y.P(x,y)) \imp (\forall z\,w.P(w,z)) \]
-will demonstrate how parameters and unknowns develop. If they appear in
-the wrong order, the proof will fail.
-
-This section concludes with a demonstration of \texttt{REPEAT}
-and~\texttt{ORELSE}.
-\begin{ttbox}
-Goal "(ALL x y.P(x,y)) --> (ALL z w.P(w,z))";
-{\out Level 0}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-\ttbreak
-by (resolve_tac [impI] 1);
-{\out Level 1}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
-\end{ttbox}
-
-\paragraph{The wrong approach.}
-Using \texttt{dresolve_tac}, we apply the rule $(\forall E)$, bound to the
-\ML\ identifier \tdx{spec}. Then we apply $(\forall I)$.
-\begin{ttbox}
-by (dresolve_tac [spec] 1);
-{\out Level 2}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. ALL y. P(?x1,y) ==> ALL z w. P(w,z)}
-\ttbreak
-by (resolve_tac [allI] 1);
-{\out Level 3}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z. ALL y. P(?x1,y) ==> ALL w. P(w,z)}
-\end{ttbox}
-The unknown \texttt{?x1} and the parameter \texttt{z} have appeared. We again
-apply $(\forall E)$ and~$(\forall I)$.
-\begin{ttbox}
-by (dresolve_tac [spec] 1);
-{\out Level 4}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z. P(?x1,?y3(z)) ==> ALL w. P(w,z)}
-\ttbreak
-by (resolve_tac [allI] 1);
-{\out Level 5}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z w. P(?x1,?y3(z)) ==> P(w,z)}
-\end{ttbox}
-The unknown \texttt{?y3} and the parameter \texttt{w} have appeared. Each
-unknown is applied to the parameters existing at the time of its creation;
-instances of~\texttt{?x1} cannot contain~\texttt{z} or~\texttt{w}, while instances
-of {\tt?y3(z)} can only contain~\texttt{z}. Due to the restriction on~\texttt{?x1},
-proof by assumption will fail.
-\begin{ttbox}
-by (assume_tac 1);
-{\out by: tactic failed}
-{\out uncaught exception ERROR}
-\end{ttbox}
-
-\paragraph{The right approach.}
-To do this proof, the rules must be applied in the correct order.
-Parameters should be created before unknowns. The
-\ttindex{choplev} command returns to an earlier stage of the proof;
-let us return to the result of applying~$({\imp}I)$:
-\begin{ttbox}
-choplev 1;
-{\out Level 1}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
-\end{ttbox}
-Previously we made the mistake of applying $(\forall E)$ before $(\forall I)$.
-\begin{ttbox}
-by (resolve_tac [allI] 1);
-{\out Level 2}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z. ALL x y. P(x,y) ==> ALL w. P(w,z)}
-\ttbreak
-by (resolve_tac [allI] 1);
-{\out Level 3}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z w. ALL x y. P(x,y) ==> P(w,z)}
-\end{ttbox}
-The parameters \texttt{z} and~\texttt{w} have appeared. We now create the
-unknowns:
-\begin{ttbox}
-by (dresolve_tac [spec] 1);
-{\out Level 4}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z w. ALL y. P(?x3(z,w),y) ==> P(w,z)}
-\ttbreak
-by (dresolve_tac [spec] 1);
-{\out Level 5}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. !!z w. P(?x3(z,w),?y4(z,w)) ==> P(w,z)}
-\end{ttbox}
-Both {\tt?x3(z,w)} and~{\tt?y4(z,w)} could become any terms containing {\tt
-z} and~\texttt{w}:
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 6}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out No subgoals!}
-\end{ttbox}
-
-\paragraph{A one-step proof using tacticals.}
-\index{tacticals} \index{examples!of tacticals}
-
-Repeated application of rules can be effective, but the rules should be
-attempted in the correct order. Let us return to the original goal using
-\ttindex{choplev}:
-\begin{ttbox}
-choplev 0;
-{\out Level 0}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-\end{ttbox}
-As we have just seen, \tdx{allI} should be attempted
-before~\tdx{spec}, while \ttindex{assume_tac} generally can be
-attempted first. Such priorities can easily be expressed
-using~\ttindex{ORELSE}, and repeated using~\ttindex{REPEAT}.
-\begin{ttbox}
-by (REPEAT (assume_tac 1 ORELSE resolve_tac [impI,allI] 1
- ORELSE dresolve_tac [spec] 1));
-{\out Level 1}
-{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\subsection{A realistic quantifier proof}
-\index{examples!with quantifiers}
-To see the practical use of parameters and unknowns, let us prove half of
-the equivalence
-\[ (\forall x. P(x) \imp Q) \,\bimp\, ((\exists x. P(x)) \imp Q). \]
-We state the left-to-right half to Isabelle in the normal way.
-Since $\imp$ is nested to the right, $({\imp}I)$ can be applied twice; we
-use \texttt{REPEAT}:
-\begin{ttbox}
-Goal "(ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q";
-{\out Level 0}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out 1. (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-\ttbreak
-by (REPEAT (resolve_tac [impI] 1));
-{\out Level 1}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out 1. [| ALL x. P(x) --> Q; EX x. P(x) |] ==> Q}
-\end{ttbox}
-We can eliminate the universal or the existential quantifier. The
-existential quantifier should be eliminated first, since this creates a
-parameter. The rule~$(\exists E)$ is bound to the
-identifier~\tdx{exE}.
-\begin{ttbox}
-by (eresolve_tac [exE] 1);
-{\out Level 2}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out 1. !!x. [| ALL x. P(x) --> Q; P(x) |] ==> Q}
-\end{ttbox}
-The only possibility now is $(\forall E)$, a destruction rule. We use
-\ttindex{dresolve_tac}, which discards the quantified assumption; it is
-only needed once.
-\begin{ttbox}
-by (dresolve_tac [spec] 1);
-{\out Level 3}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out 1. !!x. [| P(x); P(?x3(x)) --> Q |] ==> Q}
-\end{ttbox}
-Because we applied $(\exists E)$ before $(\forall E)$, the unknown
-term~{\tt?x3(x)} may depend upon the parameter~\texttt{x}.
-
-Although $({\imp}E)$ is a destruction rule, it works with
-\ttindex{eresolve_tac} to perform backward chaining. This technique is
-frequently useful.
-\begin{ttbox}
-by (eresolve_tac [mp] 1);
-{\out Level 4}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out 1. !!x. P(x) ==> P(?x3(x))}
-\end{ttbox}
-The tactic has reduced~\texttt{Q} to~\texttt{P(?x3(x))}, deleting the
-implication. The final step is trivial, thanks to the occurrence of~\texttt{x}.
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 5}
-{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
-{\out No subgoals!}
-\end{ttbox}
-
-
-\subsection{The classical reasoner}
-\index{classical reasoner}
-Isabelle provides enough automation to tackle substantial examples.
-The classical
-reasoner can be set up for any classical natural deduction logic;
-see \iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
- {Chap.\ts\ref{chap:classical}}.
-It cannot compete with fully automatic theorem provers, but it is
-competitive with tools found in other interactive provers.
-
-Rules are packaged into {\bf classical sets}. The classical reasoner
-provides several tactics, which apply rules using naive algorithms.
-Unification handles quantifiers as shown above. The most useful tactic
-is~\ttindex{Blast_tac}.
-
-Let us solve problems~40 and~60 of Pelletier~\cite{pelletier86}. (The
-backslashes~\hbox{\verb|\|\ldots\verb|\|} are an \ML{} string escape
-sequence, to break the long string over two lines.)
-\begin{ttbox}
-Goal "(EX y. ALL x. J(y,x) <-> ~J(x,x)) \ttback
-\ttback --> ~ (ALL x. EX y. ALL z. J(z,y) <-> ~ J(z,x))";
-{\out Level 0}
-{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
-{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
-{\out 1. (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
-{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
-\end{ttbox}
-\ttindex{Blast_tac} proves subgoal~1 at a stroke.
-\begin{ttbox}
-by (Blast_tac 1);
-{\out Depth = 0}
-{\out Depth = 1}
-{\out Level 1}
-{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
-{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
-{\out No subgoals!}
-\end{ttbox}
-Sceptics may examine the proof by calling the package's single-step
-tactics, such as~\texttt{step_tac}. This would take up much space, however,
-so let us proceed to the next example:
-\begin{ttbox}
-Goal "ALL x. P(x,f(x)) <-> \ttback
-\ttback (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))";
-{\out Level 0}
-{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
-{\out 1. ALL x. P(x,f(x)) <->}
-{\out (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
-\end{ttbox}
-Again, subgoal~1 succumbs immediately.
-\begin{ttbox}
-by (Blast_tac 1);
-{\out Depth = 0}
-{\out Depth = 1}
-{\out Level 1}
-{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
-{\out No subgoals!}
-\end{ttbox}
-The classical reasoner is not restricted to the usual logical connectives.
-The natural deduction rules for unions and intersections resemble those for
-disjunction and conjunction. The rules for infinite unions and
-intersections resemble those for quantifiers. Given such rules, the classical
-reasoner is effective for reasoning in set theory.
-
--- a/doc-src/Intro/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,154 +0,0 @@
-\documentclass[12pt,a4paper]{article}
-\usepackage{graphicx,iman,extra,ttbox,proof,pdfsetup}
-
-%% run bibtex intro to prepare bibliography
-%% run ../sedindex intro to prepare index file
-%prth *(\(.*\)); \1;
-%{\\out \(.*\)} {\\out val it = "\1" : thm}
-
-\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Old Introduction to Isabelle}
-\author{{\em Lawrence C. Paulson}\\
- Computer Laboratory \\ University of Cambridge \\
- \texttt{lcp@cl.cam.ac.uk}\\[3ex]
- With Contributions by Tobias Nipkow and Markus Wenzel
-}
-\makeindex
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-\sloppy
-\binperiod %%%treat . like a binary operator
-
-\newcommand\qeq{\stackrel{?}{\equiv}} %for disagreement pairs in unification
-\newcommand{\nand}{\mathbin{\lnot\&}}
-\newcommand{\xor}{\mathbin{\#}}
-
-\pagenumbering{roman}
-\begin{document}
-\pagestyle{empty}
-\begin{titlepage}
-\maketitle
-\emph{Note}: this document is part of the earlier Isabelle documentation,
-which is largely superseded by the Isabelle/HOL
-\emph{Tutorial}~\cite{isa-tutorial}. It describes the old-style theory
-syntax and shows how to conduct proofs using the
-ML top level. This style of interaction is largely obsolete:
-most Isabelle proofs are now written using the Isar
-language and the Proof General interface. However, this paper contains valuable
-information that is not available elsewhere. Its examples are based
-on first-order logic rather than higher-order logic.
-
-\thispagestyle{empty}
-\vfill
-{\small Copyright \copyright{} \number\year{} by Lawrence C. Paulson}
-\end{titlepage}
-
-\pagestyle{headings}
-\part*{Preface}
-\index{Isabelle!overview} \index{Isabelle!object-logics supported}
-Isabelle~\cite{paulson-natural,paulson-found,paulson700} is a generic theorem
-prover. It has been instantiated to support reasoning in several
-object-logics:
-\begin{itemize}
-\item first-order logic, constructive and classical versions
-\item higher-order logic, similar to that of Gordon's {\sc
-hol}~\cite{mgordon-hol}
-\item Zermelo-Fraenkel set theory~\cite{suppes72}
-\item an extensional version of Martin-L\"of's Type Theory~\cite{nordstrom90}
-\item the classical first-order sequent calculus, {\sc lk}
-\item the modal logics $T$, $S4$, and $S43$
-\item the Logic for Computable Functions~\cite{paulson87}
-\end{itemize}
-A logic's syntax and inference rules are specified declaratively; this
-allows single-step proof construction. Isabelle provides control
-structures for expressing search procedures. Isabelle also provides
-several generic tools, such as simplifiers and classical theorem provers,
-which can be applied to object-logics.
-
-Isabelle is a large system, but beginners can get by with a small
-repertoire of commands and a basic knowledge of how Isabelle works.
-The Isabelle/HOL \emph{Tutorial}~\cite{isa-tutorial} describes how to get started. Advanced Isabelle users will benefit from some
-knowledge of Standard~\ML{}, because Isabelle is written in \ML{};
-\index{ML}
-if you are prepared to writing \ML{}
-code, you can get Isabelle to do almost anything. My book
-on~\ML{}~\cite{paulson-ml2} covers much material connected with Isabelle,
-including a simple theorem prover. Users must be familiar with logic as
-used in computer science; there are many good
-texts~\cite{galton90,reeves90}.
-
-\index{LCF}
-{\sc lcf}, developed by Robin Milner and colleagues~\cite{mgordon79}, is an
-ancestor of {\sc hol}, Nuprl, and several other systems. Isabelle borrows
-ideas from {\sc lcf}: formulae are~\ML{} values; theorems belong to an
-abstract type; tactics and tacticals support backward proof. But {\sc lcf}
-represents object-level rules by functions, while Isabelle represents them
-by terms. You may find my other writings~\cite{paulson87,paulson-handbook}
-helpful in understanding the relationship between {\sc lcf} and Isabelle.
-
-\index{Isabelle!release history} Isabelle was first distributed in 1986.
-The 1987 version introduced a higher-order meta-logic with an improved
-treatment of quantifiers. The 1988 version added limited polymorphism and
-support for natural deduction. The 1989 version included a parser and
-pretty printer generator. The 1992 version introduced type classes, to
-support many-sorted and higher-order logics. The 1994 version introduced
-greater support for theories. The most important recent change is the
-introduction of the Isar proof language, thanks to Markus Wenzel.
-Isabelle is still under
-development and will continue to change.
-
-\subsubsection*{Overview}
-This manual consists of three parts. Part~I discusses the Isabelle's
-foundations. Part~II, presents simple on-line sessions, starting with
-forward proof. It also covers basic tactics and tacticals, and some
-commands for invoking them. Part~III contains further examples for users
-with a bit of experience. It explains how to derive rules define theories,
-and concludes with an extended example: a Prolog interpreter.
-
-Isabelle's Reference Manual and Object-Logics manual contain more details.
-They assume familiarity with the concepts presented here.
-
-
-\subsubsection*{Acknowledgements}
-Tobias Nipkow contributed most of the section on defining theories.
-Stefan Berghofer, Sara Kalvala and Viktor Kuncak suggested improvements.
-
-Tobias Nipkow has made immense contributions to Isabelle, including the parser
-generator, type classes, and the simplifier. Carsten Clasohm and Markus
-Wenzel made major contributions; Sonia Mahjoub and Karin Nimmermann also
-helped. Isabelle was developed using Dave Matthews's Standard~{\sc ml}
-compiler, Poly/{\sc ml}. Many people have contributed to Isabelle's standard
-object-logics, including Martin Coen, Philippe de Groote, Philippe No\"el.
-The research has been funded by the EPSRC (grants GR/G53279, GR/H40570,
-GR/K57381, GR/K77051, GR/M75440) and by ESPRIT (projects 3245: Logical
-Frameworks, and 6453: Types), and by the DFG Schwerpunktprogramm
-\emph{Deduktion}.
-
-\newpage
-\pagestyle{plain} \tableofcontents
-\newpage
-
-\newfont{\sanssi}{cmssi12}
-\vspace*{2.5cm}
-\begin{quote}
-\raggedleft
-{\sanssi
-You can only find truth with logic\\
-if you have already found truth without it.}\\
-\bigskip
-
-G.K. Chesterton, {\em The Man who was Orthodox}
-\end{quote}
-
-\clearfirst \pagestyle{headings}
-\input{foundations}
-\input{getting}
-\input{advanced}
-
-\bibliographystyle{plain} \small\raggedright\frenchspacing
-\bibliography{manual}
-
-\printindex
-\end{document}
--- a/doc-src/IsarImplementation/Base.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-theory Base
-imports Main
-begin
-
-ML_file "../antiquote_setup.ML"
-setup {* Antiquote_Setup.setup *}
-
-end
--- a/doc-src/IsarImplementation/Eq.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,85 +0,0 @@
-theory Eq
-imports Base
-begin
-
-chapter {* Equational reasoning *}
-
-text {* Equality is one of the most fundamental concepts of
- mathematics. The Isabelle/Pure logic (\chref{ch:logic}) provides a
- builtin relation @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> prop"} that expresses equality
- of arbitrary terms (or propositions) at the framework level, as
- expressed by certain basic inference rules (\secref{sec:eq-rules}).
-
- Equational reasoning means to replace equals by equals, using
- reflexivity and transitivity to form chains of replacement steps,
- and congruence rules to access sub-structures. Conversions
- (\secref{sec:conv}) provide a convenient framework to compose basic
- equational steps to build specific equational reasoning tools.
-
- Higher-order matching is able to provide suitable instantiations for
- giving equality rules, which leads to the versatile concept of
- @{text "\<lambda>"}-term rewriting (\secref{sec:rewriting}). Internally
- this is based on the general-purpose Simplifier engine of Isabelle,
- which is more specific and more efficient than plain conversions.
-
- Object-logics usually introduce specific notions of equality or
- equivalence, and relate it with the Pure equality. This enables to
- re-use the Pure tools for equational reasoning for particular
- object-logic connectives as well.
-*}
-
-
-section {* Basic equality rules \label{sec:eq-rules} *}
-
-text {* FIXME *}
-
-
-section {* Conversions \label{sec:conv} *}
-
-text {* FIXME *}
-
-
-section {* Rewriting \label{sec:rewriting} *}
-
-text {* Rewriting normalizes a given term (theorem or goal) by
- replacing instances of given equalities @{text "t \<equiv> u"} in subterms.
- Rewriting continues until no rewrites are applicable to any subterm.
- This may be used to unfold simple definitions of the form @{text "f
- x\<^sub>1 \<dots> x\<^sub>n \<equiv> u"}, but is slightly more general than that.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML rewrite_rule: "thm list -> thm -> thm"} \\
- @{index_ML rewrite_goals_rule: "thm list -> thm -> thm"} \\
- @{index_ML rewrite_goal_tac: "thm list -> int -> tactic"} \\
- @{index_ML rewrite_goals_tac: "thm list -> tactic"} \\
- @{index_ML fold_goals_tac: "thm list -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML rewrite_rule}~@{text "rules thm"} rewrites the whole
- theorem by the given rules.
-
- \item @{ML rewrite_goals_rule}~@{text "rules thm"} rewrites the
- outer premises of the given theorem. Interpreting the same as a
- goal state (\secref{sec:tactical-goals}) it means to rewrite all
- subgoals (in the same manner as @{ML rewrite_goals_tac}).
-
- \item @{ML rewrite_goal_tac}~@{text "rules i"} rewrites subgoal
- @{text "i"} by the given rewrite rules.
-
- \item @{ML rewrite_goals_tac}~@{text "rules"} rewrites all subgoals
- by the given rewrite rules.
-
- \item @{ML fold_goals_tac}~@{text "rules"} essentially uses @{ML
- rewrite_goals_tac} with the symmetric form of each member of @{text
- "rules"}, re-ordered to fold longer expression first. This supports
- to idea to fold primitive definitions that appear in expended form
- in the proof state.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarImplementation/Integration.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,307 +0,0 @@
-theory Integration
-imports Base
-begin
-
-chapter {* System integration *}
-
-section {* Isar toplevel \label{sec:isar-toplevel} *}
-
-text {* The Isar toplevel may be considered the central hub of the
- Isabelle/Isar system, where all key components and sub-systems are
- integrated into a single read-eval-print loop of Isar commands,
- which also incorporates the underlying ML compiler.
-
- Isabelle/Isar departs from the original ``LCF system architecture''
- where ML was really The Meta Language for defining theories and
- conducting proofs. Instead, ML now only serves as the
- implementation language for the system (and user extensions), while
- the specific Isar toplevel supports the concepts of theory and proof
- development natively. This includes the graph structure of theories
- and the block structure of proofs, support for unlimited undo,
- facilities for tracing, debugging, timing, profiling etc.
-
- \medskip The toplevel maintains an implicit state, which is
- transformed by a sequence of transitions -- either interactively or
- in batch-mode. In interactive mode, Isar state transitions are
- encapsulated as safe transactions, such that both failure and undo
- are handled conveniently without destroying the underlying draft
- theory (cf.~\secref{sec:context-theory}). In batch mode,
- transitions operate in a linear (destructive) fashion, such that
- error conditions abort the present attempt to construct a theory or
- proof altogether.
-
- The toplevel state is a disjoint sum of empty @{text toplevel}, or
- @{text theory}, or @{text proof}. On entering the main Isar loop we
- start with an empty toplevel. A theory is commenced by giving a
- @{text \<THEORY>} header; within a theory we may issue theory
- commands such as @{text \<DEFINITION>}, or state a @{text
- \<THEOREM>} to be proven. Now we are within a proof state, with a
- rich collection of Isar proof commands for structured proof
- composition, or unstructured proof scripts. When the proof is
- concluded we get back to the theory, which is then updated by
- storing the resulting fact. Further theory declarations or theorem
- statements with proofs may follow, until we eventually conclude the
- theory development by issuing @{text \<END>}. The resulting theory
- is then stored within the theory database and we are back to the
- empty toplevel.
-
- In addition to these proper state transformations, there are also
- some diagnostic commands for peeking at the toplevel state without
- modifying it (e.g.\ \isakeyword{thm}, \isakeyword{term},
- \isakeyword{print-cases}).
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Toplevel.state} \\
- @{index_ML Toplevel.UNDEF: "exn"} \\
- @{index_ML Toplevel.is_toplevel: "Toplevel.state -> bool"} \\
- @{index_ML Toplevel.theory_of: "Toplevel.state -> theory"} \\
- @{index_ML Toplevel.proof_of: "Toplevel.state -> Proof.state"} \\
- @{index_ML Toplevel.debug: "bool Unsynchronized.ref"} \\
- @{index_ML Toplevel.timing: "bool Unsynchronized.ref"} \\
- @{index_ML Toplevel.profiling: "int Unsynchronized.ref"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Toplevel.state} represents Isar toplevel
- states, which are normally manipulated through the concept of
- toplevel transitions only (\secref{sec:toplevel-transition}). Also
- note that a raw toplevel state is subject to the same linearity
- restrictions as a theory context (cf.~\secref{sec:context-theory}).
-
- \item @{ML Toplevel.UNDEF} is raised for undefined toplevel
- operations. Many operations work only partially for certain cases,
- since @{ML_type Toplevel.state} is a sum type.
-
- \item @{ML Toplevel.is_toplevel}~@{text "state"} checks for an empty
- toplevel state.
-
- \item @{ML Toplevel.theory_of}~@{text "state"} selects the
- background theory of @{text "state"}, raises @{ML Toplevel.UNDEF}
- for an empty toplevel state.
-
- \item @{ML Toplevel.proof_of}~@{text "state"} selects the Isar proof
- state if available, otherwise raises @{ML Toplevel.UNDEF}.
-
- \item @{ML "Toplevel.debug := true"} makes the toplevel print further
- details about internal error conditions, exceptions being raised
- etc.
-
- \item @{ML "Toplevel.timing := true"} makes the toplevel print timing
- information for each Isar command being executed.
-
- \item @{ML Toplevel.profiling}~@{ML_text ":="}~@{text "n"} controls
- low-level profiling of the underlying ML runtime system. For
- Poly/ML, @{text "n = 1"} means time and @{text "n = 2"} space
- profiling.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "Isar.state"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{text "@{Isar.state}"} refers to Isar toplevel state at that
- point --- as abstract value.
-
- This only works for diagnostic ML commands, such as @{command
- ML_val} or @{command ML_command}.
-
- \end{description}
-*}
-
-
-subsection {* Toplevel transitions \label{sec:toplevel-transition} *}
-
-text {*
- An Isar toplevel transition consists of a partial function on the
- toplevel state, with additional information for diagnostics and
- error reporting: there are fields for command name, source position,
- optional source text, as well as flags for interactive-only commands
- (which issue a warning in batch-mode), printing of result state,
- etc.
-
- The operational part is represented as the sequential union of a
- list of partial functions, which are tried in turn until the first
- one succeeds. This acts like an outer case-expression for various
- alternative state transitions. For example, \isakeyword{qed} works
- differently for a local proofs vs.\ the global ending of the main
- proof.
-
- Toplevel transitions are composed via transition transformers.
- Internally, Isar commands are put together from an empty transition
- extended by name and source position. It is then left to the
- individual command parser to turn the given concrete syntax into a
- suitable transition transformer that adjoins actual operations on a
- theory or proof state etc.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Toplevel.print: "Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.no_timing: "Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.keep: "(Toplevel.state -> unit) ->
- Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.theory: "(theory -> theory) ->
- Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.theory_to_proof: "(theory -> Proof.state) ->
- Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.proof: "(Proof.state -> Proof.state) ->
- Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.proofs: "(Proof.state -> Proof.state Seq.seq) ->
- Toplevel.transition -> Toplevel.transition"} \\
- @{index_ML Toplevel.end_proof: "(bool -> Proof.state -> Proof.context) ->
- Toplevel.transition -> Toplevel.transition"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Toplevel.print}~@{text "tr"} sets the print flag, which
- causes the toplevel loop to echo the result state (in interactive
- mode).
-
- \item @{ML Toplevel.no_timing}~@{text "tr"} indicates that the
- transition should never show timing information, e.g.\ because it is
- a diagnostic command.
-
- \item @{ML Toplevel.keep}~@{text "tr"} adjoins a diagnostic
- function.
-
- \item @{ML Toplevel.theory}~@{text "tr"} adjoins a theory
- transformer.
-
- \item @{ML Toplevel.theory_to_proof}~@{text "tr"} adjoins a global
- goal function, which turns a theory into a proof state. The theory
- may be changed before entering the proof; the generic Isar goal
- setup includes an argument that specifies how to apply the proven
- result to the theory, when the proof is finished.
-
- \item @{ML Toplevel.proof}~@{text "tr"} adjoins a deterministic
- proof command, with a singleton result.
-
- \item @{ML Toplevel.proofs}~@{text "tr"} adjoins a general proof
- command, with zero or more result states (represented as a lazy
- list).
-
- \item @{ML Toplevel.end_proof}~@{text "tr"} adjoins a concluding
- proof command, that returns the resulting theory, after storing the
- resulting facts in the context etc.
-
- \end{description}
-*}
-
-
-section {* Theory database \label{sec:theory-database} *}
-
-text {*
- The theory database maintains a collection of theories, together
- with some administrative information about their original sources,
- which are held in an external store (i.e.\ some directory within the
- regular file system).
-
- The theory database is organized as a directed acyclic graph;
- entries are referenced by theory name. Although some additional
- interfaces allow to include a directory specification as well, this
- is only a hint to the underlying theory loader. The internal theory
- name space is flat!
-
- Theory @{text A} is associated with the main theory file @{text
- A}\verb,.thy,, which needs to be accessible through the theory
- loader path. Any number of additional ML source files may be
- associated with each theory, by declaring these dependencies in the
- theory header as @{text \<USES>}, and loading them consecutively
- within the theory context. The system keeps track of incoming ML
- sources and associates them with the current theory.
-
- The basic internal actions of the theory database are @{text
- "update"} and @{text "remove"}:
-
- \begin{itemize}
-
- \item @{text "update A"} introduces a link of @{text "A"} with a
- @{text "theory"} value of the same name; it asserts that the theory
- sources are now consistent with that value;
-
- \item @{text "remove A"} deletes entry @{text "A"} from the theory
- database.
-
- \end{itemize}
-
- These actions are propagated to sub- or super-graphs of a theory
- entry as expected, in order to preserve global consistency of the
- state of all loaded theories with the sources of the external store.
- This implies certain causalities between actions: @{text "update"}
- or @{text "remove"} of an entry will @{text "remove"} all
- descendants.
-
- \medskip There are separate user-level interfaces to operate on the
- theory database directly or indirectly. The primitive actions then
- just happen automatically while working with the system. In
- particular, processing a theory header @{text "\<THEORY> A
- \<IMPORTS> B\<^sub>1 \<dots> B\<^sub>n \<BEGIN>"} ensures that the
- sub-graph of the collective imports @{text "B\<^sub>1 \<dots> B\<^sub>n"}
- is up-to-date, too. Earlier theories are reloaded as required, with
- @{text update} actions proceeding in topological order according to
- theory dependencies. There may be also a wave of implied @{text
- remove} actions for derived theory nodes until a stable situation
- is achieved eventually.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML use_thy: "string -> unit"} \\
- @{index_ML use_thys: "string list -> unit"} \\
- @{index_ML Thy_Info.get_theory: "string -> theory"} \\
- @{index_ML Thy_Info.remove_thy: "string -> unit"} \\[1ex]
- @{index_ML Thy_Info.register_thy: "theory -> unit"} \\[1ex]
- @{ML_text "datatype action = Update | Remove"} \\
- @{index_ML Thy_Info.add_hook: "(Thy_Info.action -> string -> unit) -> unit"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML use_thy}~@{text A} ensures that theory @{text A} is fully
- up-to-date wrt.\ the external file store, reloading outdated
- ancestors as required. In batch mode, the simultaneous @{ML
- use_thys} should be used exclusively.
-
- \item @{ML use_thys} is similar to @{ML use_thy}, but handles
- several theories simultaneously. Thus it acts like processing the
- import header of a theory, without performing the merge of the
- result. By loading a whole sub-graph of theories like that, the
- intrinsic parallelism can be exploited by the system, to speedup
- loading.
-
- \item @{ML Thy_Info.get_theory}~@{text A} retrieves the theory value
- presently associated with name @{text A}. Note that the result
- might be outdated.
-
- \item @{ML Thy_Info.remove_thy}~@{text A} deletes theory @{text A} and all
- descendants from the theory database.
-
- \item @{ML Thy_Info.register_thy}~@{text "text thy"} registers an
- existing theory value with the theory loader database and updates
- source version information according to the current file-system
- state.
-
- \item @{ML "Thy_Info.add_hook"}~@{text f} registers function @{text
- f} as a hook for theory database actions. The function will be
- invoked with the action and theory name being involved; thus derived
- actions may be performed in associated system components, e.g.\
- maintaining the state of an editor for the theory sources.
-
- The kind and order of actions occurring in practice depends both on
- user interactions and the internal process of resolving theory
- imports. Hooks should not rely on a particular policy here! Any
- exceptions raised by the hook are ignored.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarImplementation/Isar.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,584 +0,0 @@
-theory Isar
-imports Base
-begin
-
-chapter {* Isar language elements *}
-
-text {* The Isar proof language (see also
- \cite[\S2]{isabelle-isar-ref}) consists of three main categories of
- language elements as follows.
-
- \begin{enumerate}
-
- \item Proof \emph{commands} define the primary language of
- transactions of the underlying Isar/VM interpreter. Typical
- examples are @{command "fix"}, @{command "assume"}, @{command
- "show"}, @{command "proof"}, and @{command "qed"}.
-
- Composing proof commands according to the rules of the Isar/VM leads
- to expressions of structured proof text, such that both the machine
- and the human reader can give it a meaning as formal reasoning.
-
- \item Proof \emph{methods} define a secondary language of mixed
- forward-backward refinement steps involving facts and goals.
- Typical examples are @{method rule}, @{method unfold}, and @{method
- simp}.
-
- Methods can occur in certain well-defined parts of the Isar proof
- language, say as arguments to @{command "proof"}, @{command "qed"},
- or @{command "by"}.
-
- \item \emph{Attributes} define a tertiary language of small
- annotations to theorems being defined or referenced. Attributes can
- modify both the context and the theorem.
-
- Typical examples are @{attribute intro} (which affects the context),
- and @{attribute symmetric} (which affects the theorem).
-
- \end{enumerate}
-*}
-
-
-section {* Proof commands *}
-
-text {* A \emph{proof command} is state transition of the Isar/VM
- proof interpreter.
-
- In principle, Isar proof commands could be defined in user-space as
- well. The system is built like that in the first place: one part of
- the commands are primitive, the other part is defined as derived
- elements. Adding to the genuine structured proof language requires
- profound understanding of the Isar/VM machinery, though, so this is
- beyond the scope of this manual.
-
- What can be done realistically is to define some diagnostic commands
- that inspect the general state of the Isar/VM, and report some
- feedback to the user. Typically this involves checking of the
- linguistic \emph{mode} of a proof state, or peeking at the pending
- goals (if available).
-
- Another common application is to define a toplevel command that
- poses a problem to the user as Isar proof state and processes the
- final result relatively to the context. Thus a proof can be
- incorporated into the context of some user-space tool, without
- modifying the Isar proof language itself. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Proof.state} \\
- @{index_ML Proof.assert_forward: "Proof.state -> Proof.state"} \\
- @{index_ML Proof.assert_chain: "Proof.state -> Proof.state"} \\
- @{index_ML Proof.assert_backward: "Proof.state -> Proof.state"} \\
- @{index_ML Proof.simple_goal: "Proof.state -> {context: Proof.context, goal: thm}"} \\
- @{index_ML Proof.goal: "Proof.state ->
- {context: Proof.context, facts: thm list, goal: thm}"} \\
- @{index_ML Proof.raw_goal: "Proof.state ->
- {context: Proof.context, facts: thm list, goal: thm}"} \\
- @{index_ML Proof.theorem: "Method.text option ->
- (thm list list -> Proof.context -> Proof.context) ->
- (term * term list) list list -> Proof.context -> Proof.state"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Proof.state} represents Isar proof states.
- This is a block-structured configuration with proof context,
- linguistic mode, and optional goal. The latter consists of goal
- context, goal facts (``@{text "using"}''), and tactical goal state
- (see \secref{sec:tactical-goals}).
-
- The general idea is that the facts shall contribute to the
- refinement of some parts of the tactical goal --- how exactly is
- defined by the proof method that is applied in that situation.
-
- \item @{ML Proof.assert_forward}, @{ML Proof.assert_chain}, @{ML
- Proof.assert_backward} are partial identity functions that fail
- unless a certain linguistic mode is active, namely ``@{text
- "proof(state)"}'', ``@{text "proof(chain)"}'', ``@{text
- "proof(prove)"}'', respectively (using the terminology of
- \cite{isabelle-isar-ref}).
-
- It is advisable study the implementations of existing proof commands
- for suitable modes to be asserted.
-
- \item @{ML Proof.simple_goal}~@{text "state"} returns the structured
- Isar goal (if available) in the form seen by ``simple'' methods
- (like @{method simp} or @{method blast}). The Isar goal facts are
- already inserted as premises into the subgoals, which are presented
- individually as in @{ML Proof.goal}.
-
- \item @{ML Proof.goal}~@{text "state"} returns the structured Isar
- goal (if available) in the form seen by regular methods (like
- @{method rule}). The auxiliary internal encoding of Pure
- conjunctions is split into individual subgoals as usual.
-
- \item @{ML Proof.raw_goal}~@{text "state"} returns the structured
- Isar goal (if available) in the raw internal form seen by ``raw''
- methods (like @{method induct}). This form is rarely appropriate
- for dignostic tools; @{ML Proof.simple_goal} or @{ML Proof.goal}
- should be used in most situations.
-
- \item @{ML Proof.theorem}~@{text "before_qed after_qed statement ctxt"}
- initializes a toplevel Isar proof state within a given context.
-
- The optional @{text "before_qed"} method is applied at the end of
- the proof, just before extracting the result (this feature is rarely
- used).
-
- The @{text "after_qed"} continuation receives the extracted result
- in order to apply it to the final context in a suitable way (e.g.\
- storing named facts). Note that at this generic level the target
- context is specified as @{ML_type Proof.context}, but the usual
- wrapping of toplevel proofs into command transactions will provide a
- @{ML_type local_theory} here (\chref{ch:local-theory}). This
- affects the way how results are stored.
-
- The @{text "statement"} is given as a nested list of terms, each
- associated with optional @{keyword "is"} patterns as usual in the
- Isar source language. The original nested list structure over terms
- is turned into one over theorems when @{text "after_qed"} is
- invoked.
-
- \end{description}
-*}
-
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "Isar.goal"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{text "@{Isar.goal}"} refers to the regular goal state (if
- available) of the current proof state managed by the Isar toplevel
- --- as abstract value.
-
- This only works for diagnostic ML commands, such as @{command
- ML_val} or @{command ML_command}.
-
- \end{description}
-*}
-
-text %mlex {* The following example peeks at a certain goal configuration. *}
-
-notepad
-begin
- have A and B and C
- ML_val {*
- val n = Thm.nprems_of (#goal @{Isar.goal});
- @{assert} (n = 3);
- *}
- oops
-
-text {* Here we see 3 individual subgoals in the same way as regular
- proof methods would do. *}
-
-
-section {* Proof methods *}
-
-text {* A @{text "method"} is a function @{text "context \<rightarrow> thm\<^sup>* \<rightarrow> goal
- \<rightarrow> (cases \<times> goal)\<^sup>*\<^sup>*"} that operates on the full Isar goal
- configuration with context, goal facts, and tactical goal state and
- enumerates possible follow-up goal states, with the potential
- addition of named extensions of the proof context (\emph{cases}).
- The latter feature is rarely used.
-
- This means a proof method is like a structurally enhanced tactic
- (cf.\ \secref{sec:tactics}). The well-formedness conditions for
- tactics need to hold for methods accordingly, with the following
- additions.
-
- \begin{itemize}
-
- \item Goal addressing is further limited either to operate either
- uniformly on \emph{all} subgoals, or specifically on the
- \emph{first} subgoal.
-
- Exception: old-style tactic emulations that are embedded into the
- method space, e.g.\ @{method rule_tac}.
-
- \item A non-trivial method always needs to make progress: an
- identical follow-up goal state has to be avoided.\footnote{This
- enables the user to write method expressions like @{text "meth\<^sup>+"}
- without looping, while the trivial do-nothing case can be recovered
- via @{text "meth\<^sup>?"}.}
-
- Exception: trivial stuttering steps, such as ``@{method -}'' or
- @{method succeed}.
-
- \item Goal facts passed to the method must not be ignored. If there
- is no sensible use of facts outside the goal state, facts should be
- inserted into the subgoals that are addressed by the method.
-
- \end{itemize}
-
- \medskip Syntactically, the language of proof methods appears as
- arguments to Isar commands like @{command "by"} or @{command apply}.
- User-space additions are reasonably easy by plugging suitable
- method-valued parser functions into the framework, using the
- @{command method_setup} command, for example.
-
- To get a better idea about the range of possibilities, consider the
- following Isar proof schemes. This is the general form of
- structured proof text:
-
- \medskip
- \begin{tabular}{l}
- @{command from}~@{text "facts\<^sub>1"}~@{command have}~@{text "props"}~@{command using}~@{text "facts\<^sub>2"} \\
- @{command proof}~@{text "(initial_method)"} \\
- \quad@{text "body"} \\
- @{command qed}~@{text "(terminal_method)"} \\
- \end{tabular}
- \medskip
-
- The goal configuration consists of @{text "facts\<^sub>1"} and
- @{text "facts\<^sub>2"} appended in that order, and various @{text
- "props"} being claimed. The @{text "initial_method"} is invoked
- with facts and goals together and refines the problem to something
- that is handled recursively in the proof @{text "body"}. The @{text
- "terminal_method"} has another chance to finish any remaining
- subgoals, but it does not see the facts of the initial step.
-
- \medskip This pattern illustrates unstructured proof scripts:
-
- \medskip
- \begin{tabular}{l}
- @{command have}~@{text "props"} \\
- \quad@{command using}~@{text "facts\<^sub>1"}~@{command apply}~@{text "method\<^sub>1"} \\
- \quad@{command apply}~@{text "method\<^sub>2"} \\
- \quad@{command using}~@{text "facts\<^sub>3"}~@{command apply}~@{text "method\<^sub>3"} \\
- \quad@{command done} \\
- \end{tabular}
- \medskip
-
- The @{text "method\<^sub>1"} operates on the original claim while
- using @{text "facts\<^sub>1"}. Since the @{command apply} command
- structurally resets the facts, the @{text "method\<^sub>2"} will
- operate on the remaining goal state without facts. The @{text
- "method\<^sub>3"} will see again a collection of @{text
- "facts\<^sub>3"} that has been inserted into the script explicitly.
-
- \medskip Empirically, any Isar proof method can be categorized as
- follows.
-
- \begin{enumerate}
-
- \item \emph{Special method with cases} with named context additions
- associated with the follow-up goal state.
-
- Example: @{method "induct"}, which is also a ``raw'' method since it
- operates on the internal representation of simultaneous claims as
- Pure conjunction (\secref{sec:logic-aux}), instead of separate
- subgoals (\secref{sec:tactical-goals}).
-
- \item \emph{Structured method} with strong emphasis on facts outside
- the goal state.
-
- Example: @{method "rule"}, which captures the key ideas behind
- structured reasoning in Isar in purest form.
-
- \item \emph{Simple method} with weaker emphasis on facts, which are
- inserted into subgoals to emulate old-style tactical as
- ``premises''.
-
- Examples: @{method "simp"}, @{method "blast"}, @{method "auto"}.
-
- \item \emph{Old-style tactic emulation} with detailed numeric goal
- addressing and explicit references to entities of the internal goal
- state (which are otherwise invisible from proper Isar proof text).
- The naming convention @{text "foo_tac"} makes this special
- non-standard status clear.
-
- Example: @{method "rule_tac"}.
-
- \end{enumerate}
-
- When implementing proof methods, it is advisable to study existing
- implementations carefully and imitate the typical ``boiler plate''
- for context-sensitive parsing and further combinators to wrap-up
- tactic expressions as methods.\footnote{Aliases or abbreviations of
- the standard method combinators should be avoided. Note that from
- Isabelle99 until Isabelle2009 the system did provide various odd
- combinations of method wrappers that made user applications more
- complicated than necessary.}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Proof.method} \\
- @{index_ML METHOD_CASES: "(thm list -> cases_tactic) -> Proof.method"} \\
- @{index_ML METHOD: "(thm list -> tactic) -> Proof.method"} \\
- @{index_ML SIMPLE_METHOD: "tactic -> Proof.method"} \\
- @{index_ML SIMPLE_METHOD': "(int -> tactic) -> Proof.method"} \\
- @{index_ML Method.insert_tac: "thm list -> int -> tactic"} \\
- @{index_ML Method.setup: "binding -> (Proof.context -> Proof.method) context_parser ->
- string -> theory -> theory"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Proof.method} represents proof methods as
- abstract type.
-
- \item @{ML METHOD_CASES}~@{text "(fn facts => cases_tactic)"} wraps
- @{text cases_tactic} depending on goal facts as proof method with
- cases; the goal context is passed via method syntax.
-
- \item @{ML METHOD}~@{text "(fn facts => tactic)"} wraps @{text
- tactic} depending on goal facts as regular proof method; the goal
- context is passed via method syntax.
-
- \item @{ML SIMPLE_METHOD}~@{text "tactic"} wraps a tactic that
- addresses all subgoals uniformly as simple proof method. Goal facts
- are already inserted into all subgoals before @{text "tactic"} is
- applied.
-
- \item @{ML SIMPLE_METHOD'}~@{text "tactic"} wraps a tactic that
- addresses a specific subgoal as simple proof method that operates on
- subgoal 1. Goal facts are inserted into the subgoal then the @{text
- "tactic"} is applied.
-
- \item @{ML Method.insert_tac}~@{text "facts i"} inserts @{text
- "facts"} into subgoal @{text "i"}. This is convenient to reproduce
- part of the @{ML SIMPLE_METHOD} or @{ML SIMPLE_METHOD'} wrapping
- within regular @{ML METHOD}, for example.
-
- \item @{ML Method.setup}~@{text "name parser description"} provides
- the functionality of the Isar command @{command method_setup} as ML
- function.
-
- \end{description}
-*}
-
-text %mlex {* See also @{command method_setup} in
- \cite{isabelle-isar-ref} which includes some abstract examples.
-
- \medskip The following toy examples illustrate how the goal facts
- and state are passed to proof methods. The pre-defined proof method
- called ``@{method tactic}'' wraps ML source of type @{ML_type
- tactic} (abstracted over @{ML_text facts}). This allows immediate
- experimentation without parsing of concrete syntax. *}
-
-notepad
-begin
- assume a: A and b: B
-
- have "A \<and> B"
- apply (tactic {* rtac @{thm conjI} 1 *})
- using a apply (tactic {* resolve_tac facts 1 *})
- using b apply (tactic {* resolve_tac facts 1 *})
- done
-
- have "A \<and> B"
- using a and b
- ML_val "@{Isar.goal}"
- apply (tactic {* Method.insert_tac facts 1 *})
- apply (tactic {* (rtac @{thm conjI} THEN_ALL_NEW atac) 1 *})
- done
-end
-
-text {* \medskip The next example implements a method that simplifies
- the first subgoal by rewrite rules given as arguments. *}
-
-method_setup my_simp = {*
- Attrib.thms >> (fn thms => fn ctxt =>
- SIMPLE_METHOD' (fn i =>
- CHANGED (asm_full_simp_tac
- (HOL_basic_ss addsimps thms) i)))
-*} "rewrite subgoal by given rules"
-
-text {* The concrete syntax wrapping of @{command method_setup} always
- passes-through the proof context at the end of parsing, but it is
- not used in this example.
-
- The @{ML Attrib.thms} parser produces a list of theorems from the
- usual Isar syntax involving attribute expressions etc.\ (syntax
- category @{syntax thmrefs}) \cite{isabelle-isar-ref}. The resulting
- @{ML_text thms} are added to @{ML HOL_basic_ss} which already
- contains the basic Simplifier setup for HOL.
-
- The tactic @{ML asm_full_simp_tac} is the one that is also used in
- method @{method simp} by default. The extra wrapping by the @{ML
- CHANGED} tactical ensures progress of simplification: identical goal
- states are filtered out explicitly to make the raw tactic conform to
- standard Isar method behaviour.
-
- \medskip Method @{method my_simp} can be used in Isar proofs like
- this:
-*}
-
-notepad
-begin
- fix a b c
- assume a: "a = b"
- assume b: "b = c"
- have "a = c" by (my_simp a b)
-end
-
-text {* Here is a similar method that operates on all subgoals,
- instead of just the first one. *}
-
-method_setup my_simp_all = {*
- Attrib.thms >> (fn thms => fn ctxt =>
- SIMPLE_METHOD
- (CHANGED
- (ALLGOALS (asm_full_simp_tac
- (HOL_basic_ss addsimps thms)))))
-*} "rewrite all subgoals by given rules"
-
-notepad
-begin
- fix a b c
- assume a: "a = b"
- assume b: "b = c"
- have "a = c" and "c = b" by (my_simp_all a b)
-end
-
-text {* \medskip Apart from explicit arguments, common proof methods
- typically work with a default configuration provided by the context.
- As a shortcut to rule management we use a cheap solution via functor
- @{ML_functor Named_Thms} (see also @{file
- "~~/src/Pure/Tools/named_thms.ML"}). *}
-
-ML {*
- structure My_Simps =
- Named_Thms
- (val name = @{binding my_simp} val description = "my_simp rule")
-*}
-setup My_Simps.setup
-
-text {* This provides ML access to a list of theorems in canonical
- declaration order via @{ML My_Simps.get}. The user can add or
- delete rules via the attribute @{attribute my_simp}. The actual
- proof method is now defined as before, but we append the explicit
- arguments and the rules from the context. *}
-
-method_setup my_simp' = {*
- Attrib.thms >> (fn thms => fn ctxt =>
- SIMPLE_METHOD' (fn i =>
- CHANGED (asm_full_simp_tac
- (HOL_basic_ss addsimps (thms @ My_Simps.get ctxt)) i)))
-*} "rewrite subgoal by given rules and my_simp rules from the context"
-
-text {*
- \medskip Method @{method my_simp'} can be used in Isar proofs
- like this:
-*}
-
-notepad
-begin
- fix a b c
- assume [my_simp]: "a \<equiv> b"
- assume [my_simp]: "b \<equiv> c"
- have "a \<equiv> c" by my_simp'
-end
-
-text {* \medskip The @{method my_simp} variants defined above are
- ``simple'' methods, i.e.\ the goal facts are merely inserted as goal
- premises by the @{ML SIMPLE_METHOD'} or @{ML SIMPLE_METHOD} wrapper.
- For proof methods that are similar to the standard collection of
- @{method simp}, @{method blast}, @{method fast}, @{method auto}
- there is little more that can be done.
-
- Note that using the primary goal facts in the same manner as the
- method arguments obtained via concrete syntax or the context does
- not meet the requirement of ``strong emphasis on facts'' of regular
- proof methods, because rewrite rules as used above can be easily
- ignored. A proof text ``@{command using}~@{text "foo"}~@{command
- "by"}~@{text "my_simp"}'' where @{text "foo"} is not used would
- deceive the reader.
-
- \medskip The technical treatment of rules from the context requires
- further attention. Above we rebuild a fresh @{ML_type simpset} from
- the arguments and \emph{all} rules retrieved from the context on
- every invocation of the method. This does not scale to really large
- collections of rules, which easily emerges in the context of a big
- theory library, for example.
-
- This is an inherent limitation of the simplistic rule management via
- functor @{ML_functor Named_Thms}, because it lacks tool-specific
- storage and retrieval. More realistic applications require
- efficient index-structures that organize theorems in a customized
- manner, such as a discrimination net that is indexed by the
- left-hand sides of rewrite rules. For variations on the Simplifier,
- re-use of the existing type @{ML_type simpset} is adequate, but
- scalability would require it be maintained statically within the
- context data, not dynamically on each tool invocation. *}
-
-
-section {* Attributes \label{sec:attributes} *}
-
-text {* An \emph{attribute} is a function @{text "context \<times> thm \<rightarrow>
- context \<times> thm"}, which means both a (generic) context and a theorem
- can be modified simultaneously. In practice this mixed form is very
- rare, instead attributes are presented either as \emph{declaration
- attribute:} @{text "thm \<rightarrow> context \<rightarrow> context"} or \emph{rule
- attribute:} @{text "context \<rightarrow> thm \<rightarrow> thm"}.
-
- Attributes can have additional arguments via concrete syntax. There
- is a collection of context-sensitive parsers for various logical
- entities (types, terms, theorems). These already take care of
- applying morphisms to the arguments when attribute expressions are
- moved into a different context (see also \secref{sec:morphisms}).
-
- When implementing declaration attributes, it is important to operate
- exactly on the variant of the generic context that is provided by
- the system, which is either global theory context or local proof
- context. In particular, the background theory of a local context
- must not be modified in this situation! *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type attribute} \\
- @{index_ML Thm.rule_attribute: "(Context.generic -> thm -> thm) -> attribute"} \\
- @{index_ML Thm.declaration_attribute: "
- (thm -> Context.generic -> Context.generic) -> attribute"} \\
- @{index_ML Attrib.setup: "binding -> attribute context_parser ->
- string -> theory -> theory"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type attribute} represents attributes as concrete
- type alias.
-
- \item @{ML Thm.rule_attribute}~@{text "(fn context => rule)"} wraps
- a context-dependent rule (mapping on @{ML_type thm}) as attribute.
-
- \item @{ML Thm.declaration_attribute}~@{text "(fn thm => decl)"}
- wraps a theorem-dependent declaration (mapping on @{ML_type
- Context.generic}) as attribute.
-
- \item @{ML Attrib.setup}~@{text "name parser description"} provides
- the functionality of the Isar command @{command attribute_setup} as
- ML function.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def attributes} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation attributes} attributes
- "}
-
- \begin{description}
-
- \item @{text "@{attributes [\<dots>]}"} embeds attribute source
- representation into the ML text, which is particularly useful with
- declarations like @{ML Local_Theory.note}. Attribute names are
- internalized at compile time, but the source is unevaluated. This
- means attributes with formal arguments (types, terms, theorems) may
- be subject to odd effects of dynamic scoping!
-
- \end{description}
-*}
-
-text %mlex {* See also @{command attribute_setup} in
- \cite{isabelle-isar-ref} which includes some abstract examples. *}
-
-end
--- a/doc-src/IsarImplementation/Local_Theory.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,167 +0,0 @@
-theory Local_Theory
-imports Base
-begin
-
-chapter {* Local theory specifications \label{ch:local-theory} *}
-
-text {*
- A \emph{local theory} combines aspects of both theory and proof
- context (cf.\ \secref{sec:context}), such that definitional
- specifications may be given relatively to parameters and
- assumptions. A local theory is represented as a regular proof
- context, augmented by administrative data about the \emph{target
- context}.
-
- The target is usually derived from the background theory by adding
- local @{text "\<FIX>"} and @{text "\<ASSUME>"} elements, plus
- suitable modifications of non-logical context data (e.g.\ a special
- type-checking discipline). Once initialized, the target is ready to
- absorb definitional primitives: @{text "\<DEFINE>"} for terms and
- @{text "\<NOTE>"} for theorems. Such definitions may get
- transformed in a target-specific way, but the programming interface
- hides such details.
-
- Isabelle/Pure provides target mechanisms for locales, type-classes,
- type-class instantiations, and general overloading. In principle,
- users can implement new targets as well, but this rather arcane
- discipline is beyond the scope of this manual. In contrast,
- implementing derived definitional packages to be used within a local
- theory context is quite easy: the interfaces are even simpler and
- more abstract than the underlying primitives for raw theories.
-
- Many definitional packages for local theories are available in
- Isabelle. Although a few old packages only work for global
- theories, the standard way of implementing definitional packages in
- Isabelle is via the local theory interface.
-*}
-
-
-section {* Definitional elements *}
-
-text {*
- There are separate elements @{text "\<DEFINE> c \<equiv> t"} for terms, and
- @{text "\<NOTE> b = thm"} for theorems. Types are treated
- implicitly, according to Hindley-Milner discipline (cf.\
- \secref{sec:variables}). These definitional primitives essentially
- act like @{text "let"}-bindings within a local context that may
- already contain earlier @{text "let"}-bindings and some initial
- @{text "\<lambda>"}-bindings. Thus we gain \emph{dependent definitions}
- that are relative to an initial axiomatic context. The following
- diagram illustrates this idea of axiomatic elements versus
- definitional elements:
-
- \begin{center}
- \begin{tabular}{|l|l|l|}
- \hline
- & @{text "\<lambda>"}-binding & @{text "let"}-binding \\
- \hline
- types & fixed @{text "\<alpha>"} & arbitrary @{text "\<beta>"} \\
- terms & @{text "\<FIX> x :: \<tau>"} & @{text "\<DEFINE> c \<equiv> t"} \\
- theorems & @{text "\<ASSUME> a: A"} & @{text "\<NOTE> b = \<^BG>B\<^EN>"} \\
- \hline
- \end{tabular}
- \end{center}
-
- A user package merely needs to produce suitable @{text "\<DEFINE>"}
- and @{text "\<NOTE>"} elements according to the application. For
- example, a package for inductive definitions might first @{text
- "\<DEFINE>"} a certain predicate as some fixed-point construction,
- then @{text "\<NOTE>"} a proven result about monotonicity of the
- functor involved here, and then produce further derived concepts via
- additional @{text "\<DEFINE>"} and @{text "\<NOTE>"} elements.
-
- The cumulative sequence of @{text "\<DEFINE>"} and @{text "\<NOTE>"}
- produced at package runtime is managed by the local theory
- infrastructure by means of an \emph{auxiliary context}. Thus the
- system holds up the impression of working within a fully abstract
- situation with hypothetical entities: @{text "\<DEFINE> c \<equiv> t"}
- always results in a literal fact @{text "\<^BG>c \<equiv> t\<^EN>"}, where
- @{text "c"} is a fixed variable @{text "c"}. The details about
- global constants, name spaces etc. are handled internally.
-
- So the general structure of a local theory is a sandwich of three
- layers:
-
- \begin{center}
- \framebox{\quad auxiliary context \quad\framebox{\quad target context \quad\framebox{\quad background theory\quad}}}
- \end{center}
-
- When a definitional package is finished, the auxiliary context is
- reset to the target context. The target now holds definitions for
- terms and theorems that stem from the hypothetical @{text
- "\<DEFINE>"} and @{text "\<NOTE>"} elements, transformed by the
- particular target policy (see \cite[\S4--5]{Haftmann-Wenzel:2009}
- for details). *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type local_theory: Proof.context} \\
- @{index_ML Named_Target.init: "(local_theory -> local_theory) ->
- string -> theory -> local_theory"} \\[1ex]
- @{index_ML Local_Theory.define: "(binding * mixfix) * (Attrib.binding * term) ->
- local_theory -> (term * (string * thm)) * local_theory"} \\
- @{index_ML Local_Theory.note: "Attrib.binding * thm list ->
- local_theory -> (string * thm list) * local_theory"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type local_theory} represents local theories.
- Although this is merely an alias for @{ML_type Proof.context}, it is
- semantically a subtype of the same: a @{ML_type local_theory} holds
- target information as special context data. Subtyping means that
- any value @{text "lthy:"}~@{ML_type local_theory} can be also used
- with operations on expecting a regular @{text "ctxt:"}~@{ML_type
- Proof.context}.
-
- \item @{ML Named_Target.init}~@{text "before_exit name thy"}
- initializes a local theory derived from the given background theory.
- An empty name refers to a \emph{global theory} context, and a
- non-empty name refers to a @{command locale} or @{command class}
- context (a fully-qualified internal name is expected here). This is
- useful for experimentation --- normally the Isar toplevel already
- takes care to initialize the local theory context. The given @{text
- "before_exit"} function is invoked before leaving the context; in
- most situations plain identity @{ML I} is sufficient.
-
- \item @{ML Local_Theory.define}~@{text "((b, mx), (a, rhs))
- lthy"} defines a local entity according to the specification that is
- given relatively to the current @{text "lthy"} context. In
- particular the term of the RHS may refer to earlier local entities
- from the auxiliary context, or hypothetical parameters from the
- target context. The result is the newly defined term (which is
- always a fixed variable with exactly the same name as specified for
- the LHS), together with an equational theorem that states the
- definition as a hypothetical fact.
-
- Unless an explicit name binding is given for the RHS, the resulting
- fact will be called @{text "b_def"}. Any given attributes are
- applied to that same fact --- immediately in the auxiliary context
- \emph{and} in any transformed versions stemming from target-specific
- policies or any later interpretations of results from the target
- context (think of @{command locale} and @{command interpretation},
- for example). This means that attributes should be usually plain
- declarations such as @{attribute simp}, while non-trivial rules like
- @{attribute simplified} are better avoided.
-
- \item @{ML Local_Theory.note}~@{text "(a, ths) lthy"} is
- analogous to @{ML Local_Theory.define}, but defines facts instead of
- terms. There is also a slightly more general variant @{ML
- Local_Theory.notes} that defines several facts (with attribute
- expressions) simultaneously.
-
- This is essentially the internal version of the @{command lemmas}
- command, or @{command declare} if an empty name binding is given.
-
- \end{description}
-*}
-
-
-section {* Morphisms and declarations \label{sec:morphisms} *}
-
-text {* FIXME
-
- \medskip See also \cite{Chaieb-Wenzel:2007}.
-*}
-
-end
--- a/doc-src/IsarImplementation/Logic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1137 +0,0 @@
-theory Logic
-imports Base
-begin
-
-chapter {* Primitive logic \label{ch:logic} *}
-
-text {*
- The logical foundations of Isabelle/Isar are that of the Pure logic,
- which has been introduced as a Natural Deduction framework in
- \cite{paulson700}. This is essentially the same logic as ``@{text
- "\<lambda>HOL"}'' in the more abstract setting of Pure Type Systems (PTS)
- \cite{Barendregt-Geuvers:2001}, although there are some key
- differences in the specific treatment of simple types in
- Isabelle/Pure.
-
- Following type-theoretic parlance, the Pure logic consists of three
- levels of @{text "\<lambda>"}-calculus with corresponding arrows, @{text
- "\<Rightarrow>"} for syntactic function space (terms depending on terms), @{text
- "\<And>"} for universal quantification (proofs depending on terms), and
- @{text "\<Longrightarrow>"} for implication (proofs depending on proofs).
-
- Derivations are relative to a logical theory, which declares type
- constructors, constants, and axioms. Theory declarations support
- schematic polymorphism, which is strictly speaking outside the
- logic.\footnote{This is the deeper logical reason, why the theory
- context @{text "\<Theta>"} is separate from the proof context @{text "\<Gamma>"}
- of the core calculus: type constructors, term constants, and facts
- (proof constants) may involve arbitrary type schemes, but the type
- of a locally fixed term parameter is also fixed!}
-*}
-
-
-section {* Types \label{sec:types} *}
-
-text {*
- The language of types is an uninterpreted order-sorted first-order
- algebra; types are qualified by ordered type classes.
-
- \medskip A \emph{type class} is an abstract syntactic entity
- declared in the theory context. The \emph{subclass relation} @{text
- "c\<^isub>1 \<subseteq> c\<^isub>2"} is specified by stating an acyclic
- generating relation; the transitive closure is maintained
- internally. The resulting relation is an ordering: reflexive,
- transitive, and antisymmetric.
-
- A \emph{sort} is a list of type classes written as @{text "s = {c\<^isub>1,
- \<dots>, c\<^isub>m}"}, it represents symbolic intersection. Notationally, the
- curly braces are omitted for singleton intersections, i.e.\ any
- class @{text "c"} may be read as a sort @{text "{c}"}. The ordering
- on type classes is extended to sorts according to the meaning of
- intersections: @{text "{c\<^isub>1, \<dots> c\<^isub>m} \<subseteq> {d\<^isub>1, \<dots>, d\<^isub>n}"} iff @{text
- "\<forall>j. \<exists>i. c\<^isub>i \<subseteq> d\<^isub>j"}. The empty intersection @{text "{}"} refers to
- the universal sort, which is the largest element wrt.\ the sort
- order. Thus @{text "{}"} represents the ``full sort'', not the
- empty one! The intersection of all (finitely many) classes declared
- in the current theory is the least element wrt.\ the sort ordering.
-
- \medskip A \emph{fixed type variable} is a pair of a basic name
- (starting with a @{text "'"} character) and a sort constraint, e.g.\
- @{text "('a, s)"} which is usually printed as @{text "\<alpha>\<^isub>s"}.
- A \emph{schematic type variable} is a pair of an indexname and a
- sort constraint, e.g.\ @{text "(('a, 0), s)"} which is usually
- printed as @{text "?\<alpha>\<^isub>s"}.
-
- Note that \emph{all} syntactic components contribute to the identity
- of type variables: basic name, index, and sort constraint. The core
- logic handles type variables with the same name but different sorts
- as different, although the type-inference layer (which is outside
- the core) rejects anything like that.
-
- A \emph{type constructor} @{text "\<kappa>"} is a @{text "k"}-ary operator
- on types declared in the theory. Type constructor application is
- written postfix as @{text "(\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>k)\<kappa>"}. For
- @{text "k = 0"} the argument tuple is omitted, e.g.\ @{text "prop"}
- instead of @{text "()prop"}. For @{text "k = 1"} the parentheses
- are omitted, e.g.\ @{text "\<alpha> list"} instead of @{text "(\<alpha>)list"}.
- Further notation is provided for specific constructors, notably the
- right-associative infix @{text "\<alpha> \<Rightarrow> \<beta>"} instead of @{text "(\<alpha>,
- \<beta>)fun"}.
-
- The logical category \emph{type} is defined inductively over type
- variables and type constructors as follows: @{text "\<tau> = \<alpha>\<^isub>s | ?\<alpha>\<^isub>s |
- (\<tau>\<^sub>1, \<dots>, \<tau>\<^sub>k)\<kappa>"}.
-
- A \emph{type abbreviation} is a syntactic definition @{text
- "(\<^vec>\<alpha>)\<kappa> = \<tau>"} of an arbitrary type expression @{text "\<tau>"} over
- variables @{text "\<^vec>\<alpha>"}. Type abbreviations appear as type
- constructors in the syntax, but are expanded before entering the
- logical core.
-
- A \emph{type arity} declares the image behavior of a type
- constructor wrt.\ the algebra of sorts: @{text "\<kappa> :: (s\<^isub>1, \<dots>,
- s\<^isub>k)s"} means that @{text "(\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>k)\<kappa>"} is
- of sort @{text "s"} if every argument type @{text "\<tau>\<^isub>i"} is
- of sort @{text "s\<^isub>i"}. Arity declarations are implicitly
- completed, i.e.\ @{text "\<kappa> :: (\<^vec>s)c"} entails @{text "\<kappa> ::
- (\<^vec>s)c'"} for any @{text "c' \<supseteq> c"}.
-
- \medskip The sort algebra is always maintained as \emph{coregular},
- which means that type arities are consistent with the subclass
- relation: for any type constructor @{text "\<kappa>"}, and classes @{text
- "c\<^isub>1 \<subseteq> c\<^isub>2"}, and arities @{text "\<kappa> ::
- (\<^vec>s\<^isub>1)c\<^isub>1"} and @{text "\<kappa> ::
- (\<^vec>s\<^isub>2)c\<^isub>2"} holds @{text "\<^vec>s\<^isub>1 \<subseteq>
- \<^vec>s\<^isub>2"} component-wise.
-
- The key property of a coregular order-sorted algebra is that sort
- constraints can be solved in a most general fashion: for each type
- constructor @{text "\<kappa>"} and sort @{text "s"} there is a most general
- vector of argument sorts @{text "(s\<^isub>1, \<dots>, s\<^isub>k)"} such
- that a type scheme @{text "(\<alpha>\<^bsub>s\<^isub>1\<^esub>, \<dots>,
- \<alpha>\<^bsub>s\<^isub>k\<^esub>)\<kappa>"} is of sort @{text "s"}.
- Consequently, type unification has most general solutions (modulo
- equivalence of sorts), so type-inference produces primary types as
- expected \cite{nipkow-prehofer}.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type class: string} \\
- @{index_ML_type sort: "class list"} \\
- @{index_ML_type arity: "string * sort list * sort"} \\
- @{index_ML_type typ} \\
- @{index_ML Term.map_atyps: "(typ -> typ) -> typ -> typ"} \\
- @{index_ML Term.fold_atyps: "(typ -> 'a -> 'a) -> typ -> 'a -> 'a"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML Sign.subsort: "theory -> sort * sort -> bool"} \\
- @{index_ML Sign.of_sort: "theory -> typ * sort -> bool"} \\
- @{index_ML Sign.add_type: "Proof.context -> binding * int * mixfix -> theory -> theory"} \\
- @{index_ML Sign.add_type_abbrev: "Proof.context ->
- binding * string list * typ -> theory -> theory"} \\
- @{index_ML Sign.primitive_class: "binding * class list -> theory -> theory"} \\
- @{index_ML Sign.primitive_classrel: "class * class -> theory -> theory"} \\
- @{index_ML Sign.primitive_arity: "arity -> theory -> theory"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type class} represents type classes.
-
- \item Type @{ML_type sort} represents sorts, i.e.\ finite
- intersections of classes. The empty list @{ML "[]: sort"} refers to
- the empty class intersection, i.e.\ the ``full sort''.
-
- \item Type @{ML_type arity} represents type arities. A triple
- @{text "(\<kappa>, \<^vec>s, s) : arity"} represents @{text "\<kappa> ::
- (\<^vec>s)s"} as described above.
-
- \item Type @{ML_type typ} represents types; this is a datatype with
- constructors @{ML TFree}, @{ML TVar}, @{ML Type}.
-
- \item @{ML Term.map_atyps}~@{text "f \<tau>"} applies the mapping @{text
- "f"} to all atomic types (@{ML TFree}, @{ML TVar}) occurring in
- @{text "\<tau>"}.
-
- \item @{ML Term.fold_atyps}~@{text "f \<tau>"} iterates the operation
- @{text "f"} over all occurrences of atomic types (@{ML TFree}, @{ML
- TVar}) in @{text "\<tau>"}; the type structure is traversed from left to
- right.
-
- \item @{ML Sign.subsort}~@{text "thy (s\<^isub>1, s\<^isub>2)"}
- tests the subsort relation @{text "s\<^isub>1 \<subseteq> s\<^isub>2"}.
-
- \item @{ML Sign.of_sort}~@{text "thy (\<tau>, s)"} tests whether type
- @{text "\<tau>"} is of sort @{text "s"}.
-
- \item @{ML Sign.add_type}~@{text "ctxt (\<kappa>, k, mx)"} declares a
- new type constructors @{text "\<kappa>"} with @{text "k"} arguments and
- optional mixfix syntax.
-
- \item @{ML Sign.add_type_abbrev}~@{text "ctxt (\<kappa>, \<^vec>\<alpha>, \<tau>)"}
- defines a new type abbreviation @{text "(\<^vec>\<alpha>)\<kappa> = \<tau>"}.
-
- \item @{ML Sign.primitive_class}~@{text "(c, [c\<^isub>1, \<dots>,
- c\<^isub>n])"} declares a new class @{text "c"}, together with class
- relations @{text "c \<subseteq> c\<^isub>i"}, for @{text "i = 1, \<dots>, n"}.
-
- \item @{ML Sign.primitive_classrel}~@{text "(c\<^isub>1,
- c\<^isub>2)"} declares the class relation @{text "c\<^isub>1 \<subseteq>
- c\<^isub>2"}.
-
- \item @{ML Sign.primitive_arity}~@{text "(\<kappa>, \<^vec>s, s)"} declares
- the arity @{text "\<kappa> :: (\<^vec>s)s"}.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "class"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "sort"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "type_name"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "type_abbrev"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "nonterminal"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "typ"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation class} nameref
- ;
- @@{ML_antiquotation sort} sort
- ;
- (@@{ML_antiquotation type_name} |
- @@{ML_antiquotation type_abbrev} |
- @@{ML_antiquotation nonterminal}) nameref
- ;
- @@{ML_antiquotation typ} type
- "}
-
- \begin{description}
-
- \item @{text "@{class c}"} inlines the internalized class @{text
- "c"} --- as @{ML_type string} literal.
-
- \item @{text "@{sort s}"} inlines the internalized sort @{text "s"}
- --- as @{ML_type "string list"} literal.
-
- \item @{text "@{type_name c}"} inlines the internalized type
- constructor @{text "c"} --- as @{ML_type string} literal.
-
- \item @{text "@{type_abbrev c}"} inlines the internalized type
- abbreviation @{text "c"} --- as @{ML_type string} literal.
-
- \item @{text "@{nonterminal c}"} inlines the internalized syntactic
- type~/ grammar nonterminal @{text "c"} --- as @{ML_type string}
- literal.
-
- \item @{text "@{typ \<tau>}"} inlines the internalized type @{text "\<tau>"}
- --- as constructor term for datatype @{ML_type typ}.
-
- \end{description}
-*}
-
-
-section {* Terms \label{sec:terms} *}
-
-text {*
- The language of terms is that of simply-typed @{text "\<lambda>"}-calculus
- with de-Bruijn indices for bound variables (cf.\ \cite{debruijn72}
- or \cite{paulson-ml2}), with the types being determined by the
- corresponding binders. In contrast, free variables and constants
- have an explicit name and type in each occurrence.
-
- \medskip A \emph{bound variable} is a natural number @{text "b"},
- which accounts for the number of intermediate binders between the
- variable occurrence in the body and its binding position. For
- example, the de-Bruijn term @{text "\<lambda>\<^bsub>bool\<^esub>. \<lambda>\<^bsub>bool\<^esub>. 1 \<and> 0"} would
- correspond to @{text "\<lambda>x\<^bsub>bool\<^esub>. \<lambda>y\<^bsub>bool\<^esub>. x \<and> y"} in a named
- representation. Note that a bound variable may be represented by
- different de-Bruijn indices at different occurrences, depending on
- the nesting of abstractions.
-
- A \emph{loose variable} is a bound variable that is outside the
- scope of local binders. The types (and names) for loose variables
- can be managed as a separate context, that is maintained as a stack
- of hypothetical binders. The core logic operates on closed terms,
- without any loose variables.
-
- A \emph{fixed variable} is a pair of a basic name and a type, e.g.\
- @{text "(x, \<tau>)"} which is usually printed @{text "x\<^isub>\<tau>"} here. A
- \emph{schematic variable} is a pair of an indexname and a type,
- e.g.\ @{text "((x, 0), \<tau>)"} which is likewise printed as @{text
- "?x\<^isub>\<tau>"}.
-
- \medskip A \emph{constant} is a pair of a basic name and a type,
- e.g.\ @{text "(c, \<tau>)"} which is usually printed as @{text "c\<^isub>\<tau>"}
- here. Constants are declared in the context as polymorphic families
- @{text "c :: \<sigma>"}, meaning that all substitution instances @{text
- "c\<^isub>\<tau>"} for @{text "\<tau> = \<sigma>\<vartheta>"} are valid.
-
- The vector of \emph{type arguments} of constant @{text "c\<^isub>\<tau>"} wrt.\
- the declaration @{text "c :: \<sigma>"} is defined as the codomain of the
- matcher @{text "\<vartheta> = {?\<alpha>\<^isub>1 \<mapsto> \<tau>\<^isub>1, \<dots>, ?\<alpha>\<^isub>n \<mapsto> \<tau>\<^isub>n}"} presented in
- canonical order @{text "(\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>n)"}, corresponding to the
- left-to-right occurrences of the @{text "\<alpha>\<^isub>i"} in @{text "\<sigma>"}.
- Within a given theory context, there is a one-to-one correspondence
- between any constant @{text "c\<^isub>\<tau>"} and the application @{text "c(\<tau>\<^isub>1,
- \<dots>, \<tau>\<^isub>n)"} of its type arguments. For example, with @{text "plus :: \<alpha>
- \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>"}, the instance @{text "plus\<^bsub>nat \<Rightarrow> nat \<Rightarrow> nat\<^esub>"} corresponds to
- @{text "plus(nat)"}.
-
- Constant declarations @{text "c :: \<sigma>"} may contain sort constraints
- for type variables in @{text "\<sigma>"}. These are observed by
- type-inference as expected, but \emph{ignored} by the core logic.
- This means the primitive logic is able to reason with instances of
- polymorphic constants that the user-level type-checker would reject
- due to violation of type class restrictions.
-
- \medskip An \emph{atomic term} is either a variable or constant.
- The logical category \emph{term} is defined inductively over atomic
- terms, with abstraction and application as follows: @{text "t = b |
- x\<^isub>\<tau> | ?x\<^isub>\<tau> | c\<^isub>\<tau> | \<lambda>\<^isub>\<tau>. t | t\<^isub>1 t\<^isub>2"}. Parsing and printing takes care of
- converting between an external representation with named bound
- variables. Subsequently, we shall use the latter notation instead
- of internal de-Bruijn representation.
-
- The inductive relation @{text "t :: \<tau>"} assigns a (unique) type to a
- term according to the structure of atomic terms, abstractions, and
- applicatins:
- \[
- \infer{@{text "a\<^isub>\<tau> :: \<tau>"}}{}
- \qquad
- \infer{@{text "(\<lambda>x\<^sub>\<tau>. t) :: \<tau> \<Rightarrow> \<sigma>"}}{@{text "t :: \<sigma>"}}
- \qquad
- \infer{@{text "t u :: \<sigma>"}}{@{text "t :: \<tau> \<Rightarrow> \<sigma>"} & @{text "u :: \<tau>"}}
- \]
- A \emph{well-typed term} is a term that can be typed according to these rules.
-
- Typing information can be omitted: type-inference is able to
- reconstruct the most general type of a raw term, while assigning
- most general types to all of its variables and constants.
- Type-inference depends on a context of type constraints for fixed
- variables, and declarations for polymorphic constants.
-
- The identity of atomic terms consists both of the name and the type
- component. This means that different variables @{text
- "x\<^bsub>\<tau>\<^isub>1\<^esub>"} and @{text "x\<^bsub>\<tau>\<^isub>2\<^esub>"} may become the same after
- type instantiation. Type-inference rejects variables of the same
- name, but different types. In contrast, mixed instances of
- polymorphic constants occur routinely.
-
- \medskip The \emph{hidden polymorphism} of a term @{text "t :: \<sigma>"}
- is the set of type variables occurring in @{text "t"}, but not in
- its type @{text "\<sigma>"}. This means that the term implicitly depends
- on type arguments that are not accounted in the result type, i.e.\
- there are different type instances @{text "t\<vartheta> :: \<sigma>"} and
- @{text "t\<vartheta>' :: \<sigma>"} with the same type. This slightly
- pathological situation notoriously demands additional care.
-
- \medskip A \emph{term abbreviation} is a syntactic definition @{text
- "c\<^isub>\<sigma> \<equiv> t"} of a closed term @{text "t"} of type @{text "\<sigma>"},
- without any hidden polymorphism. A term abbreviation looks like a
- constant in the syntax, but is expanded before entering the logical
- core. Abbreviations are usually reverted when printing terms, using
- @{text "t \<rightarrow> c\<^isub>\<sigma>"} as rules for higher-order rewriting.
-
- \medskip Canonical operations on @{text "\<lambda>"}-terms include @{text
- "\<alpha>\<beta>\<eta>"}-conversion: @{text "\<alpha>"}-conversion refers to capture-free
- renaming of bound variables; @{text "\<beta>"}-conversion contracts an
- abstraction applied to an argument term, substituting the argument
- in the body: @{text "(\<lambda>x. b)a"} becomes @{text "b[a/x]"}; @{text
- "\<eta>"}-conversion contracts vacuous application-abstraction: @{text
- "\<lambda>x. f x"} becomes @{text "f"}, provided that the bound variable
- does not occur in @{text "f"}.
-
- Terms are normally treated modulo @{text "\<alpha>"}-conversion, which is
- implicit in the de-Bruijn representation. Names for bound variables
- in abstractions are maintained separately as (meaningless) comments,
- mostly for parsing and printing. Full @{text "\<alpha>\<beta>\<eta>"}-conversion is
- commonplace in various standard operations (\secref{sec:obj-rules})
- that are based on higher-order unification and matching.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type term} \\
- @{index_ML_op "aconv": "term * term -> bool"} \\
- @{index_ML Term.map_types: "(typ -> typ) -> term -> term"} \\
- @{index_ML Term.fold_types: "(typ -> 'a -> 'a) -> term -> 'a -> 'a"} \\
- @{index_ML Term.map_aterms: "(term -> term) -> term -> term"} \\
- @{index_ML Term.fold_aterms: "(term -> 'a -> 'a) -> term -> 'a -> 'a"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML fastype_of: "term -> typ"} \\
- @{index_ML lambda: "term -> term -> term"} \\
- @{index_ML betapply: "term * term -> term"} \\
- @{index_ML incr_boundvars: "int -> term -> term"} \\
- @{index_ML Sign.declare_const: "Proof.context ->
- (binding * typ) * mixfix -> theory -> term * theory"} \\
- @{index_ML Sign.add_abbrev: "string -> binding * term ->
- theory -> (term * term) * theory"} \\
- @{index_ML Sign.const_typargs: "theory -> string * typ -> typ list"} \\
- @{index_ML Sign.const_instance: "theory -> string * typ list -> typ"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type term} represents de-Bruijn terms, with comments
- in abstractions, and explicitly named free variables and constants;
- this is a datatype with constructors @{ML Bound}, @{ML Free}, @{ML
- Var}, @{ML Const}, @{ML Abs}, @{ML_op "$"}.
-
- \item @{text "t"}~@{ML_text aconv}~@{text "u"} checks @{text
- "\<alpha>"}-equivalence of two terms. This is the basic equality relation
- on type @{ML_type term}; raw datatype equality should only be used
- for operations related to parsing or printing!
-
- \item @{ML Term.map_types}~@{text "f t"} applies the mapping @{text
- "f"} to all types occurring in @{text "t"}.
-
- \item @{ML Term.fold_types}~@{text "f t"} iterates the operation
- @{text "f"} over all occurrences of types in @{text "t"}; the term
- structure is traversed from left to right.
-
- \item @{ML Term.map_aterms}~@{text "f t"} applies the mapping @{text
- "f"} to all atomic terms (@{ML Bound}, @{ML Free}, @{ML Var}, @{ML
- Const}) occurring in @{text "t"}.
-
- \item @{ML Term.fold_aterms}~@{text "f t"} iterates the operation
- @{text "f"} over all occurrences of atomic terms (@{ML Bound}, @{ML
- Free}, @{ML Var}, @{ML Const}) in @{text "t"}; the term structure is
- traversed from left to right.
-
- \item @{ML fastype_of}~@{text "t"} determines the type of a
- well-typed term. This operation is relatively slow, despite the
- omission of any sanity checks.
-
- \item @{ML lambda}~@{text "a b"} produces an abstraction @{text
- "\<lambda>a. b"}, where occurrences of the atomic term @{text "a"} in the
- body @{text "b"} are replaced by bound variables.
-
- \item @{ML betapply}~@{text "(t, u)"} produces an application @{text
- "t u"}, with topmost @{text "\<beta>"}-conversion if @{text "t"} is an
- abstraction.
-
- \item @{ML incr_boundvars}~@{text "j"} increments a term's dangling
- bound variables by the offset @{text "j"}. This is required when
- moving a subterm into a context where it is enclosed by a different
- number of abstractions. Bound variables with a matching abstraction
- are unaffected.
-
- \item @{ML Sign.declare_const}~@{text "ctxt ((c, \<sigma>), mx)"} declares
- a new constant @{text "c :: \<sigma>"} with optional mixfix syntax.
-
- \item @{ML Sign.add_abbrev}~@{text "print_mode (c, t)"}
- introduces a new term abbreviation @{text "c \<equiv> t"}.
-
- \item @{ML Sign.const_typargs}~@{text "thy (c, \<tau>)"} and @{ML
- Sign.const_instance}~@{text "thy (c, [\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>n])"}
- convert between two representations of polymorphic constants: full
- type instance vs.\ compact type arguments form.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "const_name"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "const_abbrev"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "const"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "term"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "prop"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- (@@{ML_antiquotation const_name} |
- @@{ML_antiquotation const_abbrev}) nameref
- ;
- @@{ML_antiquotation const} ('(' (type + ',') ')')?
- ;
- @@{ML_antiquotation term} term
- ;
- @@{ML_antiquotation prop} prop
- "}
-
- \begin{description}
-
- \item @{text "@{const_name c}"} inlines the internalized logical
- constant name @{text "c"} --- as @{ML_type string} literal.
-
- \item @{text "@{const_abbrev c}"} inlines the internalized
- abbreviated constant name @{text "c"} --- as @{ML_type string}
- literal.
-
- \item @{text "@{const c(\<^vec>\<tau>)}"} inlines the internalized
- constant @{text "c"} with precise type instantiation in the sense of
- @{ML Sign.const_instance} --- as @{ML Const} constructor term for
- datatype @{ML_type term}.
-
- \item @{text "@{term t}"} inlines the internalized term @{text "t"}
- --- as constructor term for datatype @{ML_type term}.
-
- \item @{text "@{prop \<phi>}"} inlines the internalized proposition
- @{text "\<phi>"} --- as constructor term for datatype @{ML_type term}.
-
- \end{description}
-*}
-
-
-section {* Theorems \label{sec:thms} *}
-
-text {*
- A \emph{proposition} is a well-typed term of type @{text "prop"}, a
- \emph{theorem} is a proven proposition (depending on a context of
- hypotheses and the background theory). Primitive inferences include
- plain Natural Deduction rules for the primary connectives @{text
- "\<And>"} and @{text "\<Longrightarrow>"} of the framework. There is also a builtin
- notion of equality/equivalence @{text "\<equiv>"}.
-*}
-
-
-subsection {* Primitive connectives and rules \label{sec:prim-rules} *}
-
-text {*
- The theory @{text "Pure"} contains constant declarations for the
- primitive connectives @{text "\<And>"}, @{text "\<Longrightarrow>"}, and @{text "\<equiv>"} of
- the logical framework, see \figref{fig:pure-connectives}. The
- derivability judgment @{text "A\<^isub>1, \<dots>, A\<^isub>n \<turnstile> B"} is
- defined inductively by the primitive inferences given in
- \figref{fig:prim-rules}, with the global restriction that the
- hypotheses must \emph{not} contain any schematic variables. The
- builtin equality is conceptually axiomatized as shown in
- \figref{fig:pure-equality}, although the implementation works
- directly with derived inferences.
-
- \begin{figure}[htb]
- \begin{center}
- \begin{tabular}{ll}
- @{text "all :: (\<alpha> \<Rightarrow> prop) \<Rightarrow> prop"} & universal quantification (binder @{text "\<And>"}) \\
- @{text "\<Longrightarrow> :: prop \<Rightarrow> prop \<Rightarrow> prop"} & implication (right associative infix) \\
- @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> prop"} & equality relation (infix) \\
- \end{tabular}
- \caption{Primitive connectives of Pure}\label{fig:pure-connectives}
- \end{center}
- \end{figure}
-
- \begin{figure}[htb]
- \begin{center}
- \[
- \infer[@{text "(axiom)"}]{@{text "\<turnstile> A"}}{@{text "A \<in> \<Theta>"}}
- \qquad
- \infer[@{text "(assume)"}]{@{text "A \<turnstile> A"}}{}
- \]
- \[
- \infer[@{text "(\<And>\<hyphen>intro)"}]{@{text "\<Gamma> \<turnstile> \<And>x. b[x]"}}{@{text "\<Gamma> \<turnstile> b[x]"} & @{text "x \<notin> \<Gamma>"}}
- \qquad
- \infer[@{text "(\<And>\<hyphen>elim)"}]{@{text "\<Gamma> \<turnstile> b[a]"}}{@{text "\<Gamma> \<turnstile> \<And>x. b[x]"}}
- \]
- \[
- \infer[@{text "(\<Longrightarrow>\<hyphen>intro)"}]{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
- \qquad
- \infer[@{text "(\<Longrightarrow>\<hyphen>elim)"}]{@{text "\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B"}}{@{text "\<Gamma>\<^sub>1 \<turnstile> A \<Longrightarrow> B"} & @{text "\<Gamma>\<^sub>2 \<turnstile> A"}}
- \]
- \caption{Primitive inferences of Pure}\label{fig:prim-rules}
- \end{center}
- \end{figure}
-
- \begin{figure}[htb]
- \begin{center}
- \begin{tabular}{ll}
- @{text "\<turnstile> (\<lambda>x. b[x]) a \<equiv> b[a]"} & @{text "\<beta>"}-conversion \\
- @{text "\<turnstile> x \<equiv> x"} & reflexivity \\
- @{text "\<turnstile> x \<equiv> y \<Longrightarrow> P x \<Longrightarrow> P y"} & substitution \\
- @{text "\<turnstile> (\<And>x. f x \<equiv> g x) \<Longrightarrow> f \<equiv> g"} & extensionality \\
- @{text "\<turnstile> (A \<Longrightarrow> B) \<Longrightarrow> (B \<Longrightarrow> A) \<Longrightarrow> A \<equiv> B"} & logical equivalence \\
- \end{tabular}
- \caption{Conceptual axiomatization of Pure equality}\label{fig:pure-equality}
- \end{center}
- \end{figure}
-
- The introduction and elimination rules for @{text "\<And>"} and @{text
- "\<Longrightarrow>"} are analogous to formation of dependently typed @{text
- "\<lambda>"}-terms representing the underlying proof objects. Proof terms
- are irrelevant in the Pure logic, though; they cannot occur within
- propositions. The system provides a runtime option to record
- explicit proof terms for primitive inferences. Thus all three
- levels of @{text "\<lambda>"}-calculus become explicit: @{text "\<Rightarrow>"} for
- terms, and @{text "\<And>/\<Longrightarrow>"} for proofs (cf.\
- \cite{Berghofer-Nipkow:2000:TPHOL}).
-
- Observe that locally fixed parameters (as in @{text
- "\<And>\<hyphen>intro"}) need not be recorded in the hypotheses, because
- the simple syntactic types of Pure are always inhabitable.
- ``Assumptions'' @{text "x :: \<tau>"} for type-membership are only
- present as long as some @{text "x\<^isub>\<tau>"} occurs in the statement
- body.\footnote{This is the key difference to ``@{text "\<lambda>HOL"}'' in
- the PTS framework \cite{Barendregt-Geuvers:2001}, where hypotheses
- @{text "x : A"} are treated uniformly for propositions and types.}
-
- \medskip The axiomatization of a theory is implicitly closed by
- forming all instances of type and term variables: @{text "\<turnstile>
- A\<vartheta>"} holds for any substitution instance of an axiom
- @{text "\<turnstile> A"}. By pushing substitutions through derivations
- inductively, we also get admissible @{text "generalize"} and @{text
- "instantiate"} rules as shown in \figref{fig:subst-rules}.
-
- \begin{figure}[htb]
- \begin{center}
- \[
- \infer{@{text "\<Gamma> \<turnstile> B[?\<alpha>]"}}{@{text "\<Gamma> \<turnstile> B[\<alpha>]"} & @{text "\<alpha> \<notin> \<Gamma>"}}
- \quad
- \infer[\quad@{text "(generalize)"}]{@{text "\<Gamma> \<turnstile> B[?x]"}}{@{text "\<Gamma> \<turnstile> B[x]"} & @{text "x \<notin> \<Gamma>"}}
- \]
- \[
- \infer{@{text "\<Gamma> \<turnstile> B[\<tau>]"}}{@{text "\<Gamma> \<turnstile> B[?\<alpha>]"}}
- \quad
- \infer[\quad@{text "(instantiate)"}]{@{text "\<Gamma> \<turnstile> B[t]"}}{@{text "\<Gamma> \<turnstile> B[?x]"}}
- \]
- \caption{Admissible substitution rules}\label{fig:subst-rules}
- \end{center}
- \end{figure}
-
- Note that @{text "instantiate"} does not require an explicit
- side-condition, because @{text "\<Gamma>"} may never contain schematic
- variables.
-
- In principle, variables could be substituted in hypotheses as well,
- but this would disrupt the monotonicity of reasoning: deriving
- @{text "\<Gamma>\<vartheta> \<turnstile> B\<vartheta>"} from @{text "\<Gamma> \<turnstile> B"} is
- correct, but @{text "\<Gamma>\<vartheta> \<supseteq> \<Gamma>"} does not necessarily hold:
- the result belongs to a different proof context.
-
- \medskip An \emph{oracle} is a function that produces axioms on the
- fly. Logically, this is an instance of the @{text "axiom"} rule
- (\figref{fig:prim-rules}), but there is an operational difference.
- The system always records oracle invocations within derivations of
- theorems by a unique tag.
-
- Axiomatizations should be limited to the bare minimum, typically as
- part of the initial logical basis of an object-logic formalization.
- Later on, theories are usually developed in a strictly definitional
- fashion, by stating only certain equalities over new constants.
-
- A \emph{simple definition} consists of a constant declaration @{text
- "c :: \<sigma>"} together with an axiom @{text "\<turnstile> c \<equiv> t"}, where @{text "t
- :: \<sigma>"} is a closed term without any hidden polymorphism. The RHS
- may depend on further defined constants, but not @{text "c"} itself.
- Definitions of functions may be presented as @{text "c \<^vec>x \<equiv>
- t"} instead of the puristic @{text "c \<equiv> \<lambda>\<^vec>x. t"}.
-
- An \emph{overloaded definition} consists of a collection of axioms
- for the same constant, with zero or one equations @{text
- "c((\<^vec>\<alpha>)\<kappa>) \<equiv> t"} for each type constructor @{text "\<kappa>"} (for
- distinct variables @{text "\<^vec>\<alpha>"}). The RHS may mention
- previously defined constants as above, or arbitrary constants @{text
- "d(\<alpha>\<^isub>i)"} for some @{text "\<alpha>\<^isub>i"} projected from @{text
- "\<^vec>\<alpha>"}. Thus overloaded definitions essentially work by
- primitive recursion over the syntactic structure of a single type
- argument. See also \cite[\S4.3]{Haftmann-Wenzel:2006:classes}.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Logic.all: "term -> term -> term"} \\
- @{index_ML Logic.mk_implies: "term * term -> term"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type ctyp} \\
- @{index_ML_type cterm} \\
- @{index_ML Thm.ctyp_of: "theory -> typ -> ctyp"} \\
- @{index_ML Thm.cterm_of: "theory -> term -> cterm"} \\
- @{index_ML Thm.apply: "cterm -> cterm -> cterm"} \\
- @{index_ML Thm.lambda: "cterm -> cterm -> cterm"} \\
- @{index_ML Thm.all: "cterm -> cterm -> cterm"} \\
- @{index_ML Drule.mk_implies: "cterm * cterm -> cterm"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type thm} \\
- @{index_ML proofs: "int Unsynchronized.ref"} \\
- @{index_ML Thm.transfer: "theory -> thm -> thm"} \\
- @{index_ML Thm.assume: "cterm -> thm"} \\
- @{index_ML Thm.forall_intr: "cterm -> thm -> thm"} \\
- @{index_ML Thm.forall_elim: "cterm -> thm -> thm"} \\
- @{index_ML Thm.implies_intr: "cterm -> thm -> thm"} \\
- @{index_ML Thm.implies_elim: "thm -> thm -> thm"} \\
- @{index_ML Thm.generalize: "string list * string list -> int -> thm -> thm"} \\
- @{index_ML Thm.instantiate: "(ctyp * ctyp) list * (cterm * cterm) list -> thm -> thm"} \\
- @{index_ML Thm.add_axiom: "Proof.context ->
- binding * term -> theory -> (string * thm) * theory"} \\
- @{index_ML Thm.add_oracle: "binding * ('a -> cterm) -> theory ->
- (string * ('a -> thm)) * theory"} \\
- @{index_ML Thm.add_def: "Proof.context -> bool -> bool ->
- binding * term -> theory -> (string * thm) * theory"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML Theory.add_deps: "Proof.context -> string ->
- string * typ -> (string * typ) list -> theory -> theory"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Logic.all}~@{text "a B"} produces a Pure quantification
- @{text "\<And>a. B"}, where occurrences of the atomic term @{text "a"} in
- the body proposition @{text "B"} are replaced by bound variables.
- (See also @{ML lambda} on terms.)
-
- \item @{ML Logic.mk_implies}~@{text "(A, B)"} produces a Pure
- implication @{text "A \<Longrightarrow> B"}.
-
- \item Types @{ML_type ctyp} and @{ML_type cterm} represent certified
- types and terms, respectively. These are abstract datatypes that
- guarantee that its values have passed the full well-formedness (and
- well-typedness) checks, relative to the declarations of type
- constructors, constants etc.\ in the background theory. The
- abstract types @{ML_type ctyp} and @{ML_type cterm} are part of the
- same inference kernel that is mainly responsible for @{ML_type thm}.
- Thus syntactic operations on @{ML_type ctyp} and @{ML_type cterm}
- are located in the @{ML_struct Thm} module, even though theorems are
- not yet involved at that stage.
-
- \item @{ML Thm.ctyp_of}~@{text "thy \<tau>"} and @{ML
- Thm.cterm_of}~@{text "thy t"} explicitly checks types and terms,
- respectively. This also involves some basic normalizations, such
- expansion of type and term abbreviations from the theory context.
- Full re-certification is relatively slow and should be avoided in
- tight reasoning loops.
-
- \item @{ML Thm.apply}, @{ML Thm.lambda}, @{ML Thm.all}, @{ML
- Drule.mk_implies} etc.\ compose certified terms (or propositions)
- incrementally. This is equivalent to @{ML Thm.cterm_of} after
- unchecked @{ML_op "$"}, @{ML lambda}, @{ML Logic.all}, @{ML
- Logic.mk_implies} etc., but there can be a big difference in
- performance when large existing entities are composed by a few extra
- constructions on top. There are separate operations to decompose
- certified terms and theorems to produce certified terms again.
-
- \item Type @{ML_type thm} represents proven propositions. This is
- an abstract datatype that guarantees that its values have been
- constructed by basic principles of the @{ML_struct Thm} module.
- Every @{ML_type thm} value contains a sliding back-reference to the
- enclosing theory, cf.\ \secref{sec:context-theory}.
-
- \item @{ML proofs} specifies the detail of proof recording within
- @{ML_type thm} values: @{ML 0} records only the names of oracles,
- @{ML 1} records oracle names and propositions, @{ML 2} additionally
- records full proof terms. Officially named theorems that contribute
- to a result are recorded in any case.
-
- \item @{ML Thm.transfer}~@{text "thy thm"} transfers the given
- theorem to a \emph{larger} theory, see also \secref{sec:context}.
- This formal adjustment of the background context has no logical
- significance, but is occasionally required for formal reasons, e.g.\
- when theorems that are imported from more basic theories are used in
- the current situation.
-
- \item @{ML Thm.assume}, @{ML Thm.forall_intr}, @{ML
- Thm.forall_elim}, @{ML Thm.implies_intr}, and @{ML Thm.implies_elim}
- correspond to the primitive inferences of \figref{fig:prim-rules}.
-
- \item @{ML Thm.generalize}~@{text "(\<^vec>\<alpha>, \<^vec>x)"}
- corresponds to the @{text "generalize"} rules of
- \figref{fig:subst-rules}. Here collections of type and term
- variables are generalized simultaneously, specified by the given
- basic names.
-
- \item @{ML Thm.instantiate}~@{text "(\<^vec>\<alpha>\<^isub>s,
- \<^vec>x\<^isub>\<tau>)"} corresponds to the @{text "instantiate"} rules
- of \figref{fig:subst-rules}. Type variables are substituted before
- term variables. Note that the types in @{text "\<^vec>x\<^isub>\<tau>"}
- refer to the instantiated versions.
-
- \item @{ML Thm.add_axiom}~@{text "ctxt (name, A)"} declares an
- arbitrary proposition as axiom, and retrieves it as a theorem from
- the resulting theory, cf.\ @{text "axiom"} in
- \figref{fig:prim-rules}. Note that the low-level representation in
- the axiom table may differ slightly from the returned theorem.
-
- \item @{ML Thm.add_oracle}~@{text "(binding, oracle)"} produces a named
- oracle rule, essentially generating arbitrary axioms on the fly,
- cf.\ @{text "axiom"} in \figref{fig:prim-rules}.
-
- \item @{ML Thm.add_def}~@{text "ctxt unchecked overloaded (name, c
- \<^vec>x \<equiv> t)"} states a definitional axiom for an existing constant
- @{text "c"}. Dependencies are recorded via @{ML Theory.add_deps},
- unless the @{text "unchecked"} option is set. Note that the
- low-level representation in the axiom table may differ slightly from
- the returned theorem.
-
- \item @{ML Theory.add_deps}~@{text "ctxt name c\<^isub>\<tau> \<^vec>d\<^isub>\<sigma>"}
- declares dependencies of a named specification for constant @{text
- "c\<^isub>\<tau>"}, relative to existing specifications for constants @{text
- "\<^vec>d\<^isub>\<sigma>"}.
-
- \end{description}
-*}
-
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "ctyp"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "cterm"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "cprop"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "thm"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "thms"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "lemma"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation ctyp} typ
- ;
- @@{ML_antiquotation cterm} term
- ;
- @@{ML_antiquotation cprop} prop
- ;
- @@{ML_antiquotation thm} thmref
- ;
- @@{ML_antiquotation thms} thmrefs
- ;
- @@{ML_antiquotation lemma} ('(' @'open' ')')? ((prop +) + @'and') \\
- @'by' method method?
- "}
-
- \begin{description}
-
- \item @{text "@{ctyp \<tau>}"} produces a certified type wrt.\ the
- current background theory --- as abstract value of type @{ML_type
- ctyp}.
-
- \item @{text "@{cterm t}"} and @{text "@{cprop \<phi>}"} produce a
- certified term wrt.\ the current background theory --- as abstract
- value of type @{ML_type cterm}.
-
- \item @{text "@{thm a}"} produces a singleton fact --- as abstract
- value of type @{ML_type thm}.
-
- \item @{text "@{thms a}"} produces a general fact --- as abstract
- value of type @{ML_type "thm list"}.
-
- \item @{text "@{lemma \<phi> by meth}"} produces a fact that is proven on
- the spot according to the minimal proof, which imitates a terminal
- Isar proof. The result is an abstract value of type @{ML_type thm}
- or @{ML_type "thm list"}, depending on the number of propositions
- given here.
-
- The internal derivation object lacks a proper theorem name, but it
- is formally closed, unless the @{text "(open)"} option is specified
- (this may impact performance of applications with proof terms).
-
- Since ML antiquotations are always evaluated at compile-time, there
- is no run-time overhead even for non-trivial proofs. Nonetheless,
- the justification is syntactically limited to a single @{command
- "by"} step. More complex Isar proofs should be done in regular
- theory source, before compiling the corresponding ML text that uses
- the result.
-
- \end{description}
-
-*}
-
-
-subsection {* Auxiliary connectives \label{sec:logic-aux} *}
-
-text {* Theory @{text "Pure"} provides a few auxiliary connectives
- that are defined on top of the primitive ones, see
- \figref{fig:pure-aux}. These special constants are useful in
- certain internal encodings, and are normally not directly exposed to
- the user.
-
- \begin{figure}[htb]
- \begin{center}
- \begin{tabular}{ll}
- @{text "conjunction :: prop \<Rightarrow> prop \<Rightarrow> prop"} & (infix @{text "&&&"}) \\
- @{text "\<turnstile> A &&& B \<equiv> (\<And>C. (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C)"} \\[1ex]
- @{text "prop :: prop \<Rightarrow> prop"} & (prefix @{text "#"}, suppressed) \\
- @{text "#A \<equiv> A"} \\[1ex]
- @{text "term :: \<alpha> \<Rightarrow> prop"} & (prefix @{text "TERM"}) \\
- @{text "term x \<equiv> (\<And>A. A \<Longrightarrow> A)"} \\[1ex]
- @{text "TYPE :: \<alpha> itself"} & (prefix @{text "TYPE"}) \\
- @{text "(unspecified)"} \\
- \end{tabular}
- \caption{Definitions of auxiliary connectives}\label{fig:pure-aux}
- \end{center}
- \end{figure}
-
- The introduction @{text "A \<Longrightarrow> B \<Longrightarrow> A &&& B"}, and eliminations
- (projections) @{text "A &&& B \<Longrightarrow> A"} and @{text "A &&& B \<Longrightarrow> B"} are
- available as derived rules. Conjunction allows to treat
- simultaneous assumptions and conclusions uniformly, e.g.\ consider
- @{text "A \<Longrightarrow> B \<Longrightarrow> C &&& D"}. In particular, the goal mechanism
- represents multiple claims as explicit conjunction internally, but
- this is refined (via backwards introduction) into separate sub-goals
- before the user commences the proof; the final result is projected
- into a list of theorems using eliminations (cf.\
- \secref{sec:tactical-goals}).
-
- The @{text "prop"} marker (@{text "#"}) makes arbitrarily complex
- propositions appear as atomic, without changing the meaning: @{text
- "\<Gamma> \<turnstile> A"} and @{text "\<Gamma> \<turnstile> #A"} are interchangeable. See
- \secref{sec:tactical-goals} for specific operations.
-
- The @{text "term"} marker turns any well-typed term into a derivable
- proposition: @{text "\<turnstile> TERM t"} holds unconditionally. Although
- this is logically vacuous, it allows to treat terms and proofs
- uniformly, similar to a type-theoretic framework.
-
- The @{text "TYPE"} constructor is the canonical representative of
- the unspecified type @{text "\<alpha> itself"}; it essentially injects the
- language of types into that of terms. There is specific notation
- @{text "TYPE(\<tau>)"} for @{text "TYPE\<^bsub>\<tau>
- itself\<^esub>"}.
- Although being devoid of any particular meaning, the term @{text
- "TYPE(\<tau>)"} accounts for the type @{text "\<tau>"} within the term
- language. In particular, @{text "TYPE(\<alpha>)"} may be used as formal
- argument in primitive definitions, in order to circumvent hidden
- polymorphism (cf.\ \secref{sec:terms}). For example, @{text "c
- TYPE(\<alpha>) \<equiv> A[\<alpha>]"} defines @{text "c :: \<alpha> itself \<Rightarrow> prop"} in terms of
- a proposition @{text "A"} that depends on an additional type
- argument, which is essentially a predicate on types.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Conjunction.intr: "thm -> thm -> thm"} \\
- @{index_ML Conjunction.elim: "thm -> thm * thm"} \\
- @{index_ML Drule.mk_term: "cterm -> thm"} \\
- @{index_ML Drule.dest_term: "thm -> cterm"} \\
- @{index_ML Logic.mk_type: "typ -> term"} \\
- @{index_ML Logic.dest_type: "term -> typ"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Conjunction.intr} derives @{text "A &&& B"} from @{text
- "A"} and @{text "B"}.
-
- \item @{ML Conjunction.elim} derives @{text "A"} and @{text "B"}
- from @{text "A &&& B"}.
-
- \item @{ML Drule.mk_term} derives @{text "TERM t"}.
-
- \item @{ML Drule.dest_term} recovers term @{text "t"} from @{text
- "TERM t"}.
-
- \item @{ML Logic.mk_type}~@{text "\<tau>"} produces the term @{text
- "TYPE(\<tau>)"}.
-
- \item @{ML Logic.dest_type}~@{text "TYPE(\<tau>)"} recovers the type
- @{text "\<tau>"}.
-
- \end{description}
-*}
-
-
-section {* Object-level rules \label{sec:obj-rules} *}
-
-text {*
- The primitive inferences covered so far mostly serve foundational
- purposes. User-level reasoning usually works via object-level rules
- that are represented as theorems of Pure. Composition of rules
- involves \emph{backchaining}, \emph{higher-order unification} modulo
- @{text "\<alpha>\<beta>\<eta>"}-conversion of @{text "\<lambda>"}-terms, and so-called
- \emph{lifting} of rules into a context of @{text "\<And>"} and @{text
- "\<Longrightarrow>"} connectives. Thus the full power of higher-order Natural
- Deduction in Isabelle/Pure becomes readily available.
-*}
-
-
-subsection {* Hereditary Harrop Formulae *}
-
-text {*
- The idea of object-level rules is to model Natural Deduction
- inferences in the style of Gentzen \cite{Gentzen:1935}, but we allow
- arbitrary nesting similar to \cite{extensions91}. The most basic
- rule format is that of a \emph{Horn Clause}:
- \[
- \infer{@{text "A"}}{@{text "A\<^sub>1"} & @{text "\<dots>"} & @{text "A\<^sub>n"}}
- \]
- where @{text "A, A\<^sub>1, \<dots>, A\<^sub>n"} are atomic propositions
- of the framework, usually of the form @{text "Trueprop B"}, where
- @{text "B"} is a (compound) object-level statement. This
- object-level inference corresponds to an iterated implication in
- Pure like this:
- \[
- @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> A"}
- \]
- As an example consider conjunction introduction: @{text "A \<Longrightarrow> B \<Longrightarrow> A \<and>
- B"}. Any parameters occurring in such rule statements are
- conceptionally treated as arbitrary:
- \[
- @{text "\<And>x\<^sub>1 \<dots> x\<^sub>m. A\<^sub>1 x\<^sub>1 \<dots> x\<^sub>m \<Longrightarrow> \<dots> A\<^sub>n x\<^sub>1 \<dots> x\<^sub>m \<Longrightarrow> A x\<^sub>1 \<dots> x\<^sub>m"}
- \]
-
- Nesting of rules means that the positions of @{text "A\<^sub>i"} may
- again hold compound rules, not just atomic propositions.
- Propositions of this format are called \emph{Hereditary Harrop
- Formulae} in the literature \cite{Miller:1991}. Here we give an
- inductive characterization as follows:
-
- \medskip
- \begin{tabular}{ll}
- @{text "\<^bold>x"} & set of variables \\
- @{text "\<^bold>A"} & set of atomic propositions \\
- @{text "\<^bold>H = \<And>\<^bold>x\<^sup>*. \<^bold>H\<^sup>* \<Longrightarrow> \<^bold>A"} & set of Hereditary Harrop Formulas \\
- \end{tabular}
- \medskip
-
- Thus we essentially impose nesting levels on propositions formed
- from @{text "\<And>"} and @{text "\<Longrightarrow>"}. At each level there is a prefix
- of parameters and compound premises, concluding an atomic
- proposition. Typical examples are @{text "\<longrightarrow>"}-introduction @{text
- "(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B"} or mathematical induction @{text "P 0 \<Longrightarrow> (\<And>n. P n
- \<Longrightarrow> P (Suc n)) \<Longrightarrow> P n"}. Even deeper nesting occurs in well-founded
- induction @{text "(\<And>x. (\<And>y. y \<prec> x \<Longrightarrow> P y) \<Longrightarrow> P x) \<Longrightarrow> P x"}, but this
- already marks the limit of rule complexity that is usually seen in
- practice.
-
- \medskip Regular user-level inferences in Isabelle/Pure always
- maintain the following canonical form of results:
-
- \begin{itemize}
-
- \item Normalization by @{text "(A \<Longrightarrow> (\<And>x. B x)) \<equiv> (\<And>x. A \<Longrightarrow> B x)"},
- which is a theorem of Pure, means that quantifiers are pushed in
- front of implication at each level of nesting. The normal form is a
- Hereditary Harrop Formula.
-
- \item The outermost prefix of parameters is represented via
- schematic variables: instead of @{text "\<And>\<^vec>x. \<^vec>H \<^vec>x
- \<Longrightarrow> A \<^vec>x"} we have @{text "\<^vec>H ?\<^vec>x \<Longrightarrow> A ?\<^vec>x"}.
- Note that this representation looses information about the order of
- parameters, and vacuous quantifiers vanish automatically.
-
- \end{itemize}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Simplifier.norm_hhf: "thm -> thm"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Simplifier.norm_hhf}~@{text thm} normalizes the given
- theorem according to the canonical form specified above. This is
- occasionally helpful to repair some low-level tools that do not
- handle Hereditary Harrop Formulae properly.
-
- \end{description}
-*}
-
-
-subsection {* Rule composition *}
-
-text {*
- The rule calculus of Isabelle/Pure provides two main inferences:
- @{inference resolution} (i.e.\ back-chaining of rules) and
- @{inference assumption} (i.e.\ closing a branch), both modulo
- higher-order unification. There are also combined variants, notably
- @{inference elim_resolution} and @{inference dest_resolution}.
-
- To understand the all-important @{inference resolution} principle,
- we first consider raw @{inference_def composition} (modulo
- higher-order unification with substitution @{text "\<vartheta>"}):
- \[
- \infer[(@{inference_def composition})]{@{text "\<^vec>A\<vartheta> \<Longrightarrow> C\<vartheta>"}}
- {@{text "\<^vec>A \<Longrightarrow> B"} & @{text "B' \<Longrightarrow> C"} & @{text "B\<vartheta> = B'\<vartheta>"}}
- \]
- Here the conclusion of the first rule is unified with the premise of
- the second; the resulting rule instance inherits the premises of the
- first and conclusion of the second. Note that @{text "C"} can again
- consist of iterated implications. We can also permute the premises
- of the second rule back-and-forth in order to compose with @{text
- "B'"} in any position (subsequently we shall always refer to
- position 1 w.l.o.g.).
-
- In @{inference composition} the internal structure of the common
- part @{text "B"} and @{text "B'"} is not taken into account. For
- proper @{inference resolution} we require @{text "B"} to be atomic,
- and explicitly observe the structure @{text "\<And>\<^vec>x. \<^vec>H
- \<^vec>x \<Longrightarrow> B' \<^vec>x"} of the premise of the second rule. The
- idea is to adapt the first rule by ``lifting'' it into this context,
- by means of iterated application of the following inferences:
- \[
- \infer[(@{inference_def imp_lift})]{@{text "(\<^vec>H \<Longrightarrow> \<^vec>A) \<Longrightarrow> (\<^vec>H \<Longrightarrow> B)"}}{@{text "\<^vec>A \<Longrightarrow> B"}}
- \]
- \[
- \infer[(@{inference_def all_lift})]{@{text "(\<And>\<^vec>x. \<^vec>A (?\<^vec>a \<^vec>x)) \<Longrightarrow> (\<And>\<^vec>x. B (?\<^vec>a \<^vec>x))"}}{@{text "\<^vec>A ?\<^vec>a \<Longrightarrow> B ?\<^vec>a"}}
- \]
- By combining raw composition with lifting, we get full @{inference
- resolution} as follows:
- \[
- \infer[(@{inference_def resolution})]
- {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (?\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
- {\begin{tabular}{l}
- @{text "\<^vec>A ?\<^vec>a \<Longrightarrow> B ?\<^vec>a"} \\
- @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
- @{text "(\<lambda>\<^vec>x. B (?\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
- \end{tabular}}
- \]
-
- Continued resolution of rules allows to back-chain a problem towards
- more and sub-problems. Branches are closed either by resolving with
- a rule of 0 premises, or by producing a ``short-circuit'' within a
- solved situation (again modulo unification):
- \[
- \infer[(@{inference_def assumption})]{@{text "C\<vartheta>"}}
- {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C"} & @{text "A\<vartheta> = H\<^sub>i\<vartheta>"}~~\text{(for some~@{text i})}}
- \]
-
- FIXME @{inference_def elim_resolution}, @{inference_def dest_resolution}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_op "RSN": "thm * (int * thm) -> thm"} \\
- @{index_ML_op "RS": "thm * thm -> thm"} \\
-
- @{index_ML_op "RLN": "thm list * (int * thm list) -> thm list"} \\
- @{index_ML_op "RL": "thm list * thm list -> thm list"} \\
-
- @{index_ML_op "MRS": "thm list * thm -> thm"} \\
- @{index_ML_op "OF": "thm * thm list -> thm"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{text "rule\<^sub>1 RSN (i, rule\<^sub>2)"} resolves the conclusion of
- @{text "rule\<^sub>1"} with the @{text i}-th premise of @{text "rule\<^sub>2"},
- according to the @{inference resolution} principle explained above.
- Unless there is precisely one resolvent it raises exception @{ML
- THM}.
-
- This corresponds to the rule attribute @{attribute THEN} in Isar
- source language.
-
- \item @{text "rule\<^sub>1 RS rule\<^sub>2"} abbreviates @{text "rule\<^sub>1 RS (1,
- rule\<^sub>2)"}.
-
- \item @{text "rules\<^sub>1 RLN (i, rules\<^sub>2)"} joins lists of rules. For
- every @{text "rule\<^sub>1"} in @{text "rules\<^sub>1"} and @{text "rule\<^sub>2"} in
- @{text "rules\<^sub>2"}, it resolves the conclusion of @{text "rule\<^sub>1"} with
- the @{text "i"}-th premise of @{text "rule\<^sub>2"}, accumulating multiple
- results in one big list. Note that such strict enumerations of
- higher-order unifications can be inefficient compared to the lazy
- variant seen in elementary tactics like @{ML resolve_tac}.
-
- \item @{text "rules\<^sub>1 RL rules\<^sub>2"} abbreviates @{text "rules\<^sub>1 RLN (1,
- rules\<^sub>2)"}.
-
- \item @{text "[rule\<^sub>1, \<dots>, rule\<^sub>n] MRS rule"} resolves @{text "rule\<^isub>i"}
- against premise @{text "i"} of @{text "rule"}, for @{text "i = n, \<dots>,
- 1"}. By working from right to left, newly emerging premises are
- concatenated in the result, without interfering.
-
- \item @{text "rule OF rules"} is an alternative notation for @{text
- "rules MRS rule"}, which makes rule composition look more like
- function application. Note that the argument @{text "rules"} need
- not be atomic.
-
- This corresponds to the rule attribute @{attribute OF} in Isar
- source language.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarImplementation/ML.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1777 +0,0 @@
-theory "ML"
-imports Base
-begin
-
-chapter {* Isabelle/ML *}
-
-text {* Isabelle/ML is best understood as a certain culture based on
- Standard ML. Thus it is not a new programming language, but a
- certain way to use SML at an advanced level within the Isabelle
- environment. This covers a variety of aspects that are geared
- towards an efficient and robust platform for applications of formal
- logic with fully foundational proof construction --- according to
- the well-known \emph{LCF principle}. There is specific
- infrastructure with library modules to address the needs of this
- difficult task. For example, the raw parallel programming model of
- Poly/ML is presented as considerably more abstract concept of
- \emph{future values}, which is then used to augment the inference
- kernel, proof interpreter, and theory loader accordingly.
-
- The main aspects of Isabelle/ML are introduced below. These
- first-hand explanations should help to understand how proper
- Isabelle/ML is to be read and written, and to get access to the
- wealth of experience that is expressed in the source text and its
- history of changes.\footnote{See
- \url{http://isabelle.in.tum.de/repos/isabelle} for the full
- Mercurial history. There are symbolic tags to refer to official
- Isabelle releases, as opposed to arbitrary \emph{tip} versions that
- merely reflect snapshots that are never really up-to-date.} *}
-
-
-section {* Style and orthography *}
-
-text {* The sources of Isabelle/Isar are optimized for
- \emph{readability} and \emph{maintainability}. The main purpose is
- to tell an informed reader what is really going on and how things
- really work. This is a non-trivial aim, but it is supported by a
- certain style of writing Isabelle/ML that has emerged from long
- years of system development.\footnote{See also the interesting style
- guide for OCaml
- \url{http://caml.inria.fr/resources/doc/guides/guidelines.en.html}
- which shares many of our means and ends.}
-
- The main principle behind any coding style is \emph{consistency}.
- For a single author of a small program this merely means ``choose
- your style and stick to it''. A complex project like Isabelle, with
- long years of development and different contributors, requires more
- standardization. A coding style that is changed every few years or
- with every new contributor is no style at all, because consistency
- is quickly lost. Global consistency is hard to achieve, though.
- Nonetheless, one should always strive at least for local consistency
- of modules and sub-systems, without deviating from some general
- principles how to write Isabelle/ML.
-
- In a sense, good coding style is like an \emph{orthography} for the
- sources: it helps to read quickly over the text and see through the
- main points, without getting distracted by accidental presentation
- of free-style code.
-*}
-
-
-subsection {* Header and sectioning *}
-
-text {* Isabelle source files have a certain standardized header
- format (with precise spacing) that follows ancient traditions
- reaching back to the earliest versions of the system by Larry
- Paulson. See @{file "~~/src/Pure/thm.ML"}, for example.
-
- The header includes at least @{verbatim Title} and @{verbatim
- Author} entries, followed by a prose description of the purpose of
- the module. The latter can range from a single line to several
- paragraphs of explanations.
-
- The rest of the file is divided into sections, subsections,
- subsubsections, paragraphs etc.\ using a simple layout via ML
- comments as follows.
-
-\begin{verbatim}
-(*** section ***)
-
-(** subsection **)
-
-(* subsubsection *)
-
-(*short paragraph*)
-
-(*
- long paragraph,
- with more text
-*)
-\end{verbatim}
-
- As in regular typography, there is some extra space \emph{before}
- section headings that are adjacent to plain text (not other headings
- as in the example above).
-
- \medskip The precise wording of the prose text given in these
- headings is chosen carefully to introduce the main theme of the
- subsequent formal ML text.
-*}
-
-
-subsection {* Naming conventions *}
-
-text {* Since ML is the primary medium to express the meaning of the
- source text, naming of ML entities requires special care.
-
- \paragraph{Notation.} A name consists of 1--3 \emph{words} (rarely
- 4, but not more) that are separated by underscore. There are three
- variants concerning upper or lower case letters, which are used for
- certain ML categories as follows:
-
- \medskip
- \begin{tabular}{lll}
- variant & example & ML categories \\\hline
- lower-case & @{ML_text foo_bar} & values, types, record fields \\
- capitalized & @{ML_text Foo_Bar} & datatype constructors, structures, functors \\
- upper-case & @{ML_text FOO_BAR} & special values, exception constructors, signatures \\
- \end{tabular}
- \medskip
-
- For historical reasons, many capitalized names omit underscores,
- e.g.\ old-style @{ML_text FooBar} instead of @{ML_text Foo_Bar}.
- Genuine mixed-case names are \emph{not} used, because clear division
- of words is essential for readability.\footnote{Camel-case was
- invented to workaround the lack of underscore in some early
- non-ASCII character sets. Later it became habitual in some language
- communities that are now strong in numbers.}
-
- A single (capital) character does not count as ``word'' in this
- respect: some Isabelle/ML names are suffixed by extra markers like
- this: @{ML_text foo_barT}.
-
- Name variants are produced by adding 1--3 primes, e.g.\ @{ML_text
- foo'}, @{ML_text foo''}, or @{ML_text foo'''}, but not @{ML_text
- foo''''} or more. Decimal digits scale better to larger numbers,
- e.g.\ @{ML_text foo0}, @{ML_text foo1}, @{ML_text foo42}.
-
- \paragraph{Scopes.} Apart from very basic library modules, ML
- structures are not ``opened'', but names are referenced with
- explicit qualification, as in @{ML Syntax.string_of_term} for
- example. When devising names for structures and their components it
- is important aim at eye-catching compositions of both parts, because
- this is how they are seen in the sources and documentation. For the
- same reasons, aliases of well-known library functions should be
- avoided.
-
- Local names of function abstraction or case/let bindings are
- typically shorter, sometimes using only rudiments of ``words'',
- while still avoiding cryptic shorthands. An auxiliary function
- called @{ML_text helper}, @{ML_text aux}, or @{ML_text f} is
- considered bad style.
-
- Example:
-
- \begin{verbatim}
- (* RIGHT *)
-
- fun print_foo ctxt foo =
- let
- fun print t = ... Syntax.string_of_term ctxt t ...
- in ... end;
-
-
- (* RIGHT *)
-
- fun print_foo ctxt foo =
- let
- val string_of_term = Syntax.string_of_term ctxt;
- fun print t = ... string_of_term t ...
- in ... end;
-
-
- (* WRONG *)
-
- val string_of_term = Syntax.string_of_term;
-
- fun print_foo ctxt foo =
- let
- fun aux t = ... string_of_term ctxt t ...
- in ... end;
-
- \end{verbatim}
-
-
- \paragraph{Specific conventions.} Here are some specific name forms
- that occur frequently in the sources.
-
- \begin{itemize}
-
- \item A function that maps @{ML_text foo} to @{ML_text bar} is
- called @{ML_text foo_to_bar} or @{ML_text bar_of_foo} (never
- @{ML_text foo2bar}, @{ML_text bar_from_foo}, @{ML_text
- bar_for_foo}, or @{ML_text bar4foo}).
-
- \item The name component @{ML_text legacy} means that the operation
- is about to be discontinued soon.
-
- \item The name component @{ML_text old} means that this is historic
- material that might disappear at some later stage.
-
- \item The name component @{ML_text global} means that this works
- with the background theory instead of the regular local context
- (\secref{sec:context}), sometimes for historical reasons, sometimes
- due a genuine lack of locality of the concept involved, sometimes as
- a fall-back for the lack of a proper context in the application
- code. Whenever there is a non-global variant available, the
- application should be migrated to use it with a proper local
- context.
-
- \item Variables of the main context types of the Isabelle/Isar
- framework (\secref{sec:context} and \chref{ch:local-theory}) have
- firm naming conventions as follows:
-
- \begin{itemize}
-
- \item theories are called @{ML_text thy}, rarely @{ML_text theory}
- (never @{ML_text thry})
-
- \item proof contexts are called @{ML_text ctxt}, rarely @{ML_text
- context} (never @{ML_text ctx})
-
- \item generic contexts are called @{ML_text context}, rarely
- @{ML_text ctxt}
-
- \item local theories are called @{ML_text lthy}, except for local
- theories that are treated as proof context (which is a semantic
- super-type)
-
- \end{itemize}
-
- Variations with primed or decimal numbers are always possible, as
- well as sematic prefixes like @{ML_text foo_thy} or @{ML_text
- bar_ctxt}, but the base conventions above need to be preserved.
- This allows to visualize the their data flow via plain regular
- expressions in the editor.
-
- \item The main logical entities (\secref{ch:logic}) have established
- naming convention as follows:
-
- \begin{itemize}
-
- \item sorts are called @{ML_text S}
-
- \item types are called @{ML_text T}, @{ML_text U}, or @{ML_text
- ty} (never @{ML_text t})
-
- \item terms are called @{ML_text t}, @{ML_text u}, or @{ML_text
- tm} (never @{ML_text trm})
-
- \item certified types are called @{ML_text cT}, rarely @{ML_text
- T}, with variants as for types
-
- \item certified terms are called @{ML_text ct}, rarely @{ML_text
- t}, with variants as for terms
-
- \item theorems are called @{ML_text th}, or @{ML_text thm}
-
- \end{itemize}
-
- Proper semantic names override these conventions completely. For
- example, the left-hand side of an equation (as a term) can be called
- @{ML_text lhs} (not @{ML_text lhs_tm}). Or a term that is known
- to be a variable can be called @{ML_text v} or @{ML_text x}.
-
- \item Tactics (\secref{sec:tactics}) are sufficiently important to
- have specific naming conventions. The name of a basic tactic
- definition always has a @{ML_text "_tac"} suffix, the subgoal index
- (if applicable) is always called @{ML_text i}, and the goal state
- (if made explicit) is usually called @{ML_text st} instead of the
- somewhat misleading @{ML_text thm}. Any other arguments are given
- before the latter two, and the general context is given first.
- Example:
-
- \begin{verbatim}
- fun my_tac ctxt arg1 arg2 i st = ...
- \end{verbatim}
-
- Note that the goal state @{ML_text st} above is rarely made
- explicit, if tactic combinators (tacticals) are used as usual.
-
- \end{itemize}
-*}
-
-
-subsection {* General source layout *}
-
-text {* The general Isabelle/ML source layout imitates regular
- type-setting to some extent, augmented by the requirements for
- deeply nested expressions that are commonplace in functional
- programming.
-
- \paragraph{Line length} is 80 characters according to ancient
- standards, but we allow as much as 100 characters (not
- more).\footnote{Readability requires to keep the beginning of a line
- in view while watching its end. Modern wide-screen displays do not
- change the way how the human brain works. Sources also need to be
- printable on plain paper with reasonable font-size.} The extra 20
- characters acknowledge the space requirements due to qualified
- library references in Isabelle/ML.
-
- \paragraph{White-space} is used to emphasize the structure of
- expressions, following mostly standard conventions for mathematical
- typesetting, as can be seen in plain {\TeX} or {\LaTeX}. This
- defines positioning of spaces for parentheses, punctuation, and
- infixes as illustrated here:
-
- \begin{verbatim}
- val x = y + z * (a + b);
- val pair = (a, b);
- val record = {foo = 1, bar = 2};
- \end{verbatim}
-
- Lines are normally broken \emph{after} an infix operator or
- punctuation character. For example:
-
- \begin{verbatim}
- val x =
- a +
- b +
- c;
-
- val tuple =
- (a,
- b,
- c);
- \end{verbatim}
-
- Some special infixes (e.g.\ @{ML_text "|>"}) work better at the
- start of the line, but punctuation is always at the end.
-
- Function application follows the tradition of @{text "\<lambda>"}-calculus,
- not informal mathematics. For example: @{ML_text "f a b"} for a
- curried function, or @{ML_text "g (a, b)"} for a tupled function.
- Note that the space between @{ML_text g} and the pair @{ML_text
- "(a, b)"} follows the important principle of
- \emph{compositionality}: the layout of @{ML_text "g p"} does not
- change when @{ML_text "p"} is refined to the concrete pair
- @{ML_text "(a, b)"}.
-
- \paragraph{Indentation} uses plain spaces, never hard
- tabulators.\footnote{Tabulators were invented to move the carriage
- of a type-writer to certain predefined positions. In software they
- could be used as a primitive run-length compression of consecutive
- spaces, but the precise result would depend on non-standardized
- editor configuration.}
-
- Each level of nesting is indented by 2 spaces, sometimes 1, very
- rarely 4, never 8 or any other odd number.
-
- Indentation follows a simple logical format that only depends on the
- nesting depth, not the accidental length of the text that initiates
- a level of nesting. Example:
-
- \begin{verbatim}
- (* RIGHT *)
-
- if b then
- expr1_part1
- expr1_part2
- else
- expr2_part1
- expr2_part2
-
-
- (* WRONG *)
-
- if b then expr1_part1
- expr1_part2
- else expr2_part1
- expr2_part2
- \end{verbatim}
-
- The second form has many problems: it assumes a fixed-width font
- when viewing the sources, it uses more space on the line and thus
- makes it hard to observe its strict length limit (working against
- \emph{readability}), it requires extra editing to adapt the layout
- to changes of the initial text (working against
- \emph{maintainability}) etc.
-
- \medskip For similar reasons, any kind of two-dimensional or tabular
- layouts, ASCII-art with lines or boxes of asterisks etc.\ should be
- avoided.
-
- \paragraph{Complex expressions} that consist of multi-clausal
- function definitions, @{ML_text handle}, @{ML_text case},
- @{ML_text let} (and combinations) require special attention. The
- syntax of Standard ML is quite ambitious and admits a lot of
- variance that can distort the meaning of the text.
-
- Clauses of @{ML_text fun}, @{ML_text fn}, @{ML_text handle},
- @{ML_text case} get extra indentation to indicate the nesting
- clearly. Example:
-
- \begin{verbatim}
- (* RIGHT *)
-
- fun foo p1 =
- expr1
- | foo p2 =
- expr2
-
-
- (* WRONG *)
-
- fun foo p1 =
- expr1
- | foo p2 =
- expr2
- \end{verbatim}
-
- Body expressions consisting of @{ML_text case} or @{ML_text let}
- require care to maintain compositionality, to prevent loss of
- logical indentation where it is especially important to see the
- structure of the text. Example:
-
- \begin{verbatim}
- (* RIGHT *)
-
- fun foo p1 =
- (case e of
- q1 => ...
- | q2 => ...)
- | foo p2 =
- let
- ...
- in
- ...
- end
-
-
- (* WRONG *)
-
- fun foo p1 = case e of
- q1 => ...
- | q2 => ...
- | foo p2 =
- let
- ...
- in
- ...
- end
- \end{verbatim}
-
- Extra parentheses around @{ML_text case} expressions are optional,
- but help to analyse the nesting based on character matching in the
- editor.
-
- \medskip There are two main exceptions to the overall principle of
- compositionality in the layout of complex expressions.
-
- \begin{enumerate}
-
- \item @{ML_text "if"} expressions are iterated as if there would be
- a multi-branch conditional in SML, e.g.
-
- \begin{verbatim}
- (* RIGHT *)
-
- if b1 then e1
- else if b2 then e2
- else e3
- \end{verbatim}
-
- \item @{ML_text fn} abstractions are often layed-out as if they
- would lack any structure by themselves. This traditional form is
- motivated by the possibility to shift function arguments back and
- forth wrt.\ additional combinators. Example:
-
- \begin{verbatim}
- (* RIGHT *)
-
- fun foo x y = fold (fn z =>
- expr)
- \end{verbatim}
-
- Here the visual appearance is that of three arguments @{ML_text x},
- @{ML_text y}, @{ML_text z}.
-
- \end{enumerate}
-
- Such weakly structured layout should be use with great care. Here
- are some counter-examples involving @{ML_text let} expressions:
-
- \begin{verbatim}
- (* WRONG *)
-
- fun foo x = let
- val y = ...
- in ... end
-
-
- (* WRONG *)
-
- fun foo x = let
- val y = ...
- in ... end
-
-
- (* WRONG *)
-
- fun foo x =
- let
- val y = ...
- in ... end
- \end{verbatim}
-
- \medskip In general the source layout is meant to emphasize the
- structure of complex language expressions, not to pretend that SML
- had a completely different syntax (say that of Haskell or Java).
-*}
-
-
-section {* SML embedded into Isabelle/Isar *}
-
-text {* ML and Isar are intertwined via an open-ended bootstrap
- process that provides more and more programming facilities and
- logical content in an alternating manner. Bootstrapping starts from
- the raw environment of existing implementations of Standard ML
- (mainly Poly/ML, but also SML/NJ).
-
- Isabelle/Pure marks the point where the original ML toplevel is
- superseded by the Isar toplevel that maintains a uniform context for
- arbitrary ML values (see also \secref{sec:context}). This formal
- environment holds ML compiler bindings, logical entities, and many
- other things. Raw SML is never encountered again after the initial
- bootstrap of Isabelle/Pure.
-
- Object-logics like Isabelle/HOL are built within the
- Isabelle/ML/Isar environment by introducing suitable theories with
- associated ML modules, either inlined or as separate files. Thus
- Isabelle/HOL is defined as a regular user-space application within
- the Isabelle framework. Further add-on tools can be implemented in
- ML within the Isar context in the same manner: ML is part of the
- standard repertoire of Isabelle, and there is no distinction between
- ``user'' and ``developer'' in this respect.
-*}
-
-
-subsection {* Isar ML commands *}
-
-text {* The primary Isar source language provides facilities to ``open
- a window'' to the underlying ML compiler. Especially see the Isar
- commands @{command_ref "use"} and @{command_ref "ML"}: both work the
- same way, only the source text is provided via a file vs.\ inlined,
- respectively. Apart from embedding ML into the main theory
- definition like that, there are many more commands that refer to ML
- source, such as @{command_ref setup} or @{command_ref declaration}.
- Even more fine-grained embedding of ML into Isar is encountered in
- the proof method @{method_ref tactic}, which refines the pending
- goal state via a given expression of type @{ML_type tactic}.
-*}
-
-text %mlex {* The following artificial example demonstrates some ML
- toplevel declarations within the implicit Isar theory context. This
- is regular functional programming without referring to logical
- entities yet.
-*}
-
-ML {*
- fun factorial 0 = 1
- | factorial n = n * factorial (n - 1)
-*}
-
-text {* Here the ML environment is already managed by Isabelle, i.e.\
- the @{ML factorial} function is not yet accessible in the preceding
- paragraph, nor in a different theory that is independent from the
- current one in the import hierarchy.
-
- Removing the above ML declaration from the source text will remove
- any trace of this definition as expected. The Isabelle/ML toplevel
- environment is managed in a \emph{stateless} way: unlike the raw ML
- toplevel there are no global side-effects involved
- here.\footnote{Such a stateless compilation environment is also a
- prerequisite for robust parallel compilation within independent
- nodes of the implicit theory development graph.}
-
- \medskip The next example shows how to embed ML into Isar proofs, using
- @{command_ref "ML_prf"} instead of Instead of @{command_ref "ML"}.
- As illustrated below, the effect on the ML environment is local to
- the whole proof body, ignoring the block structure.
-*}
-
-notepad
-begin
- ML_prf %"ML" {* val a = 1 *}
- {
- ML_prf %"ML" {* val b = a + 1 *}
- } -- {* Isar block structure ignored by ML environment *}
- ML_prf %"ML" {* val c = b + 1 *}
-end
-
-text {* By side-stepping the normal scoping rules for Isar proof
- blocks, embedded ML code can refer to the different contexts and
- manipulate corresponding entities, e.g.\ export a fact from a block
- context.
-
- \medskip Two further ML commands are useful in certain situations:
- @{command_ref ML_val} and @{command_ref ML_command} are
- \emph{diagnostic} in the sense that there is no effect on the
- underlying environment, and can thus used anywhere (even outside a
- theory). The examples below produce long strings of digits by
- invoking @{ML factorial}: @{command ML_val} already takes care of
- printing the ML toplevel result, but @{command ML_command} is silent
- so we produce an explicit output message. *}
-
-ML_val {* factorial 100 *}
-ML_command {* writeln (string_of_int (factorial 100)) *}
-
-notepad
-begin
- ML_val {* factorial 100 *} (* FIXME check/fix indentation *)
- ML_command {* writeln (string_of_int (factorial 100)) *}
-end
-
-
-subsection {* Compile-time context *}
-
-text {* Whenever the ML compiler is invoked within Isabelle/Isar, the
- formal context is passed as a thread-local reference variable. Thus
- ML code may access the theory context during compilation, by reading
- or writing the (local) theory under construction. Note that such
- direct access to the compile-time context is rare. In practice it
- is typically done via some derived ML functions instead.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML ML_Context.the_generic_context: "unit -> Context.generic"} \\
- @{index_ML "Context.>>": "(Context.generic -> Context.generic) -> unit"} \\
- @{index_ML bind_thms: "string * thm list -> unit"} \\
- @{index_ML bind_thm: "string * thm -> unit"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML "ML_Context.the_generic_context ()"} refers to the theory
- context of the ML toplevel --- at compile time. ML code needs to
- take care to refer to @{ML "ML_Context.the_generic_context ()"}
- correctly. Recall that evaluation of a function body is delayed
- until actual run-time.
-
- \item @{ML "Context.>>"}~@{text f} applies context transformation
- @{text f} to the implicit context of the ML toplevel.
-
- \item @{ML bind_thms}~@{text "(name, thms)"} stores a list of
- theorems produced in ML both in the (global) theory context and the
- ML toplevel, associating it with the provided name. Theorems are
- put into a global ``standard'' format before being stored.
-
- \item @{ML bind_thm} is similar to @{ML bind_thms} but refers to a
- singleton fact.
-
- \end{description}
-
- It is important to note that the above functions are really
- restricted to the compile time, even though the ML compiler is
- invoked at run-time. The majority of ML code either uses static
- antiquotations (\secref{sec:ML-antiq}) or refers to the theory or
- proof context at run-time, by explicit functional abstraction.
-*}
-
-
-subsection {* Antiquotations \label{sec:ML-antiq} *}
-
-text {* A very important consequence of embedding SML into Isar is the
- concept of \emph{ML antiquotation}. The standard token language of
- ML is augmented by special syntactic entities of the following form:
-
- @{rail "
- @{syntax_def antiquote}: '@{' nameref args '}' | '\<lbrace>' | '\<rbrace>'
- "}
-
- Here @{syntax nameref} and @{syntax args} are regular outer syntax
- categories \cite{isabelle-isar-ref}. Attributes and proof methods
- use similar syntax.
-
- \medskip A regular antiquotation @{text "@{name args}"} processes
- its arguments by the usual means of the Isar source language, and
- produces corresponding ML source text, either as literal
- \emph{inline} text (e.g. @{text "@{term t}"}) or abstract
- \emph{value} (e.g. @{text "@{thm th}"}). This pre-compilation
- scheme allows to refer to formal entities in a robust manner, with
- proper static scoping and with some degree of logical checking of
- small portions of the code.
-
- Special antiquotations like @{text "@{let \<dots>}"} or @{text "@{note
- \<dots>}"} augment the compilation context without generating code. The
- non-ASCII braces @{text "\<lbrace>"} and @{text "\<rbrace>"} allow to delimit the
- effect by introducing local blocks within the pre-compilation
- environment.
-
- \medskip See also \cite{Wenzel-Chaieb:2007b} for a broader
- perspective on Isabelle/ML antiquotations. *}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "let"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "note"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation let} ((term + @'and') '=' term + @'and')
- ;
- @@{ML_antiquotation note} (thmdef? thmrefs + @'and')
- "}
-
- \begin{description}
-
- \item @{text "@{let p = t}"} binds schematic variables in the
- pattern @{text "p"} by higher-order matching against the term @{text
- "t"}. This is analogous to the regular @{command_ref let} command
- in the Isar proof language. The pre-compilation environment is
- augmented by auxiliary term bindings, without emitting ML source.
-
- \item @{text "@{note a = b\<^sub>1 \<dots> b\<^sub>n}"} recalls existing facts @{text
- "b\<^sub>1, \<dots>, b\<^sub>n"}, binding the result as @{text a}. This is analogous to
- the regular @{command_ref note} command in the Isar proof language.
- The pre-compilation environment is augmented by auxiliary fact
- bindings, without emitting ML source.
-
- \end{description}
-*}
-
-text %mlex {* The following artificial example gives some impression
- about the antiquotation elements introduced so far, together with
- the important @{text "@{thm}"} antiquotation defined later.
-*}
-
-ML {*
- \<lbrace>
- @{let ?t = my_term}
- @{note my_refl = reflexive [of ?t]}
- fun foo th = Thm.transitive th @{thm my_refl}
- \<rbrace>
-*}
-
-text {* The extra block delimiters do not affect the compiled code
- itself, i.e.\ function @{ML foo} is available in the present context
- of this paragraph.
-*}
-
-
-section {* Canonical argument order \label{sec:canonical-argument-order} *}
-
-text {* Standard ML is a language in the tradition of @{text
- "\<lambda>"}-calculus and \emph{higher-order functional programming},
- similar to OCaml, Haskell, or Isabelle/Pure and HOL as logical
- languages. Getting acquainted with the native style of representing
- functions in that setting can save a lot of extra boiler-plate of
- redundant shuffling of arguments, auxiliary abstractions etc.
-
- Functions are usually \emph{curried}: the idea of turning arguments
- of type @{text "\<tau>\<^sub>i"} (for @{text "i \<in> {1, \<dots> n}"}) into a result of
- type @{text "\<tau>"} is represented by the iterated function space
- @{text "\<tau>\<^sub>1 \<rightarrow> \<dots> \<rightarrow> \<tau>\<^sub>n \<rightarrow> \<tau>"}. This is isomorphic to the well-known
- encoding via tuples @{text "\<tau>\<^sub>1 \<times> \<dots> \<times> \<tau>\<^sub>n \<rightarrow> \<tau>"}, but the curried
- version fits more smoothly into the basic calculus.\footnote{The
- difference is even more significant in higher-order logic, because
- the redundant tuple structure needs to be accommodated by formal
- reasoning.}
-
- Currying gives some flexiblity due to \emph{partial application}. A
- function @{text "f: \<tau>\<^sub>1 \<rightarrow> \<tau>\<^bsub>2\<^esub> \<rightarrow> \<tau>"} can be applied to @{text "x: \<tau>\<^sub>1"}
- and the remaining @{text "(f x): \<tau>\<^sub>2 \<rightarrow> \<tau>"} passed to another function
- etc. How well this works in practice depends on the order of
- arguments. In the worst case, arguments are arranged erratically,
- and using a function in a certain situation always requires some
- glue code. Thus we would get exponentially many oppurtunities to
- decorate the code with meaningless permutations of arguments.
-
- This can be avoided by \emph{canonical argument order}, which
- observes certain standard patterns and minimizes adhoc permutations
- in their application. In Isabelle/ML, large portions of text can be
- written without ever using @{text "swap: \<alpha> \<times> \<beta> \<rightarrow> \<beta> \<times> \<alpha>"}, or the
- combinator @{text "C: (\<alpha> \<rightarrow> \<beta> \<rightarrow> \<gamma>) \<rightarrow> (\<beta> \<rightarrow> \<alpha> \<rightarrow> \<gamma>)"} that is not even
- defined in our library.
-
- \medskip The basic idea is that arguments that vary less are moved
- further to the left than those that vary more. Two particularly
- important categories of functions are \emph{selectors} and
- \emph{updates}.
-
- The subsequent scheme is based on a hypothetical set-like container
- of type @{text "\<beta>"} that manages elements of type @{text "\<alpha>"}. Both
- the names and types of the associated operations are canonical for
- Isabelle/ML.
-
- \medskip
- \begin{tabular}{ll}
- kind & canonical name and type \\\hline
- selector & @{text "member: \<beta> \<rightarrow> \<alpha> \<rightarrow> bool"} \\
- update & @{text "insert: \<alpha> \<rightarrow> \<beta> \<rightarrow> \<beta>"} \\
- \end{tabular}
- \medskip
-
- Given a container @{text "B: \<beta>"}, the partially applied @{text
- "member B"} is a predicate over elements @{text "\<alpha> \<rightarrow> bool"}, and
- thus represents the intended denotation directly. It is customary
- to pass the abstract predicate to further operations, not the
- concrete container. The argument order makes it easy to use other
- combinators: @{text "forall (member B) list"} will check a list of
- elements for membership in @{text "B"} etc. Often the explicit
- @{text "list"} is pointless and can be contracted to @{text "forall
- (member B)"} to get directly a predicate again.
-
- In contrast, an update operation varies the container, so it moves
- to the right: @{text "insert a"} is a function @{text "\<beta> \<rightarrow> \<beta>"} to
- insert a value @{text "a"}. These can be composed naturally as
- @{text "insert c \<circ> insert b \<circ> insert a"}. The slightly awkward
- inversion of the composition order is due to conventional
- mathematical notation, which can be easily amended as explained
- below.
-*}
-
-
-subsection {* Forward application and composition *}
-
-text {* Regular function application and infix notation works best for
- relatively deeply structured expressions, e.g.\ @{text "h (f x y + g
- z)"}. The important special case of \emph{linear transformation}
- applies a cascade of functions @{text "f\<^sub>n (\<dots> (f\<^sub>1 x))"}. This
- becomes hard to read and maintain if the functions are themselves
- given as complex expressions. The notation can be significantly
- improved by introducing \emph{forward} versions of application and
- composition as follows:
-
- \medskip
- \begin{tabular}{lll}
- @{text "x |> f"} & @{text "\<equiv>"} & @{text "f x"} \\
- @{text "(f #> g) x"} & @{text "\<equiv>"} & @{text "x |> f |> g"} \\
- \end{tabular}
- \medskip
-
- This enables to write conveniently @{text "x |> f\<^sub>1 |> \<dots> |> f\<^sub>n"} or
- @{text "f\<^sub>1 #> \<dots> #> f\<^sub>n"} for its functional abstraction over @{text
- "x"}.
-
- \medskip There is an additional set of combinators to accommodate
- multiple results (via pairs) that are passed on as multiple
- arguments (via currying).
-
- \medskip
- \begin{tabular}{lll}
- @{text "(x, y) |-> f"} & @{text "\<equiv>"} & @{text "f x y"} \\
- @{text "(f #-> g) x"} & @{text "\<equiv>"} & @{text "x |> f |-> g"} \\
- \end{tabular}
- \medskip
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_op "|> ": "'a * ('a -> 'b) -> 'b"} \\
- @{index_ML_op "|-> ": "('c * 'a) * ('c -> 'a -> 'b) -> 'b"} \\
- @{index_ML_op "#> ": "('a -> 'b) * ('b -> 'c) -> 'a -> 'c"} \\
- @{index_ML_op "#-> ": "('a -> 'c * 'b) * ('c -> 'b -> 'd) -> 'a -> 'd"} \\
- \end{mldecls}
-
- %FIXME description!?
-*}
-
-
-subsection {* Canonical iteration *}
-
-text {* As explained above, a function @{text "f: \<alpha> \<rightarrow> \<beta> \<rightarrow> \<beta>"} can be
- understood as update on a configuration of type @{text "\<beta>"},
- parametrized by arguments of type @{text "\<alpha>"}. Given @{text "a: \<alpha>"}
- the partial application @{text "(f a): \<beta> \<rightarrow> \<beta>"} operates
- homogeneously on @{text "\<beta>"}. This can be iterated naturally over a
- list of parameters @{text "[a\<^sub>1, \<dots>, a\<^sub>n]"} as @{text "f a\<^sub>1 #> \<dots> #> f
- a\<^bsub>n\<^esub>\<^bsub>\<^esub>"}. The latter expression is again a function @{text "\<beta> \<rightarrow> \<beta>"}.
- It can be applied to an initial configuration @{text "b: \<beta>"} to
- start the iteration over the given list of arguments: each @{text
- "a"} in @{text "a\<^sub>1, \<dots>, a\<^sub>n"} is applied consecutively by updating a
- cumulative configuration.
-
- The @{text fold} combinator in Isabelle/ML lifts a function @{text
- "f"} as above to its iterated version over a list of arguments.
- Lifting can be repeated, e.g.\ @{text "(fold \<circ> fold) f"} iterates
- over a list of lists as expected.
-
- The variant @{text "fold_rev"} works inside-out over the list of
- arguments, such that @{text "fold_rev f \<equiv> fold f \<circ> rev"} holds.
-
- The @{text "fold_map"} combinator essentially performs @{text
- "fold"} and @{text "map"} simultaneously: each application of @{text
- "f"} produces an updated configuration together with a side-result;
- the iteration collects all such side-results as a separate list.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML fold: "('a -> 'b -> 'b) -> 'a list -> 'b -> 'b"} \\
- @{index_ML fold_rev: "('a -> 'b -> 'b) -> 'a list -> 'b -> 'b"} \\
- @{index_ML fold_map: "('a -> 'b -> 'c * 'b) -> 'a list -> 'b -> 'c list * 'b"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML fold}~@{text f} lifts the parametrized update function
- @{text "f"} to a list of parameters.
-
- \item @{ML fold_rev}~@{text "f"} is similar to @{ML fold}~@{text
- "f"}, but works inside-out.
-
- \item @{ML fold_map}~@{text "f"} lifts the parametrized update
- function @{text "f"} (with side-result) to a list of parameters and
- cumulative side-results.
-
- \end{description}
-
- \begin{warn}
- The literature on functional programming provides a multitude of
- combinators called @{text "foldl"}, @{text "foldr"} etc. SML97
- provides its own variations as @{ML List.foldl} and @{ML
- List.foldr}, while the classic Isabelle library also has the
- historic @{ML Library.foldl} and @{ML Library.foldr}. To avoid
- further confusion, all of this should be ignored, and @{ML fold} (or
- @{ML fold_rev}) used exclusively.
- \end{warn}
-*}
-
-text %mlex {* The following example shows how to fill a text buffer
- incrementally by adding strings, either individually or from a given
- list.
-*}
-
-ML {*
- val s =
- Buffer.empty
- |> Buffer.add "digits: "
- |> fold (Buffer.add o string_of_int) (0 upto 9)
- |> Buffer.content;
-
- @{assert} (s = "digits: 0123456789");
-*}
-
-text {* Note how @{ML "fold (Buffer.add o string_of_int)"} above saves
- an extra @{ML "map"} over the given list. This kind of peephole
- optimization reduces both the code size and the tree structures in
- memory (``deforestation''), but requires some practice to read and
- write it fluently.
-
- \medskip The next example elaborates the idea of canonical
- iteration, demonstrating fast accumulation of tree content using a
- text buffer.
-*}
-
-ML {*
- datatype tree = Text of string | Elem of string * tree list;
-
- fun slow_content (Text txt) = txt
- | slow_content (Elem (name, ts)) =
- "<" ^ name ^ ">" ^
- implode (map slow_content ts) ^
- "</" ^ name ^ ">"
-
- fun add_content (Text txt) = Buffer.add txt
- | add_content (Elem (name, ts)) =
- Buffer.add ("<" ^ name ^ ">") #>
- fold add_content ts #>
- Buffer.add ("</" ^ name ^ ">");
-
- fun fast_content tree =
- Buffer.empty |> add_content tree |> Buffer.content;
-*}
-
-text {* The slow part of @{ML slow_content} is the @{ML implode} of
- the recursive results, because it copies previously produced strings
- again.
-
- The incremental @{ML add_content} avoids this by operating on a
- buffer that is passed through in a linear fashion. Using @{ML_text
- "#>"} and contraction over the actual buffer argument saves some
- additional boiler-plate. Of course, the two @{ML "Buffer.add"}
- invocations with concatenated strings could have been split into
- smaller parts, but this would have obfuscated the source without
- making a big difference in allocations. Here we have done some
- peephole-optimization for the sake of readability.
-
- Another benefit of @{ML add_content} is its ``open'' form as a
- function on buffers that can be continued in further linear
- transformations, folding etc. Thus it is more compositional than
- the naive @{ML slow_content}. As realistic example, compare the
- old-style @{ML "Term.maxidx_of_term: term -> int"} with the newer
- @{ML "Term.maxidx_term: term -> int -> int"} in Isabelle/Pure.
-
- Note that @{ML fast_content} above is only defined as example. In
- many practical situations, it is customary to provide the
- incremental @{ML add_content} only and leave the initialization and
- termination to the concrete application by the user.
-*}
-
-
-section {* Message output channels \label{sec:message-channels} *}
-
-text {* Isabelle provides output channels for different kinds of
- messages: regular output, high-volume tracing information, warnings,
- and errors.
-
- Depending on the user interface involved, these messages may appear
- in different text styles or colours. The standard output for
- terminal sessions prefixes each line of warnings by @{verbatim
- "###"} and errors by @{verbatim "***"}, but leaves anything else
- unchanged.
-
- Messages are associated with the transaction context of the running
- Isar command. This enables the front-end to manage commands and
- resulting messages together. For example, after deleting a command
- from a given theory document version, the corresponding message
- output can be retracted from the display.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML writeln: "string -> unit"} \\
- @{index_ML tracing: "string -> unit"} \\
- @{index_ML warning: "string -> unit"} \\
- @{index_ML error: "string -> 'a"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML writeln}~@{text "text"} outputs @{text "text"} as regular
- message. This is the primary message output operation of Isabelle
- and should be used by default.
-
- \item @{ML tracing}~@{text "text"} outputs @{text "text"} as special
- tracing message, indicating potential high-volume output to the
- front-end (hundreds or thousands of messages issued by a single
- command). The idea is to allow the user-interface to downgrade the
- quality of message display to achieve higher throughput.
-
- Note that the user might have to take special actions to see tracing
- output, e.g.\ switch to a different output window. So this channel
- should not be used for regular output.
-
- \item @{ML warning}~@{text "text"} outputs @{text "text"} as
- warning, which typically means some extra emphasis on the front-end
- side (color highlighting, icons, etc.).
-
- \item @{ML error}~@{text "text"} raises exception @{ML ERROR}~@{text
- "text"} and thus lets the Isar toplevel print @{text "text"} on the
- error channel, which typically means some extra emphasis on the
- front-end side (color highlighting, icons, etc.).
-
- This assumes that the exception is not handled before the command
- terminates. Handling exception @{ML ERROR}~@{text "text"} is a
- perfectly legal alternative: it means that the error is absorbed
- without any message output.
-
- \begin{warn}
- The actual error channel is accessed via @{ML Output.error_msg}, but
- the interaction protocol of Proof~General \emph{crashes} if that
- function is used in regular ML code: error output and toplevel
- command failure always need to coincide.
- \end{warn}
-
- \end{description}
-
- \begin{warn}
- Regular Isabelle/ML code should output messages exclusively by the
- official channels. Using raw I/O on \emph{stdout} or \emph{stderr}
- instead (e.g.\ via @{ML TextIO.output}) is apt to cause problems in
- the presence of parallel and asynchronous processing of Isabelle
- theories. Such raw output might be displayed by the front-end in
- some system console log, with a low chance that the user will ever
- see it. Moreover, as a genuine side-effect on global process
- channels, there is no proper way to retract output when Isar command
- transactions are reset by the system.
- \end{warn}
-
- \begin{warn}
- The message channels should be used in a message-oriented manner.
- This means that multi-line output that logically belongs together is
- issued by a \emph{single} invocation of @{ML writeln} etc.\ with the
- functional concatenation of all message constituents.
- \end{warn}
-*}
-
-text %mlex {* The following example demonstrates a multi-line
- warning. Note that in some situations the user sees only the first
- line, so the most important point should be made first.
-*}
-
-ML_command {*
- warning (cat_lines
- ["Beware the Jabberwock, my son!",
- "The jaws that bite, the claws that catch!",
- "Beware the Jubjub Bird, and shun",
- "The frumious Bandersnatch!"]);
-*}
-
-
-section {* Exceptions \label{sec:exceptions} *}
-
-text {* The Standard ML semantics of strict functional evaluation
- together with exceptions is rather well defined, but some delicate
- points need to be observed to avoid that ML programs go wrong
- despite static type-checking. Exceptions in Isabelle/ML are
- subsequently categorized as follows.
-
- \paragraph{Regular user errors.} These are meant to provide
- informative feedback about malformed input etc.
-
- The \emph{error} function raises the corresponding \emph{ERROR}
- exception, with a plain text message as argument. \emph{ERROR}
- exceptions can be handled internally, in order to be ignored, turned
- into other exceptions, or cascaded by appending messages. If the
- corresponding Isabelle/Isar command terminates with an \emph{ERROR}
- exception state, the toplevel will print the result on the error
- channel (see \secref{sec:message-channels}).
-
- It is considered bad style to refer to internal function names or
- values in ML source notation in user error messages.
-
- Grammatical correctness of error messages can be improved by
- \emph{omitting} final punctuation: messages are often concatenated
- or put into a larger context (e.g.\ augmented with source position).
- By not insisting in the final word at the origin of the error, the
- system can perform its administrative tasks more easily and
- robustly.
-
- \paragraph{Program failures.} There is a handful of standard
- exceptions that indicate general failure situations, or failures of
- core operations on logical entities (types, terms, theorems,
- theories, see \chref{ch:logic}).
-
- These exceptions indicate a genuine breakdown of the program, so the
- main purpose is to determine quickly what has happened where.
- Traditionally, the (short) exception message would include the name
- of an ML function, although this is no longer necessary, because the
- ML runtime system prints a detailed source position of the
- corresponding @{ML_text raise} keyword.
-
- \medskip User modules can always introduce their own custom
- exceptions locally, e.g.\ to organize internal failures robustly
- without overlapping with existing exceptions. Exceptions that are
- exposed in module signatures require extra care, though, and should
- \emph{not} be introduced by default. Surprise by users of a module
- can be often minimized by using plain user errors instead.
-
- \paragraph{Interrupts.} These indicate arbitrary system events:
- both the ML runtime system and the Isabelle/ML infrastructure signal
- various exceptional situations by raising the special
- \emph{Interrupt} exception in user code.
-
- This is the one and only way that physical events can intrude an
- Isabelle/ML program. Such an interrupt can mean out-of-memory,
- stack overflow, timeout, internal signaling of threads, or the user
- producing a console interrupt manually etc. An Isabelle/ML program
- that intercepts interrupts becomes dependent on physical effects of
- the environment. Even worse, exception handling patterns that are
- too general by accident, e.g.\ by mispelled exception constructors,
- will cover interrupts unintentionally and thus render the program
- semantics ill-defined.
-
- Note that the Interrupt exception dates back to the original SML90
- language definition. It was excluded from the SML97 version to
- avoid its malign impact on ML program semantics, but without
- providing a viable alternative. Isabelle/ML recovers physical
- interruptibility (which is an indispensable tool to implement
- managed evaluation of command transactions), but requires user code
- to be strictly transparent wrt.\ interrupts.
-
- \begin{warn}
- Isabelle/ML user code needs to terminate promptly on interruption,
- without guessing at its meaning to the system infrastructure.
- Temporary handling of interrupts for cleanup of global resources
- etc.\ needs to be followed immediately by re-raising of the original
- exception.
- \end{warn}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML try: "('a -> 'b) -> 'a -> 'b option"} \\
- @{index_ML can: "('a -> 'b) -> 'a -> bool"} \\
- @{index_ML ERROR: "string -> exn"} \\
- @{index_ML Fail: "string -> exn"} \\
- @{index_ML Exn.is_interrupt: "exn -> bool"} \\
- @{index_ML reraise: "exn -> 'a"} \\
- @{index_ML exception_trace: "(unit -> 'a) -> 'a"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML try}~@{text "f x"} makes the partiality of evaluating
- @{text "f x"} explicit via the option datatype. Interrupts are
- \emph{not} handled here, i.e.\ this form serves as safe replacement
- for the \emph{unsafe} version @{ML_text "(SOME"}~@{text "f
- x"}~@{ML_text "handle _ => NONE)"} that is occasionally seen in
- books about SML.
-
- \item @{ML can} is similar to @{ML try} with more abstract result.
-
- \item @{ML ERROR}~@{text "msg"} represents user errors; this
- exception is normally raised indirectly via the @{ML error} function
- (see \secref{sec:message-channels}).
-
- \item @{ML Fail}~@{text "msg"} represents general program failures.
-
- \item @{ML Exn.is_interrupt} identifies interrupts robustly, without
- mentioning concrete exception constructors in user code. Handled
- interrupts need to be re-raised promptly!
-
- \item @{ML reraise}~@{text "exn"} raises exception @{text "exn"}
- while preserving its implicit position information (if possible,
- depending on the ML platform).
-
- \item @{ML exception_trace}~@{ML_text "(fn () =>"}~@{text
- "e"}@{ML_text ")"} evaluates expression @{text "e"} while printing
- a full trace of its stack of nested exceptions (if possible,
- depending on the ML platform).\footnote{In versions of Poly/ML the
- trace will appear on raw stdout of the Isabelle process.}
-
- Inserting @{ML exception_trace} into ML code temporarily is useful
- for debugging, but not suitable for production code.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "assert"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{text "@{assert}"} inlines a function
- @{ML_type "bool -> unit"} that raises @{ML Fail} if the argument is
- @{ML false}. Due to inlining the source position of failed
- assertions is included in the error output.
-
- \end{description}
-*}
-
-
-section {* Basic data types *}
-
-text {* The basis library proposal of SML97 needs to be treated with
- caution. Many of its operations simply do not fit with important
- Isabelle/ML conventions (like ``canonical argument order'', see
- \secref{sec:canonical-argument-order}), others cause problems with
- the parallel evaluation model of Isabelle/ML (such as @{ML
- TextIO.print} or @{ML OS.Process.system}).
-
- Subsequently we give a brief overview of important operations on
- basic ML data types.
-*}
-
-
-subsection {* Characters *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type char} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type char} is \emph{not} used. The smallest textual
- unit in Isabelle is represented as a ``symbol'' (see
- \secref{sec:symbols}).
-
- \end{description}
-*}
-
-
-subsection {* Integers *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type int} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type int} represents regular mathematical integers,
- which are \emph{unbounded}. Overflow never happens in
- practice.\footnote{The size limit for integer bit patterns in memory
- is 64\,MB for 32-bit Poly/ML, and much higher for 64-bit systems.}
- This works uniformly for all supported ML platforms (Poly/ML and
- SML/NJ).
-
- Literal integers in ML text are forced to be of this one true
- integer type --- overloading of SML97 is disabled.
-
- Structure @{ML_struct IntInf} of SML97 is obsolete and superseded by
- @{ML_struct Int}. Structure @{ML_struct Integer} in @{file
- "~~/src/Pure/General/integer.ML"} provides some additional
- operations.
-
- \end{description}
-*}
-
-
-subsection {* Time *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Time.time} \\
- @{index_ML seconds: "real -> Time.time"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Time.time} represents time abstractly according
- to the SML97 basis library definition. This is adequate for
- internal ML operations, but awkward in concrete time specifications.
-
- \item @{ML seconds}~@{text "s"} turns the concrete scalar @{text
- "s"} (measured in seconds) into an abstract time value. Floating
- point numbers are easy to use as context parameters (e.g.\ via
- configuration options, see \secref{sec:config-options}) or
- preferences that are maintained by external tools as well.
-
- \end{description}
-*}
-
-
-subsection {* Options *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Option.map: "('a -> 'b) -> 'a option -> 'b option"} \\
- @{index_ML is_some: "'a option -> bool"} \\
- @{index_ML is_none: "'a option -> bool"} \\
- @{index_ML the: "'a option -> 'a"} \\
- @{index_ML these: "'a list option -> 'a list"} \\
- @{index_ML the_list: "'a option -> 'a list"} \\
- @{index_ML the_default: "'a -> 'a option -> 'a"} \\
- \end{mldecls}
-*}
-
-text {* Apart from @{ML Option.map} most operations defined in
- structure @{ML_struct Option} are alien to Isabelle/ML. The
- operations shown above are defined in @{file
- "~~/src/Pure/General/basics.ML"}, among others. *}
-
-
-subsection {* Lists *}
-
-text {* Lists are ubiquitous in ML as simple and light-weight
- ``collections'' for many everyday programming tasks. Isabelle/ML
- provides important additions and improvements over operations that
- are predefined in the SML97 library. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML cons: "'a -> 'a list -> 'a list"} \\
- @{index_ML member: "('b * 'a -> bool) -> 'a list -> 'b -> bool"} \\
- @{index_ML insert: "('a * 'a -> bool) -> 'a -> 'a list -> 'a list"} \\
- @{index_ML remove: "('b * 'a -> bool) -> 'b -> 'a list -> 'a list"} \\
- @{index_ML update: "('a * 'a -> bool) -> 'a -> 'a list -> 'a list"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML cons}~@{text "x xs"} evaluates to @{text "x :: xs"}.
-
- Tupled infix operators are a historical accident in Standard ML.
- The curried @{ML cons} amends this, but it should be only used when
- partial application is required.
-
- \item @{ML member}, @{ML insert}, @{ML remove}, @{ML update} treat
- lists as a set-like container that maintains the order of elements.
- See @{file "~~/src/Pure/library.ML"} for the full specifications
- (written in ML). There are some further derived operations like
- @{ML union} or @{ML inter}.
-
- Note that @{ML insert} is conservative about elements that are
- already a @{ML member} of the list, while @{ML update} ensures that
- the latest entry is always put in front. The latter discipline is
- often more appropriate in declarations of context data
- (\secref{sec:context-data}) that are issued by the user in Isar
- source: more recent declarations normally take precedence over
- earlier ones.
-
- \end{description}
-*}
-
-text %mlex {* Using canonical @{ML fold} together with @{ML cons}, or
- similar standard operations, alternates the orientation of data.
- The is quite natural and should not be altered forcible by inserting
- extra applications of @{ML rev}. The alternative @{ML fold_rev} can
- be used in the few situations, where alternation should be
- prevented.
-*}
-
-ML {*
- val items = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
-
- val list1 = fold cons items [];
- @{assert} (list1 = rev items);
-
- val list2 = fold_rev cons items [];
- @{assert} (list2 = items);
-*}
-
-text {* The subsequent example demonstrates how to \emph{merge} two
- lists in a natural way. *}
-
-ML {*
- fun merge_lists eq (xs, ys) = fold_rev (insert eq) ys xs;
-*}
-
-text {* Here the first list is treated conservatively: only the new
- elements from the second list are inserted. The inside-out order of
- insertion via @{ML fold_rev} attempts to preserve the order of
- elements in the result.
-
- This way of merging lists is typical for context data
- (\secref{sec:context-data}). See also @{ML merge} as defined in
- @{file "~~/src/Pure/library.ML"}.
-*}
-
-
-subsection {* Association lists *}
-
-text {* The operations for association lists interpret a concrete list
- of pairs as a finite function from keys to values. Redundant
- representations with multiple occurrences of the same key are
- implicitly normalized: lookup and update only take the first
- occurrence into account.
-*}
-
-text {*
- \begin{mldecls}
- @{index_ML AList.lookup: "('a * 'b -> bool) -> ('b * 'c) list -> 'a -> 'c option"} \\
- @{index_ML AList.defined: "('a * 'b -> bool) -> ('b * 'c) list -> 'a -> bool"} \\
- @{index_ML AList.update: "('a * 'a -> bool) -> 'a * 'b -> ('a * 'b) list -> ('a * 'b) list"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML AList.lookup}, @{ML AList.defined}, @{ML AList.update}
- implement the main ``framework operations'' for mappings in
- Isabelle/ML, following standard conventions for their names and
- types.
-
- Note that a function called @{text lookup} is obliged to express its
- partiality via an explicit option element. There is no choice to
- raise an exception, without changing the name to something like
- @{text "the_element"} or @{text "get"}.
-
- The @{text "defined"} operation is essentially a contraction of @{ML
- is_some} and @{text "lookup"}, but this is sufficiently frequent to
- justify its independent existence. This also gives the
- implementation some opportunity for peep-hole optimization.
-
- \end{description}
-
- Association lists are adequate as simple and light-weight
- implementation of finite mappings in many practical situations. A
- more heavy-duty table structure is defined in @{file
- "~~/src/Pure/General/table.ML"}; that version scales easily to
- thousands or millions of elements.
-*}
-
-
-subsection {* Unsynchronized references *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type "'a Unsynchronized.ref"} \\
- @{index_ML Unsynchronized.ref: "'a -> 'a Unsynchronized.ref"} \\
- @{index_ML "!": "'a Unsynchronized.ref -> 'a"} \\
- @{index_ML_op ":=": "'a Unsynchronized.ref * 'a -> unit"} \\
- \end{mldecls}
-*}
-
-text {* Due to ubiquitous parallelism in Isabelle/ML (see also
- \secref{sec:multi-threading}), the mutable reference cells of
- Standard ML are notorious for causing problems. In a highly
- parallel system, both correctness \emph{and} performance are easily
- degraded when using mutable data.
-
- The unwieldy name of @{ML Unsynchronized.ref} for the constructor
- for references in Isabelle/ML emphasizes the inconveniences caused by
- mutability. Existing operations @{ML "!"} and @{ML_op ":="} are
- unchanged, but should be used with special precautions, say in a
- strictly local situation that is guaranteed to be restricted to
- sequential evaluation --- now and in the future.
-
- \begin{warn}
- Never @{ML_text "open Unsynchronized"}, not even in a local scope!
- Pretending that mutable state is no problem is a very bad idea.
- \end{warn}
-*}
-
-
-section {* Thread-safe programming \label{sec:multi-threading} *}
-
-text {* Multi-threaded execution has become an everyday reality in
- Isabelle since Poly/ML 5.2.1 and Isabelle2008. Isabelle/ML provides
- implicit and explicit parallelism by default, and there is no way
- for user-space tools to ``opt out''. ML programs that are purely
- functional, output messages only via the official channels
- (\secref{sec:message-channels}), and do not intercept interrupts
- (\secref{sec:exceptions}) can participate in the multi-threaded
- environment immediately without further ado.
-
- More ambitious tools with more fine-grained interaction with the
- environment need to observe the principles explained below.
-*}
-
-
-subsection {* Multi-threading with shared memory *}
-
-text {* Multiple threads help to organize advanced operations of the
- system, such as real-time conditions on command transactions,
- sub-components with explicit communication, general asynchronous
- interaction etc. Moreover, parallel evaluation is a prerequisite to
- make adequate use of the CPU resources that are available on
- multi-core systems.\footnote{Multi-core computing does not mean that
- there are ``spare cycles'' to be wasted. It means that the
- continued exponential speedup of CPU performance due to ``Moore's
- Law'' follows different rules: clock frequency has reached its peak
- around 2005, and applications need to be parallelized in order to
- avoid a perceived loss of performance. See also
- \cite{Sutter:2005}.}
-
- Isabelle/Isar exploits the inherent structure of theories and proofs
- to support \emph{implicit parallelism} to a large extent. LCF-style
- theorem provides almost ideal conditions for that, see also
- \cite{Wenzel:2009}. This means, significant parts of theory and
- proof checking is parallelized by default. A maximum speedup-factor
- of 3.0 on 4 cores and 5.0 on 8 cores can be
- expected.\footnote{Further scalability is limited due to garbage
- collection, which is still sequential in Poly/ML 5.2/5.3/5.4. It
- helps to provide initial heap space generously, using the
- \texttt{-H} option. Initial heap size needs to be scaled-up
- together with the number of CPU cores: approximately 1--2\,GB per
- core..}
-
- \medskip ML threads lack the memory protection of separate
- processes, and operate concurrently on shared heap memory. This has
- the advantage that results of independent computations are directly
- available to other threads: abstract values can be passed without
- copying or awkward serialization that is typically required for
- separate processes.
-
- To make shared-memory multi-threading work robustly and efficiently,
- some programming guidelines need to be observed. While the ML
- system is responsible to maintain basic integrity of the
- representation of ML values in memory, the application programmer
- needs to ensure that multi-threaded execution does not break the
- intended semantics.
-
- \begin{warn}
- To participate in implicit parallelism, tools need to be
- thread-safe. A single ill-behaved tool can affect the stability and
- performance of the whole system.
- \end{warn}
-
- Apart from observing the principles of thread-safeness passively,
- advanced tools may also exploit parallelism actively, e.g.\ by using
- ``future values'' (\secref{sec:futures}) or the more basic library
- functions for parallel list operations (\secref{sec:parlist}).
-
- \begin{warn}
- Parallel computing resources are managed centrally by the
- Isabelle/ML infrastructure. User programs must not fork their own
- ML threads to perform computations.
- \end{warn}
-*}
-
-
-subsection {* Critical shared resources *}
-
-text {* Thread-safeness is mainly concerned about concurrent
- read/write access to shared resources, which are outside the purely
- functional world of ML. This covers the following in particular.
-
- \begin{itemize}
-
- \item Global references (or arrays), i.e.\ mutable memory cells that
- persist over several invocations of associated
- operations.\footnote{This is independent of the visibility of such
- mutable values in the toplevel scope.}
-
- \item Global state of the running Isabelle/ML process, i.e.\ raw I/O
- channels, environment variables, current working directory.
-
- \item Writable resources in the file-system that are shared among
- different threads or external processes.
-
- \end{itemize}
-
- Isabelle/ML provides various mechanisms to avoid critical shared
- resources in most situations. As last resort there are some
- mechanisms for explicit synchronization. The following guidelines
- help to make Isabelle/ML programs work smoothly in a concurrent
- environment.
-
- \begin{itemize}
-
- \item Avoid global references altogether. Isabelle/Isar maintains a
- uniform context that incorporates arbitrary data declared by user
- programs (\secref{sec:context-data}). This context is passed as
- plain value and user tools can get/map their own data in a purely
- functional manner. Configuration options within the context
- (\secref{sec:config-options}) provide simple drop-in replacements
- for historic reference variables.
-
- \item Keep components with local state information re-entrant.
- Instead of poking initial values into (private) global references, a
- new state record can be created on each invocation, and passed
- through any auxiliary functions of the component. The state record
- may well contain mutable references, without requiring any special
- synchronizations, as long as each invocation gets its own copy.
-
- \item Avoid raw output on @{text "stdout"} or @{text "stderr"}. The
- Poly/ML library is thread-safe for each individual output operation,
- but the ordering of parallel invocations is arbitrary. This means
- raw output will appear on some system console with unpredictable
- interleaving of atomic chunks.
-
- Note that this does not affect regular message output channels
- (\secref{sec:message-channels}). An official message is associated
- with the command transaction from where it originates, independently
- of other transactions. This means each running Isar command has
- effectively its own set of message channels, and interleaving can
- only happen when commands use parallelism internally (and only at
- message boundaries).
-
- \item Treat environment variables and the current working directory
- of the running process as strictly read-only.
-
- \item Restrict writing to the file-system to unique temporary files.
- Isabelle already provides a temporary directory that is unique for
- the running process, and there is a centralized source of unique
- serial numbers in Isabelle/ML. Thus temporary files that are passed
- to to some external process will be always disjoint, and thus
- thread-safe.
-
- \end{itemize}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML File.tmp_path: "Path.T -> Path.T"} \\
- @{index_ML serial_string: "unit -> string"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML File.tmp_path}~@{text "path"} relocates the base
- component of @{text "path"} into the unique temporary directory of
- the running Isabelle/ML process.
-
- \item @{ML serial_string}~@{text "()"} creates a new serial number
- that is unique over the runtime of the Isabelle/ML process.
-
- \end{description}
-*}
-
-text %mlex {* The following example shows how to create unique
- temporary file names.
-*}
-
-ML {*
- val tmp1 = File.tmp_path (Path.basic ("foo" ^ serial_string ()));
- val tmp2 = File.tmp_path (Path.basic ("foo" ^ serial_string ()));
- @{assert} (tmp1 <> tmp2);
-*}
-
-
-subsection {* Explicit synchronization *}
-
-text {* Isabelle/ML also provides some explicit synchronization
- mechanisms, for the rare situations where mutable shared resources
- are really required. These are based on the synchronizations
- primitives of Poly/ML, which have been adapted to the specific
- assumptions of the concurrent Isabelle/ML environment. User code
- must not use the Poly/ML primitives directly!
-
- \medskip The most basic synchronization concept is a single
- \emph{critical section} (also called ``monitor'' in the literature).
- A thread that enters the critical section prevents all other threads
- from doing the same. A thread that is already within the critical
- section may re-enter it in an idempotent manner.
-
- Such centralized locking is convenient, because it prevents
- deadlocks by construction.
-
- \medskip More fine-grained locking works via \emph{synchronized
- variables}. An explicit state component is associated with
- mechanisms for locking and signaling. There are operations to
- await a condition, change the state, and signal the change to all
- other waiting threads.
-
- Here the synchronized access to the state variable is \emph{not}
- re-entrant: direct or indirect nesting within the same thread will
- cause a deadlock!
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML NAMED_CRITICAL: "string -> (unit -> 'a) -> 'a"} \\
- @{index_ML CRITICAL: "(unit -> 'a) -> 'a"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type "'a Synchronized.var"} \\
- @{index_ML Synchronized.var: "string -> 'a -> 'a Synchronized.var"} \\
- @{index_ML Synchronized.guarded_access: "'a Synchronized.var ->
- ('a -> ('b * 'a) option) -> 'b"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML NAMED_CRITICAL}~@{text "name e"} evaluates @{text "e ()"}
- within the central critical section of Isabelle/ML. No other thread
- may do so at the same time, but non-critical parallel execution will
- continue. The @{text "name"} argument is used for tracing and might
- help to spot sources of congestion.
-
- Entering the critical section without contention is very fast, and
- several basic system operations do so frequently. Each thread
- should stay within the critical section quickly only very briefly,
- otherwise parallel performance may degrade.
-
- \item @{ML CRITICAL} is the same as @{ML NAMED_CRITICAL} with empty
- name argument.
-
- \item Type @{ML_type "'a Synchronized.var"} represents synchronized
- variables with state of type @{ML_type 'a}.
-
- \item @{ML Synchronized.var}~@{text "name x"} creates a synchronized
- variable that is initialized with value @{text "x"}. The @{text
- "name"} is used for tracing.
-
- \item @{ML Synchronized.guarded_access}~@{text "var f"} lets the
- function @{text "f"} operate within a critical section on the state
- @{text "x"} as follows: if @{text "f x"} produces @{ML NONE}, it
- continues to wait on the internal condition variable, expecting that
- some other thread will eventually change the content in a suitable
- manner; if @{text "f x"} produces @{ML SOME}~@{text "(y, x')"} it is
- satisfied and assigns the new state value @{text "x'"}, broadcasts a
- signal to all waiting threads on the associated condition variable,
- and returns the result @{text "y"}.
-
- \end{description}
-
- There are some further variants of the @{ML
- Synchronized.guarded_access} combinator, see @{file
- "~~/src/Pure/Concurrent/synchronized.ML"} for details.
-*}
-
-text %mlex {* The following example implements a counter that produces
- positive integers that are unique over the runtime of the Isabelle
- process:
-*}
-
-ML {*
- local
- val counter = Synchronized.var "counter" 0;
- in
- fun next () =
- Synchronized.guarded_access counter
- (fn i =>
- let val j = i + 1
- in SOME (j, j) end);
- end;
-*}
-
-ML {*
- val a = next ();
- val b = next ();
- @{assert} (a <> b);
-*}
-
-text {* \medskip See @{file "~~/src/Pure/Concurrent/mailbox.ML"} how
- to implement a mailbox as synchronized variable over a purely
- functional queue. *}
-
-end
--- a/doc-src/IsarImplementation/Prelim.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1237 +0,0 @@
-theory Prelim
-imports Base
-begin
-
-chapter {* Preliminaries *}
-
-section {* Contexts \label{sec:context} *}
-
-text {*
- A logical context represents the background that is required for
- formulating statements and composing proofs. It acts as a medium to
- produce formal content, depending on earlier material (declarations,
- results etc.).
-
- For example, derivations within the Isabelle/Pure logic can be
- described as a judgment @{text "\<Gamma> \<turnstile>\<^sub>\<Theta> \<phi>"}, which means that a
- proposition @{text "\<phi>"} is derivable from hypotheses @{text "\<Gamma>"}
- within the theory @{text "\<Theta>"}. There are logical reasons for
- keeping @{text "\<Theta>"} and @{text "\<Gamma>"} separate: theories can be
- liberal about supporting type constructors and schematic
- polymorphism of constants and axioms, while the inner calculus of
- @{text "\<Gamma> \<turnstile> \<phi>"} is strictly limited to Simple Type Theory (with
- fixed type variables in the assumptions).
-
- \medskip Contexts and derivations are linked by the following key
- principles:
-
- \begin{itemize}
-
- \item Transfer: monotonicity of derivations admits results to be
- transferred into a \emph{larger} context, i.e.\ @{text "\<Gamma> \<turnstile>\<^sub>\<Theta>
- \<phi>"} implies @{text "\<Gamma>' \<turnstile>\<^sub>\<Theta>\<^sub>' \<phi>"} for contexts @{text "\<Theta>'
- \<supseteq> \<Theta>"} and @{text "\<Gamma>' \<supseteq> \<Gamma>"}.
-
- \item Export: discharge of hypotheses admits results to be exported
- into a \emph{smaller} context, i.e.\ @{text "\<Gamma>' \<turnstile>\<^sub>\<Theta> \<phi>"}
- implies @{text "\<Gamma> \<turnstile>\<^sub>\<Theta> \<Delta> \<Longrightarrow> \<phi>"} where @{text "\<Gamma>' \<supseteq> \<Gamma>"} and
- @{text "\<Delta> = \<Gamma>' - \<Gamma>"}. Note that @{text "\<Theta>"} remains unchanged here,
- only the @{text "\<Gamma>"} part is affected.
-
- \end{itemize}
-
- \medskip By modeling the main characteristics of the primitive
- @{text "\<Theta>"} and @{text "\<Gamma>"} above, and abstracting over any
- particular logical content, we arrive at the fundamental notions of
- \emph{theory context} and \emph{proof context} in Isabelle/Isar.
- These implement a certain policy to manage arbitrary \emph{context
- data}. There is a strongly-typed mechanism to declare new kinds of
- data at compile time.
-
- The internal bootstrap process of Isabelle/Pure eventually reaches a
- stage where certain data slots provide the logical content of @{text
- "\<Theta>"} and @{text "\<Gamma>"} sketched above, but this does not stop there!
- Various additional data slots support all kinds of mechanisms that
- are not necessarily part of the core logic.
-
- For example, there would be data for canonical introduction and
- elimination rules for arbitrary operators (depending on the
- object-logic and application), which enables users to perform
- standard proof steps implicitly (cf.\ the @{text "rule"} method
- \cite{isabelle-isar-ref}).
-
- \medskip Thus Isabelle/Isar is able to bring forth more and more
- concepts successively. In particular, an object-logic like
- Isabelle/HOL continues the Isabelle/Pure setup by adding specific
- components for automated reasoning (classical reasoner, tableau
- prover, structured induction etc.) and derived specification
- mechanisms (inductive predicates, recursive functions etc.). All of
- this is ultimately based on the generic data management by theory
- and proof contexts introduced here.
-*}
-
-
-subsection {* Theory context \label{sec:context-theory} *}
-
-text {* A \emph{theory} is a data container with explicit name and
- unique identifier. Theories are related by a (nominal) sub-theory
- relation, which corresponds to the dependency graph of the original
- construction; each theory is derived from a certain sub-graph of
- ancestor theories. To this end, the system maintains a set of
- symbolic ``identification stamps'' within each theory.
-
- In order to avoid the full-scale overhead of explicit sub-theory
- identification of arbitrary intermediate stages, a theory is
- switched into @{text "draft"} mode under certain circumstances. A
- draft theory acts like a linear type, where updates invalidate
- earlier versions. An invalidated draft is called \emph{stale}.
-
- The @{text "checkpoint"} operation produces a safe stepping stone
- that will survive the next update without becoming stale: both the
- old and the new theory remain valid and are related by the
- sub-theory relation. Checkpointing essentially recovers purely
- functional theory values, at the expense of some extra internal
- bookkeeping.
-
- The @{text "copy"} operation produces an auxiliary version that has
- the same data content, but is unrelated to the original: updates of
- the copy do not affect the original, neither does the sub-theory
- relation hold.
-
- The @{text "merge"} operation produces the least upper bound of two
- theories, which actually degenerates into absorption of one theory
- into the other (according to the nominal sub-theory relation).
-
- The @{text "begin"} operation starts a new theory by importing
- several parent theories and entering a special mode of nameless
- incremental updates, until the final @{text "end"} operation is
- performed.
-
- \medskip The example in \figref{fig:ex-theory} below shows a theory
- graph derived from @{text "Pure"}, with theory @{text "Length"}
- importing @{text "Nat"} and @{text "List"}. The body of @{text
- "Length"} consists of a sequence of updates, working mostly on
- drafts internally, while transaction boundaries of Isar top-level
- commands (\secref{sec:isar-toplevel}) are guaranteed to be safe
- checkpoints.
-
- \begin{figure}[htb]
- \begin{center}
- \begin{tabular}{rcccl}
- & & @{text "Pure"} \\
- & & @{text "\<down>"} \\
- & & @{text "FOL"} \\
- & $\swarrow$ & & $\searrow$ & \\
- @{text "Nat"} & & & & @{text "List"} \\
- & $\searrow$ & & $\swarrow$ \\
- & & @{text "Length"} \\
- & & \multicolumn{3}{l}{~~@{keyword "imports"}} \\
- & & \multicolumn{3}{l}{~~@{keyword "begin"}} \\
- & & $\vdots$~~ \\
- & & @{text "\<bullet>"}~~ \\
- & & $\vdots$~~ \\
- & & @{text "\<bullet>"}~~ \\
- & & $\vdots$~~ \\
- & & \multicolumn{3}{l}{~~@{command "end"}} \\
- \end{tabular}
- \caption{A theory definition depending on ancestors}\label{fig:ex-theory}
- \end{center}
- \end{figure}
-
- \medskip There is a separate notion of \emph{theory reference} for
- maintaining a live link to an evolving theory context: updates on
- drafts are propagated automatically. Dynamic updating stops when
- the next @{text "checkpoint"} is reached.
-
- Derived entities may store a theory reference in order to indicate
- the formal context from which they are derived. This implicitly
- assumes monotonic reasoning, because the referenced context may
- become larger without further notice.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type theory} \\
- @{index_ML Theory.eq_thy: "theory * theory -> bool"} \\
- @{index_ML Theory.subthy: "theory * theory -> bool"} \\
- @{index_ML Theory.checkpoint: "theory -> theory"} \\
- @{index_ML Theory.copy: "theory -> theory"} \\
- @{index_ML Theory.merge: "theory * theory -> theory"} \\
- @{index_ML Theory.begin_theory: "string * Position.T -> theory list -> theory"} \\
- @{index_ML Theory.parents_of: "theory -> theory list"} \\
- @{index_ML Theory.ancestors_of: "theory -> theory list"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type theory_ref} \\
- @{index_ML Theory.deref: "theory_ref -> theory"} \\
- @{index_ML Theory.check_thy: "theory -> theory_ref"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type theory} represents theory contexts. This is
- essentially a linear type, with explicit runtime checking.
- Primitive theory operations destroy the original version, which then
- becomes ``stale''. This can be prevented by explicit checkpointing,
- which the system does at least at the boundary of toplevel command
- transactions \secref{sec:isar-toplevel}.
-
- \item @{ML "Theory.eq_thy"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} check strict
- identity of two theories.
-
- \item @{ML "Theory.subthy"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} compares theories
- according to the intrinsic graph structure of the construction.
- This sub-theory relation is a nominal approximation of inclusion
- (@{text "\<subseteq>"}) of the corresponding content (according to the
- semantics of the ML modules that implement the data).
-
- \item @{ML "Theory.checkpoint"}~@{text "thy"} produces a safe
- stepping stone in the linear development of @{text "thy"}. This
- changes the old theory, but the next update will result in two
- related, valid theories.
-
- \item @{ML "Theory.copy"}~@{text "thy"} produces a variant of @{text
- "thy"} with the same data. The copy is not related to the original,
- but the original is unchanged.
-
- \item @{ML "Theory.merge"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} absorbs one theory
- into the other, without changing @{text "thy\<^sub>1"} or @{text "thy\<^sub>2"}.
- This version of ad-hoc theory merge fails for unrelated theories!
-
- \item @{ML "Theory.begin_theory"}~@{text "name parents"} constructs
- a new theory based on the given parents. This ML function is
- normally not invoked directly.
-
- \item @{ML "Theory.parents_of"}~@{text "thy"} returns the direct
- ancestors of @{text thy}.
-
- \item @{ML "Theory.ancestors_of"}~@{text "thy"} returns all
- ancestors of @{text thy} (not including @{text thy} itself).
-
- \item Type @{ML_type theory_ref} represents a sliding reference to
- an always valid theory; updates on the original are propagated
- automatically.
-
- \item @{ML "Theory.deref"}~@{text "thy_ref"} turns a @{ML_type
- "theory_ref"} into an @{ML_type "theory"} value. As the referenced
- theory evolves monotonically over time, later invocations of @{ML
- "Theory.deref"} may refer to a larger context.
-
- \item @{ML "Theory.check_thy"}~@{text "thy"} produces a @{ML_type
- "theory_ref"} from a valid @{ML_type "theory"} value.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "theory"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation theory} nameref?
- "}
-
- \begin{description}
-
- \item @{text "@{theory}"} refers to the background theory of the
- current context --- as abstract value.
-
- \item @{text "@{theory A}"} refers to an explicitly named ancestor
- theory @{text "A"} of the background theory of the current context
- --- as abstract value.
-
- \end{description}
-*}
-
-
-subsection {* Proof context \label{sec:context-proof} *}
-
-text {* A proof context is a container for pure data with a
- back-reference to the theory from which it is derived. The @{text
- "init"} operation creates a proof context from a given theory.
- Modifications to draft theories are propagated to the proof context
- as usual, but there is also an explicit @{text "transfer"} operation
- to force resynchronization with more substantial updates to the
- underlying theory.
-
- Entities derived in a proof context need to record logical
- requirements explicitly, since there is no separate context
- identification or symbolic inclusion as for theories. For example,
- hypotheses used in primitive derivations (cf.\ \secref{sec:thms})
- are recorded separately within the sequent @{text "\<Gamma> \<turnstile> \<phi>"}, just to
- make double sure. Results could still leak into an alien proof
- context due to programming errors, but Isabelle/Isar includes some
- extra validity checks in critical positions, notably at the end of a
- sub-proof.
-
- Proof contexts may be manipulated arbitrarily, although the common
- discipline is to follow block structure as a mental model: a given
- context is extended consecutively, and results are exported back
- into the original context. Note that an Isar proof state models
- block-structured reasoning explicitly, using a stack of proof
- contexts internally. For various technical reasons, the background
- theory of an Isar proof state must not be changed while the proof is
- still under construction!
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Proof.context} \\
- @{index_ML Proof_Context.init_global: "theory -> Proof.context"} \\
- @{index_ML Proof_Context.theory_of: "Proof.context -> theory"} \\
- @{index_ML Proof_Context.transfer: "theory -> Proof.context -> Proof.context"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Proof.context} represents proof contexts.
- Elements of this type are essentially pure values, with a sliding
- reference to the background theory.
-
- \item @{ML Proof_Context.init_global}~@{text "thy"} produces a proof context
- derived from @{text "thy"}, initializing all data.
-
- \item @{ML Proof_Context.theory_of}~@{text "ctxt"} selects the
- background theory from @{text "ctxt"}, dereferencing its internal
- @{ML_type theory_ref}.
-
- \item @{ML Proof_Context.transfer}~@{text "thy ctxt"} promotes the
- background theory of @{text "ctxt"} to the super theory @{text
- "thy"}.
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "context"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{text "@{context}"} refers to \emph{the} context at
- compile-time --- as abstract value. Independently of (local) theory
- or proof mode, this always produces a meaningful result.
-
- This is probably the most common antiquotation in interactive
- experimentation with ML inside Isar.
-
- \end{description}
-*}
-
-
-subsection {* Generic contexts \label{sec:generic-context} *}
-
-text {*
- A generic context is the disjoint sum of either a theory or proof
- context. Occasionally, this enables uniform treatment of generic
- context data, typically extra-logical information. Operations on
- generic contexts include the usual injections, partial selections,
- and combinators for lifting operations on either component of the
- disjoint sum.
-
- Moreover, there are total operations @{text "theory_of"} and @{text
- "proof_of"} to convert a generic context into either kind: a theory
- can always be selected from the sum, while a proof context might
- have to be constructed by an ad-hoc @{text "init"} operation, which
- incurs a small runtime overhead.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Context.generic} \\
- @{index_ML Context.theory_of: "Context.generic -> theory"} \\
- @{index_ML Context.proof_of: "Context.generic -> Proof.context"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Context.generic} is the direct sum of @{ML_type
- "theory"} and @{ML_type "Proof.context"}, with the datatype
- constructors @{ML "Context.Theory"} and @{ML "Context.Proof"}.
-
- \item @{ML Context.theory_of}~@{text "context"} always produces a
- theory from the generic @{text "context"}, using @{ML
- "Proof_Context.theory_of"} as required.
-
- \item @{ML Context.proof_of}~@{text "context"} always produces a
- proof context from the generic @{text "context"}, using @{ML
- "Proof_Context.init_global"} as required (note that this re-initializes the
- context data with each invocation).
-
- \end{description}
-*}
-
-
-subsection {* Context data \label{sec:context-data} *}
-
-text {* The main purpose of theory and proof contexts is to manage
- arbitrary (pure) data. New data types can be declared incrementally
- at compile time. There are separate declaration mechanisms for any
- of the three kinds of contexts: theory, proof, generic.
-
- \paragraph{Theory data} declarations need to implement the following
- SML signature:
-
- \medskip
- \begin{tabular}{ll}
- @{text "\<type> T"} & representing type \\
- @{text "\<val> empty: T"} & empty default value \\
- @{text "\<val> extend: T \<rightarrow> T"} & re-initialize on import \\
- @{text "\<val> merge: T \<times> T \<rightarrow> T"} & join on import \\
- \end{tabular}
- \medskip
-
- The @{text "empty"} value acts as initial default for \emph{any}
- theory that does not declare actual data content; @{text "extend"}
- is acts like a unitary version of @{text "merge"}.
-
- Implementing @{text "merge"} can be tricky. The general idea is
- that @{text "merge (data\<^sub>1, data\<^sub>2)"} inserts those parts of @{text
- "data\<^sub>2"} into @{text "data\<^sub>1"} that are not yet present, while
- keeping the general order of things. The @{ML Library.merge}
- function on plain lists may serve as canonical template.
-
- Particularly note that shared parts of the data must not be
- duplicated by naive concatenation, or a theory graph that is like a
- chain of diamonds would cause an exponential blowup!
-
- \paragraph{Proof context data} declarations need to implement the
- following SML signature:
-
- \medskip
- \begin{tabular}{ll}
- @{text "\<type> T"} & representing type \\
- @{text "\<val> init: theory \<rightarrow> T"} & produce initial value \\
- \end{tabular}
- \medskip
-
- The @{text "init"} operation is supposed to produce a pure value
- from the given background theory and should be somehow
- ``immediate''. Whenever a proof context is initialized, which
- happens frequently, the the system invokes the @{text "init"}
- operation of \emph{all} theory data slots ever declared. This also
- means that one needs to be economic about the total number of proof
- data declarations in the system, i.e.\ each ML module should declare
- at most one, sometimes two data slots for its internal use.
- Repeated data declarations to simulate a record type should be
- avoided!
-
- \paragraph{Generic data} provides a hybrid interface for both theory
- and proof data. The @{text "init"} operation for proof contexts is
- predefined to select the current data value from the background
- theory.
-
- \bigskip Any of the above data declarations over type @{text "T"}
- result in an ML structure with the following signature:
-
- \medskip
- \begin{tabular}{ll}
- @{text "get: context \<rightarrow> T"} \\
- @{text "put: T \<rightarrow> context \<rightarrow> context"} \\
- @{text "map: (T \<rightarrow> T) \<rightarrow> context \<rightarrow> context"} \\
- \end{tabular}
- \medskip
-
- These other operations provide exclusive access for the particular
- kind of context (theory, proof, or generic context). This interface
- observes the ML discipline for types and scopes: there is no other
- way to access the corresponding data slot of a context. By keeping
- these operations private, an Isabelle/ML module may maintain
- abstract values authentically. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_functor Theory_Data} \\
- @{index_ML_functor Proof_Data} \\
- @{index_ML_functor Generic_Data} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML_functor Theory_Data}@{text "(spec)"} declares data for
- type @{ML_type theory} according to the specification provided as
- argument structure. The resulting structure provides data init and
- access operations as described above.
-
- \item @{ML_functor Proof_Data}@{text "(spec)"} is analogous to
- @{ML_functor Theory_Data} for type @{ML_type Proof.context}.
-
- \item @{ML_functor Generic_Data}@{text "(spec)"} is analogous to
- @{ML_functor Theory_Data} for type @{ML_type Context.generic}.
-
- \end{description}
-*}
-
-text %mlex {*
- The following artificial example demonstrates theory
- data: we maintain a set of terms that are supposed to be wellformed
- wrt.\ the enclosing theory. The public interface is as follows:
-*}
-
-ML {*
- signature WELLFORMED_TERMS =
- sig
- val get: theory -> term list
- val add: term -> theory -> theory
- end;
-*}
-
-text {* The implementation uses private theory data internally, and
- only exposes an operation that involves explicit argument checking
- wrt.\ the given theory. *}
-
-ML {*
- structure Wellformed_Terms: WELLFORMED_TERMS =
- struct
-
- structure Terms = Theory_Data
- (
- type T = term Ord_List.T;
- val empty = [];
- val extend = I;
- fun merge (ts1, ts2) =
- Ord_List.union Term_Ord.fast_term_ord ts1 ts2;
- );
-
- val get = Terms.get;
-
- fun add raw_t thy =
- let
- val t = Sign.cert_term thy raw_t;
- in
- Terms.map (Ord_List.insert Term_Ord.fast_term_ord t) thy
- end;
-
- end;
-*}
-
-text {* Type @{ML_type "term Ord_List.T"} is used for reasonably
- efficient representation of a set of terms: all operations are
- linear in the number of stored elements. Here we assume that users
- of this module do not care about the declaration order, since that
- data structure forces its own arrangement of elements.
-
- Observe how the @{ML_text merge} operation joins the data slots of
- the two constituents: @{ML Ord_List.union} prevents duplication of
- common data from different branches, thus avoiding the danger of
- exponential blowup. Plain list append etc.\ must never be used for
- theory data merges!
-
- \medskip Our intended invariant is achieved as follows:
- \begin{enumerate}
-
- \item @{ML Wellformed_Terms.add} only admits terms that have passed
- the @{ML Sign.cert_term} check of the given theory at that point.
-
- \item Wellformedness in the sense of @{ML Sign.cert_term} is
- monotonic wrt.\ the sub-theory relation. So our data can move
- upwards in the hierarchy (via extension or merges), and maintain
- wellformedness without further checks.
-
- \end{enumerate}
-
- Note that all basic operations of the inference kernel (which
- includes @{ML Sign.cert_term}) observe this monotonicity principle,
- but other user-space tools don't. For example, fully-featured
- type-inference via @{ML Syntax.check_term} (cf.\
- \secref{sec:term-check}) is not necessarily monotonic wrt.\ the
- background theory, since constraints of term constants can be
- modified by later declarations, for example.
-
- In most cases, user-space context data does not have to take such
- invariants too seriously. The situation is different in the
- implementation of the inference kernel itself, which uses the very
- same data mechanisms for types, constants, axioms etc.
-*}
-
-
-subsection {* Configuration options \label{sec:config-options} *}
-
-text {* A \emph{configuration option} is a named optional value of
- some basic type (Boolean, integer, string) that is stored in the
- context. It is a simple application of general context data
- (\secref{sec:context-data}) that is sufficiently common to justify
- customized setup, which includes some concrete declarations for
- end-users using existing notation for attributes (cf.\
- \secref{sec:attributes}).
-
- For example, the predefined configuration option @{attribute
- show_types} controls output of explicit type constraints for
- variables in printed terms (cf.\ \secref{sec:read-print}). Its
- value can be modified within Isar text like this:
-*}
-
-declare [[show_types = false]]
- -- {* declaration within (local) theory context *}
-
-notepad
-begin
- note [[show_types = true]]
- -- {* declaration within proof (forward mode) *}
- term x
-
- have "x = x"
- using [[show_types = false]]
- -- {* declaration within proof (backward mode) *}
- ..
-end
-
-text {* Configuration options that are not set explicitly hold a
- default value that can depend on the application context. This
- allows to retrieve the value from another slot within the context,
- or fall back on a global preference mechanism, for example.
-
- The operations to declare configuration options and get/map their
- values are modeled as direct replacements for historic global
- references, only that the context is made explicit. This allows
- easy configuration of tools, without relying on the execution order
- as required for old-style mutable references. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Config.get: "Proof.context -> 'a Config.T -> 'a"} \\
- @{index_ML Config.map: "'a Config.T -> ('a -> 'a) -> Proof.context -> Proof.context"} \\
- @{index_ML Attrib.setup_config_bool: "binding -> (Context.generic -> bool) ->
- bool Config.T"} \\
- @{index_ML Attrib.setup_config_int: "binding -> (Context.generic -> int) ->
- int Config.T"} \\
- @{index_ML Attrib.setup_config_real: "binding -> (Context.generic -> real) ->
- real Config.T"} \\
- @{index_ML Attrib.setup_config_string: "binding -> (Context.generic -> string) ->
- string Config.T"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Config.get}~@{text "ctxt config"} gets the value of
- @{text "config"} in the given context.
-
- \item @{ML Config.map}~@{text "config f ctxt"} updates the context
- by updating the value of @{text "config"}.
-
- \item @{text "config ="}~@{ML Attrib.setup_config_bool}~@{text "name
- default"} creates a named configuration option of type @{ML_type
- bool}, with the given @{text "default"} depending on the application
- context. The resulting @{text "config"} can be used to get/map its
- value in a given context. There is an implicit update of the
- background theory that registers the option as attribute with some
- concrete syntax.
-
- \item @{ML Attrib.config_int}, @{ML Attrib.config_real}, and @{ML
- Attrib.config_string} work like @{ML Attrib.config_bool}, but for
- types @{ML_type int} and @{ML_type string}, respectively.
-
- \end{description}
-*}
-
-text %mlex {* The following example shows how to declare and use a
- Boolean configuration option called @{text "my_flag"} with constant
- default value @{ML false}. *}
-
-ML {*
- val my_flag =
- Attrib.setup_config_bool @{binding my_flag} (K false)
-*}
-
-text {* Now the user can refer to @{attribute my_flag} in
- declarations, while ML tools can retrieve the current value from the
- context via @{ML Config.get}. *}
-
-ML_val {* @{assert} (Config.get @{context} my_flag = false) *}
-
-declare [[my_flag = true]]
-
-ML_val {* @{assert} (Config.get @{context} my_flag = true) *}
-
-notepad
-begin
- {
- note [[my_flag = false]]
- ML_val {* @{assert} (Config.get @{context} my_flag = false) *}
- }
- ML_val {* @{assert} (Config.get @{context} my_flag = true) *}
-end
-
-text {* Here is another example involving ML type @{ML_type real}
- (floating-point numbers). *}
-
-ML {*
- val airspeed_velocity =
- Attrib.setup_config_real @{binding airspeed_velocity} (K 0.0)
-*}
-
-declare [[airspeed_velocity = 10]]
-declare [[airspeed_velocity = 9.9]]
-
-
-section {* Names \label{sec:names} *}
-
-text {* In principle, a name is just a string, but there are various
- conventions for representing additional structure. For example,
- ``@{text "Foo.bar.baz"}'' is considered as a long name consisting of
- qualifier @{text "Foo.bar"} and base name @{text "baz"}. The
- individual constituents of a name may have further substructure,
- e.g.\ the string ``\verb,\,\verb,<alpha>,'' encodes as a single
- symbol.
-
- \medskip Subsequently, we shall introduce specific categories of
- names. Roughly speaking these correspond to logical entities as
- follows:
- \begin{itemize}
-
- \item Basic names (\secref{sec:basic-name}): free and bound
- variables.
-
- \item Indexed names (\secref{sec:indexname}): schematic variables.
-
- \item Long names (\secref{sec:long-name}): constants of any kind
- (type constructors, term constants, other concepts defined in user
- space). Such entities are typically managed via name spaces
- (\secref{sec:name-space}).
-
- \end{itemize}
-*}
-
-
-subsection {* Strings of symbols \label{sec:symbols} *}
-
-text {* A \emph{symbol} constitutes the smallest textual unit in
- Isabelle --- raw ML characters are normally not encountered at all!
- Isabelle strings consist of a sequence of symbols, represented as a
- packed string or an exploded list of strings. Each symbol is in
- itself a small string, which has either one of the following forms:
-
- \begin{enumerate}
-
- \item a single ASCII character ``@{text "c"}'', for example
- ``\verb,a,'',
-
- \item a codepoint according to UTF8 (non-ASCII byte sequence),
-
- \item a regular symbol ``\verb,\,\verb,<,@{text "ident"}\verb,>,'',
- for example ``\verb,\,\verb,<alpha>,'',
-
- \item a control symbol ``\verb,\,\verb,<^,@{text "ident"}\verb,>,'',
- for example ``\verb,\,\verb,<^bold>,'',
-
- \item a raw symbol ``\verb,\,\verb,<^raw:,@{text text}\verb,>,''
- where @{text text} consists of printable characters excluding
- ``\verb,.,'' and ``\verb,>,'', for example
- ``\verb,\,\verb,<^raw:$\sum_{i = 1}^n$>,'',
-
- \item a numbered raw control symbol ``\verb,\,\verb,<^raw,@{text
- n}\verb,>, where @{text n} consists of digits, for example
- ``\verb,\,\verb,<^raw42>,''.
-
- \end{enumerate}
-
- The @{text "ident"} syntax for symbol names is @{text "letter
- (letter | digit)\<^sup>*"}, where @{text "letter = A..Za..z"} and @{text
- "digit = 0..9"}. There are infinitely many regular symbols and
- control symbols, but a fixed collection of standard symbols is
- treated specifically. For example, ``\verb,\,\verb,<alpha>,'' is
- classified as a letter, which means it may occur within regular
- Isabelle identifiers.
-
- The character set underlying Isabelle symbols is 7-bit ASCII, but
- 8-bit character sequences are passed-through unchanged. Unicode/UCS
- data in UTF-8 encoding is processed in a non-strict fashion, such
- that well-formed code sequences are recognized
- accordingly.\footnote{Note that ISO-Latin-1 differs from UTF-8 only
- in some special punctuation characters that even have replacements
- within the standard collection of Isabelle symbols. Text consisting
- of ASCII plus accented letters can be processed in either encoding.}
- Unicode provides its own collection of mathematical symbols, but
- within the core Isabelle/ML world there is no link to the standard
- collection of Isabelle regular symbols.
-
- \medskip Output of Isabelle symbols depends on the print mode
- (\cite{isabelle-isar-ref}). For example, the standard {\LaTeX}
- setup of the Isabelle document preparation system would present
- ``\verb,\,\verb,<alpha>,'' as @{text "\<alpha>"}, and
- ``\verb,\,\verb,<^bold>,\verb,\,\verb,<alpha>,'' as @{text "\<^bold>\<alpha>"}.
- On-screen rendering usually works by mapping a finite subset of
- Isabelle symbols to suitable Unicode characters.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type "Symbol.symbol": string} \\
- @{index_ML Symbol.explode: "string -> Symbol.symbol list"} \\
- @{index_ML Symbol.is_letter: "Symbol.symbol -> bool"} \\
- @{index_ML Symbol.is_digit: "Symbol.symbol -> bool"} \\
- @{index_ML Symbol.is_quasi: "Symbol.symbol -> bool"} \\
- @{index_ML Symbol.is_blank: "Symbol.symbol -> bool"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type "Symbol.sym"} \\
- @{index_ML Symbol.decode: "Symbol.symbol -> Symbol.sym"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type "Symbol.symbol"} represents individual Isabelle
- symbols.
-
- \item @{ML "Symbol.explode"}~@{text "str"} produces a symbol list
- from the packed form. This function supersedes @{ML
- "String.explode"} for virtually all purposes of manipulating text in
- Isabelle!\footnote{The runtime overhead for exploded strings is
- mainly that of the list structure: individual symbols that happen to
- be a singleton string do not require extra memory in Poly/ML.}
-
- \item @{ML "Symbol.is_letter"}, @{ML "Symbol.is_digit"}, @{ML
- "Symbol.is_quasi"}, @{ML "Symbol.is_blank"} classify standard
- symbols according to fixed syntactic conventions of Isabelle, cf.\
- \cite{isabelle-isar-ref}.
-
- \item Type @{ML_type "Symbol.sym"} is a concrete datatype that
- represents the different kinds of symbols explicitly, with
- constructors @{ML "Symbol.Char"}, @{ML "Symbol.Sym"}, @{ML
- "Symbol.UTF8"}, @{ML "Symbol.Ctrl"}, @{ML "Symbol.Raw"}.
-
- \item @{ML "Symbol.decode"} converts the string representation of a
- symbol into the datatype version.
-
- \end{description}
-
- \paragraph{Historical note.} In the original SML90 standard the
- primitive ML type @{ML_type char} did not exists, and the @{ML_text
- "explode: string -> string list"} operation would produce a list of
- singleton strings as does @{ML "raw_explode: string -> string list"}
- in Isabelle/ML today. When SML97 came out, Isabelle did not adopt
- its slightly anachronistic 8-bit characters, but the idea of
- exploding a string into a list of small strings was extended to
- ``symbols'' as explained above. Thus Isabelle sources can refer to
- an infinite store of user-defined symbols, without having to worry
- about the multitude of Unicode encodings. *}
-
-
-subsection {* Basic names \label{sec:basic-name} *}
-
-text {*
- A \emph{basic name} essentially consists of a single Isabelle
- identifier. There are conventions to mark separate classes of basic
- names, by attaching a suffix of underscores: one underscore means
- \emph{internal name}, two underscores means \emph{Skolem name},
- three underscores means \emph{internal Skolem name}.
-
- For example, the basic name @{text "foo"} has the internal version
- @{text "foo_"}, with Skolem versions @{text "foo__"} and @{text
- "foo___"}, respectively.
-
- These special versions provide copies of the basic name space, apart
- from anything that normally appears in the user text. For example,
- system generated variables in Isar proof contexts are usually marked
- as internal, which prevents mysterious names like @{text "xaa"} to
- appear in human-readable text.
-
- \medskip Manipulating binding scopes often requires on-the-fly
- renamings. A \emph{name context} contains a collection of already
- used names. The @{text "declare"} operation adds names to the
- context.
-
- The @{text "invents"} operation derives a number of fresh names from
- a given starting point. For example, the first three names derived
- from @{text "a"} are @{text "a"}, @{text "b"}, @{text "c"}.
-
- The @{text "variants"} operation produces fresh names by
- incrementing tentative names as base-26 numbers (with digits @{text
- "a..z"}) until all clashes are resolved. For example, name @{text
- "foo"} results in variants @{text "fooa"}, @{text "foob"}, @{text
- "fooc"}, \dots, @{text "fooaa"}, @{text "fooab"} etc.; each renaming
- step picks the next unused variant from this sequence.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Name.internal: "string -> string"} \\
- @{index_ML Name.skolem: "string -> string"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type Name.context} \\
- @{index_ML Name.context: Name.context} \\
- @{index_ML Name.declare: "string -> Name.context -> Name.context"} \\
- @{index_ML Name.invent: "Name.context -> string -> int -> string list"} \\
- @{index_ML Name.variant: "string -> Name.context -> string * Name.context"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML Variable.names_of: "Proof.context -> Name.context"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Name.internal}~@{text "name"} produces an internal name
- by adding one underscore.
-
- \item @{ML Name.skolem}~@{text "name"} produces a Skolem name by
- adding two underscores.
-
- \item Type @{ML_type Name.context} represents the context of already
- used names; the initial value is @{ML "Name.context"}.
-
- \item @{ML Name.declare}~@{text "name"} enters a used name into the
- context.
-
- \item @{ML Name.invent}~@{text "context name n"} produces @{text
- "n"} fresh names derived from @{text "name"}.
-
- \item @{ML Name.variant}~@{text "name context"} produces a fresh
- variant of @{text "name"}; the result is declared to the context.
-
- \item @{ML Variable.names_of}~@{text "ctxt"} retrieves the context
- of declared type and term variable names. Projecting a proof
- context down to a primitive name context is occasionally useful when
- invoking lower-level operations. Regular management of ``fresh
- variables'' is done by suitable operations of structure @{ML_struct
- Variable}, which is also able to provide an official status of
- ``locally fixed variable'' within the logical environment (cf.\
- \secref{sec:variables}).
-
- \end{description}
-*}
-
-text %mlex {* The following simple examples demonstrate how to produce
- fresh names from the initial @{ML Name.context}. *}
-
-ML {*
- val list1 = Name.invent Name.context "a" 5;
- @{assert} (list1 = ["a", "b", "c", "d", "e"]);
-
- val list2 =
- #1 (fold_map Name.variant ["x", "x", "a", "a", "'a", "'a"] Name.context);
- @{assert} (list2 = ["x", "xa", "a", "aa", "'a", "'aa"]);
-*}
-
-text {* \medskip The same works relatively to the formal context as
- follows. *}
-
-locale ex = fixes a b c :: 'a
-begin
-
-ML {*
- val names = Variable.names_of @{context};
-
- val list1 = Name.invent names "a" 5;
- @{assert} (list1 = ["d", "e", "f", "g", "h"]);
-
- val list2 =
- #1 (fold_map Name.variant ["x", "x", "a", "a", "'a", "'a"] names);
- @{assert} (list2 = ["x", "xa", "aa", "ab", "'aa", "'ab"]);
-*}
-
-end
-
-
-subsection {* Indexed names \label{sec:indexname} *}
-
-text {*
- An \emph{indexed name} (or @{text "indexname"}) is a pair of a basic
- name and a natural number. This representation allows efficient
- renaming by incrementing the second component only. The canonical
- way to rename two collections of indexnames apart from each other is
- this: determine the maximum index @{text "maxidx"} of the first
- collection, then increment all indexes of the second collection by
- @{text "maxidx + 1"}; the maximum index of an empty collection is
- @{text "-1"}.
-
- Occasionally, basic names are injected into the same pair type of
- indexed names: then @{text "(x, -1)"} is used to encode the basic
- name @{text "x"}.
-
- \medskip Isabelle syntax observes the following rules for
- representing an indexname @{text "(x, i)"} as a packed string:
-
- \begin{itemize}
-
- \item @{text "?x"} if @{text "x"} does not end with a digit and @{text "i = 0"},
-
- \item @{text "?xi"} if @{text "x"} does not end with a digit,
-
- \item @{text "?x.i"} otherwise.
-
- \end{itemize}
-
- Indexnames may acquire large index numbers after several maxidx
- shifts have been applied. Results are usually normalized towards
- @{text "0"} at certain checkpoints, notably at the end of a proof.
- This works by producing variants of the corresponding basic name
- components. For example, the collection @{text "?x1, ?x7, ?x42"}
- becomes @{text "?x, ?xa, ?xb"}.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type indexname: "string * int"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type indexname} represents indexed names. This is
- an abbreviation for @{ML_type "string * int"}. The second component
- is usually non-negative, except for situations where @{text "(x,
- -1)"} is used to inject basic names into this type. Other negative
- indexes should not be used.
-
- \end{description}
-*}
-
-
-subsection {* Long names \label{sec:long-name} *}
-
-text {* A \emph{long name} consists of a sequence of non-empty name
- components. The packed representation uses a dot as separator, as
- in ``@{text "A.b.c"}''. The last component is called \emph{base
- name}, the remaining prefix is called \emph{qualifier} (which may be
- empty). The qualifier can be understood as the access path to the
- named entity while passing through some nested block-structure,
- although our free-form long names do not really enforce any strict
- discipline.
-
- For example, an item named ``@{text "A.b.c"}'' may be understood as
- a local entity @{text "c"}, within a local structure @{text "b"},
- within a global structure @{text "A"}. In practice, long names
- usually represent 1--3 levels of qualification. User ML code should
- not make any assumptions about the particular structure of long
- names!
-
- The empty name is commonly used as an indication of unnamed
- entities, or entities that are not entered into the corresponding
- name space, whenever this makes any sense. The basic operations on
- long names map empty names again to empty names.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Long_Name.base_name: "string -> string"} \\
- @{index_ML Long_Name.qualifier: "string -> string"} \\
- @{index_ML Long_Name.append: "string -> string -> string"} \\
- @{index_ML Long_Name.implode: "string list -> string"} \\
- @{index_ML Long_Name.explode: "string -> string list"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Long_Name.base_name}~@{text "name"} returns the base name
- of a long name.
-
- \item @{ML Long_Name.qualifier}~@{text "name"} returns the qualifier
- of a long name.
-
- \item @{ML Long_Name.append}~@{text "name\<^isub>1 name\<^isub>2"} appends two long
- names.
-
- \item @{ML Long_Name.implode}~@{text "names"} and @{ML
- Long_Name.explode}~@{text "name"} convert between the packed string
- representation and the explicit list form of long names.
-
- \end{description}
-*}
-
-
-subsection {* Name spaces \label{sec:name-space} *}
-
-text {* A @{text "name space"} manages a collection of long names,
- together with a mapping between partially qualified external names
- and fully qualified internal names (in both directions). Note that
- the corresponding @{text "intern"} and @{text "extern"} operations
- are mostly used for parsing and printing only! The @{text
- "declare"} operation augments a name space according to the accesses
- determined by a given binding, and a naming policy from the context.
-
- \medskip A @{text "binding"} specifies details about the prospective
- long name of a newly introduced formal entity. It consists of a
- base name, prefixes for qualification (separate ones for system
- infrastructure and user-space mechanisms), a slot for the original
- source position, and some additional flags.
-
- \medskip A @{text "naming"} provides some additional details for
- producing a long name from a binding. Normally, the naming is
- implicit in the theory or proof context. The @{text "full"}
- operation (and its variants for different context types) produces a
- fully qualified internal name to be entered into a name space. The
- main equation of this ``chemical reaction'' when binding new
- entities in a context is as follows:
-
- \medskip
- \begin{tabular}{l}
- @{text "binding + naming \<longrightarrow> long name + name space accesses"}
- \end{tabular}
-
- \bigskip As a general principle, there is a separate name space for
- each kind of formal entity, e.g.\ fact, logical constant, type
- constructor, type class. It is usually clear from the occurrence in
- concrete syntax (or from the scope) which kind of entity a name
- refers to. For example, the very same name @{text "c"} may be used
- uniformly for a constant, type constructor, and type class.
-
- There are common schemes to name derived entities systematically
- according to the name of the main logical entity involved, e.g.\
- fact @{text "c.intro"} for a canonical introduction rule related to
- constant @{text "c"}. This technique of mapping names from one
- space into another requires some care in order to avoid conflicts.
- In particular, theorem names derived from a type constructor or type
- class should get an additional suffix in addition to the usual
- qualification. This leads to the following conventions for derived
- names:
-
- \medskip
- \begin{tabular}{ll}
- logical entity & fact name \\\hline
- constant @{text "c"} & @{text "c.intro"} \\
- type @{text "c"} & @{text "c_type.intro"} \\
- class @{text "c"} & @{text "c_class.intro"} \\
- \end{tabular}
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type binding} \\
- @{index_ML Binding.empty: binding} \\
- @{index_ML Binding.name: "string -> binding"} \\
- @{index_ML Binding.qualify: "bool -> string -> binding -> binding"} \\
- @{index_ML Binding.prefix: "bool -> string -> binding -> binding"} \\
- @{index_ML Binding.conceal: "binding -> binding"} \\
- @{index_ML Binding.print: "binding -> string"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type Name_Space.naming} \\
- @{index_ML Name_Space.default_naming: Name_Space.naming} \\
- @{index_ML Name_Space.add_path: "string -> Name_Space.naming -> Name_Space.naming"} \\
- @{index_ML Name_Space.full_name: "Name_Space.naming -> binding -> string"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML_type Name_Space.T} \\
- @{index_ML Name_Space.empty: "string -> Name_Space.T"} \\
- @{index_ML Name_Space.merge: "Name_Space.T * Name_Space.T -> Name_Space.T"} \\
- @{index_ML Name_Space.declare: "Context.generic -> bool ->
- binding -> Name_Space.T -> string * Name_Space.T"} \\
- @{index_ML Name_Space.intern: "Name_Space.T -> string -> string"} \\
- @{index_ML Name_Space.extern: "Proof.context -> Name_Space.T -> string -> string"} \\
- @{index_ML Name_Space.is_concealed: "Name_Space.T -> string -> bool"}
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type binding} represents the abstract concept of
- name bindings.
-
- \item @{ML Binding.empty} is the empty binding.
-
- \item @{ML Binding.name}~@{text "name"} produces a binding with base
- name @{text "name"}. Note that this lacks proper source position
- information; see also the ML antiquotation @{ML_antiquotation
- binding}.
-
- \item @{ML Binding.qualify}~@{text "mandatory name binding"}
- prefixes qualifier @{text "name"} to @{text "binding"}. The @{text
- "mandatory"} flag tells if this name component always needs to be
- given in name space accesses --- this is mostly @{text "false"} in
- practice. Note that this part of qualification is typically used in
- derived specification mechanisms.
-
- \item @{ML Binding.prefix} is similar to @{ML Binding.qualify}, but
- affects the system prefix. This part of extra qualification is
- typically used in the infrastructure for modular specifications,
- notably ``local theory targets'' (see also \chref{ch:local-theory}).
-
- \item @{ML Binding.conceal}~@{text "binding"} indicates that the
- binding shall refer to an entity that serves foundational purposes
- only. This flag helps to mark implementation details of
- specification mechanism etc. Other tools should not depend on the
- particulars of concealed entities (cf.\ @{ML
- Name_Space.is_concealed}).
-
- \item @{ML Binding.print}~@{text "binding"} produces a string
- representation for human-readable output, together with some formal
- markup that might get used in GUI front-ends, for example.
-
- \item Type @{ML_type Name_Space.naming} represents the abstract
- concept of a naming policy.
-
- \item @{ML Name_Space.default_naming} is the default naming policy.
- In a theory context, this is usually augmented by a path prefix
- consisting of the theory name.
-
- \item @{ML Name_Space.add_path}~@{text "path naming"} augments the
- naming policy by extending its path component.
-
- \item @{ML Name_Space.full_name}~@{text "naming binding"} turns a
- name binding (usually a basic name) into the fully qualified
- internal name, according to the given naming policy.
-
- \item Type @{ML_type Name_Space.T} represents name spaces.
-
- \item @{ML Name_Space.empty}~@{text "kind"} and @{ML Name_Space.merge}~@{text
- "(space\<^isub>1, space\<^isub>2)"} are the canonical operations for
- maintaining name spaces according to theory data management
- (\secref{sec:context-data}); @{text "kind"} is a formal comment
- to characterize the purpose of a name space.
-
- \item @{ML Name_Space.declare}~@{text "context strict binding
- space"} enters a name binding as fully qualified internal name into
- the name space, using the naming of the context.
-
- \item @{ML Name_Space.intern}~@{text "space name"} internalizes a
- (partially qualified) external name.
-
- This operation is mostly for parsing! Note that fully qualified
- names stemming from declarations are produced via @{ML
- "Name_Space.full_name"} and @{ML "Name_Space.declare"}
- (or their derivatives for @{ML_type theory} and
- @{ML_type Proof.context}).
-
- \item @{ML Name_Space.extern}~@{text "ctxt space name"} externalizes a
- (fully qualified) internal name.
-
- This operation is mostly for printing! User code should not rely on
- the precise result too much.
-
- \item @{ML Name_Space.is_concealed}~@{text "space name"} indicates
- whether @{text "name"} refers to a strictly private entity that
- other tools are supposed to ignore!
-
- \end{description}
-*}
-
-text %mlantiq {*
- \begin{matharray}{rcl}
- @{ML_antiquotation_def "binding"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- @{rail "
- @@{ML_antiquotation binding} name
- "}
-
- \begin{description}
-
- \item @{text "@{binding name}"} produces a binding with base name
- @{text "name"} and the source position taken from the concrete
- syntax of this antiquotation. In many situations this is more
- appropriate than the more basic @{ML Binding.name} function.
-
- \end{description}
-*}
-
-text %mlex {* The following example yields the source position of some
- concrete binding inlined into the text:
-*}
-
-ML {* Binding.pos_of @{binding here} *}
-
-text {* \medskip That position can be also printed in a message as
- follows: *}
-
-ML_command {*
- writeln
- ("Look here" ^ Position.str_of (Binding.pos_of @{binding here}))
-*}
-
-text {* This illustrates a key virtue of formalized bindings as
- opposed to raw specifications of base names: the system can use this
- additional information for feedback given to the user (error
- messages etc.). *}
-
-end
--- a/doc-src/IsarImplementation/Proof.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,497 +0,0 @@
-theory Proof
-imports Base
-begin
-
-chapter {* Structured proofs *}
-
-section {* Variables \label{sec:variables} *}
-
-text {*
- Any variable that is not explicitly bound by @{text "\<lambda>"}-abstraction
- is considered as ``free''. Logically, free variables act like
- outermost universal quantification at the sequent level: @{text
- "A\<^isub>1(x), \<dots>, A\<^isub>n(x) \<turnstile> B(x)"} means that the result
- holds \emph{for all} values of @{text "x"}. Free variables for
- terms (not types) can be fully internalized into the logic: @{text
- "\<turnstile> B(x)"} and @{text "\<turnstile> \<And>x. B(x)"} are interchangeable, provided
- that @{text "x"} does not occur elsewhere in the context.
- Inspecting @{text "\<turnstile> \<And>x. B(x)"} more closely, we see that inside the
- quantifier, @{text "x"} is essentially ``arbitrary, but fixed'',
- while from outside it appears as a place-holder for instantiation
- (thanks to @{text "\<And>"} elimination).
-
- The Pure logic represents the idea of variables being either inside
- or outside the current scope by providing separate syntactic
- categories for \emph{fixed variables} (e.g.\ @{text "x"}) vs.\
- \emph{schematic variables} (e.g.\ @{text "?x"}). Incidently, a
- universal result @{text "\<turnstile> \<And>x. B(x)"} has the HHF normal form @{text
- "\<turnstile> B(?x)"}, which represents its generality without requiring an
- explicit quantifier. The same principle works for type variables:
- @{text "\<turnstile> B(?\<alpha>)"} represents the idea of ``@{text "\<turnstile> \<forall>\<alpha>. B(\<alpha>)"}''
- without demanding a truly polymorphic framework.
-
- \medskip Additional care is required to treat type variables in a
- way that facilitates type-inference. In principle, term variables
- depend on type variables, which means that type variables would have
- to be declared first. For example, a raw type-theoretic framework
- would demand the context to be constructed in stages as follows:
- @{text "\<Gamma> = \<alpha>: type, x: \<alpha>, a: A(x\<^isub>\<alpha>)"}.
-
- We allow a slightly less formalistic mode of operation: term
- variables @{text "x"} are fixed without specifying a type yet
- (essentially \emph{all} potential occurrences of some instance
- @{text "x\<^isub>\<tau>"} are fixed); the first occurrence of @{text "x"}
- within a specific term assigns its most general type, which is then
- maintained consistently in the context. The above example becomes
- @{text "\<Gamma> = x: term, \<alpha>: type, A(x\<^isub>\<alpha>)"}, where type @{text
- "\<alpha>"} is fixed \emph{after} term @{text "x"}, and the constraint
- @{text "x :: \<alpha>"} is an implicit consequence of the occurrence of
- @{text "x\<^isub>\<alpha>"} in the subsequent proposition.
-
- This twist of dependencies is also accommodated by the reverse
- operation of exporting results from a context: a type variable
- @{text "\<alpha>"} is considered fixed as long as it occurs in some fixed
- term variable of the context. For example, exporting @{text "x:
- term, \<alpha>: type \<turnstile> x\<^isub>\<alpha> \<equiv> x\<^isub>\<alpha>"} produces in the first step @{text "x: term
- \<turnstile> x\<^isub>\<alpha> \<equiv> x\<^isub>\<alpha>"} for fixed @{text "\<alpha>"}, and only in the second step
- @{text "\<turnstile> ?x\<^isub>?\<^isub>\<alpha> \<equiv> ?x\<^isub>?\<^isub>\<alpha>"} for schematic @{text "?x"} and @{text "?\<alpha>"}.
- The following Isar source text illustrates this scenario.
-*}
-
-notepad
-begin
- {
- fix x -- {* all potential occurrences of some @{text "x::\<tau>"} are fixed *}
- {
- have "x::'a \<equiv> x" -- {* implicit type assigment by concrete occurrence *}
- by (rule reflexive)
- }
- thm this -- {* result still with fixed type @{text "'a"} *}
- }
- thm this -- {* fully general result for arbitrary @{text "?x::?'a"} *}
-end
-
-text {* The Isabelle/Isar proof context manages the details of term
- vs.\ type variables, with high-level principles for moving the
- frontier between fixed and schematic variables.
-
- The @{text "add_fixes"} operation explictly declares fixed
- variables; the @{text "declare_term"} operation absorbs a term into
- a context by fixing new type variables and adding syntactic
- constraints.
-
- The @{text "export"} operation is able to perform the main work of
- generalizing term and type variables as sketched above, assuming
- that fixing variables and terms have been declared properly.
-
- There @{text "import"} operation makes a generalized fact a genuine
- part of the context, by inventing fixed variables for the schematic
- ones. The effect can be reversed by using @{text "export"} later,
- potentially with an extended context; the result is equivalent to
- the original modulo renaming of schematic variables.
-
- The @{text "focus"} operation provides a variant of @{text "import"}
- for nested propositions (with explicit quantification): @{text
- "\<And>x\<^isub>1 \<dots> x\<^isub>n. B(x\<^isub>1, \<dots>, x\<^isub>n)"} is
- decomposed by inventing fixed variables @{text "x\<^isub>1, \<dots>,
- x\<^isub>n"} for the body.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Variable.add_fixes: "
- string list -> Proof.context -> string list * Proof.context"} \\
- @{index_ML Variable.variant_fixes: "
- string list -> Proof.context -> string list * Proof.context"} \\
- @{index_ML Variable.declare_term: "term -> Proof.context -> Proof.context"} \\
- @{index_ML Variable.declare_constraints: "term -> Proof.context -> Proof.context"} \\
- @{index_ML Variable.export: "Proof.context -> Proof.context -> thm list -> thm list"} \\
- @{index_ML Variable.polymorphic: "Proof.context -> term list -> term list"} \\
- @{index_ML Variable.import: "bool -> thm list -> Proof.context ->
- (((ctyp * ctyp) list * (cterm * cterm) list) * thm list) * Proof.context"} \\
- @{index_ML Variable.focus: "term -> Proof.context ->
- ((string * (string * typ)) list * term) * Proof.context"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML Variable.add_fixes}~@{text "xs ctxt"} fixes term
- variables @{text "xs"}, returning the resulting internal names. By
- default, the internal representation coincides with the external
- one, which also means that the given variables must not be fixed
- already. There is a different policy within a local proof body: the
- given names are just hints for newly invented Skolem variables.
-
- \item @{ML Variable.variant_fixes} is similar to @{ML
- Variable.add_fixes}, but always produces fresh variants of the given
- names.
-
- \item @{ML Variable.declare_term}~@{text "t ctxt"} declares term
- @{text "t"} to belong to the context. This automatically fixes new
- type variables, but not term variables. Syntactic constraints for
- type and term variables are declared uniformly, though.
-
- \item @{ML Variable.declare_constraints}~@{text "t ctxt"} declares
- syntactic constraints from term @{text "t"}, without making it part
- of the context yet.
-
- \item @{ML Variable.export}~@{text "inner outer thms"} generalizes
- fixed type and term variables in @{text "thms"} according to the
- difference of the @{text "inner"} and @{text "outer"} context,
- following the principles sketched above.
-
- \item @{ML Variable.polymorphic}~@{text "ctxt ts"} generalizes type
- variables in @{text "ts"} as far as possible, even those occurring
- in fixed term variables. The default policy of type-inference is to
- fix newly introduced type variables, which is essentially reversed
- with @{ML Variable.polymorphic}: here the given terms are detached
- from the context as far as possible.
-
- \item @{ML Variable.import}~@{text "open thms ctxt"} invents fixed
- type and term variables for the schematic ones occurring in @{text
- "thms"}. The @{text "open"} flag indicates whether the fixed names
- should be accessible to the user, otherwise newly introduced names
- are marked as ``internal'' (\secref{sec:names}).
-
- \item @{ML Variable.focus}~@{text B} decomposes the outermost @{text
- "\<And>"} prefix of proposition @{text "B"}.
-
- \end{description}
-*}
-
-text %mlex {* The following example shows how to work with fixed term
- and type parameters and with type-inference. *}
-
-ML {*
- (*static compile-time context -- for testing only*)
- val ctxt0 = @{context};
-
- (*locally fixed parameters -- no type assignment yet*)
- val ([x, y], ctxt1) = ctxt0 |> Variable.add_fixes ["x", "y"];
-
- (*t1: most general fixed type; t1': most general arbitrary type*)
- val t1 = Syntax.read_term ctxt1 "x";
- val t1' = singleton (Variable.polymorphic ctxt1) t1;
-
- (*term u enforces specific type assignment*)
- val u = Syntax.read_term ctxt1 "(x::nat) \<equiv> y";
-
- (*official declaration of u -- propagates constraints etc.*)
- val ctxt2 = ctxt1 |> Variable.declare_term u;
- val t2 = Syntax.read_term ctxt2 "x"; (*x::nat is enforced*)
-*}
-
-text {* In the above example, the starting context is derived from the
- toplevel theory, which means that fixed variables are internalized
- literally: @{text "x"} is mapped again to @{text "x"}, and
- attempting to fix it again in the subsequent context is an error.
- Alternatively, fixed parameters can be renamed explicitly as
- follows: *}
-
-ML {*
- val ctxt0 = @{context};
- val ([x1, x2, x3], ctxt1) =
- ctxt0 |> Variable.variant_fixes ["x", "x", "x"];
-*}
-
-text {* The following ML code can now work with the invented names of
- @{text x1}, @{text x2}, @{text x3}, without depending on
- the details on the system policy for introducing these variants.
- Recall that within a proof body the system always invents fresh
- ``skolem constants'', e.g.\ as follows: *}
-
-notepad
-begin
- ML_prf %"ML" {*
- val ctxt0 = @{context};
-
- val ([x1], ctxt1) = ctxt0 |> Variable.add_fixes ["x"];
- val ([x2], ctxt2) = ctxt1 |> Variable.add_fixes ["x"];
- val ([x3], ctxt3) = ctxt2 |> Variable.add_fixes ["x"];
-
- val ([y1, y2], ctxt4) =
- ctxt3 |> Variable.variant_fixes ["y", "y"];
- *}
-end
-
-text {* In this situation @{ML Variable.add_fixes} and @{ML
- Variable.variant_fixes} are very similar, but identical name
- proposals given in a row are only accepted by the second version.
- *}
-
-
-section {* Assumptions \label{sec:assumptions} *}
-
-text {*
- An \emph{assumption} is a proposition that it is postulated in the
- current context. Local conclusions may use assumptions as
- additional facts, but this imposes implicit hypotheses that weaken
- the overall statement.
-
- Assumptions are restricted to fixed non-schematic statements, i.e.\
- all generality needs to be expressed by explicit quantifiers.
- Nevertheless, the result will be in HHF normal form with outermost
- quantifiers stripped. For example, by assuming @{text "\<And>x :: \<alpha>. P
- x"} we get @{text "\<And>x :: \<alpha>. P x \<turnstile> P ?x"} for schematic @{text "?x"}
- of fixed type @{text "\<alpha>"}. Local derivations accumulate more and
- more explicit references to hypotheses: @{text "A\<^isub>1, \<dots>,
- A\<^isub>n \<turnstile> B"} where @{text "A\<^isub>1, \<dots>, A\<^isub>n"} needs to
- be covered by the assumptions of the current context.
-
- \medskip The @{text "add_assms"} operation augments the context by
- local assumptions, which are parameterized by an arbitrary @{text
- "export"} rule (see below).
-
- The @{text "export"} operation moves facts from a (larger) inner
- context into a (smaller) outer context, by discharging the
- difference of the assumptions as specified by the associated export
- rules. Note that the discharged portion is determined by the
- difference of contexts, not the facts being exported! There is a
- separate flag to indicate a goal context, where the result is meant
- to refine an enclosing sub-goal of a structured proof state.
-
- \medskip The most basic export rule discharges assumptions directly
- by means of the @{text "\<Longrightarrow>"} introduction rule:
- \[
- \infer[(@{text "\<Longrightarrow>\<hyphen>intro"})]{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
- \]
-
- The variant for goal refinements marks the newly introduced
- premises, which causes the canonical Isar goal refinement scheme to
- enforce unification with local premises within the goal:
- \[
- \infer[(@{text "#\<Longrightarrow>\<hyphen>intro"})]{@{text "\<Gamma> - A \<turnstile> #A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
- \]
-
- \medskip Alternative versions of assumptions may perform arbitrary
- transformations on export, as long as the corresponding portion of
- hypotheses is removed from the given facts. For example, a local
- definition works by fixing @{text "x"} and assuming @{text "x \<equiv> t"},
- with the following export rule to reverse the effect:
- \[
- \infer[(@{text "\<equiv>\<hyphen>expand"})]{@{text "\<Gamma> - (x \<equiv> t) \<turnstile> B t"}}{@{text "\<Gamma> \<turnstile> B x"}}
- \]
- This works, because the assumption @{text "x \<equiv> t"} was introduced in
- a context with @{text "x"} being fresh, so @{text "x"} does not
- occur in @{text "\<Gamma>"} here.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type Assumption.export} \\
- @{index_ML Assumption.assume: "cterm -> thm"} \\
- @{index_ML Assumption.add_assms:
- "Assumption.export ->
- cterm list -> Proof.context -> thm list * Proof.context"} \\
- @{index_ML Assumption.add_assumes: "
- cterm list -> Proof.context -> thm list * Proof.context"} \\
- @{index_ML Assumption.export: "bool -> Proof.context -> Proof.context -> thm -> thm"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type Assumption.export} represents arbitrary export
- rules, which is any function of type @{ML_type "bool -> cterm list
- -> thm -> thm"}, where the @{ML_type "bool"} indicates goal mode,
- and the @{ML_type "cterm list"} the collection of assumptions to be
- discharged simultaneously.
-
- \item @{ML Assumption.assume}~@{text "A"} turns proposition @{text
- "A"} into a primitive assumption @{text "A \<turnstile> A'"}, where the
- conclusion @{text "A'"} is in HHF normal form.
-
- \item @{ML Assumption.add_assms}~@{text "r As"} augments the context
- by assumptions @{text "As"} with export rule @{text "r"}. The
- resulting facts are hypothetical theorems as produced by the raw
- @{ML Assumption.assume}.
-
- \item @{ML Assumption.add_assumes}~@{text "As"} is a special case of
- @{ML Assumption.add_assms} where the export rule performs @{text
- "\<Longrightarrow>\<hyphen>intro"} or @{text "#\<Longrightarrow>\<hyphen>intro"}, depending on goal
- mode.
-
- \item @{ML Assumption.export}~@{text "is_goal inner outer thm"}
- exports result @{text "thm"} from the the @{text "inner"} context
- back into the @{text "outer"} one; @{text "is_goal = true"} means
- this is a goal context. The result is in HHF normal form. Note
- that @{ML "Proof_Context.export"} combines @{ML "Variable.export"}
- and @{ML "Assumption.export"} in the canonical way.
-
- \end{description}
-*}
-
-text %mlex {* The following example demonstrates how rules can be
- derived by building up a context of assumptions first, and exporting
- some local fact afterwards. We refer to @{theory Pure} equality
- here for testing purposes.
-*}
-
-ML {*
- (*static compile-time context -- for testing only*)
- val ctxt0 = @{context};
-
- val ([eq], ctxt1) =
- ctxt0 |> Assumption.add_assumes [@{cprop "x \<equiv> y"}];
- val eq' = Thm.symmetric eq;
-
- (*back to original context -- discharges assumption*)
- val r = Assumption.export false ctxt1 ctxt0 eq';
-*}
-
-text {* Note that the variables of the resulting rule are not
- generalized. This would have required to fix them properly in the
- context beforehand, and export wrt.\ variables afterwards (cf.\ @{ML
- Variable.export} or the combined @{ML "Proof_Context.export"}). *}
-
-
-section {* Structured goals and results \label{sec:struct-goals} *}
-
-text {*
- Local results are established by monotonic reasoning from facts
- within a context. This allows common combinations of theorems,
- e.g.\ via @{text "\<And>/\<Longrightarrow>"} elimination, resolution rules, or equational
- reasoning, see \secref{sec:thms}. Unaccounted context manipulations
- should be avoided, notably raw @{text "\<And>/\<Longrightarrow>"} introduction or ad-hoc
- references to free variables or assumptions not present in the proof
- context.
-
- \medskip The @{text "SUBPROOF"} combinator allows to structure a
- tactical proof recursively by decomposing a selected sub-goal:
- @{text "(\<And>x. A(x) \<Longrightarrow> B(x)) \<Longrightarrow> \<dots>"} is turned into @{text "B(x) \<Longrightarrow> \<dots>"}
- after fixing @{text "x"} and assuming @{text "A(x)"}. This means
- the tactic needs to solve the conclusion, but may use the premise as
- a local fact, for locally fixed variables.
-
- The family of @{text "FOCUS"} combinators is similar to @{text
- "SUBPROOF"}, but allows to retain schematic variables and pending
- subgoals in the resulting goal state.
-
- The @{text "prove"} operation provides an interface for structured
- backwards reasoning under program control, with some explicit sanity
- checks of the result. The goal context can be augmented by
- additional fixed variables (cf.\ \secref{sec:variables}) and
- assumptions (cf.\ \secref{sec:assumptions}), which will be available
- as local facts during the proof and discharged into implications in
- the result. Type and term variables are generalized as usual,
- according to the context.
-
- The @{text "obtain"} operation produces results by eliminating
- existing facts by means of a given tactic. This acts like a dual
- conclusion: the proof demonstrates that the context may be augmented
- by parameters and assumptions, without affecting any conclusions
- that do not mention these parameters. See also
- \cite{isabelle-isar-ref} for the user-level @{command obtain} and
- @{command guess} elements. Final results, which may not refer to
- the parameters in the conclusion, need to exported explicitly into
- the original context. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML SELECT_GOAL: "tactic -> int -> tactic"} \\
- @{index_ML SUBPROOF: "(Subgoal.focus -> tactic) ->
- Proof.context -> int -> tactic"} \\
- @{index_ML Subgoal.FOCUS: "(Subgoal.focus -> tactic) ->
- Proof.context -> int -> tactic"} \\
- @{index_ML Subgoal.FOCUS_PREMS: "(Subgoal.focus -> tactic) ->
- Proof.context -> int -> tactic"} \\
- @{index_ML Subgoal.FOCUS_PARAMS: "(Subgoal.focus -> tactic) ->
- Proof.context -> int -> tactic"} \\
- @{index_ML Subgoal.focus: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
- @{index_ML Subgoal.focus_prems: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
- @{index_ML Subgoal.focus_params: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
- \end{mldecls}
-
- \begin{mldecls}
- @{index_ML Goal.prove: "Proof.context -> string list -> term list -> term ->
- ({prems: thm list, context: Proof.context} -> tactic) -> thm"} \\
- @{index_ML Goal.prove_multi: "Proof.context -> string list -> term list -> term list ->
- ({prems: thm list, context: Proof.context} -> tactic) -> thm list"} \\
- \end{mldecls}
- \begin{mldecls}
- @{index_ML Obtain.result: "(Proof.context -> tactic) -> thm list ->
- Proof.context -> ((string * cterm) list * thm list) * Proof.context"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML SELECT_GOAL}~@{text "tac i"} confines a tactic to the
- specified subgoal @{text "i"}. This introduces a nested goal state,
- without decomposing the internal structure of the subgoal yet.
-
- \item @{ML SUBPROOF}~@{text "tac ctxt i"} decomposes the structure
- of the specified sub-goal, producing an extended context and a
- reduced goal, which needs to be solved by the given tactic. All
- schematic parameters of the goal are imported into the context as
- fixed ones, which may not be instantiated in the sub-proof.
-
- \item @{ML Subgoal.FOCUS}, @{ML Subgoal.FOCUS_PREMS}, and @{ML
- Subgoal.FOCUS_PARAMS} are similar to @{ML SUBPROOF}, but are
- slightly more flexible: only the specified parts of the subgoal are
- imported into the context, and the body tactic may introduce new
- subgoals and schematic variables.
-
- \item @{ML Subgoal.focus}, @{ML Subgoal.focus_prems}, @{ML
- Subgoal.focus_params} extract the focus information from a goal
- state in the same way as the corresponding tacticals above. This is
- occasionally useful to experiment without writing actual tactics
- yet.
-
- \item @{ML Goal.prove}~@{text "ctxt xs As C tac"} states goal @{text
- "C"} in the context augmented by fixed variables @{text "xs"} and
- assumptions @{text "As"}, and applies tactic @{text "tac"} to solve
- it. The latter may depend on the local assumptions being presented
- as facts. The result is in HHF normal form.
-
- \item @{ML Goal.prove_multi} is simular to @{ML Goal.prove}, but
- states several conclusions simultaneously. The goal is encoded by
- means of Pure conjunction; @{ML Goal.conjunction_tac} will turn this
- into a collection of individual subgoals.
-
- \item @{ML Obtain.result}~@{text "tac thms ctxt"} eliminates the
- given facts using a tactic, which results in additional fixed
- variables and assumptions in the context. Final results need to be
- exported explicitly.
-
- \end{description}
-*}
-
-text %mlex {* The following minimal example illustrates how to access
- the focus information of a structured goal state. *}
-
-notepad
-begin
- fix A B C :: "'a \<Rightarrow> bool"
-
- have "\<And>x. A x \<Longrightarrow> B x \<Longrightarrow> C x"
- ML_val
- {*
- val {goal, context = goal_ctxt, ...} = @{Isar.goal};
- val (focus as {params, asms, concl, ...}, goal') =
- Subgoal.focus goal_ctxt 1 goal;
- val [A, B] = #prems focus;
- val [(_, x)] = #params focus;
- *}
- oops
-
-text {* \medskip The next example demonstrates forward-elimination in
- a local context, using @{ML Obtain.result}. *}
-
-notepad
-begin
- assume ex: "\<exists>x. B x"
-
- ML_prf %"ML" {*
- val ctxt0 = @{context};
- val (([(_, x)], [B]), ctxt1) = ctxt0
- |> Obtain.result (fn _ => etac @{thm exE} 1) [@{thm ex}];
- *}
- ML_prf %"ML" {*
- singleton (Proof_Context.export ctxt1 ctxt0) @{thm refl};
- *}
- ML_prf %"ML" {*
- Proof_Context.export ctxt1 ctxt0 [Thm.reflexive x]
- handle ERROR msg => (warning msg; []);
- *}
-end
-
-end
--- a/doc-src/IsarImplementation/Syntax.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,163 +0,0 @@
-theory Syntax
-imports Base
-begin
-
-chapter {* Concrete syntax and type-checking *}
-
-text {* Pure @{text "\<lambda>"}-calculus as introduced in \chref{ch:logic} is
- an adequate foundation for logical languages --- in the tradition of
- \emph{higher-order abstract syntax} --- but end-users require
- additional means for reading and printing of terms and types. This
- important add-on outside the logical core is called \emph{inner
- syntax} in Isabelle jargon, as opposed to the \emph{outer syntax} of
- the theory and proof language (cf.\ \cite{isabelle-isar-ref}).
-
- For example, according to \cite{church40} quantifiers are
- represented as higher-order constants @{text "All :: ('a \<Rightarrow> bool) \<Rightarrow>
- bool"} such that @{text "All (\<lambda>x::'a. B x)"} faithfully represents
- the idea that is displayed as @{text "\<forall>x::'a. B x"} via @{keyword
- "binder"} notation. Moreover, type-inference in the style of
- Hindley-Milner \cite{hindleymilner} (and extensions) enables users
- to write @{text "\<forall>x. B x"} concisely, when the type @{text "'a"} is
- already clear from the context.\footnote{Type-inference taken to the
- extreme can easily confuse users, though. Beginners often stumble
- over unexpectedly general types inferred by the system.}
-
- \medskip The main inner syntax operations are \emph{read} for
- parsing together with type-checking, and \emph{pretty} for formatted
- output. See also \secref{sec:read-print}.
-
- Furthermore, the input and output syntax layers are sub-divided into
- separate phases for \emph{concrete syntax} versus \emph{abstract
- syntax}, see also \secref{sec:parse-unparse} and
- \secref{sec:term-check}, respectively. This results in the
- following decomposition of the main operations:
-
- \begin{itemize}
-
- \item @{text "read = parse; check"}
-
- \item @{text "pretty = uncheck; unparse"}
-
- \end{itemize}
-
- Some specification package might thus intercept syntax processing at
- a well-defined stage after @{text "parse"}, to a augment the
- resulting pre-term before full type-reconstruction is performed by
- @{text "check"}, for example. Note that the formal status of bound
- variables, versus free variables, versus constants must not be
- changed here! *}
-
-
-section {* Reading and pretty printing \label{sec:read-print} *}
-
-text {* Read and print operations are roughly dual to each other, such
- that for the user @{text "s' = pretty (read s)"} looks similar to
- the original source text @{text "s"}, but the details depend on many
- side-conditions. There are also explicit options to control
- suppressing of type information in the output. The default
- configuration routinely looses information, so @{text "t' = read
- (pretty t)"} might fail, produce a differently typed term, or a
- completely different term in the face of syntactic overloading! *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Syntax.read_typ: "Proof.context -> string -> typ"} \\
- @{index_ML Syntax.read_term: "Proof.context -> string -> term"} \\
- @{index_ML Syntax.read_prop: "Proof.context -> string -> term"} \\
- @{index_ML Syntax.pretty_typ: "Proof.context -> typ -> Pretty.T"} \\
- @{index_ML Syntax.pretty_term: "Proof.context -> term -> Pretty.T"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item FIXME
-
- \end{description}
-*}
-
-
-section {* Parsing and unparsing \label{sec:parse-unparse} *}
-
-text {* Parsing and unparsing converts between actual source text and
- a certain \emph{pre-term} format, where all bindings and scopes are
- resolved faithfully. Thus the names of free variables or constants
- are already determined in the sense of the logical context, but type
- information might is still missing. Pre-terms support an explicit
- language of \emph{type constraints} that may be augmented by user
- code to guide the later \emph{check} phase, for example.
-
- Actual parsing is based on traditional lexical analysis and Earley
- parsing for arbitrary context-free grammars. The user can specify
- this via mixfix annotations. Moreover, there are \emph{syntax
- translations} that can be augmented by the user, either
- declaratively via @{command translations} or programmatically via
- @{command parse_translation}, @{command print_translation} etc. The
- final scope resolution is performed by the system, according to name
- spaces for types, constants etc.\ determined by the context.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Syntax.parse_typ: "Proof.context -> string -> typ"} \\
- @{index_ML Syntax.parse_term: "Proof.context -> string -> term"} \\
- @{index_ML Syntax.parse_prop: "Proof.context -> string -> term"} \\
- @{index_ML Syntax.unparse_typ: "Proof.context -> typ -> Pretty.T"} \\
- @{index_ML Syntax.unparse_term: "Proof.context -> term -> Pretty.T"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item FIXME
-
- \end{description}
-*}
-
-
-section {* Checking and unchecking \label{sec:term-check} *}
-
-text {* These operations define the transition from pre-terms and
- fully-annotated terms in the sense of the logical core
- (\chref{ch:logic}).
-
- The \emph{check} phase is meant to subsume a variety of mechanisms
- in the manner of ``type-inference'' or ``type-reconstruction'' or
- ``type-improvement'', not just type-checking in the narrow sense.
- The \emph{uncheck} phase is roughly dual, it prunes type-information
- before pretty printing.
-
- A typical add-on for the check/uncheck syntax layer is the @{command
- abbreviation} mechanism. Here the user specifies syntactic
- definitions that are managed by the system as polymorphic @{text
- "let"} bindings. These are expanded during the @{text "check"}
- phase, and contracted during the @{text "uncheck"} phase, without
- affecting the type-assignment of the given terms.
-
- \medskip The precise meaning of type checking depends on the context
- --- additional check/uncheck plugins might be defined in user space!
-
- For example, the @{command class} command defines a context where
- @{text "check"} treats certain type instances of overloaded
- constants according to the ``dictionary construction'' of its
- logical foundation. This involves ``type improvement''
- (specialization of slightly too general types) and replacement by
- certain locale parameters. See also \cite{Haftmann-Wenzel:2009}.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Syntax.check_typs: "Proof.context -> typ list -> typ list"} \\
- @{index_ML Syntax.check_terms: "Proof.context -> term list -> term list"} \\
- @{index_ML Syntax.check_props: "Proof.context -> term list -> term list"} \\
- @{index_ML Syntax.uncheck_typs: "Proof.context -> typ list -> typ list"} \\
- @{index_ML Syntax.uncheck_terms: "Proof.context -> term list -> term list"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item FIXME
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarImplementation/Tactic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,861 +0,0 @@
-theory Tactic
-imports Base
-begin
-
-chapter {* Tactical reasoning *}
-
-text {* Tactical reasoning works by refining an initial claim in a
- backwards fashion, until a solved form is reached. A @{text "goal"}
- consists of several subgoals that need to be solved in order to
- achieve the main statement; zero subgoals means that the proof may
- be finished. A @{text "tactic"} is a refinement operation that maps
- a goal to a lazy sequence of potential successors. A @{text
- "tactical"} is a combinator for composing tactics. *}
-
-
-section {* Goals \label{sec:tactical-goals} *}
-
-text {*
- Isabelle/Pure represents a goal as a theorem stating that the
- subgoals imply the main goal: @{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow>
- C"}. The outermost goal structure is that of a Horn Clause: i.e.\
- an iterated implication without any quantifiers\footnote{Recall that
- outermost @{text "\<And>x. \<phi>[x]"} is always represented via schematic
- variables in the body: @{text "\<phi>[?x]"}. These variables may get
- instantiated during the course of reasoning.}. For @{text "n = 0"}
- a goal is called ``solved''.
-
- The structure of each subgoal @{text "A\<^sub>i"} is that of a
- general Hereditary Harrop Formula @{text "\<And>x\<^sub>1 \<dots>
- \<And>x\<^sub>k. H\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> H\<^sub>m \<Longrightarrow> B"}. Here @{text
- "x\<^sub>1, \<dots>, x\<^sub>k"} are goal parameters, i.e.\
- arbitrary-but-fixed entities of certain types, and @{text
- "H\<^sub>1, \<dots>, H\<^sub>m"} are goal hypotheses, i.e.\ facts that may
- be assumed locally. Together, this forms the goal context of the
- conclusion @{text B} to be established. The goal hypotheses may be
- again arbitrary Hereditary Harrop Formulas, although the level of
- nesting rarely exceeds 1--2 in practice.
-
- The main conclusion @{text C} is internally marked as a protected
- proposition, which is represented explicitly by the notation @{text
- "#C"} here. This ensures that the decomposition into subgoals and
- main conclusion is well-defined for arbitrarily structured claims.
-
- \medskip Basic goal management is performed via the following
- Isabelle/Pure rules:
-
- \[
- \infer[@{text "(init)"}]{@{text "C \<Longrightarrow> #C"}}{} \qquad
- \infer[@{text "(finish)"}]{@{text "C"}}{@{text "#C"}}
- \]
-
- \medskip The following low-level variants admit general reasoning
- with protected propositions:
-
- \[
- \infer[@{text "(protect)"}]{@{text "#C"}}{@{text "C"}} \qquad
- \infer[@{text "(conclude)"}]{@{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow> C"}}{@{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow> #C"}}
- \]
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML Goal.init: "cterm -> thm"} \\
- @{index_ML Goal.finish: "Proof.context -> thm -> thm"} \\
- @{index_ML Goal.protect: "thm -> thm"} \\
- @{index_ML Goal.conclude: "thm -> thm"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML "Goal.init"}~@{text C} initializes a tactical goal from
- the well-formed proposition @{text C}.
-
- \item @{ML "Goal.finish"}~@{text "ctxt thm"} checks whether theorem
- @{text "thm"} is a solved goal (no subgoals), and concludes the
- result by removing the goal protection. The context is only
- required for printing error messages.
-
- \item @{ML "Goal.protect"}~@{text "thm"} protects the full statement
- of theorem @{text "thm"}.
-
- \item @{ML "Goal.conclude"}~@{text "thm"} removes the goal
- protection, even if there are pending subgoals.
-
- \end{description}
-*}
-
-
-section {* Tactics\label{sec:tactics} *}
-
-text {* A @{text "tactic"} is a function @{text "goal \<rightarrow> goal\<^sup>*\<^sup>*"} that
- maps a given goal state (represented as a theorem, cf.\
- \secref{sec:tactical-goals}) to a lazy sequence of potential
- successor states. The underlying sequence implementation is lazy
- both in head and tail, and is purely functional in \emph{not}
- supporting memoing.\footnote{The lack of memoing and the strict
- nature of SML requires some care when working with low-level
- sequence operations, to avoid duplicate or premature evaluation of
- results. It also means that modified runtime behavior, such as
- timeout, is very hard to achieve for general tactics.}
-
- An \emph{empty result sequence} means that the tactic has failed: in
- a compound tactic expression other tactics might be tried instead,
- or the whole refinement step might fail outright, producing a
- toplevel error message in the end. When implementing tactics from
- scratch, one should take care to observe the basic protocol of
- mapping regular error conditions to an empty result; only serious
- faults should emerge as exceptions.
-
- By enumerating \emph{multiple results}, a tactic can easily express
- the potential outcome of an internal search process. There are also
- combinators for building proof tools that involve search
- systematically, see also \secref{sec:tacticals}.
-
- \medskip As explained before, a goal state essentially consists of a
- list of subgoals that imply the main goal (conclusion). Tactics may
- operate on all subgoals or on a particularly specified subgoal, but
- must not change the main conclusion (apart from instantiating
- schematic goal variables).
-
- Tactics with explicit \emph{subgoal addressing} are of the form
- @{text "int \<rightarrow> tactic"} and may be applied to a particular subgoal
- (counting from 1). If the subgoal number is out of range, the
- tactic should fail with an empty result sequence, but must not raise
- an exception!
-
- Operating on a particular subgoal means to replace it by an interval
- of zero or more subgoals in the same place; other subgoals must not
- be affected, apart from instantiating schematic variables ranging
- over the whole goal state.
-
- A common pattern of composing tactics with subgoal addressing is to
- try the first one, and then the second one only if the subgoal has
- not been solved yet. Special care is required here to avoid bumping
- into unrelated subgoals that happen to come after the original
- subgoal. Assuming that there is only a single initial subgoal is a
- very common error when implementing tactics!
-
- Tactics with internal subgoal addressing should expose the subgoal
- index as @{text "int"} argument in full generality; a hardwired
- subgoal 1 is not acceptable.
-
- \medskip The main well-formedness conditions for proper tactics are
- summarized as follows.
-
- \begin{itemize}
-
- \item General tactic failure is indicated by an empty result, only
- serious faults may produce an exception.
-
- \item The main conclusion must not be changed, apart from
- instantiating schematic variables.
-
- \item A tactic operates either uniformly on all subgoals, or
- specifically on a selected subgoal (without bumping into unrelated
- subgoals).
-
- \item Range errors in subgoal addressing produce an empty result.
-
- \end{itemize}
-
- Some of these conditions are checked by higher-level goal
- infrastructure (\secref{sec:struct-goals}); others are not checked
- explicitly, and violating them merely results in ill-behaved tactics
- experienced by the user (e.g.\ tactics that insist in being
- applicable only to singleton goals, or prevent composition via
- standard tacticals such as @{ML REPEAT}).
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_type tactic: "thm -> thm Seq.seq"} \\
- @{index_ML no_tac: tactic} \\
- @{index_ML all_tac: tactic} \\
- @{index_ML print_tac: "string -> tactic"} \\[1ex]
- @{index_ML PRIMITIVE: "(thm -> thm) -> tactic"} \\[1ex]
- @{index_ML SUBGOAL: "(term * int -> tactic) -> int -> tactic"} \\
- @{index_ML CSUBGOAL: "(cterm * int -> tactic) -> int -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item Type @{ML_type tactic} represents tactics. The
- well-formedness conditions described above need to be observed. See
- also @{file "~~/src/Pure/General/seq.ML"} for the underlying
- implementation of lazy sequences.
-
- \item Type @{ML_type "int -> tactic"} represents tactics with
- explicit subgoal addressing, with well-formedness conditions as
- described above.
-
- \item @{ML no_tac} is a tactic that always fails, returning the
- empty sequence.
-
- \item @{ML all_tac} is a tactic that always succeeds, returning a
- singleton sequence with unchanged goal state.
-
- \item @{ML print_tac}~@{text "message"} is like @{ML all_tac}, but
- prints a message together with the goal state on the tracing
- channel.
-
- \item @{ML PRIMITIVE}~@{text rule} turns a primitive inference rule
- into a tactic with unique result. Exception @{ML THM} is considered
- a regular tactic failure and produces an empty result; other
- exceptions are passed through.
-
- \item @{ML SUBGOAL}~@{text "(fn (subgoal, i) => tactic)"} is the
- most basic form to produce a tactic with subgoal addressing. The
- given abstraction over the subgoal term and subgoal number allows to
- peek at the relevant information of the full goal state. The
- subgoal range is checked as required above.
-
- \item @{ML CSUBGOAL} is similar to @{ML SUBGOAL}, but passes the
- subgoal as @{ML_type cterm} instead of raw @{ML_type term}. This
- avoids expensive re-certification in situations where the subgoal is
- used directly for primitive inferences.
-
- \end{description}
-*}
-
-
-subsection {* Resolution and assumption tactics \label{sec:resolve-assume-tac} *}
-
-text {* \emph{Resolution} is the most basic mechanism for refining a
- subgoal using a theorem as object-level rule.
- \emph{Elim-resolution} is particularly suited for elimination rules:
- it resolves with a rule, proves its first premise by assumption, and
- finally deletes that assumption from any new subgoals.
- \emph{Destruct-resolution} is like elim-resolution, but the given
- destruction rules are first turned into canonical elimination
- format. \emph{Forward-resolution} is like destruct-resolution, but
- without deleting the selected assumption. The @{text "r/e/d/f"}
- naming convention is maintained for several different kinds of
- resolution rules and tactics.
-
- Assumption tactics close a subgoal by unifying some of its premises
- against its conclusion.
-
- \medskip All the tactics in this section operate on a subgoal
- designated by a positive integer. Other subgoals might be affected
- indirectly, due to instantiation of schematic variables.
-
- There are various sources of non-determinism, the tactic result
- sequence enumerates all possibilities of the following choices (if
- applicable):
-
- \begin{enumerate}
-
- \item selecting one of the rules given as argument to the tactic;
-
- \item selecting a subgoal premise to eliminate, unifying it against
- the first premise of the rule;
-
- \item unifying the conclusion of the subgoal to the conclusion of
- the rule.
-
- \end{enumerate}
-
- Recall that higher-order unification may produce multiple results
- that are enumerated here.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML resolve_tac: "thm list -> int -> tactic"} \\
- @{index_ML eresolve_tac: "thm list -> int -> tactic"} \\
- @{index_ML dresolve_tac: "thm list -> int -> tactic"} \\
- @{index_ML forward_tac: "thm list -> int -> tactic"} \\[1ex]
- @{index_ML assume_tac: "int -> tactic"} \\
- @{index_ML eq_assume_tac: "int -> tactic"} \\[1ex]
- @{index_ML match_tac: "thm list -> int -> tactic"} \\
- @{index_ML ematch_tac: "thm list -> int -> tactic"} \\
- @{index_ML dmatch_tac: "thm list -> int -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML resolve_tac}~@{text "thms i"} refines the goal state
- using the given theorems, which should normally be introduction
- rules. The tactic resolves a rule's conclusion with subgoal @{text
- i}, replacing it by the corresponding versions of the rule's
- premises.
-
- \item @{ML eresolve_tac}~@{text "thms i"} performs elim-resolution
- with the given theorems, which are normally be elimination rules.
-
- Note that @{ML "eresolve_tac [asm_rl]"} is equivalent to @{ML
- assume_tac}, which facilitates mixing of assumption steps with
- genuine eliminations.
-
- \item @{ML dresolve_tac}~@{text "thms i"} performs
- destruct-resolution with the given theorems, which should normally
- be destruction rules. This replaces an assumption by the result of
- applying one of the rules.
-
- \item @{ML forward_tac} is like @{ML dresolve_tac} except that the
- selected assumption is not deleted. It applies a rule to an
- assumption, adding the result as a new assumption.
-
- \item @{ML assume_tac}~@{text i} attempts to solve subgoal @{text i}
- by assumption (modulo higher-order unification).
-
- \item @{ML eq_assume_tac} is similar to @{ML assume_tac}, but checks
- only for immediate @{text "\<alpha>"}-convertibility instead of using
- unification. It succeeds (with a unique next state) if one of the
- assumptions is equal to the subgoal's conclusion. Since it does not
- instantiate variables, it cannot make other subgoals unprovable.
-
- \item @{ML match_tac}, @{ML ematch_tac}, and @{ML dmatch_tac} are
- similar to @{ML resolve_tac}, @{ML eresolve_tac}, and @{ML
- dresolve_tac}, respectively, but do not instantiate schematic
- variables in the goal state.
-
- Flexible subgoals are not updated at will, but are left alone.
- Strictly speaking, matching means to treat the unknowns in the goal
- state as constants; these tactics merely discard unifiers that would
- update the goal state.
-
- \end{description}
-*}
-
-
-subsection {* Explicit instantiation within a subgoal context *}
-
-text {* The main resolution tactics (\secref{sec:resolve-assume-tac})
- use higher-order unification, which works well in many practical
- situations despite its daunting theoretical properties.
- Nonetheless, there are important problem classes where unguided
- higher-order unification is not so useful. This typically involves
- rules like universal elimination, existential introduction, or
- equational substitution. Here the unification problem involves
- fully flexible @{text "?P ?x"} schemes, which are hard to manage
- without further hints.
-
- By providing a (small) rigid term for @{text "?x"} explicitly, the
- remaining unification problem is to assign a (large) term to @{text
- "?P"}, according to the shape of the given subgoal. This is
- sufficiently well-behaved in most practical situations.
-
- \medskip Isabelle provides separate versions of the standard @{text
- "r/e/d/f"} resolution tactics that allow to provide explicit
- instantiations of unknowns of the given rule, wrt.\ terms that refer
- to the implicit context of the selected subgoal.
-
- An instantiation consists of a list of pairs of the form @{text
- "(?x, t)"}, where @{text ?x} is a schematic variable occurring in
- the given rule, and @{text t} is a term from the current proof
- context, augmented by the local goal parameters of the selected
- subgoal; cf.\ the @{text "focus"} operation described in
- \secref{sec:variables}.
-
- Entering the syntactic context of a subgoal is a brittle operation,
- because its exact form is somewhat accidental, and the choice of
- bound variable names depends on the presence of other local and
- global names. Explicit renaming of subgoal parameters prior to
- explicit instantiation might help to achieve a bit more robustness.
-
- Type instantiations may be given as well, via pairs like @{text
- "(?'a, \<tau>)"}. Type instantiations are distinguished from term
- instantiations by the syntactic form of the schematic variable.
- Types are instantiated before terms are. Since term instantiation
- already performs simple type-inference, so explicit type
- instantiations are seldom necessary.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML res_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
- @{index_ML eres_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
- @{index_ML dres_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
- @{index_ML forw_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
- @{index_ML subgoal_tac: "Proof.context -> string -> int -> tactic"} \\
- @{index_ML thin_tac: "Proof.context -> string -> int -> tactic"} \\
- @{index_ML rename_tac: "string list -> int -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML res_inst_tac}~@{text "ctxt insts thm i"} instantiates the
- rule @{text thm} with the instantiations @{text insts}, as described
- above, and then performs resolution on subgoal @{text i}.
-
- \item @{ML eres_inst_tac} is like @{ML res_inst_tac}, but performs
- elim-resolution.
-
- \item @{ML dres_inst_tac} is like @{ML res_inst_tac}, but performs
- destruct-resolution.
-
- \item @{ML forw_inst_tac} is like @{ML dres_inst_tac} except that
- the selected assumption is not deleted.
-
- \item @{ML subgoal_tac}~@{text "ctxt \<phi> i"} adds the proposition
- @{text "\<phi>"} as local premise to subgoal @{text "i"}, and poses the
- same as a new subgoal @{text "i + 1"} (in the original context).
-
- \item @{ML thin_tac}~@{text "ctxt \<phi> i"} deletes the specified
- premise from subgoal @{text i}. Note that @{text \<phi>} may contain
- schematic variables, to abbreviate the intended proposition; the
- first matching subgoal premise will be deleted. Removing useless
- premises from a subgoal increases its readability and can make
- search tactics run faster.
-
- \item @{ML rename_tac}~@{text "names i"} renames the innermost
- parameters of subgoal @{text i} according to the provided @{text
- names} (which need to be distinct indentifiers).
-
- \end{description}
-
- For historical reasons, the above instantiation tactics take
- unparsed string arguments, which makes them hard to use in general
- ML code. The slightly more advanced @{ML Subgoal.FOCUS} combinator
- of \secref{sec:struct-goals} allows to refer to internal goal
- structure with explicit context management.
-*}
-
-
-subsection {* Rearranging goal states *}
-
-text {* In rare situations there is a need to rearrange goal states:
- either the overall collection of subgoals, or the local structure of
- a subgoal. Various administrative tactics allow to operate on the
- concrete presentation these conceptual sets of formulae. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML rotate_tac: "int -> int -> tactic"} \\
- @{index_ML distinct_subgoals_tac: tactic} \\
- @{index_ML flexflex_tac: tactic} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML rotate_tac}~@{text "n i"} rotates the premises of subgoal
- @{text i} by @{text n} positions: from right to left if @{text n} is
- positive, and from left to right if @{text n} is negative.
-
- \item @{ML distinct_subgoals_tac} removes duplicate subgoals from a
- proof state. This is potentially inefficient.
-
- \item @{ML flexflex_tac} removes all flex-flex pairs from the proof
- state by applying the trivial unifier. This drastic step loses
- information. It is already part of the Isar infrastructure for
- facts resulting from goals, and rarely needs to be invoked manually.
-
- Flex-flex constraints arise from difficult cases of higher-order
- unification. To prevent this, use @{ML res_inst_tac} to instantiate
- some variables in a rule. Normally flex-flex constraints can be
- ignored; they often disappear as unknowns get instantiated.
-
- \end{description}
-*}
-
-section {* Tacticals \label{sec:tacticals} *}
-
-text {* A \emph{tactical} is a functional combinator for building up
- complex tactics from simpler ones. Common tacticals perform
- sequential composition, disjunctive choice, iteration, or goal
- addressing. Various search strategies may be expressed via
- tacticals.
-*}
-
-
-subsection {* Combining tactics *}
-
-text {* Sequential composition and alternative choices are the most
- basic ways to combine tactics, similarly to ``@{verbatim ","}'' and
- ``@{verbatim "|"}'' in Isar method notation. This corresponds to
- @{ML_op "THEN"} and @{ML_op "ORELSE"} in ML, but there are further
- possibilities for fine-tuning alternation of tactics such as @{ML_op
- "APPEND"}. Further details become visible in ML due to explicit
- subgoal addressing.
-*}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML_op "THEN": "tactic * tactic -> tactic"} \\
- @{index_ML_op "ORELSE": "tactic * tactic -> tactic"} \\
- @{index_ML_op "APPEND": "tactic * tactic -> tactic"} \\
- @{index_ML "EVERY": "tactic list -> tactic"} \\
- @{index_ML "FIRST": "tactic list -> tactic"} \\[0.5ex]
-
- @{index_ML_op "THEN'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
- @{index_ML_op "ORELSE'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
- @{index_ML_op "APPEND'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
- @{index_ML "EVERY'": "('a -> tactic) list -> 'a -> tactic"} \\
- @{index_ML "FIRST'": "('a -> tactic) list -> 'a -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{text "tac\<^sub>1"}~@{ML_op THEN}~@{text "tac\<^sub>2"} is the sequential
- composition of @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Applied to a goal
- state, it returns all states reachable in two steps by applying
- @{text "tac\<^sub>1"} followed by @{text "tac\<^sub>2"}. First, it applies @{text
- "tac\<^sub>1"} to the goal state, getting a sequence of possible next
- states; then, it applies @{text "tac\<^sub>2"} to each of these and
- concatenates the results to produce again one flat sequence of
- states.
-
- \item @{text "tac\<^sub>1"}~@{ML_op ORELSE}~@{text "tac\<^sub>2"} makes a choice
- between @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Applied to a state, it
- tries @{text "tac\<^sub>1"} and returns the result if non-empty; if @{text
- "tac\<^sub>1"} fails then it uses @{text "tac\<^sub>2"}. This is a deterministic
- choice: if @{text "tac\<^sub>1"} succeeds then @{text "tac\<^sub>2"} is excluded
- from the result.
-
- \item @{text "tac\<^sub>1"}~@{ML_op APPEND}~@{text "tac\<^sub>2"} concatenates the
- possible results of @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Unlike
- @{ML_op "ORELSE"} there is \emph{no commitment} to either tactic, so
- @{ML_op "APPEND"} helps to avoid incompleteness during search, at
- the cost of potential inefficiencies.
-
- \item @{ML EVERY}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>n]"} abbreviates @{text
- "tac\<^sub>1"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op THEN}~@{text "tac\<^sub>n"}.
- Note that @{ML "EVERY []"} is the same as @{ML all_tac}: it always
- succeeds.
-
- \item @{ML FIRST}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>n]"} abbreviates @{text
- "tac\<^sub>1"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op "ORELSE"}~@{text
- "tac\<^sub>n"}. Note that @{ML "FIRST []"} is the same as @{ML no_tac}: it
- always fails.
-
- \item @{ML_op "THEN'"} is the lifted version of @{ML_op "THEN"}, for
- tactics with explicit subgoal addressing. So @{text
- "(tac\<^sub>1"}~@{ML_op THEN'}~@{text "tac\<^sub>2) i"} is the same as @{text
- "(tac\<^sub>1 i"}~@{ML_op THEN}~@{text "tac\<^sub>2 i)"}.
-
- The other primed tacticals work analogously.
-
- \end{description}
-*}
-
-
-subsection {* Repetition tacticals *}
-
-text {* These tacticals provide further control over repetition of
- tactics, beyond the stylized forms of ``@{verbatim "?"}'' and
- ``@{verbatim "+"}'' in Isar method expressions. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML "TRY": "tactic -> tactic"} \\
- @{index_ML "REPEAT": "tactic -> tactic"} \\
- @{index_ML "REPEAT1": "tactic -> tactic"} \\
- @{index_ML "REPEAT_DETERM": "tactic -> tactic"} \\
- @{index_ML "REPEAT_DETERM_N": "int -> tactic -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML TRY}~@{text "tac"} applies @{text "tac"} to the goal
- state and returns the resulting sequence, if non-empty; otherwise it
- returns the original state. Thus, it applies @{text "tac"} at most
- once.
-
- Note that for tactics with subgoal addressing, the combinator can be
- applied via functional composition: @{ML "TRY"}~@{ML_op o}~@{text
- "tac"}. There is no need for @{verbatim TRY'}.
-
- \item @{ML REPEAT}~@{text "tac"} applies @{text "tac"} to the goal
- state and, recursively, to each element of the resulting sequence.
- The resulting sequence consists of those states that make @{text
- "tac"} fail. Thus, it applies @{text "tac"} as many times as
- possible (including zero times), and allows backtracking over each
- invocation of @{text "tac"}. @{ML REPEAT} is more general than @{ML
- REPEAT_DETERM}, but requires more space.
-
- \item @{ML REPEAT1}~@{text "tac"} is like @{ML REPEAT}~@{text "tac"}
- but it always applies @{text "tac"} at least once, failing if this
- is impossible.
-
- \item @{ML REPEAT_DETERM}~@{text "tac"} applies @{text "tac"} to the
- goal state and, recursively, to the head of the resulting sequence.
- It returns the first state to make @{text "tac"} fail. It is
- deterministic, discarding alternative outcomes.
-
- \item @{ML REPEAT_DETERM_N}~@{text "n tac"} is like @{ML
- REPEAT_DETERM}~@{text "tac"} but the number of repetitions is bound
- by @{text "n"} (where @{ML "~1"} means @{text "\<infinity>"}).
-
- \end{description}
-*}
-
-text %mlex {* The basic tactics and tacticals considered above follow
- some algebraic laws:
-
- \begin{itemize}
-
- \item @{ML all_tac} is the identity element of the tactical @{ML_op
- "THEN"}.
-
- \item @{ML no_tac} is the identity element of @{ML_op "ORELSE"} and
- @{ML_op "APPEND"}. Also, it is a zero element for @{ML_op "THEN"},
- which means that @{text "tac"}~@{ML_op THEN}~@{ML no_tac} is
- equivalent to @{ML no_tac}.
-
- \item @{ML TRY} and @{ML REPEAT} can be expressed as (recursive)
- functions over more basic combinators (ignoring some internal
- implementation tricks):
-
- \end{itemize}
-*}
-
-ML {*
- fun TRY tac = tac ORELSE all_tac;
- fun REPEAT tac st = ((tac THEN REPEAT tac) ORELSE all_tac) st;
-*}
-
-text {* If @{text "tac"} can return multiple outcomes then so can @{ML
- REPEAT}~@{text "tac"}. @{ML REPEAT} uses @{ML_op "ORELSE"} and not
- @{ML_op "APPEND"}, it applies @{text "tac"} as many times as
- possible in each outcome.
-
- \begin{warn}
- Note the explicit abstraction over the goal state in the ML
- definition of @{ML REPEAT}. Recursive tacticals must be coded in
- this awkward fashion to avoid infinite recursion of eager functional
- evaluation in Standard ML. The following attempt would make @{ML
- REPEAT}~@{text "tac"} loop:
- \end{warn}
-*}
-
-ML {*
- (*BAD -- does not terminate!*)
- fun REPEAT tac = (tac THEN REPEAT tac) ORELSE all_tac;
-*}
-
-
-subsection {* Applying tactics to subgoal ranges *}
-
-text {* Tactics with explicit subgoal addressing
- @{ML_type "int -> tactic"} can be used together with tacticals that
- act like ``subgoal quantifiers'': guided by success of the body
- tactic a certain range of subgoals is covered. Thus the body tactic
- is applied to \emph{all} subgoals, \emph{some} subgoal etc.
-
- Suppose that the goal state has @{text "n \<ge> 0"} subgoals. Many of
- these tacticals address subgoal ranges counting downwards from
- @{text "n"} towards @{text "1"}. This has the fortunate effect that
- newly emerging subgoals are concatenated in the result, without
- interfering each other. Nonetheless, there might be situations
- where a different order is desired. *}
-
-text %mlref {*
- \begin{mldecls}
- @{index_ML ALLGOALS: "(int -> tactic) -> tactic"} \\
- @{index_ML SOMEGOAL: "(int -> tactic) -> tactic"} \\
- @{index_ML FIRSTGOAL: "(int -> tactic) -> tactic"} \\
- @{index_ML HEADGOAL: "(int -> tactic) -> tactic"} \\
- @{index_ML REPEAT_SOME: "(int -> tactic) -> tactic"} \\
- @{index_ML REPEAT_FIRST: "(int -> tactic) -> tactic"} \\
- @{index_ML RANGE: "(int -> tactic) list -> int -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML ALLGOALS}~@{text "tac"} is equivalent to @{text "tac
- n"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op THEN}~@{text "tac 1"}. It
- applies the @{text tac} to all the subgoals, counting downwards.
-
- \item @{ML SOMEGOAL}~@{text "tac"} is equivalent to @{text "tac
- n"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op ORELSE}~@{text "tac 1"}. It
- applies @{text "tac"} to one subgoal, counting downwards.
-
- \item @{ML FIRSTGOAL}~@{text "tac"} is equivalent to @{text "tac
- 1"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op ORELSE}~@{text "tac n"}. It
- applies @{text "tac"} to one subgoal, counting upwards.
-
- \item @{ML HEADGOAL}~@{text "tac"} is equivalent to @{text "tac 1"}.
- It applies @{text "tac"} unconditionally to the first subgoal.
-
- \item @{ML REPEAT_SOME}~@{text "tac"} applies @{text "tac"} once or
- more to a subgoal, counting downwards.
-
- \item @{ML REPEAT_FIRST}~@{text "tac"} applies @{text "tac"} once or
- more to a subgoal, counting upwards.
-
- \item @{ML RANGE}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>k] i"} is equivalent to
- @{text "tac\<^sub>k (i + k - 1)"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op
- THEN}~@{text "tac\<^sub>1 i"}. It applies the given list of tactics to the
- corresponding range of subgoals, counting downwards.
-
- \end{description}
-*}
-
-
-subsection {* Control and search tacticals *}
-
-text {* A predicate on theorems @{ML_type "thm -> bool"} can test
- whether a goal state enjoys some desirable property --- such as
- having no subgoals. Tactics that search for satisfactory goal
- states are easy to express. The main search procedures,
- depth-first, breadth-first and best-first, are provided as
- tacticals. They generate the search tree by repeatedly applying a
- given tactic. *}
-
-
-text %mlref ""
-
-subsubsection {* Filtering a tactic's results *}
-
-text {*
- \begin{mldecls}
- @{index_ML FILTER: "(thm -> bool) -> tactic -> tactic"} \\
- @{index_ML CHANGED: "tactic -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML FILTER}~@{text "sat tac"} applies @{text "tac"} to the
- goal state and returns a sequence consisting of those result goal
- states that are satisfactory in the sense of @{text "sat"}.
-
- \item @{ML CHANGED}~@{text "tac"} applies @{text "tac"} to the goal
- state and returns precisely those states that differ from the
- original state (according to @{ML Thm.eq_thm}). Thus @{ML
- CHANGED}~@{text "tac"} always has some effect on the state.
-
- \end{description}
-*}
-
-
-subsubsection {* Depth-first search *}
-
-text {*
- \begin{mldecls}
- @{index_ML DEPTH_FIRST: "(thm -> bool) -> tactic -> tactic"} \\
- @{index_ML DEPTH_SOLVE: "tactic -> tactic"} \\
- @{index_ML DEPTH_SOLVE_1: "tactic -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML DEPTH_FIRST}~@{text "sat tac"} returns the goal state if
- @{text "sat"} returns true. Otherwise it applies @{text "tac"},
- then recursively searches from each element of the resulting
- sequence. The code uses a stack for efficiency, in effect applying
- @{text "tac"}~@{ML_op THEN}~@{ML DEPTH_FIRST}~@{text "sat tac"} to
- the state.
-
- \item @{ML DEPTH_SOLVE}@{text "tac"} uses @{ML DEPTH_FIRST} to
- search for states having no subgoals.
-
- \item @{ML DEPTH_SOLVE_1}~@{text "tac"} uses @{ML DEPTH_FIRST} to
- search for states having fewer subgoals than the given state. Thus,
- it insists upon solving at least one subgoal.
-
- \end{description}
-*}
-
-
-subsubsection {* Other search strategies *}
-
-text {*
- \begin{mldecls}
- @{index_ML BREADTH_FIRST: "(thm -> bool) -> tactic -> tactic"} \\
- @{index_ML BEST_FIRST: "(thm -> bool) * (thm -> int) -> tactic -> tactic"} \\
- @{index_ML THEN_BEST_FIRST: "tactic -> (thm -> bool) * (thm -> int) -> tactic -> tactic"} \\
- \end{mldecls}
-
- These search strategies will find a solution if one exists.
- However, they do not enumerate all solutions; they terminate after
- the first satisfactory result from @{text "tac"}.
-
- \begin{description}
-
- \item @{ML BREADTH_FIRST}~@{text "sat tac"} uses breadth-first
- search to find states for which @{text "sat"} is true. For most
- applications, it is too slow.
-
- \item @{ML BEST_FIRST}~@{text "(sat, dist) tac"} does a heuristic
- search, using @{text "dist"} to estimate the distance from a
- satisfactory state (in the sense of @{text "sat"}). It maintains a
- list of states ordered by distance. It applies @{text "tac"} to the
- head of this list; if the result contains any satisfactory states,
- then it returns them. Otherwise, @{ML BEST_FIRST} adds the new
- states to the list, and continues.
-
- The distance function is typically @{ML size_of_thm}, which computes
- the size of the state. The smaller the state, the fewer and simpler
- subgoals it has.
-
- \item @{ML THEN_BEST_FIRST}~@{text "tac\<^sub>0 (sat, dist) tac"} is like
- @{ML BEST_FIRST}, except that the priority queue initially contains
- the result of applying @{text "tac\<^sub>0"} to the goal state. This
- tactical permits separate tactics for starting the search and
- continuing the search.
-
- \end{description}
-*}
-
-
-subsubsection {* Auxiliary tacticals for searching *}
-
-text {*
- \begin{mldecls}
- @{index_ML COND: "(thm -> bool) -> tactic -> tactic -> tactic"} \\
- @{index_ML IF_UNSOLVED: "tactic -> tactic"} \\
- @{index_ML SOLVE: "tactic -> tactic"} \\
- @{index_ML DETERM: "tactic -> tactic"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML COND}~@{text "sat tac\<^sub>1 tac\<^sub>2"} applies @{text "tac\<^sub>1"} to
- the goal state if it satisfies predicate @{text "sat"}, and applies
- @{text "tac\<^sub>2"}. It is a conditional tactical in that only one of
- @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"} is applied to a goal state.
- However, both @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"} are evaluated
- because ML uses eager evaluation.
-
- \item @{ML IF_UNSOLVED}~@{text "tac"} applies @{text "tac"} to the
- goal state if it has any subgoals, and simply returns the goal state
- otherwise. Many common tactics, such as @{ML resolve_tac}, fail if
- applied to a goal state that has no subgoals.
-
- \item @{ML SOLVE}~@{text "tac"} applies @{text "tac"} to the goal
- state and then fails iff there are subgoals left.
-
- \item @{ML DETERM}~@{text "tac"} applies @{text "tac"} to the goal
- state and returns the head of the resulting sequence. @{ML DETERM}
- limits the search space by making its argument deterministic.
-
- \end{description}
-*}
-
-
-subsubsection {* Predicates and functions useful for searching *}
-
-text {*
- \begin{mldecls}
- @{index_ML has_fewer_prems: "int -> thm -> bool"} \\
- @{index_ML Thm.eq_thm: "thm * thm -> bool"} \\
- @{index_ML Thm.eq_thm_prop: "thm * thm -> bool"} \\
- @{index_ML size_of_thm: "thm -> int"} \\
- \end{mldecls}
-
- \begin{description}
-
- \item @{ML has_fewer_prems}~@{text "n thm"} reports whether @{text
- "thm"} has fewer than @{text "n"} premises.
-
- \item @{ML Thm.eq_thm}~@{text "(thm\<^sub>1, thm\<^sub>2)"} reports whether @{text
- "thm\<^sub>1"} and @{text "thm\<^sub>2"} are equal. Both theorems must have
- compatible background theories. Both theorems must have the same
- conclusions, the same set of hypotheses, and the same set of sort
- hypotheses. Names of bound variables are ignored as usual.
-
- \item @{ML Thm.eq_thm_prop}~@{text "(thm\<^sub>1, thm\<^sub>2)"} reports whether
- the propositions of @{text "thm\<^sub>1"} and @{text "thm\<^sub>2"} are equal.
- Names of bound variables are ignored.
-
- \item @{ML size_of_thm}~@{text "thm"} computes the size of @{text
- "thm"}, namely the number of variables, constants and abstractions
- in its conclusion. It may serve as a distance function for
- @{ML BEST_FIRST}.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarImplementation/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_isar.pdf Isar
-"$ISABELLE_TOOL" logo -o isabelle_isar.eps Isar
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/underscore.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/IsarImplementation/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,110 +0,0 @@
-\documentclass[12pt,a4paper,fleqn]{report}
-\usepackage{latexsym,graphicx}
-\usepackage[refpage]{nomencl}
-\usepackage{iman,extra,isar,proof}
-\usepackage[nohyphen,strings]{underscore}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage{railsetup}
-\usepackage{ttbox}
-\usepackage{style}
-\usepackage{pdfsetup}
-
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-
-\isadroptag{theory}
-\title{\includegraphics[scale=0.5]{isabelle_isar}
- \\[4ex] The Isabelle/Isar Implementation}
-\author{\emph{Makarius Wenzel} \\[3ex]
- With Contributions by
- Florian Haftmann
- and Larry Paulson
-}
-
-\makeindex
-
-
-\begin{document}
-
-\maketitle
-
-\begin{abstract}
- We describe the key concepts underlying the Isabelle/Isar
- implementation, including ML references for the most important
- functions. The aim is to give some insight into the overall system
- architecture, and provide clues on implementing applications within
- this framework.
-\end{abstract}
-
-\vspace*{2.5cm}
-\begin{quote}
-
- {\small\em Isabelle was not designed; it evolved. Not everyone
- likes this idea. Specification experts rightly abhor
- trial-and-error programming. They suggest that no one should
- write a program without first writing a complete formal
- specification. But university departments are not software houses.
- Programs like Isabelle are not products: when they have served
- their purpose, they are discarded.}
-
- Lawrence C. Paulson, ``Isabelle: The Next 700 Theorem Provers''
-
- \vspace*{1cm}
-
- {\small\em As I did 20 years ago, I still fervently believe that the
- only way to make software secure, reliable, and fast is to make it
- small. Fight features.}
-
- Andrew S. Tanenbaum
-
- \vspace*{1cm}
-
- {\small\em One thing that UNIX does not need is more features. It is
- successful in part because it has a small number of good ideas
- that work well together. Merely adding features does not make it
- easier for users to do things --- it just makes the manual
- thicker. The right solution in the right place is always more
- effective than haphazard hacking.}
-
- Rob Pike and Brian W. Kernighan
-
-\end{quote}
-
-\thispagestyle{empty}\clearpage
-
-\pagenumbering{roman}
-\tableofcontents
-\listoffigures
-\clearfirst
-
-\setcounter{chapter}{-1}
-
-\input{ML.tex}
-\input{Prelim.tex}
-\input{Logic.tex}
-\input{Syntax.tex}
-\input{Tactic.tex}
-\input{Eq.tex}
-\input{Proof.tex}
-\input{Isar.tex}
-\input{Local_Theory.tex}
-\input{Integration.tex}
-
-\begingroup
-\tocentry{\bibname}
-\bibliographystyle{abbrv} \small\raggedright\frenchspacing
-\bibliography{manual}
-\endgroup
-
-\tocentry{\indexname}
-\printindex
-
-\end{document}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/IsarImplementation/document/style.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,71 +0,0 @@
-%% toc
-\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
-\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
-
-%% references
-\newcommand{\secref}[1]{\S\ref{#1}}
-\newcommand{\chref}[1]{chapter~\ref{#1}}
-\newcommand{\figref}[1]{figure~\ref{#1}}
-
-%% math
-\newcommand{\text}[1]{\mbox{#1}}
-\newcommand{\isasymvartheta}{\isamath{\theta}}
-\newcommand{\isactrlvec}[1]{\emph{$\vec{#1}$}}
-\newcommand{\isactrlBG}{\isacharbackquoteopen}
-\newcommand{\isactrlEN}{\isacharbackquoteclose}
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-\pagestyle{headings}
-\sloppy
-\binperiod
-
-\parindent 0pt\parskip 0.5ex
-
-\renewcommand{\isadigit}[1]{\isamath{#1}}
-
-\renewcommand{\isaantiqopen}{\isasymlbrace}
-\renewcommand{\isaantiqclose}{\isasymrbrace}
-
-\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
-
-\isafoldtag{FIXME}
-
-\isakeeptag{mlref}
-\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Reference}}
-\renewcommand{\endisatagmlref}{}
-
-\isakeeptag{mlantiq}
-\renewcommand{\isatagmlantiq}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Antiquotations}}
-\renewcommand{\endisatagmlantiq}{}
-
-\isakeeptag{mlex}
-\renewcommand{\isatagmlex}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Examples}}
-\renewcommand{\endisatagmlex}{}
-
-\renewcommand{\isatagML}{\begingroup\isabellestyle{default}\isastyle\def\isadigit##1{##1}}
-\renewcommand{\endisatagML}{\endgroup}
-
-\newcommand{\minorcmd}[1]{{\sf #1}}
-\newcommand{\isasymtype}{\minorcmd{type}}
-\newcommand{\isasymval}{\minorcmd{val}}
-
-\newcommand{\isasymFIX}{\isakeyword{fix}}
-\newcommand{\isasymASSUME}{\isakeyword{assume}}
-\newcommand{\isasymDEFINE}{\isakeyword{define}}
-\newcommand{\isasymNOTE}{\isakeyword{note}}
-\newcommand{\isasymGUESS}{\isakeyword{guess}}
-\newcommand{\isasymOBTAIN}{\isakeyword{obtain}}
-\newcommand{\isasymTHEORY}{\isakeyword{theory}}
-\newcommand{\isasymUSES}{\isakeyword{uses}}
-\newcommand{\isasymEND}{\isakeyword{end}}
-\newcommand{\isasymCONSTS}{\isakeyword{consts}}
-\newcommand{\isasymDEFS}{\isakeyword{defs}}
-\newcommand{\isasymTHEOREM}{\isakeyword{theorem}}
-\newcommand{\isasymDEFINITION}{\isakeyword{definition}}
-
-\isabellestyle{literal}
-
-\railtermfont{\isabellestyle{tt}}
-\railnontermfont{\isabellestyle{itunderscore}}
-\railnamefont{\isabellestyle{itunderscore}}
--- a/doc-src/IsarRef/Base.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-theory Base
-imports Pure
-begin
-
-ML_file "../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-
-end
--- a/doc-src/IsarRef/Document_Preparation.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,611 +0,0 @@
-theory Document_Preparation
-imports Base Main
-begin
-
-chapter {* Document preparation \label{ch:document-prep} *}
-
-text {* Isabelle/Isar provides a simple document preparation system
- based on regular {PDF-\LaTeX} technology, with full support for
- hyper-links and bookmarks. Thus the results are well suited for WWW
- browsing and as printed copies.
-
- \medskip Isabelle generates {\LaTeX} output while running a
- \emph{logic session} (see also \cite{isabelle-sys}). Getting
- started with a working configuration for common situations is quite
- easy by using the Isabelle @{verbatim mkdir} and @{verbatim make}
- tools. First invoke
-\begin{ttbox}
- isabelle mkdir Foo
-\end{ttbox}
- to initialize a separate directory for session @{verbatim Foo} (it
- is safe to experiment, since @{verbatim "isabelle mkdir"} never
- overwrites existing files). Ensure that @{verbatim "Foo/ROOT.ML"}
- holds ML commands to load all theories required for this session;
- furthermore @{verbatim "Foo/document/root.tex"} should include any
- special {\LaTeX} macro packages required for your document (the
- default is usually sufficient as a start).
-
- The session is controlled by a separate @{verbatim IsaMakefile}
- (with crude source dependencies by default). This file is located
- one level up from the @{verbatim Foo} directory location. Now
- invoke
-\begin{ttbox}
- isabelle make Foo
-\end{ttbox}
- to run the @{verbatim Foo} session, with browser information and
- document preparation enabled. Unless any errors are reported by
- Isabelle or {\LaTeX}, the output will appear inside the directory
- defined by the @{verbatim ISABELLE_BROWSER_INFO} setting (as
- reported by the batch job in verbose mode).
-
- \medskip You may also consider to tune the @{verbatim usedir}
- options in @{verbatim IsaMakefile}, for example to switch the output
- format between @{verbatim pdf} and @{verbatim dvi}, or activate the
- @{verbatim "-D"} option to retain a second copy of the generated
- {\LaTeX} sources (for manual inspection or separate runs of
- @{executable latex}).
-
- \medskip See \emph{The Isabelle System Manual} \cite{isabelle-sys}
- for further details on Isabelle logic sessions and theory
- presentation. The Isabelle/HOL tutorial \cite{isabelle-hol-book}
- also covers theory presentation to some extent.
-*}
-
-
-section {* Markup commands \label{sec:markup} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "header"} & : & @{text "toplevel \<rightarrow> toplevel"} \\[0.5ex]
- @{command_def "chapter"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "section"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "subsection"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "subsubsection"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "text"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "text_raw"} & : & @{text "local_theory \<rightarrow> local_theory"} \\[0.5ex]
- @{command_def "sect"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "subsect"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "subsubsect"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "txt"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "txt_raw"} & : & @{text "proof \<rightarrow> proof"} \\
- \end{matharray}
-
- Markup commands provide a structured way to insert text into the
- document generated from a theory. Each markup command takes a
- single @{syntax text} argument, which is passed as argument to a
- corresponding {\LaTeX} macro. The default macros provided by
- @{file "~~/lib/texinputs/isabelle.sty"} can be redefined according
- to the needs of the underlying document and {\LaTeX} styles.
-
- Note that formal comments (\secref{sec:comments}) are similar to
- markup commands, but have a different status within Isabelle/Isar
- syntax.
-
- @{rail "
- (@@{command chapter} | @@{command section} | @@{command subsection} |
- @@{command subsubsection} | @@{command text}) @{syntax target}? @{syntax text}
- ;
- (@@{command header} | @@{command text_raw} | @@{command sect} | @@{command subsect} |
- @@{command subsubsect} | @@{command txt} | @@{command txt_raw}) @{syntax text}
- "}
-
- \begin{description}
-
- \item @{command header} provides plain text markup just preceding
- the formal beginning of a theory. The corresponding {\LaTeX} macro
- is @{verbatim "\\isamarkupheader"}, which acts like @{command
- section} by default.
-
- \item @{command chapter}, @{command section}, @{command subsection},
- and @{command subsubsection} mark chapter and section headings
- within the main theory body or local theory targets. The
- corresponding {\LaTeX} macros are @{verbatim "\\isamarkupchapter"},
- @{verbatim "\\isamarkupsection"}, @{verbatim
- "\\isamarkupsubsection"} etc.
-
- \item @{command sect}, @{command subsect}, and @{command subsubsect}
- mark section headings within proofs. The corresponding {\LaTeX}
- macros are @{verbatim "\\isamarkupsect"}, @{verbatim
- "\\isamarkupsubsect"} etc.
-
- \item @{command text} and @{command txt} specify paragraphs of plain
- text. This corresponds to a {\LaTeX} environment @{verbatim
- "\\begin{isamarkuptext}"} @{text "\<dots>"} @{verbatim
- "\\end{isamarkuptext}"} etc.
-
- \item @{command text_raw} and @{command txt_raw} insert {\LaTeX}
- source into the output, without additional markup. Thus the full
- range of document manipulations becomes available, at the risk of
- messing up document output.
-
- \end{description}
-
- Except for @{command "text_raw"} and @{command "txt_raw"}, the text
- passed to any of the above markup commands may refer to formal
- entities via \emph{document antiquotations}, see also
- \secref{sec:antiq}. These are interpreted in the present theory or
- proof context, or the named @{text "target"}.
-
- \medskip The proof markup commands closely resemble those for theory
- specifications, but have a different formal status and produce
- different {\LaTeX} macros. The default definitions coincide for
- analogous commands such as @{command section} and @{command sect}.
-*}
-
-
-section {* Document Antiquotations \label{sec:antiq} *}
-
-text {*
- \begin{matharray}{rcl}
- @{antiquotation_def "theory"} & : & @{text antiquotation} \\
- @{antiquotation_def "thm"} & : & @{text antiquotation} \\
- @{antiquotation_def "lemma"} & : & @{text antiquotation} \\
- @{antiquotation_def "prop"} & : & @{text antiquotation} \\
- @{antiquotation_def "term"} & : & @{text antiquotation} \\
- @{antiquotation_def term_type} & : & @{text antiquotation} \\
- @{antiquotation_def typeof} & : & @{text antiquotation} \\
- @{antiquotation_def const} & : & @{text antiquotation} \\
- @{antiquotation_def abbrev} & : & @{text antiquotation} \\
- @{antiquotation_def typ} & : & @{text antiquotation} \\
- @{antiquotation_def type} & : & @{text antiquotation} \\
- @{antiquotation_def class} & : & @{text antiquotation} \\
- @{antiquotation_def "text"} & : & @{text antiquotation} \\
- @{antiquotation_def goals} & : & @{text antiquotation} \\
- @{antiquotation_def subgoals} & : & @{text antiquotation} \\
- @{antiquotation_def prf} & : & @{text antiquotation} \\
- @{antiquotation_def full_prf} & : & @{text antiquotation} \\
- @{antiquotation_def ML} & : & @{text antiquotation} \\
- @{antiquotation_def ML_op} & : & @{text antiquotation} \\
- @{antiquotation_def ML_type} & : & @{text antiquotation} \\
- @{antiquotation_def ML_struct} & : & @{text antiquotation} \\
- @{antiquotation_def "file"} & : & @{text antiquotation} \\
- \end{matharray}
-
- The overall content of an Isabelle/Isar theory may alternate between
- formal and informal text. The main body consists of formal
- specification and proof commands, interspersed with markup commands
- (\secref{sec:markup}) or document comments (\secref{sec:comments}).
- The argument of markup commands quotes informal text to be printed
- in the resulting document, but may again refer to formal entities
- via \emph{document antiquotations}.
-
- For example, embedding of ``@{text [source=false] "@{term [show_types] \"f x = a + x\"}"}''
- within a text block makes
- \isa{{\isacharparenleft}f{\isasymColon}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isacharparenleft}x{\isasymColon}{\isacharprime}a{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}a{\isasymColon}{\isacharprime}a{\isacharparenright}\ {\isacharplus}\ x} appear in the final {\LaTeX} document.
-
- Antiquotations usually spare the author tedious typing of logical
- entities in full detail. Even more importantly, some degree of
- consistency-checking between the main body of formal text and its
- informal explanation is achieved, since terms and types appearing in
- antiquotations are checked within the current theory or proof
- context.
-
- %% FIXME less monolithic presentation, move to individual sections!?
- @{rail "
- '@{' antiquotation '}'
- ;
- @{syntax_def antiquotation}:
- @@{antiquotation theory} options @{syntax name} |
- @@{antiquotation thm} options styles @{syntax thmrefs} |
- @@{antiquotation lemma} options @{syntax prop} @'by' @{syntax method} @{syntax method}? |
- @@{antiquotation prop} options styles @{syntax prop} |
- @@{antiquotation term} options styles @{syntax term} |
- @@{antiquotation (HOL) value} options styles @{syntax term} |
- @@{antiquotation term_type} options styles @{syntax term} |
- @@{antiquotation typeof} options styles @{syntax term} |
- @@{antiquotation const} options @{syntax term} |
- @@{antiquotation abbrev} options @{syntax term} |
- @@{antiquotation typ} options @{syntax type} |
- @@{antiquotation type} options @{syntax name} |
- @@{antiquotation class} options @{syntax name} |
- @@{antiquotation text} options @{syntax name}
- ;
- @{syntax antiquotation}:
- @@{antiquotation goals} options |
- @@{antiquotation subgoals} options |
- @@{antiquotation prf} options @{syntax thmrefs} |
- @@{antiquotation full_prf} options @{syntax thmrefs} |
- @@{antiquotation ML} options @{syntax name} |
- @@{antiquotation ML_op} options @{syntax name} |
- @@{antiquotation ML_type} options @{syntax name} |
- @@{antiquotation ML_struct} options @{syntax name} |
- @@{antiquotation \"file\"} options @{syntax name}
- ;
- options: '[' (option * ',') ']'
- ;
- option: @{syntax name} | @{syntax name} '=' @{syntax name}
- ;
- styles: '(' (style + ',') ')'
- ;
- style: (@{syntax name} +)
- "}
-
- Note that the syntax of antiquotations may \emph{not} include source
- comments @{verbatim "(*"}~@{text "\<dots>"}~@{verbatim "*)"} nor verbatim
- text @{verbatim "{"}@{verbatim "*"}~@{text "\<dots>"}~@{verbatim
- "*"}@{verbatim "}"}.
-
- \begin{description}
-
- \item @{text "@{theory A}"} prints the name @{text "A"}, which is
- guaranteed to refer to a valid ancestor theory in the current
- context.
-
- \item @{text "@{thm a\<^sub>1 \<dots> a\<^sub>n}"} prints theorems @{text "a\<^sub>1 \<dots> a\<^sub>n"}.
- Full fact expressions are allowed here, including attributes
- (\secref{sec:syn-att}).
-
- \item @{text "@{prop \<phi>}"} prints a well-typed proposition @{text
- "\<phi>"}.
-
- \item @{text "@{lemma \<phi> by m}"} proves a well-typed proposition
- @{text "\<phi>"} by method @{text m} and prints the original @{text "\<phi>"}.
-
- \item @{text "@{term t}"} prints a well-typed term @{text "t"}.
-
- \item @{text "@{value t}"} evaluates a term @{text "t"} and prints
- its result, see also @{command_ref (HOL) value}.
-
- \item @{text "@{term_type t}"} prints a well-typed term @{text "t"}
- annotated with its type.
-
- \item @{text "@{typeof t}"} prints the type of a well-typed term
- @{text "t"}.
-
- \item @{text "@{const c}"} prints a logical or syntactic constant
- @{text "c"}.
-
- \item @{text "@{abbrev c x\<^sub>1 \<dots> x\<^sub>n}"} prints a constant abbreviation
- @{text "c x\<^sub>1 \<dots> x\<^sub>n \<equiv> rhs"} as defined in the current context.
-
- \item @{text "@{typ \<tau>}"} prints a well-formed type @{text "\<tau>"}.
-
- \item @{text "@{type \<kappa>}"} prints a (logical or syntactic) type
- constructor @{text "\<kappa>"}.
-
- \item @{text "@{class c}"} prints a class @{text c}.
-
- \item @{text "@{text s}"} prints uninterpreted source text @{text
- s}. This is particularly useful to print portions of text according
- to the Isabelle document style, without demanding well-formedness,
- e.g.\ small pieces of terms that should not be parsed or
- type-checked yet.
-
- \item @{text "@{goals}"} prints the current \emph{dynamic} goal
- state. This is mainly for support of tactic-emulation scripts
- within Isar. Presentation of goal states does not conform to the
- idea of human-readable proof documents!
-
- When explaining proofs in detail it is usually better to spell out
- the reasoning via proper Isar proof commands, instead of peeking at
- the internal machine configuration.
-
- \item @{text "@{subgoals}"} is similar to @{text "@{goals}"}, but
- does not print the main goal.
-
- \item @{text "@{prf a\<^sub>1 \<dots> a\<^sub>n}"} prints the (compact) proof terms
- corresponding to the theorems @{text "a\<^sub>1 \<dots> a\<^sub>n"}. Note that this
- requires proof terms to be switched on for the current logic
- session.
-
- \item @{text "@{full_prf a\<^sub>1 \<dots> a\<^sub>n}"} is like @{text "@{prf a\<^sub>1 \<dots>
- a\<^sub>n}"}, but prints the full proof terms, i.e.\ also displays
- information omitted in the compact proof term, which is denoted by
- ``@{text _}'' placeholders there.
-
- \item @{text "@{ML s}"}, @{text "@{ML_op s}"}, @{text "@{ML_type
- s}"}, and @{text "@{ML_struct s}"} check text @{text s} as ML value,
- infix operator, type, and structure, respectively. The source is
- printed verbatim.
-
- \item @{text "@{file path}"} checks that @{text "path"} refers to a
- file (or directory) and prints it verbatim.
-
- \end{description}
-*}
-
-
-subsection {* Styled antiquotations *}
-
-text {* The antiquotations @{text thm}, @{text prop} and @{text
- term} admit an extra \emph{style} specification to modify the
- printed result. A style is specified by a name with a possibly
- empty number of arguments; multiple styles can be sequenced with
- commas. The following standard styles are available:
-
- \begin{description}
-
- \item @{text lhs} extracts the first argument of any application
- form with at least two arguments --- typically meta-level or
- object-level equality, or any other binary relation.
-
- \item @{text rhs} is like @{text lhs}, but extracts the second
- argument.
-
- \item @{text "concl"} extracts the conclusion @{text C} from a rule
- in Horn-clause normal form @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C"}.
-
- \item @{text "prem"} @{text n} extract premise number
- @{text "n"} from from a rule in Horn-clause
- normal form @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C"}
-
- \end{description}
-*}
-
-
-subsection {* General options *}
-
-text {* The following options are available to tune the printed output
- of antiquotations. Note that many of these coincide with global ML
- flags of the same names.
-
- \begin{description}
-
- \item @{antiquotation_option_def show_types}~@{text "= bool"} and
- @{antiquotation_option_def show_sorts}~@{text "= bool"} control
- printing of explicit type and sort constraints.
-
- \item @{antiquotation_option_def show_structs}~@{text "= bool"}
- controls printing of implicit structures.
-
- \item @{antiquotation_option_def show_abbrevs}~@{text "= bool"}
- controls folding of abbreviations.
-
- \item @{antiquotation_option_def names_long}~@{text "= bool"} forces
- names of types and constants etc.\ to be printed in their fully
- qualified internal form.
-
- \item @{antiquotation_option_def names_short}~@{text "= bool"}
- forces names of types and constants etc.\ to be printed unqualified.
- Note that internalizing the output again in the current context may
- well yield a different result.
-
- \item @{antiquotation_option_def names_unique}~@{text "= bool"}
- determines whether the printed version of qualified names should be
- made sufficiently long to avoid overlap with names declared further
- back. Set to @{text false} for more concise output.
-
- \item @{antiquotation_option_def eta_contract}~@{text "= bool"}
- prints terms in @{text \<eta>}-contracted form.
-
- \item @{antiquotation_option_def display}~@{text "= bool"} indicates
- if the text is to be output as multi-line ``display material'',
- rather than a small piece of text without line breaks (which is the
- default).
-
- In this mode the embedded entities are printed in the same style as
- the main theory text.
-
- \item @{antiquotation_option_def break}~@{text "= bool"} controls
- line breaks in non-display material.
-
- \item @{antiquotation_option_def quotes}~@{text "= bool"} indicates
- if the output should be enclosed in double quotes.
-
- \item @{antiquotation_option_def mode}~@{text "= name"} adds @{text
- name} to the print mode to be used for presentation. Note that the
- standard setup for {\LaTeX} output is already present by default,
- including the modes @{text latex} and @{text xsymbols}.
-
- \item @{antiquotation_option_def margin}~@{text "= nat"} and
- @{antiquotation_option_def indent}~@{text "= nat"} change the margin
- or indentation for pretty printing of display material.
-
- \item @{antiquotation_option_def goals_limit}~@{text "= nat"}
- determines the maximum number of goals to be printed (for goal-based
- antiquotation).
-
- \item @{antiquotation_option_def source}~@{text "= bool"} prints the
- original source text of the antiquotation arguments, rather than its
- internal representation. Note that formal checking of
- @{antiquotation "thm"}, @{antiquotation "term"}, etc. is still
- enabled; use the @{antiquotation "text"} antiquotation for unchecked
- output.
-
- Regular @{text "term"} and @{text "typ"} antiquotations with @{text
- "source = false"} involve a full round-trip from the original source
- to an internalized logical entity back to a source form, according
- to the syntax of the current context. Thus the printed output is
- not under direct control of the author, it may even fluctuate a bit
- as the underlying theory is changed later on.
-
- In contrast, @{antiquotation_option source}~@{text "= true"}
- admits direct printing of the given source text, with the desirable
- well-formedness check in the background, but without modification of
- the printed text.
-
- \end{description}
-
- For boolean flags, ``@{text "name = true"}'' may be abbreviated as
- ``@{text name}''. All of the above flags are disabled by default,
- unless changed from ML, say in the @{verbatim "ROOT.ML"} of the
- logic session.
-*}
-
-
-section {* Markup via command tags \label{sec:tags} *}
-
-text {* Each Isabelle/Isar command may be decorated by additional
- presentation tags, to indicate some modification in the way it is
- printed in the document.
-
- @{rail "
- @{syntax_def tags}: ( tag * )
- ;
- tag: '%' (@{syntax ident} | @{syntax string})
- "}
-
- Some tags are pre-declared for certain classes of commands, serving
- as default markup if no tags are given in the text:
-
- \medskip
- \begin{tabular}{ll}
- @{text "theory"} & theory begin/end \\
- @{text "proof"} & all proof commands \\
- @{text "ML"} & all commands involving ML code \\
- \end{tabular}
-
- \medskip The Isabelle document preparation system
- \cite{isabelle-sys} allows tagged command regions to be presented
- specifically, e.g.\ to fold proof texts, or drop parts of the text
- completely.
-
- For example ``@{command "by"}~@{text "%invisible auto"}'' causes
- that piece of proof to be treated as @{text invisible} instead of
- @{text "proof"} (the default), which may be shown or hidden
- depending on the document setup. In contrast, ``@{command
- "by"}~@{text "%visible auto"}'' forces this text to be shown
- invariably.
-
- Explicit tag specifications within a proof apply to all subsequent
- commands of the same level of nesting. For example, ``@{command
- "proof"}~@{text "%visible \<dots>"}~@{command "qed"}'' forces the whole
- sub-proof to be typeset as @{text visible} (unless some of its parts
- are tagged differently).
-
- \medskip Command tags merely produce certain markup environments for
- type-setting. The meaning of these is determined by {\LaTeX}
- macros, as defined in @{file "~~/lib/texinputs/isabelle.sty"} or
- by the document author. The Isabelle document preparation tools
- also provide some high-level options to specify the meaning of
- arbitrary tags to ``keep'', ``drop'', or ``fold'' the corresponding
- parts of the text. Logic sessions may also specify ``document
- versions'', where given tags are interpreted in some particular way.
- Again see \cite{isabelle-sys} for further details.
-*}
-
-
-section {* Railroad diagrams *}
-
-text {*
- \begin{matharray}{rcl}
- @{antiquotation_def "rail"} & : & @{text antiquotation} \\
- \end{matharray}
-
- @{rail "'rail' string"}
-
- The @{antiquotation rail} antiquotation allows to include syntax
- diagrams into Isabelle documents. {\LaTeX} requires the style file
- @{"file" "~~/lib/texinputs/pdfsetup.sty"}, which can be used via
- @{verbatim "\\usepackage{pdfsetup}"} in @{verbatim "root.tex"}, for
- example.
-
- The rail specification language is quoted here as Isabelle @{syntax
- string}; it has its own grammar given below.
-
- @{rail "
- rule? + ';'
- ;
- rule: ((identifier | @{syntax antiquotation}) ':')? body
- ;
- body: concatenation + '|'
- ;
- concatenation: ((atom '?'?) +) (('*' | '+') atom?)?
- ;
- atom: '(' body? ')' | identifier |
- '@'? (string | @{syntax antiquotation}) |
- '\\\\\\\\'
- "}
-
- The lexical syntax of @{text "identifier"} coincides with that of
- @{syntax ident} in regular Isabelle syntax, but @{text string} uses
- single quotes instead of double quotes of the standard @{syntax
- string} category, to avoid extra escapes.
-
- Each @{text rule} defines a formal language (with optional name),
- using a notation that is similar to EBNF or regular expressions with
- recursion. The meaning and visual appearance of these rail language
- elements is illustrated by the following representative examples.
-
- \begin{itemize}
-
- \item Empty @{verbatim "()"}
-
- @{rail "()"}
-
- \item Nonterminal @{verbatim "A"}
-
- @{rail "A"}
-
- \item Nonterminal via Isabelle antiquotation
- @{verbatim "@{syntax method}"}
-
- @{rail "@{syntax method}"}
-
- \item Terminal @{verbatim "'xyz'"}
-
- @{rail "'xyz'"}
-
- \item Terminal in keyword style @{verbatim "@'xyz'"}
-
- @{rail "@'xyz'"}
-
- \item Terminal via Isabelle antiquotation
- @{verbatim "@@{method rule}"}
-
- @{rail "@@{method rule}"}
-
- \item Concatenation @{verbatim "A B C"}
-
- @{rail "A B C"}
-
- \item Linebreak @{verbatim "\\\\"} inside
- concatenation\footnote{Strictly speaking, this is only a single
- backslash, but the enclosing @{syntax string} syntax requires a
- second one for escaping.} @{verbatim "A B C \\\\ D E F"}
-
- @{rail "A B C \\ D E F"}
-
- \item Variants @{verbatim "A | B | C"}
-
- @{rail "A | B | C"}
-
- \item Option @{verbatim "A ?"}
-
- @{rail "A ?"}
-
- \item Repetition @{verbatim "A *"}
-
- @{rail "A *"}
-
- \item Repetition with separator @{verbatim "A * sep"}
-
- @{rail "A * sep"}
-
- \item Strict repetition @{verbatim "A +"}
-
- @{rail "A +"}
-
- \item Strict repetition with separator @{verbatim "A + sep"}
-
- @{rail "A + sep"}
-
- \end{itemize}
-*}
-
-
-section {* Draft presentation *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "display_drafts"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "print_drafts"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- \end{matharray}
-
- @{rail "
- (@@{command display_drafts} | @@{command print_drafts}) (@{syntax name} +)
-
- "}
-
- \begin{description}
-
- \item @{command "display_drafts"}~@{text paths} and @{command
- "print_drafts"}~@{text paths} perform simple output of a given list
- of raw source files. Only those symbols that do not require
- additional {\LaTeX} packages are displayed properly, everything else
- is left verbatim.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarRef/First_Order_Logic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,520 +0,0 @@
-
-header {* Example: First-Order Logic *}
-
-theory %visible First_Order_Logic
-imports Base (* FIXME Pure!? *)
-begin
-
-text {*
- \noindent In order to commence a new object-logic within
- Isabelle/Pure we introduce abstract syntactic categories @{text "i"}
- for individuals and @{text "o"} for object-propositions. The latter
- is embedded into the language of Pure propositions by means of a
- separate judgment.
-*}
-
-typedecl i
-typedecl o
-
-judgment
- Trueprop :: "o \<Rightarrow> prop" ("_" 5)
-
-text {*
- \noindent Note that the object-logic judgement is implicit in the
- syntax: writing @{prop A} produces @{term "Trueprop A"} internally.
- From the Pure perspective this means ``@{prop A} is derivable in the
- object-logic''.
-*}
-
-
-subsection {* Equational reasoning \label{sec:framework-ex-equal} *}
-
-text {*
- Equality is axiomatized as a binary predicate on individuals, with
- reflexivity as introduction, and substitution as elimination
- principle. Note that the latter is particularly convenient in a
- framework like Isabelle, because syntactic congruences are
- implicitly produced by unification of @{term "B x"} against
- expressions containing occurrences of @{term x}.
-*}
-
-axiomatization
- equal :: "i \<Rightarrow> i \<Rightarrow> o" (infix "=" 50)
-where
- refl [intro]: "x = x" and
- subst [elim]: "x = y \<Longrightarrow> B x \<Longrightarrow> B y"
-
-text {*
- \noindent Substitution is very powerful, but also hard to control in
- full generality. We derive some common symmetry~/ transitivity
- schemes of @{term equal} as particular consequences.
-*}
-
-theorem sym [sym]:
- assumes "x = y"
- shows "y = x"
-proof -
- have "x = x" ..
- with `x = y` show "y = x" ..
-qed
-
-theorem forw_subst [trans]:
- assumes "y = x" and "B x"
- shows "B y"
-proof -
- from `y = x` have "x = y" ..
- from this and `B x` show "B y" ..
-qed
-
-theorem back_subst [trans]:
- assumes "B x" and "x = y"
- shows "B y"
-proof -
- from `x = y` and `B x`
- show "B y" ..
-qed
-
-theorem trans [trans]:
- assumes "x = y" and "y = z"
- shows "x = z"
-proof -
- from `y = z` and `x = y`
- show "x = z" ..
-qed
-
-
-subsection {* Basic group theory *}
-
-text {*
- As an example for equational reasoning we consider some bits of
- group theory. The subsequent locale definition postulates group
- operations and axioms; we also derive some consequences of this
- specification.
-*}
-
-locale group =
- fixes prod :: "i \<Rightarrow> i \<Rightarrow> i" (infix "\<circ>" 70)
- and inv :: "i \<Rightarrow> i" ("(_\<inverse>)" [1000] 999)
- and unit :: i ("1")
- assumes assoc: "(x \<circ> y) \<circ> z = x \<circ> (y \<circ> z)"
- and left_unit: "1 \<circ> x = x"
- and left_inv: "x\<inverse> \<circ> x = 1"
-begin
-
-theorem right_inv: "x \<circ> x\<inverse> = 1"
-proof -
- have "x \<circ> x\<inverse> = 1 \<circ> (x \<circ> x\<inverse>)" by (rule left_unit [symmetric])
- also have "\<dots> = (1 \<circ> x) \<circ> x\<inverse>" by (rule assoc [symmetric])
- also have "1 = (x\<inverse>)\<inverse> \<circ> x\<inverse>" by (rule left_inv [symmetric])
- also have "\<dots> \<circ> x = (x\<inverse>)\<inverse> \<circ> (x\<inverse> \<circ> x)" by (rule assoc)
- also have "x\<inverse> \<circ> x = 1" by (rule left_inv)
- also have "((x\<inverse>)\<inverse> \<circ> \<dots>) \<circ> x\<inverse> = (x\<inverse>)\<inverse> \<circ> (1 \<circ> x\<inverse>)" by (rule assoc)
- also have "1 \<circ> x\<inverse> = x\<inverse>" by (rule left_unit)
- also have "(x\<inverse>)\<inverse> \<circ> \<dots> = 1" by (rule left_inv)
- finally show "x \<circ> x\<inverse> = 1" .
-qed
-
-theorem right_unit: "x \<circ> 1 = x"
-proof -
- have "1 = x\<inverse> \<circ> x" by (rule left_inv [symmetric])
- also have "x \<circ> \<dots> = (x \<circ> x\<inverse>) \<circ> x" by (rule assoc [symmetric])
- also have "x \<circ> x\<inverse> = 1" by (rule right_inv)
- also have "\<dots> \<circ> x = x" by (rule left_unit)
- finally show "x \<circ> 1 = x" .
-qed
-
-text {*
- \noindent Reasoning from basic axioms is often tedious. Our proofs
- work by producing various instances of the given rules (potentially
- the symmetric form) using the pattern ``@{command have}~@{text
- eq}~@{command "by"}~@{text "(rule r)"}'' and composing the chain of
- results via @{command also}/@{command finally}. These steps may
- involve any of the transitivity rules declared in
- \secref{sec:framework-ex-equal}, namely @{thm trans} in combining
- the first two results in @{thm right_inv} and in the final steps of
- both proofs, @{thm forw_subst} in the first combination of @{thm
- right_unit}, and @{thm back_subst} in all other calculational steps.
-
- Occasional substitutions in calculations are adequate, but should
- not be over-emphasized. The other extreme is to compose a chain by
- plain transitivity only, with replacements occurring always in
- topmost position. For example:
-*}
-
-(*<*)
-theorem "\<And>A. PROP A \<Longrightarrow> PROP A"
-proof -
- assume [symmetric, defn]: "\<And>x y. (x \<equiv> y) \<equiv> Trueprop (x = y)"
-(*>*)
- have "x \<circ> 1 = x \<circ> (x\<inverse> \<circ> x)" unfolding left_inv ..
- also have "\<dots> = (x \<circ> x\<inverse>) \<circ> x" unfolding assoc ..
- also have "\<dots> = 1 \<circ> x" unfolding right_inv ..
- also have "\<dots> = x" unfolding left_unit ..
- finally have "x \<circ> 1 = x" .
-(*<*)
-qed
-(*>*)
-
-text {*
- \noindent Here we have re-used the built-in mechanism for unfolding
- definitions in order to normalize each equational problem. A more
- realistic object-logic would include proper setup for the Simplifier
- (\secref{sec:simplifier}), the main automated tool for equational
- reasoning in Isabelle. Then ``@{command unfolding}~@{thm
- left_inv}~@{command ".."}'' would become ``@{command "by"}~@{text
- "(simp only: left_inv)"}'' etc.
-*}
-
-end
-
-
-subsection {* Propositional logic \label{sec:framework-ex-prop} *}
-
-text {*
- We axiomatize basic connectives of propositional logic: implication,
- disjunction, and conjunction. The associated rules are modeled
- after Gentzen's system of Natural Deduction \cite{Gentzen:1935}.
-*}
-
-axiomatization
- imp :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<longrightarrow>" 25) where
- impI [intro]: "(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B" and
- impD [dest]: "(A \<longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B"
-
-axiomatization
- disj :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<or>" 30) where
- disjI\<^isub>1 [intro]: "A \<Longrightarrow> A \<or> B" and
- disjI\<^isub>2 [intro]: "B \<Longrightarrow> A \<or> B" and
- disjE [elim]: "A \<or> B \<Longrightarrow> (A \<Longrightarrow> C) \<Longrightarrow> (B \<Longrightarrow> C) \<Longrightarrow> C"
-
-axiomatization
- conj :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<and>" 35) where
- conjI [intro]: "A \<Longrightarrow> B \<Longrightarrow> A \<and> B" and
- conjD\<^isub>1: "A \<and> B \<Longrightarrow> A" and
- conjD\<^isub>2: "A \<and> B \<Longrightarrow> B"
-
-text {*
- \noindent The conjunctive destructions have the disadvantage that
- decomposing @{prop "A \<and> B"} involves an immediate decision which
- component should be projected. The more convenient simultaneous
- elimination @{prop "A \<and> B \<Longrightarrow> (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C"} can be derived as
- follows:
-*}
-
-theorem conjE [elim]:
- assumes "A \<and> B"
- obtains A and B
-proof
- from `A \<and> B` show A by (rule conjD\<^isub>1)
- from `A \<and> B` show B by (rule conjD\<^isub>2)
-qed
-
-text {*
- \noindent Here is an example of swapping conjuncts with a single
- intermediate elimination step:
-*}
-
-(*<*)
-lemma "\<And>A. PROP A \<Longrightarrow> PROP A"
-proof -
-(*>*)
- assume "A \<and> B"
- then obtain B and A ..
- then have "B \<and> A" ..
-(*<*)
-qed
-(*>*)
-
-text {*
- \noindent Note that the analogous elimination rule for disjunction
- ``@{text "\<ASSUMES> A \<or> B \<OBTAINS> A \<BBAR> B"}'' coincides with
- the original axiomatization of @{thm disjE}.
-
- \medskip We continue propositional logic by introducing absurdity
- with its characteristic elimination. Plain truth may then be
- defined as a proposition that is trivially true.
-*}
-
-axiomatization
- false :: o ("\<bottom>") where
- falseE [elim]: "\<bottom> \<Longrightarrow> A"
-
-definition
- true :: o ("\<top>") where
- "\<top> \<equiv> \<bottom> \<longrightarrow> \<bottom>"
-
-theorem trueI [intro]: \<top>
- unfolding true_def ..
-
-text {*
- \medskip\noindent Now negation represents an implication towards
- absurdity:
-*}
-
-definition
- not :: "o \<Rightarrow> o" ("\<not> _" [40] 40) where
- "\<not> A \<equiv> A \<longrightarrow> \<bottom>"
-
-theorem notI [intro]:
- assumes "A \<Longrightarrow> \<bottom>"
- shows "\<not> A"
-unfolding not_def
-proof
- assume A
- then show \<bottom> by (rule `A \<Longrightarrow> \<bottom>`)
-qed
-
-theorem notE [elim]:
- assumes "\<not> A" and A
- shows B
-proof -
- from `\<not> A` have "A \<longrightarrow> \<bottom>" unfolding not_def .
- from `A \<longrightarrow> \<bottom>` and `A` have \<bottom> ..
- then show B ..
-qed
-
-
-subsection {* Classical logic *}
-
-text {*
- Subsequently we state the principle of classical contradiction as a
- local assumption. Thus we refrain from forcing the object-logic
- into the classical perspective. Within that context, we may derive
- well-known consequences of the classical principle.
-*}
-
-locale classical =
- assumes classical: "(\<not> C \<Longrightarrow> C) \<Longrightarrow> C"
-begin
-
-theorem double_negation:
- assumes "\<not> \<not> C"
- shows C
-proof (rule classical)
- assume "\<not> C"
- with `\<not> \<not> C` show C ..
-qed
-
-theorem tertium_non_datur: "C \<or> \<not> C"
-proof (rule double_negation)
- show "\<not> \<not> (C \<or> \<not> C)"
- proof
- assume "\<not> (C \<or> \<not> C)"
- have "\<not> C"
- proof
- assume C then have "C \<or> \<not> C" ..
- with `\<not> (C \<or> \<not> C)` show \<bottom> ..
- qed
- then have "C \<or> \<not> C" ..
- with `\<not> (C \<or> \<not> C)` show \<bottom> ..
- qed
-qed
-
-text {*
- \noindent These examples illustrate both classical reasoning and
- non-trivial propositional proofs in general. All three rules
- characterize classical logic independently, but the original rule is
- already the most convenient to use, because it leaves the conclusion
- unchanged. Note that @{prop "(\<not> C \<Longrightarrow> C) \<Longrightarrow> C"} fits again into our
- format for eliminations, despite the additional twist that the
- context refers to the main conclusion. So we may write @{thm
- classical} as the Isar statement ``@{text "\<OBTAINS> \<not> thesis"}''.
- This also explains nicely how classical reasoning really works:
- whatever the main @{text thesis} might be, we may always assume its
- negation!
-*}
-
-end
-
-
-subsection {* Quantifiers \label{sec:framework-ex-quant} *}
-
-text {*
- Representing quantifiers is easy, thanks to the higher-order nature
- of the underlying framework. According to the well-known technique
- introduced by Church \cite{church40}, quantifiers are operators on
- predicates, which are syntactically represented as @{text "\<lambda>"}-terms
- of type @{typ "i \<Rightarrow> o"}. Binder notation turns @{text "All (\<lambda>x. B
- x)"} into @{text "\<forall>x. B x"} etc.
-*}
-
-axiomatization
- All :: "(i \<Rightarrow> o) \<Rightarrow> o" (binder "\<forall>" 10) where
- allI [intro]: "(\<And>x. B x) \<Longrightarrow> \<forall>x. B x" and
- allD [dest]: "(\<forall>x. B x) \<Longrightarrow> B a"
-
-axiomatization
- Ex :: "(i \<Rightarrow> o) \<Rightarrow> o" (binder "\<exists>" 10) where
- exI [intro]: "B a \<Longrightarrow> (\<exists>x. B x)" and
- exE [elim]: "(\<exists>x. B x) \<Longrightarrow> (\<And>x. B x \<Longrightarrow> C) \<Longrightarrow> C"
-
-text {*
- \noindent The statement of @{thm exE} corresponds to ``@{text
- "\<ASSUMES> \<exists>x. B x \<OBTAINS> x \<WHERE> B x"}'' in Isar. In the
- subsequent example we illustrate quantifier reasoning involving all
- four rules:
-*}
-
-theorem
- assumes "\<exists>x. \<forall>y. R x y"
- shows "\<forall>y. \<exists>x. R x y"
-proof -- {* @{text "\<forall>"} introduction *}
- obtain x where "\<forall>y. R x y" using `\<exists>x. \<forall>y. R x y` .. -- {* @{text "\<exists>"} elimination *}
- fix y have "R x y" using `\<forall>y. R x y` .. -- {* @{text "\<forall>"} destruction *}
- then show "\<exists>x. R x y" .. -- {* @{text "\<exists>"} introduction *}
-qed
-
-
-subsection {* Canonical reasoning patterns *}
-
-text {*
- The main rules of first-order predicate logic from
- \secref{sec:framework-ex-prop} and \secref{sec:framework-ex-quant}
- can now be summarized as follows, using the native Isar statement
- format of \secref{sec:framework-stmt}.
-
- \medskip
- \begin{tabular}{l}
- @{text "impI: \<ASSUMES> A \<Longrightarrow> B \<SHOWS> A \<longrightarrow> B"} \\
- @{text "impD: \<ASSUMES> A \<longrightarrow> B \<AND> A \<SHOWS> B"} \\[1ex]
-
- @{text "disjI\<^isub>1: \<ASSUMES> A \<SHOWS> A \<or> B"} \\
- @{text "disjI\<^isub>2: \<ASSUMES> B \<SHOWS> A \<or> B"} \\
- @{text "disjE: \<ASSUMES> A \<or> B \<OBTAINS> A \<BBAR> B"} \\[1ex]
-
- @{text "conjI: \<ASSUMES> A \<AND> B \<SHOWS> A \<and> B"} \\
- @{text "conjE: \<ASSUMES> A \<and> B \<OBTAINS> A \<AND> B"} \\[1ex]
-
- @{text "falseE: \<ASSUMES> \<bottom> \<SHOWS> A"} \\
- @{text "trueI: \<SHOWS> \<top>"} \\[1ex]
-
- @{text "notI: \<ASSUMES> A \<Longrightarrow> \<bottom> \<SHOWS> \<not> A"} \\
- @{text "notE: \<ASSUMES> \<not> A \<AND> A \<SHOWS> B"} \\[1ex]
-
- @{text "allI: \<ASSUMES> \<And>x. B x \<SHOWS> \<forall>x. B x"} \\
- @{text "allE: \<ASSUMES> \<forall>x. B x \<SHOWS> B a"} \\[1ex]
-
- @{text "exI: \<ASSUMES> B a \<SHOWS> \<exists>x. B x"} \\
- @{text "exE: \<ASSUMES> \<exists>x. B x \<OBTAINS> a \<WHERE> B a"}
- \end{tabular}
- \medskip
-
- \noindent This essentially provides a declarative reading of Pure
- rules as Isar reasoning patterns: the rule statements tells how a
- canonical proof outline shall look like. Since the above rules have
- already been declared as @{attribute (Pure) intro}, @{attribute
- (Pure) elim}, @{attribute (Pure) dest} --- each according to its
- particular shape --- we can immediately write Isar proof texts as
- follows:
-*}
-
-(*<*)
-theorem "\<And>A. PROP A \<Longrightarrow> PROP A"
-proof -
-(*>*)
-
- txt_raw {*\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "A \<longrightarrow> B"
- proof
- assume A
- show B sorry %noproof
- qed
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "A \<longrightarrow> B" and A sorry %noproof
- then have B ..
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have A sorry %noproof
- then have "A \<or> B" ..
-
- have B sorry %noproof
- then have "A \<or> B" ..
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "A \<or> B" sorry %noproof
- then have C
- proof
- assume A
- then show C sorry %noproof
- next
- assume B
- then show C sorry %noproof
- qed
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have A and B sorry %noproof
- then have "A \<and> B" ..
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "A \<and> B" sorry %noproof
- then obtain A and B ..
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<bottom>" sorry %noproof
- then have A ..
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<top>" ..
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<not> A"
- proof
- assume A
- then show "\<bottom>" sorry %noproof
- qed
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<not> A" and A sorry %noproof
- then have B ..
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<forall>x. B x"
- proof
- fix x
- show "B x" sorry %noproof
- qed
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<forall>x. B x" sorry %noproof
- then have "B a" ..
-
- txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<exists>x. B x"
- proof
- show "B a" sorry %noproof
- qed
-
- txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
-
- have "\<exists>x. B x" sorry %noproof
- then obtain a where "B a" ..
-
- txt_raw {*\end{minipage}*}
-
-(*<*)
-qed
-(*>*)
-
-text {*
- \bigskip\noindent Of course, these proofs are merely examples. As
- sketched in \secref{sec:framework-subproof}, there is a fair amount
- of flexibility in expressing Pure deductions in Isar. Here the user
- is asked to express himself adequately, aiming at proof texts of
- literary quality.
-*}
-
-end %visible
--- a/doc-src/IsarRef/Framework.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1016 +0,0 @@
-theory Framework
-imports Base Main
-begin
-
-chapter {* The Isabelle/Isar Framework \label{ch:isar-framework} *}
-
-text {*
- Isabelle/Isar
- \cite{Wenzel:1999:TPHOL,Wenzel-PhD,Nipkow-TYPES02,Wenzel-Paulson:2006,Wenzel:2006:Festschrift}
- is intended as a generic framework for developing formal
- mathematical documents with full proof checking. Definitions and
- proofs are organized as theories. An assembly of theory sources may
- be presented as a printed document; see also
- \chref{ch:document-prep}.
-
- The main objective of Isar is the design of a human-readable
- structured proof language, which is called the ``primary proof
- format'' in Isar terminology. Such a primary proof language is
- somewhere in the middle between the extremes of primitive proof
- objects and actual natural language. In this respect, Isar is a bit
- more formalistic than Mizar
- \cite{Trybulec:1993:MizarFeatures,Rudnicki:1992:MizarOverview,Wiedijk:1999:Mizar},
- using logical symbols for certain reasoning schemes where Mizar
- would prefer English words; see \cite{Wenzel-Wiedijk:2002} for
- further comparisons of these systems.
-
- So Isar challenges the traditional way of recording informal proofs
- in mathematical prose, as well as the common tendency to see fully
- formal proofs directly as objects of some logical calculus (e.g.\
- @{text "\<lambda>"}-terms in a version of type theory). In fact, Isar is
- better understood as an interpreter of a simple block-structured
- language for describing the data flow of local facts and goals,
- interspersed with occasional invocations of proof methods.
- Everything is reduced to logical inferences internally, but these
- steps are somewhat marginal compared to the overall bookkeeping of
- the interpretation process. Thanks to careful design of the syntax
- and semantics of Isar language elements, a formal record of Isar
- instructions may later appear as an intelligible text to the
- attentive reader.
-
- The Isar proof language has emerged from careful analysis of some
- inherent virtues of the existing logical framework of Isabelle/Pure
- \cite{paulson-found,paulson700}, notably composition of higher-order
- natural deduction rules, which is a generalization of Gentzen's
- original calculus \cite{Gentzen:1935}. The approach of generic
- inference systems in Pure is continued by Isar towards actual proof
- texts.
-
- Concrete applications require another intermediate layer: an
- object-logic. Isabelle/HOL \cite{isa-tutorial} (simply-typed
- set-theory) is being used most of the time; Isabelle/ZF
- \cite{isabelle-ZF} is less extensively developed, although it would
- probably fit better for classical mathematics.
-
- \medskip In order to illustrate natural deduction in Isar, we shall
- refer to the background theory and library of Isabelle/HOL. This
- includes common notions of predicate logic, naive set-theory etc.\
- using fairly standard mathematical notation. From the perspective
- of generic natural deduction there is nothing special about the
- logical connectives of HOL (@{text "\<and>"}, @{text "\<or>"}, @{text "\<forall>"},
- @{text "\<exists>"}, etc.), only the resulting reasoning principles are
- relevant to the user. There are similar rules available for
- set-theory operators (@{text "\<inter>"}, @{text "\<union>"}, @{text "\<Inter>"}, @{text
- "\<Union>"}, etc.), or any other theory developed in the library (lattice
- theory, topology etc.).
-
- Subsequently we briefly review fragments of Isar proof texts
- corresponding directly to such general deduction schemes. The
- examples shall refer to set-theory, to minimize the danger of
- understanding connectives of predicate logic as something special.
-
- \medskip The following deduction performs @{text "\<inter>"}-introduction,
- working forwards from assumptions towards the conclusion. We give
- both the Isar text, and depict the primitive rule involved, as
- determined by unification of the problem against rules that are
- declared in the library context.
-*}
-
-text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
-
-(*<*)
-notepad
-begin
-(*>*)
- assume "x \<in> A" and "x \<in> B"
- then have "x \<in> A \<inter> B" ..
-(*<*)
-end
-(*>*)
-
-text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
-
-text {*
- \infer{@{prop "x \<in> A \<inter> B"}}{@{prop "x \<in> A"} & @{prop "x \<in> B"}}
-*}
-
-text_raw {*\end{minipage}*}
-
-text {*
- \medskip\noindent Note that @{command assume} augments the proof
- context, @{command then} indicates that the current fact shall be
- used in the next step, and @{command have} states an intermediate
- goal. The two dots ``@{command ".."}'' refer to a complete proof of
- this claim, using the indicated facts and a canonical rule from the
- context. We could have been more explicit here by spelling out the
- final proof step via the @{command "by"} command:
-*}
-
-(*<*)
-notepad
-begin
-(*>*)
- assume "x \<in> A" and "x \<in> B"
- then have "x \<in> A \<inter> B" by (rule IntI)
-(*<*)
-end
-(*>*)
-
-text {*
- \noindent The format of the @{text "\<inter>"}-introduction rule represents
- the most basic inference, which proceeds from given premises to a
- conclusion, without any nested proof context involved.
-
- The next example performs backwards introduction on @{term "\<Inter>\<A>"},
- the intersection of all sets within a given set. This requires a
- nested proof of set membership within a local context, where @{term
- A} is an arbitrary-but-fixed member of the collection:
-*}
-
-text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
-
-(*<*)
-notepad
-begin
-(*>*)
- have "x \<in> \<Inter>\<A>"
- proof
- fix A
- assume "A \<in> \<A>"
- show "x \<in> A" sorry %noproof
- qed
-(*<*)
-end
-(*>*)
-
-text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
-
-text {*
- \infer{@{prop "x \<in> \<Inter>\<A>"}}{\infer*{@{prop "x \<in> A"}}{@{text "[A][A \<in> \<A>]"}}}
-*}
-
-text_raw {*\end{minipage}*}
-
-text {*
- \medskip\noindent This Isar reasoning pattern again refers to the
- primitive rule depicted above. The system determines it in the
- ``@{command proof}'' step, which could have been spelt out more
- explicitly as ``@{command proof}~@{text "(rule InterI)"}''. Note
- that the rule involves both a local parameter @{term "A"} and an
- assumption @{prop "A \<in> \<A>"} in the nested reasoning. This kind of
- compound rule typically demands a genuine sub-proof in Isar, working
- backwards rather than forwards as seen before. In the proof body we
- encounter the @{command fix}-@{command assume}-@{command show}
- outline of nested sub-proofs that is typical for Isar. The final
- @{command show} is like @{command have} followed by an additional
- refinement of the enclosing claim, using the rule derived from the
- proof body.
-
- \medskip The next example involves @{term "\<Union>\<A>"}, which can be
- characterized as the set of all @{term "x"} such that @{prop "\<exists>A. x
- \<in> A \<and> A \<in> \<A>"}. The elimination rule for @{prop "x \<in> \<Union>\<A>"} does
- not mention @{text "\<exists>"} and @{text "\<and>"} at all, but admits to obtain
- directly a local @{term "A"} such that @{prop "x \<in> A"} and @{prop "A
- \<in> \<A>"} hold. This corresponds to the following Isar proof and
- inference rule, respectively:
-*}
-
-text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
-
-(*<*)
-notepad
-begin
-(*>*)
- assume "x \<in> \<Union>\<A>"
- then have C
- proof
- fix A
- assume "x \<in> A" and "A \<in> \<A>"
- show C sorry %noproof
- qed
-(*<*)
-end
-(*>*)
-
-text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
-
-text {*
- \infer{@{prop "C"}}{@{prop "x \<in> \<Union>\<A>"} & \infer*{@{prop "C"}~}{@{text "[A][x \<in> A, A \<in> \<A>]"}}}
-*}
-
-text_raw {*\end{minipage}*}
-
-text {*
- \medskip\noindent Although the Isar proof follows the natural
- deduction rule closely, the text reads not as natural as
- anticipated. There is a double occurrence of an arbitrary
- conclusion @{prop "C"}, which represents the final result, but is
- irrelevant for now. This issue arises for any elimination rule
- involving local parameters. Isar provides the derived language
- element @{command obtain}, which is able to perform the same
- elimination proof more conveniently:
-*}
-
-(*<*)
-notepad
-begin
-(*>*)
- assume "x \<in> \<Union>\<A>"
- then obtain A where "x \<in> A" and "A \<in> \<A>" ..
-(*<*)
-end
-(*>*)
-
-text {*
- \noindent Here we avoid to mention the final conclusion @{prop "C"}
- and return to plain forward reasoning. The rule involved in the
- ``@{command ".."}'' proof is the same as before.
-*}
-
-
-section {* The Pure framework \label{sec:framework-pure} *}
-
-text {*
- The Pure logic \cite{paulson-found,paulson700} is an intuitionistic
- fragment of higher-order logic \cite{church40}. In type-theoretic
- parlance, there are three levels of @{text "\<lambda>"}-calculus with
- corresponding arrows @{text "\<Rightarrow>"}/@{text "\<And>"}/@{text "\<Longrightarrow>"}:
-
- \medskip
- \begin{tabular}{ll}
- @{text "\<alpha> \<Rightarrow> \<beta>"} & syntactic function space (terms depending on terms) \\
- @{text "\<And>x. B(x)"} & universal quantification (proofs depending on terms) \\
- @{text "A \<Longrightarrow> B"} & implication (proofs depending on proofs) \\
- \end{tabular}
- \medskip
-
- \noindent Here only the types of syntactic terms, and the
- propositions of proof terms have been shown. The @{text
- "\<lambda>"}-structure of proofs can be recorded as an optional feature of
- the Pure inference kernel \cite{Berghofer-Nipkow:2000:TPHOL}, but
- the formal system can never depend on them due to \emph{proof
- irrelevance}.
-
- On top of this most primitive layer of proofs, Pure implements a
- generic calculus for nested natural deduction rules, similar to
- \cite{Schroeder-Heister:1984}. Here object-logic inferences are
- internalized as formulae over @{text "\<And>"} and @{text "\<Longrightarrow>"}.
- Combining such rule statements may involve higher-order unification
- \cite{paulson-natural}.
-*}
-
-
-subsection {* Primitive inferences *}
-
-text {*
- Term syntax provides explicit notation for abstraction @{text "\<lambda>x ::
- \<alpha>. b(x)"} and application @{text "b a"}, while types are usually
- implicit thanks to type-inference; terms of type @{text "prop"} are
- called propositions. Logical statements are composed via @{text "\<And>x
- :: \<alpha>. B(x)"} and @{text "A \<Longrightarrow> B"}. Primitive reasoning operates on
- judgments of the form @{text "\<Gamma> \<turnstile> \<phi>"}, with standard introduction
- and elimination rules for @{text "\<And>"} and @{text "\<Longrightarrow>"} that refer to
- fixed parameters @{text "x\<^isub>1, \<dots>, x\<^isub>m"} and hypotheses
- @{text "A\<^isub>1, \<dots>, A\<^isub>n"} from the context @{text "\<Gamma>"};
- the corresponding proof terms are left implicit. The subsequent
- inference rules define @{text "\<Gamma> \<turnstile> \<phi>"} inductively, relative to a
- collection of axioms:
-
- \[
- \infer{@{text "\<turnstile> A"}}{(@{text "A"} \text{~axiom})}
- \qquad
- \infer{@{text "A \<turnstile> A"}}{}
- \]
-
- \[
- \infer{@{text "\<Gamma> \<turnstile> \<And>x. B(x)"}}{@{text "\<Gamma> \<turnstile> B(x)"} & @{text "x \<notin> \<Gamma>"}}
- \qquad
- \infer{@{text "\<Gamma> \<turnstile> B(a)"}}{@{text "\<Gamma> \<turnstile> \<And>x. B(x)"}}
- \]
-
- \[
- \infer{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
- \qquad
- \infer{@{text "\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B"}}{@{text "\<Gamma>\<^sub>1 \<turnstile> A \<Longrightarrow> B"} & @{text "\<Gamma>\<^sub>2 \<turnstile> A"}}
- \]
-
- Furthermore, Pure provides a built-in equality @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow>
- prop"} with axioms for reflexivity, substitution, extensionality,
- and @{text "\<alpha>\<beta>\<eta>"}-conversion on @{text "\<lambda>"}-terms.
-
- \medskip An object-logic introduces another layer on top of Pure,
- e.g.\ with types @{text "i"} for individuals and @{text "o"} for
- propositions, term constants @{text "Trueprop :: o \<Rightarrow> prop"} as
- (implicit) derivability judgment and connectives like @{text "\<and> :: o
- \<Rightarrow> o \<Rightarrow> o"} or @{text "\<forall> :: (i \<Rightarrow> o) \<Rightarrow> o"}, and axioms for object-level
- rules such as @{text "conjI: A \<Longrightarrow> B \<Longrightarrow> A \<and> B"} or @{text "allI: (\<And>x. B
- x) \<Longrightarrow> \<forall>x. B x"}. Derived object rules are represented as theorems of
- Pure. After the initial object-logic setup, further axiomatizations
- are usually avoided; plain definitions and derived principles are
- used exclusively.
-*}
-
-
-subsection {* Reasoning with rules \label{sec:framework-resolution} *}
-
-text {*
- Primitive inferences mostly serve foundational purposes. The main
- reasoning mechanisms of Pure operate on nested natural deduction
- rules expressed as formulae, using @{text "\<And>"} to bind local
- parameters and @{text "\<Longrightarrow>"} to express entailment. Multiple
- parameters and premises are represented by repeating these
- connectives in a right-associative manner.
-
- Since @{text "\<And>"} and @{text "\<Longrightarrow>"} commute thanks to the theorem
- @{prop "(A \<Longrightarrow> (\<And>x. B x)) \<equiv> (\<And>x. A \<Longrightarrow> B x)"}, we may assume w.l.o.g.\
- that rule statements always observe the normal form where
- quantifiers are pulled in front of implications at each level of
- nesting. This means that any Pure proposition may be presented as a
- \emph{Hereditary Harrop Formula} \cite{Miller:1991} which is of the
- form @{text "\<And>x\<^isub>1 \<dots> x\<^isub>m. H\<^isub>1 \<Longrightarrow> \<dots> H\<^isub>n \<Longrightarrow>
- A"} for @{text "m, n \<ge> 0"}, and @{text "A"} atomic, and @{text
- "H\<^isub>1, \<dots>, H\<^isub>n"} being recursively of the same format.
- Following the convention that outermost quantifiers are implicit,
- Horn clauses @{text "A\<^isub>1 \<Longrightarrow> \<dots> A\<^isub>n \<Longrightarrow> A"} are a special
- case of this.
-
- For example, @{text "\<inter>"}-introduction rule encountered before is
- represented as a Pure theorem as follows:
- \[
- @{text "IntI:"}~@{prop "x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B"}
- \]
-
- \noindent This is a plain Horn clause, since no further nesting on
- the left is involved. The general @{text "\<Inter>"}-introduction
- corresponds to a Hereditary Harrop Formula with one additional level
- of nesting:
- \[
- @{text "InterI:"}~@{prop "(\<And>A. A \<in> \<A> \<Longrightarrow> x \<in> A) \<Longrightarrow> x \<in> \<Inter>\<A>"}
- \]
-
- \medskip Goals are also represented as rules: @{text "A\<^isub>1 \<Longrightarrow>
- \<dots> A\<^isub>n \<Longrightarrow> C"} states that the sub-goals @{text "A\<^isub>1, \<dots>,
- A\<^isub>n"} entail the result @{text "C"}; for @{text "n = 0"} the
- goal is finished. To allow @{text "C"} being a rule statement
- itself, we introduce the protective marker @{text "# :: prop \<Rightarrow>
- prop"}, which is defined as identity and hidden from the user. We
- initialize and finish goal states as follows:
-
- \[
- \begin{array}{c@ {\qquad}c}
- \infer[(@{inference_def init})]{@{text "C \<Longrightarrow> #C"}}{} &
- \infer[(@{inference_def finish})]{@{text C}}{@{text "#C"}}
- \end{array}
- \]
-
- \noindent Goal states are refined in intermediate proof steps until
- a finished form is achieved. Here the two main reasoning principles
- are @{inference resolution}, for back-chaining a rule against a
- sub-goal (replacing it by zero or more sub-goals), and @{inference
- assumption}, for solving a sub-goal (finding a short-circuit with
- local assumptions). Below @{text "\<^vec>x"} stands for @{text
- "x\<^isub>1, \<dots>, x\<^isub>n"} (@{text "n \<ge> 0"}).
-
- \[
- \infer[(@{inference_def resolution})]
- {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
- {\begin{tabular}{rl}
- @{text "rule:"} &
- @{text "\<^vec>A \<^vec>a \<Longrightarrow> B \<^vec>a"} \\
- @{text "goal:"} &
- @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
- @{text "goal unifier:"} &
- @{text "(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
- \end{tabular}}
- \]
-
- \medskip
-
- \[
- \infer[(@{inference_def assumption})]{@{text "C\<vartheta>"}}
- {\begin{tabular}{rl}
- @{text "goal:"} &
- @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C"} \\
- @{text "assm unifier:"} & @{text "A\<vartheta> = H\<^sub>i\<vartheta>"}~~\text{(for some~@{text "H\<^sub>i"})} \\
- \end{tabular}}
- \]
-
- The following trace illustrates goal-oriented reasoning in
- Isabelle/Pure:
-
- {\footnotesize
- \medskip
- \begin{tabular}{r@ {\quad}l}
- @{text "(A \<and> B \<Longrightarrow> B \<and> A) \<Longrightarrow> #(A \<and> B \<Longrightarrow> B \<and> A)"} & @{text "(init)"} \\
- @{text "(A \<and> B \<Longrightarrow> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(resolution B \<Longrightarrow> A \<Longrightarrow> B \<and> A)"} \\
- @{text "(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(resolution A \<and> B \<Longrightarrow> B)"} \\
- @{text "(A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(assumption)"} \\
- @{text "(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> #\<dots>"} & @{text "(resolution A \<and> B \<Longrightarrow> A)"} \\
- @{text "#\<dots>"} & @{text "(assumption)"} \\
- @{text "A \<and> B \<Longrightarrow> B \<and> A"} & @{text "(finish)"} \\
- \end{tabular}
- \medskip
- }
-
- Compositions of @{inference assumption} after @{inference
- resolution} occurs quite often, typically in elimination steps.
- Traditional Isabelle tactics accommodate this by a combined
- @{inference_def elim_resolution} principle. In contrast, Isar uses
- a slightly more refined combination, where the assumptions to be
- closed are marked explicitly, using again the protective marker
- @{text "#"}:
-
- \[
- \infer[(@{inference refinement})]
- {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>G' (\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
- {\begin{tabular}{rl}
- @{text "sub\<hyphen>proof:"} &
- @{text "\<^vec>G \<^vec>a \<Longrightarrow> B \<^vec>a"} \\
- @{text "goal:"} &
- @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
- @{text "goal unifier:"} &
- @{text "(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
- @{text "assm unifiers:"} &
- @{text "(\<lambda>\<^vec>x. G\<^sub>j (\<^vec>a \<^vec>x))\<vartheta> = #H\<^sub>i\<vartheta>"} \\
- & \quad (for each marked @{text "G\<^sub>j"} some @{text "#H\<^sub>i"}) \\
- \end{tabular}}
- \]
-
- \noindent Here the @{text "sub\<hyphen>proof"} rule stems from the
- main @{command fix}-@{command assume}-@{command show} outline of
- Isar (cf.\ \secref{sec:framework-subproof}): each assumption
- indicated in the text results in a marked premise @{text "G"} above.
- The marking enforces resolution against one of the sub-goal's
- premises. Consequently, @{command fix}-@{command assume}-@{command
- show} enables to fit the result of a sub-proof quite robustly into a
- pending sub-goal, while maintaining a good measure of flexibility.
-*}
-
-
-section {* The Isar proof language \label{sec:framework-isar} *}
-
-text {*
- Structured proofs are presented as high-level expressions for
- composing entities of Pure (propositions, facts, and goals). The
- Isar proof language allows to organize reasoning within the
- underlying rule calculus of Pure, but Isar is not another logical
- calculus!
-
- Isar is an exercise in sound minimalism. Approximately half of the
- language is introduced as primitive, the rest defined as derived
- concepts. The following grammar describes the core language
- (category @{text "proof"}), which is embedded into theory
- specification elements such as @{command theorem}; see also
- \secref{sec:framework-stmt} for the separate category @{text
- "statement"}.
-
- \medskip
- \begin{tabular}{rcl}
- @{text "theory\<hyphen>stmt"} & = & @{command "theorem"}~@{text "statement proof |"}~~@{command "definition"}~@{text "\<dots> | \<dots>"} \\[1ex]
-
- @{text "proof"} & = & @{text "prfx\<^sup>*"}~@{command "proof"}~@{text "method\<^sup>? stmt\<^sup>*"}~@{command "qed"}~@{text "method\<^sup>?"} \\[1ex]
-
- @{text prfx} & = & @{command "using"}~@{text "facts"} \\
- & @{text "|"} & @{command "unfolding"}~@{text "facts"} \\
-
- @{text stmt} & = & @{command "{"}~@{text "stmt\<^sup>*"}~@{command "}"} \\
- & @{text "|"} & @{command "next"} \\
- & @{text "|"} & @{command "note"}~@{text "name = facts"} \\
- & @{text "|"} & @{command "let"}~@{text "term = term"} \\
- & @{text "|"} & @{command "fix"}~@{text "var\<^sup>+"} \\
- & @{text "|"} & @{command assume}~@{text "\<guillemotleft>inference\<guillemotright> name: props"} \\
- & @{text "|"} & @{command "then"}@{text "\<^sup>?"}~@{text goal} \\
- @{text goal} & = & @{command "have"}~@{text "name: props proof"} \\
- & @{text "|"} & @{command "show"}~@{text "name: props proof"} \\
- \end{tabular}
-
- \medskip Simultaneous propositions or facts may be separated by the
- @{keyword "and"} keyword.
-
- \medskip The syntax for terms and propositions is inherited from
- Pure (and the object-logic). A @{text "pattern"} is a @{text
- "term"} with schematic variables, to be bound by higher-order
- matching.
-
- \medskip Facts may be referenced by name or proposition. For
- example, the result of ``@{command have}~@{text "a: A \<langle>proof\<rangle>"}''
- becomes available both as @{text "a"} and
- \isacharbackquoteopen@{text "A"}\isacharbackquoteclose. Moreover,
- fact expressions may involve attributes that modify either the
- theorem or the background context. For example, the expression
- ``@{text "a [OF b]"}'' refers to the composition of two facts
- according to the @{inference resolution} inference of
- \secref{sec:framework-resolution}, while ``@{text "a [intro]"}''
- declares a fact as introduction rule in the context.
-
- The special fact called ``@{fact this}'' always refers to the last
- result, as produced by @{command note}, @{command assume}, @{command
- have}, or @{command show}. Since @{command note} occurs
- frequently together with @{command then} we provide some
- abbreviations:
-
- \medskip
- \begin{tabular}{rcl}
- @{command from}~@{text a} & @{text "\<equiv>"} & @{command note}~@{text a}~@{command then} \\
- @{command with}~@{text a} & @{text "\<equiv>"} & @{command from}~@{text "a \<AND> this"} \\
- \end{tabular}
- \medskip
-
- The @{text "method"} category is essentially a parameter and may be
- populated later. Methods use the facts indicated by @{command
- "then"} or @{command using}, and then operate on the goal state.
- Some basic methods are predefined: ``@{method "-"}'' leaves the goal
- unchanged, ``@{method this}'' applies the facts as rules to the
- goal, ``@{method (Pure) "rule"}'' applies the facts to another rule and the
- result to the goal (both ``@{method this}'' and ``@{method (Pure) rule}''
- refer to @{inference resolution} of
- \secref{sec:framework-resolution}). The secondary arguments to
- ``@{method (Pure) rule}'' may be specified explicitly as in ``@{text "(rule
- a)"}'', or picked from the context. In the latter case, the system
- first tries rules declared as @{attribute (Pure) elim} or
- @{attribute (Pure) dest}, followed by those declared as @{attribute
- (Pure) intro}.
-
- The default method for @{command proof} is ``@{method (Pure) rule}''
- (arguments picked from the context), for @{command qed} it is
- ``@{method "-"}''. Further abbreviations for terminal proof steps
- are ``@{command "by"}~@{text "method\<^sub>1 method\<^sub>2"}'' for
- ``@{command proof}~@{text "method\<^sub>1"}~@{command qed}~@{text
- "method\<^sub>2"}'', and ``@{command ".."}'' for ``@{command
- "by"}~@{method (Pure) rule}, and ``@{command "."}'' for ``@{command
- "by"}~@{method this}''. The @{command unfolding} element operates
- directly on the current facts and goal by applying equalities.
-
- \medskip Block structure can be indicated explicitly by ``@{command
- "{"}~@{text "\<dots>"}~@{command "}"}'', although the body of a sub-proof
- already involves implicit nesting. In any case, @{command next}
- jumps into the next section of a block, i.e.\ it acts like closing
- an implicit block scope and opening another one; there is no direct
- correspondence to subgoals here.
-
- The remaining elements @{command fix} and @{command assume} build up
- a local context (see \secref{sec:framework-context}), while
- @{command show} refines a pending sub-goal by the rule resulting
- from a nested sub-proof (see \secref{sec:framework-subproof}).
- Further derived concepts will support calculational reasoning (see
- \secref{sec:framework-calc}).
-*}
-
-
-subsection {* Context elements \label{sec:framework-context} *}
-
-text {*
- In judgments @{text "\<Gamma> \<turnstile> \<phi>"} of the primitive framework, @{text "\<Gamma>"}
- essentially acts like a proof context. Isar elaborates this idea
- towards a higher-level notion, with additional information for
- type-inference, term abbreviations, local facts, hypotheses etc.
-
- The element @{command fix}~@{text "x :: \<alpha>"} declares a local
- parameter, i.e.\ an arbitrary-but-fixed entity of a given type; in
- results exported from the context, @{text "x"} may become anything.
- The @{command assume}~@{text "\<guillemotleft>inference\<guillemotright>"} element provides a
- general interface to hypotheses: ``@{command assume}~@{text
- "\<guillemotleft>inference\<guillemotright> A"}'' produces @{text "A \<turnstile> A"} locally, while the
- included inference tells how to discharge @{text A} from results
- @{text "A \<turnstile> B"} later on. There is no user-syntax for @{text
- "\<guillemotleft>inference\<guillemotright>"}, i.e.\ it may only occur internally when derived
- commands are defined in ML.
-
- At the user-level, the default inference for @{command assume} is
- @{inference discharge} as given below. The additional variants
- @{command presume} and @{command def} are defined as follows:
-
- \medskip
- \begin{tabular}{rcl}
- @{command presume}~@{text A} & @{text "\<equiv>"} & @{command assume}~@{text "\<guillemotleft>weak\<hyphen>discharge\<guillemotright> A"} \\
- @{command def}~@{text "x \<equiv> a"} & @{text "\<equiv>"} & @{command fix}~@{text x}~@{command assume}~@{text "\<guillemotleft>expansion\<guillemotright> x \<equiv> a"} \\
- \end{tabular}
- \medskip
-
- \[
- \infer[(@{inference_def discharge})]{@{text "\<strut>\<Gamma> - A \<turnstile> #A \<Longrightarrow> B"}}{@{text "\<strut>\<Gamma> \<turnstile> B"}}
- \]
- \[
- \infer[(@{inference_def "weak\<hyphen>discharge"})]{@{text "\<strut>\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<strut>\<Gamma> \<turnstile> B"}}
- \]
- \[
- \infer[(@{inference_def expansion})]{@{text "\<strut>\<Gamma> - (x \<equiv> a) \<turnstile> B a"}}{@{text "\<strut>\<Gamma> \<turnstile> B x"}}
- \]
-
- \medskip Note that @{inference discharge} and @{inference
- "weak\<hyphen>discharge"} differ in the marker for @{prop A}, which is
- relevant when the result of a @{command fix}-@{command
- assume}-@{command show} outline is composed with a pending goal,
- cf.\ \secref{sec:framework-subproof}.
-
- The most interesting derived context element in Isar is @{command
- obtain} \cite[\S5.3]{Wenzel-PhD}, which supports generalized
- elimination steps in a purely forward manner. The @{command obtain}
- command takes a specification of parameters @{text "\<^vec>x"} and
- assumptions @{text "\<^vec>A"} to be added to the context, together
- with a proof of a case rule stating that this extension is
- conservative (i.e.\ may be removed from closed results later on):
-
- \medskip
- \begin{tabular}{l}
- @{text "\<langle>facts\<rangle>"}~~@{command obtain}~@{text "\<^vec>x \<WHERE> \<^vec>A \<^vec>x \<langle>proof\<rangle> \<equiv>"} \\[0.5ex]
- \quad @{command have}~@{text "case: \<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis) \<Longrightarrow> thesis\<rangle>"} \\
- \quad @{command proof}~@{method "-"} \\
- \qquad @{command fix}~@{text thesis} \\
- \qquad @{command assume}~@{text "[intro]: \<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis"} \\
- \qquad @{command show}~@{text thesis}~@{command using}~@{text "\<langle>facts\<rangle> \<langle>proof\<rangle>"} \\
- \quad @{command qed} \\
- \quad @{command fix}~@{text "\<^vec>x"}~@{command assume}~@{text "\<guillemotleft>elimination case\<guillemotright> \<^vec>A \<^vec>x"} \\
- \end{tabular}
- \medskip
-
- \[
- \infer[(@{inference elimination})]{@{text "\<Gamma> \<turnstile> B"}}{
- \begin{tabular}{rl}
- @{text "case:"} &
- @{text "\<Gamma> \<turnstile> \<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis) \<Longrightarrow> thesis"} \\[0.2ex]
- @{text "result:"} &
- @{text "\<Gamma> \<union> \<^vec>A \<^vec>y \<turnstile> B"} \\[0.2ex]
- \end{tabular}}
- \]
-
- \noindent Here the name ``@{text thesis}'' is a specific convention
- for an arbitrary-but-fixed proposition; in the primitive natural
- deduction rules shown before we have occasionally used @{text C}.
- The whole statement of ``@{command obtain}~@{text x}~@{keyword
- "where"}~@{text "A x"}'' may be read as a claim that @{text "A x"}
- may be assumed for some arbitrary-but-fixed @{text "x"}. Also note
- that ``@{command obtain}~@{text "A \<AND> B"}'' without parameters
- is similar to ``@{command have}~@{text "A \<AND> B"}'', but the
- latter involves multiple sub-goals.
-
- \medskip The subsequent Isar proof texts explain all context
- elements introduced above using the formal proof language itself.
- After finishing a local proof within a block, we indicate the
- exported result via @{command note}.
-*}
-
-(*<*)
-theorem True
-proof
-(*>*)
- txt_raw {* \begin{minipage}[t]{0.45\textwidth} *}
- {
- fix x
- have "B x" sorry %noproof
- }
- note `\<And>x. B x`
- txt_raw {* \end{minipage}\quad\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
- {
- assume A
- have B sorry %noproof
- }
- note `A \<Longrightarrow> B`
- txt_raw {* \end{minipage}\\[3ex]\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
- {
- def x \<equiv> a
- have "B x" sorry %noproof
- }
- note `B a`
- txt_raw {* \end{minipage}\quad\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
- {
- obtain x where "A x" sorry %noproof
- have B sorry %noproof
- }
- note `B`
- txt_raw {* \end{minipage} *}
-(*<*)
-qed
-(*>*)
-
-text {*
- \bigskip\noindent This illustrates the meaning of Isar context
- elements without goals getting in between.
-*}
-
-subsection {* Structured statements \label{sec:framework-stmt} *}
-
-text {*
- The category @{text "statement"} of top-level theorem specifications
- is defined as follows:
-
- \medskip
- \begin{tabular}{rcl}
- @{text "statement"} & @{text "\<equiv>"} & @{text "name: props \<AND> \<dots>"} \\
- & @{text "|"} & @{text "context\<^sup>* conclusion"} \\[0.5ex]
-
- @{text "context"} & @{text "\<equiv>"} & @{text "\<FIXES> vars \<AND> \<dots>"} \\
- & @{text "|"} & @{text "\<ASSUMES> name: props \<AND> \<dots>"} \\
-
- @{text "conclusion"} & @{text "\<equiv>"} & @{text "\<SHOWS> name: props \<AND> \<dots>"} \\
- & @{text "|"} & @{text "\<OBTAINS> vars \<AND> \<dots> \<WHERE> name: props \<AND> \<dots>"} \\
- & & \quad @{text "\<BBAR> \<dots>"} \\
- \end{tabular}
-
- \medskip\noindent A simple @{text "statement"} consists of named
- propositions. The full form admits local context elements followed
- by the actual conclusions, such as ``@{keyword "fixes"}~@{text
- x}~@{keyword "assumes"}~@{text "A x"}~@{keyword "shows"}~@{text "B
- x"}''. The final result emerges as a Pure rule after discharging
- the context: @{prop "\<And>x. A x \<Longrightarrow> B x"}.
-
- The @{keyword "obtains"} variant is another abbreviation defined
- below; unlike @{command obtain} (cf.\
- \secref{sec:framework-context}) there may be several ``cases''
- separated by ``@{text "\<BBAR>"}'', each consisting of several
- parameters (@{text "vars"}) and several premises (@{text "props"}).
- This specifies multi-branch elimination rules.
-
- \medskip
- \begin{tabular}{l}
- @{text "\<OBTAINS> \<^vec>x \<WHERE> \<^vec>A \<^vec>x \<BBAR> \<dots> \<equiv>"} \\[0.5ex]
- \quad @{text "\<FIXES> thesis"} \\
- \quad @{text "\<ASSUMES> [intro]: \<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis \<AND> \<dots>"} \\
- \quad @{text "\<SHOWS> thesis"} \\
- \end{tabular}
- \medskip
-
- Presenting structured statements in such an ``open'' format usually
- simplifies the subsequent proof, because the outer structure of the
- problem is already laid out directly. E.g.\ consider the following
- canonical patterns for @{text "\<SHOWS>"} and @{text "\<OBTAINS>"},
- respectively:
-*}
-
-text_raw {*\begin{minipage}{0.5\textwidth}*}
-
-theorem
- fixes x and y
- assumes "A x" and "B y"
- shows "C x y"
-proof -
- from `A x` and `B y`
- show "C x y" sorry %noproof
-qed
-
-text_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
-
-theorem
- obtains x and y
- where "A x" and "B y"
-proof -
- have "A a" and "B b" sorry %noproof
- then show thesis ..
-qed
-
-text_raw {*\end{minipage}*}
-
-text {*
- \medskip\noindent Here local facts \isacharbackquoteopen@{text "A
- x"}\isacharbackquoteclose\ and \isacharbackquoteopen@{text "B
- y"}\isacharbackquoteclose\ are referenced immediately; there is no
- need to decompose the logical rule structure again. In the second
- proof the final ``@{command then}~@{command show}~@{text
- thesis}~@{command ".."}'' involves the local rule case @{text "\<And>x
- y. A x \<Longrightarrow> B y \<Longrightarrow> thesis"} for the particular instance of terms @{text
- "a"} and @{text "b"} produced in the body.
-*}
-
-
-subsection {* Structured proof refinement \label{sec:framework-subproof} *}
-
-text {*
- By breaking up the grammar for the Isar proof language, we may
- understand a proof text as a linear sequence of individual proof
- commands. These are interpreted as transitions of the Isar virtual
- machine (Isar/VM), which operates on a block-structured
- configuration in single steps. This allows users to write proof
- texts in an incremental manner, and inspect intermediate
- configurations for debugging.
-
- The basic idea is analogous to evaluating algebraic expressions on a
- stack machine: @{text "(a + b) \<cdot> c"} then corresponds to a sequence
- of single transitions for each symbol @{text "(, a, +, b, ), \<cdot>, c"}.
- In Isar the algebraic values are facts or goals, and the operations
- are inferences.
-
- \medskip The Isar/VM state maintains a stack of nodes, each node
- contains the local proof context, the linguistic mode, and a pending
- goal (optional). The mode determines the type of transition that
- may be performed next, it essentially alternates between forward and
- backward reasoning, with an intermediate stage for chained facts
- (see \figref{fig:isar-vm}).
-
- \begin{figure}[htb]
- \begin{center}
- \includegraphics[width=0.8\textwidth]{isar-vm}
- \end{center}
- \caption{Isar/VM modes}\label{fig:isar-vm}
- \end{figure}
-
- For example, in @{text "state"} mode Isar acts like a mathematical
- scratch-pad, accepting declarations like @{command fix}, @{command
- assume}, and claims like @{command have}, @{command show}. A goal
- statement changes the mode to @{text "prove"}, which means that we
- may now refine the problem via @{command unfolding} or @{command
- proof}. Then we are again in @{text "state"} mode of a proof body,
- which may issue @{command show} statements to solve pending
- sub-goals. A concluding @{command qed} will return to the original
- @{text "state"} mode one level upwards. The subsequent Isar/VM
- trace indicates block structure, linguistic mode, goal state, and
- inferences:
-*}
-
-text_raw {* \begingroup\footnotesize *}
-(*<*)notepad begin
-(*>*)
- txt_raw {* \begin{minipage}[t]{0.18\textwidth} *}
- have "A \<longrightarrow> B"
- proof
- assume A
- show B
- sorry %noproof
- qed
- txt_raw {* \end{minipage}\quad
-\begin{minipage}[t]{0.06\textwidth}
-@{text "begin"} \\
-\\
-\\
-@{text "begin"} \\
-@{text "end"} \\
-@{text "end"} \\
-\end{minipage}
-\begin{minipage}[t]{0.08\textwidth}
-@{text "prove"} \\
-@{text "state"} \\
-@{text "state"} \\
-@{text "prove"} \\
-@{text "state"} \\
-@{text "state"} \\
-\end{minipage}\begin{minipage}[t]{0.35\textwidth}
-@{text "(A \<longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)"} \\
-@{text "(A \<Longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)"} \\
-\\
-\\
-@{text "#(A \<longrightarrow> B)"} \\
-@{text "A \<longrightarrow> B"} \\
-\end{minipage}\begin{minipage}[t]{0.4\textwidth}
-@{text "(init)"} \\
-@{text "(resolution impI)"} \\
-\\
-\\
-@{text "(refinement #A \<Longrightarrow> B)"} \\
-@{text "(finish)"} \\
-\end{minipage} *}
-(*<*)
-end
-(*>*)
-text_raw {* \endgroup *}
-
-text {*
- \noindent Here the @{inference refinement} inference from
- \secref{sec:framework-resolution} mediates composition of Isar
- sub-proofs nicely. Observe that this principle incorporates some
- degree of freedom in proof composition. In particular, the proof
- body allows parameters and assumptions to be re-ordered, or commuted
- according to Hereditary Harrop Form. Moreover, context elements
- that are not used in a sub-proof may be omitted altogether. For
- example:
-*}
-
-text_raw {*\begin{minipage}{0.5\textwidth}*}
-
-(*<*)
-notepad
-begin
-(*>*)
- have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
- proof -
- fix x and y
- assume "A x" and "B y"
- show "C x y" sorry %noproof
- qed
-
-txt_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
-
-(*<*)
-next
-(*>*)
- have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
- proof -
- fix x assume "A x"
- fix y assume "B y"
- show "C x y" sorry %noproof
- qed
-
-txt_raw {*\end{minipage}\\[3ex]\begin{minipage}{0.5\textwidth}*}
-
-(*<*)
-next
-(*>*)
- have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
- proof -
- fix y assume "B y"
- fix x assume "A x"
- show "C x y" sorry
- qed
-
-txt_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
-(*<*)
-next
-(*>*)
- have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
- proof -
- fix y assume "B y"
- fix x
- show "C x y" sorry
- qed
-(*<*)
-end
-(*>*)
-
-text_raw {*\end{minipage}*}
-
-text {*
- \medskip\noindent Such ``peephole optimizations'' of Isar texts are
- practically important to improve readability, by rearranging
- contexts elements according to the natural flow of reasoning in the
- body, while still observing the overall scoping rules.
-
- \medskip This illustrates the basic idea of structured proof
- processing in Isar. The main mechanisms are based on natural
- deduction rule composition within the Pure framework. In
- particular, there are no direct operations on goal states within the
- proof body. Moreover, there is no hidden automated reasoning
- involved, just plain unification.
-*}
-
-
-subsection {* Calculational reasoning \label{sec:framework-calc} *}
-
-text {*
- The existing Isar infrastructure is sufficiently flexible to support
- calculational reasoning (chains of transitivity steps) as derived
- concept. The generic proof elements introduced below depend on
- rules declared as @{attribute trans} in the context. It is left to
- the object-logic to provide a suitable rule collection for mixed
- relations of @{text "="}, @{text "<"}, @{text "\<le>"}, @{text "\<subset>"},
- @{text "\<subseteq>"} etc. Due to the flexibility of rule composition
- (\secref{sec:framework-resolution}), substitution of equals by
- equals is covered as well, even substitution of inequalities
- involving monotonicity conditions; see also \cite[\S6]{Wenzel-PhD}
- and \cite{Bauer-Wenzel:2001}.
-
- The generic calculational mechanism is based on the observation that
- rules such as @{text "trans:"}~@{prop "x = y \<Longrightarrow> y = z \<Longrightarrow> x = z"}
- proceed from the premises towards the conclusion in a deterministic
- fashion. Thus we may reason in forward mode, feeding intermediate
- results into rules selected from the context. The course of
- reasoning is organized by maintaining a secondary fact called
- ``@{fact calculation}'', apart from the primary ``@{fact this}''
- already provided by the Isar primitives. In the definitions below,
- @{attribute OF} refers to @{inference resolution}
- (\secref{sec:framework-resolution}) with multiple rule arguments,
- and @{text "trans"} represents to a suitable rule from the context:
-
- \begin{matharray}{rcl}
- @{command "also"}@{text "\<^sub>0"} & \equiv & @{command "note"}~@{text "calculation = this"} \\
- @{command "also"}@{text "\<^sub>n\<^sub>+\<^sub>1"} & \equiv & @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\[0.5ex]
- @{command "finally"} & \equiv & @{command "also"}~@{command "from"}~@{text calculation} \\
- \end{matharray}
-
- \noindent The start of a calculation is determined implicitly in the
- text: here @{command also} sets @{fact calculation} to the current
- result; any subsequent occurrence will update @{fact calculation} by
- combination with the next result and a transitivity rule. The
- calculational sequence is concluded via @{command finally}, where
- the final result is exposed for use in a concluding claim.
-
- Here is a canonical proof pattern, using @{command have} to
- establish the intermediate results:
-*}
-
-(*<*)
-notepad
-begin
-(*>*)
- have "a = b" sorry
- also have "\<dots> = c" sorry
- also have "\<dots> = d" sorry
- finally have "a = d" .
-(*<*)
-end
-(*>*)
-
-text {*
- \noindent The term ``@{text "\<dots>"}'' above is a special abbreviation
- provided by the Isabelle/Isar syntax layer: it statically refers to
- the right-hand side argument of the previous statement given in the
- text. Thus it happens to coincide with relevant sub-expressions in
- the calculational chain, but the exact correspondence is dependent
- on the transitivity rules being involved.
-
- \medskip Symmetry rules such as @{prop "x = y \<Longrightarrow> y = x"} are like
- transitivities with only one premise. Isar maintains a separate
- rule collection declared via the @{attribute sym} attribute, to be
- used in fact expressions ``@{text "a [symmetric]"}'', or single-step
- proofs ``@{command assume}~@{text "x = y"}~@{command then}~@{command
- have}~@{text "y = x"}~@{command ".."}''.
-*}
-
-end
\ No newline at end of file
--- a/doc-src/IsarRef/Generic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1279 +0,0 @@
-theory Generic
-imports Base Main
-begin
-
-chapter {* Generic tools and packages \label{ch:gen-tools} *}
-
-section {* Configuration options \label{sec:config} *}
-
-text {* Isabelle/Pure maintains a record of named configuration
- options within the theory or proof context, with values of type
- @{ML_type bool}, @{ML_type int}, @{ML_type real}, or @{ML_type
- string}. Tools may declare options in ML, and then refer to these
- values (relative to the context). Thus global reference variables
- are easily avoided. The user may change the value of a
- configuration option by means of an associated attribute of the same
- name. This form of context declaration works particularly well with
- commands such as @{command "declare"} or @{command "using"} like
- this:
-*}
-
-declare [[show_main_goal = false]]
-
-notepad
-begin
- note [[show_main_goal = true]]
-end
-
-text {* For historical reasons, some tools cannot take the full proof
- context into account and merely refer to the background theory.
- This is accommodated by configuration options being declared as
- ``global'', which may not be changed within a local context.
-
- \begin{matharray}{rcll}
- @{command_def "print_configs"} & : & @{text "context \<rightarrow>"} \\
- \end{matharray}
-
- @{rail "
- @{syntax name} ('=' ('true' | 'false' | @{syntax int} | @{syntax float} | @{syntax name}))?
- "}
-
- \begin{description}
-
- \item @{command "print_configs"} prints the available configuration
- options, with names, types, and current values.
-
- \item @{text "name = value"} as an attribute expression modifies the
- named option, with the syntax of the value depending on the option's
- type. For @{ML_type bool} the default value is @{text true}. Any
- attempt to change a global option in a local context is ignored.
-
- \end{description}
-*}
-
-
-section {* Basic proof tools *}
-
-subsection {* Miscellaneous methods and attributes \label{sec:misc-meth-att} *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def unfold} & : & @{text method} \\
- @{method_def fold} & : & @{text method} \\
- @{method_def insert} & : & @{text method} \\[0.5ex]
- @{method_def erule}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def drule}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def frule}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def intro} & : & @{text method} \\
- @{method_def elim} & : & @{text method} \\
- @{method_def succeed} & : & @{text method} \\
- @{method_def fail} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- (@@{method fold} | @@{method unfold} | @@{method insert}) @{syntax thmrefs}
- ;
- (@@{method erule} | @@{method drule} | @@{method frule})
- ('(' @{syntax nat} ')')? @{syntax thmrefs}
- ;
- (@@{method intro} | @@{method elim}) @{syntax thmrefs}?
- "}
-
- \begin{description}
-
- \item @{method unfold}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} and @{method fold}~@{text
- "a\<^sub>1 \<dots> a\<^sub>n"} expand (or fold back) the given definitions throughout
- all goals; any chained facts provided are inserted into the goal and
- subject to rewriting as well.
-
- \item @{method insert}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} inserts theorems as facts
- into all goals of the proof state. Note that current facts
- indicated for forward chaining are ignored.
-
- \item @{method erule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}, @{method
- drule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}, and @{method frule}~@{text
- "a\<^sub>1 \<dots> a\<^sub>n"} are similar to the basic @{method rule}
- method (see \secref{sec:pure-meth-att}), but apply rules by
- elim-resolution, destruct-resolution, and forward-resolution,
- respectively \cite{isabelle-implementation}. The optional natural
- number argument (default 0) specifies additional assumption steps to
- be performed here.
-
- Note that these methods are improper ones, mainly serving for
- experimentation and tactic script emulation. Different modes of
- basic rule application are usually expressed in Isar at the proof
- language level, rather than via implicit proof state manipulations.
- For example, a proper single-step elimination would be done using
- the plain @{method rule} method, with forward chaining of current
- facts.
-
- \item @{method intro} and @{method elim} repeatedly refine some goal
- by intro- or elim-resolution, after having inserted any chained
- facts. Exactly the rules given as arguments are taken into account;
- this allows fine-tuned decomposition of a proof problem, in contrast
- to common automated tools.
-
- \item @{method succeed} yields a single (unchanged) result; it is
- the identity of the ``@{text ","}'' method combinator (cf.\
- \secref{sec:proof-meth}).
-
- \item @{method fail} yields an empty result sequence; it is the
- identity of the ``@{text "|"}'' method combinator (cf.\
- \secref{sec:proof-meth}).
-
- \end{description}
-
- \begin{matharray}{rcl}
- @{attribute_def tagged} & : & @{text attribute} \\
- @{attribute_def untagged} & : & @{text attribute} \\[0.5ex]
- @{attribute_def THEN} & : & @{text attribute} \\
- @{attribute_def unfolded} & : & @{text attribute} \\
- @{attribute_def folded} & : & @{text attribute} \\
- @{attribute_def abs_def} & : & @{text attribute} \\[0.5ex]
- @{attribute_def rotated} & : & @{text attribute} \\
- @{attribute_def (Pure) elim_format} & : & @{text attribute} \\
- @{attribute_def standard}@{text "\<^sup>*"} & : & @{text attribute} \\
- @{attribute_def no_vars}@{text "\<^sup>*"} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute tagged} @{syntax name} @{syntax name}
- ;
- @@{attribute untagged} @{syntax name}
- ;
- @@{attribute THEN} ('[' @{syntax nat} ']')? @{syntax thmref}
- ;
- (@@{attribute unfolded} | @@{attribute folded}) @{syntax thmrefs}
- ;
- @@{attribute rotated} @{syntax int}?
- "}
-
- \begin{description}
-
- \item @{attribute tagged}~@{text "name value"} and @{attribute
- untagged}~@{text name} add and remove \emph{tags} of some theorem.
- Tags may be any list of string pairs that serve as formal comment.
- The first string is considered the tag name, the second its value.
- Note that @{attribute untagged} removes any tags of the same name.
-
- \item @{attribute THEN}~@{text a} composes rules by resolution; it
- resolves with the first premise of @{text a} (an alternative
- position may be also specified). See also @{ML_op "RS"} in
- \cite{isabelle-implementation}.
-
- \item @{attribute unfolded}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} and @{attribute
- folded}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} expand and fold back again the given
- definitions throughout a rule.
-
- \item @{attribute abs_def} turns an equation of the form @{prop "f x
- y \<equiv> t"} into @{prop "f \<equiv> \<lambda>x y. t"}, which ensures that @{method
- simp} or @{method unfold} steps always expand it. This also works
- for object-logic equality.
-
- \item @{attribute rotated}~@{text n} rotate the premises of a
- theorem by @{text n} (default 1).
-
- \item @{attribute (Pure) elim_format} turns a destruction rule into
- elimination rule format, by resolving with the rule @{prop "PROP A \<Longrightarrow>
- (PROP A \<Longrightarrow> PROP B) \<Longrightarrow> PROP B"}.
-
- Note that the Classical Reasoner (\secref{sec:classical}) provides
- its own version of this operation.
-
- \item @{attribute standard} puts a theorem into the standard form of
- object-rules at the outermost theory level. Note that this
- operation violates the local proof context (including active
- locales).
-
- \item @{attribute no_vars} replaces schematic variables by free
- ones; this is mainly for tuning output of pretty printed theorems.
-
- \end{description}
-*}
-
-
-subsection {* Low-level equational reasoning *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def subst} & : & @{text method} \\
- @{method_def hypsubst} & : & @{text method} \\
- @{method_def split} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method subst} ('(' 'asm' ')')? \\ ('(' (@{syntax nat}+) ')')? @{syntax thmref}
- ;
- @@{method split} @{syntax thmrefs}
- "}
-
- These methods provide low-level facilities for equational reasoning
- that are intended for specialized applications only. Normally,
- single step calculations would be performed in a structured text
- (see also \secref{sec:calculation}), while the Simplifier methods
- provide the canonical way for automated normalization (see
- \secref{sec:simplifier}).
-
- \begin{description}
-
- \item @{method subst}~@{text eq} performs a single substitution step
- using rule @{text eq}, which may be either a meta or object
- equality.
-
- \item @{method subst}~@{text "(asm) eq"} substitutes in an
- assumption.
-
- \item @{method subst}~@{text "(i \<dots> j) eq"} performs several
- substitutions in the conclusion. The numbers @{text i} to @{text j}
- indicate the positions to substitute at. Positions are ordered from
- the top of the term tree moving down from left to right. For
- example, in @{text "(a + b) + (c + d)"} there are three positions
- where commutativity of @{text "+"} is applicable: 1 refers to @{text
- "a + b"}, 2 to the whole term, and 3 to @{text "c + d"}.
-
- If the positions in the list @{text "(i \<dots> j)"} are non-overlapping
- (e.g.\ @{text "(2 3)"} in @{text "(a + b) + (c + d)"}) you may
- assume all substitutions are performed simultaneously. Otherwise
- the behaviour of @{text subst} is not specified.
-
- \item @{method subst}~@{text "(asm) (i \<dots> j) eq"} performs the
- substitutions in the assumptions. The positions refer to the
- assumptions in order from left to right. For example, given in a
- goal of the form @{text "P (a + b) \<Longrightarrow> P (c + d) \<Longrightarrow> \<dots>"}, position 1 of
- commutativity of @{text "+"} is the subterm @{text "a + b"} and
- position 2 is the subterm @{text "c + d"}.
-
- \item @{method hypsubst} performs substitution using some
- assumption; this only works for equations of the form @{text "x =
- t"} where @{text x} is a free or bound variable.
-
- \item @{method split}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} performs single-step case
- splitting using the given rules. Splitting is performed in the
- conclusion or some assumption of the subgoal, depending of the
- structure of the rule.
-
- Note that the @{method simp} method already involves repeated
- application of split rules as declared in the current context, using
- @{attribute split}, for example.
-
- \end{description}
-*}
-
-
-subsection {* Further tactic emulations \label{sec:tactics} *}
-
-text {*
- The following improper proof methods emulate traditional tactics.
- These admit direct access to the goal state, which is normally
- considered harmful! In particular, this may involve both numbered
- goal addressing (default 1), and dynamic instantiation within the
- scope of some subgoal.
-
- \begin{warn}
- Dynamic instantiations refer to universally quantified parameters
- of a subgoal (the dynamic context) rather than fixed variables and
- term abbreviations of a (static) Isar context.
- \end{warn}
-
- Tactic emulation methods, unlike their ML counterparts, admit
- simultaneous instantiation from both dynamic and static contexts.
- If names occur in both contexts goal parameters hide locally fixed
- variables. Likewise, schematic variables refer to term
- abbreviations, if present in the static context. Otherwise the
- schematic variable is interpreted as a schematic variable and left
- to be solved by unification with certain parts of the subgoal.
-
- Note that the tactic emulation proof methods in Isabelle/Isar are
- consistently named @{text foo_tac}. Note also that variable names
- occurring on left hand sides of instantiations must be preceded by a
- question mark if they coincide with a keyword or contain dots. This
- is consistent with the attribute @{attribute "where"} (see
- \secref{sec:pure-meth-att}).
-
- \begin{matharray}{rcl}
- @{method_def rule_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def erule_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def drule_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def frule_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def cut_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def thin_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def subgoal_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def rename_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def rotate_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def tactic}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def raw_tactic}@{text "\<^sup>*"} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- (@@{method rule_tac} | @@{method erule_tac} | @@{method drule_tac} |
- @@{method frule_tac} | @@{method cut_tac} | @@{method thin_tac}) @{syntax goal_spec}? \\
- ( dynamic_insts @'in' @{syntax thmref} | @{syntax thmrefs} )
- ;
- @@{method subgoal_tac} @{syntax goal_spec}? (@{syntax prop} +)
- ;
- @@{method rename_tac} @{syntax goal_spec}? (@{syntax name} +)
- ;
- @@{method rotate_tac} @{syntax goal_spec}? @{syntax int}?
- ;
- (@@{method tactic} | @@{method raw_tactic}) @{syntax text}
- ;
-
- dynamic_insts: ((@{syntax name} '=' @{syntax term}) + @'and')
- "}
-
-\begin{description}
-
- \item @{method rule_tac} etc. do resolution of rules with explicit
- instantiation. This works the same way as the ML tactics @{ML
- res_inst_tac} etc. (see \cite{isabelle-implementation})
-
- Multiple rules may be only given if there is no instantiation; then
- @{method rule_tac} is the same as @{ML resolve_tac} in ML (see
- \cite{isabelle-implementation}).
-
- \item @{method cut_tac} inserts facts into the proof state as
- assumption of a subgoal; instantiations may be given as well. Note
- that the scope of schematic variables is spread over the main goal
- statement and rule premises are turned into new subgoals. This is
- in contrast to the regular method @{method insert} which inserts
- closed rule statements.
-
- \item @{method thin_tac}~@{text \<phi>} deletes the specified premise
- from a subgoal. Note that @{text \<phi>} may contain schematic
- variables, to abbreviate the intended proposition; the first
- matching subgoal premise will be deleted. Removing useless premises
- from a subgoal increases its readability and can make search tactics
- run faster.
-
- \item @{method subgoal_tac}~@{text "\<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} adds the propositions
- @{text "\<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} as local premises to a subgoal, and poses the same
- as new subgoals (in the original context).
-
- \item @{method rename_tac}~@{text "x\<^sub>1 \<dots> x\<^sub>n"} renames parameters of a
- goal according to the list @{text "x\<^sub>1, \<dots>, x\<^sub>n"}, which refers to the
- \emph{suffix} of variables.
-
- \item @{method rotate_tac}~@{text n} rotates the premises of a
- subgoal by @{text n} positions: from right to left if @{text n} is
- positive, and from left to right if @{text n} is negative; the
- default value is 1.
-
- \item @{method tactic}~@{text "text"} produces a proof method from
- any ML text of type @{ML_type tactic}. Apart from the usual ML
- environment and the current proof context, the ML code may refer to
- the locally bound values @{ML_text facts}, which indicates any
- current facts used for forward-chaining.
-
- \item @{method raw_tactic} is similar to @{method tactic}, but
- presents the goal state in its raw internal form, where simultaneous
- subgoals appear as conjunction of the logical framework instead of
- the usual split into several subgoals. While feature this is useful
- for debugging of complex method definitions, it should not never
- appear in production theories.
-
- \end{description}
-*}
-
-
-section {* The Simplifier \label{sec:simplifier} *}
-
-subsection {* Simplification methods *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def simp} & : & @{text method} \\
- @{method_def simp_all} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- (@@{method simp} | @@{method simp_all}) opt? (@{syntax simpmod} * )
- ;
-
- opt: '(' ('no_asm' | 'no_asm_simp' | 'no_asm_use' | 'asm_lr' ) ')'
- ;
- @{syntax_def simpmod}: ('add' | 'del' | 'only' | 'cong' (() | 'add' | 'del') |
- 'split' (() | 'add' | 'del')) ':' @{syntax thmrefs}
- "}
-
- \begin{description}
-
- \item @{method simp} invokes the Simplifier, after declaring
- additional rules according to the arguments given. Note that the
- @{text only} modifier first removes all other rewrite rules,
- congruences, and looper tactics (including splits), and then behaves
- like @{text add}.
-
- \medskip The @{text cong} modifiers add or delete Simplifier
- congruence rules (see also \secref{sec:simp-cong}), the default is
- to add.
-
- \medskip The @{text split} modifiers add or delete rules for the
- Splitter (see also \cite{isabelle-ref}), the default is to add.
- This works only if the Simplifier method has been properly setup to
- include the Splitter (all major object logics such HOL, HOLCF, FOL,
- ZF do this already).
-
- \item @{method simp_all} is similar to @{method simp}, but acts on
- all goals (backwards from the last to the first one).
-
- \end{description}
-
- By default the Simplifier methods take local assumptions fully into
- account, using equational assumptions in the subsequent
- normalization process, or simplifying assumptions themselves (cf.\
- @{ML asm_full_simp_tac} in \cite{isabelle-ref}). In structured
- proofs this is usually quite well behaved in practice: just the
- local premises of the actual goal are involved, additional facts may
- be inserted via explicit forward-chaining (via @{command "then"},
- @{command "from"}, @{command "using"} etc.).
-
- Additional Simplifier options may be specified to tune the behavior
- further (mostly for unstructured scripts with many accidental local
- facts): ``@{text "(no_asm)"}'' means assumptions are ignored
- completely (cf.\ @{ML simp_tac}), ``@{text "(no_asm_simp)"}'' means
- assumptions are used in the simplification of the conclusion but are
- not themselves simplified (cf.\ @{ML asm_simp_tac}), and ``@{text
- "(no_asm_use)"}'' means assumptions are simplified but are not used
- in the simplification of each other or the conclusion (cf.\ @{ML
- full_simp_tac}). For compatibility reasons, there is also an option
- ``@{text "(asm_lr)"}'', which means that an assumption is only used
- for simplifying assumptions which are to the right of it (cf.\ @{ML
- asm_lr_simp_tac}).
-
- The configuration option @{text "depth_limit"} limits the number of
- recursive invocations of the simplifier during conditional
- rewriting.
-
- \medskip The Splitter package is usually configured to work as part
- of the Simplifier. The effect of repeatedly applying @{ML
- split_tac} can be simulated by ``@{text "(simp only: split:
- a\<^sub>1 \<dots> a\<^sub>n)"}''. There is also a separate @{text split}
- method available for single-step case splitting.
-*}
-
-
-subsection {* Declaring rules *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "print_simpset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def simp} & : & @{text attribute} \\
- @{attribute_def split} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- (@@{attribute simp} | @@{attribute split}) (() | 'add' | 'del')
- "}
-
- \begin{description}
-
- \item @{command "print_simpset"} prints the collection of rules
- declared to the Simplifier, which is also known as ``simpset''
- internally \cite{isabelle-ref}.
-
- \item @{attribute simp} declares simplification rules.
-
- \item @{attribute split} declares case split rules.
-
- \end{description}
-*}
-
-
-subsection {* Congruence rules\label{sec:simp-cong} *}
-
-text {*
- \begin{matharray}{rcl}
- @{attribute_def cong} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute cong} (() | 'add' | 'del')
- "}
-
- \begin{description}
-
- \item @{attribute cong} declares congruence rules to the Simplifier
- context.
-
- \end{description}
-
- Congruence rules are equalities of the form @{text [display]
- "\<dots> \<Longrightarrow> f ?x\<^sub>1 \<dots> ?x\<^sub>n = f ?y\<^sub>1 \<dots> ?y\<^sub>n"}
-
- This controls the simplification of the arguments of @{text f}. For
- example, some arguments can be simplified under additional
- assumptions: @{text [display] "?P\<^sub>1 \<longleftrightarrow> ?Q\<^sub>1 \<Longrightarrow> (?Q\<^sub>1 \<Longrightarrow> ?P\<^sub>2 \<longleftrightarrow> ?Q\<^sub>2) \<Longrightarrow>
- (?P\<^sub>1 \<longrightarrow> ?P\<^sub>2) \<longleftrightarrow> (?Q\<^sub>1 \<longrightarrow> ?Q\<^sub>2)"}
-
- Given this rule, the simplifier assumes @{text "?Q\<^sub>1"} and extracts
- rewrite rules from it when simplifying @{text "?P\<^sub>2"}. Such local
- assumptions are effective for rewriting formulae such as @{text "x =
- 0 \<longrightarrow> y + x = y"}.
-
- %FIXME
- %The local assumptions are also provided as theorems to the solver;
- %see \secref{sec:simp-solver} below.
-
- \medskip The following congruence rule for bounded quantifiers also
- supplies contextual information --- about the bound variable:
- @{text [display] "(?A = ?B) \<Longrightarrow> (\<And>x. x \<in> ?B \<Longrightarrow> ?P x \<longleftrightarrow> ?Q x) \<Longrightarrow>
- (\<forall>x \<in> ?A. ?P x) \<longleftrightarrow> (\<forall>x \<in> ?B. ?Q x)"}
-
- \medskip This congruence rule for conditional expressions can
- supply contextual information for simplifying the arms:
- @{text [display] "?p = ?q \<Longrightarrow> (?q \<Longrightarrow> ?a = ?c) \<Longrightarrow> (\<not> ?q \<Longrightarrow> ?b = ?d) \<Longrightarrow>
- (if ?p then ?a else ?b) = (if ?q then ?c else ?d)"}
-
- A congruence rule can also \emph{prevent} simplification of some
- arguments. Here is an alternative congruence rule for conditional
- expressions that conforms to non-strict functional evaluation:
- @{text [display] "?p = ?q \<Longrightarrow> (if ?p then ?a else ?b) = (if ?q then ?a else ?b)"}
-
- Only the first argument is simplified; the others remain unchanged.
- This can make simplification much faster, but may require an extra
- case split over the condition @{text "?q"} to prove the goal.
-*}
-
-
-subsection {* Simplification procedures *}
-
-text {* Simplification procedures are ML functions that produce proven
- rewrite rules on demand. They are associated with higher-order
- patterns that approximate the left-hand sides of equations. The
- Simplifier first matches the current redex against one of the LHS
- patterns; if this succeeds, the corresponding ML function is
- invoked, passing the Simplifier context and redex term. Thus rules
- may be specifically fashioned for particular situations, resulting
- in a more powerful mechanism than term rewriting by a fixed set of
- rules.
-
- Any successful result needs to be a (possibly conditional) rewrite
- rule @{text "t \<equiv> u"} that is applicable to the current redex. The
- rule will be applied just as any ordinary rewrite rule. It is
- expected to be already in \emph{internal form}, bypassing the
- automatic preprocessing of object-level equivalences.
-
- \begin{matharray}{rcl}
- @{command_def "simproc_setup"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- simproc & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{command simproc_setup} @{syntax name} '(' (@{syntax term} + '|') ')' '='
- @{syntax text} \\ (@'identifier' (@{syntax nameref}+))?
- ;
-
- @@{attribute simproc} (('add' ':')? | 'del' ':') (@{syntax name}+)
- "}
-
- \begin{description}
-
- \item @{command "simproc_setup"} defines a named simplification
- procedure that is invoked by the Simplifier whenever any of the
- given term patterns match the current redex. The implementation,
- which is provided as ML source text, needs to be of type @{ML_type
- "morphism -> simpset -> cterm -> thm option"}, where the @{ML_type
- cterm} represents the current redex @{text r} and the result is
- supposed to be some proven rewrite rule @{text "r \<equiv> r'"} (or a
- generalized version), or @{ML NONE} to indicate failure. The
- @{ML_type simpset} argument holds the full context of the current
- Simplifier invocation, including the actual Isar proof context. The
- @{ML_type morphism} informs about the difference of the original
- compilation context wrt.\ the one of the actual application later
- on. The optional @{keyword "identifier"} specifies theorems that
- represent the logical content of the abstract theory of this
- simproc.
-
- Morphisms and identifiers are only relevant for simprocs that are
- defined within a local target context, e.g.\ in a locale.
-
- \item @{text "simproc add: name"} and @{text "simproc del: name"}
- add or delete named simprocs to the current Simplifier context. The
- default is to add a simproc. Note that @{command "simproc_setup"}
- already adds the new simproc to the subsequent context.
-
- \end{description}
-*}
-
-
-subsubsection {* Example *}
-
-text {* The following simplification procedure for @{thm
- [source=false, show_types] unit_eq} in HOL performs fine-grained
- control over rule application, beyond higher-order pattern matching.
- Declaring @{thm unit_eq} as @{attribute simp} directly would make
- the simplifier loop! Note that a version of this simplification
- procedure is already active in Isabelle/HOL. *}
-
-simproc_setup unit ("x::unit") = {*
- fn _ => fn _ => fn ct =>
- if HOLogic.is_unit (term_of ct) then NONE
- else SOME (mk_meta_eq @{thm unit_eq})
-*}
-
-text {* Since the Simplifier applies simplification procedures
- frequently, it is important to make the failure check in ML
- reasonably fast. *}
-
-
-subsection {* Forward simplification *}
-
-text {*
- \begin{matharray}{rcl}
- @{attribute_def simplified} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute simplified} opt? @{syntax thmrefs}?
- ;
-
- opt: '(' ('no_asm' | 'no_asm_simp' | 'no_asm_use') ')'
- "}
-
- \begin{description}
-
- \item @{attribute simplified}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} causes a theorem to
- be simplified, either by exactly the specified rules @{text "a\<^sub>1, \<dots>,
- a\<^sub>n"}, or the implicit Simplifier context if no arguments are given.
- The result is fully simplified by default, including assumptions and
- conclusion; the options @{text no_asm} etc.\ tune the Simplifier in
- the same way as the for the @{text simp} method.
-
- Note that forward simplification restricts the simplifier to its
- most basic operation of term rewriting; solver and looper tactics
- \cite{isabelle-ref} are \emph{not} involved here. The @{text
- simplified} attribute should be only rarely required under normal
- circumstances.
-
- \end{description}
-*}
-
-
-section {* The Classical Reasoner \label{sec:classical} *}
-
-subsection {* Basic concepts *}
-
-text {* Although Isabelle is generic, many users will be working in
- some extension of classical first-order logic. Isabelle/ZF is built
- upon theory FOL, while Isabelle/HOL conceptually contains
- first-order logic as a fragment. Theorem-proving in predicate logic
- is undecidable, but many automated strategies have been developed to
- assist in this task.
-
- Isabelle's classical reasoner is a generic package that accepts
- certain information about a logic and delivers a suite of automatic
- proof tools, based on rules that are classified and declared in the
- context. These proof procedures are slow and simplistic compared
- with high-end automated theorem provers, but they can save
- considerable time and effort in practice. They can prove theorems
- such as Pelletier's \cite{pelletier86} problems 40 and 41 in a few
- milliseconds (including full proof reconstruction): *}
-
-lemma "(\<exists>y. \<forall>x. F x y \<longleftrightarrow> F x x) \<longrightarrow> \<not> (\<forall>x. \<exists>y. \<forall>z. F z y \<longleftrightarrow> \<not> F z x)"
- by blast
-
-lemma "(\<forall>z. \<exists>y. \<forall>x. f x y \<longleftrightarrow> f x z \<and> \<not> f x x) \<longrightarrow> \<not> (\<exists>z. \<forall>x. f x z)"
- by blast
-
-text {* The proof tools are generic. They are not restricted to
- first-order logic, and have been heavily used in the development of
- the Isabelle/HOL library and applications. The tactics can be
- traced, and their components can be called directly; in this manner,
- any proof can be viewed interactively. *}
-
-
-subsubsection {* The sequent calculus *}
-
-text {* Isabelle supports natural deduction, which is easy to use for
- interactive proof. But natural deduction does not easily lend
- itself to automation, and has a bias towards intuitionism. For
- certain proofs in classical logic, it can not be called natural.
- The \emph{sequent calculus}, a generalization of natural deduction,
- is easier to automate.
-
- A \textbf{sequent} has the form @{text "\<Gamma> \<turnstile> \<Delta>"}, where @{text "\<Gamma>"}
- and @{text "\<Delta>"} are sets of formulae.\footnote{For first-order
- logic, sequents can equivalently be made from lists or multisets of
- formulae.} The sequent @{text "P\<^sub>1, \<dots>, P\<^sub>m \<turnstile> Q\<^sub>1, \<dots>, Q\<^sub>n"} is
- \textbf{valid} if @{text "P\<^sub>1 \<and> \<dots> \<and> P\<^sub>m"} implies @{text "Q\<^sub>1 \<or> \<dots> \<or>
- Q\<^sub>n"}. Thus @{text "P\<^sub>1, \<dots>, P\<^sub>m"} represent assumptions, each of which
- is true, while @{text "Q\<^sub>1, \<dots>, Q\<^sub>n"} represent alternative goals. A
- sequent is \textbf{basic} if its left and right sides have a common
- formula, as in @{text "P, Q \<turnstile> Q, R"}; basic sequents are trivially
- valid.
-
- Sequent rules are classified as \textbf{right} or \textbf{left},
- indicating which side of the @{text "\<turnstile>"} symbol they operate on.
- Rules that operate on the right side are analogous to natural
- deduction's introduction rules, and left rules are analogous to
- elimination rules. The sequent calculus analogue of @{text "(\<longrightarrow>I)"}
- is the rule
- \[
- \infer[@{text "(\<longrightarrow>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, P \<longrightarrow> Q"}}{@{text "P, \<Gamma> \<turnstile> \<Delta>, Q"}}
- \]
- Applying the rule backwards, this breaks down some implication on
- the right side of a sequent; @{text "\<Gamma>"} and @{text "\<Delta>"} stand for
- the sets of formulae that are unaffected by the inference. The
- analogue of the pair @{text "(\<or>I1)"} and @{text "(\<or>I2)"} is the
- single rule
- \[
- \infer[@{text "(\<or>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, P \<or> Q"}}{@{text "\<Gamma> \<turnstile> \<Delta>, P, Q"}}
- \]
- This breaks down some disjunction on the right side, replacing it by
- both disjuncts. Thus, the sequent calculus is a kind of
- multiple-conclusion logic.
-
- To illustrate the use of multiple formulae on the right, let us
- prove the classical theorem @{text "(P \<longrightarrow> Q) \<or> (Q \<longrightarrow> P)"}. Working
- backwards, we reduce this formula to a basic sequent:
- \[
- \infer[@{text "(\<or>R)"}]{@{text "\<turnstile> (P \<longrightarrow> Q) \<or> (Q \<longrightarrow> P)"}}
- {\infer[@{text "(\<longrightarrow>R)"}]{@{text "\<turnstile> (P \<longrightarrow> Q), (Q \<longrightarrow> P)"}}
- {\infer[@{text "(\<longrightarrow>R)"}]{@{text "P \<turnstile> Q, (Q \<longrightarrow> P)"}}
- {@{text "P, Q \<turnstile> Q, P"}}}}
- \]
-
- This example is typical of the sequent calculus: start with the
- desired theorem and apply rules backwards in a fairly arbitrary
- manner. This yields a surprisingly effective proof procedure.
- Quantifiers add only few complications, since Isabelle handles
- parameters and schematic variables. See \cite[Chapter
- 10]{paulson-ml2} for further discussion. *}
-
-
-subsubsection {* Simulating sequents by natural deduction *}
-
-text {* Isabelle can represent sequents directly, as in the
- object-logic LK. But natural deduction is easier to work with, and
- most object-logics employ it. Fortunately, we can simulate the
- sequent @{text "P\<^sub>1, \<dots>, P\<^sub>m \<turnstile> Q\<^sub>1, \<dots>, Q\<^sub>n"} by the Isabelle formula
- @{text "P\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> P\<^sub>m \<Longrightarrow> \<not> Q\<^sub>2 \<Longrightarrow> ... \<Longrightarrow> \<not> Q\<^sub>n \<Longrightarrow> Q\<^sub>1"} where the order of
- the assumptions and the choice of @{text "Q\<^sub>1"} are arbitrary.
- Elim-resolution plays a key role in simulating sequent proofs.
-
- We can easily handle reasoning on the left. Elim-resolution with
- the rules @{text "(\<or>E)"}, @{text "(\<bottom>E)"} and @{text "(\<exists>E)"} achieves
- a similar effect as the corresponding sequent rules. For the other
- connectives, we use sequent-style elimination rules instead of
- destruction rules such as @{text "(\<and>E1, 2)"} and @{text "(\<forall>E)"}.
- But note that the rule @{text "(\<not>L)"} has no effect under our
- representation of sequents!
- \[
- \infer[@{text "(\<not>L)"}]{@{text "\<not> P, \<Gamma> \<turnstile> \<Delta>"}}{@{text "\<Gamma> \<turnstile> \<Delta>, P"}}
- \]
-
- What about reasoning on the right? Introduction rules can only
- affect the formula in the conclusion, namely @{text "Q\<^sub>1"}. The
- other right-side formulae are represented as negated assumptions,
- @{text "\<not> Q\<^sub>2, \<dots>, \<not> Q\<^sub>n"}. In order to operate on one of these, it
- must first be exchanged with @{text "Q\<^sub>1"}. Elim-resolution with the
- @{text swap} rule has this effect: @{text "\<not> P \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> R"}
-
- To ensure that swaps occur only when necessary, each introduction
- rule is converted into a swapped form: it is resolved with the
- second premise of @{text "(swap)"}. The swapped form of @{text
- "(\<and>I)"}, which might be called @{text "(\<not>\<and>E)"}, is
- @{text [display] "\<not> (P \<and> Q) \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> (\<not> R \<Longrightarrow> Q) \<Longrightarrow> R"}
-
- Similarly, the swapped form of @{text "(\<longrightarrow>I)"} is
- @{text [display] "\<not> (P \<longrightarrow> Q) \<Longrightarrow> (\<not> R \<Longrightarrow> P \<Longrightarrow> Q) \<Longrightarrow> R"}
-
- Swapped introduction rules are applied using elim-resolution, which
- deletes the negated formula. Our representation of sequents also
- requires the use of ordinary introduction rules. If we had no
- regard for readability of intermediate goal states, we could treat
- the right side more uniformly by representing sequents as @{text
- [display] "P\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> P\<^sub>m \<Longrightarrow> \<not> Q\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> \<not> Q\<^sub>n \<Longrightarrow> \<bottom>"}
-*}
-
-
-subsubsection {* Extra rules for the sequent calculus *}
-
-text {* As mentioned, destruction rules such as @{text "(\<and>E1, 2)"} and
- @{text "(\<forall>E)"} must be replaced by sequent-style elimination rules.
- In addition, we need rules to embody the classical equivalence
- between @{text "P \<longrightarrow> Q"} and @{text "\<not> P \<or> Q"}. The introduction
- rules @{text "(\<or>I1, 2)"} are replaced by a rule that simulates
- @{text "(\<or>R)"}: @{text [display] "(\<not> Q \<Longrightarrow> P) \<Longrightarrow> P \<or> Q"}
-
- The destruction rule @{text "(\<longrightarrow>E)"} is replaced by @{text [display]
- "(P \<longrightarrow> Q) \<Longrightarrow> (\<not> P \<Longrightarrow> R) \<Longrightarrow> (Q \<Longrightarrow> R) \<Longrightarrow> R"}
-
- Quantifier replication also requires special rules. In classical
- logic, @{text "\<exists>x. P x"} is equivalent to @{text "\<not> (\<forall>x. \<not> P x)"};
- the rules @{text "(\<exists>R)"} and @{text "(\<forall>L)"} are dual:
- \[
- \infer[@{text "(\<exists>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, \<exists>x. P x"}}{@{text "\<Gamma> \<turnstile> \<Delta>, \<exists>x. P x, P t"}}
- \qquad
- \infer[@{text "(\<forall>L)"}]{@{text "\<forall>x. P x, \<Gamma> \<turnstile> \<Delta>"}}{@{text "P t, \<forall>x. P x, \<Gamma> \<turnstile> \<Delta>"}}
- \]
- Thus both kinds of quantifier may be replicated. Theorems requiring
- multiple uses of a universal formula are easy to invent; consider
- @{text [display] "(\<forall>x. P x \<longrightarrow> P (f x)) \<and> P a \<longrightarrow> P (f\<^sup>n a)"} for any
- @{text "n > 1"}. Natural examples of the multiple use of an
- existential formula are rare; a standard one is @{text "\<exists>x. \<forall>y. P x
- \<longrightarrow> P y"}.
-
- Forgoing quantifier replication loses completeness, but gains
- decidability, since the search space becomes finite. Many useful
- theorems can be proved without replication, and the search generally
- delivers its verdict in a reasonable time. To adopt this approach,
- represent the sequent rules @{text "(\<exists>R)"}, @{text "(\<exists>L)"} and
- @{text "(\<forall>R)"} by @{text "(\<exists>I)"}, @{text "(\<exists>E)"} and @{text "(\<forall>I)"},
- respectively, and put @{text "(\<forall>E)"} into elimination form: @{text
- [display] "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> Q) \<Longrightarrow> Q"}
-
- Elim-resolution with this rule will delete the universal formula
- after a single use. To replicate universal quantifiers, replace the
- rule by @{text [display] "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> \<forall>x. P x \<Longrightarrow> Q) \<Longrightarrow> Q"}
-
- To replicate existential quantifiers, replace @{text "(\<exists>I)"} by
- @{text [display] "(\<not> (\<exists>x. P x) \<Longrightarrow> P t) \<Longrightarrow> \<exists>x. P x"}
-
- All introduction rules mentioned above are also useful in swapped
- form.
-
- Replication makes the search space infinite; we must apply the rules
- with care. The classical reasoner distinguishes between safe and
- unsafe rules, applying the latter only when there is no alternative.
- Depth-first search may well go down a blind alley; best-first search
- is better behaved in an infinite search space. However, quantifier
- replication is too expensive to prove any but the simplest theorems.
-*}
-
-
-subsection {* Rule declarations *}
-
-text {* The proof tools of the Classical Reasoner depend on
- collections of rules declared in the context, which are classified
- as introduction, elimination or destruction and as \emph{safe} or
- \emph{unsafe}. In general, safe rules can be attempted blindly,
- while unsafe rules must be used with care. A safe rule must never
- reduce a provable goal to an unprovable set of subgoals.
-
- The rule @{text "P \<Longrightarrow> P \<or> Q"} is unsafe because it reduces @{text "P
- \<or> Q"} to @{text "P"}, which might turn out as premature choice of an
- unprovable subgoal. Any rule is unsafe whose premises contain new
- unknowns. The elimination rule @{text "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> Q) \<Longrightarrow> Q"} is
- unsafe, since it is applied via elim-resolution, which discards the
- assumption @{text "\<forall>x. P x"} and replaces it by the weaker
- assumption @{text "P t"}. The rule @{text "P t \<Longrightarrow> \<exists>x. P x"} is
- unsafe for similar reasons. The quantifier duplication rule @{text
- "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> \<forall>x. P x \<Longrightarrow> Q) \<Longrightarrow> Q"} is unsafe in a different sense:
- since it keeps the assumption @{text "\<forall>x. P x"}, it is prone to
- looping. In classical first-order logic, all rules are safe except
- those mentioned above.
-
- The safe~/ unsafe distinction is vague, and may be regarded merely
- as a way of giving some rules priority over others. One could argue
- that @{text "(\<or>E)"} is unsafe, because repeated application of it
- could generate exponentially many subgoals. Induction rules are
- unsafe because inductive proofs are difficult to set up
- automatically. Any inference is unsafe that instantiates an unknown
- in the proof state --- thus matching must be used, rather than
- unification. Even proof by assumption is unsafe if it instantiates
- unknowns shared with other subgoals.
-
- \begin{matharray}{rcl}
- @{command_def "print_claset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def intro} & : & @{text attribute} \\
- @{attribute_def elim} & : & @{text attribute} \\
- @{attribute_def dest} & : & @{text attribute} \\
- @{attribute_def rule} & : & @{text attribute} \\
- @{attribute_def iff} & : & @{text attribute} \\
- @{attribute_def swapped} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- (@@{attribute intro} | @@{attribute elim} | @@{attribute dest}) ('!' | () | '?') @{syntax nat}?
- ;
- @@{attribute rule} 'del'
- ;
- @@{attribute iff} (((() | 'add') '?'?) | 'del')
- "}
-
- \begin{description}
-
- \item @{command "print_claset"} prints the collection of rules
- declared to the Classical Reasoner, i.e.\ the @{ML_type claset}
- within the context.
-
- \item @{attribute intro}, @{attribute elim}, and @{attribute dest}
- declare introduction, elimination, and destruction rules,
- respectively. By default, rules are considered as \emph{unsafe}
- (i.e.\ not applied blindly without backtracking), while ``@{text
- "!"}'' classifies as \emph{safe}. Rule declarations marked by
- ``@{text "?"}'' coincide with those of Isabelle/Pure, cf.\
- \secref{sec:pure-meth-att} (i.e.\ are only applied in single steps
- of the @{method rule} method). The optional natural number
- specifies an explicit weight argument, which is ignored by the
- automated reasoning tools, but determines the search order of single
- rule steps.
-
- Introduction rules are those that can be applied using ordinary
- resolution. Their swapped forms are generated internally, which
- will be applied using elim-resolution. Elimination rules are
- applied using elim-resolution. Rules are sorted by the number of
- new subgoals they will yield; rules that generate the fewest
- subgoals will be tried first. Otherwise, later declarations take
- precedence over earlier ones.
-
- Rules already present in the context with the same classification
- are ignored. A warning is printed if the rule has already been
- added with some other classification, but the rule is added anyway
- as requested.
-
- \item @{attribute rule}~@{text del} deletes all occurrences of a
- rule from the classical context, regardless of its classification as
- introduction~/ elimination~/ destruction and safe~/ unsafe.
-
- \item @{attribute iff} declares logical equivalences to the
- Simplifier and the Classical reasoner at the same time.
- Non-conditional rules result in a safe introduction and elimination
- pair; conditional ones are considered unsafe. Rules with negative
- conclusion are automatically inverted (using @{text "\<not>"}-elimination
- internally).
-
- The ``@{text "?"}'' version of @{attribute iff} declares rules to
- the Isabelle/Pure context only, and omits the Simplifier
- declaration.
-
- \item @{attribute swapped} turns an introduction rule into an
- elimination, by resolving with the classical swap principle @{text
- "\<not> P \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> R"} in the second position. This is mainly for
- illustrative purposes: the Classical Reasoner already swaps rules
- internally as explained above.
-
- \end{description}
-*}
-
-
-subsection {* Structured methods *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def rule} & : & @{text method} \\
- @{method_def contradiction} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method rule} @{syntax thmrefs}?
- "}
-
- \begin{description}
-
- \item @{method rule} as offered by the Classical Reasoner is a
- refinement over the Pure one (see \secref{sec:pure-meth-att}). Both
- versions work the same, but the classical version observes the
- classical rule context in addition to that of Isabelle/Pure.
-
- Common object logics (HOL, ZF, etc.) declare a rich collection of
- classical rules (even if these would qualify as intuitionistic
- ones), but only few declarations to the rule context of
- Isabelle/Pure (\secref{sec:pure-meth-att}).
-
- \item @{method contradiction} solves some goal by contradiction,
- deriving any result from both @{text "\<not> A"} and @{text A}. Chained
- facts, which are guaranteed to participate, may appear in either
- order.
-
- \end{description}
-*}
-
-
-subsection {* Automated methods *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def blast} & : & @{text method} \\
- @{method_def auto} & : & @{text method} \\
- @{method_def force} & : & @{text method} \\
- @{method_def fast} & : & @{text method} \\
- @{method_def slow} & : & @{text method} \\
- @{method_def best} & : & @{text method} \\
- @{method_def fastforce} & : & @{text method} \\
- @{method_def slowsimp} & : & @{text method} \\
- @{method_def bestsimp} & : & @{text method} \\
- @{method_def deepen} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method blast} @{syntax nat}? (@{syntax clamod} * )
- ;
- @@{method auto} (@{syntax nat} @{syntax nat})? (@{syntax clasimpmod} * )
- ;
- @@{method force} (@{syntax clasimpmod} * )
- ;
- (@@{method fast} | @@{method slow} | @@{method best}) (@{syntax clamod} * )
- ;
- (@@{method fastforce} | @@{method slowsimp} | @@{method bestsimp})
- (@{syntax clasimpmod} * )
- ;
- @@{method deepen} (@{syntax nat} ?) (@{syntax clamod} * )
- ;
- @{syntax_def clamod}:
- (('intro' | 'elim' | 'dest') ('!' | () | '?') | 'del') ':' @{syntax thmrefs}
- ;
- @{syntax_def clasimpmod}: ('simp' (() | 'add' | 'del' | 'only') |
- ('cong' | 'split') (() | 'add' | 'del') |
- 'iff' (((() | 'add') '?'?) | 'del') |
- (('intro' | 'elim' | 'dest') ('!' | () | '?') | 'del')) ':' @{syntax thmrefs}
- "}
-
- \begin{description}
-
- \item @{method blast} is a separate classical tableau prover that
- uses the same classical rule declarations as explained before.
-
- Proof search is coded directly in ML using special data structures.
- A successful proof is then reconstructed using regular Isabelle
- inferences. It is faster and more powerful than the other classical
- reasoning tools, but has major limitations too.
-
- \begin{itemize}
-
- \item It does not use the classical wrapper tacticals, such as the
- integration with the Simplifier of @{method fastforce}.
-
- \item It does not perform higher-order unification, as needed by the
- rule @{thm [source=false] rangeI} in HOL. There are often
- alternatives to such rules, for example @{thm [source=false]
- range_eqI}.
-
- \item Function variables may only be applied to parameters of the
- subgoal. (This restriction arises because the prover does not use
- higher-order unification.) If other function variables are present
- then the prover will fail with the message \texttt{Function Var's
- argument not a bound variable}.
-
- \item Its proof strategy is more general than @{method fast} but can
- be slower. If @{method blast} fails or seems to be running forever,
- try @{method fast} and the other proof tools described below.
-
- \end{itemize}
-
- The optional integer argument specifies a bound for the number of
- unsafe steps used in a proof. By default, @{method blast} starts
- with a bound of 0 and increases it successively to 20. In contrast,
- @{text "(blast lim)"} tries to prove the goal using a search bound
- of @{text "lim"}. Sometimes a slow proof using @{method blast} can
- be made much faster by supplying the successful search bound to this
- proof method instead.
-
- \item @{method auto} combines classical reasoning with
- simplification. It is intended for situations where there are a lot
- of mostly trivial subgoals; it proves all the easy ones, leaving the
- ones it cannot prove. Occasionally, attempting to prove the hard
- ones may take a long time.
-
- The optional depth arguments in @{text "(auto m n)"} refer to its
- builtin classical reasoning procedures: @{text m} (default 4) is for
- @{method blast}, which is tried first, and @{text n} (default 2) is
- for a slower but more general alternative that also takes wrappers
- into account.
-
- \item @{method force} is intended to prove the first subgoal
- completely, using many fancy proof tools and performing a rather
- exhaustive search. As a result, proof attempts may take rather long
- or diverge easily.
-
- \item @{method fast}, @{method best}, @{method slow} attempt to
- prove the first subgoal using sequent-style reasoning as explained
- before. Unlike @{method blast}, they construct proofs directly in
- Isabelle.
-
- There is a difference in search strategy and back-tracking: @{method
- fast} uses depth-first search and @{method best} uses best-first
- search (guided by a heuristic function: normally the total size of
- the proof state).
-
- Method @{method slow} is like @{method fast}, but conducts a broader
- search: it may, when backtracking from a failed proof attempt, undo
- even the step of proving a subgoal by assumption.
-
- \item @{method fastforce}, @{method slowsimp}, @{method bestsimp}
- are like @{method fast}, @{method slow}, @{method best},
- respectively, but use the Simplifier as additional wrapper. The name
- @{method fastforce}, reflects the behaviour of this popular method
- better without requiring an understanding of its implementation.
-
- \item @{method deepen} works by exhaustive search up to a certain
- depth. The start depth is 4 (unless specified explicitly), and the
- depth is increased iteratively up to 10. Unsafe rules are modified
- to preserve the formula they act on, so that it be used repeatedly.
- This method can prove more goals than @{method fast}, but is much
- slower, for example if the assumptions have many universal
- quantifiers.
-
- \end{description}
-
- Any of the above methods support additional modifiers of the context
- of classical (and simplifier) rules, but the ones related to the
- Simplifier are explicitly prefixed by @{text simp} here. The
- semantics of these ad-hoc rule declarations is analogous to the
- attributes given before. Facts provided by forward chaining are
- inserted into the goal before commencing proof search.
-*}
-
-
-subsection {* Semi-automated methods *}
-
-text {* These proof methods may help in situations when the
- fully-automated tools fail. The result is a simpler subgoal that
- can be tackled by other means, such as by manual instantiation of
- quantifiers.
-
- \begin{matharray}{rcl}
- @{method_def safe} & : & @{text method} \\
- @{method_def clarify} & : & @{text method} \\
- @{method_def clarsimp} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- (@@{method safe} | @@{method clarify}) (@{syntax clamod} * )
- ;
- @@{method clarsimp} (@{syntax clasimpmod} * )
- "}
-
- \begin{description}
-
- \item @{method safe} repeatedly performs safe steps on all subgoals.
- It is deterministic, with at most one outcome.
-
- \item @{method clarify} performs a series of safe steps without
- splitting subgoals; see also @{ML clarify_step_tac}.
-
- \item @{method clarsimp} acts like @{method clarify}, but also does
- simplification. Note that if the Simplifier context includes a
- splitter for the premises, the subgoal may still be split.
-
- \end{description}
-*}
-
-
-subsection {* Single-step tactics *}
-
-text {*
- \begin{matharray}{rcl}
- @{index_ML safe_step_tac: "Proof.context -> int -> tactic"} \\
- @{index_ML inst_step_tac: "Proof.context -> int -> tactic"} \\
- @{index_ML step_tac: "Proof.context -> int -> tactic"} \\
- @{index_ML slow_step_tac: "Proof.context -> int -> tactic"} \\
- @{index_ML clarify_step_tac: "Proof.context -> int -> tactic"} \\
- \end{matharray}
-
- These are the primitive tactics behind the (semi)automated proof
- methods of the Classical Reasoner. By calling them yourself, you
- can execute these procedures one step at a time.
-
- \begin{description}
-
- \item @{ML safe_step_tac}~@{text "ctxt i"} performs a safe step on
- subgoal @{text i}. The safe wrapper tacticals are applied to a
- tactic that may include proof by assumption or Modus Ponens (taking
- care not to instantiate unknowns), or substitution.
-
- \item @{ML inst_step_tac} is like @{ML safe_step_tac}, but allows
- unknowns to be instantiated.
-
- \item @{ML step_tac}~@{text "ctxt i"} is the basic step of the proof
- procedure. The unsafe wrapper tacticals are applied to a tactic
- that tries @{ML safe_tac}, @{ML inst_step_tac}, or applies an unsafe
- rule from the context.
-
- \item @{ML slow_step_tac} resembles @{ML step_tac}, but allows
- backtracking between using safe rules with instantiation (@{ML
- inst_step_tac}) and using unsafe rules. The resulting search space
- is larger.
-
- \item @{ML clarify_step_tac}~@{text "ctxt i"} performs a safe step
- on subgoal @{text i}. No splitting step is applied; for example,
- the subgoal @{text "A \<and> B"} is left as a conjunction. Proof by
- assumption, Modus Ponens, etc., may be performed provided they do
- not instantiate unknowns. Assumptions of the form @{text "x = t"}
- may be eliminated. The safe wrapper tactical is applied.
-
- \end{description}
-*}
-
-
-section {* Object-logic setup \label{sec:object-logic} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "judgment"} & : & @{text "theory \<rightarrow> theory"} \\
- @{method_def atomize} & : & @{text method} \\
- @{attribute_def atomize} & : & @{text attribute} \\
- @{attribute_def rule_format} & : & @{text attribute} \\
- @{attribute_def rulify} & : & @{text attribute} \\
- \end{matharray}
-
- The very starting point for any Isabelle object-logic is a ``truth
- judgment'' that links object-level statements to the meta-logic
- (with its minimal language of @{text prop} that covers universal
- quantification @{text "\<And>"} and implication @{text "\<Longrightarrow>"}).
-
- Common object-logics are sufficiently expressive to internalize rule
- statements over @{text "\<And>"} and @{text "\<Longrightarrow>"} within their own
- language. This is useful in certain situations where a rule needs
- to be viewed as an atomic statement from the meta-level perspective,
- e.g.\ @{text "\<And>x. x \<in> A \<Longrightarrow> P x"} versus @{text "\<forall>x \<in> A. P x"}.
-
- From the following language elements, only the @{method atomize}
- method and @{attribute rule_format} attribute are occasionally
- required by end-users, the rest is for those who need to setup their
- own object-logic. In the latter case existing formulations of
- Isabelle/FOL or Isabelle/HOL may be taken as realistic examples.
-
- Generic tools may refer to the information provided by object-logic
- declarations internally.
-
- @{rail "
- @@{command judgment} @{syntax name} '::' @{syntax type} @{syntax mixfix}?
- ;
- @@{attribute atomize} ('(' 'full' ')')?
- ;
- @@{attribute rule_format} ('(' 'noasm' ')')?
- "}
-
- \begin{description}
-
- \item @{command "judgment"}~@{text "c :: \<sigma> (mx)"} declares constant
- @{text c} as the truth judgment of the current object-logic. Its
- type @{text \<sigma>} should specify a coercion of the category of
- object-level propositions to @{text prop} of the Pure meta-logic;
- the mixfix annotation @{text "(mx)"} would typically just link the
- object language (internally of syntactic category @{text logic})
- with that of @{text prop}. Only one @{command "judgment"}
- declaration may be given in any theory development.
-
- \item @{method atomize} (as a method) rewrites any non-atomic
- premises of a sub-goal, using the meta-level equations declared via
- @{attribute atomize} (as an attribute) beforehand. As a result,
- heavily nested goals become amenable to fundamental operations such
- as resolution (cf.\ the @{method (Pure) rule} method). Giving the ``@{text
- "(full)"}'' option here means to turn the whole subgoal into an
- object-statement (if possible), including the outermost parameters
- and assumptions as well.
-
- A typical collection of @{attribute atomize} rules for a particular
- object-logic would provide an internalization for each of the
- connectives of @{text "\<And>"}, @{text "\<Longrightarrow>"}, and @{text "\<equiv>"}.
- Meta-level conjunction should be covered as well (this is
- particularly important for locales, see \secref{sec:locale}).
-
- \item @{attribute rule_format} rewrites a theorem by the equalities
- declared as @{attribute rulify} rules in the current object-logic.
- By default, the result is fully normalized, including assumptions
- and conclusions at any depth. The @{text "(no_asm)"} option
- restricts the transformation to the conclusion of a rule.
-
- In common object-logics (HOL, FOL, ZF), the effect of @{attribute
- rule_format} is to replace (bounded) universal quantification
- (@{text "\<forall>"}) and implication (@{text "\<longrightarrow>"}) by the corresponding
- rule statements over @{text "\<And>"} and @{text "\<Longrightarrow>"}.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarRef/HOL_Specific.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2366 +0,0 @@
-theory HOL_Specific
-imports Base Main "~~/src/HOL/Library/Old_Recdef"
-begin
-
-chapter {* Isabelle/HOL \label{ch:hol} *}
-
-section {* Higher-Order Logic *}
-
-text {* Isabelle/HOL is based on Higher-Order Logic, a polymorphic
- version of Church's Simple Theory of Types. HOL can be best
- understood as a simply-typed version of classical set theory. The
- logic was first implemented in Gordon's HOL system
- \cite{mgordon-hol}. It extends Church's original logic
- \cite{church40} by explicit type variables (naive polymorphism) and
- a sound axiomatization scheme for new types based on subsets of
- existing types.
-
- Andrews's book \cite{andrews86} is a full description of the
- original Church-style higher-order logic, with proofs of correctness
- and completeness wrt.\ certain set-theoretic interpretations. The
- particular extensions of Gordon-style HOL are explained semantically
- in two chapters of the 1993 HOL book \cite{pitts93}.
-
- Experience with HOL over decades has demonstrated that higher-order
- logic is widely applicable in many areas of mathematics and computer
- science. In a sense, Higher-Order Logic is simpler than First-Order
- Logic, because there are fewer restrictions and special cases. Note
- that HOL is \emph{weaker} than FOL with axioms for ZF set theory,
- which is traditionally considered the standard foundation of regular
- mathematics, but for most applications this does not matter. If you
- prefer ML to Lisp, you will probably prefer HOL to ZF.
-
- \medskip The syntax of HOL follows @{text "\<lambda>"}-calculus and
- functional programming. Function application is curried. To apply
- the function @{text f} of type @{text "\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3"} to the
- arguments @{text a} and @{text b} in HOL, you simply write @{text "f
- a b"} (as in ML or Haskell). There is no ``apply'' operator; the
- existing application of the Pure @{text "\<lambda>"}-calculus is re-used.
- Note that in HOL @{text "f (a, b)"} means ``@{text "f"} applied to
- the pair @{text "(a, b)"} (which is notation for @{text "Pair a
- b"}). The latter typically introduces extra formal efforts that can
- be avoided by currying functions by default. Explicit tuples are as
- infrequent in HOL formalizations as in good ML or Haskell programs.
-
- \medskip Isabelle/HOL has a distinct feel, compared to other
- object-logics like Isabelle/ZF. It identifies object-level types
- with meta-level types, taking advantage of the default
- type-inference mechanism of Isabelle/Pure. HOL fully identifies
- object-level functions with meta-level functions, with native
- abstraction and application.
-
- These identifications allow Isabelle to support HOL particularly
- nicely, but they also mean that HOL requires some sophistication
- from the user. In particular, an understanding of Hindley-Milner
- type-inference with type-classes, which are both used extensively in
- the standard libraries and applications. Beginners can set
- @{attribute show_types} or even @{attribute show_sorts} to get more
- explicit information about the result of type-inference. *}
-
-
-section {* Inductive and coinductive definitions \label{sec:hol-inductive} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "inductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def (HOL) "inductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def (HOL) "coinductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def (HOL) "coinductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{attribute_def (HOL) mono} & : & @{text attribute} \\
- \end{matharray}
-
- An \emph{inductive definition} specifies the least predicate or set
- @{text R} closed under given rules: applying a rule to elements of
- @{text R} yields a result within @{text R}. For example, a
- structural operational semantics is an inductive definition of an
- evaluation relation.
-
- Dually, a \emph{coinductive definition} specifies the greatest
- predicate or set @{text R} that is consistent with given rules:
- every element of @{text R} can be seen as arising by applying a rule
- to elements of @{text R}. An important example is using
- bisimulation relations to formalise equivalence of processes and
- infinite data structures.
-
- Both inductive and coinductive definitions are based on the
- Knaster-Tarski fixed-point theorem for complete lattices. The
- collection of introduction rules given by the user determines a
- functor on subsets of set-theoretic relations. The required
- monotonicity of the recursion scheme is proven as a prerequisite to
- the fixed-point definition and the resulting consequences. This
- works by pushing inclusion through logical connectives and any other
- operator that might be wrapped around recursive occurrences of the
- defined relation: there must be a monotonicity theorem of the form
- @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for each premise @{text "\<M> R t"} in an
- introduction rule. The default rule declarations of Isabelle/HOL
- already take care of most common situations.
-
- @{rail "
- (@@{command (HOL) inductive} | @@{command (HOL) inductive_set} |
- @@{command (HOL) coinductive} | @@{command (HOL) coinductive_set})
- @{syntax target}? \\
- @{syntax \"fixes\"} (@'for' @{syntax \"fixes\"})? (@'where' clauses)? \\
- (@'monos' @{syntax thmrefs})?
- ;
- clauses: (@{syntax thmdecl}? @{syntax prop} + '|')
- ;
- @@{attribute (HOL) mono} (() | 'add' | 'del')
- "}
-
- \begin{description}
-
- \item @{command (HOL) "inductive"} and @{command (HOL)
- "coinductive"} define (co)inductive predicates from the introduction
- rules.
-
- The propositions given as @{text "clauses"} in the @{keyword
- "where"} part are either rules of the usual @{text "\<And>/\<Longrightarrow>"} format
- (with arbitrary nesting), or equalities using @{text "\<equiv>"}. The
- latter specifies extra-logical abbreviations in the sense of
- @{command_ref abbreviation}. Introducing abstract syntax
- simultaneously with the actual introduction rules is occasionally
- useful for complex specifications.
-
- The optional @{keyword "for"} part contains a list of parameters of
- the (co)inductive predicates that remain fixed throughout the
- definition, in contrast to arguments of the relation that may vary
- in each occurrence within the given @{text "clauses"}.
-
- The optional @{keyword "monos"} declaration contains additional
- \emph{monotonicity theorems}, which are required for each operator
- applied to a recursive set in the introduction rules.
-
- \item @{command (HOL) "inductive_set"} and @{command (HOL)
- "coinductive_set"} are wrappers for to the previous commands for
- native HOL predicates. This allows to define (co)inductive sets,
- where multiple arguments are simulated via tuples.
-
- \item @{attribute (HOL) mono} declares monotonicity rules in the
- context. These rule are involved in the automated monotonicity
- proof of the above inductive and coinductive definitions.
-
- \end{description}
-*}
-
-
-subsection {* Derived rules *}
-
-text {* A (co)inductive definition of @{text R} provides the following
- main theorems:
-
- \begin{description}
-
- \item @{text R.intros} is the list of introduction rules as proven
- theorems, for the recursive predicates (or sets). The rules are
- also available individually, using the names given them in the
- theory file;
-
- \item @{text R.cases} is the case analysis (or elimination) rule;
-
- \item @{text R.induct} or @{text R.coinduct} is the (co)induction
- rule;
-
- \item @{text R.simps} is the equation unrolling the fixpoint of the
- predicate one step.
-
- \end{description}
-
- When several predicates @{text "R\<^sub>1, \<dots>, R\<^sub>n"} are
- defined simultaneously, the list of introduction rules is called
- @{text "R\<^sub>1_\<dots>_R\<^sub>n.intros"}, the case analysis rules are
- called @{text "R\<^sub>1.cases, \<dots>, R\<^sub>n.cases"}, and the list
- of mutual induction rules is called @{text
- "R\<^sub>1_\<dots>_R\<^sub>n.inducts"}.
-*}
-
-
-subsection {* Monotonicity theorems *}
-
-text {* The context maintains a default set of theorems that are used
- in monotonicity proofs. New rules can be declared via the
- @{attribute (HOL) mono} attribute. See the main Isabelle/HOL
- sources for some examples. The general format of such monotonicity
- theorems is as follows:
-
- \begin{itemize}
-
- \item Theorems of the form @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for proving
- monotonicity of inductive definitions whose introduction rules have
- premises involving terms such as @{text "\<M> R t"}.
-
- \item Monotonicity theorems for logical operators, which are of the
- general form @{text "(\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> (\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> \<longrightarrow> \<dots>"}. For example, in
- the case of the operator @{text "\<or>"}, the corresponding theorem is
- \[
- \infer{@{text "P\<^sub>1 \<or> P\<^sub>2 \<longrightarrow> Q\<^sub>1 \<or> Q\<^sub>2"}}{@{text "P\<^sub>1 \<longrightarrow> Q\<^sub>1"} & @{text "P\<^sub>2 \<longrightarrow> Q\<^sub>2"}}
- \]
-
- \item De Morgan style equations for reasoning about the ``polarity''
- of expressions, e.g.
- \[
- @{prop "\<not> \<not> P \<longleftrightarrow> P"} \qquad\qquad
- @{prop "\<not> (P \<and> Q) \<longleftrightarrow> \<not> P \<or> \<not> Q"}
- \]
-
- \item Equations for reducing complex operators to more primitive
- ones whose monotonicity can easily be proved, e.g.
- \[
- @{prop "(P \<longrightarrow> Q) \<longleftrightarrow> \<not> P \<or> Q"} \qquad\qquad
- @{prop "Ball A P \<equiv> \<forall>x. x \<in> A \<longrightarrow> P x"}
- \]
-
- \end{itemize}
-*}
-
-subsubsection {* Examples *}
-
-text {* The finite powerset operator can be defined inductively like this: *}
-
-inductive_set Fin :: "'a set \<Rightarrow> 'a set set" for A :: "'a set"
-where
- empty: "{} \<in> Fin A"
-| insert: "a \<in> A \<Longrightarrow> B \<in> Fin A \<Longrightarrow> insert a B \<in> Fin A"
-
-text {* The accessible part of a relation is defined as follows: *}
-
-inductive acc :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> bool"
- for r :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix "\<prec>" 50)
-where acc: "(\<And>y. y \<prec> x \<Longrightarrow> acc r y) \<Longrightarrow> acc r x"
-
-text {* Common logical connectives can be easily characterized as
-non-recursive inductive definitions with parameters, but without
-arguments. *}
-
-inductive AND for A B :: bool
-where "A \<Longrightarrow> B \<Longrightarrow> AND A B"
-
-inductive OR for A B :: bool
-where "A \<Longrightarrow> OR A B"
- | "B \<Longrightarrow> OR A B"
-
-inductive EXISTS for B :: "'a \<Rightarrow> bool"
-where "B a \<Longrightarrow> EXISTS B"
-
-text {* Here the @{text "cases"} or @{text "induct"} rules produced by
- the @{command inductive} package coincide with the expected
- elimination rules for Natural Deduction. Already in the original
- article by Gerhard Gentzen \cite{Gentzen:1935} there is a hint that
- each connective can be characterized by its introductions, and the
- elimination can be constructed systematically. *}
-
-
-section {* Recursive functions \label{sec:recursion} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "primrec"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def (HOL) "fun"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def (HOL) "function"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def (HOL) "termination"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- @{rail "
- @@{command (HOL) primrec} @{syntax target}? @{syntax \"fixes\"} @'where' equations
- ;
- (@@{command (HOL) fun} | @@{command (HOL) function}) @{syntax target}? functionopts?
- @{syntax \"fixes\"} \\ @'where' equations
- ;
-
- equations: (@{syntax thmdecl}? @{syntax prop} + '|')
- ;
- functionopts: '(' (('sequential' | 'domintros') + ',') ')'
- ;
- @@{command (HOL) termination} @{syntax term}?
- "}
-
- \begin{description}
-
- \item @{command (HOL) "primrec"} defines primitive recursive
- functions over datatypes (see also @{command_ref (HOL) datatype} and
- @{command_ref (HOL) rep_datatype}). The given @{text equations}
- specify reduction rules that are produced by instantiating the
- generic combinator for primitive recursion that is available for
- each datatype.
-
- Each equation needs to be of the form:
-
- @{text [display] "f x\<^sub>1 \<dots> x\<^sub>m (C y\<^sub>1 \<dots> y\<^sub>k) z\<^sub>1 \<dots> z\<^sub>n = rhs"}
-
- such that @{text C} is a datatype constructor, @{text rhs} contains
- only the free variables on the left-hand side (or from the context),
- and all recursive occurrences of @{text "f"} in @{text "rhs"} are of
- the form @{text "f \<dots> y\<^sub>i \<dots>"} for some @{text i}. At most one
- reduction rule for each constructor can be given. The order does
- not matter. For missing constructors, the function is defined to
- return a default value, but this equation is made difficult to
- access for users.
-
- The reduction rules are declared as @{attribute simp} by default,
- which enables standard proof methods like @{method simp} and
- @{method auto} to normalize expressions of @{text "f"} applied to
- datatype constructions, by simulating symbolic computation via
- rewriting.
-
- \item @{command (HOL) "function"} defines functions by general
- wellfounded recursion. A detailed description with examples can be
- found in \cite{isabelle-function}. The function is specified by a
- set of (possibly conditional) recursive equations with arbitrary
- pattern matching. The command generates proof obligations for the
- completeness and the compatibility of patterns.
-
- The defined function is considered partial, and the resulting
- simplification rules (named @{text "f.psimps"}) and induction rule
- (named @{text "f.pinduct"}) are guarded by a generated domain
- predicate @{text "f_dom"}. The @{command (HOL) "termination"}
- command can then be used to establish that the function is total.
-
- \item @{command (HOL) "fun"} is a shorthand notation for ``@{command
- (HOL) "function"}~@{text "(sequential)"}, followed by automated
- proof attempts regarding pattern matching and termination. See
- \cite{isabelle-function} for further details.
-
- \item @{command (HOL) "termination"}~@{text f} commences a
- termination proof for the previously defined function @{text f}. If
- this is omitted, the command refers to the most recent function
- definition. After the proof is closed, the recursive equations and
- the induction principle is established.
-
- \end{description}
-
- Recursive definitions introduced by the @{command (HOL) "function"}
- command accommodate reasoning by induction (cf.\ @{method induct}):
- rule @{text "f.induct"} refers to a specific induction rule, with
- parameters named according to the user-specified equations. Cases
- are numbered starting from 1. For @{command (HOL) "primrec"}, the
- induction principle coincides with structural recursion on the
- datatype where the recursion is carried out.
-
- The equations provided by these packages may be referred later as
- theorem list @{text "f.simps"}, where @{text f} is the (collective)
- name of the functions defined. Individual equations may be named
- explicitly as well.
-
- The @{command (HOL) "function"} command accepts the following
- options.
-
- \begin{description}
-
- \item @{text sequential} enables a preprocessor which disambiguates
- overlapping patterns by making them mutually disjoint. Earlier
- equations take precedence over later ones. This allows to give the
- specification in a format very similar to functional programming.
- Note that the resulting simplification and induction rules
- correspond to the transformed specification, not the one given
- originally. This usually means that each equation given by the user
- may result in several theorems. Also note that this automatic
- transformation only works for ML-style datatype patterns.
-
- \item @{text domintros} enables the automated generation of
- introduction rules for the domain predicate. While mostly not
- needed, they can be helpful in some proofs about partial functions.
-
- \end{description}
-*}
-
-subsubsection {* Example: evaluation of expressions *}
-
-text {* Subsequently, we define mutual datatypes for arithmetic and
- boolean expressions, and use @{command primrec} for evaluation
- functions that follow the same recursive structure. *}
-
-datatype 'a aexp =
- IF "'a bexp" "'a aexp" "'a aexp"
- | Sum "'a aexp" "'a aexp"
- | Diff "'a aexp" "'a aexp"
- | Var 'a
- | Num nat
-and 'a bexp =
- Less "'a aexp" "'a aexp"
- | And "'a bexp" "'a bexp"
- | Neg "'a bexp"
-
-
-text {* \medskip Evaluation of arithmetic and boolean expressions *}
-
-primrec evala :: "('a \<Rightarrow> nat) \<Rightarrow> 'a aexp \<Rightarrow> nat"
- and evalb :: "('a \<Rightarrow> nat) \<Rightarrow> 'a bexp \<Rightarrow> bool"
-where
- "evala env (IF b a1 a2) = (if evalb env b then evala env a1 else evala env a2)"
-| "evala env (Sum a1 a2) = evala env a1 + evala env a2"
-| "evala env (Diff a1 a2) = evala env a1 - evala env a2"
-| "evala env (Var v) = env v"
-| "evala env (Num n) = n"
-| "evalb env (Less a1 a2) = (evala env a1 < evala env a2)"
-| "evalb env (And b1 b2) = (evalb env b1 \<and> evalb env b2)"
-| "evalb env (Neg b) = (\<not> evalb env b)"
-
-text {* Since the value of an expression depends on the value of its
- variables, the functions @{const evala} and @{const evalb} take an
- additional parameter, an \emph{environment} that maps variables to
- their values.
-
- \medskip Substitution on expressions can be defined similarly. The
- mapping @{text f} of type @{typ "'a \<Rightarrow> 'a aexp"} given as a
- parameter is lifted canonically on the types @{typ "'a aexp"} and
- @{typ "'a bexp"}, respectively.
-*}
-
-primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp"
- and substb :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a bexp \<Rightarrow> 'b bexp"
-where
- "substa f (IF b a1 a2) = IF (substb f b) (substa f a1) (substa f a2)"
-| "substa f (Sum a1 a2) = Sum (substa f a1) (substa f a2)"
-| "substa f (Diff a1 a2) = Diff (substa f a1) (substa f a2)"
-| "substa f (Var v) = f v"
-| "substa f (Num n) = Num n"
-| "substb f (Less a1 a2) = Less (substa f a1) (substa f a2)"
-| "substb f (And b1 b2) = And (substb f b1) (substb f b2)"
-| "substb f (Neg b) = Neg (substb f b)"
-
-text {* In textbooks about semantics one often finds substitution
- theorems, which express the relationship between substitution and
- evaluation. For @{typ "'a aexp"} and @{typ "'a bexp"}, we can prove
- such a theorem by mutual induction, followed by simplification.
-*}
-
-lemma subst_one:
- "evala env (substa (Var (v := a')) a) = evala (env (v := evala env a')) a"
- "evalb env (substb (Var (v := a')) b) = evalb (env (v := evala env a')) b"
- by (induct a and b) simp_all
-
-lemma subst_all:
- "evala env (substa s a) = evala (\<lambda>x. evala env (s x)) a"
- "evalb env (substb s b) = evalb (\<lambda>x. evala env (s x)) b"
- by (induct a and b) simp_all
-
-
-subsubsection {* Example: a substitution function for terms *}
-
-text {* Functions on datatypes with nested recursion are also defined
- by mutual primitive recursion. *}
-
-datatype ('a, 'b) "term" = Var 'a | App 'b "('a, 'b) term list"
-
-text {* A substitution function on type @{typ "('a, 'b) term"} can be
- defined as follows, by working simultaneously on @{typ "('a, 'b)
- term list"}: *}
-
-primrec subst_term :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term \<Rightarrow> ('a, 'b) term" and
- subst_term_list :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term list \<Rightarrow> ('a, 'b) term list"
-where
- "subst_term f (Var a) = f a"
-| "subst_term f (App b ts) = App b (subst_term_list f ts)"
-| "subst_term_list f [] = []"
-| "subst_term_list f (t # ts) = subst_term f t # subst_term_list f ts"
-
-text {* The recursion scheme follows the structure of the unfolded
- definition of type @{typ "('a, 'b) term"}. To prove properties of this
- substitution function, mutual induction is needed:
-*}
-
-lemma "subst_term (subst_term f1 \<circ> f2) t = subst_term f1 (subst_term f2 t)" and
- "subst_term_list (subst_term f1 \<circ> f2) ts = subst_term_list f1 (subst_term_list f2 ts)"
- by (induct t and ts) simp_all
-
-
-subsubsection {* Example: a map function for infinitely branching trees *}
-
-text {* Defining functions on infinitely branching datatypes by
- primitive recursion is just as easy.
-*}
-
-datatype 'a tree = Atom 'a | Branch "nat \<Rightarrow> 'a tree"
-
-primrec map_tree :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a tree \<Rightarrow> 'b tree"
-where
- "map_tree f (Atom a) = Atom (f a)"
-| "map_tree f (Branch ts) = Branch (\<lambda>x. map_tree f (ts x))"
-
-text {* Note that all occurrences of functions such as @{text ts}
- above must be applied to an argument. In particular, @{term
- "map_tree f \<circ> ts"} is not allowed here. *}
-
-text {* Here is a simple composition lemma for @{term map_tree}: *}
-
-lemma "map_tree g (map_tree f t) = map_tree (g \<circ> f) t"
- by (induct t) simp_all
-
-
-subsection {* Proof methods related to recursive definitions *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) pat_completeness} & : & @{text method} \\
- @{method_def (HOL) relation} & : & @{text method} \\
- @{method_def (HOL) lexicographic_order} & : & @{text method} \\
- @{method_def (HOL) size_change} & : & @{text method} \\
- @{method_def (HOL) induction_schema} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method (HOL) relation} @{syntax term}
- ;
- @@{method (HOL) lexicographic_order} (@{syntax clasimpmod} * )
- ;
- @@{method (HOL) size_change} ( orders (@{syntax clasimpmod} * ) )
- ;
- @@{method (HOL) induction_schema}
- ;
- orders: ( 'max' | 'min' | 'ms' ) *
- "}
-
- \begin{description}
-
- \item @{method (HOL) pat_completeness} is a specialized method to
- solve goals regarding the completeness of pattern matching, as
- required by the @{command (HOL) "function"} package (cf.\
- \cite{isabelle-function}).
-
- \item @{method (HOL) relation}~@{text R} introduces a termination
- proof using the relation @{text R}. The resulting proof state will
- contain goals expressing that @{text R} is wellfounded, and that the
- arguments of recursive calls decrease with respect to @{text R}.
- Usually, this method is used as the initial proof step of manual
- termination proofs.
-
- \item @{method (HOL) "lexicographic_order"} attempts a fully
- automated termination proof by searching for a lexicographic
- combination of size measures on the arguments of the function. The
- method accepts the same arguments as the @{method auto} method,
- which it uses internally to prove local descents. The @{syntax
- clasimpmod} modifiers are accepted (as for @{method auto}).
-
- In case of failure, extensive information is printed, which can help
- to analyse the situation (cf.\ \cite{isabelle-function}).
-
- \item @{method (HOL) "size_change"} also works on termination goals,
- using a variation of the size-change principle, together with a
- graph decomposition technique (see \cite{krauss_phd} for details).
- Three kinds of orders are used internally: @{text max}, @{text min},
- and @{text ms} (multiset), which is only available when the theory
- @{text Multiset} is loaded. When no order kinds are given, they are
- tried in order. The search for a termination proof uses SAT solving
- internally.
-
- For local descent proofs, the @{syntax clasimpmod} modifiers are
- accepted (as for @{method auto}).
-
- \item @{method (HOL) induction_schema} derives user-specified
- induction rules from well-founded induction and completeness of
- patterns. This factors out some operations that are done internally
- by the function package and makes them available separately. See
- @{file "~~/src/HOL/ex/Induction_Schema.thy"} for examples.
-
- \end{description}
-*}
-
-
-subsection {* Functions with explicit partiality *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "partial_function"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{attribute_def (HOL) "partial_function_mono"} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{command (HOL) partial_function} @{syntax target}?
- '(' @{syntax nameref} ')' @{syntax \"fixes\"} \\
- @'where' @{syntax thmdecl}? @{syntax prop}
- "}
-
- \begin{description}
-
- \item @{command (HOL) "partial_function"}~@{text "(mode)"} defines
- recursive functions based on fixpoints in complete partial
- orders. No termination proof is required from the user or
- constructed internally. Instead, the possibility of non-termination
- is modelled explicitly in the result type, which contains an
- explicit bottom element.
-
- Pattern matching and mutual recursion are currently not supported.
- Thus, the specification consists of a single function described by a
- single recursive equation.
-
- There are no fixed syntactic restrictions on the body of the
- function, but the induced functional must be provably monotonic
- wrt.\ the underlying order. The monotonicitity proof is performed
- internally, and the definition is rejected when it fails. The proof
- can be influenced by declaring hints using the
- @{attribute (HOL) partial_function_mono} attribute.
-
- The mandatory @{text mode} argument specifies the mode of operation
- of the command, which directly corresponds to a complete partial
- order on the result type. By default, the following modes are
- defined:
-
- \begin{description}
-
- \item @{text option} defines functions that map into the @{type
- option} type. Here, the value @{term None} is used to model a
- non-terminating computation. Monotonicity requires that if @{term
- None} is returned by a recursive call, then the overall result must
- also be @{term None}. This is best achieved through the use of the
- monadic operator @{const "Option.bind"}.
-
- \item @{text tailrec} defines functions with an arbitrary result
- type and uses the slightly degenerated partial order where @{term
- "undefined"} is the bottom element. Now, monotonicity requires that
- if @{term undefined} is returned by a recursive call, then the
- overall result must also be @{term undefined}. In practice, this is
- only satisfied when each recursive call is a tail call, whose result
- is directly returned. Thus, this mode of operation allows the
- definition of arbitrary tail-recursive functions.
-
- \end{description}
-
- Experienced users may define new modes by instantiating the locale
- @{const "partial_function_definitions"} appropriately.
-
- \item @{attribute (HOL) partial_function_mono} declares rules for
- use in the internal monononicity proofs of partial function
- definitions.
-
- \end{description}
-
-*}
-
-
-subsection {* Old-style recursive function definitions (TFL) *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "recdef"} & : & @{text "theory \<rightarrow> theory)"} \\
- @{command_def (HOL) "recdef_tc"}@{text "\<^sup>*"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- The old TFL commands @{command (HOL) "recdef"} and @{command (HOL)
- "recdef_tc"} for defining recursive are mostly obsolete; @{command
- (HOL) "function"} or @{command (HOL) "fun"} should be used instead.
-
- @{rail "
- @@{command (HOL) recdef} ('(' @'permissive' ')')? \\
- @{syntax name} @{syntax term} (@{syntax prop} +) hints?
- ;
- recdeftc @{syntax thmdecl}? tc
- ;
- hints: '(' @'hints' ( recdefmod * ) ')'
- ;
- recdefmod: (('recdef_simp' | 'recdef_cong' | 'recdef_wf')
- (() | 'add' | 'del') ':' @{syntax thmrefs}) | @{syntax clasimpmod}
- ;
- tc: @{syntax nameref} ('(' @{syntax nat} ')')?
- "}
-
- \begin{description}
-
- \item @{command (HOL) "recdef"} defines general well-founded
- recursive functions (using the TFL package), see also
- \cite{isabelle-HOL}. The ``@{text "(permissive)"}'' option tells
- TFL to recover from failed proof attempts, returning unfinished
- results. The @{text recdef_simp}, @{text recdef_cong}, and @{text
- recdef_wf} hints refer to auxiliary rules to be used in the internal
- automated proof process of TFL. Additional @{syntax clasimpmod}
- declarations may be given to tune the context of the Simplifier
- (cf.\ \secref{sec:simplifier}) and Classical reasoner (cf.\
- \secref{sec:classical}).
-
- \item @{command (HOL) "recdef_tc"}~@{text "c (i)"} recommences the
- proof for leftover termination condition number @{text i} (default
- 1) as generated by a @{command (HOL) "recdef"} definition of
- constant @{text c}.
-
- Note that in most cases, @{command (HOL) "recdef"} is able to finish
- its internal proofs without manual intervention.
-
- \end{description}
-
- \medskip Hints for @{command (HOL) "recdef"} may be also declared
- globally, using the following attributes.
-
- \begin{matharray}{rcl}
- @{attribute_def (HOL) recdef_simp} & : & @{text attribute} \\
- @{attribute_def (HOL) recdef_cong} & : & @{text attribute} \\
- @{attribute_def (HOL) recdef_wf} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- (@@{attribute (HOL) recdef_simp} | @@{attribute (HOL) recdef_cong} |
- @@{attribute (HOL) recdef_wf}) (() | 'add' | 'del')
- "}
-*}
-
-
-section {* Datatypes \label{sec:hol-datatype} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "datatype"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "rep_datatype"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- @{rail "
- @@{command (HOL) datatype} (spec + @'and')
- ;
- @@{command (HOL) rep_datatype} ('(' (@{syntax name} +) ')')? (@{syntax term} +)
- ;
-
- spec: @{syntax typespec_sorts} @{syntax mixfix}? '=' (cons + '|')
- ;
- cons: @{syntax name} (@{syntax type} * ) @{syntax mixfix}?
- "}
-
- \begin{description}
-
- \item @{command (HOL) "datatype"} defines inductive datatypes in
- HOL.
-
- \item @{command (HOL) "rep_datatype"} represents existing types as
- datatypes.
-
- For foundational reasons, some basic types such as @{typ nat}, @{typ
- "'a \<times> 'b"}, @{typ "'a + 'b"}, @{typ bool} and @{typ unit} are
- introduced by more primitive means using @{command_ref typedef}. To
- recover the rich infrastructure of @{command datatype} (e.g.\ rules
- for @{method cases} and @{method induct} and the primitive recursion
- combinators), such types may be represented as actual datatypes
- later. This is done by specifying the constructors of the desired
- type, and giving a proof of the induction rule, distinctness and
- injectivity of constructors.
-
- For example, see @{file "~~/src/HOL/Sum_Type.thy"} for the
- representation of the primitive sum type as fully-featured datatype.
-
- \end{description}
-
- The generated rules for @{method induct} and @{method cases} provide
- case names according to the given constructors, while parameters are
- named after the types (see also \secref{sec:cases-induct}).
-
- See \cite{isabelle-HOL} for more details on datatypes, but beware of
- the old-style theory syntax being used there! Apart from proper
- proof methods for case-analysis and induction, there are also
- emulations of ML tactics @{method (HOL) case_tac} and @{method (HOL)
- induct_tac} available, see \secref{sec:hol-induct-tac}; these admit
- to refer directly to the internal structure of subgoals (including
- internally bound parameters).
-*}
-
-
-subsubsection {* Examples *}
-
-text {* We define a type of finite sequences, with slightly different
- names than the existing @{typ "'a list"} that is already in @{theory
- Main}: *}
-
-datatype 'a seq = Empty | Seq 'a "'a seq"
-
-text {* We can now prove some simple lemma by structural induction: *}
-
-lemma "Seq x xs \<noteq> xs"
-proof (induct xs arbitrary: x)
- case Empty
- txt {* This case can be proved using the simplifier: the freeness
- properties of the datatype are already declared as @{attribute
- simp} rules. *}
- show "Seq x Empty \<noteq> Empty"
- by simp
-next
- case (Seq y ys)
- txt {* The step case is proved similarly. *}
- show "Seq x (Seq y ys) \<noteq> Seq y ys"
- using `Seq y ys \<noteq> ys` by simp
-qed
-
-text {* Here is a more succinct version of the same proof: *}
-
-lemma "Seq x xs \<noteq> xs"
- by (induct xs arbitrary: x) simp_all
-
-
-section {* Records \label{sec:hol-record} *}
-
-text {*
- In principle, records merely generalize the concept of tuples, where
- components may be addressed by labels instead of just position. The
- logical infrastructure of records in Isabelle/HOL is slightly more
- advanced, though, supporting truly extensible record schemes. This
- admits operations that are polymorphic with respect to record
- extension, yielding ``object-oriented'' effects like (single)
- inheritance. See also \cite{NaraschewskiW-TPHOLs98} for more
- details on object-oriented verification and record subtyping in HOL.
-*}
-
-
-subsection {* Basic concepts *}
-
-text {*
- Isabelle/HOL supports both \emph{fixed} and \emph{schematic} records
- at the level of terms and types. The notation is as follows:
-
- \begin{center}
- \begin{tabular}{l|l|l}
- & record terms & record types \\ \hline
- fixed & @{text "\<lparr>x = a, y = b\<rparr>"} & @{text "\<lparr>x :: A, y :: B\<rparr>"} \\
- schematic & @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} &
- @{text "\<lparr>x :: A, y :: B, \<dots> :: M\<rparr>"} \\
- \end{tabular}
- \end{center}
-
- \noindent The ASCII representation of @{text "\<lparr>x = a\<rparr>"} is @{text
- "(| x = a |)"}.
-
- A fixed record @{text "\<lparr>x = a, y = b\<rparr>"} has field @{text x} of value
- @{text a} and field @{text y} of value @{text b}. The corresponding
- type is @{text "\<lparr>x :: A, y :: B\<rparr>"}, assuming that @{text "a :: A"}
- and @{text "b :: B"}.
-
- A record scheme like @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} contains fields
- @{text x} and @{text y} as before, but also possibly further fields
- as indicated by the ``@{text "\<dots>"}'' notation (which is actually part
- of the syntax). The improper field ``@{text "\<dots>"}'' of a record
- scheme is called the \emph{more part}. Logically it is just a free
- variable, which is occasionally referred to as ``row variable'' in
- the literature. The more part of a record scheme may be
- instantiated by zero or more further components. For example, the
- previous scheme may get instantiated to @{text "\<lparr>x = a, y = b, z =
- c, \<dots> = m'\<rparr>"}, where @{text m'} refers to a different more part.
- Fixed records are special instances of record schemes, where
- ``@{text "\<dots>"}'' is properly terminated by the @{text "() :: unit"}
- element. In fact, @{text "\<lparr>x = a, y = b\<rparr>"} is just an abbreviation
- for @{text "\<lparr>x = a, y = b, \<dots> = ()\<rparr>"}.
-
- \medskip Two key observations make extensible records in a simply
- typed language like HOL work out:
-
- \begin{enumerate}
-
- \item the more part is internalized, as a free term or type
- variable,
-
- \item field names are externalized, they cannot be accessed within
- the logic as first-class values.
-
- \end{enumerate}
-
- \medskip In Isabelle/HOL record types have to be defined explicitly,
- fixing their field names and types, and their (optional) parent
- record. Afterwards, records may be formed using above syntax, while
- obeying the canonical order of fields as given by their declaration.
- The record package provides several standard operations like
- selectors and updates. The common setup for various generic proof
- tools enable succinct reasoning patterns. See also the Isabelle/HOL
- tutorial \cite{isabelle-hol-book} for further instructions on using
- records in practice.
-*}
-
-
-subsection {* Record specifications *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "record"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- @@{command (HOL) record} @{syntax typespec_sorts} '=' \\
- (@{syntax type} '+')? (constdecl +)
- ;
- constdecl: @{syntax name} '::' @{syntax type} @{syntax mixfix}?
- "}
-
- \begin{description}
-
- \item @{command (HOL) "record"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t = \<tau> + c\<^sub>1 :: \<sigma>\<^sub>1
- \<dots> c\<^sub>n :: \<sigma>\<^sub>n"} defines extensible record type @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"},
- derived from the optional parent record @{text "\<tau>"} by adding new
- field components @{text "c\<^sub>i :: \<sigma>\<^sub>i"} etc.
-
- The type variables of @{text "\<tau>"} and @{text "\<sigma>\<^sub>i"} need to be
- covered by the (distinct) parameters @{text "\<alpha>\<^sub>1, \<dots>,
- \<alpha>\<^sub>m"}. Type constructor @{text t} has to be new, while @{text
- \<tau>} needs to specify an instance of an existing record type. At
- least one new field @{text "c\<^sub>i"} has to be specified.
- Basically, field names need to belong to a unique record. This is
- not a real restriction in practice, since fields are qualified by
- the record name internally.
-
- The parent record specification @{text \<tau>} is optional; if omitted
- @{text t} becomes a root record. The hierarchy of all records
- declared within a theory context forms a forest structure, i.e.\ a
- set of trees starting with a root record each. There is no way to
- merge multiple parent records!
-
- For convenience, @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} is made a
- type abbreviation for the fixed record type @{text "\<lparr>c\<^sub>1 ::
- \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<rparr>"}, likewise is @{text
- "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m, \<zeta>) t_scheme"} made an abbreviation for
- @{text "\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n, \<dots> ::
- \<zeta>\<rparr>"}.
-
- \end{description}
-*}
-
-
-subsection {* Record operations *}
-
-text {*
- Any record definition of the form presented above produces certain
- standard operations. Selectors and updates are provided for any
- field, including the improper one ``@{text more}''. There are also
- cumulative record constructor functions. To simplify the
- presentation below, we assume for now that @{text "(\<alpha>\<^sub>1, \<dots>,
- \<alpha>\<^sub>m) t"} is a root record with fields @{text "c\<^sub>1 ::
- \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n"}.
-
- \medskip \textbf{Selectors} and \textbf{updates} are available for
- any field (including ``@{text more}''):
-
- \begin{matharray}{lll}
- @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\
- @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
- \end{matharray}
-
- There is special syntax for application of updates: @{text "r\<lparr>x :=
- a\<rparr>"} abbreviates term @{text "x_update a r"}. Further notation for
- repeated updates is also available: @{text "r\<lparr>x := a\<rparr>\<lparr>y := b\<rparr>\<lparr>z :=
- c\<rparr>"} may be written @{text "r\<lparr>x := a, y := b, z := c\<rparr>"}. Note that
- because of postfix notation the order of fields shown here is
- reverse than in the actual term. Since repeated updates are just
- function applications, fields may be freely permuted in @{text "\<lparr>x
- := a, y := b, z := c\<rparr>"}, as far as logical equality is concerned.
- Thus commutativity of independent updates can be proven within the
- logic for any two fields, but not as a general theorem.
-
- \medskip The \textbf{make} operation provides a cumulative record
- constructor function:
-
- \begin{matharray}{lll}
- @{text "t.make"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
- \end{matharray}
-
- \medskip We now reconsider the case of non-root records, which are
- derived of some parent. In general, the latter may depend on
- another parent as well, resulting in a list of \emph{ancestor
- records}. Appending the lists of fields of all ancestors results in
- a certain field prefix. The record package automatically takes care
- of this by lifting operations over this context of ancestor fields.
- Assuming that @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} has ancestor
- fields @{text "b\<^sub>1 :: \<rho>\<^sub>1, \<dots>, b\<^sub>k :: \<rho>\<^sub>k"},
- the above record operations will get the following types:
-
- \medskip
- \begin{tabular}{lll}
- @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\
- @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow>
- \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow>
- \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
- @{text "t.make"} & @{text "::"} & @{text "\<rho>\<^sub>1 \<Rightarrow> \<dots> \<rho>\<^sub>k \<Rightarrow> \<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow>
- \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
- \end{tabular}
- \medskip
-
- \noindent Some further operations address the extension aspect of a
- derived record scheme specifically: @{text "t.fields"} produces a
- record fragment consisting of exactly the new fields introduced here
- (the result may serve as a more part elsewhere); @{text "t.extend"}
- takes a fixed record and adds a given more part; @{text
- "t.truncate"} restricts a record scheme to a fixed record.
-
- \medskip
- \begin{tabular}{lll}
- @{text "t.fields"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
- @{text "t.extend"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr> \<Rightarrow>
- \<zeta> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
- @{text "t.truncate"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
- \end{tabular}
- \medskip
-
- \noindent Note that @{text "t.make"} and @{text "t.fields"} coincide
- for root records.
-*}
-
-
-subsection {* Derived rules and proof tools *}
-
-text {*
- The record package proves several results internally, declaring
- these facts to appropriate proof tools. This enables users to
- reason about record structures quite conveniently. Assume that
- @{text t} is a record type as specified above.
-
- \begin{enumerate}
-
- \item Standard conversions for selectors or updates applied to
- record constructor terms are made part of the default Simplifier
- context; thus proofs by reduction of basic operations merely require
- the @{method simp} method without further arguments. These rules
- are available as @{text "t.simps"}, too.
-
- \item Selectors applied to updated records are automatically reduced
- by an internal simplification procedure, which is also part of the
- standard Simplifier setup.
-
- \item Inject equations of a form analogous to @{prop "(x, y) = (x',
- y') \<equiv> x = x' \<and> y = y'"} are declared to the Simplifier and Classical
- Reasoner as @{attribute iff} rules. These rules are available as
- @{text "t.iffs"}.
-
- \item The introduction rule for record equality analogous to @{text
- "x r = x r' \<Longrightarrow> y r = y r' \<dots> \<Longrightarrow> r = r'"} is declared to the Simplifier,
- and as the basic rule context as ``@{attribute intro}@{text "?"}''.
- The rule is called @{text "t.equality"}.
-
- \item Representations of arbitrary record expressions as canonical
- constructor terms are provided both in @{method cases} and @{method
- induct} format (cf.\ the generic proof methods of the same name,
- \secref{sec:cases-induct}). Several variations are available, for
- fixed records, record schemes, more parts etc.
-
- The generic proof methods are sufficiently smart to pick the most
- sensible rule according to the type of the indicated record
- expression: users just need to apply something like ``@{text "(cases
- r)"}'' to a certain proof problem.
-
- \item The derived record operations @{text "t.make"}, @{text
- "t.fields"}, @{text "t.extend"}, @{text "t.truncate"} are \emph{not}
- treated automatically, but usually need to be expanded by hand,
- using the collective fact @{text "t.defs"}.
-
- \end{enumerate}
-*}
-
-
-subsubsection {* Examples *}
-
-text {* See @{file "~~/src/HOL/ex/Records.thy"}, for example. *}
-
-
-section {* Adhoc tuples *}
-
-text {*
- \begin{matharray}{rcl}
- @{attribute_def (HOL) split_format}@{text "\<^sup>*"} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute (HOL) split_format} ('(' 'complete' ')')?
- "}
-
- \begin{description}
-
- \item @{attribute (HOL) split_format}\ @{text "(complete)"} causes
- arguments in function applications to be represented canonically
- according to their tuple type structure.
-
- Note that this operation tends to invent funny names for new local
- parameters introduced.
-
- \end{description}
-*}
-
-
-section {* Typedef axiomatization \label{sec:hol-typedef} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "typedef"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- A Gordon/HOL-style type definition is a certain axiom scheme that
- identifies a new type with a subset of an existing type. More
- precisely, the new type is defined by exhibiting an existing type
- @{text \<tau>}, a set @{text "A :: \<tau> set"}, and a theorem that proves
- @{prop "\<exists>x. x \<in> A"}. Thus @{text A} is a non-empty subset of @{text
- \<tau>}, and the new type denotes this subset. New functions are
- postulated that establish an isomorphism between the new type and
- the subset. In general, the type @{text \<tau>} may involve type
- variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} which means that the type definition
- produces a type constructor @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} depending on
- those type arguments.
-
- The axiomatization can be considered a ``definition'' in the sense
- of the particular set-theoretic interpretation of HOL
- \cite{pitts93}, where the universe of types is required to be
- downwards-closed wrt.\ arbitrary non-empty subsets. Thus genuinely
- new types introduced by @{command "typedef"} stay within the range
- of HOL models by construction. Note that @{command_ref
- type_synonym} from Isabelle/Pure merely introduces syntactic
- abbreviations, without any logical significance.
-
- @{rail "
- @@{command (HOL) typedef} alt_name? abs_type '=' rep_set
- ;
-
- alt_name: '(' (@{syntax name} | @'open' | @'open' @{syntax name}) ')'
- ;
- abs_type: @{syntax typespec_sorts} @{syntax mixfix}?
- ;
- rep_set: @{syntax term} (@'morphisms' @{syntax name} @{syntax name})?
- "}
-
- \begin{description}
-
- \item @{command (HOL) "typedef"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = A"}
- axiomatizes a type definition in the background theory of the
- current context, depending on a non-emptiness result of the set
- @{text A} that needs to be proven here. The set @{text A} may
- contain type variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} as specified on the LHS,
- but no term variables.
-
- Even though a local theory specification, the newly introduced type
- constructor cannot depend on parameters or assumptions of the
- context: this is structurally impossible in HOL. In contrast, the
- non-emptiness proof may use local assumptions in unusual situations,
- which could result in different interpretations in target contexts:
- the meaning of the bijection between the representing set @{text A}
- and the new type @{text t} may then change in different application
- contexts.
-
- By default, @{command (HOL) "typedef"} defines both a type
- constructor @{text t} for the new type, and a term constant @{text
- t} for the representing set within the old type. Use the ``@{text
- "(open)"}'' option to suppress a separate constant definition
- altogether. The injection from type to set is called @{text Rep_t},
- its inverse @{text Abs_t}, unless explicit @{keyword (HOL)
- "morphisms"} specification provides alternative names.
-
- The core axiomatization uses the locale predicate @{const
- type_definition} as defined in Isabelle/HOL. Various basic
- consequences of that are instantiated accordingly, re-using the
- locale facts with names derived from the new type constructor. Thus
- the generic @{thm type_definition.Rep} is turned into the specific
- @{text "Rep_t"}, for example.
-
- Theorems @{thm type_definition.Rep}, @{thm
- type_definition.Rep_inverse}, and @{thm type_definition.Abs_inverse}
- provide the most basic characterization as a corresponding
- injection/surjection pair (in both directions). The derived rules
- @{thm type_definition.Rep_inject} and @{thm
- type_definition.Abs_inject} provide a more convenient version of
- injectivity, suitable for automated proof tools (e.g.\ in
- declarations involving @{attribute simp} or @{attribute iff}).
- Furthermore, the rules @{thm type_definition.Rep_cases}~/ @{thm
- type_definition.Rep_induct}, and @{thm type_definition.Abs_cases}~/
- @{thm type_definition.Abs_induct} provide alternative views on
- surjectivity. These rules are already declared as set or type rules
- for the generic @{method cases} and @{method induct} methods,
- respectively.
-
- An alternative name for the set definition (and other derived
- entities) may be specified in parentheses; the default is to use
- @{text t} directly.
-
- \end{description}
-
- \begin{warn}
- If you introduce a new type axiomatically, i.e.\ via @{command_ref
- typedecl} and @{command_ref axiomatization}, the minimum requirement
- is that it has a non-empty model, to avoid immediate collapse of the
- HOL logic. Moreover, one needs to demonstrate that the
- interpretation of such free-form axiomatizations can coexist with
- that of the regular @{command_def typedef} scheme, and any extension
- that other people might have introduced elsewhere (e.g.\ in HOLCF
- \cite{MuellerNvOS99}).
- \end{warn}
-*}
-
-subsubsection {* Examples *}
-
-text {* Type definitions permit the introduction of abstract data
- types in a safe way, namely by providing models based on already
- existing types. Given some abstract axiomatic description @{text P}
- of a type, this involves two steps:
-
- \begin{enumerate}
-
- \item Find an appropriate type @{text \<tau>} and subset @{text A} which
- has the desired properties @{text P}, and make a type definition
- based on this representation.
-
- \item Prove that @{text P} holds for @{text \<tau>} by lifting @{text P}
- from the representation.
-
- \end{enumerate}
-
- You can later forget about the representation and work solely in
- terms of the abstract properties @{text P}.
-
- \medskip The following trivial example pulls a three-element type
- into existence within the formal logical environment of HOL. *}
-
-typedef three = "{(True, True), (True, False), (False, True)}"
- by blast
-
-definition "One = Abs_three (True, True)"
-definition "Two = Abs_three (True, False)"
-definition "Three = Abs_three (False, True)"
-
-lemma three_distinct: "One \<noteq> Two" "One \<noteq> Three" "Two \<noteq> Three"
- by (simp_all add: One_def Two_def Three_def Abs_three_inject three_def)
-
-lemma three_cases:
- fixes x :: three obtains "x = One" | "x = Two" | "x = Three"
- by (cases x) (auto simp: One_def Two_def Three_def Abs_three_inject three_def)
-
-text {* Note that such trivial constructions are better done with
- derived specification mechanisms such as @{command datatype}: *}
-
-datatype three' = One' | Two' | Three'
-
-text {* This avoids re-doing basic definitions and proofs from the
- primitive @{command typedef} above. *}
-
-
-section {* Functorial structure of types *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "enriched_type"} & : & @{text "local_theory \<rightarrow> proof(prove)"}
- \end{matharray}
-
- @{rail "
- @@{command (HOL) enriched_type} (@{syntax name} ':')? @{syntax term}
- ;
- "}
-
- \begin{description}
-
- \item @{command (HOL) "enriched_type"}~@{text "prefix: m"} allows to
- prove and register properties about the functorial structure of type
- constructors. These properties then can be used by other packages
- to deal with those type constructors in certain type constructions.
- Characteristic theorems are noted in the current local theory. By
- default, they are prefixed with the base name of the type
- constructor, an explicit prefix can be given alternatively.
-
- The given term @{text "m"} is considered as \emph{mapper} for the
- corresponding type constructor and must conform to the following
- type pattern:
-
- \begin{matharray}{lll}
- @{text "m"} & @{text "::"} &
- @{text "\<sigma>\<^isub>1 \<Rightarrow> \<dots> \<sigma>\<^isub>k \<Rightarrow> (\<^vec>\<alpha>\<^isub>n) t \<Rightarrow> (\<^vec>\<beta>\<^isub>n) t"} \\
- \end{matharray}
-
- \noindent where @{text t} is the type constructor, @{text
- "\<^vec>\<alpha>\<^isub>n"} and @{text "\<^vec>\<beta>\<^isub>n"} are distinct
- type variables free in the local theory and @{text "\<sigma>\<^isub>1"},
- \ldots, @{text "\<sigma>\<^isub>k"} is a subsequence of @{text "\<alpha>\<^isub>1 \<Rightarrow>
- \<beta>\<^isub>1"}, @{text "\<beta>\<^isub>1 \<Rightarrow> \<alpha>\<^isub>1"}, \ldots,
- @{text "\<alpha>\<^isub>n \<Rightarrow> \<beta>\<^isub>n"}, @{text "\<beta>\<^isub>n \<Rightarrow>
- \<alpha>\<^isub>n"}.
-
- \end{description}
-*}
-
-
-section {* Transfer package *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) "transfer"} & : & @{text method} \\
- @{method_def (HOL) "transfer'"} & : & @{text method} \\
- @{method_def (HOL) "transfer_prover"} & : & @{text method} \\
- @{attribute_def (HOL) "transfer_rule"} & : & @{text attribute} \\
- @{attribute_def (HOL) "relator_eq"} & : & @{text attribute} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{method (HOL) "transfer"} method replaces the current subgoal
- with a logically equivalent one that uses different types and
- constants. The replacement of types and constants is guided by the
- database of transfer rules. Goals are generalized over all free
- variables by default; this is necessary for variables whose types
- change, but can be overridden for specific variables with e.g.
- @{text "transfer fixing: x y z"}.
-
- \item @{method (HOL) "transfer'"} is a variant of @{method (HOL)
- transfer} that allows replacing a subgoal with one that is
- logically stronger (rather than equivalent). For example, a
- subgoal involving equality on a quotient type could be replaced
- with a subgoal involving equality (instead of the corresponding
- equivalence relation) on the underlying raw type.
-
- \item @{method (HOL) "transfer_prover"} method assists with proving
- a transfer rule for a new constant, provided the constant is
- defined in terms of other constants that already have transfer
- rules. It should be applied after unfolding the constant
- definitions.
-
- \item @{attribute (HOL) "transfer_rule"} attribute maintains a
- collection of transfer rules, which relate constants at two
- different types. Typical transfer rules may relate different type
- instances of the same polymorphic constant, or they may relate an
- operation on a raw type to a corresponding operation on an
- abstract type (quotient or subtype). For example:
-
- @{text "((A ===> B) ===> list_all2 A ===> list_all2 B) map map"}\\
- @{text "(cr_int ===> cr_int ===> cr_int) (\<lambda>(x,y) (u,v). (x+u, y+v)) plus"}
-
- Lemmas involving predicates on relations can also be registered
- using the same attribute. For example:
-
- @{text "bi_unique A \<Longrightarrow> (list_all2 A ===> op =) distinct distinct"}\\
- @{text "\<lbrakk>bi_unique A; bi_unique B\<rbrakk> \<Longrightarrow> bi_unique (prod_rel A B)"}
-
- \item @{attribute (HOL) relator_eq} attribute collects identity laws
- for relators of various type constructors, e.g. @{text "list_all2
- (op =) = (op =)"}. The @{method (HOL) transfer} method uses these
- lemmas to infer transfer rules for non-polymorphic constants on
- the fly.
-
- \end{description}
-
-*}
-
-
-section {* Lifting package *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "setup_lifting"} & : & @{text "local_theory \<rightarrow> local_theory"}\\
- @{command_def (HOL) "lift_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
- @{command_def (HOL) "print_quotmaps"} & : & @{text "context \<rightarrow>"}\\
- @{command_def (HOL) "print_quotients"} & : & @{text "context \<rightarrow>"}\\
- @{attribute_def (HOL) "quot_map"} & : & @{text attribute} \\
- @{attribute_def (HOL) "invariant_commute"} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{command (HOL) setup_lifting} ('(' 'no_abs_code' ')')? \\
- @{syntax thmref} @{syntax thmref}?;
- "}
-
- @{rail "
- @@{command (HOL) lift_definition} @{syntax name} '::' @{syntax type} @{syntax mixfix}? \\
- 'is' @{syntax term};
- "}
-
- \begin{description}
-
- \item @{command (HOL) "setup_lifting"} Sets up the Lifting package
- to work with a user-defined type. The user must provide either a
- quotient theorem @{text "Quotient R Abs Rep T"} or a
- type_definition theorem @{text "type_definition Rep Abs A"}. The
- package configures transfer rules for equality and quantifiers on
- the type, and sets up the @{command_def (HOL) "lift_definition"}
- command to work with the type. In the case of a quotient theorem,
- an optional theorem @{text "reflp R"} can be provided as a second
- argument. This allows the package to generate stronger transfer
- rules.
-
- @{command (HOL) "setup_lifting"} is called automatically if a
- quotient type is defined by the command @{command (HOL)
- "quotient_type"} from the Quotient package.
-
- If @{command (HOL) "setup_lifting"} is called with a
- type_definition theorem, the abstract type implicitly defined by
- the theorem is declared as an abstract type in the code
- generator. This allows @{command (HOL) "lift_definition"} to
- register (generated) code certificate theorems as abstract code
- equations in the code generator. The option @{text "no_abs_code"}
- of the command @{command (HOL) "setup_lifting"} can turn off that
- behavior and causes that code certificate theorems generated by
- @{command (HOL) "lift_definition"} are not registred as abstract
- code equations.
-
- \item @{command (HOL) "lift_definition"} @{text "f :: \<tau> is t"}
- Defines a new function @{text f} with an abstract type @{text \<tau>}
- in terms of a corresponding operation @{text t} on a
- representation type. The term @{text t} doesn't have to be
- necessarily a constant but it can be any term.
-
- Users must discharge a respectfulness proof obligation when each
- constant is defined. For a type copy, i.e. a typedef with @{text
- UNIV}, the proof is discharged automatically. The obligation is
- presented in a user-friendly, readable form. A respectfulness
- theorem in the standard format @{text f.rsp} and a transfer rule
- @{text f.tranfer} for the Transfer package are generated by the
- package.
-
- Integration with code_abstype: For typedefs (e.g. subtypes
- corresponding to a datatype invariant, such as dlist), @{command
- (HOL) "lift_definition"} generates a code certificate theorem
- @{text f.rep_eq} and sets up code generation for each constant.
-
- \item @{command (HOL) "print_quotmaps"} prints stored quotient map
- theorems.
-
- \item @{command (HOL) "print_quotients"} prints stored quotient
- theorems.
-
- \item @{attribute (HOL) quot_map} registers a quotient map
- theorem. For examples see @{file
- "~~/src/HOL/Library/Quotient_List.thy"} or other Quotient_*.thy
- files.
-
- \item @{attribute (HOL) invariant_commute} registers a theorem which
- shows a relationship between the constant @{text
- Lifting.invariant} (used for internal encoding of proper subtypes)
- and a relator. Such theorems allows the package to hide @{text
- Lifting.invariant} from a user in a user-readable form of a
- respectfulness theorem. For examples see @{file
- "~~/src/HOL/Library/Quotient_List.thy"} or other Quotient_*.thy
- files.
-
- \end{description}
-*}
-
-
-section {* Quotient types *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "quotient_type"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
- @{command_def (HOL) "quotient_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
- @{command_def (HOL) "print_quotmapsQ3"} & : & @{text "context \<rightarrow>"}\\
- @{command_def (HOL) "print_quotientsQ3"} & : & @{text "context \<rightarrow>"}\\
- @{command_def (HOL) "print_quotconsts"} & : & @{text "context \<rightarrow>"}\\
- @{method_def (HOL) "lifting"} & : & @{text method} \\
- @{method_def (HOL) "lifting_setup"} & : & @{text method} \\
- @{method_def (HOL) "descending"} & : & @{text method} \\
- @{method_def (HOL) "descending_setup"} & : & @{text method} \\
- @{method_def (HOL) "partiality_descending"} & : & @{text method} \\
- @{method_def (HOL) "partiality_descending_setup"} & : & @{text method} \\
- @{method_def (HOL) "regularize"} & : & @{text method} \\
- @{method_def (HOL) "injection"} & : & @{text method} \\
- @{method_def (HOL) "cleaning"} & : & @{text method} \\
- @{attribute_def (HOL) "quot_thm"} & : & @{text attribute} \\
- @{attribute_def (HOL) "quot_lifted"} & : & @{text attribute} \\
- @{attribute_def (HOL) "quot_respect"} & : & @{text attribute} \\
- @{attribute_def (HOL) "quot_preserve"} & : & @{text attribute} \\
- \end{matharray}
-
- The quotient package defines a new quotient type given a raw type
- and a partial equivalence relation. It also includes automation for
- transporting definitions and theorems. It can automatically produce
- definitions and theorems on the quotient type, given the
- corresponding constants and facts on the raw type.
-
- @{rail "
- @@{command (HOL) quotient_type} (spec + @'and');
-
- spec: @{syntax typespec} @{syntax mixfix}? '=' \\
- @{syntax type} '/' ('partial' ':')? @{syntax term} \\
- (@'morphisms' @{syntax name} @{syntax name})?;
- "}
-
- @{rail "
- @@{command (HOL) quotient_definition} constdecl? @{syntax thmdecl}? \\
- @{syntax term} 'is' @{syntax term};
-
- constdecl: @{syntax name} ('::' @{syntax type})? @{syntax mixfix}?
- "}
-
- @{rail "
- @@{method (HOL) lifting} @{syntax thmrefs}?
- ;
-
- @@{method (HOL) lifting_setup} @{syntax thmrefs}?
- ;
- "}
-
- \begin{description}
-
- \item @{command (HOL) "quotient_type"} defines quotient types. The
- injection from a quotient type to a raw type is called @{text
- rep_t}, its inverse @{text abs_t} unless explicit @{keyword (HOL)
- "morphisms"} specification provides alternative names. @{command
- (HOL) "quotient_type"} requires the user to prove that the relation
- is an equivalence relation (predicate @{text equivp}), unless the
- user specifies explicitely @{text partial} in which case the
- obligation is @{text part_equivp}. A quotient defined with @{text
- partial} is weaker in the sense that less things can be proved
- automatically.
-
- \item @{command (HOL) "quotient_definition"} defines a constant on
- the quotient type.
-
- \item @{command (HOL) "print_quotmapsQ3"} prints quotient map
- functions.
-
- \item @{command (HOL) "print_quotientsQ3"} prints quotients.
-
- \item @{command (HOL) "print_quotconsts"} prints quotient constants.
-
- \item @{method (HOL) "lifting"} and @{method (HOL) "lifting_setup"}
- methods match the current goal with the given raw theorem to be
- lifted producing three new subgoals: regularization, injection and
- cleaning subgoals. @{method (HOL) "lifting"} tries to apply the
- heuristics for automatically solving these three subgoals and
- leaves only the subgoals unsolved by the heuristics to the user as
- opposed to @{method (HOL) "lifting_setup"} which leaves the three
- subgoals unsolved.
-
- \item @{method (HOL) "descending"} and @{method (HOL)
- "descending_setup"} try to guess a raw statement that would lift
- to the current subgoal. Such statement is assumed as a new subgoal
- and @{method (HOL) "descending"} continues in the same way as
- @{method (HOL) "lifting"} does. @{method (HOL) "descending"} tries
- to solve the arising regularization, injection and cleaning
- subgoals with the analoguous method @{method (HOL)
- "descending_setup"} which leaves the four unsolved subgoals.
-
- \item @{method (HOL) "partiality_descending"} finds the regularized
- theorem that would lift to the current subgoal, lifts it and
- leaves as a subgoal. This method can be used with partial
- equivalence quotients where the non regularized statements would
- not be true. @{method (HOL) "partiality_descending_setup"} leaves
- the injection and cleaning subgoals unchanged.
-
- \item @{method (HOL) "regularize"} applies the regularization
- heuristics to the current subgoal.
-
- \item @{method (HOL) "injection"} applies the injection heuristics
- to the current goal using the stored quotient respectfulness
- theorems.
-
- \item @{method (HOL) "cleaning"} applies the injection cleaning
- heuristics to the current subgoal using the stored quotient
- preservation theorems.
-
- \item @{attribute (HOL) quot_lifted} attribute tries to
- automatically transport the theorem to the quotient type.
- The attribute uses all the defined quotients types and quotient
- constants often producing undesired results or theorems that
- cannot be lifted.
-
- \item @{attribute (HOL) quot_respect} and @{attribute (HOL)
- quot_preserve} attributes declare a theorem as a respectfulness
- and preservation theorem respectively. These are stored in the
- local theory store and used by the @{method (HOL) "injection"}
- and @{method (HOL) "cleaning"} methods respectively.
-
- \item @{attribute (HOL) quot_thm} declares that a certain theorem
- is a quotient extension theorem. Quotient extension theorems
- allow for quotienting inside container types. Given a polymorphic
- type that serves as a container, a map function defined for this
- container using @{command (HOL) "enriched_type"} and a relation
- map defined for for the container type, the quotient extension
- theorem should be @{term "Quotient3 R Abs Rep \<Longrightarrow> Quotient3
- (rel_map R) (map Abs) (map Rep)"}. Quotient extension theorems
- are stored in a database and are used all the steps of lifting
- theorems.
-
- \end{description}
-*}
-
-
-section {* Coercive subtyping *}
-
-text {*
- \begin{matharray}{rcl}
- @{attribute_def (HOL) coercion} & : & @{text attribute} \\
- @{attribute_def (HOL) coercion_enabled} & : & @{text attribute} \\
- @{attribute_def (HOL) coercion_map} & : & @{text attribute} \\
- \end{matharray}
-
- Coercive subtyping allows the user to omit explicit type
- conversions, also called \emph{coercions}. Type inference will add
- them as necessary when parsing a term. See
- \cite{traytel-berghofer-nipkow-2011} for details.
-
- @{rail "
- @@{attribute (HOL) coercion} (@{syntax term})?
- ;
- "}
- @{rail "
- @@{attribute (HOL) coercion_map} (@{syntax term})?
- ;
- "}
-
- \begin{description}
-
- \item @{attribute (HOL) "coercion"}~@{text "f"} registers a new
- coercion function @{text "f :: \<sigma>\<^isub>1 \<Rightarrow> \<sigma>\<^isub>2"} where @{text "\<sigma>\<^isub>1"} and
- @{text "\<sigma>\<^isub>2"} are type constructors without arguments. Coercions are
- composed by the inference algorithm if needed. Note that the type
- inference algorithm is complete only if the registered coercions
- form a lattice.
-
- \item @{attribute (HOL) "coercion_map"}~@{text "map"} registers a
- new map function to lift coercions through type constructors. The
- function @{text "map"} must conform to the following type pattern
-
- \begin{matharray}{lll}
- @{text "map"} & @{text "::"} &
- @{text "f\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> f\<^isub>n \<Rightarrow> (\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>n) t \<Rightarrow> (\<beta>\<^isub>1, \<dots>, \<beta>\<^isub>n) t"} \\
- \end{matharray}
-
- where @{text "t"} is a type constructor and @{text "f\<^isub>i"} is of type
- @{text "\<alpha>\<^isub>i \<Rightarrow> \<beta>\<^isub>i"} or @{text "\<beta>\<^isub>i \<Rightarrow> \<alpha>\<^isub>i"}. Registering a map function
- overwrites any existing map function for this particular type
- constructor.
-
- \item @{attribute (HOL) "coercion_enabled"} enables the coercion
- inference algorithm.
-
- \end{description}
-*}
-
-
-section {* Arithmetic proof support *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) arith} & : & @{text method} \\
- @{attribute_def (HOL) arith} & : & @{text attribute} \\
- @{attribute_def (HOL) arith_split} & : & @{text attribute} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{method (HOL) arith} decides linear arithmetic problems (on
- types @{text nat}, @{text int}, @{text real}). Any current facts
- are inserted into the goal before running the procedure.
-
- \item @{attribute (HOL) arith} declares facts that are supplied to
- the arithmetic provers implicitly.
-
- \item @{attribute (HOL) arith_split} attribute declares case split
- rules to be expanded before @{method (HOL) arith} is invoked.
-
- \end{description}
-
- Note that a simpler (but faster) arithmetic prover is already
- invoked by the Simplifier.
-*}
-
-
-section {* Intuitionistic proof search *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) iprover} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method (HOL) iprover} ( @{syntax rulemod} * )
- "}
-
- \begin{description}
-
- \item @{method (HOL) iprover} performs intuitionistic proof search,
- depending on specifically declared rules from the context, or given
- as explicit arguments. Chained facts are inserted into the goal
- before commencing proof search.
-
- Rules need to be classified as @{attribute (Pure) intro},
- @{attribute (Pure) elim}, or @{attribute (Pure) dest}; here the
- ``@{text "!"}'' indicator refers to ``safe'' rules, which may be
- applied aggressively (without considering back-tracking later).
- Rules declared with ``@{text "?"}'' are ignored in proof search (the
- single-step @{method (Pure) rule} method still observes these). An
- explicit weight annotation may be given as well; otherwise the
- number of rule premises will be taken into account here.
-
- \end{description}
-*}
-
-
-section {* Model Elimination and Resolution *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) "meson"} & : & @{text method} \\
- @{method_def (HOL) "metis"} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method (HOL) meson} @{syntax thmrefs}?
- ;
-
- @@{method (HOL) metis}
- ('(' ('partial_types' | 'full_types' | 'no_types' | @{syntax name}) ')')?
- @{syntax thmrefs}?
- "}
-
- \begin{description}
-
- \item @{method (HOL) meson} implements Loveland's model elimination
- procedure \cite{loveland-78}. See @{file
- "~~/src/HOL/ex/Meson_Test.thy"} for examples.
-
- \item @{method (HOL) metis} combines ordered resolution and ordered
- paramodulation to find first-order (or mildly higher-order) proofs.
- The first optional argument specifies a type encoding; see the
- Sledgehammer manual \cite{isabelle-sledgehammer} for details. The
- directory @{file "~~/src/HOL/Metis_Examples"} contains several small
- theories developed to a large extent using @{method (HOL) metis}.
-
- \end{description}
-*}
-
-
-section {* Coherent Logic *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def (HOL) "coherent"} & : & @{text method} \\
- \end{matharray}
-
- @{rail "
- @@{method (HOL) coherent} @{syntax thmrefs}?
- "}
-
- \begin{description}
-
- \item @{method (HOL) coherent} solves problems of \emph{Coherent
- Logic} \cite{Bezem-Coquand:2005}, which covers applications in
- confluence theory, lattice theory and projective geometry. See
- @{file "~~/src/HOL/ex/Coherent.thy"} for some examples.
-
- \end{description}
-*}
-
-
-section {* Proving propositions *}
-
-text {*
- In addition to the standard proof methods, a number of diagnosis
- tools search for proofs and provide an Isar proof snippet on success.
- These tools are available via the following commands.
-
- \begin{matharray}{rcl}
- @{command_def (HOL) "solve_direct"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "try"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "try0"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "sledgehammer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "sledgehammer_params"} & : & @{text "theory \<rightarrow> theory"}
- \end{matharray}
-
- @{rail "
- @@{command (HOL) try}
- ;
-
- @@{command (HOL) try0} ( ( ( 'simp' | 'intro' | 'elim' | 'dest' ) ':' @{syntax thmrefs} ) + ) ?
- @{syntax nat}?
- ;
-
- @@{command (HOL) sledgehammer} ( '[' args ']' )? facts? @{syntax nat}?
- ;
-
- @@{command (HOL) sledgehammer_params} ( ( '[' args ']' ) ? )
- ;
-
- args: ( @{syntax name} '=' value + ',' )
- ;
-
- facts: '(' ( ( ( ( 'add' | 'del' ) ':' ) ? @{syntax thmrefs} ) + ) ? ')'
- ;
- "} % FIXME check args "value"
-
- \begin{description}
-
- \item @{command (HOL) "solve_direct"} checks whether the current
- subgoals can be solved directly by an existing theorem. Duplicate
- lemmas can be detected in this way.
-
- \item @{command (HOL) "try0"} attempts to prove a subgoal
- using a combination of standard proof methods (@{method auto},
- @{method simp}, @{method blast}, etc.). Additional facts supplied
- via @{text "simp:"}, @{text "intro:"}, @{text "elim:"}, and @{text
- "dest:"} are passed to the appropriate proof methods.
-
- \item @{command (HOL) "try"} attempts to prove or disprove a subgoal
- using a combination of provers and disprovers (@{command (HOL)
- "solve_direct"}, @{command (HOL) "quickcheck"}, @{command (HOL)
- "try0"}, @{command (HOL) "sledgehammer"}, @{command (HOL)
- "nitpick"}).
-
- \item @{command (HOL) "sledgehammer"} attempts to prove a subgoal
- using external automatic provers (resolution provers and SMT
- solvers). See the Sledgehammer manual \cite{isabelle-sledgehammer}
- for details.
-
- \item @{command (HOL) "sledgehammer_params"} changes @{command (HOL)
- "sledgehammer"} configuration options persistently.
-
- \end{description}
-*}
-
-
-section {* Checking and refuting propositions *}
-
-text {*
- Identifying incorrect propositions usually involves evaluation of
- particular assignments and systematic counterexample search. This
- is supported by the following commands.
-
- \begin{matharray}{rcl}
- @{command_def (HOL) "value"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def (HOL) "values"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def (HOL) "quickcheck"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "refute"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "nitpick"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
- @{command_def (HOL) "quickcheck_params"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "refute_params"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "nitpick_params"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "quickcheck_generator"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "find_unused_assms"} & : & @{text "context \<rightarrow>"}
- \end{matharray}
-
- @{rail "
- @@{command (HOL) value} ( '[' @{syntax name} ']' )? modes? @{syntax term}
- ;
-
- @@{command (HOL) values} modes? @{syntax nat}? @{syntax term}
- ;
-
- (@@{command (HOL) quickcheck} | @@{command (HOL) refute} | @@{command (HOL) nitpick})
- ( '[' args ']' )? @{syntax nat}?
- ;
-
- (@@{command (HOL) quickcheck_params} | @@{command (HOL) refute_params} |
- @@{command (HOL) nitpick_params}) ( '[' args ']' )?
- ;
-
- @@{command (HOL) quickcheck_generator} @{syntax nameref} \\
- 'operations:' ( @{syntax term} +)
- ;
-
- @@{command (HOL) find_unused_assms} @{syntax name}?
- ;
-
- modes: '(' (@{syntax name} +) ')'
- ;
-
- args: ( @{syntax name} '=' value + ',' )
- ;
- "} % FIXME check "value"
-
- \begin{description}
-
- \item @{command (HOL) "value"}~@{text t} evaluates and prints a
- term; optionally @{text modes} can be specified, which are appended
- to the current print mode; see \secref{sec:print-modes}.
- Internally, the evaluation is performed by registered evaluators,
- which are invoked sequentially until a result is returned.
- Alternatively a specific evaluator can be selected using square
- brackets; typical evaluators use the current set of code equations
- to normalize and include @{text simp} for fully symbolic evaluation
- using the simplifier, @{text nbe} for \emph{normalization by
- evaluation} and \emph{code} for code generation in SML.
-
- \item @{command (HOL) "values"}~@{text t} enumerates a set
- comprehension by evaluation and prints its values up to the given
- number of solutions; optionally @{text modes} can be specified,
- which are appended to the current print mode; see
- \secref{sec:print-modes}.
-
- \item @{command (HOL) "quickcheck"} tests the current goal for
- counterexamples using a series of assignments for its free
- variables; by default the first subgoal is tested, an other can be
- selected explicitly using an optional goal index. Assignments can
- be chosen exhausting the search space upto a given size, or using a
- fixed number of random assignments in the search space, or exploring
- the search space symbolically using narrowing. By default,
- quickcheck uses exhaustive testing. A number of configuration
- options are supported for @{command (HOL) "quickcheck"}, notably:
-
- \begin{description}
-
- \item[@{text tester}] specifies which testing approach to apply.
- There are three testers, @{text exhaustive}, @{text random}, and
- @{text narrowing}. An unknown configuration option is treated as
- an argument to tester, making @{text "tester ="} optional. When
- multiple testers are given, these are applied in parallel. If no
- tester is specified, quickcheck uses the testers that are set
- active, i.e., configurations @{attribute
- quickcheck_exhaustive_active}, @{attribute
- quickcheck_random_active}, @{attribute
- quickcheck_narrowing_active} are set to true.
-
- \item[@{text size}] specifies the maximum size of the search space
- for assignment values.
-
- \item[@{text genuine_only}] sets quickcheck only to return genuine
- counterexample, but not potentially spurious counterexamples due
- to underspecified functions.
-
- \item[@{text abort_potential}] sets quickcheck to abort once it
- found a potentially spurious counterexample and to not continue
- to search for a further genuine counterexample.
- For this option to be effective, the @{text genuine_only} option
- must be set to false.
-
- \item[@{text eval}] takes a term or a list of terms and evaluates
- these terms under the variable assignment found by quickcheck.
- This option is currently only supported by the default
- (exhaustive) tester.
-
- \item[@{text iterations}] sets how many sets of assignments are
- generated for each particular size.
-
- \item[@{text no_assms}] specifies whether assumptions in
- structured proofs should be ignored.
-
- \item[@{text locale}] specifies how to process conjectures in
- a locale context, i.e., they can be interpreted or expanded.
- The option is a whitespace-separated list of the two words
- @{text interpret} and @{text expand}. The list determines the
- order they are employed. The default setting is to first use
- interpretations and then test the expanded conjecture.
- The option is only provided as attribute declaration, but not
- as parameter to the command.
-
- \item[@{text timeout}] sets the time limit in seconds.
-
- \item[@{text default_type}] sets the type(s) generally used to
- instantiate type variables.
-
- \item[@{text report}] if set quickcheck reports how many tests
- fulfilled the preconditions.
-
- \item[@{text use_subtype}] if set quickcheck automatically lifts
- conjectures to registered subtypes if possible, and tests the
- lifted conjecture.
-
- \item[@{text quiet}] if set quickcheck does not output anything
- while testing.
-
- \item[@{text verbose}] if set quickcheck informs about the current
- size and cardinality while testing.
-
- \item[@{text expect}] can be used to check if the user's
- expectation was met (@{text no_expectation}, @{text
- no_counterexample}, or @{text counterexample}).
-
- \end{description}
-
- These option can be given within square brackets.
-
- \item @{command (HOL) "quickcheck_params"} changes @{command (HOL)
- "quickcheck"} configuration options persistently.
-
- \item @{command (HOL) "quickcheck_generator"} creates random and
- exhaustive value generators for a given type and operations. It
- generates values by using the operations as if they were
- constructors of that type.
-
- \item @{command (HOL) "refute"} tests the current goal for
- counterexamples using a reduction to SAT. The following
- configuration options are supported:
-
- \begin{description}
-
- \item[@{text minsize}] specifies the minimum size (cardinality) of
- the models to search for.
-
- \item[@{text maxsize}] specifies the maximum size (cardinality) of
- the models to search for. Nonpositive values mean @{text "\<infinity>"}.
-
- \item[@{text maxvars}] specifies the maximum number of Boolean
- variables to use when transforming the term into a propositional
- formula. Nonpositive values mean @{text "\<infinity>"}.
-
- \item[@{text satsolver}] specifies the SAT solver to use.
-
- \item[@{text no_assms}] specifies whether assumptions in
- structured proofs should be ignored.
-
- \item[@{text maxtime}] sets the time limit in seconds.
-
- \item[@{text expect}] can be used to check if the user's
- expectation was met (@{text genuine}, @{text potential}, @{text
- none}, or @{text unknown}).
-
- \end{description}
-
- These option can be given within square brackets.
-
- \item @{command (HOL) "refute_params"} changes @{command (HOL)
- "refute"} configuration options persistently.
-
- \item @{command (HOL) "nitpick"} tests the current goal for
- counterexamples using a reduction to first-order relational
- logic. See the Nitpick manual \cite{isabelle-nitpick} for details.
-
- \item @{command (HOL) "nitpick_params"} changes @{command (HOL)
- "nitpick"} configuration options persistently.
-
- \item @{command (HOL) "find_unused_assms"} finds potentially superfluous
- assumptions in theorems using quickcheck.
- It takes the theory name to be checked for superfluous assumptions as
- optional argument. If not provided, it checks the current theory.
- Options to the internal quickcheck invocations can be changed with
- common configuration declarations.
-
- \end{description}
-*}
-
-
-section {* Unstructured case analysis and induction \label{sec:hol-induct-tac} *}
-
-text {*
- The following tools of Isabelle/HOL support cases analysis and
- induction in unstructured tactic scripts; see also
- \secref{sec:cases-induct} for proper Isar versions of similar ideas.
-
- \begin{matharray}{rcl}
- @{method_def (HOL) case_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def (HOL) induct_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def (HOL) ind_cases}@{text "\<^sup>*"} & : & @{text method} \\
- @{command_def (HOL) "inductive_cases"}@{text "\<^sup>*"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- \end{matharray}
-
- @{rail "
- @@{method (HOL) case_tac} @{syntax goal_spec}? @{syntax term} rule?
- ;
- @@{method (HOL) induct_tac} @{syntax goal_spec}? (@{syntax insts} * @'and') rule?
- ;
- @@{method (HOL) ind_cases} (@{syntax prop}+) (@'for' (@{syntax name}+))?
- ;
- @@{command (HOL) inductive_cases} (@{syntax thmdecl}? (@{syntax prop}+) + @'and')
- ;
-
- rule: 'rule' ':' @{syntax thmref}
- "}
-
- \begin{description}
-
- \item @{method (HOL) case_tac} and @{method (HOL) induct_tac} admit
- to reason about inductive types. Rules are selected according to
- the declarations by the @{attribute cases} and @{attribute induct}
- attributes, cf.\ \secref{sec:cases-induct}. The @{command (HOL)
- datatype} package already takes care of this.
-
- These unstructured tactics feature both goal addressing and dynamic
- instantiation. Note that named rule cases are \emph{not} provided
- as would be by the proper @{method cases} and @{method induct} proof
- methods (see \secref{sec:cases-induct}). Unlike the @{method
- induct} method, @{method induct_tac} does not handle structured rule
- statements, only the compact object-logic conclusion of the subgoal
- being addressed.
-
- \item @{method (HOL) ind_cases} and @{command (HOL)
- "inductive_cases"} provide an interface to the internal @{ML_text
- mk_cases} operation. Rules are simplified in an unrestricted
- forward manner.
-
- While @{method (HOL) ind_cases} is a proof method to apply the
- result immediately as elimination rules, @{command (HOL)
- "inductive_cases"} provides case split theorems at the theory level
- for later use. The @{keyword "for"} argument of the @{method (HOL)
- ind_cases} method allows to specify a list of variables that should
- be generalized before applying the resulting rule.
-
- \end{description}
-*}
-
-
-section {* Executable code *}
-
-text {* For validation purposes, it is often useful to \emph{execute}
- specifications. In principle, execution could be simulated by
- Isabelle's inference kernel, i.e. by a combination of resolution and
- simplification. Unfortunately, this approach is rather inefficient.
- A more efficient way of executing specifications is to translate
- them into a functional programming language such as ML.
-
- Isabelle provides a generic framework to support code generation
- from executable specifications. Isabelle/HOL instantiates these
- mechanisms in a way that is amenable to end-user applications. Code
- can be generated for functional programs (including overloading
- using type classes) targeting SML \cite{SML}, OCaml \cite{OCaml},
- Haskell \cite{haskell-revised-report} and Scala
- \cite{scala-overview-tech-report}. Conceptually, code generation is
- split up in three steps: \emph{selection} of code theorems,
- \emph{translation} into an abstract executable view and
- \emph{serialization} to a specific \emph{target language}.
- Inductive specifications can be executed using the predicate
- compiler which operates within HOL. See \cite{isabelle-codegen} for
- an introduction.
-
- \begin{matharray}{rcl}
- @{command_def (HOL) "export_code"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def (HOL) code} & : & @{text attribute} \\
- @{command_def (HOL) "code_abort"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_datatype"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "print_codesetup"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def (HOL) code_unfold} & : & @{text attribute} \\
- @{attribute_def (HOL) code_post} & : & @{text attribute} \\
- @{attribute_def (HOL) code_abbrev} & : & @{text attribute} \\
- @{command_def (HOL) "print_codeproc"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def (HOL) "code_thms"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def (HOL) "code_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def (HOL) "code_const"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_type"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_class"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_instance"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_reserved"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_monad"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_include"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_modulename"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_reflect"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (HOL) "code_pred"} & : & @{text "theory \<rightarrow> proof(prove)"}
- \end{matharray}
-
- @{rail "
- @@{command (HOL) export_code} ( constexpr + ) \\
- ( ( @'in' target ( @'module_name' @{syntax string} ) ? \\
- ( @'file' ( @{syntax string} | '-' ) ) ? ( '(' args ')' ) ?) + ) ?
- ;
-
- const: @{syntax term}
- ;
-
- constexpr: ( const | 'name._' | '_' )
- ;
-
- typeconstructor: @{syntax nameref}
- ;
-
- class: @{syntax nameref}
- ;
-
- target: 'SML' | 'OCaml' | 'Haskell' | 'Scala'
- ;
-
- @@{attribute (HOL) code} ( 'del' | 'abstype' | 'abstract' )?
- ;
-
- @@{command (HOL) code_abort} ( const + )
- ;
-
- @@{command (HOL) code_datatype} ( const + )
- ;
-
- @@{attribute (HOL) code_unfold} ( 'del' ) ?
- ;
-
- @@{attribute (HOL) code_post} ( 'del' ) ?
- ;
-
- @@{attribute (HOL) code_abbrev}
- ;
-
- @@{command (HOL) code_thms} ( constexpr + ) ?
- ;
-
- @@{command (HOL) code_deps} ( constexpr + ) ?
- ;
-
- @@{command (HOL) code_const} (const + @'and') \\
- ( ( '(' target ( syntax ? + @'and' ) ')' ) + )
- ;
-
- @@{command (HOL) code_type} (typeconstructor + @'and') \\
- ( ( '(' target ( syntax ? + @'and' ) ')' ) + )
- ;
-
- @@{command (HOL) code_class} (class + @'and') \\
- ( ( '(' target \\ ( @{syntax string} ? + @'and' ) ')' ) + )
- ;
-
- @@{command (HOL) code_instance} (( typeconstructor '::' class ) + @'and') \\
- ( ( '(' target ( '-' ? + @'and' ) ')' ) + )
- ;
-
- @@{command (HOL) code_reserved} target ( @{syntax string} + )
- ;
-
- @@{command (HOL) code_monad} const const target
- ;
-
- @@{command (HOL) code_include} target ( @{syntax string} ( @{syntax string} | '-') )
- ;
-
- @@{command (HOL) code_modulename} target ( ( @{syntax string} @{syntax string} ) + )
- ;
-
- @@{command (HOL) code_reflect} @{syntax string} \\
- ( @'datatypes' ( @{syntax string} '=' ( '_' | ( @{syntax string} + '|' ) + @'and' ) ) ) ? \\
- ( @'functions' ( @{syntax string} + ) ) ? ( @'file' @{syntax string} ) ?
- ;
-
- @@{command (HOL) code_pred} \\( '(' @'modes' ':' modedecl ')')? \\ const
- ;
-
- syntax: @{syntax string} | ( @'infix' | @'infixl' | @'infixr' ) @{syntax nat} @{syntax string}
- ;
-
- modedecl: (modes | ((const ':' modes) \\
- (@'and' ((const ':' modes @'and') +))?))
- ;
-
- modes: mode @'as' const
- "}
-
- \begin{description}
-
- \item @{command (HOL) "export_code"} generates code for a given list
- of constants in the specified target language(s). If no
- serialization instruction is given, only abstract code is generated
- internally.
-
- Constants may be specified by giving them literally, referring to
- all executable contants within a certain theory by giving @{text
- "name.*"}, or referring to \emph{all} executable constants currently
- available by giving @{text "*"}.
-
- By default, for each involved theory one corresponding name space
- module is generated. Alternativly, a module name may be specified
- after the @{keyword "module_name"} keyword; then \emph{all} code is
- placed in this module.
-
- For \emph{SML}, \emph{OCaml} and \emph{Scala} the file specification
- refers to a single file; for \emph{Haskell}, it refers to a whole
- directory, where code is generated in multiple files reflecting the
- module hierarchy. Omitting the file specification denotes standard
- output.
-
- Serializers take an optional list of arguments in parentheses. For
- \emph{SML} and \emph{OCaml}, ``@{text no_signatures}`` omits
- explicit module signatures.
-
- For \emph{Haskell} a module name prefix may be given using the
- ``@{text "root:"}'' argument; ``@{text string_classes}'' adds a
- ``@{verbatim "deriving (Read, Show)"}'' clause to each appropriate
- datatype declaration.
-
- \item @{attribute (HOL) code} explicitly selects (or with option
- ``@{text "del"}'' deselects) a code equation for code generation.
- Usually packages introducing code equations provide a reasonable
- default setup for selection. Variants @{text "code abstype"} and
- @{text "code abstract"} declare abstract datatype certificates or
- code equations on abstract datatype representations respectively.
-
- \item @{command (HOL) "code_abort"} declares constants which are not
- required to have a definition by means of code equations; if needed
- these are implemented by program abort instead.
-
- \item @{command (HOL) "code_datatype"} specifies a constructor set
- for a logical type.
-
- \item @{command (HOL) "print_codesetup"} gives an overview on
- selected code equations and code generator datatypes.
-
- \item @{attribute (HOL) code_unfold} declares (or with option
- ``@{text "del"}'' removes) theorems which during preprocessing
- are applied as rewrite rules to any code equation or evaluation
- input.
-
- \item @{attribute (HOL) code_post} declares (or with option ``@{text
- "del"}'' removes) theorems which are applied as rewrite rules to any
- result of an evaluation.
-
- \item @{attribute (HOL) code_abbrev} declares equations which are
- applied as rewrite rules to any result of an evaluation and
- symmetrically during preprocessing to any code equation or evaluation
- input.
-
- \item @{command (HOL) "print_codeproc"} prints the setup of the code
- generator preprocessor.
-
- \item @{command (HOL) "code_thms"} prints a list of theorems
- representing the corresponding program containing all given
- constants after preprocessing.
-
- \item @{command (HOL) "code_deps"} visualizes dependencies of
- theorems representing the corresponding program containing all given
- constants after preprocessing.
-
- \item @{command (HOL) "code_const"} associates a list of constants
- with target-specific serializations; omitting a serialization
- deletes an existing serialization.
-
- \item @{command (HOL) "code_type"} associates a list of type
- constructors with target-specific serializations; omitting a
- serialization deletes an existing serialization.
-
- \item @{command (HOL) "code_class"} associates a list of classes
- with target-specific class names; omitting a serialization deletes
- an existing serialization. This applies only to \emph{Haskell}.
-
- \item @{command (HOL) "code_instance"} declares a list of type
- constructor / class instance relations as ``already present'' for a
- given target. Omitting a ``@{text "-"}'' deletes an existing
- ``already present'' declaration. This applies only to
- \emph{Haskell}.
-
- \item @{command (HOL) "code_reserved"} declares a list of names as
- reserved for a given target, preventing it to be shadowed by any
- generated code.
-
- \item @{command (HOL) "code_monad"} provides an auxiliary mechanism
- to generate monadic code for Haskell.
-
- \item @{command (HOL) "code_include"} adds arbitrary named content
- (``include'') to generated code. A ``@{text "-"}'' as last argument
- will remove an already added ``include''.
-
- \item @{command (HOL) "code_modulename"} declares aliasings from one
- module name onto another.
-
- \item @{command (HOL) "code_reflect"} without a ``@{text "file"}''
- argument compiles code into the system runtime environment and
- modifies the code generator setup that future invocations of system
- runtime code generation referring to one of the ``@{text
- "datatypes"}'' or ``@{text "functions"}'' entities use these
- precompiled entities. With a ``@{text "file"}'' argument, the
- corresponding code is generated into that specified file without
- modifying the code generator setup.
-
- \item @{command (HOL) "code_pred"} creates code equations for a
- predicate given a set of introduction rules. Optional mode
- annotations determine which arguments are supposed to be input or
- output. If alternative introduction rules are declared, one must
- prove a corresponding elimination rule.
-
- \end{description}
-*}
-
-
-section {* Definition by specification \label{sec:hol-specification} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (HOL) "specification"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- @{command_def (HOL) "ax_specification"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- @{rail "
- (@@{command (HOL) specification} | @@{command (HOL) ax_specification})
- '(' (decl +) ')' \\ (@{syntax thmdecl}? @{syntax prop} +)
- ;
- decl: ((@{syntax name} ':')? @{syntax term} '(' @'overloaded' ')'?)
- "}
-
- \begin{description}
-
- \item @{command (HOL) "specification"}~@{text "decls \<phi>"} sets up a
- goal stating the existence of terms with the properties specified to
- hold for the constants given in @{text decls}. After finishing the
- proof, the theory will be augmented with definitions for the given
- constants, as well as with theorems stating the properties for these
- constants.
-
- \item @{command (HOL) "ax_specification"}~@{text "decls \<phi>"} sets up
- a goal stating the existence of terms with the properties specified
- to hold for the constants given in @{text decls}. After finishing
- the proof, the theory will be augmented with axioms expressing the
- properties given in the first place.
-
- \item @{text decl} declares a constant to be defined by the
- specification given. The definition for the constant @{text c} is
- bound to the name @{text c_def} unless a theorem name is given in
- the declaration. Overloaded constants should be declared as such.
-
- \end{description}
-
- Whether to use @{command (HOL) "specification"} or @{command (HOL)
- "ax_specification"} is to some extent a matter of style. @{command
- (HOL) "specification"} introduces no new axioms, and so by
- construction cannot introduce inconsistencies, whereas @{command
- (HOL) "ax_specification"} does introduce axioms, but only after the
- user has explicitly proven it to be safe. A practical issue must be
- considered, though: After introducing two constants with the same
- properties using @{command (HOL) "specification"}, one can prove
- that the two constants are, in fact, equal. If this might be a
- problem, one should use @{command (HOL) "ax_specification"}.
-*}
-
-end
--- a/doc-src/IsarRef/Inner_Syntax.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1574 +0,0 @@
-theory Inner_Syntax
-imports Base Main
-begin
-
-chapter {* Inner syntax --- the term language \label{ch:inner-syntax} *}
-
-text {* The inner syntax of Isabelle provides concrete notation for
- the main entities of the logical framework, notably @{text
- "\<lambda>"}-terms with types and type classes. Applications may either
- extend existing syntactic categories by additional notation, or
- define new sub-languages that are linked to the standard term
- language via some explicit markers. For example @{verbatim
- FOO}~@{text "foo"} could embed the syntax corresponding for some
- user-defined nonterminal @{text "foo"} --- within the bounds of the
- given lexical syntax of Isabelle/Pure.
-
- The most basic way to specify concrete syntax for logical entities
- works via mixfix annotations (\secref{sec:mixfix}), which may be
- usually given as part of the original declaration or via explicit
- notation commands later on (\secref{sec:notation}). This already
- covers many needs of concrete syntax without having to understand
- the full complexity of inner syntax layers.
-
- Further details of the syntax engine involves the classical
- distinction of lexical language versus context-free grammar (see
- \secref{sec:pure-syntax}), and various mechanisms for \emph{syntax
- transformations} (see \secref{sec:syntax-transformations}).
-*}
-
-
-section {* Printing logical entities *}
-
-subsection {* Diagnostic commands \label{sec:print-diag} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "typ"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "term"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "prop"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "thm"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "prf"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "full_prf"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "pr"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- \end{matharray}
-
- These diagnostic commands assist interactive development by printing
- internal logical entities in a human-readable fashion.
-
- @{rail "
- @@{command typ} @{syntax modes}? @{syntax type} ('::' @{syntax sort})?
- ;
- @@{command term} @{syntax modes}? @{syntax term}
- ;
- @@{command prop} @{syntax modes}? @{syntax prop}
- ;
- @@{command thm} @{syntax modes}? @{syntax thmrefs}
- ;
- ( @@{command prf} | @@{command full_prf} ) @{syntax modes}? @{syntax thmrefs}?
- ;
- @@{command pr} @{syntax modes}? @{syntax nat}?
- ;
-
- @{syntax_def modes}: '(' (@{syntax name} + ) ')'
- "}
-
- \begin{description}
-
- \item @{command "typ"}~@{text \<tau>} reads and prints a type expression
- according to the current context.
-
- \item @{command "typ"}~@{text "\<tau> :: s"} uses type-inference to
- determine the most general way to make @{text "\<tau>"} conform to sort
- @{text "s"}. For concrete @{text "\<tau>"} this checks if the type
- belongs to that sort. Dummy type parameters ``@{text "_"}''
- (underscore) are assigned to fresh type variables with most general
- sorts, according the the principles of type-inference.
-
- \item @{command "term"}~@{text t} and @{command "prop"}~@{text \<phi>}
- read, type-check and print terms or propositions according to the
- current theory or proof context; the inferred type of @{text t} is
- output as well. Note that these commands are also useful in
- inspecting the current environment of term abbreviations.
-
- \item @{command "thm"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} retrieves
- theorems from the current theory or proof context. Note that any
- attributes included in the theorem specifications are applied to a
- temporary context derived from the current theory or proof; the
- result is discarded, i.e.\ attributes involved in @{text "a\<^sub>1,
- \<dots>, a\<^sub>n"} do not have any permanent effect.
-
- \item @{command "prf"} displays the (compact) proof term of the
- current proof state (if present), or of the given theorems. Note
- that this requires proof terms to be switched on for the current
- object logic (see the ``Proof terms'' section of the Isabelle
- reference manual for information on how to do this).
-
- \item @{command "full_prf"} is like @{command "prf"}, but displays
- the full proof term, i.e.\ also displays information omitted in the
- compact proof term, which is denoted by ``@{text _}'' placeholders
- there.
-
- \item @{command "pr"}~@{text "goals"} prints the current proof state
- (if present), including current facts and goals. The optional limit
- arguments affect the number of goals to be displayed, which is
- initially 10. Omitting limit value leaves the current setting
- unchanged.
-
- \end{description}
-
- All of the diagnostic commands above admit a list of @{text modes}
- to be specified, which is appended to the current print mode; see
- also \secref{sec:print-modes}. Thus the output behavior may be
- modified according particular print mode features. For example,
- @{command "pr"}~@{text "(latex xsymbols)"} would print the current
- proof state with mathematical symbols and special characters
- represented in {\LaTeX} source, according to the Isabelle style
- \cite{isabelle-sys}.
-
- Note that antiquotations (cf.\ \secref{sec:antiq}) provide a more
- systematic way to include formal items into the printed text
- document.
-*}
-
-
-subsection {* Details of printed content *}
-
-text {*
- \begin{tabular}{rcll}
- @{attribute_def show_types} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_sorts} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_consts} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_abbrevs} & : & @{text attribute} & default @{text true} \\
- @{attribute_def show_brackets} & : & @{text attribute} & default @{text false} \\
- @{attribute_def names_long} & : & @{text attribute} & default @{text false} \\
- @{attribute_def names_short} & : & @{text attribute} & default @{text false} \\
- @{attribute_def names_unique} & : & @{text attribute} & default @{text true} \\
- @{attribute_def eta_contract} & : & @{text attribute} & default @{text true} \\
- @{attribute_def goals_limit} & : & @{text attribute} & default @{text 10} \\
- @{attribute_def show_main_goal} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_hyps} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_tags} & : & @{text attribute} & default @{text false} \\
- @{attribute_def show_question_marks} & : & @{text attribute} & default @{text true} \\
- \end{tabular}
- \medskip
-
- These configuration options control the detail of information that
- is displayed for types, terms, theorems, goals etc. See also
- \secref{sec:config}.
-
- \begin{description}
-
- \item @{attribute show_types} and @{attribute show_sorts} control
- printing of type constraints for term variables, and sort
- constraints for type variables. By default, neither of these are
- shown in output. If @{attribute show_sorts} is enabled, types are
- always shown as well.
-
- Note that displaying types and sorts may explain why a polymorphic
- inference rule fails to resolve with some goal, or why a rewrite
- rule does not apply as expected.
-
- \item @{attribute show_consts} controls printing of types of
- constants when displaying a goal state.
-
- Note that the output can be enormous, because polymorphic constants
- often occur at several different type instances.
-
- \item @{attribute show_abbrevs} controls folding of constant
- abbreviations.
-
- \item @{attribute show_brackets} controls bracketing in pretty
- printed output. If enabled, all sub-expressions of the pretty
- printing tree will be parenthesized, even if this produces malformed
- term syntax! This crude way of showing the internal structure of
- pretty printed entities may occasionally help to diagnose problems
- with operator priorities, for example.
-
- \item @{attribute names_long}, @{attribute names_short}, and
- @{attribute names_unique} control the way of printing fully
- qualified internal names in external form. See also
- \secref{sec:antiq} for the document antiquotation options of the
- same names.
-
- \item @{attribute eta_contract} controls @{text "\<eta>"}-contracted
- printing of terms.
-
- The @{text \<eta>}-contraction law asserts @{prop "(\<lambda>x. f x) \<equiv> f"},
- provided @{text x} is not free in @{text f}. It asserts
- \emph{extensionality} of functions: @{prop "f \<equiv> g"} if @{prop "f x \<equiv>
- g x"} for all @{text x}. Higher-order unification frequently puts
- terms into a fully @{text \<eta>}-expanded form. For example, if @{text
- F} has type @{text "(\<tau> \<Rightarrow> \<tau>) \<Rightarrow> \<tau>"} then its expanded form is @{term
- "\<lambda>h. F (\<lambda>x. h x)"}.
-
- Enabling @{attribute eta_contract} makes Isabelle perform @{text
- \<eta>}-contractions before printing, so that @{term "\<lambda>h. F (\<lambda>x. h x)"}
- appears simply as @{text F}.
-
- Note that the distinction between a term and its @{text \<eta>}-expanded
- form occasionally matters. While higher-order resolution and
- rewriting operate modulo @{text "\<alpha>\<beta>\<eta>"}-conversion, some other tools
- might look at terms more discretely.
-
- \item @{attribute goals_limit} controls the maximum number of
- subgoals to be shown in goal output.
-
- \item @{attribute show_main_goal} controls whether the main result
- to be proven should be displayed. This information might be
- relevant for schematic goals, to inspect the current claim that has
- been synthesized so far.
-
- \item @{attribute show_hyps} controls printing of implicit
- hypotheses of local facts. Normally, only those hypotheses are
- displayed that are \emph{not} covered by the assumptions of the
- current context: this situation indicates a fault in some tool being
- used.
-
- By enabling @{attribute show_hyps}, output of \emph{all} hypotheses
- can be enforced, which is occasionally useful for diagnostic
- purposes.
-
- \item @{attribute show_tags} controls printing of extra annotations
- within theorems, such as internal position information, or the case
- names being attached by the attribute @{attribute case_names}.
-
- Note that the @{attribute tagged} and @{attribute untagged}
- attributes provide low-level access to the collection of tags
- associated with a theorem.
-
- \item @{attribute show_question_marks} controls printing of question
- marks for schematic variables, such as @{text ?x}. Only the leading
- question mark is affected, the remaining text is unchanged
- (including proper markup for schematic variables that might be
- relevant for user interfaces).
-
- \end{description}
-*}
-
-
-subsection {* Alternative print modes \label{sec:print-modes} *}
-
-text {*
- \begin{mldecls}
- @{index_ML print_mode_value: "unit -> string list"} \\
- @{index_ML Print_Mode.with_modes: "string list -> ('a -> 'b) -> 'a -> 'b"} \\
- \end{mldecls}
-
- The \emph{print mode} facility allows to modify various operations
- for printing. Commands like @{command typ}, @{command term},
- @{command thm} (see \secref{sec:print-diag}) take additional print
- modes as optional argument. The underlying ML operations are as
- follows.
-
- \begin{description}
-
- \item @{ML "print_mode_value ()"} yields the list of currently
- active print mode names. This should be understood as symbolic
- representation of certain individual features for printing (with
- precedence from left to right).
-
- \item @{ML Print_Mode.with_modes}~@{text "modes f x"} evaluates
- @{text "f x"} in an execution context where the print mode is
- prepended by the given @{text "modes"}. This provides a thread-safe
- way to augment print modes. It is also monotonic in the set of mode
- names: it retains the default print mode that certain
- user-interfaces might have installed for their proper functioning!
-
- \end{description}
-
- \begin{warn}
- The old global reference @{ML print_mode} should never be used
- directly in applications. Its main reason for being publicly
- accessible is to support historic versions of Proof~General.
- \end{warn}
-
- \medskip The pretty printer for inner syntax maintains alternative
- mixfix productions for any print mode name invented by the user, say
- in commands like @{command notation} or @{command abbreviation}.
- Mode names can be arbitrary, but the following ones have a specific
- meaning by convention:
-
- \begin{itemize}
-
- \item @{verbatim "\"\""} (the empty string): default mode;
- implicitly active as last element in the list of modes.
-
- \item @{verbatim input}: dummy print mode that is never active; may
- be used to specify notation that is only available for input.
-
- \item @{verbatim internal} dummy print mode that is never active;
- used internally in Isabelle/Pure.
-
- \item @{verbatim xsymbols}: enable proper mathematical symbols
- instead of ASCII art.\footnote{This traditional mode name stems from
- the ``X-Symbol'' package for old versions Proof~General with XEmacs,
- although that package has been superseded by Unicode in recent
- years.}
-
- \item @{verbatim HTML}: additional mode that is active in HTML
- presentation of Isabelle theory sources; allows to provide
- alternative output notation.
-
- \item @{verbatim latex}: additional mode that is active in {\LaTeX}
- document preparation of Isabelle theory sources; allows to provide
- alternative output notation.
-
- \end{itemize}
-*}
-
-
-subsection {* Printing limits *}
-
-text {*
- \begin{mldecls}
- @{index_ML Pretty.margin_default: "int Unsynchronized.ref"} \\
- @{index_ML print_depth: "int -> unit"} \\
- \end{mldecls}
-
- These ML functions set limits for pretty printed text.
-
- \begin{description}
-
- \item @{ML Pretty.margin_default} indicates the global default for
- the right margin of the built-in pretty printer, with initial value
- 76. Note that user-interfaces typically control margins
- automatically when resizing windows, or even bypass the formatting
- engine of Isabelle/ML altogether and do it within the front end via
- Isabelle/Scala.
-
- \item @{ML print_depth}~@{text n} limits the printing depth of the
- ML toplevel pretty printer; the precise effect depends on the ML
- compiler and run-time system. Typically @{text n} should be less
- than 10. Bigger values such as 100--1000 are useful for debugging.
-
- \end{description}
-*}
-
-
-section {* Mixfix annotations \label{sec:mixfix} *}
-
-text {* Mixfix annotations specify concrete \emph{inner syntax} of
- Isabelle types and terms. Locally fixed parameters in toplevel
- theorem statements, locale and class specifications also admit
- mixfix annotations in a fairly uniform manner. A mixfix annotation
- describes describes the concrete syntax, the translation to abstract
- syntax, and the pretty printing. Special case annotations provide a
- simple means of specifying infix operators and binders.
-
- Isabelle mixfix syntax is inspired by {\OBJ} \cite{OBJ}. It allows
- to specify any context-free priority grammar, which is more general
- than the fixity declarations of ML and Prolog.
-
- @{rail "
- @{syntax_def mixfix}: '(' mfix ')'
- ;
- @{syntax_def struct_mixfix}: '(' ( mfix | @'structure' ) ')'
- ;
-
- mfix: @{syntax template} prios? @{syntax nat}? |
- (@'infix' | @'infixl' | @'infixr') @{syntax template} @{syntax nat} |
- @'binder' @{syntax template} prios? @{syntax nat}
- ;
- template: string
- ;
- prios: '[' (@{syntax nat} + ',') ']'
- "}
-
- The string given as @{text template} may include literal text,
- spacing, blocks, and arguments (denoted by ``@{text _}''); the
- special symbol ``@{verbatim "\<index>"}'' (printed as ``@{text "\<index>"}'')
- represents an index argument that specifies an implicit structure
- reference (see also \secref{sec:locale}). Infix and binder
- declarations provide common abbreviations for particular mixfix
- declarations. So in practice, mixfix templates mostly degenerate to
- literal text for concrete syntax, such as ``@{verbatim "++"}'' for
- an infix symbol.
-*}
-
-
-subsection {* The general mixfix form *}
-
-text {* In full generality, mixfix declarations work as follows.
- Suppose a constant @{text "c :: \<tau>\<^sub>1 \<Rightarrow> \<dots> \<tau>\<^sub>n \<Rightarrow> \<tau>"} is annotated by
- @{text "(mixfix [p\<^sub>1, \<dots>, p\<^sub>n] p)"}, where @{text "mixfix"} is a string
- @{text "d\<^sub>0 _ d\<^sub>1 _ \<dots> _ d\<^sub>n"} consisting of delimiters that surround
- argument positions as indicated by underscores.
-
- Altogether this determines a production for a context-free priority
- grammar, where for each argument @{text "i"} the syntactic category
- is determined by @{text "\<tau>\<^sub>i"} (with priority @{text "p\<^sub>i"}), and the
- result category is determined from @{text "\<tau>"} (with priority @{text
- "p"}). Priority specifications are optional, with default 0 for
- arguments and 1000 for the result.\footnote{Omitting priorities is
- prone to syntactic ambiguities unless the delimiter tokens determine
- fully bracketed notation, as in @{text "if _ then _ else _ fi"}.}
-
- Since @{text "\<tau>"} may be again a function type, the constant
- type scheme may have more argument positions than the mixfix
- pattern. Printing a nested application @{text "c t\<^sub>1 \<dots> t\<^sub>m"} for
- @{text "m > n"} works by attaching concrete notation only to the
- innermost part, essentially by printing @{text "(c t\<^sub>1 \<dots> t\<^sub>n) \<dots> t\<^sub>m"}
- instead. If a term has fewer arguments than specified in the mixfix
- template, the concrete syntax is ignored.
-
- \medskip A mixfix template may also contain additional directives
- for pretty printing, notably spaces, blocks, and breaks. The
- general template format is a sequence over any of the following
- entities.
-
- \begin{description}
-
- \item @{text "d"} is a delimiter, namely a non-empty sequence of
- characters other than the following special characters:
-
- \smallskip
- \begin{tabular}{ll}
- @{verbatim "'"} & single quote \\
- @{verbatim "_"} & underscore \\
- @{text "\<index>"} & index symbol \\
- @{verbatim "("} & open parenthesis \\
- @{verbatim ")"} & close parenthesis \\
- @{verbatim "/"} & slash \\
- \end{tabular}
- \medskip
-
- \item @{verbatim "'"} escapes the special meaning of these
- meta-characters, producing a literal version of the following
- character, unless that is a blank.
-
- A single quote followed by a blank separates delimiters, without
- affecting printing, but input tokens may have additional white space
- here.
-
- \item @{verbatim "_"} is an argument position, which stands for a
- certain syntactic category in the underlying grammar.
-
- \item @{text "\<index>"} is an indexed argument position; this is the place
- where implicit structure arguments can be attached.
-
- \item @{text "s"} is a non-empty sequence of spaces for printing.
- This and the following specifications do not affect parsing at all.
-
- \item @{verbatim "("}@{text n} opens a pretty printing block. The
- optional number specifies how much indentation to add when a line
- break occurs within the block. If the parenthesis is not followed
- by digits, the indentation defaults to 0. A block specified via
- @{verbatim "(00"} is unbreakable.
-
- \item @{verbatim ")"} closes a pretty printing block.
-
- \item @{verbatim "//"} forces a line break.
-
- \item @{verbatim "/"}@{text s} allows a line break. Here @{text s}
- stands for the string of spaces (zero or more) right after the
- slash. These spaces are printed if the break is \emph{not} taken.
-
- \end{description}
-
- The general idea of pretty printing with blocks and breaks is also
- described in \cite{paulson-ml2}; it goes back to \cite{Oppen:1980}.
-*}
-
-
-subsection {* Infixes *}
-
-text {* Infix operators are specified by convenient short forms that
- abbreviate general mixfix annotations as follows:
-
- \begin{center}
- \begin{tabular}{lll}
-
- @{verbatim "("}@{keyword_def "infix"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
- & @{text "\<mapsto>"} &
- @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p + 1"}@{verbatim ", "}@{text "p + 1"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
- @{verbatim "("}@{keyword_def "infixl"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
- & @{text "\<mapsto>"} &
- @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p"}@{verbatim ", "}@{text "p + 1"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
- @{verbatim "("}@{keyword_def "infixr"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
- & @{text "\<mapsto>"} &
- @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p + 1"}@{verbatim ", "}@{text "p"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
-
- \end{tabular}
- \end{center}
-
- The mixfix template @{verbatim "\"(_ "}@{text sy}@{verbatim "/ _)\""}
- specifies two argument positions; the delimiter is preceded by a
- space and followed by a space or line break; the entire phrase is a
- pretty printing block.
-
- The alternative notation @{verbatim "op"}~@{text sy} is introduced
- in addition. Thus any infix operator may be written in prefix form
- (as in ML), independently of the number of arguments in the term.
-*}
-
-
-subsection {* Binders *}
-
-text {* A \emph{binder} is a variable-binding construct such as a
- quantifier. The idea to formalize @{text "\<forall>x. b"} as @{text "All
- (\<lambda>x. b)"} for @{text "All :: ('a \<Rightarrow> bool) \<Rightarrow> bool"} already goes back
- to \cite{church40}. Isabelle declarations of certain higher-order
- operators may be annotated with @{keyword_def "binder"} annotations
- as follows:
-
- \begin{center}
- @{text "c :: "}@{verbatim "\""}@{text "(\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2) \<Rightarrow> \<tau>\<^sub>3"}@{verbatim "\" ("}@{keyword "binder"}@{verbatim " \""}@{text "sy"}@{verbatim "\" ["}@{text "p"}@{verbatim "] "}@{text "q"}@{verbatim ")"}
- \end{center}
-
- This introduces concrete binder syntax @{text "sy x. b"}, where
- @{text x} is a bound variable of type @{text "\<tau>\<^sub>1"}, the body @{text
- b} has type @{text "\<tau>\<^sub>2"} and the whole term has type @{text "\<tau>\<^sub>3"}.
- The optional integer @{text p} specifies the syntactic priority of
- the body; the default is @{text "q"}, which is also the priority of
- the whole construct.
-
- Internally, the binder syntax is expanded to something like this:
- \begin{center}
- @{text "c_binder :: "}@{verbatim "\""}@{text "idts \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3"}@{verbatim "\" (\"(3"}@{text sy}@{verbatim "_./ _)\" [0, "}@{text "p"}@{verbatim "] "}@{text "q"}@{verbatim ")"}
- \end{center}
-
- Here @{syntax (inner) idts} is the nonterminal symbol for a list of
- identifiers with optional type constraints (see also
- \secref{sec:pure-grammar}). The mixfix template @{verbatim
- "\"(3"}@{text sy}@{verbatim "_./ _)\""} defines argument positions
- for the bound identifiers and the body, separated by a dot with
- optional line break; the entire phrase is a pretty printing block of
- indentation level 3. Note that there is no extra space after @{text
- "sy"}, so it needs to be included user specification if the binder
- syntax ends with a token that may be continued by an identifier
- token at the start of @{syntax (inner) idts}.
-
- Furthermore, a syntax translation to transforms @{text "c_binder x\<^sub>1
- \<dots> x\<^sub>n b"} into iterated application @{text "c (\<lambda>x\<^sub>1. \<dots> c (\<lambda>x\<^sub>n. b)\<dots>)"}.
- This works in both directions, for parsing and printing. *}
-
-
-section {* Explicit notation \label{sec:notation} *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "type_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "no_type_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "no_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "write"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- \end{matharray}
-
- Commands that introduce new logical entities (terms or types)
- usually allow to provide mixfix annotations on the spot, which is
- convenient for default notation. Nonetheless, the syntax may be
- modified later on by declarations for explicit notation. This
- allows to add or delete mixfix annotations for of existing logical
- entities within the current context.
-
- @{rail "
- (@@{command type_notation} | @@{command no_type_notation}) @{syntax target}?
- @{syntax mode}? \\ (@{syntax nameref} @{syntax mixfix} + @'and')
- ;
- (@@{command notation} | @@{command no_notation}) @{syntax target}? @{syntax mode}? \\
- (@{syntax nameref} @{syntax struct_mixfix} + @'and')
- ;
- @@{command write} @{syntax mode}? (@{syntax nameref} @{syntax struct_mixfix} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "type_notation"}~@{text "c (mx)"} associates mixfix
- syntax with an existing type constructor. The arity of the
- constructor is retrieved from the context.
-
- \item @{command "no_type_notation"} is similar to @{command
- "type_notation"}, but removes the specified syntax annotation from
- the present context.
-
- \item @{command "notation"}~@{text "c (mx)"} associates mixfix
- syntax with an existing constant or fixed variable. The type
- declaration of the given entity is retrieved from the context.
-
- \item @{command "no_notation"} is similar to @{command "notation"},
- but removes the specified syntax annotation from the present
- context.
-
- \item @{command "write"} is similar to @{command "notation"}, but
- works within an Isar proof body.
-
- \end{description}
-*}
-
-
-section {* The Pure syntax \label{sec:pure-syntax} *}
-
-subsection {* Lexical matters \label{sec:inner-lex} *}
-
-text {* The inner lexical syntax vaguely resembles the outer one
- (\secref{sec:outer-lex}), but some details are different. There are
- two main categories of inner syntax tokens:
-
- \begin{enumerate}
-
- \item \emph{delimiters} --- the literal tokens occurring in
- productions of the given priority grammar (cf.\
- \secref{sec:priority-grammar});
-
- \item \emph{named tokens} --- various categories of identifiers etc.
-
- \end{enumerate}
-
- Delimiters override named tokens and may thus render certain
- identifiers inaccessible. Sometimes the logical context admits
- alternative ways to refer to the same entity, potentially via
- qualified names.
-
- \medskip The categories for named tokens are defined once and for
- all as follows, reusing some categories of the outer token syntax
- (\secref{sec:outer-lex}).
-
- \begin{center}
- \begin{supertabular}{rcl}
- @{syntax_def (inner) id} & = & @{syntax_ref ident} \\
- @{syntax_def (inner) longid} & = & @{syntax_ref longident} \\
- @{syntax_def (inner) var} & = & @{syntax_ref var} \\
- @{syntax_def (inner) tid} & = & @{syntax_ref typefree} \\
- @{syntax_def (inner) tvar} & = & @{syntax_ref typevar} \\
- @{syntax_def (inner) num_token} & = & @{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat} \\
- @{syntax_def (inner) float_token} & = & @{syntax_ref nat}@{verbatim "."}@{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat}@{verbatim "."}@{syntax_ref nat} \\
- @{syntax_def (inner) xnum_token} & = & @{verbatim "#"}@{syntax_ref nat}@{text " | "}@{verbatim "#-"}@{syntax_ref nat} \\
-
- @{syntax_def (inner) str_token} & = & @{verbatim "''"} @{text "\<dots>"} @{verbatim "''"} \\
- \end{supertabular}
- \end{center}
-
- The token categories @{syntax (inner) num_token}, @{syntax (inner)
- float_token}, @{syntax (inner) xnum_token}, and @{syntax (inner)
- str_token} are not used in Pure. Object-logics may implement numerals
- and string constants by adding appropriate syntax declarations,
- together with some translation functions (e.g.\ see Isabelle/HOL).
-
- The derived categories @{syntax_def (inner) num_const}, @{syntax_def
- (inner) float_const}, and @{syntax_def (inner) num_const} provide
- robust access to the respective tokens: the syntax tree holds a
- syntactic constant instead of a free variable.
-*}
-
-
-subsection {* Priority grammars \label{sec:priority-grammar} *}
-
-text {* A context-free grammar consists of a set of \emph{terminal
- symbols}, a set of \emph{nonterminal symbols} and a set of
- \emph{productions}. Productions have the form @{text "A = \<gamma>"},
- where @{text A} is a nonterminal and @{text \<gamma>} is a string of
- terminals and nonterminals. One designated nonterminal is called
- the \emph{root symbol}. The language defined by the grammar
- consists of all strings of terminals that can be derived from the
- root symbol by applying productions as rewrite rules.
-
- The standard Isabelle parser for inner syntax uses a \emph{priority
- grammar}. Each nonterminal is decorated by an integer priority:
- @{text "A\<^sup>(\<^sup>p\<^sup>)"}. In a derivation, @{text "A\<^sup>(\<^sup>p\<^sup>)"} may be rewritten
- using a production @{text "A\<^sup>(\<^sup>q\<^sup>) = \<gamma>"} only if @{text "p \<le> q"}. Any
- priority grammar can be translated into a normal context-free
- grammar by introducing new nonterminals and productions.
-
- \medskip Formally, a set of context free productions @{text G}
- induces a derivation relation @{text "\<longrightarrow>\<^sub>G"} as follows. Let @{text
- \<alpha>} and @{text \<beta>} denote strings of terminal or nonterminal symbols.
- Then @{text "\<alpha> A\<^sup>(\<^sup>p\<^sup>) \<beta> \<longrightarrow>\<^sub>G \<alpha> \<gamma> \<beta>"} holds if and only if @{text G}
- contains some production @{text "A\<^sup>(\<^sup>q\<^sup>) = \<gamma>"} for @{text "p \<le> q"}.
-
- \medskip The following grammar for arithmetic expressions
- demonstrates how binding power and associativity of operators can be
- enforced by priorities.
-
- \begin{center}
- \begin{tabular}{rclr}
- @{text "A\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "="} & @{verbatim "("} @{text "A\<^sup>(\<^sup>0\<^sup>)"} @{verbatim ")"} \\
- @{text "A\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "="} & @{verbatim 0} \\
- @{text "A\<^sup>(\<^sup>0\<^sup>)"} & @{text "="} & @{text "A\<^sup>(\<^sup>0\<^sup>)"} @{verbatim "+"} @{text "A\<^sup>(\<^sup>1\<^sup>)"} \\
- @{text "A\<^sup>(\<^sup>2\<^sup>)"} & @{text "="} & @{text "A\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "*"} @{text "A\<^sup>(\<^sup>2\<^sup>)"} \\
- @{text "A\<^sup>(\<^sup>3\<^sup>)"} & @{text "="} & @{verbatim "-"} @{text "A\<^sup>(\<^sup>3\<^sup>)"} \\
- \end{tabular}
- \end{center}
- The choice of priorities determines that @{verbatim "-"} binds
- tighter than @{verbatim "*"}, which binds tighter than @{verbatim
- "+"}. Furthermore @{verbatim "+"} associates to the left and
- @{verbatim "*"} to the right.
-
- \medskip For clarity, grammars obey these conventions:
- \begin{itemize}
-
- \item All priorities must lie between 0 and 1000.
-
- \item Priority 0 on the right-hand side and priority 1000 on the
- left-hand side may be omitted.
-
- \item The production @{text "A\<^sup>(\<^sup>p\<^sup>) = \<alpha>"} is written as @{text "A = \<alpha>
- (p)"}, i.e.\ the priority of the left-hand side actually appears in
- a column on the far right.
-
- \item Alternatives are separated by @{text "|"}.
-
- \item Repetition is indicated by dots @{text "(\<dots>)"} in an informal
- but obvious way.
-
- \end{itemize}
-
- Using these conventions, the example grammar specification above
- takes the form:
- \begin{center}
- \begin{tabular}{rclc}
- @{text A} & @{text "="} & @{verbatim "("} @{text A} @{verbatim ")"} \\
- & @{text "|"} & @{verbatim 0} & \qquad\qquad \\
- & @{text "|"} & @{text A} @{verbatim "+"} @{text "A\<^sup>(\<^sup>1\<^sup>)"} & @{text "(0)"} \\
- & @{text "|"} & @{text "A\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "*"} @{text "A\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
- & @{text "|"} & @{verbatim "-"} @{text "A\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
- \end{tabular}
- \end{center}
-*}
-
-
-subsection {* The Pure grammar \label{sec:pure-grammar} *}
-
-text {* The priority grammar of the @{text "Pure"} theory is defined
- approximately like this:
-
- \begin{center}
- \begin{supertabular}{rclr}
-
- @{syntax_def (inner) any} & = & @{text "prop | logic"} \\\\
-
- @{syntax_def (inner) prop} & = & @{verbatim "("} @{text prop} @{verbatim ")"} \\
- & @{text "|"} & @{text "prop\<^sup>(\<^sup>4\<^sup>)"} @{verbatim "::"} @{text type} & @{text "(3)"} \\
- & @{text "|"} & @{text "any\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "=="} @{text "any\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
- & @{text "|"} & @{text "any\<^sup>(\<^sup>3\<^sup>)"} @{text "\<equiv>"} @{text "any\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
- & @{text "|"} & @{text "prop\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "&&&"} @{text "prop\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
- & @{text "|"} & @{text "prop\<^sup>(\<^sup>2\<^sup>)"} @{verbatim "==>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
- & @{text "|"} & @{text "prop\<^sup>(\<^sup>2\<^sup>)"} @{text "\<Longrightarrow>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
- & @{text "|"} & @{verbatim "[|"} @{text prop} @{verbatim ";"} @{text "\<dots>"} @{verbatim ";"} @{text prop} @{verbatim "|]"} @{verbatim "==>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
- & @{text "|"} & @{text "\<lbrakk>"} @{text prop} @{verbatim ";"} @{text "\<dots>"} @{verbatim ";"} @{text prop} @{text "\<rbrakk>"} @{text "\<Longrightarrow>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
- & @{text "|"} & @{verbatim "!!"} @{text idts} @{verbatim "."} @{text prop} & @{text "(0)"} \\
- & @{text "|"} & @{text "\<And>"} @{text idts} @{verbatim "."} @{text prop} & @{text "(0)"} \\
- & @{text "|"} & @{verbatim OFCLASS} @{verbatim "("} @{text type} @{verbatim ","} @{text logic} @{verbatim ")"} \\
- & @{text "|"} & @{verbatim SORT_CONSTRAINT} @{verbatim "("} @{text type} @{verbatim ")"} \\
- & @{text "|"} & @{verbatim TERM} @{text logic} \\
- & @{text "|"} & @{verbatim PROP} @{text aprop} \\\\
-
- @{syntax_def (inner) aprop} & = & @{verbatim "("} @{text aprop} @{verbatim ")"} \\
- & @{text "|"} & @{text "id | longid | var | "}@{verbatim "_"}@{text " | "}@{verbatim "..."} \\
- & @{text "|"} & @{verbatim CONST} @{text "id | "}@{verbatim CONST} @{text "longid"} \\
- & @{text "|"} & @{verbatim XCONST} @{text "id | "}@{verbatim XCONST} @{text "longid"} \\
- & @{text "|"} & @{text "logic\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) \<dots> any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "(999)"} \\\\
-
- @{syntax_def (inner) logic} & = & @{verbatim "("} @{text logic} @{verbatim ")"} \\
- & @{text "|"} & @{text "logic\<^sup>(\<^sup>4\<^sup>)"} @{verbatim "::"} @{text type} & @{text "(3)"} \\
- & @{text "|"} & @{text "id | longid | var | "}@{verbatim "_"}@{text " | "}@{verbatim "..."} \\
- & @{text "|"} & @{verbatim CONST} @{text "id | "}@{verbatim CONST} @{text "longid"} \\
- & @{text "|"} & @{verbatim XCONST} @{text "id | "}@{verbatim XCONST} @{text "longid"} \\
- & @{text "|"} & @{text "logic\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) \<dots> any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "(999)"} \\
- & @{text "|"} & @{text "\<struct> index\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} \\
- & @{text "|"} & @{verbatim "%"} @{text pttrns} @{verbatim "."} @{text "any\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
- & @{text "|"} & @{text \<lambda>} @{text pttrns} @{verbatim "."} @{text "any\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
- & @{text "|"} & @{verbatim op} @{verbatim "=="}@{text " | "}@{verbatim op} @{text "\<equiv>"}@{text " | "}@{verbatim op} @{verbatim "&&&"} \\
- & @{text "|"} & @{verbatim op} @{verbatim "==>"}@{text " | "}@{verbatim op} @{text "\<Longrightarrow>"} \\
- & @{text "|"} & @{verbatim TYPE} @{verbatim "("} @{text type} @{verbatim ")"} \\\\
-
- @{syntax_def (inner) idt} & = & @{verbatim "("} @{text idt} @{verbatim ")"}@{text " | id | "}@{verbatim "_"} \\
- & @{text "|"} & @{text id} @{verbatim "::"} @{text type} & @{text "(0)"} \\
- & @{text "|"} & @{verbatim "_"} @{verbatim "::"} @{text type} & @{text "(0)"} \\\\
-
- @{syntax_def (inner) index} & = & @{verbatim "\<^bsub>"} @{text "logic\<^sup>(\<^sup>0\<^sup>)"} @{verbatim "\<^esub>"}@{text " | | \<index>"} \\\\
-
- @{syntax_def (inner) idts} & = & @{text "idt | idt\<^sup>(\<^sup>1\<^sup>) idts"} & @{text "(0)"} \\\\
-
- @{syntax_def (inner) pttrn} & = & @{text idt} \\\\
-
- @{syntax_def (inner) pttrns} & = & @{text "pttrn | pttrn\<^sup>(\<^sup>1\<^sup>) pttrns"} & @{text "(0)"} \\\\
-
- @{syntax_def (inner) type} & = & @{verbatim "("} @{text type} @{verbatim ")"} \\
- & @{text "|"} & @{text "tid | tvar | "}@{verbatim "_"} \\
- & @{text "|"} & @{text "tid"} @{verbatim "::"} @{text "sort | tvar "}@{verbatim "::"} @{text "sort | "}@{verbatim "_"} @{verbatim "::"} @{text "sort"} \\
- & @{text "|"} & @{text "type_name | type\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) type_name"} \\
- & @{text "|"} & @{verbatim "("} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim ")"} @{text type_name} \\
- & @{text "|"} & @{text "type\<^sup>(\<^sup>1\<^sup>)"} @{verbatim "=>"} @{text type} & @{text "(0)"} \\
- & @{text "|"} & @{text "type\<^sup>(\<^sup>1\<^sup>)"} @{text "\<Rightarrow>"} @{text type} & @{text "(0)"} \\
- & @{text "|"} & @{verbatim "["} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim "]"} @{verbatim "=>"} @{text type} & @{text "(0)"} \\
- & @{text "|"} & @{verbatim "["} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim "]"} @{text "\<Rightarrow>"} @{text type} & @{text "(0)"} \\
- @{syntax_def (inner) type_name} & = & @{text "id | longid"} \\\\
-
- @{syntax_def (inner) sort} & = & @{syntax class_name}~@{text " | "}@{verbatim "{}"} \\
- & @{text "|"} & @{verbatim "{"} @{syntax class_name} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{syntax class_name} @{verbatim "}"} \\
- @{syntax_def (inner) class_name} & = & @{text "id | longid"} \\
- \end{supertabular}
- \end{center}
-
- \medskip Here literal terminals are printed @{verbatim "verbatim"};
- see also \secref{sec:inner-lex} for further token categories of the
- inner syntax. The meaning of the nonterminals defined by the above
- grammar is as follows:
-
- \begin{description}
-
- \item @{syntax_ref (inner) any} denotes any term.
-
- \item @{syntax_ref (inner) prop} denotes meta-level propositions,
- which are terms of type @{typ prop}. The syntax of such formulae of
- the meta-logic is carefully distinguished from usual conventions for
- object-logics. In particular, plain @{text "\<lambda>"}-term notation is
- \emph{not} recognized as @{syntax (inner) prop}.
-
- \item @{syntax_ref (inner) aprop} denotes atomic propositions, which
- are embedded into regular @{syntax (inner) prop} by means of an
- explicit @{verbatim PROP} token.
-
- Terms of type @{typ prop} with non-constant head, e.g.\ a plain
- variable, are printed in this form. Constants that yield type @{typ
- prop} are expected to provide their own concrete syntax; otherwise
- the printed version will appear like @{syntax (inner) logic} and
- cannot be parsed again as @{syntax (inner) prop}.
-
- \item @{syntax_ref (inner) logic} denotes arbitrary terms of a
- logical type, excluding type @{typ prop}. This is the main
- syntactic category of object-logic entities, covering plain @{text
- \<lambda>}-term notation (variables, abstraction, application), plus
- anything defined by the user.
-
- When specifying notation for logical entities, all logical types
- (excluding @{typ prop}) are \emph{collapsed} to this single category
- of @{syntax (inner) logic}.
-
- \item @{syntax_ref (inner) index} denotes an optional index term for
- indexed syntax. If omitted, it refers to the first @{keyword
- "structure"} variable in the context. The special dummy ``@{text
- "\<index>"}'' serves as pattern variable in mixfix annotations that
- introduce indexed notation.
-
- \item @{syntax_ref (inner) idt} denotes identifiers, possibly
- constrained by types.
-
- \item @{syntax_ref (inner) idts} denotes a sequence of @{syntax_ref
- (inner) idt}. This is the most basic category for variables in
- iterated binders, such as @{text "\<lambda>"} or @{text "\<And>"}.
-
- \item @{syntax_ref (inner) pttrn} and @{syntax_ref (inner) pttrns}
- denote patterns for abstraction, cases bindings etc. In Pure, these
- categories start as a merely copy of @{syntax (inner) idt} and
- @{syntax (inner) idts}, respectively. Object-logics may add
- additional productions for binding forms.
-
- \item @{syntax_ref (inner) type} denotes types of the meta-logic.
-
- \item @{syntax_ref (inner) sort} denotes meta-level sorts.
-
- \end{description}
-
- Here are some further explanations of certain syntax features.
-
- \begin{itemize}
-
- \item In @{syntax (inner) idts}, note that @{text "x :: nat y"} is
- parsed as @{text "x :: (nat y)"}, treating @{text y} like a type
- constructor applied to @{text nat}. To avoid this interpretation,
- write @{text "(x :: nat) y"} with explicit parentheses.
-
- \item Similarly, @{text "x :: nat y :: nat"} is parsed as @{text "x ::
- (nat y :: nat)"}. The correct form is @{text "(x :: nat) (y ::
- nat)"}, or @{text "(x :: nat) y :: nat"} if @{text y} is last in the
- sequence of identifiers.
-
- \item Type constraints for terms bind very weakly. For example,
- @{text "x < y :: nat"} is normally parsed as @{text "(x < y) ::
- nat"}, unless @{text "<"} has a very low priority, in which case the
- input is likely to be ambiguous. The correct form is @{text "x < (y
- :: nat)"}.
-
- \item Constraints may be either written with two literal colons
- ``@{verbatim "::"}'' or the double-colon symbol @{verbatim "\<Colon>"},
- which actually looks exactly the same in some {\LaTeX} styles.
-
- \item Dummy variables (written as underscore) may occur in different
- roles.
-
- \begin{description}
-
- \item A type ``@{text "_"}'' or ``@{text "_ :: sort"}'' acts like an
- anonymous inference parameter, which is filled-in according to the
- most general type produced by the type-checking phase.
-
- \item A bound ``@{text "_"}'' refers to a vacuous abstraction, where
- the body does not refer to the binding introduced here. As in the
- term @{term "\<lambda>x _. x"}, which is @{text "\<alpha>"}-equivalent to @{text
- "\<lambda>x y. x"}.
-
- \item A free ``@{text "_"}'' refers to an implicit outer binding.
- Higher definitional packages usually allow forms like @{text "f x _
- = x"}.
-
- \item A schematic ``@{text "_"}'' (within a term pattern, see
- \secref{sec:term-decls}) refers to an anonymous variable that is
- implicitly abstracted over its context of locally bound variables.
- For example, this allows pattern matching of @{text "{x. f x = g
- x}"} against @{text "{x. _ = _}"}, or even @{text "{_. _ = _}"} by
- using both bound and schematic dummies.
-
- \end{description}
-
- \item The three literal dots ``@{verbatim "..."}'' may be also
- written as ellipsis symbol @{verbatim "\<dots>"}. In both cases this
- refers to a special schematic variable, which is bound in the
- context. This special term abbreviation works nicely with
- calculational reasoning (\secref{sec:calculation}).
-
- \item @{verbatim CONST} ensures that the given identifier is treated
- as constant term, and passed through the parse tree in fully
- internalized form. This is particularly relevant for translation
- rules (\secref{sec:syn-trans}), notably on the RHS.
-
- \item @{verbatim XCONST} is similar to @{verbatim CONST}, but
- retains the constant name as given. This is only relevant to
- translation rules (\secref{sec:syn-trans}), notably on the LHS.
-
- \end{itemize}
-*}
-
-
-subsection {* Inspecting the syntax *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "print_syntax"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- \end{matharray}
-
- \begin{description}
-
- \item @{command "print_syntax"} prints the inner syntax of the
- current context. The output can be quite large; the most important
- sections are explained below.
-
- \begin{description}
-
- \item @{text "lexicon"} lists the delimiters of the inner token
- language; see \secref{sec:inner-lex}.
-
- \item @{text "prods"} lists the productions of the underlying
- priority grammar; see \secref{sec:priority-grammar}.
-
- The nonterminal @{text "A\<^sup>(\<^sup>p\<^sup>)"} is rendered in plain text as @{text
- "A[p]"}; delimiters are quoted. Many productions have an extra
- @{text "\<dots> => name"}. These names later become the heads of parse
- trees; they also guide the pretty printer.
-
- Productions without such parse tree names are called \emph{copy
- productions}. Their right-hand side must have exactly one
- nonterminal symbol (or named token). The parser does not create a
- new parse tree node for copy productions, but simply returns the
- parse tree of the right-hand symbol.
-
- If the right-hand side of a copy production consists of a single
- nonterminal without any delimiters, then it is called a \emph{chain
- production}. Chain productions act as abbreviations: conceptually,
- they are removed from the grammar by adding new productions.
- Priority information attached to chain productions is ignored; only
- the dummy value @{text "-1"} is displayed.
-
- \item @{text "print modes"} lists the alternative print modes
- provided by this grammar; see \secref{sec:print-modes}.
-
- \item @{text "parse_rules"} and @{text "print_rules"} relate to
- syntax translations (macros); see \secref{sec:syn-trans}.
-
- \item @{text "parse_ast_translation"} and @{text
- "print_ast_translation"} list sets of constants that invoke
- translation functions for abstract syntax trees, which are only
- required in very special situations; see \secref{sec:tr-funs}.
-
- \item @{text "parse_translation"} and @{text "print_translation"}
- list the sets of constants that invoke regular translation
- functions; see \secref{sec:tr-funs}.
-
- \end{description}
-
- \end{description}
-*}
-
-
-subsection {* Ambiguity of parsed expressions *}
-
-text {*
- \begin{tabular}{rcll}
- @{attribute_def syntax_ambiguity_warning} & : & @{text attribute} & default @{text true} \\
- @{attribute_def syntax_ambiguity_limit} & : & @{text attribute} & default @{text 10} \\
- \end{tabular}
-
- Depending on the grammar and the given input, parsing may be
- ambiguous. Isabelle lets the Earley parser enumerate all possible
- parse trees, and then tries to make the best out of the situation.
- Terms that cannot be type-checked are filtered out, which often
- leads to a unique result in the end. Unlike regular type
- reconstruction, which is applied to the whole collection of input
- terms simultaneously, the filtering stage only treats each given
- term in isolation. Filtering is also not attempted for individual
- types or raw ASTs (as required for @{command translations}).
-
- Certain warning or error messages are printed, depending on the
- situation and the given configuration options. Parsing ultimately
- fails, if multiple results remain after the filtering phase.
-
- \begin{description}
-
- \item @{attribute syntax_ambiguity_warning} controls output of
- explicit warning messages about syntax ambiguity.
-
- \item @{attribute syntax_ambiguity_limit} determines the number of
- resulting parse trees that are shown as part of the printed message
- in case of an ambiguity.
-
- \end{description}
-*}
-
-
-section {* Syntax transformations \label{sec:syntax-transformations} *}
-
-text {* The inner syntax engine of Isabelle provides separate
- mechanisms to transform parse trees either as rewrite systems on
- first-order ASTs (\secref{sec:syn-trans}), or ML functions on ASTs
- or syntactic @{text "\<lambda>"}-terms (\secref{sec:tr-funs}). This works
- both for parsing and printing, as outlined in
- \figref{fig:parse-print}.
-
- \begin{figure}[htbp]
- \begin{center}
- \begin{tabular}{cl}
- string & \\
- @{text "\<down>"} & lexer + parser \\
- parse tree & \\
- @{text "\<down>"} & parse AST translation \\
- AST & \\
- @{text "\<down>"} & AST rewriting (macros) \\
- AST & \\
- @{text "\<down>"} & parse translation \\
- --- pre-term --- & \\
- @{text "\<down>"} & print translation \\
- AST & \\
- @{text "\<down>"} & AST rewriting (macros) \\
- AST & \\
- @{text "\<down>"} & print AST translation \\
- string &
- \end{tabular}
- \end{center}
- \caption{Parsing and printing with translations}\label{fig:parse-print}
- \end{figure}
-
- These intermediate syntax tree formats eventually lead to a pre-term
- with all names and binding scopes resolved, but most type
- information still missing. Explicit type constraints might be given by
- the user, or implicit position information by the system --- both
- need to be passed-through carefully by syntax transformations.
-
- Pre-terms are further processed by the so-called \emph{check} and
- \emph{unckeck} phases that are intertwined with type-inference (see
- also \cite{isabelle-implementation}). The latter allows to operate
- on higher-order abstract syntax with proper binding and type
- information already available.
-
- As a rule of thumb, anything that manipulates bindings of variables
- or constants needs to be implemented as syntax transformation (see
- below). Anything else is better done via check/uncheck: a prominent
- example application is the @{command abbreviation} concept of
- Isabelle/Pure. *}
-
-
-subsection {* Abstract syntax trees \label{sec:ast} *}
-
-text {* The ML datatype @{ML_type Ast.ast} explicitly represents the
- intermediate AST format that is used for syntax rewriting
- (\secref{sec:syn-trans}). It is defined in ML as follows:
- \begin{ttbox}
- datatype ast =
- Constant of string |
- Variable of string |
- Appl of ast list
- \end{ttbox}
-
- An AST is either an atom (constant or variable) or a list of (at
- least two) subtrees. Occasional diagnostic output of ASTs uses
- notation that resembles S-expression of LISP. Constant atoms are
- shown as quoted strings, variable atoms as non-quoted strings and
- applications as a parenthesized list of subtrees. For example, the
- AST
- @{ML [display] "Ast.Appl
- [Ast.Constant \"_abs\", Ast.Variable \"x\", Ast.Variable \"t\"]"}
- is pretty-printed as @{verbatim "(\"_abs\" x t)"}. Note that
- @{verbatim "()"} and @{verbatim "(x)"} are excluded as ASTs, because
- they have too few subtrees.
-
- \medskip AST application is merely a pro-forma mechanism to indicate
- certain syntactic structures. Thus @{verbatim "(c a b)"} could mean
- either term application or type application, depending on the
- syntactic context.
-
- Nested application like @{verbatim "((\"_abs\" x t) u)"} is also
- possible, but ASTs are definitely first-order: the syntax constant
- @{verbatim "\"_abs\""} does not bind the @{verbatim x} in any way.
- Proper bindings are introduced in later stages of the term syntax,
- where @{verbatim "(\"_abs\" x t)"} becomes an @{ML Abs} node and
- occurrences of @{verbatim x} in @{verbatim t} are replaced by bound
- variables (represented as de-Bruijn indices).
-*}
-
-
-subsubsection {* AST constants versus variables *}
-
-text {* Depending on the situation --- input syntax, output syntax,
- translation patterns --- the distinction of atomic asts as @{ML
- Ast.Constant} versus @{ML Ast.Variable} serves slightly different
- purposes.
-
- Input syntax of a term such as @{text "f a b = c"} does not yet
- indicate the scopes of atomic entities @{text "f, a, b, c"}: they
- could be global constants or local variables, even bound ones
- depending on the context of the term. @{ML Ast.Variable} leaves
- this choice still open: later syntax layers (or translation
- functions) may capture such a variable to determine its role
- specifically, to make it a constant, bound variable, free variable
- etc. In contrast, syntax translations that introduce already known
- constants would rather do it via @{ML Ast.Constant} to prevent
- accidental re-interpretation later on.
-
- Output syntax turns term constants into @{ML Ast.Constant} and
- variables (free or schematic) into @{ML Ast.Variable}. This
- information is precise when printing fully formal @{text "\<lambda>"}-terms.
-
- In AST translation patterns (\secref{sec:syn-trans}) the system
- guesses from the current theory context which atoms should be
- treated as constant versus variable for the matching process.
- Sometimes this needs to be indicated more explicitly using @{text
- "CONST c"} inside the term language. It is also possible to use
- @{command syntax} declarations (without mixfix annotation) to
- enforce that certain unqualified names are always treated as
- constant within the syntax machinery.
-
- \medskip For ASTs that represent the language of types or sorts, the
- situation is much simpler, since the concrete syntax already
- distinguishes type variables from type constants (constructors). So
- @{text "('a, 'b) foo"} corresponds to an AST application of some
- constant for @{text foo} and variable arguments for @{text "'a"} and
- @{text "'b"}. Note that the postfix application is merely a feature
- of the concrete syntax, while in the AST the constructor occurs in
- head position. *}
-
-
-subsubsection {* Authentic syntax names *}
-
-text {* Naming constant entities within ASTs is another delicate
- issue. Unqualified names are looked up in the name space tables in
- the last stage of parsing, after all translations have been applied.
- Since syntax transformations do not know about this later name
- resolution yet, there can be surprises in boundary cases.
-
- \emph{Authentic syntax names} for @{ML Ast.Constant} avoid this
- problem: the fully-qualified constant name with a special prefix for
- its formal category (@{text "class"}, @{text "type"}, @{text
- "const"}, @{text "fixed"}) represents the information faithfully
- within the untyped AST format. Accidental overlap with free or
- bound variables is excluded as well. Authentic syntax names work
- implicitly in the following situations:
-
- \begin{itemize}
-
- \item Input of term constants (or fixed variables) that are
- introduced by concrete syntax via @{command notation}: the
- correspondence of a particular grammar production to some known term
- entity is preserved.
-
- \item Input of type constants (constructors) and type classes ---
- thanks to explicit syntactic distinction independently on the
- context.
-
- \item Output of term constants, type constants, type classes ---
- this information is already available from the internal term to be
- printed.
-
- \end{itemize}
-
- In other words, syntax transformations that operate on input terms
- written as prefix applications are difficult to make robust.
- Luckily, this case rarely occurs in practice, because syntax forms
- to be translated usually correspond to some bits of concrete
- notation. *}
-
-
-subsection {* Raw syntax and translations \label{sec:syn-trans} *}
-
-text {*
- \begin{tabular}{rcll}
- @{command_def "nonterminal"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "syntax"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "no_syntax"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "translations"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "no_translations"} & : & @{text "theory \<rightarrow> theory"} \\
- @{attribute_def syntax_ast_trace} & : & @{text attribute} & default @{text false} \\
- @{attribute_def syntax_ast_stats} & : & @{text attribute} & default @{text false} \\
- \end{tabular}
-
- Unlike mixfix notation for existing formal entities
- (\secref{sec:notation}), raw syntax declarations provide full access
- to the priority grammar of the inner syntax, without any sanity
- checks. This includes additional syntactic categories (via
- @{command nonterminal}) and free-form grammar productions (via
- @{command syntax}). Additional syntax translations (or macros, via
- @{command translations}) are required to turn resulting parse trees
- into proper representations of formal entities again.
-
- @{rail "
- @@{command nonterminal} (@{syntax name} + @'and')
- ;
- (@@{command syntax} | @@{command no_syntax}) @{syntax mode}? (constdecl +)
- ;
- (@@{command translations} | @@{command no_translations})
- (transpat ('==' | '=>' | '<=' | '\<rightleftharpoons>' | '\<rightharpoonup>' | '\<leftharpoondown>') transpat +)
- ;
-
- constdecl: @{syntax name} '::' @{syntax type} @{syntax mixfix}?
- ;
- mode: ('(' ( @{syntax name} | @'output' | @{syntax name} @'output' ) ')')
- ;
- transpat: ('(' @{syntax nameref} ')')? @{syntax string}
- "}
-
- \begin{description}
-
- \item @{command "nonterminal"}~@{text c} declares a type
- constructor @{text c} (without arguments) to act as purely syntactic
- type: a nonterminal symbol of the inner syntax.
-
- \item @{command "syntax"}~@{text "(mode) c :: \<sigma> (mx)"} augments the
- priority grammar and the pretty printer table for the given print
- mode (default @{verbatim "\"\""}). An optional keyword @{keyword_ref
- "output"} means that only the pretty printer table is affected.
-
- Following \secref{sec:mixfix}, the mixfix annotation @{text "mx =
- template ps q"} together with type @{text "\<sigma> = \<tau>\<^sub>1 \<Rightarrow> \<dots> \<tau>\<^sub>n \<Rightarrow> \<tau>"} and
- specify a grammar production. The @{text template} contains
- delimiter tokens that surround @{text "n"} argument positions
- (@{verbatim "_"}). The latter correspond to nonterminal symbols
- @{text "A\<^sub>i"} derived from the argument types @{text "\<tau>\<^sub>i"} as
- follows:
- \begin{itemize}
-
- \item @{text "prop"} if @{text "\<tau>\<^sub>i = prop"}
-
- \item @{text "logic"} if @{text "\<tau>\<^sub>i = (\<dots>)\<kappa>"} for logical type
- constructor @{text "\<kappa> \<noteq> prop"}
-
- \item @{text any} if @{text "\<tau>\<^sub>i = \<alpha>"} for type variables
-
- \item @{text "\<kappa>"} if @{text "\<tau>\<^sub>i = \<kappa>"} for nonterminal @{text "\<kappa>"}
- (syntactic type constructor)
-
- \end{itemize}
-
- Each @{text "A\<^sub>i"} is decorated by priority @{text "p\<^sub>i"} from the
- given list @{text "ps"}; misssing priorities default to 0.
-
- The resulting nonterminal of the production is determined similarly
- from type @{text "\<tau>"}, with priority @{text "q"} and default 1000.
-
- \medskip Parsing via this production produces parse trees @{text
- "t\<^sub>1, \<dots>, t\<^sub>n"} for the argument slots. The resulting parse tree is
- composed as @{text "c t\<^sub>1 \<dots> t\<^sub>n"}, by using the syntax constant @{text
- "c"} of the syntax declaration.
-
- Such syntactic constants are invented on the spot, without formal
- check wrt.\ existing declarations. It is conventional to use plain
- identifiers prefixed by a single underscore (e.g.\ @{text
- "_foobar"}). Names should be chosen with care, to avoid clashes
- with other syntax declarations.
-
- \medskip The special case of copy production is specified by @{text
- "c = "}@{verbatim "\"\""} (empty string). It means that the
- resulting parse tree @{text "t"} is copied directly, without any
- further decoration.
-
- \item @{command "no_syntax"}~@{text "(mode) decls"} removes grammar
- declarations (and translations) resulting from @{text decls}, which
- are interpreted in the same manner as for @{command "syntax"} above.
-
- \item @{command "translations"}~@{text rules} specifies syntactic
- translation rules (i.e.\ macros) as first-order rewrite rules on
- ASTs (\secref{sec:ast}). The theory context maintains two
- independent lists translation rules: parse rules (@{verbatim "=>"}
- or @{text "\<rightharpoonup>"}) and print rules (@{verbatim "<="} or @{text "\<leftharpoondown>"}).
- For convenience, both can be specified simultaneously as parse~/
- print rules (@{verbatim "=="} or @{text "\<rightleftharpoons>"}).
-
- Translation patterns may be prefixed by the syntactic category to be
- used for parsing; the default is @{text logic} which means that
- regular term syntax is used. Both sides of the syntax translation
- rule undergo parsing and parse AST translations
- \secref{sec:tr-funs}, in order to perform some fundamental
- normalization like @{text "\<lambda>x y. b \<leadsto> \<lambda>x. \<lambda>y. b"}, but other AST
- translation rules are \emph{not} applied recursively here.
-
- When processing AST patterns, the inner syntax lexer runs in a
- different mode that allows identifiers to start with underscore.
- This accommodates the usual naming convention for auxiliary syntax
- constants --- those that do not have a logical counter part --- by
- allowing to specify arbitrary AST applications within the term
- syntax, independently of the corresponding concrete syntax.
-
- Atomic ASTs are distinguished as @{ML Ast.Constant} versus @{ML
- Ast.Variable} as follows: a qualified name or syntax constant
- declared via @{command syntax}, or parse tree head of concrete
- notation becomes @{ML Ast.Constant}, anything else @{ML
- Ast.Variable}. Note that @{text CONST} and @{text XCONST} within
- the term language (\secref{sec:pure-grammar}) allow to enforce
- treatment as constants.
-
- AST rewrite rules @{text "(lhs, rhs)"} need to obey the following
- side-conditions:
-
- \begin{itemize}
-
- \item Rules must be left linear: @{text "lhs"} must not contain
- repeated variables.\footnote{The deeper reason for this is that AST
- equality is not well-defined: different occurrences of the ``same''
- AST could be decorated differently by accidental type-constraints or
- source position information, for example.}
-
- \item Every variable in @{text "rhs"} must also occur in @{text
- "lhs"}.
-
- \end{itemize}
-
- \item @{command "no_translations"}~@{text rules} removes syntactic
- translation rules, which are interpreted in the same manner as for
- @{command "translations"} above.
-
- \item @{attribute syntax_ast_trace} and @{attribute
- syntax_ast_stats} control diagnostic output in the AST normalization
- process, when translation rules are applied to concrete input or
- output.
-
- \end{description}
-
- Raw syntax and translations provides a slightly more low-level
- access to the grammar and the form of resulting parse trees. It is
- often possible to avoid this untyped macro mechanism, and use
- type-safe @{command abbreviation} or @{command notation} instead.
- Some important situations where @{command syntax} and @{command
- translations} are really need are as follows:
-
- \begin{itemize}
-
- \item Iterated replacement via recursive @{command translations}.
- For example, consider list enumeration @{term "[a, b, c, d]"} as
- defined in theory @{theory List} in Isabelle/HOL.
-
- \item Change of binding status of variables: anything beyond the
- built-in @{keyword "binder"} mixfix annotation requires explicit
- syntax translations. For example, consider list filter
- comprehension @{term "[x \<leftarrow> xs . P]"} as defined in theory @{theory
- List} in Isabelle/HOL.
-
- \end{itemize}
-*}
-
-subsubsection {* Applying translation rules *}
-
-text {* As a term is being parsed or printed, an AST is generated as
- an intermediate form according to \figref{fig:parse-print}. The AST
- is normalized by applying translation rules in the manner of a
- first-order term rewriting system. We first examine how a single
- rule is applied.
-
- Let @{text "t"} be the abstract syntax tree to be normalized and
- @{text "(lhs, rhs)"} some translation rule. A subtree @{text "u"}
- of @{text "t"} is called \emph{redex} if it is an instance of @{text
- "lhs"}; in this case the pattern @{text "lhs"} is said to match the
- object @{text "u"}. A redex matched by @{text "lhs"} may be
- replaced by the corresponding instance of @{text "rhs"}, thus
- \emph{rewriting} the AST @{text "t"}. Matching requires some notion
- of \emph{place-holders} in rule patterns: @{ML Ast.Variable} serves
- this purpose.
-
- More precisely, the matching of the object @{text "u"} against the
- pattern @{text "lhs"} is performed as follows:
-
- \begin{itemize}
-
- \item Objects of the form @{ML Ast.Variable}~@{text "x"} or @{ML
- Ast.Constant}~@{text "x"} are matched by pattern @{ML
- Ast.Constant}~@{text "x"}. Thus all atomic ASTs in the object are
- treated as (potential) constants, and a successful match makes them
- actual constants even before name space resolution (see also
- \secref{sec:ast}).
-
- \item Object @{text "u"} is matched by pattern @{ML
- Ast.Variable}~@{text "x"}, binding @{text "x"} to @{text "u"}.
-
- \item Object @{ML Ast.Appl}~@{text "us"} is matched by @{ML
- Ast.Appl}~@{text "ts"} if @{text "us"} and @{text "ts"} have the
- same length and each corresponding subtree matches.
-
- \item In every other case, matching fails.
-
- \end{itemize}
-
- A successful match yields a substitution that is applied to @{text
- "rhs"}, generating the instance that replaces @{text "u"}.
-
- Normalizing an AST involves repeatedly applying translation rules
- until none are applicable. This works yoyo-like: top-down,
- bottom-up, top-down, etc. At each subtree position, rules are
- chosen in order of appearance in the theory definitions.
-
- The configuration options @{attribute syntax_ast_trace} and
- @{attribute syntax_ast_stats} might help to understand this process
- and diagnose problems.
-
- \begin{warn}
- If syntax translation rules work incorrectly, the output of
- @{command_ref print_syntax} with its \emph{rules} sections reveals the
- actual internal forms of AST pattern, without potentially confusing
- concrete syntax. Recall that AST constants appear as quoted strings
- and variables without quotes.
- \end{warn}
-
- \begin{warn}
- If @{attribute_ref eta_contract} is set to @{text "true"}, terms
- will be @{text "\<eta>"}-contracted \emph{before} the AST rewriter sees
- them. Thus some abstraction nodes needed for print rules to match
- may vanish. For example, @{text "Ball A (\<lambda>x. P x)"} would contract
- to @{text "Ball A P"} and the standard print rule would fail to
- apply. This problem can be avoided by hand-written ML translation
- functions (see also \secref{sec:tr-funs}), which is in fact the same
- mechanism used in built-in @{keyword "binder"} declarations.
- \end{warn}
-*}
-
-
-subsection {* Syntax translation functions \label{sec:tr-funs} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "parse_ast_translation"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "parse_translation"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "print_translation"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "typed_print_translation"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "print_ast_translation"} & : & @{text "theory \<rightarrow> theory"} \\
- @{ML_antiquotation_def "class_syntax"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "type_syntax"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "const_syntax"} & : & @{text ML_antiquotation} \\
- @{ML_antiquotation_def "syntax_const"} & : & @{text ML_antiquotation} \\
- \end{matharray}
-
- Syntax translation functions written in ML admit almost arbitrary
- manipulations of inner syntax, at the expense of some complexity and
- obscurity in the implementation.
-
- @{rail "
- ( @@{command parse_ast_translation} | @@{command parse_translation} |
- @@{command print_translation} | @@{command typed_print_translation} |
- @@{command print_ast_translation}) ('(' @'advanced' ')')? @{syntax text}
- ;
- (@@{ML_antiquotation class_syntax} |
- @@{ML_antiquotation type_syntax} |
- @@{ML_antiquotation const_syntax} |
- @@{ML_antiquotation syntax_const}) name
- "}
-
- \begin{description}
-
- \item @{command parse_translation} etc. declare syntax translation
- functions to the theory. Any of these commands have a single
- @{syntax text} argument that refers to an ML expression of
- appropriate type, which are as follows by default:
-
- \medskip
- {\footnotesize
- \begin{tabular}{ll}
- @{command parse_ast_translation} & : @{ML_type "(string * (Ast.ast list -> Ast.ast)) list"} \\
- @{command parse_translation} & : @{ML_type "(string * (term list -> term)) list"} \\
- @{command print_translation} & : @{ML_type "(string * (term list -> term)) list"} \\
- @{command typed_print_translation} & : @{ML_type "(string * (typ -> term list -> term)) list"} \\
- @{command print_ast_translation} & : @{ML_type "(string * (Ast.ast list -> Ast.ast)) list"} \\
- \end{tabular}}
- \medskip
-
- The argument list consists of @{text "(c, tr)"} pairs, where @{text
- "c"} is the syntax name of the formal entity involved, and @{text
- "tr"} a function that translates a syntax form @{text "c args"} into
- @{text "tr args"}. The ML naming convention for parse translations
- is @{text "c_tr"} and for print translations @{text "c_tr'"}.
-
- The @{command_ref print_syntax} command displays the sets of names
- associated with the translation functions of a theory under @{text
- "parse_ast_translation"} etc.
-
- If the @{verbatim "("}@{keyword "advanced"}@{verbatim ")"} option is
- given, the corresponding translation functions depend on the current
- theory or proof context as additional argument. This allows to
- implement advanced syntax mechanisms, as translations functions may
- refer to specific theory declarations or auxiliary proof data.
-
- \item @{text "@{class_syntax c}"}, @{text "@{type_syntax c}"},
- @{text "@{const_syntax c}"} inline the authentic syntax name of the
- given formal entities into the ML source. This is the
- fully-qualified logical name prefixed by a special marker to
- indicate its kind: thus different logical name spaces are properly
- distinguished within parse trees.
-
- \item @{text "@{const_syntax c}"} inlines the name @{text "c"} of
- the given syntax constant, having checked that it has been declared
- via some @{command syntax} commands within the theory context. Note
- that the usual naming convention makes syntax constants start with
- underscore, to reduce the chance of accidental clashes with other
- names occurring in parse trees (unqualified constants etc.).
-
- \end{description}
-*}
-
-
-subsubsection {* The translation strategy *}
-
-text {* The different kinds of translation functions are invoked during
- the transformations between parse trees, ASTs and syntactic terms
- (cf.\ \figref{fig:parse-print}). Whenever a combination of the form
- @{text "c x\<^sub>1 \<dots> x\<^sub>n"} is encountered, and a translation function
- @{text "f"} of appropriate kind is declared for @{text "c"}, the
- result is produced by evaluation of @{text "f [x\<^sub>1, \<dots>, x\<^sub>n]"} in ML.
-
- For AST translations, the arguments @{text "x\<^sub>1, \<dots>, x\<^sub>n"} are ASTs. A
- combination has the form @{ML "Ast.Constant"}~@{text "c"} or @{ML
- "Ast.Appl"}~@{text "["}@{ML Ast.Constant}~@{text "c, x\<^sub>1, \<dots>, x\<^sub>n]"}.
- For term translations, the arguments are terms and a combination has
- the form @{ML Const}~@{text "(c, \<tau>)"} or @{ML Const}~@{text "(c, \<tau>)
- $ x\<^sub>1 $ \<dots> $ x\<^sub>n"}. Terms allow more sophisticated transformations
- than ASTs do, typically involving abstractions and bound
- variables. \emph{Typed} print translations may even peek at the type
- @{text "\<tau>"} of the constant they are invoked on, although that information
- may be inaccurate.
-
- Regardless of whether they act on ASTs or terms, translation
- functions called during the parsing process differ from those for
- printing in their overall behaviour:
-
- \begin{description}
-
- \item [Parse translations] are applied bottom-up. The arguments are
- already in translated form. The translations must not fail;
- exceptions trigger an error message. There may be at most one
- function associated with any syntactic name.
-
- \item [Print translations] are applied top-down. They are supplied
- with arguments that are partly still in internal form. The result
- again undergoes translation; therefore a print translation should
- not introduce as head the very constant that invoked it. The
- function may raise exception @{ML Match} to indicate failure; in
- this event it has no effect. Multiple functions associated with
- some syntactic name are tried in the order of declaration in the
- theory.
-
- \end{description}
-
- Only constant atoms --- constructor @{ML Ast.Constant} for ASTs and
- @{ML Const} for terms --- can invoke translation functions. This
- means that parse translations can only be associated with parse tree
- heads of concrete syntax, or syntactic constants introduced via
- other translations. For plain identifiers within the term language,
- the status of constant versus variable is not yet know during
- parsing. This is in contrast to print translations, where constants
- are explicitly known from the given term in its fully internal form.
-*}
-
-end
--- a/doc-src/IsarRef/ML_Tactic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,180 +0,0 @@
-theory ML_Tactic
-imports Base Main
-begin
-
-chapter {* ML tactic expressions *}
-
-text {*
- Isar Proof methods closely resemble traditional tactics, when used
- in unstructured sequences of @{command "apply"} commands.
- Isabelle/Isar provides emulations for all major ML tactics of
- classic Isabelle --- mostly for the sake of easy porting of existing
- developments, as actual Isar proof texts would demand much less
- diversity of proof methods.
-
- Unlike tactic expressions in ML, Isar proof methods provide proper
- concrete syntax for additional arguments, options, modifiers etc.
- Thus a typical method text is usually more concise than the
- corresponding ML tactic. Furthermore, the Isar versions of classic
- Isabelle tactics often cover several variant forms by a single
- method with separate options to tune the behavior. For example,
- method @{method simp} replaces all of @{ML simp_tac}~/ @{ML
- asm_simp_tac}~/ @{ML full_simp_tac}~/ @{ML asm_full_simp_tac}, there
- is also concrete syntax for augmenting the Simplifier context (the
- current ``simpset'') in a convenient way.
-*}
-
-
-section {* Resolution tactics *}
-
-text {*
- Classic Isabelle provides several variant forms of tactics for
- single-step rule applications (based on higher-order resolution).
- The space of resolution tactics has the following main dimensions.
-
- \begin{enumerate}
-
- \item The ``mode'' of resolution: intro, elim, destruct, or forward
- (e.g.\ @{ML resolve_tac}, @{ML eresolve_tac}, @{ML dresolve_tac},
- @{ML forward_tac}).
-
- \item Optional explicit instantiation (e.g.\ @{ML resolve_tac} vs.\
- @{ML res_inst_tac}).
-
- \item Abbreviations for singleton arguments (e.g.\ @{ML resolve_tac}
- vs.\ @{ML rtac}).
-
- \end{enumerate}
-
- Basically, the set of Isar tactic emulations @{method rule_tac},
- @{method erule_tac}, @{method drule_tac}, @{method frule_tac} (see
- \secref{sec:tactics}) would be sufficient to cover the four modes,
- either with or without instantiation, and either with single or
- multiple arguments. Although it is more convenient in most cases to
- use the plain @{method_ref (Pure) rule} method, or any of its
- ``improper'' variants @{method erule}, @{method drule}, @{method
- frule}. Note that explicit goal addressing is only supported by the
- actual @{method rule_tac} version.
-
- With this in mind, plain resolution tactics correspond to Isar
- methods as follows.
-
- \medskip
- \begin{tabular}{lll}
- @{ML rtac}~@{text "a 1"} & & @{text "rule a"} \\
- @{ML resolve_tac}~@{text "[a\<^sub>1, \<dots>] 1"} & & @{text "rule a\<^sub>1 \<dots>"} \\
- @{ML res_inst_tac}~@{text "ctxt [(x\<^sub>1, t\<^sub>1), \<dots>] a 1"} & &
- @{text "rule_tac x\<^sub>1 = t\<^sub>1 \<AND> \<dots> \<IN> a"} \\[0.5ex]
- @{ML rtac}~@{text "a i"} & & @{text "rule_tac [i] a"} \\
- @{ML resolve_tac}~@{text "[a\<^sub>1, \<dots>] i"} & & @{text "rule_tac [i] a\<^sub>1 \<dots>"} \\
- @{ML res_inst_tac}~@{text "ctxt [(x\<^sub>1, t\<^sub>1), \<dots>] a i"} & &
- @{text "rule_tac [i] x\<^sub>1 = t\<^sub>1 \<AND> \<dots> \<IN> a"} \\
- \end{tabular}
- \medskip
-
- Note that explicit goal addressing may be usually avoided by
- changing the order of subgoals with @{command "defer"} or @{command
- "prefer"} (see \secref{sec:tactic-commands}).
-*}
-
-
-section {* Simplifier tactics *}
-
-text {*
- The main Simplifier tactics @{ML simp_tac} and variants (cf.\
- \cite{isabelle-ref}) are all covered by the @{method simp} and
- @{method simp_all} methods (see \secref{sec:simplifier}). Note that
- there is no individual goal addressing available, simplification
- acts either on the first goal (@{method simp}) or all goals
- (@{method simp_all}).
-
- \medskip
- \begin{tabular}{lll}
- @{ML asm_full_simp_tac}~@{text "@{simpset} 1"} & & @{method simp} \\
- @{ML ALLGOALS}~(@{ML asm_full_simp_tac}~@{text "@{simpset}"}) & & @{method simp_all} \\[0.5ex]
- @{ML simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm)"} \\
- @{ML asm_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm_simp)"} \\
- @{ML full_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm_use)"} \\
- @{ML asm_lr_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(asm_lr)"} \\
- \end{tabular}
- \medskip
-*}
-
-
-section {* Classical Reasoner tactics *}
-
-text {* The Classical Reasoner provides a rather large number of
- variations of automated tactics, such as @{ML blast_tac}, @{ML
- fast_tac}, @{ML clarify_tac} etc. The corresponding Isar methods
- usually share the same base name, such as @{method blast}, @{method
- fast}, @{method clarify} etc.\ (see \secref{sec:classical}). *}
-
-
-section {* Miscellaneous tactics *}
-
-text {*
- There are a few additional tactics defined in various theories of
- Isabelle/HOL, some of these also in Isabelle/FOL or Isabelle/ZF.
- The most common ones of these may be ported to Isar as follows.
-
- \medskip
- \begin{tabular}{lll}
- @{ML stac}~@{text "a 1"} & & @{text "subst a"} \\
- @{ML hyp_subst_tac}~@{text 1} & & @{text hypsubst} \\
- @{ML strip_tac}~@{text 1} & @{text "\<approx>"} & @{text "intro strip"} \\
- @{ML split_all_tac}~@{text 1} & & @{text "simp (no_asm_simp) only: split_tupled_all"} \\
- & @{text "\<approx>"} & @{text "simp only: split_tupled_all"} \\
- & @{text "\<lless>"} & @{text "clarify"} \\
- \end{tabular}
-*}
-
-
-section {* Tacticals *}
-
-text {*
- Classic Isabelle provides a huge amount of tacticals for combination
- and modification of existing tactics. This has been greatly reduced
- in Isar, providing the bare minimum of combinators only: ``@{text
- ","}'' (sequential composition), ``@{text "|"}'' (alternative
- choices), ``@{text "?"}'' (try), ``@{text "+"}'' (repeat at least
- once). These are usually sufficient in practice; if all fails,
- arbitrary ML tactic code may be invoked via the @{method tactic}
- method (see \secref{sec:tactics}).
-
- \medskip Common ML tacticals may be expressed directly in Isar as
- follows:
-
- \medskip
- \begin{tabular}{lll}
- @{text "tac\<^sub>1"}~@{ML_text THEN}~@{text "tac\<^sub>2"} & & @{text "meth\<^sub>1, meth\<^sub>2"} \\
- @{text "tac\<^sub>1"}~@{ML_text ORELSE}~@{text "tac\<^sub>2"} & & @{text "meth\<^sub>1 | meth\<^sub>2"} \\
- @{ML TRY}~@{text tac} & & @{text "meth?"} \\
- @{ML REPEAT1}~@{text tac} & & @{text "meth+"} \\
- @{ML REPEAT}~@{text tac} & & @{text "(meth+)?"} \\
- @{ML EVERY}~@{text "[tac\<^sub>1, \<dots>]"} & & @{text "meth\<^sub>1, \<dots>"} \\
- @{ML FIRST}~@{text "[tac\<^sub>1, \<dots>]"} & & @{text "meth\<^sub>1 | \<dots>"} \\
- \end{tabular}
- \medskip
-
- \medskip @{ML CHANGED} (see \cite{isabelle-implementation}) is
- usually not required in Isar, since most basic proof methods already
- fail unless there is an actual change in the goal state.
- Nevertheless, ``@{text "?"}'' (try) may be used to accept
- \emph{unchanged} results as well.
-
- \medskip @{ML ALLGOALS}, @{ML SOMEGOAL} etc.\ (see
- \cite{isabelle-implementation}) are not available in Isar, since
- there is no direct goal addressing. Nevertheless, some basic
- methods address all goals internally, notably @{method simp_all}
- (see \secref{sec:simplifier}). Also note that @{ML ALLGOALS} can be
- often replaced by ``@{text "+"}'' (repeat at least once), although
- this usually has a different operational behavior: subgoals are
- solved in a different order.
-
- \medskip Iterated resolution, such as
- @{ML_text "REPEAT (FIRSTGOAL (resolve_tac ...))"}, is usually better
- expressed using the @{method intro} and @{method elim} methods of
- Isar (see \secref{sec:classical}).
-*}
-
-end
--- a/doc-src/IsarRef/Misc.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,151 +0,0 @@
-theory Misc
-imports Base Main
-begin
-
-chapter {* Other commands *}
-
-section {* Inspecting the context *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "print_commands"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "print_theory"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_methods"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_attributes"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_theorems"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "find_theorems"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "find_consts"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "thm_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "unused_thms"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_facts"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_binds"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- \end{matharray}
-
- @{rail "
- (@@{command print_theory} | @@{command print_theorems}) ('!'?)
- ;
-
- @@{command find_theorems} ('(' @{syntax nat}? 'with_dups'? ')')? \\ (thmcriterion * )
- ;
- thmcriterion: ('-'?) ('name' ':' @{syntax nameref} | 'intro' | 'elim' | 'dest' |
- 'solves' | 'simp' ':' @{syntax term} | @{syntax term})
- ;
- @@{command find_consts} (constcriterion * )
- ;
- constcriterion: ('-'?)
- ('name' ':' @{syntax nameref} | 'strict' ':' @{syntax type} | @{syntax type})
- ;
- @@{command thm_deps} @{syntax thmrefs}
- ;
- @@{command unused_thms} ((@{syntax name} +) '-' (@{syntax name} * ))?
- "}
-
- These commands print certain parts of the theory and proof context.
- Note that there are some further ones available, such as for the set
- of rules declared for simplifications.
-
- \begin{description}
-
- \item @{command "print_commands"} prints Isabelle's outer theory
- syntax, including keywords and command.
-
- \item @{command "print_theory"} prints the main logical content of
- the theory context; the ``@{text "!"}'' option indicates extra
- verbosity.
-
- \item @{command "print_methods"} prints all proof methods
- available in the current theory context.
-
- \item @{command "print_attributes"} prints all attributes
- available in the current theory context.
-
- \item @{command "print_theorems"} prints theorems resulting from the
- last command; the ``@{text "!"}'' option indicates extra verbosity.
-
- \item @{command "find_theorems"}~@{text criteria} retrieves facts
- from the theory or proof context matching all of given search
- criteria. The criterion @{text "name: p"} selects all theorems
- whose fully qualified name matches pattern @{text p}, which may
- contain ``@{text "*"}'' wildcards. The criteria @{text intro},
- @{text elim}, and @{text dest} select theorems that match the
- current goal as introduction, elimination or destruction rules,
- respectively. The criterion @{text "solves"} returns all rules
- that would directly solve the current goal. The criterion
- @{text "simp: t"} selects all rewrite rules whose left-hand side
- matches the given term. The criterion term @{text t} selects all
- theorems that contain the pattern @{text t} -- as usual, patterns
- may contain occurrences of the dummy ``@{text _}'', schematic
- variables, and type constraints.
-
- Criteria can be preceded by ``@{text "-"}'' to select theorems that
- do \emph{not} match. Note that giving the empty list of criteria
- yields \emph{all} currently known facts. An optional limit for the
- number of printed facts may be given; the default is 40. By
- default, duplicates are removed from the search result. Use
- @{text with_dups} to display duplicates.
-
- \item @{command "find_consts"}~@{text criteria} prints all constants
- whose type meets all of the given criteria. The criterion @{text
- "strict: ty"} is met by any type that matches the type pattern
- @{text ty}. Patterns may contain both the dummy type ``@{text _}''
- and sort constraints. The criterion @{text ty} is similar, but it
- also matches against subtypes. The criterion @{text "name: p"} and
- the prefix ``@{text "-"}'' function as described for @{command
- "find_theorems"}.
-
- \item @{command "thm_deps"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}
- visualizes dependencies of facts, using Isabelle's graph browser
- tool (see also \cite{isabelle-sys}).
-
- \item @{command "unused_thms"}~@{text "A\<^isub>1 \<dots> A\<^isub>m - B\<^isub>1 \<dots> B\<^isub>n"}
- displays all unused theorems in theories @{text "B\<^isub>1 \<dots> B\<^isub>n"}
- or their parents, but not in @{text "A\<^isub>1 \<dots> A\<^isub>m"} or their parents.
- If @{text n} is @{text 0}, the end of the range of theories
- defaults to the current theory. If no range is specified,
- only the unused theorems in the current theory are displayed.
-
- \item @{command "print_facts"} prints all local facts of the
- current context, both named and unnamed ones.
-
- \item @{command "print_binds"} prints all term abbreviations
- present in the context.
-
- \end{description}
-*}
-
-
-section {* System commands *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "cd"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "pwd"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "use_thy"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
- \end{matharray}
-
- @{rail "
- (@@{command cd} | @@{command use_thy}) @{syntax name}
- "}
-
- \begin{description}
-
- \item @{command "cd"}~@{text path} changes the current directory
- of the Isabelle process.
-
- \item @{command "pwd"} prints the current working directory.
-
- \item @{command "use_thy"}~@{text A} preload theory @{text A}.
- These system commands are scarcely used when working interactively,
- since loading of theories is done automatically as required.
-
- \end{description}
-
- %FIXME proper place (!?)
- Isabelle file specification may contain path variables (e.g.\
- @{verbatim "$ISABELLE_HOME"}) that are expanded accordingly. Note
- that @{verbatim "~"} abbreviates @{verbatim "$USER_HOME"}, and
- @{verbatim "~~"} abbreviates @{verbatim "$ISABELLE_HOME"}. The
- general syntax for path specifications follows POSIX conventions.
-*}
-
-end
--- a/doc-src/IsarRef/Outer_Syntax.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,427 +0,0 @@
-theory Outer_Syntax
-imports Base Main
-begin
-
-chapter {* Outer syntax --- the theory language \label{ch:outer-syntax} *}
-
-text {*
- The rather generic framework of Isabelle/Isar syntax emerges from
- three main syntactic categories: \emph{commands} of the top-level
- Isar engine (covering theory and proof elements), \emph{methods} for
- general goal refinements (analogous to traditional ``tactics''), and
- \emph{attributes} for operations on facts (within a certain
- context). Subsequently we give a reference of basic syntactic
- entities underlying Isabelle/Isar syntax in a bottom-up manner.
- Concrete theory and proof language elements will be introduced later
- on.
-
- \medskip In order to get started with writing well-formed
- Isabelle/Isar documents, the most important aspect to be noted is
- the difference of \emph{inner} versus \emph{outer} syntax. Inner
- syntax is that of Isabelle types and terms of the logic, while outer
- syntax is that of Isabelle/Isar theory sources (specifications and
- proofs). As a general rule, inner syntax entities may occur only as
- \emph{atomic entities} within outer syntax. For example, the string
- @{verbatim "\"x + y\""} and identifier @{verbatim z} are legal term
- specifications within a theory, while @{verbatim "x + y"} without
- quotes is not.
-
- Printed theory documents usually omit quotes to gain readability
- (this is a matter of {\LaTeX} macro setup, say via @{verbatim
- "\\isabellestyle"}, see also \cite{isabelle-sys}). Experienced
- users of Isabelle/Isar may easily reconstruct the lost technical
- information, while mere readers need not care about quotes at all.
-
- \medskip Isabelle/Isar input may contain any number of input
- termination characters ``@{verbatim ";"}'' (semicolon) to separate
- commands explicitly. This is particularly useful in interactive
- shell sessions to make clear where the current command is intended
- to end. Otherwise, the interpreter loop will continue to issue a
- secondary prompt ``@{verbatim "#"}'' until an end-of-command is
- clearly recognized from the input syntax, e.g.\ encounter of the
- next command keyword.
-
- More advanced interfaces such as Proof~General \cite{proofgeneral}
- do not require explicit semicolons, the amount of input text is
- determined automatically by inspecting the present content of the
- Emacs text buffer. In the printed presentation of Isabelle/Isar
- documents semicolons are omitted altogether for readability.
-
- \begin{warn}
- Proof~General requires certain syntax classification tables in
- order to achieve properly synchronized interaction with the
- Isabelle/Isar process. These tables need to be consistent with
- the Isabelle version and particular logic image to be used in a
- running session (common object-logics may well change the outer
- syntax). The standard setup should work correctly with any of the
- ``official'' logic images derived from Isabelle/HOL (including
- HOLCF etc.). Users of alternative logics may need to tell
- Proof~General explicitly, e.g.\ by giving an option @{verbatim "-k ZF"}
- (in conjunction with @{verbatim "-l ZF"}, to specify the default
- logic image). Note that option @{verbatim "-L"} does both
- of this at the same time.
- \end{warn}
-*}
-
-
-section {* Lexical matters \label{sec:outer-lex} *}
-
-text {* The outer lexical syntax consists of three main categories of
- syntax tokens:
-
- \begin{enumerate}
-
- \item \emph{major keywords} --- the command names that are available
- in the present logic session;
-
- \item \emph{minor keywords} --- additional literal tokens required
- by the syntax of commands;
-
- \item \emph{named tokens} --- various categories of identifiers etc.
-
- \end{enumerate}
-
- Major keywords and minor keywords are guaranteed to be disjoint.
- This helps user-interfaces to determine the overall structure of a
- theory text, without knowing the full details of command syntax.
- Internally, there is some additional information about the kind of
- major keywords, which approximates the command type (theory command,
- proof command etc.).
-
- Keywords override named tokens. For example, the presence of a
- command called @{verbatim term} inhibits the identifier @{verbatim
- term}, but the string @{verbatim "\"term\""} can be used instead.
- By convention, the outer syntax always allows quoted strings in
- addition to identifiers, wherever a named entity is expected.
-
- When tokenizing a given input sequence, the lexer repeatedly takes
- the longest prefix of the input that forms a valid token. Spaces,
- tabs, newlines and formfeeds between tokens serve as explicit
- separators.
-
- \medskip The categories for named tokens are defined once and for
- all as follows.
-
- \begin{center}
- \begin{supertabular}{rcl}
- @{syntax_def ident} & = & @{text "letter quasiletter\<^sup>*"} \\
- @{syntax_def longident} & = & @{text "ident("}@{verbatim "."}@{text "ident)\<^sup>+"} \\
- @{syntax_def symident} & = & @{text "sym\<^sup>+ | "}@{verbatim "\\"}@{verbatim "<"}@{text ident}@{verbatim ">"} \\
- @{syntax_def nat} & = & @{text "digit\<^sup>+"} \\
- @{syntax_def float} & = & @{syntax_ref nat}@{verbatim "."}@{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat}@{verbatim "."}@{syntax_ref nat} \\
- @{syntax_def var} & = & @{verbatim "?"}@{text "ident | "}@{verbatim "?"}@{text ident}@{verbatim "."}@{text nat} \\
- @{syntax_def typefree} & = & @{verbatim "'"}@{text ident} \\
- @{syntax_def typevar} & = & @{verbatim "?"}@{text "typefree | "}@{verbatim "?"}@{text typefree}@{verbatim "."}@{text nat} \\
- @{syntax_def string} & = & @{verbatim "\""} @{text "\<dots>"} @{verbatim "\""} \\
- @{syntax_def altstring} & = & @{verbatim "`"} @{text "\<dots>"} @{verbatim "`"} \\
- @{syntax_def verbatim} & = & @{verbatim "{*"} @{text "\<dots>"} @{verbatim "*"}@{verbatim "}"} \\[1ex]
-
- @{text letter} & = & @{text "latin | "}@{verbatim "\\"}@{verbatim "<"}@{text latin}@{verbatim ">"}@{text " | "}@{verbatim "\\"}@{verbatim "<"}@{text "latin latin"}@{verbatim ">"}@{text " | greek |"} \\
- & & @{verbatim "\<^isub>"}@{text " | "}@{verbatim "\<^isup>"} \\
- @{text quasiletter} & = & @{text "letter | digit | "}@{verbatim "_"}@{text " | "}@{verbatim "'"} \\
- @{text latin} & = & @{verbatim a}@{text " | \<dots> | "}@{verbatim z}@{text " | "}@{verbatim A}@{text " | \<dots> | "}@{verbatim Z} \\
- @{text digit} & = & @{verbatim "0"}@{text " | \<dots> | "}@{verbatim "9"} \\
- @{text sym} & = & @{verbatim "!"}@{text " | "}@{verbatim "#"}@{text " | "}@{verbatim "$"}@{text " | "}@{verbatim "%"}@{text " | "}@{verbatim "&"}@{text " | "}@{verbatim "*"}@{text " | "}@{verbatim "+"}@{text " | "}@{verbatim "-"}@{text " | "}@{verbatim "/"}@{text " |"} \\
- & & @{verbatim "<"}@{text " | "}@{verbatim "="}@{text " | "}@{verbatim ">"}@{text " | "}@{verbatim "?"}@{text " | "}@{verbatim "@"}@{text " | "}@{verbatim "^"}@{text " | "}@{verbatim "_"}@{text " | "}@{verbatim "|"}@{text " | "}@{verbatim "~"} \\
- @{text greek} & = & @{verbatim "\<alpha>"}@{text " | "}@{verbatim "\<beta>"}@{text " | "}@{verbatim "\<gamma>"}@{text " | "}@{verbatim "\<delta>"}@{text " |"} \\
- & & @{verbatim "\<epsilon>"}@{text " | "}@{verbatim "\<zeta>"}@{text " | "}@{verbatim "\<eta>"}@{text " | "}@{verbatim "\<theta>"}@{text " |"} \\
- & & @{verbatim "\<iota>"}@{text " | "}@{verbatim "\<kappa>"}@{text " | "}@{verbatim "\<mu>"}@{text " | "}@{verbatim "\<nu>"}@{text " |"} \\
- & & @{verbatim "\<xi>"}@{text " | "}@{verbatim "\<pi>"}@{text " | "}@{verbatim "\<rho>"}@{text " | "}@{verbatim "\<sigma>"}@{text " | "}@{verbatim "\<tau>"}@{text " |"} \\
- & & @{verbatim "\<upsilon>"}@{text " | "}@{verbatim "\<phi>"}@{text " | "}@{verbatim "\<chi>"}@{text " | "}@{verbatim "\<psi>"}@{text " |"} \\
- & & @{verbatim "\<omega>"}@{text " | "}@{verbatim "\<Gamma>"}@{text " | "}@{verbatim "\<Delta>"}@{text " | "}@{verbatim "\<Theta>"}@{text " |"} \\
- & & @{verbatim "\<Lambda>"}@{text " | "}@{verbatim "\<Xi>"}@{text " | "}@{verbatim "\<Pi>"}@{text " | "}@{verbatim "\<Sigma>"}@{text " |"} \\
- & & @{verbatim "\<Upsilon>"}@{text " | "}@{verbatim "\<Phi>"}@{text " | "}@{verbatim "\<Psi>"}@{text " | "}@{verbatim "\<Omega>"} \\
- \end{supertabular}
- \end{center}
-
- A @{syntax_ref var} or @{syntax_ref typevar} describes an unknown,
- which is internally a pair of base name and index (ML type @{ML_type
- indexname}). These components are either separated by a dot as in
- @{text "?x.1"} or @{text "?x7.3"} or run together as in @{text
- "?x1"}. The latter form is possible if the base name does not end
- with digits. If the index is 0, it may be dropped altogether:
- @{text "?x"} and @{text "?x0"} and @{text "?x.0"} all refer to the
- same unknown, with basename @{text "x"} and index 0.
-
- The syntax of @{syntax_ref string} admits any characters, including
- newlines; ``@{verbatim "\""}'' (double-quote) and ``@{verbatim
- "\\"}'' (backslash) need to be escaped by a backslash; arbitrary
- character codes may be specified as ``@{verbatim "\\"}@{text ddd}'',
- with three decimal digits. Alternative strings according to
- @{syntax_ref altstring} are analogous, using single back-quotes
- instead.
-
- The body of @{syntax_ref verbatim} may consist of any text not
- containing ``@{verbatim "*"}@{verbatim "}"}''; this allows
- convenient inclusion of quotes without further escapes. There is no
- way to escape ``@{verbatim "*"}@{verbatim "}"}''. If the quoted
- text is {\LaTeX} source, one may usually add some blank or comment
- to avoid the critical character sequence.
-
- Source comments take the form @{verbatim "(*"}~@{text
- "\<dots>"}~@{verbatim "*)"} and may be nested, although the user-interface
- might prevent this. Note that this form indicates source comments
- only, which are stripped after lexical analysis of the input. The
- Isar syntax also provides proper \emph{document comments} that are
- considered as part of the text (see \secref{sec:comments}).
-
- Common mathematical symbols such as @{text \<forall>} are represented in
- Isabelle as @{verbatim \<forall>}. There are infinitely many Isabelle
- symbols like this, although proper presentation is left to front-end
- tools such as {\LaTeX}, Proof~General, or Isabelle/jEdit. A list of
- predefined Isabelle symbols that work well with these tools is given
- in \appref{app:symbols}. Note that @{verbatim "\<lambda>"} does not belong
- to the @{text letter} category, since it is already used differently
- in the Pure term language. *}
-
-
-section {* Common syntax entities *}
-
-text {*
- We now introduce several basic syntactic entities, such as names,
- terms, and theorem specifications, which are factored out of the
- actual Isar language elements to be described later.
-*}
-
-
-subsection {* Names *}
-
-text {* Entity @{syntax name} usually refers to any name of types,
- constants, theorems etc.\ that are to be \emph{declared} or
- \emph{defined} (so qualified identifiers are excluded here). Quoted
- strings provide an escape for non-identifier names or those ruled
- out by outer syntax keywords (e.g.\ quoted @{verbatim "\"let\""}).
- Already existing objects are usually referenced by @{syntax
- nameref}.
-
- @{rail "
- @{syntax_def name}: @{syntax ident} | @{syntax symident} |
- @{syntax string} | @{syntax nat}
- ;
- @{syntax_def parname}: '(' @{syntax name} ')'
- ;
- @{syntax_def nameref}: @{syntax name} | @{syntax longident}
- "}
-*}
-
-
-subsection {* Numbers *}
-
-text {* The outer lexical syntax (\secref{sec:outer-lex}) admits
- natural numbers and floating point numbers. These are combined as
- @{syntax int} and @{syntax real} as follows.
-
- @{rail "
- @{syntax_def int}: @{syntax nat} | '-' @{syntax nat}
- ;
- @{syntax_def real}: @{syntax float} | @{syntax int}
- "}
-
- Note that there is an overlap with the category @{syntax name},
- which also includes @{syntax nat}.
-*}
-
-
-subsection {* Comments \label{sec:comments} *}
-
-text {* Large chunks of plain @{syntax text} are usually given
- @{syntax verbatim}, i.e.\ enclosed in @{verbatim "{"}@{verbatim
- "*"}~@{text "\<dots>"}~@{verbatim "*"}@{verbatim "}"}. For convenience,
- any of the smaller text units conforming to @{syntax nameref} are
- admitted as well. A marginal @{syntax comment} is of the form
- @{verbatim "--"}~@{syntax text}. Any number of these may occur
- within Isabelle/Isar commands.
-
- @{rail "
- @{syntax_def text}: @{syntax verbatim} | @{syntax nameref}
- ;
- @{syntax_def comment}: '--' @{syntax text}
- "}
-*}
-
-
-subsection {* Type classes, sorts and arities *}
-
-text {*
- Classes are specified by plain names. Sorts have a very simple
- inner syntax, which is either a single class name @{text c} or a
- list @{text "{c\<^sub>1, \<dots>, c\<^sub>n}"} referring to the
- intersection of these classes. The syntax of type arities is given
- directly at the outer level.
-
- @{rail "
- @{syntax_def classdecl}: @{syntax name} (('<' | '\<subseteq>') (@{syntax nameref} + ','))?
- ;
- @{syntax_def sort}: @{syntax nameref}
- ;
- @{syntax_def arity}: ('(' (@{syntax sort} + ',') ')')? @{syntax sort}
- "}
-*}
-
-
-subsection {* Types and terms \label{sec:types-terms} *}
-
-text {*
- The actual inner Isabelle syntax, that of types and terms of the
- logic, is far too sophisticated in order to be modelled explicitly
- at the outer theory level. Basically, any such entity has to be
- quoted to turn it into a single token (the parsing and type-checking
- is performed internally later). For convenience, a slightly more
- liberal convention is adopted: quotes may be omitted for any type or
- term that is already atomic at the outer level. For example, one
- may just write @{verbatim x} instead of quoted @{verbatim "\"x\""}.
- Note that symbolic identifiers (e.g.\ @{verbatim "++"} or @{text
- "\<forall>"} are available as well, provided these have not been superseded
- by commands or other keywords already (such as @{verbatim "="} or
- @{verbatim "+"}).
-
- @{rail "
- @{syntax_def type}: @{syntax nameref} | @{syntax typefree} |
- @{syntax typevar}
- ;
- @{syntax_def term}: @{syntax nameref} | @{syntax var}
- ;
- @{syntax_def prop}: @{syntax term}
- "}
-
- Positional instantiations are indicated by giving a sequence of
- terms, or the placeholder ``@{text _}'' (underscore), which means to
- skip a position.
-
- @{rail "
- @{syntax_def inst}: '_' | @{syntax term}
- ;
- @{syntax_def insts}: (@{syntax inst} *)
- "}
-
- Type declarations and definitions usually refer to @{syntax
- typespec} on the left-hand side. This models basic type constructor
- application at the outer syntax level. Note that only plain postfix
- notation is available here, but no infixes.
-
- @{rail "
- @{syntax_def typespec}:
- (() | @{syntax typefree} | '(' ( @{syntax typefree} + ',' ) ')') @{syntax name}
- ;
- @{syntax_def typespec_sorts}:
- (() | (@{syntax typefree} ('::' @{syntax sort})?) |
- '(' ( (@{syntax typefree} ('::' @{syntax sort})?) + ',' ) ')') @{syntax name}
- "}
-*}
-
-
-subsection {* Term patterns and declarations \label{sec:term-decls} *}
-
-text {* Wherever explicit propositions (or term fragments) occur in a
- proof text, casual binding of schematic term variables may be given
- specified via patterns of the form ``@{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"}''.
- This works both for @{syntax term} and @{syntax prop}.
-
- @{rail "
- @{syntax_def term_pat}: '(' (@'is' @{syntax term} +) ')'
- ;
- @{syntax_def prop_pat}: '(' (@'is' @{syntax prop} +) ')'
- "}
-
- \medskip Declarations of local variables @{text "x :: \<tau>"} and
- logical propositions @{text "a : \<phi>"} represent different views on
- the same principle of introducing a local scope. In practice, one
- may usually omit the typing of @{syntax vars} (due to
- type-inference), and the naming of propositions (due to implicit
- references of current facts). In any case, Isar proof elements
- usually admit to introduce multiple such items simultaneously.
-
- @{rail "
- @{syntax_def vars}: (@{syntax name} +) ('::' @{syntax type})?
- ;
- @{syntax_def props}: @{syntax thmdecl}? (@{syntax prop} @{syntax prop_pat}? +)
- "}
-
- The treatment of multiple declarations corresponds to the
- complementary focus of @{syntax vars} versus @{syntax props}. In
- ``@{text "x\<^sub>1 \<dots> x\<^sub>n :: \<tau>"}'' the typing refers to all variables, while
- in @{text "a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} the naming refers to all propositions
- collectively. Isar language elements that refer to @{syntax vars}
- or @{syntax props} typically admit separate typings or namings via
- another level of iteration, with explicit @{keyword_ref "and"}
- separators; e.g.\ see @{command "fix"} and @{command "assume"} in
- \secref{sec:proof-context}.
-*}
-
-
-subsection {* Attributes and theorems \label{sec:syn-att} *}
-
-text {* Attributes have their own ``semi-inner'' syntax, in the sense
- that input conforming to @{syntax args} below is parsed by the
- attribute a second time. The attribute argument specifications may
- be any sequence of atomic entities (identifiers, strings etc.), or
- properly bracketed argument lists. Below @{syntax atom} refers to
- any atomic entity, including any @{syntax keyword} conforming to
- @{syntax symident}.
-
- @{rail "
- @{syntax_def atom}: @{syntax nameref} | @{syntax typefree} |
- @{syntax typevar} | @{syntax var} | @{syntax nat} | @{syntax float} |
- @{syntax keyword}
- ;
- arg: @{syntax atom} | '(' @{syntax args} ')' | '[' @{syntax args} ']'
- ;
- @{syntax_def args}: arg *
- ;
- @{syntax_def attributes}: '[' (@{syntax nameref} @{syntax args} * ',') ']'
- "}
-
- Theorem specifications come in several flavors: @{syntax axmdecl}
- and @{syntax thmdecl} usually refer to axioms, assumptions or
- results of goal statements, while @{syntax thmdef} collects lists of
- existing theorems. Existing theorems are given by @{syntax thmref}
- and @{syntax thmrefs}, the former requires an actual singleton
- result.
-
- There are three forms of theorem references:
- \begin{enumerate}
-
- \item named facts @{text "a"},
-
- \item selections from named facts @{text "a(i)"} or @{text "a(j - k)"},
-
- \item literal fact propositions using @{syntax_ref altstring} syntax
- @{verbatim "`"}@{text "\<phi>"}@{verbatim "`"} (see also method
- @{method_ref fact}).
-
- \end{enumerate}
-
- Any kind of theorem specification may include lists of attributes
- both on the left and right hand sides; attributes are applied to any
- immediately preceding fact. If names are omitted, the theorems are
- not stored within the theorem database of the theory or proof
- context, but any given attributes are applied nonetheless.
-
- An extra pair of brackets around attributes (like ``@{text
- "[[simproc a]]"}'') abbreviates a theorem reference involving an
- internal dummy fact, which will be ignored later on. So only the
- effect of the attribute on the background context will persist.
- This form of in-place declarations is particularly useful with
- commands like @{command "declare"} and @{command "using"}.
-
- @{rail "
- @{syntax_def axmdecl}: @{syntax name} @{syntax attributes}? ':'
- ;
- @{syntax_def thmdecl}: thmbind ':'
- ;
- @{syntax_def thmdef}: thmbind '='
- ;
- @{syntax_def thmref}:
- (@{syntax nameref} selection? | @{syntax altstring}) @{syntax attributes}? |
- '[' @{syntax attributes} ']'
- ;
- @{syntax_def thmrefs}: @{syntax thmref} +
- ;
-
- thmbind: @{syntax name} @{syntax attributes} | @{syntax name} | @{syntax attributes}
- ;
- selection: '(' ((@{syntax nat} | @{syntax nat} '-' @{syntax nat}?) + ',') ')'
- "}
-*}
-
-end
--- a/doc-src/IsarRef/Preface.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,70 +0,0 @@
-theory Preface
-imports Base Main
-begin
-
-chapter {* Preface *}
-
-text {*
- The \emph{Isabelle} system essentially provides a generic
- infrastructure for building deductive systems (programmed in
- Standard ML), with a special focus on interactive theorem proving in
- higher-order logics. Many years ago, even end-users would refer to
- certain ML functions (goal commands, tactics, tacticals etc.) to
- pursue their everyday theorem proving tasks.
-
- In contrast \emph{Isar} provides an interpreted language environment
- of its own, which has been specifically tailored for the needs of
- theory and proof development. Compared to raw ML, the Isabelle/Isar
- top-level provides a more robust and comfortable development
- platform, with proper support for theory development graphs, managed
- transactions with unlimited undo etc. The Isabelle/Isar version of
- the \emph{Proof~General} user interface
- \cite{proofgeneral,Aspinall:TACAS:2000} provides a decent front-end
- for interactive theory and proof development in this advanced
- theorem proving environment, even though it is somewhat biased
- towards old-style proof scripts.
-
- \medskip Apart from the technical advances over bare-bones ML
- programming, the main purpose of the Isar language is to provide a
- conceptually different view on machine-checked proofs
- \cite{Wenzel:1999:TPHOL,Wenzel-PhD}. \emph{Isar} stands for
- \emph{Intelligible semi-automated reasoning}. Drawing from both the
- traditions of informal mathematical proof texts and high-level
- programming languages, Isar offers a versatile environment for
- structured formal proof documents. Thus properly written Isar
- proofs become accessible to a broader audience than unstructured
- tactic scripts (which typically only provide operational information
- for the machine). Writing human-readable proof texts certainly
- requires some additional efforts by the writer to achieve a good
- presentation, both of formal and informal parts of the text. On the
- other hand, human-readable formal texts gain some value in their own
- right, independently of the mechanic proof-checking process.
-
- Despite its grand design of structured proof texts, Isar is able to
- assimilate the old tactical style as an ``improper'' sub-language.
- This provides an easy upgrade path for existing tactic scripts, as
- well as some means for interactive experimentation and debugging of
- structured proofs. Isabelle/Isar supports a broad range of proof
- styles, both readable and unreadable ones.
-
- \medskip The generic Isabelle/Isar framework (see
- \chref{ch:isar-framework}) works reasonably well for any Isabelle
- object-logic that conforms to the natural deduction view of the
- Isabelle/Pure framework. Specific language elements introduced by
- Isabelle/HOL are described in \chref{ch:hol}. Although the main
- language elements are already provided by the Isabelle/Pure
- framework, examples given in the generic parts will usually refer to
- Isabelle/HOL.
-
- \medskip Isar commands may be either \emph{proper} document
- constructors, or \emph{improper commands}. Some proof methods and
- attributes introduced later are classified as improper as well.
- Improper Isar language elements, which are marked by ``@{text
- "\<^sup>*"}'' in the subsequent chapters; they are often helpful
- when developing proof documents, but their use is discouraged for
- the final human-readable outcome. Typical examples are diagnostic
- commands that print terms or theorems according to the current
- context; other commands emulate old-style tactical theorem proving.
-*}
-
-end
--- a/doc-src/IsarRef/Proof.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1522 +0,0 @@
-theory Proof
-imports Base Main
-begin
-
-chapter {* Proofs \label{ch:proofs} *}
-
-text {*
- Proof commands perform transitions of Isar/VM machine
- configurations, which are block-structured, consisting of a stack of
- nodes with three main components: logical proof context, current
- facts, and open goals. Isar/VM transitions are typed according to
- the following three different modes of operation:
-
- \begin{description}
-
- \item @{text "proof(prove)"} means that a new goal has just been
- stated that is now to be \emph{proven}; the next command may refine
- it by some proof method, and enter a sub-proof to establish the
- actual result.
-
- \item @{text "proof(state)"} is like a nested theory mode: the
- context may be augmented by \emph{stating} additional assumptions,
- intermediate results etc.
-
- \item @{text "proof(chain)"} is intermediate between @{text
- "proof(state)"} and @{text "proof(prove)"}: existing facts (i.e.\
- the contents of the special ``@{fact_ref this}'' register) have been
- just picked up in order to be used when refining the goal claimed
- next.
-
- \end{description}
-
- The proof mode indicator may be understood as an instruction to the
- writer, telling what kind of operation may be performed next. The
- corresponding typings of proof commands restricts the shape of
- well-formed proof texts to particular command sequences. So dynamic
- arrangements of commands eventually turn out as static texts of a
- certain structure.
-
- \Appref{ap:refcard} gives a simplified grammar of the (extensible)
- language emerging that way from the different types of proof
- commands. The main ideas of the overall Isar framework are
- explained in \chref{ch:isar-framework}.
-*}
-
-
-section {* Proof structure *}
-
-subsection {* Formal notepad *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "notepad"} & : & @{text "local_theory \<rightarrow> proof(state)"} \\
- \end{matharray}
-
- @{rail "
- @@{command notepad} @'begin'
- ;
- @@{command end}
- "}
-
- \begin{description}
-
- \item @{command "notepad"}~@{keyword "begin"} opens a proof state
- without any goal statement. This allows to experiment with Isar,
- without producing any persistent result.
-
- The notepad can be closed by @{command "end"} or discontinued by
- @{command "oops"}.
-
- \end{description}
-*}
-
-
-subsection {* Blocks *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "next"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "{"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "}"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- \end{matharray}
-
- While Isar is inherently block-structured, opening and closing
- blocks is mostly handled rather casually, with little explicit
- user-intervention. Any local goal statement automatically opens
- \emph{two} internal blocks, which are closed again when concluding
- the sub-proof (by @{command "qed"} etc.). Sections of different
- context within a sub-proof may be switched via @{command "next"},
- which is just a single block-close followed by block-open again.
- The effect of @{command "next"} is to reset the local proof context;
- there is no goal focus involved here!
-
- For slightly more advanced applications, there are explicit block
- parentheses as well. These typically achieve a stronger forward
- style of reasoning.
-
- \begin{description}
-
- \item @{command "next"} switches to a fresh block within a
- sub-proof, resetting the local context to the initial one.
-
- \item @{command "{"} and @{command "}"} explicitly open and close
- blocks. Any current facts pass through ``@{command "{"}''
- unchanged, while ``@{command "}"}'' causes any result to be
- \emph{exported} into the enclosing context. Thus fixed variables
- are generalized, assumptions discharged, and local definitions
- unfolded (cf.\ \secref{sec:proof-context}). There is no difference
- of @{command "assume"} and @{command "presume"} in this mode of
- forward reasoning --- in contrast to plain backward reasoning with
- the result exported at @{command "show"} time.
-
- \end{description}
-*}
-
-
-subsection {* Omitting proofs *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "oops"} & : & @{text "proof \<rightarrow> local_theory | theory"} \\
- \end{matharray}
-
- The @{command "oops"} command discontinues the current proof
- attempt, while considering the partial proof text as properly
- processed. This is conceptually quite different from ``faking''
- actual proofs via @{command_ref "sorry"} (see
- \secref{sec:proof-steps}): @{command "oops"} does not observe the
- proof structure at all, but goes back right to the theory level.
- Furthermore, @{command "oops"} does not produce any result theorem
- --- there is no intended claim to be able to complete the proof
- in any way.
-
- A typical application of @{command "oops"} is to explain Isar proofs
- \emph{within} the system itself, in conjunction with the document
- preparation tools of Isabelle described in \chref{ch:document-prep}.
- Thus partial or even wrong proof attempts can be discussed in a
- logically sound manner. Note that the Isabelle {\LaTeX} macros can
- be easily adapted to print something like ``@{text "\<dots>"}'' instead of
- the keyword ``@{command "oops"}''.
-*}
-
-
-section {* Statements *}
-
-subsection {* Context elements \label{sec:proof-context} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "fix"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "assume"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "presume"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "def"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- \end{matharray}
-
- The logical proof context consists of fixed variables and
- assumptions. The former closely correspond to Skolem constants, or
- meta-level universal quantification as provided by the Isabelle/Pure
- logical framework. Introducing some \emph{arbitrary, but fixed}
- variable via ``@{command "fix"}~@{text x}'' results in a local value
- that may be used in the subsequent proof as any other variable or
- constant. Furthermore, any result @{text "\<turnstile> \<phi>[x]"} exported from
- the context will be universally closed wrt.\ @{text x} at the
- outermost level: @{text "\<turnstile> \<And>x. \<phi>[x]"} (this is expressed in normal
- form using Isabelle's meta-variables).
-
- Similarly, introducing some assumption @{text \<chi>} has two effects.
- On the one hand, a local theorem is created that may be used as a
- fact in subsequent proof steps. On the other hand, any result
- @{text "\<chi> \<turnstile> \<phi>"} exported from the context becomes conditional wrt.\
- the assumption: @{text "\<turnstile> \<chi> \<Longrightarrow> \<phi>"}. Thus, solving an enclosing goal
- using such a result would basically introduce a new subgoal stemming
- from the assumption. How this situation is handled depends on the
- version of assumption command used: while @{command "assume"}
- insists on solving the subgoal by unification with some premise of
- the goal, @{command "presume"} leaves the subgoal unchanged in order
- to be proved later by the user.
-
- Local definitions, introduced by ``@{command "def"}~@{text "x \<equiv>
- t"}'', are achieved by combining ``@{command "fix"}~@{text x}'' with
- another version of assumption that causes any hypothetical equation
- @{text "x \<equiv> t"} to be eliminated by the reflexivity rule. Thus,
- exporting some result @{text "x \<equiv> t \<turnstile> \<phi>[x]"} yields @{text "\<turnstile>
- \<phi>[t]"}.
-
- @{rail "
- @@{command fix} (@{syntax vars} + @'and')
- ;
- (@@{command assume} | @@{command presume}) (@{syntax props} + @'and')
- ;
- @@{command def} (def + @'and')
- ;
- def: @{syntax thmdecl}? \\ @{syntax name} ('==' | '\<equiv>') @{syntax term} @{syntax term_pat}?
- "}
-
- \begin{description}
-
- \item @{command "fix"}~@{text x} introduces a local variable @{text
- x} that is \emph{arbitrary, but fixed.}
-
- \item @{command "assume"}~@{text "a: \<phi>"} and @{command
- "presume"}~@{text "a: \<phi>"} introduce a local fact @{text "\<phi> \<turnstile> \<phi>"} by
- assumption. Subsequent results applied to an enclosing goal (e.g.\
- by @{command_ref "show"}) are handled as follows: @{command
- "assume"} expects to be able to unify with existing premises in the
- goal, while @{command "presume"} leaves @{text \<phi>} as new subgoals.
-
- Several lists of assumptions may be given (separated by
- @{keyword_ref "and"}; the resulting list of current facts consists
- of all of these concatenated.
-
- \item @{command "def"}~@{text "x \<equiv> t"} introduces a local
- (non-polymorphic) definition. In results exported from the context,
- @{text x} is replaced by @{text t}. Basically, ``@{command
- "def"}~@{text "x \<equiv> t"}'' abbreviates ``@{command "fix"}~@{text
- x}~@{command "assume"}~@{text "x \<equiv> t"}'', with the resulting
- hypothetical equation solved by reflexivity.
-
- The default name for the definitional equation is @{text x_def}.
- Several simultaneous definitions may be given at the same time.
-
- \end{description}
-
- The special name @{fact_ref prems} refers to all assumptions of the
- current context as a list of theorems. This feature should be used
- with great care! It is better avoided in final proof texts.
-*}
-
-
-subsection {* Term abbreviations \label{sec:term-abbrev} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "let"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{keyword_def "is"} & : & syntax \\
- \end{matharray}
-
- Abbreviations may be either bound by explicit @{command
- "let"}~@{text "p \<equiv> t"} statements, or by annotating assumptions or
- goal statements with a list of patterns ``@{text "(\<IS> p\<^sub>1 \<dots>
- p\<^sub>n)"}''. In both cases, higher-order matching is invoked to
- bind extra-logical term variables, which may be either named
- schematic variables of the form @{text ?x}, or nameless dummies
- ``@{variable _}'' (underscore). Note that in the @{command "let"}
- form the patterns occur on the left-hand side, while the @{keyword
- "is"} patterns are in postfix position.
-
- Polymorphism of term bindings is handled in Hindley-Milner style,
- similar to ML. Type variables referring to local assumptions or
- open goal statements are \emph{fixed}, while those of finished
- results or bound by @{command "let"} may occur in \emph{arbitrary}
- instances later. Even though actual polymorphism should be rarely
- used in practice, this mechanism is essential to achieve proper
- incremental type-inference, as the user proceeds to build up the
- Isar proof text from left to right.
-
- \medskip Term abbreviations are quite different from local
- definitions as introduced via @{command "def"} (see
- \secref{sec:proof-context}). The latter are visible within the
- logic as actual equations, while abbreviations disappear during the
- input process just after type checking. Also note that @{command
- "def"} does not support polymorphism.
-
- @{rail "
- @@{command let} ((@{syntax term} + @'and') '=' @{syntax term} + @'and')
- "}
-
- The syntax of @{keyword "is"} patterns follows @{syntax term_pat} or
- @{syntax prop_pat} (see \secref{sec:term-decls}).
-
- \begin{description}
-
- \item @{command "let"}~@{text "p\<^sub>1 = t\<^sub>1 \<AND> \<dots> p\<^sub>n = t\<^sub>n"} binds any
- text variables in patterns @{text "p\<^sub>1, \<dots>, p\<^sub>n"} by simultaneous
- higher-order matching against terms @{text "t\<^sub>1, \<dots>, t\<^sub>n"}.
-
- \item @{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"} resembles @{command "let"}, but
- matches @{text "p\<^sub>1, \<dots>, p\<^sub>n"} against the preceding statement. Also
- note that @{keyword "is"} is not a separate command, but part of
- others (such as @{command "assume"}, @{command "have"} etc.).
-
- \end{description}
-
- Some \emph{implicit} term abbreviations\index{term abbreviations}
- for goals and facts are available as well. For any open goal,
- @{variable_ref thesis} refers to its object-level statement,
- abstracted over any meta-level parameters (if present). Likewise,
- @{variable_ref this} is bound for fact statements resulting from
- assumptions or finished goals. In case @{variable this} refers to
- an object-logic statement that is an application @{text "f t"}, then
- @{text t} is bound to the special text variable ``@{variable "\<dots>"}''
- (three dots). The canonical application of this convenience are
- calculational proofs (see \secref{sec:calculation}).
-*}
-
-
-subsection {* Facts and forward chaining \label{sec:proof-facts} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "note"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "then"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
- @{command_def "from"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
- @{command_def "with"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
- @{command_def "using"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
- @{command_def "unfolding"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- New facts are established either by assumption or proof of local
- statements. Any fact will usually be involved in further proofs,
- either as explicit arguments of proof methods, or when forward
- chaining towards the next goal via @{command "then"} (and variants);
- @{command "from"} and @{command "with"} are composite forms
- involving @{command "note"}. The @{command "using"} elements
- augments the collection of used facts \emph{after} a goal has been
- stated. Note that the special theorem name @{fact_ref this} refers
- to the most recently established facts, but only \emph{before}
- issuing a follow-up claim.
-
- @{rail "
- @@{command note} (@{syntax thmdef}? @{syntax thmrefs} + @'and')
- ;
- (@@{command from} | @@{command with} | @@{command using} | @@{command unfolding})
- (@{syntax thmrefs} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "note"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"} recalls existing facts
- @{text "b\<^sub>1, \<dots>, b\<^sub>n"}, binding the result as @{text a}. Note that
- attributes may be involved as well, both on the left and right hand
- sides.
-
- \item @{command "then"} indicates forward chaining by the current
- facts in order to establish the goal to be claimed next. The
- initial proof method invoked to refine that will be offered the
- facts to do ``anything appropriate'' (see also
- \secref{sec:proof-steps}). For example, method @{method (Pure) rule}
- (see \secref{sec:pure-meth-att}) would typically do an elimination
- rather than an introduction. Automatic methods usually insert the
- facts into the goal state before operation. This provides a simple
- scheme to control relevance of facts in automated proof search.
-
- \item @{command "from"}~@{text b} abbreviates ``@{command
- "note"}~@{text b}~@{command "then"}''; thus @{command "then"} is
- equivalent to ``@{command "from"}~@{text this}''.
-
- \item @{command "with"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} abbreviates ``@{command
- "from"}~@{text "b\<^sub>1 \<dots> b\<^sub>n \<AND> this"}''; thus the forward chaining
- is from earlier facts together with the current ones.
-
- \item @{command "using"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} augments the facts being
- currently indicated for use by a subsequent refinement step (such as
- @{command_ref "apply"} or @{command_ref "proof"}).
-
- \item @{command "unfolding"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} is structurally
- similar to @{command "using"}, but unfolds definitional equations
- @{text "b\<^sub>1, \<dots> b\<^sub>n"} throughout the goal state and facts.
-
- \end{description}
-
- Forward chaining with an empty list of theorems is the same as not
- chaining at all. Thus ``@{command "from"}~@{text nothing}'' has no
- effect apart from entering @{text "prove(chain)"} mode, since
- @{fact_ref nothing} is bound to the empty list of theorems.
-
- Basic proof methods (such as @{method_ref (Pure) rule}) expect multiple
- facts to be given in their proper order, corresponding to a prefix
- of the premises of the rule involved. Note that positions may be
- easily skipped using something like @{command "from"}~@{text "_
- \<AND> a \<AND> b"}, for example. This involves the trivial rule
- @{text "PROP \<psi> \<Longrightarrow> PROP \<psi>"}, which is bound in Isabelle/Pure as
- ``@{fact_ref "_"}'' (underscore).
-
- Automated methods (such as @{method simp} or @{method auto}) just
- insert any given facts before their usual operation. Depending on
- the kind of procedure involved, the order of facts is less
- significant here.
-*}
-
-
-subsection {* Goals \label{sec:goals} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "lemma"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "theorem"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "corollary"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "schematic_lemma"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "schematic_theorem"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "schematic_corollary"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
- @{command_def "have"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
- @{command_def "show"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
- @{command_def "hence"} & : & @{text "proof(state) \<rightarrow> proof(prove)"} \\
- @{command_def "thus"} & : & @{text "proof(state) \<rightarrow> proof(prove)"} \\
- @{command_def "print_statement"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- \end{matharray}
-
- From a theory context, proof mode is entered by an initial goal
- command such as @{command "lemma"}, @{command "theorem"}, or
- @{command "corollary"}. Within a proof, new claims may be
- introduced locally as well; four variants are available here to
- indicate whether forward chaining of facts should be performed
- initially (via @{command_ref "then"}), and whether the final result
- is meant to solve some pending goal.
-
- Goals may consist of multiple statements, resulting in a list of
- facts eventually. A pending multi-goal is internally represented as
- a meta-level conjunction (@{text "&&&"}), which is usually
- split into the corresponding number of sub-goals prior to an initial
- method application, via @{command_ref "proof"}
- (\secref{sec:proof-steps}) or @{command_ref "apply"}
- (\secref{sec:tactic-commands}). The @{method_ref induct} method
- covered in \secref{sec:cases-induct} acts on multiple claims
- simultaneously.
-
- Claims at the theory level may be either in short or long form. A
- short goal merely consists of several simultaneous propositions
- (often just one). A long goal includes an explicit context
- specification for the subsequent conclusion, involving local
- parameters and assumptions. Here the role of each part of the
- statement is explicitly marked by separate keywords (see also
- \secref{sec:locale}); the local assumptions being introduced here
- are available as @{fact_ref assms} in the proof. Moreover, there
- are two kinds of conclusions: @{element_def "shows"} states several
- simultaneous propositions (essentially a big conjunction), while
- @{element_def "obtains"} claims several simultaneous simultaneous
- contexts of (essentially a big disjunction of eliminated parameters
- and assumptions, cf.\ \secref{sec:obtain}).
-
- @{rail "
- (@@{command lemma} | @@{command theorem} | @@{command corollary} |
- @@{command schematic_lemma} | @@{command schematic_theorem} |
- @@{command schematic_corollary}) @{syntax target}? (goal | longgoal)
- ;
- (@@{command have} | @@{command show} | @@{command hence} | @@{command thus}) goal
- ;
- @@{command print_statement} @{syntax modes}? @{syntax thmrefs}
- ;
-
- goal: (@{syntax props} + @'and')
- ;
- longgoal: @{syntax thmdecl}? (@{syntax_ref \"includes\"}?) (@{syntax context_elem} * ) conclusion
- ;
- conclusion: @'shows' goal | @'obtains' (@{syntax parname}? case + '|')
- ;
- case: (@{syntax vars} + @'and') @'where' (@{syntax props} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "lemma"}~@{text "a: \<phi>"} enters proof mode with
- @{text \<phi>} as main goal, eventually resulting in some fact @{text "\<turnstile>
- \<phi>"} to be put back into the target context. An additional @{syntax
- context} specification may build up an initial proof context for the
- subsequent claim; this includes local definitions and syntax as
- well, see also @{syntax "includes"} in \secref{sec:bundle} and
- @{syntax context_elem} in \secref{sec:locale}.
-
- \item @{command "theorem"}~@{text "a: \<phi>"} and @{command
- "corollary"}~@{text "a: \<phi>"} are essentially the same as @{command
- "lemma"}~@{text "a: \<phi>"}, but the facts are internally marked as
- being of a different kind. This discrimination acts like a formal
- comment.
-
- \item @{command "schematic_lemma"}, @{command "schematic_theorem"},
- @{command "schematic_corollary"} are similar to @{command "lemma"},
- @{command "theorem"}, @{command "corollary"}, respectively but allow
- the statement to contain unbound schematic variables.
-
- Under normal circumstances, an Isar proof text needs to specify
- claims explicitly. Schematic goals are more like goals in Prolog,
- where certain results are synthesized in the course of reasoning.
- With schematic statements, the inherent compositionality of Isar
- proofs is lost, which also impacts performance, because proof
- checking is forced into sequential mode.
-
- \item @{command "have"}~@{text "a: \<phi>"} claims a local goal,
- eventually resulting in a fact within the current logical context.
- This operation is completely independent of any pending sub-goals of
- an enclosing goal statements, so @{command "have"} may be freely
- used for experimental exploration of potential results within a
- proof body.
-
- \item @{command "show"}~@{text "a: \<phi>"} is like @{command
- "have"}~@{text "a: \<phi>"} plus a second stage to refine some pending
- sub-goal for each one of the finished result, after having been
- exported into the corresponding context (at the head of the
- sub-proof of this @{command "show"} command).
-
- To accommodate interactive debugging, resulting rules are printed
- before being applied internally. Even more, interactive execution
- of @{command "show"} predicts potential failure and displays the
- resulting error as a warning beforehand. Watch out for the
- following message:
-
- %FIXME proper antiquitation
- \begin{ttbox}
- Problem! Local statement will fail to solve any pending goal
- \end{ttbox}
-
- \item @{command "hence"} abbreviates ``@{command "then"}~@{command
- "have"}'', i.e.\ claims a local goal to be proven by forward
- chaining the current facts. Note that @{command "hence"} is also
- equivalent to ``@{command "from"}~@{text this}~@{command "have"}''.
-
- \item @{command "thus"} abbreviates ``@{command "then"}~@{command
- "show"}''. Note that @{command "thus"} is also equivalent to
- ``@{command "from"}~@{text this}~@{command "show"}''.
-
- \item @{command "print_statement"}~@{text a} prints facts from the
- current theory or proof context in long statement form, according to
- the syntax for @{command "lemma"} given above.
-
- \end{description}
-
- Any goal statement causes some term abbreviations (such as
- @{variable_ref "?thesis"}) to be bound automatically, see also
- \secref{sec:term-abbrev}.
-
- The optional case names of @{element_ref "obtains"} have a twofold
- meaning: (1) during the of this claim they refer to the the local
- context introductions, (2) the resulting rule is annotated
- accordingly to support symbolic case splits when used with the
- @{method_ref cases} method (cf.\ \secref{sec:cases-induct}).
-*}
-
-
-section {* Refinement steps *}
-
-subsection {* Proof method expressions \label{sec:proof-meth} *}
-
-text {* Proof methods are either basic ones, or expressions composed
- of methods via ``@{verbatim ","}'' (sequential composition),
- ``@{verbatim "|"}'' (alternative choices), ``@{verbatim "?"}''
- (try), ``@{verbatim "+"}'' (repeat at least once), ``@{verbatim
- "["}@{text n}@{verbatim "]"}'' (restriction to first @{text n}
- sub-goals, with default @{text "n = 1"}). In practice, proof
- methods are usually just a comma separated list of @{syntax
- nameref}~@{syntax args} specifications. Note that parentheses may
- be dropped for single method specifications (with no arguments).
-
- @{rail "
- @{syntax_def method}:
- (@{syntax nameref} | '(' methods ')') (() | '?' | '+' | '[' @{syntax nat}? ']')
- ;
- methods: (@{syntax nameref} @{syntax args} | @{syntax method}) + (',' | '|')
- "}
-
- Proper Isar proof methods do \emph{not} admit arbitrary goal
- addressing, but refer either to the first sub-goal or all sub-goals
- uniformly. The goal restriction operator ``@{text "[n]"}''
- evaluates a method expression within a sandbox consisting of the
- first @{text n} sub-goals (which need to exist). For example, the
- method ``@{text "simp_all[3]"}'' simplifies the first three
- sub-goals, while ``@{text "(rule foo, simp_all)[]"}'' simplifies all
- new goals that emerge from applying rule @{text "foo"} to the
- originally first one.
-
- Improper methods, notably tactic emulations, offer a separate
- low-level goal addressing scheme as explicit argument to the
- individual tactic being involved. Here ``@{text "[!]"}'' refers to
- all goals, and ``@{text "[n-]"}'' to all goals starting from @{text
- "n"}.
-
- @{rail "
- @{syntax_def goal_spec}:
- '[' (@{syntax nat} '-' @{syntax nat} | @{syntax nat} '-' | @{syntax nat} | '!' ) ']'
- "}
-*}
-
-
-subsection {* Initial and terminal proof steps \label{sec:proof-steps} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "proof"} & : & @{text "proof(prove) \<rightarrow> proof(state)"} \\
- @{command_def "qed"} & : & @{text "proof(state) \<rightarrow> proof(state) | local_theory | theory"} \\
- @{command_def "by"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
- @{command_def ".."} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
- @{command_def "."} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
- @{command_def "sorry"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
- \end{matharray}
-
- Arbitrary goal refinement via tactics is considered harmful.
- Structured proof composition in Isar admits proof methods to be
- invoked in two places only.
-
- \begin{enumerate}
-
- \item An \emph{initial} refinement step @{command_ref
- "proof"}~@{text "m\<^sub>1"} reduces a newly stated goal to a number
- of sub-goals that are to be solved later. Facts are passed to
- @{text "m\<^sub>1"} for forward chaining, if so indicated by @{text
- "proof(chain)"} mode.
-
- \item A \emph{terminal} conclusion step @{command_ref "qed"}~@{text
- "m\<^sub>2"} is intended to solve remaining goals. No facts are
- passed to @{text "m\<^sub>2"}.
-
- \end{enumerate}
-
- The only other (proper) way to affect pending goals in a proof body
- is by @{command_ref "show"}, which involves an explicit statement of
- what is to be solved eventually. Thus we avoid the fundamental
- problem of unstructured tactic scripts that consist of numerous
- consecutive goal transformations, with invisible effects.
-
- \medskip As a general rule of thumb for good proof style, initial
- proof methods should either solve the goal completely, or constitute
- some well-understood reduction to new sub-goals. Arbitrary
- automatic proof tools that are prone leave a large number of badly
- structured sub-goals are no help in continuing the proof document in
- an intelligible manner.
-
- Unless given explicitly by the user, the default initial method is
- @{method_ref (Pure) rule} (or its classical variant @{method_ref
- rule}), which applies a single standard elimination or introduction
- rule according to the topmost symbol involved. There is no separate
- default terminal method. Any remaining goals are always solved by
- assumption in the very last step.
-
- @{rail "
- @@{command proof} method?
- ;
- @@{command qed} method?
- ;
- @@{command \"by\"} method method?
- ;
- (@@{command \".\"} | @@{command \"..\"} | @@{command sorry})
- "}
-
- \begin{description}
-
- \item @{command "proof"}~@{text "m\<^sub>1"} refines the goal by proof
- method @{text "m\<^sub>1"}; facts for forward chaining are passed if so
- indicated by @{text "proof(chain)"} mode.
-
- \item @{command "qed"}~@{text "m\<^sub>2"} refines any remaining goals by
- proof method @{text "m\<^sub>2"} and concludes the sub-proof by assumption.
- If the goal had been @{text "show"} (or @{text "thus"}), some
- pending sub-goal is solved as well by the rule resulting from the
- result \emph{exported} into the enclosing goal context. Thus @{text
- "qed"} may fail for two reasons: either @{text "m\<^sub>2"} fails, or the
- resulting rule does not fit to any pending goal\footnote{This
- includes any additional ``strong'' assumptions as introduced by
- @{command "assume"}.} of the enclosing context. Debugging such a
- situation might involve temporarily changing @{command "show"} into
- @{command "have"}, or weakening the local context by replacing
- occurrences of @{command "assume"} by @{command "presume"}.
-
- \item @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} is a \emph{terminal
- proof}\index{proof!terminal}; it abbreviates @{command
- "proof"}~@{text "m\<^sub>1"}~@{command "qed"}~@{text "m\<^sub>2"}, but with
- backtracking across both methods. Debugging an unsuccessful
- @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} command can be done by expanding its
- definition; in many cases @{command "proof"}~@{text "m\<^sub>1"} (or even
- @{text "apply"}~@{text "m\<^sub>1"}) is already sufficient to see the
- problem.
-
- \item ``@{command ".."}'' is a \emph{default
- proof}\index{proof!default}; it abbreviates @{command "by"}~@{text
- "rule"}.
-
- \item ``@{command "."}'' is a \emph{trivial
- proof}\index{proof!trivial}; it abbreviates @{command "by"}~@{text
- "this"}.
-
- \item @{command "sorry"} is a \emph{fake proof}\index{proof!fake}
- pretending to solve the pending claim without further ado. This
- only works in interactive development, or if the @{ML
- quick_and_dirty} flag is enabled (in ML). Facts emerging from fake
- proofs are not the real thing. Internally, each theorem container
- is tainted by an oracle invocation, which is indicated as ``@{text
- "[!]"}'' in the printed result.
-
- The most important application of @{command "sorry"} is to support
- experimentation and top-down proof development.
-
- \end{description}
-*}
-
-
-subsection {* Fundamental methods and attributes \label{sec:pure-meth-att} *}
-
-text {*
- The following proof methods and attributes refer to basic logical
- operations of Isar. Further methods and attributes are provided by
- several generic and object-logic specific tools and packages (see
- \chref{ch:gen-tools} and \chref{ch:hol}).
-
- \begin{matharray}{rcl}
- @{method_def "-"} & : & @{text method} \\
- @{method_def "fact"} & : & @{text method} \\
- @{method_def "assumption"} & : & @{text method} \\
- @{method_def "this"} & : & @{text method} \\
- @{method_def (Pure) "rule"} & : & @{text method} \\
- @{attribute_def (Pure) "intro"} & : & @{text attribute} \\
- @{attribute_def (Pure) "elim"} & : & @{text attribute} \\
- @{attribute_def (Pure) "dest"} & : & @{text attribute} \\
- @{attribute_def (Pure) "rule"} & : & @{text attribute} \\[0.5ex]
- @{attribute_def "OF"} & : & @{text attribute} \\
- @{attribute_def "of"} & : & @{text attribute} \\
- @{attribute_def "where"} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{method fact} @{syntax thmrefs}?
- ;
- @@{method (Pure) rule} @{syntax thmrefs}?
- ;
- rulemod: ('intro' | 'elim' | 'dest')
- ((('!' | () | '?') @{syntax nat}?) | 'del') ':' @{syntax thmrefs}
- ;
- (@@{attribute intro} | @@{attribute elim} | @@{attribute dest})
- ('!' | () | '?') @{syntax nat}?
- ;
- @@{attribute (Pure) rule} 'del'
- ;
- @@{attribute OF} @{syntax thmrefs}
- ;
- @@{attribute of} @{syntax insts} ('concl' ':' @{syntax insts})?
- ;
- @@{attribute \"where\"}
- ((@{syntax name} | @{syntax var} | @{syntax typefree} | @{syntax typevar}) '='
- (@{syntax type} | @{syntax term}) * @'and')
- "}
-
- \begin{description}
-
- \item ``@{method "-"}'' (minus) does nothing but insert the forward
- chaining facts as premises into the goal. Note that command
- @{command_ref "proof"} without any method actually performs a single
- reduction step using the @{method_ref (Pure) rule} method; thus a plain
- \emph{do-nothing} proof step would be ``@{command "proof"}~@{text
- "-"}'' rather than @{command "proof"} alone.
-
- \item @{method "fact"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} composes some fact from
- @{text "a\<^sub>1, \<dots>, a\<^sub>n"} (or implicitly from the current proof context)
- modulo unification of schematic type and term variables. The rule
- structure is not taken into account, i.e.\ meta-level implication is
- considered atomic. This is the same principle underlying literal
- facts (cf.\ \secref{sec:syn-att}): ``@{command "have"}~@{text
- "\<phi>"}~@{command "by"}~@{text fact}'' is equivalent to ``@{command
- "note"}~@{verbatim "`"}@{text \<phi>}@{verbatim "`"}'' provided that
- @{text "\<turnstile> \<phi>"} is an instance of some known @{text "\<turnstile> \<phi>"} in the
- proof context.
-
- \item @{method assumption} solves some goal by a single assumption
- step. All given facts are guaranteed to participate in the
- refinement; this means there may be only 0 or 1 in the first place.
- Recall that @{command "qed"} (\secref{sec:proof-steps}) already
- concludes any remaining sub-goals by assumption, so structured
- proofs usually need not quote the @{method assumption} method at
- all.
-
- \item @{method this} applies all of the current facts directly as
- rules. Recall that ``@{command "."}'' (dot) abbreviates ``@{command
- "by"}~@{text this}''.
-
- \item @{method (Pure) rule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} applies some rule given as
- argument in backward manner; facts are used to reduce the rule
- before applying it to the goal. Thus @{method (Pure) rule} without facts
- is plain introduction, while with facts it becomes elimination.
-
- When no arguments are given, the @{method (Pure) rule} method tries to pick
- appropriate rules automatically, as declared in the current context
- using the @{attribute (Pure) intro}, @{attribute (Pure) elim},
- @{attribute (Pure) dest} attributes (see below). This is the
- default behavior of @{command "proof"} and ``@{command ".."}''
- (double-dot) steps (see \secref{sec:proof-steps}).
-
- \item @{attribute (Pure) intro}, @{attribute (Pure) elim}, and
- @{attribute (Pure) dest} declare introduction, elimination, and
- destruct rules, to be used with method @{method (Pure) rule}, and similar
- tools. Note that the latter will ignore rules declared with
- ``@{text "?"}'', while ``@{text "!"}'' are used most aggressively.
-
- The classical reasoner (see \secref{sec:classical}) introduces its
- own variants of these attributes; use qualified names to access the
- present versions of Isabelle/Pure, i.e.\ @{attribute (Pure)
- "Pure.intro"}.
-
- \item @{attribute (Pure) rule}~@{text del} undeclares introduction,
- elimination, or destruct rules.
-
- \item @{attribute OF}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} applies some theorem to all
- of the given rules @{text "a\<^sub>1, \<dots>, a\<^sub>n"} in canonical right-to-left
- order, which means that premises stemming from the @{text "a\<^sub>i"}
- emerge in parallel in the result, without interfering with each
- other. In many practical situations, the @{text "a\<^sub>i"} do not have
- premises themselves, so @{text "rule [OF a\<^sub>1 \<dots> a\<^sub>n]"} can be actually
- read as functional application (modulo unification).
-
- Argument positions may be effectively skipped by using ``@{text _}''
- (underscore), which refers to the propositional identity rule in the
- Pure theory.
-
- \item @{attribute of}~@{text "t\<^sub>1 \<dots> t\<^sub>n"} performs positional
- instantiation of term variables. The terms @{text "t\<^sub>1, \<dots>, t\<^sub>n"} are
- substituted for any schematic variables occurring in a theorem from
- left to right; ``@{text _}'' (underscore) indicates to skip a
- position. Arguments following a ``@{text "concl:"}'' specification
- refer to positions of the conclusion of a rule.
-
- \item @{attribute "where"}~@{text "x\<^sub>1 = t\<^sub>1 \<AND> \<dots> x\<^sub>n = t\<^sub>n"}
- performs named instantiation of schematic type and term variables
- occurring in a theorem. Schematic variables have to be specified on
- the left-hand side (e.g.\ @{text "?x1.3"}). The question mark may
- be omitted if the variable name is a plain identifier without index.
- As type instantiations are inferred from term instantiations,
- explicit type instantiations are seldom necessary.
-
- \end{description}
-*}
-
-
-subsection {* Emulating tactic scripts \label{sec:tactic-commands} *}
-
-text {*
- The Isar provides separate commands to accommodate tactic-style
- proof scripts within the same system. While being outside the
- orthodox Isar proof language, these might come in handy for
- interactive exploration and debugging, or even actual tactical proof
- within new-style theories (to benefit from document preparation, for
- example). See also \secref{sec:tactics} for actual tactics, that
- have been encapsulated as proof methods. Proper proof methods may
- be used in scripts, too.
-
- \begin{matharray}{rcl}
- @{command_def "apply"}@{text "\<^sup>*"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
- @{command_def "apply_end"}@{text "\<^sup>*"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "done"}@{text "\<^sup>*"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
- @{command_def "defer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "prefer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "back"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
- \end{matharray}
-
- @{rail "
- ( @@{command apply} | @@{command apply_end} ) @{syntax method}
- ;
- @@{command defer} @{syntax nat}?
- ;
- @@{command prefer} @{syntax nat}
- "}
-
- \begin{description}
-
- \item @{command "apply"}~@{text m} applies proof method @{text m} in
- initial position, but unlike @{command "proof"} it retains ``@{text
- "proof(prove)"}'' mode. Thus consecutive method applications may be
- given just as in tactic scripts.
-
- Facts are passed to @{text m} as indicated by the goal's
- forward-chain mode, and are \emph{consumed} afterwards. Thus any
- further @{command "apply"} command would always work in a purely
- backward manner.
-
- \item @{command "apply_end"}~@{text "m"} applies proof method @{text
- m} as if in terminal position. Basically, this simulates a
- multi-step tactic script for @{command "qed"}, but may be given
- anywhere within the proof body.
-
- No facts are passed to @{text m} here. Furthermore, the static
- context is that of the enclosing goal (as for actual @{command
- "qed"}). Thus the proof method may not refer to any assumptions
- introduced in the current body, for example.
-
- \item @{command "done"} completes a proof script, provided that the
- current goal state is solved completely. Note that actual
- structured proof commands (e.g.\ ``@{command "."}'' or @{command
- "sorry"}) may be used to conclude proof scripts as well.
-
- \item @{command "defer"}~@{text n} and @{command "prefer"}~@{text n}
- shuffle the list of pending goals: @{command "defer"} puts off
- sub-goal @{text n} to the end of the list (@{text "n = 1"} by
- default), while @{command "prefer"} brings sub-goal @{text n} to the
- front.
-
- \item @{command "back"} does back-tracking over the result sequence
- of the latest proof command. Basically, any proof command may
- return multiple results.
-
- \end{description}
-
- Any proper Isar proof method may be used with tactic script commands
- such as @{command "apply"}. A few additional emulations of actual
- tactics are provided as well; these would be never used in actual
- structured proofs, of course.
-*}
-
-
-subsection {* Defining proof methods *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "method_setup"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- @@{command method_setup} @{syntax name} '=' @{syntax text} @{syntax text}?
- ;
- "}
-
- \begin{description}
-
- \item @{command "method_setup"}~@{text "name = text description"}
- defines a proof method in the current theory. The given @{text
- "text"} has to be an ML expression of type
- @{ML_type "(Proof.context -> Proof.method) context_parser"}, cf.\
- basic parsers defined in structure @{ML_struct Args} and @{ML_struct
- Attrib}. There are also combinators like @{ML METHOD} and @{ML
- SIMPLE_METHOD} to turn certain tactic forms into official proof
- methods; the primed versions refer to tactics with explicit goal
- addressing.
-
- Here are some example method definitions:
-
- \end{description}
-*}
-
- method_setup my_method1 = {*
- Scan.succeed (K (SIMPLE_METHOD' (fn i: int => no_tac)))
- *} "my first method (without any arguments)"
-
- method_setup my_method2 = {*
- Scan.succeed (fn ctxt: Proof.context =>
- SIMPLE_METHOD' (fn i: int => no_tac))
- *} "my second method (with context)"
-
- method_setup my_method3 = {*
- Attrib.thms >> (fn thms: thm list => fn ctxt: Proof.context =>
- SIMPLE_METHOD' (fn i: int => no_tac))
- *} "my third method (with theorem arguments and context)"
-
-
-section {* Generalized elimination \label{sec:obtain} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "obtain"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
- @{command_def "guess"}@{text "\<^sup>*"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
- \end{matharray}
-
- Generalized elimination means that additional elements with certain
- properties may be introduced in the current context, by virtue of a
- locally proven ``soundness statement''. Technically speaking, the
- @{command "obtain"} language element is like a declaration of
- @{command "fix"} and @{command "assume"} (see also see
- \secref{sec:proof-context}), together with a soundness proof of its
- additional claim. According to the nature of existential reasoning,
- assumptions get eliminated from any result exported from the context
- later, provided that the corresponding parameters do \emph{not}
- occur in the conclusion.
-
- @{rail "
- @@{command obtain} @{syntax parname}? (@{syntax vars} + @'and')
- @'where' (@{syntax props} + @'and')
- ;
- @@{command guess} (@{syntax vars} + @'and')
- "}
-
- The derived Isar command @{command "obtain"} is defined as follows
- (where @{text "b\<^sub>1, \<dots>, b\<^sub>k"} shall refer to (optional)
- facts indicated for forward chaining).
- \begin{matharray}{l}
- @{text "\<langle>using b\<^sub>1 \<dots> b\<^sub>k\<rangle>"}~~@{command "obtain"}~@{text "x\<^sub>1 \<dots> x\<^sub>m \<WHERE> a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n \<langle>proof\<rangle> \<equiv>"} \\[1ex]
- \quad @{command "have"}~@{text "\<And>thesis. (\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis) \<Longrightarrow> thesis"} \\
- \quad @{command "proof"}~@{method succeed} \\
- \qquad @{command "fix"}~@{text thesis} \\
- \qquad @{command "assume"}~@{text "that [Pure.intro?]: \<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis"} \\
- \qquad @{command "then"}~@{command "show"}~@{text thesis} \\
- \quad\qquad @{command "apply"}~@{text -} \\
- \quad\qquad @{command "using"}~@{text "b\<^sub>1 \<dots> b\<^sub>k \<langle>proof\<rangle>"} \\
- \quad @{command "qed"} \\
- \quad @{command "fix"}~@{text "x\<^sub>1 \<dots> x\<^sub>m"}~@{command "assume"}@{text "\<^sup>* a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} \\
- \end{matharray}
-
- Typically, the soundness proof is relatively straight-forward, often
- just by canonical automated tools such as ``@{command "by"}~@{text
- simp}'' or ``@{command "by"}~@{text blast}''. Accordingly, the
- ``@{text that}'' reduction above is declared as simplification and
- introduction rule.
-
- In a sense, @{command "obtain"} represents at the level of Isar
- proofs what would be meta-logical existential quantifiers and
- conjunctions. This concept has a broad range of useful
- applications, ranging from plain elimination (or introduction) of
- object-level existential and conjunctions, to elimination over
- results of symbolic evaluation of recursive definitions, for
- example. Also note that @{command "obtain"} without parameters acts
- much like @{command "have"}, where the result is treated as a
- genuine assumption.
-
- An alternative name to be used instead of ``@{text that}'' above may
- be given in parentheses.
-
- \medskip The improper variant @{command "guess"} is similar to
- @{command "obtain"}, but derives the obtained statement from the
- course of reasoning! The proof starts with a fixed goal @{text
- thesis}. The subsequent proof may refine this to anything of the
- form like @{text "\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots>
- \<phi>\<^sub>n \<Longrightarrow> thesis"}, but must not introduce new subgoals. The
- final goal state is then used as reduction rule for the obtain
- scheme described above. Obtained parameters @{text "x\<^sub>1, \<dots>,
- x\<^sub>m"} are marked as internal by default, which prevents the
- proof context from being polluted by ad-hoc variables. The variable
- names and type constraints given as arguments for @{command "guess"}
- specify a prefix of obtained parameters explicitly in the text.
-
- It is important to note that the facts introduced by @{command
- "obtain"} and @{command "guess"} may not be polymorphic: any
- type-variables occurring here are fixed in the present context!
-*}
-
-
-section {* Calculational reasoning \label{sec:calculation} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "also"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "finally"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
- @{command_def "moreover"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "ultimately"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
- @{command_def "print_trans_rules"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute trans} & : & @{text attribute} \\
- @{attribute sym} & : & @{text attribute} \\
- @{attribute symmetric} & : & @{text attribute} \\
- \end{matharray}
-
- Calculational proof is forward reasoning with implicit application
- of transitivity rules (such those of @{text "="}, @{text "\<le>"},
- @{text "<"}). Isabelle/Isar maintains an auxiliary fact register
- @{fact_ref calculation} for accumulating results obtained by
- transitivity composed with the current result. Command @{command
- "also"} updates @{fact calculation} involving @{fact this}, while
- @{command "finally"} exhibits the final @{fact calculation} by
- forward chaining towards the next goal statement. Both commands
- require valid current facts, i.e.\ may occur only after commands
- that produce theorems such as @{command "assume"}, @{command
- "note"}, or some finished proof of @{command "have"}, @{command
- "show"} etc. The @{command "moreover"} and @{command "ultimately"}
- commands are similar to @{command "also"} and @{command "finally"},
- but only collect further results in @{fact calculation} without
- applying any rules yet.
-
- Also note that the implicit term abbreviation ``@{text "\<dots>"}'' has
- its canonical application with calculational proofs. It refers to
- the argument of the preceding statement. (The argument of a curried
- infix expression happens to be its right-hand side.)
-
- Isabelle/Isar calculations are implicitly subject to block structure
- in the sense that new threads of calculational reasoning are
- commenced for any new block (as opened by a local goal, for
- example). This means that, apart from being able to nest
- calculations, there is no separate \emph{begin-calculation} command
- required.
-
- \medskip The Isar calculation proof commands may be defined as
- follows:\footnote{We suppress internal bookkeeping such as proper
- handling of block-structure.}
-
- \begin{matharray}{rcl}
- @{command "also"}@{text "\<^sub>0"} & \equiv & @{command "note"}~@{text "calculation = this"} \\
- @{command "also"}@{text "\<^sub>n+1"} & \equiv & @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\[0.5ex]
- @{command "finally"} & \equiv & @{command "also"}~@{command "from"}~@{text calculation} \\[0.5ex]
- @{command "moreover"} & \equiv & @{command "note"}~@{text "calculation = calculation this"} \\
- @{command "ultimately"} & \equiv & @{command "moreover"}~@{command "from"}~@{text calculation} \\
- \end{matharray}
-
- @{rail "
- (@@{command also} | @@{command finally}) ('(' @{syntax thmrefs} ')')?
- ;
- @@{attribute trans} (() | 'add' | 'del')
- "}
-
- \begin{description}
-
- \item @{command "also"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"} maintains the auxiliary
- @{fact calculation} register as follows. The first occurrence of
- @{command "also"} in some calculational thread initializes @{fact
- calculation} by @{fact this}. Any subsequent @{command "also"} on
- the same level of block-structure updates @{fact calculation} by
- some transitivity rule applied to @{fact calculation} and @{fact
- this} (in that order). Transitivity rules are picked from the
- current context, unless alternative rules are given as explicit
- arguments.
-
- \item @{command "finally"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"} maintaining @{fact
- calculation} in the same way as @{command "also"}, and concludes the
- current calculational thread. The final result is exhibited as fact
- for forward chaining towards the next goal. Basically, @{command
- "finally"} just abbreviates @{command "also"}~@{command
- "from"}~@{fact calculation}. Typical idioms for concluding
- calculational proofs are ``@{command "finally"}~@{command
- "show"}~@{text ?thesis}~@{command "."}'' and ``@{command
- "finally"}~@{command "have"}~@{text \<phi>}~@{command "."}''.
-
- \item @{command "moreover"} and @{command "ultimately"} are
- analogous to @{command "also"} and @{command "finally"}, but collect
- results only, without applying rules.
-
- \item @{command "print_trans_rules"} prints the list of transitivity
- rules (for calculational commands @{command "also"} and @{command
- "finally"}) and symmetry rules (for the @{attribute symmetric}
- operation and single step elimination patters) of the current
- context.
-
- \item @{attribute trans} declares theorems as transitivity rules.
-
- \item @{attribute sym} declares symmetry rules, as well as
- @{attribute "Pure.elim"}@{text "?"} rules.
-
- \item @{attribute symmetric} resolves a theorem with some rule
- declared as @{attribute sym} in the current context. For example,
- ``@{command "assume"}~@{text "[symmetric]: x = y"}'' produces a
- swapped fact derived from that assumption.
-
- In structured proof texts it is often more appropriate to use an
- explicit single-step elimination proof, such as ``@{command
- "assume"}~@{text "x = y"}~@{command "then"}~@{command "have"}~@{text
- "y = x"}~@{command ".."}''.
-
- \end{description}
-*}
-
-
-section {* Proof by cases and induction \label{sec:cases-induct} *}
-
-subsection {* Rule contexts *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "case"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "print_cases"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def case_names} & : & @{text attribute} \\
- @{attribute_def case_conclusion} & : & @{text attribute} \\
- @{attribute_def params} & : & @{text attribute} \\
- @{attribute_def consumes} & : & @{text attribute} \\
- \end{matharray}
-
- The puristic way to build up Isar proof contexts is by explicit
- language elements like @{command "fix"}, @{command "assume"},
- @{command "let"} (see \secref{sec:proof-context}). This is adequate
- for plain natural deduction, but easily becomes unwieldy in concrete
- verification tasks, which typically involve big induction rules with
- several cases.
-
- The @{command "case"} command provides a shorthand to refer to a
- local context symbolically: certain proof methods provide an
- environment of named ``cases'' of the form @{text "c: x\<^sub>1, \<dots>,
- x\<^sub>m, \<phi>\<^sub>1, \<dots>, \<phi>\<^sub>n"}; the effect of ``@{command
- "case"}~@{text c}'' is then equivalent to ``@{command "fix"}~@{text
- "x\<^sub>1 \<dots> x\<^sub>m"}~@{command "assume"}~@{text "c: \<phi>\<^sub>1 \<dots>
- \<phi>\<^sub>n"}''. Term bindings may be covered as well, notably
- @{variable ?case} for the main conclusion.
-
- By default, the ``terminology'' @{text "x\<^sub>1, \<dots>, x\<^sub>m"} of
- a case value is marked as hidden, i.e.\ there is no way to refer to
- such parameters in the subsequent proof text. After all, original
- rule parameters stem from somewhere outside of the current proof
- text. By using the explicit form ``@{command "case"}~@{text "(c
- y\<^sub>1 \<dots> y\<^sub>m)"}'' instead, the proof author is able to
- chose local names that fit nicely into the current context.
-
- \medskip It is important to note that proper use of @{command
- "case"} does not provide means to peek at the current goal state,
- which is not directly observable in Isar! Nonetheless, goal
- refinement commands do provide named cases @{text "goal\<^sub>i"}
- for each subgoal @{text "i = 1, \<dots>, n"} of the resulting goal state.
- Using this extra feature requires great care, because some bits of
- the internal tactical machinery intrude the proof text. In
- particular, parameter names stemming from the left-over of automated
- reasoning tools are usually quite unpredictable.
-
- Under normal circumstances, the text of cases emerge from standard
- elimination or induction rules, which in turn are derived from
- previous theory specifications in a canonical way (say from
- @{command "inductive"} definitions).
-
- \medskip Proper cases are only available if both the proof method
- and the rules involved support this. By using appropriate
- attributes, case names, conclusions, and parameters may be also
- declared by hand. Thus variant versions of rules that have been
- derived manually become ready to use in advanced case analysis
- later.
-
- @{rail "
- @@{command case} (caseref | '(' caseref (('_' | @{syntax name}) +) ')')
- ;
- caseref: nameref attributes?
- ;
-
- @@{attribute case_names} ((@{syntax name} ( '[' (('_' | @{syntax name}) +) ']' ) ? ) +)
- ;
- @@{attribute case_conclusion} @{syntax name} (@{syntax name} * )
- ;
- @@{attribute params} ((@{syntax name} * ) + @'and')
- ;
- @@{attribute consumes} @{syntax nat}?
- "}
-
- \begin{description}
-
- \item @{command "case"}~@{text "(c x\<^sub>1 \<dots> x\<^sub>m)"} invokes a named local
- context @{text "c: x\<^sub>1, \<dots>, x\<^sub>m, \<phi>\<^sub>1, \<dots>, \<phi>\<^sub>m"}, as provided by an
- appropriate proof method (such as @{method_ref cases} and
- @{method_ref induct}). The command ``@{command "case"}~@{text "(c
- x\<^sub>1 \<dots> x\<^sub>m)"}'' abbreviates ``@{command "fix"}~@{text "x\<^sub>1 \<dots>
- x\<^sub>m"}~@{command "assume"}~@{text "c: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}''.
-
- \item @{command "print_cases"} prints all local contexts of the
- current state, using Isar proof language notation.
-
- \item @{attribute case_names}~@{text "c\<^sub>1 \<dots> c\<^sub>k"} declares names for
- the local contexts of premises of a theorem; @{text "c\<^sub>1, \<dots>, c\<^sub>k"}
- refers to the \emph{prefix} of the list of premises. Each of the
- cases @{text "c\<^isub>i"} can be of the form @{text "c[h\<^isub>1 \<dots> h\<^isub>n]"} where
- the @{text "h\<^isub>1 \<dots> h\<^isub>n"} are the names of the hypotheses in case @{text "c\<^isub>i"}
- from left to right.
-
- \item @{attribute case_conclusion}~@{text "c d\<^sub>1 \<dots> d\<^sub>k"} declares
- names for the conclusions of a named premise @{text c}; here @{text
- "d\<^sub>1, \<dots>, d\<^sub>k"} refers to the prefix of arguments of a logical formula
- built by nesting a binary connective (e.g.\ @{text "\<or>"}).
-
- Note that proof methods such as @{method induct} and @{method
- coinduct} already provide a default name for the conclusion as a
- whole. The need to name subformulas only arises with cases that
- split into several sub-cases, as in common co-induction rules.
-
- \item @{attribute params}~@{text "p\<^sub>1 \<dots> p\<^sub>m \<AND> \<dots> q\<^sub>1 \<dots> q\<^sub>n"} renames
- the innermost parameters of premises @{text "1, \<dots>, n"} of some
- theorem. An empty list of names may be given to skip positions,
- leaving the present parameters unchanged.
-
- Note that the default usage of case rules does \emph{not} directly
- expose parameters to the proof context.
-
- \item @{attribute consumes}~@{text n} declares the number of ``major
- premises'' of a rule, i.e.\ the number of facts to be consumed when
- it is applied by an appropriate proof method. The default value of
- @{attribute consumes} is @{text "n = 1"}, which is appropriate for
- the usual kind of cases and induction rules for inductive sets (cf.\
- \secref{sec:hol-inductive}). Rules without any @{attribute
- consumes} declaration given are treated as if @{attribute
- consumes}~@{text 0} had been specified.
-
- Note that explicit @{attribute consumes} declarations are only
- rarely needed; this is already taken care of automatically by the
- higher-level @{attribute cases}, @{attribute induct}, and
- @{attribute coinduct} declarations.
-
- \end{description}
-*}
-
-
-subsection {* Proof methods *}
-
-text {*
- \begin{matharray}{rcl}
- @{method_def cases} & : & @{text method} \\
- @{method_def induct} & : & @{text method} \\
- @{method_def induction} & : & @{text method} \\
- @{method_def coinduct} & : & @{text method} \\
- \end{matharray}
-
- The @{method cases}, @{method induct}, @{method induction},
- and @{method coinduct}
- methods provide a uniform interface to common proof techniques over
- datatypes, inductive predicates (or sets), recursive functions etc.
- The corresponding rules may be specified and instantiated in a
- casual manner. Furthermore, these methods provide named local
- contexts that may be invoked via the @{command "case"} proof command
- within the subsequent proof text. This accommodates compact proof
- texts even when reasoning about large specifications.
-
- The @{method induct} method also provides some additional
- infrastructure in order to be applicable to structure statements
- (either using explicit meta-level connectives, or including facts
- and parameters separately). This avoids cumbersome encoding of
- ``strengthened'' inductive statements within the object-logic.
-
- Method @{method induction} differs from @{method induct} only in
- the names of the facts in the local context invoked by the @{command "case"}
- command.
-
- @{rail "
- @@{method cases} ('(' 'no_simp' ')')? \\
- (@{syntax insts} * @'and') rule?
- ;
- (@@{method induct} | @@{method induction}) ('(' 'no_simp' ')')? (definsts * @'and') \\ arbitrary? taking? rule?
- ;
- @@{method coinduct} @{syntax insts} taking rule?
- ;
-
- rule: ('type' | 'pred' | 'set') ':' (@{syntax nameref} +) | 'rule' ':' (@{syntax thmref} +)
- ;
- definst: @{syntax name} ('==' | '\<equiv>') @{syntax term} | '(' @{syntax term} ')' | @{syntax inst}
- ;
- definsts: ( definst * )
- ;
- arbitrary: 'arbitrary' ':' ((@{syntax term} * ) @'and' +)
- ;
- taking: 'taking' ':' @{syntax insts}
- "}
-
- \begin{description}
-
- \item @{method cases}~@{text "insts R"} applies method @{method
- rule} with an appropriate case distinction theorem, instantiated to
- the subjects @{text insts}. Symbolic case names are bound according
- to the rule's local contexts.
-
- The rule is determined as follows, according to the facts and
- arguments passed to the @{method cases} method:
-
- \medskip
- \begin{tabular}{llll}
- facts & & arguments & rule \\\hline
- & @{method cases} & & classical case split \\
- & @{method cases} & @{text t} & datatype exhaustion (type of @{text t}) \\
- @{text "\<turnstile> A t"} & @{method cases} & @{text "\<dots>"} & inductive predicate/set elimination (of @{text A}) \\
- @{text "\<dots>"} & @{method cases} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
- \end{tabular}
- \medskip
-
- Several instantiations may be given, referring to the \emph{suffix}
- of premises of the case rule; within each premise, the \emph{prefix}
- of variables is instantiated. In most situations, only a single
- term needs to be specified; this refers to the first variable of the
- last premise (it is usually the same for all cases). The @{text
- "(no_simp)"} option can be used to disable pre-simplification of
- cases (see the description of @{method induct} below for details).
-
- \item @{method induct}~@{text "insts R"} and
- @{method induction}~@{text "insts R"} are analogous to the
- @{method cases} method, but refer to induction rules, which are
- determined as follows:
-
- \medskip
- \begin{tabular}{llll}
- facts & & arguments & rule \\\hline
- & @{method induct} & @{text "P x"} & datatype induction (type of @{text x}) \\
- @{text "\<turnstile> A x"} & @{method induct} & @{text "\<dots>"} & predicate/set induction (of @{text A}) \\
- @{text "\<dots>"} & @{method induct} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
- \end{tabular}
- \medskip
-
- Several instantiations may be given, each referring to some part of
- a mutual inductive definition or datatype --- only related partial
- induction rules may be used together, though. Any of the lists of
- terms @{text "P, x, \<dots>"} refers to the \emph{suffix} of variables
- present in the induction rule. This enables the writer to specify
- only induction variables, or both predicates and variables, for
- example.
-
- Instantiations may be definitional: equations @{text "x \<equiv> t"}
- introduce local definitions, which are inserted into the claim and
- discharged after applying the induction rule. Equalities reappear
- in the inductive cases, but have been transformed according to the
- induction principle being involved here. In order to achieve
- practically useful induction hypotheses, some variables occurring in
- @{text t} need to be fixed (see below). Instantiations of the form
- @{text t}, where @{text t} is not a variable, are taken as a
- shorthand for \mbox{@{text "x \<equiv> t"}}, where @{text x} is a fresh
- variable. If this is not intended, @{text t} has to be enclosed in
- parentheses. By default, the equalities generated by definitional
- instantiations are pre-simplified using a specific set of rules,
- usually consisting of distinctness and injectivity theorems for
- datatypes. This pre-simplification may cause some of the parameters
- of an inductive case to disappear, or may even completely delete
- some of the inductive cases, if one of the equalities occurring in
- their premises can be simplified to @{text False}. The @{text
- "(no_simp)"} option can be used to disable pre-simplification.
- Additional rules to be used in pre-simplification can be declared
- using the @{attribute_def induct_simp} attribute.
-
- The optional ``@{text "arbitrary: x\<^sub>1 \<dots> x\<^sub>m"}''
- specification generalizes variables @{text "x\<^sub>1, \<dots>,
- x\<^sub>m"} of the original goal before applying induction. One can
- separate variables by ``@{text "and"}'' to generalize them in other
- goals then the first. Thus induction hypotheses may become
- sufficiently general to get the proof through. Together with
- definitional instantiations, one may effectively perform induction
- over expressions of a certain structure.
-
- The optional ``@{text "taking: t\<^sub>1 \<dots> t\<^sub>n"}''
- specification provides additional instantiations of a prefix of
- pending variables in the rule. Such schematic induction rules
- rarely occur in practice, though.
-
- \item @{method coinduct}~@{text "inst R"} is analogous to the
- @{method induct} method, but refers to coinduction rules, which are
- determined as follows:
-
- \medskip
- \begin{tabular}{llll}
- goal & & arguments & rule \\\hline
- & @{method coinduct} & @{text x} & type coinduction (type of @{text x}) \\
- @{text "A x"} & @{method coinduct} & @{text "\<dots>"} & predicate/set coinduction (of @{text A}) \\
- @{text "\<dots>"} & @{method coinduct} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
- \end{tabular}
-
- Coinduction is the dual of induction. Induction essentially
- eliminates @{text "A x"} towards a generic result @{text "P x"},
- while coinduction introduces @{text "A x"} starting with @{text "B
- x"}, for a suitable ``bisimulation'' @{text B}. The cases of a
- coinduct rule are typically named after the predicates or sets being
- covered, while the conclusions consist of several alternatives being
- named after the individual destructor patterns.
-
- The given instantiation refers to the \emph{suffix} of variables
- occurring in the rule's major premise, or conclusion if unavailable.
- An additional ``@{text "taking: t\<^sub>1 \<dots> t\<^sub>n"}''
- specification may be required in order to specify the bisimulation
- to be used in the coinduction step.
-
- \end{description}
-
- Above methods produce named local contexts, as determined by the
- instantiated rule as given in the text. Beyond that, the @{method
- induct} and @{method coinduct} methods guess further instantiations
- from the goal specification itself. Any persisting unresolved
- schematic variables of the resulting rule will render the the
- corresponding case invalid. The term binding @{variable ?case} for
- the conclusion will be provided with each case, provided that term
- is fully specified.
-
- The @{command "print_cases"} command prints all named cases present
- in the current proof state.
-
- \medskip Despite the additional infrastructure, both @{method cases}
- and @{method coinduct} merely apply a certain rule, after
- instantiation, while conforming due to the usual way of monotonic
- natural deduction: the context of a structured statement @{text
- "\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> \<dots>"}
- reappears unchanged after the case split.
-
- The @{method induct} method is fundamentally different in this
- respect: the meta-level structure is passed through the
- ``recursive'' course involved in the induction. Thus the original
- statement is basically replaced by separate copies, corresponding to
- the induction hypotheses and conclusion; the original goal context
- is no longer available. Thus local assumptions, fixed parameters
- and definitions effectively participate in the inductive rephrasing
- of the original statement.
-
- In @{method induct} proofs, local assumptions introduced by cases are split
- into two different kinds: @{text hyps} stemming from the rule and
- @{text prems} from the goal statement. This is reflected in the
- extracted cases accordingly, so invoking ``@{command "case"}~@{text
- c}'' will provide separate facts @{text c.hyps} and @{text c.prems},
- as well as fact @{text c} to hold the all-inclusive list.
-
- In @{method induction} proofs, local assumptions introduced by cases are
- split into three different kinds: @{text IH}, the induction hypotheses,
- @{text hyps}, the remaining hypotheses stemming from the rule, and
- @{text prems}, the assumptions from the goal statement. The names are
- @{text c.IH}, @{text c.hyps} and @{text c.prems}, as above.
-
-
- \medskip Facts presented to either method are consumed according to
- the number of ``major premises'' of the rule involved, which is
- usually 0 for plain cases and induction rules of datatypes etc.\ and
- 1 for rules of inductive predicates or sets and the like. The
- remaining facts are inserted into the goal verbatim before the
- actual @{text cases}, @{text induct}, or @{text coinduct} rule is
- applied.
-*}
-
-
-subsection {* Declaring rules *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "print_induct_rules"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{attribute_def cases} & : & @{text attribute} \\
- @{attribute_def induct} & : & @{text attribute} \\
- @{attribute_def coinduct} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute cases} spec
- ;
- @@{attribute induct} spec
- ;
- @@{attribute coinduct} spec
- ;
-
- spec: (('type' | 'pred' | 'set') ':' @{syntax nameref}) | 'del'
- "}
-
- \begin{description}
-
- \item @{command "print_induct_rules"} prints cases and induct rules
- for predicates (or sets) and types of the current context.
-
- \item @{attribute cases}, @{attribute induct}, and @{attribute
- coinduct} (as attributes) declare rules for reasoning about
- (co)inductive predicates (or sets) and types, using the
- corresponding methods of the same name. Certain definitional
- packages of object-logics usually declare emerging cases and
- induction rules as expected, so users rarely need to intervene.
-
- Rules may be deleted via the @{text "del"} specification, which
- covers all of the @{text "type"}/@{text "pred"}/@{text "set"}
- sub-categories simultaneously. For example, @{attribute
- cases}~@{text del} removes any @{attribute cases} rules declared for
- some type, predicate, or set.
-
- Manual rule declarations usually refer to the @{attribute
- case_names} and @{attribute params} attributes to adjust names of
- cases and parameters of a rule; the @{attribute consumes}
- declaration is taken care of automatically: @{attribute
- consumes}~@{text 0} is specified for ``type'' rules and @{attribute
- consumes}~@{text 1} for ``predicate'' / ``set'' rules.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarRef/Quick_Reference.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,231 +0,0 @@
-theory Quick_Reference
-imports Base Main
-begin
-
-chapter {* Isabelle/Isar quick reference \label{ap:refcard} *}
-
-section {* Proof commands *}
-
-subsection {* Primitives and basic syntax *}
-
-text {*
- \begin{tabular}{ll}
- @{command "fix"}~@{text x} & augment context by @{text "\<And>x. \<box>"} \\
- @{command "assume"}~@{text "a: \<phi>"} & augment context by @{text "\<phi> \<Longrightarrow> \<box>"} \\
- @{command "then"} & indicate forward chaining of facts \\
- @{command "have"}~@{text "a: \<phi>"} & prove local result \\
- @{command "show"}~@{text "a: \<phi>"} & prove local result, refining some goal \\
- @{command "using"}~@{text a} & indicate use of additional facts \\
- @{command "unfolding"}~@{text a} & unfold definitional equations \\
- @{command "proof"}~@{text "m\<^sub>1"}~\dots~@{command "qed"}~@{text "m\<^sub>2"} & indicate proof structure and refinements \\
- @{command "{"}~@{text "\<dots>"}~@{command "}"} & indicate explicit blocks \\
- @{command "next"} & switch blocks \\
- @{command "note"}~@{text "a = b"} & reconsider facts \\
- @{command "let"}~@{text "p = t"} & abbreviate terms by higher-order matching \\
- @{command "write"}~@{text "c (mx)"} & declare local mixfix syntax \\
- \end{tabular}
-
- \medskip
-
- \begin{tabular}{rcl}
- @{text "proof"} & = & @{text "prfx\<^sup>*"}~@{command "proof"}~@{text "method\<^sup>? stmt\<^sup>*"}~@{command "qed"}~@{text "method\<^sup>?"} \\
- & @{text "|"} & @{text "prfx\<^sup>*"}~@{command "done"} \\
- @{text prfx} & = & @{command "apply"}~@{text method} \\
- & @{text "|"} & @{command "using"}~@{text "facts"} \\
- & @{text "|"} & @{command "unfolding"}~@{text "facts"} \\
- @{text stmt} & = & @{command "{"}~@{text "stmt\<^sup>*"}~@{command "}"} \\
- & @{text "|"} & @{command "next"} \\
- & @{text "|"} & @{command "note"}~@{text "name = facts"} \\
- & @{text "|"} & @{command "let"}~@{text "term = term"} \\
- & @{text "|"} & @{command "write"}~@{text "name (mixfix)"} \\
- & @{text "|"} & @{command "fix"}~@{text "var\<^sup>+"} \\
- & @{text "|"} & @{command "assume"}~@{text "name: props"} \\
- & @{text "|"} & @{command "then"}@{text "\<^sup>?"}~@{text goal} \\
- @{text goal} & = & @{command "have"}~@{text "name: props proof"} \\
- & @{text "|"} & @{command "show"}~@{text "name: props proof"} \\
- \end{tabular}
-*}
-
-
-subsection {* Abbreviations and synonyms *}
-
-text {*
- \begin{tabular}{rcl}
- @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} & @{text "\<equiv>"} &
- @{command "proof"}~@{text "m\<^sub>1"}~@{command "qed"}~@{text "m\<^sub>2"} \\
- @{command ".."} & @{text "\<equiv>"} & @{command "by"}~@{text rule} \\
- @{command "."} & @{text "\<equiv>"} & @{command "by"}~@{text this} \\
- @{command "hence"} & @{text "\<equiv>"} & @{command "then"}~@{command "have"} \\
- @{command "thus"} & @{text "\<equiv>"} & @{command "then"}~@{command "show"} \\
- @{command "from"}~@{text a} & @{text "\<equiv>"} & @{command "note"}~@{text a}~@{command "then"} \\
- @{command "with"}~@{text a} & @{text "\<equiv>"} & @{command "from"}~@{text "a \<AND> this"} \\
- @{command "from"}~@{text this} & @{text "\<equiv>"} & @{command "then"} \\
- @{command "from"}~@{text this}~@{command "have"} & @{text "\<equiv>"} & @{command "hence"} \\
- @{command "from"}~@{text this}~@{command "show"} & @{text "\<equiv>"} & @{command "thus"} \\
- \end{tabular}
-*}
-
-
-subsection {* Derived elements *}
-
-text {*
- \begin{tabular}{rcl}
- @{command "also"}@{text "\<^sub>0"} & @{text "\<approx>"} &
- @{command "note"}~@{text "calculation = this"} \\
- @{command "also"}@{text "\<^sub>n\<^sub>+\<^sub>1"} & @{text "\<approx>"} &
- @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\
- @{command "finally"} & @{text "\<approx>"} &
- @{command "also"}~@{command "from"}~@{text calculation} \\[0.5ex]
- @{command "moreover"} & @{text "\<approx>"} &
- @{command "note"}~@{text "calculation = calculation this"} \\
- @{command "ultimately"} & @{text "\<approx>"} &
- @{command "moreover"}~@{command "from"}~@{text calculation} \\[0.5ex]
- @{command "presume"}~@{text "a: \<phi>"} & @{text "\<approx>"} &
- @{command "assume"}~@{text "a: \<phi>"} \\
- @{command "def"}~@{text "a: x \<equiv> t"} & @{text "\<approx>"} &
- @{command "fix"}~@{text x}~@{command "assume"}~@{text "a: x \<equiv> t"} \\
- @{command "obtain"}~@{text "x \<WHERE> a: \<phi>"} & @{text "\<approx>"} &
- @{text "\<dots>"}~@{command "fix"}~@{text x}~@{command "assume"}~@{text "a: \<phi>"} \\
- @{command "case"}~@{text c} & @{text "\<approx>"} &
- @{command "fix"}~@{text x}~@{command "assume"}~@{text "c: \<phi>"} \\
- @{command "sorry"} & @{text "\<approx>"} &
- @{command "by"}~@{text cheating} \\
- \end{tabular}
-*}
-
-
-subsection {* Diagnostic commands *}
-
-text {*
- \begin{tabular}{ll}
- @{command "pr"} & print current state \\
- @{command "thm"}~@{text a} & print fact \\
- @{command "prop"}~@{text \<phi>} & print proposition \\
- @{command "term"}~@{text t} & print term \\
- @{command "typ"}~@{text \<tau>} & print type \\
- \end{tabular}
-*}
-
-
-section {* Proof methods *}
-
-text {*
- \begin{tabular}{ll}
- \multicolumn{2}{l}{\textbf{Single steps (forward-chaining facts)}} \\[0.5ex]
- @{method assumption} & apply some assumption \\
- @{method this} & apply current facts \\
- @{method rule}~@{text a} & apply some rule \\
- @{method rule} & apply standard rule (default for @{command "proof"}) \\
- @{method contradiction} & apply @{text "\<not>"} elimination rule (any order) \\
- @{method cases}~@{text t} & case analysis (provides cases) \\
- @{method induct}~@{text x} & proof by induction (provides cases) \\[2ex]
-
- \multicolumn{2}{l}{\textbf{Repeated steps (inserting facts)}} \\[0.5ex]
- @{method "-"} & no rules \\
- @{method intro}~@{text a} & introduction rules \\
- @{method intro_classes} & class introduction rules \\
- @{method elim}~@{text a} & elimination rules \\
- @{method unfold}~@{text a} & definitional rewrite rules \\[2ex]
-
- \multicolumn{2}{l}{\textbf{Automated proof tools (inserting facts)}} \\[0.5ex]
- @{method iprover} & intuitionistic proof search \\
- @{method blast}, @{method fast} & Classical Reasoner \\
- @{method simp}, @{method simp_all} & Simplifier (+ Splitter) \\
- @{method auto}, @{method force} & Simplifier + Classical Reasoner \\
- @{method arith} & Arithmetic procedures \\
- \end{tabular}
-*}
-
-
-section {* Attributes *}
-
-text {*
- \begin{tabular}{ll}
- \multicolumn{2}{l}{\textbf{Rules}} \\[0.5ex]
- @{attribute OF}~@{text a} & rule resolved with facts (skipping ``@{text _}'') \\
- @{attribute of}~@{text t} & rule instantiated with terms (skipping ``@{text _}'') \\
- @{attribute "where"}~@{text "x = t"} & rule instantiated with terms, by variable name \\
- @{attribute symmetric} & resolution with symmetry rule \\
- @{attribute THEN}~@{text b} & resolution with another rule \\
- @{attribute rule_format} & result put into standard rule format \\
- @{attribute elim_format} & destruct rule turned into elimination rule format \\[1ex]
-
- \multicolumn{2}{l}{\textbf{Declarations}} \\[0.5ex]
- @{attribute simp} & Simplifier rule \\
- @{attribute intro}, @{attribute elim}, @{attribute dest} & Pure or Classical Reasoner rule \\
- @{attribute iff} & Simplifier + Classical Reasoner rule \\
- @{attribute split} & case split rule \\
- @{attribute trans} & transitivity rule \\
- @{attribute sym} & symmetry rule \\
- \end{tabular}
-*}
-
-
-section {* Rule declarations and methods *}
-
-text {*
- \begin{tabular}{l|lllll}
- & @{method rule} & @{method iprover} & @{method blast} & @{method simp} & @{method auto} \\
- & & & @{method fast} & @{method simp_all} & @{method force} \\
- \hline
- @{attribute Pure.elim}@{text "!"} @{attribute Pure.intro}@{text "!"}
- & @{text "\<times>"} & @{text "\<times>"} \\
- @{attribute Pure.elim} @{attribute Pure.intro}
- & @{text "\<times>"} & @{text "\<times>"} \\
- @{attribute elim}@{text "!"} @{attribute intro}@{text "!"}
- & @{text "\<times>"} & & @{text "\<times>"} & & @{text "\<times>"} \\
- @{attribute elim} @{attribute intro}
- & @{text "\<times>"} & & @{text "\<times>"} & & @{text "\<times>"} \\
- @{attribute iff}
- & @{text "\<times>"} & & @{text "\<times>"} & @{text "\<times>"} & @{text "\<times>"} \\
- @{attribute iff}@{text "?"}
- & @{text "\<times>"} \\
- @{attribute elim}@{text "?"} @{attribute intro}@{text "?"}
- & @{text "\<times>"} \\
- @{attribute simp}
- & & & & @{text "\<times>"} & @{text "\<times>"} \\
- @{attribute cong}
- & & & & @{text "\<times>"} & @{text "\<times>"} \\
- @{attribute split}
- & & & & @{text "\<times>"} & @{text "\<times>"} \\
- \end{tabular}
-*}
-
-
-section {* Emulating tactic scripts *}
-
-subsection {* Commands *}
-
-text {*
- \begin{tabular}{ll}
- @{command "apply"}~@{text m} & apply proof method at initial position \\
- @{command "apply_end"}~@{text m} & apply proof method near terminal position \\
- @{command "done"} & complete proof \\
- @{command "defer"}~@{text n} & move subgoal to end \\
- @{command "prefer"}~@{text n} & move subgoal to beginning \\
- @{command "back"} & backtrack last command \\
- \end{tabular}
-*}
-
-
-subsection {* Methods *}
-
-text {*
- \begin{tabular}{ll}
- @{method rule_tac}~@{text insts} & resolution (with instantiation) \\
- @{method erule_tac}~@{text insts} & elim-resolution (with instantiation) \\
- @{method drule_tac}~@{text insts} & destruct-resolution (with instantiation) \\
- @{method frule_tac}~@{text insts} & forward-resolution (with instantiation) \\
- @{method cut_tac}~@{text insts} & insert facts (with instantiation) \\
- @{method thin_tac}~@{text \<phi>} & delete assumptions \\
- @{method subgoal_tac}~@{text \<phi>} & new claims \\
- @{method rename_tac}~@{text x} & rename innermost goal parameters \\
- @{method rotate_tac}~@{text n} & rotate assumptions of goal \\
- @{method tactic}~@{text "text"} & arbitrary ML tactic \\
- @{method case_tac}~@{text t} & exhaustion (datatypes) \\
- @{method induct_tac}~@{text x} & induction (datatypes) \\
- @{method ind_cases}~@{text t} & exhaustion + simplification (inductive predicates) \\
- \end{tabular}
-*}
-
-end
--- a/doc-src/IsarRef/Spec.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1337 +0,0 @@
-theory Spec
-imports Base Main
-begin
-
-chapter {* Specifications *}
-
-text {*
- The Isabelle/Isar theory format integrates specifications and
- proofs, supporting interactive development with unlimited undo
- operation. There is an integrated document preparation system (see
- \chref{ch:document-prep}), for typesetting formal developments
- together with informal text. The resulting hyper-linked PDF
- documents can be used both for WWW presentation and printed copies.
-
- The Isar proof language (see \chref{ch:proofs}) is embedded into the
- theory language as a proper sub-language. Proof mode is entered by
- stating some @{command theorem} or @{command lemma} at the theory
- level, and left again with the final conclusion (e.g.\ via @{command
- qed}). Some theory specification mechanisms also require a proof,
- such as @{command typedef} in HOL, which demands non-emptiness of
- the representing sets.
-*}
-
-
-section {* Defining theories \label{sec:begin-thy} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "theory"} & : & @{text "toplevel \<rightarrow> theory"} \\
- @{command_def (global) "end"} & : & @{text "theory \<rightarrow> toplevel"} \\
- \end{matharray}
-
- Isabelle/Isar theories are defined via theory files, which may
- contain both specifications and proofs; occasionally definitional
- mechanisms also require some explicit proof. The theory body may be
- sub-structured by means of \emph{local theory targets}, such as
- @{command "locale"} and @{command "class"}.
-
- The first proper command of a theory is @{command "theory"}, which
- indicates imports of previous theories and optional dependencies on
- other source files (usually in ML). Just preceding the initial
- @{command "theory"} command there may be an optional @{command
- "header"} declaration, which is only relevant to document
- preparation: see also the other section markup commands in
- \secref{sec:markup}.
-
- A theory is concluded by a final @{command (global) "end"} command,
- one that does not belong to a local theory target. No further
- commands may follow such a global @{command (global) "end"},
- although some user-interfaces might pretend that trailing input is
- admissible.
-
- @{rail "
- @@{command theory} @{syntax name} imports \\ keywords? uses? @'begin'
- ;
- imports: @'imports' (@{syntax name} +)
- ;
- keywords: @'keywords' ((@{syntax string} +) ('::' @{syntax name} @{syntax tags})? + @'and')
- ;
- uses: @'uses' ((@{syntax name} | @{syntax parname}) +)
- "}
-
- \begin{description}
-
- \item @{command "theory"}~@{text "A \<IMPORTS> B\<^sub>1 \<dots> B\<^sub>n \<BEGIN>"}
- starts a new theory @{text A} based on the merge of existing
- theories @{text "B\<^sub>1 \<dots> B\<^sub>n"}. Due to the possibility to import more
- than one ancestor, the resulting theory structure of an Isabelle
- session forms a directed acyclic graph (DAG). Isabelle takes care
- that sources contributing to the development graph are always
- up-to-date: changed files are automatically rechecked whenever a
- theory header specification is processed.
-
- The optional @{keyword_def "keywords"} specification declares outer
- syntax (\chref{ch:outer-syntax}) that is introduced in this theory
- later on (rare in end-user applications). Both minor keywords and
- major keywords of the Isar command language need to be specified, in
- order to make parsing of proof documents work properly. Command
- keywords need to be classified according to their structural role in
- the formal text. Examples may be seen in Isabelle/HOL sources
- itself, such as @{keyword "keywords"}~@{verbatim "\"typedef\""}
- @{text ":: thy_goal"} or @{keyword "keywords"}~@{verbatim
- "\"datatype\""} @{text ":: thy_decl"} for theory-level declarations
- with and without proof, respectively. Additional @{syntax tags}
- provide defaults for document preparation (\secref{sec:tags}).
-
- The optional @{keyword_def "uses"} specification declares additional
- dependencies on external files (notably ML sources). Files will be
- loaded immediately (as ML), unless the name is parenthesized. The
- latter case records a dependency that needs to be resolved later in
- the text, usually via explicit @{command_ref "use"} for ML files;
- other file formats require specific load commands defined by the
- corresponding tools or packages.
-
- \item @{command (global) "end"} concludes the current theory
- definition. Note that some other commands, e.g.\ local theory
- targets @{command locale} or @{command class} may involve a
- @{keyword "begin"} that needs to be matched by @{command (local)
- "end"}, according to the usual rules for nested blocks.
-
- \end{description}
-*}
-
-
-section {* Local theory targets \label{sec:target} *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "context"} & : & @{text "theory \<rightarrow> local_theory"} \\
- @{command_def (local) "end"} & : & @{text "local_theory \<rightarrow> theory"} \\
- \end{matharray}
-
- A local theory target is a context managed separately within the
- enclosing theory. Contexts may introduce parameters (fixed
- variables) and assumptions (hypotheses). Definitions and theorems
- depending on the context may be added incrementally later on.
-
- \emph{Named contexts} refer to locales (cf.\ \secref{sec:locale}) or
- type classes (cf.\ \secref{sec:class}); the name ``@{text "-"}''
- signifies the global theory context.
-
- \emph{Unnamed contexts} may introduce additional parameters and
- assumptions, and results produced in the context are generalized
- accordingly. Such auxiliary contexts may be nested within other
- targets, like @{command "locale"}, @{command "class"}, @{command
- "instantiation"}, @{command "overloading"}.
-
- @{rail "
- @@{command context} @{syntax nameref} @'begin'
- ;
- @@{command context} @{syntax_ref \"includes\"}? (@{syntax context_elem} * ) @'begin'
- ;
- @{syntax_def target}: '(' @'in' @{syntax nameref} ')'
- "}
-
- \begin{description}
-
- \item @{command "context"}~@{text "c \<BEGIN>"} opens a named
- context, by recommencing an existing locale or class @{text c}.
- Note that locale and class definitions allow to include the
- @{keyword "begin"} keyword as well, in order to continue the local
- theory immediately after the initial specification.
-
- \item @{command "context"}~@{text "bundles elements \<BEGIN>"} opens
- an unnamed context, by extending the enclosing global or local
- theory target by the given declaration bundles (\secref{sec:bundle})
- and context elements (@{text "\<FIXES>"}, @{text "\<ASSUMES>"}
- etc.). This means any results stemming from definitions and proofs
- in the extended context will be exported into the enclosing target
- by lifting over extra parameters and premises.
-
- \item @{command (local) "end"} concludes the current local theory,
- according to the nesting of contexts. Note that a global @{command
- (global) "end"} has a different meaning: it concludes the theory
- itself (\secref{sec:begin-thy}).
-
- \item @{text "("}@{keyword_def "in"}~@{text "c)"} given after any
- local theory command specifies an immediate target, e.g.\
- ``@{command "definition"}~@{text "(\<IN> c) \<dots>"}'' or ``@{command
- "theorem"}~@{text "(\<IN> c) \<dots>"}''. This works both in a local or
- global theory context; the current target context will be suspended
- for this command only. Note that ``@{text "(\<IN> -)"}'' will
- always produce a global result independently of the current target
- context.
-
- \end{description}
-
- The exact meaning of results produced within a local theory context
- depends on the underlying target infrastructure (locale, type class
- etc.). The general idea is as follows, considering a context named
- @{text c} with parameter @{text x} and assumption @{text "A[x]"}.
-
- Definitions are exported by introducing a global version with
- additional arguments; a syntactic abbreviation links the long form
- with the abstract version of the target context. For example,
- @{text "a \<equiv> t[x]"} becomes @{text "c.a ?x \<equiv> t[?x]"} at the theory
- level (for arbitrary @{text "?x"}), together with a local
- abbreviation @{text "c \<equiv> c.a x"} in the target context (for the
- fixed parameter @{text x}).
-
- Theorems are exported by discharging the assumptions and
- generalizing the parameters of the context. For example, @{text "a:
- B[x]"} becomes @{text "c.a: A[?x] \<Longrightarrow> B[?x]"}, again for arbitrary
- @{text "?x"}.
-
- \medskip The Isabelle/HOL library contains numerous applications of
- locales and classes, e.g.\ see @{file "~~/src/HOL/Algebra"}. An
- example for an unnamed auxiliary contexts is given in @{file
- "~~/src/HOL/Isar_Examples/Group_Context.thy"}. *}
-
-
-section {* Bundled declarations \label{sec:bundle} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "bundle"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "print_bundles"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow> "} \\
- @{command_def "include"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
- @{command_def "including"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
- @{keyword_def "includes"} & : & syntax \\
- \end{matharray}
-
- The outer syntax of fact expressions (\secref{sec:syn-att}) involves
- theorems and attributes, which are evaluated in the context and
- applied to it. Attributes may declare theorems to the context, as
- in @{text "this_rule [intro] that_rule [elim]"} for example.
- Configuration options (\secref{sec:config}) are special declaration
- attributes that operate on the context without a theorem, as in
- @{text "[[show_types = false]]"} for example.
-
- Expressions of this form may be defined as \emph{bundled
- declarations} in the context, and included in other situations later
- on. Including declaration bundles augments a local context casually
- without logical dependencies, which is in contrast to locales and
- locale interpretation (\secref{sec:locale}).
-
- @{rail "
- @@{command bundle} @{syntax target}? \\
- @{syntax name} '=' @{syntax thmrefs} (@'for' (@{syntax vars} + @'and'))?
- ;
- (@@{command include} | @@{command including}) (@{syntax nameref}+)
- ;
- @{syntax_def \"includes\"}: @'includes' (@{syntax nameref}+)
- "}
-
- \begin{description}
-
- \item @{command bundle}~@{text "b = decls"} defines a bundle of
- declarations in the current context. The RHS is similar to the one
- of the @{command declare} command. Bundles defined in local theory
- targets are subject to transformations via morphisms, when moved
- into different application contexts; this works analogously to any
- other local theory specification.
-
- \item @{command print_bundles} prints the named bundles that are
- available in the current context.
-
- \item @{command include}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} includes the declarations
- from the given bundles into the current proof body context. This is
- analogous to @{command "note"} (\secref{sec:proof-facts}) with the
- expanded bundles.
-
- \item @{command including} is similar to @{command include}, but
- works in proof refinement (backward mode). This is analogous to
- @{command "using"} (\secref{sec:proof-facts}) with the expanded
- bundles.
-
- \item @{keyword "includes"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} is similar to
- @{command include}, but works in situations where a specification
- context is constructed, notably for @{command context} and long
- statements of @{command theorem} etc.
-
- \end{description}
-
- Here is an artificial example of bundling various configuration
- options: *}
-
-bundle trace = [[simp_trace, blast_trace, linarith_trace, metis_trace, smt_trace]]
-
-lemma "x = x"
- including trace by metis
-
-
-section {* Basic specification elements *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "axiomatization"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
- @{command_def "definition"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{attribute_def "defn"} & : & @{text attribute} \\
- @{command_def "abbreviation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "print_abbrevs"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow> "} \\
- \end{matharray}
-
- These specification mechanisms provide a slightly more abstract view
- than the underlying primitives of @{command "consts"}, @{command
- "defs"} (see \secref{sec:consts}), and @{command "axioms"} (see
- \secref{sec:axms-thms}). In particular, type-inference is commonly
- available, and result names need not be given.
-
- @{rail "
- @@{command axiomatization} @{syntax \"fixes\"}? (@'where' specs)?
- ;
- @@{command definition} @{syntax target}? \\
- (decl @'where')? @{syntax thmdecl}? @{syntax prop}
- ;
- @@{command abbreviation} @{syntax target}? @{syntax mode}? \\
- (decl @'where')? @{syntax prop}
- ;
-
- @{syntax_def \"fixes\"}: ((@{syntax name} ('::' @{syntax type})?
- @{syntax mixfix}? | @{syntax vars}) + @'and')
- ;
- specs: (@{syntax thmdecl}? @{syntax props} + @'and')
- ;
- decl: @{syntax name} ('::' @{syntax type})? @{syntax mixfix}?
- "}
-
- \begin{description}
-
- \item @{command "axiomatization"}~@{text "c\<^sub>1 \<dots> c\<^sub>m \<WHERE> \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}
- introduces several constants simultaneously and states axiomatic
- properties for these. The constants are marked as being specified
- once and for all, which prevents additional specifications being
- issued later on.
-
- Note that axiomatic specifications are only appropriate when
- declaring a new logical system; axiomatic specifications are
- restricted to global theory contexts. Normal applications should
- only use definitional mechanisms!
-
- \item @{command "definition"}~@{text "c \<WHERE> eq"} produces an
- internal definition @{text "c \<equiv> t"} according to the specification
- given as @{text eq}, which is then turned into a proven fact. The
- given proposition may deviate from internal meta-level equality
- according to the rewrite rules declared as @{attribute defn} by the
- object-logic. This usually covers object-level equality @{text "x =
- y"} and equivalence @{text "A \<leftrightarrow> B"}. End-users normally need not
- change the @{attribute defn} setup.
-
- Definitions may be presented with explicit arguments on the LHS, as
- well as additional conditions, e.g.\ @{text "f x y = t"} instead of
- @{text "f \<equiv> \<lambda>x y. t"} and @{text "y \<noteq> 0 \<Longrightarrow> g x y = u"} instead of an
- unrestricted @{text "g \<equiv> \<lambda>x y. u"}.
-
- \item @{command "abbreviation"}~@{text "c \<WHERE> eq"} introduces a
- syntactic constant which is associated with a certain term according
- to the meta-level equality @{text eq}.
-
- Abbreviations participate in the usual type-inference process, but
- are expanded before the logic ever sees them. Pretty printing of
- terms involves higher-order rewriting with rules stemming from
- reverted abbreviations. This needs some care to avoid overlapping
- or looping syntactic replacements!
-
- The optional @{text mode} specification restricts output to a
- particular print mode; using ``@{text input}'' here achieves the
- effect of one-way abbreviations. The mode may also include an
- ``@{keyword "output"}'' qualifier that affects the concrete syntax
- declared for abbreviations, cf.\ @{command "syntax"} in
- \secref{sec:syn-trans}.
-
- \item @{command "print_abbrevs"} prints all constant abbreviations
- of the current context.
-
- \end{description}
-*}
-
-
-section {* Generic declarations *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "declaration"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "syntax_declaration"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "declare"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- \end{matharray}
-
- Arbitrary operations on the background context may be wrapped-up as
- generic declaration elements. Since the underlying concept of local
- theories may be subject to later re-interpretation, there is an
- additional dependency on a morphism that tells the difference of the
- original declaration context wrt.\ the application context
- encountered later on. A fact declaration is an important special
- case: it consists of a theorem which is applied to the context by
- means of an attribute.
-
- @{rail "
- (@@{command declaration} | @@{command syntax_declaration})
- ('(' @'pervasive' ')')? \\ @{syntax target}? @{syntax text}
- ;
- @@{command declare} @{syntax target}? (@{syntax thmrefs} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "declaration"}~@{text d} adds the declaration
- function @{text d} of ML type @{ML_type declaration}, to the current
- local theory under construction. In later application contexts, the
- function is transformed according to the morphisms being involved in
- the interpretation hierarchy.
-
- If the @{text "(pervasive)"} option is given, the corresponding
- declaration is applied to all possible contexts involved, including
- the global background theory.
-
- \item @{command "syntax_declaration"} is similar to @{command
- "declaration"}, but is meant to affect only ``syntactic'' tools by
- convention (such as notation and type-checking information).
-
- \item @{command "declare"}~@{text thms} declares theorems to the
- current local theory context. No theorem binding is involved here,
- unlike @{command "theorems"} or @{command "lemmas"} (cf.\
- \secref{sec:axms-thms}), so @{command "declare"} only has the effect
- of applying attributes as included in the theorem specification.
-
- \end{description}
-*}
-
-
-section {* Locales \label{sec:locale} *}
-
-text {*
- Locales are parametric named local contexts, consisting of a list of
- declaration elements that are modeled after the Isar proof context
- commands (cf.\ \secref{sec:proof-context}).
-*}
-
-
-subsection {* Locale expressions \label{sec:locale-expr} *}
-
-text {*
- A \emph{locale expression} denotes a structured context composed of
- instances of existing locales. The context consists of a list of
- instances of declaration elements from the locales. Two locale
- instances are equal if they are of the same locale and the
- parameters are instantiated with equivalent terms. Declaration
- elements from equal instances are never repeated, thus avoiding
- duplicate declarations. More precisely, declarations from instances
- that are subsumed by earlier instances are omitted.
-
- @{rail "
- @{syntax_def locale_expr}: (instance + '+') (@'for' (@{syntax \"fixes\"} + @'and'))?
- ;
- instance: (qualifier ':')? @{syntax nameref} (pos_insts | named_insts)
- ;
- qualifier: @{syntax name} ('?' | '!')?
- ;
- pos_insts: ('_' | @{syntax term})*
- ;
- named_insts: @'where' (@{syntax name} '=' @{syntax term} + @'and')
- "}
-
- A locale instance consists of a reference to a locale and either
- positional or named parameter instantiations. Identical
- instantiations (that is, those that instante a parameter by itself)
- may be omitted. The notation `@{text "_"}' enables to omit the
- instantiation for a parameter inside a positional instantiation.
-
- Terms in instantiations are from the context the locale expressions
- is declared in. Local names may be added to this context with the
- optional @{keyword "for"} clause. This is useful for shadowing names
- bound in outer contexts, and for declaring syntax. In addition,
- syntax declarations from one instance are effective when parsing
- subsequent instances of the same expression.
-
- Instances have an optional qualifier which applies to names in
- declarations. Names include local definitions and theorem names.
- If present, the qualifier itself is either optional
- (``\texttt{?}''), which means that it may be omitted on input of the
- qualified name, or mandatory (``\texttt{!}''). If neither
- ``\texttt{?}'' nor ``\texttt{!}'' are present, the command's default
- is used. For @{command "interpretation"} and @{command "interpret"}
- the default is ``mandatory'', for @{command "locale"} and @{command
- "sublocale"} the default is ``optional''.
-*}
-
-
-subsection {* Locale declarations *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "locale"} & : & @{text "theory \<rightarrow> local_theory"} \\
- @{command_def "print_locale"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_locales"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{method_def intro_locales} & : & @{text method} \\
- @{method_def unfold_locales} & : & @{text method} \\
- \end{matharray}
-
- \indexisarelem{fixes}\indexisarelem{constrains}\indexisarelem{assumes}
- \indexisarelem{defines}\indexisarelem{notes}
- @{rail "
- @@{command locale} @{syntax name} ('=' @{syntax locale})? @'begin'?
- ;
- @@{command print_locale} '!'? @{syntax nameref}
- ;
- @{syntax_def locale}: @{syntax context_elem}+ |
- @{syntax locale_expr} ('+' (@{syntax context_elem}+))?
- ;
- @{syntax_def context_elem}:
- @'fixes' (@{syntax \"fixes\"} + @'and') |
- @'constrains' (@{syntax name} '::' @{syntax type} + @'and') |
- @'assumes' (@{syntax props} + @'and') |
- @'defines' (@{syntax thmdecl}? @{syntax prop} @{syntax prop_pat}? + @'and') |
- @'notes' (@{syntax thmdef}? @{syntax thmrefs} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "locale"}~@{text "loc = import + body"} defines a
- new locale @{text loc} as a context consisting of a certain view of
- existing locales (@{text import}) plus some additional elements
- (@{text body}). Both @{text import} and @{text body} are optional;
- the degenerate form @{command "locale"}~@{text loc} defines an empty
- locale, which may still be useful to collect declarations of facts
- later on. Type-inference on locale expressions automatically takes
- care of the most general typing that the combined context elements
- may acquire.
-
- The @{text import} consists of a structured locale expression; see
- \secref{sec:proof-context} above. Its for clause defines the local
- parameters of the @{text import}. In addition, locale parameters
- whose instantance is omitted automatically extend the (possibly
- empty) for clause: they are inserted at its beginning. This means
- that these parameters may be referred to from within the expression
- and also in the subsequent context elements and provides a
- notational convenience for the inheritance of parameters in locale
- declarations.
-
- The @{text body} consists of context elements.
-
- \begin{description}
-
- \item @{element "fixes"}~@{text "x :: \<tau> (mx)"} declares a local
- parameter of type @{text \<tau>} and mixfix annotation @{text mx} (both
- are optional). The special syntax declaration ``@{text
- "(\<STRUCTURE>)"}'' means that @{text x} may be referenced
- implicitly in this context.
-
- \item @{element "constrains"}~@{text "x :: \<tau>"} introduces a type
- constraint @{text \<tau>} on the local parameter @{text x}. This
- element is deprecated. The type constraint should be introduced in
- the for clause or the relevant @{element "fixes"} element.
-
- \item @{element "assumes"}~@{text "a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}
- introduces local premises, similar to @{command "assume"} within a
- proof (cf.\ \secref{sec:proof-context}).
-
- \item @{element "defines"}~@{text "a: x \<equiv> t"} defines a previously
- declared parameter. This is similar to @{command "def"} within a
- proof (cf.\ \secref{sec:proof-context}), but @{element "defines"}
- takes an equational proposition instead of variable-term pair. The
- left-hand side of the equation may have additional arguments, e.g.\
- ``@{element "defines"}~@{text "f x\<^sub>1 \<dots> x\<^sub>n \<equiv> t"}''.
-
- \item @{element "notes"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"}
- reconsiders facts within a local context. Most notably, this may
- include arbitrary declarations in any attribute specifications
- included here, e.g.\ a local @{attribute simp} rule.
-
- The initial @{text import} specification of a locale expression
- maintains a dynamic relation to the locales being referenced
- (benefiting from any later fact declarations in the obvious manner).
-
- \end{description}
-
- Note that ``@{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"}'' patterns given
- in the syntax of @{element "assumes"} and @{element "defines"} above
- are illegal in locale definitions. In the long goal format of
- \secref{sec:goals}, term bindings may be included as expected,
- though.
-
- \medskip Locale specifications are ``closed up'' by
- turning the given text into a predicate definition @{text
- loc_axioms} and deriving the original assumptions as local lemmas
- (modulo local definitions). The predicate statement covers only the
- newly specified assumptions, omitting the content of included locale
- expressions. The full cumulative view is only provided on export,
- involving another predicate @{text loc} that refers to the complete
- specification text.
-
- In any case, the predicate arguments are those locale parameters
- that actually occur in the respective piece of text. Also note that
- these predicates operate at the meta-level in theory, but the locale
- packages attempts to internalize statements according to the
- object-logic setup (e.g.\ replacing @{text \<And>} by @{text \<forall>}, and
- @{text "\<Longrightarrow>"} by @{text "\<longrightarrow>"} in HOL; see also
- \secref{sec:object-logic}). Separate introduction rules @{text
- loc_axioms.intro} and @{text loc.intro} are provided as well.
-
- \item @{command "print_locale"}~@{text "locale"} prints the
- contents of the named locale. The command omits @{element "notes"}
- elements by default. Use @{command "print_locale"}@{text "!"} to
- have them included.
-
- \item @{command "print_locales"} prints the names of all locales
- of the current theory.
-
- \item @{method intro_locales} and @{method unfold_locales}
- repeatedly expand all introduction rules of locale predicates of the
- theory. While @{method intro_locales} only applies the @{text
- loc.intro} introduction rules and therefore does not decend to
- assumptions, @{method unfold_locales} is more aggressive and applies
- @{text loc_axioms.intro} as well. Both methods are aware of locale
- specifications entailed by the context, both from target statements,
- and from interpretations (see below). New goals that are entailed
- by the current context are discharged automatically.
-
- \end{description}
-*}
-
-
-subsection {* Locale interpretation *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "interpretation"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- @{command_def "interpret"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
- @{command_def "sublocale"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- @{command_def "print_dependencies"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "print_interps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- \end{matharray}
-
- Locale expressions may be instantiated, and the instantiated facts
- added to the current context. This requires a proof of the
- instantiated specification and is called \emph{locale
- interpretation}. Interpretation is possible in locales (command
- @{command "sublocale"}), theories (command @{command
- "interpretation"}) and also within proof bodies (command @{command
- "interpret"}).
-
- @{rail "
- @@{command interpretation} @{syntax locale_expr} equations?
- ;
- @@{command interpret} @{syntax locale_expr} equations?
- ;
- @@{command sublocale} @{syntax nameref} ('<' | '\<subseteq>') @{syntax locale_expr} \\
- equations?
- ;
- @@{command print_dependencies} '!'? @{syntax locale_expr}
- ;
- @@{command print_interps} @{syntax nameref}
- ;
-
- equations: @'where' (@{syntax thmdecl}? @{syntax prop} + @'and')
- "}
-
- \begin{description}
-
- \item @{command "interpretation"}~@{text "expr \<WHERE> eqns"}
- interprets @{text expr} in the theory. The command generates proof
- obligations for the instantiated specifications (assumes and defines
- elements). Once these are discharged by the user, instantiated
- facts are added to the theory in a post-processing phase.
-
- Free variables in the interpreted expression are allowed. They are
- turned into schematic variables in the generated declarations. In
- order to use a free variable whose name is already bound in the
- context --- for example, because a constant of that name exists ---
- it may be added to the @{keyword "for"} clause.
-
- Additional equations, which are unfolded during
- post-processing, may be given after the keyword @{keyword "where"}.
- This is useful for interpreting concepts introduced through
- definitions. The equations must be proved.
-
- The command is aware of interpretations already active in the
- theory, but does not simplify the goal automatically. In order to
- simplify the proof obligations use methods @{method intro_locales}
- or @{method unfold_locales}. Post-processing is not applied to
- facts of interpretations that are already active. This avoids
- duplication of interpreted facts, in particular. Note that, in the
- case of a locale with import, parts of the interpretation may
- already be active. The command will only process facts for new
- parts.
-
- Adding facts to locales has the effect of adding interpreted facts
- to the theory for all interpretations as well. That is,
- interpretations dynamically participate in any facts added to
- locales. Note that if a theory inherits additional facts for a
- locale through one parent and an interpretation of that locale
- through another parent, the additional facts will not be
- interpreted.
-
- \item @{command "interpret"}~@{text "expr \<WHERE> eqns"} interprets
- @{text expr} in the proof context and is otherwise similar to
- interpretation in theories. Note that rewrite rules given to
- @{command "interpret"} after the @{keyword "where"} keyword should be
- explicitly universally quantified.
-
- \item @{command "sublocale"}~@{text "name \<subseteq> expr \<WHERE>
- eqns"}
- interprets @{text expr} in the locale @{text name}. A proof that
- the specification of @{text name} implies the specification of
- @{text expr} is required. As in the localized version of the
- theorem command, the proof is in the context of @{text name}. After
- the proof obligation has been discharged, the facts of @{text expr}
- become part of locale @{text name} as \emph{derived} context
- elements and are available when the context @{text name} is
- subsequently entered. Note that, like import, this is dynamic:
- facts added to a locale part of @{text expr} after interpretation
- become also available in @{text name}.
-
- Only specification fragments of @{text expr} that are not already
- part of @{text name} (be it imported, derived or a derived fragment
- of the import) are considered in this process. This enables
- circular interpretations provided that no infinite chains are
- generated in the locale hierarchy.
-
- If interpretations of @{text name} exist in the current theory, the
- command adds interpretations for @{text expr} as well, with the same
- qualifier, although only for fragments of @{text expr} that are not
- interpreted in the theory already.
-
- Equations given after @{keyword "where"} amend the morphism through
- which @{text expr} is interpreted. This enables to map definitions
- from the interpreted locales to entities of @{text name}. This
- feature is experimental.
-
- \item @{command "print_dependencies"}~@{text "expr"} is useful for
- understanding the effect of an interpretation of @{text "expr"}. It
- lists all locale instances for which interpretations would be added
- to the current context. Variant @{command
- "print_dependencies"}@{text "!"} prints all locale instances that
- would be considered for interpretation, and would be interpreted in
- an empty context (that is, without interpretations).
-
- \item @{command "print_interps"}~@{text "locale"} lists all
- interpretations of @{text "locale"} in the current theory or proof
- context, including those due to a combination of a @{command
- "interpretation"} or @{command "interpret"} and one or several
- @{command "sublocale"} declarations.
-
- \end{description}
-
- \begin{warn}
- Since attributes are applied to interpreted theorems,
- interpretation may modify the context of common proof tools, e.g.\
- the Simplifier or Classical Reasoner. As the behavior of such
- tools is \emph{not} stable under interpretation morphisms, manual
- declarations might have to be added to the target context of the
- interpretation to revert such declarations.
- \end{warn}
-
- \begin{warn}
- An interpretation in a theory or proof context may subsume previous
- interpretations. This happens if the same specification fragment
- is interpreted twice and the instantiation of the second
- interpretation is more general than the interpretation of the
- first. The locale package does not attempt to remove subsumed
- interpretations.
- \end{warn}
-*}
-
-
-section {* Classes \label{sec:class} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "class"} & : & @{text "theory \<rightarrow> local_theory"} \\
- @{command_def "instantiation"} & : & @{text "theory \<rightarrow> local_theory"} \\
- @{command_def "instance"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command "instance"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
- @{command_def "subclass"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "print_classes"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{command_def "class_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{method_def intro_classes} & : & @{text method} \\
- \end{matharray}
-
- A class is a particular locale with \emph{exactly one} type variable
- @{text \<alpha>}. Beyond the underlying locale, a corresponding type class
- is established which is interpreted logically as axiomatic type
- class \cite{Wenzel:1997:TPHOL} whose logical content are the
- assumptions of the locale. Thus, classes provide the full
- generality of locales combined with the commodity of type classes
- (notably type-inference). See \cite{isabelle-classes} for a short
- tutorial.
-
- @{rail "
- @@{command class} class_spec @'begin'?
- ;
- class_spec: @{syntax name} '='
- ((@{syntax nameref} '+' (@{syntax context_elem}+)) |
- @{syntax nameref} | (@{syntax context_elem}+))
- ;
- @@{command instantiation} (@{syntax nameref} + @'and') '::' @{syntax arity} @'begin'
- ;
- @@{command instance} (() | (@{syntax nameref} + @'and') '::' @{syntax arity} |
- @{syntax nameref} ('<' | '\<subseteq>') @{syntax nameref} )
- ;
- @@{command subclass} @{syntax target}? @{syntax nameref}
- "}
-
- \begin{description}
-
- \item @{command "class"}~@{text "c = superclasses + body"} defines
- a new class @{text c}, inheriting from @{text superclasses}. This
- introduces a locale @{text c} with import of all locales @{text
- superclasses}.
-
- Any @{element "fixes"} in @{text body} are lifted to the global
- theory level (\emph{class operations} @{text "f\<^sub>1, \<dots>,
- f\<^sub>n"} of class @{text c}), mapping the local type parameter
- @{text \<alpha>} to a schematic type variable @{text "?\<alpha> :: c"}.
-
- Likewise, @{element "assumes"} in @{text body} are also lifted,
- mapping each local parameter @{text "f :: \<tau>[\<alpha>]"} to its
- corresponding global constant @{text "f :: \<tau>[?\<alpha> :: c]"}. The
- corresponding introduction rule is provided as @{text
- c_class_axioms.intro}. This rule should be rarely needed directly
- --- the @{method intro_classes} method takes care of the details of
- class membership proofs.
-
- \item @{command "instantiation"}~@{text "t :: (s\<^sub>1, \<dots>, s\<^sub>n)s
- \<BEGIN>"} opens a theory target (cf.\ \secref{sec:target}) which
- allows to specify class operations @{text "f\<^sub>1, \<dots>, f\<^sub>n"} corresponding
- to sort @{text s} at the particular type instance @{text "(\<alpha>\<^sub>1 :: s\<^sub>1,
- \<dots>, \<alpha>\<^sub>n :: s\<^sub>n) t"}. A plain @{command "instance"} command in the
- target body poses a goal stating these type arities. The target is
- concluded by an @{command_ref (local) "end"} command.
-
- Note that a list of simultaneous type constructors may be given;
- this corresponds nicely to mutually recursive type definitions, e.g.\
- in Isabelle/HOL.
-
- \item @{command "instance"} in an instantiation target body sets
- up a goal stating the type arities claimed at the opening @{command
- "instantiation"}. The proof would usually proceed by @{method
- intro_classes}, and then establish the characteristic theorems of
- the type classes involved. After finishing the proof, the
- background theory will be augmented by the proven type arities.
-
- On the theory level, @{command "instance"}~@{text "t :: (s\<^sub>1, \<dots>,
- s\<^sub>n)s"} provides a convenient way to instantiate a type class with no
- need to specify operations: one can continue with the
- instantiation proof immediately.
-
- \item @{command "subclass"}~@{text c} in a class context for class
- @{text d} sets up a goal stating that class @{text c} is logically
- contained in class @{text d}. After finishing the proof, class
- @{text d} is proven to be subclass @{text c} and the locale @{text
- c} is interpreted into @{text d} simultaneously.
-
- A weakend form of this is available through a further variant of
- @{command instance}: @{command instance}~@{text "c\<^sub>1 \<subseteq> c\<^sub>2"} opens
- a proof that class @{text "c\<^isub>2"} implies @{text "c\<^isub>1"} without reference
- to the underlying locales; this is useful if the properties to prove
- the logical connection are not sufficent on the locale level but on
- the theory level.
-
- \item @{command "print_classes"} prints all classes in the current
- theory.
-
- \item @{command "class_deps"} visualizes all classes and their
- subclass relations as a Hasse diagram.
-
- \item @{method intro_classes} repeatedly expands all class
- introduction rules of this theory. Note that this method usually
- needs not be named explicitly, as it is already included in the
- default proof step (e.g.\ of @{command "proof"}). In particular,
- instantiation of trivial (syntactic) classes may be performed by a
- single ``@{command ".."}'' proof step.
-
- \end{description}
-*}
-
-
-subsection {* The class target *}
-
-text {*
- %FIXME check
-
- A named context may refer to a locale (cf.\ \secref{sec:target}).
- If this locale is also a class @{text c}, apart from the common
- locale target behaviour the following happens.
-
- \begin{itemize}
-
- \item Local constant declarations @{text "g[\<alpha>]"} referring to the
- local type parameter @{text \<alpha>} and local parameters @{text "f[\<alpha>]"}
- are accompanied by theory-level constants @{text "g[?\<alpha> :: c]"}
- referring to theory-level class operations @{text "f[?\<alpha> :: c]"}.
-
- \item Local theorem bindings are lifted as are assumptions.
-
- \item Local syntax refers to local operations @{text "g[\<alpha>]"} and
- global operations @{text "g[?\<alpha> :: c]"} uniformly. Type inference
- resolves ambiguities. In rare cases, manual type annotations are
- needed.
-
- \end{itemize}
-*}
-
-
-subsection {* Co-regularity of type classes and arities *}
-
-text {* The class relation together with the collection of
- type-constructor arities must obey the principle of
- \emph{co-regularity} as defined below.
-
- \medskip For the subsequent formulation of co-regularity we assume
- that the class relation is closed by transitivity and reflexivity.
- Moreover the collection of arities @{text "t :: (\<^vec>s)c"} is
- completed such that @{text "t :: (\<^vec>s)c"} and @{text "c \<subseteq> c'"}
- implies @{text "t :: (\<^vec>s)c'"} for all such declarations.
-
- Treating sorts as finite sets of classes (meaning the intersection),
- the class relation @{text "c\<^sub>1 \<subseteq> c\<^sub>2"} is extended to sorts as
- follows:
- \[
- @{text "s\<^sub>1 \<subseteq> s\<^sub>2 \<equiv> \<forall>c\<^sub>2 \<in> s\<^sub>2. \<exists>c\<^sub>1 \<in> s\<^sub>1. c\<^sub>1 \<subseteq> c\<^sub>2"}
- \]
-
- This relation on sorts is further extended to tuples of sorts (of
- the same length) in the component-wise way.
-
- \smallskip Co-regularity of the class relation together with the
- arities relation means:
- \[
- @{text "t :: (\<^vec>s\<^sub>1)c\<^sub>1 \<Longrightarrow> t :: (\<^vec>s\<^sub>2)c\<^sub>2 \<Longrightarrow> c\<^sub>1 \<subseteq> c\<^sub>2 \<Longrightarrow> \<^vec>s\<^sub>1 \<subseteq> \<^vec>s\<^sub>2"}
- \]
- \noindent for all such arities. In other words, whenever the result
- classes of some type-constructor arities are related, then the
- argument sorts need to be related in the same way.
-
- \medskip Co-regularity is a very fundamental property of the
- order-sorted algebra of types. For example, it entails principle
- types and most general unifiers, e.g.\ see \cite{nipkow-prehofer}.
-*}
-
-
-section {* Unrestricted overloading *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "overloading"} & : & @{text "theory \<rightarrow> local_theory"} \\
- \end{matharray}
-
- Isabelle/Pure's definitional schemes support certain forms of
- overloading (see \secref{sec:consts}). Overloading means that a
- constant being declared as @{text "c :: \<alpha> decl"} may be
- defined separately on type instances
- @{text "c :: (\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n) t decl"}
- for each type constructor @{text t}. At most occassions
- overloading will be used in a Haskell-like fashion together with
- type classes by means of @{command "instantiation"} (see
- \secref{sec:class}). Sometimes low-level overloading is desirable.
- The @{command "overloading"} target provides a convenient view for
- end-users.
-
- @{rail "
- @@{command overloading} ( spec + ) @'begin'
- ;
- spec: @{syntax name} ( '==' | '\<equiv>' ) @{syntax term} ( '(' @'unchecked' ')' )?
- "}
-
- \begin{description}
-
- \item @{command "overloading"}~@{text "x\<^sub>1 \<equiv> c\<^sub>1 :: \<tau>\<^sub>1 \<AND> \<dots> x\<^sub>n \<equiv> c\<^sub>n :: \<tau>\<^sub>n \<BEGIN>"}
- opens a theory target (cf.\ \secref{sec:target}) which allows to
- specify constants with overloaded definitions. These are identified
- by an explicitly given mapping from variable names @{text "x\<^sub>i"} to
- constants @{text "c\<^sub>i"} at particular type instances. The
- definitions themselves are established using common specification
- tools, using the names @{text "x\<^sub>i"} as reference to the
- corresponding constants. The target is concluded by @{command
- (local) "end"}.
-
- A @{text "(unchecked)"} option disables global dependency checks for
- the corresponding definition, which is occasionally useful for
- exotic overloading (see \secref{sec:consts} for a precise description).
- It is at the discretion of the user to avoid
- malformed theory specifications!
-
- \end{description}
-*}
-
-
-section {* Incorporating ML code \label{sec:ML} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "ML_file"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "ML"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "ML_prf"} & : & @{text "proof \<rightarrow> proof"} \\
- @{command_def "ML_val"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "ML_command"} & : & @{text "any \<rightarrow>"} \\
- @{command_def "setup"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "local_setup"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "attribute_setup"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- @@{command ML_file} @{syntax name}
- ;
- (@@{command ML} | @@{command ML_prf} | @@{command ML_val} |
- @@{command ML_command} | @@{command setup} | @@{command local_setup}) @{syntax text}
- ;
- @@{command attribute_setup} @{syntax name} '=' @{syntax text} @{syntax text}?
- "}
-
- \begin{description}
-
- \item @{command "ML_file"}~@{text "name"} reads and evaluates the
- given ML file. The current theory context is passed down to the ML
- toplevel and may be modified, using @{ML "Context.>>"} or derived ML
- commands. Top-level ML bindings are stored within the (global or
- local) theory context.
-
- \item @{command "ML"}~@{text "text"} is similar to @{command
- "ML_file"}, but evaluates directly the given @{text "text"}.
- Top-level ML bindings are stored within the (global or local) theory
- context.
-
- \item @{command "ML_prf"} is analogous to @{command "ML"} but works
- within a proof context. Top-level ML bindings are stored within the
- proof context in a purely sequential fashion, disregarding the
- nested proof structure. ML bindings introduced by @{command
- "ML_prf"} are discarded at the end of the proof.
-
- \item @{command "ML_val"} and @{command "ML_command"} are diagnostic
- versions of @{command "ML"}, which means that the context may not be
- updated. @{command "ML_val"} echos the bindings produced at the ML
- toplevel, but @{command "ML_command"} is silent.
-
- \item @{command "setup"}~@{text "text"} changes the current theory
- context by applying @{text "text"}, which refers to an ML expression
- of type @{ML_type "theory -> theory"}. This enables to initialize
- any object-logic specific tools and packages written in ML, for
- example.
-
- \item @{command "local_setup"} is similar to @{command "setup"} for
- a local theory context, and an ML expression of type @{ML_type
- "local_theory -> local_theory"}. This allows to
- invoke local theory specification packages without going through
- concrete outer syntax, for example.
-
- \item @{command "attribute_setup"}~@{text "name = text description"}
- defines an attribute in the current theory. The given @{text
- "text"} has to be an ML expression of type
- @{ML_type "attribute context_parser"}, cf.\ basic parsers defined in
- structure @{ML_struct Args} and @{ML_struct Attrib}.
-
- In principle, attributes can operate both on a given theorem and the
- implicit context, although in practice only one is modified and the
- other serves as parameter. Here are examples for these two cases:
-
- \end{description}
-*}
-
- attribute_setup my_rule = {*
- Attrib.thms >> (fn ths =>
- Thm.rule_attribute
- (fn context: Context.generic => fn th: thm =>
- let val th' = th OF ths
- in th' end)) *}
-
- attribute_setup my_declaration = {*
- Attrib.thms >> (fn ths =>
- Thm.declaration_attribute
- (fn th: thm => fn context: Context.generic =>
- let val context' = context
- in context' end)) *}
-
-
-section {* Primitive specification elements *}
-
-subsection {* Type classes and sorts \label{sec:classes} *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "classes"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "classrel"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
- @{command_def "default_sort"} & : & @{text "local_theory \<rightarrow> local_theory"}
- \end{matharray}
-
- @{rail "
- @@{command classes} (@{syntax classdecl} +)
- ;
- @@{command classrel} (@{syntax nameref} ('<' | '\<subseteq>') @{syntax nameref} + @'and')
- ;
- @@{command default_sort} @{syntax sort}
- "}
-
- \begin{description}
-
- \item @{command "classes"}~@{text "c \<subseteq> c\<^sub>1, \<dots>, c\<^sub>n"} declares class
- @{text c} to be a subclass of existing classes @{text "c\<^sub>1, \<dots>, c\<^sub>n"}.
- Isabelle implicitly maintains the transitive closure of the class
- hierarchy. Cyclic class structures are not permitted.
-
- \item @{command "classrel"}~@{text "c\<^sub>1 \<subseteq> c\<^sub>2"} states subclass
- relations between existing classes @{text "c\<^sub>1"} and @{text "c\<^sub>2"}.
- This is done axiomatically! The @{command_ref "subclass"} and
- @{command_ref "instance"} commands (see \secref{sec:class}) provide
- a way to introduce proven class relations.
-
- \item @{command "default_sort"}~@{text s} makes sort @{text s} the
- new default sort for any type variable that is given explicitly in
- the text, but lacks a sort constraint (wrt.\ the current context).
- Type variables generated by type inference are not affected.
-
- Usually the default sort is only changed when defining a new
- object-logic. For example, the default sort in Isabelle/HOL is
- @{class type}, the class of all HOL types.
-
- When merging theories, the default sorts of the parents are
- logically intersected, i.e.\ the representations as lists of classes
- are joined.
-
- \end{description}
-*}
-
-
-subsection {* Types and type abbreviations \label{sec:types-pure} *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "type_synonym"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "typedecl"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "arities"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
- \end{matharray}
-
- @{rail "
- @@{command type_synonym} (@{syntax typespec} '=' @{syntax type} @{syntax mixfix}?)
- ;
- @@{command typedecl} @{syntax typespec} @{syntax mixfix}?
- ;
- @@{command arities} (@{syntax nameref} '::' @{syntax arity} +)
- "}
-
- \begin{description}
-
- \item @{command "type_synonym"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = \<tau>"}
- introduces a \emph{type synonym} @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} for the
- existing type @{text "\<tau>"}. Unlike actual type definitions, as are
- available in Isabelle/HOL for example, type synonyms are merely
- syntactic abbreviations without any logical significance.
- Internally, type synonyms are fully expanded.
-
- \item @{command "typedecl"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} declares a new
- type constructor @{text t}. If the object-logic defines a base sort
- @{text s}, then the constructor is declared to operate on that, via
- the axiomatic specification @{command arities}~@{text "t :: (s, \<dots>,
- s)s"}.
-
- \item @{command "arities"}~@{text "t :: (s\<^sub>1, \<dots>, s\<^sub>n)s"} augments
- Isabelle's order-sorted signature of types by new type constructor
- arities. This is done axiomatically! The @{command_ref "instantiation"}
- target (see \secref{sec:class}) provides a way to introduce
- proven type arities.
-
- \end{description}
-*}
-
-
-subsection {* Constants and definitions \label{sec:consts} *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "consts"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "defs"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- Definitions essentially express abbreviations within the logic. The
- simplest form of a definition is @{text "c :: \<sigma> \<equiv> t"}, where @{text
- c} is a newly declared constant. Isabelle also allows derived forms
- where the arguments of @{text c} appear on the left, abbreviating a
- prefix of @{text \<lambda>}-abstractions, e.g.\ @{text "c \<equiv> \<lambda>x y. t"} may be
- written more conveniently as @{text "c x y \<equiv> t"}. Moreover,
- definitions may be weakened by adding arbitrary pre-conditions:
- @{text "A \<Longrightarrow> c x y \<equiv> t"}.
-
- \medskip The built-in well-formedness conditions for definitional
- specifications are:
-
- \begin{itemize}
-
- \item Arguments (on the left-hand side) must be distinct variables.
-
- \item All variables on the right-hand side must also appear on the
- left-hand side.
-
- \item All type variables on the right-hand side must also appear on
- the left-hand side; this prohibits @{text "0 :: nat \<equiv> length ([] ::
- \<alpha> list)"} for example.
-
- \item The definition must not be recursive. Most object-logics
- provide definitional principles that can be used to express
- recursion safely.
-
- \end{itemize}
-
- The right-hand side of overloaded definitions may mention overloaded constants
- recursively at type instances corresponding to the immediate
- argument types @{text "\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n"}. Incomplete
- specification patterns impose global constraints on all occurrences,
- e.g.\ @{text "d :: \<alpha> \<times> \<alpha>"} on the left-hand side means that all
- corresponding occurrences on some right-hand side need to be an
- instance of this, general @{text "d :: \<alpha> \<times> \<beta>"} will be disallowed.
-
- @{rail "
- @@{command consts} ((@{syntax name} '::' @{syntax type} @{syntax mixfix}?) +)
- ;
- @@{command defs} opt? (@{syntax axmdecl} @{syntax prop} +)
- ;
- opt: '(' @'unchecked'? @'overloaded'? ')'
- "}
-
- \begin{description}
-
- \item @{command "consts"}~@{text "c :: \<sigma>"} declares constant @{text
- c} to have any instance of type scheme @{text \<sigma>}. The optional
- mixfix annotations may attach concrete syntax to the constants
- declared.
-
- \item @{command "defs"}~@{text "name: eqn"} introduces @{text eqn}
- as a definitional axiom for some existing constant.
-
- The @{text "(unchecked)"} option disables global dependency checks
- for this definition, which is occasionally useful for exotic
- overloading. It is at the discretion of the user to avoid malformed
- theory specifications!
-
- The @{text "(overloaded)"} option declares definitions to be
- potentially overloaded. Unless this option is given, a warning
- message would be issued for any definitional equation with a more
- special type than that of the corresponding constant declaration.
-
- \end{description}
-*}
-
-
-section {* Axioms and theorems \label{sec:axms-thms} *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "axioms"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
- @{command_def "lemmas"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- @{command_def "theorems"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
- \end{matharray}
-
- @{rail "
- @@{command axioms} (@{syntax axmdecl} @{syntax prop} +)
- ;
- (@@{command lemmas} | @@{command theorems}) @{syntax target}? \\
- (@{syntax thmdef}? @{syntax thmrefs} + @'and')
- (@'for' (@{syntax vars} + @'and'))?
- "}
-
- \begin{description}
-
- \item @{command "axioms"}~@{text "a: \<phi>"} introduces arbitrary
- statements as axioms of the meta-logic. In fact, axioms are
- ``axiomatic theorems'', and may be referred later just as any other
- theorem.
-
- Axioms are usually only introduced when declaring new logical
- systems. Everyday work is typically done the hard way, with proper
- definitions and proven theorems.
-
- \item @{command "lemmas"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"}~@{keyword_def
- "for"}~@{text "x\<^sub>1 \<dots> x\<^sub>m"} evaluates given facts (with attributes) in
- the current context, which may be augmented by local variables.
- Results are standardized before being stored, i.e.\ schematic
- variables are renamed to enforce index @{text "0"} uniformly.
-
- \item @{command "theorems"} is the same as @{command "lemmas"}, but
- marks the result as a different kind of facts.
-
- \end{description}
-*}
-
-
-section {* Oracles *}
-
-text {*
- \begin{matharray}{rcll}
- @{command_def "oracle"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
- \end{matharray}
-
- Oracles allow Isabelle to take advantage of external reasoners such
- as arithmetic decision procedures, model checkers, fast tautology
- checkers or computer algebra systems. Invoked as an oracle, an
- external reasoner can create arbitrary Isabelle theorems.
-
- It is the responsibility of the user to ensure that the external
- reasoner is as trustworthy as the application requires. Another
- typical source of errors is the linkup between Isabelle and the
- external tool, not just its concrete implementation, but also the
- required translation between two different logical environments.
-
- Isabelle merely guarantees well-formedness of the propositions being
- asserted, and records within the internal derivation object how
- presumed theorems depend on unproven suppositions.
-
- @{rail "
- @@{command oracle} @{syntax name} '=' @{syntax text}
- "}
-
- \begin{description}
-
- \item @{command "oracle"}~@{text "name = text"} turns the given ML
- expression @{text "text"} of type @{ML_text "'a -> cterm"} into an
- ML function of type @{ML_text "'a -> thm"}, which is bound to the
- global identifier @{ML_text name}. This acts like an infinitary
- specification of axioms! Invoking the oracle only works within the
- scope of the resulting theory.
-
- \end{description}
-
- See @{file "~~/src/HOL/ex/Iff_Oracle.thy"} for a worked example of
- defining a new primitive rule as oracle, and turning it into a proof
- method.
-*}
-
-
-section {* Name spaces *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def "hide_class"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "hide_type"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "hide_const"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def "hide_fact"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- ( @{command hide_class} | @{command hide_type} |
- @{command hide_const} | @{command hide_fact} ) ('(' @'open' ')')? (@{syntax nameref} + )
- "}
-
- Isabelle organizes any kind of name declarations (of types,
- constants, theorems etc.) by separate hierarchically structured name
- spaces. Normally the user does not have to control the behavior of
- name spaces by hand, yet the following commands provide some way to
- do so.
-
- \begin{description}
-
- \item @{command "hide_class"}~@{text names} fully removes class
- declarations from a given name space; with the @{text "(open)"}
- option, only the base name is hidden.
-
- Note that hiding name space accesses has no impact on logical
- declarations --- they remain valid internally. Entities that are no
- longer accessible to the user are printed with the special qualifier
- ``@{text "??"}'' prefixed to the full internal name.
-
- \item @{command "hide_type"}, @{command "hide_const"}, and @{command
- "hide_fact"} are similar to @{command "hide_class"}, but hide types,
- constants, and facts, respectively.
-
- \end{description}
-*}
-
-end
--- a/doc-src/IsarRef/Symbols.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,46 +0,0 @@
-theory Symbols
-imports Base Main
-begin
-
-chapter {* Predefined Isabelle symbols \label{app:symbols} *}
-
-text {*
- Isabelle supports an infinite number of non-ASCII symbols, which are
- represented in source text as @{verbatim "\\"}@{verbatim "<"}@{text
- name}@{verbatim ">"} (where @{text name} may be any identifier). It
- is left to front-end tools how to present these symbols to the user.
- The collection of predefined standard symbols given below is
- available by default for Isabelle document output, due to
- appropriate definitions of @{verbatim "\\"}@{verbatim isasym}@{text
- name} for each @{verbatim "\\"}@{verbatim "<"}@{text name}@{verbatim
- ">"} in the @{verbatim isabellesym.sty} file. Most of these symbols
- are displayed properly in Proof~General and Isabelle/jEdit.
-
- Moreover, any single symbol (or ASCII character) may be prefixed by
- @{verbatim "\\"}@{verbatim "<^sup>"}, for superscript and @{verbatim
- "\\"}@{verbatim "<^sub>"}, for subscript, such as @{verbatim
- "A\\"}@{verbatim "<^sup>\<star>"}, for @{text "A\<^sup>\<star>"} the alternative
- versions @{verbatim "\\"}@{verbatim "<^isub>"} and @{verbatim
- "\\"}@{verbatim "<^isup>"} are considered as quasi letters and may
- be used within identifiers. Sub- and superscripts that span a
- region of text are marked up with @{verbatim "\\"}@{verbatim
- "<^bsub>"}@{text "\<dots>"}@{verbatim "\\"}@{verbatim "<^esub>"}, and
- @{verbatim "\\"}@{verbatim "<^bsup>"}@{text "\<dots>"}@{verbatim
- "\\"}@{verbatim "<^esup>"} respectively. Furthermore, all ASCII
- characters and most other symbols may be printed in bold by
- prefixing @{verbatim "\\"}@{verbatim "<^bold>"} such as @{verbatim
- "\\"}@{verbatim "<^bold>\\"}@{verbatim "<alpha>"} for @{text
- "\<^bold>\<alpha>"}. Note that @{verbatim "\\"}@{verbatim "<^bold>"}, may
- \emph{not} be combined with sub- or superscripts for single symbols.
-
- Further details of Isabelle document preparation are covered in
- \chref{ch:document-prep}.
-
- \begin{center}
- \begin{isabellebody}
- \input{syms}
- \end{isabellebody}
- \end{center}
-*}
-
-end
\ No newline at end of file
--- a/doc-src/IsarRef/Synopsis.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1108 +0,0 @@
-theory Synopsis
-imports Base Main
-begin
-
-chapter {* Synopsis *}
-
-section {* Notepad *}
-
-text {*
- An Isar proof body serves as mathematical notepad to compose logical
- content, consisting of types, terms, facts.
-*}
-
-
-subsection {* Types and terms *}
-
-notepad
-begin
- txt {* Locally fixed entities: *}
- fix x -- {* local constant, without any type information yet *}
- fix x :: 'a -- {* variant with explicit type-constraint for subsequent use*}
-
- fix a b
- assume "a = b" -- {* type assignment at first occurrence in concrete term *}
-
- txt {* Definitions (non-polymorphic): *}
- def x \<equiv> "t::'a"
-
- txt {* Abbreviations (polymorphic): *}
- let ?f = "\<lambda>x. x"
- term "?f ?f"
-
- txt {* Notation: *}
- write x ("***")
-end
-
-
-subsection {* Facts *}
-
-text {*
- A fact is a simultaneous list of theorems.
-*}
-
-
-subsubsection {* Producing facts *}
-
-notepad
-begin
-
- txt {* Via assumption (``lambda''): *}
- assume a: A
-
- txt {* Via proof (``let''): *}
- have b: B sorry
-
- txt {* Via abbreviation (``let''): *}
- note c = a b
-
-end
-
-
-subsubsection {* Referencing facts *}
-
-notepad
-begin
- txt {* Via explicit name: *}
- assume a: A
- note a
-
- txt {* Via implicit name: *}
- assume A
- note this
-
- txt {* Via literal proposition (unification with results from the proof text): *}
- assume A
- note `A`
-
- assume "\<And>x. B x"
- note `B a`
- note `B b`
-end
-
-
-subsubsection {* Manipulating facts *}
-
-notepad
-begin
- txt {* Instantiation: *}
- assume a: "\<And>x. B x"
- note a
- note a [of b]
- note a [where x = b]
-
- txt {* Backchaining: *}
- assume 1: A
- assume 2: "A \<Longrightarrow> C"
- note 2 [OF 1]
- note 1 [THEN 2]
-
- txt {* Symmetric results: *}
- assume "x = y"
- note this [symmetric]
-
- assume "x \<noteq> y"
- note this [symmetric]
-
- txt {* Adhoc-simplification (take care!): *}
- assume "P ([] @ xs)"
- note this [simplified]
-end
-
-
-subsubsection {* Projections *}
-
-text {*
- Isar facts consist of multiple theorems. There is notation to project
- interval ranges.
-*}
-
-notepad
-begin
- assume stuff: A B C D
- note stuff(1)
- note stuff(2-3)
- note stuff(2-)
-end
-
-
-subsubsection {* Naming conventions *}
-
-text {*
- \begin{itemize}
-
- \item Lower-case identifiers are usually preferred.
-
- \item Facts can be named after the main term within the proposition.
-
- \item Facts should \emph{not} be named after the command that
- introduced them (@{command "assume"}, @{command "have"}). This is
- misleading and hard to maintain.
-
- \item Natural numbers can be used as ``meaningless'' names (more
- appropriate than @{text "a1"}, @{text "a2"} etc.)
-
- \item Symbolic identifiers are supported (e.g. @{text "*"}, @{text
- "**"}, @{text "***"}).
-
- \end{itemize}
-*}
-
-
-subsection {* Block structure *}
-
-text {*
- The formal notepad is block structured. The fact produced by the last
- entry of a block is exported into the outer context.
-*}
-
-notepad
-begin
- {
- have a: A sorry
- have b: B sorry
- note a b
- }
- note this
- note `A`
- note `B`
-end
-
-text {* Explicit blocks as well as implicit blocks of nested goal
- statements (e.g.\ @{command have}) automatically introduce one extra
- pair of parentheses in reserve. The @{command next} command allows
- to ``jump'' between these sub-blocks. *}
-
-notepad
-begin
-
- {
- have a: A sorry
- next
- have b: B
- proof -
- show B sorry
- next
- have c: C sorry
- next
- have d: D sorry
- qed
- }
-
- txt {* Alternative version with explicit parentheses everywhere: *}
-
- {
- {
- have a: A sorry
- }
- {
- have b: B
- proof -
- {
- show B sorry
- }
- {
- have c: C sorry
- }
- {
- have d: D sorry
- }
- qed
- }
- }
-
-end
-
-
-section {* Calculational reasoning \label{sec:calculations-synopsis} *}
-
-text {*
- For example, see @{file "~~/src/HOL/Isar_Examples/Group.thy"}.
-*}
-
-
-subsection {* Special names in Isar proofs *}
-
-text {*
- \begin{itemize}
-
- \item term @{text "?thesis"} --- the main conclusion of the
- innermost pending claim
-
- \item term @{text "\<dots>"} --- the argument of the last explicitly
- stated result (for infix application this is the right-hand side)
-
- \item fact @{text "this"} --- the last result produced in the text
-
- \end{itemize}
-*}
-
-notepad
-begin
- have "x = y"
- proof -
- term ?thesis
- show ?thesis sorry
- term ?thesis -- {* static! *}
- qed
- term "\<dots>"
- thm this
-end
-
-text {* Calculational reasoning maintains the special fact called
- ``@{text calculation}'' in the background. Certain language
- elements combine primary @{text this} with secondary @{text
- calculation}. *}
-
-
-subsection {* Transitive chains *}
-
-text {* The Idea is to combine @{text this} and @{text calculation}
- via typical @{text trans} rules (see also @{command
- print_trans_rules}): *}
-
-thm trans
-thm less_trans
-thm less_le_trans
-
-notepad
-begin
- txt {* Plain bottom-up calculation: *}
- have "a = b" sorry
- also
- have "b = c" sorry
- also
- have "c = d" sorry
- finally
- have "a = d" .
-
- txt {* Variant using the @{text "\<dots>"} abbreviation: *}
- have "a = b" sorry
- also
- have "\<dots> = c" sorry
- also
- have "\<dots> = d" sorry
- finally
- have "a = d" .
-
- txt {* Top-down version with explicit claim at the head: *}
- have "a = d"
- proof -
- have "a = b" sorry
- also
- have "\<dots> = c" sorry
- also
- have "\<dots> = d" sorry
- finally
- show ?thesis .
- qed
-next
- txt {* Mixed inequalities (require suitable base type): *}
- fix a b c d :: nat
-
- have "a < b" sorry
- also
- have "b \<le> c" sorry
- also
- have "c = d" sorry
- finally
- have "a < d" .
-end
-
-
-subsubsection {* Notes *}
-
-text {*
- \begin{itemize}
-
- \item The notion of @{text trans} rule is very general due to the
- flexibility of Isabelle/Pure rule composition.
-
- \item User applications may declare their own rules, with some care
- about the operational details of higher-order unification.
-
- \end{itemize}
-*}
-
-
-subsection {* Degenerate calculations and bigstep reasoning *}
-
-text {* The Idea is to append @{text this} to @{text calculation},
- without rule composition. *}
-
-notepad
-begin
- txt {* A vacuous proof: *}
- have A sorry
- moreover
- have B sorry
- moreover
- have C sorry
- ultimately
- have A and B and C .
-next
- txt {* Slightly more content (trivial bigstep reasoning): *}
- have A sorry
- moreover
- have B sorry
- moreover
- have C sorry
- ultimately
- have "A \<and> B \<and> C" by blast
-next
- txt {* More ambitious bigstep reasoning involving structured results: *}
- have "A \<or> B \<or> C" sorry
- moreover
- { assume A have R sorry }
- moreover
- { assume B have R sorry }
- moreover
- { assume C have R sorry }
- ultimately
- have R by blast -- {* ``big-bang integration'' of proof blocks (occasionally fragile) *}
-end
-
-
-section {* Induction *}
-
-subsection {* Induction as Natural Deduction *}
-
-text {* In principle, induction is just a special case of Natural
- Deduction (see also \secref{sec:natural-deduction-synopsis}). For
- example: *}
-
-thm nat.induct
-print_statement nat.induct
-
-notepad
-begin
- fix n :: nat
- have "P n"
- proof (rule nat.induct) -- {* fragile rule application! *}
- show "P 0" sorry
- next
- fix n :: nat
- assume "P n"
- show "P (Suc n)" sorry
- qed
-end
-
-text {*
- In practice, much more proof infrastructure is required.
-
- The proof method @{method induct} provides:
- \begin{itemize}
-
- \item implicit rule selection and robust instantiation
-
- \item context elements via symbolic case names
-
- \item support for rule-structured induction statements, with local
- parameters, premises, etc.
-
- \end{itemize}
-*}
-
-notepad
-begin
- fix n :: nat
- have "P n"
- proof (induct n)
- case 0
- show ?case sorry
- next
- case (Suc n)
- from Suc.hyps show ?case sorry
- qed
-end
-
-
-subsubsection {* Example *}
-
-text {*
- The subsequent example combines the following proof patterns:
- \begin{itemize}
-
- \item outermost induction (over the datatype structure of natural
- numbers), to decompose the proof problem in top-down manner
-
- \item calculational reasoning (\secref{sec:calculations-synopsis})
- to compose the result in each case
-
- \item solving local claims within the calculation by simplification
-
- \end{itemize}
-*}
-
-lemma
- fixes n :: nat
- shows "(\<Sum>i=0..n. i) = n * (n + 1) div 2"
-proof (induct n)
- case 0
- have "(\<Sum>i=0..0. i) = (0::nat)" by simp
- also have "\<dots> = 0 * (0 + 1) div 2" by simp
- finally show ?case .
-next
- case (Suc n)
- have "(\<Sum>i=0..Suc n. i) = (\<Sum>i=0..n. i) + (n + 1)" by simp
- also have "\<dots> = n * (n + 1) div 2 + (n + 1)" by (simp add: Suc.hyps)
- also have "\<dots> = (n * (n + 1) + 2 * (n + 1)) div 2" by simp
- also have "\<dots> = (Suc n * (Suc n + 1)) div 2" by simp
- finally show ?case .
-qed
-
-text {* This demonstrates how induction proofs can be done without
- having to consider the raw Natural Deduction structure. *}
-
-
-subsection {* Induction with local parameters and premises *}
-
-text {* Idea: Pure rule statements are passed through the induction
- rule. This achieves convenient proof patterns, thanks to some
- internal trickery in the @{method induct} method.
-
- Important: Using compact HOL formulae with @{text "\<forall>/\<longrightarrow>"} is a
- well-known anti-pattern! It would produce useless formal noise.
-*}
-
-notepad
-begin
- fix n :: nat
- fix P :: "nat \<Rightarrow> bool"
- fix Q :: "'a \<Rightarrow> nat \<Rightarrow> bool"
-
- have "P n"
- proof (induct n)
- case 0
- show "P 0" sorry
- next
- case (Suc n)
- from `P n` show "P (Suc n)" sorry
- qed
-
- have "A n \<Longrightarrow> P n"
- proof (induct n)
- case 0
- from `A 0` show "P 0" sorry
- next
- case (Suc n)
- from `A n \<Longrightarrow> P n`
- and `A (Suc n)` show "P (Suc n)" sorry
- qed
-
- have "\<And>x. Q x n"
- proof (induct n)
- case 0
- show "Q x 0" sorry
- next
- case (Suc n)
- from `\<And>x. Q x n` show "Q x (Suc n)" sorry
- txt {* Local quantification admits arbitrary instances: *}
- note `Q a n` and `Q b n`
- qed
-end
-
-
-subsection {* Implicit induction context *}
-
-text {* The @{method induct} method can isolate local parameters and
- premises directly from the given statement. This is convenient in
- practical applications, but requires some understanding of what is
- going on internally (as explained above). *}
-
-notepad
-begin
- fix n :: nat
- fix Q :: "'a \<Rightarrow> nat \<Rightarrow> bool"
-
- fix x :: 'a
- assume "A x n"
- then have "Q x n"
- proof (induct n arbitrary: x)
- case 0
- from `A x 0` show "Q x 0" sorry
- next
- case (Suc n)
- from `\<And>x. A x n \<Longrightarrow> Q x n` -- {* arbitrary instances can be produced here *}
- and `A x (Suc n)` show "Q x (Suc n)" sorry
- qed
-end
-
-
-subsection {* Advanced induction with term definitions *}
-
-text {* Induction over subexpressions of a certain shape are delicate
- to formalize. The Isar @{method induct} method provides
- infrastructure for this.
-
- Idea: sub-expressions of the problem are turned into a defined
- induction variable; often accompanied with fixing of auxiliary
- parameters in the original expression. *}
-
-notepad
-begin
- fix a :: "'a \<Rightarrow> nat"
- fix A :: "nat \<Rightarrow> bool"
-
- assume "A (a x)"
- then have "P (a x)"
- proof (induct "a x" arbitrary: x)
- case 0
- note prem = `A (a x)`
- and defn = `0 = a x`
- show "P (a x)" sorry
- next
- case (Suc n)
- note hyp = `\<And>x. n = a x \<Longrightarrow> A (a x) \<Longrightarrow> P (a x)`
- and prem = `A (a x)`
- and defn = `Suc n = a x`
- show "P (a x)" sorry
- qed
-end
-
-
-section {* Natural Deduction \label{sec:natural-deduction-synopsis} *}
-
-subsection {* Rule statements *}
-
-text {*
- Isabelle/Pure ``theorems'' are always natural deduction rules,
- which sometimes happen to consist of a conclusion only.
-
- The framework connectives @{text "\<And>"} and @{text "\<Longrightarrow>"} indicate the
- rule structure declaratively. For example: *}
-
-thm conjI
-thm impI
-thm nat.induct
-
-text {*
- The object-logic is embedded into the Pure framework via an implicit
- derivability judgment @{term "Trueprop :: bool \<Rightarrow> prop"}.
-
- Thus any HOL formulae appears atomic to the Pure framework, while
- the rule structure outlines the corresponding proof pattern.
-
- This can be made explicit as follows:
-*}
-
-notepad
-begin
- write Trueprop ("Tr")
-
- thm conjI
- thm impI
- thm nat.induct
-end
-
-text {*
- Isar provides first-class notation for rule statements as follows.
-*}
-
-print_statement conjI
-print_statement impI
-print_statement nat.induct
-
-
-subsubsection {* Examples *}
-
-text {*
- Introductions and eliminations of some standard connectives of
- the object-logic can be written as rule statements as follows. (The
- proof ``@{command "by"}~@{method blast}'' serves as sanity check.)
-*}
-
-lemma "(P \<Longrightarrow> False) \<Longrightarrow> \<not> P" by blast
-lemma "\<not> P \<Longrightarrow> P \<Longrightarrow> Q" by blast
-
-lemma "P \<Longrightarrow> Q \<Longrightarrow> P \<and> Q" by blast
-lemma "P \<and> Q \<Longrightarrow> (P \<Longrightarrow> Q \<Longrightarrow> R) \<Longrightarrow> R" by blast
-
-lemma "P \<Longrightarrow> P \<or> Q" by blast
-lemma "Q \<Longrightarrow> P \<or> Q" by blast
-lemma "P \<or> Q \<Longrightarrow> (P \<Longrightarrow> R) \<Longrightarrow> (Q \<Longrightarrow> R) \<Longrightarrow> R" by blast
-
-lemma "(\<And>x. P x) \<Longrightarrow> (\<forall>x. P x)" by blast
-lemma "(\<forall>x. P x) \<Longrightarrow> P x" by blast
-
-lemma "P x \<Longrightarrow> (\<exists>x. P x)" by blast
-lemma "(\<exists>x. P x) \<Longrightarrow> (\<And>x. P x \<Longrightarrow> R) \<Longrightarrow> R" by blast
-
-lemma "x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B" by blast
-lemma "x \<in> A \<inter> B \<Longrightarrow> (x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> R) \<Longrightarrow> R" by blast
-
-lemma "x \<in> A \<Longrightarrow> x \<in> A \<union> B" by blast
-lemma "x \<in> B \<Longrightarrow> x \<in> A \<union> B" by blast
-lemma "x \<in> A \<union> B \<Longrightarrow> (x \<in> A \<Longrightarrow> R) \<Longrightarrow> (x \<in> B \<Longrightarrow> R) \<Longrightarrow> R" by blast
-
-
-subsection {* Isar context elements *}
-
-text {* We derive some results out of the blue, using Isar context
- elements and some explicit blocks. This illustrates their meaning
- wrt.\ Pure connectives, without goal states getting in the way. *}
-
-notepad
-begin
- {
- fix x
- have "B x" sorry
- }
- have "\<And>x. B x" by fact
-
-next
-
- {
- assume A
- have B sorry
- }
- have "A \<Longrightarrow> B" by fact
-
-next
-
- {
- def x \<equiv> t
- have "B x" sorry
- }
- have "B t" by fact
-
-next
-
- {
- obtain x :: 'a where "B x" sorry
- have C sorry
- }
- have C by fact
-
-end
-
-
-subsection {* Pure rule composition *}
-
-text {*
- The Pure framework provides means for:
-
- \begin{itemize}
-
- \item backward-chaining of rules by @{inference resolution}
-
- \item closing of branches by @{inference assumption}
-
- \end{itemize}
-
- Both principles involve higher-order unification of @{text \<lambda>}-terms
- modulo @{text "\<alpha>\<beta>\<eta>"}-equivalence (cf.\ Huet and Miller). *}
-
-notepad
-begin
- assume a: A and b: B
- thm conjI
- thm conjI [of A B] -- "instantiation"
- thm conjI [of A B, OF a b] -- "instantiation and composition"
- thm conjI [OF a b] -- "composition via unification (trivial)"
- thm conjI [OF `A` `B`]
-
- thm conjI [OF disjI1]
-end
-
-text {* Note: Low-level rule composition is tedious and leads to
- unreadable~/ unmaintainable expressions in the text. *}
-
-
-subsection {* Structured backward reasoning *}
-
-text {* Idea: Canonical proof decomposition via @{command fix}~/
- @{command assume}~/ @{command show}, where the body produces a
- natural deduction rule to refine some goal. *}
-
-notepad
-begin
- fix A B :: "'a \<Rightarrow> bool"
-
- have "\<And>x. A x \<Longrightarrow> B x"
- proof -
- fix x
- assume "A x"
- show "B x" sorry
- qed
-
- have "\<And>x. A x \<Longrightarrow> B x"
- proof -
- {
- fix x
- assume "A x"
- show "B x" sorry
- } -- "implicit block structure made explicit"
- note `\<And>x. A x \<Longrightarrow> B x`
- -- "side exit for the resulting rule"
- qed
-end
-
-
-subsection {* Structured rule application *}
-
-text {*
- Idea: Previous facts and new claims are composed with a rule from
- the context (or background library).
-*}
-
-notepad
-begin
- assume r1: "A \<Longrightarrow> B \<Longrightarrow> C" -- {* simple rule (Horn clause) *}
-
- have A sorry -- "prefix of facts via outer sub-proof"
- then have C
- proof (rule r1)
- show B sorry -- "remaining rule premises via inner sub-proof"
- qed
-
- have C
- proof (rule r1)
- show A sorry
- show B sorry
- qed
-
- have A and B sorry
- then have C
- proof (rule r1)
- qed
-
- have A and B sorry
- then have C by (rule r1)
-
-next
-
- assume r2: "A \<Longrightarrow> (\<And>x. B1 x \<Longrightarrow> B2 x) \<Longrightarrow> C" -- {* nested rule *}
-
- have A sorry
- then have C
- proof (rule r2)
- fix x
- assume "B1 x"
- show "B2 x" sorry
- qed
-
- txt {* The compound rule premise @{prop "\<And>x. B1 x \<Longrightarrow> B2 x"} is better
- addressed via @{command fix}~/ @{command assume}~/ @{command show}
- in the nested proof body. *}
-end
-
-
-subsection {* Example: predicate logic *}
-
-text {*
- Using the above principles, standard introduction and elimination proofs
- of predicate logic connectives of HOL work as follows.
-*}
-
-notepad
-begin
- have "A \<longrightarrow> B" and A sorry
- then have B ..
-
- have A sorry
- then have "A \<or> B" ..
-
- have B sorry
- then have "A \<or> B" ..
-
- have "A \<or> B" sorry
- then have C
- proof
- assume A
- then show C sorry
- next
- assume B
- then show C sorry
- qed
-
- have A and B sorry
- then have "A \<and> B" ..
-
- have "A \<and> B" sorry
- then have A ..
-
- have "A \<and> B" sorry
- then have B ..
-
- have False sorry
- then have A ..
-
- have True ..
-
- have "\<not> A"
- proof
- assume A
- then show False sorry
- qed
-
- have "\<not> A" and A sorry
- then have B ..
-
- have "\<forall>x. P x"
- proof
- fix x
- show "P x" sorry
- qed
-
- have "\<forall>x. P x" sorry
- then have "P a" ..
-
- have "\<exists>x. P x"
- proof
- show "P a" sorry
- qed
-
- have "\<exists>x. P x" sorry
- then have C
- proof
- fix a
- assume "P a"
- show C sorry
- qed
-
- txt {* Less awkward version using @{command obtain}: *}
- have "\<exists>x. P x" sorry
- then obtain a where "P a" ..
-end
-
-text {* Further variations to illustrate Isar sub-proofs involving
- @{command show}: *}
-
-notepad
-begin
- have "A \<and> B"
- proof -- {* two strictly isolated subproofs *}
- show A sorry
- next
- show B sorry
- qed
-
- have "A \<and> B"
- proof -- {* one simultaneous sub-proof *}
- show A and B sorry
- qed
-
- have "A \<and> B"
- proof -- {* two subproofs in the same context *}
- show A sorry
- show B sorry
- qed
-
- have "A \<and> B"
- proof -- {* swapped order *}
- show B sorry
- show A sorry
- qed
-
- have "A \<and> B"
- proof -- {* sequential subproofs *}
- show A sorry
- show B using `A` sorry
- qed
-end
-
-
-subsubsection {* Example: set-theoretic operators *}
-
-text {* There is nothing special about logical connectives (@{text
- "\<and>"}, @{text "\<or>"}, @{text "\<forall>"}, @{text "\<exists>"} etc.). Operators from
- set-theory or lattice-theory work analogously. It is only a matter
- of rule declarations in the library; rules can be also specified
- explicitly.
-*}
-
-notepad
-begin
- have "x \<in> A" and "x \<in> B" sorry
- then have "x \<in> A \<inter> B" ..
-
- have "x \<in> A" sorry
- then have "x \<in> A \<union> B" ..
-
- have "x \<in> B" sorry
- then have "x \<in> A \<union> B" ..
-
- have "x \<in> A \<union> B" sorry
- then have C
- proof
- assume "x \<in> A"
- then show C sorry
- next
- assume "x \<in> B"
- then show C sorry
- qed
-
-next
- have "x \<in> \<Inter>A"
- proof
- fix a
- assume "a \<in> A"
- show "x \<in> a" sorry
- qed
-
- have "x \<in> \<Inter>A" sorry
- then have "x \<in> a"
- proof
- show "a \<in> A" sorry
- qed
-
- have "a \<in> A" and "x \<in> a" sorry
- then have "x \<in> \<Union>A" ..
-
- have "x \<in> \<Union>A" sorry
- then obtain a where "a \<in> A" and "x \<in> a" ..
-end
-
-
-section {* Generalized elimination and cases *}
-
-subsection {* General elimination rules *}
-
-text {*
- The general format of elimination rules is illustrated by the
- following typical representatives:
-*}
-
-thm exE -- {* local parameter *}
-thm conjE -- {* local premises *}
-thm disjE -- {* split into cases *}
-
-text {*
- Combining these characteristics leads to the following general scheme
- for elimination rules with cases:
-
- \begin{itemize}
-
- \item prefix of assumptions (or ``major premises'')
-
- \item one or more cases that enable to establish the main conclusion
- in an augmented context
-
- \end{itemize}
-*}
-
-notepad
-begin
- assume r:
- "A1 \<Longrightarrow> A2 \<Longrightarrow> (* assumptions *)
- (\<And>x y. B1 x y \<Longrightarrow> C1 x y \<Longrightarrow> R) \<Longrightarrow> (* case 1 *)
- (\<And>x y. B2 x y \<Longrightarrow> C2 x y \<Longrightarrow> R) \<Longrightarrow> (* case 2 *)
- R (* main conclusion *)"
-
- have A1 and A2 sorry
- then have R
- proof (rule r)
- fix x y
- assume "B1 x y" and "C1 x y"
- show ?thesis sorry
- next
- fix x y
- assume "B2 x y" and "C2 x y"
- show ?thesis sorry
- qed
-end
-
-text {* Here @{text "?thesis"} is used to refer to the unchanged goal
- statement. *}
-
-
-subsection {* Rules with cases *}
-
-text {*
- Applying an elimination rule to some goal, leaves that unchanged
- but allows to augment the context in the sub-proof of each case.
-
- Isar provides some infrastructure to support this:
-
- \begin{itemize}
-
- \item native language elements to state eliminations
-
- \item symbolic case names
-
- \item method @{method cases} to recover this structure in a
- sub-proof
-
- \end{itemize}
-*}
-
-print_statement exE
-print_statement conjE
-print_statement disjE
-
-lemma
- assumes A1 and A2 -- {* assumptions *}
- obtains
- (case1) x y where "B1 x y" and "C1 x y"
- | (case2) x y where "B2 x y" and "C2 x y"
- sorry
-
-
-subsubsection {* Example *}
-
-lemma tertium_non_datur:
- obtains
- (T) A
- | (F) "\<not> A"
- by blast
-
-notepad
-begin
- fix x y :: 'a
- have C
- proof (cases "x = y" rule: tertium_non_datur)
- case T
- from `x = y` show ?thesis sorry
- next
- case F
- from `x \<noteq> y` show ?thesis sorry
- qed
-end
-
-
-subsubsection {* Example *}
-
-text {*
- Isabelle/HOL specification mechanisms (datatype, inductive, etc.)
- provide suitable derived cases rules.
-*}
-
-datatype foo = Foo | Bar foo
-
-notepad
-begin
- fix x :: foo
- have C
- proof (cases x)
- case Foo
- from `x = Foo` show ?thesis sorry
- next
- case (Bar a)
- from `x = Bar a` show ?thesis sorry
- qed
-end
-
-
-subsection {* Obtaining local contexts *}
-
-text {* A single ``case'' branch may be inlined into Isar proof text
- via @{command obtain}. This proves @{prop "(\<And>x. B x \<Longrightarrow> thesis) \<Longrightarrow>
- thesis"} on the spot, and augments the context afterwards. *}
-
-notepad
-begin
- fix B :: "'a \<Rightarrow> bool"
-
- obtain x where "B x" sorry
- note `B x`
-
- txt {* Conclusions from this context may not mention @{term x} again! *}
- {
- obtain x where "B x" sorry
- from `B x` have C sorry
- }
- note `C`
-end
-
-end
--- a/doc-src/IsarRef/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_isar.pdf "Isar"
-"$ISABELLE_TOOL" logo -o isabelle_isar.eps "Isar"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/underscore.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-./showsymbols "$ISABELLE_HOME/lib/texinputs/isabellesym.sty" > syms.tex
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/IsarRef/document/isar-vm.eps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2694 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%Creator: inkscape 0.46
-%%Pages: 1
-%%Orientation: Portrait
-%%BoundingBox: 0 0 435 173
-%%HiResBoundingBox: 0 0 435 173
-%%EndComments
-%%BeginSetup
-%%EndSetup
-%%Page: 1 1
-0 173 translate
-0.8 -0.8 scale
-0 0 0 setrgbcolor
-[] 0 setdash
-1 setlinewidth
-0 setlinejoin
-0 setlinecap
-gsave [1 0 0 1 0 0] concat
-gsave [1 0 0 1 -44.641342 -76.87234] concat
-gsave [1 0 0 1 70.838012 79.725562] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99921262 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-229.77649 131.52507 moveto
-265.28729 131.52507 lineto
-275.08072 131.52507 282.96496 139.40931 282.96496 149.20274 curveto
-282.96496 166.99701 lineto
-282.96496 176.79043 275.08072 184.67467 265.28729 184.67467 curveto
-229.77649 184.67467 lineto
-219.98306 184.67467 212.09882 176.79043 212.09882 166.99701 curveto
-212.09882 149.20274 lineto
-212.09882 139.40931 219.98306 131.52507 229.77649 131.52507 curveto
-closepath
-stroke
-gsave
-0 0 0 setrgbcolor
-newpath
-231.92252 155.58815 moveto
-231.92252 157.8694 lineto
-231.5423 157.60899 231.15949 157.41628 230.77408 157.29128 curveto
-230.39386 157.16628 229.99803 157.10378 229.58658 157.10378 curveto
-228.80532 157.10378 228.19595 157.33295 227.75845 157.79128 curveto
-227.32616 158.24441 227.11001 158.87982 227.11002 159.69753 curveto
-227.11001 160.51524 227.32616 161.15326 227.75845 161.61159 curveto
-228.19595 162.06471 228.80532 162.29128 229.58658 162.29128 curveto
-230.02407 162.29128 230.43813 162.22617 230.82877 162.09596 curveto
-231.22459 161.96576 231.58917 161.77305 231.92252 161.51784 curveto
-231.92252 163.8069 lineto
-231.48501 163.96836 231.0397 164.08815 230.58658 164.16628 curveto
-230.13866 164.24961 229.68813 164.29127 229.23502 164.29128 curveto
-227.65689 164.29127 226.42251 163.88763 225.53189 163.08034 curveto
-224.64126 162.26784 224.19595 161.14024 224.19595 159.69753 curveto
-224.19595 158.25482 224.64126 157.12982 225.53189 156.32253 curveto
-226.42251 155.51003 227.65689 155.10378 229.23502 155.10378 curveto
-229.69334 155.10378 230.14386 155.14545 230.58658 155.22878 curveto
-231.03449 155.30691 231.4798 155.4267 231.92252 155.58815 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-243.14908 158.73659 moveto
-243.14908 164.06471 lineto
-240.33658 164.06471 lineto
-240.33658 163.19753 lineto
-240.33658 160.00221 lineto
-240.33657 159.23659 240.31834 158.71055 240.28189 158.42409 curveto
-240.25063 158.13764 240.19334 157.9267 240.11002 157.79128 curveto
-240.00063 157.60899 239.8522 157.46836 239.6647 157.3694 curveto
-239.4772 157.26524 239.26366 157.21316 239.02408 157.21315 curveto
-238.44074 157.21316 237.98241 157.43972 237.64908 157.89284 curveto
-237.31574 158.34076 237.14907 158.96316 237.14908 159.76003 curveto
-237.14908 164.06471 lineto
-234.3522 164.06471 lineto
-234.3522 151.90846 lineto
-237.14908 151.90846 lineto
-237.14908 156.59596 lineto
-237.57095 156.08555 238.01887 155.71055 238.49283 155.47096 curveto
-238.96678 155.22618 239.49022 155.10378 240.06314 155.10378 curveto
-241.07355 155.10378 241.83917 155.41368 242.36002 156.03346 curveto
-242.88605 156.65326 243.14907 157.5543 243.14908 158.73659 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-249.68033 160.12721 moveto
-249.09699 160.12722 248.65689 160.22617 248.36002 160.42409 curveto
-248.06835 160.62201 247.92251 160.91367 247.92252 161.29909 curveto
-247.92251 161.65326 248.0397 161.9319 248.27408 162.13503 curveto
-248.51366 162.33294 248.84439 162.4319 249.26627 162.4319 curveto
-249.7923 162.4319 250.23501 162.2444 250.59439 161.8694 curveto
-250.95376 161.48919 251.13345 161.01524 251.13345 160.44753 curveto
-251.13345 160.12721 lineto
-249.68033 160.12721 lineto
-253.95377 159.07253 moveto
-253.95377 164.06471 lineto
-251.13345 164.06471 lineto
-251.13345 162.76784 lineto
-250.75845 163.29909 250.33657 163.68711 249.86783 163.9319 curveto
-249.39907 164.17148 248.82876 164.29127 248.15689 164.29128 curveto
-247.25064 164.29127 246.51366 164.02825 245.94595 163.50221 curveto
-245.38345 162.97096 245.1022 162.28346 245.1022 161.43971 curveto
-245.1022 160.41367 245.45376 159.66107 246.15689 159.1819 curveto
-246.86522 158.70274 247.9746 158.46316 249.48502 158.46315 curveto
-251.13345 158.46315 lineto
-251.13345 158.2444 lineto
-251.13345 157.8017 250.95897 157.47878 250.61002 157.27565 curveto
-250.26105 157.06732 249.71678 156.96316 248.9772 156.96315 curveto
-248.37824 156.96316 247.82095 157.02305 247.30533 157.14284 curveto
-246.7897 157.26264 246.31053 157.44232 245.86783 157.6819 curveto
-245.86783 155.54909 lineto
-246.46678 155.40326 247.06835 155.29389 247.67252 155.22096 curveto
-248.27668 155.14285 248.88084 155.10378 249.48502 155.10378 curveto
-251.06313 155.10378 252.20115 155.41628 252.89908 156.04128 curveto
-253.60219 156.66107 253.95376 157.67149 253.95377 159.07253 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-256.57095 155.31471 moveto
-259.36783 155.31471 lineto
-259.36783 164.06471 lineto
-256.57095 164.06471 lineto
-256.57095 155.31471 lineto
-256.57095 151.90846 moveto
-259.36783 151.90846 lineto
-259.36783 154.18971 lineto
-256.57095 154.18971 lineto
-256.57095 151.90846 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-270.86783 158.73659 moveto
-270.86783 164.06471 lineto
-268.05533 164.06471 lineto
-268.05533 163.19753 lineto
-268.05533 159.98659 lineto
-268.05532 159.23138 268.03709 158.71055 268.00064 158.42409 curveto
-267.96938 158.13764 267.91209 157.9267 267.82877 157.79128 curveto
-267.71938 157.60899 267.57095 157.46836 267.38345 157.3694 curveto
-267.19595 157.26524 266.98241 157.21316 266.74283 157.21315 curveto
-266.15949 157.21316 265.70116 157.43972 265.36783 157.89284 curveto
-265.03449 158.34076 264.86782 158.96316 264.86783 159.76003 curveto
-264.86783 164.06471 lineto
-262.07095 164.06471 lineto
-262.07095 155.31471 lineto
-264.86783 155.31471 lineto
-264.86783 156.59596 lineto
-265.2897 156.08555 265.73762 155.71055 266.21158 155.47096 curveto
-266.68553 155.22618 267.20897 155.10378 267.78189 155.10378 curveto
-268.7923 155.10378 269.55792 155.41368 270.07877 156.03346 curveto
-270.6048 156.65326 270.86782 157.5543 270.86783 158.73659 curveto
-fill
-grestore
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99921262 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-424.72469 236.82544 moveto
-356.83209 236.82544 lineto
-356.83209 236.82544 lineto
-stroke
-gsave [-0.39968505 4.8945685e-17 -4.8945685e-17 -0.39968505 356.83209 236.82544] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99921268 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-282.35183 236.82544 moveto
-215.11403 236.82544 lineto
-215.11403 236.82544 lineto
-stroke
-gsave [-0.39968507 4.8945688e-17 -4.8945688e-17 -0.39968507 215.11403 236.82544] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99999994 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-424.69726 192.5341 moveto
-215.13005 192.5341 lineto
-stroke
-gsave [-0.39999998 4.8984251e-17 -4.8984251e-17 -0.39999998 215.13005 192.5341] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-211.98429 148.24276 moveto
-422.13162 148.24276 lineto
-stroke
-gsave [0.4 0 0 0.4 422.13162 148.24276] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-gsave [1 0 0 1 70.866146 78.725567] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99921262 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-88.044201 42.942394 moveto
-123.555 42.942394 lineto
-133.34843 42.942394 141.23267 50.826635 141.23267 60.620064 curveto
-141.23267 166.99701 lineto
-141.23267 176.79044 133.34843 184.67468 123.555 184.67468 curveto
-88.044201 184.67468 lineto
-78.250772 184.67468 70.366531 176.79044 70.366531 166.99701 curveto
-70.366531 60.620064 lineto
-70.366531 50.826635 78.250772 42.942394 88.044201 42.942394 curveto
-closepath
-stroke
-gsave
-0 0 0 setrgbcolor
-newpath
-83.823044 115.35931 moveto
-83.823044 119.95306 lineto
-81.026169 119.95306 lineto
-81.026169 107.87494 lineto
-83.823044 107.87494 lineto
-83.823044 109.15619 lineto
-84.208456 108.64578 84.635539 108.27078 85.104294 108.03119 curveto
-85.573038 107.78641 86.1121 107.66401 86.721481 107.664 curveto
-87.799598 107.66401 88.685014 108.0937 89.377731 108.95306 curveto
-90.070429 109.80724 90.416783 110.9088 90.416794 112.25775 curveto
-90.416783 113.60671 90.070429 114.71088 89.377731 115.57025 curveto
-88.685014 116.42442 87.799598 116.8515 86.721481 116.8515 curveto
-86.1121 116.8515 85.573038 116.73171 85.104294 116.49213 curveto
-84.635539 116.24734 84.208456 115.86973 83.823044 115.35931 curveto
-85.682419 109.69525 moveto
-85.083455 109.69526 84.622518 109.91661 84.299606 110.35931 curveto
-83.981894 110.79682 83.82304 111.42963 83.823044 112.25775 curveto
-83.82304 113.08588 83.981894 113.7213 84.299606 114.164 curveto
-84.622518 114.6015 85.083455 114.82025 85.682419 114.82025 curveto
-86.281371 114.82025 86.737099 114.6015 87.049606 114.164 curveto
-87.367307 113.7265 87.526161 113.09109 87.526169 112.25775 curveto
-87.526161 111.42442 87.367307 110.78901 87.049606 110.3515 curveto
-86.737099 109.91401 86.281371 109.69526 85.682419 109.69525 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-98.994919 110.25775 moveto
-98.75012 110.14317 98.505328 110.05984 98.260544 110.00775 curveto
-98.020954 109.95047 97.778766 109.92182 97.533981 109.92181 curveto
-96.815226 109.92182 96.260539 110.15359 95.869919 110.61713 curveto
-95.484498 111.07547 95.29179 111.73432 95.291794 112.59369 curveto
-95.291794 116.62494 lineto
-92.494919 116.62494 lineto
-92.494919 107.87494 lineto
-95.291794 107.87494 lineto
-95.291794 109.31244 lineto
-95.651164 108.73953 96.062622 108.32286 96.526169 108.06244 curveto
-96.994913 107.79682 97.554808 107.66401 98.205856 107.664 curveto
-98.299599 107.66401 98.401162 107.66922 98.510544 107.67963 curveto
-98.619911 107.68484 98.778765 107.70047 98.987106 107.7265 curveto
-98.994919 110.25775 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-104.56523 109.664 moveto
-103.94543 109.66401 103.47148 109.88797 103.14336 110.33588 curveto
-102.82044 110.77859 102.65898 111.41922 102.65898 112.25775 curveto
-102.65898 113.0963 102.82044 113.73953 103.14336 114.18744 curveto
-103.47148 114.63015 103.94543 114.8515 104.56523 114.8515 curveto
-105.1746 114.8515 105.64075 114.63015 105.96367 114.18744 curveto
-106.28658 113.73953 106.44804 113.0963 106.44804 112.25775 curveto
-106.44804 111.41922 106.28658 110.77859 105.96367 110.33588 curveto
-105.64075 109.88797 105.1746 109.66401 104.56523 109.664 curveto
-104.56523 107.664 moveto
-106.07043 107.66401 107.24491 108.07026 108.08867 108.88275 curveto
-108.93762 109.69526 109.3621 110.82026 109.36211 112.25775 curveto
-109.3621 113.69525 108.93762 114.82025 108.08867 115.63275 curveto
-107.24491 116.44525 106.07043 116.8515 104.56523 116.8515 curveto
-103.05481 116.8515 101.87252 116.44525 101.01836 115.63275 curveto
-100.1694 114.82025 99.744918 113.69525 99.744919 112.25775 curveto
-99.744918 110.82026 100.1694 109.69526 101.01836 108.88275 curveto
-101.87252 108.07026 103.05481 107.66401 104.56523 107.664 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-110.29961 107.87494 moveto
-113.09648 107.87494 lineto
-115.27617 113.92181 lineto
-117.44804 107.87494 lineto
-120.25273 107.87494 lineto
-116.80742 116.62494 lineto
-113.73711 116.62494 lineto
-110.29961 107.87494 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-130.57304 112.2265 moveto
-130.57304 113.02338 lineto
-124.03398 113.02338 lineto
-124.10169 113.67963 124.33866 114.17182 124.74492 114.49994 curveto
-125.15116 114.82807 125.71887 114.99213 126.44804 114.99213 curveto
-127.03658 114.99213 127.63814 114.90619 128.25273 114.73431 curveto
-128.87251 114.55723 129.50793 114.29161 130.15898 113.93744 curveto
-130.15898 116.09369 lineto
-129.49751 116.34369 128.83606 116.53119 128.17461 116.65619 curveto
-127.51314 116.7864 126.85168 116.8515 126.19023 116.8515 curveto
-124.60689 116.8515 123.37512 116.45046 122.49492 115.64838 curveto
-121.61992 114.84109 121.18242 113.71088 121.18242 112.25775 curveto
-121.18242 110.83067 121.61211 109.70828 122.47148 108.89056 curveto
-123.33606 108.07286 124.52356 107.66401 126.03398 107.664 curveto
-127.40897 107.66401 128.50793 108.07807 129.33086 108.90619 curveto
-130.15897 109.73432 130.57303 110.84109 130.57304 112.2265 curveto
-127.69804 111.29681 moveto
-127.69804 110.76557 127.54179 110.33849 127.22929 110.01556 curveto
-126.922 109.68745 126.51835 109.52338 126.01836 109.52338 curveto
-125.47668 109.52338 125.03658 109.67703 124.69804 109.98431 curveto
-124.3595 110.2864 124.14856 110.7239 124.06523 111.29681 curveto
-127.69804 111.29681 lineto
-fill
-grestore
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-176.66575 92.035445 moveto
-176.66575 118.61025 lineto
-stroke
-gsave [2.4492127e-17 0.4 -0.4 2.4492127e-17 176.66575 118.61025] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-gsave [0.2378166 0 0 -0.2269133 90.621413 253.06251] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-4.3013706 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-208.65508 282.05865 moveto
-193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
-43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
-45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
-177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
-stroke
-gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-grestore
-gsave [1 0 0 1 70.866151 78.725565] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-0.99921262 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-371.50879 42.942394 moveto
-407.01959 42.942394 lineto
-416.81302 42.942394 424.69726 50.826635 424.69726 60.620064 curveto
-424.69726 166.99701 lineto
-424.69726 176.79044 416.81302 184.67468 407.01959 184.67468 curveto
-371.50879 184.67468 lineto
-361.71536 184.67468 353.83112 176.79044 353.83112 166.99701 curveto
-353.83112 60.620064 lineto
-353.83112 50.826635 361.71536 42.942394 371.50879 42.942394 curveto
-closepath
-stroke
-gsave
-0 0 0 setrgbcolor
-newpath
-374.16263 110.83588 moveto
-374.16263 112.96088 lineto
-373.56366 112.71088 372.98554 112.52338 372.42825 112.39838 curveto
-371.87096 112.27338 371.34491 112.21088 370.85013 112.21088 curveto
-370.31887 112.21088 369.92304 112.27859 369.66263 112.414 curveto
-369.40742 112.54422 369.27981 112.74734 369.27982 113.02338 curveto
-369.27981 113.24734 369.37617 113.41922 369.56888 113.539 curveto
-369.76679 113.6588 370.11835 113.74734 370.62357 113.80463 curveto
-371.11575 113.87494 lineto
-372.54804 114.05724 373.51158 114.35671 374.00638 114.77338 curveto
-374.50116 115.19005 374.74856 115.84369 374.74857 116.73431 curveto
-374.74856 117.66661 374.40481 118.36713 373.71732 118.83588 curveto
-373.02981 119.30463 372.00377 119.539 370.63919 119.539 curveto
-370.06106 119.539 369.4621 119.49213 368.84232 119.39838 curveto
-368.22773 119.30983 367.59492 119.17442 366.94388 118.99213 curveto
-366.94388 116.86713 lineto
-367.50117 117.13796 368.07148 117.34109 368.65482 117.4765 curveto
-369.24335 117.61192 369.83971 117.67963 370.44388 117.67963 curveto
-370.99075 117.67963 371.40221 117.60411 371.67825 117.45306 curveto
-371.95429 117.30202 372.09231 117.07807 372.09232 116.78119 curveto
-372.09231 116.53119 371.99596 116.3463 371.80325 116.2265 curveto
-371.61575 116.1015 371.23814 116.00515 370.67044 115.93744 curveto
-370.17825 115.87494 lineto
-368.93346 115.71869 368.06106 115.42963 367.56107 115.00775 curveto
-367.06106 114.58588 366.81106 113.94526 366.81107 113.08588 curveto
-366.81106 112.1588 367.12877 111.4713 367.76419 111.02338 curveto
-368.3996 110.57547 369.37356 110.35151 370.68607 110.3515 curveto
-371.20169 110.35151 371.74335 110.39057 372.31107 110.46869 curveto
-372.87877 110.54682 373.49595 110.66922 374.16263 110.83588 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-379.91263 108.07806 moveto
-379.91263 110.56244 lineto
-382.79544 110.56244 lineto
-382.79544 112.56244 lineto
-379.91263 112.56244 lineto
-379.91263 116.27338 lineto
-379.91262 116.67963 379.99335 116.95567 380.15482 117.1015 curveto
-380.31627 117.24213 380.63658 117.31244 381.11575 117.31244 curveto
-382.55325 117.31244 lineto
-382.55325 119.31244 lineto
-380.15482 119.31244 lineto
-379.05065 119.31244 378.26679 119.08327 377.80325 118.62494 curveto
-377.34492 118.1614 377.11575 117.37755 377.11575 116.27338 curveto
-377.11575 112.56244 lineto
-375.72513 112.56244 lineto
-375.72513 110.56244 lineto
-377.11575 110.56244 lineto
-377.11575 108.07806 lineto
-379.91263 108.07806 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-388.43607 115.37494 moveto
-387.85273 115.37494 387.41262 115.4739 387.11575 115.67181 curveto
-386.82408 115.86973 386.67825 116.1614 386.67825 116.54681 curveto
-386.67825 116.90098 386.79544 117.17963 387.02982 117.38275 curveto
-387.26939 117.58067 387.60012 117.67963 388.022 117.67963 curveto
-388.54804 117.67963 388.99075 117.49213 389.35013 117.11713 curveto
-389.7095 116.73692 389.88918 116.26296 389.88919 115.69525 curveto
-389.88919 115.37494 lineto
-388.43607 115.37494 lineto
-392.7095 114.32025 moveto
-392.7095 119.31244 lineto
-389.88919 119.31244 lineto
-389.88919 118.01556 lineto
-389.51418 118.54681 389.09231 118.93484 388.62357 119.17963 curveto
-388.15481 119.41921 387.5845 119.539 386.91263 119.539 curveto
-386.00638 119.539 385.2694 119.27598 384.70169 118.74994 curveto
-384.13919 118.21869 383.85794 117.53119 383.85794 116.68744 curveto
-383.85794 115.6614 384.2095 114.9088 384.91263 114.42963 curveto
-385.62096 113.95047 386.73033 113.71088 388.24075 113.71088 curveto
-389.88919 113.71088 lineto
-389.88919 113.49213 lineto
-389.88918 113.04942 389.7147 112.72651 389.36575 112.52338 curveto
-389.01679 112.31505 388.47252 112.21088 387.73294 112.21088 curveto
-387.13398 112.21088 386.57669 112.27078 386.06107 112.39056 curveto
-385.54544 112.51036 385.06627 112.69005 384.62357 112.92963 curveto
-384.62357 110.79681 lineto
-385.22252 110.65099 385.82408 110.54161 386.42825 110.46869 curveto
-387.03242 110.39057 387.63658 110.35151 388.24075 110.3515 curveto
-389.81887 110.35151 390.95689 110.66401 391.65482 111.289 curveto
-392.35793 111.9088 392.70949 112.91922 392.7095 114.32025 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-398.38138 108.07806 moveto
-398.38138 110.56244 lineto
-401.26419 110.56244 lineto
-401.26419 112.56244 lineto
-398.38138 112.56244 lineto
-398.38138 116.27338 lineto
-398.38137 116.67963 398.4621 116.95567 398.62357 117.1015 curveto
-398.78502 117.24213 399.10533 117.31244 399.5845 117.31244 curveto
-401.022 117.31244 lineto
-401.022 119.31244 lineto
-398.62357 119.31244 lineto
-397.5194 119.31244 396.73554 119.08327 396.272 118.62494 curveto
-395.81367 118.1614 395.5845 117.37755 395.5845 116.27338 curveto
-395.5845 112.56244 lineto
-394.19388 112.56244 lineto
-394.19388 110.56244 lineto
-395.5845 110.56244 lineto
-395.5845 108.07806 lineto
-398.38138 108.07806 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-411.71732 114.914 moveto
-411.71732 115.71088 lineto
-405.17825 115.71088 lineto
-405.24596 116.36713 405.48294 116.85932 405.88919 117.18744 curveto
-406.29544 117.51557 406.86314 117.67963 407.59232 117.67963 curveto
-408.18085 117.67963 408.78241 117.59369 409.397 117.42181 curveto
-410.01679 117.24473 410.6522 116.97911 411.30325 116.62494 curveto
-411.30325 118.78119 lineto
-410.64179 119.03119 409.98033 119.21869 409.31888 119.34369 curveto
-408.65741 119.4739 407.99596 119.539 407.3345 119.539 curveto
-405.75117 119.539 404.5194 119.13796 403.63919 118.33588 curveto
-402.76419 117.52859 402.32669 116.39838 402.32669 114.94525 curveto
-402.32669 113.51817 402.75638 112.39578 403.61575 111.57806 curveto
-404.48033 110.76036 405.66783 110.35151 407.17825 110.3515 curveto
-408.55325 110.35151 409.6522 110.76557 410.47513 111.59369 curveto
-411.30324 112.42182 411.71731 113.52859 411.71732 114.914 curveto
-408.84232 113.98431 moveto
-408.84231 113.45307 408.68606 113.02599 408.37357 112.70306 curveto
-408.06627 112.37495 407.66262 112.21088 407.16263 112.21088 curveto
-406.62096 112.21088 406.18085 112.36453 405.84232 112.67181 curveto
-405.50377 112.9739 405.29283 113.4114 405.2095 113.98431 curveto
-408.84232 113.98431 lineto
-fill
-grestore
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-460.13031 263.40024 moveto
-460.13031 289.97505 lineto
-stroke
-gsave [2.4492127e-17 0.4 -0.4 2.4492127e-17 460.13031 289.97505] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-gsave [-0.2378166 0 0 0.2269133 546.17466 132.00569] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-4.3013706 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-208.65508 282.05865 moveto
-193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
-43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
-45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
-177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
-stroke
-gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-grestore
-gsave [-0.2378166 0 0 0.2269133 546.17465 87.714359] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-4.3013706 setlinewidth
-2 setlinejoin
-1 setlinecap
-newpath
-208.65508 282.05865 moveto
-193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
-43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
-45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
-177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
-stroke
-gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-grestore
-gsave [-0.2378166 0 0 0.2269133 546.17465 176.29703] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-4.3013706 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-208.65508 282.05865 moveto
-193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
-43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
-45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
-177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
-stroke
-gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-grestore
-gsave [0 0.2378166 0.2269133 0 399.60191 71.056696] concat
-0 0 0 setrgbcolor
-[] 0 setdash
-4.3013706 setlinewidth
-1 setlinejoin
-1 setlinecap
-newpath
-208.65508 282.05865 moveto
-193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
-43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
-45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
-177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
-stroke
-gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
-gsave
-0 0 0 setrgbcolor
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-eofill
-grestore
-0 0 0 setrgbcolor
-[] 0 setdash
-1.25 setlinewidth
-0 setlinejoin
-0 setlinecap
-newpath
-5.77 0 moveto
--2.88 5 lineto
--2.88 -5 lineto
-5.77 0 lineto
-closepath
-stroke
-grestore
-grestore
-gsave [1 0 0 1 17.216929 6.5104864] concat
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-187.35507 103.05839 moveto
-187.35507 104.61112 lineto
-189.20566 104.61112 lineto
-189.20566 105.30936 lineto
-187.35507 105.30936 lineto
-187.35507 108.27811 lineto
-187.35507 108.72408 187.41529 109.01054 187.53574 109.13749 curveto
-187.65943 109.26444 187.90846 109.32792 188.28281 109.32792 curveto
-189.20566 109.32792 lineto
-189.20566 110.07987 lineto
-188.28281 110.07987 lineto
-187.58944 110.07987 187.11093 109.95129 186.84726 109.69413 curveto
-186.58359 109.43371 186.45175 108.96171 186.45175 108.27811 curveto
-186.45175 105.30936 lineto
-185.79257 105.30936 lineto
-185.79257 104.61112 lineto
-186.45175 104.61112 lineto
-186.45175 103.05839 lineto
-187.35507 103.05839 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-194.93808 106.77909 moveto
-194.93808 110.07987 lineto
-194.03964 110.07987 lineto
-194.03964 106.80839 lineto
-194.03964 106.29081 193.93873 105.90344 193.73691 105.64628 curveto
-193.53508 105.38912 193.23235 105.26054 192.8287 105.26054 curveto
-192.34368 105.26054 191.96119 105.41516 191.68124 105.7244 curveto
-191.40129 106.03365 191.26132 106.4552 191.26132 106.98905 curveto
-191.26132 110.07987 lineto
-190.358 110.07987 lineto
-190.358 102.48222 lineto
-191.26132 102.48222 lineto
-191.26132 105.46073 lineto
-191.47616 105.13196 191.72844 104.88619 192.01816 104.72343 curveto
-192.31112 104.56067 192.64804 104.47929 193.0289 104.47929 curveto
-193.65715 104.47929 194.13241 104.6746 194.45468 105.06522 curveto
-194.77694 105.4526 194.93807 106.02389 194.93808 106.77909 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-201.41757 107.12089 moveto
-201.41757 107.56034 lineto
-197.28671 107.56034 lineto
-197.32577 108.17883 197.51132 108.65084 197.84335 108.97636 curveto
-198.17864 109.29862 198.64413 109.45976 199.23984 109.45975 curveto
-199.58489 109.45976 199.91854 109.41744 200.24081 109.3328 curveto
-200.56633 109.24817 200.8886 109.12121 201.20761 108.95194 curveto
-201.20761 109.80155 lineto
-200.88534 109.93827 200.55494 110.04244 200.2164 110.11405 curveto
-199.87785 110.18567 199.53443 110.22147 199.18613 110.22147 curveto
-198.31373 110.22147 197.622 109.96757 197.11093 109.45975 curveto
-196.60312 108.95194 196.34921 108.2651 196.34921 107.39921 curveto
-196.34921 106.50403 196.5901 105.79439 197.07187 105.2703 curveto
-197.55689 104.74296 198.20956 104.47929 199.02988 104.47929 curveto
-199.76555 104.47929 200.3466 104.71692 200.77304 105.19218 curveto
-201.20272 105.66419 201.41757 106.30709 201.41757 107.12089 curveto
-200.51913 106.85722 moveto
-200.51262 106.36568 200.37427 105.97343 200.1041 105.68046 curveto
-199.83716 105.38749 199.48235 105.24101 199.03964 105.241 curveto
-198.53834 105.24101 198.13632 105.38261 197.83359 105.66581 curveto
-197.53411 105.94902 197.36158 106.34778 197.31601 106.8621 curveto
-200.51913 106.85722 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-205.01132 105.241 moveto
-204.52955 105.24101 204.14869 105.42981 203.86874 105.80741 curveto
-203.58879 106.18176 203.44882 106.69609 203.44882 107.35038 curveto
-203.44882 108.00468 203.58717 108.52063 203.86386 108.89823 curveto
-204.14381 109.27258 204.52629 109.45976 205.01132 109.45975 curveto
-205.48983 109.45976 205.86907 109.27095 206.14902 108.89335 curveto
-206.42896 108.51575 206.56893 108.00142 206.56894 107.35038 curveto
-206.56893 106.7026 206.42896 106.1899 206.14902 105.81229 curveto
-205.86907 105.43144 205.48983 105.24101 205.01132 105.241 curveto
-205.01132 104.47929 moveto
-205.79257 104.47929 206.40617 104.7332 206.85214 105.241 curveto
-207.2981 105.74882 207.52108 106.45195 207.52109 107.35038 curveto
-207.52108 108.24556 207.2981 108.94869 206.85214 109.45975 curveto
-206.40617 109.96757 205.79257 110.22147 205.01132 110.22147 curveto
-204.22681 110.22147 203.61158 109.96757 203.16562 109.45975 curveto
-202.72291 108.94869 202.50156 108.24556 202.50156 107.35038 curveto
-202.50156 106.45195 202.72291 105.74882 203.16562 105.241 curveto
-203.61158 104.7332 204.22681 104.47929 205.01132 104.47929 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-212.17441 105.45097 moveto
-212.07349 105.39238 211.96282 105.35006 211.84238 105.32401 curveto
-211.72519 105.29472 211.59498 105.28007 211.45175 105.28007 curveto
-210.94394 105.28007 210.55331 105.44609 210.27988 105.77811 curveto
-210.00969 106.10689 209.8746 106.58053 209.8746 107.19901 curveto
-209.8746 110.07987 lineto
-208.97128 110.07987 lineto
-208.97128 104.61112 lineto
-209.8746 104.61112 lineto
-209.8746 105.46073 lineto
-210.0634 105.12871 210.30917 104.88294 210.61191 104.72343 curveto
-210.91464 104.56067 211.28248 104.47929 211.71542 104.47929 curveto
-211.77727 104.47929 211.84563 104.48417 211.9205 104.49393 curveto
-211.99537 104.50045 212.07838 104.51184 212.16953 104.52811 curveto
-212.17441 105.45097 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-217.58945 107.12089 moveto
-217.58945 107.56034 lineto
-213.45859 107.56034 lineto
-213.49765 108.17883 213.6832 108.65084 214.01523 108.97636 curveto
-214.35051 109.29862 214.81601 109.45976 215.41171 109.45975 curveto
-215.75676 109.45976 216.09042 109.41744 216.41269 109.3328 curveto
-216.73821 109.24817 217.06047 109.12121 217.37949 108.95194 curveto
-217.37949 109.80155 lineto
-217.05722 109.93827 216.72681 110.04244 216.38828 110.11405 curveto
-216.04973 110.18567 215.70631 110.22147 215.358 110.22147 curveto
-214.4856 110.22147 213.79387 109.96757 213.28281 109.45975 curveto
-212.77499 108.95194 212.52109 108.2651 212.52109 107.39921 curveto
-212.52109 106.50403 212.76197 105.79439 213.24374 105.2703 curveto
-213.72877 104.74296 214.38144 104.47929 215.20175 104.47929 curveto
-215.93742 104.47929 216.51848 104.71692 216.94492 105.19218 curveto
-217.3746 105.66419 217.58944 106.30709 217.58945 107.12089 curveto
-216.69101 106.85722 moveto
-216.68449 106.36568 216.54615 105.97343 216.27597 105.68046 curveto
-216.00904 105.38749 215.65422 105.24101 215.21152 105.241 curveto
-214.71021 105.24101 214.30819 105.38261 214.00546 105.66581 curveto
-213.70598 105.94902 213.53346 106.34778 213.48788 106.8621 curveto
-216.69101 106.85722 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-223.32187 105.66093 moveto
-223.54647 105.25729 223.81503 104.95943 224.12753 104.76737 curveto
-224.44003 104.57532 224.80786 104.47929 225.23105 104.47929 curveto
-225.8007 104.47929 226.24016 104.67949 226.54941 105.07987 curveto
-226.85864 105.47701 227.01327 106.04342 227.01328 106.77909 curveto
-227.01328 110.07987 lineto
-226.10995 110.07987 lineto
-226.10995 106.80839 lineto
-226.10995 106.2843 226.01717 105.89531 225.83163 105.6414 curveto
-225.64608 105.38749 225.36288 105.26054 224.98203 105.26054 curveto
-224.51652 105.26054 224.14869 105.41516 223.87851 105.7244 curveto
-223.60832 106.03365 223.47323 106.4552 223.47324 106.98905 curveto
-223.47324 110.07987 lineto
-222.56992 110.07987 lineto
-222.56992 106.80839 lineto
-222.56991 106.28105 222.47714 105.89205 222.2916 105.6414 curveto
-222.10604 105.38749 221.81959 105.26054 221.43222 105.26054 curveto
-220.97323 105.26054 220.60865 105.41679 220.33847 105.72929 curveto
-220.06829 106.03854 219.9332 106.45846 219.9332 106.98905 curveto
-219.9332 110.07987 lineto
-219.02988 110.07987 lineto
-219.02988 104.61112 lineto
-219.9332 104.61112 lineto
-219.9332 105.46073 lineto
-220.13827 105.12545 220.38404 104.87805 220.6705 104.71854 curveto
-220.95696 104.55904 221.29713 104.47929 221.69101 104.47929 curveto
-222.08814 104.47929 222.42505 104.5802 222.70175 104.78202 curveto
-222.98169 104.98385 223.1884 105.27682 223.32187 105.66093 curveto
-fill
-grestore
-gsave [1 0 0 1 17.216929 6.5104864] concat
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-470.46808 277.74594 moveto
-470.46808 278.40675 470.60317 278.92596 470.87335 279.30356 curveto
-471.14679 279.67791 471.52114 279.86508 471.9964 279.86508 curveto
-472.47166 279.86508 472.846 279.67791 473.11945 279.30356 curveto
-473.39288 278.92596 473.5296 278.40675 473.5296 277.74594 curveto
-473.5296 277.08514 473.39288 276.56756 473.11945 276.19321 curveto
-472.846 275.81561 472.47166 275.62681 471.9964 275.6268 curveto
-471.52114 275.62681 471.14679 275.81561 470.87335 276.19321 curveto
-470.60317 276.56756 470.46808 277.08514 470.46808 277.74594 curveto
-473.5296 279.65512 moveto
-473.3408 279.98064 473.10154 280.22315 472.81183 280.38266 curveto
-472.52537 280.53891 472.18032 280.61703 471.77667 280.61703 curveto
-471.11586 280.61703 470.57713 280.35336 470.16046 279.82602 curveto
-469.74705 279.29868 469.54034 278.60532 469.54034 277.74594 curveto
-469.54034 276.88657 469.74705 276.19321 470.16046 275.66586 curveto
-470.57713 275.13852 471.11586 274.87485 471.77667 274.87485 curveto
-472.18032 274.87485 472.52537 274.95461 472.81183 275.11411 curveto
-473.10154 275.27036 473.3408 275.51125 473.5296 275.83676 curveto
-473.5296 275.00668 lineto
-474.42804 275.00668 lineto
-474.42804 282.55551 lineto
-473.5296 282.55551 lineto
-473.5296 279.65512 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-480.95636 277.51645 moveto
-480.95636 277.9559 lineto
-476.8255 277.9559 lineto
-476.86456 278.57439 477.05011 279.0464 477.38214 279.37192 curveto
-477.71743 279.69418 478.18292 279.85532 478.77863 279.85532 curveto
-479.12367 279.85532 479.45733 279.813 479.7796 279.72836 curveto
-480.10512 279.64373 480.42738 279.51678 480.7464 279.3475 curveto
-480.7464 280.19711 lineto
-480.42413 280.33383 480.09372 280.438 479.75519 280.50961 curveto
-479.41664 280.58123 479.07322 280.61703 478.72491 280.61703 curveto
-477.85252 280.61703 477.16079 280.36313 476.64972 279.85532 curveto
-476.14191 279.3475 475.888 278.66066 475.888 277.79477 curveto
-475.888 276.89959 476.12889 276.18996 476.61066 275.66586 curveto
-477.09568 275.13852 477.74835 274.87485 478.56866 274.87485 curveto
-479.30434 274.87485 479.88539 275.11248 480.31183 275.58774 curveto
-480.74151 276.05975 480.95635 276.70265 480.95636 277.51645 curveto
-480.05792 277.25278 moveto
-480.05141 276.76124 479.91306 276.36899 479.64288 276.07602 curveto
-479.37595 275.78306 479.02113 275.63657 478.57843 275.63657 curveto
-478.07713 275.63657 477.67511 275.77817 477.37238 276.06137 curveto
-477.07289 276.34458 476.90037 276.74334 476.8548 277.25766 curveto
-480.05792 277.25278 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-486.0296 275.83676 moveto
-486.0296 272.87778 lineto
-486.92804 272.87778 lineto
-486.92804 280.47543 lineto
-486.0296 280.47543 lineto
-486.0296 279.65512 lineto
-485.8408 279.98064 485.60154 280.22315 485.31183 280.38266 curveto
-485.02537 280.53891 484.68032 280.61703 484.27667 280.61703 curveto
-483.61586 280.61703 483.07713 280.35336 482.66046 279.82602 curveto
-482.24705 279.29868 482.04034 278.60532 482.04034 277.74594 curveto
-482.04034 276.88657 482.24705 276.19321 482.66046 275.66586 curveto
-483.07713 275.13852 483.61586 274.87485 484.27667 274.87485 curveto
-484.68032 274.87485 485.02537 274.95461 485.31183 275.11411 curveto
-485.60154 275.27036 485.8408 275.51125 486.0296 275.83676 curveto
-482.96808 277.74594 moveto
-482.96808 278.40675 483.10317 278.92596 483.37335 279.30356 curveto
-483.64679 279.67791 484.02114 279.86508 484.4964 279.86508 curveto
-484.97166 279.86508 485.346 279.67791 485.61945 279.30356 curveto
-485.89288 278.92596 486.0296 278.40675 486.0296 277.74594 curveto
-486.0296 277.08514 485.89288 276.56756 485.61945 276.19321 curveto
-485.346 275.81561 484.97166 275.62681 484.4964 275.6268 curveto
-484.02114 275.62681 483.64679 275.81561 483.37335 276.19321 curveto
-483.10317 276.56756 482.96808 277.08514 482.96808 277.74594 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-550.54895 236.85474 moveto
-550.54895 237.51555 550.68404 238.03475 550.95422 238.41235 curveto
-551.22766 238.7867 551.60201 238.97388 552.07727 238.97388 curveto
-552.55253 238.97388 552.92688 238.7867 553.20032 238.41235 curveto
-553.47375 238.03475 553.61047 237.51555 553.61047 236.85474 curveto
-553.61047 236.19393 553.47375 235.67635 553.20032 235.302 curveto
-552.92688 234.9244 552.55253 234.7356 552.07727 234.7356 curveto
-551.60201 234.7356 551.22766 234.9244 550.95422 235.302 curveto
-550.68404 235.67635 550.54895 236.19393 550.54895 236.85474 curveto
-553.61047 238.76392 moveto
-553.42167 239.08944 553.18241 239.33195 552.8927 239.49146 curveto
-552.60624 239.64771 552.26119 239.72583 551.85754 239.72583 curveto
-551.19673 239.72583 550.658 239.46216 550.24133 238.93481 curveto
-549.82792 238.40747 549.62122 237.71411 549.62122 236.85474 curveto
-549.62122 235.99536 549.82792 235.30201 550.24133 234.77466 curveto
-550.658 234.24732 551.19673 233.98365 551.85754 233.98364 curveto
-552.26119 233.98365 552.60624 234.0634 552.8927 234.2229 curveto
-553.18241 234.37916 553.42167 234.62004 553.61047 234.94556 curveto
-553.61047 234.11548 lineto
-554.50891 234.11548 lineto
-554.50891 241.66431 lineto
-553.61047 241.66431 lineto
-553.61047 238.76392 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-561.03723 236.62524 moveto
-561.03723 237.0647 lineto
-556.90637 237.0647 lineto
-556.94543 237.68319 557.13098 238.15519 557.46301 238.48071 curveto
-557.7983 238.80298 558.26379 238.96411 558.8595 238.96411 curveto
-559.20455 238.96411 559.5382 238.92179 559.86047 238.83716 curveto
-560.18599 238.75252 560.50825 238.62557 560.82727 238.4563 curveto
-560.82727 239.30591 lineto
-560.505 239.44263 560.1746 239.54679 559.83606 239.61841 curveto
-559.49751 239.69002 559.15409 239.72583 558.80579 239.72583 curveto
-557.93339 239.72583 557.24166 239.47192 556.73059 238.96411 curveto
-556.22278 238.4563 555.96887 237.76945 555.96887 236.90356 curveto
-555.96887 236.00839 556.20976 235.29875 556.69153 234.77466 curveto
-557.17655 234.24732 557.82922 233.98365 558.64954 233.98364 curveto
-559.38521 233.98365 559.96626 234.22128 560.3927 234.69653 curveto
-560.82238 235.16854 561.03723 235.81145 561.03723 236.62524 curveto
-560.13879 236.36157 moveto
-560.13228 235.87004 559.99393 235.47779 559.72375 235.18481 curveto
-559.45682 234.89185 559.10201 234.74537 558.6593 234.74536 curveto
-558.158 234.74537 557.75598 234.88697 557.45325 235.17017 curveto
-557.15377 235.45337 556.98124 235.85214 556.93567 236.36646 curveto
-560.13879 236.36157 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-566.11047 234.94556 moveto
-566.11047 231.98657 lineto
-567.00891 231.98657 lineto
-567.00891 239.58423 lineto
-566.11047 239.58423 lineto
-566.11047 238.76392 lineto
-565.92167 239.08944 565.68241 239.33195 565.3927 239.49146 curveto
-565.10624 239.64771 564.76119 239.72583 564.35754 239.72583 curveto
-563.69673 239.72583 563.158 239.46216 562.74133 238.93481 curveto
-562.32792 238.40747 562.12122 237.71411 562.12122 236.85474 curveto
-562.12122 235.99536 562.32792 235.30201 562.74133 234.77466 curveto
-563.158 234.24732 563.69673 233.98365 564.35754 233.98364 curveto
-564.76119 233.98365 565.10624 234.0634 565.3927 234.2229 curveto
-565.68241 234.37916 565.92167 234.62004 566.11047 234.94556 curveto
-563.04895 236.85474 moveto
-563.04895 237.51555 563.18404 238.03475 563.45422 238.41235 curveto
-563.72766 238.7867 564.10201 238.97388 564.57727 238.97388 curveto
-565.05253 238.97388 565.42688 238.7867 565.70032 238.41235 curveto
-565.97375 238.03475 566.11047 237.51555 566.11047 236.85474 curveto
-566.11047 236.19393 565.97375 235.67635 565.70032 235.302 curveto
-565.42688 234.9244 565.05253 234.7356 564.57727 234.7356 curveto
-564.10201 234.7356 563.72766 234.9244 563.45422 235.302 curveto
-563.18404 235.67635 563.04895 236.19393 563.04895 236.85474 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-553.10266 183.66447 moveto
-553.10266 184.41154 lineto
-552.24329 184.41154 lineto
-551.92102 184.41155 551.69641 184.47666 551.56946 184.60686 curveto
-551.44576 184.73707 551.38391 184.97145 551.38391 185.30998 curveto
-551.38391 185.79338 lineto
-552.8634 185.79338 lineto
-552.8634 186.49162 lineto
-551.38391 186.49162 lineto
-551.38391 191.26213 lineto
-550.48059 191.26213 lineto
-550.48059 186.49162 lineto
-549.62122 186.49162 lineto
-549.62122 185.79338 lineto
-550.48059 185.79338 lineto
-550.48059 185.41252 lineto
-550.48059 184.8038 550.62219 184.3611 550.9054 184.0844 curveto
-551.1886 183.80446 551.63782 183.66448 552.25305 183.66447 curveto
-553.10266 183.66447 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-553.84973 185.79338 moveto
-554.74817 185.79338 lineto
-554.74817 191.26213 lineto
-553.84973 191.26213 lineto
-553.84973 185.79338 lineto
-553.84973 183.66447 moveto
-554.74817 183.66447 lineto
-554.74817 184.80217 lineto
-553.84973 184.80217 lineto
-553.84973 183.66447 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-561.16907 185.79338 moveto
-559.19153 188.45451 lineto
-561.27161 191.26213 lineto
-560.21204 191.26213 lineto
-558.62024 189.11369 lineto
-557.02844 191.26213 lineto
-555.96887 191.26213 lineto
-558.0929 188.4008 lineto
-556.14954 185.79338 lineto
-557.20911 185.79338 lineto
-558.6593 187.74162 lineto
-560.1095 185.79338 lineto
-561.16907 185.79338 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-552.81946 198.51311 moveto
-552.09354 198.51311 551.59061 198.59612 551.31067 198.76213 curveto
-551.03072 198.92815 550.89075 199.21135 550.89075 199.61174 curveto
-550.89075 199.93075 550.99491 200.18466 551.20325 200.37346 curveto
-551.41483 200.55901 551.70129 200.65178 552.06262 200.65178 curveto
-552.56067 200.65178 552.95943 200.476 553.25891 200.12444 curveto
-553.56164 199.76962 553.71301 199.29924 553.71301 198.7133 curveto
-553.71301 198.51311 lineto
-552.81946 198.51311 lineto
-554.61145 198.14201 moveto
-554.61145 201.26213 lineto
-553.71301 201.26213 lineto
-553.71301 200.43205 lineto
-553.50793 200.76408 553.2524 201.00985 552.94641 201.16936 curveto
-552.64042 201.32561 552.26607 201.40373 551.82336 201.40373 curveto
-551.26347 201.40373 550.8175 201.24748 550.48547 200.93498 curveto
-550.1567 200.61923 549.99231 200.19768 549.99231 199.67033 curveto
-549.99231 199.0551 550.19739 198.59123 550.60754 198.27873 curveto
-551.02095 197.96624 551.63619 197.80999 552.45325 197.80998 curveto
-553.71301 197.80998 lineto
-553.71301 197.72209 lineto
-553.71301 197.30868 553.57629 196.98967 553.30286 196.76506 curveto
-553.03267 196.5372 552.65181 196.42327 552.16028 196.42326 curveto
-551.84778 196.42327 551.54341 196.4607 551.24719 196.53557 curveto
-550.95097 196.61044 550.66614 196.72275 550.3927 196.87248 curveto
-550.3927 196.0424 lineto
-550.72147 195.91546 551.04049 195.82106 551.34973 195.7592 curveto
-551.65897 195.6941 551.96008 195.66155 552.25305 195.66154 curveto
-553.04406 195.66155 553.63488 195.86663 554.02551 196.27678 curveto
-554.41613 196.68694 554.61144 197.30868 554.61145 198.14201 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-559.95325 195.95451 moveto
-559.95325 196.80412 lineto
-559.69934 196.67392 559.43567 196.57626 559.16223 196.51115 curveto
-558.88879 196.44605 558.60559 196.4135 558.31262 196.4135 curveto
-557.86666 196.4135 557.53137 196.48186 557.30676 196.61858 curveto
-557.08541 196.7553 556.97473 196.96038 556.97473 197.23381 curveto
-556.97473 197.44215 557.05448 197.60654 557.21399 197.72697 curveto
-557.37349 197.84417 557.69413 197.95647 558.1759 198.06389 curveto
-558.48352 198.13225 lineto
-559.12154 198.26897 559.57401 198.46265 559.84094 198.7133 curveto
-560.11112 198.9607 560.24621 199.30738 560.24622 199.75334 curveto
-560.24621 200.26116 560.04439 200.66317 559.64075 200.9594 curveto
-559.24035 201.25562 558.6886 201.40373 557.98547 201.40373 curveto
-557.6925 201.40373 557.38651 201.37444 557.0675 201.31584 curveto
-556.75175 201.2605 556.41809 201.17587 556.06653 201.06194 curveto
-556.06653 200.1342 lineto
-556.39856 200.30673 556.72571 200.43694 557.04797 200.52483 curveto
-557.37024 200.60946 557.68925 200.65178 558.005 200.65178 curveto
-558.42818 200.65178 558.7537 200.58017 558.98157 200.43694 curveto
-559.20943 200.29045 559.32336 200.08537 559.32336 199.8217 curveto
-559.32336 199.57756 559.24035 199.39039 559.07434 199.26018 curveto
-558.91158 199.12997 558.55188 199.00465 557.99524 198.8842 curveto
-557.68274 198.81096 lineto
-557.1261 198.69377 556.72408 198.51474 556.47668 198.27385 curveto
-556.22929 198.02971 556.10559 197.69605 556.10559 197.27287 curveto
-556.10559 196.75855 556.28788 196.36142 556.65247 196.08147 curveto
-557.01705 195.80152 557.53463 195.66155 558.2052 195.66154 curveto
-558.53723 195.66155 558.84973 195.68596 559.1427 195.73479 curveto
-559.43567 195.78362 559.70585 195.85686 559.95325 195.95451 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-565.16809 195.95451 moveto
-565.16809 196.80412 lineto
-564.91418 196.67392 564.65051 196.57626 564.37708 196.51115 curveto
-564.10363 196.44605 563.82043 196.4135 563.52747 196.4135 curveto
-563.0815 196.4135 562.74621 196.48186 562.52161 196.61858 curveto
-562.30025 196.7553 562.18957 196.96038 562.18958 197.23381 curveto
-562.18957 197.44215 562.26933 197.60654 562.42883 197.72697 curveto
-562.58834 197.84417 562.90897 197.95647 563.39075 198.06389 curveto
-563.69836 198.13225 lineto
-564.33638 198.26897 564.78886 198.46265 565.05579 198.7133 curveto
-565.32596 198.9607 565.46105 199.30738 565.46106 199.75334 curveto
-565.46105 200.26116 565.25923 200.66317 564.85559 200.9594 curveto
-564.4552 201.25562 563.90344 201.40373 563.20032 201.40373 curveto
-562.90735 201.40373 562.60136 201.37444 562.28235 201.31584 curveto
-561.96659 201.2605 561.63293 201.17587 561.28137 201.06194 curveto
-561.28137 200.1342 lineto
-561.6134 200.30673 561.94055 200.43694 562.26282 200.52483 curveto
-562.58508 200.60946 562.90409 200.65178 563.21985 200.65178 curveto
-563.64302 200.65178 563.96854 200.58017 564.19641 200.43694 curveto
-564.42427 200.29045 564.5382 200.08537 564.53821 199.8217 curveto
-564.5382 199.57756 564.4552 199.39039 564.28918 199.26018 curveto
-564.12642 199.12997 563.76672 199.00465 563.21008 198.8842 curveto
-562.89758 198.81096 lineto
-562.34094 198.69377 561.93892 198.51474 561.69153 198.27385 curveto
-561.44413 198.02971 561.32043 197.69605 561.32043 197.27287 curveto
-561.32043 196.75855 561.50273 196.36142 561.86731 196.08147 curveto
-562.23189 195.80152 562.74947 195.66155 563.42004 195.66154 curveto
-563.75207 195.66155 564.06457 195.68596 564.35754 195.73479 curveto
-564.65051 195.78362 564.92069 195.85686 565.16809 195.95451 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-566.80383 199.10393 moveto
-566.80383 195.79338 lineto
-567.70227 195.79338 lineto
-567.70227 199.06975 lineto
-567.70227 199.58733 567.80318 199.97632 568.005 200.23674 curveto
-568.20683 200.4939 568.50956 200.62248 568.91321 200.62248 curveto
-569.39823 200.62248 569.78072 200.46786 570.06067 200.15862 curveto
-570.34387 199.84937 570.48547 199.42782 570.48547 198.89397 curveto
-570.48547 195.79338 lineto
-571.38391 195.79338 lineto
-571.38391 201.26213 lineto
-570.48547 201.26213 lineto
-570.48547 200.42229 lineto
-570.26737 200.75432 570.01346 201.00171 569.72375 201.16447 curveto
-569.43729 201.32398 569.10363 201.40373 568.72278 201.40373 curveto
-568.09452 201.40373 567.61763 201.20842 567.29211 200.81779 curveto
-566.96659 200.42717 566.80383 199.85588 566.80383 199.10393 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-577.50208 196.84319 moveto
-577.72668 196.43954 577.99523 196.14169 578.30774 195.94963 curveto
-578.62023 195.75758 578.98807 195.66155 579.41125 195.66154 curveto
-579.98091 195.66155 580.42036 195.86175 580.72961 196.26213 curveto
-581.03885 196.65927 581.19347 197.22568 581.19348 197.96135 curveto
-581.19348 201.26213 lineto
-580.29016 201.26213 lineto
-580.29016 197.99065 lineto
-580.29015 197.46656 580.19738 197.07756 580.01184 196.82365 curveto
-579.82629 196.56975 579.54308 196.4428 579.16223 196.44279 curveto
-578.69673 196.4428 578.32889 196.59742 578.05872 196.90666 curveto
-577.78853 197.21591 577.65344 197.63746 577.65344 198.17131 curveto
-577.65344 201.26213 lineto
-576.75012 201.26213 lineto
-576.75012 197.99065 lineto
-576.75012 197.46331 576.65734 197.07431 576.4718 196.82365 curveto
-576.28625 196.56975 575.99979 196.4428 575.61243 196.44279 curveto
-575.15344 196.4428 574.78886 196.59905 574.51868 196.91154 curveto
-574.24849 197.22079 574.1134 197.64072 574.1134 198.17131 curveto
-574.1134 201.26213 lineto
-573.21008 201.26213 lineto
-573.21008 195.79338 lineto
-574.1134 195.79338 lineto
-574.1134 196.64299 lineto
-574.31848 196.30771 574.56425 196.06031 574.85071 195.9008 curveto
-575.13716 195.7413 575.47733 195.66155 575.87122 195.66154 curveto
-576.26835 195.66155 576.60526 195.76246 576.88196 195.96428 curveto
-577.1619 196.16611 577.36861 196.45908 577.50208 196.84319 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-587.66809 198.30315 moveto
-587.66809 198.7426 lineto
-583.53723 198.7426 lineto
-583.57629 199.36109 583.76184 199.8331 584.09387 200.15862 curveto
-584.42916 200.48088 584.89465 200.64201 585.49036 200.64201 curveto
-585.8354 200.64201 586.16906 200.5997 586.49133 200.51506 curveto
-586.81685 200.43043 587.13911 200.30347 587.45813 200.1342 curveto
-587.45813 200.98381 lineto
-587.13586 201.12053 586.80546 201.2247 586.46692 201.29631 curveto
-586.12837 201.36792 585.78495 201.40373 585.43665 201.40373 curveto
-584.56425 201.40373 583.87252 201.14983 583.36145 200.64201 curveto
-582.85364 200.1342 582.59973 199.44735 582.59973 198.58147 curveto
-582.59973 197.68629 582.84062 196.97665 583.32239 196.45256 curveto
-583.80741 195.92522 584.46008 195.66155 585.2804 195.66154 curveto
-586.01607 195.66155 586.59712 195.89918 587.02356 196.37444 curveto
-587.45324 196.84645 587.66809 197.48935 587.66809 198.30315 curveto
-586.76965 198.03947 moveto
-586.76314 197.54794 586.62479 197.15569 586.35461 196.86272 curveto
-586.08768 196.56975 585.73287 196.42327 585.29016 196.42326 curveto
-584.78886 196.42327 584.38684 196.56487 584.08411 196.84807 curveto
-583.78463 197.13128 583.6121 197.53004 583.56653 198.04436 curveto
-586.76965 198.03947 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-553.82532 147.89853 moveto
-553.82532 148.60165 lineto
-553.52258 148.60165 lineto
-552.71203 148.60165 552.16841 148.48121 551.89172 148.24033 curveto
-551.61828 147.99944 551.48156 147.5193 551.48157 146.7999 curveto
-551.48157 145.6329 lineto
-551.48156 145.14137 551.39367 144.8012 551.2179 144.6124 curveto
-551.04211 144.4236 550.7231 144.3292 550.26086 144.32919 curveto
-549.96301 144.32919 lineto
-549.96301 143.63095 lineto
-550.26086 143.63095 lineto
-550.72636 143.63095 551.04537 143.53818 551.2179 143.35263 curveto
-551.39367 143.16383 551.48156 142.82692 551.48157 142.34189 curveto
-551.48157 141.17001 lineto
-551.48156 140.45062 551.61828 139.9721 551.89172 139.73447 curveto
-552.16841 139.49359 552.71203 139.37315 553.52258 139.37314 curveto
-553.82532 139.37314 lineto
-553.82532 140.07138 lineto
-553.49329 140.07138 lineto
-553.0343 140.07139 552.73482 140.143 552.59485 140.28622 curveto
-552.45487 140.42946 552.38488 140.73057 552.38489 141.18954 curveto
-552.38489 142.40048 lineto
-552.38488 142.91155 552.31001 143.28265 552.16028 143.51376 curveto
-552.01379 143.74489 551.76151 143.90114 551.40344 143.98251 curveto
-551.76477 144.07041 552.01867 144.22991 552.16516 144.46103 curveto
-552.31164 144.69215 552.38488 145.06162 552.38489 145.56943 curveto
-552.38489 146.78036 lineto
-552.38488 147.23935 552.45487 147.54046 552.59485 147.68369 curveto
-552.73482 147.82691 553.0343 147.89853 553.49329 147.89853 curveto
-553.82532 147.89853 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-559.51379 147.89853 moveto
-559.85559 147.89853 lineto
-560.31132 147.89853 560.60754 147.82854 560.74426 147.68857 curveto
-560.88423 147.54859 560.95422 147.24586 560.95422 146.78036 curveto
-560.95422 145.56943 lineto
-560.95422 145.06162 561.02746 144.69215 561.17395 144.46103 curveto
-561.32043 144.22991 561.57434 144.07041 561.93567 143.98251 curveto
-561.57434 143.90114 561.32043 143.74489 561.17395 143.51376 curveto
-561.02746 143.28265 560.95422 142.91155 560.95422 142.40048 curveto
-560.95422 141.18954 lineto
-560.95422 140.72731 560.88423 140.4262 560.74426 140.28622 curveto
-560.60754 140.143 560.31132 140.07139 559.85559 140.07138 curveto
-559.51379 140.07138 lineto
-559.51379 139.37314 lineto
-559.82141 139.37314 lineto
-560.63196 139.37315 561.17232 139.49359 561.4425 139.73447 curveto
-561.71594 139.9721 561.85266 140.45062 561.85266 141.17001 curveto
-561.85266 142.34189 lineto
-561.85266 142.82692 561.94055 143.16383 562.11633 143.35263 curveto
-562.29211 143.53818 562.61112 143.63095 563.07336 143.63095 curveto
-563.3761 143.63095 lineto
-563.3761 144.32919 lineto
-563.07336 144.32919 lineto
-562.61112 144.3292 562.29211 144.4236 562.11633 144.6124 curveto
-561.94055 144.8012 561.85266 145.14137 561.85266 145.6329 curveto
-561.85266 146.7999 lineto
-561.85266 147.5193 561.71594 147.99944 561.4425 148.24033 curveto
-561.17232 148.48121 560.63196 148.60165 559.82141 148.60165 curveto
-559.51379 148.60165 lineto
-559.51379 147.89853 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-554.20129 153.67001 moveto
-554.20129 156.97079 lineto
-553.30286 156.97079 lineto
-553.30286 153.69931 lineto
-553.30285 153.18174 553.20194 152.79437 553.00012 152.5372 curveto
-552.7983 152.28004 552.49556 152.15146 552.09192 152.15146 curveto
-551.60689 152.15146 551.2244 152.30609 550.94446 152.61533 curveto
-550.66451 152.92457 550.52453 153.34612 550.52454 153.87997 curveto
-550.52454 156.97079 lineto
-549.62122 156.97079 lineto
-549.62122 151.50204 lineto
-550.52454 151.50204 lineto
-550.52454 152.35165 lineto
-550.73938 152.02288 550.99166 151.77711 551.28137 151.61435 curveto
-551.57434 151.45159 551.91125 151.37021 552.29211 151.37021 curveto
-552.92037 151.37021 553.39563 151.56553 553.7179 151.95615 curveto
-554.04016 152.34352 554.20129 152.91481 554.20129 153.67001 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-560.68079 154.01181 moveto
-560.68079 154.45126 lineto
-556.54993 154.45126 lineto
-556.58899 155.06975 556.77453 155.54176 557.10657 155.86728 curveto
-557.44185 156.18955 557.90735 156.35068 558.50305 156.35068 curveto
-558.8481 156.35068 559.18176 156.30836 559.50403 156.22372 curveto
-559.82954 156.13909 560.15181 156.01214 560.47083 155.84286 curveto
-560.47083 156.69247 lineto
-560.14855 156.82919 559.81815 156.93336 559.47961 157.00497 curveto
-559.14107 157.07659 558.79764 157.1124 558.44934 157.1124 curveto
-557.57694 157.1124 556.88521 156.85849 556.37415 156.35068 curveto
-555.86633 155.84287 555.61243 155.15602 555.61243 154.29013 curveto
-555.61243 153.39495 555.85331 152.68532 556.33508 152.16122 curveto
-556.82011 151.63389 557.47278 151.37021 558.29309 151.37021 curveto
-559.02876 151.37021 559.60982 151.60784 560.03625 152.0831 curveto
-560.46594 152.55511 560.68078 153.19801 560.68079 154.01181 curveto
-559.78235 153.74814 moveto
-559.77583 153.25661 559.63749 152.86435 559.36731 152.57138 curveto
-559.10038 152.27842 558.74556 152.13193 558.30286 152.13193 curveto
-557.80155 152.13193 557.39953 152.27353 557.0968 152.55673 curveto
-556.79732 152.83994 556.62479 153.2387 556.57922 153.75302 curveto
-559.78235 153.74814 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-566.52551 151.50204 moveto
-564.54797 154.16318 lineto
-566.62805 156.97079 lineto
-565.56848 156.97079 lineto
-563.97668 154.82236 lineto
-562.38489 156.97079 lineto
-561.32532 156.97079 lineto
-563.44934 154.10947 lineto
-561.50598 151.50204 lineto
-562.56555 151.50204 lineto
-564.01575 153.45029 lineto
-565.46594 151.50204 lineto
-566.52551 151.50204 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-568.78625 149.94931 moveto
-568.78625 151.50204 lineto
-570.63684 151.50204 lineto
-570.63684 152.20029 lineto
-568.78625 152.20029 lineto
-568.78625 155.16904 lineto
-568.78625 155.615 568.84647 155.90146 568.96692 156.02841 curveto
-569.09061 156.15537 569.33964 156.21884 569.71399 156.21884 curveto
-570.63684 156.21884 lineto
-570.63684 156.97079 lineto
-569.71399 156.97079 lineto
-569.02063 156.97079 568.54211 156.84221 568.27844 156.58505 curveto
-568.01477 156.32464 567.88293 155.85263 567.88293 155.16904 curveto
-567.88293 152.20029 lineto
-567.22375 152.20029 lineto
-567.22375 151.50204 lineto
-567.88293 151.50204 lineto
-567.88293 149.94931 lineto
-568.78625 149.94931 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-483.33514 94.963516 moveto
-483.33514 98.264297 lineto
-482.43671 98.264297 lineto
-482.43671 94.992813 lineto
-482.4367 94.475239 482.33579 94.087869 482.13397 93.830704 curveto
-481.93215 93.573547 481.62941 93.444966 481.22577 93.444962 curveto
-480.74074 93.444966 480.35825 93.599589 480.07831 93.908829 curveto
-479.79836 94.218078 479.65838 94.639627 479.65839 95.173477 curveto
-479.65839 98.264297 lineto
-478.75507 98.264297 lineto
-478.75507 92.795547 lineto
-479.65839 92.795547 lineto
-479.65839 93.645157 lineto
-479.87323 93.316386 480.12551 93.070618 480.41522 92.907852 curveto
-480.70819 92.745097 481.0451 92.663717 481.42596 92.663712 curveto
-482.05422 92.663717 482.52948 92.859029 482.85175 93.249649 curveto
-483.17401 93.637023 483.33514 94.208312 483.33514 94.963516 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-487.25604 93.42543 moveto
-486.77427 93.425435 486.39341 93.614237 486.11346 93.991837 curveto
-485.83351 94.366189 485.69354 94.880512 485.69354 95.534805 curveto
-485.69354 96.189104 485.83189 96.705054 486.10858 97.082657 curveto
-486.38853 97.457007 486.77101 97.644181 487.25604 97.64418 curveto
-487.73455 97.644181 488.11379 97.455379 488.39374 97.077774 curveto
-488.67368 96.700171 488.81366 96.185849 488.81366 95.534805 curveto
-488.81366 94.887022 488.67368 94.374327 488.39374 93.996719 curveto
-488.11379 93.615865 487.73455 93.425435 487.25604 93.42543 curveto
-487.25604 92.663712 moveto
-488.03729 92.663717 488.65089 92.917623 489.09686 93.42543 curveto
-489.54282 93.933247 489.7658 94.636371 489.76581 95.534805 curveto
-489.7658 96.429989 489.54282 97.133114 489.09686 97.64418 curveto
-488.65089 98.151993 488.03729 98.405899 487.25604 98.405899 curveto
-486.47153 98.405899 485.8563 98.151993 485.41034 97.64418 curveto
-484.96763 97.133114 484.74628 96.429989 484.74628 95.534805 curveto
-484.74628 94.636371 484.96763 93.933247 485.41034 93.42543 curveto
-485.8563 92.917623 486.47153 92.663717 487.25604 92.663712 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-492.13885 91.242813 moveto
-492.13885 92.795547 lineto
-493.98944 92.795547 lineto
-493.98944 93.49379 lineto
-492.13885 93.49379 lineto
-492.13885 96.46254 lineto
-492.13885 96.908505 492.19907 97.194963 492.31952 97.321915 curveto
-492.44321 97.448869 492.69224 97.512345 493.06659 97.512344 curveto
-493.98944 97.512344 lineto
-493.98944 98.264297 lineto
-493.06659 98.264297 lineto
-492.37323 98.264297 491.89471 98.135717 491.63104 97.878555 curveto
-491.36737 97.618139 491.23553 97.146135 491.23553 96.46254 curveto
-491.23553 93.49379 lineto
-490.57635 93.49379 lineto
-490.57635 92.795547 lineto
-491.23553 92.795547 lineto
-491.23553 91.242813 lineto
-492.13885 91.242813 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-499.8537 95.305313 moveto
-499.8537 95.744766 lineto
-495.72284 95.744766 lineto
-495.7619 96.363258 495.94745 96.835262 496.27948 97.160782 curveto
-496.61476 97.483048 497.08026 97.644181 497.67596 97.64418 curveto
-498.02101 97.644181 498.35467 97.601863 498.67694 97.517227 curveto
-499.00246 97.432593 499.32472 97.30564 499.64374 97.136368 curveto
-499.64374 97.985977 lineto
-499.32147 98.122696 498.99106 98.226863 498.65253 98.298477 curveto
-498.31398 98.370092 497.97056 98.405899 497.62225 98.405899 curveto
-496.74986 98.405899 496.05812 98.151993 495.54706 97.64418 curveto
-495.03924 97.136369 494.78534 96.449521 494.78534 95.583633 curveto
-494.78534 94.688455 495.02622 93.97882 495.508 93.454727 curveto
-495.99302 92.927389 496.64569 92.663717 497.466 92.663712 curveto
-498.20168 92.663717 498.78273 92.901347 499.20917 93.376602 curveto
-499.63885 93.848612 499.85369 94.491515 499.8537 95.305313 curveto
-498.95526 95.041641 moveto
-498.94875 94.550108 498.8104 94.157856 498.54022 93.864883 curveto
-498.27329 93.571919 497.91847 93.425435 497.47577 93.42543 curveto
-496.97446 93.425435 496.57245 93.567037 496.26971 93.850235 curveto
-495.97023 94.133442 495.79771 94.532205 495.75214 95.046524 curveto
-498.95526 95.041641 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-478.78925 100.66664 moveto
-479.68768 100.66664 lineto
-479.68768 108.2643 lineto
-478.78925 108.2643 lineto
-478.78925 100.66664 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-486.24042 105.30531 moveto
-486.24042 105.74477 lineto
-482.10956 105.74477 lineto
-482.14862 106.36326 482.33417 106.83526 482.6662 107.16078 curveto
-483.00148 107.48305 483.46698 107.64418 484.06268 107.64418 curveto
-484.40773 107.64418 484.74139 107.60186 485.06366 107.51723 curveto
-485.38918 107.43259 485.71144 107.30564 486.03046 107.13637 curveto
-486.03046 107.98598 lineto
-485.70819 108.1227 485.37778 108.22686 485.03925 108.29848 curveto
-484.7007 108.37009 484.35728 108.4059 484.00897 108.4059 curveto
-483.13657 108.4059 482.44484 108.15199 481.93378 107.64418 curveto
-481.42596 107.13637 481.17206 106.44952 481.17206 105.58363 curveto
-481.17206 104.68845 481.41294 103.97882 481.89471 103.45473 curveto
-482.37974 102.92739 483.03241 102.66372 483.85272 102.66371 curveto
-484.5884 102.66372 485.16945 102.90135 485.59589 103.3766 curveto
-486.02557 103.84861 486.24041 104.49151 486.24042 105.30531 curveto
-485.34198 105.04164 moveto
-485.33546 104.55011 485.19712 104.15786 484.92694 103.86488 curveto
-484.66001 103.57192 484.30519 103.42544 483.86249 103.42543 curveto
-483.36118 103.42544 482.95917 103.56704 482.65643 103.85023 curveto
-482.35695 104.13344 482.18443 104.5322 482.13885 105.04652 curveto
-485.34198 105.04164 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-488.6037 101.24281 moveto
-488.6037 102.79555 lineto
-490.45428 102.79555 lineto
-490.45428 103.49379 lineto
-488.6037 103.49379 lineto
-488.6037 106.46254 lineto
-488.6037 106.9085 488.66392 107.19496 488.78436 107.32191 curveto
-488.90806 107.44887 489.15708 107.51235 489.53143 107.51234 curveto
-490.45428 107.51234 lineto
-490.45428 108.2643 lineto
-489.53143 108.2643 lineto
-488.83807 108.2643 488.35956 108.13572 488.09589 107.87856 curveto
-487.83221 107.61814 487.70038 107.14613 487.70038 106.46254 curveto
-487.70038 103.49379 lineto
-487.0412 103.49379 lineto
-487.0412 102.79555 lineto
-487.70038 102.79555 lineto
-487.70038 101.24281 lineto
-488.6037 101.24281 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-44.641342 188.13469 moveto
-44.641342 184.82414 lineto
-45.53978 184.82414 lineto
-45.53978 188.10051 lineto
-45.539778 188.61809 45.640689 189.00709 45.842514 189.2675 curveto
-46.044335 189.52466 46.347069 189.65324 46.750717 189.65324 curveto
-47.23574 189.65324 47.618226 189.49862 47.898178 189.18938 curveto
-48.181377 188.88013 48.322978 188.45858 48.322983 187.92473 curveto
-48.322983 184.82414 lineto
-49.22142 184.82414 lineto
-49.22142 190.29289 lineto
-48.322983 190.29289 lineto
-48.322983 189.45305 lineto
-48.10488 189.78508 47.850974 190.03248 47.561264 190.19524 curveto
-47.274802 190.35474 46.941144 190.43449 46.560287 190.43449 curveto
-45.93203 190.43449 45.455143 190.23918 45.129623 189.84856 curveto
-44.804102 189.45793 44.641341 188.88664 44.641342 188.13469 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-54.5681 184.98528 moveto
-54.5681 185.83488 lineto
-54.31419 185.70468 54.050518 185.60702 53.777084 185.54192 curveto
-53.503643 185.47682 53.220441 185.44426 52.927475 185.44426 curveto
-52.481509 185.44426 52.146223 185.51262 51.921616 185.64934 curveto
-51.70026 185.78606 51.589583 185.99114 51.589584 186.26457 curveto
-51.589583 186.47291 51.669335 186.6373 51.828842 186.75774 curveto
-51.988346 186.87493 52.308983 186.98723 52.790756 187.09465 curveto
-53.098373 187.16301 lineto
-53.736391 187.29973 54.188864 187.49342 54.455795 187.74406 curveto
-54.725973 187.99146 54.861064 188.33814 54.861069 188.7841 curveto
-54.861064 189.29192 54.659241 189.69393 54.2556 189.99016 curveto
-53.855206 190.28638 53.303448 190.43449 52.600327 190.43449 curveto
-52.307356 190.43449 52.001366 190.4052 51.682358 190.3466 curveto
-51.366601 190.29126 51.032943 190.20663 50.681381 190.0927 curveto
-50.681381 189.16496 lineto
-51.013412 189.33749 51.34056 189.4677 51.662827 189.55559 curveto
-51.98509 189.64022 52.3041 189.68254 52.619858 189.68254 curveto
-53.043032 189.68254 53.368552 189.61093 53.59642 189.4677 curveto
-53.824281 189.32121 53.938213 189.11614 53.938217 188.85246 curveto
-53.938213 188.60832 53.855206 188.42115 53.689194 188.29094 curveto
-53.52643 188.16073 53.16673 188.03541 52.610092 187.91496 curveto
-52.297592 187.84172 lineto
-51.74095 187.72454 51.338932 187.5455 51.091537 187.30461 curveto
-50.844141 187.06047 50.720443 186.72682 50.720444 186.30363 curveto
-50.720443 185.78932 50.902735 185.39218 51.267319 185.11223 curveto
-51.631901 184.83229 52.149478 184.69231 52.820053 184.69231 curveto
-53.152081 184.69231 53.464581 184.71673 53.757553 184.76555 curveto
-54.050518 184.81438 54.3207 184.88762 54.5681 184.98528 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-56.296616 184.82414 moveto
-57.195053 184.82414 lineto
-57.195053 190.29289 lineto
-56.296616 190.29289 lineto
-56.296616 184.82414 lineto
-56.296616 182.69524 moveto
-57.195053 182.69524 lineto
-57.195053 183.83293 lineto
-56.296616 183.83293 lineto
-56.296616 182.69524 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-63.615952 186.99211 moveto
-63.615952 190.29289 lineto
-62.717514 190.29289 lineto
-62.717514 187.02141 lineto
-62.717509 186.50383 62.616598 186.11646 62.41478 185.8593 curveto
-62.212953 185.60214 61.910219 185.47356 61.506577 185.47356 curveto
-61.021548 185.47356 60.639061 185.62818 60.359116 185.93742 curveto
-60.079166 186.24667 59.939192 186.66822 59.939194 187.20207 curveto
-59.939194 190.29289 lineto
-59.035873 190.29289 lineto
-59.035873 184.82414 lineto
-59.939194 184.82414 lineto
-59.939194 185.67375 lineto
-60.154035 185.34498 60.406314 185.09921 60.69603 184.93645 curveto
-60.988996 184.77369 61.325909 184.69231 61.706772 184.69231 curveto
-62.335023 184.69231 62.810283 184.88762 63.132553 185.27824 curveto
-63.454813 185.66562 63.615946 186.23691 63.615952 186.99211 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-69.016342 187.49504 moveto
-69.016338 186.844 68.881247 186.33945 68.611069 185.98137 curveto
-68.344138 185.6233 67.968162 185.44426 67.483139 185.44426 curveto
-67.001366 185.44426 66.625389 185.6233 66.355209 185.98137 curveto
-66.088281 186.33945 65.954817 186.844 65.954819 187.49504 curveto
-65.954817 188.14283 66.088281 188.64576 66.355209 189.00383 curveto
-66.625389 189.3619 67.001366 189.54094 67.483139 189.54094 curveto
-67.968162 189.54094 68.344138 189.3619 68.611069 189.00383 curveto
-68.881247 188.64576 69.016338 188.14283 69.016342 187.49504 curveto
-69.91478 189.61418 moveto
-69.914774 190.54517 69.708069 191.2369 69.294662 191.68938 curveto
-68.881247 192.1451 68.248109 192.37297 67.395248 192.37297 curveto
-67.079491 192.37297 66.781639 192.34855 66.501694 192.29973 curveto
-66.221744 192.25415 65.949934 192.18254 65.686264 192.08488 curveto
-65.686264 191.21086 lineto
-65.949934 191.35409 66.210351 191.45988 66.467514 191.52824 curveto
-66.724673 191.5966 66.986717 191.63078 67.253647 191.63078 curveto
-67.842836 191.63078 68.283916 191.47616 68.576889 191.16692 curveto
-68.869853 190.86093 69.016338 190.39706 69.016342 189.77531 curveto
-69.016342 189.33098 lineto
-68.830791 189.65324 68.593161 189.89413 68.303452 190.05363 curveto
-68.013734 190.21314 67.667055 190.29289 67.263412 190.29289 curveto
-66.592837 190.29289 66.052473 190.03736 65.642319 189.52629 curveto
-65.232162 189.01522 65.027084 188.33814 65.027084 187.49504 curveto
-65.027084 186.64869 65.232162 185.96998 65.642319 185.45891 curveto
-66.052473 184.94785 66.592837 184.69231 67.263412 184.69231 curveto
-67.667055 184.69231 68.013734 184.77206 68.303452 184.93156 curveto
-68.593161 185.09107 68.830791 185.33196 69.016342 185.65422 curveto
-69.016342 184.82414 lineto
-69.91478 184.82414 lineto
-69.91478 189.61418 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-44.641342 198.13469 moveto
-44.641342 194.82414 lineto
-45.53978 194.82414 lineto
-45.53978 198.10051 lineto
-45.539778 198.61809 45.640689 199.00709 45.842514 199.2675 curveto
-46.044335 199.52466 46.347069 199.65324 46.750717 199.65324 curveto
-47.23574 199.65324 47.618226 199.49862 47.898178 199.18938 curveto
-48.181377 198.88013 48.322978 198.45858 48.322983 197.92473 curveto
-48.322983 194.82414 lineto
-49.22142 194.82414 lineto
-49.22142 200.29289 lineto
-48.322983 200.29289 lineto
-48.322983 199.45305 lineto
-48.10488 199.78508 47.850974 200.03248 47.561264 200.19524 curveto
-47.274802 200.35474 46.941144 200.43449 46.560287 200.43449 curveto
-45.93203 200.43449 45.455143 200.23918 45.129623 199.84856 curveto
-44.804102 199.45793 44.641341 198.88664 44.641342 198.13469 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-55.62767 196.99211 moveto
-55.62767 200.29289 lineto
-54.729233 200.29289 lineto
-54.729233 197.02141 lineto
-54.729228 196.50383 54.628317 196.11646 54.426498 195.8593 curveto
-54.224671 195.60214 53.921937 195.47356 53.518295 195.47356 curveto
-53.033266 195.47356 52.65078 195.62818 52.370834 195.93742 curveto
-52.090884 196.24667 51.950911 196.66822 51.950912 197.20207 curveto
-51.950912 200.29289 lineto
-51.047592 200.29289 lineto
-51.047592 194.82414 lineto
-51.950912 194.82414 lineto
-51.950912 195.67375 lineto
-52.165754 195.34498 52.418033 195.09921 52.707748 194.93645 curveto
-53.000714 194.77369 53.337628 194.69231 53.718491 194.69231 curveto
-54.346742 194.69231 54.822002 194.88762 55.144272 195.27824 curveto
-55.466532 195.66562 55.627665 196.23691 55.62767 196.99211 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-60.197983 192.69524 moveto
-60.197983 193.44231 lineto
-59.338608 193.44231 lineto
-59.01634 193.44231 58.79173 193.50742 58.66478 193.63762 curveto
-58.54108 193.76783 58.479231 194.00221 58.479233 194.34074 curveto
-58.479233 194.82414 lineto
-59.958725 194.82414 lineto
-59.958725 195.52238 lineto
-58.479233 195.52238 lineto
-58.479233 200.29289 lineto
-57.575912 200.29289 lineto
-57.575912 195.52238 lineto
-56.716537 195.52238 lineto
-56.716537 194.82414 lineto
-57.575912 194.82414 lineto
-57.575912 194.44328 lineto
-57.575911 193.83457 57.717513 193.39186 58.000717 193.11516 curveto
-58.283918 192.83522 58.733137 192.69524 59.348373 192.69524 curveto
-60.197983 192.69524 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-63.064194 195.45403 moveto
-62.58242 195.45403 62.201561 195.64283 61.921616 196.02043 curveto
-61.641666 196.39478 61.501692 196.90911 61.501694 197.5634 curveto
-61.501692 198.2177 61.640038 198.73365 61.916733 199.11125 curveto
-62.196679 199.4856 62.579165 199.67278 63.064194 199.67278 curveto
-63.542706 199.67278 63.921937 199.48397 64.201889 199.10637 curveto
-64.481832 198.72877 64.621806 198.21444 64.621811 197.5634 curveto
-64.621806 196.91562 64.481832 196.40292 64.201889 196.02531 curveto
-63.921937 195.64446 63.542706 195.45403 63.064194 195.45403 curveto
-63.064194 194.69231 moveto
-63.84544 194.69231 64.459046 194.94622 64.905014 195.45403 curveto
-65.350972 195.96184 65.573954 196.66497 65.573959 197.5634 curveto
-65.573954 198.45858 65.350972 199.16171 64.905014 199.67278 curveto
-64.459046 200.18059 63.84544 200.43449 63.064194 200.43449 curveto
-62.279686 200.43449 61.664452 200.18059 61.218491 199.67278 curveto
-60.775781 199.16171 60.554428 198.45858 60.554428 197.5634 curveto
-60.554428 196.66497 60.775781 195.96184 61.218491 195.45403 curveto
-61.664452 194.94622 62.279686 194.69231 63.064194 194.69231 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-67.058334 192.69524 moveto
-67.956772 192.69524 lineto
-67.956772 200.29289 lineto
-67.058334 200.29289 lineto
-67.058334 192.69524 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-73.430405 195.65422 moveto
-73.430405 192.69524 lineto
-74.328842 192.69524 lineto
-74.328842 200.29289 lineto
-73.430405 200.29289 lineto
-73.430405 199.47258 lineto
-73.241598 199.7981 73.002341 200.04061 72.712631 200.20012 curveto
-72.426169 200.35637 72.081118 200.43449 71.677475 200.43449 curveto
-71.016666 200.43449 70.477929 200.17082 70.061264 199.64348 curveto
-69.647852 199.11614 69.441146 198.42278 69.441147 197.5634 curveto
-69.441146 196.70403 69.647852 196.01067 70.061264 195.48332 curveto
-70.477929 194.95598 71.016666 194.69231 71.677475 194.69231 curveto
-72.081118 194.69231 72.426169 194.77206 72.712631 194.93156 curveto
-73.002341 195.08782 73.241598 195.3287 73.430405 195.65422 curveto
-70.368881 197.5634 moveto
-70.36888 198.22421 70.503971 198.74341 70.774155 199.12102 curveto
-71.04759 199.49537 71.421939 199.68254 71.897202 199.68254 curveto
-72.372458 199.68254 72.746807 199.49537 73.020248 199.12102 curveto
-73.293682 198.74341 73.4304 198.22421 73.430405 197.5634 curveto
-73.4304 196.9026 73.293682 196.38502 73.020248 196.01067 curveto
-72.746807 195.63307 72.372458 195.44426 71.897202 195.44426 curveto
-71.421939 195.44426 71.04759 195.63307 70.774155 196.01067 curveto
-70.503971 196.38502 70.36888 196.9026 70.368881 197.5634 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-76.179428 194.82414 moveto
-77.077866 194.82414 lineto
-77.077866 200.29289 lineto
-76.179428 200.29289 lineto
-76.179428 194.82414 lineto
-76.179428 192.69524 moveto
-77.077866 192.69524 lineto
-77.077866 193.83293 lineto
-76.179428 193.83293 lineto
-76.179428 192.69524 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-83.498764 196.99211 moveto
-83.498764 200.29289 lineto
-82.600327 200.29289 lineto
-82.600327 197.02141 lineto
-82.600322 196.50383 82.499411 196.11646 82.297592 195.8593 curveto
-82.095765 195.60214 81.793031 195.47356 81.389389 195.47356 curveto
-80.90436 195.47356 80.521874 195.62818 80.241928 195.93742 curveto
-79.961978 196.24667 79.822004 196.66822 79.822006 197.20207 curveto
-79.822006 200.29289 lineto
-78.918686 200.29289 lineto
-78.918686 194.82414 lineto
-79.822006 194.82414 lineto
-79.822006 195.67375 lineto
-80.036848 195.34498 80.289126 195.09921 80.578842 194.93645 curveto
-80.871808 194.77369 81.208722 194.69231 81.589584 194.69231 curveto
-82.217835 194.69231 82.693095 194.88762 83.015366 195.27824 curveto
-83.337626 195.66562 83.498759 196.23691 83.498764 196.99211 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-88.899155 197.49504 moveto
-88.89915 196.844 88.764059 196.33945 88.493881 195.98137 curveto
-88.22695 195.6233 87.850974 195.44426 87.365952 195.44426 curveto
-86.884178 195.44426 86.508202 195.6233 86.238022 195.98137 curveto
-85.971093 196.33945 85.83763 196.844 85.837631 197.49504 curveto
-85.83763 198.14283 85.971093 198.64576 86.238022 199.00383 curveto
-86.508202 199.3619 86.884178 199.54094 87.365952 199.54094 curveto
-87.850974 199.54094 88.22695 199.3619 88.493881 199.00383 curveto
-88.764059 198.64576 88.89915 198.14283 88.899155 197.49504 curveto
-89.797592 199.61418 moveto
-89.797587 200.54517 89.590881 201.2369 89.177475 201.68938 curveto
-88.764059 202.1451 88.130922 202.37297 87.278061 202.37297 curveto
-86.962303 202.37297 86.664452 202.34855 86.384506 202.29973 curveto
-86.104557 202.25415 85.832747 202.18254 85.569077 202.08488 curveto
-85.569077 201.21086 lineto
-85.832747 201.35409 86.093163 201.45988 86.350327 201.52824 curveto
-86.607486 201.5966 86.86953 201.63078 87.136459 201.63078 curveto
-87.725649 201.63078 88.166729 201.47616 88.459702 201.16692 curveto
-88.752666 200.86093 88.89915 200.39706 88.899155 199.77531 curveto
-88.899155 199.33098 lineto
-88.713603 199.65324 88.475973 199.89413 88.186264 200.05363 curveto
-87.896547 200.21314 87.549868 200.29289 87.146225 200.29289 curveto
-86.47565 200.29289 85.935286 200.03736 85.525131 199.52629 curveto
-85.114974 199.01522 84.909896 198.33814 84.909897 197.49504 curveto
-84.909896 196.64869 85.114974 195.96998 85.525131 195.45891 curveto
-85.935286 194.94785 86.47565 194.69231 87.146225 194.69231 curveto
-87.549868 194.69231 87.896547 194.77206 88.186264 194.93156 curveto
-88.475973 195.09107 88.713603 195.33196 88.899155 195.65422 curveto
-88.899155 194.82414 lineto
-89.797592 194.82414 lineto
-89.797592 199.61418 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-380.48996 223.50369 moveto
-380.48996 225.05643 lineto
-382.34055 225.05643 lineto
-382.34055 225.75467 lineto
-380.48996 225.75467 lineto
-380.48996 228.72342 lineto
-380.48996 229.16938 380.55018 229.45584 380.67062 229.58279 curveto
-380.79432 229.70975 381.04334 229.77322 381.41769 229.77322 curveto
-382.34055 229.77322 lineto
-382.34055 230.52518 lineto
-381.41769 230.52518 lineto
-380.72433 230.52518 380.24582 230.3966 379.98215 230.13943 curveto
-379.71847 229.87902 379.58664 229.40701 379.58664 228.72342 curveto
-379.58664 225.75467 lineto
-378.92746 225.75467 lineto
-378.92746 225.05643 lineto
-379.58664 225.05643 lineto
-379.58664 223.50369 lineto
-380.48996 223.50369 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-388.07297 227.2244 moveto
-388.07297 230.52518 lineto
-387.17453 230.52518 lineto
-387.17453 227.25369 lineto
-387.17453 226.73612 387.07361 226.34875 386.8718 226.09158 curveto
-386.66997 225.83443 386.36723 225.70585 385.96359 225.70584 curveto
-385.47856 225.70585 385.09608 225.86047 384.81613 226.16971 curveto
-384.53618 226.47896 384.39621 226.90051 384.39621 227.43436 curveto
-384.39621 230.52518 lineto
-383.49289 230.52518 lineto
-383.49289 222.92752 lineto
-384.39621 222.92752 lineto
-384.39621 225.90604 lineto
-384.61105 225.57727 384.86333 225.3315 385.15305 225.16873 curveto
-385.44601 225.00598 385.78293 224.9246 386.16379 224.92459 curveto
-386.79204 224.9246 387.2673 225.11991 387.58957 225.51053 curveto
-387.91183 225.8979 388.07296 226.46919 388.07297 227.2244 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-394.55246 227.56619 moveto
-394.55246 228.00565 lineto
-390.4216 228.00565 lineto
-390.46066 228.62414 390.64621 229.09614 390.97824 229.42166 curveto
-391.31353 229.74393 391.77902 229.90506 392.37473 229.90506 curveto
-392.71977 229.90506 393.05343 229.86274 393.3757 229.77811 curveto
-393.70122 229.69347 394.02348 229.56652 394.3425 229.39725 curveto
-394.3425 230.24686 lineto
-394.02023 230.38358 393.68982 230.48774 393.35129 230.55936 curveto
-393.01274 230.63097 392.66932 230.66678 392.32101 230.66678 curveto
-391.44862 230.66678 390.75688 230.41287 390.24582 229.90506 curveto
-389.73801 229.39725 389.4841 228.7104 389.4841 227.84451 curveto
-389.4841 226.94933 389.72498 226.2397 390.20676 225.71561 curveto
-390.69178 225.18827 391.34445 224.9246 392.16476 224.92459 curveto
-392.90044 224.9246 393.48149 225.16223 393.90793 225.63748 curveto
-394.33761 226.10949 394.55245 226.75239 394.55246 227.56619 curveto
-393.65402 227.30252 moveto
-393.64751 226.81099 393.50916 226.41874 393.23898 226.12576 curveto
-392.97205 225.8328 392.61723 225.68631 392.17453 225.68631 curveto
-391.67323 225.68631 391.27121 225.82792 390.96848 226.11111 curveto
-390.66899 226.39432 390.49647 226.79308 390.4509 227.3074 curveto
-393.65402 227.30252 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-400.57297 227.2244 moveto
-400.57297 230.52518 lineto
-399.67453 230.52518 lineto
-399.67453 227.25369 lineto
-399.67453 226.73612 399.57361 226.34875 399.3718 226.09158 curveto
-399.16997 225.83443 398.86723 225.70585 398.46359 225.70584 curveto
-397.97856 225.70585 397.59608 225.86047 397.31613 226.16971 curveto
-397.03618 226.47896 396.89621 226.90051 396.89621 227.43436 curveto
-396.89621 230.52518 lineto
-395.99289 230.52518 lineto
-395.99289 225.05643 lineto
-396.89621 225.05643 lineto
-396.89621 225.90604 lineto
-397.11105 225.57727 397.36333 225.3315 397.65305 225.16873 curveto
-397.94601 225.00598 398.28293 224.9246 398.66379 224.92459 curveto
-399.29204 224.9246 399.7673 225.11991 400.08957 225.51053 curveto
-400.41183 225.8979 400.57296 226.46919 400.57297 227.2244 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-239.47623 229.75269 moveto
-239.47623 233.05347 lineto
-238.57779 233.05347 lineto
-238.57779 229.78198 lineto
-238.57778 229.26441 238.47687 228.87704 238.27505 228.61987 curveto
-238.07323 228.36272 237.77049 228.23414 237.36685 228.23413 curveto
-236.88182 228.23414 236.49934 228.38876 236.21939 228.698 curveto
-235.93944 229.00725 235.79947 229.4288 235.79947 229.96265 curveto
-235.79947 233.05347 lineto
-234.89615 233.05347 lineto
-234.89615 225.45581 lineto
-235.79947 225.45581 lineto
-235.79947 228.43433 lineto
-236.01431 228.10556 236.26659 227.85979 236.5563 227.69702 curveto
-236.84927 227.53427 237.18618 227.45289 237.56705 227.45288 curveto
-238.1953 227.45289 238.67056 227.6482 238.99283 228.03882 curveto
-239.31509 228.42619 239.47622 228.99748 239.47623 229.75269 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-243.76334 230.30444 moveto
-243.03742 230.30445 242.53449 230.38745 242.25455 230.55347 curveto
-241.9746 230.71948 241.83462 231.00269 241.83463 231.40308 curveto
-241.83462 231.72209 241.93879 231.97599 242.14713 232.16479 curveto
-242.35871 232.35034 242.64517 232.44312 243.0065 232.44312 curveto
-243.50454 232.44312 243.90331 232.26733 244.20279 231.91577 curveto
-244.50552 231.56096 244.65689 231.09058 244.65689 230.50464 curveto
-244.65689 230.30444 lineto
-243.76334 230.30444 lineto
-245.55533 229.93335 moveto
-245.55533 233.05347 lineto
-244.65689 233.05347 lineto
-244.65689 232.22339 lineto
-244.45181 232.55542 244.19628 232.80119 243.89029 232.96069 curveto
-243.5843 233.11694 243.20995 233.19507 242.76724 233.19507 curveto
-242.20734 233.19507 241.76138 233.03882 241.42935 232.72632 curveto
-241.10057 232.41056 240.93619 231.98901 240.93619 231.46167 curveto
-240.93619 230.84644 241.14127 230.38257 241.55142 230.07007 curveto
-241.96483 229.75757 242.58007 229.60132 243.39713 229.60132 curveto
-244.65689 229.60132 lineto
-244.65689 229.51343 lineto
-244.65689 229.10002 244.52017 228.78101 244.24673 228.5564 curveto
-243.97655 228.32854 243.59569 228.2146 243.10416 228.2146 curveto
-242.79165 228.2146 242.48729 228.25204 242.19107 228.3269 curveto
-241.89485 228.40178 241.61001 228.51408 241.33658 228.66382 curveto
-241.33658 227.83374 lineto
-241.66535 227.70679 241.98436 227.61239 242.29361 227.55054 curveto
-242.60285 227.48544 242.90396 227.45289 243.19693 227.45288 curveto
-243.98794 227.45289 244.57876 227.65796 244.96939 228.06812 curveto
-245.36001 228.47828 245.55532 229.10002 245.55533 229.93335 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-246.76627 227.58472 moveto
-247.71841 227.58472 lineto
-249.4274 232.17456 lineto
-251.13638 227.58472 lineto
-252.08853 227.58472 lineto
-250.03775 233.05347 lineto
-248.81705 233.05347 lineto
-246.76627 227.58472 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-258.0065 230.09448 moveto
-258.0065 230.53394 lineto
-253.87564 230.53394 lineto
-253.9147 231.15243 254.10025 231.62443 254.43228 231.94995 curveto
-254.76757 232.27222 255.23306 232.43335 255.82877 232.43335 curveto
-256.17381 232.43335 256.50747 232.39103 256.82974 232.3064 curveto
-257.15526 232.22176 257.47752 232.09481 257.79654 231.92554 curveto
-257.79654 232.77515 lineto
-257.47427 232.91187 257.14387 233.01603 256.80533 233.08765 curveto
-256.46678 233.15926 256.12336 233.19507 255.77505 233.19507 curveto
-254.90266 233.19507 254.21093 232.94116 253.69986 232.43335 curveto
-253.19205 231.92554 252.93814 231.23869 252.93814 230.3728 curveto
-252.93814 229.47762 253.17903 228.76799 253.6608 228.2439 curveto
-254.14582 227.71656 254.79849 227.45289 255.6188 227.45288 curveto
-256.35448 227.45289 256.93553 227.69052 257.36197 228.16577 curveto
-257.79165 228.63778 258.00649 229.28068 258.0065 230.09448 curveto
-257.10806 229.83081 moveto
-257.10155 229.33928 256.9632 228.94703 256.69302 228.65405 curveto
-256.42609 228.36109 256.07128 228.2146 255.62857 228.2146 curveto
-255.12727 228.2146 254.72525 228.35621 254.42252 228.6394 curveto
-254.12303 228.92261 253.95051 229.32137 253.90494 229.83569 curveto
-257.10806 229.83081 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-238.41666 242.74585 moveto
-238.41666 243.59546 lineto
-238.16275 243.46526 237.89907 243.3676 237.62564 243.30249 curveto
-237.3522 243.23739 237.069 243.20484 236.77603 243.20483 curveto
-236.33007 243.20484 235.99478 243.2732 235.77017 243.40991 curveto
-235.54882 243.54664 235.43814 243.75171 235.43814 244.02515 curveto
-235.43814 244.23348 235.51789 244.39787 235.6774 244.51831 curveto
-235.8369 244.6355 236.15754 244.74781 236.63931 244.85522 curveto
-236.94693 244.92358 lineto
-237.58495 245.06031 238.03742 245.25399 238.30435 245.50464 curveto
-238.57453 245.75204 238.70962 246.09872 238.70963 246.54468 curveto
-238.70962 247.05249 238.5078 247.45451 238.10416 247.75073 curveto
-237.70376 248.04696 237.152 248.19507 236.44888 248.19507 curveto
-236.15591 248.19507 235.84992 248.16577 235.53091 248.10718 curveto
-235.21516 248.05184 234.8815 247.9672 234.52994 247.85327 curveto
-234.52994 246.92554 lineto
-234.86197 247.09806 235.18912 247.22827 235.51138 247.31616 curveto
-235.83365 247.4008 236.15266 247.44312 236.46841 247.44312 curveto
-236.89159 247.44312 237.21711 247.3715 237.44498 247.22827 curveto
-237.67284 247.08179 237.78677 246.87671 237.78677 246.61304 curveto
-237.78677 246.3689 237.70376 246.18172 237.53775 246.05151 curveto
-237.37499 245.92131 237.01529 245.79598 236.45865 245.67554 curveto
-236.14615 245.60229 lineto
-235.58951 245.48511 235.18749 245.30607 234.94009 245.06519 curveto
-234.6927 244.82105 234.569 244.48739 234.569 244.06421 curveto
-234.569 243.54989 234.75129 243.15276 235.11588 242.8728 curveto
-235.48046 242.59286 235.99803 242.45289 236.66861 242.45288 curveto
-237.00064 242.45289 237.31314 242.4773 237.60611 242.52612 curveto
-237.89907 242.57496 238.16926 242.6482 238.41666 242.74585 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-244.69107 244.75269 moveto
-244.69107 248.05347 lineto
-243.79263 248.05347 lineto
-243.79263 244.78198 lineto
-243.79263 244.26441 243.69172 243.87704 243.4899 243.61987 curveto
-243.28807 243.36272 242.98534 243.23414 242.5817 243.23413 curveto
-242.09667 243.23414 241.71418 243.38876 241.43423 243.698 curveto
-241.15428 244.00725 241.01431 244.4288 241.01431 244.96265 curveto
-241.01431 248.05347 lineto
-240.11099 248.05347 lineto
-240.11099 240.45581 lineto
-241.01431 240.45581 lineto
-241.01431 243.43433 lineto
-241.22915 243.10556 241.48143 242.85979 241.77115 242.69702 curveto
-242.06411 242.53427 242.40103 242.45289 242.78189 242.45288 curveto
-243.41014 242.45289 243.8854 242.6482 244.20767 243.03882 curveto
-244.52993 243.42619 244.69107 243.99748 244.69107 244.75269 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-248.61197 243.2146 moveto
-248.1302 243.2146 247.74934 243.40341 247.46939 243.78101 curveto
-247.18944 244.15536 247.04947 244.66968 247.04947 245.32397 curveto
-247.04947 245.97827 247.18781 246.49422 247.46451 246.87183 curveto
-247.74445 247.24618 248.12694 247.43335 248.61197 247.43335 curveto
-249.09048 247.43335 249.46971 247.24455 249.74966 246.86694 curveto
-250.02961 246.48934 250.16958 245.97502 250.16959 245.32397 curveto
-250.16958 244.67619 250.02961 244.1635 249.74966 243.78589 curveto
-249.46971 243.40503 249.09048 243.2146 248.61197 243.2146 curveto
-248.61197 242.45288 moveto
-249.39322 242.45289 250.00682 242.70679 250.45279 243.2146 curveto
-250.89875 243.72242 251.12173 244.42554 251.12173 245.32397 curveto
-251.12173 246.21916 250.89875 246.92228 250.45279 247.43335 curveto
-250.00682 247.94116 249.39322 248.19507 248.61197 248.19507 curveto
-247.82746 248.19507 247.21223 247.94116 246.76627 247.43335 curveto
-246.32356 246.92228 246.1022 246.21916 246.1022 245.32397 curveto
-246.1022 244.42554 246.32356 243.72242 246.76627 243.2146 curveto
-247.21223 242.70679 247.82746 242.45289 248.61197 242.45288 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-252.08365 242.58472 moveto
-252.98209 242.58472 lineto
-254.10513 246.85229 lineto
-255.2233 242.58472 lineto
-256.28287 242.58472 lineto
-257.40591 246.85229 lineto
-258.52408 242.58472 lineto
-259.42252 242.58472 lineto
-257.99185 248.05347 lineto
-256.93228 248.05347 lineto
-255.75552 243.57104 lineto
-254.57388 248.05347 lineto
-253.51431 248.05347 lineto
-252.08365 242.58472 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-311.38464 185.46135 moveto
-311.38464 188.76213 lineto
-310.48621 188.76213 lineto
-310.48621 185.49065 lineto
-310.4862 184.97307 310.38529 184.5857 310.18347 184.32854 curveto
-309.98164 184.07138 309.67891 183.9428 309.27527 183.94279 curveto
-308.79024 183.9428 308.40775 184.09742 308.12781 184.40666 curveto
-307.84786 184.71591 307.70788 185.13746 307.70789 185.67131 curveto
-307.70789 188.76213 lineto
-306.80457 188.76213 lineto
-306.80457 181.16447 lineto
-307.70789 181.16447 lineto
-307.70789 184.14299 lineto
-307.92273 183.81422 308.17501 183.56845 308.46472 183.40569 curveto
-308.75769 183.24293 309.0946 183.16155 309.47546 183.16154 curveto
-310.10371 183.16155 310.57897 183.35686 310.90125 183.74748 curveto
-311.22351 184.13486 311.38464 184.70615 311.38464 185.46135 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-315.67175 186.01311 moveto
-314.94584 186.01311 314.44291 186.09612 314.16296 186.26213 curveto
-313.88301 186.42815 313.74304 186.71135 313.74304 187.11174 curveto
-313.74304 187.43075 313.84721 187.68466 314.05554 187.87346 curveto
-314.26713 188.05901 314.55359 188.15178 314.91492 188.15178 curveto
-315.41296 188.15178 315.81172 187.976 316.11121 187.62444 curveto
-316.41394 187.26962 316.5653 186.79924 316.56531 186.2133 curveto
-316.56531 186.01311 lineto
-315.67175 186.01311 lineto
-317.46375 185.64201 moveto
-317.46375 188.76213 lineto
-316.56531 188.76213 lineto
-316.56531 187.93205 lineto
-316.36023 188.26408 316.10469 188.50985 315.79871 188.66936 curveto
-315.49271 188.82561 315.11836 188.90373 314.67566 188.90373 curveto
-314.11576 188.90373 313.6698 188.74748 313.33777 188.43498 curveto
-313.00899 188.11923 312.8446 187.69768 312.8446 187.17033 curveto
-312.8446 186.5551 313.04968 186.09123 313.45984 185.77873 curveto
-313.87325 185.46624 314.48848 185.30999 315.30554 185.30998 curveto
-316.56531 185.30998 lineto
-316.56531 185.22209 lineto
-316.5653 184.80868 316.42858 184.48967 316.15515 184.26506 curveto
-315.88497 184.0372 315.50411 183.92327 315.01257 183.92326 curveto
-314.70007 183.92327 314.39571 183.9607 314.09949 184.03557 curveto
-313.80326 184.11044 313.51843 184.22275 313.245 184.37248 curveto
-313.245 183.5424 lineto
-313.57377 183.41546 313.89278 183.32106 314.20203 183.2592 curveto
-314.51127 183.1941 314.81238 183.16155 315.10535 183.16154 curveto
-315.89636 183.16155 316.48718 183.36663 316.87781 183.77678 curveto
-317.26843 184.18694 317.46374 184.80868 317.46375 185.64201 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-318.67468 183.29338 moveto
-319.62683 183.29338 lineto
-321.33582 187.88322 lineto
-323.0448 183.29338 lineto
-323.99695 183.29338 lineto
-321.94617 188.76213 lineto
-320.72546 188.76213 lineto
-318.67468 183.29338 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-329.91492 185.80315 moveto
-329.91492 186.2426 lineto
-325.78406 186.2426 lineto
-325.82312 186.86109 326.00867 187.3331 326.3407 187.65862 curveto
-326.67598 187.98088 327.14148 188.14201 327.73718 188.14201 curveto
-328.08223 188.14201 328.41589 188.0997 328.73816 188.01506 curveto
-329.06368 187.93043 329.38594 187.80347 329.70496 187.6342 curveto
-329.70496 188.48381 lineto
-329.38269 188.62053 329.05228 188.7247 328.71375 188.79631 curveto
-328.3752 188.86792 328.03178 188.90373 327.68347 188.90373 curveto
-326.81107 188.90373 326.11934 188.64983 325.60828 188.14201 curveto
-325.10046 187.6342 324.84656 186.94735 324.84656 186.08147 curveto
-324.84656 185.18629 325.08744 184.47665 325.56921 183.95256 curveto
-326.05424 183.42522 326.70691 183.16155 327.52722 183.16154 curveto
-328.26289 183.16155 328.84395 183.39918 329.27039 183.87444 curveto
-329.70007 184.34645 329.91491 184.98935 329.91492 185.80315 curveto
-329.01648 185.53947 moveto
-329.00996 185.04794 328.87162 184.65569 328.60144 184.36272 curveto
-328.33451 184.06975 327.97969 183.92327 327.53699 183.92326 curveto
-327.03568 183.92327 326.63366 184.06487 326.33093 184.34807 curveto
-326.03145 184.63128 325.85893 185.03004 325.81335 185.54436 curveto
-329.01648 185.53947 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-310.32507 198.45451 moveto
-310.32507 199.30412 lineto
-310.07116 199.17392 309.80749 199.07626 309.53406 199.01115 curveto
-309.26062 198.94605 308.97741 198.9135 308.68445 198.9135 curveto
-308.23848 198.9135 307.9032 198.98186 307.67859 199.11858 curveto
-307.45723 199.2553 307.34656 199.46038 307.34656 199.73381 curveto
-307.34656 199.94215 307.42631 200.10654 307.58582 200.22697 curveto
-307.74532 200.34417 308.06596 200.45647 308.54773 200.56389 curveto
-308.85535 200.63225 lineto
-309.49336 200.76897 309.94584 200.96265 310.21277 201.2133 curveto
-310.48295 201.4607 310.61804 201.80738 310.61804 202.25334 curveto
-310.61804 202.76116 310.41621 203.16317 310.01257 203.4594 curveto
-309.61218 203.75562 309.06042 203.90373 308.3573 203.90373 curveto
-308.06433 203.90373 307.75834 203.87444 307.43933 203.81584 curveto
-307.12357 203.7605 306.78992 203.67587 306.43835 203.56194 curveto
-306.43835 202.6342 lineto
-306.77038 202.80673 307.09753 202.93694 307.4198 203.02483 curveto
-307.74206 203.10946 308.06107 203.15178 308.37683 203.15178 curveto
-308.80001 203.15178 309.12553 203.08017 309.35339 202.93694 curveto
-309.58125 202.79045 309.69519 202.58537 309.69519 202.3217 curveto
-309.69519 202.07756 309.61218 201.89039 309.44617 201.76018 curveto
-309.2834 201.62997 308.9237 201.50465 308.36707 201.3842 curveto
-308.05457 201.31096 lineto
-307.49792 201.19377 307.09591 201.01474 306.84851 200.77385 curveto
-306.60111 200.52971 306.47742 200.19605 306.47742 199.77287 curveto
-306.47742 199.25855 306.65971 198.86142 307.02429 198.58147 curveto
-307.38887 198.30152 307.90645 198.16155 308.57703 198.16154 curveto
-308.90905 198.16155 309.22155 198.18596 309.51453 198.23479 curveto
-309.80749 198.28362 310.07767 198.35686 310.32507 198.45451 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-316.59949 200.46135 moveto
-316.59949 203.76213 lineto
-315.70105 203.76213 lineto
-315.70105 200.49065 lineto
-315.70105 199.97307 315.60013 199.5857 315.39832 199.32854 curveto
-315.19649 199.07138 314.89375 198.9428 314.49011 198.94279 curveto
-314.00508 198.9428 313.6226 199.09742 313.34265 199.40666 curveto
-313.0627 199.71591 312.92273 200.13746 312.92273 200.67131 curveto
-312.92273 203.76213 lineto
-312.01941 203.76213 lineto
-312.01941 196.16447 lineto
-312.92273 196.16447 lineto
-312.92273 199.14299 lineto
-313.13757 198.81422 313.38985 198.56845 313.67957 198.40569 curveto
-313.97253 198.24293 314.30945 198.16155 314.69031 198.16154 curveto
-315.31856 198.16155 315.79382 198.35686 316.11609 198.74748 curveto
-316.43835 199.13486 316.59948 199.70615 316.59949 200.46135 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-320.52039 198.92326 moveto
-320.03861 198.92327 319.65775 199.11207 319.37781 199.48967 curveto
-319.09786 199.86402 318.95788 200.37835 318.95789 201.03264 curveto
-318.95788 201.68694 319.09623 202.20289 319.37292 202.58049 curveto
-319.65287 202.95484 320.03536 203.14201 320.52039 203.14201 curveto
-320.9989 203.14201 321.37813 202.95321 321.65808 202.57561 curveto
-321.93802 202.198 322.078 201.68368 322.078 201.03264 curveto
-322.078 200.38486 321.93802 199.87216 321.65808 199.49455 curveto
-321.37813 199.1137 320.9989 198.92327 320.52039 198.92326 curveto
-320.52039 198.16154 moveto
-321.30163 198.16155 321.91524 198.41546 322.36121 198.92326 curveto
-322.80716 199.43108 323.03015 200.1342 323.03015 201.03264 curveto
-323.03015 201.92782 322.80716 202.63095 322.36121 203.14201 curveto
-321.91524 203.64983 321.30163 203.90373 320.52039 203.90373 curveto
-319.73588 203.90373 319.12064 203.64983 318.67468 203.14201 curveto
-318.23197 202.63095 318.01062 201.92782 318.01062 201.03264 curveto
-318.01062 200.1342 318.23197 199.43108 318.67468 198.92326 curveto
-319.12064 198.41546 319.73588 198.16155 320.52039 198.16154 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-323.99207 198.29338 moveto
-324.8905 198.29338 lineto
-326.01355 202.56096 lineto
-327.13171 198.29338 lineto
-328.19128 198.29338 lineto
-329.31433 202.56096 lineto
-330.4325 198.29338 lineto
-331.33093 198.29338 lineto
-329.90027 203.76213 lineto
-328.8407 203.76213 lineto
-327.66394 199.27971 lineto
-326.4823 203.76213 lineto
-325.42273 203.76213 lineto
-323.99207 198.29338 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-305.63477 140.25864 moveto
-305.63477 143.15903 lineto
-304.73145 143.15903 lineto
-304.73145 135.6102 lineto
-305.63477 135.6102 lineto
-305.63477 136.44028 lineto
-305.82357 136.11476 306.0612 135.87388 306.34766 135.71762 curveto
-306.63737 135.55812 306.98242 135.47837 307.38281 135.47836 curveto
-308.04687 135.47837 308.58561 135.74204 308.99902 136.26938 curveto
-309.41568 136.79673 309.62402 137.49009 309.62402 138.34946 curveto
-309.62402 139.20883 309.41568 139.90219 308.99902 140.42953 curveto
-308.58561 140.95688 308.04687 141.22055 307.38281 141.22055 curveto
-306.98242 141.22055 306.63737 141.14243 306.34766 140.98618 curveto
-306.0612 140.82667 305.82357 140.58416 305.63477 140.25864 curveto
-308.69141 138.34946 moveto
-308.6914 137.68865 308.55468 137.17108 308.28125 136.79672 curveto
-308.01106 136.41912 307.63834 136.23032 307.16309 136.23032 curveto
-306.68782 136.23032 306.31347 136.41912 306.04004 136.79672 curveto
-305.76985 137.17108 305.63476 137.68865 305.63477 138.34946 curveto
-305.63476 139.01027 305.76985 139.52947 306.04004 139.90707 curveto
-306.31347 140.28142 306.68782 140.4686 307.16309 140.4686 curveto
-307.63834 140.4686 308.01106 140.28142 308.28125 139.90707 curveto
-308.55468 139.52947 308.6914 139.01027 308.69141 138.34946 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-314.28223 136.45004 moveto
-314.18131 136.39145 314.07063 136.34914 313.9502 136.32309 curveto
-313.833 136.2938 313.7028 136.27915 313.55957 136.27914 curveto
-313.05175 136.27915 312.66113 136.44516 312.3877 136.77719 curveto
-312.11751 137.10597 311.98242 137.5796 311.98242 138.19809 curveto
-311.98242 141.07895 lineto
-311.0791 141.07895 lineto
-311.0791 135.6102 lineto
-311.98242 135.6102 lineto
-311.98242 136.45981 lineto
-312.17122 136.12778 312.41699 135.88201 312.71973 135.7225 curveto
-313.02246 135.55975 313.3903 135.47837 313.82324 135.47836 curveto
-313.88509 135.47837 313.95345 135.48325 314.02832 135.49301 curveto
-314.10319 135.49953 314.18619 135.51092 314.27734 135.52719 curveto
-314.28223 136.45004 lineto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-317.13867 136.24008 moveto
-316.6569 136.24009 316.27604 136.42889 315.99609 136.80649 curveto
-315.71614 137.18084 315.57617 137.69516 315.57617 138.34946 curveto
-315.57617 139.00376 315.71452 139.51971 315.99121 139.89731 curveto
-316.27116 140.27166 316.65364 140.45883 317.13867 140.45883 curveto
-317.61718 140.45883 317.99642 140.27003 318.27637 139.89243 curveto
-318.55631 139.51482 318.69628 139.0005 318.69629 138.34946 curveto
-318.69628 137.70167 318.55631 137.18898 318.27637 136.81137 curveto
-317.99642 136.43052 317.61718 136.24009 317.13867 136.24008 curveto
-317.13867 135.47836 moveto
-317.91992 135.47837 318.53352 135.73227 318.97949 136.24008 curveto
-319.42545 136.7479 319.64843 137.45102 319.64844 138.34946 curveto
-319.64843 139.24464 319.42545 139.94777 318.97949 140.45883 curveto
-318.53352 140.96664 317.91992 141.22055 317.13867 141.22055 curveto
-316.35416 141.22055 315.73893 140.96664 315.29297 140.45883 curveto
-314.85026 139.94777 314.62891 139.24464 314.62891 138.34946 curveto
-314.62891 137.45102 314.85026 136.7479 315.29297 136.24008 curveto
-315.73893 135.73227 316.35416 135.47837 317.13867 135.47836 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-323.25195 136.24008 moveto
-322.77018 136.24009 322.38932 136.42889 322.10938 136.80649 curveto
-321.82943 137.18084 321.68945 137.69516 321.68945 138.34946 curveto
-321.68945 139.00376 321.8278 139.51971 322.10449 139.89731 curveto
-322.38444 140.27166 322.76692 140.45883 323.25195 140.45883 curveto
-323.73047 140.45883 324.1097 140.27003 324.38965 139.89243 curveto
-324.66959 139.51482 324.80957 139.0005 324.80957 138.34946 curveto
-324.80957 137.70167 324.66959 137.18898 324.38965 136.81137 curveto
-324.1097 136.43052 323.73047 136.24009 323.25195 136.24008 curveto
-323.25195 135.47836 moveto
-324.0332 135.47837 324.64681 135.73227 325.09277 136.24008 curveto
-325.53873 136.7479 325.76171 137.45102 325.76172 138.34946 curveto
-325.76171 139.24464 325.53873 139.94777 325.09277 140.45883 curveto
-324.64681 140.96664 324.0332 141.22055 323.25195 141.22055 curveto
-322.46745 141.22055 321.85221 140.96664 321.40625 140.45883 curveto
-320.96354 139.94777 320.74219 139.24464 320.74219 138.34946 curveto
-320.74219 137.45102 320.96354 136.7479 321.40625 136.24008 curveto
-321.85221 135.73227 322.46745 135.47837 323.25195 135.47836 curveto
-fill
-grestore
-gsave
-0 0 0 setrgbcolor
-newpath
-330.01465 133.48129 moveto
-330.01465 134.22836 lineto
-329.15527 134.22836 lineto
-328.83301 134.22837 328.6084 134.29347 328.48145 134.42368 curveto
-328.35775 134.55389 328.2959 134.78827 328.2959 135.1268 curveto
-328.2959 135.6102 lineto
-329.77539 135.6102 lineto
-329.77539 136.30844 lineto
-328.2959 136.30844 lineto
-328.2959 141.07895 lineto
-327.39258 141.07895 lineto
-327.39258 136.30844 lineto
-326.5332 136.30844 lineto
-326.5332 135.6102 lineto
-327.39258 135.6102 lineto
-327.39258 135.22934 lineto
-327.39258 134.62062 327.53418 134.17791 327.81738 133.90121 curveto
-328.10058 133.62127 328.5498 133.4813 329.16504 133.48129 curveto
-330.01465 133.48129 lineto
-fill
-grestore
-grestore
-grestore
-showpage
-%%EOF
Binary file doc-src/IsarRef/document/isar-vm.pdf has changed
--- a/doc-src/IsarRef/document/isar-vm.svg Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,460 +0,0 @@
-<?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!-- Created with Inkscape (http://www.inkscape.org/) -->
-<svg
- xmlns:dc="http://purl.org/dc/elements/1.1/"
- xmlns:cc="http://creativecommons.org/ns#"
- xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:svg="http://www.w3.org/2000/svg"
- xmlns="http://www.w3.org/2000/svg"
- xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
- xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
- width="543.02673"
- height="215.66071"
- id="svg2"
- sodipodi:version="0.32"
- inkscape:version="0.46"
- version="1.0"
- sodipodi:docname="isar-vm.svg"
- inkscape:output_extension="org.inkscape.output.svg.inkscape">
- <defs
- id="defs4">
- <marker
- inkscape:stockid="TriangleOutM"
- orient="auto"
- refY="0"
- refX="0"
- id="TriangleOutM"
- style="overflow:visible">
- <path
- id="path4130"
- d="M 5.77,0 L -2.88,5 L -2.88,-5 L 5.77,0 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
- transform="scale(0.4,0.4)" />
- </marker>
- <marker
- inkscape:stockid="Arrow1Mend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow1Mend"
- style="overflow:visible">
- <path
- id="path3993"
- d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
- transform="matrix(-0.4,0,0,-0.4,-4,0)" />
- </marker>
- <marker
- inkscape:stockid="Arrow1Lend"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow1Lend"
- style="overflow:visible">
- <path
- id="path3207"
- d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
- transform="matrix(-0.8,0,0,-0.8,-10,0)" />
- </marker>
- <marker
- inkscape:stockid="Arrow1Lstart"
- orient="auto"
- refY="0"
- refX="0"
- id="Arrow1Lstart"
- style="overflow:visible">
- <path
- id="path3204"
- d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
- style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
- transform="matrix(0.8,0,0,0.8,10,0)" />
- </marker>
- <inkscape:perspective
- sodipodi:type="inkscape:persp3d"
- inkscape:vp_x="0 : 526.18109 : 1"
- inkscape:vp_y="0 : 1000 : 0"
- inkscape:vp_z="744.09448 : 526.18109 : 1"
- inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
- id="perspective10" />
- </defs>
- <sodipodi:namedview
- id="base"
- pagecolor="#ffffff"
- bordercolor="#666666"
- borderopacity="1.0"
- gridtolerance="10"
- guidetolerance="10"
- objecttolerance="10"
- inkscape:pageopacity="0.0"
- inkscape:pageshadow="2"
- inkscape:zoom="1.4142136"
- inkscape:cx="305.44602"
- inkscape:cy="38.897723"
- inkscape:document-units="mm"
- inkscape:current-layer="layer1"
- showgrid="true"
- inkscape:snap-global="true"
- units="mm"
- inkscape:window-width="1226"
- inkscape:window-height="951"
- inkscape:window-x="28"
- inkscape:window-y="47">
- <inkscape:grid
- type="xygrid"
- id="grid2383"
- visible="true"
- enabled="true"
- units="mm"
- spacingx="2.5mm"
- spacingy="2.5mm"
- empspacing="2" />
- </sodipodi:namedview>
- <metadata
- id="metadata7">
- <rdf:RDF>
- <cc:Work
- rdf:about="">
- <dc:format>image/svg+xml</dc:format>
- <dc:type
- rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
- </cc:Work>
- </rdf:RDF>
- </metadata>
- <g
- inkscape:label="Layer 1"
- inkscape:groupmode="layer"
- id="layer1"
- transform="translate(-44.641342,-76.87234)">
- <g
- id="g3448"
- transform="translate(70.838012,79.725562)">
- <rect
- ry="17.67767"
- y="131.52507"
- x="212.09882"
- height="53.149605"
- width="70.866142"
- id="rect3407"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
- <text
- sodipodi:linespacing="100%"
- id="text3409"
- y="164.06471"
- x="223.50845"
- style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- xml:space="preserve"><tspan
- style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
- y="164.06471"
- x="223.50845"
- id="tspan3411"
- sodipodi:role="line">chain</tspan></text>
- </g>
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99921262;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
- d="M 424.72469,236.82544 L 356.83209,236.82544 L 356.83209,236.82544"
- id="path3458" />
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99921268;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
- d="M 282.35183,236.82544 L 215.11403,236.82544 L 215.11403,236.82544"
- id="path4771" />
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99999994px;stroke-linecap:butt;stroke-linejoin:miter;marker-start:none;marker-mid:none;marker-end:url(#TriangleOutM);stroke-opacity:1"
- d="M 424.69726,192.5341 L 215.13005,192.5341"
- id="path4773" />
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
- d="M 211.98429,148.24276 L 422.13162,148.24276"
- id="path6883" />
- <g
- id="g3443"
- transform="translate(70.866146,78.725567)">
- <rect
- ry="17.67767"
- y="42.942394"
- x="70.366531"
- height="141.73228"
- width="70.866142"
- id="rect2586"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
- <text
- sodipodi:linespacing="100%"
- id="text3370"
- y="116.62494"
- x="79.682419"
- style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- xml:space="preserve"><tspan
- style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
- y="116.62494"
- x="79.682419"
- id="tspan3372"
- sodipodi:role="line">prove</tspan></text>
- </g>
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
- d="M 176.66575,92.035445 L 176.66575,118.61025"
- id="path7412" />
- <path
- sodipodi:type="arc"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
- id="path9011"
- sodipodi:cx="119.58662"
- sodipodi:cy="266.74686"
- sodipodi:rx="93.01181"
- sodipodi:ry="53.149605"
- d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
- transform="matrix(0.2378166,0,0,-0.2269133,90.621413,253.06251)"
- sodipodi:start="0.29223018"
- sodipodi:end="5.9921036"
- sodipodi:open="true" />
- <g
- id="g3453"
- transform="translate(70.866151,78.725565)">
- <rect
- ry="17.67767"
- y="42.942394"
- x="353.83112"
- height="141.73228"
- width="70.866142"
- id="rect3381"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
- <text
- sodipodi:linespacing="100%"
- id="text3383"
- y="119.31244"
- x="365.98294"
- style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- xml:space="preserve"><tspan
- style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
- y="119.31244"
- x="365.98294"
- sodipodi:role="line"
- id="tspan3387">state</tspan></text>
- </g>
- <path
- style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
- d="M 460.13031,263.40024 L 460.13031,289.97505"
- id="path7941" />
- <path
- sodipodi:type="arc"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
- id="path10594"
- sodipodi:cx="119.58662"
- sodipodi:cy="266.74686"
- sodipodi:rx="93.01181"
- sodipodi:ry="53.149605"
- d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
- transform="matrix(-0.2378166,0,0,0.2269133,546.17466,132.00569)"
- sodipodi:start="0.29223018"
- sodipodi:end="5.9921036"
- sodipodi:open="true" />
- <path
- sodipodi:type="arc"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:bevel;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
- id="path12210"
- sodipodi:cx="119.58662"
- sodipodi:cy="266.74686"
- sodipodi:rx="93.01181"
- sodipodi:ry="53.149605"
- d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
- transform="matrix(-0.2378166,0,0,0.2269133,546.17465,87.714359)"
- sodipodi:start="0.29223018"
- sodipodi:end="5.9921036"
- sodipodi:open="true" />
- <path
- sodipodi:type="arc"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-start:none;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
- id="path12212"
- sodipodi:cx="119.58662"
- sodipodi:cy="266.74686"
- sodipodi:rx="93.01181"
- sodipodi:ry="53.149605"
- d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
- transform="matrix(-0.2378166,0,0,0.2269133,546.17465,176.29703)"
- sodipodi:start="0.29223018"
- sodipodi:end="5.9921036"
- sodipodi:open="true" />
- <path
- sodipodi:type="arc"
- style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
- id="path12214"
- sodipodi:cx="119.58662"
- sodipodi:cy="266.74686"
- sodipodi:rx="93.01181"
- sodipodi:ry="53.149605"
- d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
- transform="matrix(0,0.2378166,0.2269133,0,399.60191,71.056696)"
- sodipodi:start="0.29223018"
- sodipodi:end="5.9921036"
- sodipodi:open="true" />
- <text
- xml:space="preserve"
- style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="173.49998"
- y="97.094513"
- id="text19307"
- sodipodi:linespacing="100%"
- transform="translate(17.216929,6.5104864)"><tspan
- sodipodi:role="line"
- id="tspan19309"
- x="173.49998"
- y="97.094513" /></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="185.52402"
- y="110.07987"
- id="text19311"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19313"
- x="185.52402"
- y="110.07987">theorem</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="389.99997"
- y="11.594519"
- id="text19315"
- sodipodi:linespacing="100%"
- transform="translate(17.216929,6.5104864)"><tspan
- sodipodi:role="line"
- id="tspan19317"
- x="389.99997"
- y="11.594519" /></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="468.98859"
- y="280.47543"
- id="text19319"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19321"
- x="468.98859"
- y="280.47543">qed</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="549.06946"
- y="239.58423"
- id="text19323"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19325"
- x="549.06946"
- y="239.58423">qed</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="549.39172"
- y="191.26213"
- id="text19327"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19329"
- x="549.39172"
- y="191.26213">fix</tspan><tspan
- sodipodi:role="line"
- x="549.39172"
- y="201.26213"
- id="tspan19331">assume</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="548.71301"
- y="146.97079"
- id="text19333"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19335"
- x="548.71301"
- y="146.97079">{ }</tspan><tspan
- sodipodi:role="line"
- x="548.71301"
- y="156.97079"
- id="tspan19337">next</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="477.84686"
- y="98.264297"
- id="text19339"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- x="477.84686"
- y="98.264297"
- id="tspan19343">note</tspan><tspan
- sodipodi:role="line"
- x="477.84686"
- y="108.2643"
- id="tspan19358">let</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="43.791733"
- y="190.29289"
- id="text19345"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19347"
- x="43.791733"
- y="190.29289">using</tspan><tspan
- sodipodi:role="line"
- x="43.791733"
- y="200.29289"
- id="tspan19349">unfolding</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="378.65891"
- y="230.52518"
- id="text19360"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19362"
- x="378.65891"
- y="230.52518">then</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:150%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="233.98795"
- y="233.05347"
- id="text19364"
- sodipodi:linespacing="150%"><tspan
- sodipodi:role="line"
- x="233.98795"
- y="233.05347"
- id="tspan19368">have</tspan><tspan
- sodipodi:role="line"
- x="233.98795"
- y="248.05347"
- id="tspan19370">show</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:150%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="305.89636"
- y="188.76213"
- id="text19374"
- sodipodi:linespacing="150%"><tspan
- sodipodi:role="line"
- x="305.89636"
- y="188.76213"
- id="tspan19376">have</tspan><tspan
- sodipodi:role="line"
- x="305.89636"
- y="203.76213"
- id="tspan19378">show</tspan></text>
- <text
- xml:space="preserve"
- style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
- x="303.82324"
- y="141.07895"
- id="text19380"
- sodipodi:linespacing="100%"><tspan
- sodipodi:role="line"
- id="tspan19382"
- x="303.82324"
- y="141.07895">proof</tspan></text>
- </g>
-</svg>
--- a/doc-src/IsarRef/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-\documentclass[12pt,a4paper,fleqn]{report}
-\usepackage{amssymb}
-\usepackage{eurosym}
-\usepackage[english]{babel}
-\usepackage[only,bigsqcap]{stmaryrd}
-\usepackage{textcomp}
-\usepackage{latexsym}
-\usepackage{graphicx}
-\let\intorig=\int %iman.sty redefines \int
-\usepackage{iman,extra,isar,proof}
-\usepackage[nohyphen,strings]{underscore}
-\usepackage{isabelle}
-\usepackage{isabellesym}
-\usepackage{railsetup}
-\usepackage{ttbox}
-\usepackage{supertabular}
-\usepackage{style}
-\usepackage{pdfsetup}
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-
-\isadroptag{theory}
-\title{\includegraphics[scale=0.5]{isabelle_isar} \\[4ex] The Isabelle/Isar Reference Manual}
-\author{\emph{Makarius Wenzel} \\[3ex]
- With Contributions by
- Clemens Ballarin,
- Stefan Berghofer, \\
- Jasmin Blanchette,
- Timothy Bourke,
- Lukas Bulwahn, \\
- Lucas Dixon,
- Florian Haftmann,
- Brian Huffman, \\
- Gerwin Klein,
- Alexander Krauss,
- Ond\v{r}ej Kun\v{c}ar, \\
- Tobias Nipkow,
- Lars Noschinski,
- David von Oheimb, \\
- Larry Paulson,
- Sebastian Skalberg
-}
-
-\makeindex
-
-\chardef\charbackquote=`\`
-\newcommand{\backquote}{\mbox{\tt\charbackquote}}
-
-
-\begin{document}
-
-\maketitle
-
-\pagenumbering{roman}
-{\def\isamarkupchapter#1{\chapter*{#1}}\input{Preface.tex}}
-\tableofcontents
-\clearfirst
-
-\part{Basic Concepts}
-\input{Synopsis.tex}
-\input{Framework.tex}
-\input{First_Order_Logic.tex}
-\part{General Language Elements}
-\input{Outer_Syntax.tex}
-\input{Document_Preparation.tex}
-\input{Spec.tex}
-\input{Proof.tex}
-\input{Inner_Syntax.tex}
-\input{Misc.tex}
-\input{Generic.tex}
-\part{Object-Logic}
-\input{HOL_Specific.tex}
-
-\part{Appendix}
-\appendix
-\input{Quick_Reference.tex}
-\let\int\intorig
-\input{Symbols.tex}
-\input{ML_Tactic.tex}
-
-\begingroup
- \tocentry{\bibname}
- \bibliographystyle{abbrv} \small\raggedright\frenchspacing
- \bibliography{manual}
-\endgroup
-
-\tocentry{\indexname}
-\printindex
-
-\end{document}
--- a/doc-src/IsarRef/document/showsymbols Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-#!/usr/bin/env perl
-
-print "\\begin{supertabular}{ll\@{\\qquad}ll}\n";
-
-$eol = "&";
-
-while (<ARGV>) {
- if (m/^\\newcommand\{\\isasym([A-Za-z]+)\}/) {
- print "\\verb,\\<$1>, & {\\isasym$1} $eol\n";
-# print "\\verb,\\<$1>, & \\isactrlbold{\\isasym$1}~{\\isasym$1} $eol\n";
-# print "\\verb,\\<$1>, & B\\isactrlsup{\\isasym$1} $eol\n";
-# print "\\verb,\\<$1>, & B\\isactrlsub{\\isasym$1} $eol\n";
- if ("$eol" eq "&") {
- $eol = "\\\\";
- } else {
- $eol = "&";
- }
- }
-}
-
-if ("$eol" eq "\\\\") {
- print "$eol\n";
-}
-
-print "\\end{supertabular}\n";
-
--- a/doc-src/IsarRef/document/style.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-%% toc
-\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
-\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-%% references
-\newcommand{\secref}[1]{\S\ref{#1}}
-\newcommand{\chref}[1]{chapter~\ref{#1}}
-\newcommand{\Chref}[1]{Chapter~\ref{#1}}
-\newcommand{\appref}[1]{appendix~\ref{#1}}
-\newcommand{\Appref}[1]{Appendix~\ref{#1}}
-\newcommand{\figref}[1]{figure~\ref{#1}}
-\newcommand{\Figref}[1]{Figure~\ref{#1}}
-
-%% Isar
-\newcommand{\isasymBBAR}{{\,\newdimen{\tmpheight}\settoheight\tmpheight{\isacharbar}\rule{1pt}{\tmpheight}\,}}
-\isafoldtag{noproof}\def\isafoldnoproof{~\isafold{proof}}
-\newcommand{\isadigitreset}{\def\isadigit##1{##1}}
-\renewcommand{\isacommand}[1]{\isakeyword{\isadigitreset#1}}
-
-%% ML
-\newenvironment{mldecls}{\par\noindent\begingroup\def\isanewline{\\}\begin{tabular}{ll}}{\end{tabular}\medskip\endgroup}
-
-\renewcommand{\isatagML}{\begingroup\isabellestyle{default}\isastyle\isadigitreset}
-\renewcommand{\endisatagML}{\endgroup}
-
-%% math
-\newcommand{\isasymstrut}{\isamath{\mathstrut}}
-\newcommand{\isasymvartheta}{\isamath{\,\theta}}
-\newcommand{\isactrlvec}[1]{\emph{$\overline{#1}$}}
-\renewcommand{\isadigit}[1]{\isamath{#1}}
-\newcommand{\text}[1]{\mbox{#1}}
-
-%% global style options
-\pagestyle{headings}
-\sloppy
-
-\parindent 0pt\parskip 0.5ex
-
-\isabellestyle{literal}
-
-\newcommand{\isasymdash}{\isatext{\mbox{-}}}
-
-\railtermfont{\isabellestyle{tt}}
-\railnontermfont{\isabellestyle{literal}}
-\railnamefont{\isabellestyle{literal}}
--- a/doc-src/LaTeXsugar/Sugar.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,461 +0,0 @@
-(*<*)
-theory Sugar
-imports "~~/src/HOL/Library/LaTeXsugar" "~~/src/HOL/Library/OptionalSugar"
-begin
-(*>*)
-
-section "Introduction"
-
-text{* This document is for those Isabelle users who have mastered
-the art of mixing \LaTeX\ text and Isabelle theories and never want to
-typeset a theorem by hand anymore because they have experienced the
-bliss of writing \verb!@!\verb!{thm[display]setsum_cartesian_product[no_vars]}!
-and seeing Isabelle typeset it for them:
-@{thm[display,eta_contract=false] setsum_cartesian_product[no_vars]}
-No typos, no omissions, no sweat.
-If you have not experienced that joy, read Chapter 4, \emph{Presenting
-Theories}, \cite{LNCS2283} first.
-
-If you have mastered the art of Isabelle's \emph{antiquotations},
-i.e.\ things like the above \verb!@!\verb!{thm...}!, beware: in your vanity
-you may be tempted to think that all readers of the stunning ps or pdf
-documents you can now produce at the drop of a hat will be struck with
-awe at the beauty unfolding in front of their eyes. Until one day you
-come across that very critical of readers known as the ``common referee''.
-He has the nasty habit of refusing to understand unfamiliar notation
-like Isabelle's infamous @{text"\<lbrakk> \<rbrakk> \<Longrightarrow>"} no matter how many times you
-explain it in your paper. Even worse, he thinks that using @{text"\<lbrakk>
-\<rbrakk>"} for anything other than denotational semantics is a cardinal sin
-that must be punished by instant rejection.
-
-
-This document shows you how to make Isabelle and \LaTeX\ cooperate to
-produce ordinary looking mathematics that hides the fact that it was
-typeset by a machine. You merely need to load the right files:
-\begin{itemize}
-\item Import theory \texttt{LaTeXsugar} in the header of your own
-theory. You may also want bits of \texttt{OptionalSugar}, which you can
-copy selectively into your own theory or import as a whole. Both
-theories live in \texttt{HOL/Library} and are found automatically.
-
-\item Should you need additional \LaTeX\ packages (the text will tell
-you so), you include them at the beginning of your \LaTeX\ document,
-typically in \texttt{root.tex}. For a start, you should
-\verb!\usepackage{amssymb}! --- otherwise typesetting
-@{prop[source]"\<not>(\<exists>x. P x)"} will fail because the AMS symbol
-@{text"\<nexists>"} is missing.
-\end{itemize}
-*}
-
-section{* HOL syntax*}
-
-subsection{* Logic *}
-
-text{*
- The formula @{prop[source]"\<not>(\<exists>x. P x)"} is typeset as @{prop"~(EX x. P x)"}.
-
-The predefined constructs @{text"if"}, @{text"let"} and
-@{text"case"} are set in sans serif font to distinguish them from
-other functions. This improves readability:
-\begin{itemize}
-\item @{term"if b then e\<^isub>1 else e\<^isub>2"} instead of @{text"if b then e\<^isub>1 else e\<^isub>2"}.
-\item @{term"let x = e\<^isub>1 in e\<^isub>2"} instead of @{text"let x = e\<^isub>1 in e\<^isub>2"}.
-\item @{term"case x of True \<Rightarrow> e\<^isub>1 | False \<Rightarrow> e\<^isub>2"} instead of\\
- @{text"case x of True \<Rightarrow> e\<^isub>1 | False \<Rightarrow> e\<^isub>2"}.
-\end{itemize}
-*}
-
-subsection{* Sets *}
-
-text{* Although set syntax in HOL is already close to
-standard, we provide a few further improvements:
-\begin{itemize}
-\item @{term"{x. P}"} instead of @{text"{x. P}"}.
-\item @{term"{}"} instead of @{text"{}"}, where
- @{term"{}"} is also input syntax.
-\item @{term"insert a (insert b (insert c M))"} instead of @{text"insert a (insert b (insert c M))"}.
-\end{itemize}
-*}
-
-subsection{* Lists *}
-
-text{* If lists are used heavily, the following notations increase readability:
-\begin{itemize}
-\item @{term"x # xs"} instead of @{text"x # xs"},
- where @{term"x # xs"} is also input syntax.
-If you prefer more space around the $\cdot$ you have to redefine
-\verb!\isasymcdot! in \LaTeX:
-\verb!\renewcommand{\isasymcdot}{\isamath{\,\cdot\,}}!
-
-\item @{term"length xs"} instead of @{text"length xs"}.
-\item @{term"nth xs n"} instead of @{text"nth xs n"},
- the $n$th element of @{text xs}.
-
-\item Human readers are good at converting automatically from lists to
-sets. Hence \texttt{OptionalSugar} contains syntax for suppressing the
-conversion function @{const set}: for example, @{prop[source]"x \<in> set xs"}
-becomes @{prop"x \<in> set xs"}.
-
-\item The @{text"@"} operation associates implicitly to the right,
-which leads to unpleasant line breaks if the term is too long for one
-line. To avoid this, \texttt{OptionalSugar} contains syntax to group
-@{text"@"}-terms to the left before printing, which leads to better
-line breaking behaviour:
-@{term[display]"term\<^isub>0 @ term\<^isub>1 @ term\<^isub>2 @ term\<^isub>3 @ term\<^isub>4 @ term\<^isub>5 @ term\<^isub>6 @ term\<^isub>7 @ term\<^isub>8 @ term\<^isub>9 @ term\<^isub>1\<^isub>0"}
-
-\end{itemize}
-*}
-
-subsection{* Numbers *}
-
-text{* Coercions between numeric types are alien to mathematicians who
-consider, for example, @{typ nat} as a subset of @{typ int}.
-\texttt{OptionalSugar} contains syntax for suppressing numeric coercions such
-as @{const int} @{text"::"} @{typ"nat \<Rightarrow> int"}. For example,
-@{term[source]"int 5"} is printed as @{term "int 5"}. Embeddings of types
-@{typ nat}, @{typ int}, @{typ real} are covered; non-injective coercions such
-as @{const nat} @{text"::"} @{typ"int \<Rightarrow> nat"} are not and should not be
-hidden. *}
-
-section "Printing theorems"
-
-subsection "Question marks"
-
-text{* If you print anything, especially theorems, containing
-schematic variables they are prefixed with a question mark:
-\verb!@!\verb!{thm conjI}! results in @{thm conjI}. Most of the time
-you would rather not see the question marks. There is an attribute
-\verb!no_vars! that you can attach to the theorem that turns its
-schematic into ordinary free variables: \verb!@!\verb!{thm conjI[no_vars]}!
-results in @{thm conjI[no_vars]}.
-
-This \verb!no_vars! business can become a bit tedious.
-If you would rather never see question marks, simply put
-\begin{quote}
-@{ML "Printer.show_question_marks_default := false"}\verb!;!
-\end{quote}
-at the beginning of your file \texttt{ROOT.ML}.
-The rest of this document is produced with this flag set to \texttt{false}.
-
-Hint: Setting @{ML Printer.show_question_marks_default} to \texttt{false} only
-suppresses question marks; variables that end in digits,
-e.g. @{text"x1"}, are still printed with a trailing @{text".0"},
-e.g. @{text"x1.0"}, their internal index. This can be avoided by
-turning the last digit into a subscript: write \verb!x\<^isub>1! and
-obtain the much nicer @{text"x\<^isub>1"}. *}
-
-(*<*)declare [[show_question_marks = false]](*>*)
-
-subsection {*Qualified names*}
-
-text{* If there are multiple declarations of the same name, Isabelle prints
-the qualified name, for example @{text "T.length"}, where @{text T} is the
-theory it is defined in, to distinguish it from the predefined @{const[source]
-"List.length"}. In case there is no danger of confusion, you can insist on
-short names (no qualifiers) by setting the \verb!names_short!
-configuration option in the context.
-*}
-
-subsection {*Variable names\label{sec:varnames}*}
-
-text{* It sometimes happens that you want to change the name of a
-variable in a theorem before printing it. This can easily be achieved
-with the help of Isabelle's instantiation attribute \texttt{where}:
-@{thm conjI[where P = \<phi> and Q = \<psi>]} is the result of
-\begin{quote}
-\verb!@!\verb!{thm conjI[where P = \<phi> and Q = \<psi>]}!
-\end{quote}
-To support the ``\_''-notation for irrelevant variables
-the constant \texttt{DUMMY} has been introduced:
-@{thm fst_conv[where b = DUMMY]} is produced by
-\begin{quote}
-\verb!@!\verb!{thm fst_conv[where b = DUMMY]}!
-\end{quote}
-Variables that are bound by quantifiers or lambdas cannot be renamed
-like this. Instead, the attribute \texttt{rename\_abs} does the
-job. It expects a list of names or underscores, similar to the
-\texttt{of} attribute:
-\begin{quote}
-\verb!@!\verb!{thm split_paired_All[rename_abs _ l r]}!
-\end{quote}
-produces @{thm split_paired_All[rename_abs _ l r]}.
-*}
-
-subsection "Inference rules"
-
-text{* To print theorems as inference rules you need to include Didier
-R\'emy's \texttt{mathpartir} package~\cite{mathpartir}
-for typesetting inference rules in your \LaTeX\ file.
-
-Writing \verb!@!\verb!{thm[mode=Rule] conjI}! produces
-@{thm[mode=Rule] conjI}, even in the middle of a sentence.
-If you prefer your inference rule on a separate line, maybe with a name,
-\begin{center}
-@{thm[mode=Rule] conjI} {\sc conjI}
-\end{center}
-is produced by
-\begin{quote}
-\verb!\begin{center}!\\
-\verb!@!\verb!{thm[mode=Rule] conjI} {\sc conjI}!\\
-\verb!\end{center}!
-\end{quote}
-It is not recommended to use the standard \texttt{display} option
-together with \texttt{Rule} because centering does not work and because
-the line breaking mechanisms of \texttt{display} and \texttt{mathpartir} can
-clash.
-
-Of course you can display multiple rules in this fashion:
-\begin{quote}
-\verb!\begin{center}!\\
-\verb!@!\verb!{thm[mode=Rule] conjI} {\sc conjI} \\[1ex]!\\
-\verb!@!\verb!{thm[mode=Rule] conjE} {\sc disjI$_1$} \qquad!\\
-\verb!@!\verb!{thm[mode=Rule] disjE} {\sc disjI$_2$}!\\
-\verb!\end{center}!
-\end{quote}
-yields
-\begin{center}\small
-@{thm[mode=Rule] conjI} {\sc conjI} \\[1ex]
-@{thm[mode=Rule] disjI1} {\sc disjI$_1$} \qquad
-@{thm[mode=Rule] disjI2} {\sc disjI$_2$}
-\end{center}
-
-The \texttt{mathpartir} package copes well if there are too many
-premises for one line:
-\begin{center}
-@{prop[mode=Rule] "\<lbrakk> A \<longrightarrow> B; B \<longrightarrow> C; C \<longrightarrow> D; D \<longrightarrow> E; E \<longrightarrow> F; F \<longrightarrow> G;
- G \<longrightarrow> H; H \<longrightarrow> I; I \<longrightarrow> J; J \<longrightarrow> K \<rbrakk> \<Longrightarrow> A \<longrightarrow> K"}
-\end{center}
-
-Limitations: 1. Premises and conclusion must each not be longer than
-the line. 2. Premises that are @{text"\<Longrightarrow>"}-implications are again
-displayed with a horizontal line, which looks at least unusual.
-
-
-In case you print theorems without premises no rule will be printed by the
-\texttt{Rule} print mode. However, you can use \texttt{Axiom} instead:
-\begin{quote}
-\verb!\begin{center}!\\
-\verb!@!\verb!{thm[mode=Axiom] refl} {\sc refl}! \\
-\verb!\end{center}!
-\end{quote}
-yields
-\begin{center}
-@{thm[mode=Axiom] refl} {\sc refl}
-\end{center}
-*}
-
-subsection "Displays and font sizes"
-
-text{* When displaying theorems with the \texttt{display} option, e.g.
-\verb!@!\verb!{thm[display] refl}! @{thm[display] refl} the theorem is
-set in small font. It uses the \LaTeX-macro \verb!\isastyle!,
-which is also the style that regular theory text is set in, e.g. *}
-
-lemma "t = t"
-(*<*)oops(*>*)
-
-text{* \noindent Otherwise \verb!\isastyleminor! is used,
-which does not modify the font size (assuming you stick to the default
-\verb!\isabellestyle{it}! in \texttt{root.tex}). If you prefer
-normal font size throughout your text, include
-\begin{quote}
-\verb!\renewcommand{\isastyle}{\isastyleminor}!
-\end{quote}
-in \texttt{root.tex}. On the other hand, if you like the small font,
-just put \verb!\isastyle! in front of the text in question,
-e.g.\ at the start of one of the center-environments above.
-
-The advantage of the display option is that you can display a whole
-list of theorems in one go. For example,
-\verb!@!\verb!{thm[display] append.simps}!
-generates @{thm[display] append.simps}
-*}
-
-subsection "If-then"
-
-text{* If you prefer a fake ``natural language'' style you can produce
-the body of
-\newtheorem{theorem}{Theorem}
-\begin{theorem}
-@{thm[mode=IfThen] le_trans}
-\end{theorem}
-by typing
-\begin{quote}
-\verb!@!\verb!{thm[mode=IfThen] le_trans}!
-\end{quote}
-
-In order to prevent odd line breaks, the premises are put into boxes.
-At times this is too drastic:
-\begin{theorem}
-@{prop[mode=IfThen] "longpremise \<Longrightarrow> longerpremise \<Longrightarrow> P(f(f(f(f(f(f(f(f(f(x)))))))))) \<Longrightarrow> longestpremise \<Longrightarrow> conclusion"}
-\end{theorem}
-In which case you should use \texttt{IfThenNoBox} instead of
-\texttt{IfThen}:
-\begin{theorem}
-@{prop[mode=IfThenNoBox] "longpremise \<Longrightarrow> longerpremise \<Longrightarrow> P(f(f(f(f(f(f(f(f(f(x)))))))))) \<Longrightarrow> longestpremise \<Longrightarrow> conclusion"}
-\end{theorem}
-*}
-
-subsection{* Doing it yourself\label{sec:yourself}*}
-
-text{* If for some reason you want or need to present theorems your
-own way, you can extract the premises and the conclusion explicitly
-and combine them as you like:
-\begin{itemize}
-\item \verb!@!\verb!{thm (prem 1)! $thm$\verb!}!
-prints premise 1 of $thm$.
-\item \verb!@!\verb!{thm (concl)! $thm$\verb!}!
-prints the conclusion of $thm$.
-\end{itemize}
-For example, ``from @{thm (prem 2) conjI} and
-@{thm (prem 1) conjI} we conclude @{thm (concl) conjI}''
-is produced by
-\begin{quote}
-\verb!from !\verb!@!\verb!{thm (prem 2) conjI}! \verb!and !\verb!@!\verb!{thm (prem 1) conjI}!\\
-\verb!we conclude !\verb!@!\verb!{thm (concl) conjI}!
-\end{quote}
-Thus you can rearrange or hide premises and typeset the theorem as you like.
-Styles like \verb!(prem 1)! are a general mechanism explained
-in \S\ref{sec:styles}.
-*}
-
-subsection "Patterns"
-
-text {*
-
- In \S\ref{sec:varnames} we shows how to create patterns containing
- ``@{term DUMMY}''.
- You can drive this game even further and extend the syntax of let
- bindings such that certain functions like @{term fst}, @{term hd},
- etc.\ are printed as patterns. \texttt{OptionalSugar} provides the
- following:
-
- \begin{center}
- \begin{tabular}{l@ {~~produced by~~}l}
- @{term "let x = fst p in t"} & \verb!@!\verb!{term "let x = fst p in t"}!\\
- @{term "let x = snd p in t"} & \verb!@!\verb!{term "let x = snd p in t"}!\\
- @{term "let x = hd xs in t"} & \verb!@!\verb!{term "let x = hd xs in t"}!\\
- @{term "let x = tl xs in t"} & \verb!@!\verb!{term "let x = tl xs in t"}!\\
- @{term "let x = the y in t"} & \verb!@!\verb!{term "let x = the y in t"}!\\
- \end{tabular}
- \end{center}
-*}
-
-section "Proofs"
-
-text {* Full proofs, even if written in beautiful Isar style, are
-likely to be too long and detailed to be included in conference
-papers, but some key lemmas might be of interest.
-It is usually easiest to put them in figures like the one in Fig.\
-\ref{fig:proof}. This was achieved with the \isakeyword{text\_raw} command:
-*}
-text_raw {*
- \begin{figure}
- \begin{center}\begin{minipage}{0.6\textwidth}
- \isastyleminor\isamarkuptrue
-*}
-lemma True
-proof -
- -- "pretty trivial"
- show True by force
-qed
-text_raw {*
- \end{minipage}\end{center}
- \caption{Example proof in a figure.}\label{fig:proof}
- \end{figure}
-*}
-text {*
-
-\begin{quote}
-\small
-\verb!text_raw {!\verb!*!\\
-\verb! \begin{figure}!\\
-\verb! \begin{center}\begin{minipage}{0.6\textwidth}!\\
-\verb! \isastyleminor\isamarkuptrue!\\
-\verb!*!\verb!}!\\
-\verb!lemma True!\\
-\verb!proof -!\\
-\verb! -- "pretty trivial"!\\
-\verb! show True by force!\\
-\verb!qed!\\
-\verb!text_raw {!\verb!*!\\
-\verb! \end{minipage}\end{center}!\\
-\verb! \caption{Example proof in a figure.}\label{fig:proof}!\\
-\verb! \end{figure}!\\
-\verb!*!\verb!}!
-\end{quote}
-
-Other theory text, e.g.\ definitions, can be put in figures, too.
-*}
-
-section {*Styles\label{sec:styles}*}
-
-text {*
- The \verb!thm! antiquotation works nicely for single theorems, but
- sets of equations as used in definitions are more difficult to
- typeset nicely: people tend to prefer aligned @{text "="} signs.
-
- To deal with such cases where it is desirable to dive into the structure
- of terms and theorems, Isabelle offers antiquotations featuring
- ``styles'':
-
- \begin{quote}
- \verb!@!\verb!{thm (style) thm}!\\
- \verb!@!\verb!{prop (style) thm}!\\
- \verb!@!\verb!{term (style) term}!\\
- \verb!@!\verb!{term_type (style) term}!\\
- \verb!@!\verb!{typeof (style) term}!\\
- \end{quote}
-
- A ``style'' is a transformation of a term. There are predefined
- styles, namely \verb!lhs! and \verb!rhs!, \verb!prem! with one argument, and \verb!concl!.
- For example,
- the output
- \begin{center}
- \begin{tabular}{l@ {~~@{text "="}~~}l}
- @{thm (lhs) append_Nil} & @{thm (rhs) append_Nil}\\
- @{thm (lhs) append_Cons} & @{thm (rhs) append_Cons}
- \end{tabular}
- \end{center}
- is produced by the following code:
- \begin{quote}
- \verb!\begin{center}!\\
- \verb!\begin{tabular}{l@ {~~!\verb!@!\verb!{text "="}~~}l}!\\
- \verb!@!\verb!{thm (lhs) append_Nil} & @!\verb!{thm (rhs) append_Nil}\\!\\
- \verb!@!\verb!{thm (lhs) append_Cons} & @!\verb!{thm (rhs) append_Cons}!\\
- \verb!\end{tabular}!\\
- \verb!\end{center}!
- \end{quote}
- Note the space between \verb!@! and \verb!{! in the tabular argument.
- It prevents Isabelle from interpreting \verb!@ {~~...~~}!
- as an antiquotation. The styles \verb!lhs! and \verb!rhs!
- extract the left hand side (or right hand side respectively) from the
- conclusion of propositions consisting of a binary operator
- (e.~g.~@{text "="}, @{text "\<equiv>"}, @{text "<"}).
-
- Likewise, \verb!concl! may be used as a style to show just the
- conclusion of a proposition. For example, take \verb!hd_Cons_tl!:
- \begin{center}
- @{thm hd_Cons_tl}
- \end{center}
- To print just the conclusion,
- \begin{center}
- @{thm (concl) hd_Cons_tl}
- \end{center}
- type
- \begin{quote}
- \verb!\begin{center}!\\
- \verb!@!\verb!{thm (concl) hd_Cons_tl}!\\
- \verb!\end{center}!
- \end{quote}
- Beware that any options must be placed \emph{before}
- the style, as in this example.
-
- Further use cases can be found in \S\ref{sec:yourself}.
- If you are not afraid of ML, you may also define your own styles.
- Have a look at module @{ML_struct Term_Style}.
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/LaTeXsugar/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/LaTeXsugar/document/mathpartir.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,388 +0,0 @@
-% Mathpartir --- Math Paragraph for Typesetting Inference Rules
-%
-% Copyright (C) 2001, 2002, 2003 Didier Rémy
-%
-% Author : Didier Remy
-% Version : 1.1.1
-% Bug Reports : to author
-% Web Site : http://pauillac.inria.fr/~remy/latex/
-%
-% WhizzyTeX is free software; you can redistribute it and/or modify
-% it under the terms of the GNU General Public License as published by
-% the Free Software Foundation; either version 2, or (at your option)
-% any later version.
-%
-% Mathpartir is distributed in the hope that it will be useful,
-% but WITHOUT ANY WARRANTY; without even the implied warranty of
-% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-% GNU General Public License for more details
-% (http://pauillac.inria.fr/~remy/license/GPL).
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% File mathpartir.sty (LaTeX macros)
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\NeedsTeXFormat{LaTeX2e}
-\ProvidesPackage{mathpartir}
- [2003/07/10 version 1.1.1 Math Paragraph for Typesetting Inference Rules]
-
-%%
-
-%% Identification
-%% Preliminary declarations
-
-\RequirePackage {keyval}
-
-%% Options
-%% More declarations
-
-%% PART I: Typesetting maths in paragraphe mode
-
-\newdimen \mpr@tmpdim
-
-% To ensure hevea \hva compatibility, \hva should expands to nothing
-% in mathpar or in inferrule
-\let \mpr@hva \empty
-
-%% normal paragraph parametters, should rather be taken dynamically
-\def \mpr@savepar {%
- \edef \MathparNormalpar
- {\noexpand \lineskiplimit \the\lineskiplimit
- \noexpand \lineskip \the\lineskip}%
- }
-
-\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
-\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
-\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
-\let \MathparLineskip \mpr@lineskip
-\def \mpr@paroptions {\MathparLineskip}
-\let \mpr@prebindings \relax
-
-\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
-
-\def \mpr@goodbreakand
- {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
-\def \mpr@and {\hskip \mpr@andskip}
-\def \mpr@andcr {\penalty 50\mpr@and}
-\def \mpr@cr {\penalty -10000\mpr@and}
-\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
-
-\def \mpr@bindings {%
- \let \and \mpr@andcr
- \let \par \mpr@andcr
- \let \\\mpr@cr
- \let \eqno \mpr@eqno
- \let \hva \mpr@hva
- }
-\let \MathparBindings \mpr@bindings
-
-% \@ifundefined {ignorespacesafterend}
-% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
-
-\newenvironment{mathpar}[1][]
- {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
- \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
- \noindent $\displaystyle\fi
- \MathparBindings}
- {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
-
-% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
-% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
-
-%%% HOV BOXES
-
-\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
- \vbox \bgroup \tabskip 0em \let \\ \cr
- \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
- \egroup}
-
-\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
- \box0\else \mathvbox {#1}\fi}
-
-
-%% Part II -- operations on lists
-
-\newtoks \mpr@lista
-\newtoks \mpr@listb
-
-\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
-
-\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
-
-\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
-\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
-
-\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
-\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
-
-\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
-\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
-
-\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
- \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
- \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
- \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
- \mpr@flatten \mpr@all \mpr@to \mpr@one
- \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
- \mpr@all \mpr@stripend
- \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
- \ifx 1\mpr@isempty
- \repeat
-}
-
-%% Part III -- Type inference rules
-
-\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
- \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
-
-\newif \if@premisse
-\newbox \mpr@hlist
-\newbox \mpr@vlist
-\newif \ifmpr@center \mpr@centertrue
-\def \mpr@htovlist {%
- \setbox \mpr@hlist
- \hbox {\strut
- \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
- \unhbox \mpr@hlist}%
- \setbox \mpr@vlist
- \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
- \else \unvbox \mpr@vlist \box \mpr@hlist
- \fi}%
-}
-% OLD version
-% \def \mpr@htovlist {%
-% \setbox \mpr@hlist
-% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
-% \setbox \mpr@vlist
-% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
-% \else \unvbox \mpr@vlist \box \mpr@hlist
-% \fi}%
-% }
-
-\def \mpr@sep{2em}
-\def \mpr@blank { }
-\def \mpr@hovbox #1#2{\hbox
- \bgroup
- \ifx #1T\@premissetrue
- \else \ifx #1B\@premissefalse
- \else
- \PackageError{mathpartir}
- {Premisse orientation should either be P or B}
- {Fatal error in Package}%
- \fi \fi
- \def \@test {#2}\ifx \@test \mpr@blank\else
- \setbox \mpr@hlist \hbox {}%
- \setbox \mpr@vlist \vbox {}%
- \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
- \let \@hvlist \empty \let \@rev \empty
- \mpr@tmpdim 0em
- \expandafter \mpr@makelist #2\mpr@to \mpr@flat
- \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
- \def \\##1{%
- \def \@test {##1}\ifx \@test \empty
- \mpr@htovlist
- \mpr@tmpdim 0em %%% last bug fix not extensively checked
- \else
- \setbox0 \hbox{$\displaystyle {##1}$}\relax
- \advance \mpr@tmpdim by \wd0
- %\mpr@tmpdim 1.02\mpr@tmpdim
- \ifnum \mpr@tmpdim < \hsize
- \ifnum \wd\mpr@hlist > 0
- \if@premisse
- \setbox \mpr@hlist
- \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
- \else
- \setbox \mpr@hlist
- \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
- \fi
- \else
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \else
- \ifnum \wd \mpr@hlist > 0
- \mpr@htovlist
- \mpr@tmpdim \wd0
- \fi
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \advance \mpr@tmpdim by \mpr@sep
- \fi
- }%
- \@rev
- \mpr@htovlist
- \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
- \fi
- \egroup
-}
-
-%%% INFERENCE RULES
-
-\@ifundefined{@@over}{%
- \let\@@over\over % fallback if amsmath is not loaded
- \let\@@overwithdelims\overwithdelims
- \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
- \let\@@above\above \let\@@abovewithdelims\abovewithdelims
- }{}
-
-
-\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
- $\displaystyle {#1\@@over #2}$}}
-\let \mpr@fraction \mpr@@fraction
-\def \mpr@@reduce #1#2{\hbox
- {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
-\def \mpr@@rewrite #1#2#3{\hbox
- {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
-\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
-
-\def \mpr@empty {}
-\def \mpr@inferrule
- {\bgroup
- \ifnum \linewidth<\hsize \hsize \linewidth\fi
- \mpr@rulelineskip
- \let \and \qquad
- \let \hva \mpr@hva
- \let \@rulename \mpr@empty
- \let \@rule@options \mpr@empty
- \mpr@inferrule@}
-\newcommand {\mpr@inferrule@}[3][]
- {\everymath={\displaystyle}%
- \def \@test {#2}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
- \else
- \def \@test {#3}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
- \else
- \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
- \fi \fi
- \def \@test {#1}\ifx \@test\empty \box0
- \else \vbox
-%%% Suggestion de Francois pour les etiquettes longues
-%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
- {\hbox {\RefTirName {#1}}\box0}\fi
- \egroup}
-
-\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
-
-% They are two forms
-% \inferrule [label]{[premisses}{conclusions}
-% or
-% \inferrule* [options]{[premisses}{conclusions}
-%
-% Premisses and conclusions are lists of elements separated by \\
-% Each \\ produces a break, attempting horizontal breaks if possible,
-% and vertical breaks if needed.
-%
-% An empty element obtained by \\\\ produces a vertical break in all cases.
-%
-% The former rule is aligned on the fraction bar.
-% The optional label appears on top of the rule
-% The second form to be used in a derivation tree is aligned on the last
-% line of its conclusion
-%
-% The second form can be parameterized, using the key=val interface. The
-% folloiwng keys are recognized:
-%
-% width set the width of the rule to val
-% narrower set the width of the rule to val\hsize
-% before execute val at the beginning/left
-% lab put a label [Val] on top of the rule
-% lskip add negative skip on the right
-% left put a left label [Val]
-% Left put a left label [Val], ignoring its width
-% right put a right label [Val]
-% Right put a right label [Val], ignoring its width
-% leftskip skip negative space on the left-hand side
-% rightskip skip negative space on the right-hand side
-% vdots lift the rule by val and fill vertical space with dots
-% after execute val at the end/right
-%
-% Note that most options must come in this order to avoid strange
-% typesetting (in particular leftskip must preceed left and Left and
-% rightskip must follow Right or right; vdots must come last
-% or be only followed by rightskip.
-%
-
-\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
-\define@key {mprset}{center}[]{\mpr@centertrue}
-\def \mprset #1{\setkeys{mprset}{#1}}
-
-\newbox \mpr@right
-\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
-\define@key {mpr}{center}[]{\mpr@centertrue}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{width}{\hsize #1}
-\define@key {mpr}{sep}{\def\mpr@sep{#1}}
-\define@key {mpr}{before}{#1}
-\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{narrower}{\hsize #1\hsize}
-\define@key {mpr}{leftskip}{\hskip -#1}
-\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
-\define@key {mpr}{rightskip}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
-\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
-\define@key {mpr}{right}
- {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{RIGHT}
- {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{Right}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
-\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
-\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
-
-\newdimen \rule@dimen
-\newcommand \mpr@inferstar@ [3][]{\setbox0
- \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
- \setbox \mpr@right \hbox{}%
- $\setkeys{mpr}{#1}%
- \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
- \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
- \box \mpr@right \mpr@vdots$}
- \setbox1 \hbox {\strut}
- \rule@dimen \dp0 \advance \rule@dimen by -\dp1
- \raise \rule@dimen \box0}
-
-\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
-\newcommand \mpr@err@skipargs[3][]{}
-\def \mpr@inferstar*{\ifmmode
- \let \@do \mpr@inferstar@
- \else
- \let \@do \mpr@err@skipargs
- \PackageError {mathpartir}
- {\string\inferrule* can only be used in math mode}{}%
- \fi \@do}
-
-
-%%% Exports
-
-% Envirnonment mathpar
-
-\let \inferrule \mpr@infer
-
-% make a short name \infer is not already defined
-\@ifundefined {infer}{\let \infer \mpr@infer}{}
-
-\def \tir@name #1{\hbox {\small \sc #1}}
-\let \TirName \tir@name
-\let \RefTirName \tir@name
-
-%%% Other Exports
-
-% \let \listcons \mpr@cons
-% \let \listsnoc \mpr@snoc
-% \let \listhead \mpr@head
-% \let \listmake \mpr@makelist
-
-
-
-
-\endinput
--- a/doc-src/LaTeXsugar/document/root.bib Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,12 +0,0 @@
-@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel},
-title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic",
-publisher=Springer,series=LNCS,volume=2283,year=2002,
-note={\url{http://www.in.tum.de/~nipkow/LNCS2283/}}}
-
-@misc{mathpartir,author={Didier R\'emy},title={mathpartir},
-note={\url{http://cristal.inria.fr/~remy/latex/}}}
-
-@misc{tar,author={Gerwin Klein and Norber Schirmer and Tobias Nipkow},
-title={{LaTeX} sugar theories and support files},
-note={\url{http://isabelle.in.tum.de/sugar.tar.gz}}}
-
--- a/doc-src/LaTeXsugar/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-\documentclass[11pt,a4paper]{article}
-\usepackage{isabelle,isabellesym}
-
-% further packages required for unusual symbols (see also isabellesym.sty)
-% use only when needed
-\usepackage{amssymb}
-
-\usepackage{mathpartir}
-
-% this should be the last package used
-\usepackage{pdfsetup}
-
-% urls in roman style, theory text in math-similar italics
-\urlstyle{rm}
-\isabellestyle{it}
-
-\hyphenation{Isa-belle}
-\begin{document}
-
-\title{\LaTeX\ Sugar for Isabelle Documents}
-\author{Florian Haftmann, Gerwin Klein, Tobias Nipkow, Norbert Schirmer}
-\maketitle
-
-\begin{abstract}
-This document shows how to typset mathematics in Isabelle-based
-documents in a style close to that in ordinary computer science papers.
-\end{abstract}
-
-%\tableofcontents
-
-% generated text of all theories
-\input{Sugar.tex}
-
-% optional bibliography
-\bibliographystyle{abbrv}
-\bibliography{root}
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/Locales/Examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,768 +0,0 @@
-theory Examples
-imports Main
-begin
-
-(*
-text {* The following presentation will use notation of
- Isabelle's meta logic, hence a few sentences to explain this.
- The logical
- primitives are universal quantification (@{text "\<And>"}), entailment
- (@{text "\<Longrightarrow>"}) and equality (@{text "\<equiv>"}). Variables (not bound
- variables) are sometimes preceded by a question mark. The logic is
- typed. Type variables are denoted by~@{text "'a"},~@{text "'b"}
- etc., and~@{text "\<Rightarrow>"} is the function type. Double brackets~@{text
- "\<lbrakk>"} and~@{text "\<rbrakk>"} are used to abbreviate nested entailment.
-*}
-*)
-
-section {* Introduction *}
-
-text {*
- Locales are based on contexts. A \emph{context} can be seen as a
- formula schema
-\[
- @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> \<dots>"}
-\]
- where the variables~@{text "x\<^sub>1"}, \ldots,~@{text "x\<^sub>n"} are called
- \emph{parameters} and the premises $@{text "A\<^sub>1"}, \ldots,~@{text
- "A\<^sub>m"}$ \emph{assumptions}. A formula~@{text "C"}
- is a \emph{theorem} in the context if it is a conclusion
-\[
- @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> C"}.
-\]
- Isabelle/Isar's notion of context goes beyond this logical view.
- Its contexts record, in a consecutive order, proved
- conclusions along with \emph{attributes}, which can provide context
- specific configuration information for proof procedures and concrete
- syntax. From a logical perspective, locales are just contexts that
- have been made persistent. To the user, though, they provide
- powerful means for declaring and combining contexts, and for the
- reuse of theorems proved in these contexts.
- *}
-
-section {* Simple Locales *}
-
-text {*
- In its simplest form, a
- \emph{locale declaration} consists of a sequence of context elements
- declaring parameters (keyword \isakeyword{fixes}) and assumptions
- (keyword \isakeyword{assumes}). The following is the specification of
- partial orders, as locale @{text partial_order}.
- *}
-
- locale partial_order =
- fixes le :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "\<sqsubseteq>" 50)
- assumes refl [intro, simp]: "x \<sqsubseteq> x"
- and anti_sym [intro]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> x \<rbrakk> \<Longrightarrow> x = y"
- and trans [trans]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"
-
-text (in partial_order) {* The parameter of this locale is~@{text le},
- which is a binary predicate with infix syntax~@{text \<sqsubseteq>}. The
- parameter syntax is available in the subsequent
- assumptions, which are the familiar partial order axioms.
-
- Isabelle recognises unbound names as free variables. In locale
- assumptions, these are implicitly universally quantified. That is,
- @{term "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"} in fact means
- @{term "\<And>x y z. \<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"}.
-
- Two commands are provided to inspect locales:
- \isakeyword{print\_locales} lists the names of all locales of the
- current theory; \isakeyword{print\_locale}~$n$ prints the parameters
- and assumptions of locale $n$; the variation \isakeyword{print\_locale!}~$n$
- additionally outputs the conclusions that are stored in the locale.
- We may inspect the new locale
- by issuing \isakeyword{print\_locale!} @{term partial_order}. The output
- is the following list of context elements.
-\begin{small}
-\begin{alltt}
- \isakeyword{fixes} le :: "'a \(\Rightarrow\) 'a \(\Rightarrow\) bool" (\isakeyword{infixl} "\(\sqsubseteq\)" 50)
- \isakeyword{assumes} "partial_order op \(\sqsubseteq\)"
- \isakeyword{notes} assumption
- refl [intro, simp] = `?x \(\sqsubseteq\) ?x`
- \isakeyword{and}
- anti_sym [intro] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?x\(\isasymrbrakk\) \(\Longrightarrow\) ?x = ?y`
- \isakeyword{and}
- trans [trans] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?z\(\isasymrbrakk\) \(\Longrightarrow\) ?x \(\sqsubseteq\) ?z`
-\end{alltt}
-\end{small}
- The keyword \isakeyword{notes} denotes a conclusion element. There
- is one conclusion, which was added automatically. Instead, there is
- only one assumption, namely @{term "partial_order le"}. The locale
- declaration has introduced the predicate @{term
- partial_order} to the theory. This predicate is the
- \emph{locale predicate}. Its definition may be inspected by
- issuing \isakeyword{thm} @{thm [source] partial_order_def}.
- @{thm [display, indent=2] partial_order_def}
- In our example, this is a unary predicate over the parameter of the
- locale. It is equivalent to the original assumptions, which have
- been turned into conclusions and are
- available as theorems in the context of the locale. The names and
- attributes from the locale declaration are associated to these
- theorems and are effective in the context of the locale.
-
- Each conclusion has a \emph{foundational theorem} as counterpart
- in the theory. Technically, this is simply the theorem composed
- of context and conclusion. For the transitivity theorem, this is
- @{thm [source] partial_order.trans}:
- @{thm [display, indent=2] partial_order.trans}
-*}
-
-subsection {* Targets: Extending Locales *}
-
-text {*
- The specification of a locale is fixed, but its list of conclusions
- may be extended through Isar commands that take a \emph{target} argument.
- In the following, \isakeyword{definition} and
- \isakeyword{theorem} are illustrated.
- Table~\ref{tab:commands-with-target} lists Isar commands that accept
- a target. Isar provides various ways of specifying the target. A
- target for a single command may be indicated with keyword
- \isakeyword{in} in the following way:
-
-\begin{table}
-\hrule
-\vspace{2ex}
-\begin{center}
-\begin{tabular}{ll}
- \isakeyword{definition} & definition through an equation \\
- \isakeyword{inductive} & inductive definition \\
- \isakeyword{primrec} & primitive recursion \\
- \isakeyword{fun}, \isakeyword{function} & general recursion \\
- \isakeyword{abbreviation} & syntactic abbreviation \\
- \isakeyword{theorem}, etc.\ & theorem statement with proof \\
- \isakeyword{theorems}, etc.\ & redeclaration of theorems \\
- \isakeyword{text}, etc.\ & document markup
-\end{tabular}
-\end{center}
-\hrule
-\caption{Isar commands that accept a target.}
-\label{tab:commands-with-target}
-\end{table}
- *}
-
- definition (in partial_order)
- less :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "\<sqsubset>" 50)
- where "(x \<sqsubset> y) = (x \<sqsubseteq> y \<and> x \<noteq> y)"
-
-text (in partial_order) {* The strict order @{text less} with infix
- syntax~@{text \<sqsubset>} is
- defined in terms of the locale parameter~@{text le} and the general
- equality of the object logic we work in. The definition generates a
- \emph{foundational constant}
- @{term partial_order.less} with definition @{thm [source]
- partial_order.less_def}:
- @{thm [display, indent=2] partial_order.less_def}
- At the same time, the locale is extended by syntax transformations
- hiding this construction in the context of the locale. Here, the
- abbreviation @{text less} is available for
- @{text "partial_order.less le"}, and it is printed
- and parsed as infix~@{text \<sqsubset>}. Finally, the conclusion @{thm [source]
- less_def} is added to the locale:
- @{thm [display, indent=2] less_def}
-*}
-
-text {* The treatment of theorem statements is more straightforward.
- As an example, here is the derivation of a transitivity law for the
- strict order relation. *}
-
- lemma (in partial_order) less_le_trans [trans]:
- "\<lbrakk> x \<sqsubset> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubset> z"
- unfolding %visible less_def by %visible (blast intro: trans)
-
-text {* In the context of the proof, conclusions of the
- locale may be used like theorems. Attributes are effective: @{text
- anti_sym} was
- declared as introduction rule, hence it is in the context's set of
- rules used by the classical reasoner by default. *}
-
-subsection {* Context Blocks *}
-
-text {* When working with locales, sequences of commands with the same
- target are frequent. A block of commands, delimited by
- \isakeyword{begin} and \isakeyword{end}, makes a theory-like style
- of working possible. All commands inside the block refer to the
- same target. A block may immediately follow a locale
- declaration, which makes that locale the target. Alternatively the
- target for a block may be given with the \isakeyword{context}
- command.
-
- This style of working is illustrated in the block below, where
- notions of infimum and supremum for partial orders are introduced,
- together with theorems about their uniqueness. *}
-
- context partial_order
- begin
-
- definition
- is_inf where "is_inf x y i =
- (i \<sqsubseteq> x \<and> i \<sqsubseteq> y \<and> (\<forall>z. z \<sqsubseteq> x \<and> z \<sqsubseteq> y \<longrightarrow> z \<sqsubseteq> i))"
-
- definition
- is_sup where "is_sup x y s =
- (x \<sqsubseteq> s \<and> y \<sqsubseteq> s \<and> (\<forall>z. x \<sqsubseteq> z \<and> y \<sqsubseteq> z \<longrightarrow> s \<sqsubseteq> z))"
-
- lemma %invisible is_infI [intro?]: "i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow>
- (\<And>z. z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i) \<Longrightarrow> is_inf x y i"
- by (unfold is_inf_def) blast
-
- lemma %invisible is_inf_lower [elim?]:
- "is_inf x y i \<Longrightarrow> (i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow> C) \<Longrightarrow> C"
- by (unfold is_inf_def) blast
-
- lemma %invisible is_inf_greatest [elim?]:
- "is_inf x y i \<Longrightarrow> z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i"
- by (unfold is_inf_def) blast
-
- theorem is_inf_uniq: "\<lbrakk>is_inf x y i; is_inf x y i'\<rbrakk> \<Longrightarrow> i = i'"
- proof -
- assume inf: "is_inf x y i"
- assume inf': "is_inf x y i'"
- show ?thesis
- proof (rule anti_sym)
- from inf' show "i \<sqsubseteq> i'"
- proof (rule is_inf_greatest)
- from inf show "i \<sqsubseteq> x" ..
- from inf show "i \<sqsubseteq> y" ..
- qed
- from inf show "i' \<sqsubseteq> i"
- proof (rule is_inf_greatest)
- from inf' show "i' \<sqsubseteq> x" ..
- from inf' show "i' \<sqsubseteq> y" ..
- qed
- qed
- qed
-
- theorem %invisible is_inf_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> is_inf x y x"
- proof -
- assume "x \<sqsubseteq> y"
- show ?thesis
- proof
- show "x \<sqsubseteq> x" ..
- show "x \<sqsubseteq> y" by fact
- fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> y" show "z \<sqsubseteq> x" by fact
- qed
- qed
-
- lemma %invisible is_supI [intro?]: "x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow>
- (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Longrightarrow> is_sup x y s"
- by (unfold is_sup_def) blast
-
- lemma %invisible is_sup_least [elim?]:
- "is_sup x y s \<Longrightarrow> x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z"
- by (unfold is_sup_def) blast
-
- lemma %invisible is_sup_upper [elim?]:
- "is_sup x y s \<Longrightarrow> (x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow> C) \<Longrightarrow> C"
- by (unfold is_sup_def) blast
-
- theorem is_sup_uniq: "\<lbrakk>is_sup x y s; is_sup x y s'\<rbrakk> \<Longrightarrow> s = s'"
- proof -
- assume sup: "is_sup x y s"
- assume sup': "is_sup x y s'"
- show ?thesis
- proof (rule anti_sym)
- from sup show "s \<sqsubseteq> s'"
- proof (rule is_sup_least)
- from sup' show "x \<sqsubseteq> s'" ..
- from sup' show "y \<sqsubseteq> s'" ..
- qed
- from sup' show "s' \<sqsubseteq> s"
- proof (rule is_sup_least)
- from sup show "x \<sqsubseteq> s" ..
- from sup show "y \<sqsubseteq> s" ..
- qed
- qed
- qed
-
- theorem %invisible is_sup_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> is_sup x y y"
- proof -
- assume "x \<sqsubseteq> y"
- show ?thesis
- proof
- show "x \<sqsubseteq> y" by fact
- show "y \<sqsubseteq> y" ..
- fix z assume "x \<sqsubseteq> z" and "y \<sqsubseteq> z"
- show "y \<sqsubseteq> z" by fact
- qed
- qed
-
- end
-
-text {* The syntax of the locale commands discussed in this tutorial is
- shown in Table~\ref{tab:commands}. The grammar is complete with the
- exception of the context elements \isakeyword{constrains} and
- \isakeyword{defines}, which are provided for backward
- compatibility. See the Isabelle/Isar Reference
- Manual~\cite{IsarRef} for full documentation. *}
-
-
-section {* Import \label{sec:import} *}
-
-text {*
- Algebraic structures are commonly defined by adding operations and
- properties to existing structures. For example, partial orders
- are extended to lattices and total orders. Lattices are extended to
- distributive lattices. *}
-
-text {*
- With locales, this kind of inheritance is achieved through
- \emph{import} of locales. The import part of a locale declaration,
- if present, precedes the context elements. Here is an example,
- where partial orders are extended to lattices.
- *}
-
- locale lattice = partial_order +
- assumes ex_inf: "\<exists>inf. is_inf x y inf"
- and ex_sup: "\<exists>sup. is_sup x y sup"
- begin
-
-text {* These assumptions refer to the predicates for infimum
- and supremum defined for @{text partial_order} in the previous
- section. We now introduce the notions of meet and join. *}
-
- definition
- meet (infixl "\<sqinter>" 70) where "x \<sqinter> y = (THE inf. is_inf x y inf)"
- definition
- join (infixl "\<squnion>" 65) where "x \<squnion> y = (THE sup. is_sup x y sup)"
-
- lemma %invisible meet_equality [elim?]: "is_inf x y i \<Longrightarrow> x \<sqinter> y = i"
- proof (unfold meet_def)
- assume "is_inf x y i"
- then show "(THE i. is_inf x y i) = i"
- by (rule the_equality) (rule is_inf_uniq [OF _ `is_inf x y i`])
- qed
-
- lemma %invisible meetI [intro?]:
- "i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow> (\<And>z. z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i) \<Longrightarrow> x \<sqinter> y = i"
- by (rule meet_equality, rule is_infI) blast+
-
- lemma %invisible is_inf_meet [intro?]: "is_inf x y (x \<sqinter> y)"
- proof (unfold meet_def)
- from ex_inf obtain i where "is_inf x y i" ..
- then show "is_inf x y (THE i. is_inf x y i)"
- by (rule theI) (rule is_inf_uniq [OF _ `is_inf x y i`])
- qed
-
- lemma %invisible meet_left [intro?]:
- "x \<sqinter> y \<sqsubseteq> x"
- by (rule is_inf_lower) (rule is_inf_meet)
-
- lemma %invisible meet_right [intro?]:
- "x \<sqinter> y \<sqsubseteq> y"
- by (rule is_inf_lower) (rule is_inf_meet)
-
- lemma %invisible meet_le [intro?]:
- "\<lbrakk> z \<sqsubseteq> x; z \<sqsubseteq> y \<rbrakk> \<Longrightarrow> z \<sqsubseteq> x \<sqinter> y"
- by (rule is_inf_greatest) (rule is_inf_meet)
-
- lemma %invisible join_equality [elim?]: "is_sup x y s \<Longrightarrow> x \<squnion> y = s"
- proof (unfold join_def)
- assume "is_sup x y s"
- then show "(THE s. is_sup x y s) = s"
- by (rule the_equality) (rule is_sup_uniq [OF _ `is_sup x y s`])
- qed
-
- lemma %invisible joinI [intro?]: "x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow>
- (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Longrightarrow> x \<squnion> y = s"
- by (rule join_equality, rule is_supI) blast+
-
- lemma %invisible is_sup_join [intro?]: "is_sup x y (x \<squnion> y)"
- proof (unfold join_def)
- from ex_sup obtain s where "is_sup x y s" ..
- then show "is_sup x y (THE s. is_sup x y s)"
- by (rule theI) (rule is_sup_uniq [OF _ `is_sup x y s`])
- qed
-
- lemma %invisible join_left [intro?]:
- "x \<sqsubseteq> x \<squnion> y"
- by (rule is_sup_upper) (rule is_sup_join)
-
- lemma %invisible join_right [intro?]:
- "y \<sqsubseteq> x \<squnion> y"
- by (rule is_sup_upper) (rule is_sup_join)
-
- lemma %invisible join_le [intro?]:
- "\<lbrakk> x \<sqsubseteq> z; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<squnion> y \<sqsubseteq> z"
- by (rule is_sup_least) (rule is_sup_join)
-
- theorem %invisible meet_assoc: "(x \<sqinter> y) \<sqinter> z = x \<sqinter> (y \<sqinter> z)"
- proof (rule meetI)
- show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> x \<sqinter> y"
- proof
- show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> x" ..
- show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y"
- proof -
- have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
- also have "\<dots> \<sqsubseteq> y" ..
- finally show ?thesis .
- qed
- qed
- show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> z"
- proof -
- have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
- also have "\<dots> \<sqsubseteq> z" ..
- finally show ?thesis .
- qed
- fix w assume "w \<sqsubseteq> x \<sqinter> y" and "w \<sqsubseteq> z"
- show "w \<sqsubseteq> x \<sqinter> (y \<sqinter> z)"
- proof
- show "w \<sqsubseteq> x"
- proof -
- have "w \<sqsubseteq> x \<sqinter> y" by fact
- also have "\<dots> \<sqsubseteq> x" ..
- finally show ?thesis .
- qed
- show "w \<sqsubseteq> y \<sqinter> z"
- proof
- show "w \<sqsubseteq> y"
- proof -
- have "w \<sqsubseteq> x \<sqinter> y" by fact
- also have "\<dots> \<sqsubseteq> y" ..
- finally show ?thesis .
- qed
- show "w \<sqsubseteq> z" by fact
- qed
- qed
- qed
-
- theorem %invisible meet_commute: "x \<sqinter> y = y \<sqinter> x"
- proof (rule meetI)
- show "y \<sqinter> x \<sqsubseteq> x" ..
- show "y \<sqinter> x \<sqsubseteq> y" ..
- fix z assume "z \<sqsubseteq> y" and "z \<sqsubseteq> x"
- then show "z \<sqsubseteq> y \<sqinter> x" ..
- qed
-
- theorem %invisible meet_join_absorb: "x \<sqinter> (x \<squnion> y) = x"
- proof (rule meetI)
- show "x \<sqsubseteq> x" ..
- show "x \<sqsubseteq> x \<squnion> y" ..
- fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> x \<squnion> y"
- show "z \<sqsubseteq> x" by fact
- qed
-
- theorem %invisible join_assoc: "(x \<squnion> y) \<squnion> z = x \<squnion> (y \<squnion> z)"
- proof (rule joinI)
- show "x \<squnion> y \<sqsubseteq> x \<squnion> (y \<squnion> z)"
- proof
- show "x \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
- show "y \<sqsubseteq> x \<squnion> (y \<squnion> z)"
- proof -
- have "y \<sqsubseteq> y \<squnion> z" ..
- also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
- finally show ?thesis .
- qed
- qed
- show "z \<sqsubseteq> x \<squnion> (y \<squnion> z)"
- proof -
- have "z \<sqsubseteq> y \<squnion> z" ..
- also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
- finally show ?thesis .
- qed
- fix w assume "x \<squnion> y \<sqsubseteq> w" and "z \<sqsubseteq> w"
- show "x \<squnion> (y \<squnion> z) \<sqsubseteq> w"
- proof
- show "x \<sqsubseteq> w"
- proof -
- have "x \<sqsubseteq> x \<squnion> y" ..
- also have "\<dots> \<sqsubseteq> w" by fact
- finally show ?thesis .
- qed
- show "y \<squnion> z \<sqsubseteq> w"
- proof
- show "y \<sqsubseteq> w"
- proof -
- have "y \<sqsubseteq> x \<squnion> y" ..
- also have "... \<sqsubseteq> w" by fact
- finally show ?thesis .
- qed
- show "z \<sqsubseteq> w" by fact
- qed
- qed
- qed
-
- theorem %invisible join_commute: "x \<squnion> y = y \<squnion> x"
- proof (rule joinI)
- show "x \<sqsubseteq> y \<squnion> x" ..
- show "y \<sqsubseteq> y \<squnion> x" ..
- fix z assume "y \<sqsubseteq> z" and "x \<sqsubseteq> z"
- then show "y \<squnion> x \<sqsubseteq> z" ..
- qed
-
- theorem %invisible join_meet_absorb: "x \<squnion> (x \<sqinter> y) = x"
- proof (rule joinI)
- show "x \<sqsubseteq> x" ..
- show "x \<sqinter> y \<sqsubseteq> x" ..
- fix z assume "x \<sqsubseteq> z" and "x \<sqinter> y \<sqsubseteq> z"
- show "x \<sqsubseteq> z" by fact
- qed
-
- theorem %invisible meet_idem: "x \<sqinter> x = x"
- proof -
- have "x \<sqinter> (x \<squnion> (x \<sqinter> x)) = x" by (rule meet_join_absorb)
- also have "x \<squnion> (x \<sqinter> x) = x" by (rule join_meet_absorb)
- finally show ?thesis .
- qed
-
- theorem %invisible meet_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> x \<sqinter> y = x"
- proof (rule meetI)
- assume "x \<sqsubseteq> y"
- show "x \<sqsubseteq> x" ..
- show "x \<sqsubseteq> y" by fact
- fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> y"
- show "z \<sqsubseteq> x" by fact
- qed
-
- theorem %invisible meet_related2 [elim?]: "y \<sqsubseteq> x \<Longrightarrow> x \<sqinter> y = y"
- by (drule meet_related) (simp add: meet_commute)
-
- theorem %invisible join_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> x \<squnion> y = y"
- proof (rule joinI)
- assume "x \<sqsubseteq> y"
- show "y \<sqsubseteq> y" ..
- show "x \<sqsubseteq> y" by fact
- fix z assume "x \<sqsubseteq> z" and "y \<sqsubseteq> z"
- show "y \<sqsubseteq> z" by fact
- qed
-
- theorem %invisible join_related2 [elim?]: "y \<sqsubseteq> x \<Longrightarrow> x \<squnion> y = x"
- by (drule join_related) (simp add: join_commute)
-
- theorem %invisible meet_connection: "(x \<sqsubseteq> y) = (x \<sqinter> y = x)"
- proof
- assume "x \<sqsubseteq> y"
- then have "is_inf x y x" ..
- then show "x \<sqinter> y = x" ..
- next
- have "x \<sqinter> y \<sqsubseteq> y" ..
- also assume "x \<sqinter> y = x"
- finally show "x \<sqsubseteq> y" .
- qed
-
- theorem %invisible join_connection: "(x \<sqsubseteq> y) = (x \<squnion> y = y)"
- proof
- assume "x \<sqsubseteq> y"
- then have "is_sup x y y" ..
- then show "x \<squnion> y = y" ..
- next
- have "x \<sqsubseteq> x \<squnion> y" ..
- also assume "x \<squnion> y = y"
- finally show "x \<sqsubseteq> y" .
- qed
-
- theorem %invisible meet_connection2: "(x \<sqsubseteq> y) = (y \<sqinter> x = x)"
- using meet_commute meet_connection by simp
-
- theorem %invisible join_connection2: "(x \<sqsubseteq> y) = (x \<squnion> y = y)"
- using join_commute join_connection by simp
-
- text %invisible {* Naming according to Jacobson I, p.\ 459. *}
- lemmas %invisible L1 = join_commute meet_commute
- lemmas %invisible L2 = join_assoc meet_assoc
- (* lemmas L3 = join_idem meet_idem *)
- lemmas %invisible L4 = join_meet_absorb meet_join_absorb
-
- end
-
-text {* Locales for total orders and distributive lattices follow to
- establish a sufficiently rich landscape of locales for
- further examples in this tutorial. Each comes with an example
- theorem. *}
-
- locale total_order = partial_order +
- assumes total: "x \<sqsubseteq> y \<or> y \<sqsubseteq> x"
-
- lemma (in total_order) less_total: "x \<sqsubset> y \<or> x = y \<or> y \<sqsubset> x"
- using total
- by (unfold less_def) blast
-
- locale distrib_lattice = lattice +
- assumes meet_distr: "x \<sqinter> (y \<squnion> z) = x \<sqinter> y \<squnion> x \<sqinter> z"
-
- lemma (in distrib_lattice) join_distr:
- "x \<squnion> (y \<sqinter> z) = (x \<squnion> y) \<sqinter> (x \<squnion> z)" (* txt {* Jacobson I, p.\ 462 *} *)
- proof -
- have "x \<squnion> (y \<sqinter> z) = (x \<squnion> (x \<sqinter> z)) \<squnion> (y \<sqinter> z)" by (simp add: L4)
- also have "... = x \<squnion> ((x \<sqinter> z) \<squnion> (y \<sqinter> z))" by (simp add: L2)
- also have "... = x \<squnion> ((x \<squnion> y) \<sqinter> z)" by (simp add: L1 meet_distr)
- also have "... = ((x \<squnion> y) \<sqinter> x) \<squnion> ((x \<squnion> y) \<sqinter> z)" by (simp add: L1 L4)
- also have "... = (x \<squnion> y) \<sqinter> (x \<squnion> z)" by (simp add: meet_distr)
- finally show ?thesis .
- qed
-
-text {*
- The locale hierarchy obtained through these declarations is shown in
- Figure~\ref{fig:lattices}(a).
-
-\begin{figure}
-\hrule \vspace{2ex}
-\begin{center}
-\subfigure[Declared hierarchy]{
-\begin{tikzpicture}
- \node (po) at (0,0) {@{text partial_order}};
- \node (lat) at (-1.5,-1) {@{text lattice}};
- \node (dlat) at (-1.5,-2) {@{text distrib_lattice}};
- \node (to) at (1.5,-1) {@{text total_order}};
- \draw (po) -- (lat);
- \draw (lat) -- (dlat);
- \draw (po) -- (to);
-% \draw[->, dashed] (lat) -- (to);
-\end{tikzpicture}
-} \\
-\subfigure[Total orders are lattices]{
-\begin{tikzpicture}
- \node (po) at (0,0) {@{text partial_order}};
- \node (lat) at (0,-1) {@{text lattice}};
- \node (dlat) at (-1.5,-2) {@{text distrib_lattice}};
- \node (to) at (1.5,-2) {@{text total_order}};
- \draw (po) -- (lat);
- \draw (lat) -- (dlat);
- \draw (lat) -- (to);
-% \draw[->, dashed] (dlat) -- (to);
-\end{tikzpicture}
-} \quad
-\subfigure[Total orders are distributive lattices]{
-\begin{tikzpicture}
- \node (po) at (0,0) {@{text partial_order}};
- \node (lat) at (0,-1) {@{text lattice}};
- \node (dlat) at (0,-2) {@{text distrib_lattice}};
- \node (to) at (0,-3) {@{text total_order}};
- \draw (po) -- (lat);
- \draw (lat) -- (dlat);
- \draw (dlat) -- (to);
-\end{tikzpicture}
-}
-\end{center}
-\hrule
-\caption{Hierarchy of Lattice Locales.}
-\label{fig:lattices}
-\end{figure}
- *}
-
-section {* Changing the Locale Hierarchy
- \label{sec:changing-the-hierarchy} *}
-
-text {*
- Locales enable to prove theorems abstractly, relative to
- sets of assumptions. These theorems can then be used in other
- contexts where the assumptions themselves, or
- instances of the assumptions, are theorems. This form of theorem
- reuse is called \emph{interpretation}. Locales generalise
- interpretation from theorems to conclusions, enabling the reuse of
- definitions and other constructs that are not part of the
- specifications of the locales.
-
- The first form of interpretation we will consider in this tutorial
- is provided by the \isakeyword{sublocale} command. It enables to
- modify the import hierarchy to reflect the \emph{logical} relation
- between locales.
-
- Consider the locale hierarchy from Figure~\ref{fig:lattices}(a).
- Total orders are lattices, although this is not reflected here, and
- definitions, theorems and other conclusions
- from @{term lattice} are not available in @{term total_order}. To
- obtain the situation in Figure~\ref{fig:lattices}(b), it is
- sufficient to add the conclusions of the latter locale to the former.
- The \isakeyword{sublocale} command does exactly this.
- The declaration \isakeyword{sublocale} $l_1
- \subseteq l_2$ causes locale $l_2$ to be \emph{interpreted} in the
- context of $l_1$. This means that all conclusions of $l_2$ are made
- available in $l_1$.
-
- Of course, the change of hierarchy must be supported by a theorem
- that reflects, in our example, that total orders are indeed
- lattices. Therefore the \isakeyword{sublocale} command generates a
- goal, which must be discharged by the user. This is illustrated in
- the following paragraphs. First the sublocale relation is stated.
-*}
-
- sublocale %visible total_order \<subseteq> lattice
-
-txt {* \normalsize
- This enters the context of locale @{text total_order}, in
- which the goal @{subgoals [display]} must be shown.
- Now the
- locale predicate needs to be unfolded --- for example, using its
- definition or by introduction rules
- provided by the locale package. For automation, the locale package
- provides the methods @{text intro_locales} and @{text
- unfold_locales}. They are aware of the
- current context and dependencies between locales and automatically
- discharge goals implied by these. While @{text unfold_locales}
- always unfolds locale predicates to assumptions, @{text
- intro_locales} only unfolds definitions along the locale
- hierarchy, leaving a goal consisting of predicates defined by the
- locale package. Occasionally the latter is of advantage since the goal
- is smaller.
-
- For the current goal, we would like to get hold of
- the assumptions of @{text lattice}, which need to be shown, hence
- @{text unfold_locales} is appropriate. *}
-
- proof unfold_locales
-
-txt {* \normalsize
- Since the fact that both lattices and total orders are partial
- orders is already reflected in the locale hierarchy, the assumptions
- of @{text partial_order} are discharged automatically, and only the
- assumptions introduced in @{text lattice} remain as subgoals
- @{subgoals [display]}
- The proof for the first subgoal is obtained by constructing an
- infimum, whose existence is implied by totality. *}
-
- fix x y
- from total have "is_inf x y (if x \<sqsubseteq> y then x else y)"
- by (auto simp: is_inf_def)
- then show "\<exists>inf. is_inf x y inf" ..
-txt {* \normalsize
- The proof for the second subgoal is analogous and not
- reproduced here. *}
- next %invisible
- fix x y
- from total have "is_sup x y (if x \<sqsubseteq> y then y else x)"
- by (auto simp: is_sup_def)
- then show "\<exists>sup. is_sup x y sup" .. qed %visible
-
-text {* Similarly, we may establish that total orders are distributive
- lattices with a second \isakeyword{sublocale} statement. *}
-
- sublocale total_order \<subseteq> distrib_lattice
- proof unfold_locales
- fix %"proof" x y z
- show "x \<sqinter> (y \<squnion> z) = x \<sqinter> y \<squnion> x \<sqinter> z" (is "?l = ?r")
- txt {* Jacobson I, p.\ 462 *}
- proof -
- { assume c: "y \<sqsubseteq> x" "z \<sqsubseteq> x"
- from c have "?l = y \<squnion> z"
- by (metis c join_connection2 join_related2 meet_related2 total)
- also from c have "... = ?r" by (metis meet_related2)
- finally have "?l = ?r" . }
- moreover
- { assume c: "x \<sqsubseteq> y \<or> x \<sqsubseteq> z"
- from c have "?l = x"
- by (metis join_connection2 join_related2 meet_connection total trans)
- also from c have "... = ?r"
- by (metis join_commute join_related2 meet_connection meet_related2 total)
- finally have "?l = ?r" . }
- moreover note total
- ultimately show ?thesis by blast
- qed
- qed
-
-text {* The locale hierarchy is now as shown in
- Figure~\ref{fig:lattices}(c). *}
-
-text {*
- Locale interpretation is \emph{dynamic}. The statement
- \isakeyword{sublocale} $l_1 \subseteq l_2$ will not just add the
- current conclusions of $l_2$ to $l_1$. Rather the dependency is
- stored, and conclusions that will be
- added to $l_2$ in future are automatically propagated to $l_1$.
- The sublocale relation is transitive --- that is, propagation takes
- effect along chains of sublocales. Even cycles in the sublocale relation are
- supported, as long as these cycles do not lead to infinite chains.
- Details are discussed in the technical report \cite{Ballarin2006a}.
- See also Section~\ref{sec:infinite-chains} of this tutorial. *}
-
-end
--- a/doc-src/Locales/Examples1.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,89 +0,0 @@
-theory Examples1
-imports Examples
-begin
-text {* \vspace{-5ex} *}
-section {* Use of Locales in Theories and Proofs
- \label{sec:interpretation} *}
-
-text {*
- Locales can be interpreted in the contexts of theories and
- structured proofs. These interpretations are dynamic, too.
- Conclusions of locales will be propagated to the current theory or
- the current proof context.%
-\footnote{Strictly speaking, only interpretation in theories is
- dynamic since it is not possible to change locales or the locale
- hierarchy from within a proof.}
- The focus of this section is on
- interpretation in theories, but we will also encounter
- interpretations in proofs, in
- Section~\ref{sec:local-interpretation}.
-
- As an example, consider the type of integers @{typ int}. The
- relation @{term "op \<le>"} is a total order over @{typ int}. We start
- with the interpretation that @{term "op \<le>"} is a partial order. The
- facilities of the interpretation command are explored gradually in
- three versions.
- *}
-
-
-subsection {* First Version: Replacement of Parameters Only
- \label{sec:po-first} *}
-
-text {*
- The command \isakeyword{interpretation} is for the interpretation of
- locale in theories. In the following example, the parameter of locale
- @{text partial_order} is replaced by @{term "op \<le> :: int \<Rightarrow> int \<Rightarrow>
- bool"} and the locale instance is interpreted in the current
- theory. *}
-
- interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
-txt {* \normalsize
- The argument of the command is a simple \emph{locale expression}
- consisting of the name of the interpreted locale, which is
- preceded by the qualifier @{text "int:"} and succeeded by a
- white-space-separated list of terms, which provide a full
- instantiation of the locale parameters. The parameters are referred
- to by order of declaration, which is also the order in which
- \isakeyword{print\_locale} outputs them. The locale has only a
- single parameter, hence the list of instantiation terms is a
- singleton.
-
- The command creates the goal
- @{subgoals [display]} which can be shown easily:
- *}
- by unfold_locales auto
-
-text {* The effect of the command is that instances of all
- conclusions of the locale are available in the theory, where names
- are prefixed by the qualifier. For example, transitivity for @{typ
- int} is named @{thm [source] int.trans} and is the following
- theorem:
- @{thm [display, indent=2] int.trans}
- It is not possible to reference this theorem simply as @{text
- trans}. This prevents unwanted hiding of existing theorems of the
- theory by an interpretation. *}
-
-
-subsection {* Second Version: Replacement of Definitions *}
-
-text {* Not only does the above interpretation qualify theorem names.
- The prefix @{text int} is applied to all names introduced in locale
- conclusions including names introduced in definitions. The
- qualified name @{text int.less} is short for
- the interpretation of the definition, which is @{term int.less}.
- Qualified name and expanded form may be used almost
- interchangeably.%
-\footnote{Since @{term "op \<le>"} is polymorphic, for @{term int.less} a
- more general type will be inferred than for @{text int.less} which
- is over type @{typ int}.}
- The latter is preferred on output, as for example in the theorem
- @{thm [source] int.less_le_trans}: @{thm [display, indent=2]
- int.less_le_trans}
- Both notations for the strict order are not satisfactory. The
- constant @{term "op <"} is the strict order for @{typ int}.
- In order to allow for the desired replacement, interpretation
- accepts \emph{equations} in addition to the parameter instantiation.
- These follow the locale expression and are indicated with the
- keyword \isakeyword{where}. This is the revised interpretation:
- *}
-end
--- a/doc-src/Locales/Examples2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-theory Examples2
-imports Examples
-begin
-text {* \vspace{-5ex} *}
- interpretation %visible int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool"
- where "int.less x y = (x < y)"
- proof -
- txt {* \normalsize The goals are now:
- @{subgoals [display]}
- The proof that~@{text \<le>} is a partial order is as above. *}
- show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
- by unfold_locales auto
- txt {* \normalsize The second goal is shown by unfolding the
- definition of @{term "partial_order.less"}. *}
- show "partial_order.less op \<le> x y = (x < y)"
- unfolding partial_order.less_def [OF `partial_order op \<le>`]
- by auto
- qed
-
-text {* Note that the above proof is not in the context of the
- interpreted locale. Hence, the premise of @{text
- "partial_order.less_def"} is discharged manually with @{text OF}.
- *}
-end
--- a/doc-src/Locales/Examples3.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,659 +0,0 @@
-theory Examples3
-imports Examples
-begin
-text {* \vspace{-5ex} *}
-subsection {* Third Version: Local Interpretation
- \label{sec:local-interpretation} *}
-
-text {* In the above example, the fact that @{term "op \<le>"} is a partial
- order for the integers was used in the second goal to
- discharge the premise in the definition of @{text "op \<sqsubset>"}. In
- general, proofs of the equations not only may involve definitions
- from the interpreted locale but arbitrarily complex arguments in the
- context of the locale. Therefore it would be convenient to have the
- interpreted locale conclusions temporarily available in the proof.
- This can be achieved by a locale interpretation in the proof body.
- The command for local interpretations is \isakeyword{interpret}. We
- repeat the example from the previous section to illustrate this. *}
-
- interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
- where "int.less x y = (x < y)"
- proof -
- show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
- by unfold_locales auto
- then interpret int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool" .
- show "int.less x y = (x < y)"
- unfolding int.less_def by auto
- qed
-
-text {* The inner interpretation is immediate from the preceding fact
- and proved by assumption (Isar short hand ``.''). It enriches the
- local proof context by the theorems
- also obtained in the interpretation from Section~\ref{sec:po-first},
- and @{text int.less_def} may directly be used to unfold the
- definition. Theorems from the local interpretation disappear after
- leaving the proof context --- that is, after the succeeding
- \isakeyword{next} or \isakeyword{qed} statement. *}
-
-
-subsection {* Further Interpretations *}
-
-text {* Further interpretations are necessary for
- the other locales. In @{text lattice} the operations~@{text \<sqinter>}
- and~@{text \<squnion>} are substituted by @{term "min :: int \<Rightarrow> int \<Rightarrow> int"}
- and @{term "max :: int \<Rightarrow> int \<Rightarrow> int"}. The entire proof for the
- interpretation is reproduced to give an example of a more
- elaborate interpretation proof. Note that the equations are named
- so they can be used in a later example. *}
-
- interpretation %visible int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
- where int_min_eq: "int.meet x y = min x y"
- and int_max_eq: "int.join x y = max x y"
- proof -
- show "lattice (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
- txt {* \normalsize We have already shown that this is a partial
- order, *}
- apply unfold_locales
- txt {* \normalsize hence only the lattice axioms remain to be
- shown.
- @{subgoals [display]}
- By @{text is_inf} and @{text is_sup}, *}
- apply (unfold int.is_inf_def int.is_sup_def)
- txt {* \normalsize the goals are transformed to these
- statements:
- @{subgoals [display]}
- This is Presburger arithmetic, which can be solved by the
- method @{text arith}. *}
- by arith+
- txt {* \normalsize In order to show the equations, we put ourselves
- in a situation where the lattice theorems can be used in a
- convenient way. *}
- then interpret int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool" .
- show "int.meet x y = min x y"
- by (bestsimp simp: int.meet_def int.is_inf_def)
- show "int.join x y = max x y"
- by (bestsimp simp: int.join_def int.is_sup_def)
- qed
-
-text {* Next follows that @{text "op \<le>"} is a total order, again for
- the integers. *}
-
- interpretation %visible int: total_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
- by unfold_locales arith
-
-text {* Theorems that are available in the theory at this point are shown in
- Table~\ref{tab:int-lattice}. Two points are worth noting:
-
-\begin{table}
-\hrule
-\vspace{2ex}
-\begin{center}
-\begin{tabular}{l}
- @{thm [source] int.less_def} from locale @{text partial_order}: \\
- \quad @{thm int.less_def} \\
- @{thm [source] int.meet_left} from locale @{text lattice}: \\
- \quad @{thm int.meet_left} \\
- @{thm [source] int.join_distr} from locale @{text distrib_lattice}: \\
- \quad @{thm int.join_distr} \\
- @{thm [source] int.less_total} from locale @{text total_order}: \\
- \quad @{thm int.less_total}
-\end{tabular}
-\end{center}
-\hrule
-\caption{Interpreted theorems for~@{text \<le>} on the integers.}
-\label{tab:int-lattice}
-\end{table}
-
-\begin{itemize}
-\item
- Locale @{text distrib_lattice} was also interpreted. Since the
- locale hierarchy reflects that total orders are distributive
- lattices, the interpretation of the latter was inserted
- automatically with the interpretation of the former. In general,
- interpretation traverses the locale hierarchy upwards and interprets
- all encountered locales, regardless whether imported or proved via
- the \isakeyword{sublocale} command. Existing interpretations are
- skipped avoiding duplicate work.
-\item
- The predicate @{term "op <"} appears in theorem @{thm [source]
- int.less_total}
- although an equation for the replacement of @{text "op \<sqsubset>"} was only
- given in the interpretation of @{text partial_order}. The
- interpretation equations are pushed downwards the hierarchy for
- related interpretations --- that is, for interpretations that share
- the instances of parameters they have in common.
-\end{itemize}
- *}
-
-text {* The interpretations for a locale $n$ within the current
- theory may be inspected with \isakeyword{print\_interps}~$n$. This
- prints the list of instances of $n$, for which interpretations exist.
- For example, \isakeyword{print\_interps} @{term partial_order}
- outputs the following:
-\begin{small}
-\begin{alltt}
- int! : partial_order "op \(\le\)"
-\end{alltt}
-\end{small}
- Of course, there is only one interpretation.
- The interpretation qualifier on the left is decorated with an
- exclamation point. This means that it is mandatory. Qualifiers
- can either be \emph{mandatory} or \emph{optional}, designated by
- ``!'' or ``?'' respectively. Mandatory qualifiers must occur in a
- name reference while optional ones need not. Mandatory qualifiers
- prevent accidental hiding of names, while optional qualifiers can be
- more convenient to use. For \isakeyword{interpretation}, the
- default is ``!''.
-*}
-
-
-section {* Locale Expressions \label{sec:expressions} *}
-
-text {*
- A map~@{term \<phi>} between partial orders~@{text \<sqsubseteq>} and~@{text \<preceq>}
- is called order preserving if @{text "x \<sqsubseteq> y"} implies @{text "\<phi> x \<preceq>
- \<phi> y"}. This situation is more complex than those encountered so
- far: it involves two partial orders, and it is desirable to use the
- existing locale for both.
-
- A locale for order preserving maps requires three parameters: @{text
- le}~(\isakeyword{infixl}~@{text \<sqsubseteq>}) and @{text
- le'}~(\isakeyword{infixl}~@{text \<preceq>}) for the orders and~@{text \<phi>}
- for the map.
-
- In order to reuse the existing locale for partial orders, which has
- the single parameter~@{text le}, it must be imported twice, once
- mapping its parameter to~@{text le} from the new locale and once
- to~@{text le'}. This can be achieved with a compound locale
- expression.
-
- In general, a locale expression is a sequence of \emph{locale instances}
- separated by~``$\textbf{+}$'' and followed by a \isakeyword{for}
- clause.
- An instance has the following format:
-\begin{quote}
- \textit{qualifier} \textbf{:} \textit{locale-name}
- \textit{parameter-instantiation}
-\end{quote}
- We have already seen locale instances as arguments to
- \isakeyword{interpretation} in Section~\ref{sec:interpretation}.
- As before, the qualifier serves to disambiguate names from
- different instances of the same locale. While in
- \isakeyword{interpretation} qualifiers default to mandatory, in
- import and in the \isakeyword{sublocale} command, they default to
- optional.
-
- Since the parameters~@{text le} and~@{text le'} are to be partial
- orders, our locale for order preserving maps will import the these
- instances:
-\begin{small}
-\begin{alltt}
- le: partial_order le
- le': partial_order le'
-\end{alltt}
-\end{small}
- For matter of convenience we choose to name parameter names and
- qualifiers alike. This is an arbitrary decision. Technically, qualifiers
- and parameters are unrelated.
-
- Having determined the instances, let us turn to the \isakeyword{for}
- clause. It serves to declare locale parameters in the same way as
- the context element \isakeyword{fixes} does. Context elements can
- only occur after the import section, and therefore the parameters
- referred to in the instances must be declared in the \isakeyword{for}
- clause. The \isakeyword{for} clause is also where the syntax of these
- parameters is declared.
-
- Two context elements for the map parameter~@{text \<phi>} and the
- assumptions that it is order preserving complete the locale
- declaration. *}
-
- locale order_preserving =
- le: partial_order le + le': partial_order le'
- for le (infixl "\<sqsubseteq>" 50) and le' (infixl "\<preceq>" 50) +
- fixes \<phi>
- assumes hom_le: "x \<sqsubseteq> y \<Longrightarrow> \<phi> x \<preceq> \<phi> y"
-
-text (in order_preserving) {* Here are examples of theorems that are
- available in the locale:
-
- \hspace*{1em}@{thm [source] hom_le}: @{thm hom_le}
-
- \hspace*{1em}@{thm [source] le.less_le_trans}: @{thm le.less_le_trans}
-
- \hspace*{1em}@{thm [source] le'.less_le_trans}:
- @{thm [display, indent=4] le'.less_le_trans}
- While there is infix syntax for the strict operation associated to
- @{term "op \<sqsubseteq>"}, there is none for the strict version of @{term
- "op \<preceq>"}. The abbreviation @{text less} with its infix syntax is only
- available for the original instance it was declared for. We may
- introduce the abbreviation @{text less'} with infix syntax~@{text \<prec>}
- with the following declaration: *}
-
- abbreviation (in order_preserving)
- less' (infixl "\<prec>" 50) where "less' \<equiv> partial_order.less le'"
-
-text (in order_preserving) {* Now the theorem is displayed nicely as
- @{thm [source] le'.less_le_trans}:
- @{thm [display, indent=2] le'.less_le_trans} *}
-
-text {* There are short notations for locale expressions. These are
- discussed in the following. *}
-
-
-subsection {* Default Instantiations *}
-
-text {*
- It is possible to omit parameter instantiations. The
- instantiation then defaults to the name of
- the parameter itself. For example, the locale expression @{text
- partial_order} is short for @{text "partial_order le"}, since the
- locale's single parameter is~@{text le}. We took advantage of this
- in the \isakeyword{sublocale} declarations of
- Section~\ref{sec:changing-the-hierarchy}. *}
-
-
-subsection {* Implicit Parameters \label{sec:implicit-parameters} *}
-
-text {* In a locale expression that occurs within a locale
- declaration, omitted parameters additionally extend the (possibly
- empty) \isakeyword{for} clause.
-
- The \isakeyword{for} clause is a general construct of Isabelle/Isar
- to mark names occurring in the preceding declaration as ``arbitrary
- but fixed''. This is necessary for example, if the name is already
- bound in a surrounding context. In a locale expression, names
- occurring in parameter instantiations should be bound by a
- \isakeyword{for} clause whenever these names are not introduced
- elsewhere in the context --- for example, on the left hand side of a
- \isakeyword{sublocale} declaration.
-
- There is an exception to this rule in locale declarations, where the
- \isakeyword{for} clause serves to declare locale parameters. Here,
- locale parameters for which no parameter instantiation is given are
- implicitly added, with their mixfix syntax, at the beginning of the
- \isakeyword{for} clause. For example, in a locale declaration, the
- expression @{text partial_order} is short for
-\begin{small}
-\begin{alltt}
- partial_order le \isakeyword{for} le (\isakeyword{infixl} "\(\sqsubseteq\)" 50)\textrm{.}
-\end{alltt}
-\end{small}
- This short hand was used in the locale declarations throughout
- Section~\ref{sec:import}.
- *}
-
-text{*
- The following locale declarations provide more examples. A
- map~@{text \<phi>} is a lattice homomorphism if it preserves meet and
- join. *}
-
- locale lattice_hom =
- le: lattice + le': lattice le' for le' (infixl "\<preceq>" 50) +
- fixes \<phi>
- assumes hom_meet: "\<phi> (x \<sqinter> y) = le'.meet (\<phi> x) (\<phi> y)"
- and hom_join: "\<phi> (x \<squnion> y) = le'.join (\<phi> x) (\<phi> y)"
-
-text {* The parameter instantiation in the first instance of @{term
- lattice} is omitted. This causes the parameter~@{text le} to be
- added to the \isakeyword{for} clause, and the locale has
- parameters~@{text le},~@{text le'} and, of course,~@{text \<phi>}.
-
- Before turning to the second example, we complete the locale by
- providing infix syntax for the meet and join operations of the
- second lattice.
-*}
-
- context lattice_hom
- begin
- abbreviation meet' (infixl "\<sqinter>''" 50) where "meet' \<equiv> le'.meet"
- abbreviation join' (infixl "\<squnion>''" 50) where "join' \<equiv> le'.join"
- end
-
-text {* The next example makes radical use of the short hand
- facilities. A homomorphism is an endomorphism if both orders
- coincide. *}
-
- locale lattice_end = lattice_hom _ le
-
-text {* The notation~@{text _} enables to omit a parameter in a
- positional instantiation. The omitted parameter,~@{text le} becomes
- the parameter of the declared locale and is, in the following
- position, used to instantiate the second parameter of @{text
- lattice_hom}. The effect is that of identifying the first in second
- parameter of the homomorphism locale. *}
-
-text {* The inheritance diagram of the situation we have now is shown
- in Figure~\ref{fig:hom}, where the dashed line depicts an
- interpretation which is introduced below. Parameter instantiations
- are indicated by $\sqsubseteq \mapsto \preceq$ etc. By looking at
- the inheritance diagram it would seem
- that two identical copies of each of the locales @{text
- partial_order} and @{text lattice} are imported by @{text
- lattice_end}. This is not the case! Inheritance paths with
- identical morphisms are automatically detected and
- the conclusions of the respective locales appear only once.
-
-\begin{figure}
-\hrule \vspace{2ex}
-\begin{center}
-\begin{tikzpicture}
- \node (o) at (0,0) {@{text partial_order}};
- \node (oh) at (1.5,-2) {@{text order_preserving}};
- \node (oh1) at (1.5,-0.7) {$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
- \node (oh2) at (0,-1.3) {$\scriptscriptstyle \sqsubseteq \mapsto \preceq$};
- \node (l) at (-1.5,-2) {@{text lattice}};
- \node (lh) at (0,-4) {@{text lattice_hom}};
- \node (lh1) at (0,-2.7) {$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
- \node (lh2) at (-1.5,-3.3) {$\scriptscriptstyle \sqsubseteq \mapsto \preceq$};
- \node (le) at (0,-6) {@{text lattice_end}};
- \node (le1) at (0,-4.8)
- [anchor=west]{$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
- \node (le2) at (0,-5.2)
- [anchor=west]{$\scriptscriptstyle \preceq \mapsto \sqsubseteq$};
- \draw (o) -- (l);
- \draw[dashed] (oh) -- (lh);
- \draw (lh) -- (le);
- \draw (o) .. controls (oh1.south west) .. (oh);
- \draw (o) .. controls (oh2.north east) .. (oh);
- \draw (l) .. controls (lh1.south west) .. (lh);
- \draw (l) .. controls (lh2.north east) .. (lh);
-\end{tikzpicture}
-\end{center}
-\hrule
-\caption{Hierarchy of Homomorphism Locales.}
-\label{fig:hom}
-\end{figure}
- *}
-
-text {* It can be shown easily that a lattice homomorphism is order
- preserving. As the final example of this section, a locale
- interpretation is used to assert this: *}
-
- sublocale lattice_hom \<subseteq> order_preserving
- proof unfold_locales
- fix x y
- assume "x \<sqsubseteq> y"
- then have "y = (x \<squnion> y)" by (simp add: le.join_connection)
- then have "\<phi> y = (\<phi> x \<squnion>' \<phi> y)" by (simp add: hom_join [symmetric])
- then show "\<phi> x \<preceq> \<phi> y" by (simp add: le'.join_connection)
- qed
-
-text (in lattice_hom) {*
- Theorems and other declarations --- syntax, in particular --- from
- the locale @{text order_preserving} are now active in @{text
- lattice_hom}, for example
- @{thm [source] hom_le}:
- @{thm [display, indent=2] hom_le}
- This theorem will be useful in the following section.
- *}
-
-
-section {* Conditional Interpretation *}
-
-text {* There are situations where an interpretation is not possible
- in the general case since the desired property is only valid if
- certain conditions are fulfilled. Take, for example, the function
- @{text "\<lambda>i. n * i"} that scales its argument by a constant factor.
- This function is order preserving (and even a lattice endomorphism)
- with respect to @{term "op \<le>"} provided @{text "n \<ge> 0"}.
-
- It is not possible to express this using a global interpretation,
- because it is in general unspecified whether~@{term n} is
- non-negative, but one may make an interpretation in an inner context
- of a proof where full information is available.
- This is not fully satisfactory either, since potentially
- interpretations may be required to make interpretations in many
- contexts. What is
- required is an interpretation that depends on the condition --- and
- this can be done with the \isakeyword{sublocale} command. For this
- purpose, we introduce a locale for the condition. *}
-
- locale non_negative =
- fixes n :: int
- assumes non_neg: "0 \<le> n"
-
-text {* It is again convenient to make the interpretation in an
- incremental fashion, first for order preserving maps, the for
- lattice endomorphisms. *}
-
- sublocale non_negative \<subseteq>
- order_preserving "op \<le>" "op \<le>" "\<lambda>i. n * i"
- using non_neg by unfold_locales (rule mult_left_mono)
-
-text {* While the proof of the previous interpretation
- is straightforward from monotonicity lemmas for~@{term "op *"}, the
- second proof follows a useful pattern. *}
-
- sublocale %visible non_negative \<subseteq> lattice_end "op \<le>" "\<lambda>i. n * i"
- proof (unfold_locales, unfold int_min_eq int_max_eq)
- txt {* \normalsize Unfolding the locale predicates \emph{and} the
- interpretation equations immediately yields two subgoals that
- reflect the core conjecture.
- @{subgoals [display]}
- It is now necessary to show, in the context of @{term
- non_negative}, that multiplication by~@{term n} commutes with
- @{term min} and @{term max}. *}
- qed (auto simp: hom_le)
-
-text (in order_preserving) {* The lemma @{thm [source] hom_le}
- simplifies a proof that would have otherwise been lengthy and we may
- consider making it a default rule for the simplifier: *}
-
- lemmas (in order_preserving) hom_le [simp]
-
-
-subsection {* Avoiding Infinite Chains of Interpretations
- \label{sec:infinite-chains} *}
-
-text {* Similar situations arise frequently in formalisations of
- abstract algebra where it is desirable to express that certain
- constructions preserve certain properties. For example, polynomials
- over rings are rings, or --- an example from the domain where the
- illustrations of this tutorial are taken from --- a partial order
- may be obtained for a function space by point-wise lifting of the
- partial order of the co-domain. This corresponds to the following
- interpretation: *}
-
- sublocale %visible partial_order \<subseteq> f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
- oops
-
-text {* Unfortunately this is a cyclic interpretation that leads to an
- infinite chain, namely
- @{text [display, indent=2] "partial_order \<subseteq> partial_order (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) \<subseteq>
- partial_order (\<lambda>f g. \<forall>x y. f x y \<sqsubseteq> g x y) \<subseteq> \<dots>"}
- and the interpretation is rejected.
-
- Instead it is necessary to declare a locale that is logically
- equivalent to @{term partial_order} but serves to collect facts
- about functions spaces where the co-domain is a partial order, and
- to make the interpretation in its context: *}
-
- locale fun_partial_order = partial_order
-
- sublocale fun_partial_order \<subseteq>
- f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
- by unfold_locales (fast,rule,fast,blast intro: trans)
-
-text {* It is quite common in abstract algebra that such a construction
- maps a hierarchy of algebraic structures (or specifications) to a
- related hierarchy. By means of the same lifting, a function space
- is a lattice if its co-domain is a lattice: *}
-
- locale fun_lattice = fun_partial_order + lattice
-
- sublocale fun_lattice \<subseteq> f: lattice "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
- proof unfold_locales
- fix f g
- have "partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<sqinter> g x)"
- apply (rule is_infI) apply rule+ apply (drule spec, assumption)+ done
- then show "\<exists>inf. partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g inf"
- by fast
- next
- fix f g
- have "partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<squnion> g x)"
- apply (rule is_supI) apply rule+ apply (drule spec, assumption)+ done
- then show "\<exists>sup. partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g sup"
- by fast
- qed
-
-
-section {* Further Reading *}
-
-text {* More information on locales and their interpretation is
- available. For the locale hierarchy of import and interpretation
- dependencies see~\cite{Ballarin2006a}; interpretations in theories
- and proofs are covered in~\cite{Ballarin2006b}. In the latter, I
- show how interpretation in proofs enables to reason about families
- of algebraic structures, which cannot be expressed with locales
- directly.
-
- Haftmann and Wenzel~\cite{HaftmannWenzel2007} overcome a restriction
- of axiomatic type classes through a combination with locale
- interpretation. The result is a Haskell-style class system with a
- facility to generate ML and Haskell code. Classes are sufficient for
- simple specifications with a single type parameter. The locales for
- orders and lattices presented in this tutorial fall into this
- category. Order preserving maps, homomorphisms and vector spaces,
- on the other hand, do not.
-
- The locales reimplementation for Isabelle 2009 provides, among other
- improvements, a clean integration with Isabelle/Isar's local theory
- mechanisms, which are described in another paper by Haftmann and
- Wenzel~\cite{HaftmannWenzel2009}.
-
- The original work of Kamm\"uller on locales~\cite{KammullerEtAl1999}
- may be of interest from a historical perspective. My previous
- report on locales and locale expressions~\cite{Ballarin2004a}
- describes a simpler form of expressions than available now and is
- outdated. The mathematical background on orders and lattices is
- taken from Jacobson's textbook on algebra~\cite[Chapter~8]{Jacobson1985}.
-
- The sources of this tutorial, which include all proofs, are
- available with the Isabelle distribution at
- \url{http://isabelle.in.tum.de}.
- *}
-
-text {*
-\begin{table}
-\hrule
-\vspace{2ex}
-\begin{center}
-\begin{tabular}{l>$c<$l}
- \multicolumn{3}{l}{Miscellaneous} \\
-
- \textit{attr-name} & ::=
- & \textit{name} $|$ \textit{attribute} $|$
- \textit{name} \textit{attribute} \\
- \textit{qualifier} & ::=
- & \textit{name} [``\textbf{?}'' $|$ ``\textbf{!}''] \\[2ex]
-
- \multicolumn{3}{l}{Context Elements} \\
-
- \textit{fixes} & ::=
- & \textit{name} [ ``\textbf{::}'' \textit{type} ]
- [ ``\textbf{(}'' \textbf{structure} ``\textbf{)}'' $|$
- \textit{mixfix} ] \\
-\begin{comment}
- \textit{constrains} & ::=
- & \textit{name} ``\textbf{::}'' \textit{type} \\
-\end{comment}
- \textit{assumes} & ::=
- & [ \textit{attr-name} ``\textbf{:}'' ] \textit{proposition} \\
-\begin{comment}
- \textit{defines} & ::=
- & [ \textit{attr-name} ``\textbf{:}'' ] \textit{proposition} \\
- \textit{notes} & ::=
- & [ \textit{attr-name} ``\textbf{=}'' ]
- ( \textit{qualified-name} [ \textit{attribute} ] )$^+$ \\
-\end{comment}
-
- \textit{element} & ::=
- & \textbf{fixes} \textit{fixes} ( \textbf{and} \textit{fixes} )$^*$ \\
-\begin{comment}
- & |
- & \textbf{constrains} \textit{constrains}
- ( \textbf{and} \textit{constrains} )$^*$ \\
-\end{comment}
- & |
- & \textbf{assumes} \textit{assumes} ( \textbf{and} \textit{assumes} )$^*$ \\[2ex]
-%\begin{comment}
-% & |
-% & \textbf{defines} \textit{defines} ( \textbf{and} \textit{defines} )$^*$ \\
-% & |
-% & \textbf{notes} \textit{notes} ( \textbf{and} \textit{notes} )$^*$ \\
-%\end{comment}
-
- \multicolumn{3}{l}{Locale Expressions} \\
-
- \textit{pos-insts} & ::=
- & ( \textit{term} $|$ ``\textbf{\_}'' )$^*$ \\
- \textit{named-insts} & ::=
- & \textbf{where} \textit{name} ``\textbf{=}'' \textit{term}
- ( \textbf{and} \textit{name} ``\textbf{=}'' \textit{term} )$^*$ \\
- \textit{instance} & ::=
- & [ \textit{qualifier} ``\textbf{:}'' ]
- \textit{name} ( \textit{pos-insts} $|$ \textit{named-inst} ) \\
- \textit{expression} & ::=
- & \textit{instance} ( ``\textbf{+}'' \textit{instance} )$^*$
- [ \textbf{for} \textit{fixes} ( \textbf{and} \textit{fixes} )$^*$ ] \\[2ex]
-
- \multicolumn{3}{l}{Declaration of Locales} \\
-
- \textit{locale} & ::=
- & \textit{element}$^+$ \\
- & | & \textit{expression} [ ``\textbf{+}'' \textit{element}$^+$ ] \\
- \textit{toplevel} & ::=
- & \textbf{locale} \textit{name} [ ``\textbf{=}''
- \textit{locale} ] \\[2ex]
-
- \multicolumn{3}{l}{Interpretation} \\
-
- \textit{equation} & ::= & [ \textit{attr-name} ``\textbf{:}'' ]
- \textit{prop} \\
- \textit{equations} & ::= & \textbf{where} \textit{equation} ( \textbf{and}
- \textit{equation} )$^*$ \\
- \textit{toplevel} & ::=
- & \textbf{sublocale} \textit{name} ( ``$<$'' $|$
- ``$\subseteq$'' ) \textit{expression} \textit{proof} \\
- & |
- & \textbf{interpretation}
- \textit{expression} [ \textit{equations} ] \textit{proof} \\
- & |
- & \textbf{interpret}
- \textit{expression} \textit{proof} \\[2ex]
-
- \multicolumn{3}{l}{Diagnostics} \\
-
- \textit{toplevel} & ::=
- & \textbf{print\_locales} \\
- & | & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{name} \\
- & | & \textbf{print\_interps} \textit{name}
-\end{tabular}
-\end{center}
-\hrule
-\caption{Syntax of Locale Commands.}
-\label{tab:commands}
-\end{table}
- *}
-
-text {* \textbf{Revision History.} For the present third revision of
- the tutorial, much of the explanatory text
- was rewritten. Inheritance of interpretation equations is
- available with the forthcoming release of Isabelle, which at the
- time of editing these notes is expected for the end of 2009.
- The second revision accommodates changes introduced by the locales
- reimplementation for Isabelle 2009. Most notably locale expressions
- have been generalised from renaming to instantiation. *}
-
-text {* \textbf{Acknowledgements.} Alexander Krauss, Tobias Nipkow,
- Randy Pollack, Andreas Schropp, Christian Sternagel and Makarius Wenzel
- have made
- useful comments on earlier versions of this document. The section
- on conditional interpretation was inspired by a number of e-mail
- enquiries the author received from locale users, and which suggested
- that this use case is important enough to deserve explicit
- explanation. The term \emph{conditional interpretation} is due to
- Larry Paulson. *}
-
-end
--- a/doc-src/Locales/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Locales/document/root.bib Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,117 +0,0 @@
-@unpublished{IsarRef,
- author = "Markus Wenzel",
- title = "The {Isabelle/Isar} Reference Manual",
- note = "Part of the Isabelle distribution, \url{http://isabelle.in.tum.de/doc/isar-ref.pdf}."
-}
-
-@book {Jacobson1985,
- author = "Nathan Jacobson",
- title = "Basic Algebra",
- volume = "I",
- publisher = "Freeman",
- edition = "2nd",
- year = 1985,
- available = { CB }
-}
-
-% TYPES 2006
-
-@inproceedings{HaftmannWenzel2007,
- author = "Florian Haftmann and Makarius Wenzel",
- title = "Constructive Type Classes in {Isabelle}",
- pages = "160--174",
- crossref = "AltenkirchMcBride2007",
- available = { CB }
-}
-
-@proceedings{AltenkirchMcBride2007,
- editor = "Thorsten Altenkirch and Connor McBride",
- title = "Types for Proofs and Programs, TYPES 2006, Nottingham, UK",
- booktitle = "Types for Proofs and Programs, TYPES 2006, Nottingham, UK",
- publisher = "Springer",
- series = "LNCS 4502",
- year = 2007
-}
-
-
-@techreport{Ballarin2006a,
- author = "Clemens Ballarin",
- title = "Interpretation of Locales in {Isabelle}: Managing Dependencies between Locales",
- institution = "Technische Universit{\"a}t M{\"u}nchen",
- number = "TUM-I0607",
- year = 2006
-}
-
-% TYPES 2003
-
-@inproceedings{Ballarin2004a,
- author = "Clemens Ballarin",
- title = "Locales and Locale Expressions in {Isabelle/Isar}",
- pages = "34--50",
- crossref = "BerardiEtAl2004"
-}
-
-@proceedings{BerardiEtAl2004,
- editor = "Stefano Berardi and Mario Coppo and Ferruccio Damiani",
- title = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
- booktitle = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
- publisher = "Springer",
- series = "LNCS 3085",
- year = 2004
-}
-
-% TYPES 2008
-
-@inproceedings{HaftmannWenzel2009,
- author = "Florian Haftmann and Makarius Wenzel",
- title = "Local theory specifications in {Isabelle}/{Isar}",
- pages = "153--168",
- crossref = "BerardiEtAl2009"
-}
-
-@proceedings{BerardiEtAl2009,
- editor = "Stefano Berardi and Ferruccio Damiani and Ugo de Liguoro",
- title = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
- booktitle = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
- series = "LNCS 5497",
- publisher = "Springer",
- year = 2009
-}
-
-% MKM 2006
-
-@inproceedings{Ballarin2006b,
- author = "Clemens Ballarin",
- title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts",
- pages = "31--43",
- crossref = "BorweinFarmer2006"
-}
-
-@proceedings{BorweinFarmer2006,
- editor = "Jonathan M. Borwein and William M. Farmer",
- title = "Mathematical knowledge management, MKM 2006, Wokingham, UK",
- booktitle = "Mathematical knowledge management, MKM 2006, Wokingham, UK",
- series = "LNCS 4108",
- publisher = "Springer",
- year = 2006,
- available = { CB }
-}
-
-% TPHOLs 1999
-
-@inproceedings{KammullerEtAl1999,
- author = "Florian Kamm{\"u}ller and Markus Wenzel and Lawrence C. Paulson",
- title = "Locales: A Sectioning Concept for {Isabelle}",
- pages = "149--165",
- crossref = "BertotEtAl1999",
- available = { CB }
-}
-
-@book{BertotEtAl1999,
- editor = "Y. Bertot and G. Dowek and A. Hirschowitz and C. Paulin and L. Th{\'e}ry",
- title = "Theorem Proving in Higher Order Logics: TPHOLs'99, Nice, France",
- booktitle = "Theorem Proving in Higher Order Logics: TPHOLs'99, Nice, France",
- publisher = "Springer",
- series = "LNCS 1690",
- year = 1999
-}
--- a/doc-src/Locales/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,62 +0,0 @@
-\documentclass[11pt,a4paper]{article}
-\usepackage{amsmath}
-\usepackage{isabelle,isabellesym}
-\usepackage{verbatim}
-\usepackage{alltt}
-\usepackage{array}
-
-\usepackage{amssymb}
-
-\usepackage{pdfsetup}
-
-\usepackage{ifpdf}
-\ifpdf\relax\else\def\pgfsysdriver{pgfsys-dvi.def}\fi
-\usepackage{tikz}
-\usepackage{subfigure}
-
-\isadroptag{theory}
-\isafoldtag{proof}
-
-% urls in roman style, theory text in typewriter
-\urlstyle{rm}
-\isabellestyle{tt}
-
-
-\begin{document}
-
-\title{Tutorial to Locales and Locale Interpretation%
-\thanks{Published in L.~Lamb\'an, A.~Romero, J.~Rubio, editors, {\em Contribuciones Cient\'{\i}ficas en honor de Mirian Andr\'es.} Servicio de Publicaciones de la Universidad de La Rioja, Logro\~no, Spain, 2010. Reproduced by permission.}}
-\author{Clemens Ballarin}
-\date{}
-
-\maketitle
-
-\begin{abstract}
- Locales are Isabelle's approach for dealing with parametric
- theories. They have been designed as a module system for a
- theorem prover that can adequately represent the complex
- inter-dependencies between structures found in abstract algebra, but
- have proven fruitful also in other applications --- for example,
- software verification.
-
- Both design and implementation of locales have evolved considerably
- since Kamm\"uller did his initial experiments. Today, locales
- are a simple yet powerful extension of the Isar proof language.
- The present tutorial covers all major facilities of locales. It is
- intended for locale novices; familiarity with Isabelle and Isar is
- presumed.
-\end{abstract}
-
-\parindent 0pt\parskip 0.5ex
-
-\input{session}
-
-\bibliographystyle{abbrv}
-\bibliography{root}
-
-\end{document}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/Logics/abstract.txt Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-Isabelle's Object-Logics. Report 286.
-
-This is the third of the Isabelle manuals. It covers Isabelle's built-in
-object logics: first-order logic (FOL), Zermelo-Fraenkel set theory (ZF),
-higher-order logic (HOL), the classical sequent calculus (LK), and
-constructive type theory (CTT). The final chapter discusses how to define
-new logics. This manual assumes familiarity with Report 280, Introduction
-to Isabelle.
--- a/doc-src/Logics/document/CTT.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1257 +0,0 @@
-\chapter{Constructive Type Theory}
-\index{Constructive Type Theory|(}
-
-\underscoreoff %this file contains _ in rule names
-
-Martin-L\"of's Constructive Type Theory \cite{martinlof84,nordstrom90} can
-be viewed at many different levels. It is a formal system that embodies
-the principles of intuitionistic mathematics; it embodies the
-interpretation of propositions as types; it is a vehicle for deriving
-programs from proofs.
-
-Thompson's book~\cite{thompson91} gives a readable and thorough account of
-Type Theory. Nuprl is an elaborate implementation~\cite{constable86}.
-{\sc alf} is a more recent tool that allows proof terms to be edited
-directly~\cite{alf}.
-
-Isabelle's original formulation of Type Theory was a kind of sequent
-calculus, following Martin-L\"of~\cite{martinlof84}. It included rules for
-building the context, namely variable bindings with their types. A typical
-judgement was
-\[ a(x@1,\ldots,x@n)\in A(x@1,\ldots,x@n) \;
- [ x@1\in A@1, x@2\in A@2(x@1), \ldots, x@n\in A@n(x@1,\ldots,x@{n-1}) ]
-\]
-This sequent calculus was not satisfactory because assumptions like
-`suppose $A$ is a type' or `suppose $B(x)$ is a type for all $x$ in $A$'
-could not be formalized.
-
-The theory~\thydx{CTT} implements Constructive Type Theory, using
-natural deduction. The judgement above is expressed using $\Forall$ and
-$\Imp$:
-\[ \begin{array}{r@{}l}
- \Forall x@1\ldots x@n. &
- \List{x@1\in A@1;
- x@2\in A@2(x@1); \cdots \;
- x@n\in A@n(x@1,\ldots,x@{n-1})} \Imp \\
- & \qquad\qquad a(x@1,\ldots,x@n)\in A(x@1,\ldots,x@n)
- \end{array}
-\]
-Assumptions can use all the judgement forms, for instance to express that
-$B$ is a family of types over~$A$:
-\[ \Forall x . x\in A \Imp B(x)\;{\rm type} \]
-To justify the CTT formulation it is probably best to appeal directly to the
-semantic explanations of the rules~\cite{martinlof84}, rather than to the
-rules themselves. The order of assumptions no longer matters, unlike in
-standard Type Theory. Contexts, which are typical of many modern type
-theories, are difficult to represent in Isabelle. In particular, it is
-difficult to enforce that all the variables in a context are distinct.
-\index{assumptions!in CTT}
-
-The theory does not use polymorphism. Terms in CTT have type~\tydx{i}, the
-type of individuals. Types in CTT have type~\tydx{t}.
-
-\begin{figure} \tabcolsep=1em %wider spacing in tables
-\begin{center}
-\begin{tabular}{rrr}
- \it name & \it meta-type & \it description \\
- \cdx{Type} & $t \to prop$ & judgement form \\
- \cdx{Eqtype} & $[t,t]\to prop$ & judgement form\\
- \cdx{Elem} & $[i, t]\to prop$ & judgement form\\
- \cdx{Eqelem} & $[i, i, t]\to prop$ & judgement form\\
- \cdx{Reduce} & $[i, i]\to prop$ & extra judgement form\\[2ex]
-
- \cdx{N} & $t$ & natural numbers type\\
- \cdx{0} & $i$ & constructor\\
- \cdx{succ} & $i\to i$ & constructor\\
- \cdx{rec} & $[i,i,[i,i]\to i]\to i$ & eliminator\\[2ex]
- \cdx{Prod} & $[t,i\to t]\to t$ & general product type\\
- \cdx{lambda} & $(i\to i)\to i$ & constructor\\[2ex]
- \cdx{Sum} & $[t, i\to t]\to t$ & general sum type\\
- \cdx{pair} & $[i,i]\to i$ & constructor\\
- \cdx{split} & $[i,[i,i]\to i]\to i$ & eliminator\\
- \cdx{fst} \cdx{snd} & $i\to i$ & projections\\[2ex]
- \cdx{inl} \cdx{inr} & $i\to i$ & constructors for $+$\\
- \cdx{when} & $[i,i\to i, i\to i]\to i$ & eliminator for $+$\\[2ex]
- \cdx{Eq} & $[t,i,i]\to t$ & equality type\\
- \cdx{eq} & $i$ & constructor\\[2ex]
- \cdx{F} & $t$ & empty type\\
- \cdx{contr} & $i\to i$ & eliminator\\[2ex]
- \cdx{T} & $t$ & singleton type\\
- \cdx{tt} & $i$ & constructor
-\end{tabular}
-\end{center}
-\caption{The constants of CTT} \label{ctt-constants}
-\end{figure}
-
-
-CTT supports all of Type Theory apart from list types, well-ordering types,
-and universes. Universes could be introduced {\em\`a la Tarski}, adding new
-constants as names for types. The formulation {\em\`a la Russell}, where
-types denote themselves, is only possible if we identify the meta-types~{\tt
- i} and~{\tt t}. Most published formulations of well-ordering types have
-difficulties involving extensionality of functions; I suggest that you use
-some other method for defining recursive types. List types are easy to
-introduce by declaring new rules.
-
-CTT uses the 1982 version of Type Theory, with extensional equality. The
-computation $a=b\in A$ and the equality $c\in Eq(A,a,b)$ are interchangeable.
-Its rewriting tactics prove theorems of the form $a=b\in A$. It could be
-modified to have intensional equality, but rewriting tactics would have to
-prove theorems of the form $c\in Eq(A,a,b)$ and the computation rules might
-require a separate simplifier.
-
-
-\begin{figure} \tabcolsep=1em %wider spacing in tables
-\index{lambda abs@$\lambda$-abstractions!in CTT}
-\begin{center}
-\begin{tabular}{llrrr}
- \it symbol &\it name &\it meta-type & \it priority & \it description \\
- \sdx{lam} & \cdx{lambda} & $(i\To o)\To i$ & 10 & $\lambda$-abstraction
-\end{tabular}
-\end{center}
-\subcaption{Binders}
-
-\begin{center}
-\index{*"` symbol}\index{function applications!in CTT}
-\index{*"+ symbol}
-\begin{tabular}{rrrr}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt ` & $[i,i]\to i$ & Left 55 & function application\\
- \tt + & $[t,t]\to t$ & Right 30 & sum of two types
-\end{tabular}
-\end{center}
-\subcaption{Infixes}
-
-\index{*"* symbol}
-\index{*"-"-"> symbol}
-\begin{center} \tt\frenchspacing
-\begin{tabular}{rrr}
- \it external & \it internal & \it standard notation \\
- \sdx{PROD} $x$:$A$ . $B[x]$ & Prod($A$, $\lambda x. B[x]$) &
- \rm product $\prod@{x\in A}B[x]$ \\
- \sdx{SUM} $x$:$A$ . $B[x]$ & Sum($A$, $\lambda x. B[x]$) &
- \rm sum $\sum@{x\in A}B[x]$ \\
- $A$ --> $B$ & Prod($A$, $\lambda x. B$) &
- \rm function space $A\to B$ \\
- $A$ * $B$ & Sum($A$, $\lambda x. B$) &
- \rm binary product $A\times B$
-\end{tabular}
-\end{center}
-\subcaption{Translations}
-
-\index{*"= symbol}
-\begin{center}
-\dquotes
-\[ \begin{array}{rcl}
-prop & = & type " type" \\
- & | & type " = " type \\
- & | & term " : " type \\
- & | & term " = " term " : " type
-\\[2ex]
-type & = & \hbox{expression of type~$t$} \\
- & | & "PROD~" id " : " type " . " type \\
- & | & "SUM~~" id " : " type " . " type
-\\[2ex]
-term & = & \hbox{expression of type~$i$} \\
- & | & "lam " id~id^* " . " term \\
- & | & "< " term " , " term " >"
-\end{array}
-\]
-\end{center}
-\subcaption{Grammar}
-\caption{Syntax of CTT} \label{ctt-syntax}
-\end{figure}
-
-%%%%\section{Generic Packages} typedsimp.ML????????????????
-
-
-\section{Syntax}
-The constants are shown in Fig.\ts\ref{ctt-constants}. The infixes include
-the function application operator (sometimes called `apply'), and the 2-place
-type operators. Note that meta-level abstraction and application, $\lambda
-x.b$ and $f(a)$, differ from object-level abstraction and application,
-\hbox{\tt lam $x$. $b$} and $b{\tt`}a$. A CTT function~$f$ is simply an
-individual as far as Isabelle is concerned: its Isabelle type is~$i$, not say
-$i\To i$.
-
-The notation for~CTT (Fig.\ts\ref{ctt-syntax}) is based on that of Nordstr\"om
-et al.~\cite{nordstrom90}. The empty type is called $F$ and the one-element
-type is $T$; other finite types are built as $T+T+T$, etc.
-
-\index{*SUM symbol}\index{*PROD symbol}
-Quantification is expressed by sums $\sum@{x\in A}B[x]$ and
-products $\prod@{x\in A}B[x]$. Instead of {\tt Sum($A$,$B$)} and {\tt
- Prod($A$,$B$)} we may write \hbox{\tt SUM $x$:$A$.\ $B[x]$} and \hbox{\tt
- PROD $x$:$A$.\ $B[x]$}. For example, we may write
-\begin{ttbox}
-SUM y:B. PROD x:A. C(x,y) {\rm for} Sum(B, \%y. Prod(A, \%x. C(x,y)))
-\end{ttbox}
-The special cases as \hbox{\tt$A$*$B$} and \hbox{\tt$A$-->$B$} abbreviate
-general sums and products over a constant family.\footnote{Unlike normal
-infix operators, {\tt*} and {\tt-->} merely define abbreviations; there are
-no constants~{\tt op~*} and~\hbox{\tt op~-->}.} Isabelle accepts these
-abbreviations in parsing and uses them whenever possible for printing.
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{refl_type} A type ==> A = A
-\tdx{refl_elem} a : A ==> a = a : A
-
-\tdx{sym_type} A = B ==> B = A
-\tdx{sym_elem} a = b : A ==> b = a : A
-
-\tdx{trans_type} [| A = B; B = C |] ==> A = C
-\tdx{trans_elem} [| a = b : A; b = c : A |] ==> a = c : A
-
-\tdx{equal_types} [| a : A; A = B |] ==> a : B
-\tdx{equal_typesL} [| a = b : A; A = B |] ==> a = b : B
-
-\tdx{subst_type} [| a : A; !!z. z:A ==> B(z) type |] ==> B(a) type
-\tdx{subst_typeL} [| a = c : A; !!z. z:A ==> B(z) = D(z)
- |] ==> B(a) = D(c)
-
-\tdx{subst_elem} [| a : A; !!z. z:A ==> b(z):B(z) |] ==> b(a):B(a)
-\tdx{subst_elemL} [| a = c : A; !!z. z:A ==> b(z) = d(z) : B(z)
- |] ==> b(a) = d(c) : B(a)
-
-\tdx{refl_red} Reduce(a,a)
-\tdx{red_if_equal} a = b : A ==> Reduce(a,b)
-\tdx{trans_red} [| a = b : A; Reduce(b,c) |] ==> a = c : A
-\end{ttbox}
-\caption{General equality rules} \label{ctt-equality}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{NF} N type
-
-\tdx{NI0} 0 : N
-\tdx{NI_succ} a : N ==> succ(a) : N
-\tdx{NI_succL} a = b : N ==> succ(a) = succ(b) : N
-
-\tdx{NE} [| p: N; a: C(0);
- !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
- |] ==> rec(p, a, \%u v. b(u,v)) : C(p)
-
-\tdx{NEL} [| p = q : N; a = c : C(0);
- !!u v. [| u: N; v: C(u) |] ==> b(u,v)=d(u,v): C(succ(u))
- |] ==> rec(p, a, \%u v. b(u,v)) = rec(q,c,d) : C(p)
-
-\tdx{NC0} [| a: C(0);
- !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
- |] ==> rec(0, a, \%u v. b(u,v)) = a : C(0)
-
-\tdx{NC_succ} [| p: N; a: C(0);
- !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
- |] ==> rec(succ(p), a, \%u v. b(u,v)) =
- b(p, rec(p, a, \%u v. b(u,v))) : C(succ(p))
-
-\tdx{zero_ne_succ} [| a: N; 0 = succ(a) : N |] ==> 0: F
-\end{ttbox}
-\caption{Rules for type~$N$} \label{ctt-N}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{ProdF} [| A type; !!x. x:A ==> B(x) type |] ==> PROD x:A. B(x) type
-\tdx{ProdFL} [| A = C; !!x. x:A ==> B(x) = D(x) |] ==>
- PROD x:A. B(x) = PROD x:C. D(x)
-
-\tdx{ProdI} [| A type; !!x. x:A ==> b(x):B(x)
- |] ==> lam x. b(x) : PROD x:A. B(x)
-\tdx{ProdIL} [| A type; !!x. x:A ==> b(x) = c(x) : B(x)
- |] ==> lam x. b(x) = lam x. c(x) : PROD x:A. B(x)
-
-\tdx{ProdE} [| p : PROD x:A. B(x); a : A |] ==> p`a : B(a)
-\tdx{ProdEL} [| p=q: PROD x:A. B(x); a=b : A |] ==> p`a = q`b : B(a)
-
-\tdx{ProdC} [| a : A; !!x. x:A ==> b(x) : B(x)
- |] ==> (lam x. b(x)) ` a = b(a) : B(a)
-
-\tdx{ProdC2} p : PROD x:A. B(x) ==> (lam x. p`x) = p : PROD x:A. B(x)
-\end{ttbox}
-\caption{Rules for the product type $\prod\sb{x\in A}B[x]$} \label{ctt-prod}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{SumF} [| A type; !!x. x:A ==> B(x) type |] ==> SUM x:A. B(x) type
-\tdx{SumFL} [| A = C; !!x. x:A ==> B(x) = D(x)
- |] ==> SUM x:A. B(x) = SUM x:C. D(x)
-
-\tdx{SumI} [| a : A; b : B(a) |] ==> <a,b> : SUM x:A. B(x)
-\tdx{SumIL} [| a=c:A; b=d:B(a) |] ==> <a,b> = <c,d> : SUM x:A. B(x)
-
-\tdx{SumE} [| p: SUM x:A. B(x);
- !!x y. [| x:A; y:B(x) |] ==> c(x,y): C(<x,y>)
- |] ==> split(p, \%x y. c(x,y)) : C(p)
-
-\tdx{SumEL} [| p=q : SUM x:A. B(x);
- !!x y. [| x:A; y:B(x) |] ==> c(x,y)=d(x,y): C(<x,y>)
- |] ==> split(p, \%x y. c(x,y)) = split(q, \%x y. d(x,y)) : C(p)
-
-\tdx{SumC} [| a: A; b: B(a);
- !!x y. [| x:A; y:B(x) |] ==> c(x,y): C(<x,y>)
- |] ==> split(<a,b>, \%x y. c(x,y)) = c(a,b) : C(<a,b>)
-
-\tdx{fst_def} fst(a) == split(a, \%x y. x)
-\tdx{snd_def} snd(a) == split(a, \%x y. y)
-\end{ttbox}
-\caption{Rules for the sum type $\sum\sb{x\in A}B[x]$} \label{ctt-sum}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{PlusF} [| A type; B type |] ==> A+B type
-\tdx{PlusFL} [| A = C; B = D |] ==> A+B = C+D
-
-\tdx{PlusI_inl} [| a : A; B type |] ==> inl(a) : A+B
-\tdx{PlusI_inlL} [| a = c : A; B type |] ==> inl(a) = inl(c) : A+B
-
-\tdx{PlusI_inr} [| A type; b : B |] ==> inr(b) : A+B
-\tdx{PlusI_inrL} [| A type; b = d : B |] ==> inr(b) = inr(d) : A+B
-
-\tdx{PlusE} [| p: A+B;
- !!x. x:A ==> c(x): C(inl(x));
- !!y. y:B ==> d(y): C(inr(y))
- |] ==> when(p, \%x. c(x), \%y. d(y)) : C(p)
-
-\tdx{PlusEL} [| p = q : A+B;
- !!x. x: A ==> c(x) = e(x) : C(inl(x));
- !!y. y: B ==> d(y) = f(y) : C(inr(y))
- |] ==> when(p, \%x. c(x), \%y. d(y)) =
- when(q, \%x. e(x), \%y. f(y)) : C(p)
-
-\tdx{PlusC_inl} [| a: A;
- !!x. x:A ==> c(x): C(inl(x));
- !!y. y:B ==> d(y): C(inr(y))
- |] ==> when(inl(a), \%x. c(x), \%y. d(y)) = c(a) : C(inl(a))
-
-\tdx{PlusC_inr} [| b: B;
- !!x. x:A ==> c(x): C(inl(x));
- !!y. y:B ==> d(y): C(inr(y))
- |] ==> when(inr(b), \%x. c(x), \%y. d(y)) = d(b) : C(inr(b))
-\end{ttbox}
-\caption{Rules for the binary sum type $A+B$} \label{ctt-plus}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{FF} F type
-\tdx{FE} [| p: F; C type |] ==> contr(p) : C
-\tdx{FEL} [| p = q : F; C type |] ==> contr(p) = contr(q) : C
-
-\tdx{TF} T type
-\tdx{TI} tt : T
-\tdx{TE} [| p : T; c : C(tt) |] ==> c : C(p)
-\tdx{TEL} [| p = q : T; c = d : C(tt) |] ==> c = d : C(p)
-\tdx{TC} p : T ==> p = tt : T)
-\end{ttbox}
-
-\caption{Rules for types $F$ and $T$} \label{ctt-ft}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{EqF} [| A type; a : A; b : A |] ==> Eq(A,a,b) type
-\tdx{EqFL} [| A=B; a=c: A; b=d : A |] ==> Eq(A,a,b) = Eq(B,c,d)
-\tdx{EqI} a = b : A ==> eq : Eq(A,a,b)
-\tdx{EqE} p : Eq(A,a,b) ==> a = b : A
-\tdx{EqC} p : Eq(A,a,b) ==> p = eq : Eq(A,a,b)
-\end{ttbox}
-\caption{Rules for the equality type $Eq(A,a,b)$} \label{ctt-eq}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{replace_type} [| B = A; a : A |] ==> a : B
-\tdx{subst_eqtyparg} [| a=c : A; !!z. z:A ==> B(z) type |] ==> B(a)=B(c)
-
-\tdx{subst_prodE} [| p: Prod(A,B); a: A; !!z. z: B(a) ==> c(z): C(z)
- |] ==> c(p`a): C(p`a)
-
-\tdx{SumIL2} [| c=a : A; d=b : B(a) |] ==> <c,d> = <a,b> : Sum(A,B)
-
-\tdx{SumE_fst} p : Sum(A,B) ==> fst(p) : A
-
-\tdx{SumE_snd} [| p: Sum(A,B); A type; !!x. x:A ==> B(x) type
- |] ==> snd(p) : B(fst(p))
-\end{ttbox}
-
-\caption{Derived rules for CTT} \label{ctt-derived}
-\end{figure}
-
-
-\section{Rules of inference}
-The rules obey the following naming conventions. Type formation rules have
-the suffix~{\tt F}\@. Introduction rules have the suffix~{\tt I}\@.
-Elimination rules have the suffix~{\tt E}\@. Computation rules, which
-describe the reduction of eliminators, have the suffix~{\tt C}\@. The
-equality versions of the rules (which permit reductions on subterms) are
-called {\bf long} rules; their names have the suffix~{\tt L}\@.
-Introduction and computation rules are often further suffixed with
-constructor names.
-
-Figure~\ref{ctt-equality} presents the equality rules. Most of them are
-straightforward: reflexivity, symmetry, transitivity and substitution. The
-judgement \cdx{Reduce} does not belong to Type Theory proper; it has
-been added to implement rewriting. The judgement ${\tt Reduce}(a,b)$ holds
-when $a=b:A$ holds. It also holds when $a$ and $b$ are syntactically
-identical, even if they are ill-typed, because rule {\tt refl_red} does
-not verify that $a$ belongs to $A$.
-
-The {\tt Reduce} rules do not give rise to new theorems about the standard
-judgements. The only rule with {\tt Reduce} in a premise is
-{\tt trans_red}, whose other premise ensures that $a$ and~$b$ (and thus
-$c$) are well-typed.
-
-Figure~\ref{ctt-N} presents the rules for~$N$, the type of natural numbers.
-They include \tdx{zero_ne_succ}, which asserts $0\not=n+1$. This is
-the fourth Peano axiom and cannot be derived without universes \cite[page
-91]{martinlof84}.
-
-The constant \cdx{rec} constructs proof terms when mathematical
-induction, rule~\tdx{NE}, is applied. It can also express primitive
-recursion. Since \cdx{rec} can be applied to higher-order functions,
-it can even express Ackermann's function, which is not primitive recursive
-\cite[page~104]{thompson91}.
-
-Figure~\ref{ctt-prod} shows the rules for general product types, which
-include function types as a special case. The rules correspond to the
-predicate calculus rules for universal quantifiers and implication. They
-also permit reasoning about functions, with the rules of a typed
-$\lambda$-calculus.
-
-Figure~\ref{ctt-sum} shows the rules for general sum types, which
-include binary product types as a special case. The rules correspond to the
-predicate calculus rules for existential quantifiers and conjunction. They
-also permit reasoning about ordered pairs, with the projections
-\cdx{fst} and~\cdx{snd}.
-
-Figure~\ref{ctt-plus} shows the rules for binary sum types. They
-correspond to the predicate calculus rules for disjunction. They also
-permit reasoning about disjoint sums, with the injections \cdx{inl}
-and~\cdx{inr} and case analysis operator~\cdx{when}.
-
-Figure~\ref{ctt-ft} shows the rules for the empty and unit types, $F$
-and~$T$. They correspond to the predicate calculus rules for absurdity and
-truth.
-
-Figure~\ref{ctt-eq} shows the rules for equality types. If $a=b\in A$ is
-provable then \cdx{eq} is a canonical element of the type $Eq(A,a,b)$,
-and vice versa. These rules define extensional equality; the most recent
-versions of Type Theory use intensional equality~\cite{nordstrom90}.
-
-Figure~\ref{ctt-derived} presents the derived rules. The rule
-\tdx{subst_prodE} is derived from {\tt prodE}, and is easier to use
-in backwards proof. The rules \tdx{SumE_fst} and \tdx{SumE_snd}
-express the typing of~\cdx{fst} and~\cdx{snd}; together, they are
-roughly equivalent to~{\tt SumE} with the advantage of creating no
-parameters. Section~\ref{ctt-choice} below demonstrates these rules in a
-proof of the Axiom of Choice.
-
-All the rules are given in $\eta$-expanded form. For instance, every
-occurrence of $\lambda u\,v. b(u,v)$ could be abbreviated to~$b$ in the
-rules for~$N$. The expanded form permits Isabelle to preserve bound
-variable names during backward proof. Names of bound variables in the
-conclusion (here, $u$ and~$v$) are matched with corresponding bound
-variables in the premises.
-
-
-\section{Rule lists}
-The Type Theory tactics provide rewriting, type inference, and logical
-reasoning. Many proof procedures work by repeatedly resolving certain Type
-Theory rules against a proof state. CTT defines lists --- each with
-type
-\hbox{\tt thm list} --- of related rules.
-\begin{ttdescription}
-\item[\ttindexbold{form_rls}]
-contains formation rules for the types $N$, $\Pi$, $\Sigma$, $+$, $Eq$,
-$F$, and $T$.
-
-\item[\ttindexbold{formL_rls}]
-contains long formation rules for $\Pi$, $\Sigma$, $+$, and $Eq$. (For
-other types use \tdx{refl_type}.)
-
-\item[\ttindexbold{intr_rls}]
-contains introduction rules for the types $N$, $\Pi$, $\Sigma$, $+$, and
-$T$.
-
-\item[\ttindexbold{intrL_rls}]
-contains long introduction rules for $N$, $\Pi$, $\Sigma$, and $+$. (For
-$T$ use \tdx{refl_elem}.)
-
-\item[\ttindexbold{elim_rls}]
-contains elimination rules for the types $N$, $\Pi$, $\Sigma$, $+$, and
-$F$. The rules for $Eq$ and $T$ are omitted because they involve no
-eliminator.
-
-\item[\ttindexbold{elimL_rls}]
-contains long elimination rules for $N$, $\Pi$, $\Sigma$, $+$, and $F$.
-
-\item[\ttindexbold{comp_rls}]
-contains computation rules for the types $N$, $\Pi$, $\Sigma$, and $+$.
-Those for $Eq$ and $T$ involve no eliminator.
-
-\item[\ttindexbold{basic_defs}]
-contains the definitions of {\tt fst} and {\tt snd}.
-\end{ttdescription}
-
-
-\section{Tactics for subgoal reordering}
-\begin{ttbox}
-test_assume_tac : int -> tactic
-typechk_tac : thm list -> tactic
-equal_tac : thm list -> tactic
-intr_tac : thm list -> tactic
-\end{ttbox}
-Blind application of CTT rules seldom leads to a proof. The elimination
-rules, especially, create subgoals containing new unknowns. These subgoals
-unify with anything, creating a huge search space. The standard tactic
-\ttindex{filt_resolve_tac}
-(see \iflabelundefined{filt_resolve_tac}{the {\em Reference Manual\/}}%
- {\S\ref{filt_resolve_tac}})
-%
-fails for goals that are too flexible; so does the CTT tactic {\tt
- test_assume_tac}. Used with the tactical \ttindex{REPEAT_FIRST} they
-achieve a simple kind of subgoal reordering: the less flexible subgoals are
-attempted first. Do some single step proofs, or study the examples below,
-to see why this is necessary.
-\begin{ttdescription}
-\item[\ttindexbold{test_assume_tac} $i$]
-uses {\tt assume_tac} to solve the subgoal by assumption, but only if
-subgoal~$i$ has the form $a\in A$ and the head of $a$ is not an unknown.
-Otherwise, it fails.
-
-\item[\ttindexbold{typechk_tac} $thms$]
-uses $thms$ with formation, introduction, and elimination rules to check
-the typing of constructions. It is designed to solve goals of the form
-$a\in \Var{A}$, where $a$ is rigid and $\Var{A}$ is flexible; thus it
-performs type inference. The tactic can also solve goals of
-the form $A\;\rm type$.
-
-\item[\ttindexbold{equal_tac} $thms$]
-uses $thms$ with the long introduction and elimination rules to solve goals
-of the form $a=b\in A$, where $a$ is rigid. It is intended for deriving
-the long rules for defined constants such as the arithmetic operators. The
-tactic can also perform type-checking.
-
-\item[\ttindexbold{intr_tac} $thms$]
-uses $thms$ with the introduction rules to break down a type. It is
-designed for goals like $\Var{a}\in A$ where $\Var{a}$ is flexible and $A$
-rigid. These typically arise when trying to prove a proposition~$A$,
-expressed as a type.
-\end{ttdescription}
-
-
-
-\section{Rewriting tactics}
-\begin{ttbox}
-rew_tac : thm list -> tactic
-hyp_rew_tac : thm list -> tactic
-\end{ttbox}
-Object-level simplification is accomplished through proof, using the {\tt
- CTT} equality rules and the built-in rewriting functor
-{\tt TSimpFun}.%
-\footnote{This should not be confused with Isabelle's main simplifier; {\tt
- TSimpFun} is only useful for CTT and similar logics with type inference
- rules. At present it is undocumented.}
-%
-The rewrites include the computation rules and other equations. The long
-versions of the other rules permit rewriting of subterms and subtypes.
-Also used are transitivity and the extra judgement form \cdx{Reduce}.
-Meta-level simplification handles only definitional equality.
-\begin{ttdescription}
-\item[\ttindexbold{rew_tac} $thms$]
-applies $thms$ and the computation rules as left-to-right rewrites. It
-solves the goal $a=b\in A$ by rewriting $a$ to $b$. If $b$ is an unknown
-then it is assigned the rewritten form of~$a$. All subgoals are rewritten.
-
-\item[\ttindexbold{hyp_rew_tac} $thms$]
-is like {\tt rew_tac}, but includes as rewrites any equations present in
-the assumptions.
-\end{ttdescription}
-
-
-\section{Tactics for logical reasoning}
-Interpreting propositions as types lets CTT express statements of
-intuitionistic logic. However, Constructive Type Theory is not just another
-syntax for first-order logic. There are fundamental differences.
-
-\index{assumptions!in CTT}
-Can assumptions be deleted after use? Not every occurrence of a type
-represents a proposition, and Type Theory assumptions declare variables.
-In first-order logic, $\disj$-elimination with the assumption $P\disj Q$
-creates one subgoal assuming $P$ and another assuming $Q$, and $P\disj Q$
-can be deleted safely. In Type Theory, $+$-elimination with the assumption
-$z\in A+B$ creates one subgoal assuming $x\in A$ and another assuming $y\in
-B$ (for arbitrary $x$ and $y$). Deleting $z\in A+B$ when other assumptions
-refer to $z$ may render the subgoal unprovable: arguably,
-meaningless.
-
-Isabelle provides several tactics for predicate calculus reasoning in CTT:
-\begin{ttbox}
-mp_tac : int -> tactic
-add_mp_tac : int -> tactic
-safestep_tac : thm list -> int -> tactic
-safe_tac : thm list -> int -> tactic
-step_tac : thm list -> int -> tactic
-pc_tac : thm list -> int -> tactic
-\end{ttbox}
-These are loosely based on the intuitionistic proof procedures
-of~\thydx{FOL}. For the reasons discussed above, a rule that is safe for
-propositional reasoning may be unsafe for type-checking; thus, some of the
-`safe' tactics are misnamed.
-\begin{ttdescription}
-\item[\ttindexbold{mp_tac} $i$]
-searches in subgoal~$i$ for assumptions of the form $f\in\Pi(A,B)$ and
-$a\in A$, where~$A$ may be found by unification. It replaces
-$f\in\Pi(A,B)$ by $z\in B(a)$, where~$z$ is a new parameter. The tactic
-can produce multiple outcomes for each suitable pair of assumptions. In
-short, {\tt mp_tac} performs Modus Ponens among the assumptions.
-
-\item[\ttindexbold{add_mp_tac} $i$]
-is like {\tt mp_tac}~$i$ but retains the assumption $f\in\Pi(A,B)$. It
-avoids information loss but obviously loops if repeated.
-
-\item[\ttindexbold{safestep_tac} $thms$ $i$]
-attacks subgoal~$i$ using formation rules and certain other `safe' rules
-(\tdx{FE}, \tdx{ProdI}, \tdx{SumE}, \tdx{PlusE}), calling
-{\tt mp_tac} when appropriate. It also uses~$thms$,
-which are typically premises of the rule being derived.
-
-\item[\ttindexbold{safe_tac} $thms$ $i$] attempts to solve subgoal~$i$ by
- means of backtracking, using {\tt safestep_tac}.
-
-\item[\ttindexbold{step_tac} $thms$ $i$]
-tries to reduce subgoal~$i$ using {\tt safestep_tac}, then tries unsafe
-rules. It may produce multiple outcomes.
-
-\item[\ttindexbold{pc_tac} $thms$ $i$]
-tries to solve subgoal~$i$ by backtracking, using {\tt step_tac}.
-\end{ttdescription}
-
-
-
-\begin{figure}
-\index{#+@{\tt\#+} symbol}
-\index{*"- symbol}
-\index{#*@{\tt\#*} symbol}
-\index{*div symbol}
-\index{*mod symbol}
-
-\index{absolute difference}
-\index{"!-"!@{\tt\char124-\char124} symbol}
-%\char124 is vertical bar. We use ! because | stopped working
-
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt \#* & $[i,i]\To i$ & Left 70 & multiplication \\
- \tt div & $[i,i]\To i$ & Left 70 & division\\
- \tt mod & $[i,i]\To i$ & Left 70 & modulus\\
- \tt \#+ & $[i,i]\To i$ & Left 65 & addition\\
- \tt - & $[i,i]\To i$ & Left 65 & subtraction\\
- \verb'|-|' & $[i,i]\To i$ & Left 65 & absolute difference
-\end{constants}
-
-\begin{ttbox}
-\tdx{add_def} a#+b == rec(a, b, \%u v. succ(v))
-\tdx{diff_def} a-b == rec(b, a, \%u v. rec(v, 0, \%x y. x))
-\tdx{absdiff_def} a|-|b == (a-b) #+ (b-a)
-\tdx{mult_def} a#*b == rec(a, 0, \%u v. b #+ v)
-
-\tdx{mod_def} a mod b ==
- rec(a, 0, \%u v. rec(succ(v) |-| b, 0, \%x y. succ(v)))
-
-\tdx{div_def} a div b ==
- rec(a, 0, \%u v. rec(succ(u) mod b, succ(v), \%x y. v))
-
-\tdx{add_typing} [| a:N; b:N |] ==> a #+ b : N
-\tdx{addC0} b:N ==> 0 #+ b = b : N
-\tdx{addC_succ} [| a:N; b:N |] ==> succ(a) #+ b = succ(a #+ b) : N
-
-\tdx{add_assoc} [| a:N; b:N; c:N |] ==>
- (a #+ b) #+ c = a #+ (b #+ c) : N
-
-\tdx{add_commute} [| a:N; b:N |] ==> a #+ b = b #+ a : N
-
-\tdx{mult_typing} [| a:N; b:N |] ==> a #* b : N
-\tdx{multC0} b:N ==> 0 #* b = 0 : N
-\tdx{multC_succ} [| a:N; b:N |] ==> succ(a) #* b = b #+ (a#*b) : N
-\tdx{mult_commute} [| a:N; b:N |] ==> a #* b = b #* a : N
-
-\tdx{add_mult_dist} [| a:N; b:N; c:N |] ==>
- (a #+ b) #* c = (a #* c) #+ (b #* c) : N
-
-\tdx{mult_assoc} [| a:N; b:N; c:N |] ==>
- (a #* b) #* c = a #* (b #* c) : N
-
-\tdx{diff_typing} [| a:N; b:N |] ==> a - b : N
-\tdx{diffC0} a:N ==> a - 0 = a : N
-\tdx{diff_0_eq_0} b:N ==> 0 - b = 0 : N
-\tdx{diff_succ_succ} [| a:N; b:N |] ==> succ(a) - succ(b) = a - b : N
-\tdx{diff_self_eq_0} a:N ==> a - a = 0 : N
-\tdx{add_inverse_diff} [| a:N; b:N; b-a=0 : N |] ==> b #+ (a-b) = a : N
-\end{ttbox}
-\caption{The theory of arithmetic} \label{ctt_arith}
-\end{figure}
-
-
-\section{A theory of arithmetic}
-\thydx{Arith} is a theory of elementary arithmetic. It proves the
-properties of addition, multiplication, subtraction, division, and
-remainder, culminating in the theorem
-\[ a \bmod b + (a/b)\times b = a. \]
-Figure~\ref{ctt_arith} presents the definitions and some of the key
-theorems, including commutative, distributive, and associative laws.
-
-The operators~\verb'#+', \verb'-', \verb'|-|', \verb'#*', \verb'mod'
-and~\verb'div' stand for sum, difference, absolute difference, product,
-remainder and quotient, respectively. Since Type Theory has only primitive
-recursion, some of their definitions may be obscure.
-
-The difference~$a-b$ is computed by taking $b$ predecessors of~$a$, where
-the predecessor function is $\lambda v. {\tt rec}(v, 0, \lambda x\,y. x)$.
-
-The remainder $a\bmod b$ counts up to~$a$ in a cyclic fashion, using 0
-as the successor of~$b-1$. Absolute difference is used to test the
-equality $succ(v)=b$.
-
-The quotient $a/b$ is computed by adding one for every number $x$
-such that $0\leq x \leq a$ and $x\bmod b = 0$.
-
-
-
-\section{The examples directory}
-This directory contains examples and experimental proofs in CTT.
-\begin{ttdescription}
-\item[CTT/ex/typechk.ML]
-contains simple examples of type-checking and type deduction.
-
-\item[CTT/ex/elim.ML]
-contains some examples from Martin-L\"of~\cite{martinlof84}, proved using
-{\tt pc_tac}.
-
-\item[CTT/ex/equal.ML]
-contains simple examples of rewriting.
-
-\item[CTT/ex/synth.ML]
-demonstrates the use of unknowns with some trivial examples of program
-synthesis.
-\end{ttdescription}
-
-
-\section{Example: type inference}
-Type inference involves proving a goal of the form $a\in\Var{A}$, where $a$
-is a term and $\Var{A}$ is an unknown standing for its type. The type,
-initially
-unknown, takes shape in the course of the proof. Our example is the
-predecessor function on the natural numbers.
-\begin{ttbox}
-Goal "lam n. rec(n, 0, \%x y. x) : ?A";
-{\out Level 0}
-{\out lam n. rec(n,0,\%x y. x) : ?A}
-{\out 1. lam n. rec(n,0,\%x y. x) : ?A}
-\end{ttbox}
-Since the term is a Constructive Type Theory $\lambda$-abstraction (not to
-be confused with a meta-level abstraction), we apply the rule
-\tdx{ProdI}, for $\Pi$-introduction. This instantiates~$\Var{A}$ to a
-product type of unknown domain and range.
-\begin{ttbox}
-by (resolve_tac [ProdI] 1);
-{\out Level 1}
-{\out lam n. rec(n,0,\%x y. x) : PROD x:?A1. ?B1(x)}
-{\out 1. ?A1 type}
-{\out 2. !!n. n : ?A1 ==> rec(n,0,\%x y. x) : ?B1(n)}
-\end{ttbox}
-Subgoal~1 is too flexible. It can be solved by instantiating~$\Var{A@1}$
-to any type, but most instantiations will invalidate subgoal~2. We
-therefore tackle the latter subgoal. It asks the type of a term beginning
-with {\tt rec}, which can be found by $N$-elimination.%
-\index{*NE theorem}
-\begin{ttbox}
-by (eresolve_tac [NE] 2);
-{\out Level 2}
-{\out lam n. rec(n,0,\%x y. x) : PROD x:N. ?C2(x,x)}
-{\out 1. N type}
-{\out 2. !!n. 0 : ?C2(n,0)}
-{\out 3. !!n x y. [| x : N; y : ?C2(n,x) |] ==> x : ?C2(n,succ(x))}
-\end{ttbox}
-Subgoal~1 is no longer flexible: we now know~$\Var{A@1}$ is the type of
-natural numbers. However, let us continue proving nontrivial subgoals.
-Subgoal~2 asks, what is the type of~0?\index{*NIO theorem}
-\begin{ttbox}
-by (resolve_tac [NI0] 2);
-{\out Level 3}
-{\out lam n. rec(n,0,\%x y. x) : N --> N}
-{\out 1. N type}
-{\out 2. !!n x y. [| x : N; y : N |] ==> x : N}
-\end{ttbox}
-The type~$\Var{A}$ is now fully determined. It is the product type
-$\prod@{x\in N}N$, which is shown as the function type $N\to N$ because
-there is no dependence on~$x$. But we must prove all the subgoals to show
-that the original term is validly typed. Subgoal~2 is provable by
-assumption and the remaining subgoal falls by $N$-formation.%
-\index{*NF theorem}
-\begin{ttbox}
-by (assume_tac 2);
-{\out Level 4}
-{\out lam n. rec(n,0,\%x y. x) : N --> N}
-{\out 1. N type}
-\ttbreak
-by (resolve_tac [NF] 1);
-{\out Level 5}
-{\out lam n. rec(n,0,\%x y. x) : N --> N}
-{\out No subgoals!}
-\end{ttbox}
-Calling \ttindex{typechk_tac} can prove this theorem in one step.
-
-Even if the original term is ill-typed, one can infer a type for it, but
-unprovable subgoals will be left. As an exercise, try to prove the
-following invalid goal:
-\begin{ttbox}
-Goal "lam n. rec(n, 0, \%x y. tt) : ?A";
-\end{ttbox}
-
-
-
-\section{An example of logical reasoning}
-Logical reasoning in Type Theory involves proving a goal of the form
-$\Var{a}\in A$, where type $A$ expresses a proposition and $\Var{a}$ stands
-for its proof term, a value of type $A$. The proof term is initially
-unknown and takes shape during the proof.
-
-Our example expresses a theorem about quantifiers in a sorted logic:
-\[ \infer{(\ex{x\in A}P(x)) \disj (\ex{x\in A}Q(x))}
- {\ex{x\in A}P(x)\disj Q(x)}
-\]
-By the propositions-as-types principle, this is encoded
-using~$\Sigma$ and~$+$ types. A special case of it expresses a
-distributive law of Type Theory:
-\[ \infer{(A\times B) + (A\times C)}{A\times(B+C)} \]
-Generalizing this from $\times$ to $\Sigma$, and making the typing
-conditions explicit, yields the rule we must derive:
-\[ \infer{\Var{a} \in (\sum@{x\in A} B(x)) + (\sum@{x\in A} C(x))}
- {\hbox{$A$ type} &
- \infer*{\hbox{$B(x)$ type}}{[x\in A]} &
- \infer*{\hbox{$C(x)$ type}}{[x\in A]} &
- p\in \sum@{x\in A} B(x)+C(x)}
-\]
-To begin, we bind the rule's premises --- returned by the~{\tt goal}
-command --- to the {\ML} variable~{\tt prems}.
-\begin{ttbox}
-val prems = Goal
- "[| A type; \ttback
-\ttback !!x. x:A ==> B(x) type; \ttback
-\ttback !!x. x:A ==> C(x) type; \ttback
-\ttback p: SUM x:A. B(x) + C(x) \ttback
-\ttback |] ==> ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))";
-{\out Level 0}
-{\out ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\ttbreak
-{\out val prems = ["A type [A type]",}
-{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
-{\out "?x : A ==> C(?x) type [!!x. x : A ==> C(x) type]",}
-{\out "p : SUM x:A. B(x) + C(x) [p : SUM x:A. B(x) + C(x)]"]}
-{\out : thm list}
-\end{ttbox}
-The last premise involves the sum type~$\Sigma$. Since it is a premise
-rather than the assumption of a goal, it cannot be found by {\tt
- eresolve_tac}. We could insert it (and the other atomic premise) by
-calling
-\begin{ttbox}
-cut_facts_tac prems 1;
-\end{ttbox}
-A forward proof step is more straightforward here. Let us resolve the
-$\Sigma$-elimination rule with the premises using~\ttindex{RL}. This
-inference yields one result, which we supply to {\tt
- resolve_tac}.\index{*SumE theorem}
-\begin{ttbox}
-by (resolve_tac (prems RL [SumE]) 1);
-{\out Level 1}
-{\out split(p,?c1) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y.}
-{\out [| x : A; y : B(x) + C(x) |] ==>}
-{\out ?c1(x,y) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-The subgoal has two new parameters, $x$ and~$y$. In the main goal,
-$\Var{a}$ has been instantiated with a \cdx{split} term. The
-assumption $y\in B(x) + C(x)$ is eliminated next, causing a case split and
-creating the parameter~$xa$. This inference also inserts~\cdx{when}
-into the main goal.\index{*PlusE theorem}
-\begin{ttbox}
-by (eresolve_tac [PlusE] 1);
-{\out Level 2}
-{\out split(p,\%x y. when(y,?c2(x,y),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y xa.}
-{\out [| x : A; xa : B(x) |] ==>}
-{\out ?c2(x,y,xa) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\ttbreak
-{\out 2. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-To complete the proof object for the main goal, we need to instantiate the
-terms $\Var{c@2}(x,y,xa)$ and $\Var{d@2}(x,y,xa)$. We attack subgoal~1 by
-a~$+$-introduction rule; since the goal assumes $xa\in B(x)$, we take the left
-injection~(\cdx{inl}).
-\index{*PlusI_inl theorem}
-\begin{ttbox}
-by (resolve_tac [PlusI_inl] 1);
-{\out Level 3}
-{\out split(p,\%x y. when(y,\%xa. inl(?a3(x,y,xa)),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?a3(x,y,xa) : SUM x:A. B(x)}
-{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
-\ttbreak
-{\out 3. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-A new subgoal~2 has appeared, to verify that $\sum@{x\in A}C(x)$ is a type.
-Continuing to work on subgoal~1, we apply the $\Sigma$-introduction rule.
-This instantiates the term $\Var{a@3}(x,y,xa)$; the main goal now contains
-an ordered pair, whose components are two new unknowns.%
-\index{*SumI theorem}
-\begin{ttbox}
-by (resolve_tac [SumI] 1);
-{\out Level 4}
-{\out split(p,\%x y. when(y,\%xa. inl(<?a4(x,y,xa),?b4(x,y,xa)>),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?a4(x,y,xa) : A}
-{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> ?b4(x,y,xa) : B(?a4(x,y,xa))}
-{\out 3. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
-{\out 4. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-The two new subgoals both hold by assumption. Observe how the unknowns
-$\Var{a@4}$ and $\Var{b@4}$ are instantiated throughout the proof state.
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 5}
-{\out split(p,\%x y. when(y,\%xa. inl(<x,?b4(x,y,xa)>),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\ttbreak
-{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?b4(x,y,xa) : B(x)}
-{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
-{\out 3. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\ttbreak
-by (assume_tac 1);
-{\out Level 6}
-{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
-{\out 2. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-Subgoal~1 is an example of a well-formedness subgoal~\cite{constable86}.
-Such subgoals are usually trivial; this one yields to
-\ttindex{typechk_tac}, given the current list of premises.
-\begin{ttbox}
-by (typechk_tac prems);
-{\out Level 7}
-{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),?d2(x,y)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out 1. !!x y ya.}
-{\out [| x : A; ya : C(x) |] ==>}
-{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-\end{ttbox}
-This subgoal is the other case from the $+$-elimination above, and can be
-proved similarly. Quicker is to apply \ttindex{pc_tac}. The main goal
-finally gets a fully instantiated proof object.
-\begin{ttbox}
-by (pc_tac prems 1);
-{\out Level 8}
-{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),\%y. inr(<x,y>)))}
-{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
-{\out No subgoals!}
-\end{ttbox}
-Calling \ttindex{pc_tac} after the first $\Sigma$-elimination above also
-proves this theorem.
-
-
-\section{Example: deriving a currying functional}
-In simply-typed languages such as {\ML}, a currying functional has the type
-\[ (A\times B \to C) \to (A\to (B\to C)). \]
-Let us generalize this to the dependent types~$\Sigma$ and~$\Pi$.
-The functional takes a function~$f$ that maps $z:\Sigma(A,B)$
-to~$C(z)$; the resulting function maps $x\in A$ and $y\in B(x)$ to
-$C(\langle x,y\rangle)$.
-
-Formally, there are three typing premises. $A$ is a type; $B$ is an
-$A$-indexed family of types; $C$ is a family of types indexed by
-$\Sigma(A,B)$. The goal is expressed using \hbox{\tt PROD f} to ensure
-that the parameter corresponding to the functional's argument is really
-called~$f$; Isabelle echoes the type using \verb|-->| because there is no
-explicit dependence upon~$f$.
-\begin{ttbox}
-val prems = Goal
- "[| A type; !!x. x:A ==> B(x) type; \ttback
-\ttback !!z. z: (SUM x:A. B(x)) ==> C(z) type \ttback
-\ttback |] ==> ?a : PROD f: (PROD z : (SUM x:A . B(x)) . C(z)). \ttback
-\ttback (PROD x:A . PROD y:B(x) . C(<x,y>))";
-\ttbreak
-{\out Level 0}
-{\out ?a : (PROD z:SUM x:A. B(x). C(z)) -->}
-{\out (PROD x:A. PROD y:B(x). C(<x,y>))}
-{\out 1. ?a : (PROD z:SUM x:A. B(x). C(z)) -->}
-{\out (PROD x:A. PROD y:B(x). C(<x,y>))}
-\ttbreak
-{\out val prems = ["A type [A type]",}
-{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
-{\out "?z : SUM x:A. B(x) ==> C(?z) type}
-{\out [!!z. z : SUM x:A. B(x) ==> C(z) type]"] : thm list}
-\end{ttbox}
-This is a chance to demonstrate \ttindex{intr_tac}. Here, the tactic
-repeatedly applies $\Pi$-introduction and proves the rather
-tiresome typing conditions.
-
-Note that $\Var{a}$ becomes instantiated to three nested
-$\lambda$-abstractions. It would be easier to read if the bound variable
-names agreed with the parameters in the subgoal. Isabelle attempts to give
-parameters the same names as corresponding bound variables in the goal, but
-this does not always work. In any event, the goal is logically correct.
-\begin{ttbox}
-by (intr_tac prems);
-{\out Level 1}
-{\out lam x xa xb. ?b7(x,xa,xb)}
-{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
-{\out 1. !!f x y.}
-{\out [| f : PROD z:SUM x:A. B(x). C(z); x : A; y : B(x) |] ==>}
-{\out ?b7(f,x,y) : C(<x,y>)}
-\end{ttbox}
-Using $\Pi$-elimination, we solve subgoal~1 by applying the function~$f$.
-\index{*ProdE theorem}
-\begin{ttbox}
-by (eresolve_tac [ProdE] 1);
-{\out Level 2}
-{\out lam x xa xb. x ` <xa,xb>}
-{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
-{\out 1. !!f x y. [| x : A; y : B(x) |] ==> <x,y> : SUM x:A. B(x)}
-\end{ttbox}
-Finally, we verify that the argument's type is suitable for the function
-application. This is straightforward using introduction rules.
-\index{*intr_tac}
-\begin{ttbox}
-by (intr_tac prems);
-{\out Level 3}
-{\out lam x xa xb. x ` <xa,xb>}
-{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
-{\out No subgoals!}
-\end{ttbox}
-Calling~\ttindex{pc_tac} would have proved this theorem in one step; it can
-also prove an example by Martin-L\"of, related to $\disj$-elimination
-\cite[page~58]{martinlof84}.
-
-
-\section{Example: proving the Axiom of Choice} \label{ctt-choice}
-Suppose we have a function $h\in \prod@{x\in A}\sum@{y\in B(x)} C(x,y)$,
-which takes $x\in A$ to some $y\in B(x)$ paired with some $z\in C(x,y)$.
-Interpreting propositions as types, this asserts that for all $x\in A$
-there exists $y\in B(x)$ such that $C(x,y)$. The Axiom of Choice asserts
-that we can construct a function $f\in \prod@{x\in A}B(x)$ such that
-$C(x,f{\tt`}x)$ for all $x\in A$, where the latter property is witnessed by a
-function $g\in \prod@{x\in A}C(x,f{\tt`}x)$.
-
-In principle, the Axiom of Choice is simple to derive in Constructive Type
-Theory. The following definitions work:
-\begin{eqnarray*}
- f & \equiv & {\tt fst} \circ h \\
- g & \equiv & {\tt snd} \circ h
-\end{eqnarray*}
-But a completely formal proof is hard to find. The rules can be applied in
-countless ways, yielding many higher-order unifiers. The proof can get
-bogged down in the details. But with a careful selection of derived rules
-(recall Fig.\ts\ref{ctt-derived}) and the type-checking tactics, we can
-prove the theorem in nine steps.
-\begin{ttbox}
-val prems = Goal
- "[| A type; !!x. x:A ==> B(x) type; \ttback
-\ttback !!x y.[| x:A; y:B(x) |] ==> C(x,y) type \ttback
-\ttback |] ==> ?a : PROD h: (PROD x:A. SUM y:B(x). C(x,y)). \ttback
-\ttback (SUM f: (PROD x:A. B(x)). PROD x:A. C(x, f`x))";
-{\out Level 0}
-{\out ?a : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-{\out 1. ?a : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out val prems = ["A type [A type]",}
-{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
-{\out "[| ?x : A; ?y : B(?x) |] ==> C(?x, ?y) type}
-{\out [!!x y. [| x : A; y : B(x) |] ==> C(x, y) type]"]}
-{\out : thm list}
-\end{ttbox}
-First, \ttindex{intr_tac} applies introduction rules and performs routine
-type-checking. This instantiates~$\Var{a}$ to a construction involving
-a $\lambda$-abstraction and an ordered pair. The pair's components are
-themselves $\lambda$-abstractions and there is a subgoal for each.
-\begin{ttbox}
-by (intr_tac prems);
-{\out Level 1}
-{\out lam x. <lam xa. ?b7(x,xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b7(h,x) : B(x)}
-\ttbreak
-{\out 2. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,(lam x. ?b7(h,x)) ` x)}
-\end{ttbox}
-Subgoal~1 asks to find the choice function itself, taking $x\in A$ to some
-$\Var{b@7}(h,x)\in B(x)$. Subgoal~2 asks, given $x\in A$, for a proof
-object $\Var{b@8}(h,x)$ to witness that the choice function's argument and
-result lie in the relation~$C$. This latter task will take up most of the
-proof.
-\index{*ProdE theorem}\index{*SumE_fst theorem}\index{*RS}
-\begin{ttbox}
-by (eresolve_tac [ProdE RS SumE_fst] 1);
-{\out Level 2}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x. x : A ==> x : A}
-{\out 2. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,(lam x. fst(h ` x)) ` x)}
-\end{ttbox}
-Above, we have composed {\tt fst} with the function~$h$. Unification
-has deduced that the function must be applied to $x\in A$. We have our
-choice function.
-\begin{ttbox}
-by (assume_tac 1);
-{\out Level 3}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,(lam x. fst(h ` x)) ` x)}
-\end{ttbox}
-Before we can compose {\tt snd} with~$h$, the arguments of $C$ must be
-simplified. The derived rule \tdx{replace_type} lets us replace a type
-by any equivalent type, shown below as the schematic term $\Var{A@{13}}(h,x)$:
-\begin{ttbox}
-by (resolve_tac [replace_type] 1);
-{\out Level 4}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out C(x,(lam x. fst(h ` x)) ` x) = ?A13(h,x)}
-\ttbreak
-{\out 2. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : ?A13(h,x)}
-\end{ttbox}
-The derived rule \tdx{subst_eqtyparg} lets us simplify a type's
-argument (by currying, $C(x)$ is a unary type operator):
-\begin{ttbox}
-by (resolve_tac [subst_eqtyparg] 1);
-{\out Level 5}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out (lam x. fst(h ` x)) ` x = ?c14(h,x) : ?A14(h,x)}
-\ttbreak
-{\out 2. !!h x z.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
-{\out z : ?A14(h,x) |] ==>}
-{\out C(x,z) type}
-\ttbreak
-{\out 3. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,?c14(h,x))}
-\end{ttbox}
-Subgoal~1 requires simply $\beta$-contraction, which is the rule
-\tdx{ProdC}. The term $\Var{c@{14}}(h,x)$ in the last subgoal
-receives the contracted result.
-\begin{ttbox}
-by (resolve_tac [ProdC] 1);
-{\out Level 6}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out x : ?A15(h,x)}
-\ttbreak
-{\out 2. !!h x xa.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
-{\out xa : ?A15(h,x) |] ==>}
-{\out fst(h ` xa) : ?B15(h,x,xa)}
-\ttbreak
-{\out 3. !!h x z.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
-{\out z : ?B15(h,x,x) |] ==>}
-{\out C(x,z) type}
-\ttbreak
-{\out 4. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,fst(h ` x))}
-\end{ttbox}
-Routine type-checking goals proliferate in Constructive Type Theory, but
-\ttindex{typechk_tac} quickly solves them. Note the inclusion of
-\tdx{SumE_fst} along with the premises.
-\begin{ttbox}
-by (typechk_tac (SumE_fst::prems));
-{\out Level 7}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x.}
-{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
-{\out ?b8(h,x) : C(x,fst(h ` x))}
-\end{ttbox}
-We are finally ready to compose {\tt snd} with~$h$.
-\index{*ProdE theorem}\index{*SumE_snd theorem}\index{*RS}
-\begin{ttbox}
-by (eresolve_tac [ProdE RS SumE_snd] 1);
-{\out Level 8}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. snd(x ` xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-\ttbreak
-{\out 1. !!h x. x : A ==> x : A}
-{\out 2. !!h x. x : A ==> B(x) type}
-{\out 3. !!h x xa. [| x : A; xa : B(x) |] ==> C(x,xa) type}
-\end{ttbox}
-The proof object has reached its final form. We call \ttindex{typechk_tac}
-to finish the type-checking.
-\begin{ttbox}
-by (typechk_tac prems);
-{\out Level 9}
-{\out lam x. <lam xa. fst(x ` xa),lam xa. snd(x ` xa)>}
-{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
-{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
-{\out No subgoals!}
-\end{ttbox}
-It might be instructive to compare this proof with Martin-L\"of's forward
-proof of the Axiom of Choice \cite[page~50]{martinlof84}.
-
-\index{Constructive Type Theory|)}
--- a/doc-src/Logics/document/LK.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,711 +0,0 @@
-\chapter{First-Order Sequent Calculus}
-\index{sequent calculus|(}
-
-The theory~\thydx{LK} implements classical first-order logic through Gentzen's
-sequent calculus (see Gallier~\cite{gallier86} or Takeuti~\cite{takeuti87}).
-Resembling the method of semantic tableaux, the calculus is well suited for
-backwards proof. Assertions have the form \(\Gamma\turn \Delta\), where
-\(\Gamma\) and \(\Delta\) are lists of formulae. Associative unification,
-simulated by higher-order unification, handles lists
-(\S\ref{sec:assoc-unification} presents details, if you are interested).
-
-The logic is many-sorted, using Isabelle's type classes. The class of
-first-order terms is called \cldx{term}. No types of individuals are
-provided, but extensions can define types such as {\tt nat::term} and type
-constructors such as {\tt list::(term)term}. Below, the type variable
-$\alpha$ ranges over class {\tt term}; the equality symbol and quantifiers
-are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
-belongs to class {\tt logic}.
-
-LK implements a classical logic theorem prover that is nearly as powerful as
-the generic classical reasoner. The simplifier is now available too.
-
-To work in LK, start up Isabelle specifying \texttt{Sequents} as the
-object-logic. Once in Isabelle, change the context to theory \texttt{LK.thy}:
-\begin{ttbox}
-isabelle Sequents
-context LK.thy;
-\end{ttbox}
-Modal logic and linear logic are also available, but unfortunately they are
-not documented.
-
-
-\begin{figure}
-\begin{center}
-\begin{tabular}{rrr}
- \it name &\it meta-type & \it description \\
- \cdx{Trueprop}& $[sobj\To sobj, sobj\To sobj]\To prop$ & coercion to $prop$\\
- \cdx{Seqof} & $[o,sobj]\To sobj$ & singleton sequence \\
- \cdx{Not} & $o\To o$ & negation ($\neg$) \\
- \cdx{True} & $o$ & tautology ($\top$) \\
- \cdx{False} & $o$ & absurdity ($\bot$)
-\end{tabular}
-\end{center}
-\subcaption{Constants}
-
-\begin{center}
-\begin{tabular}{llrrr}
- \it symbol &\it name &\it meta-type & \it priority & \it description \\
- \sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
- universal quantifier ($\forall$) \\
- \sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
- existential quantifier ($\exists$) \\
- \sdx{THE} & \cdx{The} & $(\alpha\To o)\To \alpha$ & 10 &
- definite description ($\iota$)
-\end{tabular}
-\end{center}
-\subcaption{Binders}
-
-\begin{center}
-\index{*"= symbol}
-\index{&@{\tt\&} symbol}
-\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
-\index{*"-"-"> symbol}
-\index{*"<"-"> symbol}
-\begin{tabular}{rrrr}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
- \tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
- \tt | & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
- \tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
- \tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
-\end{tabular}
-\end{center}
-\subcaption{Infixes}
-
-\begin{center}
-\begin{tabular}{rrr}
- \it external & \it internal & \it description \\
- \tt $\Gamma$ |- $\Delta$ & \tt Trueprop($\Gamma$, $\Delta$) &
- sequent $\Gamma\turn \Delta$
-\end{tabular}
-\end{center}
-\subcaption{Translations}
-\caption{Syntax of {\tt LK}} \label{lk-syntax}
-\end{figure}
-
-
-\begin{figure}
-\dquotes
-\[\begin{array}{rcl}
- prop & = & sequence " |- " sequence
-\\[2ex]
-sequence & = & elem \quad (", " elem)^* \\
- & | & empty
-\\[2ex]
- elem & = & "\$ " term \\
- & | & formula \\
- & | & "<<" sequence ">>"
-\\[2ex]
- formula & = & \hbox{expression of type~$o$} \\
- & | & term " = " term \\
- & | & "\ttilde\ " formula \\
- & | & formula " \& " formula \\
- & | & formula " | " formula \\
- & | & formula " --> " formula \\
- & | & formula " <-> " formula \\
- & | & "ALL~" id~id^* " . " formula \\
- & | & "EX~~" id~id^* " . " formula \\
- & | & "THE~" id~ " . " formula
- \end{array}
-\]
-\caption{Grammar of {\tt LK}} \label{lk-grammar}
-\end{figure}
-
-
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{basic} $H, P, $G |- $E, P, $F
-
-\tdx{contRS} $H |- $E, $S, $S, $F ==> $H |- $E, $S, $F
-\tdx{contLS} $H, $S, $S, $G |- $E ==> $H, $S, $G |- $E
-
-\tdx{thinRS} $H |- $E, $F ==> $H |- $E, $S, $F
-\tdx{thinLS} $H, $G |- $E ==> $H, $S, $G |- $E
-
-\tdx{cut} [| $H |- $E, P; $H, P |- $E |] ==> $H |- $E
-\subcaption{Structural rules}
-
-\tdx{refl} $H |- $E, a=a, $F
-\tdx{subst} $H(a), $G(a) |- $E(a) ==> $H(b), a=b, $G(b) |- $E(b)
-\subcaption{Equality rules}
-\end{ttbox}
-
-\caption{Basic Rules of {\tt LK}} \label{lk-basic-rules}
-\end{figure}
-
-\begin{figure}
-\begin{ttbox}
-\tdx{True_def} True == False-->False
-\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
-
-\tdx{conjR} [| $H|- $E, P, $F; $H|- $E, Q, $F |] ==> $H|- $E, P&Q, $F
-\tdx{conjL} $H, P, Q, $G |- $E ==> $H, P & Q, $G |- $E
-
-\tdx{disjR} $H |- $E, P, Q, $F ==> $H |- $E, P|Q, $F
-\tdx{disjL} [| $H, P, $G |- $E; $H, Q, $G |- $E |] ==> $H, P|Q, $G |- $E
-
-\tdx{impR} $H, P |- $E, Q, $F ==> $H |- $E, P-->Q, $F
-\tdx{impL} [| $H,$G |- $E,P; $H, Q, $G |- $E |] ==> $H, P-->Q, $G |- $E
-
-\tdx{notR} $H, P |- $E, $F ==> $H |- $E, ~P, $F
-\tdx{notL} $H, $G |- $E, P ==> $H, ~P, $G |- $E
-
-\tdx{FalseL} $H, False, $G |- $E
-
-\tdx{allR} (!!x. $H|- $E, P(x), $F) ==> $H|- $E, ALL x. P(x), $F
-\tdx{allL} $H, P(x), $G, ALL x. P(x) |- $E ==> $H, ALL x. P(x), $G|- $E
-
-\tdx{exR} $H|- $E, P(x), $F, EX x. P(x) ==> $H|- $E, EX x. P(x), $F
-\tdx{exL} (!!x. $H, P(x), $G|- $E) ==> $H, EX x. P(x), $G|- $E
-
-\tdx{The} [| $H |- $E, P(a), $F; !!x. $H, P(x) |- $E, x=a, $F |] ==>
- $H |- $E, P(THE x. P(x)), $F
-\subcaption{Logical rules}
-\end{ttbox}
-
-\caption{Rules of {\tt LK}} \label{lk-rules}
-\end{figure}
-
-
-\section{Syntax and rules of inference}
-\index{*sobj type}
-
-Figure~\ref{lk-syntax} gives the syntax for {\tt LK}, which is complicated
-by the representation of sequents. Type $sobj\To sobj$ represents a list
-of formulae.
-
-The \textbf{definite description} operator~$\iota x. P[x]$ stands for some~$a$
-satisfying~$P[a]$, if one exists and is unique. Since all terms in LK denote
-something, a description is always meaningful, but we do not know its value
-unless $P[x]$ defines it uniquely. The Isabelle notation is \hbox{\tt THE
- $x$.\ $P[x]$}. The corresponding rule (Fig.\ts\ref{lk-rules}) does not
-entail the Axiom of Choice because it requires uniqueness.
-
-Conditional expressions are available with the notation
-\[ \dquotes
- "if"~formula~"then"~term~"else"~term. \]
-
-Figure~\ref{lk-grammar} presents the grammar of LK. Traditionally,
-\(\Gamma\) and \(\Delta\) are meta-variables for sequences. In Isabelle's
-notation, the prefix~\verb|$| on a term makes it range over sequences.
-In a sequent, anything not prefixed by \verb|$| is taken as a formula.
-
-The notation \texttt{<<$sequence$>>} stands for a sequence of formul\ae{}.
-For example, you can declare the constant \texttt{imps} to consist of two
-implications:
-\begin{ttbox}
-consts P,Q,R :: o
-constdefs imps :: seq'=>seq'
- "imps == <<P --> Q, Q --> R>>"
-\end{ttbox}
-Then you can use it in axioms and goals, for example
-\begin{ttbox}
-Goalw [imps_def] "P, $imps |- R";
-{\out Level 0}
-{\out P, $imps |- R}
-{\out 1. P, P --> Q, Q --> R |- R}
-by (Fast_tac 1);
-{\out Level 1}
-{\out P, $imps |- R}
-{\out No subgoals!}
-\end{ttbox}
-
-Figures~\ref{lk-basic-rules} and~\ref{lk-rules} present the rules of theory
-\thydx{LK}. The connective $\bimp$ is defined using $\conj$ and $\imp$. The
-axiom for basic sequents is expressed in a form that provides automatic
-thinning: redundant formulae are simply ignored. The other rules are
-expressed in the form most suitable for backward proof; exchange and
-contraction rules are not normally required, although they are provided
-anyway.
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{thinR} $H |- $E, $F ==> $H |- $E, P, $F
-\tdx{thinL} $H, $G |- $E ==> $H, P, $G |- $E
-
-\tdx{contR} $H |- $E, P, P, $F ==> $H |- $E, P, $F
-\tdx{contL} $H, P, P, $G |- $E ==> $H, P, $G |- $E
-
-\tdx{symR} $H |- $E, $F, a=b ==> $H |- $E, b=a, $F
-\tdx{symL} $H, $G, b=a |- $E ==> $H, a=b, $G |- $E
-
-\tdx{transR} [| $H|- $E, $F, a=b; $H|- $E, $F, b=c |]
- ==> $H|- $E, a=c, $F
-
-\tdx{TrueR} $H |- $E, True, $F
-
-\tdx{iffR} [| $H, P |- $E, Q, $F; $H, Q |- $E, P, $F |]
- ==> $H |- $E, P<->Q, $F
-
-\tdx{iffL} [| $H, $G |- $E, P, Q; $H, Q, P, $G |- $E |]
- ==> $H, P<->Q, $G |- $E
-
-\tdx{allL_thin} $H, P(x), $G |- $E ==> $H, ALL x. P(x), $G |- $E
-\tdx{exR_thin} $H |- $E, P(x), $F ==> $H |- $E, EX x. P(x), $F
-
-\tdx{the_equality} [| $H |- $E, P(a), $F;
- !!x. $H, P(x) |- $E, x=a, $F |]
- ==> $H |- $E, (THE x. P(x)) = a, $F
-\end{ttbox}
-
-\caption{Derived rules for {\tt LK}} \label{lk-derived}
-\end{figure}
-
-Figure~\ref{lk-derived} presents derived rules, including rules for
-$\bimp$. The weakened quantifier rules discard each quantification after a
-single use; in an automatic proof procedure, they guarantee termination,
-but are incomplete. Multiple use of a quantifier can be obtained by a
-contraction rule, which in backward proof duplicates a formula. The tactic
-{\tt res_inst_tac} can instantiate the variable~{\tt?P} in these rules,
-specifying the formula to duplicate.
-See theory {\tt Sequents/LK0} in the sources for complete listings of
-the rules and derived rules.
-
-To support the simplifier, hundreds of equivalences are proved for
-the logical connectives and for if-then-else expressions. See the file
-\texttt{Sequents/simpdata.ML}.
-
-\section{Automatic Proof}
-
-LK instantiates Isabelle's simplifier. Both equality ($=$) and the
-biconditional ($\bimp$) may be used for rewriting. The tactic
-\texttt{Simp_tac} refers to the default simpset (\texttt{simpset()}). With
-sequents, the \texttt{full_} and \texttt{asm_} forms of the simplifier are not
-required; all the formulae{} in the sequent will be simplified. The left-hand
-formulae{} are taken as rewrite rules. (Thus, the behaviour is what you would
-normally expect from calling \texttt{Asm_full_simp_tac}.)
-
-For classical reasoning, several tactics are available:
-\begin{ttbox}
-Safe_tac : int -> tactic
-Step_tac : int -> tactic
-Fast_tac : int -> tactic
-Best_tac : int -> tactic
-Pc_tac : int -> tactic
-\end{ttbox}
-These refer not to the standard classical reasoner but to a separate one
-provided for the sequent calculus. Two commands are available for adding new
-sequent calculus rules, safe or unsafe, to the default ``theorem pack'':
-\begin{ttbox}
-Add_safes : thm list -> unit
-Add_unsafes : thm list -> unit
-\end{ttbox}
-To control the set of rules for individual invocations, lower-case versions of
-all these primitives are available. Sections~\ref{sec:thm-pack}
-and~\ref{sec:sequent-provers} give full details.
-
-
-\section{Tactics for the cut rule}
-
-According to the cut-elimination theorem, the cut rule can be eliminated
-from proofs of sequents. But the rule is still essential. It can be used
-to structure a proof into lemmas, avoiding repeated proofs of the same
-formula. More importantly, the cut rule cannot be eliminated from
-derivations of rules. For example, there is a trivial cut-free proof of
-the sequent \(P\conj Q\turn Q\conj P\).
-Noting this, we might want to derive a rule for swapping the conjuncts
-in a right-hand formula:
-\[ \Gamma\turn \Delta, P\conj Q\over \Gamma\turn \Delta, Q\conj P \]
-The cut rule must be used, for $P\conj Q$ is not a subformula of $Q\conj
-P$. Most cuts directly involve a premise of the rule being derived (a
-meta-assumption). In a few cases, the cut formula is not part of any
-premise, but serves as a bridge between the premises and the conclusion.
-In such proofs, the cut formula is specified by calling an appropriate
-tactic.
-
-\begin{ttbox}
-cutR_tac : string -> int -> tactic
-cutL_tac : string -> int -> tactic
-\end{ttbox}
-These tactics refine a subgoal into two by applying the cut rule. The cut
-formula is given as a string, and replaces some other formula in the sequent.
-\begin{ttdescription}
-\item[\ttindexbold{cutR_tac} {\it P\/} {\it i}] reads an LK formula~$P$, and
- applies the cut rule to subgoal~$i$. It then deletes some formula from the
- right side of subgoal~$i$, replacing that formula by~$P$.
-
-\item[\ttindexbold{cutL_tac} {\it P\/} {\it i}] reads an LK formula~$P$, and
- applies the cut rule to subgoal~$i$. It then deletes some formula from the
- left side of the new subgoal $i+1$, replacing that formula by~$P$.
-\end{ttdescription}
-All the structural rules --- cut, contraction, and thinning --- can be
-applied to particular formulae using {\tt res_inst_tac}.
-
-
-\section{Tactics for sequents}
-\begin{ttbox}
-forms_of_seq : term -> term list
-could_res : term * term -> bool
-could_resolve_seq : term * term -> bool
-filseq_resolve_tac : thm list -> int -> int -> tactic
-\end{ttbox}
-Associative unification is not as efficient as it might be, in part because
-the representation of lists defeats some of Isabelle's internal
-optimisations. The following operations implement faster rule application,
-and may have other uses.
-\begin{ttdescription}
-\item[\ttindexbold{forms_of_seq} {\it t}]
-returns the list of all formulae in the sequent~$t$, removing sequence
-variables.
-
-\item[\ttindexbold{could_res} ($t$,$u$)]
-tests whether two formula lists could be resolved. List $t$ is from a
-premise or subgoal, while $u$ is from the conclusion of an object-rule.
-Assuming that each formula in $u$ is surrounded by sequence variables, it
-checks that each conclusion formula is unifiable (using {\tt could_unify})
-with some subgoal formula.
-
-\item[\ttindexbold{could_resolve_seq} ($t$,$u$)]
- tests whether two sequents could be resolved. Sequent $t$ is a premise
- or subgoal, while $u$ is the conclusion of an object-rule. It simply
- calls {\tt could_res} twice to check that both the left and the right
- sides of the sequents are compatible.
-
-\item[\ttindexbold{filseq_resolve_tac} {\it thms} {\it maxr} {\it i}]
-uses {\tt filter_thms could_resolve} to extract the {\it thms} that are
-applicable to subgoal~$i$. If more than {\it maxr\/} theorems are
-applicable then the tactic fails. Otherwise it calls {\tt resolve_tac}.
-Thus, it is the sequent calculus analogue of \ttindex{filt_resolve_tac}.
-\end{ttdescription}
-
-
-\section{A simple example of classical reasoning}
-The theorem $\turn\ex{y}\all{x}P(y)\imp P(x)$ is a standard example of the
-classical treatment of the existential quantifier. Classical reasoning is
-easy using~LK, as you can see by comparing this proof with the one given in
-the FOL manual~\cite{isabelle-ZF}. From a logical point of view, the proofs
-are essentially the same; the key step here is to use \tdx{exR} rather than
-the weaker~\tdx{exR_thin}.
-\begin{ttbox}
-Goal "|- EX y. ALL x. P(y)-->P(x)";
-{\out Level 0}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. |- EX y. ALL x. P(y) --> P(x)}
-by (resolve_tac [exR] 1);
-{\out Level 1}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. |- ALL x. P(?x) --> P(x), EX x. ALL xa. P(x) --> P(xa)}
-\end{ttbox}
-There are now two formulae on the right side. Keeping the existential one
-in reserve, we break down the universal one.
-\begin{ttbox}
-by (resolve_tac [allR] 1);
-{\out Level 2}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. !!x. |- P(?x) --> P(x), EX x. ALL xa. P(x) --> P(xa)}
-by (resolve_tac [impR] 1);
-{\out Level 3}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. !!x. P(?x) |- P(x), EX x. ALL xa. P(x) --> P(xa)}
-\end{ttbox}
-Because LK is a sequent calculus, the formula~$P(\Var{x})$ does not become an
-assumption; instead, it moves to the left side. The resulting subgoal cannot
-be instantiated to a basic sequent: the bound variable~$x$ is not unifiable
-with the unknown~$\Var{x}$.
-\begin{ttbox}
-by (resolve_tac [basic] 1);
-{\out by: tactic failed}
-\end{ttbox}
-We reuse the existential formula using~\tdx{exR_thin}, which discards
-it; we shall not need it a third time. We again break down the resulting
-formula.
-\begin{ttbox}
-by (resolve_tac [exR_thin] 1);
-{\out Level 4}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. !!x. P(?x) |- P(x), ALL xa. P(?x7(x)) --> P(xa)}
-by (resolve_tac [allR] 1);
-{\out Level 5}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. !!x xa. P(?x) |- P(x), P(?x7(x)) --> P(xa)}
-by (resolve_tac [impR] 1);
-{\out Level 6}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. !!x xa. P(?x), P(?x7(x)) |- P(x), P(xa)}
-\end{ttbox}
-Subgoal~1 seems to offer lots of possibilities. Actually the only useful
-step is instantiating~$\Var{x@7}$ to $\lambda x. x$,
-transforming~$\Var{x@7}(x)$ into~$x$.
-\begin{ttbox}
-by (resolve_tac [basic] 1);
-{\out Level 7}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out No subgoals!}
-\end{ttbox}
-This theorem can be proved automatically. Because it involves quantifier
-duplication, we employ best-first search:
-\begin{ttbox}
-Goal "|- EX y. ALL x. P(y)-->P(x)";
-{\out Level 0}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out 1. |- EX y. ALL x. P(y) --> P(x)}
-by (best_tac LK_dup_pack 1);
-{\out Level 1}
-{\out |- EX y. ALL x. P(y) --> P(x)}
-{\out No subgoals!}
-\end{ttbox}
-
-
-
-\section{A more complex proof}
-Many of Pelletier's test problems for theorem provers \cite{pelletier86}
-can be solved automatically. Problem~39 concerns set theory, asserting
-that there is no Russell set --- a set consisting of those sets that are
-not members of themselves:
-\[ \turn \neg (\exists x. \forall y. y\in x \bimp y\not\in y) \]
-This does not require special properties of membership; we may generalize
-$x\in y$ to an arbitrary predicate~$F(x,y)$. The theorem, which is trivial
-for \texttt{Fast_tac}, has a short manual proof. See the directory {\tt
- Sequents/LK} for many more examples.
-
-We set the main goal and move the negated formula to the left.
-\begin{ttbox}
-Goal "|- ~ (EX x. ALL y. F(y,x) <-> ~F(y,y))";
-{\out Level 0}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-by (resolve_tac [notR] 1);
-{\out Level 1}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. EX x. ALL y. F(y,x) <-> ~ F(y,y) |-}
-\end{ttbox}
-The right side is empty; we strip both quantifiers from the formula on the
-left.
-\begin{ttbox}
-by (resolve_tac [exL] 1);
-{\out Level 2}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. ALL y. F(y,x) <-> ~ F(y,y) |-}
-by (resolve_tac [allL_thin] 1);
-{\out Level 3}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. F(?x2(x),x) <-> ~ F(?x2(x),?x2(x)) |-}
-\end{ttbox}
-The rule \tdx{iffL} says, if $P\bimp Q$ then $P$ and~$Q$ are either
-both true or both false. It yields two subgoals.
-\begin{ttbox}
-by (resolve_tac [iffL] 1);
-{\out Level 4}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. |- F(?x2(x),x), ~ F(?x2(x),?x2(x))}
-{\out 2. !!x. ~ F(?x2(x),?x2(x)), F(?x2(x),x) |-}
-\end{ttbox}
-We must instantiate~$\Var{x@2}$, the shared unknown, to satisfy both
-subgoals. Beginning with subgoal~2, we move a negated formula to the left
-and create a basic sequent.
-\begin{ttbox}
-by (resolve_tac [notL] 2);
-{\out Level 5}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. |- F(?x2(x),x), ~ F(?x2(x),?x2(x))}
-{\out 2. !!x. F(?x2(x),x) |- F(?x2(x),?x2(x))}
-by (resolve_tac [basic] 2);
-{\out Level 6}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. |- F(x,x), ~ F(x,x)}
-\end{ttbox}
-Thanks to the instantiation of~$\Var{x@2}$, subgoal~1 is obviously true.
-\begin{ttbox}
-by (resolve_tac [notR] 1);
-{\out Level 7}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out 1. !!x. F(x,x) |- F(x,x)}
-by (resolve_tac [basic] 1);
-{\out Level 8}
-{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
-{\out No subgoals!}
-\end{ttbox}
-
-\section{*Unification for lists}\label{sec:assoc-unification}
-
-Higher-order unification includes associative unification as a special
-case, by an encoding that involves function composition
-\cite[page~37]{huet78}. To represent lists, let $C$ be a new constant.
-The empty list is $\lambda x. x$, while $[t@1,t@2,\ldots,t@n]$ is
-represented by
-\[ \lambda x. C(t@1,C(t@2,\ldots,C(t@n,x))). \]
-The unifiers of this with $\lambda x.\Var{f}(\Var{g}(x))$ give all the ways
-of expressing $[t@1,t@2,\ldots,t@n]$ as the concatenation of two lists.
-
-Unlike orthodox associative unification, this technique can represent certain
-infinite sets of unifiers by flex-flex equations. But note that the term
-$\lambda x. C(t,\Var{a})$ does not represent any list. Flex-flex constraints
-containing such garbage terms may accumulate during a proof.
-\index{flex-flex constraints}
-
-This technique lets Isabelle formalize sequent calculus rules,
-where the comma is the associative operator:
-\[ \infer[(\conj\hbox{-left})]
- {\Gamma,P\conj Q,\Delta \turn \Theta}
- {\Gamma,P,Q,\Delta \turn \Theta} \]
-Multiple unifiers occur whenever this is resolved against a goal containing
-more than one conjunction on the left.
-
-LK exploits this representation of lists. As an alternative, the sequent
-calculus can be formalized using an ordinary representation of lists, with a
-logic program for removing a formula from a list. Amy Felty has applied this
-technique using the language $\lambda$Prolog~\cite{felty91a}.
-
-Explicit formalization of sequents can be tiresome. But it gives precise
-control over contraction and weakening, and is essential to handle relevant
-and linear logics.
-
-
-\section{*Packaging sequent rules}\label{sec:thm-pack}
-
-The sequent calculi come with simple proof procedures. These are incomplete
-but are reasonably powerful for interactive use. They expect rules to be
-classified as \textbf{safe} or \textbf{unsafe}. A rule is safe if applying it to a
-provable goal always yields provable subgoals. If a rule is safe then it can
-be applied automatically to a goal without destroying our chances of finding a
-proof. For instance, all the standard rules of the classical sequent calculus
-{\sc lk} are safe. An unsafe rule may render the goal unprovable; typical
-examples are the weakened quantifier rules {\tt allL_thin} and {\tt exR_thin}.
-
-Proof procedures use safe rules whenever possible, using an unsafe rule as a
-last resort. Those safe rules are preferred that generate the fewest
-subgoals. Safe rules are (by definition) deterministic, while the unsafe
-rules require a search strategy, such as backtracking.
-
-A \textbf{pack} is a pair whose first component is a list of safe rules and
-whose second is a list of unsafe rules. Packs can be extended in an obvious
-way to allow reasoning with various collections of rules. For clarity, LK
-declares \mltydx{pack} as an \ML{} datatype, although is essentially a type
-synonym:
-\begin{ttbox}
-datatype pack = Pack of thm list * thm list;
-\end{ttbox}
-Pattern-matching using constructor {\tt Pack} can inspect a pack's
-contents. Packs support the following operations:
-\begin{ttbox}
-pack : unit -> pack
-pack_of : theory -> pack
-empty_pack : pack
-prop_pack : pack
-LK_pack : pack
-LK_dup_pack : pack
-add_safes : pack * thm list -> pack \hfill\textbf{infix 4}
-add_unsafes : pack * thm list -> pack \hfill\textbf{infix 4}
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{pack}] returns the pack attached to the current theory.
-
-\item[\ttindexbold{pack_of $thy$}] returns the pack attached to theory $thy$.
-
-\item[\ttindexbold{empty_pack}] is the empty pack.
-
-\item[\ttindexbold{prop_pack}] contains the propositional rules, namely
-those for $\conj$, $\disj$, $\neg$, $\imp$ and~$\bimp$, along with the
-rules {\tt basic} and {\tt refl}. These are all safe.
-
-\item[\ttindexbold{LK_pack}]
-extends {\tt prop_pack} with the safe rules {\tt allR}
-and~{\tt exL} and the unsafe rules {\tt allL_thin} and
-{\tt exR_thin}. Search using this is incomplete since quantified
-formulae are used at most once.
-
-\item[\ttindexbold{LK_dup_pack}]
-extends {\tt prop_pack} with the safe rules {\tt allR}
-and~{\tt exL} and the unsafe rules \tdx{allL} and~\tdx{exR}.
-Search using this is complete, since quantified formulae may be reused, but
-frequently fails to terminate. It is generally unsuitable for depth-first
-search.
-
-\item[$pack$ \ttindexbold{add_safes} $rules$]
-adds some safe~$rules$ to the pack~$pack$.
-
-\item[$pack$ \ttindexbold{add_unsafes} $rules$]
-adds some unsafe~$rules$ to the pack~$pack$.
-\end{ttdescription}
-
-
-\section{*Proof procedures}\label{sec:sequent-provers}
-
-The LK proof procedure is similar to the classical reasoner described in
-\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
- {Chap.\ts\ref{chap:classical}}.
-%
-In fact it is simpler, since it works directly with sequents rather than
-simulating them. There is no need to distinguish introduction rules from
-elimination rules, and of course there is no swap rule. As always,
-Isabelle's classical proof procedures are less powerful than resolution
-theorem provers. But they are more natural and flexible, working with an
-open-ended set of rules.
-
-Backtracking over the choice of a safe rule accomplishes nothing: applying
-them in any order leads to essentially the same result. Backtracking may
-be necessary over basic sequents when they perform unification. Suppose
-that~0, 1, 2,~3 are constants in the subgoals
-\[ \begin{array}{c}
- P(0), P(1), P(2) \turn P(\Var{a}) \\
- P(0), P(2), P(3) \turn P(\Var{a}) \\
- P(1), P(3), P(2) \turn P(\Var{a})
- \end{array}
-\]
-The only assignment that satisfies all three subgoals is $\Var{a}\mapsto 2$,
-and this can only be discovered by search. The tactics given below permit
-backtracking only over axioms, such as {\tt basic} and {\tt refl};
-otherwise they are deterministic.
-
-
-\subsection{Method A}
-\begin{ttbox}
-reresolve_tac : thm list -> int -> tactic
-repeat_goal_tac : pack -> int -> tactic
-pc_tac : pack -> int -> tactic
-\end{ttbox}
-These tactics use a method developed by Philippe de Groote. A subgoal is
-refined and the resulting subgoals are attempted in reverse order. For
-some reason, this is much faster than attempting the subgoals in order.
-The method is inherently depth-first.
-
-At present, these tactics only work for rules that have no more than two
-premises. They fail --- return no next state --- if they can do nothing.
-\begin{ttdescription}
-\item[\ttindexbold{reresolve_tac} $thms$ $i$]
-repeatedly applies the $thms$ to subgoal $i$ and the resulting subgoals.
-
-\item[\ttindexbold{repeat_goal_tac} $pack$ $i$]
-applies the safe rules in the pack to a goal and the resulting subgoals.
-If no safe rule is applicable then it applies an unsafe rule and continues.
-
-\item[\ttindexbold{pc_tac} $pack$ $i$]
-applies {\tt repeat_goal_tac} using depth-first search to solve subgoal~$i$.
-\end{ttdescription}
-
-
-\subsection{Method B}
-\begin{ttbox}
-safe_tac : pack -> int -> tactic
-step_tac : pack -> int -> tactic
-fast_tac : pack -> int -> tactic
-best_tac : pack -> int -> tactic
-\end{ttbox}
-These tactics are analogous to those of the generic classical
-reasoner. They use `Method~A' only on safe rules. They fail if they
-can do nothing.
-\begin{ttdescription}
-\item[\ttindexbold{safe_goal_tac} $pack$ $i$]
-applies the safe rules in the pack to a goal and the resulting subgoals.
-It ignores the unsafe rules.
-
-\item[\ttindexbold{step_tac} $pack$ $i$]
-either applies safe rules (using {\tt safe_goal_tac}) or applies one unsafe
-rule.
-
-\item[\ttindexbold{fast_tac} $pack$ $i$]
-applies {\tt step_tac} using depth-first search to solve subgoal~$i$.
-Despite its name, it is frequently slower than {\tt pc_tac}.
-
-\item[\ttindexbold{best_tac} $pack$ $i$]
-applies {\tt step_tac} using best-first search to solve subgoal~$i$. It is
-particularly useful for quantifier duplication (using \ttindex{LK_dup_pack}).
-\end{ttdescription}
-
-
-
-\index{sequent calculus|)}
--- a/doc-src/Logics/document/Sequents.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,200 +0,0 @@
-\chapter{Defining A Sequent-Based Logic}
-\label{chap:sequents}
-
-\underscoreon %this file contains the @ character
-
-The Isabelle theory \texttt{Sequents.thy} provides facilities for using
-sequent notation in users' object logics. This theory allows users to
-easily interface the surface syntax of sequences with an underlying
-representation suitable for higher-order unification.
-
-\section{Concrete syntax of sequences}
-
-Mathematicians and logicians have used sequences in an informal way
-much before proof systems such as Isabelle were created. It seems
-sensible to allow people using Isabelle to express sequents and
-perform proofs in this same informal way, and without requiring the
-theory developer to spend a lot of time in \ML{} programming.
-
-By using {\tt Sequents.thy}
-appropriately, a logic developer can allow users to refer to sequences
-in several ways:
-%
-\begin{itemize}
-\item A sequence variable is any alphanumeric string with the first
- character being a \verb%$% sign.
-So, consider the sequent \verb%$A |- B%, where \verb%$A%
-is intended to match a sequence of zero or more items.
-
-\item A sequence with unspecified sub-sequences and unspecified or
-individual items is written as a comma-separated list of regular
-variables (representing items), particular items, and
-sequence variables, as in
-\begin{ttbox}
-$A, B, C, $D(x) |- E
-\end{ttbox}
-Here both \verb%$A% and \verb%$D(x)%
-are allowed to match any subsequences of items on either side of the
-two items that match $B$ and $C$. Moreover, the sequence matching
-\verb%$D(x)% may contain occurrences of~$x$.
-
-\item An empty sequence can be represented by a blank space, as in
-\verb? |- true?.
-\end{itemize}
-
-These syntactic constructs need to be assimilated into the object
-theory being developed. The type that we use for these visible objects
-is given the name {\tt seq}.
-A {\tt seq} is created either by the empty space, a {\tt seqobj} or a
-{\tt seqobj} followed by a {\tt seq}, with a comma between them. A
-{\tt seqobj} is either an item or a variable representing a
-sequence. Thus, a theory designer can specify a function that takes
-two sequences and returns a meta-level proposition by giving it the
-Isabelle type \verb|[seq, seq] => prop|.
-
-This is all part of the concrete syntax, but one may wish to
-exploit Isabelle's higher-order abstract syntax by actually having a
-different, more powerful {\em internal} syntax.
-
-
-
-\section{ Basis}
-
-One could opt to represent sequences as first-order objects (such as
-simple lists), but this would not allow us to use many facilities
-Isabelle provides for matching. By using a slightly more complex
-representation, users of the logic can reap many benefits in
-facilities for proofs and ease of reading logical terms.
-
-A sequence can be represented as a function --- a constructor for
-further sequences --- by defining a binary {\em abstract} function
-\verb|Seq0'| with type \verb|[o,seq']=>seq'|, and translating a
-sequence such as \verb|A, B, C| into
-\begin{ttbox}
-\%s. Seq0'(A, SeqO'(B, SeqO'(C, s)))
-\end{ttbox}
-This sequence can therefore be seen as a constructor
-for further sequences. The constructor \verb|Seq0'| is never given a
-value, and therefore it is not possible to evaluate this expression
-into a basic value.
-
-Furthermore, if we want to represent the sequence \verb|A, $B, C|,
-we note that \verb|$B| already represents a sequence, so we can use
-\verb|B| itself to refer to the function, and therefore the sequence
-can be mapped to the internal form:
-\verb|%s. SeqO'(A, B(SeqO'(C, s)))|.
-
-So, while we wish to continue with the standard, well-liked {\em
-external} representation of sequences, we can represent them {\em
-internally} as functions of type \verb|seq'=>seq'|.
-
-
-\section{Object logics}
-
-Recall that object logics are defined by mapping elements of
-particular types to the Isabelle type \verb|prop|, usually with a
-function called {\tt Trueprop}. So, an object
-logic proposition {\tt P} is matched to the Isabelle proposition
-{\tt Trueprop(P)}\@. The name of the function is often hidden, so the
-user just sees {\tt P}\@. Isabelle is eager to make types match, so it
-inserts {\tt Trueprop} automatically when an object of type {\tt prop}
-is expected. This mechanism can be observed in most of the object
-logics which are direct descendants of {\tt Pure}.
-
-In order to provide the desired syntactic facilities for sequent
-calculi, rather than use just one function that maps object-level
-propositions to meta-level propositions, we use two functions, and
-separate internal from the external representation.
-
-These functions need to be given a type that is appropriate for the particular
-form of sequents required: single or multiple conclusions. So
-multiple-conclusion sequents (used in the LK logic) can be
-specified by the following two definitions, which are lifted from the inbuilt
-{\tt Sequents/LK.thy}:
-\begin{ttbox}
- Trueprop :: two_seqi
- "@Trueprop" :: two_seqe ("((_)/ |- (_))" [6,6] 5)
-\end{ttbox}
-%
-where the types used are defined in {\tt Sequents.thy} as
-abbreviations:
-\begin{ttbox}
- two_seqi = [seq'=>seq', seq'=>seq'] => prop
- two_seqe = [seq, seq] => prop
-\end{ttbox}
-
-The next step is to actually create links into the low-level parsing
-and pretty-printing mechanisms, which map external and internal
-representations. These functions go below the user level and capture
-the underlying structure of Isabelle terms in \ML{}\@. Fortunately the
-theory developer need not delve in this level; {\tt Sequents.thy}
-provides the necessary facilities. All the theory developer needs to
-add in the \ML{} section is a specification of the two translation
-functions:
-\begin{ttbox}
-ML
-val parse_translation = [("@Trueprop",Sequents.two_seq_tr "Trueprop")];
-val print_translation = [("Trueprop",Sequents.two_seq_tr' "@Trueprop")];
-\end{ttbox}
-
-In summary: in the logic theory being developed, the developer needs
-to specify the types for the internal and external representation of
-the sequences, and use the appropriate parsing and pretty-printing
-functions.
-
-\section{What's in \texttt{Sequents.thy}}
-
-Theory \texttt{Sequents.thy} makes many declarations that you need to know
-about:
-\begin{enumerate}
-\item The Isabelle types given below, which can be used for the
-constants that map object-level sequents and meta-level propositions:
-%
-\begin{ttbox}
- single_seqe = [seq,seqobj] => prop
- single_seqi = [seq'=>seq',seq'=>seq'] => prop
- two_seqi = [seq'=>seq', seq'=>seq'] => prop
- two_seqe = [seq, seq] => prop
- three_seqi = [seq'=>seq', seq'=>seq', seq'=>seq'] => prop
- three_seqe = [seq, seq, seq] => prop
- four_seqi = [seq'=>seq', seq'=>seq', seq'=>seq', seq'=>seq'] => prop
- four_seqe = [seq, seq, seq, seq] => prop
-\end{ttbox}
-
-The \verb|single_| and \verb|two_| sets of mappings for internal and
-external representations are the ones used for, say single and
-multiple conclusion sequents. The other functions are provided to
-allow rules that manipulate more than two functions, as can be seen in
-the inbuilt object logics.
-
-\item An auxiliary syntactic constant has been
-defined that directly maps a sequence to its internal representation:
-\begin{ttbox}
-"@Side" :: seq=>(seq'=>seq') ("<<(_)>>")
-\end{ttbox}
-Whenever a sequence (such as \verb|<< A, $B, $C>>|) is entered using this
-syntax, it is translated into the appropriate internal representation. This
-form can be used only where a sequence is expected.
-
-\item The \ML{} functions \texttt{single\_tr}, \texttt{two\_seq\_tr},
- \texttt{three\_seq\_tr}, \texttt{four\_seq\_tr} for parsing, that is, the
- translation from external to internal form. Analogously there are
- \texttt{single\_tr'}, \texttt{two\_seq\_tr'}, \texttt{three\_seq\_tr'},
- \texttt{four\_seq\_tr'} for pretty-printing, that is, the translation from
- internal to external form. These functions can be used in the \ML{} section
- of a theory file to specify the translations to be used. As an example of
- use, note that in {\tt LK.thy} we declare two identifiers:
-\begin{ttbox}
-val parse_translation =
- [("@Trueprop",Sequents.two_seq_tr "Trueprop")];
-val print_translation =
- [("Trueprop",Sequents.two_seq_tr' "@Trueprop")];
-\end{ttbox}
-The given parse translation will be applied whenever a \verb|@Trueprop|
-constant is found, translating using \verb|two_seq_tr| and inserting the
-constant \verb|Trueprop|. The pretty-printing translation is applied
-analogously; a term that contains \verb|Trueprop| is printed as a
-\verb|@Trueprop|.
-\end{enumerate}
-
-
--- a/doc-src/Logics/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle.pdf ""
-"$ISABELLE_TOOL" logo -o isabelle.eps ""
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Logics/document/preface.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,75 +0,0 @@
-\chapter*{Preface}
-Several logics come with Isabelle. Many of them are sufficiently developed
-to serve as comfortable reasoning environments. They are also good
-starting points for defining new logics. Each logic is distributed with
-sample proofs, some of which are described in this document.
-
-\texttt{HOL} is currently the best developed Isabelle object-logic, including
-an extensive library of (concrete) mathematics, and various packages for
-advanced definitional concepts (like (co-)inductive sets and types,
-well-founded recursion etc.). The distribution also includes some large
-applications. See the separate manual \emph{Isabelle's Logics: HOL}. There
-is also a comprehensive tutorial on Isabelle/HOL available.
-
-\texttt{ZF} provides another starting point for applications, with a slightly
-less developed library than \texttt{HOL}. \texttt{ZF}'s definitional packages
-are similar to those of \texttt{HOL}. Untyped \texttt{ZF} set theory provides
-more advanced constructions for sets than simply-typed \texttt{HOL}.
-\texttt{ZF} is built on \texttt{FOL} (first-order logic), both are described
-in a separate manual \emph{Isabelle's Logics: FOL and ZF}~\cite{isabelle-ZF}.
-
-\medskip There are some further logics distributed with Isabelle:
-\begin{ttdescription}
-\item[\thydx{CCL}] is Martin Coen's Classical Computational Logic,
- which is the basis of a preliminary method for deriving programs from
- proofs~\cite{coen92}. It is built upon classical~FOL.
-
-\item[\thydx{LCF}] is a version of Scott's Logic for Computable
- Functions, which is also implemented by the~{\sc lcf}
- system~\cite{paulson87}. It is built upon classical~FOL.
-
-\item[\thydx{HOLCF}] is a version of {\sc lcf}, defined as an extension of
- \texttt{HOL}\@. See \cite{MuellerNvOS99} for more details on \texttt{HOLCF}.
-
-\item[\thydx{CTT}] is a version of Martin-L\"of's Constructive Type
-Theory~\cite{nordstrom90}, with extensional equality. Universes are not
-included.
-
-\item[\thydx{Cube}] is Barendregt's $\lambda$-cube.
- \end{ttdescription}
-
-The directory \texttt{Sequents} contains several logics based
- upon the sequent calculus. Sequents have the form $A@1,\ldots,A@m\turn
-B@1,\ldots,B@n$; rules are applied using associative matching.
-\begin{ttdescription}
-\item[\thydx{LK}] is classical first-order logic as a sequent calculus.
-
-\item[\thydx{Modal}] implements the modal logics $T$, $S4$, and~$S43$.
-
-\item[\thydx{ILL}] implements intuitionistic linear logic.
-\end{ttdescription}
-
-The logics \texttt{CCL}, \texttt{LCF}, \texttt{Modal}, \texttt{ILL} and {\tt
- Cube} are undocumented. All object-logics' sources are distributed with
-Isabelle (see the directory \texttt{src}). They are also available for
-browsing on the WWW at
-
-\begin{center}\small
- \begin{tabular}{l}
- \url{http://www.cl.cam.ac.uk/Research/HVG/Isabelle/library/} \\
- \url{http://isabelle.in.tum.de/library/} \\
- \end{tabular}
-\end{center}
-
-Note that this is not necessarily consistent with your local sources!
-
-\medskip Do not read the \emph{Isabelle's Logics} manuals before reading
-\emph{Isabelle/HOL --- The Tutorial} or \emph{Introduction to Isabelle}, and
-performing some Isabelle proofs. Consult the {\em Reference Manual} for more
-information on tactics, packages, etc.
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "logics"
-%%% End:
--- a/doc-src/Logics/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-\documentclass[12pt,a4paper]{report}
-\usepackage{graphicx,iman,extra,ttbox,proof,latexsym,pdfsetup}
-
-%%%STILL NEEDS MODAL, LCF
-%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
-%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
-%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
-%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
-%% run ../sedindex logics to prepare index file
-\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Isabelle's Logics}
-
-\author{{\em Lawrence C. Paulson}\\
- Computer Laboratory \\ University of Cambridge \\
- \texttt{lcp@cl.cam.ac.uk}\\[3ex]
- With Contributions by Tobias Nipkow and Markus Wenzel%
- \thanks{Markus Wenzel made numerous improvements. Sara Kalvala
- contributed Chap.\ts\ref{chap:sequents}. Philippe de Groote
- wrote the first version of the logic~LK. Tobias Nipkow developed
- LCF and~Cube. Martin Coen developed~Modal with assistance
- from Rajeev Gor\'e. The research has been funded by the EPSRC
- (grants GR/G53279, GR/H40570, GR/K57381, GR/K77051, GR/M75440) and by ESPRIT
- (projects 3245: Logical Frameworks, and 6453: Types), and by the DFG
- Schwerpunktprogramm \emph{Deduktion}.} }
-
-\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
- \hrule\bigskip}
-\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
-
-\makeindex
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
-
-\pagestyle{headings}
-\sloppy
-\binperiod %%%treat . like a binary operator
-
-\begin{document}
-\maketitle
-\pagenumbering{roman} \tableofcontents \clearfirst
-\input{preface}
-\input{syntax}
-\input{LK}
-\input{Sequents}
-%%\input{Modal}
-\input{CTT}
-\bibliographystyle{plain}
-\bibliography{manual}
-\printindex
-\end{document}
--- a/doc-src/Logics/document/syntax.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,60 +0,0 @@
-%% THIS FILE IS COMMON TO ALL LOGIC MANUALS
-
-\chapter{Syntax definitions}
-The syntax of each logic is presented using a context-free grammar.
-These grammars obey the following conventions:
-\begin{itemize}
-\item identifiers denote nonterminal symbols
-\item \texttt{typewriter} font denotes terminal symbols
-\item parentheses $(\ldots)$ express grouping
-\item constructs followed by a Kleene star, such as $id^*$ and $(\ldots)^*$
-can be repeated~0 or more times
-\item alternatives are separated by a vertical bar,~$|$
-\item the symbol for alphanumeric identifiers is~{\it id\/}
-\item the symbol for scheme variables is~{\it var}
-\end{itemize}
-To reduce the number of nonterminals and grammar rules required, Isabelle's
-syntax module employs {\bf priorities},\index{priorities} or precedences.
-Each grammar rule is given by a mixfix declaration, which has a priority,
-and each argument place has a priority. This general approach handles
-infix operators that associate either to the left or to the right, as well
-as prefix and binding operators.
-
-In a syntactically valid expression, an operator's arguments never involve
-an operator of lower priority unless brackets are used. Consider
-first-order logic, where $\exists$ has lower priority than $\disj$,
-which has lower priority than $\conj$. There, $P\conj Q \disj R$
-abbreviates $(P\conj Q) \disj R$ rather than $P\conj (Q\disj R)$. Also,
-$\exists x.P\disj Q$ abbreviates $\exists x.(P\disj Q)$ rather than
-$(\exists x.P)\disj Q$. Note especially that $P\disj(\exists x.Q)$
-becomes syntactically invalid if the brackets are removed.
-
-A {\bf binder} is a symbol associated with a constant of type
-$(\sigma\To\tau)\To\tau'$. For instance, we may declare~$\forall$ as a binder
-for the constant~$All$, which has type $(\alpha\To o)\To o$. This defines the
-syntax $\forall x.t$ to mean $All(\lambda x.t)$. We can also write $\forall
-x@1\ldots x@m.t$ to abbreviate $\forall x@1. \ldots \forall x@m.t$; this is
-possible for any constant provided that $\tau$ and $\tau'$ are the same type.
-The Hilbert description operator $\varepsilon x.P\,x$ has type $(\alpha\To
-bool)\To\alpha$ and normally binds only one variable.
-ZF's bounded quantifier $\forall x\in A.P(x)$ cannot be declared as a
-binder because it has type $[i, i\To o]\To o$. The syntax for binders allows
-type constraints on bound variables, as in
-\[ \forall (x{::}\alpha) \; (y{::}\beta) \; z{::}\gamma. Q(x,y,z) \]
-
-To avoid excess detail, the logic descriptions adopt a semi-formal style.
-Infix operators and binding operators are listed in separate tables, which
-include their priorities. Grammar descriptions do not include numeric
-priorities; instead, the rules appear in order of decreasing priority.
-This should suffice for most purposes; for full details, please consult the
-actual syntax definitions in the {\tt.thy} files.
-
-Each nonterminal symbol is associated with some Isabelle type. For
-example, the formulae of first-order logic have type~$o$. Every
-Isabelle expression of type~$o$ is therefore a formula. These include
-atomic formulae such as $P$, where $P$ is a variable of type~$o$, and more
-generally expressions such as $P(t,u)$, where $P$, $t$ and~$u$ have
-suitable types. Therefore, `expression of type~$o$' is listed as a
-separate possibility in the grammar for formulae.
-
-
--- a/doc-src/Main/Main_Doc.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,596 +0,0 @@
-(*<*)
-theory Main_Doc
-imports Main
-begin
-
-setup {*
- let
- fun pretty_term_type_only ctxt (t, T) =
- (if fastype_of t = Sign.certify_typ (Proof_Context.theory_of ctxt) T then ()
- else error "term_type_only: type mismatch";
- Syntax.pretty_typ ctxt T)
- in
- Thy_Output.antiquotation @{binding term_type_only}
- (Args.term -- Args.typ_abbrev)
- (fn {source, context = ctxt, ...} => fn arg =>
- Thy_Output.output ctxt
- (Thy_Output.maybe_pretty_source pretty_term_type_only ctxt source [arg]))
- end
-*}
-setup {*
- Thy_Output.antiquotation @{binding expanded_typ} (Args.typ >> single)
- (fn {source, context, ...} => Thy_Output.output context o
- Thy_Output.maybe_pretty_source Syntax.pretty_typ context source)
-*}
-(*>*)
-text{*
-
-\begin{abstract}
-This document lists the main types, functions and syntax provided by theory @{theory Main}. It is meant as a quick overview of what is available. The sophisticated class structure is only hinted at. For details see \url{http://isabelle.in.tum.de/library/HOL/}.
-\end{abstract}
-
-\section{HOL}
-
-The basic logic: @{prop "x = y"}, @{const True}, @{const False}, @{prop"Not P"}, @{prop"P & Q"}, @{prop "P | Q"}, @{prop "P --> Q"}, @{prop"ALL x. P"}, @{prop"EX x. P"}, @{prop"EX! x. P"}, @{term"THE x. P"}.
-\smallskip
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const HOL.undefined} & @{typeof HOL.undefined}\\
-@{const HOL.default} & @{typeof HOL.default}\\
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{term"~(x = y)"} & @{term[source]"\<not> (x = y)"} & (\verb$~=$)\\
-@{term[source]"P \<longleftrightarrow> Q"} & @{term"P \<longleftrightarrow> Q"} \\
-@{term"If x y z"} & @{term[source]"If x y z"}\\
-@{term"Let e\<^isub>1 (%x. e\<^isub>2)"} & @{term[source]"Let e\<^isub>1 (\<lambda>x. e\<^isub>2)"}\\
-\end{supertabular}
-
-
-\section{Orderings}
-
-A collection of classes defining basic orderings:
-preorder, partial order, linear order, dense linear order and wellorder.
-\smallskip
-
-\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
-@{const Orderings.less_eq} & @{typeof Orderings.less_eq} & (\verb$<=$)\\
-@{const Orderings.less} & @{typeof Orderings.less}\\
-@{const Orderings.Least} & @{typeof Orderings.Least}\\
-@{const Orderings.min} & @{typeof Orderings.min}\\
-@{const Orderings.max} & @{typeof Orderings.max}\\
-@{const[source] top} & @{typeof Orderings.top}\\
-@{const[source] bot} & @{typeof Orderings.bot}\\
-@{const Orderings.mono} & @{typeof Orderings.mono}\\
-@{const Orderings.strict_mono} & @{typeof Orderings.strict_mono}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{term[source]"x \<ge> y"} & @{term"x \<ge> y"} & (\verb$>=$)\\
-@{term[source]"x > y"} & @{term"x > y"}\\
-@{term"ALL x<=y. P"} & @{term[source]"\<forall>x. x \<le> y \<longrightarrow> P"}\\
-@{term"EX x<=y. P"} & @{term[source]"\<exists>x. x \<le> y \<and> P"}\\
-\multicolumn{2}{@ {}l@ {}}{Similarly for $<$, $\ge$ and $>$}\\
-@{term"LEAST x. P"} & @{term[source]"Least (\<lambda>x. P)"}\\
-\end{supertabular}
-
-
-\section{Lattices}
-
-Classes semilattice, lattice, distributive lattice and complete lattice (the
-latter in theory @{theory Set}).
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Lattices.inf} & @{typeof Lattices.inf}\\
-@{const Lattices.sup} & @{typeof Lattices.sup}\\
-@{const Complete_Lattices.Inf} & @{term_type_only Complete_Lattices.Inf "'a set \<Rightarrow> 'a::Inf"}\\
-@{const Complete_Lattices.Sup} & @{term_type_only Complete_Lattices.Sup "'a set \<Rightarrow> 'a::Sup"}\\
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-Available by loading theory @{text Lattice_Syntax} in directory @{text
-Library}.
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{text[source]"x \<sqsubseteq> y"} & @{term"x \<le> y"}\\
-@{text[source]"x \<sqsubset> y"} & @{term"x < y"}\\
-@{text[source]"x \<sqinter> y"} & @{term"inf x y"}\\
-@{text[source]"x \<squnion> y"} & @{term"sup x y"}\\
-@{text[source]"\<Sqinter> A"} & @{term"Sup A"}\\
-@{text[source]"\<Squnion> A"} & @{term"Inf A"}\\
-@{text[source]"\<top>"} & @{term[source] top}\\
-@{text[source]"\<bottom>"} & @{term[source] bot}\\
-\end{supertabular}
-
-
-\section{Set}
-
-%Sets are predicates: @{text[source]"'a set = 'a \<Rightarrow> bool"}
-%\bigskip
-
-\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
-@{const Set.empty} & @{term_type_only "Set.empty" "'a set"}\\
-@{const Set.insert} & @{term_type_only insert "'a\<Rightarrow>'a set\<Rightarrow>'a set"}\\
-@{const Collect} & @{term_type_only Collect "('a\<Rightarrow>bool)\<Rightarrow>'a set"}\\
-@{const Set.member} & @{term_type_only Set.member "'a\<Rightarrow>'a set\<Rightarrow>bool"} & (\texttt{:})\\
-@{const Set.union} & @{term_type_only Set.union "'a set\<Rightarrow>'a set \<Rightarrow> 'a set"} & (\texttt{Un})\\
-@{const Set.inter} & @{term_type_only Set.inter "'a set\<Rightarrow>'a set \<Rightarrow> 'a set"} & (\texttt{Int})\\
-@{const UNION} & @{term_type_only UNION "'a set\<Rightarrow>('a \<Rightarrow> 'b set) \<Rightarrow> 'b set"}\\
-@{const INTER} & @{term_type_only INTER "'a set\<Rightarrow>('a \<Rightarrow> 'b set) \<Rightarrow> 'b set"}\\
-@{const Union} & @{term_type_only Union "'a set set\<Rightarrow>'a set"}\\
-@{const Inter} & @{term_type_only Inter "'a set set\<Rightarrow>'a set"}\\
-@{const Pow} & @{term_type_only Pow "'a set \<Rightarrow>'a set set"}\\
-@{const UNIV} & @{term_type_only UNIV "'a set"}\\
-@{const image} & @{term_type_only image "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>'b set"}\\
-@{const Ball} & @{term_type_only Ball "'a set\<Rightarrow>('a\<Rightarrow>bool)\<Rightarrow>bool"}\\
-@{const Bex} & @{term_type_only Bex "'a set\<Rightarrow>('a\<Rightarrow>bool)\<Rightarrow>bool"}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{text"{x\<^isub>1,\<dots>,x\<^isub>n}"} & @{text"insert x\<^isub>1 (\<dots> (insert x\<^isub>n {})\<dots>)"}\\
-@{term"x ~: A"} & @{term[source]"\<not>(x \<in> A)"}\\
-@{term"A \<subseteq> B"} & @{term[source]"A \<le> B"}\\
-@{term"A \<subset> B"} & @{term[source]"A < B"}\\
-@{term[source]"A \<supseteq> B"} & @{term[source]"B \<le> A"}\\
-@{term[source]"A \<supset> B"} & @{term[source]"B < A"}\\
-@{term"{x. P}"} & @{term[source]"Collect (\<lambda>x. P)"}\\
-@{term[mode=xsymbols]"UN x:I. A"} & @{term[source]"UNION I (\<lambda>x. A)"} & (\texttt{UN})\\
-@{term[mode=xsymbols]"UN x. A"} & @{term[source]"UNION UNIV (\<lambda>x. A)"}\\
-@{term[mode=xsymbols]"INT x:I. A"} & @{term[source]"INTER I (\<lambda>x. A)"} & (\texttt{INT})\\
-@{term[mode=xsymbols]"INT x. A"} & @{term[source]"INTER UNIV (\<lambda>x. A)"}\\
-@{term"ALL x:A. P"} & @{term[source]"Ball A (\<lambda>x. P)"}\\
-@{term"EX x:A. P"} & @{term[source]"Bex A (\<lambda>x. P)"}\\
-@{term"range f"} & @{term[source]"f ` UNIV"}\\
-\end{supertabular}
-
-
-\section{Fun}
-
-\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
-@{const "Fun.id"} & @{typeof Fun.id}\\
-@{const "Fun.comp"} & @{typeof Fun.comp} & (\texttt{o})\\
-@{const "Fun.inj_on"} & @{term_type_only Fun.inj_on "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>bool"}\\
-@{const "Fun.inj"} & @{typeof Fun.inj}\\
-@{const "Fun.surj"} & @{typeof Fun.surj}\\
-@{const "Fun.bij"} & @{typeof Fun.bij}\\
-@{const "Fun.bij_betw"} & @{term_type_only Fun.bij_betw "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>'b set\<Rightarrow>bool"}\\
-@{const "Fun.fun_upd"} & @{typeof Fun.fun_upd}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term"fun_upd f x y"} & @{term[source]"fun_upd f x y"}\\
-@{text"f(x\<^isub>1:=y\<^isub>1,\<dots>,x\<^isub>n:=y\<^isub>n)"} & @{text"f(x\<^isub>1:=y\<^isub>1)\<dots>(x\<^isub>n:=y\<^isub>n)"}\\
-\end{tabular}
-
-
-\section{Hilbert\_Choice}
-
-Hilbert's selection ($\varepsilon$) operator: @{term"SOME x. P"}.
-\smallskip
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Hilbert_Choice.inv_into} & @{term_type_only Hilbert_Choice.inv_into "'a set \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> ('b \<Rightarrow> 'a)"}
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term inv} & @{term[source]"inv_into UNIV"}
-\end{tabular}
-
-\section{Fixed Points}
-
-Theory: @{theory Inductive}.
-
-Least and greatest fixed points in a complete lattice @{typ 'a}:
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Inductive.lfp} & @{typeof Inductive.lfp}\\
-@{const Inductive.gfp} & @{typeof Inductive.gfp}\\
-\end{tabular}
-
-Note that in particular sets (@{typ"'a \<Rightarrow> bool"}) are complete lattices.
-
-\section{Sum\_Type}
-
-Type constructor @{text"+"}.
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Sum_Type.Inl} & @{typeof Sum_Type.Inl}\\
-@{const Sum_Type.Inr} & @{typeof Sum_Type.Inr}\\
-@{const Sum_Type.Plus} & @{term_type_only Sum_Type.Plus "'a set\<Rightarrow>'b set\<Rightarrow>('a+'b)set"}
-\end{tabular}
-
-
-\section{Product\_Type}
-
-Types @{typ unit} and @{text"\<times>"}.
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const Product_Type.Unity} & @{typeof Product_Type.Unity}\\
-@{const Pair} & @{typeof Pair}\\
-@{const fst} & @{typeof fst}\\
-@{const snd} & @{typeof snd}\\
-@{const split} & @{typeof split}\\
-@{const curry} & @{typeof curry}\\
-@{const Product_Type.Sigma} & @{term_type_only Product_Type.Sigma "'a set\<Rightarrow>('a\<Rightarrow>'b set)\<Rightarrow>('a*'b)set"}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} ll @ {}}
-@{term"Pair a b"} & @{term[source]"Pair a b"}\\
-@{term"split (\<lambda>x y. t)"} & @{term[source]"split (\<lambda>x y. t)"}\\
-@{term"A <*> B"} & @{text"Sigma A (\<lambda>\<^raw:\_>. B)"} & (\verb$<*>$)
-\end{tabular}
-
-Pairs may be nested. Nesting to the right is printed as a tuple,
-e.g.\ \mbox{@{term"(a,b,c)"}} is really \mbox{@{text"(a, (b, c))"}.}
-Pattern matching with pairs and tuples extends to all binders,
-e.g.\ \mbox{@{prop"ALL (x,y):A. P"},} @{term"{(x,y). P}"}, etc.
-
-
-\section{Relation}
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Relation.converse} & @{term_type_only Relation.converse "('a * 'b)set \<Rightarrow> ('b*'a)set"}\\
-@{const Relation.relcomp} & @{term_type_only Relation.relcomp "('a*'b)set\<Rightarrow>('b*'c)set\<Rightarrow>('a*'c)set"}\\
-@{const Relation.Image} & @{term_type_only Relation.Image "('a*'b)set\<Rightarrow>'a set\<Rightarrow>'b set"}\\
-@{const Relation.inv_image} & @{term_type_only Relation.inv_image "('a*'a)set\<Rightarrow>('b\<Rightarrow>'a)\<Rightarrow>('b*'b)set"}\\
-@{const Relation.Id_on} & @{term_type_only Relation.Id_on "'a set\<Rightarrow>('a*'a)set"}\\
-@{const Relation.Id} & @{term_type_only Relation.Id "('a*'a)set"}\\
-@{const Relation.Domain} & @{term_type_only Relation.Domain "('a*'b)set\<Rightarrow>'a set"}\\
-@{const Relation.Range} & @{term_type_only Relation.Range "('a*'b)set\<Rightarrow>'b set"}\\
-@{const Relation.Field} & @{term_type_only Relation.Field "('a*'a)set\<Rightarrow>'a set"}\\
-@{const Relation.refl_on} & @{term_type_only Relation.refl_on "'a set\<Rightarrow>('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.refl} & @{term_type_only Relation.refl "('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.sym} & @{term_type_only Relation.sym "('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.antisym} & @{term_type_only Relation.antisym "('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.trans} & @{term_type_only Relation.trans "('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.irrefl} & @{term_type_only Relation.irrefl "('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.total_on} & @{term_type_only Relation.total_on "'a set\<Rightarrow>('a*'a)set\<Rightarrow>bool"}\\
-@{const Relation.total} & @{term_type_only Relation.total "('a*'a)set\<Rightarrow>bool"}\\
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{term"converse r"} & @{term[source]"converse r"} & (\verb$^-1$)
-\end{tabular}
-\medskip
-
-\noindent
-Type synonym \ @{typ"'a rel"} @{text"="} @{expanded_typ "'a rel"}
-
-\section{Equiv\_Relations}
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const Equiv_Relations.equiv} & @{term_type_only Equiv_Relations.equiv "'a set \<Rightarrow> ('a*'a)set\<Rightarrow>bool"}\\
-@{const Equiv_Relations.quotient} & @{term_type_only Equiv_Relations.quotient "'a set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> 'a set set"}\\
-@{const Equiv_Relations.congruent} & @{term_type_only Equiv_Relations.congruent "('a*'a)set\<Rightarrow>('a\<Rightarrow>'b)\<Rightarrow>bool"}\\
-@{const Equiv_Relations.congruent2} & @{term_type_only Equiv_Relations.congruent2 "('a*'a)set\<Rightarrow>('b*'b)set\<Rightarrow>('a\<Rightarrow>'b\<Rightarrow>'c)\<Rightarrow>bool"}\\
-%@ {const Equiv_Relations.} & @ {term_type_only Equiv_Relations. ""}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term"congruent r f"} & @{term[source]"congruent r f"}\\
-@{term"congruent2 r r f"} & @{term[source]"congruent2 r r f"}\\
-\end{tabular}
-
-
-\section{Transitive\_Closure}
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Transitive_Closure.rtrancl} & @{term_type_only Transitive_Closure.rtrancl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
-@{const Transitive_Closure.trancl} & @{term_type_only Transitive_Closure.trancl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
-@{const Transitive_Closure.reflcl} & @{term_type_only Transitive_Closure.reflcl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
-@{const Transitive_Closure.acyclic} & @{term_type_only Transitive_Closure.acyclic "('a*'a)set\<Rightarrow>bool"}\\
-@{const compower} & @{term_type_only "op ^^ :: ('a*'a)set\<Rightarrow>nat\<Rightarrow>('a*'a)set" "('a*'a)set\<Rightarrow>nat\<Rightarrow>('a*'a)set"}\\
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{term"rtrancl r"} & @{term[source]"rtrancl r"} & (\verb$^*$)\\
-@{term"trancl r"} & @{term[source]"trancl r"} & (\verb$^+$)\\
-@{term"reflcl r"} & @{term[source]"reflcl r"} & (\verb$^=$)
-\end{tabular}
-
-
-\section{Algebra}
-
-Theories @{theory Groups}, @{theory Rings}, @{theory Fields} and @{theory
-Divides} define a large collection of classes describing common algebraic
-structures from semigroups up to fields. Everything is done in terms of
-overloaded operators:
-
-\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
-@{text "0"} & @{typeof zero}\\
-@{text "1"} & @{typeof one}\\
-@{const plus} & @{typeof plus}\\
-@{const minus} & @{typeof minus}\\
-@{const uminus} & @{typeof uminus} & (\verb$-$)\\
-@{const times} & @{typeof times}\\
-@{const inverse} & @{typeof inverse}\\
-@{const divide} & @{typeof divide}\\
-@{const abs} & @{typeof abs}\\
-@{const sgn} & @{typeof sgn}\\
-@{const dvd_class.dvd} & @{typeof "dvd_class.dvd"}\\
-@{const div_class.div} & @{typeof "div_class.div"}\\
-@{const div_class.mod} & @{typeof "div_class.mod"}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term"abs x"} & @{term[source]"abs x"}
-\end{tabular}
-
-
-\section{Nat}
-
-@{datatype nat}
-\bigskip
-
-\begin{tabular}{@ {} lllllll @ {}}
-@{term "op + :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "op - :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "op * :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "op ^ :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "op div :: nat \<Rightarrow> nat \<Rightarrow> nat"}&
-@{term "op mod :: nat \<Rightarrow> nat \<Rightarrow> nat"}&
-@{term "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool"}\\
-@{term "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"} &
-@{term "op < :: nat \<Rightarrow> nat \<Rightarrow> bool"} &
-@{term "min :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "max :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
-@{term "Min :: nat set \<Rightarrow> nat"} &
-@{term "Max :: nat set \<Rightarrow> nat"}\\
-\end{tabular}
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Nat.of_nat} & @{typeof Nat.of_nat}\\
-@{term "op ^^ :: ('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a"} &
- @{term_type_only "op ^^ :: ('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a" "('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a"}
-\end{tabular}
-
-\section{Int}
-
-Type @{typ int}
-\bigskip
-
-\begin{tabular}{@ {} llllllll @ {}}
-@{term "op + :: int \<Rightarrow> int \<Rightarrow> int"} &
-@{term "op - :: int \<Rightarrow> int \<Rightarrow> int"} &
-@{term "uminus :: int \<Rightarrow> int"} &
-@{term "op * :: int \<Rightarrow> int \<Rightarrow> int"} &
-@{term "op ^ :: int \<Rightarrow> nat \<Rightarrow> int"} &
-@{term "op div :: int \<Rightarrow> int \<Rightarrow> int"}&
-@{term "op mod :: int \<Rightarrow> int \<Rightarrow> int"}&
-@{term "op dvd :: int \<Rightarrow> int \<Rightarrow> bool"}\\
-@{term "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"} &
-@{term "op < :: int \<Rightarrow> int \<Rightarrow> bool"} &
-@{term "min :: int \<Rightarrow> int \<Rightarrow> int"} &
-@{term "max :: int \<Rightarrow> int \<Rightarrow> int"} &
-@{term "Min :: int set \<Rightarrow> int"} &
-@{term "Max :: int set \<Rightarrow> int"}\\
-@{term "abs :: int \<Rightarrow> int"} &
-@{term "sgn :: int \<Rightarrow> int"}\\
-\end{tabular}
-
-\begin{tabular}{@ {} l @ {~::~} l l @ {}}
-@{const Int.nat} & @{typeof Int.nat}\\
-@{const Int.of_int} & @{typeof Int.of_int}\\
-@{const Int.Ints} & @{term_type_only Int.Ints "'a::ring_1 set"} & (\verb$Ints$)
-\end{tabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term"of_nat::nat\<Rightarrow>int"} & @{term[source]"of_nat"}\\
-\end{tabular}
-
-
-\section{Finite\_Set}
-
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const Finite_Set.finite} & @{term_type_only Finite_Set.finite "'a set\<Rightarrow>bool"}\\
-@{const Finite_Set.card} & @{term_type_only Finite_Set.card "'a set => nat"}\\
-@{const Finite_Set.fold} & @{term_type_only Finite_Set.fold "('a \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'b \<Rightarrow> 'a set \<Rightarrow> 'b"}\\
-@{const Finite_Set.fold_image} & @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> 'b \<Rightarrow> 'a set \<Rightarrow> 'b"}\\
-@{const Big_Operators.setsum} & @{term_type_only Big_Operators.setsum "('a => 'b) => 'a set => 'b::comm_monoid_add"}\\
-@{const Big_Operators.setprod} & @{term_type_only Big_Operators.setprod "('a => 'b) => 'a set => 'b::comm_monoid_mult"}\\
-\end{supertabular}
-
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
-@{term"setsum (%x. x) A"} & @{term[source]"setsum (\<lambda>x. x) A"} & (\verb$SUM$)\\
-@{term"setsum (%x. t) A"} & @{term[source]"setsum (\<lambda>x. t) A"}\\
-@{term[source]"\<Sum>x|P. t"} & @{term"\<Sum>x|P. t"}\\
-\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Prod>"} instead of @{text"\<Sum>"}} & (\verb$PROD$)\\
-\end{supertabular}
-
-
-\section{Wellfounded}
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const Wellfounded.wf} & @{term_type_only Wellfounded.wf "('a*'a)set\<Rightarrow>bool"}\\
-@{const Wellfounded.acc} & @{term_type_only Wellfounded.acc "('a*'a)set\<Rightarrow>'a set"}\\
-@{const Wellfounded.measure} & @{term_type_only Wellfounded.measure "('a\<Rightarrow>nat)\<Rightarrow>('a*'a)set"}\\
-@{const Wellfounded.lex_prod} & @{term_type_only Wellfounded.lex_prod "('a*'a)set\<Rightarrow>('b*'b)set\<Rightarrow>(('a*'b)*('a*'b))set"}\\
-@{const Wellfounded.mlex_prod} & @{term_type_only Wellfounded.mlex_prod "('a\<Rightarrow>nat)\<Rightarrow>('a*'a)set\<Rightarrow>('a*'a)set"}\\
-@{const Wellfounded.less_than} & @{term_type_only Wellfounded.less_than "(nat*nat)set"}\\
-@{const Wellfounded.pred_nat} & @{term_type_only Wellfounded.pred_nat "(nat*nat)set"}\\
-\end{supertabular}
-
-
-\section{SetInterval}
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const lessThan} & @{term_type_only lessThan "'a::ord \<Rightarrow> 'a set"}\\
-@{const atMost} & @{term_type_only atMost "'a::ord \<Rightarrow> 'a set"}\\
-@{const greaterThan} & @{term_type_only greaterThan "'a::ord \<Rightarrow> 'a set"}\\
-@{const atLeast} & @{term_type_only atLeast "'a::ord \<Rightarrow> 'a set"}\\
-@{const greaterThanLessThan} & @{term_type_only greaterThanLessThan "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
-@{const atLeastLessThan} & @{term_type_only atLeastLessThan "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
-@{const greaterThanAtMost} & @{term_type_only greaterThanAtMost "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
-@{const atLeastAtMost} & @{term_type_only atLeastAtMost "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term "lessThan y"} & @{term[source] "lessThan y"}\\
-@{term "atMost y"} & @{term[source] "atMost y"}\\
-@{term "greaterThan x"} & @{term[source] "greaterThan x"}\\
-@{term "atLeast x"} & @{term[source] "atLeast x"}\\
-@{term "greaterThanLessThan x y"} & @{term[source] "greaterThanLessThan x y"}\\
-@{term "atLeastLessThan x y"} & @{term[source] "atLeastLessThan x y"}\\
-@{term "greaterThanAtMost x y"} & @{term[source] "greaterThanAtMost x y"}\\
-@{term "atLeastAtMost x y"} & @{term[source] "atLeastAtMost x y"}\\
-@{term[mode=xsymbols] "UN i:{..n}. A"} & @{term[source] "\<Union> i \<in> {..n}. A"}\\
-@{term[mode=xsymbols] "UN i:{..<n}. A"} & @{term[source] "\<Union> i \<in> {..<n}. A"}\\
-\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Inter>"} instead of @{text"\<Union>"}}\\
-@{term "setsum (%x. t) {a..b}"} & @{term[source] "setsum (\<lambda>x. t) {a..b}"}\\
-@{term "setsum (%x. t) {a..<b}"} & @{term[source] "setsum (\<lambda>x. t) {a..<b}"}\\
-@{term "setsum (%x. t) {..b}"} & @{term[source] "setsum (\<lambda>x. t) {..b}"}\\
-@{term "setsum (%x. t) {..<b}"} & @{term[source] "setsum (\<lambda>x. t) {..<b}"}\\
-\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Prod>"} instead of @{text"\<Sum>"}}\\
-\end{supertabular}
-
-
-\section{Power}
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Power.power} & @{typeof Power.power}
-\end{tabular}
-
-
-\section{Option}
-
-@{datatype option}
-\bigskip
-
-\begin{tabular}{@ {} l @ {~::~} l @ {}}
-@{const Option.the} & @{typeof Option.the}\\
-@{const Option.map} & @{typ[source]"('a \<Rightarrow> 'b) \<Rightarrow> 'a option \<Rightarrow> 'b option"}\\
-@{const Option.set} & @{term_type_only Option.set "'a option \<Rightarrow> 'a set"}\\
-@{const Option.bind} & @{term_type_only Option.bind "'a option \<Rightarrow> ('a \<Rightarrow> 'b option) \<Rightarrow> 'b option"}
-\end{tabular}
-
-\section{List}
-
-@{datatype list}
-\bigskip
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const List.append} & @{typeof List.append}\\
-@{const List.butlast} & @{typeof List.butlast}\\
-@{const List.concat} & @{typeof List.concat}\\
-@{const List.distinct} & @{typeof List.distinct}\\
-@{const List.drop} & @{typeof List.drop}\\
-@{const List.dropWhile} & @{typeof List.dropWhile}\\
-@{const List.filter} & @{typeof List.filter}\\
-@{const List.find} & @{typeof List.find}\\
-@{const List.fold} & @{typeof List.fold}\\
-@{const List.foldr} & @{typeof List.foldr}\\
-@{const List.foldl} & @{typeof List.foldl}\\
-@{const List.hd} & @{typeof List.hd}\\
-@{const List.last} & @{typeof List.last}\\
-@{const List.length} & @{typeof List.length}\\
-@{const List.lenlex} & @{term_type_only List.lenlex "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
-@{const List.lex} & @{term_type_only List.lex "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
-@{const List.lexn} & @{term_type_only List.lexn "('a*'a)set\<Rightarrow>nat\<Rightarrow>('a list * 'a list)set"}\\
-@{const List.lexord} & @{term_type_only List.lexord "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
-@{const List.listrel} & @{term_type_only List.listrel "('a*'b)set\<Rightarrow>('a list * 'b list)set"}\\
-@{const List.listrel1} & @{term_type_only List.listrel1 "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
-@{const List.lists} & @{term_type_only List.lists "'a set\<Rightarrow>'a list set"}\\
-@{const List.listset} & @{term_type_only List.listset "'a set list \<Rightarrow> 'a list set"}\\
-@{const List.listsum} & @{typeof List.listsum}\\
-@{const List.list_all2} & @{typeof List.list_all2}\\
-@{const List.list_update} & @{typeof List.list_update}\\
-@{const List.map} & @{typeof List.map}\\
-@{const List.measures} & @{term_type_only List.measures "('a\<Rightarrow>nat)list\<Rightarrow>('a*'a)set"}\\
-@{const List.nth} & @{typeof List.nth}\\
-@{const List.remdups} & @{typeof List.remdups}\\
-@{const List.removeAll} & @{typeof List.removeAll}\\
-@{const List.remove1} & @{typeof List.remove1}\\
-@{const List.replicate} & @{typeof List.replicate}\\
-@{const List.rev} & @{typeof List.rev}\\
-@{const List.rotate} & @{typeof List.rotate}\\
-@{const List.rotate1} & @{typeof List.rotate1}\\
-@{const List.set} & @{term_type_only List.set "'a list \<Rightarrow> 'a set"}\\
-@{const List.sort} & @{typeof List.sort}\\
-@{const List.sorted} & @{typeof List.sorted}\\
-@{const List.splice} & @{typeof List.splice}\\
-@{const List.sublist} & @{typeof List.sublist}\\
-@{const List.take} & @{typeof List.take}\\
-@{const List.takeWhile} & @{typeof List.takeWhile}\\
-@{const List.tl} & @{typeof List.tl}\\
-@{const List.upt} & @{typeof List.upt}\\
-@{const List.upto} & @{typeof List.upto}\\
-@{const List.zip} & @{typeof List.zip}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{text"[x\<^isub>1,\<dots>,x\<^isub>n]"} & @{text"x\<^isub>1 # \<dots> # x\<^isub>n # []"}\\
-@{term"[m..<n]"} & @{term[source]"upt m n"}\\
-@{term"[i..j]"} & @{term[source]"upto i j"}\\
-@{text"[e. x \<leftarrow> xs]"} & @{term"map (%x. e) xs"}\\
-@{term"[x \<leftarrow> xs. b]"} & @{term[source]"filter (\<lambda>x. b) xs"} \\
-@{term"xs[n := x]"} & @{term[source]"list_update xs n x"}\\
-@{term"\<Sum>x\<leftarrow>xs. e"} & @{term[source]"listsum (map (\<lambda>x. e) xs)"}\\
-\end{supertabular}
-\medskip
-
-List comprehension: @{text"[e. q\<^isub>1, \<dots>, q\<^isub>n]"} where each
-qualifier @{text q\<^isub>i} is either a generator \mbox{@{text"pat \<leftarrow> e"}} or a
-guard, i.e.\ boolean expression.
-
-\section{Map}
-
-Maps model partial functions and are often used as finite tables. However,
-the domain of a map may be infinite.
-
-\begin{supertabular}{@ {} l @ {~::~} l @ {}}
-@{const Map.empty} & @{typeof Map.empty}\\
-@{const Map.map_add} & @{typeof Map.map_add}\\
-@{const Map.map_comp} & @{typeof Map.map_comp}\\
-@{const Map.restrict_map} & @{term_type_only Map.restrict_map "('a\<Rightarrow>'b option)\<Rightarrow>'a set\<Rightarrow>('a\<Rightarrow>'b option)"}\\
-@{const Map.dom} & @{term_type_only Map.dom "('a\<Rightarrow>'b option)\<Rightarrow>'a set"}\\
-@{const Map.ran} & @{term_type_only Map.ran "('a\<Rightarrow>'b option)\<Rightarrow>'b set"}\\
-@{const Map.map_le} & @{typeof Map.map_le}\\
-@{const Map.map_of} & @{typeof Map.map_of}\\
-@{const Map.map_upds} & @{typeof Map.map_upds}\\
-\end{supertabular}
-
-\subsubsection*{Syntax}
-
-\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
-@{term"Map.empty"} & @{term"\<lambda>x. None"}\\
-@{term"m(x:=Some y)"} & @{term[source]"m(x:=Some y)"}\\
-@{text"m(x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n)"} & @{text[source]"m(x\<^isub>1\<mapsto>y\<^isub>1)\<dots>(x\<^isub>n\<mapsto>y\<^isub>n)"}\\
-@{text"[x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n]"} & @{text[source]"Map.empty(x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n)"}\\
-@{term"map_upds m xs ys"} & @{term[source]"map_upds m xs ys"}\\
-\end{tabular}
-
-*}
-(*<*)
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/Main/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" latex -o sty
-cp "$ISABELLE_HOME/doc-src/pdfsetup.sty" .
-
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-
--- a/doc-src/Main/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,38 +0,0 @@
-\documentclass[12pt,a4paper]{article}
-
-\oddsidemargin=4.6mm
-\evensidemargin=4.6mm
-\textwidth=150mm
-\topmargin=4.6mm
-\headheight=0mm
-\headsep=0mm
-\textheight=234mm
-
-\usepackage{isabelle,isabellesym}
-\usepackage{amssymb}
-\usepackage[only,bigsqcap]{stmaryrd}
-
-% this should be the last package used
-\usepackage{pdfsetup}
-
-% urls in roman style, theory text in math-similar italics
-\urlstyle{rm}
-\isabellestyle{it}
-
-% for uniform font size
-\renewcommand{\isastyle}{\isastyleminor}
-
-\parindent 0pt\parskip 0.5ex
-
-\usepackage{supertabular}
-
-\begin{document}
-
-\title{What's in Main}
-\author{Tobias Nipkow}
-\date{\today}
-\maketitle
-
-\input{Main_Doc.tex}
-
-\end{document}
--- a/doc-src/Nitpick/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_nitpick.pdf "Nitpick"
-"$ISABELLE_TOOL" logo -o isabelle_nitpick.eps "Nitpick"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Nitpick/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2906 +0,0 @@
-\documentclass[a4paper,12pt]{article}
-\usepackage[T1]{fontenc}
-\usepackage{amsmath}
-\usepackage{amssymb}
-\usepackage[english,french]{babel}
-\usepackage{color}
-\usepackage{footmisc}
-\usepackage{graphicx}
-%\usepackage{mathpazo}
-\usepackage{multicol}
-\usepackage{stmaryrd}
-%\usepackage[scaled=.85]{beramono}
-\usepackage{isabelle,iman,pdfsetup}
-
-%\oddsidemargin=4.6mm
-%\evensidemargin=4.6mm
-%\textwidth=150mm
-%\topmargin=4.6mm
-%\headheight=0mm
-%\headsep=0mm
-%\textheight=234mm
-
-\def\Colon{\mathord{:\mkern-1.5mu:}}
-%\def\lbrakk{\mathopen{\lbrack\mkern-3.25mu\lbrack}}
-%\def\rbrakk{\mathclose{\rbrack\mkern-3.255mu\rbrack}}
-\def\lparr{\mathopen{(\mkern-4mu\mid}}
-\def\rparr{\mathclose{\mid\mkern-4mu)}}
-
-\def\unk{{?}}
-\def\unkef{(\lambda x.\; \unk)}
-\def\undef{(\lambda x.\; \_)}
-%\def\unr{\textit{others}}
-\def\unr{\ldots}
-\def\Abs#1{\hbox{\rm{\flqq}}{\,#1\,}\hbox{\rm{\frqq}}}
-\def\Q{{\smash{\lower.2ex\hbox{$\scriptstyle?$}}}}
-
-\hyphenation{Mini-Sat size-change First-Steps grand-parent nit-pick
-counter-example counter-examples data-type data-types co-data-type
-co-data-types in-duc-tive co-in-duc-tive}
-
-\urlstyle{tt}
-
-\begin{document}
-
-%%% TYPESETTING
-%\renewcommand\labelitemi{$\bullet$}
-\renewcommand\labelitemi{\raise.065ex\hbox{\small\textbullet}}
-
-\selectlanguage{english}
-
-\title{\includegraphics[scale=0.5]{isabelle_nitpick} \\[4ex]
-Picking Nits \\[\smallskipamount]
-\Large A User's Guide to Nitpick for Isabelle/HOL}
-\author{\hbox{} \\
-Jasmin Christian Blanchette \\
-{\normalsize Institut f\"ur Informatik, Technische Universit\"at M\"unchen} \\
-\hbox{}}
-
-\maketitle
-
-\tableofcontents
-
-\setlength{\parskip}{.7em plus .2em minus .1em}
-\setlength{\parindent}{0pt}
-\setlength{\abovedisplayskip}{\parskip}
-\setlength{\abovedisplayshortskip}{.9\parskip}
-\setlength{\belowdisplayskip}{\parskip}
-\setlength{\belowdisplayshortskip}{.9\parskip}
-
-% General-purpose enum environment with correct spacing
-\newenvironment{enum}%
- {\begin{list}{}{%
- \setlength{\topsep}{.1\parskip}%
- \setlength{\partopsep}{.1\parskip}%
- \setlength{\itemsep}{\parskip}%
- \advance\itemsep by-\parsep}}
- {\end{list}}
-
-\def\pre{\begingroup\vskip0pt plus1ex\advance\leftskip by\leftmargin
-\advance\rightskip by\leftmargin}
-\def\post{\vskip0pt plus1ex\endgroup}
-
-\def\prew{\pre\advance\rightskip by-\leftmargin}
-\def\postw{\post}
-
-\section{Introduction}
-\label{introduction}
-
-Nitpick \cite{blanchette-nipkow-2010} is a counterexample generator for
-Isabelle/HOL \cite{isa-tutorial} that is designed to handle formulas
-combining (co)in\-duc\-tive datatypes, (co)in\-duc\-tively defined predicates, and
-quantifiers. It builds on Kodkod \cite{torlak-jackson-2007}, a highly optimized
-first-order relational model finder developed by the Software Design Group at
-MIT. It is conceptually similar to Refute \cite{weber-2008}, from which it
-borrows many ideas and code fragments, but it benefits from Kodkod's
-optimizations and a new encoding scheme. The name Nitpick is shamelessly
-appropriated from a now retired Alloy precursor.
-
-Nitpick is easy to use---you simply enter \textbf{nitpick} after a putative
-theorem and wait a few seconds. Nonetheless, there are situations where knowing
-how it works under the hood and how it reacts to various options helps
-increase the test coverage. This manual also explains how to install the tool on
-your workstation. Should the motivation fail you, think of the many hours of
-hard work Nitpick will save you. Proving non-theorems is \textsl{hard work}.
-
-Another common use of Nitpick is to find out whether the axioms of a locale are
-satisfiable, while the locale is being developed. To check this, it suffices to
-write
-
-\prew
-\textbf{lemma}~``$\textit{False\/}$'' \\
-\textbf{nitpick}~[\textit{show\_all}]
-\postw
-
-after the locale's \textbf{begin} keyword. To falsify \textit{False}, Nitpick
-must find a model for the axioms. If it finds no model, we have an indication
-that the axioms might be unsatisfiable.
-
-You can also invoke Nitpick from the ``Commands'' submenu of the
-``Isabelle'' menu in Proof General or by pressing the Emacs key sequence C-c C-a
-C-n. This is equivalent to entering the \textbf{nitpick} command with no
-arguments in the theory text.
-
-Throughout this manual, we will explicitly invoke the \textbf{nitpick} command.
-Nitpick also provides an automatic mode that can be enabled via the ``Auto
-Nitpick'' option from the ``Isabelle'' menu in Proof General. In this mode,
-Nitpick is run on every newly entered theorem. The time limit for Auto Nitpick
-and other automatic tools can be set using the ``Auto Tools Time Limit'' option.
-
-\newbox\boxA
-\setbox\boxA=\hbox{\texttt{nospam}}
-
-\newcommand\authoremail{\texttt{blan{\color{white}nospam}\kern-\wd\boxA{}chette@\allowbreak
-in.\allowbreak tum.\allowbreak de}}
-
-To run Nitpick, you must also make sure that the theory \textit{Nitpick} is
-imported---this is rarely a problem in practice since it is part of
-\textit{Main}. The examples presented in this manual can be found
-in Isabelle's \texttt{src/HOL/\allowbreak Nitpick\_Examples/Manual\_Nits.thy} theory.
-The known bugs and limitations at the time of writing are listed in
-\S\ref{known-bugs-and-limitations}. Comments and bug reports concerning either
-the tool or the manual should be directed to the author at \authoremail.
-
-\vskip2.5\smallskipamount
-
-\textbf{Acknowledgment.} The author would like to thank Mark Summerfield for
-suggesting several textual improvements.
-% and Perry James for reporting a typo.
-
-\section{Installation}
-\label{installation}
-
-Sledgehammer is part of Isabelle, so you don't need to install it. However, it
-relies on a third-party Kodkod front-end called Kodkodi as well as a Java
-virtual machine called \texttt{java} (version 1.5 or above).
-
-There are two main ways of installing Kodkodi:
-
-\begin{enum}
-\item[\labelitemi] If you installed an official Isabelle package,
-it should already include a properly setup version of Kodkodi.
-
-\item[\labelitemi] If you use a repository or snapshot version of Isabelle, you
-an official Isabelle package, you can download the Isabelle-aware Kodkodi package
-from \url{http://www21.in.tum.de/~blanchet/\#software}. Extract the archive, then add a
-line to your \texttt{\$ISABELLE\_HOME\_USER\slash etc\slash components}%
-\footnote{The variable \texttt{\$ISABELLE\_HOME\_USER} is set by Isabelle at
-startup. Its value can be retrieved by executing \texttt{isabelle}
-\texttt{getenv} \texttt{ISABELLE\_HOME\_USER} on the command line.}
-file with the absolute path to Kodkodi. For example, if the
-\texttt{components} file does not exist yet and you extracted Kodkodi to
-\texttt{/usr/local/kodkodi-1.5.1}, create it with the single line
-
-\prew
-\texttt{/usr/local/kodkodi-1.5.1}
-\postw
-
-(including an invisible newline character) in it.
-\end{enum}
-
-To check whether Kodkodi is successfully installed, you can try out the example
-in \S\ref{propositional-logic}.
-
-\section{First Steps}
-\label{first-steps}
-
-This section introduces Nitpick by presenting small examples. If possible, you
-should try out the examples on your workstation. Your theory file should start
-as follows:
-
-\prew
-\textbf{theory}~\textit{Scratch} \\
-\textbf{imports}~\textit{Main~Quotient\_Product~RealDef} \\
-\textbf{begin}
-\postw
-
-The results presented here were obtained using the JNI (Java Native Interface)
-version of MiniSat and with multithreading disabled to reduce nondeterminism.
-This was done by adding the line
-
-\prew
-\textbf{nitpick\_params} [\textit{sat\_solver}~= \textit{MiniSat\_JNI}, \,\textit{max\_threads}~= 1]
-\postw
-
-after the \textbf{begin} keyword. The JNI version of MiniSat is bundled with
-Kodkodi and is precompiled for Linux, Mac~OS~X, and Windows (Cygwin). Other SAT
-solvers can also be installed, as explained in \S\ref{optimizations}. If you
-have already configured SAT solvers in Isabelle (e.g., for Refute), these will
-also be available to Nitpick.
-
-\subsection{Propositional Logic}
-\label{propositional-logic}
-
-Let's start with a trivial example from propositional logic:
-
-\prew
-\textbf{lemma}~``$P \longleftrightarrow Q$'' \\
-\textbf{nitpick}
-\postw
-
-You should get the following output:
-
-\prew
-\slshape
-Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $P = \textit{True}$ \\
-\hbox{}\qquad\qquad $Q = \textit{False}$
-\postw
-
-Nitpick can also be invoked on individual subgoals, as in the example below:
-
-\prew
-\textbf{apply}~\textit{auto} \\[2\smallskipamount]
-{\slshape goal (2 subgoals): \\
-\phantom{0}1. $P\,\Longrightarrow\, Q$ \\
-\phantom{0}2. $Q\,\Longrightarrow\, P$} \\[2\smallskipamount]
-\textbf{nitpick}~1 \\[2\smallskipamount]
-{\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $P = \textit{True}$ \\
-\hbox{}\qquad\qquad $Q = \textit{False}$} \\[2\smallskipamount]
-\textbf{nitpick}~2 \\[2\smallskipamount]
-{\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $P = \textit{False}$ \\
-\hbox{}\qquad\qquad $Q = \textit{True}$} \\[2\smallskipamount]
-\textbf{oops}
-\postw
-
-\subsection{Type Variables}
-\label{type-variables}
-
-If you are left unimpressed by the previous example, don't worry. The next
-one is more mind- and computer-boggling:
-
-\prew
-\textbf{lemma} ``$x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$''
-\postw
-\pagebreak[2] %% TYPESETTING
-
-The putative lemma involves the definite description operator, {THE}, presented
-in section 5.10.1 of the Isabelle tutorial \cite{isa-tutorial}. The
-operator is defined by the axiom $(\textrm{THE}~x.\; x = a) = a$. The putative
-lemma is merely asserting the indefinite description operator axiom with {THE}
-substituted for {SOME}.
-
-The free variable $x$ and the bound variable $y$ have type $'a$. For formulas
-containing type variables, Nitpick enumerates the possible domains for each type
-variable, up to a given cardinality (10 by default), looking for a finite
-countermodel:
-
-\prew
-\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
-\slshape
-Trying 10 scopes: \nopagebreak \\
-\hbox{}\qquad \textit{card}~$'a$~= 1; \\
-\hbox{}\qquad \textit{card}~$'a$~= 2; \\
-\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
-\hbox{}\qquad \textit{card}~$'a$~= 10. \\[2\smallskipamount]
-Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $A = \{a_2,\, a_3\}$ \\
-\hbox{}\qquad\qquad $x = a_3$ \\[2\smallskipamount]
-Total time: 963 ms.
-\postw
-
-Nitpick found a counterexample in which $'a$ has cardinality 3. (For
-cardinalities 1 and 2, the formula holds.) In the counterexample, the three
-values of type $'a$ are written $a_1$, $a_2$, and $a_3$.
-
-The message ``Trying $n$ scopes: {\ldots}''\ is shown only if the option
-\textit{verbose} is enabled. You can specify \textit{verbose} each time you
-invoke \textbf{nitpick}, or you can set it globally using the command
-
-\prew
-\textbf{nitpick\_params} [\textit{verbose}]
-\postw
-
-This command also displays the current default values for all of the options
-supported by Nitpick. The options are listed in \S\ref{option-reference}.
-
-\subsection{Constants}
-\label{constants}
-
-By just looking at Nitpick's output, it might not be clear why the
-counterexample in \S\ref{type-variables} is genuine. Let's invoke Nitpick again,
-this time telling it to show the values of the constants that occur in the
-formula:
-
-\prew
-\textbf{lemma} ``$x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$'' \\
-\textbf{nitpick}~[\textit{show\_consts}] \\[2\smallskipamount]
-\slshape
-Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $A = \{a_2,\, a_3\}$ \\
-\hbox{}\qquad\qquad $x = a_3$ \\
-\hbox{}\qquad Constant: \nopagebreak \\
-\hbox{}\qquad\qquad $\hbox{\slshape THE}~y.\;y \in A = a_1$
-\postw
-
-As the result of an optimization, Nitpick directly assigned a value to the
-subterm $\textrm{THE}~y.\;y \in A$, rather than to the \textit{The} constant. We
-can disable this optimization by using the command
-
-\prew
-\textbf{nitpick}~[\textit{dont\_specialize},\, \textit{show\_consts}]
-\postw
-
-Our misadventures with THE suggest adding `$\exists!x{.}$' (``there exists a
-unique $x$ such that'') at the front of our putative lemma's assumption:
-
-\prew
-\textbf{lemma} ``$\exists {!}x.\; x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$''
-\postw
-
-The fix appears to work:
-
-\prew
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found no counterexample.
-\postw
-
-We can further increase our confidence in the formula by exhausting all
-cardinalities up to 50:
-
-\prew
-\textbf{nitpick} [\textit{card} $'a$~= 1--50]\footnote{The symbol `--'
-can be entered as \texttt{-} (hyphen) or
-\texttt{\char`\\\char`\<emdash\char`\>}.} \\[2\smallskipamount]
-\slshape Nitpick found no counterexample.
-\postw
-
-Let's see if Sledgehammer can find a proof:
-
-\prew
-\textbf{sledgehammer} \\[2\smallskipamount]
-{\slshape Sledgehammer: ``$e$'' on goal \\
-Try this: \textbf{by}~(\textit{metis~theI}) (42 ms).} \\
-\hbox{}\qquad\vdots \\[2\smallskipamount]
-\textbf{by}~(\textit{metis~theI\/})
-\postw
-
-This must be our lucky day.
-
-\subsection{Skolemization}
-\label{skolemization}
-
-Are all invertible functions onto? Let's find out:
-
-\prew
-\textbf{lemma} ``$\exists g.\; \forall x.~g~(f~x) = x
- \,\Longrightarrow\, \forall y.\; \exists x.~y = f~x$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape
-Nitpick found a counterexample for \textit{card} $'a$~= 2 and \textit{card} $'b$~=~1: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $f = \undef{}(b_1 := a_1)$ \\
-\hbox{}\qquad Skolem constants: \nopagebreak \\
-\hbox{}\qquad\qquad $g = \undef{}(a_1 := b_1,\> a_2 := b_1)$ \\
-\hbox{}\qquad\qquad $y = a_2$
-\postw
-
-(The Isabelle/HOL notation $f(x := y)$ denotes the function that maps $x$ to $y$
-and that otherwise behaves like $f$.)
-Although $f$ is the only free variable occurring in the formula, Nitpick also
-displays values for the bound variables $g$ and $y$. These values are available
-to Nitpick because it performs skolemization as a preprocessing step.
-
-In the previous example, skolemization only affected the outermost quantifiers.
-This is not always the case, as illustrated below:
-
-\prew
-\textbf{lemma} ``$\exists x.\; \forall f.\; f~x = x$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape
-Nitpick found a counterexample for \textit{card} $'a$~= 2: \\[2\smallskipamount]
-\hbox{}\qquad Skolem constant: \nopagebreak \\
-\hbox{}\qquad\qquad $\lambda x.\; f =
- \undef{}(\!\begin{aligned}[t]
- & a_1 := \undef{}(a_1 := a_2,\> a_2 := a_1), \\[-2pt]
- & a_2 := \undef{}(a_1 := a_1,\> a_2 := a_1))\end{aligned}$
-\postw
-
-The variable $f$ is bound within the scope of $x$; therefore, $f$ depends on
-$x$, as suggested by the notation $\lambda x.\,f$. If $x = a_1$, then $f$ is the
-function that maps $a_1$ to $a_2$ and vice versa; otherwise, $x = a_2$ and $f$
-maps both $a_1$ and $a_2$ to $a_1$. In both cases, $f~x \not= x$.
-
-The source of the Skolem constants is sometimes more obscure:
-
-\prew
-\textbf{lemma} ``$\mathit{refl}~r\,\Longrightarrow\, \mathit{sym}~r$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape
-Nitpick found a counterexample for \textit{card} $'a$~= 2: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $r = \{(a_1, a_1),\, (a_2, a_1),\, (a_2, a_2)\}$ \\
-\hbox{}\qquad Skolem constants: \nopagebreak \\
-\hbox{}\qquad\qquad $\mathit{sym}.x = a_2$ \\
-\hbox{}\qquad\qquad $\mathit{sym}.y = a_1$
-\postw
-
-What happened here is that Nitpick expanded \textit{sym} to its definition:
-
-\prew
-$\mathit{sym}~r \,\equiv\,
- \forall x\> y.\,\> (x, y) \in r \longrightarrow (y, x) \in r.$
-\postw
-
-As their names suggest, the Skolem constants $\mathit{sym}.x$ and
-$\mathit{sym}.y$ are simply the bound variables $x$ and $y$
-from \textit{sym}'s definition.
-
-\subsection{Natural Numbers and Integers}
-\label{natural-numbers-and-integers}
-
-Because of the axiom of infinity, the type \textit{nat} does not admit any
-finite models. To deal with this, Nitpick's approach is to consider finite
-subsets $N$ of \textit{nat} and maps all numbers $\notin N$ to the undefined
-value (displayed as `$\unk$'). The type \textit{int} is handled similarly.
-Internally, undefined values lead to a three-valued logic.
-
-Here is an example involving \textit{int\/}:
-
-\prew
-\textbf{lemma} ``$\lbrakk i \le j;\> n \le (m{\Colon}\mathit{int})\rbrakk \,\Longrightarrow\, i * n + j * m \le i * m + j * n$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $i = 0$ \\
-\hbox{}\qquad\qquad $j = 1$ \\
-\hbox{}\qquad\qquad $m = 1$ \\
-\hbox{}\qquad\qquad $n = 0$
-\postw
-
-Internally, Nitpick uses either a unary or a binary representation of numbers.
-The unary representation is more efficient but only suitable for numbers very
-close to zero. By default, Nitpick attempts to choose the more appropriate
-encoding by inspecting the formula at hand. This behavior can be overridden by
-passing either \textit{unary\_ints} or \textit{binary\_ints} as option. For
-binary notation, the number of bits to use can be specified using
-the \textit{bits} option. For example:
-
-\prew
-\textbf{nitpick} [\textit{binary\_ints}, \textit{bits}${} = 16$]
-\postw
-
-With infinite types, we don't always have the luxury of a genuine counterexample
-and must often content ourselves with a potentially spurious one. The tedious
-task of finding out whether the potentially spurious counterexample is in fact
-genuine can be delegated to \textit{auto} by passing \textit{check\_potential}.
-For example:
-
-\prew
-\textbf{lemma} ``$\forall n.\; \textit{Suc}~n \mathbin{\not=} n \,\Longrightarrow\, P$'' \\
-\textbf{nitpick} [\textit{card~nat}~= 50, \textit{check\_potential}] \\[2\smallskipamount]
-\slshape Warning: The conjecture either trivially holds for the given scopes or lies outside Nitpick's supported
-fragment. Only potentially spurious counterexamples may be found. \\[2\smallskipamount]
-Nitpick found a potentially spurious counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $P = \textit{False}$ \\[2\smallskipamount]
-Confirmation by ``\textit{auto}'': The above counterexample is genuine.
-\postw
-
-You might wonder why the counterexample is first reported as potentially
-spurious. The root of the problem is that the bound variable in $\forall n.\;
-\textit{Suc}~n \mathbin{\not=} n$ ranges over an infinite type. If Nitpick finds
-an $n$ such that $\textit{Suc}~n \mathbin{=} n$, it evaluates the assumption to
-\textit{False}; but otherwise, it does not know anything about values of $n \ge
-\textit{card~nat}$ and must therefore evaluate the assumption to~$\unk$, not
-\textit{True}. Since the assumption can never be satisfied, the putative lemma
-can never be falsified.
-
-Incidentally, if you distrust the so-called genuine counterexamples, you can
-enable \textit{check\_\allowbreak genuine} to verify them as well. However, be
-aware that \textit{auto} will usually fail to prove that the counterexample is
-genuine or spurious.
-
-Some conjectures involving elementary number theory make Nitpick look like a
-giant with feet of clay:
-
-\prew
-\textbf{lemma} ``$P~\textit{Suc\/}$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape
-Nitpick found no counterexample.
-\postw
-
-On any finite set $N$, \textit{Suc} is a partial function; for example, if $N =
-\{0, 1, \ldots, k\}$, then \textit{Suc} is $\{0 \mapsto 1,\, 1 \mapsto 2,\,
-\ldots,\, k \mapsto \unk\}$, which evaluates to $\unk$ when passed as
-argument to $P$. As a result, $P~\textit{Suc}$ is always $\unk$. The next
-example is similar:
-
-\prew
-\textbf{lemma} ``$P~(\textit{op}~{+}\Colon
-\textit{nat}\mathbin{\Rightarrow}\textit{nat}\mathbin{\Rightarrow}\textit{nat})$'' \\
-\textbf{nitpick} [\textit{card nat} = 1] \\[2\smallskipamount]
-{\slshape Nitpick found a counterexample:} \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $P = \unkef(\unkef(0 := \unkef(0 := 0)) := \mathit{False})$ \\[2\smallskipamount]
-\textbf{nitpick} [\textit{card nat} = 2] \\[2\smallskipamount]
-{\slshape Nitpick found no counterexample.}
-\postw
-
-The problem here is that \textit{op}~+ is total when \textit{nat} is taken to be
-$\{0\}$ but becomes partial as soon as we add $1$, because
-$1 + 1 \notin \{0, 1\}$.
-
-Because numbers are infinite and are approximated using a three-valued logic,
-there is usually no need to systematically enumerate domain sizes. If Nitpick
-cannot find a genuine counterexample for \textit{card~nat}~= $k$, it is very
-unlikely that one could be found for smaller domains. (The $P~(\textit{op}~{+})$
-example above is an exception to this principle.) Nitpick nonetheless enumerates
-all cardinalities from 1 to 10 for \textit{nat}, mainly because smaller
-cardinalities are fast to handle and give rise to simpler counterexamples. This
-is explained in more detail in \S\ref{scope-monotonicity}.
-
-\subsection{Inductive Datatypes}
-\label{inductive-datatypes}
-
-Like natural numbers and integers, inductive datatypes with recursive
-constructors admit no finite models and must be approximated by a subterm-closed
-subset. For example, using a cardinality of 10 for ${'}a~\textit{list}$,
-Nitpick looks for all counterexamples that can be built using at most 10
-different lists.
-
-Let's see with an example involving \textit{hd} (which returns the first element
-of a list) and $@$ (which concatenates two lists):
-
-\prew
-\textbf{lemma} ``$\textit{hd}~(\textit{xs} \mathbin{@} [y, y]) = \textit{hd}~\textit{xs\/}$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{xs} = []$ \\
-\hbox{}\qquad\qquad $\textit{y} = a_1$
-\postw
-
-To see why the counterexample is genuine, we enable \textit{show\_consts}
-and \textit{show\_\allowbreak datatypes}:
-
-\prew
-{\slshape Datatype:} \\
-\hbox{}\qquad $'a$~\textit{list}~= $\{[],\, [a_1],\, [a_1, a_1],\, \unr\}$ \\
-{\slshape Constants:} \\
-\hbox{}\qquad $\lambda x_1.\; x_1 \mathbin{@} [y, y] = \unkef([] := [a_1, a_1])$ \\
-\hbox{}\qquad $\textit{hd} = \unkef([] := a_2,\> [a_1] := a_1,\> [a_1, a_1] := a_1)$
-\postw
-
-Since $\mathit{hd}~[]$ is undefined in the logic, it may be given any value,
-including $a_2$.
-
-The second constant, $\lambda x_1.\; x_1 \mathbin{@} [y, y]$, is simply the
-append operator whose second argument is fixed to be $[y, y]$. Appending $[a_1,
-a_1]$ to $[a_1]$ would normally give $[a_1, a_1, a_1]$, but this value is not
-representable in the subset of $'a$~\textit{list} considered by Nitpick, which
-is shown under the ``Datatype'' heading; hence the result is $\unk$. Similarly,
-appending $[a_1, a_1]$ to itself gives $\unk$.
-
-Given \textit{card}~$'a = 3$ and \textit{card}~$'a~\textit{list} = 3$, Nitpick
-considers the following subsets:
-
-\kern-.5\smallskipamount %% TYPESETTING
-
-\prew
-\begin{multicols}{3}
-$\{[],\, [a_1],\, [a_2]\}$; \\
-$\{[],\, [a_1],\, [a_3]\}$; \\
-$\{[],\, [a_2],\, [a_3]\}$; \\
-$\{[],\, [a_1],\, [a_1, a_1]\}$; \\
-$\{[],\, [a_1],\, [a_2, a_1]\}$; \\
-$\{[],\, [a_1],\, [a_3, a_1]\}$; \\
-$\{[],\, [a_2],\, [a_1, a_2]\}$; \\
-$\{[],\, [a_2],\, [a_2, a_2]\}$; \\
-$\{[],\, [a_2],\, [a_3, a_2]\}$; \\
-$\{[],\, [a_3],\, [a_1, a_3]\}$; \\
-$\{[],\, [a_3],\, [a_2, a_3]\}$; \\
-$\{[],\, [a_3],\, [a_3, a_3]\}$.
-\end{multicols}
-\postw
-
-\kern-2\smallskipamount %% TYPESETTING
-
-All subterm-closed subsets of $'a~\textit{list}$ consisting of three values
-are listed and only those. As an example of a non-subterm-closed subset,
-consider $\mathcal{S} = \{[],\, [a_1],\,\allowbreak [a_1, a_2]\}$, and observe
-that $[a_1, a_2]$ (i.e., $a_1 \mathbin{\#} [a_2]$) has $[a_2] \notin
-\mathcal{S}$ as a subterm.
-
-Here's another m\"ochtegern-lemma that Nitpick can refute without a blink:
-
-\prew
-\textbf{lemma} ``$\lbrakk \textit{length}~\textit{xs} = 1;\> \textit{length}~\textit{ys} = 1
-\rbrakk \,\Longrightarrow\, \textit{xs} = \textit{ys\/}$''
-\\
-\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{xs} = [a_2]$ \\
-\hbox{}\qquad\qquad $\textit{ys} = [a_1]$ \\
-\hbox{}\qquad Datatypes: \\
-\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, \unr\}$ \\
-\hbox{}\qquad\qquad $'a$~\textit{list} = $\{[],\, [a_1],\, [a_2],\, \unr\}$
-\postw
-
-Because datatypes are approximated using a three-valued logic, there is usually
-no need to systematically enumerate cardinalities: If Nitpick cannot find a
-genuine counterexample for \textit{card}~$'a~\textit{list}$~= 10, it is very
-unlikely that one could be found for smaller cardinalities.
-
-\subsection{Typedefs, Quotient Types, Records, Rationals, and Reals}
-\label{typedefs-quotient-types-records-rationals-and-reals}
-
-Nitpick generally treats types declared using \textbf{typedef} as datatypes
-whose single constructor is the corresponding \textit{Abs\_\kern.1ex} function.
-For example:
-
-\prew
-\textbf{typedef}~\textit{three} = ``$\{0\Colon\textit{nat},\, 1,\, 2\}$'' \\
-\textbf{by}~\textit{blast} \\[2\smallskipamount]
-\textbf{definition}~$A \mathbin{\Colon} \textit{three}$ \textbf{where} ``\kern-.1em$A \,\equiv\, \textit{Abs\_\allowbreak three}~0$'' \\
-\textbf{definition}~$B \mathbin{\Colon} \textit{three}$ \textbf{where} ``$B \,\equiv\, \textit{Abs\_three}~1$'' \\
-\textbf{definition}~$C \mathbin{\Colon} \textit{three}$ \textbf{where} ``$C \,\equiv\, \textit{Abs\_three}~2$'' \\[2\smallskipamount]
-\textbf{lemma} ``$\lbrakk A \in X;\> B \in X\rbrakk \,\Longrightarrow\, c \in X$'' \\
-\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $X = \{\Abs{0},\, \Abs{1}\}$ \\
-\hbox{}\qquad\qquad $c = \Abs{2}$ \\
-\hbox{}\qquad Datatypes: \\
-\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{three} = \{\Abs{0},\, \Abs{1},\, \Abs{2},\, \unr\}$
-\postw
-
-In the output above, $\Abs{n}$ abbreviates $\textit{Abs\_three}~n$.
-
-Quotient types are handled in much the same way. The following fragment defines
-the integer type \textit{my\_int} by encoding the integer $x$ by a pair of
-natural numbers $(m, n)$ such that $x + n = m$:
-
-\prew
-\textbf{fun} \textit{my\_int\_rel} \textbf{where} \\
-``$\textit{my\_int\_rel}~(x,\, y)~(u,\, v) = (x + v = u + y)$'' \\[2\smallskipamount]
-%
-\textbf{quotient\_type}~\textit{my\_int} = ``$\textit{nat} \times \textit{nat\/}$''$\;{/}\;$\textit{my\_int\_rel} \\
-\textbf{by}~(\textit{auto simp add\/}:\ \textit{equivp\_def fun\_eq\_iff}) \\[2\smallskipamount]
-%
-\textbf{definition}~\textit{add\_raw}~\textbf{where} \\
-``$\textit{add\_raw} \,\equiv\, \lambda(x,\, y)~(u,\, v).\; (x + (u\Colon\textit{nat}), y + (v\Colon\textit{nat}))$'' \\[2\smallskipamount]
-%
-\textbf{quotient\_definition} ``$\textit{add\/}\Colon\textit{my\_int} \Rightarrow \textit{my\_int} \Rightarrow \textit{my\_int\/}$'' \textbf{is} \textit{add\_raw} \\[2\smallskipamount]
-%
-\textbf{lemma} ``$\textit{add}~x~y = \textit{add}~x~x$'' \\
-\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $x = \Abs{(0,\, 0)}$ \\
-\hbox{}\qquad\qquad $y = \Abs{(0,\, 1)}$ \\
-\hbox{}\qquad Datatypes: \\
-\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{nat} \times \textit{nat}~[\textsl{boxed\/}] = \{(0,\, 0),\> (1,\, 0),\> \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{my\_int} = \{\Abs{(0,\, 0)},\> \Abs{(0,\, 1)},\> \unr\}$
-\postw
-
-The values $\Abs{(0,\, 0)}$ and $\Abs{(0,\, 1)}$ represent the
-integers $0$ and $-1$, respectively. Other representants would have been
-possible---e.g., $\Abs{(5,\, 5)}$ and $\Abs{(11,\, 12)}$. If we are going to
-use \textit{my\_int} extensively, it pays off to install a term postprocessor
-that converts the pair notation to the standard mathematical notation:
-
-\prew
-$\textbf{ML}~\,\{{*} \\
-\!\begin{aligned}[t]
-%& ({*}~\,\textit{Proof.context} \rightarrow \textit{string} \rightarrow (\textit{typ} \rightarrow \textit{term~list\/}) \rightarrow \textit{typ} \rightarrow \textit{term} \\[-2pt]
-%& \phantom{(*}~\,{\rightarrow}\;\textit{term}~\,{*}) \\[-2pt]
-& \textbf{fun}\,~\textit{my\_int\_postproc}~\_~\_~\_~T~(\textit{Const}~\_~\$~(\textit{Const}~\_~\$~\textit{t1}~\$~\textit{t2\/})) = {} \\[-2pt]
-& \phantom{fun}\,~\textit{HOLogic.mk\_number}~T~(\textit{snd}~(\textit{HOLogic.dest\_number~t1}) \\[-2pt]
-& \phantom{fun\,~\textit{HOLogic.mk\_number}~T~(}{-}~\textit{snd}~(\textit{HOLogic.dest\_number~t2\/})) \\[-2pt]
-& \phantom{fun}\!{\mid}\,~\textit{my\_int\_postproc}~\_~\_~\_~\_~t = t \\[-2pt]
-{*}\}\end{aligned}$ \\[2\smallskipamount]
-$\textbf{declaration}~\,\{{*} \\
-\!\begin{aligned}[t]
-& \textit{Nitpick\_Model.register\_term\_postprocessor}~\!\begin{aligned}[t]
- & @\{\textrm{typ}~\textit{my\_int}\} \\[-2pt]
- & \textit{my\_int\_postproc}\end{aligned} \\[-2pt]
-{*}\}\end{aligned}$
-\postw
-
-Records are handled as datatypes with a single constructor:
-
-\prew
-\textbf{record} \textit{point} = \\
-\hbox{}\quad $\textit{Xcoord} \mathbin{\Colon} \textit{int}$ \\
-\hbox{}\quad $\textit{Ycoord} \mathbin{\Colon} \textit{int}$ \\[2\smallskipamount]
-\textbf{lemma} ``$\textit{Xcoord}~(p\Colon\textit{point}) = \textit{Xcoord}~(q\Colon\textit{point})$'' \\
-\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $p = \lparr\textit{Xcoord} = 1,\> \textit{Ycoord} = 1\rparr$ \\
-\hbox{}\qquad\qquad $q = \lparr\textit{Xcoord} = 0,\> \textit{Ycoord} = 0\rparr$ \\
-\hbox{}\qquad Datatypes: \\
-\hbox{}\qquad\qquad $\textit{int} = \{0,\, 1,\, \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{point} = \{\!\begin{aligned}[t]
-& \lparr\textit{Xcoord} = 0,\> \textit{Ycoord} = 0\rparr, \\[-2pt] %% TYPESETTING
-& \lparr\textit{Xcoord} = 1,\> \textit{Ycoord} = 1\rparr,\, \unr\}\end{aligned}$
-\postw
-
-Finally, Nitpick provides rudimentary support for rationals and reals using a
-similar approach:
-
-\prew
-\textbf{lemma} ``$4 * x + 3 * (y\Colon\textit{real}) \not= 1/2$'' \\
-\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $x = 1/2$ \\
-\hbox{}\qquad\qquad $y = -1/2$ \\
-\hbox{}\qquad Datatypes: \\
-\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, 3,\, 4,\, 5,\, 6,\, 7,\, \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{int} = \{-3,\, -2,\, -1,\, 0,\, 1,\, 2,\, 3,\, 4,\, \unr\}$ \\
-\hbox{}\qquad\qquad $\textit{real} = \{-3/2,\, -1/2,\, 0,\, 1/2,\, 1,\, 2,\, 3,\, 4,\, \unr\}$
-\postw
-
-\subsection{Inductive and Coinductive Predicates}
-\label{inductive-and-coinductive-predicates}
-
-Inductively defined predicates (and sets) are particularly problematic for
-counterexample generators. They can make Quickcheck~\cite{berghofer-nipkow-2004}
-loop forever and Refute~\cite{weber-2008} run out of resources. The crux of
-the problem is that they are defined using a least fixed-point construction.
-
-Nitpick's philosophy is that not all inductive predicates are equal. Consider
-the \textit{even} predicate below:
-
-\prew
-\textbf{inductive}~\textit{even}~\textbf{where} \\
-``\textit{even}~0'' $\,\mid$ \\
-``\textit{even}~$n\,\Longrightarrow\, \textit{even}~(\textit{Suc}~(\textit{Suc}~n))$''
-\postw
-
-This predicate enjoys the desirable property of being well-founded, which means
-that the introduction rules don't give rise to infinite chains of the form
-
-\prew
-$\cdots\,\Longrightarrow\, \textit{even}~k''
- \,\Longrightarrow\, \textit{even}~k'
- \,\Longrightarrow\, \textit{even}~k.$
-\postw
-
-For \textit{even}, this is obvious: Any chain ending at $k$ will be of length
-$k/2 + 1$:
-
-\prew
-$\textit{even}~0\,\Longrightarrow\, \textit{even}~2\,\Longrightarrow\, \cdots
- \,\Longrightarrow\, \textit{even}~(k - 2)
- \,\Longrightarrow\, \textit{even}~k.$
-\postw
-
-Wellfoundedness is desirable because it enables Nitpick to use a very efficient
-fixed-point computation.%
-\footnote{If an inductive predicate is
-well-founded, then it has exactly one fixed point, which is simultaneously the
-least and the greatest fixed point. In these circumstances, the computation of
-the least fixed point amounts to the computation of an arbitrary fixed point,
-which can be performed using a straightforward recursive equation.}
-Moreover, Nitpick can prove wellfoundedness of most well-founded predicates,
-just as Isabelle's \textbf{function} package usually discharges termination
-proof obligations automatically.
-
-Let's try an example:
-
-\prew
-\textbf{lemma} ``$\exists n.\; \textit{even}~n \mathrel{\land} \textit{even}~(\textit{Suc}~n)$'' \\
-\textbf{nitpick}~[\textit{card nat}~= 50, \textit{unary\_ints}, \textit{verbose}] \\[2\smallskipamount]
-\slshape The inductive predicate ``\textit{even}'' was proved well-founded.
-Nitpick can compute it efficiently. \\[2\smallskipamount]
-Trying 1 scope: \\
-\hbox{}\qquad \textit{card nat}~= 50. \\[2\smallskipamount]
-Warning: The conjecture either trivially holds for the given scopes or lies outside Nitpick's supported fragment. Only
-potentially spurious counterexamples may be found. \\[2\smallskipamount]
-Nitpick found a potentially spurious counterexample for \textit{card nat}~= 50: \\[2\smallskipamount]
-\hbox{}\qquad Empty assignment \\[2\smallskipamount]
-Nitpick could not find a better counterexample. It checked 1 of 1 scope. \\[2\smallskipamount]
-Total time: 1.62 s.
-\postw
-
-No genuine counterexample is possible because Nitpick cannot rule out the
-existence of a natural number $n \ge 50$ such that both $\textit{even}~n$ and
-$\textit{even}~(\textit{Suc}~n)$ are true. To help Nitpick, we can bound the
-existential quantifier:
-
-\prew
-\textbf{lemma} ``$\exists n \mathbin{\le} 49.\; \textit{even}~n \mathrel{\land} \textit{even}~(\textit{Suc}~n)$'' \\
-\textbf{nitpick}~[\textit{card nat}~= 50, \textit{unary\_ints}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Empty assignment
-\postw
-
-So far we were blessed by the wellfoundedness of \textit{even}. What happens if
-we use the following definition instead?
-
-\prew
-\textbf{inductive} $\textit{even}'$ \textbf{where} \\
-``$\textit{even}'~(0{\Colon}\textit{nat})$'' $\,\mid$ \\
-``$\textit{even}'~2$'' $\,\mid$ \\
-``$\lbrakk\textit{even}'~m;\> \textit{even}'~n\rbrakk \,\Longrightarrow\, \textit{even}'~(m + n)$''
-\postw
-
-This definition is not well-founded: From $\textit{even}'~0$ and
-$\textit{even}'~0$, we can derive that $\textit{even}'~0$. Nonetheless, the
-predicates $\textit{even}$ and $\textit{even}'$ are equivalent.
-
-Let's check a property involving $\textit{even}'$. To make up for the
-foreseeable computational hurdles entailed by non-wellfoundedness, we decrease
-\textit{nat}'s cardinality to a mere 10:
-
-\prew
-\textbf{lemma}~``$\exists n \in \{0, 2, 4, 6, 8\}.\;
-\lnot\;\textit{even}'~n$'' \\
-\textbf{nitpick}~[\textit{card nat}~= 10,\, \textit{verbose},\, \textit{show\_consts}] \\[2\smallskipamount]
-\slshape
-The inductive predicate ``$\textit{even}'\!$'' could not be proved well-founded.
-Nitpick might need to unroll it. \\[2\smallskipamount]
-Trying 6 scopes: \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 0; \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 1; \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 2; \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 4; \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 8; \\
-\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 9. \\[2\smallskipamount]
-Nitpick found a counterexample for \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 2: \\[2\smallskipamount]
-\hbox{}\qquad Constant: \nopagebreak \\
-\hbox{}\qquad\qquad $\lambda i.\; \textit{even}'$ = $\unkef(\!\begin{aligned}[t]
-& 0 := \unkef(0 := \textit{True},\, 2 := \textit{True}),\, \\[-2pt]
-& 1 := \unkef(0 := \textit{True},\, 2 := \textit{True},\, 4 := \textit{True}),\, \\[-2pt]
-& 2 := \unkef(0 := \textit{True},\, 2 := \textit{True},\, 4 := \textit{True},\, \\[-2pt]
-& \phantom{2 := \unkef(}6 := \textit{True},\, 8 := \textit{True}))\end{aligned}$ \\[2\smallskipamount]
-Total time: 1.87 s.
-\postw
-
-Nitpick's output is very instructive. First, it tells us that the predicate is
-unrolled, meaning that it is computed iteratively from the empty set. Then it
-lists six scopes specifying different bounds on the numbers of iterations:\ 0,
-1, 2, 4, 8, and~9.
-
-The output also shows how each iteration contributes to $\textit{even}'$. The
-notation $\lambda i.\; \textit{even}'$ indicates that the value of the
-predicate depends on an iteration counter. Iteration 0 provides the basis
-elements, $0$ and $2$. Iteration 1 contributes $4$ ($= 2 + 2$). Iteration 2
-throws $6$ ($= 2 + 4 = 4 + 2$) and $8$ ($= 4 + 4$) into the mix. Further
-iterations would not contribute any new elements.
-The predicate $\textit{even}'$ evaluates to either \textit{True} or $\unk$,
-never \textit{False}.
-
-%Some values are marked with superscripted question
-%marks~(`\lower.2ex\hbox{$^\Q$}'). These are the elements for which the
-%predicate evaluates to $\unk$.
-
-When unrolling a predicate, Nitpick tries 0, 1, 2, 4, 8, 12, 16, 20, 24, and 28
-iterations. However, these numbers are bounded by the cardinality of the
-predicate's domain. With \textit{card~nat}~= 10, no more than 9 iterations are
-ever needed to compute the value of a \textit{nat} predicate. You can specify
-the number of iterations using the \textit{iter} option, as explained in
-\S\ref{scope-of-search}.
-
-In the next formula, $\textit{even}'$ occurs both positively and negatively:
-
-\prew
-\textbf{lemma} ``$\textit{even}'~(n - 2) \,\Longrightarrow\, \textit{even}'~n$'' \\
-\textbf{nitpick} [\textit{card nat} = 10, \textit{show\_consts}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $n = 1$ \\
-\hbox{}\qquad Constants: \nopagebreak \\
-\hbox{}\qquad\qquad $\lambda i.\; \textit{even}'$ = $\unkef(\!\begin{aligned}[t]
-& 0 := \unkef(0 := \mathit{True},\, 2 := \mathit{True}))\end{aligned}$ \\
-\hbox{}\qquad\qquad $\textit{even}' \leq \unkef(\!\begin{aligned}[t]
-& 0 := \mathit{True},\, 1 := \mathit{False},\, 2 := \mathit{True},\, \\[-2pt]
-& 4 := \mathit{True},\, 6 := \mathit{True},\, 8 := \mathit{True})\end{aligned}$
-\postw
-
-Notice the special constraint $\textit{even}' \leq \ldots$ in the output, whose
-right-hand side represents an arbitrary fixed point (not necessarily the least
-one). It is used to falsify $\textit{even}'~n$. In contrast, the unrolled
-predicate is used to satisfy $\textit{even}'~(n - 2)$.
-
-Coinductive predicates are handled dually. For example:
-
-\prew
-\textbf{coinductive} \textit{nats} \textbf{where} \\
-``$\textit{nats}~(x\Colon\textit{nat}) \,\Longrightarrow\, \textit{nats}~x$'' \\[2\smallskipamount]
-\textbf{lemma} ``$\textit{nats} = (\lambda n.\; n \mathbin\in \{0, 1, 2, 3, 4\})$'' \\
-\textbf{nitpick}~[\textit{card nat} = 10,\, \textit{show\_consts}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample:
-\\[2\smallskipamount]
-\hbox{}\qquad Constants: \nopagebreak \\
-\hbox{}\qquad\qquad $\lambda i.\; \textit{nats} = \unkef(0 := \unkef,\, 1 := \unkef,\, 2 := \unkef)$ \\
-\hbox{}\qquad\qquad $\textit{nats} \geq \unkef(3 := \textit{True},\, 4 := \textit{False},\, 5 := \textit{True})$
-\postw
-
-As a special case, Nitpick uses Kodkod's transitive closure operator to encode
-negative occurrences of non-well-founded ``linear inductive predicates,'' i.e.,
-inductive predicates for which each the predicate occurs in at most one
-assumption of each introduction rule. For example:
-
-\prew
-\textbf{inductive} \textit{odd} \textbf{where} \\
-``$\textit{odd}~1$'' $\,\mid$ \\
-``$\lbrakk \textit{odd}~m;\>\, \textit{even}~n\rbrakk \,\Longrightarrow\, \textit{odd}~(m + n)$'' \\[2\smallskipamount]
-\textbf{lemma}~``$\textit{odd}~n \,\Longrightarrow\, \textit{odd}~(n - 2)$'' \\
-\textbf{nitpick}~[\textit{card nat} = 4,\, \textit{show\_consts}] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample:
-\\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $n = 1$ \\
-\hbox{}\qquad Constants: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{even} = (λx. ?)(0 := True, 1 := False, 2 := True, 3 := False)$ \\
-\hbox{}\qquad\qquad $\textit{odd}_{\textsl{base}} = {}$ \\
-\hbox{}\qquad\qquad\quad $\unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{False})$ \\
-\hbox{}\qquad\qquad $\textit{odd}_{\textsl{step}} = \unkef$\\
-\hbox{}\qquad\qquad\quad $(
-\!\begin{aligned}[t]
-& 0 := \unkef(0 := \textit{True},\, 1 := \textit{False},\, 2 := \textit{True},\, 3 := \textit{False}), \\[-2pt]
-& 1 := \unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{True}), \\[-2pt]
-& 2 := \unkef(0 := \textit{False},\, 1 := \textit{False},\, 2 := \textit{True},\, 3 := \textit{False}), \\[-2pt]
-& 3 := \unkef(0 := \textit{False},\, 1 := \textit{False},\, 2 := \textit{False},\, 3 := \textit{True}))
-\end{aligned}$ \\
-\hbox{}\qquad\qquad $\textit{odd} \leq \unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{True})$
-\postw
-
-\noindent
-In the output, $\textit{odd}_{\textrm{base}}$ represents the base elements and
-$\textit{odd}_{\textrm{step}}$ is a transition relation that computes new
-elements from known ones. The set $\textit{odd}$ consists of all the values
-reachable through the reflexive transitive closure of
-$\textit{odd}_{\textrm{step}}$ starting with any element from
-$\textit{odd}_{\textrm{base}}$, namely 1 and 3. Using Kodkod's
-transitive closure to encode linear predicates is normally either more thorough
-or more efficient than unrolling (depending on the value of \textit{iter}), but
-you can disable it by passing the \textit{dont\_star\_linear\_preds} option.
-
-\subsection{Coinductive Datatypes}
-\label{coinductive-datatypes}
-
-While Isabelle regrettably lacks a high-level mechanism for defining coinductive
-datatypes, the \textit{Coinductive\_List} theory from Andreas Lochbihler's
-\textit{Coinductive} AFP entry \cite{lochbihler-2010} provides a coinductive
-``lazy list'' datatype, $'a~\textit{llist}$, defined the hard way. Nitpick
-supports these lazy lists seamlessly and provides a hook, described in
-\S\ref{registration-of-coinductive-datatypes}, to register custom coinductive
-datatypes.
-
-(Co)intuitively, a coinductive datatype is similar to an inductive datatype but
-allows infinite objects. Thus, the infinite lists $\textit{ps}$ $=$ $[a, a, a,
-\ldots]$, $\textit{qs}$ $=$ $[a, b, a, b, \ldots]$, and $\textit{rs}$ $=$ $[0,
-1, 2, 3, \ldots]$ can be defined as lazy lists using the
-$\textit{LNil}\mathbin{\Colon}{'}a~\textit{llist}$ and
-$\textit{LCons}\mathbin{\Colon}{'}a \mathbin{\Rightarrow} {'}a~\textit{llist}
-\mathbin{\Rightarrow} {'}a~\textit{llist}$ constructors.
-
-Although it is otherwise no friend of infinity, Nitpick can find counterexamples
-involving cyclic lists such as \textit{ps} and \textit{qs} above as well as
-finite lists:
-
-\prew
-\textbf{lemma} ``$\textit{xs} \not= \textit{LCons}~a~\textit{xs\/}$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample for {\itshape card}~$'a$ = 1: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{a} = a_1$ \\
-\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$
-\postw
-
-The notation $\textrm{THE}~\omega.\; \omega = t(\omega)$ stands
-for the infinite term $t(t(t(\ldots)))$. Hence, \textit{xs} is simply the
-infinite list $[a_1, a_1, a_1, \ldots]$.
-
-The next example is more interesting:
-
-\prew
-\textbf{lemma}~``$\lbrakk\textit{xs} = \textit{LCons}~a~\textit{xs};\>\,
-\textit{ys} = \textit{iterates}~(\lambda b.\> a)~b\rbrakk \,\Longrightarrow\, \textit{xs} = \textit{ys\/}$'' \\
-\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
-\slshape The type $'a$ passed the monotonicity test. Nitpick might be able to skip
-some scopes. \\[2\smallskipamount]
-Trying 10 scopes: \\
-\hbox{}\qquad \textit{card} $'a$~= 1, \textit{card} ``\kern1pt$'a~\textit{list\/}$''~= 1,
-and \textit{bisim\_depth}~= 0. \\
-\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
-\hbox{}\qquad \textit{card} $'a$~= 10, \textit{card} ``\kern1pt$'a~\textit{list\/}$''~= 10,
-and \textit{bisim\_depth}~= 9. \\[2\smallskipamount]
-Nitpick found a counterexample for {\itshape card}~$'a$ = 2,
-\textit{card}~``\kern1pt$'a~\textit{llist\/}$''~= 2, and \textit{bisim\_\allowbreak
-depth}~= 1:
-\\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{a} = a_1$ \\
-\hbox{}\qquad\qquad $\textit{b} = a_2$ \\
-\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$ \\
-\hbox{}\qquad\qquad $\textit{ys} = \textit{LCons}~a_2~(\textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega)$ \\[2\smallskipamount]
-Total time: 1.11 s.
-\postw
-
-The lazy list $\textit{xs}$ is simply $[a_1, a_1, a_1, \ldots]$, whereas
-$\textit{ys}$ is $[a_2, a_1, a_1, a_1, \ldots]$, i.e., a lasso-shaped list with
-$[a_2]$ as its stem and $[a_1]$ as its cycle. In general, the list segment
-within the scope of the {THE} binder corresponds to the lasso's cycle, whereas
-the segment leading to the binder is the stem.
-
-A salient property of coinductive datatypes is that two objects are considered
-equal if and only if they lead to the same observations. For example, the two
-lazy lists
-%
-\begin{gather*}
-\textrm{THE}~\omega.\; \omega = \textit{LCons}~a~(\textit{LCons}~b~\omega) \\
-\textit{LCons}~a~(\textrm{THE}~\omega.\; \omega = \textit{LCons}~b~(\textit{LCons}~a~\omega))
-\end{gather*}
-%
-are identical, because both lead
-to the sequence of observations $a$, $b$, $a$, $b$, \hbox{\ldots} (or,
-equivalently, both encode the infinite list $[a, b, a, b, \ldots]$). This
-concept of equality for coinductive datatypes is called bisimulation and is
-defined coinductively.
-
-Internally, Nitpick encodes the coinductive bisimilarity predicate as part of
-the Kodkod problem to ensure that distinct objects lead to different
-observations. This precaution is somewhat expensive and often unnecessary, so it
-can be disabled by setting the \textit{bisim\_depth} option to $-1$. The
-bisimilarity check is then performed \textsl{after} the counterexample has been
-found to ensure correctness. If this after-the-fact check fails, the
-counterexample is tagged as ``quasi genuine'' and Nitpick recommends to try
-again with \textit{bisim\_depth} set to a nonnegative integer.
-
-The next formula illustrates the need for bisimilarity (either as a Kodkod
-predicate or as an after-the-fact check) to prevent spurious counterexamples:
-
-\prew
-\textbf{lemma} ``$\lbrakk xs = \textit{LCons}~a~\textit{xs};\>\, \textit{ys} = \textit{LCons}~a~\textit{ys}\rbrakk
-\,\Longrightarrow\, \textit{xs} = \textit{ys\/}$'' \\
-\textbf{nitpick} [\textit{bisim\_depth} = $-1$, \textit{show\_datatypes}] \\[2\smallskipamount]
-\slshape Nitpick found a quasi genuine counterexample for $\textit{card}~'a$ = 2: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $a = a_1$ \\
-\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega =
-\textit{LCons}~a_1~\omega$ \\
-\hbox{}\qquad\qquad $\textit{ys} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$ \\
-\hbox{}\qquad Codatatype:\strut \nopagebreak \\
-\hbox{}\qquad\qquad $'a~\textit{llist} =
-\{\!\begin{aligned}[t]
- & \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega, \\[-2pt]
- & \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega,\> \unr\}\end{aligned}$
-\\[2\smallskipamount]
-Try again with ``\textit{bisim\_depth}'' set to a nonnegative value to confirm
-that the counterexample is genuine. \\[2\smallskipamount]
-{\upshape\textbf{nitpick}} \\[2\smallskipamount]
-\slshape Nitpick found no counterexample.
-\postw
-
-In the first \textbf{nitpick} invocation, the after-the-fact check discovered
-that the two known elements of type $'a~\textit{llist}$ are bisimilar, prompting
-Nitpick to label the example ``quasi genuine.''
-
-A compromise between leaving out the bisimilarity predicate from the Kodkod
-problem and performing the after-the-fact check is to specify a lower
-nonnegative \textit{bisim\_depth} value than the default one provided by
-Nitpick. In general, a value of $K$ means that Nitpick will require all lists to
-be distinguished from each other by their prefixes of length $K$. Be aware that
-setting $K$ to a too low value can overconstrain Nitpick, preventing it from
-finding any counterexamples.
-
-\subsection{Boxing}
-\label{boxing}
-
-Nitpick normally maps function and product types directly to the corresponding
-Kodkod concepts. As a consequence, if $'a$ has cardinality 3 and $'b$ has
-cardinality 4, then $'a \times {'}b$ has cardinality 12 ($= 4 \times 3$) and $'a
-\Rightarrow {'}b$ has cardinality 64 ($= 4^3$). In some circumstances, it pays
-off to treat these types in the same way as plain datatypes, by approximating
-them by a subset of a given cardinality. This technique is called ``boxing'' and
-is particularly useful for functions passed as arguments to other functions, for
-high-arity functions, and for large tuples. Under the hood, boxing involves
-wrapping occurrences of the types $'a \times {'}b$ and $'a \Rightarrow {'}b$ in
-isomorphic datatypes, as can be seen by enabling the \textit{debug} option.
-
-To illustrate boxing, we consider a formalization of $\lambda$-terms represented
-using de Bruijn's notation:
-
-\prew
-\textbf{datatype} \textit{tm} = \textit{Var}~\textit{nat}~$\mid$~\textit{Lam}~\textit{tm} $\mid$ \textit{App~tm~tm}
-\postw
-
-The $\textit{lift}~t~k$ function increments all variables with indices greater
-than or equal to $k$ by one:
-
-\prew
-\textbf{primrec} \textit{lift} \textbf{where} \\
-``$\textit{lift}~(\textit{Var}~j)~k = \textit{Var}~(\textrm{if}~j < k~\textrm{then}~j~\textrm{else}~j + 1)$'' $\mid$ \\
-``$\textit{lift}~(\textit{Lam}~t)~k = \textit{Lam}~(\textit{lift}~t~(k + 1))$'' $\mid$ \\
-``$\textit{lift}~(\textit{App}~t~u)~k = \textit{App}~(\textit{lift}~t~k)~(\textit{lift}~u~k)$''
-\postw
-
-The $\textit{loose}~t~k$ predicate returns \textit{True} if and only if
-term $t$ has a loose variable with index $k$ or more:
-
-\prew
-\textbf{primrec}~\textit{loose} \textbf{where} \\
-``$\textit{loose}~(\textit{Var}~j)~k = (j \ge k)$'' $\mid$ \\
-``$\textit{loose}~(\textit{Lam}~t)~k = \textit{loose}~t~(\textit{Suc}~k)$'' $\mid$ \\
-``$\textit{loose}~(\textit{App}~t~u)~k = (\textit{loose}~t~k \mathrel{\lor} \textit{loose}~u~k)$''
-\postw
-
-Next, the $\textit{subst}~\sigma~t$ function applies the substitution $\sigma$
-on $t$:
-
-\prew
-\textbf{primrec}~\textit{subst} \textbf{where} \\
-``$\textit{subst}~\sigma~(\textit{Var}~j) = \sigma~j$'' $\mid$ \\
-``$\textit{subst}~\sigma~(\textit{Lam}~t) = {}$\phantom{''} \\
-\phantom{``}$\textit{Lam}~(\textit{subst}~(\lambda n.\> \textrm{case}~n~\textrm{of}~0 \Rightarrow \textit{Var}~0 \mid \textit{Suc}~m \Rightarrow \textit{lift}~(\sigma~m)~1)~t)$'' $\mid$ \\
-``$\textit{subst}~\sigma~(\textit{App}~t~u) = \textit{App}~(\textit{subst}~\sigma~t)~(\textit{subst}~\sigma~u)$''
-\postw
-
-A substitution is a function that maps variable indices to terms. Observe that
-$\sigma$ is a function passed as argument and that Nitpick can't optimize it
-away, because the recursive call for the \textit{Lam} case involves an altered
-version. Also notice the \textit{lift} call, which increments the variable
-indices when moving under a \textit{Lam}.
-
-A reasonable property to expect of substitution is that it should leave closed
-terms unchanged. Alas, even this simple property does not hold:
-
-\pre
-\textbf{lemma}~``$\lnot\,\textit{loose}~t~0 \,\Longrightarrow\, \textit{subst}~\sigma~t = t$'' \\
-\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
-\slshape
-Trying 10 scopes: \nopagebreak \\
-\hbox{}\qquad \textit{card~nat}~= 1, \textit{card tm}~= 1, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 1; \\
-\hbox{}\qquad \textit{card~nat}~= 2, \textit{card tm}~= 2, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 2; \\
-\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
-\hbox{}\qquad \textit{card~nat}~= 10, \textit{card tm}~= 10, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 10. \\[2\smallskipamount]
-Nitpick found a counterexample for \textit{card~nat}~= 6, \textit{card~tm}~= 6,
-and \textit{card}~``$\textit{nat} \Rightarrow \textit{tm\/}$''~= 6: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\sigma = \unkef(\!\begin{aligned}[t]
-& 0 := \textit{Var}~0,\>
- 1 := \textit{Var}~0,\>
- 2 := \textit{Var}~0, \\[-2pt]
-& 3 := \textit{Var}~0,\>
- 4 := \textit{Var}~0,\>
- 5 := \textit{Lam}~(\textit{Lam}~(\textit{Var}~0)))\end{aligned}$ \\
-\hbox{}\qquad\qquad $t = \textit{Lam}~(\textit{Lam}~(\textit{Var}~1))$ \\[2\smallskipamount]
-Total time: 3.08 s.
-\postw
-
-Using \textit{eval}, we find out that $\textit{subst}~\sigma~t =
-\textit{Lam}~(\textit{Lam}~(\textit{Var}~0))$. Using the traditional
-$\lambda$-calculus notation, $t$ is
-$\lambda x\, y.\> x$ whereas $\textit{subst}~\sigma~t$ is (wrongly) $\lambda x\, y.\> y$.
-The bug is in \textit{subst\/}: The $\textit{lift}~(\sigma~m)~1$ call should be
-replaced with $\textit{lift}~(\sigma~m)~0$.
-
-An interesting aspect of Nitpick's verbose output is that it assigned inceasing
-cardinalities from 1 to 10 to the type $\textit{nat} \Rightarrow \textit{tm}$
-of the higher-order argument $\sigma$ of \textit{subst}.
-For the formula of interest, knowing 6 values of that type was enough to find
-the counterexample. Without boxing, $6^6 = 46\,656$ values must be
-considered, a hopeless undertaking:
-
-\prew
-\textbf{nitpick} [\textit{dont\_box}] \\[2\smallskipamount]
-{\slshape Nitpick ran out of time after checking 3 of 10 scopes.}
-\postw
-
-Boxing can be enabled or disabled globally or on a per-type basis using the
-\textit{box} option. Nitpick usually performs reasonable choices about which
-types should be boxed, but option tweaking sometimes helps.
-
-%A related optimization,
-%``finitization,'' attempts to wrap functions that are constant at all but finitely
-%many points (e.g., finite sets); see the documentation for the \textit{finitize}
-%option in \S\ref{scope-of-search} for details.
-
-\subsection{Scope Monotonicity}
-\label{scope-monotonicity}
-
-The \textit{card} option (together with \textit{iter}, \textit{bisim\_depth},
-and \textit{max}) controls which scopes are actually tested. In general, to
-exhaust all models below a certain cardinality bound, the number of scopes that
-Nitpick must consider increases exponentially with the number of type variables
-(and \textbf{typedecl}'d types) occurring in the formula. Given the default
-cardinality specification of 1--10, no fewer than $10^4 = 10\,000$ scopes must be
-considered for a formula involving $'a$, $'b$, $'c$, and $'d$.
-
-Fortunately, many formulas exhibit a property called \textsl{scope
-monotonicity}, meaning that if the formula is falsifiable for a given scope,
-it is also falsifiable for all larger scopes \cite[p.~165]{jackson-2006}.
-
-Consider the formula
-
-\prew
-\textbf{lemma}~``$\textit{length~xs} = \textit{length~ys} \,\Longrightarrow\, \textit{rev}~(\textit{zip~xs~ys}) = \textit{zip~xs}~(\textit{rev~ys})$''
-\postw
-
-where \textit{xs} is of type $'a~\textit{list}$ and \textit{ys} is of type
-$'b~\textit{list}$. A priori, Nitpick would need to consider $1\,000$ scopes to
-exhaust the specification \textit{card}~= 1--10 (10 cardinalies for $'a$
-$\times$ 10 cardinalities for $'b$ $\times$ 10 cardinalities for the datatypes).
-However, our intuition tells us that any counterexample found with a small scope
-would still be a counterexample in a larger scope---by simply ignoring the fresh
-$'a$ and $'b$ values provided by the larger scope. Nitpick comes to the same
-conclusion after a careful inspection of the formula and the relevant
-definitions:
-
-\prew
-\textbf{nitpick}~[\textit{verbose}] \\[2\smallskipamount]
-\slshape
-The types $'a$ and $'b$ passed the monotonicity test.
-Nitpick might be able to skip some scopes.
- \\[2\smallskipamount]
-Trying 10 scopes: \\
-\hbox{}\qquad \textit{card} $'a$~= 1, \textit{card} $'b$~= 1,
-\textit{card} \textit{nat}~= 1, \textit{card} ``$('a \times {'}b)$
-\textit{list\/}''~= 1, \\
-\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 1, and
-\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 1. \\
-\hbox{}\qquad \textit{card} $'a$~= 2, \textit{card} $'b$~= 2,
-\textit{card} \textit{nat}~= 2, \textit{card} ``$('a \times {'}b)$
-\textit{list\/}''~= 2, \\
-\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 2, and
-\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 2. \\
-\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
-\hbox{}\qquad \textit{card} $'a$~= 10, \textit{card} $'b$~= 10,
-\textit{card} \textit{nat}~= 10, \textit{card} ``$('a \times {'}b)$
-\textit{list\/}''~= 10, \\
-\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 10, and
-\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 10.
-\\[2\smallskipamount]
-Nitpick found a counterexample for
-\textit{card} $'a$~= 5, \textit{card} $'b$~= 5,
-\textit{card} \textit{nat}~= 5, \textit{card} ``$('a \times {'}b)$
-\textit{list\/}''~= 5, \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 5, and
-\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 5:
-\\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{xs} = [a_1, a_2]$ \\
-\hbox{}\qquad\qquad $\textit{ys} = [b_1, b_1]$ \\[2\smallskipamount]
-Total time: 1.63 s.
-\postw
-
-In theory, it should be sufficient to test a single scope:
-
-\prew
-\textbf{nitpick}~[\textit{card}~= 10]
-\postw
-
-However, this is often less efficient in practice and may lead to overly complex
-counterexamples.
-
-If the monotonicity check fails but we believe that the formula is monotonic (or
-we don't mind missing some counterexamples), we can pass the
-\textit{mono} option. To convince yourself that this option is risky,
-simply consider this example from \S\ref{skolemization}:
-
-\prew
-\textbf{lemma} ``$\exists g.\; \forall x\Colon 'b.~g~(f~x) = x
- \,\Longrightarrow\, \forall y\Colon {'}a.\; \exists x.~y = f~x$'' \\
-\textbf{nitpick} [\textit{mono}] \\[2\smallskipamount]
-{\slshape Nitpick found no counterexample.} \\[2\smallskipamount]
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape
-Nitpick found a counterexample for \textit{card} $'a$~= 2 and \textit{card} $'b$~=~1: \\
-\hbox{}\qquad $\vdots$
-\postw
-
-(It turns out the formula holds if and only if $\textit{card}~'a \le
-\textit{card}~'b$.) Although this is rarely advisable, the automatic
-monotonicity checks can be disabled by passing \textit{non\_mono}
-(\S\ref{optimizations}).
-
-As insinuated in \S\ref{natural-numbers-and-integers} and
-\S\ref{inductive-datatypes}, \textit{nat}, \textit{int}, and inductive datatypes
-are normally monotonic and treated as such. The same is true for record types,
-\textit{rat}, and \textit{real}. Thus, given the
-cardinality specification 1--10, a formula involving \textit{nat}, \textit{int},
-\textit{int~list}, \textit{rat}, and \textit{rat~list} will lead Nitpick to
-consider only 10~scopes instead of $10^4 = 10\,000$. On the other hand,
-\textbf{typedef}s and quotient types are generally nonmonotonic.
-
-\subsection{Inductive Properties}
-\label{inductive-properties}
-
-Inductive properties are a particular pain to prove, because the failure to
-establish an induction step can mean several things:
-%
-\begin{enumerate}
-\item The property is invalid.
-\item The property is valid but is too weak to support the induction step.
-\item The property is valid and strong enough; it's just that we haven't found
-the proof yet.
-\end{enumerate}
-%
-Depending on which scenario applies, we would take the appropriate course of
-action:
-%
-\begin{enumerate}
-\item Repair the statement of the property so that it becomes valid.
-\item Generalize the property and/or prove auxiliary properties.
-\item Work harder on a proof.
-\end{enumerate}
-%
-How can we distinguish between the three scenarios? Nitpick's normal mode of
-operation can often detect scenario 1, and Isabelle's automatic tactics help with
-scenario 3. Using appropriate techniques, it is also often possible to use
-Nitpick to identify scenario 2. Consider the following transition system,
-in which natural numbers represent states:
-
-\prew
-\textbf{inductive\_set}~\textit{reach}~\textbf{where} \\
-``$(4\Colon\textit{nat}) \in \textit{reach\/}$'' $\mid$ \\
-``$\lbrakk n < 4;\> n \in \textit{reach\/}\rbrakk \,\Longrightarrow\, 3 * n + 1 \in \textit{reach\/}$'' $\mid$ \\
-``$n \in \textit{reach} \,\Longrightarrow n + 2 \in \textit{reach\/}$''
-\postw
-
-We will try to prove that only even numbers are reachable:
-
-\prew
-\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n$''
-\postw
-
-Does this property hold? Nitpick cannot find a counterexample within 30 seconds,
-so let's attempt a proof by induction:
-
-\prew
-\textbf{apply}~(\textit{induct~set}{:}~\textit{reach\/}) \\
-\textbf{apply}~\textit{auto}
-\postw
-
-This leaves us in the following proof state:
-
-\prew
-{\slshape goal (2 subgoals): \\
-\phantom{0}1. ${\bigwedge}n.\;\, \lbrakk n \in \textit{reach\/};\, n < 4;\, 2~\textsl{dvd}~n\rbrakk \,\Longrightarrow\, 2~\textsl{dvd}~\textit{Suc}~(3 * n)$ \\
-\phantom{0}2. ${\bigwedge}n.\;\, \lbrakk n \in \textit{reach\/};\, 2~\textsl{dvd}~n\rbrakk \,\Longrightarrow\, 2~\textsl{dvd}~\textit{Suc}~(\textit{Suc}~n)$
-}
-\postw
-
-If we run Nitpick on the first subgoal, it still won't find any
-counterexample; and yet, \textit{auto} fails to go further, and \textit{arith}
-is helpless. However, notice the $n \in \textit{reach}$ assumption, which
-strengthens the induction hypothesis but is not immediately usable in the proof.
-If we remove it and invoke Nitpick, this time we get a counterexample:
-
-\prew
-\textbf{apply}~(\textit{thin\_tac}~``$n \in \textit{reach\/}$'') \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Skolem constant: \nopagebreak \\
-\hbox{}\qquad\qquad $n = 0$
-\postw
-
-Indeed, 0 < 4, 2 divides 0, but 2 does not divide 1. We can use this information
-to strength the lemma:
-
-\prew
-\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n \mathrel{\lor} n \not= 0$''
-\postw
-
-Unfortunately, the proof by induction still gets stuck, except that Nitpick now
-finds the counterexample $n = 2$. We generalize the lemma further to
-
-\prew
-\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n \mathrel{\lor} n \ge 4$''
-\postw
-
-and this time \textit{arith} can finish off the subgoals.
-
-A similar technique can be employed for structural induction. The
-following mini formalization of full binary trees will serve as illustration:
-
-\prew
-\textbf{datatype} $\kern1pt'a$~\textit{bin\_tree} = $\textit{Leaf}~{\kern1pt'a}$ $\mid$ $\textit{Branch}$ ``\kern1pt$'a$ \textit{bin\_tree}'' ``\kern1pt$'a$ \textit{bin\_tree}'' \\[2\smallskipamount]
-\textbf{primrec}~\textit{labels}~\textbf{where} \\
-``$\textit{labels}~(\textit{Leaf}~a) = \{a\}$'' $\mid$ \\
-``$\textit{labels}~(\textit{Branch}~t~u) = \textit{labels}~t \mathrel{\cup} \textit{labels}~u$'' \\[2\smallskipamount]
-\textbf{primrec}~\textit{swap}~\textbf{where} \\
-``$\textit{swap}~(\textit{Leaf}~c)~a~b =$ \\
-\phantom{``}$(\textrm{if}~c = a~\textrm{then}~\textit{Leaf}~b~\textrm{else~if}~c = b~\textrm{then}~\textit{Leaf}~a~\textrm{else}~\textit{Leaf}~c)$'' $\mid$ \\
-``$\textit{swap}~(\textit{Branch}~t~u)~a~b = \textit{Branch}~(\textit{swap}~t~a~b)~(\textit{swap}~u~a~b)$''
-\postw
-
-The \textit{labels} function returns the set of labels occurring on leaves of a
-tree, and \textit{swap} exchanges two labels. Intuitively, if two distinct
-labels $a$ and $b$ occur in a tree $t$, they should also occur in the tree
-obtained by swapping $a$ and $b$:
-
-\prew
-\textbf{lemma} $``\{a, b\} \subseteq \textit{labels}~t \,\Longrightarrow\, \textit{labels}~(\textit{swap}~t~a~b) = \textit{labels}~t$''
-\postw
-
-Nitpick can't find any counterexample, so we proceed with induction
-(this time favoring a more structured style):
-
-\prew
-\textbf{proof}~(\textit{induct}~$t$) \\
-\hbox{}\quad \textbf{case}~\textit{Leaf}~\textbf{thus}~\textit{?case}~\textbf{by}~\textit{simp} \\
-\textbf{next} \\
-\hbox{}\quad \textbf{case}~$(\textit{Branch}~t~u)$~\textbf{thus} \textit{?case}
-\postw
-
-Nitpick can't find any counterexample at this point either, but it makes the
-following suggestion:
-
-\prew
-\slshape
-Hint: To check that the induction hypothesis is general enough, try this command:
-\textbf{nitpick}~[\textit{non\_std}, \textit{show\_all}].
-\postw
-
-If we follow the hint, we get a ``nonstandard'' counterexample for the step:
-
-\prew
-\slshape Nitpick found a nonstandard counterexample for \textit{card} $'a$ = 3: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $a = a_1$ \\
-\hbox{}\qquad\qquad $b = a_2$ \\
-\hbox{}\qquad\qquad $t = \xi_1$ \\
-\hbox{}\qquad\qquad $u = \xi_2$ \\
-\hbox{}\qquad Datatype: \nopagebreak \\
-\hbox{}\qquad\qquad $'a~\textit{bin\_tree} =
-\{\!\begin{aligned}[t]
-& \xi_1 \mathbin{=} \textit{Branch}~\xi_1~\xi_1,\> \xi_2 \mathbin{=} \textit{Branch}~\xi_2~\xi_2,\> \\[-2pt]
-& \textit{Branch}~\xi_1~\xi_2,\> \unr\}\end{aligned}$ \\
-\hbox{}\qquad {\slshape Constants:} \nopagebreak \\
-\hbox{}\qquad\qquad $\textit{labels} = \unkef
- (\!\begin{aligned}[t]%
- & \xi_1 := \{a_2, a_3\},\> \xi_2 := \{a_1\},\> \\[-2pt]
- & \textit{Branch}~\xi_1~\xi_2 := \{a_1, a_2, a_3\})\end{aligned}$ \\
-\hbox{}\qquad\qquad $\lambda x_1.\> \textit{swap}~x_1~a~b = \unkef
- (\!\begin{aligned}[t]%
- & \xi_1 := \xi_2,\> \xi_2 := \xi_2, \\[-2pt]
- & \textit{Branch}~\xi_1~\xi_2 := \xi_2)\end{aligned}$ \\[2\smallskipamount]
-The existence of a nonstandard model suggests that the induction hypothesis is not general enough or may even
-be wrong. See the Nitpick manual's ``Inductive Properties'' section for details (``\textit{isabelle doc nitpick}'').
-\postw
-
-Reading the Nitpick manual is a most excellent idea.
-But what's going on? The \textit{non\_std} option told the tool to look for
-nonstandard models of binary trees, which means that new ``nonstandard'' trees
-$\xi_1, \xi_2, \ldots$, are now allowed in addition to the standard trees
-generated by the \textit{Leaf} and \textit{Branch} constructors.%
-\footnote{Notice the similarity between allowing nonstandard trees here and
-allowing unreachable states in the preceding example (by removing the ``$n \in
-\textit{reach\/}$'' assumption). In both cases, we effectively enlarge the
-set of objects over which the induction is performed while doing the step
-in order to test the induction hypothesis's strength.}
-Unlike standard trees, these new trees contain cycles. We will see later that
-every property of acyclic trees that can be proved without using induction also
-holds for cyclic trees. Hence,
-%
-\begin{quote}
-\textsl{If the induction
-hypothesis is strong enough, the induction step will hold even for nonstandard
-objects, and Nitpick won't find any nonstandard counterexample.}
-\end{quote}
-%
-But here the tool find some nonstandard trees $t = \xi_1$
-and $u = \xi_2$ such that $a \notin \textit{labels}~t$, $b \in
-\textit{labels}~t$, $a \in \textit{labels}~u$, and $b \notin \textit{labels}~u$.
-Because neither tree contains both $a$ and $b$, the induction hypothesis tells
-us nothing about the labels of $\textit{swap}~t~a~b$ and $\textit{swap}~u~a~b$,
-and as a result we know nothing about the labels of the tree
-$\textit{swap}~(\textit{Branch}~t~u)~a~b$, which by definition equals
-$\textit{Branch}$ $(\textit{swap}~t~a~b)$ $(\textit{swap}~u~a~b)$, whose
-labels are $\textit{labels}$ $(\textit{swap}~t~a~b) \mathrel{\cup}
-\textit{labels}$ $(\textit{swap}~u~a~b)$.
-
-The solution is to ensure that we always know what the labels of the subtrees
-are in the inductive step, by covering the cases where $a$ and/or~$b$ is not in
-$t$ in the statement of the lemma:
-
-\prew
-\textbf{lemma} ``$\textit{labels}~(\textit{swap}~t~a~b) = {}$ \\
-\phantom{\textbf{lemma} ``}$(\textrm{if}~a \in \textit{labels}~t~\textrm{then}$ \nopagebreak \\
-\phantom{\textbf{lemma} ``(\quad}$\textrm{if}~b \in \textit{labels}~t~\textrm{then}~\textit{labels}~t~\textrm{else}~(\textit{labels}~t - \{a\}) \mathrel{\cup} \{b\}$ \\
-\phantom{\textbf{lemma} ``(}$\textrm{else}$ \\
-\phantom{\textbf{lemma} ``(\quad}$\textrm{if}~b \in \textit{labels}~t~\textrm{then}~(\textit{labels}~t - \{b\}) \mathrel{\cup} \{a\}~\textrm{else}~\textit{labels}~t)$''
-\postw
-
-This time, Nitpick won't find any nonstandard counterexample, and we can perform
-the induction step using \textit{auto}.
-
-\section{Case Studies}
-\label{case-studies}
-
-As a didactic device, the previous section focused mostly on toy formulas whose
-validity can easily be assessed just by looking at the formula. We will now
-review two somewhat more realistic case studies that are within Nitpick's
-reach:\ a context-free grammar modeled by mutually inductive sets and a
-functional implementation of AA trees. The results presented in this
-section were produced with the following settings:
-
-\prew
-\textbf{nitpick\_params} [\textit{max\_potential}~= 0]
-\postw
-
-\subsection{A Context-Free Grammar}
-\label{a-context-free-grammar}
-
-Our first case study is taken from section 7.4 in the Isabelle tutorial
-\cite{isa-tutorial}. The following grammar, originally due to Hopcroft and
-Ullman, produces all strings with an equal number of $a$'s and $b$'s:
-
-\prew
-\begin{tabular}{@{}r@{$\;\,$}c@{$\;\,$}l@{}}
-$S$ & $::=$ & $\epsilon \mid bA \mid aB$ \\
-$A$ & $::=$ & $aS \mid bAA$ \\
-$B$ & $::=$ & $bS \mid aBB$
-\end{tabular}
-\postw
-
-The intuition behind the grammar is that $A$ generates all strings with one more
-$a$ than $b$'s and $B$ generates all strings with one more $b$ than $a$'s.
-
-The alphabet consists exclusively of $a$'s and $b$'s:
-
-\prew
-\textbf{datatype} \textit{alphabet}~= $a$ $\mid$ $b$
-\postw
-
-Strings over the alphabet are represented by \textit{alphabet list}s.
-Nonterminals in the grammar become sets of strings. The production rules
-presented above can be expressed as a mutually inductive definition:
-
-\prew
-\textbf{inductive\_set} $S$ \textbf{and} $A$ \textbf{and} $B$ \textbf{where} \\
-\textit{R1}:\kern.4em ``$[] \in S$'' $\,\mid$ \\
-\textit{R2}:\kern.4em ``$w \in A\,\Longrightarrow\, b \mathbin{\#} w \in S$'' $\,\mid$ \\
-\textit{R3}:\kern.4em ``$w \in B\,\Longrightarrow\, a \mathbin{\#} w \in S$'' $\,\mid$ \\
-\textit{R4}:\kern.4em ``$w \in S\,\Longrightarrow\, a \mathbin{\#} w \in A$'' $\,\mid$ \\
-\textit{R5}:\kern.4em ``$w \in S\,\Longrightarrow\, b \mathbin{\#} w \in S$'' $\,\mid$ \\
-\textit{R6}:\kern.4em ``$\lbrakk v \in B;\> v \in B\rbrakk \,\Longrightarrow\, a \mathbin{\#} v \mathbin{@} w \in B$''
-\postw
-
-The conversion of the grammar into the inductive definition was done manually by
-Joe Blow, an underpaid undergraduate student. As a result, some errors might
-have sneaked in.
-
-Debugging faulty specifications is at the heart of Nitpick's \textsl{raison
-d'\^etre}. A good approach is to state desirable properties of the specification
-(here, that $S$ is exactly the set of strings over $\{a, b\}$ with as many $a$'s
-as $b$'s) and check them with Nitpick. If the properties are correctly stated,
-counterexamples will point to bugs in the specification. For our grammar
-example, we will proceed in two steps, separating the soundness and the
-completeness of the set $S$. First, soundness:
-
-\prew
-\textbf{theorem}~\textit{S\_sound\/}: \\
-``$w \in S \longrightarrow \textit{length}~[x\mathbin{\leftarrow} w.\; x = a] =
- \textit{length}~[x\mathbin{\leftarrow} w.\; x = b]$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $w = [b]$
-\postw
-
-It would seem that $[b] \in S$. How could this be? An inspection of the
-introduction rules reveals that the only rule with a right-hand side of the form
-$b \mathbin{\#} {\ldots} \in S$ that could have introduced $[b]$ into $S$ is
-\textit{R5}:
-
-\prew
-``$w \in S\,\Longrightarrow\, b \mathbin{\#} w \in S$''
-\postw
-
-On closer inspection, we can see that this rule is wrong. To match the
-production $B ::= bS$, the second $S$ should be a $B$. We fix the typo and try
-again:
-
-\prew
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $w = [a, a, b]$
-\postw
-
-Some detective work is necessary to find out what went wrong here. To get $[a,
-a, b] \in S$, we need $[a, b] \in B$ by \textit{R3}, which in turn can only come
-from \textit{R6}:
-
-\prew
-``$\lbrakk v \in B;\> v \in B\rbrakk \,\Longrightarrow\, a \mathbin{\#} v \mathbin{@} w \in B$''
-\postw
-
-Now, this formula must be wrong: The same assumption occurs twice, and the
-variable $w$ is unconstrained. Clearly, one of the two occurrences of $v$ in
-the assumptions should have been a $w$.
-
-With the correction made, we don't get any counterexample from Nitpick. Let's
-move on and check completeness:
-
-\prew
-\textbf{theorem}~\textit{S\_complete}: \\
-``$\textit{length}~[x\mathbin{\leftarrow} w.\; x = a] =
- \textit{length}~[x\mathbin{\leftarrow} w.\; x = b]
- \longrightarrow w \in S$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variable: \nopagebreak \\
-\hbox{}\qquad\qquad $w = [b, b, a, a]$
-\postw
-
-Apparently, $[b, b, a, a] \notin S$, even though it has the same numbers of
-$a$'s and $b$'s. But since our inductive definition passed the soundness check,
-the introduction rules we have are probably correct. Perhaps we simply lack an
-introduction rule. Comparing the grammar with the inductive definition, our
-suspicion is confirmed: Joe Blow simply forgot the production $A ::= bAA$,
-without which the grammar cannot generate two or more $b$'s in a row. So we add
-the rule
-
-\prew
-``$\lbrakk v \in A;\> w \in A\rbrakk \,\Longrightarrow\, b \mathbin{\#} v \mathbin{@} w \in A$''
-\postw
-
-With this last change, we don't get any counterexamples from Nitpick for either
-soundness or completeness. We can even generalize our result to cover $A$ and
-$B$ as well:
-
-\prew
-\textbf{theorem} \textit{S\_A\_B\_sound\_and\_complete}: \\
-``$w \in S \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = b]$'' \\
-``$w \in A \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = b] + 1$'' \\
-``$w \in B \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = b] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] + 1$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found no counterexample.
-\postw
-
-\subsection{AA Trees}
-\label{aa-trees}
-
-AA trees are a kind of balanced trees discovered by Arne Andersson that provide
-similar performance to red-black trees, but with a simpler implementation
-\cite{andersson-1993}. They can be used to store sets of elements equipped with
-a total order $<$. We start by defining the datatype and some basic extractor
-functions:
-
-\prew
-\textbf{datatype} $'a$~\textit{aa\_tree} = \\
-\hbox{}\quad $\Lambda$ $\mid$ $N$ ``\kern1pt$'a\Colon \textit{linorder\/}$'' \textit{nat} ``\kern1pt$'a$ \textit{aa\_tree}'' ``\kern1pt$'a$ \textit{aa\_tree}'' \\[2\smallskipamount]
-\textbf{primrec} \textit{data} \textbf{where} \\
-``$\textit{data}~\Lambda = \unkef$'' $\,\mid$ \\
-``$\textit{data}~(N~x~\_~\_~\_) = x$'' \\[2\smallskipamount]
-\textbf{primrec} \textit{dataset} \textbf{where} \\
-``$\textit{dataset}~\Lambda = \{\}$'' $\,\mid$ \\
-``$\textit{dataset}~(N~x~\_~t~u) = \{x\} \cup \textit{dataset}~t \mathrel{\cup} \textit{dataset}~u$'' \\[2\smallskipamount]
-\textbf{primrec} \textit{level} \textbf{where} \\
-``$\textit{level}~\Lambda = 0$'' $\,\mid$ \\
-``$\textit{level}~(N~\_~k~\_~\_) = k$'' \\[2\smallskipamount]
-\textbf{primrec} \textit{left} \textbf{where} \\
-``$\textit{left}~\Lambda = \Lambda$'' $\,\mid$ \\
-``$\textit{left}~(N~\_~\_~t~\_) = t$'' \\[2\smallskipamount]
-\textbf{primrec} \textit{right} \textbf{where} \\
-``$\textit{right}~\Lambda = \Lambda$'' $\,\mid$ \\
-``$\textit{right}~(N~\_~\_~\_~u) = u$''
-\postw
-
-The wellformedness criterion for AA trees is fairly complex. Wikipedia states it
-as follows \cite{wikipedia-2009-aa-trees}:
-
-\kern.2\parskip %% TYPESETTING
-
-\pre
-Each node has a level field, and the following invariants must remain true for
-the tree to be valid:
-
-\raggedright
-
-\kern-.4\parskip %% TYPESETTING
-
-\begin{enum}
-\item[]
-\begin{enum}
-\item[1.] The level of a leaf node is one.
-\item[2.] The level of a left child is strictly less than that of its parent.
-\item[3.] The level of a right child is less than or equal to that of its parent.
-\item[4.] The level of a right grandchild is strictly less than that of its grandparent.
-\item[5.] Every node of level greater than one must have two children.
-\end{enum}
-\end{enum}
-\post
-
-\kern.4\parskip %% TYPESETTING
-
-The \textit{wf} predicate formalizes this description:
-
-\prew
-\textbf{primrec} \textit{wf} \textbf{where} \\
-``$\textit{wf}~\Lambda = \textit{True\/}$'' $\,\mid$ \\
-``$\textit{wf}~(N~\_~k~t~u) =$ \\
-\phantom{``}$(\textrm{if}~t = \Lambda~\textrm{then}$ \\
-\phantom{``$(\quad$}$k = 1 \mathrel{\land} (u = \Lambda \mathrel{\lor} (\textit{level}~u = 1 \mathrel{\land} \textit{left}~u = \Lambda \mathrel{\land} \textit{right}~u = \Lambda))$ \\
-\phantom{``$($}$\textrm{else}$ \\
-\hbox{}\phantom{``$(\quad$}$\textit{wf}~t \mathrel{\land} \textit{wf}~u
-\mathrel{\land} u \not= \Lambda \mathrel{\land} \textit{level}~t < k
-\mathrel{\land} \textit{level}~u \le k$ \\
-\hbox{}\phantom{``$(\quad$}${\land}\; \textit{level}~(\textit{right}~u) < k)$''
-\postw
-
-Rebalancing the tree upon insertion and removal of elements is performed by two
-auxiliary functions called \textit{skew} and \textit{split}, defined below:
-
-\prew
-\textbf{primrec} \textit{skew} \textbf{where} \\
-``$\textit{skew}~\Lambda = \Lambda$'' $\,\mid$ \\
-``$\textit{skew}~(N~x~k~t~u) = {}$ \\
-\phantom{``}$(\textrm{if}~t \not= \Lambda \mathrel{\land} k =
-\textit{level}~t~\textrm{then}$ \\
-\phantom{``(\quad}$N~(\textit{data}~t)~k~(\textit{left}~t)~(N~x~k~
-(\textit{right}~t)~u)$ \\
-\phantom{``(}$\textrm{else}$ \\
-\phantom{``(\quad}$N~x~k~t~u)$''
-\postw
-
-\prew
-\textbf{primrec} \textit{split} \textbf{where} \\
-``$\textit{split}~\Lambda = \Lambda$'' $\,\mid$ \\
-``$\textit{split}~(N~x~k~t~u) = {}$ \\
-\phantom{``}$(\textrm{if}~u \not= \Lambda \mathrel{\land} k =
-\textit{level}~(\textit{right}~u)~\textrm{then}$ \\
-\phantom{``(\quad}$N~(\textit{data}~u)~(\textit{Suc}~k)~
-(N~x~k~t~(\textit{left}~u))~(\textit{right}~u)$ \\
-\phantom{``(}$\textrm{else}$ \\
-\phantom{``(\quad}$N~x~k~t~u)$''
-\postw
-
-Performing a \textit{skew} or a \textit{split} should have no impact on the set
-of elements stored in the tree:
-
-\prew
-\textbf{theorem}~\textit{dataset\_skew\_split\/}:\\
-``$\textit{dataset}~(\textit{skew}~t) = \textit{dataset}~t$'' \\
-``$\textit{dataset}~(\textit{split}~t) = \textit{dataset}~t$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-{\slshape Nitpick ran out of time after checking 9 of 10 scopes.}
-\postw
-
-Furthermore, applying \textit{skew} or \textit{split} on a well-formed tree
-should not alter the tree:
-
-\prew
-\textbf{theorem}~\textit{wf\_skew\_split\/}:\\
-``$\textit{wf}~t\,\Longrightarrow\, \textit{skew}~t = t$'' \\
-``$\textit{wf}~t\,\Longrightarrow\, \textit{split}~t = t$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-{\slshape Nitpick found no counterexample.}
-\postw
-
-Insertion is implemented recursively. It preserves the sort order:
-
-\prew
-\textbf{primrec}~\textit{insort} \textbf{where} \\
-``$\textit{insort}~\Lambda~x = N~x~1~\Lambda~\Lambda$'' $\,\mid$ \\
-``$\textit{insort}~(N~y~k~t~u)~x =$ \\
-\phantom{``}$({*}~(\textit{split} \circ \textit{skew})~{*})~(N~y~k~(\textrm{if}~x < y~\textrm{then}~\textit{insort}~t~x~\textrm{else}~t)$ \\
-\phantom{``$({*}~(\textit{split} \circ \textit{skew})~{*})~(N~y~k~$}$(\textrm{if}~x > y~\textrm{then}~\textit{insort}~u~x~\textrm{else}~u))$''
-\postw
-
-Notice that we deliberately commented out the application of \textit{skew} and
-\textit{split}. Let's see if this causes any problems:
-
-\prew
-\textbf{theorem}~\textit{wf\_insort\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~x)$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\slshape Nitpick found a counterexample for \textit{card} $'a$ = 4: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $t = N~a_1~1~\Lambda~\Lambda$ \\
-\hbox{}\qquad\qquad $x = a_2$
-\postw
-
-It's hard to see why this is a counterexample. To improve readability, we will
-restrict the theorem to \textit{nat}, so that we don't need to look up the value
-of the $\textit{op}~{<}$ constant to find out which element is smaller than the
-other. In addition, we will tell Nitpick to display the value of
-$\textit{insort}~t~x$ using the \textit{eval} option. This gives
-
-\prew
-\textbf{theorem} \textit{wf\_insort\_nat\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~(x\Colon\textit{nat}))$'' \\
-\textbf{nitpick} [\textit{eval} = ``$\textit{insort}~t~x$''] \\[2\smallskipamount]
-\slshape Nitpick found a counterexample: \\[2\smallskipamount]
-\hbox{}\qquad Free variables: \nopagebreak \\
-\hbox{}\qquad\qquad $t = N~1~1~\Lambda~\Lambda$ \\
-\hbox{}\qquad\qquad $x = 0$ \\
-\hbox{}\qquad Evaluated term: \\
-\hbox{}\qquad\qquad $\textit{insort}~t~x = N~1~1~(N~0~1~\Lambda~\Lambda)~\Lambda$
-\postw
-
-Nitpick's output reveals that the element $0$ was added as a left child of $1$,
-where both nodes have a level of 1. This violates the second AA tree invariant,
-which states that a left child's level must be less than its parent's. This
-shouldn't come as a surprise, considering that we commented out the tree
-rebalancing code. Reintroducing the code seems to solve the problem:
-
-\prew
-\textbf{theorem}~\textit{wf\_insort\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~x)$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-{\slshape Nitpick ran out of time after checking 8 of 10 scopes.}
-\postw
-
-Insertion should transform the set of elements represented by the tree in the
-obvious way:
-
-\prew
-\textbf{theorem} \textit{dataset\_insort\/}:\kern.4em
-``$\textit{dataset}~(\textit{insort}~t~x) = \{x\} \cup \textit{dataset}~t$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-{\slshape Nitpick ran out of time after checking 7 of 10 scopes.}
-\postw
-
-We could continue like this and sketch a full-blown theory of AA trees. Once the
-definitions and main theorems are in place and have been thoroughly tested using
-Nitpick, we could start working on the proofs. Developing theories this way
-usually saves time, because faulty theorems and definitions are discovered much
-earlier in the process.
-
-\section{Option Reference}
-\label{option-reference}
-
-\def\defl{\{}
-\def\defr{\}}
-
-\def\flushitem#1{\item[]\noindent\kern-\leftmargin \textbf{#1}}
-\def\qty#1{$\left<\textit{#1}\right>$}
-\def\qtybf#1{$\mathbf{\left<\textbf{\textit{#1}}\right>}$}
-\def\optrue#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{true}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opfalse#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{false}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opsmart#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opnodefault#1#2{\flushitem{\textit{#1} = \qtybf{#2}} \nopagebreak\\[\parskip]}
-\def\opdefault#1#2#3{\flushitem{\textit{#1} = \qtybf{#2}\enskip \defl\textit{#3}\defr} \nopagebreak\\[\parskip]}
-\def\oparg#1#2#3{\flushitem{\textit{#1} \qtybf{#2} = \qtybf{#3}} \nopagebreak\\[\parskip]}
-\def\opargbool#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
-\def\opargboolorsmart#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
-
-Nitpick's behavior can be influenced by various options, which can be specified
-in brackets after the \textbf{nitpick} command. Default values can be set
-using \textbf{nitpick\_\allowbreak params}. For example:
-
-\prew
-\textbf{nitpick\_params} [\textit{verbose}, \,\textit{timeout} = 60]
-\postw
-
-The options are categorized as follows:\ mode of operation
-(\S\ref{mode-of-operation}), scope of search (\S\ref{scope-of-search}), output
-format (\S\ref{output-format}), automatic counterexample checks
-(\S\ref{authentication}), optimizations
-(\S\ref{optimizations}), and timeouts (\S\ref{timeouts}).
-
-You can instruct Nitpick to run automatically on newly entered theorems by
-enabling the ``Auto Nitpick'' option from the ``Isabelle'' menu in Proof
-General. For automatic runs, \textit{user\_axioms} (\S\ref{mode-of-operation}),
-\textit{assms} (\S\ref{mode-of-operation}), and \textit{mono}
-(\S\ref{scope-of-search}) are implicitly enabled, \textit{blocking}
-(\S\ref{mode-of-operation}), \textit{verbose} (\S\ref{output-format}), and
-\textit{debug} (\S\ref{output-format}) are disabled, \textit{max\_threads}
-(\S\ref{optimizations}) is taken to be 1, \textit{max\_potential}
-(\S\ref{output-format}) is taken to be 0, and \textit{timeout}
-(\S\ref{timeouts}) is superseded by the ``Auto Tools Time Limit'' in
-Proof General's ``Isabelle'' menu. Nitpick's output is also more concise.
-
-The number of options can be overwhelming at first glance. Do not let that worry
-you: Nitpick's defaults have been chosen so that it almost always does the right
-thing, and the most important options have been covered in context in
-\S\ref{first-steps}.
-
-The descriptions below refer to the following syntactic quantities:
-
-\begin{enum}
-\item[\labelitemi] \qtybf{string}: A string.
-\item[\labelitemi] \qtybf{string\_list\/}: A space-separated list of strings
-(e.g., ``\textit{ichi ni san}'').
-\item[\labelitemi] \qtybf{bool\/}: \textit{true} or \textit{false}.
-\item[\labelitemi] \qtybf{smart\_bool\/}: \textit{true}, \textit{false}, or \textit{smart}.
-\item[\labelitemi] \qtybf{int\/}: An integer. Negative integers are prefixed with a hyphen.
-\item[\labelitemi] \qtybf{smart\_int\/}: An integer or \textit{smart}.
-\item[\labelitemi] \qtybf{int\_range}: An integer (e.g., 3) or a range
-of nonnegative integers (e.g., $1$--$4$). The range symbol `--' can be entered as \texttt{-} (hyphen) or \texttt{\char`\\\char`\<emdash\char`\>}.
-\item[\labelitemi] \qtybf{int\_seq}: A comma-separated sequence of ranges of integers (e.g.,~1{,}3{,}\allowbreak6--8).
-\item[\labelitemi] \qtybf{float\_or\_none}: An integer (e.g., 60) or floating-point number
-(e.g., 0.5) expressing a number of seconds, or the keyword \textit{none}
-($\infty$ seconds).
-\item[\labelitemi] \qtybf{const\/}: The name of a HOL constant.
-\item[\labelitemi] \qtybf{term}: A HOL term (e.g., ``$f~x$'').
-\item[\labelitemi] \qtybf{term\_list\/}: A space-separated list of HOL terms (e.g.,
-``$f~x$''~``$g~y$'').
-\item[\labelitemi] \qtybf{type}: A HOL type.
-\end{enum}
-
-Default values are indicated in curly brackets (\textrm{\{\}}). Boolean options
-have a negated counterpart (e.g., \textit{blocking} vs.\
-\textit{non\_blocking}). When setting them, ``= \textit{true}'' may be omitted.
-
-\subsection{Mode of Operation}
-\label{mode-of-operation}
-
-\begin{enum}
-\optrue{blocking}{non\_blocking}
-Specifies whether the \textbf{nitpick} command should operate synchronously.
-The asynchronous (non-blocking) mode lets the user start proving the putative
-theorem while Nitpick looks for a counterexample, but it can also be more
-confusing. For technical reasons, automatic runs currently always block.
-
-\optrue{falsify}{satisfy}
-Specifies whether Nitpick should look for falsifying examples (countermodels) or
-satisfying examples (models). This manual assumes throughout that
-\textit{falsify} is enabled.
-
-\opsmart{user\_axioms}{no\_user\_axioms}
-Specifies whether the user-defined axioms (specified using
-\textbf{axiomatization} and \textbf{axioms}) should be considered. If the option
-is set to \textit{smart}, Nitpick performs an ad hoc axiom selection based on
-the constants that occur in the formula to falsify. The option is implicitly set
-to \textit{true} for automatic runs.
-
-\textbf{Warning:} If the option is set to \textit{true}, Nitpick might
-nonetheless ignore some polymorphic axioms. Counterexamples generated under
-these conditions are tagged as ``quasi genuine.'' The \textit{debug}
-(\S\ref{output-format}) option can be used to find out which axioms were
-considered.
-
-\nopagebreak
-{\small See also \textit{assms} (\S\ref{mode-of-operation}) and \textit{debug}
-(\S\ref{output-format}).}
-
-\optrue{assms}{no\_assms}
-Specifies whether the relevant assumptions in structured proofs should be
-considered. The option is implicitly enabled for automatic runs.
-
-\nopagebreak
-{\small See also \textit{user\_axioms} (\S\ref{mode-of-operation}).}
-
-\opfalse{overlord}{no\_overlord}
-Specifies whether Nitpick should put its temporary files in
-\texttt{\$ISABELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for
-debugging Nitpick but also unsafe if several instances of the tool are run
-simultaneously. The files are identified by the extensions
-\texttt{.kki}, \texttt{.cnf}, \texttt{.out}, and
-\texttt{.err}; you may safely remove them after Nitpick has run.
-
-\nopagebreak
-{\small See also \textit{debug} (\S\ref{output-format}).}
-\end{enum}
-
-\subsection{Scope of Search}
-\label{scope-of-search}
-
-\begin{enum}
-\oparg{card}{type}{int\_seq}
-Specifies the sequence of cardinalities to use for a given type.
-For free types, and often also for \textbf{typedecl}'d types, it usually makes
-sense to specify cardinalities as a range of the form \textit{$1$--$n$}.
-
-\nopagebreak
-{\small See also \textit{box} (\S\ref{scope-of-search}) and \textit{mono}
-(\S\ref{scope-of-search}).}
-
-\opdefault{card}{int\_seq}{\upshape 1--10}
-Specifies the default sequence of cardinalities to use. This can be overridden
-on a per-type basis using the \textit{card}~\qty{type} option described above.
-
-\oparg{max}{const}{int\_seq}
-Specifies the sequence of maximum multiplicities to use for a given
-(co)in\-duc\-tive datatype constructor. A constructor's multiplicity is the
-number of distinct values that it can construct. Nonsensical values (e.g.,
-\textit{max}~[]~$=$~2) are silently repaired. This option is only available for
-datatypes equipped with several constructors.
-
-\opnodefault{max}{int\_seq}
-Specifies the default sequence of maximum multiplicities to use for
-(co)in\-duc\-tive datatype constructors. This can be overridden on a per-constructor
-basis using the \textit{max}~\qty{const} option described above.
-
-\opsmart{binary\_ints}{unary\_ints}
-Specifies whether natural numbers and integers should be encoded using a unary
-or binary notation. In unary mode, the cardinality fully specifies the subset
-used to approximate the type. For example:
-%
-$$\hbox{\begin{tabular}{@{}rll@{}}%
-\textit{card nat} = 4 & induces & $\{0,\, 1,\, 2,\, 3\}$ \\
-\textit{card int} = 4 & induces & $\{-1,\, 0,\, +1,\, +2\}$ \\
-\textit{card int} = 5 & induces & $\{-2,\, -1,\, 0,\, +1,\, +2\}.$%
-\end{tabular}}$$
-%
-In general:
-%
-$$\hbox{\begin{tabular}{@{}rll@{}}%
-\textit{card nat} = $K$ & induces & $\{0,\, \ldots,\, K - 1\}$ \\
-\textit{card int} = $K$ & induces & $\{-\lceil K/2 \rceil + 1,\, \ldots,\, +\lfloor K/2 \rfloor\}.$%
-\end{tabular}}$$
-%
-In binary mode, the cardinality specifies the number of distinct values that can
-be constructed. Each of these value is represented by a bit pattern whose length
-is specified by the \textit{bits} (\S\ref{scope-of-search}) option. By default,
-Nitpick attempts to choose the more appropriate encoding by inspecting the
-formula at hand, preferring the binary notation for problems involving
-multiplicative operators or large constants.
-
-\textbf{Warning:} For technical reasons, Nitpick always reverts to unary for
-problems that refer to the types \textit{rat} or \textit{real} or the constants
-\textit{Suc}, \textit{gcd}, or \textit{lcm}.
-
-{\small See also \textit{bits} (\S\ref{scope-of-search}) and
-\textit{show\_datatypes} (\S\ref{output-format}).}
-
-\opdefault{bits}{int\_seq}{\upshape 1,2,3,4,6,8,10,12,14,16}
-Specifies the number of bits to use to represent natural numbers and integers in
-binary, excluding the sign bit. The minimum is 1 and the maximum is 31.
-
-{\small See also \textit{binary\_ints} (\S\ref{scope-of-search}).}
-
-\opargboolorsmart{wf}{const}{non\_wf}
-Specifies whether the specified (co)in\-duc\-tively defined predicate is
-well-founded. The option can take the following values:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{true}:} Tentatively treat the (co)in\-duc\-tive
-predicate as if it were well-founded. Since this is generally not sound when the
-predicate is not well-founded, the counterexamples are tagged as ``quasi
-genuine.''
-
-\item[\labelitemi] \textbf{\textit{false}:} Treat the (co)in\-duc\-tive predicate
-as if it were not well-founded. The predicate is then unrolled as prescribed by
-the \textit{star\_linear\_preds}, \textit{iter}~\qty{const}, and \textit{iter}
-options.
-
-\item[\labelitemi] \textbf{\textit{smart}:} Try to prove that the inductive
-predicate is well-founded using Isabelle's \textit{lexicographic\_order} and
-\textit{size\_change} tactics. If this succeeds (or the predicate occurs with an
-appropriate polarity in the formula to falsify), use an efficient fixed-point
-equation as specification of the predicate; otherwise, unroll the predicates
-according to the \textit{iter}~\qty{const} and \textit{iter} options.
-\end{enum}
-
-\nopagebreak
-{\small See also \textit{iter} (\S\ref{scope-of-search}),
-\textit{star\_linear\_preds} (\S\ref{optimizations}), and \textit{tac\_timeout}
-(\S\ref{timeouts}).}
-
-\opsmart{wf}{non\_wf}
-Specifies the default wellfoundedness setting to use. This can be overridden on
-a per-predicate basis using the \textit{wf}~\qty{const} option above.
-
-\oparg{iter}{const}{int\_seq}
-Specifies the sequence of iteration counts to use when unrolling a given
-(co)in\-duc\-tive predicate. By default, unrolling is applied for inductive
-predicates that occur negatively and coinductive predicates that occur
-positively in the formula to falsify and that cannot be proved to be
-well-founded, but this behavior is influenced by the \textit{wf} option. The
-iteration counts are automatically bounded by the cardinality of the predicate's
-domain.
-
-{\small See also \textit{wf} (\S\ref{scope-of-search}) and
-\textit{star\_linear\_preds} (\S\ref{optimizations}).}
-
-\opdefault{iter}{int\_seq}{\upshape 0{,}1{,}2{,}4{,}8{,}12{,}16{,}20{,}24{,}28}
-Specifies the sequence of iteration counts to use when unrolling (co)in\-duc\-tive
-predicates. This can be overridden on a per-predicate basis using the
-\textit{iter} \qty{const} option above.
-
-\opdefault{bisim\_depth}{int\_seq}{\upshape 9}
-Specifies the sequence of iteration counts to use when unrolling the
-bisimilarity predicate generated by Nitpick for coinductive datatypes. A value
-of $-1$ means that no predicate is generated, in which case Nitpick performs an
-after-the-fact check to see if the known coinductive datatype values are
-bidissimilar. If two values are found to be bisimilar, the counterexample is
-tagged as ``quasi genuine.'' The iteration counts are automatically bounded by
-the sum of the cardinalities of the coinductive datatypes occurring in the
-formula to falsify.
-
-\opargboolorsmart{box}{type}{dont\_box}
-Specifies whether Nitpick should attempt to wrap (``box'') a given function or
-product type in an isomorphic datatype internally. Boxing is an effective mean
-to reduce the search space and speed up Nitpick, because the isomorphic datatype
-is approximated by a subset of the possible function or pair values.
-Like other drastic optimizations, it can also prevent the discovery of
-counterexamples. The option can take the following values:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{true}:} Box the specified type whenever
-practicable.
-\item[\labelitemi] \textbf{\textit{false}:} Never box the type.
-\item[\labelitemi] \textbf{\textit{smart}:} Box the type only in contexts where it
-is likely to help. For example, $n$-tuples where $n > 2$ and arguments to
-higher-order functions are good candidates for boxing.
-\end{enum}
-
-\nopagebreak
-{\small See also \textit{finitize} (\S\ref{scope-of-search}), \textit{verbose}
-(\S\ref{output-format}), and \textit{debug} (\S\ref{output-format}).}
-
-\opsmart{box}{dont\_box}
-Specifies the default boxing setting to use. This can be overridden on a
-per-type basis using the \textit{box}~\qty{type} option described above.
-
-\opargboolorsmart{finitize}{type}{dont\_finitize}
-Specifies whether Nitpick should attempt to finitize an infinite datatype. The
-option can then take the following values:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{true}:} Finitize the datatype. Since this is
-unsound, counterexamples generated under these conditions are tagged as ``quasi
-genuine.''
-\item[\labelitemi] \textbf{\textit{false}:} Don't attempt to finitize the datatype.
-\item[\labelitemi] \textbf{\textit{smart}:}
-If the datatype's constructors don't appear in the problem, perform a
-monotonicity analysis to detect whether the datatype can be soundly finitized;
-otherwise, don't finitize it.
-\end{enum}
-
-\nopagebreak
-{\small See also \textit{box} (\S\ref{scope-of-search}), \textit{mono}
-(\S\ref{scope-of-search}), \textit{verbose} (\S\ref{output-format}), and
-\textit{debug} (\S\ref{output-format}).}
-
-\opsmart{finitize}{dont\_finitize}
-Specifies the default finitization setting to use. This can be overridden on a
-per-type basis using the \textit{finitize}~\qty{type} option described above.
-
-\opargboolorsmart{mono}{type}{non\_mono}
-Specifies whether the given type should be considered monotonic when enumerating
-scopes and finitizing types. If the option is set to \textit{smart}, Nitpick
-performs a monotonicity check on the type. Setting this option to \textit{true}
-can reduce the number of scopes tried, but it can also diminish the chance of
-finding a counterexample, as demonstrated in \S\ref{scope-monotonicity}. The
-option is implicitly set to \textit{true} for automatic runs.
-
-\nopagebreak
-{\small See also \textit{card} (\S\ref{scope-of-search}),
-\textit{finitize} (\S\ref{scope-of-search}),
-\textit{merge\_type\_vars} (\S\ref{scope-of-search}), and \textit{verbose}
-(\S\ref{output-format}).}
-
-\opsmart{mono}{non\_mono}
-Specifies the default monotonicity setting to use. This can be overridden on a
-per-type basis using the \textit{mono}~\qty{type} option described above.
-
-\opfalse{merge\_type\_vars}{dont\_merge\_type\_vars}
-Specifies whether type variables with the same sort constraints should be
-merged. Setting this option to \textit{true} can reduce the number of scopes
-tried and the size of the generated Kodkod formulas, but it also diminishes the
-theoretical chance of finding a counterexample.
-
-{\small See also \textit{mono} (\S\ref{scope-of-search}).}
-
-\opargbool{std}{type}{non\_std}
-Specifies whether the given (recursive) datatype should be given standard
-models. Nonstandard models are unsound but can help debug structural induction
-proofs, as explained in \S\ref{inductive-properties}.
-
-\optrue{std}{non\_std}
-Specifies the default standardness to use. This can be overridden on a per-type
-basis using the \textit{std}~\qty{type} option described above.
-\end{enum}
-
-\subsection{Output Format}
-\label{output-format}
-
-\begin{enum}
-\opfalse{verbose}{quiet}
-Specifies whether the \textbf{nitpick} command should explain what it does. This
-option is useful to determine which scopes are tried or which SAT solver is
-used. This option is implicitly disabled for automatic runs.
-
-\opfalse{debug}{no\_debug}
-Specifies whether Nitpick should display additional debugging information beyond
-what \textit{verbose} already displays. Enabling \textit{debug} also enables
-\textit{verbose} and \textit{show\_all} behind the scenes. The \textit{debug}
-option is implicitly disabled for automatic runs.
-
-\nopagebreak
-{\small See also \textit{overlord} (\S\ref{mode-of-operation}) and
-\textit{batch\_size} (\S\ref{optimizations}).}
-
-\opfalse{show\_datatypes}{hide\_datatypes}
-Specifies whether the subsets used to approximate (co)in\-duc\-tive data\-types should
-be displayed as part of counterexamples. Such subsets are sometimes helpful when
-investigating whether a potentially spurious counterexample is genuine, but
-their potential for clutter is real.
-
-\optrue{show\_skolems}{hide\_skolem}
-Specifies whether the values of Skolem constants should be displayed as part of
-counterexamples. Skolem constants correspond to bound variables in the original
-formula and usually help us to understand why the counterexample falsifies the
-formula.
-
-\opfalse{show\_consts}{hide\_consts}
-Specifies whether the values of constants occurring in the formula (including
-its axioms) should be displayed along with any counterexample. These values are
-sometimes helpful when investigating why a counterexample is
-genuine, but they can clutter the output.
-
-\opnodefault{show\_all}{bool}
-Abbreviation for \textit{show\_datatypes}, \textit{show\_skolems}, and
-\textit{show\_consts}.
-
-\opdefault{max\_potential}{int}{\upshape 1}
-Specifies the maximum number of potentially spurious counterexamples to display.
-Setting this option to 0 speeds up the search for a genuine counterexample. This
-option is implicitly set to 0 for automatic runs. If you set this option to a
-value greater than 1, you will need an incremental SAT solver, such as
-\textit{MiniSat\_JNI} (recommended) and \textit{SAT4J}. Be aware that many of
-the counterexamples may be identical.
-
-\nopagebreak
-{\small See also \textit{check\_potential} (\S\ref{authentication}) and
-\textit{sat\_solver} (\S\ref{optimizations}).}
-
-\opdefault{max\_genuine}{int}{\upshape 1}
-Specifies the maximum number of genuine counterexamples to display. If you set
-this option to a value greater than 1, you will need an incremental SAT solver,
-such as \textit{MiniSat\_JNI} (recommended) and \textit{SAT4J}. Be aware that
-many of the counterexamples may be identical.
-
-\nopagebreak
-{\small See also \textit{check\_genuine} (\S\ref{authentication}) and
-\textit{sat\_solver} (\S\ref{optimizations}).}
-
-\opnodefault{eval}{term\_list}
-Specifies the list of terms whose values should be displayed along with
-counterexamples. This option suffers from an ``observer effect'': Nitpick might
-find different counterexamples for different values of this option.
-
-\oparg{atoms}{type}{string\_list}
-Specifies the names to use to refer to the atoms of the given type. By default,
-Nitpick generates names of the form $a_1, \ldots, a_n$, where $a$ is the first
-letter of the type's name.
-
-\opnodefault{atoms}{string\_list}
-Specifies the default names to use to refer to atoms of any type. For example,
-to call the three atoms of type ${'}a$ \textit{ichi}, \textit{ni}, and
-\textit{san} instead of $a_1$, $a_2$, $a_3$, specify the option
-``\textit{atoms}~${'}a$ = \textit{ichi~ni~san}''. The default names can be
-overridden on a per-type basis using the \textit{atoms}~\qty{type} option
-described above.
-
-\oparg{format}{term}{int\_seq}
-Specifies how to uncurry the value displayed for a variable or constant.
-Uncurrying sometimes increases the readability of the output for high-arity
-functions. For example, given the variable $y \mathbin{\Colon} {'a}\Rightarrow
-{'b}\Rightarrow {'c}\Rightarrow {'d}\Rightarrow {'e}\Rightarrow {'f}\Rightarrow
-{'g}$, setting \textit{format}~$y$ = 3 tells Nitpick to group the last three
-arguments, as if the type had been ${'a}\Rightarrow {'b}\Rightarrow
-{'c}\Rightarrow {'d}\times {'e}\times {'f}\Rightarrow {'g}$. In general, a list
-of values $n_1,\ldots,n_k$ tells Nitpick to show the last $n_k$ arguments as an
-$n_k$-tuple, the previous $n_{k-1}$ arguments as an $n_{k-1}$-tuple, and so on;
-arguments that are not accounted for are left alone, as if the specification had
-been $1,\ldots,1,n_1,\ldots,n_k$.
-
-\opdefault{format}{int\_seq}{\upshape 1}
-Specifies the default format to use. Irrespective of the default format, the
-extra arguments to a Skolem constant corresponding to the outer bound variables
-are kept separated from the remaining arguments, the \textbf{for} arguments of
-an inductive definitions are kept separated from the remaining arguments, and
-the iteration counter of an unrolled inductive definition is shown alone. The
-default format can be overridden on a per-variable or per-constant basis using
-the \textit{format}~\qty{term} option described above.
-\end{enum}
-
-\subsection{Authentication}
-\label{authentication}
-
-\begin{enum}
-\opfalse{check\_potential}{trust\_potential}
-Specifies whether potentially spurious counterexamples should be given to
-Isabelle's \textit{auto} tactic to assess their validity. If a potentially
-spurious counterexample is shown to be genuine, Nitpick displays a message to
-this effect and terminates.
-
-\nopagebreak
-{\small See also \textit{max\_potential} (\S\ref{output-format}).}
-
-\opfalse{check\_genuine}{trust\_genuine}
-Specifies whether genuine and quasi genuine counterexamples should be given to
-Isabelle's \textit{auto} tactic to assess their validity. If a ``genuine''
-counterexample is shown to be spurious, the user is kindly asked to send a bug
-report to the author at \authoremail.
-
-\nopagebreak
-{\small See also \textit{max\_genuine} (\S\ref{output-format}).}
-
-\opnodefault{expect}{string}
-Specifies the expected outcome, which must be one of the following:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{genuine}:} Nitpick found a genuine counterexample.
-\item[\labelitemi] \textbf{\textit{quasi\_genuine}:} Nitpick found a ``quasi
-genuine'' counterexample (i.e., a counterexample that is genuine unless
-it contradicts a missing axiom or a dangerous option was used inappropriately).
-\item[\labelitemi] \textbf{\textit{potential}:} Nitpick found a potentially
-spurious counterexample.
-\item[\labelitemi] \textbf{\textit{none}:} Nitpick found no counterexample.
-\item[\labelitemi] \textbf{\textit{unknown}:} Nitpick encountered some problem (e.g.,
-Kodkod ran out of memory).
-\end{enum}
-
-Nitpick emits an error if the actual outcome differs from the expected outcome.
-This option is useful for regression testing.
-\end{enum}
-
-\subsection{Optimizations}
-\label{optimizations}
-
-\def\cpp{C\nobreak\raisebox{.1ex}{+}\nobreak\raisebox{.1ex}{+}}
-
-\sloppy
-
-\begin{enum}
-\opdefault{sat\_solver}{string}{smart}
-Specifies which SAT solver to use. SAT solvers implemented in C or \cpp{} tend
-to be faster than their Java counterparts, but they can be more difficult to
-install. Also, if you set the \textit{max\_potential} (\S\ref{output-format}) or
-\textit{max\_genuine} (\S\ref{output-format}) option to a value greater than 1,
-you will need an incremental SAT solver, such as \textit{MiniSat\_JNI}
-(recommended) or \textit{SAT4J}.
-
-The supported solvers are listed below:
-
-\begin{enum}
-
-\item[\labelitemi] \textbf{\textit{CryptoMiniSat}:} CryptoMiniSat is the winner of
-the 2010 SAT Race. To use CryptoMiniSat, set the environment variable
-\texttt{CRYPTO\-MINISAT\_}\discretionary{}{}{}\texttt{HOME} to the directory that contains the \texttt{crypto\-minisat}
-executable.%
-\footnote{Important note for Cygwin users: The path must be specified using
-native Windows syntax. Make sure to escape backslashes properly.%
-\label{cygwin-paths}}
-The \cpp{} sources and executables for Crypto\-Mini\-Sat are available at
-\url{http://planete.inrialpes.fr/~soos/}\allowbreak\url{CryptoMiniSat2/index.php}.
-Nitpick has been tested with version 2.51.
-
-\item[\labelitemi] \textbf{\textit{CryptoMiniSat\_JNI}:} The JNI (Java Native
-Interface) version of CryptoMiniSat is bundled with Kodkodi and is precompiled
-for Linux and Mac~OS~X. It is also available from the Kodkod web site
-\cite{kodkod-2009}.
-
-\item[\labelitemi] \textbf{\textit{Lingeling\_JNI}:}
-Lingeling is an efficient solver written in C. The JNI (Java Native Interface)
-version of Lingeling is bundled with Kodkodi and is precompiled for Linux and
-Mac~OS~X. It is also available from the Kodkod web site \cite{kodkod-2009}.
-
-\item[\labelitemi] \textbf{\textit{MiniSat}:} MiniSat is an efficient solver
-written in \cpp{}. To use MiniSat, set the environment variable
-\texttt{MINISAT\_HOME} to the directory that contains the \texttt{minisat}
-executable.%
-\footref{cygwin-paths}
-The \cpp{} sources and executables for MiniSat are available at
-\url{http://minisat.se/MiniSat.html}. Nitpick has been tested with versions 1.14
-and 2.2.
-
-\item[\labelitemi] \textbf{\textit{MiniSat\_JNI}:} The JNI
-version of MiniSat is bundled with Kodkodi and is precompiled for Linux,
-Mac~OS~X, and Windows (Cygwin). It is also available from the Kodkod web site
-\cite{kodkod-2009}. Unlike the standard version of MiniSat, the JNI version can
-be used incrementally.
-
-\item[\labelitemi] \textbf{\textit{zChaff}:} zChaff is an older solver written
-in \cpp{}. To use zChaff, set the environment variable \texttt{ZCHAFF\_HOME} to
-the directory that contains the \texttt{zchaff} executable.%
-\footref{cygwin-paths}
-The \cpp{} sources and executables for zChaff are available at
-\url{http://www.princeton.edu/~chaff/zchaff.html}. Nitpick has been tested with
-versions 2004-05-13, 2004-11-15, and 2007-03-12.
-
-\item[\labelitemi] \textbf{\textit{RSat}:} RSat is an efficient solver written in
-\cpp{}. To use RSat, set the environment variable \texttt{RSAT\_HOME} to the
-directory that contains the \texttt{rsat} executable.%
-\footref{cygwin-paths}
-The \cpp{} sources for RSat are available at
-\url{http://reasoning.cs.ucla.edu/rsat/}. Nitpick has been tested with version
-2.01.
-
-\item[\labelitemi] \textbf{\textit{BerkMin}:} BerkMin561 is an efficient solver
-written in C. To use BerkMin, set the environment variable
-\texttt{BERKMIN\_HOME} to the directory that contains the \texttt{BerkMin561}
-executable.\footref{cygwin-paths}
-The BerkMin executables are available at
-\url{http://eigold.tripod.com/BerkMin.html}.
-
-\item[\labelitemi] \textbf{\textit{BerkMin\_Alloy}:} Variant of BerkMin that is
-included with Alloy 4 and calls itself ``sat56'' in its banner text. To use this
-version of BerkMin, set the environment variable
-\texttt{BERKMINALLOY\_HOME} to the directory that contains the \texttt{berkmin}
-executable.%
-\footref{cygwin-paths}
-
-\item[\labelitemi] \textbf{\textit{SAT4J}:} SAT4J is a reasonably efficient solver
-written in Java that can be used incrementally. It is bundled with Kodkodi and
-requires no further installation or configuration steps. Do not attempt to
-install the official SAT4J packages, because their API is incompatible with
-Kodkod.
-
-\item[\labelitemi] \textbf{\textit{SAT4J\_Light}:} Variant of SAT4J that is
-optimized for small problems. It can also be used incrementally.
-
-\item[\labelitemi] \textbf{\textit{smart}:} If \textit{sat\_solver} is set to
-\textit{smart}, Nitpick selects the first solver among the above that is
-recognized by Isabelle. If \textit{verbose} (\S\ref{output-format}) is enabled,
-Nitpick displays which SAT solver was chosen.
-\end{enum}
-\fussy
-
-\opdefault{batch\_size}{smart\_int}{smart}
-Specifies the maximum number of Kodkod problems that should be lumped together
-when invoking Kodkodi. Each problem corresponds to one scope. Lumping problems
-together ensures that Kodkodi is launched less often, but it makes the verbose
-output less readable and is sometimes detrimental to performance. If
-\textit{batch\_size} is set to \textit{smart}, the actual value used is 1 if
-\textit{debug} (\S\ref{output-format}) is set and 50 otherwise.
-
-\optrue{destroy\_constrs}{dont\_destroy\_constrs}
-Specifies whether formulas involving (co)in\-duc\-tive datatype constructors should
-be rewritten to use (automatically generated) discriminators and destructors.
-This optimization can drastically reduce the size of the Boolean formulas given
-to the SAT solver.
-
-\nopagebreak
-{\small See also \textit{debug} (\S\ref{output-format}).}
-
-\optrue{specialize}{dont\_specialize}
-Specifies whether functions invoked with static arguments should be specialized.
-This optimization can drastically reduce the search space, especially for
-higher-order functions.
-
-\nopagebreak
-{\small See also \textit{debug} (\S\ref{output-format}) and
-\textit{show\_consts} (\S\ref{output-format}).}
-
-\optrue{star\_linear\_preds}{dont\_star\_linear\_preds}
-Specifies whether Nitpick should use Kodkod's transitive closure operator to
-encode non-well-founded ``linear inductive predicates,'' i.e., inductive
-predicates for which each the predicate occurs in at most one assumption of each
-introduction rule. Using the reflexive transitive closure is in principle
-equivalent to setting \textit{iter} to the cardinality of the predicate's
-domain, but it is usually more efficient.
-
-{\small See also \textit{wf} (\S\ref{scope-of-search}), \textit{debug}
-(\S\ref{output-format}), and \textit{iter} (\S\ref{scope-of-search}).}
-
-\opnodefault{whack}{term\_list}
-Specifies a list of atomic terms (usually constants, but also free and schematic
-variables) that should be taken as being $\unk$ (unknown). This can be useful to
-reduce the size of the Kodkod problem if you can guess in advance that a
-constant might not be needed to find a countermodel.
-
-{\small See also \textit{debug} (\S\ref{output-format}).}
-
-\opnodefault{need}{term\_list}
-Specifies a list of datatype values (normally ground constructor terms) that
-should be part of the subterm-closed subsets used to approximate datatypes. If
-you know that a value must necessarily belong to the subset of representable
-values that approximates a datatype, specifying it can speed up the search,
-especially for high cardinalities.
-%By default, Nitpick inspects the conjecture to infer needed datatype values.
-
-\opsmart{total\_consts}{partial\_consts}
-Specifies whether constants occurring in the problem other than constructors can
-be assumed to be considered total for the representable values that approximate
-a datatype. This option is highly incomplete; it should be used only for
-problems that do not construct datatype values explicitly. Since this option is
-(in rare cases) unsound, counterexamples generated under these conditions are
-tagged as ``quasi genuine.''
-
-\opdefault{datatype\_sym\_break}{int}{\upshape 5}
-Specifies an upper bound on the number of datatypes for which Nitpick generates
-symmetry breaking predicates. Symmetry breaking can speed up the SAT solver
-considerably, especially for unsatisfiable problems, but too much of it can slow
-it down.
-
-\opdefault{kodkod\_sym\_break}{int}{\upshape 15}
-Specifies an upper bound on the number of relations for which Kodkod generates
-symmetry breaking predicates. Symmetry breaking can speed up the SAT solver
-considerably, especially for unsatisfiable problems, but too much of it can slow
-it down.
-
-\optrue{peephole\_optim}{no\_peephole\_optim}
-Specifies whether Nitpick should simplify the generated Kodkod formulas using a
-peephole optimizer. These optimizations can make a significant difference.
-Unless you are tracking down a bug in Nitpick or distrust the peephole
-optimizer, you should leave this option enabled.
-
-\opdefault{max\_threads}{int}{\upshape 0}
-Specifies the maximum number of threads to use in Kodkod. If this option is set
-to 0, Kodkod will compute an appropriate value based on the number of processor
-cores available. The option is implicitly set to 1 for automatic runs.
-
-\nopagebreak
-{\small See also \textit{batch\_size} (\S\ref{optimizations}) and
-\textit{timeout} (\S\ref{timeouts}).}
-\end{enum}
-
-\subsection{Timeouts}
-\label{timeouts}
-
-\begin{enum}
-\opdefault{timeout}{float\_or\_none}{\upshape 30}
-Specifies the maximum number of seconds that the \textbf{nitpick} command should
-spend looking for a counterexample. Nitpick tries to honor this constraint as
-well as it can but offers no guarantees. For automatic runs,
-\textit{timeout} is ignored; instead, Auto Quickcheck and Auto Nitpick share
-a time slot whose length is specified by the ``Auto Counterexample Time
-Limit'' option in Proof General.
-
-\nopagebreak
-{\small See also \textit{max\_threads} (\S\ref{optimizations}).}
-
-\opdefault{tac\_timeout}{float\_or\_none}{\upshape 0.5}
-Specifies the maximum number of seconds that should be used by internal
-tactics---\textit{lexicographic\_order} and \textit{size\_change} when checking
-whether a (co)in\-duc\-tive predicate is well-founded, \textit{auto} tactic when
-checking a counterexample, or the monotonicity inference. Nitpick tries to honor
-this constraint but offers no guarantees.
-
-\nopagebreak
-{\small See also \textit{wf} (\S\ref{scope-of-search}),
-\textit{mono} (\S\ref{scope-of-search}),
-\textit{check\_potential} (\S\ref{authentication}),
-and \textit{check\_genuine} (\S\ref{authentication}).}
-\end{enum}
-
-\section{Attribute Reference}
-\label{attribute-reference}
-
-Nitpick needs to consider the definitions of all constants occurring in a
-formula in order to falsify it. For constants introduced using the
-\textbf{definition} command, the definition is simply the associated
-\textit{\_def} axiom. In contrast, instead of using the internal representation
-of functions synthesized by Isabelle's \textbf{primrec}, \textbf{function}, and
-\textbf{nominal\_primrec} packages, Nitpick relies on the more natural
-equational specification entered by the user.
-
-Behind the scenes, Isabelle's built-in packages and theories rely on the
-following attributes to affect Nitpick's behavior:
-
-\begin{enum}
-\flushitem{\textit{nitpick\_unfold}}
-
-\nopagebreak
-This attribute specifies an equation that Nitpick should use to expand a
-constant. The equation should be logically equivalent to the constant's actual
-definition and should be of the form
-
-\qquad $c~{?}x_1~\ldots~{?}x_n \,=\, t$,
-
-or
-
-\qquad $c~{?}x_1~\ldots~{?}x_n \,\equiv\, t$,
-
-where ${?}x_1, \ldots, {?}x_n$ are distinct variables and $c$ does not occur in
-$t$. Each occurrence of $c$ in the problem is expanded to $\lambda x_1\,\ldots
-x_n.\; t$.
-
-\flushitem{\textit{nitpick\_simp}}
-
-\nopagebreak
-This attribute specifies the equations that constitute the specification of a
-constant. The \textbf{primrec}, \textbf{function}, and
-\textbf{nominal\_\allowbreak primrec} packages automatically attach this
-attribute to their \textit{simps} rules. The equations must be of the form
-
-\qquad $c~t_1~\ldots\ t_n \;\bigl[{=}\; u\bigr]$
-
-or
-
-\qquad $c~t_1~\ldots\ t_n \,\equiv\, u.$
-
-\flushitem{\textit{nitpick\_psimp}}
-
-\nopagebreak
-This attribute specifies the equations that constitute the partial specification
-of a constant. The \textbf{function} package automatically attaches this
-attribute to its \textit{psimps} rules. The conditional equations must be of the
-form
-
-\qquad $\lbrakk P_1;\> \ldots;\> P_m\rbrakk \,\Longrightarrow\, c\ t_1\ \ldots\ t_n \;\bigl[{=}\; u\bigr]$
-
-or
-
-\qquad $\lbrakk P_1;\> \ldots;\> P_m\rbrakk \,\Longrightarrow\, c\ t_1\ \ldots\ t_n \,\equiv\, u$.
-
-\flushitem{\textit{nitpick\_choice\_spec}}
-
-\nopagebreak
-This attribute specifies the (free-form) specification of a constant defined
-using the \hbox{(\textbf{ax\_})}\allowbreak\textbf{specification} command.
-\end{enum}
-
-When faced with a constant, Nitpick proceeds as follows:
-
-\begin{enum}
-\item[1.] If the \textit{nitpick\_simp} set associated with the constant
-is not empty, Nitpick uses these rules as the specification of the constant.
-
-\item[2.] Otherwise, if the \textit{nitpick\_psimp} set associated with
-the constant is not empty, it uses these rules as the specification of the
-constant.
-
-\item[3.] Otherwise, if the constant was defined using the
-\hbox{(\textbf{ax\_})}\allowbreak\textbf{specification} command and the
-\textit{nitpick\_choice\_spec} set associated with the constant is not empty, it
-uses these theorems as the specification of the constant.
-
-\item[4.] Otherwise, it looks up the definition of the constant. If the
-\textit{nitpick\_unfold} set associated with the constant is not empty, it uses
-the latest rule added to the set as the definition of the constant; otherwise it
-uses the actual definition axiom.
-
-\begin{enum}
-\item[1.] If the definition is of the form
-
-\qquad $c~{?}x_1~\ldots~{?}x_m \,\equiv\, \lambda y_1~\ldots~y_n.\; \textit{lfp}~(\lambda f.\; t)$
-
-or
-
-\qquad $c~{?}x_1~\ldots~{?}x_m \,\equiv\, \lambda y_1~\ldots~y_n.\; \textit{gfp}~(\lambda f.\; t).$
-
-Nitpick assumes that the definition was made using a (co)inductive package
-based on the user-specified introduction rules registered in Isabelle's internal
-\textit{Spec\_Rules} table. The tool uses the introduction rules to ascertain
-whether the definition is well-founded and the definition to generate a
-fixed-point equation or an unrolled equation.
-
-\item[2.] If the definition is compact enough, the constant is \textsl{unfolded}
-wherever it appears; otherwise, it is defined equationally, as with
-the \textit{nitpick\_simp} attribute.
-\end{enum}
-\end{enum}
-
-As an illustration, consider the inductive definition
-
-\prew
-\textbf{inductive}~\textit{odd}~\textbf{where} \\
-``\textit{odd}~1'' $\,\mid$ \\
-``\textit{odd}~$n\,\Longrightarrow\, \textit{odd}~(\textit{Suc}~(\textit{Suc}~n))$''
-\postw
-
-By default, Nitpick uses the \textit{lfp}-based definition in conjunction with
-the introduction rules. To override this, you can specify an alternative
-definition as follows:
-
-\prew
-\textbf{lemma} $\mathit{odd\_alt\_unfold}$ [\textit{nitpick\_unfold}]:\kern.4em ``$\textit{odd}~n \,\equiv\, n~\textrm{mod}~2 = 1$''
-\postw
-
-Nitpick then expands all occurrences of $\mathit{odd}~n$ to $n~\textrm{mod}~2
-= 1$. Alternatively, you can specify an equational specification of the constant:
-
-\prew
-\textbf{lemma} $\mathit{odd\_simp}$ [\textit{nitpick\_simp}]:\kern.4em ``$\textit{odd}~n = (n~\textrm{mod}~2 = 1)$''
-\postw
-
-Such tweaks should be done with great care, because Nitpick will assume that the
-constant is completely defined by its equational specification. For example, if
-you make ``$\textit{odd}~(2 * k + 1)$'' a \textit{nitpick\_simp} rule and neglect to provide rules to handle the $2 * k$ case, Nitpick will define
-$\textit{odd}~n$ arbitrarily for even values of $n$. The \textit{debug}
-(\S\ref{output-format}) option is extremely useful to understand what is going
-on when experimenting with \textit{nitpick\_} attributes.
-
-Because of its internal three-valued logic, Nitpick tends to lose a
-lot of precision in the presence of partially specified constants. For example,
-
-\prew
-\textbf{lemma} \textit{odd\_simp} [\textit{nitpick\_simp}]:\kern.4em ``$\textit{odd~x} = \lnot\, \textit{even}~x$''
-\postw
-
-is superior to
-
-\prew
-\textbf{lemma} \textit{odd\_psimps} [\textit{nitpick\_simp}]: \\
-``$\textit{even~x} \,\Longrightarrow\, \textit{odd~x} = \textit{False\/}$'' \\
-``$\lnot\, \textit{even~x} \,\Longrightarrow\, \textit{odd~x} = \textit{True\/}$''
-\postw
-
-Because Nitpick sometimes unfolds definitions but never simplification rules,
-you can ensure that a constant is defined explicitly using the
-\textit{nitpick\_simp}. For example:
-
-\prew
-\textbf{definition}~\textit{optimum} \textbf{where} [\textit{nitpick\_simp}]: \\
-``$\textit{optimum}~t =
- (\forall u.\; \textit{consistent}~u \mathrel{\land} \textit{alphabet}~t = \textit{alphabet}~u$ \\
-\phantom{``$\textit{optimum}~t = (\forall u.\;$}${\mathrel{\land}}\; \textit{freq}~t = \textit{freq}~u \longrightarrow
- \textit{cost}~t \le \textit{cost}~u)$''
-\postw
-
-In some rare occasions, you might want to provide an inductive or coinductive
-view on top of an existing constant $c$. The easiest way to achieve this is to
-define a new constant $c'$ (co)inductively. Then prove that $c$ equals $c'$
-and let Nitpick know about it:
-
-\prew
-\textbf{lemma} \textit{c\_alt\_unfold} [\textit{nitpick\_unfold}]:\kern.4em ``$c \equiv c'$\kern2pt ''
-\postw
-
-This ensures that Nitpick will substitute $c'$ for $c$ and use the (co)inductive
-definition.
-
-\section{Standard ML Interface}
-\label{standard-ml-interface}
-
-Nitpick provides a rich Standard ML interface used mainly for internal purposes
-and debugging. Among the most interesting functions exported by Nitpick are
-those that let you invoke the tool programmatically and those that let you
-register and unregister custom coinductive datatypes as well as term
-postprocessors.
-
-\subsection{Invocation of Nitpick}
-\label{invocation-of-nitpick}
-
-The \textit{Nitpick} structure offers the following functions for invoking your
-favorite counterexample generator:
-
-\prew
-$\textbf{val}\,~\textit{pick\_nits\_in\_term} : \\
-\hbox{}\quad\textit{Proof.state} \rightarrow \textit{params} \rightarrow \textit{mode}
-\rightarrow \textit{int} \rightarrow \textit{int} \rightarrow \textit{int}$ \\
-$\hbox{}\quad{\rightarrow}\; (\textit{term} * \textit{term})~\textit{list}
-\rightarrow \textit{term~list} \rightarrow \textit{term} \rightarrow \textit{string} * \textit{Proof.state}$ \\
-$\textbf{val}\,~\textit{pick\_nits\_in\_subgoal} : \\
-\hbox{}\quad\textit{Proof.state} \rightarrow \textit{params} \rightarrow \textit{mode} \rightarrow \textit{int} \rightarrow \textit{int} \rightarrow \textit{string} * \textit{Proof.state}$
-\postw
-
-The return value is a new proof state paired with an outcome string
-(``genuine'', ``quasi\_genuine'', ``potential'', ``none'', or ``unknown''). The
-\textit{params} type is a large record that lets you set Nitpick's options. The
-current default options can be retrieved by calling the following function
-defined in the \textit{Nitpick\_Isar} structure:
-
-\prew
-$\textbf{val}\,~\textit{default\_params} :\,
-\textit{theory} \rightarrow (\textit{string} * \textit{string})~\textit{list} \rightarrow \textit{params}$
-\postw
-
-The second argument lets you override option values before they are parsed and
-put into a \textit{params} record. Here is an example where Nitpick is invoked
-on subgoal $i$ of $n$ with no time limit:
-
-\prew
-$\textbf{val}\,~\textit{params} = \textit{Nitpick\_Isar.default\_params}~\textit{thy}~[(\textrm{``}\textrm{timeout\/}\textrm{''},\, \textrm{``}\textrm{none}\textrm{''})]$ \\
-$\textbf{val}\,~(\textit{outcome},\, \textit{state}') = {}$ \\
-$\hbox{}\quad\textit{Nitpick.pick\_nits\_in\_subgoal}~\textit{state}~\textit{params}~\textit{Nitpick.Normal}~\textit{i}~\textit{n}$
-\postw
-
-\let\antiq=\textrm
-
-\subsection{Registration of Coinductive Datatypes}
-\label{registration-of-coinductive-datatypes}
-
-If you have defined a custom coinductive datatype, you can tell Nitpick about
-it, so that it can use an efficient Kodkod axiomatization similar to the one it
-uses for lazy lists. The interface for registering and unregistering coinductive
-datatypes consists of the following pair of functions defined in the
-\textit{Nitpick\_HOL} structure:
-
-\prew
-$\textbf{val}\,~\textit{register\_codatatype\/} : {}$ \\
-$\hbox{}\quad\textit{morphism} \rightarrow \textit{typ} \rightarrow \textit{string} \rightarrow (\textit{string} \times \textit{typ})\;\textit{list} \rightarrow \textit{Context.generic} {}$ \\
-$\hbox{}\quad{\rightarrow}\; \textit{Context.generic}$ \\
-$\textbf{val}\,~\textit{unregister\_codatatype\/} : {}$ \\
-$\hbox{}\quad\textit{morphism} \rightarrow \textit{typ} \rightarrow \textit{Context.generic} \rightarrow \textit{Context.generic} {}$
-\postw
-
-The type $'a~\textit{llist}$ of lazy lists is already registered; had it
-not been, you could have told Nitpick about it by adding the following line
-to your theory file:
-
-\prew
-$\textbf{declaration}~\,\{{*}$ \\
-$\hbox{}\quad\textit{Nitpick\_HOL.register\_codatatype}~@\{\antiq{typ}~``\kern1pt'a~\textit{llist\/}\textrm{''}\}$ \\
-$\hbox{}\qquad\quad @\{\antiq{const\_name}~ \textit{llist\_case}\}$ \\
-$\hbox{}\qquad\quad (\textit{map}~\textit{dest\_Const}~[@\{\antiq{term}~\textit{LNil}\},\, @\{\antiq{term}~\textit{LCons}\}])$ \\
-${*}\}$
-\postw
-
-The \textit{register\_codatatype} function takes a coinductive datatype, its
-case function, and the list of its constructors (in addition to the current
-morphism and generic proof context). The case function must take its arguments
-in the order that the constructors are listed. If no case function with the
-correct signature is available, simply pass the empty string.
-
-On the other hand, if your goal is to cripple Nitpick, add the following line to
-your theory file and try to check a few conjectures about lazy lists:
-
-\prew
-$\textbf{declaration}~\,\{{*}$ \\
-$\hbox{}\quad\textit{Nitpick\_HOL.unregister\_codatatype}~@\{\antiq{typ}~``\kern1pt'a~\textit{llist\/}\textrm{''}\}$ \\
-${*}\}$
-\postw
-
-Inductive datatypes can be registered as coinductive datatypes, given
-appropriate coinductive constructors. However, doing so precludes
-the use of the inductive constructors---Nitpick will generate an error if they
-are needed.
-
-\subsection{Registration of Term Postprocessors}
-\label{registration-of-term-postprocessors}
-
-It is possible to change the output of any term that Nitpick considers a
-datatype by registering a term postprocessor. The interface for registering and
-unregistering postprocessors consists of the following pair of functions defined
-in the \textit{Nitpick\_Model} structure:
-
-\prew
-$\textbf{type}\,~\textit{term\_postprocessor}\,~{=} {}$ \\
-$\hbox{}\quad\textit{Proof.context} \rightarrow \textit{string} \rightarrow (\textit{typ} \rightarrow \textit{term~list\/}) \rightarrow \textit{typ} \rightarrow \textit{term} \rightarrow \textit{term}$ \\
-$\textbf{val}\,~\textit{register\_term\_postprocessor} : {}$ \\
-$\hbox{}\quad\textit{typ} \rightarrow \textit{term\_postprocessor} \rightarrow \textit{morphism} \rightarrow \textit{Context.generic}$ \\
-$\hbox{}\quad{\rightarrow}\; \textit{Context.generic}$ \\
-$\textbf{val}\,~\textit{unregister\_term\_postprocessor} : {}$ \\
-$\hbox{}\quad\textit{typ} \rightarrow \textit{morphism} \rightarrow \textit{Context.generic} \rightarrow \textit{Context.generic}$
-\postw
-
-\S\ref{typedefs-quotient-types-records-rationals-and-reals} and
-\texttt{src/HOL/Library/Multiset.thy} illustrate this feature in context.
-
-\section{Known Bugs and Limitations}
-\label{known-bugs-and-limitations}
-
-Here are the known bugs and limitations in Nitpick at the time of writing:
-
-\begin{enum}
-\item[\labelitemi] Underspecified functions defined using the \textbf{primrec},
-\textbf{function}, or \textbf{nominal\_\allowbreak primrec} packages can lead
-Nitpick to generate spurious counterexamples for theorems that refer to values
-for which the function is not defined. For example:
-
-\prew
-\textbf{primrec} \textit{prec} \textbf{where} \\
-``$\textit{prec}~(\textit{Suc}~n) = n$'' \\[2\smallskipamount]
-\textbf{lemma} ``$\textit{prec}~0 = \textit{undefined\/}$'' \\
-\textbf{nitpick} \\[2\smallskipamount]
-\quad{\slshape Nitpick found a counterexample for \textit{card nat}~= 2:
-\nopagebreak
-\\[2\smallskipamount]
-\hbox{}\qquad Empty assignment} \nopagebreak\\[2\smallskipamount]
-\textbf{by}~(\textit{auto simp}:~\textit{prec\_def})
-\postw
-
-Such theorems are generally considered bad style because they rely on the
-internal representation of functions synthesized by Isabelle, an implementation
-detail.
-
-\item[\labelitemi] Similarly, Nitpick might find spurious counterexamples for
-theorems that rely on the use of the indefinite description operator internally
-by \textbf{specification} and \textbf{quot\_type}.
-
-\item[\labelitemi] Axioms or definitions that restrict the possible values of the
-\textit{undefined} constant or other partially specified built-in Isabelle
-constants (e.g., \textit{Abs\_} and \textit{Rep\_} constants) are in general
-ignored. Again, such nonconservative extensions are generally considered bad
-style.
-
-\item[\labelitemi] Nitpick maintains a global cache of wellfoundedness conditions,
-which can become invalid if you change the definition of an inductive predicate
-that is registered in the cache. To clear the cache,
-run Nitpick with the \textit{tac\_timeout} option set to a new value (e.g.,
-$0.51$).
-
-\item[\labelitemi] Nitpick produces spurious counterexamples when invoked after a
-\textbf{guess} command in a structured proof.
-
-\item[\labelitemi] The \textit{nitpick\_xxx} attributes and the
-\textit{Nitpick\_xxx.register\_yyy} functions can cause havoc if used
-improperly.
-
-\item[\labelitemi] Although this has never been observed, arbitrary theorem
-morphisms could possibly confuse Nitpick, resulting in spurious counterexamples.
-
-\item[\labelitemi] All constants, types, free variables, and schematic variables
-whose names start with \textit{Nitpick}{.} are reserved for internal use.
-\end{enum}
-
-\let\em=\sl
-\bibliography{manual}{}
-\bibliographystyle{abbrv}
-
-\end{document}
--- a/doc-src/ProgProve/Basics.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,149 +0,0 @@
-(*<*)
-theory Basics
-imports Main
-begin
-(*>*)
-text{*
-This chapter introduces HOL as a functional programming language and shows
-how to prove properties of functional programs by induction.
-
-\section{Basics}
-
-\subsection{Types, Terms and Formulae}
-\label{sec:TypesTermsForms}
-
-HOL is a typed logic whose type system resembles that of functional
-programming languages. Thus there are
-\begin{description}
-\item[base types,]
-in particular @{typ bool}, the type of truth values,
-@{typ nat}, the type of natural numbers ($\mathbb{N}$), and @{typ int},
-the type of mathematical integers ($\mathbb{Z}$).
-\item[type constructors,]
- in particular @{text list}, the type of
-lists, and @{text set}, the type of sets. Type constructors are written
-postfix, e.g.\ @{typ "nat list"} is the type of lists whose elements are
-natural numbers.
-\item[function types,]
-denoted by @{text"\<Rightarrow>"}.
-\item[type variables,]
- denoted by @{typ 'a}, @{typ 'b} etc., just like in ML\@.
-\end{description}
-
-\concept{Terms} are formed as in functional programming by
-applying functions to arguments. If @{text f} is a function of type
-@{text"\<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2"} and @{text t} is a term of type
-@{text"\<tau>\<^isub>1"} then @{term"f t"} is a term of type @{text"\<tau>\<^isub>2"}. We write @{text "t :: \<tau>"} to mean that term @{text t} has type @{text \<tau>}.
-
-\begin{warn}
-There are many predefined infix symbols like @{text "+"} and @{text"\<le>"}.
-The name of the corresponding binary function is @{term"op +"},
-not just @{text"+"}. That is, @{term"x + y"} is syntactic sugar for
-\noquotes{@{term[source]"op + x y"}}.
-\end{warn}
-
-HOL also supports some basic constructs from functional programming:
-\begin{quote}
-@{text "(if b then t\<^isub>1 else t\<^isub>2)"}\\
-@{text "(let x = t in u)"}\\
-@{text "(case t of pat\<^isub>1 \<Rightarrow> t\<^isub>1 | \<dots> | pat\<^isub>n \<Rightarrow> t\<^isub>n)"}
-\end{quote}
-\begin{warn}
-The above three constructs must always be enclosed in parentheses
-if they occur inside other constructs.
-\end{warn}
-Terms may also contain @{text "\<lambda>"}-abstractions. For example,
-@{term "\<lambda>x. x"} is the identity function.
-
-\concept{Formulae} are terms of type @{text bool}.
-There are the basic constants @{term True} and @{term False} and
-the usual logical connectives (in decreasing order of precedence):
-@{text"\<not>"}, @{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"}.
-
-\concept{Equality} is available in the form of the infix function @{text "="}
-of type @{typ "'a \<Rightarrow> 'a \<Rightarrow> bool"}. It also works for formulas, where
-it means ``if and only if''.
-
-\concept{Quantifiers} are written @{prop"\<forall>x. P"} and @{prop"\<exists>x. P"}.
-
-Isabelle automatically computes the type of each variable in a term. This is
-called \concept{type inference}. Despite type inference, it is sometimes
-necessary to attach explicit \concept{type constraints} (or \concept{type
-annotations}) to a variable or term. The syntax is @{text "t :: \<tau>"} as in
-\mbox{\noquotes{@{prop[source] "m < (n::nat)"}}}. Type constraints may be
-needed to
-disambiguate terms involving overloaded functions such as @{text "+"}, @{text
-"*"} and @{text"\<le>"}.
-
-Finally there are the universal quantifier @{text"\<And>"} and the implication
-@{text"\<Longrightarrow>"}. They are part of the Isabelle framework, not the logic
-HOL. Logically, they agree with their HOL counterparts @{text"\<forall>"} and
-@{text"\<longrightarrow>"}, but operationally they behave differently. This will become
-clearer as we go along.
-\begin{warn}
-Right-arrows of all kinds always associate to the right. In particular,
-the formula
-@{text"A\<^isub>1 \<Longrightarrow> A\<^isub>2 \<Longrightarrow> A\<^isub>3"} means @{text "A\<^isub>1 \<Longrightarrow> (A\<^isub>2 \<Longrightarrow> A\<^isub>3)"}.
-The (Isabelle specific) notation \mbox{@{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}}
-is short for the iterated implication \mbox{@{text"A\<^isub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^isub>n \<Longrightarrow> A"}}.
-Sometimes we also employ inference rule notation:
-\inferrule{\mbox{@{text "A\<^isub>1"}}\\ \mbox{@{text "\<dots>"}}\\ \mbox{@{text "A\<^isub>n"}}}
-{\mbox{@{text A}}}
-\end{warn}
-
-
-\subsection{Theories}
-\label{sec:Basic:Theories}
-
-Roughly speaking, a \concept{theory} is a named collection of types,
-functions, and theorems, much like a module in a programming language.
-All the Isabelle text that you ever type needs to go into a theory.
-The general format of a theory @{text T} is
-\begin{quote}
-\isacom{theory} @{text T}\\
-\isacom{imports} @{text "T\<^isub>1 \<dots> T\<^isub>n"}\\
-\isacom{begin}\\
-\emph{definitions, theorems and proofs}\\
-\isacom{end}
-\end{quote}
-where @{text "T\<^isub>1 \<dots> T\<^isub>n"} are the names of existing
-theories that @{text T} is based on. The @{text "T\<^isub>i"} are the
-direct \concept{parent theories} of @{text T}.
-Everything defined in the parent theories (and their parents, recursively) is
-automatically visible. Each theory @{text T} must
-reside in a \concept{theory file} named @{text "T.thy"}.
-
-\begin{warn}
-HOL contains a theory @{text Main}, the union of all the basic
-predefined theories like arithmetic, lists, sets, etc.
-Unless you know what you are doing, always include @{text Main}
-as a direct or indirect parent of all your theories.
-\end{warn}
-
-In addition to the theories that come with the Isabelle/HOL distribution
-(see \url{http://isabelle.in.tum.de/library/HOL/})
-there is also the \emph{Archive of Formal Proofs}
-at \url{http://afp.sourceforge.net}, a growing collection of Isabelle theories
-that everybody can contribute to.
-
-\subsection{Quotation Marks}
-
-The textual definition of a theory follows a fixed syntax with keywords like
-\isacommand{begin} and \isacommand{datatype}. Embedded in this syntax are
-the types and formulae of HOL. To distinguish the two levels, everything
-HOL-specific (terms and types) must be enclosed in quotation marks:
-\texttt{"}\dots\texttt{"}. To lessen this burden, quotation marks around a
-single identifier can be dropped. When Isabelle prints a syntax error
-message, it refers to the HOL syntax as the \concept{inner syntax} and the
-enclosing theory language as the \concept{outer syntax}.
-\sem
-\begin{warn}
-For reasons of readability, we almost never show the quotation marks in this
-book. Consult the accompanying theory files to see where they need to go.
-\end{warn}
-\endsem
-%
-*}
-(*<*)
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/ProgProve/Bool_nat_list.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,420 +0,0 @@
-(*<*)
-theory Bool_nat_list
-imports Main
-begin
-(*>*)
-
-text{*
-\vspace{-4ex}
-\section{\texorpdfstring{Types @{typ bool}, @{typ nat} and @{text list}}{Types bool, nat and list}}
-
-These are the most important predefined types. We go through them one by one.
-Based on examples we learn how to define (possibly recursive) functions and
-prove theorems about them by induction and simplification.
-
-\subsection{Type @{typ bool}}
-
-The type of boolean values is a predefined datatype
-@{datatype[display] bool}
-with the two values @{const True} and @{const False} and
-with many predefined functions: @{text "\<not>"}, @{text "\<and>"}, @{text "\<or>"}, @{text
-"\<longrightarrow>"} etc. Here is how conjunction could be defined by pattern matching:
-*}
-
-fun conj :: "bool \<Rightarrow> bool \<Rightarrow> bool" where
-"conj True True = True" |
-"conj _ _ = False"
-
-text{* Both the datatype and function definitions roughly follow the syntax
-of functional programming languages.
-
-\subsection{Type @{typ nat}}
-
-Natural numbers are another predefined datatype:
-@{datatype[display] nat}
-All values of type @{typ nat} are generated by the constructors
-@{text 0} and @{const Suc}. Thus the values of type @{typ nat} are
-@{text 0}, @{term"Suc 0"}, @{term"Suc(Suc 0)"} etc.
-There are many predefined functions: @{text "+"}, @{text "*"}, @{text
-"\<le>"}, etc. Here is how you could define your own addition:
-*}
-
-fun add :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"add 0 n = n" |
-"add (Suc m) n = Suc(add m n)"
-
-text{* And here is a proof of the fact that @{prop"add m 0 = m"}: *}
-
-lemma add_02: "add m 0 = m"
-apply(induction m)
-apply(auto)
-done
-(*<*)
-lemma "add m 0 = m"
-apply(induction m)
-(*>*)
-txt{* The \isacom{lemma} command starts the proof and gives the lemma
-a name, @{text add_02}. Properties of recursively defined functions
-need to be established by induction in most cases.
-Command \isacom{apply}@{text"(induction m)"} instructs Isabelle to
-start a proof by induction on @{text m}. In response, it will show the
-following proof state:
-@{subgoals[display,indent=0]}
-The numbered lines are known as \emph{subgoals}.
-The first subgoal is the base case, the second one the induction step.
-The prefix @{text"\<And>m."} is Isabelle's way of saying ``for an arbitrary but fixed @{text m}''. The @{text"\<Longrightarrow>"} separates assumptions from the conclusion.
-The command \isacom{apply}@{text"(auto)"} instructs Isabelle to try
-and prove all subgoals automatically, essentially by simplifying them.
-Because both subgoals are easy, Isabelle can do it.
-The base case @{prop"add 0 0 = 0"} holds by definition of @{const add},
-and the induction step is almost as simple:
-@{text"add\<^raw:~>(Suc m) 0 = Suc(add m 0) = Suc m"}
-using first the definition of @{const add} and then the induction hypothesis.
-In summary, both subproofs rely on simplification with function definitions and
-the induction hypothesis.
-As a result of that final \isacom{done}, Isabelle associates the lemma
-just proved with its name. You can now inspect the lemma with the command
-*}
-
-thm add_02
-
-txt{* which displays @{thm[show_question_marks,display] add_02} The free
-variable @{text m} has been replaced by the \concept{unknown}
-@{text"?m"}. There is no logical difference between the two but an
-operational one: unknowns can be instantiated, which is what you want after
-some lemma has been proved.
-
-Note that there is also a proof method @{text induct}, which behaves almost
-like @{text induction}; the difference is explained in \autoref{ch:Isar}.
-
-\begin{warn}
-Terminology: We use \concept{lemma}, \concept{theorem} and \concept{rule}
-interchangeably for propositions that have been proved.
-\end{warn}
-\begin{warn}
- Numerals (@{text 0}, @{text 1}, @{text 2}, \dots) and most of the standard
- arithmetic operations (@{text "+"}, @{text "-"}, @{text "*"}, @{text"\<le>"},
- @{text"<"} etc) are overloaded: they are available
- not just for natural numbers but for other types as well.
- For example, given the goal @{text"x + 0 = x"}, there is nothing to indicate
- that you are talking about natural numbers. Hence Isabelle can only infer
- that @{term x} is of some arbitrary type where @{text 0} and @{text"+"}
- exist. As a consequence, you will be unable to prove the
- goal. To alert you to such pitfalls, Isabelle flags numerals without a
- fixed type in its output: @{prop"x+0 = x"}. In this particular example,
- you need to include
- an explicit type constraint, for example @{text"x+0 = (x::nat)"}. If there
- is enough contextual information this may not be necessary: @{prop"Suc x =
- x"} automatically implies @{text"x::nat"} because @{term Suc} is not
- overloaded.
-\end{warn}
-
-\subsubsection{An informal proof}
-
-Above we gave some terse informal explanation of the proof of
-@{prop"add m 0 = m"}. A more detailed informal exposition of the lemma
-might look like this:
-\bigskip
-
-\noindent
-\textbf{Lemma} @{prop"add m 0 = m"}
-
-\noindent
-\textbf{Proof} by induction on @{text m}.
-\begin{itemize}
-\item Case @{text 0} (the base case): @{prop"add 0 0 = 0"}
- holds by definition of @{const add}.
-\item Case @{term"Suc m"} (the induction step):
- We assume @{prop"add m 0 = m"}, the induction hypothesis (IH),
- and we need to show @{text"add (Suc m) 0 = Suc m"}.
- The proof is as follows:\smallskip
-
- \begin{tabular}{@ {}rcl@ {\quad}l@ {}}
- @{term "add (Suc m) 0"} &@{text"="}& @{term"Suc(add m 0)"}
- & by definition of @{text add}\\
- &@{text"="}& @{term "Suc m"} & by IH
- \end{tabular}
-\end{itemize}
-Throughout this book, \concept{IH} will stand for ``induction hypothesis''.
-
-We have now seen three proofs of @{prop"add m 0 = 0"}: the Isabelle one, the
-terse four lines explaining the base case and the induction step, and just now a
-model of a traditional inductive proof. The three proofs differ in the level
-of detail given and the intended reader: the Isabelle proof is for the
-machine, the informal proofs are for humans. Although this book concentrates
-on Isabelle proofs, it is important to be able to rephrase those proofs
-as informal text comprehensible to a reader familiar with traditional
-mathematical proofs. Later on we will introduce an Isabelle proof language
-that is closer to traditional informal mathematical language and is often
-directly readable.
-
-\subsection{Type @{text list}}
-
-Although lists are already predefined, we define our own copy just for
-demonstration purposes:
-*}
-(*<*)
-apply(auto)
-done
-declare [[names_short]]
-(*>*)
-datatype 'a list = Nil | Cons 'a "'a list"
-
-text{*
-\begin{itemize}
-\item Type @{typ "'a list"} is the type of lists over elements of type @{typ 'a}. Because @{typ 'a} is a type variable, lists are in fact \concept{polymorphic}: the elements of a list can be of arbitrary type (but must all be of the same type).
-\item Lists have two constructors: @{const Nil}, the empty list, and @{const Cons}, which puts an element (of type @{typ 'a}) in front of a list (of type @{typ "'a list"}).
-Hence all lists are of the form @{const Nil}, or @{term"Cons x Nil"},
-or @{term"Cons x (Cons y Nil)"} etc.
-\item \isacom{datatype} requires no quotation marks on the
-left-hand side, but on the right-hand side each of the argument
-types of a constructor needs to be enclosed in quotation marks, unless
-it is just an identifier (e.g.\ @{typ nat} or @{typ 'a}).
-\end{itemize}
-We also define two standard functions, append and reverse: *}
-
-fun app :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
-"app Nil ys = ys" |
-"app (Cons x xs) ys = Cons x (app xs ys)"
-
-fun rev :: "'a list \<Rightarrow> 'a list" where
-"rev Nil = Nil" |
-"rev (Cons x xs) = app (rev xs) (Cons x Nil)"
-
-text{* By default, variables @{text xs}, @{text ys} and @{text zs} are of
-@{text list} type.
-
-Command \isacom{value} evaluates a term. For example, *}
-
-value "rev(Cons True (Cons False Nil))"
-
-text{* yields the result @{value "rev(Cons True (Cons False Nil))"}. This works symbolically, too: *}
-
-value "rev(Cons a (Cons b Nil))"
-
-text{* yields @{value "rev(Cons a (Cons b Nil))"}.
-\medskip
-
-Figure~\ref{fig:MyList} shows the theory created so far.
-Because @{text list}, @{const Nil}, @{const Cons} etc are already predefined,
- Isabelle prints qualified (long) names when executing this theory, for example, @{text MyList.Nil}
- instead of @{const Nil}.
- To suppress the qualified names you can insert the command
- \texttt{declare [[names\_short]]}.
- This is not recommended in general but just for this unusual example.
-% Notice where the
-%quotations marks are needed that we mostly sweep under the carpet. In
-%particular, notice that \isacom{datatype} requires no quotation marks on the
-%left-hand side, but that on the right-hand side each of the argument
-%types of a constructor needs to be enclosed in quotation marks.
-
-\begin{figure}[htbp]
-\begin{alltt}
-\input{MyList.thy}\end{alltt}
-\caption{A Theory of Lists}
-\label{fig:MyList}
-\end{figure}
-
-\subsubsection{Structural Induction for Lists}
-
-Just as for natural numbers, there is a proof principle of induction for
-lists. Induction over a list is essentially induction over the length of
-the list, although the length remains implicit. To prove that some property
-@{text P} holds for all lists @{text xs}, i.e.\ \mbox{@{prop"P(xs)"}},
-you need to prove
-\begin{enumerate}
-\item the base case @{prop"P(Nil)"} and
-\item the inductive case @{prop"P(Cons x xs)"} under the assumption @{prop"P(xs)"}, for some arbitrary but fixed @{text x} and @{text xs}.
-\end{enumerate}
-This is often called \concept{structural induction}.
-
-\subsection{The Proof Process}
-
-We will now demonstrate the typical proof process, which involves
-the formulation and proof of auxiliary lemmas.
-Our goal is to show that reversing a list twice produces the original
-list. *}
-
-theorem rev_rev [simp]: "rev(rev xs) = xs"
-
-txt{* Commands \isacom{theorem} and \isacom{lemma} are
-interchangeable and merely indicate the importance we attach to a
-proposition. Via the bracketed attribute @{text simp} we also tell Isabelle
-to make the eventual theorem a \concept{simplification rule}: future proofs
-involving simplification will replace occurrences of @{term"rev(rev xs)"} by
-@{term"xs"}. The proof is by induction: *}
-
-apply(induction xs)
-
-txt{*
-As explained above, we obtain two subgoals, namely the base case (@{const Nil}) and the induction step (@{const Cons}):
-@{subgoals[display,indent=0,margin=65]}
-Let us try to solve both goals automatically:
-*}
-
-apply(auto)
-
-txt{*Subgoal~1 is proved, and disappears; the simplified version
-of subgoal~2 becomes the new subgoal~1:
-@{subgoals[display,indent=0,margin=70]}
-In order to simplify this subgoal further, a lemma suggests itself.
-
-\subsubsection{A First Lemma}
-
-We insert the following lemma in front of the main theorem:
-*}
-(*<*)
-oops
-(*>*)
-lemma rev_app [simp]: "rev(app xs ys) = app (rev ys) (rev xs)"
-
-txt{* There are two variables that we could induct on: @{text xs} and
-@{text ys}. Because @{const app} is defined by recursion on
-the first argument, @{text xs} is the correct one:
-*}
-
-apply(induction xs)
-
-txt{* This time not even the base case is solved automatically: *}
-apply(auto)
-txt{*
-\vspace{-5ex}
-@{subgoals[display,goals_limit=1]}
-Again, we need to abandon this proof attempt and prove another simple lemma
-first.
-
-\subsubsection{A Second Lemma}
-
-We again try the canonical proof procedure:
-*}
-(*<*)
-oops
-(*>*)
-lemma app_Nil2 [simp]: "app xs Nil = xs"
-apply(induction xs)
-apply(auto)
-done
-
-text{*
-Thankfully, this worked.
-Now we can continue with our stuck proof attempt of the first lemma:
-*}
-
-lemma rev_app [simp]: "rev(app xs ys) = app (rev ys) (rev xs)"
-apply(induction xs)
-apply(auto)
-
-txt{*
-We find that this time @{text"auto"} solves the base case, but the
-induction step merely simplifies to
-@{subgoals[display,indent=0,goals_limit=1]}
-The missing lemma is associativity of @{const app},
-which we insert in front of the failed lemma @{text rev_app}.
-
-\subsubsection{Associativity of @{const app}}
-
-The canonical proof procedure succeeds without further ado:
-*}
-(*<*)oops(*>*)
-lemma app_assoc [simp]: "app (app xs ys) zs = app xs (app ys zs)"
-apply(induction xs)
-apply(auto)
-done
-(*<*)
-lemma rev_app [simp]: "rev(app xs ys) = app (rev ys)(rev xs)"
-apply(induction xs)
-apply(auto)
-done
-
-theorem rev_rev [simp]: "rev(rev xs) = xs"
-apply(induction xs)
-apply(auto)
-done
-(*>*)
-text{*
-Finally the proofs of @{thm[source] rev_app} and @{thm[source] rev_rev}
-succeed, too.
-
-\subsubsection{Another informal proof}
-
-Here is the informal proof of associativity of @{const app}
-corresponding to the Isabelle proof above.
-\bigskip
-
-\noindent
-\textbf{Lemma} @{prop"app (app xs ys) zs = app xs (app ys zs)"}
-
-\noindent
-\textbf{Proof} by induction on @{text xs}.
-\begin{itemize}
-\item Case @{text Nil}: \ @{prop"app (app Nil ys) zs = app ys zs"} @{text"="}
- \mbox{@{term"app Nil (app ys zs)"}} \ holds by definition of @{text app}.
-\item Case @{text"Cons x xs"}: We assume
- \begin{center} \hfill @{term"app (app xs ys) zs"} @{text"="}
- @{term"app xs (app ys zs)"} \hfill (IH) \end{center}
- and we need to show
- \begin{center} @{prop"app (app (Cons x xs) ys) zs = app (Cons x xs) (app ys zs)"}.\end{center}
- The proof is as follows:\smallskip
-
- \begin{tabular}{@ {}l@ {\quad}l@ {}}
- @{term"app (app (Cons x xs) ys) zs"}\\
- @{text"= app (Cons x (app xs ys)) zs"} & by definition of @{text app}\\
- @{text"= Cons x (app (app xs ys) zs)"} & by definition of @{text app}\\
- @{text"= Cons x (app xs (app ys zs))"} & by IH\\
- @{text"= app (Cons x xs) (app ys zs)"} & by definition of @{text app}
- \end{tabular}
-\end{itemize}
-\medskip
-
-\noindent Didn't we say earlier that all proofs are by simplification? But
-in both cases, going from left to right, the last equality step is not a
-simplification at all! In the base case it is @{prop"app ys zs = app Nil (app
-ys zs)"}. It appears almost mysterious because we suddenly complicate the
-term by appending @{text Nil} on the left. What is really going on is this:
-when proving some equality \mbox{@{prop"s = t"}}, both @{text s} and @{text t} are
-simplified to some common term @{text u}. This heuristic for equality proofs
-works well for a functional programming context like ours. In the base case
-@{text s} is @{term"app (app Nil ys) zs"}, @{text t} is @{term"app Nil (app
-ys zs)"}, and @{text u} is @{term"app ys zs"}.
-
-\subsection{Predefined lists}
-\label{sec:predeflists}
-
-Isabelle's predefined lists are the same as the ones above, but with
-more syntactic sugar:
-\begin{itemize}
-\item @{text "[]"} is @{const Nil},
-\item @{term"x # xs"} is @{term"Cons x xs"},
-\item @{text"[x\<^isub>1, \<dots>, x\<^isub>n]"} is @{text"x\<^isub>1 # \<dots> # x\<^isub>n # []"}, and
-\item @{term "xs @ ys"} is @{term"app xs ys"}.
-\end{itemize}
-There is also a large library of predefined functions.
-The most important ones are the length function
-@{text"length :: 'a list \<Rightarrow> nat"} (with the obvious definition),
-and the map function that applies a function to all elements of a list:
-\begin{isabelle}
-\isacom{fun} @{const map} @{text"::"} @{typ[source] "('a \<Rightarrow> 'b) \<Rightarrow> 'a list \<Rightarrow> 'b list"}\\
-@{text"\""}@{thm map.simps(1)}@{text"\" |"}\\
-@{text"\""}@{thm map.simps(2)}@{text"\""}
-\end{isabelle}
-\sem
-Also useful are the \concept{head} of a list, its first element,
-and the \concept{tail}, the rest of the list:
-\begin{isabelle}
-\isacom{fun} @{text"hd :: 'a list \<Rightarrow> 'a"}\\
-@{prop"hd(x#xs) = x"}
-\end{isabelle}
-\begin{isabelle}
-\isacom{fun} @{text"tl :: 'a list \<Rightarrow> 'a list"}\\
-@{prop"tl [] = []"} @{text"|"}\\
-@{prop"tl(x#xs) = xs"}
-\end{isabelle}
-Note that since HOL is a logic of total functions, @{term"hd []"} is defined,
-but we do now know what the result is. That is, @{term"hd []"} is not undefined
-but underdefined.
-\endsem
-%
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/ProgProve/Isar.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,997 +0,0 @@
-(*<*)
-theory Isar
-imports LaTeXsugar
-begin
-ML{* quick_and_dirty := true *}
-(*>*)
-text{*
-Apply-scripts are unreadable and hard to maintain. The language of choice
-for larger proofs is \concept{Isar}. The two key features of Isar are:
-\begin{itemize}
-\item It is structured, not linear.
-\item It is readable without running it because
-you need to state what you are proving at any given point.
-\end{itemize}
-Whereas apply-scripts are like assembly language programs, Isar proofs
-are like structured programs with comments. A typical Isar proof looks like this:
-*}text{*
-\begin{tabular}{@ {}l}
-\isacom{proof}\\
-\quad\isacom{assume} @{text"\""}$\mathit{formula}_0$@{text"\""}\\
-\quad\isacom{have} @{text"\""}$\mathit{formula}_1$@{text"\""} \quad\isacom{by} @{text simp}\\
-\quad\vdots\\
-\quad\isacom{have} @{text"\""}$\mathit{formula}_n$@{text"\""} \quad\isacom{by} @{text blast}\\
-\quad\isacom{show} @{text"\""}$\mathit{formula}_{n+1}$@{text"\""} \quad\isacom{by} @{text \<dots>}\\
-\isacom{qed}
-\end{tabular}
-*}text{*
-It proves $\mathit{formula}_0 \Longrightarrow \mathit{formula}_{n+1}$
-(provided each proof step succeeds).
-The intermediate \isacom{have} statements are merely stepping stones
-on the way towards the \isacom{show} statement that proves the actual
-goal. In more detail, this is the Isar core syntax:
-\medskip
-
-\begin{tabular}{@ {}lcl@ {}}
-\textit{proof} &=& \isacom{by} \textit{method}\\
- &$\mid$& \isacom{proof} [\textit{method}] \ \textit{step}$^*$ \ \isacom{qed}
-\end{tabular}
-\medskip
-
-\begin{tabular}{@ {}lcl@ {}}
-\textit{step} &=& \isacom{fix} \textit{variables} \\
- &$\mid$& \isacom{assume} \textit{proposition} \\
- &$\mid$& [\isacom{from} \textit{fact}$^+$] (\isacom{have} $\mid$ \isacom{show}) \ \textit{proposition} \ \textit{proof}
-\end{tabular}
-\medskip
-
-\begin{tabular}{@ {}lcl@ {}}
-\textit{proposition} &=& [\textit{name}:] @{text"\""}\textit{formula}@{text"\""}
-\end{tabular}
-\medskip
-
-\begin{tabular}{@ {}lcl@ {}}
-\textit{fact} &=& \textit{name} \ $\mid$ \ \dots
-\end{tabular}
-\medskip
-
-\noindent A proof can either be an atomic \isacom{by} with a single proof
-method which must finish off the statement being proved, for example @{text
-auto}. Or it can be a \isacom{proof}--\isacom{qed} block of multiple
-steps. Such a block can optionally begin with a proof method that indicates
-how to start off the proof, e.g.\ \mbox{@{text"(induction xs)"}}.
-
-A step either assumes a proposition or states a proposition
-together with its proof. The optional \isacom{from} clause
-indicates which facts are to be used in the proof.
-Intermediate propositions are stated with \isacom{have}, the overall goal
-with \isacom{show}. A step can also introduce new local variables with
-\isacom{fix}. Logically, \isacom{fix} introduces @{text"\<And>"}-quantified
-variables, \isacom{assume} introduces the assumption of an implication
-(@{text"\<Longrightarrow>"}) and \isacom{have}/\isacom{show} the conclusion.
-
-Propositions are optionally named formulas. These names can be referred to in
-later \isacom{from} clauses. In the simplest case, a fact is such a name.
-But facts can also be composed with @{text OF} and @{text of} as shown in
-\S\ref{sec:forward-proof}---hence the \dots\ in the above grammar. Note
-that assumptions, intermediate \isacom{have} statements and global lemmas all
-have the same status and are thus collectively referred to as
-\concept{facts}.
-
-Fact names can stand for whole lists of facts. For example, if @{text f} is
-defined by command \isacom{fun}, @{text"f.simps"} refers to the whole list of
-recursion equations defining @{text f}. Individual facts can be selected by
-writing @{text"f.simps(2)"}, whole sublists by @{text"f.simps(2-4)"}.
-
-
-\section{Isar by example}
-
-We show a number of proofs of Cantor's theorem that a function from a set to
-its powerset cannot be surjective, illustrating various features of Isar. The
-constant @{const surj} is predefined.
-*}
-
-lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
-proof
- assume 0: "surj f"
- from 0 have 1: "\<forall>A. \<exists>a. A = f a" by(simp add: surj_def)
- from 1 have 2: "\<exists>a. {x. x \<notin> f x} = f a" by blast
- from 2 show "False" by blast
-qed
-
-text{*
-The \isacom{proof} command lacks an explicit method how to perform
-the proof. In such cases Isabelle tries to use some standard introduction
-rule, in the above case for @{text"\<not>"}:
-\[
-\inferrule{
-\mbox{@{thm (prem 1) notI}}}
-{\mbox{@{thm (concl) notI}}}
-\]
-In order to prove @{prop"~ P"}, assume @{text P} and show @{text False}.
-Thus we may assume @{prop"surj f"}. The proof shows that names of propositions
-may be (single!) digits---meaningful names are hard to invent and are often
-not necessary. Both \isacom{have} steps are obvious. The second one introduces
-the diagonal set @{term"{x. x \<notin> f x}"}, the key idea in the proof.
-If you wonder why @{text 2} directly implies @{text False}: from @{text 2}
-it follows that @{prop"a \<notin> f a \<longleftrightarrow> a \<in> f a"}.
-
-\subsection{@{text this}, @{text then}, @{text hence} and @{text thus}}
-
-Labels should be avoided. They interrupt the flow of the reader who has to
-scan the context for the point where the label was introduced. Ideally, the
-proof is a linear flow, where the output of one step becomes the input of the
-next step, piping the previously proved fact into the next proof, just like
-in a UNIX pipe. In such cases the predefined name @{text this} can be used
-to refer to the proposition proved in the previous step. This allows us to
-eliminate all labels from our proof (we suppress the \isacom{lemma} statement):
-*}
-(*<*)
-lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
-(*>*)
-proof
- assume "surj f"
- from this have "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
- from this show "False" by blast
-qed
-
-text{* We have also taken the opportunity to compress the two \isacom{have}
-steps into one.
-
-To compact the text further, Isar has a few convenient abbreviations:
-\medskip
-
-\begin{tabular}{rcl}
-\isacom{then} &=& \isacom{from} @{text this}\\
-\isacom{thus} &=& \isacom{then} \isacom{show}\\
-\isacom{hence} &=& \isacom{then} \isacom{have}
-\end{tabular}
-\medskip
-
-\noindent
-With the help of these abbreviations the proof becomes
-*}
-(*<*)
-lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
-(*>*)
-proof
- assume "surj f"
- hence "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
- thus "False" by blast
-qed
-text{*
-
-There are two further linguistic variations:
-\medskip
-
-\begin{tabular}{rcl}
-(\isacom{have}$\mid$\isacom{show}) \ \textit{prop} \ \isacom{using} \ \textit{facts}
-&=&
-\isacom{from} \ \textit{facts} \ (\isacom{have}$\mid$\isacom{show}) \ \textit{prop}\\
-\isacom{with} \ \textit{facts} &=& \isacom{from} \ \textit{facts} \isa{this}
-\end{tabular}
-\medskip
-
-\noindent The \isacom{using} idiom de-emphasizes the used facts by moving them
-behind the proposition.
-
-\subsection{Structured lemma statements: \isacom{fixes}, \isacom{assumes}, \isacom{shows}}
-
-Lemmas can also be stated in a more structured fashion. To demonstrate this
-feature with Cantor's theorem, we rephrase @{prop"\<not> surj f"}
-a little:
-*}
-
-lemma
- fixes f :: "'a \<Rightarrow> 'a set"
- assumes s: "surj f"
- shows "False"
-
-txt{* The optional \isacom{fixes} part allows you to state the types of
-variables up front rather than by decorating one of their occurrences in the
-formula with a type constraint. The key advantage of the structured format is
-the \isacom{assumes} part that allows you to name each assumption; multiple
-assumptions can be separated by \isacom{and}. The
-\isacom{shows} part gives the goal. The actual theorem that will come out of
-the proof is @{prop"surj f \<Longrightarrow> False"}, but during the proof the assumption
-@{prop"surj f"} is available under the name @{text s} like any other fact.
-*}
-
-proof -
- have "\<exists> a. {x. x \<notin> f x} = f a" using s
- by(auto simp: surj_def)
- thus "False" by blast
-qed
-
-text{* In the \isacom{have} step the assumption @{prop"surj f"} is now
-referenced by its name @{text s}. The duplication of @{prop"surj f"} in the
-above proofs (once in the statement of the lemma, once in its proof) has been
-eliminated.
-
-\begin{warn}
-Note the dash after the \isacom{proof}
-command. It is the null method that does nothing to the goal. Leaving it out
-would ask Isabelle to try some suitable introduction rule on the goal @{const
-False}---but there is no suitable introduction rule and \isacom{proof}
-would fail.
-\end{warn}
-
-Stating a lemma with \isacom{assumes}-\isacom{shows} implicitly introduces the
-name @{text assms} that stands for the list of all assumptions. You can refer
-to individual assumptions by @{text"assms(1)"}, @{text"assms(2)"} etc,
-thus obviating the need to name them individually.
-
-\section{Proof patterns}
-
-We show a number of important basic proof patterns. Many of them arise from
-the rules of natural deduction that are applied by \isacom{proof} by
-default. The patterns are phrased in terms of \isacom{show} but work for
-\isacom{have} and \isacom{lemma}, too.
-
-We start with two forms of \concept{case analysis}:
-starting from a formula @{text P} we have the two cases @{text P} and
-@{prop"~P"}, and starting from a fact @{prop"P \<or> Q"}
-we have the two cases @{text P} and @{text Q}:
-*}text_raw{*
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "R" proof-(*>*)
-show "R"
-proof cases
- assume "P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-next
- assume "\<not> P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)oops(*>*)
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "R" proof-(*>*)
-have "P \<or> Q" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-then show "R"
-proof
- assume "P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-next
- assume "Q"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-\end{tabular}
-\medskip
-\begin{isamarkuptext}%
-How to prove a logical equivalence:
-\end{isamarkuptext}%
-\isa{%
-*}
-(*<*)lemma "P\<longleftrightarrow>Q" proof-(*>*)
-show "P \<longleftrightarrow> Q"
-proof
- assume "P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "Q" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-next
- assume "Q"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "P" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-text_raw {* }
-\medskip
-\begin{isamarkuptext}%
-Proofs by contradiction:
-\end{isamarkuptext}%
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "\<not> P" proof-(*>*)
-show "\<not> P"
-proof
- assume "P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "False" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "P" proof-(*>*)
-show "P"
-proof (rule ccontr)
- assume "\<not>P"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "False" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-\end{tabular}
-\medskip
-\begin{isamarkuptext}%
-The name @{thm[source] ccontr} stands for ``classical contradiction''.
-
-How to prove quantified formulas:
-\end{isamarkuptext}%
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "ALL x. P x" proof-(*>*)
-show "\<forall>x. P(x)"
-proof
- fix x
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "P(x)" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "EX x. P(x)" proof-(*>*)
-show "\<exists>x. P(x)"
-proof
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "P(witness)" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed
-(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-\end{tabular}
-\medskip
-\begin{isamarkuptext}%
-In the proof of \noquotes{@{prop[source]"\<forall>x. P(x)"}},
-the step \isacom{fix}~@{text x} introduces a locally fixed variable @{text x}
-into the subproof, the proverbial ``arbitrary but fixed value''.
-Instead of @{text x} we could have chosen any name in the subproof.
-In the proof of \noquotes{@{prop[source]"\<exists>x. P(x)"}},
-@{text witness} is some arbitrary
-term for which we can prove that it satisfies @{text P}.
-
-How to reason forward from \noquotes{@{prop[source] "\<exists>x. P(x)"}}:
-\end{isamarkuptext}%
-*}
-(*<*)lemma True proof- assume 1: "EX x. P x"(*>*)
-have "\<exists>x. P(x)" (*<*)by(rule 1)(*>*)txt_raw{*\ $\dots$\\*}
-then obtain x where p: "P(x)" by blast
-(*<*)oops(*>*)
-text{*
-After the \isacom{obtain} step, @{text x} (we could have chosen any name)
-is a fixed local
-variable, and @{text p} is the name of the fact
-\noquotes{@{prop[source] "P(x)"}}.
-This pattern works for one or more @{text x}.
-As an example of the \isacom{obtain} command, here is the proof of
-Cantor's theorem in more detail:
-*}
-
-lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
-proof
- assume "surj f"
- hence "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
- then obtain a where "{x. x \<notin> f x} = f a" by blast
- hence "a \<notin> f a \<longleftrightarrow> a \<in> f a" by blast
- thus "False" by blast
-qed
-
-text_raw{*
-\begin{isamarkuptext}%
-
-Finally, how to prove set equality and subset relationship:
-\end{isamarkuptext}%
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "A = (B::'a set)" proof-(*>*)
-show "A = B"
-proof
- show "A \<subseteq> B" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-next
- show "B \<subseteq> A" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "A <= (B::'a set)" proof-(*>*)
-show "A \<subseteq> B"
-proof
- fix x
- assume "x \<in> A"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "x \<in> B" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-
-text_raw {* }
-\end{minipage}
-\end{tabular}
-\begin{isamarkuptext}%
-\section{Streamlining proofs}
-
-\subsection{Pattern matching and quotations}
-
-In the proof patterns shown above, formulas are often duplicated.
-This can make the text harder to read, write and maintain. Pattern matching
-is an abbreviation mechanism to avoid such duplication. Writing
-\begin{quote}
-\isacom{show} \ \textit{formula} @{text"("}\isacom{is} \textit{pattern}@{text")"}
-\end{quote}
-matches the pattern against the formula, thus instantiating the unknowns in
-the pattern for later use. As an example, consider the proof pattern for
-@{text"\<longleftrightarrow>"}:
-\end{isamarkuptext}%
-*}
-(*<*)lemma "formula\<^isub>1 \<longleftrightarrow> formula\<^isub>2" proof-(*>*)
-show "formula\<^isub>1 \<longleftrightarrow> formula\<^isub>2" (is "?L \<longleftrightarrow> ?R")
-proof
- assume "?L"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "?R" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-next
- assume "?R"
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show "?L" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-
-text{* Instead of duplicating @{text"formula\<^isub>i"} in the text, we introduce
-the two abbreviations @{text"?L"} and @{text"?R"} by pattern matching.
-Pattern matching works wherever a formula is stated, in particular
-with \isacom{have} and \isacom{lemma}.
-
-The unknown @{text"?thesis"} is implicitly matched against any goal stated by
-\isacom{lemma} or \isacom{show}. Here is a typical example: *}
-
-lemma "formula"
-proof -
- txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
- show ?thesis (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-qed
-
-text{*
-Unknowns can also be instantiated with \isacom{let} commands
-\begin{quote}
-\isacom{let} @{text"?t"} = @{text"\""}\textit{some-big-term}@{text"\""}
-\end{quote}
-Later proof steps can refer to @{text"?t"}:
-\begin{quote}
-\isacom{have} @{text"\""}\dots @{text"?t"} \dots@{text"\""}
-\end{quote}
-\begin{warn}
-Names of facts are introduced with @{text"name:"} and refer to proved
-theorems. Unknowns @{text"?X"} refer to terms or formulas.
-\end{warn}
-
-Although abbreviations shorten the text, the reader needs to remember what
-they stand for. Similarly for names of facts. Names like @{text 1}, @{text 2}
-and @{text 3} are not helpful and should only be used in short proofs. For
-longer proofs, descriptive names are better. But look at this example:
-\begin{quote}
-\isacom{have} \ @{text"x_gr_0: \"x > 0\""}\\
-$\vdots$\\
-\isacom{from} @{text "x_gr_0"} \dots
-\end{quote}
-The name is longer than the fact it stands for! Short facts do not need names,
-one can refer to them easily by quoting them:
-\begin{quote}
-\isacom{have} \ @{text"\"x > 0\""}\\
-$\vdots$\\
-\isacom{from} @{text "`x>0`"} \dots
-\end{quote}
-Note that the quotes around @{text"x>0"} are \concept{back quotes}.
-They refer to the fact not by name but by value.
-
-\subsection{\isacom{moreover}}
-
-Sometimes one needs a number of facts to enable some deduction. Of course
-one can name these facts individually, as shown on the right,
-but one can also combine them with \isacom{moreover}, as shown on the left:
-*}text_raw{*
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "P" proof-(*>*)
-have "P\<^isub>1" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-moreover have "P\<^isub>2" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-moreover
-txt_raw{*\\$\vdots$\\\hspace{-1.4ex}*}(*<*)have "True" ..(*>*)
-moreover have "P\<^isub>n" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-ultimately have "P" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-&
-\qquad
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "P" proof-(*>*)
-have lab\<^isub>1: "P\<^isub>1" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-have lab\<^isub>2: "P\<^isub>2" (*<*)sorry(*>*)txt_raw{*\ $\dots$*}
-txt_raw{*\\$\vdots$\\\hspace{-1.4ex}*}
-have lab\<^isub>n: "P\<^isub>n" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-from lab\<^isub>1 lab\<^isub>2 txt_raw{*\ $\dots$\\*}
-have "P" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-(*<*)oops(*>*)
-
-text_raw {* }
-\end{minipage}
-\end{tabular}
-\begin{isamarkuptext}%
-The \isacom{moreover} version is no shorter but expresses the structure more
-clearly and avoids new names.
-
-\subsection{Raw proof blocks}
-
-Sometimes one would like to prove some lemma locally within a proof.
-A lemma that shares the current context of assumptions but that
-has its own assumptions and is generalized over its locally fixed
-variables at the end. This is what a \concept{raw proof block} does:
-\begin{quote}
-@{text"{"} \isacom{fix} @{text"x\<^isub>1 \<dots> x\<^isub>n"}\\
-\mbox{}\ \ \ \isacom{assume} @{text"A\<^isub>1 \<dots> A\<^isub>m"}\\
-\mbox{}\ \ \ $\vdots$\\
-\mbox{}\ \ \ \isacom{have} @{text"B"}\\
-@{text"}"}
-\end{quote}
-proves @{text"\<lbrakk> A\<^isub>1; \<dots> ; A\<^isub>m \<rbrakk> \<Longrightarrow> B"}
-where all @{text"x\<^isub>i"} have been replaced by unknowns @{text"?x\<^isub>i"}.
-\begin{warn}
-The conclusion of a raw proof block is \emph{not} indicated by \isacom{show}
-but is simply the final \isacom{have}.
-\end{warn}
-
-As an example we prove a simple fact about divisibility on integers.
-The definition of @{text "dvd"} is @{thm dvd_def}.
-\end{isamarkuptext}%
-*}
-
-lemma fixes a b :: int assumes "b dvd (a+b)" shows "b dvd a"
-proof -
- { fix k assume k: "a+b = b*k"
- have "\<exists>k'. a = b*k'"
- proof
- show "a = b*(k - 1)" using k by(simp add: algebra_simps)
- qed }
- then show ?thesis using assms by(auto simp add: dvd_def)
-qed
-
-text{* Note that the result of a raw proof block has no name. In this example
-it was directly piped (via \isacom{then}) into the final proof, but it can
-also be named for later reference: you simply follow the block directly by a
-\isacom{note} command:
-\begin{quote}
-\isacom{note} \ @{text"name = this"}
-\end{quote}
-This introduces a new name @{text name} that refers to @{text this},
-the fact just proved, in this case the preceding block. In general,
-\isacom{note} introduces a new name for one or more facts.
-
-\section{Case analysis and induction}
-
-\subsection{Datatype case analysis}
-
-We have seen case analysis on formulas. Now we want to distinguish
-which form some term takes: is it @{text 0} or of the form @{term"Suc n"},
-is it @{term"[]"} or of the form @{term"x#xs"}, etc. Here is a typical example
-proof by case analysis on the form of @{text xs}:
-*}
-
-lemma "length(tl xs) = length xs - 1"
-proof (cases xs)
- assume "xs = []"
- thus ?thesis by simp
-next
- fix y ys assume "xs = y#ys"
- thus ?thesis by simp
-qed
-
-text{* Function @{text tl} (''tail'') is defined by @{thm tl.simps(1)} and
-@{thm tl.simps(2)}. Note that the result type of @{const length} is @{typ nat}
-and @{prop"0 - 1 = (0::nat)"}.
-
-This proof pattern works for any term @{text t} whose type is a datatype.
-The goal has to be proved for each constructor @{text C}:
-\begin{quote}
-\isacom{fix} \ @{text"x\<^isub>1 \<dots> x\<^isub>n"} \isacom{assume} @{text"\"t = C x\<^isub>1 \<dots> x\<^isub>n\""}
-\end{quote}
-Each case can be written in a more compact form by means of the \isacom{case}
-command:
-\begin{quote}
-\isacom{case} @{text "(C x\<^isub>1 \<dots> x\<^isub>n)"}
-\end{quote}
-This is equivalent to the explicit \isacom{fix}-\isacom{assume} line
-but also gives the assumption @{text"\"t = C x\<^isub>1 \<dots> x\<^isub>n\""} a name: @{text C},
-like the constructor.
-Here is the \isacom{case} version of the proof above:
-*}
-(*<*)lemma "length(tl xs) = length xs - 1"(*>*)
-proof (cases xs)
- case Nil
- thus ?thesis by simp
-next
- case (Cons y ys)
- thus ?thesis by simp
-qed
-
-text{* Remember that @{text Nil} and @{text Cons} are the alphanumeric names
-for @{text"[]"} and @{text"#"}. The names of the assumptions
-are not used because they are directly piped (via \isacom{thus})
-into the proof of the claim.
-
-\subsection{Structural induction}
-
-We illustrate structural induction with an example based on natural numbers:
-the sum (@{text"\<Sum>"}) of the first @{text n} natural numbers
-(@{text"{0..n::nat}"}) is equal to \mbox{@{term"n*(n+1) div 2::nat"}}.
-Never mind the details, just focus on the pattern:
-*}
-
-lemma "\<Sum>{0..n::nat} = n*(n+1) div 2"
-proof (induction n)
- show "\<Sum>{0..0::nat} = 0*(0+1) div 2" by simp
-next
- fix n assume "\<Sum>{0..n::nat} = n*(n+1) div 2"
- thus "\<Sum>{0..Suc n} = Suc n*(Suc n+1) div 2" by simp
-qed
-
-text{* Except for the rewrite steps, everything is explicitly given. This
-makes the proof easily readable, but the duplication means it is tedious to
-write and maintain. Here is how pattern
-matching can completely avoid any duplication: *}
-
-lemma "\<Sum>{0..n::nat} = n*(n+1) div 2" (is "?P n")
-proof (induction n)
- show "?P 0" by simp
-next
- fix n assume "?P n"
- thus "?P(Suc n)" by simp
-qed
-
-text{* The first line introduces an abbreviation @{text"?P n"} for the goal.
-Pattern matching @{text"?P n"} with the goal instantiates @{text"?P"} to the
-function @{term"\<lambda>n. \<Sum>{0..n::nat} = n*(n+1) div 2"}. Now the proposition to
-be proved in the base case can be written as @{text"?P 0"}, the induction
-hypothesis as @{text"?P n"}, and the conclusion of the induction step as
-@{text"?P(Suc n)"}.
-
-Induction also provides the \isacom{case} idiom that abbreviates
-the \isacom{fix}-\isacom{assume} step. The above proof becomes
-*}
-(*<*)lemma "\<Sum>{0..n::nat} = n*(n+1) div 2"(*>*)
-proof (induction n)
- case 0
- show ?case by simp
-next
- case (Suc n)
- thus ?case by simp
-qed
-
-text{*
-The unknown @{text "?case"} is set in each case to the required
-claim, i.e.\ @{text"?P 0"} and \mbox{@{text"?P(Suc n)"}} in the above proof,
-without requiring the user to define a @{text "?P"}. The general
-pattern for induction over @{typ nat} is shown on the left-hand side:
-*}text_raw{*
-\begin{tabular}{@ {}ll@ {}}
-\begin{minipage}[t]{.4\textwidth}
-\isa{%
-*}
-(*<*)lemma "P(n::nat)" proof -(*>*)
-show "P(n)"
-proof (induction n)
- case 0
- txt_raw{*\\\mbox{}\ \ $\vdots$\\\mbox{}\hspace{-1ex}*}
- show ?case (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-next
- case (Suc n)
- txt_raw{*\\\mbox{}\ \ $\vdots$\\\mbox{}\hspace{-1ex}*}
- show ?case (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.4\textwidth}
-~\\
-~\\
-\isacom{let} @{text"?case = \"P(0)\""}\\
-~\\
-~\\
-~\\[1ex]
-\isacom{fix} @{text n} \isacom{assume} @{text"Suc: \"P(n)\""}\\
-\isacom{let} @{text"?case = \"P(Suc n)\""}\\
-\end{minipage}
-\end{tabular}
-\medskip
-*}
-text{*
-On the right side you can see what the \isacom{case} command
-on the left stands for.
-
-In case the goal is an implication, induction does one more thing: the
-proposition to be proved in each case is not the whole implication but only
-its conclusion; the premises of the implication are immediately made
-assumptions of that case. That is, if in the above proof we replace
-\isacom{show}~@{text"P(n)"} by
-\mbox{\isacom{show}~@{text"A(n) \<Longrightarrow> P(n)"}}
-then \isacom{case}~@{text 0} stands for
-\begin{quote}
-\isacom{assume} \ @{text"0: \"A(0)\""}\\
-\isacom{let} @{text"?case = \"P(0)\""}
-\end{quote}
-and \isacom{case}~@{text"(Suc n)"} stands for
-\begin{quote}
-\isacom{fix} @{text n}\\
-\isacom{assume} @{text"Suc:"}
- \begin{tabular}[t]{l}@{text"\"A(n) \<Longrightarrow> P(n)\""}\\@{text"\"A(Suc n)\""}\end{tabular}\\
-\isacom{let} @{text"?case = \"P(Suc n)\""}
-\end{quote}
-The list of assumptions @{text Suc} is actually subdivided
-into @{text"Suc.IH"}, the induction hypotheses (here @{text"A(n) \<Longrightarrow> P(n)"})
-and @{text"Suc.prems"}, the premises of the goal being proved
-(here @{text"A(Suc n)"}).
-
-Induction works for any datatype.
-Proving a goal @{text"\<lbrakk> A\<^isub>1(x); \<dots>; A\<^isub>k(x) \<rbrakk> \<Longrightarrow> P(x)"}
-by induction on @{text x} generates a proof obligation for each constructor
-@{text C} of the datatype. The command @{text"case (C x\<^isub>1 \<dots> x\<^isub>n)"}
-performs the following steps:
-\begin{enumerate}
-\item \isacom{fix} @{text"x\<^isub>1 \<dots> x\<^isub>n"}
-\item \isacom{assume} the induction hypotheses (calling them @{text C.IH})
- and the premises \mbox{@{text"A\<^isub>i(C x\<^isub>1 \<dots> x\<^isub>n)"}} (calling them @{text"C.prems"})
- and calling the whole list @{text C}
-\item \isacom{let} @{text"?case = \"P(C x\<^isub>1 \<dots> x\<^isub>n)\""}
-\end{enumerate}
-
-\subsection{Rule induction}
-
-Recall the inductive and recursive definitions of even numbers in
-\autoref{sec:inductive-defs}:
-*}
-
-inductive ev :: "nat \<Rightarrow> bool" where
-ev0: "ev 0" |
-evSS: "ev n \<Longrightarrow> ev(Suc(Suc n))"
-
-fun even :: "nat \<Rightarrow> bool" where
-"even 0 = True" |
-"even (Suc 0) = False" |
-"even (Suc(Suc n)) = even n"
-
-text{* We recast the proof of @{prop"ev n \<Longrightarrow> even n"} in Isar. The
-left column shows the actual proof text, the right column shows
-the implicit effect of the two \isacom{case} commands:*}text_raw{*
-\begin{tabular}{@ {}l@ {\qquad}l@ {}}
-\begin{minipage}[t]{.5\textwidth}
-\isa{%
-*}
-
-lemma "ev n \<Longrightarrow> even n"
-proof(induction rule: ev.induct)
- case ev0
- show ?case by simp
-next
- case evSS
-
-
-
- thus ?case by simp
-qed
-
-text_raw {* }
-\end{minipage}
-&
-\begin{minipage}[t]{.5\textwidth}
-~\\
-~\\
-\isacom{let} @{text"?case = \"even 0\""}\\
-~\\
-~\\
-\isacom{fix} @{text n}\\
-\isacom{assume} @{text"evSS:"}
- \begin{tabular}[t]{l} @{text"\"ev n\""}\\@{text"\"even n\""}\end{tabular}\\
-\isacom{let} @{text"?case = \"even(Suc(Suc n))\""}\\
-\end{minipage}
-\end{tabular}
-\medskip
-*}
-text{*
-The proof resembles structural induction, but the induction rule is given
-explicitly and the names of the cases are the names of the rules in the
-inductive definition.
-Let us examine the two assumptions named @{thm[source]evSS}:
-@{prop "ev n"} is the premise of rule @{thm[source]evSS}, which we may assume
-because we are in the case where that rule was used; @{prop"even n"}
-is the induction hypothesis.
-\begin{warn}
-Because each \isacom{case} command introduces a list of assumptions
-named like the case name, which is the name of a rule of the inductive
-definition, those rules now need to be accessed with a qualified name, here
-@{thm[source] ev.ev0} and @{thm[source] ev.evSS}
-\end{warn}
-
-In the case @{thm[source]evSS} of the proof above we have pretended that the
-system fixes a variable @{text n}. But unless the user provides the name
-@{text n}, the system will just invent its own name that cannot be referred
-to. In the above proof, we do not need to refer to it, hence we do not give
-it a specific name. In case one needs to refer to it one writes
-\begin{quote}
-\isacom{case} @{text"(evSS m)"}
-\end{quote}
-just like \isacom{case}~@{text"(Suc n)"} in earlier structural inductions.
-The name @{text m} is an arbitrary choice. As a result,
-case @{thm[source] evSS} is derived from a renamed version of
-rule @{thm[source] evSS}: @{text"ev m \<Longrightarrow> ev(Suc(Suc m))"}.
-Here is an example with a (contrived) intermediate step that refers to @{text m}:
-*}
-
-lemma "ev n \<Longrightarrow> even n"
-proof(induction rule: ev.induct)
- case ev0 show ?case by simp
-next
- case (evSS m)
- have "even(Suc(Suc m)) = even m" by simp
- thus ?case using `even m` by blast
-qed
-
-text{*
-\indent
-In general, let @{text I} be a (for simplicity unary) inductively defined
-predicate and let the rules in the definition of @{text I}
-be called @{text "rule\<^isub>1"}, \dots, @{text "rule\<^isub>n"}. A proof by rule
-induction follows this pattern:
-*}
-
-(*<*)
-inductive I where rule\<^isub>1: "I()" | rule\<^isub>2: "I()" | rule\<^isub>n: "I()"
-lemma "I x \<Longrightarrow> P x" proof-(*>*)
-show "I x \<Longrightarrow> P x"
-proof(induction rule: I.induct)
- case rule\<^isub>1
- txt_raw{*\\[-.4ex]\mbox{}\ \ $\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
- show ?case (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-next
- txt_raw{*\\[-.4ex]$\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
-(*<*)
- case rule\<^isub>2
- show ?case sorry
-(*>*)
-next
- case rule\<^isub>n
- txt_raw{*\\[-.4ex]\mbox{}\ \ $\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
- show ?case (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
-qed(*<*)qed(*>*)
-
-text{*
-One can provide explicit variable names by writing
-\isacom{case}~@{text"(rule\<^isub>i x\<^isub>1 \<dots> x\<^isub>k)"}, thus renaming the first @{text k}
-free variables in rule @{text i} to @{text"x\<^isub>1 \<dots> x\<^isub>k"},
-going through rule @{text i} from left to right.
-
-\subsection{Assumption naming}
-
-In any induction, \isacom{case}~@{text name} sets up a list of assumptions
-also called @{text name}, which is subdivided into three parts:
-\begin{description}
-\item[@{text name.IH}] contains the induction hypotheses.
-\item[@{text name.hyps}] contains all the other hypotheses of this case in the
-induction rule. For rule inductions these are the hypotheses of rule
-@{text name}, for structural inductions these are empty.
-\item[@{text name.prems}] contains the (suitably instantiated) premises
-of the statement being proved, i.e. the @{text A\<^isub>i} when
-proving @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}.
-\end{description}
-\begin{warn}
-Proof method @{text induct} differs from @{text induction}
-only in this naming policy: @{text induct} does not distinguish
-@{text IH} from @{text hyps} but subsumes @{text IH} under @{text hyps}.
-\end{warn}
-
-More complicated inductive proofs than the ones we have seen so far
-often need to refer to specific assumptions---just @{text name} or even
-@{text name.prems} and @{text name.IH} can be too unspecific.
-This is where the indexing of fact lists comes in handy, e.g.\
-@{text"name.IH(2)"} or @{text"name.prems(1-2)"}.
-
-\subsection{Rule inversion}
-
-Rule inversion is case analysis of which rule could have been used to
-derive some fact. The name \concept{rule inversion} emphasizes that we are
-reasoning backwards: by which rules could some given fact have been proved?
-For the inductive definition of @{const ev}, rule inversion can be summarized
-like this:
-@{prop[display]"ev n \<Longrightarrow> n = 0 \<or> (EX k. n = Suc(Suc k) \<and> ev k)"}
-The realisation in Isabelle is a case analysis.
-A simple example is the proof that @{prop"ev n \<Longrightarrow> ev (n - 2)"}. We
-already went through the details informally in \autoref{sec:Logic:even}. This
-is the Isar proof:
-*}
-(*<*)
-notepad
-begin fix n
-(*>*)
- assume "ev n"
- from this have "ev(n - 2)"
- proof cases
- case ev0 thus "ev(n - 2)" by (simp add: ev.ev0)
- next
- case (evSS k) thus "ev(n - 2)" by (simp add: ev.evSS)
- qed
-(*<*)
-end
-(*>*)
-
-text{* The key point here is that a case analysis over some inductively
-defined predicate is triggered by piping the given fact
-(here: \isacom{from}~@{text this}) into a proof by @{text cases}.
-Let us examine the assumptions available in each case. In case @{text ev0}
-we have @{text"n = 0"} and in case @{text evSS} we have @{prop"n = Suc(Suc k)"}
-and @{prop"ev k"}. In each case the assumptions are available under the name
-of the case; there is no fine grained naming schema like for induction.
-
-Sometimes some rules could not have been used to derive the given fact
-because constructors clash. As an extreme example consider
-rule inversion applied to @{prop"ev(Suc 0)"}: neither rule @{text ev0} nor
-rule @{text evSS} can yield @{prop"ev(Suc 0)"} because @{text"Suc 0"} unifies
-neither with @{text 0} nor with @{term"Suc(Suc n)"}. Impossible cases do not
-have to be proved. Hence we can prove anything from @{prop"ev(Suc 0)"}:
-*}
-(*<*)
-notepad begin fix P
-(*>*)
- assume "ev(Suc 0)" then have P by cases
-(*<*)
-end
-(*>*)
-
-text{* That is, @{prop"ev(Suc 0)"} is simply not provable: *}
-
-lemma "\<not> ev(Suc 0)"
-proof
- assume "ev(Suc 0)" then show False by cases
-qed
-
-text{* Normally not all cases will be impossible. As a simple exercise,
-prove that \mbox{@{prop"\<not> ev(Suc(Suc(Suc 0)))"}.}
-*}
-
-(*
-lemma "\<not> ev(Suc(Suc(Suc 0)))"
-proof
- assume "ev(Suc(Suc(Suc 0)))"
- then show False
- proof cases
- case evSS
- from `ev(Suc 0)` show False by cases
- qed
-qed
-*)
-
-(*<*)
-end
-(*>*)
--- a/doc-src/ProgProve/LaTeXsugar.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-(* Title: HOL/Library/LaTeXsugar.thy
- Author: Gerwin Klain, Tobias Nipkow, Norbert Schirmer
- Copyright 2005 NICTA and TUM
-*)
-
-(*<*)
-theory LaTeXsugar
-imports Main
-begin
-
-(* DUMMY *)
-consts DUMMY :: 'a ("\<^raw:\_>")
-
-(* THEOREMS *)
-notation (Rule output)
- "==>" ("\<^raw:\mbox{}\inferrule{\mbox{>_\<^raw:}}>\<^raw:{\mbox{>_\<^raw:}}>")
-
-syntax (Rule output)
- "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
- ("\<^raw:\mbox{}\inferrule{>_\<^raw:}>\<^raw:{\mbox{>_\<^raw:}}>")
-
- "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms"
- ("\<^raw:\mbox{>_\<^raw:}\\>/ _")
-
- "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")
-
-notation (Axiom output)
- "Trueprop" ("\<^raw:\mbox{}\inferrule{\mbox{}}{\mbox{>_\<^raw:}}>")
-
-notation (IfThen output)
- "==>" ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
-syntax (IfThen output)
- "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
- ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
- "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}> /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
- "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")
-
-notation (IfThenNoBox output)
- "==>" ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
-syntax (IfThenNoBox output)
- "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
- ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
- "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("_ /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
- "_asm" :: "prop \<Rightarrow> asms" ("_")
-
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/ProgProve/Logic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,734 +0,0 @@
-(*<*)
-theory Logic
-imports LaTeXsugar
-begin
-(*>*)
-text{*
-\vspace{-5ex}
-\section{Logic and proof beyond equality}
-\label{sec:Logic}
-
-\subsection{Formulas}
-
-The core syntax of formulas (\textit{form} below)
-provides the standard logical constructs, in decreasing order of precedence:
-\[
-\begin{array}{rcl}
-
-\mathit{form} & ::= &
- @{text"(form)"} ~\mid~
- @{const True} ~\mid~
- @{const False} ~\mid~
- @{prop "term = term"}\\
- &\mid& @{prop"\<not> form"} ~\mid~
- @{prop "form \<and> form"} ~\mid~
- @{prop "form \<or> form"} ~\mid~
- @{prop "form \<longrightarrow> form"}\\
- &\mid& @{prop"\<forall>x. form"} ~\mid~ @{prop"\<exists>x. form"}
-\end{array}
-\]
-Terms are the ones we have seen all along, built from constants, variables,
-function application and @{text"\<lambda>"}-abstraction, including all the syntactic
-sugar like infix symbols, @{text "if"}, @{text "case"} etc.
-\begin{warn}
-Remember that formulas are simply terms of type @{text bool}. Hence
-@{text "="} also works for formulas. Beware that @{text"="} has a higher
-precedence than the other logical operators. Hence @{prop"s = t \<and> A"} means
-@{text"(s = t) \<and> A"}, and @{prop"A\<and>B = B\<and>A"} means @{text"A \<and> (B = B) \<and> A"}.
-Logical equivalence can also be written with
-@{text "\<longleftrightarrow>"} instead of @{text"="}, where @{text"\<longleftrightarrow>"} has the same low
-precedence as @{text"\<longrightarrow>"}. Hence @{text"A \<and> B \<longleftrightarrow> B \<and> A"} really means
-@{text"(A \<and> B) \<longleftrightarrow> (B \<and> A)"}.
-\end{warn}
-\begin{warn}
-Quantifiers need to be enclosed in parentheses if they are nested within
-other constructs (just like @{text "if"}, @{text case} and @{text let}).
-\end{warn}
-The most frequent logical symbols have the following ASCII representations:
-\begin{center}
-\begin{tabular}{l@ {\qquad}l@ {\qquad}l}
-@{text "\<forall>"} & \xsymbol{forall} & \texttt{ALL}\\
-@{text "\<exists>"} & \xsymbol{exists} & \texttt{EX}\\
-@{text "\<lambda>"} & \xsymbol{lambda} & \texttt{\%}\\
-@{text "\<longrightarrow>"} & \texttt{-{}->}\\
-@{text "\<longleftrightarrow>"} & \texttt{<->}\\
-@{text "\<and>"} & \texttt{/\char`\\} & \texttt{\&}\\
-@{text "\<or>"} & \texttt{\char`\\/} & \texttt{|}\\
-@{text "\<not>"} & \xsymbol{not} & \texttt{\char`~}\\
-@{text "\<noteq>"} & \xsymbol{noteq} & \texttt{\char`~=}
-\end{tabular}
-\end{center}
-The first column shows the symbols, the second column ASCII representations
-that Isabelle interfaces convert into the corresponding symbol,
-and the third column shows ASCII representations that stay fixed.
-\begin{warn}
-The implication @{text"\<Longrightarrow>"} is part of the Isabelle framework. It structures
-theorems and proof states, separating assumptions from conclusions.
-The implication @{text"\<longrightarrow>"} is part of the logic HOL and can occur inside the
-formulas that make up the assumptions and conclusion.
-Theorems should be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"},
-not @{text"A\<^isub>1 \<and> \<dots> \<and> A\<^isub>n \<longrightarrow> A"}. Both are logically equivalent
-but the first one works better when using the theorem in further proofs.
-\end{warn}
-
-\subsection{Sets}
-
-Sets of elements of type @{typ 'a} have type @{typ"'a set"}.
-They can be finite or infinite. Sets come with the usual notation:
-\begin{itemize}
-\item @{term"{}"},\quad @{text"{e\<^isub>1,\<dots>,e\<^isub>n}"}
-\item @{prop"e \<in> A"},\quad @{prop"A \<subseteq> B"}
-\item @{term"A \<union> B"},\quad @{term"A \<inter> B"},\quad @{term"A - B"},\quad @{term"-A"}
-\end{itemize}
-and much more. @{const UNIV} is the set of all elements of some type.
-Set comprehension is written @{term"{x. P}"}
-rather than @{text"{x | P}"}, to emphasize the variable binding nature
-of the construct.
-\begin{warn}
-In @{term"{x. P}"} the @{text x} must be a variable. Set comprehension
-involving a proper term @{text t} must be written
-@{term[source]"{t | x y z. P}"},
-where @{text "x y z"} are the free variables in @{text t}.
-This is just a shorthand for @{term"{v. EX x y z. v = t \<and> P}"}, where
-@{text v} is a new variable.
-\end{warn}
-
-Here are the ASCII representations of the mathematical symbols:
-\begin{center}
-\begin{tabular}{l@ {\quad}l@ {\quad}l}
-@{text "\<in>"} & \texttt{\char`\\\char`\<in>} & \texttt{:}\\
-@{text "\<subseteq>"} & \texttt{\char`\\\char`\<subseteq>} & \texttt{<=}\\
-@{text "\<union>"} & \texttt{\char`\\\char`\<union>} & \texttt{Un}\\
-@{text "\<inter>"} & \texttt{\char`\\\char`\<inter>} & \texttt{Int}
-\end{tabular}
-\end{center}
-Sets also allow bounded quantifications @{prop"ALL x : A. P"} and
-@{prop"EX x : A. P"}.
-
-\subsection{Proof automation}
-
-So far we have only seen @{text simp} and @{text auto}: Both perform
-rewriting, both can also prove linear arithmetic facts (no multiplication),
-and @{text auto} is also able to prove simple logical or set-theoretic goals:
-*}
-
-lemma "\<forall>x. \<exists>y. x = y"
-by auto
-
-lemma "A \<subseteq> B \<inter> C \<Longrightarrow> A \<subseteq> B \<union> C"
-by auto
-
-text{* where
-\begin{quote}
-\isacom{by} \textit{proof-method}
-\end{quote}
-is short for
-\begin{quote}
-\isacom{apply} \textit{proof-method}\\
-\isacom{done}
-\end{quote}
-The key characteristics of both @{text simp} and @{text auto} are
-\begin{itemize}
-\item They show you were they got stuck, giving you an idea how to continue.
-\item They perform the obvious steps but are highly incomplete.
-\end{itemize}
-A proof method is \concept{complete} if it can prove all true formulas.
-There is no complete proof method for HOL, not even in theory.
-Hence all our proof methods only differ in how incomplete they are.
-
-A proof method that is still incomplete but tries harder than @{text auto} is
-@{text fastforce}. It either succeeds or fails, it acts on the first
-subgoal only, and it can be modified just like @{text auto}, e.g.\
-with @{text "simp add"}. Here is a typical example of what @{text fastforce}
-can do:
-*}
-
-lemma "\<lbrakk> \<forall>xs \<in> A. \<exists>ys. xs = ys @ ys; us \<in> A \<rbrakk>
- \<Longrightarrow> \<exists>n. length us = n+n"
-by fastforce
-
-text{* This lemma is out of reach for @{text auto} because of the
-quantifiers. Even @{text fastforce} fails when the quantifier structure
-becomes more complicated. In a few cases, its slow version @{text force}
-succeeds where @{text fastforce} fails.
-
-The method of choice for complex logical goals is @{text blast}. In the
-following example, @{text T} and @{text A} are two binary predicates. It
-is shown that if @{text T} is total, @{text A} is antisymmetric and @{text T} is
-a subset of @{text A}, then @{text A} is a subset of @{text T}:
-*}
-
-lemma
- "\<lbrakk> \<forall>x y. T x y \<or> T y x;
- \<forall>x y. A x y \<and> A y x \<longrightarrow> x = y;
- \<forall>x y. T x y \<longrightarrow> A x y \<rbrakk>
- \<Longrightarrow> \<forall>x y. A x y \<longrightarrow> T x y"
-by blast
-
-text{*
-We leave it to the reader to figure out why this lemma is true.
-Method @{text blast}
-\begin{itemize}
-\item is (in principle) a complete proof procedure for first-order formulas,
- a fragment of HOL. In practice there is a search bound.
-\item does no rewriting and knows very little about equality.
-\item covers logic, sets and relations.
-\item either succeeds or fails.
-\end{itemize}
-Because of its strength in logic and sets and its weakness in equality reasoning, it complements the earlier proof methods.
-
-
-\subsubsection{Sledgehammer}
-
-Command \isacom{sledgehammer} calls a number of external automatic
-theorem provers (ATPs) that run for up to 30 seconds searching for a
-proof. Some of these ATPs are part of the Isabelle installation, others are
-queried over the internet. If successful, a proof command is generated and can
-be inserted into your proof. The biggest win of \isacom{sledgehammer} is
-that it will take into account the whole lemma library and you do not need to
-feed in any lemma explicitly. For example,*}
-
-lemma "\<lbrakk> xs @ ys = ys @ xs; length xs = length ys \<rbrakk> \<Longrightarrow> xs = ys"
-
-txt{* cannot be solved by any of the standard proof methods, but
-\isacom{sledgehammer} finds the following proof: *}
-
-by (metis append_eq_conv_conj)
-
-text{* We do not explain how the proof was found but what this command
-means. For a start, Isabelle does not trust external tools (and in particular
-not the translations from Isabelle's logic to those tools!)
-and insists on a proof that it can check. This is what @{text metis} does.
-It is given a list of lemmas and tries to find a proof just using those lemmas
-(and pure logic). In contrast to @{text simp} and friends that know a lot of
-lemmas already, using @{text metis} manually is tedious because one has
-to find all the relevant lemmas first. But that is precisely what
-\isacom{sledgehammer} does for us.
-In this case lemma @{thm[source]append_eq_conv_conj} alone suffices:
-@{thm[display] append_eq_conv_conj}
-We leave it to the reader to figure out why this lemma suffices to prove
-the above lemma, even without any knowledge of what the functions @{const take}
-and @{const drop} do. Keep in mind that the variables in the two lemmas
-are independent of each other, despite the same names, and that you can
-substitute arbitrary values for the free variables in a lemma.
-
-Just as for the other proof methods we have seen, there is no guarantee that
-\isacom{sledgehammer} will find a proof if it exists. Nor is
-\isacom{sledgehammer} superior to the other proof methods. They are
-incomparable. Therefore it is recommended to apply @{text simp} or @{text
-auto} before invoking \isacom{sledgehammer} on what is left.
-
-\subsubsection{Arithmetic}
-
-By arithmetic formulas we mean formulas involving variables, numbers, @{text
-"+"}, @{text"-"}, @{text "="}, @{text "<"}, @{text "\<le>"} and the usual logical
-connectives @{text"\<not>"}, @{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"},
-@{text"\<longleftrightarrow>"}. Strictly speaking, this is known as \concept{linear arithmetic}
-because it does not involve multiplication, although multiplication with
-numbers, e.g.\ @{text"2*n"} is allowed. Such formulas can be proved by
-@{text arith}:
-*}
-
-lemma "\<lbrakk> (a::nat) \<le> x + b; 2*x < c \<rbrakk> \<Longrightarrow> 2*a + 1 \<le> 2*b + c"
-by arith
-
-text{* In fact, @{text auto} and @{text simp} can prove many linear
-arithmetic formulas already, like the one above, by calling a weak but fast
-version of @{text arith}. Hence it is usually not necessary to invoke
-@{text arith} explicitly.
-
-The above example involves natural numbers, but integers (type @{typ int})
-and real numbers (type @{text real}) are supported as well. As are a number
-of further operators like @{const min} and @{const max}. On @{typ nat} and
-@{typ int}, @{text arith} can even prove theorems with quantifiers in them,
-but we will not enlarge on that here.
-
-
-\subsubsection{Trying them all}
-
-If you want to try all of the above automatic proof methods you simply type
-\begin{isabelle}
-\isacom{try}
-\end{isabelle}
-You can also add specific simplification and introduction rules:
-\begin{isabelle}
-\isacom{try} @{text"simp: \<dots> intro: \<dots>"}
-\end{isabelle}
-There is also a lightweight variant \isacom{try0} that does not call
-sledgehammer.
-
-\subsection{Single step proofs}
-
-Although automation is nice, it often fails, at least initially, and you need
-to find out why. When @{text fastforce} or @{text blast} simply fail, you have
-no clue why. At this point, the stepwise
-application of proof rules may be necessary. For example, if @{text blast}
-fails on @{prop"A \<and> B"}, you want to attack the two
-conjuncts @{text A} and @{text B} separately. This can
-be achieved by applying \emph{conjunction introduction}
-\[ @{thm[mode=Rule,show_question_marks]conjI}\ @{text conjI}
-\]
-to the proof state. We will now examine the details of this process.
-
-\subsubsection{Instantiating unknowns}
-
-We had briefly mentioned earlier that after proving some theorem,
-Isabelle replaces all free variables @{text x} by so called \concept{unknowns}
-@{text "?x"}. We can see this clearly in rule @{thm[source] conjI}.
-These unknowns can later be instantiated explicitly or implicitly:
-\begin{itemize}
-\item By hand, using @{text of}.
-The expression @{text"conjI[of \"a=b\" \"False\"]"}
-instantiates the unknowns in @{thm[source] conjI} from left to right with the
-two formulas @{text"a=b"} and @{text False}, yielding the rule
-@{thm[display,mode=Rule]conjI[of "a=b" False]}
-
-In general, @{text"th[of string\<^isub>1 \<dots> string\<^isub>n]"} instantiates
-the unknowns in the theorem @{text th} from left to right with the terms
-@{text string\<^isub>1} to @{text string\<^isub>n}.
-
-\item By unification. \concept{Unification} is the process of making two
-terms syntactically equal by suitable instantiations of unknowns. For example,
-unifying @{text"?P \<and> ?Q"} with \mbox{@{prop"a=b \<and> False"}} instantiates
-@{text "?P"} with @{prop "a=b"} and @{text "?Q"} with @{prop False}.
-\end{itemize}
-We need not instantiate all unknowns. If we want to skip a particular one we
-can just write @{text"_"} instead, for example @{text "conjI[of _ \"False\"]"}.
-Unknowns can also be instantiated by name, for example
-@{text "conjI[where ?P = \"a=b\" and ?Q = \"False\"]"}.
-
-
-\subsubsection{Rule application}
-
-\concept{Rule application} means applying a rule backwards to a proof state.
-For example, applying rule @{thm[source]conjI} to a proof state
-\begin{quote}
-@{text"1. \<dots> \<Longrightarrow> A \<and> B"}
-\end{quote}
-results in two subgoals, one for each premise of @{thm[source]conjI}:
-\begin{quote}
-@{text"1. \<dots> \<Longrightarrow> A"}\\
-@{text"2. \<dots> \<Longrightarrow> B"}
-\end{quote}
-In general, the application of a rule @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
-to a subgoal \mbox{@{text"\<dots> \<Longrightarrow> C"}} proceeds in two steps:
-\begin{enumerate}
-\item
-Unify @{text A} and @{text C}, thus instantiating the unknowns in the rule.
-\item
-Replace the subgoal @{text C} with @{text n} new subgoals @{text"A\<^isub>1"} to @{text"A\<^isub>n"}.
-\end{enumerate}
-This is the command to apply rule @{text xyz}:
-\begin{quote}
-\isacom{apply}@{text"(rule xyz)"}
-\end{quote}
-This is also called \concept{backchaining} with rule @{text xyz}.
-
-\subsubsection{Introduction rules}
-
-Conjunction introduction (@{thm[source] conjI}) is one example of a whole
-class of rules known as \concept{introduction rules}. They explain under which
-premises some logical construct can be introduced. Here are some further
-useful introduction rules:
-\[
-\inferrule*[right=\mbox{@{text impI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}}}{\mbox{@{text"?P \<longrightarrow> ?Q"}}}
-\qquad
-\inferrule*[right=\mbox{@{text allI}}]{\mbox{@{text"\<And>x. ?P x"}}}{\mbox{@{text"\<forall>x. ?P x"}}}
-\]
-\[
-\inferrule*[right=\mbox{@{text iffI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}} \\ \mbox{@{text"?Q \<Longrightarrow> ?P"}}}
- {\mbox{@{text"?P = ?Q"}}}
-\]
-These rules are part of the logical system of \concept{natural deduction}
-(e.g.\ \cite{HuthRyan}). Although we intentionally de-emphasize the basic rules
-of logic in favour of automatic proof methods that allow you to take bigger
-steps, these rules are helpful in locating where and why automation fails.
-When applied backwards, these rules decompose the goal:
-\begin{itemize}
-\item @{thm[source] conjI} and @{thm[source]iffI} split the goal into two subgoals,
-\item @{thm[source] impI} moves the left-hand side of a HOL implication into the list of assumptions,
-\item and @{thm[source] allI} removes a @{text "\<forall>"} by turning the quantified variable into a fixed local variable of the subgoal.
-\end{itemize}
-Isabelle knows about these and a number of other introduction rules.
-The command
-\begin{quote}
-\isacom{apply} @{text rule}
-\end{quote}
-automatically selects the appropriate rule for the current subgoal.
-
-You can also turn your own theorems into introduction rules by giving them
-the @{text"intro"} attribute, analogous to the @{text simp} attribute. In
-that case @{text blast}, @{text fastforce} and (to a limited extent) @{text
-auto} will automatically backchain with those theorems. The @{text intro}
-attribute should be used with care because it increases the search space and
-can lead to nontermination. Sometimes it is better to use it only in
-specific calls of @{text blast} and friends. For example,
-@{thm[source] le_trans}, transitivity of @{text"\<le>"} on type @{typ nat},
-is not an introduction rule by default because of the disastrous effect
-on the search space, but can be useful in specific situations:
-*}
-
-lemma "\<lbrakk> (a::nat) \<le> b; b \<le> c; c \<le> d; d \<le> e \<rbrakk> \<Longrightarrow> a \<le> e"
-by(blast intro: le_trans)
-
-text{*
-Of course this is just an example and could be proved by @{text arith}, too.
-
-\subsubsection{Forward proof}
-\label{sec:forward-proof}
-
-Forward proof means deriving new theorems from old theorems. We have already
-seen a very simple form of forward proof: the @{text of} operator for
-instantiating unknowns in a theorem. The big brother of @{text of} is @{text
-OF} for applying one theorem to others. Given a theorem @{prop"A \<Longrightarrow> B"} called
-@{text r} and a theorem @{text A'} called @{text r'}, the theorem @{text
-"r[OF r']"} is the result of applying @{text r} to @{text r'}, where @{text
-r} should be viewed as a function taking a theorem @{text A} and returning
-@{text B}. More precisely, @{text A} and @{text A'} are unified, thus
-instantiating the unknowns in @{text B}, and the result is the instantiated
-@{text B}. Of course, unification may also fail.
-\begin{warn}
-Application of rules to other rules operates in the forward direction: from
-the premises to the conclusion of the rule; application of rules to proof
-states operates in the backward direction, from the conclusion to the
-premises.
-\end{warn}
-
-In general @{text r} can be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
-and there can be multiple argument theorems @{text r\<^isub>1} to @{text r\<^isub>m}
-(with @{text"m \<le> n"}), in which case @{text "r[OF r\<^isub>1 \<dots> r\<^isub>m]"} is obtained
-by unifying and thus proving @{text "A\<^isub>i"} with @{text "r\<^isub>i"}, @{text"i = 1\<dots>m"}.
-Here is an example, where @{thm[source]refl} is the theorem
-@{thm[show_question_marks] refl}:
-*}
-
-thm conjI[OF refl[of "a"] refl[of "b"]]
-
-text{* yields the theorem @{thm conjI[OF refl[of "a"] refl[of "b"]]}.
-The command \isacom{thm} merely displays the result.
-
-Forward reasoning also makes sense in connection with proof states.
-Therefore @{text blast}, @{text fastforce} and @{text auto} support a modifier
-@{text dest} which instructs the proof method to use certain rules in a
-forward fashion. If @{text r} is of the form \mbox{@{text "A \<Longrightarrow> B"}}, the modifier
-\mbox{@{text"dest: r"}}
-allows proof search to reason forward with @{text r}, i.e.\
-to replace an assumption @{text A'}, where @{text A'} unifies with @{text A},
-with the correspondingly instantiated @{text B}. For example, @{thm[source,show_question_marks] Suc_leD} is the theorem \mbox{@{thm Suc_leD}}, which works well for forward reasoning:
-*}
-
-lemma "Suc(Suc(Suc a)) \<le> b \<Longrightarrow> a \<le> b"
-by(blast dest: Suc_leD)
-
-text{* In this particular example we could have backchained with
-@{thm[source] Suc_leD}, too, but because the premise is more complicated than the conclusion this can easily lead to nontermination.
-
-\subsubsection{Finding theorems}
-
-Command \isacom{find\_theorems} searches for specific theorems in the current
-theory. Search criteria include pattern matching on terms and on names.
-For details see the Isabelle/Isar Reference Manual~\cite{IsarRef}.
-\bigskip
-
-\begin{warn}
-To ease readability we will drop the question marks
-in front of unknowns from now on.
-\end{warn}
-
-
-\section{Inductive definitions}
-\label{sec:inductive-defs}
-
-Inductive definitions are the third important definition facility, after
-datatypes and recursive function.
-\sem
-In fact, they are the key construct in the
-definition of operational semantics in the second part of the book.
-\endsem
-
-\subsection{An example: even numbers}
-\label{sec:Logic:even}
-
-Here is a simple example of an inductively defined predicate:
-\begin{itemize}
-\item 0 is even
-\item If $n$ is even, so is $n+2$.
-\end{itemize}
-The operative word ``inductive'' means that these are the only even numbers.
-In Isabelle we give the two rules the names @{text ev0} and @{text evSS}
-and write
-*}
-
-inductive ev :: "nat \<Rightarrow> bool" where
-ev0: "ev 0" |
-evSS: (*<*)"ev n \<Longrightarrow> ev (Suc(Suc n))"(*>*)
-text_raw{* @{prop[source]"ev n \<Longrightarrow> ev (n + 2)"} *}
-
-text{* To get used to inductive definitions, we will first prove a few
-properties of @{const ev} informally before we descend to the Isabelle level.
-
-How do we prove that some number is even, e.g.\ @{prop "ev 4"}? Simply by combining the defining rules for @{const ev}:
-\begin{quote}
-@{text "ev 0 \<Longrightarrow> ev (0 + 2) \<Longrightarrow> ev((0 + 2) + 2) = ev 4"}
-\end{quote}
-
-\subsubsection{Rule induction}
-
-Showing that all even numbers have some property is more complicated. For
-example, let us prove that the inductive definition of even numbers agrees
-with the following recursive one:*}
-
-fun even :: "nat \<Rightarrow> bool" where
-"even 0 = True" |
-"even (Suc 0) = False" |
-"even (Suc(Suc n)) = even n"
-
-text{* We prove @{prop"ev m \<Longrightarrow> even m"}. That is, we
-assume @{prop"ev m"} and by induction on the form of its derivation
-prove @{prop"even m"}. There are two cases corresponding to the two rules
-for @{const ev}:
-\begin{description}
-\item[Case @{thm[source]ev0}:]
- @{prop"ev m"} was derived by rule @{prop "ev 0"}: \\
- @{text"\<Longrightarrow>"} @{prop"m=(0::nat)"} @{text"\<Longrightarrow>"} @{text "even m = even 0 = True"}
-\item[Case @{thm[source]evSS}:]
- @{prop"ev m"} was derived by rule @{prop "ev n \<Longrightarrow> ev(n+2)"}: \\
-@{text"\<Longrightarrow>"} @{prop"m=n+(2::nat)"} and by induction hypothesis @{prop"even n"}\\
-@{text"\<Longrightarrow>"} @{text"even m = even(n + 2) = even n = True"}
-\end{description}
-
-What we have just seen is a special case of \concept{rule induction}.
-Rule induction applies to propositions of this form
-\begin{quote}
-@{prop "ev n \<Longrightarrow> P n"}
-\end{quote}
-That is, we want to prove a property @{prop"P n"}
-for all even @{text n}. But if we assume @{prop"ev n"}, then there must be
-some derivation of this assumption using the two defining rules for
-@{const ev}. That is, we must prove
-\begin{description}
-\item[Case @{thm[source]ev0}:] @{prop"P(0::nat)"}
-\item[Case @{thm[source]evSS}:] @{prop"\<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n + 2::nat)"}
-\end{description}
-The corresponding rule is called @{thm[source] ev.induct} and looks like this:
-\[
-\inferrule{
-\mbox{@{thm (prem 1) ev.induct[of "n"]}}\\
-\mbox{@{thm (prem 2) ev.induct}}\\
-\mbox{@{prop"!!n. \<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n+2)"}}}
-{\mbox{@{thm (concl) ev.induct[of "n"]}}}
-\]
-The first premise @{prop"ev n"} enforces that this rule can only be applied
-in situations where we know that @{text n} is even.
-
-Note that in the induction step we may not just assume @{prop"P n"} but also
-\mbox{@{prop"ev n"}}, which is simply the premise of rule @{thm[source]
-evSS}. Here is an example where the local assumption @{prop"ev n"} comes in
-handy: we prove @{prop"ev m \<Longrightarrow> ev(m - 2)"} by induction on @{prop"ev m"}.
-Case @{thm[source]ev0} requires us to prove @{prop"ev(0 - 2)"}, which follows
-from @{prop"ev 0"} because @{prop"0 - 2 = (0::nat)"} on type @{typ nat}. In
-case @{thm[source]evSS} we have \mbox{@{prop"m = n+(2::nat)"}} and may assume
-@{prop"ev n"}, which implies @{prop"ev (m - 2)"} because @{text"m - 2 = (n +
-2) - 2 = n"}. We did not need the induction hypothesis at all for this proof,
-it is just a case analysis of which rule was used, but having @{prop"ev
-n"} at our disposal in case @{thm[source]evSS} was essential.
-This case analysis of rules is also called ``rule inversion''
-and is discussed in more detail in \autoref{ch:Isar}.
-
-\subsubsection{In Isabelle}
-
-Let us now recast the above informal proofs in Isabelle. For a start,
-we use @{const Suc} terms instead of numerals in rule @{thm[source]evSS}:
-@{thm[display] evSS}
-This avoids the difficulty of unifying @{text"n+2"} with some numeral,
-which is not automatic.
-
-The simplest way to prove @{prop"ev(Suc(Suc(Suc(Suc 0))))"} is in a forward
-direction: @{text "evSS[OF evSS[OF ev0]]"} yields the theorem @{thm evSS[OF
-evSS[OF ev0]]}. Alternatively, you can also prove it as a lemma in backwards
-fashion. Although this is more verbose, it allows us to demonstrate how each
-rule application changes the proof state: *}
-
-lemma "ev(Suc(Suc(Suc(Suc 0))))"
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-*}
-apply(rule evSS)
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-*}
-apply(rule evSS)
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-*}
-apply(rule ev0)
-done
-
-text{* \indent
-Rule induction is applied by giving the induction rule explicitly via the
-@{text"rule:"} modifier:*}
-
-lemma "ev m \<Longrightarrow> even m"
-apply(induction rule: ev.induct)
-by(simp_all)
-
-text{* Both cases are automatic. Note that if there are multiple assumptions
-of the form @{prop"ev t"}, method @{text induction} will induct on the leftmost
-one.
-
-As a bonus, we also prove the remaining direction of the equivalence of
-@{const ev} and @{const even}:
-*}
-
-lemma "even n \<Longrightarrow> ev n"
-apply(induction n rule: even.induct)
-
-txt{* This is a proof by computation induction on @{text n} (see
-\autoref{sec:recursive-funs}) that sets up three subgoals corresponding to
-the three equations for @{const even}:
-@{subgoals[display,indent=0]}
-The first and third subgoals follow with @{thm[source]ev0} and @{thm[source]evSS}, and the second subgoal is trivially true because @{prop"even(Suc 0)"} is @{const False}:
-*}
-
-by (simp_all add: ev0 evSS)
-
-text{* The rules for @{const ev} make perfect simplification and introduction
-rules because their premises are always smaller than the conclusion. It
-makes sense to turn them into simplification and introduction rules
-permanently, to enhance proof automation: *}
-
-declare ev.intros[simp,intro]
-
-text{* The rules of an inductive definition are not simplification rules by
-default because, in contrast to recursive functions, there is no termination
-requirement for inductive definitions.
-
-\subsubsection{Inductive versus recursive}
-
-We have seen two definitions of the notion of evenness, an inductive and a
-recursive one. Which one is better? Much of the time, the recursive one is
-more convenient: it allows us to do rewriting in the middle of terms, and it
-expresses both the positive information (which numbers are even) and the
-negative information (which numbers are not even) directly. An inductive
-definition only expresses the positive information directly. The negative
-information, for example, that @{text 1} is not even, has to be proved from
-it (by induction or rule inversion). On the other hand, rule induction is
-tailor-made for proving \mbox{@{prop"ev n \<Longrightarrow> P n"}} because it only asks you
-to prove the positive cases. In the proof of @{prop"even n \<Longrightarrow> P n"} by
-computation induction via @{thm[source]even.induct}, we are also presented
-with the trivial negative cases. If you want the convenience of both
-rewriting and rule induction, you can make two definitions and show their
-equivalence (as above) or make one definition and prove additional properties
-from it, for example rule induction from computation induction.
-
-But many concepts do not admit a recursive definition at all because there is
-no datatype for the recursion (for example, the transitive closure of a
-relation), or the recursion would not terminate (for example,
-an interpreter for a programming language). Even if there is a recursive
-definition, if we are only interested in the positive information, the
-inductive definition may be much simpler.
-
-\subsection{The reflexive transitive closure}
-\label{sec:star}
-
-Evenness is really more conveniently expressed recursively than inductively.
-As a second and very typical example of an inductive definition we define the
-reflexive transitive closure.
-\sem
-It will also be an important building block for
-some of the semantics considered in the second part of the book.
-\endsem
-
-The reflexive transitive closure, called @{text star} below, is a function
-that maps a binary predicate to another binary predicate: if @{text r} is of
-type @{text"\<tau> \<Rightarrow> \<tau> \<Rightarrow> bool"} then @{term "star r"} is again of type @{text"\<tau> \<Rightarrow>
-\<tau> \<Rightarrow> bool"}, and @{prop"star r x y"} means that @{text x} and @{text y} are in
-the relation @{term"star r"}. Think @{term"r^*"} when you see @{term"star
-r"}, because @{text"star r"} is meant to be the reflexive transitive closure.
-That is, @{prop"star r x y"} is meant to be true if from @{text x} we can
-reach @{text y} in finitely many @{text r} steps. This concept is naturally
-defined inductively: *}
-
-inductive star :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a \<Rightarrow> bool" for r where
-refl: "star r x x" |
-step: "r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
-
-text{* The base case @{thm[source] refl} is reflexivity: @{term "x=y"}. The
-step case @{thm[source]step} combines an @{text r} step (from @{text x} to
-@{text y}) and a @{term"star r"} step (from @{text y} to @{text z}) into a
-@{term"star r"} step (from @{text x} to @{text z}).
-The ``\isacom{for}~@{text r}'' in the header is merely a hint to Isabelle
-that @{text r} is a fixed parameter of @{const star}, in contrast to the
-further parameters of @{const star}, which change. As a result, Isabelle
-generates a simpler induction rule.
-
-By definition @{term"star r"} is reflexive. It is also transitive, but we
-need rule induction to prove that: *}
-
-lemma star_trans: "star r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
-apply(induction rule: star.induct)
-(*<*)
-defer
-apply(rename_tac u x y)
-defer
-(*>*)
-txt{* The induction is over @{prop"star r x y"} and we try to prove
-\mbox{@{prop"star r y z \<Longrightarrow> star r x z"}},
-which we abbreviate by @{prop"P x y"}. These are our two subgoals:
-@{subgoals[display,indent=0]}
-The first one is @{prop"P x x"}, the result of case @{thm[source]refl},
-and it is trivial.
-*}
-apply(assumption)
-txt{* Let us examine subgoal @{text 2}, case @{thm[source] step}.
-Assumptions @{prop"r u x"} and \mbox{@{prop"star r x y"}}
-are the premises of rule @{thm[source]step}.
-Assumption @{prop"star r y z \<Longrightarrow> star r x z"} is \mbox{@{prop"P x y"}},
-the IH coming from @{prop"star r x y"}. We have to prove @{prop"P u y"},
-which we do by assuming @{prop"star r y z"} and proving @{prop"star r u z"}.
-The proof itself is straightforward: from \mbox{@{prop"star r y z"}} the IH
-leads to @{prop"star r x z"} which, together with @{prop"r u x"},
-leads to \mbox{@{prop"star r u z"}} via rule @{thm[source]step}:
-*}
-apply(metis step)
-done
-
-text{*
-
-\subsection{The general case}
-
-Inductive definitions have approximately the following general form:
-\begin{quote}
-\isacom{inductive} @{text"I :: \"\<tau> \<Rightarrow> bool\""} \isacom{where}
-\end{quote}
-followed by a sequence of (possibly named) rules of the form
-\begin{quote}
-@{text "\<lbrakk> I a\<^isub>1; \<dots>; I a\<^isub>n \<rbrakk> \<Longrightarrow> I a"}
-\end{quote}
-separated by @{text"|"}. As usual, @{text n} can be 0.
-The corresponding rule induction principle
-@{text I.induct} applies to propositions of the form
-\begin{quote}
-@{prop "I x \<Longrightarrow> P x"}
-\end{quote}
-where @{text P} may itself be a chain of implications.
-\begin{warn}
-Rule induction is always on the leftmost premise of the goal.
-Hence @{text "I x"} must be the first premise.
-\end{warn}
-Proving @{prop "I x \<Longrightarrow> P x"} by rule induction means proving
-for every rule of @{text I} that @{text P} is invariant:
-\begin{quote}
-@{text "\<lbrakk> I a\<^isub>1; P a\<^isub>1; \<dots>; I a\<^isub>n; P a\<^isub>n \<rbrakk> \<Longrightarrow> P a"}
-\end{quote}
-
-The above format for inductive definitions is simplified in a number of
-respects. @{text I} can have any number of arguments and each rule can have
-additional premises not involving @{text I}, so-called \concept{side
-conditions}. In rule inductions, these side-conditions appear as additional
-assumptions. The \isacom{for} clause seen in the definition of the reflexive
-transitive closure merely simplifies the form of the induction rule.
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/ProgProve/MyList.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,17 +0,0 @@
-theory MyList
-imports Main
-begin
-
-datatype 'a list = Nil | Cons 'a "'a list"
-
-fun app :: "'a list => 'a list => 'a list" where
-"app Nil ys = ys" |
-"app (Cons x xs) ys = Cons x (app xs ys)"
-
-fun rev :: "'a list => 'a list" where
-"rev Nil = Nil" |
-"rev (Cons x xs) = app (rev xs) (Cons x Nil)"
-
-value "rev(Cons True (Cons False Nil))"
-
-end
--- a/doc-src/ProgProve/Types_and_funs.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,479 +0,0 @@
-(*<*)
-theory Types_and_funs
-imports Main
-begin
-(*>*)
-text{*
-\vspace{-5ex}
-\section{Type and function definitions}
-
-Type synonyms are abbreviations for existing types, for example
-*}
-
-type_synonym string = "char list"
-
-text{*
-Type synonyms are expanded after parsing and are not present in internal representation and output. They are mere conveniences for the reader.
-
-\subsection{Datatypes}
-
-The general form of a datatype definition looks like this:
-\begin{quote}
-\begin{tabular}{@ {}rclcll}
-\isacom{datatype} @{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"}
- & = & $C_1 \ @{text"\""}\tau_{1,1}@{text"\""} \dots @{text"\""}\tau_{1,n_1}@{text"\""}$ \\
- & $|$ & \dots \\
- & $|$ & $C_k \ @{text"\""}\tau_{k,1}@{text"\""} \dots @{text"\""}\tau_{k,n_k}@{text"\""}$
-\end{tabular}
-\end{quote}
-It introduces the constructors \
-$C_i :: \tau_{i,1}\Rightarrow \cdots \Rightarrow \tau_{i,n_i} \Rightarrow$~@{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"} \ and expresses that any value of this type is built from these constructors in a unique manner. Uniqueness is implied by the following
-properties of the constructors:
-\begin{itemize}
-\item \emph{Distinctness:} $C_i\ \ldots \neq C_j\ \dots$ \quad if $i \neq j$
-\item \emph{Injectivity:}
-\begin{tabular}[t]{l}
- $(C_i \ x_1 \dots x_{n_i} = C_i \ y_1 \dots y_{n_i}) =$\\
- $(x_1 = y_1 \land \dots \land x_{n_i} = y_{n_i})$
-\end{tabular}
-\end{itemize}
-The fact that any value of the datatype is built from the constructors implies
-the structural induction rule: to show
-$P~x$ for all $x$ of type @{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"},
-one needs to show $P(C_i\ x_1 \dots x_{n_i})$ (for each $i$) assuming
-$P(x_j)$ for all $j$ where $\tau_{i,j} =$~@{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"}.
-Distinctness and injectivity are applied automatically by @{text auto}
-and other proof methods. Induction must be applied explicitly.
-
-Datatype values can be taken apart with case-expressions, for example
-\begin{quote}
-\noquotes{@{term[source] "(case xs of [] \<Rightarrow> 0 | x # _ \<Rightarrow> Suc x)"}}
-\end{quote}
-just like in functional programming languages. Case expressions
-must be enclosed in parentheses.
-
-As an example, consider binary trees:
-*}
-
-datatype 'a tree = Tip | Node "'a tree" 'a "'a tree"
-
-text{* with a mirror function: *}
-
-fun mirror :: "'a tree \<Rightarrow> 'a tree" where
-"mirror Tip = Tip" |
-"mirror (Node l a r) = Node (mirror r) a (mirror l)"
-
-text{* The following lemma illustrates induction: *}
-
-lemma "mirror(mirror t) = t"
-apply(induction t)
-
-txt{* yields
-@{subgoals[display]}
-The induction step contains two induction hypotheses, one for each subtree.
-An application of @{text auto} finishes the proof.
-
-A very simple but also very useful datatype is the predefined
-@{datatype[display] option}
-Its sole purpose is to add a new element @{const None} to an existing
-type @{typ 'a}. To make sure that @{const None} is distinct from all the
-elements of @{typ 'a}, you wrap them up in @{const Some} and call
-the new type @{typ"'a option"}. A typical application is a lookup function
-on a list of key-value pairs, often called an association list:
-*}
-(*<*)
-apply auto
-done
-(*>*)
-fun lookup :: "('a * 'b) list \<Rightarrow> 'a \<Rightarrow> 'b option" where
-"lookup [] x = None" |
-"lookup ((a,b) # ps) x = (if a = x then Some b else lookup ps x)"
-
-text{*
-Note that @{text"\<tau>\<^isub>1 * \<tau>\<^isub>2"} is the type of pairs, also written @{text"\<tau>\<^isub>1 \<times> \<tau>\<^isub>2"}.
-
-\subsection{Definitions}
-
-Non recursive functions can be defined as in the following example:
-*}
-
-definition sq :: "nat \<Rightarrow> nat" where
-"sq n = n * n"
-
-text{* Such definitions do not allow pattern matching but only
-@{text"f x\<^isub>1 \<dots> x\<^isub>n = t"}, where @{text f} does not occur in @{text t}.
-
-\subsection{Abbreviations}
-
-Abbreviations are similar to definitions:
-*}
-
-abbreviation sq' :: "nat \<Rightarrow> nat" where
-"sq' n == n * n"
-
-text{* The key difference is that @{const sq'} is only syntactic sugar:
-@{term"sq' t"} is replaced by \mbox{@{term"t*t"}} after parsing, and every
-occurrence of a term @{term"u*u"} is replaced by \mbox{@{term"sq' u"}} before
-printing. Internally, @{const sq'} does not exist. This is also the
-advantage of abbreviations over definitions: definitions need to be expanded
-explicitly (see \autoref{sec:rewr-defs}) whereas abbreviations are already
-expanded upon parsing. However, abbreviations should be introduced sparingly:
-if abused, they can lead to a confusing discrepancy between the internal and
-external view of a term.
-
-\subsection{Recursive functions}
-\label{sec:recursive-funs}
-
-Recursive functions are defined with \isacom{fun} by pattern matching
-over datatype constructors. The order of equations matters. Just as in
-functional programming languages. However, all HOL functions must be
-total. This simplifies the logic---terms are always defined---but means
-that recursive functions must terminate. Otherwise one could define a
-function @{prop"f n = f n + (1::nat)"} and conclude \mbox{@{prop"(0::nat) = 1"}} by
-subtracting @{term"f n"} on both sides.
-
-Isabelle's automatic termination checker requires that the arguments of
-recursive calls on the right-hand side must be strictly smaller than the
-arguments on the left-hand side. In the simplest case, this means that one
-fixed argument position decreases in size with each recursive call. The size
-is measured as the number of constructors (excluding 0-ary ones, e.g.\ @{text
-Nil}). Lexicographic combinations are also recognized. In more complicated
-situations, the user may have to prove termination by hand. For details
-see~\cite{Krauss}.
-
-Functions defined with \isacom{fun} come with their own induction schema
-that mirrors the recursion schema and is derived from the termination
-order. For example,
-*}
-
-fun div2 :: "nat \<Rightarrow> nat" where
-"div2 0 = 0" |
-"div2 (Suc 0) = Suc 0" |
-"div2 (Suc(Suc n)) = Suc(div2 n)"
-
-text{* does not just define @{const div2} but also proves a
-customized induction rule:
-\[
-\inferrule{
-\mbox{@{thm (prem 1) div2.induct}}\\
-\mbox{@{thm (prem 2) div2.induct}}\\
-\mbox{@{thm (prem 3) div2.induct}}}
-{\mbox{@{thm (concl) div2.induct[of _ "m"]}}}
-\]
-This customized induction rule can simplify inductive proofs. For example,
-*}
-
-lemma "div2(n+n) = n"
-apply(induction n rule: div2.induct)
-
-txt{* yields the 3 subgoals
-@{subgoals[display,margin=65]}
-An application of @{text auto} finishes the proof.
-Had we used ordinary structural induction on @{text n},
-the proof would have needed an additional
-case analysis in the induction step.
-
-The general case is often called \concept{computation induction},
-because the induction follows the (terminating!) computation.
-For every defining equation
-\begin{quote}
-@{text "f(e) = \<dots> f(r\<^isub>1) \<dots> f(r\<^isub>k) \<dots>"}
-\end{quote}
-where @{text"f(r\<^isub>i)"}, @{text"i=1\<dots>k"}, are all the recursive calls,
-the induction rule @{text"f.induct"} contains one premise of the form
-\begin{quote}
-@{text"P(r\<^isub>1) \<Longrightarrow> \<dots> \<Longrightarrow> P(r\<^isub>k) \<Longrightarrow> P(e)"}
-\end{quote}
-If @{text "f :: \<tau>\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> \<tau>\<^isub>n \<Rightarrow> \<tau>"} then @{text"f.induct"} is applied like this:
-\begin{quote}
-\isacom{apply}@{text"(induction x\<^isub>1 \<dots> x\<^isub>n rule: f.induct)"}
-\end{quote}
-where typically there is a call @{text"f x\<^isub>1 \<dots> x\<^isub>n"} in the goal.
-But note that the induction rule does not mention @{text f} at all,
-except in its name, and is applicable independently of @{text f}.
-
-\section{Induction heuristics}
-
-We have already noted that theorems about recursive functions are proved by
-induction. In case the function has more than one argument, we have followed
-the following heuristic in the proofs about the append function:
-\begin{quote}
-\emph{Perform induction on argument number $i$\\
- if the function is defined by recursion on argument number $i$.}
-\end{quote}
-The key heuristic, and the main point of this section, is to
-\emph{generalize the goal before induction}.
-The reason is simple: if the goal is
-too specific, the induction hypothesis is too weak to allow the induction
-step to go through. Let us illustrate the idea with an example.
-
-Function @{const rev} has quadratic worst-case running time
-because it calls append for each element of the list and
-append is linear in its first argument. A linear time version of
-@{const rev} requires an extra argument where the result is accumulated
-gradually, using only~@{text"#"}:
-*}
-(*<*)
-apply auto
-done
-(*>*)
-fun itrev :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
-"itrev [] ys = ys" |
-"itrev (x#xs) ys = itrev xs (x#ys)"
-
-text{* The behaviour of @{const itrev} is simple: it reverses
-its first argument by stacking its elements onto the second argument,
-and it returns that second argument when the first one becomes
-empty. Note that @{const itrev} is tail-recursive: it can be
-compiled into a loop, no stack is necessary for executing it.
-
-Naturally, we would like to show that @{const itrev} does indeed reverse
-its first argument provided the second one is empty:
-*}
-
-lemma "itrev xs [] = rev xs"
-
-txt{* There is no choice as to the induction variable:
-*}
-
-apply(induction xs)
-apply(auto)
-
-txt{*
-Unfortunately, this attempt does not prove
-the induction step:
-@{subgoals[display,margin=70]}
-The induction hypothesis is too weak. The fixed
-argument,~@{term"[]"}, prevents it from rewriting the conclusion.
-This example suggests a heuristic:
-\begin{quote}
-\emph{Generalize goals for induction by replacing constants by variables.}
-\end{quote}
-Of course one cannot do this na\"{\i}vely: @{prop"itrev xs ys = rev xs"} is
-just not true. The correct generalization is
-*};
-(*<*)oops;(*>*)
-lemma "itrev xs ys = rev xs @ ys"
-(*<*)apply(induction xs, auto)(*>*)
-txt{*
-If @{text ys} is replaced by @{term"[]"}, the right-hand side simplifies to
-@{term"rev xs"}, as required.
-In this instance it was easy to guess the right generalization.
-Other situations can require a good deal of creativity.
-
-Although we now have two variables, only @{text xs} is suitable for
-induction, and we repeat our proof attempt. Unfortunately, we are still
-not there:
-@{subgoals[display,margin=65]}
-The induction hypothesis is still too weak, but this time it takes no
-intuition to generalize: the problem is that the @{text ys}
-in the induction hypothesis is fixed,
-but the induction hypothesis needs to be applied with
-@{term"a # ys"} instead of @{text ys}. Hence we prove the theorem
-for all @{text ys} instead of a fixed one. We can instruct induction
-to perform this generalization for us by adding @{text "arbitrary: ys"}.
-*}
-(*<*)oops
-lemma "itrev xs ys = rev xs @ ys"
-(*>*)
-apply(induction xs arbitrary: ys)
-
-txt{* The induction hypothesis in the induction step is now universally quantified over @{text ys}:
-@{subgoals[display,margin=65]}
-Thus the proof succeeds:
-*}
-
-apply auto
-done
-
-text{*
-This leads to another heuristic for generalization:
-\begin{quote}
-\emph{Generalize induction by generalizing all free
-variables\\ {\em(except the induction variable itself)}.}
-\end{quote}
-Generalization is best performed with @{text"arbitrary: y\<^isub>1 \<dots> y\<^isub>k"}.
-This heuristic prevents trivial failures like the one above.
-However, it should not be applied blindly.
-It is not always required, and the additional quantifiers can complicate
-matters in some cases. The variables that need to be quantified are typically
-those that change in recursive calls.
-
-\section{Simplification}
-
-So far we have talked a lot about simplifying terms without explaining the concept. \concept{Simplification} means
-\begin{itemize}
-\item using equations $l = r$ from left to right (only),
-\item as long as possible.
-\end{itemize}
-To emphasize the directionality, equations that have been given the
-@{text"simp"} attribute are called \concept{simplification}
-rules. Logically, they are still symmetric, but proofs by
-simplification use them only in the left-to-right direction. The proof tool
-that performs simplifications is called the \concept{simplifier}. It is the
-basis of @{text auto} and other related proof methods.
-
-The idea of simplification is best explained by an example. Given the
-simplification rules
-\[
-\begin{array}{rcl@ {\quad}l}
-@{term"0 + n::nat"} &@{text"="}& @{text n} & (1) \\
-@{term"(Suc m) + n"} &@{text"="}& @{term"Suc (m + n)"} & (2) \\
-@{text"(Suc m \<le> Suc n)"} &@{text"="}& @{text"(m \<le> n)"} & (3)\\
-@{text"(0 \<le> m)"} &@{text"="}& @{const True} & (4)
-\end{array}
-\]
-the formula @{prop"0 + Suc 0 \<le> Suc 0 + x"} is simplified to @{const True}
-as follows:
-\[
-\begin{array}{r@ {}c@ {}l@ {\quad}l}
-@{text"(0 + Suc 0"} & \leq & @{text"Suc 0 + x)"} & \stackrel{(1)}{=} \\
-@{text"(Suc 0"} & \leq & @{text"Suc 0 + x)"} & \stackrel{(2)}{=} \\
-@{text"(Suc 0"} & \leq & @{text"Suc (0 + x)"} & \stackrel{(3)}{=} \\
-@{text"(0"} & \leq & @{text"0 + x)"} & \stackrel{(4)}{=} \\[1ex]
- & @{const True}
-\end{array}
-\]
-Simplification is often also called \concept{rewriting}
-and simplification rules \concept{rewrite rules}.
-
-\subsection{Simplification rules}
-
-The attribute @{text"simp"} declares theorems to be simplification rules,
-which the simplifier will use automatically. In addition,
-\isacom{datatype} and \isacom{fun} commands implicitly declare some
-simplification rules: \isacom{datatype} the distinctness and injectivity
-rules, \isacom{fun} the defining equations. Definitions are not declared
-as simplification rules automatically! Nearly any theorem can become a
-simplification rule. The simplifier will try to transform it into an
-equation. For example, the theorem @{prop"\<not> P"} is turned into @{prop"P = False"}.
-
-Only equations that really simplify, like @{prop"rev (rev xs) = xs"} and
-@{prop"xs @ [] = xs"}, should be declared as simplification
-rules. Equations that may be counterproductive as simplification rules
-should only be used in specific proof steps (see \S\ref{sec:simp} below).
-Distributivity laws, for example, alter the structure of terms
-and can produce an exponential blow-up.
-
-\subsection{Conditional simplification rules}
-
-Simplification rules can be conditional. Before applying such a rule, the
-simplifier will first try to prove the preconditions, again by
-simplification. For example, given the simplification rules
-\begin{quote}
-@{prop"p(0::nat) = True"}\\
-@{prop"p(x) \<Longrightarrow> f(x) = g(x)"},
-\end{quote}
-the term @{term"f(0::nat)"} simplifies to @{term"g(0::nat)"}
-but @{term"f(1::nat)"} does not simplify because @{prop"p(1::nat)"}
-is not provable.
-
-\subsection{Termination}
-
-Simplification can run forever, for example if both @{prop"f x = g x"} and
-@{prop"g(x) = f(x)"} are simplification rules. It is the user's
-responsibility not to include simplification rules that can lead to
-nontermination, either on their own or in combination with other
-simplification rules. The right-hand side of a simplification rule should
-always be ``simpler'' than the left-hand side---in some sense. But since
-termination is undecidable, such a check cannot be automated completely
-and Isabelle makes little attempt to detect nontermination.
-
-When conditional simplification rules are applied, their preconditions are
-proved first. Hence all preconditions need to be
-simpler than the left-hand side of the conclusion. For example
-\begin{quote}
-@{prop "n < m \<Longrightarrow> (n < Suc m) = True"}
-\end{quote}
-is suitable as a simplification rule: both @{prop"n<m"} and @{const True}
-are simpler than \mbox{@{prop"n < Suc m"}}. But
-\begin{quote}
-@{prop "Suc n < m \<Longrightarrow> (n < m) = True"}
-\end{quote}
-leads to nontermination: when trying to rewrite @{prop"n<m"} to @{const True}
-one first has to prove \mbox{@{prop"Suc n < m"}}, which can be rewritten to @{const True} provided @{prop"Suc(Suc n) < m"}, \emph{ad infinitum}.
-
-\subsection{The @{text simp} proof method}
-\label{sec:simp}
-
-So far we have only used the proof method @{text auto}. Method @{text simp}
-is the key component of @{text auto}, but @{text auto} can do much more. In
-some cases, @{text auto} is overeager and modifies the proof state too much.
-In such cases the more predictable @{text simp} method should be used.
-Given a goal
-\begin{quote}
-@{text"1. \<lbrakk> P\<^isub>1; \<dots>; P\<^isub>m \<rbrakk> \<Longrightarrow> C"}
-\end{quote}
-the command
-\begin{quote}
-\isacom{apply}@{text"(simp add: th\<^isub>1 \<dots> th\<^isub>n)"}
-\end{quote}
-simplifies the assumptions @{text "P\<^isub>i"} and the conclusion @{text C} using
-\begin{itemize}
-\item all simplification rules, including the ones coming from \isacom{datatype} and \isacom{fun},
-\item the additional lemmas @{text"th\<^isub>1 \<dots> th\<^isub>n"}, and
-\item the assumptions.
-\end{itemize}
-In addition to or instead of @{text add} there is also @{text del} for removing
-simplification rules temporarily. Both are optional. Method @{text auto}
-can be modified similarly:
-\begin{quote}
-\isacom{apply}@{text"(auto simp add: \<dots> simp del: \<dots>)"}
-\end{quote}
-Here the modifiers are @{text"simp add"} and @{text"simp del"}
-instead of just @{text add} and @{text del} because @{text auto}
-does not just perform simplification.
-
-Note that @{text simp} acts only on subgoal 1, @{text auto} acts on all
-subgoals. There is also @{text simp_all}, which applies @{text simp} to
-all subgoals.
-
-\subsection{Rewriting with definitions}
-\label{sec:rewr-defs}
-
-Definitions introduced by the command \isacom{definition}
-can also be used as simplification rules,
-but by default they are not: the simplifier does not expand them
-automatically. Definitions are intended for introducing abstract concepts and
-not merely as abbreviations. Of course, we need to expand the definition
-initially, but once we have proved enough abstract properties of the new
-constant, we can forget its original definition. This style makes proofs more
-robust: if the definition has to be changed, only the proofs of the abstract
-properties will be affected.
-
-The definition of a function @{text f} is a theorem named @{text f_def}
-and can be added to a call of @{text simp} just like any other theorem:
-\begin{quote}
-\isacom{apply}@{text"(simp add: f_def)"}
-\end{quote}
-In particular, let-expressions can be unfolded by
-making @{thm[source] Let_def} a simplification rule.
-
-\subsection{Case splitting with @{text simp}}
-
-Goals containing if-expressions are automatically split into two cases by
-@{text simp} using the rule
-\begin{quote}
-@{prop"P(if A then s else t) = ((A \<longrightarrow> P(s)) \<and> (~A \<longrightarrow> P(t)))"}
-\end{quote}
-For example, @{text simp} can prove
-\begin{quote}
-@{prop"(A \<and> B) = (if A then B else False)"}
-\end{quote}
-because both @{prop"A \<longrightarrow> (A & B) = B"} and @{prop"~A \<longrightarrow> (A & B) = False"}
-simplify to @{const True}.
-
-We can split case-expressions similarly. For @{text nat} the rule looks like this:
-@{prop[display,margin=65,indent=4]"P(case e of 0 \<Rightarrow> a | Suc n \<Rightarrow> b n) = ((e = 0 \<longrightarrow> P a) & (ALL n. e = Suc n \<longrightarrow> P(b n)))"}
-Case expressions are not split automatically by @{text simp}, but @{text simp}
-can be instructed to do so:
-\begin{quote}
-\isacom{apply}@{text"(simp split: nat.split)"}
-\end{quote}
-splits all case-expressions over natural numbers. For an arbitrary
-datatype @{text t} it is @{text "t.split"} instead of @{thm[source] nat.split}.
-Method @{text auto} can be modified in exactly the same way.
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/ProgProve/document/bang.eps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,94 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%BoundingBox: 0 0 24 40
-%%HiResBoundingBox: 0.000000 0.000000 23.040001 39.420002
-%.............................................
-%%Creator: GPL Ghostscript 871 (epswrite)
-%%CreationDate: 2012/04/02 04:50:05
-%%DocumentData: Clean7Bit
-%%LanguageLevel: 2
-%%EndComments
-%%BeginProlog
-% This copyright applies to everything between here and the %%EndProlog:
-% Copyright (C) 2010 Artifex Software, Inc. All rights reserved.
-%%BeginResource: procset GS_epswrite_2_0_1001 1.001 0
-/GS_epswrite_2_0_1001 80 dict dup begin
-/PageSize 2 array def/setpagesize{ PageSize aload pop 3 index eq exch
-4 index eq and{ pop pop pop}{ PageSize dup 1
-5 -1 roll put 0 4 -1 roll put dup null eq {false} {dup where} ifelse{ exch get exec}
-{ pop/setpagedevice where
-{ pop 1 dict dup /PageSize PageSize put setpagedevice}
-{ /setpage where{ pop PageSize aload pop pageparams 3 {exch pop} repeat
-setpage}if}ifelse}ifelse}ifelse} bind def
-/!{bind def}bind def/#{load def}!/N/counttomark #
-/rG{3{3 -1 roll 255 div}repeat setrgbcolor}!/G{255 div setgray}!/K{0 G}!
-/r6{dup 3 -1 roll rG}!/r5{dup 3 1 roll rG}!/r3{dup rG}!
-/w/setlinewidth #/J/setlinecap #
-/j/setlinejoin #/M/setmiterlimit #/d/setdash #/i/setflat #
-/m/moveto #/l/lineto #/c/rcurveto #
-/p{N 2 idiv{N -2 roll rlineto}repeat}!
-/P{N 0 gt{N -2 roll moveto p}if}!
-/h{p closepath}!/H{P closepath}!
-/lx{0 rlineto}!/ly{0 exch rlineto}!/v{0 0 6 2 roll c}!/y{2 copy c}!
-/re{4 -2 roll m exch dup lx exch ly neg lx h}!
-/^{3 index neg 3 index neg}!
-/f{P fill}!/f*{P eofill}!/s{H stroke}!/S{P stroke}!
-/q/gsave #/Q/grestore #/rf{re fill}!
-/Y{P clip newpath}!/Y*{P eoclip newpath}!/rY{re Y}!
-/|={pop exch 4 1 roll 1 array astore cvx 3 array astore cvx exch 1 index def exec}!
-/|{exch string readstring |=}!
-/+{dup type/nametype eq{2 index 7 add -3 bitshift 2 index mul}if}!
-/@/currentfile #/${+ @ |}!
-/B{{2 copy string{readstring pop}aload pop 4 array astore cvx
-3 1 roll}repeat pop pop true}!
-/Ix{[1 0 0 1 11 -2 roll exch neg exch neg]exch}!
-/,{true exch Ix imagemask}!/If{false exch Ix imagemask}!/I{exch Ix image}!
-/Ic{exch Ix false 3 colorimage}!
-/F{/Columns counttomark 3 add -2 roll/Rows exch/K -1/BlackIs1 true>>
-/CCITTFaxDecode filter}!/FX{<</EndOfBlock false F}!
-/X{/ASCII85Decode filter}!/@X{@ X}!/&2{2 index 2 index}!
-/@F{@ &2<<F}!/@C{@X &2 FX}!
-/$X{+ @X |}!/&4{4 index 4 index}!/$F{+ @ &4<<F |}!/$C{+ @X &4 FX |}!
-/IC{3 1 roll 10 dict begin 1{/ImageType/Interpolate/Decode/DataSource
-/ImageMatrix/BitsPerComponent/Height/Width}{exch def}forall
-currentdict end image}!
-/~{@ read {pop} if}!
-end def
-%%EndResource
-/pagesave null def
-%%EndProlog
-%%Page: 1 1
-%%BeginPageSetup
-GS_epswrite_2_0_1001 begin
-/pagesave save store 197 dict begin
-0.18 0.18 scale
-%%EndPageSetup
-gsave mark
-Q q
-0 0 128 0 0 219 ^ Y
-197 209 208 rG
-0 0 127.777 219.445 re
-f
-Q q
-0 0 128 0 0 219 ^ Y
-K
-46.21 53.45 m
-0 4.82 1.73 8.96 5.18 12.45 c
-3.45 3.48 7.62 5.23 12.5 5.23 c
-4.88 0 9.05 -1.74 12.5 -5.23 c
-3.45 -3.48 5.17 -7.63 5.17 -12.45 c
-0 -4.88 -1.74 -9.05 -5.22 -12.5 c
--3.48 -3.45 -7.63 -5.18 -12.45 -5.18 c
--4.82 0 -8.97 1.73 -12.45 5.18 c
--3.48 3.45 -5.22 7.62 -5.22 12.5 c
-f
-54.73 86.27 -15.52 70.88 P
--0.99 4.8 -1.49 8.32 -1.49 10.55 c
-0 10.65 8.64 15.97 25.92 15.97 c
-17.61 0 26.42 -4.77 26.42 -14.3 c
-0 -3 -0.5 -6.82 -1.48 -11.48 c
--15.52 -71.62 p f
-cleartomark end end pagesave restore
- showpage
-%%PageTrailer
-%%Trailer
-%%Pages: 1
Binary file doc-src/ProgProve/document/bang.pdf has changed
--- a/doc-src/ProgProve/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,14 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
-"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
-
-cp "$ISABELLE_HOME/doc-src/ProgProve/MyList.thy" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/ProgProve/document/intro-isabelle.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-Isabelle is a generic system for
-implementing logical formalisms, and Isabelle/HOL is the specialization
-of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
-HOL step by step following the equation
-\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
-We assume that the reader is familiar with the basic concepts of functional
-programming and is used to logical and set theoretic notation.
-
-\autoref{sec:FP} introduces HOL as a functional programming language and
-explains how to write simple inductive proofs of mostly equational properties
-of recursive functions.
-\sem
-\autoref{sec:CaseStudyExp} contains a
-little case study: arithmetic and boolean expressions, their evaluation,
-optimization and compilation.
-\endsem
-\autoref{ch:Logic} introduces the rest of HOL: the
-language of formulas beyond equality, automatic proof tools, single
-step proofs, and inductive definitions, an essential specification construct.
-\autoref{ch:Isar} introduces Isar, Isabelle's language for writing structured
-proofs.
-
-%Further material (slides, demos etc) can be found online at
-%\url{http://www.in.tum.de/~nipkow}.
-
-% Relics:
-% We aim to minimise the amount of background knowledge of logic we expect
-% from the reader
-% We have focussed on the core material
-% in the intersection of computation and logic.
-
-This introduction to the core of Isabelle is intentionally concrete and
-example-based: we concentrate on examples that illustrate the typical cases;
-we do not explain the general case if it can be inferred from the examples.
-For a comprehensive treatment of all things Isabelle we recommend the
-\emph{Isabelle/Isar Reference Manual}~\cite{IsarRef}, which comes with the
-Isabelle distribution.
-The tutorial by Nipkow, Paulson and Wenzel~\cite{LNCS2283} (in its updated version that comes with the Isabelle distribution) is still recommended for the wealth of examples and material, but its proof style is outdated. In particular it fails to cover the structured proof language Isar.
-
-This introduction has grown out of many years of teaching Isabelle courses.
-It tries to cover the essentials (from a functional programming point of
-view) as quickly and compactly as possible. There is also an accompanying
-set of \LaTeX-based slides available from the author on request.
-
-\paragraph{Acknowledgements}
-I wish to thank the following people for their comments on this text:
-Florian Haftmann, Ren\'{e} Thiemann and Christian Sternagel.
\ No newline at end of file
--- a/doc-src/ProgProve/document/mathpartir.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,388 +0,0 @@
-% Mathpartir --- Math Paragraph for Typesetting Inference Rules
-%
-% Copyright (C) 2001, 2002, 2003 Didier Rémy
-%
-% Author : Didier Remy
-% Version : 1.1.1
-% Bug Reports : to author
-% Web Site : http://pauillac.inria.fr/~remy/latex/
-%
-% WhizzyTeX is free software; you can redistribute it and/or modify
-% it under the terms of the GNU General Public License as published by
-% the Free Software Foundation; either version 2, or (at your option)
-% any later version.
-%
-% Mathpartir is distributed in the hope that it will be useful,
-% but WITHOUT ANY WARRANTY; without even the implied warranty of
-% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-% GNU General Public License for more details
-% (http://pauillac.inria.fr/~remy/license/GPL).
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% File mathpartir.sty (LaTeX macros)
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\NeedsTeXFormat{LaTeX2e}
-\ProvidesPackage{mathpartir}
- [2003/07/10 version 1.1.1 Math Paragraph for Typesetting Inference Rules]
-
-%%
-
-%% Identification
-%% Preliminary declarations
-
-\RequirePackage {keyval}
-
-%% Options
-%% More declarations
-
-%% PART I: Typesetting maths in paragraphe mode
-
-\newdimen \mpr@tmpdim
-
-% To ensure hevea \hva compatibility, \hva should expands to nothing
-% in mathpar or in inferrule
-\let \mpr@hva \empty
-
-%% normal paragraph parametters, should rather be taken dynamically
-\def \mpr@savepar {%
- \edef \MathparNormalpar
- {\noexpand \lineskiplimit \the\lineskiplimit
- \noexpand \lineskip \the\lineskip}%
- }
-
-\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
-\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
-\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
-\let \MathparLineskip \mpr@lineskip
-\def \mpr@paroptions {\MathparLineskip}
-\let \mpr@prebindings \relax
-
-\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
-
-\def \mpr@goodbreakand
- {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
-\def \mpr@and {\hskip \mpr@andskip}
-\def \mpr@andcr {\penalty 50\mpr@and}
-\def \mpr@cr {\penalty -10000\mpr@and}
-\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
-
-\def \mpr@bindings {%
- \let \and \mpr@andcr
- \let \par \mpr@andcr
- \let \\\mpr@cr
- \let \eqno \mpr@eqno
- \let \hva \mpr@hva
- }
-\let \MathparBindings \mpr@bindings
-
-% \@ifundefined {ignorespacesafterend}
-% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
-
-\newenvironment{mathpar}[1][]
- {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
- \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
- \noindent $\displaystyle\fi
- \MathparBindings}
- {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
-
-% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
-% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
-
-%%% HOV BOXES
-
-\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
- \vbox \bgroup \tabskip 0em \let \\ \cr
- \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
- \egroup}
-
-\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
- \box0\else \mathvbox {#1}\fi}
-
-
-%% Part II -- operations on lists
-
-\newtoks \mpr@lista
-\newtoks \mpr@listb
-
-\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
-
-\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
-{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
-
-\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
-\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
-
-\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
-\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
-
-\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
-\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
-
-\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
- \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
- \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
- \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
- \mpr@flatten \mpr@all \mpr@to \mpr@one
- \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
- \mpr@all \mpr@stripend
- \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
- \ifx 1\mpr@isempty
- \repeat
-}
-
-%% Part III -- Type inference rules
-
-\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
- \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
-
-\newif \if@premisse
-\newbox \mpr@hlist
-\newbox \mpr@vlist
-\newif \ifmpr@center \mpr@centertrue
-\def \mpr@htovlist {%
- \setbox \mpr@hlist
- \hbox {\strut
- \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
- \unhbox \mpr@hlist}%
- \setbox \mpr@vlist
- \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
- \else \unvbox \mpr@vlist \box \mpr@hlist
- \fi}%
-}
-% OLD version
-% \def \mpr@htovlist {%
-% \setbox \mpr@hlist
-% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
-% \setbox \mpr@vlist
-% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
-% \else \unvbox \mpr@vlist \box \mpr@hlist
-% \fi}%
-% }
-
-\def \mpr@sep{1.5em}
-\def \mpr@blank { }
-\def \mpr@hovbox #1#2{\hbox
- \bgroup
- \ifx #1T\@premissetrue
- \else \ifx #1B\@premissefalse
- \else
- \PackageError{mathpartir}
- {Premisse orientation should either be P or B}
- {Fatal error in Package}%
- \fi \fi
- \def \@test {#2}\ifx \@test \mpr@blank\else
- \setbox \mpr@hlist \hbox {}%
- \setbox \mpr@vlist \vbox {}%
- \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
- \let \@hvlist \empty \let \@rev \empty
- \mpr@tmpdim 0em
- \expandafter \mpr@makelist #2\mpr@to \mpr@flat
- \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
- \def \\##1{%
- \def \@test {##1}\ifx \@test \empty
- \mpr@htovlist
- \mpr@tmpdim 0em %%% last bug fix not extensively checked
- \else
- \setbox0 \hbox{$\displaystyle {##1}$}\relax
- \advance \mpr@tmpdim by \wd0
- %\mpr@tmpdim 1.02\mpr@tmpdim
- \ifnum \mpr@tmpdim < \hsize
- \ifnum \wd\mpr@hlist > 0
- \if@premisse
- \setbox \mpr@hlist
- \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
- \else
- \setbox \mpr@hlist
- \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
- \fi
- \else
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \else
- \ifnum \wd \mpr@hlist > 0
- \mpr@htovlist
- \mpr@tmpdim \wd0
- \fi
- \setbox \mpr@hlist \hbox {\unhbox0}%
- \fi
- \advance \mpr@tmpdim by \mpr@sep
- \fi
- }%
- \@rev
- \mpr@htovlist
- \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
- \fi
- \egroup
-}
-
-%%% INFERENCE RULES
-
-\@ifundefined{@@over}{%
- \let\@@over\over % fallback if amsmath is not loaded
- \let\@@overwithdelims\overwithdelims
- \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
- \let\@@above\above \let\@@abovewithdelims\abovewithdelims
- }{}
-
-
-\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
- $\displaystyle {#1\@@over #2}$}}
-\let \mpr@fraction \mpr@@fraction
-\def \mpr@@reduce #1#2{\hbox
- {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
-\def \mpr@@rewrite #1#2#3{\hbox
- {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
-\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
-
-\def \mpr@empty {}
-\def \mpr@inferrule
- {\bgroup
- \ifnum \linewidth<\hsize \hsize \linewidth\fi
- \mpr@rulelineskip
- \let \and \qquad
- \let \hva \mpr@hva
- \let \@rulename \mpr@empty
- \let \@rule@options \mpr@empty
- \mpr@inferrule@}
-\newcommand {\mpr@inferrule@}[3][]
- {\everymath={\displaystyle}%
- \def \@test {#2}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
- \else
- \def \@test {#3}\ifx \empty \@test
- \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
- \else
- \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
- \fi \fi
- \def \@test {#1}\ifx \@test\empty \box0
- \else \vbox
-%%% Suggestion de Francois pour les etiquettes longues
-%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
- {\hbox {\RefTirName {#1}}\box0}\fi
- \egroup}
-
-\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
-
-% They are two forms
-% \inferrule [label]{[premisses}{conclusions}
-% or
-% \inferrule* [options]{[premisses}{conclusions}
-%
-% Premisses and conclusions are lists of elements separated by \\
-% Each \\ produces a break, attempting horizontal breaks if possible,
-% and vertical breaks if needed.
-%
-% An empty element obtained by \\\\ produces a vertical break in all cases.
-%
-% The former rule is aligned on the fraction bar.
-% The optional label appears on top of the rule
-% The second form to be used in a derivation tree is aligned on the last
-% line of its conclusion
-%
-% The second form can be parameterized, using the key=val interface. The
-% folloiwng keys are recognized:
-%
-% width set the width of the rule to val
-% narrower set the width of the rule to val\hsize
-% before execute val at the beginning/left
-% lab put a label [Val] on top of the rule
-% lskip add negative skip on the right
-% left put a left label [Val]
-% Left put a left label [Val], ignoring its width
-% right put a right label [Val]
-% Right put a right label [Val], ignoring its width
-% leftskip skip negative space on the left-hand side
-% rightskip skip negative space on the right-hand side
-% vdots lift the rule by val and fill vertical space with dots
-% after execute val at the end/right
-%
-% Note that most options must come in this order to avoid strange
-% typesetting (in particular leftskip must preceed left and Left and
-% rightskip must follow Right or right; vdots must come last
-% or be only followed by rightskip.
-%
-
-\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
-\define@key {mprset}{center}[]{\mpr@centertrue}
-\def \mprset #1{\setkeys{mprset}{#1}}
-
-\newbox \mpr@right
-\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
-\define@key {mpr}{center}[]{\mpr@centertrue}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{width}{\hsize #1}
-\define@key {mpr}{sep}{\def\mpr@sep{#1}}
-\define@key {mpr}{before}{#1}
-\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
-\define@key {mpr}{narrower}{\hsize #1\hsize}
-\define@key {mpr}{leftskip}{\hskip -#1}
-\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
-\define@key {mpr}{rightskip}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
-\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
- \advance \hsize by -\wd0\box0}
-\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
-\define@key {mpr}{right}
- {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{RIGHT}
- {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
- \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
-\define@key {mpr}{Right}
- {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
-\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
-\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
-
-\newdimen \rule@dimen
-\newcommand \mpr@inferstar@ [3][]{\setbox0
- \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
- \setbox \mpr@right \hbox{}%
- $\setkeys{mpr}{#1}%
- \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
- \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
- \box \mpr@right \mpr@vdots$}
- \setbox1 \hbox {\strut}
- \rule@dimen \dp0 \advance \rule@dimen by -\dp1
- \raise \rule@dimen \box0}
-
-\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
-\newcommand \mpr@err@skipargs[3][]{}
-\def \mpr@inferstar*{\ifmmode
- \let \@do \mpr@inferstar@
- \else
- \let \@do \mpr@err@skipargs
- \PackageError {mathpartir}
- {\string\inferrule* can only be used in math mode}{}%
- \fi \@do}
-
-
-%%% Exports
-
-% Envirnonment mathpar
-
-\let \inferrule \mpr@infer
-
-% make a short name \infer is not already defined
-\@ifundefined {infer}{\let \infer \mpr@infer}{}
-
-\def \tir@name #1{\hbox {\small \sc #1}}
-\let \TirName \tir@name
-\let \RefTirName \tir@name
-
-%%% Other Exports
-
-% \let \listcons \mpr@cons
-% \let \listsnoc \mpr@snoc
-% \let \listhead \mpr@head
-% \let \listmake \mpr@makelist
-
-
-
-
-\endinput
--- a/doc-src/ProgProve/document/prelude.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,98 +0,0 @@
-\usepackage{makeidx} % allows index generation
-\usepackage{graphicx} % standard LaTeX graphics tool
- % when including figure files
-\usepackage{multicol} % used for the two-column index
-\usepackage[bottom]{footmisc}% places footnotes at page bottom
-\usepackage{alltt}
-
-\usepackage[T1]{fontenc}
-\usepackage{ccfonts}
-\usepackage[euler-digits]{eulervm}
-
-\let\bfdefaultold=\bfdefault
-\def\bfdefault{sbc} % make sans serif the default bold font
-
-\usepackage{isabelle,isabellesym}
-\usepackage{mathpartir}
-\usepackage{amssymb}
-
-% Enables fixmes
-\newif \ifDraft \Drafttrue
-
-\ifDraft
- \newcommand{\FIXME}[1]{\textbf{\textsl{FIXME: #1}}}
-\else
- \newcommand{\FIXME}[1]{\relax}
-\fi
-
-\renewcommand*\descriptionlabel[1]{\hspace\labelsep \textbf{#1}\hfil}
-
-% this should be the last package used
-\usepackage{color}
-\definecolor{linkcolor}{rgb}{0,0,0.4}
-\usepackage[colorlinks=true,linkcolor=linkcolor,citecolor=linkcolor,
- filecolor=linkcolor,pagecolor=linkcolor,
- urlcolor=linkcolor]{hyperref}
-
-% urls in roman style, theory text in math-similar italics
-\urlstyle{tt}
-\isabellestyle{it}
-
-\renewcommand{\isadigit}[1]{\ensuremath{#1}}
-
-% font size
-\renewcommand{\isastyle}{\isastyleminor}
-
-% indexing
-\usepackage{ifthen}
-\newcommand{\indexdef}[3]%
-{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}}
-
-% section commands
-\renewcommand{\chapterautorefname}{Chapter}
-\renewcommand{\sectionautorefname}{Section}
-
-\renewcommand{\isamarkupheader}[1]{{\rmfamily\subsection{#1}}}
-\renewcommand{\isamarkupsection}[1]{{\rmfamily\subsection{#1}}}
-\renewcommand{\isamarkupsubsection}[1]{{\rmfamily\subsubsection{#1}}}
-% isabelle in-text command font
-\newcommand{\isacom}[1]{\isa{\isacommand{#1}}}
-% isabelle keyword, adapted from isabelle.sty
-\renewcommand{\isakeyword}[1]
-{\emph{\def\isachardot{.}%
-\def\isacharbraceleft{\{}\def\isacharbraceright{\}}\textbf{#1}}}
-\renewcommand{\isacharunderscore}{\_}
-\renewcommand{\isacharunderscorekeyword}{\_}
-
-% add \noindent to text blocks automatically
-\renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\noindent}{\end{isapar}}
-\renewenvironment{isamarkuptxt}{\par\isastyletext\begin{isapar}\noindent}{\end{isapar}}
-
-\newcommand{\noquotes}[1]{{\renewcommand{\isachardoublequote}{}#1}}
-\newcommand{\concept}[1]{\textbf{#1}}
-\newcommand{\xsymbol}[1]{\texttt{\char`\\\char`<#1>}}
-
-\newcommand{\isabox}{\fbox}
-\newcommand{\bigisabox}[1]
-{\isabox{\renewcommand{\isanewline}{\\}%
- \begin{tabular}{l}#1\end{tabular}}}
-
-%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
-%\def\warnbang{\vtop to 0pt{\vss\hbox{\let\bfdefault=\bfdefaultold\Huge\textbf{!$\!$!}}\vss}}
-
-\def\warnbang{\vtop to 0pt{\vss\hbox{\includegraphics[width=3ex, height=5.5ex]{bang}}\vss}}
-
-\newenvironment{warn}{\begin{trivlist}\small\item[]\noindent%
- \begingroup\hangindent=\parindent\hangafter=-2%\clubpenalty=10000%
- \def\par{\endgraf\endgroup}%
- \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}
- {\par\end{trivlist}}
-
-\chardef\isachardoublequote=`\"%
-\chardef\isachardoublequoteopen=`\"%
-\chardef\isachardoublequoteclose=`\"%
-
-\renewcommand{\isacharbackquoteopen}{\isacharbackquote}
-\renewcommand{\isacharbackquoteclose}{\isacharbackquote}
-
-\hyphenation{Isa-belle}
--- a/doc-src/ProgProve/document/root.bib Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,19 +0,0 @@
-@string{CUP="Cambridge University Press"}
-@string{LNCS="Lect.\ Notes in Comp.\ Sci."}
-@string{Springer="Springer-Verlag"}
-
-@book{HuthRyan,author="Michael Huth and Mark Ryan",
-title={Logic in Computer Science},publisher=CUP,year=2004}
-
-@manual{Krauss,author={Alexander Krauss},
-title={Defining Recursive Functions in Isabelle/HOL},
-note={\url{http://isabelle.in.tum.de/doc/functions.pdf}}}
-
-@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel},
-title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic",
-publisher=Springer,series=LNCS,volume=2283,year=2002}
-
-@manual{IsarRef,author={Makarius Wenzel},
-title={The Isabelle/Isar Reference Manual},
-note={\url{http://isabelle.in.tum.de/doc/isar-ref.pdf}}}
-
--- a/doc-src/ProgProve/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,52 +0,0 @@
-\documentclass[envcountsame,envcountchap]{svmono}
-
-\input{prelude}
-
-\excludecomment{sem}
-
-\begin{document}
-
-\title{Programming and Proving in Isabelle/HOL}
-\subtitle{\includegraphics[scale=.7]{isabelle_hol}}
-\author{Tobias Nipkow}
-\maketitle
-
-\frontmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\setcounter{tocdepth}{1}
-\tableofcontents
-
-
-\mainmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%\part{Isabelle}
-
-\chapter{Introduction}
-\input{intro-isabelle.tex}
-
-\chapter{Programming and Proving}
-\label{sec:FP}
-\input{Basics.tex}
-\input{Bool_nat_list}
-\input{Types_and_funs}
-
-%\chapter{Case Study: IMP Expressions}
-%\label{sec:CaseStudyExp}
-%\input{../generated/Expressions}
-
-\chapter{Logic}
-\label{ch:Logic}
-\input{Logic}
-
-\chapter{Isar: A Language for Structured Proofs}
-\label{ch:Isar}
-\input{Isar}
-
-\backmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\bibliographystyle{plain}
-\bibliography{root}
-
-%\printindex
-
-\end{document}
--- a/doc-src/ProgProve/document/svmono.cls Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1691 +0,0 @@
-% SVMONO DOCUMENT CLASS -- version 4.17 (31-Oct-06)
-% Springer Verlag global LaTeX2e support for monographs
-%%
-%%
-%% \CharacterTable
-%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
-%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
-%% Digits \0\1\2\3\4\5\6\7\8\9
-%% Exclamation \! Double quote \" Hash (number) \#
-%% Dollar \$ Percent \% Ampersand \&
-%% Acute accent \' Left paren \( Right paren \)
-%% Asterisk \* Plus \+ Comma \,
-%% Minus \- Point \. Solidus \/
-%% Colon \: Semicolon \; Less than \<
-%% Equals \= Greater than \> Question mark \?
-%% Commercial at \@ Left bracket \[ Backslash \\
-%% Right bracket \] Circumflex \^ Underscore \_
-%% Grave accent \` Left brace \{ Vertical bar \|
-%% Right brace \} Tilde \~}
-%%
-\NeedsTeXFormat{LaTeX2e}[1995/12/01]
-\ProvidesClass{svmono}[2006/10/31 v4.17
-^^JSpringer Verlag global LaTeX document class for monographs]
-
-% Options
-% citations
-\DeclareOption{natbib}{\ExecuteOptions{oribibl}%
-\AtEndOfClass{% Loading package 'NATBIB'
-\RequirePackage{natbib}
-% Changing some parameters of NATBIB
-\setlength{\bibhang}{\parindent}
-%\setlength{\bibsep}{0mm}
-\let\bibfont=\small
-\def\@biblabel#1{#1.}
-\newcommand{\etal}{\textit{et al}.}
-%\bibpunct[,]{(}{)}{;}{a}{}{,}}}
-}}
-% Springer environment
-\let\if@spthms\iftrue
-\DeclareOption{nospthms}{\let\if@spthms\iffalse}
-%
-\let\envankh\@empty % no anchor for "theorems"
-%
-\let\if@envcntreset\iffalse % environment counter is not reset
-\let\if@envcntresetsect=\iffalse % reset each section?
-\DeclareOption{envcountresetchap}{\let\if@envcntreset\iftrue}
-\DeclareOption{envcountresetsect}{\let\if@envcntreset\iftrue
-\let\if@envcntresetsect=\iftrue}
-%
-\let\if@envcntsame\iffalse % NOT all environments work like "Theorem",
- % each using its own counter
-\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
-%
-\let\if@envcntshowhiercnt=\iffalse % do not show hierarchy counter at all
-%
-% enhance theorem counter
-\DeclareOption{envcountchap}{\def\envankh{chapter}% show \thechapter along with theorem number
-\let\if@envcntshowhiercnt=\iftrue
-\ExecuteOptions{envcountreset}}
-%
-\DeclareOption{envcountsect}{\def\envankh{section}% show \thesection along with theorem number
-\let\if@envcntshowhiercnt=\iftrue
-\ExecuteOptions{envcountreset}}
-%
-% languages
-\let\switcht@@therlang\relax
-\let\svlanginfo\relax
-\def\ds@deutsch{\def\switcht@@therlang{\switcht@deutsch}%
-\gdef\svlanginfo{\typeout{Man spricht deutsch.}\global\let\svlanginfo\relax}}
-\def\ds@francais{\def\switcht@@therlang{\switcht@francais}%
-\gdef\svlanginfo{\typeout{On parle francais.}\global\let\svlanginfo\relax}}
-%
-\AtBeginDocument{\@ifpackageloaded{babel}{%
-\@ifundefined{extrasamerican}{}{\addto\extrasamerican{\switcht@albion}}%
-\@ifundefined{extrasaustralian}{}{\addto\extrasaustralian{\switcht@albion}}%
-\@ifundefined{extrasbritish}{}{\addto\extrasbritish{\switcht@albion}}%
-\@ifundefined{extrascanadian}{}{\addto\extrascanadian{\switcht@albion}}%
-\@ifundefined{extrasenglish}{}{\addto\extrasenglish{\switcht@albion}}%
-\@ifundefined{extrasnewzealand}{}{\addto\extrasnewzealand{\switcht@albion}}%
-\@ifundefined{extrasUKenglish}{}{\addto\extrasUKenglish{\switcht@albion}}%
-\@ifundefined{extrasUSenglish}{}{\addto\extrasUSenglish{\switcht@albion}}%
-\@ifundefined{captionsfrench}{}{\addto\captionsfrench{\switcht@francais}}%
-\@ifundefined{extrasgerman}{}{\addto\extrasgerman{\switcht@deutsch}}%
-\@ifundefined{extrasngerman}{}{\addto\extrasngerman{\switcht@deutsch}}%
-}{\switcht@@therlang}%
-}
-% numbering style of floats, equations
-\newif\if@numart \@numartfalse
-\DeclareOption{numart}{\@numarttrue}
-\def\set@numbering{\if@numart\else\num@book\fi}
-\AtEndOfClass{\set@numbering}
-% style for vectors
-\DeclareOption{vecphys}{\def\vec@style{phys}}
-\DeclareOption{vecarrow}{\def\vec@style{arrow}}
-% running heads
-\let\if@runhead\iftrue
-\DeclareOption{norunningheads}{\let\if@runhead\iffalse}
-% referee option
-\let\if@referee\iffalse
-\def\makereferee{\def\baselinestretch{2}\selectfont
-\newbox\refereebox
-\setbox\refereebox=\vbox to\z@{\vskip0.5cm%
- \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
- \hbox{\kern5\p@ referee's copy\kern5\p@}\hrulefill}\vss}%
-\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
-\DeclareOption{referee}{\let\if@referee\iftrue
-\AtBeginDocument{\makereferee\small\normalsize}}
-% modification of thebibliography
-\let\if@openbib\iffalse
-\DeclareOption{openbib}{\let\if@openbib\iftrue}
-% LaTeX standard, sectionwise references
-\DeclareOption{oribibl}{\let\oribibl=Y}
-\DeclareOption{sectrefs}{\let\secbibl=Y}
-%
-% footinfo option (provides an informatory line on every page)
-\def\SpringerMacroPackageNameA{svmono.cls}
-% \thetime, \thedate and \timstamp are macros to include
-% time, date (or both) of the TeX run in the document
-\def\maketimestamp{\count255=\time
-\divide\count255 by 60\relax
-\edef\thetime{\the\count255:}%
-\multiply\count255 by-60\relax
-\advance\count255 by\time
-\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
-\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
- Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
- Nov\or Dec\fi-\number\year}
-\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
-\maketimestamp
-%
-% \footinfo generates a info footline on every page containing
-% pagenumber, jobname, macroname, and timestamp
-\DeclareOption{footinfo}{\AtBeginDocument{\maketimestamp
- \def\ps@empty{\let\@mkboth\@gobbletwo
- \let\@oddhead\@empty\let\@evenhead\@empty}%
- \def\@oddfoot{\scriptsize\tt Page:\,\thepage\space\hfil
- job:\,\jobname\space\hfil
- macro:\,\SpringerMacroPackageNameA\space\hfil
- date/time:\,\thedate/\thetime}%
- \let\@evenfoot=\@oddfoot}}
-%
-% start new chapter on any page
-\newif\if@openright \@openrighttrue
-\DeclareOption{openany}{\@openrightfalse}
-%
-% no size changing allowed
-\DeclareOption{11pt}{\OptionNotUsed}
-\DeclareOption{12pt}{\OptionNotUsed}
-% options for the article class
-\def\@rticle@options{10pt,twoside}
-% fleqn
-\DeclareOption{fleqn}{\def\@rticle@options{10pt,twoside,fleqn}%
-\AtEndOfClass{\let\leftlegendglue\relax}%
-\AtBeginDocument{\mathindent\parindent}}
-% hanging sectioning titles
-\let\if@sechang\iffalse
-\DeclareOption{sechang}{\let\if@sechang\iftrue}
-\def\ClassInfoNoLine#1#2{%
- \ClassInfo{#1}{#2\@gobble}%
-}
-\let\SVMonoOpt\@empty
-\DeclareOption*{\InputIfFileExists{sv\CurrentOption.clo}{%
-\global\let\SVMonoOpt\CurrentOption}{%
-\ClassWarning{Springer-SVMono}{Specified option or subpackage
-"\CurrentOption" \MessageBreak not found
-passing it to article class \MessageBreak
--}\PassOptionsToClass{\CurrentOption}{article}%
-}}
-\ProcessOptions\relax
-\ifx\SVMonoOpt\@empty\relax
-\ClassInfoNoLine{Springer-SVMono}{extra/valid Springer sub-package
-\MessageBreak not found in option list - using "global" style}{}
-\fi
-\LoadClass[\@rticle@options]{article}
-\raggedbottom
-
-% various sizes and settings for monographs
-
-\setlength{\textwidth}{28pc} % 11.8cm
-%\setlength{\textheight}{12pt}\multiply\textheight by 45\relax
-\setlength{\textheight}{540\p@}
-\setlength{\topmargin}{0cm}
-\setlength\oddsidemargin {63\p@}
-\setlength\evensidemargin {63\p@}
-\setlength\marginparwidth{90\p@}
-\setlength\headsep {12\p@}
-
-\setlength{\parindent}{15\p@}
-\setlength{\parskip}{\z@ \@plus \p@}
-\setlength{\hfuzz}{2\p@}
-\setlength{\arraycolsep}{1.5\p@}
-
-\frenchspacing
-
-\tolerance=500
-
-\predisplaypenalty=0
-\clubpenalty=10000
-\widowpenalty=10000
-
-\setlength\footnotesep{7.7\p@}
-
-\newdimen\betweenumberspace % dimension for space between
-\betweenumberspace=5\p@ % number and text of titles
-\newdimen\headlineindent % dimension for space of
-\headlineindent=2.5cc % number and gap of running heads
-
-% fonts, sizes, and the like
-\renewcommand\small{%
- \@setfontsize\small\@ixpt{11}%
- \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@
- \abovedisplayshortskip \z@ \@plus2\p@
- \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@
- \def\@listi{\leftmargin\leftmargini
- \parsep \z@ \@plus\p@ \@minus\p@
- \topsep 6\p@ \@plus2\p@ \@minus4\p@
- \itemsep\z@}%
- \belowdisplayskip \abovedisplayskip
-}
-%
-\let\footnotesize=\small
-%
-\newenvironment{petit}{\par\addvspace{6\p@}\small}{\par\addvspace{6\p@}}
-%
-
-% modification of automatic positioning of floating objects
-\setlength\@fptop{\z@ }
-\setlength\@fpsep{12\p@ }
-\setlength\@fpbot{\z@ \@plus 1fil }
-\def\textfraction{.01}
-\def\floatpagefraction{.8}
-\setlength{\intextsep}{20\p@ \@plus 2\p@ \@minus 2\p@}
-\setcounter{topnumber}{4}
-\def\topfraction{.9}
-\setcounter{bottomnumber}{2}
-\def\bottomfraction{.7}
-\setcounter{totalnumber}{6}
-%
-% size and style of headings
-\newcommand{\partsize}{\Large}
-\newcommand{\partstyle}{\bfseries\boldmath}
-\newcommand{\chapsize}{\Large}
-\newcommand{\chapstyle}{\bfseries\boldmath}
-\newcommand{\chapshooksize}{\small}
-\newcommand{\chapshookstyle}{\itshape\unboldmath}
-\newcommand{\secsize}{\large}
-\newcommand{\secstyle}{\bfseries\boldmath}
-\newcommand{\subsecsize}{\normalsize}
-\newcommand{\subsecstyle}{\bfseries\boldmath}
-%
-\def\cleardoublepage{\clearpage\if@twoside \ifodd\c@page\else
- \hbox{}\newpage\if@twocolumn\hbox{}\newpage\fi\fi\fi}
-
-\newcommand{\clearemptydoublepage}{%
- \clearpage{\pagestyle{empty}\cleardoublepage}}
-\newcommand{\startnewpage}{\if@openright\clearemptydoublepage\else\clearpage\fi}
-
-% redefinition of \part
-\renewcommand\part{\clearemptydoublepage
- \thispagestyle{empty}
- \if@twocolumn
- \onecolumn
- \@tempswatrue
- \else
- \@tempswafalse
- \fi
- \@ifundefined{thispagecropped}{}{\thispagecropped}
- \secdef\@part\@spart}
-
-\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax
- \refstepcounter{part}
- \addcontentsline{toc}{part}{\partname\
- \thepart\thechapterend\hspace{\betweenumberspace}%
- #1}\else
- \addcontentsline{toc}{part}{#1}\fi
- \markboth{}{}
- {\raggedleft
- \ifnum \c@secnumdepth >-2\relax
- \normalfont\partstyle\partsize\vrule height 34pt width 0pt depth 0pt%
- \partname\ \thepart\llap{\smash{\lower 5pt\hbox to\textwidth{\hrulefill}}}
- \par
- \vskip 128.3\p@ \fi
- #2\par}\@endpart}
-%
-% \@endpart finishes the part page
-%
-\def\@endpart{\vfil\newpage
- \if@twoside
- \hbox{}
- \thispagestyle{empty}
- \newpage
- \fi
- \if@tempswa
- \twocolumn
- \fi}
-%
-\def\@spart#1{{\raggedleft
- \normalfont\partsize\partstyle
- #1\par}\@endpart}
-%
-\newenvironment{partbacktext}{\def\@endpart{\vfil\newpage}}
-{\thispagestyle{empty} \newpage \if@tempswa\twocolumn\fi}
-%
-% (re)define sectioning
-\setcounter{secnumdepth}{2}
-
-\def\seccounterend{}
-\def\seccountergap{\hskip\betweenumberspace}
-\def\@seccntformat#1{\csname the#1\endcsname\seccounterend\seccountergap\ignorespaces}
-%
-\let\firstmark=\botmark
-%
-\@ifundefined{thechapterend}{\def\thechapterend{}}{}
-%
-\if@sechang
- \def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
- \hangindent\wd\@tempboxa\noindent\box\@tempboxa}
-\else
- \def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
- \hangindent\z@\noindent\box\@tempboxa}
-\fi
-
-\def\chap@hangfrom#1{\noindent\vrule height 34pt width 0pt depth 0pt
-\rlap{\smash{\lower 5pt\hbox to\textwidth{\hrulefill}}}\hbox{#1}
-\vskip10pt}
-\def\schap@hangfrom{\chap@hangfrom{}}
-
-\newcounter{chapter}
-%
-\@addtoreset{section}{chapter}
-\@addtoreset{footnote}{chapter}
-
-\newif\if@mainmatter \@mainmattertrue
-\newcommand\frontmatter{\startnewpage
- \@mainmatterfalse\pagenumbering{Roman}
- \setcounter{page}{5}}
-%
-\newcommand\mainmatter{\clearemptydoublepage
- \@mainmattertrue\pagenumbering{arabic}}
-%
-\newcommand\backmatter{\clearemptydoublepage\@mainmatterfalse}
-
-\def\@chapapp{\chaptername}
-
-\newdimen\chapstarthookwidth
-\newcommand\chapstarthook[2][0.66\textwidth]{%
-\setlength{\chapstarthookwidth}{#1}%
-\gdef\chapst@rthook{#2}}
-
-\newcommand{\processchapstarthook}{\@ifundefined{chapst@rthook}{}{%
- \setbox0=\hbox{\vbox{\hyphenpenalty=50
- \begin{flushright}
- \begin{minipage}{\chapstarthookwidth}
- \vrule\@width\z@\@height21\p@\@depth\z@
- \normalfont\chapshooksize\chapshookstyle\chapst@rthook
- \end{minipage}
- \end{flushright}}}%
- \@tempdima=\pagetotal
- \advance\@tempdima by\ht0
- \ifdim\@tempdima<106\p@
- \multiply\@tempdima by-1
- \advance\@tempdima by106\p@
- \vskip\@tempdima
- \fi
- \box0\par
- \global\let\chapst@rthook=\undefined}}
-
-\newcommand\chapter{\startnewpage
- \@ifundefined{thispagecropped}{}{\thispagecropped}
- \thispagestyle{empty}%
- \global\@topnum\z@
- \@afterindentfalse
- \secdef\@chapter\@schapter}
-
-\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne
- \refstepcounter{chapter}%
- \if@mainmatter
- \typeout{\@chapapp\space\thechapter.}%
- \addcontentsline{toc}{chapter}{\protect
- \numberline{\thechapter\thechapterend}#1}%
- \else
- \addcontentsline{toc}{chapter}{#1}%
- \fi
- \else
- \addcontentsline{toc}{chapter}{#1}%
- \fi
- \chaptermark{#1}%
- \addtocontents{lof}{\protect\addvspace{10\p@}}%
- \addtocontents{lot}{\protect\addvspace{10\p@}}%
- \if@twocolumn
- \@topnewpage[\@makechapterhead{#2}]%
- \else
- \@makechapterhead{#2}%
- \@afterheading
- \fi}
-
-\def\@schapter#1{\if@twocolumn
- \@topnewpage[\@makeschapterhead{#1}]%
- \else
- \@makeschapterhead{#1}%
- \@afterheading
- \fi}
-
-%%changes position and layout of numbered chapter headings
-\def\@makechapterhead#1{{\parindent\z@\raggedright\normalfont
- \hyphenpenalty \@M
- \interlinepenalty\@M
- \chapsize\chapstyle
- \chap@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
- \ignorespaces#1\par\nobreak
- \processchapstarthook
- \ifdim\pagetotal>157\p@
- \vskip 11\p@
- \else
- \@tempdima=168\p@\advance\@tempdima by-\pagetotal
- \vskip\@tempdima
- \fi}}
-
-%%changes position and layout of unnumbered chapter headings
-\def\@makeschapterhead#1{{\parindent \z@ \raggedright\normalfont
- \hyphenpenalty \@M
- \interlinepenalty\@M
- \chapsize\chapstyle
- \schap@hangfrom
- \ignorespaces#1\par\nobreak
- \processchapstarthook
- \ifdim\pagetotal>157\p@
- \vskip 11\p@
- \else
- \@tempdima=168\p@\advance\@tempdima by-\pagetotal
- \vskip\@tempdima
- \fi}}
-
-% predefined unnumbered headings
-\newcommand{\preface}[1][\prefacename]{\chapter*{#1}\markboth{#1}{#1}}
-% same with TOC entry
-\newcommand{\Preface}[1][\prefacename]{\chapter*{#1}\markboth{#1}{#1}%
-\addcontentsline{toc}{chapter}{#1}}
-
-% measures and setting of sections
-\renewcommand\section{\@startsection{section}{1}{\z@}%
- {-24\p@ \@plus -4\p@ \@minus -4\p@}%
- {12\p@ \@plus 4\p@ \@minus 4\p@}%
- {\normalfont\secsize\secstyle
- \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
-\renewcommand\subsection{\@startsection{subsection}{2}{\z@}%
- {-17\p@ \@plus -4\p@ \@minus -4\p@}%
- {10\p@ \@plus 4\p@ \@minus 4\p@}%
- {\normalfont\subsecsize\subsecstyle
- \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
-\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}%
- {-17\p@ \@plus -4\p@ \@minus -4\p@}%
- {10\p@ \@plus 4\p@ \@minus 4\p@}%
- {\normalfont\normalsize\subsecstyle
- \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
-\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}%
- {-10\p@ \@plus -4\p@ \@minus -4\p@}%
- {10\p@ \@plus 4\p@ \@minus 4\p@}%
- {\normalfont\normalsize\itshape
- \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
-\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
- {-5.388\p@ \@plus-4\p@ \@minus-4\p@}{-5\p@}{\normalfont\normalsize\itshape}}
-
-% Appendix
-\renewcommand\appendix{\par
- \stepcounter{chapter}
- \setcounter{chapter}{0}
- \stepcounter{section}
- \setcounter{section}{0}
- \setcounter{equation}{0}
- \setcounter{figure}{0}
- \setcounter{table}{0}
- \setcounter{footnote}{0}
- \def\@chapapp{\appendixname}%
- \renewcommand\thechapter{\@Alph\c@chapter}}
-
-% definition of sections
-% \hyphenpenalty and \raggedright added, so that there is no
-% hyphenation and the text is set ragged-right in sectioning
-
-\def\runinsep{}
-\def\aftertext{\unskip\runinsep}
-%
-\def\thesection{\thechapter.\arabic{section}}
-\def\thesubsection{\thesection.\arabic{subsection}}
-\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
-\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
-\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
-\def\chaptermark#1{}
-%
-\def\@ssect#1#2#3#4#5{%
- \@tempskipa #3\relax
- \ifdim \@tempskipa>\z@
- \begingroup
- #4{%
- \@hangfrom{\hskip #1}%
- \raggedright
- \hyphenpenalty \@M
- \interlinepenalty \@M #5\@@par}%
- \endgroup
- \else
- \def\@svsechd{#4{\hskip #1\relax #5}}%
- \fi
- \@xsect{#3}}
-%
-\def\@sect#1#2#3#4#5#6[#7]#8{%
- \ifnum #2>\c@secnumdepth
- \let\@svsec\@empty
- \else
- \refstepcounter{#1}%
- \protected@edef\@svsec{\@seccntformat{#1}\relax}%
- \fi
- \@tempskipa #5\relax
- \ifdim \@tempskipa>\z@
- \begingroup #6\relax
- \sec@hangfrom{\hskip #3\relax\@svsec}%
- {\raggedright
- \hyphenpenalty \@M
- \interlinepenalty \@M #8\@@par}%
- \endgroup
- \csname #1mark\endcsname{#7\seccounterend}%
- \addcontentsline{toc}{#1}{\ifnum #2>\c@secnumdepth
- \else
- \protect\numberline{\csname the#1\endcsname\seccounterend}%
- \fi
- #7}%
- \else
- \def\@svsechd{%
- #6\hskip #3\relax
- \@svsec #8\aftertext\ignorespaces
- \csname #1mark\endcsname{#7}%
- \addcontentsline{toc}{#1}{%
- \ifnum #2>\c@secnumdepth \else
- \protect\numberline{\csname the#1\endcsname\seccounterend}%
- \fi
- #7}}%
- \fi
- \@xsect{#5}}
-
-% figures and tables are processed in small print
-\def \@floatboxreset {%
- \reset@font
- \small
- \@setnobreak
- \@setminipage
-}
-\def\fps@figure{htbp}
-\def\fps@table{htbp}
-
-% Frame for paste-in figures or tables
-\def\mpicplace#1#2{% #1 =width #2 =height
-\vbox{\hbox to #1{\vrule\@width \fboxrule \@height #2\hfill}}}
-
-% labels of enumerate
-\renewcommand\labelenumii{\theenumii)}
-\renewcommand\theenumii{\@alph\c@enumii}
-
-% labels of itemize
-\renewcommand\labelitemi{\textbullet}
-\renewcommand\labelitemii{\textendash}
-\let\labelitemiii=\labelitemiv
-
-% labels of description
-\renewcommand*\descriptionlabel[1]{\hspace\labelsep #1\hfil}
-
-% fixed indentation for standard itemize-environment
-\newdimen\svitemindent \setlength{\svitemindent}{\parindent}
-
-
-% make indentations changeable
-
-\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
- \let\setit@m=Y%
- \leftmargini\labelwidth
- \advance\leftmargini\labelsep
- \def\@listi{\leftmargin\leftmargini
- \labelwidth\leftmargini\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\medskipamount
- \itemsep=\parskip \advance\itemsep by -\parsep}}
-\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
- \let\setit@m=Y%
- \leftmarginii\labelwidth
- \advance\leftmarginii\labelsep
-\def\@listii{\leftmargin\leftmarginii
- \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip \advance\itemsep by -\parsep}}
-%
-% adjusted environment "description"
-% if an optional parameter (at the first two levels of lists)
-% is present, its width is considered to be the widest mark
-% throughout the current list.
-\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
- \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
-%
-\def\describelabel#1{#1\hfil}
-\def\@describe[#1]{\relax\ifnum\@listdepth=0
-\setitemindent{#1}\else\ifnum\@listdepth=1
-\setitemitemindent{#1}\fi\fi
-\list{--}{\let\makelabel\describelabel}}
-%
-\def\itemize{%
- \ifnum \@itemdepth >\thr@@\@toodeep\else
- \advance\@itemdepth\@ne
- \ifx\setit@m\undefined
- \ifnum \@itemdepth=1 \leftmargini=\svitemindent
- \labelwidth\leftmargini\advance\labelwidth-\labelsep
- \leftmarginii=\leftmargini \leftmarginiii=\leftmargini
- \fi
- \fi
- \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
- \expandafter\list
- \csname\@itemitem\endcsname
- {\def\makelabel##1{\rlap{##1}\hss}}%
- \fi}
-%
-\newdimen\verbatimindent \verbatimindent\parindent
-\def\verbatim{\advance\@totalleftmargin by\verbatimindent
-\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
-
-%
-% special signs and characters
-\newcommand{\D}{\mathrm{d}}
-\newcommand{\E}{\mathrm{e}}
-\let\eul=\E
-\newcommand{\I}{{\rm i}}
-\let\imag=\I
-%
-% the definition of uppercase Greek characters
-% Springer likes them as italics to depict variables
-\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00}
-\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01}
-\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02}
-\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03}
-\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04}
-\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05}
-\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06}
-\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07}
-\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08}
-\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09}
-\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A}
-% the upright forms are defined here as \var<Character>
-\DeclareMathSymbol{\varGamma}{\mathalpha}{operators}{"00}
-\DeclareMathSymbol{\varDelta}{\mathalpha}{operators}{"01}
-\DeclareMathSymbol{\varTheta}{\mathalpha}{operators}{"02}
-\DeclareMathSymbol{\varLambda}{\mathalpha}{operators}{"03}
-\DeclareMathSymbol{\varXi}{\mathalpha}{operators}{"04}
-\DeclareMathSymbol{\varPi}{\mathalpha}{operators}{"05}
-\DeclareMathSymbol{\varSigma}{\mathalpha}{operators}{"06}
-\DeclareMathSymbol{\varUpsilon}{\mathalpha}{operators}{"07}
-\DeclareMathSymbol{\varPhi}{\mathalpha}{operators}{"08}
-\DeclareMathSymbol{\varPsi}{\mathalpha}{operators}{"09}
-\DeclareMathSymbol{\varOmega}{\mathalpha}{operators}{"0A}
-% Upright Lower Case Greek letters without using a new MathAlphabet
-\newcommand{\greeksym}[1]{\usefont{U}{psy}{m}{n}#1}
-\newcommand{\greeksymbold}[1]{{\usefont{U}{psy}{b}{n}#1}}
-\newcommand{\allmodesymb}[2]{\relax\ifmmode{\mathchoice
-{\mbox{\fontsize{\tf@size}{\tf@size}#1{#2}}}
-{\mbox{\fontsize{\tf@size}{\tf@size}#1{#2}}}
-{\mbox{\fontsize{\sf@size}{\sf@size}#1{#2}}}
-{\mbox{\fontsize{\ssf@size}{\ssf@size}#1{#2}}}}
-\else
-\mbox{#1{#2}}\fi}
-% Definition of lower case Greek letters
-\newcommand{\ualpha}{\allmodesymb{\greeksym}{a}}
-\newcommand{\ubeta}{\allmodesymb{\greeksym}{b}}
-\newcommand{\uchi}{\allmodesymb{\greeksym}{c}}
-\newcommand{\udelta}{\allmodesymb{\greeksym}{d}}
-\newcommand{\ugamma}{\allmodesymb{\greeksym}{g}}
-\newcommand{\umu}{\allmodesymb{\greeksym}{m}}
-\newcommand{\unu}{\allmodesymb{\greeksym}{n}}
-\newcommand{\upi}{\allmodesymb{\greeksym}{p}}
-\newcommand{\utau}{\allmodesymb{\greeksym}{t}}
-% redefines the \vec accent to a bold character - if desired
-\def\fig@type{arrow}% temporarily abused
-\ifx\vec@style\fig@type\else
-\@ifundefined{vec@style}{%
- \def\vec#1{\ensuremath{\mathchoice
- {\mbox{\boldmath$\displaystyle\mathbf{#1}$}}
- {\mbox{\boldmath$\textstyle\mathbf{#1}$}}
- {\mbox{\boldmath$\scriptstyle\mathbf{#1}$}}
- {\mbox{\boldmath$\scriptscriptstyle\mathbf{#1}$}}}}%
-}
-{\def\vec#1{\ensuremath{\mathchoice
- {\mbox{\boldmath$\displaystyle#1$}}
- {\mbox{\boldmath$\textstyle#1$}}
- {\mbox{\boldmath$\scriptstyle#1$}}
- {\mbox{\boldmath$\scriptscriptstyle#1$}}}}%
-}
-\fi
-% tensor
-\def\tens#1{\relax\ifmmode\mathsf{#1}\else\textsf{#1}\fi}
-
-% end of proof symbol
-\newcommand\qedsymbol{\hbox{\rlap{$\sqcap$}$\sqcup$}}
-\newcommand\qed{\relax\ifmmode\else\unskip\quad\fi\qedsymbol}
-\newcommand\smartqed{\renewcommand\qed{\relax\ifmmode\qedsymbol\else
- {\unskip\nobreak\hfil\penalty50\hskip1em\null\nobreak\hfil\qedsymbol
- \parfillskip=\z@\finalhyphendemerits=0\endgraf}\fi}}
-%
-\def\num@book{%
-\renewcommand\thesection{\thechapter.\@arabic\c@section}%
-\renewcommand\thesubsection{\thesection.\@arabic\c@subsection}%
-\renewcommand\theequation{\thechapter.\@arabic\c@equation}%
-\renewcommand\thefigure{\thechapter.\@arabic\c@figure}%
-\renewcommand\thetable{\thechapter.\@arabic\c@table}%
-\@addtoreset{section}{chapter}%
-\@addtoreset{figure}{chapter}%
-\@addtoreset{table}{chapter}%
-\@addtoreset{equation}{chapter}}
-%
-% Ragged bottom for the actual page
-\def\thisbottomragged{\def\@textbottom{\vskip\z@ \@plus.0001fil
-\global\let\@textbottom\relax}}
-
-% This is texte.tex
-% it defines various texts and their translations
-% called up with documentstyle options
-\def\switcht@albion{%
-\def\abstractname{Summary.}%
-\def\ackname{Acknowledgement.}%
-\def\andname{and}%
-\def\bibname{References}%
-\def\lastandname{, and}%
-\def\appendixname{Appendix}%
-\def\chaptername{Chapter}%
-\def\claimname{Claim}%
-\def\conjecturename{Conjecture}%
-\def\contentsname{Contents}%
-\def\corollaryname{Corollary}%
-\def\definitionname{Definition}%
-\def\examplename{Example}%
-\def\exercisename{Exercise}%
-\def\figurename{Fig.}%
-\def\keywordname{{\bf Key words:}}%
-\def\indexname{Index}%
-\def\lemmaname{Lemma}%
-\def\contriblistname{List of Contributors}%
-\def\listfigurename{List of Figures}%
-\def\listtablename{List of Tables}%
-\def\mailname{{\it Correspondence to\/}:}%
-\def\noteaddname{Note added in proof}%
-\def\notename{Note}%
-\def\partname{Part}%
-\def\prefacename{Preface}%
-\def\problemname{Problem}%
-\def\proofname{Proof}%
-\def\propertyname{Property}%
-\def\propositionname{Proposition}%
-\def\questionname{Question}%
-\def\refname{References}%
-\def\remarkname{Remark}%
-\def\seename{see}%
-\def\solutionname{Solution}%
-\def\subclassname{{\it Subject Classifications\/}:}%
-\def\tablename{Table}%
-\def\theoremname{Theorem}}
-\switcht@albion
-% Names of theorem like environments are already defined
-% but must be translated if another language is chosen
-%
-% French section
-\def\switcht@francais{\svlanginfo
- \def\abstractname{R\'esum\'e.}%
- \def\ackname{Remerciements.}%
- \def\andname{et}%
- \def\lastandname{ et}%
- \def\appendixname{Appendice}%
- \def\bibname{Bibliographie}%
- \def\chaptername{Chapitre}%
- \def\claimname{Pr\'etention}%
- \def\conjecturename{Hypoth\`ese}%
- \def\contentsname{Table des mati\`eres}%
- \def\corollaryname{Corollaire}%
- \def\definitionname{D\'efinition}%
- \def\examplename{Exemple}%
- \def\exercisename{Exercice}%
- \def\figurename{Fig.}%
- \def\keywordname{{\bf Mots-cl\'e:}}%
- \def\indexname{Index}%
- \def\lemmaname{Lemme}%
- \def\contriblistname{Liste des contributeurs}%
- \def\listfigurename{Liste des figures}%
- \def\listtablename{Liste des tables}%
- \def\mailname{{\it Correspondence to\/}:}%
- \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
- \def\notename{Remarque}%
- \def\partname{Partie}%
- \def\prefacename{Avant-propos}% ou Pr\'eface
- \def\problemname{Probl\`eme}%
- \def\proofname{Preuve}%
- \def\propertyname{Caract\'eristique}%
-%\def\propositionname{Proposition}%
- \def\questionname{Question}%
- \def\refname{Litt\'erature}%
- \def\remarkname{Remarque}%
- \def\seename{voir}%
- \def\solutionname{Solution}%
- \def\subclassname{{\it Subject Classifications\/}:}%
- \def\tablename{Tableau}%
- \def\theoremname{Th\'eor\`eme}%
-}
-%
-% German section
-\def\switcht@deutsch{\svlanginfo
- \def\abstractname{Zusammenfassung.}%
- \def\ackname{Danksagung.}%
- \def\andname{und}%
- \def\lastandname{ und}%
- \def\appendixname{Anhang}%
- \def\bibname{Literaturverzeichnis}%
- \def\chaptername{Kapitel}%
- \def\claimname{Behauptung}%
- \def\conjecturename{Hypothese}%
- \def\contentsname{Inhaltsverzeichnis}%
- \def\corollaryname{Korollar}%
-%\def\definitionname{Definition}%
- \def\examplename{Beispiel}%
- \def\exercisename{\"Ubung}%
- \def\figurename{Abb.}%
- \def\keywordname{{\bf Schl\"usselw\"orter:}}%
- \def\indexname{Sachverzeichnis}%
-%\def\lemmaname{Lemma}%
- \def\contriblistname{Mitarbeiter}%
- \def\listfigurename{Abbildungsverzeichnis}%
- \def\listtablename{Tabellenverzeichnis}%
- \def\mailname{{\it Correspondence to\/}:}%
- \def\noteaddname{Nachtrag}%
- \def\notename{Anmerkung}%
- \def\partname{Teil}%
- \def\prefacename{Vorwort}%
-%\def\problemname{Problem}%
- \def\proofname{Beweis}%
- \def\propertyname{Eigenschaft}%
-%\def\propositionname{Proposition}%
- \def\questionname{Frage}%
- \def\refname{Literaturverzeichnis}%
- \def\remarkname{Anmerkung}%
- \def\seename{siehe}%
- \def\solutionname{L\"osung}%
- \def\subclassname{{\it Subject Classifications\/}:}%
- \def\tablename{Tabelle}%
-%\def\theoremname{Theorem}%
-}
-
-\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
-\halign{\hfil
-$\displaystyle##$\hfil\cr\gets\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets
-\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets
-\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-\gets\cr\to\cr}}}}}
-\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
-\noalign{\vskip1.2\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
-\noalign{\vskip\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-<\cr
-\noalign{\vskip0.9\p@}=\cr}}}}}
-\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
-\noalign{\vskip1.2\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
-\noalign{\vskip\p@}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr
-\noalign{\vskip0.9\p@}=\cr}}}}}
-\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip
-\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-\p@}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
->\cr\noalign{\vskip-\p@}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
->\cr\noalign{\vskip-0.8\p@}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr\noalign{\vskip-0.3\p@}<\cr}}}}}
-\def\bbbr{{\rm I\!R}} %reelle Zahlen
-\def\bbbm{{\rm I\!M}}
-\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
-\def\bbbf{{\rm I\!F}}
-\def\bbbh{{\rm I\!H}}
-\def\bbbk{{\rm I\!K}}
-\def\bbbp{{\rm I\!P}}
-\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
-{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
-\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
-to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
-to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
-to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
-to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}}}
-\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
-Q$}\hbox{\raise
-0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.8\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.8\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.7\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.7\ht0\hss}\box0}}}}
-\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
-T$}\hbox{\hbox to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
-to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
-to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
-to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}}}
-\def\bbbs{{\mathchoice
-{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\hbox
-to\z@{\kern0.55\wd0\vrule\@height0.5\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\hbox
-to\z@{\kern0.55\wd0\vrule\@height0.5\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\raise0.05\ht0\hbox
-to\z@{\kern0.5\wd0\vrule\@height0.45\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
-to\z@{\kern0.4\wd0\vrule\@height0.45\ht0\hss}\raise0.05\ht0\hbox
-to\z@{\kern0.55\wd0\vrule\@height0.45\ht0\hss}\box0}}}}
-\def\bbbz{{\mathchoice {\hbox{$\textstyle\sf Z\kern-0.4em Z$}}
-{\hbox{$\textstyle\sf Z\kern-0.4em Z$}}
-{\hbox{$\scriptstyle\sf Z\kern-0.3em Z$}}
-{\hbox{$\scriptscriptstyle\sf Z\kern-0.2em Z$}}}}
-
-\let\ts\,
-
-\setlength \labelsep {5\p@}
-\setlength\leftmargini {17\p@}
-\setlength\leftmargin {\leftmargini}
-\setlength\leftmarginii {\leftmargini}
-\setlength\leftmarginiii {\leftmargini}
-\setlength\leftmarginiv {\leftmargini}
-\setlength\labelwidth {\leftmargini}
-\addtolength\labelwidth{-\labelsep}
-
-\def\@listI{\leftmargin\leftmargini
- \parsep=\parskip
- \topsep=\medskipamount
- \itemsep=\parskip \advance\itemsep by -\parsep}
-\let\@listi\@listI
-\@listi
-
-\def\@listii{\leftmargin\leftmarginii
- \labelwidth\leftmarginii
- \advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip
- \advance\itemsep by -\parsep}
-
-\def\@listiii{\leftmargin\leftmarginiii
- \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip
- \advance\itemsep by -\parsep
- \partopsep=\topsep}
-
-\setlength\arraycolsep{1.5\p@}
-\setlength\tabcolsep{1.5\p@}
-
-\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
- \@starttoc{toc}\if@restonecol\twocolumn\fi}
-
-\setcounter{tocdepth}{2}
-
-\def\l@part#1#2{\addpenalty{\@secpenalty}%
- \addvspace{2em \@plus\p@}%
- \begingroup
- \parindent \z@
- \rightskip \z@ \@plus 5em
- \hrule\vskip5\p@
- \bfseries\boldmath
- \leavevmode
- #1\par
- \vskip5\p@
- \hrule
- \vskip\p@
- \nobreak
- \endgroup}
-
-\def\@dotsep{2}
-
-\def\addnumcontentsmark#1#2#3{%
-\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline
- {\thechapter}#3}{\thepage}}}
-\def\addcontentsmark#1#2#3{%
-\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}}}
-\def\addcontentsmarkwop#1#2#3{%
-\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}}}
-
-\def\@adcmk[#1]{\ifcase #1 \or
-\def\@gtempa{\addnumcontentsmark}%
- \or \def\@gtempa{\addcontentsmark}%
- \or \def\@gtempa{\addcontentsmarkwop}%
- \fi\@gtempa{toc}{chapter}}
-\def\addtocmark{\@ifnextchar[{\@adcmk}{\@adcmk[3]}}
-
-\def\l@chapter#1#2{\par\addpenalty{-\@highpenalty}
- \addvspace{1.0em \@plus \p@}
- \@tempdima \tocchpnum \begingroup
- \parindent \z@ \rightskip \@tocrmarg
- \advance\rightskip by \z@ \@plus 2cm
- \parfillskip -\rightskip \pretolerance=10000
- \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
- {\bfseries\boldmath#1}\ifx0#2\hfil\null
- \else
- \nobreak
- \leaders\hbox{$\m@th \mkern \@dotsep mu\hbox{.}\mkern
- \@dotsep mu$}\hfill
- \nobreak\hbox to\@pnumwidth{\hfil #2}%
- \fi\par
- \penalty\@highpenalty \endgroup}
-
-\newdimen\tocchpnum
-\newdimen\tocsecnum
-\newdimen\tocsectotal
-\newdimen\tocsubsecnum
-\newdimen\tocsubsectotal
-\newdimen\tocsubsubsecnum
-\newdimen\tocsubsubsectotal
-\newdimen\tocparanum
-\newdimen\tocparatotal
-\newdimen\tocsubparanum
-\tocchpnum=20\p@ % chapter {\bf 88.} \@plus 5.3\p@
-\tocsecnum=22.5\p@ % section 88.8. plus 4.722\p@
-\tocsubsecnum=30.5\p@ % subsection 88.8.8 plus 4.944\p@
-\tocsubsubsecnum=38\p@ % subsubsection 88.8.8.8 plus 4.666\p@
-\tocparanum=45\p@ % paragraph 88.8.8.8.8 plus 3.888\p@
-\tocsubparanum=53\p@ % subparagraph 88.8.8.8.8.8 plus 4.11\p@
-\def\calctocindent{%
-\tocsectotal=\tocchpnum
-\advance\tocsectotal by\tocsecnum
-\tocsubsectotal=\tocsectotal
-\advance\tocsubsectotal by\tocsubsecnum
-\tocsubsubsectotal=\tocsubsectotal
-\advance\tocsubsubsectotal by\tocsubsubsecnum
-\tocparatotal=\tocsubsubsectotal
-\advance\tocparatotal by\tocparanum}
-\calctocindent
-
-\def\@dottedtocline#1#2#3#4#5{%
- \ifnum #1>\c@tocdepth \else
- \vskip \z@ \@plus.2\p@
- {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by \z@ \@plus 2cm
- \parfillskip -\rightskip \pretolerance=10000
- \parindent #2\relax\@afterindenttrue
- \interlinepenalty\@M
- \leavevmode
- \@tempdima #3\relax
- \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip
- {#4}\nobreak
- \leaders\hbox{$\m@th
- \mkern \@dotsep mu\hbox{.}\mkern \@dotsep
- mu$}\hfill
- \nobreak
- \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}%
- \par}%
- \fi}
-%
-\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
-\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
-\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
-\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
-\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
-
-\renewcommand\listoffigures{%
- \chapter*{\listfigurename
- \@mkboth{\listfigurename}{\listfigurename}}%
- \@starttoc{lof}%
- }
-
-\renewcommand\listoftables{%
- \chapter*{\listtablename
- \@mkboth{\listtablename}{\listtablename}}%
- \@starttoc{lot}%
- }
-
-\renewcommand\footnoterule{%
- \kern-3\p@
- \hrule\@width 50\p@
- \kern2.6\p@}
-
-\newdimen\foot@parindent
-\foot@parindent 10.83\p@
-
-\AtBeginDocument{%
-\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
- \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
- \@tempdima}\par
- \parindent \foot@parindent\noindent \hbox to \z@{%
- \hss\hss$^{\@thefnmark}$ }#1}}
-
-\if@spthms
-% Definition of the "\spnewtheorem" command.
-%
-% Usage:
-%
-% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
-% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
-% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
-%
-% New is "cap_font" and "body_font". It stands for
-% fontdefinition of the caption and the text itself.
-%
-% "\spnewtheorem*" gives a theorem without number.
-%
-% A defined spnewthoerem environment is used as described
-% by Lamport.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\@thmcountersep{.}
-\def\@thmcounterend{.}
-\newcommand\nocaption{\noexpand\@gobble}
-\newdimen\spthmsep \spthmsep=3pt
-
-\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
-
-% definition of \spnewtheorem with number
-
-\def\@spnthm#1#2{%
- \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
-\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
-
-\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
- {\@definecounter{#1}\@addtoreset{#1}{#3}%
- \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
- \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
- {\@definecounter{#1}%
- \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spothm#1[#2]#3#4#5{%
- \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
- {\expandafter\@ifdefinable\csname #1\endcsname
- {\global\@namedef{the#1}{\@nameuse{the#2}}%
- \expandafter\xdef\csname #1name\endcsname{#3}%
- \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
- \global\@namedef{end#1}{\@endtheorem}}}}
-
-\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\labelsep=\spthmsep\refstepcounter{#1}%
-\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
-
-\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
- \ignorespaces}
-
-\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
- the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
-
-\def\normalthmheadings{\def\@spbegintheorem##1##2##3##4{\trivlist
- \item[\hskip\labelsep{##3##1\ ##2\@thmcounterend}]##4}
-\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
- \item[\hskip\labelsep{##4##1\ ##2}]{##4(##3)\@thmcounterend\ }##5}}
-\normalthmheadings
-
-\def\reversethmheadings{\def\@spbegintheorem##1##2##3##4{\trivlist
- \item[\hskip\labelsep{##3##2\ ##1\@thmcounterend}]##4}
-\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
- \item[\hskip\labelsep{##4##2\ ##1}]{##4(##3)\@thmcounterend\ }##5}}
-
-% definition of \spnewtheorem* without number
-
-\def\@sthm#1#2{\@Ynthm{#1}{#2}}
-
-\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
- {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
-
-\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
-
-\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
- {#4}{#2}{#3}\ignorespaces}
-
-\def\@Begintheorem#1#2#3{#3\trivlist
- \item[\hskip\labelsep{#2#1\@thmcounterend}]}
-
-\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
- \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
-
-% initialize theorem environment
-
-\if@envcntshowhiercnt % show hierarchy counter
- \def\@thmcountersep{.}
- \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
- \@addtoreset{theorem}{chapter}
-\else % theorem counter only
- \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
- \if@envcntreset
- \@addtoreset{theorem}{chapter}
- \if@envcntresetsect
- \@addtoreset{theorem}{section}
- \fi
- \fi
-\fi
-
-%definition of divers theorem environments
-\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
-\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
-%
-\if@envcntsame % all environments like "Theorem" - using its counter
- \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
-\else % all environments with their own counter
- \if@envcntshowhiercnt % show hierarchy counter
- \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
- \else % environment counter only
- \if@envcntreset % environment counter is reset each section
- \if@envcntresetsect
- \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
- \@addtoreset{#1}{chapter}\@addtoreset{#1}{section}}
- \else
- \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
- \@addtoreset{#1}{chapter}}
- \fi
- \else
- \let\spn@wtheorem=\@spynthm
- \fi
- \fi
-\fi
-%
-\let\spdefaulttheorem=\spn@wtheorem
-%
-\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
-\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
-\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
-\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
-\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
-\spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
-\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
-\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
-\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
-\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
-\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
-\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
-\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
-\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
-%
-\newenvironment{theopargself}
- {\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
- \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
- \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
- \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}}{}
-\newenvironment{theopargself*}
- {\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
- \item[\hskip\labelsep{##4##1\ ##2}]{\hspace*{-\labelsep}##4##3\@thmcounterend}##5}
- \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
- \item[\hskip\labelsep{##3##1}]{\hspace*{-\labelsep}##3##2\@thmcounterend}}}{}
-%
-\spnewtheorem{prob}{\nocaption}[chapter]{\bfseries}{\rmfamily}
-\newcommand{\probref}[1]{\textbf{\ref{#1}} }
-\newenvironment{sol}{\par\addvspace{6pt}\noindent\probref}{\par\addvspace{6pt}}
-%
-\fi
-
-\def\@takefromreset#1#2{%
- \def\@tempa{#1}%
- \let\@tempd\@elt
- \def\@elt##1{%
- \def\@tempb{##1}%
- \ifx\@tempa\@tempb\else
- \@addtoreset{##1}{#2}%
- \fi}%
- \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
- \expandafter\def\csname cl@#2\endcsname{}%
- \@tempc
- \let\@elt\@tempd}
-
-% redefininition of the captions for "figure" and "table" environments
-%
-\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
-\def\floatcounterend{.\ }
-\def\capstrut{\vrule\@width\z@\@height\topskip}
-\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
-\@ifundefined{instindent}{\newdimen\instindent}{}
-
-\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore\if@minipage\@setminipage\fi
- \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-
-\def\twocaptionwidth#1#2{\def\first@capwidth{#1}\def\second@capwidth{#2}}
-% Default: .46\textwidth
-\twocaptionwidth{.46\textwidth}{.46\textwidth}
-
-\def\leftcaption{\refstepcounter\@captype\@dblarg%
- {\@leftcaption\@captype}}
-
-\def\rightcaption{\refstepcounter\@captype\@dblarg%
- {\@rightcaption\@captype}}
-
-\long\def\@leftcaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \vskip\figcapgap
- \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
- {\first@capwidth}\ignorespaces\hspace{.073\textwidth}\hfill%
- \endgroup}
-
-\long\def\@rightcaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
- {\second@capwidth}\par
- \endgroup}
-
-\long\def\@maketwocaptions#1#2#3{%
- \parbox[t]{#3}{{\floatlegendstyle #1\floatcounterend}#2}}
-
-\def\fig@pos{l}
-\newcommand{\leftfigure}[2][\fig@pos]{\makebox[.4635\textwidth][#1]{#2}}
-\let\rightfigure\leftfigure
-
-\newdimen\figgap\figgap=0.5cm % hgap between figure and sidecaption
-%
-\long\def\@makesidecaption#1#2{%
- \setbox0=\vbox{\hsize=\@tempdimb
- \captionstyle{\floatlegendstyle
- #1\floatcounterend}#2}%
- \ifdim\instindent<\z@
- \ifdim\ht0>-\instindent
- \advance\instindent by\ht0
- \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
- \@captype\space\csname the\@captype\endcsname
- ^^Jis \the\instindent\space taller than the corresponding float -
- ^^Jyou'd better switch the environment. }%
- \instindent\z@
- \fi
- \else
- \ifdim\ht0<\instindent
- \advance\instindent by-\ht0
- \advance\instindent by-\dp0\relax
- \advance\instindent by\topskip
- \advance\instindent by-11\p@
- \else
- \advance\instindent by-\ht0
- \instindent=-\instindent
- \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
- \@captype\space\csname the\@captype\endcsname
- ^^Jis \the\instindent\space taller than the corresponding float -
- ^^Jyou'd better switch the environment. }%
- \instindent\z@
- \fi
- \fi
- \parbox[b]{\@tempdimb}{\captionstyle{\floatlegendstyle
- #1\floatcounterend}#2%
- \ifdim\instindent>\z@ \\
- \vrule\@width\z@\@height\instindent
- \@depth\z@
- \fi}}
-\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
-\def\sidec@ption[#1]#2\caption{%
-\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
-\if@twocolumn
- \ifdim\hsize<\textwidth\else
- \ifdim\wd\@tempboxa<\columnwidth
- \typeout{Double column float fits into single column -
- ^^Jyou'd better switch the environment. }%
- \fi
- \fi
-\fi
- \instindent=\ht\@tempboxa
- \advance\instindent by\dp\@tempboxa
-\if t#1
-\else
- \instindent=-\instindent
-\fi
-\@tempdimb=\hsize
-\advance\@tempdimb by-\figgap
-\advance\@tempdimb by-\wd\@tempboxa
-\ifdim\@tempdimb<3cm
- \ClassWarning{SVMono}{\string\sidecaption: No sufficient room for the legend;
- ^^Jusing normal \string\caption}%
- \unhbox\@tempboxa
- \let\@capcommand=\@caption
-\else
- \ifdim\@tempdimb<4.5cm
- \ClassWarning{SVMono}{\string\sidecaption: Room for the legend very narrow;
- ^^Jusing \string\raggedright}%
- \toks@\expandafter{\captionstyle\sloppy
- \rightskip=\z@\@plus6mm\relax}%
- \def\captionstyle{\the\toks@}%
- \fi
- \let\@capcommand=\@sidecaption
- \leavevmode
- \unhbox\@tempboxa
- \hfill
-\fi
-\refstepcounter\@captype
-\@dblarg{\@capcommand\@captype}}
-\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\fig@type{figure}
-
-\def\leftlegendglue{\hfil}
-\newdimen\figcapgap\figcapgap=5\p@ % vgap between figure and caption
-\newdimen\tabcapgap\tabcapgap=5.5\p@ % vgap between caption and table
-
-\long\def\@makecaption#1#2{%
- \captionstyle
- \ifx\@captype\fig@type
- \vskip\figcapgap
- \fi
- \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
- \capstrut #2}%
- \ifdim \wd\@tempboxa >\hsize
- {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
- \else
- \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
- \fi
- \ifx\@captype\fig@type\else
- \vskip\tabcapgap
- \fi}
-
-\newcounter{merk}
-
-\def\endfigure{\resetsubfig\end@float}
-
-\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
-
-\def\resetsubfig{\global\let\last@subfig=\undefined}
-
-\def\r@setsubfig{\xdef\last@subfig{\number\value{figure}}%
-\setcounter{figure}{\value{merk}}%
-\setcounter{merk}{0}}
-
-\def\subfigures{\refstepcounter{figure}%
- \@tempcnta=\value{merk}%
- \setcounter{merk}{\value{figure}}%
- \setcounter{figure}{\the\@tempcnta}%
- \def\thefigure{\if@numart\else\thechapter.\fi
- \@arabic\c@merk\alph{figure}}%
- \let\resetsubfig=\r@setsubfig}
-
-\def\samenumber{\addtocounter{\@captype}{-1}%
-\@ifundefined{last@subfig}{}{\setcounter{merk}{\last@subfig}}}
-
-% redefinition of the "bibliography" environment
-%
-\def\biblstarthook#1{\gdef\biblst@rthook{#1}}
-%
-\AtBeginDocument{%
-\ifx\secbibl\undefined
- \def\bibsection{\chapter*{\refname}\markboth{\refname}{\refname}%
- \addcontentsline{toc}{chapter}{\refname}%
- \csname biblst@rthook\endcsname}
-\else
- \def\bibsection{\section*{\refname}\markright{\refname}%
- \addcontentsline{toc}{section}{\refname}%
- \csname biblst@rthook\endcsname}
-\fi}
-\ifx\oribibl\undefined % Springer way of life
- \renewenvironment{thebibliography}[1]{\bibsection
- \global\let\biblst@rthook=\undefined
- \def\@biblabel##1{##1.}
- \small
- \list{\@biblabel{\@arabic\c@enumiv}}%
- {\settowidth\labelwidth{\@biblabel{#1}}%
- \leftmargin\labelwidth
- \advance\leftmargin\labelsep
- \if@openbib
- \advance\leftmargin\bibindent
- \itemindent -\bibindent
- \listparindent \itemindent
- \parsep \z@
- \fi
- \usecounter{enumiv}%
- \let\p@enumiv\@empty
- \renewcommand\theenumiv{\@arabic\c@enumiv}}%
- \if@openbib
- \renewcommand\newblock{\par}%
- \else
- \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
- \fi
- \sloppy\clubpenalty4000\widowpenalty4000%
- \sfcode`\.=\@m}
- {\def\@noitemerr
- {\@latex@warning{Empty `thebibliography' environment}}%
- \endlist}
- \def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw
- {\let\protect\noexpand\immediate
- \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
-\else % original bibliography is required
- \let\bibname=\refname
- \renewenvironment{thebibliography}[1]
- {\chapter*{\bibname
- \@mkboth{\bibname}{\bibname}}%
- \list{\@biblabel{\@arabic\c@enumiv}}%
- {\settowidth\labelwidth{\@biblabel{#1}}%
- \leftmargin\labelwidth
- \advance\leftmargin\labelsep
- \@openbib@code
- \usecounter{enumiv}%
- \let\p@enumiv\@empty
- \renewcommand\theenumiv{\@arabic\c@enumiv}}%
- \sloppy
- \clubpenalty4000
- \@clubpenalty \clubpenalty
- \widowpenalty4000%
- \sfcode`\.\@m}
- {\def\@noitemerr
- {\@latex@warning{Empty `thebibliography' environment}}%
- \endlist}
-\fi
-
-\let\if@threecolind\iffalse
-\def\threecolindex{\let\if@threecolind\iftrue}
-\def\indexstarthook#1{\gdef\indexst@rthook{#1}}
-\renewenvironment{theindex}
- {\if@twocolumn
- \@restonecolfalse
- \else
- \@restonecoltrue
- \fi
- \columnseprule \z@
- \columnsep 1cc
- \@nobreaktrue
- \if@threecolind
- \begin{multicols}{3}[\chapter*{\indexname}%
- \else
- \begin{multicols}{2}[\chapter*{\indexname}%
- \fi
- {\csname indexst@rthook\endcsname}]%
- \global\let\indexst@rthook=\undefined
- \markboth{\indexname}{\indexname}%
- \addcontentsline{toc}{chapter}{\indexname}%
- \flushbottom
- \parindent\z@
- \rightskip\z@ \@plus 40\p@
- \parskip\z@ \@plus .3\p@\relax
- \flushbottom
- \let\item\@idxitem
- \def\,{\relax\ifmmode\mskip\thinmuskip
- \else\hskip0.2em\ignorespaces\fi}%
- \normalfont\small}
- {\end{multicols}
- \global\let\if@threecolind\iffalse
- \if@restonecol\onecolumn\else\clearpage\fi}
-
-\def\idxquad{\hskip 10\p@}% space that divides entry from number
-
-\def\@idxitem{\par\setbox0=\hbox{--\,--\,--\enspace}%
- \hangindent\wd0\relax}
-
-\def\subitem{\par\noindent\setbox0=\hbox{--\enspace}% second order
- \kern\wd0\setbox0=\hbox{--\,--\,--\enspace}%
- \hangindent\wd0\relax}% indexentry
-
-\def\subsubitem{\par\noindent\setbox0=\hbox{--\,--\enspace}% third order
- \kern\wd0\setbox0=\hbox{--\,--\,--\enspace}%
- \hangindent\wd0\relax}% indexentry
-
-\def\indexspace{\par \vskip 10\p@ \@plus5\p@ \@minus3\p@\relax}
-
-\def\subtitle#1{\gdef\@subtitle{#1}}
-\def\@subtitle{}
-
-\def\maketitle{\par
- \begingroup
- \def\thefootnote{\fnsymbol{footnote}}%
- \def\@makefnmark{\hbox
- to\z@{$\m@th^{\@thefnmark}$\hss}}%
- \if@twocolumn
- \twocolumn[\@maketitle]%
- \else \newpage
- \global\@topnum\z@ % Prevents figures from going at top of page.
- \@maketitle \fi\thispagestyle{empty}\@thanks
- \par\penalty -\@M
- \endgroup
- \setcounter{footnote}{0}%
- \let\maketitle\relax
- \let\@maketitle\relax
- \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
-
-\def\@maketitle{\newpage
- \null
- \vskip 2em % Vertical space above title.
-\begingroup
- \def\and{\unskip, }
- \parindent=\z@
- \pretolerance=10000
- \rightskip=\z@ \@plus 3cm
- {\LARGE % each author set in \LARGE
- \lineskip .5em
- \@author
- \par}%
- \vskip 2cm % Vertical space after author.
- {\Huge \@title \par}% % Title set in \Huge size.
- \vskip 1cm % Vertical space after title.
- \if!\@subtitle!\else
- {\LARGE\ignorespaces\@subtitle \par}
- \vskip 1cm % Vertical space after subtitle.
- \fi
- \if!\@date!\else
- {\large \@date}% % Date set in \large size.
- \par
- \vskip 1.5em % Vertical space after date.
- \fi
- \vfill
-% {\Large Springer\par}
-%\vskip 5\p@
-%\large
-% Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
-% Hong\thinspace Kong\enspace London\\
-% Milan\enspace Paris\enspace Tokyo\par
-\endgroup}
-
-% Useful environments
-\newenvironment{acknowledgement}{\par\addvspace{17\p@}\small\rm
-\trivlist\item[\hskip\labelsep{\it\ackname}]}
-{\endtrivlist\addvspace{6\p@}}
-%
-\newenvironment{noteadd}{\par\addvspace{17\p@}\small\rm
-\trivlist\item[\hskip\labelsep{\it\noteaddname}]}
-{\endtrivlist\addvspace{6\p@}}
-%
-\renewenvironment{abstract}{%
- \advance\topsep by0.35cm\relax\small
- \labelwidth=\z@
- \listparindent=\z@
- \itemindent\listparindent
- \trivlist\item[\hskip\labelsep\bfseries\abstractname]%
- \if!\abstractname!\hskip-\labelsep\fi
- }
- {\endtrivlist}
-
-% define the running headings of a twoside text
-\def\runheadsize{\small}
-\def\runheadstyle{\rmfamily\upshape}
-\def\customizhead{\hspace{\headlineindent}}
-
-\def\ps@headings{\let\@mkboth\markboth
- \let\@oddfoot\@empty\let\@evenfoot\@empty
- \def\@evenhead{\runheadsize\runheadstyle\rlap{\thepage}\customizhead
- \leftmark\hfil}
- \def\@oddhead{\runheadsize\runheadstyle\hfil\rightmark\customizhead
- \llap{\thepage}}
- \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
- \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
- \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
- \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
- \thesection\seccounterend\hskip\betweenumberspace\fi ##1}}}}
-
-\def\ps@myheadings{\let\@mkboth\@gobbletwo
- \let\@oddfoot\@empty\let\@evenfoot\@empty
- \def\@evenhead{\runheadsize\runheadstyle\rlap{\thepage}\customizhead
- \leftmark\hfil}
- \def\@oddhead{\runheadsize\runheadstyle\hfil\rightmark\customizhead
- \llap{\thepage}}
- \let\chaptermark\@gobble
- \let\sectionmark\@gobble
- \let\subsectionmark\@gobble}
-
-
-\ps@headings
-
-\endinput
-%end of file svmono.cls
--- a/doc-src/ROOT Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,387 +0,0 @@
-session Classes (doc) in "Classes" = HOL +
- options [document_variants = "classes"]
- theories [document = false] Setup
- theories Classes
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/build"
- "document/root.tex"
- "document/style.sty"
-
-session Codegen (doc) in "Codegen" = "HOL-Library" +
- options [document_variants = "codegen", print_mode = "no_brackets,iff"]
- theories [document = false] Setup
- theories
- Introduction
- Foundations
- Refinement
- Inductive_Predicate
- Evaluation
- Adaptation
- Further
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/adapt.tex"
- "document/architecture.tex"
- "document/build"
- "document/root.tex"
- "document/style.sty"
-
-session Functions (doc) in "Functions" = HOL +
- options [document_variants = "functions"]
- theories Functions
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../isar.sty"
- "../manual.bib"
- "document/build"
- "document/conclusion.tex"
- "document/intro.tex"
- "document/mathpartir.sty"
- "document/root.tex"
- "document/style.sty"
-
-session Intro (doc) in "Intro" = Pure +
- options [document_variants = "intro"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../manual.bib"
- "document/build"
- "document/root.tex"
-
-session IsarImplementation (doc) in "IsarImplementation" = HOL +
- options [document_variants = "implementation"]
- theories
- Eq
- Integration
- Isar
- Local_Theory
- Logic
- ML
- Prelim
- Proof
- Syntax
- Tactic
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../isar.sty"
- "../proof.sty"
- "../underscore.sty"
- "../ttbox.sty"
- "../manual.bib"
- "document/build"
- "document/root.tex"
- "document/style.sty"
-
-session IsarRef (doc) in "IsarRef" = HOL +
- options [document_variants = "isar-ref", quick_and_dirty, thy_output_source]
- theories
- Preface
- Synopsis
- Framework
- First_Order_Logic
- Outer_Syntax
- Document_Preparation
- Spec
- Proof
- Inner_Syntax
- Misc
- Generic
- HOL_Specific
- Quick_Reference
- Symbols
- ML_Tactic
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../isar.sty"
- "../manual.bib"
- "document/build"
- "document/isar-vm.eps"
- "document/isar-vm.pdf"
- "document/isar-vm.svg"
- "document/root.tex"
- "document/showsymbols"
- "document/style.sty"
-
-session LaTeXsugar (doc) in "LaTeXsugar" = HOL +
- options [document_variants = "sugar"]
- theories [document = ""]
- "~~/src/HOL/Library/LaTeXsugar"
- "~~/src/HOL/Library/OptionalSugar"
- theories Sugar
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/build"
- "document/mathpartir.sty"
- "document/root.bib"
- "document/root.tex"
-
-session Locales (doc) in "Locales" = HOL +
- options [document_variants = "locales", pretty_margin = 65]
- theories
- Examples1
- Examples2
- Examples3
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/build"
- "document/root.tex"
-
-session Logics (doc) in "Logics" = Pure +
- options [document_variants = "logics"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../manual.bib"
- "document/build"
- "document/root.tex"
-
-session "Logics-HOL" (doc) in "HOL" = Pure +
- options [document_variants = "logics-HOL"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../manual.bib"
- "../Logics/document/syntax.tex"
- "document/build"
- "document/root.tex"
-
-session "Logics-ZF" (doc) in "ZF" = ZF +
- options [document_variants = "logics-ZF", print_mode = "brackets",
- thy_output_source]
- theories
- IFOL_examples
- FOL_examples
- ZF_examples
- If
- ZF_Isar
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../isar.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../manual.bib"
- "../Logics/document/syntax.tex"
- "document/build"
- "document/root.tex"
-
-session Main (doc) in "Main" = HOL +
- options [document_variants = "main"]
- theories Main_Doc
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/build"
- "document/root.tex"
-
-session Nitpick (doc) in "Nitpick" = Pure +
- options [document_variants = "nitpick"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../manual.bib"
- "document/build"
- "document/root.tex"
-
-session ProgProve (doc) in "ProgProve" = HOL +
- options [document_variants = "prog-prove", show_question_marks = false]
- theories
- Basics
- Bool_nat_list
- MyList
- Types_and_funs
- Logic
- Isar
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "document/bang.eps"
- "document/bang.pdf"
- "document/build"
- "document/intro-isabelle.tex"
- "document/mathpartir.sty"
- "document/prelude.tex"
- "document/root.bib"
- "document/root.tex"
- "document/svmono.cls"
-
-session Ref (doc) in "Ref" = Pure +
- options [document_variants = "ref"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../proof.sty"
- "../manual.bib"
- "document/build"
- "document/classical.tex"
- "document/root.tex"
- "document/simplifier.tex"
- "document/substitution.tex"
- "document/syntax.tex"
- "document/tactic.tex"
- "document/thm.tex"
-
-session Sledgehammer (doc) in "Sledgehammer" = Pure +
- options [document_variants = "sledgehammer"]
- theories
- files
- "../prepare_document"
- "../pdfsetup.sty"
- "../iman.sty"
- "../manual.bib"
- "document/build"
- "document/root.tex"
-
-session System (doc) in "System" = Pure +
- options [document_variants = "system", thy_output_source]
- theories
- Basics
- Interfaces
- Sessions
- Presentation
- Scala
- Misc
- files
- "../prepare_document"
- "../IsarRef/document/style.sty"
- "../pdfsetup.sty"
- "../iman.sty"
- "../extra.sty"
- "../ttbox.sty"
- "../isar.sty"
- "../underscore.sty"
- "../manual.bib"
- "document/browser_screenshot.eps"
- "document/browser_screenshot.png"
- "document/build"
- "document/root.tex"
-
-session Tutorial (doc) in "TutorialI" = HOL +
- options [document_variants = "tutorial", print_mode = "brackets"]
- theories [thy_output_indent = 5]
- "ToyList/ToyList"
- "Ifexpr/Ifexpr"
- "CodeGen/CodeGen"
- "Trie/Trie"
- "Datatype/ABexpr"
- "Datatype/unfoldnested"
- "Datatype/Nested"
- "Datatype/Fundata"
- "Fun/fun0"
- "Advanced/simp2"
- "CTL/PDL"
- "CTL/CTL"
- "CTL/CTLind"
- "Inductive/Even"
- "Inductive/Mutual"
- "Inductive/Star"
- "Inductive/AB"
- "Inductive/Advanced"
- "Misc/Tree"
- "Misc/Tree2"
- "Misc/Plus"
- "Misc/case_exprs"
- "Misc/fakenat"
- "Misc/natsum"
- "Misc/pairs2"
- "Misc/Option2"
- "Misc/types"
- "Misc/prime_def"
- "Misc/simp"
- "Misc/Itrev"
- "Misc/AdvancedInd"
- "Misc/appendix"
- theories
- "Protocol/NS_Public"
- "Documents/Documents"
- theories [document = ""]
- "Types/Setup"
- theories [pretty_margin = 64, thy_output_indent = 0]
- "Types/Numbers"
- "Types/Pairs"
- "Types/Records"
- "Types/Typedefs"
- "Types/Overloading"
- "Types/Axioms"
- "Rules/Basic"
- "Rules/Blast"
- "Rules/Force"
- theories [pretty_margin = 64, thy_output_indent = 5]
- "Rules/Primes"
- "Rules/Forward"
- "Rules/Tacticals"
- "Rules/find2"
- "Sets/Examples"
- "Sets/Functions"
- "Sets/Relations"
- "Sets/Recur"
- files
- "ToyList/ToyList1"
- "ToyList/ToyList2"
- "../pdfsetup.sty"
- "../proof.sty"
- "../ttbox.sty"
- "../manual.bib"
- "document/advanced0.tex"
- "document/appendix0.tex"
- "document/basics.tex"
- "document/build"
- "document/cl2emono-modified.sty"
- "document/ctl0.tex"
- "document/documents0.tex"
- "document/fp.tex"
- "document/inductive0.tex"
- "document/isa-index"
- "document/Isa-logics.eps"
- "document/Isa-logics.pdf"
- "document/numerics.tex"
- "document/pghead.eps"
- "document/pghead.pdf"
- "document/preface.tex"
- "document/protocol.tex"
- "document/root.tex"
- "document/rules.tex"
- "document/sets.tex"
- "document/tutorial.sty"
- "document/typedef.pdf"
- "document/typedef.ps"
- "document/types0.tex"
-
--- a/doc-src/Ref/abstract.txt Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-Isabelle Reference Manual. Report 283
-
-This manual is a comprehensive description of Isabelle, including all
-commands, functions and packages. Functions are organized according to the
-task they perform. In each section, basic functions appear before advanced
-ones. The Index provides an alphabetical listing. It is intended as a
-reference, not for casual reading. The manual assumes familiarity with the
-basic concepts explained in Report 280, Introduction to Isabelle.
--- a/doc-src/Ref/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle.pdf ""
-"$ISABELLE_TOOL" logo -o isabelle.eps ""
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Ref/document/classical.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,224 +0,0 @@
-
-\chapter{The Classical Reasoner}\label{chap:classical}
-\index{classical reasoner|(}
-\newcommand\ainfer[2]{\begin{array}{r@{\,}l}#2\\ \hline#1\end{array}}
-
-\section{Classical rule sets}
-\index{classical sets}
-
-For elimination and destruction rules there are variants of the add operations
-adding a rule in a way such that it is applied only if also its second premise
-can be unified with an assumption of the current proof state:
-\indexbold{*addSE2}\indexbold{*addSD2}\indexbold{*addE2}\indexbold{*addD2}
-\begin{ttbox}
-addSE2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
-addSD2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
-addE2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
-addD2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
-\end{ttbox}
-\begin{warn}
- A rule to be added in this special way must be given a name, which is used
- to delete it again -- when desired -- using \texttt{delSWrappers} or
- \texttt{delWrappers}, respectively. This is because these add operations
- are implemented as wrappers (see \ref{sec:modifying-search} below).
-\end{warn}
-
-
-\subsection{Modifying the search step}
-\label{sec:modifying-search}
-For a given classical set, the proof strategy is simple. Perform as many safe
-inferences as possible; or else, apply certain safe rules, allowing
-instantiation of unknowns; or else, apply an unsafe rule. The tactics also
-eliminate assumptions of the form $x=t$ by substitution if they have been set
-up to do so (see \texttt{hyp_subst_tacs} in~{\S}\ref{sec:classical-setup} below).
-They may perform a form of Modus Ponens: if there are assumptions $P\imp Q$
-and~$P$, then replace $P\imp Q$ by~$Q$.
-
-The classical reasoning tactics --- except \texttt{blast_tac}! --- allow
-you to modify this basic proof strategy by applying two lists of arbitrary
-{\bf wrapper tacticals} to it.
-The first wrapper list, which is considered to contain safe wrappers only,
-affects \ttindex{safe_step_tac} and all the tactics that call it.
-The second one, which may contain unsafe wrappers, affects the unsafe parts
-of \ttindex{step_tac}, \ttindex{slow_step_tac}, and the tactics that call them.
-A wrapper transforms each step of the search, for example
-by attempting other tactics before or after the original step tactic.
-All members of a wrapper list are applied in turn to the respective step tactic.
-
-Initially the two wrapper lists are empty, which means no modification of the
-step tactics. Safe and unsafe wrappers are added to a claset
-with the functions given below, supplying them with wrapper names.
-These names may be used to selectively delete wrappers.
-
-\begin{ttbox}
-type wrapper = (int -> tactic) -> (int -> tactic);
-
-addSWrapper : claset * (string * wrapper ) -> claset \hfill{\bf infix 4}
-addSbefore : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
-addSafter : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
-delSWrapper : claset * string -> claset \hfill{\bf infix 4}
-
-addWrapper : claset * (string * wrapper ) -> claset \hfill{\bf infix 4}
-addbefore : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
-addafter : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
-delWrapper : claset * string -> claset \hfill{\bf infix 4}
-
-addSss : claset * simpset -> claset \hfill{\bf infix 4}
-addss : claset * simpset -> claset \hfill{\bf infix 4}
-\end{ttbox}
-%
-
-\begin{ttdescription}
-\item[$cs$ addSWrapper $(name,wrapper)$] \indexbold{*addSWrapper}
-adds a new wrapper, which should yield a safe tactic,
-to modify the existing safe step tactic.
-
-\item[$cs$ addSbefore $(name,tac)$] \indexbold{*addSbefore}
-adds the given tactic as a safe wrapper, such that it is tried
-{\em before} each safe step of the search.
-
-\item[$cs$ addSafter $(name,tac)$] \indexbold{*addSafter}
-adds the given tactic as a safe wrapper, such that it is tried
-when a safe step of the search would fail.
-
-\item[$cs$ delSWrapper $name$] \indexbold{*delSWrapper}
-deletes the safe wrapper with the given name.
-
-\item[$cs$ addWrapper $(name,wrapper)$] \indexbold{*addWrapper}
-adds a new wrapper to modify the existing (unsafe) step tactic.
-
-\item[$cs$ addbefore $(name,tac)$] \indexbold{*addbefore}
-adds the given tactic as an unsafe wrapper, such that it its result is
-concatenated {\em before} the result of each unsafe step.
-
-\item[$cs$ addafter $(name,tac)$] \indexbold{*addafter}
-adds the given tactic as an unsafe wrapper, such that it its result is
-concatenated {\em after} the result of each unsafe step.
-
-\item[$cs$ delWrapper $name$] \indexbold{*delWrapper}
-deletes the unsafe wrapper with the given name.
-
-\item[$cs$ addSss $ss$] \indexbold{*addss}
-adds the simpset~$ss$ to the classical set. The assumptions and goal will be
-simplified, in a rather safe way, after each safe step of the search.
-
-\item[$cs$ addss $ss$] \indexbold{*addss}
-adds the simpset~$ss$ to the classical set. The assumptions and goal will be
-simplified, before the each unsafe step of the search.
-
-\end{ttdescription}
-
-\index{simplification!from classical reasoner}
-Strictly speaking, the operators \texttt{addss} and \texttt{addSss}
-are not part of the classical reasoner.
-, which are used as primitives
-for the automatic tactics described in {\S}\ref{sec:automatic-tactics}, are
-implemented as wrapper tacticals.
-they
-\begin{warn}
-Being defined as wrappers, these operators are inappropriate for adding more
-than one simpset at a time: the simpset added last overwrites any earlier ones.
-When a simpset combined with a claset is to be augmented, this should done
-{\em before} combining it with the claset.
-\end{warn}
-
-
-\section{The classical tactics}
-
-\subsection{Other classical tactics}
-\begin{ttbox}
-slow_best_tac : claset -> int -> tactic
-\end{ttbox}
-
-\begin{ttdescription}
-\item[\ttindexbold{slow_best_tac} $cs$ $i$] applies \texttt{slow_step_tac} with
-best-first search to prove subgoal~$i$.
-\end{ttdescription}
-
-
-\subsection{Other useful tactics}
-\index{tactics!for contradiction}
-\index{tactics!for Modus Ponens}
-\begin{ttbox}
-contr_tac : int -> tactic
-mp_tac : int -> tactic
-eq_mp_tac : int -> tactic
-swap_res_tac : thm list -> int -> tactic
-\end{ttbox}
-These can be used in the body of a specialized search.
-\begin{ttdescription}
-\item[\ttindexbold{contr_tac} {\it i}]\index{assumptions!contradictory}
- solves subgoal~$i$ by detecting a contradiction among two assumptions of
- the form $P$ and~$\neg P$, or fail. It may instantiate unknowns. The
- tactic can produce multiple outcomes, enumerating all possible
- contradictions.
-
-\item[\ttindexbold{mp_tac} {\it i}]
-is like \texttt{contr_tac}, but also attempts to perform Modus Ponens in
-subgoal~$i$. If there are assumptions $P\imp Q$ and~$P$, then it replaces
-$P\imp Q$ by~$Q$. It may instantiate unknowns. It fails if it can do
-nothing.
-
-\item[\ttindexbold{eq_mp_tac} {\it i}]
-is like \texttt{mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
-is safe.
-
-\item[\ttindexbold{swap_res_tac} {\it thms} {\it i}] refines subgoal~$i$ of
-the proof state using {\it thms}, which should be a list of introduction
-rules. First, it attempts to prove the goal using \texttt{assume_tac} or
-\texttt{contr_tac}. It then attempts to apply each rule in turn, attempting
-resolution and also elim-resolution with the swapped form.
-\end{ttdescription}
-
-
-\section{Setting up the classical reasoner}\label{sec:classical-setup}
-\index{classical reasoner!setting up}
-Isabelle's classical object-logics, including \texttt{FOL} and \texttt{HOL},
-have the classical reasoner already set up.
-When defining a new classical logic, you should set up the reasoner yourself.
-It consists of the \ML{} functor \ttindex{ClassicalFun}, which takes the
-argument signature \texttt{CLASSICAL_DATA}:
-\begin{ttbox}
-signature CLASSICAL_DATA =
- sig
- val mp : thm
- val not_elim : thm
- val swap : thm
- val sizef : thm -> int
- val hyp_subst_tacs : (int -> tactic) list
- end;
-\end{ttbox}
-Thus, the functor requires the following items:
-\begin{ttdescription}
-\item[\tdxbold{mp}] should be the Modus Ponens rule
-$\List{\Var{P}\imp\Var{Q};\; \Var{P}} \Imp \Var{Q}$.
-
-\item[\tdxbold{not_elim}] should be the contradiction rule
-$\List{\neg\Var{P};\; \Var{P}} \Imp \Var{R}$.
-
-\item[\tdxbold{swap}] should be the swap rule
-$\List{\neg \Var{P}; \; \neg \Var{R}\Imp \Var{P}} \Imp \Var{R}$.
-
-\item[\ttindexbold{sizef}] is the heuristic function used for best-first
-search. It should estimate the size of the remaining subgoals. A good
-heuristic function is \ttindex{size_of_thm}, which measures the size of the
-proof state. Another size function might ignore certain subgoals (say,
-those concerned with type-checking). A heuristic function might simply
-count the subgoals.
-
-\item[\ttindexbold{hyp_subst_tacs}] is a list of tactics for substitution in
-the hypotheses, typically created by \ttindex{HypsubstFun} (see
-Chapter~\ref{substitution}). This list can, of course, be empty. The
-tactics are assumed to be safe!
-\end{ttdescription}
-The functor is not at all sensitive to the formalization of the
-object-logic. It does not even examine the rules, but merely applies
-them according to its fixed strategy. The functor resides in {\tt
- Provers/classical.ML} in the Isabelle sources.
-
-\index{classical reasoner|)}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,65 +0,0 @@
-\documentclass[12pt,a4paper]{report}
-\usepackage{graphicx,iman,extra,ttbox,proof,pdfsetup}
-
-%%% to index ids: \[\\tt \([a-zA-Z0-9][a-zA-Z0-9_'.]*\) [\\ttindexbold{\1}
-%%% to delete old ones: \\indexbold{\*[^}]*}
-%% run sedindex ref to prepare index file
-%%% needs chapter on Provers/typedsimp.ML?
-\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Old Isabelle Reference Manual}
-
-\author{{\em Lawrence C. Paulson}\\
- Computer Laboratory \\ University of Cambridge \\
- \texttt{lcp@cl.cam.ac.uk}\\[3ex]
- With Contributions by Tobias Nipkow and Markus Wenzel}
-
-\makeindex
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
-
-\pagestyle{headings}
-\sloppy
-\binperiod %%%treat . like a binary operator
-
-\begin{document}
-\underscoreoff
-
-\index{definitions|see{rewriting, meta-level}}
-\index{rewriting!object-level|see{simplification}}
-\index{meta-rules|see{meta-rules}}
-
-\maketitle
-\emph{Note}: this document is part of the earlier Isabelle
-documentation and is mostly outdated. Fully obsolete parts of the
-original text have already been removed. The remaining material
-covers some aspects that did not make it into the newer manuals yet.
-
-\subsubsection*{Acknowledgements}
-Tobias Nipkow, of T. U. Munich, wrote most of
- Chapters~\protect\ref{Defining-Logics} and~\protect\ref{chap:simplification}.
- Markus Wenzel contributed to Chapter~\protect\ref{chap:syntax}.
- Jeremy Dawson, Sara Kalvala, Martin
- Simons and others suggested changes
- and corrections. The research has been funded by the EPSRC (grants
- GR/G53279, GR/H40570, GR/K57381, GR/K77051, GR/M75440) and by ESPRIT
- (projects 3245: Logical Frameworks, and 6453: Types), and by the DFG
- Schwerpunktprogramm \emph{Deduktion}.
-
-\pagenumbering{roman} \tableofcontents \clearfirst
-
-\input{tactic}
-\input{thm}
-\input{syntax}
-\input{substitution}
-\input{simplifier}
-\input{classical}
-
-%%seealso's must be last so that they appear last in the index entries
-\index{meta-rewriting|seealso{tactics, theorems}}
-
-\begingroup
- \bibliographystyle{plain} \small\raggedright\frenchspacing
- \bibliography{manual}
-\endgroup
-
-\printindex
-\end{document}
--- a/doc-src/Ref/document/simplifier.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1032 +0,0 @@
-
-\chapter{Simplification}
-\label{chap:simplification}
-\index{simplification|(}
-
-This chapter describes Isabelle's generic simplification package. It performs
-conditional and unconditional rewriting and uses contextual information
-(`local assumptions'). It provides several general hooks, which can provide
-automatic case splits during rewriting, for example. The simplifier is
-already set up for many of Isabelle's logics: FOL, ZF, HOL, HOLCF.
-
-The first section is a quick introduction to the simplifier that
-should be sufficient to get started. The later sections explain more
-advanced features.
-
-
-\section{Simplification for dummies}
-\label{sec:simp-for-dummies}
-
-Basic use of the simplifier is particularly easy because each theory
-is equipped with sensible default information controlling the rewrite
-process --- namely the implicit {\em current
- simpset}\index{simpset!current}. A suite of simple commands is
-provided that refer to the implicit simpset of the current theory
-context.
-
-\begin{warn}
- Make sure that you are working within the correct theory context.
- Executing proofs interactively, or loading them from ML files
- without associated theories may require setting the current theory
- manually via the \ttindex{context} command.
-\end{warn}
-
-\subsection{Simplification tactics} \label{sec:simp-for-dummies-tacs}
-\begin{ttbox}
-Simp_tac : int -> tactic
-Asm_simp_tac : int -> tactic
-Full_simp_tac : int -> tactic
-Asm_full_simp_tac : int -> tactic
-trace_simp : bool ref \hfill{\bf initially false}
-debug_simp : bool ref \hfill{\bf initially false}
-\end{ttbox}
-
-\begin{ttdescription}
-\item[\ttindexbold{Simp_tac} $i$] simplifies subgoal~$i$ using the
- current simpset. It may solve the subgoal completely if it has
- become trivial, using the simpset's solver tactic.
-
-\item[\ttindexbold{Asm_simp_tac}]\index{assumptions!in simplification}
- is like \verb$Simp_tac$, but extracts additional rewrite rules from
- the local assumptions.
-
-\item[\ttindexbold{Full_simp_tac}] is like \verb$Simp_tac$, but also
- simplifies the assumptions (without using the assumptions to
- simplify each other or the actual goal).
-
-\item[\ttindexbold{Asm_full_simp_tac}] is like \verb$Asm_simp_tac$,
- but also simplifies the assumptions. In particular, assumptions can
- simplify each other.
-\footnote{\texttt{Asm_full_simp_tac} used to process the assumptions from
- left to right. For backwards compatibilty reasons only there is now
- \texttt{Asm_lr_simp_tac} that behaves like the old \texttt{Asm_full_simp_tac}.}
-\item[set \ttindexbold{trace_simp};] makes the simplifier output internal
- operations. This includes rewrite steps, but also bookkeeping like
- modifications of the simpset.
-\item[set \ttindexbold{debug_simp};] makes the simplifier output some extra
- information about internal operations. This includes any attempted
- invocation of simplification procedures.
-\end{ttdescription}
-
-\medskip
-
-As an example, consider the theory of arithmetic in HOL. The (rather trivial)
-goal $0 + (x + 0) = x + 0 + 0$ can be solved by a single call of
-\texttt{Simp_tac} as follows:
-\begin{ttbox}
-context Arith.thy;
-Goal "0 + (x + 0) = x + 0 + 0";
-{\out 1. 0 + (x + 0) = x + 0 + 0}
-by (Simp_tac 1);
-{\out Level 1}
-{\out 0 + (x + 0) = x + 0 + 0}
-{\out No subgoals!}
-\end{ttbox}
-
-The simplifier uses the current simpset of \texttt{Arith.thy}, which
-contains suitable theorems like $\Var{n}+0 = \Var{n}$ and $0+\Var{n} =
-\Var{n}$.
-
-\medskip In many cases, assumptions of a subgoal are also needed in
-the simplification process. For example, \texttt{x = 0 ==> x + x = 0}
-is solved by \texttt{Asm_simp_tac} as follows:
-\begin{ttbox}
-{\out 1. x = 0 ==> x + x = 0}
-by (Asm_simp_tac 1);
-\end{ttbox}
-
-\medskip \texttt{Asm_full_simp_tac} is the most powerful of this quartet
-of tactics but may also loop where some of the others terminate. For
-example,
-\begin{ttbox}
-{\out 1. ALL x. f x = g (f (g x)) ==> f 0 = f 0 + 0}
-\end{ttbox}
-is solved by \texttt{Simp_tac}, but \texttt{Asm_simp_tac} and {\tt
- Asm_full_simp_tac} loop because the rewrite rule $f\,\Var{x} =
-g\,(f\,(g\,\Var{x}))$ extracted from the assumption does not
-terminate. Isabelle notices certain simple forms of nontermination,
-but not this one. Because assumptions may simplify each other, there can be
-very subtle cases of nontermination. For example, invoking
-{\tt Asm_full_simp_tac} on
-\begin{ttbox}
-{\out 1. [| P (f x); y = x; f x = f y |] ==> Q}
-\end{ttbox}
-gives rise to the infinite reduction sequence
-\[
-P\,(f\,x) \stackrel{f\,x = f\,y}{\longmapsto} P\,(f\,y) \stackrel{y = x}{\longmapsto}
-P\,(f\,x) \stackrel{f\,x = f\,y}{\longmapsto} \cdots
-\]
-whereas applying the same tactic to
-\begin{ttbox}
-{\out 1. [| y = x; f x = f y; P (f x) |] ==> Q}
-\end{ttbox}
-terminates.
-
-\medskip
-
-Using the simplifier effectively may take a bit of experimentation.
-Set the \verb$trace_simp$\index{tracing!of simplification} flag to get
-a better idea of what is going on. The resulting output can be
-enormous, especially since invocations of the simplifier are often
-nested (e.g.\ when solving conditions of rewrite rules).
-
-
-\subsection{Modifying the current simpset}
-\begin{ttbox}
-Addsimps : thm list -> unit
-Delsimps : thm list -> unit
-Addsimprocs : simproc list -> unit
-Delsimprocs : simproc list -> unit
-Addcongs : thm list -> unit
-Delcongs : thm list -> unit
-Addsplits : thm list -> unit
-Delsplits : thm list -> unit
-\end{ttbox}
-
-Depending on the theory context, the \texttt{Add} and \texttt{Del}
-functions manipulate basic components of the associated current
-simpset. Internally, all rewrite rules have to be expressed as
-(conditional) meta-equalities. This form is derived automatically
-from object-level equations that are supplied by the user. Another
-source of rewrite rules are \emph{simplification procedures}, that is
-\ML\ functions that produce suitable theorems on demand, depending on
-the current redex. Congruences are a more advanced feature; see
-{\S}\ref{sec:simp-congs}.
-
-\begin{ttdescription}
-
-\item[\ttindexbold{Addsimps} $thms$;] adds rewrite rules derived from
- $thms$ to the current simpset.
-
-\item[\ttindexbold{Delsimps} $thms$;] deletes rewrite rules derived
- from $thms$ from the current simpset.
-
-\item[\ttindexbold{Addsimprocs} $procs$;] adds simplification
- procedures $procs$ to the current simpset.
-
-\item[\ttindexbold{Delsimprocs} $procs$;] deletes simplification
- procedures $procs$ from the current simpset.
-
-\item[\ttindexbold{Addcongs} $thms$;] adds congruence rules to the
- current simpset.
-
-\item[\ttindexbold{Delcongs} $thms$;] deletes congruence rules from the
- current simpset.
-
-\item[\ttindexbold{Addsplits} $thms$;] adds splitting rules to the
- current simpset.
-
-\item[\ttindexbold{Delsplits} $thms$;] deletes splitting rules from the
- current simpset.
-
-\end{ttdescription}
-
-When a new theory is built, its implicit simpset is initialized by the union
-of the respective simpsets of its parent theories. In addition, certain
-theory definition constructs (e.g.\ \ttindex{datatype} and \ttindex{primrec}
-in HOL) implicitly augment the current simpset. Ordinary definitions are not
-added automatically!
-
-It is up the user to manipulate the current simpset further by
-explicitly adding or deleting theorems and simplification procedures.
-
-\medskip
-
-Good simpsets are hard to design. Rules that obviously simplify,
-like $\Var{n}+0 = \Var{n}$, should be added to the current simpset right after
-they have been proved. More specific ones (such as distributive laws, which
-duplicate subterms) should be added only for specific proofs and deleted
-afterwards. Conversely, sometimes a rule needs
-to be removed for a certain proof and restored afterwards. The need of
-frequent additions or deletions may indicate a badly designed
-simpset.
-
-\begin{warn}
- The union of the parent simpsets (as described above) is not always
- a good starting point for the new theory. If some ancestors have
- deleted simplification rules because they are no longer wanted,
- while others have left those rules in, then the union will contain
- the unwanted rules. After this union is formed, changes to
- a parent simpset have no effect on the child simpset.
-\end{warn}
-
-
-\section{Simplification sets}\index{simplification sets}
-
-The simplifier is controlled by information contained in {\bf
- simpsets}. These consist of several components, including rewrite
-rules, simplification procedures, congruence rules, and the subgoaler,
-solver and looper tactics. The simplifier should be set up with
-sensible defaults so that most simplifier calls specify only rewrite
-rules or simplification procedures. Experienced users can exploit the
-other components to streamline proofs in more sophisticated manners.
-
-\subsection{Inspecting simpsets}
-\begin{ttbox}
-print_ss : simpset -> unit
-rep_ss : simpset -> \{mss : meta_simpset,
- subgoal_tac: simpset -> int -> tactic,
- loop_tacs : (string * (int -> tactic))list,
- finish_tac : solver list,
- unsafe_finish_tac : solver list\}
-\end{ttbox}
-\begin{ttdescription}
-
-\item[\ttindexbold{print_ss} $ss$;] displays the printable contents of
- simpset $ss$. This includes the rewrite rules and congruences in
- their internal form expressed as meta-equalities. The names of the
- simplification procedures and the patterns they are invoked on are
- also shown. The other parts, functions and tactics, are
- non-printable.
-
-\item[\ttindexbold{rep_ss} $ss$;] decomposes $ss$ as a record of its internal
- components, namely the meta_simpset, the subgoaler, the loop, and the safe
- and unsafe solvers.
-
-\end{ttdescription}
-
-
-\subsection{Building simpsets}
-\begin{ttbox}
-empty_ss : simpset
-merge_ss : simpset * simpset -> simpset
-\end{ttbox}
-\begin{ttdescription}
-
-\item[\ttindexbold{empty_ss}] is the empty simpset. This is not very useful
- under normal circumstances because it doesn't contain suitable tactics
- (subgoaler etc.). When setting up the simplifier for a particular
- object-logic, one will typically define a more appropriate ``almost empty''
- simpset. For example, in HOL this is called \ttindexbold{HOL_basic_ss}.
-
-\item[\ttindexbold{merge_ss} ($ss@1$, $ss@2$)] merges simpsets $ss@1$
- and $ss@2$ by building the union of their respective rewrite rules,
- simplification procedures and congruences. The other components
- (tactics etc.) cannot be merged, though; they are taken from either
- simpset\footnote{Actually from $ss@1$, but it would unwise to count
- on that.}.
-
-\end{ttdescription}
-
-
-\subsection{Rewrite rules}
-\begin{ttbox}
-addsimps : simpset * thm list -> simpset \hfill{\bf infix 4}
-delsimps : simpset * thm list -> simpset \hfill{\bf infix 4}
-\end{ttbox}
-
-\index{rewrite rules|(} Rewrite rules are theorems expressing some
-form of equality, for example:
-\begin{eqnarray*}
- Suc(\Var{m}) + \Var{n} &=& \Var{m} + Suc(\Var{n}) \\
- \Var{P}\conj\Var{P} &\bimp& \Var{P} \\
- \Var{A} \un \Var{B} &\equiv& \{x.x\in \Var{A} \disj x\in \Var{B}\}
-\end{eqnarray*}
-Conditional rewrites such as $\Var{m}<\Var{n} \Imp \Var{m}/\Var{n} =
-0$ are also permitted; the conditions can be arbitrary formulas.
-
-Internally, all rewrite rules are translated into meta-equalities,
-theorems with conclusion $lhs \equiv rhs$. Each simpset contains a
-function for extracting equalities from arbitrary theorems. For
-example, $\neg(\Var{x}\in \{\})$ could be turned into $\Var{x}\in \{\}
-\equiv False$. This function can be installed using
-\ttindex{setmksimps} but only the definer of a logic should need to do
-this; see {\S}\ref{sec:setmksimps}. The function processes theorems
-added by \texttt{addsimps} as well as local assumptions.
-
-\begin{ttdescription}
-
-\item[$ss$ \ttindexbold{addsimps} $thms$] adds rewrite rules derived
- from $thms$ to the simpset $ss$.
-
-\item[$ss$ \ttindexbold{delsimps} $thms$] deletes rewrite rules
- derived from $thms$ from the simpset $ss$.
-
-\end{ttdescription}
-
-\begin{warn}
- The simplifier will accept all standard rewrite rules: those where
- all unknowns are of base type. Hence ${\Var{i}+(\Var{j}+\Var{k})} =
- {(\Var{i}+\Var{j})+\Var{k}}$ is OK.
-
- It will also deal gracefully with all rules whose left-hand sides
- are so-called {\em higher-order patterns}~\cite{nipkow-patterns}.
- \indexbold{higher-order pattern}\indexbold{pattern, higher-order}
- These are terms in $\beta$-normal form (this will always be the case
- unless you have done something strange) where each occurrence of an
- unknown is of the form $\Var{F}(x@1,\dots,x@n)$, where the $x@i$ are
- distinct bound variables. Hence $(\forall x.\Var{P}(x) \land
- \Var{Q}(x)) \bimp (\forall x.\Var{P}(x)) \land (\forall
- x.\Var{Q}(x))$ is also OK, in both directions.
-
- In some rare cases the rewriter will even deal with quite general
- rules: for example ${\Var{f}(\Var{x})\in range(\Var{f})} = True$
- rewrites $g(a) \in range(g)$ to $True$, but will fail to match
- $g(h(b)) \in range(\lambda x.g(h(x)))$. However, you can replace
- the offending subterms (in our case $\Var{f}(\Var{x})$, which is not
- a pattern) by adding new variables and conditions: $\Var{y} =
- \Var{f}(\Var{x}) \Imp \Var{y}\in range(\Var{f}) = True$ is
- acceptable as a conditional rewrite rule since conditions can be
- arbitrary terms.
-
- There is basically no restriction on the form of the right-hand
- sides. They may not contain extraneous term or type variables,
- though.
-\end{warn}
-\index{rewrite rules|)}
-
-
-\subsection{*The subgoaler}\label{sec:simp-subgoaler}
-\begin{ttbox}
-setsubgoaler :
- simpset * (simpset -> int -> tactic) -> simpset \hfill{\bf infix 4}
-prems_of_ss : simpset -> thm list
-\end{ttbox}
-
-The subgoaler is the tactic used to solve subgoals arising out of
-conditional rewrite rules or congruence rules. The default should be
-simplification itself. Occasionally this strategy needs to be
-changed. For example, if the premise of a conditional rule is an
-instance of its conclusion, as in $Suc(\Var{m}) < \Var{n} \Imp \Var{m}
-< \Var{n}$, the default strategy could loop.
-
-\begin{ttdescription}
-
-\item[$ss$ \ttindexbold{setsubgoaler} $tacf$] sets the subgoaler of
- $ss$ to $tacf$. The function $tacf$ will be applied to the current
- simplifier context expressed as a simpset.
-
-\item[\ttindexbold{prems_of_ss} $ss$] retrieves the current set of
- premises from simplifier context $ss$. This may be non-empty only
- if the simplifier has been told to utilize local assumptions in the
- first place, e.g.\ if invoked via \texttt{asm_simp_tac}.
-
-\end{ttdescription}
-
-As an example, consider the following subgoaler:
-\begin{ttbox}
-fun subgoaler ss =
- assume_tac ORELSE'
- resolve_tac (prems_of_ss ss) ORELSE'
- asm_simp_tac ss;
-\end{ttbox}
-This tactic first tries to solve the subgoal by assumption or by
-resolving with with one of the premises, calling simplification only
-if that fails.
-
-
-\subsection{*The solver}\label{sec:simp-solver}
-\begin{ttbox}
-mk_solver : string -> (thm list -> int -> tactic) -> solver
-setSolver : simpset * solver -> simpset \hfill{\bf infix 4}
-addSolver : simpset * solver -> simpset \hfill{\bf infix 4}
-setSSolver : simpset * solver -> simpset \hfill{\bf infix 4}
-addSSolver : simpset * solver -> simpset \hfill{\bf infix 4}
-\end{ttbox}
-
-A solver is a tactic that attempts to solve a subgoal after
-simplification. Typically it just proves trivial subgoals such as
-\texttt{True} and $t=t$. It could use sophisticated means such as {\tt
- blast_tac}, though that could make simplification expensive.
-To keep things more abstract, solvers are packaged up in type
-\texttt{solver}. The only way to create a solver is via \texttt{mk_solver}.
-
-Rewriting does not instantiate unknowns. For example, rewriting
-cannot prove $a\in \Var{A}$ since this requires
-instantiating~$\Var{A}$. The solver, however, is an arbitrary tactic
-and may instantiate unknowns as it pleases. This is the only way the
-simplifier can handle a conditional rewrite rule whose condition
-contains extra variables. When a simplification tactic is to be
-combined with other provers, especially with the classical reasoner,
-it is important whether it can be considered safe or not. For this
-reason a simpset contains two solvers, a safe and an unsafe one.
-
-The standard simplification strategy solely uses the unsafe solver,
-which is appropriate in most cases. For special applications where
-the simplification process is not allowed to instantiate unknowns
-within the goal, simplification starts with the safe solver, but may
-still apply the ordinary unsafe one in nested simplifications for
-conditional rules or congruences. Note that in this way the overall
-tactic is not totally safe: it may instantiate unknowns that appear also
-in other subgoals.
-
-\begin{ttdescription}
-\item[\ttindexbold{mk_solver} $s$ $tacf$] converts $tacf$ into a new solver;
- the string $s$ is only attached as a comment and has no other significance.
-
-\item[$ss$ \ttindexbold{setSSolver} $tacf$] installs $tacf$ as the
- \emph{safe} solver of $ss$.
-
-\item[$ss$ \ttindexbold{addSSolver} $tacf$] adds $tacf$ as an
- additional \emph{safe} solver; it will be tried after the solvers
- which had already been present in $ss$.
-
-\item[$ss$ \ttindexbold{setSolver} $tacf$] installs $tacf$ as the
- unsafe solver of $ss$.
-
-\item[$ss$ \ttindexbold{addSolver} $tacf$] adds $tacf$ as an
- additional unsafe solver; it will be tried after the solvers which
- had already been present in $ss$.
-
-\end{ttdescription}
-
-\medskip
-
-\index{assumptions!in simplification} The solver tactic is invoked
-with a list of theorems, namely assumptions that hold in the local
-context. This may be non-empty only if the simplifier has been told
-to utilize local assumptions in the first place, e.g.\ if invoked via
-\texttt{asm_simp_tac}. The solver is also presented the full goal
-including its assumptions in any case. Thus it can use these (e.g.\
-by calling \texttt{assume_tac}), even if the list of premises is not
-passed.
-
-\medskip
-
-As explained in {\S}\ref{sec:simp-subgoaler}, the subgoaler is also used
-to solve the premises of congruence rules. These are usually of the
-form $s = \Var{x}$, where $s$ needs to be simplified and $\Var{x}$
-needs to be instantiated with the result. Typically, the subgoaler
-will invoke the simplifier at some point, which will eventually call
-the solver. For this reason, solver tactics must be prepared to solve
-goals of the form $t = \Var{x}$, usually by reflexivity. In
-particular, reflexivity should be tried before any of the fancy
-tactics like \texttt{blast_tac}.
-
-It may even happen that due to simplification the subgoal is no longer
-an equality. For example $False \bimp \Var{Q}$ could be rewritten to
-$\neg\Var{Q}$. To cover this case, the solver could try resolving
-with the theorem $\neg False$.
-
-\medskip
-
-\begin{warn}
- If a premise of a congruence rule cannot be proved, then the
- congruence is ignored. This should only happen if the rule is
- \emph{conditional} --- that is, contains premises not of the form $t
- = \Var{x}$; otherwise it indicates that some congruence rule, or
- possibly the subgoaler or solver, is faulty.
-\end{warn}
-
-
-\subsection{*The looper}\label{sec:simp-looper}
-\begin{ttbox}
-setloop : simpset * (int -> tactic) -> simpset \hfill{\bf infix 4}
-addloop : simpset * (string * (int -> tactic)) -> simpset \hfill{\bf infix 4}
-delloop : simpset * string -> simpset \hfill{\bf infix 4}
-addsplits : simpset * thm list -> simpset \hfill{\bf infix 4}
-delsplits : simpset * thm list -> simpset \hfill{\bf infix 4}
-\end{ttbox}
-
-The looper is a list of tactics that are applied after simplification, in case
-the solver failed to solve the simplified goal. If the looper
-succeeds, the simplification process is started all over again. Each
-of the subgoals generated by the looper is attacked in turn, in
-reverse order.
-
-A typical looper is \index{case splitting}: the expansion of a conditional.
-Another possibility is to apply an elimination rule on the
-assumptions. More adventurous loopers could start an induction.
-
-\begin{ttdescription}
-
-\item[$ss$ \ttindexbold{setloop} $tacf$] installs $tacf$ as the only looper
- tactic of $ss$.
-
-\item[$ss$ \ttindexbold{addloop} $(name,tacf)$] adds $tacf$ as an additional
- looper tactic with name $name$; it will be tried after the looper tactics
- that had already been present in $ss$.
-
-\item[$ss$ \ttindexbold{delloop} $name$] deletes the looper tactic $name$
- from $ss$.
-
-\item[$ss$ \ttindexbold{addsplits} $thms$] adds
- split tactics for $thms$ as additional looper tactics of $ss$.
-
-\item[$ss$ \ttindexbold{addsplits} $thms$] deletes the
- split tactics for $thms$ from the looper tactics of $ss$.
-
-\end{ttdescription}
-
-The splitter replaces applications of a given function; the right-hand side
-of the replacement can be anything. For example, here is a splitting rule
-for conditional expressions:
-\[ \Var{P}(if(\Var{Q},\Var{x},\Var{y})) \bimp (\Var{Q} \imp \Var{P}(\Var{x}))
-\conj (\neg\Var{Q} \imp \Var{P}(\Var{y}))
-\]
-Another example is the elimination operator for Cartesian products (which
-happens to be called~$split$):
-\[ \Var{P}(split(\Var{f},\Var{p})) \bimp (\forall a~b. \Var{p} =
-\langle a,b\rangle \imp \Var{P}(\Var{f}(a,b)))
-\]
-
-For technical reasons, there is a distinction between case splitting in the
-conclusion and in the premises of a subgoal. The former is done by
-\texttt{split_tac} with rules like \texttt{split_if} or \texttt{option.split},
-which do not split the subgoal, while the latter is done by
-\texttt{split_asm_tac} with rules like \texttt{split_if_asm} or
-\texttt{option.split_asm}, which split the subgoal.
-The operator \texttt{addsplits} automatically takes care of which tactic to
-call, analyzing the form of the rules given as argument.
-\begin{warn}
-Due to \texttt{split_asm_tac}, the simplifier may split subgoals!
-\end{warn}
-
-Case splits should be allowed only when necessary; they are expensive
-and hard to control. Here is an example of use, where \texttt{split_if}
-is the first rule above:
-\begin{ttbox}
-by (simp_tac (simpset()
- addloop ("split if", split_tac [split_if])) 1);
-\end{ttbox}
-Users would usually prefer the following shortcut using \texttt{addsplits}:
-\begin{ttbox}
-by (simp_tac (simpset() addsplits [split_if]) 1);
-\end{ttbox}
-Case-splitting on conditional expressions is usually beneficial, so it is
-enabled by default in the object-logics \texttt{HOL} and \texttt{FOL}.
-
-
-\section{The simplification tactics}\label{simp-tactics}
-\index{simplification!tactics}\index{tactics!simplification}
-\begin{ttbox}
-generic_simp_tac : bool -> bool * bool * bool ->
- simpset -> int -> tactic
-simp_tac : simpset -> int -> tactic
-asm_simp_tac : simpset -> int -> tactic
-full_simp_tac : simpset -> int -> tactic
-asm_full_simp_tac : simpset -> int -> tactic
-safe_asm_full_simp_tac : simpset -> int -> tactic
-\end{ttbox}
-
-\texttt{generic_simp_tac} is the basic tactic that is underlying any actual
-simplification work. The others are just instantiations of it. The rewriting
-strategy is always strictly bottom up, except for congruence rules,
-which are applied while descending into a term. Conditions in conditional
-rewrite rules are solved recursively before the rewrite rule is applied.
-
-\begin{ttdescription}
-
-\item[\ttindexbold{generic_simp_tac} $safe$ ($simp\_asm$, $use\_asm$, $mutual$)]
- gives direct access to the various simplification modes:
- \begin{itemize}
- \item if $safe$ is {\tt true}, the safe solver is used as explained in
- {\S}\ref{sec:simp-solver},
- \item $simp\_asm$ determines whether the local assumptions are simplified,
- \item $use\_asm$ determines whether the assumptions are used as local rewrite
- rules, and
- \item $mutual$ determines whether assumptions can simplify each other rather
- than being processed from left to right.
- \end{itemize}
- This generic interface is intended
- for building special tools, e.g.\ for combining the simplifier with the
- classical reasoner. It is rarely used directly.
-
-\item[\ttindexbold{simp_tac}, \ttindexbold{asm_simp_tac},
- \ttindexbold{full_simp_tac}, \ttindexbold{asm_full_simp_tac}] are
- the basic simplification tactics that work exactly like their
- namesakes in {\S}\ref{sec:simp-for-dummies}, except that they are
- explicitly supplied with a simpset.
-
-\end{ttdescription}
-
-\medskip
-
-Local modifications of simpsets within a proof are often much cleaner
-by using above tactics in conjunction with explicit simpsets, rather
-than their capitalized counterparts. For example
-\begin{ttbox}
-Addsimps \(thms\);
-by (Simp_tac \(i\));
-Delsimps \(thms\);
-\end{ttbox}
-can be expressed more appropriately as
-\begin{ttbox}
-by (simp_tac (simpset() addsimps \(thms\)) \(i\));
-\end{ttbox}
-
-\medskip
-
-Also note that functions depending implicitly on the current theory
-context (like capital \texttt{Simp_tac} and the other commands of
-{\S}\ref{sec:simp-for-dummies}) should be considered harmful outside of
-actual proof scripts. In particular, ML programs like theory
-definition packages or special tactics should refer to simpsets only
-explicitly, via the above tactics used in conjunction with
-\texttt{simpset_of} or the \texttt{SIMPSET} tacticals.
-
-
-\section{Forward rules and conversions}
-\index{simplification!forward rules}\index{simplification!conversions}
-\begin{ttbox}\index{*simplify}\index{*asm_simplify}\index{*full_simplify}\index{*asm_full_simplify}\index{*Simplifier.rewrite}\index{*Simplifier.asm_rewrite}\index{*Simplifier.full_rewrite}\index{*Simplifier.asm_full_rewrite}
-simplify : simpset -> thm -> thm
-asm_simplify : simpset -> thm -> thm
-full_simplify : simpset -> thm -> thm
-asm_full_simplify : simpset -> thm -> thm\medskip
-Simplifier.rewrite : simpset -> cterm -> thm
-Simplifier.asm_rewrite : simpset -> cterm -> thm
-Simplifier.full_rewrite : simpset -> cterm -> thm
-Simplifier.asm_full_rewrite : simpset -> cterm -> thm
-\end{ttbox}
-
-The first four of these functions provide \emph{forward} rules for
-simplification. Their effect is analogous to the corresponding
-tactics described in {\S}\ref{simp-tactics}, but affect the whole
-theorem instead of just a certain subgoal. Also note that the
-looper~/ solver process as described in {\S}\ref{sec:simp-looper} and
-{\S}\ref{sec:simp-solver} is omitted in forward simplification.
-
-The latter four are \emph{conversions}, establishing proven equations
-of the form $t \equiv u$ where the l.h.s.\ $t$ has been given as
-argument.
-
-\begin{warn}
- Forward simplification rules and conversions should be used rarely
- in ordinary proof scripts. The main intention is to provide an
- internal interface to the simplifier for special utilities.
-\end{warn}
-
-
-\section{Permutative rewrite rules}
-\index{rewrite rules!permutative|(}
-
-A rewrite rule is {\bf permutative} if the left-hand side and right-hand
-side are the same up to renaming of variables. The most common permutative
-rule is commutativity: $x+y = y+x$. Other examples include $(x-y)-z =
-(x-z)-y$ in arithmetic and $insert(x,insert(y,A)) = insert(y,insert(x,A))$
-for sets. Such rules are common enough to merit special attention.
-
-Because ordinary rewriting loops given such rules, the simplifier
-employs a special strategy, called {\bf ordered
- rewriting}\index{rewriting!ordered}. There is a standard
-lexicographic ordering on terms. This should be perfectly OK in most
-cases, but can be changed for special applications.
-
-\begin{ttbox}
-settermless : simpset * (term * term -> bool) -> simpset \hfill{\bf infix 4}
-\end{ttbox}
-\begin{ttdescription}
-
-\item[$ss$ \ttindexbold{settermless} $rel$] installs relation $rel$ as
- term order in simpset $ss$.
-
-\end{ttdescription}
-
-\medskip
-
-A permutative rewrite rule is applied only if it decreases the given
-term with respect to this ordering. For example, commutativity
-rewrites~$b+a$ to $a+b$, but then stops because $a+b$ is strictly less
-than $b+a$. The Boyer-Moore theorem prover~\cite{bm88book} also
-employs ordered rewriting.
-
-Permutative rewrite rules are added to simpsets just like other
-rewrite rules; the simplifier recognizes their special status
-automatically. They are most effective in the case of
-associative-commutative operators. (Associativity by itself is not
-permutative.) When dealing with an AC-operator~$f$, keep the
-following points in mind:
-\begin{itemize}\index{associative-commutative operators}
-
-\item The associative law must always be oriented from left to right,
- namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
- used with commutativity, leads to looping in conjunction with the
- standard term order.
-
-\item To complete your set of rewrite rules, you must add not just
- associativity~(A) and commutativity~(C) but also a derived rule, {\bf
- left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
-\end{itemize}
-Ordered rewriting with the combination of A, C, and~LC sorts a term
-lexicographically:
-\[\def\maps#1{\stackrel{#1}{\longmapsto}}
- (b+c)+a \maps{A} b+(c+a) \maps{C} b+(a+c) \maps{LC} a+(b+c) \]
-Martin and Nipkow~\cite{martin-nipkow} discuss the theory and give many
-examples; other algebraic structures are amenable to ordered rewriting,
-such as boolean rings.
-
-\subsection{Example: sums of natural numbers}
-
-This example is again set in HOL (see \texttt{HOL/ex/NatSum}). Theory
-\thydx{Arith} contains natural numbers arithmetic. Its associated simpset
-contains many arithmetic laws including distributivity of~$\times$ over~$+$,
-while \texttt{add_ac} is a list consisting of the A, C and LC laws for~$+$ on
-type \texttt{nat}. Let us prove the theorem
-\[ \sum@{i=1}^n i = n\times(n+1)/2. \]
-%
-A functional~\texttt{sum} represents the summation operator under the
-interpretation $\texttt{sum} \, f \, (n + 1) = \sum@{i=0}^n f\,i$. We
-extend \texttt{Arith} as follows:
-\begin{ttbox}
-NatSum = Arith +
-consts sum :: [nat=>nat, nat] => nat
-primrec
- "sum f 0 = 0"
- "sum f (Suc n) = f(n) + sum f n"
-end
-\end{ttbox}
-The \texttt{primrec} declaration automatically adds rewrite rules for
-\texttt{sum} to the default simpset. We now remove the
-\texttt{nat_cancel} simplification procedures (in order not to spoil
-the example) and insert the AC-rules for~$+$:
-\begin{ttbox}
-Delsimprocs nat_cancel;
-Addsimps add_ac;
-\end{ttbox}
-Our desired theorem now reads $\texttt{sum} \, (\lambda i.i) \, (n+1) =
-n\times(n+1)/2$. The Isabelle goal has both sides multiplied by~$2$:
-\begin{ttbox}
-Goal "2 * sum (\%i.i) (Suc n) = n * Suc n";
-{\out Level 0}
-{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
-{\out 1. 2 * sum (\%i. i) (Suc n) = n * Suc n}
-\end{ttbox}
-Induction should not be applied until the goal is in the simplest
-form:
-\begin{ttbox}
-by (Simp_tac 1);
-{\out Level 1}
-{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
-{\out 1. n + (sum (\%i. i) n + sum (\%i. i) n) = n * n}
-\end{ttbox}
-Ordered rewriting has sorted the terms in the left-hand side. The
-subgoal is now ready for induction:
-\begin{ttbox}
-by (induct_tac "n" 1);
-{\out Level 2}
-{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
-{\out 1. 0 + (sum (\%i. i) 0 + sum (\%i. i) 0) = 0 * 0}
-\ttbreak
-{\out 2. !!n. n + (sum (\%i. i) n + sum (\%i. i) n) = n * n}
-{\out ==> Suc n + (sum (\%i. i) (Suc n) + sum (\%i.\,i) (Suc n)) =}
-{\out Suc n * Suc n}
-\end{ttbox}
-Simplification proves both subgoals immediately:\index{*ALLGOALS}
-\begin{ttbox}
-by (ALLGOALS Asm_simp_tac);
-{\out Level 3}
-{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
-{\out No subgoals!}
-\end{ttbox}
-Simplification cannot prove the induction step if we omit \texttt{add_ac} from
-the simpset. Observe that like terms have not been collected:
-\begin{ttbox}
-{\out Level 3}
-{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
-{\out 1. !!n. n + sum (\%i. i) n + (n + sum (\%i. i) n) = n + n * n}
-{\out ==> n + (n + sum (\%i. i) n) + (n + (n + sum (\%i.\,i) n)) =}
-{\out n + (n + (n + n * n))}
-\end{ttbox}
-Ordered rewriting proves this by sorting the left-hand side. Proving
-arithmetic theorems without ordered rewriting requires explicit use of
-commutativity. This is tedious; try it and see!
-
-Ordered rewriting is equally successful in proving
-$\sum@{i=1}^n i^3 = n^2\times(n+1)^2/4$.
-
-
-\subsection{Re-orienting equalities}
-Ordered rewriting with the derived rule \texttt{symmetry} can reverse
-equations:
-\begin{ttbox}
-val symmetry = prove_goal HOL.thy "(x=y) = (y=x)"
- (fn _ => [Blast_tac 1]);
-\end{ttbox}
-This is frequently useful. Assumptions of the form $s=t$, where $t$ occurs
-in the conclusion but not~$s$, can often be brought into the right form.
-For example, ordered rewriting with \texttt{symmetry} can prove the goal
-\[ f(a)=b \conj f(a)=c \imp b=c. \]
-Here \texttt{symmetry} reverses both $f(a)=b$ and $f(a)=c$
-because $f(a)$ is lexicographically greater than $b$ and~$c$. These
-re-oriented equations, as rewrite rules, replace $b$ and~$c$ in the
-conclusion by~$f(a)$.
-
-Another example is the goal $\neg(t=u) \imp \neg(u=t)$.
-The differing orientations make this appear difficult to prove. Ordered
-rewriting with \texttt{symmetry} makes the equalities agree. (Without
-knowing more about~$t$ and~$u$ we cannot say whether they both go to $t=u$
-or~$u=t$.) Then the simplifier can prove the goal outright.
-
-\index{rewrite rules!permutative|)}
-
-
-\section{*Setting up the Simplifier}\label{sec:setting-up-simp}
-\index{simplification!setting up}
-
-Setting up the simplifier for new logics is complicated in the general case.
-This section describes how the simplifier is installed for intuitionistic
-first-order logic; the code is largely taken from {\tt FOL/simpdata.ML} of the
-Isabelle sources.
-
-The case splitting tactic, which resides on a separate files, is not part of
-Pure Isabelle. It needs to be loaded explicitly by the object-logic as
-follows (below \texttt{\~\relax\~\relax} refers to \texttt{\$ISABELLE_HOME}):
-\begin{ttbox}
-use "\~\relax\~\relax/src/Provers/splitter.ML";
-\end{ttbox}
-
-Simplification requires converting object-equalities to meta-level rewrite
-rules. This demands rules stating that equal terms and equivalent formulae
-are also equal at the meta-level. The rule declaration part of the file
-\texttt{FOL/IFOL.thy} contains the two lines
-\begin{ttbox}\index{*eq_reflection theorem}\index{*iff_reflection theorem}
-eq_reflection "(x=y) ==> (x==y)"
-iff_reflection "(P<->Q) ==> (P==Q)"
-\end{ttbox}
-Of course, you should only assert such rules if they are true for your
-particular logic. In Constructive Type Theory, equality is a ternary
-relation of the form $a=b\in A$; the type~$A$ determines the meaning
-of the equality essentially as a partial equivalence relation. The
-present simplifier cannot be used. Rewriting in \texttt{CTT} uses
-another simplifier, which resides in the file {\tt
- Provers/typedsimp.ML} and is not documented. Even this does not
-work for later variants of Constructive Type Theory that use
-intensional equality~\cite{nordstrom90}.
-
-
-\subsection{A collection of standard rewrite rules}
-
-We first prove lots of standard rewrite rules about the logical
-connectives. These include cancellation and associative laws. We
-define a function that echoes the desired law and then supplies it the
-prover for intuitionistic FOL:
-\begin{ttbox}
-fun int_prove_fun s =
- (writeln s;
- prove_goal IFOL.thy s
- (fn prems => [ (cut_facts_tac prems 1),
- (IntPr.fast_tac 1) ]));
-\end{ttbox}
-The following rewrite rules about conjunction are a selection of those
-proved on \texttt{FOL/simpdata.ML}. Later, these will be supplied to the
-standard simpset.
-\begin{ttbox}
-val conj_simps = map int_prove_fun
- ["P & True <-> P", "True & P <-> P",
- "P & False <-> False", "False & P <-> False",
- "P & P <-> P",
- "P & ~P <-> False", "~P & P <-> False",
- "(P & Q) & R <-> P & (Q & R)"];
-\end{ttbox}
-The file also proves some distributive laws. As they can cause exponential
-blowup, they will not be included in the standard simpset. Instead they
-are merely bound to an \ML{} identifier, for user reference.
-\begin{ttbox}
-val distrib_simps = map int_prove_fun
- ["P & (Q | R) <-> P&Q | P&R",
- "(Q | R) & P <-> Q&P | R&P",
- "(P | Q --> R) <-> (P --> R) & (Q --> R)"];
-\end{ttbox}
-
-
-\subsection{Functions for preprocessing the rewrite rules}
-\label{sec:setmksimps}
-\begin{ttbox}\indexbold{*setmksimps}
-setmksimps : simpset * (thm -> thm list) -> simpset \hfill{\bf infix 4}
-\end{ttbox}
-The next step is to define the function for preprocessing rewrite rules.
-This will be installed by calling \texttt{setmksimps} below. Preprocessing
-occurs whenever rewrite rules are added, whether by user command or
-automatically. Preprocessing involves extracting atomic rewrites at the
-object-level, then reflecting them to the meta-level.
-
-To start, the function \texttt{gen_all} strips any meta-level
-quantifiers from the front of the given theorem.
-
-The function \texttt{atomize} analyses a theorem in order to extract
-atomic rewrite rules. The head of all the patterns, matched by the
-wildcard~\texttt{_}, is the coercion function \texttt{Trueprop}.
-\begin{ttbox}
-fun atomize th = case concl_of th of
- _ $ (Const("op &",_) $ _ $ _) => atomize(th RS conjunct1) \at
- atomize(th RS conjunct2)
- | _ $ (Const("op -->",_) $ _ $ _) => atomize(th RS mp)
- | _ $ (Const("All",_) $ _) => atomize(th RS spec)
- | _ $ (Const("True",_)) => []
- | _ $ (Const("False",_)) => []
- | _ => [th];
-\end{ttbox}
-There are several cases, depending upon the form of the conclusion:
-\begin{itemize}
-\item Conjunction: extract rewrites from both conjuncts.
-\item Implication: convert $P\imp Q$ to the meta-implication $P\Imp Q$ and
- extract rewrites from~$Q$; these will be conditional rewrites with the
- condition~$P$.
-\item Universal quantification: remove the quantifier, replacing the bound
- variable by a schematic variable, and extract rewrites from the body.
-\item \texttt{True} and \texttt{False} contain no useful rewrites.
-\item Anything else: return the theorem in a singleton list.
-\end{itemize}
-The resulting theorems are not literally atomic --- they could be
-disjunctive, for example --- but are broken down as much as possible.
-See the file \texttt{ZF/simpdata.ML} for a sophisticated translation of
-set-theoretic formulae into rewrite rules.
-
-For standard situations like the above,
-there is a generic auxiliary function \ttindexbold{mk_atomize} that takes a
-list of pairs $(name, thms)$, where $name$ is an operator name and
-$thms$ is a list of theorems to resolve with in case the pattern matches,
-and returns a suitable \texttt{atomize} function.
-
-
-The simplified rewrites must now be converted into meta-equalities. The
-rule \texttt{eq_reflection} converts equality rewrites, while {\tt
- iff_reflection} converts if-and-only-if rewrites. The latter possibility
-can arise in two other ways: the negative theorem~$\neg P$ is converted to
-$P\equiv\texttt{False}$, and any other theorem~$P$ is converted to
-$P\equiv\texttt{True}$. The rules \texttt{iff_reflection_F} and {\tt
- iff_reflection_T} accomplish this conversion.
-\begin{ttbox}
-val P_iff_F = int_prove_fun "~P ==> (P <-> False)";
-val iff_reflection_F = P_iff_F RS iff_reflection;
-\ttbreak
-val P_iff_T = int_prove_fun "P ==> (P <-> True)";
-val iff_reflection_T = P_iff_T RS iff_reflection;
-\end{ttbox}
-The function \texttt{mk_eq} converts a theorem to a meta-equality
-using the case analysis described above.
-\begin{ttbox}
-fun mk_eq th = case concl_of th of
- _ $ (Const("op =",_)$_$_) => th RS eq_reflection
- | _ $ (Const("op <->",_)$_$_) => th RS iff_reflection
- | _ $ (Const("Not",_)$_) => th RS iff_reflection_F
- | _ => th RS iff_reflection_T;
-\end{ttbox}
-The
-three functions \texttt{gen_all}, \texttt{atomize} and \texttt{mk_eq}
-will be composed together and supplied below to \texttt{setmksimps}.
-
-
-\subsection{Making the initial simpset}
-
-It is time to assemble these items. The list \texttt{IFOL_simps} contains the
-default rewrite rules for intuitionistic first-order logic. The first of
-these is the reflexive law expressed as the equivalence
-$(a=a)\bimp\texttt{True}$; the rewrite rule $a=a$ is clearly useless.
-\begin{ttbox}
-val IFOL_simps =
- [refl RS P_iff_T] \at conj_simps \at disj_simps \at not_simps \at
- imp_simps \at iff_simps \at quant_simps;
-\end{ttbox}
-The list \texttt{triv_rls} contains trivial theorems for the solver. Any
-subgoal that is simplified to one of these will be removed.
-\begin{ttbox}
-val notFalseI = int_prove_fun "~False";
-val triv_rls = [TrueI,refl,iff_refl,notFalseI];
-\end{ttbox}
-We also define the function \ttindex{mk_meta_cong} to convert the conclusion
-of congruence rules into meta-equalities.
-\begin{ttbox}
-fun mk_meta_cong rl = standard (mk_meta_eq (mk_meta_prems rl));
-\end{ttbox}
-%
-The basic simpset for intuitionistic FOL is \ttindexbold{FOL_basic_ss}. It
-preprocess rewrites using
-{\tt gen_all}, \texttt{atomize} and \texttt{mk_eq}.
-It solves simplified subgoals using \texttt{triv_rls} and assumptions, and by
-detecting contradictions. It uses \ttindex{asm_simp_tac} to tackle subgoals
-of conditional rewrites.
-
-Other simpsets built from \texttt{FOL_basic_ss} will inherit these items.
-In particular, \ttindexbold{IFOL_ss}, which introduces {\tt
- IFOL_simps} as rewrite rules. \ttindexbold{FOL_ss} will later
-extend \texttt{IFOL_ss} with classical rewrite rules such as $\neg\neg
-P\bimp P$.
-\index{*setmksimps}\index{*setSSolver}\index{*setSolver}\index{*setsubgoaler}
-\index{*addsimps}\index{*addcongs}
-\begin{ttbox}
-fun unsafe_solver prems = FIRST'[resolve_tac (triv_rls {\at} prems),
- atac, etac FalseE];
-
-fun safe_solver prems = FIRST'[match_tac (triv_rls {\at} prems),
- eq_assume_tac, ematch_tac [FalseE]];
-
-val FOL_basic_ss =
- empty_ss setsubgoaler asm_simp_tac
- addsimprocs [defALL_regroup, defEX_regroup]
- setSSolver safe_solver
- setSolver unsafe_solver
- setmksimps (map mk_eq o atomize o gen_all)
- setmkcong mk_meta_cong;
-
-val IFOL_ss =
- FOL_basic_ss addsimps (IFOL_simps {\at}
- int_ex_simps {\at} int_all_simps)
- addcongs [imp_cong];
-\end{ttbox}
-This simpset takes \texttt{imp_cong} as a congruence rule in order to use
-contextual information to simplify the conclusions of implications:
-\[ \List{\Var{P}\bimp\Var{P'};\; \Var{P'} \Imp \Var{Q}\bimp\Var{Q'}} \Imp
- (\Var{P}\imp\Var{Q}) \bimp (\Var{P'}\imp\Var{Q'})
-\]
-By adding the congruence rule \texttt{conj_cong}, we could obtain a similar
-effect for conjunctions.
-
-
-\index{simplification|)}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/document/substitution.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,217 +0,0 @@
-
-\chapter{Substitution Tactics} \label{substitution}
-\index{tactics!substitution|(}\index{equality|(}
-
-Replacing equals by equals is a basic form of reasoning. Isabelle supports
-several kinds of equality reasoning. {\bf Substitution} means replacing
-free occurrences of~$t$ by~$u$ in a subgoal. This is easily done, given an
-equality $t=u$, provided the logic possesses the appropriate rule. The
-tactic \texttt{hyp_subst_tac} performs substitution even in the assumptions.
-But it works via object-level implication, and therefore must be specially
-set up for each suitable object-logic.
-
-Substitution should not be confused with object-level {\bf rewriting}.
-Given equalities of the form $t=u$, rewriting replaces instances of~$t$ by
-corresponding instances of~$u$, and continues until it reaches a normal
-form. Substitution handles `one-off' replacements by particular
-equalities while rewriting handles general equations.
-Chapter~\ref{chap:simplification} discusses Isabelle's rewriting tactics.
-
-
-\section{Substitution rules}
-\index{substitution!rules}\index{*subst theorem}
-Many logics include a substitution rule of the form
-$$
-\List{\Var{a}=\Var{b}; \Var{P}(\Var{a})} \Imp
-\Var{P}(\Var{b}) \eqno(subst)
-$$
-In backward proof, this may seem difficult to use: the conclusion
-$\Var{P}(\Var{b})$ admits far too many unifiers. But, if the theorem {\tt
-eqth} asserts $t=u$, then \hbox{\tt eqth RS subst} is the derived rule
-\[ \Var{P}(t) \Imp \Var{P}(u). \]
-Provided $u$ is not an unknown, resolution with this rule is
-well-behaved.\footnote{Unifying $\Var{P}(u)$ with a formula~$Q$
-expresses~$Q$ in terms of its dependence upon~$u$. There are still $2^k$
-unifiers, if $Q$ has $k$ occurrences of~$u$, but Isabelle ensures that
-the first unifier includes all the occurrences.} To replace $u$ by~$t$ in
-subgoal~$i$, use
-\begin{ttbox}
-resolve_tac [eqth RS subst] \(i\){\it.}
-\end{ttbox}
-To replace $t$ by~$u$ in
-subgoal~$i$, use
-\begin{ttbox}
-resolve_tac [eqth RS ssubst] \(i\){\it,}
-\end{ttbox}
-where \tdxbold{ssubst} is the `swapped' substitution rule
-$$
-\List{\Var{a}=\Var{b}; \Var{P}(\Var{b})} \Imp
-\Var{P}(\Var{a}). \eqno(ssubst)
-$$
-If \tdx{sym} denotes the symmetry rule
-\(\Var{a}=\Var{b}\Imp\Var{b}=\Var{a}\), then \texttt{ssubst} is just
-\hbox{\tt sym RS subst}. Many logics with equality include the rules {\tt
-subst} and \texttt{ssubst}, as well as \texttt{refl}, \texttt{sym} and \texttt{trans}
-(for the usual equality laws). Examples include \texttt{FOL} and \texttt{HOL},
-but not \texttt{CTT} (Constructive Type Theory).
-
-Elim-resolution is well-behaved with assumptions of the form $t=u$.
-To replace $u$ by~$t$ or $t$ by~$u$ in subgoal~$i$, use
-\begin{ttbox}
-eresolve_tac [subst] \(i\) {\rm or} eresolve_tac [ssubst] \(i\){\it.}
-\end{ttbox}
-
-Logics HOL, FOL and ZF define the tactic \ttindexbold{stac} by
-\begin{ttbox}
-fun stac eqth = CHANGED o rtac (eqth RS ssubst);
-\end{ttbox}
-Now \texttt{stac~eqth} is like \texttt{resolve_tac [eqth RS ssubst]} but with the
-valuable property of failing if the substitution has no effect.
-
-
-\section{Substitution in the hypotheses}
-\index{assumptions!substitution in}
-Substitution rules, like other rules of natural deduction, do not affect
-the assumptions. This can be inconvenient. Consider proving the subgoal
-\[ \List{c=a; c=b} \Imp a=b. \]
-Calling \texttt{eresolve_tac\ts[ssubst]\ts\(i\)} simply discards the
-assumption~$c=a$, since $c$ does not occur in~$a=b$. Of course, we can
-work out a solution. First apply \texttt{eresolve_tac\ts[subst]\ts\(i\)},
-replacing~$a$ by~$c$:
-\[ c=b \Imp c=b \]
-Equality reasoning can be difficult, but this trivial proof requires
-nothing more sophisticated than substitution in the assumptions.
-Object-logics that include the rule~$(subst)$ provide tactics for this
-purpose:
-\begin{ttbox}
-hyp_subst_tac : int -> tactic
-bound_hyp_subst_tac : int -> tactic
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{hyp_subst_tac} {\it i}]
- selects an equality assumption of the form $t=u$ or $u=t$, where $t$ is a
- free variable or parameter. Deleting this assumption, it replaces $t$
- by~$u$ throughout subgoal~$i$, including the other assumptions.
-
-\item[\ttindexbold{bound_hyp_subst_tac} {\it i}]
- is similar but only substitutes for parameters (bound variables).
- Uses for this are discussed below.
-\end{ttdescription}
-The term being replaced must be a free variable or parameter. Substitution
-for constants is usually unhelpful, since they may appear in other
-theorems. For instance, the best way to use the assumption $0=1$ is to
-contradict a theorem that states $0\not=1$, rather than to replace 0 by~1
-in the subgoal!
-
-Substitution for unknowns, such as $\Var{x}=0$, is a bad idea: we might prove
-the subgoal more easily by instantiating~$\Var{x}$ to~1.
-Substitution for free variables is unhelpful if they appear in the
-premises of a rule being derived: the substitution affects object-level
-assumptions, not meta-level assumptions. For instance, replacing~$a$
-by~$b$ could make the premise~$P(a)$ worthless. To avoid this problem, use
-\texttt{bound_hyp_subst_tac}; alternatively, call \ttindex{cut_facts_tac} to
-insert the atomic premises as object-level assumptions.
-
-
-\section{Setting up the package}
-Many Isabelle object-logics, such as \texttt{FOL}, \texttt{HOL} and their
-descendants, come with \texttt{hyp_subst_tac} already defined. A few others,
-such as \texttt{CTT}, do not support this tactic because they lack the
-rule~$(subst)$. When defining a new logic that includes a substitution
-rule and implication, you must set up \texttt{hyp_subst_tac} yourself. It
-is packaged as the \ML{} functor \ttindex{HypsubstFun}, which takes the
-argument signature~\texttt{HYPSUBST_DATA}:
-\begin{ttbox}
-signature HYPSUBST_DATA =
- sig
- structure Simplifier : SIMPLIFIER
- val dest_Trueprop : term -> term
- val dest_eq : term -> (term*term)*typ
- val dest_imp : term -> term*term
- val eq_reflection : thm (* a=b ==> a==b *)
- val rev_eq_reflection: thm (* a==b ==> a=b *)
- val imp_intr : thm (*(P ==> Q) ==> P-->Q *)
- val rev_mp : thm (* [| P; P-->Q |] ==> Q *)
- val subst : thm (* [| a=b; P(a) |] ==> P(b) *)
- val sym : thm (* a=b ==> b=a *)
- val thin_refl : thm (* [|x=x; P|] ==> P *)
- end;
-\end{ttbox}
-Thus, the functor requires the following items:
-\begin{ttdescription}
-\item[Simplifier] should be an instance of the simplifier (see
- Chapter~\ref{chap:simplification}).
-
-\item[\ttindexbold{dest_Trueprop}] should coerce a meta-level formula to the
- corresponding object-level one. Typically, it should return $P$ when
- applied to the term $\texttt{Trueprop}\,P$ (see example below).
-
-\item[\ttindexbold{dest_eq}] should return the triple~$((t,u),T)$, where $T$ is
- the type of~$t$ and~$u$, when applied to the \ML{} term that
- represents~$t=u$. For other terms, it should raise an exception.
-
-\item[\ttindexbold{dest_imp}] should return the pair~$(P,Q)$ when applied to
- the \ML{} term that represents the implication $P\imp Q$. For other terms,
- it should raise an exception.
-
-\item[\tdxbold{eq_reflection}] is the theorem discussed
- in~\S\ref{sec:setting-up-simp}.
-
-\item[\tdxbold{rev_eq_reflection}] is the reverse of \texttt{eq_reflection}.
-
-\item[\tdxbold{imp_intr}] should be the implies introduction
-rule $(\Var{P}\Imp\Var{Q})\Imp \Var{P}\imp\Var{Q}$.
-
-\item[\tdxbold{rev_mp}] should be the `reversed' implies elimination
-rule $\List{\Var{P}; \;\Var{P}\imp\Var{Q}} \Imp \Var{Q}$.
-
-\item[\tdxbold{subst}] should be the substitution rule
-$\List{\Var{a}=\Var{b};\; \Var{P}(\Var{a})} \Imp \Var{P}(\Var{b})$.
-
-\item[\tdxbold{sym}] should be the symmetry rule
-$\Var{a}=\Var{b}\Imp\Var{b}=\Var{a}$.
-
-\item[\tdxbold{thin_refl}] should be the rule
-$\List{\Var{a}=\Var{a};\; \Var{P}} \Imp \Var{P}$, which is used to erase
-trivial equalities.
-\end{ttdescription}
-%
-The functor resides in file \texttt{Provers/hypsubst.ML} in the Isabelle
-distribution directory. It is not sensitive to the precise formalization
-of the object-logic. It is not concerned with the names of the equality
-and implication symbols, or the types of formula and terms.
-
-Coding the functions \texttt{dest_Trueprop}, \texttt{dest_eq} and
-\texttt{dest_imp} requires knowledge of Isabelle's representation of terms.
-For \texttt{FOL}, they are declared by
-\begin{ttbox}
-fun dest_Trueprop (Const ("Trueprop", _) $ P) = P
- | dest_Trueprop t = raise TERM ("dest_Trueprop", [t]);
-
-fun dest_eq (Const("op =",T) $ t $ u) = ((t, u), domain_type T)
-
-fun dest_imp (Const("op -->",_) $ A $ B) = (A, B)
- | dest_imp t = raise TERM ("dest_imp", [t]);
-\end{ttbox}
-Recall that \texttt{Trueprop} is the coercion from type~$o$ to type~$prop$,
-while \hbox{\tt op =} is the internal name of the infix operator~\texttt{=}.
-Function \ttindexbold{domain_type}, given the function type $S\To T$, returns
-the type~$S$. Pattern-matching expresses the function concisely, using
-wildcards~({\tt_}) for the types.
-
-The tactic \texttt{hyp_subst_tac} works as follows. First, it identifies a
-suitable equality assumption, possibly re-orienting it using~\texttt{sym}.
-Then it moves other assumptions into the conclusion of the goal, by repeatedly
-calling \texttt{etac~rev_mp}. Then, it uses \texttt{asm_full_simp_tac} or
-\texttt{ssubst} to substitute throughout the subgoal. (If the equality
-involves unknowns then it must use \texttt{ssubst}.) Then, it deletes the
-equality. Finally, it moves the assumptions back to their original positions
-by calling \hbox{\tt resolve_tac\ts[imp_intr]}.
-
-\index{equality|)}\index{tactics!substitution|)}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/document/syntax.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,240 +0,0 @@
-
-\chapter{Syntax Transformations} \label{chap:syntax}
-\newcommand\ttapp{\mathrel{\hbox{\tt\$}}}
-\newcommand\mtt[1]{\mbox{\tt #1}}
-\newcommand\ttfct[1]{\mathop{\mtt{#1}}\nolimits}
-\newcommand\Constant{\ttfct{Constant}}
-\newcommand\Variable{\ttfct{Variable}}
-\newcommand\Appl[1]{\ttfct{Appl}\,[#1]}
-\index{syntax!transformations|(}
-
-
-\section{Transforming parse trees to ASTs}\label{sec:astofpt}
-\index{ASTs!made from parse trees}
-\newcommand\astofpt[1]{\lbrakk#1\rbrakk}
-
-The parse tree is the raw output of the parser. Translation functions,
-called {\bf parse AST translations}\indexbold{translations!parse AST},
-transform the parse tree into an abstract syntax tree.
-
-The parse tree is constructed by nesting the right-hand sides of the
-productions used to recognize the input. Such parse trees are simply lists
-of tokens and constituent parse trees, the latter representing the
-nonterminals of the productions. Let us refer to the actual productions in
-the form displayed by {\tt print_syntax} (see \S\ref{sec:inspct-thy} for an
-example).
-
-Ignoring parse \AST{} translations, parse trees are transformed to \AST{}s
-by stripping out delimiters and copy productions. More precisely, the
-mapping $\astofpt{-}$ is derived from the productions as follows:
-\begin{itemize}
-\item Name tokens: $\astofpt{t} = \Variable s$, where $t$ is an \ndx{id},
- \ndx{var}, \ndx{tid}, \ndx{tvar}, \ndx{num}, \ndx{xnum} or \ndx{xstr} token,
- and $s$ its associated string. Note that for {\tt xstr} this does not
- include the quotes.
-
-\item Copy productions:\index{productions!copy}
- $\astofpt{\ldots P \ldots} = \astofpt{P}$. Here $\ldots$ stands for
- strings of delimiters, which are discarded. $P$ stands for the single
- constituent that is not a delimiter; it is either a nonterminal symbol or
- a name token.
-
- \item 0-ary productions: $\astofpt{\ldots \mtt{=>} c} = \Constant c$.
- Here there are no constituents other than delimiters, which are
- discarded.
-
- \item $n$-ary productions, where $n \ge 1$: delimiters are discarded and
- the remaining constituents $P@1$, \ldots, $P@n$ are built into an
- application whose head constant is~$c$:
- \[ \astofpt{\ldots P@1 \ldots P@n \ldots \mtt{=>} c} =
- \Appl{\Constant c, \astofpt{P@1}, \ldots, \astofpt{P@n}}
- \]
-\end{itemize}
-Figure~\ref{fig:parse_ast} presents some simple examples, where {\tt ==},
-{\tt _appl}, {\tt _args}, and so forth name productions of the Pure syntax.
-These examples illustrate the need for further translations to make \AST{}s
-closer to the typed $\lambda$-calculus. The Pure syntax provides
-predefined parse \AST{} translations\index{translations!parse AST} for
-ordinary applications, type applications, nested abstractions, meta
-implications and function types. Figure~\ref{fig:parse_ast_tr} shows their
-effect on some representative input strings.
-
-
-\begin{figure}
-\begin{center}
-\tt\begin{tabular}{ll}
-\rm input string & \rm \AST \\\hline
-"f" & f \\
-"'a" & 'a \\
-"t == u" & ("==" t u) \\
-"f(x)" & ("_appl" f x) \\
-"f(x, y)" & ("_appl" f ("_args" x y)) \\
-"f(x, y, z)" & ("_appl" f ("_args" x ("_args" y z))) \\
-"\%x y.\ t" & ("_lambda" ("_idts" x y) t) \\
-\end{tabular}
-\end{center}
-\caption{Parsing examples using the Pure syntax}\label{fig:parse_ast}
-\end{figure}
-
-\begin{figure}
-\begin{center}
-\tt\begin{tabular}{ll}
-\rm input string & \rm \AST{} \\\hline
-"f(x, y, z)" & (f x y z) \\
-"'a ty" & (ty 'a) \\
-"('a, 'b) ty" & (ty 'a 'b) \\
-"\%x y z.\ t" & ("_abs" x ("_abs" y ("_abs" z t))) \\
-"\%x ::\ 'a.\ t" & ("_abs" ("_constrain" x 'a) t) \\
-"[| P; Q; R |] => S" & ("==>" P ("==>" Q ("==>" R S))) \\
-"['a, 'b, 'c] => 'd" & ("fun" 'a ("fun" 'b ("fun" 'c 'd)))
-\end{tabular}
-\end{center}
-\caption{Built-in parse \AST{} translations}\label{fig:parse_ast_tr}
-\end{figure}
-
-The names of constant heads in the \AST{} control the translation process.
-The list of constants invoking parse \AST{} translations appears in the
-output of {\tt print_syntax} under {\tt parse_ast_translation}.
-
-
-\section{Transforming ASTs to terms}\label{sec:termofast}
-\index{terms!made from ASTs}
-\newcommand\termofast[1]{\lbrakk#1\rbrakk}
-
-The \AST{}, after application of macros (see \S\ref{sec:macros}), is
-transformed into a term. This term is probably ill-typed since type
-inference has not occurred yet. The term may contain type constraints
-consisting of applications with head {\tt "_constrain"}; the second
-argument is a type encoded as a term. Type inference later introduces
-correct types or rejects the input.
-
-Another set of translation functions, namely parse
-translations\index{translations!parse}, may affect this process. If we
-ignore parse translations for the time being, then \AST{}s are transformed
-to terms by mapping \AST{} constants to constants, \AST{} variables to
-schematic or free variables and \AST{} applications to applications.
-
-More precisely, the mapping $\termofast{-}$ is defined by
-\begin{itemize}
-\item Constants: $\termofast{\Constant x} = \ttfct{Const} (x,
- \mtt{dummyT})$.
-
-\item Schematic variables: $\termofast{\Variable \mtt{"?}xi\mtt"} =
- \ttfct{Var} ((x, i), \mtt{dummyT})$, where $x$ is the base name and $i$
- the index extracted from~$xi$.
-
-\item Free variables: $\termofast{\Variable x} = \ttfct{Free} (x,
- \mtt{dummyT})$.
-
-\item Function applications with $n$ arguments:
- \[ \termofast{\Appl{f, x@1, \ldots, x@n}} =
- \termofast{f} \ttapp
- \termofast{x@1} \ttapp \ldots \ttapp \termofast{x@n}
- \]
-\end{itemize}
-Here \ttindex{Const}, \ttindex{Var}, \ttindex{Free} and
-\verb|$|\index{$@{\tt\$}} are constructors of the datatype \mltydx{term},
-while \ttindex{dummyT} stands for some dummy type that is ignored during
-type inference.
-
-So far the outcome is still a first-order term. Abstractions and bound
-variables (constructors \ttindex{Abs} and \ttindex{Bound}) are introduced
-by parse translations. Such translations are attached to {\tt "_abs"},
-{\tt "!!"} and user-defined binders.
-
-
-\section{Printing of terms}
-\newcommand\astofterm[1]{\lbrakk#1\rbrakk}\index{ASTs!made from terms}
-
-The output phase is essentially the inverse of the input phase. Terms are
-translated via abstract syntax trees into strings. Finally the strings are
-pretty printed.
-
-Print translations (\S\ref{sec:tr_funs}) may affect the transformation of
-terms into \AST{}s. Ignoring those, the transformation maps
-term constants, variables and applications to the corresponding constructs
-on \AST{}s. Abstractions are mapped to applications of the special
-constant {\tt _abs}.
-
-More precisely, the mapping $\astofterm{-}$ is defined as follows:
-\begin{itemize}
- \item $\astofterm{\ttfct{Const} (x, \tau)} = \Constant x$.
-
- \item $\astofterm{\ttfct{Free} (x, \tau)} = constrain (\Variable x,
- \tau)$.
-
- \item $\astofterm{\ttfct{Var} ((x, i), \tau)} = constrain (\Variable
- \mtt{"?}xi\mtt", \tau)$, where $\mtt?xi$ is the string representation of
- the {\tt indexname} $(x, i)$.
-
- \item For the abstraction $\lambda x::\tau.t$, let $x'$ be a variant
- of~$x$ renamed to differ from all names occurring in~$t$, and let $t'$
- be obtained from~$t$ by replacing all bound occurrences of~$x$ by
- the free variable $x'$. This replaces corresponding occurrences of the
- constructor \ttindex{Bound} by the term $\ttfct{Free} (x',
- \mtt{dummyT})$:
- \[ \astofterm{\ttfct{Abs} (x, \tau, t)} =
- \Appl{\Constant \mtt{"_abs"},
- constrain(\Variable x', \tau), \astofterm{t'}}
- \]
-
- \item $\astofterm{\ttfct{Bound} i} = \Variable \mtt{"B.}i\mtt"$.
- The occurrence of constructor \ttindex{Bound} should never happen
- when printing well-typed terms; it indicates a de Bruijn index with no
- matching abstraction.
-
- \item Where $f$ is not an application,
- \[ \astofterm{f \ttapp x@1 \ttapp \ldots \ttapp x@n} =
- \Appl{\astofterm{f}, \astofterm{x@1}, \ldots,\astofterm{x@n}}
- \]
-\end{itemize}
-%
-Type constraints\index{type constraints} are inserted to allow the printing
-of types. This is governed by the boolean variable \ttindex{show_types}:
-\begin{itemize}
- \item $constrain(x, \tau) = x$ \ if $\tau = \mtt{dummyT}$ \index{*dummyT} or
- \ttindex{show_types} is set to {\tt false}.
-
- \item $constrain(x, \tau) = \Appl{\Constant \mtt{"_constrain"}, x,
- \astofterm{\tau}}$ \ otherwise.
-
- Here, $\astofterm{\tau}$ is the \AST{} encoding of $\tau$: type
- constructors go to {\tt Constant}s; type identifiers go to {\tt
- Variable}s; type applications go to {\tt Appl}s with the type
- constructor as the first element. If \ttindex{show_sorts} is set to
- {\tt true}, some type variables are decorated with an \AST{} encoding
- of their sort.
-\end{itemize}
-%
-The \AST{}, after application of macros (see \S\ref{sec:macros}), is
-transformed into the final output string. The built-in {\bf print AST
- translations}\indexbold{translations!print AST} reverse the
-parse \AST{} translations of Fig.\ts\ref{fig:parse_ast_tr}.
-
-For the actual printing process, the names attached to productions
-of the form $\ldots A^{(p@1)}@1 \ldots A^{(p@n)}@n \ldots \mtt{=>} c$ play
-a vital role. Each \AST{} with constant head $c$, namely $\mtt"c\mtt"$ or
-$(\mtt"c\mtt"~ x@1 \ldots x@n)$, is printed according to the production
-for~$c$. Each argument~$x@i$ is converted to a string, and put in
-parentheses if its priority~$(p@i)$ requires this. The resulting strings
-and their syntactic sugar (denoted by \dots{} above) are joined to make a
-single string.
-
-If an application $(\mtt"c\mtt"~ x@1 \ldots x@m)$ has more arguments
-than the corresponding production, it is first split into
-$((\mtt"c\mtt"~ x@1 \ldots x@n) ~ x@{n+1} \ldots x@m)$. Applications
-with too few arguments or with non-constant head or without a
-corresponding production are printed as $f(x@1, \ldots, x@l)$ or
-$(\alpha@1, \ldots, \alpha@l) ty$. Multiple productions associated
-with some name $c$ are tried in order of appearance. An occurrence of
-$\Variable x$ is simply printed as~$x$.
-
-Blanks are {\em not\/} inserted automatically. If blanks are required to
-separate tokens, specify them in the mixfix declaration, possibly preceded
-by a slash~({\tt/}) to allow a line break.
-\index{ASTs|)}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/document/tactic.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,173 +0,0 @@
-
-\chapter{Tactics} \label{tactics}
-\index{tactics|(}
-
-\section{Other basic tactics}
-
-\subsection{Inserting premises and facts}\label{cut_facts_tac}
-\index{tactics!for inserting facts}\index{assumptions!inserting}
-\begin{ttbox}
-cut_facts_tac : thm list -> int -> tactic
-\end{ttbox}
-These tactics add assumptions to a subgoal.
-\begin{ttdescription}
-\item[\ttindexbold{cut_facts_tac} {\it thms} {\it i}]
- adds the {\it thms} as new assumptions to subgoal~$i$. Once they have
- been inserted as assumptions, they become subject to tactics such as {\tt
- eresolve_tac} and {\tt rewrite_goals_tac}. Only rules with no premises
- are inserted: Isabelle cannot use assumptions that contain $\Imp$
- or~$\Forall$. Sometimes the theorems are premises of a rule being
- derived, returned by~{\tt goal}; instead of calling this tactic, you
- could state the goal with an outermost meta-quantifier.
-
-\end{ttdescription}
-
-
-\subsection{Composition: resolution without lifting}
-\index{tactics!for composition}
-\begin{ttbox}
-compose_tac: (bool * thm * int) -> int -> tactic
-\end{ttbox}
-{\bf Composing} two rules means resolving them without prior lifting or
-renaming of unknowns. This low-level operation, which underlies the
-resolution tactics, may occasionally be useful for special effects.
-A typical application is \ttindex{res_inst_tac}, which lifts and instantiates a
-rule, then passes the result to {\tt compose_tac}.
-\begin{ttdescription}
-\item[\ttindexbold{compose_tac} ($flag$, $rule$, $m$) $i$]
-refines subgoal~$i$ using $rule$, without lifting. The $rule$ is taken to
-have the form $\List{\psi@1; \ldots; \psi@m} \Imp \psi$, where $\psi$ need
-not be atomic; thus $m$ determines the number of new subgoals. If
-$flag$ is {\tt true} then it performs elim-resolution --- it solves the
-first premise of~$rule$ by assumption and deletes that assumption.
-\end{ttdescription}
-
-
-\section{*Managing lots of rules}
-These operations are not intended for interactive use. They are concerned
-with the processing of large numbers of rules in automatic proof
-strategies. Higher-order resolution involving a long list of rules is
-slow. Filtering techniques can shorten the list of rules given to
-resolution, and can also detect whether a subgoal is too flexible,
-with too many rules applicable.
-
-\subsection{Combined resolution and elim-resolution} \label{biresolve_tac}
-\index{tactics!resolution}
-\begin{ttbox}
-biresolve_tac : (bool*thm)list -> int -> tactic
-bimatch_tac : (bool*thm)list -> int -> tactic
-subgoals_of_brl : bool*thm -> int
-lessb : (bool*thm) * (bool*thm) -> bool
-\end{ttbox}
-{\bf Bi-resolution} takes a list of $\it (flag,rule)$ pairs. For each
-pair, it applies resolution if the flag is~{\tt false} and
-elim-resolution if the flag is~{\tt true}. A single tactic call handles a
-mixture of introduction and elimination rules.
-
-\begin{ttdescription}
-\item[\ttindexbold{biresolve_tac} {\it brls} {\it i}]
-refines the proof state by resolution or elim-resolution on each rule, as
-indicated by its flag. It affects subgoal~$i$ of the proof state.
-
-\item[\ttindexbold{bimatch_tac}]
-is like {\tt biresolve_tac}, but performs matching: unknowns in the
-proof state are never updated (see~{\S}\ref{match_tac}).
-
-\item[\ttindexbold{subgoals_of_brl}({\it flag},{\it rule})]
-returns the number of new subgoals that bi-res\-o\-lu\-tion would yield for the
-pair (if applied to a suitable subgoal). This is $n$ if the flag is
-{\tt false} and $n-1$ if the flag is {\tt true}, where $n$ is the number
-of premises of the rule. Elim-resolution yields one fewer subgoal than
-ordinary resolution because it solves the major premise by assumption.
-
-\item[\ttindexbold{lessb} ({\it brl1},{\it brl2})]
-returns the result of
-\begin{ttbox}
-subgoals_of_brl{\it brl1} < subgoals_of_brl{\it brl2}
-\end{ttbox}
-\end{ttdescription}
-Note that \hbox{\tt sort lessb {\it brls}} sorts a list of $\it
-(flag,rule)$ pairs by the number of new subgoals they will yield. Thus,
-those that yield the fewest subgoals should be tried first.
-
-
-\subsection{Discrimination nets for fast resolution}\label{filt_resolve_tac}
-\index{discrimination nets|bold}
-\index{tactics!resolution}
-\begin{ttbox}
-net_resolve_tac : thm list -> int -> tactic
-net_match_tac : thm list -> int -> tactic
-net_biresolve_tac: (bool*thm) list -> int -> tactic
-net_bimatch_tac : (bool*thm) list -> int -> tactic
-filt_resolve_tac : thm list -> int -> int -> tactic
-could_unify : term*term->bool
-filter_thms : (term*term->bool) -> int*term*thm list -> thm{\ts}list
-\end{ttbox}
-The module {\tt Net} implements a discrimination net data structure for
-fast selection of rules \cite[Chapter 14]{charniak80}. A term is
-classified by the symbol list obtained by flattening it in preorder.
-The flattening takes account of function applications, constants, and free
-and bound variables; it identifies all unknowns and also regards
-\index{lambda abs@$\lambda$-abstractions}
-$\lambda$-abstractions as unknowns, since they could $\eta$-contract to
-anything.
-
-A discrimination net serves as a polymorphic dictionary indexed by terms.
-The module provides various functions for inserting and removing items from
-nets. It provides functions for returning all items whose term could match
-or unify with a target term. The matching and unification tests are
-overly lax (due to the identifications mentioned above) but they serve as
-useful filters.
-
-A net can store introduction rules indexed by their conclusion, and
-elimination rules indexed by their major premise. Isabelle provides
-several functions for `compiling' long lists of rules into fast
-resolution tactics. When supplied with a list of theorems, these functions
-build a discrimination net; the net is used when the tactic is applied to a
-goal. To avoid repeatedly constructing the nets, use currying: bind the
-resulting tactics to \ML{} identifiers.
-
-\begin{ttdescription}
-\item[\ttindexbold{net_resolve_tac} {\it thms}]
-builds a discrimination net to obtain the effect of a similar call to {\tt
-resolve_tac}.
-
-\item[\ttindexbold{net_match_tac} {\it thms}]
-builds a discrimination net to obtain the effect of a similar call to {\tt
-match_tac}.
-
-\item[\ttindexbold{net_biresolve_tac} {\it brls}]
-builds a discrimination net to obtain the effect of a similar call to {\tt
-biresolve_tac}.
-
-\item[\ttindexbold{net_bimatch_tac} {\it brls}]
-builds a discrimination net to obtain the effect of a similar call to {\tt
-bimatch_tac}.
-
-\item[\ttindexbold{filt_resolve_tac} {\it thms} {\it maxr} {\it i}]
-uses discrimination nets to extract the {\it thms} that are applicable to
-subgoal~$i$. If more than {\it maxr\/} theorems are applicable then the
-tactic fails. Otherwise it calls {\tt resolve_tac}.
-
-This tactic helps avoid runaway instantiation of unknowns, for example in
-type inference.
-
-\item[\ttindexbold{could_unify} ({\it t},{\it u})]
-returns {\tt false} if~$t$ and~$u$ are `obviously' non-unifiable, and
-otherwise returns~{\tt true}. It assumes all variables are distinct,
-reporting that {\tt ?a=?a} may unify with {\tt 0=1}.
-
-\item[\ttindexbold{filter_thms} $could\; (limit,prem,thms)$]
-returns the list of potentially resolvable rules (in {\it thms\/}) for the
-subgoal {\it prem}, using the predicate {\it could\/} to compare the
-conclusion of the subgoal with the conclusion of each rule. The resulting list
-is no longer than {\it limit}.
-\end{ttdescription}
-
-\index{tactics|)}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/document/thm.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,636 +0,0 @@
-
-\chapter{Theorems and Forward Proof}
-\index{theorems|(}
-
-Theorems, which represent the axioms, theorems and rules of
-object-logics, have type \mltydx{thm}. This chapter describes
-operations that join theorems in forward proof. Most theorem
-operations are intended for advanced applications, such as programming
-new proof procedures.
-
-
-\subsection{Instantiating unknowns in a theorem} \label{sec:instantiate}
-\index{instantiation}
-\begin{alltt}\footnotesize
-read_instantiate : (string*string) list -> thm -> thm
-read_instantiate_sg : Sign.sg -> (string*string) list -> thm -> thm
-cterm_instantiate : (cterm*cterm) list -> thm -> thm
-instantiate' : ctyp option list -> cterm option list -> thm -> thm
-\end{alltt}
-These meta-rules instantiate type and term unknowns in a theorem. They are
-occasionally useful. They can prevent difficulties with higher-order
-unification, and define specialized versions of rules.
-\begin{ttdescription}
-\item[\ttindexbold{read_instantiate} {\it insts} {\it thm}]
-processes the instantiations {\it insts} and instantiates the rule~{\it
-thm}. The processing of instantiations is described
-in \S\ref{res_inst_tac}, under {\tt res_inst_tac}.
-
-Use {\tt res_inst_tac}, not {\tt read_instantiate}, to instantiate a rule
-and refine a particular subgoal. The tactic allows instantiation by the
-subgoal's parameters, and reads the instantiations using the signature
-associated with the proof state.
-
-Use {\tt read_instantiate_sg} below if {\it insts\/} appears to be treated
-incorrectly.
-
-\item[\ttindexbold{read_instantiate_sg} {\it sg} {\it insts} {\it thm}]
- is like \texttt{read_instantiate {\it insts}~{\it thm}}, but it reads
- the instantiations under signature~{\it sg}. This is necessary to
- instantiate a rule from a general theory, such as first-order logic,
- using the notation of some specialized theory. Use the function {\tt
- sign_of} to get a theory's signature.
-
-\item[\ttindexbold{cterm_instantiate} {\it ctpairs} {\it thm}]
-is similar to {\tt read_instantiate}, but the instantiations are provided
-as pairs of certified terms, not as strings to be read.
-
-\item[\ttindexbold{instantiate'} {\it ctyps} {\it cterms} {\it thm}]
- instantiates {\it thm} according to the positional arguments {\it
- ctyps} and {\it cterms}. Counting from left to right, schematic
- variables $?x$ are either replaced by $t$ for any argument
- \texttt{Some\(\;t\)}, or left unchanged in case of \texttt{None} or
- if the end of the argument list is encountered. Types are
- instantiated before terms.
-
-\end{ttdescription}
-
-
-\subsection{Miscellaneous forward rules}\label{MiscellaneousForwardRules}
-\index{theorems!standardizing}
-\begin{ttbox}
-standard : thm -> thm
-zero_var_indexes : thm -> thm
-make_elim : thm -> thm
-rule_by_tactic : tactic -> thm -> thm
-rotate_prems : int -> thm -> thm
-permute_prems : int -> int -> thm -> thm
-rearrange_prems : int list -> thm -> thm
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{standard} $thm$] puts $thm$ into the standard form
- of object-rules. It discharges all meta-assumptions, replaces free
- variables by schematic variables, renames schematic variables to
- have subscript zero, also strips outer (meta) quantifiers and
- removes dangling sort hypotheses.
-
-\item[\ttindexbold{zero_var_indexes} $thm$]
-makes all schematic variables have subscript zero, renaming them to avoid
-clashes.
-
-\item[\ttindexbold{make_elim} $thm$]
-\index{rules!converting destruction to elimination}
-converts $thm$, which should be a destruction rule of the form
-$\List{P@1;\ldots;P@m}\Imp
-Q$, to the elimination rule $\List{P@1; \ldots; P@m; Q\Imp R}\Imp R$. This
-is the basis for destruct-resolution: {\tt dresolve_tac}, etc.
-
-\item[\ttindexbold{rule_by_tactic} {\it tac} {\it thm}]
- applies {\it tac\/} to the {\it thm}, freezing its variables first, then
- yields the proof state returned by the tactic. In typical usage, the
- {\it thm\/} represents an instance of a rule with several premises, some
- with contradictory assumptions (because of the instantiation). The
- tactic proves those subgoals and does whatever else it can, and returns
- whatever is left.
-
-\item[\ttindexbold{rotate_prems} $k$ $thm$] rotates the premises of $thm$ to
- the left by~$k$ positions (to the right if $k<0$). It simply calls
- \texttt{permute_prems}, below, with $j=0$. Used with
- \texttt{eresolve_tac}\index{*eresolve_tac!on other than first premise}, it
- gives the effect of applying the tactic to some other premise of $thm$ than
- the first.
-
-\item[\ttindexbold{permute_prems} $j$ $k$ $thm$] rotates the premises of $thm$
- leaving the first $j$ premises unchanged. It
- requires $0\leq j\leq n$, where $n$ is the number of premises. If $k$ is
- positive then it rotates the remaining $n-j$ premises to the left; if $k$ is
- negative then it rotates the premises to the right.
-
-\item[\ttindexbold{rearrange_prems} $ps$ $thm$] permutes the premises of $thm$
- where the value at the $i$-th position (counting from $0$) in the list $ps$
- gives the position within the original thm to be transferred to position $i$.
- Any remaining trailing positions are left unchanged.
-\end{ttdescription}
-
-
-\subsection{Taking a theorem apart}
-\index{theorems!taking apart}
-\index{flex-flex constraints}
-\begin{ttbox}
-cprop_of : thm -> cterm
-concl_of : thm -> term
-prems_of : thm -> term list
-cprems_of : thm -> cterm list
-nprems_of : thm -> int
-tpairs_of : thm -> (term*term) list
-theory_of_thm : thm -> theory
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{cprop_of} $thm$] returns the statement of $thm$ as
- a certified term.
-
-\item[\ttindexbold{concl_of} $thm$] returns the conclusion of $thm$ as
- a term.
-
-\item[\ttindexbold{prems_of} $thm$] returns the premises of $thm$ as a
- list of terms.
-
-\item[\ttindexbold{cprems_of} $thm$] returns the premises of $thm$ as
- a list of certified terms.
-
-\item[\ttindexbold{nprems_of} $thm$]
-returns the number of premises in $thm$, and is equivalent to {\tt
- length~(prems_of~$thm$)}.
-
-\item[\ttindexbold{tpairs_of} $thm$] returns the flex-flex constraints
- of $thm$.
-
-\item[\ttindexbold{theory_of_thm} $thm$] returns the theory associated
- with $thm$. Note that this does a lookup in Isabelle's global
- database of loaded theories.
-
-\end{ttdescription}
-
-
-\subsection{*Sort hypotheses} \label{sec:sort-hyps}
-\index{sort hypotheses}
-\begin{ttbox}
-strip_shyps : thm -> thm
-strip_shyps_warning : thm -> thm
-\end{ttbox}
-
-Isabelle's type variables are decorated with sorts, constraining them to
-certain ranges of types. This has little impact when sorts only serve for
-syntactic classification of types --- for example, FOL distinguishes between
-terms and other types. But when type classes are introduced through axioms,
-this may result in some sorts becoming {\em empty\/}: where one cannot exhibit
-a type belonging to it because certain sets of axioms are unsatisfiable.
-
-If a theorem contains a type variable that is constrained by an empty
-sort, then that theorem has no instances. It is basically an instance
-of {\em ex falso quodlibet}. But what if it is used to prove another
-theorem that no longer involves that sort? The latter theorem holds
-only if under an additional non-emptiness assumption.
-
-Therefore, Isabelle's theorems carry around sort hypotheses. The {\tt
-shyps} field is a list of sorts occurring in type variables in the current
-{\tt prop} and {\tt hyps} fields. It may also includes sorts used in the
-theorem's proof that no longer appear in the {\tt prop} or {\tt hyps}
-fields --- so-called {\em dangling\/} sort constraints. These are the
-critical ones, asserting non-emptiness of the corresponding sorts.
-
-Isabelle automatically removes extraneous sorts from the {\tt shyps} field at
-the end of a proof, provided that non-emptiness can be established by looking
-at the theorem's signature: from the {\tt classes} and {\tt arities}
-information. This operation is performed by \texttt{strip_shyps} and
-\texttt{strip_shyps_warning}.
-
-\begin{ttdescription}
-
-\item[\ttindexbold{strip_shyps} $thm$] removes any extraneous sort hypotheses
- that can be witnessed from the type signature.
-
-\item[\ttindexbold{strip_shyps_warning}] is like \texttt{strip_shyps}, but
- issues a warning message of any pending sort hypotheses that do not have a
- (syntactic) witness.
-
-\end{ttdescription}
-
-
-\subsection{Tracing flags for unification}
-\index{tracing!of unification}
-\begin{ttbox}
-Unify.trace_simp : bool ref \hfill\textbf{initially false}
-Unify.trace_types : bool ref \hfill\textbf{initially false}
-Unify.trace_bound : int ref \hfill\textbf{initially 10}
-Unify.search_bound : int ref \hfill\textbf{initially 20}
-\end{ttbox}
-Tracing the search may be useful when higher-order unification behaves
-unexpectedly. Letting {\tt res_inst_tac} circumvent the problem is easier,
-though.
-\begin{ttdescription}
-\item[set Unify.trace_simp;]
-causes tracing of the simplification phase.
-
-\item[set Unify.trace_types;]
-generates warnings of incompleteness, when unification is not considering
-all possible instantiations of type unknowns.
-
-\item[Unify.trace_bound := $n$;]
-causes unification to print tracing information once it reaches depth~$n$.
-Use $n=0$ for full tracing. At the default value of~10, tracing
-information is almost never printed.
-
-\item[Unify.search_bound := $n$;] prevents unification from
- searching past the depth~$n$. Because of this bound, higher-order
- unification cannot return an infinite sequence, though it can return
- an exponentially long one. The search rarely approaches the default value
- of~20. If the search is cut off, unification prints a warning
- \texttt{Unification bound exceeded}.
-\end{ttdescription}
-
-
-\section{*Primitive meta-level inference rules}
-\index{meta-rules|(}
-
-\subsection{Logical equivalence rules}
-\index{meta-equality}
-\begin{ttbox}
-equal_intr : thm -> thm -> thm
-equal_elim : thm -> thm -> thm
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{equal_intr} $thm@1$ $thm@2$]
-applies $({\equiv}I)$ to $thm@1$ and~$thm@2$. It maps the premises~$\psi$
-and~$\phi$ to the conclusion~$\phi\equiv\psi$; the assumptions are those of
-the first premise with~$\phi$ removed, plus those of
-the second premise with~$\psi$ removed.
-
-\item[\ttindexbold{equal_elim} $thm@1$ $thm@2$]
-applies $({\equiv}E)$ to $thm@1$ and~$thm@2$. It maps the premises
-$\phi\equiv\psi$ and $\phi$ to the conclusion~$\psi$.
-\end{ttdescription}
-
-
-\subsection{Equality rules}
-\index{meta-equality}
-\begin{ttbox}
-reflexive : cterm -> thm
-symmetric : thm -> thm
-transitive : thm -> thm -> thm
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{reflexive} $ct$]
-makes the theorem \(ct\equiv ct\).
-
-\item[\ttindexbold{symmetric} $thm$]
-maps the premise $a\equiv b$ to the conclusion $b\equiv a$.
-
-\item[\ttindexbold{transitive} $thm@1$ $thm@2$]
-maps the premises $a\equiv b$ and $b\equiv c$ to the conclusion~${a\equiv c}$.
-\end{ttdescription}
-
-
-\subsection{The $\lambda$-conversion rules}
-\index{lambda calc@$\lambda$-calculus}
-\begin{ttbox}
-beta_conversion : cterm -> thm
-extensional : thm -> thm
-abstract_rule : string -> cterm -> thm -> thm
-combination : thm -> thm -> thm
-\end{ttbox}
-There is no rule for $\alpha$-conversion because Isabelle regards
-$\alpha$-convertible theorems as equal.
-\begin{ttdescription}
-\item[\ttindexbold{beta_conversion} $ct$]
-makes the theorem $((\lambda x.a)(b)) \equiv a[b/x]$, where $ct$ is the
-term $(\lambda x.a)(b)$.
-
-\item[\ttindexbold{extensional} $thm$]
-maps the premise $f(x) \equiv g(x)$ to the conclusion $f\equiv g$.
-Parameter~$x$ is taken from the premise. It may be an unknown or a free
-variable (provided it does not occur in the assumptions); it must not occur
-in $f$ or~$g$.
-
-\item[\ttindexbold{abstract_rule} $v$ $x$ $thm$]
-maps the premise $a\equiv b$ to the conclusion $(\lambda x.a) \equiv
-(\lambda x.b)$, abstracting over all occurrences (if any!) of~$x$.
-Parameter~$x$ is supplied as a cterm. It may be an unknown or a free
-variable (provided it does not occur in the assumptions). In the
-conclusion, the bound variable is named~$v$.
-
-\item[\ttindexbold{combination} $thm@1$ $thm@2$]
-maps the premises $f\equiv g$ and $a\equiv b$ to the conclusion~$f(a)\equiv
-g(b)$.
-\end{ttdescription}
-
-
-\section{Derived rules for goal-directed proof}
-Most of these rules have the sole purpose of implementing particular
-tactics. There are few occasions for applying them directly to a theorem.
-
-\subsection{Resolution}
-\index{resolution}
-\begin{ttbox}
-biresolution : bool -> (bool*thm)list -> int -> thm
- -> thm Seq.seq
-\end{ttbox}
-\begin{ttdescription}
-\item[\ttindexbold{biresolution} $match$ $rules$ $i$ $state$]
-performs bi-resolution on subgoal~$i$ of $state$, using the list of $\it
-(flag,rule)$ pairs. For each pair, it applies resolution if the flag
-is~{\tt false} and elim-resolution if the flag is~{\tt true}. If $match$
-is~{\tt true}, the $state$ is not instantiated.
-\end{ttdescription}
-
-
-\subsection{Composition: resolution without lifting}
-\index{resolution!without lifting}
-\begin{ttbox}
-compose : thm * int * thm -> thm list
-COMP : thm * thm -> thm
-bicompose : bool -> bool * thm * int -> int -> thm
- -> thm Seq.seq
-\end{ttbox}
-In forward proof, a typical use of composition is to regard an assertion of
-the form $\phi\Imp\psi$ as atomic. Schematic variables are not renamed, so
-beware of clashes!
-\begin{ttdescription}
-\item[\ttindexbold{compose} ($thm@1$, $i$, $thm@2$)]
-uses $thm@1$, regarded as an atomic formula, to solve premise~$i$
-of~$thm@2$. Let $thm@1$ and $thm@2$ be $\psi$ and $\List{\phi@1; \ldots;
-\phi@n} \Imp \phi$. For each $s$ that unifies~$\psi$ and $\phi@i$, the
-result list contains the theorem
-\[ (\List{\phi@1; \ldots; \phi@{i-1}; \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s.
-\]
-
-\item[$thm@1$ \ttindexbold{COMP} $thm@2$]
-calls \hbox{\tt compose ($thm@1$, 1, $thm@2$)} and returns the result, if
-unique; otherwise, it raises exception~\xdx{THM}\@. It is
-analogous to {\tt RS}\@.
-
-For example, suppose that $thm@1$ is $a=b\Imp b=a$, a symmetry rule, and
-that $thm@2$ is $\List{P\Imp Q; \neg Q} \Imp\neg P$, which is the
-principle of contrapositives. Then the result would be the
-derived rule $\neg(b=a)\Imp\neg(a=b)$.
-
-\item[\ttindexbold{bicompose} $match$ ($flag$, $rule$, $m$) $i$ $state$]
-refines subgoal~$i$ of $state$ using $rule$, without lifting. The $rule$
-is taken to have the form $\List{\psi@1; \ldots; \psi@m} \Imp \psi$, where
-$\psi$ need not be atomic; thus $m$ determines the number of new
-subgoals. If $flag$ is {\tt true} then it performs elim-resolution --- it
-solves the first premise of~$rule$ by assumption and deletes that
-assumption. If $match$ is~{\tt true}, the $state$ is not instantiated.
-\end{ttdescription}
-
-
-\subsection{Other meta-rules}
-\begin{ttbox}
-rename_params_rule : string list * int -> thm -> thm
-\end{ttbox}
-\begin{ttdescription}
-
-\item[\ttindexbold{rename_params_rule} ({\it names}, {\it i}) $thm$]
-uses the $names$ to rename the parameters of premise~$i$ of $thm$. The
-names must be distinct. If there are fewer names than parameters, then the
-rule renames the innermost parameters and may modify the remaining ones to
-ensure that all the parameters are distinct.
-\index{parameters!renaming}
-
-\end{ttdescription}
-\index{meta-rules|)}
-
-
-\section{Proof terms}\label{sec:proofObjects}
-\index{proof terms|(} Isabelle can record the full meta-level proof of each
-theorem. The proof term contains all logical inferences in detail.
-%while
-%omitting bookkeeping steps that have no logical meaning to an outside
-%observer. Rewriting steps are recorded in similar detail as the output of
-%simplifier tracing.
-Resolution and rewriting steps are broken down to primitive rules of the
-meta-logic. The proof term can be inspected by a separate proof-checker,
-for example.
-
-According to the well-known {\em Curry-Howard isomorphism}, a proof can
-be viewed as a $\lambda$-term. Following this idea, proofs
-in Isabelle are internally represented by a datatype similar to the one for
-terms described in \S\ref{sec:terms}.
-\begin{ttbox}
-infix 8 % %%;
-
-datatype proof =
- PBound of int
- | Abst of string * typ option * proof
- | AbsP of string * term option * proof
- | op % of proof * term option
- | op %% of proof * proof
- | Hyp of term
- | PThm of (string * (string * string list) list) *
- proof * term * typ list option
- | PAxm of string * term * typ list option
- | Oracle of string * term * typ list option
- | MinProof of proof list;
-\end{ttbox}
-
-\begin{ttdescription}
-\item[\ttindexbold{Abst} ($a$, $\tau$, $prf$)] is the abstraction over
-a {\it term variable} of type $\tau$ in the body $prf$. Logically, this
-corresponds to $\bigwedge$ introduction. The name $a$ is used only for
-parsing and printing.
-\item[\ttindexbold{AbsP} ($a$, $\varphi$, $prf$)] is the abstraction
-over a {\it proof variable} standing for a proof of proposition $\varphi$
-in the body $prf$. This corresponds to $\Longrightarrow$ introduction.
-\item[$prf$ \% $t$] \index{\%@{\tt\%}|bold}
-is the application of proof $prf$ to term $t$
-which corresponds to $\bigwedge$ elimination.
-\item[$prf@1$ \%\% $prf@2$] \index{\%\%@{\tt\%\%}|bold}
-is the application of proof $prf@1$ to
-proof $prf@2$ which corresponds to $\Longrightarrow$ elimination.
-\item[\ttindexbold{PBound} $i$] is a {\em proof variable} with de Bruijn
-\cite{debruijn72} index $i$.
-\item[\ttindexbold{Hyp} $\varphi$] corresponds to the use of a meta level
-hypothesis $\varphi$.
-\item[\ttindexbold{PThm} (($name$, $tags$), $prf$, $\varphi$, $\overline{\tau}$)]
-stands for a pre-proved theorem, where $name$ is the name of the theorem,
-$prf$ is its actual proof, $\varphi$ is the proven proposition,
-and $\overline{\tau}$ is
-a type assignment for the type variables occurring in the proposition.
-\item[\ttindexbold{PAxm} ($name$, $\varphi$, $\overline{\tau}$)]
-corresponds to the use of an axiom with name $name$ and proposition
-$\varphi$, where $\overline{\tau}$ is a type assignment for the type
-variables occurring in the proposition.
-\item[\ttindexbold{Oracle} ($name$, $\varphi$, $\overline{\tau}$)]
-denotes the invocation of an oracle with name $name$ which produced
-a proposition $\varphi$, where $\overline{\tau}$ is a type assignment
-for the type variables occurring in the proposition.
-\item[\ttindexbold{MinProof} $prfs$]
-represents a {\em minimal proof} where $prfs$ is a list of theorems,
-axioms or oracles.
-\end{ttdescription}
-Note that there are no separate constructors
-for abstraction and application on the level of {\em types}, since
-instantiation of type variables is accomplished via the type assignments
-attached to {\tt Thm}, {\tt Axm} and {\tt Oracle}.
-
-Each theorem's derivation is stored as the {\tt der} field of its internal
-record:
-\begin{ttbox}
-#2 (#der (rep_thm conjI));
-{\out PThm (("HOL.conjI", []),}
-{\out AbsP ("H", None, AbsP ("H", None, \dots)), \dots, None) %}
-{\out None % None : Proofterm.proof}
-\end{ttbox}
-This proof term identifies a labelled theorem, {\tt conjI} of theory
-\texttt{HOL}, whose underlying proof is
-{\tt AbsP ("H", None, AbsP ("H", None, $\dots$))}.
-The theorem is applied to two (implicit) term arguments, which correspond
-to the two variables occurring in its proposition.
-
-Isabelle's inference kernel can produce proof objects with different
-levels of detail. This is controlled via the global reference variable
-\ttindexbold{proofs}:
-\begin{ttdescription}
-\item[proofs := 0;] only record uses of oracles
-\item[proofs := 1;] record uses of oracles as well as dependencies
- on other theorems and axioms
-\item[proofs := 2;] record inferences in full detail
-\end{ttdescription}
-Reconstruction and checking of proofs as described in \S\ref{sec:reconstruct_proofs}
-will not work for proofs constructed with {\tt proofs} set to
-{\tt 0} or {\tt 1}.
-Theorems involving oracles will be printed with a
-suffixed \verb|[!]| to point out the different quality of confidence achieved.
-
-\medskip
-
-The dependencies of theorems can be viewed using the function
-\ttindexbold{thm_deps}\index{theorems!dependencies}:
-\begin{ttbox}
-thm_deps [\(thm@1\), \(\ldots\), \(thm@n\)];
-\end{ttbox}
-generates the dependency graph of the theorems $thm@1$, $\ldots$, $thm@n$ and
-displays it using Isabelle's graph browser. For this to work properly,
-the theorems in question have to be proved with {\tt proofs} set to a value
-greater than {\tt 0}. You can use
-\begin{ttbox}
-ThmDeps.enable : unit -> unit
-ThmDeps.disable : unit -> unit
-\end{ttbox}
-to set \texttt{proofs} appropriately.
-
-\subsection{Reconstructing and checking proof terms}\label{sec:reconstruct_proofs}
-\index{proof terms!reconstructing}
-\index{proof terms!checking}
-
-When looking at the above datatype of proofs more closely, one notices that
-some arguments of constructors are {\it optional}. The reason for this is that
-keeping a full proof term for each theorem would result in enormous memory
-requirements. Fortunately, typical proof terms usually contain quite a lot of
-redundant information that can be reconstructed from the context. Therefore,
-Isabelle's inference kernel creates only {\em partial} (or {\em implicit})
-\index{proof terms!partial} proof terms, in which
-all typing information in terms, all term and type labels of abstractions
-{\tt AbsP} and {\tt Abst}, and (if possible) some argument terms of
-\verb!%! are omitted. The following functions are available for
-reconstructing and checking proof terms:
-\begin{ttbox}
-Reconstruct.reconstruct_proof :
- Sign.sg -> term -> Proofterm.proof -> Proofterm.proof
-Reconstruct.expand_proof :
- Sign.sg -> string list -> Proofterm.proof -> Proofterm.proof
-ProofChecker.thm_of_proof : theory -> Proofterm.proof -> thm
-\end{ttbox}
-
-\begin{ttdescription}
-\item[Reconstruct.reconstruct_proof $sg$ $t$ $prf$]
-turns the partial proof $prf$ into a full proof of the
-proposition denoted by $t$, with respect to signature $sg$.
-Reconstruction will fail with an error message if $prf$
-is not a proof of $t$, is ill-formed, or does not contain
-sufficient information for reconstruction by
-{\em higher order pattern unification}
-\cite{nipkow-patterns, Berghofer-Nipkow:2000:TPHOL}.
-The latter may only happen for proofs
-built up ``by hand'' but not for those produced automatically
-by Isabelle's inference kernel.
-\item[Reconstruct.expand_proof $sg$
- \ttlbrack$name@1$, $\ldots$, $name@n${\ttrbrack} $prf$]
-expands and reconstructs the proofs of all theorems with names
-$name@1$, $\ldots$, $name@n$ in the (full) proof $prf$.
-\item[ProofChecker.thm_of_proof $thy$ $prf$] turns the (full) proof
-$prf$ into a theorem with respect to theory $thy$ by replaying
-it using only primitive rules from Isabelle's inference kernel.
-\end{ttdescription}
-
-\subsection{Parsing and printing proof terms}
-\index{proof terms!parsing}
-\index{proof terms!printing}
-
-Isabelle offers several functions for parsing and printing
-proof terms. The concrete syntax for proof terms is described
-in Fig.\ts\ref{fig:proof_gram}.
-Implicit term arguments in partial proofs are indicated
-by ``{\tt _}''.
-Type arguments for theorems and axioms may be specified using
-\verb!%! or ``$\cdot$'' with an argument of the form {\tt TYPE($type$)}
-(see \S\ref{sec:basic_syntax}).
-They must appear before any other term argument of a theorem
-or axiom. In contrast to term arguments, type arguments may
-be completely omitted.
-\begin{ttbox}
-ProofSyntax.read_proof : theory -> bool -> string -> Proofterm.proof
-ProofSyntax.pretty_proof : Sign.sg -> Proofterm.proof -> Pretty.T
-ProofSyntax.pretty_proof_of : bool -> thm -> Pretty.T
-ProofSyntax.print_proof_of : bool -> thm -> unit
-\end{ttbox}
-\begin{figure}
-\begin{center}
-\begin{tabular}{rcl}
-$proof$ & $=$ & {\tt Lam} $params${\tt .} $proof$ ~~$|$~~
- $\Lambda params${\tt .} $proof$ \\
- & $|$ & $proof$ \verb!%! $any$ ~~$|$~~
- $proof$ $\cdot$ $any$ \\
- & $|$ & $proof$ \verb!%%! $proof$ ~~$|$~~
- $proof$ {\boldmath$\cdot$} $proof$ \\
- & $|$ & $id$ ~~$|$~~ $longid$ \\\\
-$param$ & $=$ & $idt$ ~~$|$~~ $idt$ {\tt :} $prop$ ~~$|$~~
- {\tt (} $param$ {\tt )} \\\\
-$params$ & $=$ & $param$ ~~$|$~~ $param$ $params$
-\end{tabular}
-\end{center}
-\caption{Proof term syntax}\label{fig:proof_gram}
-\end{figure}
-The function {\tt read_proof} reads in a proof term with
-respect to a given theory. The boolean flag indicates whether
-the proof term to be parsed contains explicit typing information
-to be taken into account.
-Usually, typing information is left implicit and
-is inferred during proof reconstruction. The pretty printing
-functions operating on theorems take a boolean flag as an
-argument which indicates whether the proof term should
-be reconstructed before printing.
-
-The following example (based on Isabelle/HOL) illustrates how
-to parse and check proof terms. We start by parsing a partial
-proof term
-\begin{ttbox}
-val prf = ProofSyntax.read_proof Main.thy false
- "impI % _ % _ %% (Lam H : _. conjE % _ % _ % _ %% H %%
- (Lam (H1 : _) H2 : _. conjI % _ % _ %% H2 %% H1))";
-{\out val prf = PThm (("HOL.impI", []), \dots, \dots, None) % None % None %%}
-{\out AbsP ("H", None, PThm (("HOL.conjE", []), \dots, \dots, None) %}
-{\out None % None % None %% PBound 0 %%}
-{\out AbsP ("H1", None, AbsP ("H2", None, \dots))) : Proofterm.proof}
-\end{ttbox}
-The statement to be established by this proof is
-\begin{ttbox}
-val t = term_of
- (read_cterm (sign_of Main.thy) ("A & B --> B & A", propT));
-{\out val t = Const ("Trueprop", "bool => prop") $}
-{\out (Const ("op -->", "[bool, bool] => bool") $}
-{\out \dots $ \dots : Term.term}
-\end{ttbox}
-Using {\tt t} we can reconstruct the full proof
-\begin{ttbox}
-val prf' = Reconstruct.reconstruct_proof (sign_of Main.thy) t prf;
-{\out val prf' = PThm (("HOL.impI", []), \dots, \dots, Some []) %}
-{\out Some (Const ("op &", \dots) $ Free ("A", \dots) $ Free ("B", \dots)) %}
-{\out Some (Const ("op &", \dots) $ Free ("B", \dots) $ Free ("A", \dots)) %%}
-{\out AbsP ("H", Some (Const ("Trueprop", \dots) $ \dots), \dots)}
-{\out : Proofterm.proof}
-\end{ttbox}
-This proof can finally be turned into a theorem
-\begin{ttbox}
-val thm = ProofChecker.thm_of_proof Main.thy prf';
-{\out val thm = "A & B --> B & A" : Thm.thm}
-\end{ttbox}
-
-\index{proof terms|)}
-\index{theorems|)}
-
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: "ref"
-%%% End:
--- a/doc-src/Ref/undocumented.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,268 +0,0 @@
-%%%%Currently UNDOCUMENTED low-level functions! from previous manual
-
-%%%%Low level information about terms and module Logic.
-%%%%Mainly used for implementation of Pure.
-
-%move to ML sources?
-
-\subsection{Basic declarations}
-The implication symbol is {\tt implies}.
-
-The term \verb|all T| is the universal quantifier for type {\tt T}\@.
-
-The term \verb|equals T| is the equality predicate for type {\tt T}\@.
-
-
-There are a number of basic functions on terms and types.
-
-\index{--->}
-\beginprog
-op ---> : typ list * typ -> typ
-\endprog
-Given types \([ \tau_1, \ldots, \tau_n]\) and \(\tau\), it
-forms the type \(\tau_1\to \cdots \to (\tau_n\to\tau)\).
-
-Calling {\prog{}type_of \${t}}\index{type_of} computes the type of the
-term~$t$. Raises exception {\tt TYPE} unless applications are well-typed.
-
-
-Calling \verb|subst_bounds|$([u_{n-1},\ldots,u_0],\,t)$\index{subst_bounds}
-substitutes the $u_i$ for loose bound variables in $t$. This achieves
-\(\beta\)-reduction of \(u_{n-1} \cdots u_0\) into $t$, replacing {\tt
-Bound~i} with $u_i$. For \((\lambda x y.t)(u,v)\), the bound variable
-indices in $t$ are $x:1$ and $y:0$. The appropriate call is
-\verb|subst_bounds([v,u],t)|. Loose bound variables $\geq n$ are reduced
-by $n$ to compensate for the disappearance of $n$ lambdas.
-
-\index{maxidx_of_term}
-\beginprog
-maxidx_of_term: term -> int
-\endprog
-Computes the maximum index of all the {\tt Var}s in a term.
-If there are no {\tt Var}s, the result is \(-1\).
-
-\index{term_match}
-\beginprog
-term_match: (term*term)list * term*term -> (term*term)list
-\endprog
-Calling \verb|term_match(vts,t,u)| instantiates {\tt Var}s in {\tt t} to
-match it with {\tt u}. The resulting list of variable/term pairs extends
-{\tt vts}, which is typically empty. First-order pattern matching is used
-to implement meta-level rewriting.
-
-
-\subsection{The representation of object-rules}
-The module {\tt Logic} contains operations concerned with inference ---
-especially, for constructing and destructing terms that represent
-object-rules.
-
-\index{occs}
-\beginprog
-op occs: term*term -> bool
-\endprog
-Does one term occur in the other?
-(This is a reflexive relation.)
-
-\index{add_term_vars}
-\beginprog
-add_term_vars: term*term list -> term list
-\endprog
-Accumulates the {\tt Var}s in the term, suppressing duplicates.
-The second argument should be the list of {\tt Var}s found so far.
-
-\index{add_term_frees}
-\beginprog
-add_term_frees: term*term list -> term list
-\endprog
-Accumulates the {\tt Free}s in the term, suppressing duplicates.
-The second argument should be the list of {\tt Free}s found so far.
-
-\index{mk_equals}
-\beginprog
-mk_equals: term*term -> term
-\endprog
-Given $t$ and $u$ makes the term $t\equiv u$.
-
-\index{dest_equals}
-\beginprog
-dest_equals: term -> term*term
-\endprog
-Given $t\equiv u$ returns the pair $(t,u)$.
-
-\index{list_implies:}
-\beginprog
-list_implies: term list * term -> term
-\endprog
-Given the pair $([\phi_1,\ldots, \phi_m], \phi)$
-makes the term \([\phi_1;\ldots; \phi_m] \Imp \phi\).
-
-\index{strip_imp_prems}
-\beginprog
-strip_imp_prems: term -> term list
-\endprog
-Given \([\phi_1;\ldots; \phi_m] \Imp \phi\)
-returns the list \([\phi_1,\ldots, \phi_m]\).
-
-\index{strip_imp_concl}
-\beginprog
-strip_imp_concl: term -> term
-\endprog
-Given \([\phi_1;\ldots; \phi_m] \Imp \phi\)
-returns the term \(\phi\).
-
-\index{list_equals}
-\beginprog
-list_equals: (term*term)list * term -> term
-\endprog
-For adding flex-flex constraints to an object-rule.
-Given $([(t_1,u_1),\ldots, (t_k,u_k)], \phi)$,
-makes the term \([t_1\equiv u_1;\ldots; t_k\equiv u_k]\Imp \phi\).
-
-\index{strip_equals}
-\beginprog
-strip_equals: term -> (term*term) list * term
-\endprog
-Given \([t_1\equiv u_1;\ldots; t_k\equiv u_k]\Imp \phi\),
-returns $([(t_1,u_1),\ldots, (t_k,u_k)], \phi)$.
-
-\index{rule_of}
-\beginprog
-rule_of: (term*term)list * term list * term -> term
-\endprog
-Makes an object-rule: given the triple
-\[ ([(t_1,u_1),\ldots, (t_k,u_k)], [\phi_1,\ldots, \phi_m], \phi) \]
-returns the term
-\([t_1\equiv u_1;\ldots; t_k\equiv u_k; \phi_1;\ldots; \phi_m]\Imp \phi\)
-
-\index{strip_horn}
-\beginprog
-strip_horn: term -> (term*term)list * term list * term
-\endprog
-Breaks an object-rule into its parts: given
-\[ [t_1\equiv u_1;\ldots; t_k\equiv u_k; \phi_1;\ldots; \phi_m] \Imp \phi \]
-returns the triple
-\(([(t_k,u_k),\ldots, (t_1,u_1)], [\phi_1,\ldots, \phi_m], \phi).\)
-
-\index{strip_assums}
-\beginprog
-strip_assums: term -> (term*int) list * (string*typ) list * term
-\endprog
-Strips premises of a rule allowing a more general form,
-where $\Forall$ and $\Imp$ may be intermixed.
-This is typical of assumptions of a subgoal in natural deduction.
-Returns additional information about the number, names,
-and types of quantified variables.
-
-
-\index{strip_prems}
-\beginprog
-strip_prems: int * term list * term -> term list * term
-\endprog
-For finding premise (or subgoal) $i$: given the triple
-\( (i, [], \phi_1;\ldots \phi_i\Imp \phi) \)
-it returns another triple,
-\((\phi_i, [\phi_{i-1},\ldots, \phi_1], \phi)\),
-where $\phi$ need not be atomic. Raises an exception if $i$ is out of
-range.
-
-
-\subsection{Environments}
-The module {\tt Envir} (which is normally closed)
-declares a type of environments.
-An environment holds variable assignments
-and the next index to use when generating a variable.
-\par\indent\vbox{\small \begin{verbatim}
- datatype env = Envir of {asol: term xolist, maxidx: int}
-\end{verbatim}}
-The operations of lookup, update, and generation of variables
-are used during unification.
-
-\beginprog
-empty: int->env
-\endprog
-Creates the environment with no assignments
-and the given index.
-
-\beginprog
-lookup: env * indexname -> term option
-\endprog
-Looks up a variable, specified by its indexname,
-and returns {\tt None} or {\tt Some} as appropriate.
-
-\beginprog
-update: (indexname * term) * env -> env
-\endprog
-Given a variable, term, and environment,
-produces {\em a new environment\/} where the variable has been updated.
-This has no side effect on the given environment.
-
-\beginprog
-genvar: env * typ -> env * term
-\endprog
-Generates a variable of the given type and returns it,
-paired with a new environment (with incremented {\tt maxidx} field).
-
-\beginprog
-alist_of: env -> (indexname * term) list
-\endprog
-Converts an environment into an association list
-containing the assignments.
-
-\beginprog
-norm_term: env -> term -> term
-\endprog
-
-Copies a term,
-following assignments in the environment,
-and performing all possible \(\beta\)-reductions.
-
-\beginprog
-rewrite: (env * (term*term)list) -> term -> term
-\endprog
-Rewrites a term using the given term pairs as rewrite rules. Assignments
-are ignored; the environment is used only with {\tt genvar}, to generate
-unique {\tt Var}s as placeholders for bound variables.
-
-
-\subsection{The unification functions}
-
-
-\beginprog
-unifiers: env * ((term*term)list) -> (env * (term*term)list) Seq.seq
-\endprog
-This is the main unification function.
-Given an environment and a list of disagreement pairs,
-it returns a sequence of outcomes.
-Each outcome consists of an updated environment and
-a list of flex-flex pairs (these are discussed below).
-
-\beginprog
-smash_unifiers: env * (term*term)list -> env Seq.seq
-\endprog
-This unification function maps an environment and a list of disagreement
-pairs to a sequence of updated environments. The function obliterates
-flex-flex pairs by choosing the obvious unifier. It may be used to tidy up
-any flex-flex pairs remaining at the end of a proof.
-
-
-\subsubsection{Multiple unifiers}
-The unification procedure performs Huet's {\sc match} operation
-\cite{huet75} in big steps.
-It solves \(\Var{f}(t_1,\ldots,t_p) \equiv u\) for \(\Var{f}\) by finding
-all ways of copying \(u\), first trying projection on the arguments
-\(t_i\). It never copies below any variable in \(u\); instead it returns a
-new variable, resulting in a flex-flex disagreement pair.
-
-
-\beginprog
-type_assign: cterm -> cterm
-\endprog
-Produces a cterm by updating the signature of its argument
-to include all variable/type assignments.
-Type inference under the resulting signature will assume the
-same type assignments as in the argument.
-This is used in the goal package to give persistence to type assignments
-within each proof.
-(Contrast with {\sc lcf}'s sticky types \cite[page 148]{paulson-book}.)
-
-
--- a/doc-src/Sledgehammer/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,15 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_sledgehammer.pdf "S/H"
-"$ISABELLE_TOOL" logo -o isabelle_sledgehammer.eps "S/H"
-
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/Sledgehammer/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1360 +0,0 @@
-\documentclass[a4paper,12pt]{article}
-\usepackage[T1]{fontenc}
-\usepackage{amsmath}
-\usepackage{amssymb}
-\usepackage[english,french]{babel}
-\usepackage{color}
-\usepackage{footmisc}
-\usepackage{graphicx}
-%\usepackage{mathpazo}
-\usepackage{multicol}
-\usepackage{stmaryrd}
-%\usepackage[scaled=.85]{beramono}
-\usepackage{isabelle,iman,pdfsetup}
-
-\newcommand\download{\url{http://www21.in.tum.de/~blanchet/\#software}}
-
-\def\qty#1{\ensuremath{\left<\mathit{#1\/}\right>}}
-\def\qtybf#1{$\mathbf{\left<\textbf{\textit{#1\/}}\right>}$}
-
-\newcommand\const[1]{\textsf{#1}}
-
-%\oddsidemargin=4.6mm
-%\evensidemargin=4.6mm
-%\textwidth=150mm
-%\topmargin=4.6mm
-%\headheight=0mm
-%\headsep=0mm
-%\textheight=234mm
-
-\def\Colon{\mathord{:\mkern-1.5mu:}}
-%\def\lbrakk{\mathopen{\lbrack\mkern-3.25mu\lbrack}}
-%\def\rbrakk{\mathclose{\rbrack\mkern-3.255mu\rbrack}}
-\def\lparr{\mathopen{(\mkern-4mu\mid}}
-\def\rparr{\mathclose{\mid\mkern-4mu)}}
-
-\def\unk{{?}}
-\def\undef{(\lambda x.\; \unk)}
-%\def\unr{\textit{others}}
-\def\unr{\ldots}
-\def\Abs#1{\hbox{\rm{\flqq}}{\,#1\,}\hbox{\rm{\frqq}}}
-\def\Q{{\smash{\lower.2ex\hbox{$\scriptstyle?$}}}}
-
-\urlstyle{tt}
-
-\begin{document}
-
-%%% TYPESETTING
-%\renewcommand\labelitemi{$\bullet$}
-\renewcommand\labelitemi{\raise.065ex\hbox{\small\textbullet}}
-
-\selectlanguage{english}
-
-\title{\includegraphics[scale=0.5]{isabelle_sledgehammer} \\[4ex]
-Hammering Away \\[\smallskipamount]
-\Large A User's Guide to Sledgehammer for Isabelle/HOL}
-\author{\hbox{} \\
-Jasmin Christian Blanchette \\
-{\normalsize Institut f\"ur Informatik, Technische Universit\"at M\"unchen} \\[4\smallskipamount]
-{\normalsize with contributions from} \\[4\smallskipamount]
-Lawrence C. Paulson \\
-{\normalsize Computer Laboratory, University of Cambridge} \\
-\hbox{}}
-
-\maketitle
-
-\tableofcontents
-
-\setlength{\parskip}{.7em plus .2em minus .1em}
-\setlength{\parindent}{0pt}
-\setlength{\abovedisplayskip}{\parskip}
-\setlength{\abovedisplayshortskip}{.9\parskip}
-\setlength{\belowdisplayskip}{\parskip}
-\setlength{\belowdisplayshortskip}{.9\parskip}
-
-% General-purpose enum environment with correct spacing
-\newenvironment{enum}%
- {\begin{list}{}{%
- \setlength{\topsep}{.1\parskip}%
- \setlength{\partopsep}{.1\parskip}%
- \setlength{\itemsep}{\parskip}%
- \advance\itemsep by-\parsep}}
- {\end{list}}
-
-\def\pre{\begingroup\vskip0pt plus1ex\advance\leftskip by\leftmargin
-\advance\rightskip by\leftmargin}
-\def\post{\vskip0pt plus1ex\endgroup}
-
-\def\prew{\pre\advance\rightskip by-\leftmargin}
-\def\postw{\post}
-
-\section{Introduction}
-\label{introduction}
-
-Sledgehammer is a tool that applies automatic theorem provers (ATPs)
-and satisfiability-modulo-theories (SMT) solvers on the current goal.%
-\footnote{The distinction between ATPs and SMT solvers is convenient but mostly
-historical. The two communities are converging, with more and more ATPs
-supporting typical SMT features such as arithmetic and sorts, and a few SMT
-solvers parsing ATP syntaxes. There is also a strong technological connection
-between instantiation-based ATPs (such as iProver and iProver-Eq) and SMT
-solvers.}
-%
-The supported ATPs are E \cite{schulz-2002}, E-SInE \cite{sine}, E-ToFoF
-\cite{tofof}, iProver \cite{korovin-2009}, iProver-Eq
-\cite{korovin-sticksel-2010}, LEO-II \cite{leo2}, Satallax \cite{satallax},
-SNARK \cite{snark}, SPASS \cite{weidenbach-et-al-2009}, Vampire
-\cite{riazanov-voronkov-2002}, and Waldmeister \cite{waldmeister}. The ATPs are
-run either locally or remotely via the System\-On\-TPTP web service
-\cite{sutcliffe-2000}. In addition to the ATPs, a selection of the SMT solvers
-CVC3 \cite{cvc3}, Yices \cite{yices}, and Z3 \cite{z3} are run by default, and
-you can tell Sledgehammer to try Alt-Ergo \cite{alt-ergo} as well; these are run
-either locally or (for CVC3 and Z3) on a server at the TU M\"unchen.
-
-The problem passed to the automatic provers consists of your current goal
-together with a heuristic selection of hundreds of facts (theorems) from the
-current theory context, filtered by relevance. Because jobs are run in the
-background, you can continue to work on your proof by other means. Provers can
-be run in parallel. Any reply (which may arrive half a minute later) will appear
-in the Proof General response buffer.
-
-The result of a successful proof search is some source text that usually (but
-not always) reconstructs the proof within Isabelle. For ATPs, the reconstructed
-proof relies on the general-purpose \textit{metis} proof method, which
-integrates the Metis ATP in Isabelle/HOL with explicit inferences going through
-the kernel. Thus its results are correct by construction.
-
-In this manual, we will explicitly invoke the \textbf{sledgehammer} command.
-Sledgehammer also provides an automatic mode that can be enabled via the ``Auto
-Sledgehammer'' option in Proof General's ``Isabelle'' menu. In this mode,
-Sledgehammer is run on every newly entered theorem. The time limit for Auto
-Sledgehammer and other automatic tools can be set using the ``Auto Tools Time
-Limit'' option.
-
-\newbox\boxA
-\setbox\boxA=\hbox{\texttt{NOSPAM}}
-
-\newcommand\authoremail{\texttt{blan{\color{white}NOSPAM}\kern-\wd\boxA{}chette@\allowbreak
-in.\allowbreak tum.\allowbreak de}}
-
-To run Sledgehammer, you must make sure that the theory \textit{Sledgehammer} is
-imported---this is rarely a problem in practice since it is part of
-\textit{Main}. Examples of Sledgehammer use can be found in Isabelle's
-\texttt{src/HOL/Metis\_Examples} directory.
-Comments and bug reports concerning Sledgehammer or this manual should be
-directed to the author at \authoremail.
-
-\vskip2.5\smallskipamount
-
-%\textbf{Acknowledgment.} The author would like to thank Mark Summerfield for
-%suggesting several textual improvements.
-
-\section{Installation}
-\label{installation}
-
-Sledgehammer is part of Isabelle, so you do not need to install it. However, it
-relies on third-party automatic provers (ATPs and SMT solvers).
-
-Among the ATPs, E, LEO-II, Satallax, SPASS, and Vampire can be run locally; in
-addition, E, E-SInE, E-ToFoF, iProver, iProver-Eq, LEO-II, Satallax, SNARK,
-Vampire, and Waldmeister are available remotely via System\-On\-TPTP
-\cite{sutcliffe-2000}. If you want better performance, you should at least
-install E and SPASS locally.
-
-The SMT solvers Alt-Ergo, CVC3, Yices, and Z3 can be run locally, and CVC3 and
-Z3 can be run remotely on a TU M\"unchen server. If you want better performance
-and get the ability to replay proofs that rely on the \emph{smt} proof method
-without an Internet connection, you should at least have Z3 locally installed.
-
-There are three main ways to install automatic provers on your machine:
-
-\begin{sloppy}
-\begin{enum}
-\item[\labelitemi] If you installed an official Isabelle package, it should
-already include properly setup executables for CVC3, E, SPASS, and Z3, ready to use.%
-\footnote{Vampire's and Yices's licenses prevent us from doing the same for
-these otherwise remarkable tools.}
-For Z3, you must additionally set the variable
-\texttt{Z3\_NON\_COMMERCIAL} to ``yes'' to confirm that you are a
-noncommercial user, either in the environment in which Isabelle is
-launched or in your
-\texttt{\$ISABELLE\_HOME\_USER/etc/settings} file.
-
-\item[\labelitemi] Alternatively, you can download the Isabelle-aware CVC3, E,
-SPASS, and Z3 binary packages from \download. Extract the archives, then add a
-line to your \texttt{\$ISABELLE\_HOME\_USER\slash etc\slash components}%
-\footnote{The variable \texttt{\$ISABELLE\_HOME\_USER} is set by Isabelle at
-startup. Its value can be retrieved by executing \texttt{isabelle}
-\texttt{getenv} \texttt{ISABELLE\_HOME\_USER} on the command line.}
-file with the absolute path to CVC3, E, SPASS, or Z3. For example, if the
-\texttt{components} file does not exist yet and you extracted SPASS to
-\texttt{/usr/local/spass-3.8ds}, create it with the single line
-
-\prew
-\texttt{/usr/local/spass-3.8ds}
-\postw
-
-in it.
-
-\item[\labelitemi] If you prefer to build E, LEO-II, Satallax, or SPASS
-manually, or found a Vampire executable somewhere (e.g.,
-\url{http://www.vprover.org/}), set the environment variable \texttt{E\_HOME},
-\texttt{LEO2\_HOME}, \texttt{SATALLAX\_HOME}, \texttt{SPASS\_HOME}, or
-\texttt{VAMPIRE\_HOME} to the directory that contains the \texttt{eproof},
-\texttt{leo}, \texttt{satallax}, \texttt{SPASS}, or \texttt{vampire} executable.
-Sledgehammer has been tested with E 1.0 to 1.4, LEO-II 1.3.4, Satallax 2.2, 2.3,
-and 2.4, SPASS 3.8ds, and Vampire 0.6 to 2.6.%
-\footnote{Following the rewrite of Vampire, the counter for version numbers was
-reset to 0; hence the (new) Vampire versions 0.6, 1.0, 1.8, and 2.6 are more
-recent than 9.0 or 11.5.}%
-Since the ATPs' output formats are neither documented nor stable, other
-versions might not work well with Sledgehammer. Ideally,
-you should also set \texttt{E\_VERSION}, \texttt{LEO2\_VERSION},
-\texttt{SATALLAX\_VERSION}, \texttt{SPASS\_VERSION}, or
-\texttt{VAMPIRE\_VERSION} to the prover's version number (e.g., ``1.4'').
-
-Similarly, if you want to build Alt-Ergo or CVC3, or found a
-Yices or Z3 executable somewhere (e.g.,
-\url{http://yices.csl.sri.com/download.shtml} or
-\url{http://research.microsoft.com/en-us/um/redmond/projects/z3/download.html}),
-set the environment variable \texttt{CVC3\_\allowbreak SOLVER},
-\texttt{YICES\_SOLVER}, or \texttt{Z3\_SOLVER} to the complete path of
-the executable, \emph{including the file name};
-for Alt-Ergo, set the
-environment variable \texttt{WHY3\_HOME} to the directory that contains the
-\texttt{why3} executable.
-Sledgehammer has been tested with Alt-Ergo 0.93 and 0.94, CVC3 2.2 and 2.4.1,
-Yices 1.0.28 and 1.0.33, and Z3 3.0 to 4.0. Since the SMT solvers' output
-formats are somewhat unstable, other versions of the solvers might not work well
-with Sledgehammer. Ideally, also set \texttt{CVC3\_VERSION},
-\texttt{YICES\_VERSION}, or \texttt{Z3\_VERSION} to the solver's version number
-(e.g., ``4.0'').
-\end{enum}
-\end{sloppy}
-
-To check whether E, SPASS, Vampire, and/or Z3 are successfully installed, try
-out the example in \S\ref{first-steps}. If the remote versions of any of these
-provers is used (identified by the prefix ``\emph{remote\_\/}''), or if the
-local versions fail to solve the easy goal presented there, something must be
-wrong with the installation.
-
-Remote prover invocation requires Perl with the World Wide Web Library
-(\texttt{libwww-perl}) installed. If you must use a proxy server to access the
-Internet, set the \texttt{http\_proxy} environment variable to the proxy, either
-in the environment in which Isabelle is launched or in your
-\texttt{\$ISABELLE\_HOME\_USER/etc/settings} file. Here are a few
-examples:
-
-\prew
-\texttt{http\_proxy=http://proxy.example.org} \\
-\texttt{http\_proxy=http://proxy.example.org:8080} \\
-\texttt{http\_proxy=http://joeblow:pAsSwRd@proxy.example.org}
-\postw
-
-\section{First Steps}
-\label{first-steps}
-
-To illustrate Sledgehammer in context, let us start a theory file and
-attempt to prove a simple lemma:
-
-\prew
-\textbf{theory}~\textit{Scratch} \\
-\textbf{imports}~\textit{Main} \\
-\textbf{begin} \\[2\smallskipamount]
-%
-\textbf{lemma} ``$[a] = [b] \,\Longrightarrow\, a = b$'' \\
-\textbf{sledgehammer}
-\postw
-
-Instead of issuing the \textbf{sledgehammer} command, you can also find
-Sledgehammer in the ``Commands'' submenu of the ``Isabelle'' menu in Proof
-General or press the Emacs key sequence C-c C-a C-s.
-Either way, Sledgehammer produces the following output after a few seconds:
-
-\prew
-\slshape
-Sledgehammer: ``\textit{e\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis last\_ConsL}) (64 ms). \\[3\smallskipamount]
-%
-Sledgehammer: ``\textit{z3\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis list.inject}) (20 ms). \\[3\smallskipamount]
-%
-Sledgehammer: ``\textit{vampire\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis hd.simps}) (14 ms). \\[3\smallskipamount]
-%
-Sledgehammer: ``\textit{spass\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis list.inject}) (17 ms). \\[3\smallskipamount]
-%
-Sledgehammer: ``\textit{remote\_waldmeister\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis hd.simps}) (15 ms). \\[3\smallskipamount]
-%
-Sledgehammer: ``\textit{remote\_e\_sine\/}'' on goal \\
-$[a] = [b] \,\Longrightarrow\, a = b$ \\
-Try this: \textbf{by} (\textit{metis hd.simps}) (18 ms).
-\postw
-
-Sledgehammer ran E, E-SInE, SPASS, Vampire, Waldmeister, and Z3 in parallel.
-Depending on which provers are installed and how many processor cores are
-available, some of the provers might be missing or present with a
-\textit{remote\_} prefix. Waldmeister is run only for unit equational problems,
-where the goal's conclusion is a (universally quantified) equation.
-
-For each successful prover, Sledgehammer gives a one-liner \textit{metis} or
-\textit{smt} method call. Rough timings are shown in parentheses, indicating how
-fast the call is. You can click the proof to insert it into the theory text.
-
-In addition, you can ask Sledgehammer for an Isar text proof by passing the
-\textit{isar\_proof} option (\S\ref{output-format}):
-
-\prew
-\textbf{sledgehammer} [\textit{isar\_proof}]
-\postw
-
-When Isar proof construction is successful, it can yield proofs that are more
-readable and also faster than the \textit{metis} or \textit{smt} one-liners.
-This feature is experimental and is only available for ATPs.
-
-\section{Hints}
-\label{hints}
-
-This section presents a few hints that should help you get the most out of
-Sledgehammer. Frequently asked questions are answered in
-\S\ref{frequently-asked-questions}.
-
-%\newcommand\point[1]{\medskip\par{\sl\bfseries#1}\par\nopagebreak}
-\newcommand\point[1]{\subsection{\emph{#1}}}
-
-\point{Presimplify the goal}
-
-For best results, first simplify your problem by calling \textit{auto} or at
-least \textit{safe} followed by \textit{simp\_all}. The SMT solvers provide
-arithmetic decision procedures, but the ATPs typically do not (or if they do,
-Sledgehammer does not use it yet). Apart from Waldmeister, they are not
-especially good at heavy rewriting, but because they regard equations as
-undirected, they often prove theorems that require the reverse orientation of a
-\textit{simp} rule. Higher-order problems can be tackled, but the success rate
-is better for first-order problems. Hence, you may get better results if you
-first simplify the problem to remove higher-order features.
-
-\point{Make sure E, SPASS, Vampire, and Z3 are locally installed}
-
-Locally installed provers are faster and more reliable than those running on
-servers. See \S\ref{installation} for details on how to install them.
-
-\point{Familiarize yourself with the most important options}
-
-Sledgehammer's options are fully documented in \S\ref{command-syntax}. Many of
-the options are very specialized, but serious users of the tool should at least
-familiarize themselves with the following options:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{provers}} (\S\ref{mode-of-operation}) specifies
-the automatic provers (ATPs and SMT solvers) that should be run whenever
-Sledgehammer is invoked (e.g., ``\textit{provers}~= \textit{e spass
-remote\_vampire\/}''). For convenience, you can omit ``\textit{provers}~=''
-and simply write the prover names as a space-separated list (e.g., ``\textit{e
-spass remote\_vampire\/}'').
-
-\item[\labelitemi] \textbf{\textit{max\_facts}} (\S\ref{relevance-filter})
-specifies the maximum number of facts that should be passed to the provers. By
-default, the value is prover-dependent but varies between about 50 and 1000. If
-the provers time out, you can try lowering this value to, say, 25 or 50 and see
-if that helps.
-
-\item[\labelitemi] \textbf{\textit{isar\_proof}} (\S\ref{output-format}) specifies
-that Isar proofs should be generated, instead of one-liner \textit{metis} or
-\textit{smt} proofs. The length of the Isar proofs can be controlled by setting
-\textit{isar\_shrink\_factor} (\S\ref{output-format}).
-
-\item[\labelitemi] \textbf{\textit{timeout}} (\S\ref{timeouts}) controls the
-provers' time limit. It is set to 30 seconds, but since Sledgehammer runs
-asynchronously you should not hesitate to raise this limit to 60 or 120 seconds
-if you are the kind of user who can think clearly while ATPs are active.
-\end{enum}
-
-Options can be set globally using \textbf{sledgehammer\_params}
-(\S\ref{command-syntax}). The command also prints the list of all available
-options with their current value. Fact selection can be influenced by specifying
-``$(\textit{add}{:}~\textit{my\_facts})$'' after the \textbf{sledgehammer} call
-to ensure that certain facts are included, or simply ``$(\textit{my\_facts})$''
-to force Sledgehammer to run only with $\textit{my\_facts}$.
-
-\section{Frequently Asked Questions}
-\label{frequently-asked-questions}
-
-This sections answers frequently (and infrequently) asked questions about
-Sledgehammer. It is a good idea to skim over it now even if you do not have any
-questions at this stage. And if you have any further questions not listed here,
-send them to the author at \authoremail.
-
-\point{Which facts are passed to the automatic provers?}
-
-Sledgehammer heuristically selects a few hundred relevant lemmas from the
-currently loaded libraries. The component that performs this selection is
-called \emph{relevance filter}.
-
-\begin{enum}
-\item[\labelitemi]
-The traditional relevance filter, called \emph{MePo}
-(\underline{Me}ng--\underline{Pau}lson), assigns a score to every available fact
-(lemma, theorem, definition, or axiom) based upon how many constants that fact
-shares with the conjecture. This process iterates to include facts relevant to
-those just accepted. The constants are weighted to give unusual ones greater
-significance. MePo copes best when the conjecture contains some unusual
-constants; if all the constants are common, it is unable to discriminate among
-the hundreds of facts that are picked up. The filter is also memoryless: It has
-no information about how many times a particular fact has been used in a proof,
-and it cannot learn.
-
-\item[\labelitemi]
-An experimental, memoryful alternative to MePo is \emph{MaSh}
-(\underline{Ma}chine Learner for \underline{S}ledge\underline{h}ammer). It
-relies on an external tool called \texttt{mash} that applies machine learning to
-the problem of finding relevant facts.
-
-\item[\labelitemi] The \emph{Mesh} filter combines MePo and MaSh.
-\end{enum}
-
-The default is either MePo or Mesh, depending on whether \texttt{mash} is
-installed and what class of provers the target prover belongs to
-(\S\ref{relevance-filter}).
-
-The number of facts included in a problem varies from prover to prover, since
-some provers get overwhelmed more easily than others. You can show the number of
-facts given using the \textit{verbose} option (\S\ref{output-format}) and the
-actual facts using \textit{debug} (\S\ref{output-format}).
-
-Sledgehammer is good at finding short proofs combining a handful of existing
-lemmas. If you are looking for longer proofs, you must typically restrict the
-number of facts, by setting the \textit{max\_facts} option
-(\S\ref{relevance-filter}) to, say, 25 or 50.
-
-You can also influence which facts are actually selected in a number of ways. If
-you simply want to ensure that a fact is included, you can specify it using the
-``$(\textit{add}{:}~\textit{my\_facts})$'' syntax. For example:
-%
-\prew
-\textbf{sledgehammer} (\textit{add}: \textit{hd.simps} \textit{tl.simps})
-\postw
-%
-The specified facts then replace the least relevant facts that would otherwise be
-included; the other selected facts remain the same.
-If you want to direct the selection in a particular direction, you can specify
-the facts via \textbf{using}:
-%
-\prew
-\textbf{using} \textit{hd.simps} \textit{tl.simps} \\
-\textbf{sledgehammer}
-\postw
-%
-The facts are then more likely to be selected than otherwise, and if they are
-selected at iteration $j$ they also influence which facts are selected at
-iterations $j + 1$, $j + 2$, etc. To give them even more weight, try
-%
-\prew
-\textbf{using} \textit{hd.simps} \textit{tl.simps} \\
-\textbf{apply}~\textbf{--} \\
-\textbf{sledgehammer}
-\postw
-
-\point{Why does Metis fail to reconstruct the proof?}
-
-There are many reasons. If Metis runs seemingly forever, that is a sign that the
-proof is too difficult for it. Metis's search is complete, so it should
-eventually find it, but that's little consolation. There are several possible
-solutions:
-
-\begin{enum}
-\item[\labelitemi] Try the \textit{isar\_proof} option (\S\ref{output-format}) to
-obtain a step-by-step Isar proof where each step is justified by \textit{metis}.
-Since the steps are fairly small, \textit{metis} is more likely to be able to
-replay them.
-
-\item[\labelitemi] Try the \textit{smt} proof method instead of \textit{metis}.
-It is usually stronger, but you need to either have Z3 available to replay the
-proofs, trust the SMT solver, or use certificates. See the documentation in the
-\emph{SMT} theory (\texttt{\$ISABELLE\_HOME/src/HOL/SMT.thy}) for details.
-
-\item[\labelitemi] Try the \textit{blast} or \textit{auto} proof methods, passing
-the necessary facts via \textbf{unfolding}, \textbf{using}, \textit{intro}{:},
-\textit{elim}{:}, \textit{dest}{:}, or \textit{simp}{:}, as appropriate.
-\end{enum}
-
-In some rare cases, \textit{metis} fails fairly quickly, and you get the error
-message
-
-\prew
-\slshape
-One-line proof reconstruction failed.
-\postw
-
-This message indicates that Sledgehammer determined that the goal is provable,
-but the proof is, for technical reasons, beyond \textit{metis}'s power. You can
-then try again with the \textit{strict} option (\S\ref{problem-encoding}).
-
-If the goal is actually unprovable and you did not specify an unsound encoding
-using \textit{type\_enc} (\S\ref{problem-encoding}), this is a bug, and you are
-strongly encouraged to report this to the author at \authoremail.
-
-\point{Why are the generated Isar proofs so ugly/broken?}
-
-The current implementation of the Isar proof feature,
-enabled by the \textit{isar\_proof} option (\S\ref{output-format}),
-is highly experimental. Work on a new implementation has begun. There is a large body of
-research into transforming resolution proofs into natural deduction proofs (such
-as Isar proofs), which we hope to leverage. In the meantime, a workaround is to
-set the \textit{isar\_shrink\_factor} option (\S\ref{output-format}) to a larger
-value or to try several provers and keep the nicest-looking proof.
-
-\point{How can I tell whether a suggested proof is sound?}
-
-Earlier versions of Sledgehammer often suggested unsound proofs---either proofs
-of nontheorems or simply proofs that rely on type-unsound inferences. This
-is a thing of the past, unless you explicitly specify an unsound encoding
-using \textit{type\_enc} (\S\ref{problem-encoding}).
-%
-Officially, the only form of ``unsoundness'' that lurks in the sound
-encodings is related to missing characteristic theorems of datatypes. For
-example,
-
-\prew
-\textbf{lemma}~``$\exists \mathit{xs}.\; \mathit{xs} \neq []$'' \\
-\textbf{sledgehammer} ()
-\postw
-
-suggests an argumentless \textit{metis} call that fails. However, the conjecture
-does actually hold, and the \textit{metis} call can be repaired by adding
-\textit{list.distinct}.
-%
-We hope to address this problem in a future version of Isabelle. In the
-meantime, you can avoid it by passing the \textit{strict} option
-(\S\ref{problem-encoding}).
-
-\point{What are the \textit{full\_types}, \textit{no\_types}, and
-\textit{mono\_tags} arguments to Metis?}
-
-The \textit{metis}~(\textit{full\_types}) proof method
-and its cousin \textit{metis}~(\textit{mono\_tags}) are fully-typed
-version of Metis. It is somewhat slower than \textit{metis}, but the proof
-search is fully typed, and it also includes more powerful rules such as the
-axiom ``$x = \const{True} \mathrel{\lor} x = \const{False}$'' for reasoning in
-higher-order places (e.g., in set comprehensions). The method kicks in
-automatically as a fallback when \textit{metis} fails, and it is sometimes
-generated by Sledgehammer instead of \textit{metis} if the proof obviously
-requires type information or if \textit{metis} failed when Sledgehammer
-preplayed the proof. (By default, Sledgehammer tries to run \textit{metis} with
-various options for up to 3 seconds each time to ensure that the generated
-one-line proofs actually work and to display timing information. This can be
-configured using the \textit{preplay\_timeout} and \textit{dont\_preplay}
-options (\S\ref{timeouts}).)
-%
-At the other end of the soundness spectrum, \textit{metis} (\textit{no\_types})
-uses no type information at all during the proof search, which is more efficient
-but often fails. Calls to \textit{metis} (\textit{no\_types}) are occasionally
-generated by Sledgehammer.
-%
-See the \textit{type\_enc} option (\S\ref{problem-encoding}) for details.
-
-Incidentally, if you ever see warnings such as
-
-\prew
-\slshape
-Metis: Falling back on ``\textit{metis} (\textit{full\_types})''.
-\postw
-
-for a successful \textit{metis} proof, you can advantageously pass the
-\textit{full\_types} option to \textit{metis} directly.
-
-\point{And what are the \textit{lifting} and \textit{hide\_lams} arguments
-to Metis?}
-
-Orthogonally to the encoding of types, it is important to choose an appropriate
-translation of $\lambda$-abstractions. Metis supports three translation schemes,
-in decreasing order of power: Curry combinators (the default),
-$\lambda$-lifting, and a ``hiding'' scheme that disables all reasoning under
-$\lambda$-abstractions. The more powerful schemes also give the automatic
-provers more rope to hang themselves. See the \textit{lam\_trans} option (\S\ref{problem-encoding}) for details.
-
-\point{Are generated proofs minimal?}
-
-Automatic provers frequently use many more facts than are necessary.
-Sledgehammer inclues a minimization tool that takes a set of facts returned by a
-given prover and repeatedly calls the same prover, \textit{metis}, or
-\textit{smt} with subsets of those axioms in order to find a minimal set.
-Reducing the number of axioms typically improves Metis's speed and success rate,
-while also removing superfluous clutter from the proof scripts.
-
-In earlier versions of Sledgehammer, generated proofs were systematically
-accompanied by a suggestion to invoke the minimization tool. This step is now
-performed implicitly if it can be done in a reasonable amount of time (something
-that can be guessed from the number of facts in the original proof and the time
-it took to find or preplay it).
-
-In addition, some provers (e.g., Yices) do not provide proofs or sometimes
-produce incomplete proofs. The minimizer is then invoked to find out which facts
-are actually needed from the (large) set of facts that was initially given to
-the prover. Finally, if a prover returns a proof with lots of facts, the
-minimizer is invoked automatically since Metis would be unlikely to re-find the
-proof.
-%
-Automatic minimization can be forced or disabled using the \textit{minimize}
-option (\S\ref{mode-of-operation}).
-
-\point{A strange error occurred---what should I do?}
-
-Sledgehammer tries to give informative error messages. Please report any strange
-error to the author at \authoremail. This applies double if you get the message
-
-\prew
-\slshape
-The prover found a type-unsound proof involving ``\textit{foo\/}'',
-``\textit{bar\/}'', and ``\textit{baz\/}'' even though a supposedly type-sound
-encoding was used (or, less likely, your axioms are inconsistent). You might
-want to report this to the Isabelle developers.
-\postw
-
-\point{Auto can solve it---why not Sledgehammer?}
-
-Problems can be easy for \textit{auto} and difficult for automatic provers, but
-the reverse is also true, so do not be discouraged if your first attempts fail.
-Because the system refers to all theorems known to Isabelle, it is particularly
-suitable when your goal has a short proof from lemmas that you do not know
-about.
-
-\point{Why are there so many options?}
-
-Sledgehammer's philosophy should work out of the box, without user guidance.
-Many of the options are meant to be used mostly by the Sledgehammer developers
-for experimentation purposes. Of course, feel free to experiment with them if
-you are so inclined.
-
-\section{Command Syntax}
-\label{command-syntax}
-
-\subsection{Sledgehammer}
-
-Sledgehammer can be invoked at any point when there is an open goal by entering
-the \textbf{sledgehammer} command in the theory file. Its general syntax is as
-follows:
-
-\prew
-\textbf{sledgehammer} \qty{subcommand}$^?$ \qty{options}$^?$ \qty{facts\_override}$^?$ \qty{num}$^?$
-\postw
-
-For convenience, Sledgehammer is also available in the ``Commands'' submenu of
-the ``Isabelle'' menu in Proof General or by pressing the Emacs key sequence C-c
-C-a C-s. This is equivalent to entering the \textbf{sledgehammer} command with
-no arguments in the theory text.
-
-In the general syntax, the \qty{subcommand} may be any of the following:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{run} (the default):} Runs Sledgehammer on
-subgoal number \qty{num} (1 by default), with the given options and facts.
-
-\item[\labelitemi] \textbf{\textit{min}:} Attempts to minimize the facts
-specified in the \qty{facts\_override} argument to obtain a simpler proof
-involving fewer facts. The options and goal number are as for \textit{run}.
-
-\item[\labelitemi] \textbf{\textit{messages}:} Redisplays recent messages issued
-by Sledgehammer. This allows you to examine results that might have been lost
-due to Sledgehammer's asynchronous nature. The \qty{num} argument specifies a
-limit on the number of messages to display (10 by default).
-
-\item[\labelitemi] \textbf{\textit{supported\_provers}:} Prints the list of
-automatic provers supported by Sledgehammer. See \S\ref{installation} and
-\S\ref{mode-of-operation} for more information on how to install automatic
-provers.
-
-\item[\labelitemi] \textbf{\textit{running\_provers}:} Prints information about
-currently running automatic provers, including elapsed runtime and remaining
-time until timeout.
-
-\item[\labelitemi] \textbf{\textit{kill\_provers}:} Terminates all running
-automatic provers.
-
-\item[\labelitemi] \textbf{\textit{refresh\_tptp}:} Refreshes the list of remote
-ATPs available at System\-On\-TPTP \cite{sutcliffe-2000}.
-\end{enum}
-
-In addition, the following subcommands provide fine control over machine
-learning with MaSh:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{unlearn}:} Resets MaSh, erasing any
-persistent state.
-
-\item[\labelitemi] \textbf{\textit{learn\_isar}:} Invokes MaSh on the current
-theory to process all the available facts, learning from their Isabelle/Isar
-proofs. This happens automatically at Sledgehammer invocations if the
-\textit{learn} option (\S\ref{relevance-filter}) is enabled.
-
-\item[\labelitemi] \textbf{\textit{learn\_atp}:} Invokes MaSh on the current
-theory to process all the available facts, learning from ATP-generated proofs.
-The ATP to use and its timeout can be set using the
-\textit{prover} (\S\ref{mode-of-operation}) and \textit{timeout}
-(\S\ref{timeouts}) options. It is recommended to perform learning using an
-efficient first-order ATP (such as E, SPASS, and Vampire) as opposed to a
-higher-order ATP or an SMT solver.
-
-\item[\labelitemi] \textbf{\textit{relearn\_isar}:} Same as \textit{unlearn}
-followed by \textit{learn\_isar}.
-
-\item[\labelitemi] \textbf{\textit{relearn\_atp}:} Same as \textit{unlearn}
-followed by \textit{learn\_atp}.
-
-\item[\labelitemi] \textbf{\textit{running\_learners}:} Prints information about
-currently running machine learners, including elapsed runtime and remaining
-time until timeout.
-
-\item[\labelitemi] \textbf{\textit{kill\_learners}:} Terminates all running
-machine learners.
-\end{enum}
-
-Sledgehammer's behavior can be influenced by various \qty{options}, which can be
-specified in brackets after the \textbf{sledgehammer} command. The
-\qty{options} are a list of key--value pairs of the form ``[$k_1 = v_1,
-\ldots, k_n = v_n$]''. For Boolean options, ``= \textit{true\/}'' is optional. For
-example:
-
-\prew
-\textbf{sledgehammer} [\textit{isar\_proof}, \,\textit{timeout} = 120]
-\postw
-
-Default values can be set using \textbf{sledgehammer\_\allowbreak params}:
-
-\prew
-\textbf{sledgehammer\_params} \qty{options}
-\postw
-
-The supported options are described in \S\ref{option-reference}.
-
-The \qty{facts\_override} argument lets you alter the set of facts that go
-through the relevance filter. It may be of the form ``(\qty{facts})'', where
-\qty{facts} is a space-separated list of Isabelle facts (theorems, local
-assumptions, etc.), in which case the relevance filter is bypassed and the given
-facts are used. It may also be of the form ``(\textit{add}:\ \qty{facts\/_{\mathrm{1}}})'',
-``(\textit{del}:\ \qty{facts\/_{\mathrm{2}}})'', or ``(\textit{add}:\ \qty{facts\/_{\mathrm{1}}}\
-\textit{del}:\ \qty{facts\/_{\mathrm{2}}})'', where the relevance filter is instructed to
-proceed as usual except that it should consider \qty{facts\/_{\mathrm{1}}}
-highly-relevant and \qty{facts\/_{\mathrm{2}}} fully irrelevant.
-
-You can instruct Sledgehammer to run automatically on newly entered theorems by
-enabling the ``Auto Sledgehammer'' option in Proof General's ``Isabelle'' menu.
-For automatic runs, only the first prover set using \textit{provers}
-(\S\ref{mode-of-operation}) is considered, fewer facts are passed to the prover,
-\textit{slice} (\S\ref{mode-of-operation}) is disabled, \textit{strict}
-(\S\ref{problem-encoding}) is enabled, \textit{verbose} (\S\ref{output-format})
-and \textit{debug} (\S\ref{output-format}) are disabled, and \textit{timeout}
-(\S\ref{timeouts}) is superseded by the ``Auto Tools Time Limit'' in Proof
-General's ``Isabelle'' menu. Sledgehammer's output is also more concise.
-
-\subsection{Metis}
-
-The \textit{metis} proof method has the syntax
-
-\prew
-\textbf{\textit{metis}}~(\qty{options})${}^?$~\qty{facts}${}^?$
-\postw
-
-where \qty{facts} is a list of arbitrary facts and \qty{options} is a
-comma-separated list consisting of at most one $\lambda$ translation scheme
-specification with the same semantics as Sledgehammer's \textit{lam\_trans}
-option (\S\ref{problem-encoding}) and at most one type encoding specification
-with the same semantics as Sledgehammer's \textit{type\_enc} option
-(\S\ref{problem-encoding}).
-%
-The supported $\lambda$ translation schemes are \textit{hide\_lams},
-\textit{lifting}, and \textit{combs} (the default).
-%
-All the untyped type encodings listed in \S\ref{problem-encoding} are supported.
-For convenience, the following aliases are provided:
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{full\_types}:} Alias for \textit{poly\_guards\_query}.
-\item[\labelitemi] \textbf{\textit{partial\_types}:} Alias for \textit{poly\_args}.
-\item[\labelitemi] \textbf{\textit{no\_types}:} Alias for \textit{erased}.
-\end{enum}
-
-\section{Option Reference}
-\label{option-reference}
-
-\def\defl{\{}
-\def\defr{\}}
-
-\def\flushitem#1{\item[]\noindent\kern-\leftmargin \textbf{#1}}
-\def\optrueonly#1{\flushitem{\textit{#1} $\bigl[$= \textit{true}$\bigr]$\enskip}\nopagebreak\\[\parskip]}
-\def\optrue#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{true}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opfalse#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{false}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opsmart#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opsmartx#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\\\hbox{}\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
-\def\opnodefault#1#2{\flushitem{\textit{#1} = \qtybf{#2}} \nopagebreak\\[\parskip]}
-\def\opnodefaultbrk#1#2{\flushitem{$\bigl[$\textit{#1} =$\bigr]$ \qtybf{#2}} \nopagebreak\\[\parskip]}
-\def\opdefault#1#2#3{\flushitem{\textit{#1} = \qtybf{#2}\enskip \defl\textit{#3}\defr} \nopagebreak\\[\parskip]}
-\def\oparg#1#2#3{\flushitem{\textit{#1} \qtybf{#2} = \qtybf{#3}} \nopagebreak\\[\parskip]}
-\def\opargbool#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
-\def\opargboolorsmart#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
-
-Sledgehammer's options are categorized as follows:\ mode of operation
-(\S\ref{mode-of-operation}), problem encoding (\S\ref{problem-encoding}),
-relevance filter (\S\ref{relevance-filter}), output format
-(\S\ref{output-format}), authentication (\S\ref{authentication}), and timeouts
-(\S\ref{timeouts}).
-
-The descriptions below refer to the following syntactic quantities:
-
-\begin{enum}
-\item[\labelitemi] \qtybf{string}: A string.
-\item[\labelitemi] \qtybf{bool\/}: \textit{true} or \textit{false}.
-\item[\labelitemi] \qtybf{smart\_bool\/}: \textit{true}, \textit{false}, or
-\textit{smart}.
-\item[\labelitemi] \qtybf{int\/}: An integer.
-%\item[\labelitemi] \qtybf{float\/}: A floating-point number (e.g., 2.5).
-\item[\labelitemi] \qtybf{float\_pair\/}: A pair of floating-point numbers
-(e.g., 0.6 0.95).
-\item[\labelitemi] \qtybf{smart\_int\/}: An integer or \textit{smart}.
-\item[\labelitemi] \qtybf{float\_or\_none\/}: A floating-point number (e.g., 60 or
-0.5) expressing a number of seconds, or the keyword \textit{none} ($\infty$
-seconds).
-\end{enum}
-
-Default values are indicated in curly brackets (\textrm{\{\}}). Boolean options
-have a negative counterpart (e.g., \textit{blocking} vs.\
-\textit{non\_blocking}). When setting Boolean options or their negative
-counterparts, ``= \textit{true\/}'' may be omitted.
-
-\subsection{Mode of Operation}
-\label{mode-of-operation}
-
-\begin{enum}
-\opnodefaultbrk{provers}{string}
-Specifies the automatic provers to use as a space-separated list (e.g.,
-``\textit{e}~\textit{spass}~\textit{remote\_vampire\/}'').
-Provers can be run locally or remotely; see \S\ref{installation} for
-installation instructions.
-
-The following local provers are supported:
-
-\begin{sloppy}
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{alt\_ergo}:} Alt-Ergo is a polymorphic
-SMT solver developed by Bobot et al.\ \cite{alt-ergo}.
-It supports the TPTP polymorphic typed first-order format (TFF1) via Why3
-\cite{why3}. It is included for experimental purposes. To use Alt-Ergo, set the
-environment variable \texttt{WHY3\_HOME} to the directory that contains the
-\texttt{why3} executable. Sledgehammer has been tested with Alt-Ergo 0.93 and an
-unidentified development version of Why3.
-
-\item[\labelitemi] \textbf{\textit{cvc3}:} CVC3 is an SMT solver developed by
-Clark Barrett, Cesare Tinelli, and their colleagues \cite{cvc3}. To use CVC3,
-set the environment variable \texttt{CVC3\_SOLVER} to the complete path of the
-executable, including the file name, or install the prebuilt CVC3 package from
-\download. Sledgehammer has been tested with version 2.2 and 2.4.1.
-
-\item[\labelitemi] \textbf{\textit{e}:} E is a first-order resolution prover
-developed by Stephan Schulz \cite{schulz-2002}. To use E, set the environment
-variable \texttt{E\_HOME} to the directory that contains the \texttt{eproof}
-executable and \texttt{E\_VERSION} to the version number (e.g., ``1.4''), or
-install the prebuilt E package from \download. Sledgehammer has been tested with
-versions 1.0 to 1.6.
-
-\item[\labelitemi] \textbf{\textit{e\_males}:} E-MaLeS is a metaprover developed
-by Daniel K\"uhlwein that implements strategy scheduling on top of E. To use
-E-MaLeS, set the environment variable \texttt{E\_MALES\_HOME} to the directory
-that contains the \texttt{emales.py} script. Sledgehammer has been tested with
-version 1.1.
-
-\item[\labelitemi] \textbf{\textit{iprover}:} iProver is a pure
-instantiation-based prover developed by Konstantin Korovin \cite{korovin-2009}.
-To use iProver, set the environment variable \texttt{IPROVER\_HOME} to the
-directory that contains the \texttt{iprover} and \texttt{vclausify\_rel}
-executables. Sledgehammer has been tested with version 0.99.
-
-\item[\labelitemi] \textbf{\textit{iprover\_eq}:} iProver-Eq is an
-instantiation-based prover with native support for equality developed by
-Konstantin Korovin and Christoph Sticksel \cite{korovin-sticksel-2010}. To use
-iProver-Eq, set the environment variable \texttt{IPROVER\_EQ\_HOME} to the
-directory that contains the \texttt{iprover-eq} and \texttt{vclausify\_rel}
-executables. Sledgehammer has been tested with version 0.8.
-
-\item[\labelitemi] \textbf{\textit{leo2}:} LEO-II is an automatic
-higher-order prover developed by Christoph Benzm\"uller et al.\ \cite{leo2},
-with support for the TPTP typed higher-order syntax (THF0). To use LEO-II, set
-the environment variable \texttt{LEO2\_HOME} to the directory that contains the
-\texttt{leo} executable. Sledgehammer requires version 1.2.9 or above.
-
-\item[\labelitemi] \textbf{\textit{metis}:} Although it is less powerful than
-the external provers, Metis itself can be used for proof search.
-
-\item[\labelitemi] \textbf{\textit{satallax}:} Satallax is an automatic
-higher-order prover developed by Chad Brown et al.\ \cite{satallax}, with
-support for the TPTP typed higher-order syntax (THF0). To use Satallax, set the
-environment variable \texttt{SATALLAX\_HOME} to the directory that contains the
-\texttt{satallax} executable. Sledgehammer requires version 2.2 or above.
-
-\item[\labelitemi] \textbf{\textit{smt}:} The \textit{smt} proof method with the
-current settings (usually:\ Z3 with proof reconstruction) can be used for proof
-search.
-
-\item[\labelitemi] \textbf{\textit{spass}:} SPASS is a first-order resolution
-prover developed by Christoph Weidenbach et al.\ \cite{weidenbach-et-al-2009}.
-To use SPASS, set the environment variable \texttt{SPASS\_HOME} to the directory
-that contains the \texttt{SPASS} executable and \texttt{SPASS\_VERSION} to the
-version number (e.g., ``3.8ds''), or install the prebuilt SPASS package from
-\download. Sledgehammer requires version 3.8ds or above.
-
-\item[\labelitemi] \textbf{\textit{vampire}:} Vampire is a first-order
-resolution prover developed by Andrei Voronkov and his colleagues
-\cite{riazanov-voronkov-2002}. To use Vampire, set the environment variable
-\texttt{VAMPIRE\_HOME} to the directory that contains the \texttt{vampire}
-executable and \texttt{VAMPIRE\_VERSION} to the version number (e.g.,
-``1.8rev1435'', ``2.6''). Sledgehammer has been tested with versions 0.6, 1.0,
-and 1.8. Versions strictly above 1.8 (e.g., ``1.8rev1435'') support the TPTP
-typed first-order format (TFF0).
-
-\item[\labelitemi] \textbf{\textit{yices}:} Yices is an SMT solver developed at
-SRI \cite{yices}. To use Yices, set the environment variable
-\texttt{YICES\_SOLVER} to the complete path of the executable, including the
-file name. Sledgehammer has been tested with version 1.0.28.
-
-\item[\labelitemi] \textbf{\textit{z3}:} Z3 is an SMT solver developed at
-Microsoft Research \cite{z3}. To use Z3, set the environment variable
-\texttt{Z3\_SOLVER} to the complete path of the executable, including the file
-name, and set \texttt{Z3\_NON\_COMMERCIAL} to ``yes'' to confirm that you are a
-noncommercial user. Sledgehammer has been tested with versions 3.0, 3.1, 3.2,
-and 4.0.
-\end{enum}
-\end{sloppy}
-
-The following remote provers are supported:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{remote\_cvc3}:} The remote version of CVC3 runs
-on servers at the TU M\"unchen (or wherever \texttt{REMOTE\_SMT\_URL} is set to
-point).
-
-\item[\labelitemi] \textbf{\textit{remote\_e}:} The remote version of E runs
-on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
-
-\item[\labelitemi] \textbf{\textit{remote\_e\_sine}:} E-SInE is a metaprover
-developed by Kry\v stof Hoder \cite{sine} based on E. It runs on Geoff
-Sutcliffe's Miami servers.
-
-\item[\labelitemi] \textbf{\textit{remote\_e\_tofof}:} E-ToFoF is a metaprover
-developed by Geoff Sutcliffe \cite{tofof} based on E running on his Miami
-servers. This ATP supports the TPTP typed first-order format (TFF0). The
-remote version of E-ToFoF runs on Geoff Sutcliffe's Miami servers.
-
-\item[\labelitemi] \textbf{\textit{remote\_iprover}:} The
-remote version of iProver runs on Geoff Sutcliffe's Miami servers
-\cite{sutcliffe-2000}.
-
-\item[\labelitemi] \textbf{\textit{remote\_iprover\_eq}:} The
-remote version of iProver-Eq runs on Geoff Sutcliffe's Miami servers
-\cite{sutcliffe-2000}.
-
-\item[\labelitemi] \textbf{\textit{remote\_leo2}:} The remote version of LEO-II
-runs on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
-
-\item[\labelitemi] \textbf{\textit{remote\_satallax}:} The remote version of
-Satallax runs on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
-
-\item[\labelitemi] \textbf{\textit{remote\_snark}:} SNARK is a first-order
-resolution prover developed by Stickel et al.\ \cite{snark}. It supports the
-TPTP typed first-order format (TFF0). The remote version of SNARK runs on
-Geoff Sutcliffe's Miami servers.
-
-\item[\labelitemi] \textbf{\textit{remote\_vampire}:} The remote version of
-Vampire runs on Geoff Sutcliffe's Miami servers.
-
-\item[\labelitemi] \textbf{\textit{remote\_waldmeister}:} Waldmeister is a unit
-equality prover developed by Hillenbrand et al.\ \cite{waldmeister}. It can be
-used to prove universally quantified equations using unconditional equations,
-corresponding to the TPTP CNF UEQ division. The remote version of Waldmeister
-runs on Geoff Sutcliffe's Miami servers.
-
-\item[\labelitemi] \textbf{\textit{remote\_z3}:} The remote version of Z3 runs on
-servers at the TU M\"unchen (or wherever \texttt{REMOTE\_SMT\_URL} is set to
-point).
-\end{enum}
-
-By default, Sledgehammer runs a selection of CVC3, E, E-SInE, SPASS, Vampire,
-Yices, Z3, and (if appropriate) Waldmeister in parallel---either locally or
-remotely, depending on the number of processor cores available. For historical
-reasons, the default value of this option can be overridden using the option
-``Sledgehammer: Provers'' in Proof General's ``Isabelle'' menu.
-
-It is generally a good idea to run several provers in parallel. Running E,
-SPASS, and Vampire for 5~seconds yields a similar success rate to running the
-most effective of these for 120~seconds \cite{boehme-nipkow-2010}.
-
-For the \textit{min} subcommand, the default prover is \textit{metis}. If
-several provers are set, the first one is used.
-
-\opnodefault{prover}{string}
-Alias for \textit{provers}.
-
-\opfalse{blocking}{non\_blocking}
-Specifies whether the \textbf{sledgehammer} command should operate
-synchronously. The asynchronous (non-blocking) mode lets the user start proving
-the putative theorem manually while Sledgehammer looks for a proof, but it can
-also be more confusing. Irrespective of the value of this option, Sledgehammer
-is always run synchronously for the new jEdit-based user interface or if
-\textit{debug} (\S\ref{output-format}) is enabled.
-
-\optrue{slice}{dont\_slice}
-Specifies whether the time allocated to a prover should be sliced into several
-segments, each of which has its own set of possibly prover-dependent options.
-For SPASS and Vampire, the first slice tries the fast but incomplete
-set-of-support (SOS) strategy, whereas the second slice runs without it. For E,
-up to three slices are tried, with different weighted search strategies and
-number of facts. For SMT solvers, several slices are tried with the same options
-each time but fewer and fewer facts. According to benchmarks with a timeout of
-30 seconds, slicing is a valuable optimization, and you should probably leave it
-enabled unless you are conducting experiments. This option is implicitly
-disabled for (short) automatic runs.
-
-\nopagebreak
-{\small See also \textit{verbose} (\S\ref{output-format}).}
-
-\opsmart{minimize}{dont\_minimize}
-Specifies whether the minimization tool should be invoked automatically after
-proof search. By default, automatic minimization takes place only if
-it can be done in a reasonable amount of time (as determined by
-the number of facts in the original proof and the time it took to find or
-preplay it) or the proof involves an unreasonably large number of facts.
-
-\nopagebreak
-{\small See also \textit{preplay\_timeout} (\S\ref{timeouts})
-and \textit{dont\_preplay} (\S\ref{timeouts}).}
-
-\opfalse{overlord}{no\_overlord}
-Specifies whether Sledgehammer should put its temporary files in
-\texttt{\$ISA\-BELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for
-debugging Sledgehammer but also unsafe if several instances of the tool are run
-simultaneously. The files are identified by the prefixes \texttt{prob\_} and
-\texttt{mash\_}; you may safely remove them after Sledgehammer has run.
-
-\nopagebreak
-{\small See also \textit{debug} (\S\ref{output-format}).}
-\end{enum}
-
-\subsection{Relevance Filter}
-\label{relevance-filter}
-
-\begin{enum}
-\opdefault{fact\_filter}{string}{smart}
-Specifies the relevance filter to use. The following filters are available:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{mepo}:}
-The traditional memoryless MePo relevance filter.
-
-\item[\labelitemi] \textbf{\textit{mash}:}
-The memoryful MaSh machine learner. MaSh relies on the external program
-\texttt{mash}, which can be obtained from the author at \authoremail. To install
-it, set the environment variable \texttt{MASH\_HOME} to the directory that
-contains the \texttt{mash} executable.
-Persistent data is stored in the \texttt{\$ISABELLE\_HOME\_USER/mash} directory.
-
-\item[\labelitemi] \textbf{\textit{mesh}:} A combination of MePo and MaSh.
-
-\item[\labelitemi] \textbf{\textit{smart}:} Use Mesh if \texttt{mash} is
-installed and the target prover is an ATP; otherwise, use MePo.
-\end{enum}
-
-\opdefault{max\_facts}{smart\_int}{smart}
-Specifies the maximum number of facts that may be returned by the relevance
-filter. If the option is set to \textit{smart}, it is set to a value that was
-empirically found to be appropriate for the prover. Typical values range between
-50 and 1000.
-
-\opdefault{fact\_thresholds}{float\_pair}{\upshape 0.45~0.85}
-Specifies the thresholds above which facts are considered relevant by the
-relevance filter. The first threshold is used for the first iteration of the
-relevance filter and the second threshold is used for the last iteration (if it
-is reached). The effective threshold is quadratically interpolated for the other
-iterations. Each threshold ranges from 0 to 1, where 0 means that all theorems
-are relevant and 1 only theorems that refer to previously seen constants.
-
-\optrue{learn}{dont\_learn}
-Specifies whether MaSh should be run automatically by Sledgehammer to learn the
-available theories (and hence provide more accurate results). Learning only
-takes place if \texttt{mash} is installed.
-
-\opdefault{max\_new\_mono\_instances}{int}{smart}
-Specifies the maximum number of monomorphic instances to generate beyond
-\textit{max\_facts}. The higher this limit is, the more monomorphic instances
-are potentially generated. Whether monomorphization takes place depends on the
-type encoding used. If the option is set to \textit{smart}, it is set to a value
-that was empirically found to be appropriate for the prover. For most provers,
-this value is 200.
-
-\nopagebreak
-{\small See also \textit{type\_enc} (\S\ref{problem-encoding}).}
-
-\opdefault{max\_mono\_iters}{int}{smart}
-Specifies the maximum number of iterations for the monomorphization fixpoint
-construction. The higher this limit is, the more monomorphic instances are
-potentially generated. Whether monomorphization takes place depends on the
-type encoding used. If the option is set to \textit{smart}, it is set to a value
-that was empirically found to be appropriate for the prover. For most provers,
-this value is 3.
-
-\nopagebreak
-{\small See also \textit{type\_enc} (\S\ref{problem-encoding}).}
-\end{enum}
-
-\subsection{Problem Encoding}
-\label{problem-encoding}
-
-\newcommand\comb[1]{\const{#1}}
-
-\begin{enum}
-\opdefault{lam\_trans}{string}{smart}
-Specifies the $\lambda$ translation scheme to use in ATP problems. The supported
-translation schemes are listed below:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{hide\_lams}:} Hide the $\lambda$-abstractions
-by replacing them by unspecified fresh constants, effectively disabling all
-reasoning under $\lambda$-abstractions.
-
-\item[\labelitemi] \textbf{\textit{lifting}:} Introduce a new
-supercombinator \const{c} for each cluster of $n$~$\lambda$-abstractions,
-defined using an equation $\const{c}~x_1~\ldots~x_n = t$ ($\lambda$-lifting).
-
-\item[\labelitemi] \textbf{\textit{combs}:} Rewrite lambdas to the Curry
-combinators (\comb{I}, \comb{K}, \comb{S}, \comb{B}, \comb{C}). Combinators
-enable the ATPs to synthesize $\lambda$-terms but tend to yield bulkier formulas
-than $\lambda$-lifting: The translation is quadratic in the worst case, and the
-equational definitions of the combinators are very prolific in the context of
-resolution.
-
-\item[\labelitemi] \textbf{\textit{combs\_and\_lifting}:} Introduce a new
-supercombinator \const{c} for each cluster of $\lambda$-abstractions and characterize it both using a
-lifted equation $\const{c}~x_1~\ldots~x_n = t$ and via Curry combinators.
-
-\item[\labelitemi] \textbf{\textit{combs\_or\_lifting}:} For each cluster of
-$\lambda$-abstractions, heuristically choose between $\lambda$-lifting and Curry
-combinators.
-
-\item[\labelitemi] \textbf{\textit{keep\_lams}:}
-Keep the $\lambda$-abstractions in the generated problems. This is available
-only with provers that support the THF0 syntax.
-
-\item[\labelitemi] \textbf{\textit{smart}:} The actual translation scheme used
-depends on the ATP and should be the most efficient scheme for that ATP.
-\end{enum}
-
-For SMT solvers, the $\lambda$ translation scheme is always \textit{lifting},
-irrespective of the value of this option.
-
-\opsmartx{uncurried\_aliases}{no\_uncurried\_aliases}
-Specifies whether fresh function symbols should be generated as aliases for
-applications of curried functions in ATP problems.
-
-\opdefault{type\_enc}{string}{smart}
-Specifies the type encoding to use in ATP problems. Some of the type encodings
-are unsound, meaning that they can give rise to spurious proofs
-(unreconstructible using \textit{metis}). The type encodings are
-listed below, with an indication of their soundness in parentheses.
-An asterisk (*) indicates that the encoding is slightly incomplete for
-reconstruction with \textit{metis}, unless the \emph{strict} option (described
-below) is enabled.
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{erased} (unsound):} No type information is
-supplied to the ATP, not even to resolve overloading. Types are simply erased.
-
-\item[\labelitemi] \textbf{\textit{poly\_guards} (sound):} Types are encoded using
-a predicate \const{g}$(\tau, t)$ that guards bound
-variables. Constants are annotated with their types, supplied as extra
-arguments, to resolve overloading.
-
-\item[\labelitemi] \textbf{\textit{poly\_tags} (sound):} Each term and subterm is
-tagged with its type using a function $\const{t\/}(\tau, t)$.
-
-\item[\labelitemi] \textbf{\textit{poly\_args} (unsound):}
-Like for \textit{poly\_guards} constants are annotated with their types to
-resolve overloading, but otherwise no type information is encoded. This
-is the default encoding used by the \textit{metis} command.
-
-\item[\labelitemi]
-\textbf{%
-\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags} (sound); \\
-\textit{raw\_mono\_args} (unsound):} \\
-Similar to \textit{poly\_guards}, \textit{poly\_tags}, and \textit{poly\_args},
-respectively, but the problem is additionally monomorphized, meaning that type
-variables are instantiated with heuristically chosen ground types.
-Monomorphization can simplify reasoning but also leads to larger fact bases,
-which can slow down the ATPs.
-
-\item[\labelitemi]
-\textbf{%
-\textit{mono\_guards}, \textit{mono\_tags} (sound);
-\textit{mono\_args} (unsound):} \\
-Similar to
-\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags}, and
-\textit{raw\_mono\_args}, respectively but types are mangled in constant names
-instead of being supplied as ground term arguments. The binary predicate
-$\const{g}(\tau, t)$ becomes a unary predicate
-$\const{g\_}\tau(t)$, and the binary function
-$\const{t}(\tau, t)$ becomes a unary function
-$\const{t\_}\tau(t)$.
-
-\item[\labelitemi] \textbf{\textit{mono\_native} (sound):} Exploits native
-first-order types if the prover supports the TFF0, TFF1, or THF0 syntax;
-otherwise, falls back on \textit{mono\_guards}. The problem is monomorphized.
-
-\item[\labelitemi] \textbf{\textit{mono\_native\_higher} (sound):} Exploits
-native higher-order types if the prover supports the THF0 syntax; otherwise,
-falls back on \textit{mono\_native} or \textit{mono\_guards}. The problem is
-monomorphized.
-
-\item[\labelitemi] \textbf{\textit{poly\_native} (sound):} Exploits native
-first-order polymorphic types if the prover supports the TFF1 syntax; otherwise,
-falls back on \textit{mono\_native}.
-
-\item[\labelitemi]
-\textbf{%
-\textit{poly\_guards}?, \textit{poly\_tags}?, \textit{raw\_mono\_guards}?, \\
-\textit{raw\_mono\_tags}?, \textit{mono\_guards}?, \textit{mono\_tags}?, \\
-\textit{mono\_native}? (sound*):} \\
-The type encodings \textit{poly\_guards}, \textit{poly\_tags},
-\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags}, \textit{mono\_guards},
-\textit{mono\_tags}, and \textit{mono\_native} are fully typed and sound. For
-each of these, Sledgehammer also provides a lighter variant identified by a
-question mark (`\hbox{?}')\ that detects and erases monotonic types, notably
-infinite types. (For \textit{mono\_native}, the types are not actually erased
-but rather replaced by a shared uniform type of individuals.) As argument to the
-\textit{metis} proof method, the question mark is replaced by a
-\hbox{``\textit{\_query\/}''} suffix.
-
-\item[\labelitemi]
-\textbf{%
-\textit{poly\_guards}??, \textit{poly\_tags}??, \textit{raw\_mono\_guards}??, \\
-\textit{raw\_mono\_tags}??, \textit{mono\_guards}??, \textit{mono\_tags}?? \\
-(sound*):} \\
-Even lighter versions of the `\hbox{?}' encodings. As argument to the
-\textit{metis} proof method, the `\hbox{??}' suffix is replaced by
-\hbox{``\textit{\_query\_query\/}''}.
-
-\item[\labelitemi]
-\textbf{%
-\textit{poly\_guards}@, \textit{poly\_tags}@, \textit{raw\_mono\_guards}@, \\
-\textit{raw\_mono\_tags}@ (sound*):} \\
-Alternative versions of the `\hbox{??}' encodings. As argument to the
-\textit{metis} proof method, the `\hbox{@}' suffix is replaced by
-\hbox{``\textit{\_at\/}''}.
-
-\item[\labelitemi] \textbf{\textit{poly\_args}?, \textit{raw\_mono\_args}? (unsound):} \\
-Lighter versions of \textit{poly\_args} and \textit{raw\_mono\_args}.
-
-\item[\labelitemi] \textbf{\textit{smart}:} The actual encoding used depends on
-the ATP and should be the most efficient sound encoding for that ATP.
-\end{enum}
-
-For SMT solvers, the type encoding is always \textit{mono\_native}, irrespective
-of the value of this option.
-
-\nopagebreak
-{\small See also \textit{max\_new\_mono\_instances} (\S\ref{relevance-filter})
-and \textit{max\_mono\_iters} (\S\ref{relevance-filter}).}
-
-\opfalse{strict}{non\_strict}
-Specifies whether Sledgehammer should run in its strict mode. In that mode,
-sound type encodings marked with an asterisk (*) above are made complete
-for reconstruction with \textit{metis}, at the cost of some clutter in the
-generated problems. This option has no effect if \textit{type\_enc} is
-deliberately set to an unsound encoding.
-\end{enum}
-
-\subsection{Output Format}
-\label{output-format}
-
-\begin{enum}
-
-\opfalse{verbose}{quiet}
-Specifies whether the \textbf{sledgehammer} command should explain what it does.
-This option is implicitly disabled for automatic runs.
-
-\opfalse{debug}{no\_debug}
-Specifies whether Sledgehammer should display additional debugging information
-beyond what \textit{verbose} already displays. Enabling \textit{debug} also
-enables \textit{verbose} and \textit{blocking} (\S\ref{mode-of-operation})
-behind the scenes. The \textit{debug} option is implicitly disabled for
-automatic runs.
-
-\nopagebreak
-{\small See also \textit{overlord} (\S\ref{mode-of-operation}).}
-
-\opfalse{isar\_proof}{no\_isar\_proof}
-Specifies whether Isar proofs should be output in addition to one-liner
-\textit{metis} proofs. Isar proof construction is still experimental and often
-fails; however, they are usually faster and sometimes more robust than
-\textit{metis} proofs.
-
-\opdefault{isar\_shrink\_factor}{int}{\upshape 1}
-Specifies the granularity of the Isar proof. A value of $n$ indicates that each
-Isar proof step should correspond to a group of up to $n$ consecutive proof
-steps in the ATP proof.
-\end{enum}
-
-\subsection{Authentication}
-\label{authentication}
-
-\begin{enum}
-\opnodefault{expect}{string}
-Specifies the expected outcome, which must be one of the following:
-
-\begin{enum}
-\item[\labelitemi] \textbf{\textit{some}:} Sledgehammer found a proof.
-\item[\labelitemi] \textbf{\textit{none}:} Sledgehammer found no proof.
-\item[\labelitemi] \textbf{\textit{timeout}:} Sledgehammer timed out.
-\item[\labelitemi] \textbf{\textit{unknown}:} Sledgehammer encountered some
-problem.
-\end{enum}
-
-Sledgehammer emits an error (if \textit{blocking} is enabled) or a warning
-(otherwise) if the actual outcome differs from the expected outcome. This option
-is useful for regression testing.
-
-\nopagebreak
-{\small See also \textit{blocking} (\S\ref{mode-of-operation}) and
-\textit{timeout} (\S\ref{timeouts}).}
-\end{enum}
-
-\subsection{Timeouts}
-\label{timeouts}
-
-\begin{enum}
-\opdefault{timeout}{float\_or\_none}{\upshape 30}
-Specifies the maximum number of seconds that the automatic provers should spend
-searching for a proof. This excludes problem preparation and is a soft limit.
-For historical reasons, the default value of this option can be overridden using
-the option ``Sledgehammer: Time Limit'' in Proof General's ``Isabelle'' menu.
-
-\opdefault{preplay\_timeout}{float\_or\_none}{\upshape 3}
-Specifies the maximum number of seconds that \textit{metis} or \textit{smt}
-should spend trying to ``preplay'' the found proof. If this option is set to 0,
-no preplaying takes place, and no timing information is displayed next to the
-suggested \textit{metis} calls.
-
-\nopagebreak
-{\small See also \textit{minimize} (\S\ref{mode-of-operation}).}
-
-\optrueonly{dont\_preplay}
-Alias for ``\textit{preplay\_timeout} = 0''.
-
-\end{enum}
-
-\let\em=\sl
-\bibliography{manual}{}
-\bibliographystyle{abbrv}
-
-\end{document}
--- a/doc-src/System/Base.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-theory Base
-imports Pure
-begin
-
-ML_file "../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-
-end
--- a/doc-src/System/Basics.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,554 +0,0 @@
-theory Basics
-imports Base
-begin
-
-chapter {* The Isabelle system environment *}
-
-text {* This manual describes Isabelle together with related tools and
- user interfaces as seen from a system oriented view. See also the
- \emph{Isabelle/Isar Reference Manual}~\cite{isabelle-isar-ref} for
- the actual Isabelle input language and related concepts, and
- \emph{The Isabelle/Isar Implementation
- Manual}~\cite{isabelle-implementation} for the main concepts of the
- underlying implementation in Isabelle/ML.
-
- \medskip The Isabelle system environment provides the following
- basic infrastructure to integrate tools smoothly.
-
- \begin{enumerate}
-
- \item The \emph{Isabelle settings} mechanism provides process
- environment variables to all Isabelle executables (including tools
- and user interfaces).
-
- \item The raw \emph{Isabelle process} (@{executable_ref
- "isabelle-process"}) runs logic sessions either interactively or in
- batch mode. In particular, this view abstracts over the invocation
- of the actual ML system to be used. Regular users rarely need to
- care about the low-level process.
-
- \item The main \emph{Isabelle tool wrapper} (@{executable_ref
- isabelle}) provides a generic startup environment Isabelle related
- utilities, user interfaces etc. Such tools automatically benefit
- from the settings mechanism.
-
- \end{enumerate}
-*}
-
-
-section {* Isabelle settings \label{sec:settings} *}
-
-text {*
- The Isabelle system heavily depends on the \emph{settings
- mechanism}\indexbold{settings}. Essentially, this is a statically
- scoped collection of environment variables, such as @{setting
- ISABELLE_HOME}, @{setting ML_SYSTEM}, @{setting ML_HOME}. These
- variables are \emph{not} intended to be set directly from the shell,
- though. Isabelle employs a somewhat more sophisticated scheme of
- \emph{settings files} --- one for site-wide defaults, another for
- additional user-specific modifications. With all configuration
- variables in clearly defined places, this scheme is more
- maintainable and user-friendly than global shell environment
- variables.
-
- In particular, we avoid the typical situation where prospective
- users of a software package are told to put several things into
- their shell startup scripts, before being able to actually run the
- program. Isabelle requires none such administrative chores of its
- end-users --- the executables can be invoked straight away.
- Occasionally, users would still want to put the @{file
- "$ISABELLE_HOME/bin"} directory into their shell's search path, but
- this is not required.
-*}
-
-
-subsection {* Bootstrapping the environment \label{sec:boot} *}
-
-text {* Isabelle executables need to be run within a proper settings
- environment. This is bootstrapped as described below, on the first
- invocation of one of the outer wrapper scripts (such as
- @{executable_ref isabelle}). This happens only once for each
- process tree, i.e.\ the environment is passed to subprocesses
- according to regular Unix conventions.
-
- \begin{enumerate}
-
- \item The special variable @{setting_def ISABELLE_HOME} is
- determined automatically from the location of the binary that has
- been run.
-
- You should not try to set @{setting ISABELLE_HOME} manually. Also
- note that the Isabelle executables either have to be run from their
- original location in the distribution directory, or via the
- executable objects created by the @{tool install} tool. Symbolic
- links are admissible, but a plain copy of the @{file
- "$ISABELLE_HOME/bin"} files will not work!
-
- \item The file @{file "$ISABELLE_HOME/etc/settings"} is run as a
- @{executable_ref bash} shell script with the auto-export option for
- variables enabled.
-
- This file holds a rather long list of shell variable assigments,
- thus providing the site-wide default settings. The Isabelle
- distribution already contains a global settings file with sensible
- defaults for most variables. When installing the system, only a few
- of these may have to be adapted (probably @{setting ML_SYSTEM}
- etc.).
-
- \item The file @{verbatim "$ISABELLE_HOME_USER/etc/settings"} (if it
- exists) is run in the same way as the site default settings. Note
- that the variable @{setting ISABELLE_HOME_USER} has already been set
- before --- usually to something like @{verbatim
- "$USER_HOME/.isabelle/IsabelleXXXX"}.
-
- Thus individual users may override the site-wide defaults. See also
- file @{file "$ISABELLE_HOME/etc/user-settings.sample"} in the
- distribution. Typically, a user settings file would contain only a
- few lines, just the assigments that are really changed. One should
- definitely \emph{not} start with a full copy the basic @{file
- "$ISABELLE_HOME/etc/settings"}. This could cause very annoying
- maintainance problems later, when the Isabelle installation is
- updated or changed otherwise.
-
- \end{enumerate}
-
- Since settings files are regular GNU @{executable_def bash} scripts,
- one may use complex shell commands, such as @{verbatim "if"} or
- @{verbatim "case"} statements to set variables depending on the
- system architecture or other environment variables. Such advanced
- features should be added only with great care, though. In
- particular, external environment references should be kept at a
- minimum.
-
- \medskip A few variables are somewhat special:
-
- \begin{itemize}
-
- \item @{setting_def ISABELLE_PROCESS} and @{setting_def ISABELLE_TOOL} are set
- automatically to the absolute path names of the @{executable
- "isabelle-process"} and @{executable isabelle} executables,
- respectively.
-
- \item @{setting_ref ISABELLE_OUTPUT} will have the identifiers of
- the Isabelle distribution (cf.\ @{setting ISABELLE_IDENTIFIER}) and
- the ML system (cf.\ @{setting ML_IDENTIFIER}) appended automatically
- to its value.
-
- \end{itemize}
-
- \medskip Note that the settings environment may be inspected with
- the @{tool getenv} tool. This might help to figure out the effect
- of complex settings scripts. *}
-
-
-subsection {* Common variables *}
-
-text {*
- This is a reference of common Isabelle settings variables. Note that
- the list is somewhat open-ended. Third-party utilities or interfaces
- may add their own selection. Variables that are special in some
- sense are marked with @{text "\<^sup>*"}.
-
- \begin{description}
-
- \item[@{setting_def USER_HOME}@{text "\<^sup>*"}] Is the cross-platform
- user home directory. On Unix systems this is usually the same as
- @{setting HOME}, but on Windows it is the regular home directory of
- the user, not the one of within the Cygwin root
- file-system.\footnote{Cygwin itself offers another choice whether
- its HOME should point to the \texttt{/home} directory tree or the
- Windows user home.}
-
- \item[@{setting_def ISABELLE_HOME}@{text "\<^sup>*"}] is the location of the
- top-level Isabelle distribution directory. This is automatically
- determined from the Isabelle executable that has been invoked. Do
- not attempt to set @{setting ISABELLE_HOME} yourself from the shell!
-
- \item[@{setting_def ISABELLE_HOME_USER}] is the user-specific
- counterpart of @{setting ISABELLE_HOME}. The default value is
- relative to @{verbatim "$USER_HOME/.isabelle"}, under rare
- circumstances this may be changed in the global setting file.
- Typically, the @{setting ISABELLE_HOME_USER} directory mimics
- @{setting ISABELLE_HOME} to some extend. In particular, site-wide
- defaults may be overridden by a private @{verbatim
- "$ISABELLE_HOME_USER/etc/settings"}.
-
- \item[@{setting_def ISABELLE_PLATFORM}@{text "\<^sup>*"}] is automatically
- set to a symbolic identifier for the underlying hardware and
- operating system. The Isabelle platform identification always
- refers to the 32 bit variant, even this is a 64 bit machine. Note
- that the ML or Java runtime may have a different idea, depending on
- which binaries are actually run.
-
- \item[@{setting_def ISABELLE_PLATFORM64}@{text "\<^sup>*"}] is similar to
- @{setting ISABELLE_PLATFORM} but refers to the proper 64 bit variant
- on a platform that supports this; the value is empty for 32 bit.
- Note that the following bash expression (including the quotes)
- prefers the 64 bit platform, if that is available:
-
- @{verbatim [display] "\"${ISABELLE_PLATFORM64:-$ISABELLE_PLATFORM}\""}
-
- \item[@{setting_def ISABELLE_PROCESS}@{text "\<^sup>*"}, @{setting
- ISABELLE_TOOL}@{text "\<^sup>*"}] are automatically set to the full path
- names of the @{executable "isabelle-process"} and @{executable
- isabelle} executables, respectively. Thus other tools and scripts
- need not assume that the @{file "$ISABELLE_HOME/bin"} directory is
- on the current search path of the shell.
-
- \item[@{setting_def ISABELLE_IDENTIFIER}@{text "\<^sup>*"}] refers
- to the name of this Isabelle distribution, e.g.\ ``@{verbatim
- Isabelle2012}''.
-
- \item[@{setting_def ML_SYSTEM}, @{setting_def ML_HOME},
- @{setting_def ML_OPTIONS}, @{setting_def ML_PLATFORM}, @{setting_def
- ML_IDENTIFIER}@{text "\<^sup>*"}] specify the underlying ML system
- to be used for Isabelle. There is only a fixed set of admissable
- @{setting ML_SYSTEM} names (see the @{file
- "$ISABELLE_HOME/etc/settings"} file of the distribution).
-
- The actual compiler binary will be run from the directory @{setting
- ML_HOME}, with @{setting ML_OPTIONS} as first arguments on the
- command line. The optional @{setting ML_PLATFORM} may specify the
- binary format of ML heap images, which is useful for cross-platform
- installations. The value of @{setting ML_IDENTIFIER} is
- automatically obtained by composing the values of @{setting
- ML_SYSTEM}, @{setting ML_PLATFORM} and the Isabelle version values.
-
- \item[@{setting_def ISABELLE_JDK_HOME}] needs to point to a full JDK
- (Java Development Kit) installation with @{verbatim javac} and
- @{verbatim jar} executables. This is essential for Isabelle/Scala
- and other JVM-based tools to work properly. Note that conventional
- @{verbatim JAVA_HOME} usually points to the JRE (Java Runtime
- Environment), not JDK.
-
- \item[@{setting_def ISABELLE_PATH}] is a list of directories
- (separated by colons) where Isabelle logic images may reside. When
- looking up heaps files, the value of @{setting ML_IDENTIFIER} is
- appended to each component internally.
-
- \item[@{setting_def ISABELLE_OUTPUT}@{text "\<^sup>*"}] is a
- directory where output heap files should be stored by default. The
- ML system and Isabelle version identifier is appended here, too.
-
- \item[@{setting_def ISABELLE_BROWSER_INFO}] is the directory where
- theory browser information (HTML text, graph data, and printable
- documents) is stored (see also \secref{sec:info}). The default
- value is @{verbatim "$ISABELLE_HOME_USER/browser_info"}.
-
- \item[@{setting_def ISABELLE_LOGIC}] specifies the default logic to
- load if none is given explicitely by the user. The default value is
- @{verbatim HOL}.
-
- \item[@{setting_def ISABELLE_LINE_EDITOR}] specifies the default
- line editor for the @{tool_ref tty} interface.
-
- \item[@{setting_def ISABELLE_USEDIR_OPTIONS}] is implicitly prefixed
- to the command line of any @{tool_ref usedir} invocation. This
- typically contains compilation options for object-logics --- @{tool
- usedir} is the basic tool for managing logic sessions (cf.\ the
- @{verbatim IsaMakefile}s in the distribution).
-
- \item[@{setting_def ISABELLE_LATEX}, @{setting_def
- ISABELLE_PDFLATEX}, @{setting_def ISABELLE_BIBTEX}, @{setting_def
- ISABELLE_DVIPS}] refer to {\LaTeX} related tools for Isabelle
- document preparation (see also \secref{sec:tool-latex}).
-
- \item[@{setting_def ISABELLE_TOOLS}] is a colon separated list of
- directories that are scanned by @{executable isabelle} for external
- utility programs (see also \secref{sec:isabelle-tool}).
-
- \item[@{setting_def ISABELLE_DOCS}] is a colon separated list of
- directories with documentation files.
-
- \item[@{setting_def ISABELLE_DOC_FORMAT}] specifies the preferred
- document format, typically @{verbatim dvi} or @{verbatim pdf}.
-
- \item[@{setting_def DVI_VIEWER}] specifies the command to be used
- for displaying @{verbatim dvi} files.
-
- \item[@{setting_def PDF_VIEWER}] specifies the command to be used
- for displaying @{verbatim pdf} files.
-
- \item[@{setting_def PRINT_COMMAND}] specifies the standard printer
- spool command, which is expected to accept @{verbatim ps} files.
-
- \item[@{setting_def ISABELLE_TMP_PREFIX}@{text "\<^sup>*"}] is the
- prefix from which any running @{executable "isabelle-process"}
- derives an individual directory for temporary files. The default is
- somewhere in @{verbatim "/tmp"}.
-
- \end{description}
-*}
-
-
-subsection {* Additional components \label{sec:components} *}
-
-text {* Any directory may be registered as an explicit \emph{Isabelle
- component}. The general layout conventions are that of the main
- Isabelle distribution itself, and the following two files (both
- optional) have a special meaning:
-
- \begin{itemize}
-
- \item @{verbatim "etc/settings"} holds additional settings that are
- initialized when bootstrapping the overall Isabelle environment,
- cf.\ \secref{sec:boot}. As usual, the content is interpreted as a
- @{verbatim bash} script. It may refer to the component's enclosing
- directory via the @{verbatim "COMPONENT"} shell variable.
-
- For example, the following setting allows to refer to files within
- the component later on, without having to hardwire absolute paths:
-
-\begin{ttbox}
-MY_COMPONENT_HOME="$COMPONENT"
-\end{ttbox}
-
- Components can also add to existing Isabelle settings such as
- @{setting_def ISABELLE_TOOLS}, in order to provide
- component-specific tools that can be invoked by end-users. For
- example:
-
-\begin{ttbox}
-ISABELLE_TOOLS="$ISABELLE_TOOLS:$COMPONENT/lib/Tools"
-\end{ttbox}
-
- \item @{verbatim "etc/components"} holds a list of further
- sub-components of the same structure. The directory specifications
- given here can be either absolute (with leading @{verbatim "/"}) or
- relative to the component's main directory.
-
- \end{itemize}
-
- The root of component initialization is @{setting ISABELLE_HOME}
- itself. After initializing all of its sub-components recursively,
- @{setting ISABELLE_HOME_USER} is included in the same manner (if
- that directory exists). This allows to install private components
- via @{verbatim "$ISABELLE_HOME_USER/etc/components"}, although it is
- often more convenient to do that programmatically via the
- \verb,init_component, shell function in the \verb,etc/settings,
- script of \verb,$ISABELLE_HOME_USER, (or any other component
- directory). For example:
-\begin{ttbox}
-init_component "$HOME/screwdriver-2.0"
-\end{ttbox}
-
- This is tolerant wrt.\ missing component directories, but might
- produce a warning.
-
- \medskip More complex situations may be addressed by initializing
- components listed in a given catalog file, relatively to some base
- directory:
-
-\begin{ttbox}
-init_components "$HOME/my_component_store" "some_catalog_file"
-\end{ttbox}
-
- The component directories listed in the catalog file are treated as
- relative to the given base directory.
-
- See also \secref{sec:tool-components} for some tool-support for
- resolving components that are formally initialized but not installed
- yet.
-*}
-
-
-section {* The raw Isabelle process *}
-
-text {*
- The @{executable_def "isabelle-process"} executable runs bare-bones
- Isabelle logic sessions --- either interactively or in batch mode.
- It provides an abstraction over the underlying ML system, and over
- the actual heap file locations. Its usage is:
-
-\begin{ttbox}
-Usage: isabelle-process [OPTIONS] [INPUT] [OUTPUT]
-
- Options are:
- -I startup Isar interaction mode
- -P startup Proof General interaction mode
- -S secure mode -- disallow critical operations
- -T ADDR startup process wrapper, with socket address
- -W IN:OUT startup process wrapper, with input/output fifos
- -X startup PGIP interaction mode
- -e MLTEXT pass MLTEXT to the ML session
- -f pass 'Session.finish();' to the ML session
- -m MODE add print mode for output
- -q non-interactive session
- -r open heap file read-only
- -u pass 'use"ROOT.ML";' to the ML session
- -w reset write permissions on OUTPUT
-
- INPUT (default "\$ISABELLE_LOGIC") and OUTPUT specify in/out heaps.
- These are either names to be searched in the Isabelle path, or
- actual file names (containing at least one /).
- If INPUT is "RAW_ML_SYSTEM", just start the bare bones ML system.
-\end{ttbox}
-
- Input files without path specifications are looked up in the
- @{setting ISABELLE_PATH} setting, which may consist of multiple
- components separated by colons --- these are tried in the given
- order with the value of @{setting ML_IDENTIFIER} appended
- internally. In a similar way, base names are relative to the
- directory specified by @{setting ISABELLE_OUTPUT}. In any case,
- actual file locations may also be given by including at least one
- slash (@{verbatim "/"}) in the name (hint: use @{verbatim "./"} to
- refer to the current directory).
-*}
-
-
-subsubsection {* Options *}
-
-text {*
- If the input heap file does not have write permission bits set, or
- the @{verbatim "-r"} option is given explicitely, then the session
- started will be read-only. That is, the ML world cannot be
- committed back into the image file. Otherwise, a writable session
- enables commits into either the input file, or into another output
- heap file (if that is given as the second argument on the command
- line).
-
- The read-write state of sessions is determined at startup only, it
- cannot be changed intermediately. Also note that heap images may
- require considerable amounts of disk space (approximately
- 50--200~MB). Users are responsible for themselves to dispose their
- heap files when they are no longer needed.
-
- \medskip The @{verbatim "-w"} option makes the output heap file
- read-only after terminating. Thus subsequent invocations cause the
- logic image to be read-only automatically.
-
- \medskip Using the @{verbatim "-e"} option, arbitrary ML code may be
- passed to the Isabelle session from the command line. Multiple
- @{verbatim "-e"}'s are evaluated in the given order. Strange things
- may happen when errorneous ML code is provided. Also make sure that
- the ML commands are terminated properly by semicolon.
-
- \medskip The @{verbatim "-u"} option is a shortcut for @{verbatim
- "-e"} passing ``@{verbatim "use \"ROOT.ML\";"}'' to the ML session.
- The @{verbatim "-f"} option passes ``@{verbatim
- "Session.finish();"}'', which is intended mainly for administrative
- purposes.
-
- \medskip The @{verbatim "-m"} option adds identifiers of print modes
- to be made active for this session. Typically, this is used by some
- user interface, e.g.\ to enable output of proper mathematical
- symbols.
-
- \medskip Isabelle normally enters an interactive top-level loop
- (after processing the @{verbatim "-e"} texts). The @{verbatim "-q"}
- option inhibits interaction, thus providing a pure batch mode
- facility.
-
- \medskip The @{verbatim "-I"} option makes Isabelle enter Isar
- interaction mode on startup, instead of the primitive ML top-level.
- The @{verbatim "-P"} option configures the top-level loop for
- interaction with the Proof General user interface, and the
- @{verbatim "-X"} option enables XML-based PGIP communication.
-
- \medskip The @{verbatim "-T"} or @{verbatim "-W"} option makes
- Isabelle enter a special process wrapper for interaction via the
- Isabelle/Scala layer, see also @{file
- "~~/src/Pure/System/isabelle_process.scala"}. The protocol between
- the ML and JVM process is private to the implementation.
-
- \medskip The @{verbatim "-S"} option makes the Isabelle process more
- secure by disabling some critical operations, notably runtime
- compilation and evaluation of ML source code.
-*}
-
-
-subsubsection {* Examples *}
-
-text {*
- Run an interactive session of the default object-logic (as specified
- by the @{setting ISABELLE_LOGIC} setting) like this:
-\begin{ttbox}
-isabelle-process
-\end{ttbox}
-
- Usually @{setting ISABELLE_LOGIC} refers to one of the standard
- logic images, which are read-only by default. A writable session
- --- based on @{verbatim HOL}, but output to @{verbatim Test} (in the
- directory specified by the @{setting ISABELLE_OUTPUT} setting) ---
- may be invoked as follows:
-\begin{ttbox}
-isabelle-process HOL Test
-\end{ttbox}
- Ending this session normally (e.g.\ by typing control-D) dumps the
- whole ML system state into @{verbatim Test} (be prepared for more
- than 100\,MB):
-
- The @{verbatim Test} session may be continued later (still in
- writable state) by:
-\begin{ttbox}
-isabelle-process Test
-\end{ttbox}
- A read-only @{verbatim Test} session may be started by:
-\begin{ttbox}
-isabelle-process -r Test
-\end{ttbox}
-
- \medskip Note that manual session management like this does
- \emph{not} provide proper setup for theory presentation. This would
- require @{tool usedir}.
-
- \bigskip The next example demonstrates batch execution of Isabelle.
- We retrieve the @{verbatim Main} theory value from the theory loader
- within ML (observe the delicate quoting rules for the Bash shell
- vs.\ ML):
-\begin{ttbox}
-isabelle-process -e 'Thy_Info.get_theory "Main";' -q -r HOL
-\end{ttbox}
- Note that the output text will be interspersed with additional junk
- messages by the ML runtime environment. The @{verbatim "-W"} option
- allows to communicate with the Isabelle process via an external
- program in a more robust fashion.
-*}
-
-
-section {* The Isabelle tool wrapper \label{sec:isabelle-tool} *}
-
-text {*
- All Isabelle related tools and interfaces are called via a common
- wrapper --- @{executable isabelle}:
-
-\begin{ttbox}
-Usage: isabelle TOOL [ARGS ...]
-
- Start Isabelle tool NAME with ARGS; pass "-?" for tool specific help.
-
-Available tools:
- \dots
-\end{ttbox}
-
- In principle, Isabelle tools are ordinary executable scripts that
- are run within the Isabelle settings environment, see
- \secref{sec:settings}. The set of available tools is collected by
- @{executable isabelle} from the directories listed in the @{setting
- ISABELLE_TOOLS} setting. Do not try to call the scripts directly
- from the shell. Neither should you add the tool directories to your
- shell's search path!
-*}
-
-
-subsubsection {* Examples *}
-
-text {* Show the list of available documentation of the Isabelle
- distribution:
-
-\begin{ttbox}
- isabelle doc
-\end{ttbox}
-
- View a certain document as follows:
-\begin{ttbox}
- isabelle doc system
-\end{ttbox}
-
- Query the Isabelle settings environment:
-\begin{ttbox}
- isabelle getenv ISABELLE_HOME_USER
-\end{ttbox}
-*}
-
-end
\ No newline at end of file
--- a/doc-src/System/Interfaces.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,281 +0,0 @@
-theory Interfaces
-imports Base
-begin
-
-chapter {* User interfaces *}
-
-section {* Isabelle/jEdit Prover IDE \label{sec:tool-jedit} *}
-
-text {* The @{tool_def jedit} tool invokes a version of
- jEdit\footnote{\url{http://www.jedit.org/}} that has been augmented
- with some components to provide a fully-featured Prover IDE:
-\begin{ttbox} Usage: isabelle jedit [OPTIONS]
- [FILES ...]
-
- Options are:
- -J OPTION add JVM runtime option (default JEDIT_JAVA_OPTIONS)
- -b build only
- -d DIR include session directory
- -f fresh build
- -j OPTION add jEdit runtime option (default JEDIT_OPTIONS)
- -l NAME logic image name (default ISABELLE_LOGIC)
- -m MODE add print mode for output
-
-Start jEdit with Isabelle plugin setup and opens theory FILES
-(default Scratch.thy).
-\end{ttbox}
-
- The @{verbatim "-l"} option specifies the session name of the logic
- image to be used for proof processing. Additional session root
- directories may be included via option @{verbatim "-d"} to augment
- that name space (see also \secref{sec:tool-build}).
-
- The @{verbatim "-m"} option specifies additional print modes.
-
- The @{verbatim "-J"} and @{verbatim "-j"} options allow to pass
- additional low-level options to the JVM or jEdit, respectively. The
- defaults are provided by the Isabelle settings environment
- (\secref{sec:settings}).
-
- The @{verbatim "-b"} and @{verbatim "-f"} options control the
- self-build mechanism of Isabelle/jEdit. This is only relevant for
- building from sources, which also requires an auxiliary @{verbatim
- jedit_build}
- component.\footnote{\url{http://isabelle.in.tum.de/components}} Note
- that official Isabelle releases already include a version of
- Isabelle/jEdit that is built properly. *}
-
-
-section {* Proof General / Emacs *}
-
-text {* The @{tool_def emacs} tool invokes a version of Emacs and
- Proof General\footnote{http://proofgeneral.inf.ed.ac.uk/} within the
- regular Isabelle settings environment (\secref{sec:settings}). This
- is more convenient than starting Emacs separately, loading the Proof
- General LISP files, and then attempting to start Isabelle with
- dynamic @{setting PATH} lookup etc.
-
- The actual interface script is part of the Proof General
- distribution; its usage depends on the particular version. There
- are some options available, such as @{verbatim "-l"} for passing the
- logic image to be used by default, or @{verbatim "-m"} to tune the
- standard print mode. The following Isabelle settings are
- particularly important for Proof General:
-
- \begin{description}
-
- \item[@{setting_def PROOFGENERAL_HOME}] points to the main
- installation directory of the Proof General distribution. This is
- implicitly provided for versions of Proof General that are
- distributed as Isabelle component, see also \secref{sec:components};
- otherwise it needs to be configured manually.
-
- \item[@{setting_def PROOFGENERAL_OPTIONS}] is implicitly prefixed to
- the command line of any invocation of the Proof General @{verbatim
- interface} script. This allows to provide persistent default
- options for the invocation of \texttt{isabelle emacs}.
-
- \end{description}
-*}
-
-
-section {* Plain TTY interaction \label{sec:tool-tty} *}
-
-text {*
- The @{tool_def tty} tool runs the Isabelle process interactively
- within a plain terminal session:
-\begin{ttbox}
-Usage: isabelle tty [OPTIONS]
-
- Options are:
- -l NAME logic image name (default ISABELLE_LOGIC)
- -m MODE add print mode for output
- -p NAME line editor program name (default ISABELLE_LINE_EDITOR)
-
- Run Isabelle process with plain tty interaction and line editor.
-\end{ttbox}
-
- The @{verbatim "-l"} option specifies the logic image. The
- @{verbatim "-m"} option specifies additional print modes. The
- @{verbatim "-p"} option specifies an alternative line editor (such
- as the @{executable_def rlwrap} wrapper for GNU readline); the
- fall-back is to use raw standard input.
-
- Regular interaction works via the standard Isabelle/Isar toplevel
- loop. The Isar command @{command exit} drops out into the
- bare-bones ML system, which is occasionally useful for debugging of
- the Isar infrastructure itself. Invoking @{ML Isar.loop}~@{verbatim
- "();"} in ML will return to the Isar toplevel. *}
-
-
-
-section {* Theory graph browser \label{sec:browse} *}
-
-text {* The Isabelle graph browser is a general tool for visualizing
- dependency graphs. Certain nodes of the graph (i.e.\ theories) can
- be grouped together in ``directories'', whose contents may be
- hidden, thus enabling the user to collapse irrelevant portions of
- information. The browser is written in Java, it can be used both as
- a stand-alone application and as an applet. *}
-
-
-subsection {* Invoking the graph browser *}
-
-text {* The stand-alone version of the graph browser is wrapped up as
- @{tool_def browser}:
-\begin{ttbox}
-Usage: isabelle browser [OPTIONS] [GRAPHFILE]
-
- Options are:
- -b Admin/build only
- -c cleanup -- remove GRAPHFILE after use
- -o FILE output to FILE (ps, eps, pdf)
-\end{ttbox}
- When no filename is specified, the browser automatically changes to
- the directory @{setting ISABELLE_BROWSER_INFO}.
-
- \medskip The @{verbatim "-b"} option indicates that this is for
- administrative build only, i.e.\ no browser popup if no files are
- given.
-
- The @{verbatim "-c"} option causes the input file to be removed
- after use.
-
- The @{verbatim "-o"} option indicates batch-mode operation, with the
- output written to the indicated file; note that @{verbatim pdf}
- produces an @{verbatim eps} copy as well.
-
- \medskip The applet version of the browser is part of the standard
- WWW theory presentation, see the link ``theory dependencies'' within
- each session index.
-*}
-
-
-subsection {* Using the graph browser *}
-
-text {*
- The browser's main window, which is shown in
- \figref{fig:browserwindow}, consists of two sub-windows. In the
- left sub-window, the directory tree is displayed. The graph itself
- is displayed in the right sub-window.
-
- \begin{figure}[ht]
- \includegraphics[width=\textwidth]{browser_screenshot}
- \caption{\label{fig:browserwindow} Browser main window}
- \end{figure}
-*}
-
-
-subsubsection {* The directory tree window *}
-
-text {*
- We describe the usage of the directory browser and the meaning of
- the different items in the browser window.
-
- \begin{itemize}
-
- \item A red arrow before a directory name indicates that the
- directory is currently ``folded'', i.e.~the nodes in this directory
- are collapsed to one single node. In the right sub-window, the names
- of nodes corresponding to folded directories are enclosed in square
- brackets and displayed in red color.
-
- \item A green downward arrow before a directory name indicates that
- the directory is currently ``unfolded''. It can be folded by
- clicking on the directory name. Clicking on the name for a second
- time unfolds the directory again. Alternatively, a directory can
- also be unfolded by clicking on the corresponding node in the right
- sub-window.
-
- \item Blue arrows stand before ordinary node names. When clicking on
- such a name (i.e.\ that of a theory), the graph display window
- focuses to the corresponding node. Double clicking invokes a text
- viewer window in which the contents of the theory file are
- displayed.
-
- \end{itemize}
-*}
-
-
-subsubsection {* The graph display window *}
-
-text {*
- When pointing on an ordinary node, an upward and a downward arrow is
- shown. Initially, both of these arrows are green. Clicking on the
- upward or downward arrow collapses all predecessor or successor
- nodes, respectively. The arrow's color then changes to red,
- indicating that the predecessor or successor nodes are currently
- collapsed. The node corresponding to the collapsed nodes has the
- name ``@{verbatim "[....]"}''. To uncollapse the nodes again, simply
- click on the red arrow or on the node with the name ``@{verbatim
- "[....]"}''. Similar to the directory browser, the contents of
- theory files can be displayed by double clicking on the
- corresponding node.
-*}
-
-
-subsubsection {* The ``File'' menu *}
-
-text {*
- Due to Java Applet security restrictions this menu is only available
- in the full application version. The meaning of the menu items is as
- follows:
-
- \begin{description}
-
- \item[Open \dots] Open a new graph file.
-
- \item[Export to PostScript] Outputs the current graph in Postscript
- format, appropriately scaled to fit on one single sheet of A4 paper.
- The resulting file can be printed directly.
-
- \item[Export to EPS] Outputs the current graph in Encapsulated
- Postscript format. The resulting file can be included in other
- documents.
-
- \item[Quit] Quit the graph browser.
-
- \end{description}
-*}
-
-
-subsection {* Syntax of graph definition files *}
-
-text {*
- A graph definition file has the following syntax:
-
- \begin{center}\small
- \begin{tabular}{rcl}
- @{text graph} & @{text "="} & @{text "{ vertex"}~@{verbatim ";"}~@{text "}+"} \\
- @{text vertex} & @{text "="} & @{text "vertex_name vertex_ID dir_name ["}~@{verbatim "+"}~@{text "] path ["}~@{verbatim "<"}~@{text "|"}~@{verbatim ">"}~@{text "] { vertex_ID }*"}
- \end{tabular}
- \end{center}
-
- The meaning of the items in a vertex description is as follows:
-
- \begin{description}
-
- \item[@{text vertex_name}] The name of the vertex.
-
- \item[@{text vertex_ID}] The vertex identifier. Note that there may
- be several vertices with equal names, whereas identifiers must be
- unique.
-
- \item[@{text dir_name}] The name of the ``directory'' the vertex
- should be placed in. A ``@{verbatim "+"}'' sign after @{text
- dir_name} indicates that the nodes in the directory are initially
- visible. Directories are initially invisible by default.
-
- \item[@{text path}] The path of the corresponding theory file. This
- is specified relatively to the path of the graph definition file.
-
- \item[List of successor/predecessor nodes] A ``@{verbatim "<"}''
- sign before the list means that successor nodes are listed, a
- ``@{verbatim ">"}'' sign means that predecessor nodes are listed. If
- neither ``@{verbatim "<"}'' nor ``@{verbatim ">"}'' is found, the
- browser assumes that successor nodes are listed.
-
- \end{description}
-*}
-
-end
\ No newline at end of file
--- a/doc-src/System/Misc.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,598 +0,0 @@
-theory Misc
-imports Base
-begin
-
-chapter {* Miscellaneous tools \label{ch:tools} *}
-
-text {*
- Subsequently we describe various Isabelle related utilities, given
- in alphabetical order.
-*}
-
-
-section {* Resolving Isabelle components \label{sec:tool-components} *}
-
-text {*
- The @{tool_def components} tool resolves Isabelle components:
-\begin{ttbox}
-Usage: isabelle components [OPTIONS] [COMPONENTS ...]
-
- Options are:
- -R URL component repository
- (default $ISABELLE_COMPONENT_REPOSITORY)
- -a all missing components
- -l list status
-
- Resolve Isabelle components via download and installation.
- COMPONENTS are identified via base name.
-
- ISABELLE_COMPONENT_REPOSITORY="http://isabelle.in.tum.de/components"
-\end{ttbox}
-
- Components are initialized as described in \secref{sec:components}
- in a permissive manner, which can mark components as ``missing''.
- This state is amended by letting @{tool "components"} download and
- unpack components that are published on the default component
- repository \url{http://isabelle.in.tum.de/components/} in
- particular.
-
- Option @{verbatim "-R"} specifies an alternative component
- repository. Note that @{verbatim "file:///"} URLs can be used for
- local directories.
-
- Option @{verbatim "-a"} selects all missing components to be
- installed. Explicit components may be named as command
- line-arguments as well. Note that components are uniquely
- identified by their base name, while the installation takes place in
- the location that was specified in the attempt to initialize the
- component before.
-
- Option @{verbatim "-l"} lists the current state of available and
- missing components with their location (full name) within the
- file-system. *}
-
-
-section {* Displaying documents *}
-
-text {* The @{tool_def display} tool displays documents in DVI or PDF
- format:
-\begin{ttbox}
-Usage: isabelle display [OPTIONS] FILE
-
- Options are:
- -c cleanup -- remove FILE after use
-
- Display document FILE (in DVI format).
-\end{ttbox}
-
- \medskip The @{verbatim "-c"} option causes the input file to be
- removed after use. The program for viewing @{verbatim dvi} files is
- determined by the @{setting DVI_VIEWER} setting.
-*}
-
-
-section {* Viewing documentation \label{sec:tool-doc} *}
-
-text {*
- The @{tool_def doc} tool displays online documentation:
-\begin{ttbox}
-Usage: isabelle doc [DOC]
-
- View Isabelle documentation DOC, or show list of available documents.
-\end{ttbox}
- If called without arguments, it lists all available documents. Each
- line starts with an identifier, followed by a short description. Any
- of these identifiers may be specified as the first argument in order
- to have the corresponding document displayed.
-
- \medskip The @{setting ISABELLE_DOCS} setting specifies the list of
- directories (separated by colons) to be scanned for documentations.
- The program for viewing @{verbatim dvi} files is determined by the
- @{setting DVI_VIEWER} setting.
-*}
-
-
-section {* Shell commands within the settings environment \label{sec:tool-env} *}
-
-text {* The @{tool_def env} tool is a direct wrapper for the standard
- @{verbatim "/usr/bin/env"} command on POSIX systems, running within
- the Isabelle settings environment (\secref{sec:settings}).
-
- The command-line arguments are that of the underlying version of
- @{verbatim env}. For example, the following invokes an instance of
- the GNU Bash shell within the Isabelle environment:
-\begin{alltt}
- isabelle env bash
-\end{alltt}
-*}
-
-
-section {* Getting logic images *}
-
-text {* The @{tool_def findlogics} tool traverses all directories
- specified in @{setting ISABELLE_PATH}, looking for Isabelle logic
- images. Its usage is:
-\begin{ttbox}
-Usage: isabelle findlogics
-
- Collect heap file names from ISABELLE_PATH.
-\end{ttbox}
-
- The base names of all files found on the path are printed --- sorted
- and with duplicates removed. Also note that lookup in @{setting
- ISABELLE_PATH} includes the current values of @{setting ML_SYSTEM}
- and @{setting ML_PLATFORM}. Thus switching to another ML compiler
- may change the set of logic images available.
-*}
-
-
-section {* Inspecting the settings environment \label{sec:tool-getenv} *}
-
-text {* The Isabelle settings environment --- as provided by the
- site-default and user-specific settings files --- can be inspected
- with the @{tool_def getenv} tool:
-\begin{ttbox}
-Usage: isabelle getenv [OPTIONS] [VARNAMES ...]
-
- Options are:
- -a display complete environment
- -b print values only (doesn't work for -a)
- -d FILE dump complete environment to FILE
- (null terminated entries)
-
- Get value of VARNAMES from the Isabelle settings.
-\end{ttbox}
-
- With the @{verbatim "-a"} option, one may inspect the full process
- environment that Isabelle related programs are run in. This usually
- contains much more variables than are actually Isabelle settings.
- Normally, output is a list of lines of the form @{text
- name}@{verbatim "="}@{text value}. The @{verbatim "-b"} option
- causes only the values to be printed.
-
- Option @{verbatim "-d"} produces a dump of the complete environment
- to the specified file. Entries are terminated by the ASCII null
- character, i.e.\ the C string terminator.
-*}
-
-
-subsubsection {* Examples *}
-
-text {* Get the location of @{setting ISABELLE_HOME_USER} where
- user-specific information is stored:
-\begin{ttbox}
-isabelle getenv ISABELLE_HOME_USER
-\end{ttbox}
-
- \medskip Get the value only of the same settings variable, which is
-particularly useful in shell scripts:
-\begin{ttbox}
-isabelle getenv -b ISABELLE_OUTPUT
-\end{ttbox}
-*}
-
-
-section {* Installing standalone Isabelle executables \label{sec:tool-install} *}
-
-text {* By default, the main Isabelle binaries (@{executable
- "isabelle"} etc.) are just run from their location within the
- distribution directory, probably indirectly by the shell through its
- @{setting PATH}. Other schemes of installation are supported by the
- @{tool_def install} tool:
-\begin{ttbox}
-Usage: isabelle install [OPTIONS]
-
- Options are:
- -d DISTDIR use DISTDIR as Isabelle distribution
- (default ISABELLE_HOME)
- -p DIR install standalone binaries in DIR
-
- Install Isabelle executables with absolute references to the current
- distribution directory.
-\end{ttbox}
-
- The @{verbatim "-d"} option overrides the current Isabelle
- distribution directory as determined by @{setting ISABELLE_HOME}.
-
- The @{verbatim "-p"} option installs executable wrapper scripts for
- @{executable "isabelle-process"}, @{executable isabelle}, containing
- proper absolute references to the Isabelle distribution directory.
- A typical @{verbatim DIR} specification would be some directory
- expected to be in the shell's @{setting PATH}, such as @{verbatim
- "$HOME/bin"}.
-
- It is possible to make symbolic links of the main Isabelle
- executables, but making separate copies outside the Isabelle
- distribution directory will not work.
-*}
-
-
-section {* Creating instances of the Isabelle logo *}
-
-text {* The @{tool_def logo} tool creates any instance of the generic
- Isabelle logo as EPS or PDF.
-\begin{ttbox}
-Usage: isabelle logo [OPTIONS] NAME
-
- Create instance NAME of the Isabelle logo (as EPS or PDF).
-
- Options are:
- -o OUTFILE specify output file and format
- (default "isabelle_name.pdf")
- -q quiet mode
-\end{ttbox}
-
- Option @{verbatim "-o"} specifies an explicit output file name and
- format, e.g.\ @{verbatim "mylogo.eps"} for an EPS logo. The default
- is @{verbatim "isabelle_"}@{text name}@{verbatim ".pdf"}, with the
- lower-case version of the given name and PDF output.
-
- Option @{verbatim "-q"} omits printing of the result file name.
-
- \medskip Implementors of Isabelle tools and applications are
- encouraged to make derived Isabelle logos for their own projects
- using this template. *}
-
-
-section {* Isabelle wrapper for make \label{sec:tool-make} *}
-
-text {* The old @{tool_def make} tool is a very simple wrapper for
- ordinary Unix @{executable make}:
-\begin{ttbox}
-Usage: isabelle make [ARGS ...]
-
- Compile the logic in current directory using IsaMakefile.
- ARGS are directly passed to the system make program.
-\end{ttbox}
-
- Note that the Isabelle settings environment is also active. Thus one
- may refer to its values within the @{verbatim IsaMakefile}, e.g.\
- @{verbatim "$(ISABELLE_HOME)"}. Furthermore, programs started from
- the make file also inherit this environment.
-*}
-
-
-section {* Creating Isabelle session directories
- \label{sec:tool-mkdir} *}
-
-text {* The old @{tool_def mkdir} tool prepares Isabelle session
- source directories, including a sensible default setup of @{verbatim
- IsaMakefile}, @{verbatim ROOT.ML}, and a @{verbatim document}
- directory with a minimal @{verbatim root.tex} that is sufficient to
- print all theories of the session (in the order of appearance); see
- \secref{sec:tool-document} for further information on Isabelle
- document preparation. The usage of @{tool mkdir} is:
-
-\begin{ttbox}
-Usage: isabelle mkdir [OPTIONS] [LOGIC] NAME
-
- Options are:
- -I FILE alternative IsaMakefile output
- -P include parent logic target
- -b setup build mode (session outputs heap image)
- -q quiet mode
-
- Prepare session directory, including IsaMakefile and document source,
- with parent LOGIC (default ISABELLE_LOGIC=\$ISABELLE_LOGIC)
-\end{ttbox}
-
- The @{tool mkdir} tool is conservative in the sense that any
- existing @{verbatim IsaMakefile} etc.\ is left unchanged. Thus it
- is safe to invoke it multiple times, although later runs may not
- have the desired effect.
-
- Note that @{tool mkdir} is unable to change @{verbatim IsaMakefile}
- incrementally --- manual changes are required for multiple
- sub-sessions. On order to get an initial working session, the only
- editing needed is to add appropriate @{ML use_thy} calls to the
- generated @{verbatim ROOT.ML} file.
-*}
-
-
-subsubsection {* Options *}
-
-text {*
- The @{verbatim "-I"} option specifies an alternative to @{verbatim
- IsaMakefile} for dependencies. Note that ``@{verbatim "-"}'' refers
- to \emph{stdout}, i.e.\ ``@{verbatim "-I-"}'' provides an easy way
- to peek at @{tool mkdir}'s idea of @{tool make} setup required for
- some particular of Isabelle session.
-
- \medskip The @{verbatim "-P"} option includes a target for the
- parent @{verbatim LOGIC} session in the generated @{verbatim
- IsaMakefile}. The corresponding sources are assumed to be located
- within the Isabelle distribution.
-
- \medskip The @{verbatim "-b"} option sets up the current directory
- as the base for a new session that provides an actual logic image,
- as opposed to one that only runs several theories based on an
- existing image. Note that in the latter case, everything except
- @{verbatim IsaMakefile} would be placed into a separate directory
- @{verbatim NAME}, rather than the current one. See
- \secref{sec:tool-usedir} for further information on \emph{build
- mode} vs.\ \emph{example mode} of @{tool usedir}.
-
- \medskip The @{verbatim "-q"} option enables quiet mode, suppressing
- further notes on how to proceed.
-*}
-
-
-section {* Printing documents *}
-
-text {*
- The @{tool_def print} tool prints documents:
-\begin{ttbox}
-Usage: isabelle print [OPTIONS] FILE
-
- Options are:
- -c cleanup -- remove FILE after use
-
- Print document FILE.
-\end{ttbox}
-
- The @{verbatim "-c"} option causes the input file to be removed
- after use. The printer spool command is determined by the @{setting
- PRINT_COMMAND} setting.
-*}
-
-
-section {* Remove awkward symbol names from theory sources *}
-
-text {*
- The @{tool_def unsymbolize} tool tunes Isabelle theory sources to
- improve readability for plain ASCII output (e.g.\ in email
- communication). Most notably, @{tool unsymbolize} replaces awkward
- arrow symbols such as @{verbatim "\\"}@{verbatim "<Longrightarrow>"}
- by @{verbatim "==>"}.
-\begin{ttbox}
-Usage: isabelle unsymbolize [FILES|DIRS...]
-
- Recursively find .thy/.ML files, removing unreadable symbol names.
- Note: this is an ad-hoc script; there is no systematic way to replace
- symbols independently of the inner syntax of a theory!
-
- Renames old versions of FILES by appending "~~".
-\end{ttbox}
-*}
-
-
-section {* Running Isabelle sessions \label{sec:tool-usedir} *}
-
-text {* The old @{tool_def usedir} tool builds object-logic images, or
- runs example sessions based on existing logics. Its usage is:
-\begin{ttbox}
-Usage: isabelle usedir [OPTIONS] LOGIC NAME
-
- Options are:
- -C BOOL copy existing document directory to -D PATH (default true)
- -D PATH dump generated document sources into PATH
- -M MAX multithreading: maximum number of worker threads (default 1)
- -P PATH set path for remote theory browsing information
- -Q INT set threshold for sub-proof parallelization (default 50)
- -T LEVEL multithreading: trace level (default 0)
- -V VARIANT declare alternative document VARIANT
- -b build mode (output heap image, using current dir)
- -d FORMAT build document as FORMAT (default false)
- -f NAME use ML file NAME (default ROOT.ML)
- -g BOOL generate session graph image for document (default false)
- -i BOOL generate theory browser information (default false)
- -m MODE add print mode for output
- -p LEVEL set level of detail for proof objects (default 0)
- -q LEVEL set level of parallel proof checking (default 1)
- -r reset session path
- -s NAME override session NAME
- -t BOOL internal session timing (default false)
- -v BOOL be verbose (default false)
-
- Build object-logic or run examples. Also creates browsing
- information (HTML etc.) according to settings.
-
- ISABELLE_USEDIR_OPTIONS=...
-
- ML_PLATFORM=...
- ML_HOME=...
- ML_SYSTEM=...
- ML_OPTIONS=...
-\end{ttbox}
-
- Note that the value of the @{setting_ref ISABELLE_USEDIR_OPTIONS}
- setting is implicitly prefixed to \emph{any} @{tool usedir}
- call. Since the @{verbatim IsaMakefile}s of all object-logics
- distributed with Isabelle just invoke @{tool usedir} for the real
- work, one may control compilation options globally via above
- variable. In particular, generation of \rmindex{HTML} browsing
- information and document preparation is controlled here.
-*}
-
-
-subsubsection {* Options *}
-
-text {*
- Basically, there are two different modes of operation: \emph{build
- mode} (enabled through the @{verbatim "-b"} option) and
- \emph{example mode} (default).
-
- Calling @{tool usedir} with @{verbatim "-b"} runs @{executable
- "isabelle-process"} with input image @{verbatim LOGIC} and output to
- @{verbatim NAME}, as provided on the command line. This will be a
- batch session, running @{verbatim ROOT.ML} from the current
- directory and then quitting. It is assumed that @{verbatim ROOT.ML}
- contains all ML commands required to build the logic.
-
- In example mode, @{tool usedir} runs a read-only session of
- @{verbatim LOGIC} and automatically runs @{verbatim ROOT.ML} from
- within directory @{verbatim NAME}. It assumes that this file
- contains appropriate ML commands to run the desired examples.
-
- \medskip The @{verbatim "-i"} option controls theory browser data
- generation. It may be explicitly turned on or off --- as usual, the
- last occurrence of @{verbatim "-i"} on the command line wins.
-
- The @{verbatim "-P"} option specifies a path (or actual URL) to be
- prefixed to any \emph{non-local} reference of existing theories.
- Thus user sessions may easily link to existing Isabelle libraries
- already present on the WWW.
-
- The @{verbatim "-m"} options specifies additional print modes to be
- activated temporarily while the session is processed.
-
- \medskip The @{verbatim "-d"} option controls document preparation.
- Valid arguments are @{verbatim false} (do not prepare any document;
- this is default), or any of @{verbatim dvi}, @{verbatim dvi.gz},
- @{verbatim ps}, @{verbatim ps.gz}, @{verbatim pdf}. The logic
- session has to provide a properly setup @{verbatim document}
- directory. See \secref{sec:tool-document} and
- \secref{sec:tool-latex} for more details.
-
- \medskip The @{verbatim "-V"} option declares alternative document
- variants, consisting of name/tags pairs (cf.\ options @{verbatim
- "-n"} and @{verbatim "-t"} of @{tool_ref document}). The standard
- document is equivalent to ``@{verbatim
- "document=theory,proof,ML"}'', which means that all theory begin/end
- commands, proof body texts, and ML code will be presented
- faithfully.
-
- An alternative variant ``@{verbatim "outline=/proof/ML"}'' would
- fold proof and ML parts, replacing the original text by a short
- place-holder. The form ``@{text name}@{verbatim "=-"},'' means to
- remove document @{text name} from the list of variants to be
- processed. Any number of @{verbatim "-V"} options may be given;
- later declarations have precedence over earlier ones.
-
- Some document variant @{text name} may use an alternative {\LaTeX}
- entry point called @{verbatim "document/root_"}@{text
- "name"}@{verbatim ".tex"} if that file exists; otherwise the common
- @{verbatim "document/root.tex"} is used.
-
- \medskip The @{verbatim "-g"} option produces images of the theory
- dependency graph (cf.\ \secref{sec:browse}) for inclusion in the
- generated document, both as @{verbatim session_graph.eps} and
- @{verbatim session_graph.pdf} at the same time. To include this in
- the final {\LaTeX} document one could say @{verbatim
- "\\includegraphics{session_graph}"} in @{verbatim
- "document/root.tex"} (omitting the file-name extension enables
- {\LaTeX} to select to correct version, either for the DVI or PDF
- output path).
-
- \medskip The @{verbatim "-D"} option causes the generated document
- sources to be dumped at location @{verbatim PATH}; this path is
- relative to the session's main directory. If the @{verbatim "-C"}
- option is true, this will include a copy of an existing @{verbatim
- document} directory as provided by the user. For example, @{tool
- usedir}~@{verbatim "-D generated HOL Foo"} produces a complete set
- of document sources at @{verbatim "Foo/generated"}. Subsequent
- invocation of @{tool document}~@{verbatim "Foo/generated"} (see also
- \secref{sec:tool-document}) will process the final result
- independently of an Isabelle job. This decoupled mode of operation
- facilitates debugging of serious {\LaTeX} errors, for example.
-
- \medskip The @{verbatim "-p"} option determines the level of detail
- for internal proof objects, see also the \emph{Isabelle Reference
- Manual}~\cite{isabelle-ref}.
-
- \medskip The @{verbatim "-q"} option specifies the level of parallel
- proof checking: @{verbatim 0} no proofs, @{verbatim 1} toplevel
- proofs (default), @{verbatim 2} toplevel and nested Isar proofs.
- The option @{verbatim "-Q"} specifies a threshold for @{verbatim
- "-q2"}: nested proofs are only parallelized when the current number
- of forked proofs falls below the given value (default 50),
- multiplied by the number of worker threads (see option @{verbatim
- "-M"}).
-
- \medskip The @{verbatim "-t"} option produces a more detailed
- internal timing report of the session.
-
- \medskip The @{verbatim "-v"} option causes additional information
- to be printed while running the session, notably the location of
- prepared documents.
-
- \medskip The @{verbatim "-M"} option specifies the maximum number of
- parallel worker threads used for processing independent tasks when
- checking theory sources (multithreading only works on suitable ML
- platforms). The special value of @{verbatim 0} or @{verbatim max}
- refers to the number of actual CPU cores of the underlying machine,
- which is a good starting point for optimal performance tuning. The
- @{verbatim "-T"} option determines the level of detail in tracing
- output concerning the internal locking and scheduling in
- multithreaded operation. This may be helpful in isolating
- performance bottle-necks, e.g.\ due to excessive wait states when
- locking critical code sections.
-
- \medskip Any @{tool usedir} session is named by some \emph{session
- identifier}. These accumulate, documenting the way sessions depend
- on others. For example, consider @{verbatim "Pure/FOL/ex"}, which
- refers to the examples of FOL, which in turn is built upon Pure.
-
- The current session's identifier is by default just the base name of
- the @{verbatim LOGIC} argument (in build mode), or of the @{verbatim
- NAME} argument (in example mode). This may be overridden explicitly
- via the @{verbatim "-s"} option.
-*}
-
-
-section {* Output the version identifier of the Isabelle distribution *}
-
-text {*
- The @{tool_def version} tool displays Isabelle version information:
-\begin{ttbox}
-Usage: isabelle version [OPTIONS]
-
- Options are:
- -i short identification (derived from Mercurial id)
-
- Display Isabelle version information.
-\end{ttbox}
-
- \medskip The default is to output the full version string of the
- Isabelle distribution, e.g.\ ``@{verbatim "Isabelle2012: May 2012"}.
-
- The @{verbatim "-i"} option produces a short identification derived
- from the Mercurial id of the @{setting ISABELLE_HOME} directory.
-*}
-
-
-section {* Convert XML to YXML *}
-
-text {*
- The @{tool_def yxml} tool converts a standard XML document (stdin)
- to the much simpler and more efficient YXML format of Isabelle
- (stdout). The YXML format is defined as follows.
-
- \begin{enumerate}
-
- \item The encoding is always UTF-8.
-
- \item Body text is represented verbatim (no escaping, no special
- treatment of white space, no named entities, no CDATA chunks, no
- comments).
-
- \item Markup elements are represented via ASCII control characters
- @{text "\<^bold>X = 5"} and @{text "\<^bold>Y = 6"} as follows:
-
- \begin{tabular}{ll}
- XML & YXML \\\hline
- @{verbatim "<"}@{text "name attribute"}@{verbatim "="}@{text "value \<dots>"}@{verbatim ">"} &
- @{text "\<^bold>X\<^bold>Yname\<^bold>Yattribute"}@{verbatim "="}@{text "value\<dots>\<^bold>X"} \\
- @{verbatim "</"}@{text name}@{verbatim ">"} & @{text "\<^bold>X\<^bold>Y\<^bold>X"} \\
- \end{tabular}
-
- There is no special case for empty body text, i.e.\ @{verbatim
- "<foo/>"} is treated like @{verbatim "<foo></foo>"}. Also note that
- @{text "\<^bold>X"} and @{text "\<^bold>Y"} may never occur in
- well-formed XML documents.
-
- \end{enumerate}
-
- Parsing YXML is pretty straight-forward: split the text into chunks
- separated by @{text "\<^bold>X"}, then split each chunk into
- sub-chunks separated by @{text "\<^bold>Y"}. Markup chunks start
- with an empty sub-chunk, and a second empty sub-chunk indicates
- close of an element. Any other non-empty chunk consists of plain
- text. For example, see @{file "~~/src/Pure/PIDE/yxml.ML"} or
- @{file "~~/src/Pure/PIDE/yxml.scala"}.
-
- YXML documents may be detected quickly by checking that the first
- two characters are @{text "\<^bold>X\<^bold>Y"}.
-*}
-
-end
\ No newline at end of file
--- a/doc-src/System/Presentation.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,319 +0,0 @@
-theory Presentation
-imports Base
-begin
-
-chapter {* Presenting theories \label{ch:present} *}
-
-text {* Isabelle provides several ways to present the outcome of
- formal developments, including WWW-based browsable libraries or
- actual printable documents. Presentation is centered around the
- concept of \emph{sessions} (\chref{ch:session}). The global session
- structure is that of a tree, with Isabelle Pure at its root, further
- object-logics derived (e.g.\ HOLCF from HOL, and HOL from Pure), and
- application sessions further on in the hierarchy.
-
- The tools @{tool_ref mkroot} and @{tool_ref build} provide the
- primary means for managing Isabelle sessions, including proper setup
- for presentation; @{tool build} takes care to have @{executable_ref
- "isabelle-process"} run any additional stages required for document
- preparation, notably the @{tool_ref document} and @{tool_ref latex}.
- The complete tool chain for managing batch-mode Isabelle sessions is
- illustrated in \figref{fig:session-tools}.
-
- \begin{figure}[htbp]
- \begin{center}
- \begin{tabular}{lp{0.6\textwidth}}
-
- @{tool_ref mkroot} & invoked once by the user to initialize the
- session @{verbatim ROOT} with optional @{verbatim document}
- directory; \\
-
- @{tool_ref build} & invoked repeatedly by the user to keep
- session output up-to-date (HTML, documents etc.); \\
-
- @{executable "isabelle-process"} & run through @{tool_ref
- build}; \\
-
- @{tool_ref document} & run by the Isabelle process if document
- preparation is enabled; \\
-
- @{tool_ref latex} & universal {\LaTeX} tool wrapper invoked
- multiple times by @{tool_ref document}; also useful for manual
- experiments; \\
-
- \end{tabular}
- \caption{The tool chain of Isabelle session presentation} \label{fig:session-tools}
- \end{center}
- \end{figure}
-*}
-
-
-section {* Generating theory browser information \label{sec:info} *}
-
-text {*
- \index{theory browsing information|bold}
-
- As a side-effect of building sessions, Isabelle is able to generate
- theory browsing information, including HTML documents that show the
- theory sources and the relationship with its ancestors and
- descendants. Besides the HTML file that is generated for every
- theory, Isabelle stores links to all theories in an index
- file. These indexes are linked with other indexes to represent the
- overall tree structure of the sessions.
-
- Isabelle also generates graph files that represent the theory
- dependencies within a session. There is a graph browser Java applet
- embedded in the generated HTML pages, and also a stand-alone
- application that allows browsing theory graphs without having to
- start a WWW client first. The latter version also includes features
- such as generating Postscript files, which are not available in the
- applet version. See \secref{sec:browse} for further information.
-
- \medskip
-
- The easiest way to let Isabelle generate theory browsing information
- for existing sessions is to invoke @{tool build} with suitable
- options:
-
-\begin{ttbox}
-isabelle build -o browser_info -v -c FOL
-\end{ttbox}
-
- The presentation output will appear in @{verbatim
- "$ISABELLE_BROWSER_INFO/FOL"} as reported by the above verbose
- invocation of the build process.
-
- Many Isabelle sessions (such as @{verbatim "HOL-Library"} in @{file
- "~~/src/HOL/Library"}) also provide actual printable documents.
- These are prepared automatically as well if enabled like this:
-\begin{ttbox}
-isabelle build -o browser_info -o document=pdf -v -c HOL-Library
-\end{ttbox}
-
- Enabling both browser info and document preparation simultaneously
- causes an appropriate ``document'' link to be included in the HTML
- index. Documents may be generated independently of browser
- information as well, see \secref{sec:tool-document} for further
- details.
-
- \bigskip The theory browsing information is stored in a
- sub-directory directory determined by the @{setting_ref
- ISABELLE_BROWSER_INFO} setting plus a prefix corresponding to the
- session identifier (according to the tree structure of sub-sessions
- by default). In order to present Isabelle applications on the web,
- the corresponding subdirectory from @{setting ISABELLE_BROWSER_INFO}
- can be put on a WWW server.
-*}
-
-section {* Preparing session root directories \label{sec:tool-mkroot} *}
-
-text {* The @{tool_def mkroot} tool configures a given directory as
- session root, with some @{verbatim ROOT} file and optional document
- source directory. Its usage is:
-\begin{ttbox}
-Usage: isabelle mkroot [OPTIONS] [DIR]
-
- Options are:
- -d enable document preparation
- -n NAME alternative session name (default: DIR base name)
-
- Prepare session root DIR (default: current directory).
-\end{ttbox}
-
- The results are placed in the given directory @{text dir}, which
- refers to the current directory by default. The @{tool mkroot} tool
- is conservative in the sense that it does not overwrite existing
- files or directories. Earlier attempts to generate a session root
- need to be deleted manually.
-
- \medskip Option @{verbatim "-d"} indicates that the session shall be
- accompanied by a formal document, with @{text dir}@{verbatim
- "/document/root.tex"} as its {\LaTeX} entry point (see also
- \chref{ch:present}).
-
- Option @{verbatim "-n"} allows to specify an alternative session
- name; otherwise the base name of the given directory is used.
-
- \medskip The implicit Isabelle settings variable @{setting
- ISABELLE_LOGIC} specifies the parent session, and @{setting
- ISABELLE_DOCUMENT_FORMAT} the document format to be filled filled
- into the generated @{verbatim ROOT} file. *}
-
-
-subsubsection {* Examples *}
-
-text {* Produce session @{verbatim Test} (with document preparation)
- within a separate directory of the same name:
-\begin{ttbox}
-isabelle mkroot -d Test && isabelle build -D Test
-\end{ttbox}
-
- \medskip Upgrade the current directory into a session ROOT with
- document preparation, and build it:
-\begin{ttbox}
-isabelle mkroot -d && isabelle build -D .
-\end{ttbox}
-*}
-
-
-section {* Preparing Isabelle session documents
- \label{sec:tool-document} *}
-
-text {* The @{tool_def document} tool prepares logic session
- documents, processing the sources both as provided by the user and
- generated by Isabelle. Its usage is:
-\begin{ttbox}
-Usage: isabelle document [OPTIONS] [DIR]
-
- Options are:
- -c cleanup -- be aggressive in removing old stuff
- -n NAME specify document name (default 'document')
- -o FORMAT specify output format: dvi (default), dvi.gz, ps,
- ps.gz, pdf
- -t TAGS specify tagged region markup
-
- Prepare the theory session document in DIR (default 'document')
- producing the specified output format.
-\end{ttbox}
- This tool is usually run automatically as part of the Isabelle build
- process, provided document preparation has been enabled via suitable
- options. It may be manually invoked on the generated browser
- information document output as well, e.g.\ in case of errors
- encountered in the batch run.
-
- \medskip The @{verbatim "-c"} option tells @{tool document} to
- dispose the document sources after successful operation! This is
- the right thing to do for sources generated by an Isabelle process,
- but take care of your files in manual document preparation!
-
- \medskip The @{verbatim "-n"} and @{verbatim "-o"} option specify
- the final output file name and format, the default is ``@{verbatim
- document.dvi}''. Note that the result will appear in the parent of
- the target @{verbatim DIR}.
-
- \medskip The @{verbatim "-t"} option tells {\LaTeX} how to interpret
- tagged Isabelle command regions. Tags are specified as a comma
- separated list of modifier/name pairs: ``@{verbatim "+"}@{text
- foo}'' (or just ``@{text foo}'') means to keep, ``@{verbatim
- "-"}@{text foo}'' to drop, and ``@{verbatim "/"}@{text foo}'' to
- fold text tagged as @{text foo}. The builtin default is equivalent
- to the tag specification ``@{verbatim
- "+theory,+proof,+ML,+visible,-invisible"}''; see also the {\LaTeX}
- macros @{verbatim "\\isakeeptag"}, @{verbatim "\\isadroptag"}, and
- @{verbatim "\\isafoldtag"}, in @{file
- "~~/lib/texinputs/isabelle.sty"}.
-
- \medskip Document preparation requires a @{verbatim document}
- directory within the session sources. This directory is supposed to
- contain all the files needed to produce the final document --- apart
- from the actual theories which are generated by Isabelle.
-
- \medskip For most practical purposes, @{tool document} is smart
- enough to create any of the specified output formats, taking
- @{verbatim root.tex} supplied by the user as a starting point. This
- even includes multiple runs of {\LaTeX} to accommodate references
- and bibliographies (the latter assumes @{verbatim root.bib} within
- the same directory).
-
- In more complex situations, a separate @{verbatim build} script for
- the document sources may be given. It is invoked with command-line
- arguments for the document format and the document variant name.
- The script needs to produce corresponding output files, e.g.\
- @{verbatim root.pdf} for target format @{verbatim pdf} (and default
- default variants). The main work can be again delegated to @{tool
- latex}, but it is also possible to harvest generated {\LaTeX}
- sources and copy them elsewhere, for example.
-
- \medskip When running the session, Isabelle copies the content of
- the original @{verbatim document} directory into its proper place
- within @{setting ISABELLE_BROWSER_INFO}, according to the session
- path and document variant. Then, for any processed theory @{text A}
- some {\LaTeX} source is generated and put there as @{text
- A}@{verbatim ".tex"}. Furthermore, a list of all generated theory
- files is put into @{verbatim session.tex}. Typically, the root
- {\LaTeX} file provided by the user would include @{verbatim
- session.tex} to get a document containing all the theories.
-
- The {\LaTeX} versions of the theories require some macros defined in
- @{file "~~/lib/texinputs/isabelle.sty"}. Doing @{verbatim
- "\\usepackage{isabelle}"} in @{verbatim root.tex} should be fine;
- the underlying @{tool latex} already includes an appropriate path
- specification for {\TeX} inputs.
-
- If the text contains any references to Isabelle symbols (such as
- @{verbatim "\\"}@{verbatim "<forall>"}) then @{verbatim
- "isabellesym.sty"} should be included as well. This package
- contains a standard set of {\LaTeX} macro definitions @{verbatim
- "\\isasym"}@{text foo} corresponding to @{verbatim "\\"}@{verbatim
- "<"}@{text foo}@{verbatim ">"}, see \cite{isabelle-implementation} for a
- complete list of predefined Isabelle symbols. Users may invent
- further symbols as well, just by providing {\LaTeX} macros in a
- similar fashion as in @{file "~~/lib/texinputs/isabellesym.sty"} of
- the distribution.
-
- For proper setup of DVI and PDF documents (with hyperlinks and
- bookmarks), we recommend to include @{file
- "~~/lib/texinputs/pdfsetup.sty"} as well.
-
- \medskip As a final step of Isabelle document preparation, @{tool
- document}~@{verbatim "-c"} is run on the resulting copy of the
- @{verbatim document} directory. Thus the actual output document is
- built and installed in its proper place. The generated sources are
- deleted after successful run of {\LaTeX} and friends.
-
- Some care is needed if the document output location is configured
- differently, say within a directory whose content is still required
- afterwards!
-*}
-
-
-section {* Running {\LaTeX} within the Isabelle environment
- \label{sec:tool-latex} *}
-
-text {* The @{tool_def latex} tool provides the basic interface for
- Isabelle document preparation. Its usage is:
-\begin{ttbox}
-Usage: isabelle latex [OPTIONS] [FILE]
-
- Options are:
- -o FORMAT specify output format: dvi (default), dvi.gz, ps,
- ps.gz, pdf, bbl, idx, sty, syms
-
- Run LaTeX (and related tools) on FILE (default root.tex),
- producing the specified output format.
-\end{ttbox}
-
- Appropriate {\LaTeX}-related programs are run on the input file,
- according to the given output format: @{executable latex},
- @{executable pdflatex}, @{executable dvips}, @{executable bibtex}
- (for @{verbatim bbl}), and @{executable makeindex} (for @{verbatim
- idx}). The actual commands are determined from the settings
- environment (@{setting ISABELLE_LATEX} etc.).
-
- The @{verbatim sty} output format causes the Isabelle style files to
- be updated from the distribution. This is useful in special
- situations where the document sources are to be processed another
- time by separate tools.
-
- The @{verbatim syms} output is for internal use; it generates lists
- of symbols that are available without loading additional {\LaTeX}
- packages.
-*}
-
-
-subsubsection {* Examples *}
-
-text {* Invoking @{tool latex} by hand may be occasionally useful when
- debugging failed attempts of the automatic document preparation
- stage of batch-mode Isabelle. The abortive process leaves the
- sources at a certain place within @{setting ISABELLE_BROWSER_INFO},
- see the runtime error message for details. This enables users to
- inspect {\LaTeX} runs in further detail, e.g.\ like this:
-
-\begin{ttbox}
- cd ~/.isabelle/IsabelleXXXX/browser_info/HOL/Test/document
- isabelle latex -o pdf
-\end{ttbox}
-*}
-
-end
\ No newline at end of file
--- a/doc-src/System/Scala.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,72 +0,0 @@
-theory Scala
-imports Base
-begin
-
-chapter {* Isabelle/Scala development tools *}
-
-text {* Isabelle/ML and Isabelle/Scala are the two main language
-environments for Isabelle tool implementations. There are some basic
-command-line tools to work with the underlying Java Virtual Machine,
-the Scala toplevel and compiler. Note that Isabelle/jEdit
-(\secref{sec:tool-tty}) provides a Scala Console for interactive
-experimentation within the running application. *}
-
-
-section {* Java Runtime Environment within Isabelle \label{sec:tool-java} *}
-
-text {* The @{tool_def java} tool is a direct wrapper for the Java
- Runtime Environment, within the regular Isabelle settings
- environment (\secref{sec:settings}). The command line arguments are
- that of the underlying Java version. It is run in @{verbatim
- "-server"} mode if possible, to improve performance (at the cost of
- extra startup time).
-
- The @{verbatim java} executable is the one within @{setting
- ISABELLE_JDK_HOME}, according to the standard directory layout for
- official JDK distributions. The class loader is augmented such that
- the name space of @{verbatim "Isabelle/Pure.jar"} is available,
- which is the main Isabelle/Scala module.
-
- For example, the following command-line invokes the main method of
- class @{verbatim isabelle.GUI_Setup}, which opens a windows with
- some diagnostic information about the Isabelle environment:
-\begin{alltt}
- isabelle java isabelle.GUI_Setup
-\end{alltt}
-*}
-
-
-section {* Scala toplevel \label{sec:tool-scala} *}
-
-text {* The @{tool_def scala} tool is a direct wrapper for the Scala
- toplevel; see also @{tool java} above. The command line arguments
- are that of the underlying Scala version.
-
- This allows to interact with Isabelle/Scala in TTY mode like this:
-\begin{alltt}
- isabelle scala
- scala> isabelle.Isabelle_System.getenv("ISABELLE_HOME")
- scala> val options = isabelle.Options.init()
- scala> options.bool("browser_info")
-\end{alltt}
-*}
-
-
-section {* Scala compiler \label{sec:tool-scalac} *}
-
-text {* The @{tool_def scalac} tool is a direct wrapper for the Scala
- compiler; see also @{tool scala} above. The command line arguments
- are that of the underlying Scala version.
-
- This allows to compile further Scala modules, depending on existing
- Isabelle/Scala functionality. The resulting class or jar files can
- be added to the @{setting CLASSPATH} via the @{verbatim classpath}
- Bash function that is provided by the Isabelle process environment.
- Thus add-on components can register themselves in a modular manner,
- see also \secref{sec:components}.
-
- Note that jEdit (\secref{sec:tool-jedit}) has its own mechanisms for
- adding plugin components, which needs special attention since
- it overrides the standard Java class loader. *}
-
-end
--- a/doc-src/System/Sessions.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,324 +0,0 @@
-theory Sessions
-imports Base
-begin
-
-chapter {* Isabelle sessions and build management \label{ch:session} *}
-
-text {* An Isabelle \emph{session} consists of a collection of related
- theories that may be associated with formal documents (see also
- \chref{ch:present}). There is also a notion of \emph{persistent
- heap} image to capture the state of a session, similar to
- object-code in compiled programming languages. Thus the concept of
- session resembles that of a ``project'' in common IDE environments,
- but the specific name emphasizes the connection to interactive
- theorem proving: the session wraps-up the results of
- user-interaction with the prover in a persistent form.
-
- Application sessions are built on a given parent session, which may
- be built recursively on other parents. Following this path in the
- hierarchy eventually leads to some major object-logic session like
- @{text "HOL"}, which itself is based on @{text "Pure"} as the common
- root of all sessions.
-
- Processing sessions may take considerable time. Isabelle build
- management helps to organize this efficiently. This includes
- support for parallel build jobs, in addition to the multithreaded
- theory and proof checking that is already provided by the prover
- process itself. *}
-
-
-section {* Session ROOT specifications \label{sec:session-root} *}
-
-text {* Session specifications reside in files called @{verbatim ROOT}
- within certain directories, such as the home locations of registered
- Isabelle components or additional project directories given by the
- user.
-
- The ROOT file format follows the lexical conventions of the
- \emph{outer syntax} of Isabelle/Isar, see also
- \cite{isabelle-isar-ref}. This defines common forms like
- identifiers, names, quoted strings, verbatim text, nested comments
- etc. The grammar for a single @{syntax session_entry} is given as
- syntax diagram below; each ROOT file may contain multiple session
- specifications like this.
-
- Isabelle/jEdit (\secref{sec:tool-jedit}) includes a simple editing
- mode @{verbatim "isabelle-root"} for session ROOT files.
-
- @{rail "
- @{syntax_def session_entry}: @'session' spec '=' (@{syntax name} '+')? body
- ;
- body: description? options? ( theories + ) files?
- ;
- spec: @{syntax name} groups? dir?
- ;
- groups: '(' (@{syntax name} +) ')'
- ;
- dir: @'in' @{syntax name}
- ;
- description: @'description' @{syntax text}
- ;
- options: @'options' opts
- ;
- opts: '[' ( (@{syntax name} '=' value | @{syntax name}) + ',' ) ']'
- ;
- value: @{syntax name} | @{syntax real}
- ;
- theories: @'theories' opts? ( @{syntax name} * )
- ;
- files: @'files' ( @{syntax name} + )
- "}
-
- \begin{description}
-
- \item \isakeyword{session}~@{text "A = B + body"} defines a new
- session @{text "A"} based on parent session @{text "B"}, with its
- content given in @{text body} (theories and auxiliary source files).
- Note that a parent (like @{text "HOL"}) is mandatory in practical
- applications: only Isabelle/Pure can bootstrap itself from nothing.
-
- All such session specifications together describe a hierarchy (tree)
- of sessions, with globally unique names. The new session name
- @{text "A"} should be sufficiently long to stand on its own in a
- potentially large library.
-
- \item \isakeyword{session}~@{text "A (groups)"} indicates a
- collection of groups where the new session is a member. Group names
- are uninterpreted and merely follow certain conventions. For
- example, the Isabelle distribution tags some important sessions by
- the group name called ``@{text "main"}''. Other projects may invent
- their own conventions, but this requires some care to avoid clashes
- within this unchecked name space.
-
- \item \isakeyword{session}~@{text "A"}~\isakeyword{in}~@{text "dir"}
- specifies an explicit directory for this session; by default this is
- the current directory of the @{verbatim ROOT} file.
-
- All theories and auxiliary source files are located relatively to
- the session directory. The prover process is run within the same as
- its current working directory.
-
- \item \isakeyword{description}~@{text "text"} is a free-form
- annotation for this session.
-
- \item \isakeyword{options}~@{text "[x = a, y = b, z]"} defines
- separate options (\secref{sec:system-options}) that are used when
- processing this session, but \emph{without} propagation to child
- sessions. Note that @{text "z"} abbreviates @{text "z = true"} for
- Boolean options.
-
- \item \isakeyword{theories}~@{text "options names"} specifies a
- block of theories that are processed within an environment that is
- augmented by the given options, in addition to the global session
- options given before. Any number of blocks of \isakeyword{theories}
- may be given. Options are only active for each
- \isakeyword{theories} block separately.
-
- \item \isakeyword{files}~@{text "files"} lists additional source
- files that are involved in the processing of this session. This
- should cover anything outside the formal content of the theory
- sources, say some auxiliary {\TeX} files that are required for
- document processing. In contrast, files that are specified in
- formal theory headers as @{keyword "uses"} need not be declared
- again.
-
- \end{description}
-*}
-
-subsubsection {* Examples *}
-
-text {* See @{file "~~/src/HOL/ROOT"} for a diversity of practically
- relevant situations, but it uses relatively complex quasi-hierarchic
- naming conventions like @{text "HOL\<dash>SPARK"}, @{text
- "HOL\<dash>SPARK\<dash>Examples"}. An alternative is to use
- unqualified names that are relatively long and descriptive, as in
- the Archive of Formal Proofs (\url{http://afp.sf.net}), for
- example. *}
-
-
-section {* System build options \label{sec:system-options} *}
-
-text {* See @{file "~~/etc/options"} for the main defaults provided by
- the Isabelle distribution. Isabelle/jEdit (\secref{sec:tool-jedit})
- includes a simple editing mode @{verbatim "isabelle-options"} for
- this file-format.
-
- The @{tool_def options} tool prints Isabelle system options. Its
- command-line usage is:
-\begin{ttbox}
-Usage: isabelle options [OPTIONS] [MORE_OPTIONS ...]
-
- Options are:
- -b include $ISABELLE_BUILD_OPTIONS
- -x FILE export to FILE in YXML format
-
- Print Isabelle system options, augmented by MORE_OPTIONS given as
- arguments NAME=VAL or NAME.
-\end{ttbox}
-
- The command line arguments provide additional system options of the
- form @{text "name"}@{verbatim "="}@{text "value"} or @{text name}
- for Boolean options.
-
- Option @{verbatim "-b"} augments the implicit environment of system
- options by the ones of @{setting ISABELLE_BUILD_OPTIONS}, cf.\
- \secref{sec:tool-build}.
-
- Option @{verbatim "-x"} specifies a file to export the result in
- YXML format, instead of printing it in human-readable form.
-*}
-
-
-section {* Invoking the build process \label{sec:tool-build} *}
-
-text {* The @{tool_def build} tool invokes the build process for
- Isabelle sessions. It manages dependencies between sessions,
- related sources of theories and auxiliary files, and target heap
- images. Accordingly, it runs instances of the prover process with
- optional document preparation. Its command-line usage
- is:\footnote{Isabelle/Scala provides the same functionality via
- \texttt{isabelle.Build.build}.}
-\begin{ttbox}
-Usage: isabelle build [OPTIONS] [SESSIONS ...]
-
- Options are:
- -D DIR include session directory and select its sessions
- -a select all sessions
- -b build heap images
- -c clean build
- -d DIR include session directory
- -g NAME select session group NAME
- -j INT maximum number of parallel jobs (default 1)
- -l list session source files
- -n no build -- test dependencies only
- -o OPTION override session configuration OPTION
- (via NAME=VAL or NAME)
- -s system build mode: produce output in ISABELLE_HOME
- -v verbose
-
- Build and manage Isabelle sessions, depending on implicit
- ISABELLE_BUILD_OPTIONS="..."
-
- ML_PLATFORM="..."
- ML_HOME="..."
- ML_SYSTEM="..."
- ML_OPTIONS="..."
-\end{ttbox}
-
- \medskip Isabelle sessions are defined via session ROOT files as
- described in (\secref{sec:session-root}). The totality of sessions
- is determined by collecting such specifications from all Isabelle
- component directories (\secref{sec:components}), augmented by more
- directories given via options @{verbatim "-d"}~@{text "DIR"} on the
- command line. Each such directory may contain a session
- \texttt{ROOT} file with several session specifications.
-
- Any session root directory may refer recursively to further
- directories of the same kind, by listing them in a catalog file
- @{verbatim "ROOTS"} line-by-line. This helps to organize large
- collections of session specifications, or to make @{verbatim "-d"}
- command line options persistent (say within @{verbatim
- "$ISABELLE_HOME_USER/ROOTS"}).
-
- \medskip The subset of sessions to be managed is determined via
- individual @{text "SESSIONS"} given as command-line arguments, or
- session groups that are given via one or more options @{verbatim
- "-g"}~@{text "NAME"}. Option @{verbatim "-a"} selects all sessions.
- The build tool takes session dependencies into account: the set of
- selected sessions is completed by including all ancestors.
-
- \medskip Option @{verbatim "-D"} is similar to @{verbatim "-d"}, but
- selects all sessions that are defined in the given directories.
-
- \medskip The build process depends on additional options
- (\secref{sec:system-options}) that are passed to the prover
- eventually. The settings variable @{setting_ref
- ISABELLE_BUILD_OPTIONS} allows to provide additional defaults, e.g.\
- \texttt{ISABELLE_BUILD_OPTIONS="document=pdf threads=4"}. Moreover,
- the environment of system build options may be augmented on the
- command line via @{verbatim "-o"}~@{text "name"}@{verbatim
- "="}@{text "value"} or @{verbatim "-o"}~@{text "name"}, which
- abbreviates @{verbatim "-o"}~@{text "name"}@{verbatim"=true"} for
- Boolean options. Multiple occurrences of @{verbatim "-o"} on the
- command-line are applied in the given order.
-
- \medskip Option @{verbatim "-b"} ensures that heap images are
- produced for all selected sessions. By default, images are only
- saved for inner nodes of the hierarchy of sessions, as required for
- other sessions to continue later on.
-
- \medskip Option @{verbatim "-c"} cleans all descendants of the
- selected sessions before performing the specified build operation.
-
- \medskip Option @{verbatim "-n"} omits the actual build process
- after the preparatory stage (including optional cleanup). Note that
- the return code always indicates the status of the set of selected
- sessions.
-
- \medskip Option @{verbatim "-j"} specifies the maximum number of
- parallel build jobs (prover processes). Each prover process is
- subject to a separate limit of parallel worker threads, cf.\ system
- option @{system_option_ref threads}.
-
- \medskip Option @{verbatim "-s"} enables \emph{system mode}, which
- means that resulting heap images and log files are stored in
- @{verbatim "$ISABELLE_HOME/heaps"} instead of the default location
- @{setting ISABELLE_OUTPUT} (which is normally in @{setting
- ISABELLE_HOME_USER}, i.e.\ the user's home directory).
-
- \medskip Option @{verbatim "-v"} increases the general level of
- verbosity. Option @{verbatim "-l"} lists the source files that
- contribute to a session.
-*}
-
-subsubsection {* Examples *}
-
-text {*
- Build a specific logic image:
-\begin{ttbox}
-isabelle build -b HOLCF
-\end{ttbox}
-
- \smallskip Build the main group of logic images:
-\begin{ttbox}
-isabelle build -b -g main
-\end{ttbox}
-
- \smallskip Provide a general overview of the status of all Isabelle
- sessions, without building anything:
-\begin{ttbox}
-isabelle build -a -n -v
-\end{ttbox}
-
- \smallskip Build all sessions with HTML browser info and PDF
- document preparation:
-\begin{ttbox}
-isabelle build -a -o browser_info -o document=pdf
-\end{ttbox}
-
- \smallskip Build all sessions with a maximum of 8 parallel prover
- processes and 4 worker threads each (on a machine with many cores):
-\begin{ttbox}
-isabelle build -a -j8 -o threads=4
-\end{ttbox}
-
- \smallskip Build some session images with cleanup of their
- descendants, while retaining their ancestry:
-\begin{ttbox}
-isabelle build -b -c HOL-Boogie HOL-SPARK
-\end{ttbox}
-
- \smallskip Clean all sessions without building anything:
-\begin{ttbox}
-isabelle build -a -n -c
-\end{ttbox}
-
- \smallskip Build all sessions from some other directory hierarchy,
- according to the settings variable @{verbatim "AFP"} that happens to
- be defined inside the Isabelle environment:
-\begin{ttbox}
-isabelle build -D '$AFP'
-\end{ttbox}
-*}
-
-end
--- a/doc-src/System/document/browser_screenshot.eps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,11222 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%Creator: (ImageMagick)
-%%Title: (/home/makarius/isabelle/src/Doc/System/browser_screenshot.eps)
-%%CreationDate: (Tue Sep 16 13:50:28 2008)
-%%BoundingBox: 0 0 458 269
-%%HiResBoundingBox: 0 0 458.484 269
-%%DocumentData: Clean7Bit
-%%LanguageLevel: 1
-%%Pages: 1
-%%EndComments
-
-%%BeginDefaults
-%%EndDefaults
-
-%%BeginProlog
-%
-% Display a color image. The image is displayed in color on
-% Postscript viewers or printers that support color, otherwise
-% it is displayed as grayscale.
-%
-/DirectClassPacket
-{
- %
- % Get a DirectClass packet.
- %
- % Parameters:
- % red.
- % green.
- % blue.
- % length: number of pixels minus one of this color (optional).
- %
- currentfile color_packet readhexstring pop pop
- compression 0 eq
- {
- /number_pixels 3 def
- }
- {
- currentfile byte readhexstring pop 0 get
- /number_pixels exch 1 add 3 mul def
- } ifelse
- 0 3 number_pixels 1 sub
- {
- pixels exch color_packet putinterval
- } for
- pixels 0 number_pixels getinterval
-} bind def
-
-/DirectClassImage
-{
- %
- % Display a DirectClass image.
- %
- systemdict /colorimage known
- {
- columns rows 8
- [
- columns 0 0
- rows neg 0 rows
- ]
- { DirectClassPacket } false 3 colorimage
- }
- {
- %
- % No colorimage operator; convert to grayscale.
- %
- columns rows 8
- [
- columns 0 0
- rows neg 0 rows
- ]
- { GrayDirectClassPacket } image
- } ifelse
-} bind def
-
-/GrayDirectClassPacket
-{
- %
- % Get a DirectClass packet; convert to grayscale.
- %
- % Parameters:
- % red
- % green
- % blue
- % length: number of pixels minus one of this color (optional).
- %
- currentfile color_packet readhexstring pop pop
- color_packet 0 get 0.299 mul
- color_packet 1 get 0.587 mul add
- color_packet 2 get 0.114 mul add
- cvi
- /gray_packet exch def
- compression 0 eq
- {
- /number_pixels 1 def
- }
- {
- currentfile byte readhexstring pop 0 get
- /number_pixels exch 1 add def
- } ifelse
- 0 1 number_pixels 1 sub
- {
- pixels exch gray_packet put
- } for
- pixels 0 number_pixels getinterval
-} bind def
-
-/GrayPseudoClassPacket
-{
- %
- % Get a PseudoClass packet; convert to grayscale.
- %
- % Parameters:
- % index: index into the colormap.
- % length: number of pixels minus one of this color (optional).
- %
- currentfile byte readhexstring pop 0 get
- /offset exch 3 mul def
- /color_packet colormap offset 3 getinterval def
- color_packet 0 get 0.299 mul
- color_packet 1 get 0.587 mul add
- color_packet 2 get 0.114 mul add
- cvi
- /gray_packet exch def
- compression 0 eq
- {
- /number_pixels 1 def
- }
- {
- currentfile byte readhexstring pop 0 get
- /number_pixels exch 1 add def
- } ifelse
- 0 1 number_pixels 1 sub
- {
- pixels exch gray_packet put
- } for
- pixels 0 number_pixels getinterval
-} bind def
-
-/PseudoClassPacket
-{
- %
- % Get a PseudoClass packet.
- %
- % Parameters:
- % index: index into the colormap.
- % length: number of pixels minus one of this color (optional).
- %
- currentfile byte readhexstring pop 0 get
- /offset exch 3 mul def
- /color_packet colormap offset 3 getinterval def
- compression 0 eq
- {
- /number_pixels 3 def
- }
- {
- currentfile byte readhexstring pop 0 get
- /number_pixels exch 1 add 3 mul def
- } ifelse
- 0 3 number_pixels 1 sub
- {
- pixels exch color_packet putinterval
- } for
- pixels 0 number_pixels getinterval
-} bind def
-
-/PseudoClassImage
-{
- %
- % Display a PseudoClass image.
- %
- % Parameters:
- % class: 0-PseudoClass or 1-Grayscale.
- %
- currentfile buffer readline pop
- token pop /class exch def pop
- class 0 gt
- {
- currentfile buffer readline pop
- token pop /depth exch def pop
- /grays columns 8 add depth sub depth mul 8 idiv string def
- columns rows depth
- [
- columns 0 0
- rows neg 0 rows
- ]
- { currentfile grays readhexstring pop } image
- }
- {
- %
- % Parameters:
- % colors: number of colors in the colormap.
- % colormap: red, green, blue color packets.
- %
- currentfile buffer readline pop
- token pop /colors exch def pop
- /colors colors 3 mul def
- /colormap colors string def
- currentfile colormap readhexstring pop pop
- systemdict /colorimage known
- {
- columns rows 8
- [
- columns 0 0
- rows neg 0 rows
- ]
- { PseudoClassPacket } false 3 colorimage
- }
- {
- %
- % No colorimage operator; convert to grayscale.
- %
- columns rows 8
- [
- columns 0 0
- rows neg 0 rows
- ]
- { GrayPseudoClassPacket } image
- } ifelse
- } ifelse
-} bind def
-
-/DisplayImage
-{
- %
- % Display a DirectClass or PseudoClass image.
- %
- % Parameters:
- % x & y translation.
- % x & y scale.
- % label pointsize.
- % image label.
- % image columns & rows.
- % class: 0-DirectClass or 1-PseudoClass.
- % compression: 0-none or 1-RunlengthEncoded.
- % hex color packets.
- %
- gsave
- /buffer 512 string def
- /byte 1 string def
- /color_packet 3 string def
- /pixels 768 string def
-
- currentfile buffer readline pop
- token pop /x exch def
- token pop /y exch def pop
- x y translate
- currentfile buffer readline pop
- token pop /x exch def
- token pop /y exch def pop
- currentfile buffer readline pop
- token pop /pointsize exch def pop
- /Times-Roman findfont pointsize scalefont setfont
- x y scale
- currentfile buffer readline pop
- token pop /columns exch def
- token pop /rows exch def pop
- currentfile buffer readline pop
- token pop /class exch def pop
- currentfile buffer readline pop
- token pop /compression exch def pop
- class 0 gt { PseudoClassImage } { DirectClassImage } ifelse
- grestore
-} bind def
-%%EndProlog
-%%Page: 1 1
-%%PageBoundingBox: 0 0 458 269
-userdict begin
-DisplayImage
-0 0
-458.484 269.21
-12.000000
-818 481
-1
-0
-0
-12
-000000
-797979
-7F7F7F
-FF0000
-00FF00
-0000FF
-808080
-C0C0C0
-DFDFDF
-E0E0E0
-F2F2F2
-FFFFFF
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
-0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808020A08080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808020A0808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808020A080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808020A08080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808020A0808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08020A080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808020A08080808080808
-080808000000000808000808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808020A0808080808080808080800080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808020A080808080808080808080008080808080008080008080800000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808020A08
-080808080808080808000808080808000808000808000808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808020A0808080808080808080800
-000000080800080800080800080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808020A080808080808080808080008080808080008080008
-080000000000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808020A08080808080808080808000808080808000808000808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808020A0808080808
-080808080800080808080800080800080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808020A080808080808080808080008080808
-080008080008080800000000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808020A08080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080802
-0A0808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808020A080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808020A08080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808020A0808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808020A080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808020A08080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808020A0202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020202020202020202020202020202020202020202020202020202020202020202020202
-020208080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080809090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090808080808080808080809090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090808080808080808080909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090906080808080808
-080808080909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090906
-080808080808080808090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909060608080808080808080808090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909090909090909090909090909
-090909090909090909090909090909090909090909090909060608080808080808080809
-090908080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080606060808080808080808080809090908080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080606060808080808080808080909090801010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010B08060606
-080808080808080808080909090801010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010101010101010101010101010101010101010101010101010101010101010101010101
-010B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080804040404040404040404040808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080804040404040404040404080808080808080000000000080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080804040404040404040808080808080808000808080800080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080804040404040408
-080808080808080800080808080008080800000008080808000000080800000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080404040404080808080808080808080008
-080800080808000808080008080008080800080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080404040808080808080808080808000000000808080800080808
-000808000808080008080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080408080808080808080808080800080800080808080008080800080800080808000808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080008080800080808000808080008080008080800080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808000808080800
-080800080808000808000808080008080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080800080808080800080800000008080808
-000000080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080007070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000707070707070707070707070707070707070707
-070707070707070707070707030307070303030307070707070707070707070707070707
-070707070707030307070707070707070707070707070707070707070707070707070707
-070707070700080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800070707070707070707070707070707070707070707070707070707070707
-070703070707030707070307070707070707070707070707070707070707070707030707
-070707070707070707070707070707070707070707070707070707070707070008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707070707070307070703070707
-030707030707070307070307030307070303030707070703070707070707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808030308080808080808080808080808080808000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070707070707030707070307070703070703070707030707
-030307070703070707030707070307070707070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080803
-030308080808080808080808080808080800080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800070707070707070707070707070707070707070707070707
-070707070707070703070707030303030707070307070703070703070707070307070703
-070707030707070707070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080303030303080808080808
-080808080808080008080800080800080808000808000800000808000000080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080007070707070707070707070707070707070707070707070707070707070707070307
-070703070707070707030707070307070307070707030303030307070703070707070707
-070707070707070707070707070707070707070707070707070707000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808030303030303080808080808080808080808000808
-080008080008080800080800000808080008080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000707070707070707
-070707070707070707070707070707070707070707070707030707070307070707070703
-070707030707030707070703070707070707070307070707070707070707070707070707
-070707070707070707070707070707070700080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080803030303030303080808080808080808080800000000080808000808080008
-080008080808000808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800070707070707070707070707070707070707
-070707070707070707070707070703070707030707070707070307070303070703070707
-070307070707070707030707070707070707070707070707070707070707070707070707
-070707070707070008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080303030303
-030808080808080808080808080008080808080800080808000808000808080800000000
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080007070707070707070707070707070707070707070707070707070707
-070707070307070703070707070707070303070307070307070707070303030307070703
-070707070707070707070707070707070707070707070707070707070707070707000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808030303030308080808080808080808
-080808000808080808080008080800080800080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000707
-070707070707070707070707070707070707070707070707070707070707030707070707
-070707070707070707070707070707070707070707070707070307070707070707070707
-070707070707070707070707070707070707070707070700080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080803030303080808080808080808080808080800080808080808
-000808000008080008080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800070707070707070707070707
-070707070707070707070707070707070707070703030707070707070707070707070707
-070707070707070707070707070703030707070707070707070707070707070707070707
-070707070707070707070707070008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080303030808080808080808080808080808080008080808080808000008000808000808
-080808000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080007070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808030308080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070700080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080303080808080808080808
-080808080808080008080808080008080808000000080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808030303080808080808080808080808080808000808
-080808000808080008080800080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080803030303030808080808080808080808080800080808080800080800080808
-080800080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080303030303
-030808080808080808080808080008080808080008080008080808080008080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808030303030303030808080808080808
-080808000000000000000808000808080808000808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080803030303030308080808080808080808080800080808080800
-080800080808080800080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080303030303080808080808080808080808080008080808080008080008080808080008
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808030303030808080808
-080808080808080808000808080808000808080008080800080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080803030308080808080808080808080808080800
-080808080800080808080000000808080800000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080303080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808040404040404040404040408080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808040404040404040404040808080808080800080808080808080808080808
-080808080808080808080800080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808040404
-040404040408080808080808080008080808080808080808080808080808080808080808
-080008080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808040404040404080808080808
-080808000808080808080000000808080008000008080000080808000800000008080808
-000000080008080800000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080804040404040808080808080808080800080808080800
-080808000808000008080000080800080800000808080008080008080800000808000808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080804040408080808080808080808080008080808080808080800080800080808
-000808080008080008080808000808000808080800080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080804080808
-080808080808080808000808080808080000000008080008080800080808000808000808
-080800080800080808080008080800000000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080800080808000808000808080008080800080800080808080008080008080808
-000808000808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080008080800
-080800080808000808080008080000080808000808000808080000080800080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000008080000000000080008080800080808
-000808000800000008080808000000080008080800000000000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080007070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000707070707070707070707070707070707070707
-070707070707070707070707070303070703070707070703070707070303030707070703
-070707070703030707070707070707070707070707070707070707070707070707070707
-070707070700080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800070707070707070707070707070707070707070707070707070707070707
-070707030707070307070707070307070703070707030707070307070707070703070707
-070707070707070707070707070707070707070707070707070707070707070008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707070707070703070707030707
-070707030707030707070707030707030707070707070307070707070707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070707070707070307070703070707070703070703070707
-070703070703070707070707030707070707070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800070707070707070707070707070707070707070707070707
-070707070707070707030707070303030303030307070307070707070307070307070707
-070703070707070707070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080007070707070707070707070707070707070707070707070707070707070707070703
-070707030707070707030707030707070707030707030707070707070307070707070707
-070707070707070707070707070707070707070707070707070707000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000707070707070707
-070707070707070707070707070707070707070707070707070307070703070707070703
-070703070707070703070703070707070707030707070707070707070707070707070707
-070707070707070707070707070707070700080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800070707070707070707070707070707070707
-070707070707070707070707070707030707070307070707070307070703070707030707
-070307070707070703070707070707070707070707070707070707070707070707070707
-070707070707070008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080007070707070707070707070707070707070707070707070707070707
-070707070703070707030707070707030707070703030307070707030303030307070307
-070707070707070707070707070707070707070707070707070707070707070707000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505080808080808080808080808080808080808000000000808080808080808
-080808080808000808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000707
-070707070707070707070707070707070707070707070707070707070707070307070707
-070707070707070707070707070707070707070707070707030707070707070707070707
-070707070707070707070707070707070707070707070700080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050505080808
-080808080808080808080808080008080808080808080808080808080808080800080808
-080808080808080808080808000808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800070707070707070707070707
-070707070707070707070707070707070707070707030307070707070707070707070707
-070707070707070707070707070303070707070707070707070707070707070707070707
-070707070707070707070707070008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050505050808080808080808080808
-080800080808080808080800000008080808000000080008080800000008080808080808
-080800080800080000080800000008080800000008080808000000000808080000000808
-080008000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080007070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050505050808080808080808080808080008080808080808
-000808080008080008080800000808000808080008080808080808080008080000080800
-080800080808000808080008080008080800080800080808000808000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070700080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505050505050808080808080808080808000808080808080800080808000808000808
-080800080800080808000808080808080808000808000808080008080008080800080808
-000808000808080008080008080800080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050505050508080808
-080808080808080800080808080808080008080800080800080808080008080000000000
-080808080808080800080800080808000808000808080000000000080800080808000808
-000000000008080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505080808080808080808080808080008
-080808080808000808080008080008080808000808000808080808080808080808080008
-080008080800080800080808000808080808080008080800080800080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000000000800000000000000080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050808080808080808080808080808080008080808080800080808
-000808000808080000080800080808080808080808080808000808000808080008080008
-080800080808080808000808000008080008080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000000000008080800000808080808000008080800000000000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050508
-080808080808080808080808080808080000000008080800000008080808000000080008
-080800000000080808080808080800080800080808000808080008080800000000080808
-000008000808080000000008080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000000000008080808080808000808
-080808080808080008080808080808000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-000008080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000000000008080808080808080808000008080808080808080808080000
-080808080808080808080000000000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000000000008080808
-080808080808080808000008080808080808080808080808080800000808080808080808
-080808080800000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000000000008080808080808080808080808080808080008
-080808080808080808080808080808080808000808080808080808080808080808080808
-000000000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000000
-000008080808080808080808080808080808080808080000080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080000000000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000000000008080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080800000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000000000008080808080808080808080808080808080808080808080808080000
-080808080808080808080808080808080808080808080808080808080800000808080808
-080808080808080808080808080808080808080808000000000000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000000000808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080800000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000808080808080808080808080808080808080808080808
-080808080808080808080800000808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808000000000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808080808080808080808080808080808080808080808
-080808080808080000000000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000000
-000008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050808080808080808080808080808
-080800080808080808080808080808080808080808080808080800080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800000000000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080000000000080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050808080808080808080808080808080008080808080808
-080808080808080808080808080808080008080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505050508080808080808080808080808000808080808080000000808080008000008
-080000080808000800000008080808000000080008080800000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000000000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050505050508080808
-080808080808080800080808080800080808000808000008080000080800080800000808
-080008080008080800000808000808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800000000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000000000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505050508080808080808080808080008
-080808080808080800080800080808000808080008080008080808000808000808080800
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800000000
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050505080808080808080808080808000808080808080000000008
-080008080800080808000808000808080800080800080808080008080800000000080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000000000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050808080808080808080808080800080808080800080808000808000808080008080800
-080800080808080008080008080808000808000808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-000000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050508080808080808080808
-080808080008080808080008080800080800080808000808080008080000080808000808
-000808080000080800080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505080808080808080808080808080808000000000008
-080000000000080008080800080808000808000800000008080808000000080008080800
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000000000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080000080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000000000000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000000000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080000080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000000000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000000000080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080000000000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000000000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080000000000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000000000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080000000000080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080000000000080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000000000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800000000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080000000000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000000000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050508080808080808080808080808080808080800000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080800000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000008080808080808080808080808
-080808080808000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000080808
-080808080808080808080808080808080000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000808080808080808080808080808080808080800000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000008080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050508080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505080808080808080808080808080008
-080808080808080000000808080008000008080000080808000800000808000008080800
-080808000800000008080800000008080000000808000808080000000808080008000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050505080808080808080808080808000808080808080800080808
-000808000008080000080800080800000808000008080008080008080800080800080808
-000808080008080008080800080800080808000808000008080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050505080808080808080808080800080808080808080008080800080800080808000808
-080008080008080800080808000808000808080008080008080808080808000808000808
-080008080008080800080800080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050505050808080808080808
-080808080008080808080808000808080008080008080800080808000808000808080008
-080800080800080808000808000808080800000000080800080808000808000808080008
-080008080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808000707070707070707070707070700000000
-070707070707070707070707070700070707070707070707070707070707000707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070007070707070707070707070707070707
-070707070707070007070707070707070707070700070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070000000007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070007070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-000707070707000707070707070707070707070707000000070707070707070707070707
-070700070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050508080808080808080808080808000808080808
-080800080808000808000808080008080800080800080808000808080008080008080800
-080800080808000808080008080008080800080800080808000808000808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080800070707070707070707070707000707070707070707070707070707
-070707070007070707070707070707070707070700070707070707070707000707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707070707000707070707070707070707070707070707070707070707000707
-070707070707070707070007070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070700070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000707070707070707070700070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070700070707070707070707
-070707070700070707070007070700070707070707070707070707070007070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505080808080808080808080808080808000808080808080008080800080800
-080808000808080008080008080800080808000808000808000008080008080800080808
-000808000808080008080008080800080800080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080007
-070707070707070707070007070707070707070000000707070700000007000707070000
-000707070707070707070007070007000007070000000707070000000707070700000000
-070707000000070707000700000707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070707070700
-070707070707000000070707000700000707000007070700070000000707070700000007
-000707070000000707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707000707070707
-070707000000070707000700000707000007070700070000070700000707070007070700
-070000000707070000000707000000070700070707000000070707000700000707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070007070707070007070700000007000000070700
-070707070700070700070000070700000007000707070000000707070007000007070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050808080808
-080808080808080808080808000000000808080000000808080008080800080808000808
-000808080008080800080808000008000808080008080800000000000808000808000808
-080000000808080008080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808000707070707070707070707
-000707070707070700070707000707000707070000070700070707000707070707070707
-000707000007070007070007070700070707000707000707070007070007070700070700
-000707070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070707070007070707070007070700
-070700000707000007070007070000070707000707000707070000070700070707000707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070700070707070707070007070700070700
-000707000007070007070000070700000707000707000707070007070007070700070707
-000707000707070007070007070700070700000707000707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707000707070707000707000707070707000707070007070707070007070000
-070707000707070000070700070707000707000007070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050508080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080800070707070707070707070700070707070707070007
-070700070700070707070007070007070700070707070707070700070700070707000707
-000707070007070700070700070707000707000707070007070007070707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707070707000707070707070707070007070007070700070707
-000707000707070700070700070707070007070707070700070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070007070707070707000707070007070007070700070707000707
-000707070007070700070700070707000707000707070707070700070700070707000707
-000707070007070007070700070707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070700070707
-070700070700070707070700070707000707070707000707000707070700070707070007
-070007070700070700070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080007070707070707070707070007070707070707000707070007070007070707
-000707000000000007070707070707070007070007070700070700070707000000000007
-070007070700070700000000000707000707070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070707070700070707070707000000000707000707070007070700070700070707070007
-070007070707000707070000000007070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-000707070707070700070707000707000707070007070700070700070707000707070007
-070007070700070700070707070000000007070007070700070700070707000707000707
-070007070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070007070707070007070700000707
-070007070700070707070700070700070707070007070707000707000000000007070007
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808000707070707
-070707070707000707070707070700070707000707000707070700070700070707070707
-070707070707000707000707070007070007070700070707070707000707070007070007
-070707070700070707070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070707070707070707070707070707070007070707
-070007070700070700070707000707070007070007070707000707000707070700070700
-070707000707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070700070707070707070007
-070700070700070707000707070007070007070700070707000707000707070007070007
-070700070707000707000707070007070007070700070700070707000707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707000707070707000707070707000707000707070007070707
-070007070007070707000707070700070700070707070707000707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080800070707070707070707070707000707
-070707070007070700070700070707000007070007070707070707070707070700070700
-070707000707000707070007070707070700070700000707000707070707070007070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070707070707070707070707070707000707070707000707070007070007
-070700070707000707000007070700070700070707000007070007070700070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070700070707070707000707070007070007070700
-070707000707000707070007070700070700070700000707000707070007070700070700
-070707000707000707070007070007070700070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070700070707070700070707070700070700070707070007070700070707000707070700
-070707000007070007070707070700070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080007070707070707070707070707000000000707070000000707
-070700000007000707070000000007070707070707070007070007070700070707000707
-070000000007070700000700070707000000000707000707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070707
-070707070707070707070700000000000707000000000007000707070007070700070700
-070000000707070700000007000707070000000000070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070700000000070707000000070707000707070007070700070700070707
-000707070007070700000700070707000707070000000000070700070700070707000000
-070707000707070007070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070707070707070707070707070000000000070007
-070000000707070700070707070000000707070700070707070700000007000707070000
-000007070007070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000000000707070707070707070707070707070707070707070707070707
-070007070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070700000000070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000808080808080808080808080808080808080800000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000008080808080808080808080808
-080808080808000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000080808
-080808080808080808080808080808080000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505080808080808080808080808080808080000
-000008080808080808080808080808080800000000000808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505080808080808080808080808080808000808080008080808080808
-080808080808080008080808000808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080800000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050808080808080808080808080800080808000808080000000808080008000008000808
-080800080808000000080808080000000800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050505050808080808080808
-080808080008080800080800080808000808000008080800080808000808080008080800
-080800080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080800000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050505050808080808080808080808000000000808
-080808080800080800080808080000000008080808000808080008080008080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505050508080808080808080808080800080808080808080000000008080008
-080808000808000808080800000000000808000808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080800
-000008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050505080808
-080808080808080808080008080808080800080808000808000808080800080808000808
-080008080808080800080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505050808080808080808080808080808
-000808080808080008080800080800080808080008080808000808000808080808080008
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050508080808080808080808080808080800080808080808080000
-000000080008080808000808080808000808000000000808080000000800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080000
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000000080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050808
-080808080808080808080808080800000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050808080808080808080808
-080808080008080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050508080808080808080808080808000808080808
-000000080808000000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800000808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505050508080808080808080808080800080808080808000808080008080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000000080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050505050508
-080808080808080808080000000000080800080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505050505080808080808080808080808
-000808080808080008080808000000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000000080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050505050808080808080808080808080800080808080808000808
-080008080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-050508080808080808080808080808080008080808080800080808000808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050505080808080808080808
-080808080808000000000000080800080808000000000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000008080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000008080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080000080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000008080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080000080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000808080808080808080808080808080808080800000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070700080808080808
-080808080808080808080808080007070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070008080808080808080808080808080808
-080808000707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070700080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080800070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-070707070707070700070707070700070707070707070707070707070707000707070707
-070707070707070707070707070707000707000707070707070707070707070707070707
-070700070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070700000000070707070707070707070707070707000000000007070707070707070707
-070707070700070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050508080808080808080808080808080808000808080808
-000808080808080808080808080808080008080808080808080808080808080808080808
-080008080008080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080007070707070707070007
-070707070707070707070707070007070707070700070707070707070707070707070707
-070707070700070707070707070707070707070707070707000707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080800
-070707070707070707070707070707070707070707070707070707070007070700070707
-070707070707070707070700070707070007070707070707070707070707070007070707
-070707070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050508080808080808080808080808080800080808080808080808080808080800
-080808080808000808080808080808080808080808080808080808000808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000707070707070707000707070707000707070000
-000700000007070707000700070707000700000007070700070000000707070007070007
-070700000007070700000007070000000707000707070000000707070007000007070707
-070707070700080808080808080808080808080808080808080007070707070707070707
-070707070707070707070707070707070707000707070007070700000007070700070000
-070007070707000707070000000707070700000007000707070707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050505080808
-080808080808080808080008080808080008080800000008000000080808080008000808
-080008000000080808000800000008080800080800080808000000080808000000080800
-000008080008080800000008080800080000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800070707070707070700070707070700070700070707070700070707070700
-070007070700000707070007070000070707000707000707000707000707070707000707
-070007070007070700070700070707000707000007070007070707070707070008080808
-080808080808080808080808080808000707070707070707070707070707070707070707
-070707070707070700070707000707000707070007070000070707000707070007070700
-070707000707000707070000070707070707070707070707070707070707070707070707
-070707070700080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505050505080808080808080808080808
-000808080808000808000808080808000808080808000800080808000008080800080800
-000808080008080008080008080008080808080008080800080800080808000808000808
-080008080000080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080007070707
-070707070007070707070007070007070707070007070707000707070007070007070707
-000707000707070700070700070700070700070707070707070707000707000707070007
-070007070700070700070707000707070707070707000808080808080808080808080808
-080808080800070707070707070707070707070707070707070707070707070707070000
-000007070707070707000707000707070700000000070707070007070700070700070707
-070007070707070707070707070707070707070707070707070707070707070008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050505050505080808080808080808080800080808080800080800
-080808080800080808080008080800080800080808080008080008080808000808000808
-000808000808080808080808080008080008080800080800080808000808000808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000707070707070707000707070707
-000707070000070707000707070700070707000707000707070700070700070707070007
-070007070007070007070707070700000000070700070707000707000707070007070007
-070700070707070707070700080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707000707070707070700000000
-070700070707070007070007070707000000000007070007070707000707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-050505050808080808080808080808080008080808080008080800000808080008080808
-000808080008080008080808000808000808080800080800080800080800080808080808
-000000000808000808080008080008080800080800080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800070707070707070700070707070700070707070700070700
-070707000000000000000700070707070007070007070707000707000707000707000707
-070707000707070007070007070700070700070707000707000707070007070707070707
-070008080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070700070707070707000707070007070007070707000707
-070007070700070707070707000707070700070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050505050508080808080808
-080808080808000808080808000808080808000808000808080000000000000008000808
-080800080800080808080008080008080008080008080808080008080800080800080808
-000808000808080008080008080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080007070707070707070007070707070007070707070007070007070700070707070700
-070000070707000707000007070700070700070700070700070707070700070707000707
-000707070007070007070700070700070707000707070707070707000808080808080808
-080808080808080808080800070707070707070707070707070707070707070707070707
-070707070007070707070700070707000707000707070700070707070007070007070707
-070700070707000007070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050505080808080808080808080808080800080808
-080800080808080800080800080808000808080808000800000808080008080000080808
-000808000808000808000808080808000808080008080008080800080800080808000808
-000808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000707070707070707
-000000000007000707000000070707070007000707070707070700000700000007070700
-070000000707070007070007070700000007070700000000000707000707000707070000
-000707070007070700070707070707070700080808080808080808080808080808080808
-080007070707070707070707070707070707070707070707070707070707000707070707
-070700000000000700070707070007070707070007070000000007070700000007000707
-070707070707070707070707070707070707070707070707070707000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505050808080808080808080808080808080000000000080008080000000808
-080800080008080808080808000008000000080808000800000008080800080800080808
-000000080808000000000008080008080008080800000008080800080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800070707070707070707070707070707070707
-070707070707070707070707070707070700070707070707070007070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070008080808080808080808080808080808080808000707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070700080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050508080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080007070707070707070707070707070707070707070707070707070707
-070707070707070007070707070707000707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707000808
-080808080808080808080808080808080800070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070700080808080808080808080808
-080808080808080007070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070008080808080808080808080808080808080808000707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070700080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080007070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707000808080808080808080808080808080808080800070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000080808080808
-080808080808080808080808080000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808000000000000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080800000000000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080000000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808000000
-000000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080800000000000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080000000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505080808080808
-080808080808080808000000000000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000000000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080000000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050505050808080808080808080808080808080008080808000808
-080808000008000000080808080000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000000000000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-050505050808080808080808080808080808000808080800080808080800000008080800
-080800080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050505050505050808080808
-080808080808080800080808080800080808000800080808080008080008080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050505050508080808080808080808080808080008
-080808080008080800080008080808000808000000000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000000000000080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505050505080808080808080808080808080808000808080808080008000808
-000808080800080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800000000
-000008080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050505050808
-080808080808080808080808080800080808080808000800080800000808080008080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080000000000080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050508080808080808080808080808
-080808080008080808080808000808080008000000080808080000000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000000000008080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505080808080808080808080808080808080808080808080808
-080800080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000000808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000000000000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080000000000000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808000000000000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080800
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808000000000000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080800000000000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080000000000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000000000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050808080808080808080808080808080800080808080800080808
-080808080808080808080800000008080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000000000000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-050808080808080808080808080808080008080808080808080808080808080008080808
-000808080008080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000000000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050505050508080808080808
-080808080808000808080808000808080000000800000008080008080808080008080008
-000008080000000800080808000000080808000800000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000000000000808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050505050508080808080808080808080800080808
-080800080800080808080800080808000808080808000808000008080800080808000008
-080008080800080800000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000000
-000000080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505050505050508080808080808080808080008080808080008080008080808
-080008080800080808080800080800080808080008080808000808000808080008080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000000000008
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050505050505
-080808080808080808080808000808080808000808080000080808000808080008080808
-080008080008080808000808080800080800000000000808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000000000000808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050505050808080808080808080808
-080800080808080800080808080800080800080808000808080808000808000808080800
-080808080008080008080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000000000000080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050508080808080808080808080808080008080808080008
-080808080008080008080808000808080008080800080808080008080800000808000808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800000000000008080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505080808080808080808080808080808000000000008000808000000080808080008
-080808000000080808080008080808080000000800080808000000000808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000080808080808080808080808080808080808080000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000808080808080808080808080808080808
-080800000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080800070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080007
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080800070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080007070707070707070707070707070707070707070707070707070707070707
-070707000000000000000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070707070707070707070707070707070707070000000000000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707070707070007070707070007070707070707070707070700
-000000070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808000707070707
-070707070707070707070707070707070707070707070707070707070707070700070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070707070707070707070707070707070707070707
-070707070707070707000707070707070007070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070707070707000707070707070707070707070707000707070007070700070707070707
-070707000707070707070707070707070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080800070707070707070707070707070707
-070707070707070707070707070707070707070707070007070707000707070707000007
-000000070707070000000707070707070707070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-070707070700000007070700000007070707070707070707070707070707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070707070707070707070707070707070700070707
-070700070707000000070000000707000707070007070700000007070000000707070000
-000707070707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080007070707070707070707070707070707070707070707070707
-070707070707070707070707000707070700070707070700000007070700070700070707
-000707070707070707070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070707
-070707070707070707070707070707070707070707070707070007070707070700070707
-000707070007070707070707070707070707070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070707070707070707070707070707070007070707070007070007070707
-070007070700070707000707000707070007070007070700070707000707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070700070707070700070707000700070707070007070007070700070707070707070707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070707070707070707070707
-070707070707070707070707070707000000000007070007070707070707000707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070707
-070707070707070707070707000707070707000707000707070707000707070000000007
-070700070707000707000707070707070700070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070007070707070007
-070700070007070707000707000000000007070707070707070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070700070707070707000707070700000000070707070707070707070707070707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070707070707070707070707
-070700070707070700070707000007070700070707000707070007070000000000070700
-070707070000000007070707070707070707070707070707070707070707070707070707
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707000707070707070007000707000707070700
-070700070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707070707070707070707070707070007070707
-070700070707000707070007070707070707070707070707070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070707070707070707070707070007070707070007
-070707070007070007070700070707000707000707070707070007070700070707000707
-070707070707070707070707070707070707070707070707070700080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050508080808080808080808
-080808080808000808080808000808080808080808080808080000000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070700070707070707000700070700000707070007070007070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070707070707070707070707070707000707070707070007070700070707
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707070707070707070707000707070707000707070707000707000707
-070007070700070700070707070707000707070007070700070707070707070707070707
-070707070707070707070707070707070008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050508080808080808080808080808080800080808
-080808080808080808080800080808000808080008080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070007
-070707070707000707070007000000070707070000000007070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070700000000000007070007070700000000000707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-070707070707070700000000000700070700000007070707000707000000000707070700
-000000070707000707070000000000070707070707070707070707070707070707070707
-070707070707000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505050505080808080808080808080808080008080808080008080800000008
-000000080800080808000808080000000808000000080808000000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700070707
-000707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070700080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050505050505
-080808080808080808080808000808080808000808000808080808000808080008080800
-080800080808000808000808080008080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707000707070700070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050505050505080808080808080808
-080800080808080800080800080808080800080808000000000808080008080800080800
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050505050808080808080808080808080008080808080008
-080800000808080008080800080808000808000000000008080008080808000000000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505050508080808080808080808080808000808080808000808080808000808000808
-080008080800080800080808080808000808080008080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808000707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050505080808080808
-080808080808080800080808080800080808080800080800080808000808080008080008
-080808080800080808000808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080800000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000008
-080808080808080808080808080808080808000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000080808080808080808080808080808080808080000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050808080808080808080808080808080000
-000000080008080000000808080800080800000000080808080000000008080800080808
-000000000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000800000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050508080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080800000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800000808080808000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000008080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080800000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000008080808080808080808080808080800
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080000080808
-080808080808080808080808080808080808000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080800000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080800000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800000808080808080808080808080808
-080808080808080808080808080808080808080808000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000808080808080808080808080808080808080808080808080808
-080808080808080808080808080000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080505080808080808080808080808080808080008080808080808080808080808
-080008080808080808080808080808080808080800000000000000080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080800000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808050505080808
-080808080808080808080808000808080808080808080808080808000808080808080808
-080808080808080008080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050505050808080808080808080808
-080800080800080000080808080000000800080800080808000808080000000800000008
-080808000808080808080000000808080008000008000800000808000008080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050505050808080808080808080808080008080000080800
-080800080808000008080008080800080800080808080800080808080800080808080800
-080808000808000008080800000808000008080008080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505050505050808080808080808080808000808000808080008080008080808000808
-000808080008080008080808080008080808080008080808080008080800080800080808
-080008080800080808000808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050505050508080808
-080808080808080800080800080808000808000808080800080800080808000808000808
-080808000808080808000808080808000000000008080008080808000808080008080800
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505080808080808080808080808080008
-080008080800080800080808080008080008080800080800080808080800080808080800
-080808080800080808080808000808080800080808000808080008080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080800000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050808080808080808080808080808000808000808080008080008
-080800000808000808000008080008080808080008080808080008080808080008080808
-080800080808080008080800080808000808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050508
-080808080808080808080808080800080800080808000808080000000800080808000008
-000808080000000808080008080808000808080808080000000008080008080808000808
-080008080800080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080000
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080800000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080000080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080805050808080808080808080808080808
-080800000000000808080808080808080808080808080808080808080808080808080808
-080800080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080505050808080808080808080808080808000808080808080008
-080808080808080808080808080808080808080808080808080808080000080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050505050508080808080808080808080800080808080800000008080008000008080000
-000808080008000008080808000000000808000800080808000808080000000808080008
-000008000800000808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000080808080808080808080808080808080808080000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050505050508080808
-080808080808080800080808080800080808000008080800080808000808000008080008
-080008080800080800080008080800080800080808000808000008080800000808000008
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070008080808
-080808080808080808080808080808000707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070700080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505050508080808080808080808080800
-000808080008080800080808080008080800080800080808000808000808080008080008
-080008080008080008080800080800080808080008080800080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080800070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050505080808080808080808080808080808000808000808080008
-080808000808080008080008080800080800080808000808000808080008000808000808
-080008080008080808000808080008080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050808080808080808080808080808080800080800080808000808080800080808000808
-000808080008080008080800080800080808000800080800080808000808000808080800
-080808000808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050508080808080808080808
-080808080808080008080008080800080808080008080800080800080808000808000808
-000008080008080808000008080008080800080800080808080008080800080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080007070707070707070707070707070700070707070707070707070707070700070707
-070707070707070707070707070707000000000000000707070707070707070707070707
-070707070707070707070700070707070707070707070707070707000808080808080808
-080808080808080808080800070707070707070707070707070700070707070700070707
-070707070707070707070707070707070707070707070707070707070700070700000000
-070707070707070707070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505080808080808080808080808080800000000080808
-080008080008080808080000000808080008080800080808000008000808000808080808
-000808080000000808080008080808000808080008080800080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000707070707070707
-070707070707070007070707070707070707070707070007070707070707070707070707
-070700070707070700070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070700080808080808080808080808080808080808
-080007070707070707070707070707070000070707070007070707070707070707070707
-070707070707070707070707070707070707070007070007070707070707070707070707
-070707070707070707070707070707070707070707070707070707000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800070707070707070707070707070707000707
-000700000707070700000007000707000707070007070700000007000000070707070007
-070707070700000007070700070000070007000007070000070707000707070707070707
-070707070707070008080808080808080808080808080808080808000707070707070707
-070707070707000700070707000707070000000707070007000007000700000707000007
-070707000000070707000707000707070707070000000707070007000007000700000707
-000007070707070707070707070707070700080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080007070707070707070707070707070700070700000707000707000707
-070000070700070707000707000707070707000707070707000707070707000707070007
-070000070707000007070000070700070700070707070707070707070707070707000808
-080808080808080808080808080808080800070707070707070707070707070700070007
-070700070700070707000707000007070700000707000007070007070007070700070700
-070700070707070700070707000707000007070700000707000007070007070707070707
-070707070707070008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000707
-070707070707070707070707070007070007070700070700070707070007070007070700
-070700070707070700070707070700070707070700070707000707000707070700070707
-000707070007070007070707070707070707070707070700080808080808080808080808
-080808080808080007070707070707070707070707070007070007070007070007070700
-070700070707070007070700070707000707070707070007070007070000000007070007
-070700070700070707070007070700070707000707070707070707070707070707000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800070707070707070707070707
-070707000707000707070007070007070707000707000707070007070007070707070007
-070707070007070707070000000000070700070707070007070700070707000707000707
-070707070707070707070707070008080808080808080808080808080808080808000707
-070707070707070707070707000707070007000707000707070007070007070707000707
-070007070700070707000000000707000707000707070707000707070007070007070707
-000707070007070700070707070707070707070707070700080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080007070707070707070707070707070700070700070707
-000707000707070700070700070707000707000707070707000707070707000707070707
-000707070707070007070707000707070007070700070700070707070707070707070707
-070707000808080808080808080808080808080808080800070707070707070707070707
-070700070707000700070700070707000707000707070700070707000707070007070007
-070700070700070700070707070700070707000707000707070700070707000707070007
-070707070707070707070707070008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000707070707070707070707070707070007070007070700070700070707000007
-070007070000070700070707070700070707070700070707070700070707070707000707
-070700070707000707070007070007070707070707070707070707070700080808080808
-080808080808080808080808080007070707070707070707070707070007070707000007
-070007070700070700070707070007070700070707000707000707070007070007070007
-070707070007070700070700070707070007070700070707000707070707070707070707
-070707000808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800070707070707
-070707070707070707000707000707070007070700000007000707070000070007070700
-000007070700070707070007070707070700000000070700070707070007070700070707
-000707000707070707070707070707070707070008080808080808080808080808080808
-080808000707070707070707070707070707000707070707000707070000000707070007
-070707000707070007070700070707000000000007000707000707070707070000000707
-070007070707000707070007070700070707070707070707070707070700080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080800070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808080808080808080808080808080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080007070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707000808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808000707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080808080808080808
-080808080808080808080808080808080808080808080808080007070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080800
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-050508080808080808080808080808080808000808080808000808080808080808080808
-080808080808080808080808080808080808080808000808000000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800000808080808080808080808080808080808080808
-080808080808080808080808080808000707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070700080808080808080808080808080808080808080007070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707000808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080805050508080808080808
-080808080808080800000808080800080808080808080808080808080808080808080808
-080808080808080808080800080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080800000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000008080808
-080808080808080808080808080808000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505050505080808080808080808080808080008
-000808080008080800000008080800080000080008000008080000080808080000000808
-080008080008080808080800000008080800080000080008000008080000080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000000000000080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505050505080808080808080808080808000800080808000808000808
-080008080000080808000008080000080800080800080808000808000808000808080808
-000808080008080000080808000008080000080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080000000000000008
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050505080808080808080808080800080800080800080800080808000808000808080800
-080808000808080008080808080800080800080800000000080800080808000808000808
-080800080808000808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000000000000080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050505050808080808080808
-080808080008080800080008080008080800080800080808080008080800080808000808
-080000000008080008080008080808080008080800080800080808080008080800080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080000000000
-000008080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050508080808080808080808080808000808080008
-000808000808080008080008080808000808080008080800080800080808000808000808
-000808080808000808080008080008080808000808080008080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000000000000080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505080808080808080808080808080800080808080000080800080808000808
-000808080800080808000808080008080008080800080800080800080808080800080808
-000808000808080800080808000808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000000000008080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050808080808
-080808080808080808080008080808080008080800000008080800080808080008080800
-080808000808080000000000080008080008080808080800000008080800080808080008
-080800080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000000000000000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050508080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800000000000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000000000000000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800080808080808
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800000000000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000000000000000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000000000000000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080800000000000008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808000000000000
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080808
-080808080808080808080808080800000000000008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080000
-000000000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080800000000000000080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080505080808080808080808080808080808080000
-000000080808080808080808080808080808080808080808080808000808080808080808
-080808080808080808080800080800080808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080000000000000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808050505080808080808080808080808080800080808080808000808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080008080808080808080808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000808080808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080800000000000000080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050505
-050808080808080808080808080008080808080000000808080000000808080008000008
-080808000000080008080800000008080800080000080800000008000808000808000000
-000008080800000008080000000808000808080000000808080008000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-080808080808080808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080000000000000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050505050808080808080808
-080808080008080808080008080800080808000808000008080008080008080800000808
-000808080008080000080808000808080000080800080808080808000808000808080008
-080008080800080800080808000808000008080008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080800000000000000080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050505050808080808080808080808080000080808
-000808080808080800080800080808000808000808080800080808080808000808000808
-080800080808080008080008080808080008080808080808000808000808080008080008
-080800080800080808000808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800080808080808080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080008080808080808080808080808080808
-080808080808080000000000000808080808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505050508080808080808080808080808080800080800080808080000000008
-080008080800080800080808080008080800000000080800080808080008080808000808
-000808080800080808080800000000080800080808000808000808080008080008080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080800000000000000080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050505080808
-080808080808080808080808080008080008080800080808000808000808080008080008
-080808000808000808080008080008080808000808080800080800080808000808080808
-000808080008080008080800080800080808000808000808080008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080008080808080808080000000000000808080808080808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505050808080808080808080808080808
-080808000808000808080008080800080800080808000808000808080000080800080808
-000808000808080800080808000008080008080008080808080800080808000808000808
-080008080008080800080800080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080008080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080000000000000000
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050508080808080808080808080808080000000008080808000808
-080000000000080008080800080808000000080008080800000000000800080808080800
-000008000808000808000000000008080800000000000808000808000808080000000808
-080008080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000000000000000080808080808080808080808080808
-080808080808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080008080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000000
-000000080808080808080800080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000808
-080808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080000000000000008080808080808080808080808
-080800080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000000000000080808080808080808080808080808080808080808080800080808080808
-080808080808080808080808080808080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000808080808000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080000000000000008080808080808080808
-080808080808080808080808080808080808080800080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000808080800080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000000000000080808080808080808080808080808080808080808080808080808
-080808080808080808080800000808080808080808080808080808080808080008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800080808
-080008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080000000000000008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080808080808080800080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000000000000080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080808080808080808080008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080000000000000008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000808080808080808080808080800
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800080800080808080808080808080808080808080808080808080808080808
-080808080808080808000000000000080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080008080008
-080808080808080808080808080808080808080808080808080808080800000000000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000808080808080808080008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080008000808080808080808080808
-080808080808080808080808000000000000000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000808080808
-080800080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080805050808
-080808080808080808080808080800080808000808080008080808080808080808080808
-080800080808080808000808080808000808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080000080808080808080808080808080808080800000000
-000008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000008080808000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080505050808080808080808080808
-080808080008080800080808000808080808080808080808080808080008080808080800
-000808080800080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080000080808080808080808000000000000000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080008080800080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808050505050508080808080808080808080808080008000800
-080008080800000008080808000000080808000808080008080008000808080008080800
-000008080800080000080008000008080000080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000008080800
-000000000008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080008000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080805050505050508080808080808080808080808000800080008000808000808080008
-080008080800080800080800080808000800080808000808000808080008080000080808
-000008080000080800080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000008
-080808080808080808080808080808080808000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080505050505050508
-080808080808080808080800080008000800080800080808000808080808080008080008
-000808080800080800080800080800080808000808000808080800080808000808080008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808050505050505080808080808080808080808
-080008000800080008080000000000080808000000000808000000080808080008080800
-080008080008080800080800080808080008080800080808000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080007
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707000808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080007070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707000808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080805050505050808080808080808080808080808000800080008000808
-000808080808080008080800080800080800080808000808080008000808000808080008
-080008080808000808080008080800080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070700080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808000707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070700080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080505
-050508080808080808080808080808080808000808080008080800080808080808000808
-080008080008080800080800080808080000080800080808000808000808080800080808
-000808080008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080007070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080800070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070008080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080800070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070008080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808050505080808080808080808
-080808080808080800080808000808080800000000080808000000000008000808080800
-080008080808080008080800000008080800080808080008080800080808000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808000707070707
-070707070707070707070707070007070700070707000707070707070707070707070707
-070007070707070700070707070700070707070707070707070707070707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080007070707070707070707070707070700000000000707070707070707070707
-070707070707070707070707070707070707070700070707070700070707070707070707
-070707070707070707070707070707070707070707070707070707070707000808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080007070707000000000007070707070707070707070707
-070707070707070707070700070707070707070707070707070707070707070007070007
-070707070707070707070707070707070707070007070707070707070707070707070707
-070707000808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080805050808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080800070707070707070707070707070707
-070707000707070007070700070707070707070707070707070707000707070707070000
-070707070007070707070707070707070707070707070707070707070707070707070707
-070707070707070707070008080808080808080808080808080808080808000707070707
-070707070707070707000707070707070007070707070707070707070707070707070707
-070707070707070707070000070707070007070707070707070707070707070707070707
-070707070707070707070707070707070707070700080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808000707070007070707070700070707070707070707070707070707070707070707
-070007070707070707070707070707070707070707000707070707070707070707070707
-070707070700070707070707070707070707070707070707070707070700080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080007070707070707070707070707070707070707000700070007
-000707070000000707070700000007070700070707000707000700070707000707070000
-000707070007000007000700000707000007070707070707070707070707070707070707
-000808080808080808080808080808080808080800070707070707070707070707070700
-070707070700000007070007000007070000000707070007000007070707000000000707
-000700070707000707070000000707070007000007000700000707000007070707070707
-070707070707070707070008080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080800070707000707
-070707000000070707000000070707000700000707070700000007000707070000000707
-070007000007070000000700070700070700000000000707070000000707000000070700
-070707000000070707000700000707070707070008080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-000707070707070707070707070707070707070700070007000700070700070707000707
-000707070007070007070007070700070007070700070700070707000707000007070700
-000707000007070007070707070707070707070707070707070700080808080808080808
-080808080808080808080007070707070707070707070707070700070707070700070707
-000007070700070707000707000007070007070007070700070700070007070700070700
-070707000707000007070700000707000007070007070707070707070707070707070707
-000808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080007070707000707070707000707070007
-070700070700000707000707000707070000070700070707000707000007070700070707
-000007070007070707070700070700070707000707000707070007070007070700070700
-000707000707070707000808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080800070707070707070707
-070707070707070707070007000700070007070007070700070707070707000707000700
-070707070007070007070007070007070700070700070707070007070700070707000707
-070707070707070707070707070707070008080808080808080808080808080808080808
-000707070707070707070707070707070700000707070007070700070707070007070700
-070700070707000707000707070007070007070007070007070007070700070700070707
-070007070700070707000707070707070707070707070707070700080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808000707070707000007070700070707070707070007070007070700
-070700070707070007070707070700070700070707070007070707000707000707070707
-000707070707070700070700070707000707000707070007070007070700070707070700
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080007070707070707070707070707070707070707
-000700070007000707000000000007070700000000070700000007070707000707070007
-000707000707070007070007070707000707070007070700070707070707070707070707
-070707070707000808080808080808080808080808080808080800070707070707070707
-070707070707070707000707000707070007070707000707070007070007070700070700
-070707000707000707070007000707000707070007070007070707000707070007070700
-070707070707070707070707070707070008080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080800
-070707070707070007070007070707000000000707000707070007070007070707000707
-070000000007070007070707000707070700070700070707070007070707070000000007
-070007070700070700070707000707000707070007070707070008080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808000707070707070707070707070707070707070700070007000700070700
-070707070707000707070007070007070007070700070707000700070700070707000707
-000707070700070707000707070007070707070707070707070707070707070700080808
-080808080808080808080808080808080007070707070707070707070707070707070700
-070700070707000707070700070707000707000707070007070007070700070700070707
-000700070700070707000707000707070700070707000707070007070707070707070707
-070707070707000808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080007070707070707000707
-000707070007070700070700070707000707000707070700070700070707000707000707
-070700070707070007070007070700070707070700070707000707000707070007070007
-070700070700070707000707070707000808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080800070707
-070707070707070707070707070707070700070707000707070007070707070700070707
-000707000707070007070007070707000007070007070700070700070707070007070700
-070707000707070707070707070707070707070707070008080808080808080808080808
-080808080808000707070707070707070707070707070707070007070007070700070707
-070007070700070700070707000707000707000007070007070707000007070007070700
-070700070707070007070700070707000707070707070707070707070707070700080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808000707070707070700070700070707000707070007
-070007070700070700070707000007070007070700070700070707070007070700000707
-000707000707070707070007070700070700070707000707000707070007070007070700
-070707070700080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080007070707070707070707070707
-070707070707070007070700070707070000000007070700000000000700070707070007
-000707070707000707070000000707070007070707000707070007070700070707070707
-070707070707070707070707000808080808080808080808080808080808080800070707
-070707070707070707070700000000070707070007070007070707070000000707070007
-070700070707000007000707000707070707000707070000000707070007070707000707
-070007070700070707070707070707070707070707070008080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080800070707000000000707070700070707000000000007000707070007070700
-000007000707070000000000070007070707070000000700070700070700000000000707
-070000000000070700070700070707000000070707000707070007070707070008080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080007070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070700
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707000808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080007070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707000808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808000707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707000000000707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070700080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808000707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070700080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080800070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070008080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080800070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070008080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080007070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707000808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080007070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707000808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080800070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070008
-080808080808080808080808080808080808000707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070700080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808000707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070707070707070707070707070707070707070707
-070707070707070707070707070707070700080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000808080808080808080808
-080808080808080800000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000008
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080800000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000000000000000000000000000000000000000000000000000000000000
-000000000000000008080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080809090908
-010808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080909090801080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808080909090801080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808090909080108080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080808090909080108080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080809090908010808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080B080606060808080808080808
-080809090908010808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080909090801080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080B08060606080808080808080808080909090801080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808090909
-080108080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080B0806060608080808080808080808090909080108080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080809090908010808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080B080606060808
-080808080808080809090908010808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080909090801080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080B08060606080808080808080808080909
-090801080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808090909080108080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080B0806060608080808080808080808090909080108080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080809090908010808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080808080808080808080808080808080808080B
-080606060808080808080808080809090908010808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080909090801080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080B08060606080808080808
-080808080909090801080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808090909080108080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080B0806060608080808080808080808090909080108
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080809
-090908010808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080B080606060808080808080808080809090908010808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080909090801080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080B08060606
-080808080808080808080909090801080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808090909080108080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080B0806060608080808080808080808
-090909080108080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080809090908010808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080B080606060808080808080808080809090908010808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-08080808080808080808080808080808080B080606060808080808080808080909090801
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080B08060606080808080808080808080909090801080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080B08060606080808080808080808090909080108080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080B0806060608080808
-080808080808090909080108080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808080808080808080808080808080808080808080B0806
-060608080808080808080809090908010B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B080606060808080808080808080809090908
-010B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
-0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B080606060808080808080808
-080909090808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808060606080808080808080808080909090808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808060606080808080808080808090909060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060608080808080808080808090909060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060608080808080808080809090606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060808080808080808
-080809090606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060808
-080808080808080906060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606080808080808080808080906060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606060606060606060606060606
-060606060606060606060606060606060606060606060606080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-080808080808080808080808080808080808080808080808080808080808080808080808
-0808080808080808080808080808
-end
-%%PageTrailer
-%%Trailer
-%%EOF
Binary file doc-src/System/document/browser_screenshot.png has changed
--- a/doc-src/System/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,20 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle.pdf ""
-"$ISABELLE_TOOL" logo -o isabelle.eps ""
-
-cp "$ISABELLE_HOME/doc-src/IsarRef/document/style.sty" .
-cp "$ISABELLE_HOME/doc-src/iman.sty" .
-cp "$ISABELLE_HOME/doc-src/extra.sty" .
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/underscore.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/System/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,47 +0,0 @@
-\documentclass[12pt,a4paper]{report}
-\usepackage{supertabular}
-\usepackage{graphicx}
-\usepackage{iman,extra,isar,ttbox}
-\usepackage[nohyphen,strings]{underscore}
-\usepackage{isabelle,isabellesym}
-\usepackage{railsetup}
-\usepackage{style}
-\usepackage{pdfsetup}
-
-\hyphenation{Isabelle}
-\hyphenation{Isar}
-
-\isadroptag{theory}
-
-\isabellestyle{literal}
-
-\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] The Isabelle System Manual}
-
-\author{\emph{Makarius Wenzel} and \emph{Stefan Berghofer} \\
- TU M\"unchen}
-
-\makeindex
-
-
-\begin{document}
-
-\maketitle
-\pagenumbering{roman} \tableofcontents \clearfirst
-
-\input{Basics.tex}
-\input{Interfaces.tex}
-\input{Sessions.tex}
-\input{Presentation.tex}
-\input{Scala.tex}
-\input{Misc.tex}
-
-\begingroup
- \tocentry{\bibname}
- \bibliographystyle{abbrv} \small\raggedright\frenchspacing
- \bibliography{manual}
-\endgroup
-
-\tocentry{\indexname}
-\printindex
-
-\end{document}
--- a/doc-src/TutorialI/Advanced/Partial.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,224 +0,0 @@
-(*<*)theory Partial imports While_Combinator begin(*>*)
-
-text{*\noindent Throughout this tutorial, we have emphasized
-that all functions in HOL are total. We cannot hope to define
-truly partial functions, but must make them total. A straightforward
-method is to lift the result type of the function from $\tau$ to
-$\tau$~@{text option} (see \ref{sec:option}), where @{term None} is
-returned if the function is applied to an argument not in its
-domain. Function @{term assoc} in \S\ref{sec:Trie} is a simple example.
-We do not pursue this schema further because it should be clear
-how it works. Its main drawback is that the result of such a lifted
-function has to be unpacked first before it can be processed
-further. Its main advantage is that you can distinguish if the
-function was applied to an argument in its domain or not. If you do
-not need to make this distinction, for example because the function is
-never used outside its domain, it is easier to work with
-\emph{underdefined}\index{functions!underdefined} functions: for
-certain arguments we only know that a result exists, but we do not
-know what it is. When defining functions that are normally considered
-partial, underdefinedness turns out to be a very reasonable
-alternative.
-
-We have already seen an instance of underdefinedness by means of
-non-exhaustive pattern matching: the definition of @{term last} in
-\S\ref{sec:fun}. The same is allowed for \isacommand{primrec}
-*}
-
-consts hd :: "'a list \<Rightarrow> 'a"
-primrec "hd (x#xs) = x"
-
-text{*\noindent
-although it generates a warning.
-Even ordinary definitions allow underdefinedness, this time by means of
-preconditions:
-*}
-
-definition subtract :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"n \<le> m \<Longrightarrow> subtract m n \<equiv> m - n"
-
-text{*
-The rest of this section is devoted to the question of how to define
-partial recursive functions by other means than non-exhaustive pattern
-matching.
-*}
-
-subsubsection{*Guarded Recursion*}
-
-text{*
-\index{recursion!guarded}%
-Neither \isacommand{primrec} nor \isacommand{recdef} allow to
-prefix an equation with a condition in the way ordinary definitions do
-(see @{const subtract} above). Instead we have to move the condition over
-to the right-hand side of the equation. Given a partial function $f$
-that should satisfy the recursion equation $f(x) = t$ over its domain
-$dom(f)$, we turn this into the \isacommand{recdef}
-@{prop[display]"f(x) = (if x \<in> dom(f) then t else arbitrary)"}
-where @{term arbitrary} is a predeclared constant of type @{typ 'a}
-which has no definition. Thus we know nothing about its value,
-which is ideal for specifying underdefined functions on top of it.
-
-As a simple example we define division on @{typ nat}:
-*}
-
-consts divi :: "nat \<times> nat \<Rightarrow> nat"
-recdef divi "measure(\<lambda>(m,n). m)"
- "divi(m,0) = arbitrary"
- "divi(m,n) = (if m < n then 0 else divi(m-n,n)+1)"
-
-text{*\noindent Of course we could also have defined
-@{term"divi(m,0)"} to be some specific number, for example 0. The
-latter option is chosen for the predefined @{text div} function, which
-simplifies proofs at the expense of deviating from the
-standard mathematical division function.
-
-As a more substantial example we consider the problem of searching a graph.
-For simplicity our graph is given by a function @{term f} of
-type @{typ"'a \<Rightarrow> 'a"} which
-maps each node to its successor; the graph has out-degree 1.
-The task is to find the end of a chain, modelled by a node pointing to
-itself. Here is a first attempt:
-@{prop[display]"find(f,x) = (if f x = x then x else find(f, f x))"}
-This may be viewed as a fixed point finder or as the second half of the well
-known \emph{Union-Find} algorithm.
-The snag is that it may not terminate if @{term f} has non-trivial cycles.
-Phrased differently, the relation
-*}
-
-definition step1 :: "('a \<Rightarrow> 'a) \<Rightarrow> ('a \<times> 'a)set" where
- "step1 f \<equiv> {(y,x). y = f x \<and> y \<noteq> x}"
-
-text{*\noindent
-must be well-founded. Thus we make the following definition:
-*}
-
-consts find :: "('a \<Rightarrow> 'a) \<times> 'a \<Rightarrow> 'a"
-recdef find "same_fst (\<lambda>f. wf(step1 f)) step1"
- "find(f,x) = (if wf(step1 f)
- then if f x = x then x else find(f, f x)
- else arbitrary)"
-(hints recdef_simp: step1_def)
-
-text{*\noindent
-The recursion equation itself should be clear enough: it is our aborted
-first attempt augmented with a check that there are no non-trivial loops.
-To express the required well-founded relation we employ the
-predefined combinator @{term same_fst} of type
-@{text[display]"('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> ('b\<times>'b)set) \<Rightarrow> (('a\<times>'b) \<times> ('a\<times>'b))set"}
-defined as
-@{thm[display]same_fst_def[no_vars]}
-This combinator is designed for
-recursive functions on pairs where the first component of the argument is
-passed unchanged to all recursive calls. Given a constraint on the first
-component and a relation on the second component, @{term same_fst} builds the
-required relation on pairs. The theorem
-@{thm[display]wf_same_fst[no_vars]}
-is known to the well-foundedness prover of \isacommand{recdef}. Thus
-well-foundedness of the relation given to \isacommand{recdef} is immediate.
-Furthermore, each recursive call descends along that relation: the first
-argument stays unchanged and the second one descends along @{term"step1
-f"}. The proof requires unfolding the definition of @{const step1},
-as specified in the \isacommand{hints} above.
-
-Normally you will then derive the following conditional variant from
-the recursion equation:
-*}
-
-lemma [simp]:
- "wf(step1 f) \<Longrightarrow> find(f,x) = (if f x = x then x else find(f, f x))"
-by simp
-
-text{*\noindent Then you should disable the original recursion equation:*}
-
-declare find.simps[simp del]
-
-text{*
-Reasoning about such underdefined functions is like that for other
-recursive functions. Here is a simple example of recursion induction:
-*}
-
-lemma "wf(step1 f) \<longrightarrow> f(find(f,x)) = find(f,x)"
-apply(induct_tac f x rule: find.induct);
-apply simp
-done
-
-subsubsection{*The {\tt\slshape while} Combinator*}
-
-text{*If the recursive function happens to be tail recursive, its
-definition becomes a triviality if based on the predefined \cdx{while}
-combinator. The latter lives in the Library theory \thydx{While_Combinator}.
-% which is not part of {text Main} but needs to
-% be included explicitly among the ancestor theories.
-
-Constant @{term while} is of type @{text"('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a"}
-and satisfies the recursion equation @{thm[display]while_unfold[no_vars]}
-That is, @{term"while b c s"} is equivalent to the imperative program
-\begin{verbatim}
- x := s; while b(x) do x := c(x); return x
-\end{verbatim}
-In general, @{term s} will be a tuple or record. As an example
-consider the following definition of function @{const find}:
-*}
-
-definition find2 :: "('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a" where
- "find2 f x \<equiv>
- fst(while (\<lambda>(x,x'). x' \<noteq> x) (\<lambda>(x,x'). (x',f x')) (x,f x))"
-
-text{*\noindent
-The loop operates on two ``local variables'' @{term x} and @{term x'}
-containing the ``current'' and the ``next'' value of function @{term f}.
-They are initialized with the global @{term x} and @{term"f x"}. At the
-end @{term fst} selects the local @{term x}.
-
-Although the definition of tail recursive functions via @{term while} avoids
-termination proofs, there is no free lunch. When proving properties of
-functions defined by @{term while}, termination rears its ugly head
-again. Here is \tdx{while_rule}, the well known proof rule for total
-correctness of loops expressed with @{term while}:
-@{thm[display,margin=50]while_rule[no_vars]} @{term P} needs to be true of
-the initial state @{term s} and invariant under @{term c} (premises 1
-and~2). The post-condition @{term Q} must become true when leaving the loop
-(premise~3). And each loop iteration must descend along a well-founded
-relation @{term r} (premises 4 and~5).
-
-Let us now prove that @{const find2} does indeed find a fixed point. Instead
-of induction we apply the above while rule, suitably instantiated.
-Only the final premise of @{thm[source]while_rule} is left unproved
-by @{text auto} but falls to @{text simp}:
-*}
-
-lemma lem: "wf(step1 f) \<Longrightarrow>
- \<exists>y. while (\<lambda>(x,x'). x' \<noteq> x) (\<lambda>(x,x'). (x',f x')) (x,f x) = (y,y) \<and>
- f y = y"
-apply(rule_tac P = "\<lambda>(x,x'). x' = f x" and
- r = "inv_image (step1 f) fst" in while_rule);
-apply auto
-apply(simp add: inv_image_def step1_def)
-done
-
-text{*
-The theorem itself is a simple consequence of this lemma:
-*}
-
-theorem "wf(step1 f) \<Longrightarrow> f(find2 f x) = find2 f x"
-apply(drule_tac x = x in lem)
-apply(auto simp add: find2_def)
-done
-
-text{* Let us conclude this section on partial functions by a
-discussion of the merits of the @{term while} combinator. We have
-already seen that the advantage of not having to
-provide a termination argument when defining a function via @{term
-while} merely puts off the evil hour. On top of that, tail recursive
-functions tend to be more complicated to reason about. So why use
-@{term while} at all? The only reason is executability: the recursion
-equation for @{term while} is a directly executable functional
-program. This is in stark contrast to guarded recursion as introduced
-above which requires an explicit test @{prop"x \<in> dom f"} in the
-function body. Unless @{term dom} is trivial, this leads to a
-definition that is impossible to execute or prohibitively slow.
-Thus, if you are aiming for an efficiently executable definition
-of a partial function, you are likely to need @{term while}.
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Advanced/WFrec.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,119 +0,0 @@
-(*<*)theory WFrec imports Main begin(*>*)
-
-text{*\noindent
-So far, all recursive definitions were shown to terminate via measure
-functions. Sometimes this can be inconvenient or
-impossible. Fortunately, \isacommand{recdef} supports much more
-general definitions. For example, termination of Ackermann's function
-can be shown by means of the \rmindex{lexicographic product} @{text"<*lex*>"}:
-*}
-
-consts ack :: "nat\<times>nat \<Rightarrow> nat"
-recdef ack "measure(\<lambda>m. m) <*lex*> measure(\<lambda>n. n)"
- "ack(0,n) = Suc n"
- "ack(Suc m,0) = ack(m, 1)"
- "ack(Suc m,Suc n) = ack(m,ack(Suc m,n))"
-
-text{*\noindent
-The lexicographic product decreases if either its first component
-decreases (as in the second equation and in the outer call in the
-third equation) or its first component stays the same and the second
-component decreases (as in the inner call in the third equation).
-
-In general, \isacommand{recdef} supports termination proofs based on
-arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
-This is called \textbf{well-founded
-recursion}\indexbold{recursion!well-founded}. A function definition
-is total if and only if the set of
-all pairs $(r,l)$, where $l$ is the argument on the
-left-hand side of an equation and $r$ the argument of some recursive call on
-the corresponding right-hand side, induces a well-founded relation. For a
-systematic account of termination proofs via well-founded relations see, for
-example, Baader and Nipkow~\cite{Baader-Nipkow}.
-
-Each \isacommand{recdef} definition should be accompanied (after the function's
-name) by a well-founded relation on the function's argument type.
-Isabelle/HOL formalizes some of the most important
-constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
-example, @{term"measure f"} is always well-founded. The lexicographic
-product of two well-founded relations is again well-founded, which we relied
-on when defining Ackermann's function above.
-Of course the lexicographic product can also be iterated:
-*}
-
-consts contrived :: "nat \<times> nat \<times> nat \<Rightarrow> nat"
-recdef contrived
- "measure(\<lambda>i. i) <*lex*> measure(\<lambda>j. j) <*lex*> measure(\<lambda>k. k)"
-"contrived(i,j,Suc k) = contrived(i,j,k)"
-"contrived(i,Suc j,0) = contrived(i,j,j)"
-"contrived(Suc i,0,0) = contrived(i,i,i)"
-"contrived(0,0,0) = 0"
-
-text{*
-Lexicographic products of measure functions already go a long
-way. Furthermore, you may embed a type in an
-existing well-founded relation via the inverse image construction @{term
-inv_image}. All these constructions are known to \isacommand{recdef}. Thus you
-will never have to prove well-foundedness of any relation composed
-solely of these building blocks. But of course the proof of
-termination of your function definition --- that the arguments
-decrease with every recursive call --- may still require you to provide
-additional lemmas.
-
-It is also possible to use your own well-founded relations with
-\isacommand{recdef}. For example, the greater-than relation can be made
-well-founded by cutting it off at a certain point. Here is an example
-of a recursive function that calls itself with increasing values up to ten:
-*}
-
-consts f :: "nat \<Rightarrow> nat"
-recdef (*<*)(permissive)(*>*)f "{(i,j). j<i \<and> i \<le> (10::nat)}"
-"f i = (if 10 \<le> i then 0 else i * f(Suc i))"
-
-text{*\noindent
-Since \isacommand{recdef} is not prepared for the relation supplied above,
-Isabelle rejects the definition. We should first have proved that
-our relation was well-founded:
-*}
-
-lemma wf_greater: "wf {(i,j). j<i \<and> i \<le> (N::nat)}"
-
-txt{*\noindent
-The proof is by showing that our relation is a subset of another well-founded
-relation: one given by a measure function.\index{*wf_subset (theorem)}
-*}
-
-apply (rule wf_subset [of "measure (\<lambda>k::nat. N-k)"], blast)
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-\noindent
-The inclusion remains to be proved. After unfolding some definitions,
-we are left with simple arithmetic that is dispatched automatically.
-*}
-
-by (clarify, simp add: measure_def inv_image_def)
-
-text{*\noindent
-
-Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
-crucial hint\cmmdx{hints} to our definition:
-*}
-(*<*)
-consts g :: "nat \<Rightarrow> nat"
-recdef g "{(i,j). j<i \<and> i \<le> (10::nat)}"
-"g i = (if 10 \<le> i then 0 else i * g(Suc i))"
-(*>*)
-(hints recdef_wf: wf_greater)
-
-text{*\noindent
-Alternatively, we could have given @{text "measure (\<lambda>k::nat. 10-k)"} for the
-well-founded relation in our \isacommand{recdef}. However, the arithmetic
-goal in the lemma above would have arisen instead in the \isacommand{recdef}
-termination proof, where we have less control. A tailor-made termination
-relation makes even more sense when it can be used in several function
-declarations.
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Advanced/simp2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,189 +0,0 @@
-(*<*)
-theory simp2 imports Main begin
-(*>*)
-
-section{*Simplification*}
-
-text{*\label{sec:simplification-II}\index{simplification|(}
-This section describes features not covered until now. It also
-outlines the simplification process itself, which can be helpful
-when the simplifier does not do what you expect of it.
-*}
-
-subsection{*Advanced Features*}
-
-subsubsection{*Congruence Rules*}
-
-text{*\label{sec:simp-cong}
-While simplifying the conclusion $Q$
-of $P \Imp Q$, it is legal to use the assumption $P$.
-For $\Imp$ this policy is hardwired, but
-contextual information can also be made available for other
-operators. For example, @{prop"xs = [] --> xs@xs = xs"} simplifies to @{term
-True} because we may use @{prop"xs = []"} when simplifying @{prop"xs@xs =
-xs"}. The generation of contextual information during simplification is
-controlled by so-called \bfindex{congruence rules}. This is the one for
-@{text"\<longrightarrow>"}:
-@{thm[display]imp_cong[no_vars]}
-It should be read as follows:
-In order to simplify @{prop"P-->Q"} to @{prop"P'-->Q'"},
-simplify @{prop P} to @{prop P'}
-and assume @{prop"P'"} when simplifying @{prop Q} to @{prop"Q'"}.
-
-Here are some more examples. The congruence rules for bounded
-quantifiers supply contextual information about the bound variable:
-@{thm[display,eta_contract=false,margin=60]ball_cong[no_vars]}
-One congruence rule for conditional expressions supplies contextual
-information for simplifying the @{text then} and @{text else} cases:
-@{thm[display]if_cong[no_vars]}
-An alternative congruence rule for conditional expressions
-actually \emph{prevents} simplification of some arguments:
-@{thm[display]if_weak_cong[no_vars]}
-Only the first argument is simplified; the others remain unchanged.
-This makes simplification much faster and is faithful to the evaluation
-strategy in programming languages, which is why this is the default
-congruence rule for @{text "if"}. Analogous rules control the evaluation of
-@{text case} expressions.
-
-You can declare your own congruence rules with the attribute \attrdx{cong},
-either globally, in the usual manner,
-\begin{quote}
-\isacommand{declare} \textit{theorem-name} @{text"[cong]"}
-\end{quote}
-or locally in a @{text"simp"} call by adding the modifier
-\begin{quote}
-@{text"cong:"} \textit{list of theorem names}
-\end{quote}
-The effect is reversed by @{text"cong del"} instead of @{text cong}.
-
-\begin{warn}
-The congruence rule @{thm[source]conj_cong}
-@{thm[display]conj_cong[no_vars]}
-\par\noindent
-is occasionally useful but is not a default rule; you have to declare it explicitly.
-\end{warn}
-*}
-
-subsubsection{*Permutative Rewrite Rules*}
-
-text{*
-\index{rewrite rules!permutative|bold}%
-An equation is a \textbf{permutative rewrite rule} if the left-hand
-side and right-hand side are the same up to renaming of variables. The most
-common permutative rule is commutativity: @{prop"x+y = y+x"}. Other examples
-include @{prop"(x-y)-z = (x-z)-y"} in arithmetic and @{prop"insert x (insert
-y A) = insert y (insert x A)"} for sets. Such rules are problematic because
-once they apply, they can be used forever. The simplifier is aware of this
-danger and treats permutative rules by means of a special strategy, called
-\bfindex{ordered rewriting}: a permutative rewrite
-rule is only applied if the term becomes smaller with respect to a fixed
-lexicographic ordering on terms. For example, commutativity rewrites
-@{term"b+a"} to @{term"a+b"}, but then stops because @{term"a+b"} is strictly
-smaller than @{term"b+a"}. Permutative rewrite rules can be turned into
-simplification rules in the usual manner via the @{text simp} attribute; the
-simplifier recognizes their special status automatically.
-
-Permutative rewrite rules are most effective in the case of
-associative-commutative functions. (Associativity by itself is not
-permutative.) When dealing with an AC-function~$f$, keep the
-following points in mind:
-\begin{itemize}\index{associative-commutative function}
-
-\item The associative law must always be oriented from left to right,
- namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
- used with commutativity, can lead to nontermination.
-
-\item To complete your set of rewrite rules, you must add not just
- associativity~(A) and commutativity~(C) but also a derived rule, {\bf
- left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
-\end{itemize}
-Ordered rewriting with the combination of A, C, and LC sorts a term
-lexicographically:
-\[\def\maps#1{~\stackrel{#1}{\leadsto}~}
- f(f(b,c),a) \maps{A} f(b,f(c,a)) \maps{C} f(b,f(a,c)) \maps{LC} f(a,f(b,c)) \]
-
-Note that ordered rewriting for @{text"+"} and @{text"*"} on numbers is rarely
-necessary because the built-in arithmetic prover often succeeds without
-such tricks.
-*}
-
-subsection{*How the Simplifier Works*}
-
-text{*\label{sec:SimpHow}
-Roughly speaking, the simplifier proceeds bottom-up: subterms are simplified
-first. A conditional equation is only applied if its condition can be
-proved, again by simplification. Below we explain some special features of
-the rewriting process.
-*}
-
-subsubsection{*Higher-Order Patterns*}
-
-text{*\index{simplification rule|(}
-So far we have pretended the simplifier can deal with arbitrary
-rewrite rules. This is not quite true. For reasons of feasibility,
-the simplifier expects the
-left-hand side of each rule to be a so-called \emph{higher-order
-pattern}~\cite{nipkow-patterns}\indexbold{patterns!higher-order}.
-This restricts where
-unknowns may occur. Higher-order patterns are terms in $\beta$-normal
-form. (This means there are no subterms of the form $(\lambda x. M)(N)$.)
-Each occurrence of an unknown is of the form
-$\Var{f}~x@1~\dots~x@n$, where the $x@i$ are distinct bound
-variables. Thus all ordinary rewrite rules, where all unknowns are
-of base type, for example @{thm add_assoc}, are acceptable: if an unknown is
-of base type, it cannot have any arguments. Additionally, the rule
-@{text"(\<forall>x. ?P x \<and> ?Q x) = ((\<forall>x. ?P x) \<and> (\<forall>x. ?Q x))"} is also acceptable, in
-both directions: all arguments of the unknowns @{text"?P"} and
-@{text"?Q"} are distinct bound variables.
-
-If the left-hand side is not a higher-order pattern, all is not lost.
-The simplifier will still try to apply the rule provided it
-matches directly: without much $\lambda$-calculus hocus
-pocus. For example, @{text"(?f ?x \<in> range ?f) = True"} rewrites
-@{term"g a \<in> range g"} to @{const True}, but will fail to match
-@{text"g(h b) \<in> range(\<lambda>x. g(h x))"}. However, you can
-eliminate the offending subterms --- those that are not patterns ---
-by adding new variables and conditions.
-In our example, we eliminate @{text"?f ?x"} and obtain
- @{text"?y =
-?f ?x \<Longrightarrow> (?y \<in> range ?f) = True"}, which is fine
-as a conditional rewrite rule since conditions can be arbitrary
-terms. However, this trick is not a panacea because the newly
-introduced conditions may be hard to solve.
-
-There is no restriction on the form of the right-hand
-sides. They may not contain extraneous term or type variables, though.
-*}
-
-subsubsection{*The Preprocessor*}
-
-text{*\label{sec:simp-preprocessor}
-When a theorem is declared a simplification rule, it need not be a
-conditional equation already. The simplifier will turn it into a set of
-conditional equations automatically. For example, @{prop"f x =
-g x & h x = k x"} becomes the two separate
-simplification rules @{prop"f x = g x"} and @{prop"h x = k x"}. In
-general, the input theorem is converted as follows:
-\begin{eqnarray}
-\neg P &\mapsto& P = \hbox{\isa{False}} \nonumber\\
-P \longrightarrow Q &\mapsto& P \Longrightarrow Q \nonumber\\
-P \land Q &\mapsto& P,\ Q \nonumber\\
-\forall x.~P~x &\mapsto& P~\Var{x}\nonumber\\
-\forall x \in A.\ P~x &\mapsto& \Var{x} \in A \Longrightarrow P~\Var{x} \nonumber\\
-@{text "if"}\ P\ @{text then}\ Q\ @{text else}\ R &\mapsto&
- P \Longrightarrow Q,\ \neg P \Longrightarrow R \nonumber
-\end{eqnarray}
-Once this conversion process is finished, all remaining non-equations
-$P$ are turned into trivial equations $P =\isa{True}$.
-For example, the formula
-\begin{center}@{prop"(p \<longrightarrow> t=u \<and> ~r) \<and> s"}\end{center}
-is converted into the three rules
-\begin{center}
-@{prop"p \<Longrightarrow> t = u"},\quad @{prop"p \<Longrightarrow> r = False"},\quad @{prop"s = True"}.
-\end{center}
-\index{simplification rule|)}
-\index{simplification|)}
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/CTL/Base.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-(*<*)theory Base imports Main begin(*>*)
-
-section{*Case Study: Verified Model Checking*}
-
-text{*\label{sec:VMC}
-This chapter ends with a case study concerning model checking for
-Computation Tree Logic (CTL), a temporal logic.
-Model checking is a popular technique for the verification of finite
-state systems (implementations) with respect to temporal logic formulae
-(specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic
-and this section will explore them in HOL\@. This is done in two steps. First
-we consider a simple modal logic called propositional dynamic
-logic (PDL)\@. We then proceed to the temporal logic CTL, which is
-used in many real
-model checkers. In each case we give both a traditional semantics (@{text \<Turnstile>}) and a
-recursive function @{term mc} that maps a formula into the set of all states of
-the system where the formula is valid. If the system has a finite number of
-states, @{term mc} is directly executable: it is a model checker, albeit an
-inefficient one. The main proof obligation is to show that the semantics
-and the model checker agree.
-
-\underscoreon
-
-Our models are \emph{transition systems}:\index{transition systems}
-sets of \emph{states} with
-transitions between them. Here is a simple example:
-\begin{center}
-\unitlength.5mm
-\thicklines
-\begin{picture}(100,60)
-\put(50,50){\circle{20}}
-\put(50,50){\makebox(0,0){$p,q$}}
-\put(61,55){\makebox(0,0)[l]{$s_0$}}
-\put(44,42){\vector(-1,-1){26}}
-\put(16,18){\vector(1,1){26}}
-\put(57,43){\vector(1,-1){26}}
-\put(10,10){\circle{20}}
-\put(10,10){\makebox(0,0){$q,r$}}
-\put(-1,15){\makebox(0,0)[r]{$s_1$}}
-\put(20,10){\vector(1,0){60}}
-\put(90,10){\circle{20}}
-\put(90,10){\makebox(0,0){$r$}}
-\put(98, 5){\line(1,0){10}}
-\put(108, 5){\line(0,1){10}}
-\put(108,15){\vector(-1,0){10}}
-\put(91,21){\makebox(0,0)[bl]{$s_2$}}
-\end{picture}
-\end{center}
-Each state has a unique name or number ($s_0,s_1,s_2$), and in each state
-certain \emph{atomic propositions} ($p,q,r$) hold. The aim of temporal logic
-is to formalize statements such as ``there is no path starting from $s_2$
-leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths
-starting from $s_0$, $q$ always holds,'' which is false.
-
-Abstracting from this concrete example, we assume there is a type of
-states:
-*}
-
-typedecl state
-
-text{*\noindent
-Command \commdx{typedecl} merely declares a new type but without
-defining it (see \S\ref{sec:typedecl}). Thus we know nothing
-about the type other than its existence. That is exactly what we need
-because @{typ state} really is an implicit parameter of our model. Of
-course it would have been more generic to make @{typ state} a type
-parameter of everything but declaring @{typ state} globally as above
-reduces clutter. Similarly we declare an arbitrary but fixed
-transition system, i.e.\ a relation between states:
-*}
-
-consts M :: "(state \<times> state)set";
-
-text{*\noindent
-This is Isabelle's way of declaring a constant without defining it.
-Finally we introduce a type of atomic propositions
-*}
-
-typedecl "atom"
-
-text{*\noindent
-and a \emph{labelling function}
-*}
-
-consts L :: "state \<Rightarrow> atom set"
-
-text{*\noindent
-telling us which atomic propositions are true in each state.
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/CTL/CTL.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,449 +0,0 @@
-(*<*)theory CTL imports Base begin(*>*)
-
-subsection{*Computation Tree Logic --- CTL*};
-
-text{*\label{sec:CTL}
-\index{CTL|(}%
-The semantics of PDL only needs reflexive transitive closure.
-Let us be adventurous and introduce a more expressive temporal operator.
-We extend the datatype
-@{text formula} by a new constructor
-*};
-(*<*)
-datatype formula = Atom "atom"
- | Neg formula
- | And formula formula
- | AX formula
- | EF formula(*>*)
- | AF formula;
-
-text{*\noindent
-which stands for ``\emph{A}lways in the \emph{F}uture'':
-on all infinite paths, at some point the formula holds.
-Formalizing the notion of an infinite path is easy
-in HOL: it is simply a function from @{typ nat} to @{typ state}.
-*};
-
-definition Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" where
-"Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}"
-
-text{*\noindent
-This definition allows a succinct statement of the semantics of @{const AF}:
-\footnote{Do not be misled: neither datatypes nor recursive functions can be
-extended by new constructors or equations. This is just a trick of the
-presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
-a new datatype and a new function.}
-*};
-(*<*)
-primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80) where
-"s \<Turnstile> Atom a = (a \<in> L s)" |
-"s \<Turnstile> Neg f = (~(s \<Turnstile> f))" |
-"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" |
-"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" |
-"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)" |
-(*>*)
-"s \<Turnstile> AF f = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)"
-
-text{*\noindent
-Model checking @{const AF} involves a function which
-is just complicated enough to warrant a separate definition:
-*};
-
-definition af :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
-"af A T \<equiv> A \<union> {s. \<forall>t. (s, t) \<in> M \<longrightarrow> t \<in> T}"
-
-text{*\noindent
-Now we define @{term "mc(AF f)"} as the least set @{term T} that includes
-@{term"mc f"} and all states all of whose direct successors are in @{term T}:
-*};
-(*<*)
-primrec mc :: "formula \<Rightarrow> state set" where
-"mc(Atom a) = {s. a \<in> L s}" |
-"mc(Neg f) = -mc f" |
-"mc(And f g) = mc f \<inter> mc g" |
-"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" |
-"mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"|(*>*)
-"mc(AF f) = lfp(af(mc f))";
-
-text{*\noindent
-Because @{const af} is monotone in its second argument (and also its first, but
-that is irrelevant), @{term"af A"} has a least fixed point:
-*};
-
-lemma mono_af: "mono(af A)";
-apply(simp add: mono_def af_def);
-apply blast;
-done
-(*<*)
-lemma mono_ef: "mono(\<lambda>T. A \<union> M\<inverse> `` T)";
-apply(rule monoI);
-by(blast);
-
-lemma EF_lemma:
- "lfp(\<lambda>T. A \<union> M\<inverse> `` T) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}";
-apply(rule equalityI);
- apply(rule subsetI);
- apply(simp);
- apply(erule lfp_induct_set);
- apply(rule mono_ef);
- apply(simp);
- apply(blast intro: rtrancl_trans);
-apply(rule subsetI);
-apply(simp, clarify);
-apply(erule converse_rtrancl_induct);
- apply(subst lfp_unfold[OF mono_ef]);
- apply(blast);
-apply(subst lfp_unfold[OF mono_ef]);
-by(blast);
-(*>*)
-text{*
-All we need to prove now is @{prop"mc(AF f) = {s. s \<Turnstile> AF f}"}, which states
-that @{term mc} and @{text"\<Turnstile>"} agree for @{const AF}\@.
-This time we prove the two inclusions separately, starting
-with the easy one:
-*};
-
-theorem AF_lemma1: "lfp(af A) \<subseteq> {s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A}"
-
-txt{*\noindent
-In contrast to the analogous proof for @{const EF}, and just
-for a change, we do not use fixed point induction. Park-induction,
-named after David Park, is weaker but sufficient for this proof:
-\begin{center}
-@{thm lfp_lowerbound[of _ "S",no_vars]} \hfill (@{thm[source]lfp_lowerbound})
-\end{center}
-The instance of the premise @{prop"f S \<subseteq> S"} is proved pointwise,
-a decision that \isa{auto} takes for us:
-*};
-apply(rule lfp_lowerbound);
-apply(auto simp add: af_def Paths_def);
-
-txt{*
-@{subgoals[display,indent=0,margin=70,goals_limit=1]}
-In this remaining case, we set @{term t} to @{term"p(1::nat)"}.
-The rest is automatic, which is surprising because it involves
-finding the instantiation @{term"\<lambda>i::nat. p(i+1)"}
-for @{text"\<forall>p"}.
-*};
-
-apply(erule_tac x = "p 1" in allE);
-apply(auto);
-done;
-
-
-text{*
-The opposite inclusion is proved by contradiction: if some state
-@{term s} is not in @{term"lfp(af A)"}, then we can construct an
-infinite @{term A}-avoiding path starting from~@{term s}. The reason is
-that by unfolding @{const lfp} we find that if @{term s} is not in
-@{term"lfp(af A)"}, then @{term s} is not in @{term A} and there is a
-direct successor of @{term s} that is again not in \mbox{@{term"lfp(af
-A)"}}. Iterating this argument yields the promised infinite
-@{term A}-avoiding path. Let us formalize this sketch.
-
-The one-step argument in the sketch above
-is proved by a variant of contraposition:
-*};
-
-lemma not_in_lfp_afD:
- "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t) \<in> M \<and> t \<notin> lfp(af A))";
-apply(erule contrapos_np);
-apply(subst lfp_unfold[OF mono_af]);
-apply(simp add: af_def);
-done;
-
-text{*\noindent
-We assume the negation of the conclusion and prove @{term"s : lfp(af A)"}.
-Unfolding @{const lfp} once and
-simplifying with the definition of @{const af} finishes the proof.
-
-Now we iterate this process. The following construction of the desired
-path is parameterized by a predicate @{term Q} that should hold along the path:
-*};
-
-primrec path :: "state \<Rightarrow> (state \<Rightarrow> bool) \<Rightarrow> (nat \<Rightarrow> state)" where
-"path s Q 0 = s" |
-"path s Q (Suc n) = (SOME t. (path s Q n,t) \<in> M \<and> Q t)"
-
-text{*\noindent
-Element @{term"n+1::nat"} on this path is some arbitrary successor
-@{term t} of element @{term n} such that @{term"Q t"} holds. Remember that @{text"SOME t. R t"}
-is some arbitrary but fixed @{term t} such that @{prop"R t"} holds (see \S\ref{sec:SOME}). Of
-course, such a @{term t} need not exist, but that is of no
-concern to us since we will only use @{const path} when a
-suitable @{term t} does exist.
-
-Let us show that if each state @{term s} that satisfies @{term Q}
-has a successor that again satisfies @{term Q}, then there exists an infinite @{term Q}-path:
-*};
-
-lemma infinity_lemma:
- "\<lbrakk> Q s; \<forall>s. Q s \<longrightarrow> (\<exists> t. (s,t) \<in> M \<and> Q t) \<rbrakk> \<Longrightarrow>
- \<exists>p\<in>Paths s. \<forall>i. Q(p i)";
-
-txt{*\noindent
-First we rephrase the conclusion slightly because we need to prove simultaneously
-both the path property and the fact that @{term Q} holds:
-*};
-
-apply(subgoal_tac
- "\<exists>p. s = p 0 \<and> (\<forall>i::nat. (p i, p(i+1)) \<in> M \<and> Q(p i))");
-
-txt{*\noindent
-From this proposition the original goal follows easily:
-*};
-
- apply(simp add: Paths_def, blast);
-
-txt{*\noindent
-The new subgoal is proved by providing the witness @{term "path s Q"} for @{term p}:
-*};
-
-apply(rule_tac x = "path s Q" in exI);
-apply(clarsimp);
-
-txt{*\noindent
-After simplification and clarification, the subgoal has the following form:
-@{subgoals[display,indent=0,margin=70,goals_limit=1]}
-It invites a proof by induction on @{term i}:
-*};
-
-apply(induct_tac i);
- apply(simp);
-
-txt{*\noindent
-After simplification, the base case boils down to
-@{subgoals[display,indent=0,margin=70,goals_limit=1]}
-The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t):M"}
-holds. However, we first have to show that such a @{term t} actually exists! This reasoning
-is embodied in the theorem @{thm[source]someI2_ex}:
-@{thm[display,eta_contract=false]someI2_ex}
-When we apply this theorem as an introduction rule, @{text"?P x"} becomes
-@{prop"(s, x) : M & Q x"} and @{text"?Q x"} becomes @{prop"(s,x) : M"} and we have to prove
-two subgoals: @{prop"EX a. (s, a) : M & Q a"}, which follows from the assumptions, and
-@{prop"(s, x) : M & Q x ==> (s,x) : M"}, which is trivial. Thus it is not surprising that
-@{text fast} can prove the base case quickly:
-*};
-
- apply(fast intro: someI2_ex);
-
-txt{*\noindent
-What is worth noting here is that we have used \methdx{fast} rather than
-@{text blast}. The reason is that @{text blast} would fail because it cannot
-cope with @{thm[source]someI2_ex}: unifying its conclusion with the current
-subgoal is non-trivial because of the nested schematic variables. For
-efficiency reasons @{text blast} does not even attempt such unifications.
-Although @{text fast} can in principle cope with complicated unification
-problems, in practice the number of unifiers arising is often prohibitive and
-the offending rule may need to be applied explicitly rather than
-automatically. This is what happens in the step case.
-
-The induction step is similar, but more involved, because now we face nested
-occurrences of @{text SOME}. As a result, @{text fast} is no longer able to
-solve the subgoal and we apply @{thm[source]someI2_ex} by hand. We merely
-show the proof commands but do not describe the details:
-*};
-
-apply(simp);
-apply(rule someI2_ex);
- apply(blast);
-apply(rule someI2_ex);
- apply(blast);
-apply(blast);
-done;
-
-text{*
-Function @{const path} has fulfilled its purpose now and can be forgotten.
-It was merely defined to provide the witness in the proof of the
-@{thm[source]infinity_lemma}. Aficionados of minimal proofs might like to know
-that we could have given the witness without having to define a new function:
-the term
-@{term[display]"nat_rec s (\<lambda>n t. SOME u. (t,u)\<in>M \<and> Q u)"}
-is extensionally equal to @{term"path s Q"},
-where @{term nat_rec} is the predefined primitive recursor on @{typ nat}.
-*};
-(*<*)
-lemma
-"\<lbrakk> Q s; \<forall> s. Q s \<longrightarrow> (\<exists> t. (s,t)\<in>M \<and> Q t) \<rbrakk> \<Longrightarrow>
- \<exists> p\<in>Paths s. \<forall> i. Q(p i)";
-apply(subgoal_tac
- "\<exists> p. s = p 0 \<and> (\<forall> i. (p i,p(Suc i))\<in>M \<and> Q(p i))");
- apply(simp add: Paths_def);
- apply(blast);
-apply(rule_tac x = "nat_rec s (\<lambda>n t. SOME u. (t,u)\<in>M \<and> Q u)" in exI);
-apply(simp);
-apply(intro strip);
-apply(induct_tac i);
- apply(simp);
- apply(fast intro: someI2_ex);
-apply(simp);
-apply(rule someI2_ex);
- apply(blast);
-apply(rule someI2_ex);
- apply(blast);
-by(blast);
-(*>*)
-
-text{*
-At last we can prove the opposite direction of @{thm[source]AF_lemma1}:
-*};
-
-theorem AF_lemma2: "{s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A} \<subseteq> lfp(af A)";
-
-txt{*\noindent
-The proof is again pointwise and then by contraposition:
-*};
-
-apply(rule subsetI);
-apply(erule contrapos_pp);
-apply simp;
-
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-Applying the @{thm[source]infinity_lemma} as a destruction rule leaves two subgoals, the second
-premise of @{thm[source]infinity_lemma} and the original subgoal:
-*};
-
-apply(drule infinity_lemma);
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-Both are solved automatically:
-*};
-
- apply(auto dest: not_in_lfp_afD);
-done;
-
-text{*
-If you find these proofs too complicated, we recommend that you read
-\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
-simpler arguments.
-
-The main theorem is proved as for PDL, except that we also derive the
-necessary equality @{text"lfp(af A) = ..."} by combining
-@{thm[source]AF_lemma1} and @{thm[source]AF_lemma2} on the spot:
-*}
-
-theorem "mc f = {s. s \<Turnstile> f}";
-apply(induct_tac f);
-apply(auto simp add: EF_lemma equalityI[OF AF_lemma1 AF_lemma2]);
-done
-
-text{*
-
-The language defined above is not quite CTL\@. The latter also includes an
-until-operator @{term"EU f g"} with semantics ``there \emph{E}xists a path
-where @{term f} is true \emph{U}ntil @{term g} becomes true''. We need
-an auxiliary function:
-*}
-
-primrec
-until:: "state set \<Rightarrow> state set \<Rightarrow> state \<Rightarrow> state list \<Rightarrow> bool" where
-"until A B s [] = (s \<in> B)" |
-"until A B s (t#p) = (s \<in> A \<and> (s,t) \<in> M \<and> until A B t p)"
-(*<*)definition
- eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
-"eusem A B \<equiv> {s. \<exists>p. until A B s p}"(*>*)
-
-text{*\noindent
-Expressing the semantics of @{term EU} is now straightforward:
-@{prop[display]"s \<Turnstile> EU f g = (\<exists>p. until {t. t \<Turnstile> f} {t. t \<Turnstile> g} s p)"}
-Note that @{term EU} is not definable in terms of the other operators!
-
-Model checking @{term EU} is again a least fixed point construction:
-@{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M\<inverse> `` T))"}
-
-\begin{exercise}
-Extend the datatype of formulae by the above until operator
-and prove the equivalence between semantics and model checking, i.e.\ that
-@{prop[display]"mc(EU f g) = {s. s \<Turnstile> EU f g}"}
-%For readability you may want to annotate {term EU} with its customary syntax
-%{text[display]"| EU formula formula E[_ U _]"}
-%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
-\end{exercise}
-For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.
-*}
-
-(*<*)
-definition eufix :: "state set \<Rightarrow> state set \<Rightarrow> state set \<Rightarrow> state set" where
-"eufix A B T \<equiv> B \<union> A \<inter> (M\<inverse> `` T)"
-
-lemma "lfp(eufix A B) \<subseteq> eusem A B"
-apply(rule lfp_lowerbound)
-apply(auto simp add: eusem_def eufix_def)
- apply(rule_tac x = "[]" in exI)
- apply simp
-apply(rule_tac x = "xa#xb" in exI)
-apply simp
-done
-
-lemma mono_eufix: "mono(eufix A B)";
-apply(simp add: mono_def eufix_def);
-apply blast;
-done
-
-lemma "eusem A B \<subseteq> lfp(eufix A B)";
-apply(clarsimp simp add: eusem_def);
-apply(erule rev_mp);
-apply(rule_tac x = x in spec);
-apply(induct_tac p);
- apply(subst lfp_unfold[OF mono_eufix])
- apply(simp add: eufix_def);
-apply(clarsimp);
-apply(subst lfp_unfold[OF mono_eufix])
-apply(simp add: eufix_def);
-apply blast;
-done
-
-(*
-definition eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
-"eusem A B \<equiv> {s. \<exists>p\<in>Paths s. \<exists>j. p j \<in> B \<and> (\<forall>i < j. p i \<in> A)}"
-
-axioms
-M_total: "\<exists>t. (s,t) \<in> M"
-
-consts apath :: "state \<Rightarrow> (nat \<Rightarrow> state)"
-primrec
-"apath s 0 = s"
-"apath s (Suc i) = (SOME t. (apath s i,t) \<in> M)"
-
-lemma [iff]: "apath s \<in> Paths s";
-apply(simp add: Paths_def);
-apply(blast intro: M_total[THEN someI_ex])
-done
-
-definition pcons :: "state \<Rightarrow> (nat \<Rightarrow> state) \<Rightarrow> (nat \<Rightarrow> state)" where
-"pcons s p == \<lambda>i. case i of 0 \<Rightarrow> s | Suc j \<Rightarrow> p j"
-
-lemma pcons_PathI: "[| (s,t) : M; p \<in> Paths t |] ==> pcons s p \<in> Paths s";
-by(simp add: Paths_def pcons_def split: nat.split);
-
-lemma "lfp(eufix A B) \<subseteq> eusem A B"
-apply(rule lfp_lowerbound)
-apply(clarsimp simp add: eusem_def eufix_def);
-apply(erule disjE);
- apply(rule_tac x = "apath x" in bexI);
- apply(rule_tac x = 0 in exI);
- apply simp;
- apply simp;
-apply(clarify);
-apply(rule_tac x = "pcons xb p" in bexI);
- apply(rule_tac x = "j+1" in exI);
- apply (simp add: pcons_def split: nat.split);
-apply (simp add: pcons_PathI)
-done
-*)
-(*>*)
-
-text{* Let us close this section with a few words about the executability of
-our model checkers. It is clear that if all sets are finite, they can be
-represented as lists and the usual set operations are easily
-implemented. Only @{const lfp} requires a little thought. Fortunately, theory
-@{text While_Combinator} in the Library~\cite{HOL-Library} provides a
-theorem stating that in the case of finite sets and a monotone
-function~@{term F}, the value of \mbox{@{term"lfp F"}} can be computed by
-iterated application of @{term F} to~@{term"{}"} until a fixed point is
-reached. It is actually possible to generate executable functional programs
-from HOL definitions, but that is beyond the scope of the tutorial.%
-\index{CTL|)} *}
-(*<*)end(*>*)
--- a/doc-src/TutorialI/CTL/CTLind.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,148 +0,0 @@
-(*<*)theory CTLind imports CTL begin(*>*)
-
-subsection{*CTL Revisited*}
-
-text{*\label{sec:CTL-revisited}
-\index{CTL|(}%
-The purpose of this section is twofold: to demonstrate
-some of the induction principles and heuristics discussed above and to
-show how inductive definitions can simplify proofs.
-In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a
-model checker for CTL\@. In particular the proof of the
-@{thm[source]infinity_lemma} on the way to @{thm[source]AF_lemma2} is not as
-simple as one might expect, due to the @{text SOME} operator
-involved. Below we give a simpler proof of @{thm[source]AF_lemma2}
-based on an auxiliary inductive definition.
-
-Let us call a (finite or infinite) path \emph{@{term A}-avoiding} if it does
-not touch any node in the set @{term A}. Then @{thm[source]AF_lemma2} says
-that if no infinite path from some state @{term s} is @{term A}-avoiding,
-then @{prop"s \<in> lfp(af A)"}. We prove this by inductively defining the set
-@{term"Avoid s A"} of states reachable from @{term s} by a finite @{term
-A}-avoiding path:
-% Second proof of opposite direction, directly by well-founded induction
-% on the initial segment of M that avoids A.
-*}
-
-inductive_set
- Avoid :: "state \<Rightarrow> state set \<Rightarrow> state set"
- for s :: state and A :: "state set"
-where
- "s \<in> Avoid s A"
- | "\<lbrakk> t \<in> Avoid s A; t \<notin> A; (t,u) \<in> M \<rbrakk> \<Longrightarrow> u \<in> Avoid s A";
-
-text{*
-It is easy to see that for any infinite @{term A}-avoiding path @{term f}
-with @{prop"f(0::nat) \<in> Avoid s A"} there is an infinite @{term A}-avoiding path
-starting with @{term s} because (by definition of @{const Avoid}) there is a
-finite @{term A}-avoiding path from @{term s} to @{term"f(0::nat)"}.
-The proof is by induction on @{prop"f(0::nat) \<in> Avoid s A"}. However,
-this requires the following
-reformulation, as explained in \S\ref{sec:ind-var-in-prems} above;
-the @{text rule_format} directive undoes the reformulation after the proof.
-*}
-
-lemma ex_infinite_path[rule_format]:
- "t \<in> Avoid s A \<Longrightarrow>
- \<forall>f\<in>Paths t. (\<forall>i. f i \<notin> A) \<longrightarrow> (\<exists>p\<in>Paths s. \<forall>i. p i \<notin> A)";
-apply(erule Avoid.induct);
- apply(blast);
-apply(clarify);
-apply(drule_tac x = "\<lambda>i. case i of 0 \<Rightarrow> t | Suc i \<Rightarrow> f i" in bspec);
-apply(simp_all add: Paths_def split: nat.split);
-done
-
-text{*\noindent
-The base case (@{prop"t = s"}) is trivial and proved by @{text blast}.
-In the induction step, we have an infinite @{term A}-avoiding path @{term f}
-starting from @{term u}, a successor of @{term t}. Now we simply instantiate
-the @{text"\<forall>f\<in>Paths t"} in the induction hypothesis by the path starting with
-@{term t} and continuing with @{term f}. That is what the above $\lambda$-term
-expresses. Simplification shows that this is a path starting with @{term t}
-and that the instantiated induction hypothesis implies the conclusion.
-
-Now we come to the key lemma. Assuming that no infinite @{term A}-avoiding
-path starts from @{term s}, we want to show @{prop"s \<in> lfp(af A)"}. For the
-inductive proof this must be generalized to the statement that every point @{term t}
-``between'' @{term s} and @{term A}, in other words all of @{term"Avoid s A"},
-is contained in @{term"lfp(af A)"}:
-*}
-
-lemma Avoid_in_lfp[rule_format(no_asm)]:
- "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)";
-
-txt{*\noindent
-The proof is by induction on the ``distance'' between @{term t} and @{term
-A}. Remember that @{prop"lfp(af A) = A \<union> M\<inverse> `` lfp(af A)"}.
-If @{term t} is already in @{term A}, then @{prop"t \<in> lfp(af A)"} is
-trivial. If @{term t} is not in @{term A} but all successors are in
-@{term"lfp(af A)"} (induction hypothesis), then @{prop"t \<in> lfp(af A)"} is
-again trivial.
-
-The formal counterpart of this proof sketch is a well-founded induction
-on~@{term M} restricted to @{term"Avoid s A - A"}, roughly speaking:
-@{term[display]"{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> x \<notin> A}"}
-As we shall see presently, the absence of infinite @{term A}-avoiding paths
-starting from @{term s} implies well-foundedness of this relation. For the
-moment we assume this and proceed with the induction:
-*}
-
-apply(subgoal_tac "wf{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> x \<notin> A}");
- apply(erule_tac a = t in wf_induct);
- apply(clarsimp);
-(*<*)apply(rename_tac t)(*>*)
-
-txt{*\noindent
-@{subgoals[display,indent=0,margin=65]}
-Now the induction hypothesis states that if @{prop"t \<notin> A"}
-then all successors of @{term t} that are in @{term"Avoid s A"} are in
-@{term"lfp (af A)"}. Unfolding @{term lfp} in the conclusion of the first
-subgoal once, we have to prove that @{term t} is in @{term A} or all successors
-of @{term t} are in @{term"lfp (af A)"}. But if @{term t} is not in @{term A},
-the second
-@{const Avoid}-rule implies that all successors of @{term t} are in
-@{term"Avoid s A"}, because we also assume @{prop"t \<in> Avoid s A"}.
-Hence, by the induction hypothesis, all successors of @{term t} are indeed in
-@{term"lfp(af A)"}. Mechanically:
-*}
-
- apply(subst lfp_unfold[OF mono_af]);
- apply(simp (no_asm) add: af_def);
- apply(blast intro: Avoid.intros);
-
-txt{*
-Having proved the main goal, we return to the proof obligation that the
-relation used above is indeed well-founded. This is proved by contradiction: if
-the relation is not well-founded then there exists an infinite @{term
-A}-avoiding path all in @{term"Avoid s A"}, by theorem
-@{thm[source]wf_iff_no_infinite_down_chain}:
-@{thm[display]wf_iff_no_infinite_down_chain[no_vars]}
-From lemma @{thm[source]ex_infinite_path} the existence of an infinite
-@{term A}-avoiding path starting in @{term s} follows, contradiction.
-*}
-
-apply(erule contrapos_pp);
-apply(simp add: wf_iff_no_infinite_down_chain);
-apply(erule exE);
-apply(rule ex_infinite_path);
-apply(auto simp add: Paths_def);
-done
-
-text{*
-The @{text"(no_asm)"} modifier of the @{text"rule_format"} directive in the
-statement of the lemma means
-that the assumption is left unchanged; otherwise the @{text"\<forall>p"}
-would be turned
-into a @{text"\<And>p"}, which would complicate matters below. As it is,
-@{thm[source]Avoid_in_lfp} is now
-@{thm[display]Avoid_in_lfp[no_vars]}
-The main theorem is simply the corollary where @{prop"t = s"},
-when the assumption @{prop"t \<in> Avoid s A"} is trivially true
-by the first @{const Avoid}-rule. Isabelle confirms this:%
-\index{CTL|)}*}
-
-theorem AF_lemma2: "{s. \<forall>p \<in> Paths s. \<exists> i. p i \<in> A} \<subseteq> lfp(af A)";
-by(auto elim: Avoid_in_lfp intro: Avoid.intros);
-
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/CTL/PDL.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,205 +0,0 @@
-(*<*)theory PDL imports Base begin(*>*)
-
-subsection{*Propositional Dynamic Logic --- PDL*}
-
-text{*\index{PDL|(}
-The formulae of PDL are built up from atomic propositions via
-negation and conjunction and the two temporal
-connectives @{text AX} and @{text EF}\@. Since formulae are essentially
-syntax trees, they are naturally modelled as a datatype:%
-\footnote{The customary definition of PDL
-\cite{HarelKT-DL} looks quite different from ours, but the two are easily
-shown to be equivalent.}
-*}
-
-datatype formula = Atom "atom"
- | Neg formula
- | And formula formula
- | AX formula
- | EF formula
-
-text{*\noindent
-This resembles the boolean expression case study in
-\S\ref{sec:boolex}.
-A validity relation between states and formulae specifies the semantics.
-The syntax annotation allows us to write @{text"s \<Turnstile> f"} instead of
-\hbox{@{text"valid s f"}}. The definition is by recursion over the syntax:
-*}
-
-primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
-where
-"s \<Turnstile> Atom a = (a \<in> L s)" |
-"s \<Turnstile> Neg f = (\<not>(s \<Turnstile> f))" |
-"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" |
-"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" |
-"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)"
-
-text{*\noindent
-The first three equations should be self-explanatory. The temporal formula
-@{term"AX f"} means that @{term f} is true in \emph{A}ll ne\emph{X}t states whereas
-@{term"EF f"} means that there \emph{E}xists some \emph{F}uture state in which @{term f} is
-true. The future is expressed via @{text"\<^sup>*"}, the reflexive transitive
-closure. Because of reflexivity, the future includes the present.
-
-Now we come to the model checker itself. It maps a formula into the
-set of states where the formula is true. It too is defined by
-recursion over the syntax: *}
-
-primrec mc :: "formula \<Rightarrow> state set" where
-"mc(Atom a) = {s. a \<in> L s}" |
-"mc(Neg f) = -mc f" |
-"mc(And f g) = mc f \<inter> mc g" |
-"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" |
-"mc(EF f) = lfp(\<lambda>T. mc f \<union> (M\<inverse> `` T))"
-
-text{*\noindent
-Only the equation for @{term EF} deserves some comments. Remember that the
-postfix @{text"\<inverse>"} and the infix @{text"``"} are predefined and denote the
-converse of a relation and the image of a set under a relation. Thus
-@{term "M\<inverse> `` T"} is the set of all predecessors of @{term T} and the least
-fixed point (@{term lfp}) of @{term"\<lambda>T. mc f \<union> M\<inverse> `` T"} is the least set
-@{term T} containing @{term"mc f"} and all predecessors of @{term T}. If you
-find it hard to see that @{term"mc(EF f)"} contains exactly those states from
-which there is a path to a state where @{term f} is true, do not worry --- this
-will be proved in a moment.
-
-First we prove monotonicity of the function inside @{term lfp}
-in order to make sure it really has a least fixed point.
-*}
-
-lemma mono_ef: "mono(\<lambda>T. A \<union> (M\<inverse> `` T))"
-apply(rule monoI)
-apply blast
-done
-
-text{*\noindent
-Now we can relate model checking and semantics. For the @{text EF} case we need
-a separate lemma:
-*}
-
-lemma EF_lemma:
- "lfp(\<lambda>T. A \<union> (M\<inverse> `` T)) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}"
-
-txt{*\noindent
-The equality is proved in the canonical fashion by proving that each set
-includes the other; the inclusion is shown pointwise:
-*}
-
-apply(rule equalityI)
- apply(rule subsetI)
- apply(simp)(*<*)apply(rename_tac s)(*>*)
-
-txt{*\noindent
-Simplification leaves us with the following first subgoal
-@{subgoals[display,indent=0,goals_limit=1]}
-which is proved by @{term lfp}-induction:
-*}
-
- apply(erule lfp_induct_set)
- apply(rule mono_ef)
- apply(simp)
-(*pr(latex xsymbols symbols);*)
-txt{*\noindent
-Having disposed of the monotonicity subgoal,
-simplification leaves us with the following goal:
-\begin{isabelle}
-\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
-\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
-\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
-\end{isabelle}
-It is proved by @{text blast}, using the transitivity of
-\isa{M\isactrlsup {\isacharasterisk}}.
-*}
-
- apply(blast intro: rtrancl_trans)
-
-txt{*
-We now return to the second set inclusion subgoal, which is again proved
-pointwise:
-*}
-
-apply(rule subsetI)
-apply(simp, clarify)
-
-txt{*\noindent
-After simplification and clarification we are left with
-@{subgoals[display,indent=0,goals_limit=1]}
-This goal is proved by induction on @{term"(s,t)\<in>M\<^sup>*"}. But since the model
-checker works backwards (from @{term t} to @{term s}), we cannot use the
-induction theorem @{thm[source]rtrancl_induct}: it works in the
-forward direction. Fortunately the converse induction theorem
-@{thm[source]converse_rtrancl_induct} already exists:
-@{thm[display,margin=60]converse_rtrancl_induct[no_vars]}
-It says that if @{prop"(a,b):r\<^sup>*"} and we know @{prop"P b"} then we can infer
-@{prop"P a"} provided each step backwards from a predecessor @{term z} of
-@{term b} preserves @{term P}.
-*}
-
-apply(erule converse_rtrancl_induct)
-
-txt{*\noindent
-The base case
-@{subgoals[display,indent=0,goals_limit=1]}
-is solved by unrolling @{term lfp} once
-*}
-
- apply(subst lfp_unfold[OF mono_ef])
-
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-and disposing of the resulting trivial subgoal automatically:
-*}
-
- apply(blast)
-
-txt{*\noindent
-The proof of the induction step is identical to the one for the base case:
-*}
-
-apply(subst lfp_unfold[OF mono_ef])
-apply(blast)
-done
-
-text{*
-The main theorem is proved in the familiar manner: induction followed by
-@{text auto} augmented with the lemma as a simplification rule.
-*}
-
-theorem "mc f = {s. s \<Turnstile> f}"
-apply(induct_tac f)
-apply(auto simp add: EF_lemma)
-done
-
-text{*
-\begin{exercise}
-@{term AX} has a dual operator @{term EN}
-(``there exists a next state such that'')%
-\footnote{We cannot use the customary @{text EX}: it is reserved
-as the \textsc{ascii}-equivalent of @{text"\<exists>"}.}
-with the intended semantics
-@{prop[display]"(s \<Turnstile> EN f) = (EX t. (s,t) : M & t \<Turnstile> f)"}
-Fortunately, @{term"EN f"} can already be expressed as a PDL formula. How?
-
-Show that the semantics for @{term EF} satisfies the following recursion equation:
-@{prop[display]"(s \<Turnstile> EF f) = (s \<Turnstile> f | s \<Turnstile> EN(EF f))"}
-\end{exercise}
-\index{PDL|)}
-*}
-(*<*)
-theorem main: "mc f = {s. s \<Turnstile> f}"
-apply(induct_tac f)
-apply(auto simp add: EF_lemma)
-done
-
-lemma aux: "s \<Turnstile> f = (s : mc f)"
-apply(simp add: main)
-done
-
-lemma "(s \<Turnstile> EF f) = (s \<Turnstile> f | s \<Turnstile> Neg(AX(Neg(EF f))))"
-apply(simp only: aux)
-apply(simp)
-apply(subst lfp_unfold[OF mono_ef], fast)
-done
-
-end
-(*>*)
--- a/doc-src/TutorialI/CodeGen/CodeGen.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,135 +0,0 @@
-(*<*)
-theory CodeGen imports Main begin
-(*>*)
-
-section{*Case Study: Compiling Expressions*}
-
-text{*\label{sec:ExprCompiler}
-\index{compiling expressions example|(}%
-The task is to develop a compiler from a generic type of expressions (built
-from variables, constants and binary operations) to a stack machine. This
-generic type of expressions is a generalization of the boolean expressions in
-\S\ref{sec:boolex}. This time we do not commit ourselves to a particular
-type of variables or values but make them type parameters. Neither is there
-a fixed set of binary operations: instead the expression contains the
-appropriate function itself.
-*}
-
-type_synonym 'v binop = "'v \<Rightarrow> 'v \<Rightarrow> 'v";
-datatype ('a,'v)expr = Cex 'v
- | Vex 'a
- | Bex "'v binop" "('a,'v)expr" "('a,'v)expr";
-
-text{*\noindent
-The three constructors represent constants, variables and the application of
-a binary operation to two subexpressions.
-
-The value of an expression with respect to an environment that maps variables to
-values is easily defined:
-*}
-
-primrec "value" :: "('a,'v)expr \<Rightarrow> ('a \<Rightarrow> 'v) \<Rightarrow> 'v" where
-"value (Cex v) env = v" |
-"value (Vex a) env = env a" |
-"value (Bex f e1 e2) env = f (value e1 env) (value e2 env)"
-
-text{*
-The stack machine has three instructions: load a constant value onto the
-stack, load the contents of an address onto the stack, and apply a
-binary operation to the two topmost elements of the stack, replacing them by
-the result. As for @{text"expr"}, addresses and values are type parameters:
-*}
-
-datatype ('a,'v) instr = Const 'v
- | Load 'a
- | Apply "'v binop";
-
-text{*
-The execution of the stack machine is modelled by a function
-@{text"exec"} that takes a list of instructions, a store (modelled as a
-function from addresses to values, just like the environment for
-evaluating expressions), and a stack (modelled as a list) of values,
-and returns the stack at the end of the execution --- the store remains
-unchanged:
-*}
-
-primrec exec :: "('a,'v)instr list \<Rightarrow> ('a\<Rightarrow>'v) \<Rightarrow> 'v list \<Rightarrow> 'v list"
-where
-"exec [] s vs = vs" |
-"exec (i#is) s vs = (case i of
- Const v \<Rightarrow> exec is s (v#vs)
- | Load a \<Rightarrow> exec is s ((s a)#vs)
- | Apply f \<Rightarrow> exec is s ((f (hd vs) (hd(tl vs)))#(tl(tl vs))))"
-
-text{*\noindent
-Recall that @{term"hd"} and @{term"tl"}
-return the first element and the remainder of a list.
-Because all functions are total, \cdx{hd} is defined even for the empty
-list, although we do not know what the result is. Thus our model of the
-machine always terminates properly, although the definition above does not
-tell us much about the result in situations where @{term"Apply"} was executed
-with fewer than two elements on the stack.
-
-The compiler is a function from expressions to a list of instructions. Its
-definition is obvious:
-*}
-
-primrec compile :: "('a,'v)expr \<Rightarrow> ('a,'v)instr list" where
-"compile (Cex v) = [Const v]" |
-"compile (Vex a) = [Load a]" |
-"compile (Bex f e1 e2) = (compile e2) @ (compile e1) @ [Apply f]"
-
-text{*
-Now we have to prove the correctness of the compiler, i.e.\ that the
-execution of a compiled expression results in the value of the expression:
-*}
-theorem "exec (compile e) s [] = [value e s]";
-(*<*)oops;(*>*)
-text{*\noindent
-This theorem needs to be generalized:
-*}
-
-theorem "\<forall>vs. exec (compile e) s vs = (value e s) # vs";
-
-txt{*\noindent
-It will be proved by induction on @{term"e"} followed by simplification.
-First, we must prove a lemma about executing the concatenation of two
-instruction sequences:
-*}
-(*<*)oops;(*>*)
-lemma exec_app[simp]:
- "\<forall>vs. exec (xs@ys) s vs = exec ys s (exec xs s vs)";
-
-txt{*\noindent
-This requires induction on @{term"xs"} and ordinary simplification for the
-base cases. In the induction step, simplification leaves us with a formula
-that contains two @{text"case"}-expressions over instructions. Thus we add
-automatic case splitting, which finishes the proof:
-*}
-apply(induct_tac xs, simp, simp split: instr.split);
-(*<*)done(*>*)
-text{*\noindent
-Note that because both \methdx{simp_all} and \methdx{auto} perform simplification, they can
-be modified in the same way as @{text simp}. Thus the proof can be
-rewritten as
-*}
-(*<*)
-declare exec_app[simp del];
-lemma [simp]: "\<forall>vs. exec (xs@ys) s vs = exec ys s (exec xs s vs)";
-(*>*)
-apply(induct_tac xs, simp_all split: instr.split);
-(*<*)done(*>*)
-text{*\noindent
-Although this is more compact, it is less clear for the reader of the proof.
-
-We could now go back and prove @{prop"exec (compile e) s [] = [value e s]"}
-merely by simplification with the generalized version we just proved.
-However, this is unnecessary because the generalized version fully subsumes
-its instance.%
-\index{compiling expressions example|)}
-*}
-(*<*)
-theorem "\<forall>vs. exec (compile e) s vs = (value e s) # vs";
-by(induct_tac e, auto);
-end
-(*>*)
--- a/doc-src/TutorialI/Datatype/ABexpr.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,163 +0,0 @@
-(*<*)
-theory ABexpr imports Main begin;
-(*>*)
-
-text{*
-\index{datatypes!mutually recursive}%
-Sometimes it is necessary to define two datatypes that depend on each
-other. This is called \textbf{mutual recursion}. As an example consider a
-language of arithmetic and boolean expressions where
-\begin{itemize}
-\item arithmetic expressions contain boolean expressions because there are
- conditional expressions like ``if $m<n$ then $n-m$ else $m-n$'',
- and
-\item boolean expressions contain arithmetic expressions because of
- comparisons like ``$m<n$''.
-\end{itemize}
-In Isabelle this becomes
-*}
-
-datatype 'a aexp = IF "'a bexp" "'a aexp" "'a aexp"
- | Sum "'a aexp" "'a aexp"
- | Diff "'a aexp" "'a aexp"
- | Var 'a
- | Num nat
-and 'a bexp = Less "'a aexp" "'a aexp"
- | And "'a bexp" "'a bexp"
- | Neg "'a bexp";
-
-text{*\noindent
-Type @{text"aexp"} is similar to @{text"expr"} in \S\ref{sec:ExprCompiler},
-except that we have added an @{text IF} constructor,
-fixed the values to be of type @{typ"nat"} and declared the two binary
-operations @{text Sum} and @{term"Diff"}. Boolean
-expressions can be arithmetic comparisons, conjunctions and negations.
-The semantics is given by two evaluation functions:
-*}
-
-primrec evala :: "'a aexp \<Rightarrow> ('a \<Rightarrow> nat) \<Rightarrow> nat" and
- evalb :: "'a bexp \<Rightarrow> ('a \<Rightarrow> nat) \<Rightarrow> bool" where
-"evala (IF b a1 a2) env =
- (if evalb b env then evala a1 env else evala a2 env)" |
-"evala (Sum a1 a2) env = evala a1 env + evala a2 env" |
-"evala (Diff a1 a2) env = evala a1 env - evala a2 env" |
-"evala (Var v) env = env v" |
-"evala (Num n) env = n" |
-
-"evalb (Less a1 a2) env = (evala a1 env < evala a2 env)" |
-"evalb (And b1 b2) env = (evalb b1 env \<and> evalb b2 env)" |
-"evalb (Neg b) env = (\<not> evalb b env)"
-
-text{*\noindent
-
-Both take an expression and an environment (a mapping from variables
-@{typ"'a"} to values @{typ"nat"}) and return its arithmetic/boolean
-value. Since the datatypes are mutually recursive, so are functions
-that operate on them. Hence they need to be defined in a single
-\isacommand{primrec} section. Notice the \isakeyword{and} separating
-the declarations of @{const evala} and @{const evalb}. Their defining
-equations need not be split into two groups;
-the empty line is purely for readability.
-
-In the same fashion we also define two functions that perform substitution:
-*}
-
-primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp" and
- substb :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a bexp \<Rightarrow> 'b bexp" where
-"substa s (IF b a1 a2) =
- IF (substb s b) (substa s a1) (substa s a2)" |
-"substa s (Sum a1 a2) = Sum (substa s a1) (substa s a2)" |
-"substa s (Diff a1 a2) = Diff (substa s a1) (substa s a2)" |
-"substa s (Var v) = s v" |
-"substa s (Num n) = Num n" |
-
-"substb s (Less a1 a2) = Less (substa s a1) (substa s a2)" |
-"substb s (And b1 b2) = And (substb s b1) (substb s b2)" |
-"substb s (Neg b) = Neg (substb s b)"
-
-text{*\noindent
-Their first argument is a function mapping variables to expressions, the
-substitution. It is applied to all variables in the second argument. As a
-result, the type of variables in the expression may change from @{typ"'a"}
-to @{typ"'b"}. Note that there are only arithmetic and no boolean variables.
-
-Now we can prove a fundamental theorem about the interaction between
-evaluation and substitution: applying a substitution $s$ to an expression $a$
-and evaluating the result in an environment $env$ yields the same result as
-evaluation $a$ in the environment that maps every variable $x$ to the value
-of $s(x)$ under $env$. If you try to prove this separately for arithmetic or
-boolean expressions (by induction), you find that you always need the other
-theorem in the induction step. Therefore you need to state and prove both
-theorems simultaneously:
-*}
-
-lemma "evala (substa s a) env = evala a (\<lambda>x. evala (s x) env) \<and>
- evalb (substb s b) env = evalb b (\<lambda>x. evala (s x) env)";
-apply(induct_tac a and b);
-
-txt{*\noindent The resulting 8 goals (one for each constructor) are proved in one fell swoop:
-*}
-
-apply simp_all;
-(*<*)done(*>*)
-
-text{*
-In general, given $n$ mutually recursive datatypes $\tau@1$, \dots, $\tau@n$,
-an inductive proof expects a goal of the form
-\[ P@1(x@1)\ \land \dots \land P@n(x@n) \]
-where each variable $x@i$ is of type $\tau@i$. Induction is started by
-\begin{isabelle}
-\isacommand{apply}@{text"(induct_tac"} $x@1$ \isacommand{and} \dots\ \isacommand{and} $x@n$@{text ")"}
-\end{isabelle}
-
-\begin{exercise}
- Define a function @{text"norma"} of type @{typ"'a aexp => 'a aexp"} that
- replaces @{term"IF"}s with complex boolean conditions by nested
- @{term"IF"}s; it should eliminate the constructors
- @{term"And"} and @{term"Neg"}, leaving only @{term"Less"}.
- Prove that @{text"norma"}
- preserves the value of an expression and that the result of @{text"norma"}
- is really normal, i.e.\ no more @{term"And"}s and @{term"Neg"}s occur in
- it. ({\em Hint:} proceed as in \S\ref{sec:boolex} and read the discussion
- of type annotations following lemma @{text subst_id} below).
-\end{exercise}
-*}
-(*<*)
-primrec norma :: "'a aexp \<Rightarrow> 'a aexp" and
- normb :: "'a bexp \<Rightarrow> 'a aexp \<Rightarrow> 'a aexp \<Rightarrow> 'a aexp" where
-"norma (IF b t e) = (normb b (norma t) (norma e))" |
-"norma (Sum a1 a2) = Sum (norma a1) (norma a2)" |
-"norma (Diff a1 a2) = Diff (norma a1) (norma a2)" |
-"norma (Var v) = Var v" |
-"norma (Num n) = Num n" |
-
-"normb (Less a1 a2) t e = IF (Less (norma a1) (norma a2)) t e" |
-"normb (And b1 b2) t e = normb b1 (normb b2 t e) e" |
-"normb (Neg b) t e = normb b e t"
-
-lemma " evala (norma a) env = evala a env
- \<and> (\<forall> t e. evala (normb b t e) env = evala (IF b t e) env)"
-apply (induct_tac a and b)
-apply (simp_all)
-done
-
-primrec normala :: "'a aexp \<Rightarrow> bool" and
- normalb :: "'a bexp \<Rightarrow> bool" where
-"normala (IF b t e) = (normalb b \<and> normala t \<and> normala e)" |
-"normala (Sum a1 a2) = (normala a1 \<and> normala a2)" |
-"normala (Diff a1 a2) = (normala a1 \<and> normala a2)" |
-"normala (Var v) = True" |
-"normala (Num n) = True" |
-
-"normalb (Less a1 a2) = (normala a1 \<and> normala a2)" |
-"normalb (And b1 b2) = False" |
-"normalb (Neg b) = False"
-
-lemma "normala (norma (a::'a aexp)) \<and>
- (\<forall> (t::'a aexp) e. (normala t \<and> normala e) \<longrightarrow> normala (normb b t e))"
-apply (induct_tac a and b)
-apply (auto)
-done
-
-end
-(*>*)
--- a/doc-src/TutorialI/Datatype/Fundata.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,50 +0,0 @@
-(*<*)
-theory Fundata imports Main begin
-(*>*)
-datatype ('a,'i)bigtree = Tip | Br 'a "'i \<Rightarrow> ('a,'i)bigtree"
-
-text{*\noindent
-Parameter @{typ"'a"} is the type of values stored in
-the @{term Br}anches of the tree, whereas @{typ"'i"} is the index
-type over which the tree branches. If @{typ"'i"} is instantiated to
-@{typ"bool"}, the result is a binary tree; if it is instantiated to
-@{typ"nat"}, we have an infinitely branching tree because each node
-has as many subtrees as there are natural numbers. How can we possibly
-write down such a tree? Using functional notation! For example, the term
-@{term[display]"Br (0::nat) (\<lambda>i. Br i (\<lambda>n. Tip))"}
-of type @{typ"(nat,nat)bigtree"} is the tree whose
-root is labeled with 0 and whose $i$th subtree is labeled with $i$ and
-has merely @{term"Tip"}s as further subtrees.
-
-Function @{term"map_bt"} applies a function to all labels in a @{text"bigtree"}:
-*}
-
-primrec map_bt :: "('a \<Rightarrow> 'b) \<Rightarrow> ('a,'i)bigtree \<Rightarrow> ('b,'i)bigtree"
-where
-"map_bt f Tip = Tip" |
-"map_bt f (Br a F) = Br (f a) (\<lambda>i. map_bt f (F i))"
-
-text{*\noindent This is a valid \isacommand{primrec} definition because the
-recursive calls of @{term"map_bt"} involve only subtrees of
-@{term"F"}, which is itself a subterm of the left-hand side. Thus termination
-is assured. The seasoned functional programmer might try expressing
-@{term"%i. map_bt f (F i)"} as @{term"map_bt f o F"}, which Isabelle
-however will reject. Applying @{term"map_bt"} to only one of its arguments
-makes the termination proof less obvious.
-
-The following lemma has a simple proof by induction: *}
-
-lemma "map_bt (g o f) T = map_bt g (map_bt f T)";
-apply(induct_tac T, simp_all)
-done
-(*<*)lemma "map_bt (g o f) T = map_bt g (map_bt f T)";
-apply(induct_tac T, rename_tac[2] F)(*>*)
-txt{*\noindent
-Because of the function type, the proof state after induction looks unusual.
-Notice the quantified induction hypothesis:
-@{subgoals[display,indent=0]}
-*}
-(*<*)
-oops
-end
-(*>*)
--- a/doc-src/TutorialI/Datatype/Nested.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,159 +0,0 @@
-(*<*)
-theory Nested imports ABexpr begin
-(*>*)
-
-text{*
-\index{datatypes!and nested recursion}%
-So far, all datatypes had the property that on the right-hand side of their
-definition they occurred only at the top-level: directly below a
-constructor. Now we consider \emph{nested recursion}, where the recursive
-datatype occurs nested in some other datatype (but not inside itself!).
-Consider the following model of terms
-where function symbols can be applied to a list of arguments:
-*}
-(*<*)hide_const Var(*>*)
-datatype ('v,'f)"term" = Var 'v | App 'f "('v,'f)term list";
-
-text{*\noindent
-Note that we need to quote @{text term} on the left to avoid confusion with
-the Isabelle command \isacommand{term}.
-Parameter @{typ"'v"} is the type of variables and @{typ"'f"} the type of
-function symbols.
-A mathematical term like $f(x,g(y))$ becomes @{term"App f [Var x, App g
- [Var y]]"}, where @{term f}, @{term g}, @{term x}, @{term y} are
-suitable values, e.g.\ numbers or strings.
-
-What complicates the definition of @{text term} is the nested occurrence of
-@{text term} inside @{text list} on the right-hand side. In principle,
-nested recursion can be eliminated in favour of mutual recursion by unfolding
-the offending datatypes, here @{text list}. The result for @{text term}
-would be something like
-\medskip
-
-\input{unfoldnested.tex}
-\medskip
-
-\noindent
-Although we do not recommend this unfolding to the user, it shows how to
-simulate nested recursion by mutual recursion.
-Now we return to the initial definition of @{text term} using
-nested recursion.
-
-Let us define a substitution function on terms. Because terms involve term
-lists, we need to define two substitution functions simultaneously:
-*}
-
-primrec
-subst :: "('v\<Rightarrow>('v,'f)term) \<Rightarrow> ('v,'f)term \<Rightarrow> ('v,'f)term" and
-substs:: "('v\<Rightarrow>('v,'f)term) \<Rightarrow> ('v,'f)term list \<Rightarrow> ('v,'f)term list"
-where
-"subst s (Var x) = s x" |
- subst_App:
-"subst s (App f ts) = App f (substs s ts)" |
-
-"substs s [] = []" |
-"substs s (t # ts) = subst s t # substs s ts"
-
-text{*\noindent
-Individual equations in a \commdx{primrec} definition may be
-named as shown for @{thm[source]subst_App}.
-The significance of this device will become apparent below.
-
-Similarly, when proving a statement about terms inductively, we need
-to prove a related statement about term lists simultaneously. For example,
-the fact that the identity substitution does not change a term needs to be
-strengthened and proved as follows:
-*}
-
-lemma subst_id(*<*)(*referred to from ABexpr*)(*>*): "subst Var t = (t ::('v,'f)term) \<and>
- substs Var ts = (ts::('v,'f)term list)";
-apply(induct_tac t and ts, simp_all);
-done
-
-text{*\noindent
-Note that @{term Var} is the identity substitution because by definition it
-leaves variables unchanged: @{prop"subst Var (Var x) = Var x"}. Note also
-that the type annotations are necessary because otherwise there is nothing in
-the goal to enforce that both halves of the goal talk about the same type
-parameters @{text"('v,'f)"}. As a result, induction would fail
-because the two halves of the goal would be unrelated.
-
-\begin{exercise}
-The fact that substitution distributes over composition can be expressed
-roughly as follows:
-@{text[display]"subst (f \<circ> g) t = subst f (subst g t)"}
-Correct this statement (you will find that it does not type-check),
-strengthen it, and prove it. (Note: @{text"\<circ>"} is function composition;
-its definition is found in theorem @{thm[source]o_def}).
-\end{exercise}
-\begin{exercise}\label{ex:trev-trev}
- Define a function @{term trev} of type @{typ"('v,'f)term => ('v,'f)term"}
-that recursively reverses the order of arguments of all function symbols in a
- term. Prove that @{prop"trev(trev t) = t"}.
-\end{exercise}
-
-The experienced functional programmer may feel that our definition of
-@{term subst} is too complicated in that @{const substs} is
-unnecessary. The @{term App}-case can be defined directly as
-@{term[display]"subst s (App f ts) = App f (map (subst s) ts)"}
-where @{term"map"} is the standard list function such that
-@{text"map f [x1,...,xn] = [f x1,...,f xn]"}. This is true, but Isabelle
-insists on the conjunctive format. Fortunately, we can easily \emph{prove}
-that the suggested equation holds:
-*}
-(*<*)
-(* Exercise 1: *)
-lemma "subst ((subst f) \<circ> g) t = subst f (subst g t) \<and>
- substs ((subst f) \<circ> g) ts = substs f (substs g ts)"
-apply (induct_tac t and ts)
-apply (simp_all)
-done
-
-(* Exercise 2: *)
-
-primrec trev :: "('v,'f) term \<Rightarrow> ('v,'f) term"
- and trevs:: "('v,'f) term list \<Rightarrow> ('v,'f) term list"
-where
- "trev (Var v) = Var v"
-| "trev (App f ts) = App f (trevs ts)"
-| "trevs [] = []"
-| "trevs (t#ts) = (trevs ts) @ [(trev t)]"
-
-lemma [simp]: "\<forall> ys. trevs (xs @ ys) = (trevs ys) @ (trevs xs)"
-apply (induct_tac xs, auto)
-done
-
-lemma "trev (trev t) = (t::('v,'f)term) \<and>
- trevs (trevs ts) = (ts::('v,'f)term list)"
-apply (induct_tac t and ts, simp_all)
-done
-(*>*)
-
-lemma [simp]: "subst s (App f ts) = App f (map (subst s) ts)"
-apply(induct_tac ts, simp_all)
-done
-
-text{*\noindent
-What is more, we can now disable the old defining equation as a
-simplification rule:
-*}
-
-declare subst_App [simp del]
-
-text{*\noindent The advantage is that now we have replaced @{const
-substs} by @{const map}, we can profit from the large number of
-pre-proved lemmas about @{const map}. Unfortunately, inductive proofs
-about type @{text term} are still awkward because they expect a
-conjunction. One could derive a new induction principle as well (see
-\S\ref{sec:derive-ind}), but simpler is to stop using
-\isacommand{primrec} and to define functions with \isacommand{fun}
-instead. Simple uses of \isacommand{fun} are described in
-\S\ref{sec:fun} below. Advanced applications, including functions
-over nested datatypes like @{text term}, are discussed in a
-separate tutorial~\cite{isabelle-function}.
-
-Of course, you may also combine mutual and nested recursion of datatypes. For example,
-constructor @{text Sum} in \S\ref{sec:datatype-mut-rec} could take a list of
-expressions as its argument: @{text Sum}~@{typ[quotes]"'a aexp list"}.
-*}
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Datatype/unfoldnested.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,8 +0,0 @@
-(*<*)
-theory unfoldnested imports Main begin;
-(*>*)
-datatype ('v,'f)"term" = Var 'v | App 'f "('v,'f)term_list"
-and ('v,'f)term_list = Nil | Cons "('v,'f)term" "('v,'f)term_list"
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Documents/Documents.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,787 +0,0 @@
-(*<*)
-theory Documents imports Main begin
-(*>*)
-
-section {* Concrete Syntax \label{sec:concrete-syntax} *}
-
-text {*
- The core concept of Isabelle's framework for concrete syntax is that
- of \bfindex{mixfix annotations}. Associated with any kind of
- constant declaration, mixfixes affect both the grammar productions
- for the parser and output templates for the pretty printer.
-
- In full generality, parser and pretty printer configuration is a
- subtle affair~\cite{isabelle-ref}. Your syntax specifications need
- to interact properly with the existing setup of Isabelle/Pure and
- Isabelle/HOL\@. To avoid creating ambiguities with existing
- elements, it is particularly important to give new syntactic
- constructs the right precedence.
-
- Below we introduce a few simple syntax declaration
- forms that already cover many common situations fairly well.
-*}
-
-
-subsection {* Infix Annotations *}
-
-text {*
- Syntax annotations may be included wherever constants are declared,
- such as \isacommand{definition} and \isacommand{primrec} --- and also
- \isacommand{datatype}, which declares constructor operations.
- Type-constructors may be annotated as well, although this is less
- frequently encountered in practice (the infix type @{text "\<times>"} comes
- to mind).
-
- Infix declarations\index{infix annotations} provide a useful special
- case of mixfixes. The following example of the exclusive-or
- operation on boolean values illustrates typical infix declarations.
-*}
-
-definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "[+]" 60)
-where "A [+] B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
-
-text {*
- \noindent Now @{text "xor A B"} and @{text "A [+] B"} refer to the
- same expression internally. Any curried function with at least two
- arguments may be given infix syntax. For partial applications with
- fewer than two operands, there is a notation using the prefix~@{text
- op}. For instance, @{text xor} without arguments is represented as
- @{text "op [+]"}; together with ordinary function application, this
- turns @{text "xor A"} into @{text "op [+] A"}.
-
- The keyword \isakeyword{infixl} seen above specifies an
- infix operator that is nested to the \emph{left}: in iterated
- applications the more complex expression appears on the left-hand
- side, and @{term "A [+] B [+] C"} stands for @{text "(A [+] B) [+]
- C"}. Similarly, \isakeyword{infixr} means nesting to the
- \emph{right}, reading @{term "A [+] B [+] C"} as @{text "A [+] (B
- [+] C)"}. A \emph{non-oriented} declaration via \isakeyword{infix}
- would render @{term "A [+] B [+] C"} illegal, but demand explicit
- parentheses to indicate the intended grouping.
-
- The string @{text [source] "[+]"} in our annotation refers to the
- concrete syntax to represent the operator (a literal token), while
- the number @{text 60} determines the precedence of the construct:
- the syntactic priorities of the arguments and result. Isabelle/HOL
- already uses up many popular combinations of ASCII symbols for its
- own use, including both @{text "+"} and @{text "++"}. Longer
- character combinations are more likely to be still available for
- user extensions, such as our~@{text "[+]"}.
-
- Operator precedences have a range of 0--1000. Very low or high
- priorities are reserved for the meta-logic. HOL syntax mainly uses
- the range of 10--100: the equality infix @{text "="} is centered at
- 50; logical connectives (like @{text "\<or>"} and @{text "\<and>"}) are
- below 50; algebraic ones (like @{text "+"} and @{text "*"}) are
- above 50. User syntax should strive to coexist with common HOL
- forms, or use the mostly unused range 100--900.
-*}
-
-
-subsection {* Mathematical Symbols \label{sec:syntax-symbols} *}
-
-text {*
- Concrete syntax based on ASCII characters has inherent limitations.
- Mathematical notation demands a larger repertoire of glyphs.
- Several standards of extended character sets have been proposed over
- decades, but none has become universally available so far. Isabelle
- has its own notion of \bfindex{symbols} as the smallest entities of
- source text, without referring to internal encodings. There are
- three kinds of such ``generalized characters'':
-
- \begin{enumerate}
-
- \item 7-bit ASCII characters
-
- \item named symbols: \verb,\,\verb,<,$ident$\verb,>,
-
- \item named control symbols: \verb,\,\verb,<^,$ident$\verb,>,
-
- \end{enumerate}
-
- Here $ident$ is any sequence of letters.
- This results in an infinite store of symbols, whose
- interpretation is left to further front-end tools. For example, the
- user-interface of Proof~General + X-Symbol and the Isabelle document
- processor (see \S\ref{sec:document-preparation}) display the
- \verb,\,\verb,<forall>, symbol as~@{text \<forall>}.
-
- A list of standard Isabelle symbols is given in
- \cite{isabelle-isar-ref}. You may introduce your own
- interpretation of further symbols by configuring the appropriate
- front-end tool accordingly, e.g.\ by defining certain {\LaTeX}
- macros (see also \S\ref{sec:doc-prep-symbols}). There are also a
- few predefined control symbols, such as \verb,\,\verb,<^sub>, and
- \verb,\,\verb,<^sup>, for sub- and superscript of the subsequent
- printable symbol, respectively. For example, \verb,A\<^sup>\<star>, is
- output as @{text "A\<^sup>\<star>"}.
-
- A number of symbols are considered letters by the Isabelle lexer and
- can be used as part of identifiers. These are the greek letters
- @{text "\<alpha>"} (\verb+\+\verb+<alpha>+), @{text "\<beta>"}
- (\verb+\+\verb+<beta>+), etc. (excluding @{text "\<lambda>"}),
- special letters like @{text "\<A>"} (\verb+\+\verb+<A>+) and @{text
- "\<AA>"} (\verb+\+\verb+<AA>+), and the control symbols
- \verb+\+\verb+<^isub>+ and \verb+\+\verb+<^isup>+ for single letter
- sub and super scripts. This means that the input
-
- \medskip
- {\small\noindent \verb,\,\verb,<forall>\,\verb,<alpha>\<^isub>1.,~\verb,\,\verb,<alpha>\<^isub>1 = \,\verb,<Pi>\<^isup>\<A>,}
-
- \medskip
- \noindent is recognized as the term @{term "\<forall>\<alpha>\<^isub>1. \<alpha>\<^isub>1 = \<Pi>\<^isup>\<A>"}
- by Isabelle. Note that @{text "\<Pi>\<^isup>\<A>"} is a single
- syntactic entity, not an exponentiation.
-
- Replacing our previous definition of @{text xor} by the
- following specifies an Isabelle symbol for the new operator:
-*}
-
-(*<*)
-hide_const xor
-setup {* Sign.add_path "version1" *}
-(*>*)
-definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "\<oplus>" 60)
-where "A \<oplus> B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
-(*<*)
-setup {* Sign.local_path *}
-(*>*)
-
-text {*
- \noindent Proof~General provides several input methods to enter
- @{text \<oplus>} in the text. If all fails one may just type a named
- entity \verb,\,\verb,<oplus>, by hand; the corresponding symbol will
- be displayed after further input.
-
- More flexible is to provide alternative syntax forms
- through the \bfindex{print mode} concept~\cite{isabelle-ref}. By
- convention, the mode of ``$xsymbols$'' is enabled whenever
- Proof~General's X-Symbol mode or {\LaTeX} output is active. Now
- consider the following hybrid declaration of @{text xor}:
-*}
-
-(*<*)
-hide_const xor
-setup {* Sign.add_path "version2" *}
-(*>*)
-definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "[+]\<ignore>" 60)
-where "A [+]\<ignore> B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
-
-notation (xsymbols) xor (infixl "\<oplus>\<ignore>" 60)
-(*<*)
-setup {* Sign.local_path *}
-(*>*)
-
-text {*\noindent
-The \commdx{notation} command associates a mixfix
-annotation with a known constant. The print mode specification,
-here @{text "(xsymbols)"}, is optional.
-
-We may now write @{text "A [+] B"} or @{text "A \<oplus> B"} in input, while
-output uses the nicer syntax of $xsymbols$ whenever that print mode is
-active. Such an arrangement is particularly useful for interactive
-development, where users may type ASCII text and see mathematical
-symbols displayed during proofs. *}
-
-
-subsection {* Prefix Annotations *}
-
-text {*
- Prefix syntax annotations\index{prefix annotation} are another form
- of mixfixes \cite{isabelle-ref}, without any template arguments or
- priorities --- just some literal syntax. The following example
- associates common symbols with the constructors of a datatype.
-*}
-
-datatype currency =
- Euro nat ("\<euro>")
- | Pounds nat ("\<pounds>")
- | Yen nat ("\<yen>")
- | Dollar nat ("$")
-
-text {*
- \noindent Here the mixfix annotations on the rightmost column happen
- to consist of a single Isabelle symbol each: \verb,\,\verb,<euro>,,
- \verb,\,\verb,<pounds>,, \verb,\,\verb,<yen>,, and \verb,$,. Recall
- that a constructor like @{text Euro} actually is a function @{typ
- "nat \<Rightarrow> currency"}. The expression @{text "Euro 10"} will be
- printed as @{term "\<euro> 10"}; only the head of the application is
- subject to our concrete syntax. This rather simple form already
- achieves conformance with notational standards of the European
- Commission.
-
- Prefix syntax works the same way for other commands that introduce new constants, e.g. \isakeyword{primrec}.
-*}
-
-
-subsection {* Abbreviations \label{sec:abbreviations} *}
-
-text{* Mixfix syntax annotations merely decorate particular constant
-application forms with concrete syntax, for instance replacing
-@{text "xor A B"} by @{text "A \<oplus> B"}. Occasionally, the relationship
-between some piece of notation and its internal form is more
-complicated. Here we need \emph{abbreviations}.
-
-Command \commdx{abbreviation} introduces an uninterpreted notational
-constant as an abbreviation for a complex term. Abbreviations are
-unfolded upon parsing and re-introduced upon printing. This provides a
-simple mechanism for syntactic macros.
-
-A typical use of abbreviations is to introduce relational notation for
-membership in a set of pairs, replacing @{text "(x, y) \<in> sim"} by
-@{text "x \<approx> y"}. We assume that a constant @{text sim } of type
-@{typ"('a \<times> 'a) set"} has been introduced at this point. *}
-(*<*)consts sim :: "('a \<times> 'a) set"(*>*)
-abbreviation sim2 :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix "\<approx>" 50)
-where "x \<approx> y \<equiv> (x, y) \<in> sim"
-
-text {* \noindent The given meta-equality is used as a rewrite rule
-after parsing (replacing \mbox{@{prop"x \<approx> y"}} by @{text"(x,y) \<in>
-sim"}) and before printing (turning @{text"(x,y) \<in> sim"} back into
-\mbox{@{prop"x \<approx> y"}}). The name of the dummy constant @{text "sim2"}
-does not matter, as long as it is unique.
-
-Another common application of abbreviations is to
-provide variant versions of fundamental relational expressions, such
-as @{text \<noteq>} for negated equalities. The following declaration
-stems from Isabelle/HOL itself:
-*}
-
-abbreviation not_equal :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "~=\<ignore>" 50)
-where "x ~=\<ignore> y \<equiv> \<not> (x = y)"
-
-notation (xsymbols) not_equal (infix "\<noteq>\<ignore>" 50)
-
-text {* \noindent The notation @{text \<noteq>} is introduced separately to restrict it
-to the \emph{xsymbols} mode.
-
-Abbreviations are appropriate when the defined concept is a
-simple variation on an existing one. But because of the automatic
-folding and unfolding of abbreviations, they do not scale up well to
-large hierarchies of concepts. Abbreviations do not replace
-definitions.
-
-Abbreviations are a simplified form of the general concept of
-\emph{syntax translations}; even heavier transformations may be
-written in ML \cite{isabelle-ref}.
-*}
-
-
-section {* Document Preparation \label{sec:document-preparation} *}
-
-text {*
- Isabelle/Isar is centered around the concept of \bfindex{formal
- proof documents}\index{documents|bold}. The outcome of a formal
- development effort is meant to be a human-readable record, presented
- as browsable PDF file or printed on paper. The overall document
- structure follows traditional mathematical articles, with sections,
- intermediate explanations, definitions, theorems and proofs.
-
- \medskip The Isabelle document preparation system essentially acts
- as a front-end to {\LaTeX}. After checking specifications and
- proofs formally, the theory sources are turned into typesetting
- instructions in a schematic manner. This lets you write authentic
- reports on theory developments with little effort: many technical
- consistency checks are handled by the system.
-
- Here is an example to illustrate the idea of Isabelle document
- preparation.
-*}
-
-text_raw {* \begin{quotation} *}
-
-text {*
- The following datatype definition of @{text "'a bintree"} models
- binary trees with nodes being decorated by elements of type @{typ
- 'a}.
-*}
-
-datatype 'a bintree =
- Leaf | Branch 'a "'a bintree" "'a bintree"
-
-text {*
- \noindent The datatype induction rule generated here is of the form
- @{thm [indent = 1, display] bintree.induct [no_vars]}
-*}
-
-text_raw {* \end{quotation} *}
-
-text {*
- \noindent The above document output has been produced as follows:
-
- \begin{ttbox}
- text {\ttlbrace}*
- The following datatype definition of {\at}{\ttlbrace}text "'a bintree"{\ttrbrace}
- models binary trees with nodes being decorated by elements
- of type {\at}{\ttlbrace}typ 'a{\ttrbrace}.
- *{\ttrbrace}
-
- datatype 'a bintree =
- Leaf | Branch 'a "'a bintree" "'a bintree"
- \end{ttbox}
- \begin{ttbox}
- text {\ttlbrace}*
- {\ttback}noindent The datatype induction rule generated here is
- of the form {\at}{\ttlbrace}thm [display] bintree.induct [no_vars]{\ttrbrace}
- *{\ttrbrace}
- \end{ttbox}\vspace{-\medskipamount}
-
- \noindent Here we have augmented the theory by formal comments
- (using \isakeyword{text} blocks), the informal parts may again refer
- to formal entities by means of ``antiquotations'' (such as
- \texttt{\at}\verb,{text "'a bintree"}, or
- \texttt{\at}\verb,{typ 'a},), see also \S\ref{sec:doc-prep-text}.
-*}
-
-
-subsection {* Isabelle Sessions *}
-
-text {*
- In contrast to the highly interactive mode of Isabelle/Isar theory
- development, the document preparation stage essentially works in
- batch-mode. An Isabelle \bfindex{session} consists of a collection
- of source files that may contribute to an output document. Each
- session is derived from a single parent, usually an object-logic
- image like \texttt{HOL}. This results in an overall tree structure,
- which is reflected by the output location in the file system
- (usually rooted at \verb,~/.isabelle/IsabelleXXXX/browser_info,).
-
- \medskip The easiest way to manage Isabelle sessions is via
- \texttt{isabelle mkdir} (generates an initial session source setup)
- and \texttt{isabelle make} (run sessions controlled by
- \texttt{IsaMakefile}). For example, a new session
- \texttt{MySession} derived from \texttt{HOL} may be produced as
- follows:
-
-\begin{verbatim}
- isabelle mkdir HOL MySession
- isabelle make
-\end{verbatim}
-
- The \texttt{isabelle make} job also informs about the file-system
- location of the ultimate results. The above dry run should be able
- to produce some \texttt{document.pdf} (with dummy title, empty table
- of contents etc.). Any failure at this stage usually indicates
- technical problems of the {\LaTeX} installation.
-
- \medskip The detailed arrangement of the session sources is as
- follows.
-
- \begin{itemize}
-
- \item Directory \texttt{MySession} holds the required theory files
- $T@1$\texttt{.thy}, \dots, $T@n$\texttt{.thy}.
-
- \item File \texttt{MySession/ROOT.ML} holds appropriate ML commands
- for loading all wanted theories, usually just
- ``\texttt{use_thy"$T@i$";}'' for any $T@i$ in leaf position of the
- dependency graph.
-
- \item Directory \texttt{MySession/document} contains everything
- required for the {\LaTeX} stage; only \texttt{root.tex} needs to be
- provided initially.
-
- The latter file holds appropriate {\LaTeX} code to commence a
- document (\verb,\documentclass, etc.), and to include the generated
- files $T@i$\texttt{.tex} for each theory. Isabelle will generate a
- file \texttt{session.tex} holding {\LaTeX} commands to include all
- generated theory output files in topologically sorted order, so
- \verb,\input{session}, in the body of \texttt{root.tex} does the job
- in most situations.
-
- \item \texttt{IsaMakefile} holds appropriate dependencies and
- invocations of Isabelle tools to control the batch job. In fact,
- several sessions may be managed by the same \texttt{IsaMakefile}.
- See the \emph{Isabelle System Manual} \cite{isabelle-sys}
- for further details, especially on
- \texttt{isabelle usedir} and \texttt{isabelle make}.
-
- \end{itemize}
-
- One may now start to populate the directory \texttt{MySession}, and
- the file \texttt{MySession/ROOT.ML} accordingly. The file
- \texttt{MySession/document/root.tex} should also be adapted at some
- point; the default version is mostly self-explanatory. Note that
- \verb,\isabellestyle, enables fine-tuning of the general appearance
- of characters and mathematical symbols (see also
- \S\ref{sec:doc-prep-symbols}).
-
- Especially observe the included {\LaTeX} packages \texttt{isabelle}
- (mandatory), \texttt{isabellesym} (required for mathematical
- symbols), and the final \texttt{pdfsetup} (provides sane defaults
- for \texttt{hyperref}, including URL markup). All three are
- distributed with Isabelle. Further packages may be required in
- particular applications, say for unusual mathematical symbols.
-
- \medskip Any additional files for the {\LaTeX} stage go into the
- \texttt{MySession/document} directory as well. In particular,
- adding a file named \texttt{root.bib} causes an automatic run of
- \texttt{bibtex} to process a bibliographic database; see also
- \texttt{isabelle document} \cite{isabelle-sys}.
-
- \medskip Any failure of the document preparation phase in an
- Isabelle batch session leaves the generated sources in their target
- location, identified by the accompanying error message. This lets
- you trace {\LaTeX} problems with the generated files at hand.
-*}
-
-
-subsection {* Structure Markup *}
-
-text {*
- The large-scale structure of Isabelle documents follows existing
- {\LaTeX} conventions, with chapters, sections, subsubsections etc.
- The Isar language includes separate \bfindex{markup commands}, which
- do not affect the formal meaning of a theory (or proof), but result
- in corresponding {\LaTeX} elements.
-
- There are separate markup commands depending on the textual context:
- in header position (just before \isakeyword{theory}), within the
- theory body, or within a proof. The header needs to be treated
- specially here, since ordinary theory and proof commands may only
- occur \emph{after} the initial \isakeyword{theory} specification.
-
- \medskip
-
- \begin{tabular}{llll}
- header & theory & proof & default meaning \\\hline
- & \commdx{chapter} & & \verb,\chapter, \\
- \commdx{header} & \commdx{section} & \commdx{sect} & \verb,\section, \\
- & \commdx{subsection} & \commdx{subsect} & \verb,\subsection, \\
- & \commdx{subsubsection} & \commdx{subsubsect} & \verb,\subsubsection, \\
- \end{tabular}
-
- \medskip
-
- From the Isabelle perspective, each markup command takes a single
- $text$ argument (delimited by \verb,",~@{text \<dots>}~\verb,", or
- \verb,{,\verb,*,~@{text \<dots>}~\verb,*,\verb,},). After stripping any
- surrounding white space, the argument is passed to a {\LaTeX} macro
- \verb,\isamarkupXYZ, for command \isakeyword{XYZ}. These macros are
- defined in \verb,isabelle.sty, according to the meaning given in the
- rightmost column above.
-
- \medskip The following source fragment illustrates structure markup
- of a theory. Note that {\LaTeX} labels may be included inside of
- section headings as well.
-
- \begin{ttbox}
- header {\ttlbrace}* Some properties of Foo Bar elements *{\ttrbrace}
-
- theory Foo_Bar
- imports Main
- begin
-
- subsection {\ttlbrace}* Basic definitions *{\ttrbrace}
-
- definition foo :: \dots
-
- definition bar :: \dots
-
- subsection {\ttlbrace}* Derived rules *{\ttrbrace}
-
- lemma fooI: \dots
- lemma fooE: \dots
-
- subsection {\ttlbrace}* Main theorem {\ttback}label{\ttlbrace}sec:main-theorem{\ttrbrace} *{\ttrbrace}
-
- theorem main: \dots
-
- end
- \end{ttbox}\vspace{-\medskipamount}
-
- You may occasionally want to change the meaning of markup commands,
- say via \verb,\renewcommand, in \texttt{root.tex}. For example,
- \verb,\isamarkupheader, is a good candidate for some tuning. We
- could move it up in the hierarchy to become \verb,\chapter,.
-
-\begin{verbatim}
- \renewcommand{\isamarkupheader}[1]{\chapter{#1}}
-\end{verbatim}
-
- \noindent Now we must change the document class given in
- \texttt{root.tex} to something that supports chapters. A suitable
- command is \verb,\documentclass{report},.
-
- \medskip The {\LaTeX} macro \verb,\isabellecontext, is maintained to
- hold the name of the current theory context. This is particularly
- useful for document headings:
-
-\begin{verbatim}
- \renewcommand{\isamarkupheader}[1]
- {\chapter{#1}\markright{THEORY~\isabellecontext}}
-\end{verbatim}
-
- \noindent Make sure to include something like
- \verb,\pagestyle{headings}, in \texttt{root.tex}; the document
- should have more than two pages to show the effect.
-*}
-
-
-subsection {* Formal Comments and Antiquotations \label{sec:doc-prep-text} *}
-
-text {*
- Isabelle \bfindex{source comments}, which are of the form
- \verb,(,\verb,*,~@{text \<dots>}~\verb,*,\verb,),, essentially act like
- white space and do not really contribute to the content. They
- mainly serve technical purposes to mark certain oddities in the raw
- input text. In contrast, \bfindex{formal comments} are portions of
- text that are associated with formal Isabelle/Isar commands
- (\bfindex{marginal comments}), or as standalone paragraphs within a
- theory or proof context (\bfindex{text blocks}).
-
- \medskip Marginal comments are part of each command's concrete
- syntax \cite{isabelle-ref}; the common form is ``\verb,--,~$text$''
- where $text$ is delimited by \verb,",@{text \<dots>}\verb,", or
- \verb,{,\verb,*,~@{text \<dots>}~\verb,*,\verb,}, as before. Multiple
- marginal comments may be given at the same time. Here is a simple
- example:
-*}
-
-lemma "A --> A"
- -- "a triviality of propositional logic"
- -- "(should not really bother)"
- by (rule impI) -- "implicit assumption step involved here"
-
-text {*
- \noindent The above output has been produced as follows:
-
-\begin{verbatim}
- lemma "A --> A"
- -- "a triviality of propositional logic"
- -- "(should not really bother)"
- by (rule impI) -- "implicit assumption step involved here"
-\end{verbatim}
-
- From the {\LaTeX} viewpoint, ``\verb,--,'' acts like a markup
- command, associated with the macro \verb,\isamarkupcmt, (taking a
- single argument).
-
- \medskip Text blocks are introduced by the commands \bfindex{text}
- and \bfindex{txt}, for theory and proof contexts, respectively.
- Each takes again a single $text$ argument, which is interpreted as a
- free-form paragraph in {\LaTeX} (surrounded by some additional
- vertical space). This behavior may be changed by redefining the
- {\LaTeX} environments of \verb,isamarkuptext, or
- \verb,isamarkuptxt,, respectively (via \verb,\renewenvironment,) The
- text style of the body is determined by \verb,\isastyletext, and
- \verb,\isastyletxt,; the default setup uses a smaller font within
- proofs. This may be changed as follows:
-
-\begin{verbatim}
- \renewcommand{\isastyletxt}{\isastyletext}
-\end{verbatim}
-
- \medskip The $text$ part of Isabelle markup commands essentially
- inserts \emph{quoted material} into a formal text, mainly for
- instruction of the reader. An \bfindex{antiquotation} is again a
- formal object embedded into such an informal portion. The
- interpretation of antiquotations is limited to some well-formedness
- checks, with the result being pretty printed to the resulting
- document. Quoted text blocks together with antiquotations provide
- an attractive means of referring to formal entities, with good
- confidence in getting the technical details right (especially syntax
- and types).
-
- The general syntax of antiquotations is as follows:
- \texttt{{\at}{\ttlbrace}$name$ $arguments${\ttrbrace}}, or
- \texttt{{\at}{\ttlbrace}$name$ [$options$] $arguments${\ttrbrace}}
- for a comma-separated list of options consisting of a $name$ or
- \texttt{$name$=$value$} each. The syntax of $arguments$ depends on
- the kind of antiquotation, it generally follows the same conventions
- for types, terms, or theorems as in the formal part of a theory.
-
- \medskip This sentence demonstrates quotations and antiquotations:
- @{term "%x y. x"} is a well-typed term.
-
- \medskip\noindent The output above was produced as follows:
- \begin{ttbox}
-text {\ttlbrace}*
- This sentence demonstrates quotations and antiquotations:
- {\at}{\ttlbrace}term "%x y. x"{\ttrbrace} is a well-typed term.
-*{\ttrbrace}
- \end{ttbox}\vspace{-\medskipamount}
-
- The notational change from the ASCII character~\verb,%, to the
- symbol~@{text \<lambda>} reveals that Isabelle printed this term, after
- parsing and type-checking. Document preparation enables symbolic
- output by default.
-
- \medskip The next example includes an option to show the type of all
- variables. The antiquotation
- \texttt{{\at}}\verb,{term [show_types] "%x y. x"}, produces the
- output @{term [show_types] "%x y. x"}. Type inference has figured
- out the most general typings in the present theory context. Terms
- may acquire different typings due to constraints imposed by their
- environment; within a proof, for example, variables are given the
- same types as they have in the main goal statement.
-
- \medskip Several further kinds of antiquotations and options are
- available \cite{isabelle-isar-ref}. Here are a few commonly used
- combinations:
-
- \medskip
-
- \begin{tabular}{ll}
- \texttt{\at}\verb,{typ,~$\tau$\verb,}, & print type $\tau$ \\
- \texttt{\at}\verb,{const,~$c$\verb,}, & check existence of $c$ and print it \\
- \texttt{\at}\verb,{term,~$t$\verb,}, & print term $t$ \\
- \texttt{\at}\verb,{prop,~$\phi$\verb,}, & print proposition $\phi$ \\
- \texttt{\at}\verb,{prop [display],~$\phi$\verb,}, & print large proposition $\phi$ (with linebreaks) \\
- \texttt{\at}\verb,{prop [source],~$\phi$\verb,}, & check proposition $\phi$, print its input \\
- \texttt{\at}\verb,{thm,~$a$\verb,}, & print fact $a$ \\
- \texttt{\at}\verb,{thm,~$a$~\verb,[no_vars]}, & print fact $a$, fixing schematic variables \\
- \texttt{\at}\verb,{thm [source],~$a$\verb,}, & check availability of fact $a$, print its name \\
- \texttt{\at}\verb,{text,~$s$\verb,}, & print uninterpreted text $s$ \\
- \end{tabular}
-
- \medskip
-
- Note that \attrdx{no_vars} given above is \emph{not} an
- antiquotation option, but an attribute of the theorem argument given
- here. This might be useful with a diagnostic command like
- \isakeyword{thm}, too.
-
- \medskip The \texttt{\at}\verb,{text, $s$\verb,}, antiquotation is
- particularly interesting. Embedding uninterpreted text within an
- informal body might appear useless at first sight. Here the key
- virtue is that the string $s$ is processed as Isabelle output,
- interpreting Isabelle symbols appropriately.
-
- For example, \texttt{\at}\verb,{text "\<forall>\<exists>"}, produces @{text
- "\<forall>\<exists>"}, according to the standard interpretation of these symbol
- (cf.\ \S\ref{sec:doc-prep-symbols}). Thus we achieve consistent
- mathematical notation in both the formal and informal parts of the
- document very easily, independently of the term language of
- Isabelle. Manual {\LaTeX} code would leave more control over the
- typesetting, but is also slightly more tedious.
-*}
-
-
-subsection {* Interpretation of Symbols \label{sec:doc-prep-symbols} *}
-
-text {*
- As has been pointed out before (\S\ref{sec:syntax-symbols}),
- Isabelle symbols are the smallest syntactic entities --- a
- straightforward generalization of ASCII characters. While Isabelle
- does not impose any interpretation of the infinite collection of
- named symbols, {\LaTeX} documents use canonical glyphs for certain
- standard symbols \cite{isabelle-isar-ref}.
-
- The {\LaTeX} code produced from Isabelle text follows a simple
- scheme. You can tune the final appearance by redefining certain
- macros, say in \texttt{root.tex} of the document.
-
- \begin{enumerate}
-
- \item 7-bit ASCII characters: letters \texttt{A\dots Z} and
- \texttt{a\dots z} are output directly, digits are passed as an
- argument to the \verb,\isadigit, macro, other characters are
- replaced by specifically named macros of the form
- \verb,\isacharXYZ,.
-
- \item Named symbols: \verb,\,\verb,<XYZ>, is turned into
- \verb,{\isasymXYZ},; note the additional braces.
-
- \item Named control symbols: \verb,\,\verb,<^XYZ>, is turned into
- \verb,\isactrlXYZ,; subsequent symbols may act as arguments if the
- control macro is defined accordingly.
-
- \end{enumerate}
-
- You may occasionally wish to give new {\LaTeX} interpretations of
- named symbols. This merely requires an appropriate definition of
- \verb,\isasymXYZ,, for \verb,\,\verb,<XYZ>, (see
- \texttt{isabelle.sty} for working examples). Control symbols are
- slightly more difficult to get right, though.
-
- \medskip The \verb,\isabellestyle, macro provides a high-level
- interface to tune the general appearance of individual symbols. For
- example, \verb,\isabellestyle{it}, uses the italics text style to
- mimic the general appearance of the {\LaTeX} math mode; double
- quotes are not printed at all. The resulting quality of typesetting
- is quite good, so this should be the default style for work that
- gets distributed to a broader audience.
-*}
-
-
-subsection {* Suppressing Output \label{sec:doc-prep-suppress} *}
-
-text {*
- By default, Isabelle's document system generates a {\LaTeX} file for
- each theory that gets loaded while running the session. The
- generated \texttt{session.tex} will include all of these in order of
- appearance, which in turn gets included by the standard
- \texttt{root.tex}. Certainly one may change the order or suppress
- unwanted theories by ignoring \texttt{session.tex} and load
- individual files directly in \texttt{root.tex}. On the other hand,
- such an arrangement requires additional maintenance whenever the
- collection of theories changes.
-
- Alternatively, one may tune the theory loading process in
- \texttt{ROOT.ML} itself: traversal of the theory dependency graph
- may be fine-tuned by adding \verb,use_thy, invocations, although
- topological sorting still has to be observed. Moreover, the ML
- operator \verb,no_document, temporarily disables document generation
- while executing a theory loader command. Its usage is like this:
-
-\begin{verbatim}
- no_document use_thy "T";
-\end{verbatim}
-
- \medskip Theory output may be suppressed more selectively, either
- via \bfindex{tagged command regions} or \bfindex{ignored material}.
-
- Tagged command regions works by annotating commands with named tags,
- which correspond to certain {\LaTeX} markup that tells how to treat
- particular parts of a document when doing the actual type-setting.
- By default, certain Isabelle/Isar commands are implicitly marked up
- using the predefined tags ``\emph{theory}'' (for theory begin and
- end), ``\emph{proof}'' (for proof commands), and ``\emph{ML}'' (for
- commands involving ML code). Users may add their own tags using the
- \verb,%,\emph{tag} notation right after a command name. In the
- subsequent example we hide a particularly irrelevant proof:
-*}
-
-lemma "x = x" by %invisible (simp)
-
-text {*
- The original source has been ``\verb,lemma "x = x" by %invisible (simp),''.
- Tags observe the structure of proofs; adjacent commands with the
- same tag are joined into a single region. The Isabelle document
- preparation system allows the user to specify how to interpret a
- tagged region, in order to keep, drop, or fold the corresponding
- parts of the document. See the \emph{Isabelle System Manual}
- \cite{isabelle-sys} for further details, especially on
- \texttt{isabelle usedir} and \texttt{isabelle document}.
-
- Ignored material is specified by delimiting the original formal
- source with special source comments
- \verb,(,\verb,*,\verb,<,\verb,*,\verb,), and
- \verb,(,\verb,*,\verb,>,\verb,*,\verb,),. These parts are stripped
- before the type-setting phase, without affecting the formal checking
- of the theory, of course. For example, we may hide parts of a proof
- that seem unfit for general public inspection. The following
- ``fully automatic'' proof is actually a fake:
-*}
-
-lemma "x \<noteq> (0::int) \<Longrightarrow> 0 < x * x"
- by (auto(*<*)simp add: zero_less_mult_iff(*>*))
-
-text {*
- \noindent The real source of the proof has been as follows:
-
-\begin{verbatim}
- by (auto(*<*)simp add: zero_less_mult_iff(*>*))
-\end{verbatim}
-%(*
-
- \medskip Suppressing portions of printed text demands care. You
- should not misrepresent the underlying theory development. It is
- easy to invalidate the visible text by hiding references to
- questionable axioms, for example.
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Fun/fun0.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,261 +0,0 @@
-(*<*)
-theory fun0 imports Main begin
-(*>*)
-
-text{*
-\subsection{Definition}
-\label{sec:fun-examples}
-
-Here is a simple example, the \rmindex{Fibonacci function}:
-*}
-
-fun fib :: "nat \<Rightarrow> nat" where
-"fib 0 = 0" |
-"fib (Suc 0) = 1" |
-"fib (Suc(Suc x)) = fib x + fib (Suc x)"
-
-text{*\noindent
-This resembles ordinary functional programming languages. Note the obligatory
-\isacommand{where} and \isa{|}. Command \isacommand{fun} declares and
-defines the function in one go. Isabelle establishes termination automatically
-because @{const fib}'s argument decreases in every recursive call.
-
-Slightly more interesting is the insertion of a fixed element
-between any two elements of a list:
-*}
-
-fun sep :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list" where
-"sep a [] = []" |
-"sep a [x] = [x]" |
-"sep a (x#y#zs) = x # a # sep a (y#zs)";
-
-text{*\noindent
-This time the length of the list decreases with the
-recursive call; the first argument is irrelevant for termination.
-
-Pattern matching\index{pattern matching!and \isacommand{fun}}
-need not be exhaustive and may employ wildcards:
-*}
-
-fun last :: "'a list \<Rightarrow> 'a" where
-"last [x] = x" |
-"last (_#y#zs) = last (y#zs)"
-
-text{*
-Overlapping patterns are disambiguated by taking the order of equations into
-account, just as in functional programming:
-*}
-
-fun sep1 :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list" where
-"sep1 a (x#y#zs) = x # a # sep1 a (y#zs)" |
-"sep1 _ xs = xs"
-
-text{*\noindent
-To guarantee that the second equation can only be applied if the first
-one does not match, Isabelle internally replaces the second equation
-by the two possibilities that are left: @{prop"sep1 a [] = []"} and
-@{prop"sep1 a [x] = [x]"}. Thus the functions @{const sep} and
-@{const sep1} are identical.
-
-Because of its pattern matching syntax, \isacommand{fun} is also useful
-for the definition of non-recursive functions:
-*}
-
-fun swap12 :: "'a list \<Rightarrow> 'a list" where
-"swap12 (x#y#zs) = y#x#zs" |
-"swap12 zs = zs"
-
-text{*
-After a function~$f$ has been defined via \isacommand{fun},
-its defining equations (or variants derived from them) are available
-under the name $f$@{text".simps"} as theorems.
-For example, look (via \isacommand{thm}) at
-@{thm[source]sep.simps} and @{thm[source]sep1.simps} to see that they define
-the same function. What is more, those equations are automatically declared as
-simplification rules.
-
-\subsection{Termination}
-
-Isabelle's automatic termination prover for \isacommand{fun} has a
-fixed notion of the \emph{size} (of type @{typ nat}) of an
-argument. The size of a natural number is the number itself. The size
-of a list is its length. For the general case see \S\ref{sec:general-datatype}.
-A recursive function is accepted if \isacommand{fun} can
-show that the size of one fixed argument becomes smaller with each
-recursive call.
-
-More generally, \isacommand{fun} allows any \emph{lexicographic
-combination} of size measures in case there are multiple
-arguments. For example, the following version of \rmindex{Ackermann's
-function} is accepted: *}
-
-fun ack2 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"ack2 n 0 = Suc n" |
-"ack2 0 (Suc m) = ack2 (Suc 0) m" |
-"ack2 (Suc n) (Suc m) = ack2 (ack2 n (Suc m)) m"
-
-text{* The order of arguments has no influence on whether
-\isacommand{fun} can prove termination of a function. For more details
-see elsewhere~\cite{bulwahnKN07}.
-
-\subsection{Simplification}
-\label{sec:fun-simplification}
-
-Upon a successful termination proof, the recursion equations become
-simplification rules, just as with \isacommand{primrec}.
-In most cases this works fine, but there is a subtle
-problem that must be mentioned: simplification may not
-terminate because of automatic splitting of @{text "if"}.
-\index{*if expressions!splitting of}
-Let us look at an example:
-*}
-
-fun gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"gcd m n = (if n=0 then m else gcd n (m mod n))"
-
-text{*\noindent
-The second argument decreases with each recursive call.
-The termination condition
-@{prop[display]"n ~= (0::nat) ==> m mod n < n"}
-is proved automatically because it is already present as a lemma in
-HOL\@. Thus the recursion equation becomes a simplification
-rule. Of course the equation is nonterminating if we are allowed to unfold
-the recursive call inside the @{text else} branch, which is why programming
-languages and our simplifier don't do that. Unfortunately the simplifier does
-something else that leads to the same problem: it splits
-each @{text "if"}-expression unless its
-condition simplifies to @{term True} or @{term False}. For
-example, simplification reduces
-@{prop[display]"gcd m n = k"}
-in one step to
-@{prop[display]"(if n=0 then m else gcd n (m mod n)) = k"}
-where the condition cannot be reduced further, and splitting leads to
-@{prop[display]"(n=0 --> m=k) & (n ~= 0 --> gcd n (m mod n)=k)"}
-Since the recursive call @{term"gcd n (m mod n)"} is no longer protected by
-an @{text "if"}, it is unfolded again, which leads to an infinite chain of
-simplification steps. Fortunately, this problem can be avoided in many
-different ways.
-
-The most radical solution is to disable the offending theorem
-@{thm[source]split_if},
-as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
-approach: you will often have to invoke the rule explicitly when
-@{text "if"} is involved.
-
-If possible, the definition should be given by pattern matching on the left
-rather than @{text "if"} on the right. In the case of @{term gcd} the
-following alternative definition suggests itself:
-*}
-
-fun gcd1 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"gcd1 m 0 = m" |
-"gcd1 m n = gcd1 n (m mod n)"
-
-text{*\noindent
-The order of equations is important: it hides the side condition
-@{prop"n ~= (0::nat)"}. Unfortunately, not all conditionals can be
-expressed by pattern matching.
-
-A simple alternative is to replace @{text "if"} by @{text case},
-which is also available for @{typ bool} and is not split automatically:
-*}
-
-fun gcd2 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"gcd2 m n = (case n=0 of True \<Rightarrow> m | False \<Rightarrow> gcd2 n (m mod n))"
-
-text{*\noindent
-This is probably the neatest solution next to pattern matching, and it is
-always available.
-
-A final alternative is to replace the offending simplification rules by
-derived conditional ones. For @{term gcd} it means we have to prove
-these lemmas:
-*}
-
-lemma [simp]: "gcd m 0 = m"
-apply(simp)
-done
-
-lemma [simp]: "n \<noteq> 0 \<Longrightarrow> gcd m n = gcd n (m mod n)"
-apply(simp)
-done
-
-text{*\noindent
-Simplification terminates for these proofs because the condition of the @{text
-"if"} simplifies to @{term True} or @{term False}.
-Now we can disable the original simplification rule:
-*}
-
-declare gcd.simps [simp del]
-
-text{*
-\index{induction!recursion|(}
-\index{recursion induction|(}
-
-\subsection{Induction}
-\label{sec:fun-induction}
-
-Having defined a function we might like to prove something about it.
-Since the function is recursive, the natural proof principle is
-again induction. But this time the structural form of induction that comes
-with datatypes is unlikely to work well --- otherwise we could have defined the
-function by \isacommand{primrec}. Therefore \isacommand{fun} automatically
-proves a suitable induction rule $f$@{text".induct"} that follows the
-recursion pattern of the particular function $f$. We call this
-\textbf{recursion induction}. Roughly speaking, it
-requires you to prove for each \isacommand{fun} equation that the property
-you are trying to establish holds for the left-hand side provided it holds
-for all recursive calls on the right-hand side. Here is a simple example
-involving the predefined @{term"map"} functional on lists:
-*}
-
-lemma "map f (sep x xs) = sep (f x) (map f xs)"
-
-txt{*\noindent
-Note that @{term"map f xs"}
-is the result of applying @{term"f"} to all elements of @{term"xs"}. We prove
-this lemma by recursion induction over @{term"sep"}:
-*}
-
-apply(induct_tac x xs rule: sep.induct);
-
-txt{*\noindent
-The resulting proof state has three subgoals corresponding to the three
-clauses for @{term"sep"}:
-@{subgoals[display,indent=0]}
-The rest is pure simplification:
-*}
-
-apply simp_all;
-done
-
-text{*\noindent The proof goes smoothly because the induction rule
-follows the recursion of @{const sep}. Try proving the above lemma by
-structural induction, and you find that you need an additional case
-distinction.
-
-In general, the format of invoking recursion induction is
-\begin{quote}
-\isacommand{apply}@{text"(induct_tac"} $x@1 \dots x@n$ @{text"rule:"} $f$@{text".induct)"}
-\end{quote}\index{*induct_tac (method)}%
-where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
-name of a function that takes $n$ arguments. Usually the subgoal will
-contain the term $f x@1 \dots x@n$ but this need not be the case. The
-induction rules do not mention $f$ at all. Here is @{thm[source]sep.induct}:
-\begin{isabelle}
-{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
-~~{\isasymAnd}a~x.~P~a~[x];\isanewline
-~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
-{\isasymLongrightarrow}~P~u~v%
-\end{isabelle}
-It merely says that in order to prove a property @{term"P"} of @{term"u"} and
-@{term"v"} you need to prove it for the three cases where @{term"v"} is the
-empty list, the singleton list, and the list with at least two elements.
-The final case has an induction hypothesis: you may assume that @{term"P"}
-holds for the tail of that list.
-\index{induction!recursion|)}
-\index{recursion induction|)}
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Ifexpr/Ifexpr.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,221 +0,0 @@
-(*<*)
-theory Ifexpr imports Main begin;
-(*>*)
-
-subsection{*Case Study: Boolean Expressions*}
-
-text{*\label{sec:boolex}\index{boolean expressions example|(}
-The aim of this case study is twofold: it shows how to model boolean
-expressions and some algorithms for manipulating them, and it demonstrates
-the constructs introduced above.
-*}
-
-subsubsection{*Modelling Boolean Expressions*}
-
-text{*
-We want to represent boolean expressions built up from variables and
-constants by negation and conjunction. The following datatype serves exactly
-that purpose:
-*}
-
-datatype boolex = Const bool | Var nat | Neg boolex
- | And boolex boolex;
-
-text{*\noindent
-The two constants are represented by @{term"Const True"} and
-@{term"Const False"}. Variables are represented by terms of the form
-@{term"Var n"}, where @{term"n"} is a natural number (type @{typ"nat"}).
-For example, the formula $P@0 \land \neg P@1$ is represented by the term
-@{term"And (Var 0) (Neg(Var 1))"}.
-
-\subsubsection{The Value of a Boolean Expression}
-
-The value of a boolean expression depends on the value of its variables.
-Hence the function @{text"value"} takes an additional parameter, an
-\emph{environment} of type @{typ"nat => bool"}, which maps variables to their
-values:
-*}
-
-primrec "value" :: "boolex \<Rightarrow> (nat \<Rightarrow> bool) \<Rightarrow> bool" where
-"value (Const b) env = b" |
-"value (Var x) env = env x" |
-"value (Neg b) env = (\<not> value b env)" |
-"value (And b c) env = (value b env \<and> value c env)"
-
-text{*\noindent
-\subsubsection{If-Expressions}
-
-An alternative and often more efficient (because in a certain sense
-canonical) representation are so-called \emph{If-expressions} built up
-from constants (@{term"CIF"}), variables (@{term"VIF"}) and conditionals
-(@{term"IF"}):
-*}
-
-datatype ifex = CIF bool | VIF nat | IF ifex ifex ifex;
-
-text{*\noindent
-The evaluation of If-expressions proceeds as for @{typ"boolex"}:
-*}
-
-primrec valif :: "ifex \<Rightarrow> (nat \<Rightarrow> bool) \<Rightarrow> bool" where
-"valif (CIF b) env = b" |
-"valif (VIF x) env = env x" |
-"valif (IF b t e) env = (if valif b env then valif t env
- else valif e env)"
-
-text{*
-\subsubsection{Converting Boolean and If-Expressions}
-
-The type @{typ"boolex"} is close to the customary representation of logical
-formulae, whereas @{typ"ifex"} is designed for efficiency. It is easy to
-translate from @{typ"boolex"} into @{typ"ifex"}:
-*}
-
-primrec bool2if :: "boolex \<Rightarrow> ifex" where
-"bool2if (Const b) = CIF b" |
-"bool2if (Var x) = VIF x" |
-"bool2if (Neg b) = IF (bool2if b) (CIF False) (CIF True)" |
-"bool2if (And b c) = IF (bool2if b) (bool2if c) (CIF False)"
-
-text{*\noindent
-At last, we have something we can verify: that @{term"bool2if"} preserves the
-value of its argument:
-*}
-
-lemma "valif (bool2if b) env = value b env";
-
-txt{*\noindent
-The proof is canonical:
-*}
-
-apply(induct_tac b);
-apply(auto);
-done
-
-text{*\noindent
-In fact, all proofs in this case study look exactly like this. Hence we do
-not show them below.
-
-More interesting is the transformation of If-expressions into a normal form
-where the first argument of @{term"IF"} cannot be another @{term"IF"} but
-must be a constant or variable. Such a normal form can be computed by
-repeatedly replacing a subterm of the form @{term"IF (IF b x y) z u"} by
-@{term"IF b (IF x z u) (IF y z u)"}, which has the same value. The following
-primitive recursive functions perform this task:
-*}
-
-primrec normif :: "ifex \<Rightarrow> ifex \<Rightarrow> ifex \<Rightarrow> ifex" where
-"normif (CIF b) t e = IF (CIF b) t e" |
-"normif (VIF x) t e = IF (VIF x) t e" |
-"normif (IF b t e) u f = normif b (normif t u f) (normif e u f)"
-
-primrec norm :: "ifex \<Rightarrow> ifex" where
-"norm (CIF b) = CIF b" |
-"norm (VIF x) = VIF x" |
-"norm (IF b t e) = normif b (norm t) (norm e)"
-
-text{*\noindent
-Their interplay is tricky; we leave it to you to develop an
-intuitive understanding. Fortunately, Isabelle can help us to verify that the
-transformation preserves the value of the expression:
-*}
-
-theorem "valif (norm b) env = valif b env";(*<*)oops;(*>*)
-
-text{*\noindent
-The proof is canonical, provided we first show the following simplification
-lemma, which also helps to understand what @{term"normif"} does:
-*}
-
-lemma [simp]:
- "\<forall>t e. valif (normif b t e) env = valif (IF b t e) env";
-(*<*)
-apply(induct_tac b);
-by(auto);
-
-theorem "valif (norm b) env = valif b env";
-apply(induct_tac b);
-by(auto);
-(*>*)
-text{*\noindent
-Note that the lemma does not have a name, but is implicitly used in the proof
-of the theorem shown above because of the @{text"[simp]"} attribute.
-
-But how can we be sure that @{term"norm"} really produces a normal form in
-the above sense? We define a function that tests If-expressions for normality:
-*}
-
-primrec normal :: "ifex \<Rightarrow> bool" where
-"normal(CIF b) = True" |
-"normal(VIF x) = True" |
-"normal(IF b t e) = (normal t \<and> normal e \<and>
- (case b of CIF b \<Rightarrow> True | VIF x \<Rightarrow> True | IF x y z \<Rightarrow> False))"
-
-text{*\noindent
-Now we prove @{term"normal(norm b)"}. Of course, this requires a lemma about
-normality of @{term"normif"}:
-*}
-
-lemma [simp]: "\<forall>t e. normal(normif b t e) = (normal t \<and> normal e)";
-(*<*)
-apply(induct_tac b);
-by(auto);
-
-theorem "normal(norm b)";
-apply(induct_tac b);
-by(auto);
-(*>*)
-
-text{*\medskip
-How do we come up with the required lemmas? Try to prove the main theorems
-without them and study carefully what @{text auto} leaves unproved. This
-can provide the clue. The necessity of universal quantification
-(@{text"\<forall>t e"}) in the two lemmas is explained in
-\S\ref{sec:InductionHeuristics}
-
-\begin{exercise}
- We strengthen the definition of a @{const normal} If-expression as follows:
- the first argument of all @{term IF}s must be a variable. Adapt the above
- development to this changed requirement. (Hint: you may need to formulate
- some of the goals as implications (@{text"\<longrightarrow>"}) rather than
- equalities (@{text"="}).)
-\end{exercise}
-\index{boolean expressions example|)}
-*}
-(*<*)
-
-primrec normif2 :: "ifex => ifex => ifex => ifex" where
-"normif2 (CIF b) t e = (if b then t else e)" |
-"normif2 (VIF x) t e = IF (VIF x) t e" |
-"normif2 (IF b t e) u f = normif2 b (normif2 t u f) (normif2 e u f)"
-
-primrec norm2 :: "ifex => ifex" where
-"norm2 (CIF b) = CIF b" |
-"norm2 (VIF x) = VIF x" |
-"norm2 (IF b t e) = normif2 b (norm2 t) (norm2 e)"
-
-primrec normal2 :: "ifex => bool" where
-"normal2(CIF b) = True" |
-"normal2(VIF x) = True" |
-"normal2(IF b t e) = (normal2 t & normal2 e &
- (case b of CIF b => False | VIF x => True | IF x y z => False))"
-
-lemma [simp]:
- "ALL t e. valif (normif2 b t e) env = valif (IF b t e) env"
-apply(induct b)
-by(auto)
-
-theorem "valif (norm2 b) env = valif b env"
-apply(induct b)
-by(auto)
-
-lemma [simp]: "ALL t e. normal2 t & normal2 e --> normal2(normif2 b t e)"
-apply(induct b)
-by(auto)
-
-theorem "normal2(norm2 b)"
-apply(induct b)
-by(auto)
-
-end
-(*>*)
--- a/doc-src/TutorialI/Inductive/AB.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,309 +0,0 @@
-(*<*)theory AB imports Main begin(*>*)
-
-section{*Case Study: A Context Free Grammar*}
-
-text{*\label{sec:CFG}
-\index{grammars!defining inductively|(}%
-Grammars are nothing but shorthands for inductive definitions of nonterminals
-which represent sets of strings. For example, the production
-$A \to B c$ is short for
-\[ w \in B \Longrightarrow wc \in A \]
-This section demonstrates this idea with an example
-due to Hopcroft and Ullman, a grammar for generating all words with an
-equal number of $a$'s and~$b$'s:
-\begin{eqnarray}
-S &\to& \epsilon \mid b A \mid a B \nonumber\\
-A &\to& a S \mid b A A \nonumber\\
-B &\to& b S \mid a B B \nonumber
-\end{eqnarray}
-At the end we say a few words about the relationship between
-the original proof \cite[p.\ts81]{HopcroftUllman} and our formal version.
-
-We start by fixing the alphabet, which consists only of @{term a}'s
-and~@{term b}'s:
-*}
-
-datatype alfa = a | b
-
-text{*\noindent
-For convenience we include the following easy lemmas as simplification rules:
-*}
-
-lemma [simp]: "(x \<noteq> a) = (x = b) \<and> (x \<noteq> b) = (x = a)"
-by (case_tac x, auto)
-
-text{*\noindent
-Words over this alphabet are of type @{typ"alfa list"}, and
-the three nonterminals are declared as sets of such words.
-The productions above are recast as a \emph{mutual} inductive
-definition\index{inductive definition!simultaneous}
-of @{term S}, @{term A} and~@{term B}:
-*}
-
-inductive_set
- S :: "alfa list set" and
- A :: "alfa list set" and
- B :: "alfa list set"
-where
- "[] \<in> S"
-| "w \<in> A \<Longrightarrow> b#w \<in> S"
-| "w \<in> B \<Longrightarrow> a#w \<in> S"
-
-| "w \<in> S \<Longrightarrow> a#w \<in> A"
-| "\<lbrakk> v\<in>A; w\<in>A \<rbrakk> \<Longrightarrow> b#v@w \<in> A"
-
-| "w \<in> S \<Longrightarrow> b#w \<in> B"
-| "\<lbrakk> v \<in> B; w \<in> B \<rbrakk> \<Longrightarrow> a#v@w \<in> B"
-
-text{*\noindent
-First we show that all words in @{term S} contain the same number of @{term
-a}'s and @{term b}'s. Since the definition of @{term S} is by mutual
-induction, so is the proof: we show at the same time that all words in
-@{term A} contain one more @{term a} than @{term b} and all words in @{term
-B} contain one more @{term b} than @{term a}.
-*}
-
-lemma correctness:
- "(w \<in> S \<longrightarrow> size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b]) \<and>
- (w \<in> A \<longrightarrow> size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] + 1) \<and>
- (w \<in> B \<longrightarrow> size[x\<leftarrow>w. x=b] = size[x\<leftarrow>w. x=a] + 1)"
-
-txt{*\noindent
-These propositions are expressed with the help of the predefined @{term
-filter} function on lists, which has the convenient syntax @{text"[x\<leftarrow>xs. P
-x]"}, the list of all elements @{term x} in @{term xs} such that @{prop"P x"}
-holds. Remember that on lists @{text size} and @{text length} are synonymous.
-
-The proof itself is by rule induction and afterwards automatic:
-*}
-
-by (rule S_A_B.induct, auto)
-
-text{*\noindent
-This may seem surprising at first, and is indeed an indication of the power
-of inductive definitions. But it is also quite straightforward. For example,
-consider the production $A \to b A A$: if $v,w \in A$ and the elements of $A$
-contain one more $a$ than~$b$'s, then $bvw$ must again contain one more $a$
-than~$b$'s.
-
-As usual, the correctness of syntactic descriptions is easy, but completeness
-is hard: does @{term S} contain \emph{all} words with an equal number of
-@{term a}'s and @{term b}'s? It turns out that this proof requires the
-following lemma: every string with two more @{term a}'s than @{term
-b}'s can be cut somewhere such that each half has one more @{term a} than
-@{term b}. This is best seen by imagining counting the difference between the
-number of @{term a}'s and @{term b}'s starting at the left end of the
-word. We start with 0 and end (at the right end) with 2. Since each move to the
-right increases or decreases the difference by 1, we must have passed through
-1 on our way from 0 to 2. Formally, we appeal to the following discrete
-intermediate value theorem @{thm[source]nat0_intermed_int_val}
-@{thm[display,margin=60]nat0_intermed_int_val[no_vars]}
-where @{term f} is of type @{typ"nat \<Rightarrow> int"}, @{typ int} are the integers,
-@{text"\<bar>.\<bar>"} is the absolute value function\footnote{See
-Table~\ref{tab:ascii} in the Appendix for the correct \textsc{ascii}
-syntax.}, and @{term"1::int"} is the integer 1 (see \S\ref{sec:numbers}).
-
-First we show that our specific function, the difference between the
-numbers of @{term a}'s and @{term b}'s, does indeed only change by 1 in every
-move to the right. At this point we also start generalizing from @{term a}'s
-and @{term b}'s to an arbitrary property @{term P}. Otherwise we would have
-to prove the desired lemma twice, once as stated above and once with the
-roles of @{term a}'s and @{term b}'s interchanged.
-*}
-
-lemma step1: "\<forall>i < size w.
- \<bar>(int(size[x\<leftarrow>take (i+1) w. P x])-int(size[x\<leftarrow>take (i+1) w. \<not>P x]))
- - (int(size[x\<leftarrow>take i w. P x])-int(size[x\<leftarrow>take i w. \<not>P x]))\<bar> \<le> 1"
-
-txt{*\noindent
-The lemma is a bit hard to read because of the coercion function
-@{text"int :: nat \<Rightarrow> int"}. It is required because @{term size} returns
-a natural number, but subtraction on type~@{typ nat} will do the wrong thing.
-Function @{term take} is predefined and @{term"take i xs"} is the prefix of
-length @{term i} of @{term xs}; below we also need @{term"drop i xs"}, which
-is what remains after that prefix has been dropped from @{term xs}.
-
-The proof is by induction on @{term w}, with a trivial base case, and a not
-so trivial induction step. Since it is essentially just arithmetic, we do not
-discuss it.
-*}
-
-apply(induct_tac w)
-apply(auto simp add: abs_if take_Cons split: nat.split)
-done
-
-text{*
-Finally we come to the above-mentioned lemma about cutting in half a word with two more elements of one sort than of the other sort:
-*}
-
-lemma part1:
- "size[x\<leftarrow>w. P x] = size[x\<leftarrow>w. \<not>P x]+2 \<Longrightarrow>
- \<exists>i\<le>size w. size[x\<leftarrow>take i w. P x] = size[x\<leftarrow>take i w. \<not>P x]+1"
-
-txt{*\noindent
-This is proved by @{text force} with the help of the intermediate value theorem,
-instantiated appropriately and with its first premise disposed of by lemma
-@{thm[source]step1}:
-*}
-
-apply(insert nat0_intermed_int_val[OF step1, of "P" "w" "1"])
-by force
-
-text{*\noindent
-
-Lemma @{thm[source]part1} tells us only about the prefix @{term"take i w"}.
-An easy lemma deals with the suffix @{term"drop i w"}:
-*}
-
-
-lemma part2:
- "\<lbrakk>size[x\<leftarrow>take i w @ drop i w. P x] =
- size[x\<leftarrow>take i w @ drop i w. \<not>P x]+2;
- size[x\<leftarrow>take i w. P x] = size[x\<leftarrow>take i w. \<not>P x]+1\<rbrakk>
- \<Longrightarrow> size[x\<leftarrow>drop i w. P x] = size[x\<leftarrow>drop i w. \<not>P x]+1"
-by(simp del: append_take_drop_id)
-
-text{*\noindent
-In the proof we have disabled the normally useful lemma
-\begin{isabelle}
-@{thm append_take_drop_id[no_vars]}
-\rulename{append_take_drop_id}
-\end{isabelle}
-to allow the simplifier to apply the following lemma instead:
-@{text[display]"[x\<in>xs@ys. P x] = [x\<in>xs. P x] @ [x\<in>ys. P x]"}
-
-To dispose of trivial cases automatically, the rules of the inductive
-definition are declared simplification rules:
-*}
-
-declare S_A_B.intros[simp]
-
-text{*\noindent
-This could have been done earlier but was not necessary so far.
-
-The completeness theorem tells us that if a word has the same number of
-@{term a}'s and @{term b}'s, then it is in @{term S}, and similarly
-for @{term A} and @{term B}:
-*}
-
-theorem completeness:
- "(size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] \<longrightarrow> w \<in> S) \<and>
- (size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] + 1 \<longrightarrow> w \<in> A) \<and>
- (size[x\<leftarrow>w. x=b] = size[x\<leftarrow>w. x=a] + 1 \<longrightarrow> w \<in> B)"
-
-txt{*\noindent
-The proof is by induction on @{term w}. Structural induction would fail here
-because, as we can see from the grammar, we need to make bigger steps than
-merely appending a single letter at the front. Hence we induct on the length
-of @{term w}, using the induction rule @{thm[source]length_induct}:
-*}
-
-apply(induct_tac w rule: length_induct)
-apply(rename_tac w)
-
-txt{*\noindent
-The @{text rule} parameter tells @{text induct_tac} explicitly which induction
-rule to use. For details see \S\ref{sec:complete-ind} below.
-In this case the result is that we may assume the lemma already
-holds for all words shorter than @{term w}. Because the induction step renames
-the induction variable we rename it back to @{text w}.
-
-The proof continues with a case distinction on @{term w},
-on whether @{term w} is empty or not.
-*}
-
-apply(case_tac w)
- apply(simp_all)
-(*<*)apply(rename_tac x v)(*>*)
-
-txt{*\noindent
-Simplification disposes of the base case and leaves only a conjunction
-of two step cases to be proved:
-if @{prop"w = a#v"} and @{prop[display]"size[x\<in>v. x=a] = size[x\<in>v. x=b]+2"} then
-@{prop"b#v \<in> A"}, and similarly for @{prop"w = b#v"}.
-We only consider the first case in detail.
-
-After breaking the conjunction up into two cases, we can apply
-@{thm[source]part1} to the assumption that @{term w} contains two more @{term
-a}'s than @{term b}'s.
-*}
-
-apply(rule conjI)
- apply(clarify)
- apply(frule part1[of "\<lambda>x. x=a", simplified])
- apply(clarify)
-txt{*\noindent
-This yields an index @{prop"i \<le> length v"} such that
-@{prop[display]"length [x\<leftarrow>take i v . x = a] = length [x\<leftarrow>take i v . x = b] + 1"}
-With the help of @{thm[source]part2} it follows that
-@{prop[display]"length [x\<leftarrow>drop i v . x = a] = length [x\<leftarrow>drop i v . x = b] + 1"}
-*}
-
- apply(drule part2[of "\<lambda>x. x=a", simplified])
- apply(assumption)
-
-txt{*\noindent
-Now it is time to decompose @{term v} in the conclusion @{prop"b#v \<in> A"}
-into @{term"take i v @ drop i v"},
-*}
-
- apply(rule_tac n1=i and t=v in subst[OF append_take_drop_id])
-
-txt{*\noindent
-(the variables @{term n1} and @{term t} are the result of composing the
-theorems @{thm[source]subst} and @{thm[source]append_take_drop_id})
-after which the appropriate rule of the grammar reduces the goal
-to the two subgoals @{prop"take i v \<in> A"} and @{prop"drop i v \<in> A"}:
-*}
-
- apply(rule S_A_B.intros)
-
-txt{*
-Both subgoals follow from the induction hypothesis because both @{term"take i
-v"} and @{term"drop i v"} are shorter than @{term w}:
-*}
-
- apply(force simp add: min_less_iff_disj)
- apply(force split add: nat_diff_split)
-
-txt{*
-The case @{prop"w = b#v"} is proved analogously:
-*}
-
-apply(clarify)
-apply(frule part1[of "\<lambda>x. x=b", simplified])
-apply(clarify)
-apply(drule part2[of "\<lambda>x. x=b", simplified])
- apply(assumption)
-apply(rule_tac n1=i and t=v in subst[OF append_take_drop_id])
-apply(rule S_A_B.intros)
- apply(force simp add: min_less_iff_disj)
-by(force simp add: min_less_iff_disj split add: nat_diff_split)
-
-text{*
-We conclude this section with a comparison of our proof with
-Hopcroft\index{Hopcroft, J. E.} and Ullman's\index{Ullman, J. D.}
-\cite[p.\ts81]{HopcroftUllman}.
-For a start, the textbook
-grammar, for no good reason, excludes the empty word, thus complicating
-matters just a little bit: they have 8 instead of our 7 productions.
-
-More importantly, the proof itself is different: rather than
-separating the two directions, they perform one induction on the
-length of a word. This deprives them of the beauty of rule induction,
-and in the easy direction (correctness) their reasoning is more
-detailed than our @{text auto}. For the hard part (completeness), they
-consider just one of the cases that our @{text simp_all} disposes of
-automatically. Then they conclude the proof by saying about the
-remaining cases: ``We do this in a manner similar to our method of
-proof for part (1); this part is left to the reader''. But this is
-precisely the part that requires the intermediate value theorem and
-thus is not at all similar to the other cases (which are automatic in
-Isabelle). The authors are at least cavalier about this point and may
-even have overlooked the slight difficulty lurking in the omitted
-cases. Such errors are found in many pen-and-paper proofs when they
-are scrutinized formally.%
-\index{grammars!defining inductively|)}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Inductive/Advanced.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,407 +0,0 @@
-(*<*)theory Advanced imports Even begin
-ML_file "../../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-(*>*)
-
-text {*
-The premises of introduction rules may contain universal quantifiers and
-monotone functions. A universal quantifier lets the rule
-refer to any number of instances of
-the inductively defined set. A monotone function lets the rule refer
-to existing constructions (such as ``list of'') over the inductively defined
-set. The examples below show how to use the additional expressiveness
-and how to reason from the resulting definitions.
-*}
-
-subsection{* Universal Quantifiers in Introduction Rules \label{sec:gterm-datatype} *}
-
-text {*
-\index{ground terms example|(}%
-\index{quantifiers!and inductive definitions|(}%
-As a running example, this section develops the theory of \textbf{ground
-terms}: terms constructed from constant and function
-symbols but not variables. To simplify matters further, we regard a
-constant as a function applied to the null argument list. Let us declare a
-datatype @{text gterm} for the type of ground terms. It is a type constructor
-whose argument is a type of function symbols.
-*}
-
-datatype 'f gterm = Apply 'f "'f gterm list"
-
-text {*
-To try it out, we declare a datatype of some integer operations:
-integer constants, the unary minus operator and the addition
-operator.
-*}
-
-datatype integer_op = Number int | UnaryMinus | Plus
-
-text {*
-Now the type @{typ "integer_op gterm"} denotes the ground
-terms built over those symbols.
-
-The type constructor @{text gterm} can be generalized to a function
-over sets. It returns
-the set of ground terms that can be formed over a set @{text F} of function symbols. For
-example, we could consider the set of ground terms formed from the finite
-set @{text "{Number 2, UnaryMinus, Plus}"}.
-
-This concept is inductive. If we have a list @{text args} of ground terms
-over~@{text F} and a function symbol @{text f} in @{text F}, then we
-can apply @{text f} to @{text args} to obtain another ground term.
-The only difficulty is that the argument list may be of any length. Hitherto,
-each rule in an inductive definition referred to the inductively
-defined set a fixed number of times, typically once or twice.
-A universal quantifier in the premise of the introduction rule
-expresses that every element of @{text args} belongs
-to our inductively defined set: is a ground term
-over~@{text F}. The function @{term set} denotes the set of elements in a given
-list.
-*}
-
-inductive_set
- gterms :: "'f set \<Rightarrow> 'f gterm set"
- for F :: "'f set"
-where
-step[intro!]: "\<lbrakk>\<forall>t \<in> set args. t \<in> gterms F; f \<in> F\<rbrakk>
- \<Longrightarrow> (Apply f args) \<in> gterms F"
-
-text {*
-To demonstrate a proof from this definition, let us
-show that the function @{term gterms}
-is \textbf{monotone}. We shall need this concept shortly.
-*}
-
-lemma gterms_mono: "F\<subseteq>G \<Longrightarrow> gterms F \<subseteq> gterms G"
-apply clarify
-apply (erule gterms.induct)
-apply blast
-done
-(*<*)
-lemma gterms_mono: "F\<subseteq>G \<Longrightarrow> gterms F \<subseteq> gterms G"
-apply clarify
-apply (erule gterms.induct)
-(*>*)
-txt{*
-Intuitively, this theorem says that
-enlarging the set of function symbols enlarges the set of ground
-terms. The proof is a trivial rule induction.
-First we use the @{text clarify} method to assume the existence of an element of
-@{term "gterms F"}. (We could have used @{text "intro subsetI"}.) We then
-apply rule induction. Here is the resulting subgoal:
-@{subgoals[display,indent=0]}
-The assumptions state that @{text f} belongs
-to~@{text F}, which is included in~@{text G}, and that every element of the list @{text args} is
-a ground term over~@{text G}. The @{text blast} method finds this chain of reasoning easily.
-*}
-(*<*)oops(*>*)
-text {*
-\begin{warn}
-Why do we call this function @{text gterms} instead
-of @{text gterm}? A constant may have the same name as a type. However,
-name clashes could arise in the theorems that Isabelle generates.
-Our choice of names keeps @{text gterms.induct} separate from
-@{text gterm.induct}.
-\end{warn}
-
-Call a term \textbf{well-formed} if each symbol occurring in it is applied
-to the correct number of arguments. (This number is called the symbol's
-\textbf{arity}.) We can express well-formedness by
-generalizing the inductive definition of
-\isa{gterms}.
-Suppose we are given a function called @{text arity}, specifying the arities
-of all symbols. In the inductive step, we have a list @{text args} of such
-terms and a function symbol~@{text f}. If the length of the list matches the
-function's arity then applying @{text f} to @{text args} yields a well-formed
-term.
-*}
-
-inductive_set
- well_formed_gterm :: "('f \<Rightarrow> nat) \<Rightarrow> 'f gterm set"
- for arity :: "'f \<Rightarrow> nat"
-where
-step[intro!]: "\<lbrakk>\<forall>t \<in> set args. t \<in> well_formed_gterm arity;
- length args = arity f\<rbrakk>
- \<Longrightarrow> (Apply f args) \<in> well_formed_gterm arity"
-
-text {*
-The inductive definition neatly captures the reasoning above.
-The universal quantification over the
-@{text set} of arguments expresses that all of them are well-formed.%
-\index{quantifiers!and inductive definitions|)}
-*}
-
-subsection{* Alternative Definition Using a Monotone Function *}
-
-text {*
-\index{monotone functions!and inductive definitions|(}%
-An inductive definition may refer to the
-inductively defined set through an arbitrary monotone function. To
-demonstrate this powerful feature, let us
-change the inductive definition above, replacing the
-quantifier by a use of the function @{term lists}. This
-function, from the Isabelle theory of lists, is analogous to the
-function @{term gterms} declared above: if @{text A} is a set then
-@{term "lists A"} is the set of lists whose elements belong to
-@{term A}.
-
-In the inductive definition of well-formed terms, examine the one
-introduction rule. The first premise states that @{text args} belongs to
-the @{text lists} of well-formed terms. This formulation is more
-direct, if more obscure, than using a universal quantifier.
-*}
-
-inductive_set
- well_formed_gterm' :: "('f \<Rightarrow> nat) \<Rightarrow> 'f gterm set"
- for arity :: "'f \<Rightarrow> nat"
-where
-step[intro!]: "\<lbrakk>args \<in> lists (well_formed_gterm' arity);
- length args = arity f\<rbrakk>
- \<Longrightarrow> (Apply f args) \<in> well_formed_gterm' arity"
-monos lists_mono
-
-text {*
-We cite the theorem @{text lists_mono} to justify
-using the function @{term lists}.%
-\footnote{This particular theorem is installed by default already, but we
-include the \isakeyword{monos} declaration in order to illustrate its syntax.}
-@{named_thms [display,indent=0] lists_mono [no_vars] (lists_mono)}
-Why must the function be monotone? An inductive definition describes
-an iterative construction: each element of the set is constructed by a
-finite number of introduction rule applications. For example, the
-elements of \isa{even} are constructed by finitely many applications of
-the rules
-@{thm [display,indent=0] even.intros [no_vars]}
-All references to a set in its
-inductive definition must be positive. Applications of an
-introduction rule cannot invalidate previous applications, allowing the
-construction process to converge.
-The following pair of rules do not constitute an inductive definition:
-\begin{trivlist}
-\item @{term "0 \<in> even"}
-\item @{term "n \<notin> even \<Longrightarrow> (Suc n) \<in> even"}
-\end{trivlist}
-Showing that 4 is even using these rules requires showing that 3 is not
-even. It is far from trivial to show that this set of rules
-characterizes the even numbers.
-
-Even with its use of the function \isa{lists}, the premise of our
-introduction rule is positive:
-@{thm [display,indent=0] (prem 1) step [no_vars]}
-To apply the rule we construct a list @{term args} of previously
-constructed well-formed terms. We obtain a
-new term, @{term "Apply f args"}. Because @{term lists} is monotone,
-applications of the rule remain valid as new terms are constructed.
-Further lists of well-formed
-terms become available and none are taken away.%
-\index{monotone functions!and inductive definitions|)}
-*}
-
-subsection{* A Proof of Equivalence *}
-
-text {*
-We naturally hope that these two inductive definitions of ``well-formed''
-coincide. The equality can be proved by separate inclusions in
-each direction. Each is a trivial rule induction.
-*}
-
-lemma "well_formed_gterm arity \<subseteq> well_formed_gterm' arity"
-apply clarify
-apply (erule well_formed_gterm.induct)
-apply auto
-done
-(*<*)
-lemma "well_formed_gterm arity \<subseteq> well_formed_gterm' arity"
-apply clarify
-apply (erule well_formed_gterm.induct)
-(*>*)
-txt {*
-The @{text clarify} method gives
-us an element of @{term "well_formed_gterm arity"} on which to perform
-induction. The resulting subgoal can be proved automatically:
-@{subgoals[display,indent=0]}
-This proof resembles the one given in
-{\S}\ref{sec:gterm-datatype} above, especially in the form of the
-induction hypothesis. Next, we consider the opposite inclusion:
-*}
-(*<*)oops(*>*)
-lemma "well_formed_gterm' arity \<subseteq> well_formed_gterm arity"
-apply clarify
-apply (erule well_formed_gterm'.induct)
-apply auto
-done
-(*<*)
-lemma "well_formed_gterm' arity \<subseteq> well_formed_gterm arity"
-apply clarify
-apply (erule well_formed_gterm'.induct)
-(*>*)
-txt {*
-The proof script is virtually identical,
-but the subgoal after applying induction may be surprising:
-@{subgoals[display,indent=0,margin=65]}
-The induction hypothesis contains an application of @{term lists}. Using a
-monotone function in the inductive definition always has this effect. The
-subgoal may look uninviting, but fortunately
-@{term lists} distributes over intersection:
-@{named_thms [display,indent=0] lists_Int_eq [no_vars] (lists_Int_eq)}
-Thanks to this default simplification rule, the induction hypothesis
-is quickly replaced by its two parts:
-\begin{trivlist}
-\item @{term "args \<in> lists (well_formed_gterm' arity)"}
-\item @{term "args \<in> lists (well_formed_gterm arity)"}
-\end{trivlist}
-Invoking the rule @{text well_formed_gterm.step} completes the proof. The
-call to @{text auto} does all this work.
-
-This example is typical of how monotone functions
-\index{monotone functions} can be used. In particular, many of them
-distribute over intersection. Monotonicity implies one direction of
-this set equality; we have this theorem:
-@{named_thms [display,indent=0] mono_Int [no_vars] (mono_Int)}
-*}
-(*<*)oops(*>*)
-
-
-subsection{* Another Example of Rule Inversion *}
-
-text {*
-\index{rule inversion|(}%
-Does @{term gterms} distribute over intersection? We have proved that this
-function is monotone, so @{text mono_Int} gives one of the inclusions. The
-opposite inclusion asserts that if @{term t} is a ground term over both of the
-sets
-@{term F} and~@{term G} then it is also a ground term over their intersection,
-@{term "F \<inter> G"}.
-*}
-
-lemma gterms_IntI:
- "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
-(*<*)oops(*>*)
-text {*
-Attempting this proof, we get the assumption
-@{term "Apply f args \<in> gterms G"}, which cannot be broken down.
-It looks like a job for rule inversion:\cmmdx{inductive\protect\_cases}
-*}
-
-inductive_cases gterm_Apply_elim [elim!]: "Apply f args \<in> gterms F"
-
-text {*
-Here is the result.
-@{named_thms [display,indent=0,margin=50] gterm_Apply_elim [no_vars] (gterm_Apply_elim)}
-This rule replaces an assumption about @{term "Apply f args"} by
-assumptions about @{term f} and~@{term args}.
-No cases are discarded (there was only one to begin
-with) but the rule applies specifically to the pattern @{term "Apply f args"}.
-It can be applied repeatedly as an elimination rule without looping, so we
-have given the @{text "elim!"} attribute.
-
-Now we can prove the other half of that distributive law.
-*}
-
-lemma gterms_IntI [rule_format, intro!]:
- "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
-apply (erule gterms.induct)
-apply blast
-done
-(*<*)
-lemma "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
-apply (erule gterms.induct)
-(*>*)
-txt {*
-The proof begins with rule induction over the definition of
-@{term gterms}, which leaves a single subgoal:
-@{subgoals[display,indent=0,margin=65]}
-To prove this, we assume @{term "Apply f args \<in> gterms G"}. Rule inversion,
-in the form of @{text gterm_Apply_elim}, infers
-that every element of @{term args} belongs to
-@{term "gterms G"}; hence (by the induction hypothesis) it belongs
-to @{term "gterms (F \<inter> G)"}. Rule inversion also yields
-@{term "f \<in> G"} and hence @{term "f \<in> F \<inter> G"}.
-All of this reasoning is done by @{text blast}.
-
-\smallskip
-Our distributive law is a trivial consequence of previously-proved results:
-*}
-(*<*)oops(*>*)
-lemma gterms_Int_eq [simp]:
- "gterms (F \<inter> G) = gterms F \<inter> gterms G"
-by (blast intro!: mono_Int monoI gterms_mono)
-
-text_raw {*
-\index{rule inversion|)}%
-\index{ground terms example|)}
-
-
-\begin{isamarkuptext}
-\begin{exercise}
-A function mapping function symbols to their
-types is called a \textbf{signature}. Given a type
-ranging over type symbols, we can represent a function's type by a
-list of argument types paired with the result type.
-Complete this inductive definition:
-\begin{isabelle}
-*}
-
-inductive_set
- well_typed_gterm :: "('f \<Rightarrow> 't list * 't) \<Rightarrow> ('f gterm * 't)set"
- for sig :: "'f \<Rightarrow> 't list * 't"
-(*<*)
-where
-step[intro!]:
- "\<lbrakk>\<forall>pair \<in> set args. pair \<in> well_typed_gterm sig;
- sig f = (map snd args, rtype)\<rbrakk>
- \<Longrightarrow> (Apply f (map fst args), rtype)
- \<in> well_typed_gterm sig"
-(*>*)
-text_raw {*
-\end{isabelle}
-\end{exercise}
-\end{isamarkuptext}
-*}
-
-(*<*)
-
-text{*the following declaration isn't actually used*}
-primrec
- integer_arity :: "integer_op \<Rightarrow> nat"
-where
- "integer_arity (Number n) = 0"
-| "integer_arity UnaryMinus = 1"
-| "integer_arity Plus = 2"
-
-text{* the rest isn't used: too complicated. OK for an exercise though.*}
-
-inductive_set
- integer_signature :: "(integer_op * (unit list * unit)) set"
-where
- Number: "(Number n, ([], ())) \<in> integer_signature"
-| UnaryMinus: "(UnaryMinus, ([()], ())) \<in> integer_signature"
-| Plus: "(Plus, ([(),()], ())) \<in> integer_signature"
-
-inductive_set
- well_typed_gterm' :: "('f \<Rightarrow> 't list * 't) \<Rightarrow> ('f gterm * 't)set"
- for sig :: "'f \<Rightarrow> 't list * 't"
-where
-step[intro!]:
- "\<lbrakk>args \<in> lists(well_typed_gterm' sig);
- sig f = (map snd args, rtype)\<rbrakk>
- \<Longrightarrow> (Apply f (map fst args), rtype)
- \<in> well_typed_gterm' sig"
-monos lists_mono
-
-
-lemma "well_typed_gterm sig \<subseteq> well_typed_gterm' sig"
-apply clarify
-apply (erule well_typed_gterm.induct)
-apply auto
-done
-
-lemma "well_typed_gterm' sig \<subseteq> well_typed_gterm sig"
-apply clarify
-apply (erule well_typed_gterm'.induct)
-apply auto
-done
-
-
-end
-(*>*)
--- a/doc-src/TutorialI/Inductive/Even.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,291 +0,0 @@
-(*<*)theory Even imports Main begin
-ML_file "../../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-(*>*)
-
-section{* The Set of Even Numbers *}
-
-text {*
-\index{even numbers!defining inductively|(}%
-The set of even numbers can be inductively defined as the least set
-containing 0 and closed under the operation $+2$. Obviously,
-\emph{even} can also be expressed using the divides relation (@{text dvd}).
-We shall prove below that the two formulations coincide. On the way we
-shall examine the primary means of reasoning about inductively defined
-sets: rule induction.
-*}
-
-subsection{* Making an Inductive Definition *}
-
-text {*
-Using \commdx{inductive\protect\_set}, we declare the constant @{text even} to be
-a set of natural numbers with the desired properties.
-*}
-
-inductive_set even :: "nat set" where
-zero[intro!]: "0 \<in> even" |
-step[intro!]: "n \<in> even \<Longrightarrow> (Suc (Suc n)) \<in> even"
-
-text {*
-An inductive definition consists of introduction rules. The first one
-above states that 0 is even; the second states that if $n$ is even, then so
-is~$n+2$. Given this declaration, Isabelle generates a fixed point
-definition for @{term even} and proves theorems about it,
-thus following the definitional approach (see {\S}\ref{sec:definitional}).
-These theorems
-include the introduction rules specified in the declaration, an elimination
-rule for case analysis and an induction rule. We can refer to these
-theorems by automatically-generated names. Here are two examples:
-@{named_thms[display,indent=0] even.zero[no_vars] (even.zero) even.step[no_vars] (even.step)}
-
-The introduction rules can be given attributes. Here
-both rules are specified as \isa{intro!},%
-\index{intro"!@\isa {intro"!} (attribute)}
-directing the classical reasoner to
-apply them aggressively. Obviously, regarding 0 as even is safe. The
-@{text step} rule is also safe because $n+2$ is even if and only if $n$ is
-even. We prove this equivalence later.
-*}
-
-subsection{*Using Introduction Rules*}
-
-text {*
-Our first lemma states that numbers of the form $2\times k$ are even.
-Introduction rules are used to show that specific values belong to the
-inductive set. Such proofs typically involve
-induction, perhaps over some other inductive set.
-*}
-
-lemma two_times_even[intro!]: "2*k \<in> even"
-apply (induct_tac k)
- apply auto
-done
-(*<*)
-lemma "2*k \<in> even"
-apply (induct_tac k)
-(*>*)
-txt {*
-\noindent
-The first step is induction on the natural number @{text k}, which leaves
-two subgoals:
-@{subgoals[display,indent=0,margin=65]}
-Here @{text auto} simplifies both subgoals so that they match the introduction
-rules, which are then applied automatically.
-
-Our ultimate goal is to prove the equivalence between the traditional
-definition of @{text even} (using the divides relation) and our inductive
-definition. One direction of this equivalence is immediate by the lemma
-just proved, whose @{text "intro!"} attribute ensures it is applied automatically.
-*}
-(*<*)oops(*>*)
-lemma dvd_imp_even: "2 dvd n \<Longrightarrow> n \<in> even"
-by (auto simp add: dvd_def)
-
-subsection{* Rule Induction \label{sec:rule-induction} *}
-
-text {*
-\index{rule induction|(}%
-From the definition of the set
-@{term even}, Isabelle has
-generated an induction rule:
-@{named_thms [display,indent=0,margin=40] even.induct [no_vars] (even.induct)}
-A property @{term P} holds for every even number provided it
-holds for~@{text 0} and is closed under the operation
-\isa{Suc(Suc \(\cdot\))}. Then @{term P} is closed under the introduction
-rules for @{term even}, which is the least set closed under those rules.
-This type of inductive argument is called \textbf{rule induction}.
-
-Apart from the double application of @{term Suc}, the induction rule above
-resembles the familiar mathematical induction, which indeed is an instance
-of rule induction; the natural numbers can be defined inductively to be
-the least set containing @{text 0} and closed under~@{term Suc}.
-
-Induction is the usual way of proving a property of the elements of an
-inductively defined set. Let us prove that all members of the set
-@{term even} are multiples of two.
-*}
-
-lemma even_imp_dvd: "n \<in> even \<Longrightarrow> 2 dvd n"
-txt {*
-We begin by applying induction. Note that @{text even.induct} has the form
-of an elimination rule, so we use the method @{text erule}. We get two
-subgoals:
-*}
-apply (erule even.induct)
-txt {*
-@{subgoals[display,indent=0]}
-We unfold the definition of @{text dvd} in both subgoals, proving the first
-one and simplifying the second:
-*}
-apply (simp_all add: dvd_def)
-txt {*
-@{subgoals[display,indent=0]}
-The next command eliminates the existential quantifier from the assumption
-and replaces @{text n} by @{text "2 * k"}.
-*}
-apply clarify
-txt {*
-@{subgoals[display,indent=0]}
-To conclude, we tell Isabelle that the desired value is
-@{term "Suc k"}. With this hint, the subgoal falls to @{text simp}.
-*}
-apply (rule_tac x = "Suc k" in exI, simp)
-(*<*)done(*>*)
-
-text {*
-Combining the previous two results yields our objective, the
-equivalence relating @{term even} and @{text dvd}.
-%
-%we don't want [iff]: discuss?
-*}
-
-theorem even_iff_dvd: "(n \<in> even) = (2 dvd n)"
-by (blast intro: dvd_imp_even even_imp_dvd)
-
-
-subsection{* Generalization and Rule Induction \label{sec:gen-rule-induction} *}
-
-text {*
-\index{generalizing for induction}%
-Before applying induction, we typically must generalize
-the induction formula. With rule induction, the required generalization
-can be hard to find and sometimes requires a complete reformulation of the
-problem. In this example, our first attempt uses the obvious statement of
-the result. It fails:
-*}
-
-lemma "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
-apply (erule even.induct)
-oops
-(*<*)
-lemma "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
-apply (erule even.induct)
-(*>*)
-txt {*
-Rule induction finds no occurrences of @{term "Suc(Suc n)"} in the
-conclusion, which it therefore leaves unchanged. (Look at
-@{text even.induct} to see why this happens.) We have these subgoals:
-@{subgoals[display,indent=0]}
-The first one is hopeless. Rule induction on
-a non-variable term discards information, and usually fails.
-How to deal with such situations
-in general is described in {\S}\ref{sec:ind-var-in-prems} below.
-In the current case the solution is easy because
-we have the necessary inverse, subtraction:
-*}
-(*<*)oops(*>*)
-lemma even_imp_even_minus_2: "n \<in> even \<Longrightarrow> n - 2 \<in> even"
-apply (erule even.induct)
- apply auto
-done
-(*<*)
-lemma "n \<in> even \<Longrightarrow> n - 2 \<in> even"
-apply (erule even.induct)
-(*>*)
-txt {*
-This lemma is trivially inductive. Here are the subgoals:
-@{subgoals[display,indent=0]}
-The first is trivial because @{text "0 - 2"} simplifies to @{text 0}, which is
-even. The second is trivial too: @{term "Suc (Suc n) - 2"} simplifies to
-@{term n}, matching the assumption.%
-\index{rule induction|)} %the sequel isn't really about induction
-
-\medskip
-Using our lemma, we can easily prove the result we originally wanted:
-*}
-(*<*)oops(*>*)
-lemma Suc_Suc_even_imp_even: "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
-by (drule even_imp_even_minus_2, simp)
-
-text {*
-We have just proved the converse of the introduction rule @{text even.step}.
-This suggests proving the following equivalence. We give it the
-\attrdx{iff} attribute because of its obvious value for simplification.
-*}
-
-lemma [iff]: "((Suc (Suc n)) \<in> even) = (n \<in> even)"
-by (blast dest: Suc_Suc_even_imp_even)
-
-
-subsection{* Rule Inversion \label{sec:rule-inversion} *}
-
-text {*
-\index{rule inversion|(}%
-Case analysis on an inductive definition is called \textbf{rule
-inversion}. It is frequently used in proofs about operational
-semantics. It can be highly effective when it is applied
-automatically. Let us look at how rule inversion is done in
-Isabelle/HOL\@.
-
-Recall that @{term even} is the minimal set closed under these two rules:
-@{thm [display,indent=0] even.intros [no_vars]}
-Minimality means that @{term even} contains only the elements that these
-rules force it to contain. If we are told that @{term a}
-belongs to
-@{term even} then there are only two possibilities. Either @{term a} is @{text 0}
-or else @{term a} has the form @{term "Suc(Suc n)"}, for some suitable @{term n}
-that belongs to
-@{term even}. That is the gist of the @{term cases} rule, which Isabelle proves
-for us when it accepts an inductive definition:
-@{named_thms [display,indent=0,margin=40] even.cases [no_vars] (even.cases)}
-This general rule is less useful than instances of it for
-specific patterns. For example, if @{term a} has the form
-@{term "Suc(Suc n)"} then the first case becomes irrelevant, while the second
-case tells us that @{term n} belongs to @{term even}. Isabelle will generate
-this instance for us:
-*}
-
-inductive_cases Suc_Suc_cases [elim!]: "Suc(Suc n) \<in> even"
-
-text {*
-The \commdx{inductive\protect\_cases} command generates an instance of
-the @{text cases} rule for the supplied pattern and gives it the supplied name:
-@{named_thms [display,indent=0] Suc_Suc_cases [no_vars] (Suc_Suc_cases)}
-Applying this as an elimination rule yields one case where @{text even.cases}
-would yield two. Rule inversion works well when the conclusions of the
-introduction rules involve datatype constructors like @{term Suc} and @{text "#"}
-(list ``cons''); freeness reasoning discards all but one or two cases.
-
-In the \isacommand{inductive\_cases} command we supplied an
-attribute, @{text "elim!"},
-\index{elim"!@\isa {elim"!} (attribute)}%
-indicating that this elimination rule can be
-applied aggressively. The original
-@{term cases} rule would loop if used in that manner because the
-pattern~@{term a} matches everything.
-
-The rule @{text Suc_Suc_cases} is equivalent to the following implication:
-@{term [display,indent=0] "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"}
-Just above we devoted some effort to reaching precisely
-this result. Yet we could have obtained it by a one-line declaration,
-dispensing with the lemma @{text even_imp_even_minus_2}.
-This example also justifies the terminology
-\textbf{rule inversion}: the new rule inverts the introduction rule
-@{text even.step}. In general, a rule can be inverted when the set of elements
-it introduces is disjoint from those of the other introduction rules.
-
-For one-off applications of rule inversion, use the \methdx{ind_cases} method.
-Here is an example:
-*}
-
-(*<*)lemma "Suc(Suc n) \<in> even \<Longrightarrow> P"(*>*)
-apply (ind_cases "Suc(Suc n) \<in> even")
-(*<*)oops(*>*)
-
-text {*
-The specified instance of the @{text cases} rule is generated, then applied
-as an elimination rule.
-
-To summarize, every inductive definition produces a @{text cases} rule. The
-\commdx{inductive\protect\_cases} command stores an instance of the
-@{text cases} rule for a given pattern. Within a proof, the
-@{text ind_cases} method applies an instance of the @{text cases}
-rule.
-
-The even numbers example has shown how inductive definitions can be
-used. Later examples will show that they are actually worth using.%
-\index{rule inversion|)}%
-\index{even numbers!defining inductively|)}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Inductive/Mutual.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,80 +0,0 @@
-(*<*)theory Mutual imports Main begin(*>*)
-
-subsection{*Mutually Inductive Definitions*}
-
-text{*
-Just as there are datatypes defined by mutual recursion, there are sets defined
-by mutual induction. As a trivial example we consider the even and odd
-natural numbers:
-*}
-
-inductive_set
- Even :: "nat set" and
- Odd :: "nat set"
-where
- zero: "0 \<in> Even"
-| EvenI: "n \<in> Odd \<Longrightarrow> Suc n \<in> Even"
-| OddI: "n \<in> Even \<Longrightarrow> Suc n \<in> Odd"
-
-text{*\noindent
-The mutually inductive definition of multiple sets is no different from
-that of a single set, except for induction: just as for mutually recursive
-datatypes, induction needs to involve all the simultaneously defined sets. In
-the above case, the induction rule is called @{thm[source]Even_Odd.induct}
-(simply concatenate the names of the sets involved) and has the conclusion
-@{text[display]"(?x \<in> Even \<longrightarrow> ?P ?x) \<and> (?y \<in> Odd \<longrightarrow> ?Q ?y)"}
-
-If we want to prove that all even numbers are divisible by two, we have to
-generalize the statement as follows:
-*}
-
-lemma "(m \<in> Even \<longrightarrow> 2 dvd m) \<and> (n \<in> Odd \<longrightarrow> 2 dvd (Suc n))"
-
-txt{*\noindent
-The proof is by rule induction. Because of the form of the induction theorem,
-it is applied by @{text rule} rather than @{text erule} as for ordinary
-inductive definitions:
-*}
-
-apply(rule Even_Odd.induct)
-
-txt{*
-@{subgoals[display,indent=0]}
-The first two subgoals are proved by simplification and the final one can be
-proved in the same manner as in \S\ref{sec:rule-induction}
-where the same subgoal was encountered before.
-We do not show the proof script.
-*}
-(*<*)
- apply simp
- apply simp
-apply(simp add: dvd_def)
-apply(clarify)
-apply(rule_tac x = "Suc k" in exI)
-apply simp
-done
-(*>*)
-
-subsection{*Inductively Defined Predicates\label{sec:ind-predicates}*}
-
-text{*\index{inductive predicates|(}
-Instead of a set of even numbers one can also define a predicate on @{typ nat}:
-*}
-
-inductive evn :: "nat \<Rightarrow> bool" where
-zero: "evn 0" |
-step: "evn n \<Longrightarrow> evn(Suc(Suc n))"
-
-text{*\noindent Everything works as before, except that
-you write \commdx{inductive} instead of \isacommand{inductive\_set} and
-@{prop"evn n"} instead of @{prop"n : even"}.
-When defining an n-ary relation as a predicate, it is recommended to curry
-the predicate: its type should be \mbox{@{text"\<tau>\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> \<tau>\<^isub>n \<Rightarrow> bool"}}
-rather than
-@{text"\<tau>\<^isub>1 \<times> \<dots> \<times> \<tau>\<^isub>n \<Rightarrow> bool"}. The curried version facilitates inductions.
-
-When should you choose sets and when predicates? If you intend to combine your notion with set theoretic notation, define it as an inductive set. If not, define it as an inductive predicate, thus avoiding the @{text"\<in>"} notation. But note that predicates of more than one argument cannot be combined with the usual set theoretic operators: @{term"P \<union> Q"} is not well-typed if @{text"P, Q :: \<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2 \<Rightarrow> bool"}, you have to write @{term"%x y. P x y & Q x y"} instead.
-\index{inductive predicates|)}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Inductive/Star.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,176 +0,0 @@
-(*<*)theory Star imports Main begin(*>*)
-
-section{*The Reflexive Transitive Closure*}
-
-text{*\label{sec:rtc}
-\index{reflexive transitive closure!defining inductively|(}%
-An inductive definition may accept parameters, so it can express
-functions that yield sets.
-Relations too can be defined inductively, since they are just sets of pairs.
-A perfect example is the function that maps a relation to its
-reflexive transitive closure. This concept was already
-introduced in \S\ref{sec:Relations}, where the operator @{text"\<^sup>*"} was
-defined as a least fixed point because inductive definitions were not yet
-available. But now they are:
-*}
-
-inductive_set
- rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999)
- for r :: "('a \<times> 'a)set"
-where
- rtc_refl[iff]: "(x,x) \<in> r*"
-| rtc_step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
-
-text{*\noindent
-The function @{term rtc} is annotated with concrete syntax: instead of
-@{text"rtc r"} we can write @{term"r*"}. The actual definition
-consists of two rules. Reflexivity is obvious and is immediately given the
-@{text iff} attribute to increase automation. The
-second rule, @{thm[source]rtc_step}, says that we can always add one more
-@{term r}-step to the left. Although we could make @{thm[source]rtc_step} an
-introduction rule, this is dangerous: the recursion in the second premise
-slows down and may even kill the automatic tactics.
-
-The above definition of the concept of reflexive transitive closure may
-be sufficiently intuitive but it is certainly not the only possible one:
-for a start, it does not even mention transitivity.
-The rest of this section is devoted to proving that it is equivalent to
-the standard definition. We start with a simple lemma:
-*}
-
-lemma [intro]: "(x,y) \<in> r \<Longrightarrow> (x,y) \<in> r*"
-by(blast intro: rtc_step);
-
-text{*\noindent
-Although the lemma itself is an unremarkable consequence of the basic rules,
-it has the advantage that it can be declared an introduction rule without the
-danger of killing the automatic tactics because @{term"r*"} occurs only in
-the conclusion and not in the premise. Thus some proofs that would otherwise
-need @{thm[source]rtc_step} can now be found automatically. The proof also
-shows that @{text blast} is able to handle @{thm[source]rtc_step}. But
-some of the other automatic tactics are more sensitive, and even @{text
-blast} can be lead astray in the presence of large numbers of rules.
-
-To prove transitivity, we need rule induction, i.e.\ theorem
-@{thm[source]rtc.induct}:
-@{thm[display]rtc.induct}
-It says that @{text"?P"} holds for an arbitrary pair @{thm (prem 1) rtc.induct}
-if @{text"?P"} is preserved by all rules of the inductive definition,
-i.e.\ if @{text"?P"} holds for the conclusion provided it holds for the
-premises. In general, rule induction for an $n$-ary inductive relation $R$
-expects a premise of the form $(x@1,\dots,x@n) \in R$.
-
-Now we turn to the inductive proof of transitivity:
-*}
-
-lemma rtc_trans: "\<lbrakk> (x,y) \<in> r*; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
-apply(erule rtc.induct)
-
-txt{*\noindent
-Unfortunately, even the base case is a problem:
-@{subgoals[display,indent=0,goals_limit=1]}
-We have to abandon this proof attempt.
-To understand what is going on, let us look again at @{thm[source]rtc.induct}.
-In the above application of @{text erule}, the first premise of
-@{thm[source]rtc.induct} is unified with the first suitable assumption, which
-is @{term"(x,y) \<in> r*"} rather than @{term"(y,z) \<in> r*"}. Although that
-is what we want, it is merely due to the order in which the assumptions occur
-in the subgoal, which it is not good practice to rely on. As a result,
-@{text"?xb"} becomes @{term x}, @{text"?xa"} becomes
-@{term y} and @{text"?P"} becomes @{term"%u v. (u,z) : r*"}, thus
-yielding the above subgoal. So what went wrong?
-
-When looking at the instantiation of @{text"?P"} we see that it does not
-depend on its second parameter at all. The reason is that in our original
-goal, of the pair @{term"(x,y)"} only @{term x} appears also in the
-conclusion, but not @{term y}. Thus our induction statement is too
-general. Fortunately, it can easily be specialized:
-transfer the additional premise @{prop"(y,z):r*"} into the conclusion:*}
-(*<*)oops(*>*)
-lemma rtc_trans[rule_format]:
- "(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r* \<longrightarrow> (x,z) \<in> r*"
-
-txt{*\noindent
-This is not an obscure trick but a generally applicable heuristic:
-\begin{quote}\em
-When proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
-pull all other premises containing any of the $x@i$ into the conclusion
-using $\longrightarrow$.
-\end{quote}
-A similar heuristic for other kinds of inductions is formulated in
-\S\ref{sec:ind-var-in-prems}. The @{text rule_format} directive turns
-@{text"\<longrightarrow>"} back into @{text"\<Longrightarrow>"}: in the end we obtain the original
-statement of our lemma.
-*}
-
-apply(erule rtc.induct)
-
-txt{*\noindent
-Now induction produces two subgoals which are both proved automatically:
-@{subgoals[display,indent=0]}
-*}
-
- apply(blast);
-apply(blast intro: rtc_step);
-done
-
-text{*
-Let us now prove that @{term"r*"} is really the reflexive transitive closure
-of @{term r}, i.e.\ the least reflexive and transitive
-relation containing @{term r}. The latter is easily formalized
-*}
-
-inductive_set
- rtc2 :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set"
- for r :: "('a \<times> 'a)set"
-where
- "(x,y) \<in> r \<Longrightarrow> (x,y) \<in> rtc2 r"
-| "(x,x) \<in> rtc2 r"
-| "\<lbrakk> (x,y) \<in> rtc2 r; (y,z) \<in> rtc2 r \<rbrakk> \<Longrightarrow> (x,z) \<in> rtc2 r"
-
-text{*\noindent
-and the equivalence of the two definitions is easily shown by the obvious rule
-inductions:
-*}
-
-lemma "(x,y) \<in> rtc2 r \<Longrightarrow> (x,y) \<in> r*"
-apply(erule rtc2.induct);
- apply(blast);
- apply(blast);
-apply(blast intro: rtc_trans);
-done
-
-lemma "(x,y) \<in> r* \<Longrightarrow> (x,y) \<in> rtc2 r"
-apply(erule rtc.induct);
- apply(blast intro: rtc2.intros);
-apply(blast intro: rtc2.intros);
-done
-
-text{*
-So why did we start with the first definition? Because it is simpler. It
-contains only two rules, and the single step rule is simpler than
-transitivity. As a consequence, @{thm[source]rtc.induct} is simpler than
-@{thm[source]rtc2.induct}. Since inductive proofs are hard enough
-anyway, we should always pick the simplest induction schema available.
-Hence @{term rtc} is the definition of choice.
-\index{reflexive transitive closure!defining inductively|)}
-
-\begin{exercise}\label{ex:converse-rtc-step}
-Show that the converse of @{thm[source]rtc_step} also holds:
-@{prop[display]"[| (x,y) : r*; (y,z) : r |] ==> (x,z) : r*"}
-\end{exercise}
-\begin{exercise}
-Repeat the development of this section, but starting with a definition of
-@{term rtc} where @{thm[source]rtc_step} is replaced by its converse as shown
-in exercise~\ref{ex:converse-rtc-step}.
-\end{exercise}
-*}
-(*<*)
-lemma rtc_step2[rule_format]: "(x,y) : r* \<Longrightarrow> (y,z) : r --> (x,z) : r*"
-apply(erule rtc.induct);
- apply blast;
-apply(blast intro: rtc_step)
-done
-
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/AdvancedInd.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,285 +0,0 @@
-(*<*)
-theory AdvancedInd imports Main begin;
-(*>*)
-
-text{*\noindent
-Now that we have learned about rules and logic, we take another look at the
-finer points of induction. We consider two questions: what to do if the
-proposition to be proved is not directly amenable to induction
-(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
-and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
-with an extended example of induction (\S\ref{sec:CTL-revisited}).
-*};
-
-subsection{*Massaging the Proposition*};
-
-text{*\label{sec:ind-var-in-prems}
-Often we have assumed that the theorem to be proved is already in a form
-that is amenable to induction, but sometimes it isn't.
-Here is an example.
-Since @{term"hd"} and @{term"last"} return the first and last element of a
-non-empty list, this lemma looks easy to prove:
-*};
-
-lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) = last xs"
-apply(induct_tac xs)
-
-txt{*\noindent
-But induction produces the warning
-\begin{quote}\tt
-Induction variable occurs also among premises!
-\end{quote}
-and leads to the base case
-@{subgoals[display,indent=0,goals_limit=1]}
-Simplification reduces the base case to this:
-\begin{isabelle}
-\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
-\end{isabelle}
-We cannot prove this equality because we do not know what @{term hd} and
-@{term last} return when applied to @{term"[]"}.
-
-We should not have ignored the warning. Because the induction
-formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises.
-Thus the case that should have been trivial
-becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
-heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
-\begin{quote}
-\emph{Pull all occurrences of the induction variable into the conclusion
-using @{text"\<longrightarrow>"}.}
-\end{quote}
-Thus we should state the lemma as an ordinary
-implication~(@{text"\<longrightarrow>"}), letting
-\attrdx{rule_format} (\S\ref{sec:forward}) convert the
-result to the usual @{text"\<Longrightarrow>"} form:
-*};
-(*<*)oops;(*>*)
-lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs";
-(*<*)
-apply(induct_tac xs);
-(*>*)
-
-txt{*\noindent
-This time, induction leaves us with a trivial base case:
-@{subgoals[display,indent=0,goals_limit=1]}
-And @{text"auto"} completes the proof.
-
-If there are multiple premises $A@1$, \dots, $A@n$ containing the
-induction variable, you should turn the conclusion $C$ into
-\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
-Additionally, you may also have to universally quantify some other variables,
-which can yield a fairly complex conclusion. However, @{text rule_format}
-can remove any number of occurrences of @{text"\<forall>"} and
-@{text"\<longrightarrow>"}.
-
-\index{induction!on a term}%
-A second reason why your proposition may not be amenable to induction is that
-you want to induct on a complex term, rather than a variable. In
-general, induction on a term~$t$ requires rephrasing the conclusion~$C$
-as
-\begin{equation}\label{eqn:ind-over-term}
-\forall y@1 \dots y@n.~ x = t \longrightarrow C.
-\end{equation}
-where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
-Now you can perform induction on~$x$. An example appears in
-\S\ref{sec:complete-ind} below.
-
-The very same problem may occur in connection with rule induction. Remember
-that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
-some inductively defined set and the $x@i$ are variables. If instead we have
-a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
-replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
-\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
-For an example see \S\ref{sec:CTL-revisited} below.
-
-Of course, all premises that share free variables with $t$ need to be pulled into
-the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above.
-
-Readers who are puzzled by the form of statement
-(\ref{eqn:ind-over-term}) above should remember that the
-transformation is only performed to permit induction. Once induction
-has been applied, the statement can be transformed back into something quite
-intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
-$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
-little leads to the goal
-\[ \bigwedge\overline{y}.\
- \forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
- \ \Longrightarrow\ C\,\overline{y} \]
-where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
-$C$ on the free variables of $t$ has been made explicit.
-Unfortunately, this induction schema cannot be expressed as a
-single theorem because it depends on the number of free variables in $t$ ---
-the notation $\overline{y}$ is merely an informal device.
-*}
-(*<*)by auto(*>*)
-
-subsection{*Beyond Structural and Recursion Induction*};
-
-text{*\label{sec:complete-ind}
-So far, inductive proofs were by structural induction for
-primitive recursive functions and recursion induction for total recursive
-functions. But sometimes structural induction is awkward and there is no
-recursive function that could furnish a more appropriate
-induction schema. In such cases a general-purpose induction schema can
-be helpful. We show how to apply such induction schemas by an example.
-
-Structural induction on @{typ"nat"} is
-usually known as mathematical induction. There is also \textbf{complete}
-\index{induction!complete}%
-induction, where you prove $P(n)$ under the assumption that $P(m)$
-holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
-@{thm[display]"nat_less_induct"[no_vars]}
-As an application, we prove a property of the following
-function:
-*};
-
-consts f :: "nat \<Rightarrow> nat";
-axioms f_ax: "f(f(n)) < f(Suc(n))";
-
-text{*
-\begin{warn}
-We discourage the use of axioms because of the danger of
-inconsistencies. Axiom @{text f_ax} does
-not introduce an inconsistency because, for example, the identity function
-satisfies it. Axioms can be useful in exploratory developments, say when
-you assume some well-known theorems so that you can quickly demonstrate some
-point about methodology. If your example turns into a substantial proof
-development, you should replace axioms by theorems.
-\end{warn}\noindent
-The axiom for @{term"f"} implies @{prop"n <= f n"}, which can
-be proved by induction on \mbox{@{term"f n"}}. Following the recipe outlined
-above, we have to phrase the proposition as follows to allow induction:
-*};
-
-lemma f_incr_lem: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
-
-txt{*\noindent
-To perform induction on @{term k} using @{thm[source]nat_less_induct}, we use
-the same general induction method as for recursion induction (see
-\S\ref{sec:fun-induction}):
-*};
-
-apply(induct_tac k rule: nat_less_induct);
-
-txt{*\noindent
-We get the following proof state:
-@{subgoals[display,indent=0,margin=65]}
-After stripping the @{text"\<forall>i"}, the proof continues with a case
-distinction on @{term"i"}. The case @{prop"i = (0::nat)"} is trivial and we focus on
-the other case:
-*}
-
-apply(rule allI)
-apply(case_tac i)
- apply(simp)
-txt{*
-@{subgoals[display,indent=0]}
-*}
-by(blast intro!: f_ax Suc_leI intro: le_less_trans)
-
-text{*\noindent
-If you find the last step puzzling, here are the two lemmas it employs:
-\begin{isabelle}
-@{thm Suc_leI[no_vars]}
-\rulename{Suc_leI}\isanewline
-@{thm le_less_trans[no_vars]}
-\rulename{le_less_trans}
-\end{isabelle}
-%
-The proof goes like this (writing @{term"j"} instead of @{typ"nat"}).
-Since @{prop"i = Suc j"} it suffices to show
-\hbox{@{prop"j < f(Suc j)"}},
-by @{thm[source]Suc_leI}\@. This is
-proved as follows. From @{thm[source]f_ax} we have @{prop"f (f j) < f (Suc j)"}
-(1) which implies @{prop"f j <= f (f j)"} by the induction hypothesis.
-Using (1) once more we obtain @{prop"f j < f(Suc j)"} (2) by the transitivity
-rule @{thm[source]le_less_trans}.
-Using the induction hypothesis once more we obtain @{prop"j <= f j"}
-which, together with (2) yields @{prop"j < f (Suc j)"} (again by
-@{thm[source]le_less_trans}).
-
-This last step shows both the power and the danger of automatic proofs. They
-will usually not tell you how the proof goes, because it can be hard to
-translate the internal proof into a human-readable format. Automatic
-proofs are easy to write but hard to read and understand.
-
-The desired result, @{prop"i <= f i"}, follows from @{thm[source]f_incr_lem}:
-*};
-
-lemmas f_incr = f_incr_lem[rule_format, OF refl];
-
-text{*\noindent
-The final @{thm[source]refl} gets rid of the premise @{text"?k = f ?i"}.
-We could have included this derivation in the original statement of the lemma:
-*};
-
-lemma f_incr[rule_format, OF refl]: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
-(*<*)oops;(*>*)
-
-text{*
-\begin{exercise}
-From the axiom and lemma for @{term"f"}, show that @{term"f"} is the
-identity function.
-\end{exercise}
-
-Method \methdx{induct_tac} can be applied with any rule $r$
-whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
-format is
-\begin{quote}
-\isacommand{apply}@{text"(induct_tac"} $y@1 \dots y@n$ @{text"rule:"} $r$@{text")"}
-\end{quote}
-where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
-
-A further useful induction rule is @{thm[source]length_induct},
-induction on the length of a list\indexbold{*length_induct}
-@{thm[display]length_induct[no_vars]}
-which is a special case of @{thm[source]measure_induct}
-@{thm[display]measure_induct[no_vars]}
-where @{term f} may be any function into type @{typ nat}.
-*}
-
-subsection{*Derivation of New Induction Schemas*};
-
-text{*\label{sec:derive-ind}
-\index{induction!deriving new schemas}%
-Induction schemas are ordinary theorems and you can derive new ones
-whenever you wish. This section shows you how, using the example
-of @{thm[source]nat_less_induct}. Assume we only have structural induction
-available for @{typ"nat"} and want to derive complete induction. We
-must generalize the statement as shown:
-*};
-
-lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m";
-apply(induct_tac n);
-
-txt{*\noindent
-The base case is vacuously true. For the induction step (@{prop"m <
-Suc n"}) we distinguish two cases: case @{prop"m < n"} is true by induction
-hypothesis and case @{prop"m = n"} follows from the assumption, again using
-the induction hypothesis:
-*};
- apply(blast);
-by(blast elim: less_SucE)
-
-text{*\noindent
-The elimination rule @{thm[source]less_SucE} expresses the case distinction:
-@{thm[display]"less_SucE"[no_vars]}
-
-Now it is straightforward to derive the original version of
-@{thm[source]nat_less_induct} by manipulating the conclusion of the above
-lemma: instantiate @{term"n"} by @{term"Suc n"} and @{term"m"} by @{term"n"}
-and remove the trivial condition @{prop"n < Suc n"}. Fortunately, this
-happens automatically when we add the lemma as a new premise to the
-desired goal:
-*};
-
-theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n";
-by(insert induct_lem, blast);
-
-text{*
-HOL already provides the mother of
-all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
-example theorem @{thm[source]nat_less_induct} is
-a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on
-@{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}.
-*}
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Misc/Itrev.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,146 +0,0 @@
-(*<*)
-theory Itrev
-imports Main
-begin
-declare [[names_unique = false]]
-(*>*)
-
-section{*Induction Heuristics*}
-
-text{*\label{sec:InductionHeuristics}
-\index{induction heuristics|(}%
-The purpose of this section is to illustrate some simple heuristics for
-inductive proofs. The first one we have already mentioned in our initial
-example:
-\begin{quote}
-\emph{Theorems about recursive functions are proved by induction.}
-\end{quote}
-In case the function has more than one argument
-\begin{quote}
-\emph{Do induction on argument number $i$ if the function is defined by
-recursion in argument number $i$.}
-\end{quote}
-When we look at the proof of @{text"(xs@ys) @ zs = xs @ (ys@zs)"}
-in \S\ref{sec:intro-proof} we find
-\begin{itemize}
-\item @{text"@"} is recursive in
-the first argument
-\item @{term xs} occurs only as the first argument of
-@{text"@"}
-\item both @{term ys} and @{term zs} occur at least once as
-the second argument of @{text"@"}
-\end{itemize}
-Hence it is natural to perform induction on~@{term xs}.
-
-The key heuristic, and the main point of this section, is to
-\emph{generalize the goal before induction}.
-The reason is simple: if the goal is
-too specific, the induction hypothesis is too weak to allow the induction
-step to go through. Let us illustrate the idea with an example.
-
-Function \cdx{rev} has quadratic worst-case running time
-because it calls function @{text"@"} for each element of the list and
-@{text"@"} is linear in its first argument. A linear time version of
-@{term"rev"} reqires an extra argument where the result is accumulated
-gradually, using only~@{text"#"}:
-*}
-
-primrec itrev :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
-"itrev [] ys = ys" |
-"itrev (x#xs) ys = itrev xs (x#ys)"
-
-text{*\noindent
-The behaviour of \cdx{itrev} is simple: it reverses
-its first argument by stacking its elements onto the second argument,
-and returning that second argument when the first one becomes
-empty. Note that @{term"itrev"} is tail-recursive: it can be
-compiled into a loop.
-
-Naturally, we would like to show that @{term"itrev"} does indeed reverse
-its first argument provided the second one is empty:
-*};
-
-lemma "itrev xs [] = rev xs";
-
-txt{*\noindent
-There is no choice as to the induction variable, and we immediately simplify:
-*};
-
-apply(induct_tac xs, simp_all);
-
-txt{*\noindent
-Unfortunately, this attempt does not prove
-the induction step:
-@{subgoals[display,indent=0,margin=70]}
-The induction hypothesis is too weak. The fixed
-argument,~@{term"[]"}, prevents it from rewriting the conclusion.
-This example suggests a heuristic:
-\begin{quote}\index{generalizing induction formulae}%
-\emph{Generalize goals for induction by replacing constants by variables.}
-\end{quote}
-Of course one cannot do this na\"{\i}vely: @{term"itrev xs ys = rev xs"} is
-just not true. The correct generalization is
-*};
-(*<*)oops;(*>*)
-lemma "itrev xs ys = rev xs @ ys";
-(*<*)apply(induct_tac xs, simp_all)(*>*)
-txt{*\noindent
-If @{term"ys"} is replaced by @{term"[]"}, the right-hand side simplifies to
-@{term"rev xs"}, as required.
-
-In this instance it was easy to guess the right generalization.
-Other situations can require a good deal of creativity.
-
-Although we now have two variables, only @{term"xs"} is suitable for
-induction, and we repeat our proof attempt. Unfortunately, we are still
-not there:
-@{subgoals[display,indent=0,goals_limit=1]}
-The induction hypothesis is still too weak, but this time it takes no
-intuition to generalize: the problem is that @{term"ys"} is fixed throughout
-the subgoal, but the induction hypothesis needs to be applied with
-@{term"a # ys"} instead of @{term"ys"}. Hence we prove the theorem
-for all @{term"ys"} instead of a fixed one:
-*};
-(*<*)oops;(*>*)
-lemma "\<forall>ys. itrev xs ys = rev xs @ ys";
-(*<*)
-by(induct_tac xs, simp_all);
-(*>*)
-
-text{*\noindent
-This time induction on @{term"xs"} followed by simplification succeeds. This
-leads to another heuristic for generalization:
-\begin{quote}
-\emph{Generalize goals for induction by universally quantifying all free
-variables {\em(except the induction variable itself!)}.}
-\end{quote}
-This prevents trivial failures like the one above and does not affect the
-validity of the goal. However, this heuristic should not be applied blindly.
-It is not always required, and the additional quantifiers can complicate
-matters in some cases. The variables that should be quantified are typically
-those that change in recursive calls.
-
-A final point worth mentioning is the orientation of the equation we just
-proved: the more complex notion (@{const itrev}) is on the left-hand
-side, the simpler one (@{term rev}) on the right-hand side. This constitutes
-another, albeit weak heuristic that is not restricted to induction:
-\begin{quote}
- \emph{The right-hand side of an equation should (in some sense) be simpler
- than the left-hand side.}
-\end{quote}
-This heuristic is tricky to apply because it is not obvious that
-@{term"rev xs @ ys"} is simpler than @{term"itrev xs ys"}. But see what
-happens if you try to prove @{prop"rev xs @ ys = itrev xs ys"}!
-
-If you have tried these heuristics and still find your
-induction does not go through, and no obvious lemma suggests itself, you may
-need to generalize your proposition even further. This requires insight into
-the problem at hand and is beyond simple rules of thumb.
-Additionally, you can read \S\ref{sec:advanced-ind}
-to learn about some advanced techniques for inductive proofs.%
-\index{induction heuristics|)}
-*}
-(*<*)
-declare [[names_unique = true]]
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/Option2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-(*<*)
-theory Option2 imports Main begin
-hide_const None Some
-hide_type option
-(*>*)
-
-text{*\indexbold{*option (type)}\indexbold{*None (constant)}%
-\indexbold{*Some (constant)}
-Our final datatype is very simple but still eminently useful:
-*}
-
-datatype 'a option = None | Some 'a;
-
-text{*\noindent
-Frequently one needs to add a distinguished element to some existing type.
-For example, type @{text"t option"} can model the result of a computation that
-may either terminate with an error (represented by @{const None}) or return
-some value @{term v} (represented by @{term"Some v"}).
-Similarly, @{typ nat} extended with $\infty$ can be modeled by type
-@{typ"nat option"}. In both cases one could define a new datatype with
-customized constructors like @{term Error} and @{term Infinity},
-but it is often simpler to use @{text option}. For an application see
-\S\ref{sec:Trie}.
-*}
-(*<*)
-(*
-definition infplus :: "nat option \<Rightarrow> nat option \<Rightarrow> nat option" where
-"infplus x y \<equiv> case x of None \<Rightarrow> None
- | Some m \<Rightarrow> (case y of None \<Rightarrow> None | Some n \<Rightarrow> Some(m+n))"
-
-*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/Plus.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,22 +0,0 @@
-(*<*)
-theory Plus imports Main begin
-(*>*)
-
-text{*\noindent Define the following addition function *}
-
-primrec add :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
-"add m 0 = m" |
-"add m (Suc n) = add (Suc m) n"
-
-text{*\noindent and prove*}
-(*<*)
-lemma [simp]: "!m. add m n = m+n"
-apply(induct_tac n)
-by(auto)
-(*>*)
-lemma "add m n = m+n"
-(*<*)
-by(simp)
-
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/Tree.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,41 +0,0 @@
-(*<*)
-theory Tree imports Main begin
-(*>*)
-
-text{*\noindent
-Define the datatype of \rmindex{binary trees}:
-*}
-
-datatype 'a tree = Tip | Node "'a tree" 'a "'a tree";(*<*)
-
-primrec mirror :: "'a tree \<Rightarrow> 'a tree" where
-"mirror Tip = Tip" |
-"mirror (Node l x r) = Node (mirror r) x (mirror l)";(*>*)
-
-text{*\noindent
-Define a function @{term"mirror"} that mirrors a binary tree
-by swapping subtrees recursively. Prove
-*}
-
-lemma mirror_mirror: "mirror(mirror t) = t";
-(*<*)
-apply(induct_tac t);
-by(auto);
-
-primrec flatten :: "'a tree => 'a list" where
-"flatten Tip = []" |
-"flatten (Node l x r) = flatten l @ [x] @ flatten r";
-(*>*)
-
-text{*\noindent
-Define a function @{term"flatten"} that flattens a tree into a list
-by traversing it in infix order. Prove
-*}
-
-lemma "flatten(mirror t) = rev(flatten t)";
-(*<*)
-apply(induct_tac t);
-by(auto);
-
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/Tree2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-(*<*)
-theory Tree2 imports Tree begin
-(*>*)
-
-text{*\noindent In Exercise~\ref{ex:Tree} we defined a function
-@{term"flatten"} from trees to lists. The straightforward version of
-@{term"flatten"} is based on @{text"@"} and is thus, like @{term"rev"},
-quadratic. A linear time version of @{term"flatten"} again reqires an extra
-argument, the accumulator. Define *}
-(*<*)primrec(*>*)flatten2 :: "'a tree \<Rightarrow> 'a list \<Rightarrow> 'a list"(*<*)where
-"flatten2 Tip xs = xs" |
-"flatten2 (Node l x r) xs = flatten2 l (x#(flatten2 r xs))"
-(*>*)
-
-text{*\noindent and prove*}
-(*<*)
-lemma [simp]: "!xs. flatten2 t xs = flatten t @ xs"
-apply(induct_tac t)
-by(auto);
-(*>*)
-lemma "flatten2 t [] = flatten t"
-(*<*)
-by(simp)
-
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/appendix.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,33 +0,0 @@
-(*<*)theory appendix
-imports Main
-begin(*>*)
-
-text{*
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{lll}
-Constant & Type & Syntax \\
-\hline
-@{term [source] 0} & @{typeof [show_sorts] "0"} \\
-@{term [source] 1} & @{typeof [show_sorts] "1"} \\
-@{term [source] plus} & @{typeof [show_sorts] "plus"} & (infixl $+$ 65) \\
-@{term [source] minus} & @{typeof [show_sorts] "minus"} & (infixl $-$ 65) \\
-@{term [source] uminus} & @{typeof [show_sorts] "uminus"} & $- x$ \\
-@{term [source] times} & @{typeof [show_sorts] "times"} & (infixl $*$ 70) \\
-@{term [source] divide} & @{typeof [show_sorts] "divide"} & (infixl $/$ 70) \\
-@{term [source] Divides.div} & @{typeof [show_sorts] "Divides.div"} & (infixl $div$ 70) \\
-@{term [source] Divides.mod} & @{typeof [show_sorts] "Divides.mod"} & (infixl $mod$ 70) \\
-@{term [source] abs} & @{typeof [show_sorts] "abs"} & ${\mid} x {\mid}$ \\
-@{term [source] sgn} & @{typeof [show_sorts] "sgn"} \\
-@{term [source] less_eq} & @{typeof [show_sorts] "less_eq"} & (infixl $\le$ 50) \\
-@{term [source] less} & @{typeof [show_sorts] "less"} & (infixl $<$ 50) \\
-@{term [source] top} & @{typeof [show_sorts] "top"} \\
-@{term [source] bot} & @{typeof [show_sorts] "bot"}
-\end{tabular}
-\caption{Important Overloaded Constants in Main}
-\label{tab:overloading}
-\end{center}
-\end{table}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Misc/case_exprs.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,88 +0,0 @@
-(*<*)
-theory case_exprs imports Main begin
-(*>*)
-
-text{*
-\subsection{Case Expressions}
-\label{sec:case-expressions}\index{*case expressions}%
-HOL also features \isa{case}-expressions for analyzing
-elements of a datatype. For example,
-@{term[display]"case xs of [] => [] | y#ys => y"}
-evaluates to @{term"[]"} if @{term"xs"} is @{term"[]"} and to @{term"y"} if
-@{term"xs"} is @{term"y#ys"}. (Since the result in both branches must be of
-the same type, it follows that @{term y} is of type @{typ"'a list"} and hence
-that @{term xs} is of type @{typ"'a list list"}.)
-
-In general, case expressions are of the form
-\[
-\begin{array}{c}
-@{text"case"}~e~@{text"of"}\ pattern@1~@{text"\<Rightarrow>"}~e@1\ @{text"|"}\ \dots\
- @{text"|"}~pattern@m~@{text"\<Rightarrow>"}~e@m
-\end{array}
-\]
-Like in functional programming, patterns are expressions consisting of
-datatype constructors (e.g. @{term"[]"} and @{text"#"})
-and variables, including the wildcard ``\verb$_$''.
-Not all cases need to be covered and the order of cases matters.
-However, one is well-advised not to wallow in complex patterns because
-complex case distinctions tend to induce complex proofs.
-
-\begin{warn}
-Internally Isabelle only knows about exhaustive case expressions with
-non-nested patterns: $pattern@i$ must be of the form
-$C@i~x@ {i1}~\dots~x@ {ik@i}$ and $C@1, \dots, C@m$ must be exactly the
-constructors of the type of $e$.
-%
-More complex case expressions are automatically
-translated into the simpler form upon parsing but are not translated
-back for printing. This may lead to surprising output.
-\end{warn}
-
-\begin{warn}
-Like @{text"if"}, @{text"case"}-expressions may need to be enclosed in
-parentheses to indicate their scope.
-\end{warn}
-
-\subsection{Structural Induction and Case Distinction}
-\label{sec:struct-ind-case}
-\index{case distinctions}\index{induction!structural}%
-Induction is invoked by \methdx{induct_tac}, as we have seen above;
-it works for any datatype. In some cases, induction is overkill and a case
-distinction over all constructors of the datatype suffices. This is performed
-by \methdx{case_tac}. Here is a trivial example:
-*}
-
-lemma "(case xs of [] \<Rightarrow> [] | y#ys \<Rightarrow> xs) = xs";
-apply(case_tac xs);
-
-txt{*\noindent
-results in the proof state
-@{subgoals[display,indent=0,margin=65]}
-which is solved automatically:
-*}
-
-apply(auto)
-(*<*)done(*>*)
-text{*
-Note that we do not need to give a lemma a name if we do not intend to refer
-to it explicitly in the future.
-Other basic laws about a datatype are applied automatically during
-simplification, so no special methods are provided for them.
-
-\begin{warn}
- Induction is only allowed on free (or \isasymAnd-bound) variables that
- should not occur among the assumptions of the subgoal; see
- \S\ref{sec:ind-var-in-prems} for details. Case distinction
- (@{text"case_tac"}) works for arbitrary terms, which need to be
- quoted if they are non-atomic. However, apart from @{text"\<And>"}-bound
- variables, the terms must not contain variables that are bound outside.
- For example, given the goal @{prop"\<forall>xs. xs = [] \<or> (\<exists>y ys. xs = y#ys)"},
- @{text"case_tac xs"} will not work as expected because Isabelle interprets
- the @{term xs} as a new free variable distinct from the bound
- @{term xs} in the goal.
-\end{warn}
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/fakenat.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,13 +0,0 @@
-(*<*)
-theory fakenat imports Main begin;
-(*>*)
-
-text{*\noindent
-The type \tydx{nat} of natural
-numbers is predefined to have the constructors \cdx{0} and~\cdx{Suc}. It behaves as if it were declared like this:
-*}
-
-datatype nat = 0 | Suc nat
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/natsum.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,129 +0,0 @@
-(*<*)
-theory natsum imports Main begin
-(*>*)
-text{*\noindent
-In particular, there are @{text"case"}-expressions, for example
-@{term[display]"case n of 0 => 0 | Suc m => m"}
-primitive recursion, for example
-*}
-
-primrec sum :: "nat \<Rightarrow> nat" where
-"sum 0 = 0" |
-"sum (Suc n) = Suc n + sum n"
-
-text{*\noindent
-and induction, for example
-*}
-
-lemma "sum n + sum n = n*(Suc n)"
-apply(induct_tac n)
-apply(auto)
-done
-
-text{*\newcommand{\mystar}{*%
-}
-\index{arithmetic operations!for \protect\isa{nat}}%
-The arithmetic operations \isadxboldpos{+}{$HOL2arithfun},
-\isadxboldpos{-}{$HOL2arithfun}, \isadxboldpos{\mystar}{$HOL2arithfun},
-\sdx{div}, \sdx{mod}, \cdx{min} and
-\cdx{max} are predefined, as are the relations
-\isadxboldpos{\isasymle}{$HOL2arithrel} and
-\isadxboldpos{<}{$HOL2arithrel}. As usual, @{prop"m-n = (0::nat)"} if
-@{prop"m<n"}. There is even a least number operation
-\sdx{LEAST}\@. For example, @{prop"(LEAST n. 0 < n) = Suc 0"}.
-\begin{warn}\index{overloading}
- The constants \cdx{0} and \cdx{1} and the operations
- \isadxboldpos{+}{$HOL2arithfun}, \isadxboldpos{-}{$HOL2arithfun},
- \isadxboldpos{\mystar}{$HOL2arithfun}, \cdx{min},
- \cdx{max}, \isadxboldpos{\isasymle}{$HOL2arithrel} and
- \isadxboldpos{<}{$HOL2arithrel} are overloaded: they are available
- not just for natural numbers but for other types as well.
- For example, given the goal @{text"x + 0 = x"}, there is nothing to indicate
- that you are talking about natural numbers. Hence Isabelle can only infer
- that @{term x} is of some arbitrary type where @{text 0} and @{text"+"} are
- declared. As a consequence, you will be unable to prove the
- goal. To alert you to such pitfalls, Isabelle flags numerals without a
- fixed type in its output: @{prop"x+0 = x"}. (In the absence of a numeral,
- it may take you some time to realize what has happened if \pgmenu{Show
- Types} is not set). In this particular example, you need to include
- an explicit type constraint, for example @{text"x+0 = (x::nat)"}. If there
- is enough contextual information this may not be necessary: @{prop"Suc x =
- x"} automatically implies @{text"x::nat"} because @{term Suc} is not
- overloaded.
-
- For details on overloading see \S\ref{sec:overloading}.
- Table~\ref{tab:overloading} in the appendix shows the most important
- overloaded operations.
-\end{warn}
-\begin{warn}
- The symbols \isadxboldpos{>}{$HOL2arithrel} and
- \isadxboldpos{\isasymge}{$HOL2arithrel} are merely syntax: @{text"x > y"}
- stands for @{prop"y < x"} and similary for @{text"\<ge>"} and
- @{text"\<le>"}.
-\end{warn}
-\begin{warn}
- Constant @{text"1::nat"} is defined to equal @{term"Suc 0"}. This definition
- (see \S\ref{sec:ConstDefinitions}) is unfolded automatically by some
- tactics (like @{text auto}, @{text simp} and @{text arith}) but not by
- others (especially the single step tactics in Chapter~\ref{chap:rules}).
- If you need the full set of numerals, see~\S\ref{sec:numerals}.
- \emph{Novices are advised to stick to @{term"0::nat"} and @{term Suc}.}
-\end{warn}
-
-Both @{text auto} and @{text simp}
-(a method introduced below, \S\ref{sec:Simplification}) prove
-simple arithmetic goals automatically:
-*}
-
-lemma "\<lbrakk> \<not> m < n; m < n + (1::nat) \<rbrakk> \<Longrightarrow> m = n"
-(*<*)by(auto)(*>*)
-
-text{*\noindent
-For efficiency's sake, this built-in prover ignores quantified formulae,
-many logical connectives, and all arithmetic operations apart from addition.
-In consequence, @{text auto} and @{text simp} cannot prove this slightly more complex goal:
-*}
-
-lemma "m \<noteq> (n::nat) \<Longrightarrow> m < n \<or> n < m"
-(*<*)by(arith)(*>*)
-
-text{*\noindent The method \methdx{arith} is more general. It attempts to
-prove the first subgoal provided it is a \textbf{linear arithmetic} formula.
-Such formulas may involve the usual logical connectives (@{text"\<not>"},
-@{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"}, @{text"="},
-@{text"\<forall>"}, @{text"\<exists>"}), the relations @{text"="},
-@{text"\<le>"} and @{text"<"}, and the operations @{text"+"}, @{text"-"},
-@{term min} and @{term max}. For example, *}
-
-lemma "min i (max j (k*k)) = max (min (k*k) i) (min i (j::nat))"
-apply(arith)
-(*<*)done(*>*)
-
-text{*\noindent
-succeeds because @{term"k*k"} can be treated as atomic. In contrast,
-*}
-
-lemma "n*n = n+1 \<Longrightarrow> n=0"
-(*<*)oops(*>*)
-
-text{*\noindent
-is not proved by @{text arith} because the proof relies
-on properties of multiplication. Only multiplication by numerals (which is
-the same as iterated addition) is taken into account.
-
-\begin{warn} The running time of @{text arith} is exponential in the number
- of occurrences of \ttindexboldpos{-}{$HOL2arithfun}, \cdx{min} and
- \cdx{max} because they are first eliminated by case distinctions.
-
-If @{text k} is a numeral, \sdx{div}~@{text k}, \sdx{mod}~@{text k} and
-@{text k}~\sdx{dvd} are also supported, where the former two are eliminated
-by case distinctions, again blowing up the running time.
-
-If the formula involves quantifiers, @{text arith} may take
-super-exponential time and space.
-\end{warn}
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/pairs2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,35 +0,0 @@
-(*<*)
-theory pairs2 imports Main begin;
-(*>*)
-text{*\label{sec:pairs}\index{pairs and tuples}
-HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
-\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
-$\tau@i$. The functions \cdx{fst} and
-\cdx{snd} extract the components of a pair:
- \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
-are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
-for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
-$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
-\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
-
-Remarks:
-\begin{itemize}
-\item
-There is also the type \tydx{unit}, which contains exactly one
-element denoted by~\cdx{()}. This type can be viewed
-as a degenerate product with 0 components.
-\item
-Products, like type @{typ nat}, are datatypes, which means
-in particular that @{text induct_tac} and @{text case_tac} are applicable to
-terms of product type.
-Both split the term into a number of variables corresponding to the tuple structure
-(up to 7 components).
-\item
-Tuples with more than two or three components become unwieldy;
-records are preferable.
-\end{itemize}
-For more information on pairs and records see Chapter~\ref{ch:more-types}.
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/prime_def.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,20 +0,0 @@
-(*<*)
-theory prime_def imports Main begin;
-consts prime :: "nat \<Rightarrow> bool"
-(*>*)
-text{*
-\begin{warn}
-A common mistake when writing definitions is to introduce extra free
-variables on the right-hand side. Consider the following, flawed definition
-(where @{text"dvd"} means ``divides''):
-@{term[display,quotes]"prime(p) == 1 < p & (m dvd p --> (m=1 | m=p))"}
-\par\noindent\hangindent=0pt
-Isabelle rejects this ``definition'' because of the extra @{term"m"} on the
-right-hand side, which would introduce an inconsistency (why?).
-The correct version is
-@{term[display,quotes]"prime(p) == 1 < p & (!m. m dvd p --> (m=1 | m=p))"}
-\end{warn}
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/simp.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,518 +0,0 @@
-(*<*)
-theory simp imports Main begin
-(*>*)
-
-subsection{*Simplification Rules*}
-
-text{*\index{simplification rules}
-To facilitate simplification,
-the attribute @{text"[simp]"}\index{*simp (attribute)}
-declares theorems to be simplification rules, which the simplifier
-will use automatically. In addition, \isacommand{datatype} and
-\isacommand{primrec} declarations (and a few others)
-implicitly declare some simplification rules.
-Explicit definitions are \emph{not} declared as
-simplification rules automatically!
-
-Nearly any theorem can become a simplification
-rule. The simplifier will try to transform it into an equation.
-For example, the theorem
-@{prop"~P"} is turned into @{prop"P = False"}. The details
-are explained in \S\ref{sec:SimpHow}.
-
-The simplification attribute of theorems can be turned on and off:%
-\index{*simp del (attribute)}
-\begin{quote}
-\isacommand{declare} \textit{theorem-name}@{text"[simp]"}\\
-\isacommand{declare} \textit{theorem-name}@{text"[simp del]"}
-\end{quote}
-Only equations that really simplify, like \isa{rev\
-{\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs} and
-\isa{xs\ {\isacharat}\ {\isacharbrackleft}{\isacharbrackright}\
-{\isacharequal}\ xs}, should be declared as default simplification rules.
-More specific ones should only be used selectively and should
-not be made default. Distributivity laws, for example, alter
-the structure of terms and can produce an exponential blow-up instead of
-simplification. A default simplification rule may
-need to be disabled in certain proofs. Frequent changes in the simplification
-status of a theorem may indicate an unwise use of defaults.
-\begin{warn}
- Simplification can run forever, for example if both $f(x) = g(x)$ and
- $g(x) = f(x)$ are simplification rules. It is the user's responsibility not
- to include simplification rules that can lead to nontermination, either on
- their own or in combination with other simplification rules.
-\end{warn}
-\begin{warn}
- It is inadvisable to toggle the simplification attribute of a
- theorem from a parent theory $A$ in a child theory $B$ for good.
- The reason is that if some theory $C$ is based both on $B$ and (via a
- different path) on $A$, it is not defined what the simplification attribute
- of that theorem will be in $C$: it could be either.
-\end{warn}
-*}
-
-subsection{*The {\tt\slshape simp} Method*}
-
-text{*\index{*simp (method)|bold}
-The general format of the simplification method is
-\begin{quote}
-@{text simp} \textit{list of modifiers}
-\end{quote}
-where the list of \emph{modifiers} fine tunes the behaviour and may
-be empty. Specific modifiers are discussed below. Most if not all of the
-proofs seen so far could have been performed
-with @{text simp} instead of \isa{auto}, except that @{text simp} attacks
-only the first subgoal and may thus need to be repeated --- use
-\methdx{simp_all} to simplify all subgoals.
-If nothing changes, @{text simp} fails.
-*}
-
-subsection{*Adding and Deleting Simplification Rules*}
-
-text{*
-\index{simplification rules!adding and deleting}%
-If a certain theorem is merely needed in a few proofs by simplification,
-we do not need to make it a global simplification rule. Instead we can modify
-the set of simplification rules used in a simplification step by adding rules
-to it and/or deleting rules from it. The two modifiers for this are
-\begin{quote}
-@{text"add:"} \textit{list of theorem names}\index{*add (modifier)}\\
-@{text"del:"} \textit{list of theorem names}\index{*del (modifier)}
-\end{quote}
-Or you can use a specific list of theorems and omit all others:
-\begin{quote}
-@{text"only:"} \textit{list of theorem names}\index{*only (modifier)}
-\end{quote}
-In this example, we invoke the simplifier, adding two distributive
-laws:
-\begin{quote}
-\isacommand{apply}@{text"(simp add: mod_mult_distrib add_mult_distrib)"}
-\end{quote}
-*}
-
-subsection{*Assumptions*}
-
-text{*\index{simplification!with/of assumptions}
-By default, assumptions are part of the simplification process: they are used
-as simplification rules and are simplified themselves. For example:
-*}
-
-lemma "\<lbrakk> xs @ zs = ys @ xs; [] @ xs = [] @ [] \<rbrakk> \<Longrightarrow> ys = zs"
-apply simp
-done
-
-text{*\noindent
-The second assumption simplifies to @{term"xs = []"}, which in turn
-simplifies the first assumption to @{term"zs = ys"}, thus reducing the
-conclusion to @{term"ys = ys"} and hence to @{term"True"}.
-
-In some cases, using the assumptions can lead to nontermination:
-*}
-
-lemma "\<forall>x. f x = g (f (g x)) \<Longrightarrow> f [] = f [] @ []"
-
-txt{*\noindent
-An unmodified application of @{text"simp"} loops. The culprit is the
-simplification rule @{term"f x = g (f (g x))"}, which is extracted from
-the assumption. (Isabelle notices certain simple forms of
-nontermination but not this one.) The problem can be circumvented by
-telling the simplifier to ignore the assumptions:
-*}
-
-apply(simp (no_asm))
-done
-
-text{*\noindent
-Three modifiers influence the treatment of assumptions:
-\begin{description}
-\item[@{text"(no_asm)"}]\index{*no_asm (modifier)}
- means that assumptions are completely ignored.
-\item[@{text"(no_asm_simp)"}]\index{*no_asm_simp (modifier)}
- means that the assumptions are not simplified but
- are used in the simplification of the conclusion.
-\item[@{text"(no_asm_use)"}]\index{*no_asm_use (modifier)}
- means that the assumptions are simplified but are not
- used in the simplification of each other or the conclusion.
-\end{description}
-Only one of the modifiers is allowed, and it must precede all
-other modifiers.
-%\begin{warn}
-%Assumptions are simplified in a left-to-right fashion. If an
-%assumption can help in simplifying one to the left of it, this may get
-%overlooked. In such cases you have to rotate the assumptions explicitly:
-%\isacommand{apply}@ {text"("}\methdx{rotate_tac}~$n$@ {text")"}
-%causes a cyclic shift by $n$ positions from right to left, if $n$ is
-%positive, and from left to right, if $n$ is negative.
-%Beware that such rotations make proofs quite brittle.
-%\end{warn}
-*}
-
-subsection{*Rewriting with Definitions*}
-
-text{*\label{sec:Simp-with-Defs}\index{simplification!with definitions}
-Constant definitions (\S\ref{sec:ConstDefinitions}) can be used as
-simplification rules, but by default they are not: the simplifier does not
-expand them automatically. Definitions are intended for introducing abstract
-concepts and not merely as abbreviations. Of course, we need to expand
-the definition initially, but once we have proved enough abstract properties
-of the new constant, we can forget its original definition. This style makes
-proofs more robust: if the definition has to be changed,
-only the proofs of the abstract properties will be affected.
-
-For example, given *}
-
-definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" where
-"xor A B \<equiv> (A \<and> \<not>B) \<or> (\<not>A \<and> B)"
-
-text{*\noindent
-we may want to prove
-*}
-
-lemma "xor A (\<not>A)"
-
-txt{*\noindent
-Typically, we begin by unfolding some definitions:
-\indexbold{definitions!unfolding}
-*}
-
-apply(simp only: xor_def)
-
-txt{*\noindent
-In this particular case, the resulting goal
-@{subgoals[display,indent=0]}
-can be proved by simplification. Thus we could have proved the lemma outright by
-*}(*<*)oops lemma "xor A (\<not>A)"(*>*)
-apply(simp add: xor_def)
-(*<*)done(*>*)
-text{*\noindent
-Of course we can also unfold definitions in the middle of a proof.
-
-\begin{warn}
- If you have defined $f\,x\,y~\isasymequiv~t$ then you can only unfold
- occurrences of $f$ with at least two arguments. This may be helpful for unfolding
- $f$ selectively, but it may also get in the way. Defining
- $f$~\isasymequiv~\isasymlambda$x\,y.\;t$ allows to unfold all occurrences of $f$.
-\end{warn}
-
-There is also the special method \isa{unfold}\index{*unfold (method)|bold}
-which merely unfolds
-one or several definitions, as in \isacommand{apply}\isa{(unfold xor_def)}.
-This is can be useful in situations where \isa{simp} does too much.
-Warning: \isa{unfold} acts on all subgoals!
-*}
-
-subsection{*Simplifying {\tt\slshape let}-Expressions*}
-
-text{*\index{simplification!of \isa{let}-expressions}\index{*let expressions}%
-Proving a goal containing \isa{let}-expressions almost invariably requires the
-@{text"let"}-con\-structs to be expanded at some point. Since
-@{text"let"}\ldots\isa{=}\ldots@{text"in"}{\ldots} is just syntactic sugar for
-the predefined constant @{term"Let"}, expanding @{text"let"}-constructs
-means rewriting with \tdx{Let_def}: *}
-
-lemma "(let xs = [] in xs@ys@xs) = ys"
-apply(simp add: Let_def)
-done
-
-text{*
-If, in a particular context, there is no danger of a combinatorial explosion
-of nested @{text"let"}s, you could even simplify with @{thm[source]Let_def} by
-default:
-*}
-declare Let_def [simp]
-
-subsection{*Conditional Simplification Rules*}
-
-text{*
-\index{conditional simplification rules}%
-So far all examples of rewrite rules were equations. The simplifier also
-accepts \emph{conditional} equations, for example
-*}
-
-lemma hd_Cons_tl[simp]: "xs \<noteq> [] \<Longrightarrow> hd xs # tl xs = xs"
-apply(case_tac xs, simp, simp)
-done
-
-text{*\noindent
-Note the use of ``\ttindexboldpos{,}{$Isar}'' to string together a
-sequence of methods. Assuming that the simplification rule
-@{term"(rev xs = []) = (xs = [])"}
-is present as well,
-the lemma below is proved by plain simplification:
-*}
-
-lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) # tl(rev xs) = rev xs"
-(*<*)
-by(simp)
-(*>*)
-text{*\noindent
-The conditional equation @{thm[source]hd_Cons_tl} above
-can simplify @{term"hd(rev xs) # tl(rev xs)"} to @{term"rev xs"}
-because the corresponding precondition @{term"rev xs ~= []"}
-simplifies to @{term"xs ~= []"}, which is exactly the local
-assumption of the subgoal.
-*}
-
-
-subsection{*Automatic Case Splits*}
-
-text{*\label{sec:AutoCaseSplits}\indexbold{case splits}%
-Goals containing @{text"if"}-expressions\index{*if expressions!splitting of}
-are usually proved by case
-distinction on the boolean condition. Here is an example:
-*}
-
-lemma "\<forall>xs. if xs = [] then rev xs = [] else rev xs \<noteq> []"
-
-txt{*\noindent
-The goal can be split by a special method, \methdx{split}:
-*}
-
-apply(split split_if)
-
-txt{*\noindent
-@{subgoals[display,indent=0]}
-where \tdx{split_if} is a theorem that expresses splitting of
-@{text"if"}s. Because
-splitting the @{text"if"}s is usually the right proof strategy, the
-simplifier does it automatically. Try \isacommand{apply}@{text"(simp)"}
-on the initial goal above.
-
-This splitting idea generalizes from @{text"if"} to \sdx{case}.
-Let us simplify a case analysis over lists:\index{*list.split (theorem)}
-*}(*<*)by simp(*>*)
-lemma "(case xs of [] \<Rightarrow> zs | y#ys \<Rightarrow> y#(ys@zs)) = xs@zs"
-apply(split list.split)
-
-txt{*
-@{subgoals[display,indent=0]}
-The simplifier does not split
-@{text"case"}-expressions, as it does @{text"if"}-expressions,
-because with recursive datatypes it could lead to nontermination.
-Instead, the simplifier has a modifier
-@{text split}\index{*split (modifier)}
-for adding splitting rules explicitly. The
-lemma above can be proved in one step by
-*}
-(*<*)oops
-lemma "(case xs of [] \<Rightarrow> zs | y#ys \<Rightarrow> y#(ys@zs)) = xs@zs"
-(*>*)
-apply(simp split: list.split)
-(*<*)done(*>*)
-text{*\noindent
-whereas \isacommand{apply}@{text"(simp)"} alone will not succeed.
-
-Every datatype $t$ comes with a theorem
-$t$@{text".split"} which can be declared to be a \bfindex{split rule} either
-locally as above, or by giving it the \attrdx{split} attribute globally:
-*}
-
-declare list.split [split]
-
-text{*\noindent
-The @{text"split"} attribute can be removed with the @{text"del"} modifier,
-either locally
-*}
-(*<*)
-lemma "dummy=dummy"
-(*>*)
-apply(simp split del: split_if)
-(*<*)
-oops
-(*>*)
-text{*\noindent
-or globally:
-*}
-declare list.split [split del]
-
-text{*
-Polished proofs typically perform splitting within @{text simp} rather than
-invoking the @{text split} method. However, if a goal contains
-several @{text "if"} and @{text case} expressions,
-the @{text split} method can be
-helpful in selectively exploring the effects of splitting.
-
-The split rules shown above are intended to affect only the subgoal's
-conclusion. If you want to split an @{text"if"} or @{text"case"}-expression
-in the assumptions, you have to apply \tdx{split_if_asm} or
-$t$@{text".split_asm"}: *}
-
-lemma "if xs = [] then ys \<noteq> [] else ys = [] \<Longrightarrow> xs @ ys \<noteq> []"
-apply(split split_if_asm)
-
-txt{*\noindent
-Unlike splitting the conclusion, this step creates two
-separate subgoals, which here can be solved by @{text"simp_all"}:
-@{subgoals[display,indent=0]}
-If you need to split both in the assumptions and the conclusion,
-use $t$@{text".splits"} which subsumes $t$@{text".split"} and
-$t$@{text".split_asm"}. Analogously, there is @{thm[source]if_splits}.
-
-\begin{warn}
- The simplifier merely simplifies the condition of an
- \isa{if}\index{*if expressions!simplification of} but not the
- \isa{then} or \isa{else} parts. The latter are simplified only after the
- condition reduces to \isa{True} or \isa{False}, or after splitting. The
- same is true for \sdx{case}-expressions: only the selector is
- simplified at first, until either the expression reduces to one of the
- cases or it is split.
-\end{warn}
-*}
-(*<*)
-by(simp_all)
-(*>*)
-
-subsection{*Tracing*}
-text{*\indexbold{tracing the simplifier}
-Using the simplifier effectively may take a bit of experimentation. Set the
-Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier} to get a better idea of what is going on:
-*}
-
-lemma "rev [a] = []"
-apply(simp)
-(*<*)oops(*>*)
-
-text{*\noindent
-produces the following trace in Proof General's \pgmenu{Trace} buffer:
-
-\begin{ttbox}\makeatother
-[1]Applying instance of rewrite rule "List.rev.simps_2":
-rev (?x1 # ?xs1) \(\equiv\) rev ?xs1 @ [?x1]
-
-[1]Rewriting:
-rev [a] \(\equiv\) rev [] @ [a]
-
-[1]Applying instance of rewrite rule "List.rev.simps_1":
-rev [] \(\equiv\) []
-
-[1]Rewriting:
-rev [] \(\equiv\) []
-
-[1]Applying instance of rewrite rule "List.op @.append_Nil":
-[] @ ?y \(\equiv\) ?y
-
-[1]Rewriting:
-[] @ [a] \(\equiv\) [a]
-
-[1]Applying instance of rewrite rule
-?x2 # ?t1 = ?t1 \(\equiv\) False
-
-[1]Rewriting:
-[a] = [] \(\equiv\) False
-\end{ttbox}
-The trace lists each rule being applied, both in its general form and
-the instance being used. The \texttt{[}$i$\texttt{]} in front (where
-above $i$ is always \texttt{1}) indicates that we are inside the $i$th
-invocation of the simplifier. Each attempt to apply a
-conditional rule shows the rule followed by the trace of the
-(recursive!) simplification of the conditions, the latter prefixed by
-\texttt{[}$i+1$\texttt{]} instead of \texttt{[}$i$\texttt{]}.
-Another source of recursive invocations of the simplifier are
-proofs of arithmetic formulae. By default, recursive invocations are not shown,
-you must increase the trace depth via \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier Depth}.
-
-Many other hints about the simplifier's actions may appear.
-
-In more complicated cases, the trace can be very lengthy. Thus it is
-advisable to reset the \pgmenu{Trace Simplifier} flag after having
-obtained the desired trace.
-Since this is easily forgotten (and may have the unpleasant effect of
-swamping the interface with trace information), here is how you can switch
-the trace on locally in a proof: *}
-
-(*<*)lemma "x=x"
-(*>*)
-using [[simp_trace=true]]
-apply simp
-(*<*)oops(*>*)
-
-text{* \noindent
-Within the current proof, all simplifications in subsequent proof steps
-will be traced, but the text reminds you to remove the \isa{using} clause
-after it has done its job. *}
-
-subsection{*Finding Theorems\label{sec:find}*}
-
-text{*\indexbold{finding theorems}\indexbold{searching theorems}
-Isabelle's large database of proved theorems
-offers a powerful search engine. Its chief limitation is
-its restriction to the theories currently loaded.
-
-\begin{pgnote}
-The search engine is started by clicking on Proof General's \pgmenu{Find} icon.
-You specify your search textually in the input buffer at the bottom
-of the window.
-\end{pgnote}
-
-The simplest form of search finds theorems containing specified
-patterns. A pattern can be any term (even
-a single identifier). It may contain ``\texttt{\_}'', a wildcard standing
-for any term. Here are some
-examples:
-\begin{ttbox}
-length
-"_ # _ = _ # _"
-"_ + _"
-"_ * (_ - (_::nat))"
-\end{ttbox}
-Specifying types, as shown in the last example,
-constrains searches involving overloaded operators.
-
-\begin{warn}
-Always use ``\texttt{\_}'' rather than variable names: searching for
-\texttt{"x + y"} will usually not find any matching theorems
-because they would need to contain \texttt{x} and~\texttt{y} literally.
-When searching for infix operators, do not just type in the symbol,
-such as~\texttt{+}, but a proper term such as \texttt{"_ + _"}.
-This remark applies to more complicated syntaxes, too.
-\end{warn}
-
-If you are looking for rewrite rules (possibly conditional) that could
-simplify some term, prefix the pattern with \texttt{simp:}.
-\begin{ttbox}
-simp: "_ * (_ + _)"
-\end{ttbox}
-This finds \emph{all} equations---not just those with a \isa{simp} attribute---whose conclusion has the form
-@{text[display]"_ * (_ + _) = \<dots>"}
-It only finds equations that can simplify the given pattern
-at the root, not somewhere inside: for example, equations of the form
-@{text"_ + _ = \<dots>"} do not match.
-
-You may also search for theorems by name---you merely
-need to specify a substring. For example, you could search for all
-commutativity theorems like this:
-\begin{ttbox}
-name: comm
-\end{ttbox}
-This retrieves all theorems whose name contains \texttt{comm}.
-
-Search criteria can also be negated by prefixing them with ``\texttt{-}''.
-For example,
-\begin{ttbox}
--name: List
-\end{ttbox}
-finds theorems whose name does not contain \texttt{List}. You can use this
-to exclude particular theories from the search: the long name of
-a theorem contains the name of the theory it comes from.
-
-Finallly, different search criteria can be combined arbitrarily.
-The effect is conjuctive: Find returns the theorems that satisfy all of
-the criteria. For example,
-\begin{ttbox}
-"_ + _" -"_ - _" -simp: "_ * (_ + _)" name: assoc
-\end{ttbox}
-looks for theorems containing plus but not minus, and which do not simplify
-\mbox{@{text"_ * (_ + _)"}} at the root, and whose name contains \texttt{assoc}.
-
-Further search criteria are explained in \S\ref{sec:find2}.
-
-\begin{pgnote}
-Proof General keeps a history of all your search expressions.
-If you click on \pgmenu{Find}, you can use the arrow keys to scroll
-through previous searches and just modify them. This saves you having
-to type in lengthy expressions again and again.
-\end{pgnote}
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Misc/types.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,32 +0,0 @@
-(*<*)theory "types" imports Main begin(*>*)
-type_synonym number = nat
-type_synonym gate = "bool \<Rightarrow> bool \<Rightarrow> bool"
-type_synonym ('a, 'b) alist = "('a \<times> 'b) list"
-
-text{*\noindent
-Internally all synonyms are fully expanded. As a consequence Isabelle's
-output never contains synonyms. Their main purpose is to improve the
-readability of theories. Synonyms can be used just like any other
-type.
-*}
-
-subsection{*Constant Definitions*}
-
-text{*\label{sec:ConstDefinitions}\indexbold{definitions}%
-Nonrecursive definitions can be made with the \commdx{definition}
-command, for example @{text nand} and @{text xor} gates
-(based on type @{typ gate} above):
-*}
-
-definition nand :: gate where "nand A B \<equiv> \<not>(A \<and> B)"
-definition xor :: gate where "xor A B \<equiv> A \<and> \<not>B \<or> \<not>A \<and> B"
-
-text{*\noindent%
-The symbol \indexboldpos{\isasymequiv}{$IsaEq} is a special form of equality
-that must be used in constant definitions.
-Pattern-matching is not allowed: each definition must be of
-the form $f\,x@1\,\dots\,x@n~\isasymequiv~t$.
-Section~\ref{sec:Simp-with-Defs} explains how definitions are used
-in proofs. The default name of each definition is $f$@{text"_def"}, where
-$f$ is the name of the defined constant.*}
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Protocol/Event.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,387 +0,0 @@
-(* Title: HOL/Auth/Event
- Author: Lawrence C Paulson, Cambridge University Computer Laboratory
- Copyright 1996 University of Cambridge
-
-Datatype of events; function "spies"; freshness
-
-"bad" agents have been broken by the Spy; their private keys and internal
- stores are visible to him
-*)(*<*)
-
-header{*Theory of Events for Security Protocols*}
-
-theory Event imports Message begin
-
-consts (*Initial states of agents -- parameter of the construction*)
- initState :: "agent => msg set"
-
-datatype
- event = Says agent agent msg
- | Gets agent msg
- | Notes agent msg
-
-consts
- bad :: "agent set" -- {* compromised agents *}
-
-
-text{*The constant "spies" is retained for compatibility's sake*}
-
-primrec
- knows :: "agent => event list => msg set"
-where
- knows_Nil: "knows A [] = initState A"
-| knows_Cons:
- "knows A (ev # evs) =
- (if A = Spy then
- (case ev of
- Says A' B X => insert X (knows Spy evs)
- | Gets A' X => knows Spy evs
- | Notes A' X =>
- if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
- else
- (case ev of
- Says A' B X =>
- if A'=A then insert X (knows A evs) else knows A evs
- | Gets A' X =>
- if A'=A then insert X (knows A evs) else knows A evs
- | Notes A' X =>
- if A'=A then insert X (knows A evs) else knows A evs))"
-
-abbreviation (input)
- spies :: "event list => msg set" where
- "spies == knows Spy"
-
-text{*Spy has access to his own key for spoof messages, but Server is secure*}
-specification (bad)
- Spy_in_bad [iff]: "Spy \<in> bad"
- Server_not_bad [iff]: "Server \<notin> bad"
- by (rule exI [of _ "{Spy}"], simp)
-
-(*
- Case A=Spy on the Gets event
- enforces the fact that if a message is received then it must have been sent,
- therefore the oops case must use Notes
-*)
-
-primrec
- (*Set of items that might be visible to somebody:
- complement of the set of fresh items*)
- used :: "event list => msg set"
-where
- used_Nil: "used [] = (UN B. parts (initState B))"
-| used_Cons: "used (ev # evs) =
- (case ev of
- Says A B X => parts {X} \<union> used evs
- | Gets A X => used evs
- | Notes A X => parts {X} \<union> used evs)"
- --{*The case for @{term Gets} seems anomalous, but @{term Gets} always
- follows @{term Says} in real protocols. Seems difficult to change.
- See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}. *}
-
-lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs --> X \<in> used evs"
-apply (induct_tac evs)
-apply (auto split: event.split)
-done
-
-lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs --> X \<in> used evs"
-apply (induct_tac evs)
-apply (auto split: event.split)
-done
-
-
-subsection{*Function @{term knows}*}
-
-(*Simplifying
- parts(insert X (knows Spy evs)) = parts{X} \<union> parts(knows Spy evs).
- This version won't loop with the simplifier.*)
-lemmas parts_insert_knows_A = parts_insert [of _ "knows A evs", standard]
-
-lemma knows_Spy_Says [simp]:
- "knows Spy (Says A B X # evs) = insert X (knows Spy evs)"
-by simp
-
-text{*Letting the Spy see "bad" agents' notes avoids redundant case-splits
- on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}*}
-lemma knows_Spy_Notes [simp]:
- "knows Spy (Notes A X # evs) =
- (if A:bad then insert X (knows Spy evs) else knows Spy evs)"
-by simp
-
-lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs"
-by simp
-
-lemma knows_Spy_subset_knows_Spy_Says:
- "knows Spy evs \<subseteq> knows Spy (Says A B X # evs)"
-by (simp add: subset_insertI)
-
-lemma knows_Spy_subset_knows_Spy_Notes:
- "knows Spy evs \<subseteq> knows Spy (Notes A X # evs)"
-by force
-
-lemma knows_Spy_subset_knows_Spy_Gets:
- "knows Spy evs \<subseteq> knows Spy (Gets A X # evs)"
-by (simp add: subset_insertI)
-
-text{*Spy sees what is sent on the traffic*}
-lemma Says_imp_knows_Spy [rule_format]:
- "Says A B X \<in> set evs --> X \<in> knows Spy evs"
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-done
-
-lemma Notes_imp_knows_Spy [rule_format]:
- "Notes A X \<in> set evs --> A: bad --> X \<in> knows Spy evs"
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-done
-
-
-text{*Elimination rules: derive contradictions from old Says events containing
- items known to be fresh*}
-lemmas knows_Spy_partsEs =
- Says_imp_knows_Spy [THEN parts.Inj, elim_format]
- parts.Body [elim_format]
-
-lemmas Says_imp_analz_Spy = Says_imp_knows_Spy [THEN analz.Inj]
-
-text{*Compatibility for the old "spies" function*}
-lemmas spies_partsEs = knows_Spy_partsEs
-lemmas Says_imp_spies = Says_imp_knows_Spy
-lemmas parts_insert_spies = parts_insert_knows_A [of _ Spy]
-
-
-subsection{*Knowledge of Agents*}
-
-lemma knows_Says: "knows A (Says A B X # evs) = insert X (knows A evs)"
-by simp
-
-lemma knows_Notes: "knows A (Notes A X # evs) = insert X (knows A evs)"
-by simp
-
-lemma knows_Gets:
- "A \<noteq> Spy --> knows A (Gets A X # evs) = insert X (knows A evs)"
-by simp
-
-
-lemma knows_subset_knows_Says: "knows A evs \<subseteq> knows A (Says A' B X # evs)"
-by (simp add: subset_insertI)
-
-lemma knows_subset_knows_Notes: "knows A evs \<subseteq> knows A (Notes A' X # evs)"
-by (simp add: subset_insertI)
-
-lemma knows_subset_knows_Gets: "knows A evs \<subseteq> knows A (Gets A' X # evs)"
-by (simp add: subset_insertI)
-
-text{*Agents know what they say*}
-lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs --> X \<in> knows A evs"
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-apply blast
-done
-
-text{*Agents know what they note*}
-lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs --> X \<in> knows A evs"
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-apply blast
-done
-
-text{*Agents know what they receive*}
-lemma Gets_imp_knows_agents [rule_format]:
- "A \<noteq> Spy --> Gets A X \<in> set evs --> X \<in> knows A evs"
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-done
-
-
-text{*What agents DIFFERENT FROM Spy know
- was either said, or noted, or got, or known initially*}
-lemma knows_imp_Says_Gets_Notes_initState [rule_format]:
- "[| X \<in> knows A evs; A \<noteq> Spy |] ==> EX B.
- Says A B X \<in> set evs | Gets A X \<in> set evs | Notes A X \<in> set evs | X \<in> initState A"
-apply (erule rev_mp)
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-apply blast
-done
-
-text{*What the Spy knows -- for the time being --
- was either said or noted, or known initially*}
-lemma knows_Spy_imp_Says_Notes_initState [rule_format]:
- "[| X \<in> knows Spy evs |] ==> EX A B.
- Says A B X \<in> set evs | Notes A X \<in> set evs | X \<in> initState Spy"
-apply (erule rev_mp)
-apply (induct_tac "evs")
-apply (simp_all (no_asm_simp) split add: event.split)
-apply blast
-done
-
-lemma parts_knows_Spy_subset_used: "parts (knows Spy evs) \<subseteq> used evs"
-apply (induct_tac "evs", force)
-apply (simp add: parts_insert_knows_A knows_Cons add: event.split, blast)
-done
-
-lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro]
-
-lemma initState_into_used: "X \<in> parts (initState B) ==> X \<in> used evs"
-apply (induct_tac "evs")
-apply (simp_all add: parts_insert_knows_A split add: event.split, blast)
-done
-
-lemma used_Says [simp]: "used (Says A B X # evs) = parts{X} \<union> used evs"
-by simp
-
-lemma used_Notes [simp]: "used (Notes A X # evs) = parts{X} \<union> used evs"
-by simp
-
-lemma used_Gets [simp]: "used (Gets A X # evs) = used evs"
-by simp
-
-lemma used_nil_subset: "used [] \<subseteq> used evs"
-apply simp
-apply (blast intro: initState_into_used)
-done
-
-text{*NOTE REMOVAL--laws above are cleaner, as they don't involve "case"*}
-declare knows_Cons [simp del]
- used_Nil [simp del] used_Cons [simp del]
-
-
-text{*For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
- New events added by induction to "evs" are discarded. Provided
- this information isn't needed, the proof will be much shorter, since
- it will omit complicated reasoning about @{term analz}.*}
-
-lemmas analz_mono_contra =
- knows_Spy_subset_knows_Spy_Says [THEN analz_mono, THEN contra_subsetD]
- knows_Spy_subset_knows_Spy_Notes [THEN analz_mono, THEN contra_subsetD]
- knows_Spy_subset_knows_Spy_Gets [THEN analz_mono, THEN contra_subsetD]
-
-lemmas analz_impI = impI [where P = "Y \<notin> analz (knows Spy evs)", standard]
-
-ML
-{*
-val analz_mono_contra_tac =
- rtac @{thm analz_impI} THEN'
- REPEAT1 o (dresolve_tac @{thms analz_mono_contra})
- THEN' mp_tac
-*}
-
-lemma knows_subset_knows_Cons: "knows A evs \<subseteq> knows A (e # evs)"
-by (induct e, auto simp: knows_Cons)
-
-lemma initState_subset_knows: "initState A \<subseteq> knows A evs"
-apply (induct_tac evs, simp)
-apply (blast intro: knows_subset_knows_Cons [THEN subsetD])
-done
-
-
-text{*For proving @{text new_keys_not_used}*}
-lemma keysFor_parts_insert:
- "[| K \<in> keysFor (parts (insert X G)); X \<in> synth (analz H) |]
- ==> K \<in> keysFor (parts (G \<union> H)) | Key (invKey K) \<in> parts H";
-by (force
- dest!: parts_insert_subset_Un [THEN keysFor_mono, THEN [2] rev_subsetD]
- analz_subset_parts [THEN keysFor_mono, THEN [2] rev_subsetD]
- intro: analz_subset_parts [THEN subsetD] parts_mono [THEN [2] rev_subsetD])
-
-method_setup analz_mono_contra = {*
- Scan.succeed (K (SIMPLE_METHOD (REPEAT_FIRST analz_mono_contra_tac))) *}
- "for proving theorems of the form X \<notin> analz (knows Spy evs) --> P"
-
-subsubsection{*Useful for case analysis on whether a hash is a spoof or not*}
-
-lemmas syan_impI = impI [where P = "Y \<notin> synth (analz (knows Spy evs))", standard]
-
-ML
-{*
-val knows_Cons = @{thm knows_Cons};
-val used_Nil = @{thm used_Nil};
-val used_Cons = @{thm used_Cons};
-
-val Notes_imp_used = @{thm Notes_imp_used};
-val Says_imp_used = @{thm Says_imp_used};
-val Says_imp_knows_Spy = @{thm Says_imp_knows_Spy};
-val Notes_imp_knows_Spy = @{thm Notes_imp_knows_Spy};
-val knows_Spy_partsEs = @{thms knows_Spy_partsEs};
-val spies_partsEs = @{thms spies_partsEs};
-val Says_imp_spies = @{thm Says_imp_spies};
-val parts_insert_spies = @{thm parts_insert_spies};
-val Says_imp_knows = @{thm Says_imp_knows};
-val Notes_imp_knows = @{thm Notes_imp_knows};
-val Gets_imp_knows_agents = @{thm Gets_imp_knows_agents};
-val knows_imp_Says_Gets_Notes_initState = @{thm knows_imp_Says_Gets_Notes_initState};
-val knows_Spy_imp_Says_Notes_initState = @{thm knows_Spy_imp_Says_Notes_initState};
-val usedI = @{thm usedI};
-val initState_into_used = @{thm initState_into_used};
-val used_Says = @{thm used_Says};
-val used_Notes = @{thm used_Notes};
-val used_Gets = @{thm used_Gets};
-val used_nil_subset = @{thm used_nil_subset};
-val analz_mono_contra = @{thms analz_mono_contra};
-val knows_subset_knows_Cons = @{thm knows_subset_knows_Cons};
-val initState_subset_knows = @{thm initState_subset_knows};
-val keysFor_parts_insert = @{thm keysFor_parts_insert};
-
-
-val synth_analz_mono = @{thm synth_analz_mono};
-
-val knows_Spy_subset_knows_Spy_Says = @{thm knows_Spy_subset_knows_Spy_Says};
-val knows_Spy_subset_knows_Spy_Notes = @{thm knows_Spy_subset_knows_Spy_Notes};
-val knows_Spy_subset_knows_Spy_Gets = @{thm knows_Spy_subset_knows_Spy_Gets};
-
-
-val synth_analz_mono_contra_tac =
- rtac @{thm syan_impI} THEN'
- REPEAT1 o
- (dresolve_tac
- [@{thm knows_Spy_subset_knows_Spy_Says} RS @{thm synth_analz_mono} RS @{thm contra_subsetD},
- @{thm knows_Spy_subset_knows_Spy_Notes} RS @{thm synth_analz_mono} RS @{thm contra_subsetD},
- @{thm knows_Spy_subset_knows_Spy_Gets} RS @{thm synth_analz_mono} RS @{thm contra_subsetD}])
- THEN'
- mp_tac
-*}
-
-method_setup synth_analz_mono_contra = {*
- Scan.succeed (K (SIMPLE_METHOD (REPEAT_FIRST synth_analz_mono_contra_tac))) *}
- "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) --> P"
-(*>*)
-
-section{* Event Traces \label{sec:events} *}
-
-text {*
-The system's behaviour is formalized as a set of traces of
-\emph{events}. The most important event, @{text "Says A B X"}, expresses
-$A\to B : X$, which is the attempt by~$A$ to send~$B$ the message~$X$.
-A trace is simply a list, constructed in reverse
-using~@{text "#"}. Other event types include reception of messages (when
-we want to make it explicit) and an agent's storing a fact.
-
-Sometimes the protocol requires an agent to generate a new nonce. The
-probability that a 20-byte random number has appeared before is effectively
-zero. To formalize this important property, the set @{term "used evs"}
-denotes the set of all items mentioned in the trace~@{text evs}.
-The function @{text used} has a straightforward
-recursive definition. Here is the case for @{text Says} event:
-@{thm [display,indent=5] used_Says [no_vars]}
-
-The function @{text knows} formalizes an agent's knowledge. Mostly we only
-care about the spy's knowledge, and @{term "knows Spy evs"} is the set of items
-available to the spy in the trace~@{text evs}. Already in the empty trace,
-the spy starts with some secrets at his disposal, such as the private keys
-of compromised users. After each @{text Says} event, the spy learns the
-message that was sent:
-@{thm [display,indent=5] knows_Spy_Says [no_vars]}
-Combinations of functions express other important
-sets of messages derived from~@{text evs}:
-\begin{itemize}
-\item @{term "analz (knows Spy evs)"} is everything that the spy could
-learn by decryption
-\item @{term "synth (analz (knows Spy evs))"} is everything that the spy
-could generate
-\end{itemize}
-*}
-
-(*<*)
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/TutorialI/Protocol/Message.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,923 +0,0 @@
-(* Title: HOL/Auth/Message
- Author: Lawrence C Paulson, Cambridge University Computer Laboratory
- Copyright 1996 University of Cambridge
-
-Datatypes of agents and messages;
-Inductive relations "parts", "analz" and "synth"
-*)(*<*)
-
-header{*Theory of Agents and Messages for Security Protocols*}
-
-theory Message imports Main begin
-ML_file "../../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-
-(*Needed occasionally with spy_analz_tac, e.g. in analz_insert_Key_newK*)
-lemma [simp] : "A \<union> (B \<union> A) = B \<union> A"
-by blast
-(*>*)
-
-section{* Agents and Messages *}
-
-text {*
-All protocol specifications refer to a syntactic theory of messages.
-Datatype
-@{text agent} introduces the constant @{text Server} (a trusted central
-machine, needed for some protocols), an infinite population of
-friendly agents, and the~@{text Spy}:
-*}
-
-datatype agent = Server | Friend nat | Spy
-
-text {*
-Keys are just natural numbers. Function @{text invKey} maps a public key to
-the matching private key, and vice versa:
-*}
-
-type_synonym key = nat
-consts invKey :: "key \<Rightarrow> key"
-(*<*)
-consts all_symmetric :: bool --{*true if all keys are symmetric*}
-
-specification (invKey)
- invKey [simp]: "invKey (invKey K) = K"
- invKey_symmetric: "all_symmetric --> invKey = id"
- by (rule exI [of _ id], auto)
-
-
-text{*The inverse of a symmetric key is itself; that of a public key
- is the private key and vice versa*}
-
-definition symKeys :: "key set" where
- "symKeys == {K. invKey K = K}"
-(*>*)
-
-text {*
-Datatype
-@{text msg} introduces the message forms, which include agent names, nonces,
-keys, compound messages, and encryptions.
-*}
-
-datatype
- msg = Agent agent
- | Nonce nat
- | Key key
- | MPair msg msg
- | Crypt key msg
-
-text {*
-\noindent
-The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$
-abbreviates
-$\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$.
-
-Since datatype constructors are injective, we have the theorem
-@{thm [display,indent=0] msg.inject(5) [THEN iffD1, of K X K' X']}
-A ciphertext can be decrypted using only one key and
-can yield only one plaintext. In the real world, decryption with the
-wrong key succeeds but yields garbage. Our model of encryption is
-realistic if encryption adds some redundancy to the plaintext, such as a
-checksum, so that garbage can be detected.
-*}
-
-(*<*)
-text{*Concrete syntax: messages appear as {|A,B,NA|}, etc...*}
-syntax
- "_MTuple" :: "['a, args] => 'a * 'b" ("(2{|_,/ _|})")
-
-syntax (xsymbols)
- "_MTuple" :: "['a, args] => 'a * 'b" ("(2\<lbrace>_,/ _\<rbrace>)")
-
-translations
- "{|x, y, z|}" == "{|x, {|y, z|}|}"
- "{|x, y|}" == "CONST MPair x y"
-
-
-definition keysFor :: "msg set => key set" where
- --{*Keys useful to decrypt elements of a message set*}
- "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
-
-
-subsubsection{*Inductive Definition of All Parts" of a Message*}
-
-inductive_set
- parts :: "msg set => msg set"
- for H :: "msg set"
- where
- Inj [intro]: "X \<in> H ==> X \<in> parts H"
- | Fst: "{|X,Y|} \<in> parts H ==> X \<in> parts H"
- | Snd: "{|X,Y|} \<in> parts H ==> Y \<in> parts H"
- | Body: "Crypt K X \<in> parts H ==> X \<in> parts H"
-
-
-text{*Monotonicity*}
-lemma parts_mono: "G \<subseteq> H ==> parts(G) \<subseteq> parts(H)"
-apply auto
-apply (erule parts.induct)
-apply (blast dest: parts.Fst parts.Snd parts.Body)+
-done
-
-
-text{*Equations hold because constructors are injective.*}
-lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x:A)"
-by auto
-
-lemma Key_image_eq [simp]: "(Key x \<in> Key`A) = (x\<in>A)"
-by auto
-
-lemma Nonce_Key_image_eq [simp]: "(Nonce x \<notin> Key`A)"
-by auto
-
-
-subsubsection{*Inverse of keys *}
-
-lemma invKey_eq [simp]: "(invKey K = invKey K') = (K=K')"
-apply safe
-apply (drule_tac f = invKey in arg_cong, simp)
-done
-
-
-subsection{*keysFor operator*}
-
-lemma keysFor_empty [simp]: "keysFor {} = {}"
-by (unfold keysFor_def, blast)
-
-lemma keysFor_Un [simp]: "keysFor (H \<union> H') = keysFor H \<union> keysFor H'"
-by (unfold keysFor_def, blast)
-
-lemma keysFor_UN [simp]: "keysFor (\<Union>i\<in>A. H i) = (\<Union>i\<in>A. keysFor (H i))"
-by (unfold keysFor_def, blast)
-
-text{*Monotonicity*}
-lemma keysFor_mono: "G \<subseteq> H ==> keysFor(G) \<subseteq> keysFor(H)"
-by (unfold keysFor_def, blast)
-
-lemma keysFor_insert_Agent [simp]: "keysFor (insert (Agent A) H) = keysFor H"
-by (unfold keysFor_def, auto)
-
-lemma keysFor_insert_Nonce [simp]: "keysFor (insert (Nonce N) H) = keysFor H"
-by (unfold keysFor_def, auto)
-
-lemma keysFor_insert_Key [simp]: "keysFor (insert (Key K) H) = keysFor H"
-by (unfold keysFor_def, auto)
-
-lemma keysFor_insert_MPair [simp]: "keysFor (insert {|X,Y|} H) = keysFor H"
-by (unfold keysFor_def, auto)
-
-lemma keysFor_insert_Crypt [simp]:
- "keysFor (insert (Crypt K X) H) = insert (invKey K) (keysFor H)"
-by (unfold keysFor_def, auto)
-
-lemma keysFor_image_Key [simp]: "keysFor (Key`E) = {}"
-by (unfold keysFor_def, auto)
-
-lemma Crypt_imp_invKey_keysFor: "Crypt K X \<in> H ==> invKey K \<in> keysFor H"
-by (unfold keysFor_def, blast)
-
-
-subsection{*Inductive relation "parts"*}
-
-lemma MPair_parts:
- "[| {|X,Y|} \<in> parts H;
- [| X \<in> parts H; Y \<in> parts H |] ==> P |] ==> P"
-by (blast dest: parts.Fst parts.Snd)
-
-declare MPair_parts [elim!] parts.Body [dest!]
-text{*NB These two rules are UNSAFE in the formal sense, as they discard the
- compound message. They work well on THIS FILE.
- @{text MPair_parts} is left as SAFE because it speeds up proofs.
- The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.*}
-
-lemma parts_increasing: "H \<subseteq> parts(H)"
-by blast
-
-lemmas parts_insertI = subset_insertI [THEN parts_mono, THEN subsetD, standard]
-
-lemma parts_empty [simp]: "parts{} = {}"
-apply safe
-apply (erule parts.induct, blast+)
-done
-
-lemma parts_emptyE [elim!]: "X\<in> parts{} ==> P"
-by simp
-
-text{*WARNING: loops if H = {Y}, therefore must not be repeated!*}
-lemma parts_singleton: "X\<in> parts H ==> \<exists>Y\<in>H. X\<in> parts {Y}"
-by (erule parts.induct, fast+)
-
-
-subsubsection{*Unions *}
-
-lemma parts_Un_subset1: "parts(G) \<union> parts(H) \<subseteq> parts(G \<union> H)"
-by (intro Un_least parts_mono Un_upper1 Un_upper2)
-
-lemma parts_Un_subset2: "parts(G \<union> H) \<subseteq> parts(G) \<union> parts(H)"
-apply (rule subsetI)
-apply (erule parts.induct, blast+)
-done
-
-lemma parts_Un [simp]: "parts(G \<union> H) = parts(G) \<union> parts(H)"
-by (intro equalityI parts_Un_subset1 parts_Un_subset2)
-
-lemma parts_insert: "parts (insert X H) = parts {X} \<union> parts H"
-apply (subst insert_is_Un [of _ H])
-apply (simp only: parts_Un)
-done
-
-text{*TWO inserts to avoid looping. This rewrite is better than nothing.
- Not suitable for Addsimps: its behaviour can be strange.*}
-lemma parts_insert2:
- "parts (insert X (insert Y H)) = parts {X} \<union> parts {Y} \<union> parts H"
-apply (simp add: Un_assoc)
-apply (simp add: parts_insert [symmetric])
-done
-
-lemma parts_UN_subset1: "(\<Union>x\<in>A. parts(H x)) \<subseteq> parts(\<Union>x\<in>A. H x)"
-by (intro UN_least parts_mono UN_upper)
-
-lemma parts_UN_subset2: "parts(\<Union>x\<in>A. H x) \<subseteq> (\<Union>x\<in>A. parts(H x))"
-apply (rule subsetI)
-apply (erule parts.induct, blast+)
-done
-
-lemma parts_UN [simp]: "parts(\<Union>x\<in>A. H x) = (\<Union>x\<in>A. parts(H x))"
-by (intro equalityI parts_UN_subset1 parts_UN_subset2)
-
-text{*Added to simplify arguments to parts, analz and synth.
- NOTE: the UN versions are no longer used!*}
-
-
-text{*This allows @{text blast} to simplify occurrences of
- @{term "parts(G\<union>H)"} in the assumption.*}
-lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE]
-declare in_parts_UnE [elim!]
-
-
-lemma parts_insert_subset: "insert X (parts H) \<subseteq> parts(insert X H)"
-by (blast intro: parts_mono [THEN [2] rev_subsetD])
-
-subsubsection{*Idempotence and transitivity *}
-
-lemma parts_partsD [dest!]: "X\<in> parts (parts H) ==> X\<in> parts H"
-by (erule parts.induct, blast+)
-
-lemma parts_idem [simp]: "parts (parts H) = parts H"
-by blast
-
-lemma parts_subset_iff [simp]: "(parts G \<subseteq> parts H) = (G \<subseteq> parts H)"
-apply (rule iffI)
-apply (iprover intro: subset_trans parts_increasing)
-apply (frule parts_mono, simp)
-done
-
-lemma parts_trans: "[| X\<in> parts G; G \<subseteq> parts H |] ==> X\<in> parts H"
-by (drule parts_mono, blast)
-
-text{*Cut*}
-lemma parts_cut:
- "[| Y\<in> parts (insert X G); X\<in> parts H |] ==> Y\<in> parts (G \<union> H)"
-by (blast intro: parts_trans)
-
-
-lemma parts_cut_eq [simp]: "X\<in> parts H ==> parts (insert X H) = parts H"
-by (force dest!: parts_cut intro: parts_insertI)
-
-
-subsubsection{*Rewrite rules for pulling out atomic messages *}
-
-lemmas parts_insert_eq_I = equalityI [OF subsetI parts_insert_subset]
-
-
-lemma parts_insert_Agent [simp]:
- "parts (insert (Agent agt) H) = insert (Agent agt) (parts H)"
-apply (rule parts_insert_eq_I)
-apply (erule parts.induct, auto)
-done
-
-lemma parts_insert_Nonce [simp]:
- "parts (insert (Nonce N) H) = insert (Nonce N) (parts H)"
-apply (rule parts_insert_eq_I)
-apply (erule parts.induct, auto)
-done
-
-lemma parts_insert_Key [simp]:
- "parts (insert (Key K) H) = insert (Key K) (parts H)"
-apply (rule parts_insert_eq_I)
-apply (erule parts.induct, auto)
-done
-
-lemma parts_insert_Crypt [simp]:
- "parts (insert (Crypt K X) H) = insert (Crypt K X) (parts (insert X H))"
-apply (rule equalityI)
-apply (rule subsetI)
-apply (erule parts.induct, auto)
-apply (blast intro: parts.Body)
-done
-
-lemma parts_insert_MPair [simp]:
- "parts (insert {|X,Y|} H) =
- insert {|X,Y|} (parts (insert X (insert Y H)))"
-apply (rule equalityI)
-apply (rule subsetI)
-apply (erule parts.induct, auto)
-apply (blast intro: parts.Fst parts.Snd)+
-done
-
-lemma parts_image_Key [simp]: "parts (Key`N) = Key`N"
-apply auto
-apply (erule parts.induct, auto)
-done
-
-
-text{*In any message, there is an upper bound N on its greatest nonce.*}
-lemma msg_Nonce_supply: "\<exists>N. \<forall>n. N\<le>n --> Nonce n \<notin> parts {msg}"
-apply (induct_tac "msg")
-apply (simp_all (no_asm_simp) add: exI parts_insert2)
- txt{*MPair case: blast works out the necessary sum itself!*}
- prefer 2 apply auto apply (blast elim!: add_leE)
-txt{*Nonce case*}
-apply (rule_tac x = "N + Suc nat" in exI, auto)
-done
-(*>*)
-
-section{* Modelling the Adversary *}
-
-text {*
-The spy is part of the system and must be built into the model. He is
-a malicious user who does not have to follow the protocol. He
-watches the network and uses any keys he knows to decrypt messages.
-Thus he accumulates additional keys and nonces. These he can use to
-compose new messages, which he may send to anybody.
-
-Two functions enable us to formalize this behaviour: @{text analz} and
-@{text synth}. Each function maps a sets of messages to another set of
-messages. The set @{text "analz H"} formalizes what the adversary can learn
-from the set of messages~$H$. The closure properties of this set are
-defined inductively.
-*}
-
-inductive_set
- analz :: "msg set \<Rightarrow> msg set"
- for H :: "msg set"
- where
- Inj [intro,simp] : "X \<in> H \<Longrightarrow> X \<in> analz H"
- | Fst: "\<lbrace>X,Y\<rbrace> \<in> analz H \<Longrightarrow> X \<in> analz H"
- | Snd: "\<lbrace>X,Y\<rbrace> \<in> analz H \<Longrightarrow> Y \<in> analz H"
- | Decrypt [dest]:
- "\<lbrakk>Crypt K X \<in> analz H; Key(invKey K) \<in> analz H\<rbrakk>
- \<Longrightarrow> X \<in> analz H"
-(*<*)
-text{*Monotonicity; Lemma 1 of Lowe's paper*}
-lemma analz_mono: "G\<subseteq>H ==> analz(G) \<subseteq> analz(H)"
-apply auto
-apply (erule analz.induct)
-apply (auto dest: analz.Fst analz.Snd)
-done
-
-text{*Making it safe speeds up proofs*}
-lemma MPair_analz [elim!]:
- "[| {|X,Y|} \<in> analz H;
- [| X \<in> analz H; Y \<in> analz H |] ==> P
- |] ==> P"
-by (blast dest: analz.Fst analz.Snd)
-
-lemma analz_increasing: "H \<subseteq> analz(H)"
-by blast
-
-lemma analz_subset_parts: "analz H \<subseteq> parts H"
-apply (rule subsetI)
-apply (erule analz.induct, blast+)
-done
-
-lemmas analz_into_parts = analz_subset_parts [THEN subsetD, standard]
-
-lemmas not_parts_not_analz = analz_subset_parts [THEN contra_subsetD, standard]
-
-
-lemma parts_analz [simp]: "parts (analz H) = parts H"
-apply (rule equalityI)
-apply (rule analz_subset_parts [THEN parts_mono, THEN subset_trans], simp)
-apply (blast intro: analz_increasing [THEN parts_mono, THEN subsetD])
-done
-
-lemma analz_parts [simp]: "analz (parts H) = parts H"
-apply auto
-apply (erule analz.induct, auto)
-done
-
-lemmas analz_insertI = subset_insertI [THEN analz_mono, THEN [2] rev_subsetD, standard]
-
-subsubsection{*General equational properties *}
-
-lemma analz_empty [simp]: "analz{} = {}"
-apply safe
-apply (erule analz.induct, blast+)
-done
-
-text{*Converse fails: we can analz more from the union than from the
- separate parts, as a key in one might decrypt a message in the other*}
-lemma analz_Un: "analz(G) \<union> analz(H) \<subseteq> analz(G \<union> H)"
-by (intro Un_least analz_mono Un_upper1 Un_upper2)
-
-lemma analz_insert: "insert X (analz H) \<subseteq> analz(insert X H)"
-by (blast intro: analz_mono [THEN [2] rev_subsetD])
-
-subsubsection{*Rewrite rules for pulling out atomic messages *}
-
-lemmas analz_insert_eq_I = equalityI [OF subsetI analz_insert]
-
-lemma analz_insert_Agent [simp]:
- "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)"
-apply (rule analz_insert_eq_I)
-apply (erule analz.induct, auto)
-done
-
-lemma analz_insert_Nonce [simp]:
- "analz (insert (Nonce N) H) = insert (Nonce N) (analz H)"
-apply (rule analz_insert_eq_I)
-apply (erule analz.induct, auto)
-done
-
-text{*Can only pull out Keys if they are not needed to decrypt the rest*}
-lemma analz_insert_Key [simp]:
- "K \<notin> keysFor (analz H) ==>
- analz (insert (Key K) H) = insert (Key K) (analz H)"
-apply (unfold keysFor_def)
-apply (rule analz_insert_eq_I)
-apply (erule analz.induct, auto)
-done
-
-lemma analz_insert_MPair [simp]:
- "analz (insert {|X,Y|} H) =
- insert {|X,Y|} (analz (insert X (insert Y H)))"
-apply (rule equalityI)
-apply (rule subsetI)
-apply (erule analz.induct, auto)
-apply (erule analz.induct)
-apply (blast intro: analz.Fst analz.Snd)+
-done
-
-text{*Can pull out enCrypted message if the Key is not known*}
-lemma analz_insert_Crypt:
- "Key (invKey K) \<notin> analz H
- ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
-apply (rule analz_insert_eq_I)
-apply (erule analz.induct, auto)
-
-done
-
-lemma lemma1: "Key (invKey K) \<in> analz H ==>
- analz (insert (Crypt K X) H) \<subseteq>
- insert (Crypt K X) (analz (insert X H))"
-apply (rule subsetI)
-apply (erule_tac x = x in analz.induct, auto)
-done
-
-lemma lemma2: "Key (invKey K) \<in> analz H ==>
- insert (Crypt K X) (analz (insert X H)) \<subseteq>
- analz (insert (Crypt K X) H)"
-apply auto
-apply (erule_tac x = x in analz.induct, auto)
-apply (blast intro: analz_insertI analz.Decrypt)
-done
-
-lemma analz_insert_Decrypt:
- "Key (invKey K) \<in> analz H ==>
- analz (insert (Crypt K X) H) =
- insert (Crypt K X) (analz (insert X H))"
-by (intro equalityI lemma1 lemma2)
-
-text{*Case analysis: either the message is secure, or it is not! Effective,
-but can cause subgoals to blow up! Use with @{text "split_if"}; apparently
-@{text "split_tac"} does not cope with patterns such as @{term"analz (insert
-(Crypt K X) H)"} *}
-lemma analz_Crypt_if [simp]:
- "analz (insert (Crypt K X) H) =
- (if (Key (invKey K) \<in> analz H)
- then insert (Crypt K X) (analz (insert X H))
- else insert (Crypt K X) (analz H))"
-by (simp add: analz_insert_Crypt analz_insert_Decrypt)
-
-
-text{*This rule supposes "for the sake of argument" that we have the key.*}
-lemma analz_insert_Crypt_subset:
- "analz (insert (Crypt K X) H) \<subseteq>
- insert (Crypt K X) (analz (insert X H))"
-apply (rule subsetI)
-apply (erule analz.induct, auto)
-done
-
-
-lemma analz_image_Key [simp]: "analz (Key`N) = Key`N"
-apply auto
-apply (erule analz.induct, auto)
-done
-
-
-subsubsection{*Idempotence and transitivity *}
-
-lemma analz_analzD [dest!]: "X\<in> analz (analz H) ==> X\<in> analz H"
-by (erule analz.induct, blast+)
-
-lemma analz_idem [simp]: "analz (analz H) = analz H"
-by blast
-
-lemma analz_subset_iff [simp]: "(analz G \<subseteq> analz H) = (G \<subseteq> analz H)"
-apply (rule iffI)
-apply (iprover intro: subset_trans analz_increasing)
-apply (frule analz_mono, simp)
-done
-
-lemma analz_trans: "[| X\<in> analz G; G \<subseteq> analz H |] ==> X\<in> analz H"
-by (drule analz_mono, blast)
-
-text{*Cut; Lemma 2 of Lowe*}
-lemma analz_cut: "[| Y\<in> analz (insert X H); X\<in> analz H |] ==> Y\<in> analz H"
-by (erule analz_trans, blast)
-
-(*Cut can be proved easily by induction on
- "Y: analz (insert X H) ==> X: analz H --> Y: analz H"
-*)
-
-text{*This rewrite rule helps in the simplification of messages that involve
- the forwarding of unknown components (X). Without it, removing occurrences
- of X can be very complicated. *}
-lemma analz_insert_eq: "X\<in> analz H ==> analz (insert X H) = analz H"
-by (blast intro: analz_cut analz_insertI)
-
-
-text{*A congruence rule for "analz" *}
-
-lemma analz_subset_cong:
- "[| analz G \<subseteq> analz G'; analz H \<subseteq> analz H' |]
- ==> analz (G \<union> H) \<subseteq> analz (G' \<union> H')"
-apply simp
-apply (iprover intro: conjI subset_trans analz_mono Un_upper1 Un_upper2)
-done
-
-lemma analz_cong:
- "[| analz G = analz G'; analz H = analz H' |]
- ==> analz (G \<union> H) = analz (G' \<union> H')"
-by (intro equalityI analz_subset_cong, simp_all)
-
-lemma analz_insert_cong:
- "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
-by (force simp only: insert_def intro!: analz_cong)
-
-text{*If there are no pairs or encryptions then analz does nothing*}
-lemma analz_trivial:
- "[| \<forall>X Y. {|X,Y|} \<notin> H; \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
-apply safe
-apply (erule analz.induct, blast+)
-done
-
-text{*These two are obsolete (with a single Spy) but cost little to prove...*}
-lemma analz_UN_analz_lemma:
- "X\<in> analz (\<Union>i\<in>A. analz (H i)) ==> X\<in> analz (\<Union>i\<in>A. H i)"
-apply (erule analz.induct)
-apply (blast intro: analz_mono [THEN [2] rev_subsetD])+
-done
-
-lemma analz_UN_analz [simp]: "analz (\<Union>i\<in>A. analz (H i)) = analz (\<Union>i\<in>A. H i)"
-by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD])
-(*>*)
-text {*
-Note the @{text Decrypt} rule: the spy can decrypt a
-message encrypted with key~$K$ if he has the matching key,~$K^{-1}$.
-Properties proved by rule induction include the following:
-@{named_thms [display,indent=0] analz_mono [no_vars] (analz_mono) analz_idem [no_vars] (analz_idem)}
-
-The set of fake messages that an intruder could invent
-starting from~@{text H} is @{text "synth(analz H)"}, where @{text "synth H"}
-formalizes what the adversary can build from the set of messages~$H$.
-*}
-
-inductive_set
- synth :: "msg set \<Rightarrow> msg set"
- for H :: "msg set"
- where
- Inj [intro]: "X \<in> H \<Longrightarrow> X \<in> synth H"
- | Agent [intro]: "Agent agt \<in> synth H"
- | MPair [intro]:
- "\<lbrakk>X \<in> synth H; Y \<in> synth H\<rbrakk> \<Longrightarrow> \<lbrace>X,Y\<rbrace> \<in> synth H"
- | Crypt [intro]:
- "\<lbrakk>X \<in> synth H; Key K \<in> H\<rbrakk> \<Longrightarrow> Crypt K X \<in> synth H"
-(*<*)
-lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
- by (auto, erule synth.induct, auto)
-
-inductive_cases Key_synth [elim!]: "Key K \<in> synth H"
-inductive_cases MPair_synth [elim!]: "{|X,Y|} \<in> synth H"
-inductive_cases Crypt_synth [elim!]: "Crypt K X \<in> synth H"
-
-lemma analz_synth_Un [simp]: "analz (synth G \<union> H) = analz (G \<union> H) \<union> synth G"
-apply (rule equalityI)
-apply (rule subsetI)
-apply (erule analz.induct)
-prefer 5 apply (blast intro: analz_mono [THEN [2] rev_subsetD])
-apply (blast intro: analz.Fst analz.Snd analz.Decrypt)+
-done
-
-lemma analz_synth [simp]: "analz (synth H) = analz H \<union> synth H"
-apply (cut_tac H = "{}" in analz_synth_Un)
-apply (simp (no_asm_use))
-done
-(*>*)
-text {*
-The set includes all agent names. Nonces and keys are assumed to be
-unguessable, so none are included beyond those already in~$H$. Two
-elements of @{term "synth H"} can be combined, and an element can be encrypted
-using a key present in~$H$.
-
-Like @{text analz}, this set operator is monotone and idempotent. It also
-satisfies an interesting equation involving @{text analz}:
-@{named_thms [display,indent=0] analz_synth [no_vars] (analz_synth)}
-Rule inversion plays a major role in reasoning about @{text synth}, through
-declarations such as this one:
-*}
-
-inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H"
-
-text {*
-\noindent
-The resulting elimination rule replaces every assumption of the form
-@{term "Nonce n \<in> synth H"} by @{term "Nonce n \<in> H"},
-expressing that a nonce cannot be guessed.
-
-A third operator, @{text parts}, is useful for stating correctness
-properties. The set
-@{term "parts H"} consists of the components of elements of~$H$. This set
-includes~@{text H} and is closed under the projections from a compound
-message to its immediate parts.
-Its definition resembles that of @{text analz} except in the rule
-corresponding to the constructor @{text Crypt}:
-@{thm [display,indent=5] parts.Body [no_vars]}
-The body of an encrypted message is always regarded as part of it. We can
-use @{text parts} to express general well-formedness properties of a protocol,
-for example, that an uncompromised agent's private key will never be
-included as a component of any message.
-*}
-(*<*)
-lemma synth_increasing: "H \<subseteq> synth(H)"
-by blast
-
-subsubsection{*Unions *}
-
-text{*Converse fails: we can synth more from the union than from the
- separate parts, building a compound message using elements of each.*}
-lemma synth_Un: "synth(G) \<union> synth(H) \<subseteq> synth(G \<union> H)"
-by (intro Un_least synth_mono Un_upper1 Un_upper2)
-
-lemma synth_insert: "insert X (synth H) \<subseteq> synth(insert X H)"
-by (blast intro: synth_mono [THEN [2] rev_subsetD])
-
-subsubsection{*Idempotence and transitivity *}
-
-lemma synth_synthD [dest!]: "X\<in> synth (synth H) ==> X\<in> synth H"
-by (erule synth.induct, blast+)
-
-lemma synth_idem: "synth (synth H) = synth H"
-by blast
-
-lemma synth_subset_iff [simp]: "(synth G \<subseteq> synth H) = (G \<subseteq> synth H)"
-apply (rule iffI)
-apply (iprover intro: subset_trans synth_increasing)
-apply (frule synth_mono, simp add: synth_idem)
-done
-
-lemma synth_trans: "[| X\<in> synth G; G \<subseteq> synth H |] ==> X\<in> synth H"
-by (drule synth_mono, blast)
-
-text{*Cut; Lemma 2 of Lowe*}
-lemma synth_cut: "[| Y\<in> synth (insert X H); X\<in> synth H |] ==> Y\<in> synth H"
-by (erule synth_trans, blast)
-
-lemma Agent_synth [simp]: "Agent A \<in> synth H"
-by blast
-
-lemma Nonce_synth_eq [simp]: "(Nonce N \<in> synth H) = (Nonce N \<in> H)"
-by blast
-
-lemma Key_synth_eq [simp]: "(Key K \<in> synth H) = (Key K \<in> H)"
-by blast
-
-lemma Crypt_synth_eq [simp]:
- "Key K \<notin> H ==> (Crypt K X \<in> synth H) = (Crypt K X \<in> H)"
-by blast
-
-
-lemma keysFor_synth [simp]:
- "keysFor (synth H) = keysFor H \<union> invKey`{K. Key K \<in> H}"
-by (unfold keysFor_def, blast)
-
-
-subsubsection{*Combinations of parts, analz and synth *}
-
-lemma parts_synth [simp]: "parts (synth H) = parts H \<union> synth H"
-apply (rule equalityI)
-apply (rule subsetI)
-apply (erule parts.induct)
-apply (blast intro: synth_increasing [THEN parts_mono, THEN subsetD]
- parts.Fst parts.Snd parts.Body)+
-done
-
-lemma analz_analz_Un [simp]: "analz (analz G \<union> H) = analz (G \<union> H)"
-apply (intro equalityI analz_subset_cong)+
-apply simp_all
-done
-
-
-subsubsection{*For reasoning about the Fake rule in traces *}
-
-lemma parts_insert_subset_Un: "X\<in> G ==> parts(insert X H) \<subseteq> parts G \<union> parts H"
-by (rule subset_trans [OF parts_mono parts_Un_subset2], blast)
-
-text{*More specifically for Fake. Very occasionally we could do with a version
- of the form @{term"parts{X} \<subseteq> synth (analz H) \<union> parts H"} *}
-lemma Fake_parts_insert:
- "X \<in> synth (analz H) ==>
- parts (insert X H) \<subseteq> synth (analz H) \<union> parts H"
-apply (drule parts_insert_subset_Un)
-apply (simp (no_asm_use))
-apply blast
-done
-
-lemma Fake_parts_insert_in_Un:
- "[|Z \<in> parts (insert X H); X: synth (analz H)|]
- ==> Z \<in> synth (analz H) \<union> parts H";
-by (blast dest: Fake_parts_insert [THEN subsetD, dest])
-
-text{*@{term H} is sometimes @{term"Key ` KK \<union> spies evs"}, so can't put
- @{term "G=H"}.*}
-lemma Fake_analz_insert:
- "X\<in> synth (analz G) ==>
- analz (insert X H) \<subseteq> synth (analz G) \<union> analz (G \<union> H)"
-apply (rule subsetI)
-apply (subgoal_tac "x \<in> analz (synth (analz G) \<union> H) ")
-prefer 2 apply (blast intro: analz_mono [THEN [2] rev_subsetD] analz_mono [THEN synth_mono, THEN [2] rev_subsetD])
-apply (simp (no_asm_use))
-apply blast
-done
-
-lemma analz_conj_parts [simp]:
- "(X \<in> analz H & X \<in> parts H) = (X \<in> analz H)"
-by (blast intro: analz_subset_parts [THEN subsetD])
-
-lemma analz_disj_parts [simp]:
- "(X \<in> analz H | X \<in> parts H) = (X \<in> parts H)"
-by (blast intro: analz_subset_parts [THEN subsetD])
-
-text{*Without this equation, other rules for synth and analz would yield
- redundant cases*}
-lemma MPair_synth_analz [iff]:
- "({|X,Y|} \<in> synth (analz H)) =
- (X \<in> synth (analz H) & Y \<in> synth (analz H))"
-by blast
-
-lemma Crypt_synth_analz:
- "[| Key K \<in> analz H; Key (invKey K) \<in> analz H |]
- ==> (Crypt K X \<in> synth (analz H)) = (X \<in> synth (analz H))"
-by blast
-
-
-text{*We do NOT want Crypt... messages broken up in protocols!!*}
-declare parts.Body [rule del]
-
-
-text{*Rewrites to push in Key and Crypt messages, so that other messages can
- be pulled out using the @{text analz_insert} rules*}
-
-lemmas pushKeys [standard] =
- insert_commute [of "Key K" "Agent C"]
- insert_commute [of "Key K" "Nonce N"]
- insert_commute [of "Key K" "Number N"]
- insert_commute [of "Key K" "Hash X"]
- insert_commute [of "Key K" "MPair X Y"]
- insert_commute [of "Key K" "Crypt X K'"]
-
-lemmas pushCrypts [standard] =
- insert_commute [of "Crypt X K" "Agent C"]
- insert_commute [of "Crypt X K" "Agent C"]
- insert_commute [of "Crypt X K" "Nonce N"]
- insert_commute [of "Crypt X K" "Number N"]
- insert_commute [of "Crypt X K" "Hash X'"]
- insert_commute [of "Crypt X K" "MPair X' Y"]
-
-text{*Cannot be added with @{text "[simp]"} -- messages should not always be
- re-ordered. *}
-lemmas pushes = pushKeys pushCrypts
-
-
-subsection{*Tactics useful for many protocol proofs*}
-ML
-{*
-val invKey = @{thm invKey};
-val keysFor_def = @{thm keysFor_def};
-val symKeys_def = @{thm symKeys_def};
-val parts_mono = @{thm parts_mono};
-val analz_mono = @{thm analz_mono};
-val synth_mono = @{thm synth_mono};
-val analz_increasing = @{thm analz_increasing};
-
-val analz_insertI = @{thm analz_insertI};
-val analz_subset_parts = @{thm analz_subset_parts};
-val Fake_parts_insert = @{thm Fake_parts_insert};
-val Fake_analz_insert = @{thm Fake_analz_insert};
-val pushes = @{thms pushes};
-
-
-(*Analysis of Fake cases. Also works for messages that forward unknown parts,
- but this application is no longer necessary if analz_insert_eq is used.
- Abstraction over i is ESSENTIAL: it delays the dereferencing of claset
- DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)
-
-(*Apply rules to break down assumptions of the form
- Y \<in> parts(insert X H) and Y \<in> analz(insert X H)
-*)
-fun impOfSubs th = th RSN (2, @{thm rev_subsetD})
-
-val Fake_insert_tac =
- dresolve_tac [impOfSubs Fake_analz_insert,
- impOfSubs Fake_parts_insert] THEN'
- eresolve_tac [asm_rl, @{thm synth.Inj}];
-
-fun Fake_insert_simp_tac ss i =
- REPEAT (Fake_insert_tac i) THEN asm_full_simp_tac ss i;
-
-fun atomic_spy_analz_tac ctxt =
- SELECT_GOAL
- (Fake_insert_simp_tac (simpset_of ctxt) 1 THEN
- IF_UNSOLVED (Blast.depth_tac (ctxt addIs [analz_insertI, impOfSubs analz_subset_parts]) 4 1));
-
-fun spy_analz_tac ctxt i =
- DETERM
- (SELECT_GOAL
- (EVERY
- [ (*push in occurrences of X...*)
- (REPEAT o CHANGED)
- (res_inst_tac ctxt [(("x", 1), "X")] (insert_commute RS ssubst) 1),
- (*...allowing further simplifications*)
- simp_tac (simpset_of ctxt) 1,
- REPEAT (FIRSTGOAL (resolve_tac [allI,impI,notI,conjI,iffI])),
- DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i);
-*}
-
-text{*By default only @{text o_apply} is built-in. But in the presence of
-eta-expansion this means that some terms displayed as @{term "f o g"} will be
-rewritten, and others will not!*}
-declare o_def [simp]
-
-
-lemma Crypt_notin_image_Key [simp]: "Crypt K X \<notin> Key ` A"
-by auto
-
-lemma synth_analz_mono: "G\<subseteq>H ==> synth (analz(G)) \<subseteq> synth (analz(H))"
-by (iprover intro: synth_mono analz_mono)
-
-lemma Fake_analz_eq [simp]:
- "X \<in> synth(analz H) ==> synth (analz (insert X H)) = synth (analz H)"
-apply (drule Fake_analz_insert[of _ _ "H"])
-apply (simp add: synth_increasing[THEN Un_absorb2])
-apply (drule synth_mono)
-apply (simp add: synth_idem)
-apply (rule equalityI)
-apply (simp add: );
-apply (rule synth_analz_mono, blast)
-done
-
-text{*Two generalizations of @{text analz_insert_eq}*}
-lemma gen_analz_insert_eq [rule_format]:
- "X \<in> analz H ==> ALL G. H \<subseteq> G --> analz (insert X G) = analz G";
-by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD])
-
-lemma synth_analz_insert_eq [rule_format]:
- "X \<in> synth (analz H)
- ==> ALL G. H \<subseteq> G --> (Key K \<in> analz (insert X G)) = (Key K \<in> analz G)";
-apply (erule synth.induct)
-apply (simp_all add: gen_analz_insert_eq subset_trans [OF _ subset_insertI])
-done
-
-lemma Fake_parts_sing:
- "X \<in> synth (analz H) ==> parts{X} \<subseteq> synth (analz H) \<union> parts H";
-apply (rule subset_trans)
- apply (erule_tac [2] Fake_parts_insert)
-apply (rule parts_mono, blast)
-done
-
-lemmas Fake_parts_sing_imp_Un = Fake_parts_sing [THEN [2] rev_subsetD]
-
-method_setup spy_analz = {*
- Scan.succeed (SIMPLE_METHOD' o spy_analz_tac) *}
- "for proving the Fake case when analz is involved"
-
-method_setup atomic_spy_analz = {*
- Scan.succeed (SIMPLE_METHOD' o atomic_spy_analz_tac) *}
- "for debugging spy_analz"
-
-method_setup Fake_insert_simp = {*
- Scan.succeed (SIMPLE_METHOD' o Fake_insert_simp_tac o simpset_of) *}
- "for debugging spy_analz"
-
-
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/TutorialI/Protocol/NS_Public.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,402 +0,0 @@
-(* Title: HOL/Auth/NS_Public
- Author: Lawrence C Paulson, Cambridge University Computer Laboratory
- Copyright 1996 University of Cambridge
-
-Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol.
-Version incorporating Lowe's fix (inclusion of B's identity in round 2).
-*)(*<*)
-theory NS_Public imports Public begin(*>*)
-
-section{* Modelling the Protocol \label{sec:modelling} *}
-
-text_raw {*
-\begin{figure}
-\begin{isabelle}
-*}
-
-inductive_set ns_public :: "event list set"
- where
-
- Nil: "[] \<in> ns_public"
-
-
- | Fake: "\<lbrakk>evsf \<in> ns_public; X \<in> synth (analz (knows Spy evsf))\<rbrakk>
- \<Longrightarrow> Says Spy B X # evsf \<in> ns_public"
-
-
- | NS1: "\<lbrakk>evs1 \<in> ns_public; Nonce NA \<notin> used evs1\<rbrakk>
- \<Longrightarrow> Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)
- # evs1 \<in> ns_public"
-
-
- | NS2: "\<lbrakk>evs2 \<in> ns_public; Nonce NB \<notin> used evs2;
- Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk>
- \<Longrightarrow> Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
- # evs2 \<in> ns_public"
-
-
- | NS3: "\<lbrakk>evs3 \<in> ns_public;
- Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3;
- Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
- \<in> set evs3\<rbrakk>
- \<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) # evs3 \<in> ns_public"
-
-text_raw {*
-\end{isabelle}
-\caption{An Inductive Protocol Definition}\label{fig:ns_public}
-\end{figure}
-*}
-
-text {*
-Let us formalize the Needham-Schroeder public-key protocol, as corrected by
-Lowe:
-\begin{alignat*%
-}{2}
- &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
- &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
- &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
-\end{alignat*%
-}
-
-Each protocol step is specified by a rule of an inductive definition. An
-event trace has type @{text "event list"}, so we declare the constant
-@{text ns_public} to be a set of such traces.
-
-Figure~\ref{fig:ns_public} presents the inductive definition. The
-@{text Nil} rule introduces the empty trace. The @{text Fake} rule models the
-adversary's sending a message built from components taken from past
-traffic, expressed using the functions @{text synth} and
-@{text analz}.
-The next three rules model how honest agents would perform the three
-protocol steps.
-
-Here is a detailed explanation of rule @{text NS2}.
-A trace containing an event of the form
-@{term [display,indent=5] "Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"}
-may be extended by an event of the form
-@{term [display,indent=5] "Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"}
-where @{text NB} is a fresh nonce: @{term "Nonce NB \<notin> used evs2"}.
-Writing the sender as @{text A'} indicates that @{text B} does not
-know who sent the message. Calling the trace variable @{text evs2} rather
-than simply @{text evs} helps us know where we are in a proof after many
-case-splits: every subgoal mentioning @{text evs2} involves message~2 of the
-protocol.
-
-Benefits of this approach are simplicity and clarity. The semantic model
-is set theory, proofs are by induction and the translation from the informal
-notation to the inductive rules is straightforward.
-*}
-
-section{* Proving Elementary Properties \label{sec:regularity} *}
-
-(*<*)
-declare knows_Spy_partsEs [elim]
-declare analz_subset_parts [THEN subsetD, dest]
-declare Fake_parts_insert [THEN subsetD, dest]
-declare image_eq_UN [simp] (*accelerates proofs involving nested images*)
-
-(*A "possibility property": there are traces that reach the end*)
-lemma "\<exists>NB. \<exists>evs \<in> ns_public. Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
-apply (intro exI bexI)
-apply (rule_tac [2] ns_public.Nil [THEN ns_public.NS1, THEN ns_public.NS2,
- THEN ns_public.NS3])
-by possibility
-
-
-(**** Inductive proofs about ns_public ****)
-
-(** Theorems of the form X \<notin> parts (knows Spy evs) imply that NOBODY
- sends messages containing X! **)
-
-(*Spy never sees another agent's private key! (unless it's bad at start)*)
-(*>*)
-
-text {*
-Secrecy properties can be hard to prove. The conclusion of a typical
-secrecy theorem is
-@{term "X \<notin> analz (knows Spy evs)"}. The difficulty arises from
-having to reason about @{text analz}, or less formally, showing that the spy
-can never learn~@{text X}. Much easier is to prove that @{text X} can never
-occur at all. Such \emph{regularity} properties are typically expressed
-using @{text parts} rather than @{text analz}.
-
-The following lemma states that @{text A}'s private key is potentially
-known to the spy if and only if @{text A} belongs to the set @{text bad} of
-compromised agents. The statement uses @{text parts}: the very presence of
-@{text A}'s private key in a message, whether protected by encryption or
-not, is enough to confirm that @{text A} is compromised. The proof, like
-nearly all protocol proofs, is by induction over traces.
-*}
-
-lemma Spy_see_priK [simp]:
- "evs \<in> ns_public
- \<Longrightarrow> (Key (priK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
-apply (erule ns_public.induct, simp_all)
-txt {*
-The induction yields five subgoals, one for each rule in the definition of
-@{text ns_public}. The idea is to prove that the protocol property holds initially
-(rule @{text Nil}), is preserved by each of the legitimate protocol steps (rules
-@{text NS1}--@{text 3}), and even is preserved in the face of anything the
-spy can do (rule @{text Fake}).
-
-The proof is trivial. No legitimate protocol rule sends any keys
-at all, so only @{text Fake} is relevant. Indeed, simplification leaves
-only the @{text Fake} case, as indicated by the variable name @{text evsf}:
-@{subgoals[display,indent=0,margin=65]}
-*}
-by blast
-(*<*)
-lemma Spy_analz_priK [simp]:
- "evs \<in> ns_public \<Longrightarrow> (Key (priK A) \<in> analz (knows Spy evs)) = (A \<in> bad)"
-by auto
-(*>*)
-
-text {*
-The @{text Fake} case is proved automatically. If
-@{term "priK A"} is in the extended trace then either (1) it was already in the
-original trace or (2) it was
-generated by the spy, who must have known this key already.
-Either way, the induction hypothesis applies.
-
-\emph{Unicity} lemmas are regularity lemmas stating that specified items
-can occur only once in a trace. The following lemma states that a nonce
-cannot be used both as $Na$ and as $Nb$ unless
-it is known to the spy. Intuitively, it holds because honest agents
-always choose fresh values as nonces; only the spy might reuse a value,
-and he doesn't know this particular value. The proof script is short:
-induction, simplification, @{text blast}. The first line uses the rule
-@{text rev_mp} to prepare the induction by moving two assumptions into the
-induction formula.
-*}
-
-lemma no_nonce_NS1_NS2:
- "\<lbrakk>Crypt (pubK C) \<lbrace>NA', Nonce NA, Agent D\<rbrace> \<in> parts (knows Spy evs);
- Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs);
- evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Nonce NA \<in> analz (knows Spy evs)"
-apply (erule rev_mp, erule rev_mp)
-apply (erule ns_public.induct, simp_all)
-apply (blast intro: analz_insertI)+
-done
-
-text {*
-The following unicity lemma states that, if \isa{NA} is secret, then its
-appearance in any instance of message~1 determines the other components.
-The proof is similar to the previous one.
-*}
-
-lemma unique_NA:
- "\<lbrakk>Crypt(pubK B) \<lbrace>Nonce NA, Agent A \<rbrace> \<in> parts(knows Spy evs);
- Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(knows Spy evs);
- Nonce NA \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> A=A' \<and> B=B'"
-(*<*)
-apply (erule rev_mp, erule rev_mp, erule rev_mp)
-apply (erule ns_public.induct, simp_all)
-(*Fake, NS1*)
-apply (blast intro: analz_insertI)+
-done
-(*>*)
-
-section{* Proving Secrecy Theorems \label{sec:secrecy} *}
-
-(*<*)
-(*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure
- The major premise "Says A B ..." makes it a dest-rule, so we use
- (erule rev_mp) rather than rule_format. *)
-theorem Spy_not_see_NA:
- "\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs;
- A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Nonce NA \<notin> analz (knows Spy evs)"
-apply (erule rev_mp)
-apply (erule ns_public.induct, simp_all)
-apply spy_analz
-apply (blast dest: unique_NA intro: no_nonce_NS1_NS2)+
-done
-
-
-(*Authentication for A: if she receives message 2 and has used NA
- to start a run, then B has sent message 2.*)
-lemma A_trusts_NS2_lemma [rule_format]:
- "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
- Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
- Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
-apply (erule ns_public.induct, simp_all)
-(*Fake, NS1*)
-apply (blast dest: Spy_not_see_NA)+
-done
-
-theorem A_trusts_NS2:
- "\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs;
- Says B' A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
- A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
-by (blast intro: A_trusts_NS2_lemma)
-
-
-(*If the encrypted message appears then it originated with Alice in NS1*)
-lemma B_trusts_NS1 [rule_format]:
- "evs \<in> ns_public
- \<Longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
- Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow>
- Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
-apply (erule ns_public.induct, simp_all)
-(*Fake*)
-apply (blast intro!: analz_insertI)
-done
-
-
-
-(*** Authenticity properties obtained from NS2 ***)
-
-(*Unicity for NS2: nonce NB identifies nonce NA and agents A, B
- [unicity of B makes Lowe's fix work]
- [proof closely follows that for unique_NA] *)
-
-lemma unique_NB [dest]:
- "\<lbrakk>Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts(knows Spy evs);
- Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace> \<in> parts(knows Spy evs);
- Nonce NB \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> A=A' \<and> NA=NA' \<and> B=B'"
-apply (erule rev_mp, erule rev_mp, erule rev_mp)
-apply (erule ns_public.induct, simp_all)
-(*Fake, NS2*)
-apply (blast intro: analz_insertI)+
-done
-(*>*)
-
-text {*
-The secrecy theorems for Bob (the second participant) are especially
-important because they fail for the original protocol. The following
-theorem states that if Bob sends message~2 to Alice, and both agents are
-uncompromised, then Bob's nonce will never reach the spy.
-*}
-
-theorem Spy_not_see_NB [dest]:
- "\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
- A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Nonce NB \<notin> analz (knows Spy evs)"
-txt {*
-To prove it, we must formulate the induction properly (one of the
-assumptions mentions~@{text evs}), apply induction, and simplify:
-*}
-
-apply (erule rev_mp, erule ns_public.induct, simp_all)
-(*<*)
-apply spy_analz
-defer
-apply (blast intro: no_nonce_NS1_NS2)
-apply (blast intro: no_nonce_NS1_NS2)
-(*>*)
-
-txt {*
-The proof states are too complicated to present in full.
-Let's examine the simplest subgoal, that for message~1. The following
-event has just occurred:
-\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
-The variables above have been primed because this step
-belongs to a different run from that referred to in the theorem
-statement --- the theorem
-refers to a past instance of message~2, while this subgoal
-concerns message~1 being sent just now.
-In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$
-we have @{text Ba} and~@{text NAa}:
-@{subgoals[display,indent=0]}
-The simplifier has used a
-default simplification rule that does a case
-analysis for each encrypted message on whether or not the decryption key
-is compromised.
-@{named_thms [display,indent=0,margin=50] analz_Crypt_if [no_vars] (analz_Crypt_if)}
-The simplifier has also used @{text Spy_see_priK}, proved in
-{\S}\ref{sec:regularity} above, to yield @{term "Ba \<in> bad"}.
-
-Recall that this subgoal concerns the case
-where the last message to be sent was
-\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
-This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised,
-allowing the spy to decrypt the message. The Isabelle subgoal says
-precisely this, if we allow for its choice of variable names.
-Proving @{term "NB \<noteq> NAa"} is easy: @{text NB} was
-sent earlier, while @{text NAa} is fresh; formally, we have
-the assumption @{term "Nonce NAa \<notin> used evs1"}.
-
-Note that our reasoning concerned @{text B}'s participation in another
-run. Agents may engage in several runs concurrently, and some attacks work
-by interleaving the messages of two runs. With model checking, this
-possibility can cause a state-space explosion, and for us it
-certainly complicates proofs. The biggest subgoal concerns message~2. It
-splits into several cases, such as whether or not the message just sent is
-the very message mentioned in the theorem statement.
-Some of the cases are proved by unicity, others by
-the induction hypothesis. For all those complications, the proofs are
-automatic by @{text blast} with the theorem @{text no_nonce_NS1_NS2}.
-
-The remaining theorems about the protocol are not hard to prove. The
-following one asserts a form of \emph{authenticity}: if
-@{text B} has sent an instance of message~2 to~@{text A} and has received the
-expected reply, then that reply really originated with~@{text A}. The
-proof is a simple induction.
-*}
-
-(*<*)
-by (blast intro: no_nonce_NS1_NS2)
-
-lemma B_trusts_NS3_lemma [rule_format]:
- "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow>
- Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow>
- Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow>
- Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
-by (erule ns_public.induct, auto)
-(*>*)
-theorem B_trusts_NS3:
- "\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
- Says A' B (Crypt (pubK B) (Nonce NB)) \<in> set evs;
- A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
- \<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
-(*<*)
-by (blast intro: B_trusts_NS3_lemma)
-
-(*** Overall guarantee for B ***)
-
-
-(*If NS3 has been sent and the nonce NB agrees with the nonce B joined with
- NA, then A initiated the run using NA.*)
-theorem B_trusts_protocol [rule_format]:
- "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow>
- Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow>
- Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow>
- Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
-by (erule ns_public.induct, auto)
-(*>*)
-
-text {*
-From similar assumptions, we can prove that @{text A} started the protocol
-run by sending an instance of message~1 involving the nonce~@{text NA}\@.
-For this theorem, the conclusion is
-@{thm [display] (concl) B_trusts_protocol [no_vars]}
-Analogous theorems can be proved for~@{text A}, stating that nonce~@{text NA}
-remains secret and that message~2 really originates with~@{text B}. Even the
-flawed protocol establishes these properties for~@{text A};
-the flaw only harms the second participant.
-
-\medskip
-
-Detailed information on this protocol verification technique can be found
-elsewhere~\cite{paulson-jcs}, including proofs of an Internet
-protocol~\cite{paulson-tls}. We must stress that the protocol discussed
-in this chapter is trivial. There are only three messages; no keys are
-exchanged; we merely have to prove that encrypted data remains secret.
-Real world protocols are much longer and distribute many secrets to their
-participants. To be realistic, the model has to include the possibility
-of keys being lost dynamically due to carelessness. If those keys have
-been used to encrypt other sensitive information, there may be cascading
-losses. We may still be able to establish a bound on the losses and to
-prove that other protocol runs function
-correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
-the strategy illustrated above, but the subgoals can
-be much bigger and there are more of them.
-\index{protocols!security|)}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Protocol/Public.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,172 +0,0 @@
-(* Title: HOL/Auth/Public
- Author: Lawrence C Paulson, Cambridge University Computer Laboratory
- Copyright 1996 University of Cambridge
-
-Theory of Public Keys (common to all public-key protocols)
-
-Private and public keys; initial states of agents
-*)(*<*)
-theory Public imports Event
-begin
-(*>*)
-
-text {*
-The function
-@{text pubK} maps agents to their public keys. The function
-@{text priK} maps agents to their private keys. It is merely
-an abbreviation (cf.\ \S\ref{sec:abbreviations}) defined in terms of
-@{text invKey} and @{text pubK}.
-*}
-
-consts pubK :: "agent \<Rightarrow> key"
-abbreviation priK :: "agent \<Rightarrow> key"
-where "priK x \<equiv> invKey(pubK x)"
-(*<*)
-overloading initState \<equiv> initState
-begin
-
-primrec initState where
- (*Agents know their private key and all public keys*)
- initState_Server: "initState Server =
- insert (Key (priK Server)) (Key ` range pubK)"
-| initState_Friend: "initState (Friend i) =
- insert (Key (priK (Friend i))) (Key ` range pubK)"
-| initState_Spy: "initState Spy =
- (Key`invKey`pubK`bad) Un (Key ` range pubK)"
-
-end
-(*>*)
-
-text {*
-\noindent
-The set @{text bad} consists of those agents whose private keys are known to
-the spy.
-
-Two axioms are asserted about the public-key cryptosystem.
-No two agents have the same public key, and no private key equals
-any public key.
-*}
-
-axioms
- inj_pubK: "inj pubK"
- priK_neq_pubK: "priK A \<noteq> pubK B"
-(*<*)
-lemmas [iff] = inj_pubK [THEN inj_eq]
-
-lemma priK_inj_eq[iff]: "(priK A = priK B) = (A=B)"
- apply safe
- apply (drule_tac f=invKey in arg_cong)
- apply simp
- done
-
-lemmas [iff] = priK_neq_pubK priK_neq_pubK [THEN not_sym]
-
-lemma not_symKeys_pubK[iff]: "pubK A \<notin> symKeys"
- by (simp add: symKeys_def)
-
-lemma not_symKeys_priK[iff]: "priK A \<notin> symKeys"
- by (simp add: symKeys_def)
-
-lemma symKeys_neq_imp_neq: "(K \<in> symKeys) \<noteq> (K' \<in> symKeys) \<Longrightarrow> K \<noteq> K'"
- by blast
-
-lemma analz_symKeys_Decrypt: "[| Crypt K X \<in> analz H; K \<in> symKeys; Key K \<in> analz H |]
- ==> X \<in> analz H"
- by (auto simp add: symKeys_def)
-
-
-(** "Image" equations that hold for injective functions **)
-
-lemma invKey_image_eq[simp]: "(invKey x : invKey`A) = (x:A)"
- by auto
-
-(*holds because invKey is injective*)
-lemma pubK_image_eq[simp]: "(pubK x : pubK`A) = (x:A)"
- by auto
-
-lemma priK_pubK_image_eq[simp]: "(priK x ~: pubK`A)"
- by auto
-
-
-(** Rewrites should not refer to initState(Friend i)
- -- not in normal form! **)
-
-lemma keysFor_parts_initState[simp]: "keysFor (parts (initState C)) = {}"
- apply (unfold keysFor_def)
- apply (induct C)
- apply (auto intro: range_eqI)
- done
-
-
-(*** Function "spies" ***)
-
-(*Agents see their own private keys!*)
-lemma priK_in_initState[iff]: "Key (priK A) : initState A"
- by (induct A) auto
-
-(*All public keys are visible*)
-lemma spies_pubK[iff]: "Key (pubK A) : spies evs"
- by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
-
-(*Spy sees private keys of bad agents!*)
-lemma Spy_spies_bad[intro!]: "A: bad ==> Key (priK A) : spies evs"
- by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
-
-lemmas [iff] = spies_pubK [THEN analz.Inj]
-
-
-(*** Fresh nonces ***)
-
-lemma Nonce_notin_initState[iff]: "Nonce N ~: parts (initState B)"
- by (induct B) auto
-
-lemma Nonce_notin_used_empty[simp]: "Nonce N ~: used []"
- by (simp add: used_Nil)
-
-
-(*** Supply fresh nonces for possibility theorems. ***)
-
-(*In any trace, there is an upper bound N on the greatest nonce in use.*)
-lemma Nonce_supply_lemma: "EX N. ALL n. N<=n --> Nonce n \<notin> used evs"
-apply (induct_tac "evs")
-apply (rule_tac x = 0 in exI)
-apply (simp_all (no_asm_simp) add: used_Cons split add: event.split)
-apply safe
-apply (rule msg_Nonce_supply [THEN exE], blast elim!: add_leE)+
-done
-
-lemma Nonce_supply1: "EX N. Nonce N \<notin> used evs"
-by (rule Nonce_supply_lemma [THEN exE], blast)
-
-lemma Nonce_supply: "Nonce (@ N. Nonce N \<notin> used evs) \<notin> used evs"
-apply (rule Nonce_supply_lemma [THEN exE])
-apply (rule someI, fast)
-done
-
-
-(*** Specialized rewriting for the analz_image_... theorems ***)
-
-lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} Un H"
- by blast
-
-lemma insert_Key_image: "insert (Key K) (Key`KK Un C) = Key ` (insert K KK) Un C"
- by blast
-
-
-(*Specialized methods*)
-
-(*Tactic for possibility theorems*)
-ML {*
-fun possibility_tac ctxt =
- REPEAT (*omit used_Says so that Nonces start from different traces!*)
- (ALLGOALS (simp_tac (simpset_of ctxt delsimps [used_Says]))
- THEN
- REPEAT_FIRST (eq_assume_tac ORELSE'
- resolve_tac [refl, conjI, @{thm Nonce_supply}]));
-*}
-
-method_setup possibility = {* Scan.succeed (SIMPLE_METHOD o possibility_tac) *}
- "for proving possibility theorems"
-
-end
-(*>*)
\ No newline at end of file
--- a/doc-src/TutorialI/Recdef/Induction.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,71 +0,0 @@
-(*<*)
-theory Induction imports examples simplification begin;
-(*>*)
-
-text{*
-Assuming we have defined our function such that Isabelle could prove
-termination and that the recursion equations (or some suitable derived
-equations) are simplification rules, we might like to prove something about
-our function. Since the function is recursive, the natural proof principle is
-again induction. But this time the structural form of induction that comes
-with datatypes is unlikely to work well --- otherwise we could have defined the
-function by \isacommand{primrec}. Therefore \isacommand{recdef} automatically
-proves a suitable induction rule $f$@{text".induct"} that follows the
-recursion pattern of the particular function $f$. We call this
-\textbf{recursion induction}. Roughly speaking, it
-requires you to prove for each \isacommand{recdef} equation that the property
-you are trying to establish holds for the left-hand side provided it holds
-for all recursive calls on the right-hand side. Here is a simple example
-involving the predefined @{term"map"} functional on lists:
-*}
-
-lemma "map f (sep(x,xs)) = sep(f x, map f xs)";
-
-txt{*\noindent
-Note that @{term"map f xs"}
-is the result of applying @{term"f"} to all elements of @{term"xs"}. We prove
-this lemma by recursion induction over @{term"sep"}:
-*}
-
-apply(induct_tac x xs rule: sep.induct);
-
-txt{*\noindent
-The resulting proof state has three subgoals corresponding to the three
-clauses for @{term"sep"}:
-@{subgoals[display,indent=0]}
-The rest is pure simplification:
-*}
-
-apply simp_all;
-done
-
-text{*
-Try proving the above lemma by structural induction, and you find that you
-need an additional case distinction. What is worse, the names of variables
-are invented by Isabelle and have nothing to do with the names in the
-definition of @{term"sep"}.
-
-In general, the format of invoking recursion induction is
-\begin{quote}
-\isacommand{apply}@{text"(induct_tac"} $x@1 \dots x@n$ @{text"rule:"} $f$@{text".induct)"}
-\end{quote}\index{*induct_tac (method)}%
-where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
-name of a function that takes an $n$-tuple. Usually the subgoal will
-contain the term $f(x@1,\dots,x@n)$ but this need not be the case. The
-induction rules do not mention $f$ at all. Here is @{thm[source]sep.induct}:
-\begin{isabelle}
-{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
-~~{\isasymAnd}a~x.~P~a~[x];\isanewline
-~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
-{\isasymLongrightarrow}~P~u~v%
-\end{isabelle}
-It merely says that in order to prove a property @{term"P"} of @{term"u"} and
-@{term"v"} you need to prove it for the three cases where @{term"v"} is the
-empty list, the singleton list, and the list with at least two elements.
-The final case has an induction hypothesis: you may assume that @{term"P"}
-holds for the tail of that list.
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Recdef/Nested0.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-(*<*)
-theory Nested0 imports Main begin
-(*>*)
-
-text{*
-\index{datatypes!nested}%
-In \S\ref{sec:nested-datatype} we defined the datatype of terms
-*}
-
-datatype ('a,'b)"term" = Var 'a | App 'b "('a,'b)term list"
-
-text{*\noindent
-and closed with the observation that the associated schema for the definition
-of primitive recursive functions leads to overly verbose definitions. Moreover,
-if you have worked exercise~\ref{ex:trev-trev} you will have noticed that
-you needed to declare essentially the same function as @{term"rev"}
-and prove many standard properties of list reversal all over again.
-We will now show you how \isacommand{recdef} can simplify
-definitions and proofs about nested recursive datatypes. As an example we
-choose exercise~\ref{ex:trev-trev}:
-*}
-
-consts trev :: "('a,'b)term \<Rightarrow> ('a,'b)term"
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Recdef/Nested1.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-(*<*)
-theory Nested1 imports Nested0 begin
-(*>*)
-
-text{*\noindent
-Although the definition of @{term trev} below is quite natural, we will have
-to overcome a minor difficulty in convincing Isabelle of its termination.
-It is precisely this difficulty that is the \textit{raison d'\^etre} of
-this subsection.
-
-Defining @{term trev} by \isacommand{recdef} rather than \isacommand{primrec}
-simplifies matters because we are now free to use the recursion equation
-suggested at the end of \S\ref{sec:nested-datatype}:
-*}
-
-recdef (*<*)(permissive)(*>*)trev "measure size"
- "trev (Var x) = Var x"
- "trev (App f ts) = App f (rev(map trev ts))"
-
-text{*\noindent
-Remember that function @{term size} is defined for each \isacommand{datatype}.
-However, the definition does not succeed. Isabelle complains about an
-unproved termination condition
-@{prop[display]"t : set ts --> size t < Suc (term_list_size ts)"}
-where @{term set} returns the set of elements of a list
-and @{text"term_list_size :: term list \<Rightarrow> nat"} is an auxiliary
-function automatically defined by Isabelle
-(while processing the declaration of @{text term}). Why does the
-recursive call of @{const trev} lead to this
-condition? Because \isacommand{recdef} knows that @{term map}
-will apply @{const trev} only to elements of @{term ts}. Thus the
-condition expresses that the size of the argument @{prop"t : set ts"} of any
-recursive call of @{const trev} is strictly less than @{term"size(App f ts)"},
-which equals @{term"Suc(term_list_size ts)"}. We will now prove the termination condition and
-continue with our definition. Below we return to the question of how
-\isacommand{recdef} knows about @{term map}.
-
-The termination condition is easily proved by induction:
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Recdef/Nested2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-(*<*)
-theory Nested2 imports Nested0 begin
-(*>*)
-
-lemma [simp]: "t \<in> set ts \<longrightarrow> size t < Suc(term_list_size ts)"
-by(induct_tac ts, auto)
-(*<*)
-recdef trev "measure size"
- "trev (Var x) = Var x"
- "trev (App f ts) = App f (rev(map trev ts))"
-(*>*)
-text{*\noindent
-By making this theorem a simplification rule, \isacommand{recdef}
-applies it automatically and the definition of @{term"trev"}
-succeeds now. As a reward for our effort, we can now prove the desired
-lemma directly. We no longer need the verbose
-induction schema for type @{text"term"} and can use the simpler one arising from
-@{term"trev"}:
-*}
-
-lemma "trev(trev t) = t"
-apply(induct_tac t rule: trev.induct)
-txt{*
-@{subgoals[display,indent=0]}
-Both the base case and the induction step fall to simplification:
-*}
-
-by(simp_all add: rev_map sym[OF map_compose] cong: map_cong)
-
-text{*\noindent
-If the proof of the induction step mystifies you, we recommend that you go through
-the chain of simplification steps in detail; you will probably need the help of
-@{text"simp_trace"}. Theorem @{thm[source]map_cong} is discussed below.
-%\begin{quote}
-%{term[display]"trev(trev(App f ts))"}\\
-%{term[display]"App f (rev(map trev (rev(map trev ts))))"}\\
-%{term[display]"App f (map trev (rev(rev(map trev ts))))"}\\
-%{term[display]"App f (map trev (map trev ts))"}\\
-%{term[display]"App f (map (trev o trev) ts)"}\\
-%{term[display]"App f (map (%x. x) ts)"}\\
-%{term[display]"App f ts"}
-%\end{quote}
-
-The definition of @{term"trev"} above is superior to the one in
-\S\ref{sec:nested-datatype} because it uses @{term"rev"}
-and lets us use existing facts such as \hbox{@{prop"rev(rev xs) = xs"}}.
-Thus this proof is a good example of an important principle:
-\begin{quote}
-\emph{Chose your definitions carefully\\
-because they determine the complexity of your proofs.}
-\end{quote}
-
-Let us now return to the question of how \isacommand{recdef} can come up with
-sensible termination conditions in the presence of higher-order functions
-like @{term"map"}. For a start, if nothing were known about @{term"map"}, then
-@{term"map trev ts"} might apply @{term"trev"} to arbitrary terms, and thus
-\isacommand{recdef} would try to prove the unprovable @{term"size t < Suc
-(term_list_size ts)"}, without any assumption about @{term"t"}. Therefore
-\isacommand{recdef} has been supplied with the congruence theorem
-@{thm[source]map_cong}:
-@{thm[display,margin=50]"map_cong"[no_vars]}
-Its second premise expresses that in @{term"map f xs"},
-function @{term"f"} is only applied to elements of list @{term"xs"}. Congruence
-rules for other higher-order functions on lists are similar. If you get
-into a situation where you need to supply \isacommand{recdef} with new
-congruence rules, you can append a hint after the end of
-the recursion equations:\cmmdx{hints}
-*}
-(*<*)
-consts dummy :: "nat => nat"
-recdef dummy "{}"
-"dummy n = n"
-(*>*)
-(hints recdef_cong: map_cong)
-
-text{*\noindent
-Or you can declare them globally
-by giving them the \attrdx{recdef_cong} attribute:
-*}
-
-declare map_cong[recdef_cong]
-
-text{*
-The @{text cong} and @{text recdef_cong} attributes are
-intentionally kept apart because they control different activities, namely
-simplification and making recursive definitions.
-%The simplifier's congruence rules cannot be used by recdef.
-%For example the weak congruence rules for if and case would prevent
-%recdef from generating sensible termination conditions.
-*}
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Recdef/examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,95 +0,0 @@
-(*<*)
-theory examples imports Main begin;
-(*>*)
-
-text{*
-Here is a simple example, the \rmindex{Fibonacci function}:
-*}
-
-consts fib :: "nat \<Rightarrow> nat";
-recdef fib "measure(\<lambda>n. n)"
- "fib 0 = 0"
- "fib (Suc 0) = 1"
- "fib (Suc(Suc x)) = fib x + fib (Suc x)";
-
-text{*\noindent
-\index{measure functions}%
-The definition of @{term"fib"} is accompanied by a \textbf{measure function}
-@{term"%n. n"} which maps the argument of @{term"fib"} to a
-natural number. The requirement is that in each equation the measure of the
-argument on the left-hand side is strictly greater than the measure of the
-argument of each recursive call. In the case of @{term"fib"} this is
-obviously true because the measure function is the identity and
-@{term"Suc(Suc x)"} is strictly greater than both @{term"x"} and
-@{term"Suc x"}.
-
-Slightly more interesting is the insertion of a fixed element
-between any two elements of a list:
-*}
-
-consts sep :: "'a \<times> 'a list \<Rightarrow> 'a list";
-recdef sep "measure (\<lambda>(a,xs). length xs)"
- "sep(a, []) = []"
- "sep(a, [x]) = [x]"
- "sep(a, x#y#zs) = x # a # sep(a,y#zs)";
-
-text{*\noindent
-This time the measure is the length of the list, which decreases with the
-recursive call; the first component of the argument tuple is irrelevant.
-The details of tupled $\lambda$-abstractions @{text"\<lambda>(x\<^sub>1,\<dots>,x\<^sub>n)"} are
-explained in \S\ref{sec:products}, but for now your intuition is all you need.
-
-Pattern matching\index{pattern matching!and \isacommand{recdef}}
-need not be exhaustive:
-*}
-
-consts last :: "'a list \<Rightarrow> 'a";
-recdef last "measure (\<lambda>xs. length xs)"
- "last [x] = x"
- "last (x#y#zs) = last (y#zs)";
-
-text{*
-Overlapping patterns are disambiguated by taking the order of equations into
-account, just as in functional programming:
-*}
-
-consts sep1 :: "'a \<times> 'a list \<Rightarrow> 'a list";
-recdef sep1 "measure (\<lambda>(a,xs). length xs)"
- "sep1(a, x#y#zs) = x # a # sep1(a,y#zs)"
- "sep1(a, xs) = xs";
-
-text{*\noindent
-To guarantee that the second equation can only be applied if the first
-one does not match, Isabelle internally replaces the second equation
-by the two possibilities that are left: @{prop"sep1(a,[]) = []"} and
-@{prop"sep1(a, [x]) = [x]"}. Thus the functions @{term sep} and
-@{const sep1} are identical.
-
-\begin{warn}
- \isacommand{recdef} only takes the first argument of a (curried)
- recursive function into account. This means both the termination measure
- and pattern matching can only use that first argument. In general, you will
- therefore have to combine several arguments into a tuple. In case only one
- argument is relevant for termination, you can also rearrange the order of
- arguments as in the following definition:
-\end{warn}
-*}
-consts sep2 :: "'a list \<Rightarrow> 'a \<Rightarrow> 'a list";
-recdef sep2 "measure length"
- "sep2 (x#y#zs) = (\<lambda>a. x # a # sep2 (y#zs) a)"
- "sep2 xs = (\<lambda>a. xs)";
-
-text{*
-Because of its pattern-matching syntax, \isacommand{recdef} is also useful
-for the definition of non-recursive functions, where the termination measure
-degenerates to the empty set @{term"{}"}:
-*}
-
-consts swap12 :: "'a list \<Rightarrow> 'a list";
-recdef swap12 "{}"
- "swap12 (x#y#zs) = y#x#zs"
- "swap12 zs = zs";
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Recdef/simplification.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,99 +0,0 @@
-(*<*)
-theory simplification imports Main begin;
-(*>*)
-
-text{*
-Once we have proved all the termination conditions, the \isacommand{recdef}
-recursion equations become simplification rules, just as with
-\isacommand{primrec}. In most cases this works fine, but there is a subtle
-problem that must be mentioned: simplification may not
-terminate because of automatic splitting of @{text "if"}.
-\index{*if expressions!splitting of}
-Let us look at an example:
-*}
-
-consts gcd :: "nat\<times>nat \<Rightarrow> nat";
-recdef gcd "measure (\<lambda>(m,n).n)"
- "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))";
-
-text{*\noindent
-According to the measure function, the second argument should decrease with
-each recursive call. The resulting termination condition
-@{term[display]"n ~= (0::nat) ==> m mod n < n"}
-is proved automatically because it is already present as a lemma in
-HOL\@. Thus the recursion equation becomes a simplification
-rule. Of course the equation is nonterminating if we are allowed to unfold
-the recursive call inside the @{text else} branch, which is why programming
-languages and our simplifier don't do that. Unfortunately the simplifier does
-something else that leads to the same problem: it splits
-each @{text "if"}-expression unless its
-condition simplifies to @{term True} or @{term False}. For
-example, simplification reduces
-@{term[display]"gcd(m,n) = k"}
-in one step to
-@{term[display]"(if n=0 then m else gcd(n, m mod n)) = k"}
-where the condition cannot be reduced further, and splitting leads to
-@{term[display]"(n=0 --> m=k) & (n ~= 0 --> gcd(n, m mod n)=k)"}
-Since the recursive call @{term"gcd(n, m mod n)"} is no longer protected by
-an @{text "if"}, it is unfolded again, which leads to an infinite chain of
-simplification steps. Fortunately, this problem can be avoided in many
-different ways.
-
-The most radical solution is to disable the offending theorem
-@{thm[source]split_if},
-as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
-approach: you will often have to invoke the rule explicitly when
-@{text "if"} is involved.
-
-If possible, the definition should be given by pattern matching on the left
-rather than @{text "if"} on the right. In the case of @{term gcd} the
-following alternative definition suggests itself:
-*}
-
-consts gcd1 :: "nat\<times>nat \<Rightarrow> nat";
-recdef gcd1 "measure (\<lambda>(m,n).n)"
- "gcd1 (m, 0) = m"
- "gcd1 (m, n) = gcd1(n, m mod n)";
-
-
-text{*\noindent
-The order of equations is important: it hides the side condition
-@{prop"n ~= (0::nat)"}. Unfortunately, in general the case distinction
-may not be expressible by pattern matching.
-
-A simple alternative is to replace @{text "if"} by @{text case},
-which is also available for @{typ bool} and is not split automatically:
-*}
-
-consts gcd2 :: "nat\<times>nat \<Rightarrow> nat";
-recdef gcd2 "measure (\<lambda>(m,n).n)"
- "gcd2(m,n) = (case n=0 of True \<Rightarrow> m | False \<Rightarrow> gcd2(n,m mod n))";
-
-text{*\noindent
-This is probably the neatest solution next to pattern matching, and it is
-always available.
-
-A final alternative is to replace the offending simplification rules by
-derived conditional ones. For @{term gcd} it means we have to prove
-these lemmas:
-*}
-
-lemma [simp]: "gcd (m, 0) = m";
-apply(simp);
-done
-
-lemma [simp]: "n \<noteq> 0 \<Longrightarrow> gcd(m, n) = gcd(n, m mod n)";
-apply(simp);
-done
-
-text{*\noindent
-Simplification terminates for these proofs because the condition of the @{text
-"if"} simplifies to @{term True} or @{term False}.
-Now we can disable the original simplification rule:
-*}
-
-declare gcd.simps [simp del]
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Recdef/termination.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,70 +0,0 @@
-(*<*)
-theory "termination" imports examples begin
-(*>*)
-
-text{*
-When a function~$f$ is defined via \isacommand{recdef}, Isabelle tries to prove
-its termination with the help of the user-supplied measure. Each of the examples
-above is simple enough that Isabelle can automatically prove that the
-argument's measure decreases in each recursive call. As a result,
-$f$@{text".simps"} will contain the defining equations (or variants derived
-from them) as theorems. For example, look (via \isacommand{thm}) at
-@{thm[source]sep.simps} and @{thm[source]sep1.simps} to see that they define
-the same function. What is more, those equations are automatically declared as
-simplification rules.
-
-Isabelle may fail to prove the termination condition for some
-recursive call. Let us try to define Quicksort:*}
-
-consts qs :: "nat list \<Rightarrow> nat list"
-recdef(*<*)(permissive)(*>*) qs "measure length"
- "qs [] = []"
- "qs(x#xs) = qs(filter (\<lambda>y. y\<le>x) xs) @ [x] @ qs(filter (\<lambda>y. x<y) xs)"
-
-text{*\noindent where @{term filter} is predefined and @{term"filter P xs"}
-is the list of elements of @{term xs} satisfying @{term P}.
-This definition of @{term qs} fails, and Isabelle prints an error message
-showing you what it was unable to prove:
-@{text[display]"length (filter ... xs) < Suc (length xs)"}
-We can either prove this as a separate lemma, or try to figure out which
-existing lemmas may help. We opt for the second alternative. The theory of
-lists contains the simplification rule @{thm length_filter_le[no_vars]},
-which is what we need, provided we turn \mbox{@{text"< Suc"}}
-into
-@{text"\<le>"} so that the rule applies. Lemma
-@{thm[source]less_Suc_eq_le} does just that: @{thm less_Suc_eq_le[no_vars]}.
-
-Now we retry the above definition but supply the lemma(s) just found (or
-proved). Because \isacommand{recdef}'s termination prover involves
-simplification, we include in our second attempt a hint: the
-\attrdx{recdef_simp} attribute says to use @{thm[source]less_Suc_eq_le} as a
-simplification rule.\cmmdx{hints} *}
-
-(*<*)global consts qs :: "nat list \<Rightarrow> nat list" (*>*)
-recdef qs "measure length"
- "qs [] = []"
- "qs(x#xs) = qs(filter (\<lambda>y. y\<le>x) xs) @ [x] @ qs(filter (\<lambda>y. x<y) xs)"
-(hints recdef_simp: less_Suc_eq_le)
-(*<*)local(*>*)
-text{*\noindent
-This time everything works fine. Now @{thm[source]qs.simps} contains precisely
-the stated recursion equations for @{text qs} and they have become
-simplification rules.
-Thus we can automatically prove results such as this one:
-*}
-
-theorem "qs[2,3,0] = qs[3,0,2]"
-apply(simp)
-done
-
-text{*\noindent
-More exciting theorems require induction, which is discussed below.
-
-If the termination proof requires a lemma that is of general use, you can
-turn it permanently into a simplification rule, in which case the above
-\isacommand{hint} is not necessary. But in the case of
-@{thm[source]less_Suc_eq_le} this would be of dubious value.
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Rules/Basic.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,454 +0,0 @@
-theory Basic imports Main begin
-
-lemma conj_rule: "\<lbrakk> P; Q \<rbrakk> \<Longrightarrow> P \<and> (Q \<and> P)"
-apply (rule conjI)
- apply assumption
-apply (rule conjI)
- apply assumption
-apply assumption
-done
-
-
-lemma disj_swap: "P | Q \<Longrightarrow> Q | P"
-apply (erule disjE)
- apply (rule disjI2)
- apply assumption
-apply (rule disjI1)
-apply assumption
-done
-
-lemma conj_swap: "P \<and> Q \<Longrightarrow> Q \<and> P"
-apply (rule conjI)
- apply (drule conjunct2)
- apply assumption
-apply (drule conjunct1)
-apply assumption
-done
-
-lemma imp_uncurry: "P \<longrightarrow> Q \<longrightarrow> R \<Longrightarrow> P \<and> Q \<longrightarrow> R"
-apply (rule impI)
-apply (erule conjE)
-apply (drule mp)
- apply assumption
-apply (drule mp)
- apply assumption
- apply assumption
-done
-
-text {*
-by eliminates uses of assumption and done
-*}
-
-lemma imp_uncurry': "P \<longrightarrow> Q \<longrightarrow> R \<Longrightarrow> P \<and> Q \<longrightarrow> R"
-apply (rule impI)
-apply (erule conjE)
-apply (drule mp)
- apply assumption
-by (drule mp)
-
-
-text {*
-substitution
-
-@{thm[display] ssubst}
-\rulename{ssubst}
-*}
-
-lemma "\<lbrakk> x = f x; P(f x) \<rbrakk> \<Longrightarrow> P x"
-by (erule ssubst)
-
-text {*
-also provable by simp (re-orients)
-*}
-
-text {*
-the subst method
-
-@{thm[display] mult_commute}
-\rulename{mult_commute}
-
-this would fail:
-apply (simp add: mult_commute)
-*}
-
-
-lemma "\<lbrakk>P x y z; Suc x < y\<rbrakk> \<Longrightarrow> f z = x*y"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*}
-apply (subst mult_commute)
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*}
-oops
-
-(*exercise involving THEN*)
-lemma "\<lbrakk>P x y z; Suc x < y\<rbrakk> \<Longrightarrow> f z = x*y"
-apply (rule mult_commute [THEN ssubst])
-oops
-
-
-lemma "\<lbrakk>x = f x; triple (f x) (f x) x\<rbrakk> \<Longrightarrow> triple x x x"
-apply (erule ssubst)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-back --{* @{subgoals[display,indent=0,margin=65]} *}
-back --{* @{subgoals[display,indent=0,margin=65]} *}
-back --{* @{subgoals[display,indent=0,margin=65]} *}
-back --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
-done
-
-lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
-apply (erule ssubst, assumption)
-done
-
-text{*
-or better still
-*}
-
-lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
-by (erule ssubst)
-
-
-lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
-apply (erule_tac P="\<lambda>u. triple u u x" in ssubst)
-apply (assumption)
-done
-
-
-lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
-by (erule_tac P="\<lambda>u. triple u u x" in ssubst)
-
-
-text {*
-negation
-
-@{thm[display] notI}
-\rulename{notI}
-
-@{thm[display] notE}
-\rulename{notE}
-
-@{thm[display] classical}
-\rulename{classical}
-
-@{thm[display] contrapos_pp}
-\rulename{contrapos_pp}
-
-@{thm[display] contrapos_pn}
-\rulename{contrapos_pn}
-
-@{thm[display] contrapos_np}
-\rulename{contrapos_np}
-
-@{thm[display] contrapos_nn}
-\rulename{contrapos_nn}
-*}
-
-
-lemma "\<lbrakk>\<not>(P\<longrightarrow>Q); \<not>(R\<longrightarrow>Q)\<rbrakk> \<Longrightarrow> R"
-apply (erule_tac Q="R\<longrightarrow>Q" in contrapos_np)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (intro impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-by (erule notE)
-
-text {*
-@{thm[display] disjCI}
-\rulename{disjCI}
-*}
-
-lemma "(P \<or> Q) \<and> R \<Longrightarrow> P \<or> Q \<and> R"
-apply (intro disjCI conjI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-
-apply (elim conjE disjE)
- apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-
-by (erule contrapos_np, rule conjI)
-text{*
-proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ {\isadigit{6}}\isanewline
-\isanewline
-goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
-{\isacharparenleft}P\ {\isasymor}\ Q{\isacharparenright}\ {\isasymand}\ R\ {\isasymLongrightarrow}\ P\ {\isasymor}\ Q\ {\isasymand}\ R\isanewline
-\ {\isadigit{1}}{\isachardot}\ {\isasymlbrakk}R{\isacharsemicolon}\ Q{\isacharsemicolon}\ {\isasymnot}\ P{\isasymrbrakk}\ {\isasymLongrightarrow}\ Q\isanewline
-\ {\isadigit{2}}{\isachardot}\ {\isasymlbrakk}R{\isacharsemicolon}\ Q{\isacharsemicolon}\ {\isasymnot}\ P{\isasymrbrakk}\ {\isasymLongrightarrow}\ R
-*}
-
-
-text{*rule_tac, etc.*}
-
-
-lemma "P&Q"
-apply (rule_tac P=P and Q=Q in conjI)
-oops
-
-
-text{*unification failure trace *}
-
-ML "trace_unify_fail := true"
-
-lemma "P(a, f(b, g(e,a), b), a) \<Longrightarrow> P(a, f(b, g(c,a), b), a)"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-apply assumption
-Clash: e =/= c
-
-Clash: == =/= Trueprop
-*}
-oops
-
-lemma "\<forall>x y. P(x,y) --> P(y,x)"
-apply auto
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-apply assumption
-
-Clash: bound variable x (depth 1) =/= bound variable y (depth 0)
-
-Clash: == =/= Trueprop
-Clash: == =/= Trueprop
-*}
-oops
-
-ML "trace_unify_fail := false"
-
-
-text{*Quantifiers*}
-
-text {*
-@{thm[display] allI}
-\rulename{allI}
-
-@{thm[display] allE}
-\rulename{allE}
-
-@{thm[display] spec}
-\rulename{spec}
-*}
-
-lemma "\<forall>x. P x \<longrightarrow> P x"
-apply (rule allI)
-by (rule impI)
-
-lemma "(\<forall>x. P \<longrightarrow> Q x) \<Longrightarrow> P \<longrightarrow> (\<forall>x. Q x)"
-apply (rule impI, rule allI)
-apply (drule spec)
-by (drule mp)
-
-text{*rename_tac*}
-lemma "x < y \<Longrightarrow> \<forall>x y. P x (f y)"
-apply (intro allI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rename_tac v w)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-oops
-
-
-lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
-apply (frule spec)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (drule mp, assumption)
-apply (drule spec)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-by (drule mp)
-
-lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (f x); P a\<rbrakk> \<Longrightarrow> P(f (f a))"
-by blast
-
-
-text{*
-the existential quantifier*}
-
-text {*
-@{thm[display]"exI"}
-\rulename{exI}
-
-@{thm[display]"exE"}
-\rulename{exE}
-*}
-
-
-text{*
-instantiating quantifiers explicitly by rule_tac and erule_tac*}
-
-lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
-apply (frule spec)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (drule mp, assumption)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (drule_tac x = "h a" in spec)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-by (drule mp)
-
-text {*
-@{thm[display]"dvd_def"}
-\rulename{dvd_def}
-*}
-
-lemma mult_dvd_mono: "\<lbrakk>i dvd m; j dvd n\<rbrakk> \<Longrightarrow> i*j dvd (m*n :: nat)"
-apply (simp add: dvd_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule exE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule exE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rename_tac l)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule_tac x="k*l" in exI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply simp
-done
-
-text{*
-Hilbert-epsilon theorems*}
-
-text{*
-@{thm[display] the_equality[no_vars]}
-\rulename{the_equality}
-
-@{thm[display] some_equality[no_vars]}
-\rulename{some_equality}
-
-@{thm[display] someI[no_vars]}
-\rulename{someI}
-
-@{thm[display] someI2[no_vars]}
-\rulename{someI2}
-
-@{thm[display] someI_ex[no_vars]}
-\rulename{someI_ex}
-
-needed for examples
-
-@{thm[display] inv_def[no_vars]}
-\rulename{inv_def}
-
-@{thm[display] Least_def[no_vars]}
-\rulename{Least_def}
-
-@{thm[display] order_antisym[no_vars]}
-\rulename{order_antisym}
-*}
-
-
-lemma "inv Suc (Suc n) = n"
-by (simp add: inv_def)
-
-text{*but we know nothing about inv Suc 0*}
-
-theorem Least_equality:
- "\<lbrakk> P (k::nat); \<forall>x. P x \<longrightarrow> k \<le> x \<rbrakk> \<Longrightarrow> (LEAST x. P(x)) = k"
-apply (simp add: Least_def)
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*}
-
-apply (rule the_equality)
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-first subgoal is existence; second is uniqueness
-*}
-by (auto intro: order_antisym)
-
-
-theorem axiom_of_choice:
- "(\<forall>x. \<exists>y. P x y) \<Longrightarrow> \<exists>f. \<forall>x. P x (f x)"
-apply (rule exI, rule allI)
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-state after intro rules
-*}
-apply (drule spec, erule exE)
-
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-applying @text{someI} automatically instantiates
-@{term f} to @{term "\<lambda>x. SOME y. P x y"}
-*}
-
-by (rule someI)
-
-(*both can be done by blast, which however hasn't been introduced yet*)
-lemma "[| P (k::nat); \<forall>x. P x \<longrightarrow> k \<le> x |] ==> (LEAST x. P(x)) = k"
-apply (simp add: Least_def LeastM_def)
-by (blast intro: some_equality order_antisym)
-
-theorem axiom_of_choice': "(\<forall>x. \<exists>y. P x y) \<Longrightarrow> \<exists>f. \<forall>x. P x (f x)"
-apply (rule exI [of _ "\<lambda>x. SOME y. P x y"])
-by (blast intro: someI)
-
-text{*end of Epsilon section*}
-
-
-lemma "(\<exists>x. P x) \<or> (\<exists>x. Q x) \<Longrightarrow> \<exists>x. P x \<or> Q x"
-apply (elim exE disjE)
- apply (intro exI disjI1)
- apply assumption
-apply (intro exI disjI2)
-apply assumption
-done
-
-lemma "(P\<longrightarrow>Q) \<or> (Q\<longrightarrow>P)"
-apply (intro disjCI impI)
-apply (elim notE)
-apply (intro impI)
-apply assumption
-done
-
-lemma "(P\<or>Q)\<and>(P\<or>R) \<Longrightarrow> P \<or> (Q\<and>R)"
-apply (intro disjCI conjI)
-apply (elim conjE disjE)
-apply blast
-apply blast
-apply blast
-apply blast
-(*apply elim*)
-done
-
-lemma "(\<exists>x. P \<and> Q x) \<Longrightarrow> P \<and> (\<exists>x. Q x)"
-apply (erule exE)
-apply (erule conjE)
-apply (rule conjI)
- apply assumption
-apply (rule exI)
- apply assumption
-done
-
-lemma "(\<exists>x. P x) \<and> (\<exists>x. Q x) \<Longrightarrow> \<exists>x. P x \<and> Q x"
-apply (erule conjE)
-apply (erule exE)
-apply (erule exE)
-apply (rule exI)
-apply (rule conjI)
- apply assumption
-oops
-
-lemma "\<forall>y. R y y \<Longrightarrow> \<exists>x. \<forall>y. R x y"
-apply (rule exI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule allI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (drule spec)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-oops
-
-lemma "\<forall>x. \<exists>y. x=y"
-apply (rule allI)
-apply (rule exI)
-apply (rule refl)
-done
-
-lemma "\<exists>x. \<forall>y. x=y"
-apply (rule exI)
-apply (rule allI)
-oops
-
-end
--- a/doc-src/TutorialI/Rules/Blast.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,37 +0,0 @@
-theory Blast imports Main begin
-
-lemma "((\<exists>x. \<forall>y. p(x)=p(y)) = ((\<exists>x. q(x))=(\<forall>y. p(y)))) =
- ((\<exists>x. \<forall>y. q(x)=q(y)) = ((\<exists>x. p(x))=(\<forall>y. q(y))))"
-by blast
-
-text{*\noindent Until now, we have proved everything using only induction and
-simplification. Substantial proofs require more elaborate types of
-inference.*}
-
-lemma "(\<forall>x. honest(x) \<and> industrious(x) \<longrightarrow> healthy(x)) \<and>
- \<not> (\<exists>x. grocer(x) \<and> healthy(x)) \<and>
- (\<forall>x. industrious(x) \<and> grocer(x) \<longrightarrow> honest(x)) \<and>
- (\<forall>x. cyclist(x) \<longrightarrow> industrious(x)) \<and>
- (\<forall>x. \<not>healthy(x) \<and> cyclist(x) \<longrightarrow> \<not>honest(x))
- \<longrightarrow> (\<forall>x. grocer(x) \<longrightarrow> \<not>cyclist(x))";
-by blast
-
-lemma "(\<Union>i\<in>I. A(i)) \<inter> (\<Union>j\<in>J. B(j)) =
- (\<Union>i\<in>I. \<Union>j\<in>J. A(i) \<inter> B(j))"
-by blast
-
-text {*
-@{thm[display] mult_is_0}
- \rulename{mult_is_0}}
-
-@{thm[display] finite_Un}
- \rulename{finite_Un}}
-*};
-
-
-lemma [iff]: "(xs@ys = []) = (xs=[] & ys=[])"
- apply (induct_tac xs)
- by (simp_all);
-
-(*ideas for uses of intro, etc.: ex/Primes/is_gcd_unique?*)
-end
--- a/doc-src/TutorialI/Rules/Force.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,50 +0,0 @@
-theory Force imports Main begin
- (*Use Divides rather than Main to experiment with the first proof.
- Otherwise, it is done by the nat_divide_cancel_factor simprocs.*)
-
-declare div_mult_self_is_m [simp del];
-
-lemma div_mult_self_is_m:
- "0<n \<Longrightarrow> (m*n) div n = (m::nat)"
-apply (insert mod_div_equality [of "m*n" n])
-apply simp
-done
-
-
-lemma "(\<forall>x. P x) \<and> (\<exists>x. Q x) \<longrightarrow> (\<forall>x. P x \<and> Q x)"
-apply clarify
-oops
-
-text {*
-proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ {\isadigit{1}}\isanewline
-\isanewline
-goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
-{\isacharparenleft}{\isasymforall}x{\isachardot}\ P\ x{\isacharparenright}\ {\isasymand}\ {\isacharparenleft}{\isasymexists}x{\isachardot}\ Q\ x{\isacharparenright}\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymforall}x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\isanewline
-\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ xa{\isachardot}\ {\isasymlbrakk}{\isasymforall}x{\isachardot}\ P\ x{\isacharsemicolon}\ Q\ xa{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ x\ {\isasymand}\ Q\ x
-*};
-
-text {*
-couldn't find a good example of clarsimp
-
-@{thm[display]"someI"}
-\rulename{someI}
-*};
-
-lemma "\<lbrakk>Q a; P a\<rbrakk> \<Longrightarrow> P (SOME x. P x \<and> Q x) \<and> Q (SOME x. P x \<and> Q x)"
-apply (rule someI)
-oops
-
-lemma "\<lbrakk>Q a; P a\<rbrakk> \<Longrightarrow> P (SOME x. P x \<and> Q x) \<and> Q (SOME x. P x \<and> Q x)"
-apply (fast intro!: someI)
-done
-
-text{*
-proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ \isadigit{1}\isanewline
-\isanewline
-goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
-{\isasymlbrakk}Q\ a{\isacharsemicolon}\ P\ a{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}SOME\ x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\ {\isasymand}\ Q\ {\isacharparenleft}SOME\ x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\isanewline
-\ \isadigit{1}{\isachardot}\ {\isasymlbrakk}Q\ a{\isacharsemicolon}\ P\ a{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharquery}x\ {\isasymand}\ Q\ {\isacharquery}x
-*}
-
-end
-
--- a/doc-src/TutorialI/Rules/Forward.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,236 +0,0 @@
-theory Forward imports Primes begin
-
-text{*\noindent
-Forward proof material: of, OF, THEN, simplify, rule_format.
-*}
-
-text{*\noindent
-SKIP most developments...
-*}
-
-(** Commutativity **)
-
-lemma is_gcd_commute: "is_gcd k m n = is_gcd k n m"
-apply (auto simp add: is_gcd_def);
-done
-
-lemma gcd_commute: "gcd m n = gcd n m"
-apply (rule is_gcd_unique)
-apply (rule is_gcd)
-apply (subst is_gcd_commute)
-apply (simp add: is_gcd)
-done
-
-lemma gcd_1 [simp]: "gcd m (Suc 0) = Suc 0"
-apply simp
-done
-
-lemma gcd_1_left [simp]: "gcd (Suc 0) m = Suc 0"
-apply (simp add: gcd_commute [of "Suc 0"])
-done
-
-text{*\noindent
-as far as HERE.
-*}
-
-text{*\noindent
-SKIP THIS PROOF
-*}
-
-lemma gcd_mult_distrib2: "k * gcd m n = gcd (k*m) (k*n)"
-apply (induct_tac m n rule: gcd.induct)
-apply (case_tac "n=0")
-apply simp
-apply (case_tac "k=0")
-apply simp_all
-done
-
-text {*
-@{thm[display] gcd_mult_distrib2}
-\rulename{gcd_mult_distrib2}
-*};
-
-text{*\noindent
-of, simplified
-*}
-
-
-lemmas gcd_mult_0 = gcd_mult_distrib2 [of k 1];
-lemmas gcd_mult_1 = gcd_mult_0 [simplified];
-
-lemmas where1 = gcd_mult_distrib2 [where m=1]
-
-lemmas where2 = gcd_mult_distrib2 [where m=1 and k=1]
-
-lemmas where3 = gcd_mult_distrib2 [where m=1 and k="j+k"]
-
-text {*
-example using ``of'':
-@{thm[display] gcd_mult_distrib2 [of _ 1]}
-
-example using ``where'':
-@{thm[display] gcd_mult_distrib2 [where m=1]}
-
-example using ``where'', ``and'':
-@{thm[display] gcd_mult_distrib2 [where m=1 and k="j+k"]}
-
-@{thm[display] gcd_mult_0}
-\rulename{gcd_mult_0}
-
-@{thm[display] gcd_mult_1}
-\rulename{gcd_mult_1}
-
-@{thm[display] sym}
-\rulename{sym}
-*};
-
-lemmas gcd_mult0 = gcd_mult_1 [THEN sym];
- (*not quite right: we need ?k but this gives k*)
-
-lemmas gcd_mult0' = gcd_mult_distrib2 [of k 1, simplified, THEN sym];
- (*better in one step!*)
-
-text {*
-more legible, and variables properly generalized
-*};
-
-lemma gcd_mult [simp]: "gcd k (k*n) = k"
-by (rule gcd_mult_distrib2 [of k 1, simplified, THEN sym])
-
-
-lemmas gcd_self0 = gcd_mult [of k 1, simplified];
-
-
-text {*
-@{thm[display] gcd_mult}
-\rulename{gcd_mult}
-
-@{thm[display] gcd_self0}
-\rulename{gcd_self0}
-*};
-
-text {*
-Rules handy with THEN
-
-@{thm[display] iffD1}
-\rulename{iffD1}
-
-@{thm[display] iffD2}
-\rulename{iffD2}
-*};
-
-
-text {*
-again: more legible, and variables properly generalized
-*};
-
-lemma gcd_self [simp]: "gcd k k = k"
-by (rule gcd_mult [of k 1, simplified])
-
-
-text{*
-NEXT SECTION: Methods for Forward Proof
-
-NEW
-
-theorem arg_cong, useful in forward steps
-@{thm[display] arg_cong[no_vars]}
-\rulename{arg_cong}
-*}
-
-lemma "2 \<le> u \<Longrightarrow> u*m \<noteq> Suc(u*n)"
-apply (intro notI)
-txt{*
-before using arg_cong
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply (drule_tac f="\<lambda>x. x mod u" in arg_cong)
-txt{*
-after using arg_cong
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply (simp add: mod_Suc)
-done
-
-text{*
-have just used this rule:
-@{thm[display] mod_Suc[no_vars]}
-\rulename{mod_Suc}
-
-@{thm[display] mult_le_mono1[no_vars]}
-\rulename{mult_le_mono1}
-*}
-
-
-text{*
-example of "insert"
-*}
-
-lemma relprime_dvd_mult:
- "\<lbrakk> gcd k n = 1; k dvd m*n \<rbrakk> \<Longrightarrow> k dvd m"
-apply (insert gcd_mult_distrib2 [of m k n])
-txt{*@{subgoals[display,indent=0,margin=65]}*}
-apply simp
-txt{*@{subgoals[display,indent=0,margin=65]}*}
-apply (erule_tac t="m" in ssubst);
-apply simp
-done
-
-
-text {*
-@{thm[display] relprime_dvd_mult}
-\rulename{relprime_dvd_mult}
-
-Another example of "insert"
-
-@{thm[display] mod_div_equality}
-\rulename{mod_div_equality}
-*};
-
-(*MOVED to Force.thy, which now depends only on Divides.thy
-lemma div_mult_self_is_m: "0<n \<Longrightarrow> (m*n) div n = (m::nat)"
-*)
-
-lemma relprime_dvd_mult_iff: "gcd k n = 1 \<Longrightarrow> (k dvd m*n) = (k dvd m)";
-by (auto intro: relprime_dvd_mult elim: dvdE)
-
-lemma relprime_20_81: "gcd 20 81 = 1";
-by (simp add: gcd.simps)
-
-text {*
-Examples of 'OF'
-
-@{thm[display] relprime_dvd_mult}
-\rulename{relprime_dvd_mult}
-
-@{thm[display] relprime_dvd_mult [OF relprime_20_81]}
-
-@{thm[display] dvd_refl}
-\rulename{dvd_refl}
-
-@{thm[display] dvd_add}
-\rulename{dvd_add}
-
-@{thm[display] dvd_add [OF dvd_refl dvd_refl]}
-
-@{thm[display] dvd_add [OF _ dvd_refl]}
-*};
-
-lemma "\<lbrakk>(z::int) < 37; 66 < 2*z; z*z \<noteq> 1225; Q(34); Q(36)\<rbrakk> \<Longrightarrow> Q(z)";
-apply (subgoal_tac "z = 34 \<or> z = 36")
-txt{*
-the tactic leaves two subgoals:
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply blast
-apply (subgoal_tac "z \<noteq> 35")
-txt{*
-the tactic leaves two subgoals:
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply arith
-apply force
-done
-
-
-end
--- a/doc-src/TutorialI/Rules/Primes.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,155 +0,0 @@
-(* EXTRACT from HOL/ex/Primes.thy*)
-
-(*Euclid's algorithm
- This material now appears AFTER that of Forward.thy *)
-theory Primes imports Main begin
-
-fun gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
- "gcd m n = (if n=0 then m else gcd n (m mod n))"
-
-
-text {*Now in Basic.thy!
-@{thm[display]"dvd_def"}
-\rulename{dvd_def}
-*};
-
-
-(*** Euclid's Algorithm ***)
-
-lemma gcd_0 [simp]: "gcd m 0 = m"
-apply (simp);
-done
-
-lemma gcd_non_0 [simp]: "0<n \<Longrightarrow> gcd m n = gcd n (m mod n)"
-apply (simp)
-done;
-
-declare gcd.simps [simp del];
-
-(*gcd(m,n) divides m and n. The conjunctions don't seem provable separately*)
-lemma gcd_dvd_both: "(gcd m n dvd m) \<and> (gcd m n dvd n)"
-apply (induct_tac m n rule: gcd.induct)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (case_tac "n=0")
-txt{*subgoals after the case tac
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply (simp_all)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-by (blast dest: dvd_mod_imp_dvd)
-
-
-
-text {*
-@{thm[display] dvd_mod_imp_dvd}
-\rulename{dvd_mod_imp_dvd}
-
-@{thm[display] dvd_trans}
-\rulename{dvd_trans}
-*}
-
-lemmas gcd_dvd1 [iff] = gcd_dvd_both [THEN conjunct1]
-lemmas gcd_dvd2 [iff] = gcd_dvd_both [THEN conjunct2];
-
-
-text {*
-\begin{quote}
-@{thm[display] gcd_dvd1}
-\rulename{gcd_dvd1}
-
-@{thm[display] gcd_dvd2}
-\rulename{gcd_dvd2}
-\end{quote}
-*};
-
-(*Maximality: for all m,n,k naturals,
- if k divides m and k divides n then k divides gcd(m,n)*)
-lemma gcd_greatest [rule_format]:
- "k dvd m \<longrightarrow> k dvd n \<longrightarrow> k dvd gcd m n"
-apply (induct_tac m n rule: gcd.induct)
-apply (case_tac "n=0")
-txt{*subgoals after the case tac
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply (simp_all add: dvd_mod)
-done
-
-text {*
-@{thm[display] dvd_mod}
-\rulename{dvd_mod}
-*}
-
-(*just checking the claim that case_tac "n" works too*)
-lemma "k dvd m \<longrightarrow> k dvd n \<longrightarrow> k dvd gcd m n"
-apply (induct_tac m n rule: gcd.induct)
-apply (case_tac "n")
-apply (simp_all add: dvd_mod)
-done
-
-
-theorem gcd_greatest_iff [iff]:
- "(k dvd gcd m n) = (k dvd m \<and> k dvd n)"
-by (blast intro!: gcd_greatest intro: dvd_trans)
-
-
-(**** The material below was omitted from the book ****)
-
-definition is_gcd :: "[nat,nat,nat] \<Rightarrow> bool" where (*gcd as a relation*)
- "is_gcd p m n == p dvd m \<and> p dvd n \<and>
- (ALL d. d dvd m \<and> d dvd n \<longrightarrow> d dvd p)"
-
-(*Function gcd yields the Greatest Common Divisor*)
-lemma is_gcd: "is_gcd (gcd m n) m n"
-apply (simp add: is_gcd_def gcd_greatest);
-done
-
-(*uniqueness of GCDs*)
-lemma is_gcd_unique: "\<lbrakk> is_gcd m a b; is_gcd n a b \<rbrakk> \<Longrightarrow> m=n"
-apply (simp add: is_gcd_def);
-apply (blast intro: dvd_antisym)
-done
-
-
-text {*
-@{thm[display] dvd_antisym}
-\rulename{dvd_antisym}
-
-\begin{isabelle}
-proof\ (prove):\ step\ 1\isanewline
-\isanewline
-goal\ (lemma\ is_gcd_unique):\isanewline
-\isasymlbrakk is_gcd\ m\ a\ b;\ is_gcd\ n\ a\ b\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n\isanewline
-\ 1.\ \isasymlbrakk m\ dvd\ a\ \isasymand \ m\ dvd\ b\ \isasymand \ (\isasymforall d.\ d\ dvd\ a\ \isasymand \ d\ dvd\ b\ \isasymlongrightarrow \ d\ dvd\ m);\isanewline
-\ \ \ \ \ \ \ n\ dvd\ a\ \isasymand \ n\ dvd\ b\ \isasymand \ (\isasymforall d.\ d\ dvd\ a\ \isasymand \ d\ dvd\ b\ \isasymlongrightarrow \ d\ dvd\ n)\isasymrbrakk \isanewline
-\ \ \ \ \isasymLongrightarrow \ m\ =\ n
-\end{isabelle}
-*};
-
-lemma gcd_assoc: "gcd (gcd k m) n = gcd k (gcd m n)"
- apply (rule is_gcd_unique)
- apply (rule is_gcd)
- apply (simp add: is_gcd_def);
- apply (blast intro: dvd_trans);
- done
-
-text{*
-\begin{isabelle}
-proof\ (prove):\ step\ 3\isanewline
-\isanewline
-goal\ (lemma\ gcd_assoc):\isanewline
-gcd\ (gcd\ (k,\ m),\ n)\ =\ gcd\ (k,\ gcd\ (m,\ n))\isanewline
-\ 1.\ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ k\ \isasymand \isanewline
-\ \ \ \ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ m\ \isasymand \ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ n
-\end{isabelle}
-*}
-
-
-lemma gcd_dvd_gcd_mult: "gcd m n dvd gcd (k*m) n"
- apply (auto intro: dvd_trans [of _ m])
- done
-
-(*This is half of the proof (by dvd_antisym) of*)
-lemma gcd_mult_cancel: "gcd k n = 1 \<Longrightarrow> gcd (k*m) n = gcd m n"
- oops
-
-end
--- a/doc-src/TutorialI/Rules/Tacticals.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,58 +0,0 @@
-theory Tacticals imports Main begin
-
-text{*REPEAT*}
-lemma "\<lbrakk>P\<longrightarrow>Q; Q\<longrightarrow>R; R\<longrightarrow>S; P\<rbrakk> \<Longrightarrow> S"
-apply (drule mp, assumption)
-apply (drule mp, assumption)
-apply (drule mp, assumption)
-apply (assumption)
-done
-
-lemma "\<lbrakk>P\<longrightarrow>Q; Q\<longrightarrow>R; R\<longrightarrow>S; P\<rbrakk> \<Longrightarrow> S"
-by (drule mp, assumption)+
-
-text{*ORELSE with REPEAT*}
-lemma "\<lbrakk>Q\<longrightarrow>R; P\<longrightarrow>Q; x<5\<longrightarrow>P; Suc x < 5\<rbrakk> \<Longrightarrow> R"
-by (drule mp, (assumption|arith))+
-
-text{*exercise: what's going on here?*}
-lemma "\<lbrakk>P\<and>Q\<longrightarrow>R; P\<longrightarrow>Q; P\<rbrakk> \<Longrightarrow> R"
-by (drule mp, (intro conjI)?, assumption+)+
-
-text{*defer and prefer*}
-
-lemma "hard \<and> (P \<or> ~P) \<and> (Q\<longrightarrow>Q)"
-apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
-defer 1 --{* @{subgoals[display,indent=0,margin=65]} *}
-apply blast+ --{* @{subgoals[display,indent=0,margin=65]} *}
-oops
-
-lemma "ok1 \<and> ok2 \<and> doubtful"
-apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
-prefer 3 --{* @{subgoals[display,indent=0,margin=65]} *}
-oops
-
-lemma "bigsubgoal1 \<and> bigsubgoal2 \<and> bigsubgoal3 \<and> bigsubgoal4 \<and> bigsubgoal5 \<and> bigsubgoal6"
-apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
-txt{* @{subgoals[display,indent=0,margin=65]}
-A total of 6 subgoals...
-*}
-oops
-
-
-
-(*needed??*)
-
-lemma "(P\<or>Q) \<and> (R\<or>S) \<Longrightarrow> PP"
-apply (elim conjE disjE)
-oops
-
-lemma "((P\<or>Q) \<and> R) \<and> (Q \<and> (P\<or>S)) \<Longrightarrow> PP"
-apply (elim conjE)
-oops
-
-lemma "((P\<or>Q) \<and> R) \<and> (Q \<and> (P\<or>S)) \<Longrightarrow> PP"
-apply (erule conjE)+
-oops
-
-end
--- a/doc-src/TutorialI/Rules/find2.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,43 +0,0 @@
-(*<*)
-theory find2 imports Main begin
-lemma "A \<and> B"
-(*>*)
-
-txt{*\index{finding theorems}\index{searching theorems} In
-\S\ref{sec:find}, we introduced Proof General's \pgmenu{Find} button
-for finding theorems in the database via pattern matching. If we are
-inside a proof, we can be more specific; we can search for introduction,
-elimination and destruction rules \emph{with respect to the current goal}.
-For this purpose, \pgmenu{Find} provides three aditional search criteria:
-\texttt{intro}, \texttt{elim} and \texttt{dest}.
-
-For example, given the goal @{subgoals[display,indent=0,margin=65]}
-you can click on \pgmenu{Find} and type in the search expression
-\texttt{intro}. You will be shown a few rules ending in @{text"\<Longrightarrow> ?P \<and> ?Q"},
-among them @{thm[source]conjI}\@. You may even discover that
-the very theorem you are trying to prove is already in the
-database. Given the goal *}
-(*<*)
-oops
-lemma "A \<longrightarrow> A"
-(*>*)
-txt{*\vspace{-\bigskipamount}
-@{subgoals[display,indent=0,margin=65]}
-the search for \texttt{intro} finds not just @{thm[source] impI}
-but also @{thm[source] imp_refl}: @{thm imp_refl}.
-
-As before, search criteria can be combined freely: for example,
-\begin{ttbox}
-"_ \at\ _" intro
-\end{ttbox}
-searches for all introduction rules that match the current goal and
-mention the @{text"@"} function.
-
-Searching for elimination and destruction rules via \texttt{elim} and
-\texttt{dest} is analogous to \texttt{intro} but takes the assumptions
-into account, too.
-*}
-(*<*)
-oops
-end
-(*>*)
--- a/doc-src/TutorialI/Sets/Examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,254 +0,0 @@
-theory Examples imports Main "~~/src/HOL/Library/Binomial" begin
-
-declare [[eta_contract = false]]
-
-text{*membership, intersection *}
-text{*difference and empty set*}
-text{*complement, union and universal set*}
-
-lemma "(x \<in> A \<inter> B) = (x \<in> A \<and> x \<in> B)"
-by blast
-
-text{*
-@{thm[display] IntI[no_vars]}
-\rulename{IntI}
-
-@{thm[display] IntD1[no_vars]}
-\rulename{IntD1}
-
-@{thm[display] IntD2[no_vars]}
-\rulename{IntD2}
-*}
-
-lemma "(x \<in> -A) = (x \<notin> A)"
-by blast
-
-text{*
-@{thm[display] Compl_iff[no_vars]}
-\rulename{Compl_iff}
-*}
-
-lemma "- (A \<union> B) = -A \<inter> -B"
-by blast
-
-text{*
-@{thm[display] Compl_Un[no_vars]}
-\rulename{Compl_Un}
-*}
-
-lemma "A-A = {}"
-by blast
-
-text{*
-@{thm[display] Diff_disjoint[no_vars]}
-\rulename{Diff_disjoint}
-*}
-
-
-
-lemma "A \<union> -A = UNIV"
-by blast
-
-text{*
-@{thm[display] Compl_partition[no_vars]}
-\rulename{Compl_partition}
-*}
-
-text{*subset relation*}
-
-
-text{*
-@{thm[display] subsetI[no_vars]}
-\rulename{subsetI}
-
-@{thm[display] subsetD[no_vars]}
-\rulename{subsetD}
-*}
-
-lemma "((A \<union> B) \<subseteq> C) = (A \<subseteq> C \<and> B \<subseteq> C)"
-by blast
-
-text{*
-@{thm[display] Un_subset_iff[no_vars]}
-\rulename{Un_subset_iff}
-*}
-
-lemma "(A \<subseteq> -B) = (B \<subseteq> -A)"
-by blast
-
-lemma "(A <= -B) = (B <= -A)"
- oops
-
-text{*ASCII version: blast fails because of overloading because
- it doesn't have to be sets*}
-
-lemma "((A:: 'a set) <= -B) = (B <= -A)"
-by blast
-
-text{*A type constraint lets it work*}
-
-text{*An issue here: how do we discuss the distinction between ASCII and
-symbol notation? Here the latter disambiguates.*}
-
-
-text{*
-set extensionality
-
-@{thm[display] set_eqI[no_vars]}
-\rulename{set_eqI}
-
-@{thm[display] equalityI[no_vars]}
-\rulename{equalityI}
-
-@{thm[display] equalityE[no_vars]}
-\rulename{equalityE}
-*}
-
-
-text{*finite sets: insertion and membership relation*}
-text{*finite set notation*}
-
-lemma "insert x A = {x} \<union> A"
-by blast
-
-text{*
-@{thm[display] insert_is_Un[no_vars]}
-\rulename{insert_is_Un}
-*}
-
-lemma "{a,b} \<union> {c,d} = {a,b,c,d}"
-by blast
-
-lemma "{a,b} \<inter> {b,c} = {b}"
-apply auto
-oops
-text{*fails because it isn't valid*}
-
-lemma "{a,b} \<inter> {b,c} = (if a=c then {a,b} else {b})"
-apply simp
-by blast
-
-text{*or just force or auto. blast alone can't handle the if-then-else*}
-
-text{*next: some comprehension examples*}
-
-lemma "(a \<in> {z. P z}) = P a"
-by blast
-
-text{*
-@{thm[display] mem_Collect_eq[no_vars]}
-\rulename{mem_Collect_eq}
-*}
-
-lemma "{x. x \<in> A} = A"
-by blast
-
-text{*
-@{thm[display] Collect_mem_eq[no_vars]}
-\rulename{Collect_mem_eq}
-*}
-
-lemma "{x. P x \<or> x \<in> A} = {x. P x} \<union> A"
-by blast
-
-lemma "{x. P x \<longrightarrow> Q x} = -{x. P x} \<union> {x. Q x}"
-by blast
-
-definition prime :: "nat set" where
- "prime == {p. 1<p & (ALL m. m dvd p --> m=1 | m=p)}"
-
-lemma "{p*q | p q. p\<in>prime \<and> q\<in>prime} =
- {z. \<exists>p q. z = p*q \<and> p\<in>prime \<and> q\<in>prime}"
-by (rule refl)
-
-text{*binders*}
-
-text{*bounded quantifiers*}
-
-lemma "(\<exists>x\<in>A. P x) = (\<exists>x. x\<in>A \<and> P x)"
-by blast
-
-text{*
-@{thm[display] bexI[no_vars]}
-\rulename{bexI}
-*}
-
-text{*
-@{thm[display] bexE[no_vars]}
-\rulename{bexE}
-*}
-
-lemma "(\<forall>x\<in>A. P x) = (\<forall>x. x\<in>A \<longrightarrow> P x)"
-by blast
-
-text{*
-@{thm[display] ballI[no_vars]}
-\rulename{ballI}
-*}
-
-text{*
-@{thm[display] bspec[no_vars]}
-\rulename{bspec}
-*}
-
-text{*indexed unions and variations*}
-
-lemma "(\<Union>x. B x) = (\<Union>x\<in>UNIV. B x)"
-by blast
-
-text{*
-@{thm[display] UN_iff[no_vars]}
-\rulename{UN_iff}
-*}
-
-text{*
-@{thm[display] Union_iff[no_vars]}
-\rulename{Union_iff}
-*}
-
-lemma "(\<Union>x\<in>A. B x) = {y. \<exists>x\<in>A. y \<in> B x}"
-by blast
-
-lemma "\<Union>S = (\<Union>x\<in>S. x)"
-by blast
-
-text{*
-@{thm[display] UN_I[no_vars]}
-\rulename{UN_I}
-*}
-
-text{*
-@{thm[display] UN_E[no_vars]}
-\rulename{UN_E}
-*}
-
-text{*indexed intersections*}
-
-lemma "(\<Inter>x. B x) = {y. \<forall>x. y \<in> B x}"
-by blast
-
-text{*
-@{thm[display] INT_iff[no_vars]}
-\rulename{INT_iff}
-*}
-
-text{*
-@{thm[display] Inter_iff[no_vars]}
-\rulename{Inter_iff}
-*}
-
-text{*mention also card, Pow, etc.*}
-
-
-text{*
-@{thm[display] card_Un_Int[no_vars]}
-\rulename{card_Un_Int}
-
-@{thm[display] card_Pow[no_vars]}
-\rulename{card_Pow}
-
-@{thm[display] n_subsets[no_vars]}
-\rulename{n_subsets}
-*}
-
-end
--- a/doc-src/TutorialI/Sets/Functions.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,143 +0,0 @@
-theory Functions imports Main begin
-
-
-text{*
-@{thm[display] id_def[no_vars]}
-\rulename{id_def}
-
-@{thm[display] o_def[no_vars]}
-\rulename{o_def}
-
-@{thm[display] o_assoc[no_vars]}
-\rulename{o_assoc}
-*}
-
-text{*
-@{thm[display] fun_upd_apply[no_vars]}
-\rulename{fun_upd_apply}
-
-@{thm[display] fun_upd_upd[no_vars]}
-\rulename{fun_upd_upd}
-*}
-
-
-text{*
-definitions of injective, surjective, bijective
-
-@{thm[display] inj_on_def[no_vars]}
-\rulename{inj_on_def}
-
-@{thm[display] surj_def[no_vars]}
-\rulename{surj_def}
-
-@{thm[display] bij_def[no_vars]}
-\rulename{bij_def}
-*}
-
-
-
-text{*
-possibly interesting theorems about inv
-*}
-
-text{*
-@{thm[display] inv_f_f[no_vars]}
-\rulename{inv_f_f}
-
-@{thm[display] inj_imp_surj_inv[no_vars]}
-\rulename{inj_imp_surj_inv}
-
-@{thm[display] surj_imp_inj_inv[no_vars]}
-\rulename{surj_imp_inj_inv}
-
-@{thm[display] surj_f_inv_f[no_vars]}
-\rulename{surj_f_inv_f}
-
-@{thm[display] bij_imp_bij_inv[no_vars]}
-\rulename{bij_imp_bij_inv}
-
-@{thm[display] inv_inv_eq[no_vars]}
-\rulename{inv_inv_eq}
-
-@{thm[display] o_inv_distrib[no_vars]}
-\rulename{o_inv_distrib}
-*}
-
-text{*
-small sample proof
-
-@{thm[display] ext[no_vars]}
-\rulename{ext}
-
-@{thm[display] fun_eq_iff[no_vars]}
-\rulename{fun_eq_iff}
-*}
-
-lemma "inj f \<Longrightarrow> (f o g = f o h) = (g = h)";
- apply (simp add: fun_eq_iff inj_on_def)
- apply (auto)
- done
-
-text{*
-\begin{isabelle}
-inj\ f\ \isasymLongrightarrow \ (f\ \isasymcirc \ g\ =\ f\ \isasymcirc \ h)\ =\ (g\ =\ h)\isanewline
-\ 1.\ \isasymforall x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow \ x\ =\ y\ \isasymLongrightarrow \isanewline
-\ \ \ \ (\isasymforall x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ (\isasymforall x.\ g\ x\ =\ h\ x)
-\end{isabelle}
-*}
-
-
-text{*image, inverse image*}
-
-text{*
-@{thm[display] image_def[no_vars]}
-\rulename{image_def}
-*}
-
-text{*
-@{thm[display] image_Un[no_vars]}
-\rulename{image_Un}
-*}
-
-text{*
-@{thm[display] image_compose[no_vars]}
-\rulename{image_compose}
-
-@{thm[display] image_Int[no_vars]}
-\rulename{image_Int}
-
-@{thm[display] bij_image_Compl_eq[no_vars]}
-\rulename{bij_image_Compl_eq}
-*}
-
-
-text{*
-illustrates Union as well as image
-*}
-
-lemma "f`A \<union> g`A = (\<Union>x\<in>A. {f x, g x})"
-by blast
-
-lemma "f ` {(x,y). P x y} = {f(x,y) | x y. P x y}"
-by blast
-
-text{*actually a macro!*}
-
-lemma "range f = f`UNIV"
-by blast
-
-
-text{*
-inverse image
-*}
-
-text{*
-@{thm[display] vimage_def[no_vars]}
-\rulename{vimage_def}
-
-@{thm[display] vimage_Compl[no_vars]}
-\rulename{vimage_Compl}
-*}
-
-
-end
--- a/doc-src/TutorialI/Sets/Recur.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,80 +0,0 @@
-theory Recur imports Main begin
-
-
-text{*
-@{thm[display] mono_def[no_vars]}
-\rulename{mono_def}
-
-@{thm[display] monoI[no_vars]}
-\rulename{monoI}
-
-@{thm[display] monoD[no_vars]}
-\rulename{monoD}
-
-@{thm[display] lfp_unfold[no_vars]}
-\rulename{lfp_unfold}
-
-@{thm[display] lfp_induct[no_vars]}
-\rulename{lfp_induct}
-
-@{thm[display] gfp_unfold[no_vars]}
-\rulename{gfp_unfold}
-
-@{thm[display] coinduct[no_vars]}
-\rulename{coinduct}
-*}
-
-text{*\noindent
-A relation $<$ is
-\bfindex{wellfounded} if it has no infinite descending chain $\cdots <
-a@2 < a@1 < a@0$. Clearly, a function definition is total iff the set
-of all pairs $(r,l)$, where $l$ is the argument on the left-hand side
-of an equation and $r$ the argument of some recursive call on the
-corresponding right-hand side, induces a wellfounded relation.
-
-The HOL library formalizes
-some of the theory of wellfounded relations. For example
-@{prop"wf r"}\index{*wf|bold} means that relation @{term[show_types]"r::('a*'a)set"} is
-wellfounded.
-Finally we should mention that HOL already provides the mother of all
-inductions, \textbf{wellfounded
-induction}\indexbold{induction!wellfounded}\index{wellfounded
-induction|see{induction, wellfounded}} (@{thm[source]wf_induct}):
-@{thm[display]wf_induct[no_vars]}
-where @{term"wf r"} means that the relation @{term r} is wellfounded
-
-*}
-
-text{*
-
-@{thm[display] wf_induct[no_vars]}
-\rulename{wf_induct}
-
-@{thm[display] less_than_iff[no_vars]}
-\rulename{less_than_iff}
-
-@{thm[display] inv_image_def[no_vars]}
-\rulename{inv_image_def}
-
-@{thm[display] measure_def[no_vars]}
-\rulename{measure_def}
-
-@{thm[display] wf_less_than[no_vars]}
-\rulename{wf_less_than}
-
-@{thm[display] wf_inv_image[no_vars]}
-\rulename{wf_inv_image}
-
-@{thm[display] wf_measure[no_vars]}
-\rulename{wf_measure}
-
-@{thm[display] lex_prod_def[no_vars]}
-\rulename{lex_prod_def}
-
-@{thm[display] wf_lex_prod[no_vars]}
-\rulename{wf_lex_prod}
-
-*}
-
-end
-
--- a/doc-src/TutorialI/Sets/Relations.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,154 +0,0 @@
-theory Relations imports Main begin
-
-(*Id is only used in UNITY*)
-(*refl, antisym,trans,univalent,\<dots> ho hum*)
-
-text{*
-@{thm[display] Id_def[no_vars]}
-\rulename{Id_def}
-*}
-
-text{*
-@{thm[display] relcomp_unfold[no_vars]}
-\rulename{relcomp_unfold}
-*}
-
-text{*
-@{thm[display] R_O_Id[no_vars]}
-\rulename{R_O_Id}
-*}
-
-text{*
-@{thm[display] relcomp_mono[no_vars]}
-\rulename{relcomp_mono}
-*}
-
-text{*
-@{thm[display] converse_iff[no_vars]}
-\rulename{converse_iff}
-*}
-
-text{*
-@{thm[display] converse_relcomp[no_vars]}
-\rulename{converse_relcomp}
-*}
-
-text{*
-@{thm[display] Image_iff[no_vars]}
-\rulename{Image_iff}
-*}
-
-text{*
-@{thm[display] Image_UN[no_vars]}
-\rulename{Image_UN}
-*}
-
-text{*
-@{thm[display] Domain_iff[no_vars]}
-\rulename{Domain_iff}
-*}
-
-text{*
-@{thm[display] Range_iff[no_vars]}
-\rulename{Range_iff}
-*}
-
-text{*
-@{thm[display] relpow.simps[no_vars]}
-\rulename{relpow.simps}
-
-@{thm[display] rtrancl_refl[no_vars]}
-\rulename{rtrancl_refl}
-
-@{thm[display] r_into_rtrancl[no_vars]}
-\rulename{r_into_rtrancl}
-
-@{thm[display] rtrancl_trans[no_vars]}
-\rulename{rtrancl_trans}
-
-@{thm[display] rtrancl_induct[no_vars]}
-\rulename{rtrancl_induct}
-
-@{thm[display] rtrancl_idemp[no_vars]}
-\rulename{rtrancl_idemp}
-
-@{thm[display] r_into_trancl[no_vars]}
-\rulename{r_into_trancl}
-
-@{thm[display] trancl_trans[no_vars]}
-\rulename{trancl_trans}
-
-@{thm[display] trancl_into_rtrancl[no_vars]}
-\rulename{trancl_into_rtrancl}
-
-@{thm[display] trancl_converse[no_vars]}
-\rulename{trancl_converse}
-*}
-
-text{*Relations. transitive closure*}
-
-lemma rtrancl_converseD: "(x,y) \<in> (r\<inverse>)\<^sup>* \<Longrightarrow> (y,x) \<in> r\<^sup>*"
-apply (erule rtrancl_induct)
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
- apply (rule rtrancl_refl)
-apply (blast intro: rtrancl_trans)
-done
-
-
-lemma rtrancl_converseI: "(y,x) \<in> r\<^sup>* \<Longrightarrow> (x,y) \<in> (r\<inverse>)\<^sup>*"
-apply (erule rtrancl_induct)
- apply (rule rtrancl_refl)
-apply (blast intro: rtrancl_trans)
-done
-
-lemma rtrancl_converse: "(r\<inverse>)\<^sup>* = (r\<^sup>*)\<inverse>"
-by (auto intro: rtrancl_converseI dest: rtrancl_converseD)
-
-lemma rtrancl_converse: "(r\<inverse>)\<^sup>* = (r\<^sup>*)\<inverse>"
-apply (intro equalityI subsetI)
-txt{*
-after intro rules
-
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply clarify
-txt{*
-after splitting
-@{subgoals[display,indent=0,margin=65]}
-*};
-oops
-
-
-lemma "(\<forall>u v. (u,v) \<in> A \<longrightarrow> u=v) \<Longrightarrow> A \<subseteq> Id"
-apply (rule subsetI)
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-after subsetI
-*};
-apply clarify
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-
-subgoals after clarify
-*};
-by blast
-
-
-
-
-text{*rejects*}
-
-lemma "(a \<in> {z. P z} \<union> {y. Q y}) = P a \<or> Q a"
-apply (blast)
-done
-
-text{*Pow, Inter too little used*}
-
-lemma "(A \<subset> B) = (A \<subseteq> B \<and> A \<noteq> B)"
-apply (simp add: psubset_eq)
-done
-
-end
--- a/doc-src/TutorialI/ToyList/ToyList.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,368 +0,0 @@
-theory ToyList
-imports Datatype
-begin
-
-(*<*)
-ML {*
- let
- val texts =
- map (File.read o Path.append (Thy_Load.master_directory @{theory}) o Path.explode)
- ["ToyList1", "ToyList2"];
- val trs = Outer_Syntax.parse Position.start (implode texts);
- in @{assert} (Toplevel.is_toplevel (fold Toplevel.command trs Toplevel.toplevel)) end;
-*}
-(*>*)
-
-text{*\noindent
-HOL already has a predefined theory of lists called @{text List} ---
-@{text ToyList} is merely a small fragment of it chosen as an example. In
-contrast to what is recommended in \S\ref{sec:Basic:Theories},
-@{text ToyList} is not based on @{text Main} but on @{text Datatype}, a
-theory that contains pretty much everything but lists, thus avoiding
-ambiguities caused by defining lists twice.
-*}
-
-datatype 'a list = Nil ("[]")
- | Cons 'a "'a list" (infixr "#" 65);
-
-text{*\noindent
-The datatype\index{datatype@\isacommand {datatype} (command)}
-\tydx{list} introduces two
-constructors \cdx{Nil} and \cdx{Cons}, the
-empty~list and the operator that adds an element to the front of a list. For
-example, the term \isa{Cons True (Cons False Nil)} is a value of
-type @{typ"bool list"}, namely the list with the elements @{term"True"} and
-@{term"False"}. Because this notation quickly becomes unwieldy, the
-datatype declaration is annotated with an alternative syntax: instead of
-@{term[source]Nil} and \isa{Cons x xs} we can write
-@{term"[]"}\index{$HOL2list@\isa{[]}|bold} and
-@{term"x # xs"}\index{$HOL2list@\isa{\#}|bold}. In fact, this
-alternative syntax is the familiar one. Thus the list \isa{Cons True
-(Cons False Nil)} becomes @{term"True # False # []"}. The annotation
-\isacommand{infixr}\index{infixr@\isacommand{infixr} (annotation)}
-means that @{text"#"} associates to
-the right: the term @{term"x # y # z"} is read as @{text"x # (y # z)"}
-and not as @{text"(x # y) # z"}.
-The @{text 65} is the priority of the infix @{text"#"}.
-
-\begin{warn}
- Syntax annotations can be powerful, but they are difficult to master and
- are never necessary. You
- could drop them from theory @{text"ToyList"} and go back to the identifiers
- @{term[source]Nil} and @{term[source]Cons}. Novices should avoid using
- syntax annotations in their own theories.
-\end{warn}
-Next, two functions @{text"app"} and \cdx{rev} are defined recursively,
-in this order, because Isabelle insists on definition before use:
-*}
-
-primrec app :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" (infixr "@" 65) where
-"[] @ ys = ys" |
-"(x # xs) @ ys = x # (xs @ ys)"
-
-primrec rev :: "'a list \<Rightarrow> 'a list" where
-"rev [] = []" |
-"rev (x # xs) = (rev xs) @ (x # [])"
-
-text{*\noindent
-Each function definition is of the form
-\begin{center}
-\isacommand{primrec} \textit{name} @{text"::"} \textit{type} \textit{(optional syntax)} \isakeyword{where} \textit{equations}
-\end{center}
-The equations must be separated by @{text"|"}.
-%
-Function @{text"app"} is annotated with concrete syntax. Instead of the
-prefix syntax @{text"app xs ys"} the infix
-@{term"xs @ ys"}\index{$HOL2list@\isa{\at}|bold} becomes the preferred
-form.
-
-\index{*rev (constant)|(}\index{append function|(}
-The equations for @{text"app"} and @{term"rev"} hardly need comments:
-@{text"app"} appends two lists and @{term"rev"} reverses a list. The
-keyword \commdx{primrec} indicates that the recursion is
-of a particularly primitive kind where each recursive call peels off a datatype
-constructor from one of the arguments. Thus the
-recursion always terminates, i.e.\ the function is \textbf{total}.
-\index{functions!total}
-
-The termination requirement is absolutely essential in HOL, a logic of total
-functions. If we were to drop it, inconsistencies would quickly arise: the
-``definition'' $f(n) = f(n)+1$ immediately leads to $0 = 1$ by subtracting
-$f(n)$ on both sides.
-% However, this is a subtle issue that we cannot discuss here further.
-
-\begin{warn}
- As we have indicated, the requirement for total functions is an essential characteristic of HOL\@. It is only
- because of totality that reasoning in HOL is comparatively easy. More
- generally, the philosophy in HOL is to refrain from asserting arbitrary axioms (such as
- function definitions whose totality has not been proved) because they
- quickly lead to inconsistencies. Instead, fixed constructs for introducing
- types and functions are offered (such as \isacommand{datatype} and
- \isacommand{primrec}) which are guaranteed to preserve consistency.
-\end{warn}
-
-\index{syntax}%
-A remark about syntax. The textual definition of a theory follows a fixed
-syntax with keywords like \isacommand{datatype} and \isacommand{end}.
-% (see Fig.~\ref{fig:keywords} in Appendix~\ref{sec:Appendix} for a full list).
-Embedded in this syntax are the types and formulae of HOL, whose syntax is
-extensible (see \S\ref{sec:concrete-syntax}), e.g.\ by new user-defined infix operators.
-To distinguish the two levels, everything
-HOL-specific (terms and types) should be enclosed in
-\texttt{"}\dots\texttt{"}.
-To lessen this burden, quotation marks around a single identifier can be
-dropped, unless the identifier happens to be a keyword, for example
-\isa{"end"}.
-When Isabelle prints a syntax error message, it refers to the HOL syntax as
-the \textbf{inner syntax} and the enclosing theory language as the \textbf{outer syntax}.
-
-Comments\index{comment} must be in enclosed in \texttt{(* }and\texttt{ *)}.
-
-\section{Evaluation}
-\index{evaluation}
-
-Assuming you have processed the declarations and definitions of
-\texttt{ToyList} presented so far, you may want to test your
-functions by running them. For example, what is the value of
-@{term"rev(True#False#[])"}? Command
-*}
-
-value "rev (True # False # [])"
-
-text{* \noindent yields the correct result @{term"False # True # []"}.
-But we can go beyond mere functional programming and evaluate terms with
-variables in them, executing functions symbolically: *}
-
-value "rev (a # b # c # [])"
-
-text{*\noindent yields @{term"c # b # a # []"}.
-
-\section{An Introductory Proof}
-\label{sec:intro-proof}
-
-Having convinced ourselves (as well as one can by testing) that our
-definitions capture our intentions, we are ready to prove a few simple
-theorems. This will illustrate not just the basic proof commands but
-also the typical proof process.
-
-\subsubsection*{Main Goal.}
-
-Our goal is to show that reversing a list twice produces the original
-list.
-*}
-
-theorem rev_rev [simp]: "rev(rev xs) = xs";
-
-txt{*\index{theorem@\isacommand {theorem} (command)|bold}%
-\noindent
-This \isacommand{theorem} command does several things:
-\begin{itemize}
-\item
-It establishes a new theorem to be proved, namely @{prop"rev(rev xs) = xs"}.
-\item
-It gives that theorem the name @{text"rev_rev"}, for later reference.
-\item
-It tells Isabelle (via the bracketed attribute \attrdx{simp}) to take the eventual theorem as a simplification rule: future proofs involving
-simplification will replace occurrences of @{term"rev(rev xs)"} by
-@{term"xs"}.
-\end{itemize}
-The name and the simplification attribute are optional.
-Isabelle's response is to print the initial proof state consisting
-of some header information (like how many subgoals there are) followed by
-@{subgoals[display,indent=0]}
-For compactness reasons we omit the header in this tutorial.
-Until we have finished a proof, the \rmindex{proof state} proper
-always looks like this:
-\begin{isabelle}
-~1.~$G\sb{1}$\isanewline
-~~\vdots~~\isanewline
-~$n$.~$G\sb{n}$
-\end{isabelle}
-The numbered lines contain the subgoals $G\sb{1}$, \dots, $G\sb{n}$
-that we need to prove to establish the main goal.\index{subgoals}
-Initially there is only one subgoal, which is identical with the
-main goal. (If you always want to see the main goal as well,
-set the flag \isa{Proof.show_main_goal}\index{*show_main_goal (flag)}
---- this flag used to be set by default.)
-
-Let us now get back to @{prop"rev(rev xs) = xs"}. Properties of recursively
-defined functions are best established by induction. In this case there is
-nothing obvious except induction on @{term"xs"}:
-*}
-
-apply(induct_tac xs);
-
-txt{*\noindent\index{*induct_tac (method)}%
-This tells Isabelle to perform induction on variable @{term"xs"}. The suffix
-@{term"tac"} stands for \textbf{tactic},\index{tactics}
-a synonym for ``theorem proving function''.
-By default, induction acts on the first subgoal. The new proof state contains
-two subgoals, namely the base case (@{term[source]Nil}) and the induction step
-(@{term[source]Cons}):
-@{subgoals[display,indent=0,margin=65]}
-
-The induction step is an example of the general format of a subgoal:\index{subgoals}
-\begin{isabelle}
-~$i$.~{\isasymAnd}$x\sb{1}$~\dots$x\sb{n}$.~{\it assumptions}~{\isasymLongrightarrow}~{\it conclusion}
-\end{isabelle}\index{$IsaAnd@\isasymAnd|bold}
-The prefix of bound variables \isasymAnd$x\sb{1}$~\dots~$x\sb{n}$ can be
-ignored most of the time, or simply treated as a list of variables local to
-this subgoal. Their deeper significance is explained in Chapter~\ref{chap:rules}.
-The {\it assumptions}\index{assumptions!of subgoal}
-are the local assumptions for this subgoal and {\it
- conclusion}\index{conclusion!of subgoal} is the actual proposition to be proved.
-Typical proof steps
-that add new assumptions are induction and case distinction. In our example
-the only assumption is the induction hypothesis @{term"rev (rev list) =
- list"}, where @{term"list"} is a variable name chosen by Isabelle. If there
-are multiple assumptions, they are enclosed in the bracket pair
-\indexboldpos{\isasymlbrakk}{$Isabrl} and
-\indexboldpos{\isasymrbrakk}{$Isabrr} and separated by semicolons.
-
-Let us try to solve both goals automatically:
-*}
-
-apply(auto);
-
-txt{*\noindent
-This command tells Isabelle to apply a proof strategy called
-@{text"auto"} to all subgoals. Essentially, @{text"auto"} tries to
-simplify the subgoals. In our case, subgoal~1 is solved completely (thanks
-to the equation @{prop"rev [] = []"}) and disappears; the simplified version
-of subgoal~2 becomes the new subgoal~1:
-@{subgoals[display,indent=0,margin=70]}
-In order to simplify this subgoal further, a lemma suggests itself.
-*}
-(*<*)
-oops
-(*>*)
-
-subsubsection{*First Lemma*}
-
-text{*
-\indexbold{abandoning a proof}\indexbold{proofs!abandoning}
-After abandoning the above proof attempt (at the shell level type
-\commdx{oops}) we start a new proof:
-*}
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
-
-txt{*\noindent The keywords \commdx{theorem} and
-\commdx{lemma} are interchangeable and merely indicate
-the importance we attach to a proposition. Therefore we use the words
-\emph{theorem} and \emph{lemma} pretty much interchangeably, too.
-
-There are two variables that we could induct on: @{term"xs"} and
-@{term"ys"}. Because @{text"@"} is defined by recursion on
-the first argument, @{term"xs"} is the correct one:
-*}
-
-apply(induct_tac xs);
-
-txt{*\noindent
-This time not even the base case is solved automatically:
-*}
-
-apply(auto);
-
-txt{*
-@{subgoals[display,indent=0,goals_limit=1]}
-Again, we need to abandon this proof attempt and prove another simple lemma
-first. In the future the step of abandoning an incomplete proof before
-embarking on the proof of a lemma usually remains implicit.
-*}
-(*<*)
-oops
-(*>*)
-
-subsubsection{*Second Lemma*}
-
-text{*
-We again try the canonical proof procedure:
-*}
-
-lemma app_Nil2 [simp]: "xs @ [] = xs";
-apply(induct_tac xs);
-apply(auto);
-
-txt{*
-\noindent
-It works, yielding the desired message @{text"No subgoals!"}:
-@{goals[display,indent=0]}
-We still need to confirm that the proof is now finished:
-*}
-
-done
-
-text{*\noindent
-As a result of that final \commdx{done}, Isabelle associates the lemma just proved
-with its name. In this tutorial, we sometimes omit to show that final \isacommand{done}
-if it is obvious from the context that the proof is finished.
-
-% Instead of \isacommand{apply} followed by a dot, you can simply write
-% \isacommand{by}\indexbold{by}, which we do most of the time.
-Notice that in lemma @{thm[source]app_Nil2},
-as printed out after the final \isacommand{done}, the free variable @{term"xs"} has been
-replaced by the unknown @{text"?xs"}, just as explained in
-\S\ref{sec:variables}.
-
-Going back to the proof of the first lemma
-*}
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
-apply(induct_tac xs);
-apply(auto);
-
-txt{*
-\noindent
-we find that this time @{text"auto"} solves the base case, but the
-induction step merely simplifies to
-@{subgoals[display,indent=0,goals_limit=1]}
-Now we need to remember that @{text"@"} associates to the right, and that
-@{text"#"} and @{text"@"} have the same priority (namely the @{text"65"}
-in their \isacommand{infixr} annotation). Thus the conclusion really is
-\begin{isabelle}
-~~~~~(rev~ys~@~rev~list)~@~(a~\#~[])~=~rev~ys~@~(rev~list~@~(a~\#~[]))
-\end{isabelle}
-and the missing lemma is associativity of @{text"@"}.
-*}
-(*<*)oops(*>*)
-
-subsubsection{*Third Lemma*}
-
-text{*
-Abandoning the previous attempt, the canonical proof procedure
-succeeds without further ado.
-*}
-
-lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)";
-apply(induct_tac xs);
-apply(auto);
-done
-
-text{*
-\noindent
-Now we can prove the first lemma:
-*}
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
-apply(induct_tac xs);
-apply(auto);
-done
-
-text{*\noindent
-Finally, we prove our main theorem:
-*}
-
-theorem rev_rev [simp]: "rev(rev xs) = xs";
-apply(induct_tac xs);
-apply(auto);
-done
-
-text{*\noindent
-The final \commdx{end} tells Isabelle to close the current theory because
-we are finished with its development:%
-\index{*rev (constant)|)}\index{append function|)}
-*}
-
-end
--- a/doc-src/TutorialI/ToyList/ToyList1 Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-theory ToyList
-imports Datatype
-begin
-
-datatype 'a list = Nil ("[]")
- | Cons 'a "'a list" (infixr "#" 65)
-
-(* This is the append function: *)
-primrec app :: "'a list => 'a list => 'a list" (infixr "@" 65)
-where
-"[] @ ys = ys" |
-"(x # xs) @ ys = x # (xs @ ys)"
-
-primrec rev :: "'a list => 'a list" where
-"rev [] = []" |
-"rev (x # xs) = (rev xs) @ (x # [])"
--- a/doc-src/TutorialI/ToyList/ToyList2 Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-lemma app_Nil2 [simp]: "xs @ [] = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)"
-apply(induct_tac xs)
-apply(auto)
-done
-
-theorem rev_rev [simp]: "rev(rev xs) = xs"
-apply(induct_tac xs)
-apply(auto)
-done
-
-end
--- a/doc-src/TutorialI/Trie/Trie.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,245 +0,0 @@
-(*<*)
-theory Trie imports Main begin;
-(*>*)
-text{*
-To minimize running time, each node of a trie should contain an array that maps
-letters to subtries. We have chosen a
-representation where the subtries are held in an association list, i.e.\ a
-list of (letter,trie) pairs. Abstracting over the alphabet @{typ"'a"} and the
-values @{typ"'v"} we define a trie as follows:
-*};
-
-datatype ('a,'v)trie = Trie "'v option" "('a * ('a,'v)trie)list";
-
-text{*\noindent
-\index{datatypes!and nested recursion}%
-The first component is the optional value, the second component the
-association list of subtries. This is an example of nested recursion involving products,
-which is fine because products are datatypes as well.
-We define two selector functions:
-*};
-
-primrec "value" :: "('a,'v)trie \<Rightarrow> 'v option" where
-"value(Trie ov al) = ov"
-primrec alist :: "('a,'v)trie \<Rightarrow> ('a * ('a,'v)trie)list" where
-"alist(Trie ov al) = al"
-
-text{*\noindent
-Association lists come with a generic lookup function. Its result
-involves type @{text option} because a lookup can fail:
-*};
-
-primrec assoc :: "('key * 'val)list \<Rightarrow> 'key \<Rightarrow> 'val option" where
-"assoc [] x = None" |
-"assoc (p#ps) x =
- (let (a,b) = p in if a=x then Some b else assoc ps x)"
-
-text{*
-Now we can define the lookup function for tries. It descends into the trie
-examining the letters of the search string one by one. As
-recursion on lists is simpler than on tries, let us express this as primitive
-recursion on the search string argument:
-*};
-
-primrec lookup :: "('a,'v)trie \<Rightarrow> 'a list \<Rightarrow> 'v option" where
-"lookup t [] = value t" |
-"lookup t (a#as) = (case assoc (alist t) a of
- None \<Rightarrow> None
- | Some at \<Rightarrow> lookup at as)"
-
-text{*
-As a first simple property we prove that looking up a string in the empty
-trie @{term"Trie None []"} always returns @{const None}. The proof merely
-distinguishes the two cases whether the search string is empty or not:
-*};
-
-lemma [simp]: "lookup (Trie None []) as = None";
-apply(case_tac as, simp_all);
-done
-
-text{*
-Things begin to get interesting with the definition of an update function
-that adds a new (string, value) pair to a trie, overwriting the old value
-associated with that string:
-*};
-
-primrec update:: "('a,'v)trie \<Rightarrow> 'a list \<Rightarrow> 'v \<Rightarrow> ('a,'v)trie" where
-"update t [] v = Trie (Some v) (alist t)" |
-"update t (a#as) v =
- (let tt = (case assoc (alist t) a of
- None \<Rightarrow> Trie None [] | Some at \<Rightarrow> at)
- in Trie (value t) ((a,update tt as v) # alist t))"
-
-text{*\noindent
-The base case is obvious. In the recursive case the subtrie
-@{term tt} associated with the first letter @{term a} is extracted,
-recursively updated, and then placed in front of the association list.
-The old subtrie associated with @{term a} is still in the association list
-but no longer accessible via @{const assoc}. Clearly, there is room here for
-optimizations!
-
-Before we start on any proofs about @{const update} we tell the simplifier to
-expand all @{text let}s and to split all @{text case}-constructs over
-options:
-*};
-
-declare Let_def[simp] option.split[split]
-
-text{*\noindent
-The reason becomes clear when looking (probably after a failed proof
-attempt) at the body of @{const update}: it contains both
-@{text let} and a case distinction over type @{text option}.
-
-Our main goal is to prove the correct interaction of @{const update} and
-@{const lookup}:
-*};
-
-theorem "\<forall>t v bs. lookup (update t as v) bs =
- (if as=bs then Some v else lookup t bs)";
-
-txt{*\noindent
-Our plan is to induct on @{term as}; hence the remaining variables are
-quantified. From the definitions it is clear that induction on either
-@{term as} or @{term bs} is required. The choice of @{term as} is
-guided by the intuition that simplification of @{const lookup} might be easier
-if @{const update} has already been simplified, which can only happen if
-@{term as} is instantiated.
-The start of the proof is conventional:
-*};
-apply(induct_tac as, auto);
-
-txt{*\noindent
-Unfortunately, this time we are left with three intimidating looking subgoals:
-\begin{isabelle}
-~1.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
-~2.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
-~3.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs
-\end{isabelle}
-Clearly, if we want to make headway we have to instantiate @{term bs} as
-well now. It turns out that instead of induction, case distinction
-suffices:
-*};
-apply(case_tac[!] bs, auto);
-done
-
-text{*\noindent
-\index{subgoal numbering}%
-All methods ending in @{text tac} take an optional first argument that
-specifies the range of subgoals they are applied to, where @{text"[!]"} means
-all subgoals, i.e.\ @{text"[1-3]"} in our case. Individual subgoal numbers,
-e.g. @{text"[2]"} are also allowed.
-
-This proof may look surprisingly straightforward. However, note that this
-comes at a cost: the proof script is unreadable because the intermediate
-proof states are invisible, and we rely on the (possibly brittle) magic of
-@{text auto} (@{text simp_all} will not do --- try it) to split the subgoals
-of the induction up in such a way that case distinction on @{term bs} makes
-sense and solves the proof.
-
-\begin{exercise}
- Modify @{const update} (and its type) such that it allows both insertion and
- deletion of entries with a single function. Prove the corresponding version
- of the main theorem above.
- Optimize your function such that it shrinks tries after
- deletion if possible.
-\end{exercise}
-
-\begin{exercise}
- Write an improved version of @{const update} that does not suffer from the
- space leak (pointed out above) caused by not deleting overwritten entries
- from the association list. Prove the main theorem for your improved
- @{const update}.
-\end{exercise}
-
-\begin{exercise}
- Conceptually, each node contains a mapping from letters to optional
- subtries. Above we have implemented this by means of an association
- list. Replay the development replacing @{typ "('a * ('a,'v)trie)list"}
- with @{typ"'a \<Rightarrow> ('a,'v)trie option"}.
-\end{exercise}
-
-*};
-
-(*<*)
-
-(* Exercise 1. Solution by Getrud Bauer *)
-
-primrec update1 :: "('a, 'v) trie \<Rightarrow> 'a list \<Rightarrow> 'v option \<Rightarrow> ('a, 'v) trie"
-where
- "update1 t [] vo = Trie vo (alist t)" |
- "update1 t (a#as) vo =
- (let tt = (case assoc (alist t) a of
- None \<Rightarrow> Trie None []
- | Some at \<Rightarrow> at)
- in Trie (value t) ((a, update1 tt as vo) # alist t))"
-
-theorem [simp]: "\<forall>t v bs. lookup (update1 t as v) bs =
- (if as = bs then v else lookup t bs)";
-apply (induct_tac as, auto);
-apply (case_tac[!] bs, auto);
-done
-
-
-(* Exercise 2. Solution by Getrud Bauer *)
-
-primrec overwrite :: "'a \<Rightarrow> 'b \<Rightarrow> ('a * 'b) list \<Rightarrow> ('a * 'b) list" where
-"overwrite a v [] = [(a,v)]" |
-"overwrite a v (p#ps) = (if a = fst p then (a,v)#ps else p # overwrite a v ps)"
-
-lemma [simp]: "\<forall> a v b. assoc (overwrite a v ps) b = assoc ((a,v)#ps) b"
-apply (induct_tac ps, auto)
-apply (case_tac[!] a)
-done
-
-primrec update2 :: "('a, 'v) trie \<Rightarrow> 'a list \<Rightarrow> 'v option \<Rightarrow> ('a, 'v) trie"
-where
- "update2 t [] vo = Trie vo (alist t)" |
- "update2 t (a#as) vo =
- (let tt = (case assoc (alist t) a of
- None \<Rightarrow> Trie None []
- | Some at \<Rightarrow> at)
- in Trie (value t) (overwrite a (update2 tt as vo) (alist t)))";
-
-theorem "\<forall>t v bs. lookup (update2 t as vo) bs =
- (if as = bs then vo else lookup t bs)";
-apply (induct_tac as, auto);
-apply (case_tac[!] bs, auto);
-done
-
-
-(* Exercise 3. Solution by Getrud Bauer *)
-datatype ('a,'v) triem = Triem "'v option" "'a \<Rightarrow> ('a,'v) triem option";
-
-primrec valuem :: "('a, 'v) triem \<Rightarrow> 'v option" where
-"valuem (Triem ov m) = ov"
-
-primrec mapping :: "('a,'v) triem \<Rightarrow> 'a \<Rightarrow> ('a, 'v) triem option" where
-"mapping (Triem ov m) = m"
-
-primrec lookupm :: "('a,'v) triem \<Rightarrow> 'a list \<Rightarrow> 'v option" where
- "lookupm t [] = valuem t" |
- "lookupm t (a#as) = (case mapping t a of
- None \<Rightarrow> None
- | Some at \<Rightarrow> lookupm at as)";
-
-lemma [simp]: "lookupm (Triem None (\<lambda>c. None)) as = None";
-apply (case_tac as, simp_all);
-done
-
-primrec updatem :: "('a,'v)triem \<Rightarrow> 'a list \<Rightarrow> 'v \<Rightarrow> ('a,'v)triem" where
- "updatem t [] v = Triem (Some v) (mapping t)" |
- "updatem t (a#as) v =
- (let tt = (case mapping t a of
- None \<Rightarrow> Triem None (\<lambda>c. None)
- | Some at \<Rightarrow> at)
- in Triem (valuem t)
- (\<lambda>c. if c = a then Some (updatem tt as v) else mapping t c))";
-
-theorem "\<forall>t v bs. lookupm (updatem t as v) bs =
- (if as = bs then Some v else lookupm t bs)";
-apply (induct_tac as, auto);
-apply (case_tac[!] bs, auto);
-done
-
-end;
-(*>*)
--- a/doc-src/TutorialI/Types/Axioms.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,261 +0,0 @@
-(*<*)theory Axioms imports Overloading Setup begin(*>*)
-
-subsection {* Axioms *}
-
-text {* Attaching axioms to our classes lets us reason on the level of
-classes. The results will be applicable to all types in a class, just
-as in axiomatic mathematics.
-
-\begin{warn}
-Proofs in this section use structured \emph{Isar} proofs, which are not
-covered in this tutorial; but see \cite{Nipkow-TYPES02}.%
-\end{warn} *}
-
-subsubsection {* Semigroups *}
-
-text{* We specify \emph{semigroups} as subclass of @{class plus}: *}
-
-class semigroup = plus +
- assumes assoc: "(x \<oplus> y) \<oplus> z = x \<oplus> (y \<oplus> z)"
-
-text {* \noindent This @{command class} specification requires that
-all instances of @{class semigroup} obey @{fact "assoc:"}~@{prop
-[source] "\<And>x y z \<Colon> 'a\<Colon>semigroup. (x \<oplus> y) \<oplus> z = x \<oplus> (y \<oplus> z)"}.
-
-We can use this class axiom to derive further abstract theorems
-relative to class @{class semigroup}: *}
-
-lemma assoc_left:
- fixes x y z :: "'a\<Colon>semigroup"
- shows "x \<oplus> (y \<oplus> z) = (x \<oplus> y) \<oplus> z"
- using assoc by (rule sym)
-
-text {* \noindent The @{class semigroup} constraint on type @{typ
-"'a"} restricts instantiations of @{typ "'a"} to types of class
-@{class semigroup} and during the proof enables us to use the fact
-@{fact assoc} whose type parameter is itself constrained to class
-@{class semigroup}. The main advantage of classes is that theorems
-can be proved in the abstract and freely reused for each instance.
-
-On instantiation, we have to give a proof that the given operations
-obey the class axioms: *}
-
-instantiation nat :: semigroup
-begin
-
-instance proof
-
-txt {* \noindent The proof opens with a default proof step, which for
-instance judgements invokes method @{method intro_classes}. *}
-
-
- fix m n q :: nat
- show "(m \<oplus> n) \<oplus> q = m \<oplus> (n \<oplus> q)"
- by (induct m) simp_all
-qed
-
-end
-
-text {* \noindent Again, the interesting things enter the stage with
-parametric types: *}
-
-instantiation prod :: (semigroup, semigroup) semigroup
-begin
-
-instance proof
- fix p\<^isub>1 p\<^isub>2 p\<^isub>3 :: "'a\<Colon>semigroup \<times> 'b\<Colon>semigroup"
- show "p\<^isub>1 \<oplus> p\<^isub>2 \<oplus> p\<^isub>3 = p\<^isub>1 \<oplus> (p\<^isub>2 \<oplus> p\<^isub>3)"
- by (cases p\<^isub>1, cases p\<^isub>2, cases p\<^isub>3) (simp add: assoc)
-
-txt {* \noindent Associativity of product semigroups is established
-using the hypothetical associativity @{fact assoc} of the type
-components, which holds due to the @{class semigroup} constraints
-imposed on the type components by the @{command instance} proposition.
-Indeed, this pattern often occurs with parametric types and type
-classes. *}
-
-qed
-
-end
-
-subsubsection {* Monoids *}
-
-text {* We define a subclass @{text monoidl} (a semigroup with a
-left-hand neutral) by extending @{class semigroup} with one additional
-parameter @{text neutral} together with its property: *}
-
-class monoidl = semigroup +
- fixes neutral :: "'a" ("\<zero>")
- assumes neutl: "\<zero> \<oplus> x = x"
-
-text {* \noindent Again, we prove some instances, by providing
-suitable parameter definitions and proofs for the additional
-specifications. *}
-
-instantiation nat :: monoidl
-begin
-
-definition
- neutral_nat_def: "\<zero> = (0\<Colon>nat)"
-
-instance proof
- fix n :: nat
- show "\<zero> \<oplus> n = n"
- unfolding neutral_nat_def by simp
-qed
-
-end
-
-text {* \noindent In contrast to the examples above, we here have both
-specification of class operations and a non-trivial instance proof.
-
-This covers products as well:
-*}
-
-instantiation prod :: (monoidl, monoidl) monoidl
-begin
-
-definition
- neutral_prod_def: "\<zero> = (\<zero>, \<zero>)"
-
-instance proof
- fix p :: "'a\<Colon>monoidl \<times> 'b\<Colon>monoidl"
- show "\<zero> \<oplus> p = p"
- by (cases p) (simp add: neutral_prod_def neutl)
-qed
-
-end
-
-text {* \noindent Fully-fledged monoids are modelled by another
-subclass which does not add new parameters but tightens the
-specification: *}
-
-class monoid = monoidl +
- assumes neutr: "x \<oplus> \<zero> = x"
-
-text {* \noindent Corresponding instances for @{typ nat} and products
-are left as an exercise to the reader. *}
-
-subsubsection {* Groups *}
-
-text {* \noindent To finish our small algebra example, we add a @{text
-group} class: *}
-
-class group = monoidl +
- fixes inv :: "'a \<Rightarrow> 'a" ("\<div> _" [81] 80)
- assumes invl: "\<div> x \<oplus> x = \<zero>"
-
-text {* \noindent We continue with a further example for abstract
-proofs relative to type classes: *}
-
-lemma left_cancel:
- fixes x y z :: "'a\<Colon>group"
- shows "x \<oplus> y = x \<oplus> z \<longleftrightarrow> y = z"
-proof
- assume "x \<oplus> y = x \<oplus> z"
- then have "\<div> x \<oplus> (x \<oplus> y) = \<div> x \<oplus> (x \<oplus> z)" by simp
- then have "(\<div> x \<oplus> x) \<oplus> y = (\<div> x \<oplus> x) \<oplus> z" by (simp add: assoc)
- then show "y = z" by (simp add: invl neutl)
-next
- assume "y = z"
- then show "x \<oplus> y = x \<oplus> z" by simp
-qed
-
-text {* \noindent Any @{text "group"} is also a @{text "monoid"}; this
-can be made explicit by claiming an additional subclass relation,
-together with a proof of the logical difference: *}
-
-instance group \<subseteq> monoid
-proof
- fix x
- from invl have "\<div> x \<oplus> x = \<zero>" .
- then have "\<div> x \<oplus> (x \<oplus> \<zero>) = \<div> x \<oplus> x"
- by (simp add: neutl invl assoc [symmetric])
- then show "x \<oplus> \<zero> = x" by (simp add: left_cancel)
-qed
-
-text {* \noindent The proof result is propagated to the type system,
-making @{text group} an instance of @{text monoid} by adding an
-additional edge to the graph of subclass relation; see also
-Figure~\ref{fig:subclass}.
-
-\begin{figure}[htbp]
- \begin{center}
- \small
- \unitlength 0.6mm
- \begin{picture}(40,60)(0,0)
- \put(20,60){\makebox(0,0){@{text semigroup}}}
- \put(20,40){\makebox(0,0){@{text monoidl}}}
- \put(00,20){\makebox(0,0){@{text monoid}}}
- \put(40,00){\makebox(0,0){@{text group}}}
- \put(20,55){\vector(0,-1){10}}
- \put(15,35){\vector(-1,-1){10}}
- \put(25,35){\vector(1,-3){10}}
- \end{picture}
- \hspace{8em}
- \begin{picture}(40,60)(0,0)
- \put(20,60){\makebox(0,0){@{text semigroup}}}
- \put(20,40){\makebox(0,0){@{text monoidl}}}
- \put(00,20){\makebox(0,0){@{text monoid}}}
- \put(40,00){\makebox(0,0){@{text group}}}
- \put(20,55){\vector(0,-1){10}}
- \put(15,35){\vector(-1,-1){10}}
- \put(05,15){\vector(3,-1){30}}
- \end{picture}
- \caption{Subclass relationship of monoids and groups:
- before and after establishing the relationship
- @{text "group \<subseteq> monoid"}; transitive edges are left out.}
- \label{fig:subclass}
- \end{center}
-\end{figure}
-*}
-
-subsubsection {* Inconsistencies *}
-
-text {* The reader may be wondering what happens if we attach an
-inconsistent set of axioms to a class. So far we have always avoided
-to add new axioms to HOL for fear of inconsistencies and suddenly it
-seems that we are throwing all caution to the wind. So why is there no
-problem?
-
-The point is that by construction, all type variables in the axioms of
-a \isacommand{class} are automatically constrained with the class
-being defined (as shown for axiom @{thm[source]refl} above). These
-constraints are always carried around and Isabelle takes care that
-they are never lost, unless the type variable is instantiated with a
-type that has been shown to belong to that class. Thus you may be able
-to prove @{prop False} from your axioms, but Isabelle will remind you
-that this theorem has the hidden hypothesis that the class is
-non-empty.
-
-Even if each individual class is consistent, intersections of
-(unrelated) classes readily become inconsistent in practice. Now we
-know this need not worry us. *}
-
-
-subsubsection{* Syntactic Classes and Predefined Overloading *}
-
-text {* In our algebra example, we have started with a \emph{syntactic
-class} @{class plus} which only specifies operations but no axioms; it
-would have been also possible to start immediately with class @{class
-semigroup}, specifying the @{text "\<oplus>"} operation and associativity at
-the same time.
-
-Which approach is more appropriate depends. Usually it is more
-convenient to introduce operations and axioms in the same class: then
-the type checker will automatically insert the corresponding class
-constraints whenever the operations occur, reducing the need of manual
-annotations. However, when operations are decorated with popular
-syntax, syntactic classes can be an option to re-use the syntax in
-different contexts; this is indeed the way most overloaded constants
-in HOL are introduced, of which the most important are listed in
-Table~\ref{tab:overloading} in the appendix. Section
-\ref{sec:numeric-classes} covers a range of corresponding classes
-\emph{with} axioms.
-
-Further note that classes may contain axioms but \emph{no} operations.
-An example is class @{class finite} from theory @{theory Finite_Set}
-which specifies a type to be finite: @{lemma [source] "finite (UNIV \<Colon> 'a\<Colon>finite
-set)" by (fact finite_UNIV)}. *}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Types/Numbers.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,280 +0,0 @@
-theory Numbers
-imports Complex_Main
-begin
-
-text{*
-
-numeric literals; default simprules; can re-orient
-*}
-
-lemma "2 * m = m + m"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-oops
-
-fun h :: "nat \<Rightarrow> nat" where
-"h i = (if i = 3 then 2 else i)"
-
-text{*
-@{term"h 3 = 2"}
-@{term"h i = i"}
-*}
-
-text{*
-@{thm[display] numeral_1_eq_1[no_vars]}
-\rulename{numeral_1_eq_1}
-
-@{thm[display] add_2_eq_Suc[no_vars]}
-\rulename{add_2_eq_Suc}
-
-@{thm[display] add_2_eq_Suc'[no_vars]}
-\rulename{add_2_eq_Suc'}
-
-@{thm[display] add_assoc[no_vars]}
-\rulename{add_assoc}
-
-@{thm[display] add_commute[no_vars]}
-\rulename{add_commute}
-
-@{thm[display] add_left_commute[no_vars]}
-\rulename{add_left_commute}
-
-these form add_ac; similarly there is mult_ac
-*}
-
-lemma "Suc(i + j*l*k + m*n) = f (n*m + i + k*j*l)"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply (simp add: add_ac mult_ac)
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-oops
-
-text{*
-
-@{thm[display] div_le_mono[no_vars]}
-\rulename{div_le_mono}
-
-@{thm[display] diff_mult_distrib[no_vars]}
-\rulename{diff_mult_distrib}
-
-@{thm[display] mult_mod_left[no_vars]}
-\rulename{mult_mod_left}
-
-@{thm[display] nat_diff_split[no_vars]}
-\rulename{nat_diff_split}
-*}
-
-
-lemma "(n - 1) * (n + 1) = n * n - (1::nat)"
-apply (clarsimp split: nat_diff_split iff del: less_Suc0)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (subgoal_tac "n=0", force, arith)
-done
-
-
-lemma "(n - 2) * (n + 2) = n * n - (4::nat)"
-apply (simp split: nat_diff_split, clarify)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (subgoal_tac "n=0 | n=1", force, arith)
-done
-
-text{*
-@{thm[display] mod_if[no_vars]}
-\rulename{mod_if}
-
-@{thm[display] mod_div_equality[no_vars]}
-\rulename{mod_div_equality}
-
-
-@{thm[display] div_mult1_eq[no_vars]}
-\rulename{div_mult1_eq}
-
-@{thm[display] mod_mult_right_eq[no_vars]}
-\rulename{mod_mult_right_eq}
-
-@{thm[display] div_mult2_eq[no_vars]}
-\rulename{div_mult2_eq}
-
-@{thm[display] mod_mult2_eq[no_vars]}
-\rulename{mod_mult2_eq}
-
-@{thm[display] div_mult_mult1[no_vars]}
-\rulename{div_mult_mult1}
-
-@{thm[display] div_by_0 [no_vars]}
-\rulename{div_by_0}
-
-@{thm[display] mod_by_0 [no_vars]}
-\rulename{mod_by_0}
-
-@{thm[display] dvd_antisym[no_vars]}
-\rulename{dvd_antisym}
-
-@{thm[display] dvd_add[no_vars]}
-\rulename{dvd_add}
-
-For the integers, I'd list a few theorems that somehow involve negative
-numbers.*}
-
-
-text{*
-Division, remainder of negatives
-
-
-@{thm[display] pos_mod_sign[no_vars]}
-\rulename{pos_mod_sign}
-
-@{thm[display] pos_mod_bound[no_vars]}
-\rulename{pos_mod_bound}
-
-@{thm[display] neg_mod_sign[no_vars]}
-\rulename{neg_mod_sign}
-
-@{thm[display] neg_mod_bound[no_vars]}
-\rulename{neg_mod_bound}
-
-@{thm[display] zdiv_zadd1_eq[no_vars]}
-\rulename{zdiv_zadd1_eq}
-
-@{thm[display] mod_add_eq[no_vars]}
-\rulename{mod_add_eq}
-
-@{thm[display] zdiv_zmult1_eq[no_vars]}
-\rulename{zdiv_zmult1_eq}
-
-@{thm[display] mod_mult_right_eq[no_vars]}
-\rulename{mod_mult_right_eq}
-
-@{thm[display] zdiv_zmult2_eq[no_vars]}
-\rulename{zdiv_zmult2_eq}
-
-@{thm[display] zmod_zmult2_eq[no_vars]}
-\rulename{zmod_zmult2_eq}
-*}
-
-lemma "abs (x+y) \<le> abs x + abs (y :: int)"
-by arith
-
-lemma "abs (2*x) = 2 * abs (x :: int)"
-by (simp add: abs_if)
-
-
-text {*Induction rules for the Integers
-
-@{thm[display] int_ge_induct[no_vars]}
-\rulename{int_ge_induct}
-
-@{thm[display] int_gr_induct[no_vars]}
-\rulename{int_gr_induct}
-
-@{thm[display] int_le_induct[no_vars]}
-\rulename{int_le_induct}
-
-@{thm[display] int_less_induct[no_vars]}
-\rulename{int_less_induct}
-*}
-
-text {*FIELDS
-
-@{thm[display] dense[no_vars]}
-\rulename{dense}
-
-@{thm[display] times_divide_eq_right[no_vars]}
-\rulename{times_divide_eq_right}
-
-@{thm[display] times_divide_eq_left[no_vars]}
-\rulename{times_divide_eq_left}
-
-@{thm[display] divide_divide_eq_right[no_vars]}
-\rulename{divide_divide_eq_right}
-
-@{thm[display] divide_divide_eq_left[no_vars]}
-\rulename{divide_divide_eq_left}
-
-@{thm[display] minus_divide_left[no_vars]}
-\rulename{minus_divide_left}
-
-@{thm[display] minus_divide_right[no_vars]}
-\rulename{minus_divide_right}
-
-This last NOT a simprule
-
-@{thm[display] add_divide_distrib[no_vars]}
-\rulename{add_divide_distrib}
-*}
-
-lemma "3/4 < (7/8 :: real)"
-by simp
-
-lemma "P ((3/4) * (8/15 :: real))"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply simp
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-oops
-
-lemma "(3/4) * (8/15) < (x :: real)"
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-apply simp
-txt{*
-@{subgoals[display,indent=0,margin=65]}
-*};
-oops
-
-text{*
-Ring and Field
-
-Requires a field, or else an ordered ring
-
-@{thm[display] mult_eq_0_iff[no_vars]}
-\rulename{mult_eq_0_iff}
-
-@{thm[display] mult_cancel_right[no_vars]}
-\rulename{mult_cancel_right}
-
-@{thm[display] mult_cancel_left[no_vars]}
-\rulename{mult_cancel_left}
-*}
-
-text{*
-effect of show sorts on the above
-
-@{thm[display,show_sorts] mult_cancel_left[no_vars]}
-\rulename{mult_cancel_left}
-*}
-
-text{*
-absolute value
-
-@{thm[display] abs_mult[no_vars]}
-\rulename{abs_mult}
-
-@{thm[display] abs_le_iff[no_vars]}
-\rulename{abs_le_iff}
-
-@{thm[display] abs_triangle_ineq[no_vars]}
-\rulename{abs_triangle_ineq}
-
-@{thm[display] power_add[no_vars]}
-\rulename{power_add}
-
-@{thm[display] power_mult[no_vars]}
-\rulename{power_mult}
-
-@{thm[display] power_abs[no_vars]}
-\rulename{power_abs}
-
-
-*}
-
-
-end
--- a/doc-src/TutorialI/Types/Overloading.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,78 +0,0 @@
-(*<*)theory Overloading imports Main Setup begin
-
-hide_class (open) plus (*>*)
-
-text {* Type classes allow \emph{overloading}; thus a constant may
-have multiple definitions at non-overlapping types. *}
-
-subsubsection {* Overloading *}
-
-text {* We can introduce a binary infix addition operator @{text "\<otimes>"}
-for arbitrary types by means of a type class: *}
-
-class plus =
- fixes plus :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "\<oplus>" 70)
-
-text {* \noindent This introduces a new class @{class [source] plus},
-along with a constant @{const [source] plus} with nice infix syntax.
-@{const [source] plus} is also named \emph{class operation}. The type
-of @{const [source] plus} carries a class constraint @{typ [source] "'a
-:: plus"} on its type variable, meaning that only types of class
-@{class [source] plus} can be instantiated for @{typ [source] "'a"}.
-To breathe life into @{class [source] plus} we need to declare a type
-to be an \bfindex{instance} of @{class [source] plus}: *}
-
-instantiation nat :: plus
-begin
-
-text {* \noindent Command \isacommand{instantiation} opens a local
-theory context. Here we can now instantiate @{const [source] plus} on
-@{typ nat}: *}
-
-primrec plus_nat :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
- "(0::nat) \<oplus> n = n"
- | "Suc m \<oplus> n = Suc (m \<oplus> n)"
-
-text {* \noindent Note that the name @{const [source] plus} carries a
-suffix @{text "_nat"}; by default, the local name of a class operation
-@{text f} to be instantiated on type constructor @{text \<kappa>} is mangled
-as @{text f_\<kappa>}. In case of uncertainty, these names may be inspected
-using the @{command "print_context"} command or the corresponding
-ProofGeneral button.
-
-Although class @{class [source] plus} has no axioms, the instantiation must be
-formally concluded by a (trivial) instantiation proof ``..'': *}
-
-instance ..
-
-text {* \noindent More interesting \isacommand{instance} proofs will
-arise below.
-
-The instantiation is finished by an explicit *}
-
-end
-
-text {* \noindent From now on, terms like @{term "Suc (m \<oplus> 2)"} are
-legal. *}
-
-instantiation prod :: (plus, plus) plus
-begin
-
-text {* \noindent Here we instantiate the product type @{type prod} to
-class @{class [source] plus}, given that its type arguments are of
-class @{class [source] plus}: *}
-
-fun plus_prod :: "'a \<times> 'b \<Rightarrow> 'a \<times> 'b \<Rightarrow> 'a \<times> 'b" where
- "(x, y) \<oplus> (w, z) = (x \<oplus> w, y \<oplus> z)"
-
-text {* \noindent Obviously, overloaded specifications may include
-recursion over the syntactic structure of types. *}
-
-instance ..
-
-end
-
-text {* \noindent This way we have encoded the canonical lifting of
-binary operations to products by means of type classes. *}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/Types/Pairs.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,208 +0,0 @@
-(*<*)theory Pairs imports Main begin(*>*)
-
-section{*Pairs and Tuples*}
-
-text{*\label{sec:products}
-Ordered pairs were already introduced in \S\ref{sec:pairs}, but only with a minimal
-repertoire of operations: pairing and the two projections @{term fst} and
-@{term snd}. In any non-trivial application of pairs you will find that this
-quickly leads to unreadable nests of projections. This
-section introduces syntactic sugar to overcome this
-problem: pattern matching with tuples.
-*}
-
-subsection{*Pattern Matching with Tuples*}
-
-text{*
-Tuples may be used as patterns in $\lambda$-abstractions,
-for example @{text"\<lambda>(x,y,z).x+y+z"} and @{text"\<lambda>((x,y),z).x+y+z"}. In fact,
-tuple patterns can be used in most variable binding constructs,
-and they can be nested. Here are
-some typical examples:
-\begin{quote}
-@{term"let (x,y) = f z in (y,x)"}\\
-@{term"case xs of [] => (0::nat) | (x,y)#zs => x+y"}\\
-@{text"\<forall>(x,y)\<in>A. x=y"}\\
-@{text"{(x,y,z). x=z}"}\\
-@{term"\<Union>(x,y)\<in>A. {x+y}"}
-\end{quote}
-The intuitive meanings of these expressions should be obvious.
-Unfortunately, we need to know in more detail what the notation really stands
-for once we have to reason about it. Abstraction
-over pairs and tuples is merely a convenient shorthand for a more complex
-internal representation. Thus the internal and external form of a term may
-differ, which can affect proofs. If you want to avoid this complication,
-stick to @{term fst} and @{term snd} and write @{term"%p. fst p + snd p"}
-instead of @{text"\<lambda>(x,y). x+y"}. These terms are distinct even though they
-denote the same function.
-
-Internally, @{term"%(x,y). t"} becomes @{text"split (\<lambda>x y. t)"}, where
-\cdx{split} is the uncurrying function of type @{text"('a \<Rightarrow> 'b
-\<Rightarrow> 'c) \<Rightarrow> 'a \<times> 'b \<Rightarrow> 'c"} defined as
-\begin{center}
-@{thm split_def}
-\hfill(@{thm[source]split_def})
-\end{center}
-Pattern matching in
-other variable binding constructs is translated similarly. Thus we need to
-understand how to reason about such constructs.
-*}
-
-subsection{*Theorem Proving*}
-
-text{*
-The most obvious approach is the brute force expansion of @{term split}:
-*}
-
-lemma "(\<lambda>(x,y).x) p = fst p"
-by(simp add: split_def)
-
-text{* \noindent
-This works well if rewriting with @{thm[source]split_def} finishes the
-proof, as it does above. But if it does not, you end up with exactly what
-we are trying to avoid: nests of @{term fst} and @{term snd}. Thus this
-approach is neither elegant nor very practical in large examples, although it
-can be effective in small ones.
-
-If we consider why this lemma presents a problem,
-we realize that we need to replace variable~@{term
-p} by some pair @{term"(a,b)"}. Then both sides of the
-equation would simplify to @{term a} by the simplification rules
-@{thm split_conv[no_vars]} and @{thm fst_conv[no_vars]}.
-To reason about tuple patterns requires some way of
-converting a variable of product type into a pair.
-In case of a subterm of the form @{term"split f p"} this is easy: the split
-rule @{thm[source]split_split} replaces @{term p} by a pair:%
-\index{*split (method)}
-*}
-
-lemma "(\<lambda>(x,y).y) p = snd p"
-apply(split split_split);
-
-txt{*
-@{subgoals[display,indent=0]}
-This subgoal is easily proved by simplification. Thus we could have combined
-simplification and splitting in one command that proves the goal outright:
-*}
-(*<*)
-by simp
-lemma "(\<lambda>(x,y).y) p = snd p"(*>*)
-by(simp split: split_split)
-
-text{*
-Let us look at a second example:
-*}
-
-lemma "let (x,y) = p in fst p = x";
-apply(simp only: Let_def)
-
-txt{*
-@{subgoals[display,indent=0]}
-A paired @{text let} reduces to a paired $\lambda$-abstraction, which
-can be split as above. The same is true for paired set comprehension:
-*}
-
-(*<*)by(simp split: split_split)(*>*)
-lemma "p \<in> {(x,y). x=y} \<longrightarrow> fst p = snd p"
-apply simp
-
-txt{*
-@{subgoals[display,indent=0]}
-Again, simplification produces a term suitable for @{thm[source]split_split}
-as above. If you are worried about the strange form of the premise:
-@{text"split (op =)"} is short for @{term"\<lambda>(x,y). x=y"}.
-The same proof procedure works for
-*}
-
-(*<*)by(simp split: split_split)(*>*)
-lemma "p \<in> {(x,y). x=y} \<Longrightarrow> fst p = snd p"
-
-txt{*\noindent
-except that we now have to use @{thm[source]split_split_asm}, because
-@{term split} occurs in the assumptions.
-
-However, splitting @{term split} is not always a solution, as no @{term split}
-may be present in the goal. Consider the following function:
-*}
-
-(*<*)by(simp split: split_split_asm)(*>*)
-primrec swap :: "'a \<times> 'b \<Rightarrow> 'b \<times> 'a" where "swap (x,y) = (y,x)"
-
-text{*\noindent
-Note that the above \isacommand{primrec} definition is admissible
-because @{text"\<times>"} is a datatype. When we now try to prove
-*}
-
-lemma "swap(swap p) = p"
-
-txt{*\noindent
-simplification will do nothing, because the defining equation for
-@{const[source] swap} expects a pair. Again, we need to turn @{term p}
-into a pair first, but this time there is no @{term split} in sight.
-The only thing we can do is to split the term by hand:
-*}
-apply(case_tac p)
-
-txt{*\noindent
-@{subgoals[display,indent=0]}
-Again, \methdx{case_tac} is applicable because @{text"\<times>"} is a datatype.
-The subgoal is easily proved by @{text simp}.
-
-Splitting by @{text case_tac} also solves the previous examples and may thus
-appear preferable to the more arcane methods introduced first. However, see
-the warning about @{text case_tac} in \S\ref{sec:struct-ind-case}.
-
-Alternatively, you can split \emph{all} @{text"\<And>"}-quantified variables
-in a goal with the rewrite rule @{thm[source]split_paired_all}:
-*}
-
-(*<*)by simp(*>*)
-lemma "\<And>p q. swap(swap p) = q \<longrightarrow> p = q"
-apply(simp only: split_paired_all)
-
-txt{*\noindent
-@{subgoals[display,indent=0,margin=70]}
-*}
-
-apply simp
-done
-
-text{*\noindent
-Note that we have intentionally included only @{thm[source]split_paired_all}
-in the first simplification step, and then we simplify again.
-This time the reason was not merely
-pedagogical:
-@{thm[source]split_paired_all} may interfere with other functions
-of the simplifier.
-The following command could fail (here it does not)
-where two separate \isa{simp} applications succeed.
-*}
-
-(*<*)
-lemma "\<And>p q. swap(swap p) = q \<longrightarrow> p = q"
-(*>*)
-apply(simp add: split_paired_all)
-(*<*)done(*>*)
-text{*\noindent
-Finally, the simplifier automatically splits all @{text"\<forall>"} and
-@{text"\<exists>"}-quantified variables:
-*}
-
-lemma "\<forall>p. \<exists>q. swap p = swap q"
-by simp;
-
-text{*\noindent
-To turn off this automatic splitting, disable the
-responsible simplification rules:
-\begin{center}
-@{thm split_paired_All[no_vars]}
-\hfill
-(@{thm[source]split_paired_All})\\
-@{thm split_paired_Ex[no_vars]}
-\hfill
-(@{thm[source]split_paired_Ex})
-\end{center}
-*}
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Types/Records.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,408 +0,0 @@
-
-header {* Records \label{sec:records} *}
-
-(*<*)
-theory Records imports Main begin
-(*>*)
-
-text {*
- \index{records|(}%
- Records are familiar from programming languages. A record of $n$
- fields is essentially an $n$-tuple, but the record's components have
- names, which can make expressions easier to read and reduces the
- risk of confusing one field for another.
-
- A record of Isabelle/HOL covers a collection of fields, with select
- and update operations. Each field has a specified type, which may
- be polymorphic. The field names are part of the record type, and
- the order of the fields is significant --- as it is in Pascal but
- not in Standard ML. If two different record types have field names
- in common, then the ambiguity is resolved in the usual way, by
- qualified names.
-
- Record types can also be defined by extending other record types.
- Extensible records make use of the reserved pseudo-field \cdx{more},
- which is present in every record type. Generic record operations
- work on all possible extensions of a given type scheme; polymorphism
- takes care of structural sub-typing behind the scenes. There are
- also explicit coercion functions between fixed record types.
-*}
-
-
-subsection {* Record Basics *}
-
-text {*
- Record types are not primitive in Isabelle and have a delicate
- internal representation \cite{NaraschewskiW-TPHOLs98}, based on
- nested copies of the primitive product type. A \commdx{record}
- declaration introduces a new record type scheme by specifying its
- fields, which are packaged internally to hold up the perception of
- the record as a distinguished entity. Here is a simple example:
-*}
-
-record point =
- Xcoord :: int
- Ycoord :: int
-
-text {*\noindent
- Records of type @{typ point} have two fields named @{const Xcoord}
- and @{const Ycoord}, both of type~@{typ int}. We now define a
- constant of type @{typ point}:
-*}
-
-definition pt1 :: point where
-"pt1 \<equiv> (| Xcoord = 999, Ycoord = 23 |)"
-
-text {*\noindent
- We see above the ASCII notation for record brackets. You can also
- use the symbolic brackets @{text \<lparr>} and @{text \<rparr>}. Record type
- expressions can be also written directly with individual fields.
- The type name above is merely an abbreviation.
-*}
-
-definition pt2 :: "\<lparr>Xcoord :: int, Ycoord :: int\<rparr>" where
-"pt2 \<equiv> \<lparr>Xcoord = -45, Ycoord = 97\<rparr>"
-
-text {*
- For each field, there is a \emph{selector}\index{selector!record}
- function of the same name. For example, if @{text p} has type @{typ
- point} then @{text "Xcoord p"} denotes the value of the @{text
- Xcoord} field of~@{text p}. Expressions involving field selection
- of explicit records are simplified automatically:
-*}
-
-lemma "Xcoord \<lparr>Xcoord = a, Ycoord = b\<rparr> = a"
- by simp
-
-text {*
- The \emph{update}\index{update!record} operation is functional. For
- example, @{term "p\<lparr>Xcoord := 0\<rparr>"} is a record whose @{const Xcoord}
- value is zero and whose @{const Ycoord} value is copied from~@{text
- p}. Updates of explicit records are also simplified automatically:
-*}
-
-lemma "\<lparr>Xcoord = a, Ycoord = b\<rparr>\<lparr>Xcoord := 0\<rparr> =
- \<lparr>Xcoord = 0, Ycoord = b\<rparr>"
- by simp
-
-text {*
- \begin{warn}
- Field names are declared as constants and can no longer be used as
- variables. It would be unwise, for example, to call the fields of
- type @{typ point} simply @{text x} and~@{text y}.
- \end{warn}
-*}
-
-
-subsection {* Extensible Records and Generic Operations *}
-
-text {*
- \index{records!extensible|(}%
-
- Now, let us define coloured points (type @{text cpoint}) to be
- points extended with a field @{text col} of type @{text colour}:
-*}
-
-datatype colour = Red | Green | Blue
-
-record cpoint = point +
- col :: colour
-
-text {*\noindent
- The fields of this new type are @{const Xcoord}, @{text Ycoord} and
- @{text col}, in that order.
-*}
-
-definition cpt1 :: cpoint where
-"cpt1 \<equiv> \<lparr>Xcoord = 999, Ycoord = 23, col = Green\<rparr>"
-
-text {*
- We can define generic operations that work on arbitrary
- instances of a record scheme, e.g.\ covering @{typ point}, @{typ
- cpoint}, and any further extensions. Every record structure has an
- implicit pseudo-field, \cdx{more}, that keeps the extension as an
- explicit value. Its type is declared as completely
- polymorphic:~@{typ 'a}. When a fixed record value is expressed
- using just its standard fields, the value of @{text more} is
- implicitly set to @{text "()"}, the empty tuple, which has type
- @{typ unit}. Within the record brackets, you can refer to the
- @{text more} field by writing ``@{text "\<dots>"}'' (three dots):
-*}
-
-lemma "Xcoord \<lparr>Xcoord = a, Ycoord = b, \<dots> = p\<rparr> = a"
- by simp
-
-text {*
- This lemma applies to any record whose first two fields are @{text
- Xcoord} and~@{const Ycoord}. Note that @{text "\<lparr>Xcoord = a, Ycoord
- = b, \<dots> = ()\<rparr>"} is exactly the same as @{text "\<lparr>Xcoord = a, Ycoord
- = b\<rparr>"}. Selectors and updates are always polymorphic wrt.\ the
- @{text more} part of a record scheme, its value is just ignored (for
- select) or copied (for update).
-
- The @{text more} pseudo-field may be manipulated directly as well,
- but the identifier needs to be qualified:
-*}
-
-lemma "point.more cpt1 = \<lparr>col = Green\<rparr>"
- by (simp add: cpt1_def)
-
-text {*\noindent
- We see that the colour part attached to this @{typ point} is a
- rudimentary record in its own right, namely @{text "\<lparr>col =
- Green\<rparr>"}. In order to select or update @{text col}, this fragment
- needs to be put back into the context of the parent type scheme, say
- as @{text more} part of another @{typ point}.
-
- To define generic operations, we need to know a bit more about
- records. Our definition of @{typ point} above has generated two
- type abbreviations:
-
- \medskip
- \begin{tabular}{l}
- @{typ point}~@{text "="}~@{text "\<lparr>Xcoord :: int, Ycoord :: int\<rparr>"} \\
- @{typ "'a point_scheme"}~@{text "="}~@{text "\<lparr>Xcoord :: int, Ycoord :: int, \<dots> :: 'a\<rparr>"} \\
- \end{tabular}
- \medskip
-
-\noindent
- Type @{typ point} is for fixed records having exactly the two fields
- @{const Xcoord} and~@{text Ycoord}, while the polymorphic type @{typ
- "'a point_scheme"} comprises all possible extensions to those two
- fields. Note that @{typ "unit point_scheme"} coincides with @{typ
- point}, and @{typ "\<lparr>col :: colour\<rparr> point_scheme"} with @{typ
- cpoint}.
-
- In the following example we define two operations --- methods, if we
- regard records as objects --- to get and set any point's @{text
- Xcoord} field.
-*}
-
-definition getX :: "'a point_scheme \<Rightarrow> int" where
-"getX r \<equiv> Xcoord r"
-definition setX :: "'a point_scheme \<Rightarrow> int \<Rightarrow> 'a point_scheme" where
-"setX r a \<equiv> r\<lparr>Xcoord := a\<rparr>"
-
-text {*
- Here is a generic method that modifies a point, incrementing its
- @{const Xcoord} field. The @{text Ycoord} and @{text more} fields
- are copied across. It works for any record type scheme derived from
- @{typ point} (including @{typ cpoint} etc.):
-*}
-
-definition incX :: "'a point_scheme \<Rightarrow> 'a point_scheme" where
-"incX r \<equiv>
- \<lparr>Xcoord = Xcoord r + 1, Ycoord = Ycoord r, \<dots> = point.more r\<rparr>"
-
-text {*
- Generic theorems can be proved about generic methods. This trivial
- lemma relates @{const incX} to @{text getX} and @{text setX}:
-*}
-
-lemma "incX r = setX r (getX r + 1)"
- by (simp add: getX_def setX_def incX_def)
-
-text {*
- \begin{warn}
- If you use the symbolic record brackets @{text \<lparr>} and @{text \<rparr>},
- then you must also use the symbolic ellipsis, ``@{text \<dots>}'', rather
- than three consecutive periods, ``@{text "..."}''. Mixing the ASCII
- and symbolic versions causes a syntax error. (The two versions are
- more distinct on screen than they are on paper.)
- \end{warn}%
- \index{records!extensible|)}
-*}
-
-
-subsection {* Record Equality *}
-
-text {*
- Two records are equal\index{equality!of records} if all pairs of
- corresponding fields are equal. Concrete record equalities are
- simplified automatically:
-*}
-
-lemma "(\<lparr>Xcoord = a, Ycoord = b\<rparr> = \<lparr>Xcoord = a', Ycoord = b'\<rparr>) =
- (a = a' \<and> b = b')"
- by simp
-
-text {*
- The following equality is similar, but generic, in that @{text r}
- can be any instance of @{typ "'a point_scheme"}:
-*}
-
-lemma "r\<lparr>Xcoord := a, Ycoord := b\<rparr> = r\<lparr>Ycoord := b, Xcoord := a\<rparr>"
- by simp
-
-text {*\noindent
- We see above the syntax for iterated updates. We could equivalently
- have written the left-hand side as @{text "r\<lparr>Xcoord := a\<rparr>\<lparr>Ycoord :=
- b\<rparr>"}.
-
- Record equality is \emph{extensional}:
- \index{extensionality!for records} a record is determined entirely
- by the values of its fields.
-*}
-
-lemma "r = \<lparr>Xcoord = Xcoord r, Ycoord = Ycoord r\<rparr>"
- by simp
-
-text {*\noindent
- The generic version of this equality includes the pseudo-field
- @{text more}:
-*}
-
-lemma "r = \<lparr>Xcoord = Xcoord r, Ycoord = Ycoord r, \<dots> = point.more r\<rparr>"
- by simp
-
-text {*
- The simplifier can prove many record equalities
- automatically, but general equality reasoning can be tricky.
- Consider proving this obvious fact:
-*}
-
-lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
- apply simp?
- oops
-
-text {*\noindent
- Here the simplifier can do nothing, since general record equality is
- not eliminated automatically. One way to proceed is by an explicit
- forward step that applies the selector @{const Xcoord} to both sides
- of the assumed record equality:
-*}
-
-lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
- apply (drule_tac f = Xcoord in arg_cong)
- txt {* @{subgoals [display, indent = 0, margin = 65]}
- Now, @{text simp} will reduce the assumption to the desired
- conclusion. *}
- apply simp
- done
-
-text {*
- The @{text cases} method is preferable to such a forward proof. We
- state the desired lemma again:
-*}
-
-lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
-
- txt {* The \methdx{cases} method adds an equality to replace the
- named record term by an explicit record expression, listing all
- fields. It even includes the pseudo-field @{text more}, since the
- record equality stated here is generic for all extensions. *}
-
- apply (cases r)
-
- txt {* @{subgoals [display, indent = 0, margin = 65]} Again, @{text
- simp} finishes the proof. Because @{text r} is now represented as
- an explicit record construction, the updates can be applied and the
- record equality can be replaced by equality of the corresponding
- fields (due to injectivity). *}
-
- apply simp
- done
-
-text {*
- The generic cases method does not admit references to locally bound
- parameters of a goal. In longer proof scripts one might have to
- fall back on the primitive @{text rule_tac} used together with the
- internal field representation rules of records. The above use of
- @{text "(cases r)"} would become @{text "(rule_tac r = r in
- point.cases_scheme)"}.
-*}
-
-
-subsection {* Extending and Truncating Records *}
-
-text {*
- Each record declaration introduces a number of derived operations to
- refer collectively to a record's fields and to convert between fixed
- record types. They can, for instance, convert between types @{typ
- point} and @{typ cpoint}. We can add a colour to a point or convert
- a @{typ cpoint} to a @{typ point} by forgetting its colour.
-
- \begin{itemize}
-
- \item Function \cdx{make} takes as arguments all of the record's
- fields (including those inherited from ancestors). It returns the
- corresponding record.
-
- \item Function \cdx{fields} takes the record's very own fields and
- returns a record fragment consisting of just those fields. This may
- be filled into the @{text more} part of the parent record scheme.
-
- \item Function \cdx{extend} takes two arguments: a record to be
- extended and a record containing the new fields.
-
- \item Function \cdx{truncate} takes a record (possibly an extension
- of the original record type) and returns a fixed record, removing
- any additional fields.
-
- \end{itemize}
- These functions provide useful abbreviations for standard
- record expressions involving constructors and selectors. The
- definitions, which are \emph{not} unfolded by default, are made
- available by the collective name of @{text defs} (@{text
- point.defs}, @{text cpoint.defs}, etc.).
- For example, here are the versions of those functions generated for
- record @{typ point}. We omit @{text point.fields}, which happens to
- be the same as @{text point.make}.
-
- @{thm [display, indent = 0, margin = 65] point.make_def [no_vars]
- point.extend_def [no_vars] point.truncate_def [no_vars]}
- Contrast those with the corresponding functions for record @{typ
- cpoint}. Observe @{text cpoint.fields} in particular.
- @{thm [display, indent = 0, margin = 65] cpoint.make_def [no_vars]
- cpoint.fields_def [no_vars] cpoint.extend_def [no_vars]
- cpoint.truncate_def [no_vars]}
-
- To demonstrate these functions, we declare a new coloured point by
- extending an ordinary point. Function @{text point.extend} augments
- @{text pt1} with a colour value, which is converted into an
- appropriate record fragment by @{text cpoint.fields}.
-*}
-
-definition cpt2 :: cpoint where
-"cpt2 \<equiv> point.extend pt1 (cpoint.fields Green)"
-
-text {*
- The coloured points @{const cpt1} and @{text cpt2} are equal. The
- proof is trivial, by unfolding all the definitions. We deliberately
- omit the definition of~@{text pt1} in order to reveal the underlying
- comparison on type @{typ point}.
-*}
-
-lemma "cpt1 = cpt2"
- apply (simp add: cpt1_def cpt2_def point.defs cpoint.defs)
- txt {* @{subgoals [display, indent = 0, margin = 65]} *}
- apply (simp add: pt1_def)
- done
-
-text {*
- In the example below, a coloured point is truncated to leave a
- point. We use the @{text truncate} function of the target record.
-*}
-
-lemma "point.truncate cpt2 = pt1"
- by (simp add: pt1_def cpt2_def point.defs)
-
-text {*
- \begin{exercise}
- Extend record @{typ cpoint} to have a further field, @{text
- intensity}, of type~@{typ nat}. Experiment with generic operations
- (using polymorphic selectors and updates) and explicit coercions
- (using @{text extend}, @{text truncate} etc.) among the three record
- types.
- \end{exercise}
-
- \begin{exercise}
- (For Java programmers.)
- Model a small class hierarchy using records.
- \end{exercise}
- \index{records|)}
-*}
-
-(*<*)
-end
-(*>*)
--- a/doc-src/TutorialI/Types/Setup.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,10 +0,0 @@
-theory Setup
-imports Main
-begin
-
-ML_file "../../antiquote_setup.ML"
-ML_file "../../more_antiquote.ML"
-
-setup {* Antiquote_Setup.setup #> More_Antiquote.setup *}
-
-end
\ No newline at end of file
--- a/doc-src/TutorialI/Types/Typedefs.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,242 +0,0 @@
-(*<*)theory Typedefs imports Main begin(*>*)
-
-section{*Introducing New Types*}
-
-text{*\label{sec:adv-typedef}
-For most applications, a combination of predefined types like @{typ bool} and
-@{text"\<Rightarrow>"} with recursive datatypes and records is quite sufficient. Very
-occasionally you may feel the need for a more advanced type. If you
-are certain that your type is not definable by any of the
-standard means, then read on.
-\begin{warn}
- Types in HOL must be non-empty; otherwise the quantifier rules would be
- unsound, because $\exists x.\ x=x$ is a theorem.
-\end{warn}
-*}
-
-subsection{*Declaring New Types*}
-
-text{*\label{sec:typedecl}
-\index{types!declaring|(}%
-\index{typedecl@\isacommand {typedecl} (command)}%
-The most trivial way of introducing a new type is by a \textbf{type
-declaration}: *}
-
-typedecl my_new_type
-
-text{*\noindent
-This does not define @{typ my_new_type} at all but merely introduces its
-name. Thus we know nothing about this type, except that it is
-non-empty. Such declarations without definitions are
-useful if that type can be viewed as a parameter of the theory.
-A typical example is given in \S\ref{sec:VMC}, where we define a transition
-relation over an arbitrary type of states.
-
-In principle we can always get rid of such type declarations by making those
-types parameters of every other type, thus keeping the theory generic. In
-practice, however, the resulting clutter can make types hard to read.
-
-If you are looking for a quick and dirty way of introducing a new type
-together with its properties: declare the type and state its properties as
-axioms. Example:
-*}
-
-axioms
-just_one: "\<exists>x::my_new_type. \<forall>y. x = y"
-
-text{*\noindent
-However, we strongly discourage this approach, except at explorative stages
-of your development. It is extremely easy to write down contradictory sets of
-axioms, in which case you will be able to prove everything but it will mean
-nothing. In the example above, the axiomatic approach is
-unnecessary: a one-element type called @{typ unit} is already defined in HOL.
-\index{types!declaring|)}
-*}
-
-subsection{*Defining New Types*}
-
-text{*\label{sec:typedef}
-\index{types!defining|(}%
-\index{typedecl@\isacommand {typedef} (command)|(}%
-Now we come to the most general means of safely introducing a new type, the
-\textbf{type definition}. All other means, for example
-\isacommand{datatype}, are based on it. The principle is extremely simple:
-any non-empty subset of an existing type can be turned into a new type.
-More precisely, the new type is specified to be isomorphic to some
-non-empty subset of an existing type.
-
-Let us work a simple example, the definition of a three-element type.
-It is easily represented by the first three natural numbers:
-*}
-
-typedef three = "{0::nat, 1, 2}"
-
-txt{*\noindent
-In order to enforce that the representing set on the right-hand side is
-non-empty, this definition actually starts a proof to that effect:
-@{subgoals[display,indent=0]}
-Fortunately, this is easy enough to show, even \isa{auto} could do it.
-In general, one has to provide a witness, in our case 0:
-*}
-
-apply(rule_tac x = 0 in exI)
-by simp
-
-text{*
-This type definition introduces the new type @{typ three} and asserts
-that it is a copy of the set @{term"{0::nat,1,2}"}. This assertion
-is expressed via a bijection between the \emph{type} @{typ three} and the
-\emph{set} @{term"{0::nat,1,2}"}. To this end, the command declares the following
-constants behind the scenes:
-\begin{center}
-\begin{tabular}{rcl}
-@{term three} &::& @{typ"nat set"} \\
-@{term Rep_three} &::& @{typ"three \<Rightarrow> nat"}\\
-@{term Abs_three} &::& @{typ"nat \<Rightarrow> three"}
-\end{tabular}
-\end{center}
-where constant @{term three} is explicitly defined as the representing set:
-\begin{center}
-@{thm three_def}\hfill(@{thm[source]three_def})
-\end{center}
-The situation is best summarized with the help of the following diagram,
-where squares denote types and the irregular region denotes a set:
-\begin{center}
-\includegraphics[scale=.8]{typedef}
-\end{center}
-Finally, \isacommand{typedef} asserts that @{term Rep_three} is
-surjective on the subset @{term three} and @{term Abs_three} and @{term
-Rep_three} are inverses of each other:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad\qquad}l@ {}}
-@{thm Rep_three[no_vars]} & (@{thm[source]Rep_three}) \\
-@{thm Rep_three_inverse[no_vars]} & (@{thm[source]Rep_three_inverse}) \\
-@{thm Abs_three_inverse[no_vars]} & (@{thm[source]Abs_three_inverse})
-\end{tabular}
-\end{center}
-%
-From this example it should be clear what \isacommand{typedef} does
-in general given a name (here @{text three}) and a set
-(here @{term"{0::nat,1,2}"}).
-
-Our next step is to define the basic functions expected on the new type.
-Although this depends on the type at hand, the following strategy works well:
-\begin{itemize}
-\item define a small kernel of basic functions that can express all other
-functions you anticipate.
-\item define the kernel in terms of corresponding functions on the
-representing type using @{term Abs} and @{term Rep} to convert between the
-two levels.
-\end{itemize}
-In our example it suffices to give the three elements of type @{typ three}
-names:
-*}
-
-definition A :: three where "A \<equiv> Abs_three 0"
-definition B :: three where "B \<equiv> Abs_three 1"
-definition C :: three where "C \<equiv> Abs_three 2"
-
-text{*
-So far, everything was easy. But it is clear that reasoning about @{typ
-three} will be hell if we have to go back to @{typ nat} every time. Thus our
-aim must be to raise our level of abstraction by deriving enough theorems
-about type @{typ three} to characterize it completely. And those theorems
-should be phrased in terms of @{term A}, @{term B} and @{term C}, not @{term
-Abs_three} and @{term Rep_three}. Because of the simplicity of the example,
-we merely need to prove that @{term A}, @{term B} and @{term C} are distinct
-and that they exhaust the type.
-
-In processing our \isacommand{typedef} declaration,
-Isabelle proves several helpful lemmas. The first two
-express injectivity of @{term Rep_three} and @{term Abs_three}:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad}l@ {}}
-@{thm Rep_three_inject[no_vars]} & (@{thm[source]Rep_three_inject}) \\
-\begin{tabular}{@ {}l@ {}}
-@{text"\<lbrakk>x \<in> three; y \<in> three \<rbrakk>"} \\
-@{text"\<Longrightarrow> (Abs_three x = Abs_three y) = (x = y)"}
-\end{tabular} & (@{thm[source]Abs_three_inject}) \\
-\end{tabular}
-\end{center}
-The following ones allow to replace some @{text"x::three"} by
-@{text"Abs_three(y::nat)"}, and conversely @{term y} by @{term"Rep_three x"}:
-\begin{center}
-\begin{tabular}{@ {}r@ {\qquad}l@ {}}
-@{thm Rep_three_cases[no_vars]} & (@{thm[source]Rep_three_cases}) \\
-@{thm Abs_three_cases[no_vars]} & (@{thm[source]Abs_three_cases}) \\
-@{thm Rep_three_induct[no_vars]} & (@{thm[source]Rep_three_induct}) \\
-@{thm Abs_three_induct[no_vars]} & (@{thm[source]Abs_three_induct}) \\
-\end{tabular}
-\end{center}
-These theorems are proved for any type definition, with @{term three}
-replaced by the name of the type in question.
-
-Distinctness of @{term A}, @{term B} and @{term C} follows immediately
-if we expand their definitions and rewrite with the injectivity
-of @{term Abs_three}:
-*}
-
-lemma "A \<noteq> B \<and> B \<noteq> A \<and> A \<noteq> C \<and> C \<noteq> A \<and> B \<noteq> C \<and> C \<noteq> B"
-by(simp add: Abs_three_inject A_def B_def C_def three_def)
-
-text{*\noindent
-Of course we rely on the simplifier to solve goals like @{prop"(0::nat) \<noteq> 1"}.
-
-The fact that @{term A}, @{term B} and @{term C} exhaust type @{typ three} is
-best phrased as a case distinction theorem: if you want to prove @{prop"P x"}
-(where @{term x} is of type @{typ three}) it suffices to prove @{prop"P A"},
-@{prop"P B"} and @{prop"P C"}: *}
-
-lemma three_cases: "\<lbrakk> P A; P B; P C \<rbrakk> \<Longrightarrow> P x"
-
-txt{*\noindent Again this follows easily using the induction principle stemming from the type definition:*}
-
-apply(induct_tac x)
-
-txt{*
-@{subgoals[display,indent=0]}
-Simplification with @{thm[source]three_def} leads to the disjunction @{prop"y
-= 0 \<or> y = 1 \<or> y = (2::nat)"} which \isa{auto} separates into three
-subgoals, each of which is easily solved by simplification: *}
-
-apply(auto simp add: three_def A_def B_def C_def)
-done
-
-text{*\noindent
-This concludes the derivation of the characteristic theorems for
-type @{typ three}.
-
-The attentive reader has realized long ago that the
-above lengthy definition can be collapsed into one line:
-*}
-
-datatype better_three = A | B | C
-
-text{*\noindent
-In fact, the \isacommand{datatype} command performs internally more or less
-the same derivations as we did, which gives you some idea what life would be
-like without \isacommand{datatype}.
-
-Although @{typ three} could be defined in one line, we have chosen this
-example to demonstrate \isacommand{typedef} because its simplicity makes the
-key concepts particularly easy to grasp. If you would like to see a
-non-trivial example that cannot be defined more directly, we recommend the
-definition of \emph{finite multisets} in the Library~\cite{HOL-Library}.
-
-Let us conclude by summarizing the above procedure for defining a new type.
-Given some abstract axiomatic description $P$ of a type $ty$ in terms of a
-set of functions $F$, this involves three steps:
-\begin{enumerate}
-\item Find an appropriate type $\tau$ and subset $A$ which has the desired
- properties $P$, and make a type definition based on this representation.
-\item Define the required functions $F$ on $ty$ by lifting
-analogous functions on the representation via $Abs_ty$ and $Rep_ty$.
-\item Prove that $P$ holds for $ty$ by lifting $P$ from the representation.
-\end{enumerate}
-You can now forget about the representation and work solely in terms of the
-abstract functions $F$ and properties $P$.%
-\index{typedecl@\isacommand {typedef} (command)|)}%
-\index{types!defining|)}
-*}
-
-(*<*)end(*>*)
--- a/doc-src/TutorialI/document/Isa-logics.eps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,753 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
-%%BoundingBox: 106 651 274 788
-%%Title: (Isa-logics)
-%%Creator: (ClarisDraw: LaserWriter 8 8.1.1)
-%%CreationDate: (9:19 pm Wednesday, April 24, 1996)
-%%For: (Larry)
-%%Pages: 1
-%%DocumentFonts: Times-Roman
-%%DocumentNeededFonts: Times-Roman
-%%DocumentSuppliedFonts:
-%%DocumentData: Clean7Bit
-%%PageOrder: Ascend
-%%Orientation: Portrait
-%ADO_PaperArea: -124 -112 3244 2268
-%ADO_ImageableArea: 0 0 3124 2152
-%%EndComments
-/md 148 dict def md begin
-/currentpacking where {pop /sc_oldpacking currentpacking def true setpacking}if
-%%BeginFile: adobe_psp_basic
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/bd{bind def}bind def
-/xdf{exch def}bd
-/xs{exch store}bd
-/ld{load def}bd
-/Z{0 def}bd
-/T/true
-/F/false
-/:L/lineto
-/lw/setlinewidth
-/:M/moveto
-/rl/rlineto
-/rm/rmoveto
-/:C/curveto
-/:T/translate
-/:K/closepath
-/:mf/makefont
-/gS/gsave
-/gR/grestore
-/np/newpath
-14{ld}repeat
-/$m matrix def
-/av 81 def
-/por true def
-/normland false def
-/psb-nosave{}bd
-/pse-nosave{}bd
-/us Z
-/psb{/us save store}bd
-/pse{us restore}bd
-/level2
-/languagelevel where
-{
-pop languagelevel 2 ge
-}{
-false
-}ifelse
-def
-/featurecleanup
-{
-stopped
-cleartomark
-countdictstack exch sub dup 0 gt
-{
-{end}repeat
-}{
-pop
-}ifelse
-}bd
-/noload Z
-/startnoload
-{
-{/noload save store}if
-}bd
-/endnoload
-{
-{noload restore}if
-}bd
-level2 startnoload
-/setjob
-{
-statusdict/jobname 3 -1 roll put
-}bd
-/setcopies
-{
-userdict/#copies 3 -1 roll put
-}bd
-level2 endnoload level2 not startnoload
-/setjob
-{
-1 dict begin/JobName xdf currentdict end setuserparams
-}bd
-/setcopies
-{
-1 dict begin/NumCopies xdf currentdict end setpagedevice
-}bd
-level2 not endnoload
-/pm Z
-/mT Z
-/sD Z
-/realshowpage Z
-/initializepage
-{
-/pm save store mT concat
-}bd
-/endp
-{
-pm restore showpage
-}def
-/$c/DeviceRGB def
-/rectclip where
-{
-pop/rC/rectclip ld
-}{
-/rC
-{
-np 4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-:K
-clip np
-}bd
-}ifelse
-/rectfill where
-{
-pop/rF/rectfill ld
-}{
-/rF
-{
-gS
-np
-4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-fill
-gR
-}bd
-}ifelse
-/rectstroke where
-{
-pop/rS/rectstroke ld
-}{
-/rS
-{
-gS
-np
-4 2 roll
-:M
-1 index 0 rl
-0 exch rl
-neg 0 rl
-:K
-stroke
-gR
-}bd
-}ifelse
-%%EndFile
-%%BeginFile: adobe_psp_colorspace_level1
-%%Copyright: Copyright 1991-1993 Adobe Systems Incorporated. All Rights Reserved.
-/G/setgray ld
-/:F/setrgbcolor ld
-%%EndFile
-%%BeginFile: adobe_psp_uniform_graphics
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/@a
-{
-np :M 0 rl :L 0 exch rl 0 rl :L fill
-}bd
-/@b
-{
-np :M 0 rl 0 exch rl :L 0 rl 0 exch rl fill
-}bd
-/arct where
-{
-pop
-}{
-/arct
-{
-arcto pop pop pop pop
-}bd
-}ifelse
-/x1 Z
-/x2 Z
-/y1 Z
-/y2 Z
-/rad Z
-/@q
-{
-/rad xs
-/y2 xs
-/x2 xs
-/y1 xs
-/x1 xs
-np
-x2 x1 add 2 div y1 :M
-x2 y1 x2 y2 rad arct
-x2 y2 x1 y2 rad arct
-x1 y2 x1 y1 rad arct
-x1 y1 x2 y1 rad arct
-fill
-}bd
-/@s
-{
-/rad xs
-/y2 xs
-/x2 xs
-/y1 xs
-/x1 xs
-np
-x2 x1 add 2 div y1 :M
-x2 y1 x2 y2 rad arct
-x2 y2 x1 y2 rad arct
-x1 y2 x1 y1 rad arct
-x1 y1 x2 y1 rad arct
-:K
-stroke
-}bd
-/@i
-{
-np 0 360 arc fill
-}bd
-/@j
-{
-gS
-np
-:T
-scale
-0 0 .5 0 360 arc
-fill
-gR
-}bd
-/@e
-{
-np
-0 360 arc
-:K
-stroke
-}bd
-/@f
-{
-np
-$m currentmatrix
-pop
-:T
-scale
-0 0 .5 0 360 arc
-:K
-$m setmatrix
-stroke
-}bd
-/@k
-{
-gS
-np
-:T
-0 0 :M
-0 0 5 2 roll
-arc fill
-gR
-}bd
-/@l
-{
-gS
-np
-:T
-0 0 :M
-scale
-0 0 .5 5 -2 roll arc
-fill
-gR
-}bd
-/@m
-{
-np
-arc
-stroke
-}bd
-/@n
-{
-np
-$m currentmatrix
-pop
-:T
-scale
-0 0 .5 5 -2 roll arc
-$m setmatrix
-stroke
-}bd
-%%EndFile
-%%BeginFile: adobe_psp_customps
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/$t Z
-/$p Z
-/$s Z
-/$o 1. def
-/2state? false def
-/ps Z
-level2 startnoload
-/pushcolor/currentrgbcolor ld
-/popcolor/setrgbcolor ld
-/setcmykcolor where
-{
-pop/currentcmykcolor where
-{
-pop/pushcolor/currentcmykcolor ld
-/popcolor/setcmykcolor ld
-}if
-}if
-level2 endnoload level2 not startnoload
-/pushcolor
-{
-currentcolorspace $c eq
-{
-currentcolor currentcolorspace true
-}{
-currentcmykcolor false
-}ifelse
-}bd
-/popcolor
-{
-{
-setcolorspace setcolor
-}{
-setcmykcolor
-}ifelse
-}bd
-level2 not endnoload
-/pushstatic
-{
-ps
-2state?
-$o
-$t
-$p
-$s
-}bd
-/popstatic
-{
-/$s xs
-/$p xs
-/$t xs
-/$o xs
-/2state? xs
-/ps xs
-}bd
-/pushgstate
-{
-save errordict/nocurrentpoint{pop 0 0}put
-currentpoint
-3 -1 roll restore
-pushcolor
-currentlinewidth
-currentlinecap
-currentlinejoin
-currentdash exch aload length
-np clippath pathbbox
-$m currentmatrix aload pop
-}bd
-/popgstate
-{
-$m astore setmatrix
-2 index sub exch
-3 index sub exch
-rC
-array astore exch setdash
-setlinejoin
-setlinecap
-lw
-popcolor
-np :M
-}bd
-/bu
-{
-pushgstate
-gR
-pushgstate
-2state?
-{
-gR
-pushgstate
-}if
-pushstatic
-pm restore
-mT concat
-}bd
-/bn
-{
-/pm save store
-popstatic
-popgstate
-gS
-popgstate
-2state?
-{
-gS
-popgstate
-}if
-}bd
-/cpat{pop 64 div G 8{pop}repeat}bd
-%%EndFile
-%%BeginFile: adobe_psp_basic_text
-%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
-/S/show ld
-/A{
-0.0 exch ashow
-}bd
-/R{
-0.0 exch 32 exch widthshow
-}bd
-/W{
-0.0 3 1 roll widthshow
-}bd
-/J{
-0.0 32 4 2 roll 0.0 exch awidthshow
-}bd
-/V{
-0.0 4 1 roll 0.0 exch awidthshow
-}bd
-/fcflg true def
-/fc{
-fcflg{
-vmstatus exch sub 50000 lt{
-(%%[ Warning: Running out of memory ]%%\r)print flush/fcflg false store
-}if pop
-}if
-}bd
-/$f[1 0 0 -1 0 0]def
-/:ff{$f :mf}bd
-/MacEncoding StandardEncoding 256 array copy def
-MacEncoding 39/quotesingle put
-MacEncoding 96/grave put
-/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute
-/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave
-/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute
-/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis
-/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
-/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash
-/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation
-/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash
-/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft
-/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
-/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge
-/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl
-/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
-/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave
-/Oacute/Ocircumflex/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde
-/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron
-MacEncoding 128 128 getinterval astore pop
-level2 startnoload
-/copyfontdict
-{
-findfont dup length dict
-begin
-{
-1 index/FID ne{def}{pop pop}ifelse
-}forall
-}bd
-level2 endnoload level2 not startnoload
-/copyfontdict
-{
-findfont dup length dict
-copy
-begin
-}bd
-level2 not endnoload
-md/fontname known not{
-/fontname/customfont def
-}if
-/Encoding Z
-/:mre
-{
-copyfontdict
-/Encoding MacEncoding def
-fontname currentdict
-end
-definefont :ff def
-}bd
-/:bsr
-{
-copyfontdict
-/Encoding Encoding 256 array copy def
-Encoding dup
-}bd
-/pd{put dup}bd
-/:esr
-{
-pop pop
-fontname currentdict
-end
-definefont :ff def
-}bd
-/scf
-{
-scalefont def
-}bd
-/scf-non
-{
-$m scale :mf setfont
-}bd
-/ps Z
-/fz{/ps xs}bd
-/sf/setfont ld
-/cF/currentfont ld
-/mbf
-{
-/makeblendedfont where
-{
-pop
-makeblendedfont
-/ABlend exch definefont
-}{
-pop
-}ifelse
-def
-}def
-%%EndFile
-/currentpacking where {pop sc_oldpacking setpacking}if
-end % md
-%%EndProlog
-%%BeginSetup
-md begin
-/pT[1 0 0 -1 28 811]def/mT[.25 0 0 -.25 28 811]def
-/sD 16 dict def
-%%IncludeFont: Times-Roman
-/f0_1/Times-Roman :mre
-/f0_40 f0_1 40 scf
-/Courier findfont[10 0 0 -10 0 0]:mf setfont
-%PostScript Hack by Mike Brors 12/7/90
-/DisableNextSetRGBColor
- {
- userdict begin
- /setrgbcolor
- {
- pop
- pop
- pop
- userdict begin
- /setrgbcolor systemdict /setrgbcolor get def
- end
- } def
- end
-} bind def
-/bcarray where {
- pop
- bcarray 2 {
- /da 4 ps div def
- df setfont gsave cs wi
- 1 index 0 ne{exch da add exch}if grestore setcharwidth
- cs 0 0 smc da 0 smc da da smc 0 da smc c
- gray
- { gl}
- {1 setgray}ifelse
- da 2. div dup moveto show
- }bind put
-} if
-%
-% Used to snap to device pixels, 1/4th of the pixel in.
-/stp { % x y pl x y % Snap To Pixel, pixel (auto stroke adjust)
- transform
- 0.25 sub round 0.25 add exch
- 0.25 sub round 0.25 add exch
- itransform
-} bind def
-
-/snapmoveto { % x y m - % moveto, auto stroke adjust
- stp moveto
-} bind def
-
-/snaplineto { % x y l - % lineto, auto stroke adjust
- stp lineto
-} bind def
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-initializepage
-%%EndPageSetup
-gS 0 0 2152 3124 rC
-0 0 :M
-.25 0 translate
-/DrawObject_save_matrix_0 matrix currentmatrix def
-0 0 2152 2912 rC
--40 -12 :M
-DrawObject_save_matrix_0 setmatrix
-/DrawObject_save_matrix_0 matrix currentmatrix def
--40 -12 :M
-/DrawObject_save_matrix_1 matrix currentmatrix def
-0 0 2152 2911 rC
--40 -12 :M
-/DrawObject_save_matrix_2 matrix currentmatrix def
--40 -12 :M
-DrawObject_save_matrix_2 setmatrix
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-558 556 208 48 rC
-558 556 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 553 520 218 84 rC
-558 592 :M
-f0_40 sf
--.055(Pure Isabelle)A
-gR
-gS 0 0 2152 2912 rC
-4 lw
-518 528 806 636 32 @s
-168 24 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-426 422 -4 4 538 526 4 426 418 @a
-426 418 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
--4 -4 790 530 4 4 894 418 @b
-786 526 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-588 422 -4 4 610 526 4 588 418 @a
-588 418 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
--4 -4 718 530 4 4 732 418 @b
-714 526 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-376 364 92 48 rC
-376 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 371 328 102 84 rC
-376 400 :M
-f0_40 sf
--.286(IFOL)A
-gR
-gS 556 364 76 48 rC
-556 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 551 328 86 84 rC
-556 400 :M
-f0_40 sf
--.273(CTT)A
-gR
-gS 700 364 84 48 rC
-700 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 695 328 94 84 rC
-700 400 :M
-f0_40 sf
--.094(HOL)A
-gR
-gS 880 364 56 48 rC
-880 364 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 875 328 66 84 rC
-880 400 :M
-f0_40 sf
--.311(LK)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 916 361 4 4 912 285 @b
-4 lw
-912 357 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-320 94 :M
-/DrawObject_save_matrix_2 matrix currentmatrix def
-336 152 -4 4 394 220 4 336 148 @a
-336 148 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
--4 -4 430 224 4 4 480 148 @b
-426 220 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
-320 94 48 48 rC
-320 94 :M
-DrawObject_save_matrix_2 setmatrix
-/DrawObject_save_matrix_2 matrix currentmatrix def
-gR
-gS 315 58 58 84 rC
-320 130 :M
-f0_40 sf
--.67(ZF)A
-gR
-gS 448 94 76 48 rC
-448 94 :M
-DrawObject_save_matrix_2 setmatrix
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 443 58 86 84 rC
-448 130 :M
-f0_40 sf
--.175(LCF)A
-gR
-gS 860 178 116 96 rC
-gR
-gS 855 142 126 132 rC
-860 214 :M
-f0_40 sf
--.106(Modal)A
-975 262 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-860 262 :M
--.077( logics)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 412 360 4 4 408 284 @b
-4 lw
-408 356 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-376 228 76 48 rC
-376 228 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 371 192 86 84 rC
-376 264 :M
-f0_40 sf
--.273(FOL)A
-gR
-gS 680 230 132 48 rC
-680 230 :M
-DrawObject_save_matrix_1 setmatrix
-/DrawObject_save_matrix_1 matrix currentmatrix def
-gR
-gS 675 194 142 84 rC
-680 266 :M
-f0_40 sf
--.026(HOLCF)A
-gR
-gS 0 0 2152 2912 rC
--4 -4 748 361 4 4 744 285 @b
-4 lw
-744 357 :M
-DrawObject_save_matrix_1 setmatrix
-DrawObject_save_matrix_0 setmatrix
-endp
-%%Trailer
-end % md
-%%EOF
Binary file doc-src/TutorialI/document/Isa-logics.pdf has changed
--- a/doc-src/TutorialI/document/advanced0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,49 +0,0 @@
-\chapter{Advanced Simplification and Induction}
-
-Although we have already learned a lot about simplification and
-induction, there are some advanced proof techniques that we have not covered
-yet and which are worth learning. The sections of this chapter are
-independent of each other and can be read in any order.
-
-\input{simp2.tex}
-
-\section{Advanced Induction Techniques}
-\label{sec:advanced-ind}
-\index{induction|(}
-\input{AdvancedInd.tex}
-\input{CTLind.tex}
-\index{induction|)}
-
-%\section{Advanced Forms of Recursion}
-%\index{recdef@\isacommand {recdef} (command)|(}
-
-%This section introduces advanced forms of
-%\isacommand{recdef}: how to establish termination by means other than measure
-%functions, how to define recursive functions over nested recursive datatypes
-%and how to deal with partial functions.
-%
-%If, after reading this section, you feel that the definition of recursive
-%functions is overly complicated by the requirement of
-%totality, you should ponder the alternatives. In a logic of partial functions,
-%recursive definitions are always accepted. But there are many
-%such logics, and no clear winner has emerged. And in all of these logics you
-%are (more or less frequently) required to reason about the definedness of
-%terms explicitly. Thus one shifts definedness arguments from definition time to
-%proof time. In HOL you may have to work hard to define a function, but proofs
-%can then proceed unencumbered by worries about undefinedness.
-
-%\subsection{Beyond Measure}
-%\label{sec:beyond-measure}
-%\input{WFrec.tex}
-%
-%\subsection{Recursion Over Nested Datatypes}
-%\label{sec:nested-recdef}
-%\input{Nested0.tex}
-%\input{Nested1.tex}
-%\input{Nested2.tex}
-%
-%\subsection{Partial Functions}
-%\index{functions!partial}
-%\input{Partial.tex}
-%
-%\index{recdef@\isacommand {recdef} (command)|)}
--- a/doc-src/TutorialI/document/appendix0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,190 +0,0 @@
-\appendix
-
-\chapter{Appendix}
-\label{sec:Appendix}
-
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{|l|l|l|}
-\hline
-\indexboldpos{\isasymlbrakk}{$Isabrl} &
-\texttt{[|}\index{$Isabrl@\ttlbr|bold} &
-\verb$\<lbrakk>$ \\
-\indexboldpos{\isasymrbrakk}{$Isabrr} &
-\texttt{|]}\index{$Isabrr@\ttrbr|bold} &
-\verb$\<rbrakk>$ \\
-\indexboldpos{\isasymImp}{$IsaImp} &
-\ttindexboldpos{==>}{$IsaImp} &
-\verb$\<Longrightarrow>$ \\
-\isasymAnd\index{$IsaAnd@\isasymAnd|bold}&
-\texttt{!!}\index{$IsaAnd@\ttAnd|bold} &
-\verb$\<And>$ \\
-\indexboldpos{\isasymequiv}{$IsaEq} &
-\ttindexboldpos{==}{$IsaEq} &
-\verb$\<equiv>$ \\
-\indexboldpos{\isasymrightleftharpoons}{$IsaEqTrans} &
-\ttindexboldpos{==}{$IsaEq} &
-\verb$\<rightleftharpoons>$ \\
-\indexboldpos{\isasymrightharpoonup}{$IsaEqTrans1} &
-\ttindexboldpos{=>}{$IsaFun} &
-\verb$\<rightharpoonup>$ \\
-\indexboldpos{\isasymleftharpoondown}{$IsaEqTrans2} &
-\ttindexboldpos{<=}{$IsaFun2} &
-\verb$\<leftharpoondown>$ \\
-\indexboldpos{\isasymlambda}{$Isalam} &
-\texttt{\%}\indexbold{$Isalam@\texttt{\%}} &
-\verb$\<lambda>$ \\
-\indexboldpos{\isasymFun}{$IsaFun} &
-\ttindexboldpos{=>}{$IsaFun} &
-\verb$\<Rightarrow>$ \\
-\indexboldpos{\isasymand}{$HOL0and} &
-\texttt{\&}\indexbold{$HOL0and@{\texttt{\&}}} &
-\verb$\<and>$ \\
-\indexboldpos{\isasymor}{$HOL0or} &
-\texttt{|}\index{$HOL0or@\ttor|bold} &
-\verb$\<or>$ \\
-\indexboldpos{\isasymimp}{$HOL0imp} &
-\ttindexboldpos{-->}{$HOL0imp} &
-\verb$\<longrightarrow>$ \\
-\indexboldpos{\isasymnot}{$HOL0not} &
-\verb$~$\index{$HOL0not@\verb$~$|bold} &
-\verb$\<not>$ \\
-\indexboldpos{\isasymnoteq}{$HOL0noteq} &
-\verb$~=$\index{$HOL0noteq@\verb$~=$|bold} &
-\verb$\<noteq>$ \\
-\indexboldpos{\isasymforall}{$HOL0All} &
-\ttindexbold{ALL}, \texttt{!}\index{$HOL0All@\ttall|bold} &
-\verb$\<forall>$ \\
-\indexboldpos{\isasymexists}{$HOL0Ex} &
-\ttindexbold{EX}, \texttt{?}\index{$HOL0Ex@\texttt{?}|bold} &
-\verb$\<exists>$ \\
-\isasymuniqex\index{$HOL0ExU@\isasymuniqex|bold} &
-\ttEXU\index{EXX@\ttEXU|bold}, \ttuniquex\index{$HOL0ExU@\ttuniquex|bold} &
-\verb$\<exists>!$\\
-\indexboldpos{\isasymepsilon}{$HOL0ExSome} &
-\ttindexbold{SOME}, \isa{\at}\index{$HOL2list@\isa{\at}} &
-\verb$\<epsilon>$\\
-\indexboldpos{\isasymcirc}{$HOL1} &
-\ttindexbold{o} &
-\verb$\<circ>$\\
-\indexboldpos{\isasymbar~\isasymbar}{$HOL2arithfun}&
-\ttindexbold{abs}&
-\verb$\<bar> \<bar>$\\
-\indexboldpos{\isasymle}{$HOL2arithrel}&
-\isadxboldpos{<=}{$HOL2arithrel}&
-\verb$\<le>$\\
-\indexboldpos{\isasymtimes}{$Isatype}&
-\ttindexboldpos{*}{$HOL2arithfun} &
-\verb$\<times>$\\
-\indexboldpos{\isasymin}{$HOL3Set0a}&
-\ttindexboldpos{:}{$HOL3Set0b} &
-\verb$\<in>$\\
-\isasymnotin\index{$HOL3Set0c@\isasymnotin|bold} &
-\verb$~:$\index{$HOL3Set0d@\verb$~:$|bold} &
-\verb$\<notin>$\\
-\indexboldpos{\isasymsubseteq}{$HOL3Set0e}&
-\verb$<=$ & \verb$\<subseteq>$\\
-\indexboldpos{\isasymsubset}{$HOL3Set0f}&
-\verb$<$ & \verb$\<subset>$\\
-\indexboldpos{\isasymunion}{$HOL3Set1}&
-\ttindexbold{Un} &
-\verb$\<union>$\\
-\indexboldpos{\isasyminter}{$HOL3Set1}&
-\ttindexbold{Int} &
-\verb$\<inter>$\\
-\isasymUnion\index{$HOL3Set2@\isasymUnion|bold}&
-\ttindexbold{UN}, \ttindexbold{Union} &
-\verb$\<Union>$\\
-\isasymInter\index{$HOL3Set2@\isasymInter|bold}&
-\ttindexbold{INT}, \ttindexbold{Inter} &
-\verb$\<Inter>$\\
-\isactrlsup{\isacharasterisk}\index{$HOL4star@\isactrlsup{\isacharasterisk}|bold}&
-\verb$^*$\index{$HOL4star@\verb$^$\texttt{*}|bold} &
-\verb$\<^sup>*$\\
-\isasyminverse\index{$HOL4inv@\isasyminverse|bold}&
-\verb$^-1$\index{$HOL4inv@\verb$^-1$|bold} &
-\verb$\<inverse>$\\
-\hline
-\end{tabular}
-\end{center}
-\caption{Mathematical Symbols, Their \textsc{ascii}-Equivalents and Internal Names}
-\label{tab:ascii}
-\end{table}\indexbold{ASCII@\textsc{ascii} symbols}
-
-\input{appendix.tex}
-
-\begin{table}[htbp]
-\begin{center}
-\begin{tabular}{@{}|lllllllll|@{}}
-\hline
-\texttt{ALL} &
-\texttt{BIT} &
-\texttt{CHR} &
-\texttt{EX} &
-\texttt{GREATEST} &
-\texttt{INT} &
-\texttt{Int} &
-\texttt{LEAST} &
-\texttt{O} \\
-\texttt{OFCLASS} &
-\texttt{PI} &
-\texttt{PROP} &
-\texttt{SIGMA} &
-\texttt{SOME} &
-\texttt{THE} &
-\texttt{TYPE} &
-\texttt{UN} &
-\texttt{Un} \\
-\texttt{WRT} &
-\texttt{case} &
-\texttt{choose} &
-\texttt{div} &
-\texttt{dvd} &
-\texttt{else} &
-\texttt{funcset} &
-\texttt{if} &
-\texttt{in} \\
-\texttt{let} &
-\texttt{mem} &
-\texttt{mod} &
-\texttt{o} &
-\texttt{of} &
-\texttt{op} &
-\texttt{then} &&\\
-\hline
-\end{tabular}
-\end{center}
-\caption{Reserved Words in HOL Terms}
-\label{tab:ReservedWords}
-\end{table}
-
-
-%\begin{table}[htbp]
-%\begin{center}
-%\begin{tabular}{|lllll|}
-%\hline
-%\texttt{and} &
-%\texttt{binder} &
-%\texttt{concl} &
-%\texttt{congs} \\
-%\texttt{distinct} &
-%\texttt{files} &
-%\texttt{in} &
-%\texttt{induction} &
-%\texttt{infixl} \\
-%\texttt{infixr} &
-%\texttt{inject} &
-%\texttt{intrs} &
-%\texttt{is} &
-%\texttt{monos} \\
-%\texttt{output} &
-%\texttt{where} &
-% &
-% &
-% \\
-%\hline
-%\end{tabular}
-%\end{center}
-%\caption{Minor Keywords in HOL Theories}
-%\label{tab:keywords}
-%\end{table}
--- a/doc-src/TutorialI/document/basics.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,350 +0,0 @@
-\chapter{The Basics}
-
-\section{Introduction}
-
-This book is a tutorial on how to use the theorem prover Isabelle/HOL as a
-specification and verification system. Isabelle is a generic system for
-implementing logical formalisms, and Isabelle/HOL is the specialization
-of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
-HOL step by step following the equation
-\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
-We do not assume that you are familiar with mathematical logic.
-However, we do assume that
-you are used to logical and set theoretic notation, as covered
-in a good discrete mathematics course~\cite{Rosen-DMA}, and
-that you are familiar with the basic concepts of functional
-programming~\cite{Bird-Haskell,Hudak-Haskell,paulson-ml2,Thompson-Haskell}.
-Although this tutorial initially concentrates on functional programming, do
-not be misled: HOL can express most mathematical concepts, and functional
-programming is just one particularly simple and ubiquitous instance.
-
-Isabelle~\cite{paulson-isa-book} is implemented in ML~\cite{SML}. This has
-influenced some of Isabelle/HOL's concrete syntax but is otherwise irrelevant
-for us: this tutorial is based on
-Isabelle/Isar~\cite{isabelle-isar-ref}, an extension of Isabelle which hides
-the implementation language almost completely. Thus the full name of the
-system should be Isabelle/Isar/HOL, but that is a bit of a mouthful.
-
-There are other implementations of HOL, in particular the one by Mike Gordon
-\index{Gordon, Mike}%
-\emph{et al.}, which is usually referred to as ``the HOL system''
-\cite{mgordon-hol}. For us, HOL refers to the logical system, and sometimes
-its incarnation Isabelle/HOL\@.
-
-A tutorial is by definition incomplete. Currently the tutorial only
-introduces the rudiments of Isar's proof language. To fully exploit the power
-of Isar, in particular the ability to write readable and structured proofs,
-you should start with Nipkow's overview~\cite{Nipkow-TYPES02} and consult
-the Isabelle/Isar Reference Manual~\cite{isabelle-isar-ref} and Wenzel's
-PhD thesis~\cite{Wenzel-PhD} (which discusses many proof patterns)
-for further details. If you want to use Isabelle's ML level
-directly (for example for writing your own proof procedures) see the Isabelle
-Reference Manual~\cite{isabelle-ref}; for details relating to HOL see the
-Isabelle/HOL manual~\cite{isabelle-HOL}. All manuals have a comprehensive
-index.
-
-\section{Theories}
-\label{sec:Basic:Theories}
-
-\index{theories|(}%
-Working with Isabelle means creating theories. Roughly speaking, a
-\textbf{theory} is a named collection of types, functions, and theorems,
-much like a module in a programming language or a specification in a
-specification language. In fact, theories in HOL can be either. The general
-format of a theory \texttt{T} is
-\begin{ttbox}
-theory T
-imports B\(@1\) \(\ldots\) B\(@n\)
-begin
-{\rmfamily\textit{declarations, definitions, and proofs}}
-end
-\end{ttbox}\cmmdx{theory}\cmmdx{imports}
-where \texttt{B}$@1$ \dots\ \texttt{B}$@n$ are the names of existing
-theories that \texttt{T} is based on and \textit{declarations,
- definitions, and proofs} represents the newly introduced concepts
-(types, functions etc.) and proofs about them. The \texttt{B}$@i$ are the
-direct \textbf{parent theories}\indexbold{parent theories} of~\texttt{T}\@.
-Everything defined in the parent theories (and their parents, recursively) is
-automatically visible. To avoid name clashes, identifiers can be
-\textbf{qualified}\indexbold{identifiers!qualified}
-by theory names as in \texttt{T.f} and~\texttt{B.f}.
-Each theory \texttt{T} must
-reside in a \textbf{theory file}\index{theory files} named \texttt{T.thy}.
-
-This tutorial is concerned with introducing you to the different linguistic
-constructs that can fill the \textit{declarations, definitions, and
- proofs} above. A complete grammar of the basic
-constructs is found in the Isabelle/Isar Reference
-Manual~\cite{isabelle-isar-ref}.
-
-\begin{warn}
- HOL contains a theory \thydx{Main}, the union of all the basic
- predefined theories like arithmetic, lists, sets, etc.
- Unless you know what you are doing, always include \isa{Main}
- as a direct or indirect parent of all your theories.
-\end{warn}
-HOL's theory collection is available online at
-\begin{center}\small
- \url{http://isabelle.in.tum.de/library/HOL/}
-\end{center}
-and is recommended browsing. In subdirectory \texttt{Library} you find
-a growing library of useful theories that are not part of \isa{Main}
-but can be included among the parents of a theory and will then be
-loaded automatically.
-
-For the more adventurous, there is the \emph{Archive of Formal Proofs},
-a journal-like collection of more advanced Isabelle theories:
-\begin{center}\small
- \url{http://afp.sourceforge.net/}
-\end{center}
-We hope that you will contribute to it yourself one day.%
-\index{theories|)}
-
-
-\section{Types, Terms and Formulae}
-\label{sec:TypesTermsForms}
-
-Embedded in a theory are the types, terms and formulae of HOL\@. HOL is a typed
-logic whose type system resembles that of functional programming languages
-like ML or Haskell. Thus there are
-\index{types|(}
-\begin{description}
-\item[base types,]
-in particular \tydx{bool}, the type of truth values,
-and \tydx{nat}, the type of natural numbers.
-\item[type constructors,]\index{type constructors}
- in particular \tydx{list}, the type of
-lists, and \tydx{set}, the type of sets. Type constructors are written
-postfix, e.g.\ \isa{(nat)list} is the type of lists whose elements are
-natural numbers. Parentheses around single arguments can be dropped (as in
-\isa{nat list}), multiple arguments are separated by commas (as in
-\isa{(bool,nat)ty}).
-\item[function types,]\index{function types}
-denoted by \isasymFun\indexbold{$IsaFun@\isasymFun}.
- In HOL \isasymFun\ represents \emph{total} functions only. As is customary,
- \isa{$\tau@1$ \isasymFun~$\tau@2$ \isasymFun~$\tau@3$} means
- \isa{$\tau@1$ \isasymFun~($\tau@2$ \isasymFun~$\tau@3$)}. Isabelle also
- supports the notation \isa{[$\tau@1,\dots,\tau@n$] \isasymFun~$\tau$}
- which abbreviates \isa{$\tau@1$ \isasymFun~$\cdots$ \isasymFun~$\tau@n$
- \isasymFun~$\tau$}.
-\item[type variables,]\index{type variables}\index{variables!type}
- denoted by \ttindexboldpos{'a}{$Isatype}, \isa{'b} etc., just like in ML\@. They give rise
- to polymorphic types like \isa{'a \isasymFun~'a}, the type of the identity
- function.
-\end{description}
-\begin{warn}
- Types are extremely important because they prevent us from writing
- nonsense. Isabelle insists that all terms and formulae must be
- well-typed and will print an error message if a type mismatch is
- encountered. To reduce the amount of explicit type information that
- needs to be provided by the user, Isabelle infers the type of all
- variables automatically (this is called \bfindex{type inference})
- and keeps quiet about it. Occasionally this may lead to
- misunderstandings between you and the system. If anything strange
- happens, we recommend that you ask Isabelle to display all type
- information via the Proof General menu item \pgmenu{Isabelle} $>$
- \pgmenu{Settings} $>$ \pgmenu{Show Types} (see \S\ref{sec:interface}
- for details).
-\end{warn}%
-\index{types|)}
-
-
-\index{terms|(}
-\textbf{Terms} are formed as in functional programming by
-applying functions to arguments. If \isa{f} is a function of type
-\isa{$\tau@1$ \isasymFun~$\tau@2$} and \isa{t} is a term of type
-$\tau@1$ then \isa{f~t} is a term of type $\tau@2$. HOL also supports
-infix functions like \isa{+} and some basic constructs from functional
-programming, such as conditional expressions:
-\begin{description}
-\item[\isa{if $b$ then $t@1$ else $t@2$}]\index{*if expressions}
-Here $b$ is of type \isa{bool} and $t@1$ and $t@2$ are of the same type.
-\item[\isa{let $x$ = $t$ in $u$}]\index{*let expressions}
-is equivalent to $u$ where all free occurrences of $x$ have been replaced by
-$t$. For example,
-\isa{let x = 0 in x+x} is equivalent to \isa{0+0}. Multiple bindings are separated
-by semicolons: \isa{let $x@1$ = $t@1$;\dots; $x@n$ = $t@n$ in $u$}.
-\item[\isa{case $e$ of $c@1$ \isasymFun~$e@1$ |~\dots~| $c@n$ \isasymFun~$e@n$}]
-\index{*case expressions}
-evaluates to $e@i$ if $e$ is of the form $c@i$.
-\end{description}
-
-Terms may also contain
-\isasymlambda-abstractions.\index{lambda@$\lambda$ expressions}
-For example,
-\isa{\isasymlambda{}x.~x+1} is the function that takes an argument \isa{x} and
-returns \isa{x+1}. Instead of
-\isa{\isasymlambda{}x.\isasymlambda{}y.\isasymlambda{}z.~$t$} we can write
-\isa{\isasymlambda{}x~y~z.~$t$}.%
-\index{terms|)}
-
-\index{formulae|(}%
-\textbf{Formulae} are terms of type \tydx{bool}.
-There are the basic constants \cdx{True} and \cdx{False} and
-the usual logical connectives (in decreasing order of priority):
-\indexboldpos{\protect\isasymnot}{$HOL0not}, \indexboldpos{\protect\isasymand}{$HOL0and},
-\indexboldpos{\protect\isasymor}{$HOL0or}, and \indexboldpos{\protect\isasymimp}{$HOL0imp},
-all of which (except the unary \isasymnot) associate to the right. In
-particular \isa{A \isasymimp~B \isasymimp~C} means \isa{A \isasymimp~(B
- \isasymimp~C)} and is thus logically equivalent to \isa{A \isasymand~B
- \isasymimp~C} (which is \isa{(A \isasymand~B) \isasymimp~C}).
-
-Equality\index{equality} is available in the form of the infix function
-\isa{=} of type \isa{'a \isasymFun~'a
- \isasymFun~bool}. Thus \isa{$t@1$ = $t@2$} is a formula provided $t@1$
-and $t@2$ are terms of the same type. If $t@1$ and $t@2$ are of type
-\isa{bool} then \isa{=} acts as \rmindex{if-and-only-if}.
-The formula
-\isa{$t@1$~\isasymnoteq~$t@2$} is merely an abbreviation for
-\isa{\isasymnot($t@1$ = $t@2$)}.
-
-Quantifiers\index{quantifiers} are written as
-\isa{\isasymforall{}x.~$P$} and \isa{\isasymexists{}x.~$P$}.
-There is even
-\isa{\isasymuniqex{}x.~$P$}, which
-means that there exists exactly one \isa{x} that satisfies \isa{$P$}.
-Nested quantifications can be abbreviated:
-\isa{\isasymforall{}x~y~z.~$P$} means
-\isa{\isasymforall{}x.\isasymforall{}y.\isasymforall{}z.~$P$}.%
-\index{formulae|)}
-
-Despite type inference, it is sometimes necessary to attach explicit
-\bfindex{type constraints} to a term. The syntax is
-\isa{$t$::$\tau$} as in \isa{x < (y::nat)}. Note that
-\ttindexboldpos{::}{$Isatype} binds weakly and should therefore be enclosed
-in parentheses. For instance,
-\isa{x < y::nat} is ill-typed because it is interpreted as
-\isa{(x < y)::nat}. Type constraints may be needed to disambiguate
-expressions
-involving overloaded functions such as~\isa{+},
-\isa{*} and~\isa{<}. Section~\ref{sec:overloading}
-discusses overloading, while Table~\ref{tab:overloading} presents the most
-important overloaded function symbols.
-
-In general, HOL's concrete \rmindex{syntax} tries to follow the conventions of
-functional programming and mathematics. Here are the main rules that you
-should be familiar with to avoid certain syntactic traps:
-\begin{itemize}
-\item
-Remember that \isa{f t u} means \isa{(f t) u} and not \isa{f(t u)}!
-\item
-Isabelle allows infix functions like \isa{+}. The prefix form of function
-application binds more strongly than anything else and hence \isa{f~x + y}
-means \isa{(f~x)~+~y} and not \isa{f(x+y)}.
-\item Remember that in HOL if-and-only-if is expressed using equality. But
- equality has a high priority, as befitting a relation, while if-and-only-if
- typically has the lowest priority. Thus, \isa{\isasymnot~\isasymnot~P =
- P} means \isa{\isasymnot\isasymnot(P = P)} and not
- \isa{(\isasymnot\isasymnot P) = P}. When using \isa{=} to mean
- logical equivalence, enclose both operands in parentheses, as in \isa{(A
- \isasymand~B) = (B \isasymand~A)}.
-\item
-Constructs with an opening but without a closing delimiter bind very weakly
-and should therefore be enclosed in parentheses if they appear in subterms, as
-in \isa{(\isasymlambda{}x.~x) = f}. This includes
-\isa{if},\index{*if expressions}
-\isa{let},\index{*let expressions}
-\isa{case},\index{*case expressions}
-\isa{\isasymlambda}, and quantifiers.
-\item
-Never write \isa{\isasymlambda{}x.x} or \isa{\isasymforall{}x.x=x}
-because \isa{x.x} is always taken as a single qualified identifier. Write
-\isa{\isasymlambda{}x.~x} and \isa{\isasymforall{}x.~x=x} instead.
-\item Identifiers\indexbold{identifiers} may contain the characters \isa{_}
-and~\isa{'}, except at the beginning.
-\end{itemize}
-
-For the sake of readability, we use the usual mathematical symbols throughout
-the tutorial. Their \textsc{ascii}-equivalents are shown in table~\ref{tab:ascii} in
-the appendix.
-
-\begin{warn}
-A particular problem for novices can be the priority of operators. If
-you are unsure, use additional parentheses. In those cases where
-Isabelle echoes your input, you can see which parentheses are dropped
---- they were superfluous. If you are unsure how to interpret
-Isabelle's output because you don't know where the (dropped)
-parentheses go, set the Proof General flag \pgmenu{Isabelle} $>$
-\pgmenu{Settings} $>$ \pgmenu{Show Brackets} (see \S\ref{sec:interface}).
-\end{warn}
-
-
-\section{Variables}
-\label{sec:variables}
-\index{variables|(}
-
-Isabelle distinguishes free and bound variables, as is customary. Bound
-variables are automatically renamed to avoid clashes with free variables. In
-addition, Isabelle has a third kind of variable, called a \textbf{schematic
- variable}\index{variables!schematic} or \textbf{unknown}\index{unknowns},
-which must have a~\isa{?} as its first character.
-Logically, an unknown is a free variable. But it may be
-instantiated by another term during the proof process. For example, the
-mathematical theorem $x = x$ is represented in Isabelle as \isa{?x = ?x},
-which means that Isabelle can instantiate it arbitrarily. This is in contrast
-to ordinary variables, which remain fixed. The programming language Prolog
-calls unknowns {\em logical\/} variables.
-
-Most of the time you can and should ignore unknowns and work with ordinary
-variables. Just don't be surprised that after you have finished the proof of
-a theorem, Isabelle will turn your free variables into unknowns. It
-indicates that Isabelle will automatically instantiate those unknowns
-suitably when the theorem is used in some other proof.
-Note that for readability we often drop the \isa{?}s when displaying a theorem.
-\begin{warn}
- For historical reasons, Isabelle accepts \isa{?} as an ASCII representation
- of the \(\exists\) symbol. However, the \isa{?} character must then be followed
- by a space, as in \isa{?~x. f(x) = 0}. Otherwise, \isa{?x} is
- interpreted as a schematic variable. The preferred ASCII representation of
- the \(\exists\) symbol is \isa{EX}\@.
-\end{warn}%
-\index{variables|)}
-
-\section{Interaction and Interfaces}
-\label{sec:interface}
-
-The recommended interface for Isabelle/Isar is the (X)Emacs-based
-\bfindex{Proof General}~\cite{proofgeneral,Aspinall:TACAS:2000}.
-Interaction with Isabelle at the shell level, although possible,
-should be avoided. Most of the tutorial is independent of the
-interface and is phrased in a neutral language. For example, the
-phrase ``to abandon a proof'' corresponds to the obvious
-action of clicking on the \pgmenu{Undo} symbol in Proof General.
-Proof General specific information is often displayed in paragraphs
-identified by a miniature Proof General icon. Here are two examples:
-\begin{pgnote}
-Proof General supports a special font with mathematical symbols known
-as ``x-symbols''. All symbols have \textsc{ascii}-equivalents: for
-example, you can enter either \verb!&! or \verb!\<and>! to obtain
-$\land$. For a list of the most frequent symbols see table~\ref{tab:ascii}
-in the appendix.
-
-Note that by default x-symbols are not enabled. You have to switch
-them on via the menu item \pgmenu{Proof-General} $>$ \pgmenu{Options} $>$
-\pgmenu{X-Symbols} (and save the option via the top-level
-\pgmenu{Options} menu).
-\end{pgnote}
-
-\begin{pgnote}
-Proof General offers the \pgmenu{Isabelle} menu for displaying
-information and setting flags. A particularly useful flag is
-\pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgdx{Show Types} which
-causes Isabelle to output the type information that is usually
-suppressed. This is indispensible in case of errors of all kinds
-because often the types reveal the source of the problem. Once you
-have diagnosed the problem you may no longer want to see the types
-because they clutter all output. Simply reset the flag.
-\end{pgnote}
-
-\section{Getting Started}
-
-Assuming you have installed Isabelle and Proof General, you start it by typing
-\texttt{Isabelle} in a shell window. This launches a Proof General window.
-By default, you are in HOL\footnote{This is controlled by the
-\texttt{ISABELLE_LOGIC} setting, see \emph{The Isabelle System Manual}
-for more details.}.
-
-\begin{pgnote}
-You can choose a different logic via the \pgmenu{Isabelle} $>$
-\pgmenu{Logics} menu.
-\end{pgnote}
--- a/doc-src/TutorialI/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
-"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
-
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-
-cp "$ISABELLE_HOME/doc-src/TutorialI/ToyList/ToyList1" .
-cp "$ISABELLE_HOME/doc-src/TutorialI/ToyList/ToyList2" .
-
-"$ISABELLE_TOOL" latex -o sty
-cp "$ISABELLE_HOME/doc-src/pdfsetup.sty" .
-
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-"$ISABELLE_TOOL" latex -o bbl
-./isa-index root
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-[ -f root.out ] && "$ISABELLE_HOME/doc-src/fixbookmarks" root.out
-"$ISABELLE_TOOL" latex -o "$FORMAT"
--- a/doc-src/TutorialI/document/cl2emono-modified.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1371 +0,0 @@
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%% This is cl2emono.sty version 2.2
-%% (intermediate fix also for springer.sty for the use of
-%% LaTeX2e and NFSS2)
-%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is ucgreek
-% the definition of versal greek characters
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\mathchardef\Gamma="0100
-\mathchardef\Delta="0101
-\mathchardef\Theta="0102
-\mathchardef\Lambda="0103
-\mathchardef\Xi="0104
-\mathchardef\Pi="0105
-\mathchardef\Sigma="0106
-\mathchardef\Upsilon="0107
-\mathchardef\Phi="0108
-\mathchardef\Psi="0109
-\mathchardef\Omega="010A
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is referee.tex
-%
-% It defines the style option "referee"
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newif\if@referee \@refereefalse
-\def\ds@referee{\@refereetrue
-\typeout{A referee's copy will be produced.}%
-\def\baselinestretch{2}\small
-\normalsize\rm
-\newbox\refereebox
-\setbox\refereebox=\vbox to0pt{\vskip0.5cm%
- \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
- \hbox{\kern5pt referee's copy\kern5pt}\hrulefill}\vss}%
-\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
-% This is footinfo.tex
-% it provides an informatory line on every page
-%
-\def\SpringerMacroPackageNameA{\springerstylefile}
-% \thetime, \thedate and \timstamp are macros to include
-% time, date (or both) of the TeX run in the document
-\def\maketimestamp{\count255=\time
-\divide\count255 by 60\relax
-\edef\thetime{\the\count255:}%
-\multiply\count255 by-60\relax
-\advance\count255 by\time
-\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
-\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
- Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
- Nov\or Dec\fi-\number\year}
-\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
-\maketimestamp
-%
-% \footinfo generates a info footline on every page containing
-% pagenumber, jobname, macroname, and timestamp
-\def\ds@footinfo{\maketimestamp
- \def\@oddfoot{\footnotesize\tt Page: \thepage\hfil job: \jobname\hfil
- macro: \SpringerMacroPackageNameA\hfil
- date/time: \thedate/\thetime}%
- \let\@evenfoot=\@oddfoot}
-\def\footinfo{\maketimestamp
- \ds@footinfo
- \typeout{You ordered a foot-info line. }}
-\def\nofootinfo{%
- \def\@oddfoot{}\def\@evenfoot{}%
- \typeout{Foot-info has been disabled. }}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is vector.tex
-%
-% It redefines the plain TeX \vec command
-% and adds a \tens command for tensors
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% ##### (changed by RB)
-\def\vec@style{\relax} % hook to change style of vector
- % default yields boldface italic
-% \def\vec@style{\bf} % hook to change style of vector
-% % default yields mathstyle i.e. boldface upright
-
-\def\vec#1{\relax\ifmmode\mathchoice
-{\mbox{\boldmath$\vec@style\displaystyle#1$}}
-{\mbox{\boldmath$\vec@style\textstyle#1$}}
-{\mbox{\boldmath$\vec@style\scriptstyle#1$}}
-{\mbox{\boldmath$\vec@style\scriptscriptstyle#1$}}\else
-\hbox{\boldmath$\vec@style\textstyle#1$}\fi}
-
-\def\tens#1{\relax\ifmmode\mathchoice{\mbox{$\sf\displaystyle#1$}}
-{\mbox{$\sf\textstyle#1$}}
-{\mbox{$\sf\scriptstyle#1$}}
-{\mbox{$\sf\scriptscriptstyle#1$}}\else
-\hbox{$\sf\textstyle#1$}\fi}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is vecstyle.tex
-%
-% It enables documentstyle options vecmath and vecphys
-% to change the vectors to upright bold face or
-% to math italic bold respectively
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\ds@vecmath{\def\vec@style{\bf}\typeout{Vectors are now represented
-in mathematics style as boldface upright characters.}}
-\def\ds@vecphys{\let\vec@style\relax\typeout{Vectors are now represented
-in physics style as boldface italics.}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is defaults.tex
-%
-% It sets the switches for twoside printing, numbering
-% of equations and kind of citation.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\@twosidetrue % twoside is default
-\newif\if@bibay \@bibayfalse % citation with numbers
- % is default
-\newif\if@numart \@numartfalse % numbering with chapternumbers
- % is default
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is misc.xxx
-%
-% It defines various commands not available in "plain LaTeX"
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newcommand{\ts}{\thinspace{}}
-\newcommand{\sq}{\hbox{\rlap{$\sqcap$}$\sqcup$}}
-\newcommand{\qed}{\ifmmode\sq\else{\unskip\nobreak\hfil
- \penalty50\hskip1em\null\nobreak\hfil\sq
- \parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi{}}
-\def\D{{\rm d}}
-\def\E{{\rm e}}
-\let\eul=\E
-\def\I{{\rm i}}
-\let\imag=\I
-\def\strich{\vskip0.5cm\hrule\vskip3ptplus12pt\null}
-
-% Frame for paste-in figures or tables
-%\def\mpicplace#1#2{%#1 = width #2 = height
-%\vbox{\@tempdima=#2\advance\@tempdima by-2\fboxrule
-%\hrule\@height \fboxrule\@width #1
-%\hbox to #1{\vrule\@width \fboxrule\@height\@tempdima\hfil
-%\vrule\@width \fboxrule\@height\@tempdima}\hrule\@height
-%\fboxrule\@width #1}}
-
-% #####
-% Frame for paste-in figures or tables
-\def\mpicplace#1#2{% #1 =width #2 =height
-\vbox{\hbox to #1{\vrule width \fboxrule height #2\hfill}}}
-
-\def\picplace#1{\mpicplace{\hsize}{#1}}
-% Ragged bottom for the actual page
-\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
-\global\let\@textbottom\relax}}
-\flushbottom
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is layout.m01
-%
-% It defines various sizes and settings for books
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\topmargin=0cm
-\textwidth=11.7cm
-\textheight=18.9cm
-\oddsidemargin=0.7cm
-\evensidemargin=0.7cm
-\headsep=12pt
-
-\baselineskip=12pt
-\parindent=15pt
-\parskip=0pt plus 1pt
-\hfuzz=2pt
-\frenchspacing
-
-\tolerance=500
-
-\abovedisplayskip=3mm plus6pt minus 4pt
-\belowdisplayskip=3mm plus6pt minus 4pt
-\abovedisplayshortskip=0mm plus6pt minus 2pt
-\belowdisplayshortskip=2mm plus4pt minus 4pt
-
-\predisplaypenalty=0
-\clubpenalty=10000
-\widowpenalty=10000
-
-\newdimen\betweenumberspace % dimension for space between
-\betweenumberspace=5pt % number and text of titles.
-\newdimen\headlineindent % dimension for space between
-\headlineindent=2.5cc % number and text of headings.
-
-\intextsep 20pt plus 2pt minus 2pt
-
-\setcounter{topnumber}{4}
-\def\topfraction{.9}
-\setcounter{bottomnumber}{2}
-\def\bottomfraction{.5}
-\setcounter{totalnumber}{6}
-\def\textfraction{.2}
-\def\floatpagefraction{.5}
-
-% Figures and tables are processed in small print
-\def \@floatboxreset {%
- \reset@font
- \small
- \@setnobreak
- \@setminipage
-}
-\def\figure{\@float{figure}}
-\@namedef{figure*}{\@dblfloat{figure}}
-\def\table{\@float{table}}
-\@namedef{table*}{\@dblfloat{table}}
-\def\fps@figure{htbp}
-\def\fps@table{htbp}
-
-\labelsep=5\p@ % measures for lists
-\leftmargini=17.777\p@
-\labelwidth\leftmargini\advance\labelwidth-\labelsep
-\leftmarginii=\leftmargini
-\leftmarginiii=\leftmargini
-\parsep=\parskip
-
-\def\@listI{\leftmargin\leftmargini
- \parsep=\parskip
- \topsep=\medskipamount
- \itemsep=\parskip \advance\itemsep by -\parsep}
-\let\@listi\@listI
-\@listi
-
-\def\@listii{\leftmargin\leftmarginii
- \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip \advance\itemsep by -\parsep}
-\def\@listiii{\leftmargin\leftmarginiii
- \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip \advance\itemsep by -\parsep}
-%
-\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
-\abovedisplayskip=3mm plus6pt minus 4pt
-\belowdisplayskip=3mm plus6pt minus 4pt
-\abovedisplayshortskip=0mm plus6pt minus 2pt
-\belowdisplayshortskip=2mm plus4pt minus 4pt
-\let\@listi\@listI} % Setting of \@listi added 9 Jun 87
-%
-\def\small{\@setsize\small{10pt}\ixpt\@ixpt
-\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@
-\belowdisplayskip \abovedisplayskip
-\abovedisplayshortskip \z@ plus2\p@
-\belowdisplayshortskip 4\p@ plus2\p@ minus2\p@
-\def\@listi{\leftmargin\leftmargini
-\topsep 4pt plus 2pt minus 2pt\parsep\parskip
-\itemsep\parskip}}
-%
-\def\itemize{\ifnum \@itemdepth >3 \@toodeep\else \advance\@itemdepth \@ne
-\ifnum \@itemdepth=1 \leftmargini=10\p@
-\labelwidth\leftmargini\advance\labelwidth-\labelsep
-\leftmarginii=\leftmargini \leftmarginiii=\leftmargini \fi
-\edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
-\list{\csname\@itemitem\endcsname}{\def\makelabel##1{\rlap{##1}\hss}}\fi}
-%
-\newdimen\verbatimindent \verbatimindent\parindent
-\def\verbatim{\advance\@totalleftmargin by\verbatimindent
-\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
-%
-\let\footnotesize=\small
-%
-\def\petit{\par\addvspace{6pt}\small}
-\def\endpetit{\par\addvspace{6pt}}
-%
-\raggedbottom
-\normalsize % Choose the normalsize font.
-% This is texte.tex
-% it defines various texts and their translations
-% called up with documentstyle options
-\def\abstractname{Summary.}
-\def\ackname{Acknowledgement.}
-\def\andname{and}
-\def\lastandname{, and}
-\def\appendixname{Appendix}
-\def\chaptername{Chapter}
-\def\claimname{Claim}
-\def\conjecturename{Conjecture}
-\def\contentsname{Table of Contents}
-\def\corollaryname{Corollary}
-\def\definitionname{Definition}
-\def\examplename{Example}
-\def\exercisename{Exercise}
-\def\figurename{Fig.}
-\def\keywordname{{\bf Key words:}}
-\def\indexname{Index}
-\def\lemmaname{Lemma}
-\def\contriblistname{List of Contributors}
-\def\listfigurename{List of Figures}
-\def\listtablename{List of Tables}
-\def\mailname{{\it Correspondence to\/}:}
-\def\noteaddname{Note added in proof}
-\def\notename{Note}
-\def\partname{Part}
-\def\problemname{Problem}
-\def\proofname{Proof}
-\def\propertyname{Property}
-\def\propositionname{Proposition}
-\def\questionname{Question}
-\def\remarkname{Remark}
-\def\seename{see}
-\def\solutionname{Solution}
-\def\subclassname{{\it Subject Classifications\/}:}
-\def\tablename{Table}
-\def\theoremname{Theorem}
-% Names of theorem like environments are already defined
-% but must be translated if another language is chosen
-%
-% French section
-\def\ds@francais{\typeout{On parle francais.}%
- \def\abstractname{R\'esum\'e.}%
- \def\ackname{Remerciements.}%
- \def\andname{et}%
- \def\lastandname{ et}%
- \def\appendixname{Appendice}
- \def\chaptername{Chapitre}%
- \def\claimname{Pr\'etention}%
- \def\conjecturename{Hypoth\`ese}%
- \def\contentsname{Table des mati\`eres}%
- \def\corollaryname{Corollaire}%
- \def\definitionname{D\'efinition}%
- \def\examplename{Exemple}%
- \def\exercisename{Exercice}%
- \def\figurename{Fig.}%
- \def\keywordname{{\bf Mots-cl\'e:}}
- \def\indexname{Index}
- \def\lemmaname{Lemme}%
- \def\contriblistname{Liste des contributeurs}
- \def\listfigurename{Liste des figures}%
- \def\listtablename{Liste des tables}%
- \def\mailname{{\it Correspondence to\/}:}
- \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
- \def\notename{Remarque}%
- \def\partname{Partie}%
- \def\problemname{Probl\`eme}%
- \def\proofname{\'Epreuve}%
- \def\propertyname{Caract\'eristique}%
-%\def\propositionname{Proposition}%
- \def\questionname{Question}%
- \def\remarkname{Remarque}%
- \def\seename{voir}
- \def\solutionname{Solution}%
- \def\subclassname{{\it Subject Classifications\/}:}
- \def\tablename{Tableau}%
- \def\theoremname{Th\'eor\`eme}%
-}
-%
-% German section
-\def\ds@deutsch{\typeout{Man spricht deutsch.}%
- \def\abstractname{Zusammenfassung.}%
- \def\ackname{Danksagung.}%
- \def\andname{und}%
- \def\lastandname{ und}%
- \def\appendixname{Anhang}%
- \def\chaptername{Kapitel}%
- \def\claimname{Behauptung}%
- \def\conjecturename{Hypothese}%
- \def\contentsname{Inhaltsverzeichnis}%
- \def\corollaryname{Korollar}%
-%\def\definitionname{Definition}%
- \def\examplename{Beispiel}%
- \def\exercisename{\"Ubung}%
- \def\figurename{Abb.}%
- \def\keywordname{{\bf Schl\"usselw\"orter:}}
- \def\indexname{Index}
-%\def\lemmaname{Lemma}%
- \def\contriblistname{Mitarbeiter}
- \def\listfigurename{Abbildungsverzeichnis}%
- \def\listtablename{Tabellenverzeichnis}%
- \def\mailname{{\it Correspondence to\/}:}
- \def\noteaddname{Nachtrag}%
- \def\notename{Anmerkung}%
- \def\partname{Teil}%
-%\def\problemname{Problem}%
- \def\proofname{Beweis}%
- \def\propertyname{Eigenschaft}%
-%\def\propositionname{Proposition}%
- \def\questionname{Frage}%
- \def\remarkname{Anmerkung}%
- \def\seename{siehe}
- \def\solutionname{L\"osung}%
- \def\subclassname{{\it Subject Classifications\/}:}
- \def\tablename{Tabelle}%
-%\def\theoremname{Theorem}%
-}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is titneu.xxx
-%
-% It redefines titles. Usage is like Lamport described.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\setcounter{secnumdepth}{2} % depth of the highest-level
- % sectioning command
-\newcounter{chapter} % to use chapter together with
-\@addtoreset{section}{chapter} % article.sty
-\@addtoreset{footnote}{chapter}
-
-\def\thechapter{\arabic{chapter}} % how titles will be typeset
-\def\thesection{\thechapter.\arabic{section}}
-\def\thesubsection{\thesection.\arabic{subsection}}
-\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
-\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
-\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
-\def\chaptermark#1{}
-\def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
- \hangindent \z@\noindent\box\@tempboxa}
-
-% definition of chapter
-
-\def\@chapapp{\chaptername}
-
-\def\@makechapterhead#1{{\parindent0pt\raggedright
- \hyphenpenalty \@M
- \Large\bf\boldmath
- \sec@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
- \ignorespaces#1\par
- \ifdim\pagetotal>118pt
- \vskip 24pt
- \else
- \@tempdima=118pt\advance\@tempdima by-\pagetotal
- \vskip\@tempdima
- \fi}}
-
-\def\@makeschapterhead#1{{\parindent0pt\raggedright
- \hyphenpenalty \@M
- \Large\bf\boldmath
- \ignorespaces#1\par
- \ifdim\pagetotal>118pt
- \vskip 24pt
- \else
- \@tempdima=118pt\advance\@tempdima by-\pagetotal
- \vskip\@tempdima
- \fi}}
-
-\newcommand{\clearemptydoublepage}{%
- \newpage{\pagestyle{empty}\cleardoublepage}}
-
-\def\chapter{\clearemptydoublepage\thispagestyle{empty}
- \global\@topnum\z@\@afterindentfalse
- \secdef\@chapter\@schapter}
-
-\def\@chapter[#1]#2{\ifnum\c@secnumdepth>\m@ne
- \refstepcounter{chapter}
- \typeout{\@chapapp\space\thechapter}
- \addcontentsline{toc}{chapter}{\protect
- \numberline{\thechapter\thechapterend}#1}\else %!!!
- \addcontentsline{toc}{chapter}{#1}
- \fi
- \chaptermark{#1}
- \addtocontents{lof}{\protect\addvspace{10pt}}
- \addtocontents{lot}{\protect\addvspace{10pt}}
- \if@twocolumn
- \@topnewpage[\@makechapterhead{#2}]
- \else \@makechapterhead{#2}
- \@afterheading
- \fi}
-
-\def\@schapter#1{\if@twocolumn\@topnewpage[\@makeschapterhead{#1}]
- \else \@makeschapterhead{#1}
- \@afterheading\fi}
-
-% Appendix
-\def\appendix{\par
- \setcounter{chapter}{0}%
- \setcounter{section}{0}%
- \def\@chapapp{\appendixname}%
- \def\thechapter{\Alph{chapter}}}
-
-% definition of sections
-% \hyphenpenalty and \raggedright added, so that there is no
-% hyphenation and the text is set ragged-right in sectioning
-
-\def\runinsep{.}
-\def\aftertext{\unskip\runinsep}
-
-\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
- \let\@svsec\@empty\else
- \refstepcounter{#1}\edef\@svsec{\csname the#1\endcsname
- \hskip\betweenumberspace
- \ignorespaces}\fi
- \@tempskipa #5\relax
- \ifdim \@tempskipa>\z@
- \begingroup #6\relax
- \sec@hangfrom{\hskip #3\relax\@svsec}{%
- \raggedright
- \hyphenpenalty \@M
- \interlinepenalty \@M #8\par}%
- \endgroup
- \csname #1mark\endcsname{#7}\addcontentsline
- {toc}{#1}{\ifnum #2>\c@secnumdepth \else
- \protect\numberline{\csname the#1\endcsname}\fi
- #7}\else
- \def\@svsechd{#6\hskip #3\relax
- \@svsec #8\aftertext\ignorespaces
- \csname #1mark\endcsname
- {#7}\addcontentsline
- {toc}{#1}{\ifnum #2>\c@secnumdepth \else
- \protect\numberline{\csname the#1\endcsname}\fi
- #7}}\fi
- \@xsect{#5}}
-
-% measures and setting of sections
-
-\def\section{\@startsection{section}{1}{\z@}%
- {-25pt plus-4pt minus-4pt}{12.5pt plus4pt
- minus4pt}{\large\bf\boldmath}}
-\def\subsection{\@startsection{subsection}{2}{\z@}%
- {-17pt plus-4pt minus-4pt}{10pt plus4pt
- minus4pt}{\normalsize\bf\boldmath}}
-\def\subsubsection{\@startsection{subsubsection}{3}{\z@}%
- {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\bf\boldmath}}
-\def\paragraph{\@startsection{paragraph}{4}{\z@}%
- {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
-\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
- {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
-
-% definition of \part
-\def\thepart{\Roman{part}}
-\def\part{\clearemptydoublepage % Starts new page.
- \thispagestyle{empty} % Page style of part page is empty
- \if@twocolumn % IF two-column style
- \onecolumn % THEN \onecolumn
- \@tempswatrue % @tempswa := true
- \else \@tempswafalse % ELSE @tempswa := false
- \fi % FI
-% \hbox{}\vfil % Add fil glue to center title
-%% \bgroup \centering % BEGIN centering %% Removed 19 Jan 88
- \secdef\@part\@spart}
-
-
-\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax % IF secnumdepth > -2
- \refstepcounter{part} % THEN step part counter
- \addcontentsline{toc}{part}{\partname\ % add toc line
- \thepart. #1}\else % ELSE add unnumbered line
- \addcontentsline{toc}{part}{#1}\fi % FI
- \markboth{}{}
- {\raggedleft % added 8.1.92 FUH
- \ifnum \c@secnumdepth >-2\relax % IF secnumdepth > -2
- \Large\partname\ \thepart % THEN Print 'Part' and number
- \par % in \Large
- \vskip 103.3pt \fi % Add space before title.
- \bf\boldmath % FI
- #2\par}\@endpart} % Print Title in \Large bold.
-
-
-% \@endpart finishes the part page
-%
-\def\@endpart{\vfil\newpage % End page with 1fil glue.
- \if@twoside % IF twoside printing
- \hbox{} % THEN Produce totally blank page
- \thispagestyle{empty}
- \newpage
- \fi % FI
- \if@tempswa % IF @tempswa = true
- \twocolumn % THEN \twocolumn
- \fi} % FI
-
-\def\@spart#1{{\raggedleft % added 8 Jan 92 FUH
- \Large\bf\boldmath % Print title in \Large-boldface
- #1\par}\@endpart}
-
-\def\subtitle#1{\gdef\@subtitle{#1}}
-\def\@subtitle{}
-
-\def\maketitle{\par
- \begingroup
- \def\thefootnote{\fnsymbol{footnote}}%
- \def\@makefnmark{\hbox
- to\z@{$\m@th^{\@thefnmark}$\hss}}%
- \if@twocolumn
- \twocolumn[\@maketitle]%
- \else \newpage
- \global\@topnum\z@ % Prevents figures from going at top of page.
- \@maketitle \fi\thispagestyle{empty}\@thanks
- \par\penalty -\@M
- \endgroup
- \setcounter{footnote}{0}%
- \let\maketitle\relax
- \let\@maketitle\relax
- \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
-
-\def\@maketitle{\newpage
- \null
- \vskip 2em % Vertical space above title.
-\begingroup
- \def\and{\unskip, }
- \parindent=\z@
- \pretolerance=10000
- \rightskip=0pt plus 3cm
- {\LARGE % each author set in \LARGE
- \lineskip .5em
- \@author
- \par}%
- \vskip 2cm % Vertical space after author.
- {\Huge \@title \par}% % Title set in \Huge size.
- \vskip 1cm % Vertical space after title.
- \if!\@subtitle!\else
- {\LARGE\ignorespaces\@subtitle \par}
- \vskip 1cm % Vertical space after subtitle.
- \fi
- \if!\@date!\else
- {\large \@date}% % Date set in \large size.
- \par
- \vskip 1.5em % Vertical space after date.
- \fi
- \vfill
- {\Large Springer-\kern-0.1em Verlag\par}
- \vskip 5pt
- \large
- Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
- London\enspace Paris\enspace Tokyo\\
- Hong\thinspace Kong\enspace Barcelona\\
- Budapest\par
-\endgroup}
-
-\def\abstract{\if@twocolumn
-\section*{\abstractname}%
-\else \small
-\begin{center}%
-{\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
-\end{center}%
-\quotation
-\fi}
-
-\def\endabstract{\if@twocolumn\else\endquotation\fi}
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is toc.xxx
-%
-% it modifies the appearence of the table of contents
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
- \@starttoc{toc}\if@restonecol\twocolumn\fi}
-
-\setcounter{tocdepth}{2}
-
-\def\l@part#1#2{\addpenalty{\@secpenalty}%
- \addvspace{2em plus\p@}% % space above part line
- \begingroup
- \parindent \z@
- \rightskip \z@ plus 5em
- \hrule\vskip5pt
- \bf\boldmath % set line in boldface
- \leavevmode % TeX command to enter horizontal mode.
- #1\par
- \vskip5pt
- \hrule
- \vskip1pt
- \nobreak % Never break after part entry
- \endgroup}
-
-\def\@dotsep{2}
-
-\def\l@chapter#1#2{\addpenalty{-\@highpenalty}
- \vskip 1.0em plus 1pt \@tempdima \tocchpnum \begingroup
- \parindent \z@ \rightskip \@pnumwidth
- \parfillskip -\@pnumwidth
- \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
- {\bf\boldmath#1}\nobreak
- \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
- \@dotsep mu$}\hfill
- \nobreak\hbox to\@pnumwidth{\hss #2}\par
- \penalty\@highpenalty \endgroup}
-
-\newdimen\tocchpnum
-\newdimen\tocsecnum
-\newdimen\tocsectotal
-\newdimen\tocsubsecnum
-\newdimen\tocsubsectotal
-\newdimen\tocsubsubsecnum
-\newdimen\tocsubsubsectotal
-\newdimen\tocparanum
-\newdimen\tocparatotal
-\newdimen\tocsubparanum
-\tocchpnum=20\p@ % chapter {\bf 88.} plus 5.3pt
-\tocsecnum=22.5\p@ % section 88.8. plus 4.722pt
-\tocsubsecnum=30.5\p@ % subsection 88.8.8 plus 4.944pt
-\tocsubsubsecnum=38\p@ % subsubsection 88.8.8.8 plus 4.666pt
-\tocparanum=45\p@ % paragraph 88.8.8.8.8 plus 3.888pt
-\tocsubparanum=53\p@ % subparagraph 88.8.8.8.8.8 plus 4.11pt
-\def\calctocindent{%
-\tocsectotal=\tocchpnum
-\advance\tocsectotal by\tocsecnum
-\tocsubsectotal=\tocsectotal
-\advance\tocsubsectotal by\tocsubsecnum
-\tocsubsubsectotal=\tocsubsectotal
-\advance\tocsubsubsectotal by\tocsubsubsecnum
-\tocparatotal=\tocsubsubsectotal
-\advance\tocparatotal by\tocparanum}
-\calctocindent
-
-\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
-\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
-\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
-\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
-\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
-
-\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
- \@starttoc{lof}\if@restonecol\twocolumn\fi}
-\def\l@figure{\@dottedtocline{1}{0em}{\tocsecnum}}
-
-\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
- \fi\chapter*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
- \@starttoc{lot}\if@restonecol\twocolumn\fi}
-\let\l@table\l@figure
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is runnhead.xxx
-%
-% It redefines the headings of a text. There are two
-% pagestyles possible: "\pagestyle{headings}" and
-% "\pagestyle{myheadings}". "\pagestyle{headings}" is
-% default.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-\@ifundefined{thechapterend}{\def\thechapterend{.}}{}
-\if@twoside
-\def\ps@headings{\let\@mkboth\markboth
- \def\@oddfoot{}\def\@evenfoot{}
- \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
- \leftmark\hfil}
- \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
- \llap{\thepage}}
- \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
- \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
- \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
- \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
- \thesection\hskip\betweenumberspace\fi ##1}}}}
-\else \def\ps@headings{\let\@mkboth\markboth
- \def\@oddfoot{}\def\@evenfoot{}
- \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
- \llap{\thepage}}
- \def\chaptermark##1{\markright{{\ifnum\c@secnumdepth>\m@ne
- \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}} %!!!
-\fi
-\def\ps@myheadings{\let\@mkboth\@gobbletwo
- \def\@oddfoot{}\def\@evenfoot{}
- \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
- \leftmark\hfil}
- \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
- \llap{\thepage}}
- \def\chaptermark##1{}
- \def\sectionmark##1{}%
- \def\subsectionmark##1{}}
-\ps@headings
-
-% Definition of the "\spnewtheorem" command.
-%
-% Usage:
-%
-% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
-% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
-% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
-%
-% New is "cap_font" and "body_font". It stands for
-% fontdefinition of the caption and the text itself.
-%
-% "\spnewtheorem*" gives a theorem without number.
-%
-% A defined spnewthoerem environment is used as described
-% by Lamport.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\let\if@envcntreset\iffalse % environment counter is reset each chapter
-\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue}
-\let\if@envcntsame\iffalse % NOT all environments like "Theorem",
- % each using its own counter
-\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
-\def\envankh{section} % show \thesection along with theorem number
-\DeclareOption{envcountchap}{\def\envankh{chapter}%
-\ExecuteOptions{envcountsect}}
-\let\if@envcntsect\iftrue % show \csname the\envankh\endcsname along
- % with environment number
-\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue}
-\ProcessOptions
-
-\def\@thmcountersep{.}
-\def\@thmcounterend{.}
-
-\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
-
-% definition of \spnewtheorem with number
-
-\def\@spnthm#1#2{%
- \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
-\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
-
-\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
- {\@definecounter{#1}\@addtoreset{#1}{#3}%
- \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
- \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
- {\@definecounter{#1}%
- \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@spothm#1[#2]#3#4#5{%
- \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
- {\expandafter\@ifdefinable\csname #1\endcsname
- {\global\@namedef{the#1}{\@nameuse{the#2}}%
- \expandafter\xdef\csname #1name\endcsname{#3}%
- \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
- \global\@namedef{end#1}{\@endtheorem}}}}
-
-\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\refstepcounter{#1}%
-\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
-
-\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
- \ignorespaces}
-
-\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
- the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
-
-\def\@spbegintheorem#1#2#3#4{\trivlist
- \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
-
-\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
- \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
-
-% definition of \spnewtheorem* without number
-
-\def\@sthm#1#2{\@Ynthm{#1}{#2}}
-
-\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
- {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
- \expandafter\xdef\csname #1name\endcsname{#2}%
- \global\@namedef{end#1}{\@endtheorem}}}
-
-\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
-\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
-
-\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
-
-\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
- {#4}{#2}{#3}\ignorespaces}
-
-\def\@Begintheorem#1#2#3{#3\trivlist
- \item[\hskip\labelsep{#2#1\@thmcounterend}]}
-
-\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
- \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
-
-% initialize theorem environment
-
-\if@envcntsect % show section counter
- \def\@thmcountersep{.}
- \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
-\else % theorem counter only
- \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
- \if@envcntreset
- \@addtoreset{theorem}{section}
- \else
- \@addtoreset{theorem}{chapter}
- \fi
-\fi
-
-%definition of divers theorem environments
-\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
-\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
-\if@envcntsame % all environments like "Theorem" - using its counter
- \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
-\else % all environments with their own counter
- \if@envcntsect % show section counter
- \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
- \else % environment counter only
- \if@envcntreset % environment counter is reset each section
- \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
- \@addtoreset{#1}{section}}
- \else
- \let\spn@wtheorem=\@spynthm
- \fi
- \fi
-\fi
-\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
-\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
-\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
-\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
-\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
-%%LCP%% \spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
-\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
-\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
-\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
-\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
-\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
-\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
-\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
-\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
-
-\def\@takefromreset#1#2{%
- \def\@tempa{#1}%
- \let\@tempd\@elt
- \def\@elt##1{%
- \def\@tempb{##1}%
- \ifx\@tempa\@tempb\else
- \@addtoreset{##1}{#2}%
- \fi}%
- \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
- \expandafter\def\csname cl@#2\endcsname{}%
- \@tempc
- \let\@elt\@tempd}
-
-\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
- \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
- \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
- \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
- }
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%%
-%% This is figure.neu
-%%
-%% It redefines the captions for "figure" and "table"
-%% environments.
-%%
-%% There are three new kind of captions: "\firstcaption"
-%% and "\secondcaption" for captions set side by side.
-%% Usage for those two commands: like "\caption".
-%%
-%% "\sidecaption" with two parms: #1 width of picture
-%% #2 height of picture
-%%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
-\def\floatcounterend{.\ }
-\def\capstrut{\vrule\@width\z@\@height\topskip}
-\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
-\@ifundefined{instindent}{\newdimen\instindent}{}
-
-\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-
-\def\firstcaption{\refstepcounter\@captype\@dblarg%
- {\@firstcaption\@captype}}
-
-\def\secondcaption{\refstepcounter\@captype\@dblarg%
- {\@secondcaption\@captype}}
-
-\long\def\@firstcaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \vskip3pt
- \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
- \ignorespaces\hspace{.073\textwidth}\hfil%
- \endgroup}
-
-\long\def\@secondcaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-
-\long\def\@maketwocaptions#1#2{%
- \parbox[t]{.46\textwidth}{{\floatlegendstyle #1\floatcounterend} #2}}
-
-\newdimen\figgap\figgap=14.2pt
-%
-\long\def\@makesidecaption#1#2{%
- \setbox0=\vbox{\hsize=\@tempdima
- \captionstyle{\floatlegendstyle
- #1\floatcounterend}#2}%
- \ifdim\instindent<\z@
- \ifdim\ht0>-\instindent
- \advance\instindent by\ht0
- \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
- \@captype\space\csname the\@captype\endcsname
- ^^Jis \the\instindent\space taller than the corresponding float -
- ^^Jyou'd better switch the environment. }%
- \instindent\z@
- \fi
- \else
- \ifdim\ht0<\instindent
- \advance\instindent by-\ht0
- \advance\instindent by-\dp0\relax
- \advance\instindent by\topskip
- \advance\instindent by-11pt
- \else
- \advance\instindent by-\ht0
- \instindent=-\instindent
- \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
- \@captype\space\csname the\@captype\endcsname
- ^^Jis \the\instindent\space taller than the corresponding float -
- ^^Jyou'd better switch the environment. }%
- \instindent\z@
- \fi
- \fi
- \parbox[b]{\@tempdima}{\captionstyle{\floatlegendstyle
- #1\floatcounterend}#2%
- \ifdim\instindent>\z@ \\
- \vrule\@width\z@\@height\instindent
- \@depth\z@
- \fi}}
-\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
-\def\sidec@ption[#1]#2\caption{%
-\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
-\if@twocolumn
- \ifdim\hsize<\textwidth\else
- \ifdim\wd\@tempboxa<\columnwidth
- \typeout{Double column float fits into single column -
- ^^Jyou'd better switch the environment. }%
- \fi
- \fi
-\fi
- \instindent=\ht\@tempboxa
- \advance\instindent by\dp\@tempboxa
-\if t#1
-\else
- \instindent=-\instindent
-\fi
-\@tempdima=\hsize
-\advance\@tempdima by-\figgap
-\advance\@tempdima by-\wd\@tempboxa
-\ifdim\@tempdima<3cm
- \typeout{\string\sidecaption: No sufficient room for the legend;
- using normal \string\caption. }%
- \unhbox\@tempboxa
- \let\@capcommand=\@caption
-\else
- \ifdim\@tempdima<4.5cm
- \typeout{\string\sidecaption: Room for the legend very narrow;
- using \string\raggedright. }%
- \toks@\expandafter{\captionstyle\sloppy
- \rightskip=0ptplus6mm\relax}%
- \def\captionstyle{\the\toks@}%
- \fi
- \let\@capcommand=\@sidecaption
- \leavevmode
- \unhbox\@tempboxa
- \hfill
-\fi
-\refstepcounter\@captype
-\@dblarg{\@capcommand\@captype}}
-\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\begingroup
- \@parboxrestore
- \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\fig@type{figure}
-
-\def\leftlegendglue{\hfil}
-\newdimen\figcapgap\figcapgap=3pt
-\newdimen\tabcapgap\tabcapgap=5.5pt
-
-\long\def\@makecaption#1#2{%
- \captionstyle
- \ifx\@captype\fig@type
- \vskip\figcapgap
- \fi
- \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
- \capstrut #2}%
- \ifdim \wd\@tempboxa >\hsize
- {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
- \else
- \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
- \fi
- \ifx\@captype\fig@type\else
- \vskip\tabcapgap
- \fi}
-
-\newcounter{merk}
-\def\endfigure{\resetsubfig\end@float}
-\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
-\let\resetsubfig\relax
-\def\subfigures{\stepcounter{figure}\setcounter{merk}{\value{figure}}%
-\setcounter{figure}{0}\def\thefigure{\if@numart\else\thechapter.\fi
-\@arabic\c@merk\alph{figure}}%
-\def\resetsubfig{\setcounter{figure}{\value{merk}}}}
-\let\leftlegendglue\relax
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Definition of environment thebibliography
-%
-% Borrowed from book.cls
-%
-% by lcp
-
-\newcommand\bibname{Bibliography}
-\setlength\bibindent{1.5em}
-\renewenvironment{thebibliography}[1]
- {\chapter*{\bibname
- \@mkboth{\MakeUppercase\bibname}{\MakeUppercase\bibname}}%
- \list{\@biblabel{\@arabic\c@enumiv}}%
- {\settowidth\labelwidth{\@biblabel{#1}}%
- \leftmargin\labelwidth
- \advance\leftmargin\labelsep
- \@openbib@code
- \usecounter{enumiv}%
- \let\p@enumiv\@empty
- \renewcommand\theenumiv{\@arabic\c@enumiv}}%
- \sloppy
- \clubpenalty4000
- \@clubpenalty \clubpenalty
- \widowpenalty4000%
- \sfcode`\.\@m}
- {\def\@noitemerr
- {\@latex@warning{Empty `thebibliography' environment}}%
- \endlist}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is fonotebk.xxx
-%
-% It redefines how footnotes will be typeset.
-%
-% Usage like described by Lamport.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\newdimen\footnoterulewidth
- \footnoterulewidth=1.666cm
-
-\def\footnoterule{\kern-3\p@
- \hrule width\footnoterulewidth
- \kern 2.6\p@}
-
-\newdimen\foot@parindent
-\foot@parindent 10.83\p@
-
-%\long\def\@makefntext#1{\parindent\foot@parindent\noindent
-% \hbox to\foot@parindent{\hss$\m@th^{\@thefnmark}$\kern3pt}#1}
-\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
- \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
- \@tempdima}\par
- \parindent \foot@parindent\noindent \hbox to \z@{%
- \hss\hss$^{\@thefnmark}$ }#1}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is environ.tex
-%
-% It defines the environment for acknowledgements.
-% and noteadd
-%
-% Usage e.g.: \begin{acknowledgement}
-% Text
-% \end{acknowledgement}
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-% Define `abstract' environment
-\def\acknowledgement{\par\addvspace{17pt}\small\rm
-\trivlist\item[\hskip\labelsep
-{\it\ackname}]}
-\def\endacknowledgement{\endtrivlist\addvspace{6pt}}
-% Define `noteadd' environment
-\def\noteadd{\par\addvspace{17pt}\small\rm
-\trivlist\item[\hskip\labelsep
-{\it\noteaddname}]}
-\def\endnoteadd{\endtrivlist\addvspace{6pt}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is item.xxx
-%
-% It redefines the kind of label for "itemize", "enumerate"
-% and "description" environment. The last is extended by
-% an optional parameter. Its length is used for overall
-% indentation.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% labels of enumerate
-
-\def\labelenumi{\theenumi.}
-\def\labelenumii{\theenumii)}
-\def\theenumii{\alph{enumii}}
-\def\p@enumii{\theenumi}
-
-% labels of itemize
-
-\def\labelitemi{\bf --}
-\def\labelitemii{\bf --}
-\def\labelitemiii{$\bullet$}
-\def\labelitemiv{$\cdot$}
-
-% labels of description
-\def\descriptionlabel#1{\hspace\labelsep #1\hfil}
-
-% make indentations changeable
-
-\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
- \leftmargini\labelwidth
- \advance\leftmargini\labelsep
- \def\@listi{\leftmargin\leftmargini
- \labelwidth\leftmargini\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\medskipamount
- \itemsep=\parskip \advance\itemsep by -\parsep}}
-\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
- \leftmarginii\labelwidth
- \advance\leftmarginii\labelsep
-\def\@listii{\leftmargin\leftmarginii
- \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
- \parsep=\parskip
- \topsep=\z@
- \itemsep=\parskip \advance\itemsep by -\parsep}}
-%
-% adjusted environment "description"
-% if an optional parameter (at the first two levels of lists)
-% is present, its width is considered to be the widest mark
-% throughout the current list.
-\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
- \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
-%
-\def\describelabel#1{#1\hfil}
-\def\@describe[#1]{\relax\ifnum\@listdepth=0
-\setitemindent{#1}\else\ifnum\@listdepth=1
-\setitemitemindent{#1}\fi\fi
-\list{--}{\let\makelabel\describelabel}}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is index.xxx
-%
-% It defines miscelaneous addons used for the preparation
-% of an index.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\theindex{\@restonecoltrue\if@twocolumn\@restonecolfalse\fi
-\columnseprule \z@
-\columnsep 1cc\twocolumn[\@makeschapterhead{\indexname}%
- \csname indexstarthook\endcsname]%
- \@mkboth{\indexname}{\indexname}%
- \thispagestyle{empty}\parindent\z@
- \rightskip0\p@ plus 40\p@
- \parskip\z@ plus .3\p@\relax\let\item\@idxitem
- \def\,{\relax\ifmmode\mskip\thinmuskip
- \else\hskip0.2em\ignorespaces\fi}%
- \small\rm}
-
-\def\idxquad{\hskip 10\p@}% space that divides entry from number
-
-\def\@idxitem{\par\hangindent 10\p@}
-
-\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
- \noindent\hangindent\wd0\box0}% index entry
-
-\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
- \noindent\hangindent\wd0\box0}% order index entry
-
-\def\endtheindex{\if@restonecol\onecolumn\else\clearpage\fi}
-
-\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% This is numberbk.xxx
-%
-% It redefines the kind of numeration for figures,
-% tables and equations. With style option "numart" they
-% are numbered with "no.", otherwise with "kapno.no."
-%
-% e.g. \documentstyle[numart]{article} gives a
-% numbering like in article.sty defined.
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-\def\@takefromreset#1#2{%
- \def\@tempa{#1}%
- \let\@tempd\@elt
- \def\@elt##1{%
- \def\@tempb{##1}%
- \ifx\@tempa\@tempb\else
- \@addtoreset{##1}{#2}%
- \fi}%
- \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
- \expandafter\def\csname cl@#2\endcsname{}%
- \@tempc
- \let\@elt\@tempd
-}
-%
-\def\ds@numart{\@numarttrue
- \@takefromreset{figure}{chapter}%
- \@takefromreset{table}{chapter}%
- \@takefromreset{equation}{chapter}%
- \def\thefigure{\@arabic\c@figure}%
- \def\thetable{\@arabic\c@table}%
- \def\theequation{\arabic{equation}}}
-%
-\def\thefigure{\thechapter.\@arabic\c@figure}
-\def\thetable{\thechapter.\@arabic\c@table}
-\def\theequation{\thechapter.\arabic{equation}}
-\@addtoreset{figure}{chapter}
-\@addtoreset{table}{chapter}
-\@addtoreset{equation}{chapter}
-\endinput
-
--- a/doc-src/TutorialI/document/ctl0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,6 +0,0 @@
-\index{model checking example|(}%
-\index{lfp@{\texttt{lfp}}!applications of|see{CTL}}
-\input{Base.tex}
-\input{PDL.tex}
-\input{CTL.tex}
-\index{model checking example|)}
--- a/doc-src/TutorialI/document/documents0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,24 +0,0 @@
-
-\chapter{Presenting Theories}
-\label{ch:thy-present}
-
-By now the reader should have become sufficiently acquainted with elementary
-theory development in Isabelle/HOL\@. The following interlude describes
-how to present theories in a typographically
-pleasing manner. Isabelle provides a rich infrastructure for concrete syntax
-of the underlying $\lambda$-calculus language (see
-{\S}\ref{sec:concrete-syntax}), as well as document preparation of theory texts
-based on existing PDF-{\LaTeX} technology (see
-{\S}\ref{sec:document-preparation}).
-
-As pointed out by Leibniz\index{Leibniz, Gottfried Wilhelm} more than 300
-years ago, \emph{notions} are in principle more important than
-\emph{notations}, but suggestive textual representation of ideas is vital to
-reduce the mental effort to comprehend and apply them.
-
-\input{Documents.tex}
-
-%%% Local Variables:
-%%% mode: latex
-%%% TeX-master: t
-%%% End:
--- a/doc-src/TutorialI/document/fp.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,484 +0,0 @@
-\chapter{Functional Programming in HOL}
-
-This chapter describes how to write
-functional programs in HOL and how to verify them. However,
-most of the constructs and
-proof procedures introduced are general and recur in any specification
-or verification task. We really should speak of functional
-\emph{modelling} rather than functional \emph{programming}:
-our primary aim is not
-to write programs but to design abstract models of systems. HOL is
-a specification language that goes well beyond what can be expressed as a
-program. However, for the time being we concentrate on the computable.
-
-If you are a purist functional programmer, please note that all functions
-in HOL must be total:
-they must terminate for all inputs. Lazy data structures are not
-directly available.
-
-\section{An Introductory Theory}
-\label{sec:intro-theory}
-
-Functional programming needs datatypes and functions. Both of them can be
-defined in a theory with a syntax reminiscent of languages like ML or
-Haskell. As an example consider the theory in figure~\ref{fig:ToyList}.
-We will now examine it line by line.
-
-\begin{figure}[htbp]
-\begin{ttbox}\makeatother
-\input{ToyList1}\end{ttbox}
-\caption{A Theory of Lists}
-\label{fig:ToyList}
-\end{figure}
-
-\index{*ToyList example|(}
-{\makeatother\medskip\input{ToyList.tex}}
-
-The complete proof script is shown in Fig.\ts\ref{fig:ToyList-proofs}. The
-concatenation of Figs.\ts\ref{fig:ToyList} and~\ref{fig:ToyList-proofs}
-constitutes the complete theory \texttt{ToyList} and should reside in file
-\texttt{ToyList.thy}.
-% It is good practice to present all declarations and
-%definitions at the beginning of a theory to facilitate browsing.%
-\index{*ToyList example|)}
-
-\begin{figure}[htbp]
-\begin{ttbox}\makeatother
-\input{ToyList2}\end{ttbox}
-\caption{Proofs about Lists}
-\label{fig:ToyList-proofs}
-\end{figure}
-
-\subsubsection*{Review}
-
-This is the end of our toy proof. It should have familiarized you with
-\begin{itemize}
-\item the standard theorem proving procedure:
-state a goal (lemma or theorem); proceed with proof until a separate lemma is
-required; prove that lemma; come back to the original goal.
-\item a specific procedure that works well for functional programs:
-induction followed by all-out simplification via \isa{auto}.
-\item a basic repertoire of proof commands.
-\end{itemize}
-
-\begin{warn}
-It is tempting to think that all lemmas should have the \isa{simp} attribute
-just because this was the case in the example above. However, in that example
-all lemmas were equations, and the right-hand side was simpler than the
-left-hand side --- an ideal situation for simplification purposes. Unless
-this is clearly the case, novices should refrain from awarding a lemma the
-\isa{simp} attribute, which has a global effect. Instead, lemmas can be
-applied locally where they are needed, which is discussed in the following
-chapter.
-\end{warn}
-
-\section{Some Helpful Commands}
-\label{sec:commands-and-hints}
-
-This section discusses a few basic commands for manipulating the proof state
-and can be skipped by casual readers.
-
-There are two kinds of commands used during a proof: the actual proof
-commands and auxiliary commands for examining the proof state and controlling
-the display. Simple proof commands are of the form
-\commdx{apply}(\textit{method}), where \textit{method} is typically
-\isa{induct_tac} or \isa{auto}. All such theorem proving operations
-are referred to as \bfindex{methods}, and further ones are
-introduced throughout the tutorial. Unless stated otherwise, you may
-assume that a method attacks merely the first subgoal. An exception is
-\isa{auto}, which tries to solve all subgoals.
-
-The most useful auxiliary commands are as follows:
-\begin{description}
-\item[Modifying the order of subgoals:]
-\commdx{defer} moves the first subgoal to the end and
-\commdx{prefer}~$n$ moves subgoal $n$ to the front.
-\item[Printing theorems:]
- \commdx{thm}~\textit{name}$@1$~\dots~\textit{name}$@n$
- prints the named theorems.
-\item[Reading terms and types:] \commdx{term}
- \textit{string} reads, type-checks and prints the given string as a term in
- the current context; the inferred type is output as well.
- \commdx{typ} \textit{string} reads and prints the given
- string as a type in the current context.
-\end{description}
-Further commands are found in the Isabelle/Isar Reference
-Manual~\cite{isabelle-isar-ref}.
-
-\begin{pgnote}
-Clicking on the \pgmenu{State} button redisplays the current proof state.
-This is helpful in case commands like \isacommand{thm} have overwritten it.
-\end{pgnote}
-
-We now examine Isabelle's functional programming constructs systematically,
-starting with inductive datatypes.
-
-
-\section{Datatypes}
-\label{sec:datatype}
-
-\index{datatypes|(}%
-Inductive datatypes are part of almost every non-trivial application of HOL.
-First we take another look at an important example, the datatype of
-lists, before we turn to datatypes in general. The section closes with a
-case study.
-
-
-\subsection{Lists}
-
-\index{*list (type)}%
-Lists are one of the essential datatypes in computing. We expect that you
-are already familiar with their basic operations.
-Theory \isa{ToyList} is only a small fragment of HOL's predefined theory
-\thydx{List}\footnote{\url{http://isabelle.in.tum.de/library/HOL/List.html}}.
-The latter contains many further operations. For example, the functions
-\cdx{hd} (``head'') and \cdx{tl} (``tail'') return the first
-element and the remainder of a list. (However, pattern matching is usually
-preferable to \isa{hd} and \isa{tl}.)
-Also available are higher-order functions like \isa{map} and \isa{filter}.
-Theory \isa{List} also contains
-more syntactic sugar: \isa{[}$x@1$\isa{,}\dots\isa{,}$x@n$\isa{]} abbreviates
-$x@1$\isa{\#}\dots\isa{\#}$x@n$\isa{\#[]}. In the rest of the tutorial we
-always use HOL's predefined lists by building on theory \isa{Main}.
-\begin{warn}
-Looking ahead to sets and quanifiers in Part II:
-The best way to express that some element \isa{x} is in a list \isa{xs} is
-\isa{x $\in$ set xs}, where \isa{set} is a function that turns a list into the
-set of its elements.
-By the same device you can also write bounded quantifiers like
-\isa{$\forall$x $\in$ set xs} or embed lists in other set expressions.
-\end{warn}
-
-
-\subsection{The General Format}
-\label{sec:general-datatype}
-
-The general HOL \isacommand{datatype} definition is of the form
-\[
-\isacommand{datatype}~(\alpha@1, \dots, \alpha@n) \, t ~=~
-C@1~\tau@{11}~\dots~\tau@{1k@1} ~\mid~ \dots ~\mid~
-C@m~\tau@{m1}~\dots~\tau@{mk@m}
-\]
-where $\alpha@i$ are distinct type variables (the parameters), $C@i$ are distinct
-constructor names and $\tau@{ij}$ are types; it is customary to capitalize
-the first letter in constructor names. There are a number of
-restrictions (such as that the type should not be empty) detailed
-elsewhere~\cite{isabelle-HOL}. Isabelle notifies you if you violate them.
-
-Laws about datatypes, such as \isa{[] \isasymnoteq~x\#xs} and
-\isa{(x\#xs = y\#ys) = (x=y \isasymand~xs=ys)}, are used automatically
-during proofs by simplification. The same is true for the equations in
-primitive recursive function definitions.
-
-Every\footnote{Except for advanced datatypes where the recursion involves
-``\isasymRightarrow'' as in {\S}\ref{sec:nested-fun-datatype}.} datatype $t$
-comes equipped with a \isa{size} function from $t$ into the natural numbers
-(see~{\S}\ref{sec:nat} below). For lists, \isa{size} is just the length, i.e.\
-\isa{size [] = 0} and \isa{size(x \# xs) = size xs + 1}. In general,
-\cdx{size} returns
-\begin{itemize}
-\item zero for all constructors that do not have an argument of type $t$,
-\item one plus the sum of the sizes of all arguments of type~$t$,
-for all other constructors.
-\end{itemize}
-Note that because
-\isa{size} is defined on every datatype, it is overloaded; on lists
-\isa{size} is also called \sdx{length}, which is not overloaded.
-Isabelle will always show \isa{size} on lists as \isa{length}.
-
-
-\subsection{Primitive Recursion}
-
-\index{recursion!primitive}%
-Functions on datatypes are usually defined by recursion. In fact, most of the
-time they are defined by what is called \textbf{primitive recursion} over some
-datatype $t$. This means that the recursion equations must be of the form
-\[ f \, x@1 \, \dots \, (C \, y@1 \, \dots \, y@k)\, \dots \, x@n = r \]
-such that $C$ is a constructor of $t$ and all recursive calls of
-$f$ in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$. Thus
-Isabelle immediately sees that $f$ terminates because one (fixed!) argument
-becomes smaller with every recursive call. There must be at most one equation
-for each constructor. Their order is immaterial.
-A more general method for defining total recursive functions is introduced in
-{\S}\ref{sec:fun}.
-
-\begin{exercise}\label{ex:Tree}
-\input{Tree.tex}%
-\end{exercise}
-
-\input{case_exprs.tex}
-
-\input{Ifexpr.tex}
-\index{datatypes|)}
-
-
-\section{Some Basic Types}
-
-This section introduces the types of natural numbers and ordered pairs. Also
-described is type \isa{option}, which is useful for modelling exceptional
-cases.
-
-\subsection{Natural Numbers}
-\label{sec:nat}\index{natural numbers}%
-\index{linear arithmetic|(}
-
-\input{fakenat.tex}\medskip
-\input{natsum.tex}
-
-\index{linear arithmetic|)}
-
-
-\subsection{Pairs}
-\input{pairs2.tex}
-
-\subsection{Datatype {\tt\slshape option}}
-\label{sec:option}
-\input{Option2.tex}
-
-\section{Definitions}
-\label{sec:Definitions}
-
-A definition is simply an abbreviation, i.e.\ a new name for an existing
-construction. In particular, definitions cannot be recursive. Isabelle offers
-definitions on the level of types and terms. Those on the type level are
-called \textbf{type synonyms}; those on the term level are simply called
-definitions.
-
-
-\subsection{Type Synonyms}
-
-\index{type synonyms}%
-Type synonyms are similar to those found in ML\@. They are created by a
-\commdx{type\protect\_synonym} command:
-
-\medskip
-\input{types.tex}
-
-\input{prime_def.tex}
-
-
-\section{The Definitional Approach}
-\label{sec:definitional}
-
-\index{Definitional Approach}%
-As we pointed out at the beginning of the chapter, asserting arbitrary
-axioms such as $f(n) = f(n) + 1$ can easily lead to contradictions. In order
-to avoid this danger, we advocate the definitional rather than
-the axiomatic approach: introduce new concepts by definitions. However, Isabelle/HOL seems to
-support many richer definitional constructs, such as
-\isacommand{primrec}. The point is that Isabelle reduces such constructs to first principles. For example, each
-\isacommand{primrec} function definition is turned into a proper
-(nonrecursive!) definition from which the user-supplied recursion equations are
-automatically proved. This process is
-hidden from the user, who does not have to understand the details. Other commands described
-later, like \isacommand{fun} and \isacommand{inductive}, work similarly.
-This strict adherence to the definitional approach reduces the risk of
-soundness errors.
-
-\chapter{More Functional Programming}
-
-The purpose of this chapter is to deepen your understanding of the
-concepts encountered so far and to introduce advanced forms of datatypes and
-recursive functions. The first two sections give a structured presentation of
-theorem proving by simplification ({\S}\ref{sec:Simplification}) and discuss
-important heuristics for induction ({\S}\ref{sec:InductionHeuristics}). You can
-skip them if you are not planning to perform proofs yourself.
-We then present a case
-study: a compiler for expressions ({\S}\ref{sec:ExprCompiler}). Advanced
-datatypes, including those involving function spaces, are covered in
-{\S}\ref{sec:advanced-datatypes}; it closes with another case study, search
-trees (``tries''). Finally we introduce \isacommand{fun}, a general
-form of recursive function definition that goes well beyond
-\isacommand{primrec} ({\S}\ref{sec:fun}).
-
-
-\section{Simplification}
-\label{sec:Simplification}
-\index{simplification|(}
-
-So far we have proved our theorems by \isa{auto}, which simplifies
-all subgoals. In fact, \isa{auto} can do much more than that.
-To go beyond toy examples, you
-need to understand the ingredients of \isa{auto}. This section covers the
-method that \isa{auto} always applies first, simplification.
-
-Simplification is one of the central theorem proving tools in Isabelle and
-many other systems. The tool itself is called the \textbf{simplifier}.
-This section introduces the many features of the simplifier
-and is required reading if you intend to perform proofs. Later on,
-{\S}\ref{sec:simplification-II} explains some more advanced features and a
-little bit of how the simplifier works. The serious student should read that
-section as well, in particular to understand why the simplifier did
-something unexpected.
-
-\subsection{What is Simplification?}
-
-In its most basic form, simplification means repeated application of
-equations from left to right. For example, taking the rules for \isa{\at}
-and applying them to the term \isa{[0,1] \at\ []} results in a sequence of
-simplification steps:
-\begin{ttbox}\makeatother
-(0#1#[]) @ [] \(\leadsto\) 0#((1#[]) @ []) \(\leadsto\) 0#(1#([] @ [])) \(\leadsto\) 0#1#[]
-\end{ttbox}
-This is also known as \bfindex{term rewriting}\indexbold{rewriting} and the
-equations are referred to as \bfindex{rewrite rules}.
-``Rewriting'' is more honest than ``simplification'' because the terms do not
-necessarily become simpler in the process.
-
-The simplifier proves arithmetic goals as described in
-{\S}\ref{sec:nat} above. Arithmetic expressions are simplified using built-in
-procedures that go beyond mere rewrite rules. New simplification procedures
-can be coded and installed, but they are definitely not a matter for this
-tutorial.
-
-\input{simp.tex}
-
-\index{simplification|)}
-
-\input{Itrev.tex}
-\begin{exercise}
-\input{Plus.tex}%
-\end{exercise}
-\begin{exercise}
-\input{Tree2.tex}%
-\end{exercise}
-
-\input{CodeGen.tex}
-
-
-\section{Advanced Datatypes}
-\label{sec:advanced-datatypes}
-\index{datatype@\isacommand {datatype} (command)|(}
-\index{primrec@\isacommand {primrec} (command)|(}
-%|)
-
-This section presents advanced forms of datatypes: mutual and nested
-recursion. A series of examples will culminate in a treatment of the trie
-data structure.
-
-
-\subsection{Mutual Recursion}
-\label{sec:datatype-mut-rec}
-
-\input{ABexpr.tex}
-
-\subsection{Nested Recursion}
-\label{sec:nested-datatype}
-
-{\makeatother\input{Nested.tex}}
-
-
-\subsection{The Limits of Nested Recursion}
-\label{sec:nested-fun-datatype}
-
-How far can we push nested recursion? By the unfolding argument above, we can
-reduce nested to mutual recursion provided the nested recursion only involves
-previously defined datatypes. This does not include functions:
-\begin{isabelle}
-\isacommand{datatype} t = C "t \isasymRightarrow\ bool"
-\end{isabelle}
-This declaration is a real can of worms.
-In HOL it must be ruled out because it requires a type
-\isa{t} such that \isa{t} and its power set \isa{t \isasymFun\ bool} have the
-same cardinality --- an impossibility. For the same reason it is not possible
-to allow recursion involving the type \isa{t set}, which is isomorphic to
-\isa{t \isasymFun\ bool}.
-
-Fortunately, a limited form of recursion
-involving function spaces is permitted: the recursive type may occur on the
-right of a function arrow, but never on the left. Hence the above can of worms
-is ruled out but the following example of a potentially
-\index{infinitely branching trees}%
-infinitely branching tree is accepted:
-\smallskip
-
-\input{Fundata.tex}
-
-If you need nested recursion on the left of a function arrow, there are
-alternatives to pure HOL\@. In the Logic for Computable Functions
-(\rmindex{LCF}), types like
-\begin{isabelle}
-\isacommand{datatype} lam = C "lam \isasymrightarrow\ lam"
-\end{isabelle}
-do indeed make sense~\cite{paulson87}. Note the different arrow,
-\isa{\isasymrightarrow} instead of \isa{\isasymRightarrow},
-expressing the type of \emph{continuous} functions.
-There is even a version of LCF on top of HOL,
-called \rmindex{HOLCF}~\cite{MuellerNvOS99}.
-\index{datatype@\isacommand {datatype} (command)|)}
-\index{primrec@\isacommand {primrec} (command)|)}
-
-
-\subsection{Case Study: Tries}
-\label{sec:Trie}
-
-\index{tries|(}%
-Tries are a classic search tree data structure~\cite{Knuth3-75} for fast
-indexing with strings. Figure~\ref{fig:trie} gives a graphical example of a
-trie containing the words ``all'', ``an'', ``ape'', ``can'', ``car'' and
-``cat''. When searching a string in a trie, the letters of the string are
-examined sequentially. Each letter determines which subtrie to search next.
-In this case study we model tries as a datatype, define a lookup and an
-update function, and prove that they behave as expected.
-
-\begin{figure}[htbp]
-\begin{center}
-\unitlength1mm
-\begin{picture}(60,30)
-\put( 5, 0){\makebox(0,0)[b]{l}}
-\put(25, 0){\makebox(0,0)[b]{e}}
-\put(35, 0){\makebox(0,0)[b]{n}}
-\put(45, 0){\makebox(0,0)[b]{r}}
-\put(55, 0){\makebox(0,0)[b]{t}}
-%
-\put( 5, 9){\line(0,-1){5}}
-\put(25, 9){\line(0,-1){5}}
-\put(44, 9){\line(-3,-2){9}}
-\put(45, 9){\line(0,-1){5}}
-\put(46, 9){\line(3,-2){9}}
-%
-\put( 5,10){\makebox(0,0)[b]{l}}
-\put(15,10){\makebox(0,0)[b]{n}}
-\put(25,10){\makebox(0,0)[b]{p}}
-\put(45,10){\makebox(0,0)[b]{a}}
-%
-\put(14,19){\line(-3,-2){9}}
-\put(15,19){\line(0,-1){5}}
-\put(16,19){\line(3,-2){9}}
-\put(45,19){\line(0,-1){5}}
-%
-\put(15,20){\makebox(0,0)[b]{a}}
-\put(45,20){\makebox(0,0)[b]{c}}
-%
-\put(30,30){\line(-3,-2){13}}
-\put(30,30){\line(3,-2){13}}
-\end{picture}
-\end{center}
-\caption{A Sample Trie}
-\label{fig:trie}
-\end{figure}
-
-Proper tries associate some value with each string. Since the
-information is stored only in the final node associated with the string, many
-nodes do not carry any value. This distinction is modeled with the help
-of the predefined datatype \isa{option} (see {\S}\ref{sec:option}).
-\input{Trie.tex}
-\index{tries|)}
-
-\section{Total Recursive Functions: \isacommand{fun}}
-\label{sec:fun}
-\index{fun@\isacommand {fun} (command)|(}\index{functions!total|(}
-
-Although many total functions have a natural primitive recursive definition,
-this is not always the case. Arbitrary total recursive functions can be
-defined by means of \isacommand{fun}: you can use full pattern matching,
-recursion need not involve datatypes, and termination is proved by showing
-that the arguments of all recursive calls are smaller in a suitable sense.
-In this section we restrict ourselves to functions where Isabelle can prove
-termination automatically. More advanced function definitions, including user
-supplied termination proofs, nested recursion and partiality, are discussed
-in a separate tutorial~\cite{isabelle-function}.
-
-\input{fun0.tex}
-
-\index{fun@\isacommand {fun} (command)|)}\index{functions!total|)}
--- a/doc-src/TutorialI/document/inductive0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,31 +0,0 @@
-\chapter{Inductively Defined Sets} \label{chap:inductive}
-\index{inductive definitions|(}
-
-This chapter is dedicated to the most important definition principle after
-recursive functions and datatypes: inductively defined sets.
-
-We start with a simple example: the set of even numbers. A slightly more
-complicated example, the reflexive transitive closure, is the subject of
-{\S}\ref{sec:rtc}. In particular, some standard induction heuristics are
-discussed. Advanced forms of inductive definitions are discussed in
-{\S}\ref{sec:adv-ind-def}. To demonstrate the versatility of inductive
-definitions, the chapter closes with a case study from the realm of
-context-free grammars. The first two sections are required reading for anybody
-interested in mathematical modelling.
-
-\begin{warn}
-Predicates can also be defined inductively.
-See {\S}\ref{sec:ind-predicates}.
-\end{warn}
-
-\input{Even}
-\input{Mutual}
-\input{Star}
-
-\section{Advanced Inductive Definitions}
-\label{sec:adv-ind-def}
-\input{Advanced}
-
-\input{AB}
-
-\index{inductive definitions|)}
--- a/doc-src/TutorialI/document/isa-index Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,23 +0,0 @@
-#! /bin/sh
-#
-#sedindex - shell script to create indexes, preprocessing LaTeX's .idx file
-#
-# puts strings prefixed by * into \tt font
-# terminator characters for strings are |!@{}
-#
-# a space terminates the \tt part to allow \index{*notE theorem}, etc.
-#
-# note that makeindex uses a dboule quote (") to delimit special characters.
-#
-# change *"X"Y"Z"W to "X"Y"Z"W@{\tt "X"Y"Z"W}
-# change *"X"Y"Z to "X"Y"Z@{\tt "X"Y"Z}
-# change *"X"Y to "X"Y@{\tt "X"Y}
-# change *"X to "X@{\tt "X}
-# change *IDENT to IDENT@{\tt IDENT}
-# where IDENT is any string not containing | ! or @
-# FOUR backslashes: to escape the shell AND sed
-sed -e "s~\*\(\".\".\".\".\)~\1@\\\\isa {\1}~g
-s~\*\(\".\".\".\)~\1@\\\\isa {\1}~g
-s~\*\(\".\".\)~\1@\\\\isa {\1}~g
-s~\*\(\".\)~\1@\\\\isa {\1}~g
-s~\*\([^ |!@{}][^ |!@{}]*\)~\1@\\\\isa {\1}~g" $1.idx | makeindex -c -q -o $1.ind
--- a/doc-src/TutorialI/document/numerics.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,543 +0,0 @@
-\section{Numbers}
-\label{sec:numbers}
-
-\index{numbers|(}%
-Until now, our numerical examples have used the type of \textbf{natural
-numbers},
-\isa{nat}. This is a recursive datatype generated by the constructors
-zero and successor, so it works well with inductive proofs and primitive
-recursive function definitions. HOL also provides the type
-\isa{int} of \textbf{integers}, which lack induction but support true
-subtraction. With subtraction, arithmetic reasoning is easier, which makes
-the integers preferable to the natural numbers for
-complicated arithmetic expressions, even if they are non-negative. There are also the types
-\isa{rat}, \isa{real} and \isa{complex}: the rational, real and complex numbers. Isabelle has no
-subtyping, so the numeric
-types are distinct and there are functions to convert between them.
-Most numeric operations are overloaded: the same symbol can be
-used at all numeric types. Table~\ref{tab:overloading} in the appendix
-shows the most important operations, together with the priorities of the
-infix symbols. Algebraic properties are organized using type classes
-around algebraic concepts such as rings and fields;
-a property such as the commutativity of addition is a single theorem
-(\isa{add_commute}) that applies to all numeric types.
-
-\index{linear arithmetic}%
-Many theorems involving numeric types can be proved automatically by
-Isabelle's arithmetic decision procedure, the method
-\methdx{arith}. Linear arithmetic comprises addition, subtraction
-and multiplication by constant factors; subterms involving other operators
-are regarded as variables. The procedure can be slow, especially if the
-subgoal to be proved involves subtraction over type \isa{nat}, which
-causes case splits. On types \isa{nat} and \isa{int}, \methdx{arith}
-can deal with quantifiers---this is known as Presburger arithmetic---whereas on type \isa{real} it cannot.
-
-The simplifier reduces arithmetic expressions in other
-ways, such as dividing through by common factors. For problems that lie
-outside the scope of automation, HOL provides hundreds of
-theorems about multiplication, division, etc., that can be brought to
-bear. You can locate them using Proof General's Find
-button. A few lemmas are given below to show what
-is available.
-
-\subsection{Numeric Literals}
-\label{sec:numerals}
-
-\index{numeric literals|(}%
-The constants \cdx{0} and \cdx{1} are overloaded. They denote zero and one,
-respectively, for all numeric types. Other values are expressed by numeric
-literals, which consist of one or more decimal digits optionally preceeded by a minus sign (\isa{-}). Examples are \isa{2}, \isa{-3} and
-\isa{441223334678}. Literals are available for the types of natural
-numbers, integers, rationals, reals, etc.; they denote integer values of
-arbitrary size.
-
-Literals look like constants, but they abbreviate
-terms representing the number in a two's complement binary notation.
-Isabelle performs arithmetic on literals by rewriting rather
-than using the hardware arithmetic. In most cases arithmetic
-is fast enough, even for numbers in the millions. The arithmetic operations
-provided for literals include addition, subtraction, multiplication,
-integer division and remainder. Fractions of literals (expressed using
-division) are reduced to lowest terms.
-
-\begin{warn}\index{overloading!and arithmetic}
-The arithmetic operators are
-overloaded, so you must be careful to ensure that each numeric
-expression refers to a specific type, if necessary by inserting
-type constraints. Here is an example of what can go wrong:
-\par
-\begin{isabelle}
-\isacommand{lemma}\ "2\ *\ m\ =\ m\ +\ m"
-\end{isabelle}
-%
-Carefully observe how Isabelle displays the subgoal:
-\begin{isabelle}
-\ 1.\ (2::'a)\ *\ m\ =\ m\ +\ m
-\end{isabelle}
-The type \isa{'a} given for the literal \isa{2} warns us that no numeric
-type has been specified. The problem is underspecified. Given a type
-constraint such as \isa{nat}, \isa{int} or \isa{real}, it becomes trivial.
-\end{warn}
-
-\begin{warn}
-\index{function@\isacommand {function} (command)!and numeric literals}
-Numeric literals are not constructors and therefore
-must not be used in patterns. For example, this declaration is
-rejected:
-\begin{isabelle}
-\isacommand{function}\ h\ \isakeyword{where}\isanewline
-"h\ 3\ =\ 2"\isanewline
-\isacharbar "h\ i\ \ =\ i"
-\end{isabelle}
-
-You should use a conditional expression instead:
-\begin{isabelle}
-"h\ i\ =\ (if\ i\ =\ 3\ then\ 2\ else\ i)"
-\end{isabelle}
-\index{numeric literals|)}
-\end{warn}
-
-
-\subsection{The Type of Natural Numbers, {\tt\slshape nat}}
-
-\index{natural numbers|(}\index{*nat (type)|(}%
-This type requires no introduction: we have been using it from the
-beginning. Hundreds of theorems about the natural numbers are
-proved in the theories \isa{Nat} and \isa{Divides}.
-Basic properties of addition and multiplication are available through the
-axiomatic type class for semirings (\S\ref{sec:numeric-classes}).
-
-\subsubsection{Literals}
-\index{numeric literals!for type \protect\isa{nat}}%
-The notational options for the natural numbers are confusing. Recall that an
-overloaded constant can be defined independently for each type; the definition
-of \cdx{1} for type \isa{nat} is
-\begin{isabelle}
-1\ \isasymequiv\ Suc\ 0
-\rulename{One_nat_def}
-\end{isabelle}
-This is installed as a simplification rule, so the simplifier will replace
-every occurrence of \isa{1::nat} by \isa{Suc\ 0}. Literals are obviously
-better than nested \isa{Suc}s at expressing large values. But many theorems,
-including the rewrite rules for primitive recursive functions, can only be
-applied to terms of the form \isa{Suc\ $n$}.
-
-The following default simplification rules replace
-small literals by zero and successor:
-\begin{isabelle}
-2\ +\ n\ =\ Suc\ (Suc\ n)
-\rulename{add_2_eq_Suc}\isanewline
-n\ +\ 2\ =\ Suc\ (Suc\ n)
-\rulename{add_2_eq_Suc'}
-\end{isabelle}
-It is less easy to transform \isa{100} into \isa{Suc\ 99} (for example), and
-the simplifier will normally reverse this transformation. Novices should
-express natural numbers using \isa{0} and \isa{Suc} only.
-
-\subsubsection{Division}
-\index{division!for type \protect\isa{nat}}%
-The infix operators \isa{div} and \isa{mod} are overloaded.
-Isabelle/HOL provides the basic facts about quotient and remainder
-on the natural numbers:
-\begin{isabelle}
-m\ mod\ n\ =\ (if\ m\ <\ n\ then\ m\ else\ (m\ -\ n)\ mod\ n)
-\rulename{mod_if}\isanewline
-m\ div\ n\ *\ n\ +\ m\ mod\ n\ =\ m%
-\rulenamedx{mod_div_equality}
-\end{isabelle}
-
-Many less obvious facts about quotient and remainder are also provided.
-Here is a selection:
-\begin{isabelle}
-a\ *\ b\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
-\rulename{div_mult1_eq}\isanewline
-a\ *\ b\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
-\rulename{mod_mult_right_eq}\isanewline
-a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
-\rulename{div_mult2_eq}\isanewline
-a\ mod\ (b*c)\ =\ b * (a\ div\ b\ mod\ c)\ +\ a\ mod\ b%
-\rulename{mod_mult2_eq}\isanewline
-0\ <\ c\ \isasymLongrightarrow \ (c\ *\ a)\ div\ (c\ *\ b)\ =\ a\ div\ b%
-\rulename{div_mult_mult1}\isanewline
-(m\ mod\ n)\ *\ k\ =\ (m\ *\ k)\ mod\ (n\ *\ k)
-\rulenamedx{mod_mult_distrib}\isanewline
-m\ \isasymle \ n\ \isasymLongrightarrow \ m\ div\ k\ \isasymle \ n\ div\ k%
-\rulename{div_le_mono}
-\end{isabelle}
-
-Surprisingly few of these results depend upon the
-divisors' being nonzero.
-\index{division!by zero}%
-That is because division by
-zero yields zero:
-\begin{isabelle}
-a\ div\ 0\ =\ 0
-\rulename{DIVISION_BY_ZERO_DIV}\isanewline
-a\ mod\ 0\ =\ a%
-\rulename{DIVISION_BY_ZERO_MOD}
-\end{isabelle}
-In \isa{div_mult_mult1} above, one of
-the two divisors (namely~\isa{c}) must still be nonzero.
-
-The \textbf{divides} relation\index{divides relation}
-has the standard definition, which
-is overloaded over all numeric types:
-\begin{isabelle}
-m\ dvd\ n\ \isasymequiv\ {\isasymexists}k.\ n\ =\ m\ *\ k
-\rulenamedx{dvd_def}
-\end{isabelle}
-%
-Section~\ref{sec:proving-euclid} discusses proofs involving this
-relation. Here are some of the facts proved about it:
-\begin{isabelle}
-\isasymlbrakk m\ dvd\ n;\ n\ dvd\ m\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n%
-\rulenamedx{dvd_antisym}\isanewline
-\isasymlbrakk k\ dvd\ m;\ k\ dvd\ n\isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ (m\ +\ n)
-\rulenamedx{dvd_add}
-\end{isabelle}
-
-\subsubsection{Subtraction}
-
-There are no negative natural numbers, so \isa{m\ -\ n} equals zero unless
-\isa{m} exceeds~\isa{n}. The following is one of the few facts
-about \isa{m\ -\ n} that is not subject to
-the condition \isa{n\ \isasymle \ m}.
-\begin{isabelle}
-(m\ -\ n)\ *\ k\ =\ m\ *\ k\ -\ n\ *\ k%
-\rulenamedx{diff_mult_distrib}
-\end{isabelle}
-Natural number subtraction has few
-nice properties; often you should remove it by simplifying with this split
-rule.
-\begin{isabelle}
-P(a-b)\ =\ ((a<b\ \isasymlongrightarrow \ P\
-0)\ \isasymand \ (\isasymforall d.\ a\ =\ b+d\ \isasymlongrightarrow \ P\
-d))
-\rulename{nat_diff_split}
-\end{isabelle}
-For example, splitting helps to prove the following fact.
-\begin{isabelle}
-\isacommand{lemma}\ "(n\ -\ 2)\ *\ (n\ +\ 2)\ =\ n\ *\ n\ -\ (4::nat)"\isanewline
-\isacommand{apply}\ (simp\ split:\ nat_diff_split,\ clarify)\isanewline
-\ 1.\ \isasymAnd d.\ \isasymlbrakk n\ <\ 2;\ n\ *\ n\ =\ 4\ +\ d\isasymrbrakk \ \isasymLongrightarrow \ d\ =\ 0
-\end{isabelle}
-The result lies outside the scope of linear arithmetic, but
- it is easily found
-if we explicitly split \isa{n<2} as \isa{n=0} or \isa{n=1}:
-\begin{isabelle}
-\isacommand{apply}\ (subgoal_tac\ "n=0\ |\ n=1",\ force,\ arith)\isanewline
-\isacommand{done}
-\end{isabelle}%%%%%%
-\index{natural numbers|)}\index{*nat (type)|)}
-
-
-\subsection{The Type of Integers, {\tt\slshape int}}
-
-\index{integers|(}\index{*int (type)|(}%
-Reasoning methods for the integers resemble those for the natural numbers,
-but induction and
-the constant \isa{Suc} are not available. HOL provides many lemmas for
-proving inequalities involving integer multiplication and division, similar
-to those shown above for type~\isa{nat}. The laws of addition, subtraction
-and multiplication are available through the axiomatic type class for rings
-(\S\ref{sec:numeric-classes}).
-
-The \rmindex{absolute value} function \cdx{abs} is overloaded, and is
-defined for all types that involve negative numbers, including the integers.
-The \isa{arith} method can prove facts about \isa{abs} automatically,
-though as it does so by case analysis, the cost can be exponential.
-\begin{isabelle}
-\isacommand{lemma}\ "abs\ (x+y)\ \isasymle \ abs\ x\ +\ abs\ (y\ ::\ int)"\isanewline
-\isacommand{by}\ arith
-\end{isabelle}
-
-For division and remainder,\index{division!by negative numbers}
-the treatment of negative divisors follows
-mathematical practice: the sign of the remainder follows that
-of the divisor:
-\begin{isabelle}
-0\ <\ b\ \isasymLongrightarrow \ 0\ \isasymle \ a\ mod\ b%
-\rulename{pos_mod_sign}\isanewline
-0\ <\ b\ \isasymLongrightarrow \ a\ mod\ b\ <\ b%
-\rulename{pos_mod_bound}\isanewline
-b\ <\ 0\ \isasymLongrightarrow \ a\ mod\ b\ \isasymle \ 0
-\rulename{neg_mod_sign}\isanewline
-b\ <\ 0\ \isasymLongrightarrow \ b\ <\ a\ mod\ b%
-\rulename{neg_mod_bound}
-\end{isabelle}
-ML treats negative divisors in the same way, but most computer hardware
-treats signed operands using the same rules as for multiplication.
-Many facts about quotients and remainders are provided:
-\begin{isabelle}
-(a\ +\ b)\ div\ c\ =\isanewline
-a\ div\ c\ +\ b\ div\ c\ +\ (a\ mod\ c\ +\ b\ mod\ c)\ div\ c%
-\rulename{zdiv_zadd1_eq}
-\par\smallskip
-(a\ +\ b)\ mod\ c\ =\ (a\ mod\ c\ +\ b\ mod\ c)\ mod\ c%
-\rulename{mod_add_eq}
-\end{isabelle}
-
-\begin{isabelle}
-(a\ *\ b)\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
-\rulename{zdiv_zmult1_eq}\isanewline
-(a\ *\ b)\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
-\rulename{zmod_zmult1_eq}
-\end{isabelle}
-
-\begin{isabelle}
-0\ <\ c\ \isasymLongrightarrow \ a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
-\rulename{zdiv_zmult2_eq}\isanewline
-0\ <\ c\ \isasymLongrightarrow \ a\ mod\ (b*c)\ =\ b*(a\ div\ b\ mod\
-c)\ +\ a\ mod\ b%
-\rulename{zmod_zmult2_eq}
-\end{isabelle}
-The last two differ from their natural number analogues by requiring
-\isa{c} to be positive. Since division by zero yields zero, we could allow
-\isa{c} to be zero. However, \isa{c} cannot be negative: a counterexample
-is
-$\isa{a} = 7$, $\isa{b} = 2$ and $\isa{c} = -3$, when the left-hand side of
-\isa{zdiv_zmult2_eq} is $-2$ while the right-hand side is~$-1$.
-The prefix~\isa{z} in many theorem names recalls the use of $\mathbb{Z}$ to
-denote the set of integers.%
-\index{integers|)}\index{*int (type)|)}
-
-Induction is less important for integers than it is for the natural numbers, but it can be valuable if the range of integers has a lower or upper bound. There are four rules for integer induction, corresponding to the possible relations of the bound ($\geq$, $>$, $\leq$ and $<$):
-\begin{isabelle}
-\isasymlbrakk k\ \isasymle \ i;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk k\ \isasymle \ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_ge_induct}\isanewline
-\isasymlbrakk k\ <\ i;\ P(k+1);\ \isasymAnd i.\ \isasymlbrakk k\ <\ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_gr_induct}\isanewline
-\isasymlbrakk i\ \isasymle \ k;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk i\ \isasymle \ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_le_induct}\isanewline
-\isasymlbrakk i\ <\ k;\ P(k-1);\ \isasymAnd i.\ \isasymlbrakk i\ <\ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
-\rulename{int_less_induct}
-\end{isabelle}
-
-
-\subsection{The Types of Rational, Real and Complex Numbers}
-\label{sec:real}
-
-\index{rational numbers|(}\index{*rat (type)|(}%
-\index{real numbers|(}\index{*real (type)|(}%
-\index{complex numbers|(}\index{*complex (type)|(}%
-These types provide true division, the overloaded operator \isa{/},
-which differs from the operator \isa{div} of the
-natural numbers and integers. The rationals and reals are
-\textbf{dense}: between every two distinct numbers lies another.
-This property follows from the division laws, since if $x\not=y$ then $(x+y)/2$ lies between them:
-\begin{isabelle}
-a\ <\ b\ \isasymLongrightarrow \ \isasymexists r.\ a\ <\ r\ \isasymand \ r\ <\ b%
-\rulename{dense}
-\end{isabelle}
-
-The real numbers are, moreover, \textbf{complete}: every set of reals that
-is bounded above has a least upper bound. Completeness distinguishes the
-reals from the rationals, for which the set $\{x\mid x^2<2\}$ has no least
-upper bound. (It could only be $\surd2$, which is irrational.) The
-formalization of completeness, which is complicated,
-can be found in theory \texttt{RComplete}.
-
-Numeric literals\index{numeric literals!for type \protect\isa{real}}
-for type \isa{real} have the same syntax as those for type
-\isa{int} and only express integral values. Fractions expressed
-using the division operator are automatically simplified to lowest terms:
-\begin{isabelle}
-\ 1.\ P\ ((3\ /\ 4)\ *\ (8\ /\ 15))\isanewline
-\isacommand{apply} simp\isanewline
-\ 1.\ P\ (2\ /\ 5)
-\end{isabelle}
-Exponentiation can express floating-point values such as
-\isa{2 * 10\isacharcircum6}, which will be simplified to integers.
-
-\begin{warn}
-Types \isa{rat}, \isa{real} and \isa{complex} are provided by theory HOL-Complex, which is
-Main extended with a definitional development of the rational, real and complex
-numbers. Base your theory upon theory \thydx{Complex_Main}, not the
-usual \isa{Main}.%
-\end{warn}
-
-Available in the logic HOL-NSA is the
-theory \isa{Hyperreal}, which define the type \tydx{hypreal} of
-\rmindex{non-standard reals}. These
-\textbf{hyperreals} include infinitesimals, which represent infinitely
-small and infinitely large quantities; they facilitate proofs
-about limits, differentiation and integration~\cite{fleuriot-jcm}. The
-development defines an infinitely large number, \isa{omega} and an
-infinitely small positive number, \isa{epsilon}. The
-relation $x\approx y$ means ``$x$ is infinitely close to~$y$.''
-Theory \isa{Hyperreal} also defines transcendental functions such as sine,
-cosine, exponential and logarithm --- even the versions for type
-\isa{real}, because they are defined using nonstandard limits.%
-\index{rational numbers|)}\index{*rat (type)|)}%
-\index{real numbers|)}\index{*real (type)|)}%
-\index{complex numbers|)}\index{*complex (type)|)}
-
-
-\subsection{The Numeric Type Classes}\label{sec:numeric-classes}
-
-Isabelle/HOL organises its numeric theories using axiomatic type classes.
-Hundreds of basic properties are proved in the theory \isa{Ring_and_Field}.
-These lemmas are available (as simprules if they were declared as such)
-for all numeric types satisfying the necessary axioms. The theory defines
-dozens of type classes, such as the following:
-\begin{itemize}
-\item
-\tcdx{semiring} and \tcdx{ordered_semiring}: a \emph{semiring}
-provides the associative operators \isa{+} and~\isa{*}, with \isa{0} and~\isa{1}
-as their respective identities. The operators enjoy the usual distributive law,
-and addition (\isa{+}) is also commutative.
-An \emph{ordered semiring} is also linearly
-ordered, with addition and multiplication respecting the ordering. Type \isa{nat} is an ordered semiring.
-\item
-\tcdx{ring} and \tcdx{ordered_ring}: a \emph{ring} extends a semiring
-with unary minus (the additive inverse) and subtraction (both
-denoted~\isa{-}). An \emph{ordered ring} includes the absolute value
-function, \cdx{abs}. Type \isa{int} is an ordered ring.
-\item
-\tcdx{field} and \tcdx{ordered_field}: a field extends a ring with the
-multiplicative inverse (called simply \cdx{inverse} and division~(\isa{/})).
-An ordered field is based on an ordered ring. Type \isa{complex} is a field, while type \isa{real} is an ordered field.
-\item
-\tcdx{division_by_zero} includes all types where \isa{inverse 0 = 0}
-and \isa{a / 0 = 0}. These include all of Isabelle's standard numeric types.
-However, the basic properties of fields are derived without assuming
-division by zero.
-\end{itemize}
-
-Hundreds of basic lemmas are proved, each of which
-holds for all types in the corresponding type class. In most
-cases, it is obvious whether a property is valid for a particular type. No
-abstract properties involving subtraction hold for type \isa{nat};
-instead, theorems such as
-\isa{diff_mult_distrib} are proved specifically about subtraction on
-type~\isa{nat}. All abstract properties involving division require a field.
-Obviously, all properties involving orderings required an ordered
-structure.
-
-The class \tcdx{ring_no_zero_divisors} of rings without zero divisors satisfies a number of natural cancellation laws, the first of which characterizes this class:
-\begin{isabelle}
-(a\ *\ b\ =\ (0::'a))\ =\ (a\ =\ (0::'a)\ \isasymor \ b\ =\ (0::'a))
-\rulename{mult_eq_0_iff}\isanewline
-(a\ *\ c\ =\ b\ *\ c)\ =\ (c\ =\ (0::'a)\ \isasymor \ a\ =\ b)
-\rulename{mult_cancel_right}
-\end{isabelle}
-\begin{pgnote}
-Setting the flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
-\pgmenu{Show Sorts} will display the type classes of all type variables.
-\end{pgnote}
-\noindent
-Here is how the theorem \isa{mult_cancel_left} appears with the flag set.
-\begin{isabelle}
-((c::'a::ring_no_zero_divisors)\ *\ (a::'a::ring_no_zero_divisors) =\isanewline
-\ c\ *\ (b::'a::ring_no_zero_divisors))\ =\isanewline
-(c\ =\ (0::'a::ring_no_zero_divisors)\ \isasymor\ a\ =\ b)
-\end{isabelle}
-
-
-\subsubsection{Simplifying with the AC-Laws}
-Suppose that two expressions are equal, differing only in
-associativity and commutativity of addition. Simplifying with the
-following equations sorts the terms and groups them to the right, making
-the two expressions identical.
-\begin{isabelle}
-a\ +\ b\ +\ c\ =\ a\ +\ (b\ +\ c)
-\rulenamedx{add_assoc}\isanewline
-a\ +\ b\ =\ b\ +\ a%
-\rulenamedx{add_commute}\isanewline
-a\ +\ (b\ +\ c)\ =\ b\ +\ (a\ +\ c)
-\rulename{add_left_commute}
-\end{isabelle}
-The name \isa{add_ac}\index{*add_ac (theorems)}
-refers to the list of all three theorems; similarly
-there is \isa{mult_ac}.\index{*mult_ac (theorems)}
-They are all proved for semirings and therefore hold for all numeric types.
-
-Here is an example of the sorting effect. Start
-with this goal, which involves type \isa{nat}.
-\begin{isabelle}
-\ 1.\ Suc\ (i\ +\ j\ *\ l\ *\ k\ +\ m\ *\ n)\ =\
-f\ (n\ *\ m\ +\ i\ +\ k\ *\ j\ *\ l)
-\end{isabelle}
-%
-Simplify using \isa{add_ac} and \isa{mult_ac}.
-\begin{isabelle}
-\isacommand{apply}\ (simp\ add:\ add_ac\ mult_ac)
-\end{isabelle}
-%
-Here is the resulting subgoal.
-\begin{isabelle}
-\ 1.\ Suc\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))\
-=\ f\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))%
-\end{isabelle}
-
-
-\subsubsection{Division Laws for Fields}
-
-Here is a selection of rules about the division operator. The following
-are installed as default simplification rules in order to express
-combinations of products and quotients as rational expressions:
-\begin{isabelle}
-a\ *\ (b\ /\ c)\ =\ a\ *\ b\ /\ c
-\rulename{times_divide_eq_right}\isanewline
-b\ /\ c\ *\ a\ =\ b\ *\ a\ /\ c
-\rulename{times_divide_eq_left}\isanewline
-a\ /\ (b\ /\ c)\ =\ a\ *\ c\ /\ b
-\rulename{divide_divide_eq_right}\isanewline
-a\ /\ b\ /\ c\ =\ a\ /\ (b\ *\ c)
-\rulename{divide_divide_eq_left}
-\end{isabelle}
-
-Signs are extracted from quotients in the hope that complementary terms can
-then be cancelled:
-\begin{isabelle}
--\ (a\ /\ b)\ =\ -\ a\ /\ b
-\rulename{minus_divide_left}\isanewline
--\ (a\ /\ b)\ =\ a\ /\ -\ b
-\rulename{minus_divide_right}
-\end{isabelle}
-
-The following distributive law is available, but it is not installed as a
-simplification rule.
-\begin{isabelle}
-(a\ +\ b)\ /\ c\ =\ a\ /\ c\ +\ b\ /\ c%
-\rulename{add_divide_distrib}
-\end{isabelle}
-
-
-\subsubsection{Absolute Value}
-
-The \rmindex{absolute value} function \cdx{abs} is available for all
-ordered rings, including types \isa{int}, \isa{rat} and \isa{real}.
-It satisfies many properties,
-such as the following:
-\begin{isabelle}
-\isasymbar x\ *\ y\isasymbar \ =\ \isasymbar x\isasymbar \ *\ \isasymbar y\isasymbar
-\rulename{abs_mult}\isanewline
-(\isasymbar a\isasymbar \ \isasymle \ b)\ =\ (a\ \isasymle \ b\ \isasymand \ -\ a\ \isasymle \ b)
-\rulename{abs_le_iff}\isanewline
-\isasymbar a\ +\ b\isasymbar \ \isasymle \ \isasymbar a\isasymbar \ +\ \isasymbar b\isasymbar
-\rulename{abs_triangle_ineq}
-\end{isabelle}
-
-\begin{warn}
-The absolute value bars shown above cannot be typed on a keyboard. They
-can be entered using the X-symbol package. In \textsc{ascii}, type \isa{abs x} to
-get \isa{\isasymbar x\isasymbar}.
-\end{warn}
-
-
-\subsubsection{Raising to a Power}
-
-Another type class, \tcdx{ordered\_idom}, specifies rings that also have
-exponentation to a natural number power, defined using the obvious primitive
-recursion. Theory \thydx{Power} proves various theorems, such as the
-following.
-\begin{isabelle}
-a\ \isacharcircum \ (m\ +\ n)\ =\ a\ \isacharcircum \ m\ *\ a\ \isacharcircum \ n%
-\rulename{power_add}\isanewline
-a\ \isacharcircum \ (m\ *\ n)\ =\ (a\ \isacharcircum \ m)\ \isacharcircum \ n%
-\rulename{power_mult}\isanewline
-\isasymbar a\ \isacharcircum \ n\isasymbar \ =\ \isasymbar a\isasymbar \ \isacharcircum \ n%
-\rulename{power_abs}
-\end{isabelle}%%%%%%%%%%%%%%%%%%%%%%%%%
-\index{numbers|)}
--- a/doc-src/TutorialI/document/pghead.eps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,73 +0,0 @@
-%!PS-Adobe-3.0 EPSF-3.0
%%Title: (portrait-head copy)
%%Version: 1 6
%%Creator: Adobe Acrobat 7.0
%%CreationDate: 26/05/2005 09:00
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%ADO_ContainsXMP: MainFirst
%%BoundingBox: 172 54 468 463
%%HiResBoundingBox: 172.0 54.0 468.0 463.0
%%Pages: 0
%%DocumentProcessColors: Black
%%DocumentSuppliedResources:
%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
%%EndComments
%%BeginProlog
%%EndProlog
%%BeginSetup
%ADOPrintSettings: L2 W0 VM op crd os scsa T h ef bg ucr sf ef r b fa pr seps ttf hb EF t2 irt Printer/PostScript Color Management 0
-
%%BeginResource: procset l2check 6.0 1
%%Copyright: Copyright 1993,2001 Adobe Systems Incorporated. All Rights Reserved.
systemdict /languagelevel known
{ systemdict /languagelevel get 1 eq }
{ true }
ifelse
{
initgraphics /Helvetica findfont 18 scalefont setfont
72 600 moveto (Error: This application does not support) dup show
72 580 moveto (printing to a PostScript Language Level 1 printer.) dup show
exch = =
/Times-Roman findfont 16 scalefont setfont
72 500 moveto (As a workaround, try selecting Print As Image from) show
72 480 moveto (the Advanced Print dialog.) show
showpage
quit
}
if
%%EndResource
/currentpacking where{pop currentpacking true setpacking}if
%%BeginResource: procset pdfvars 6.0 1
%%Copyright: Copyright 1987-2002 Adobe Systems Incorporated. All Rights Reserved.
%%Title: definition of dictionary of variables used by PDF & PDFText procsets
userdict /PDF 162 dict put
userdict /PDFVars 89 dict dup begin put
/docSetupDone false def
/InitAll 0 def
/TermAll 0 def
/DocInitAll 0 def
/DocTermAll 0 def
/_pdfEncodings 2 array def
/_pdf_str1 1 string def
/_pdf_i 0 def
/_pdf_na 0 def
/_pdf_showproc 0 def
/_italMtx [1 0 .212557 1 0 0] def
/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
/_italMtxType0 [1 0 .1062785 1 0 0] def
/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
/_basefont 0 def
/_basefonto 0 def
/_pdf_oldCIDInit null def
/_pdf_FontDirectory 30 dict def
/_categories 10 dict def
/_sa? true def
/_ColorSep5044? false def
/nulldict 0 dict def
/_processColors 0 def
/overprintstack null def
/_defaulttransfer currenttransfer def
/_defaultflatness currentflat def
/_defaulthalftone null def
/_defaultcolortransfer null def
/_defaultblackgeneration null def
/_defaultundercolorremoval null def
/_defaultcolortransfer null def
PDF begin
[/c/cs/cm/d/d0/f/h/i/j/J/l/m/M/n/q/Q/re/ri/S/sc/sh/Tf/w/W
/applyInterpFunc/applystitchFunc/domainClip/encodeInput
/initgs/int/limit/rangeClip
/defineRes/undefineRes/findRes/setSA/pl
/? /! /| /: /+ /GetGlyphDirectory
/pdf_flushFilters /pdf_readstring /pdf_dictOp /pdf_image /pdf_maskedImage
/pdf_shfill /pdf_sethalftone
] {null def} bind forall
end
end
%%EndResource
PDFVars begin PDF begin
%%BeginResource: procset pdfutil 6.0 1
%%Copyright: Copyright 1993-2001 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Basic utilities used by other PDF procsets
/bd {bind def} bind def
/ld {load def} bd
/bld {
dup length dict begin
{ null def } forall
bind
end
def
} bd
/dd { PDFVars 3 1 roll put } bd
/xdd { exch dd } bd
/Level2?
systemdict /languagelevel known
{ systemdict /languagelevel get 2 ge } { false } ifelse
def
/Level1? Level2? not def
/Level3?
systemdict /languagelevel known
{systemdict /languagelevel get 3 eq } { false } ifelse
def
/getifknown {
2 copy known { get true } { pop pop false } ifelse
} bd
/here {
currentdict exch getifknown
} bd
/isdefined? { where { pop true } { false } ifelse } bd
%%EndResource
%%BeginResource: procset pdf 6.0 1
%%Copyright: Copyright 1998-2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: General operators for PDF, common to all Language Levels.
/cm { matrix astore concat } bd
/d /setdash ld
/f /fill ld
/h /closepath ld
/i {dup 0 eq {pop _defaultflatness} if setflat} bd
/j /setlinejoin ld
/J /setlinecap ld
/M /setmiterlimit ld
/n /newpath ld
/S /stroke ld
/w /setlinewidth ld
/W /clip ld
/sg /setgray ld
/initgs {
0 setgray
[] 0 d
0 j
0 J
10 M
1 w
false setSA
/_defaulttransfer load settransfer
0 i
/RelativeColorimetric ri
newpath
} bd
/int {
dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
exch pop add exch pop
} bd
/limit {
dup 2 index le { exch } if pop
dup 2 index ge { exch } if pop
} bd
/domainClip {
Domain aload pop 3 2 roll
limit
} [/Domain] bld
/applyInterpFunc {
0 1 DimOut 1 sub
{
dup C0 exch get exch
dup C1 exch get exch
3 1 roll
1 index sub
3 index
N exp mul add
exch
currentdict /Range_lo known
{
dup Range_lo exch get exch
Range_hi exch get
3 2 roll limit
}
{
pop
}
ifelse
exch
} for
pop
} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
/encodeInput {
NumParts 1 sub
0 1 2 index
{
dup Bounds exch get
2 index gt
{ exit }
{ dup
3 index eq
{ exit }
{ pop } ifelse
} ifelse
} for
3 2 roll pop
dup Bounds exch get exch
dup 1 add Bounds exch get exch
2 mul
dup Encode exch get exch
1 add Encode exch get
int
} [/NumParts /Bounds /Encode] bld
/rangeClip {
exch dup Range_lo exch get
exch Range_hi exch get
3 2 roll
limit
} [/Range_lo /Range_hi] bld
/applyStitchFunc {
Functions exch get exec
currentdict /Range_lo known {
0 1 DimOut 1 sub {
DimOut 1 add -1 roll
rangeClip
} for
} if
} [/Functions /Range_lo /DimOut] bld
/pdf_flushfilters
{
aload length
{ dup status
1 index currentfile ne and
{ dup flushfile closefile }
{ pop }
ifelse
} repeat
} bd
/pdf_readstring
{
1 index dup length 1 sub get
exch readstring pop
exch pdf_flushfilters
} bind def
/pdf_dictOp
{
3 2 roll
10 dict copy
begin
_Filters dup length 1 sub get def
currentdict exch exec
_Filters pdf_flushfilters
end
} [/_Filters] bld
/pdf_imagemask {{imagemask} /DataSource pdf_dictOp} bd
/pdf_shfill {{sh} /DataSource pdf_dictOp} bd
/pdf_sethalftone {{sethalftone} /Thresholds pdf_dictOp} bd
/masks [ 2#10000000
2#11000000
2#11100000
2#11110000
2#11111000
2#11111100
2#11111110
2#11111111 ] def
/addNBits
{
/numBits exch def
/byte exch def
OutBitOffset numBits add 8 gt
{
byte OutBitOffset 8 sub bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutByteIndex OutByteIndex 1 add def
/bitsDoneSoFar OutBitOffset def
/OutBitOffset numBits 8 OutBitOffset sub sub def
OutBitOffset 0 gt
{
byte bitsDoneSoFar bitshift
masks numBits bitsDoneSoFar sub get and
OutBuffer OutByteIndex 3 -1 roll put
} if
}
{
byte masks numBits 1 sub get and
OutBitOffset neg bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutBitOffset OutBitOffset numBits add def
OutBitOffset 8 eq
{
/OutBitOffset 0 def
/OutByteIndex OutByteIndex 1 add def
} if
} ifelse
} bind def
/DevNNFilter
{
/InBuffer Width NumComps mul BitsPerComponent mul 7 add 8 idiv string def
AllSource InBuffer readstring pop pop
/outlen Width NewNumComps mul BitsPerComponent mul 7 add 8 idiv def
/OutBuffer outlen string def
0 1 outlen 1 sub { OutBuffer exch 0 put } for
/InByteIndex 0 def
/InBitOffset 0 def
/OutByteIndex 0 def
/OutBitOffset 0 def
/KeepArray NumComps array def
0 1 NumComps 1 sub { KeepArray exch true put } for
DevNNones { KeepArray exch false put } forall
Width {
KeepArray
{
{
/bitsLeft BitsPerComponent def
{
bitsLeft 0 le { exit } if
/bitsToDo 8 InBitOffset sub dup bitsLeft gt { pop bitsLeft } if def
InBuffer InByteIndex get
InBitOffset bitshift
bitsToDo addNBits
/bitsLeft bitsLeft bitsToDo sub def
InBitOffset bitsToDo add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
} loop
}
{
InBitOffset BitsPerComponent add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
}
ifelse
}
forall
} repeat
OutBuffer
} bd
/pdf_image
{
20 dict copy
begin
/UnusedNones where { /UnusedNones get}{false} ifelse
{
/NumComps Decode length 2 div cvi def
/OrigDecode Decode def
/NumNones DevNNones length def
/NewNumComps NumComps NumNones sub def
/Decode NewNumComps 2 mul cvi array def
/devNNindx 0 def
/decIndx 0 def
/cmpIndx 0 def
NumComps {
cmpIndx DevNNones devNNindx get eq
{
/devNNindx devNNindx 1 add dup NumNones eq {pop 0} if def
}
{
Decode decIndx OrigDecode cmpIndx 2 mul get put
Decode decIndx 1 add OrigDecode cmpIndx 2 mul 1 add get put
/decIndx decIndx 2 add def
} ifelse
/cmpIndx cmpIndx 1 add def
} repeat
_Filters dup length 1 sub get /AllSource exch def
/DataSource { DevNNFilter } def
}
{ _Filters dup length 1 sub get /DataSource exch def }
ifelse
currentdict image
_Filters pdf_flushfilters
end
} bd
/pdf_maskedImage
{
10 dict copy begin
/miDict currentdict def
/DataDict DataDict 10 dict copy def
DataDict begin
/DataSource
_Filters dup length 1 sub get
def
miDict image
_Filters pdf_flushfilters
end
miDict /InterleaveType get 3 eq
{ MaskDict /DataSource get dup type /filetype eq { closefile } { pop } ifelse }
if
end
} [/miDict /DataDict /_Filters] bld
/RadialShade {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/r2 exch def
/c2y exch def
/c2x exch def
/r1 exch def
/c1y exch def
/c1x exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
c1x c2x eq
{
c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope c2y c1y sub c2x c1x sub div def
/theta slope 1 atan def
c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
c1x c1y translate
theta rotate
-90 rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
/max { 2 copy gt { pop } {exch pop} ifelse } bind def
/min { 2 copy lt { pop } {exch pop} ifelse } bind def
rampdict begin
40 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
c1x c1y translate
theta rotate
-90 rotate
/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
/c1y 0 def
/c1x 0 def
/c2x 0 def
ext0 {
0 getrampcolor
c2y r2 add r1 sub 0.0001 lt
{
c1x c1y r1 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2y r1 add r2 le
{
c1x c1y r1 0 360 arc
fill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r1 neg def
/p1y c1y def
/p2x r1 def
/p2y c1y def
p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y p1x SS1 div neg def
/SS2 90 theta sub dup sin exch cos div def
/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y p2x SS2 div neg def
r1 r2 gt
{
/L1maxX p1x yMin p1y sub SS1 div add def
/L2maxX p2x yMin p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
c1x c2x sub dup mul
c1y c2y sub dup mul
add 0.5 exp
0 dtransform
dup mul exch dup mul add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
/hires exch def
hires mul
/numpix exch def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
/xInc c2x c1x sub numsteps div def
/yInc c2y c1y sub numsteps div def
/rInc r2 r1 sub numsteps div def
/cx c1x def
/cy c1y def
/radius r1 def
newpath
xInc 0 eq yInc 0 eq rInc 0 eq and and
{
0 getrampcolor
cx cy radius 0 360 arc
stroke
NumSamples 1 sub getrampcolor
cx cy radius 72 hires div add 0 360 arc
0 setlinewidth
stroke
}
{
0
numsteps
{
dup
subsampling { round } if
getrampcolor
cx cy radius 0 360 arc
/cx cx xInc add def
/cy cy yInc add def
/radius radius rInc add def
cx cy radius 360 0 arcn
eofill
rampIndxInc add
}
repeat
pop
} ifelse
ext1 {
c2y r2 add r1 lt
{
c2x c2y r2 0 360 arc
fill
}
{
c2y r1 add r2 sub 0.0001 le
{
c2x c2y r2 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r2 neg def
/p1y c2y def
/p2x r2 def
/p2y c2y def
p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y c2y p1x SS1 div sub def
/SS2 90 theta sub dup sin exch cos div def
/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y c2y p2x SS2 div sub def
r1 r2 lt
{
/L1maxX p1x yMax p1y sub SS1 div add def
/L2maxX p2x yMax p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
grestore
grestore
end
end
end
} ifelse
} bd
/GenStrips {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
x1 x2 eq
{
y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope y2 y1 sub x2 x1 sub div def
/theta slope 1 atan def
x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
x1 y1 translate
theta rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
rampdict begin
20 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
x1 y1 translate
theta rotate
/xStart 0 def
/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
/ySpan yMax yMin sub def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
xStart 0 transform
xEnd 0 transform
3 -1 roll
sub dup mul
3 1 roll
sub dup mul
add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
mul
/numpix exch def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
ext0 {
0 getrampcolor
xMin xStart lt
{ xMin yMin xMin neg ySpan rectfill } if
} if
/xInc xEnd xStart sub numsteps div def
/x xStart def
0
numsteps
{
dup
subsampling { round } if
getrampcolor
x yMin xInc ySpan rectfill
/x x xInc add def
rampIndxInc add
}
repeat
pop
ext1 {
xMax xEnd gt
{ xEnd yMin xMax xEnd sub ySpan rectfill } if
} if
grestore
grestore
end
end
end
} ifelse
} bd
/currentdistillerparams where { pop currentdistillerparams /CoreDistVersion get 5000 lt}{true}ifelse
{
/PDFMark5 {cleartomark} bd
}
{
/PDFMark5 {pdfmark} bd
}ifelse
/ReadByPDFMark5
{
2 dict begin
/makerString exch def string /tmpString exch def
{
currentfile tmpString readline pop
makerString anchorsearch
{
pop pop cleartomark exit
}
{
3 copy /PUT PDFMark5 pop 2 copy (\n) /PUT PDFMark5
} ifelse
}loop
end
}bd
%%EndResource
%%BeginResource: procset pdflev2 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: PDF operators, with code specific for Level 2
/docinitialize {
PDF begin
/_defaulthalftone currenthalftone dd
/_defaultblackgeneration currentblackgeneration dd
/_defaultundercolorremoval currentundercolorremoval dd
/_defaultcolortransfer [currentcolortransfer] dd
/_defaulttransfer currenttransfer dd
end
PDFVars /docSetupDone true put
} bd
/initialize {
PDFVars /docSetupDone get {
_defaulthalftone sethalftone
/_defaultblackgeneration load setblackgeneration
/_defaultundercolorremoval load setundercolorremoval
_defaultcolortransfer aload pop setcolortransfer
} if
false setoverprint
} bd
/terminate { } bd
/c /curveto ld
/cs /setcolorspace ld
/l /lineto ld
/m /moveto ld
/q /gsave ld
/Q /grestore ld
/sc /setcolor ld
/setSA/setstrokeadjust ld
/re {
4 2 roll m
1 index 0 rlineto
0 exch rlineto
neg 0 rlineto
h
} bd
/concattransferfuncs {
[ 3 1 roll /exec load exch /exec load ] cvx
} bd
/concatandsettransfer {
/_defaulttransfer load concattransferfuncs settransfer
} bd
/concatandsetcolortransfer {
_defaultcolortransfer aload pop
8 -1 roll 5 -1 roll concattransferfuncs 7 1 roll
6 -1 roll 4 -1 roll concattransferfuncs 5 1 roll
4 -1 roll 3 -1 roll concattransferfuncs 3 1 roll
concattransferfuncs
setcolortransfer
} bd
/defineRes/defineresource ld
/undefineRes/undefineresource ld
/findRes/findresource ld
currentglobal
true systemdict /setglobal get exec
[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource /Image]
{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
forall
systemdict /setglobal get exec
/ri
{
/findcolorrendering isdefined?
{
mark exch
findcolorrendering
counttomark 2 eq
{ type /booleantype eq
{ dup type /nametype eq
{ dup /ColorRendering resourcestatus
{ pop pop
dup /DefaultColorRendering ne
{
/ColorRendering findresource
setcolorrendering
} if
} if
} if
} if
} if
cleartomark
}
{ pop
} ifelse
} bd
/knownColorants? {
pop false
} bd
/getrampcolor {
cvi
/indx exch def
0 1 NumComp 1 sub {
dup
Samples exch get
dup type /stringtype eq { indx get } if
exch
Scaling exch get aload pop
3 1 roll
mul add
} for
setcolor
} bd
/sssetbackground { aload pop setcolor } bd
%%EndResource
%%BeginResource: procset pdftext 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Text operators for PDF
PDF /PDFText 78 dict dup begin put
/docinitialize
{
/resourcestatus where {
pop
/CIDParams /ProcSet resourcestatus {
pop pop
false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
} if
} if
PDF begin
PDFText /_pdfDefineIdentity-H known
{ PDFText /_pdfDefineIdentity-H get exec}
if
end
} bd
/initialize {
PDFText begin
} bd
/terminate { end } bd
Level2?
{
/_safeput
{
3 -1 roll load 3 1 roll put
}
bd
}
{
/_safeput
{
2 index load dup dup length exch maxlength ge
{ dup length 5 add dict copy
3 index xdd
}
{ pop }
ifelse
3 -1 roll load 3 1 roll put
}
bd
}
ifelse
/pdf_has_composefont? systemdict /composefont known def
/CopyFont {
{
1 index /FID ne 2 index /UniqueID ne and
{ def } { pop pop } ifelse
} forall
} bd
/Type0CopyFont
{
exch
dup length dict
begin
CopyFont
[
exch
FDepVector
{
dup /FontType get 0 eq
{
1 index Type0CopyFont
/_pdfType0 exch definefont
}
{
/_pdfBaseFont exch
2 index exec
}
ifelse
exch
}
forall
pop
]
/FDepVector exch def
currentdict
end
} bd
Level2? {currentglobal true setglobal} if
/cHexEncoding
[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
Level2? {setglobal} if
/modEnc {
/_enc xdd
/_icode 0 dd
counttomark 1 sub -1 0
{
index
dup type /nametype eq
{
_enc _icode 3 -1 roll put
_icode 1 add
}
if
/_icode xdd
} for
cleartomark
_enc
} bd
/trEnc {
/_enc xdd
255 -1 0 {
exch dup -1 eq
{ pop /.notdef }
{ Encoding exch get }
ifelse
_enc 3 1 roll put
} for
pop
_enc
} bd
/TE {
/_i xdd
StandardEncoding 256 array copy modEnc
_pdfEncodings exch _i exch put
} bd
Level2?
{
/pdfPatchCStrings
{
currentdict /CharStrings known currentdict /FontType known and
{
FontType 1 eq CharStrings type /dicttype eq and
{
CharStrings /mu known CharStrings /mu1 known not and CharStrings wcheck and
{
CharStrings /mu get
type /stringtype eq
{
currentglobal
CharStrings /mu1
CharStrings /mu get
dup gcheck setglobal
dup length string copy
put
setglobal
} if
} if
} if
} if
} bd
}
{ /pdfPatchCStrings {} bd }
ifelse
/TZ
{
/_usePDFEncoding xdd
findfont
dup length 6 add dict
begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
/pdf_origFontName FontName def
/FontName exch def
currentdict /PaintType known
{ PaintType 2 eq {/PaintType 0 def} if }
if
_usePDFEncoding 0 ge
{
/Encoding _pdfEncodings _usePDFEncoding get def
pop
}
{
_usePDFEncoding -1 eq
{
counttomark 0 eq
{ pop }
{
Encoding 256 array copy
modEnc /Encoding exch def
}
ifelse
}
{
256 array
trEnc /Encoding exch def
}
ifelse
}
ifelse
pdf_EuroProcSet pdf_origFontName known
{
pdf_origFontName pdf_AddEuroGlyphProc
} if
Level2?
{
currentdict /pdf_origFontName undef
} if
FontName currentdict
end
definefont pop
}
bd
Level2?
{
/TZG
{
currentglobal true setglobal
2 index _pdfFontStatus
{
2 index findfont
false setglobal
3 index findfont
true setglobal
ne
{
2 index findfont dup rcheck
{
dup length dict begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
currentdict end
}
if
3 index exch definefont pop
}
if
} if
setglobal
TZ
} bd
}
{
/TZG {TZ} bd
} ifelse
Level2?
{
currentglobal false setglobal
userdict /pdftext_data 5 dict put
pdftext_data
begin
/saveStacks
{
pdftext_data
begin
/vmmode currentglobal def
false setglobal
count array astore /os exch def
end
countdictstack array dictstack pdftext_data exch /ds exch put
cleardictstack pdftext_data /dscount countdictstack put
pdftext_data /vmmode get setglobal
} bind def
/restoreStacks
{
pdftext_data /vmmode currentglobal put false setglobal
clear cleardictstack
pdftext_data /ds get dup
pdftext_data /dscount get 1 2 index length 1 sub
{ get begin dup } for
pop pop
pdftext_data /os get aload pop
pdftext_data /vmmode get setglobal
} bind def
/testForClonePrinterBug
{
currentglobal true setglobal
/undefinedCategory /Generic /Category findresource
dup length dict copy /Category defineresource pop
setglobal
pdftext_data /saveStacks get exec
pdftext_data /vmmode currentglobal put false setglobal
/undefined /undefinedCategory { resourcestatus } stopped
pdftext_data exch /bugFound exch put
pdftext_data /vmmode get setglobal
pdftext_data /restoreStacks get exec
pdftext_data /bugFound get
} bind def
end
setglobal
/pdf_resourcestatus
pdftext_data /testForClonePrinterBug get exec
{
{
pdftext_data /saveStacks get exec
pdftext_data /os get dup dup length 1 sub
dup 1 sub dup 0 lt { pop 0 } if
exch 1 exch { get exch dup } for
pop pop
{ resourcestatus }
stopped
{
clear cleardictstack pdftext_data /restoreStacks get exec
{ pop pop } stopped pop false
}
{
count array astore pdftext_data exch /results exch put
pdftext_data /restoreStacks get exec pop pop
pdftext_data /results get aload pop
}
ifelse
}
}
{ { resourcestatus } }
ifelse
bd
}
if
Level2?
{
/_pdfUndefineResource
{
currentglobal 3 1 roll
_pdf_FontDirectory 2 index 2 copy known
{undef}
{pop pop}
ifelse
1 index (pdf) exch _pdfConcatNames 1 index
1 index 1 _pdfConcatNames 1 index
5 index 1 _pdfConcatNames 1 index
4
{
2 copy pdf_resourcestatus
{
pop 2 lt
{2 copy findresource gcheck setglobal undefineresource}
{pop pop}
ifelse
}
{ pop pop}
ifelse
} repeat
setglobal
} bd
}
{
/_pdfUndefineResource { pop pop} bd
}
ifelse
Level2?
{
/_pdfFontStatus
{
currentglobal exch
/Font pdf_resourcestatus
{pop pop true}
{false}
ifelse
exch setglobal
} bd
}
{
/_pdfFontStatusString 50 string def
_pdfFontStatusString 0 (fonts/) putinterval
/_pdfFontStatus
{
FontDirectory 1 index known
{ pop true }
{
_pdfFontStatusString 6 42 getinterval
cvs length 6 add
_pdfFontStatusString exch 0 exch getinterval
{ status } stopped
{pop false}
{
{ pop pop pop pop true}
{ false }
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
Level2?
{
/_pdfCIDFontStatus
{
/CIDFont /Category pdf_resourcestatus
{
pop pop
/CIDFont pdf_resourcestatus
{pop pop true}
{false}
ifelse
}
{ pop false }
ifelse
} bd
}
if
/_pdfString100 100 string def
/_pdfComposeFontName
{
dup length 1 eq
{
0 get
1 index
type /nametype eq
{
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
2 index exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
exch pop
true
}
{
pop pop
false
}
ifelse
}
{
false
}
ifelse
dup {exch cvn exch} if
} bd
/_pdfConcatNames
{
exch
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
3 -1 roll exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
cvn
} bind def
/_pdfTextTempString 50 string def
/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
/_pdf_CheckCIDSystemInfo
{
1 index _pdfTextTempString cvs
(Identity) anchorsearch
{
pop pop pop pop true
}
{
false
_pdfRegOrderingArray
{
2 index exch
anchorsearch
{ pop pop pop true exit}
{ pop }
ifelse
}
forall
exch pop
exch /CIDFont findresource
/CIDSystemInfo get
3 -1 roll /CMap findresource
/CIDSystemInfo get
exch
3 -1 roll
{
2 copy
/Supplement get
exch
dup type /dicttype eq
{/Supplement get}
{pop 0 }
ifelse
ge
}
{ true }
ifelse
{
dup /Registry get
2 index /Registry get eq
{
/Ordering get
exch /Ordering get
dup type /arraytype eq
{
1 index type /arraytype eq
{
true
1 index length 1 sub -1 0
{
dup 2 index exch get exch 3 index exch get ne
{ pop false exit}
if
} for
exch pop exch pop
}
{ pop pop false }
ifelse
}
{
eq
}
ifelse
}
{ pop pop false }
ifelse
}
{ pop pop false }
ifelse
}
ifelse
} bind def
pdf_has_composefont?
{
/_pdfComposeFont
{
2 copy _pdfComposeFontName not
{
2 index
}
if
(pdf) exch _pdfConcatNames
dup _pdfFontStatus
{ dup findfont 5 2 roll pop pop pop true}
{
4 1 roll
1 index /CMap pdf_resourcestatus
{
pop pop
true
}
{false}
ifelse
1 index true exch
{
_pdfCIDFontStatus not
{pop false exit}
if
}
forall
and
{
1 index 1 index 0 get _pdf_CheckCIDSystemInfo
{
3 -1 roll pop
2 index 3 1 roll
composefont true
}
{
pop pop exch pop false
}
ifelse
}
{
_pdfComposeFontName
{
dup _pdfFontStatus
{
exch pop
1 index exch
findfont definefont true
}
{
pop exch pop
false
}
ifelse
}
{
exch pop
false
}
ifelse
}
ifelse
{ true }
{
dup _pdfFontStatus
{ dup findfont true }
{ pop false }
ifelse
}
ifelse
}
ifelse
} bd
}
{
/_pdfComposeFont
{
_pdfComposeFontName not
{
dup
}
if
dup
_pdfFontStatus
{exch pop dup findfont true}
{
1 index
dup type /nametype eq
{pop}
{cvn}
ifelse
eq
{pop false}
{
dup _pdfFontStatus
{dup findfont true}
{pop false}
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
/_pdfStyleDicts 4 dict dup begin
/Adobe-Japan1 4 dict dup begin
Level2?
{
/Serif
/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMin-W3}
{
/HeiseiMin-W3 _pdfCIDFontStatus
{/HeiseiMin-W3}
{/Ryumin-Light}
ifelse
}
ifelse
def
/SansSerif
/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
{/HeiseiKakuGo-W5}
{
/HeiseiKakuGo-W5 _pdfCIDFontStatus
{/HeiseiKakuGo-W5}
{/GothicBBB-Medium}
ifelse
}
ifelse
def
/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMaruGo-W4}
{
/HeiseiMaruGo-W4 _pdfCIDFontStatus
{/HeiseiMaruGo-W4}
{
/Jun101-Light-RKSJ-H _pdfFontStatus
{ /Jun101-Light }
{ SansSerif }
ifelse
}
ifelse
}
ifelse
/RoundSansSerif exch def
/Default Serif def
}
{
/Serif /Ryumin-Light def
/SansSerif /GothicBBB-Medium def
{
(fonts/Jun101-Light-83pv-RKSJ-H) status
}stopped
{pop}{
{ pop pop pop pop /Jun101-Light }
{ SansSerif }
ifelse
/RoundSansSerif exch def
}ifelse
/Default Serif def
}
ifelse
end
def
/Adobe-Korea1 4 dict dup begin
/Serif /HYSMyeongJo-Medium def
/SansSerif /HYGoThic-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-GB1 4 dict dup begin
/Serif /STSong-Light def
/SansSerif /STHeiti-Regular def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-CNS1 4 dict dup begin
/Serif /MKai-Medium def
/SansSerif /MHei-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
end
def
/TZzero
{
/_wmode xdd
/_styleArr xdd
/_regOrdering xdd
3 copy
_pdfComposeFont
{
5 2 roll pop pop pop
}
{
[
0 1 _styleArr length 1 sub
{
_styleArr exch get
_pdfStyleDicts _regOrdering 2 copy known
{
get
exch 2 copy known not
{ pop /Default }
if
get
}
{
pop pop pop /Unknown
}
ifelse
}
for
]
exch pop
2 index 3 1 roll
_pdfComposeFont
{3 -1 roll pop}
{
findfont dup /FontName get exch
}
ifelse
}
ifelse
dup /WMode 2 copy known
{ get _wmode ne }
{ pop pop _wmode 1 eq}
ifelse
{
exch _wmode _pdfConcatNames
dup _pdfFontStatus
{ exch pop dup findfont false}
{ exch true }
ifelse
}
{
dup /FontType get 0 ne
}
ifelse
{
dup /FontType get 3 eq _wmode 1 eq and
{
_pdfVerticalRomanT3Font dup length 10 add dict copy
begin
/_basefont exch
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
if
def
FontName
currentdict
end
definefont
def
/Encoding _basefont /Encoding get def
/_fauxfont true def
}
{
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
FontType 0 ne
{
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put}
if
def
/_fauxfont true def
} if
} ifelse
/WMode _wmode def
dup dup /FontName exch def
currentdict
end
definefont pop
}
{
pop
}
ifelse
/_pdf_FontDirectory 3 1 roll _safeput
}
bd
Level2?
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
selectfont
} bd
}
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
exch findfont exch
dup type /arraytype eq
{makefont}
{scalefont}
ifelse
setfont
} bd
}
ifelse
/cshow where
{
pop /pdf_cshow /cshow load dd
/pdf_remove2 {pop pop} dd
}
{
/pdf_cshow {exch forall} dd
/pdf_remove2 {} dd
} ifelse
/pdf_xshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_yshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0 exch
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_xyshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
{_pdf_na _pdf_i 1 add get} stopped
{ pop pop pop}
{
_pdf_x _pdf_y moveto
rmoveto
}
ifelse
}
ifelse
_pdf_i 2 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdfl1xs {/_pdf_showproc /show load dd pdf_xshow} bd
/pdfl1ys {/_pdf_showproc /show load dd pdf_yshow} bd
/pdfl1xys {/_pdf_showproc /show load dd pdf_xyshow} bd
Level2? _ColorSep5044? not and
{
/pdfxs {{xshow} stopped {pdfl1xs} if} bd
/pdfys {{yshow} stopped {pdfl1ys} if} bd
/pdfxys {{xyshow} stopped {pdfl1xys} if} bd
}
{
/pdfxs /pdfl1xs load dd
/pdfys /pdfl1ys load dd
/pdfxys /pdfl1xys load dd
} ifelse
/pdf_charpath {false charpath} bd
/pdf_xcharpath {/_pdf_showproc /pdf_charpath load dd pdf_xshow} bd
/pdf_ycharpath {/_pdf_showproc /pdf_charpath load dd pdf_yshow} bd
/pdf_xycharpath {/_pdf_showproc /pdf_charpath load dd pdf_xyshow} bd
/pdf_strokepath
{
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 false charpath
currentpoint S moveto
} bind
exch pdf_cshow
} bd
/pdf_xstrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xshow} bd
/pdf_ystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_yshow} bd
/pdf_xystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xyshow} bd
Level2? {currentglobal true setglobal} if
/d0/setcharwidth ld
/nND {{/.notdef} repeat} bd
/T3Defs {
/BuildChar
{
1 index /Encoding get exch get
1 index /BuildGlyph get exec
}
def
/BuildGlyph {
exch begin
GlyphProcs exch get exec
end
} def
/_pdfT3Font true def
} bd
/_pdfBoldRomanWidthProc
{
stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
0 0
} bd
/_pdfType0WidthProc
{
dup stringwidth 0 0 moveto
2 index true charpath pathbbox
0 -1
7 index 2 div .88
setcachedevice2
pop
0 0
} bd
/_pdfType0WMode1WidthProc
{
dup stringwidth
pop 2 div neg -0.88
2 copy
moveto
0 -1
5 -1 roll true charpath pathbbox
setcachedevice
} bd
/_pdfBoldBaseFont
11 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/Encoding cHexEncoding def
/_setwidthProc /_pdfBoldRomanWidthProc load def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
pdf_has_composefont?
{
/_pdfBoldBaseCIDFont
11 dict begin
/CIDFontType 1 def
/CIDFontName /_pdfBoldBaseCIDFont def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_setwidthProc /_pdfType0WidthProc load def
/_bcstr2 2 string def
/BuildGlyph
{
exch begin
_basefont setfont
_bcstr2 1 2 index 256 mod put
_bcstr2 0 3 -1 roll 256 idiv put
_bcstr2 dup _setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
/_pdfDefineIdentity-H
{
/Identity-H /CMap PDFText /pdf_resourcestatus get exec
{
pop pop
}
{
/CIDInit/ProcSet findresource begin 12 dict begin
begincmap
/CIDSystemInfo
3 dict begin
/Registry (Adobe) def
/Ordering (Identity) def
/Supplement 0 def
currentdict
end
def
/CMapName /Identity-H def
/CMapVersion 1 def
/CMapType 1 def
1 begincodespacerange
<0000> <ffff>
endcodespacerange
1 begincidrange
<0000> <ffff> 0
endcidrange
endcmap
CMapName currentdict/CMap defineresource pop
end
end
} ifelse
} def
} if
/_pdfVerticalRomanT3Font
10 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_pdfType0WidthProc
moveto
show
end
}bd
currentdict
end
def
Level2? {setglobal} if
/MakeBoldFont
{
dup /ct_SyntheticBold known
{
dup length 3 add dict begin
CopyFont
/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
/ct_SyntheticBold true def
currentdict
end
definefont
}
{
dup dup length 3 add dict
begin
CopyFont
/PaintType 2 def
/StrokeWidth .03 0 FontMatrix idtransform pop def
/dummybold currentdict
end
definefont
dup /FontType get dup 9 ge exch 11 le and
{
_pdfBoldBaseCIDFont
dup length 3 add dict copy begin
dup /CIDSystemInfo get /CIDSystemInfo exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefont exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefonto exch def
currentdict
end
/CIDFont defineresource
}
{
_pdfBoldBaseFont
dup length 3 add dict copy begin
/_basefont exch def
/_basefonto exch def
currentdict
end
definefont
}
ifelse
}
ifelse
} bd
/MakeBold {
1 index
_pdf_FontDirectory 2 index 2 copy known
{get}
{exch pop}
ifelse
findfont
dup
/FontType get 0 eq
{
dup /WMode known {dup /WMode get 1 eq }{false} ifelse
version length 4 ge
and
{version 0 4 getinterval cvi 2015 ge }
{true}
ifelse
{/_pdfType0WidthProc}
{/_pdfType0WMode1WidthProc}
ifelse
_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
{MakeBoldFont} Type0CopyFont definefont
}
{
dup /_fauxfont known not 1 index /SubstMaster known not and
{
_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
MakeBoldFont
}
{
2 index 2 index eq
{ exch pop }
{
dup length dict begin
CopyFont
currentdict
end
definefont
}
ifelse
}
ifelse
}
ifelse
pop pop
dup /dummybold ne
{/_pdf_FontDirectory exch dup _safeput }
{ pop }
ifelse
}bd
/MakeItalic {
_pdf_FontDirectory exch 2 copy known
{get}
{exch pop}
ifelse
dup findfont
dup /FontInfo 2 copy known
{
get
/ItalicAngle 2 copy known
{get 0 eq }
{ pop pop true}
ifelse
}
{ pop pop true}
ifelse
{
exch pop
dup /FontType get 0 eq Level2? not and
{ dup /FMapType get 6 eq }
{ false }
ifelse
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1Type0 }
{ _italMtxType0 }
ifelse
}
{ pop pop _italMtxType0 }
ifelse
}
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1 }
{ _italMtx }
ifelse
}
{ pop pop _italMtx }
ifelse
}
ifelse
makefont
dup /FontType get 42 eq Level2? not or
{
dup length dict begin
CopyFont
currentdict
end
}
if
1 index exch
definefont pop
/_pdf_FontDirectory exch dup _safeput
}
{
pop
2 copy ne
{
/_pdf_FontDirectory 3 1 roll _safeput
}
{ pop pop }
ifelse
}
ifelse
}bd
/MakeBoldItalic {
/dummybold exch
MakeBold
/dummybold
MakeItalic
}bd
Level2?
{
/pdf_CopyDict
{1 index length add dict copy}
def
}
{
/pdf_CopyDict
{
1 index length add dict
1 index wcheck
{ copy }
{ begin
{def} forall
currentdict
end
}
ifelse
}
def
}
ifelse
/pdf_AddEuroGlyphProc
{
currentdict /CharStrings known
{
CharStrings /Euro known not
{
dup
/CharStrings
CharStrings 1 pdf_CopyDict
begin
/Euro pdf_EuroProcSet 4 -1 roll get def
currentdict
end
def
/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
/pdf_PathOps /pdf_PathOps load def
/Symbol eq Encoding 160 get /.notdef eq and
{
/Encoding Encoding dup length array copy
dup 160 /Euro put def
}
if
}
{ pop
}
ifelse
}
{ pop
}
ifelse
}
def
Level2? {currentglobal true setglobal} if
/pdf_PathOps 4 dict dup begin
/m {moveto} def
/l {lineto} def
/c {curveto} def
/cp {closepath} def
end
def
/pdf_PSBuildGlyph
{
gsave
8 -1 roll pop
7 1 roll
currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
dup 9 1 roll
{
currentdict /StrokeWidth 2 copy known
{
get 2 div
5 1 roll
4 -1 roll 4 index sub
4 1 roll
3 -1 roll 4 index sub
3 1 roll
exch 4 index add exch
4 index add
5 -1 roll pop
}
{
pop pop
}
ifelse
}
if
setcachedevice
pdf_PathOps begin
exec
end
{
currentdict /StrokeWidth 2 copy known
{ get }
{ pop pop 0 }
ifelse
setlinewidth stroke
}
{
fill
}
ifelse
grestore
} def
/pdf_EuroProcSet 13 dict def
pdf_EuroProcSet
begin
/Courier-Bold
{
600 0 6 -12 585 612
{
385 274 m
180 274 l
179 283 179 293 179 303 c
179 310 179 316 180 323 c
398 323 l
423 404 l
197 404 l
219 477 273 520 357 520 c
409 520 466 490 487 454 c
487 389 l
579 389 l
579 612 l
487 612 l
487 560 l
449 595 394 612 349 612 c
222 612 130 529 98 404 c
31 404 l
6 323 l
86 323 l
86 304 l
86 294 86 284 87 274 c
31 274 l
6 193 l
99 193 l
129 77 211 -12 359 -12 c
398 -12 509 8 585 77 c
529 145 l
497 123 436 80 356 80 c
285 80 227 122 198 193 c
360 193 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-BoldOblique /Courier-Bold load def
/Courier
{
600 0 17 -12 578 584
{
17 204 m
97 204 l
126 81 214 -12 361 -12 c
440 -12 517 17 578 62 c
554 109 l
501 70 434 43 366 43 c
266 43 184 101 154 204 c
380 204 l
400 259 l
144 259 l
144 270 143 281 143 292 c
143 299 143 307 144 314 c
418 314 l
438 369 l
153 369 l
177 464 249 529 345 529 c
415 529 484 503 522 463 c
522 391 l
576 391 l
576 584 l
522 584 l
522 531 l
473 566 420 584 348 584 c
216 584 122 490 95 369 c
37 369 l
17 314 l
87 314 l
87 297 l
87 284 88 272 89 259 c
37 259 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-Oblique /Courier load def
/Helvetica
{
556 0 24 -19 541 703
{
541 628 m
510 669 442 703 354 703 c
201 703 117 607 101 444 c
50 444 l
25 372 l
97 372 l
97 301 l
49 301 l
24 229 l
103 229 l
124 67 209 -19 350 -19 c
435 -19 501 25 509 32 c
509 131 l
492 105 417 60 343 60 c
267 60 204 127 197 229 c
406 229 l
430 301 l
191 301 l
191 372 l
455 372 l
479 444 l
194 444 l
201 531 245 624 348 624 c
433 624 484 583 509 534 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-Oblique /Helvetica load def
/Helvetica-Bold
{
556 0 12 -19 563 710
{
563 621 m
537 659 463 710 363 710 c
216 710 125 620 101 462 c
51 462 l
12 367 l
92 367 l
92 346 l
92 337 93 328 93 319 c
52 319 l
12 224 l
102 224 l
131 58 228 -19 363 -19 c
417 -19 471 -12 517 18 c
517 146 l
481 115 426 93 363 93 c
283 93 254 166 246 224 c
398 224 l
438 319 l
236 319 l
236 367 l
457 367 l
497 462 l
244 462 l
259 552 298 598 363 598 c
425 598 464 570 486 547 c
507 526 513 517 517 509 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-BoldOblique /Helvetica-Bold load def
/Symbol
{
750 0 20 -12 714 685
{
714 581 m
650 645 560 685 465 685 c
304 685 165 580 128 432 c
50 432 l
20 369 l
116 369 l
115 356 115 347 115 337 c
115 328 115 319 116 306 c
50 306 l
20 243 l
128 243 l
165 97 300 -12 465 -12 c
560 -12 635 25 685 65 c
685 155 l
633 91 551 51 465 51 c
340 51 238 131 199 243 c
555 243 l
585 306 l
184 306 l
183 317 182 326 182 336 c
182 346 183 356 184 369 c
614 369 l 644 432 l
199 432 l
233 540 340 622 465 622 c
555 622 636 580 685 520 c
cp
750 0 m
}
pdf_PSBuildGlyph
} def
/Times-Bold
{
500 0 16 -14 478 700
{
367 308 m
224 308 l
224 368 l
375 368 l
380 414 l
225 414 l
230 589 257 653 315 653 c
402 653 431 521 444 457 c
473 457 l
473 698 l
444 697 l
441 679 437 662 418 662 c
393 662 365 700 310 700 c
211 700 97 597 73 414 c
21 414 l
16 368 l
69 368 l
69 359 68 350 68 341 c
68 330 68 319 69 308 c
21 308 l
16 262 l
73 262 l
91 119 161 -14 301 -14 c
380 -14 443 50 478 116 c
448 136 l
415 84 382 40 323 40 c
262 40 231 77 225 262 c
362 262 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-BoldItalic
{
500 0 9 -20 542 686
{
542 686 m
518 686 l
513 673 507 660 495 660 c
475 660 457 683 384 683 c
285 683 170 584 122 430 c
58 430 l
34 369 l
105 369 l
101 354 92 328 90 312 c
34 312 l
9 251 l
86 251 l
85 238 84 223 84 207 c
84 112 117 -14 272 -14 c
326 -14 349 9 381 9 c
393 9 393 -10 394 -20 c
420 -20 l
461 148 l
429 148 l
416 109 362 15 292 15 c
227 15 197 55 197 128 c
197 162 204 203 216 251 c
378 251 l
402 312 l
227 312 l
229 325 236 356 241 369 c
425 369 l
450 430 l
255 430 l
257 435 264 458 274 488 c
298 561 337 654 394 654 c
437 654 484 621 484 530 c
484 516 l
516 516 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Italic
{
500 0 23 -10 595 692
{
399 317 m
196 317 l
199 340 203 363 209 386 c
429 386 l
444 424 l
219 424 l
246 514 307 648 418 648 c
448 648 471 638 492 616 c
529 576 524 529 527 479 c
549 475 l
595 687 l
570 687 l
562 674 558 664 542 664 c
518 664 474 692 423 692 c
275 692 162 551 116 424 c
67 424 l
53 386 l
104 386 l
98 363 93 340 90 317 c
37 317 l
23 279 l
86 279 l
85 266 85 253 85 240 c
85 118 137 -10 277 -10 c
370 -10 436 58 488 128 c
466 149 l
424 101 375 48 307 48 c
212 48 190 160 190 234 c
190 249 191 264 192 279 c
384 279 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Roman
{
500 0 10 -12 484 692
{
347 298 m
171 298 l
170 310 170 322 170 335 c
170 362 l
362 362 l
374 403 l
172 403 l
184 580 244 642 308 642 c
380 642 434 574 457 457 c
481 462 l
474 691 l
449 691 l
433 670 429 657 410 657 c
394 657 360 692 299 692 c
204 692 94 604 73 403 c
22 403 l
10 362 l
70 362 l
69 352 69 341 69 330 c
69 319 69 308 70 298 c
22 298 l
10 257 l
73 257 l
97 57 216 -12 295 -12 c
364 -12 427 25 484 123 c
458 142 l
425 101 384 37 316 37 c
256 37 189 84 173 257 c
335 257 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
end
Level2? {setglobal} if
currentdict readonly pop end
%%EndResource
PDFText begin
[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
/hungarumlaut/ogonek/caron
0 TE
[1/dotlessi/caron 39/quotesingle 96/grave
127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
/ucircumflex/udieresis/yacute/thorn/ydieresis
1 TE
end
%%BeginResource: procset pdfasc.prc 6.0 1
%%Copyright: Copyright 1992-2003 Adobe Systems Incorporated. All Rights Reserved.
/ASR {
13 dict begin
/mirV? exch def
/mirH? exch def
/center? exch def
/autorotate? exch def
/angle exch def
/shrink exch def
/Pury exch def
/Purx exch def
/Plly exch def
/Pllx exch def
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury 0 eq Durx 0 eq and Dlly 0 eq Dllx 0 eq and and
{ shrink 0 gt { GClipBBox } { GPageBBox } ifelse }
{ ITransDBBox }
ifelse
/PHt Pury Plly sub def
/PW Purx Pllx sub def
/DHt Dury Dlly sub def
/DW Durx Dllx sub def
angle 90 eq angle 270 eq or
{
PHt /PHt PW def /PW exch def
} if
autorotate? PHt PW ne and DHt DW ne and
{
DHt DW ge
PHt PW ge
ne
{ /angle angle 90 add def
PHt /PHt PW def /PW exch def
}
if
} if
angle 0 ne
{
/angle angle 360 mod def
angle rotate
angle 90 eq
{ 0 DW neg translate }
if
angle 180 eq
{ DW neg DHt neg translate }
if
angle 270 eq
{ DHt neg 0 translate }
if
} if
center?
{
ITransBBox
Durx Dllx add 2 div Dury Dlly add 2 div
Purx Pllx add -2 div Pury Plly add -2 div
3 -1 roll add exch
3 -1 roll add exch
translate
}
{
ITransBBox
angle 0 eq
{Dllx Pllx sub Dury Pury sub}
if
angle 90 eq
{Durx Purx sub Dury Pury sub}
if
angle 180 eq
{Durx Purx sub Dlly Plly sub}
if
angle 270 eq
{Dllx Pllx sub Dlly Plly sub}
if
translate
}
ifelse
mirH? mirV? or
{
ITransBBox
mirH?
{
-1 1 scale
Durx Dllx add neg 0 translate
} if
mirV?
{
1 -1 scale
0 Dury Dlly add neg translate
} if
} if
shrink 0 ne
{
ITransBBox
Dury Dlly sub Pury Plly sub div
Durx Dllx sub Purx Pllx sub div
2 copy gt { exch } if pop
shrink 1 eq
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{
shrink 2 eq 1 index 1.0 lt and
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{ pop }
ifelse
}
ifelse
} if
end
} [/autorotate? /shrink? /mirH? /mirV? /angle /Pury /Purx /Plly /Pllx /Durx /Dury /Dllx /Dlly /PW /PHt /DW /DHt
/Devurx /Devury /Devllx /Devlly /pdfHt /pdfW]
bld
/GClipBBox
{
gsave newpath clippath pathbbox newpath grestore
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
ITransDBBox
} [/Durx /Dury /Dllx /Dlly]
bld
/GPageBBox
{
{
currentpagedevice /PageSize get aload pop
/Devury exch def /Devurx exch def
/Devllx 0 def /Devlly 0 def
ITransBBox
}
stopped
{ GClipBBox }
if
} [/Devurx /Devury /Devllx /Devlly ]
bld
/ITransDBBox
{
Durx Dury transform matrix defaultmatrix itransform
/Devury exch def
/Devurx exch def
Dllx Dlly transform matrix defaultmatrix itransform
/Devlly exch def
/Devllx exch def
Devury Devlly lt {/Devlly Devury /Devury Devlly def def} if
Devurx Devllx lt {/Devllx Devurx /Devurx Devllx def def} if
} [/Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
/ITransBBox
{
/um matrix currentmatrix matrix defaultmatrix matrix invertmatrix matrix concatmatrix def
Devllx Devlly um itransform
Devurx Devury um itransform
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury Dlly lt {/Dlly Dury /Dury Dlly def def} if
Durx Dllx lt {/Dllx Durx /Durx Dllx def def} if
} [ /um /Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
%%EndResource
currentdict readonly pop
end end
/currentpacking where {pop setpacking}if
PDFVars/DocInitAll{[PDF PDFText]{/docinitialize get exec}forall }put
-PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
-PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
-PDFVars begin PDF begin
PDFVars/DocInitAll get exec PDFVars/InitAll get exec
[/NamespacePush PDFMark5
[/_objdef {Metadata_In_EPS} /type /stream /OBJ PDFMark5
[{Metadata_In_EPS} 17988 (% &end XMP packet& %) ReadByPDFMark5
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
-<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1-701">
- <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
- <rdf:Description rdf:about=""
- xmlns:xap="http://ns.adobe.com/xap/1.0/"
- xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
- <xap:CreateDate>2005-05-26T09:00:06+01:00</xap:CreateDate>
- <xap:ModifyDate>2005-05-26T09:00:06+01:00</xap:ModifyDate>
- <xap:MetadataDate>2005-05-26T09:00:06+01:00</xap:MetadataDate>
- <xap:Thumbnails>
- <rdf:Alt>
- <rdf:li rdf:parseType="Resource">
- <xapGImg:width>196</xapGImg:width>
- <xapGImg:height>256</xapGImg:height>
- <xapGImg:format>JPEG</xapGImg:format>
- <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA
AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK
DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f
Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgBAADEAwER
AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA
AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB
UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE
1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ
qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy
obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp
0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo
+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9U4q7FXYq7FXYq7FXYq7
FXYq7FUJdaxpFozrdX1vbtEOUiyyohUEVq3Iim2KsV1X86vyn0q8+p33mnT0uaAlEmEoWppRmi5q
p9icVRFl+bn5W3ppbebdIZq0CNewIx77K7qTirJbLUtOv4vVsbqG7i/35BIsi/epI7YqiMVdirsV
dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVUL6+stPs576+njtbO2Rpbi4lYJGiKKszM1AA
Bir48/PH/nKbVddkufL3kmZ9P0VHKTazC7pcXaDp6dVjeGM9/wBpvECoKr55nnnuJmmnkaaZzV5J
GLMT7k7nFVPFXYqvjllicPG7I46MpIP3jFX0h+Rv/OVV3oy2vlvz073mlhkhtNaO81tHTiBOAKyx
jb4vtAV+1sAq+vLS7tby1hu7SZLi1uEWWCeJg6OjiqsrCoIINQRiqrirsVdirsVdirsVdirsVdir
sVdirsVdirsVdirsVU7q6t7S2murmRYba3RpZ5nIVURByZmJ6AAVOKvgX86vz+8y/mLcvpyUsPK9
vMzWthFUNMFY+nLcsT8TU6L9keFd8VeU4q7FXYq7FXYq7FXrP5Lf85BeZfy7u4rC5Z9S8qO/+kaa
5q0IY/FJbMfst3KfZb2PxBV96aff2eoWNvf2Uq3FndxpPbTpurxyKGRh7EGuKq+KuxV2KuxV2Kux
V2KuxV2KuxV2KuxV2KuxV2Kvm3/nMj8yf0doVl5I0+cpe6qfrWqemxBWzQlUjanaaTf5J74q+PcV
dirsVZn+Ulh5S1bzvp2heZ7KW6stamTT4ZoJmhkt57hvTilAAIejsuzbUxVIPNGgXfl3zJqmg3ZB
udLuprSVhUBjC5TktezUqPbFUrxV2KuxV9U/84jfnMicfy7124oCWfy7cSHap+J7Sp8d3j+lf5Ri
r6rxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KpL5y826P5R8s3/mLV5PTsbCIyMB9p3OyRIO7yOQ
q+5xV+cPnbzfq3nDzTqPmPVWreahKZCgJKxoBxjiSv7MaAKPliqR4q7FXYqynQobvy7pVt5zpwu2
ung8vVA2uLZUeW6oev1f1Y+Hi5r+wQVWXf8AOSVtHP58s/NFugSz83aVY6xDw+yGkhEbr/rcoqn5
4q8smglhZVlUozKrgHrxdQyn6VIOKqeKuxVUt7i4triK5t5GhuIXWSGaMlXR0NVZWG4IIqDir9Hv
ye85v5y/LXQfMEzc7y4txHfseIJurdjDO3FaBeckZcDwIxVmWKuxV2KuxV2KuxV2KuxV2KuxV2Ku
xV2Kvkv/AJzJ/M6O5vLX8vrBqrZOl9rMg/36yVgh/wBiknNvmvhir5fxV2KuxV2KssS91XzN5f0n
R7i5htrHy4s6WjG2uGVY7mUTSM8ltHOW+Mknkop79lUdq3myzk8s6PoepX0fmBdA9b9ERwQSQwxr
cNzZJrmYRTyIGA/diIezjuqx3RbD/EfmGO1vdSt9Ne9ZuV/dLIIEahIDCBJCi7U2XivsMVVtV8j+
ZtN1HU7CWzaeTSYxc3ctsRNF9VfjwuUdK8oHDqRINqEYqkOKuxV9T/8AOEvm+b19f8oTOWiKLqtk
hOylSsFxT/W5Rfdir6txV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+dn/OQEc0f5zebFm+2b0sKmvw
sisn/CkYq8+xVdGzJIrJ9pSCu1dx02OKphHf3FlLdmaIPqMxZJ/rUMUvA8wzHjMkhDkrSooRv44q
l7uXcuaAsakKAo+gCgGKu5vw4cjwry412r0rTFVuKpx5U82+YPKetwa3oF2bPUreojmCo44tsysr
hlIPuMVereUfPWkebPNI1vUoZNP83RIy2CWFzHHZTllIeL6lcgJwn5MJY0mJk5HjGSd1WC655GvE
0LUdej0u80tLO+kje1uUk9P6s0npgxSOkfJreUiKUHf4l2HxYqwvFXsf/OJd1ND+demRxmi3NteR
SjfdRA0n/Eoxir7xxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV8I/85W+T9W0T81r3VrleWneYAl1Y
XABAJjjSKWI/5SMtfkQe+KvGcVZPoF5DZQwQaDaS6h5vvnCW9wqFza8jRUtIhyL3D/78I+D9gcvj
CrpvLuiaSSfMWqerf9W0rTClxKrdStxdE/V4j/qeqwOzKuKqLeZNGtiV0vy9aRgGsdxfvLe3FPBq
mK1b/pHGKpheav5/tNGsNbl0+Gx0m+dhp+oQ6XZW0UskJ4twkigQMVK/gffFVC085+eL644wcdQm
RCfTawtbqiVAJ4PDIKVp2xVVn83SLK0fmLyrpd0zVBH1NtLkX3Qae1mgI/ykI9sVXppHkHXlZdGv
5tA1Q/3Om6u6TWkrfypqEawiIk9PXiVB3kxVXvvzA876fpd35V8wRfWFMfpFL5G9eMenwjdXqCaR
misa1SgqVCcVWDYq+gv+cM/KdzqH5g3vmNoyLHRbR0WWmxubr92iiv8AxUJCae3jir7SxV2KuxV2
KuxV2KuxV2KuxV2KuxV2KuxV59+ef5aw+f8A8v77S44wdXtQbvR5Nqi5jU0jqeiyiqH517Yq/PK7
tLuzuZLW7hktrqFik0EqlJEYdVZWAIPzxVlfk3TvPV1omqL5Z0+5mjuf9GurqwtJLi7kBXk1qjxh
nSMr8UvGlV2avwrirDyCDQ9cVaxV9earfeX/AD1/ziJLHokEa3fl+ztjcWEZ5PbT2Mi+s5WvICSE
SOCf2W8a4qy/8j/JWhflL+V36e8xEWmqakkd3q87IzSxq/8AcWqogZyUDbqoqXJ9sVXat/zkV5Xl
Etrd+RvM97p4DetJJpKGFlHfhLKPhpWvIDFWGP5M/wCcbPzhaa18tP8A4X828WZbVIvqcvJQT8Vm
37iUDq3pHl4kYq8J/MzQvOPkhT5E81W8V2tq63OhaoKsyQMWDrbymjGCQ/aib7LiopvyVYRo2j6l
rOq2mk6ZA1zqF9KkFrAnVpHNAN9h7k7DFX6M/lT5As/IfkbTfLsHB7iBPU1C5RQPWupDylcmgJFT
xWu/EAdsVZdirsVdirsVdirsVdirsVdirsVdirsVdirsVeO/np/zjxpH5ir+mNPlGm+aoIvTS441
hulX7EdwBQ1HRZBuBseQAAVY15wsLj8tP+cUUsdLpZaleWtqmoSqQJDPqDIbujKd24syA/yj2xV8
ZYquRijqwpVSCKgEbeINQcVegeV/zH1HRbN7+0jexWCL9HzjTHgtnm+tCRubNNb3dKLGwIWgrxIp
TdVOfNH5x+aG8vWMa6zeapJrMUlxNb6s0V9HZxpNJbJGqtDHFJM/os5kMfwqyhaMC2KvNv8AEvmP
iqDVLsIgoiCeQKorWiqGoBU9BiqZ6J5+1+w1jT9QvLiTUxp80U0C3MjPJH6Th19CYkyQkEVHAgeI
I2xV9k/85G+SE/ML8qYNU0O0e+1a0Nvf6MsSVmlhuSqyRgdaNG4cjxUYqnH5O/kN5U/LqxjuFiXU
PMkihrjVp0UyRlk4tHb9fSTcg0NW7mlAFXp2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KsX/M
Typb+cvKmr+WJ/Ui+tWvK2uEd4wJ/i9OvEryCOqllO24rir5k832M+pf84eeWLm3eV10W+P16Loq
f6TcW9XG5+B5FVd6Ubp0oq+bsVV7GxvL+8hsrKFri6uGEcMMYqzMegAxVPNG8lapqepaDp0UsRfz
DfmxtVR+dCkqQ+s1NuHKRuJ/yT2xV7f/AM5P/lpo+m61olj5f0+HT/UsKaXBBGkQupbeQi5gHAAN
NxeKRB1clxuzKMVfNxBBoeuKs6/I/wAm2PnH80dC0LUBy0+WV57yM/txW0bTtHtvST0+B+eKv0YR
FRQiAKqgBVAoAB0AGKt4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FWG/m5ba5f+QtU0fy9O
IPMWrRNa6T+89FpJOJlljSTYKzQRSUqRirxjzTp2s+Wf+cV9GTTLF5Y7edZPNVpctUywyyTJeB6c
WKtcOvGnxKtGrVeWKvkq8+p/WpfqfqfVSxMIm4+oFPQMV+EkdKiletB0xVOvJNrq2qa9aeXNKmW1
utfni083R2ZUuHEbLzHxBG5fGF+0Num2KvTxZflV5R/OXyM/lXzC2oaRY3UUGtXsrMpju4rgiSQl
0RBA4kXdKrQN8R64q+oPzs/Law/MjylPolvcxQ+YNPKX2lylhWORuSoJKVdYpgrLXxFd+NMVfH3k
fyHrX5qX99bQWZk1ewCm81i0ltqPy5KslxBNLAJizJQzQtX9p1dmrir3H8nf+cVfMfk7zxYeaNX1
62I0wu8FtYq7tKZI2iZXeVUCLxc1oGr7dcVfQHmmbzLDoF5L5Zt7a61xE5WVveu8cDsDuGZATuK0
6CvUgb4qmFp9ZNrCbrj9Z4L6/pghPUoOXEEsaV6b4qq4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7
FXYqhr+OExLcSQxSyWjevC03ECNgrIzq7A8G9N2FfAkdCcVY7+arWY/LjzDBdSQwxXllJYRPckrC
Jr0fVoAzKG4gyyqOVNuuKvzev9PvtPuntL+3ktbqMKXgmRo3AdQ6kqwB+JWBHtirKPyj84aV5O/M
TRvMWq2f16wsZSZohQuodGj9VAdi8XLmo8R1HXFUNe+c7i3896n5j0ZY7aG61CS7js1QLbtD9aFz
HA8WwMVUSqHwxV9H+Uf+cpPL3mHzvpmo67b23li3tIHtri6a4mkknE0bM8ZRLZ0aJZ0jK8nRl6gm
rLirHpb/AEr8t/8AnI2180WHmGwufKvmh5prx4J4z6NvdDnJHcRRfEgSXi8fw/FQd+QxV9DWf55/
k/dsFi83aapJ4/vp1gFfnLw298VZDa+b/LF/Zz3Wl6rZ6kkEbSv9UuIpvhVS3+62bsMVfPX5u/m7
p+h/85H+VlkvJhpXl+MQa0sUhWJZL1XDMyfErCKOVHbavbrir6dVlZQykFSKgjcEHFXYq7FXYq7F
XYq7FXYq7FXYq7FXYq7FXYq7FXYqxT8x/I9t5t8jX/lZQIIL94C/CihQl1HcOwp3+AnFXxX/AM5P
3i3H51a7FH/cWSWlrCKUoI7SIsN/B2bFXlWKuxV2KuxV2Krkd0dXRirqQVYGhBHQg4qqyy3l9dmS
V5Lq8uH+J2LSSSOx7k1ZmJxV+lX5bWmr2f5e+W7PWUMeqW2mWkN5G32lkSFVIev7Qp8XvirI8Vdi
rsVdirsVdirsVdirsVdirsVdirsVdirsVdir4V/5yw8rxaN+aN3fNMz3GuEXqRFRwW3EMMKHkP2m
njnBWmyhT3xV4rirsVfan5A3v5Wee9Nt77TPLWl6P5s0BYk1KJLKIpIkoIMsdQGPMoaNyLIaAkg0
ZV7TqHk7yhqKenqGh6feJSnC4tYZRQ+zqcVYnd/84+fkzdyyyS+VbNTLx5LD6kCjia/CImTjXvTF
XWP5Cfk9psqG18oWMwlLJIbgNchFZCeVLhpe6gCm4rXFU90P8sfy70K8F9o/lvTrK9X7F1FbRCVf
9R6cl+g4qybFXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYqw+H82/y59F3u/Mem2kkd5PYtDN
dwpIJIbl7fdCwYBinIGlOPxdN8VYj/zkZ+UN7+ZXlSxk0OWM61pDvPYI7AR3EU6qJIg/RWbghVjt
tQ0rUKvhC9sryxupLS9gktrqE8ZYJVKOp8GVqEYqyC68jXkH5cWHnbkxtbzVLjS3jK0CmKGOWJw3
fn+9B8OH3Kvf/wDnB7R3Nz5r1lgwjRLSziNDwYsZJJN+lV4p9+Kvq7FXYqhZNV0yPUYdMku4U1G4
jaaCyaRRM8aEB3SMnkyrXcgYqisVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir5R/wCcqPz3
1OK/vfy78vSG2hiCLreoxSfHL6iBzaoV+woDUk3qfs7CtVXzNqemyWDW0coIlnt4rkg9lnX1I6fO
NlOKs6/LL8+vzA/L944NPu/r2iqfj0e8LSQAE1PpGvKE7k/AaV6g4qs/PL8wfL3n/wA3W3mbSLGX
T57mwhj1a3mKt/pcTOlVdftr6IjAag6dMVZnN54/LuT/AJxVs/KV3chvNMV3LNaWUQZpFmF48nrS
GnFVNvKU3O/b2VeqfkB+Z35NeTvyy03SbjzLbwanLyu9UjmSRGW5npyXZKNwVVStT0xVluvf85Sf
lJp3GHTr248wahIeMNjplvJI7M32RzkEUe5/lYn2xV5X+YP/ADkF+Zs0Ekk5t/IWnKCYtNZhc65c
kUIj9IgNbq21XdI6CtGcjjiry382tH1Ox0zyx5w1S4ZfNfnF7/XbwRsw9C3neFrOOMliyqELFR+z
Xj2xV9Hf84y/njL540xvLWtKF8waNbRlbovU3kCngZCp3EifDz61rXbpir3TFXYq7FXYq7FXYq7F
XYq7FXYq7FXYqxzVvzI/L3R5ZYNU8zaXZXEAJltpryBJhxFSPSL86+wFcVeRa3/zmh+W9nPJDpmn
alqnAkCcJFBC9DsVLuZKH3QYq8h81f8AOYP5napNdxaOtpo1hLzS39KIyXKRtUKWlkZ19QA/aVRv
2xV4ZNNNPNJNNI0s0rF5ZXJZmZjVmZjuST1OKsn/ADLdW80qEUKkWmaRCgWtOMOlWsYO++4WuKpd
r3lDzDoNnpV9qdo0Flrdst5plzUNHNE1OjKTRlr8SncbdiMVTP8ALb8s/M/5h6+dF0BIhLHE09xd
XLMlvDGu1ZGRZG+JiAAFJP34qlnmW08vWV59S0mW4uXtgsV3dSlBFJOg4zGBVAb0uY+AsaleoGKv
Yfyf/LP8h/Pept5dGo+YG1z6qbgTsttb27FaCQIqrcspQmvxtQj32xV6j5Y/5w08vaVe3E975p1O
eGQFIorEJYNwPVJpKzmQU8AuKpp54/KL8mvy3/LbzHrcOjRG/XT7i3tb29d7mY3NzGYYeAlZkRzI
4+JFBAqcVfG2v+add8wfo/8AS1011+irOLTrHlQenbQV9NBTwr16nFVnlvzHrPlrXLPXNGuWtNSs
ZBLBMviOqsOjKw2ZTsRscVe5+RP+cx/O2n6kF84wx61pT19R7eKO3uozTYpw4RMPFWH04q9g0H/n
L78pdW1KCxlXUtL9dxGtzewRCEM2w5NBNOVFe5FB32xV61Y+avK9/fGwsdYsbu+UFjaQXMUkoAFS
fTVi34YqmmKuxV2KuxV2KrZJI4o2kkYJGgLO7EBQoFSST0AxV8yeaP8AnNvSre+9Hy15dlvrVKh7
q+mW3LMCR8EUQn+GlCGLA/5IxVhXmH/nND8xb74NF06w0eIqAXZXupg9TUhnKR0pTYxn54q8r1z8
2/zO1yd5tT8z6lKXrWJLh4Yd9jSGExxr9C4qxIkk1PXFWsVdirsVR2sarNql4t3MKSCC2tz7i2t0
gB+ZEVcVZf5g/N7VvMH5d6X5I1TTrN7bQzF+idRhDx3MYjUoVkJZ1dXRqEALuAe2KvYY721/KD/n
Gm1nsXEfm/8AMBFlSdac1gmTkHX/ACYbaQAeEklcVfMOKvpL/nC9vLFl5h1i+1LUba21m8jj0/SL
OWVEllUsJJ+CsaklhEFp13p0OKvd/wA2/wA/PJv5bqLS9Emo69LH6tvpNvQNxNQrTSmqxKSPdvBT
ir40/NT86fOP5kXqNq8q22l27FrPSbeogjJ25tXeSSm3JvoArirAcVdirsVdiqM0rV9V0e/i1DSb
yfT7+Cvo3drI8MqcgVbi6FWFVJB9sVZ75c/5yJ/N/QruW5j8w3GoGWMxmHUna7jWpB5oshPFhTqM
Veh+Vf8AnNTznYiRPMmj2uspxPoyW7GylD7fbPGdCvyQH3xV7B+U3/OUPlPz5q6aHeWUmg61PX6n
DLKs8E5ArwSYLEfU60VkFexJ2xV7RirsVfOX/OTH/OQNjo1jrH5f6Ikr69cRC21G9+EQwQ3Eas6o
QSzSNG/HoONetcVfHGKuxV2KuxV2KuxV2KuxV2Kp/wCbPOuteZxpCai6+homnW2lafCgoqQWsYQH
3ZyOTH+AGKpBirasVIZSQwNQR1BxVk3mPXb7zVYW2qXvqXOtaZCttqd6QWM1qhWO1nmbf94vP0WY
9R6f7VSVWMYq7FXYq7FXYq7FXYq7FVayvLqxvIL20laC7tZEmt5kNGSSNgyMp8VYVGKv0A/KX8/P
JXn6xtrZbxLHzL6ai60m4IjdpAo5Nbk/DKpNaBTyA6gYq9OxV+V0sss0ryyu0kshLPI5LMzHckk7
k4qsxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvQfyMg0O78+rYeYruK08uXun6hDrLzOI1Nv9UkccS37
aSoki9wVBHTFWL+bJvLT6uY/LkDxaXbxxwJPKWMlzIgpJcsrE8PVepVB9laDrU4qk2KuxV2Ksz0P
8n/zC1vzRe+VrDS+WvafbLeXVlJNDEVhcRsrc3dUPIToR8XfFUfqn/OP35y6YrNdeVbsqgJZrcxX
IAFCTWB5B3xVjF/5I856cgkv9B1G0jIDB57SeNSpFQQzIAQRvXFUlZWVirAqymjKdiCOxxVrFW1Z
lYMpKspqrDYgjuMVfTX+OPOP/QpX6W/TV7+lP0p9T+v+vJ6/1flw9P1a8+PHbrir5kxV2KuxV2Ku
xV2KuxV2KuxV2Kq5tSLNLr1YyGkaIwhv3q8VDciv8rctj7HFVDFXYq2CR0xVrFXYq7FXYq+t/wAs
tdsovzt8tSu6CfzL5V0qUuxCfHFYOjxiv2iXhGw8PbFXrP59WNzc+QGlW1e/06wv7G+1vTYuXK50
62uFkuouK/aHAciPAYqgNMn8p2eqQ3XkXWoLfy9q7wNq8OmejJb2S+hciG4RSskNsJ5RHHICm7KN
geZxVX/T6a1bSXGvaRYXsNu1nGltNbCV7q3urlrM3UJkLcUeQF4k4n4difjDBVb5+/Ij8s9V8s6u
LLytYW2rNZXH1CazhW2Zbj0mMTAQ+mCQ9Dv174q/PnFX0B/65t/2/P8Ambir5/xV2KuxV2KuxV2K
uxV2KuxV2KuxV2KuxV2KuxV2KuxVPI/Kty2k6Lqj3EaW2t31xp8QNeUb2oty7vsBxIu1pQ9jir2H
zp/zil+YmlaVLrGoeYrC9sNLgROcjX0ksdvHRVSOKOCduKV6LsBviqS+WPyX/PifSLfWfJt1Jc6b
ccjaXWn6j9UDhH4clEz2rUqm23bFUbpvlj/nLDygkkOmWusW8bO8ssds0V2jSftOQjTKzN4/te+K
qmpfmJ/zlDCsR17R766W1dZLea90NQY3i+JXjnS3jYMpFeStXFU2g/5zD/NnTWCaxoOnuoO5eC6t
pDWppUylenT4cVfPl/NBPfXE1vF6FvLK7wwV5cEZiVTlQV4jauKvef8A1zb/ALfn/M3FXz/irsVd
irsVdirsVdirsVdirsVdirsVdirsVdirsVdir0O7h9T8idF1GLaTTfM19blttjc2VrKp6d/QP3Yq
/QSCWLWNEjlVjHDqNsGDRkFlWeOtVJFKgNtUYq+b7PzF5Mt/+cbrjyqNWhuNXsptVsNFjSV/rEk8
FzcS200aWhMhHpFSGpwqRy2OKpZ5a83XFro+kW+ra9qP6BFnqTC+0+9u7BV1ZhFc28D3l66qWS25
KsUsjR+pUbjFWW6Z+ZXnQ6fcatc6+EvLf9D3uj6NLBAq6rpd5DEkiRIA8puJbhnXkshCSDiSErir
1j82NFXWvyy80aaVLvNptyYVH+/o4zJF1/4sRcVfmtir6A/9c2/7fn/M3FXz/irsVdirsVdirsVd
irsVdirsVdirsVdirsVdirsVTzyl5fg1y9vrWWZoWttN1DUIitPiewtJLrga9mWIjb+3FXpvk/8A
KvSNS8m+XBqlzrUSeZdVWz/0JrWSwivGjDWzyRzNEQ7wTbHlXZqdhir1i3/5xn8x2omh0D83L+2e
wBWW3j9VfR5A0V/SvF9MEA/s4qktp/zj9+Zug6+V0L8x9Nj100C+qTHeMrLU1HGeTcfeMVZJJ5L/
AOcxLWMRDzbo+pQNUtFIkL9KEcjNYofl8WKoW6tv+cuzNbT32haDrlxYkS2c06WTPFKP2omMkHB2
4jdaYqlnnT/nIL/nIPyQluvnTyho9pDqHNbenORJAgHqLWK7uF6MOuKvlSUxmVzECsRY8A25C12r
9GKvff8A1zb/ALfn/M3FXz/irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVZl+UUbT+fbKyUq
G1C21DT1Lgstb3T57YVA95cVey/lprui6X+R2mXd/OkgsPOGk37GEPPJCsUkHqBlVeSuILaRqdOJ
FDvTFXub6Jqc1t5gh01Hm0HzGyOizIl3bql7Nynmh4yxSyW08UzvJCWBR+RXZ8VeT/mh5O803sei
StZ6jL5g03TtT0u81e30i4vTdvpU8M+lyh41keE3TRbShuSkkfZriqUS+WrOa889C90mTR7y5sb+
/wBHsba1vYJ47k2VtqQRJlpbNHDNbSx8aKwc0FQ9FVeiWnnryJfeem1dNcm0vRtd0SbT7iOSe6tD
Fqlq1o3FFZoyJ/QuURTGKsY2AJNcVeS/mdOdc/I2GW71aLVta0bU4J55k1CbUpPq8sTWckkpuPjg
aW5i5ekv7ulCnUnFXz1ir6A/9c2/7fn/ADNxV8/4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq
7FVS3ubi2mSe3kaGaM1SWMlWU+II3GKsq8s/ll+ZWu6eureXdEvb2ydmjF1aiqlkPxLUEdDirJbb
8tP+cjbX/eXTNfg24/upZk+EdvhcbYqm1voX/OWtvQRP5qCgcVU3dyygDwVpCBiqZWz/APOYtsVM
f6fbgKD1Qsvtv6nKv04qn1rqX/ObsUSiNLxkPxASwaUzb70JkQv9GKpH+aGu/wDOR9l5G1BPzB0y
3TQNdaC0luClikwnSQXMJ/0RxKD/AKP/ALsUrT3pirwLFX0B/wCubf8Ab8/5m4q+f8VdirsVdirs
VTLSvL+q6rHdS2cPKKzglup5nIjjWOAKXrI1EDfGtAT8RIUVZlBVS3FXYq7FXYq7FXYq7FXYq7FX
Yq7FX27/AM4Z3Bl/KW6j5V+r6vcxgeFYYJKf8PXFXu+Ksf8AIsNxD5dhikvrS+hjYxWbWDSSwRQQ
gQpF60sk0kzr6fxyO1WauwxVH6HqulahBcfoy+hv4bS4ktJmhl9YxzREB4pHLOfUUncHFUJ5Qv7q
9sLt7q8tLuaG+urfhZSGVIEhmKRwyOzOxmCBWk5UoxIApTFWB/8AOU2mpe/klrzkVks2tbmL2K3U
aMTt/vt2xV8B4q+gP/XNv+35/wAzcVfP+KuxV2KuxV2Kpvd+bfMV3odvoU1840a1IaKwjCxQlx0d
0jCiR/8ALere+KpRirsVdirsVdirsVdirsVdirsVdir3X/nH7/nIPS/y50K70DUdPluY7+++tJdC
ThFDzjSJi6qkslP3YJ4qTToDir1bzP8A85h+X9JihS10m31uaf1vUjs76T040RuEZd5bOP8AvR8Q
UAkD7VDtirCfL3/OYOkeXNL/AEbovkMW1sCWRW1V5aHiEWpe1LMERVRRy2VQO2KoLy//AM5bw+Xh
fDSPJNtbfpK6kv70/Xp3LzygBmq6NxFFACrRR2GKusf+cwtQ0prn9DeT7CyjvJTcXKG4nk5SlQpY
bIFHFR8Kin34qg/OH/OW2ueavKOreXNQ8u2kcWqQNALiGaUGOu4fiwbkQQD1GKvA8VfQH/rm3/b8
/wCZuKvn/FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+gP/AFzb
/t+f8zcVfP8AirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfQH/r
m3/b8/5m4q+f8VdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir6A/9
c2/7fn/M3FX/2Q==</xapGImg:image>
- </rdf:li>
- </rdf:Alt>
- </xap:Thumbnails>
- </rdf:Description>
- <rdf:Description rdf:about=""
- xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
- xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
- <xapMM:DocumentID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:DocumentID>
- <xapMM:InstanceID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:InstanceID>
- <xapMM:DerivedFrom rdf:parseType="Resource">
- <stRef:instanceID>uuid:e3e3a208-cd3c-11d9-8977-000d936c956e</stRef:instanceID>
- <stRef:documentID>uuid:AB03F8A6CDD611D982B3C176F4FB2AEE</stRef:documentID>
- </xapMM:DerivedFrom>
- </rdf:Description>
- <rdf:Description rdf:about=""
- xmlns:dc="http://purl.org/dc/elements/1.1/">
- <dc:title>
- <rdf:Alt>
- <rdf:li xml:lang="x-default">portrait-head copy</rdf:li>
- </rdf:Alt>
- </dc:title>
- <dc:format>application/eps</dc:format>
- </rdf:Description>
- <rdf:Description rdf:about=""
- xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
- <photoshop:ColorMode>3</photoshop:ColorMode>
- <photoshop:History/>
- </rdf:Description>
- </rdf:RDF>
-</x:xmpmeta>
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-<?xpacket end="w"?>
% &end XMP packet& %
[{Metadata_In_EPS} 2 dict begin /Type /Metadata def /Subtype /XML def currentdict end /PUT PDFMark5
[/Document 1 dict begin /Metadata {Metadata_In_EPS} def currentdict end /BDC PDFMark5
[/NamespacePop PDFMark5
PDFVars/TermAll get exec end end
PDF /docinitialize get exec
-
%%EndSetup
PDFVars begin PDF begin PDFVars/InitAll get exec
172.0 54.0 296.0 409.0 rectclip
q
172.0 54.0 m
468.0 54.0 l
468.0 463.0 l
172.0 463.0 l
h
W
n
q
n
0.0 480.0 640.0 -480.0 re
W
n
q
true setSA
172.0 54.0 296.0 409.0 re
W
n
n
335.201 367.981 m
333.385 369.335 330.805 369.835 328.2 368.652 c
322.949 374.353 322.186 384.354 319.8 392.8 c
315.154 386.669 307.689 378.628 311.4 368.652 c
308.876 369.681 308.006 368.819 304.399 369.323 c
304.324 380.208 313.847 387.489 318.4 396.154 c
317.73 402.89 317.119 409.683 308.6 408.898 c
311.234 410.792 315.023 413.818 319.8 411.582 c
327.617 399.62 326.688 379.276 335.201 367.981 c
[/DeviceGray] cs 1.0 sc
eofill
n
322.6 357.249 m
318.99 354.59 309.367 354.389 304.399 355.237 c
309.273 356.61 318.049 357.799 322.6 357.249 c
eofill
n
273.598 353.896 m
275.535 354.009 276.001 352.865 274.998 351.883 c
278.4 352.2 281.25 353.047 284.098 353.896 c
283.331 350.815 273.651 348.813 270.098 349.871 c
270.095 352.333 272.549 352.441 273.598 353.896 c
eofill
n
275.698 347.188 m
271.917 344.774 266.738 343.699 262.397 341.821 c
265.361 344.664 271.338 347.885 275.698 347.188 c
eofill
n
246.296 343.163 m
248.1 342.035 245.702 339.313 244.896 338.468 c
244.126 330.771 243.94 342.296 246.296 343.163 c
eofill
n
367.402 342.492 m
382.533 343.126 391.632 332.171 399.604 323.71 c
389.667 328.053 379.82 338.291 367.402 342.492 c
eofill
n
263.797 337.126 m
256.335 330.414 249.26 323.331 240.696 317.674 c
242.625 325.219 252.857 330.614 258.897 336.455 c
261.325 335.917 261.588 337.454 263.797 337.126 c
eofill
n
242.096 334.443 m
243.162 332.5 239.825 329.038 239.996 325.723 c
238.557 328.023 240.96 332.381 242.096 334.443 c
eofill
n
349.901 292.855 m
345.818 290.507 339.01 290.771 332.4 290.843 c
335.809 294.692 344.583 293.494 349.901 292.855 c
0.0 sc
eofill
n
380.003 243.889 m
361.751 227.327 333.626 256.615 328.9 270.049 c
320.358 294.333 372.045 299.295 382.804 283.464 c
383.45 282.512 385.821 277.044 385.604 274.745 c
385.214 270.637 378.237 264.074 377.903 255.963 c
377.744 252.102 378.594 248.677 380.003 243.889 c
eofill
n
303.699 289.501 m
300.093 289.492 299.222 288.63 296.699 290.172 c
298.743 290.818 303.655 292.552 303.699 289.501 c
1.0 sc
eofill
n
405.904 243.889 m
405.44 241.427 405.159 238.79 404.504 236.511 c
400.915 236.201 401.338 239.737 397.504 239.193 c
398.963 243.326 400.66 244.252 405.904 243.889 c
0.0 sc
eofill
n
313.5 231.145 m
316.143 231.441 316.786 229.821 318.4 229.132 c
317.548 228.16 315.604 228.233 315.6 226.449 c
314.251 226.722 315.047 229.05 312.8 228.461 c
312.711 229.664 313.657 229.876 313.5 231.145 c
1.0 sc
eofill
n
234.396 223.766 m
235.994 221.496 236.419 218.103 236.496 214.375 c
235.048 216.789 233.883 219.474 234.396 223.766 c
0.0 sc
eofill
n
236.496 213.704 m
237.603 212.306 238.778 210.972 239.296 209.009 c
239.95 209.501 240.357 210.229 240.696 211.021 c
243.049 209.716 241.634 205.406 242.096 200.96 c
240.518 201.459 241.823 204.722 241.396 206.326 c
241.263 206.869 240.694 206.994 240.696 207.668 c
239.257 207.358 239.345 209.687 236.496 209.68 c
h
eofill
n
240.696 192.91 m
242.821 189.055 239.509 178.342 241.396 172.117 c
239.354 169.795 240.487 182.937 240.696 186.203 c
240.851 188.61 240.575 191.107 240.696 192.91 c
eofill
n
308.6 162.055 m
314.675 154.383 312.125 145.973 317.7 138.578 c
316.42 136.645 316.564 136.48 317.0 133.883 c
313.95 133.228 311.994 131.525 310.0 129.858 c
307.797 129.537 307.263 130.813 305.799 131.2 c
305.191 140.651 304.613 147.547 307.899 154.006 c
303.2 152.07 309.483 158.048 308.6 162.055 c
1.0 sc
eofill
n
244.896 143.273 m
244.156 129.208 241.88 108.192 242.796 92.966 c
236.285 107.105 239.955 130.17 244.896 143.273 c
eofill
n
302.299 118.455 m
306.008 120.202 310.441 116.88 315.6 117.784 c
314.137 116.504 312.257 115.621 310.0 115.102 c
310.43 115.698 310.846 116.301 310.0 116.442 c
306.528 115.744 305.256 112.939 301.599 112.418 c
301.313 110.802 302.878 110.96 302.299 109.064 c
295.729 97.919 290.589 85.405 283.398 74.855 c
276.968 92.139 288.191 102.929 294.599 113.76 c
297.204 114.617 300.502 114.811 303.0 115.772 c
302.941 116.834 303.336 118.33 302.299 118.455 c
eofill
n
261.697 113.76 m
269.896 111.554 271.323 102.86 274.998 96.319 c
272.167 96.234 266.496 98.782 261.697 99.003 c
h
eofill
n
453.507 21.864 m
451.755 21.308 450.758 20.026 448.606 19.852 c
448.186 29.957 446.449 38.803 445.807 48.695 c
446.854 49.48 448.67 49.529 449.307 50.707 c
452.953 43.245 452.55 31.903 453.507 21.864 c
eofill
n
455.606 50.036 m
458.758 41.682 459.65 32.563 459.107 23.206 c
456.895 31.84 456.211 41.077 455.606 50.036 c
eofill
n
508.109 24.547 m
511.355 28.32 510.013 38.014 502.509 37.292 c
500.598 31.98 503.062 25.393 508.109 24.547 c
510.21 23.877 m
501.324 22.965 498.933 28.274 499.009 35.95 c
505.278 45.055 517.523 31.475 510.21 23.877 c
0.0 sc
eofill
n
502.509 37.292 m
510.013 38.014 511.355 28.32 508.109 24.547 c
503.062 25.393 500.598 31.98 502.509 37.292 c
1.0 sc
eofill
n
517.91 35.95 m
514.734 31.577 517.265 22.836 523.51 23.206 c
525.542 27.478 524.332 35.844 517.91 35.95 c
524.91 22.535 m
525.076 20.682 528.859 22.295 528.41 19.852 c
524.141 16.739 520.433 25.449 517.21 21.193 c
516.797 25.973 513.585 27.31 513.71 33.938 c
519.671 43.435 532.165 29.572 524.91 22.535 c
0.0 sc
eofill
n
523.51 23.206 m
517.265 22.836 514.734 31.577 517.91 35.95 c
524.332 35.844 525.542 27.478 523.51 23.206 c
1.0 sc
eofill
n
284.798 30.584 m
287.068 31.878 288.612 30.792 291.099 30.584 c
291.099 24.547 l
288.065 25.665 287.627 29.27 284.798 30.584 c
eofill
n
433.906 12.474 m
434.501 12.597 434.566 12.212 434.605 11.803 c
434.492 11.022 434.761 10.609 435.306 10.461 c
435.139 4.936 436.164 -1.384 436.706 -7.649 c
437.207 -13.44 439.325 -20.188 436.006 -22.406 c
431.935 -20.405 432.173 -13.479 431.806 -8.32 c
431.358 -2.04 432.145 5.144 431.806 11.132 c
432.37 11.709 433.724 11.53 433.906 12.474 c
eofill
n
420.605 -25.761 m
421.2 -25.637 421.266 -26.022 421.305 -26.432 c
421.177 -27.002 421.578 -27.063 422.005 -27.102 c
422.263 -33.01 422.791 -40.389 423.405 -47.225 c
423.912 -52.866 427.445 -61.162 421.305 -63.323 c
419.491 -51.869 419.411 -38.755 417.805 -27.102 c
419.108 -27.01 420.145 -26.661 420.605 -25.761 c
eofill
n
455.606 -37.163 m
455.987 -39.606 456.104 -40.257 457.007 -43.2 c
454.473 -41.866 454.052 -35.555 449.307 -38.505 c
453.136 -43.367 461.496 -48.421 455.606 -55.274 c
452.412 -55.876 451.639 -54.157 449.307 -53.933 c
450.123 -50.738 447.19 -48.917 448.606 -47.225 c
449.906 -49.78 451.392 -52.158 453.507 -53.933 c
455.754 -54.521 454.958 -52.193 456.307 -51.92 c
454.046 -46.284 446.483 -45.169 447.906 -37.834 c
449.713 -35.324 452.823 -35.775 455.606 -37.163 c
0.0 sc
eofill
n
463.308 -47.225 m
464.538 -46.839 467.42 -48.036 467.508 -46.555 c
464.521 -46.487 465.668 -42.06 464.707 -41.859 c
464.017 -43.434 463.479 -45.154 463.308 -47.225 c
464.008 -36.493 m
469.731 -41.293 470.361 -50.975 475.208 -56.616 c
473.366 -55.921 470.912 -55.813 468.207 -55.945 c
468.848 -54.77 468.448 -52.599 469.607 -51.92 c
467.864 -49.391 465.679 -48.632 462.607 -49.908 c
461.353 -53.794 464.99 -52.991 464.707 -55.945 c
463.105 -55.244 460.484 -55.52 459.107 -54.604 c
462.148 -49.915 462.82 -42.957 464.008 -36.493 c
eofill
n
478.708 -39.847 m
481.508 -39.847 l
482.104 -41.735 483.77 -42.599 483.608 -45.213 c
482.284 -46.543 480.301 -45.538 478.708 -45.213 c
480.231 -43.992 477.185 -41.067 478.708 -39.847 c
1.0 sc
eofill
n
428.306 -42.529 m
432.835 -44.021 429.524 -46.889 431.105 -50.579 c
427.428 -48.271 430.559 -45.576 428.306 -42.529 c
eofill
n
479.408 -47.896 m
481.681 -47.507 482.665 -48.353 484.309 -48.566 c
485.405 -51.125 485.772 -52.598 484.309 -55.274 c
479.157 -55.492 479.966 -50.419 479.408 -47.896 c
eofill
n
508.109 -82.775 m
511.609 -82.775 l
511.521 -83.979 512.467 -84.19 512.31 -85.459 c
510.906 -84.757 509.056 -81.867 508.81 -85.459 c
507.859 -85.251 508.229 -83.779 508.109 -82.775 c
0.0 sc
eofill
n
494.108 -86.801 m
495.318 -88.66 492.325 -92.224 489.209 -92.167 c
491.068 -90.595 493.245 -89.326 494.108 -86.801 c
eofill
n
428.306 -87.471 m
429.944 -87.689 428.985 -90.397 430.405 -90.825 c
429.02 -92.962 427.683 -89.473 428.306 -87.471 c
1.0 sc
eofill
n
472.408 -103.569 m
471.546 -103.862 470.971 -104.428 471.008 -105.582 c
468.381 -106.087 469.481 -103.02 467.508 -102.898 c
468.134 -101.71 470.349 -102.044 469.607 -99.545 c
470.46 -100.965 472.242 -101.493 472.408 -103.569 c
eofill
n
489.908 -103.569 m
489.57 -101.457 492.058 -102.051 491.309 -99.545 c
492.63 -100.515 494.412 -101.043 494.108 -103.569 c
492.57 -105.11 491.783 -104.658 489.908 -103.569 c
eofill
n
423.405 -107.595 m
424.647 -105.805 423.915 -111.524 424.105 -112.961 c
422.863 -114.75 423.596 -109.03 423.405 -107.595 c
eofill
n
450.707 -116.985 m
451.855 -117.096 451.855 -112.851 450.707 -112.961 c
451.451 -111.438 455.107 -112.705 457.007 -112.29 c
456.223 -121.449 443.292 -119.499 440.906 -112.961 c
445.277 -113.214 449.114 -111.688 450.707 -116.985 c
eofill
n
440.906 -112.961 m
443.292 -119.499 456.223 -121.449 457.007 -112.29 c
455.107 -112.705 451.451 -111.438 450.707 -112.961 c
451.855 -112.851 451.855 -117.096 450.707 -116.985 c
449.114 -111.688 445.277 -113.214 440.906 -112.961 c
424.105 -112.961 m
423.915 -111.524 424.647 -105.805 423.405 -107.595 c
423.596 -109.03 422.863 -114.75 424.105 -112.961 c
185.394 -103.569 m
185.436 -101.911 184.688 -97.609 183.993 -98.874 c
185.312 -103.715 180.065 -102.266 179.093 -104.911 c
188.182 -106.018 190.452 -100.591 194.494 -96.862 c
192.126 -97.08 190.815 -92.836 188.894 -94.85 c
190.269 -95.992 192.393 -96.416 193.094 -98.203 c
189.207 -98.727 187.533 -101.372 185.394 -103.569 c
430.405 -90.825 m
428.985 -90.397 429.944 -87.689 428.306 -87.471 c
427.683 -89.473 429.02 -92.962 430.405 -90.825 c
540.312 -75.397 m
504.953 -77.282 466.034 -76.428 431.105 -76.739 c
432.544 -88.105 432.56 -100.835 433.906 -112.29 c
462.218 -111.651 511.072 -109.362 545.911 -110.277 c
544.442 -98.493 543.693 -86.02 541.011 -75.397 c
h
431.806 -53.933 m
430.96 -53.791 431.375 -53.188 431.806 -52.591 c
431.263 -52.441 430.425 -52.572 430.405 -51.92 c
430.833 -51.883 431.234 -51.82 431.105 -51.25 c
427.934 -50.69 430.186 -58.35 431.806 -55.274 c
430.668 -55.475 429.917 -54.368 431.105 -53.933 c
431.104 -54.305 431.673 -54.694 431.806 -53.933 c
431.105 -50.579 m
429.524 -46.889 432.835 -44.021 428.306 -42.529 c
430.559 -45.576 427.428 -48.271 431.105 -50.579 c
429.006 -41.859 m
431.135 -40.424 429.522 -34.865 428.306 -32.468 c
426.215 -35.179 429.978 -40.22 429.006 -41.859 c
433.906 -59.299 m
467.277 -61.479 504.295 -63.707 540.312 -65.336 c
542.679 -65.303 543.348 -66.897 544.512 -68.019 c
543.232 -56.276 540.656 -45.776 538.911 -34.48 c
499.032 -31.887 468.391 -29.707 431.105 -26.432 c
431.704 -38.723 432.988 -45.673 433.906 -59.299 c
417.805 -27.102 m
419.411 -38.755 419.491 -51.869 421.305 -63.323 c
427.445 -61.162 423.912 -52.866 423.405 -47.225 c
422.791 -40.389 422.263 -33.01 422.005 -27.102 c
421.578 -27.063 421.177 -27.002 421.305 -26.432 c
421.266 -26.022 421.2 -25.637 420.605 -25.761 c
420.145 -26.661 419.108 -27.01 417.805 -27.102 c
444.406 11.803 m
444.775 2.329 446.709 -9.633 447.206 -19.053 c
481.067 -21.219 507.654 -24.143 548.712 -26.432 c
548.808 -27.681 549.172 -28.673 550.111 -29.114 c
548.047 -18.796 546.644 -7.842 544.512 2.412 c
512.655 5.229 472.271 8.489 444.406 11.803 c
431.806 11.132 m
432.145 5.144 431.358 -2.04 431.806 -8.32 c
432.173 -13.479 431.935 -20.405 436.006 -22.406 c
439.325 -20.188 437.207 -13.44 436.706 -7.649 c
436.164 -1.384 435.139 4.936 435.306 10.461 c
434.761 10.609 434.492 11.022 434.605 11.803 c
434.566 12.212 434.501 12.597 433.906 12.474 c
433.724 11.53 432.37 11.709 431.806 11.132 c
291.099 24.547 m
291.099 30.584 l
288.612 30.792 287.068 31.878 284.798 30.584 c
287.627 29.27 288.065 25.665 291.099 24.547 c
548.712 14.485 m
549.565 14.41 550.369 14.285 550.111 13.145 c
550.081 12.431 550.441 11.44 550.812 12.474 c
549.29 21.523 547.661 30.473 545.911 39.305 c
517.488 43.596 487.951 46.82 458.407 50.036 c
459.174 43.407 460.608 33.383 461.207 24.547 c
489.498 20.354 520.27 18.535 548.712 14.485 c
459.107 23.206 m
459.65 32.563 458.758 41.682 455.606 50.036 c
456.211 41.077 456.895 31.84 459.107 23.206 c
449.307 50.707 m
448.67 49.529 446.854 49.48 445.807 48.695 c
446.449 38.803 448.186 29.957 448.606 19.852 c
450.758 20.026 451.755 21.308 453.507 21.864 c
452.55 31.903 452.953 43.245 449.307 50.707 c
261.697 99.003 m
266.496 98.782 272.167 96.234 274.998 96.319 c
271.323 102.86 269.896 111.554 261.697 113.76 c
h
303.0 115.772 m
300.502 114.811 297.204 114.617 294.599 113.76 c
288.191 102.929 276.968 92.139 283.398 74.855 c
290.589 85.405 295.729 97.919 302.299 109.064 c
302.878 110.96 301.313 110.802 301.599 112.418 c
305.256 112.939 306.528 115.744 310.0 116.442 c
310.846 116.301 310.43 115.698 310.0 115.102 c
312.257 115.621 314.137 116.504 315.6 117.784 c
310.441 116.88 306.008 120.202 302.299 118.455 c
303.336 118.33 302.941 116.834 303.0 115.772 c
356.202 48.695 m
356.612 47.3 357.673 46.527 358.302 45.341 c
357.542 45.181 356.621 44.236 357.602 44.0 c
357.611 45.332 359.512 44.853 359.002 46.683 c
363.245 49.29 372.338 60.687 369.503 59.428 c
369.542 59.837 369.607 60.222 370.203 60.098 c
369.969 56.951 366.326 58.617 364.603 58.757 c
365.335 56.859 363.447 54.155 364.603 54.062 c
364.809 54.657 366.496 56.998 366.702 55.402 c
364.903 55.338 365.701 52.784 363.902 52.72 c
360.545 58.223 357.465 63.991 354.102 69.489 c
354.707 62.384 360.926 58.399 356.202 48.695 c
349.201 88.941 m
362.053 98.986 383.324 100.964 380.703 125.834 c
372.736 121.118 364.62 120.807 356.202 119.126 c
353.471 118.58 351.11 116.456 347.802 116.442 c
344.115 116.428 340.976 119.504 337.301 119.797 c
332.525 120.177 327.116 118.04 322.6 117.113 c
324.914 116.107 321.146 115.474 321.9 113.76 c
328.2 113.76 l
329.125 115.438 325.433 115.859 327.501 116.442 c
330.774 115.108 333.572 113.316 335.901 111.076 c
334.361 103.381 330.914 93.947 329.601 88.271 c
331.902 89.168 330.764 88.077 331.701 90.283 c
342.099 86.468 348.807 79.973 352.702 70.16 c
353.492 75.701 346.735 79.582 347.102 86.929 c
349.868 85.295 346.583 87.678 348.502 88.271 c
349.956 87.52 349.984 87.547 349.201 88.941 c
354.102 125.163 m
365.544 127.169 378.804 131.006 382.104 138.578 c
375.081 131.892 363.15 129.907 354.102 125.163 c
242.796 92.966 m
241.88 108.192 244.156 129.208 244.896 143.273 c
239.955 130.17 236.285 107.105 242.796 92.966 c
388.403 121.139 m
393.903 127.276 393.784 139.751 391.903 144.615 c
392.907 136.637 380.407 129.962 388.403 121.139 c
307.899 154.006 m
304.613 147.547 305.191 140.651 305.799 131.2 c
307.263 130.813 307.797 129.537 310.0 129.858 c
311.994 131.525 313.95 133.228 317.0 133.883 c
316.564 136.48 316.42 136.645 317.7 138.578 c
312.125 145.973 314.675 154.383 308.6 162.055 c
309.483 158.048 303.2 152.07 307.899 154.006 c
312.8 228.461 m
315.047 229.05 314.251 226.722 315.6 226.449 c
315.604 228.233 317.548 228.16 318.4 229.132 c
316.786 229.821 316.143 231.441 313.5 231.145 c
313.657 229.876 312.711 229.664 312.8 228.461 c
300.899 216.388 m
301.256 220.518 302.618 223.684 303.0 227.791 c
295.785 231.439 304.666 240.863 310.0 234.498 c
309.641 239.792 307.21 240.92 307.2 245.901 c
302.201 243.472 295.592 238.216 297.399 229.803 c
295.535 228.251 292.96 223.265 295.999 221.083 c
296.192 222.259 294.028 224.43 295.999 225.107 c
296.472 219.969 298.21 218.106 300.899 216.388 c
289.699 245.23 m
294.173 248.55 300.955 253.22 301.599 257.976 c
299.028 252.832 291.614 248.768 289.699 245.23 c
307.899 250.597 m
308.51 252.941 310.588 257.381 308.6 259.987 c
308.989 257.6 305.037 254.656 308.6 254.621 c
307.443 254.611 308.208 252.761 307.2 252.609 c
307.202 252.981 306.632 253.37 306.5 252.609 c
307.655 252.599 306.891 250.749 307.899 250.597 c
311.4 271.391 m
312.958 273.594 313.662 279.421 311.4 281.452 c
311.106 277.181 310.998 273.175 311.4 271.391 c
326.801 283.464 m
323.645 285.683 311.96 286.438 312.8 282.123 c
315.108 285.945 324.377 282.989 326.801 283.464 c
309.3 283.464 m
309.015 286.491 301.809 289.471 301.599 288.16 c
304.835 287.235 306.922 285.211 309.3 283.464 c
296.699 290.172 m
299.222 288.63 300.093 289.492 303.699 289.501 c
303.655 292.552 298.743 290.818 296.699 290.172 c
254.697 303.587 m
252.251 303.222 249.397 299.756 250.497 298.221 c
250.653 298.742 250.516 299.544 251.197 299.563 c
251.354 299.042 251.216 298.24 251.897 298.221 c
252.015 302.573 253.02 299.924 254.697 303.587 c
387.703 314.991 m
383.931 317.518 379.809 321.193 375.803 323.04 c
337.156 340.858 272.046 333.811 246.997 307.612 c
249.687 307.003 253.665 311.43 256.797 313.649 c
292.652 339.057 370.621 337.958 396.804 304.258 c
398.016 309.765 391.957 312.142 387.703 314.991 c
239.996 325.723 m
239.825 329.038 243.162 332.5 242.096 334.443 c
240.96 332.381 238.557 328.023 239.996 325.723 c
258.897 336.455 m
252.857 330.614 242.625 325.219 240.696 317.674 c
249.26 323.331 256.335 330.414 263.797 337.126 c
261.588 337.454 261.325 335.917 258.897 336.455 c
401.004 326.394 m
399.797 327.266 396.705 332.1 394.004 333.772 c
394.158 334.295 394.59 334.552 395.404 334.443 c
395.325 336.157 394.12 336.791 393.304 337.797 c
391.721 334.498 386.21 338.901 387.703 337.797 c
391.603 334.546 399.437 325.275 401.004 326.394 c
399.604 323.71 m
391.632 332.171 382.533 343.126 367.402 342.492 c
379.82 338.291 389.667 328.053 399.604 323.71 c
244.896 338.468 m
245.702 339.313 248.1 342.035 246.296 343.163 c
243.94 342.296 244.126 330.771 244.896 338.468 c
262.397 341.821 m
266.738 343.699 271.917 344.774 275.698 347.188 c
271.338 347.885 265.361 344.664 262.397 341.821 c
401.704 327.064 m
398.708 335.149 396.251 343.751 389.804 348.529 c
394.293 340.481 397.984 334.951 401.704 327.064 c
270.098 349.871 m
273.651 348.813 283.331 350.815 284.098 353.896 c
281.25 353.047 278.4 352.2 274.998 351.883 c
276.001 352.865 275.535 354.009 273.598 353.896 c
272.549 352.441 270.095 352.333 270.098 349.871 c
257.497 351.883 m
257.699 351.692 261.628 353.248 259.597 352.554 c
259.054 352.704 258.216 352.572 258.197 353.225 c
259.129 353.896 260.31 354.33 260.997 355.237 c
258.894 355.418 256.148 352.788 257.497 351.883 c
377.203 345.846 m
378.514 346.826 381.842 345.873 382.804 347.188 c
380.734 349.4 376.373 349.005 374.403 348.529 c
375.637 347.923 376.57 347.029 377.203 345.846 c
363.902 351.212 m
366.568 350.894 368.272 351.497 368.803 353.225 c
364.142 353.23 362.604 356.229 357.602 355.908 c
359.67 352.818 355.885 354.838 354.802 353.225 c
363.754 348.833 375.564 343.608 384.203 341.151 c
378.763 347.249 370.329 346.707 363.902 351.212 c
304.399 355.237 m
309.367 354.389 318.99 354.59 322.6 357.249 c
318.049 357.799 309.273 356.61 304.399 355.237 c
386.304 344.504 m
383.562 350.378 380.271 359.289 373.703 359.261 c
377.983 354.863 382.952 347.559 386.304 344.504 c
371.603 353.225 m
367.71 354.423 364.802 365.927 356.902 363.286 c
357.662 363.125 358.583 362.182 357.602 361.944 c
356.816 361.876 356.512 362.919 356.202 361.944 c
361.791 360.525 370.078 351.941 371.603 353.225 c
308.6 363.957 m
324.934 355.586 344.37 368.122 347.102 380.726 c
342.493 366.581 323.285 358.619 308.6 363.957 c
319.8 411.582 m
315.023 413.818 311.234 410.792 308.6 408.898 c
317.119 409.683 317.73 402.89 318.4 396.154 c
313.847 387.489 304.324 380.208 304.399 369.323 c
308.006 368.819 308.876 369.681 311.4 368.652 c
307.689 378.628 315.154 386.669 319.8 392.8 c
322.186 384.354 322.949 374.353 328.2 368.652 c
330.805 369.835 333.385 369.335 335.201 367.981 c
326.688 379.276 327.617 399.62 319.8 411.582 c
327.501 269.378 m
322.6 269.378 l
321.13 260.632 316.914 254.621 317.7 247.914 c
317.857 248.435 317.719 249.236 318.4 249.255 c
318.066 246.853 317.262 245.379 318.4 243.219 c
317.698 243.216 317.567 243.762 317.0 243.889 c
318.358 241.653 316.006 236.907 318.4 239.864 c
317.352 235.7 319.959 233.483 322.6 231.145 c
321.516 230.396 321.143 228.964 319.1 229.132 c
318.209 223.359 322.566 222.616 324.7 219.741 c
325.35 221.802 329.084 220.907 330.301 222.425 c
330.279 220.442 333.542 220.153 334.501 221.083 c
332.215 224.93 331.089 229.888 326.801 231.815 c
327.437 233.218 328.866 233.86 331.001 233.827 c
331.932 230.026 339.512 222.925 335.201 222.425 c
335.819 220.78 337.299 219.963 336.601 217.059 c
334.429 216.178 334.604 217.24 331.701 217.059 c
331.73 216.135 331.371 215.585 331.001 215.046 c
332.971 217.131 340.802 213.493 343.602 214.375 c
343.538 212.545 344.768 213.025 343.602 211.692 c
347.513 211.298 348.997 213.229 352.702 213.033 c
349.92 217.076 346.073 220.098 343.602 224.437 c
347.06 224.808 342.873 224.781 342.901 225.778 c
343.019 226.56 344.008 226.507 345.001 226.449 c
344.618 227.424 345.819 229.916 344.302 229.803 c
344.233 229.305 341.568 229.305 341.501 229.803 c
340.95 232.791 341.979 234.264 342.901 235.84 c
333.62 243.046 329.249 254.955 327.501 269.378 c
71.988 63.452 m
75.19 64.854 77.814 66.813 77.588 71.501 c
88.843 73.461 89.955 85.141 94.389 93.637 c
99.289 93.637 l
100.435 99.065 114.086 95.906 120.29 96.99 c
121.11 97.099 120.881 98.214 120.99 99.003 c
133.707 99.115 139.85 105.526 153.192 105.04 c
157.742 108.581 167.309 110.369 172.793 109.064 c
179.777 116.142 188.263 114.573 199.394 116.442 c
192.942 118.949 210.24 121.288 213.395 121.139 c
216.919 125.811 223.365 127.683 223.195 135.896 c
230.365 138.863 231.902 147.229 239.996 149.311 c
240.101 154.104 239.949 155.726 240.696 162.055 c
241.628 160.029 241.277 150.994 245.597 149.981 c
248.687 150.53 251.995 149.833 253.997 152.664 c
264.717 146.168 276.445 140.635 286.898 133.883 c
288.442 140.015 285.188 144.035 284.098 148.64 c
282.085 150.052 279.969 149.369 278.498 149.981 c
279.1 150.522 278.914 151.818 279.898 151.993 c
272.857 157.003 270.389 157.391 268.698 168.763 c
267.877 168.654 268.107 167.54 267.998 166.751 c
265.892 170.24 265.636 174.191 268.698 176.813 c
268.122 178.859 266.729 178.421 267.998 180.837 c
266.171 177.745 266.76 176.318 265.197 172.787 c
261.265 181.377 263.206 199.305 265.197 209.68 c
263.715 209.127 263.383 210.187 263.097 213.033 c
261.504 212.548 262.889 209.209 260.297 209.68 c
259.078 213.482 257.669 213.832 257.497 217.729 c
255.328 214.287 258.865 210.56 260.297 208.338 c
257.133 200.089 256.719 199.613 256.097 190.898 c
255.147 199.59 250.905 209.717 254.697 217.059 c
255.517 216.95 255.287 215.835 255.397 215.046 c
258.126 215.63 254.389 217.795 254.697 219.07 c
254.829 219.615 256.784 220.126 256.797 220.412 c
256.835 221.227 254.701 221.836 254.697 221.754 c
254.748 222.902 256.515 221.827 256.797 222.425 c
256.554 221.91 256.152 226.146 256.097 226.449 c
255.404 230.285 252.718 236.249 250.497 238.522 c
250.917 241.572 250.755 243.198 251.897 246.572 c
248.035 241.922 253.948 250.153 251.197 249.926 c
255.398 249.473 256.996 240.732 263.097 239.864 c
256.299 243.683 249.691 257.859 251.197 266.024 c
250.545 264.189 247.705 264.451 246.296 263.342 c
250.755 267.016 254.723 278.546 251.897 286.147 c
251.906 287.724 253.807 285.902 253.297 284.806 c
254.627 289.65 257.457 293.415 258.897 294.868 c
256.895 296.548 252.736 295.404 249.797 293.526 c
248.231 293.815 249.513 296.832 249.097 298.221 c
246.199 290.817 239.14 287.001 240.696 274.074 c
239.241 274.449 239.213 275.12 239.996 276.086 c
236.154 274.206 242.033 272.992 242.796 271.391 c
242.378 264.876 244.448 262.773 241.396 259.316 c
242.404 259.692 243.104 260.363 243.496 261.329 c
243.853 257.172 244.297 249.94 243.496 243.889 c
242.033 243.605 241.643 244.349 240.696 244.56 c
241.746 239.452 244.62 233.072 239.996 229.803 c
237.942 230.88 236.193 235.81 238.596 237.182 c
238.39 238.776 236.702 236.436 236.496 235.84 c
230.089 238.514 234.56 249.341 235.796 251.938 c
237.492 253.625 237.353 250.587 237.896 249.255 c
240.165 252.384 233.58 275.508 228.795 266.024 c
226.797 262.063 228.462 252.25 228.795 246.572 c
225.05 256.536 225.567 272.131 237.896 272.732 c
239.774 279.764 233.73 282.106 229.496 284.806 c
225.178 287.558 222.336 294.917 217.595 294.868 c
212.686 305.367 206.74 314.875 200.794 324.381 c
201.981 336.655 198.296 346.384 200.794 355.908 c
202.785 363.495 210.137 368.878 210.595 376.702 c
218.609 388.922 226.706 401.063 232.296 415.606 c
237.006 418.248 237.862 424.583 240.696 429.021 c
250.083 432.101 253.288 441.104 262.397 444.449 c
262.397 447.803 l
271.344 449.292 272.312 458.426 282.698 458.535 c
284.896 458.218 284.548 460.341 286.198 460.548 c
294.623 460.524 303.629 459.944 308.6 463.231 c
329.235 463.775 345.591 460.218 363.902 458.535 c
366.289 454.114 372.183 453.054 374.403 448.474 c
375.215 447.911 376.279 447.589 377.903 447.803 c
385.117 439.511 394.755 433.542 403.104 426.338 c
407.774 415.807 419.248 401.453 427.605 390.117 c
427.787 386.937 428.332 384.106 430.405 382.738 c
430.405 378.714 l
439.521 362.954 445.832 329.106 432.506 312.308 c
432.536 310.592 431.985 311.49 431.105 311.637 c
428.293 302.144 423.28 298.4 419.205 290.843 c
412.571 290.715 412.852 283.963 406.604 283.464 c
404.175 281.321 405.457 275.62 401.704 274.745 c
402.15 271.818 405.29 271.473 407.305 270.049 c
410.933 266.431 409.264 266.431 406.604 270.049 c
404.266 270.491 403.181 272.135 401.004 272.732 c
401.51 274.782 400.288 275.177 400.304 276.757 c
399.483 276.648 399.714 275.534 399.604 274.745 c
395.828 304.747 365.267 315.206 334.501 314.991 c
335.927 313.099 332.96 314.154 334.501 311.637 c
333.007 311.323 333.168 312.595 333.101 313.649 c
328.189 307.244 321.906 296.282 320.5 290.843 c
312.896 297.83 319.043 312.756 308.6 317.674 c
303.84 316.645 305.106 309.842 301.599 307.612 c
306.119 300.45 306.033 293.025 317.0 292.185 c
314.397 290.206 308.9 291.001 304.399 290.843 c
306.656 287.192 317.93 292.181 318.4 286.818 c
320.311 287.424 316.271 288.319 318.4 289.501 c
338.001 289.501 l
333.701 287.361 330.055 284.595 326.801 281.452 c
325.453 261.088 348.013 241.605 364.603 237.182 c
363.159 236.328 360.984 236.177 359.702 235.169 c
362.563 239.252 356.666 234.34 354.102 236.511 c
354.34 235.164 353.959 234.412 352.702 234.498 c
354.491 228.909 361.311 221.284 358.302 214.375 c
373.915 214.578 387.628 212.962 400.304 210.351 c
404.061 213.459 401.965 222.175 405.904 225.107 c
403.462 218.644 404.88 214.72 402.404 209.68 c
403.049 208.508 404.593 208.199 406.604 208.338 c
409.308 214.603 414.059 221.266 412.904 229.132 c
414.857 229.72 416.362 230.738 418.505 231.145 c
419.699 228.776 421.743 225.721 419.905 222.425 c
424.084 214.456 428.896 207.888 428.306 196.936 c
423.385 184.104 409.015 184.798 397.504 186.874 c
398.991 181.145 397.844 172.889 398.204 166.08 c
396.625 168.601 397.931 179.674 397.504 185.532 c
390.178 184.465 378.929 184.465 371.603 185.532 c
369.684 185.519 369.94 182.368 370.902 181.508 c
370.03 180.072 369.17 184.266 368.803 185.532 c
353.525 187.353 341.924 191.047 334.501 186.203 c
334.352 182.466 339.798 180.567 340.102 179.495 c
341.099 177.271 332.095 181.212 333.101 185.532 c
330.057 186.455 323.282 186.907 321.2 184.861 c
320.938 182.03 325.963 181.521 324.7 178.153 c
327.806 182.509 327.499 172.85 329.601 175.471 c
332.455 174.976 331.188 168.955 333.801 169.434 c
335.99 168.349 331.019 168.6 332.4 166.08 c
332.41 164.504 334.311 166.325 333.801 167.421 c
332.895 161.781 331.273 157.57 331.001 148.64 c
330.24 148.806 330.525 149.974 329.601 149.981 c
331.038 148.042 325.5 143.503 328.2 140.591 c
325.265 139.363 323.438 135.075 324.7 131.87 c
327.669 132.229 339.268 130.912 339.401 131.2 c
352.32 130.529 375.411 142.27 382.804 145.286 c
384.537 144.224 383.089 140.593 382.804 139.249 c
384.727 140.536 386.058 142.391 385.604 145.957 c
389.419 148.561 395.013 149.462 396.804 154.006 c
398.832 155.117 395.44 152.419 396.104 150.652 c
398.395 149.046 400.019 146.802 404.504 147.298 c
406.847 142.388 409.719 137.984 415.005 135.896 c
414.936 128.227 421.337 126.758 423.405 121.139 c
429.476 122.459 436.398 121.338 440.206 117.113 c
441.187 117.351 440.267 118.295 439.506 118.455 c
440.644 120.145 441.778 116.214 442.307 115.102 c
451.886 114.25 465.622 115.221 466.107 107.723 c
472.891 108.617 480.403 110.39 483.608 105.04 c
482.305 104.398 481.269 107.049 480.809 105.04 c
486.318 101.815 501.291 106.936 501.109 99.674 c
510.051 100.993 517.076 100.198 522.811 95.648 c
539.221 99.815 547.974 87.258 551.512 74.855 c
558.645 69.169 568.117 65.724 576.013 60.769 c
576.013 -184.063 l
71.988 -184.063 l
h
0.0 sc
eofill
n
240.696 186.203 m
240.487 182.937 239.354 169.795 241.396 172.117 c
239.509 178.342 242.821 189.055 240.696 192.91 c
240.575 191.107 240.851 188.61 240.696 186.203 c
236.496 209.68 m
239.345 209.687 239.257 207.358 240.696 207.668 c
240.694 206.994 241.263 206.869 241.396 206.326 c
241.823 204.722 240.518 201.459 242.096 200.96 c
241.634 205.406 243.049 209.716 240.696 211.021 c
240.357 210.229 239.95 209.501 239.296 209.009 c
238.778 210.972 237.603 212.306 236.496 213.704 c
h
236.496 214.375 m
236.419 218.103 235.994 221.496 234.396 223.766 c
233.883 219.474 235.048 216.789 236.496 214.375 c
232.996 228.461 m
231.852 230.294 231.038 235.945 230.196 235.84 c
230.663 232.934 230.372 229.301 232.996 228.461 c
397.504 239.193 m
401.338 239.737 400.915 236.201 404.504 236.511 c
405.159 238.79 405.44 241.427 405.904 243.889 c
400.66 244.252 398.963 243.326 397.504 239.193 c
332.4 290.843 m
339.01 290.771 345.818 290.507 349.901 292.855 c
344.583 293.494 335.809 294.692 332.4 290.843 c
382.104 286.818 m
379.886 300.126 346.105 307.075 335.901 294.197 c
354.41 298.166 372.812 294.284 382.104 286.818 c
377.903 255.963 m
378.237 264.074 385.214 270.637 385.604 274.745 c
385.821 277.044 383.45 282.512 382.804 283.464 c
372.045 299.295 320.358 294.333 328.9 270.049 c
333.626 256.615 361.751 227.327 380.003 243.889 c
378.594 248.677 377.744 252.102 377.903 255.963 c
576.013 60.769 m
568.117 65.724 558.645 69.169 551.512 74.855 c
547.974 87.258 539.221 99.815 522.811 95.648 c
517.076 100.198 510.051 100.993 501.109 99.674 c
501.291 106.936 486.318 101.815 480.809 105.04 c
481.269 107.049 482.305 104.398 483.608 105.04 c
480.403 110.39 472.891 108.617 466.107 107.723 c
465.622 115.221 451.886 114.25 442.307 115.102 c
441.778 116.214 440.644 120.145 439.506 118.455 c
440.267 118.295 441.187 117.351 440.206 117.113 c
436.398 121.338 429.476 122.459 423.405 121.139 c
421.337 126.758 414.936 128.227 415.005 135.896 c
409.719 137.984 406.847 142.388 404.504 147.298 c
400.019 146.802 398.395 149.046 396.104 150.652 c
395.44 152.419 398.832 155.117 396.804 154.006 c
395.013 149.462 389.419 148.561 385.604 145.957 c
386.058 142.391 384.727 140.536 382.804 139.249 c
383.089 140.593 384.537 144.224 382.804 145.286 c
375.411 142.27 352.32 130.529 339.401 131.2 c
339.268 130.912 327.669 132.229 324.7 131.87 c
323.438 135.075 325.265 139.363 328.2 140.591 c
325.5 143.503 331.038 148.042 329.601 149.981 c
330.525 149.974 330.24 148.806 331.001 148.64 c
331.273 157.57 332.895 161.781 333.801 167.421 c
334.311 166.325 332.41 164.504 332.4 166.08 c
331.019 168.6 335.99 168.349 333.801 169.434 c
331.188 168.955 332.455 174.976 329.601 175.471 c
327.499 172.85 327.806 182.509 324.7 178.153 c
325.963 181.521 320.938 182.03 321.2 184.861 c
323.282 186.907 330.057 186.455 333.101 185.532 c
332.095 181.212 341.099 177.271 340.102 179.495 c
339.798 180.567 334.352 182.466 334.501 186.203 c
341.924 191.047 353.525 187.353 368.803 185.532 c
369.17 184.266 370.03 180.072 370.902 181.508 c
369.94 182.368 369.684 185.519 371.603 185.532 c
378.929 184.465 390.178 184.465 397.504 185.532 c
397.931 179.674 396.625 168.601 398.204 166.08 c
397.844 172.889 398.991 181.145 397.504 186.874 c
409.015 184.798 423.385 184.104 428.306 196.936 c
428.896 207.888 424.084 214.456 419.905 222.425 c
421.743 225.721 419.699 228.776 418.505 231.145 c
416.362 230.738 414.857 229.72 412.904 229.132 c
414.059 221.266 409.308 214.603 406.604 208.338 c
404.593 208.199 403.049 208.508 402.404 209.68 c
404.88 214.72 403.462 218.644 405.904 225.107 c
401.965 222.175 404.061 213.459 400.304 210.351 c
387.628 212.962 373.915 214.578 358.302 214.375 c
361.311 221.284 354.491 228.909 352.702 234.498 c
353.959 234.412 354.34 235.164 354.102 236.511 c
356.666 234.34 362.563 239.252 359.702 235.169 c
360.984 236.177 363.159 236.328 364.603 237.182 c
348.013 241.605 325.453 261.088 326.801 281.452 c
330.055 284.595 333.701 287.361 338.001 289.501 c
318.4 289.501 l
316.271 288.319 320.311 287.424 318.4 286.818 c
317.93 292.181 306.656 287.192 304.399 290.843 c
308.9 291.001 314.397 290.206 317.0 292.185 c
306.033 293.025 306.119 300.45 301.599 307.612 c
305.106 309.842 303.84 316.645 308.6 317.674 c
319.043 312.756 312.896 297.83 320.5 290.843 c
321.906 296.282 328.189 307.244 333.101 313.649 c
333.168 312.595 333.007 311.323 334.501 311.637 c
332.96 314.154 335.927 313.099 334.501 314.991 c
365.267 315.206 395.828 304.747 399.604 274.745 c
399.714 275.534 399.483 276.648 400.304 276.757 c
400.288 275.177 401.51 274.782 401.004 272.732 c
403.181 272.135 404.266 270.491 406.604 270.049 c
409.264 266.431 410.933 266.431 407.305 270.049 c
405.29 271.473 402.15 271.818 401.704 274.745 c
405.457 275.62 404.175 281.321 406.604 283.464 c
412.852 283.963 412.571 290.715 419.205 290.843 c
423.28 298.4 428.293 302.144 431.105 311.637 c
431.985 311.49 432.536 310.592 432.506 312.308 c
445.832 329.106 439.521 362.954 430.405 378.714 c
430.405 382.738 l
428.332 384.106 427.787 386.937 427.605 390.117 c
419.248 401.453 407.774 415.807 403.104 426.338 c
394.755 433.542 385.117 439.511 377.903 447.803 c
376.279 447.589 375.215 447.911 374.403 448.474 c
372.183 453.054 366.289 454.114 363.902 458.535 c
345.591 460.218 329.235 463.775 308.6 463.231 c
303.629 459.944 294.623 460.524 286.198 460.548 c
284.548 460.341 284.896 458.218 282.698 458.535 c
272.312 458.426 271.344 449.292 262.397 447.803 c
262.397 444.449 l
253.288 441.104 250.083 432.101 240.696 429.021 c
237.862 424.583 237.006 418.248 232.296 415.606 c
226.706 401.063 218.609 388.922 210.595 376.702 c
210.137 368.878 202.785 363.495 200.794 355.908 c
198.296 346.384 201.981 336.655 200.794 324.381 c
206.74 314.875 212.686 305.367 217.595 294.868 c
222.336 294.917 225.178 287.558 229.496 284.806 c
233.73 282.106 239.774 279.764 237.896 272.732 c
225.567 272.131 225.05 256.536 228.795 246.572 c
228.462 252.25 226.797 262.063 228.795 266.024 c
233.58 275.508 240.165 252.384 237.896 249.255 c
237.353 250.587 237.492 253.625 235.796 251.938 c
234.56 249.341 230.089 238.514 236.496 235.84 c
236.702 236.436 238.39 238.776 238.596 237.182 c
236.193 235.81 237.942 230.88 239.996 229.803 c
244.62 233.072 241.746 239.452 240.696 244.56 c
241.643 244.349 242.033 243.605 243.496 243.889 c
244.297 249.94 243.853 257.172 243.496 261.329 c
243.104 260.363 242.404 259.692 241.396 259.316 c
244.448 262.773 242.378 264.876 242.796 271.391 c
242.033 272.992 236.154 274.206 239.996 276.086 c
239.213 275.12 239.241 274.449 240.696 274.074 c
239.14 287.001 246.199 290.817 249.097 298.221 c
249.513 296.832 248.231 293.815 249.797 293.526 c
252.736 295.404 256.895 296.548 258.897 294.868 c
257.457 293.415 254.627 289.65 253.297 284.806 c
253.807 285.902 251.906 287.724 251.897 286.147 c
254.723 278.546 250.755 267.016 246.296 263.342 c
247.705 264.451 250.545 264.189 251.197 266.024 c
249.691 257.859 256.299 243.683 263.097 239.864 c
256.996 240.732 255.398 249.473 251.197 249.926 c
253.948 250.153 248.035 241.922 251.897 246.572 c
250.755 243.198 250.917 241.572 250.497 238.522 c
252.718 236.249 255.404 230.285 256.097 226.449 c
256.152 226.146 256.554 221.91 256.797 222.425 c
256.515 221.827 254.748 222.902 254.697 221.754 c
254.701 221.836 256.835 221.227 256.797 220.412 c
256.784 220.126 254.829 219.615 254.697 219.07 c
254.389 217.795 258.126 215.63 255.397 215.046 c
255.287 215.835 255.517 216.95 254.697 217.059 c
250.905 209.717 255.147 199.59 256.097 190.898 c
256.719 199.613 257.133 200.089 260.297 208.338 c
258.865 210.56 255.328 214.287 257.497 217.729 c
257.669 213.832 259.078 213.482 260.297 209.68 c
262.889 209.209 261.504 212.548 263.097 213.033 c
263.383 210.187 263.715 209.127 265.197 209.68 c
263.206 199.305 261.265 181.377 265.197 172.787 c
266.76 176.318 266.171 177.745 267.998 180.837 c
266.729 178.421 268.122 178.859 268.698 176.813 c
265.636 174.191 265.892 170.24 267.998 166.751 c
268.107 167.54 267.877 168.654 268.698 168.763 c
270.389 157.391 272.857 157.003 279.898 151.993 c
278.914 151.818 279.1 150.522 278.498 149.981 c
279.969 149.369 282.085 150.052 284.098 148.64 c
285.188 144.035 288.442 140.015 286.898 133.883 c
276.445 140.635 264.717 146.168 253.997 152.664 c
251.995 149.833 248.687 150.53 245.597 149.981 c
241.277 150.994 241.628 160.029 240.696 162.055 c
239.949 155.726 240.101 154.104 239.996 149.311 c
231.902 147.229 230.365 138.863 223.195 135.896 c
223.365 127.683 216.919 125.811 213.395 121.139 c
210.24 121.288 192.942 118.949 199.394 116.442 c
188.263 114.573 179.777 116.142 172.793 109.064 c
167.309 110.369 157.742 108.581 153.192 105.04 c
139.85 105.526 133.707 99.115 120.99 99.003 c
120.881 98.214 121.11 97.099 120.29 96.99 c
114.086 95.906 100.435 99.065 99.289 93.637 c
94.389 93.637 l
89.955 85.141 88.843 73.461 77.588 71.501 c
77.814 66.813 75.19 64.854 71.988 63.452 c
71.988 480.0 l
576.013 480.0 l
h
1.0 sc
eofill
n
342.901 235.84 m
341.979 234.264 340.95 232.791 341.501 229.803 c
341.568 229.305 344.233 229.305 344.302 229.803 c
345.819 229.916 344.618 227.424 345.001 226.449 c
344.008 226.507 343.019 226.56 342.901 225.778 c
342.873 224.781 347.06 224.808 343.602 224.437 c
346.073 220.098 349.92 217.076 352.702 213.033 c
348.997 213.229 347.513 211.298 343.602 211.692 c
344.768 213.025 343.538 212.545 343.602 214.375 c
340.802 213.493 332.971 217.131 331.001 215.046 c
331.371 215.585 331.73 216.135 331.701 217.059 c
334.604 217.24 334.429 216.178 336.601 217.059 c
337.299 219.963 335.819 220.78 335.201 222.425 c
339.512 222.925 331.932 230.026 331.001 233.827 c
328.866 233.86 327.437 233.218 326.801 231.815 c
331.089 229.888 332.215 224.93 334.501 221.083 c
333.542 220.153 330.279 220.442 330.301 222.425 c
329.084 220.907 325.35 221.802 324.7 219.741 c
322.566 222.616 318.209 223.359 319.1 229.132 c
321.143 228.964 321.516 230.396 322.6 231.145 c
319.959 233.483 317.352 235.7 318.4 239.864 c
316.006 236.907 318.358 241.653 317.0 243.889 c
317.567 243.762 317.698 243.216 318.4 243.219 c
317.262 245.379 318.066 246.853 318.4 249.255 c
317.719 249.236 317.857 248.435 317.7 247.914 c
316.914 254.621 321.13 260.632 322.6 269.378 c
327.501 269.378 l
329.249 254.955 333.62 243.046 342.901 235.84 c
eofill
n
347.102 380.726 m
344.37 368.122 324.934 355.586 308.6 363.957 c
323.285 358.619 342.493 366.581 347.102 380.726 c
eofill
n
356.202 361.944 m
356.512 362.919 356.816 361.876 357.602 361.944 c
358.583 362.182 357.662 363.125 356.902 363.286 c
364.802 365.927 367.71 354.423 371.603 353.225 c
370.078 351.941 361.791 360.525 356.202 361.944 c
eofill
n
373.703 359.261 m
380.271 359.289 383.562 350.378 386.304 344.504 c
382.952 347.559 377.983 354.863 373.703 359.261 c
eofill
n
384.203 341.151 m
375.564 343.608 363.754 348.833 354.802 353.225 c
355.885 354.838 359.67 352.818 357.602 355.908 c
362.604 356.229 364.142 353.23 368.803 353.225 c
368.272 351.497 366.568 350.894 363.902 351.212 c
370.329 346.707 378.763 347.249 384.203 341.151 c
eofill
n
374.403 348.529 m
376.373 349.005 380.734 349.4 382.804 347.188 c
381.842 345.873 378.514 346.826 377.203 345.846 c
376.57 347.029 375.637 347.923 374.403 348.529 c
eofill
n
260.997 355.237 m
260.31 354.33 259.129 353.896 258.197 353.225 c
258.216 352.572 259.054 352.704 259.597 352.554 c
261.628 353.248 257.699 351.692 257.497 351.883 c
256.148 352.788 258.894 355.418 260.997 355.237 c
eofill
n
389.804 348.529 m
396.251 343.751 398.708 335.149 401.704 327.064 c
397.984 334.951 394.293 340.481 389.804 348.529 c
eofill
n
387.703 337.797 m
386.21 338.901 391.721 334.498 393.304 337.797 c
394.12 336.791 395.325 336.157 395.404 334.443 c
394.59 334.552 394.158 334.295 394.004 333.772 c
396.705 332.1 399.797 327.266 401.004 326.394 c
399.437 325.275 391.603 334.546 387.703 337.797 c
eofill
n
396.804 304.258 m
370.621 337.958 292.652 339.057 256.797 313.649 c
253.665 311.43 249.687 307.003 246.997 307.612 c
272.046 333.811 337.156 340.858 375.803 323.04 c
379.809 321.193 383.931 317.518 387.703 314.991 c
391.957 312.142 398.016 309.765 396.804 304.258 c
eofill
n
251.897 298.221 m
251.216 298.24 251.354 299.042 251.197 299.563 c
250.516 299.544 250.653 298.742 250.497 298.221 c
249.397 299.756 252.251 303.222 254.697 303.587 c
253.02 299.924 252.015 302.573 251.897 298.221 c
eofill
n
335.901 294.197 m
346.105 307.075 379.886 300.126 382.104 286.818 c
372.812 294.284 354.41 298.166 335.901 294.197 c
0.0 sc
eofill
n
301.599 288.16 m
301.809 289.471 309.015 286.491 309.3 283.464 c
306.922 285.211 304.835 287.235 301.599 288.16 c
1.0 sc
eofill
n
312.8 282.123 m
311.96 286.438 323.645 285.683 326.801 283.464 c
324.377 282.989 315.108 285.945 312.8 282.123 c
eofill
n
311.4 281.452 m
313.662 279.421 312.958 273.594 311.4 271.391 c
310.998 273.175 311.106 277.181 311.4 281.452 c
eofill
n
306.5 252.609 m
306.632 253.37 307.202 252.981 307.2 252.609 c
308.208 252.761 307.443 254.611 308.6 254.621 c
305.037 254.656 308.989 257.6 308.6 259.987 c
310.588 257.381 308.51 252.941 307.899 250.597 c
306.891 250.749 307.655 252.599 306.5 252.609 c
eofill
n
301.599 257.976 m
300.955 253.22 294.173 248.55 289.699 245.23 c
291.614 248.768 299.028 252.832 301.599 257.976 c
eofill
n
295.999 225.107 m
294.028 224.43 296.192 222.259 295.999 221.083 c
292.96 223.265 295.535 228.251 297.399 229.803 c
295.592 238.216 302.201 243.472 307.2 245.901 c
307.21 240.92 309.641 239.792 310.0 234.498 c
304.666 240.863 295.785 231.439 303.0 227.791 c
302.618 223.684 301.256 220.518 300.899 216.388 c
298.21 218.106 296.472 219.969 295.999 225.107 c
eofill
n
230.196 235.84 m
231.038 235.945 231.852 230.294 232.996 228.461 c
230.372 229.301 230.663 232.934 230.196 235.84 c
0.0 sc
eofill
n
391.903 144.615 m
393.784 139.751 393.903 127.276 388.403 121.139 c
380.407 129.962 392.907 136.637 391.903 144.615 c
1.0 sc
eofill
n
382.104 138.578 m
378.804 131.006 365.544 127.169 354.102 125.163 c
363.15 129.907 375.081 131.892 382.104 138.578 c
eofill
n
348.502 88.271 m
346.583 87.678 349.868 85.295 347.102 86.929 c
346.735 79.582 353.492 75.701 352.702 70.16 c
348.807 79.973 342.099 86.468 331.701 90.283 c
330.764 88.077 331.902 89.168 329.601 88.271 c
330.914 93.947 334.361 103.381 335.901 111.076 c
333.572 113.316 330.774 115.108 327.501 116.442 c
325.433 115.859 329.125 115.438 328.2 113.76 c
321.9 113.76 l
321.146 115.474 324.914 116.107 322.6 117.113 c
327.116 118.04 332.525 120.177 337.301 119.797 c
340.976 119.504 344.115 116.428 347.802 116.442 c
351.11 116.456 353.471 118.58 356.202 119.126 c
364.62 120.807 372.736 121.118 380.703 125.834 c
383.324 100.964 362.053 98.986 349.201 88.941 c
349.984 87.547 349.956 87.52 348.502 88.271 c
eofill
n
354.102 69.489 m
357.465 63.991 360.545 58.223 363.902 52.72 c
365.701 52.784 364.903 55.338 366.702 55.402 c
366.496 56.998 364.809 54.657 364.603 54.062 c
363.447 54.155 365.335 56.859 364.603 58.757 c
366.326 58.617 369.969 56.951 370.203 60.098 c
369.607 60.222 369.542 59.837 369.503 59.428 c
372.338 60.687 363.245 49.29 359.002 46.683 c
359.512 44.853 357.611 45.332 357.602 44.0 c
356.621 44.236 357.542 45.181 358.302 45.341 c
357.673 46.527 356.612 47.3 356.202 48.695 c
360.926 58.399 354.707 62.384 354.102 69.489 c
eofill
n
513.71 33.938 m
513.585 27.31 516.797 25.973 517.21 21.193 c
520.433 25.449 524.141 16.739 528.41 19.852 c
528.859 22.295 525.076 20.682 524.91 22.535 c
532.165 29.572 519.671 43.435 513.71 33.938 c
499.009 35.95 m
498.933 28.274 501.324 22.965 510.21 23.877 c
517.523 31.475 505.278 45.055 499.009 35.95 c
483.608 43.329 m
473.862 36.4 489.757 11.258 498.309 27.23 c
495.953 26.805 496.118 23.964 492.709 24.547 c
484.476 24.824 479.798 42.453 489.209 42.658 c
494.111 42.765 494.484 35.844 497.609 35.279 c
496.105 36.745 497.28 40.778 495.509 41.987 c
492.297 42.364 487.997 46.449 483.608 43.329 c
461.207 24.547 m
460.608 33.383 459.174 43.407 458.407 50.036 c
487.951 46.82 517.488 43.596 545.911 39.305 c
547.661 30.473 549.29 21.523 550.812 12.474 c
550.441 11.44 550.081 12.431 550.111 13.145 c
550.369 14.285 549.565 14.41 548.712 14.485 c
520.27 18.535 489.498 20.354 461.207 24.547 c
eofill
n
513.71 -12.345 m
514.29 -14.766 522.841 -25.274 526.311 -16.369 c
526.042 -17.059 525.966 -15.34 526.311 -14.357 c
525.778 -15.878 530.232 -11.084 526.311 -9.662 c
528.308 -0.039 507.711 0.298 513.01 -10.333 c
512.75 -11.035 513.188 -10.168 513.71 -12.345 c
508.109 -14.357 m
508.067 -14.385 505.99 -12.608 508.109 -15.699 c
506.466 -15.913 505.481 -16.759 503.209 -16.369 c
501.104 -13.021 499.115 -9.56 499.709 -3.625 c
503.16 0.303 509.199 -5.246 508.109 -7.649 c
511.438 -7.439 507.689 -4.61 508.81 -2.283 c
495.225 4.92 494.452 -11.113 498.309 -11.004 c
495.951 -17.397 505.944 -20.3 510.909 -16.369 c
510.954 -14.092 510.089 -12.685 508.81 -11.674 c
510.044 -10.411 510.978 -12.592 511.609 -10.333 c
510.106 -9.09 506.481 -9.88 503.909 -9.662 c
505.396 -13.008 509.979 -13.119 508.109 -14.357 c
465.407 -3.625 m
466.97 -3.917 467.903 -4.811 468.207 -6.308 c
465.706 -4.497 467.644 -10.472 468.907 -12.345 c
466.355 -10.606 468.975 -13.419 468.207 -15.699 c
467.092 -15.825 464.534 -17.888 466.107 -18.382 c
470.16 -19.059 482.469 -22.261 483.608 -14.357 c
482.847 -17.136 491.803 -17.475 494.809 -16.369 c
493.89 -15.987 497.907 -12.704 494.809 -11.674 c
494.77 -14.549 489.864 -15.989 488.509 -13.687 c
488.235 -10.549 488.082 -11.458 487.809 -8.32 c
491.104 -7.623 491.329 -9.866 492.709 -11.004 c
492.587 -7.262 492.76 -3.865 490.608 -4.296 c
492.839 -5.624 489.197 -6.904 487.108 -6.308 c
487.525 -4.918 486.243 -1.901 487.809 -1.612 c
490.67 -3.498 488.209 -2.143 490.608 -1.612 c
492.255 -1.824 491.024 -4.792 493.409 -4.296 c
493.971 -1.969 492.366 -1.718 492.709 0.399 c
488.191 -0.451 481.102 3.483 480.108 -0.271 c
483.077 -0.355 483.722 -3.065 485.009 -2.954 c
483.574 -3.797 484.608 -5.908 483.608 -8.32 c
484.432 -8.426 485.596 -8.205 485.708 -8.991 c
482.286 -9.183 485.566 -11.446 486.408 -11.674 c
483.868 -11.028 485.82 -14.688 483.608 -14.357 c
483.46 -13.547 482.831 -13.945 482.208 -14.357 c
482.296 -12.679 483.544 -12.258 481.508 -11.674 c
481.235 -12.402 480.668 -13.285 481.508 -12.345 c
481.661 -14.077 478.034 -17.945 473.107 -17.04 c
470.458 -10.191 471.482 -1.868 469.607 4.424 c
470.708 4.488 472.035 4.334 471.708 5.766 c
471.514 6.73 460.44 8.643 461.907 5.766 c
462.18 6.795 462.747 5.864 461.907 5.095 c
466.096 5.308 466.209 1.615 467.508 -0.942 c
466.482 -0.953 465.289 1.887 465.407 -0.942 c
468.336 -0.688 466.172 -3.38 465.407 -3.625 c
544.512 2.412 m
546.644 -7.842 548.047 -18.796 550.111 -29.114 c
549.172 -28.673 548.808 -27.681 548.712 -26.432 c
507.654 -24.143 481.067 -21.219 447.206 -19.053 c
446.709 -9.633 444.775 2.329 444.406 11.803 c
472.271 8.489 512.655 5.229 544.512 2.412 c
eofill
n
465.407 -0.942 m
465.289 1.887 466.482 -0.953 467.508 -0.942 c
466.209 1.615 466.096 5.308 461.907 5.095 c
462.747 5.864 462.18 6.795 461.907 5.766 c
460.44 8.643 471.514 6.73 471.708 5.766 c
472.035 4.334 470.708 4.488 469.607 4.424 c
471.482 -1.868 470.458 -10.191 473.107 -17.04 c
478.034 -17.945 481.661 -14.077 481.508 -12.345 c
480.668 -13.285 481.235 -12.402 481.508 -11.674 c
483.544 -12.258 482.296 -12.679 482.208 -14.357 c
482.831 -13.945 483.46 -13.547 483.608 -14.357 c
485.82 -14.688 483.868 -11.028 486.408 -11.674 c
485.566 -11.446 482.286 -9.183 485.708 -8.991 c
485.596 -8.205 484.432 -8.426 483.608 -8.32 c
484.608 -5.908 483.574 -3.797 485.009 -2.954 c
483.722 -3.065 483.077 -0.355 480.108 -0.271 c
481.102 3.483 488.191 -0.451 492.709 0.399 c
492.366 -1.718 493.971 -1.969 493.409 -4.296 c
491.024 -4.792 492.255 -1.824 490.608 -1.612 c
488.209 -2.143 490.67 -3.498 487.809 -1.612 c
486.243 -1.901 487.525 -4.918 487.108 -6.308 c
489.197 -6.904 492.839 -5.624 490.608 -4.296 c
492.76 -3.865 492.587 -7.262 492.709 -11.004 c
491.329 -9.866 491.104 -7.623 487.809 -8.32 c
488.082 -11.458 488.235 -10.549 488.509 -13.687 c
489.864 -15.989 494.77 -14.549 494.809 -11.674 c
497.907 -12.704 493.89 -15.987 494.809 -16.369 c
491.803 -17.475 482.847 -17.136 483.608 -14.357 c
482.469 -22.261 470.16 -19.059 466.107 -18.382 c
464.534 -17.888 467.092 -15.825 468.207 -15.699 c
468.975 -13.419 466.355 -10.606 468.907 -12.345 c
467.644 -10.472 465.706 -4.497 468.207 -6.308 c
467.903 -4.811 466.97 -3.917 465.407 -3.625 c
466.172 -3.38 468.336 -0.688 465.407 -0.942 c
0.0 sc
eofill
n
503.909 -9.662 m
506.481 -9.88 510.106 -9.09 511.609 -10.333 c
510.978 -12.592 510.044 -10.411 508.81 -11.674 c
510.089 -12.685 510.954 -14.092 510.909 -16.369 c
505.944 -20.3 495.951 -17.397 498.309 -11.004 c
494.452 -11.113 495.225 4.92 508.81 -2.283 c
507.689 -4.61 511.438 -7.439 508.109 -7.649 c
509.199 -5.246 503.16 0.303 499.709 -3.625 c
499.115 -9.56 501.104 -13.021 503.209 -16.369 c
505.481 -16.759 506.466 -15.913 508.109 -15.699 c
505.99 -12.608 508.067 -14.385 508.109 -14.357 c
509.979 -13.119 505.396 -13.008 503.909 -9.662 c
eofill
n
520.01 -2.954 m
522.51 -5.376 523.174 -9.944 527.011 -11.004 c
524.954 -13.318 524.831 -13.35 524.21 -17.04 c
522.562 -17.025 522.149 -18.195 520.01 -17.711 c
519.215 -16.237 517.669 -15.482 517.21 -13.687 c
517.199 -15.384 515.373 -15.244 515.109 -12.345 c
518.12 -13.974 514.128 -5.783 516.51 -3.625 c
517.527 -3.258 520.128 -4.409 520.01 -2.954 c
1.0 sc
eofill
n
516.51 -3.625 m
514.128 -5.783 518.12 -13.974 515.109 -12.345 c
515.373 -15.244 517.199 -15.384 517.21 -13.687 c
517.669 -15.482 519.215 -16.237 520.01 -17.711 c
522.149 -18.195 522.562 -17.025 524.21 -17.04 c
524.831 -13.35 524.954 -13.318 527.011 -11.004 c
523.174 -9.944 522.51 -5.376 520.01 -2.954 c
520.128 -4.409 517.527 -3.258 516.51 -3.625 c
513.01 -10.333 m
507.711 0.298 528.308 -0.039 526.311 -9.662 c
530.232 -11.084 525.778 -15.878 526.311 -14.357 c
525.966 -15.34 526.042 -17.059 526.311 -16.369 c
522.841 -25.274 514.29 -14.766 513.71 -12.345 c
513.188 -10.168 512.75 -11.035 513.01 -10.333 c
0.0 sc
eofill
n
533.311 -57.957 m
531.124 -56.543 533.923 -54.238 531.211 -53.933 c
529.556 -54.807 529.861 -57.559 529.11 -59.299 c
533.097 -58.833 534.925 -60.436 538.911 -59.97 c
539.607 -57.969 539.688 -55.864 538.911 -55.274 c
538.501 -57.564 536.621 -58.446 533.311 -57.957 c
531.211 -49.237 m
530.808 -48.059 532.057 -45.297 530.511 -45.213 c
530.513 -45.585 529.943 -45.975 529.811 -45.213 c
530.942 -44.062 532.738 -43.547 535.411 -43.871 c
535.303 -44.768 536.511 -47.569 536.811 -45.884 c
535.43 -45.418 536.983 -42.141 535.411 -41.859 c
533.875 -43.528 526.524 -40.004 524.91 -42.529 c
526.494 -43.248 527.988 -44.052 529.11 -45.213 c
527.148 -45.871 530.127 -47.002 528.41 -47.896 c
532.328 -47.169 527.048 -52.794 531.211 -52.591 c
530.783 -52.629 530.382 -52.691 530.511 -53.262 c
531.926 -51.304 535.653 -50.172 536.811 -53.262 c
536.054 -50.916 535.984 -47.044 535.411 -47.896 c
535.333 -49.609 533.066 -49.228 531.211 -49.237 c
517.21 -58.628 m
521.196 -58.162 523.024 -59.765 527.011 -59.299 c
527.667 -58.732 528.506 -55.022 527.011 -54.604 c
526.601 -56.894 524.721 -57.775 521.41 -57.286 c
520.051 -51.876 518.526 -47.809 520.01 -41.188 c
517.195 -41.649 516.014 -40.545 513.71 -40.518 c
513.025 -43.823 516.34 -42.256 516.51 -43.2 c
515.503 -48.569 520.995 -55.437 517.21 -58.628 c
506.01 -48.566 m
504.687 -49.932 506.695 -55.79 505.31 -57.957 c
509.357 -57.433 511.294 -58.931 515.109 -58.628 c
515.107 -57.43 516.995 -54.726 515.109 -53.933 c
514.501 -55.586 513.479 -56.841 510.909 -56.616 c
507.021 -52.478 506.979 -45.906 508.109 -40.518 c
504.169 -40.451 505.05 -39.912 501.109 -39.847 c
503.802 -42.594 504.768 -45.967 506.01 -48.566 c
491.309 -57.286 m
495.507 -56.842 498.141 -57.895 501.81 -57.957 c
502.548 -57.26 503.255 -53.168 501.81 -52.591 c
499.905 -59.398 492.142 -53.92 495.509 -48.566 c
497.876 -48.534 498.546 -50.128 499.709 -51.25 c
498.921 -49.322 499.567 -46.02 498.309 -44.542 c
497.873 -47.376 496.754 -47.006 494.108 -46.555 c
494.625 -43.649 492.525 -42.399 494.809 -41.188 c
497.295 -40.841 498.587 -42.632 500.409 -44.542 c
500.186 -42.967 499.303 -42.024 499.709 -39.847 c
497.789 -39.646 490.268 -38.615 487.809 -39.176 c
489.694 -41.15 490.73 -43.675 492.709 -43.871 c
489.426 -46.578 494.073 -52.155 491.309 -57.286 c
478.008 -52.591 m
475.885 -52.569 476.264 -54.944 475.908 -56.616 c
487.108 -56.616 l
490.347 -52.326 487.916 -49.979 485.708 -45.884 c
488.177 -38.196 479.556 -37.093 472.408 -37.834 c
478.483 -43.708 475.183 -46.119 478.008 -52.591 c
459.107 -54.604 m
460.484 -55.52 463.105 -55.244 464.707 -55.945 c
464.99 -52.991 461.353 -53.794 462.607 -49.908 c
465.679 -48.632 467.864 -49.391 469.607 -51.92 c
468.448 -52.599 468.848 -54.77 468.207 -55.945 c
470.912 -55.813 473.366 -55.921 475.208 -56.616 c
470.361 -50.975 469.731 -41.293 464.008 -36.493 c
462.82 -42.957 462.148 -49.915 459.107 -54.604 c
447.906 -37.834 m
446.483 -45.169 454.046 -46.284 456.307 -51.92 c
454.958 -52.193 455.754 -54.521 453.507 -53.933 c
451.392 -52.158 449.906 -49.78 448.606 -47.225 c
447.19 -48.917 450.123 -50.738 449.307 -53.933 c
451.639 -54.157 452.412 -55.876 455.606 -55.274 c
461.496 -48.421 453.136 -43.367 449.307 -38.505 c
454.052 -35.555 454.473 -41.866 457.007 -43.2 c
456.104 -40.257 455.987 -39.606 455.606 -37.163 c
452.823 -35.775 449.713 -35.324 447.906 -37.834 c
437.406 -57.286 m
440.371 -59.115 442.306 -57.745 447.206 -58.628 c
446.944 -55.432 444.229 -56.3 443.006 -53.262 c
441.3 -49.024 443.648 -39.649 440.906 -34.48 c
441.452 -34.332 441.72 -33.919 441.606 -33.139 c
442.706 -33.075 444.033 -33.229 443.706 -31.797 c
441.124 -30.694 437.121 -30.952 433.906 -30.456 c
436.934 -34.807 439.159 -35.103 438.806 -40.518 c
438.804 -40.145 439.373 -39.756 439.506 -40.518 c
439.196 -41.807 437.896 -46.914 440.206 -47.225 c
438.474 -50.775 442.523 -53.217 437.406 -57.286 c
431.105 -26.432 m
468.391 -29.707 499.032 -31.887 538.911 -34.48 c
540.656 -45.776 543.232 -56.276 544.512 -68.019 c
543.348 -66.897 542.679 -65.303 540.312 -65.336 c
504.295 -63.707 467.277 -61.479 433.906 -59.299 c
432.988 -45.673 431.704 -38.723 431.105 -26.432 c
1.0 sc
eofill
n
428.306 -32.468 m
429.522 -34.865 431.135 -40.424 429.006 -41.859 c
429.978 -40.22 426.215 -35.179 428.306 -32.468 c
eofill
n
535.411 -47.896 m
535.984 -47.044 536.054 -50.916 536.811 -53.262 c
535.653 -50.172 531.926 -51.304 530.511 -53.262 c
530.382 -52.691 530.783 -52.629 531.211 -52.591 c
527.048 -52.794 532.328 -47.169 528.41 -47.896 c
530.127 -47.002 527.148 -45.871 529.11 -45.213 c
527.988 -44.052 526.494 -43.248 524.91 -42.529 c
526.524 -40.004 533.875 -43.528 535.411 -41.859 c
536.983 -42.141 535.43 -45.418 536.811 -45.884 c
536.511 -47.569 535.303 -44.768 535.411 -43.871 c
532.738 -43.547 530.942 -44.062 529.811 -45.213 c
529.943 -45.975 530.513 -45.585 530.511 -45.213 c
532.057 -45.297 530.808 -48.059 531.211 -49.237 c
533.066 -49.228 535.333 -49.609 535.411 -47.896 c
0.0 sc
eofill
n
464.707 -41.859 m
465.668 -42.06 464.521 -46.487 467.508 -46.555 c
467.42 -48.036 464.538 -46.839 463.308 -47.225 c
463.479 -45.154 464.017 -43.434 464.707 -41.859 c
1.0 sc
eofill
n
431.105 -53.933 m
429.917 -54.368 430.668 -55.475 431.806 -55.274 c
430.186 -58.35 427.934 -50.69 431.105 -51.25 c
431.234 -51.82 430.833 -51.883 430.405 -51.92 c
430.425 -52.572 431.263 -52.441 431.806 -52.591 c
431.375 -53.188 430.96 -53.791 431.806 -53.933 c
431.673 -54.694 431.104 -54.305 431.105 -53.933 c
eofill
n
538.911 -55.274 m
539.688 -55.864 539.607 -57.969 538.911 -59.97 c
534.925 -60.436 533.097 -58.833 529.11 -59.299 c
529.861 -57.559 529.556 -54.807 531.211 -53.933 c
533.923 -54.238 531.124 -56.543 533.311 -57.957 c
536.621 -58.446 538.501 -57.564 538.911 -55.274 c
0.0 sc
eofill
n
468.907 -82.105 m
467.16 -82.569 470.207 -83.895 469.607 -85.459 c
468.232 -83.845 466.108 -83.914 465.407 -86.13 c
463.758 -85.563 465.989 -83.188 466.107 -82.105 c
471.093 -79.012 478.185 -89.206 468.907 -82.105 c
eofill
n
509.51 -82.105 m
511.788 -80.185 515.938 -82.177 515.81 -84.788 c
514.552 -83.087 513.049 -81.62 509.51 -82.105 c
eofill
n
487.108 -84.117 m
485.948 -82.813 488.402 -81.903 490.608 -82.775 c
490.52 -83.979 491.466 -84.19 491.309 -85.459 c
489.495 -83.424 488.706 -84.772 486.408 -85.459 c
486.799 -84.863 488.515 -82.522 487.108 -84.117 c
eofill
n
469.607 -106.924 m
471.535 -106.088 473.003 -104.811 473.107 -102.229 c
471.944 -100.884 471.229 -99.11 468.907 -98.874 c
468.448 -100.67 466.902 -101.425 466.107 -102.898 c
466.982 -104.52 469.638 -104.436 469.607 -106.924 c
509.51 -101.558 m
512.524 -102.434 511.724 -99.654 513.01 -98.874 c
513.226 -100.456 515.44 -100.122 515.109 -102.229 c
514.409 -103.121 513.956 -104.253 513.01 -104.911 c
513.195 -103.538 510.294 -101.806 510.21 -102.898 c
512.107 -103.316 511.952 -105.701 514.41 -105.582 c
514.071 -103.469 516.559 -104.063 515.81 -101.558 c
514.94 -100.154 513.773 -99.036 512.31 -98.203 c
511.836 -99.762 509.983 -99.999 509.51 -101.558 c
491.309 -98.203 m
488.066 -98.293 488.341 -104.381 491.309 -106.253 c
497.375 -105.275 494.477 -98.116 491.309 -98.203 c
513.01 -90.154 m
510.521 -91.197 512.587 -87.876 510.909 -88.142 c
510.962 -89.311 510.753 -90.228 510.21 -90.825 c
513.488 -90.907 509.447 -91.802 510.21 -93.508 c
511.414 -93.243 512.004 -94.504 512.31 -93.508 c
511.883 -93.47 511.48 -93.408 511.609 -92.837 c
512.048 -90.549 516.63 -88.738 515.109 -86.801 c
514.579 -89.529 511.547 -88.388 513.01 -90.154 c
489.209 -92.167 m
492.325 -92.224 495.318 -88.66 494.108 -86.801 c
493.245 -89.326 491.068 -90.595 489.209 -92.167 c
470.308 -90.154 m
470.268 -90.563 470.203 -90.948 469.607 -90.825 c
468.905 -90.827 468.774 -90.281 468.207 -90.154 c
468.003 -90.566 466.466 -92.736 468.207 -92.837 c
468.221 -90.572 472.396 -91.906 473.808 -86.801 c
471.348 -89.656 469.983 -87.971 468.207 -89.483 c
469.031 -89.589 470.194 -89.368 470.308 -90.154 c
508.81 -85.459 m
509.056 -81.867 510.906 -84.757 512.31 -85.459 c
512.467 -84.19 511.521 -83.979 511.609 -82.775 c
508.109 -82.775 l
508.229 -83.779 507.859 -85.251 508.81 -85.459 c
515.81 -84.788 m
515.938 -82.177 511.788 -80.185 509.51 -82.105 c
513.049 -81.62 514.552 -83.087 515.81 -84.788 c
466.107 -82.105 m
465.989 -83.188 463.758 -85.563 465.407 -86.13 c
466.108 -83.914 468.232 -83.845 469.607 -85.459 c
470.207 -83.895 467.16 -82.569 468.907 -82.105 c
478.185 -89.206 471.093 -79.012 466.107 -82.105 c
486.408 -85.459 m
488.706 -84.772 489.495 -83.424 491.309 -85.459 c
491.466 -84.19 490.52 -83.979 490.608 -82.775 c
488.402 -81.903 485.948 -82.813 487.108 -84.117 c
488.515 -82.522 486.799 -84.863 486.408 -85.459 c
541.011 -75.397 m
543.693 -86.02 544.442 -98.493 545.911 -110.277 c
511.072 -109.362 462.218 -111.651 433.906 -112.29 c
432.56 -100.835 432.544 -88.105 431.105 -76.739 c
466.034 -76.428 504.953 -77.282 540.312 -75.397 c
h
1.0 sc
eofill
n
468.207 -89.483 m
469.983 -87.971 471.348 -89.656 473.808 -86.801 c
472.396 -91.906 468.221 -90.572 468.207 -92.837 c
466.466 -92.736 468.003 -90.566 468.207 -90.154 c
468.774 -90.281 468.905 -90.827 469.607 -90.825 c
470.203 -90.948 470.268 -90.563 470.308 -90.154 c
470.194 -89.368 469.031 -89.589 468.207 -89.483 c
0.0 sc
eofill
n
515.109 -86.801 m
516.63 -88.738 512.048 -90.549 511.609 -92.837 c
511.48 -93.408 511.883 -93.47 512.31 -93.508 c
512.004 -94.504 511.414 -93.243 510.21 -93.508 c
509.447 -91.802 513.488 -90.907 510.21 -90.825 c
510.753 -90.228 510.962 -89.311 510.909 -88.142 c
512.587 -87.876 510.521 -91.197 513.01 -90.154 c
511.547 -88.388 514.579 -89.529 515.109 -86.801 c
eofill
n
193.094 -98.203 m
192.393 -96.416 190.269 -95.992 188.894 -94.85 c
190.815 -92.836 192.126 -97.08 194.494 -96.862 c
190.452 -100.591 188.182 -106.018 179.093 -104.911 c
180.065 -102.266 185.312 -103.715 183.993 -98.874 c
184.688 -97.609 185.436 -101.911 185.394 -103.569 c
187.533 -101.372 189.207 -98.727 193.094 -98.203 c
1.0 sc
eofill
n
494.108 -103.569 m
494.412 -101.043 492.63 -100.515 491.309 -99.545 c
492.058 -102.051 489.57 -101.457 489.908 -103.569 c
491.783 -104.658 492.57 -105.11 494.108 -103.569 c
491.309 -106.253 m
488.341 -104.381 488.066 -98.293 491.309 -98.203 c
494.477 -98.116 497.375 -105.275 491.309 -106.253 c
0.0 sc
eofill
n
512.31 -98.203 m
513.773 -99.036 514.94 -100.154 515.81 -101.558 c
516.559 -104.063 514.071 -103.469 514.41 -105.582 c
511.952 -105.701 512.107 -103.316 510.21 -102.898 c
510.294 -101.806 513.195 -103.538 513.01 -104.911 c
513.956 -104.253 514.409 -103.121 515.109 -102.229 c
515.44 -100.122 513.226 -100.456 513.01 -98.874 c
511.724 -99.654 512.524 -102.434 509.51 -101.558 c
509.983 -99.999 511.836 -99.762 512.31 -98.203 c
eofill
n
469.607 -99.545 m
470.349 -102.044 468.134 -101.71 467.508 -102.898 c
469.481 -103.02 468.381 -106.087 471.008 -105.582 c
470.971 -104.428 471.546 -103.862 472.408 -103.569 c
472.242 -101.493 470.46 -100.965 469.607 -99.545 c
466.107 -102.898 m
466.902 -101.425 468.448 -100.67 468.907 -98.874 c
471.229 -99.11 471.944 -100.884 473.107 -102.229 c
473.003 -104.811 471.535 -106.088 469.607 -106.924 c
469.638 -104.436 466.982 -104.52 466.107 -102.898 c
eofill
n
495.509 41.987 m
497.28 40.778 496.105 36.745 497.609 35.279 c
494.484 35.844 494.111 42.765 489.209 42.658 c
479.798 42.453 484.476 24.824 492.709 24.547 c
496.118 23.964 495.953 26.805 498.309 27.23 c
489.757 11.258 473.862 36.4 483.608 43.329 c
487.997 46.449 492.297 42.364 495.509 41.987 c
eofill
n
440.206 -47.225 m
437.896 -46.914 439.196 -41.807 439.506 -40.518 c
439.373 -39.756 438.804 -40.145 438.806 -40.518 c
439.159 -35.103 436.934 -34.807 433.906 -30.456 c
437.121 -30.952 441.124 -30.694 443.706 -31.797 c
444.033 -33.229 442.706 -33.075 441.606 -33.139 c
441.72 -33.919 441.452 -34.332 440.906 -34.48 c
443.648 -39.649 441.3 -49.024 443.006 -53.262 c
444.229 -56.3 446.944 -55.432 447.206 -58.628 c
442.306 -57.745 440.371 -59.115 437.406 -57.286 c
442.523 -53.217 438.474 -50.775 440.206 -47.225 c
eofill
n
516.51 -43.2 m
516.34 -42.256 513.025 -43.823 513.71 -40.518 c
516.014 -40.545 517.195 -41.649 520.01 -41.188 c
518.526 -47.809 520.051 -51.876 521.41 -57.286 c
524.721 -57.775 526.601 -56.894 527.011 -54.604 c
528.506 -55.022 527.667 -58.732 527.011 -59.299 c
523.024 -59.765 521.196 -58.162 517.21 -58.628 c
520.995 -55.437 515.503 -48.569 516.51 -43.2 c
eofill
n
484.309 -55.274 m
485.772 -52.598 485.405 -51.125 484.309 -48.566 c
482.665 -48.353 481.681 -47.507 479.408 -47.896 c
479.966 -50.419 479.157 -55.492 484.309 -55.274 c
478.708 -45.213 m
480.301 -45.538 482.284 -46.543 483.608 -45.213 c
483.77 -42.599 482.104 -41.735 481.508 -39.847 c
478.708 -39.847 l
477.185 -41.067 480.231 -43.992 478.708 -45.213 c
472.408 -37.834 m
479.556 -37.093 488.177 -38.196 485.708 -45.884 c
487.916 -49.979 490.347 -52.326 487.108 -56.616 c
475.908 -56.616 l
476.264 -54.944 475.885 -52.569 478.008 -52.591 c
475.183 -46.119 478.483 -43.708 472.408 -37.834 c
eofill
n
492.709 -43.871 m
490.73 -43.675 489.694 -41.15 487.809 -39.176 c
490.268 -38.615 497.789 -39.646 499.709 -39.847 c
499.303 -42.024 500.186 -42.967 500.409 -44.542 c
498.587 -42.632 497.295 -40.841 494.809 -41.188 c
492.525 -42.399 494.625 -43.649 494.108 -46.555 c
496.754 -47.006 497.873 -47.376 498.309 -44.542 c
499.567 -46.02 498.921 -49.322 499.709 -51.25 c
498.546 -50.128 497.876 -48.534 495.509 -48.566 c
492.142 -53.92 499.905 -59.398 501.81 -52.591 c
503.255 -53.168 502.548 -57.26 501.81 -57.957 c
498.141 -57.895 495.507 -56.842 491.309 -57.286 c
494.073 -52.155 489.426 -46.578 492.709 -43.871 c
eofill
n
501.109 -39.847 m
505.05 -39.912 504.169 -40.451 508.109 -40.518 c
506.979 -45.906 507.021 -52.478 510.909 -56.616 c
513.479 -56.841 514.501 -55.586 515.109 -53.933 c
516.995 -54.726 515.107 -57.43 515.109 -58.628 c
511.294 -58.931 509.357 -57.433 505.31 -57.957 c
506.695 -55.79 504.687 -49.932 506.01 -48.566 c
504.768 -45.967 503.802 -42.594 501.109 -39.847 c
eofill
Q
Q
Q
[/EMC PDFMark5
PDFVars/TermAll get exec end end
%%PageTrailer
%%Trailer
%%EOF
\ No newline at end of file
Binary file doc-src/TutorialI/document/pghead.pdf has changed
--- a/doc-src/TutorialI/document/preface.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,56 +0,0 @@
-\chapter*{Preface}
-\markboth{Preface}{Preface}
-
-This volume is a self-contained introduction to interactive proof
-in higher-order logic (HOL), using the proof assistant Isabelle.
-It is written for potential users rather
-than for our colleagues in the research world.
-
-The book has three parts.
-\begin{itemize}
-\item
-The first part, \textbf{Elementary Techniques},
-shows how to model functional programs in higher-order logic. Early
-examples involve lists and the natural numbers. Most proofs
-are two steps long, consisting of induction on a chosen variable
-followed by the \isa{auto} tactic. But even this elementary part
-covers such advanced topics as nested and mutual recursion.
-\item
-The second part, \textbf{Logic and Sets}, presents a collection of
-lower-level tactics that you can use to apply rules selectively. It
-also describes Isabelle/HOL's treatment of sets, functions and
-relations and explains how to define sets inductively. One of the
-examples concerns the theory of model checking, and another is drawn
-from a classic textbook on formal languages.
-\item
-The third part, \textbf{Advanced Material}, describes a variety of other
-topics. Among these are the real numbers, records and overloading. Advanced
-techniques for induction and recursion are described. A whole chapter is
-devoted to an extended example: the verification of a security protocol.
-\end{itemize}
-
-The typesetting relies on Wenzel's theory presentation tools. An
-annotated source file is run, typesetting the theory
-in the form of a \LaTeX\ source file. This book is derived almost entirely
-from output generated in this way. The final chapter of Part~I explains how
-users may produce their own formal documents in a similar fashion.
-
-Isabelle's \hfootref{http://isabelle.in.tum.de/}{web site} contains
-links to the download area and to documentation and other information.
-The classic Isabelle user interface is Proof~General~/ Emacs by David
-Aspinall's\index{Aspinall, David}. This book says very little about
-Proof General, which has its own documentation.
-
-This tutorial owes a lot to the constant discussions with and the valuable
-feedback from the Isabelle group at Munich: Stefan Berghofer, Olaf
-M{\"u}ller, Wolfgang Naraschewski, David von Oheimb, Leonor Prensa Nieto,
-Cornelia Pusch, Norbert Schirmer and Martin Strecker. Stephan
-Merz was also kind enough to read and comment on a draft version. We
-received comments from Stefano Bistarelli, Gergely Buday, John Matthews
-and Tanja Vos.
-
-The research has been funded by many sources, including the {\sc dfg} grants
-NI~491/2, NI~491/3, NI~491/4, NI~491/6, {\sc bmbf} project Verisoft, the {\sc
-epsrc} grants GR/K57381, GR/K77051, GR/M75440, GR/R01156/01 GR/S57198/01 and
-by the \textsc{esprit} working groups 21900 and IST-1999-29001 (the
-\emph{Types} project).
--- a/doc-src/TutorialI/document/protocol.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,135 +0,0 @@
-\chapter{Case Study: Verifying a Security Protocol}
-\label{chap:crypto}
-
-\index{protocols!security|(}
-
-%crypto primitives
-\def\lbb{\mathopen{\{\kern-.30em|}}
-\def\rbb{\mathclose{|\kern-.32em\}}}
-\def\comp#1{\lbb#1\rbb}
-
-Communications security is an ancient art. Julius Caesar is said to have
-encrypted his messages, shifting each letter three places along the
-alphabet. Mary Queen of Scots was convicted of treason after a cipher used
-in her letters was broken. Today's postal system
-incorporates security features. The envelope provides a degree of
-\emph{secrecy}. The signature provides \emph{authenticity} (proof of
-origin), as do departmental stamps and letterheads.
-
-Networks are vulnerable: messages pass through many computers, any of which
-might be controlled by an adversary, who thus can capture or redirect
-messages. People who wish to communicate securely over such a network can
-use cryptography, but if they are to understand each other, they need to
-follow a
-\emph{protocol}: a pre-arranged sequence of message formats.
-
-Protocols can be attacked in many ways, even if encryption is unbreakable.
-A \emph{splicing attack} involves an adversary's sending a message composed
-of parts of several old messages. This fake message may have the correct
-format, fooling an honest party. The adversary might be able to masquerade
-as somebody else, or he might obtain a secret key.
-
-\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
-random number. Each message that requires a reply incorporates a nonce. The
-reply must include a copy of that nonce, to prove that it is not a replay of
-a past message. The nonce in the reply must be cryptographically
-protected, since otherwise an adversary could easily replace it by a
-different one. You should be starting to see that protocol design is
-tricky!
-
-Researchers are developing methods for proving the correctness of security
-protocols. The Needham-Schroeder public-key
-protocol~\cite{needham-schroeder} has become a standard test case.
-Proposed in 1978, it was found to be defective nearly two decades
-later~\cite{lowe-fdr}. This toy protocol will be useful in demonstrating
-how to verify protocols using Isabelle.
-
-
-\section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol}
-
-\index{Needham-Schroeder protocol|(}%
-This protocol uses public-key cryptography. Each person has a private key, known only to
-himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
-encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
-matching private key, which is needed in order to decrypt Alice's message.
-
-The core of the Needham-Schroeder protocol consists of three messages:
-\begin{alignat*}{2}
- &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
- &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
- &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-First, let's understand the notation. In the first message, Alice
-sends Bob a message consisting of a nonce generated by Alice~($Na$)
-paired with Alice's name~($A$) and encrypted using Bob's public
-key~($Kb$). In the second message, Bob sends Alice a message
-consisting of $Na$ paired with a nonce generated by Bob~($Nb$),
-encrypted using Alice's public key~($Ka$). In the last message, Alice
-returns $Nb$ to Bob, encrypted using his public key.
-
-When Alice receives Message~2, she knows that Bob has acted on her
-message, since only he could have decrypted
-$\comp{Na,A}\sb{Kb}$ and extracted~$Na$. That is precisely what
-nonces are for. Similarly, message~3 assures Bob that Alice is
-active. But the protocol was widely believed~\cite{ban89} to satisfy a
-further property: that
-$Na$ and~$Nb$ were secrets shared by Alice and Bob. (Many
-protocols generate such shared secrets, which can be used
-to lessen the reliance on slow public-key operations.)
-Lowe\index{Lowe, Gavin|(} found this
-claim to be false: if Alice runs the protocol with someone untrustworthy
-(Charlie say), then he can start a new run with another agent (Bob say).
-Charlie uses Alice as an oracle, masquerading as
-Alice to Bob~\cite{lowe-fdr}.
-\begin{alignat*}{4}
- &1.&\quad A\to C &: \comp{Na,A}\sb{Kc} &&
- \qquad 1'.&\quad C\to B &: \comp{Na,A}\sb{Kb} \\
- &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
- &3.&\quad A\to C &: \comp{Nb}\sb{Kc} &&
- \qquad 3'.&\quad C\to B &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-In messages~1 and~3, Charlie removes the encryption using his private
-key and re-encrypts Alice's messages using Bob's public key. Bob is
-left thinking he has run the protocol with Alice, which was not
-Alice's intention, and Bob is unaware that the ``secret'' nonces are
-known to Charlie. This is a typical man-in-the-middle attack launched
-by an insider.
-
-Whether this counts as an attack has been disputed. In protocols of this
-type, we normally assume that the other party is honest. To be honest
-means to obey the protocol rules, so Alice's running the protocol with
-Charlie does not make her dishonest, just careless. After Lowe's
-attack, Alice has no grounds for complaint: this protocol does not have to
-guarantee anything if you run it with a bad person. Bob does have
-grounds for complaint, however: the protocol tells him that he is
-communicating with Alice (who is honest) but it does not guarantee
-secrecy of the nonces.
-
-Lowe also suggested a correction, namely to include Bob's name in
-message~2:
-\begin{alignat*}{2}
- &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
- &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
- &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
-\end{alignat*}
-If Charlie tries the same attack, Alice will receive the message
-$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
-$\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so
-will Bob. Below, we shall look at parts of this protocol's correctness
-proof.
-
-In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
-showed how such attacks
-could be found automatically using a model checker. An alternative,
-which we shall examine below, is to prove protocols correct. Proofs
-can be done under more realistic assumptions because our model does
-not have to be finite. The strategy is to formalize the operational
-semantics of the system and to prove security properties using rule
-induction.%
-\index{Needham-Schroeder protocol|)}
-
-
-\input{Message}
-\input{Event}
-\input{Public}
-\input{NS_Public}
--- a/doc-src/TutorialI/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,98 +0,0 @@
-\documentclass{article}
-\usepackage{cl2emono-modified,isabelle,isabellesym}
-\usepackage{proof,amsmath,amsfonts}
-\usepackage{latexsym,wasysym,verbatim,graphicx,tutorial,ttbox,comment}
-\usepackage{eurosym}
-\usepackage[english]{babel}
-\usepackage{pdfsetup}
-%last package!
-
-\remarkstrue %TRUE causes remarks to be displayed (as marginal notes)
-%\remarksfalse
-
-\makeindex
-
-\index{conditional expressions|see{\isa{if} expressions}}
-\index{primitive recursion|see{recursion, primitive}}
-\index{product type|see{pairs and tuples}}
-\index{structural induction|see{induction, structural}}
-\index{termination|see{functions, total}}
-\index{tuples|see{pairs and tuples}}
-\index{*<*lex*>|see{lexicographic product}}
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
-
-\pagestyle{headings}
-
-
-\begin{document}
-\title{
-\begin{center}
-\includegraphics[scale=.8]{isabelle_hol}
- \\ \vspace{0.5cm} A Proof Assistant for Higher-Order Logic
-\end{center}}
-\author{Tobias Nipkow \quad Lawrence C. Paulson \quad Markus Wenzel%\\[1ex]
-%Technische Universit{\"a}t M{\"u}nchen \\
-%Institut f{\"u}r Informatik \\[1ex]
-%University of Cambridge\\
-%Computer Laboratory
-}
-\pagenumbering{roman}
-\maketitle
-\newpage
-
-%\setcounter{page}{5}
-%\vspace*{\fill}
-%\begin{center}
-%\LARGE In memoriam \\[1ex]
-%{\sc Annette Schumann}\\[1ex]
-%1959 -- 2001
-%\end{center}
-%\vspace*{\fill}
-%\vspace*{\fill}
-%\newpage
-
-\input{preface}
-
-\tableofcontents
-
-\cleardoublepage\pagenumbering{arabic}
-
-\part{Elementary Techniques}
-\input{basics}
-\input{fp}
-\input{documents0}
-
-\part{Logic and Sets}
-\input{rules}
-\input{sets}
-\input{inductive0}
-
-\part{Advanced Material}
-\input{types0}
-\input{advanced0}
-\input{protocol}
-
-\markboth{}{}
-\cleardoublepage
-\vspace*{\fill}
-\begin{flushright}
-\begin{tabular}{l}
-{\large\sf\slshape You know my methods. Apply them!}\\[1ex]
-Sherlock Holmes
-\end{tabular}
-\end{flushright}
-\vspace*{\fill}
-\vspace*{\fill}
-
-\underscoreoff
-
-\input{appendix0}
-
-\bibliographystyle{plain}
-\bibliography{manual}
-\underscoreoff
-\printindex
-\end{document}
--- a/doc-src/TutorialI/document/rules.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2641 +0,0 @@
-%!TEX root = ../tutorial.tex
-\chapter{The Rules of the Game}
-\label{chap:rules}
-
-This chapter outlines the concepts and techniques that underlie reasoning
-in Isabelle. Until now, we have proved everything using only induction and
-simplification, but any serious verification project requires more elaborate
-forms of inference. The chapter also introduces the fundamentals of
-predicate logic. The first examples in this chapter will consist of
-detailed, low-level proof steps. Later, we shall see how to automate such
-reasoning using the methods
-\isa{blast},
-\isa{auto} and others. Backward or goal-directed proof is our usual style,
-but the chapter also introduces forward reasoning, where one theorem is
-transformed to yield another.
-
-\section{Natural Deduction}
-
-\index{natural deduction|(}%
-In Isabelle, proofs are constructed using inference rules. The
-most familiar inference rule is probably \emph{modus ponens}:%
-\index{modus ponens@\emph{modus ponens}}
-\[ \infer{Q}{P\imp Q & P} \]
-This rule says that from $P\imp Q$ and $P$ we may infer~$Q$.
-
-\textbf{Natural deduction} is an attempt to formalize logic in a way
-that mirrors human reasoning patterns.
-For each logical symbol (say, $\conj$), there
-are two kinds of rules: \textbf{introduction} and \textbf{elimination} rules.
-The introduction rules allow us to infer this symbol (say, to
-infer conjunctions). The elimination rules allow us to deduce
-consequences from this symbol. Ideally each rule should mention
-one symbol only. For predicate logic this can be
-done, but when users define their own concepts they typically
-have to refer to other symbols as well. It is best not to be dogmatic.
-
-Natural deduction generally deserves its name. It is easy to use. Each
-proof step consists of identifying the outermost symbol of a formula and
-applying the corresponding rule. It creates new subgoals in
-an obvious way from parts of the chosen formula. Expanding the
-definitions of constants can blow up the goal enormously. Deriving natural
-deduction rules for such constants lets us reason in terms of their key
-properties, which might otherwise be obscured by the technicalities of its
-definition. Natural deduction rules also lend themselves to automation.
-Isabelle's
-\textbf{classical reasoner} accepts any suitable collection of natural deduction
-rules and uses them to search for proofs automatically. Isabelle is designed around
-natural deduction and many of its tools use the terminology of introduction
-and elimination rules.%
-\index{natural deduction|)}
-
-
-\section{Introduction Rules}
-
-\index{introduction rules|(}%
-An introduction rule tells us when we can infer a formula
-containing a specific logical symbol. For example, the conjunction
-introduction rule says that if we have $P$ and if we have $Q$ then
-we have $P\conj Q$. In a mathematics text, it is typically shown
-like this:
-\[ \infer{P\conj Q}{P & Q} \]
-The rule introduces the conjunction
-symbol~($\conj$) in its conclusion. In Isabelle proofs we
-mainly reason backwards. When we apply this rule, the subgoal already has
-the form of a conjunction; the proof step makes this conjunction symbol
-disappear.
-
-In Isabelle notation, the rule looks like this:
-\begin{isabelle}
-\isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P\ \isasymand\ ?Q\rulenamedx{conjI}
-\end{isabelle}
-Carefully examine the syntax. The premises appear to the
-left of the arrow and the conclusion to the right. The premises (if
-more than one) are grouped using the fat brackets. The question marks
-indicate \textbf{schematic variables} (also called
-\textbf{unknowns}):\index{unknowns|bold} they may
-be replaced by arbitrary formulas. If we use the rule backwards, Isabelle
-tries to unify the current subgoal with the conclusion of the rule, which
-has the form \isa{?P\ \isasymand\ ?Q}. (Unification is discussed below,
-{\S}\ref{sec:unification}.) If successful,
-it yields new subgoals given by the formulas assigned to
-\isa{?P} and \isa{?Q}.
-
-The following trivial proof illustrates how rules work. It also introduces a
-style of indentation. If a command adds a new subgoal, then the next
-command's indentation is increased by one space; if it proves a subgoal, then
-the indentation is reduced. This provides the reader with hints about the
-subgoal structure.
-\begin{isabelle}
-\isacommand{lemma}\ conj_rule:\ "\isasymlbrakk P;\
-Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\
-(Q\ \isasymand\ P)"\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-At the start, Isabelle presents
-us with the assumptions (\isa{P} and~\isa{Q}) and with the goal to be proved,
-\isa{P\ \isasymand\
-(Q\ \isasymand\ P)}. We are working backwards, so when we
-apply conjunction introduction, the rule removes the outermost occurrence
-of the \isa{\isasymand} symbol. To apply a rule to a subgoal, we apply
-the proof method \isa{rule} --- here with \isa{conjI}, the conjunction
-introduction rule.
-\begin{isabelle}
-%\isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\ Q\
-%\isasymand\ P\isanewline
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\ \isasymand\ P
-\end{isabelle}
-Isabelle leaves two new subgoals: the two halves of the original conjunction.
-The first is simply \isa{P}, which is trivial, since \isa{P} is among
-the assumptions. We can apply the \methdx{assumption}
-method, which proves a subgoal by finding a matching assumption.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\
-Q\ \isasymand\ P
-\end{isabelle}
-We are left with the subgoal of proving
-\isa{Q\ \isasymand\ P} from the assumptions \isa{P} and~\isa{Q}. We apply
-\isa{rule conjI} again.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P
-\end{isabelle}
-We are left with two new subgoals, \isa{Q} and~\isa{P}, each of which can be proved
-using the \isa{assumption} method.%
-\index{introduction rules|)}
-
-
-\section{Elimination Rules}
-
-\index{elimination rules|(}%
-Elimination rules work in the opposite direction from introduction
-rules. In the case of conjunction, there are two such rules.
-From $P\conj Q$ we infer $P$. also, from $P\conj Q$
-we infer $Q$:
-\[ \infer{P}{P\conj Q} \qquad \infer{Q}{P\conj Q} \]
-
-Now consider disjunction. There are two introduction rules, which resemble inverted forms of the
-conjunction elimination rules:
-\[ \infer{P\disj Q}{P} \qquad \infer{P\disj Q}{Q} \]
-
-What is the disjunction elimination rule? The situation is rather different from
-conjunction. From $P\disj Q$ we cannot conclude that $P$ is true and we
-cannot conclude that $Q$ is true; there are no direct
-elimination rules of the sort that we have seen for conjunction. Instead,
-there is an elimination rule that works indirectly. If we are trying to prove
-something else, say $R$, and we know that $P\disj Q$ holds, then we have to consider
-two cases. We can assume that $P$ is true and prove $R$ and then assume that $Q$ is
-true and prove $R$ a second time. Here we see a fundamental concept used in natural
-deduction: that of the \textbf{assumptions}. We have to prove $R$ twice, under
-different assumptions. The assumptions are local to these subproofs and are visible
-nowhere else.
-
-In a logic text, the disjunction elimination rule might be shown
-like this:
-\[ \infer{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}} \]
-The assumptions $[P]$ and $[Q]$ are bracketed
-to emphasize that they are local to their subproofs. In Isabelle
-notation, the already-familiar \isa{\isasymLongrightarrow} syntax serves the
-same purpose:
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymor\ ?Q;\ ?P\ \isasymLongrightarrow\ ?R;\ ?Q\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{disjE}
-\end{isabelle}
-When we use this sort of elimination rule backwards, it produces
-a case split. (We have seen this before, in proofs by induction.) The following proof
-illustrates the use of disjunction elimination.
-\begin{isabelle}
-\isacommand{lemma}\ disj_swap:\ "P\ \isasymor\ Q\
-\isasymLongrightarrow\ Q\ \isasymor\ P"\isanewline
-\isacommand{apply}\ (erule\ disjE)\isanewline
-\ \isacommand{apply}\ (rule\ disjI2)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (rule\ disjI1)\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-We assume \isa{P\ \isasymor\ Q} and
-must prove \isa{Q\ \isasymor\ P}\@. Our first step uses the disjunction
-elimination rule, \isa{disjE}\@. We invoke it using \methdx{erule}, a
-method designed to work with elimination rules. It looks for an assumption that
-matches the rule's first premise. It deletes the matching assumption,
-regards the first premise as proved and returns subgoals corresponding to
-the remaining premises. When we apply \isa{erule} to \isa{disjE}, only two
-subgoals result. This is better than applying it using \isa{rule}
-to get three subgoals, then proving the first by assumption: the other
-subgoals would have the redundant assumption
-\hbox{\isa{P\ \isasymor\ Q}}.
-Most of the time, \isa{erule} is the best way to use elimination rules, since it
-replaces an assumption by its subformulas; only rarely does the original
-assumption remain useful.
-
-\begin{isabelle}
-%P\ \isasymor\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
-\ 1.\ P\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-These are the two subgoals returned by \isa{erule}. The first assumes
-\isa{P} and the second assumes \isa{Q}. Tackling the first subgoal, we
-need to show \isa{Q\ \isasymor\ P}\@. The second introduction rule
-(\isa{disjI2}) can reduce this to \isa{P}, which matches the assumption.
-So, we apply the
-\isa{rule} method with \isa{disjI2} \ldots
-\begin{isabelle}
-\ 1.\ P\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-\ldots and finish off with the \isa{assumption}
-method. We are left with the other subgoal, which
-assumes \isa{Q}.
-\begin{isabelle}
-\ 1.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
-\end{isabelle}
-Its proof is similar, using the introduction
-rule \isa{disjI1}.
-
-The result of this proof is a new inference rule \isa{disj_swap}, which is neither
-an introduction nor an elimination rule, but which might
-be useful. We can use it to replace any goal of the form $Q\disj P$
-by one of the form $P\disj Q$.%
-\index{elimination rules|)}
-
-
-\section{Destruction Rules: Some Examples}
-
-\index{destruction rules|(}%
-Now let us examine the analogous proof for conjunction.
-\begin{isabelle}
-\isacommand{lemma}\ conj_swap:\ "P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P"\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ \isacommand{apply}\ (drule\ conjunct2)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (drule\ conjunct1)\isanewline
-\isacommand{apply}\ assumption
-\end{isabelle}
-Recall that the conjunction elimination rules --- whose Isabelle names are
-\isa{conjunct1} and \isa{conjunct2} --- simply return the first or second half
-of a conjunction. Rules of this sort (where the conclusion is a subformula of a
-premise) are called \textbf{destruction} rules because they take apart and destroy
-a premise.%
-\footnote{This Isabelle terminology has no counterpart in standard logic texts,
-although the distinction between the two forms of elimination rule is well known.
-Girard \cite[page 74]{girard89},\index{Girard, Jean-Yves|fnote}
-for example, writes ``The elimination rules
-[for $\disj$ and $\exists$] are very
-bad. What is catastrophic about them is the parasitic presence of a formula [$R$]
-which has no structural link with the formula which is eliminated.''}
-
-The first proof step applies conjunction introduction, leaving
-two subgoals:
-\begin{isabelle}
-%P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P\isanewline
-\ 1.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
-\end{isabelle}
-
-To invoke the elimination rule, we apply a new method, \isa{drule}.
-Think of the \isa{d} as standing for \textbf{destruction} (or \textbf{direct}, if
-you prefer). Applying the
-second conjunction rule using \isa{drule} replaces the assumption
-\isa{P\ \isasymand\ Q} by \isa{Q}.
-\begin{isabelle}
-\ 1.\ Q\ \isasymLongrightarrow\ Q\isanewline
-\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
-\end{isabelle}
-The resulting subgoal can be proved by applying \isa{assumption}.
-The other subgoal is similarly proved, using the \isa{conjunct1} rule and the
-\isa{assumption} method.
-
-Choosing among the methods \isa{rule}, \isa{erule} and \isa{drule} is up to
-you. Isabelle does not attempt to work out whether a rule
-is an introduction rule or an elimination rule. The
-method determines how the rule will be interpreted. Many rules
-can be used in more than one way. For example, \isa{disj_swap} can
-be applied to assumptions as well as to goals; it replaces any
-assumption of the form
-$P\disj Q$ by a one of the form $Q\disj P$.
-
-Destruction rules are simpler in form than indirect rules such as \isa{disjE},
-but they can be inconvenient. Each of the conjunction rules discards half
-of the formula, when usually we want to take both parts of the conjunction as new
-assumptions. The easiest way to do so is by using an
-alternative conjunction elimination rule that resembles \isa{disjE}\@. It is
-seldom, if ever, seen in logic books. In Isabelle syntax it looks like this:
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymand\ ?Q;\ \isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{conjE}
-\end{isabelle}
-\index{destruction rules|)}
-
-\begin{exercise}
-Use the rule \isa{conjE} to shorten the proof above.
-\end{exercise}
-
-
-\section{Implication}
-
-\index{implication|(}%
-At the start of this chapter, we saw the rule \emph{modus ponens}. It is, in fact,
-a destruction rule. The matching introduction rule looks like this
-in Isabelle:
-\begin{isabelle}
-(?P\ \isasymLongrightarrow\ ?Q)\ \isasymLongrightarrow\ ?P\
-\isasymlongrightarrow\ ?Q\rulenamedx{impI}
-\end{isabelle}
-And this is \emph{modus ponens}\index{modus ponens@\emph{modus ponens}}:
-\begin{isabelle}
-\isasymlbrakk?P\ \isasymlongrightarrow\ ?Q;\ ?P\isasymrbrakk\
-\isasymLongrightarrow\ ?Q
-\rulenamedx{mp}
-\end{isabelle}
-
-Here is a proof using the implication rules. This
-lemma performs a sort of uncurrying, replacing the two antecedents
-of a nested implication by a conjunction. The proof illustrates
-how assumptions work. At each proof step, the subgoals inherit the previous
-assumptions, perhaps with additions or deletions. Rules such as
-\isa{impI} and \isa{disjE} add assumptions, while applying \isa{erule} or
-\isa{drule} deletes the matching assumption.
-\begin{isabelle}
-\isacommand{lemma}\ imp_uncurry:\
-"P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
-\isasymand\ Q\ \isasymlongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \ \isacommand{apply}\ assumption\isanewline
-\ \isacommand{apply}\ assumption
-\end{isabelle}
-First, we state the lemma and apply implication introduction (\isa{rule impI}),
-which moves the conjunction to the assumptions.
-\begin{isabelle}
-%P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R\ \isasymLongrightarrow\ P\
-%\isasymand\ Q\ \isasymlongrightarrow\ R\isanewline
-\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P\ \isasymand\ Q\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Next, we apply conjunction elimination (\isa{erule conjE}), which splits this
-conjunction into two parts.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P;\
-Q\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Now, we work on the assumption \isa{P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)}, where the parentheses have been inserted for
-clarity. The nested implication requires two applications of
-\textit{modus ponens}: \isa{drule mp}. The first use yields the
-implication \isa{Q\
-\isasymlongrightarrow\ R}, but first we must prove the extra subgoal
-\isa{P}, which we do by assumption.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
-\ 2.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\ \isasymLongrightarrow\ R
-\end{isabelle}
-Repeating these steps for \isa{Q\
-\isasymlongrightarrow\ R} yields the conclusion we seek, namely~\isa{R}.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\
-\isasymLongrightarrow\ R
-\end{isabelle}
-
-The symbols \isa{\isasymLongrightarrow} and \isa{\isasymlongrightarrow}
-both stand for implication, but they differ in many respects. Isabelle
-uses \isa{\isasymLongrightarrow} to express inference rules; the symbol is
-built-in and Isabelle's inference mechanisms treat it specially. On the
-other hand, \isa{\isasymlongrightarrow} is just one of the many connectives
-available in higher-order logic. We reason about it using inference rules
-such as \isa{impI} and \isa{mp}, just as we reason about the other
-connectives. You will have to use \isa{\isasymlongrightarrow} in any
-context that requires a formula of higher-order logic. Use
-\isa{\isasymLongrightarrow} to separate a theorem's preconditions from its
-conclusion.%
-\index{implication|)}
-
-\medskip
-\index{by@\isacommand{by} (command)|(}%
-The \isacommand{by} command is useful for proofs like these that use
-\isa{assumption} heavily. It executes an
-\isacommand{apply} command, then tries to prove all remaining subgoals using
-\isa{assumption}. Since (if successful) it ends the proof, it also replaces the
-\isacommand{done} symbol. For example, the proof above can be shortened:
-\begin{isabelle}
-\isacommand{lemma}\ imp_uncurry:\
-"P\ \isasymlongrightarrow\ (Q\
-\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
-\isasymand\ Q\ \isasymlongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (drule\ mp)\isanewline
-\ \isacommand{apply}\ assumption\isanewline
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-We could use \isacommand{by} to replace the final \isacommand{apply} and
-\isacommand{done} in any proof, but typically we use it
-to eliminate calls to \isa{assumption}. It is also a nice way of expressing a
-one-line proof.%
-\index{by@\isacommand{by} (command)|)}
-
-
-
-\section{Negation}
-
-\index{negation|(}%
-Negation causes surprising complexity in proofs. Its natural
-deduction rules are straightforward, but additional rules seem
-necessary in order to handle negated assumptions gracefully. This section
-also illustrates the \isa{intro} method: a convenient way of
-applying introduction rules.
-
-Negation introduction deduces $\lnot P$ if assuming $P$ leads to a
-contradiction. Negation elimination deduces any formula in the
-presence of $\lnot P$ together with~$P$:
-\begin{isabelle}
-(?P\ \isasymLongrightarrow\ False)\ \isasymLongrightarrow\ \isasymnot\ ?P%
-\rulenamedx{notI}\isanewline
-\isasymlbrakk{\isasymnot}\ ?P;\ ?P\isasymrbrakk\ \isasymLongrightarrow\ ?R%
-\rulenamedx{notE}
-\end{isabelle}
-%
-Classical logic allows us to assume $\lnot P$
-when attempting to prove~$P$:
-\begin{isabelle}
-(\isasymnot\ ?P\ \isasymLongrightarrow\ ?P)\ \isasymLongrightarrow\ ?P%
-\rulenamedx{classical}
-\end{isabelle}
-
-\index{contrapositives|(}%
-The implications $P\imp Q$ and $\lnot Q\imp\lnot P$ are logically
-equivalent, and each is called the
-\textbf{contrapositive} of the other. Four further rules support
-reasoning about contrapositives. They differ in the placement of the
-negation symbols:
-\begin{isabelle}
-\isasymlbrakk?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulename{contrapos_pp}\isanewline
-\isasymlbrakk?Q;\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\
-\isasymnot\ ?P%
-\rulename{contrapos_pn}\isanewline
-\isasymlbrakk{\isasymnot}\ ?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulename{contrapos_np}\isanewline
-\isasymlbrakk{\isasymnot}\ ?Q;\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ \isasymnot\ ?P%
-\rulename{contrapos_nn}
-\end{isabelle}
-%
-These rules are typically applied using the \isa{erule} method, where
-their effect is to form a contrapositive from an
-assumption and the goal's conclusion.%
-\index{contrapositives|)}
-
-The most important of these is \isa{contrapos_np}. It is useful
-for applying introduction rules to negated assumptions. For instance,
-the assumption $\lnot(P\imp Q)$ is equivalent to the conclusion $P\imp Q$ and we
-might want to use conjunction introduction on it.
-Before we can do so, we must move that assumption so that it
-becomes the conclusion. The following proof demonstrates this
-technique:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk{\isasymnot}(P{\isasymlongrightarrow}Q);\
-\isasymnot(R{\isasymlongrightarrow}Q)\isasymrbrakk\ \isasymLongrightarrow\
-R"\isanewline
-\isacommand{apply}\ (erule_tac\ Q = "R{\isasymlongrightarrow}Q"\ \isakeyword{in}\
-contrapos_np)\isanewline
-\isacommand{apply}\ (intro\ impI)\isanewline
-\isacommand{by}\ (erule\ notE)
-\end{isabelle}
-%
-There are two negated assumptions and we need to exchange the conclusion with the
-second one. The method \isa{erule contrapos_np} would select the first assumption,
-which we do not want. So we specify the desired assumption explicitly
-using a new method, \isa{erule_tac}. This is the resulting subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\
-R\isasymrbrakk\ \isasymLongrightarrow\ R\ \isasymlongrightarrow\ Q%
-\end{isabelle}
-The former conclusion, namely \isa{R}, now appears negated among the assumptions,
-while the negated formula \isa{R\ \isasymlongrightarrow\ Q} becomes the new
-conclusion.
-
-We can now apply introduction rules. We use the \methdx{intro} method, which
-repeatedly applies the given introduction rules. Here its effect is equivalent
-to \isa{rule impI}.
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\ R;\
-R\isasymrbrakk\ \isasymLongrightarrow\ Q%
-\end{isabelle}
-We can see a contradiction in the form of assumptions \isa{\isasymnot\ R}
-and~\isa{R}, which suggests using negation elimination. If applied on its own,
-\isa{notE} will select the first negated assumption, which is useless.
-Instead, we invoke the rule using the
-\isa{by} command.
-Now when Isabelle selects the first assumption, it tries to prove \isa{P\
-\isasymlongrightarrow\ Q} and fails; it then backtracks, finds the
-assumption \isa{\isasymnot~R} and finally proves \isa{R} by assumption. That
-concludes the proof.
-
-\medskip
-
-The following example may be skipped on a first reading. It involves a
-peculiar but important rule, a form of disjunction introduction:
-\begin{isabelle}
-(\isasymnot \ ?Q\ \isasymLongrightarrow \ ?P)\ \isasymLongrightarrow \ ?P\ \isasymor \ ?Q%
-\rulenamedx{disjCI}
-\end{isabelle}
-This rule combines the effects of \isa{disjI1} and \isa{disjI2}. Its great
-advantage is that we can remove the disjunction symbol without deciding
-which disjunction to prove. This treatment of disjunction is standard in sequent
-and tableau calculi.
-
-\begin{isabelle}
-\isacommand{lemma}\ "(P\ \isasymor\ Q)\ \isasymand\ R\
-\isasymLongrightarrow\ P\ \isasymor\ (Q\ \isasymand\ R)"\isanewline
-\isacommand{apply}\ (rule\ disjCI)\isanewline
-\isacommand{apply}\ (elim\ conjE\ disjE)\isanewline
-\ \isacommand{apply}\ assumption
-\isanewline
-\isacommand{by}\ (erule\ contrapos_np,\ rule\ conjI)
-\end{isabelle}
-%
-The first proof step to applies the introduction rules \isa{disjCI}.
-The resulting subgoal has the negative assumption
-\hbox{\isa{\isasymnot(Q\ \isasymand\ R)}}.
-
-\begin{isabelle}
-\ 1.\ \isasymlbrakk(P\ \isasymor\ Q)\ \isasymand\ R;\ \isasymnot\ (Q\ \isasymand\
-R)\isasymrbrakk\ \isasymLongrightarrow\ P%
-\end{isabelle}
-Next we apply the \isa{elim} method, which repeatedly applies
-elimination rules; here, the elimination rules given
-in the command. One of the subgoals is trivial (\isa{\isacommand{apply} assumption}),
-leaving us with one other:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymnot}\ (Q\ \isasymand\ R);\ R;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P%
-\end{isabelle}
-%
-Now we must move the formula \isa{Q\ \isasymand\ R} to be the conclusion. The
-combination
-\begin{isabelle}
-\ \ \ \ \ (erule\ contrapos_np,\ rule\ conjI)
-\end{isabelle}
-is robust: the \isa{conjI} forces the \isa{erule} to select a
-conjunction. The two subgoals are the ones we would expect from applying
-conjunction introduction to
-\isa{Q~\isasymand~R}:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\
-Q\isanewline
-\ 2.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\ R%
-\end{isabelle}
-They are proved by assumption, which is implicit in the \isacommand{by}
-command.%
-\index{negation|)}
-
-
-\section{Interlude: the Basic Methods for Rules}
-
-We have seen examples of many tactics that operate on individual rules. It
-may be helpful to review how they work given an arbitrary rule such as this:
-\[ \infer{Q}{P@1 & \ldots & P@n} \]
-Below, we refer to $P@1$ as the \bfindex{major premise}. This concept
-applies only to elimination and destruction rules. These rules act upon an
-instance of their major premise, typically to replace it by subformulas of itself.
-
-Suppose that the rule above is called~\isa{R}\@. Here are the basic rule
-methods, most of which we have already seen:
-\begin{itemize}
-\item
-Method \isa{rule\ R} unifies~$Q$ with the current subgoal, replacing it
-by $n$ new subgoals: instances of $P@1$, \ldots,~$P@n$.
-This is backward reasoning and is appropriate for introduction rules.
-\item
-Method \isa{erule\ R} unifies~$Q$ with the current subgoal and
-simultaneously unifies $P@1$ with some assumption. The subgoal is
-replaced by the $n-1$ new subgoals of proving
-instances of $P@2$,
-\ldots,~$P@n$, with the matching assumption deleted. It is appropriate for
-elimination rules. The method
-\isa{(rule\ R,\ assumption)} is similar, but it does not delete an
-assumption.
-\item
-Method \isa{drule\ R} unifies $P@1$ with some assumption, which it
-then deletes. The subgoal is
-replaced by the $n-1$ new subgoals of proving $P@2$, \ldots,~$P@n$; an
-$n$th subgoal is like the original one but has an additional assumption: an
-instance of~$Q$. It is appropriate for destruction rules.
-\item
-Method \isa{frule\ R} is like \isa{drule\ R} except that the matching
-assumption is not deleted. (See {\S}\ref{sec:frule} below.)
-\end{itemize}
-
-Other methods apply a rule while constraining some of its
-variables. The typical form is
-\begin{isabelle}
-\ \ \ \ \ \methdx{rule_tac}\ $v@1$ = $t@1$ \isakeyword{and} \ldots \isakeyword{and}
-$v@k$ =
-$t@k$ \isakeyword{in} R
-\end{isabelle}
-This method behaves like \isa{rule R}, while instantiating the variables
-$v@1$, \ldots,
-$v@k$ as specified. We similarly have \methdx{erule_tac}, \methdx{drule_tac} and
-\methdx{frule_tac}. These methods also let us specify which subgoal to
-operate on. By default it is the first subgoal, as with nearly all
-methods, but we can specify that rule \isa{R} should be applied to subgoal
-number~$i$:
-\begin{isabelle}
-\ \ \ \ \ rule_tac\ [$i$] R
-\end{isabelle}
-
-
-
-\section{Unification and Substitution}\label{sec:unification}
-
-\index{unification|(}%
-As we have seen, Isabelle rules involve schematic variables, which begin with
-a question mark and act as
-placeholders for terms. \textbf{Unification} --- well known to Prolog programmers --- is the act of
-making two terms identical, possibly replacing their schematic variables by
-terms. The simplest case is when the two terms are already the same. Next
-simplest is \textbf{pattern-matching}, which replaces variables in only one of the
-terms. The
-\isa{rule} method typically matches the rule's conclusion
-against the current subgoal. The
-\isa{assumption} method matches the current subgoal's conclusion
-against each of its assumptions. Unification can instantiate variables in both terms; the \isa{rule} method can do this if the goal
-itself contains schematic variables. Other occurrences of the variables in
-the rule or proof state are updated at the same time.
-
-Schematic variables in goals represent unknown terms. Given a goal such
-as $\exists x.\,P$, they let us proceed with a proof. They can be
-filled in later, sometimes in stages and often automatically.
-
-\begin{pgnote}
-If unification fails when you think it should succeed, try setting the Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
-\pgmenu{Trace Unification},
-which makes Isabelle show the cause of unification failures (in Proof
-General's \pgmenu{Trace} buffer).
-\end{pgnote}
-\noindent
-For example, suppose we are trying to prove this subgoal by assumption:
-\begin{isabelle}
-\ 1.\ P\ (a,\ f\ (b,\ g\ (e,\ a),\ b),\ a)\ \isasymLongrightarrow \ P\ (a,\ f\ (b,\ g\ (c,\ a),\ b),\ a)
-\end{isabelle}
-The \isa{assumption} method having failed, we try again with the flag set:
-\begin{isabelle}
-\isacommand{apply} assumption
-\end{isabelle}
-In this trivial case, the output clearly shows that \isa{e} clashes with \isa{c}:
-\begin{isabelle}
-Clash: e =/= c
-\end{isabelle}
-
-Isabelle uses
-\textbf{higher-order} unification, which works in the
-typed $\lambda$-calculus. The procedure requires search and is potentially
-undecidable. For our purposes, however, the differences from ordinary
-unification are straightforward. It handles bound variables
-correctly, avoiding capture. The two terms
-\isa{{\isasymlambda}x.\ f(x,z)} and \isa{{\isasymlambda}y.\ f(y,z)} are
-trivially unifiable because they differ only by a bound variable renaming. The two terms \isa{{\isasymlambda}x.\ ?P} and
-\isa{{\isasymlambda}x.\ t x} are not unifiable; replacing \isa{?P} by
-\isa{t x} is forbidden because the free occurrence of~\isa{x} would become
-bound. Unfortunately, even if \isa{trace_unify_fail} is set, Isabelle displays no information about this type of failure.
-
-\begin{warn}
-Higher-order unification sometimes must invent
-$\lambda$-terms to replace function variables,
-which can lead to a combinatorial explosion. However, Isabelle proofs tend
-to involve easy cases where there are few possibilities for the
-$\lambda$-term being constructed. In the easiest case, the
-function variable is applied only to bound variables,
-as when we try to unify \isa{{\isasymlambda}x\ y.\ f(?h x y)} and
-\isa{{\isasymlambda}x\ y.\ f(x+y+a)}. The only solution is to replace
-\isa{?h} by \isa{{\isasymlambda}x\ y.\ x+y+a}. Such cases admit at most
-one unifier, like ordinary unification. A harder case is
-unifying \isa{?h a} with~\isa{a+b}; it admits two solutions for \isa{?h},
-namely \isa{{\isasymlambda}x.~a+b} and \isa{{\isasymlambda}x.~x+b}.
-Unifying \isa{?h a} with~\isa{a+a+b} admits four solutions; their number is
-exponential in the number of occurrences of~\isa{a} in the second term.
-\end{warn}
-
-
-
-\subsection{Substitution and the {\tt\slshape subst} Method}
-\label{sec:subst}
-
-\index{substitution|(}%
-Isabelle also uses function variables to express \textbf{substitution}.
-A typical substitution rule allows us to replace one term by
-another if we know that two terms are equal.
-\[ \infer{P[t/x]}{s=t & P[s/x]} \]
-The rule uses a notation for substitution: $P[t/x]$ is the result of
-replacing $x$ by~$t$ in~$P$. The rule only substitutes in the positions
-designated by~$x$. For example, it can
-derive symmetry of equality from reflexivity. Using $x=s$ for~$P$
-replaces just the first $s$ in $s=s$ by~$t$:
-\[ \infer{t=s}{s=t & \infer{s=s}{}} \]
-
-The Isabelle version of the substitution rule looks like this:
-\begin{isabelle}
-\isasymlbrakk?t\ =\ ?s;\ ?P\ ?s\isasymrbrakk\ \isasymLongrightarrow\ ?P\
-?t
-\rulenamedx{ssubst}
-\end{isabelle}
-Crucially, \isa{?P} is a function
-variable. It can be replaced by a $\lambda$-term
-with one bound variable, whose occurrences identify the places
-in which $s$ will be replaced by~$t$. The proof above requires \isa{?P}
-to be replaced by \isa{{\isasymlambda}x.~x=s}; the second premise will then
-be \isa{s=s} and the conclusion will be \isa{t=s}.
-
-The \isa{simp} method also replaces equals by equals, but the substitution
-rule gives us more control. Consider this proof:
-\begin{isabelle}
-\isacommand{lemma}\
-"\isasymlbrakk x\ =\ f\ x;\ odd(f\ x)\isasymrbrakk\ \isasymLongrightarrow\
-odd\ x"\isanewline
-\isacommand{by}\ (erule\ ssubst)
-\end{isabelle}
-%
-The assumption \isa{x\ =\ f\ x}, if used for rewriting, would loop,
-replacing \isa{x} by \isa{f x} and then by
-\isa{f(f x)} and so forth. (Here \isa{simp}
-would see the danger and would re-orient the equality, but in more complicated
-cases it can be fooled.) When we apply the substitution rule,
-Isabelle replaces every
-\isa{x} in the subgoal by \isa{f x} just once. It cannot loop. The
-resulting subgoal is trivial by assumption, so the \isacommand{by} command
-proves it implicitly.
-
-We are using the \isa{erule} method in a novel way. Hitherto,
-the conclusion of the rule was just a variable such as~\isa{?R}, but it may
-be any term. The conclusion is unified with the subgoal just as
-it would be with the \isa{rule} method. At the same time \isa{erule} looks
-for an assumption that matches the rule's first premise, as usual. With
-\isa{ssubst} the effect is to find, use and delete an equality
-assumption.
-
-The \methdx{subst} method performs individual substitutions. In simple cases,
-it closely resembles a use of the substitution rule. Suppose a
-proof has reached this point:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \ \isasymLongrightarrow \ f\ z\ =\ x\ *\ y%
-\end{isabelle}
-Now we wish to apply a commutative law:
-\begin{isabelle}
-?m\ *\ ?n\ =\ ?n\ *\ ?m%
-\rulename{mult_commute}
-\end{isabelle}
-Isabelle rejects our first attempt:
-\begin{isabelle}
-apply (simp add: mult_commute)
-\end{isabelle}
-The simplifier notices the danger of looping and refuses to apply the
-rule.%
-\footnote{More precisely, it only applies such a rule if the new term is
-smaller under a specified ordering; here, \isa{x\ *\ y}
-is already smaller than
-\isa{y\ *\ x}.}
-%
-The \isa{subst} method applies \isa{mult_commute} exactly once.
-\begin{isabelle}
-\isacommand{apply}\ (subst\ mult_commute)\isanewline
-\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \
-\isasymLongrightarrow \ f\ z\ =\ y\ *\ x%
-\end{isabelle}
-As we wanted, \isa{x\ *\ y} has become \isa{y\ *\ x}.
-
-\medskip
-This use of the \methdx{subst} method has the same effect as the command
-\begin{isabelle}
-\isacommand{apply}\ (rule\ mult_commute [THEN ssubst])
-\end{isabelle}
-The attribute \isa{THEN}, which combines two rules, is described in
-{\S}\ref{sec:THEN} below. The \methdx{subst} method is more powerful than
-applying the substitution rule. It can perform substitutions in a subgoal's
-assumptions. Moreover, if the subgoal contains more than one occurrence of
-the left-hand side of the equality, the \methdx{subst} method lets us specify which occurrence should be replaced.
-
-
-\subsection{Unification and Its Pitfalls}
-
-Higher-order unification can be tricky. Here is an example, which you may
-want to skip on your first reading:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\
-f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{apply}\ (erule\ ssubst)\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{back}\isanewline
-\isacommand{apply}\ assumption\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-By default, Isabelle tries to substitute for all the
-occurrences. Applying \isa{erule\ ssubst} yields this subgoal:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ (f\ x)
-\end{isabelle}
-The substitution should have been done in the first two occurrences
-of~\isa{x} only. Isabelle has gone too far. The \commdx{back}
-command allows us to reject this possibility and demand a new one:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ (f\ x)\ (f\ x)
-\end{isabelle}
-%
-Now Isabelle has left the first occurrence of~\isa{x} alone. That is
-promising but it is not the desired combination. So we use \isacommand{back}
-again:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ x\ (f\ x)
-\end{isabelle}
-%
-This also is wrong, so we use \isacommand{back} again:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ x\ (f\ x)
-\end{isabelle}
-%
-And this one is wrong too. Looking carefully at the series
-of alternatives, we see a binary countdown with reversed bits: 111,
-011, 101, 001. Invoke \isacommand{back} again:
-\begin{isabelle}
-\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ x%
-\end{isabelle}
-At last, we have the right combination! This goal follows by assumption.%
-\index{unification|)}
-
-\medskip
-This example shows that unification can do strange things with
-function variables. We were forced to select the right unifier using the
-\isacommand{back} command. That is all right during exploration, but \isacommand{back}
-should never appear in the final version of a proof. You can eliminate the
-need for \isacommand{back} by giving Isabelle less freedom when you apply a rule.
-
-One way to constrain the inference is by joining two methods in a
-\isacommand{apply} command. Isabelle applies the first method and then the
-second. If the second method fails then Isabelle automatically backtracks.
-This process continues until the first method produces an output that the
-second method can use. We get a one-line proof of our example:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{apply}\ (erule\ ssubst,\ assumption)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-\noindent
-The \isacommand{by} command works too, since it backtracks when
-proving subgoals by assumption:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
-\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{by}\ (erule\ ssubst)
-\end{isabelle}
-
-
-The most general way to constrain unification is
-by instantiating variables in the rule. The method \isa{rule_tac} is
-similar to \isa{rule}, but it
-makes some of the rule's variables denote specified terms.
-Also available are {\isa{drule_tac}} and \isa{erule_tac}. Here we need
-\isa{erule_tac} since above we used \isa{erule}.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\ \isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
-\isacommand{by}\ (erule_tac\ P = "\isasymlambda u.\ triple\ u\ u\ x"\
-\isakeyword{in}\ ssubst)
-\end{isabelle}
-%
-To specify a desired substitution
-requires instantiating the variable \isa{?P} with a $\lambda$-expression.
-The bound variable occurrences in \isa{{\isasymlambda}u.\ P\ u\
-u\ x} indicate that the first two arguments have to be substituted, leaving
-the third unchanged. With this instantiation, backtracking is neither necessary
-nor possible.
-
-An alternative to \isa{rule_tac} is to use \isa{rule} with a theorem
-modified using~\isa{of}, described in
-{\S}\ref{sec:forward} below. But \isa{rule_tac}, unlike \isa{of}, can
-express instantiations that refer to
-\isasymAnd-bound variables in the current subgoal.%
-\index{substitution|)}
-
-
-\section{Quantifiers}
-
-\index{quantifiers!universal|(}%
-Quantifiers require formalizing syntactic substitution and the notion of
-arbitrary value. Consider the universal quantifier. In a logic
-book, its introduction rule looks like this:
-\[ \infer{\forall x.\,P}{P} \]
-Typically, a proviso written in English says that $x$ must not
-occur in the assumptions. This proviso guarantees that $x$ can be regarded as
-arbitrary, since it has not been assumed to satisfy any special conditions.
-Isabelle's underlying formalism, called the
-\bfindex{meta-logic}, eliminates the need for English. It provides its own
-universal quantifier (\isasymAnd) to express the notion of an arbitrary value.
-We have already seen another operator of the meta-logic, namely
-\isa\isasymLongrightarrow, which expresses inference rules and the treatment
-of assumptions. The only other operator in the meta-logic is \isa\isasymequiv,
-which can be used to define constants.
-
-\subsection{The Universal Introduction Rule}
-
-Returning to the universal quantifier, we find that having a similar quantifier
-as part of the meta-logic makes the introduction rule trivial to express:
-\begin{isabelle}
-(\isasymAnd x.\ ?P\ x)\ \isasymLongrightarrow\ {\isasymforall}x.\ ?P\ x\rulenamedx{allI}
-\end{isabelle}
-
-
-The following trivial proof demonstrates how the universal introduction
-rule works.
-\begin{isabelle}
-\isacommand{lemma}\ "{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ x"\isanewline
-\isacommand{apply}\ (rule\ allI)\isanewline
-\isacommand{by}\ (rule\ impI)
-\end{isabelle}
-The first step invokes the rule by applying the method \isa{rule allI}.
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ P\ x\ \isasymlongrightarrow\ P\ x
-\end{isabelle}
-Note that the resulting proof state has a bound variable,
-namely~\isa{x}. The rule has replaced the universal quantifier of
-higher-order logic by Isabelle's meta-level quantifier. Our goal is to
-prove
-\isa{P\ x\ \isasymlongrightarrow\ P\ x} for arbitrary~\isa{x}; it is
-an implication, so we apply the corresponding introduction rule (\isa{impI}).
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow\ P\ x
-\end{isabelle}
-This last subgoal is implicitly proved by assumption.
-
-\subsection{The Universal Elimination Rule}
-
-Now consider universal elimination. In a logic text,
-the rule looks like this:
-\[ \infer{P[t/x]}{\forall x.\,P} \]
-The conclusion is $P$ with $t$ substituted for the variable~$x$.
-Isabelle expresses substitution using a function variable:
-\begin{isabelle}
-{\isasymforall}x.\ ?P\ x\ \isasymLongrightarrow\ ?P\ ?x\rulenamedx{spec}
-\end{isabelle}
-This destruction rule takes a
-universally quantified formula and removes the quantifier, replacing
-the bound variable \isa{x} by the schematic variable \isa{?x}. Recall that a
-schematic variable starts with a question mark and acts as a
-placeholder: it can be replaced by any term.
-
-The universal elimination rule is also
-available in the standard elimination format. Like \isa{conjE}, it never
-appears in logic books:
-\begin{isabelle}
-\isasymlbrakk \isasymforall x.\ ?P\ x;\ ?P\ ?x\ \isasymLongrightarrow \ ?R\isasymrbrakk \ \isasymLongrightarrow \ ?R%
-\rulenamedx{allE}
-\end{isabelle}
-The methods \isa{drule~spec} and \isa{erule~allE} do precisely the
-same inference.
-
-To see how $\forall$-elimination works, let us derive a rule about reducing
-the scope of a universal quantifier. In mathematical notation we write
-\[ \infer{P\imp\forall x.\,Q}{\forall x.\,P\imp Q} \]
-with the proviso ``$x$ not free in~$P$.'' Isabelle's treatment of
-substitution makes the proviso unnecessary. The conclusion is expressed as
-\isa{P\
-\isasymlongrightarrow\ ({\isasymforall}x.\ Q\ x)}. No substitution for the
-variable \isa{P} can introduce a dependence upon~\isa{x}: that would be a
-bound variable capture. Let us walk through the proof.
-\begin{isabelle}
-\isacommand{lemma}\ "(\isasymforall x.\ P\ \isasymlongrightarrow \ Q\ x)\
-\isasymLongrightarrow \ P\ \isasymlongrightarrow \ (\isasymforall x.\ Q\
-x)"
-\end{isabelle}
-First we apply implies introduction (\isa{impI}),
-which moves the \isa{P} from the conclusion to the assumptions. Then
-we apply universal introduction (\isa{allI}).
-\begin{isabelle}
-\isacommand{apply}\ (rule\ impI,\ rule\ allI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymforall}x.\ P\ \isasymlongrightarrow\ Q\
-x;\ P\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
-\end{isabelle}
-As before, it replaces the HOL
-quantifier by a meta-level quantifier, producing a subgoal that
-binds the variable~\isa{x}. The leading bound variables
-(here \isa{x}) and the assumptions (here \isa{{\isasymforall}x.\ P\
-\isasymlongrightarrow\ Q\ x} and \isa{P}) form the \textbf{context} for the
-conclusion, here \isa{Q\ x}. Subgoals inherit the context,
-although assumptions can be added or deleted (as we saw
-earlier), while rules such as \isa{allI} add bound variables.
-
-Now, to reason from the universally quantified
-assumption, we apply the elimination rule using the \isa{drule}
-method. This rule is called \isa{spec} because it specializes a universal formula
-to a particular term.
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ P\ \isasymlongrightarrow\ Q\ (?x2\
-x)\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
-\end{isabelle}
-Observe how the context has changed. The quantified formula is gone,
-replaced by a new assumption derived from its body. We have
-removed the quantifier and replaced the bound variable
-by the curious term
-\isa{?x2~x}. This term is a placeholder: it may become any term that can be
-built from~\isa{x}. (Formally, \isa{?x2} is an unknown of function type, applied
-to the argument~\isa{x}.) This new assumption is an implication, so we can use
-\emph{modus ponens} on it, which concludes the proof.
-\begin{isabelle}
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-Let us take a closer look at this last step. \emph{Modus ponens} yields
-two subgoals: one where we prove the antecedent (in this case \isa{P}) and
-one where we may assume the consequent. Both of these subgoals are proved
-by the
-\isa{assumption} method, which is implicit in the
-\isacommand{by} command. Replacing the \isacommand{by} command by
-\isa{\isacommand{apply} (drule\ mp, assumption)} would have left one last
-subgoal:
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ Q\ (?x2\ x)\isasymrbrakk\
-\isasymLongrightarrow\ Q\ x
-\end{isabelle}
-The consequent is \isa{Q} applied to that placeholder. It may be replaced by any
-term built from~\isa{x}, and here
-it should simply be~\isa{x}. The assumption need not
-be identical to the conclusion, provided the two formulas are unifiable.%
-\index{quantifiers!universal|)}
-
-
-\subsection{The Existential Quantifier}
-
-\index{quantifiers!existential|(}%
-The concepts just presented also apply
-to the existential quantifier, whose introduction rule looks like this in
-Isabelle:
-\begin{isabelle}
-?P\ ?x\ \isasymLongrightarrow\ {\isasymexists}x.\ ?P\ x\rulenamedx{exI}
-\end{isabelle}
-If we can exhibit some $x$ such that $P(x)$ is true, then $\exists x.
-P(x)$ is also true. It is a dual of the universal elimination rule, and
-logic texts present it using the same notation for substitution.
-
-The existential
-elimination rule looks like this
-in a logic text:
-\[ \infer{Q}{\exists x.\,P & \infer*{Q}{[P]}} \]
-%
-It looks like this in Isabelle:
-\begin{isabelle}
-\isasymlbrakk{\isasymexists}x.\ ?P\ x;\ \isasymAnd x.\ ?P\ x\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?Q\rulenamedx{exE}
-\end{isabelle}
-%
-Given an existentially quantified theorem and some
-formula $Q$ to prove, it creates a new assumption by removing the quantifier. As with
-the universal introduction rule, the textbook version imposes a proviso on the
-quantified variable, which Isabelle expresses using its meta-logic. It is
-enough to have a universal quantifier in the meta-logic; we do not need an existential
-quantifier to be built in as well.
-
-
-\begin{exercise}
-Prove the lemma
-\[ \exists x.\, P\conj Q(x)\Imp P\conj(\exists x.\, Q(x)). \]
-\emph{Hint}: the proof is similar
-to the one just above for the universal quantifier.
-\end{exercise}
-\index{quantifiers!existential|)}
-
-
-\subsection{Renaming a Bound Variable: {\tt\slshape rename_tac}}
-
-\index{assumptions!renaming|(}\index{*rename_tac (method)|(}%
-When you apply a rule such as \isa{allI}, the quantified variable
-becomes a new bound variable of the new subgoal. Isabelle tries to avoid
-changing its name, but sometimes it has to choose a new name in order to
-avoid a clash. The result may not be ideal:
-\begin{isabelle}
-\isacommand{lemma}\ "x\ <\ y\ \isasymLongrightarrow \ \isasymforall x\ y.\ P\ x\
-(f\ y)"\isanewline
-\isacommand{apply}\ (intro allI)\isanewline
-\ 1.\ \isasymAnd xa\ ya.\ x\ <\ y\ \isasymLongrightarrow \ P\ xa\ (f\ ya)
-\end{isabelle}
-%
-The names \isa{x} and \isa{y} were already in use, so the new bound variables are
-called \isa{xa} and~\isa{ya}. You can rename them by invoking \isa{rename_tac}:
-
-\begin{isabelle}
-\isacommand{apply}\ (rename_tac\ v\ w)\isanewline
-\ 1.\ \isasymAnd v\ w.\ x\ <\ y\ \isasymLongrightarrow \ P\ v\ (f\ w)
-\end{isabelle}
-Recall that \isa{rule_tac}\index{*rule_tac (method)!and renaming}
-instantiates a
-theorem with specified terms. These terms may involve the goal's bound
-variables, but beware of referring to variables
-like~\isa{xa}. A future change to your theories could change the set of names
-produced at top level, so that \isa{xa} changes to~\isa{xb} or reverts to~\isa{x}.
-It is safer to rename automatically-generated variables before mentioning them.
-
-If the subgoal has more bound variables than there are names given to
-\isa{rename_tac}, the rightmost ones are renamed.%
-\index{assumptions!renaming|)}\index{*rename_tac (method)|)}
-
-
-\subsection{Reusing an Assumption: {\tt\slshape frule}}
-\label{sec:frule}
-
-\index{assumptions!reusing|(}\index{*frule (method)|(}%
-Note that \isa{drule spec} removes the universal quantifier and --- as
-usual with elimination rules --- discards the original formula. Sometimes, a
-universal formula has to be kept so that it can be used again. Then we use a new
-method: \isa{frule}. It acts like \isa{drule} but copies rather than replaces
-the selected assumption. The \isa{f} is for \emph{forward}.
-
-In this example, going from \isa{P\ a} to \isa{P(h(h~a))}
-requires two uses of the quantified assumption, one for each~\isa{h}
-in~\isa{h(h~a)}.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);
-\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P(h\ (h\ a))"
-\end{isabelle}
-%
-Examine the subgoal left by \isa{frule}:
-\begin{isabelle}
-\isacommand{apply}\ (frule\ spec)\isanewline
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ ?x\ \isasymlongrightarrow\ P\ (h\ ?x)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-It is what \isa{drule} would have left except that the quantified
-assumption is still present. Next we apply \isa{mp} to the
-implication and the assumption~\isa{P\ a}:
-\begin{isabelle}
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-%
-We have created the assumption \isa{P(h\ a)}, which is progress. To
-continue the proof, we apply \isa{spec} again. We shall not need it
-again, so we can use
-\isa{drule}.
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ ?x2\
-\isasymlongrightarrow \ P\ (h\ ?x2)\isasymrbrakk \ \isasymLongrightarrow \
-P\ (h\ (h\ a))
-\end{isabelle}
-%
-The new assumption bridges the gap between \isa{P(h\ a)} and \isa{P(h(h\ a))}.
-\begin{isabelle}
-\isacommand{by}\ (drule\ mp)
-\end{isabelle}
-
-\medskip
-\emph{A final remark}. Replacing this \isacommand{by} command with
-\begin{isabelle}
-\isacommand{apply}\ (drule\ mp,\ assumption)
-\end{isabelle}
-would not work: it would add a second copy of \isa{P(h~a)} instead
-of the desired assumption, \isa{P(h(h~a))}. The \isacommand{by}
-command forces Isabelle to backtrack until it finds the correct one.
-Alternatively, we could have used the \isacommand{apply} command and bundled the
-\isa{drule mp} with \emph{two} calls of \isa{assumption}. Or, of course,
-we could have given the entire proof to \isa{auto}.%
-\index{assumptions!reusing|)}\index{*frule (method)|)}
-
-
-
-\subsection{Instantiating a Quantifier Explicitly}
-\index{quantifiers!instantiating}
-
-We can prove a theorem of the form $\exists x.\,P\, x$ by exhibiting a
-suitable term~$t$ such that $P\,t$ is true. Dually, we can use an
-assumption of the form $\forall x.\,P\, x$ to generate a new assumption $P\,t$ for
-a suitable term~$t$. In many cases,
-Isabelle makes the correct choice automatically, constructing the term by
-unification. In other cases, the required term is not obvious and we must
-specify it ourselves. Suitable methods are \isa{rule_tac}, \isa{drule_tac}
-and \isa{erule_tac}.
-
-We have seen (just above, {\S}\ref{sec:frule}) a proof of this lemma:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk \isasymforall x.\ P\ x\
-\isasymlongrightarrow \ P\ (h\ x);\ P\ a\isasymrbrakk \
-\isasymLongrightarrow \ P(h\ (h\ a))"
-\end{isabelle}
-We had reached this subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\
-x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
-\end{isabelle}
-%
-The proof requires instantiating the quantified assumption with the
-term~\isa{h~a}.
-\begin{isabelle}
-\isacommand{apply}\ (drule_tac\ x\ =\ "h\ a"\ \isakeyword{in}\
-spec)\isanewline
-\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ (h\ a)\ \isasymlongrightarrow \
-P\ (h\ (h\ a))\isasymrbrakk \ \isasymLongrightarrow \ P\ (h\ (h\ a))
-\end{isabelle}
-We have forced the desired instantiation.
-
-\medskip
-Existential formulas can be instantiated too. The next example uses the
-\textbf{divides} relation\index{divides relation}
-of number theory:
-\begin{isabelle}
-?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
-\rulename{dvd_def}
-\end{isabelle}
-
-Let us prove that multiplication of natural numbers is monotone with
-respect to the divides relation:
-\begin{isabelle}
-\isacommand{lemma}\ mult_dvd_mono:\ "{\isasymlbrakk}i\ dvd\ m;\ j\ dvd\
-n\isasymrbrakk\ \isasymLongrightarrow\ i*j\ dvd\ (m*n\ ::\ nat)"\isanewline
-\isacommand{apply}\ (simp\ add:\ dvd_def)
-\end{isabelle}
-%
-Unfolding the definition of divides has left this subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk \isasymexists k.\ m\ =\ i\ *\ k;\ \isasymexists k.\ n\
-=\ j\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\
-n\ =\ i\ *\ j\ *\ k
-\end{isabelle}
-%
-Next, we eliminate the two existential quantifiers in the assumptions:
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd k.\ \isasymlbrakk \isasymexists k.\ n\ =\ j\ *\ k;\ m\ =\
-i\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\
-=\ i\ *\ j\ *\ k%
-\isanewline
-\isacommand{apply}\ (erule\ exE)
-\isanewline
-\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
-ka\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\
-*\ j\ *\ k
-\end{isabelle}
-%
-The term needed to instantiate the remaining quantifier is~\isa{k*ka}. But
-\isa{ka} is an automatically-generated name. As noted above, references to
-such variable names makes a proof less resilient to future changes. So,
-first we rename the most recent variable to~\isa{l}:
-\begin{isabelle}
-\isacommand{apply}\ (rename_tac\ l)\isanewline
-\ 1.\ \isasymAnd k\ l.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\ l\isasymrbrakk \
-\isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\ *\ j\ *\ k%
-\end{isabelle}
-
-We instantiate the quantifier with~\isa{k*l}:
-\begin{isabelle}
-\isacommand{apply}\ (rule_tac\ x="k*l"\ \isakeyword{in}\ exI)\ \isanewline
-\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
-ka\isasymrbrakk \ \isasymLongrightarrow \ m\ *\ n\ =\ i\
-*\ j\ *\ (k\ *\ ka)
-\end{isabelle}
-%
-The rest is automatic, by arithmetic.
-\begin{isabelle}
-\isacommand{apply}\ simp\isanewline
-\isacommand{done}\isanewline
-\end{isabelle}
-
-
-
-\section{Description Operators}
-\label{sec:SOME}
-
-\index{description operators|(}%
-HOL provides two description operators.
-A \textbf{definite description} formalizes the word ``the,'' as in
-``the greatest divisior of~$n$.''
-It returns an arbitrary value unless the formula has a unique solution.
-An \textbf{indefinite description} formalizes the word ``some,'' as in
-``some member of~$S$.'' It differs from a definite description in not
-requiring the solution to be unique: it uses the axiom of choice to pick any
-solution.
-
-\begin{warn}
-Description operators can be hard to reason about. Novices
-should try to avoid them. Fortunately, descriptions are seldom required.
-\end{warn}
-
-\subsection{Definite Descriptions}
-
-\index{descriptions!definite}%
-A definite description is traditionally written $\iota x. P(x)$. It denotes
-the $x$ such that $P(x)$ is true, provided there exists a unique such~$x$;
-otherwise, it returns an arbitrary value of the expected type.
-Isabelle uses \sdx{THE} for the Greek letter~$\iota$.
-
-%(The traditional notation could be provided, but it is not legible on screen.)
-
-We reason using this rule, where \isa{a} is the unique solution:
-\begin{isabelle}
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
-\isasymLongrightarrow \ (THE\ x.\ P\ x)\ =\ a%
-\rulenamedx{the_equality}
-\end{isabelle}
-For instance, we can define the
-cardinality of a finite set~$A$ to be that
-$n$ such that $A$ is in one-to-one correspondence with $\{1,\ldots,n\}$. We can then
-prove that the cardinality of the empty set is zero (since $n=0$ satisfies the
-description) and proceed to prove other facts.
-
-A more challenging example illustrates how Isabelle/HOL defines the least number
-operator, which denotes the least \isa{x} satisfying~\isa{P}:%
-\index{least number operator|see{\protect\isa{LEAST}}}
-\begin{isabelle}
-(LEAST\ x.\ P\ x)\ = (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\
-P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))
-\end{isabelle}
-%
-Let us prove the analogue of \isa{the_equality} for \sdx{LEAST}\@.
-\begin{isabelle}
-\isacommand{theorem}\ Least_equality:\isanewline
-\ \ \ \ \ "\isasymlbrakk P\ (k::nat);\ \ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ (LEAST\ x.\ P\ x)\ =\ k"\isanewline
-\isacommand{apply}\ (simp\ add:\ Least_def)\isanewline
-\isanewline
-\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))\ =\ k%
-\end{isabelle}
-The first step has merely unfolded the definition.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ the_equality)\isanewline
-\isanewline
-\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\
-\isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ P\ k\ \isasymand \
-(\isasymforall y.\ P\ y\ \isasymlongrightarrow \ k\ \isasymle \ y)\isanewline
-\ 2.\ \isasymAnd x.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x;\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y)\isasymrbrakk \isanewline
-\ \ \ \ \ \ \ \ \isasymLongrightarrow \ x\ =\ k%
-\end{isabelle}
-As always with \isa{the_equality}, we must show existence and
-uniqueness of the claimed solution,~\isa{k}. Existence, the first
-subgoal, is trivial. Uniqueness, the second subgoal, follows by antisymmetry:
-\begin{isabelle}
-\isasymlbrakk x\ \isasymle \ y;\ y\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ x\ =\ y%
-\rulename{order_antisym}
-\end{isabelle}
-The assumptions imply both \isa{k~\isasymle~x} and \isa{x~\isasymle~k}. One
-call to \isa{auto} does it all:
-\begin{isabelle}
-\isacommand{by}\ (auto\ intro:\ order_antisym)
-\end{isabelle}
-
-
-\subsection{Indefinite Descriptions}
-
-\index{Hilbert's $\varepsilon$-operator}%
-\index{descriptions!indefinite}%
-An indefinite description is traditionally written $\varepsilon x. P(x)$ and is
-known as Hilbert's $\varepsilon$-operator. It denotes
-some $x$ such that $P(x)$ is true, provided one exists.
-Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.
-
-Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_into}, which we ignore here.} which expresses inverses of
-functions:
-\begin{isabelle}
-inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
-\rulename{inv_def}
-\end{isabelle}
-Using \isa{SOME} rather than \isa{THE} makes \isa{inv~f} behave well
-even if \isa{f} is not injective. As it happens, most useful theorems about
-\isa{inv} do assume the function to be injective.
-
-The inverse of \isa{f}, when applied to \isa{y}, returns some~\isa{x} such that
-\isa{f~x~=~y}. For example, we can prove \isa{inv~Suc} really is the inverse
-of the \isa{Suc} function
-\begin{isabelle}
-\isacommand{lemma}\ "inv\ Suc\ (Suc\ n)\ =\ n"\isanewline
-\isacommand{by}\ (simp\ add:\ inv_def)
-\end{isabelle}
-
-\noindent
-The proof is a one-liner: the subgoal simplifies to a degenerate application of
-\isa{SOME}, which is then erased. In detail, the left-hand side simplifies
-to \isa{SOME\ x.\ Suc\ x\ =\ Suc\ n}, then to \isa{SOME\ x.\ x\ =\ n} and
-finally to~\isa{n}.
-
-We know nothing about what
-\isa{inv~Suc} returns when applied to zero. The proof above still treats
-\isa{SOME} as a definite description, since it only reasons about
-situations in which the value is described uniquely. Indeed, \isa{SOME}
-satisfies this rule:
-\begin{isabelle}
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
-\isasymLongrightarrow \ (SOME\ x.\ P\ x)\ =\ a%
-\rulenamedx{some_equality}
-\end{isabelle}
-To go further is
-tricky and requires rules such as these:
-\begin{isabelle}
-P\ x\ \isasymLongrightarrow \ P\ (SOME\ x.\ P\ x)
-\rulenamedx{someI}\isanewline
-\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ Q\
-x\isasymrbrakk \ \isasymLongrightarrow \ Q\ (SOME\ x.\ P\ x)
-\rulenamedx{someI2}
-\end{isabelle}
-Rule \isa{someI} is basic: if anything satisfies \isa{P} then so does
-\hbox{\isa{SOME\ x.\ P\ x}}. The repetition of~\isa{P} in the conclusion makes it
-difficult to apply in a backward proof, so the derived rule \isa{someI2} is
-also provided.
-
-\medskip
-For example, let us prove the \rmindex{axiom of choice}:
-\begin{isabelle}
-\isacommand{theorem}\ axiom_of_choice:
-\ "(\isasymforall x.\ \isasymexists y.\ P\ x\ y)\ \isasymLongrightarrow \
-\isasymexists f.\ \isasymforall x.\ P\ x\ (f\ x)"\isanewline
-\isacommand{apply}\ (rule\ exI,\ rule\ allI)\isanewline
-
-\ 1.\ \isasymAnd x.\ \isasymforall x.\ \isasymexists y.\ P\ x\ y\
-\isasymLongrightarrow \ P\ x\ (?f\ x)
-\end{isabelle}
-%
-We have applied the introduction rules; now it is time to apply the elimination
-rules.
-
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec,\ erule\ exE)\isanewline
-
-\ 1.\ \isasymAnd x\ y.\ P\ (?x2\ x)\ y\ \isasymLongrightarrow \ P\ x\ (?f\ x)
-\end{isabelle}
-
-\noindent
-The rule \isa{someI} automatically instantiates
-\isa{f} to \hbox{\isa{\isasymlambda x.\ SOME y.\ P\ x\ y}}, which is the choice
-function. It also instantiates \isa{?x2\ x} to \isa{x}.
-\begin{isabelle}
-\isacommand{by}\ (rule\ someI)\isanewline
-\end{isabelle}
-
-\subsubsection{Historical Note}
-The original purpose of Hilbert's $\varepsilon$-operator was to express an
-existential destruction rule:
-\[ \infer{P[(\varepsilon x. P) / \, x]}{\exists x.\,P} \]
-This rule is seldom used for that purpose --- it can cause exponential
-blow-up --- but it is occasionally used as an introduction rule
-for the~$\varepsilon$-operator. Its name in HOL is \tdxbold{someI_ex}.%%
-\index{description operators|)}
-
-
-\section{Some Proofs That Fail}
-
-\index{proofs!examples of failing|(}%
-Most of the examples in this tutorial involve proving theorems. But not every
-conjecture is true, and it can be instructive to see how
-proofs fail. Here we attempt to prove a distributive law involving
-the existential quantifier and conjunction.
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymexists}x.\ P\ x)\ \isasymand\
-({\isasymexists}x.\ Q\ x)\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\
-\isasymand\ Q\ x"
-\end{isabelle}
-The first steps are routine. We apply conjunction elimination to break
-the assumption into two existentially quantified assumptions.
-Applying existential elimination removes one of the quantifiers.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ conjE)\isanewline
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymexists}x.\ Q\ x;\ P\ x\isasymrbrakk\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-%
-When we remove the other quantifier, we get a different bound
-variable in the subgoal. (The name \isa{xa} is generated automatically.)
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-The proviso of the existential elimination rule has forced the variables to
-differ: we can hardly expect two arbitrary values to be equal! There is
-no way to prove this subgoal. Removing the
-conclusion's existential quantifier yields two
-identical placeholders, which can become any term involving the variables \isa{x}
-and~\isa{xa}. We need one to become \isa{x}
-and the other to become~\isa{xa}, but Isabelle requires all instances of a
-placeholder to be identical.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\isacommand{apply}\ (rule\ conjI)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ P\ (?x3\ x\ xa)\isanewline
-\ 2.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\ \isasymLongrightarrow\ Q\ (?x3\ x\ xa)
-\end{isabelle}
-We can prove either subgoal
-using the \isa{assumption} method. If we prove the first one, the placeholder
-changes into~\isa{x}.
-\begin{isabelle}
-\ \isacommand{apply}\ assumption\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
-\isasymLongrightarrow\ Q\ x
-\end{isabelle}
-We are left with a subgoal that cannot be proved. Applying the \isa{assumption}
-method results in an error message:
-\begin{isabelle}
-*** empty result sequence -- proof command failed
-\end{isabelle}
-When interacting with Isabelle via the shell interface,
-you can abandon a proof using the \isacommand{oops} command.
-
-\medskip
-
-Here is another abortive proof, illustrating the interaction between
-bound variables and unknowns.
-If $R$ is a reflexive relation,
-is there an $x$ such that $R\,x\,y$ holds for all $y$? Let us see what happens when
-we attempt to prove it.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymforall y.\ R\ y\ y\ \isasymLongrightarrow
-\ \isasymexists x.\ \isasymforall y.\ R\ x\ y"
-\end{isabelle}
-First, we remove the existential quantifier. The new proof state has an
-unknown, namely~\isa{?x}.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\ 1.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ \isasymforall y.\ R\ ?x\ y%
-\end{isabelle}
-It looks like we can just apply \isa{assumption}, but it fails. Isabelle
-refuses to substitute \isa{y}, a bound variable, for~\isa{?x}; that would be
-a bound variable capture. We can still try to finish the proof in some
-other way. We remove the universal quantifier from the conclusion, moving
-the bound variable~\isa{y} into the subgoal. But note that it is still
-bound!
-\begin{isabelle}
-\isacommand{apply}\ (rule\ allI)\isanewline
-\ 1.\ \isasymAnd y.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ R\ ?x\ y%
-\end{isabelle}
-Finally, we try to apply our reflexivity assumption. We obtain a
-new assumption whose identical placeholders may be replaced by
-any term involving~\isa{y}.
-\begin{isabelle}
-\isacommand{apply}\ (drule\ spec)\isanewline
-\ 1.\ \isasymAnd y.\ R\ (?z2\ y)\ (?z2\ y)\ \isasymLongrightarrow\ R\ ?x\ y
-\end{isabelle}
-This subgoal can only be proved by putting \isa{y} for all the placeholders,
-making the assumption and conclusion become \isa{R\ y\ y}. Isabelle can
-replace \isa{?z2~y} by \isa{y}; this involves instantiating
-\isa{?z2} to the identity function. But, just as two steps earlier,
-Isabelle refuses to substitute~\isa{y} for~\isa{?x}.
-This example is typical of how Isabelle enforces sound quantifier reasoning.
-\index{proofs!examples of failing|)}
-
-\section{Proving Theorems Using the {\tt\slshape blast} Method}
-
-\index{*blast (method)|(}%
-It is hard to prove many theorems using the methods
-described above. A proof may be hundreds of steps long. You
-may need to search among different ways of proving certain
-subgoals. Often a choice that proves one subgoal renders another
-impossible to prove. There are further complications that we have not
-discussed, concerning negation and disjunction. Isabelle's
-\textbf{classical reasoner} is a family of tools that perform such
-proofs automatically. The most important of these is the
-\isa{blast} method.
-
-In this section, we shall first see how to use the classical
-reasoner in its default mode and then how to insert additional
-rules, enabling it to work in new problem domains.
-
- We begin with examples from pure predicate logic. The following
-example is known as Andrew's challenge. Peter Andrews designed
-it to be hard to prove by automatic means.
-It is particularly hard for a resolution prover, where
-converting the nested biconditionals to
-clause form produces a combinatorial
-explosion~\cite{pelletier86}. However, the
-\isa{blast} method proves it in a fraction of a second.
-\begin{isabelle}
-\isacommand{lemma}\
-"(({\isasymexists}x.\
-{\isasymforall}y.\
-p(x){=}p(y))\
-=\
-(({\isasymexists}x.\
-q(x))=({\isasymforall}y.\
-p(y))))\
-\ \ =\ \ \ \ \isanewline
-\ \ \ \ \ \ \ \
-(({\isasymexists}x.\
-{\isasymforall}y.\
-q(x){=}q(y))\ =\ (({\isasymexists}x.\ p(x))=({\isasymforall}y.\ q(y))))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-The next example is a logic problem composed by Lewis Carroll.
-The \isa{blast} method finds it trivial. Moreover, it turns out
-that not all of the assumptions are necessary. We can
-experiment with variations of this formula and see which ones
-can be proved.
-\begin{isabelle}
-\isacommand{lemma}\
-"({\isasymforall}x.\
-honest(x)\ \isasymand\
-industrious(x)\ \isasymlongrightarrow\
-healthy(x))\
-\isasymand\ \ \isanewline
-\ \ \ \ \ \ \ \ \isasymnot\ ({\isasymexists}x.\
-grocer(x)\ \isasymand\
-healthy(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-industrious(x)\ \isasymand\
-grocer(x)\ \isasymlongrightarrow\
-honest(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-cyclist(x)\ \isasymlongrightarrow\
-industrious(x))\
-\isasymand\ \isanewline
-\ \ \ \ \ \ \ \ ({\isasymforall}x.\
-{\isasymnot}healthy(x)\ \isasymand\
-cyclist(x)\ \isasymlongrightarrow\
-{\isasymnot}honest(x))\
-\ \isanewline
-\ \ \ \ \ \ \ \ \isasymlongrightarrow\
-({\isasymforall}x.\
-grocer(x)\ \isasymlongrightarrow\
-{\isasymnot}cyclist(x))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-The \isa{blast} method is also effective for set theory, which is
-described in the next chapter. The formula below may look horrible, but
-the \isa{blast} method proves it in milliseconds.
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymUnion}i{\isasymin}I.\ A(i))\ \isasyminter\ ({\isasymUnion}j{\isasymin}J.\ B(j))\ =\isanewline
-\ \ \ \ \ \ \ \ ({\isasymUnion}i{\isasymin}I.\ {\isasymUnion}j{\isasymin}J.\ A(i)\ \isasyminter\ B(j))"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-Few subgoals are couched purely in predicate logic and set theory.
-We can extend the scope of the classical reasoner by giving it new rules.
-Extending it effectively requires understanding the notions of
-introduction, elimination and destruction rules. Moreover, there is a
-distinction between safe and unsafe rules. A
-\textbf{safe}\indexbold{safe rules} rule is one that can be applied
-backwards without losing information; an
-\textbf{unsafe}\indexbold{unsafe rules} rule loses information, perhaps
-transforming the subgoal into one that cannot be proved. The safe/unsafe
-distinction affects the proof search: if a proof attempt fails, the
-classical reasoner backtracks to the most recent unsafe rule application
-and makes another choice.
-
-An important special case avoids all these complications. A logical
-equivalence, which in higher-order logic is an equality between
-formulas, can be given to the classical
-reasoner and simplifier by using the attribute \attrdx{iff}. You
-should do so if the right hand side of the equivalence is
-simpler than the left-hand side.
-
-For example, here is a simple fact about list concatenation.
-The result of appending two lists is empty if and only if both
-of the lists are themselves empty. Obviously, applying this equivalence
-will result in a simpler goal. When stating this lemma, we include
-the \attrdx{iff} attribute. Once we have proved the lemma, Isabelle
-will make it known to the classical reasoner (and to the simplifier).
-\begin{isabelle}
-\isacommand{lemma}\
-[iff]:\ "(xs{\isacharat}ys\ =\ [])\ =\
-(xs=[]\ \isasymand\ ys=[])"\isanewline
-\isacommand{apply}\ (induct_tac\ xs)\isanewline
-\isacommand{apply}\ (simp_all)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-This fact about multiplication is also appropriate for
-the \attrdx{iff} attribute:
-\begin{isabelle}
-(\mbox{?m}\ *\ \mbox{?n}\ =\ 0)\ =\ (\mbox{?m}\ =\ 0\ \isasymor\ \mbox{?n}\ =\ 0)
-\end{isabelle}
-A product is zero if and only if one of the factors is zero. The
-reasoning involves a disjunction. Proving new rules for
-disjunctive reasoning is hard, but translating to an actual disjunction
-works: the classical reasoner handles disjunction properly.
-
-In more detail, this is how the \attrdx{iff} attribute works. It converts
-the equivalence $P=Q$ to a pair of rules: the introduction
-rule $Q\Imp P$ and the destruction rule $P\Imp Q$. It gives both to the
-classical reasoner as safe rules, ensuring that all occurrences of $P$ in
-a subgoal are replaced by~$Q$. The simplifier performs the same
-replacement, since \isa{iff} gives $P=Q$ to the
-simplifier.
-
-Classical reasoning is different from
-simplification. Simplification is deterministic. It applies rewrite rules
-repeatedly, as long as possible, transforming a goal into another goal. Classical
-reasoning uses search and backtracking in order to prove a goal outright.%
-\index{*blast (method)|)}%
-
-
-\section{Other Classical Reasoning Methods}
-
-The \isa{blast} method is our main workhorse for proving theorems
-automatically. Other components of the classical reasoner interact
-with the simplifier. Still others perform classical reasoning
-to a limited extent, giving the user fine control over the proof.
-
-Of the latter methods, the most useful is
-\methdx{clarify}.
-It performs
-all obvious reasoning steps without splitting the goal into multiple
-parts. It does not apply unsafe rules that could render the
-goal unprovable. By performing the obvious
-steps, \isa{clarify} lays bare the difficult parts of the problem,
-where human intervention is necessary.
-
-For example, the following conjecture is false:
-\begin{isabelle}
-\isacommand{lemma}\ "({\isasymforall}x.\ P\ x)\ \isasymand\
-({\isasymexists}x.\ Q\ x)\ \isasymlongrightarrow\ ({\isasymforall}x.\ P\ x\
-\isasymand\ Q\ x)"\isanewline
-\isacommand{apply}\ clarify
-\end{isabelle}
-The \isa{blast} method would simply fail, but \isa{clarify} presents
-a subgoal that helps us see why we cannot continue the proof.
-\begin{isabelle}
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk{\isasymforall}x.\ P\ x;\ Q\
-xa\isasymrbrakk\ \isasymLongrightarrow\ P\ x\ \isasymand\ Q\ x
-\end{isabelle}
-The proof must fail because the assumption \isa{Q\ xa} and conclusion \isa{Q\ x}
-refer to distinct bound variables. To reach this state, \isa{clarify} applied
-the introduction rules for \isa{\isasymlongrightarrow} and \isa{\isasymforall}
-and the elimination rule for \isa{\isasymand}. It did not apply the introduction
-rule for \isa{\isasymand} because of its policy never to split goals.
-
-Also available is \methdx{clarsimp}, a method
-that interleaves \isa{clarify} and \isa{simp}. Also there is \methdx{safe},
-which like \isa{clarify} performs obvious steps but even applies those that
-split goals.
-
-The \methdx{force} method applies the classical
-reasoner and simplifier to one goal.
-Unless it can prove the goal, it fails. Contrast
-that with the \isa{auto} method, which also combines classical reasoning
-with simplification. The latter's purpose is to prove all the
-easy subgoals and parts of subgoals. Unfortunately, it can produce
-large numbers of new subgoals; also, since it proves some subgoals
-and splits others, it obscures the structure of the proof tree.
-The \isa{force} method does not have these drawbacks. Another
-difference: \isa{force} tries harder than {\isa{auto}} to prove
-its goal, so it can take much longer to terminate.
-
-Older components of the classical reasoner have largely been
-superseded by \isa{blast}, but they still have niche applications.
-Most important among these are \isa{fast} and \isa{best}. While \isa{blast}
-searches for proofs using a built-in first-order reasoner, these
-earlier methods search for proofs using standard Isabelle inference.
-That makes them slower but enables them to work in the
-presence of the more unusual features of Isabelle rules, such
-as type classes and function unknowns. For example, recall the introduction rule
-for Hilbert's $\varepsilon$-operator:
-\begin{isabelle}
-?P\ ?x\ \isasymLongrightarrow\ ?P\ (SOME\ x.\ ?P x)
-\rulename{someI}
-\end{isabelle}
-%
-The repeated occurrence of the variable \isa{?P} makes this rule tricky
-to apply. Consider this contrived example:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\isanewline
-\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ P\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)\
-\isasymand\ Q\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)"\isanewline
-\isacommand{apply}\ (rule\ someI)
-\end{isabelle}
-%
-We can apply rule \isa{someI} explicitly. It yields the
-following subgoal:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P\ ?x\
-\isasymand\ Q\ ?x%
-\end{isabelle}
-The proof from this point is trivial. Could we have
-proved the theorem with a single command? Not using \isa{blast}: it
-cannot perform the higher-order unification needed here. The
-\methdx{fast} method succeeds:
-\begin{isabelle}
-\isacommand{apply}\ (fast\ intro!:\ someI)
-\end{isabelle}
-
-The \methdx{best} method is similar to
-\isa{fast} but it uses a best-first search instead of depth-first search.
-Accordingly, it is slower but is less susceptible to divergence.
-Transitivity rules usually cause \isa{fast} to loop where \isa{best}
-can often manage.
-
-Here is a summary of the classical reasoning methods:
-\begin{itemize}
-\item \methdx{blast} works automatically and is the fastest
-
-\item \methdx{clarify} and \methdx{clarsimp} perform obvious steps without
-splitting the goal; \methdx{safe} even splits goals
-
-\item \methdx{force} uses classical reasoning and simplification to prove a goal;
- \methdx{auto} is similar but leaves what it cannot prove
-
-\item \methdx{fast} and \methdx{best} are legacy methods that work well with rules
-involving unusual features
-\end{itemize}
-A table illustrates the relationships among four of these methods.
-\begin{center}
-\begin{tabular}{r|l|l|}
- & no split & split \\ \hline
- no simp & \methdx{clarify} & \methdx{safe} \\ \hline
- simp & \methdx{clarsimp} & \methdx{auto} \\ \hline
-\end{tabular}
-\end{center}
-
-\section{Finding More Theorems}
-\label{sec:find2}
-\input{find2.tex}
-
-
-\section{Forward Proof: Transforming Theorems}\label{sec:forward}
-
-\index{forward proof|(}%
-Forward proof means deriving new facts from old ones. It is the
-most fundamental type of proof. Backward proof, by working from goals to
-subgoals, can help us find a difficult proof. But it is
-not always the best way of presenting the proof thus found. Forward
-proof is particularly good for reasoning from the general
-to the specific. For example, consider this distributive law for
-the greatest common divisor:
-\[ k\times\gcd(m,n) = \gcd(k\times m,k\times n)\]
-
-Putting $m=1$ we get (since $\gcd(1,n)=1$ and $k\times1=k$)
-\[ k = \gcd(k,k\times n)\]
-We have derived a new fact; if re-oriented, it might be
-useful for simplification. After re-orienting it and putting $n=1$, we
-derive another useful law:
-\[ \gcd(k,k)=k \]
-Substituting values for variables --- instantiation --- is a forward step.
-Re-orientation works by applying the symmetry of equality to
-an equation, so it too is a forward step.
-
-\subsection{Modifying a Theorem using {\tt\slshape of}, {\tt\slshape where}
- and {\tt\slshape THEN}}
-
-\label{sec:THEN}
-
-Let us reproduce our examples in Isabelle. Recall that in
-{\S}\ref{sec:fun-simplification} we declared the recursive function
-\isa{gcd}:\index{*gcd (constant)|(}
-\begin{isabelle}
-\isacommand{fun}\ gcd\ ::\ "nat\ \isasymRightarrow \ nat\ \isasymRightarrow \ nat"\ \isakeyword{where}\isanewline
-\ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
-\end{isabelle}
-%
-From this definition, it is possible to prove the distributive law.
-That takes us to the starting point for our example.
-\begin{isabelle}
-?k\ *\ gcd\ ?m\ ?n\ =\ gcd\ (?k\ *\ ?m)\ (?k\ *\ ?n)
-\rulename{gcd_mult_distrib2}
-\end{isabelle}
-%
-The first step in our derivation is to replace \isa{?m} by~1. We instantiate the
-theorem using~\attrdx{of}, which identifies variables in order of their
-appearance from left to right. In this case, the variables are \isa{?k}, \isa{?m}
-and~\isa{?n}. So, the expression
-\hbox{\texttt{[of k 1]}} replaces \isa{?k} by~\isa{k} and \isa{?m}
-by~\isa{1}.
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult_0\ =\ gcd_mult_distrib2\ [of\ k\ 1]
-\end{isabelle}
-%
-The keyword \commdx{lemmas} declares a new theorem, which can be derived
-from an existing one using attributes such as \isa{[of~k~1]}.
-The command
-\isa{thm gcd_mult_0}
-displays the result:
-\begin{isabelle}
-\ \ \ \ \ k\ *\ gcd\ 1\ ?n\ =\ gcd\ (k\ *\ 1)\ (k\ *\ ?n)
-\end{isabelle}
-Something is odd: \isa{k} is an ordinary variable, while \isa{?n}
-is schematic. We did not specify an instantiation
-for \isa{?n}. In its present form, the theorem does not allow
-substitution for \isa{k}. One solution is to avoid giving an instantiation for
-\isa{?k}: instead of a term we can put an underscore~(\isa{_}). For example,
-\begin{isabelle}
-\ \ \ \ \ gcd_mult_distrib2\ [of\ _\ 1]
-\end{isabelle}
-replaces \isa{?m} by~\isa{1} but leaves \isa{?k} unchanged.
-
-An equivalent solution is to use the attribute \isa{where}.
-\begin{isabelle}
-\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1]
-\end{isabelle}
-While \isa{of} refers to
-variables by their position, \isa{where} refers to variables by name. Multiple
-instantiations are separated by~\isa{and}, as in this example:
-\begin{isabelle}
-\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1\ and\ k=1]
-\end{isabelle}
-
-We now continue the present example with the version of \isa{gcd_mult_0}
-shown above, which has \isa{k} instead of \isa{?k}.
-Once we have replaced \isa{?m} by~1, we must next simplify
-the theorem \isa{gcd_mult_0}, performing the steps
-$\gcd(1,n)=1$ and $k\times1=k$. The \attrdx{simplified}
-attribute takes a theorem
-and returns the result of simplifying it, with respect to the default
-simplification rules:
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult_1\ =\ gcd_mult_0\
-[simplified]%
-\end{isabelle}
-%
-Again, we display the resulting theorem:
-\begin{isabelle}
-\ \ \ \ \ k\ =\ gcd\ k\ (k\ *\ ?n)
-\end{isabelle}
-%
-To re-orient the equation requires the symmetry rule:
-\begin{isabelle}
-?s\ =\ ?t\
-\isasymLongrightarrow\ ?t\ =\
-?s%
-\rulenamedx{sym}
-\end{isabelle}
-The following declaration gives our equation to \isa{sym}:
-\begin{isabelle}
-\ \ \ \isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_1\ [THEN\ sym]
-\end{isabelle}
-%
-Here is the result:
-\begin{isabelle}
-\ \ \ \ \ gcd\ k\ (k\ *\ ?n)\ =\ k%
-\end{isabelle}
-\isa{THEN~sym}\indexbold{*THEN (attribute)} gives the current theorem to the
-rule \isa{sym} and returns the resulting conclusion. The effect is to
-exchange the two operands of the equality. Typically \isa{THEN} is used
-with destruction rules. Also useful is \isa{THEN~spec}, which removes the
-quantifier from a theorem of the form $\forall x.\,P$, and \isa{THEN~mp},
-which converts the implication $P\imp Q$ into the rule
-$\vcenter{\infer{Q}{P}}$. Similar to \isa{mp} are the following two rules,
-which extract the two directions of reasoning about a boolean equivalence:
-\begin{isabelle}
-\isasymlbrakk?Q\ =\ ?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulenamedx{iffD1}%
-\isanewline
-\isasymlbrakk?P\ =\ ?Q;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
-\rulenamedx{iffD2}
-\end{isabelle}
-%
-Normally we would never name the intermediate theorems
-such as \isa{gcd_mult_0} and \isa{gcd_mult_1} but would combine
-the three forward steps:
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym]%
-\end{isabelle}
-The directives, or attributes, are processed from left to right. This
-declaration of \isa{gcd_mult} is equivalent to the
-previous one.
-
-Such declarations can make the proof script hard to read. Better
-is to state the new lemma explicitly and to prove it using a single
-\isa{rule} method whose operand is expressed using forward reasoning:
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_mult\ [simp]:\ "gcd\ k\ (k*n)\ =\ k"\isanewline
-\isacommand{by}\ (rule\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym])
-\end{isabelle}
-Compared with the previous proof of \isa{gcd_mult}, this
-version shows the reader what has been proved. Also, the result will be processed
-in the normal way. In particular, Isabelle generalizes over all variables: the
-resulting theorem will have {\isa{?k}} instead of {\isa{k}}.
-
-At the start of this section, we also saw a proof of $\gcd(k,k)=k$. Here
-is the Isabelle version:\index{*gcd (constant)|)}
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_self\ [simp]:\ "gcd\ k\ k\ =\ k"\isanewline
-\isacommand{by}\ (rule\ gcd_mult\ [of\ k\ 1,\ simplified])
-\end{isabelle}
-
-\begin{warn}
-To give~\isa{of} a nonatomic term, enclose it in quotation marks, as in
-\isa{[of "k*m"]}. The term must not contain unknowns: an
-attribute such as
-\isa{[of "?k*m"]} will be rejected.
-\end{warn}
-
-%Answer is now included in that section! Is a modified version of this
-% exercise worth including? E.g. find a difference between the two ways
-% of substituting.
-%\begin{exercise}
-%In {\S}\ref{sec:subst} the method \isa{subst\ mult_commute} was applied. How
-%can we achieve the same effect using \isa{THEN} with the rule \isa{ssubst}?
-%% answer rule (mult_commute [THEN ssubst])
-%\end{exercise}
-
-\subsection{Modifying a Theorem using {\tt\slshape OF}}
-
-\index{*OF (attribute)|(}%
-Recall that \isa{of} generates an instance of a
-rule by specifying values for its variables. Analogous is \isa{OF}, which
-generates an instance of a rule by specifying facts for its premises.
-
-We again need the divides relation\index{divides relation} of number theory, which
-as we recall is defined by
-\begin{isabelle}
-?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
-\rulename{dvd_def}
-\end{isabelle}
-%
-Suppose, for example, that we have proved the following rule.
-It states that if $k$ and $n$ are relatively prime
-and if $k$ divides $m\times n$ then $k$ divides $m$.
-\begin{isabelle}
-\isasymlbrakk gcd ?k ?n {=} 1;\ ?k\ dvd\ ?m * ?n\isasymrbrakk\
-\isasymLongrightarrow\ ?k\ dvd\ ?m
-\rulename{relprime_dvd_mult}
-\end{isabelle}
-We can use \isa{OF} to create an instance of this rule.
-First, we
-prove an instance of its first premise:
-\begin{isabelle}
-\isacommand{lemma}\ relprime\_20\_81:\ "gcd\ 20\ 81\ =\ 1"\isanewline
-\isacommand{by}\ (simp\ add:\ gcd.simps)
-\end{isabelle}
-We have evaluated an application of the \isa{gcd} function by
-simplification. Expression evaluation involving recursive functions is not
-guaranteed to terminate, and it can be slow; Isabelle
-performs arithmetic by rewriting symbolic bit strings. Here,
-however, the simplification takes less than one second. We can
-give this new lemma to \isa{OF}. The expression
-\begin{isabelle}
-\ \ \ \ \ relprime_dvd_mult [OF relprime_20_81]
-\end{isabelle}
-yields the theorem
-\begin{isabelle}
-\ \ \ \ \ 20\ dvd\ (?m\ *\ 81)\ \isasymLongrightarrow\ 20\ dvd\ ?m%
-\end{isabelle}
-%
-\isa{OF} takes any number of operands. Consider
-the following facts about the divides relation:
-\begin{isabelle}
-\isasymlbrakk?k\ dvd\ ?m;\
-?k\ dvd\ ?n\isasymrbrakk\
-\isasymLongrightarrow\ ?k\ dvd\
-?m\ +\ ?n
-\rulename{dvd_add}\isanewline
-?m\ dvd\ ?m%
-\rulename{dvd_refl}
-\end{isabelle}
-Let us supply \isa{dvd_refl} for each of the premises of \isa{dvd_add}:
-\begin{isabelle}
-\ \ \ \ \ dvd_add [OF dvd_refl dvd_refl]
-\end{isabelle}
-Here is the theorem that we have expressed:
-\begin{isabelle}
-\ \ \ \ \ ?k\ dvd\ (?k\ +\ ?k)
-\end{isabelle}
-As with \isa{of}, we can use the \isa{_} symbol to leave some positions
-unspecified:
-\begin{isabelle}
-\ \ \ \ \ dvd_add [OF _ dvd_refl]
-\end{isabelle}
-The result is
-\begin{isabelle}
-\ \ \ \ \ ?k\ dvd\ ?m\ \isasymLongrightarrow\ ?k\ dvd\ ?m\ +\ ?k
-\end{isabelle}
-
-You may have noticed that \isa{THEN} and \isa{OF} are based on
-the same idea, namely to combine two rules. They differ in the
-order of the combination and thus in their effect. We use \isa{THEN}
-typically with a destruction rule to extract a subformula of the current
-theorem. We use \isa{OF} with a list of facts to generate an instance of
-the current theorem.%
-\index{*OF (attribute)|)}
-
-Here is a summary of some primitives for forward reasoning:
-\begin{itemize}
-\item \attrdx{of} instantiates the variables of a rule to a list of terms
-\item \attrdx{OF} applies a rule to a list of theorems
-\item \attrdx{THEN} gives a theorem to a named rule and returns the
-conclusion
-%\item \attrdx{rule_format} puts a theorem into standard form
-% by removing \isa{\isasymlongrightarrow} and~\isa{\isasymforall}
-\item \attrdx{simplified} applies the simplifier to a theorem
-\item \isacommand{lemmas} assigns a name to the theorem produced by the
-attributes above
-\end{itemize}
-
-
-\section{Forward Reasoning in a Backward Proof}
-
-We have seen that the forward proof directives work well within a backward
-proof. There are many ways to achieve a forward style using our existing
-proof methods. We shall also meet some new methods that perform forward
-reasoning.
-
-The methods \isa{drule}, \isa{frule}, \isa{drule_tac}, etc.,
-reason forward from a subgoal. We have seen them already, using rules such as
-\isa{mp} and
-\isa{spec} to operate on formulae. They can also operate on terms, using rules
-such as these:
-\begin{isabelle}
-x\ =\ y\ \isasymLongrightarrow \ f\ x\ =\ f\ y%
-\rulenamedx{arg_cong}\isanewline
-i\ \isasymle \ j\ \isasymLongrightarrow \ i\ *\ k\ \isasymle \ j\ *\ k%
-\rulename{mult_le_mono1}
-\end{isabelle}
-
-For example, let us prove a fact about divisibility in the natural numbers:
-\begin{isabelle}
-\isacommand{lemma}\ "2\ \isasymle \ u\ \isasymLongrightarrow \ u*m\ \isasymnoteq
-\ Suc(u*n)"\isanewline
-\isacommand{apply}\ (intro\ notI)\isanewline
-\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ =\ Suc\ (u\ *\ n)\isasymrbrakk \ \isasymLongrightarrow \ False%
-\end{isabelle}
-%
-The key step is to apply the function \ldots\isa{mod\ u} to both sides of the
-equation
-\isa{u*m\ =\ Suc(u*n)}:\index{*drule_tac (method)}
-\begin{isabelle}
-\isacommand{apply}\ (drule_tac\ f="\isasymlambda x.\ x\ mod\ u"\ \isakeyword{in}\
-arg_cong)\isanewline
-\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ mod\ u\ =\ Suc\ (u\ *\ n)\ mod\
-u\isasymrbrakk \ \isasymLongrightarrow \ False
-\end{isabelle}
-%
-Simplification reduces the left side to 0 and the right side to~1, yielding the
-required contradiction.
-\begin{isabelle}
-\isacommand{apply}\ (simp\ add:\ mod_Suc)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-Our proof has used a fact about remainder:
-\begin{isabelle}
-Suc\ m\ mod\ n\ =\isanewline
-(if\ Suc\ (m\ mod\ n)\ =\ n\ then\ 0\ else\ Suc\ (m\ mod\ n))
-\rulename{mod_Suc}
-\end{isabelle}
-
-\subsection{The Method {\tt\slshape insert}}
-
-\index{*insert (method)|(}%
-The \isa{insert} method
-inserts a given theorem as a new assumption of all subgoals. This
-already is a forward step; moreover, we may (as always when using a
-theorem) apply
-\isa{of}, \isa{THEN} and other directives. The new assumption can then
-be used to help prove the subgoals.
-
-For example, consider this theorem about the divides relation. The first
-proof step inserts the distributive law for
-\isa{gcd}. We specify its variables as shown.
-\begin{isabelle}
-\isacommand{lemma}\ relprime\_dvd\_mult:\ \isanewline
-\ \ \ \ \ \ "\isasymlbrakk \ gcd\ k\ n\ =\ 1;\ k\ dvd\ m*n\ \isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ m"\isanewline
-\isacommand{apply}\ (insert\ gcd_mult_distrib2\ [of\ m\ k\ n])
-\end{isabelle}
-In the resulting subgoal, note how the equation has been
-inserted:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ 1;\ k\ dvd\ m\ *\ n;\ m\ *\ gcd\ k\ n\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
-\end{isabelle}
-The next proof step utilizes the assumption \isa{gcd\ k\ n\ =\ 1}
-(note that \isa{Suc\ 0} is another expression for 1):
-\begin{isabelle}
-\isacommand{apply}(simp)\isanewline
-\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ Suc\ 0;\ k\ dvd\ m\ *\ n;\ m\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
-\end{isabelle}
-Simplification has yielded an equation for~\isa{m}. The rest of the proof
-is omitted.
-
-\medskip
-Here is another demonstration of \isa{insert}. Division and
-remainder obey a well-known law:
-\begin{isabelle}
-(?m\ div\ ?n)\ *\ ?n\ +\ ?m\ mod\ ?n\ =\ ?m
-\rulename{mod_div_equality}
-\end{isabelle}
-
-We refer to this law explicitly in the following proof:
-\begin{isabelle}
-\isacommand{lemma}\ div_mult_self_is_m:\ \isanewline
-\ \ \ \ \ \ "0{\isacharless}n\ \isasymLongrightarrow\ (m*n)\ div\ n\ =\
-(m::nat)"\isanewline
-\isacommand{apply}\ (insert\ mod_div_equality\ [of\ "m*n"\ n])\isanewline
-\isacommand{apply}\ (simp)\isanewline
-\isacommand{done}
-\end{isabelle}
-The first step inserts the law, specifying \isa{m*n} and
-\isa{n} for its variables. Notice that non-trivial expressions must be
-enclosed in quotation marks. Here is the resulting
-subgoal, with its new assumption:
-\begin{isabelle}
-%0\ \isacharless\ n\ \isasymLongrightarrow\ (m\
-%*\ n)\ div\ n\ =\ m\isanewline
-\ 1.\ \isasymlbrakk0\ \isacharless\
-n;\ \ (m\ *\ n)\ div\ n\ *\ n\ +\ (m\ *\ n)\ mod\ n\
-=\ m\ *\ n\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ (m\ *\ n)\ div\ n\
-=\ m
-\end{isabelle}
-Simplification reduces \isa{(m\ *\ n)\ mod\ n} to zero.
-Then it cancels the factor~\isa{n} on both
-sides of the equation \isa{(m\ *\ n)\ div\ n\ *\ n\ =\ m\ *\ n}, proving the
-theorem.
-
-\begin{warn}
-Any unknowns in the theorem given to \methdx{insert} will be universally
-quantified in the new assumption.
-\end{warn}%
-\index{*insert (method)|)}
-
-\subsection{The Method {\tt\slshape subgoal_tac}}
-
-\index{*subgoal_tac (method)}%
-A related method is \isa{subgoal_tac}, but instead
-of inserting a theorem as an assumption, it inserts an arbitrary formula.
-This formula must be proved later as a separate subgoal. The
-idea is to claim that the formula holds on the basis of the current
-assumptions, to use this claim to complete the proof, and finally
-to justify the claim. It gives the proof
-some structure. If you find yourself generating a complex assumption by a
-long series of forward steps, consider using \isa{subgoal_tac} instead: you can
-state the formula you are aiming for, and perhaps prove it automatically.
-
-Look at the following example.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk(z::int)\ <\ 37;\ 66\ <\ 2*z;\ z*z\
-\isasymnoteq\ 1225;\ Q(34);\ Q(36)\isasymrbrakk\isanewline
-\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ Q(z)"\isanewline
-\isacommand{apply}\ (subgoal_tac\ "z\ =\ 34\ \isasymor\ z\ =\
-36")\isanewline
-\isacommand{apply}\ blast\isanewline
-\isacommand{apply}\ (subgoal_tac\ "z\ \isasymnoteq\ 35")\isanewline
-\isacommand{apply}\ arith\isanewline
-\isacommand{apply}\ force\isanewline
-\isacommand{done}
-\end{isabelle}
-The first assumption tells us
-that \isa{z} is no greater than~36. The second tells us that \isa{z}
-is at least~34. The third assumption tells us that \isa{z} cannot be 35, since
-$35\times35=1225$. So \isa{z} is either 34 or~36, and since \isa{Q} holds for
-both of those values, we have the conclusion.
-
-The Isabelle proof closely follows this reasoning. The first
-step is to claim that \isa{z} is either 34 or 36. The resulting proof
-state gives us two subgoals:
-\begin{isabelle}
-%\isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\
-%Q\ 34;\ Q\ 36\isasymrbrakk\ \isasymLongrightarrow\ Q\ z\isanewline
-\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36;\isanewline
-\ \ \ \ \ z\ =\ 34\ \isasymor\ z\ =\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ Q\ z\isanewline
-\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36
-\end{isabelle}
-The first subgoal is trivial (\isa{blast}), but for the second Isabelle needs help to eliminate
-the case
-\isa{z}=35. The second invocation of {\isa{subgoal_tac}} leaves two
-subgoals:
-\begin{isabelle}
-\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\
-1225;\ Q\ 34;\ Q\ 36;\isanewline
-\ \ \ \ \ z\ \isasymnoteq\ 35\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36\isanewline
-\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
-\ \ \ \ \isasymLongrightarrow\ z\ \isasymnoteq\ 35
-\end{isabelle}
-
-Assuming that \isa{z} is not 35, the first subgoal follows by linear arithmetic
-(\isa{arith}). For the second subgoal we apply the method \isa{force},
-which proceeds by assuming that \isa{z}=35 and arriving at a contradiction.
-
-
-\medskip
-Summary of these methods:
-\begin{itemize}
-\item \methdx{insert} adds a theorem as a new assumption
-\item \methdx{subgoal_tac} adds a formula as a new assumption and leaves the
-subgoal of proving that formula
-\end{itemize}
-\index{forward proof|)}
-
-
-\section{Managing Large Proofs}
-
-Naturally you should try to divide proofs into manageable parts. Look for lemmas
-that can be proved separately. Sometimes you will observe that they are
-instances of much simpler facts. On other occasions, no lemmas suggest themselves
-and you are forced to cope with a long proof involving many subgoals.
-
-\subsection{Tacticals, or Control Structures}
-
-\index{tacticals|(}%
-If the proof is long, perhaps it at least has some regularity. Then you can
-express it more concisely using \textbf{tacticals}, which provide control
-structures. Here is a proof (it would be a one-liner using
-\isa{blast}, but forget that) that contains a series of repeated
-commands:
-%
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\
-Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \
-\isasymLongrightarrow \ S"\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
-\isacommand{apply}\ (assumption)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-Each of the three identical commands finds an implication and proves its
-antecedent by assumption. The first one finds \isa{P\isasymlongrightarrow Q} and
-\isa{P}, concluding~\isa{Q}; the second one concludes~\isa{R} and the third one
-concludes~\isa{S}. The final step matches the assumption \isa{S} with the goal to
-be proved.
-
-Suffixing a method with a plus sign~(\isa+)\index{*"+ (tactical)}
-expresses one or more repetitions:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\ Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \ \isasymLongrightarrow \ S"\isanewline
-\isacommand{by}\ (drule\ mp,\ assumption)+
-\end{isabelle}
-%
-Using \isacommand{by} takes care of the final use of \isa{assumption}. The new
-proof is more concise. It is also more general: the repetitive method works
-for a chain of implications having any length, not just three.
-
-Choice is another control structure. Separating two methods by a vertical
-% we must use ?? rather than "| as the sorting item because somehow the presence
-% of | (even quoted) stops hyperref from putting |hyperpage at the end of the index
-% entry.
-bar~(\isa|)\index{??@\texttt{"|} (tactical)} gives the effect of applying the
-first method, and if that fails, trying the second. It can be combined with
-repetition, when the choice must be made over and over again. Here is a chain of
-implications in which most of the antecedents are proved by assumption, but one is
-proved by arithmetic:
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ x<5\isasymlongrightarrow P;\
-Suc\ x\ <\ 5\isasymrbrakk \ \isasymLongrightarrow \ R"\ \isanewline
-\isacommand{by}\ (drule\ mp,\ (assumption|arith))+
-\end{isabelle}
-The \isa{arith}
-method can prove $x<5$ from $x+1<5$, but it cannot duplicate the effect of
-\isa{assumption}. Therefore, we combine these methods using the choice
-operator.
-
-A postfixed question mark~(\isa?)\index{*"? (tactical)} expresses zero or one
-repetitions of a method. It can also be viewed as the choice between executing a
-method and doing nothing. It is useless at top level but can be valuable
-within other control structures; for example,
-\isa{($m$+)?} performs zero or more repetitions of method~$m$.%
-\index{tacticals|)}
-
-
-\subsection{Subgoal Numbering}
-
-Another problem in large proofs is contending with huge
-subgoals or many subgoals. Induction can produce a proof state that looks
-like this:
-\begin{isabelle}
-\ 1.\ bigsubgoal1\isanewline
-\ 2.\ bigsubgoal2\isanewline
-\ 3.\ bigsubgoal3\isanewline
-\ 4.\ bigsubgoal4\isanewline
-\ 5.\ bigsubgoal5\isanewline
-\ 6.\ bigsubgoal6
-\end{isabelle}
-If each \isa{bigsubgoal} is 15 lines or so, the proof state will be too big to
-scroll through. By default, Isabelle displays at most 10 subgoals. The
-\commdx{pr} command lets you change this limit:
-\begin{isabelle}
-\isacommand{pr}\ 2\isanewline
-\ 1.\ bigsubgoal1\isanewline
-\ 2.\ bigsubgoal2\isanewline
-A total of 6 subgoals...
-\end{isabelle}
-
-\medskip
-All methods apply to the first subgoal.
-Sometimes, not only in a large proof, you may want to focus on some other
-subgoal. Then you should try the commands \isacommand{defer} or \isacommand{prefer}.
-
-In the following example, the first subgoal looks hard, while the others
-look as if \isa{blast} alone could prove them:
-\begin{isabelle}
-\ 1.\ hard\isanewline
-\ 2.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
-\ 3.\ Q\ \isasymLongrightarrow \ Q%
-\end{isabelle}
-%
-The \commdx{defer} command moves the first subgoal into the last position.
-\begin{isabelle}
-\isacommand{defer}\ 1\isanewline
-\ 1.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
-\ 2.\ Q\ \isasymLongrightarrow \ Q\isanewline
-\ 3.\ hard%
-\end{isabelle}
-%
-Now we apply \isa{blast} repeatedly to the easy subgoals:
-\begin{isabelle}
-\isacommand{apply}\ blast+\isanewline
-\ 1.\ hard%
-\end{isabelle}
-Using \isacommand{defer}, we have cleared away the trivial parts of the proof so
-that we can devote attention to the difficult part.
-
-\medskip
-The \commdx{prefer} command moves the specified subgoal into the
-first position. For example, if you suspect that one of your subgoals is
-invalid (not a theorem), then you should investigate that subgoal first. If it
-cannot be proved, then there is no point in proving the other subgoals.
-\begin{isabelle}
-\ 1.\ ok1\isanewline
-\ 2.\ ok2\isanewline
-\ 3.\ doubtful%
-\end{isabelle}
-%
-We decide to work on the third subgoal.
-\begin{isabelle}
-\isacommand{prefer}\ 3\isanewline
-\ 1.\ doubtful\isanewline
-\ 2.\ ok1\isanewline
-\ 3.\ ok2
-\end{isabelle}
-If we manage to prove \isa{doubtful}, then we can work on the other
-subgoals, confident that we are not wasting our time. Finally we revise the
-proof script to remove the \isacommand{prefer} command, since we needed it only to
-focus our exploration. The previous example is different: its use of
-\isacommand{defer} stops trivial subgoals from cluttering the rest of the
-proof. Even there, we should consider proving \isa{hard} as a preliminary
-lemma. Always seek ways to streamline your proofs.
-
-
-\medskip
-Summary:
-\begin{itemize}
-\item the control structures \isa+, \isa? and \isa| help express complicated proofs
-\item the \isacommand{pr} command can limit the number of subgoals to display
-\item the \isacommand{defer} and \isacommand{prefer} commands move a
-subgoal to the last or first position
-\end{itemize}
-
-\begin{exercise}
-Explain the use of \isa? and \isa+ in this proof.
-\begin{isabelle}
-\isacommand{lemma}\ "\isasymlbrakk P\isasymand Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ R"\isanewline
-\isacommand{by}\ (drule\ mp,\ (intro conjI)?,\ assumption+)+
-\end{isabelle}
-\end{exercise}
-
-
-
-\section{Proving the Correctness of Euclid's Algorithm}
-\label{sec:proving-euclid}
-
-\index{Euclid's algorithm|(}\index{*gcd (constant)|(}\index{divides relation|(}%
-A brief development will demonstrate the techniques of this chapter,
-including \isa{blast} applied with additional rules. We shall also see
-\isa{case_tac} used to perform a Boolean case split.
-
-Let us prove that \isa{gcd} computes the greatest common
-divisor of its two arguments.
-%
-We use induction: \isa{gcd.induct} is the
-induction rule returned by \isa{fun}. We simplify using
-rules proved in {\S}\ref{sec:fun-simplification}, since rewriting by the
-definition of \isa{gcd} can loop.
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_dvd\_both:\ "(gcd\ m\ n\ dvd\ m)\ \isasymand \ (gcd\ m\ n\ dvd\ n)"
-\end{isabelle}
-The induction formula must be a conjunction. In the
-inductive step, each conjunct establishes the other.
-\begin{isabelle}
-\ 1.\ \isasymAnd m\ n.\ (n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n)\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
-\end{isabelle}
-
-The conditional induction hypothesis suggests doing a case
-analysis on \isa{n=0}. We apply \methdx{case_tac} with type
-\isa{bool} --- and not with a datatype, as we have done until now. Since
-\isa{nat} is a datatype, we could have written
-\isa{case_tac~n} instead of \isa{case_tac~"n=0"}. However, the definition
-of \isa{gcd} makes a Boolean decision:
-\begin{isabelle}
-\ \ \ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
-\end{isabelle}
-Proofs about a function frequently follow the function's definition, so we perform
-case analysis over the same formula.
-\begin{isabelle}
-\isacommand{apply}\ (case_tac\ "n=0")\isanewline
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n\isanewline
-\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
-\end{isabelle}
-%
-Simplification leaves one subgoal:
-\begin{isabelle}
-\isacommand{apply}\ (simp_all)\isanewline
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }0\ <\ n\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ n\ (m\ mod\ n)\ dvd\ m%
-\end{isabelle}
-%
-Here, we can use \isa{blast}.
-One of the assumptions, the induction hypothesis, is a conjunction.
-The two divides relationships it asserts are enough to prove
-the conclusion, for we have the following theorem at our disposal:
-\begin{isabelle}
-\isasymlbrakk?k\ dvd\ (?m\ mod\ ?n){;}\ ?k\ dvd\ ?n\isasymrbrakk\ \isasymLongrightarrow\ ?k\ dvd\ ?m%
-\rulename{dvd_mod_imp_dvd}
-\end{isabelle}
-%
-This theorem can be applied in various ways. As an introduction rule, it
-would cause backward chaining from the conclusion (namely
-\isa{?k~dvd~?m}) to the two premises, which
-also involve the divides relation. This process does not look promising
-and could easily loop. More sensible is to apply the rule in the forward
-direction; each step would eliminate an occurrence of the \isa{mod} symbol, so the
-process must terminate.
-\begin{isabelle}
-\isacommand{apply}\ (blast\ dest:\ dvd_mod_imp_dvd)\isanewline
-\isacommand{done}
-\end{isabelle}
-Attaching the \attrdx{dest} attribute to \isa{dvd_mod_imp_dvd} tells
-\isa{blast} to use it as destruction rule; that is, in the forward direction.
-
-\medskip
-We have proved a conjunction. Now, let us give names to each of the
-two halves:
-\begin{isabelle}
-\isacommand{lemmas}\ gcd_dvd1\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct1]\isanewline
-\isacommand{lemmas}\ gcd_dvd2\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct2]%
-\end{isabelle}
-Here we see \commdx{lemmas}
-used with the \attrdx{iff} attribute, which supplies the new theorems to the
-classical reasoner and the simplifier. Recall that \attrdx{THEN} is
-frequently used with destruction rules; \isa{THEN conjunct1} extracts the
-first half of a conjunctive theorem. Given \isa{gcd_dvd_both} it yields
-\begin{isabelle}
-\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?m1
-\end{isabelle}
-The variable names \isa{?m1} and \isa{?n1} arise because
-Isabelle renames schematic variables to prevent
-clashes. The second \isacommand{lemmas} declaration yields
-\begin{isabelle}
-\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?n1
-\end{isabelle}
-
-\medskip
-To complete the verification of the \isa{gcd} function, we must
-prove that it returns the greatest of all the common divisors
-of its arguments. The proof is by induction, case analysis and simplification.
-\begin{isabelle}
-\isacommand{lemma}\ gcd\_greatest\ [rule\_format]:\isanewline
-\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
-\end{isabelle}
-%
-The goal is expressed using HOL implication,
-\isa{\isasymlongrightarrow}, because the induction affects the two
-preconditions. The directive \isa{rule_format} tells Isabelle to replace
-each \isa{\isasymlongrightarrow} by \isa{\isasymLongrightarrow} before
-storing the eventual theorem. This directive can also remove outer
-universal quantifiers, converting the theorem into the usual format for
-inference rules. It can replace any series of applications of
-\isa{THEN} to the rules \isa{mp} and \isa{spec}. We did not have to
-write this:
-\begin{isabelle}
-\isacommand{lemma}\ gcd_greatest\
-[THEN mp, THEN mp]:\isanewline
-\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
-\end{isabelle}
-
-Because we are again reasoning about \isa{gcd}, we perform the same
-induction and case analysis as in the previous proof:
-\begingroup\samepage
-\begin{isabelle}
-\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n\isanewline
-\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n%
-\end{isabelle}
-\endgroup
-
-\noindent Simplification proves both subgoals.
-\begin{isabelle}
-\isacommand{apply}\ (simp_all\ add:\ dvd_mod)\isanewline
-\isacommand{done}
-\end{isabelle}
-In the first, where \isa{n=0}, the implication becomes trivial: \isa{k\ dvd\
-gcd\ m\ n} goes to~\isa{k\ dvd\ m}. The second subgoal is proved by
-an unfolding of \isa{gcd}, using this rule about divides:
-\begin{isabelle}
-\isasymlbrakk ?f\ dvd\ ?m;\ ?f\ dvd\ ?n\isasymrbrakk \
-\isasymLongrightarrow \ ?f\ dvd\ ?m\ mod\ ?n%
-\rulename{dvd_mod}
-\end{isabelle}
-
-
-\medskip
-The facts proved above can be summarized as a single logical
-equivalence. This step gives us a chance to see another application
-of \isa{blast}.
-\begin{isabelle}
-\isacommand{theorem}\ gcd\_greatest\_iff\ [iff]:\ \isanewline
-\ \ \ \ \ \ \ \ "(k\ dvd\ gcd\ m\ n)\ =\ (k\ dvd\ m\ \isasymand \ k\ dvd\ n)"\isanewline
-\isacommand{by}\ (blast\ intro!:\ gcd_greatest\ intro:\ dvd_trans)
-\end{isabelle}
-This theorem concisely expresses the correctness of the \isa{gcd}
-function.
-We state it with the \isa{iff} attribute so that
-Isabelle can use it to remove some occurrences of \isa{gcd}.
-The theorem has a one-line
-proof using \isa{blast} supplied with two additional introduction
-rules. The exclamation mark
-({\isa{intro}}{\isa{!}})\ signifies safe rules, which are
-applied aggressively. Rules given without the exclamation mark
-are applied reluctantly and their uses can be undone if
-the search backtracks. Here the unsafe rule expresses transitivity
-of the divides relation:
-\begin{isabelle}
-\isasymlbrakk?m\ dvd\ ?n;\ ?n\ dvd\ ?p\isasymrbrakk\ \isasymLongrightarrow\ ?m\ dvd\ ?p%
-\rulename{dvd_trans}
-\end{isabelle}
-Applying \isa{dvd_trans} as
-an introduction rule entails a risk of looping, for it multiplies
-occurrences of the divides symbol. However, this proof relies
-on transitivity reasoning. The rule {\isa{gcd\_greatest}} is safe to apply
-aggressively because it yields simpler subgoals. The proof implicitly
-uses \isa{gcd_dvd1} and \isa{gcd_dvd2} as safe rules, because they were
-declared using \isa{iff}.%
-\index{Euclid's algorithm|)}\index{*gcd (constant)|)}\index{divides relation|)}
--- a/doc-src/TutorialI/document/sets.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1069 +0,0 @@
-\chapter{Sets, Functions and Relations}
-
-This chapter describes the formalization of typed set theory, which is
-the basis of much else in HOL\@. For example, an
-inductive definition yields a set, and the abstract theories of relations
-regard a relation as a set of pairs. The chapter introduces the well-known
-constants such as union and intersection, as well as the main operations on relations, such as converse, composition and
-transitive closure. Functions are also covered. They are not sets in
-HOL, but many of their properties concern sets: the range of a
-function is a set, and the inverse image of a function maps sets to sets.
-
-This chapter will be useful to anybody who plans to develop a substantial
-proof. Sets are convenient for formalizing computer science concepts such
-as grammars, logical calculi and state transition systems. Isabelle can
-prove many statements involving sets automatically.
-
-This chapter ends with a case study concerning model checking for the
-temporal logic CTL\@. Most of the other examples are simple. The
-chapter presents a small selection of built-in theorems in order to point
-out some key properties of the various constants and to introduce you to
-the notation.
-
-Natural deduction rules are provided for the set theory constants, but they
-are seldom used directly, so only a few are presented here.
-
-
-\section{Sets}
-
-\index{sets|(}%
-HOL's set theory should not be confused with traditional, untyped set
-theory, in which everything is a set. Our sets are typed. In a given set,
-all elements have the same type, say~$\tau$, and the set itself has type
-$\tau$~\tydx{set}.
-
-We begin with \textbf{intersection}, \textbf{union} and
-\textbf{complement}. In addition to the
-\textbf{membership relation}, there is a symbol for its negation. These
-points can be seen below.
-
-Here are the natural deduction rules for \rmindex{intersection}. Note
-the resemblance to those for conjunction.
-\begin{isabelle}
-\isasymlbrakk c\ \isasymin\ A;\ c\ \isasymin\ B\isasymrbrakk\
-\isasymLongrightarrow\ c\ \isasymin\ A\ \isasyminter\ B%
-\rulenamedx{IntI}\isanewline
-c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ A
-\rulenamedx{IntD1}\isanewline
-c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ B
-\rulenamedx{IntD2}
-\end{isabelle}
-
-Here are two of the many installed theorems concerning set
-complement.\index{complement!of a set}
-Note that it is denoted by a minus sign.
-\begin{isabelle}
-(c\ \isasymin\ -\ A)\ =\ (c\ \isasymnotin\ A)
-\rulenamedx{Compl_iff}\isanewline
--\ (A\ \isasymunion\ B)\ =\ -\ A\ \isasyminter\ -\ B
-\rulename{Compl_Un}
-\end{isabelle}
-
-Set \textbf{difference}\indexbold{difference!of sets} is the intersection
-of a set with the complement of another set. Here we also see the syntax
-for the empty set and for the universal set.
-\begin{isabelle}
-A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright
-\rulename{Diff_disjoint}\isanewline
-A\ \isasymunion\ -\ A\ =\ UNIV%
-\rulename{Compl_partition}
-\end{isabelle}
-
-The \bfindex{subset relation} holds between two sets just if every element
-of one is also an element of the other. This relation is reflexive. These
-are its natural deduction rules:
-\begin{isabelle}
-({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ x\ \isasymin\ B)\ \isasymLongrightarrow\ A\ \isasymsubseteq\ B%
-\rulenamedx{subsetI}%
-\par\smallskip% \isanewline didn't leave enough space
-\isasymlbrakk A\ \isasymsubseteq\ B;\ c\ \isasymin\
-A\isasymrbrakk\ \isasymLongrightarrow\ c\
-\isasymin\ B%
-\rulenamedx{subsetD}
-\end{isabelle}
-In harder proofs, you may need to apply \isa{subsetD} giving a specific term
-for~\isa{c}. However, \isa{blast} can instantly prove facts such as this
-one:
-\begin{isabelle}
-(A\ \isasymunion\ B\ \isasymsubseteq\ C)\ =\
-(A\ \isasymsubseteq\ C\ \isasymand\ B\ \isasymsubseteq\ C)
-\rulenamedx{Un_subset_iff}
-\end{isabelle}
-Here is another example, also proved automatically:
-\begin{isabelle}
-\isacommand{lemma}\ "(A\
-\isasymsubseteq\ -B)\ =\ (B\ \isasymsubseteq\ -A)"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-%
-This is the same example using \textsc{ascii} syntax, illustrating a pitfall:
-\begin{isabelle}
-\isacommand{lemma}\ "(A\ <=\ -B)\ =\ (B\ <=\ -A)"
-\end{isabelle}
-%
-The proof fails. It is not a statement about sets, due to overloading;
-the relation symbol~\isa{<=} can be any relation, not just
-subset.
-In this general form, the statement is not valid. Putting
-in a type constraint forces the variables to denote sets, allowing the
-proof to succeed:
-
-\begin{isabelle}
-\isacommand{lemma}\ "((A::\ {\isacharprime}a\ set)\ <=\ -B)\ =\ (B\ <=\
--A)"
-\end{isabelle}
-Section~\ref{sec:axclass} below describes overloading. Incidentally,
-\isa{A~\isasymsubseteq~-B} asserts that the sets \isa{A} and \isa{B} are
-disjoint.
-
-\medskip
-Two sets are \textbf{equal}\indexbold{equality!of sets} if they contain the
-same elements. This is
-the principle of \textbf{extensionality}\indexbold{extensionality!for sets}
-for sets.
-\begin{isabelle}
-({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\
-{\isasymLongrightarrow}\ A\ =\ B
-\rulenamedx{set_ext}
-\end{isabelle}
-Extensionality can be expressed as
-$A=B\iff (A\subseteq B)\conj (B\subseteq A)$.
-The following rules express both
-directions of this equivalence. Proving a set equation using
-\isa{equalityI} allows the two inclusions to be proved independently.
-\begin{isabelle}
-\isasymlbrakk A\ \isasymsubseteq\ B;\ B\ \isasymsubseteq\
-A\isasymrbrakk\ \isasymLongrightarrow\ A\ =\ B
-\rulenamedx{equalityI}
-\par\smallskip% \isanewline didn't leave enough space
-\isasymlbrakk A\ =\ B;\ \isasymlbrakk A\ \isasymsubseteq\ B;\ B\
-\isasymsubseteq\ A\isasymrbrakk\ \isasymLongrightarrow\ P\isasymrbrakk\
-\isasymLongrightarrow\ P%
-\rulenamedx{equalityE}
-\end{isabelle}
-
-
-\subsection{Finite Set Notation}
-
-\indexbold{sets!notation for finite}
-Finite sets are expressed using the constant \cdx{insert}, which is
-a form of union:
-\begin{isabelle}
-insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A
-\rulename{insert_is_Un}
-\end{isabelle}
-%
-The finite set expression \isa{\isacharbraceleft
-a,b\isacharbraceright} abbreviates
-\isa{insert\ a\ (insert\ b\ \isacharbraceleft\isacharbraceright)}.
-Many facts about finite sets can be proved automatically:
-\begin{isabelle}
-\isacommand{lemma}\
-"\isacharbraceleft a,b\isacharbraceright\
-\isasymunion\ \isacharbraceleft c,d\isacharbraceright\ =\
-\isacharbraceleft a,b,c,d\isacharbraceright"\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-
-Not everything that we would like to prove is valid.
-Consider this attempt:
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ \isacharbraceleft b,c\isacharbraceright\ =\
-\isacharbraceleft b\isacharbraceright"\isanewline
-\isacommand{apply}\ auto
-\end{isabelle}
-%
-The proof fails, leaving the subgoal \isa{b=c}. To see why it
-fails, consider a correct version:
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\
-\isacharbraceleft b,c\isacharbraceright\ =\ (if\ a=c\ then\
-\isacharbraceleft a,b\isacharbraceright\ else\ \isacharbraceleft
-b\isacharbraceright)"\isanewline
-\isacommand{apply}\ simp\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-Our mistake was to suppose that the various items were distinct. Another
-remark: this proof uses two methods, namely {\isa{simp}} and
-{\isa{blast}}. Calling {\isa{simp}} eliminates the
-\isa{if}-\isa{then}-\isa{else} expression, which {\isa{blast}}
-cannot break down. The combined methods (namely {\isa{force}} and
-\isa{auto}) can prove this fact in one step.
-
-
-\subsection{Set Comprehension}
-
-\index{set comprehensions|(}%
-The set comprehension \isa{\isacharbraceleft x.\
-P\isacharbraceright} expresses the set of all elements that satisfy the
-predicate~\isa{P}. Two laws describe the relationship between set
-comprehension and the membership relation:
-\begin{isabelle}
-(a\ \isasymin\
-\isacharbraceleft x.\ P\ x\isacharbraceright)\ =\ P\ a
-\rulename{mem_Collect_eq}\isanewline
-\isacharbraceleft x.\ x\ \isasymin\ A\isacharbraceright\ =\ A
-\rulename{Collect_mem_eq}
-\end{isabelle}
-
-\smallskip
-Facts such as these have trivial proofs:
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\ \isasymor\
-x\ \isasymin\ A\isacharbraceright\ =\
-\isacharbraceleft x.\ P\ x\isacharbraceright\ \isasymunion\ A"
-\par\smallskip
-\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\
-\isasymlongrightarrow\ Q\ x\isacharbraceright\ =\
--\isacharbraceleft x.\ P\ x\isacharbraceright\
-\isasymunion\ \isacharbraceleft x.\ Q\ x\isacharbraceright"
-\end{isabelle}
-
-\smallskip
-Isabelle has a general syntax for comprehension, which is best
-described through an example:
-\begin{isabelle}
-\isacommand{lemma}\ "\isacharbraceleft p*q\ \isacharbar\ p\ q.\
-p{\isasymin}prime\ \isasymand\ q{\isasymin}prime\isacharbraceright\ =\
-\isanewline
-\ \ \ \ \ \ \ \ \isacharbraceleft z.\ \isasymexists p\ q.\ z\ =\ p*q\
-\isasymand\ p{\isasymin}prime\ \isasymand\
-q{\isasymin}prime\isacharbraceright"
-\end{isabelle}
-The left and right hand sides
-of this equation are identical. The syntax used in the
-left-hand side abbreviates the right-hand side: in this case, all numbers
-that are the product of two primes. The syntax provides a neat
-way of expressing any set given by an expression built up from variables
-under specific constraints. The drawback is that it hides the true form of
-the expression, with its existential quantifiers.
-
-\smallskip
-\emph{Remark}. We do not need sets at all. They are essentially equivalent
-to predicate variables, which are allowed in higher-order logic. The main
-benefit of sets is their notation; we can write \isa{x{\isasymin}A}
-and
-\isa{\isacharbraceleft z.\ P\isacharbraceright} where predicates would
-require writing
-\isa{A(x)} and
-\isa{{\isasymlambda}z.\ P}.
-\index{set comprehensions|)}
-
-
-\subsection{Binding Operators}
-
-\index{quantifiers!for sets|(}%
-Universal and existential quantifications may range over sets,
-with the obvious meaning. Here are the natural deduction rules for the
-bounded universal quantifier. Occasionally you will need to apply
-\isa{bspec} with an explicit instantiation of the variable~\isa{x}:
-%
-\begin{isabelle}
-({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ P\ x)\ \isasymLongrightarrow\ {\isasymforall}x\isasymin
-A.\ P\ x%
-\rulenamedx{ballI}%
-\isanewline
-\isasymlbrakk{\isasymforall}x\isasymin A.\
-P\ x;\ x\ \isasymin\
-A\isasymrbrakk\ \isasymLongrightarrow\ P\
-x%
-\rulenamedx{bspec}
-\end{isabelle}
-%
-Dually, here are the natural deduction rules for the
-bounded existential quantifier. You may need to apply
-\isa{bexI} with an explicit instantiation:
-\begin{isabelle}
-\isasymlbrakk P\ x;\
-x\ \isasymin\ A\isasymrbrakk\
-\isasymLongrightarrow\
-\isasymexists x\isasymin A.\ P\
-x%
-\rulenamedx{bexI}%
-\isanewline
-\isasymlbrakk\isasymexists x\isasymin A.\
-P\ x;\ {\isasymAnd}x.\
-{\isasymlbrakk}x\ \isasymin\ A;\
-P\ x\isasymrbrakk\ \isasymLongrightarrow\
-Q\isasymrbrakk\ \isasymLongrightarrow\ Q%
-\rulenamedx{bexE}
-\end{isabelle}
-\index{quantifiers!for sets|)}
-
-\index{union!indexed}%
-Unions can be formed over the values of a given set. The syntax is
-\mbox{\isa{\isasymUnion x\isasymin A.\ B}} or
-\isa{UN x:A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law:
-\begin{isabelle}
-(b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x)) =\ (\isasymexists x\isasymin A.\
-b\ \isasymin\ B\ x)
-\rulenamedx{UN_iff}
-\end{isabelle}
-It has two natural deduction rules similar to those for the existential
-quantifier. Sometimes \isa{UN_I} must be applied explicitly:
-\begin{isabelle}
-\isasymlbrakk a\ \isasymin\
-A;\ b\ \isasymin\
-B\ a\isasymrbrakk\ \isasymLongrightarrow\
-b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x)
-\rulenamedx{UN_I}%
-\isanewline
-\isasymlbrakk b\ \isasymin\
-(\isasymUnion x\isasymin A. B\ x);\
-{\isasymAnd}x.\ {\isasymlbrakk}x\ \isasymin\
-A;\ b\ \isasymin\
-B\ x\isasymrbrakk\ \isasymLongrightarrow\
-R\isasymrbrakk\ \isasymLongrightarrow\ R%
-\rulenamedx{UN_E}
-\end{isabelle}
-%
-The following built-in abbreviation (see {\S}\ref{sec:abbreviations})
-lets us express the union over a \emph{type}:
-\begin{isabelle}
-\ \ \ \ \
-({\isasymUnion}x.\ B\ x)\ {\isasymequiv}\
-({\isasymUnion}x{\isasymin}UNIV. B\ x)
-\end{isabelle}
-
-We may also express the union of a set of sets, written \isa{Union\ C} in
-\textsc{ascii}:
-\begin{isabelle}
-(A\ \isasymin\ \isasymUnion C)\ =\ (\isasymexists X\isasymin C.\ A\
-\isasymin\ X)
-\rulenamedx{Union_iff}
-\end{isabelle}
-
-\index{intersection!indexed}%
-Intersections are treated dually, although they seem to be used less often
-than unions. The syntax below would be \isa{INT
-x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}. Among others, these
-theorems are available:
-\begin{isabelle}
-(b\ \isasymin\
-(\isasymInter x\isasymin A. B\ x))\
-=\
-({\isasymforall}x\isasymin A.\
-b\ \isasymin\ B\ x)
-\rulenamedx{INT_iff}%
-\isanewline
-(A\ \isasymin\
-\isasymInter C)\ =\
-({\isasymforall}X\isasymin C.\
-A\ \isasymin\ X)
-\rulenamedx{Inter_iff}
-\end{isabelle}
-
-Isabelle uses logical equivalences such as those above in automatic proof.
-Unions, intersections and so forth are not simply replaced by their
-definitions. Instead, membership tests are simplified. For example, $x\in
-A\cup B$ is replaced by $x\in A\lor x\in B$.
-
-The internal form of a comprehension involves the constant
-\cdx{Collect},
-which occasionally appears when a goal or theorem
-is displayed. For example, \isa{Collect\ P} is the same term as
-\isa{\isacharbraceleft x.\ P\ x\isacharbraceright}. The same thing can
-happen with quantifiers: \hbox{\isa{All\ P}}\index{*All (constant)}
-is
-\isa{{\isasymforall}x.\ P\ x} and
-\hbox{\isa{Ex\ P}}\index{*Ex (constant)} is \isa{\isasymexists x.\ P\ x};
-also \isa{Ball\ A\ P}\index{*Ball (constant)} is
-\isa{{\isasymforall}x\isasymin A.\ P\ x} and
-\isa{Bex\ A\ P}\index{*Bex (constant)} is
-\isa{\isasymexists x\isasymin A.\ P\ x}. For indexed unions and
-intersections, you may see the constants
-\cdx{UNION} and \cdx{INTER}\@.
-The internal constant for $\varepsilon x.P(x)$ is~\cdx{Eps}.
-
-We have only scratched the surface of Isabelle/HOL's set theory, which provides
-hundreds of theorems for your use.
-
-
-\subsection{Finiteness and Cardinality}
-
-\index{sets!finite}%
-The predicate \sdx{finite} holds of all finite sets. Isabelle/HOL
-includes many familiar theorems about finiteness and cardinality
-(\cdx{card}). For example, we have theorems concerning the
-cardinalities of unions, intersections and the
-powerset:\index{cardinality}
-%
-\begin{isabelle}
-{\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline
-\isasymLongrightarrow\ card\ A\ \isacharplus\ card\ B\ =\ card\ (A\ \isasymunion\ B)\ \isacharplus\ card\ (A\ \isasyminter\ B)
-\rulenamedx{card_Un_Int}%
-\isanewline
-\isanewline
-finite\ A\ \isasymLongrightarrow\ card\
-(Pow\ A)\ =\ 2\ \isacharcircum\ card\ A%
-\rulenamedx{card_Pow}%
-\isanewline
-\isanewline
-finite\ A\ \isasymLongrightarrow\isanewline
-card\ \isacharbraceleft B.\ B\ \isasymsubseteq\
-A\ \isasymand\ card\ B\ =\
-k\isacharbraceright\ =\ card\ A\ choose\ k%
-\rulename{n_subsets}
-\end{isabelle}
-Writing $|A|$ as $n$, the last of these theorems says that the number of
-$k$-element subsets of~$A$ is \index{binomial coefficients}
-$\binom{n}{k}$.
-
-%\begin{warn}
-%The term \isa{finite\ A} is defined via a syntax translation as an
-%abbreviation for \isa{A {\isasymin} Finites}, where the constant
-%\cdx{Finites} denotes the set of all finite sets of a given type. There
-%is no constant \isa{finite}.
-%\end{warn}
-\index{sets|)}
-
-
-\section{Functions}
-
-\index{functions|(}%
-This section describes a few concepts that involve
-functions. Some of the more important theorems are given along with the
-names. A few sample proofs appear. Unlike with set theory, however,
-we cannot simply state lemmas and expect them to be proved using
-\isa{blast}.
-
-\subsection{Function Basics}
-
-Two functions are \textbf{equal}\indexbold{equality!of functions}
-if they yield equal results given equal
-arguments. This is the principle of
-\textbf{extensionality}\indexbold{extensionality!for functions} for
-functions:
-\begin{isabelle}
-({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g
-\rulenamedx{ext}
-\end{isabelle}
-
-\indexbold{updating a function}%
-Function \textbf{update} is useful for modelling machine states. It has
-the obvious definition and many useful facts are proved about
-it. In particular, the following equation is installed as a simplification
-rule:
-\begin{isabelle}
-(f(x:=y))\ z\ =\ (if\ z\ =\ x\ then\ y\ else\ f\ z)
-\rulename{fun_upd_apply}
-\end{isabelle}
-Two syntactic points must be noted. In
-\isa{(f(x:=y))\ z} we are applying an updated function to an
-argument; the outer parentheses are essential. A series of two or more
-updates can be abbreviated as shown on the left-hand side of this theorem:
-\begin{isabelle}
-f(x:=y,\ x:=z)\ =\ f(x:=z)
-\rulename{fun_upd_upd}
-\end{isabelle}
-Note also that we can write \isa{f(x:=z)} with only one pair of parentheses
-when it is not being applied to an argument.
-
-\medskip
-The \bfindex{identity function} and function
-\textbf{composition}\indexbold{composition!of functions} are
-defined:
-\begin{isabelle}%
-id\ \isasymequiv\ {\isasymlambda}x.\ x%
-\rulenamedx{id_def}\isanewline
-f\ \isasymcirc\ g\ \isasymequiv\
-{\isasymlambda}x.\ f\
-(g\ x)%
-\rulenamedx{o_def}
-\end{isabelle}
-%
-Many familiar theorems concerning the identity and composition
-are proved. For example, we have the associativity of composition:
-\begin{isabelle}
-f\ \isasymcirc\ (g\ \isasymcirc\ h)\ =\ f\ \isasymcirc\ g\ \isasymcirc\ h
-\rulename{o_assoc}
-\end{isabelle}
-
-\subsection{Injections, Surjections, Bijections}
-
-\index{injections}\index{surjections}\index{bijections}%
-A function may be \textbf{injective}, \textbf{surjective} or \textbf{bijective}:
-\begin{isabelle}
-inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\
-{\isasymforall}y\isasymin A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\
-=\ y%
-\rulenamedx{inj_on_def}\isanewline
-surj\ f\ \isasymequiv\ {\isasymforall}y.\
-\isasymexists x.\ y\ =\ f\ x%
-\rulenamedx{surj_def}\isanewline
-bij\ f\ \isasymequiv\ inj\ f\ \isasymand\ surj\ f
-\rulenamedx{bij_def}
-\end{isabelle}
-The second argument
-of \isa{inj_on} lets us express that a function is injective over a
-given set. This refinement is useful in higher-order logic, where
-functions are total; in some cases, a function's natural domain is a subset
-of its domain type. Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\
-UNIV}, for when \isa{f} is injective everywhere.
-
-The operator \isa{inv} expresses the
-\textbf{inverse}\indexbold{inverse!of a function}
-of a function. In
-general the inverse may not be well behaved. We have the usual laws,
-such as these:
-\begin{isabelle}
-inj\ f\ \ \isasymLongrightarrow\ inv\ f\ (f\ x)\ =\ x%
-\rulename{inv_f_f}\isanewline
-surj\ f\ \isasymLongrightarrow\ f\ (inv\ f\ y)\ =\ y
-\rulename{surj_f_inv_f}\isanewline
-bij\ f\ \ \isasymLongrightarrow\ inv\ (inv\ f)\ =\ f
-\rulename{inv_inv_eq}
-\end{isabelle}
-%
-%Other useful facts are that the inverse of an injection
-%is a surjection and vice versa; the inverse of a bijection is
-%a bijection.
-%\begin{isabelle}
-%inj\ f\ \isasymLongrightarrow\ surj\
-%(inv\ f)
-%\rulename{inj_imp_surj_inv}\isanewline
-%surj\ f\ \isasymLongrightarrow\ inj\ (inv\ f)
-%\rulename{surj_imp_inj_inv}\isanewline
-%bij\ f\ \isasymLongrightarrow\ bij\ (inv\ f)
-%\rulename{bij_imp_bij_inv}
-%\end{isabelle}
-%
-%The converses of these results fail. Unless a function is
-%well behaved, little can be said about its inverse. Here is another
-%law:
-%\begin{isabelle}
-%{\isasymlbrakk}bij\ f;\ bij\ g\isasymrbrakk\ \isasymLongrightarrow\ inv\ (f\ \isasymcirc\ g)\ =\ inv\ g\ \isasymcirc\ inv\ f%
-%\rulename{o_inv_distrib}
-%\end{isabelle}
-
-Theorems involving these concepts can be hard to prove. The following
-example is easy, but it cannot be proved automatically. To begin
-with, we need a law that relates the equality of functions to
-equality over all arguments:
-\begin{isabelle}
-(f\ =\ g)\ =\ ({\isasymforall}x.\ f\ x\ =\ g\ x)
-\rulename{fun_eq_iff}
-\end{isabelle}
-%
-This is just a restatement of
-extensionality.\indexbold{extensionality!for functions}
-Our lemma
-states that an injection can be cancelled from the left side of
-function composition:
-\begin{isabelle}
-\isacommand{lemma}\ "inj\ f\ \isasymLongrightarrow\ (f\ o\ g\ =\ f\ o\ h)\ =\ (g\ =\ h)"\isanewline
-\isacommand{apply}\ (simp\ add:\ fun_eq_iff\ inj_on_def)\isanewline
-\isacommand{apply}\ auto\isanewline
-\isacommand{done}
-\end{isabelle}
-
-The first step of the proof invokes extensionality and the definitions
-of injectiveness and composition. It leaves one subgoal:
-\begin{isabelle}
-\ 1.\ {\isasymforall}x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ =\ y\
-\isasymLongrightarrow\isanewline
-\ \ \ \ ({\isasymforall}x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ ({\isasymforall}x.\ g\ x\ =\ h\ x)
-\end{isabelle}
-This can be proved using the \isa{auto} method.
-
-
-\subsection{Function Image}
-
-The \textbf{image}\indexbold{image!under a function}
-of a set under a function is a most useful notion. It
-has the obvious definition:
-\begin{isabelle}
-f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin
-A.\ y\ =\ f\ x\isacharbraceright
-\rulenamedx{image_def}
-\end{isabelle}
-%
-Here are some of the many facts proved about image:
-\begin{isabelle}
-(f\ \isasymcirc\ g)\ `\ r\ =\ f\ `\ g\ `\ r
-\rulename{image_compose}\isanewline
-f`(A\ \isasymunion\ B)\ =\ f`A\ \isasymunion\ f`B
-\rulename{image_Un}\isanewline
-inj\ f\ \isasymLongrightarrow\ f`(A\ \isasyminter\
-B)\ =\ f`A\ \isasyminter\ f`B
-\rulename{image_Int}
-%\isanewline
-%bij\ f\ \isasymLongrightarrow\ f\ `\ (-\ A)\ =\ -\ f\ `\ A%
-%\rulename{bij_image_Compl_eq}
-\end{isabelle}
-
-
-Laws involving image can often be proved automatically. Here
-are two examples, illustrating connections with indexed union and with the
-general syntax for comprehension:
-\begin{isabelle}
-\isacommand{lemma}\ "f`A\ \isasymunion\ g`A\ =\ ({\isasymUnion}x{\isasymin}A.\ \isacharbraceleft f\ x,\ g\
-x\isacharbraceright)"
-\par\smallskip
-\isacommand{lemma}\ "f\ `\ \isacharbraceleft(x,y){.}\ P\ x\ y\isacharbraceright\ =\ \isacharbraceleft f(x,y)\ \isacharbar\ x\ y.\ P\ x\
-y\isacharbraceright"
-\end{isabelle}
-
-\medskip
-\index{range!of a function}%
-A function's \textbf{range} is the set of values that the function can
-take on. It is, in fact, the image of the universal set under
-that function. There is no constant \isa{range}. Instead,
-\sdx{range} abbreviates an application of image to \isa{UNIV}:
-\begin{isabelle}
-\ \ \ \ \ range\ f\
-{\isasymrightleftharpoons}\ f`UNIV
-\end{isabelle}
-%
-Few theorems are proved specifically
-for {\isa{range}}; in most cases, you should look for a more general
-theorem concerning images.
-
-\medskip
-\textbf{Inverse image}\index{inverse image!of a function} is also useful.
-It is defined as follows:
-\begin{isabelle}
-f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright
-\rulenamedx{vimage_def}
-\end{isabelle}
-%
-This is one of the facts proved about it:
-\begin{isabelle}
-f\ -`\ (-\ A)\ =\ -\ f\ -`\ A%
-\rulename{vimage_Compl}
-\end{isabelle}
-\index{functions|)}
-
-
-\section{Relations}
-\label{sec:Relations}
-
-\index{relations|(}%
-A \textbf{relation} is a set of pairs. As such, the set operations apply
-to them. For instance, we may form the union of two relations. Other
-primitives are defined specifically for relations.
-
-\subsection{Relation Basics}
-
-The \bfindex{identity relation}, also known as equality, has the obvious
-definition:
-\begin{isabelle}
-Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}%
-\rulenamedx{Id_def}
-\end{isabelle}
-
-\indexbold{composition!of relations}%
-\textbf{Composition} of relations (the infix \sdx{O}) is also
-available:
-\begin{isabelle}
-r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright
-\rulenamedx{rel_comp_def}
-\end{isabelle}
-%
-This is one of the many lemmas proved about these concepts:
-\begin{isabelle}
-R\ O\ Id\ =\ R
-\rulename{R_O_Id}
-\end{isabelle}
-%
-Composition is monotonic, as are most of the primitives appearing
-in this chapter. We have many theorems similar to the following
-one:
-\begin{isabelle}
-\isasymlbrakk r\isacharprime\ \isasymsubseteq\ r;\ s\isacharprime\
-\isasymsubseteq\ s\isasymrbrakk\ \isasymLongrightarrow\ r\isacharprime\ O\
-s\isacharprime\ \isasymsubseteq\ r\ O\ s%
-\rulename{rel_comp_mono}
-\end{isabelle}
-
-\indexbold{converse!of a relation}%
-\indexbold{inverse!of a relation}%
-The \textbf{converse} or inverse of a
-relation exchanges the roles of the two operands. We use the postfix
-notation~\isa{r\isasyminverse} or
-\isa{r\isacharcircum-1} in ASCII\@.
-\begin{isabelle}
-((a,b)\ \isasymin\ r\isasyminverse)\ =\
-((b,a)\ \isasymin\ r)
-\rulenamedx{converse_iff}
-\end{isabelle}
-%
-Here is a typical law proved about converse and composition:
-\begin{isabelle}
-(r\ O\ s)\isasyminverse\ =\ s\isasyminverse\ O\ r\isasyminverse
-\rulename{converse_rel_comp}
-\end{isabelle}
-
-\indexbold{image!under a relation}%
-The \textbf{image} of a set under a relation is defined
-analogously to image under a function:
-\begin{isabelle}
-(b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin
-A.\ (x,b)\ \isasymin\ r)
-\rulenamedx{Image_iff}
-\end{isabelle}
-It satisfies many similar laws.
-
-\index{domain!of a relation}%
-\index{range!of a relation}%
-The \textbf{domain} and \textbf{range} of a relation are defined in the
-standard way:
-\begin{isabelle}
-(a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\
-r)
-\rulenamedx{Domain_iff}%
-\isanewline
-(a\ \isasymin\ Range\ r)\
-\ =\ (\isasymexists y.\
-(y,a)\
-\isasymin\ r)
-\rulenamedx{Range_iff}
-\end{isabelle}
-
-Iterated composition of a relation is available. The notation overloads
-that of exponentiation. Two simplification rules are installed:
-\begin{isabelle}
-R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline
-R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n
-\end{isabelle}
-
-\subsection{The Reflexive and Transitive Closure}
-
-\index{reflexive and transitive closure|(}%
-The \textbf{reflexive and transitive closure} of the
-relation~\isa{r} is written with a
-postfix syntax. In ASCII we write \isa{r\isacharcircum*} and in
-symbol notation~\isa{r\isactrlsup *}. It is the least solution of the
-equation
-\begin{isabelle}
-r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *)
-\rulename{rtrancl_unfold}
-\end{isabelle}
-%
-Among its basic properties are three that serve as introduction
-rules:
-\begin{isabelle}
-(a,\ a)\ \isasymin \ r\isactrlsup *
-\rulenamedx{rtrancl_refl}\isanewline
-p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup *
-\rulenamedx{r_into_rtrancl}\isanewline
-\isasymlbrakk (a,b)\ \isasymin \ r\isactrlsup *;\
-(b,c)\ \isasymin \ r\isactrlsup *\isasymrbrakk \ \isasymLongrightarrow \
-(a,c)\ \isasymin \ r\isactrlsup *
-\rulenamedx{rtrancl_trans}
-\end{isabelle}
-%
-Induction over the reflexive transitive closure is available:
-\begin{isabelle}
-\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup *;\ P\ a;\ \isasymAnd y\ z.\ \isasymlbrakk (a,\ y)\ \isasymin \ r\isactrlsup *;\ (y,\ z)\ \isasymin \ r;\ P\ y\isasymrbrakk \ \isasymLongrightarrow \ P\ z\isasymrbrakk \isanewline
-\isasymLongrightarrow \ P\ b%
-\rulename{rtrancl_induct}
-\end{isabelle}
-%
-Idempotence is one of the laws proved about the reflexive transitive
-closure:
-\begin{isabelle}
-(r\isactrlsup *)\isactrlsup *\ =\ r\isactrlsup *
-\rulename{rtrancl_idemp}
-\end{isabelle}
-
-\smallskip
-The transitive closure is similar. The ASCII syntax is
-\isa{r\isacharcircum+}. It has two introduction rules:
-\begin{isabelle}
-p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup +
-\rulenamedx{r_into_trancl}\isanewline
-\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup +;\ (b,\ c)\ \isasymin \ r\isactrlsup +\isasymrbrakk \ \isasymLongrightarrow \ (a,\ c)\ \isasymin \ r\isactrlsup +
-\rulenamedx{trancl_trans}
-\end{isabelle}
-%
-The induction rule resembles the one shown above.
-A typical lemma states that transitive closure commutes with the converse
-operator:
-\begin{isabelle}
-(r\isasyminverse )\isactrlsup +\ =\ (r\isactrlsup +)\isasyminverse
-\rulename{trancl_converse}
-\end{isabelle}
-
-\subsection{A Sample Proof}
-
-The reflexive transitive closure also commutes with the converse
-operator. Let us examine the proof. Each direction of the equivalence
-is proved separately. The two proofs are almost identical. Here
-is the first one:
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \
-(r\isasyminverse)\isactrlsup *\ \isasymLongrightarrow \ (y,x)\ \isasymin
-\ r\isactrlsup *"\isanewline
-\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
-\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
-\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
-\isacommand{done}
-\end{isabelle}
-%
-The first step of the proof applies induction, leaving these subgoals:
-\begin{isabelle}
-\ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline
-\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \
-(r\isasyminverse)\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\
-(y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline
-\ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup *
-\end{isabelle}
-%
-The first subgoal is trivial by reflexivity. The second follows
-by first eliminating the converse operator, yielding the
-assumption \isa{(z,y)\
-\isasymin\ r}, and then
-applying the introduction rules shown above. The same proof script handles
-the other direction:
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isactrlsup *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isasyminverse)\isactrlsup *"\isanewline
-\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
-\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
-\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
-\isacommand{done}
-\end{isabelle}
-
-
-Finally, we combine the two lemmas to prove the desired equation:
-\begin{isabelle}
-\isacommand{lemma}\ rtrancl_converse:\ "(r\isasyminverse)\isactrlsup *\ =\ (r\isactrlsup *)\isasyminverse"\isanewline
-\isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\
-rtrancl_converseD)
-\end{isabelle}
-
-\begin{warn}
-This trivial proof requires \isa{auto} rather than \isa{blast} because
-of a subtle issue involving ordered pairs. Here is a subgoal that
-arises internally after the rules
-\isa{equalityI} and \isa{subsetI} have been applied:
-\begin{isabelle}
-\ 1.\ \isasymAnd x.\ x\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ x\ \isasymin \ (r\isactrlsup
-*)\isasyminverse
-%ignore subgoal 2
-%\ 2.\ \isasymAnd x.\ x\ \isasymin \ (r\isactrlsup *)\isasyminverse \
-%\isasymLongrightarrow \ x\ \isasymin \ (r\isasyminverse )\isactrlsup *
-\end{isabelle}
-\par\noindent
-We cannot apply \isa{rtrancl_converseD}\@. It refers to
-ordered pairs, while \isa{x} is a variable of product type.
-The \isa{simp} and \isa{blast} methods can do nothing, so let us try
-\isa{clarify}:
-\begin{isabelle}
-\ 1.\ \isasymAnd a\ b.\ (a,b)\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ (b,a)\ \isasymin \ r\isactrlsup
-*
-\end{isabelle}
-Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can
-proceed. Other methods that split variables in this way are \isa{force},
-\isa{auto}, \isa{fast} and \isa{best}. Section~\ref{sec:products} will discuss proof
-techniques for ordered pairs in more detail.
-\end{warn}
-\index{relations|)}\index{reflexive and transitive closure|)}
-
-
-\section{Well-Founded Relations and Induction}
-\label{sec:Well-founded}
-
-\index{relations!well-founded|(}%
-A well-founded relation captures the notion of a terminating
-process. Complex recursive functions definitions must specify a
-well-founded relation that justifies their
-termination~\cite{isabelle-function}. Most of the forms of induction found
-in mathematics are merely special cases of induction over a
-well-founded relation.
-
-Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no
-infinite descending chains
-\[ \cdots \prec a@2 \prec a@1 \prec a@0. \]
-Well-foundedness can be hard to show. The various
-formulations are all complicated. However, often a relation
-is well-founded by construction. HOL provides
-theorems concerning ways of constructing a well-founded relation. The
-most familiar way is to specify a
-\index{measure functions}\textbf{measure function}~\isa{f} into
-the natural numbers, when $\isa{x}\prec \isa{y}\iff \isa{f x} < \isa{f y}$;
-we write this particular relation as
-\isa{measure~f}.
-
-\begin{warn}
-You may want to skip the rest of this section until you need to perform a
-complex recursive function definition or induction. The induction rule
-returned by
-\isacommand{fun} is good enough for most purposes. We use an explicit
-well-founded induction only in {\S}\ref{sec:CTL-revisited}.
-\end{warn}
-
-Isabelle/HOL declares \cdx{less_than} as a relation object,
-that is, a set of pairs of natural numbers. Two theorems tell us that this
-relation behaves as expected and that it is well-founded:
-\begin{isabelle}
-((x,y)\ \isasymin\ less_than)\ =\ (x\ <\ y)
-\rulenamedx{less_than_iff}\isanewline
-wf\ less_than
-\rulenamedx{wf_less_than}
-\end{isabelle}
-
-The notion of measure generalizes to the
-\index{inverse image!of a relation}\textbf{inverse image} of
-a relation. Given a relation~\isa{r} and a function~\isa{f}, we express a
-new relation using \isa{f} as a measure. An infinite descending chain on
-this new relation would give rise to an infinite descending chain
-on~\isa{r}. Isabelle/HOL defines this concept and proves a
-theorem stating that it preserves well-foundedness:
-\begin{isabelle}
-inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\
-\isasymin\ r\isacharbraceright
-\rulenamedx{inv_image_def}\isanewline
-wf\ r\ \isasymLongrightarrow\ wf\ (inv_image\ r\ f)
-\rulenamedx{wf_inv_image}
-\end{isabelle}
-
-A measure function involves the natural numbers. The relation \isa{measure
-size} justifies primitive recursion and structural induction over a
-datatype. Isabelle/HOL defines
-\isa{measure} as shown:
-\begin{isabelle}
-measure\ \isasymequiv\ inv_image\ less_than%
-\rulenamedx{measure_def}\isanewline
-wf\ (measure\ f)
-\rulenamedx{wf_measure}
-\end{isabelle}
-
-Of the other constructions, the most important is the
-\bfindex{lexicographic product} of two relations. It expresses the
-standard dictionary ordering over pairs. We write \isa{ra\ <*lex*>\
-rb}, where \isa{ra} and \isa{rb} are the two operands. The
-lexicographic product satisfies the usual definition and it preserves
-well-foundedness:
-\begin{isabelle}
-ra\ <*lex*>\ rb\ \isasymequiv \isanewline
-\ \ \isacharbraceleft ((a,b),(a',b')).\ (a,a')\ \isasymin \ ra\
-\isasymor\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \,a=a'\ \isasymand \ (b,b')\
-\isasymin \ rb\isacharbraceright
-\rulenamedx{lex_prod_def}%
-\par\smallskip
-\isasymlbrakk wf\ ra;\ wf\ rb\isasymrbrakk \ \isasymLongrightarrow \ wf\ (ra\ <*lex*>\ rb)
-\rulenamedx{wf_lex_prod}
-\end{isabelle}
-
-%These constructions can be used in a
-%\textbf{recdef} declaration ({\S}\ref{sec:recdef-simplification}) to define
-%the well-founded relation used to prove termination.
-
-The \bfindex{multiset ordering}, useful for hard termination proofs, is
-available in the Library~\cite{HOL-Library}.
-Baader and Nipkow \cite[{\S}2.5]{Baader-Nipkow} discuss it.
-
-\medskip
-Induction\index{induction!well-founded|(}
-comes in many forms,
-including traditional mathematical induction, structural induction on
-lists and induction on size. All are instances of the following rule,
-for a suitable well-founded relation~$\prec$:
-\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \]
-To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for
-arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$.
-Intuitively, the well-foundedness of $\prec$ ensures that the chains of
-reasoning are finite.
-
-\smallskip
-In Isabelle, the induction rule is expressed like this:
-\begin{isabelle}
-{\isasymlbrakk}wf\ r;\
- {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\
-\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
-\isasymLongrightarrow\ P\ a
-\rulenamedx{wf_induct}
-\end{isabelle}
-Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded.
-
-Many familiar induction principles are instances of this rule.
-For example, the predecessor relation on the natural numbers
-is well-founded; induction over it is mathematical induction.
-The ``tail of'' relation on lists is well-founded; induction over
-it is structural induction.%
-\index{induction!well-founded|)}%
-\index{relations!well-founded|)}
-
-
-\section{Fixed Point Operators}
-
-\index{fixed points|(}%
-Fixed point operators define sets
-recursively. They are invoked implicitly when making an inductive
-definition, as discussed in Chap.\ts\ref{chap:inductive} below. However,
-they can be used directly, too. The
-\emph{least} or \emph{strongest} fixed point yields an inductive
-definition; the \emph{greatest} or \emph{weakest} fixed point yields a
-coinductive definition. Mathematicians may wish to note that the
-existence of these fixed points is guaranteed by the Knaster-Tarski
-theorem.
-
-\begin{warn}
-Casual readers should skip the rest of this section. We use fixed point
-operators only in {\S}\ref{sec:VMC}.
-\end{warn}
-
-The theory applies only to monotonic functions.\index{monotone functions|bold}
-Isabelle's definition of monotone is overloaded over all orderings:
-\begin{isabelle}
-mono\ f\ \isasymequiv\ {\isasymforall}A\ B.\ A\ \isasymle\ B\ \isasymlongrightarrow\ f\ A\ \isasymle\ f\ B%
-\rulenamedx{mono_def}
-\end{isabelle}
-%
-For fixed point operators, the ordering will be the subset relation: if
-$A\subseteq B$ then we expect $f(A)\subseteq f(B)$. In addition to its
-definition, monotonicity has the obvious introduction and destruction
-rules:
-\begin{isabelle}
-({\isasymAnd}A\ B.\ A\ \isasymle\ B\ \isasymLongrightarrow\ f\ A\ \isasymle\ f\ B)\ \isasymLongrightarrow\ mono\ f%
-\rulename{monoI}%
-\par\smallskip% \isanewline didn't leave enough space
-{\isasymlbrakk}mono\ f;\ A\ \isasymle\ B\isasymrbrakk\
-\isasymLongrightarrow\ f\ A\ \isasymle\ f\ B%
-\rulename{monoD}
-\end{isabelle}
-
-The most important properties of the least fixed point are that
-it is a fixed point and that it enjoys an induction rule:
-\begin{isabelle}
-mono\ f\ \isasymLongrightarrow\ lfp\ f\ =\ f\ (lfp\ f)
-\rulename{lfp_unfold}%
-\par\smallskip% \isanewline didn't leave enough space
-{\isasymlbrakk}a\ \isasymin\ lfp\ f;\ mono\ f;\isanewline
- \ {\isasymAnd}x.\ x\
-\isasymin\ f\ (lfp\ f\ \isasyminter\ \isacharbraceleft x.\ P\
-x\isacharbraceright)\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
-\isasymLongrightarrow\ P\ a%
-\rulename{lfp_induct}
-\end{isabelle}
-%
-The induction rule shown above is more convenient than the basic
-one derived from the minimality of {\isa{lfp}}. Observe that both theorems
-demand \isa{mono\ f} as a premise.
-
-The greatest fixed point is similar, but it has a \bfindex{coinduction} rule:
-\begin{isabelle}
-mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f)
-\rulename{gfp_unfold}%
-\isanewline
-{\isasymlbrakk}mono\ f;\ a\ \isasymin\ X;\ X\ \isasymsubseteq\ f\ (X\
-\isasymunion\ gfp\ f)\isasymrbrakk\ \isasymLongrightarrow\ a\ \isasymin\
-gfp\ f%
-\rulename{coinduct}
-\end{isabelle}
-A \textbf{bisimulation}\index{bisimulations}
-is perhaps the best-known concept defined as a
-greatest fixed point. Exhibiting a bisimulation to prove the equality of
-two agents in a process algebra is an example of coinduction.
-The coinduction rule can be strengthened in various ways.
-\index{fixed points|)}
-
-%The section "Case Study: Verified Model Checking" is part of this chapter
-\input{ctl0}
-\endinput
--- a/doc-src/TutorialI/document/tutorial.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,191 +0,0 @@
-% tutorial.sty : Isabelle Tutorial Page Layout
-%
-\typeout{Document Style tutorial. Released 9 July 2001}
-
-\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
-\hyphenation{data-type data-types co-data-type co-data-types }
-
-%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
-\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
-
-
-%%%INDEXING use isa-index to process the index
-
-\newcommand\seealso[2]{\emph{see also} #1}
-\usepackage{makeidx}
-
-%index, putting page numbers of definitions in boldface
-\def\bold#1{\textbf{#1}}
-\newcommand\fnote[1]{#1n}
-\newcommand\indexbold[1]{\index{#1|bold}}
-
-% The alternative to \protect\isa in the indexing macros is
-% \noexpand\noexpand \noexpand\isa
-% need TWO levels of \noexpand to delay the expansion of \isa:
-% the \noexpand\noexpand will leave one \noexpand, to be given to the
-% (still unexpanded) \isa token. See TeX by Topic, page 122.
-
-%%%% for indexing constants, symbols, theorems, ...
-\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
-\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
-\newcommand\sdxpos[2]{\isa{#1}\index{#2@\protect\isa{#1} (symbol)}}
-
-\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
-\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
-
-\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
-\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
-\newcommand\tcdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type class)}}
-\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
-
-\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
-\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
-\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
-\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
-\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
-\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
-\newcommand\pgdx[1]{\pgmenu{#1}\index{#1@\protect\pgmenu{#1} (Proof General)}}
-
-%set argument in \bf font and index in ROMAN font (for definitions in text!)
-\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
-
-\newcommand\rmindex[1]{{#1}\index{#1}\@}
-\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
-\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
-
-\newcommand{\isadxpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}}\@}
-\newcommand{\isadxboldpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}|bold}\@}
-
-%Commented-out the original versions to see what the index looks like without them.
-% In any event, they need to use \isa or \protect\isa rather than \texttt.
-%%\newcommand{\indexboldpos}[2]{#1\index{#2@#1|bold}\@}
-%%\newcommand{\ttindexboldpos}[2]{\texttt{#1}\index{#2@\texttt{#1}|bold}\@}
-\newcommand{\indexboldpos}[2]{#1\@}
-\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
-
-%\newtheorem{theorem}{Theorem}[section]
-\newtheorem{Exercise}{Exercise}[section]
-\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
-\newcommand{\ttlbr}{\texttt{[|}}
-\newcommand{\ttrbr}{\texttt{|]}}
-\newcommand{\ttor}{\texttt{|}}
-\newcommand{\ttall}{\texttt{!}}
-\newcommand{\ttuniquex}{\texttt{?!}}
-\newcommand{\ttEXU}{\texttt{EX!}}
-\newcommand{\ttAnd}{\texttt{!!}}
-
-\newcommand{\isasymignore}{}
-\newcommand{\isasymimp}{\isasymlongrightarrow}
-\newcommand{\isasymImp}{\isasymLongrightarrow}
-\newcommand{\isasymFun}{\isasymRightarrow}
-\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
-\renewcommand{\S}{Sect.\ts}
-
-\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
-
-\newif\ifremarks
-\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
-
-%names of Isabelle rules
-\newcommand{\rulename}[1]{\hfill(#1)}
-\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
-
-%%%% meta-logical connectives
-
-\let\Forall=\bigwedge
-\let\Imp=\Longrightarrow
-\let\To=\Rightarrow
-\newcommand{\Var}[1]{{?\!#1}}
-
-%%% underscores as ordinary characters, not for subscripting
-%% use @ or \sb for subscripting; use \at for @
-%% only works in \tt font
-%% must not make _ an active char; would make \ttindex fail!
-\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
-\gdef\underscoreon{\catcode`\_=8\makeatother}
-\chardef\other=12
-\chardef\at=`\@
-
-% alternative underscore
-\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
-
-
-%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
-\def\warnbang{\vtop to 0pt{\vss\hbox{\Huge\bf!\!!}\vss}}
-\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
- \small %%WAS\baselineskip=0.9\baselineskip
- \noindent \hangindent\parindent \hangafter=-2
- \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}%
- {\par\endgroup\medbreak}
-
-%%%% ``PROOF GENERAL'' environment
-\def\pghead{\lower3pt\vbox to 0pt{\vss\hbox{\includegraphics[width=12pt]{pghead}}\vss}}
-\newenvironment{pgnote}{\medskip\medbreak\begingroup \clubpenalty=10000
- \small \noindent \hangindent\parindent \hangafter=-2
- \hbox to0pt{\hskip-\hangindent \pghead\hfill}\ignorespaces}%
- {\par\endgroup\medbreak}
-\newcommand{\pgmenu}[1]{\textsf{#1}}
-
-
-%%%% Standard logical symbols
-\let\turn=\vdash
-\let\conj=\wedge
-\let\disj=\vee
-\let\imp=\rightarrow
-\let\bimp=\leftrightarrow
-\newcommand\all[1]{\forall#1.} %quantification
-\newcommand\ex[1]{\exists#1.}
-\newcommand{\pair}[1]{\langle#1\rangle}
-
-\newcommand{\lparr}{\mathopen{(\!|}}
-\newcommand{\rparr}{\mathclose{|\!)}}
-\newcommand{\fs}{\mathpunct{,\,}}
-\newcommand{\ty}{\mathrel{::}}
-\newcommand{\asn}{\mathrel{:=}}
-\newcommand{\more}{\ldots}
-\newcommand{\record}[1]{\lparr #1 \rparr}
-\newcommand{\dtt}{\mathord.}
-
-\newcommand\lbrakk{\mathopen{[\![}}
-\newcommand\rbrakk{\mathclose{]\!]}}
-\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
-\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
-\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
-\newcommand{\Text}[1]{\mbox{#1}}
-
-\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
-\newcommand{\dsh}{\mathit{\dshsym}}
-
-\let\int=\cap
-\let\un=\cup
-\let\inter=\bigcap
-\let\union=\bigcup
-
-\def\ML{{\sc ml}}
-\def\AST{{\sc ast}}
-
-%macros to change the treatment of symbols
-\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
-\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
-\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
-
-%redefinition of \sloppy and \fussy to use \emergencystretch
-\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
-\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
-
-%non-bf version of description
-\def\descrlabel#1{\hspace\labelsep #1}
-\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
-\let\enddescr\endlist
-
-% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
-% generate text italic rather than math italic by default. This makes
-% multi-letter identifiers look better. The mathcode for character c
-% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
-%
-\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
-\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
- \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
- \advance\count0 by1 \advance\count1 by1 \repeat}}
-\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
-\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
Binary file doc-src/TutorialI/document/typedef.pdf has changed
--- a/doc-src/TutorialI/document/typedef.ps Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2461 +0,0 @@
-%!PS-Adobe-3.0
-%%Title: (new.pdf)
-%%Version: 1 3
-%%DocumentData: Clean7Bit
-%%LanguageLevel: 2
-%%BoundingBox: 155 328 457 464
-%%Pages: 1
-%%DocumentProcessColors: (atend)
-%%DocumentSuppliedResources: (atend)
-%%EndComments
-%%BeginDefaults
-%%EndDefaults
-%%BeginProlog
-%%EndProlog
-%%BeginSetup
-%%BeginResource: l2check
-%%Copyright: Copyright 1993 Adobe Systems Incorporated. All Rights Reserved.
-systemdict /languagelevel known
-{ systemdict /languagelevel get 1 eq }
-{ true }
-ifelse
-{
-initgraphics /Helvetica findfont 18 scalefont setfont
-72 600 moveto (Error: Your printer driver needs to be configured) dup show
-72 580 moveto (for printing to a PostScript Language Level 1 printer.) dup show
-exch = =
-/Helvetica-Bold findfont 16 scalefont setfont
-72 520 moveto (Windows and Unix) show
-/Times-Roman findfont 16 scalefont setfont
-72 500 moveto (Select ªLanguage Level 1º in the PostScript options section) show
-72 480 moveto (of the Acrobat print dialog.) show
-/Helvetica-Bold findfont 16 scalefont setfont
-72 440 moveto (Macintosh) show
-/Times-Roman findfont 16 scalefont setfont
-72 420 moveto (In the Chooser, select your printer driver.) show
-72 400 moveto (Then select your printer and click the Setup button.) show
-72 380 moveto (Follow any on-screen dialogs that may appear.) show
-showpage
-quit
-}
-if
-%%EndResource
-/currentpacking where{pop currentpacking true setpacking}if
-%%BeginResource: procset pdfvars
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Version: 4.0 2
-%%Title: definition of dictionary of variables used by PDF & PDFText procsets
-userdict /PDF 160 dict put
-userdict /PDFVars 86 dict dup begin put
-/_save 0 def
-/_cshow 0 def
-/InitAll 0 def
-/TermAll 0 def
-/DocInitAll 0 def
-/DocTermAll 0 def
-/_lp /none def
-/_doClip 0 def
-/sfc 0 def
-/_sfcs 0 def
-/_sfc 0 def
-/ssc 0 def
-/_sscs 0 def
-/_ssc 0 def
-/_fcs 0 def
-/_scs 0 def
-/_fp 0 def
-/_sp 0 def
-/AGM_MAX_CS_COMPONENTS 10 def
-/_fillColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
-/_strokeColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
-/_fc null def
-/_sc null def
-/DefaultGray [/DeviceGray] def
-/DefaultRGB [/DeviceRGB] def
-/DefaultCMYK [/DeviceCMYK] def
-/_inT false def
-/_tr -1 def
-/_rise 0 def
-/_ax 0 def
-/_cx 0 def
-/_ld 0 def
-/_tm matrix def
-/_ctm matrix def
-/_mtx matrix def
-/_hy (-) def
-/_fScl 0 def
-/_hs 1 def
-/_pdfEncodings 2 array def
-/_baselineadj 0 def
-/_fTzero false def
-/_Tj 0 def
-/_italMtx [1 0 .212557 1 0 0] def
-/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
-/_italMtxType0 [1 0 .1062785 1 0 0] def
-/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
-/_basefont 0 def
-/_basefonto 0 def
-/_pdf_oldCIDInit null def
-/_pdf_FontDirectory 30 dict def
-/_categories 10 dict def
-/_sa? true def
-/_op? false def
-/_OP? false def
-/_opmode 0 def
-/_ColorSep5044? false def
-/_tmpcolr? [] def
-/_tmpop? {} def
-/_processColors 0 def
-/_defaulttransfer currenttransfer def
-/_defaultflatness currentflat def
-/_defaulthalftone null def
-/_defaultcolortransfer null def
-/_defaultblackgeneration null def
-/_defaultundercolorremoval null def
-/_defaultcolortransfer null def
-end
-%%EndResource
-PDFVars begin PDF begin
-%%BeginResource: procset pdfutil
-%%Copyright: Copyright 1993-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Version: 4.0 2
-%%Title: Basic utilities used by other PDF procsets
-/bd {bind def} bind def
-/ld {load def} bd
-/bld {
-dup length dict begin
-{ null def } forall
-bind
-end
-def
-} bd
-/dd { PDFVars 3 1 roll put } bd
-/xdd { exch dd } bd
-/Level2?
-systemdict /languagelevel known
-{ systemdict /languagelevel get 2 ge } { false } ifelse
-def
-/Level3?
-systemdict /languagelevel known
-{systemdict /languagelevel get 3 eq } { false } ifelse
-def
-/getifknown {
-2 copy known { get true } { pop pop false } ifelse
-} bd
-/here {
-currentdict exch getifknown
-} bd
-/isdefined? { where { pop true } { false } ifelse } bd
-/StartLoad { dup dup not { /_save save dd } if } bd
-/EndLoad { if not { _save restore } if } bd
-%%EndResource
-%%BeginResource: procset pdf
-%%Version: 4.0 3
-%%Copyright: Copyright 1998-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: General operators for PDF, common to all Language Levels.
-[/b/B/b*/B*/BDC/BI/BMC/BT/BX/c/cm/cs/CS/d/d0/d1/Do/DP/EI/EMC/ET/EX/f/f*/g/G/gs
-/h/i/j/J/k/K/l/m/M/MP/n/q/Q/re/rg/RG/ri/s/S/sc/SC/scn/SCN/sg/Tc/Td/TD/Tf/Tj/TJ
-/TL/Tm/Tr/Ts/Tw/Tz/T*/v/w/W/W*/y/'/"
-/applyInterpFunc/applystitchFunc/domainClip/EF/encodeInput/gsDI/ilp/icl
-/initgs/int/limit/PS/rangeClip/RC/rf/makePat/csfamily
-/? /! /| /: /+ /GetGlyphDirectory
-] {null def} bind forall
-/v { currentpoint 6 2 roll c } bd
-/y { 2 copy c } bd
-/h/closepath ld
-/d/setdash ld
-/j/setlinejoin ld
-/J/setlinecap ld
-/M/setmiterlimit ld
-/w/setlinewidth ld
-/i {
-dup 0 eq { pop _defaultflatness } if
-setflat
-} bd
-/gsDI {
-begin
-/OP here { /_OP? xdd } if
-/op here { /_op? xdd }
-{ /OP here { /_op? xdd } if }
-ifelse
-/OPM here { /_opmode xdd } if
-/Font here { aload pop Tf } if
-/LW here { w } if
-/LC here { J } if
-/LJ here { j } if
-/ML here { M } if
-/D here { aload pop d } if
-end
-} bd
-/ilp { /_lp /none dd } bd
-/icl { /_doClip 0 dd } bd
-/W { /_doClip 1 dd } bd
-/W* { /_doClip 2 dd } bd
-/n {
-{{} {clip} {eoclip}} _doClip get exec
-icl
-newpath
-} bd
-/s { h S } bd
-/B { q f Q S } bd
-/B* { q f* Q S } bd
-/b { h B } bd
-/b* { h B* } bd
-/q/save ld
-/Q { restore ilp } bd
-/GetCSFamily {
-dup type /arraytype eq {0 get} if
-} bd
-/GetCompsDict
-11 dict begin
-/DeviceGray { pop 1 } bd
-/DeviceRGB { pop 3 } bd
-/DeviceCMYK { pop 4 } bd
-/CIEBasedA { pop 1 } bd
-/CIEBasedABC { pop 3 } bd
-/CIEBasedDEF { pop 3 } bd
-/CIEBasedDEFG { pop 4 } bd
-/DeviceN { 1 get length } bd
-/Separation { pop 1 } bd
-/Indexed { pop 1 } bd
-/Pattern { pop 0 } bd
-currentdict
-end
-def
-/GetComps {
-GetCompsDict
-1 index GetCSFamily
-get exec
-} bd
-/cs
-{
-dup _fcs eq
-{ pop }
-{ dup /_fcs xdd
-GetComps
-_fillColors exch get
-/_fc xdd
-/_fp null dd
-} ifelse
-} bd
-/CS
-{
-dup _scs eq
-{ pop }
-{ dup /_scs xdd GetComps _strokeColors exch get /_sc xdd /_sp null dd }
-ifelse
-} bd
-/sc {
-_fc astore pop
-ilp
-} bd
-/SC {
-_sc astore pop
-ilp
-} bd
-/g { DefaultGray cs sc } bd
-/rg { DefaultRGB cs sc } bd
-/k { DefaultCMYK cs sc } bd
-/G { DefaultGray CS SC } bd
-/RG { DefaultRGB CS SC } bd
-/K { DefaultCMYK CS SC } bd
-/cm { _mtx astore concat } bd
-/re {
-4 2 roll m
-1 index 0 rlineto
-0 exch rlineto
-neg 0 rlineto
-h
-} bd
-/RC/rectclip ld
-/EF/execform ld
-/PS { cvx exec } bd
-/initgs {
-/DefaultGray [/DeviceGray] dd
-/DefaultRGB [/DeviceRGB] dd
-/DefaultCMYK [/DeviceCMYK] dd
-0 g 0 G
-[] 0 d
-0 j
-0 J
-10 M
-1 w
-true setSA
-/_op? false dd
-/_OP? false dd
-/_opmode 0 dd
-/_defaulttransfer load settransfer
-0 i
-/RelativeColorimetric ri
-newpath
-} bd
-/int {
-dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
-exch pop add exch pop
-} bd
-/limit {
-dup 2 index le { exch } if pop
-dup 2 index ge { exch } if pop
-} bd
-/domainClip {
-Domain aload pop 3 2 roll
-limit
-} [/Domain] bld
-/applyInterpFunc {
-0 1 DimOut 1 sub
-{
-dup C0 exch get exch
-dup C1 exch get exch
-3 1 roll
-1 index sub
-3 index
-N exp mul add
-exch
-currentdict /Range_lo known
-{
-dup Range_lo exch get exch
-Range_hi exch get
-3 2 roll limit
-}
-{
-pop
-}
-ifelse
-exch
-} for
-pop
-} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
-/encodeInput {
-NumParts 1 sub
-0 1 2 index
-{
-dup Bounds exch get
-2 index gt
-{ exit }
-{ dup
-3 index eq
-{ exit }
-{ pop } ifelse
-} ifelse
-} for
-3 2 roll pop
-dup Bounds exch get exch
-dup 1 add Bounds exch get exch
-2 mul
-dup Encode exch get exch
-1 add Encode exch get
-int
-} [/NumParts /Bounds /Encode] bld
-/rangeClip {
-exch dup Range_lo exch get
-exch Range_hi exch get
-3 2 roll
-limit
-} [/Range_lo /Range_hi] bld
-/applyStitchFunc {
-Functions exch get exec
-currentdict /Range_lo known {
-0 1 DimOut 1 sub {
-DimOut 1 add -1 roll
-rangeClip
-} for
-} if
-} [/Functions /Range_lo /DimOut] bld
-%%EndResource
-%%BeginResource: procset pdflev2
-%%Version: 4.0 5
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%LanguageLevel: 2
-%%Title: PDF operators, with code specific for Level 2
-/_defaulthalftone currenthalftone dd
-/_defaultblackgeneration currentblackgeneration dd
-/_defaultundercolorremoval currentundercolorremoval dd
-/_defaultcolortransfer [currentcolortransfer] dd
-/initialize {
-_defaulthalftone sethalftone
-/_defaultblackgeneration load setblackgeneration
-/_defaultundercolorremoval load setundercolorremoval
-_defaultcolortransfer aload pop setcolortransfer
-false setoverprint
-<</MaxFormItem 0>> setuserparams
-} bd
-/terminate { } bd
-/m/moveto ld
-/l/lineto ld
-/c/curveto ld
-/setSA/setstrokeadjust ld
-/defineRes/defineresource ld
-/findRes/findresource ld
-currentglobal
-true systemdict /setglobal get exec
-[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource]
-{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
-forall
-systemdict /setglobal get exec
-/ri
-{
-/findcolorrendering isdefined?
-{
-mark exch
-findcolorrendering
-counttomark 2 eq
-{ type /booleantype eq
-{ dup type /nametype eq
-{ dup /ColorRendering resourcestatus
-{ pop pop
-dup /DefaultColorRendering ne
-{
-/ColorRendering findresource
-setcolorrendering
-} if
-} if
-} if
-} if
-} if
-cleartomark
-}
-{ pop
-} ifelse
-} bd
-/_sfcs {_fcs setcolorspace} bind dd
-/_sscs {_scs setcolorspace} bind dd
-/_sfc
-{
-_fc aload pop
-_fp null eq
-{ setcolor }
-{ _fp setpattern }
-ifelse
-} bind dd
-/_ssc
-{
-_sc aload pop
-_sp null eq { setcolor} { _sp setpattern } ifelse
-} bind dd
-/scn {
-dup type /dicttype eq
-{ dup /_fp xdd
-/PaintType get 1 eq
-{ /_fc _fillColors 0 get dd ilp }
-{ /_fc _fillColors
-_fcs 1 get
-GetComps get dd
-sc
-}
-ifelse
-}
-{ sc }
-ifelse
-} bd
-/SCN {
-dup type /dicttype eq
-{ dup /_sp xdd
-/PaintType get 1 eq
-{ /_sc _strokeColors 0 get dd ilp }
-{ /_sc _strokeColors _scs 1 get GetComps get dd
-SC
-}
-ifelse
-}
-{ SC }
-ifelse
-} bd
-/gs
-{
-begin
-/SA here { setstrokeadjust } if
-/BG here { setblackgeneration } if
-/UCR here { setundercolorremoval } if
-/FL here { i } if
-/RI here { ri } if
-/TR here
-{
-dup xcheck
-{ settransfer }
-{ aload pop setcolortransfer }
-ifelse
-} if
-/sethalftonephase isdefined? { /HTP here { sethalftonephase } if } if
-/HT here { sethalftone } if
-currentdict gsDI
-end
-} bd
-/sfc {
-_op? setoverprint
-_lp /fill ne {
-_sfcs
-_sfc
-/_lp /fill dd
-} if
-} dd
-/ssc {
-_OP? setoverprint
-_lp /stroke ne {
-_sscs
-_ssc
-/_lp /stroke dd
-} if
-} dd
-/f {
-{ { sfc fill }
-{gsave sfc fill grestore clip newpath icl ilp}
-{gsave sfc fill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/f* {
-{ { sfc eofill }
-{gsave sfc eofill grestore clip newpath icl ilp}
-{gsave sfc eofill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/S {
-{ { ssc stroke }
-{gsave ssc stroke grestore clip newpath icl ilp}
-{gsave ssc stroke grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/rf {
-{ { sfc rectfill }
-{gsave sfc rectfill grestore clip newpath icl ilp}
-{gsave sfc rectfill grestore eoclip newpath icl ilp}
-} _doClip get exec
-} bd
-/knownColorants? {
-pop false
-} bd
-/makePat {
-gsave
-dup /Matrix get concat
-matrix makepattern
-grestore
-/MadePattern defineRes pop
-} bd
-%%EndResource
-%%BeginResource: procset spots
-%%Version: 4.0 1
-%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: Predefined (named) spot functions for PDF
-21 dict dup begin
-/CosineDot
-{ 180 mul cos exch 180 mul cos add 2 div } bd
-/Cross
-{ abs exch abs 2 copy gt { exch } if pop neg } bd
-/Diamond
-{ abs exch abs 2 copy add .75 le
-{ dup mul exch dup mul add 1 exch sub }
-{ 2 copy add 1.23 le
-{ .85 mul add 1 exch sub }
-{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
-ifelse }
-ifelse } bd
-/Double
-{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add } bd
-/DoubleDot
-{ 2 { 360 mul sin 2 div exch } repeat add } bd
-/Ellipse
-{ abs exch abs 2 copy 3 mul exch 4 mul add 3 sub dup 0 lt
-{ pop dup mul exch .75 div dup mul add 4 div
-1 exch sub }
-{ dup 1 gt
-{pop 1 exch sub dup mul exch 1 exch sub
-.75 div dup mul add 4 div 1 sub }
-{ .5 exch sub exch pop exch pop }
-ifelse }
-ifelse } bd
-/EllipseA
-{ dup mul .9 mul exch dup mul add 1 exch sub } bd
-/EllipseB
-{ dup 5 mul 8 div mul exch dup mul exch add sqrt 1 exch sub } bd
-/EllipseC
-{ dup mul exch dup mul .9 mul add 1 exch sub } bd
-/InvertedDouble
-{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add neg } bd
-/InvertedDoubleDot
-{ 2 { 360 mul sin 2 div exch } repeat add neg } bd
-/InvertedEllipseA
-{ dup mul .9 mul exch dup mul add 1 sub } bd
-/InvertedEllipseC
-{ dup mul exch dup mul .9 mul add 1 sub } bd
-/InvertedSimpleDot
-{ dup mul exch dup mul add 1 sub } bd
-/Line
-{ exch pop abs neg } bd
-/LineX
-{ pop } bd
-/LineY
-{ exch pop } bd
-/Rhomboid
-{ abs exch abs 0.9 mul add 2 div } bd
-/Round
-{ abs exch abs 2 copy add 1 le
-{ dup mul exch dup mul add 1 exch sub }
-{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
-ifelse } bd
-/SimpleDot
-{ dup mul exch dup mul add 1 exch sub } bd
-/Square
-{ abs exch abs 2 copy lt { exch } if pop neg } bd
-end
-{ /Function defineRes pop } forall
-%%EndResource
-%%BeginResource: procset pdftext
-%%Version: 4.0 2
-%%Copyright: Copyright 1987-1998 Adobe Systems Incorporated. All Rights Reserved.
-%%Title: Text operators for PDF
-PDF /PDFText 75 dict dup begin put
-/docinitialize
-{
-/resourcestatus where {
-pop
-/CIDParams /ProcSet resourcestatus {
-pop pop
-false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
-} if
-} if
-PDF begin
-PDFText /_pdfDefineIdentity-H known
-{ PDFText /_pdfDefineIdentity-H get exec}
-if
-end
-} bd
-/initialize {
-PDFText begin
-/_intT false dd
-0 Tr
-} bd
-/terminate { end } bd
-/_safeput
-{
-Level2? not
-{
-2 index load dup dup length exch maxlength ge
-{ dup length 5 add dict copy
-3 index xdd
-}
-{ pop }
-ifelse
-}
-if
-3 -1 roll load 3 1 roll put
-}
-bd
-/pdf_has_composefont? systemdict /composefont known def
-/CopyFont {
-{
-1 index /FID ne 2 index /UniqueID ne and
-{ def } { pop pop } ifelse
-} forall
-} bd
-/Type0CopyFont
-{
-exch
-dup length dict
-begin
-CopyFont
-[
-exch
-FDepVector
-{
-dup /FontType get 0 eq
-{
-1 index Type0CopyFont
-/_pdfType0 exch definefont
-}
-{
-/_pdfBaseFont exch
-2 index exec
-}
-ifelse
-exch
-}
-forall
-pop
-]
-/FDepVector exch def
-currentdict
-end
-} bd
-/cHexEncoding
-[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
-/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
-/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
-/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
-/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
-/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
-/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
-/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
-/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
-/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
-/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
-/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
-/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
-/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
-/modEnc {
-/_enc xdd
-/_icode 0 dd
-counttomark 1 sub -1 0
-{
-index
-dup type /nametype eq
-{
-_enc _icode 3 -1 roll put
-_icode 1 add
-}
-if
-/_icode xdd
-} for
-cleartomark
-_enc
-} bd
-/trEnc {
-/_enc xdd
-255 -1 0 {
-exch dup -1 eq
-{ pop /.notdef }
-{ Encoding exch get }
-ifelse
-_enc 3 1 roll put
-} for
-pop
-_enc
-} bd
-/TE {
-/_i xdd
-StandardEncoding 256 array copy modEnc
-_pdfEncodings exch _i exch put
-} bd
-/TZ
-{
-/_usePDFEncoding xdd
-findfont
-dup length 6 add dict
-begin
-{
-1 index /FID ne { def } { pop pop } ifelse
-} forall
-/pdf_origFontName FontName def
-/FontName exch def
-_usePDFEncoding 0 ge
-{
-/Encoding _pdfEncodings _usePDFEncoding get def
-pop
-}
-{
-_usePDFEncoding -1 eq
-{
-counttomark 0 eq
-{ pop }
-{
-Encoding 256 array copy
-modEnc /Encoding exch def
-}
-ifelse
-}
-{
-256 array
-trEnc /Encoding exch def
-}
-ifelse
-}
-ifelse
-pdf_EuroProcSet pdf_origFontName known
-{
-pdf_origFontName pdf_AddEuroGlyphProc
-} if
-FontName currentdict
-end
-definefont pop
-}
-bd
-/Level2?
-systemdict /languagelevel known
-{systemdict /languagelevel get 2 ge}
-{false}
-ifelse
-def
-Level2?
-{
-/_pdfFontStatus
-{
-currentglobal exch
-/Font resourcestatus
-{pop pop true}
-{false}
-ifelse
-exch setglobal
-} bd
-}
-{
-/_pdfFontStatusString 50 string def
-_pdfFontStatusString 0 (fonts/) putinterval
-/_pdfFontStatus
-{
-FontDirectory 1 index known
-{ pop true }
-{
-_pdfFontStatusString 6 42 getinterval
-cvs length 6 add
-_pdfFontStatusString exch 0 exch getinterval
-{ status } stopped
-{pop false}
-{
-{ pop pop pop pop true}
-{ false }
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-ifelse
-Level2?
-{
-/_pdfCIDFontStatus
-{
-/CIDFont /Category resourcestatus
-{
-pop pop
-/CIDFont resourcestatus
-{pop pop true}
-{false}
-ifelse
-}
-{ pop false }
-ifelse
-} bd
-}
-if
-/_pdfString100 100 string def
-/_pdfComposeFontName
-{
-dup length 1 eq
-{
-0 get
-1 index
-type /nametype eq
-{
-_pdfString100 cvs
-length dup dup _pdfString100 exch (-) putinterval
-_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
-2 index exch cvs length
-add 1 add _pdfString100 exch 0 exch getinterval
-exch pop
-true
-}
-{
-pop pop
-false
-}
-ifelse
-}
-{
-false
-}
-ifelse
-dup {exch cvn exch} if
-} bd
-/_pdfConcatNames
-{
-exch
-_pdfString100 cvs
-length dup dup _pdfString100 exch (-) putinterval
-_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
-3 -1 roll exch cvs length
-add 1 add _pdfString100 exch 0 exch getinterval
-cvn
-} bind def
-/_pdfTextTempString 50 string def
-/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
-/_pdf_CheckSupplements
-{
-1 index _pdfTextTempString cvs
-false
-_pdfRegOrderingArray
-{
-2 index exch
-anchorsearch
-{ pop pop pop true exit}
-{ pop }
-ifelse
-}
-forall
-exch pop
-{
-/CIDFont findresource
-/CIDSystemInfo get /Supplement get
-exch /CMap findresource
-/CIDSystemInfo get
-dup type /dicttype eq
-{/Supplement get}
-{pop 0 }
-ifelse
-ge
-}
-{ pop pop true }
-ifelse
-} bind def
-pdf_has_composefont?
-{
-/_pdfComposeFont
-{
-2 copy _pdfComposeFontName not
-{
-2 index
-}
-if
-(pdf) exch _pdfConcatNames
-dup _pdfFontStatus
-{ dup findfont 5 2 roll pop pop pop true}
-{
-4 1 roll
-1 index /CMap resourcestatus
-{
-pop pop
-true
-}
-{false}
-ifelse
-1 index true exch
-{
-_pdfCIDFontStatus not
-{pop false exit}
-if
-}
-forall
-and
-{
-1 index 1 index 0 get _pdf_CheckSupplements
-{
-3 -1 roll pop
-2 index 3 1 roll
-composefont true
-}
-{
-pop pop exch pop false
-}
-ifelse
-}
-{
-_pdfComposeFontName
-{
-dup _pdfFontStatus
-{
-exch pop
-1 index exch
-findfont definefont true
-}
-{
-pop exch pop
-false
-}
-ifelse
-}
-{
-exch pop
-false
-}
-ifelse
-}
-ifelse
-{ true }
-{
-dup _pdfFontStatus
-{ dup findfont true }
-{ pop false }
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-{
-/_pdfComposeFont
-{
-_pdfComposeFontName not
-{
-dup
-}
-if
-dup
-_pdfFontStatus
-{exch pop dup findfont true}
-{
-1 index
-dup type /nametype eq
-{pop}
-{cvn}
-ifelse
-eq
-{pop false}
-{
-dup _pdfFontStatus
-{dup findfont true}
-{pop false}
-ifelse
-}
-ifelse
-}
-ifelse
-} bd
-}
-ifelse
-/_pdfStyleDicts 4 dict dup begin
-/Adobe-Japan1 4 dict dup begin
-Level2?
-{
-/Serif
-/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiMin-W3}
-{
-/HeiseiMin-W3 _pdfCIDFontStatus
-{/HeiseiMin-W3}
-{/Ryumin-Light}
-ifelse
-}
-ifelse
-def
-/SansSerif
-/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiKakuGo-W5}
-{
-/HeiseiKakuGo-W5 _pdfCIDFontStatus
-{/HeiseiKakuGo-W5}
-{/GothicBBB-Medium}
-ifelse
-}
-ifelse
-def
-/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
-{/HeiseiMaruGo-W4}
-{
-/HeiseiMaruGo-W4 _pdfCIDFontStatus
-{/HeiseiMaruGo-W4}
-{
-/Jun101-Light-RKSJ-H _pdfFontStatus
-{ /Jun101-Light }
-{ SansSerif }
-ifelse
-}
-ifelse
-}
-ifelse
-/RoundSansSerif exch def
-/Default Serif def
-}
-{
-/Serif /Ryumin-Light def
-/SansSerif /GothicBBB-Medium def
-{
-(fonts/Jun101-Light-83pv-RKSJ-H) status
-}stopped
-{pop}{
-{ pop pop pop pop /Jun101-Light }
-{ SansSerif }
-ifelse
-/RoundSansSerif exch def
-}ifelse
-/Default Serif def
-}
-ifelse
-end
-def
-/Adobe-Korea1 4 dict dup begin
-/Serif /HYSMyeongJo-Medium def
-/SansSerif /HYGoThic-Medium def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-/Adobe-GB1 4 dict dup begin
-/Serif /STSong-Light def
-/SansSerif /STHeiti-Regular def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-/Adobe-CNS1 4 dict dup begin
-/Serif /MKai-Medium def
-/SansSerif /MHei-Medium def
-/RoundSansSerif SansSerif def
-/Default Serif def
-end
-def
-end
-def
-/TZzero
-{
-/_fyAdj xdd
-/_wmode xdd
-/_styleArr xdd
-/_regOrdering xdd
-3 copy
-_pdfComposeFont
-{
-5 2 roll pop pop pop
-}
-{
-[
-0 1 _styleArr length 1 sub
-{
-_styleArr exch get
-_pdfStyleDicts _regOrdering 2 copy known
-{
-get
-exch 2 copy known not
-{ pop /Default }
-if
-get
-}
-{
-pop pop pop /Unknown
-}
-ifelse
-}
-for
-]
-exch pop
-2 index 3 1 roll
-_pdfComposeFont
-{3 -1 roll pop}
-{
-findfont dup /FontName get exch
-}
-ifelse
-}
-ifelse
-dup /WMode 2 copy known
-{ get _wmode ne }
-{ pop pop _wmode 1 eq}
-ifelse
-_fyAdj 0 ne or
-{
-exch _wmode _pdfConcatNames _fyAdj _pdfConcatNames
-dup _pdfFontStatus
-{ exch pop dup findfont false}
-{ exch true }
-ifelse
-}
-{
-dup /FontType get 0 ne
-}
-ifelse
-{
-dup /FontType get 3 eq _wmode 1 eq and
-{
-_pdfVerticalRomanT3Font dup length 10 add dict copy
-begin
-/_basefont exch
-dup length 3 add dict
-begin
-{1 index /FID ne {def}{pop pop} ifelse }
-forall
-/Encoding Encoding dup length array copy
-dup 16#27 /quotesingle put
-dup 16#60 /grave put
-_regOrdering /Adobe-Japan1 eq
-{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
-if
-def
-FontName
-currentdict
-end
-definefont
-def
-/Encoding _basefont /Encoding get def
-/_fauxfont true def
-}
-{
-dup length 3 add dict
-begin
-{1 index /FID ne {def}{pop pop} ifelse }
-forall
-FontType 0 ne
-{
-/Encoding Encoding dup length array copy
-dup 16#27 /quotesingle put
-dup 16#60 /grave put
-_regOrdering /Adobe-Japan1 eq
-{dup 16#5c /yen put}
-if
-def
-/_fauxfont true def
-} if
-} ifelse
-/WMode _wmode def
-/BaseLineAdj _fyAdj def
-dup dup /FontName exch def
-currentdict
-end
-definefont pop
-}
-{
-pop
-}
-ifelse
-/_pdf_FontDirectory 3 1 roll _safeput
-}
-bd
-/swj {
-dup 4 1 roll
-dup length exch stringwidth
-exch 5 -1 roll 3 index mul add
-4 1 roll 3 1 roll mul add
-6 2 roll /_cnt 0 dd
-{1 index eq {/_cnt _cnt 1 add dd} if} forall pop
-exch _cnt mul exch _cnt mul 2 index add 4 1 roll 2 index add 4 1 roll pop pop
-} bd
-/jss {
-4 1 roll
-{
-pop pop
-(0) exch 2 copy 0 exch put
-gsave
-exch false charpath currentpoint
-5 index setmatrix stroke
-3 -1 roll
-32 eq
-{
-moveto
-5 index 5 index rmoveto currentpoint
-}
-if
-grestore
-moveto
-2 copy rmoveto
-} exch cshow
-6 {pop} repeat
-} def
-/jsfTzero {
-{
-pop pop
-(0) exch 2 copy 0 exch put
-exch show
-32 eq
-{
-4 index 4 index rmoveto
-}
-if
-2 copy rmoveto
-} exch cshow
-5 {pop} repeat
-} def
-/jsp
-{
-{
-pop pop
-(0) exch 2 copy 0 exch put
-32 eq
-dup {currentfont /Encoding get dup length 33 ge
-{32 get /space eq and}{pop}ifelse
-}if
-{ exch 5 index 5 index 5 index 5 -1 roll widthshow }
-{ false charpath }
-ifelse
-2 copy rmoveto
-} exch cshow
-5 {pop} repeat
-} bd
-/trj { _cx 0 fWModeProc 32 _ax 0 fWModeProc 6 5 roll } bd
-/pjsf { trj sfc fawidthshowProc } bd
-/pjss { trj _ctm ssc jss } bd
-/pjsc { trj jsp } bd
-/_Tjdef [
-/pjsf load
-/pjss load
-{
-dup
-currentpoint 3 2 roll
-pjsf
-newpath moveto
-pjss
-} bind
-{
-trj swj rmoveto
-} bind
-{
-dup currentpoint 4 2 roll gsave
-pjsf
-grestore 3 1 roll moveto
-pjsc
-} bind
-{
-dup currentpoint 4 2 roll
-currentpoint gsave newpath moveto
-pjss
-grestore 3 1 roll moveto
-pjsc
-} bind
-{
-dup currentpoint 4 2 roll gsave
-dup currentpoint 3 2 roll
-pjsf
-newpath moveto
-pjss
-grestore 3 1 roll moveto
-pjsc
-} bind
-/pjsc load
-] def
-/BT
-{
-/_inT true dd
-_ctm currentmatrix pop matrix _tm copy pop
-0 _rise _baselineadj add translate _hs 1 scale
-0 0 moveto
-} bd
-/ET
-{
-/_inT false dd
-_tr 3 gt {clip} if
-_ctm setmatrix newpath
-} bd
-/Tr {
-_inT { _tr 3 le {currentpoint newpath moveto} if } if
-dup /_tr xdd
-_Tjdef exch get /_Tj xdd
-} bd
-/Tj {
-userdict /$$copystring 2 index put
-_Tj
-} bd
-/iTm { _ctm setmatrix _tm concat 0 _rise _baselineadj add translate _hs 1 scale } bd
-/Tm { _tm astore pop iTm 0 0 moveto } bd
-/Td { _mtx translate _tm _tm concatmatrix pop iTm 0 0 moveto } bd
-/TD { dup /_ld xdd Td } bd
-/_nullProc {} bd
-/Tf {
-dup 1000 div /_fScl xdd
-_pdf_FontDirectory 2 index 2 copy known
-{get exch 3 -1 roll pop}
-{pop pop}
-ifelse
-Level2?
-{ selectfont }
-{ exch findfont exch scalefont setfont}
-ifelse
-currentfont dup
-/_nullProc exch
-/WMode known
-{
-1 index /WMode get 1 eq
-{pop /exch}
-if
-}
-if
-load /fWModeProc xdd
-dup
-/FontType get 0 eq dup _cx 0 ne and
-{ /jsfTzero }
-{ /awidthshow }
-ifelse
-load /fawidthshowProc xdd
-/_fTzero xdd
-dup /BaseLineAdj known
-{ dup /BaseLineAdj get _fScl mul }
-{ 0 }
-ifelse
-/_baselineadj xdd
-dup /_pdfT3Font known
-{ 0 }
-{_tr}
-ifelse
-_Tjdef exch get /_Tj xdd
-_intT
-{currentpoint iTm moveto}
-if
-pop
-} bd
-/TL { neg /_ld xdd } bd
-/Tw {
-/_cx xdd
-_cx 0 ne _fTzero and
-{ /jsfTzero }
-{ /awidthshow }
-ifelse
-load /fawidthshowProc xdd
-} bd
-/Tc { /_ax xdd } bd
-/Ts { /_rise xdd currentpoint iTm moveto } bd
-/Tz { 100 div /_hs xdd iTm } bd
-/Tk { exch pop _fScl mul neg 0 fWModeProc rmoveto } bd
-/T* { 0 _ld Td } bd
-/' { T* Tj } bd
-/" { exch Tc exch Tw ' } bd
-/TJ {
-{
-dup type /stringtype eq
-{ Tj }
-{ 0 exch Tk }
-ifelse
-} forall
-} bd
-/T- { _hy Tj } bd
-/d0/setcharwidth ld
-/d1 { setcachedevice /sfc{}dd /ssc{}dd } bd
-/nND {{/.notdef} repeat} bd
-/T3Defs {
-/BuildChar
-{
-1 index /Encoding get exch get
-1 index /BuildGlyph get exec
-}
-def
-/BuildGlyph {
-exch begin
-GlyphProcs exch get exec
-end
-} def
-/_pdfT3Font true def
-} bd
-/_pdfBoldRomanWidthProc
-{
-stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
-0 0
-} bd
-/_pdfType0WidthProc
-{
-dup stringwidth 0 0 moveto
-2 index true charpath pathbbox
-0 -1
-7 index 2 div .88
-setcachedevice2
-pop
-0 0
-} bd
-/_pdfType0WMode1WidthProc
-{
-dup stringwidth
-pop 2 div neg -0.88
-2 copy
-moveto
-0 -1
-5 -1 roll true charpath pathbbox
-setcachedevice
-} bd
-/_pdfBoldBaseFont
-11 dict begin
-/FontType 3 def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/Encoding cHexEncoding def
-/_setwidthProc /_pdfBoldRomanWidthProc load def
-/_bcstr1 1 string def
-/BuildChar
-{
-exch begin
-_basefont setfont
-_bcstr1 dup 0 4 -1 roll put
-dup
-_setwidthProc
-3 copy
-moveto
-show
-_basefonto setfont
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-pdf_has_composefont?
-{
-/_pdfBoldBaseCIDFont
-11 dict begin
-/CIDFontType 1 def
-/CIDFontName /_pdfBoldBaseCIDFont def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/_setwidthProc /_pdfType0WidthProc load def
-/_bcstr2 2 string def
-/BuildGlyph
-{
-exch begin
-_basefont setfont
-_bcstr2 1 2 index 256 mod put
-_bcstr2 0 3 -1 roll 256 idiv put
-_bcstr2 dup _setwidthProc
-3 copy
-moveto
-show
-_basefonto setfont
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-/_pdfDefineIdentity-H
-{
-/Identity-H /CMap resourcestatus
-{
-pop pop
-}
-{
-/CIDInit/ProcSet findresource begin 12 dict begin
-begincmap
-/CIDSystemInfo
-3 dict begin
-/Registry (Adobe) def
-/Ordering (Identity) def
-/Supplement 0 def
-currentdict
-end
-def
-/CMapName /Identity-H def
-/CMapVersion 1 def
-/CMapType 1 def
-1 begincodespacerange
-<0000> <ffff>
-endcodespacerange
-1 begincidrange
-<0000> <ffff> 0
-endcidrange
-endcmap
-CMapName currentdict/CMap defineresource pop
-end
-end
-} ifelse
-} def
-} if
-/_pdfVerticalRomanT3Font
-10 dict begin
-/FontType 3 def
-/FontMatrix[1 0 0 1 0 0]def
-/FontBBox[0 0 1 1]def
-/_bcstr1 1 string def
-/BuildChar
-{
-exch begin
-_basefont setfont
-_bcstr1 dup 0 4 -1 roll put
-dup
-_pdfType0WidthProc
-moveto
-show
-end
-}bd
-currentdict
-end
-def
-/MakeBoldFont
-{
-dup /ct_SyntheticBold known
-{
-dup length 3 add dict begin
-CopyFont
-/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
-/ct_SyntheticBold true def
-currentdict
-end
-definefont
-}
-{
-dup dup length 3 add dict
-begin
-CopyFont
-/PaintType 2 def
-/StrokeWidth .03 0 FontMatrix idtransform pop def
-/dummybold currentdict
-end
-definefont
-dup /FontType get dup 9 ge exch 11 le and
-{
-_pdfBoldBaseCIDFont
-dup length 3 add dict copy begin
-dup /CIDSystemInfo get /CIDSystemInfo exch def
-/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
-/_basefont exch def
-/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
-/_basefonto exch def
-currentdict
-end
-/CIDFont defineresource
-}
-{
-_pdfBoldBaseFont
-dup length 3 add dict copy begin
-/_basefont exch def
-/_basefonto exch def
-currentdict
-end
-definefont
-}
-ifelse
-}
-ifelse
-} bd
-/MakeBold {
-1 index
-_pdf_FontDirectory 2 index 2 copy known
-{get}
-{exch pop}
-ifelse
-findfont
-dup
-/FontType get 0 eq
-{
-dup /WMode known {dup /WMode get 1 eq }{false} ifelse
-version length 4 ge
-and
-{version 0 4 getinterval cvi 2015 ge }
-{true}
-ifelse
-{/_pdfType0WidthProc}
-{/_pdfType0WMode1WidthProc}
-ifelse
-_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
-{MakeBoldFont} Type0CopyFont definefont
-}
-{
-dup /_fauxfont known not 1 index /SubstMaster known not and
-{
-_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
-MakeBoldFont
-}
-{
-2 index 2 index eq
-{ exch pop }
-{
-dup length dict begin
-CopyFont
-currentdict
-end
-definefont
-}
-ifelse
-}
-ifelse
-}
-ifelse
-pop pop
-dup /dummybold ne
-{/_pdf_FontDirectory exch dup _safeput }
-{ pop }
-ifelse
-}bd
-/MakeItalic {
-_pdf_FontDirectory exch 2 copy known
-{get}
-{exch pop}
-ifelse
-dup findfont
-dup /FontInfo 2 copy known
-{
-get
-/ItalicAngle 2 copy known
-{get 0 eq }
-{ pop pop true}
-ifelse
-}
-{ pop pop true}
-ifelse
-{
-exch pop
-dup /FontType get 0 eq Level2? not and
-{ dup /FMapType get 6 eq }
-{ false }
-ifelse
-{
-dup /WMode 2 copy known
-{
-get 1 eq
-{ _italMtx_WMode1Type0 }
-{ _italMtxType0 }
-ifelse
-}
-{ pop pop _italMtxType0 }
-ifelse
-}
-{
-dup /WMode 2 copy known
-{
-get 1 eq
-{ _italMtx_WMode1 }
-{ _italMtx }
-ifelse
-}
-{ pop pop _italMtx }
-ifelse
-}
-ifelse
-makefont
-dup /FontType get 42 eq Level2? not or
-{
-dup length dict begin
-CopyFont
-currentdict
-end
-}
-if
-1 index exch
-definefont pop
-/_pdf_FontDirectory exch dup _safeput
-}
-{
-pop
-2 copy ne
-{
-/_pdf_FontDirectory 3 1 roll _safeput
-}
-{ pop pop }
-ifelse
-}
-ifelse
-}bd
-/MakeBoldItalic {
-/dummybold exch
-MakeBold
-/dummybold
-MakeItalic
-}bd
-Level2?
-{
-/pdf_CopyDict
-{1 index length add dict copy}
-def
-}
-{
-/pdf_CopyDict
-{
-1 index length add dict
-1 index wcheck
-{ copy }
-{ begin
-{def} forall
-currentdict
-end
-}
-ifelse
-}
-def
-}
-ifelse
-/pdf_AddEuroGlyphProc
-{
-currentdict /CharStrings known
-{
-CharStrings /Euro known not
-{
-dup
-/CharStrings
-CharStrings 1 pdf_CopyDict
-begin
-/Euro pdf_EuroProcSet 4 -1 roll get def
-currentdict
-end
-def
-/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
-/pdf_PathOps /pdf_PathOps load def
-/Symbol eq
-{
-/Encoding Encoding dup length array copy
-dup 160 /Euro put def
-}
-if
-}
-{ pop
-}
-ifelse
-}
-{ pop
-}
-ifelse
-}
-def
-/pdf_PathOps 4 dict dup begin
-/m {moveto} def
-/l {lineto} def
-/c {curveto} def
-/cp {closepath} def
-end
-def
-/pdf_PSBuildGlyph
-{
-gsave
-8 -1 roll pop
-7 1 roll
-currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
-dup 9 1 roll
-{
-currentdict /StrokeWidth 2 copy known
-{
-get 2 div
-5 1 roll
-4 -1 roll 4 index sub
-4 1 roll
-3 -1 roll 4 index sub
-3 1 roll
-exch 4 index add exch
-4 index add
-5 -1 roll pop
-}
-{
-pop pop
-}
-ifelse
-}
-if
-setcachedevice
-pdf_PathOps begin
-exec
-end
-{
-currentdict /StrokeWidth 2 copy known
-{ get }
-{ pop pop 0 }
-ifelse
-setlinewidth stroke
-}
-{
-fill
-}
-ifelse
-grestore
-} def
-/pdf_EuroProcSet 13 dict def
-pdf_EuroProcSet
-begin
-/Courier-Bold
-{
-600 0 6 -12 585 612
-{
-385 274 m
-180 274 l
-179 283 179 293 179 303 c
-179 310 179 316 180 323 c
-398 323 l
-423 404 l
-197 404 l
-219 477 273 520 357 520 c
-409 520 466 490 487 454 c
-487 389 l
-579 389 l
-579 612 l
-487 612 l
-487 560 l
-449 595 394 612 349 612 c
-222 612 130 529 98 404 c
-31 404 l
-6 323 l
-86 323 l
-86 304 l
-86 294 86 284 87 274 c
-31 274 l
-6 193 l
-99 193 l
-129 77 211 -12 359 -12 c
-398 -12 509 8 585 77 c
-529 145 l
-497 123 436 80 356 80 c
-285 80 227 122 198 193 c
-360 193 l
-cp
-600 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Courier-BoldOblique /Courier-Bold load def
-/Courier
-{
-600 0 17 -12 578 584
-{
-17 204 m
-97 204 l
-126 81 214 -12 361 -12 c
-440 -12 517 17 578 62 c
-554 109 l
-501 70 434 43 366 43 c
-266 43 184 101 154 204 c
-380 204 l
-400 259 l
-144 259 l
-144 270 143 281 143 292 c
-143 299 143 307 144 314 c
-418 314 l
-438 369 l
-153 369 l
-177 464 249 529 345 529 c
-415 529 484 503 522 463 c
-522 391 l
-576 391 l
-576 584 l
-522 584 l
-522 531 l
-473 566 420 584 348 584 c
-216 584 122 490 95 369 c
-37 369 l
-17 314 l
-87 314 l
-87 297 l
-87 284 88 272 89 259 c
-37 259 l
-cp
-600 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Courier-Oblique /Courier load def
-/Helvetica
-{
-556 0 24 -19 541 703
-{
-541 628 m
-510 669 442 703 354 703 c
-201 703 117 607 101 444 c
-50 444 l
-25 372 l
-97 372 l
-97 301 l
-49 301 l
-24 229 l
-103 229 l
-124 67 209 -19 350 -19 c
-435 -19 501 25 509 32 c
-509 131 l
-492 105 417 60 343 60 c
-267 60 204 127 197 229 c
-406 229 l
-430 301 l
-191 301 l
-191 372 l
-455 372 l
-479 444 l
-194 444 l
-201 531 245 624 348 624 c
-433 624 484 583 509 534 c
-cp
-556 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Helvetica-Oblique /Helvetica load def
-/Helvetica-Bold
-{
-556 0 12 -19 563 710
-{
-563 621 m
-537 659 463 710 363 710 c
-216 710 125 620 101 462 c
-51 462 l
-12 367 l
-92 367 l
-92 346 l
-92 337 93 328 93 319 c
-52 319 l
-12 224 l
-102 224 l
-131 58 228 -19 363 -19 c
-417 -19 471 -12 517 18 c
-517 146 l
-481 115 426 93 363 93 c
-283 93 254 166 246 224 c
-398 224 l
-438 319 l
-236 319 l
-236 367 l
-457 367 l
-497 462 l
-244 462 l
-259 552 298 598 363 598 c
-425 598 464 570 486 547 c
-507 526 513 517 517 509 c
-cp
-556 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Helvetica-BoldOblique /Helvetica-Bold load def
-/Symbol
-{
-750 0 20 -12 714 685
-{
-714 581 m
-650 645 560 685 465 685 c
-304 685 165 580 128 432 c
-50 432 l
-20 369 l
-116 369 l
-115 356 115 347 115 337 c
-115 328 115 319 116 306 c
-50 306 l
-20 243 l
-128 243 l
-165 97 300 -12 465 -12 c
-560 -12 635 25 685 65 c
-685 155 l
-633 91 551 51 465 51 c
-340 51 238 131 199 243 c
-555 243 l
-585 306 l
-184 306 l
-183 317 182 326 182 336 c
-182 346 183 356 184 369 c
-614 369 l 644 432 l
-199 432 l
-233 540 340 622 465 622 c
-555 622 636 580 685 520 c
-cp
-750 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Bold
-{
-500 0 16 -14 478 700
-{
-367 308 m
-224 308 l
-224 368 l
-375 368 l
-380 414 l
-225 414 l
-230 589 257 653 315 653 c
-402 653 431 521 444 457 c
-473 457 l
-473 698 l
-444 697 l
-441 679 437 662 418 662 c
-393 662 365 700 310 700 c
-211 700 97 597 73 414 c
-21 414 l
-16 368 l
-69 368 l
-69 359 68 350 68 341 c
-68 330 68 319 69 308 c
-21 308 l
-16 262 l
-73 262 l
-91 119 161 -14 301 -14 c
-380 -14 443 50 478 116 c
-448 136 l
-415 84 382 40 323 40 c
-262 40 231 77 225 262 c
-362 262 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-BoldItalic
-{
-500 0 9 -20 542 686
-{
-542 686 m
-518 686 l
-513 673 507 660 495 660 c
-475 660 457 683 384 683 c
-285 683 170 584 122 430 c
-58 430 l
-34 369 l
-105 369 l
-101 354 92 328 90 312 c
-34 312 l
-9 251 l
-86 251 l
-85 238 84 223 84 207 c
-84 112 117 -14 272 -14 c
-326 -14 349 9 381 9 c
-393 9 393 -10 394 -20 c
-420 -20 l
-461 148 l
-429 148 l
-416 109 362 15 292 15 c
-227 15 197 55 197 128 c
-197 162 204 203 216 251 c
-378 251 l
-402 312 l
-227 312 l
-229 325 236 356 241 369 c
-425 369 l
-450 430 l
-255 430 l
-257 435 264 458 274 488 c
-298 561 337 654 394 654 c
-437 654 484 621 484 530 c
-484 516 l
-516 516 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Italic
-{
-500 0 23 -10 595 692
-{
-399 317 m
-196 317 l
-199 340 203 363 209 386 c
-429 386 l
-444 424 l
-219 424 l
-246 514 307 648 418 648 c
-448 648 471 638 492 616 c
-529 576 524 529 527 479 c
-549 475 l
-595 687 l
-570 687 l
-562 674 558 664 542 664 c
-518 664 474 692 423 692 c
-275 692 162 551 116 424 c
-67 424 l
-53 386 l
-104 386 l
-98 363 93 340 90 317 c
-37 317 l
-23 279 l
-86 279 l
-85 266 85 253 85 240 c
-85 118 137 -10 277 -10 c
-370 -10 436 58 488 128 c
-466 149 l
-424 101 375 48 307 48 c
-212 48 190 160 190 234 c
-190 249 191 264 192 279 c
-384 279 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-/Times-Roman
-{
-500 0 10 -12 484 692
-{
-347 298 m
-171 298 l
-170 310 170 322 170 335 c
-170 362 l
-362 362 l
-374 403 l
-172 403 l
-184 580 244 642 308 642 c
-380 642 434 574 457 457 c
-481 462 l
-474 691 l
-449 691 l
-433 670 429 657 410 657 c
-394 657 360 692 299 692 c
-204 692 94 604 73 403 c
-22 403 l
-10 362 l
-70 362 l
-69 352 69 341 69 330 c
-69 319 69 308 70 298 c
-22 298 l
-10 257 l
-73 257 l
-97 57 216 -12 295 -12 c
-364 -12 427 25 484 123 c
-458 142 l
-425 101 384 37 316 37 c
-256 37 189 84 173 257 c
-335 257 l
-cp
-500 0 m
-}
-pdf_PSBuildGlyph
-} def
-end
-currentdict readonly pop end
-%%EndResource
-PDFText begin
-[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
-/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
-/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
-/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
-/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
-/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
-/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
-/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
-/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
-/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
-/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
-/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
-/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
-/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
-/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
-/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
-/hungarumlaut/ogonek/caron
-0 TE
-[1/dotlessi/caron 39/quotesingle 96/grave
-127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
-/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
-/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
-/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
-/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
-/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
-/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
-/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
-/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
-/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
-/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
-/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
-/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
-/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
-/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
-/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
-/ucircumflex/udieresis/yacute/thorn/ydieresis
-1 TE
-end
-currentdict readonly pop
-end end
-/currentpacking where {pop setpacking}if
-PDFVars/DocInitAll{[ PDFText]{/docinitialize get exec}forall }put
-PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
-PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
-PDFVars begin PDF begin
-PDFVars/DocInitAll get exec PDFVars/InitAll get exec
-PDFVars/TermAll get exec end end
-
-%%EndSetup
-%%Page: 1 1
-%%BeginPageSetup
-userdict /pgsave save put
-PDFVars begin PDF begin PDFVars/InitAll get exec
-156 331 translate
-%%BeginResource: font N34
-%!FontType1-1.0: N34
-11 dict begin
-/FontInfo 5 dict dup begin
-/Notice (Copyright \(C\) 1997 American Mathematical Society. All Rights Reserved) def
-/FamilyName (Computer Modern) def
-/FullName (CMTT10) def
-end readonly def
-/FontName /N34 def
-/Encoding 256 array
-0 1 255 {1 index exch /.notdef put} for
-dup 44 /comma put
-dup 48 /zero put
-dup 49 /one put
-dup 50 /two put
-dup 97 /a put
-dup 101 /e put
-dup 104 /h put
-dup 110 /n put
-dup 114 /r put
-dup 116 /t put
-dup 123 /braceleft put
-dup 125 /braceright put
-readonly def
-/FontMatrix [0.001 0 0 0.001 0 0] readonly def
-/FontBBox {-4 -235 731 800} readonly def
-/FontType 1 def
-/PaintType 0 def
-/StrokeWidth 0 def
-currentdict end
-currentfile eexec
-f3e7f93fe0b3c7a88086f982b4b55bdb0f2f559321725d901e33615b89ebc3ed
-b644cbe16c663d6859274d0ce2e86ecfea9f7e1b5970a122f75e9b050df4480e
-56172e8b6a9a7322d8372244fb30b64ec966496b08baae35096817082b1ee90a
-634d662a40353df3516c1402378432ab41d28040059334248c54fc26fbf5fc94
-879f85cd5bfa2b3d6d059c93f11fe5780c1fcf8d5dc00e950018df83ec4928de
-7cec20207ab2cf39abc85a9caa0b0e2c323f501f5962617e99a333fe9738b872
-fcc9a8251b532781309174dc760f25d7636c27db2792bd40f540cb897c86c8fe
-0eda9639093664059ed48c227060d40f39eabac85c47e505de850379e1267e79
-2d6e82c3d67cb2e9f84a7ff7a61df53239fe2625ac170163bf19e528676f0853
-e7abcece7107203958dc0b5bb270a0de82161699a18d4d5b8da383e6c4937d39
-9c20cfb315dd9c8a08d93ee76257cd6a52b6a8800735be153582e40f2f85a432
-7c5527b7e085f60031b66fad2baca496b105ff4cb56629346f3fe9d596a90cd0
-6c125fa5e27179c9b7d4980f2c2d0969fd3f87796a05c1c030bc94ceacdb95fd
-fe11d180104266be31ea0837366a9001d0f54ce82d78e992228606798a6ed75e
-9ad79061031e325d884aa3747b7a4d4e398888c2eb0fd2a7e9c9a88999859ebf
-d10290b74c3dcba000519bd2e4cc03e4f466007d60731bfba66e92bd0e6a367d
-8e706e0b1c606425d4c7ff696440cf4f0a231961f0b9d5636cfb4a5abf263408
-b80f06166d9c533b3b13112cd9cedbc2e9197a4675125022e28d23047a93e6e7
-f3255e2fe972045499c7527fb9f32e1363a60cb2254abf34ab918f5d08f181ce
-c85dbd3408edc656c0bb2dbc47b854aedb2acd8d9fc0d5f7cce1724eb4c93133
-3e496ba69350daeeed903ee17260db986f11afaf68b53d894dd3d679ebe7f703
-b4ae32683591d34ce4137f9abc8dedb065d06ca3470afce541a9b0fe1f4de178
-db038a0a5b0c30a5ac304c5ea38686389f8fdfc9790296ba65b6ea7450659e46
-e17173f120846258b315eed9142ac66063205167a553e47d24547ad2c4a8f702
-fb9bec6b138ac48c5f5465e345d40f455cae3ef6838c2cb147344ecf7da3302d
-e1f8ca2a49e6d6c25d64d76a0007d91183a500f4db07b7232ae944051ec6db95
-c83956967f6e8cc3eb79ba8f6f7f9d9588e0790aa4ef2c8bb1af4bbe40c3e6e9
-c4c2abb5b8955d7f7db4744779ce92f484438d836457bd63a15762120b30d264
-064049f0b4e3f543f275f27d1490e4ec3ab8744cb0d07dd31166f744f9099dba
-9d4c7532182bfe249b19166e5a9c793ad26dfe0a4f6eb4f1f81c7daebfbb4f41
-900682d3f98e1d12d5d2cedf7d5d81f5294253cd05392a6c1b08faf2c937c587
-acb67c282079d5381342090e8f6bc758b6aafa1987e4025a38e0b007b5e734fb
-f7653c6d09bb30c736ed42f6faa6c8be715ee08edeb32e32716e161de47fa740
-2c7520f6a147a3a1ac4008ac7ac47e68ac95dd0e40def0262d7f19420ec9d836
-a83b0a6e8864bc93fb0246b910bd00506ac7e91476ac4f4ea8030c570d74d3c7
-f50ae3960629442be51c34d3d5064d144e4d5882e454f1f70b5db71acb0851ee
-ea8472b8bbf439406e33f3967b4e44371843616eb00bb0bbb2d7b50e64275eb7
-b0bf39d87aeef439b352c5d5549063adaca1807abb74c6d4b369bccf032a3a07
-e38165eb254cf180cb4b4e686f361ced5579846482cc428c7e317c7d35136f92
-2cfc13f1d489c450b84f26bb7ff8bf1751a1fe52be5b11ed2c9b21620b22b7e3
-da6b3bb7f97b07e6e53022f1e8fe751308247716fd05d7b925b7e019962c5ae8
-6f011dd826d13f3f797453ad0250bfb8ff3835b952b3f86d2a84fb4b646d2013
-39841e22dc6111dc48b71ddc930224f2a2cd65518f44c58fc4d0c703ac11aaf5
-e98a735db48973639a28b97b5181afc5129c2521df2369f4091bcad9ec2ecc57
-39a0c3fbc77b7293125db00eed1d7b6075f390b5f9aa84fe48cca11b71e92559
-2d81a03384d3fdfe7d782bc2bbd96e50af51259cd4c1d063629c41d932bf8d39
-aaf0a55979fbe4245b867b23f965abfc16c5fe1ae6dc46fb4341922cdf1e4466
-11c7c9f9c73001469081ced3169c7d55631800b59b5ef77405b3814bff9fd90c
-8a01addc3c525ddfc00f3579cd0e9effe77f4d8f27b6e55a5d18b0c66dfed09b
-ee81795632d12b202f606300f6aad5201cb07634500bba045aef4c198a8b640e
-1f974e4cb6eb54790a3e412b485888ec8931a028bf92647e874c5f69142e61b6
-8cce581e6d79c80eb947fe6eb9cd7c68ed8051c618acca8d0d094105154c891f
-545ddfe32e786f9fb516189571ad8aeb643658c5e7c4d19226166d6b5696ba0b
-d215d3020d2549971e15e2057fb25e27e3ebb8182440a32a8df73bb5a60b48c0
-d1ab1ec93b54b49e3277f0b177d2bbcbb4245dfc78032f7b0aa304ed83b67b2d
-8dba0f9d0d3771a8f89b2255c83248ef3d00600f2a486fff6658539aed4a9f00
-c3c42b10d0f4c244b6469ff45ec83926d3ac4ca1012e8ff7a761db98cd899eea
-80fee257ce8dafa44415d6ff106fc6f387dd1767f1afac6170e732784da4ba20
-5aaa275b9272df543410fc8f8289a6b49f86991912f0d5d087c0d72a43df98a4
-b6d3551660fa557b867f62a22d6bf7956f9c0c929fec10a91c871366a7b22a18
-87d91ac067f1bb24cc26ae2a614235ddaef02c0ce47ec6ea3d625d007ab9b0e3
-f329f0cbc2ff80c1c5338dfa4d46cfb7982b71ba740a2f67171562d81a226906
-ecfd0fffeb67fde9f741a911c33dfecbfb5e6c115948ac90d76bdc3bf1474d9a
-39b6a931f4a6a0b5650f878eefdb8c222f66816e57e4f50c25a30d36ea28
-9e8d92f7230d739034c81f27adc4a9e48b852faf5299636d6d51fabbc0358857
-892f306e6f760c780ee75ccc2e2d976dfc836c7f086fe12970e997dff6ecea59
-9f629f24ed853d4ec5a9872527b8d26bb25bb7c3f612d212447a96f6dc098bae
-c16e6726dd90f6742422e953650c83fd020902f7b460a6de1248c38826fc538b
-e49bab3522d3bca7cd6558fe0cb4f8e488e7bce25eb53d9b498c78180099b809
-0e8bef2f7a97189a65a448895aea28b96e68f2c311db2caadf85281a4ac31723
-1667348978e47ab73d3e23e366ce99481972f7fd6882aaaac15727e6dd93afb3
-89bab7af45d82b56bed628443e6d079e19ede69edbe920538b104a7f062c42a4
-2b793f867529594f9b5d625b5afb30b2ea70e59075808899d3f95b4f68e1ba72
-4082aafb0c1278e4e0b0759e2beaa53d17de4f86
-0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
cleartomark
%%EndResource
-[/N9/N34 -1 TZ
-%%EndPageSetup
-0 0 300 130 RC
-0.09999 0 0 0.09999 0 0 cm
-
-q
-Q
-q
-0 0 m
-0 1300 l
-3000 1300 l
-3000 0 l
-h
-W n
-1 i
-10 w
-4 M
-46.25 377.25 554 554 re
-S
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 16.60778 62.02688 Tm
-(t)Tj
-6.29998 0 Td
-(h)Tj
-6.29998 0 Td
-(r)Tj
-6.29998 0 Td
-(e)Tj
-6.29998 0 Td
-(e)Tj
-ET
-Q
-1 g
-1707.25 30.25 1244 1243 rf
-1707.25 30.25 1244 1243 re
-S
-0 g
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 223.47399 106.70199 Tm
-(n)Tj
-6.29998 0 Td
-(a)Tj
-6.29998 0 Td
-(t)Tj
-ET
-Q
-0.85089 g
-2304.25 931.25 m
-2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
-1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
-2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
-2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
-2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
-f
-2304.25 931.25 m
-2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
-1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
-2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
-2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
-2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
-h
-S
-0 g
-q
-10 0 0 10 0 0 cm
-
-BT
-/N9 12 Tf
-1 0 0 1 209.33399 61.78269 Tm
-({)Tj
-6.29998 0 Td
-(0)Tj
-6.29998 0 Td
-(,)Tj
-6.29998 0 Td
-(1)Tj
-6.29998 0 Td
-(,)Tj
-6.29998 0 Td
-(2)Tj
-6.29998 0 Td
-(})Tj
-ET
-Q
-2373.25 821.25 m
-386.25 821.25 l
-S
-356.25 821.25 m
-370.69799 826.43598 388.31399 835.42498 399.25 845.25 c
-390.25 821.25 l
-399.25 797.25 l
-388.31399 806.90899 370.69799 815.89898 356.25 821.25 c
-f
-326.25 821.25 m
-354.72099 831.70498 389.95498 849.68399 412.25 868.25 c
-394.25 821.25 l
-412.25 773.25 l
-389.95498 792.65199 354.72099 810.63499 326.25 821.25 c
-f
-326.25 481.25 m
-2313.25 481.25 l
-S
-2343.25 481.25 m
-2328.95999 486.44099 2311.34999 495.42498 2300.25 505.25 c
-2309.25 481.25 l
-2300.25 457.25 l
-2311.34999 466.90899 2328.95999 475.89399 2343.25 481.25 c
-f
-2373.25 481.25 m
-2344.93998 491.70498 2309.70999 509.68399 2288.25 528.25 c
-2305.25 481.25 l
-2288.25 433.25 l
-2309.70999 452.65199 2344.93998 470.63999 2373.25 481.25 c
-f
-Q
-PDFVars/TermAll get exec end end
-userdict /pgsave get restore
-showpage
-%%PageTrailer
-%%EndPage
-%%Trailer
-%%DocumentProcessColors: Black
-%%DocumentSuppliedResources:
-%%+ font N34
-%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
-%%+ procset (Adobe Acrobat - type operators) 1.2 0
-%%EOF
--- a/doc-src/TutorialI/document/types0.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,69 +0,0 @@
-\chapter{More about Types}
-\label{ch:more-types}
-
-So far we have learned about a few basic types (for example \isa{bool} and
-\isa{nat}), type abbreviations (\isacommand{types}) and recursive datatypes
-(\isacommand{datatype}). This chapter will introduce more
-advanced material:
-\begin{itemize}
-\item Pairs ({\S}\ref{sec:products}) and records ({\S}\ref{sec:records}),
-and how to reason about them.
-\item Type classes: how to specify and reason about axiomatic collections of
- types ({\S}\ref{sec:axclass}). This section leads on to a discussion of
- Isabelle's numeric types ({\S}\ref{sec:numbers}).
-\item Introducing your own types: how to define types that
- cannot be constructed with any of the basic methods
- ({\S}\ref{sec:adv-typedef}).
-\end{itemize}
-
-The material in this section goes beyond the needs of most novices.
-Serious users should at least skim the sections as far as type classes.
-That material is fairly advanced; read the beginning to understand what it
-is about, but consult the rest only when necessary.
-
-\index{pairs and tuples|(}
-\input{Pairs} %%%Section "Pairs and Tuples"
-\index{pairs and tuples|)}
-
-\input{Records} %%%Section "Records"
-
-
-\section{Type Classes} %%%Section
-\label{sec:axclass}
-\index{axiomatic type classes|(}
-\index{*axclass|(}
-
-The programming language Haskell has popularized the notion of type
-classes: a type class is a set of types with a
-common interface: all types in that class must provide the functions
-in the interface. Isabelle offers a similar type class concept: in
-addition, properties (\emph{class axioms}) can be specified which any
-instance of this type class must obey. Thus we can talk about a type
-$\tau$ being in a class $C$, which is written $\tau :: C$. This is the case
-if $\tau$ satisfies the axioms of $C$. Furthermore, type classes can be
-organized in a hierarchy. Thus there is the notion of a class $D$
-being a subclass\index{subclasses} of a class $C$, written $D
-< C$. This is the case if all axioms of $C$ are also provable in $D$.
-
-In this section we introduce the most important concepts behind type
-classes by means of a running example from algebra. This should give
-you an intuition how to use type classes and to understand
-specifications involving type classes. Type classes are covered more
-deeply in a separate tutorial \cite{isabelle-classes}.
-
-\subsection{Overloading}
-\label{sec:overloading}
-\index{overloading|(}
-
-\input{Overloading}
-
-\index{overloading|)}
-
-\input{Axioms}
-
-\index{type classes|)}
-\index{*class|)}
-
-\input{numerics} %%%Section "Numbers"
-
-\input{Typedefs} %%%Section "Introducing New Types"
--- a/doc-src/TutorialI/todo.tobias Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,130 +0,0 @@
-Implementation
-==============
-
-Add map_cong?? (upto 10% slower)
-
-a simp command for terms
-
-Recdef: Get rid of function name in header.
-Support mutual recursion (Konrad?)
-
-improve solver in simplifier: treat & and ! ...
-
-better 1 point rules:
-!x. !y. x = f y --> P x y should reduce to !y. P (f y) y.
-
-it would be nice if @term could deal with ?-vars.
-then a number of (unchecked!) @texts could be converted to @terms.
-
-it would be nice if one could get id to the enclosing quotes in the [source] option.
-
-More predefined functions for datatypes: map?
-
-Induction rules for int: int_le/ge_induct?
-Needed for ifak example. But is that example worth it?
-
-Komischerweise geht das Splitten von _Annahmen_ auch mit simp_tac, was
-ein generelles Feature ist, das man vielleicht mal abstellen sollte.
-
-proper mutual simplification
-
-defs with = and pattern matching??
-
-
-Minor fixes in the tutorial
-===========================
-
-Appendix: Lexical: long ids.
-
-Warning: infixes automatically become reserved words!
-
-Syntax section: syntax annotations not just for consts but also for constdefs and datatype.
-
-Appendix with list functions.
-
-All theory sources on the web?
-
-Possible exercises
-==================
-
-Exercises
-
-For extensionality (in Sets chapter): prove
-valif o norm = valif
-in If-expression case study (Ifexpr)
-
-Nested inductive datatypes: another example/exercise:
- size(t) <= size(subst s t)?
-
-insertion sort: primrec, later recdef
-
-OTree:
- first version only for non-empty trees:
- Tip 'a | Node tree tree
- Then real version?
- First primrec, then recdef?
-
-Ind. sets: define ABC inductively and prove
-ABC = {rep A n @ rep B n @ rep C n. True}
-
-Partial rekursive functions / Nontermination:
-
-Exercise: ?! f. !i. f i = if i=0 then 1 else i*f(i-1)
-(What about sum? Is there one, a unique one?)
-
-Exercise
-Better(?) sum i = fst(while (%(s,i). i=0) (%(s,i). (s+i,i-1)) (0,i))
-Prove 0 <= i ==> sum i = i*(i+1) via while-rule
-
-Possible examples/case studies
-==============================
-
-Trie: Define functional version
-datatype ('a,'b)trie = Trie ('b option) ('a => ('a,'b)trie option)
-lookup t [] = value t
-lookup t (a#as) = case tries t a of None => None | Some s => lookup s as
-Maybe as an exercise?
-
-Trie: function for partial matches (prefixes). Needs sets for spec/proof.
-
-Sets via ordered list of intervals. (Isa/Interval(2))
-
-propositional logic (soundness and completeness?),
-predicate logic (soundness?),
-
-Tautology checker. Based on Ifexpr or prop.logic?
-Include forward reference in relevant section.
-
-Sorting with comp-parameter and with type class (<)
-
-Recdef:more example proofs:
- if-normalization with measure function,
- nested if-normalization,
- quicksort
- Trie?
-
-New book by Bird?
-
-Steps Towards Mechanizing Program Transformations Using PVS by N. Shankar,
- Science of Computer Programming, 26(1-3):33-57, 1996.
-You can get it from http://www.csl.sri.com/scp95.html
-
-J Moore article Towards a ...
-Mergesort, JVM
-
-
-Additional topics
-=================
-
-Recdef with nested recursion?
-
-Extensionality: applications in
-- boolean expressions: valif o bool2if = value
-- Advanced datatypes exercise subst (f o g) = subst f o subst g
-
-A look at the library?
-Map.
-
-Prototyping?
-
-==============================================================
--- a/doc-src/ZF/FOL_examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,34 +0,0 @@
-header{*Examples of Classical Reasoning*}
-
-theory FOL_examples imports "~~/src/FOL/FOL" begin
-
-lemma "EX y. ALL x. P(y)-->P(x)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule exCI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule allI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule allE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-txt{*see below for @{text allI} combined with @{text swap}*}
-apply (erule allI [THEN [2] swap])
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule notE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
-done
-
-text {*
-@{thm[display] allI [THEN [2] swap]}
-*}
-
-lemma "EX y. ALL x. P(y)-->P(x)"
-by blast
-
-end
-
-
--- a/doc-src/ZF/IFOL_examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,58 +0,0 @@
-header{*Examples of Intuitionistic Reasoning*}
-
-theory IFOL_examples imports "~~/src/FOL/IFOL" begin
-
-text{*Quantifier example from the book Logic and Computation*}
-lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule allI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule exI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule exE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule allE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-txt{*Now @{text "apply assumption"} fails*}
-oops
-
-text{*Trying again, with the same first two steps*}
-lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule allI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule exE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule exI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule allE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-done
-
-lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
-by (tactic {*IntPr.fast_tac 1*})
-
-text{*Example of Dyckhoff's method*}
-lemma "~ ~ ((P-->Q) | (Q-->P))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (unfold not_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule impI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule disj_impE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule imp_impE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
- apply (erule imp_impE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
-apply (erule FalseE)+
-done
-
-end
--- a/doc-src/ZF/If.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,85 +0,0 @@
-(* Title: FOL/ex/If.ML
- Author: Lawrence C Paulson, Cambridge University Computer Laboratory
- Copyright 1991 University of Cambridge
-
-First-Order Logic: the 'if' example.
-*)
-
-theory If imports "~~/src/FOL/FOL" begin
-
-definition "if" :: "[o,o,o]=>o" where
- "if(P,Q,R) == P&Q | ~P&R"
-
-lemma ifI:
- "[| P ==> Q; ~P ==> R |] ==> if(P,Q,R)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (simp add: if_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply blast
-done
-
-lemma ifE:
- "[| if(P,Q,R); [| P; Q |] ==> S; [| ~P; R |] ==> S |] ==> S"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (simp add: if_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply blast
-done
-
-lemma if_commute: "if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule iffI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule ifE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule ifE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule ifI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule ifI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-oops
-
-text{*Trying again from the beginning in order to use @{text blast}*}
-declare ifI [intro!]
-declare ifE [elim!]
-
-lemma if_commute: "if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))"
-by blast
-
-
-lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-by blast
-
-text{*Trying again from the beginning in order to prove from the definitions*}
-lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (simp add: if_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply blast
-done
-
-
-text{*An invalid formula. High-level rules permit a simpler diagnosis*}
-lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply auto
- --{* @{subgoals[display,indent=0,margin=65]} *}
-(*The next step will fail unless subgoals remain*)
-apply (tactic all_tac)
-oops
-
-text{*Trying again from the beginning in order to prove from the definitions*}
-lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (simp add: if_def)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (auto)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-(*The next step will fail unless subgoals remain*)
-apply (tactic all_tac)
-oops
-
-
-end
--- a/doc-src/ZF/ZF_Isar.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,140 +0,0 @@
-theory ZF_Isar
-imports Main
-begin
-
-(*<*)
-ML_file "../antiquote_setup.ML"
-setup Antiquote_Setup.setup
-(*>*)
-
-chapter {* Some Isar language elements *}
-
-section {* Type checking *}
-
-text {*
- The ZF logic is essentially untyped, so the concept of ``type
- checking'' is performed as logical reasoning about set-membership
- statements. A special method assists users in this task; a version
- of this is already declared as a ``solver'' in the standard
- Simplifier setup.
-
- \begin{matharray}{rcl}
- @{command_def (ZF) "print_tcset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
- @{method_def (ZF) typecheck} & : & @{text method} \\
- @{attribute_def (ZF) TC} & : & @{text attribute} \\
- \end{matharray}
-
- @{rail "
- @@{attribute (ZF) TC} (() | 'add' | 'del')
- "}
-
- \begin{description}
-
- \item @{command (ZF) "print_tcset"} prints the collection of
- typechecking rules of the current context.
-
- \item @{method (ZF) typecheck} attempts to solve any pending
- type-checking problems in subgoals.
-
- \item @{attribute (ZF) TC} adds or deletes type-checking rules from
- the context.
-
- \end{description}
-*}
-
-
-section {* (Co)Inductive sets and datatypes *}
-
-subsection {* Set definitions *}
-
-text {*
- In ZF everything is a set. The generic inductive package also
- provides a specific view for ``datatype'' specifications.
- Coinductive definitions are available in both cases, too.
-
- \begin{matharray}{rcl}
- @{command_def (ZF) "inductive"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (ZF) "coinductive"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (ZF) "datatype"} & : & @{text "theory \<rightarrow> theory"} \\
- @{command_def (ZF) "codatatype"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- (@@{command (ZF) inductive} | @@{command (ZF) coinductive}) domains intros hints
- ;
-
- domains: @'domains' (@{syntax term} + '+') ('<=' | '\<subseteq>') @{syntax term}
- ;
- intros: @'intros' (@{syntax thmdecl}? @{syntax prop} +)
- ;
- hints: @{syntax (ZF) \"monos\"}? condefs? \\
- @{syntax (ZF) typeintros}? @{syntax (ZF) typeelims}?
- ;
- @{syntax_def (ZF) \"monos\"}: @'monos' @{syntax thmrefs}
- ;
- condefs: @'con_defs' @{syntax thmrefs}
- ;
- @{syntax_def (ZF) typeintros}: @'type_intros' @{syntax thmrefs}
- ;
- @{syntax_def (ZF) typeelims}: @'type_elims' @{syntax thmrefs}
- "}
-
- In the following syntax specification @{text "monos"}, @{text
- typeintros}, and @{text typeelims} are the same as above.
-
- @{rail "
- (@@{command (ZF) datatype} | @@{command (ZF) codatatype}) domain? (dtspec + @'and') hints
- ;
-
- domain: ('<=' | '\<subseteq>') @{syntax term}
- ;
- dtspec: @{syntax term} '=' (con + '|')
- ;
- con: @{syntax name} ('(' (@{syntax term} ',' +) ')')?
- ;
- hints: @{syntax (ZF) \"monos\"}? @{syntax (ZF) typeintros}? @{syntax (ZF) typeelims}?
- "}
-
- See \cite{isabelle-ZF} for further information on inductive
- definitions in ZF, but note that this covers the old-style theory
- format.
-*}
-
-
-subsection {* Primitive recursive functions *}
-
-text {*
- \begin{matharray}{rcl}
- @{command_def (ZF) "primrec"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- @@{command (ZF) primrec} (@{syntax thmdecl}? @{syntax prop} +)
- "}
-*}
-
-
-subsection {* Cases and induction: emulating tactic scripts *}
-
-text {*
- The following important tactical tools of Isabelle/ZF have been
- ported to Isar. These should not be used in proper proof texts.
-
- \begin{matharray}{rcl}
- @{method_def (ZF) case_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def (ZF) induct_tac}@{text "\<^sup>*"} & : & @{text method} \\
- @{method_def (ZF) ind_cases}@{text "\<^sup>*"} & : & @{text method} \\
- @{command_def (ZF) "inductive_cases"} & : & @{text "theory \<rightarrow> theory"} \\
- \end{matharray}
-
- @{rail "
- (@@{method (ZF) case_tac} | @@{method (ZF) induct_tac}) @{syntax goal_spec}? @{syntax name}
- ;
- @@{method (ZF) ind_cases} (@{syntax prop} +)
- ;
- @@{command (ZF) inductive_cases} (@{syntax thmdecl}? (@{syntax prop} +) + @'and')
- ;
- "}
-*}
-
-end
--- a/doc-src/ZF/ZF_examples.thy Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,202 +0,0 @@
-header{*Examples of Reasoning in ZF Set Theory*}
-
-theory ZF_examples imports Main_ZFC begin
-
-subsection {* Binary Trees *}
-
-consts
- bt :: "i => i"
-
-datatype "bt(A)" =
- Lf | Br ("a \<in> A", "t1 \<in> bt(A)", "t2 \<in> bt(A)")
-
-declare bt.intros [simp]
-
-text{*Induction via tactic emulation*}
-lemma Br_neq_left [rule_format]: "l \<in> bt(A) ==> \<forall>x r. Br(x, l, r) \<noteq> l"
- --{* @{subgoals[display,indent=0,margin=65]} *}
- apply (induct_tac l)
- --{* @{subgoals[display,indent=0,margin=65]} *}
- apply auto
- done
-
-(*
- apply (Inductive.case_tac l)
- apply (tactic {*exhaust_tac "l" 1*})
-*)
-
-text{*The new induction method, which I don't understand*}
-lemma Br_neq_left': "l \<in> bt(A) ==> (!!x r. Br(x, l, r) \<noteq> l)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
- apply (induct set: bt)
- --{* @{subgoals[display,indent=0,margin=65]} *}
- apply auto
- done
-
-lemma Br_iff: "Br(a,l,r) = Br(a',l',r') <-> a=a' & l=l' & r=r'"
- -- "Proving a freeness theorem."
- by (blast elim!: bt.free_elims)
-
-inductive_cases Br_in_bt: "Br(a,l,r) \<in> bt(A)"
- -- "An elimination rule, for type-checking."
-
-text {*
-@{thm[display] Br_in_bt[no_vars]}
-*};
-
-subsection{*Primitive recursion*}
-
-consts n_nodes :: "i => i"
-primrec
- "n_nodes(Lf) = 0"
- "n_nodes(Br(a,l,r)) = succ(n_nodes(l) #+ n_nodes(r))"
-
-lemma n_nodes_type [simp]: "t \<in> bt(A) ==> n_nodes(t) \<in> nat"
- by (induct_tac t, auto)
-
-consts n_nodes_aux :: "i => i"
-primrec
- "n_nodes_aux(Lf) = (\<lambda>k \<in> nat. k)"
- "n_nodes_aux(Br(a,l,r)) =
- (\<lambda>k \<in> nat. n_nodes_aux(r) ` (n_nodes_aux(l) ` succ(k)))"
-
-lemma n_nodes_aux_eq [rule_format]:
- "t \<in> bt(A) ==> \<forall>k \<in> nat. n_nodes_aux(t)`k = n_nodes(t) #+ k"
- by (induct_tac t, simp_all)
-
-definition n_nodes_tail :: "i => i" where
- "n_nodes_tail(t) == n_nodes_aux(t) ` 0"
-
-lemma "t \<in> bt(A) ==> n_nodes_tail(t) = n_nodes(t)"
- by (simp add: n_nodes_tail_def n_nodes_aux_eq)
-
-
-subsection {*Inductive definitions*}
-
-consts Fin :: "i=>i"
-inductive
- domains "Fin(A)" \<subseteq> "Pow(A)"
- intros
- emptyI: "0 \<in> Fin(A)"
- consI: "[| a \<in> A; b \<in> Fin(A) |] ==> cons(a,b) \<in> Fin(A)"
- type_intros empty_subsetI cons_subsetI PowI
- type_elims PowD [elim_format]
-
-
-consts acc :: "i => i"
-inductive
- domains "acc(r)" \<subseteq> "field(r)"
- intros
- vimage: "[| r-``{a}: Pow(acc(r)); a \<in> field(r) |] ==> a \<in> acc(r)"
- monos Pow_mono
-
-
-consts
- llist :: "i=>i";
-
-codatatype
- "llist(A)" = LNil | LCons ("a \<in> A", "l \<in> llist(A)")
-
-
-(*Coinductive definition of equality*)
-consts
- lleq :: "i=>i"
-
-(*Previously used <*> in the domain and variant pairs as elements. But
- standard pairs work just as well. To use variant pairs, must change prefix
- a q/Q to the Sigma, Pair and converse rules.*)
-coinductive
- domains "lleq(A)" \<subseteq> "llist(A) * llist(A)"
- intros
- LNil: "<LNil, LNil> \<in> lleq(A)"
- LCons: "[| a \<in> A; <l,l'> \<in> lleq(A) |]
- ==> <LCons(a,l), LCons(a,l')> \<in> lleq(A)"
- type_intros llist.intros
-
-
-subsection{*Powerset example*}
-
-lemma Pow_mono: "A\<subseteq>B ==> Pow(A) \<subseteq> Pow(B)"
-apply (rule subsetI)
-apply (rule PowI)
-apply (drule PowD)
-apply (erule subset_trans, assumption)
-done
-
-lemma "Pow(A Int B) = Pow(A) Int Pow(B)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule equalityI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Int_greatest)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Int_lower1 [THEN Pow_mono])
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Int_lower2 [THEN Pow_mono])
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule subsetI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule IntE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule PowI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (drule PowD)+
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Int_greatest)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (assumption+)
-done
-
-text{*Trying again from the beginning in order to use @{text blast}*}
-lemma "Pow(A Int B) = Pow(A) Int Pow(B)"
-by blast
-
-
-lemma "C\<subseteq>D ==> Union(C) \<subseteq> Union(D)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule subsetI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule UnionE)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule UnionI)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule subsetD)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
-done
-
-text{*A more abstract version of the same proof*}
-
-lemma "C\<subseteq>D ==> Union(C) \<subseteq> Union(D)"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Union_least)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule Union_upper)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (erule subsetD, assumption)
-done
-
-
-lemma "[| a \<in> A; f \<in> A->B; g \<in> C->D; A \<inter> C = 0 |] ==> (f \<union> g)`a = f`a"
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule apply_equality)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule UnI1)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule apply_Pair)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply (rule fun_disjoint_Un)
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
- --{* @{subgoals[display,indent=0,margin=65]} *}
-apply assumption
-done
-
-end
--- a/doc-src/ZF/document/FOL.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,855 +0,0 @@
-%!TEX root = logics-ZF.tex
-\chapter{First-Order Logic}
-\index{first-order logic|(}
-
-Isabelle implements Gentzen's natural deduction systems {\sc nj} and {\sc
- nk}. Intuitionistic first-order logic is defined first, as theory
-\thydx{IFOL}. Classical logic, theory \thydx{FOL}, is
-obtained by adding the double negation rule. Basic proof procedures are
-provided. The intuitionistic prover works with derived rules to simplify
-implications in the assumptions. Classical~\texttt{FOL} employs Isabelle's
-classical reasoner, which simulates a sequent calculus.
-
-\section{Syntax and rules of inference}
-The logic is many-sorted, using Isabelle's type classes. The class of
-first-order terms is called \cldx{term} and is a subclass of \isa{logic}.
-No types of individuals are provided, but extensions can define types such
-as \isa{nat::term} and type constructors such as \isa{list::(term)term}
-(see the examples directory, \texttt{FOL/ex}). Below, the type variable
-$\alpha$ ranges over class \isa{term}; the equality symbol and quantifiers
-are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
-belongs to class~\cldx{logic}. Figure~\ref{fol-syntax} gives the syntax.
-Note that $a$\verb|~=|$b$ is translated to $\neg(a=b)$.
-
-Figure~\ref{fol-rules} shows the inference rules with their names.
-Negation is defined in the usual way for intuitionistic logic; $\neg P$
-abbreviates $P\imp\bot$. The biconditional~($\bimp$) is defined through
-$\conj$ and~$\imp$; introduction and elimination rules are derived for it.
-
-The unique existence quantifier, $\exists!x.P(x)$, is defined in terms
-of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
-quantifications. For instance, $\exists!x\;y.P(x,y)$ abbreviates
-$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
-exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
-
-Some intuitionistic derived rules are shown in
-Fig.\ts\ref{fol-int-derived}, again with their names. These include
-rules for the defined symbols $\neg$, $\bimp$ and $\exists!$. Natural
-deduction typically involves a combination of forward and backward
-reasoning, particularly with the destruction rules $(\conj E)$,
-$({\imp}E)$, and~$(\forall E)$. Isabelle's backward style handles these
-rules badly, so sequent-style rules are derived to eliminate conjunctions,
-implications, and universal quantifiers. Used with elim-resolution,
-\tdx{allE} eliminates a universal quantifier while \tdx{all_dupE}
-re-inserts the quantified formula for later use. The rules
-\isa{conj\_impE}, etc., support the intuitionistic proof procedure
-(see~\S\ref{fol-int-prover}).
-
-See the on-line theory library for complete listings of the rules and
-derived rules.
-
-\begin{figure}
-\begin{center}
-\begin{tabular}{rrr}
- \it name &\it meta-type & \it description \\
- \cdx{Trueprop}& $o\To prop$ & coercion to $prop$\\
- \cdx{Not} & $o\To o$ & negation ($\neg$) \\
- \cdx{True} & $o$ & tautology ($\top$) \\
- \cdx{False} & $o$ & absurdity ($\bot$)
-\end{tabular}
-\end{center}
-\subcaption{Constants}
-
-\begin{center}
-\begin{tabular}{llrrr}
- \it symbol &\it name &\it meta-type & \it priority & \it description \\
- \sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
- universal quantifier ($\forall$) \\
- \sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
- existential quantifier ($\exists$) \\
- \isa{EX!} & \cdx{Ex1} & $(\alpha\To o)\To o$ & 10 &
- unique existence ($\exists!$)
-\end{tabular}
-\index{*"E"X"! symbol}
-\end{center}
-\subcaption{Binders}
-
-\begin{center}
-\index{*"= symbol}
-\index{&@{\tt\&} symbol}
-\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
-\index{*"-"-"> symbol}
-\index{*"<"-"> symbol}
-\begin{tabular}{rrrr}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
- \tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
- \tt | & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
- \tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
- \tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
-\end{tabular}
-\end{center}
-\subcaption{Infixes}
-
-\dquotes
-\[\begin{array}{rcl}
- formula & = & \hbox{expression of type~$o$} \\
- & | & term " = " term \quad| \quad term " \ttilde= " term \\
- & | & "\ttilde\ " formula \\
- & | & formula " \& " formula \\
- & | & formula " | " formula \\
- & | & formula " --> " formula \\
- & | & formula " <-> " formula \\
- & | & "ALL~" id~id^* " . " formula \\
- & | & "EX~~" id~id^* " . " formula \\
- & | & "EX!~" id~id^* " . " formula
- \end{array}
-\]
-\subcaption{Grammar}
-\caption{Syntax of \texttt{FOL}} \label{fol-syntax}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{refl} a=a
-\tdx{subst} [| a=b; P(a) |] ==> P(b)
-\subcaption{Equality rules}
-
-\tdx{conjI} [| P; Q |] ==> P&Q
-\tdx{conjunct1} P&Q ==> P
-\tdx{conjunct2} P&Q ==> Q
-
-\tdx{disjI1} P ==> P|Q
-\tdx{disjI2} Q ==> P|Q
-\tdx{disjE} [| P|Q; P ==> R; Q ==> R |] ==> R
-
-\tdx{impI} (P ==> Q) ==> P-->Q
-\tdx{mp} [| P-->Q; P |] ==> Q
-
-\tdx{FalseE} False ==> P
-\subcaption{Propositional rules}
-
-\tdx{allI} (!!x. P(x)) ==> (ALL x.P(x))
-\tdx{spec} (ALL x.P(x)) ==> P(x)
-
-\tdx{exI} P(x) ==> (EX x.P(x))
-\tdx{exE} [| EX x.P(x); !!x. P(x) ==> R |] ==> R
-\subcaption{Quantifier rules}
-
-\tdx{True_def} True == False-->False
-\tdx{not_def} ~P == P-->False
-\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
-\tdx{ex1_def} EX! x. P(x) == EX x. P(x) & (ALL y. P(y) --> y=x)
-\subcaption{Definitions}
-\end{ttbox}
-
-\caption{Rules of intuitionistic logic} \label{fol-rules}
-\end{figure}
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{sym} a=b ==> b=a
-\tdx{trans} [| a=b; b=c |] ==> a=c
-\tdx{ssubst} [| b=a; P(a) |] ==> P(b)
-\subcaption{Derived equality rules}
-
-\tdx{TrueI} True
-
-\tdx{notI} (P ==> False) ==> ~P
-\tdx{notE} [| ~P; P |] ==> R
-
-\tdx{iffI} [| P ==> Q; Q ==> P |] ==> P<->Q
-\tdx{iffE} [| P <-> Q; [| P-->Q; Q-->P |] ==> R |] ==> R
-\tdx{iffD1} [| P <-> Q; P |] ==> Q
-\tdx{iffD2} [| P <-> Q; Q |] ==> P
-
-\tdx{ex1I} [| P(a); !!x. P(x) ==> x=a |] ==> EX! x. P(x)
-\tdx{ex1E} [| EX! x.P(x); !!x.[| P(x); ALL y. P(y) --> y=x |] ==> R
- |] ==> R
-\subcaption{Derived rules for \(\top\), \(\neg\), \(\bimp\) and \(\exists!\)}
-
-\tdx{conjE} [| P&Q; [| P; Q |] ==> R |] ==> R
-\tdx{impE} [| P-->Q; P; Q ==> R |] ==> R
-\tdx{allE} [| ALL x.P(x); P(x) ==> R |] ==> R
-\tdx{all_dupE} [| ALL x.P(x); [| P(x); ALL x.P(x) |] ==> R |] ==> R
-\subcaption{Sequent-style elimination rules}
-
-\tdx{conj_impE} [| (P&Q)-->S; P-->(Q-->S) ==> R |] ==> R
-\tdx{disj_impE} [| (P|Q)-->S; [| P-->S; Q-->S |] ==> R |] ==> R
-\tdx{imp_impE} [| (P-->Q)-->S; [| P; Q-->S |] ==> Q; S ==> R |] ==> R
-\tdx{not_impE} [| ~P --> S; P ==> False; S ==> R |] ==> R
-\tdx{iff_impE} [| (P<->Q)-->S; [| P; Q-->S |] ==> Q; [| Q; P-->S |] ==> P;
- S ==> R |] ==> R
-\tdx{all_impE} [| (ALL x.P(x))-->S; !!x.P(x); S ==> R |] ==> R
-\tdx{ex_impE} [| (EX x.P(x))-->S; P(a)-->S ==> R |] ==> R
-\end{ttbox}
-\subcaption{Intuitionistic simplification of implication}
-\caption{Derived rules for intuitionistic logic} \label{fol-int-derived}
-\end{figure}
-
-
-\section{Generic packages}
-FOL instantiates most of Isabelle's generic packages.
-\begin{itemize}
-\item
-It instantiates the simplifier, which is invoked through the method
-\isa{simp}. Both equality ($=$) and the biconditional
-($\bimp$) may be used for rewriting.
-
-\item
-It instantiates the classical reasoner, which is invoked mainly through the
-methods \isa{blast} and \isa{auto}. See~\S\ref{fol-cla-prover}
-for details.
-%
-%\item FOL provides the tactic \ttindex{hyp_subst_tac}, which substitutes for
-% an equality throughout a subgoal and its hypotheses. This tactic uses FOL's
-% general substitution rule.
-\end{itemize}
-
-\begin{warn}\index{simplification!of conjunctions}%
- Simplifying $a=b\conj P(a)$ to $a=b\conj P(b)$ is often advantageous. The
- left part of a conjunction helps in simplifying the right part. This effect
- is not available by default: it can be slow. It can be obtained by
- including the theorem \isa{conj_cong}\index{*conj_cong (rule)}%
- as a congruence rule in
- simplification, \isa{simp cong:\ conj\_cong}.
-\end{warn}
-
-
-\section{Intuitionistic proof procedures} \label{fol-int-prover}
-Implication elimination (the rules~\isa{mp} and~\isa{impE}) pose
-difficulties for automated proof. In intuitionistic logic, the assumption
-$P\imp Q$ cannot be treated like $\neg P\disj Q$. Given $P\imp Q$, we may
-use~$Q$ provided we can prove~$P$; the proof of~$P$ may require repeated
-use of $P\imp Q$. If the proof of~$P$ fails then the whole branch of the
-proof must be abandoned. Thus intuitionistic propositional logic requires
-backtracking.
-
-For an elementary example, consider the intuitionistic proof of $Q$ from
-$P\imp Q$ and $(P\imp Q)\imp P$. The implication $P\imp Q$ is needed
-twice:
-\[ \infer[({\imp}E)]{Q}{P\imp Q &
- \infer[({\imp}E)]{P}{(P\imp Q)\imp P & P\imp Q}}
-\]
-The theorem prover for intuitionistic logic does not use~\isa{impE}.\@
-Instead, it simplifies implications using derived rules
-(Fig.\ts\ref{fol-int-derived}). It reduces the antecedents of implications
-to atoms and then uses Modus Ponens: from $P\imp Q$ and~$P$ deduce~$Q$.
-The rules \tdx{conj_impE} and \tdx{disj_impE} are
-straightforward: $(P\conj Q)\imp S$ is equivalent to $P\imp (Q\imp S)$, and
-$(P\disj Q)\imp S$ is equivalent to the conjunction of $P\imp S$ and $Q\imp
-S$. The other \ldots\isa{\_impE} rules are unsafe; the method requires
-backtracking. All the rules are derived in the same simple manner.
-
-Dyckhoff has independently discovered similar rules, and (more importantly)
-has demonstrated their completeness for propositional
-logic~\cite{dyckhoff}. However, the tactics given below are not complete
-for first-order logic because they discard universally quantified
-assumptions after a single use. These are \ML{} functions, and are listed
-below with their \ML{} type:
-\begin{ttbox}
-mp_tac : int -> tactic
-eq_mp_tac : int -> tactic
-IntPr.safe_step_tac : int -> tactic
-IntPr.safe_tac : tactic
-IntPr.inst_step_tac : int -> tactic
-IntPr.step_tac : int -> tactic
-IntPr.fast_tac : int -> tactic
-IntPr.best_tac : int -> tactic
-\end{ttbox}
-Most of these belong to the structure \ML{} structure \texttt{IntPr} and resemble the
-tactics of Isabelle's classical reasoner. There are no corresponding
-Isar methods, but you can use the
-\isa{tactic} method to call \ML{} tactics in an Isar script:
-\begin{isabelle}
-\isacommand{apply}\ (tactic\ {* IntPr.fast\_tac 1*})
-\end{isabelle}
-Here is a description of each tactic:
-
-\begin{ttdescription}
-\item[\ttindexbold{mp_tac} {\it i}]
-attempts to use \tdx{notE} or \tdx{impE} within the assumptions in
-subgoal $i$. For each assumption of the form $\neg P$ or $P\imp Q$, it
-searches for another assumption unifiable with~$P$. By
-contradiction with $\neg P$ it can solve the subgoal completely; by Modus
-Ponens it can replace the assumption $P\imp Q$ by $Q$. The tactic can
-produce multiple outcomes, enumerating all suitable pairs of assumptions.
-
-\item[\ttindexbold{eq_mp_tac} {\it i}]
-is like \texttt{mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
-is safe.
-
-\item[\ttindexbold{IntPr.safe_step_tac} $i$] performs a safe step on
-subgoal~$i$. This may include proof by assumption or Modus Ponens (taking
-care not to instantiate unknowns), or \texttt{hyp_subst_tac}.
-
-\item[\ttindexbold{IntPr.safe_tac}] repeatedly performs safe steps on all
-subgoals. It is deterministic, with at most one outcome.
-
-\item[\ttindexbold{IntPr.inst_step_tac} $i$] is like \texttt{safe_step_tac},
-but allows unknowns to be instantiated.
-
-\item[\ttindexbold{IntPr.step_tac} $i$] tries \texttt{safe_tac} or {\tt
- inst_step_tac}, or applies an unsafe rule. This is the basic step of
- the intuitionistic proof procedure.
-
-\item[\ttindexbold{IntPr.fast_tac} $i$] applies \texttt{step_tac}, using
-depth-first search, to solve subgoal~$i$.
-
-\item[\ttindexbold{IntPr.best_tac} $i$] applies \texttt{step_tac}, using
-best-first search (guided by the size of the proof state) to solve subgoal~$i$.
-\end{ttdescription}
-Here are some of the theorems that \texttt{IntPr.fast_tac} proves
-automatically. The latter three date from {\it Principia Mathematica}
-(*11.53, *11.55, *11.61)~\cite{principia}.
-\begin{ttbox}
-~~P & ~~(P --> Q) --> ~~Q
-(ALL x y. P(x) --> Q(y)) <-> ((EX x. P(x)) --> (ALL y. Q(y)))
-(EX x y. P(x) & Q(x,y)) <-> (EX x. P(x) & (EX y. Q(x,y)))
-(EX y. ALL x. P(x) --> Q(x,y)) --> (ALL x. P(x) --> (EX y. Q(x,y)))
-\end{ttbox}
-
-
-
-\begin{figure}
-\begin{ttbox}
-\tdx{excluded_middle} ~P | P
-
-\tdx{disjCI} (~Q ==> P) ==> P|Q
-\tdx{exCI} (ALL x. ~P(x) ==> P(a)) ==> EX x.P(x)
-\tdx{impCE} [| P-->Q; ~P ==> R; Q ==> R |] ==> R
-\tdx{iffCE} [| P<->Q; [| P; Q |] ==> R; [| ~P; ~Q |] ==> R |] ==> R
-\tdx{notnotD} ~~P ==> P
-\tdx{swap} ~P ==> (~Q ==> P) ==> Q
-\end{ttbox}
-\caption{Derived rules for classical logic} \label{fol-cla-derived}
-\end{figure}
-
-
-\section{Classical proof procedures} \label{fol-cla-prover}
-The classical theory, \thydx{FOL}, consists of intuitionistic logic plus
-the rule
-$$ \vcenter{\infer{P}{\infer*{P}{[\neg P]}}} \eqno(classical) $$
-\noindent
-Natural deduction in classical logic is not really all that natural. FOL
-derives classical introduction rules for $\disj$ and~$\exists$, as well as
-classical elimination rules for~$\imp$ and~$\bimp$, and the swap rule (see
-Fig.\ts\ref{fol-cla-derived}).
-
-The classical reasoner is installed. The most useful methods are
-\isa{blast} (pure classical reasoning) and \isa{auto} (classical reasoning
-combined with simplification), but the full range of
-methods is available, including \isa{clarify},
-\isa{fast}, \isa{best} and \isa{force}.
- See the
-\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
- {Chap.\ts\ref{chap:classical}}
-and the \emph{Tutorial}~\cite{isa-tutorial}
-for more discussion of classical proof methods.
-
-
-\section{An intuitionistic example}
-Here is a session similar to one in the book {\em Logic and Computation}
-\cite[pages~222--3]{paulson87}. It illustrates the treatment of
-quantifier reasoning, which is different in Isabelle than it is in
-{\sc lcf}-based theorem provers such as {\sc hol}.
-
-The theory header specifies that we are working in intuitionistic
-logic by designating \isa{IFOL} rather than \isa{FOL} as the parent
-theory:
-\begin{isabelle}
-\isacommand{theory}\ IFOL\_examples\ \isacommand{imports}\ IFOL\isanewline
-\isacommand{begin}
-\end{isabelle}
-The proof begins by entering the goal, then applying the rule $({\imp}I)$.
-\begin{isabelle}
-\isacommand{lemma}\ "(EX\ y.\ ALL\ x.\ Q(x,y))\ -->\ \ (ALL\ x.\ EX\ y.\ Q(x,y))"\isanewline
-\ 1.\ (\isasymexists y.\ \isasymforall x.\ Q(x,\ y))\
-\isasymlongrightarrow \ (\isasymforall x.\ \isasymexists y.\ Q(x,\ y))
-\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\ 1.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
-\isasymLongrightarrow \ \isasymforall x.\ \isasymexists y.\ Q(x,\ y)
-\end{isabelle}
-Isabelle's output is shown as it would appear using Proof General.
-In this example, we shall never have more than one subgoal. Applying
-$({\imp}I)$ replaces~\isa{\isasymlongrightarrow}
-by~\isa{\isasymLongrightarrow}, so that
-\(\ex{y}\all{x}Q(x,y)\) becomes an assumption. We have the choice of
-$({\exists}E)$ and $({\forall}I)$; let us try the latter.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ allI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
-\isasymLongrightarrow \ \isasymexists y.\ Q(x,\ y)\hfill\((*)\)
-\end{isabelle}
-Applying $({\forall}I)$ replaces the \isa{\isasymforall
-x} (in ASCII, \isa{ALL~x}) by \isa{\isasymAnd x}
-(or \isa{!!x}), replacing FOL's universal quantifier by Isabelle's
-meta universal quantifier. The bound variable is a {\bf parameter} of
-the subgoal. We now must choose between $({\exists}I)$ and
-$({\exists}E)$. What happens if the wrong rule is chosen?
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
-\isasymLongrightarrow \ Q(x,\ ?y2(x))
-\end{isabelle}
-The new subgoal~1 contains the function variable \isa{?y2}. Instantiating
-\isa{?y2} can replace~\isa{?y2(x)} by a term containing~\isa{x}, even
-though~\isa{x} is a bound variable. Now we analyse the assumption
-\(\exists y.\forall x. Q(x,y)\) using elimination rules:
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\ \isasymLongrightarrow \ Q(x,\ ?y2(x))
-\end{isabelle}
-Applying $(\exists E)$ has produced the parameter \isa{y} and stripped the
-existential quantifier from the assumption. But the subgoal is unprovable:
-there is no way to unify \isa{?y2(x)} with the bound variable~\isa{y}.
-Using Proof General, we can return to the critical point, marked
-$(*)$ above. This time we apply $({\exists}E)$:
-\begin{isabelle}
-\isacommand{apply}\ (erule\ exE)\isanewline
-\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\
-\isasymLongrightarrow \ \isasymexists y.\ Q(x,\ y)
-\end{isabelle}
-We now have two parameters and no scheme variables. Applying
-$({\exists}I)$ and $({\forall}E)$ produces two scheme variables, which are
-applied to those parameters. Parameters should be produced early, as this
-example demonstrates.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ exI)\isanewline
-\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\
-\isasymLongrightarrow \ Q(x,\ ?y3(x,\ y))
-\isanewline
-\isacommand{apply}\ (erule\ allE)\isanewline
-\ 1.\ \isasymAnd x\ y.\ Q(?x4(x,\ y),\ y)\ \isasymLongrightarrow \
-Q(x,\ ?y3(x,\ y))
-\end{isabelle}
-The subgoal has variables \isa{?y3} and \isa{?x4} applied to both
-parameters. The obvious projection functions unify \isa{?x4(x,y)} with~\isa{
-x} and \isa{?y3(x,y)} with~\isa{y}.
-\begin{isabelle}
-\isacommand{apply}\ assumption\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-The theorem was proved in six method invocations, not counting the
-abandoned ones. But proof checking is tedious, and the \ML{} tactic
-\ttindex{IntPr.fast_tac} can prove the theorem in one step.
-\begin{isabelle}
-\isacommand{lemma}\ "(EX\ y.\ ALL\ x.\ Q(x,y))\ -->\ \ (ALL\ x.\ EX\ y.\ Q(x,y))"\isanewline
-\ 1.\ (\isasymexists y.\ \isasymforall x.\ Q(x,\ y))\
-\isasymlongrightarrow \ (\isasymforall x.\ \isasymexists y.\ Q(x,\ y))
-\isanewline
-\isacommand{by} (tactic \ttlbrace*IntPr.fast_tac 1*\ttrbrace)\isanewline
-No\ subgoals!
-\end{isabelle}
-
-
-\section{An example of intuitionistic negation}
-The following example demonstrates the specialized forms of implication
-elimination. Even propositional formulae can be difficult to prove from
-the basic rules; the specialized rules help considerably.
-
-Propositional examples are easy to invent. As Dummett notes~\cite[page
-28]{dummett}, $\neg P$ is classically provable if and only if it is
-intuitionistically provable; therefore, $P$ is classically provable if and
-only if $\neg\neg P$ is intuitionistically provable.%
-\footnote{This remark holds only for propositional logic, not if $P$ is
- allowed to contain quantifiers.}
-%
-Proving $\neg\neg P$ intuitionistically is
-much harder than proving~$P$ classically.
-
-Our example is the double negation of the classical tautology $(P\imp
-Q)\disj (Q\imp P)$. The first step is apply the
-\isa{unfold} method, which expands
-negations to implications using the definition $\neg P\equiv P\imp\bot$
-and allows use of the special implication rules.
-\begin{isabelle}
-\isacommand{lemma}\ "\isachartilde \ \isachartilde \ ((P-->Q)\ |\ (Q-->P))"\isanewline
-\ 1.\ \isasymnot \ \isasymnot \ ((P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P))
-\isanewline
-\isacommand{apply}\ (unfold\ not\_def)\isanewline
-\ 1.\ ((P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False)\ \isasymlongrightarrow \ False%
-\end{isabelle}
-The next step is a trivial use of $(\imp I)$.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ impI)\isanewline
-\ 1.\ (P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False\ \isasymLongrightarrow \ False%
-\end{isabelle}
-By $(\imp E)$ it would suffice to prove $(P\imp Q)\disj (Q\imp P)$, but
-that formula is not a theorem of intuitionistic logic. Instead, we
-apply the specialized implication rule \tdx{disj_impE}. It splits the
-assumption into two assumptions, one for each disjunct.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ disj\_impE)\isanewline
-\ 1.\ \isasymlbrakk (P\ \isasymlongrightarrow \ Q)\ \isasymlongrightarrow \ False;\ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \
-False
-\end{isabelle}
-We cannot hope to prove $P\imp Q$ or $Q\imp P$ separately, but
-their negations are inconsistent. Applying \tdx{imp_impE} breaks down
-the assumption $\neg(P\imp Q)$, asking to show~$Q$ while providing new
-assumptions~$P$ and~$\neg Q$.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ imp\_impE)\isanewline
-\ 1.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ P;\ Q\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
-\ 2.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \
-False
-\end{isabelle}
-Subgoal~2 holds trivially; let us ignore it and continue working on
-subgoal~1. Thanks to the assumption~$P$, we could prove $Q\imp P$;
-applying \tdx{imp_impE} is simpler.
-\begin{isabelle}
-\ \isacommand{apply}\ (erule\ imp\_impE)\isanewline
-\ 1.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\ Q;\ P\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \ P\isanewline
-\ 2.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
-\ 3.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \ False%
-\end{isabelle}
-The three subgoals are all trivial.
-\begin{isabelle}
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\
-False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
-\ 2.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\
-\isasymlongrightarrow \ False;\ False\isasymrbrakk \
-\isasymLongrightarrow \ False%
-\isanewline
-\isacommand{apply}\ (erule\ FalseE)+\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-This proof is also trivial for the \ML{} tactic \isa{IntPr.fast_tac}.
-
-
-\section{A classical example} \label{fol-cla-example}
-To illustrate classical logic, we shall prove the theorem
-$\ex{y}\all{x}P(y)\imp P(x)$. Informally, the theorem can be proved as
-follows. Choose~$y$ such that~$\neg P(y)$, if such exists; otherwise
-$\all{x}P(x)$ is true. Either way the theorem holds. First, we must
-work in a theory based on classical logic, the theory \isa{FOL}:
-\begin{isabelle}
-\isacommand{theory}\ FOL\_examples\ \isacommand{imports}\ FOL\isanewline
-\isacommand{begin}
-\end{isabelle}
-
-The formal proof does not conform in any obvious way to the sketch given
-above. Its key step is its first rule, \tdx{exCI}, a classical
-version of~$(\exists I)$ that allows multiple instantiation of the
-quantifier.
-\begin{isabelle}
-\isacommand{lemma}\ "EX\ y.\ ALL\ x.\ P(y)-->P(x)"\isanewline
-\ 1.\ \isasymexists y.\ \isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x)
-\isanewline
-\isacommand{apply}\ (rule\ exCI)\isanewline
-\ 1.\ \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x))\ \isasymLongrightarrow \ \isasymforall x.\ P(?a)\ \isasymlongrightarrow \ P(x)
-\end{isabelle}
-We can either exhibit a term \isa{?a} to satisfy the conclusion of
-subgoal~1, or produce a contradiction from the assumption. The next
-steps are routine.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ allI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x))\ \isasymLongrightarrow \ P(?a)\ \isasymlongrightarrow \ P(x)
-\isanewline
-\isacommand{apply}\ (rule\ impI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x));\ P(?a)\isasymrbrakk \ \isasymLongrightarrow \ P(x)
-\end{isabelle}
-By the duality between $\exists$ and~$\forall$, applying~$(\forall E)$
-is equivalent to applying~$(\exists I)$ again.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ allE)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk P(?a);\ \isasymnot \ (\isasymforall xa.\ P(?y3(x))\ \isasymlongrightarrow \ P(xa))\isasymrbrakk \ \isasymLongrightarrow \ P(x)
-\end{isabelle}
-In classical logic, a negated assumption is equivalent to a conclusion. To
-get this effect, we create a swapped version of $(\forall I)$ and apply it
-using \ttindex{erule}.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ allI\ [THEN\ [2]\ swap])\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ \isasymnot \ P(x)\isasymrbrakk \ \isasymLongrightarrow \ P(?y3(x))\ \isasymlongrightarrow \ P(xa)
-\end{isabelle}
-The operand of \isa{erule} above denotes the following theorem:
-\begin{isabelle}
-\ \ \ \ \isasymlbrakk \isasymnot \ (\isasymforall x.\ ?P1(x));\
-\isasymAnd x.\ \isasymnot \ ?P\ \isasymLongrightarrow \
-?P1(x)\isasymrbrakk \
-\isasymLongrightarrow \ ?P%
-\end{isabelle}
-The previous conclusion, \isa{P(x)}, has become a negated assumption.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ impI)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ \isasymnot \ P(x);\ P(?y3(x))\isasymrbrakk \ \isasymLongrightarrow \ P(xa)
-\end{isabelle}
-The subgoal has three assumptions. We produce a contradiction between the
-\index{assumptions!contradictory} assumptions~\isa{\isasymnot P(x)}
-and~\isa{P(?y3(x))}. The proof never instantiates the
-unknown~\isa{?a}.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ notE)\isanewline
-\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ P(?y3(x))\isasymrbrakk \ \isasymLongrightarrow \ P(x)
-\isanewline
-\isacommand{apply}\ assumption\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-The civilised way to prove this theorem is using the
-\methdx{blast} method, which automatically uses the classical form
-of the rule~$(\exists I)$:
-\begin{isabelle}
-\isacommand{lemma}\ "EX\ y.\ ALL\ x.\ P(y)-->P(x)"\isanewline
-\ 1.\ \isasymexists y.\ \isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x)
-\isanewline
-\isacommand{by}\ blast\isanewline
-No\ subgoals!
-\end{isabelle}
-If this theorem seems counterintuitive, then perhaps you are an
-intuitionist. In constructive logic, proving $\ex{y}\all{x}P(y)\imp P(x)$
-requires exhibiting a particular term~$t$ such that $\all{x}P(t)\imp P(x)$,
-which we cannot do without further knowledge about~$P$.
-
-
-\section{Derived rules and the classical tactics}
-Classical first-order logic can be extended with the propositional
-connective $if(P,Q,R)$, where
-$$ if(P,Q,R) \equiv P\conj Q \disj \neg P \conj R. \eqno(if) $$
-Theorems about $if$ can be proved by treating this as an abbreviation,
-replacing $if(P,Q,R)$ by $P\conj Q \disj \neg P \conj R$ in subgoals. But
-this duplicates~$P$, causing an exponential blowup and an unreadable
-formula. Introducing further abbreviations makes the problem worse.
-
-Natural deduction demands rules that introduce and eliminate $if(P,Q,R)$
-directly, without reference to its definition. The simple identity
-\[ if(P,Q,R) \,\bimp\, (P\imp Q)\conj (\neg P\imp R) \]
-suggests that the
-$if$-introduction rule should be
-\[ \infer[({if}\,I)]{if(P,Q,R)}{\infer*{Q}{[P]} & \infer*{R}{[\neg P]}} \]
-The $if$-elimination rule reflects the definition of $if(P,Q,R)$ and the
-elimination rules for~$\disj$ and~$\conj$.
-\[ \infer[({if}\,E)]{S}{if(P,Q,R) & \infer*{S}{[P,Q]}
- & \infer*{S}{[\neg P,R]}}
-\]
-Having made these plans, we get down to work with Isabelle. The theory of
-classical logic, \texttt{FOL}, is extended with the constant
-$if::[o,o,o]\To o$. The axiom \tdx{if_def} asserts the
-equation~$(if)$.
-\begin{isabelle}
-\isacommand{theory}\ If\ \isacommand{imports}\ FOL\isanewline
-\isacommand{begin}\isanewline
-\isacommand{constdefs}\isanewline
-\ \ if\ ::\ "[o,o,o]=>o"\isanewline
-\ \ \ "if(P,Q,R)\ ==\ P\&Q\ |\ \isachartilde P\&R"
-\end{isabelle}
-We create the file \texttt{If.thy} containing these declarations. (This file
-is on directory \texttt{FOL/ex} in the Isabelle distribution.) Typing
-\begin{isabelle}
-use_thy "If";
-\end{isabelle}
-loads that theory and sets it to be the current context.
-
-
-\subsection{Deriving the introduction rule}
-
-The derivations of the introduction and elimination rules demonstrate the
-methods for rewriting with definitions. Classical reasoning is required,
-so we use \isa{blast}.
-
-The introduction rule, given the premises $P\Imp Q$ and $\neg P\Imp R$,
-concludes $if(P,Q,R)$. We propose this lemma and immediately simplify
-using \isa{if\_def} to expand the definition of \isa{if} in the
-subgoal.
-\begin{isabelle}
-\isacommand{lemma}\ ifI: "[|\ P\ ==>\ Q;\ \isachartilde P\ ==>\ R\
-|]\ ==>\ if(P,Q,R)"\isanewline
-\ 1.\ \isasymlbrakk P\ \isasymLongrightarrow \ Q;\ \isasymnot \ P\ \isasymLongrightarrow \ R\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ Q,\ R)
-\isanewline
-\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
-\ 1.\ \isasymlbrakk P\ \isasymLongrightarrow \ Q;\ \isasymnot \ P\ \isasymLongrightarrow \ R\isasymrbrakk \ \isasymLongrightarrow \ P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \
-R
-\end{isabelle}
-The rule's premises, although expressed using meta-level implication
-(\isa{\isasymLongrightarrow}) are passed as ordinary implications to
-\methdx{blast}.
-\begin{isabelle}
-\isacommand{apply}\ blast\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-
-
-\subsection{Deriving the elimination rule}
-The elimination rule has three premises, two of which are themselves rules.
-The conclusion is simply $S$.
-\begin{isabelle}
-\isacommand{lemma}\ ifE:\isanewline
-\ \ \ "[|\ if(P,Q,R);\ \ [|P;\ Q|]\ ==>\ S;\ [|\isachartilde P;\ R|]\ ==>\ S\ |]\ ==>\ S"\isanewline
-\ 1.\ \isasymlbrakk if(P,\ Q,\ R);\ \isasymlbrakk P;\ Q\isasymrbrakk \ \isasymLongrightarrow \ S;\ \isasymlbrakk \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ S\isasymrbrakk \ \isasymLongrightarrow \ S%
-\isanewline
-\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
-\ 1.\ \isasymlbrakk P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R;\ \isasymlbrakk P;\ Q\isasymrbrakk \ \isasymLongrightarrow \ S;\ \isasymlbrakk \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ S\isasymrbrakk \ \isasymLongrightarrow \ S%
-\end{isabelle}
-The proof script is the same as before: \isa{simp} followed by
-\isa{blast}:
-\begin{isabelle}
-\isacommand{apply}\ blast\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-
-
-\subsection{Using the derived rules}
-Our new derived rules, \tdx{ifI} and~\tdx{ifE}, permit natural
-proofs of theorems such as the following:
-\begin{eqnarray*}
- if(P, if(Q,A,B), if(Q,C,D)) & \bimp & if(Q,if(P,A,C),if(P,B,D)) \\
- if(if(P,Q,R), A, B) & \bimp & if(P,if(Q,A,B),if(R,A,B))
-\end{eqnarray*}
-Proofs also require the classical reasoning rules and the $\bimp$
-introduction rule (called~\tdx{iffI}: do not confuse with~\isa{ifI}).
-
-To display the $if$-rules in action, let us analyse a proof step by step.
-\begin{isabelle}
-\isacommand{lemma}\ if\_commute:\isanewline
-\ \ \ \ \ "if(P,\ if(Q,A,B),\
-if(Q,C,D))\ <->\ if(Q,\ if(P,A,C),\ if(P,B,D))"\isanewline
-\isacommand{apply}\ (rule\ iffI)\isanewline
-\ 1.\ if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 1.\ }if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 2.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 2.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
-\end{isabelle}
-The $if$-elimination rule can be applied twice in succession.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ ifE)\isanewline
-\ 1.\ \isasymlbrakk P;\ if(Q,\ A,\ B)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 2.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 3.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 3.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
-\isanewline
-\isacommand{apply}\ (erule\ ifE)\isanewline
-\ 1.\ \isasymlbrakk P;\ Q;\ A\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 2.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 3.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 4.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 4.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
-\end{isabelle}
-%
-In the first two subgoals, all assumptions have been reduced to atoms. Now
-$if$-introduction can be applied. Observe how the $if$-rules break down
-occurrences of $if$ when they become the outermost connective.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ ifI)\isanewline
-\ 1.\ \isasymlbrakk P;\ Q;\ A;\ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ A,\ C)\isanewline
-\ 2.\ \isasymlbrakk P;\ Q;\ A;\ \isasymnot \ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ B,\ D)\isanewline
-\ 3.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 4.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 5.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 5.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
-\isanewline
-\isacommand{apply}\ (rule\ ifI)\isanewline
-\ 1.\ \isasymlbrakk P;\ Q;\ A;\ Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
-\ 2.\ \isasymlbrakk P;\ Q;\ A;\ Q;\ \isasymnot \ P\isasymrbrakk \ \isasymLongrightarrow \ C\isanewline
-\ 3.\ \isasymlbrakk P;\ Q;\ A;\ \isasymnot \ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ B,\ D)\isanewline
-\ 4.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 5.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
-\ 6.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
-\isaindent{\ 6.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
-\end{isabelle}
-Where do we stand? The first subgoal holds by assumption; the second and
-third, by contradiction. This is getting tedious. We could use the classical
-reasoner, but first let us extend the default claset with the derived rules
-for~$if$.
-\begin{isabelle}
-\isacommand{declare}\ ifI\ [intro!]\isanewline
-\isacommand{declare}\ ifE\ [elim!]
-\end{isabelle}
-With these declarations, we could have proved this theorem with a single
-call to \isa{blast}. Here is another example:
-\begin{isabelle}
-\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,A,B))"\isanewline
-\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ A,\ B))
-\isanewline
-\isacommand{by}\ blast
-\end{isabelle}
-
-
-\subsection{Derived rules versus definitions}
-Dispensing with the derived rules, we can treat $if$ as an
-abbreviation, and let \ttindex{blast_tac} prove the expanded formula. Let
-us redo the previous proof:
-\begin{isabelle}
-\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,A,B))"\isanewline
-\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ A,\ B))
-\end{isabelle}
-This time, we simply unfold using the definition of $if$:
-\begin{isabelle}
-\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
-\ 1.\ (P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R)\ \isasymand \ A\ \isasymor \ (\isasymnot \ P\ \isasymor \ \isasymnot \ Q)\ \isasymand \ (P\ \isasymor \ \isasymnot \ R)\ \isasymand \ B\ \isasymlongleftrightarrow \isanewline
-\isaindent{\ 1.\ }P\ \isasymand \ (Q\ \isasymand \ A\ \isasymor \ \isasymnot \ Q\ \isasymand \ B)\ \isasymor \ \isasymnot \ P\ \isasymand \ (R\ \isasymand \ A\ \isasymor \ \isasymnot \ R\ \isasymand \ B)
-\end{isabelle}
-We are left with a subgoal in pure first-order logic, and it falls to
-\isa{blast}:
-\begin{isabelle}
-\isacommand{apply}\ blast\isanewline
-No\ subgoals!
-\end{isabelle}
-Expanding definitions reduces the extended logic to the base logic. This
-approach has its merits, but it can be slow. In these examples, proofs
-using the derived rules for~\isa{if} run about six
-times faster than proofs using just the rules of first-order logic.
-
-Expanding definitions can also make it harder to diagnose errors.
-Suppose we are having difficulties in proving some goal. If by expanding
-definitions we have made it unreadable, then we have little hope of
-diagnosing the problem.
-
-Attempts at program verification often yield invalid assertions.
-Let us try to prove one:
-\begin{isabelle}
-\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,B,A))"\isanewline
-\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ B,\
-A))
-\end{isabelle}
-Calling \isa{blast} yields an uninformative failure message. We can
-get a closer look at the situation by applying \methdx{auto}.
-\begin{isabelle}
-\isacommand{apply}\ auto\isanewline
-\ 1.\ \isasymlbrakk A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ B\isanewline
-\ 2.\ \isasymlbrakk B;\ \isasymnot \ P;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
-\ 3.\ \isasymlbrakk B;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
-\ 4.\ \isasymlbrakk \isasymnot \ R;\ A;\ \isasymnot \ B;\ \isasymnot \ P\isasymrbrakk \ \isasymLongrightarrow \
-False
-\end{isabelle}
-Subgoal~1 is unprovable and yields a countermodel: $P$ and~$B$ are false
-while~$R$ and~$A$ are true. This truth assignment reduces the main goal to
-$true\bimp false$, which is of course invalid.
-
-We can repeat this analysis by expanding definitions, using just the rules of
-first-order logic:
-\begin{isabelle}
-\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,B,A))"\isanewline
-\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ B,\
-A))
-\isanewline
-\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
-\ 1.\ (P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R)\ \isasymand \ A\ \isasymor \ (\isasymnot \ P\ \isasymor \ \isasymnot \ Q)\ \isasymand \ (P\ \isasymor \ \isasymnot \ R)\ \isasymand \ B\ \isasymlongleftrightarrow \isanewline
-\isaindent{\ 1.\ }P\ \isasymand \ (Q\ \isasymand \ A\ \isasymor \ \isasymnot \ Q\ \isasymand \ B)\ \isasymor \ \isasymnot \ P\ \isasymand \ (R\ \isasymand \ B\ \isasymor \ \isasymnot \ R\ \isasymand \ A)
-\end{isabelle}
-Again \isa{blast} would fail, so we try \methdx{auto}:
-\begin{isabelle}
-\isacommand{apply}\ (auto)\ \isanewline
-\ 1.\ \isasymlbrakk A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ B\isanewline
-\ 2.\ \isasymlbrakk A;\ \isasymnot \ P;\ R;\ \isasymnot \ B\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
-\ 3.\ \isasymlbrakk B;\ \isasymnot \ R;\ \isasymnot \ P;\ \isasymnot \ A\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
-\ 4.\ \isasymlbrakk B;\ \isasymnot \ P;\ \isasymnot \ A;\ \isasymnot \ R;\ Q\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
-\ 5.\ \isasymlbrakk B;\ \isasymnot \ Q;\ \isasymnot \ R;\ \isasymnot \ P;\ \isasymnot \ A\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
-\ 6.\ \isasymlbrakk B;\ \isasymnot \ A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
-\ 7.\ \isasymlbrakk \isasymnot \ P;\ A;\ \isasymnot \ B;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
-\ 8.\ \isasymlbrakk \isasymnot \ P;\ A;\ \isasymnot \ B;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ Q%
-\end{isabelle}
-Subgoal~1 yields the same countermodel as before. But each proof step has
-taken six times as long, and the final result contains twice as many subgoals.
-
-Expanding your definitions usually makes proofs more difficult. This is
-why the classical prover has been designed to accept derived rules.
-
-\index{first-order logic|)}
--- a/doc-src/ZF/document/ZF.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2717 +0,0 @@
-\chapter{Zermelo-Fraenkel Set Theory}
-\index{set theory|(}
-
-The theory~\thydx{ZF} implements Zermelo-Fraenkel set
-theory~\cite{halmos60,suppes72} as an extension of~\texttt{FOL}, classical
-first-order logic. The theory includes a collection of derived natural
-deduction rules, for use with Isabelle's classical reasoner. Some
-of it is based on the work of No\"el~\cite{noel}.
-
-A tremendous amount of set theory has been formally developed, including the
-basic properties of relations, functions, ordinals and cardinals. Significant
-results have been proved, such as the Schr\"oder-Bernstein Theorem, the
-Wellordering Theorem and a version of Ramsey's Theorem. \texttt{ZF} provides
-both the integers and the natural numbers. General methods have been
-developed for solving recursion equations over monotonic functors; these have
-been applied to yield constructions of lists, trees, infinite lists, etc.
-
-\texttt{ZF} has a flexible package for handling inductive definitions,
-such as inference systems, and datatype definitions, such as lists and
-trees. Moreover it handles coinductive definitions, such as
-bisimulation relations, and codatatype definitions, such as streams. It
-provides a streamlined syntax for defining primitive recursive functions over
-datatypes.
-
-Published articles~\cite{paulson-set-I,paulson-set-II} describe \texttt{ZF}
-less formally than this chapter. Isabelle employs a novel treatment of
-non-well-founded data structures within the standard {\sc zf} axioms including
-the Axiom of Foundation~\cite{paulson-mscs}.
-
-
-\section{Which version of axiomatic set theory?}
-The two main axiom systems for set theory are Bernays-G\"odel~({\sc bg})
-and Zermelo-Fraenkel~({\sc zf}). Resolution theorem provers can use {\sc
- bg} because it is finite~\cite{boyer86,quaife92}. {\sc zf} does not
-have a finite axiom system because of its Axiom Scheme of Replacement.
-This makes it awkward to use with many theorem provers, since instances
-of the axiom scheme have to be invoked explicitly. Since Isabelle has no
-difficulty with axiom schemes, we may adopt either axiom system.
-
-These two theories differ in their treatment of {\bf classes}, which are
-collections that are `too big' to be sets. The class of all sets,~$V$,
-cannot be a set without admitting Russell's Paradox. In {\sc bg}, both
-classes and sets are individuals; $x\in V$ expresses that $x$ is a set. In
-{\sc zf}, all variables denote sets; classes are identified with unary
-predicates. The two systems define essentially the same sets and classes,
-with similar properties. In particular, a class cannot belong to another
-class (let alone a set).
-
-Modern set theorists tend to prefer {\sc zf} because they are mainly concerned
-with sets, rather than classes. {\sc bg} requires tiresome proofs that various
-collections are sets; for instance, showing $x\in\{x\}$ requires showing that
-$x$ is a set.
-
-
-\begin{figure} \small
-\begin{center}
-\begin{tabular}{rrr}
- \it name &\it meta-type & \it description \\
- \cdx{Let} & $[\alpha,\alpha\To\beta]\To\beta$ & let binder\\
- \cdx{0} & $i$ & empty set\\
- \cdx{cons} & $[i,i]\To i$ & finite set constructor\\
- \cdx{Upair} & $[i,i]\To i$ & unordered pairing\\
- \cdx{Pair} & $[i,i]\To i$ & ordered pairing\\
- \cdx{Inf} & $i$ & infinite set\\
- \cdx{Pow} & $i\To i$ & powerset\\
- \cdx{Union} \cdx{Inter} & $i\To i$ & set union/intersection \\
- \cdx{split} & $[[i,i]\To i, i] \To i$ & generalized projection\\
- \cdx{fst} \cdx{snd} & $i\To i$ & projections\\
- \cdx{converse}& $i\To i$ & converse of a relation\\
- \cdx{succ} & $i\To i$ & successor\\
- \cdx{Collect} & $[i,i\To o]\To i$ & separation\\
- \cdx{Replace} & $[i, [i,i]\To o] \To i$ & replacement\\
- \cdx{PrimReplace} & $[i, [i,i]\To o] \To i$ & primitive replacement\\
- \cdx{RepFun} & $[i, i\To i] \To i$ & functional replacement\\
- \cdx{Pi} \cdx{Sigma} & $[i,i\To i]\To i$ & general product/sum\\
- \cdx{domain} & $i\To i$ & domain of a relation\\
- \cdx{range} & $i\To i$ & range of a relation\\
- \cdx{field} & $i\To i$ & field of a relation\\
- \cdx{Lambda} & $[i, i\To i]\To i$ & $\lambda$-abstraction\\
- \cdx{restrict}& $[i, i] \To i$ & restriction of a function\\
- \cdx{The} & $[i\To o]\To i$ & definite description\\
- \cdx{if} & $[o,i,i]\To i$ & conditional\\
- \cdx{Ball} \cdx{Bex} & $[i, i\To o]\To o$ & bounded quantifiers
-\end{tabular}
-\end{center}
-\subcaption{Constants}
-
-\begin{center}
-\index{*"`"` symbol}
-\index{*"-"`"` symbol}
-\index{*"` symbol}\index{function applications}
-\index{*"- symbol}
-\index{*": symbol}
-\index{*"<"= symbol}
-\begin{tabular}{rrrr}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt `` & $[i,i]\To i$ & Left 90 & image \\
- \tt -`` & $[i,i]\To i$ & Left 90 & inverse image \\
- \tt ` & $[i,i]\To i$ & Left 90 & application \\
- \sdx{Int} & $[i,i]\To i$ & Left 70 & intersection ($\int$) \\
- \sdx{Un} & $[i,i]\To i$ & Left 65 & union ($\un$) \\
- \tt - & $[i,i]\To i$ & Left 65 & set difference ($-$) \\[1ex]
- \tt: & $[i,i]\To o$ & Left 50 & membership ($\in$) \\
- \tt <= & $[i,i]\To o$ & Left 50 & subset ($\subseteq$)
-\end{tabular}
-\end{center}
-\subcaption{Infixes}
-\caption{Constants of ZF} \label{zf-constants}
-\end{figure}
-
-
-\section{The syntax of set theory}
-The language of set theory, as studied by logicians, has no constants. The
-traditional axioms merely assert the existence of empty sets, unions,
-powersets, etc.; this would be intolerable for practical reasoning. The
-Isabelle theory declares constants for primitive sets. It also extends
-\texttt{FOL} with additional syntax for finite sets, ordered pairs,
-comprehension, general union/intersection, general sums/products, and
-bounded quantifiers. In most other respects, Isabelle implements precisely
-Zermelo-Fraenkel set theory.
-
-Figure~\ref{zf-constants} lists the constants and infixes of~ZF, while
-Figure~\ref{zf-trans} presents the syntax translations. Finally,
-Figure~\ref{zf-syntax} presents the full grammar for set theory, including the
-constructs of FOL.
-
-Local abbreviations can be introduced by a \isa{let} construct whose
-syntax appears in Fig.\ts\ref{zf-syntax}. Internally it is translated into
-the constant~\cdx{Let}. It can be expanded by rewriting with its
-definition, \tdx{Let_def}.
-
-Apart from \isa{let}, set theory does not use polymorphism. All terms in
-ZF have type~\tydx{i}, which is the type of individuals and has
-class~\cldx{term}. The type of first-order formulae, remember,
-is~\tydx{o}.
-
-Infix operators include binary union and intersection ($A\un B$ and
-$A\int B$), set difference ($A-B$), and the subset and membership
-relations. Note that $a$\verb|~:|$b$ is translated to $\lnot(a\in b)$,
-which is equivalent to $a\notin b$. The
-union and intersection operators ($\bigcup A$ and $\bigcap A$) form the
-union or intersection of a set of sets; $\bigcup A$ means the same as
-$\bigcup@{x\in A}x$. Of these operators, only $\bigcup A$ is primitive.
-
-The constant \cdx{Upair} constructs unordered pairs; thus \isa{Upair($A$,$B$)} denotes the set~$\{A,B\}$ and
-\isa{Upair($A$,$A$)} denotes the singleton~$\{A\}$. General union is
-used to define binary union. The Isabelle version goes on to define
-the constant
-\cdx{cons}:
-\begin{eqnarray*}
- A\cup B & \equiv & \bigcup(\isa{Upair}(A,B)) \\
- \isa{cons}(a,B) & \equiv & \isa{Upair}(a,a) \un B
-\end{eqnarray*}
-The $\{a@1, \ldots\}$ notation abbreviates finite sets constructed in the
-obvious manner using~\isa{cons} and~$\emptyset$ (the empty set) \isasymin \begin{eqnarray*}
- \{a,b,c\} & \equiv & \isa{cons}(a,\isa{cons}(b,\isa{cons}(c,\emptyset)))
-\end{eqnarray*}
-
-The constant \cdx{Pair} constructs ordered pairs, as in \isa{Pair($a$,$b$)}. Ordered pairs may also be written within angle brackets,
-as {\tt<$a$,$b$>}. The $n$-tuple {\tt<$a@1$,\ldots,$a@{n-1}$,$a@n$>}
-abbreviates the nest of pairs\par\nobreak
-\centerline{\isa{Pair($a@1$,\ldots,Pair($a@{n-1}$,$a@n$)\ldots).}}
-
-In ZF, a function is a set of pairs. A ZF function~$f$ is simply an
-individual as far as Isabelle is concerned: its Isabelle type is~$i$, not say
-$i\To i$. The infix operator~{\tt`} denotes the application of a function set
-to its argument; we must write~$f{\tt`}x$, not~$f(x)$. The syntax for image
-is~$f{\tt``}A$ and that for inverse image is~$f{\tt-``}A$.
-
-
-\begin{figure}
-\index{lambda abs@$\lambda$-abstractions}
-\index{*"-"> symbol}
-\index{*"* symbol}
-\begin{center} \footnotesize\tt\frenchspacing
-\begin{tabular}{rrr}
- \it external & \it internal & \it description \\
- $a$ \ttilde: $b$ & \ttilde($a$ : $b$) & \rm negated membership\\
- \ttlbrace$a@1$, $\ldots$, $a@n$\ttrbrace & cons($a@1$,$\ldots$,cons($a@n$,0)) &
- \rm finite set \\
- <$a@1$, $\ldots$, $a@{n-1}$, $a@n$> &
- Pair($a@1$,\ldots,Pair($a@{n-1}$,$a@n$)\ldots) &
- \rm ordered $n$-tuple \\
- \ttlbrace$x$:$A . P[x]$\ttrbrace & Collect($A$,$\lambda x. P[x]$) &
- \rm separation \\
- \ttlbrace$y . x$:$A$, $Q[x,y]$\ttrbrace & Replace($A$,$\lambda x\,y. Q[x,y]$) &
- \rm replacement \\
- \ttlbrace$b[x] . x$:$A$\ttrbrace & RepFun($A$,$\lambda x. b[x]$) &
- \rm functional replacement \\
- \sdx{INT} $x$:$A . B[x]$ & Inter(\ttlbrace$B[x] . x$:$A$\ttrbrace) &
- \rm general intersection \\
- \sdx{UN} $x$:$A . B[x]$ & Union(\ttlbrace$B[x] . x$:$A$\ttrbrace) &
- \rm general union \\
- \sdx{PROD} $x$:$A . B[x]$ & Pi($A$,$\lambda x. B[x]$) &
- \rm general product \\
- \sdx{SUM} $x$:$A . B[x]$ & Sigma($A$,$\lambda x. B[x]$) &
- \rm general sum \\
- $A$ -> $B$ & Pi($A$,$\lambda x. B$) &
- \rm function space \\
- $A$ * $B$ & Sigma($A$,$\lambda x. B$) &
- \rm binary product \\
- \sdx{THE} $x . P[x]$ & The($\lambda x. P[x]$) &
- \rm definite description \\
- \sdx{lam} $x$:$A . b[x]$ & Lambda($A$,$\lambda x. b[x]$) &
- \rm $\lambda$-abstraction\\[1ex]
- \sdx{ALL} $x$:$A . P[x]$ & Ball($A$,$\lambda x. P[x]$) &
- \rm bounded $\forall$ \\
- \sdx{EX} $x$:$A . P[x]$ & Bex($A$,$\lambda x. P[x]$) &
- \rm bounded $\exists$
-\end{tabular}
-\end{center}
-\caption{Translations for ZF} \label{zf-trans}
-\end{figure}
-
-
-\begin{figure}
-\index{*let symbol}
-\index{*in symbol}
-\dquotes
-\[\begin{array}{rcl}
- term & = & \hbox{expression of type~$i$} \\
- & | & "let"~id~"="~term";"\dots";"~id~"="~term~"in"~term \\
- & | & "if"~term~"then"~term~"else"~term \\
- & | & "{\ttlbrace} " term\; ("," term)^* " {\ttrbrace}" \\
- & | & "< " term\; ("," term)^* " >" \\
- & | & "{\ttlbrace} " id ":" term " . " formula " {\ttrbrace}" \\
- & | & "{\ttlbrace} " id " . " id ":" term ", " formula " {\ttrbrace}" \\
- & | & "{\ttlbrace} " term " . " id ":" term " {\ttrbrace}" \\
- & | & term " `` " term \\
- & | & term " -`` " term \\
- & | & term " ` " term \\
- & | & term " * " term \\
- & | & term " \isasyminter " term \\
- & | & term " \isasymunion " term \\
- & | & term " - " term \\
- & | & term " -> " term \\
- & | & "THE~~" id " . " formula\\
- & | & "lam~~" id ":" term " . " term \\
- & | & "INT~~" id ":" term " . " term \\
- & | & "UN~~~" id ":" term " . " term \\
- & | & "PROD~" id ":" term " . " term \\
- & | & "SUM~~" id ":" term " . " term \\[2ex]
- formula & = & \hbox{expression of type~$o$} \\
- & | & term " : " term \\
- & | & term " \ttilde: " term \\
- & | & term " <= " term \\
- & | & term " = " term \\
- & | & term " \ttilde= " term \\
- & | & "\ttilde\ " formula \\
- & | & formula " \& " formula \\
- & | & formula " | " formula \\
- & | & formula " --> " formula \\
- & | & formula " <-> " formula \\
- & | & "ALL " id ":" term " . " formula \\
- & | & "EX~~" id ":" term " . " formula \\
- & | & "ALL~" id~id^* " . " formula \\
- & | & "EX~~" id~id^* " . " formula \\
- & | & "EX!~" id~id^* " . " formula
- \end{array}
-\]
-\caption{Full grammar for ZF} \label{zf-syntax}
-\end{figure}
-
-
-\section{Binding operators}
-The constant \cdx{Collect} constructs sets by the principle of {\bf
- separation}. The syntax for separation is
-\hbox{\tt\ttlbrace$x$:$A$.\ $P[x]$\ttrbrace}, where $P[x]$ is a formula
-that may contain free occurrences of~$x$. It abbreviates the set \isa{Collect($A$,$\lambda x. P[x]$)}, which consists of all $x\in A$ that
-satisfy~$P[x]$. Note that \isa{Collect} is an unfortunate choice of
-name: some set theories adopt a set-formation principle, related to
-replacement, called collection.
-
-The constant \cdx{Replace} constructs sets by the principle of {\bf
- replacement}. The syntax
-\hbox{\tt\ttlbrace$y$.\ $x$:$A$,$Q[x,y]$\ttrbrace} denotes the set
-\isa{Replace($A$,$\lambda x\,y. Q[x,y]$)}, which consists of all~$y$ such
-that there exists $x\in A$ satisfying~$Q[x,y]$. The Replacement Axiom
-has the condition that $Q$ must be single-valued over~$A$: for
-all~$x\in A$ there exists at most one $y$ satisfying~$Q[x,y]$. A
-single-valued binary predicate is also called a {\bf class function}.
-
-The constant \cdx{RepFun} expresses a special case of replacement,
-where $Q[x,y]$ has the form $y=b[x]$. Such a $Q$ is trivially
-single-valued, since it is just the graph of the meta-level
-function~$\lambda x. b[x]$. The resulting set consists of all $b[x]$
-for~$x\in A$. This is analogous to the \ML{} functional \isa{map},
-since it applies a function to every element of a set. The syntax is
-\isa{\ttlbrace$b[x]$.\ $x$:$A$\ttrbrace}, which expands to
-\isa{RepFun($A$,$\lambda x. b[x]$)}.
-
-\index{*INT symbol}\index{*UN symbol}
-General unions and intersections of indexed
-families of sets, namely $\bigcup@{x\in A}B[x]$ and $\bigcap@{x\in A}B[x]$,
-are written \isa{UN $x$:$A$.\ $B[x]$} and \isa{INT $x$:$A$.\ $B[x]$}.
-Their meaning is expressed using \isa{RepFun} as
-\[
-\bigcup(\{B[x]. x\in A\}) \qquad\hbox{and}\qquad
-\bigcap(\{B[x]. x\in A\}).
-\]
-General sums $\sum@{x\in A}B[x]$ and products $\prod@{x\in A}B[x]$ can be
-constructed in set theory, where $B[x]$ is a family of sets over~$A$. They
-have as special cases $A\times B$ and $A\to B$, where $B$ is simply a set.
-This is similar to the situation in Constructive Type Theory (set theory
-has `dependent sets') and calls for similar syntactic conventions. The
-constants~\cdx{Sigma} and~\cdx{Pi} construct general sums and
-products. Instead of \isa{Sigma($A$,$B$)} and \isa{Pi($A$,$B$)} we may
-write
-\isa{SUM $x$:$A$.\ $B[x]$} and \isa{PROD $x$:$A$.\ $B[x]$}.
-\index{*SUM symbol}\index{*PROD symbol}%
-The special cases as \hbox{\tt$A$*$B$} and \hbox{\tt$A$->$B$} abbreviate
-general sums and products over a constant family.\footnote{Unlike normal
-infix operators, {\tt*} and {\tt->} merely define abbreviations; there are
-no constants~\isa{op~*} and~\isa{op~->}.} Isabelle accepts these
-abbreviations in parsing and uses them whenever possible for printing.
-
-\index{*THE symbol} As mentioned above, whenever the axioms assert the
-existence and uniqueness of a set, Isabelle's set theory declares a constant
-for that set. These constants can express the {\bf definite description}
-operator~$\iota x. P[x]$, which stands for the unique~$a$ satisfying~$P[a]$,
-if such exists. Since all terms in ZF denote something, a description is
-always meaningful, but we do not know its value unless $P[x]$ defines it
-uniquely. Using the constant~\cdx{The}, we may write descriptions as
-\isa{The($\lambda x. P[x]$)} or use the syntax \isa{THE $x$.\ $P[x]$}.
-
-\index{*lam symbol}
-Function sets may be written in $\lambda$-notation; $\lambda x\in A. b[x]$
-stands for the set of all pairs $\pair{x,b[x]}$ for $x\in A$. In order for
-this to be a set, the function's domain~$A$ must be given. Using the
-constant~\cdx{Lambda}, we may express function sets as \isa{Lambda($A$,$\lambda x. b[x]$)} or use the syntax \isa{lam $x$:$A$.\ $b[x]$}.
-
-Isabelle's set theory defines two {\bf bounded quantifiers}:
-\begin{eqnarray*}
- \forall x\in A. P[x] &\hbox{abbreviates}& \forall x. x\in A\imp P[x] \\
- \exists x\in A. P[x] &\hbox{abbreviates}& \exists x. x\in A\conj P[x]
-\end{eqnarray*}
-The constants~\cdx{Ball} and~\cdx{Bex} are defined
-accordingly. Instead of \isa{Ball($A$,$P$)} and \isa{Bex($A$,$P$)} we may
-write
-\isa{ALL $x$:$A$.\ $P[x]$} and \isa{EX $x$:$A$.\ $P[x]$}.
-
-
-%%%% ZF.thy
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{Let_def}: Let(s, f) == f(s)
-
-\tdx{Ball_def}: Ball(A,P) == {\isasymforall}x. x \isasymin A --> P(x)
-\tdx{Bex_def}: Bex(A,P) == {\isasymexists}x. x \isasymin A & P(x)
-
-\tdx{subset_def}: A \isasymsubseteq B == {\isasymforall}x \isasymin A. x \isasymin B
-\tdx{extension}: A = B <-> A \isasymsubseteq B & B \isasymsubseteq A
-
-\tdx{Union_iff}: A \isasymin Union(C) <-> ({\isasymexists}B \isasymin C. A \isasymin B)
-\tdx{Pow_iff}: A \isasymin Pow(B) <-> A \isasymsubseteq B
-\tdx{foundation}: A=0 | ({\isasymexists}x \isasymin A. {\isasymforall}y \isasymin x. y \isasymnotin A)
-
-\tdx{replacement}: ({\isasymforall}x \isasymin A. {\isasymforall}y z. P(x,y) & P(x,z) --> y=z) ==>
- b \isasymin PrimReplace(A,P) <-> ({\isasymexists}x{\isasymin}A. P(x,b))
-\subcaption{The Zermelo-Fraenkel Axioms}
-
-\tdx{Replace_def}: Replace(A,P) ==
- PrimReplace(A, \%x y. (\isasymexists!z. P(x,z)) & P(x,y))
-\tdx{RepFun_def}: RepFun(A,f) == {\ttlbrace}y . x \isasymin A, y=f(x)\ttrbrace
-\tdx{the_def}: The(P) == Union({\ttlbrace}y . x \isasymin {\ttlbrace}0{\ttrbrace}, P(y){\ttrbrace})
-\tdx{if_def}: if(P,a,b) == THE z. P & z=a | ~P & z=b
-\tdx{Collect_def}: Collect(A,P) == {\ttlbrace}y . x \isasymin A, x=y & P(x){\ttrbrace}
-\tdx{Upair_def}: Upair(a,b) ==
- {\ttlbrace}y. x\isasymin{}Pow(Pow(0)), x=0 & y=a | x=Pow(0) & y=b{\ttrbrace}
-\subcaption{Consequences of replacement}
-
-\tdx{Inter_def}: Inter(A) == {\ttlbrace}x \isasymin Union(A) . {\isasymforall}y \isasymin A. x \isasymin y{\ttrbrace}
-\tdx{Un_def}: A \isasymunion B == Union(Upair(A,B))
-\tdx{Int_def}: A \isasyminter B == Inter(Upair(A,B))
-\tdx{Diff_def}: A - B == {\ttlbrace}x \isasymin A . x \isasymnotin B{\ttrbrace}
-\subcaption{Union, intersection, difference}
-\end{alltt*}
-\caption{Rules and axioms of ZF} \label{zf-rules}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{cons_def}: cons(a,A) == Upair(a,a) \isasymunion A
-\tdx{succ_def}: succ(i) == cons(i,i)
-\tdx{infinity}: 0 \isasymin Inf & ({\isasymforall}y \isasymin Inf. succ(y) \isasymin Inf)
-\subcaption{Finite and infinite sets}
-
-\tdx{Pair_def}: <a,b> == {\ttlbrace}{\ttlbrace}a,a{\ttrbrace}, {\ttlbrace}a,b{\ttrbrace}{\ttrbrace}
-\tdx{split_def}: split(c,p) == THE y. {\isasymexists}a b. p=<a,b> & y=c(a,b)
-\tdx{fst_def}: fst(A) == split(\%x y. x, p)
-\tdx{snd_def}: snd(A) == split(\%x y. y, p)
-\tdx{Sigma_def}: Sigma(A,B) == {\isasymUnion}x \isasymin A. {\isasymUnion}y \isasymin B(x). {\ttlbrace}<x,y>{\ttrbrace}
-\subcaption{Ordered pairs and Cartesian products}
-
-\tdx{converse_def}: converse(r) == {\ttlbrace}z. w\isasymin{}r, {\isasymexists}x y. w=<x,y> & z=<y,x>{\ttrbrace}
-\tdx{domain_def}: domain(r) == {\ttlbrace}x. w \isasymin r, {\isasymexists}y. w=<x,y>{\ttrbrace}
-\tdx{range_def}: range(r) == domain(converse(r))
-\tdx{field_def}: field(r) == domain(r) \isasymunion range(r)
-\tdx{image_def}: r `` A == {\ttlbrace}y\isasymin{}range(r) . {\isasymexists}x \isasymin A. <x,y> \isasymin r{\ttrbrace}
-\tdx{vimage_def}: r -`` A == converse(r)``A
-\subcaption{Operations on relations}
-
-\tdx{lam_def}: Lambda(A,b) == {\ttlbrace}<x,b(x)> . x \isasymin A{\ttrbrace}
-\tdx{apply_def}: f`a == THE y. <a,y> \isasymin f
-\tdx{Pi_def}: Pi(A,B) == {\ttlbrace}f\isasymin{}Pow(Sigma(A,B)). {\isasymforall}x\isasymin{}A. \isasymexists!y. <x,y>\isasymin{}f{\ttrbrace}
-\tdx{restrict_def}: restrict(f,A) == lam x \isasymin A. f`x
-\subcaption{Functions and general product}
-\end{alltt*}
-\caption{Further definitions of ZF} \label{zf-defs}
-\end{figure}
-
-
-
-\section{The Zermelo-Fraenkel axioms}
-The axioms appear in Fig.\ts \ref{zf-rules}. They resemble those
-presented by Suppes~\cite{suppes72}. Most of the theory consists of
-definitions. In particular, bounded quantifiers and the subset relation
-appear in other axioms. Object-level quantifiers and implications have
-been replaced by meta-level ones wherever possible, to simplify use of the
-axioms.
-
-The traditional replacement axiom asserts
-\[ y \in \isa{PrimReplace}(A,P) \bimp (\exists x\in A. P(x,y)) \]
-subject to the condition that $P(x,y)$ is single-valued for all~$x\in A$.
-The Isabelle theory defines \cdx{Replace} to apply
-\cdx{PrimReplace} to the single-valued part of~$P$, namely
-\[ (\exists!z. P(x,z)) \conj P(x,y). \]
-Thus $y\in \isa{Replace}(A,P)$ if and only if there is some~$x$ such that
-$P(x,-)$ holds uniquely for~$y$. Because the equivalence is unconditional,
-\isa{Replace} is much easier to use than \isa{PrimReplace}; it defines the
-same set, if $P(x,y)$ is single-valued. The nice syntax for replacement
-expands to \isa{Replace}.
-
-Other consequences of replacement include replacement for
-meta-level functions
-(\cdx{RepFun}) and definite descriptions (\cdx{The}).
-Axioms for separation (\cdx{Collect}) and unordered pairs
-(\cdx{Upair}) are traditionally assumed, but they actually follow
-from replacement~\cite[pages 237--8]{suppes72}.
-
-The definitions of general intersection, etc., are straightforward. Note
-the definition of \isa{cons}, which underlies the finite set notation.
-The axiom of infinity gives us a set that contains~0 and is closed under
-successor (\cdx{succ}). Although this set is not uniquely defined,
-the theory names it (\cdx{Inf}) in order to simplify the
-construction of the natural numbers.
-
-Further definitions appear in Fig.\ts\ref{zf-defs}. Ordered pairs are
-defined in the standard way, $\pair{a,b}\equiv\{\{a\},\{a,b\}\}$. Recall
-that \cdx{Sigma}$(A,B)$ generalizes the Cartesian product of two
-sets. It is defined to be the union of all singleton sets
-$\{\pair{x,y}\}$, for $x\in A$ and $y\in B(x)$. This is a typical usage of
-general union.
-
-The projections \cdx{fst} and~\cdx{snd} are defined in terms of the
-generalized projection \cdx{split}. The latter has been borrowed from
-Martin-L\"of's Type Theory, and is often easier to use than \cdx{fst}
-and~\cdx{snd}.
-
-Operations on relations include converse, domain, range, and image. The
-set $\isa{Pi}(A,B)$ generalizes the space of functions between two sets.
-Note the simple definitions of $\lambda$-abstraction (using
-\cdx{RepFun}) and application (using a definite description). The
-function \cdx{restrict}$(f,A)$ has the same values as~$f$, but only
-over the domain~$A$.
-
-
-%%%% zf.thy
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{ballI}: [| !!x. x\isasymin{}A ==> P(x) |] ==> {\isasymforall}x\isasymin{}A. P(x)
-\tdx{bspec}: [| {\isasymforall}x\isasymin{}A. P(x); x\isasymin{}A |] ==> P(x)
-\tdx{ballE}: [| {\isasymforall}x\isasymin{}A. P(x); P(x) ==> Q; x \isasymnotin A ==> Q |] ==> Q
-
-\tdx{ball_cong}: [| A=A'; !!x. x\isasymin{}A' ==> P(x) <-> P'(x) |] ==>
- ({\isasymforall}x\isasymin{}A. P(x)) <-> ({\isasymforall}x\isasymin{}A'. P'(x))
-
-\tdx{bexI}: [| P(x); x\isasymin{}A |] ==> {\isasymexists}x\isasymin{}A. P(x)
-\tdx{bexCI}: [| {\isasymforall}x\isasymin{}A. ~P(x) ==> P(a); a\isasymin{}A |] ==> {\isasymexists}x\isasymin{}A. P(x)
-\tdx{bexE}: [| {\isasymexists}x\isasymin{}A. P(x); !!x. [| x\isasymin{}A; P(x) |] ==> Q |] ==> Q
-
-\tdx{bex_cong}: [| A=A'; !!x. x\isasymin{}A' ==> P(x) <-> P'(x) |] ==>
- ({\isasymexists}x\isasymin{}A. P(x)) <-> ({\isasymexists}x\isasymin{}A'. P'(x))
-\subcaption{Bounded quantifiers}
-
-\tdx{subsetI}: (!!x. x \isasymin A ==> x \isasymin B) ==> A \isasymsubseteq B
-\tdx{subsetD}: [| A \isasymsubseteq B; c \isasymin A |] ==> c \isasymin B
-\tdx{subsetCE}: [| A \isasymsubseteq B; c \isasymnotin A ==> P; c \isasymin B ==> P |] ==> P
-\tdx{subset_refl}: A \isasymsubseteq A
-\tdx{subset_trans}: [| A \isasymsubseteq B; B \isasymsubseteq C |] ==> A \isasymsubseteq C
-
-\tdx{equalityI}: [| A \isasymsubseteq B; B \isasymsubseteq A |] ==> A = B
-\tdx{equalityD1}: A = B ==> A \isasymsubseteq B
-\tdx{equalityD2}: A = B ==> B \isasymsubseteq A
-\tdx{equalityE}: [| A = B; [| A \isasymsubseteq B; B \isasymsubseteq A |] ==> P |] ==> P
-\subcaption{Subsets and extensionality}
-
-\tdx{emptyE}: a \isasymin 0 ==> P
-\tdx{empty_subsetI}: 0 \isasymsubseteq A
-\tdx{equals0I}: [| !!y. y \isasymin A ==> False |] ==> A=0
-\tdx{equals0D}: [| A=0; a \isasymin A |] ==> P
-
-\tdx{PowI}: A \isasymsubseteq B ==> A \isasymin Pow(B)
-\tdx{PowD}: A \isasymin Pow(B) ==> A \isasymsubseteq B
-\subcaption{The empty set; power sets}
-\end{alltt*}
-\caption{Basic derived rules for ZF} \label{zf-lemmas1}
-\end{figure}
-
-
-\section{From basic lemmas to function spaces}
-Faced with so many definitions, it is essential to prove lemmas. Even
-trivial theorems like $A \int B = B \int A$ would be difficult to
-prove from the definitions alone. Isabelle's set theory derives many
-rules using a natural deduction style. Ideally, a natural deduction
-rule should introduce or eliminate just one operator, but this is not
-always practical. For most operators, we may forget its definition
-and use its derived rules instead.
-
-\subsection{Fundamental lemmas}
-Figure~\ref{zf-lemmas1} presents the derived rules for the most basic
-operators. The rules for the bounded quantifiers resemble those for the
-ordinary quantifiers, but note that \tdx{ballE} uses a negated assumption
-in the style of Isabelle's classical reasoner. The \rmindex{congruence
- rules} \tdx{ball_cong} and \tdx{bex_cong} are required by Isabelle's
-simplifier, but have few other uses. Congruence rules must be specially
-derived for all binding operators, and henceforth will not be shown.
-
-Figure~\ref{zf-lemmas1} also shows rules for the subset and equality
-relations (proof by extensionality), and rules about the empty set and the
-power set operator.
-
-Figure~\ref{zf-lemmas2} presents rules for replacement and separation.
-The rules for \cdx{Replace} and \cdx{RepFun} are much simpler than
-comparable rules for \isa{PrimReplace} would be. The principle of
-separation is proved explicitly, although most proofs should use the
-natural deduction rules for \isa{Collect}. The elimination rule
-\tdx{CollectE} is equivalent to the two destruction rules
-\tdx{CollectD1} and \tdx{CollectD2}, but each rule is suited to
-particular circumstances. Although too many rules can be confusing, there
-is no reason to aim for a minimal set of rules.
-
-Figure~\ref{zf-lemmas3} presents rules for general union and intersection.
-The empty intersection should be undefined. We cannot have
-$\bigcap(\emptyset)=V$ because $V$, the universal class, is not a set. All
-expressions denote something in ZF set theory; the definition of
-intersection implies $\bigcap(\emptyset)=\emptyset$, but this value is
-arbitrary. The rule \tdx{InterI} must have a premise to exclude
-the empty intersection. Some of the laws governing intersections require
-similar premises.
-
-
-%the [p] gives better page breaking for the book
-\begin{figure}[p]
-\begin{alltt*}\isastyleminor
-\tdx{ReplaceI}: [| x\isasymin{}A; P(x,b); !!y. P(x,y) ==> y=b |] ==>
- b\isasymin{}{\ttlbrace}y. x\isasymin{}A, P(x,y){\ttrbrace}
-
-\tdx{ReplaceE}: [| b\isasymin{}{\ttlbrace}y. x\isasymin{}A, P(x,y){\ttrbrace};
- !!x. [| x\isasymin{}A; P(x,b); {\isasymforall}y. P(x,y)-->y=b |] ==> R
- |] ==> R
-
-\tdx{RepFunI}: [| a\isasymin{}A |] ==> f(a)\isasymin{}{\ttlbrace}f(x). x\isasymin{}A{\ttrbrace}
-\tdx{RepFunE}: [| b\isasymin{}{\ttlbrace}f(x). x\isasymin{}A{\ttrbrace};
- !!x.[| x\isasymin{}A; b=f(x) |] ==> P |] ==> P
-
-\tdx{separation}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} <-> a\isasymin{}A & P(a)
-\tdx{CollectI}: [| a\isasymin{}A; P(a) |] ==> a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace}
-\tdx{CollectE}: [| a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace}; [| a\isasymin{}A; P(a) |] ==> R |] ==> R
-\tdx{CollectD1}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} ==> a\isasymin{}A
-\tdx{CollectD2}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} ==> P(a)
-\end{alltt*}
-\caption{Replacement and separation} \label{zf-lemmas2}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{UnionI}: [| B\isasymin{}C; A\isasymin{}B |] ==> A\isasymin{}Union(C)
-\tdx{UnionE}: [| A\isasymin{}Union(C); !!B.[| A\isasymin{}B; B\isasymin{}C |] ==> R |] ==> R
-
-\tdx{InterI}: [| !!x. x\isasymin{}C ==> A\isasymin{}x; c\isasymin{}C |] ==> A\isasymin{}Inter(C)
-\tdx{InterD}: [| A\isasymin{}Inter(C); B\isasymin{}C |] ==> A\isasymin{}B
-\tdx{InterE}: [| A\isasymin{}Inter(C); A\isasymin{}B ==> R; B \isasymnotin C ==> R |] ==> R
-
-\tdx{UN_I}: [| a\isasymin{}A; b\isasymin{}B(a) |] ==> b\isasymin{}({\isasymUnion}x\isasymin{}A. B(x))
-\tdx{UN_E}: [| b\isasymin{}({\isasymUnion}x\isasymin{}A. B(x)); !!x.[| x\isasymin{}A; b\isasymin{}B(x) |] ==> R
- |] ==> R
-
-\tdx{INT_I}: [| !!x. x\isasymin{}A ==> b\isasymin{}B(x); a\isasymin{}A |] ==> b\isasymin{}({\isasymInter}x\isasymin{}A. B(x))
-\tdx{INT_E}: [| b\isasymin{}({\isasymInter}x\isasymin{}A. B(x)); a\isasymin{}A |] ==> b\isasymin{}B(a)
-\end{alltt*}
-\caption{General union and intersection} \label{zf-lemmas3}
-\end{figure}
-
-
-%%% upair.thy
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{pairing}: a\isasymin{}Upair(b,c) <-> (a=b | a=c)
-\tdx{UpairI1}: a\isasymin{}Upair(a,b)
-\tdx{UpairI2}: b\isasymin{}Upair(a,b)
-\tdx{UpairE}: [| a\isasymin{}Upair(b,c); a=b ==> P; a=c ==> P |] ==> P
-\end{alltt*}
-\caption{Unordered pairs} \label{zf-upair1}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{UnI1}: c\isasymin{}A ==> c\isasymin{}A \isasymunion B
-\tdx{UnI2}: c\isasymin{}B ==> c\isasymin{}A \isasymunion B
-\tdx{UnCI}: (c \isasymnotin B ==> c\isasymin{}A) ==> c\isasymin{}A \isasymunion B
-\tdx{UnE}: [| c\isasymin{}A \isasymunion B; c\isasymin{}A ==> P; c\isasymin{}B ==> P |] ==> P
-
-\tdx{IntI}: [| c\isasymin{}A; c\isasymin{}B |] ==> c\isasymin{}A \isasyminter B
-\tdx{IntD1}: c\isasymin{}A \isasyminter B ==> c\isasymin{}A
-\tdx{IntD2}: c\isasymin{}A \isasyminter B ==> c\isasymin{}B
-\tdx{IntE}: [| c\isasymin{}A \isasyminter B; [| c\isasymin{}A; c\isasymin{}B |] ==> P |] ==> P
-
-\tdx{DiffI}: [| c\isasymin{}A; c \isasymnotin B |] ==> c\isasymin{}A - B
-\tdx{DiffD1}: c\isasymin{}A - B ==> c\isasymin{}A
-\tdx{DiffD2}: c\isasymin{}A - B ==> c \isasymnotin B
-\tdx{DiffE}: [| c\isasymin{}A - B; [| c\isasymin{}A; c \isasymnotin B |] ==> P |] ==> P
-\end{alltt*}
-\caption{Union, intersection, difference} \label{zf-Un}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{consI1}: a\isasymin{}cons(a,B)
-\tdx{consI2}: a\isasymin{}B ==> a\isasymin{}cons(b,B)
-\tdx{consCI}: (a \isasymnotin B ==> a=b) ==> a\isasymin{}cons(b,B)
-\tdx{consE}: [| a\isasymin{}cons(b,A); a=b ==> P; a\isasymin{}A ==> P |] ==> P
-
-\tdx{singletonI}: a\isasymin{}{\ttlbrace}a{\ttrbrace}
-\tdx{singletonE}: [| a\isasymin{}{\ttlbrace}b{\ttrbrace}; a=b ==> P |] ==> P
-\end{alltt*}
-\caption{Finite and singleton sets} \label{zf-upair2}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{succI1}: i\isasymin{}succ(i)
-\tdx{succI2}: i\isasymin{}j ==> i\isasymin{}succ(j)
-\tdx{succCI}: (i \isasymnotin j ==> i=j) ==> i\isasymin{}succ(j)
-\tdx{succE}: [| i\isasymin{}succ(j); i=j ==> P; i\isasymin{}j ==> P |] ==> P
-\tdx{succ_neq_0}: [| succ(n)=0 |] ==> P
-\tdx{succ_inject}: succ(m) = succ(n) ==> m=n
-\end{alltt*}
-\caption{The successor function} \label{zf-succ}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{the_equality}: [| P(a); !!x. P(x) ==> x=a |] ==> (THE x. P(x))=a
-\tdx{theI}: \isasymexists! x. P(x) ==> P(THE x. P(x))
-
-\tdx{if_P}: P ==> (if P then a else b) = a
-\tdx{if_not_P}: ~P ==> (if P then a else b) = b
-
-\tdx{mem_asym}: [| a\isasymin{}b; b\isasymin{}a |] ==> P
-\tdx{mem_irrefl}: a\isasymin{}a ==> P
-\end{alltt*}
-\caption{Descriptions; non-circularity} \label{zf-the}
-\end{figure}
-
-
-\subsection{Unordered pairs and finite sets}
-Figure~\ref{zf-upair1} presents the principle of unordered pairing, along
-with its derived rules. Binary union and intersection are defined in terms
-of ordered pairs (Fig.\ts\ref{zf-Un}). Set difference is also included. The
-rule \tdx{UnCI} is useful for classical reasoning about unions,
-like \isa{disjCI}\@; it supersedes \tdx{UnI1} and
-\tdx{UnI2}, but these rules are often easier to work with. For
-intersection and difference we have both elimination and destruction rules.
-Again, there is no reason to provide a minimal rule set.
-
-Figure~\ref{zf-upair2} is concerned with finite sets: it presents rules
-for~\isa{cons}, the finite set constructor, and rules for singleton
-sets. Figure~\ref{zf-succ} presents derived rules for the successor
-function, which is defined in terms of~\isa{cons}. The proof that
-\isa{succ} is injective appears to require the Axiom of Foundation.
-
-Definite descriptions (\sdx{THE}) are defined in terms of the singleton
-set~$\{0\}$, but their derived rules fortunately hide this
-(Fig.\ts\ref{zf-the}). The rule~\tdx{theI} is difficult to apply
-because of the two occurrences of~$\Var{P}$. However,
-\tdx{the_equality} does not have this problem and the files contain
-many examples of its use.
-
-Finally, the impossibility of having both $a\in b$ and $b\in a$
-(\tdx{mem_asym}) is proved by applying the Axiom of Foundation to
-the set $\{a,b\}$. The impossibility of $a\in a$ is a trivial consequence.
-
-
-%%% subset.thy?
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{Union_upper}: B\isasymin{}A ==> B \isasymsubseteq Union(A)
-\tdx{Union_least}: [| !!x. x\isasymin{}A ==> x \isasymsubseteq C |] ==> Union(A) \isasymsubseteq C
-
-\tdx{Inter_lower}: B\isasymin{}A ==> Inter(A) \isasymsubseteq B
-\tdx{Inter_greatest}: [| a\isasymin{}A; !!x. x\isasymin{}A ==> C \isasymsubseteq x |] ==> C\isasymsubseteq{}Inter(A)
-
-\tdx{Un_upper1}: A \isasymsubseteq A \isasymunion B
-\tdx{Un_upper2}: B \isasymsubseteq A \isasymunion B
-\tdx{Un_least}: [| A \isasymsubseteq C; B \isasymsubseteq C |] ==> A \isasymunion B \isasymsubseteq C
-
-\tdx{Int_lower1}: A \isasyminter B \isasymsubseteq A
-\tdx{Int_lower2}: A \isasyminter B \isasymsubseteq B
-\tdx{Int_greatest}: [| C \isasymsubseteq A; C \isasymsubseteq B |] ==> C \isasymsubseteq A \isasyminter B
-
-\tdx{Diff_subset}: A-B \isasymsubseteq A
-\tdx{Diff_contains}: [| C \isasymsubseteq A; C \isasyminter B = 0 |] ==> C \isasymsubseteq A-B
-
-\tdx{Collect_subset}: Collect(A,P) \isasymsubseteq A
-\end{alltt*}
-\caption{Subset and lattice properties} \label{zf-subset}
-\end{figure}
-
-
-\subsection{Subset and lattice properties}
-The subset relation is a complete lattice. Unions form least upper bounds;
-non-empty intersections form greatest lower bounds. Figure~\ref{zf-subset}
-shows the corresponding rules. A few other laws involving subsets are
-included.
-Reasoning directly about subsets often yields clearer proofs than
-reasoning about the membership relation. Section~\ref{sec:ZF-pow-example}
-below presents an example of this, proving the equation
-${\isa{Pow}(A)\cap \isa{Pow}(B)}= \isa{Pow}(A\cap B)$.
-
-%%% pair.thy
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{Pair_inject1}: <a,b> = <c,d> ==> a=c
-\tdx{Pair_inject2}: <a,b> = <c,d> ==> b=d
-\tdx{Pair_inject}: [| <a,b> = <c,d>; [| a=c; b=d |] ==> P |] ==> P
-\tdx{Pair_neq_0}: <a,b>=0 ==> P
-
-\tdx{fst_conv}: fst(<a,b>) = a
-\tdx{snd_conv}: snd(<a,b>) = b
-\tdx{split}: split(\%x y. c(x,y), <a,b>) = c(a,b)
-
-\tdx{SigmaI}: [| a\isasymin{}A; b\isasymin{}B(a) |] ==> <a,b>\isasymin{}Sigma(A,B)
-
-\tdx{SigmaE}: [| c\isasymin{}Sigma(A,B);
- !!x y.[| x\isasymin{}A; y\isasymin{}B(x); c=<x,y> |] ==> P |] ==> P
-
-\tdx{SigmaE2}: [| <a,b>\isasymin{}Sigma(A,B);
- [| a\isasymin{}A; b\isasymin{}B(a) |] ==> P |] ==> P
-\end{alltt*}
-\caption{Ordered pairs; projections; general sums} \label{zf-pair}
-\end{figure}
-
-
-\subsection{Ordered pairs} \label{sec:pairs}
-
-Figure~\ref{zf-pair} presents the rules governing ordered pairs,
-projections and general sums --- in particular, that
-$\{\{a\},\{a,b\}\}$ functions as an ordered pair. This property is
-expressed as two destruction rules,
-\tdx{Pair_inject1} and \tdx{Pair_inject2}, and equivalently
-as the elimination rule \tdx{Pair_inject}.
-
-The rule \tdx{Pair_neq_0} asserts $\pair{a,b}\neq\emptyset$. This
-is a property of $\{\{a\},\{a,b\}\}$, and need not hold for other
-encodings of ordered pairs. The non-standard ordered pairs mentioned below
-satisfy $\pair{\emptyset;\emptyset}=\emptyset$.
-
-The natural deduction rules \tdx{SigmaI} and \tdx{SigmaE}
-assert that \cdx{Sigma}$(A,B)$ consists of all pairs of the form
-$\pair{x,y}$, for $x\in A$ and $y\in B(x)$. The rule \tdx{SigmaE2}
-merely states that $\pair{a,b}\in \isa{Sigma}(A,B)$ implies $a\in A$ and
-$b\in B(a)$.
-
-In addition, it is possible to use tuples as patterns in abstractions:
-\begin{center}
-{\tt\%<$x$,$y$>. $t$} \quad stands for\quad \isa{split(\%$x$ $y$.\ $t$)}
-\end{center}
-Nested patterns are translated recursively:
-{\tt\%<$x$,$y$,$z$>. $t$} $\leadsto$ {\tt\%<$x$,<$y$,$z$>>. $t$} $\leadsto$
-\isa{split(\%$x$.\%<$y$,$z$>. $t$)} $\leadsto$ \isa{split(\%$x$. split(\%$y$
- $z$.\ $t$))}. The reverse translation is performed upon printing.
-\begin{warn}
- The translation between patterns and \isa{split} is performed automatically
- by the parser and printer. Thus the internal and external form of a term
- may differ, which affects proofs. For example the term \isa{(\%<x,y>.<y,x>)<a,b>} requires the theorem \isa{split} to rewrite to
- {\tt<b,a>}.
-\end{warn}
-In addition to explicit $\lambda$-abstractions, patterns can be used in any
-variable binding construct which is internally described by a
-$\lambda$-abstraction. Here are some important examples:
-\begin{description}
-\item[Let:] \isa{let {\it pattern} = $t$ in $u$}
-\item[Choice:] \isa{THE~{\it pattern}~.~$P$}
-\item[Set operations:] \isa{\isasymUnion~{\it pattern}:$A$.~$B$}
-\item[Comprehension:] \isa{{\ttlbrace}~{\it pattern}:$A$~.~$P$~{\ttrbrace}}
-\end{description}
-
-
-%%% domrange.thy?
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{domainI}: <a,b>\isasymin{}r ==> a\isasymin{}domain(r)
-\tdx{domainE}: [| a\isasymin{}domain(r); !!y. <a,y>\isasymin{}r ==> P |] ==> P
-\tdx{domain_subset}: domain(Sigma(A,B)) \isasymsubseteq A
-
-\tdx{rangeI}: <a,b>\isasymin{}r ==> b\isasymin{}range(r)
-\tdx{rangeE}: [| b\isasymin{}range(r); !!x. <x,b>\isasymin{}r ==> P |] ==> P
-\tdx{range_subset}: range(A*B) \isasymsubseteq B
-
-\tdx{fieldI1}: <a,b>\isasymin{}r ==> a\isasymin{}field(r)
-\tdx{fieldI2}: <a,b>\isasymin{}r ==> b\isasymin{}field(r)
-\tdx{fieldCI}: (<c,a> \isasymnotin r ==> <a,b>\isasymin{}r) ==> a\isasymin{}field(r)
-
-\tdx{fieldE}: [| a\isasymin{}field(r);
- !!x. <a,x>\isasymin{}r ==> P;
- !!x. <x,a>\isasymin{}r ==> P
- |] ==> P
-
-\tdx{field_subset}: field(A*A) \isasymsubseteq A
-\end{alltt*}
-\caption{Domain, range and field of a relation} \label{zf-domrange}
-\end{figure}
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{imageI}: [| <a,b>\isasymin{}r; a\isasymin{}A |] ==> b\isasymin{}r``A
-\tdx{imageE}: [| b\isasymin{}r``A; !!x.[| <x,b>\isasymin{}r; x\isasymin{}A |] ==> P |] ==> P
-
-\tdx{vimageI}: [| <a,b>\isasymin{}r; b\isasymin{}B |] ==> a\isasymin{}r-``B
-\tdx{vimageE}: [| a\isasymin{}r-``B; !!x.[| <a,x>\isasymin{}r; x\isasymin{}B |] ==> P |] ==> P
-\end{alltt*}
-\caption{Image and inverse image} \label{zf-domrange2}
-\end{figure}
-
-
-\subsection{Relations}
-Figure~\ref{zf-domrange} presents rules involving relations, which are sets
-of ordered pairs. The converse of a relation~$r$ is the set of all pairs
-$\pair{y,x}$ such that $\pair{x,y}\in r$; if $r$ is a function, then
-{\cdx{converse}$(r)$} is its inverse. The rules for the domain
-operation, namely \tdx{domainI} and~\tdx{domainE}, assert that
-\cdx{domain}$(r)$ consists of all~$x$ such that $r$ contains
-some pair of the form~$\pair{x,y}$. The range operation is similar, and
-the field of a relation is merely the union of its domain and range.
-
-Figure~\ref{zf-domrange2} presents rules for images and inverse images.
-Note that these operations are generalisations of range and domain,
-respectively.
-
-
-%%% func.thy
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{fun_is_rel}: f\isasymin{}Pi(A,B) ==> f \isasymsubseteq Sigma(A,B)
-
-\tdx{apply_equality}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> f`a = b
-\tdx{apply_equality2}: [| <a,b>\isasymin{}f; <a,c>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> b=c
-
-\tdx{apply_type}: [| f\isasymin{}Pi(A,B); a\isasymin{}A |] ==> f`a\isasymin{}B(a)
-\tdx{apply_Pair}: [| f\isasymin{}Pi(A,B); a\isasymin{}A |] ==> <a,f`a>\isasymin{}f
-\tdx{apply_iff}: f\isasymin{}Pi(A,B) ==> <a,b>\isasymin{}f <-> a\isasymin{}A & f`a = b
-
-\tdx{fun_extension}: [| f\isasymin{}Pi(A,B); g\isasymin{}Pi(A,D);
- !!x. x\isasymin{}A ==> f`x = g`x |] ==> f=g
-
-\tdx{domain_type}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> a\isasymin{}A
-\tdx{range_type}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> b\isasymin{}B(a)
-
-\tdx{Pi_type}: [| f\isasymin{}A->C; !!x. x\isasymin{}A ==> f`x\isasymin{}B(x) |] ==> f\isasymin{}Pi(A,B)
-\tdx{domain_of_fun}: f\isasymin{}Pi(A,B) ==> domain(f)=A
-\tdx{range_of_fun}: f\isasymin{}Pi(A,B) ==> f\isasymin{}A->range(f)
-
-\tdx{restrict}: a\isasymin{}A ==> restrict(f,A) ` a = f`a
-\tdx{restrict_type}: [| !!x. x\isasymin{}A ==> f`x\isasymin{}B(x) |] ==>
- restrict(f,A)\isasymin{}Pi(A,B)
-\end{alltt*}
-\caption{Functions} \label{zf-func1}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{lamI}: a\isasymin{}A ==> <a,b(a)>\isasymin{}(lam x\isasymin{}A. b(x))
-\tdx{lamE}: [| p\isasymin{}(lam x\isasymin{}A. b(x)); !!x.[| x\isasymin{}A; p=<x,b(x)> |] ==> P
- |] ==> P
-
-\tdx{lam_type}: [| !!x. x\isasymin{}A ==> b(x)\isasymin{}B(x) |] ==> (lam x\isasymin{}A. b(x))\isasymin{}Pi(A,B)
-
-\tdx{beta}: a\isasymin{}A ==> (lam x\isasymin{}A. b(x)) ` a = b(a)
-\tdx{eta}: f\isasymin{}Pi(A,B) ==> (lam x\isasymin{}A. f`x) = f
-\end{alltt*}
-\caption{$\lambda$-abstraction} \label{zf-lam}
-\end{figure}
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{fun_empty}: 0\isasymin{}0->0
-\tdx{fun_single}: {\ttlbrace}<a,b>{\ttrbrace}\isasymin{}{\ttlbrace}a{\ttrbrace} -> {\ttlbrace}b{\ttrbrace}
-
-\tdx{fun_disjoint_Un}: [| f\isasymin{}A->B; g\isasymin{}C->D; A \isasyminter C = 0 |] ==>
- (f \isasymunion g)\isasymin{}(A \isasymunion C) -> (B \isasymunion D)
-
-\tdx{fun_disjoint_apply1}: [| a\isasymin{}A; f\isasymin{}A->B; g\isasymin{}C->D; A\isasyminter{}C = 0 |] ==>
- (f \isasymunion g)`a = f`a
-
-\tdx{fun_disjoint_apply2}: [| c\isasymin{}C; f\isasymin{}A->B; g\isasymin{}C->D; A\isasyminter{}C = 0 |] ==>
- (f \isasymunion g)`c = g`c
-\end{alltt*}
-\caption{Constructing functions from smaller sets} \label{zf-func2}
-\end{figure}
-
-
-\subsection{Functions}
-Functions, represented by graphs, are notoriously difficult to reason
-about. The ZF theory provides many derived rules, which overlap more
-than they ought. This section presents the more important rules.
-
-Figure~\ref{zf-func1} presents the basic properties of \cdx{Pi}$(A,B)$,
-the generalized function space. For example, if $f$ is a function and
-$\pair{a,b}\in f$, then $f`a=b$ (\tdx{apply_equality}). Two functions
-are equal provided they have equal domains and deliver equals results
-(\tdx{fun_extension}).
-
-By \tdx{Pi_type}, a function typing of the form $f\in A\to C$ can be
-refined to the dependent typing $f\in\prod@{x\in A}B(x)$, given a suitable
-family of sets $\{B(x)\}@{x\in A}$. Conversely, by \tdx{range_of_fun},
-any dependent typing can be flattened to yield a function type of the form
-$A\to C$; here, $C=\isa{range}(f)$.
-
-Among the laws for $\lambda$-abstraction, \tdx{lamI} and \tdx{lamE}
-describe the graph of the generated function, while \tdx{beta} and
-\tdx{eta} are the standard conversions. We essentially have a
-dependently-typed $\lambda$-calculus (Fig.\ts\ref{zf-lam}).
-
-Figure~\ref{zf-func2} presents some rules that can be used to construct
-functions explicitly. We start with functions consisting of at most one
-pair, and may form the union of two functions provided their domains are
-disjoint.
-
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{Int_absorb}: A \isasyminter A = A
-\tdx{Int_commute}: A \isasyminter B = B \isasyminter A
-\tdx{Int_assoc}: (A \isasyminter B) \isasyminter C = A \isasyminter (B \isasyminter C)
-\tdx{Int_Un_distrib}: (A \isasymunion B) \isasyminter C = (A \isasyminter C) \isasymunion (B \isasyminter C)
-
-\tdx{Un_absorb}: A \isasymunion A = A
-\tdx{Un_commute}: A \isasymunion B = B \isasymunion A
-\tdx{Un_assoc}: (A \isasymunion B) \isasymunion C = A \isasymunion (B \isasymunion C)
-\tdx{Un_Int_distrib}: (A \isasyminter B) \isasymunion C = (A \isasymunion C) \isasyminter (B \isasymunion C)
-
-\tdx{Diff_cancel}: A-A = 0
-\tdx{Diff_disjoint}: A \isasyminter (B-A) = 0
-\tdx{Diff_partition}: A \isasymsubseteq B ==> A \isasymunion (B-A) = B
-\tdx{double_complement}: [| A \isasymsubseteq B; B \isasymsubseteq C |] ==> (B - (C-A)) = A
-\tdx{Diff_Un}: A - (B \isasymunion C) = (A-B) \isasyminter (A-C)
-\tdx{Diff_Int}: A - (B \isasyminter C) = (A-B) \isasymunion (A-C)
-
-\tdx{Union_Un_distrib}: Union(A \isasymunion B) = Union(A) \isasymunion Union(B)
-\tdx{Inter_Un_distrib}: [| a \isasymin A; b \isasymin B |] ==>
- Inter(A \isasymunion B) = Inter(A) \isasyminter Inter(B)
-
-\tdx{Int_Union_RepFun}: A \isasyminter Union(B) = ({\isasymUnion}C \isasymin B. A \isasyminter C)
-
-\tdx{Un_Inter_RepFun}: b \isasymin B ==>
- A \isasymunion Inter(B) = ({\isasymInter}C \isasymin B. A \isasymunion C)
-
-\tdx{SUM_Un_distrib1}: (SUM x \isasymin A \isasymunion B. C(x)) =
- (SUM x \isasymin A. C(x)) \isasymunion (SUM x \isasymin B. C(x))
-
-\tdx{SUM_Un_distrib2}: (SUM x \isasymin C. A(x) \isasymunion B(x)) =
- (SUM x \isasymin C. A(x)) \isasymunion (SUM x \isasymin C. B(x))
-
-\tdx{SUM_Int_distrib1}: (SUM x \isasymin A \isasyminter B. C(x)) =
- (SUM x \isasymin A. C(x)) \isasyminter (SUM x \isasymin B. C(x))
-
-\tdx{SUM_Int_distrib2}: (SUM x \isasymin C. A(x) \isasyminter B(x)) =
- (SUM x \isasymin C. A(x)) \isasyminter (SUM x \isasymin C. B(x))
-\end{alltt*}
-\caption{Equalities} \label{zf-equalities}
-\end{figure}
-
-
-\begin{figure}
-%\begin{constants}
-% \cdx{1} & $i$ & & $\{\emptyset\}$ \\
-% \cdx{bool} & $i$ & & the set $\{\emptyset,1\}$ \\
-% \cdx{cond} & $[i,i,i]\To i$ & & conditional for \isa{bool} \\
-% \cdx{not} & $i\To i$ & & negation for \isa{bool} \\
-% \sdx{and} & $[i,i]\To i$ & Left 70 & conjunction for \isa{bool} \\
-% \sdx{or} & $[i,i]\To i$ & Left 65 & disjunction for \isa{bool} \\
-% \sdx{xor} & $[i,i]\To i$ & Left 65 & exclusive-or for \isa{bool}
-%\end{constants}
-%
-\begin{alltt*}\isastyleminor
-\tdx{bool_def}: bool == {\ttlbrace}0,1{\ttrbrace}
-\tdx{cond_def}: cond(b,c,d) == if b=1 then c else d
-\tdx{not_def}: not(b) == cond(b,0,1)
-\tdx{and_def}: a and b == cond(a,b,0)
-\tdx{or_def}: a or b == cond(a,1,b)
-\tdx{xor_def}: a xor b == cond(a,not(b),b)
-
-\tdx{bool_1I}: 1 \isasymin bool
-\tdx{bool_0I}: 0 \isasymin bool
-\tdx{boolE}: [| c \isasymin bool; c=1 ==> P; c=0 ==> P |] ==> P
-\tdx{cond_1}: cond(1,c,d) = c
-\tdx{cond_0}: cond(0,c,d) = d
-\end{alltt*}
-\caption{The booleans} \label{zf-bool}
-\end{figure}
-
-
-\section{Further developments}
-The next group of developments is complex and extensive, and only
-highlights can be covered here. It involves many theories and proofs.
-
-Figure~\ref{zf-equalities} presents commutative, associative, distributive,
-and idempotency laws of union and intersection, along with other equations.
-
-Theory \thydx{Bool} defines $\{0,1\}$ as a set of booleans, with the usual
-operators including a conditional (Fig.\ts\ref{zf-bool}). Although ZF is a
-first-order theory, you can obtain the effect of higher-order logic using
-\isa{bool}-valued functions, for example. The constant~\isa{1} is
-translated to \isa{succ(0)}.
-
-\begin{figure}
-\index{*"+ symbol}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \tt + & $[i,i]\To i$ & Right 65 & disjoint union operator\\
- \cdx{Inl}~~\cdx{Inr} & $i\To i$ & & injections\\
- \cdx{case} & $[i\To i,i\To i, i]\To i$ & & conditional for $A+B$
-\end{constants}
-\begin{alltt*}\isastyleminor
-\tdx{sum_def}: A+B == {\ttlbrace}0{\ttrbrace}*A \isasymunion {\ttlbrace}1{\ttrbrace}*B
-\tdx{Inl_def}: Inl(a) == <0,a>
-\tdx{Inr_def}: Inr(b) == <1,b>
-\tdx{case_def}: case(c,d,u) == split(\%y z. cond(y, d(z), c(z)), u)
-
-\tdx{InlI}: a \isasymin A ==> Inl(a) \isasymin A+B
-\tdx{InrI}: b \isasymin B ==> Inr(b) \isasymin A+B
-
-\tdx{Inl_inject}: Inl(a)=Inl(b) ==> a=b
-\tdx{Inr_inject}: Inr(a)=Inr(b) ==> a=b
-\tdx{Inl_neq_Inr}: Inl(a)=Inr(b) ==> P
-
-\tdx{sum_iff}: u \isasymin A+B <-> ({\isasymexists}x\isasymin{}A. u=Inl(x)) | ({\isasymexists}y\isasymin{}B. u=Inr(y))
-
-\tdx{case_Inl}: case(c,d,Inl(a)) = c(a)
-\tdx{case_Inr}: case(c,d,Inr(b)) = d(b)
-\end{alltt*}
-\caption{Disjoint unions} \label{zf-sum}
-\end{figure}
-
-
-\subsection{Disjoint unions}
-
-Theory \thydx{Sum} defines the disjoint union of two sets, with
-injections and a case analysis operator (Fig.\ts\ref{zf-sum}). Disjoint
-unions play a role in datatype definitions, particularly when there is
-mutual recursion~\cite{paulson-set-II}.
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{QPair_def}: <a;b> == a+b
-\tdx{qsplit_def}: qsplit(c,p) == THE y. {\isasymexists}a b. p=<a;b> & y=c(a,b)
-\tdx{qfsplit_def}: qfsplit(R,z) == {\isasymexists}x y. z=<x;y> & R(x,y)
-\tdx{qconverse_def}: qconverse(r) == {\ttlbrace}z. w \isasymin r, {\isasymexists}x y. w=<x;y> & z=<y;x>{\ttrbrace}
-\tdx{QSigma_def}: QSigma(A,B) == {\isasymUnion}x \isasymin A. {\isasymUnion}y \isasymin B(x). {\ttlbrace}<x;y>{\ttrbrace}
-
-\tdx{qsum_def}: A <+> B == ({\ttlbrace}0{\ttrbrace} <*> A) \isasymunion ({\ttlbrace}1{\ttrbrace} <*> B)
-\tdx{QInl_def}: QInl(a) == <0;a>
-\tdx{QInr_def}: QInr(b) == <1;b>
-\tdx{qcase_def}: qcase(c,d) == qsplit(\%y z. cond(y, d(z), c(z)))
-\end{alltt*}
-\caption{Non-standard pairs, products and sums} \label{zf-qpair}
-\end{figure}
-
-
-\subsection{Non-standard ordered pairs}
-
-Theory \thydx{QPair} defines a notion of ordered pair that admits
-non-well-founded tupling (Fig.\ts\ref{zf-qpair}). Such pairs are written
-{\tt<$a$;$b$>}. It also defines the eliminator \cdx{qsplit}, the
-converse operator \cdx{qconverse}, and the summation operator
-\cdx{QSigma}. These are completely analogous to the corresponding
-versions for standard ordered pairs. The theory goes on to define a
-non-standard notion of disjoint sum using non-standard pairs. All of these
-concepts satisfy the same properties as their standard counterparts; in
-addition, {\tt<$a$;$b$>} is continuous. The theory supports coinductive
-definitions, for example of infinite lists~\cite{paulson-mscs}.
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{bnd_mono_def}: bnd_mono(D,h) ==
- h(D)\isasymsubseteq{}D & ({\isasymforall}W X. W\isasymsubseteq{}X --> X\isasymsubseteq{}D --> h(W)\isasymsubseteq{}h(X))
-
-\tdx{lfp_def}: lfp(D,h) == Inter({\ttlbrace}X \isasymin Pow(D). h(X) \isasymsubseteq X{\ttrbrace})
-\tdx{gfp_def}: gfp(D,h) == Union({\ttlbrace}X \isasymin Pow(D). X \isasymsubseteq h(X){\ttrbrace})
-
-
-\tdx{lfp_lowerbound}: [| h(A) \isasymsubseteq A; A \isasymsubseteq D |] ==> lfp(D,h) \isasymsubseteq A
-
-\tdx{lfp_subset}: lfp(D,h) \isasymsubseteq D
-
-\tdx{lfp_greatest}: [| bnd_mono(D,h);
- !!X. [| h(X) \isasymsubseteq X; X \isasymsubseteq D |] ==> A \isasymsubseteq X
- |] ==> A \isasymsubseteq lfp(D,h)
-
-\tdx{lfp_Tarski}: bnd_mono(D,h) ==> lfp(D,h) = h(lfp(D,h))
-
-\tdx{induct}: [| a \isasymin lfp(D,h); bnd_mono(D,h);
- !!x. x \isasymin h(Collect(lfp(D,h),P)) ==> P(x)
- |] ==> P(a)
-
-\tdx{lfp_mono}: [| bnd_mono(D,h); bnd_mono(E,i);
- !!X. X \isasymsubseteq D ==> h(X) \isasymsubseteq i(X)
- |] ==> lfp(D,h) \isasymsubseteq lfp(E,i)
-
-\tdx{gfp_upperbound}: [| A \isasymsubseteq h(A); A \isasymsubseteq D |] ==> A \isasymsubseteq gfp(D,h)
-
-\tdx{gfp_subset}: gfp(D,h) \isasymsubseteq D
-
-\tdx{gfp_least}: [| bnd_mono(D,h);
- !!X. [| X \isasymsubseteq h(X); X \isasymsubseteq D |] ==> X \isasymsubseteq A
- |] ==> gfp(D,h) \isasymsubseteq A
-
-\tdx{gfp_Tarski}: bnd_mono(D,h) ==> gfp(D,h) = h(gfp(D,h))
-
-\tdx{coinduct}: [| bnd_mono(D,h); a \isasymin X; X \isasymsubseteq h(X \isasymunion gfp(D,h)); X \isasymsubseteq D
- |] ==> a \isasymin gfp(D,h)
-
-\tdx{gfp_mono}: [| bnd_mono(D,h); D \isasymsubseteq E;
- !!X. X \isasymsubseteq D ==> h(X) \isasymsubseteq i(X)
- |] ==> gfp(D,h) \isasymsubseteq gfp(E,i)
-\end{alltt*}
-\caption{Least and greatest fixedpoints} \label{zf-fixedpt}
-\end{figure}
-
-
-\subsection{Least and greatest fixedpoints}
-
-The Knaster-Tarski Theorem states that every monotone function over a
-complete lattice has a fixedpoint. Theory \thydx{Fixedpt} proves the
-Theorem only for a particular lattice, namely the lattice of subsets of a
-set (Fig.\ts\ref{zf-fixedpt}). The theory defines least and greatest
-fixedpoint operators with corresponding induction and coinduction rules.
-These are essential to many definitions that follow, including the natural
-numbers and the transitive closure operator. The (co)inductive definition
-package also uses the fixedpoint operators~\cite{paulson-CADE}. See
-Davey and Priestley~\cite{davey-priestley} for more on the Knaster-Tarski
-Theorem and my paper~\cite{paulson-set-II} for discussion of the Isabelle
-proofs.
-
-Monotonicity properties are proved for most of the set-forming operations:
-union, intersection, Cartesian product, image, domain, range, etc. These
-are useful for applying the Knaster-Tarski Fixedpoint Theorem. The proofs
-themselves are trivial applications of Isabelle's classical reasoner.
-
-
-\subsection{Finite sets and lists}
-
-Theory \texttt{Finite} (Figure~\ref{zf-fin}) defines the finite set operator;
-$\isa{Fin}(A)$ is the set of all finite sets over~$A$. The theory employs
-Isabelle's inductive definition package, which proves various rules
-automatically. The induction rule shown is stronger than the one proved by
-the package. The theory also defines the set of all finite functions
-between two given sets.
-
-\begin{figure}
-\begin{alltt*}\isastyleminor
-\tdx{Fin.emptyI} 0 \isasymin Fin(A)
-\tdx{Fin.consI} [| a \isasymin A; b \isasymin Fin(A) |] ==> cons(a,b) \isasymin Fin(A)
-
-\tdx{Fin_induct}
- [| b \isasymin Fin(A);
- P(0);
- !!x y. [| x\isasymin{}A; y\isasymin{}Fin(A); x\isasymnotin{}y; P(y) |] ==> P(cons(x,y))
- |] ==> P(b)
-
-\tdx{Fin_mono}: A \isasymsubseteq B ==> Fin(A) \isasymsubseteq Fin(B)
-\tdx{Fin_UnI}: [| b \isasymin Fin(A); c \isasymin Fin(A) |] ==> b \isasymunion c \isasymin Fin(A)
-\tdx{Fin_UnionI}: C \isasymin Fin(Fin(A)) ==> Union(C) \isasymin Fin(A)
-\tdx{Fin_subset}: [| c \isasymsubseteq b; b \isasymin Fin(A) |] ==> c \isasymin Fin(A)
-\end{alltt*}
-\caption{The finite set operator} \label{zf-fin}
-\end{figure}
-
-\begin{figure}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \cdx{list} & $i\To i$ && lists over some set\\
- \cdx{list_case} & $[i, [i,i]\To i, i] \To i$ && conditional for $list(A)$ \\
- \cdx{map} & $[i\To i, i] \To i$ & & mapping functional\\
- \cdx{length} & $i\To i$ & & length of a list\\
- \cdx{rev} & $i\To i$ & & reverse of a list\\
- \tt \at & $[i,i]\To i$ & Right 60 & append for lists\\
- \cdx{flat} & $i\To i$ & & append of list of lists
-\end{constants}
-
-\underscoreon %%because @ is used here
-\begin{alltt*}\isastyleminor
-\tdx{NilI}: Nil \isasymin list(A)
-\tdx{ConsI}: [| a \isasymin A; l \isasymin list(A) |] ==> Cons(a,l) \isasymin list(A)
-
-\tdx{List.induct}
- [| l \isasymin list(A);
- P(Nil);
- !!x y. [| x \isasymin A; y \isasymin list(A); P(y) |] ==> P(Cons(x,y))
- |] ==> P(l)
-
-\tdx{Cons_iff}: Cons(a,l)=Cons(a',l') <-> a=a' & l=l'
-\tdx{Nil_Cons_iff}: Nil \isasymnoteq Cons(a,l)
-
-\tdx{list_mono}: A \isasymsubseteq B ==> list(A) \isasymsubseteq list(B)
-
-\tdx{map_ident}: l\isasymin{}list(A) ==> map(\%u. u, l) = l
-\tdx{map_compose}: l\isasymin{}list(A) ==> map(h, map(j,l)) = map(\%u. h(j(u)), l)
-\tdx{map_app_distrib}: xs\isasymin{}list(A) ==> map(h, xs@ys) = map(h,xs)@map(h,ys)
-\tdx{map_type}
- [| l\isasymin{}list(A); !!x. x\isasymin{}A ==> h(x)\isasymin{}B |] ==> map(h,l)\isasymin{}list(B)
-\tdx{map_flat}
- ls: list(list(A)) ==> map(h, flat(ls)) = flat(map(map(h),ls))
-\end{alltt*}
-\caption{Lists} \label{zf-list}
-\end{figure}
-
-
-Figure~\ref{zf-list} presents the set of lists over~$A$, $\isa{list}(A)$. The
-definition employs Isabelle's datatype package, which defines the introduction
-and induction rules automatically, as well as the constructors, case operator
-(\isa{list\_case}) and recursion operator. The theory then defines the usual
-list functions by primitive recursion. See theory \texttt{List}.
-
-
-\subsection{Miscellaneous}
-
-\begin{figure}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \sdx{O} & $[i,i]\To i$ & Right 60 & composition ($\circ$) \\
- \cdx{id} & $i\To i$ & & identity function \\
- \cdx{inj} & $[i,i]\To i$ & & injective function space\\
- \cdx{surj} & $[i,i]\To i$ & & surjective function space\\
- \cdx{bij} & $[i,i]\To i$ & & bijective function space
-\end{constants}
-
-\begin{alltt*}\isastyleminor
-\tdx{comp_def}: r O s == {\ttlbrace}xz \isasymin domain(s)*range(r) .
- {\isasymexists}x y z. xz=<x,z> & <x,y> \isasymin s & <y,z> \isasymin r{\ttrbrace}
-\tdx{id_def}: id(A) == (lam x \isasymin A. x)
-\tdx{inj_def}: inj(A,B) == {\ttlbrace} f\isasymin{}A->B. {\isasymforall}w\isasymin{}A. {\isasymforall}x\isasymin{}A. f`w=f`x --> w=x {\ttrbrace}
-\tdx{surj_def}: surj(A,B) == {\ttlbrace} f\isasymin{}A->B . {\isasymforall}y\isasymin{}B. {\isasymexists}x\isasymin{}A. f`x=y {\ttrbrace}
-\tdx{bij_def}: bij(A,B) == inj(A,B) \isasyminter surj(A,B)
-
-
-\tdx{left_inverse}: [| f\isasymin{}inj(A,B); a\isasymin{}A |] ==> converse(f)`(f`a) = a
-\tdx{right_inverse}: [| f\isasymin{}inj(A,B); b\isasymin{}range(f) |] ==>
- f`(converse(f)`b) = b
-
-\tdx{inj_converse_inj}: f\isasymin{}inj(A,B) ==> converse(f) \isasymin inj(range(f),A)
-\tdx{bij_converse_bij}: f\isasymin{}bij(A,B) ==> converse(f) \isasymin bij(B,A)
-
-\tdx{comp_type}: [| s \isasymsubseteq A*B; r \isasymsubseteq B*C |] ==> (r O s) \isasymsubseteq A*C
-\tdx{comp_assoc}: (r O s) O t = r O (s O t)
-
-\tdx{left_comp_id}: r \isasymsubseteq A*B ==> id(B) O r = r
-\tdx{right_comp_id}: r \isasymsubseteq A*B ==> r O id(A) = r
-
-\tdx{comp_func}: [| g\isasymin{}A->B; f\isasymin{}B->C |] ==> (f O g) \isasymin A->C
-\tdx{comp_func_apply}: [| g\isasymin{}A->B; f\isasymin{}B->C; a\isasymin{}A |] ==> (f O g)`a = f`(g`a)
-
-\tdx{comp_inj}: [| g\isasymin{}inj(A,B); f\isasymin{}inj(B,C) |] ==> (f O g)\isasymin{}inj(A,C)
-\tdx{comp_surj}: [| g\isasymin{}surj(A,B); f\isasymin{}surj(B,C) |] ==> (f O g)\isasymin{}surj(A,C)
-\tdx{comp_bij}: [| g\isasymin{}bij(A,B); f\isasymin{}bij(B,C) |] ==> (f O g)\isasymin{}bij(A,C)
-
-\tdx{left_comp_inverse}: f\isasymin{}inj(A,B) ==> converse(f) O f = id(A)
-\tdx{right_comp_inverse}: f\isasymin{}surj(A,B) ==> f O converse(f) = id(B)
-
-\tdx{bij_disjoint_Un}:
- [| f\isasymin{}bij(A,B); g\isasymin{}bij(C,D); A \isasyminter C = 0; B \isasyminter D = 0 |] ==>
- (f \isasymunion g)\isasymin{}bij(A \isasymunion C, B \isasymunion D)
-
-\tdx{restrict_bij}: [| f\isasymin{}inj(A,B); C\isasymsubseteq{}A |] ==> restrict(f,C)\isasymin{}bij(C, f``C)
-\end{alltt*}
-\caption{Permutations} \label{zf-perm}
-\end{figure}
-
-The theory \thydx{Perm} is concerned with permutations (bijections) and
-related concepts. These include composition of relations, the identity
-relation, and three specialized function spaces: injective, surjective and
-bijective. Figure~\ref{zf-perm} displays many of their properties that
-have been proved. These results are fundamental to a treatment of
-equipollence and cardinality.
-
-Theory \thydx{Univ} defines a `universe' $\isa{univ}(A)$, which is used by
-the datatype package. This set contains $A$ and the
-natural numbers. Vitally, it is closed under finite products:
-$\isa{univ}(A)\times\isa{univ}(A)\subseteq\isa{univ}(A)$. This theory also
-defines the cumulative hierarchy of axiomatic set theory, which
-traditionally is written $V@\alpha$ for an ordinal~$\alpha$. The
-`universe' is a simple generalization of~$V@\omega$.
-
-Theory \thydx{QUniv} defines a `universe' $\isa{quniv}(A)$, which is used by
-the datatype package to construct codatatypes such as streams. It is
-analogous to $\isa{univ}(A)$ (and is defined in terms of it) but is closed
-under the non-standard product and sum.
-
-
-\section{Automatic Tools}
-
-ZF provides the simplifier and the classical reasoner. Moreover it supplies a
-specialized tool to infer `types' of terms.
-
-\subsection{Simplification and Classical Reasoning}
-
-ZF inherits simplification from FOL but adopts it for set theory. The
-extraction of rewrite rules takes the ZF primitives into account. It can
-strip bounded universal quantifiers from a formula; for example, ${\forall
- x\in A. f(x)=g(x)}$ yields the conditional rewrite rule $x\in A \Imp
-f(x)=g(x)$. Given $a\in\{x\in A. P(x)\}$ it extracts rewrite rules from $a\in
-A$ and~$P(a)$. It can also break down $a\in A\int B$ and $a\in A-B$.
-
-The default simpset used by \isa{simp} contains congruence rules for all of ZF's
-binding operators. It contains all the conversion rules, such as
-\isa{fst} and
-\isa{snd}, as well as the rewrites shown in Fig.\ts\ref{zf-simpdata}.
-
-Classical reasoner methods such as \isa{blast} and \isa{auto} refer to
-a rich collection of built-in axioms for all the set-theoretic
-primitives.
-
-
-\begin{figure}
-\begin{eqnarray*}
- a\in \emptyset & \bimp & \bot\\
- a \in A \un B & \bimp & a\in A \disj a\in B\\
- a \in A \int B & \bimp & a\in A \conj a\in B\\
- a \in A-B & \bimp & a\in A \conj \lnot (a\in B)\\
- \pair{a,b}\in \isa{Sigma}(A,B)
- & \bimp & a\in A \conj b\in B(a)\\
- a \in \isa{Collect}(A,P) & \bimp & a\in A \conj P(a)\\
- (\forall x \in \emptyset. P(x)) & \bimp & \top\\
- (\forall x \in A. \top) & \bimp & \top
-\end{eqnarray*}
-\caption{Some rewrite rules for set theory} \label{zf-simpdata}
-\end{figure}
-
-
-\subsection{Type-Checking Tactics}
-\index{type-checking tactics}
-
-Isabelle/ZF provides simple tactics to help automate those proofs that are
-essentially type-checking. Such proofs are built by applying rules such as
-these:
-\begin{ttbox}\isastyleminor
-[| ?P ==> ?a \isasymin ?A; ~?P ==> ?b \isasymin ?A |]
-==> (if ?P then ?a else ?b) \isasymin ?A
-
-[| ?m \isasymin nat; ?n \isasymin nat |] ==> ?m #+ ?n \isasymin nat
-
-?a \isasymin ?A ==> Inl(?a) \isasymin ?A + ?B
-\end{ttbox}
-In typical applications, the goal has the form $t\in\Var{A}$: in other words,
-we have a specific term~$t$ and need to infer its `type' by instantiating the
-set variable~$\Var{A}$. Neither the simplifier nor the classical reasoner
-does this job well. The if-then-else rule, and many similar ones, can make
-the classical reasoner loop. The simplifier refuses (on principle) to
-instantiate variables during rewriting, so goals such as \isa{i\#+j \isasymin \ ?A}
-are left unsolved.
-
-The simplifier calls the type-checker to solve rewritten subgoals: this stage
-can indeed instantiate variables. If you have defined new constants and
-proved type-checking rules for them, then declare the rules using
-the attribute \isa{TC} and the rest should be automatic. In
-particular, the simplifier will use type-checking to help satisfy
-conditional rewrite rules. Call the method \ttindex{typecheck} to
-break down all subgoals using type-checking rules. You can add new
-type-checking rules temporarily like this:
-\begin{isabelle}
-\isacommand{apply}\ (typecheck add:\ inj_is_fun)
-\end{isabelle}
-
-
-%Though the easiest way to invoke the type-checker is via the simplifier,
-%specialized applications may require more detailed knowledge of
-%the type-checking primitives. They are modelled on the simplifier's:
-%\begin{ttdescription}
-%\item[\ttindexbold{tcset}] is the type of tcsets: sets of type-checking rules.
-%
-%\item[\ttindexbold{addTCs}] is an infix operator to add type-checking rules to
-% a tcset.
-%
-%\item[\ttindexbold{delTCs}] is an infix operator to remove type-checking rules
-% from a tcset.
-%
-%\item[\ttindexbold{typecheck_tac}] is a tactic for attempting to prove all
-% subgoals using the rules given in its argument, a tcset.
-%\end{ttdescription}
-%
-%Tcsets, like simpsets, are associated with theories and are merged when
-%theories are merged. There are further primitives that use the default tcset.
-%\begin{ttdescription}
-%\item[\ttindexbold{tcset}] is a function to return the default tcset; use the
-% expression \isa{tcset()}.
-%
-%\item[\ttindexbold{AddTCs}] adds type-checking rules to the default tcset.
-%
-%\item[\ttindexbold{DelTCs}] removes type-checking rules from the default
-% tcset.
-%
-%\item[\ttindexbold{Typecheck_tac}] calls \isa{typecheck_tac} using the
-% default tcset.
-%\end{ttdescription}
-%
-%To supply some type-checking rules temporarily, using \isa{Addrules} and
-%later \isa{Delrules} is the simplest way. There is also a high-tech
-%approach. Call the simplifier with a new solver expressed using
-%\ttindexbold{type_solver_tac} and your temporary type-checking rules.
-%\begin{ttbox}\isastyleminor
-%by (asm_simp_tac
-% (simpset() setSolver type_solver_tac (tcset() addTCs prems)) 2);
-%\end{ttbox}
-
-
-\section{Natural number and integer arithmetic}
-
-\index{arithmetic|(}
-
-\begin{figure}\small
-\index{#*@{\tt\#*} symbol}
-\index{*div symbol}
-\index{*mod symbol}
-\index{#+@{\tt\#+} symbol}
-\index{#-@{\tt\#-} symbol}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \cdx{nat} & $i$ & & set of natural numbers \\
- \cdx{nat_case}& $[i,i\To i,i]\To i$ & & conditional for $nat$\\
- \tt \#* & $[i,i]\To i$ & Left 70 & multiplication \\
- \tt div & $[i,i]\To i$ & Left 70 & division\\
- \tt mod & $[i,i]\To i$ & Left 70 & modulus\\
- \tt \#+ & $[i,i]\To i$ & Left 65 & addition\\
- \tt \#- & $[i,i]\To i$ & Left 65 & subtraction
-\end{constants}
-
-\begin{alltt*}\isastyleminor
-\tdx{nat_def}: nat == lfp(lam r \isasymin Pow(Inf). {\ttlbrace}0{\ttrbrace} \isasymunion {\ttlbrace}succ(x). x \isasymin r{\ttrbrace}
-
-\tdx{nat_case_def}: nat_case(a,b,k) ==
- THE y. k=0 & y=a | ({\isasymexists}x. k=succ(x) & y=b(x))
-
-\tdx{nat_0I}: 0 \isasymin nat
-\tdx{nat_succI}: n \isasymin nat ==> succ(n) \isasymin nat
-
-\tdx{nat_induct}:
- [| n \isasymin nat; P(0); !!x. [| x \isasymin nat; P(x) |] ==> P(succ(x))
- |] ==> P(n)
-
-\tdx{nat_case_0}: nat_case(a,b,0) = a
-\tdx{nat_case_succ}: nat_case(a,b,succ(m)) = b(m)
-
-\tdx{add_0_natify}: 0 #+ n = natify(n)
-\tdx{add_succ}: succ(m) #+ n = succ(m #+ n)
-
-\tdx{mult_type}: m #* n \isasymin nat
-\tdx{mult_0}: 0 #* n = 0
-\tdx{mult_succ}: succ(m) #* n = n #+ (m #* n)
-\tdx{mult_commute}: m #* n = n #* m
-\tdx{add_mult_dist}: (m #+ n) #* k = (m #* k) #+ (n #* k)
-\tdx{mult_assoc}: (m #* n) #* k = m #* (n #* k)
-\tdx{mod_div_equality}: m \isasymin nat ==> (m div n)#*n #+ m mod n = m
-\end{alltt*}
-\caption{The natural numbers} \label{zf-nat}
-\end{figure}
-
-\index{natural numbers}
-
-Theory \thydx{Nat} defines the natural numbers and mathematical
-induction, along with a case analysis operator. The set of natural
-numbers, here called \isa{nat}, is known in set theory as the ordinal~$\omega$.
-
-Theory \thydx{Arith} develops arithmetic on the natural numbers
-(Fig.\ts\ref{zf-nat}). Addition, multiplication and subtraction are defined
-by primitive recursion. Division and remainder are defined by repeated
-subtraction, which requires well-founded recursion; the termination argument
-relies on the divisor's being non-zero. Many properties are proved:
-commutative, associative and distributive laws, identity and cancellation
-laws, etc. The most interesting result is perhaps the theorem $a \bmod b +
-(a/b)\times b = a$.
-
-To minimize the need for tedious proofs of $t\in\isa{nat}$, the arithmetic
-operators coerce their arguments to be natural numbers. The function
-\cdx{natify} is defined such that $\isa{natify}(n) = n$ if $n$ is a natural
-number, $\isa{natify}(\isa{succ}(x)) =
-\isa{succ}(\isa{natify}(x))$ for all $x$, and finally
-$\isa{natify}(x)=0$ in all other cases. The benefit is that the addition,
-subtraction, multiplication, division and remainder operators always return
-natural numbers, regardless of their arguments. Algebraic laws (commutative,
-associative, distributive) are unconditional. Occurrences of \isa{natify}
-as operands of those operators are simplified away. Any remaining occurrences
-can either be tolerated or else eliminated by proving that the argument is a
-natural number.
-
-The simplifier automatically cancels common terms on the opposite sides of
-subtraction and of relations ($=$, $<$ and $\le$). Here is an example:
-\begin{isabelle}
- 1. i \#+ j \#+ k \#- j < k \#+ l\isanewline
-\isacommand{apply}\ simp\isanewline
- 1. natify(i) < natify(l)
-\end{isabelle}
-Given the assumptions \isa{i \isasymin nat} and \isa{l \isasymin nat}, both occurrences of
-\cdx{natify} would be simplified away.
-
-
-\begin{figure}\small
-\index{$*@{\tt\$*} symbol}
-\index{$+@{\tt\$+} symbol}
-\index{$-@{\tt\$-} symbol}
-\begin{constants}
- \it symbol & \it meta-type & \it priority & \it description \\
- \cdx{int} & $i$ & & set of integers \\
- \tt \$* & $[i,i]\To i$ & Left 70 & multiplication \\
- \tt \$+ & $[i,i]\To i$ & Left 65 & addition\\
- \tt \$- & $[i,i]\To i$ & Left 65 & subtraction\\
- \tt \$< & $[i,i]\To o$ & Left 50 & $<$ on integers\\
- \tt \$<= & $[i,i]\To o$ & Left 50 & $\le$ on integers
-\end{constants}
-
-\begin{alltt*}\isastyleminor
-\tdx{zadd_0_intify}: 0 $+ n = intify(n)
-
-\tdx{zmult_type}: m $* n \isasymin int
-\tdx{zmult_0}: 0 $* n = 0
-\tdx{zmult_commute}: m $* n = n $* m
-\tdx{zadd_zmult_dist}: (m $+ n) $* k = (m $* k) $+ (n $* k)
-\tdx{zmult_assoc}: (m $* n) $* k = m $* (n $* k)
-\end{alltt*}
-\caption{The integers} \label{zf-int}
-\end{figure}
-
-
-\index{integers}
-
-Theory \thydx{Int} defines the integers, as equivalence classes of natural
-numbers. Figure~\ref{zf-int} presents a tidy collection of laws. In
-fact, a large library of facts is proved, including monotonicity laws for
-addition and multiplication, covering both positive and negative operands.
-
-As with the natural numbers, the need for typing proofs is minimized. All the
-operators defined in Fig.\ts\ref{zf-int} coerce their operands to integers by
-applying the function \cdx{intify}. This function is the identity on integers
-and maps other operands to zero.
-
-Decimal notation is provided for the integers. Numbers, written as
-\isa{\#$nnn$} or \isa{\#-$nnn$}, are represented internally in
-two's-complement binary. Expressions involving addition, subtraction and
-multiplication of numeral constants are evaluated (with acceptable efficiency)
-by simplification. The simplifier also collects similar terms, multiplying
-them by a numerical coefficient. It also cancels occurrences of the same
-terms on the other side of the relational operators. Example:
-\begin{isabelle}
- 1. y \$+ z \$+ \#-3 \$* x \$+ y \$<= x \$* \#2 \$+
-z\isanewline
-\isacommand{apply}\ simp\isanewline
- 1. \#2 \$* y \$<= \#5 \$* x
-\end{isabelle}
-For more information on the integers, please see the theories on directory
-\texttt{ZF/Integ}.
-
-\index{arithmetic|)}
-
-
-\section{Datatype definitions}
-\label{sec:ZF:datatype}
-\index{*datatype|(}
-
-The \ttindex{datatype} definition package of ZF constructs inductive datatypes
-similar to \ML's. It can also construct coinductive datatypes
-(codatatypes), which are non-well-founded structures such as streams. It
-defines the set using a fixed-point construction and proves induction rules,
-as well as theorems for recursion and case combinators. It supplies
-mechanisms for reasoning about freeness. The datatype package can handle both
-mutual and indirect recursion.
-
-
-\subsection{Basics}
-\label{subsec:datatype:basics}
-
-A \isa{datatype} definition has the following form:
-\[
-\begin{array}{llcl}
-\mathtt{datatype} & t@1(A@1,\ldots,A@h) & = &
- constructor^1@1 ~\mid~ \ldots ~\mid~ constructor^1@{k@1} \\
- & & \vdots \\
-\mathtt{and} & t@n(A@1,\ldots,A@h) & = &
- constructor^n@1~ ~\mid~ \ldots ~\mid~ constructor^n@{k@n}
-\end{array}
-\]
-Here $t@1$, \ldots,~$t@n$ are identifiers and $A@1$, \ldots,~$A@h$ are
-variables: the datatype's parameters. Each constructor specification has the
-form \dquotesoff
-\[ C \hbox{\tt~( } \hbox{\tt"} x@1 \hbox{\tt:} T@1 \hbox{\tt"},\;
- \ldots,\;
- \hbox{\tt"} x@m \hbox{\tt:} T@m \hbox{\tt"}
- \hbox{\tt~)}
-\]
-Here $C$ is the constructor name, and variables $x@1$, \ldots,~$x@m$ are the
-constructor arguments, belonging to the sets $T@1$, \ldots, $T@m$,
-respectively. Typically each $T@j$ is either a constant set, a datatype
-parameter (one of $A@1$, \ldots, $A@h$) or a recursive occurrence of one of
-the datatypes, say $t@i(A@1,\ldots,A@h)$. More complex possibilities exist,
-but they are much harder to realize. Often, additional information must be
-supplied in the form of theorems.
-
-A datatype can occur recursively as the argument of some function~$F$. This
-is called a {\em nested} (or \emph{indirect}) occurrence. It is only allowed
-if the datatype package is given a theorem asserting that $F$ is monotonic.
-If the datatype has indirect occurrences, then Isabelle/ZF does not support
-recursive function definitions.
-
-A simple example of a datatype is \isa{list}, which is built-in, and is
-defined by
-\begin{alltt*}\isastyleminor
-consts list :: "i=>i"
-datatype "list(A)" = Nil | Cons ("a \isasymin A", "l \isasymin list(A)")
-\end{alltt*}
-Note that the datatype operator must be declared as a constant first.
-However, the package declares the constructors. Here, \isa{Nil} gets type
-$i$ and \isa{Cons} gets type $[i,i]\To i$.
-
-Trees and forests can be modelled by the mutually recursive datatype
-definition
-\begin{alltt*}\isastyleminor
-consts
- tree :: "i=>i"
- forest :: "i=>i"
- tree_forest :: "i=>i"
-datatype "tree(A)" = Tcons ("a{\isasymin}A", "f{\isasymin}forest(A)")
-and "forest(A)" = Fnil | Fcons ("t{\isasymin}tree(A)", "f{\isasymin}forest(A)")
-\end{alltt*}
-Here $\isa{tree}(A)$ is the set of trees over $A$, $\isa{forest}(A)$ is
-the set of forests over $A$, and $\isa{tree_forest}(A)$ is the union of
-the previous two sets. All three operators must be declared first.
-
-The datatype \isa{term}, which is defined by
-\begin{alltt*}\isastyleminor
-consts term :: "i=>i"
-datatype "term(A)" = Apply ("a \isasymin A", "l \isasymin list(term(A))")
- monos list_mono
- type_elims list_univ [THEN subsetD, elim_format]
-\end{alltt*}
-is an example of nested recursion. (The theorem \isa{list_mono} is proved
-in theory \isa{List}, and the \isa{term} example is developed in
-theory
-\thydx{Induct/Term}.)
-
-\subsubsection{Freeness of the constructors}
-
-Constructors satisfy {\em freeness} properties. Constructions are distinct,
-for example $\isa{Nil}\not=\isa{Cons}(a,l)$, and they are injective, for
-example $\isa{Cons}(a,l)=\isa{Cons}(a',l') \bimp a=a' \conj l=l'$.
-Because the number of freeness is quadratic in the number of constructors, the
-datatype package does not prove them. Instead, it ensures that simplification
-will prove them dynamically: when the simplifier encounters a formula
-asserting the equality of two datatype constructors, it performs freeness
-reasoning.
-
-Freeness reasoning can also be done using the classical reasoner, but it is
-more complicated. You have to add some safe elimination rules rules to the
-claset. For the \isa{list} datatype, they are called
-\isa{list.free_elims}. Occasionally this exposes the underlying
-representation of some constructor, which can be rectified using the command
-\isa{unfold list.con_defs [symmetric]}.
-
-
-\subsubsection{Structural induction}
-
-The datatype package also provides structural induction rules. For datatypes
-without mutual or nested recursion, the rule has the form exemplified by
-\isa{list.induct} in Fig.\ts\ref{zf-list}. For mutually recursive
-datatypes, the induction rule is supplied in two forms. Consider datatype
-\isa{TF}. The rule \isa{tree_forest.induct} performs induction over a
-single predicate~\isa{P}, which is presumed to be defined for both trees
-and forests:
-\begin{alltt*}\isastyleminor
-[| x \isasymin tree_forest(A);
- !!a f. [| a \isasymin A; f \isasymin forest(A); P(f) |] ==> P(Tcons(a, f));
- P(Fnil);
- !!f t. [| t \isasymin tree(A); P(t); f \isasymin forest(A); P(f) |]
- ==> P(Fcons(t, f))
-|] ==> P(x)
-\end{alltt*}
-The rule \isa{tree_forest.mutual_induct} performs induction over two
-distinct predicates, \isa{P_tree} and \isa{P_forest}.
-\begin{alltt*}\isastyleminor
-[| !!a f.
- [| a{\isasymin}A; f{\isasymin}forest(A); P_forest(f) |] ==> P_tree(Tcons(a,f));
- P_forest(Fnil);
- !!f t. [| t{\isasymin}tree(A); P_tree(t); f{\isasymin}forest(A); P_forest(f) |]
- ==> P_forest(Fcons(t, f))
-|] ==> ({\isasymforall}za. za \isasymin tree(A) --> P_tree(za)) &
- ({\isasymforall}za. za \isasymin forest(A) --> P_forest(za))
-\end{alltt*}
-
-For datatypes with nested recursion, such as the \isa{term} example from
-above, things are a bit more complicated. The rule \isa{term.induct}
-refers to the monotonic operator, \isa{list}:
-\begin{alltt*}\isastyleminor
-[| x \isasymin term(A);
- !!a l. [| a\isasymin{}A; l\isasymin{}list(Collect(term(A), P)) |] ==> P(Apply(a,l))
-|] ==> P(x)
-\end{alltt*}
-The theory \isa{Induct/Term.thy} derives two higher-level induction rules,
-one of which is particularly useful for proving equations:
-\begin{alltt*}\isastyleminor
-[| t \isasymin term(A);
- !!x zs. [| x \isasymin A; zs \isasymin list(term(A)); map(f, zs) = map(g, zs) |]
- ==> f(Apply(x, zs)) = g(Apply(x, zs))
-|] ==> f(t) = g(t)
-\end{alltt*}
-How this can be generalized to other nested datatypes is a matter for future
-research.
-
-
-\subsubsection{The \isa{case} operator}
-
-The package defines an operator for performing case analysis over the
-datatype. For \isa{list}, it is called \isa{list_case} and satisfies
-the equations
-\begin{ttbox}\isastyleminor
-list_case(f_Nil, f_Cons, []) = f_Nil
-list_case(f_Nil, f_Cons, Cons(a, l)) = f_Cons(a, l)
-\end{ttbox}
-Here \isa{f_Nil} is the value to return if the argument is \isa{Nil} and
-\isa{f_Cons} is a function that computes the value to return if the
-argument has the form $\isa{Cons}(a,l)$. The function can be expressed as
-an abstraction, over patterns if desired (\S\ref{sec:pairs}).
-
-For mutually recursive datatypes, there is a single \isa{case} operator.
-In the tree/forest example, the constant \isa{tree_forest_case} handles all
-of the constructors of the two datatypes.
-
-
-\subsection{Defining datatypes}
-
-The theory syntax for datatype definitions is shown in the
-Isabelle/Isar reference manual. In order to be well-formed, a
-datatype definition has to obey the rules stated in the previous
-section. As a result the theory is extended with the new types, the
-constructors, and the theorems listed in the previous section.
-
-Codatatypes are declared like datatypes and are identical to them in every
-respect except that they have a coinduction rule instead of an induction rule.
-Note that while an induction rule has the effect of limiting the values
-contained in the set, a coinduction rule gives a way of constructing new
-values of the set.
-
-Most of the theorems about datatypes become part of the default simpset. You
-never need to see them again because the simplifier applies them
-automatically.
-
-\subsubsection{Specialized methods for datatypes}
-
-Induction and case-analysis can be invoked using these special-purpose
-methods:
-\begin{ttdescription}
-\item[\methdx{induct_tac} $x$] applies structural
- induction on variable $x$ to subgoal~1, provided the type of $x$ is a
- datatype. The induction variable should not occur among other assumptions
- of the subgoal.
-\end{ttdescription}
-%
-% we also have the ind_cases method, but what does it do?
-In some situations, induction is overkill and a case distinction over all
-constructors of the datatype suffices.
-\begin{ttdescription}
-\item[\methdx{case_tac} $x$]
- performs a case analysis for the variable~$x$.
-\end{ttdescription}
-
-Both tactics can only be applied to a variable, whose typing must be given in
-some assumption, for example the assumption \isa{x \isasymin \ list(A)}. The tactics
-also work for the natural numbers (\isa{nat}) and disjoint sums, although
-these sets were not defined using the datatype package. (Disjoint sums are
-not recursive, so only \isa{case_tac} is available.)
-
-Structured Isar methods are also available. Below, $t$
-stands for the name of the datatype.
-\begin{ttdescription}
-\item[\methdx{induct} \isa{set:}\ $t$] is the Isar induction tactic.
-\item[\methdx{cases} \isa{set:}\ $t$] is the Isar case-analysis tactic.
-\end{ttdescription}
-
-
-\subsubsection{The theorems proved by a datatype declaration}
-
-Here are some more details for the technically minded. Processing the
-datatype declaration of a set~$t$ produces a name space~$t$ containing
-the following theorems:
-\begin{ttbox}\isastyleminor
-intros \textrm{the introduction rules}
-cases \textrm{the case analysis rule}
-induct \textrm{the standard induction rule}
-mutual_induct \textrm{the mutual induction rule, if needed}
-case_eqns \textrm{equations for the case operator}
-recursor_eqns \textrm{equations for the recursor}
-simps \textrm{the union of} case_eqns \textrm{and} recursor_eqns
-con_defs \textrm{definitions of the case operator and constructors}
-free_iffs \textrm{logical equivalences for proving freeness}
-free_elims \textrm{elimination rules for proving freeness}
-defs \textrm{datatype definition(s)}
-\end{ttbox}
-Furthermore there is the theorem $C$ for every constructor~$C$; for
-example, the \isa{list} datatype's introduction rules are bound to the
-identifiers \isa{Nil} and \isa{Cons}.
-
-For a codatatype, the component \isa{coinduct} is the coinduction rule,
-replacing the \isa{induct} component.
-
-See the theories \isa{Induct/Ntree} and \isa{Induct/Brouwer} for examples of
-infinitely branching datatypes. See theory \isa{Induct/LList} for an example
-of a codatatype. Some of these theories illustrate the use of additional,
-undocumented features of the datatype package. Datatype definitions are
-reduced to inductive definitions, and the advanced features should be
-understood in that light.
-
-
-\subsection{Examples}
-
-\subsubsection{The datatype of binary trees}
-
-Let us define the set $\isa{bt}(A)$ of binary trees over~$A$. The theory
-must contain these lines:
-\begin{alltt*}\isastyleminor
-consts bt :: "i=>i"
-datatype "bt(A)" = Lf | Br ("a\isasymin{}A", "t1\isasymin{}bt(A)", "t2\isasymin{}bt(A)")
-\end{alltt*}
-After loading the theory, we can prove some theorem.
-We begin by declaring the constructor's typechecking rules
-as simplification rules:
-\begin{isabelle}
-\isacommand{declare}\ bt.intros\ [simp]%
-\end{isabelle}
-
-Our first example is the theorem that no tree equals its
-left branch. To make the inductive hypothesis strong enough,
-the proof requires a quantified induction formula, but
-the \isa{rule\_format} attribute will remove the quantifiers
-before the theorem is stored.
-\begin{isabelle}
-\isacommand{lemma}\ Br\_neq\_left\ [rule\_format]:\ "l\isasymin bt(A)\ ==>\ \isasymforall x\ r.\ Br(x,l,r)\isasymnoteq{}l"\isanewline
-\ 1.\ l\ \isasymin \ bt(A)\ \isasymLongrightarrow \ \isasymforall x\ r.\ Br(x,\ l,\ r)\ \isasymnoteq \ l%
-\end{isabelle}
-This can be proved by the structural induction tactic:
-\begin{isabelle}
-\ \ \isacommand{apply}\ (induct\_tac\ l)\isanewline
-\ 1.\ \isasymforall x\ r.\ Br(x,\ Lf,\ r)\ \isasymnoteq \ Lf\isanewline
-\ 2.\ \isasymAnd a\ t1\ t2.\isanewline
-\isaindent{\ 2.\ \ \ \ }\isasymlbrakk a\ \isasymin \ A;\ t1\ \isasymin \ bt(A);\ \isasymforall x\ r.\ Br(x,\ t1,\ r)\ \isasymnoteq \ t1;\ t2\ \isasymin \ bt(A);\isanewline
-\isaindent{\ 2.\ \ \ \ \ \ \ }\isasymforall x\ r.\ Br(x,\ t2,\ r)\ \isasymnoteq \ t2\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \ \ \ }\isasymLongrightarrow \ \isasymforall x\ r.\ Br(x,\ Br(a,\ t1,\ t2),\ r)\ \isasymnoteq \ Br(a,\ t1,\ t2)
-\end{isabelle}
-Both subgoals are proved using \isa{auto}, which performs the necessary
-freeness reasoning.
-\begin{isabelle}
-\ \ \isacommand{apply}\ auto\isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-
-An alternative proof uses Isar's fancy \isa{induct} method, which
-automatically quantifies over all free variables:
-
-\begin{isabelle}
-\isacommand{lemma}\ Br\_neq\_left':\ "l\ \isasymin \ bt(A)\ ==>\ (!!x\ r.\ Br(x,\ l,\ r)\ \isasymnoteq \ l)"\isanewline
-\ \ \isacommand{apply}\ (induct\ set:\ bt)\isanewline
-\ 1.\ \isasymAnd x\ r.\ Br(x,\ Lf,\ r)\ \isasymnoteq \ Lf\isanewline
-\ 2.\ \isasymAnd a\ t1\ t2\ x\ r.\isanewline
-\isaindent{\ 2.\ \ \ \ }\isasymlbrakk a\ \isasymin \ A;\ t1\ \isasymin \ bt(A);\ \isasymAnd x\ r.\ Br(x,\ t1,\ r)\ \isasymnoteq \ t1;\ t2\ \isasymin \ bt(A);\isanewline
-\isaindent{\ 2.\ \ \ \ \ \ \ }\isasymAnd x\ r.\ Br(x,\ t2,\ r)\ \isasymnoteq \ t2\isasymrbrakk \isanewline
-\isaindent{\ 2.\ \ \ \ }\isasymLongrightarrow \ Br(x,\ Br(a,\ t1,\ t2),\ r)\ \isasymnoteq \ Br(a,\ t1,\ t2)
-\end{isabelle}
-Compare the form of the induction hypotheses with the corresponding ones in
-the previous proof. As before, to conclude requires only \isa{auto}.
-
-When there are only a few constructors, we might prefer to prove the freenness
-theorems for each constructor. This is simple:
-\begin{isabelle}
-\isacommand{lemma}\ Br\_iff:\ "Br(a,l,r)\ =\ Br(a',l',r')\ <->\ a=a'\ \&\ l=l'\ \&\ r=r'"\isanewline
-\ \ \isacommand{by}\ (blast\ elim!:\ bt.free\_elims)
-\end{isabelle}
-Here we see a demonstration of freeness reasoning using
-\isa{bt.free\_elims}, but simpler still is just to apply \isa{auto}.
-
-An \ttindex{inductive\_cases} declaration generates instances of the
-case analysis rule that have been simplified using freeness
-reasoning.
-\begin{isabelle}
-\isacommand{inductive\_cases}\ Br\_in\_bt:\ "Br(a,\ l,\ r)\ \isasymin \ bt(A)"
-\end{isabelle}
-The theorem just created is
-\begin{isabelle}
-\isasymlbrakk Br(a,\ l,\ r)\ \isasymin \ bt(A);\ \isasymlbrakk a\ \isasymin \ A;\ l\ \isasymin \ bt(A);\ r\ \isasymin \ bt(A)\isasymrbrakk \ \isasymLongrightarrow \ Q\isasymrbrakk \ \isasymLongrightarrow \ Q.
-\end{isabelle}
-It is an elimination rule that from $\isa{Br}(a,l,r)\in\isa{bt}(A)$
-lets us infer $a\in A$, $l\in\isa{bt}(A)$ and
-$r\in\isa{bt}(A)$.
-
-
-\subsubsection{Mixfix syntax in datatypes}
-
-Mixfix syntax is sometimes convenient. The theory \isa{Induct/PropLog} makes a
-deep embedding of propositional logic:
-\begin{alltt*}\isastyleminor
-consts prop :: i
-datatype "prop" = Fls
- | Var ("n \isasymin nat") ("#_" [100] 100)
- | "=>" ("p \isasymin prop", "q \isasymin prop") (infixr 90)
-\end{alltt*}
-The second constructor has a special $\#n$ syntax, while the third constructor
-is an infixed arrow.
-
-
-\subsubsection{A giant enumeration type}
-
-This example shows a datatype that consists of 60 constructors:
-\begin{alltt*}\isastyleminor
-consts enum :: i
-datatype
- "enum" = C00 | C01 | C02 | C03 | C04 | C05 | C06 | C07 | C08 | C09
- | C10 | C11 | C12 | C13 | C14 | C15 | C16 | C17 | C18 | C19
- | C20 | C21 | C22 | C23 | C24 | C25 | C26 | C27 | C28 | C29
- | C30 | C31 | C32 | C33 | C34 | C35 | C36 | C37 | C38 | C39
- | C40 | C41 | C42 | C43 | C44 | C45 | C46 | C47 | C48 | C49
- | C50 | C51 | C52 | C53 | C54 | C55 | C56 | C57 | C58 | C59
-end
-\end{alltt*}
-The datatype package scales well. Even though all properties are proved
-rather than assumed, full processing of this definition takes around two seconds
-(on a 1.8GHz machine). The constructors have a balanced representation,
-related to binary notation, so freeness properties can be proved fast.
-\begin{isabelle}
-\isacommand{lemma}\ "C00 \isasymnoteq\ C01"\isanewline
-\ \ \isacommand{by}\ simp
-\end{isabelle}
-You need not derive such inequalities explicitly. The simplifier will
-dispose of them automatically.
-
-\index{*datatype|)}
-
-
-\subsection{Recursive function definitions}\label{sec:ZF:recursive}
-\index{recursive functions|see{recursion}}
-\index{*primrec|(}
-\index{recursion!primitive|(}
-
-Datatypes come with a uniform way of defining functions, {\bf primitive
- recursion}. Such definitions rely on the recursion operator defined by the
-datatype package. Isabelle proves the desired recursion equations as
-theorems.
-
-In principle, one could introduce primitive recursive functions by asserting
-their reduction rules as axioms. Here is a dangerous way of defining a
-recursive function over binary trees:
-\begin{isabelle}
-\isacommand{consts}\ \ n\_nodes\ ::\ "i\ =>\ i"\isanewline
-\isacommand{axioms}\isanewline
-\ \ n\_nodes\_Lf:\ "n\_nodes(Lf)\ =\ 0"\isanewline
-\ \ n\_nodes\_Br:\ "n\_nodes(Br(a,l,r))\ =\ succ(n\_nodes(l)\ \#+\ n\_nodes(r))"
-\end{isabelle}
-Asserting axioms brings the danger of accidentally introducing
-contradictions. It should be avoided whenever possible.
-
-The \ttindex{primrec} declaration is a safe means of defining primitive
-recursive functions on datatypes:
-\begin{isabelle}
-\isacommand{consts}\ \ n\_nodes\ ::\ "i\ =>\ i"\isanewline
-\isacommand{primrec}\isanewline
-\ \ "n\_nodes(Lf)\ =\ 0"\isanewline
-\ \ "n\_nodes(Br(a,\ l,\ r))\ =\ succ(n\_nodes(l)\ \#+\ n\_nodes(r))"
-\end{isabelle}
-Isabelle will now derive the two equations from a low-level definition
-based upon well-founded recursion. If they do not define a legitimate
-recursion, then Isabelle will reject the declaration.
-
-
-\subsubsection{Syntax of recursive definitions}
-
-The general form of a primitive recursive definition is
-\begin{ttbox}\isastyleminor
-primrec
- {\it reduction rules}
-\end{ttbox}
-where \textit{reduction rules} specify one or more equations of the form
-\[ f \, x@1 \, \dots \, x@m \, (C \, y@1 \, \dots \, y@k) \, z@1 \,
-\dots \, z@n = r \] such that $C$ is a constructor of the datatype, $r$
-contains only the free variables on the left-hand side, and all recursive
-calls in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$.
-There must be at most one reduction rule for each constructor. The order is
-immaterial. For missing constructors, the function is defined to return zero.
-
-All reduction rules are added to the default simpset.
-If you would like to refer to some rule by name, then you must prefix
-the rule with an identifier. These identifiers, like those in the
-\isa{rules} section of a theory, will be visible in proof scripts.
-
-The reduction rules become part of the default simpset, which
-leads to short proof scripts:
-\begin{isabelle}
-\isacommand{lemma}\ n\_nodes\_type\ [simp]:\ "t\ \isasymin \ bt(A)\ ==>\ n\_nodes(t)\ \isasymin \ nat"\isanewline
-\ \ \isacommand{by}\ (induct\_tac\ t,\ auto)
-\end{isabelle}
-
-You can even use the \isa{primrec} form with non-recursive datatypes and
-with codatatypes. Recursion is not allowed, but it provides a convenient
-syntax for defining functions by cases.
-
-
-\subsubsection{Example: varying arguments}
-
-All arguments, other than the recursive one, must be the same in each equation
-and in each recursive call. To get around this restriction, use explict
-$\lambda$-abstraction and function application. For example, let us
-define the tail-recursive version of \isa{n\_nodes}, using an
-accumulating argument for the counter. The second argument, $k$, varies in
-recursive calls.
-\begin{isabelle}
-\isacommand{consts}\ \ n\_nodes\_aux\ ::\ "i\ =>\ i"\isanewline
-\isacommand{primrec}\isanewline
-\ \ "n\_nodes\_aux(Lf)\ =\ (\isasymlambda k\ \isasymin \ nat.\ k)"\isanewline
-\ \ "n\_nodes\_aux(Br(a,l,r))\ =\ \isanewline
-\ \ \ \ \ \ (\isasymlambda k\ \isasymin \ nat.\ n\_nodes\_aux(r)\ `\ \ (n\_nodes\_aux(l)\ `\ succ(k)))"
-\end{isabelle}
-Now \isa{n\_nodes\_aux(t)\ `\ k} is our function in two arguments. We
-can prove a theorem relating it to \isa{n\_nodes}. Note the quantification
-over \isa{k\ \isasymin \ nat}:
-\begin{isabelle}
-\isacommand{lemma}\ n\_nodes\_aux\_eq\ [rule\_format]:\isanewline
-\ \ \ \ \ "t\ \isasymin \ bt(A)\ ==>\ \isasymforall k\ \isasymin \ nat.\ n\_nodes\_aux(t)`k\ =\ n\_nodes(t)\ \#+\ k"\isanewline
-\ \ \isacommand{by}\ (induct\_tac\ t,\ simp\_all)
-\end{isabelle}
-
-Now, we can use \isa{n\_nodes\_aux} to define a tail-recursive version
-of \isa{n\_nodes}:
-\begin{isabelle}
-\isacommand{constdefs}\isanewline
-\ \ n\_nodes\_tail\ ::\ "i\ =>\ i"\isanewline
-\ \ \ "n\_nodes\_tail(t)\ ==\ n\_nodes\_aux(t)\ `\ 0"
-\end{isabelle}
-It is easy to
-prove that \isa{n\_nodes\_tail} is equivalent to \isa{n\_nodes}:
-\begin{isabelle}
-\isacommand{lemma}\ "t\ \isasymin \ bt(A)\ ==>\ n\_nodes\_tail(t)\ =\ n\_nodes(t)"\isanewline
-\ \isacommand{by}\ (simp\ add:\ n\_nodes\_tail\_def\ n\_nodes\_aux\_eq)
-\end{isabelle}
-
-
-
-
-\index{recursion!primitive|)}
-\index{*primrec|)}
-
-
-\section{Inductive and coinductive definitions}
-\index{*inductive|(}
-\index{*coinductive|(}
-
-An {\bf inductive definition} specifies the least set~$R$ closed under given
-rules. (Applying a rule to elements of~$R$ yields a result within~$R$.) For
-example, a structural operational semantics is an inductive definition of an
-evaluation relation. Dually, a {\bf coinductive definition} specifies the
-greatest set~$R$ consistent with given rules. (Every element of~$R$ can be
-seen as arising by applying a rule to elements of~$R$.) An important example
-is using bisimulation relations to formalise equivalence of processes and
-infinite data structures.
-
-A theory file may contain any number of inductive and coinductive
-definitions. They may be intermixed with other declarations; in
-particular, the (co)inductive sets {\bf must} be declared separately as
-constants, and may have mixfix syntax or be subject to syntax translations.
-
-Each (co)inductive definition adds definitions to the theory and also
-proves some theorems. It behaves identially to the analogous
-inductive definition except that instead of an induction rule there is
-a coinduction rule. Its treatment of coinduction is described in
-detail in a separate paper,%
-\footnote{It appeared in CADE~\cite{paulson-CADE}; a longer version is
- distributed with Isabelle as \emph{A Fixedpoint Approach to
- (Co)Inductive and (Co)Datatype Definitions}.} %
-which you might refer to for background information.
-
-
-\subsection{The syntax of a (co)inductive definition}
-An inductive definition has the form
-\begin{ttbox}\isastyleminor
-inductive
- domains {\it domain declarations}
- intros {\it introduction rules}
- monos {\it monotonicity theorems}
- con_defs {\it constructor definitions}
- type_intros {\it introduction rules for type-checking}
- type_elims {\it elimination rules for type-checking}
-\end{ttbox}
-A coinductive definition is identical, but starts with the keyword
-\isa{co\-inductive}.
-
-The \isa{monos}, \isa{con\_defs}, \isa{type\_intros} and \isa{type\_elims}
-sections are optional. If present, each is specified as a list of
-theorems, which may contain Isar attributes as usual.
-
-\begin{description}
-\item[\it domain declarations] are items of the form
- {\it string\/}~\isa{\isasymsubseteq }~{\it string}, associating each recursive set with
- its domain. (The domain is some existing set that is large enough to
- hold the new set being defined.)
-
-\item[\it introduction rules] specify one or more introduction rules in
- the form {\it ident\/}~{\it string}, where the identifier gives the name of
- the rule in the result structure.
-
-\item[\it monotonicity theorems] are required for each operator applied to
- a recursive set in the introduction rules. There \textbf{must} be a theorem
- of the form $A\subseteq B\Imp M(A)\subseteq M(B)$, for each premise $t\in M(R_i)$
- in an introduction rule!
-
-\item[\it constructor definitions] contain definitions of constants
- appearing in the introduction rules. The (co)datatype package supplies
- the constructors' definitions here. Most (co)inductive definitions omit
- this section; one exception is the primitive recursive functions example;
- see theory \isa{Induct/Primrec}.
-
-\item[\it type\_intros] consists of introduction rules for type-checking the
- definition: for demonstrating that the new set is included in its domain.
- (The proof uses depth-first search.)
-
-\item[\it type\_elims] consists of elimination rules for type-checking the
- definition. They are presumed to be safe and are applied as often as
- possible prior to the \isa{type\_intros} search.
-\end{description}
-
-The package has a few restrictions:
-\begin{itemize}
-\item The theory must separately declare the recursive sets as
- constants.
-
-\item The names of the recursive sets must be identifiers, not infix
-operators.
-
-\item Side-conditions must not be conjunctions. However, an introduction rule
-may contain any number of side-conditions.
-
-\item Side-conditions of the form $x=t$, where the variable~$x$ does not
- occur in~$t$, will be substituted through the rule \isa{mutual\_induct}.
-\end{itemize}
-
-
-\subsection{Example of an inductive definition}
-
-Below, we shall see how Isabelle/ZF defines the finite powerset
-operator. The first step is to declare the constant~\isa{Fin}. Then we
-must declare it inductively, with two introduction rules:
-\begin{isabelle}
-\isacommand{consts}\ \ Fin\ ::\ "i=>i"\isanewline
-\isacommand{inductive}\isanewline
-\ \ \isakeyword{domains}\ \ \ "Fin(A)"\ \isasymsubseteq\ "Pow(A)"\isanewline
-\ \ \isakeyword{intros}\isanewline
-\ \ \ \ emptyI:\ \ "0\ \isasymin\ Fin(A)"\isanewline
-\ \ \ \ consI:\ \ \ "[|\ a\ \isasymin\ A;\ \ b\ \isasymin\ Fin(A)\ |]\ ==>\ cons(a,b)\ \isasymin\ Fin(A)"\isanewline
-\ \ \isakeyword{type\_intros}\ \ empty\_subsetI\ cons\_subsetI\ PowI\isanewline
-\ \ \isakeyword{type\_elims}\ \ \ PowD\ [THEN\ revcut\_rl]\end{isabelle}
-The resulting theory contains a name space, called~\isa{Fin}.
-The \isa{Fin}$~A$ introduction rules can be referred to collectively as
-\isa{Fin.intros}, and also individually as \isa{Fin.emptyI} and
-\isa{Fin.consI}. The induction rule is \isa{Fin.induct}.
-
-The chief problem with making (co)inductive definitions involves type-checking
-the rules. Sometimes, additional theorems need to be supplied under
-\isa{type_intros} or \isa{type_elims}. If the package fails when trying
-to prove your introduction rules, then set the flag \ttindexbold{trace_induct}
-to \isa{true} and try again. (See the manual \emph{A Fixedpoint Approach
- \ldots} for more discussion of type-checking.)
-
-In the example above, $\isa{Pow}(A)$ is given as the domain of
-$\isa{Fin}(A)$, for obviously every finite subset of~$A$ is a subset
-of~$A$. However, the inductive definition package can only prove that given a
-few hints.
-Here is the output that results (with the flag set) when the
-\isa{type_intros} and \isa{type_elims} are omitted from the inductive
-definition above:
-\begin{alltt*}\isastyleminor
-Inductive definition Finite.Fin
-Fin(A) ==
-lfp(Pow(A),
- \%X. {z\isasymin{}Pow(A) . z = 0 | ({\isasymexists}a b. z = cons(a,b) & a\isasymin{}A & b\isasymin{}X)})
- Proving monotonicity...
-\ttbreak
- Proving the introduction rules...
-The type-checking subgoal:
-0 \isasymin Fin(A)
- 1. 0 \isasymin Pow(A)
-\ttbreak
-The subgoal after monos, type_elims:
-0 \isasymin Fin(A)
- 1. 0 \isasymin Pow(A)
-*** prove_goal: tactic failed
-\end{alltt*}
-We see the need to supply theorems to let the package prove
-$\emptyset\in\isa{Pow}(A)$. Restoring the \isa{type_intros} but not the
-\isa{type_elims}, we again get an error message:
-\begin{alltt*}\isastyleminor
-The type-checking subgoal:
-0 \isasymin Fin(A)
- 1. 0 \isasymin Pow(A)
-\ttbreak
-The subgoal after monos, type_elims:
-0 \isasymin Fin(A)
- 1. 0 \isasymin Pow(A)
-\ttbreak
-The type-checking subgoal:
-cons(a, b) \isasymin Fin(A)
- 1. [| a \isasymin A; b \isasymin Fin(A) |] ==> cons(a, b) \isasymin Pow(A)
-\ttbreak
-The subgoal after monos, type_elims:
-cons(a, b) \isasymin Fin(A)
- 1. [| a \isasymin A; b \isasymin Pow(A) |] ==> cons(a, b) \isasymin Pow(A)
-*** prove_goal: tactic failed
-\end{alltt*}
-The first rule has been type-checked, but the second one has failed. The
-simplest solution to such problems is to prove the failed subgoal separately
-and to supply it under \isa{type_intros}. The solution actually used is
-to supply, under \isa{type_elims}, a rule that changes
-$b\in\isa{Pow}(A)$ to $b\subseteq A$; together with \isa{cons_subsetI}
-and \isa{PowI}, it is enough to complete the type-checking.
-
-
-
-\subsection{Further examples}
-
-An inductive definition may involve arbitrary monotonic operators. Here is a
-standard example: the accessible part of a relation. Note the use
-of~\isa{Pow} in the introduction rule and the corresponding mention of the
-rule \isa{Pow\_mono} in the \isa{monos} list. If the desired rule has a
-universally quantified premise, usually the effect can be obtained using
-\isa{Pow}.
-\begin{isabelle}
-\isacommand{consts}\ \ acc\ ::\ "i\ =>\ i"\isanewline
-\isacommand{inductive}\isanewline
-\ \ \isakeyword{domains}\ "acc(r)"\ \isasymsubseteq \ "field(r)"\isanewline
-\ \ \isakeyword{intros}\isanewline
-\ \ \ \ vimage:\ \ "[|\ r-``\isacharbraceleft a\isacharbraceright\ \isasymin\ Pow(acc(r));\ a\ \isasymin \ field(r)\ |]
-\isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ \ \ ==>\ a\ \isasymin \ acc(r)"\isanewline
-\ \ \isakeyword{monos}\ \ Pow\_mono
-\end{isabelle}
-
-Finally, here are some coinductive definitions. We begin by defining
-lazy (potentially infinite) lists as a codatatype:
-\begin{isabelle}
-\isacommand{consts}\ \ llist\ \ ::\ "i=>i"\isanewline
-\isacommand{codatatype}\isanewline
-\ \ "llist(A)"\ =\ LNil\ |\ LCons\ ("a\ \isasymin \ A",\ "l\ \isasymin \ llist(A)")\isanewline
-\end{isabelle}
-
-The notion of equality on such lists is modelled as a bisimulation:
-\begin{isabelle}
-\isacommand{consts}\ \ lleq\ ::\ "i=>i"\isanewline
-\isacommand{coinductive}\isanewline
-\ \ \isakeyword{domains}\ "lleq(A)"\ <=\ "llist(A)\ *\ llist(A)"\isanewline
-\ \ \isakeyword{intros}\isanewline
-\ \ \ \ LNil:\ \ "<LNil,\ LNil>\ \isasymin \ lleq(A)"\isanewline
-\ \ \ \ LCons:\ "[|\ a\ \isasymin \ A;\ <l,l'>\ \isasymin \ lleq(A)\ |]\ \isanewline
-\ \ \ \ \ \ \ \ \ \ \ \ ==>\ <LCons(a,l),\ LCons(a,l')>\ \isasymin \ lleq(A)"\isanewline
-\ \ \isakeyword{type\_intros}\ \ llist.intros
-\end{isabelle}
-This use of \isa{type_intros} is typical: the relation concerns the
-codatatype \isa{llist}, so naturally the introduction rules for that
-codatatype will be required for type-checking the rules.
-
-The Isabelle distribution contains many other inductive definitions. Simple
-examples are collected on subdirectory \isa{ZF/Induct}. The directory
-\isa{Coind} and the theory \isa{ZF/Induct/LList} contain coinductive
-definitions. Larger examples may be found on other subdirectories of
-\isa{ZF}, such as \isa{IMP}, and \isa{Resid}.
-
-
-\subsection{Theorems generated}
-
-Each (co)inductive set defined in a theory file generates a name space
-containing the following elements:
-\begin{ttbox}\isastyleminor
-intros \textrm{the introduction rules}
-elim \textrm{the elimination (case analysis) rule}
-induct \textrm{the standard induction rule}
-mutual_induct \textrm{the mutual induction rule, if needed}
-defs \textrm{definitions of inductive sets}
-bnd_mono \textrm{monotonicity property}
-dom_subset \textrm{inclusion in `bounding set'}
-\end{ttbox}
-Furthermore, each introduction rule is available under its declared
-name. For a codatatype, the component \isa{coinduct} is the coinduction rule,
-replacing the \isa{induct} component.
-
-Recall that the \ttindex{inductive\_cases} declaration generates
-simplified instances of the case analysis rule. It is as useful for
-inductive definitions as it is for datatypes. There are many examples
-in the theory
-\isa{Induct/Comb}, which is discussed at length
-elsewhere~\cite{paulson-generic}. The theory first defines the
-datatype
-\isa{comb} of combinators:
-\begin{alltt*}\isastyleminor
-consts comb :: i
-datatype "comb" = K
- | S
- | "#" ("p \isasymin comb", "q \isasymin comb") (infixl 90)
-\end{alltt*}
-The theory goes on to define contraction and parallel contraction
-inductively. Then the theory \isa{Induct/Comb.thy} defines special
-cases of contraction, such as this one:
-\begin{isabelle}
-\isacommand{inductive\_cases}\ K\_contractE [elim!]:\ "K -1-> r"
-\end{isabelle}
-The theorem just created is \isa{K -1-> r \ \isasymLongrightarrow \ Q},
-which expresses that the combinator \isa{K} cannot reduce to
-anything. (From the assumption \isa{K-1->r}, we can conclude any desired
-formula \isa{Q}\@.) Similar elimination rules for \isa{S} and application are also
-generated. The attribute \isa{elim!}\ shown above supplies the generated
-theorem to the classical reasoner. This mode of working allows
-effective reasoniung about operational semantics.
-
-\index{*coinductive|)} \index{*inductive|)}
-
-
-
-\section{The outer reaches of set theory}
-
-The constructions of the natural numbers and lists use a suite of
-operators for handling recursive function definitions. I have described
-the developments in detail elsewhere~\cite{paulson-set-II}. Here is a brief
-summary:
-\begin{itemize}
- \item Theory \isa{Trancl} defines the transitive closure of a relation
- (as a least fixedpoint).
-
- \item Theory \isa{WF} proves the well-founded recursion theorem, using an
- elegant approach of Tobias Nipkow. This theorem permits general
- recursive definitions within set theory.
-
- \item Theory \isa{Ord} defines the notions of transitive set and ordinal
- number. It derives transfinite induction. A key definition is {\bf
- less than}: $i<j$ if and only if $i$ and $j$ are both ordinals and
- $i\in j$. As a special case, it includes less than on the natural
- numbers.
-
- \item Theory \isa{Epsilon} derives $\varepsilon$-induction and
- $\varepsilon$-recursion, which are generalisations of transfinite
- induction and recursion. It also defines \cdx{rank}$(x)$, which is the
- least ordinal $\alpha$ such that $x$ is constructed at stage $\alpha$ of
- the cumulative hierarchy (thus $x\in V@{\alpha+1}$).
-\end{itemize}
-
-Other important theories lead to a theory of cardinal numbers. They have
-not yet been written up anywhere. Here is a summary:
-\begin{itemize}
-\item Theory \isa{Rel} defines the basic properties of relations, such as
- reflexivity, symmetry and transitivity.
-
-\item Theory \isa{EquivClass} develops a theory of equivalence
- classes, not using the Axiom of Choice.
-
-\item Theory \isa{Order} defines partial orderings, total orderings and
- wellorderings.
-
-\item Theory \isa{OrderArith} defines orderings on sum and product sets.
- These can be used to define ordinal arithmetic and have applications to
- cardinal arithmetic.
-
-\item Theory \isa{OrderType} defines order types. Every wellordering is
- equivalent to a unique ordinal, which is its order type.
-
-\item Theory \isa{Cardinal} defines equipollence and cardinal numbers.
-
-\item Theory \isa{CardinalArith} defines cardinal addition and
- multiplication, and proves their elementary laws. It proves that there
- is no greatest cardinal. It also proves a deep result, namely
- $\kappa\otimes\kappa=\kappa$ for every infinite cardinal~$\kappa$; see
- Kunen~\cite[page 29]{kunen80}. None of these results assume the Axiom of
- Choice, which complicates their proofs considerably.
-\end{itemize}
-
-The following developments involve the Axiom of Choice (AC):
-\begin{itemize}
-\item Theory \isa{AC} asserts the Axiom of Choice and proves some simple
- equivalent forms.
-
-\item Theory \isa{Zorn} proves Hausdorff's Maximal Principle, Zorn's Lemma
- and the Wellordering Theorem, following Abrial and
- Laffitte~\cite{abrial93}.
-
-\item Theory \isa{Cardinal\_AC} uses AC to prove simplified theorems about
- the cardinals. It also proves a theorem needed to justify
- infinitely branching datatype declarations: if $\kappa$ is an infinite
- cardinal and $|X(\alpha)| \le \kappa$ for all $\alpha<\kappa$ then
- $|\union\sb{\alpha<\kappa} X(\alpha)| \le \kappa$.
-
-\item Theory \isa{InfDatatype} proves theorems to justify infinitely
- branching datatypes. Arbitrary index sets are allowed, provided their
- cardinalities have an upper bound. The theory also justifies some
- unusual cases of finite branching, involving the finite powerset operator
- and the finite function space operator.
-\end{itemize}
-
-
-
-\section{The examples directories}
-Directory \isa{HOL/IMP} contains a mechanised version of a semantic
-equivalence proof taken from Winskel~\cite{winskel93}. It formalises the
-denotational and operational semantics of a simple while-language, then
-proves the two equivalent. It contains several datatype and inductive
-definitions, and demonstrates their use.
-
-The directory \isa{ZF/ex} contains further developments in ZF set theory.
-Here is an overview; see the files themselves for more details. I describe
-much of this material in other
-publications~\cite{paulson-set-I,paulson-set-II,paulson-fixedpt-milner}.
-\begin{itemize}
-\item File \isa{misc.ML} contains miscellaneous examples such as
- Cantor's Theorem, the Schr\"oder-Bernstein Theorem and the `Composition
- of homomorphisms' challenge~\cite{boyer86}.
-
-\item Theory \isa{Ramsey} proves the finite exponent 2 version of
- Ramsey's Theorem, following Basin and Kaufmann's
- presentation~\cite{basin91}.
-
-\item Theory \isa{Integ} develops a theory of the integers as
- equivalence classes of pairs of natural numbers.
-
-\item Theory \isa{Primrec} develops some computation theory. It
- inductively defines the set of primitive recursive functions and presents a
- proof that Ackermann's function is not primitive recursive.
-
-\item Theory \isa{Primes} defines the Greatest Common Divisor of two
- natural numbers and and the ``divides'' relation.
-
-\item Theory \isa{Bin} defines a datatype for two's complement binary
- integers, then proves rewrite rules to perform binary arithmetic. For
- instance, $1359\times {-}2468 = {-}3354012$ takes 0.3 seconds.
-
-\item Theory \isa{BT} defines the recursive data structure $\isa{bt}(A)$, labelled binary trees.
-
-\item Theory \isa{Term} defines a recursive data structure for terms
- and term lists. These are simply finite branching trees.
-
-\item Theory \isa{TF} defines primitives for solving mutually
- recursive equations over sets. It constructs sets of trees and forests
- as an example, including induction and recursion rules that handle the
- mutual recursion.
-
-\item Theory \isa{Prop} proves soundness and completeness of
- propositional logic~\cite{paulson-set-II}. This illustrates datatype
- definitions, inductive definitions, structural induction and rule
- induction.
-
-\item Theory \isa{ListN} inductively defines the lists of $n$
- elements~\cite{paulin-tlca}.
-
-\item Theory \isa{Acc} inductively defines the accessible part of a
- relation~\cite{paulin-tlca}.
-
-\item Theory \isa{Comb} defines the datatype of combinators and
- inductively defines contraction and parallel contraction. It goes on to
- prove the Church-Rosser Theorem. This case study follows Camilleri and
- Melham~\cite{camilleri92}.
-
-\item Theory \isa{LList} defines lazy lists and a coinduction
- principle for proving equations between them.
-\end{itemize}
-
-
-\section{A proof about powersets}\label{sec:ZF-pow-example}
-To demonstrate high-level reasoning about subsets, let us prove the
-equation ${\isa{Pow}(A)\cap \isa{Pow}(B)}= \isa{Pow}(A\cap B)$. Compared
-with first-order logic, set theory involves a maze of rules, and theorems
-have many different proofs. Attempting other proofs of the theorem might
-be instructive. This proof exploits the lattice properties of
-intersection. It also uses the monotonicity of the powerset operation,
-from \isa{ZF/mono.ML}:
-\begin{isabelle}
-\tdx{Pow_mono}: A \isasymsubseteq B ==> Pow(A) \isasymsubseteq Pow(B)
-\end{isabelle}
-We enter the goal and make the first step, which breaks the equation into
-two inclusions by extensionality:\index{*equalityI theorem}
-\begin{isabelle}
-\isacommand{lemma}\ "Pow(A\ Int\ B)\ =\ Pow(A)\ Int\ Pow(B)"\isanewline
-\ 1.\ Pow(A\ \isasyminter \ B)\ =\ Pow(A)\ \isasyminter \ Pow(B)\isanewline
-\isacommand{apply}\ (rule\ equalityI)\isanewline
-\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(A)\ \isasyminter \ Pow(B)\isanewline
-\ 2.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
-\end{isabelle}
-Both inclusions could be tackled straightforwardly using \isa{subsetI}.
-A shorter proof results from noting that intersection forms the greatest
-lower bound:\index{*Int_greatest theorem}
-\begin{isabelle}
-\isacommand{apply}\ (rule\ Int\_greatest)\isanewline
-\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(A)\isanewline
-\ 2.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(B)\isanewline
-\ 3.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
-\end{isabelle}
-Subgoal~1 follows by applying the monotonicity of \isa{Pow} to $A\int
-B\subseteq A$; subgoal~2 follows similarly:
-\index{*Int_lower1 theorem}\index{*Int_lower2 theorem}
-\begin{isabelle}
-\isacommand{apply}\ (rule\ Int\_lower1\ [THEN\ Pow\_mono])\isanewline
-\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(B)\isanewline
-\ 2.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
-\isanewline
-\isacommand{apply}\ (rule\ Int\_lower2\ [THEN\ Pow\_mono])\isanewline
-\ 1.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
-\end{isabelle}
-We are left with the opposite inclusion, which we tackle in the
-straightforward way:\index{*subsetI theorem}
-\begin{isabelle}
-\isacommand{apply}\ (rule\ subsetI)\isanewline
-\ 1.\ \isasymAnd x.\ x\ \isasymin \ Pow(A)\ \isasyminter \ Pow(B)\ \isasymLongrightarrow \ x\ \isasymin \ Pow(A\ \isasyminter \ B)
-\end{isabelle}
-The subgoal is to show $x\in \isa{Pow}(A\cap B)$ assuming $x\in\isa{Pow}(A)\cap \isa{Pow}(B)$; eliminating this assumption produces two
-subgoals. The rule \tdx{IntE} treats the intersection like a conjunction
-instead of unfolding its definition.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ IntE)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymin \ Pow(A);\ x\ \isasymin \ Pow(B)\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ Pow(A\ \isasyminter \ B)
-\end{isabelle}
-The next step replaces the \isa{Pow} by the subset
-relation~($\subseteq$).\index{*PowI theorem}
-\begin{isabelle}
-\isacommand{apply}\ (rule\ PowI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymin \ Pow(A);\ x\ \isasymin \ Pow(B)\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\ \isasyminter \ B%
-\end{isabelle}
-We perform the same replacement in the assumptions. This is a good
-demonstration of the tactic \ttindex{drule}:\index{*PowD theorem}
-\begin{isabelle}
-\isacommand{apply}\ (drule\ PowD)+\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\ \isasyminter \ B%
-\end{isabelle}
-The assumptions are that $x$ is a lower bound of both $A$ and~$B$, but
-$A\int B$ is the greatest lower bound:\index{*Int_greatest theorem}
-\begin{isabelle}
-\isacommand{apply}\ (rule\ Int\_greatest)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\isanewline
-\ 2.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ B%
-\end{isabelle}
-To conclude the proof, we clear up the trivial subgoals:
-\begin{isabelle}
-\isacommand{apply}\ (assumption+)\isanewline
-\isacommand{done}%
-\end{isabelle}
-
-We could have performed this proof instantly by calling
-\ttindex{blast}:
-\begin{isabelle}
-\isacommand{lemma}\ "Pow(A\ Int\ B)\ =\ Pow(A)\ Int\ Pow(B)"\isanewline
-\isacommand{by}
-\end{isabelle}
-Past researchers regarded this as a difficult proof, as indeed it is if all
-the symbols are replaced by their definitions.
-\goodbreak
-
-\section{Monotonicity of the union operator}
-For another example, we prove that general union is monotonic:
-${C\subseteq D}$ implies $\bigcup(C)\subseteq \bigcup(D)$. To begin, we
-tackle the inclusion using \tdx{subsetI}:
-\begin{isabelle}
-\isacommand{lemma}\ "C\isasymsubseteq D\ ==>\ Union(C)\
-\isasymsubseteq \ Union(D)"\isanewline
-\isacommand{apply}\ (rule\ subsetI)\isanewline
-\ 1.\ \isasymAnd x.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ \isasymUnion C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ \isasymUnion D%
-\end{isabelle}
-Big union is like an existential quantifier --- the occurrence in the
-assumptions must be eliminated early, since it creates parameters.
-\index{*UnionE theorem}
-\begin{isabelle}
-\isacommand{apply}\ (erule\ UnionE)\isanewline
-\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ \isasymUnion D%
-\end{isabelle}
-Now we may apply \tdx{UnionI}, which creates an unknown involving the
-parameters. To show \isa{x\ \isasymin \ \isasymUnion D} it suffices to show that~\isa{x} belongs
-to some element, say~\isa{?B2(x,B)}, of~\isa{D}\@.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ UnionI)\isanewline
-\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ ?B2(x,\ B)\ \isasymin \ D\isanewline
-\ 2.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ ?B2(x,\ B)
-\end{isabelle}
-Combining the rule \tdx{subsetD} with the assumption \isa{C\ \isasymsubseteq \ D} yields
-$\Var{a}\in C \Imp \Var{a}\in D$, which reduces subgoal~1. Note that
-\isa{erule} removes the subset assumption.
-\begin{isabelle}
-\isacommand{apply}\ (erule\ subsetD)\isanewline
-\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ ?B2(x,\ B)\ \isasymin \ C\isanewline
-\ 2.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ ?B2(x,\ B)
-\end{isabelle}
-The rest is routine. Observe how the first call to \isa{assumption}
-instantiates \isa{?B2(x,B)} to~\isa{B}\@.
-\begin{isabelle}
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ B%
-\isanewline
-\isacommand{apply}\ assumption\ \isanewline
-No\ subgoals!\isanewline
-\isacommand{done}%
-\end{isabelle}
-Again, \isa{blast} can prove this theorem in one step.
-
-The theory \isa{ZF/equalities.thy} has many similar proofs. Reasoning about
-general intersection can be difficult because of its anomalous behaviour on
-the empty set. However, \isa{blast} copes well with these. Here is
-a typical example, borrowed from Devlin~\cite[page 12]{devlin79}:
-\[ a\in C \,\Imp\, \inter@{x\in C} \Bigl(A(x) \int B(x)\Bigr) =
- \Bigl(\inter@{x\in C} A(x)\Bigr) \int
- \Bigl(\inter@{x\in C} B(x)\Bigr) \]
-
-\section{Low-level reasoning about functions}
-The derived rules \isa{lamI}, \isa{lamE}, \isa{lam_type}, \isa{beta}
-and \isa{eta} support reasoning about functions in a
-$\lambda$-calculus style. This is generally easier than regarding
-functions as sets of ordered pairs. But sometimes we must look at the
-underlying representation, as in the following proof
-of~\tdx{fun_disjoint_apply1}. This states that if $f$ and~$g$ are
-functions with disjoint domains~$A$ and~$C$, and if $a\in A$, then
-$(f\un g)`a = f`a$:
-\begin{isabelle}
-\isacommand{lemma}\ "[|\ a\ \isasymin \ A;\ \ f\ \isasymin \ A->B;\ \ g\ \isasymin \ C->D;\ \ A\ \isasyminter \ C\ =\ 0\ |]
-\isanewline
-\ \ \ \ \ \ \ \ ==>\ (f\ \isasymunion \ g)`a\ =\ f`a"
-\end{isabelle}
-Using \tdx{apply_equality}, we reduce the equality to reasoning about
-ordered pairs. The second subgoal is to verify that \isa{f\ \isasymunion \ g} is a function, since
-\isa{Pi(?A,?B)} denotes a dependent function space.
-\begin{isabelle}
-\isacommand{apply}\ (rule\ apply\_equality)\isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ \isasymlangle a,\ f\ `\ a\isasymrangle \ \isasymin \ f\ \isasymunion \ g\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
-\end{isabelle}
-We must show that the pair belongs to~$f$ or~$g$; by~\tdx{UnI1} we
-choose~$f$:
-\begin{isabelle}
-\isacommand{apply}\ (rule\ UnI1)\isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ \isasymlangle a,\ f\ `\ a\isasymrangle \ \isasymin \ f\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
-\end{isabelle}
-To show $\pair{a,f`a}\in f$ we use \tdx{apply_Pair}, which is
-essentially the converse of \tdx{apply_equality}:
-\begin{isabelle}
-\isacommand{apply}\ (rule\ apply\_Pair)\isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ f\ \isasymin \ Pi(?A2,?B2)\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ a\ \isasymin \ ?A2\isanewline
-\ 3.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 3.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
-\end{isabelle}
-Using the assumptions $f\in A\to B$ and $a\in A$, we solve the two subgoals
-from \tdx{apply_Pair}. Recall that a $\Pi$-set is merely a generalized
-function space, and observe that~{\tt?A2} gets instantiated to~\isa{A}.
-\begin{isabelle}
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ a\ \isasymin \ A\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
-\isanewline
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
-\isaindent{\ 1.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
-\end{isabelle}
-To construct functions of the form $f\un g$, we apply
-\tdx{fun_disjoint_Un}:
-\begin{isabelle}
-\isacommand{apply}\ (rule\ fun\_disjoint\_Un)\isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ f\ \isasymin \ ?A3\ \isasymrightarrow \ ?B3\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ g\ \isasymin \ ?C3\ \isasymrightarrow \ ?D3\isanewline
-\ 3.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ ?A3\ \isasyminter \ ?C3\ =\ 0
-\end{isabelle}
-The remaining subgoals are instances of the assumptions. Again, observe how
-unknowns become instantiated:
-\begin{isabelle}
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ g\ \isasymin \ ?C3\ \isasymrightarrow \ ?D3\isanewline
-\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ A\ \isasyminter \ ?C3\ =\ 0
-\isanewline
-\isacommand{apply}\ assumption\ \isanewline
-\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ A\ \isasyminter \ C\ =\ 0
-\isanewline
-\isacommand{apply}\ assumption\ \isanewline
-No\ subgoals!\isanewline
-\isacommand{done}
-\end{isabelle}
-See the theories \isa{ZF/func.thy} and \isa{ZF/WF.thy} for more
-examples of reasoning about functions.
-
-\index{set theory|)}
--- a/doc-src/ZF/document/build Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,18 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-VARIANT="$2"
-
-"$ISABELLE_TOOL" logo -o isabelle_zf.pdf "ZF"
-"$ISABELLE_TOOL" logo -o isabelle_zf.eps "ZF"
-
-cp "$ISABELLE_HOME/doc-src/isar.sty" .
-cp "$ISABELLE_HOME/doc-src/ttbox.sty" .
-cp "$ISABELLE_HOME/doc-src/proof.sty" .
-cp "$ISABELLE_HOME/doc-src/manual.bib" .
-cp "$ISABELLE_HOME/doc-src/Logics/document/syntax.tex" .
-
-"$ISABELLE_HOME/doc-src/prepare_document" "$FORMAT"
-
--- a/doc-src/ZF/document/logics.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,1 +0,0 @@
-% logics.sty : Logics Manuals Page Layout
%
\typeout{Document Style logics. Released 18 August 2003}
\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
\hyphenation{data-type data-types co-data-type co-data-types }
%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
%%%INDEXING use isa-index to process the index
\newcommand\seealso[2]{\emph{see also} #1}
\usepackage{makeidx}
%index, putting page numbers of definitions in boldface
\def\bold#1{\textbf{#1}}
\newcommand\fnote[1]{#1n}
\newcommand\indexbold[1]{\index{#1|bold}}
% The alternative to \protect\isa in the indexing macros is
% \noexpand\noexpand \noexpand\isa
% need TWO levels of \noexpand to delay the expansion of \isa:
% the \noexpand\noexpand will leave one \noexpand, to be given to the
% (still unexpanded) \isa token. See TeX by Topic, page 122.
%%%% for indexing constants, symbols, theorems, ...
\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
%set argument in \bf font and index in ROMAN font (for definitions in text!)
\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
\newcommand\rmindex[1]{{#1}\index{#1}\@}
\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
\newcommand{\indexboldpos}[2]{#1\@}
\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
%\newtheorem{theorem}{Theorem}[section]
\newtheorem{Exercise}{Exercise}[section]
\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
\newcommand{\ttlbr}{\texttt{[|}}
\newcommand{\ttrbr}{\texttt{|]}}
\newcommand{\ttor}{\texttt{|}}
\newcommand{\ttall}{\texttt{!}}
\newcommand{\ttuniquex}{\texttt{?!}}
\newcommand{\ttEXU}{\texttt{EX!}}
\newcommand{\ttAnd}{\texttt{!!}}
\newcommand{\isasymignore}{}
\newcommand{\isasymimp}{\isasymlongrightarrow}
\newcommand{\isasymImp}{\isasymLongrightarrow}
\newcommand{\isasymFun}{\isasymRightarrow}
\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
\renewcommand{\S}{Sect.\ts}
\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
\newif\ifremarks
\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
%names of Isabelle rules
\newcommand{\rulename}[1]{\hfill(#1)}
\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
%%%% meta-logical connectives
\let\Forall=\bigwedge
\let\Imp=\Longrightarrow
\let\To=\Rightarrow
\newcommand{\Var}[1]{{?\!#1}}
%%% underscores as ordinary characters, not for subscripting
%% use @ or \sb for subscripting; use \at for @
%% only works in \tt font
%% must not make _ an active char; would make \ttindex fail!
\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
\gdef\underscoreon{\catcode`\_=8\makeatother}
\chardef\other=12
\chardef\at=`\@
% alternative underscore
\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
%%%% ``WARNING'' environment
\def\dbend{\vtop to 0pt{\vss\hbox{\Huge\bf!}\vss}}
\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
\small %%WAS\baselineskip=0.9\baselineskip
\noindent \hangindent\parindent \hangafter=-2
\hbox to0pt{\hskip-\hangindent\dbend\hfill}\ignorespaces}%
{\par\endgroup\medbreak}
%%%% Standard logical symbols
\let\turn=\vdash
\let\conj=\wedge
\let\disj=\vee
\let\imp=\rightarrow
\let\bimp=\leftrightarrow
\newcommand\all[1]{\forall#1.} %quantification
\newcommand\ex[1]{\exists#1.}
\newcommand{\pair}[1]{\langle#1\rangle}
\newcommand{\lparr}{\mathopen{(\!|}}
\newcommand{\rparr}{\mathclose{|\!)}}
\newcommand{\fs}{\mathpunct{,\,}}
\newcommand{\ty}{\mathrel{::}}
\newcommand{\asn}{\mathrel{:=}}
\newcommand{\more}{\ldots}
\newcommand{\record}[1]{\lparr #1 \rparr}
\newcommand{\dtt}{\mathord.}
\newcommand\lbrakk{\mathopen{[\![}}
\newcommand\rbrakk{\mathclose{]\!]}}
\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
\newcommand{\Text}[1]{\mbox{#1}}
\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
\newcommand{\dsh}{\mathit{\dshsym}}
\let\int=\cap
\let\un=\cup
\let\inter=\bigcap
\let\union=\bigcup
\def\ML{{\sc ml}}
\def\AST{{\sc ast}}
%macros to change the treatment of symbols
\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
%redefinition of \sloppy and \fussy to use \emergencystretch
\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
%non-bf version of description
\def\descrlabel#1{\hspace\labelsep #1}
\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
\let\enddescr\endlist
% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
% generate text italic rather than math italic by default. This makes
% multi-letter identifiers look better. The mathcode for character c
% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
%
\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
\loop \global\mathcode\count0=\count1 \ifnum \count0<#2
\advance\count0 by1 \advance\count1 by1 \repeat}}
\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
%%% \dquotes permits usage of "..." for \hbox{...}
%%% also taken from under.sty
{\catcode`\"=\active
\gdef\dquotes{\catcode`\"=\active \let"=\@mathText}%
\gdef\@mathText#1"{\hbox{\mathTextFont #1\/}}}
\def\mathTextFont{\frenchspacing\tt}
\def\dquotesoff{\catcode`\"=\other}
\ No newline at end of file
--- a/doc-src/ZF/document/root.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-\documentclass[11pt,a4paper]{report}
-\usepackage{isabelle,isabellesym,railsetup}
-\usepackage{graphicx,logics,ttbox,proof,latexsym}
-\usepackage{isar}
-
-\usepackage{pdfsetup}
-%last package!
-
-\remarkstrue
-
-%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
-%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
-%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
-%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
-
-\title{\includegraphics[scale=0.5]{isabelle_zf} \\[4ex]
- Isabelle's Logics: FOL and ZF}
-
-\author{{\em Lawrence C. Paulson}\\
- Computer Laboratory \\ University of Cambridge \\
- \texttt{lcp@cl.cam.ac.uk}\\[3ex]
- With Contributions by Tobias Nipkow and Markus Wenzel}
-
-\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
- \hrule\bigskip}
-\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
-
-\let\ts=\thinspace
-
-\makeindex
-
-\underscoreoff
-
-\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
-
-\pagestyle{headings}
-\sloppy
-\binperiod %%%treat . like a binary operator
-
-
-\isadroptag{theory}
-
-\railtermfont{\isabellestyle{tt}}
-\railnontermfont{\isabellestyle{literal}}
-\railnamefont{\isabellestyle{literal}}
-
-
-\begin{document}
-\maketitle
-
-\begin{abstract}
-This manual describes Isabelle's formalizations of many-sorted first-order
-logic (\texttt{FOL}) and Zermelo-Fraenkel set theory (\texttt{ZF}). See the
-\emph{Reference Manual} for general Isabelle commands, and \emph{Introduction
- to Isabelle} for an overall tutorial.
-
-This manual is part of the earlier Isabelle documentation,
-which is somewhat superseded by the Isabelle/HOL
-\emph{Tutorial}~\cite{isa-tutorial}. However, the present document is the
-only available documentation for Isabelle's versions of first-order logic
-and set theory. Much of it is concerned with
-the primitives for conducting proofs
-using the ML top level. It has been rewritten to use the Isar proof
-language, but evidence of the old \ML{} orientation remains.
-\end{abstract}
-
-
-\subsubsection*{Acknowledgements}
-Markus Wenzel made numerous improvements.
- Philippe de Groote contributed to~ZF. Philippe No\"el and
- Martin Coen made many contributions to~ZF. The research has
- been funded by the EPSRC (grants GR/G53279, GR/H40570, GR/K57381,
- GR/K77051, GR/M75440) and by ESPRIT (projects 3245:
- Logical Frameworks, and 6453: Types) and by the DFG Schwerpunktprogramm
- \emph{Deduktion}.
-
-\pagenumbering{roman} \tableofcontents \cleardoublepage
-\pagenumbering{arabic}
-\setcounter{page}{1}
-\input{syntax}
-\input{FOL}
-\input{ZF}
-
-\isabellestyle{literal}
-\input{ZF_Isar}
-\isabellestyle{tt}
-
-\bibliographystyle{plain}
-\bibliography{manual}
-\printindex
-\end{document}
--- a/doc-src/antiquote_setup.ML Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,227 +0,0 @@
-(* Title: doc-src/antiquote_setup.ML
- Author: Makarius
-
-Auxiliary antiquotations for the Isabelle manuals.
-*)
-
-signature ANTIQUOTE_SETUP =
-sig
- val setup: theory -> theory
-end;
-
-structure Antiquote_Setup: ANTIQUOTE_SETUP =
-struct
-
-(* misc utils *)
-
-fun translate f = Symbol.explode #> map f #> implode;
-
-val clean_string = translate
- (fn "_" => "\\_"
- | "#" => "\\#"
- | "<" => "$<$"
- | ">" => "$>$"
- | "{" => "\\{"
- | "|" => "$\\mid$"
- | "}" => "\\}"
- | "\<hyphen>" => "-"
- | c => c);
-
-fun clean_name "\<dots>" = "dots"
- | clean_name ".." = "ddot"
- | clean_name "." = "dot"
- | clean_name "_" = "underscore"
- | clean_name "{" = "braceleft"
- | clean_name "}" = "braceright"
- | clean_name s = s |> translate (fn "_" => "-" | "\<hyphen>" => "-" | c => c);
-
-
-(* verbatim text *)
-
-val verbatim = space_implode "\\verb,|," o map (enclose "\\verb|" "|") o space_explode "|";
-
-val verbatim_setup =
- Thy_Output.antiquotation @{binding verbatim} (Scan.lift Args.name)
- (K (split_lines #> map verbatim #> space_implode "\\isasep\\isanewline%\n"));
-
-
-(* ML text *)
-
-local
-
-fun ml_val (txt1, "") = "fn _ => (" ^ txt1 ^ ");"
- | ml_val (txt1, txt2) = "fn _ => (" ^ txt1 ^ " : " ^ txt2 ^ ");";
-
-fun ml_op (txt1, "") = "fn _ => (op " ^ txt1 ^ ");"
- | ml_op (txt1, txt2) = "fn _ => (op " ^ txt1 ^ " : " ^ txt2 ^ ");";
-
-fun ml_type (txt1, "") = "val _ = NONE : (" ^ txt1 ^ ") option;"
- | ml_type (txt1, txt2) = "val _ = [NONE : (" ^ txt1 ^ ") option, NONE : (" ^ txt2 ^ ") option];";
-
-fun ml_exn (txt1, "") = "fn _ => (" ^ txt1 ^ " : exn);"
- | ml_exn (txt1, txt2) = "fn _ => (" ^ txt1 ^ " : " ^ txt2 ^ " -> exn);";
-
-fun ml_structure (txt, _) = "functor XXX() = struct structure XX = " ^ txt ^ " end;";
-
-fun ml_functor (txt, _) = "ML_Env.check_functor " ^ ML_Syntax.print_string txt;
-
-val is_name = ML_Lex.kind_of #> (fn kind => kind = ML_Lex.Ident orelse kind = ML_Lex.LongIdent);
-
-fun ml_name txt =
- (case filter is_name (ML_Lex.tokenize txt) of
- toks as [_] => ML_Lex.flatten toks
- | _ => error ("Single ML name expected in input: " ^ quote txt));
-
-fun index_ml name kind ml = Thy_Output.antiquotation name
- (Scan.lift (Args.name -- Scan.optional (Args.colon |-- Args.name) ""))
- (fn {context = ctxt, ...} => fn (txt1, txt2) =>
- let
- val txt =
- if txt2 = "" then txt1
- else if kind = "type" then txt1 ^ " = " ^ txt2
- else if kind = "exception" then txt1 ^ " of " ^ txt2
- else if Lexicon.is_identifier (Long_Name.base_name (ml_name txt1))
- then txt1 ^ ": " ^ txt2
- else txt1 ^ " : " ^ txt2;
- val txt' = if kind = "" then txt else kind ^ " " ^ txt;
- val _ = ML_Context.eval_text_in (SOME ctxt) false Position.none (ml (txt1, txt2)); (* ML_Lex.read (!?) *)
- val kind' = if kind = "" then "ML" else "ML " ^ kind;
- in
- "\\indexdef{}{" ^ kind' ^ "}{" ^ clean_string (ml_name txt1) ^ "}" ^
- (txt'
- |> (if Config.get ctxt Thy_Output.quotes then quote else I)
- |> (if Config.get ctxt Thy_Output.display then enclose "\\begin{verbatim}\n" "\n\\end{verbatim}"
- else split_lines #> map verbatim #> space_implode "\\isasep\\isanewline%\n"))
- end);
-
-in
-
-val index_ml_setup =
- index_ml @{binding index_ML} "" ml_val #>
- index_ml @{binding index_ML_op} "infix" ml_op #>
- index_ml @{binding index_ML_type} "type" ml_type #>
- index_ml @{binding index_ML_exn} "exception" ml_exn #>
- index_ml @{binding index_ML_structure} "structure" ml_structure #>
- index_ml @{binding index_ML_functor} "functor" ml_functor;
-
-end;
-
-
-(* named theorems *)
-
-val named_thms_setup =
- Thy_Output.antiquotation @{binding named_thms}
- (Scan.repeat (Attrib.thm -- Scan.lift (Args.parens Args.name)))
- (fn {context = ctxt, ...} =>
- map (apfst (Thy_Output.pretty_thm ctxt))
- #> (if Config.get ctxt Thy_Output.quotes then map (apfst Pretty.quote) else I)
- #> (if Config.get ctxt Thy_Output.display
- then
- map (fn (p, name) =>
- Output.output (Pretty.string_of (Pretty.indent (Config.get ctxt Thy_Output.indent) p)) ^
- "\\rulename{" ^ Output.output (Pretty.str_of (Thy_Output.pretty_text ctxt name)) ^ "}")
- #> space_implode "\\par\\smallskip%\n"
- #> enclose "\\begin{isabelle}%\n" "%\n\\end{isabelle}"
- else
- map (fn (p, name) =>
- Output.output (Pretty.str_of p) ^
- "\\rulename{" ^ Output.output (Pretty.str_of (Thy_Output.pretty_text ctxt name)) ^ "}")
- #> space_implode "\\par\\smallskip%\n"
- #> enclose "\\isa{" "}"));
-
-
-(* theory file *)
-
-val thy_file_setup =
- Thy_Output.antiquotation @{binding thy_file} (Scan.lift Args.name)
- (fn {context = ctxt, ...} =>
- fn name => (Thy_Load.check_thy Path.current name; Thy_Output.output ctxt [Pretty.str name]));
-
-
-(* Isabelle/Isar entities (with index) *)
-
-local
-
-fun no_check _ _ = true;
-
-fun thy_check intern defined ctxt =
- let val thy = Proof_Context.theory_of ctxt
- in defined thy o intern thy end;
-
-fun check_tool name =
- let val tool_dirs = map Path.explode ["~~/lib/Tools", "~~/src/Tools/jEdit/lib/Tools"]
- in exists (fn dir => File.exists (Path.append dir (Path.basic name))) tool_dirs end;
-
-val arg = enclose "{" "}" o clean_string;
-
-fun entity check markup kind index =
- Thy_Output.antiquotation
- (Binding.name (translate (fn " " => "_" | c => c) kind ^
- (case index of NONE => "" | SOME true => "_def" | SOME false => "_ref")))
- (Scan.lift (Scan.optional (Args.parens Args.name) "" -- Args.name))
- (fn {context = ctxt, ...} => fn (logic, name) =>
- let
- val hyper_name =
- "{" ^ Long_Name.append kind (Long_Name.append logic (clean_name name)) ^ "}";
- val hyper =
- enclose ("\\hyperlink" ^ hyper_name ^ "{") "}" #>
- index = SOME true ? enclose ("\\hypertarget" ^ hyper_name ^ "{") "}";
- val idx =
- (case index of
- NONE => ""
- | SOME is_def =>
- "\\index" ^ (if is_def then "def" else "ref") ^ arg logic ^ arg kind ^ arg name);
- in
- if check ctxt name then
- idx ^
- (Output.output name
- |> (if markup = "" then I else enclose ("\\" ^ markup ^ "{") "}")
- |> (if Config.get ctxt Thy_Output.quotes then quote else I)
- |> (if Config.get ctxt Thy_Output.display
- then enclose "\\begin{isabelle}%\n" "%\n\\end{isabelle}"
- else hyper o enclose "\\mbox{\\isa{" "}}"))
- else error ("Bad " ^ kind ^ " " ^ quote name)
- end);
-
-fun entity_antiqs check markup kind =
- entity check markup kind NONE #>
- entity check markup kind (SOME true) #>
- entity check markup kind (SOME false);
-
-in
-
-val entity_setup =
- entity_antiqs no_check "" "syntax" #>
- entity_antiqs (K (is_some o Keyword.command_keyword)) "isacommand" "command" #>
- entity_antiqs (K Keyword.is_keyword) "isakeyword" "keyword" #>
- entity_antiqs (K Keyword.is_keyword) "isakeyword" "element" #>
- entity_antiqs (thy_check Method.intern Method.defined) "" "method" #>
- entity_antiqs (thy_check Attrib.intern Attrib.defined) "" "attribute" #>
- entity_antiqs no_check "" "fact" #>
- entity_antiqs no_check "" "variable" #>
- entity_antiqs no_check "" "case" #>
- entity_antiqs (thy_check Thy_Output.intern_command Thy_Output.defined_command)
- "" "antiquotation" #>
- entity_antiqs (thy_check Thy_Output.intern_option Thy_Output.defined_option)
- "" "antiquotation option" #>
- entity_antiqs no_check "isatt" "setting" #>
- entity_antiqs no_check "isatt" "system option" #>
- entity_antiqs no_check "" "inference" #>
- entity_antiqs no_check "isatt" "executable" #>
- entity_antiqs (K check_tool) "isatool" "tool" #>
- entity_antiqs (thy_check ML_Context.intern_antiq ML_Context.defined_antiq)
- "" Isabelle_Markup.ML_antiquotationN;
-
-end;
-
-
-(* theory setup *)
-
-val setup =
- verbatim_setup #>
- index_ml_setup #>
- named_thms_setup #>
- thy_file_setup #>
- entity_setup;
-
-end;
--- a/doc-src/extra.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,25 +0,0 @@
-% extra.sty : Isabelle Manual extra macros for non-Springer version
-%
-\typeout{Document Style extra. Released 17/2/94, version of 22/8/00}
-
-%%Euro-style date: 20 September 1955
-\def\today{\number\day\space\ifcase\month\or
-January\or February\or March\or April\or May\or June\or
-July\or August\or September\or October\or November\or December\fi
-\space\number\year}
-
-%%%Put first chapter on odd page, with arabic numbering; like \cleardoublepage
-\newcommand\clearfirst{\clearpage\ifodd\c@page\else
- \hbox{}\newpage\if@twocolumn\hbox{}\newpage\fi\fi
- \pagenumbering{arabic}}
-
-%%%Ruled chapter headings
-\def\@rulehead#1{\hrule height1pt \vskip 14pt \Huge \bf
- #1 \vskip 14pt\hrule height1pt}
-\def\@makechapterhead#1{ { \parindent 0pt
- \ifnum\c@secnumdepth >\m@ne \raggedleft\large\bf\@chapapp{} \thechapter \par
- \vskip 20pt \fi \raggedright \@rulehead{#1} \par \nobreak \vskip 40pt } }
-
-\def\@makeschapterhead#1{ { \parindent 0pt \raggedright
- \@rulehead{#1} \par \nobreak \vskip 40pt } }
-
--- a/doc-src/fixbookmarks Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,3 +0,0 @@
-#!/bin/bash
-
-perl -pi -e 's/\\([a-zA-Z]+)\s*/$1/g; s/\$//g; s/^BOOKMARK/\\BOOKMARK/g;' "$@"
--- a/doc-src/iman.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,153 +0,0 @@
-% iman.sty : Isabelle Manual Page Layout
-%
-\typeout{Document Style iman. Released 17 February 1994}
-
-\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
-\hyphenation{data-type data-types co-data-type co-data-types }
-
-\let\ts=\thinspace
-
-%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
-\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
-
-
-%%%INDEXING use sedindex to process the index
-
-\newcommand\seealso[2]{\emph{see also} #1}
-\usepackage{makeidx}
-
-%index, putting page numbers of definitions in boldface
-\def\bold#1{\textbf{#1}}
-\newcommand\fnote[1]{#1n}
-\newcommand\indexbold[1]{\index{#1|bold}}
-
-%for indexing constants, symbols, theorems, ...
-\newcommand\cdx[1]{{\tt#1}\index{#1@{\tt#1} constant}}
-\newcommand\sdx[1]{{\tt#1}\index{#1@{\tt#1} symbol}}
-
-\newcommand\tdx[1]{{\tt#1}\index{#1@{\tt#1} theorem}}
-\newcommand\tdxbold[1]{{\tt#1}\index{#1@{\tt#1} theorem|bold}}
-
-\newcommand\mltydx[1]{{\tt#1}\index{#1@{\tt#1} ML type}}
-\newcommand\xdx[1]{{\tt#1}\index{#1@{\tt#1} exception}}
-
-\newcommand\ndx[1]{{\tt#1}\index{#1@{\tt#1} nonterminal}}
-\newcommand\ndxbold[1]{{\tt#1}\index{#1@{\tt#1} nonterminal|bold}}
-
-\newcommand\cldx[1]{{\tt#1}\index{#1@{\tt#1} class}}
-\newcommand\tydx[1]{\textit{#1}\index{#1@{\textit{#1}} type}}
-\newcommand\thydx[1]{{\tt#1}\index{#1@{\tt#1} theory}}
-
-\newcommand\tooldx[1]{{\tt#1}\index{#1@{\tt#1} tool}}
-\newcommand\settdx[1]{{\tt#1}\index{#1@{\tt#1} setting}}
-
-%set argument in \tt font; at the same time, index using * prefix
-\newcommand\rmindex[1]{{#1}\index{#1}\@}
-\newcommand\ttindex[1]{{\tt#1}\index{*#1}\@}
-\newcommand\ttindexbold[1]{{\tt#1}\index{*#1|bold}\@}
-
-%set argument in \bf font and index in ROMAN font (for definitions in text!)
-\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
-
-
-%%% underscores as ordinary characters, not for subscripting
-%% use @ or \sb for subscripting; use \at for @
-%% only works in \tt font
-%% must not make _ an active char; would make \ttindex fail!
-\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
-\gdef\underscoreon{\catcode`\_=8\makeatother}
-\chardef\other=12
-\chardef\at=`\@
-
-% alternative underscore
-\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
-
-%%% \dquotes permits usage of "..." for \hbox{...} -- also taken from under.sty
-{\catcode`\"=\active
-\gdef\dquotes{\catcode`\"=\active \let"=\@mathText}%
-\gdef\@mathText#1"{\hbox{\mathTextFont #1\/}}}
-\def\mathTextFont{\frenchspacing\tt}
-\def\dquotesoff{\catcode`\"=\other}
-
-%%%% meta-logical connectives
-
-\let\Forall=\bigwedge
-\let\Imp=\Longrightarrow
-\let\To=\Rightarrow
-\newcommand{\PROP}{\mathop{\mathrm{PROP}}}
-\newcommand{\Var}[1]{{?\!#1}}
-\newcommand{\All}[1]{\Forall#1.} %quantification
-
-%%%% ``WARNING'' environment
-\def\dbend{\vtop to 0pt{\vss\hbox{\Huge\bf!}\vss}}
-\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
- \small %%WAS\baselineskip=0.9\baselineskip
- \noindent \ifdim\parindent > 0pt\hangindent\parindent\else\hangindent1.5em\fi
- \hangafter=-2
- \hbox to0pt{\hskip-\hangindent\dbend\hfill}\ignorespaces}%
- {\par\endgroup\medbreak}
-
-
-%%%% Standard logical symbols
-\let\turn=\vdash
-\let\conj=\wedge
-\let\disj=\vee
-\let\imp=\rightarrow
-\let\bimp=\leftrightarrow
-\newcommand\all[1]{\forall#1.} %quantification
-\newcommand\ex[1]{\exists#1.}
-\newcommand{\pair}[1]{\langle#1\rangle}
-
-\newcommand{\lparr}{\mathopen{(\!|}}
-\newcommand{\rparr}{\mathclose{|\!)}}
-\newcommand{\fs}{\mathpunct{,\,}}
-\newcommand{\ty}{\mathrel{::}}
-\newcommand{\asn}{\mathrel{:=}}
-\newcommand{\more}{\ldots}
-\newcommand{\record}[1]{\lparr #1 \rparr}
-\newcommand{\dtt}{\mathord.}
-
-\newcommand\lbrakk{\mathopen{[\![}}
-\newcommand\rbrakk{\mathclose{]\!]}}
-\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
-\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
-\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
-\newcommand{\Text}[1]{\mbox{#1}}
-
-\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
-\newcommand{\dsh}{\mathit{\dshsym}}
-
-\let\int=\cap
-\let\un=\cup
-\let\inter=\bigcap
-\let\union=\bigcup
-
-\def\ML{{\sc ml}}
-\def\OBJ{{\sc obj}}
-\def\AST{{\sc ast}}
-
-%macros to change the treatment of symbols
-\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
-\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
-\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
-
-%redefinition of \sloppy and \fussy to use \emergencystretch
-\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
-\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
-
-%non-bf version of description
-\def\descrlabel#1{\hspace\labelsep #1}
-\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
-\let\enddescr\endlist
-
-% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
-% generate text italic rather than math italic by default. This makes
-% multi-letter identifiers look better. The mathcode for character c
-% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
-%
-\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
-\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
- \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
- \advance\count0 by1 \advance\count1 by1 \repeat}}
-\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
-\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
--- a/doc-src/isar.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-\usepackage{ifthen}
-
-\newcommand{\indexdef}[3]%
-{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}}
-\newcommand{\indexref}[3]{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)}}{\index{#3 (#1\ #2)}}}
-
-\newcommand{\isatt}[1]{{\def\isacharminus{-}\def\isacharunderscore{\_}\tt #1}}
-\newcommand{\isatool}[1]{{\def\isacharminus{-}\def\isacharunderscore{\_}\tt isabelle #1}}
-
-\newcommand{\indexoutertoken}[1]{\indexdef{}{syntax}{#1}}
-\newcommand{\indexouternonterm}[1]{\indexdef{}{syntax}{#1}}
-\newcommand{\indexisarelem}[1]{\indexdef{}{element}{#1}}
-
-\newcommand{\isasymAND}{\isakeyword{and}}
-\newcommand{\isasymIS}{\isakeyword{is}}
-\newcommand{\isasymWHERE}{\isakeyword{where}}
-\newcommand{\isasymBEGIN}{\isakeyword{begin}}
-\newcommand{\isasymIMPORTS}{\isakeyword{imports}}
-\newcommand{\isasymIN}{\isakeyword{in}}
-\newcommand{\isasymSTRUCTURE}{\isakeyword{structure}}
-\newcommand{\isasymFIXES}{\isakeyword{fixes}}
-\newcommand{\isasymASSUMES}{\isakeyword{assumes}}
-\newcommand{\isasymSHOWS}{\isakeyword{shows}}
-\newcommand{\isasymOBTAINS}{\isakeyword{obtains}}
-
-\newcommand{\isasymASSM}{\isacommand{assm}}
--- a/doc-src/manual.bib Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,2074 +0,0 @@
-% BibTeX database for the Isabelle documentation
-
-%publishers
-@string{AP="Academic Press"}
-@string{CUP="Cambridge University Press"}
-@string{IEEE="IEEE Computer Society Press"}
-@string{LNCS="Lecture Notes in Computer Science"}
-@string{MIT="MIT Press"}
-@string{NH="North-Holland"}
-@string{Prentice="Prentice-Hall"}
-@string{PH="Prentice-Hall"}
-@string{Springer="Springer-Verlag"}
-
-%institutions
-@string{CUCL="Computer Laboratory, University of Cambridge"}
-@string{Edinburgh="Department of Computer Science, University of Edinburgh"}
-@string{TUM="Department of Informatics, Technical University of Munich"}
-
-%journals
-@string{AI="Artificial Intelligence"}
-@string{FAC="Formal Aspects of Computing"}
-@string{JAR="Journal of Automated Reasoning"}
-@string{JCS="Journal of Computer Security"}
-@string{JFP="Journal of Functional Programming"}
-@string{JLC="Journal of Logic and Computation"}
-@string{JLP="Journal of Logic Programming"}
-@string{JSC="Journal of Symbolic Computation"}
-@string{JSL="Journal of Symbolic Logic"}
-@string{PROYAL="Proceedings of the Royal Society of London"}
-@string{SIGPLAN="{SIGPLAN} Notices"}
-@string{TISSEC="ACM Transactions on Information and System Security"}
-
-%conferences
-@string{CADE="International Conference on Automated Deduction"}
-@string{POPL="Symposium on Principles of Programming Languages"}
-@string{TYPES="Types for Proofs and Programs"}
-
-
-%A
-
-@incollection{abramsky90,
- author = {Samson Abramsky},
- title = {The Lazy Lambda Calculus},
- pages = {65-116},
- editor = {David A. Turner},
- booktitle = {Research Topics in Functional Programming},
- publisher = {Addison-Wesley},
- year = 1990}
-
-@Unpublished{abrial93,
- author = {J. R. Abrial and G. Laffitte},
- title = {Towards the Mechanization of the Proofs of Some Classical
- Theorems of Set Theory},
- note = {preprint},
- year = 1993,
- month = Feb}
-
-@incollection{aczel77,
- author = {Peter Aczel},
- title = {An Introduction to Inductive Definitions},
- pages = {739-782},
- crossref = {barwise-handbk}}
-
-@Book{aczel88,
- author = {Peter Aczel},
- title = {Non-Well-Founded Sets},
- publisher = {CSLI},
- year = 1988}
-
-@inproceedings{Aehlig-Haftmann-Nipkow:2008:nbe,
- author = {Klaus Aehlig and Florian Haftmann and Tobias Nipkow},
- title = {A Compiled Implementation of Normalization by Evaluation},
- booktitle = {TPHOLs '08: Proceedings of the 21th International Conference on Theorem Proving in Higher Order Logics},
- year = {2008},
- isbn = {978-3-540-71065-3},
- pages = {352--367},
- publisher = Springer,
- series = LNCS,
- volume = {5170},
- editor = {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and Sofi{\`e}ne Tahar}
-}
-
-@InProceedings{alf,
- author = {Lena Magnusson and Bengt {Nordstr\"{o}m}},
- title = {The {ALF} Proof Editor and Its Proof Engine},
- crossref = {types93},
- pages = {213-237}}
-
-@inproceedings{andersson-1993,
- author = "Arne Andersson",
- title = "Balanced Search Trees Made Simple",
- editor = "F. K. H. A. Dehne and N. Santoro and S. Whitesides",
- booktitle = "WADS 1993",
- series = LNCS,
- volume = {709},
- pages = "61--70",
- year = 1993,
- publisher = Springer}
-
-@book{andrews86,
- author = "Peter Andrews",
- title = "An Introduction to Mathematical Logic and Type Theory: to Truth
-through Proof",
- publisher = AP,
- series = "Computer Science and Applied Mathematics",
- year = 1986}
-
-@InProceedings{Aspinall:2000:eProof,
- author = {David Aspinall},
- title = {Protocols for Interactive {e-Proof}},
- booktitle = {Theorem Proving in Higher Order Logics (TPHOLs)},
- year = 2000,
- note = {Unpublished work-in-progress paper,
- \url{http://homepages.inf.ed.ac.uk/da/papers/drafts/eproof.ps.gz}}
-}
-
-@InProceedings{Aspinall:TACAS:2000,
- author = {David Aspinall},
- title = {{P}roof {G}eneral: A Generic Tool for Proof Development},
- booktitle = {Tools and Algorithms for the Construction and Analysis of
- Systems (TACAS)},
- year = 2000,
- publisher = Springer,
- series = LNCS,
- volume = 1785,
- pages = "38--42"
-}
-
-@Misc{isamode,
- author = {David Aspinall},
- title = {Isamode --- {U}sing {I}sabelle with {E}macs},
- note = {\url{http://homepages.inf.ed.ac.uk/da/Isamode/}}
-}
-
-@Misc{proofgeneral,
- author = {David Aspinall},
- title = {{P}roof {G}eneral},
- note = {\url{http://proofgeneral.inf.ed.ac.uk/}}
-}
-
-%B
-
-@inproceedings{backes-brown-2010,
- title = "Analytic Tableaux for Higher-Order Logic with Choice",
- author = "Julian Backes and Chad E. Brown",
- booktitle={Automated Reasoning: IJCAR 2010},
- editor={J. Giesl and R. H\"ahnle},
- publisher = Springer,
- series = LNCS,
- volume = 6173,
- pages = "76--90",
- year = 2010}
-
-@book{Baader-Nipkow,author={Franz Baader and Tobias Nipkow},
-title="Term Rewriting and All That",publisher=CUP,year=1998}
-
-@manual{isabelle-locale,
- author = {Clemens Ballarin},
- title = {Tutorial to Locales and Locale Interpretation},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/locales.pdf}}
-}
-
-@InCollection{Barendregt-Geuvers:2001,
- author = {H. Barendregt and H. Geuvers},
- title = {Proof Assistants using Dependent Type Systems},
- booktitle = {Handbook of Automated Reasoning},
- publisher = {Elsevier},
- year = 2001,
- editor = {A. Robinson and A. Voronkov}
-}
-
-@inproceedings{cvc3,
- author = {Clark Barrett and Cesare Tinelli},
- title = {{CVC3}},
- booktitle = {CAV},
- editor = {Werner Damm and Holger Hermanns},
- volume = {4590},
- series = LNCS,
- pages = {298--302},
- publisher = {Springer},
- year = {2007}
-}
-
-@incollection{basin91,
- author = {David Basin and Matt Kaufmann},
- title = {The {Boyer-Moore} Prover and {Nuprl}: An Experimental
- Comparison},
- crossref = {huet-plotkin91},
- pages = {89-119}}
-
-@Unpublished{HOL-Library,
- author = {Gertrud Bauer and Tobias Nipkow and Oheimb, David von and
- Lawrence C Paulson and Thomas M Rasmussen and Christophe Tabacznyj and
- Markus Wenzel},
- title = {The Supplemental {Isabelle/HOL} Library},
- note = {Part of the Isabelle distribution,
- \url{http://isabelle.in.tum.de/library/HOL/Library/document.pdf}},
- year = 2002
-}
-
-@InProceedings{Bauer-Wenzel:2000:HB,
- author = {Gertrud Bauer and Markus Wenzel},
- title = {Computer-Assisted Mathematics at Work --- The {H}ahn-{B}anach Theorem in
- {I}sabelle/{I}sar},
- booktitle = {Types for Proofs and Programs: TYPES'99},
- editor = {Thierry Coquand and Peter Dybjer and Bengt Nordstr{\"o}m
- and Jan Smith},
- series = {LNCS},
- year = 2000
-}
-
-@InProceedings{Bauer-Wenzel:2001,
- author = {Gertrud Bauer and Markus Wenzel},
- title = {Calculational reasoning revisited --- an {Isabelle/Isar} experience},
- crossref = {tphols2001}}
-
-@inproceedings{leo2,
- author = "Christoph Benzm{\"u}ller and Lawrence C. Paulson and Frank Theiss and Arnaud Fietzke",
- title = "{LEO-II}---A Cooperative Automatic Theorem Prover for Higher-Order Logic",
- editor = "Alessandro Armando and Peter Baumgartner and Gilles Dowek",
- booktitle = "Automated Reasoning: IJCAR 2008",
- publisher = Springer,
- series = LNCS,
- volume = 5195,
- pages = "162--170",
- year = 2008}
-
-@inProceedings{Berghofer-Bulwahn-Haftmann:2009:TPHOL,
- author = {Berghofer, Stefan and Bulwahn, Lukas and Haftmann, Florian},
- booktitle = {Theorem Proving in Higher Order Logics},
- pages = {131--146},
- title = {Turning Inductive into Equational Specifications},
- year = {2009}
-}
-
-@INPROCEEDINGS{Berghofer-Nipkow:2000:TPHOL,
- crossref = "tphols2000",
- title = "Proof terms for simply typed higher order logic",
- author = "Stefan Berghofer and Tobias Nipkow",
- pages = "38--52"}
-
-@inproceedings{berghofer-nipkow-2004,
- author = {Stefan Berghofer and Tobias Nipkow},
- title = {Random Testing in {I}sabelle/{HOL}},
- pages = {230--239},
- editor = "J. Cuellar and Z. Liu",
- booktitle = {{SEFM} 2004},
- publisher = IEEE,
- year = 2004}
-
-@InProceedings{Berghofer-Nipkow:2002,
- author = {Stefan Berghofer and Tobias Nipkow},
- title = {Executing Higher Order Logic},
- booktitle = {Types for Proofs and Programs: TYPES'2000},
- editor = {P. Callaghan and Z. Luo and J. McKinna and R. Pollack},
- series = LNCS,
- publisher = Springer,
- volume = 2277,
- year = 2002}
-
-@InProceedings{Berghofer-Wenzel:1999:TPHOL,
- author = {Stefan Berghofer and Markus Wenzel},
- title = {Inductive datatypes in {HOL} --- lessons learned in
- {F}ormal-{L}ogic {E}ngineering},
- crossref = {tphols99}}
-
-
-@InProceedings{Bezem-Coquand:2005,
- author = {M.A. Bezem and T. Coquand},
- title = {Automating {Coherent Logic}},
- booktitle = {LPAR-12},
- editor = {G. Sutcliffe and A. Voronkov},
- volume = 3835,
- series = LNCS,
- publisher = Springer}
-
-@book{Bird-Wadler,author="Richard Bird and Philip Wadler",
-title="Introduction to Functional Programming",publisher=PH,year=1988}
-
-@book{Bird-Haskell,author="Richard Bird",
-title="Introduction to Functional Programming using Haskell",
-publisher=PH,year=1998}
-
-@manual{isabelle-nitpick,
- author = {Jasmin Christian Blanchette},
- title = {Picking Nits: A User's Guide to {N}itpick for {I}sabelle/{HOL}},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/nitpick.pdf}}
-}
-
-@manual{isabelle-sledgehammer,
- author = {Jasmin Christian Blanchette},
- title = {Hammering Away: A User's Guide to {S}ledgehammer for {I}sabelle/{HOL}},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/sledgehammer.pdf}}
-}
-
-@inproceedings{blanchette-nipkow-2010,
- title = "Nitpick: A Counterexample Generator for Higher-Order Logic Based on a Relational Model Finder",
- author = "Jasmin Christian Blanchette and Tobias Nipkow",
- crossref = {itp2010}}
-
-@inproceedings{why3,
- author = {Fran\c{c}ois Bobot and Jean-Christophe Filli\^atre and Claude March\'e and Andrei Paskevich},
- title = {{Why3}: Shepherd Your Herd of Provers},
- editor = "K. Rustan M. Leino and Micha\l{} Moskal",
- booktitle = {Boogie 2011},
- pages = "53--64",
- year = 2011
-}
-
-@inproceedings{alt-ergo,
- author = {Fran\c{c}ois Bobot and Sylvain Conchon and Evelyne Contejean and St\'ephane Lescuyer},
- title = {Implementing Polymorphism in {SMT} Solvers},
- booktitle = {SMT '08},
- pages = "1--5",
- publisher = "ACM",
- series = "ICPS",
- year = 2008,
- editor = {Clark Barrett and Leonardo de Moura}}
-% /BPR
-% and Domagoj Babic and Amit Goel
-
-@inproceedings{boehme-nipkow-2010,
- author={Sascha B\"ohme and Tobias Nipkow},
- title={Sledgehammer: Judgement Day},
- booktitle={Automated Reasoning: IJCAR 2010},
- editor={J. Giesl and R. H\"ahnle},
- publisher=Springer,
- series=LNCS,
- volume = 6173,
- pages = "107--121",
- year=2010}
-
-@Article{boyer86,
- author = {Robert Boyer and Ewing Lusk and William McCune and Ross
- Overbeek and Mark Stickel and Lawrence Wos},
- title = {Set Theory in First-Order Logic: Clauses for {G\"{o}del's}
- Axioms},
- journal = JAR,
- year = 1986,
- volume = 2,
- number = 3,
- pages = {287-327}}
-
-@book{bm79,
- author = {Robert S. Boyer and J Strother Moore},
- title = {A Computational Logic},
- publisher = {Academic Press},
- year = 1979}
-
-@book{bm88book,
- author = {Robert S. Boyer and J Strother Moore},
- title = {A Computational Logic Handbook},
- publisher = {Academic Press},
- year = 1988}
-
-@inproceedings{satallax,
- author = "Chad E. Brown",
- title = "Reducing Higher-Order Theorem Proving to a Sequence of {SAT} Problems",
- booktitle = {Automated Deduction --- CADE-23},
- publisher = Springer,
- series = LNCS,
- volume = 6803,
- pages = "147--161",
- editor = "Nikolaj Bj{\o}rner and Viorica Sofronie-Stokkermans",
- year = 2011}
-
-@Article{debruijn72,
- author = {N. G. de Bruijn},
- title = {Lambda Calculus Notation with Nameless Dummies,
- a Tool for Automatic Formula Manipulation,
- with Application to the {Church-Rosser Theorem}},
- journal = {Indag. Math.},
- volume = 34,
- pages = {381-392},
- year = 1972}
-
-@InProceedings{bulwahnKN07,
- author = {Lukas Bulwahn and Alexander Krauss and Tobias Nipkow},
- title = {Finding Lexicographic Orders for Termination Proofs in {Isabelle/HOL}},
- crossref = {tphols2007},
- pages = {38--53}
-}
-
-@InProceedings{bulwahn-et-al:2008:imperative,
- author = {Lukas Bulwahn and Alexander Krauss and Florian Haftmann and Levent Erkök and John Matthews},
- title = {Imperative Functional Programming with {Isabelle/HOL}},
- crossref = {tphols2008},
-}
-% pages = {38--53}
-
-@Article{ban89,
- author = {M. Burrows and M. Abadi and R. M. Needham},
- title = {A Logic of Authentication},
- journal = PROYAL,
- year = 1989,
- volume = 426,
- pages = {233-271}}
-
-%C
-
-@InProceedings{Chaieb-Wenzel:2007,
- author = {Amine Chaieb and Makarius Wenzel},
- title = {Context aware Calculation and Deduction ---
- Ring Equalities via {Gr\"obner Bases} in {Isabelle}},
- booktitle = {Towards Mechanized Mathematical Assistants (CALCULEMUS 2007)},
- editor = {Manuel Kauers and Manfred Kerber and Robert Miner and Wolfgang Windsteiger},
- series = LNAI,
- volume = 4573,
- year = 2007,
- publisher = Springer
-}
-
-@TechReport{camilleri92,
- author = {J. Camilleri and T. F. Melham},
- title = {Reasoning with Inductively Defined Relations in the
- {HOL} Theorem Prover},
- institution = CUCL,
- year = 1992,
- number = 265,
- month = Aug}
-
-@Book{charniak80,
- author = {E. Charniak and C. K. Riesbeck and D. V. McDermott},
- title = {Artificial Intelligence Programming},
- publisher = {Lawrence Erlbaum Associates},
- year = 1980}
-
-@article{church40,
- author = "Alonzo Church",
- title = "A Formulation of the Simple Theory of Types",
- journal = JSL,
- year = 1940,
- volume = 5,
- pages = "56-68"}
-
-@book{ClarkeGP-book,author="Edmund Clarke and Orna Grumberg and Doron Peled",
-title="Model Checking",publisher=MIT,year=1999}
-
-@PhdThesis{coen92,
- author = {Martin D. Coen},
- title = {Interactive Program Derivation},
- school = {University of Cambridge},
- note = {Computer Laboratory Technical Report 272},
- month = nov,
- year = 1992}
-
-@book{constable86,
- author = {R. L. Constable and others},
- title = {Implementing Mathematics with the Nuprl Proof
- Development System},
- publisher = Prentice,
- year = 1986}
-
-%D
-
-@Book{davey-priestley,
- author = {B. A. Davey and H. A. Priestley},
- title = {Introduction to Lattices and Order},
- publisher = CUP,
- year = 1990}
-
-@Book{devlin79,
- author = {Keith J. Devlin},
- title = {Fundamentals of Contemporary Set Theory},
- publisher = {Springer},
- year = 1979}
-
-@book{dummett,
- author = {Michael Dummett},
- title = {Elements of Intuitionism},
- year = 1977,
- publisher = {Oxford University Press}}
-
-@misc{yices,
- author = {Bruno Dutertre and Leonardo de Moura},
- title = {The {Yices} {SMT} Solver},
- howpublished = "\url{http://yices.csl.sri.com/tool-paper.pdf}",
- year = 2006}
-
-@incollection{dybjer91,
- author = {Peter Dybjer},
- title = {Inductive Sets and Families in {Martin-L{\"o}f's} Type
- Theory and Their Set-Theoretic Semantics},
- crossref = {huet-plotkin91},
- pages = {280-306}}
-
-@Article{dyckhoff,
- author = {Roy Dyckhoff},
- title = {Contraction-Free Sequent Calculi for Intuitionistic Logic},
- journal = JSL,
- year = 1992,
- volume = 57,
- number = 3,
- pages = {795-807}}
-
-%F
-
-@Article{IMPS,
- author = {William M. Farmer and Joshua D. Guttman and F. Javier
- Thayer},
- title = {{IMPS}: An Interactive Mathematical Proof System},
- journal = JAR,
- volume = 11,
- number = 2,
- year = 1993,
- pages = {213-248}}
-
-@InProceedings{felty91a,
- Author = {Amy Felty},
- Title = {A Logic Program for Transforming Sequent Proofs to Natural
- Deduction Proofs},
- crossref = {extensions91},
- pages = {157-178}}
-
-@Article{fleuriot-jcm,
- author = {Jacques Fleuriot and Lawrence C. Paulson},
- title = {Mechanizing Nonstandard Real Analysis},
- journal = {LMS Journal of Computation and Mathematics},
- year = 2000,
- volume = 3,
- pages = {140-190},
- note = {\url{http://www.lms.ac.uk/jcm/3/lms1999-027/}}
-}
-
-@TechReport{frost93,
- author = {Jacob Frost},
- title = {A Case Study of Co-induction in {Isabelle HOL}},
- institution = CUCL,
- number = 308,
- year = 1993,
- month = Aug}
-
-%revised version of frost93
-@TechReport{frost95,
- author = {Jacob Frost},
- title = {A Case Study of Co-induction in {Isabelle}},
- institution = CUCL,
- number = 359,
- year = 1995,
- month = Feb}
-
-@inproceedings{OBJ,
- author = {K. Futatsugi and J.A. Goguen and Jean-Pierre Jouannaud
- and J. Meseguer},
- title = {Principles of {OBJ2}},
- booktitle = POPL,
- year = 1985,
- pages = {52-66}}
-
-%G
-
-@book{gallier86,
- author = {J. H. Gallier},
- title = {Logic for Computer Science:
- Foundations of Automatic Theorem Proving},
- year = 1986,
- publisher = {Harper \& Row}}
-
-@Book{galton90,
- author = {Antony Galton},
- title = {Logic for Information Technology},
- publisher = {Wiley},
- year = 1990}
-
-@Article{Gentzen:1935,
- author = {G. Gentzen},
- title = {Untersuchungen {\"u}ber das logische {S}chlie{\ss}en},
- journal = {Math. Zeitschrift},
- year = 1935
-}
-
-@InProceedings{gimenez-codifying,
- author = {Eduardo Gim{\'e}nez},
- title = {Codifying Guarded Definitions with Recursive Schemes},
- crossref = {types94},
- pages = {39-59}
-}
-
-@book{girard89,
- author = {Jean-Yves Girard},
- title = {Proofs and Types},
- year = 1989,
- publisher = CUP,
- note = {Translated by Yves LaFont and Paul Taylor}}
-
-@Book{mgordon-hol,
- editor = {M. J. C. Gordon and T. F. Melham},
- title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic},
- publisher = CUP,
- year = 1993}
-
-@book{mgordon79,
- author = {Michael J. C. Gordon and Robin Milner and Christopher P.
- Wadsworth},
- title = {Edinburgh {LCF}: A Mechanised Logic of Computation},
- year = 1979,
- publisher = {Springer},
- series = {LNCS 78}}
-
-@inproceedings{Gunter-HOL92,author={Elsa L. Gunter},
-title={Why we can't have {SML} style datatype declarations in {HOL}},
-booktitle={Higher Order Logic Theorem Proving and its Applications: Proc.\
-IFIP TC10/WG10.2 Intl. Workshop, 1992},
-editor={L.J.M. Claesen and M.J.C. Gordon},
-publisher=NH,year=1993,pages={561--568}}
-
-@InProceedings{gunter-trees,
- author = {Elsa L. Gunter},
- title = {A Broader Class of Trees for Recursive Type Definitions for
- {HOL}},
- crossref = {hug93},
- pages = {141-154}}
-
-%H
-
-@InProceedings{Haftmann-Wenzel:2006:classes,
- author = {Florian Haftmann and Makarius Wenzel},
- title = {Constructive Type Classes in {Isabelle}},
- editor = {T. Altenkirch and C. McBride},
- booktitle = {Types for Proofs and Programs, TYPES 2006},
- publisher = {Springer},
- series = {LNCS},
- volume = {4502},
- year = {2007}
-}
-
-@inproceedings{Haftmann-Nipkow:2010:code,
- author = {Florian Haftmann and Tobias Nipkow},
- title = {Code Generation via Higher-Order Rewrite Systems},
- booktitle = {Functional and Logic Programming: 10th International Symposium: FLOPS 2010},
- year = 2010,
- publisher = Springer,
- series = LNCS,
- editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal},
- volume = 6009
-}
-
-@InProceedings{Haftmann-Wenzel:2009,
- author = {Florian Haftmann and Makarius Wenzel},
- title = {Local theory specifications in {Isabelle/Isar}},
- editor = {Stefano Berardi and Ferruccio Damiani and de Liguoro, Ugo},
- booktitle = {Types for Proofs and Programs, TYPES 2008},
- publisher = {Springer},
- series = {LNCS},
- volume = {5497},
- year = {2009}
-}
-
-@inproceedings{hindleymilner,
- author = {L. Damas and H. Milner},
- title = {Principal type schemes for functional programs},
- booktitle = {ACM Symp. Principles of Programming Languages},
- year = 1982
-}
-
-@manual{isabelle-classes,
- author = {Florian Haftmann},
- title = {Haskell-style type classes with {Isabelle}/{Isar}},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/classes.pdf}}
-}
-
-@manual{isabelle-codegen,
- author = {Florian Haftmann},
- title = {Code generation from Isabelle theories},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/codegen.pdf}}
-}
-
-@Book{halmos60,
- author = {Paul R. Halmos},
- title = {Naive Set Theory},
- publisher = {Van Nostrand},
- year = 1960}
-
-@book{HarelKT-DL,author={David Harel and Dexter Kozen and Jerzy Tiuryn},
-title={Dynamic Logic},publisher=MIT,year=2000}
-
-@Book{hennessy90,
- author = {Matthew Hennessy},
- title = {The Semantics of Programming Languages: An Elementary
- Introduction Using Structural Operational Semantics},
- publisher = {Wiley},
- year = 1990}
-
-@article{waldmeister,
- author = {Thomas Hillenbrand and Arnim Buch and Rolan Vogt and Bernd L\"ochner},
- title = "Waldmeister: High-Performance Equational Deduction",
- journal = JAR,
- volume = 18,
- number = 2,
- pages = {265--270},
- year = 1997}
-
-@book{HopcroftUllman,author={John E. Hopcroft and Jeffrey D. Ullman},
-title={Introduction to Automata Theory, Languages, and Computation.},
-publisher={Addison-Wesley},year=1979}
-
-@Article{haskell-report,
- author = {Paul Hudak and Simon Peyton Jones and Philip Wadler},
- title = {Report on the Programming Language {Haskell}: A
- Non-strict, Purely Functional Language},
- journal = SIGPLAN,
- year = 1992,
- volume = 27,
- number = 5,
- month = May,
- note = {Version 1.2}}
-
-@Article{haskell-tutorial,
- author = {Paul Hudak and Joseph H. Fasel},
- title = {A Gentle Introduction to {Haskell}},
- journal = SIGPLAN,
- year = 1992,
- volume = 27,
- number = 5,
- month = May}
-
-@inproceedings{sine,
- author = "Kry\v{s}tof Hoder and Andrei Voronkov",
- title = "Sine Qua Non for Large Theory Reasoning",
- booktitle = {Automated Deduction --- CADE-23},
- publisher = Springer,
- series = LNCS,
- volume = 6803,
- pages = "299--314",
- editor = "Nikolaj Bj{\o}rner and Viorica Sofronie-Stokkermans",
- year = 2011}
-
-@book{Hudak-Haskell,author={Paul Hudak},
-title={The Haskell School of Expression},publisher=CUP,year=2000}
-
-@article{huet75,
- author = {G. P. Huet},
- title = {A Unification Algorithm for Typed $\lambda$-Calculus},
- journal = TCS,
- volume = 1,
- year = 1975,
- pages = {27-57}}
-
-@article{huet78,
- author = {G. P. Huet and B. Lang},
- title = {Proving and Applying Program Transformations Expressed with
- Second-Order Patterns},
- journal = acta,
- volume = 11,
- year = 1978,
- pages = {31-55}}
-
-@inproceedings{huet88,
- author = {G{\'e}rard Huet},
- title = {Induction Principles Formalized in the {Calculus of
- Constructions}},
- booktitle = {Programming of Future Generation Computers},
- editor = {K. Fuchi and M. Nivat},
- year = 1988,
- pages = {205-216},
- publisher = {Elsevier}}
-
-@Book{Huth-Ryan-book,
- author = {Michael Huth and Mark Ryan},
- title = {Logic in Computer Science. Modelling and reasoning about systems},
- publisher = CUP,
- year = 2000}
-
-@InProceedings{Harrison:1996:MizarHOL,
- author = {J. Harrison},
- title = {A {Mizar} Mode for {HOL}},
- pages = {203--220},
- crossref = {tphols96}}
-
-@misc{metis,
- author = "Joe Hurd",
- title = "Metis Theorem Prover",
- note = "\url{http://www.gilith.com/software/metis/}"}
-
-%J
-
-@article{haskell-revised-report,
- author = {Simon {Peyton Jones} and others},
- title = {The {Haskell} 98 Language and Libraries: The Revised Report},
- journal = {Journal of Functional Programming},
- volume = 13,
- number = 1,
- pages = {0--255},
- month = {Jan},
- year = 2003,
- note = {\url{http://www.haskell.org/definition/}}}
-
-@book{jackson-2006,
- author = "Daniel Jackson",
- title = "Software Abstractions: Logic, Language, and Analysis",
- publisher = MIT,
- year = 2006}
-
-%K
-
-@InProceedings{kammueller-locales,
- author = {Florian Kamm{\"u}ller and Markus Wenzel and
- Lawrence C. Paulson},
- title = {Locales: A Sectioning Concept for {Isabelle}},
- crossref = {tphols99}}
-
-@book{Knuth3-75,
- author={Donald E. Knuth},
- title={The Art of Computer Programming, Volume 3: Sorting and Searching},
- publisher={Addison-Wesley},
- year=1975}
-
-@Article{korf85,
- author = {R. E. Korf},
- title = {Depth-First Iterative-Deepening: an Optimal Admissible
- Tree Search},
- journal = AI,
- year = 1985,
- volume = 27,
- pages = {97-109}}
-
-@inproceedings{korovin-2009,
- title = "Instantiation-Based Automated Reasoning: From Theory to Practice",
- author = "Konstantin Korovin",
- editor = "Renate A. Schmidt",
- booktitle = {Automated Deduction --- CADE-22},
- series = "LNAI",
- volume = {5663},
- pages = "163--166",
- year = 2009,
- publisher = "Springer"}
-
-@inproceedings{korovin-sticksel-2010,
- author = {Konstantin Korovin and
- Christoph Sticksel},
- title = {{iP}rover-{E}q: An Instantiation-Based Theorem Prover with Equality},
- pages = {196--202},
- booktitle={Automated Reasoning: IJCAR 2010},
- editor={J. Giesl and R. H\"ahnle},
- publisher = Springer,
- series = LNCS,
- volume = 6173,
- year = 2010}
-
-@InProceedings{krauss2006,
- author = {Alexander Krauss},
- title = {Partial Recursive Functions in {Higher-Order Logic}},
- crossref = {ijcar2006},
- pages = {589--603}}
-
-@PhdThesis{krauss_phd,
- author = {Alexander Krauss},
- title = {Automating Recursive Definitions and Termination Proofs in Higher-Order Logic},
- school = {Institut f{\"u}r Informatik, Technische Universit{\"a}t M{\"u}nchen},
- year = {2009},
- address = {Germany}
-}
-
-@manual{isabelle-function,
- author = {Alexander Krauss},
- title = {Defining Recursive Functions in {Isabelle/HOL}},
- institution = TUM,
- note = {\url{http://isabelle.in.tum.de/doc/functions.pdf}}
-}
-
-@Book{kunen80,
- author = {Kenneth Kunen},
- title = {Set Theory: An Introduction to Independence Proofs},
- publisher = NH,
- year = 1980}
-
-%L
-
-@manual{OCaml,
- author = {Xavier Leroy and others},
- title = {The Objective Caml system -- Documentation and user's manual},
- note = {\url{http://caml.inria.fr/pub/docs/manual-ocaml/}}}
-
-@incollection{lochbihler-2010,
- title = "Coinduction",
- author = "Andreas Lochbihler",
- booktitle = "The Archive of Formal Proofs",
- editor = "Gerwin Klein and Tobias Nipkow and Lawrence C. Paulson",
- publisher = "\url{http://afp.sourceforge.net/entries/Coinductive.shtml}",
- month = "Feb.",
- year = 2010}
-
-@book{loveland-78,
- author = "D. W. Loveland",
- title = "Automated Theorem Proving: A Logical Basis",
- year = 1978,
- publisher = "North-Holland Publishing Co."}
-
-@InProceedings{lowe-fdr,
- author = {Gavin Lowe},
- title = {Breaking and Fixing the {Needham}-{Schroeder} Public-Key
- Protocol using {CSP} and {FDR}},
- booktitle = {Tools and Algorithms for the Construction and Analysis
- of Systems: second international workshop, TACAS '96},
- editor = {T. Margaria and B. Steffen},
- series = {LNCS 1055},
- year = 1996,
- publisher = {Springer},
- pages = {147-166}}
-
-%M
-
-@Article{mw81,
- author = {Zohar Manna and Richard Waldinger},
- title = {Deductive Synthesis of the Unification Algorithm},
- journal = SCP,
- year = 1981,
- volume = 1,
- number = 1,
- pages = {5-48}}
-
-@InProceedings{martin-nipkow,
- author = {Ursula Martin and Tobias Nipkow},
- title = {Ordered Rewriting and Confluence},
- crossref = {cade10},
- pages = {366-380}}
-
-@book{martinlof84,
- author = {Per Martin-L{\"o}f},
- title = {Intuitionistic type theory},
- year = 1984,
- publisher = {Bibliopolis}}
-
-@incollection{melham89,
- author = {Thomas F. Melham},
- title = {Automating Recursive Type Definitions in Higher Order
- Logic},
- pages = {341-386},
- crossref = {birtwistle89}}
-
-@Article{Miller:1991,
- author = {Dale Miller},
- title = {A Logic Programming Language with Lambda-Abstraction, Function Variables,
- and Simple Unification},
- journal = {Journal of Logic and Computation},
- year = 1991,
- volume = 1,
- number = 4
-}
-
-@Article{miller-mixed,
- Author = {Dale Miller},
- Title = {Unification Under a Mixed Prefix},
- journal = JSC,
- volume = 14,
- number = 4,
- pages = {321-358},
- Year = 1992}
-
-@Article{milner78,
- author = {Robin Milner},
- title = {A Theory of Type Polymorphism in Programming},
- journal = "J. Comp.\ Sys.\ Sci.",
- year = 1978,
- volume = 17,
- pages = {348-375}}
-
-@TechReport{milner-ind,
- author = {Robin Milner},
- title = {How to Derive Inductions in {LCF}},
- institution = Edinburgh,
- year = 1980,
- type = {note}}
-
-@Article{milner-coind,
- author = {Robin Milner and Mads Tofte},
- title = {Co-induction in Relational Semantics},
- journal = TCS,
- year = 1991,
- volume = 87,
- pages = {209-220}}
-
-@Book{milner89,
- author = {Robin Milner},
- title = {Communication and Concurrency},
- publisher = Prentice,
- year = 1989}
-
-@book{SML,author="Robin Milner and Mads Tofte and Robert Harper",
-title="The Definition of Standard ML",publisher=MIT,year=1990}
-
-@PhdThesis{monahan84,
- author = {Brian Q. Monahan},
- title = {Data Type Proofs using Edinburgh {LCF}},
- school = {University of Edinburgh},
- year = 1984}
-
-@article{MuellerNvOS99,
-author=
-{Olaf M{\"u}ller and Tobias Nipkow and Oheimb, David von and Oscar Slotosch},
-title={{HOLCF = HOL + LCF}},journal=JFP,year=1999,volume=9,pages={191--223}}
-
-@Manual{Muzalewski:Mizar,
- title = {An Outline of {PC} {Mizar}},
- author = {Micha{\l} Muzalewski},
- organization = {Fondation of Logic, Mathematics and Informatics
- --- Mizar Users Group},
- year = 1993,
- note = {\url{http://www.cs.kun.nl/~freek/mizar/mizarmanual.ps.gz}}
-}
-
-%N
-
-@InProceedings{NaraschewskiW-TPHOLs98,
- author = {Wolfgang Naraschewski and Markus Wenzel},
- title =
-{Object-Oriented Verification based on Record Subtyping in
- Higher-Order Logic},
- crossref = {tphols98}}
-
-@inproceedings{nazareth-nipkow,
- author = {Dieter Nazareth and Tobias Nipkow},
- title = {Formal Verification of Algorithm {W}: The Monomorphic Case},
- crossref = {tphols96},
- pages = {331-345},
- year = 1996}
-
-@Article{needham-schroeder,
- author = "Roger M. Needham and Michael D. Schroeder",
- title = "Using Encryption for Authentication in Large Networks
- of Computers",
- journal = cacm,
- volume = 21,
- number = 12,
- pages = "993-999",
- month = dec,
- year = 1978}
-
-@inproceedings{nipkow-W,
- author = {Wolfgang Naraschewski and Tobias Nipkow},
- title = {Type Inference Verified: Algorithm {W} in {Isabelle/HOL}},
- booktitle = {Types for Proofs and Programs: Intl. Workshop TYPES '96},
- editor = {E. Gim{\'e}nez and C. Paulin-Mohring},
- publisher = Springer,
- series = LNCS,
- volume = 1512,
- pages = {317-332},
- year = 1998}
-
-@InCollection{nipkow-sorts93,
- author = {T. Nipkow},
- title = {Order-Sorted Polymorphism in {Isabelle}},
- booktitle = {Logical Environments},
- publisher = CUP,
- year = 1993,
- editor = {G. Huet and G. Plotkin},
- pages = {164--188}
-}
-
-@Misc{nipkow-types93,
- author = {Tobias Nipkow},
- title = {Axiomatic Type Classes (in {I}sabelle)},
- howpublished = {Presentation at the workshop \emph{Types for Proof and Programs}, Nijmegen},
- year = 1993
-}
-
-@inproceedings{Nipkow-CR,
- author = {Tobias Nipkow},
- title = {More {Church-Rosser} Proofs (in {Isabelle/HOL})},
- booktitle = {Automated Deduction --- CADE-13},
- editor = {M. McRobbie and J.K. Slaney},
- publisher = Springer,
- series = LNCS,
- volume = 1104,
- pages = {733-747},
- year = 1996}
-
-% WAS Nipkow-LICS-93
-@InProceedings{nipkow-patterns,
- title = {Functional Unification of Higher-Order Patterns},
- author = {Tobias Nipkow},
- pages = {64-74},
- crossref = {lics8},
- url = {\url{ftp://ftp.informatik.tu-muenchen.de/local/lehrstuhl/nipkow/lics93.html}},
- keywords = {unification}}
-
-@article{nipkow-IMP,
- author = {Tobias Nipkow},
- title = {Winskel is (almost) Right: Towards a Mechanized Semantics Textbook},
- journal = FAC,
- volume = 10,
- pages = {171-186},
- year = 1998}
-
-@inproceedings{Nipkow-TYPES02,
- author = {Tobias Nipkow},
- title = {{Structured Proofs in Isar/HOL}},
- booktitle = {Types for Proofs and Programs (TYPES 2002)},
- editor = {H. Geuvers and F. Wiedijk},
- year = 2003,
- publisher = Springer,
- series = LNCS,
- volume = 2646,
- pages = {259-278}}
-
-@manual{isabelle-HOL,
- author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
- title = {{Isabelle}'s Logics: {HOL}},
- institution = {Institut f{\"u}r Informatik, Technische Universi{\"a}t
- M{\"u}nchen and Computer Laboratory, University of Cambridge},
- note = {\url{http://isabelle.in.tum.de/doc/logics-HOL.pdf}}}
-
-@article{nipkow-prehofer,
- author = {Tobias Nipkow and Christian Prehofer},
- title = {Type Reconstruction for Type Classes},
- journal = JFP,
- volume = 5,
- number = 2,
- year = 1995,
- pages = {201-224}}
-
-@InProceedings{Nipkow-Prehofer:1993,
- author = {T. Nipkow and C. Prehofer},
- title = {Type checking type classes},
- booktitle = {ACM Symp.\ Principles of Programming Languages},
- year = 1993
-}
-
-@Book{isa-tutorial,
- author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
- title = {Isabelle/{HOL}: A Proof Assistant for Higher-Order Logic},
- publisher = Springer,
- year = 2002,
- series = LNCS,
- volume = 2283}
-
-@Article{noel,
- author = {Philippe No{\"e}l},
- title = {Experimenting with {Isabelle} in {ZF} Set Theory},
- journal = JAR,
- volume = 10,
- number = 1,
- pages = {15-58},
- year = 1993}
-
-@book{nordstrom90,
- author = {Bengt {Nordstr{\"o}m} and Kent Petersson and Jan Smith},
- title = {Programming in {Martin-L{\"o}f}'s Type Theory. An
- Introduction},
- publisher = {Oxford University Press},
- year = 1990}
-
-%O
-
-@TechReport{scala-overview-tech-report,
- author = {Martin Odersky and al.},
- title = {An Overview of the Scala Programming Language},
- institution = {EPFL Lausanne, Switzerland},
- year = 2004,
- number = {IC/2004/64}
-}
-
-@Article{Oppen:1980,
- author = {D. C. Oppen},
- title = {Pretty Printing},
- journal = {ACM Transactions on Programming Languages and Systems},
- year = 1980,
- volume = 2,
- number = 4}
-
-@Manual{pvs-language,
- title = {The {PVS} specification language},
- author = {S. Owre and N. Shankar and J. M. Rushby},
- organization = {Computer Science Laboratory, SRI International},
- address = {Menlo Park, CA},
- note = {Beta release},
- year = 1993,
- month = apr,
- url = {\url{http://www.csl.sri.com/reports/pvs-language.dvi.Z}}}
-
-%P
-
-% replaces paulin92
-@InProceedings{paulin-tlca,
- author = {Christine Paulin-Mohring},
- title = {Inductive Definitions in the System {Coq}: Rules and
- Properties},
- crossref = {tlca93},
- pages = {328-345}}
-
-@InProceedings{paulson-CADE,
- author = {Lawrence C. Paulson},
- title = {A Fixedpoint Approach to Implementing (Co)Inductive
- Definitions},
- pages = {148-161},
- crossref = {cade12}}
-
-@InProceedings{paulson-COLOG,
- author = {Lawrence C. Paulson},
- title = {A Formulation of the Simple Theory of Types (for
- {Isabelle})},
- pages = {246-274},
- crossref = {colog88},
- url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR175-lcp-simple.dvi.gz}}}
-
-@Article{paulson-coind,
- author = {Lawrence C. Paulson},
- title = {Mechanizing Coinduction and Corecursion in Higher-Order
- Logic},
- journal = JLC,
- year = 1997,
- volume = 7,
- number = 2,
- month = mar,
- pages = {175-204}}
-
-@manual{isabelle-intro,
- author = {Lawrence C. Paulson},
- title = {Old Introduction to {Isabelle}},
- institution = CUCL,
- note = {\url{http://isabelle.in.tum.de/doc/intro.pdf}}}
-
-@manual{isabelle-logics,
- author = {Lawrence C. Paulson},
- title = {{Isabelle's} Logics},
- institution = CUCL,
- note = {\url{http://isabelle.in.tum.de/doc/logics.pdf}}}
-
-@manual{isabelle-ref,
- author = {Lawrence C. Paulson},
- title = {The Old {Isabelle} Reference Manual},
- institution = CUCL,
- note = {\url{http://isabelle.in.tum.de/doc/ref.pdf}}}
-
-@manual{isabelle-ZF,
- author = {Lawrence C. Paulson},
- title = {{Isabelle}'s Logics: {FOL} and {ZF}},
- institution = CUCL,
- note = {\url{http://isabelle.in.tum.de/doc/logics-ZF.pdf}}}
-
-@article{paulson-found,
- author = {Lawrence C. Paulson},
- title = {The Foundation of a Generic Theorem Prover},
- journal = JAR,
- volume = 5,
- number = 3,
- pages = {363-397},
- year = 1989,
- url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR130-lcp-generic-theorem-prover.dvi.gz}}}
-
-%replaces paulson-final
-@Article{paulson-mscs,
- author = {Lawrence C. Paulson},
- title = {Final Coalgebras as Greatest Fixed Points
- in {ZF} Set Theory},
- journal = {Mathematical Structures in Computer Science},
- year = 1999,
- volume = 9,
- number = 5,
- pages = {545-567}}
-
-@InCollection{paulson-generic,
- author = {Lawrence C. Paulson},
- title = {Generic Automatic Proof Tools},
- crossref = {wos-fest},
- chapter = 3}
-
-@Article{paulson-gr,
- author = {Lawrence C. Paulson and Krzysztof Gr\c{a}bczewski},
- title = {Mechanizing Set Theory: Cardinal Arithmetic and the Axiom of
- Choice},
- journal = JAR,
- year = 1996,
- volume = 17,
- number = 3,
- month = dec,
- pages = {291-323}}
-
-@InCollection{paulson-fixedpt-milner,
- author = {Lawrence C. Paulson},
- title = {A Fixedpoint Approach to (Co)inductive and
- (Co)datatype Definitions},
- pages = {187-211},
- crossref = {milner-fest}}
-
-@book{milner-fest,
- title = {Proof, Language, and Interaction:
- Essays in Honor of {Robin Milner}},
- booktitle = {Proof, Language, and Interaction:
- Essays in Honor of {Robin Milner}},
- publisher = MIT,
- year = 2000,
- editor = {Gordon Plotkin and Colin Stirling and Mads Tofte}}
-
-@InCollection{paulson-handbook,
- author = {Lawrence C. Paulson},
- title = {Designing a Theorem Prover},
- crossref = {handbk-lics2},
- pages = {415-475}}
-
-@Book{paulson-isa-book,
- author = {Lawrence C. Paulson},
- title = {Isabelle: A Generic Theorem Prover},
- publisher = {Springer},
- year = 1994,
- note = {LNCS 828}}
-
-@Book{isabelle-hol-book,
- author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
- title = {Isabelle/HOL --- A Proof Assistant for Higher-Order Logic},
- publisher = {Springer},
- year = 2002,
- note = {LNCS 2283}}
-
-@InCollection{paulson-markt,
- author = {Lawrence C. Paulson},
- title = {Tool Support for Logics of Programs},
- booktitle = {Mathematical Methods in Program Development:
- Summer School Marktoberdorf 1996},
- publisher = {Springer},
- pages = {461-498},
- year = {Published 1997},
- editor = {Manfred Broy},
- series = {NATO ASI Series F}}
-
-%replaces Paulson-ML and paulson91
-@book{paulson-ml2,
- author = {Lawrence C. Paulson},
- title = {{ML} for the Working Programmer},
- year = 1996,
- edition = {2nd},
- publisher = CUP}
-
-@article{paulson-natural,
- author = {Lawrence C. Paulson},
- title = {Natural Deduction as Higher-order Resolution},
- journal = JLP,
- volume = 3,
- pages = {237-258},
- year = 1986,
- url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR82-lcp-higher-order-resolution.dvi.gz}}}
-
-@Article{paulson-set-I,
- author = {Lawrence C. Paulson},
- title = {Set Theory for Verification: {I}. {From}
- Foundations to Functions},
- journal = JAR,
- volume = 11,
- number = 3,
- pages = {353-389},
- year = 1993,
- url = {\url{http://www.cl.cam.ac.uk/users/lcp/papers/Sets/set-I.pdf}}}
-
-@Article{paulson-set-II,
- author = {Lawrence C. Paulson},
- title = {Set Theory for Verification: {II}. {Induction} and
- Recursion},
- journal = JAR,
- volume = 15,
- number = 2,
- pages = {167-215},
- year = 1995,
- url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR312-lcp-set-II.ps.gz}}}
-
-@article{paulson85,
- author = {Lawrence C. Paulson},
- title = {Verifying the Unification Algorithm in {LCF}},
- journal = SCP,
- volume = 5,
- pages = {143-170},
- year = 1985}
-
-%replaces Paulson-LCF
-@book{paulson87,
- author = {Lawrence C. Paulson},
- title = {Logic and Computation: Interactive proof with Cambridge
- LCF},
- year = 1987,
- publisher = CUP}
-
-@incollection{paulson700,
- author = {Lawrence C. Paulson},
- title = {{Isabelle}: The Next 700 Theorem Provers},
- crossref = {odifreddi90},
- pages = {361-386},
- url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR143-lcp-experience.dvi.gz}}}
-
-% replaces paulson-ns and paulson-security
-@Article{paulson-jcs,
- author = {Lawrence C. Paulson},
- title = {The Inductive Approach to Verifying Cryptographic Protocols},
- journal = JCS,
- year = 1998,
- volume = 6,
- pages = {85-128}}
-
-@Article{paulson-tls,
- author = {Lawrence C. Paulson},
- title = {Inductive Analysis of the {Internet} Protocol {TLS}},
- journal = TISSEC,
- month = aug,
- year = 1999,
- volume = 2,
- number = 3,
- pages = {332-351}}
-
-@Article{paulson-yahalom,
- author = {Lawrence C. Paulson},
- title = {Relations Between Secrets:
- Two Formal Analyses of the {Yahalom} Protocol},
- journal = JCS,
- volume = 9,
- number = 3,
- pages = {197-216},
- year = 2001}}
-
-@article{pelletier86,
- author = {F. J. Pelletier},
- title = {Seventy-five Problems for Testing Automatic Theorem
- Provers},
- journal = JAR,
- volume = 2,
- pages = {191-216},
- year = 1986,
- note = {Errata, JAR 4 (1988), 235--236 and JAR 18 (1997), 135}}
-
-@InCollection{pitts93,
- author = {A. Pitts},
- title = {The {HOL} Logic},
- editor = {M. J. C. Gordon and T. F. Melham},
- booktitle = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic},
- pages = {191--232},
- publisher = CUP,
- year = 1993}
-
-@Article{pitts94,
- author = {Andrew M. Pitts},
- title = {A Co-induction Principle for Recursively Defined Domains},
- journal = TCS,
- volume = 124,
- pages = {195-219},
- year = 1994}
-
-@Article{plaisted90,
- author = {David A. Plaisted},
- title = {A Sequent-Style Model Elimination Strategy and a Positive
- Refinement},
- journal = JAR,
- year = 1990,
- volume = 6,
- number = 4,
- pages = {389-402}}
-
-%Q
-
-@Article{quaife92,
- author = {Art Quaife},
- title = {Automated Deduction in {von Neumann-Bernays-G\"{o}del} Set
- Theory},
- journal = JAR,
- year = 1992,
- volume = 8,
- number = 1,
- pages = {91-147}}
-
-%R
-
-@TechReport{rasmussen95,
- author = {Ole Rasmussen},
- title = {The {Church-Rosser} Theorem in {Isabelle}: A Proof Porting
- Experiment},
- institution = {Computer Laboratory, University of Cambridge},
- year = 1995,
- number = 364,
- month = may,
- url = {\url{http://www.cl.cam.ac.uk:80/ftp/papers/reports/TR364-or200-church-rosser-isabelle.ps.gz}}}
-
-@Book{reeves90,
- author = {Steve Reeves and Michael Clarke},
- title = {Logic for Computer Science},
- publisher = {Addison-Wesley},
- year = 1990}
-
-@article{riazanov-voronkov-2002,
- author = "Alexander Riazanov and Andrei Voronkov",
- title = "The Design and Implementation of {Vampire}",
- journal = "Journal of AI Communications",
- year = 2002,
- volume = 15,
- number ="2/3",
- pages = "91--110"}
-
-@book{Rosen-DMA,author={Kenneth H. Rosen},
-title={Discrete Mathematics and Its Applications},
-publisher={McGraw-Hill},year=1998}
-
-@InProceedings{Rudnicki:1992:MizarOverview,
- author = {P. Rudnicki},
- title = {An Overview of the {MIZAR} Project},
- booktitle = {1992 Workshop on Types for Proofs and Programs},
- year = 1992,
- organization = {Chalmers University of Technology},
- publisher = {Bastad}
-}
-
-%S
-
-@inproceedings{saaltink-fme,
- author = {Mark Saaltink and Sentot Kromodimoeljo and Bill Pase and
- Dan Craigen and Irwin Meisels},
- title = {An {EVES} Data Abstraction Example},
- pages = {578-596},
- crossref = {fme93}}
-
-@Article{Schroeder-Heister:1984,
- author = {Peter Schroeder-Heister},
- title = {A Natural Extension of Natural Deduction},
- journal = {Journal of Symbolic Logic},
- year = 1984,
- volume = 49,
- number = 4
-}
-
-@article{schulz-2002,
- author = "Stephan Schulz",
- title = "E---A Brainiac Theorem Prover",
- journal = "Journal of AI Communications",
- year = 2002,
- volume = 15,
- number ="2/3",
- pages = "111--126"}
-
-@misc{sledgehammer-2009,
- key = "Sledgehammer",
- title = "The {S}ledgehammer: Let Automatic Theorem Provers
-Write Your {I}s\-a\-belle Scripts",
- note = "\url{http://www.cl.cam.ac.uk/research/hvg/Isabelle/sledgehammer.html}"}
-
-@inproceedings{slind-tfl,
- author = {Konrad Slind},
- title = {Function Definition in Higher Order Logic},
- crossref = {tphols96},
- pages = {381-397}}
-
-@inproceedings{snark,
- author = {M. Stickel and R. Waldinger and M. Lowry and T. Pressburger and I. Underwood},
- title = {Deductive composition of astronomical software from subroutine libraries},
- pages = "341--355",
- crossref = {cade12}}
-
-@book{suppes72,
- author = {Patrick Suppes},
- title = {Axiomatic Set Theory},
- year = 1972,
- publisher = {Dover}}
-
-@inproceedings{sutcliffe-2000,
- author = "Geoff Sutcliffe",
- title = "System Description: {SystemOnTPTP}",
- editor = "David McAllester",
- booktitle = {Automated Deduction --- {CADE}-17 International Conference},
- series = "Lecture Notes in Artificial Intelligence",
- volume = {1831},
- pages = "406--410",
- year = 2000,
- publisher = Springer}
-
-@misc{tofof,
- author = "Geoff Sutcliffe",
- title = "{ToFoF}",
- note = "\url{http://www.cs.miami.edu/~tptp/ATPSystems/ToFoF/}"}
-
-@Article{Sutter:2005,
- author = {H. Sutter},
- title = {The Free Lunch Is Over --- A Fundamental Turn Toward Concurrency in Software},
- journal = {Dr. Dobb's Journal},
- year = 2005,
- volume = 30,
- number = 3}
-
-@InCollection{szasz93,
- author = {Nora Szasz},
- title = {A Machine Checked Proof that {Ackermann's} Function is not
- Primitive Recursive},
- crossref = {huet-plotkin93},
- pages = {317-338}}
-
-@TechReport{Syme:1997:DECLARE,
- author = {D. Syme},
- title = {{DECLARE}: A Prototype Declarative Proof System for Higher Order Logic},
- institution = {University of Cambridge Computer Laboratory},
- year = 1997,
- number = 416
-}
-
-@PhdThesis{Syme:1998:thesis,
- author = {D. Syme},
- title = {Declarative Theorem Proving for Operational Semantics},
- school = {University of Cambridge},
- year = 1998,
- note = {Submitted}
-}
-
-@InProceedings{Syme:1999:TPHOL,
- author = {D. Syme},
- title = {Three Tactic Theorem Proving},
- crossref = {tphols99}}
-
-%T
-
-@book{takeuti87,
- author = {G. Takeuti},
- title = {Proof Theory},
- year = 1987,
- publisher = NH,
- edition = {2nd}}
-
-@Book{thompson91,
- author = {Simon Thompson},
- title = {Type Theory and Functional Programming},
- publisher = {Addison-Wesley},
- year = 1991}
-
-@book{Thompson-Haskell,author={Simon Thompson},
-title={Haskell: The Craft of Functional Programming},
-publisher={Addison-Wesley},year=1999}
-
-@misc{kodkod-2009,
- author = "Emina Torlak",
- title = {Kodkod: Constraint Solver for Relational Logic},
- note = "\url{http://alloy.mit.edu/kodkod/}"}
-
-@misc{kodkod-2009-options,
- author = "Emina Torlak",
- title = "Kodkod {API}: Class {Options}",
- note = "\url{http://alloy.mit.edu/kodkod/docs/kodkod/engine/config/Options.html}"}
-
-@inproceedings{torlak-jackson-2007,
- title = "Kodkod: A Relational Model Finder",
- author = "Emina Torlak and Daniel Jackson",
- editor = "Orna Grumberg and Michael Huth",
- booktitle = "TACAS 2007",
- series = LNCS,
- volume = {4424},
- pages = "632--647",
- year = 2007,
- publisher = Springer}
-
-@unpublished{traytel-berghofer-nipkow-2011,
- author = {D. Traytel and S. Berghofer and T. Nipkow},
- title = {Extending Hindley-Milner Type Inference with Coercive
- Subtyping (long version)},
- year = 2011,
- note = {Submitted,
- \url{http://isabelle.in.tum.de/doc/implementation.pdf}}},
-}
-
-@Unpublished{Trybulec:1993:MizarFeatures,
- author = {A. Trybulec},
- title = {Some Features of the {Mizar} Language},
- note = {Presented at a workshop in Turin, Italy},
- year = 1993
-}
-
-%V
-
-@Unpublished{voelker94,
- author = {Norbert V{\"o}lker},
- title = {The Verification of a Timer Program using {Isabelle/HOL}},
- url = {\url{ftp://ftp.fernuni-hagen.de/pub/fachb/et/dvt/projects/verification/timer.tar.gz}},
- year = 1994,
- month = aug}
-
-%W
-
-@inproceedings{wadler89how,
- author = {P. Wadler and S. Blott},
- title = {How to make ad-hoc polymorphism less ad-hoc},
- booktitle = {ACM Symp.\ Principles of Programming Languages},
- year = 1989
-}
-
-@phdthesis{weber-2008,
- author = "Tjark Weber",
- title = "SAT-Based Finite Model Generation for Higher-Order Logic",
- school = {Dept.\ of Informatics, T.U. M\"unchen},
- type = "{Ph.D.}\ thesis",
- year = 2008}
-
-@Misc{x-symbol,
- author = {Christoph Wedler},
- title = {Emacs package ``{X-Symbol}''},
- note = {\url{http://x-symbol.sourceforge.net}}
-}
-
-@misc{weidenbach-et-al-2009,
- author = "Christoph Weidenbach and Dilyana Dimova and Arnaud Fietzke and Rohit Kumar and Martin Suda and Patrick Wischnewski",
- title = "{SPASS} Version 3.5",
- note = {\url{http://www.spass-prover.org/publications/spass.pdf}}}
-
-@manual{isabelle-sys,
- author = {Markus Wenzel and Stefan Berghofer},
- title = {The {Isabelle} System Manual},
- institution = {TU Munich},
- note = {\url{http://isabelle.in.tum.de/doc/system.pdf}}}
-
-@manual{isabelle-isar-ref,
- author = {Makarius Wenzel},
- title = {The {Isabelle/Isar} Reference Manual},
- institution = {TU Munich},
- note = {\url{http://isabelle.in.tum.de/doc/isar-ref.pdf}}}
-
-@manual{isabelle-implementation,
- author = {Makarius Wenzel},
- title = {The {Isabelle/Isar} Implementation},
- institution = {TU Munich},
- note = {\url{http://isabelle.in.tum.de/doc/implementation.pdf}}}
-
-@InProceedings{Wenzel:1999:TPHOL,
- author = {Markus Wenzel},
- title = {{Isar} --- a Generic Interpretative Approach to Readable Formal Proof Documents},
- crossref = {tphols99}}
-
-@InProceedings{Wenzel:1997:TPHOL,
- author = {Markus Wenzel},
- title = {Type Classes and Overloading in Higher-Order Logic},
- crossref = {tphols97}}
-
-@phdthesis{Wenzel-PhD,
- author={Markus Wenzel},
- title={Isabelle/Isar --- a versatile environment for human-readable formal proof documents},
- school={Institut f{\"u}r Informatik, Technische Universit{\"a}t M{\"u}nchen},
- year=2002,
- note = {\url{http://tumb1.biblio.tu-muenchen.de/publ/diss/in/2002/wenzel.html}}}
-
-@Article{Wenzel-Wiedijk:2002,
- author = {Freek Wiedijk and Markus Wenzel},
- title = {A comparison of the mathematical proof languages {Mizar} and {Isar}.},
- journal = {Journal of Automated Reasoning},
- year = 2002,
- volume = 29,
- number = {3-4}
-}
-
-@InCollection{Wenzel-Paulson:2006,
- author = {Markus Wenzel and Lawrence C. Paulson},
- title = {{Isabelle/Isar}},
- booktitle = {The Seventeen Provers of the World},
- year = 2006,
- editor = {F. Wiedijk},
- series = {LNAI 3600}
-}
-
-@InCollection{Wenzel:2006:Festschrift,
- author = {Makarius Wenzel},
- title = {{Isabelle/Isar} --- a generic framework for human-readable proof documents},
- booktitle = {From Insight to Proof --- Festschrift in Honour of Andrzej Trybulec},
- publisher = {University of Bia{\l}ystok},
- year = 2007,
- editor = {R. Matuszewski and A. Zalewska},
- volume = {10(23)},
- series = {Studies in Logic, Grammar, and Rhetoric},
- note = {\url{http://www.in.tum.de/~wenzelm/papers/isar-framework.pdf}}
-}
-
-@InProceedings{Wenzel-Chaieb:2007b,
- author = {Makarius Wenzel and Amine Chaieb},
- title = {{SML} with antiquotations embedded into {Isabelle/Isar}},
- booktitle = {Workshop on Programming Languages for Mechanized Mathematics
- (satellite of CALCULEMUS 2007). Hagenberg, Austria},
- editor = {Jacques Carette and Freek Wiedijk},
- month = {June},
- year = {2007}
-}
-
-@InProceedings{Wenzel:2009,
- author = {M. Wenzel},
- title = {Parallel Proof Checking in {Isabelle/Isar}},
- booktitle = {ACM SIGSAM Workshop on Programming Languages for Mechanized Mathematics Systems (PLMMS 2009)},
- year = 2009,
- editor = {Dos Reis, G. and L. Th\'ery},
- publisher = {ACM Digital Library}}
-
-@book{principia,
- author = {A. N. Whitehead and B. Russell},
- title = {Principia Mathematica},
- year = 1962,
- publisher = CUP,
- note = {Paperback edition to *56,
- abridged from the 2nd edition (1927)}}
-
-@Misc{Wiedijk:1999:Mizar,
- author = {Freek Wiedijk},
- title = {Mizar: An Impression},
- howpublished = {Unpublished paper},
- year = 1999,
- note = {\url{http://www.cs.kun.nl/~freek/mizar/mizarintro.ps.gz}}
-}
-
-@Misc{Wiedijk:2000:MV,
- author = {Freek Wiedijk},
- title = {The Mathematical Vernacular},
- howpublished = {Unpublished paper},
- year = 2000,
- note = {\url{http://www.cs.kun.nl/~freek/notes/mv.ps.gz}}
-}
-
-@misc{wikipedia-2009-aa-trees,
- key = "Wikipedia",
- title = "Wikipedia: {AA} Tree",
- note = "\url{http://en.wikipedia.org/wiki/AA_tree}"}
-
-@book{winskel93,
- author = {Glynn Winskel},
- title = {The Formal Semantics of Programming Languages},
- publisher = MIT,year=1993}
-
-@InCollection{wos-bledsoe,
- author = {Larry Wos},
- title = {Automated Reasoning and {Bledsoe's} Dream for the Field},
- crossref = {bledsoe-fest},
- pages = {297-342}}
-
-@InProceedings{Zammit:1999:TPHOL,
- author = {Vincent Zammit},
- title = {On the Implementation of an Extensible Declarative Proof Language},
- crossref = {tphols99}}
-
-%Z
-
-@misc{z3,
- key = "Z3",
- title = "Z3: An Efficient {SMT} Solver",
- note = "\url{http://research.microsoft.com/en-us/um/redmond/projects/z3/}"}
-
-
-% CROSS REFERENCES
-
-@book{handbk-lics2,
- editor = {S. Abramsky and D. M. Gabbay and T. S. E. Maibaum},
- title = {Handbook of Logic in Computer Science},
- booktitle = {Handbook of Logic in Computer Science},
- publisher = {Oxford University Press},
- year = 1992,
- volume = 2}
-
-@book{types93,
- editor = {Henk Barendregt and Tobias Nipkow},
- title = TYPES # {: International Workshop {TYPES '93}},
- booktitle = TYPES # {: International Workshop {TYPES '93}},
- year = {published 1994},
- publisher = {Springer},
- series = {LNCS 806}}
-
-@book{barwise-handbk,
- editor = {J. Barwise},
- title = {Handbook of Mathematical Logic},
- booktitle = {Handbook of Mathematical Logic},
- year = 1977,
- publisher = NH}
-
-@Proceedings{tlca93,
- title = {Typed Lambda Calculi and Applications},
- booktitle = {Typed Lambda Calculi and Applications},
- editor = {M. Bezem and J.F. Groote},
- year = 1993,
- publisher = {Springer},
- series = {LNCS 664}}
-
-@book{birtwistle89,
- editor = {Graham Birtwistle and P. A. Subrahmanyam},
- title = {Current Trends in Hardware Verification and Automated
- Theorem Proving},
- booktitle = {Current Trends in Hardware Verification and Automated
- Theorem Proving},
- publisher = {Springer},
- year = 1989}
-
-@book{bledsoe-fest,
- title = {Automated Reasoning: Essays in Honor of {Woody Bledsoe}},
- booktitle = {Automated Reasoning: Essays in Honor of {Woody Bledsoe}},
- publisher = {Kluwer Academic Publishers},
- year = 1991,
- editor = {Robert S. Boyer}}
-
-@Proceedings{cade12,
- editor = {Alan Bundy},
- title = {Automated Deduction --- {CADE}-12
- International Conference},
- booktitle = {Automated Deduction --- {CADE}-12
- International Conference},
- year = 1994,
- series = {LNAI 814},
- publisher = {Springer}}
-
-@book{types94,
- editor = {Peter Dybjer and Bengt Nordstr{{\"o}m} and Jan Smith},
- title = TYPES # {: International Workshop {TYPES '94}},
- booktitle = TYPES # {: International Workshop {TYPES '94}},
- year = 1995,
- publisher = {Springer},
- series = {LNCS 996}}
-
-@book{huet-plotkin91,
- editor = {{G{\'e}rard} Huet and Gordon Plotkin},
- title = {Logical Frameworks},
- booktitle = {Logical Frameworks},
- publisher = CUP,
- year = 1991}
-
-@book{huet-plotkin93,
- editor = {{G{\'e}rard} Huet and Gordon Plotkin},
- title = {Logical Environments},
- booktitle = {Logical Environments},
- publisher = CUP,
- year = 1993}
-
-@Proceedings{hug93,
- editor = {J. Joyce and C. Seger},
- title = {Higher Order Logic Theorem Proving and Its
- Applications: HUG '93},
- booktitle = {Higher Order Logic Theorem Proving and Its
- Applications: HUG '93},
- year = {Published 1994},
- publisher = {Springer},
- series = {LNCS 780}}
-
-@proceedings{colog88,
- editor = {P. Martin-L{\"o}f and G. Mints},
- title = {COLOG-88: International Conference on Computer Logic},
- booktitle = {COLOG-88: International Conference on Computer Logic},
- year = {Published 1990},
- publisher = {Springer},
- organization = {Estonian Academy of Sciences},
- address = {Tallinn},
- series = {LNCS 417}}
-
-@book{odifreddi90,
- editor = {P. Odifreddi},
- title = {Logic and Computer Science},
- booktitle = {Logic and Computer Science},
- publisher = {Academic Press},
- year = 1990}
-
-@proceedings{extensions91,
- editor = {Peter Schroeder-Heister},
- title = {Extensions of Logic Programming},
- booktitle = {Extensions of Logic Programming},
- year = 1991,
- series = {LNAI 475},
- publisher = {Springer}}
-
-@proceedings{cade10,
- editor = {Mark E. Stickel},
- title = {10th } # CADE,
- booktitle = {10th } # CADE,
- year = 1990,
- publisher = {Springer},
- series = {LNAI 449}}
-
-@Proceedings{lics8,
- editor = {M. Vardi},
- title = {Eighth Annual Symposium on Logic in Computer Science},
- booktitle = {Eighth Annual Symposium on Logic in Computer Science},
- publisher = IEEE,
- year = 1993}
-
-@book{wos-fest,
- title = {Automated Reasoning and its Applications:
- Essays in Honor of {Larry Wos}},
- booktitle = {Automated Reasoning and its Applications:
- Essays in Honor of {Larry Wos}},
- publisher = MIT,
- year = 1997,
- editor = {Robert Veroff}}
-
-@proceedings{fme93,
- editor = {J. C. P. Woodcock and P. G. Larsen},
- title = {FME '93: Industrial-Strength Formal Methods},
- booktitle = {FME '93: Industrial-Strength Formal Methods},
- year = 1993,
- publisher = Springer,
- series = LNCS,
- volume = 670}
-
-@Proceedings{tphols96,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} '96},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '96},
- editor = {J. von Wright and J. Grundy and J. Harrison},
- publisher = Springer,
- series = LNCS,
- volume = 1125,
- year = 1996}
-
-@Proceedings{tphols97,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} '97},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '97},
- editor = {Elsa L. Gunter and Amy Felty},
- publisher = Springer,
- series = LNCS,
- volume = 1275,
- year = 1997}
-
-@Proceedings{tphols98,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} '98},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '98},
- editor = {Jim Grundy and Malcom Newey},
- publisher = Springer,
- series = LNCS,
- volume = 1479,
- year = 1998}
-
-@Proceedings{tphols99,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} '99},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '99},
- editor = {Bertot, Y. and Dowek, G. and Hirschowitz, A. and
- Paulin, C. and Thery, L.},
- publisher = Springer,
- series = LNCS,
- volume = 1690,
- year = 1999}
-
-@Proceedings{tphols2000,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2000},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2000},
- editor = {J. Harrison and M. Aagaard},
- publisher = Springer,
- series = LNCS,
- volume = 1869,
- year = 2000}
-
-@Proceedings{tphols2001,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
- editor = {R. J. Boulton and P. B. Jackson},
- publisher = Springer,
- series = LNCS,
- volume = 2152,
- year = 2001}
-
-@Proceedings{ijcar2006,
- title = {Automated Reasoning: {IJCAR} 2006},
- booktitle = {Automated Reasoning: {IJCAR} 2006},
- editor = {U. Furbach and N. Shankar},
- publisher = Springer,
- series = LNCS,
- volume = 4130,
- year = 2006}
-
-@Proceedings{tphols2007,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2007},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2007},
- editor = {K. Schneider and J. Brandt},
- publisher = Springer,
- series = LNCS,
- volume = 4732,
- year = 2007}
-
-@Proceedings{tphols2008,
- title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2008},
- booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2008},
- publisher = Springer,
- series = LNCS,
- year = 2008}
-% editor =
-% volume = 4732,
-
-@Proceedings{itp2010,
- title = {Interactive Theorem Proving: {ITP}-10},
- booktitle = {Interactive Theorem Proving: {ITP}-10},
- editor = "Matt Kaufmann and Lawrence Paulson",
- publisher = Springer,
- series = LNCS,
- year = 2010}
-
-@unpublished{classes_modules,
- title = {{ML} Modules and {Haskell} Type Classes: A Constructive Comparison},
- author = {Stefan Wehr et. al.}
-}
--- a/doc-src/mathsing.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,950 +0,0 @@
-%% edited by LCP!!
-%% Modified page break penalties
-%% Commented out the change to \newlinechar
-%% Increased space in Contents and List of Figures
-%% Changed \thebibliography to the defn in llncs.sty
-%% Added ttbox
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% MATHSING.STY Version 1.1
-%
-% This LaTeX style option file contains necessary macros for writing
-% camera ready English single author math book manuscripts.
-%
-%
-% Usage:
-%
-% \documentstyle[12pt,mathsing]{book}
-% ...
-%
-% Change log:
-%
-% 90/11/04 pagestyle empty for first page of chapter
-% 90/11/04 distinct figure and table captions
-% 90/11/04 \small for captions and headings
-% 90/11/04 improved definition of theorem-like environments
-% 90/12/01 separation after chapter title changed to 5.1cm
-% 90/12/01 page size changed to 45x14.4+10pt=23.05cm
-% 90/12/01 references
-% 90/12/01 common counter for theorem-like environments
-% 90/12/02 table of contents
-% 90/12/02 final improvements and corrections
-% 90/12/26 two styles for equation numbers
-% 91/02/05 \numberlikebook and \numberlikearticle replace
-% \eqnbook and \eqnarticle
-% 91/10/07 \listoffigures, \listoftables made similar to
-% \tableofcontents,
-% running head of Index changed: Sachverzeichnis -> Index,
-% \newthe now uses \thechapter instead of \arabic{chapter}
-% 91/02/05 binding: \tablebook, \tablearticle
-% \figurebook, \figurearticle added
-% 91/10/07 holzwarth: \listoffigures, \listoftables
-% according to \tableofcontents,
-% \begin{theindex}
-% \newthe to produce correct numbers
-% 91/12/03 \chapter, \section, and \subsection now do not
-% hyphenate the headings any more
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% change the catcode of @ (allows names containing @ after \begin{document})
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\makeatletter
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% page layout and dimensions
-%
-% The following commands are redefined:
-%
-% \ps@headings (cf. BOOK.STY)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%
-% Layout
-%
-% Note: The following values do not apply for English Springer
-% books on phsics; use \baselineskip=14pt, \textwidth=13.8cm,
-% \textheight=640pt (=45x14pt+10pt=22.5cm) instead!
-%
-
-\baselineskip=14.4pt % LaTeX default
-
-\topmargin=0cm
-\textwidth=14.2cm % 1.2 x 11.833 cm
-\textheight=658pt % 45x14.4pt+10pt = 658pt = 23.0554cm
-%\textheight=23.2502cm % 1.2x19.3752cm=23.2502cm (first version)
-\oddsidemargin=0.7cm
-\evensidemargin=0.7cm
-\headsep=20pt % ?
-
-\parindent=7mm % 1.2 x 5.833mm
-
-\hfuzz=2pt % supress "overfull box" messages below 2pt
-
-\frenchspacing % no large blanks at the end of a sentence
-
-
-\tolerance=500
-
-\abovedisplayskip=3.6 mm plus7.2pt minus 4.8pt
-\belowdisplayskip=3.6 mm plus7.2pt minus 4.8pt
-\abovedisplayshortskip=0.0 mm plus7.2pt minus 2.4pt
-\belowdisplayshortskip=2.4 mm plus4.8pt minus 4.8pt
-
-%%LCP: were 0, 10000, 10000
-\predisplaypenalty=100 % penalties for page break
-\clubpenalty=400 %
-\widowpenalty=400 %
-
-
-%
-% running titles
-%
-
-% binding 5.2.91 \hspace changed to 1.0 cm | |
-% binding 5.2.91 dot deleted after \thesection |
-\def\ps@headings{
- \let\@mkboth\markboth
- \def\@oddfoot{}
- \def\@evenfoot{}
- \def\@evenhead{\rm\small\thepage\hspace{1.0cm}\leftmark\hfil\hbox{}}
- \def\@oddhead{\hbox{}\hfil\rm\small\rightmark\hspace{1.0cm}\thepage}
- \def\chaptermark##1{\markboth
- {\ifnum \c@secnumdepth >\m@ne \thechapter.\ \fi ##1}{}}
-%hier punkt raus. binding |
- \def\sectionmark##1{\markright
- {\ifnum \c@secnumdepth >\z@ \thesection\ \fi ##1}}
- }
-
-\pagestyle{headings}
-
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Chapters and Sections
-%
-% The following commands are redefined:
-%
-% \@makechapterhead (cf. BK12.STY)
-% \@makeschapterhead (cf. BK12.STY)
-% \chapter (cf. BK12.STY)
-% \@sect (cf. LATEX.TEX)
-% \section (cf. BK12.STY)
-% \subsection (cf. BK12.STY)
-% \subsubsection (cf. BK12.STY)
-% \paragraph (cf. BK12.STY)
-% \subparagraph (cf. BK12.STY)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%
-% number of numbered section levels
-%
-
-\setcounter{secnumdepth}{3}
-
-
-%
-% Adapt the font size for chapter titles and supress printing of
-% the word "chapter"
-%
-
-\def\@makechapterhead#1{ { \parindent 0pt \raggedright
-% \pretolerance added 12/3/91 fuh
-{\pretolerance=10000\Large \bf \thechapter.\hspace{0.3cm}#1\par}%
- \nobreak \vskip 4cm \vskip\baselineskip} }
-
-\def\@makeschapterhead#1{ { \parindent 0pt \raggedright
-% \pretolerance added 12/3/91 fuh
- \pretolerance=10000\Large \bf #1\par
- \nobreak \vskip 4cm \vskip\baselineskip} }
-
-%
-% define pagestyle=empty for first page of a chapter
-%
-
-\def\chapter{\cleardoublepage \thispagestyle{empty} \global\@topnum\z@
-\@afterindentfalse \secdef\@chapter\@schapter}
-
-%
-% Change the distance between section number and title from 1em to 2mm
-% binding: changed again to 1en=0.5em | 5.2.91
-%
-
-\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
- \def\@svsec{}\else
- \refstepcounter{#1}%
- \edef\@svsec{\csname the#1\endcsname\hskip 0.5em }\fi
- \@tempskipa #5\relax
- \ifdim \@tempskipa>\z@
- \begingroup #6\relax
-% changed by Binding :) 20.3.91
-% old: \@hangfrom{\hskip #3\relax\@svsec}{\interlinepenalty \@M #8\par}
-% \@hangfrom deleted to avoid hanging indentation \noindent added
- {\noindent\hskip #3\relax\@svsec}%
- {\interlinepenalty \@M #8\par}
- \endgroup
- \csname #1mark\endcsname{#7}\addcontentsline
- {toc}{#1}{\ifnum #2>\c@secnumdepth \else
- \protect\numberline{\csname the#1\endcsname}\fi
- #7}\else
- \def\@svsechd{#6\hskip #3\@svsec #8\csname #1mark\endcsname
- {#7}\addcontentsline
- {toc}{#1}{\ifnum #2>\c@secnumdepth \else
- \protect\numberline{\csname the#1\endcsname}\fi
- #7}}\fi
- \@xsect{#5}}
-
-
-%
-% Font size for section titles;
-% Increased vertical space before and after sections, subsections
-% and subsubsections by 1ex; run-in headings starting with subsubsection
-%
-% (\@startsection{NAME}{LEVEL}{INDENT}{BEFORESKIP}{AFTERSKIP}{STYLE})
-%
-
-%binding, 18.3.91: \boldmath inserted
-\def\section{\@startsection{section}{1}{\z@}{
- -4.50ex plus -1ex minus -.2ex}{3.3ex plus .2ex}
- {\large\bf\boldmath\raggedright\pretolerance=10000}}
-% \raggedright and \pretolerance added 12/3/91 fuh
-\def\subsection{\@startsection{subsection}{2}{\z@}{
- -4.25ex plus -1ex minus -.2ex}{2.5ex plus .2ex}
- {\normalsize\bf\boldmath\raggedright\pretolerance=10000}}
-% \raggedright and \pretolerance added 12/3/91 fuh
-\def\subsubsection{\@startsection{subsubsection}{3}{\z@}{
- -3.25ex plus -1ex minus -.2ex}{-0.5em}
- {\normalsize\bf\boldmath}}
-\def\paragraph{\@startsection{paragraph}{4}{\z@}{
- -3.25ex plus -1ex minus -.2ex}{-0.5em}{\normalsize\it}}
-\def\subparagraph{\@startsection{subparagraph}{5}{\@}{
- -3.25ex plus -1ex minus -.2ex}{-0.5em}{\normalsize\it}}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%20.3.91, binding: \labelitemi changed
-\renewcommand{\labelitemi}{$\bullet$}
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Tables
-%
-% Change width of horizontal and vertical lines in arrays and tables
-%
-% The following commands are redefined:
-%
-% \arrayrulewidth
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\arrayrulewidth0.15mm
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Figure and table captions (small)
-%
-% To meet the different requirements for table and figure captions
-% new macros \@makefigurecaption and \@maketablecaption are introduced
-% in addition to \@makecaption (cf. BOOK.STY). The \@caption macro is
-% changed to check for figures and tables.
-%
-% The following commands are redefined:
-%
-% \@caption (cf. LATEX.TEX)
-% \fnum@figure (cf. BOOK.STY)
-% \fnum@table (cf. BOOK.STY)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\long\def\@caption#1[#2]#3{\addcontentsline{\csname
- ext@#1\endcsname}{#1}{\protect\numberline{\csname
- the#1\endcsname}{\ignorespaces #2}}\par
- \begingroup
- \@parboxrestore
- \normalsize
- \csname @make#1caption\endcsname
- {\csname fnum@#1\endcsname}{\ignorespaces #3}\par
- \endgroup}
-
-\long\def\@makefigurecaption#1#2{
- \vskip 10pt % skip between figure and caption
- {\small % required here for correct \baselineskip !
- \setbox\@tempboxa\hbox{\small{\bf#1}#2}
- \ifdim \wd\@tempboxa >\hsize
- \unhbox\@tempboxa\par
- \else
- \hbox to\hsize{\hfil\box\@tempboxa\hfil} % centered short caption !
- \fi}
- \vskip 10pt} % additional space between caption and text
-
-\long\def\@maketablecaption#1#2{
- \vskip 10pt % additional space between text and caption
- {\small % required here for correct \baselineskip !
- \setbox\@tempboxa\hbox{\small{\bf#1}#2}
- \ifdim \wd\@tempboxa >\hsize
- \unhbox\@tempboxa\par
- \else \hbox to\hsize{\box\@tempboxa\hfil} % leftadjusted short caption !
- \fi}
- \vskip 10pt} % skip between caption and table
-
-\def\fnum@figure{Fig.$\,$\thefigure.$\;$}
-\def\fnum@table{Table$\,$\thetable.$\;$}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Distance between text and floatings (tables, figures)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\floatsep 14pt plus 2pt minus 4pt % LaTeX defaults values
-\textfloatsep 20pt plus 2pt minus 4pt %
-\intextsep 14pt plus 4pt minus 4pt %
-\@maxsep 20pt %
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Table of contents
-%
-% The following commands are redefined:
-%
-% \l@chapter (cf. LATEX.STY)
-% \tableofcontents
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%
-% lowest level for table of contents entries
-%
-\setcounter{tocdepth}{3}
-
-%
-% dotted line for chapters in table of contents
-% (cf. definition of \@dottedline in LATEX.STY)
-%
-\def\l@chapter#1#2{\pagebreak[3]
- \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup
- \parindent \z@ \rightskip \@pnumwidth
- \parfillskip -\@pnumwidth
- \rm \leavevmode #1
- \nobreak\leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern \@dotsep mu$}\hfill
- \nobreak
- \hbox to\@pnumwidth{\hss \rm #2}\par
- \endgroup}
-
-%copied from book.sty to leave room for 12.11, etc. -- Frank Holzwarth via LCP
-\def\l@section{\@dottedtocline{1}{1.5em}{2.8em}}
-\def\l@figure{\@dottedtocline{1}{1.5em}{2.8em}}
-
-%
-% Adaption of \tableofcontents (title,headings,pagenumber)
-%
-
-\def\tableofcontents{
- \@restonecolfalse
- \if@twocolumn\@restonecoltrue\onecolumn\fi
- \chapter*{Table of Contents}
- \markboth{Table of Contents}{Table of Contents} % headline
- \renewcommand{\thepage}{\Roman{page}} % roman page number
- \@starttoc{toc}\if@restonecol\twocolumn\fi}
-
-%%%%%%%% added 91/10/07 fuh %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% List of figures
-%
-% The following commands are redefined:
-%
-% \listoffigures
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-\def\listoffigures{
- \@restonecolfalse
- \if@twocolumn\@restonecoltrue\onecolumn\fi
- \chapter*{List of Figures}
- \markboth{List of Figures}{List of Figures} % headline
- \renewcommand{\thepage}{\Roman{page}} % roman page number
- \@starttoc{lof}\if@restonecol\twocolumn\fi}
-
-%%%%%%%% added 91/10/07 fuh %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% List of tables
-%
-% The following commands are redefined:
-%
-% \listoftables
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-\def\listoftables{
- \@restonecolfalse
- \if@twocolumn\@restonecoltrue\onecolumn\fi
- \chapter*{List of Tables}
- \markboth{List of Tables}{List of Tables} % headline
- \renewcommand{\thepage}{\Roman{page}} % roman page number
- \@starttoc{lot}\if@restonecol\twocolumn\fi}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Index (with table of contents entry)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\theindex{ \cleardoublepage
- \small
- \columnseprule \z@
- \columnsep=0.84cm
- \twocolumn[\@makeschapterhead{Index}]
- \addcontentsline{toc}{chapter}{Index}
- \@mkboth{Index}{Index}
- \thispagestyle{plain}\parindent\z@
- \parskip\z@ plus .3pt\relax\let\item\@idxitem}
-\def\@idxitem{\par\hangindent 15pt}
-\def\subitem{\par\hangindent 15pt -- }
-\def\endtheindex{\clearpage}
-\def\indexspace{\par \vskip 10pt plus 5pt minus 3pt\relax}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% References (Bibliography)
-%
-% Macros for creating a list of references in small print using LaTeX
-% defaults or some special Springer commands.
-%
-% Usage:
-%
-% \begin{thebibliography}{wide-label} % LaTeX standard macros
-% \bibitem[label]{name} ... text ...
-% \bibitem[label]{name} ... text ...
-% \end{thebibliography}
-%
-% or
-%
-% \begin{references}{wide-label} % Springer macros
-% \refer ... text ...
-% \refno{no.} ... text ...
-% \refmark{[label]} ... text ...
-% \end{references}
-%
-% New commands:
-%
-% \refchapter starts an unnumbered chapter "References"; small font
-% \refer unlabeled item with hanging indentation
-% \refno right adjusted label (for numbers)
-% \refmark left adjusted label (for text labels)
-%
-% Changed commands
-%
-% \thebibliography (BOOK.STY) (further edit by LCP!)
-% \endthebibliography (BOOK.STY)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\refchapter{\chapter*{References}
-\parindent0pt\parskip0pt\small
-\addcontentsline{toc}{chapter}{References}
-\markboth{References}{References}}
-
-
-\def\thebibliography#1{\refchapter\small\list
- {\arabic{enumi}.}{\settowidth\labelwidth{#1.}\leftmargin\labelwidth
- \advance\leftmargin\labelsep
- \usecounter{enumi}}
- \def\newblock{\hskip .11em plus .33em minus -.07em}
- \sloppy
- \sfcode`\.=1000\relax}
-\let\endthebibliography=\endlist
-
-
-\newenvironment{references}[1]{\refchapter
- \settowidth\labelwidth{#1\enspace}
- \begingroup}{\endgraf\endgroup}
-%
-% The following macros are from REFER.TEX.
-% \refindent is replaced by the predefined dimension \labelwidth
-% that is also used by \thebibliography; \ref is replaced by \refer
-% since \ref is already used for referencing lables!
-
-%%%\newlinechar=`\|
-
-% \refer produces ordinary entries, successive line are indented 1em
-\def\refer{\goodbreak\hangindent1em\hangafter=1\noindent\ignorespaces}
-
-% \refno produces entries with right-aligned marks in the margin
-\def\refno#1{\goodbreak
-\setbox0=\hbox{#1\enspace}\ifdim\labelwidth<\wd0\relax
-\message{|Your reference `#1' is wider than you pretended in using
-\string\begref.}\fi
-\hangindent\labelwidth\hangafter=1\noindent
-\kern\labelwidth\llap{#1\enspace}\ignorespaces}
-
-% \refmark produces entries with left-aligned marks in the margin
-\def\refmark#1{\goodbreak
-\setbox0=\hbox{#1\enspace}\ifdim\labelwidth<\wd0\relax
-\message{|Your reference `#1' is wider than you pretended in using
-\string\begref.}\fi
-\hangindent\labelwidth\hangafter=1\noindent
-\hbox to\labelwidth{#1\hss}\ignorespaces}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% New environments
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-%
-% The following lines define a new environment 'listing'
-%
-% \begin{listing}
-% ...
-% \end{listing}
-%
-% that prints listings using \footnotesize and takes care to reset
-% the \baselineskip. The macro definition is based on ALLTT.STY that
-% allows various TEX commands to be given within the environment
-% (e.g. '\input', '\index' or '\it'). '%' has been retained as a special
-% character within 'listing', however, to avoid unwanted line breaks.
-%
-%
-
-\def\docspecials{\do\ \do\$\do\&%
- \do\#\do\^\do\^^K\do\_\do\^^A\do\~}
-
-\newdimen\oldbaselineskip
-\def\listing{\par\noindent\oldbaselineskip=\baselineskip \footnotesize%
-\trivlist \item[]\if@minipage\else\vskip\parskip\fi
-\leftskip\@totalleftmargin\rightskip\z@
-\parindent\z@\parfillskip\@flushglue\parskip\z@
-\@tempswafalse \def\par{\if@tempswa\hbox{}\fi\@tempswatrue\@@par}
-\obeylines \tt \catcode``=13 \@noligs \let\do\@makeother \docspecials
- \frenchspacing\@vobeyspaces}
-
-\def\endlisting{\endtrivlist\baselineskip=\oldbaselineskip}
-
-%Add ttbox to Springer's macros!! - LCP
-%now redefines \{ and \}
-\newenvironment{ttbox}{\par\nobreak\vskip-2pt%
- \vbox\bgroup\begin{listing}\chardef\{=`\{\chardef\}=`\}%
- \leftskip\leftmargini}%
- {\end{listing}\egroup\vskip-7pt\@endparenv}
-\newcommand\ttbreak{\end{ttbox}\goodbreak\vskip-8pt plus 3pt\begin{ttbox}}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Acknowledgements ( = acknow.tex)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\ack#1{\vskip11pt\begingroup\noindent{\it Acknowledgements\/}.
-\ignorespaces#1\vskip6pt\endgroup}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Definition of versal greek letters ( = ucgreek.tex)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\mathchardef\Gamma="0100
-\mathchardef\Delta="0101
-\mathchardef\Theta="0102
-\mathchardef\Lambda="0103
-\mathchardef\Xi="0104
-\mathchardef\Pi="0105
-\mathchardef\Sigma="0106
-\mathchardef\Upsilon="0107
-\mathchardef\Phi="0108
-\mathchardef\Psi="0109
-\mathchardef\Omega="010A
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Vectors ( = vector.tex)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% This is vector.tex
-% it redefines the plain TeX \vec command
-% to produce bold characters
-%
-\def\vec#1{\ifmmode
-\mathchoice{\mbox{\boldmath$\displaystyle\bf#1$}}
-{\mbox{\boldmath$\textstyle\bf#1$}}
-{\mbox{\boldmath$\scriptstyle\bf#1$}}
-{\mbox{\boldmath$\scriptscriptstyle\bf#1$}}\else
-{\mbox{\boldmath$\bf#1$}}\fi}
-%
-%\def\vec#1{{\textfont0=\tenbf\scriptfont0=\sevenbf
-%\scriptscriptfont0=\fivebf
-%\textfont1=\tenbf\scriptfont1=\sevenbf
-%\scriptscriptfont1=\fivebf
-%\ifmmode % supply all varieties of math sizes
-% \mathchoice{\hbox{$\displaystyle#1$}}{\hbox{$\textstyle#1$}}
-% {\hbox{$\scriptstyle#1$}}{\hbox{$\scriptscriptstyle#1$}}
-%\else\hbox{$#1$}\fi}}
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Symbols ( = symbols.tex )
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% This is symbols.tex
-% the symbols not available in plain TeX are constructed
-% by overprinting some characters
-
-\def\sun{{\hbox{$\odot$}}}
-\def\la{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
-\noalign{\vskip1.0pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
-\noalign{\vskip0.5pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil
-\cr<\cr\noalign{\vskip0.5pt}\sim\cr}}}}}
-\def\ga{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
-\noalign{\vskip1.0pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
-\noalign{\vskip0.5pt}\sim\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil
-\cr>\cr\noalign{\vskip0.5pt}\sim\cr}}}}}
-\def\sq{\hbox{\rlap{$\sqcap$}$\sqcup$}}
-\def\degr{\hbox{$^\circ$}}
-\def\arcmin{\hbox{$^\prime$}}
-\def\arcsec{\hbox{$^{\prime\prime}$}}
-\def\utw{\smash{\rlap{\lower5pt\hbox{$\sim$}}}}
-\def\udtw{\smash{\rlap{\lower6pt\hbox{$\approx$}}}}
-\def\fd{\hbox{$.\!\!^{\rm d}$}}
-\def\fh{\hbox{$.\!\!^{\rm h}$}}
-\def\fm{\hbox{$.\!\!^{\rm m}$}}
-\def\fs{\hbox{$.\!\!^{\rm s}$}}
-\def\fdg{\hbox{$.\!\!^\circ$}}
-\def\farcm{\hbox{$.\mkern-4mu^\prime$}}
-\def\farcs{\hbox{$.\!\!^{\prime\prime}$}}
-\def\fp{\hbox{$.\!\!^{\scriptscriptstyle\rm p}$}}
-\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
-\halign{\hfil$\displaystyle##$\hfil\cr\gets\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
-\gets\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
-\gets\cr\to\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-\gets\cr\to\cr}}}}}
-\def\cor{\mathrel{\mathchoice {\hbox{$\widehat=$}}{\hbox{$\widehat=$}}
-{\hbox{$\scriptstyle\hat=$}}
-{\hbox{$\scriptscriptstyle\hat=$}}}}
-\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1.5pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
->\cr\noalign{\vskip-1.5pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
->\cr\noalign{\vskip-1pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr\noalign{\vskip-0.5pt}<\cr}}}}}
-\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
-\noalign{\vskip1pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
-\noalign{\vskip0.5pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-<\cr\noalign{\vskip0.5pt}=\cr}}}}}
-\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
-\noalign{\vskip1pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
-\noalign{\vskip0.5pt}=\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr\noalign{\vskip0.5pt}=\cr}}}}}
-\def\sol{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr\sim\cr\noalign{\vskip-0.2mm}<\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\textstyle##$\hfil\cr\sim\cr<\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptstyle##$\hfil\cr\sim\cr<\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptscriptstyle##$\hfil\cr\sim\cr<\cr}}}}}
-\def\sog{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr\sim\cr\noalign{\vskip-0.2mm}>\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\textstyle##$\hfil\cr\sim\cr>\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptstyle##$\hfil\cr\sim\cr>\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptscriptstyle##$\hfil\cr\sim\cr>\cr}}}}}
-\def\lse{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
-\noalign{\vskip1pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
-\noalign{\vskip0.5pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptscriptstyle##$\hfil\cr<\cr
-\noalign{\vskip0.5pt}\simeq\cr}}}}}
-\def\gse{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
-\noalign{\vskip1.0pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
-\noalign{\vskip0.5pt}\simeq\cr}}}
-{\vcenter{\offinterlineskip
-\halign{\hfil$\scriptscriptstyle##$\hfil\cr>\cr
-\noalign{\vskip0.5pt}\simeq\cr}}}}}
-\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1.5pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
->\cr\noalign{\vskip-1.5pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
->\cr\noalign{\vskip-1pt}<\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr\noalign{\vskip-0.5pt}<\cr}}}}}
-\def\leogr{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip-1.5pt}>\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
-<\cr\noalign{\vskip-1.5pt}>\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
-<\cr\noalign{\vskip-1pt}>\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-<\cr\noalign{\vskip-0.5pt}>\cr}}}}}
-\def\loa{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
-\noalign{\vskip1.0pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
-\noalign{\vskip0.5pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
-<\cr\noalign{\vskip0.5pt}\approx\cr}}}}}
-\def\goa{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
-$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
-\noalign{\vskip1.0pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
-\noalign{\vskip0.5pt}\approx\cr}}}
-{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
->\cr\noalign{\vskip0.5pt}\approx\cr}}}}}
-\def\bbbr{{\rm I\!R}} %reelle Zahlen
-\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
-\def\bbbm{{\rm I\!M}}
-\def\bbbh{{\rm I\!H}}
-\def\bbbf{{\rm I\!F}}
-\def\bbbk{{\rm I\!K}}
-\def\bbbp{{\rm I\!P}}
-\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
-{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
-\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
-to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
-to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
-to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
-to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}}
-\def\bbbe{{\mathchoice {\setbox0=\hbox{\smalletextfont e}\hbox{\raise
-0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.3pt
-height0.7\ht0\hss}\box0}}
-{\setbox0=\hbox{\smalletextfont e}\hbox{\raise
-0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.3pt
-height0.7\ht0\hss}\box0}}
-{\setbox0=\hbox{\smallescriptfont e}\hbox{\raise
-0.1\ht0\hbox to0pt{\kern0.5\wd0\vrule width0.2pt
-height0.7\ht0\hss}\box0}}
-{\setbox0=\hbox{\smallescriptscriptfont e}\hbox{\raise
-0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.2pt
-height0.7\ht0\hss}\box0}}}}
-\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
-0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}}
-\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
-T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
-to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
-to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
-to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}}
-\def\bbbs{{\mathchoice
-{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
-to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
-{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
-to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox
-to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
-to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}}
-{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
-to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
-to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}}
-
-%
-% note: changed \sans to \sf for LaTeX
-%
-
-\def\bbbz{{\mathchoice {\hbox{$\sf\textstyle Z\kern-0.4em Z$}}
-{\hbox{$\sf\textstyle Z\kern-0.4em Z$}}
-{\hbox{$\sf\scriptstyle Z\kern-0.3em Z$}}
-{\hbox{$\sf\scriptscriptstyle Z\kern-0.2em Z$}}}}
-
-\def\diameter{{\ifmmode\oslash\else$\oslash$\fi}}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% petit (substitute for petit.tex)
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-\newenvironment{petit}{\vskip6pt\begingroup\small}{\endgroup\vskip6pt}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% New environments
-%
-% lemma, proposition, theorem, corollary (\bf,\it) (numbered)
-% exercise, problem, solution, definition (\bf,\rm)
-% 27.3.91 binding: example, note and question changed to (\bf, \rm)
-%
-% lemma*, proposition*, theorem*, corollary* (\bf,\it) (unnumbered)
-% exercise*, problem*, solution*, definition* (\bf,\rm)
-% example*, note*, question* (\it,\rm)
-%
-% remark, proof (\it,\rm) (unnumbered)
-%
-% usage: \begin{lemma} or \begin{lemma}[COMMENT]
-% ... ...
-% \end{lemma} \end{lemma}
-%
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-% currently one counter is used for all theorem like environments
-
-\newcounter{lemmacount}[chapter]
-\renewcommand{\thelemmacount}{\thechapter.\arabic{lemmacount}}
-
-
-%
-% short form for defininng new theorem like environments:
-% \newthe{NAME}{NAME*}{TITLE}{COUNTER}{FONT1}{FONT2}
-%
-\def\@@begthe#1{\@ifnextchar[{\@optbegthe#1}{\@begthe#1}}
-%27.3.91 binding: dot deleted
-%def\@begthe#1{. #1} old
-\def\@begthe#1{ #1}
-\def\@optbegthe#1[#2]{ {#2} #1}
-\newcommand{\newthe}[6]{
- \def\nlni{\par\ifvmode\removelastskip\fi\vskip\baselineskip\noindent}
- \def\xxxend{\endgroup\vskip\baselineskip}
- \newenvironment{#1}{\nlni\begingroup\refstepcounter{#4}#5#3
-%changed 91/10/7 fuh:\arabic{chapter}.\arabic{#4}\@@begthe{#6}}{\xxxend}
- \thechapter.\arabic{#4}\@@begthe{#6}}{\xxxend}
- \newenvironment{#2}{\nlni\begingroup#5#3\@@begthe{#6}}{\xxxend}}
-
-
-% Lemma, Proposition, Theorem, Corollary (\bf,\it)
-
-\newthe{lemma}{lemma*}{Lemma}{lemmacount}{\bf}{\it}
-\newthe{proposition}{proposition*}{Proposition}{lemmacount}{\bf}{\it}
-\newthe{theorem}{theorem*}{Theorem}{lemmacount}{\bf}{\it}
-\newthe{corollary}{corollary*}{Corollary}{lemmacount}{\bf}{\it}
-
-
-% Exercise, Problem, Solution, Definition (\bf,\rm)
-
-\newthe{exercise}{exercise*}{exercise}{lemmacount}{\bf}{\it}
-\newthe{problem}{problem*}{Problem}{lemmacount}{\bf}{\it}
-\newthe{solution}{solution*}{Solution}{lemmacount}{\bf}{\it}
-\newthe{definition}{definition*}{Definition}{lemmacount}{\bf}{\it}
-
-
-% Example, Note, Question (\bf,\rm)
-
-\newthe{example}{example*}{Example}{lemmacount}{\bf}{\rm}
-\newthe{note}{note*}{Note}{lemmacount}{\bf}{\rm}
-\newthe{question}{question*}{Question}{lemmacount}{\bf}{\rm}
-
-
-% Remark, Proof
-
-\newenvironment{remark}{\nlni\begingroup\it Remark. \rm}{
- \endgroup\vskip\baselineskip}
-\newenvironment{proof}{\nlni\begingroup\it Proof. \rm}{
- \endgroup\vskip\baselineskip}
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% qed
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\qed{\ifmmode\sq\else{\unskip\nobreak\hfil
-\penalty50\hskip1em\null\nobreak\hfil\sq
-\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% \eqnarticle simple equation numbers without chapter number
-% \eqnbook structured equation numbers (default)
-% changed by binding 5.2.91: changed to \numberlikearticle and
-% \numberlikebook, changing numbering of
-% figures and tables also.
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\def\numberlikearticle{\global\def\theequation{\arabic{equation}}
-\global\def\thetable{\arabic{table}}
-\global\def\thefigure{\arabic{figure}}}
-\def\numberlikebook{\global\def\theequation{\thechapter.\arabic{equation}}
-\global\def\thetable{\thechapter.\arabic{table}}
-\global\def\thefigure{\thechapter.\arabic{figure}}}
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% Redeclaration of \makeatletter; no @-expressions may be used from now on
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\makeatother
-
-
-
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-%
-% End of MATHSING.STY
-%
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-
-
--- a/doc-src/more_antiquote.ML Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,50 +0,0 @@
-(* Title: doc-src/more_antiquote.ML
- Author: Florian Haftmann, TU Muenchen
-
-More antiquotations.
-*)
-
-signature MORE_ANTIQUOTE =
-sig
- val setup: theory -> theory
-end;
-
-structure More_Antiquote : MORE_ANTIQUOTE =
-struct
-
-(* code theorem antiquotation *)
-
-local
-
-fun pretty_term ctxt t = Syntax.pretty_term (Variable.auto_fixes t ctxt) t;
-
-fun pretty_thm ctxt = pretty_term ctxt o Thm.full_prop_of;
-
-fun no_vars ctxt thm =
- let
- val ctxt' = Variable.set_body false ctxt;
- val ((_, [thm]), _) = Variable.import true [thm] ctxt';
- in thm end;
-
-fun pretty_code_thm src ctxt raw_const =
- let
- val thy = Proof_Context.theory_of ctxt;
- val const = Code.check_const thy raw_const;
- val (_, eqngr) = Code_Preproc.obtain true thy [const] [];
- fun holize thm = @{thm meta_eq_to_obj_eq} OF [thm];
- val thms = Code_Preproc.cert eqngr const
- |> Code.equations_of_cert thy
- |> snd
- |> map_filter (fn (_, (some_thm, proper)) => if proper then some_thm else NONE)
- |> map (holize o no_vars ctxt o AxClass.overload thy);
- in Thy_Output.output ctxt (Thy_Output.maybe_pretty_source pretty_thm ctxt src thms) end;
-
-in
-
-val setup =
- Thy_Output.antiquotation @{binding code_thms} Args.term
- (fn {source, context, ...} => pretty_code_thm source context);
-
-end;
-
-end;
--- a/doc-src/pdfsetup.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,27 +0,0 @@
-%%
-%% hyperref setup -- special version for Isabelle documentation
-%%
-
-\usepackage{ifpdf}
-
-\usepackage{color}
-\definecolor{linkcolor}{rgb}{0,0,0}
-\usepackage[colorlinks=true,linkcolor=linkcolor,citecolor=linkcolor,filecolor=linkcolor,pagecolor=linkcolor,urlcolor=linkcolor,pdfpagelabels]{hyperref}
-
-\newcommand{\hfootref}[2]{\href{#1}{#2}\footnote{\url{#1}}}
-\gdef\fnote#1{\hyperpage{#1}n}
-\gdef\bold#1{\textbf{\hyperpage{#1}}}
-
-\urlstyle{rm}
-\ifpdf\relax\else\renewcommand{\url}[1]{\nolinkurl{#1}}\fi
-
-\def\isaliteral#1#2{#2}
-\def\isanil{}
-
-%experimental treatment of replacement text
-\iffalse
-\ifnum\pdfminorversion<5\pdfminorversion=5\fi
-\renewcommand{\isaliteral}[2]{%
-\pdfliteral direct{/Span <</ActualText<#1>>> BDC}#2\pdfliteral direct{EMC}}
-\renewcommand{\isanil}{{\color{white}.}}
-\fi
--- a/doc-src/preface.tex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,143 +0,0 @@
-\chapter*{Preface}
-\markboth{Preface}{Preface} %or Preface ?
-%%\addcontentsline{toc}{chapter}{Preface}
-
-Most theorem provers support a fixed logic, such as first-order or
-equational logic. They bring sophisticated proof procedures to bear upon
-the conjectured formula. The resolution prover Otter~\cite{wos-bledsoe} is
-an impressive example.
-
-{\sc alf}~\cite{alf}, Coq~\cite{coq} and Nuprl~\cite{constable86} each
-support a fixed logic too. These are higher-order type theories,
-explicitly concerned with computation and capable of expressing
-developments in constructive mathematics. They are far removed from
-classical first-order logic.
-
-A diverse collection of logics --- type theories, process calculi,
-$\lambda$-calculi --- may be found in the Computer Science literature.
-Such logics require proof support. Few proof procedures are known for
-them, but the theorem prover can at least automate routine steps.
-
-A {\bf generic} theorem prover is one that supports a variety of logics.
-Some generic provers are noteworthy for their user interfaces
-\cite{dawson90,mural,sawamura92}. Most of them work by implementing a
-syntactic framework that can express typical inference rules. Isabelle's
-distinctive feature is its representation of logics within a fragment of
-higher-order logic, called the meta-logic. The proof theory of
-higher-order logic may be used to demonstrate that the representation is
-correct~\cite{paulson89}. The approach has much in common with the
-Edinburgh Logical Framework~\cite{harper-jacm} and with
-Felty's~\cite{felty93} use of $\lambda$Prolog to implement logics.
-
-An inference rule in Isabelle is a generalized Horn clause. Rules are
-joined to make proofs by resolving such clauses. Logical variables in
-goals can be instantiated incrementally. But Isabelle is not a resolution
-theorem prover like Otter. Isabelle's clauses are drawn from a richer
-language and a fully automatic search would be impractical. Isabelle does
-not resolve clauses automatically, but under user direction. You can
-conduct single-step proofs, use Isabelle's built-in proof procedures, or
-develop new proof procedures using tactics and tacticals.
-
-Isabelle's meta-logic is higher-order, based on the simply typed
-$\lambda$-calculus. So resolution cannot use ordinary unification, but
-higher-order unification~\cite{huet75}. This complicated procedure gives
-Isabelle strong support for many logical formalisms involving variable
-binding.
-
-The diagram below illustrates some of the logics distributed with Isabelle.
-These include first-order logic (intuitionistic and classical), the sequent
-calculus, higher-order logic, Zermelo-Fraenkel set theory~\cite{suppes72},
-a version of Constructive Type Theory~\cite{nordstrom90}, several modal
-logics, and a Logic for Computable Functions~\cite{paulson87}. Several
-experimental logics are being developed, such as linear logic.
-
-\centerline{\epsfbox{gfx/Isa-logics.eps}}
-
-
-\section*{How to read this book}
-Isabelle is a complex system, but beginners can get by with a few commands
-and a basic knowledge of how Isabelle works. Some knowledge of
-Standard~\ML{} is essential because \ML{} is Isabelle's user interface.
-Advanced Isabelle theorem proving can involve writing \ML{} code, possibly
-with Isabelle's sources at hand. My book on~\ML{}~\cite{paulson91} covers
-much material connected with Isabelle, including a simple theorem prover.
-
-The Isabelle documentation is divided into three parts, which serve
-distinct purposes:
-\begin{itemize}
-\item {\em Introduction to Isabelle\/} describes the basic features of
- Isabelle. This part is intended to be read through. If you are
- impatient to get started, you might skip the first chapter, which
- describes Isabelle's meta-logic in some detail. The other chapters
- present on-line sessions of increasing difficulty. It also explains how
- to derive rules define theories, and concludes with an extended example:
- a Prolog interpreter.
-
-\item {\em The Isabelle Reference Manual\/} provides detailed information
- about Isabelle's facilities, excluding the object-logics. This part
- would make boring reading, though browsing might be useful. Mostly you
- should use it to locate facts quickly.
-
-\item {\em Isabelle's Object-Logics\/} describes the various logics
- distributed with Isabelle. The chapters are intended for reference only;
- they overlap somewhat so that each chapter can be read in isolation.
-\end{itemize}
-This book should not be read from start to finish. Instead you might read
-a couple of chapters from {\em Introduction to Isabelle}, then try some
-examples referring to the other parts, return to the {\em Introduction},
-and so forth. Starred sections discuss obscure matters and may be skipped
-on a first reading.
-
-
-
-\section*{Releases of Isabelle}
-Isabelle was first distributed in 1986. The 1987 version introduced a
-higher-order meta-logic with an improved treatment of quantifiers. The
-1988 version added limited polymorphism and support for natural deduction.
-The 1989 version included a parser and pretty printer generator. The 1992
-version introduced type classes, to support many-sorted and higher-order
-logics. The 1993 version provides greater support for theories and is
-much faster.
-
-Isabelle is still under development. Projects under consideration include
-better support for inductive definitions, some means of recording proofs, a
-graphical user interface, and developments in the standard object-logics.
-I hope but cannot promise to maintain upwards compatibility.
-
-Isabelle can be downloaded from .
-\begin{quote}
-{\tt http://www.cl.cam.ac.uk/Research/HVG/Isabelle/dist/}
-\end{quote}
-The electronic distribution list {\tt isabelle-users\at cl.cam.ac.uk}
-provides a forum for discussing problems and applications involving
-Isabelle. To join, send me a message via {\tt lcp\at cl.cam.ac.uk}.
-Please notify me of any errors you find in this book.
-
-\section*{Acknowledgements}
-Tobias Nipkow has made immense contributions to Isabelle, including the
-parser generator, type classes, the simplifier, and several object-logics.
-He also arranged for several of his students to help. Carsten Clasohm
-implemented the theory database; Markus Wenzel implemented macros; Sonia
-Mahjoub and Karin Nimmermann also contributed.
-
-Nipkow and his students wrote much of the documentation underlying this
-book. Nipkow wrote the first versions of \S\ref{sec:defining-theories},
-\S\ref{sec:ref-defining-theories}, Chap.\ts\ref{Defining-Logics},
-Chap.\ts\ref{simp-chap} and App.\ts\ref{app:TheorySyntax}\@. Carsten
-Clasohm contributed to Chap.\ts\ref{theories}. Markus Wenzel contributed
-to Chap.\ts\ref{chap:syntax}. Nipkow also provided the quotation at
-the front.
-
-David Aspinall, Sara Kalvala, Ina Kraan, Chris Owens, Zhenyu Qian, Norbert
-V{\"o}lker and Markus Wenzel suggested changes and corrections to the
-documentation.
-
-Martin Coen, Rajeev Gor\'e, Philippe de Groote and Philippe No\"el helped
-to develop Isabelle's standard object-logics. David Aspinall performed
-some useful research into theories and implemented an Isabelle Emacs mode.
-Isabelle was developed using Dave Matthews's Standard~{\sc ml} compiler,
-Poly/{\sc ml}.
-
-The research has been funded by numerous SERC grants dating from the Alvey
-programme (grants GR/E0355.7, GR/G53279, GR/H40570) and by ESPRIT (projects
-3245: Logical Frameworks and 6453: Types).
--- a/doc-src/prepare_document Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,16 +0,0 @@
-#!/bin/bash
-
-set -e
-
-FORMAT="$1"
-
-"$ISABELLE_TOOL" latex -o sty
-cp "$ISABELLE_HOME/doc-src/pdfsetup.sty" .
-
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-"$ISABELLE_TOOL" latex -o bbl
-[ -f root.idx ] && "$ISABELLE_HOME/doc-src/sedindex" root
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-[ -f root.out ] && "$ISABELLE_HOME/doc-src/fixbookmarks" root.out
-"$ISABELLE_TOOL" latex -o "$FORMAT"
-
--- a/doc-src/proof.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,272 +0,0 @@
-\ProvidesPackage{proof}[1995/05/22]
-% proof.sty (Proof Figure Macros)
-%
-% version 2.0
-% June 24, 1991
-% Copyright (C) 1990,1991 Makoto Tatsuta (tatsuta@riec.tohoku.ac.jp)
-%
-%Modified for LaTeX-2e by L. C. Paulson
-%
-% This program is free software; you can redistribute it or modify
-% it under the terms of the GNU General Public License as published by
-% the Free Software Foundation; either versions 1, or (at your option)
-% any later version.
-%
-% This program is distributed in the hope that it will be useful
-% but WITHOUT ANY WARRANTY; without even the implied warranty of
-% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-% GNU General Public License for more details.
-%
-% Usage:
-% In \documentstyle, specify an optional style `proof', say,
-% \documentstyle[proof]{article}.
-%
-% The following macros are available:
-%
-% In all the following macros, all the arguments such as
-% <Lowers> and <Uppers> are processed in math mode.
-%
-% \infer<Lower><Uppers>
-% draws an inference.
-%
-% Use & in <Uppers> to delimit upper formulae.
-% <Uppers> consists more than 0 formulae.
-%
-% \infer returns \hbox{ ... } or \vbox{ ... } and
-% sets \@LeftOffset and \@RightOffset globally.
-%
-% \infer[<Label>]<Lower><Uppers>
-% draws an inference labeled with <Label>.
-%
-% \infer*<Lower><Uppers>
-% draws a many step deduction.
-%
-% \infer*[<Label>]<Lower><Uppers>
-% draws a many step deduction labeled with <Label>.
-%
-% \infer=<Lower><Uppers>
-% draws a double-ruled deduction.
-%
-% \infer=[<Label>]<Lower><Uppers>
-% draws a double-ruled deduction labeled with <Label>.
-%
-% \deduce<Lower><Uppers>
-% draws an inference without a rule.
-%
-% \deduce[<Proof>]<Lower><Uppers>
-% draws a many step deduction with a proof name.
-%
-% Example:
-% If you want to write
-% B C
-% -----
-% A D
-% ----------
-% E
-% use
-% \infer{E}{
-% A
-% &
-% \infer{D}{B & C}
-% }
-%
-
-% Style Parameters
-
-\newdimen\inferLineSkip \inferLineSkip=2pt
-\newdimen\inferLabelSkip \inferLabelSkip=5pt
-\def\inferTabSkip{\quad}
-
-% Variables
-
-\newdimen\@LeftOffset % global
-\newdimen\@RightOffset % global
-\newdimen\@SavedLeftOffset % safe from users
-
-\newdimen\UpperWidth
-\newdimen\LowerWidth
-\newdimen\LowerHeight
-\newdimen\UpperLeftOffset
-\newdimen\UpperRightOffset
-\newdimen\UpperCenter
-\newdimen\LowerCenter
-\newdimen\UpperAdjust
-\newdimen\RuleAdjust
-\newdimen\LowerAdjust
-\newdimen\RuleWidth
-\newdimen\HLabelAdjust
-\newdimen\VLabelAdjust
-\newdimen\WidthAdjust
-
-\newbox\@UpperPart
-\newbox\@LowerPart
-\newbox\@LabelPart
-\newbox\ResultBox
-
-% Flags
-
-\newif\if@inferRule % whether \@infer draws a rule.
-\newif\if@DoubleRule % whether \@infer draws doulbe rules.
-\newif\if@ReturnLeftOffset % whether \@infer returns \@LeftOffset.
-\newif\if@MathSaved % whether inner math mode where \infer or
- % \deduce appears.
-
-% Special Fonts
-
-\def\DeduceSym{\vtop{\baselineskip4\p@ \lineskiplimit\z@
- \vbox{\hbox{.}\hbox{.}\hbox{.}}\hbox{.}}}
-
-% Math Save Macros
-%
-% \@SaveMath is called in the very begining of toplevel macros
-% which are \infer and \deduce.
-% \@RestoreMath is called in the very last before toplevel macros end.
-% Remark \infer and \deduce ends calling \@infer.
-%TEMPORARILY DELETED BY LCP DUE TO CONFLICT WITH CLASS "amsmath.sty"
-
-\def\@SaveMath{}
-
-\def\@RestoreMath{}
-
-% Macros
-
-\def\@ifEmpty#1#2#3{\def\@tempa{\@empty}\def\@tempb{#1}\relax
- \ifx \@tempa \@tempb #2\else #3\fi }
-
-\def\infer{\@SaveMath \@ifnextchar *{\@inferSteps}{\relax
- \@ifnextchar ={\@inferDoubleRule}{\@inferOneStep}}}
-
-\def\@inferOneStep{\@inferRuletrue \@DoubleRulefalse
- \@ifnextchar [{\@infer}{\@infer[\@empty]}}
-
-\def\@inferDoubleRule={\@inferRuletrue \@DoubleRuletrue
- \@ifnextchar [{\@infer}{\@infer[\@empty]}}
-
-\def\@inferSteps*{\@ifnextchar [{\@@inferSteps}{\@@inferSteps[\@empty]}}
-
-\def\@@inferSteps[#1]{\@deduce{#1}[\DeduceSym]}
-
-\def\deduce{\@SaveMath \@ifnextchar [{\@deduce{\@empty}}
- {\@inferRulefalse \@infer[\@empty]}}
-
-% \@deduce<Proof Label>[<Proof>]<Lower><Uppers>
-
-\def\@deduce#1[#2]#3#4{\@inferRulefalse
- \@infer[\@empty]{#3}{\@SaveMath \@infer[{#1}]{#2}{#4}}}
-
-% \@infer[<Label>]<Lower><Uppers>
-% If \@inferRuletrue, it draws a rule and <Label> is right to
-% a rule. In this case, if \@DoubleRuletrue, it draws
-% double rules.
-%
-% Otherwise, draws no rule and <Label> is right to <Lower>.
-
-\def\@infer[#1]#2#3{\relax
-% Get parameters
- \if@ReturnLeftOffset \else \@SavedLeftOffset=\@LeftOffset \fi
- \setbox\@LabelPart=\hbox{$#1$}\relax
- \setbox\@LowerPart=\hbox{$#2$}\relax
-%
- \global\@LeftOffset=0pt
- \setbox\@UpperPart=\vbox{\tabskip=0pt \halign{\relax
- \global\@RightOffset=0pt \@ReturnLeftOffsettrue $##$&&
- \inferTabSkip
- \global\@RightOffset=0pt \@ReturnLeftOffsetfalse $##$\cr
- #3\cr}}\relax
-% Here is a little trick.
-% \@ReturnLeftOffsettrue(false) influences on \infer or
-% \deduce placed in ## locally
-% because of \@SaveMath and \@RestoreMath.
- \UpperLeftOffset=\@LeftOffset
- \UpperRightOffset=\@RightOffset
-% Calculate Adjustments
- \LowerWidth=\wd\@LowerPart
- \LowerHeight=\ht\@LowerPart
- \LowerCenter=0.5\LowerWidth
-%
- \UpperWidth=\wd\@UpperPart \advance\UpperWidth by -\UpperLeftOffset
- \advance\UpperWidth by -\UpperRightOffset
- \UpperCenter=\UpperLeftOffset
- \advance\UpperCenter by 0.5\UpperWidth
-%
- \ifdim \UpperWidth > \LowerWidth
- % \UpperCenter > \LowerCenter
- \UpperAdjust=0pt
- \RuleAdjust=\UpperLeftOffset
- \LowerAdjust=\UpperCenter \advance\LowerAdjust by -\LowerCenter
- \RuleWidth=\UpperWidth
- \global\@LeftOffset=\LowerAdjust
-%
- \else % \UpperWidth <= \LowerWidth
- \ifdim \UpperCenter > \LowerCenter
-%
- \UpperAdjust=0pt
- \RuleAdjust=\UpperCenter \advance\RuleAdjust by -\LowerCenter
- \LowerAdjust=\RuleAdjust
- \RuleWidth=\LowerWidth
- \global\@LeftOffset=\LowerAdjust
-%
- \else % \UpperWidth <= \LowerWidth
- % \UpperCenter <= \LowerCenter
-%
- \UpperAdjust=\LowerCenter \advance\UpperAdjust by -\UpperCenter
- \RuleAdjust=0pt
- \LowerAdjust=0pt
- \RuleWidth=\LowerWidth
- \global\@LeftOffset=0pt
-%
- \fi\fi
-% Make a box
- \if@inferRule
-%
- \setbox\ResultBox=\vbox{
- \moveright \UpperAdjust \box\@UpperPart
- \nointerlineskip \kern\inferLineSkip
- \if@DoubleRule
- \moveright \RuleAdjust \vbox{\hrule width\RuleWidth
- \kern 1pt\hrule width\RuleWidth}\relax
- \else
- \moveright \RuleAdjust \vbox{\hrule width\RuleWidth}\relax
- \fi
- \nointerlineskip \kern\inferLineSkip
- \moveright \LowerAdjust \box\@LowerPart }\relax
-%
- \@ifEmpty{#1}{}{\relax
-%
- \HLabelAdjust=\wd\ResultBox \advance\HLabelAdjust by -\RuleAdjust
- \advance\HLabelAdjust by -\RuleWidth
- \WidthAdjust=\HLabelAdjust
- \advance\WidthAdjust by -\inferLabelSkip
- \advance\WidthAdjust by -\wd\@LabelPart
- \ifdim \WidthAdjust < 0pt \WidthAdjust=0pt \fi
-%
- \VLabelAdjust=\dp\@LabelPart
- \advance\VLabelAdjust by -\ht\@LabelPart
- \VLabelAdjust=0.5\VLabelAdjust \advance\VLabelAdjust by \LowerHeight
- \advance\VLabelAdjust by \inferLineSkip
-%
- \setbox\ResultBox=\hbox{\box\ResultBox
- \kern -\HLabelAdjust \kern\inferLabelSkip
- \raise\VLabelAdjust \box\@LabelPart \kern\WidthAdjust}\relax
-%
- }\relax % end @ifEmpty
-%
- \else % \@inferRulefalse
-%
- \setbox\ResultBox=\vbox{
- \moveright \UpperAdjust \box\@UpperPart
- \nointerlineskip \kern\inferLineSkip
- \moveright \LowerAdjust \hbox{\unhbox\@LowerPart
- \@ifEmpty{#1}{}{\relax
- \kern\inferLabelSkip \unhbox\@LabelPart}}}\relax
- \fi
-%
- \global\@RightOffset=\wd\ResultBox
- \global\advance\@RightOffset by -\@LeftOffset
- \global\advance\@RightOffset by -\LowerWidth
- \if@ReturnLeftOffset \else \global\@LeftOffset=\@SavedLeftOffset \fi
-%
- \box\ResultBox
- \@RestoreMath
-}
-\endinput
--- a/doc-src/sedindex Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,21 +0,0 @@
-#! /bin/sh
-#
-#sedindex - shell script to create indexes, preprocessing LaTeX's .idx file
-#
-# puts strings prefixed by * into \tt font
-# terminator characters for strings are |!@{}
-#
-# a space terminates the \tt part to allow \index{*NE theorem}, etc.
-#
-# change *"X"Y"Z"W to "X"Y"Z"W@{\tt "X"Y"Z"W}
-# change *"X"Y"Z to "X"Y"Z@{\tt "X"Y"Z}
-# change *"X"Y to "X"Y@{\tt "X"Y}
-# change *"X to "X@{\tt "X}
-# change *IDENT to IDENT@{\tt IDENT}
-# where IDENT is any string not containing | ! or @
-# FOUR backslashes: to escape the shell AND sed
-sed -e "s~\*\(\".\".\".\".\)~\1@{\\\\tt \1}~g
-s~\*\(\".\".\".\)~\1@{\\\\tt \1}~g
-s~\*\(\".\".\)~\1@{\\\\tt \1}~g
-s~\*\(\".\)~\1@{\\\\tt \1}~g
-s~\*\([^ |!@{}][^ |!@{}]*\)~\1@{\\\\tt \1}~g" $1.idx | makeindex -c -q -o $1.ind
--- a/doc-src/ttbox.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,40 +0,0 @@
-\ProvidesPackage{ttbox}[1997/06/25]
-\RequirePackage{alltt}
-
-%%%Boxed terminal sessions
-
-%Redefines \{ and \} to be in \tt font and \| to make a BACKSLASH
-\def\ttbraces{\chardef\{=`\{\chardef\}=`\}\chardef\|=`\\}
-
-%Restores % as the comment character (especially, to suppress line breaks)
-\newcommand\comments{\catcode`\%=14\relax}
-
-%alltt* environment: like alltt but smaller, and with \{ \} and \| as in ttbox
-\newenvironment{alltt*}{\begin{alltt}\footnotesize\ttbraces}{\end{alltt}}
-
-%Indented alltt* environment with small point size
-%NO LINE BREAKS are allowed unless \pagebreak appears at START of a line
-\newenvironment{ttbox}{\begin{quote}\samepage\begin{alltt*}}%
- {\end{alltt*}\end{quote}}
-
-{\obeylines\gdef\ttbreak
-{\allowbreak}}
-
-%%%% more \tt things
-
-\def\ttdescriptionlabel#1{\hspace\labelsep \tt #1}
-\def\ttdescription{\list{}{\labelwidth\z@ \itemindent-\leftmargin
- \let\makelabel\ttdescriptionlabel}}
-
-\let\endttdescription\endlist
-
-\chardef\ttilde=`\~ % A tilde for \tt font
-\chardef\ttback=`\\ % A backslash for \tt font
-\chardef\ttlbrace=`\{ % A left brace for \tt font
-\chardef\ttrbrace=`\} % A right brace for \tt font
-\chardef\ttlbrack=`\[ % A left bracket for \tt font
-\chardef\ttrbrack=`\] % A right bracket for \tt font
-
-\newcommand\out{\ \ttfamily\slshape} %% for output from terminal sessions
-
-\endinput
--- a/doc-src/underscore.sty Tue Aug 28 18:46:15 2012 +0200
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,248 +0,0 @@
-% underscore.sty 21-Sep-2005 Donald Arseneau asnd@triumf.ca
-% Make the "_" character print as "\textunderscore" in text.
-% Copyright 1998,2001,2005,2006 Donald Arseneau;
-% License: LPPL version 1.2 or later.
-% Instructions follow after the definitions.
-
-\ProvidesPackage{underscore}[2006/09/13]
-
-\begingroup
- \catcode`\_=\active
- \gdef _{% \relax % No relax gives a small vulnerability in alignments
- \ifx\if@safe@actives\iftrue % must be outermost test!
- \string_%
- \else
- \ifx\protect\@typeset@protect
- \ifmmode \sb \else \BreakableUnderscore \fi
- \else
- \ifx\protect\@unexpandable@protect \noexpand_%
- \else \protect_%
- \fi\fi
- \fi}
- \global\let\ActiveUnderscore=_
- \gdef\normalUnderscoreDef{\let_\ActiveUnderscore}
-\endgroup
-
-% At begin: set catcode; fix \long \ttdefault so I can use it in comparisons;
-% reapply definition of active _ in output routine (\@firstofone to strip
-% away braces, so avoiding deeper nesting).
-\AtBeginDocument{%
- {\immediate\write\@auxout{\catcode\number\string`\_ \string\active}}%
- \catcode\string`\_\string=\active
- \edef\ttdefault{\ttdefault}%
- \output=\expandafter\expandafter\expandafter
- {\expandafter\expandafter\expandafter\normalUnderscoreDef
- \expandafter\@firstofone\the\output}%
-}
-
-\newcommand{\BreakableUnderscore}{\leavevmode\nobreak\hskip\z@skip
- \ifx\f@family\ttdefault \string_\else \textunderscore\fi
- \usc@dischyph\nobreak\hskip\z@skip}
-
-\DeclareRobustCommand{\_}{%
- \ifmmode \nfss@text{\textunderscore}\else \BreakableUnderscore \fi}
-
-
-\let\usc@dischyph\@dischyph
-\DeclareOption{nohyphen}{\def\usc@dischyph{\discretionary{}{}{}}}
-\DeclareOption{strings}{\catcode`\_=\active}
-
-\ProcessOptions
-\ifnum\catcode`\_=\active\else \endinput \fi
-
-%%%%%%%% Redefine commands that use character strings %%%%%%%%
-
-\@ifundefined{UnderscoreCommands}{\let\UnderscoreCommands\@empty}{}
-\expandafter\def\expandafter\UnderscoreCommands\expandafter{%
- \UnderscoreCommands
- \do\include \do\includeonly
- \do\@input \do\@iinput \do\InputIfFileExists
- \do\ref \do\pageref \do\newlabel
- \do\bibitem \do\@bibitem \do\cite \do\nocite \do\bibcite
- \do\Ginclude@graphics \do\@setckpt
-}
-
-% Macro to redefine a macro to pre-process its string argument
-% with \protect -> \string.
-\def\do#1{% Avoid double processing if user includes command twice!
- \@ifundefined{US\string_\expandafter\@gobble\string#1}{%
- \edef\@tempb{\meaning#1}% Check if macro is just a protection shell...
- \def\@tempc{\protect}%
- \edef\@tempc{\meaning\@tempc\string#1\space\space}%
- \ifx\@tempb\@tempc % just a shell: hook into the protected inner command
- \expandafter\do
- \csname \expandafter\@gobble\string#1 \expandafter\endcsname
- \else % Check if macro takes an optional argument
- \def\@tempc{\@ifnextchar[}%
- \edef\@tempa{\def\noexpand\@tempa####1\meaning\@tempc}%
- \@tempa##2##3\@tempa{##2\relax}%
- \edef\@tempb{\meaning#1\meaning\@tempc}%
- \edef\@tempc{\noexpand\@tempd \csname
- US\string_\expandafter\@gobble\string#1\endcsname}%
- \if \expandafter\@tempa\@tempb \relax 12\@tempa % then no optional arg
- \@tempc #1\US@prot
- \else % There is optional arg
- \@tempc #1\US@protopt
- \fi
- \fi
- }{}}
-
-\def\@tempd#1#2#3{\let#1#2\def#2{#3#1}}
-
-\def\US@prot#1#2{\let\@@protect\protect \let\protect\string
- \edef\US@temp##1{##1{#2}}\restore@protect\US@temp#1}
-\def\US@protopt#1{\@ifnextchar[{\US@protarg#1}{\US@prot#1}}
-\def\US@protarg #1[#2]{\US@prot{{#1[#2]}}}
-
-\UnderscoreCommands
-\let\do\relax \let\@tempd\relax % un-do
-
-%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
-
-\endinput
-
-underscore.sty 13-Sep-2006 Donald Arseneau
-
-Features:
-~~~~~~~~~
-The "\_" command (which normally prints an underscore character or
-facsimile) is altered so that the hyphenation of constituent words
-is not affected, and hyphenation is permitted after the underscore.
-For example, "compound\_fracture" hyphenates as com- pound\_- frac- ture.
-If you prefer the underscore to break without a hyphen (but still with
-the same rules for explicit hyphen-breaks) then use the [nohyphen]
-package option.
-
-A simple "_" acts just like "\_" in text mode, but makes a subscript
-in math mode: activation_energy $E_a$
-
-Both forms use an underscore character if the font encoding contains
-one (e.g., "\usepackage[T1]{fontenc}" or typewriter fonts in any encoding),
-but they use a rule if there is no proper character.
-
-Deficiencies:
-~~~~~~~~~~~~~
-The skips and penalties ruin any kerning with the underscore character
-(when a character is used). However, there doesn't seem to be much, if
-any, such kerning in the ec fonts, and there is never any kerning with
-a rule.
-
-You must avoid "_" in file names and in cite or ref tags, or you must use
-the babel package, with its active-character controls, or you must give
-the [strings] option, which attempts to redefine several commands (and
-may not work perfectly). Even without the [strings] option or babel, you
-can use occasional underscores like: "\include{file\string_name}".
-
-Option: [strings]
-~~~~~~~~~~~~~~~~~
-The default operation is quite simple and needs no customization; but
-you must avoid using "_" in any place where LaTeX uses an argument as
-a string of characters for some control function or as a name. These
-include the tags for "\cite" and "\ref", file names for "\input",
-"\include", and "\includegraphics", environment names, counter names,
-and placement parameters (like "[t]"). The problem with these contexts
-is that they are `moving arguments' but LaTeX does not `switch on' the
-"\protect" mechanism for them.
-
-If you need to use the underscore character in these places, the package
-option [strings] is provided to redefine commands that take such a string
-argument so that protection is applied (with "\protect" being "\string").
-The list of commands is given in "\UnderscoreCommands", with "\do" before
-each; plus several others covering "\input", "\includegraphics, "\cite",
-"\ref", and their variants. Not included are many commands regarding font
-names, everything with counter names, environment names, page styles, and
-versions of "\ref" and "\cite" defined by external packages (e.g., "\vref"
-and "\citeyear").
-
-You can add to the list of supported commands by defining "\UnderscoreCommands"
-before loading this package; e.g.
-
- \usepackage{chicago}
- \newcommand{\UnderscoreCommands}{% (\cite already done)
- \do\citeNP \do\citeA \do\citeANP \do\citeN \do\shortcite
- \do\shortciteNP \do\shortciteA \do\shortciteANP \do\shortciteN
- \do\citeyear \do\citeyearNP
- }
- \usepackage[strings]{underscore}
-
-Not all commands can be supported this way! Only commands that take a
-string argument *first* can be protected. One optional argument before
-the string argument is also permitted, as exemplified by "\cite": both
-"\cite{tags}" and "\cite[text]{tags}" are allowed. A command like
-"\@addtoreset" which takes two counter names as arguments could not
-be protected by listing it in "\UnderscoreCommands".
-
-*When you use the [strings] option, you must load this package
-last* (or nearly last).
-
-There are two reasons: 1) The redefinitions done for protection must come
-after other packages define their customized versions of those commands.
-2) The [strings] option requires the "_" character to be activated immediately
-in order for the cite and ref tags to be read properly from the .aux file
-as plain strings, and this catcode setting might disrupt other packages.
-
-The babel package implements a protection mechanism for many commands,
-and will be a complete fix for most documents without the [strings] option.
-Many add-on packages are compatible with babel, so they will get the
-strings protection also. However, there are several commands that are
-not covered by babel, but can easily be supported by the [strings] and
-"\UnderscoreCommands" mechanism. Beware that using both [strings] and
-babel might lead to conflicts, but none are seen yet (load babel last).
-
-Implementation Notes:
-~~~~~~~~~~~~~~~~~~~~~
-The first setting of "_" to be an active character is performed in a local
-group so as to not interfere with other packages. The catcode setting
-is repeated with "\AtBeginDocument" so the definition is in effect for the
-text. However, the catcode setting is repeated immediately when the
-[strings] option is detected.
-
-The definition of the active "_" is essentially:
-
- \ifmmode \sb \else \BreakableUnderscore \fi
-
-where "\sb" retains the normal subscript meaning of "_" and where
-"\BreakableUnderscore" is essentially "\_". The rest of the definition
-handles the "\protect"ion without causing "\relax" to be inserted before
-the character.
-
-"\BreakableUnderscore" uses "\nobreak\hskip\z@skip" to separate the
-underscore from surrounding words, thus allowing TeX to hyphenate them,
-but preventing free breaks around the underscore. Next, it checks the
-current font family, and uses the underscore character from tt fonts or
-otherwise "\textunderscore" (which is a character or rule depending on
-the font encoding). After the underscore, it inserts a discretionary
-hyphenation point as "\usc@dischyph", which is usually just "\-"
-except that it still works in the tabbing environment, although it
-will give "\discretionary{}{}{}" under the [nohyphen] option. After
-that, another piece of non-breaking interword glue is inserted.
-Ordinarily, the comparison "\ifx\f@family\ttdefault" will always fail
-because "\ttdefault" is `long' whereas "\f@family" is not (boooo hisss),
-but "\ttdefault" is redefined to be non-long by "\AtBeginDocument".
-
-The "\_" command is then defined to use "\BreakableUnderscore".
-
-If the [strings] option is not given, then that is all!
-
-Under the [strings] option, the list of special commands is processed to:
-
- - retain the original command as "\US_"*command* (e.g., "\US_ref")
- - redefine the command as "\US@prot\US_command" for ordinary commands
- ("\US@prot\US_ref") or as "\US@protopt\US_command" when an optional
- argument is possible (e.g., "\US@protopt\US_bibitem").
- - self-protecting commands ("\cite") retain their self-protection.
-
-Diagnosing the state of the pre-existing command is done by painful
-contortions involving "\meaning".
-
-"\US@prot" and "\US@protopt" read the argument, process it with
-"\protect" enabled, then invoke the saved "\US_command".
-
-Modifications:
-~~~~~~~~~~~~~~
-13-Sep-2006 Reassert my definition in the output routine (listings).
-21-Sep-2005 \includegraphics safe.
-12-Oct-2001 Babel (safe@actives) compatibility and [nohyphen] option.
-
-Test file integrity: ASCII 32-57, 58-126: !"#$%&'()*+,-./0123456789
-:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Classes/Classes.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,642 @@
+theory Classes
+imports Main Setup
+begin
+
+section {* Introduction *}
+
+text {*
+ Type classes were introduced by Wadler and Blott \cite{wadler89how}
+ into the Haskell language to allow for a reasonable implementation
+ of overloading\footnote{throughout this tutorial, we are referring
+ to classical Haskell 1.0 type classes, not considering later
+ additions in expressiveness}. As a canonical example, a polymorphic
+ equality function @{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} which is overloaded on
+ different types for @{text "\<alpha>"}, which is achieved by splitting
+ introduction of the @{text eq} function from its overloaded
+ definitions by means of @{text class} and @{text instance}
+ declarations: \footnote{syntax here is a kind of isabellized
+ Haskell}
+
+ \begin{quote}
+
+ \noindent@{text "class eq where"} \\
+ \hspace*{2ex}@{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"}
+
+ \medskip\noindent@{text "instance nat \<Colon> eq where"} \\
+ \hspace*{2ex}@{text "eq 0 0 = True"} \\
+ \hspace*{2ex}@{text "eq 0 _ = False"} \\
+ \hspace*{2ex}@{text "eq _ 0 = False"} \\
+ \hspace*{2ex}@{text "eq (Suc n) (Suc m) = eq n m"}
+
+ \medskip\noindent@{text "instance (\<alpha>\<Colon>eq, \<beta>\<Colon>eq) pair \<Colon> eq where"} \\
+ \hspace*{2ex}@{text "eq (x1, y1) (x2, y2) = eq x1 x2 \<and> eq y1 y2"}
+
+ \medskip\noindent@{text "class ord extends eq where"} \\
+ \hspace*{2ex}@{text "less_eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} \\
+ \hspace*{2ex}@{text "less \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"}
+
+ \end{quote}
+
+ \noindent Type variables are annotated with (finitely many) classes;
+ these annotations are assertions that a particular polymorphic type
+ provides definitions for overloaded functions.
+
+ Indeed, type classes not only allow for simple overloading but form
+ a generic calculus, an instance of order-sorted algebra
+ \cite{nipkow-sorts93,Nipkow-Prehofer:1993,Wenzel:1997:TPHOL}.
+
+ From a software engineering point of view, type classes roughly
+ correspond to interfaces in object-oriented languages like Java; so,
+ it is naturally desirable that type classes do not only provide
+ functions (class parameters) but also state specifications
+ implementations must obey. For example, the @{text "class eq"}
+ above could be given the following specification, demanding that
+ @{text "class eq"} is an equivalence relation obeying reflexivity,
+ symmetry and transitivity:
+
+ \begin{quote}
+
+ \noindent@{text "class eq where"} \\
+ \hspace*{2ex}@{text "eq \<Colon> \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> bool"} \\
+ @{text "satisfying"} \\
+ \hspace*{2ex}@{text "refl: eq x x"} \\
+ \hspace*{2ex}@{text "sym: eq x y \<longleftrightarrow> eq x y"} \\
+ \hspace*{2ex}@{text "trans: eq x y \<and> eq y z \<longrightarrow> eq x z"}
+
+ \end{quote}
+
+ \noindent From a theoretical point of view, type classes are
+ lightweight modules; Haskell type classes may be emulated by SML
+ functors \cite{classes_modules}. Isabelle/Isar offers a discipline
+ of type classes which brings all those aspects together:
+
+ \begin{enumerate}
+ \item specifying abstract parameters together with
+ corresponding specifications,
+ \item instantiating those abstract parameters by a particular
+ type
+ \item in connection with a ``less ad-hoc'' approach to overloading,
+ \item with a direct link to the Isabelle module system:
+ locales \cite{kammueller-locales}.
+ \end{enumerate}
+
+ \noindent Isar type classes also directly support code generation in
+ a Haskell like fashion. Internally, they are mapped to more
+ primitive Isabelle concepts \cite{Haftmann-Wenzel:2006:classes}.
+
+ This tutorial demonstrates common elements of structured
+ specifications and abstract reasoning with type classes by the
+ algebraic hierarchy of semigroups, monoids and groups. Our
+ background theory is that of Isabelle/HOL \cite{isa-tutorial}, for
+ which some familiarity is assumed.
+*}
+
+section {* A simple algebra example \label{sec:example} *}
+
+subsection {* Class definition *}
+
+text {*
+ Depending on an arbitrary type @{text "\<alpha>"}, class @{text
+ "semigroup"} introduces a binary operator @{text "(\<otimes>)"} that is
+ assumed to be associative:
+*}
+
+class %quote semigroup =
+ fixes mult :: "\<alpha> \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" (infixl "\<otimes>" 70)
+ assumes assoc: "(x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"
+
+text {*
+ \noindent This @{command class} specification consists of two parts:
+ the \qn{operational} part names the class parameter (@{element
+ "fixes"}), the \qn{logical} part specifies properties on them
+ (@{element "assumes"}). The local @{element "fixes"} and @{element
+ "assumes"} are lifted to the theory toplevel, yielding the global
+ parameter @{term [source] "mult \<Colon> \<alpha>\<Colon>semigroup \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>"} and the
+ global theorem @{fact "semigroup.assoc:"}~@{prop [source] "\<And>x y z \<Colon>
+ \<alpha>\<Colon>semigroup. (x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"}.
+*}
+
+
+subsection {* Class instantiation \label{sec:class_inst} *}
+
+text {*
+ The concrete type @{typ int} is made a @{class semigroup} instance
+ by providing a suitable definition for the class parameter @{text
+ "(\<otimes>)"} and a proof for the specification of @{fact assoc}. This is
+ accomplished by the @{command instantiation} target:
+*}
+
+instantiation %quote int :: semigroup
+begin
+
+definition %quote
+ mult_int_def: "i \<otimes> j = i + (j\<Colon>int)"
+
+instance %quote proof
+ fix i j k :: int have "(i + j) + k = i + (j + k)" by simp
+ then show "(i \<otimes> j) \<otimes> k = i \<otimes> (j \<otimes> k)"
+ unfolding mult_int_def .
+qed
+
+end %quote
+
+text {*
+ \noindent @{command instantiation} defines class parameters at a
+ particular instance using common specification tools (here,
+ @{command definition}). The concluding @{command instance} opens a
+ proof that the given parameters actually conform to the class
+ specification. Note that the first proof step is the @{method
+ default} method, which for such instance proofs maps to the @{method
+ intro_classes} method. This reduces an instance judgement to the
+ relevant primitive proof goals; typically it is the first method
+ applied in an instantiation proof.
+
+ From now on, the type-checker will consider @{typ int} as a @{class
+ semigroup} automatically, i.e.\ any general results are immediately
+ available on concrete instances.
+
+ \medskip Another instance of @{class semigroup} yields the natural
+ numbers:
+*}
+
+instantiation %quote nat :: semigroup
+begin
+
+primrec %quote mult_nat where
+ "(0\<Colon>nat) \<otimes> n = n"
+ | "Suc m \<otimes> n = Suc (m \<otimes> n)"
+
+instance %quote proof
+ fix m n q :: nat
+ show "m \<otimes> n \<otimes> q = m \<otimes> (n \<otimes> q)"
+ by (induct m) auto
+qed
+
+end %quote
+
+text {*
+ \noindent Note the occurence of the name @{text mult_nat} in the
+ primrec declaration; by default, the local name of a class operation
+ @{text f} to be instantiated on type constructor @{text \<kappa>} is
+ mangled as @{text f_\<kappa>}. In case of uncertainty, these names may be
+ inspected using the @{command "print_context"} command or the
+ corresponding ProofGeneral button.
+*}
+
+subsection {* Lifting and parametric types *}
+
+text {*
+ Overloaded definitions given at a class instantiation may include
+ recursion over the syntactic structure of types. As a canonical
+ example, we model product semigroups using our simple algebra:
+*}
+
+instantiation %quote prod :: (semigroup, semigroup) semigroup
+begin
+
+definition %quote
+ mult_prod_def: "p\<^isub>1 \<otimes> p\<^isub>2 = (fst p\<^isub>1 \<otimes> fst p\<^isub>2, snd p\<^isub>1 \<otimes> snd p\<^isub>2)"
+
+instance %quote proof
+ fix p\<^isub>1 p\<^isub>2 p\<^isub>3 :: "\<alpha>\<Colon>semigroup \<times> \<beta>\<Colon>semigroup"
+ show "p\<^isub>1 \<otimes> p\<^isub>2 \<otimes> p\<^isub>3 = p\<^isub>1 \<otimes> (p\<^isub>2 \<otimes> p\<^isub>3)"
+ unfolding mult_prod_def by (simp add: assoc)
+qed
+
+end %quote
+
+text {*
+ \noindent Associativity of product semigroups is established using
+ the definition of @{text "(\<otimes>)"} on products and the hypothetical
+ associativity of the type components; these hypotheses are
+ legitimate due to the @{class semigroup} constraints imposed on the
+ type components by the @{command instance} proposition. Indeed,
+ this pattern often occurs with parametric types and type classes.
+*}
+
+
+subsection {* Subclassing *}
+
+text {*
+ We define a subclass @{text monoidl} (a semigroup with a left-hand
+ neutral) by extending @{class semigroup} with one additional
+ parameter @{text neutral} together with its characteristic property:
+*}
+
+class %quote monoidl = semigroup +
+ fixes neutral :: "\<alpha>" ("\<one>")
+ assumes neutl: "\<one> \<otimes> x = x"
+
+text {*
+ \noindent Again, we prove some instances, by providing suitable
+ parameter definitions and proofs for the additional specifications.
+ Observe that instantiations for types with the same arity may be
+ simultaneous:
+*}
+
+instantiation %quote nat and int :: monoidl
+begin
+
+definition %quote
+ neutral_nat_def: "\<one> = (0\<Colon>nat)"
+
+definition %quote
+ neutral_int_def: "\<one> = (0\<Colon>int)"
+
+instance %quote proof
+ fix n :: nat
+ show "\<one> \<otimes> n = n"
+ unfolding neutral_nat_def by simp
+next
+ fix k :: int
+ show "\<one> \<otimes> k = k"
+ unfolding neutral_int_def mult_int_def by simp
+qed
+
+end %quote
+
+instantiation %quote prod :: (monoidl, monoidl) monoidl
+begin
+
+definition %quote
+ neutral_prod_def: "\<one> = (\<one>, \<one>)"
+
+instance %quote proof
+ fix p :: "\<alpha>\<Colon>monoidl \<times> \<beta>\<Colon>monoidl"
+ show "\<one> \<otimes> p = p"
+ unfolding neutral_prod_def mult_prod_def by (simp add: neutl)
+qed
+
+end %quote
+
+text {*
+ \noindent Fully-fledged monoids are modelled by another subclass,
+ which does not add new parameters but tightens the specification:
+*}
+
+class %quote monoid = monoidl +
+ assumes neutr: "x \<otimes> \<one> = x"
+
+instantiation %quote nat and int :: monoid
+begin
+
+instance %quote proof
+ fix n :: nat
+ show "n \<otimes> \<one> = n"
+ unfolding neutral_nat_def by (induct n) simp_all
+next
+ fix k :: int
+ show "k \<otimes> \<one> = k"
+ unfolding neutral_int_def mult_int_def by simp
+qed
+
+end %quote
+
+instantiation %quote prod :: (monoid, monoid) monoid
+begin
+
+instance %quote proof
+ fix p :: "\<alpha>\<Colon>monoid \<times> \<beta>\<Colon>monoid"
+ show "p \<otimes> \<one> = p"
+ unfolding neutral_prod_def mult_prod_def by (simp add: neutr)
+qed
+
+end %quote
+
+text {*
+ \noindent To finish our small algebra example, we add a @{text
+ group} class with a corresponding instance:
+*}
+
+class %quote group = monoidl +
+ fixes inverse :: "\<alpha> \<Rightarrow> \<alpha>" ("(_\<div>)" [1000] 999)
+ assumes invl: "x\<div> \<otimes> x = \<one>"
+
+instantiation %quote int :: group
+begin
+
+definition %quote
+ inverse_int_def: "i\<div> = - (i\<Colon>int)"
+
+instance %quote proof
+ fix i :: int
+ have "-i + i = 0" by simp
+ then show "i\<div> \<otimes> i = \<one>"
+ unfolding mult_int_def neutral_int_def inverse_int_def .
+qed
+
+end %quote
+
+
+section {* Type classes as locales *}
+
+subsection {* A look behind the scenes *}
+
+text {*
+ The example above gives an impression how Isar type classes work in
+ practice. As stated in the introduction, classes also provide a
+ link to Isar's locale system. Indeed, the logical core of a class
+ is nothing other than a locale:
+*}
+
+class %quote idem =
+ fixes f :: "\<alpha> \<Rightarrow> \<alpha>"
+ assumes idem: "f (f x) = f x"
+
+text {*
+ \noindent essentially introduces the locale
+*} (*<*)setup %invisible {* Sign.add_path "foo" *}
+(*>*)
+locale %quote idem =
+ fixes f :: "\<alpha> \<Rightarrow> \<alpha>"
+ assumes idem: "f (f x) = f x"
+
+text {* \noindent together with corresponding constant(s): *}
+
+consts %quote f :: "\<alpha> \<Rightarrow> \<alpha>"
+
+text {*
+ \noindent The connection to the type system is done by means
+ of a primitive type class
+*} (*<*)setup %invisible {* Sign.add_path "foo" *}
+(*>*)
+classes %quote idem < type
+(*<*)axiomatization where idem: "f (f (x::\<alpha>\<Colon>idem)) = f x"
+setup %invisible {* Sign.parent_path *}(*>*)
+
+text {* \noindent together with a corresponding interpretation: *}
+
+interpretation %quote idem_class:
+ idem "f \<Colon> (\<alpha>\<Colon>idem) \<Rightarrow> \<alpha>"
+(*<*)proof qed (rule idem)(*>*)
+
+text {*
+ \noindent This gives you the full power of the Isabelle module system;
+ conclusions in locale @{text idem} are implicitly propagated
+ to class @{text idem}.
+*} (*<*)setup %invisible {* Sign.parent_path *}
+(*>*)
+subsection {* Abstract reasoning *}
+
+text {*
+ Isabelle locales enable reasoning at a general level, while results
+ are implicitly transferred to all instances. For example, we can
+ now establish the @{text "left_cancel"} lemma for groups, which
+ states that the function @{text "(x \<otimes>)"} is injective:
+*}
+
+lemma %quote (in group) left_cancel: "x \<otimes> y = x \<otimes> z \<longleftrightarrow> y = z"
+proof
+ assume "x \<otimes> y = x \<otimes> z"
+ then have "x\<div> \<otimes> (x \<otimes> y) = x\<div> \<otimes> (x \<otimes> z)" by simp
+ then have "(x\<div> \<otimes> x) \<otimes> y = (x\<div> \<otimes> x) \<otimes> z" using assoc by simp
+ then show "y = z" using neutl and invl by simp
+next
+ assume "y = z"
+ then show "x \<otimes> y = x \<otimes> z" by simp
+qed
+
+text {*
+ \noindent Here the \qt{@{keyword "in"} @{class group}} target
+ specification indicates that the result is recorded within that
+ context for later use. This local theorem is also lifted to the
+ global one @{fact "group.left_cancel:"} @{prop [source] "\<And>x y z \<Colon>
+ \<alpha>\<Colon>group. x \<otimes> y = x \<otimes> z \<longleftrightarrow> y = z"}. Since type @{text "int"} has been
+ made an instance of @{text "group"} before, we may refer to that
+ fact as well: @{prop [source] "\<And>x y z \<Colon> int. x \<otimes> y = x \<otimes> z \<longleftrightarrow> y =
+ z"}.
+*}
+
+
+subsection {* Derived definitions *}
+
+text {*
+ Isabelle locales are targets which support local definitions:
+*}
+
+primrec %quote (in monoid) pow_nat :: "nat \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" where
+ "pow_nat 0 x = \<one>"
+ | "pow_nat (Suc n) x = x \<otimes> pow_nat n x"
+
+text {*
+ \noindent If the locale @{text group} is also a class, this local
+ definition is propagated onto a global definition of @{term [source]
+ "pow_nat \<Colon> nat \<Rightarrow> \<alpha>\<Colon>monoid \<Rightarrow> \<alpha>\<Colon>monoid"} with corresponding theorems
+
+ @{thm pow_nat.simps [no_vars]}.
+
+ \noindent As you can see from this example, for local definitions
+ you may use any specification tool which works together with
+ locales, such as Krauss's recursive function package
+ \cite{krauss2006}.
+*}
+
+
+subsection {* A functor analogy *}
+
+text {*
+ We introduced Isar classes by analogy to type classes in functional
+ programming; if we reconsider this in the context of what has been
+ said about type classes and locales, we can drive this analogy
+ further by stating that type classes essentially correspond to
+ functors that have a canonical interpretation as type classes.
+ There is also the possibility of other interpretations. For
+ example, @{text list}s also form a monoid with @{text append} and
+ @{term "[]"} as operations, but it seems inappropriate to apply to
+ lists the same operations as for genuinely algebraic types. In such
+ a case, we can simply make a particular interpretation of monoids
+ for lists:
+*}
+
+interpretation %quote list_monoid: monoid append "[]"
+ proof qed auto
+
+text {*
+ \noindent This enables us to apply facts on monoids
+ to lists, e.g. @{thm list_monoid.neutl [no_vars]}.
+
+ When using this interpretation pattern, it may also
+ be appropriate to map derived definitions accordingly:
+*}
+
+primrec %quote replicate :: "nat \<Rightarrow> \<alpha> list \<Rightarrow> \<alpha> list" where
+ "replicate 0 _ = []"
+ | "replicate (Suc n) xs = xs @ replicate n xs"
+
+interpretation %quote list_monoid: monoid append "[]" where
+ "monoid.pow_nat append [] = replicate"
+proof -
+ interpret monoid append "[]" ..
+ show "monoid.pow_nat append [] = replicate"
+ proof
+ fix n
+ show "monoid.pow_nat append [] n = replicate n"
+ by (induct n) auto
+ qed
+qed intro_locales
+
+text {*
+ \noindent This pattern is also helpful to reuse abstract
+ specifications on the \emph{same} type. For example, think of a
+ class @{text preorder}; for type @{typ nat}, there are at least two
+ possible instances: the natural order or the order induced by the
+ divides relation. But only one of these instances can be used for
+ @{command instantiation}; using the locale behind the class @{text
+ preorder}, it is still possible to utilise the same abstract
+ specification again using @{command interpretation}.
+*}
+
+subsection {* Additional subclass relations *}
+
+text {*
+ Any @{text "group"} is also a @{text "monoid"}; this can be made
+ explicit by claiming an additional subclass relation, together with
+ a proof of the logical difference:
+*}
+
+subclass %quote (in group) monoid
+proof
+ fix x
+ from invl have "x\<div> \<otimes> x = \<one>" by simp
+ with assoc [symmetric] neutl invl have "x\<div> \<otimes> (x \<otimes> \<one>) = x\<div> \<otimes> x" by simp
+ with left_cancel show "x \<otimes> \<one> = x" by simp
+qed
+
+text {*
+ The logical proof is carried out on the locale level. Afterwards it
+ is propagated to the type system, making @{text group} an instance
+ of @{text monoid} by adding an additional edge to the graph of
+ subclass relations (\figref{fig:subclass}).
+
+ \begin{figure}[htbp]
+ \begin{center}
+ \small
+ \unitlength 0.6mm
+ \begin{picture}(40,60)(0,0)
+ \put(20,60){\makebox(0,0){@{text semigroup}}}
+ \put(20,40){\makebox(0,0){@{text monoidl}}}
+ \put(00,20){\makebox(0,0){@{text monoid}}}
+ \put(40,00){\makebox(0,0){@{text group}}}
+ \put(20,55){\vector(0,-1){10}}
+ \put(15,35){\vector(-1,-1){10}}
+ \put(25,35){\vector(1,-3){10}}
+ \end{picture}
+ \hspace{8em}
+ \begin{picture}(40,60)(0,0)
+ \put(20,60){\makebox(0,0){@{text semigroup}}}
+ \put(20,40){\makebox(0,0){@{text monoidl}}}
+ \put(00,20){\makebox(0,0){@{text monoid}}}
+ \put(40,00){\makebox(0,0){@{text group}}}
+ \put(20,55){\vector(0,-1){10}}
+ \put(15,35){\vector(-1,-1){10}}
+ \put(05,15){\vector(3,-1){30}}
+ \end{picture}
+ \caption{Subclass relationship of monoids and groups:
+ before and after establishing the relationship
+ @{text "group \<subseteq> monoid"}; transitive edges are left out.}
+ \label{fig:subclass}
+ \end{center}
+ \end{figure}
+
+ For illustration, a derived definition in @{text group} using @{text
+ pow_nat}
+*}
+
+definition %quote (in group) pow_int :: "int \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>" where
+ "pow_int k x = (if k >= 0
+ then pow_nat (nat k) x
+ else (pow_nat (nat (- k)) x)\<div>)"
+
+text {*
+ \noindent yields the global definition of @{term [source] "pow_int \<Colon>
+ int \<Rightarrow> \<alpha>\<Colon>group \<Rightarrow> \<alpha>\<Colon>group"} with the corresponding theorem @{thm
+ pow_int_def [no_vars]}.
+*}
+
+subsection {* A note on syntax *}
+
+text {*
+ As a convenience, class context syntax allows references to local
+ class operations and their global counterparts uniformly; type
+ inference resolves ambiguities. For example:
+*}
+
+context %quote semigroup
+begin
+
+term %quote "x \<otimes> y" -- {* example 1 *}
+term %quote "(x\<Colon>nat) \<otimes> y" -- {* example 2 *}
+
+end %quote
+
+term %quote "x \<otimes> y" -- {* example 3 *}
+
+text {*
+ \noindent Here in example 1, the term refers to the local class
+ operation @{text "mult [\<alpha>]"}, whereas in example 2 the type
+ constraint enforces the global class operation @{text "mult [nat]"}.
+ In the global context in example 3, the reference is to the
+ polymorphic global class operation @{text "mult [?\<alpha> \<Colon> semigroup]"}.
+*}
+
+section {* Further issues *}
+
+subsection {* Type classes and code generation *}
+
+text {*
+ Turning back to the first motivation for type classes, namely
+ overloading, it is obvious that overloading stemming from @{command
+ class} statements and @{command instantiation} targets naturally
+ maps to Haskell type classes. The code generator framework
+ \cite{isabelle-codegen} takes this into account. If the target
+ language (e.g.~SML) lacks type classes, then they are implemented by
+ an explicit dictionary construction. As example, let's go back to
+ the power function:
+*}
+
+definition %quote example :: int where
+ "example = pow_int 10 (-2)"
+
+text {*
+ \noindent This maps to Haskell as follows:
+*}
+(*<*)code_include %invisible Haskell "Natural" -(*>*)
+text %quotetypewriter {*
+ @{code_stmts example (Haskell)}
+*}
+
+text {*
+ \noindent The code in SML has explicit dictionary passing:
+*}
+text %quotetypewriter {*
+ @{code_stmts example (SML)}
+*}
+
+
+text {*
+ \noindent In Scala, implicts are used as dictionaries:
+*}
+(*<*)code_include %invisible Scala "Natural" -(*>*)
+text %quotetypewriter {*
+ @{code_stmts example (Scala)}
+*}
+
+
+subsection {* Inspecting the type class universe *}
+
+text {*
+ To facilitate orientation in complex subclass structures, two
+ diagnostics commands are provided:
+
+ \begin{description}
+
+ \item[@{command "print_classes"}] print a list of all classes
+ together with associated operations etc.
+
+ \item[@{command "class_deps"}] visualizes the subclass relation
+ between all classes as a Hasse diagram.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Classes/Setup.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,40 @@
+theory Setup
+imports Main "~~/src/HOL/Library/Code_Integer"
+begin
+
+ML_file "../antiquote_setup.ML"
+ML_file "../more_antiquote.ML"
+
+setup {*
+ Antiquote_Setup.setup #>
+ More_Antiquote.setup #>
+ Code_Target.set_default_code_width 74
+*}
+
+syntax
+ "_alpha" :: "type" ("\<alpha>")
+ "_alpha_ofsort" :: "sort \<Rightarrow> type" ("\<alpha>()\<Colon>_" [0] 1000)
+ "_beta" :: "type" ("\<beta>")
+ "_beta_ofsort" :: "sort \<Rightarrow> type" ("\<beta>()\<Colon>_" [0] 1000)
+
+parse_ast_translation {*
+ let
+ fun alpha_ast_tr [] = Ast.Variable "'a"
+ | alpha_ast_tr asts = raise Ast.AST ("alpha_ast_tr", asts);
+ fun alpha_ofsort_ast_tr [ast] =
+ Ast.Appl [Ast.Constant @{syntax_const "_ofsort"}, Ast.Variable "'a", ast]
+ | alpha_ofsort_ast_tr asts = raise Ast.AST ("alpha_ast_tr", asts);
+ fun beta_ast_tr [] = Ast.Variable "'b"
+ | beta_ast_tr asts = raise Ast.AST ("beta_ast_tr", asts);
+ fun beta_ofsort_ast_tr [ast] =
+ Ast.Appl [Ast.Constant @{syntax_const "_ofsort"}, Ast.Variable "'b", ast]
+ | beta_ofsort_ast_tr asts = raise Ast.AST ("beta_ast_tr", asts);
+ in
+ [(@{syntax_const "_alpha"}, alpha_ast_tr),
+ (@{syntax_const "_alpha_ofsort"}, alpha_ofsort_ast_tr),
+ (@{syntax_const "_beta"}, beta_ast_tr),
+ (@{syntax_const "_beta_ofsort"}, beta_ofsort_ast_tr)]
+ end
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Classes/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_isar.pdf Isar
+"$ISABELLE_TOOL" logo -o isabelle_isar.eps Isar
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Classes/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,46 @@
+\documentclass[12pt,a4paper,fleqn]{article}
+\usepackage{latexsym,graphicx}
+\usepackage{iman,extra,isar,proof}
+\usepackage{isabelle,isabellesym}
+\usepackage{style}
+\usepackage{pdfsetup}
+
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+\isadroptag{theory}
+
+\title{\includegraphics[scale=0.5]{isabelle_isar}
+ \\[4ex] Haskell-style type classes with Isabelle/Isar}
+\author{\emph{Florian Haftmann}}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ \noindent This tutorial introduces Isar type classes, which
+ are a convenient mechanism for organizing specifications.
+ Essentially, they combine an operational aspect (in the
+ manner of Haskell) with a logical aspect, both managed uniformly.
+\end{abstract}
+
+\thispagestyle{empty}\clearpage
+
+\pagenumbering{roman}
+\clearfirst
+
+\input{Classes.tex}
+
+\begingroup
+\bibliographystyle{plain} \small\raggedright\frenchspacing
+\bibliography{manual}
+\endgroup
+
+\end{document}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Classes/document/style.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,58 @@
+
+%% toc
+\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
+\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
+
+%% paragraphs
+\setlength{\parindent}{1em}
+
+%% references
+\newcommand{\secref}[1]{\S\ref{#1}}
+\newcommand{\figref}[1]{figure~\ref{#1}}
+
+%% logical markup
+\newcommand{\strong}[1]{{\bfseries {#1}}}
+\newcommand{\qn}[1]{\emph{#1}}
+
+%% typographic conventions
+\newcommand{\qt}[1]{``{#1}''}
+\newcommand{\ditem}[1]{\item[\isastyletext #1]}
+
+%% quote environment
+\isakeeptag{quote}
+\renewenvironment{quote}
+ {\list{}{\leftmargin2em\rightmargin0pt}\parindent0pt\parskip0pt\item\relax}
+ {\endlist}
+\renewcommand{\isatagquote}{\begin{quote}}
+\renewcommand{\endisatagquote}{\end{quote}}
+\newcommand{\quotebreak}{\\[1.2ex]}
+
+%% typewriter text
+\newenvironment{typewriter}{\renewcommand{\isastyletext}{}%
+\renewcommand{\isadigit}[1]{{##1}}%
+\parindent0pt%
+\makeatletter\isa@parindent0pt\makeatother%
+\isabellestyle{tt}\isastyle%
+\fontsize{9pt}{9pt}\selectfont}{}
+
+\isakeeptag{quotetypewriter}
+\renewcommand{\isatagquotetypewriter}{\begin{quote}\begin{typewriter}}
+\renewcommand{\endisatagquotetypewriter}{\end{typewriter}\end{quote}}
+
+%% presentation
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+%% character detail
+\renewcommand{\isadigit}[1]{\isamath{#1}}
+\binperiod
+\underscoreoff
+
+%% format
+\pagestyle{headings}
+\isabellestyle{it}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "implementation"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Adaptation.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,347 @@
+theory Adaptation
+imports Setup
+begin
+
+setup %invisible {* Code_Target.extend_target ("\<SML>", ("SML", K I))
+ #> Code_Target.extend_target ("\<SMLdummy>", ("Haskell", K I)) *}
+
+section {* Adaptation to target languages \label{sec:adaptation} *}
+
+subsection {* Adapting code generation *}
+
+text {*
+ The aspects of code generation introduced so far have two aspects
+ in common:
+
+ \begin{itemize}
+
+ \item They act uniformly, without reference to a specific target
+ language.
+
+ \item They are \emph{safe} in the sense that as long as you trust
+ the code generator meta theory and implementation, you cannot
+ produce programs that yield results which are not derivable in
+ the logic.
+
+ \end{itemize}
+
+ \noindent In this section we will introduce means to \emph{adapt}
+ the serialiser to a specific target language, i.e.~to print program
+ fragments in a way which accommodates \qt{already existing}
+ ingredients of a target language environment, for three reasons:
+
+ \begin{itemize}
+ \item improving readability and aesthetics of generated code
+ \item gaining efficiency
+ \item interface with language parts which have no direct counterpart
+ in @{text "HOL"} (say, imperative data structures)
+ \end{itemize}
+
+ \noindent Generally, you should avoid using those features yourself
+ \emph{at any cost}:
+
+ \begin{itemize}
+
+ \item The safe configuration methods act uniformly on every target
+ language, whereas for adaptation you have to treat each target
+ language separately.
+
+ \item Application is extremely tedious since there is no
+ abstraction which would allow for a static check, making it easy
+ to produce garbage.
+
+ \item Subtle errors can be introduced unconsciously.
+
+ \end{itemize}
+
+ \noindent However, even if you ought refrain from setting up
+ adaptation yourself, already the @{text "HOL"} comes with some
+ reasonable default adaptations (say, using target language list
+ syntax). There also some common adaptation cases which you can
+ setup by importing particular library theories. In order to
+ understand these, we provide some clues here; these however are not
+ supposed to replace a careful study of the sources.
+*}
+
+
+subsection {* The adaptation principle *}
+
+text {*
+ Figure \ref{fig:adaptation} illustrates what \qt{adaptation} is
+ conceptually supposed to be:
+
+ \begin{figure}[here]
+ \includegraphics{adapt}
+ \caption{The adaptation principle}
+ \label{fig:adaptation}
+ \end{figure}
+
+ \noindent In the tame view, code generation acts as broker between
+ @{text logic}, @{text "intermediate language"} and @{text "target
+ language"} by means of @{text translation} and @{text
+ serialisation}; for the latter, the serialiser has to observe the
+ structure of the @{text language} itself plus some @{text reserved}
+ keywords which have to be avoided for generated code. However, if
+ you consider @{text adaptation} mechanisms, the code generated by
+ the serializer is just the tip of the iceberg:
+
+ \begin{itemize}
+
+ \item @{text serialisation} can be \emph{parametrised} such that
+ logical entities are mapped to target-specific ones
+ (e.g. target-specific list syntax, see also
+ \secref{sec:adaptation_mechanisms})
+
+ \item Such parametrisations can involve references to a
+ target-specific standard @{text library} (e.g. using the @{text
+ Haskell} @{verbatim Maybe} type instead of the @{text HOL}
+ @{type "option"} type); if such are used, the corresponding
+ identifiers (in our example, @{verbatim Maybe}, @{verbatim
+ Nothing} and @{verbatim Just}) also have to be considered @{text
+ reserved}.
+
+ \item Even more, the user can enrich the library of the
+ target-language by providing code snippets (\qt{@{text
+ "includes"}}) which are prepended to any generated code (see
+ \secref{sec:include}); this typically also involves further
+ @{text reserved} identifiers.
+
+ \end{itemize}
+
+ \noindent As figure \ref{fig:adaptation} illustrates, all these
+ adaptation mechanisms have to act consistently; it is at the
+ discretion of the user to take care for this.
+*}
+
+subsection {* Common adaptation patterns *}
+
+text {*
+ The @{theory HOL} @{theory Main} theory already provides a code
+ generator setup which should be suitable for most applications.
+ Common extensions and modifications are available by certain
+ theories of the @{text HOL} library; beside being useful in
+ applications, they may serve as a tutorial for customising the code
+ generator setup (see below \secref{sec:adaptation_mechanisms}).
+
+ \begin{description}
+
+ \item[@{text "Code_Integer"}] represents @{text HOL} integers by
+ big integer literals in target languages.
+
+ \item[@{text "Code_Char"}] represents @{text HOL} characters by
+ character literals in target languages.
+
+ \item[@{text "Code_Char_chr"}] like @{text "Code_Char"}, but
+ also offers treatment of character codes; includes @{text
+ "Code_Char"}.
+
+ \item[@{text "Efficient_Nat"}] \label{eff_nat} implements
+ natural numbers by integers, which in general will result in
+ higher efficiency; pattern matching with @{term "0\<Colon>nat"} /
+ @{const "Suc"} is eliminated; includes @{text "Code_Integer"}
+ and @{text "Code_Numeral"}.
+
+ \item[@{theory "Code_Numeral"}] provides an additional datatype
+ @{typ index} which is mapped to target-language built-in
+ integers. Useful for code setups which involve e.g.~indexing
+ of target-language arrays. Part of @{text "HOL-Main"}.
+
+ \item[@{theory "String"}] provides an additional datatype @{typ
+ String.literal} which is isomorphic to strings; @{typ
+ String.literal}s are mapped to target-language strings. Useful
+ for code setups which involve e.g.~printing (error) messages.
+ Part of @{text "HOL-Main"}.
+
+ \end{description}
+
+ \begin{warn}
+ When importing any of those theories which are not part of
+ @{text "HOL-Main"}, they should form the last
+ items in an import list. Since these theories adapt the code
+ generator setup in a non-conservative fashion, strange effects may
+ occur otherwise.
+ \end{warn}
+*}
+
+
+subsection {* Parametrising serialisation \label{sec:adaptation_mechanisms} *}
+
+text {*
+ Consider the following function and its corresponding SML code:
+*}
+
+primrec %quote in_interval :: "nat \<times> nat \<Rightarrow> nat \<Rightarrow> bool" where
+ "in_interval (k, l) n \<longleftrightarrow> k \<le> n \<and> n \<le> l"
+(*<*)
+code_type %invisible bool
+ (SML)
+code_const %invisible True and False and "op \<and>" and Not
+ (SML and and and)
+(*>*)
+text %quotetypewriter {*
+ @{code_stmts in_interval (SML)}
+*}
+
+text {*
+ \noindent Though this is correct code, it is a little bit
+ unsatisfactory: boolean values and operators are materialised as
+ distinguished entities with have nothing to do with the SML-built-in
+ notion of \qt{bool}. This results in less readable code;
+ additionally, eager evaluation may cause programs to loop or break
+ which would perfectly terminate when the existing SML @{verbatim
+ "bool"} would be used. To map the HOL @{typ bool} on SML @{verbatim
+ "bool"}, we may use \qn{custom serialisations}:
+*}
+
+code_type %quotett bool
+ (SML "bool")
+code_const %quotett True and False and "op \<and>"
+ (SML "true" and "false" and "_ andalso _")
+
+text {*
+ \noindent The @{command_def code_type} command takes a type constructor
+ as arguments together with a list of custom serialisations. Each
+ custom serialisation starts with a target language identifier
+ followed by an expression, which during code serialisation is
+ inserted whenever the type constructor would occur. For constants,
+ @{command_def code_const} implements the corresponding mechanism. Each
+ ``@{verbatim "_"}'' in a serialisation expression is treated as a
+ placeholder for the type constructor's (the constant's) arguments.
+*}
+
+text %quotetypewriter {*
+ @{code_stmts in_interval (SML)}
+*}
+
+text {*
+ \noindent This still is not perfect: the parentheses around the
+ \qt{andalso} expression are superfluous. Though the serialiser by
+ no means attempts to imitate the rich Isabelle syntax framework, it
+ provides some common idioms, notably associative infixes with
+ precedences which may be used here:
+*}
+
+code_const %quotett "op \<and>"
+ (SML infixl 1 "andalso")
+
+text %quotetypewriter {*
+ @{code_stmts in_interval (SML)}
+*}
+
+text {*
+ \noindent The attentive reader may ask how we assert that no
+ generated code will accidentally overwrite. For this reason the
+ serialiser has an internal table of identifiers which have to be
+ avoided to be used for new declarations. Initially, this table
+ typically contains the keywords of the target language. It can be
+ extended manually, thus avoiding accidental overwrites, using the
+ @{command_def "code_reserved"} command:
+*}
+
+code_reserved %quote "\<SMLdummy>" bool true false andalso
+
+text {*
+ \noindent Next, we try to map HOL pairs to SML pairs, using the
+ infix ``@{verbatim "*"}'' type constructor and parentheses:
+*}
+(*<*)
+code_type %invisible prod
+ (SML)
+code_const %invisible Pair
+ (SML)
+(*>*)
+code_type %quotett prod
+ (SML infix 2 "*")
+code_const %quotett Pair
+ (SML "!((_),/ (_))")
+
+text {*
+ \noindent The initial bang ``@{verbatim "!"}'' tells the serialiser
+ never to put parentheses around the whole expression (they are
+ already present), while the parentheses around argument place
+ holders tell not to put parentheses around the arguments. The slash
+ ``@{verbatim "/"}'' (followed by arbitrary white space) inserts a
+ space which may be used as a break if necessary during pretty
+ printing.
+
+ These examples give a glimpse what mechanisms custom serialisations
+ provide; however their usage requires careful thinking in order not
+ to introduce inconsistencies -- or, in other words: custom
+ serialisations are completely axiomatic.
+
+ A further noteworthy detail is that any special character in a
+ custom serialisation may be quoted using ``@{verbatim "'"}''; thus,
+ in ``@{verbatim "fn '_ => _"}'' the first ``@{verbatim "_"}'' is a
+ proper underscore while the second ``@{verbatim "_"}'' is a
+ placeholder.
+*}
+
+
+subsection {* @{text Haskell} serialisation *}
+
+text {*
+ For convenience, the default @{text HOL} setup for @{text Haskell}
+ maps the @{class equal} class to its counterpart in @{text Haskell},
+ giving custom serialisations for the class @{class equal} (by command
+ @{command_def code_class}) and its operation @{const [source] HOL.equal}
+*}
+
+code_class %quotett equal
+ (Haskell "Eq")
+
+code_const %quotett "HOL.equal"
+ (Haskell infixl 4 "==")
+
+text {*
+ \noindent A problem now occurs whenever a type which is an instance
+ of @{class equal} in @{text HOL} is mapped on a @{text
+ Haskell}-built-in type which is also an instance of @{text Haskell}
+ @{text Eq}:
+*}
+
+typedecl %quote bar
+
+instantiation %quote bar :: equal
+begin
+
+definition %quote "HOL.equal (x\<Colon>bar) y \<longleftrightarrow> x = y"
+
+instance %quote by default (simp add: equal_bar_def)
+
+end %quote (*<*)
+
+(*>*) code_type %quotett bar
+ (Haskell "Integer")
+
+text {*
+ \noindent The code generator would produce an additional instance,
+ which of course is rejected by the @{text Haskell} compiler. To
+ suppress this additional instance, use @{command_def "code_instance"}:
+*}
+
+code_instance %quotett bar :: equal
+ (Haskell -)
+
+
+subsection {* Enhancing the target language context \label{sec:include} *}
+
+text {*
+ In rare cases it is necessary to \emph{enrich} the context of a
+ target language; this is accomplished using the @{command_def
+ "code_include"} command:
+*}
+
+code_include %quotett Haskell "Errno"
+{*errno i = error ("Error number: " ++ show i)*}
+
+code_reserved %quotett Haskell Errno
+
+text {*
+ \noindent Such named @{text include}s are then prepended to every
+ generated code. Inspect such code in order to find out how
+ @{command "code_include"} behaves with respect to a particular
+ target language.
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Evaluation.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,287 @@
+theory Evaluation
+imports Setup
+begin
+
+section {* Evaluation \label{sec:evaluation} *}
+
+text {*
+ Recalling \secref{sec:principle}, code generation turns a system of
+ equations into a program with the \emph{same} equational semantics.
+ As a consequence, this program can be used as a \emph{rewrite
+ engine} for terms: rewriting a term @{term "t"} using a program to a
+ term @{term "t'"} yields the theorems @{prop "t \<equiv> t'"}. This
+ application of code generation in the following is referred to as
+ \emph{evaluation}.
+*}
+
+
+subsection {* Evaluation techniques *}
+
+text {*
+ The existing infrastructure provides a rich palette of evaluation
+ techniques, each comprising different aspects:
+
+ \begin{description}
+
+ \item[Expressiveness.] Depending on how good symbolic computation
+ is supported, the class of terms which can be evaluated may be
+ bigger or smaller.
+
+ \item[Efficiency.] The more machine-near the technique, the
+ faster it is.
+
+ \item[Trustability.] Techniques which a huge (and also probably
+ more configurable infrastructure) are more fragile and less
+ trustable.
+
+ \end{description}
+*}
+
+
+subsubsection {* The simplifier (@{text simp}) *}
+
+text {*
+ The simplest way for evaluation is just using the simplifier with
+ the original code equations of the underlying program. This gives
+ fully symbolic evaluation and highest trustablity, with the usual
+ performance of the simplifier. Note that for operations on abstract
+ datatypes (cf.~\secref{sec:invariant}), the original theorems as
+ given by the users are used, not the modified ones.
+*}
+
+
+subsubsection {* Normalization by evaluation (@{text nbe}) *}
+
+text {*
+ Normalization by evaluation \cite{Aehlig-Haftmann-Nipkow:2008:nbe}
+ provides a comparably fast partially symbolic evaluation which
+ permits also normalization of functions and uninterpreted symbols;
+ the stack of code to be trusted is considerable.
+*}
+
+
+subsubsection {* Evaluation in ML (@{text code}) *}
+
+text {*
+ Highest performance can be achieved by evaluation in ML, at the cost
+ of being restricted to ground results and a layered stack of code to
+ be trusted, including code generator configurations by the user.
+
+ Evaluation is carried out in a target language \emph{Eval} which
+ inherits from \emph{SML} but for convenience uses parts of the
+ Isabelle runtime environment. The soundness of computation carried
+ out there depends crucially on the correctness of the code
+ generator setup; this is one of the reasons why you should not use
+ adaptation (see \secref{sec:adaptation}) frivolously.
+*}
+
+
+subsection {* Aspects of evaluation *}
+
+text {*
+ Each of the techniques can be combined with different aspects. The
+ most important distinction is between dynamic and static evaluation.
+ Dynamic evaluation takes the code generator configuration \qt{as it
+ is} at the point where evaluation is issued. Best example is the
+ @{command_def value} command which allows ad-hoc evaluation of
+ terms:
+*}
+
+value %quote "42 / (12 :: rat)"
+
+text {*
+ \noindent By default @{command value} tries all available evaluation
+ techniques and prints the result of the first succeeding one. A particular
+ technique may be specified in square brackets, e.g.
+*}
+
+value %quote [nbe] "42 / (12 :: rat)"
+
+text {*
+ To employ dynamic evaluation in the document generation, there is also
+ a @{text value} antiquotation. By default, it also tries all available evaluation
+ techniques and prints the result of the first succeeding one, unless a particular
+ technique is specified in square brackets.
+
+ Static evaluation freezes the code generator configuration at a
+ certain point and uses this context whenever evaluation is issued
+ later on. This is particularly appropriate for proof procedures
+ which use evaluation, since then the behaviour of evaluation is not
+ changed or even compromised later on by actions of the user.
+
+ As a technical complication, terms after evaluation in ML must be
+ turned into Isabelle's internal term representation again. Since
+ this is also configurable, it is never fully trusted. For this
+ reason, evaluation in ML comes with further aspects:
+
+ \begin{description}
+
+ \item[Plain evaluation.] A term is normalized using the provided
+ term reconstruction from ML to Isabelle; for applications which
+ do not need to be fully trusted.
+
+ \item[Property conversion.] Evaluates propositions; since these
+ are monomorphic, the term reconstruction is fixed once and for all
+ and therefore trustable.
+
+ \item[Conversion.] Evaluates an arbitrary term @{term "t"} first
+ by plain evaluation and certifies the result @{term "t'"} by
+ checking the equation @{term "t \<equiv> t'"} using property
+ conversion.
+
+ \end{description}
+
+ \noindent The picture is further complicated by the roles of
+ exceptions. Here three cases have to be distinguished:
+
+ \begin{itemize}
+
+ \item Evaluation of @{term t} terminates with a result @{term
+ "t'"}.
+
+ \item Evaluation of @{term t} terminates which en exception
+ indicating a pattern match failure or a non-implemented
+ function. As sketched in \secref{sec:partiality}, this can be
+ interpreted as partiality.
+
+ \item Evaluation raises any other kind of exception.
+
+ \end{itemize}
+
+ \noindent For conversions, the first case yields the equation @{term
+ "t = t'"}, the second defaults to reflexivity @{term "t = t"}.
+ Exceptions of the third kind are propagated to the user.
+
+ By default return values of plain evaluation are optional, yielding
+ @{text "SOME t'"} in the first case, @{text "NONE"} in the
+ second, and propagating the exception in the third case. A strict
+ variant of plain evaluation either yields @{text "t'"} or propagates
+ any exception, a liberal variant caputures any exception in a result
+ of type @{text "Exn.result"}.
+
+ For property conversion (which coincides with conversion except for
+ evaluation in ML), methods are provided which solve a given goal by
+ evaluation.
+*}
+
+
+subsection {* Schematic overview *}
+
+text {*
+ \newcommand{\ttsize}{\fontsize{5.8pt}{8pt}\selectfont}
+ \fontsize{9pt}{12pt}\selectfont
+ \begin{tabular}{ll||c|c|c}
+ & & @{text simp} & @{text nbe} & @{text code} \tabularnewline \hline \hline
+ \multirow{5}{1ex}{\rotatebox{90}{dynamic}}
+ & interactive evaluation
+ & @{command value} @{text "[simp]"} & @{command value} @{text "[nbe]"} & @{command value} @{text "[code]"}
+ \tabularnewline
+ & plain evaluation & & & \ttsize@{ML "Code_Evaluation.dynamic_value"} \tabularnewline \cline{2-5}
+ & evaluation method & @{method code_simp} & @{method normalization} & @{method eval} \tabularnewline
+ & property conversion & & & \ttsize@{ML "Code_Runtime.dynamic_holds_conv"} \tabularnewline \cline{2-5}
+ & conversion & \ttsize@{ML "Code_Simp.dynamic_conv"} & \ttsize@{ML "Nbe.dynamic_conv"}
+ & \ttsize@{ML "Code_Evaluation.dynamic_conv"} \tabularnewline \hline \hline
+ \multirow{3}{1ex}{\rotatebox{90}{static}}
+ & plain evaluation & & & \ttsize@{ML "Code_Evaluation.static_value"} \tabularnewline \cline{2-5}
+ & property conversion & &
+ & \ttsize@{ML "Code_Runtime.static_holds_conv"} \tabularnewline \cline{2-5}
+ & conversion & \ttsize@{ML "Code_Simp.static_conv"}
+ & \ttsize@{ML "Nbe.static_conv"}
+ & \ttsize@{ML "Code_Evaluation.static_conv"}
+ \end{tabular}
+*}
+
+
+subsection {* Intimate connection between logic and system runtime *}
+
+text {*
+ The toolbox of static evaluation conversions forms a reasonable base
+ to interweave generated code and system tools. However in some
+ situations more direct interaction is desirable.
+*}
+
+
+subsubsection {* Static embedding of generated code into system runtime -- the @{text code} antiquotation *}
+
+text {*
+ The @{text code} antiquotation allows to include constants from
+ generated code directly into ML system code, as in the following toy
+ example:
+*}
+
+datatype %quote form = T | F | And form form | Or form form (*<*)
+
+(*>*) ML %quotett {*
+ fun eval_form @{code T} = true
+ | eval_form @{code F} = false
+ | eval_form (@{code And} (p, q)) =
+ eval_form p andalso eval_form q
+ | eval_form (@{code Or} (p, q)) =
+ eval_form p orelse eval_form q;
+*}
+
+text {*
+ \noindent @{text code} takes as argument the name of a constant;
+ after the whole ML is read, the necessary code is generated
+ transparently and the corresponding constant names are inserted.
+ This technique also allows to use pattern matching on constructors
+ stemming from compiled datatypes. Note that the @{text code}
+ antiquotation may not refer to constants which carry adaptations;
+ here you have to refer to the corresponding adapted code directly.
+
+ For a less simplistic example, theory @{text Approximation} in
+ the @{text Decision_Procs} session is a good reference.
+*}
+
+
+subsubsection {* Static embedding of generated code into system runtime -- @{text code_reflect} *}
+
+text {*
+ The @{text code} antiquoation is lightweight, but the generated code
+ is only accessible while the ML section is processed. Sometimes this
+ is not appropriate, especially if the generated code contains datatype
+ declarations which are shared with other parts of the system. In these
+ cases, @{command_def code_reflect} can be used:
+*}
+
+code_reflect %quote Sum_Type
+ datatypes sum = Inl | Inr
+ functions "Sum_Type.Projl" "Sum_Type.Projr"
+
+text {*
+ \noindent @{command_def code_reflect} takes a structure name and
+ references to datatypes and functions; for these code is compiled
+ into the named ML structure and the \emph{Eval} target is modified
+ in a way that future code generation will reference these
+ precompiled versions of the given datatypes and functions. This
+ also allows to refer to the referenced datatypes and functions from
+ arbitrary ML code as well.
+
+ A typical example for @{command code_reflect} can be found in the
+ @{theory Predicate} theory.
+*}
+
+
+subsubsection {* Separate compilation -- @{text code_reflect} *}
+
+text {*
+ For technical reasons it is sometimes necessary to separate
+ generation and compilation of code which is supposed to be used in
+ the system runtime. For this @{command code_reflect} with an
+ optional @{text "file"} argument can be used:
+*}
+
+code_reflect %quote Rat
+ datatypes rat = Frct
+ functions Fract
+ "(plus :: rat \<Rightarrow> rat \<Rightarrow> rat)" "(minus :: rat \<Rightarrow> rat \<Rightarrow> rat)"
+ "(times :: rat \<Rightarrow> rat \<Rightarrow> rat)" "(divide :: rat \<Rightarrow> rat \<Rightarrow> rat)"
+ file "examples/rat.ML"
+
+text {*
+ \noindent This merely generates the referenced code to the given
+ file which can be included into the system runtime later on.
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Foundations.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,347 @@
+theory Foundations
+imports Introduction
+begin
+
+section {* Code generation foundations \label{sec:foundations} *}
+
+subsection {* Code generator architecture \label{sec:architecture} *}
+
+text {*
+ The code generator is actually a framework consisting of different
+ components which can be customised individually.
+
+ Conceptually all components operate on Isabelle's logic framework
+ @{theory Pure}. Practically, the object logic @{theory HOL}
+ provides the necessary facilities to make use of the code generator,
+ mainly since it is an extension of @{theory Pure}.
+
+ The constellation of the different components is visualized in the
+ following picture.
+
+ \begin{figure}[h]
+ \includegraphics{architecture}
+ \caption{Code generator architecture}
+ \label{fig:arch}
+ \end{figure}
+
+ \noindent Central to code generation is the notion of \emph{code
+ equations}. A code equation as a first approximation is a theorem
+ of the form @{text "f t\<^isub>1 t\<^isub>2 \<dots> t\<^isub>n \<equiv> t"} (an equation headed by a
+ constant @{text f} with arguments @{text "t\<^isub>1 t\<^isub>2 \<dots> t\<^isub>n"} and right
+ hand side @{text t}).
+
+ \begin{itemize}
+
+ \item Starting point of code generation is a collection of (raw)
+ code equations in a theory. It is not relevant where they stem
+ from, but typically they were either produced by specification
+ tools or proved explicitly by the user.
+
+ \item These raw code equations can be subjected to theorem
+ transformations. This \qn{preprocessor} (see
+ \secref{sec:preproc}) can apply the full expressiveness of
+ ML-based theorem transformations to code generation. The result
+ of preprocessing is a structured collection of code equations.
+
+ \item These code equations are \qn{translated} to a program in an
+ abstract intermediate language. Think of it as a kind of
+ \qt{Mini-Haskell} with four \qn{statements}: @{text data} (for
+ datatypes), @{text fun} (stemming from code equations), also
+ @{text class} and @{text inst} (for type classes).
+
+ \item Finally, the abstract program is \qn{serialised} into
+ concrete source code of a target language. This step only
+ produces concrete syntax but does not change the program in
+ essence; all conceptual transformations occur in the translation
+ step.
+
+ \end{itemize}
+
+ \noindent From these steps, only the last two are carried out
+ outside the logic; by keeping this layer as thin as possible, the
+ amount of code to trust is kept to a minimum.
+*}
+
+
+subsection {* The preprocessor \label{sec:preproc} *}
+
+text {*
+ Before selected function theorems are turned into abstract code, a
+ chain of definitional transformation steps is carried out:
+ \emph{preprocessing}. The preprocessor consists of two
+ components: a \emph{simpset} and \emph{function transformers}.
+
+ The \emph{simpset} can apply the full generality of the Isabelle
+ simplifier. Due to the interpretation of theorems as code
+ equations, rewrites are applied to the right hand side and the
+ arguments of the left hand side of an equation, but never to the
+ constant heading the left hand side. An important special case are
+ \emph{unfold theorems}, which may be declared and removed using the
+ @{attribute code_unfold} or \emph{@{attribute code_unfold} del}
+ attribute, respectively.
+
+ Some common applications:
+*}
+
+text_raw {*
+ \begin{itemize}
+*}
+
+text {*
+ \item replacing non-executable constructs by executable ones:
+*}
+
+lemma %quote [code_unfold]:
+ "x \<in> set xs \<longleftrightarrow> List.member xs x" by (fact in_set_member)
+
+text {*
+ \item replacing executable but inconvenient constructs:
+*}
+
+lemma %quote [code_unfold]:
+ "xs = [] \<longleftrightarrow> List.null xs" by (fact eq_Nil_null)
+
+text {*
+ \item eliminating disturbing expressions:
+*}
+
+lemma %quote [code_unfold]:
+ "1 = Suc 0" by (fact One_nat_def)
+
+text_raw {*
+ \end{itemize}
+*}
+
+text {*
+ \noindent \emph{Function transformers} provide a very general
+ interface, transforming a list of function theorems to another list
+ of function theorems, provided that neither the heading constant nor
+ its type change. The @{term "0\<Colon>nat"} / @{const Suc} pattern
+ elimination implemented in theory @{text Efficient_Nat} (see
+ \secref{eff_nat}) uses this interface.
+
+ \noindent The current setup of the preprocessor may be inspected
+ using the @{command_def print_codeproc} command. @{command_def
+ code_thms} (see \secref{sec:equations}) provides a convenient
+ mechanism to inspect the impact of a preprocessor setup on code
+ equations.
+*}
+
+
+subsection {* Understanding code equations \label{sec:equations} *}
+
+text {*
+ As told in \secref{sec:principle}, the notion of code equations is
+ vital to code generation. Indeed most problems which occur in
+ practice can be resolved by an inspection of the underlying code
+ equations.
+
+ It is possible to exchange the default code equations for constants
+ by explicitly proving alternative ones:
+*}
+
+lemma %quote [code]:
+ "dequeue (AQueue xs []) =
+ (if xs = [] then (None, AQueue [] [])
+ else dequeue (AQueue [] (rev xs)))"
+ "dequeue (AQueue xs (y # ys)) =
+ (Some y, AQueue xs ys)"
+ by (cases xs, simp_all) (cases "rev xs", simp_all)
+
+text {*
+ \noindent The annotation @{text "[code]"} is an @{text attribute}
+ which states that the given theorems should be considered as code
+ equations for a @{text fun} statement -- the corresponding constant
+ is determined syntactically. The resulting code:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts dequeue (consts) dequeue (Haskell)}
+*}
+
+text {*
+ \noindent You may note that the equality test @{term "xs = []"} has
+ been replaced by the predicate @{term "List.null xs"}. This is due
+ to the default setup of the \qn{preprocessor}.
+
+ This possibility to select arbitrary code equations is the key
+ technique for program and datatype refinement (see
+ \secref{sec:refinement}).
+
+ Due to the preprocessor, there is the distinction of raw code
+ equations (before preprocessing) and code equations (after
+ preprocessing).
+
+ The first can be listed (among other data) using the @{command_def
+ print_codesetup} command.
+
+ The code equations after preprocessing are already are blueprint of
+ the generated program and can be inspected using the @{command
+ code_thms} command:
+*}
+
+code_thms %quote dequeue
+
+text {*
+ \noindent This prints a table with the code equations for @{const
+ dequeue}, including \emph{all} code equations those equations depend
+ on recursively. These dependencies themselves can be visualized using
+ the @{command_def code_deps} command.
+*}
+
+
+subsection {* Equality *}
+
+text {*
+ Implementation of equality deserves some attention. Here an example
+ function involving polymorphic equality:
+*}
+
+primrec %quote collect_duplicates :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+ "collect_duplicates xs ys [] = xs"
+| "collect_duplicates xs ys (z#zs) = (if z \<in> set xs
+ then if z \<in> set ys
+ then collect_duplicates xs ys zs
+ else collect_duplicates xs (z#ys) zs
+ else collect_duplicates (z#xs) (z#ys) zs)"
+
+text {*
+ \noindent During preprocessing, the membership test is rewritten,
+ resulting in @{const List.member}, which itself performs an explicit
+ equality check, as can be seen in the corresponding @{text SML} code:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts collect_duplicates (SML)}
+*}
+
+text {*
+ \noindent Obviously, polymorphic equality is implemented the Haskell
+ way using a type class. How is this achieved? HOL introduces an
+ explicit class @{class equal} with a corresponding operation @{const
+ HOL.equal} such that @{thm equal [no_vars]}. The preprocessing
+ framework does the rest by propagating the @{class equal} constraints
+ through all dependent code equations. For datatypes, instances of
+ @{class equal} are implicitly derived when possible. For other types,
+ you may instantiate @{text equal} manually like any other type class.
+*}
+
+
+subsection {* Explicit partiality \label{sec:partiality} *}
+
+text {*
+ Partiality usually enters the game by partial patterns, as
+ in the following example, again for amortised queues:
+*}
+
+definition %quote strict_dequeue :: "'a queue \<Rightarrow> 'a \<times> 'a queue" where
+ "strict_dequeue q = (case dequeue q
+ of (Some x, q') \<Rightarrow> (x, q'))"
+
+lemma %quote strict_dequeue_AQueue [code]:
+ "strict_dequeue (AQueue xs (y # ys)) = (y, AQueue xs ys)"
+ "strict_dequeue (AQueue xs []) =
+ (case rev xs of y # ys \<Rightarrow> (y, AQueue [] ys))"
+ by (simp_all add: strict_dequeue_def) (cases xs, simp_all split: list.split)
+
+text {*
+ \noindent In the corresponding code, there is no equation
+ for the pattern @{term "AQueue [] []"}:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts strict_dequeue (consts) strict_dequeue (Haskell)}
+*}
+
+text {*
+ \noindent In some cases it is desirable to have this
+ pseudo-\qt{partiality} more explicitly, e.g.~as follows:
+*}
+
+axiomatization %quote empty_queue :: 'a
+
+definition %quote strict_dequeue' :: "'a queue \<Rightarrow> 'a \<times> 'a queue" where
+ "strict_dequeue' q = (case dequeue q of (Some x, q') \<Rightarrow> (x, q') | _ \<Rightarrow> empty_queue)"
+
+lemma %quote strict_dequeue'_AQueue [code]:
+ "strict_dequeue' (AQueue xs []) = (if xs = [] then empty_queue
+ else strict_dequeue' (AQueue [] (rev xs)))"
+ "strict_dequeue' (AQueue xs (y # ys)) =
+ (y, AQueue xs ys)"
+ by (simp_all add: strict_dequeue'_def split: list.splits)
+
+text {*
+ Observe that on the right hand side of the definition of @{const
+ "strict_dequeue'"}, the unspecified constant @{const empty_queue} occurs.
+
+ Normally, if constants without any code equations occur in a
+ program, the code generator complains (since in most cases this is
+ indeed an error). But such constants can also be thought
+ of as function definitions which always fail,
+ since there is never a successful pattern match on the left hand
+ side. In order to categorise a constant into that category
+ explicitly, use @{command_def "code_abort"}:
+*}
+
+code_abort %quote empty_queue
+
+text {*
+ \noindent Then the code generator will just insert an error or
+ exception at the appropriate position:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts strict_dequeue' (consts) empty_queue strict_dequeue' (Haskell)}
+*}
+
+text {*
+ \noindent This feature however is rarely needed in practice. Note
+ also that the HOL default setup already declares @{const undefined}
+ as @{command "code_abort"}, which is most likely to be used in such
+ situations.
+*}
+
+
+subsection {* If something goes utterly wrong \label{sec:utterly_wrong} *}
+
+text {*
+ Under certain circumstances, the code generator fails to produce
+ code entirely. To debug these, the following hints may prove
+ helpful:
+
+ \begin{description}
+
+ \ditem{\emph{Check with a different target language}.} Sometimes
+ the situation gets more clear if you switch to another target
+ language; the code generated there might give some hints what
+ prevents the code generator to produce code for the desired
+ language.
+
+ \ditem{\emph{Inspect code equations}.} Code equations are the central
+ carrier of code generation. Most problems occurring while generating
+ code can be traced to single equations which are printed as part of
+ the error message. A closer inspection of those may offer the key
+ for solving issues (cf.~\secref{sec:equations}).
+
+ \ditem{\emph{Inspect preprocessor setup}.} The preprocessor might
+ transform code equations unexpectedly; to understand an
+ inspection of its setup is necessary (cf.~\secref{sec:preproc}).
+
+ \ditem{\emph{Generate exceptions}.} If the code generator
+ complains about missing code equations, in can be helpful to
+ implement the offending constants as exceptions
+ (cf.~\secref{sec:partiality}); this allows at least for a formal
+ generation of code, whose inspection may then give clues what is
+ wrong.
+
+ \ditem{\emph{Remove offending code equations}.} If code
+ generation is prevented by just a single equation, this can be
+ removed (cf.~\secref{sec:equations}) to allow formal code
+ generation, whose result in turn can be used to trace the
+ problem. The most prominent case here are mismatches in type
+ class signatures (\qt{wellsortedness error}).
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Further.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,351 @@
+theory Further
+imports Setup
+begin
+
+section {* Further issues \label{sec:further} *}
+
+subsection {* Specialities of the @{text Scala} target language \label{sec:scala} *}
+
+text {*
+ @{text Scala} deviates from languages of the ML family in a couple
+ of aspects; those which affect code generation mainly have to do with
+ @{text Scala}'s type system:
+
+ \begin{itemize}
+
+ \item @{text Scala} prefers tupled syntax over curried syntax.
+
+ \item @{text Scala} sacrifices Hindely-Milner type inference for a
+ much more rich type system with subtyping etc. For this reason
+ type arguments sometimes have to be given explicitly in square
+ brackets (mimicking System F syntax).
+
+ \item In contrast to @{text Haskell} where most specialities of
+ the type system are implemented using \emph{type classes},
+ @{text Scala} provides a sophisticated system of \emph{implicit
+ arguments}.
+
+ \end{itemize}
+
+ \noindent Concerning currying, the @{text Scala} serializer counts
+ arguments in code equations to determine how many arguments
+ shall be tupled; remaining arguments and abstractions in terms
+ rather than function definitions are always curried.
+
+ The second aspect affects user-defined adaptations with @{command
+ code_const}. For regular terms, the @{text Scala} serializer prints
+ all type arguments explicitly. For user-defined term adaptations
+ this is only possible for adaptations which take no arguments: here
+ the type arguments are just appended. Otherwise they are ignored;
+ hence user-defined adaptations for polymorphic constants have to be
+ designed very carefully to avoid ambiguity.
+
+ Isabelle's type classes are mapped onto @{text Scala} implicits; in
+ cases with diamonds in the subclass hierarchy this can lead to
+ ambiguities in the generated code:
+*}
+
+class %quote class1 =
+ fixes foo :: "'a \<Rightarrow> 'a"
+
+class %quote class2 = class1
+
+class %quote class3 = class1
+
+text {*
+ \noindent Here both @{class class2} and @{class class3} inherit from @{class class1},
+ forming the upper part of a diamond.
+*}
+
+definition %quote bar :: "'a :: {class2, class3} \<Rightarrow> 'a" where
+ "bar = foo"
+
+text {*
+ \noindent This yields the following code:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts bar (Scala)}
+*}
+
+text {*
+ \noindent This code is rejected by the @{text Scala} compiler: in
+ the definition of @{text bar}, it is not clear from where to derive
+ the implicit argument for @{text foo}.
+
+ The solution to the problem is to close the diamond by a further
+ class with inherits from both @{class class2} and @{class class3}:
+*}
+
+class %quote class4 = class2 + class3
+
+text {*
+ \noindent Then the offending code equation can be restricted to
+ @{class class4}:
+*}
+
+lemma %quote [code]:
+ "(bar :: 'a::class4 \<Rightarrow> 'a) = foo"
+ by (simp only: bar_def)
+
+text {*
+ \noindent with the following code:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts bar (Scala)}
+*}
+
+text {*
+ \noindent which exposes no ambiguity.
+
+ Since the preprocessor (cf.~\secref{sec:preproc}) propagates sort
+ constraints through a system of code equations, it is usually not
+ very difficult to identify the set of code equations which actually
+ needs more restricted sort constraints.
+*}
+
+subsection {* Modules namespace *}
+
+text {*
+ When invoking the @{command export_code} command it is possible to
+ leave out the @{keyword "module_name"} part; then code is
+ distributed over different modules, where the module name space
+ roughly is induced by the Isabelle theory name space.
+
+ Then sometimes the awkward situation occurs that dependencies
+ between definitions introduce cyclic dependencies between modules,
+ which in the @{text Haskell} world leaves you to the mercy of the
+ @{text Haskell} implementation you are using, while for @{text
+ SML}/@{text OCaml} code generation is not possible.
+
+ A solution is to declare module names explicitly. Let use assume
+ the three cyclically dependent modules are named \emph{A}, \emph{B}
+ and \emph{C}. Then, by stating
+*}
+
+code_modulename %quote SML
+ A ABC
+ B ABC
+ C ABC
+
+text {*
+ \noindent we explicitly map all those modules on \emph{ABC},
+ resulting in an ad-hoc merge of this three modules at serialisation
+ time.
+*}
+
+subsection {* Locales and interpretation *}
+
+text {*
+ A technical issue comes to surface when generating code from
+ specifications stemming from locale interpretation.
+
+ Let us assume a locale specifying a power operation on arbitrary
+ types:
+*}
+
+locale %quote power =
+ fixes power :: "'a \<Rightarrow> 'b \<Rightarrow> 'b"
+ assumes power_commute: "power x \<circ> power y = power y \<circ> power x"
+begin
+
+text {*
+ \noindent Inside that locale we can lift @{text power} to exponent
+ lists by means of specification relative to that locale:
+*}
+
+primrec %quote powers :: "'a list \<Rightarrow> 'b \<Rightarrow> 'b" where
+ "powers [] = id"
+| "powers (x # xs) = power x \<circ> powers xs"
+
+lemma %quote powers_append:
+ "powers (xs @ ys) = powers xs \<circ> powers ys"
+ by (induct xs) simp_all
+
+lemma %quote powers_power:
+ "powers xs \<circ> power x = power x \<circ> powers xs"
+ by (induct xs)
+ (simp_all del: o_apply id_apply add: o_assoc [symmetric],
+ simp del: o_apply add: o_assoc power_commute)
+
+lemma %quote powers_rev:
+ "powers (rev xs) = powers xs"
+ by (induct xs) (simp_all add: powers_append powers_power)
+
+end %quote
+
+text {*
+ After an interpretation of this locale (say, @{command_def
+ interpretation} @{text "fun_power:"} @{term [source] "power (\<lambda>n (f
+ :: 'a \<Rightarrow> 'a). f ^^ n)"}), one would expect to have a constant @{text
+ "fun_power.powers :: nat list \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a"} for which code
+ can be generated. But this not the case: internally, the term
+ @{text "fun_power.powers"} is an abbreviation for the foundational
+ term @{term [source] "power.powers (\<lambda>n (f :: 'a \<Rightarrow> 'a). f ^^ n)"}
+ (see \cite{isabelle-locale} for the details behind).
+
+ Fortunately, with minor effort the desired behaviour can be
+ achieved. First, a dedicated definition of the constant on which
+ the local @{text "powers"} after interpretation is supposed to be
+ mapped on:
+*}
+
+definition %quote funpows :: "nat list \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a" where
+ [code del]: "funpows = power.powers (\<lambda>n f. f ^^ n)"
+
+text {*
+ \noindent In general, the pattern is @{text "c = t"} where @{text c}
+ is the name of the future constant and @{text t} the foundational
+ term corresponding to the local constant after interpretation.
+
+ The interpretation itself is enriched with an equation @{text "t = c"}:
+*}
+
+interpretation %quote fun_power: power "\<lambda>n (f :: 'a \<Rightarrow> 'a). f ^^ n" where
+ "power.powers (\<lambda>n f. f ^^ n) = funpows"
+ by unfold_locales
+ (simp_all add: fun_eq_iff funpow_mult mult_commute funpows_def)
+
+text {*
+ \noindent This additional equation is trivially proved by the
+ definition itself.
+
+ After this setup procedure, code generation can continue as usual:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts funpows (consts) Nat.funpow funpows (Haskell)}
+*}
+
+
+subsection {* Imperative data structures *}
+
+text {*
+ If you consider imperative data structures as inevitable for a
+ specific application, you should consider \emph{Imperative
+ Functional Programming with Isabelle/HOL}
+ \cite{bulwahn-et-al:2008:imperative}; the framework described there
+ is available in session @{text Imperative_HOL}, together with a
+ short primer document.
+*}
+
+
+subsection {* ML system interfaces \label{sec:ml} *}
+
+text {*
+ Since the code generator framework not only aims to provide a nice
+ Isar interface but also to form a base for code-generation-based
+ applications, here a short description of the most fundamental ML
+ interfaces.
+*}
+
+subsubsection {* Managing executable content *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Code.read_const: "theory -> string -> string"} \\
+ @{index_ML Code.add_eqn: "thm -> theory -> theory"} \\
+ @{index_ML Code.del_eqn: "thm -> theory -> theory"} \\
+ @{index_ML Code_Preproc.map_pre: "(simpset -> simpset) -> theory -> theory"} \\
+ @{index_ML Code_Preproc.map_post: "(simpset -> simpset) -> theory -> theory"} \\
+ @{index_ML Code_Preproc.add_functrans: "
+ string * (theory -> (thm * bool) list -> (thm * bool) list option)
+ -> theory -> theory"} \\
+ @{index_ML Code_Preproc.del_functrans: "string -> theory -> theory"} \\
+ @{index_ML Code.add_datatype: "(string * typ) list -> theory -> theory"} \\
+ @{index_ML Code.get_type: "theory -> string
+ -> ((string * sort) list * (string * ((string * sort) list * typ list)) list) * bool"} \\
+ @{index_ML Code.get_type_of_constr_or_abstr: "theory -> string -> (string * bool) option"}
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Code.read_const}~@{text thy}~@{text s}
+ reads a constant as a concrete term expression @{text s}.
+
+ \item @{ML Code.add_eqn}~@{text "thm"}~@{text "thy"} adds function
+ theorem @{text "thm"} to executable content.
+
+ \item @{ML Code.del_eqn}~@{text "thm"}~@{text "thy"} removes function
+ theorem @{text "thm"} from executable content, if present.
+
+ \item @{ML Code_Preproc.map_pre}~@{text "f"}~@{text "thy"} changes
+ the preprocessor simpset.
+
+ \item @{ML Code_Preproc.add_functrans}~@{text "(name, f)"}~@{text "thy"} adds
+ function transformer @{text f} (named @{text name}) to executable content;
+ @{text f} is a transformer of the code equations belonging
+ to a certain function definition, depending on the
+ current theory context. Returning @{text NONE} indicates that no
+ transformation took place; otherwise, the whole process will be iterated
+ with the new code equations.
+
+ \item @{ML Code_Preproc.del_functrans}~@{text "name"}~@{text "thy"} removes
+ function transformer named @{text name} from executable content.
+
+ \item @{ML Code.add_datatype}~@{text cs}~@{text thy} adds
+ a datatype to executable content, with generation
+ set @{text cs}.
+
+ \item @{ML Code.get_type_of_constr_or_abstr}~@{text "thy"}~@{text "const"}
+ returns type constructor corresponding to
+ constructor @{text const}; returns @{text NONE}
+ if @{text const} is no constructor.
+
+ \end{description}
+*}
+
+
+subsubsection {* Data depending on the theory's executable content *}
+
+text {*
+ Implementing code generator applications on top of the framework set
+ out so far usually not only involves using those primitive
+ interfaces but also storing code-dependent data and various other
+ things.
+
+ Due to incrementality of code generation, changes in the theory's
+ executable content have to be propagated in a certain fashion.
+ Additionally, such changes may occur not only during theory
+ extension but also during theory merge, which is a little bit nasty
+ from an implementation point of view. The framework provides a
+ solution to this technical challenge by providing a functorial data
+ slot @{ML_functor Code_Data}; on instantiation of this functor, the
+ following types and operations are required:
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "type T"} \\
+ @{text "val empty: T"} \\
+ \end{tabular}
+
+ \begin{description}
+
+ \item @{text T} the type of data to store.
+
+ \item @{text empty} initial (empty) data.
+
+ \end{description}
+
+ \noindent An instance of @{ML_functor Code_Data} provides the
+ following interface:
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "change: theory \<rightarrow> (T \<rightarrow> T) \<rightarrow> T"} \\
+ @{text "change_yield: theory \<rightarrow> (T \<rightarrow> 'a * T) \<rightarrow> 'a * T"}
+ \end{tabular}
+
+ \begin{description}
+
+ \item @{text change} update of current data (cached!) by giving a
+ continuation.
+
+ \item @{text change_yield} update with side result.
+
+ \end{description}
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Inductive_Predicate.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,275 @@
+theory Inductive_Predicate
+imports Setup
+begin
+
+(*<*)
+hide_const %invisible append
+
+inductive %invisible append where
+ "append [] ys ys"
+| "append xs ys zs \<Longrightarrow> append (x # xs) ys (x # zs)"
+
+lemma %invisible append: "append xs ys zs = (xs @ ys = zs)"
+ by (induct xs arbitrary: ys zs) (auto elim: append.cases intro: append.intros)
+
+lemmas lexordp_def =
+ lexordp_def [unfolded lexord_def mem_Collect_eq split]
+(*>*)
+
+section {* Inductive Predicates \label{sec:inductive} *}
+
+text {*
+ The @{text "predicate compiler"} is an extension of the code generator
+ which turns inductive specifications into equational ones, from
+ which in turn executable code can be generated. The mechanisms of
+ this compiler are described in detail in
+ \cite{Berghofer-Bulwahn-Haftmann:2009:TPHOL}.
+
+ Consider the simple predicate @{const append} given by these two
+ introduction rules:
+*}
+
+text %quote {*
+ @{thm append.intros(1)[of ys]} \\
+ @{thm append.intros(2)[of xs ys zs x]}
+*}
+
+text {*
+ \noindent To invoke the compiler, simply use @{command_def "code_pred"}:
+*}
+
+code_pred %quote append .
+
+text {*
+ \noindent The @{command "code_pred"} command takes the name of the
+ inductive predicate and then you put a period to discharge a trivial
+ correctness proof. The compiler infers possible modes for the
+ predicate and produces the derived code equations. Modes annotate
+ which (parts of the) arguments are to be taken as input, and which
+ output. Modes are similar to types, but use the notation @{text "i"}
+ for input and @{text "o"} for output.
+
+ For @{term "append"}, the compiler can infer the following modes:
+ \begin{itemize}
+ \item @{text "i \<Rightarrow> i \<Rightarrow> i \<Rightarrow> bool"}
+ \item @{text "i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}
+ \item @{text "o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool"}
+ \end{itemize}
+ You can compute sets of predicates using @{command_def "values"}:
+*}
+
+values %quote "{zs. append [(1::nat),2,3] [4,5] zs}"
+
+text {* \noindent outputs @{text "{[1, 2, 3, 4, 5]}"}, and *}
+
+values %quote "{(xs, ys). append xs ys [(2::nat),3]}"
+
+text {* \noindent outputs @{text "{([], [2, 3]), ([2], [3]), ([2, 3], [])}"}. *}
+
+text {*
+ \noindent If you are only interested in the first elements of the
+ set comprehension (with respect to a depth-first search on the
+ introduction rules), you can pass an argument to @{command "values"}
+ to specify the number of elements you want:
+*}
+
+values %quote 1 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"
+values %quote 3 "{(xs, ys). append xs ys [(1::nat), 2, 3, 4]}"
+
+text {*
+ \noindent The @{command "values"} command can only compute set
+ comprehensions for which a mode has been inferred.
+
+ The code equations for a predicate are made available as theorems with
+ the suffix @{text "equation"}, and can be inspected with:
+*}
+
+thm %quote append.equation
+
+text {*
+ \noindent More advanced options are described in the following subsections.
+*}
+
+subsection {* Alternative names for functions *}
+
+text {*
+ By default, the functions generated from a predicate are named after
+ the predicate with the mode mangled into the name (e.g., @{text
+ "append_i_i_o"}). You can specify your own names as follows:
+*}
+
+code_pred %quote (modes: i \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool as concat,
+ o \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as split,
+ i \<Rightarrow> o \<Rightarrow> i \<Rightarrow> bool as suffix) append .
+
+subsection {* Alternative introduction rules *}
+
+text {*
+ Sometimes the introduction rules of an predicate are not executable
+ because they contain non-executable constants or specific modes
+ could not be inferred. It is also possible that the introduction
+ rules yield a function that loops forever due to the execution in a
+ depth-first search manner. Therefore, you can declare alternative
+ introduction rules for predicates with the attribute @{attribute
+ "code_pred_intro"}. For example, the transitive closure is defined
+ by:
+*}
+
+text %quote {*
+ @{lemma [source] "r a b \<Longrightarrow> tranclp r a b" by (fact tranclp.intros(1))}\\
+ @{lemma [source] "tranclp r a b \<Longrightarrow> r b c \<Longrightarrow> tranclp r a c" by (fact tranclp.intros(2))}
+*}
+
+text {*
+ \noindent These rules do not suit well for executing the transitive
+ closure with the mode @{text "(i \<Rightarrow> o \<Rightarrow> bool) \<Rightarrow> i \<Rightarrow> o \<Rightarrow> bool"}, as
+ the second rule will cause an infinite loop in the recursive call.
+ This can be avoided using the following alternative rules which are
+ declared to the predicate compiler by the attribute @{attribute
+ "code_pred_intro"}:
+*}
+
+lemma %quote [code_pred_intro]:
+ "r a b \<Longrightarrow> tranclp r a b"
+ "r a b \<Longrightarrow> tranclp r b c \<Longrightarrow> tranclp r a c"
+by auto
+
+text {*
+ \noindent After declaring all alternative rules for the transitive
+ closure, you invoke @{command "code_pred"} as usual. As you have
+ declared alternative rules for the predicate, you are urged to prove
+ that these introduction rules are complete, i.e., that you can
+ derive an elimination rule for the alternative rules:
+*}
+
+code_pred %quote tranclp
+proof -
+ case tranclp
+ from this converse_tranclpE [OF tranclp.prems] show thesis by metis
+qed
+
+text {*
+ \noindent Alternative rules can also be used for constants that have
+ not been defined inductively. For example, the lexicographic order
+ which is defined as:
+*}
+
+text %quote {*
+ @{thm [display] lexordp_def [of r]}
+*}
+
+text {*
+ \noindent To make it executable, you can derive the following two
+ rules and prove the elimination rule:
+*}
+
+lemma %quote [code_pred_intro]:
+ "append xs (a # v) ys \<Longrightarrow> lexordp r xs ys"
+(*<*)unfolding lexordp_def by (auto simp add: append)(*>*)
+
+lemma %quote [code_pred_intro]:
+ "append u (a # v) xs \<Longrightarrow> append u (b # w) ys \<Longrightarrow> r a b
+ \<Longrightarrow> lexordp r xs ys"
+(*<*)unfolding lexordp_def append apply simp
+apply (rule disjI2) by auto(*>*)
+
+code_pred %quote lexordp
+(*<*)proof -
+ fix r xs ys
+ assume lexord: "lexordp r xs ys"
+ assume 1: "\<And>r' xs' ys' a v. r = r' \<Longrightarrow> xs = xs' \<Longrightarrow> ys = ys'
+ \<Longrightarrow> append xs' (a # v) ys' \<Longrightarrow> thesis"
+ assume 2: "\<And>r' xs' ys' u a v b w. r = r' \<Longrightarrow> xs = xs' \<Longrightarrow> ys = ys'
+ \<Longrightarrow> append u (a # v) xs' \<Longrightarrow> append u (b # w) ys' \<Longrightarrow> r' a b \<Longrightarrow> thesis"
+ {
+ assume "\<exists>a v. ys = xs @ a # v"
+ from this 1 have thesis
+ by (fastforce simp add: append)
+ } moreover
+ {
+ assume "\<exists>u a b v w. r a b \<and> xs = u @ a # v \<and> ys = u @ b # w"
+ from this 2 have thesis by (fastforce simp add: append)
+ } moreover
+ note lexord
+ ultimately show thesis
+ unfolding lexordp_def
+ by fastforce
+qed(*>*)
+
+
+subsection {* Options for values *}
+
+text {*
+ In the presence of higher-order predicates, multiple modes for some
+ predicate could be inferred that are not disambiguated by the
+ pattern of the set comprehension. To disambiguate the modes for the
+ arguments of a predicate, you can state the modes explicitly in the
+ @{command "values"} command. Consider the simple predicate @{term
+ "succ"}:
+*}
+
+inductive %quote succ :: "nat \<Rightarrow> nat \<Rightarrow> bool" where
+ "succ 0 (Suc 0)"
+| "succ x y \<Longrightarrow> succ (Suc x) (Suc y)"
+
+code_pred %quote succ .
+
+text {*
+ \noindent For this, the predicate compiler can infer modes @{text "o
+ \<Rightarrow> o \<Rightarrow> bool"}, @{text "i \<Rightarrow> o \<Rightarrow> bool"}, @{text "o \<Rightarrow> i \<Rightarrow> bool"} and
+ @{text "i \<Rightarrow> i \<Rightarrow> bool"}. The invocation of @{command "values"}
+ @{text "{n. tranclp succ 10 n}"} loops, as multiple modes for the
+ predicate @{text "succ"} are possible and here the first mode @{text
+ "o \<Rightarrow> o \<Rightarrow> bool"} is chosen. To choose another mode for the argument,
+ you can declare the mode for the argument between the @{command
+ "values"} and the number of elements.
+*}
+
+values %quote [mode: i \<Rightarrow> o \<Rightarrow> bool] 1 "{n. tranclp succ 10 n}" (*FIMXE does not terminate for n\<ge>1*)
+values %quote [mode: o \<Rightarrow> i \<Rightarrow> bool] 1 "{n. tranclp succ n 10}"
+
+
+subsection {* Embedding into functional code within Isabelle/HOL *}
+
+text {*
+ To embed the computation of an inductive predicate into functions
+ that are defined in Isabelle/HOL, you have a number of options:
+
+ \begin{itemize}
+
+ \item You want to use the first-order predicate with the mode
+ where all arguments are input. Then you can use the predicate directly, e.g.
+
+ \begin{quote}
+ @{text "valid_suffix ys zs = "} \\
+ @{text "(if append [Suc 0, 2] ys zs then Some ys else None)"}
+ \end{quote}
+
+ \item If you know that the execution returns only one value (it is
+ deterministic), then you can use the combinator @{term
+ "Predicate.the"}, e.g., a functional concatenation of lists is
+ defined with
+
+ \begin{quote}
+ @{term "functional_concat xs ys = Predicate.the (append_i_i_o xs ys)"}
+ \end{quote}
+
+ Note that if the evaluation does not return a unique value, it
+ raises a run-time error @{term "not_unique"}.
+
+ \end{itemize}
+*}
+
+
+subsection {* Further Examples *}
+
+text {*
+ Further examples for compiling inductive predicates can be found in
+ the @{text "HOL/ex/Predicate_Compile_ex.thy"} theory file. There are
+ also some examples in the Archive of Formal Proofs, notably in the
+ @{text "POPLmark-deBruijn"} and the @{text "FeatherweightJava"}
+ sessions.
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Introduction.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,242 @@
+theory Introduction
+imports Setup
+begin
+
+section {* Introduction *}
+
+text {*
+ This tutorial introduces the code generator facilities of @{text
+ "Isabelle/HOL"}. It allows to turn (a certain class of) HOL
+ specifications into corresponding executable code in the programming
+ languages @{text SML} \cite{SML}, @{text OCaml} \cite{OCaml},
+ @{text Haskell} \cite{haskell-revised-report} and @{text Scala}
+ \cite{scala-overview-tech-report}.
+
+ To profit from this tutorial, some familiarity and experience with
+ @{theory HOL} \cite{isa-tutorial} and its basic theories is assumed.
+*}
+
+
+subsection {* Code generation principle: shallow embedding \label{sec:principle} *}
+
+text {*
+ The key concept for understanding Isabelle's code generation is
+ \emph{shallow embedding}: logical entities like constants, types and
+ classes are identified with corresponding entities in the target
+ language. In particular, the carrier of a generated program's
+ semantics are \emph{equational theorems} from the logic. If we view
+ a generated program as an implementation of a higher-order rewrite
+ system, then every rewrite step performed by the program can be
+ simulated in the logic, which guarantees partial correctness
+ \cite{Haftmann-Nipkow:2010:code}.
+*}
+
+
+subsection {* A quick start with the Isabelle/HOL toolbox \label{sec:queue_example} *}
+
+text {*
+ In a HOL theory, the @{command_def datatype} and @{command_def
+ definition}/@{command_def primrec}/@{command_def fun} declarations
+ form the core of a functional programming language. By default
+ equational theorems stemming from those are used for generated code,
+ therefore \qt{naive} code generation can proceed without further
+ ado.
+
+ For example, here a simple \qt{implementation} of amortised queues:
+*}
+
+datatype %quote 'a queue = AQueue "'a list" "'a list"
+
+definition %quote empty :: "'a queue" where
+ "empty = AQueue [] []"
+
+primrec %quote enqueue :: "'a \<Rightarrow> 'a queue \<Rightarrow> 'a queue" where
+ "enqueue x (AQueue xs ys) = AQueue (x # xs) ys"
+
+fun %quote dequeue :: "'a queue \<Rightarrow> 'a option \<times> 'a queue" where
+ "dequeue (AQueue [] []) = (None, AQueue [] [])"
+ | "dequeue (AQueue xs (y # ys)) = (Some y, AQueue xs ys)"
+ | "dequeue (AQueue xs []) =
+ (case rev xs of y # ys \<Rightarrow> (Some y, AQueue [] ys))" (*<*)
+
+lemma %invisible dequeue_nonempty_Nil [simp]:
+ "xs \<noteq> [] \<Longrightarrow> dequeue (AQueue xs []) = (case rev xs of y # ys \<Rightarrow> (Some y, AQueue [] ys))"
+ by (cases xs) (simp_all split: list.splits) (*>*)
+
+text {* \noindent Then we can generate code e.g.~for @{text SML} as follows: *}
+
+export_code %quote empty dequeue enqueue in SML
+ module_name Example file "examples/example.ML"
+
+text {* \noindent resulting in the following code: *}
+
+text %quotetypewriter {*
+ @{code_stmts empty enqueue dequeue (SML)}
+*}
+
+text {*
+ \noindent The @{command_def export_code} command takes a
+ space-separated list of constants for which code shall be generated;
+ anything else needed for those is added implicitly. Then follows a
+ target language identifier and a freely chosen module name. A file
+ name denotes the destination to store the generated code. Note that
+ the semantics of the destination depends on the target language: for
+ @{text SML}, @{text OCaml} and @{text Scala} it denotes a \emph{file},
+ for @{text Haskell} it denotes a \emph{directory} where a file named as the
+ module name (with extension @{text ".hs"}) is written:
+*}
+
+export_code %quote empty dequeue enqueue in Haskell
+ module_name Example file "examples/"
+
+text {*
+ \noindent This is the corresponding code:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts empty enqueue dequeue (Haskell)}
+*}
+
+text {*
+ \noindent For more details about @{command export_code} see
+ \secref{sec:further}.
+*}
+
+
+subsection {* Type classes *}
+
+text {*
+ Code can also be generated from type classes in a Haskell-like
+ manner. For illustration here an example from abstract algebra:
+*}
+
+class %quote semigroup =
+ fixes mult :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "\<otimes>" 70)
+ assumes assoc: "(x \<otimes> y) \<otimes> z = x \<otimes> (y \<otimes> z)"
+
+class %quote monoid = semigroup +
+ fixes neutral :: 'a ("\<one>")
+ assumes neutl: "\<one> \<otimes> x = x"
+ and neutr: "x \<otimes> \<one> = x"
+
+instantiation %quote nat :: monoid
+begin
+
+primrec %quote mult_nat where
+ "0 \<otimes> n = (0\<Colon>nat)"
+ | "Suc m \<otimes> n = n + m \<otimes> n"
+
+definition %quote neutral_nat where
+ "\<one> = Suc 0"
+
+lemma %quote add_mult_distrib:
+ fixes n m q :: nat
+ shows "(n + m) \<otimes> q = n \<otimes> q + m \<otimes> q"
+ by (induct n) simp_all
+
+instance %quote proof
+ fix m n q :: nat
+ show "m \<otimes> n \<otimes> q = m \<otimes> (n \<otimes> q)"
+ by (induct m) (simp_all add: add_mult_distrib)
+ show "\<one> \<otimes> n = n"
+ by (simp add: neutral_nat_def)
+ show "m \<otimes> \<one> = m"
+ by (induct m) (simp_all add: neutral_nat_def)
+qed
+
+end %quote
+
+text {*
+ \noindent We define the natural operation of the natural numbers
+ on monoids:
+*}
+
+primrec %quote (in monoid) pow :: "nat \<Rightarrow> 'a \<Rightarrow> 'a" where
+ "pow 0 a = \<one>"
+ | "pow (Suc n) a = a \<otimes> pow n a"
+
+text {*
+ \noindent This we use to define the discrete exponentiation
+ function:
+*}
+
+definition %quote bexp :: "nat \<Rightarrow> nat" where
+ "bexp n = pow n (Suc (Suc 0))"
+
+text {*
+ \noindent The corresponding code in Haskell uses that language's
+ native classes:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts bexp (Haskell)}
+*}
+
+text {*
+ \noindent This is a convenient place to show how explicit dictionary
+ construction manifests in generated code -- the same example in
+ @{text SML}:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts bexp (SML)}
+*}
+
+text {*
+ \noindent Note the parameters with trailing underscore (@{verbatim
+ "A_"}), which are the dictionary parameters.
+*}
+
+
+subsection {* How to continue from here *}
+
+text {*
+ What you have seen so far should be already enough in a lot of
+ cases. If you are content with this, you can quit reading here.
+
+ Anyway, to understand situations where problems occur or to increase
+ the scope of code generation beyond default, it is necessary to gain
+ some understanding how the code generator actually works:
+
+ \begin{itemize}
+
+ \item The foundations of the code generator are described in
+ \secref{sec:foundations}.
+
+ \item In particular \secref{sec:utterly_wrong} gives hints how to
+ debug situations where code generation does not succeed as
+ expected.
+
+ \item The scope and quality of generated code can be increased
+ dramatically by applying refinement techniques, which are
+ introduced in \secref{sec:refinement}.
+
+ \item Inductive predicates can be turned executable using an
+ extension of the code generator \secref{sec:inductive}.
+
+ \item If you want to utilize code generation to obtain fast
+ evaluators e.g.~for decision procedures, have a look at
+ \secref{sec:evaluation}.
+
+ \item You may want to skim over the more technical sections
+ \secref{sec:adaptation} and \secref{sec:further}.
+
+ \item The target language Scala \cite{scala-overview-tech-report}
+ comes with some specialities discussed in \secref{sec:scala}.
+
+ \item For exhaustive syntax diagrams etc. you should visit the
+ Isabelle/Isar Reference Manual \cite{isabelle-isar-ref}.
+
+ \end{itemize}
+
+ \bigskip
+
+ \begin{center}\fbox{\fbox{\begin{minipage}{8cm}
+
+ \begin{center}\textit{Happy proving, happy hacking!}\end{center}
+
+ \end{minipage}}}\end{center}
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Refinement.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,274 @@
+theory Refinement
+imports Setup
+begin
+
+section {* Program and datatype refinement \label{sec:refinement} *}
+
+text {*
+ Code generation by shallow embedding (cf.~\secref{sec:principle})
+ allows to choose code equations and datatype constructors freely,
+ given that some very basic syntactic properties are met; this
+ flexibility opens up mechanisms for refinement which allow to extend
+ the scope and quality of generated code dramatically.
+*}
+
+
+subsection {* Program refinement *}
+
+text {*
+ Program refinement works by choosing appropriate code equations
+ explicitly (cf.~\secref{sec:equations}); as example, we use Fibonacci
+ numbers:
+*}
+
+fun %quote fib :: "nat \<Rightarrow> nat" where
+ "fib 0 = 0"
+ | "fib (Suc 0) = Suc 0"
+ | "fib (Suc (Suc n)) = fib n + fib (Suc n)"
+
+text {*
+ \noindent The runtime of the corresponding code grows exponential due
+ to two recursive calls:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts fib (consts) fib (Haskell)}
+*}
+
+text {*
+ \noindent A more efficient implementation would use dynamic
+ programming, e.g.~sharing of common intermediate results between
+ recursive calls. This idea is expressed by an auxiliary operation
+ which computes a Fibonacci number and its successor simultaneously:
+*}
+
+definition %quote fib_step :: "nat \<Rightarrow> nat \<times> nat" where
+ "fib_step n = (fib (Suc n), fib n)"
+
+text {*
+ \noindent This operation can be implemented by recursion using
+ dynamic programming:
+*}
+
+lemma %quote [code]:
+ "fib_step 0 = (Suc 0, 0)"
+ "fib_step (Suc n) = (let (m, q) = fib_step n in (m + q, m))"
+ by (simp_all add: fib_step_def)
+
+text {*
+ \noindent What remains is to implement @{const fib} by @{const
+ fib_step} as follows:
+*}
+
+lemma %quote [code]:
+ "fib 0 = 0"
+ "fib (Suc n) = fst (fib_step n)"
+ by (simp_all add: fib_step_def)
+
+text {*
+ \noindent The resulting code shows only linear growth of runtime:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts fib (consts) fib fib_step (Haskell)}
+*}
+
+
+subsection {* Datatype refinement *}
+
+text {*
+ Selecting specific code equations \emph{and} datatype constructors
+ leads to datatype refinement. As an example, we will develop an
+ alternative representation of the queue example given in
+ \secref{sec:queue_example}. The amortised representation is
+ convenient for generating code but exposes its \qt{implementation}
+ details, which may be cumbersome when proving theorems about it.
+ Therefore, here is a simple, straightforward representation of
+ queues:
+*}
+
+datatype %quote 'a queue = Queue "'a list"
+
+definition %quote empty :: "'a queue" where
+ "empty = Queue []"
+
+primrec %quote enqueue :: "'a \<Rightarrow> 'a queue \<Rightarrow> 'a queue" where
+ "enqueue x (Queue xs) = Queue (xs @ [x])"
+
+fun %quote dequeue :: "'a queue \<Rightarrow> 'a option \<times> 'a queue" where
+ "dequeue (Queue []) = (None, Queue [])"
+ | "dequeue (Queue (x # xs)) = (Some x, Queue xs)"
+
+text {*
+ \noindent This we can use directly for proving; for executing,
+ we provide an alternative characterisation:
+*}
+
+definition %quote AQueue :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a queue" where
+ "AQueue xs ys = Queue (ys @ rev xs)"
+
+code_datatype %quote AQueue
+
+text {*
+ \noindent Here we define a \qt{constructor} @{const "AQueue"} which
+ is defined in terms of @{text "Queue"} and interprets its arguments
+ according to what the \emph{content} of an amortised queue is supposed
+ to be.
+
+ The prerequisite for datatype constructors is only syntactical: a
+ constructor must be of type @{text "\<tau> = \<dots> \<Rightarrow> \<kappa> \<alpha>\<^isub>1 \<dots> \<alpha>\<^isub>n"} where @{text
+ "{\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>n}"} is exactly the set of \emph{all} type variables in
+ @{text "\<tau>"}; then @{text "\<kappa>"} is its corresponding datatype. The
+ HOL datatype package by default registers any new datatype with its
+ constructors, but this may be changed using @{command_def
+ code_datatype}; the currently chosen constructors can be inspected
+ using the @{command print_codesetup} command.
+
+ Equipped with this, we are able to prove the following equations
+ for our primitive queue operations which \qt{implement} the simple
+ queues in an amortised fashion:
+*}
+
+lemma %quote empty_AQueue [code]:
+ "empty = AQueue [] []"
+ by (simp add: AQueue_def empty_def)
+
+lemma %quote enqueue_AQueue [code]:
+ "enqueue x (AQueue xs ys) = AQueue (x # xs) ys"
+ by (simp add: AQueue_def)
+
+lemma %quote dequeue_AQueue [code]:
+ "dequeue (AQueue xs []) =
+ (if xs = [] then (None, AQueue [] [])
+ else dequeue (AQueue [] (rev xs)))"
+ "dequeue (AQueue xs (y # ys)) = (Some y, AQueue xs ys)"
+ by (simp_all add: AQueue_def)
+
+text {*
+ \noindent It is good style, although no absolute requirement, to
+ provide code equations for the original artefacts of the implemented
+ type, if possible; in our case, these are the datatype constructor
+ @{const Queue} and the case combinator @{const queue_case}:
+*}
+
+lemma %quote Queue_AQueue [code]:
+ "Queue = AQueue []"
+ by (simp add: AQueue_def fun_eq_iff)
+
+lemma %quote queue_case_AQueue [code]:
+ "queue_case f (AQueue xs ys) = f (ys @ rev xs)"
+ by (simp add: AQueue_def)
+
+text {*
+ \noindent The resulting code looks as expected:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts empty enqueue dequeue Queue queue_case (SML)}
+*}
+
+text {*
+ The same techniques can also be applied to types which are not
+ specified as datatypes, e.g.~type @{typ int} is originally specified
+ as quotient type by means of @{command_def typedef}, but for code
+ generation constants allowing construction of binary numeral values
+ are used as constructors for @{typ int}.
+
+ This approach however fails if the representation of a type demands
+ invariants; this issue is discussed in the next section.
+*}
+
+
+subsection {* Datatype refinement involving invariants \label{sec:invariant} *}
+
+text {*
+ Datatype representation involving invariants require a dedicated
+ setup for the type and its primitive operations. As a running
+ example, we implement a type @{text "'a dlist"} of list consisting
+ of distinct elements.
+
+ The first step is to decide on which representation the abstract
+ type (in our example @{text "'a dlist"}) should be implemented.
+ Here we choose @{text "'a list"}. Then a conversion from the concrete
+ type to the abstract type must be specified, here:
+*}
+
+text %quote {*
+ @{term_type Dlist}
+*}
+
+text {*
+ \noindent Next follows the specification of a suitable \emph{projection},
+ i.e.~a conversion from abstract to concrete type:
+*}
+
+text %quote {*
+ @{term_type list_of_dlist}
+*}
+
+text {*
+ \noindent This projection must be specified such that the following
+ \emph{abstract datatype certificate} can be proven:
+*}
+
+lemma %quote [code abstype]:
+ "Dlist (list_of_dlist dxs) = dxs"
+ by (fact Dlist_list_of_dlist)
+
+text {*
+ \noindent Note that so far the invariant on representations
+ (@{term_type distinct}) has never been mentioned explicitly:
+ the invariant is only referred to implicitly: all values in
+ set @{term "{xs. list_of_dlist (Dlist xs) = xs}"} are invariant,
+ and in our example this is exactly @{term "{xs. distinct xs}"}.
+
+ The primitive operations on @{typ "'a dlist"} are specified
+ indirectly using the projection @{const list_of_dlist}. For
+ the empty @{text "dlist"}, @{const Dlist.empty}, we finally want
+ the code equation
+*}
+
+text %quote {*
+ @{term "Dlist.empty = Dlist []"}
+*}
+
+text {*
+ \noindent This we have to prove indirectly as follows:
+*}
+
+lemma %quote [code abstract]:
+ "list_of_dlist Dlist.empty = []"
+ by (fact list_of_dlist_empty)
+
+text {*
+ \noindent This equation logically encodes both the desired code
+ equation and that the expression @{const Dlist} is applied to obeys
+ the implicit invariant. Equations for insertion and removal are
+ similar:
+*}
+
+lemma %quote [code abstract]:
+ "list_of_dlist (Dlist.insert x dxs) = List.insert x (list_of_dlist dxs)"
+ by (fact list_of_dlist_insert)
+
+lemma %quote [code abstract]:
+ "list_of_dlist (Dlist.remove x dxs) = remove1 x (list_of_dlist dxs)"
+ by (fact list_of_dlist_remove)
+
+text {*
+ \noindent Then the corresponding code is as follows:
+*}
+
+text %quotetypewriter {*
+ @{code_stmts Dlist.empty Dlist.insert Dlist.remove list_of_dlist (Haskell)}
+*} (*(types) dlist (consts) dempty dinsert dremove list_of List.member insert remove *)
+
+text {*
+ Typical data structures implemented by representations involving
+ invariants are available in the library, theory @{theory Mapping}
+ specifies key-value-mappings (type @{typ "('a, 'b) mapping"});
+ these can be implemented by red-black-trees (theory @{theory RBT}).
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/Setup.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,37 @@
+theory Setup
+imports
+ Complex_Main
+ "~~/src/HOL/Library/Dlist"
+ "~~/src/HOL/Library/RBT"
+ "~~/src/HOL/Library/Mapping"
+begin
+
+(* FIXME avoid writing into source directory *)
+ML {*
+ Isabelle_System.mkdirs (Path.append (Thy_Load.master_directory @{theory}) (Path.basic "examples"))
+*}
+
+ML_file "../antiquote_setup.ML"
+ML_file "../more_antiquote.ML"
+
+setup {*
+ Antiquote_Setup.setup #>
+ More_Antiquote.setup #>
+let
+ val typ = Simple_Syntax.read_typ;
+in
+ Sign.del_modesyntax_i (Symbol.xsymbolsN, false)
+ [("_constrain", typ "logic => type => logic", Mixfix ("_\<Colon>_", [4, 0], 3)),
+ ("_constrain", typ "prop' => type => prop'", Mixfix ("_\<Colon>_", [4, 0], 3))] #>
+ Sign.add_modesyntax_i (Symbol.xsymbolsN, false)
+ [("_constrain", typ "logic => type => logic", Mixfix ("_ \<Colon> _", [4, 0], 3)),
+ ("_constrain", typ "prop' => type => prop'", Mixfix ("_ \<Colon> _", [4, 0], 3))]
+end
+*}
+
+setup {* Code_Target.set_default_code_width 74 *}
+
+declare [[names_unique = false]]
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/document/adapt.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,52 @@
+
+\documentclass[12pt]{article}
+\usepackage{tikz}
+
+\begin{document}
+
+\thispagestyle{empty}
+\setlength{\fboxrule}{0.01pt}
+\setlength{\fboxsep}{4pt}
+
+\fcolorbox{white}{white}{
+
+\begin{tikzpicture}[scale = 0.5]
+ \tikzstyle water=[color = blue, thick]
+ \tikzstyle ice=[color = black, very thick, cap = round, join = round, fill = white]
+ \tikzstyle process=[color = green, semithick, ->]
+ \tikzstyle adaptation=[color = red, semithick, ->]
+ \tikzstyle target=[color = black]
+ \foreach \x in {0, ..., 24}
+ \draw[style=water] (\x, 0.25) sin + (0.25, 0.25) cos + (0.25, -0.25) sin
+ + (0.25, -0.25) cos + (0.25, 0.25);
+ \draw[style=ice] (1, 0) --
+ (3, 6) node[above, fill=white] {logic} -- (5, 0) -- cycle;
+ \draw[style=ice] (9, 0) --
+ (11, 6) node[above, fill=white] {intermediate language} -- (13, 0) -- cycle;
+ \draw[style=ice] (15, -6) --
+ (19, 6) node[above, fill=white] {target language} -- (23, -6) -- cycle;
+ \draw[style=process]
+ (3.5, 3) .. controls (7, 5) .. node[fill=white] {translation} (10.5, 3);
+ \draw[style=process]
+ (11.5, 3) .. controls (15, 5) .. node[fill=white] (serialisation) {serialisation} (18.5, 3);
+ \node (adaptation) at (11, -2) [style=adaptation] {adaptation};
+ \node at (19, 3) [rotate=90] {generated};
+ \node at (19.5, -5) {language};
+ \node at (19.5, -3) {library};
+ \node (includes) at (19.5, -1) {includes};
+ \node (reserved) at (16.5, -3) [rotate=72] {reserved}; % proper 71.57
+ \draw[style=process]
+ (includes) -- (serialisation);
+ \draw[style=process]
+ (reserved) -- (serialisation);
+ \draw[style=adaptation]
+ (adaptation) -- (serialisation);
+ \draw[style=adaptation]
+ (adaptation) -- (includes);
+ \draw[style=adaptation]
+ (adaptation) -- (reserved);
+\end{tikzpicture}
+
+}
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/document/architecture.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,50 @@
+
+\documentclass[12pt]{article}
+\usepackage{tikz}
+\usetikzlibrary{shapes}
+\usetikzlibrary{arrows}
+
+\begin{document}
+
+\thispagestyle{empty}
+\setlength{\fboxrule}{0.01pt}
+\setlength{\fboxsep}{4pt}
+
+\fcolorbox{white}{white}{
+
+\newcommand{\sys}[1]{\emph{#1}}
+
+\begin{tikzpicture}[x = 4cm, y = 1cm]
+ \tikzstyle positive=[color = black, fill = white];
+ \tikzstyle negative=[color = white, fill = black];
+ \tikzstyle entity=[rounded corners, draw, thick];
+ \tikzstyle process=[ellipse, draw, thick];
+ \tikzstyle arrow=[-stealth, semithick];
+ \node (spec) at (0, 3) [entity, positive] {specification tools};
+ \node (user) at (1, 3) [entity, positive] {user proofs};
+ \node (spec_user_join) at (0.5, 3) [shape=coordinate] {};
+ \node (raw) at (0.5, 4) [entity, positive] {raw code equations};
+ \node (pre) at (1.5, 4) [process, positive] {preprocessing};
+ \node (eqn) at (2.5, 4) [entity, positive] {code equations};
+ \node (iml) at (0.5, 0) [entity, positive] {intermediate program};
+ \node (seri) at (1.5, 0) [process, positive] {serialisation};
+ \node (SML) at (2.5, 3) [entity, positive] {\sys{SML}};
+ \node (OCaml) at (2.5, 2) [entity, positive] {\sys{OCaml}};
+ \node (Haskell) at (2.5, 1) [entity, positive] {\sys{Haskell}};
+ \node (Scala) at (2.5, 0) [entity, positive] {\sys{Scala}};
+ \draw [semithick] (spec) -- (spec_user_join);
+ \draw [semithick] (user) -- (spec_user_join);
+ \draw [-diamond, semithick] (spec_user_join) -- (raw);
+ \draw [arrow] (raw) -- (pre);
+ \draw [arrow] (pre) -- (eqn);
+ \draw [arrow] (eqn) -- node (transl) [process, positive] {translation} (iml);
+ \draw [arrow] (iml) -- (seri);
+ \draw [arrow] (seri) -- (SML);
+ \draw [arrow] (seri) -- (OCaml);
+ \draw [arrow] (seri) -- (Haskell);
+ \draw [arrow] (seri) -- (Scala);
+\end{tikzpicture}
+
+}
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_isar.pdf "Isar"
+"$ISABELLE_TOOL" logo -o isabelle_isar.eps "Isar"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+for NAME in architecture adapt
+do
+ latex "$NAME"
+ $ISABELLE_DVIPS -E -o "$NAME.eps" "$NAME.dvi"
+ $ISABELLE_EPSTOPDF "$NAME.eps"
+done
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,52 @@
+
+\documentclass[12pt,a4paper,fleqn]{article}
+\usepackage{latexsym,graphicx}
+\usepackage{multirow}
+\usepackage{iman,extra,isar,proof}
+\usepackage{isabelle,isabellesym}
+\usepackage{style}
+\usepackage{pdfsetup}
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+\isadroptag{theory}
+
+\title{\includegraphics[scale=0.5]{isabelle_isar}
+ \\[4ex] Code generation from Isabelle/HOL theories}
+\author{\emph{Florian Haftmann with contributions from Lukas Bulwahn}}
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ \noindent This tutorial introduces the code generator facilities of Isabelle/HOL.
+ They empower the user to turn HOL specifications into corresponding executable
+ programs in the languages SML, OCaml, Haskell and Scala.
+\end{abstract}
+
+\thispagestyle{empty}\clearpage
+
+\pagenumbering{roman}
+\clearfirst
+
+\input{Introduction.tex}
+\input{Foundations.tex}
+\input{Refinement.tex}
+\input{Inductive_Predicate.tex}
+\input{Adaptation.tex}
+\input{Evaluation.tex}
+\input{Further.tex}
+
+\begingroup
+\bibliographystyle{plain} \small\raggedright\frenchspacing
+\bibliography{manual}
+\endgroup
+
+\end{document}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Codegen/document/style.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,75 @@
+
+%% toc
+\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
+\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
+
+%% paragraphs
+\setlength{\parindent}{1em}
+
+%% references
+\newcommand{\secref}[1]{\S\ref{#1}}
+\newcommand{\figref}[1]{figure~\ref{#1}}
+
+%% logical markup
+\newcommand{\strong}[1]{{\bfseries {#1}}}
+\newcommand{\qn}[1]{\emph{#1}}
+
+%% typographic conventions
+\newcommand{\qt}[1]{``{#1}''}
+\newcommand{\ditem}[1]{\item[\isastyletext #1]}
+
+%% quote environment
+\isakeeptag{quote}
+\renewenvironment{quote}
+ {\list{}{\leftmargin2em\rightmargin0pt}\parindent0pt\parskip0pt\item\relax}
+ {\endlist}
+\renewcommand{\isatagquote}{\begin{quote}}
+\renewcommand{\endisatagquote}{\end{quote}}
+\newcommand{\quotebreak}{\\[1.2ex]}
+
+%% typewriter text
+\newenvironment{typewriter}{\renewcommand{\isastyletext}{}%
+\renewcommand{\isadigit}[1]{{##1}}%
+\parindent0pt%
+\makeatletter\isa@parindent0pt\makeatother%
+\isabellestyle{tt}\isastyle%
+\fontsize{9pt}{9pt}\selectfont}{}
+
+\isakeeptag{quotetypewriter}
+\renewcommand{\isatagquotetypewriter}{\begin{quote}\begin{typewriter}}
+\renewcommand{\endisatagquotetypewriter}{\end{typewriter}\end{quote}}
+
+\isakeeptag{quotett}
+\renewcommand{\isatagquotett}{\begin{quote}\isabellestyle{tt}\isastyle}
+\renewcommand{\endisatagquotett}{\end{quote}}
+
+%% a trick
+\newcommand{\isasymSML}{SML}
+\newcommand{\isasymSMLdummy}{SML}
+
+%% presentation
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+%% character detail
+\renewcommand{\isadigit}[1]{\isamath{#1}}
+\binperiod
+\underscoreoff
+
+%% format
+\pagestyle{headings}
+\isabellestyle{it}
+
+%% ml reference
+\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
+
+\isakeeptag{mlref}
+\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{\ML}~~}Reference}\begingroup\def\isastyletext{\rm}\small}
+\renewcommand{\endisatagmlref}{\endgroup}
+
+\isabellestyle{it}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "implementation"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/Functions.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1190 @@
+(* Title: Doc/Functions/Thy/Fundefs.thy
+ Author: Alexander Krauss, TU Muenchen
+
+Tutorial for function definitions with the new "function" package.
+*)
+
+theory Functions
+imports Main
+begin
+
+section {* Function Definitions for Dummies *}
+
+text {*
+ In most cases, defining a recursive function is just as simple as other definitions:
+*}
+
+fun fib :: "nat \<Rightarrow> nat"
+where
+ "fib 0 = 1"
+| "fib (Suc 0) = 1"
+| "fib (Suc (Suc n)) = fib n + fib (Suc n)"
+
+text {*
+ The syntax is rather self-explanatory: We introduce a function by
+ giving its name, its type,
+ and a set of defining recursive equations.
+ If we leave out the type, the most general type will be
+ inferred, which can sometimes lead to surprises: Since both @{term
+ "1::nat"} and @{text "+"} are overloaded, we would end up
+ with @{text "fib :: nat \<Rightarrow> 'a::{one,plus}"}.
+*}
+
+text {*
+ The function always terminates, since its argument gets smaller in
+ every recursive call.
+ Since HOL is a logic of total functions, termination is a
+ fundamental requirement to prevent inconsistencies\footnote{From the
+ \qt{definition} @{text "f(n) = f(n) + 1"} we could prove
+ @{text "0 = 1"} by subtracting @{text "f(n)"} on both sides.}.
+ Isabelle tries to prove termination automatically when a definition
+ is made. In \S\ref{termination}, we will look at cases where this
+ fails and see what to do then.
+*}
+
+subsection {* Pattern matching *}
+
+text {* \label{patmatch}
+ Like in functional programming, we can use pattern matching to
+ define functions. At the moment we will only consider \emph{constructor
+ patterns}, which only consist of datatype constructors and
+ variables. Furthermore, patterns must be linear, i.e.\ all variables
+ on the left hand side of an equation must be distinct. In
+ \S\ref{genpats} we discuss more general pattern matching.
+
+ If patterns overlap, the order of the equations is taken into
+ account. The following function inserts a fixed element between any
+ two elements of a list:
+*}
+
+fun sep :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list"
+where
+ "sep a (x#y#xs) = x # a # sep a (y # xs)"
+| "sep a xs = xs"
+
+text {*
+ Overlapping patterns are interpreted as \qt{increments} to what is
+ already there: The second equation is only meant for the cases where
+ the first one does not match. Consequently, Isabelle replaces it
+ internally by the remaining cases, making the patterns disjoint:
+*}
+
+thm sep.simps
+
+text {* @{thm [display] sep.simps[no_vars]} *}
+
+text {*
+ \noindent The equations from function definitions are automatically used in
+ simplification:
+*}
+
+lemma "sep 0 [1, 2, 3] = [1, 0, 2, 0, 3]"
+by simp
+
+subsection {* Induction *}
+
+text {*
+
+ Isabelle provides customized induction rules for recursive
+ functions. These rules follow the recursive structure of the
+ definition. Here is the rule @{text sep.induct} arising from the
+ above definition of @{const sep}:
+
+ @{thm [display] sep.induct}
+
+ We have a step case for list with at least two elements, and two
+ base cases for the zero- and the one-element list. Here is a simple
+ proof about @{const sep} and @{const map}
+*}
+
+lemma "map f (sep x ys) = sep (f x) (map f ys)"
+apply (induct x ys rule: sep.induct)
+
+txt {*
+ We get three cases, like in the definition.
+
+ @{subgoals [display]}
+*}
+
+apply auto
+done
+text {*
+
+ With the \cmd{fun} command, you can define about 80\% of the
+ functions that occur in practice. The rest of this tutorial explains
+ the remaining 20\%.
+*}
+
+
+section {* fun vs.\ function *}
+
+text {*
+ The \cmd{fun} command provides a
+ convenient shorthand notation for simple function definitions. In
+ this mode, Isabelle tries to solve all the necessary proof obligations
+ automatically. If any proof fails, the definition is
+ rejected. This can either mean that the definition is indeed faulty,
+ or that the default proof procedures are just not smart enough (or
+ rather: not designed) to handle the definition.
+
+ By expanding the abbreviation to the more verbose \cmd{function} command, these proof obligations become visible and can be analyzed or
+ solved manually. The expansion from \cmd{fun} to \cmd{function} is as follows:
+
+\end{isamarkuptext}
+
+
+\[\left[\;\begin{minipage}{0.25\textwidth}\vspace{6pt}
+\cmd{fun} @{text "f :: \<tau>"}\\%
+\cmd{where}\\%
+\hspace*{2ex}{\it equations}\\%
+\hspace*{2ex}\vdots\vspace*{6pt}
+\end{minipage}\right]
+\quad\equiv\quad
+\left[\;\begin{minipage}{0.48\textwidth}\vspace{6pt}
+\cmd{function} @{text "("}\cmd{sequential}@{text ") f :: \<tau>"}\\%
+\cmd{where}\\%
+\hspace*{2ex}{\it equations}\\%
+\hspace*{2ex}\vdots\\%
+\cmd{by} @{text "pat_completeness auto"}\\%
+\cmd{termination by} @{text "lexicographic_order"}\vspace{6pt}
+\end{minipage}
+\right]\]
+
+\begin{isamarkuptext}
+ \vspace*{1em}
+ \noindent Some details have now become explicit:
+
+ \begin{enumerate}
+ \item The \cmd{sequential} option enables the preprocessing of
+ pattern overlaps which we already saw. Without this option, the equations
+ must already be disjoint and complete. The automatic completion only
+ works with constructor patterns.
+
+ \item A function definition produces a proof obligation which
+ expresses completeness and compatibility of patterns (we talk about
+ this later). The combination of the methods @{text "pat_completeness"} and
+ @{text "auto"} is used to solve this proof obligation.
+
+ \item A termination proof follows the definition, started by the
+ \cmd{termination} command. This will be explained in \S\ref{termination}.
+ \end{enumerate}
+ Whenever a \cmd{fun} command fails, it is usually a good idea to
+ expand the syntax to the more verbose \cmd{function} form, to see
+ what is actually going on.
+ *}
+
+
+section {* Termination *}
+
+text {*\label{termination}
+ The method @{text "lexicographic_order"} is the default method for
+ termination proofs. It can prove termination of a
+ certain class of functions by searching for a suitable lexicographic
+ combination of size measures. Of course, not all functions have such
+ a simple termination argument. For them, we can specify the termination
+ relation manually.
+*}
+
+subsection {* The {\tt relation} method *}
+text{*
+ Consider the following function, which sums up natural numbers up to
+ @{text "N"}, using a counter @{text "i"}:
+*}
+
+function sum :: "nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+ "sum i N = (if i > N then 0 else i + sum (Suc i) N)"
+by pat_completeness auto
+
+text {*
+ \noindent The @{text "lexicographic_order"} method fails on this example, because none of the
+ arguments decreases in the recursive call, with respect to the standard size ordering.
+ To prove termination manually, we must provide a custom wellfounded relation.
+
+ The termination argument for @{text "sum"} is based on the fact that
+ the \emph{difference} between @{text "i"} and @{text "N"} gets
+ smaller in every step, and that the recursion stops when @{text "i"}
+ is greater than @{text "N"}. Phrased differently, the expression
+ @{text "N + 1 - i"} always decreases.
+
+ We can use this expression as a measure function suitable to prove termination.
+*}
+
+termination sum
+apply (relation "measure (\<lambda>(i,N). N + 1 - i)")
+
+txt {*
+ The \cmd{termination} command sets up the termination goal for the
+ specified function @{text "sum"}. If the function name is omitted, it
+ implicitly refers to the last function definition.
+
+ The @{text relation} method takes a relation of
+ type @{typ "('a \<times> 'a) set"}, where @{typ "'a"} is the argument type of
+ the function. If the function has multiple curried arguments, then
+ these are packed together into a tuple, as it happened in the above
+ example.
+
+ The predefined function @{term[source] "measure :: ('a \<Rightarrow> nat) \<Rightarrow> ('a \<times> 'a) set"} constructs a
+ wellfounded relation from a mapping into the natural numbers (a
+ \emph{measure function}).
+
+ After the invocation of @{text "relation"}, we must prove that (a)
+ the relation we supplied is wellfounded, and (b) that the arguments
+ of recursive calls indeed decrease with respect to the
+ relation:
+
+ @{subgoals[display,indent=0]}
+
+ These goals are all solved by @{text "auto"}:
+*}
+
+apply auto
+done
+
+text {*
+ Let us complicate the function a little, by adding some more
+ recursive calls:
+*}
+
+function foo :: "nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+ "foo i N = (if i > N
+ then (if N = 0 then 0 else foo 0 (N - 1))
+ else i + foo (Suc i) N)"
+by pat_completeness auto
+
+text {*
+ When @{text "i"} has reached @{text "N"}, it starts at zero again
+ and @{text "N"} is decremented.
+ This corresponds to a nested
+ loop where one index counts up and the other down. Termination can
+ be proved using a lexicographic combination of two measures, namely
+ the value of @{text "N"} and the above difference. The @{const
+ "measures"} combinator generalizes @{text "measure"} by taking a
+ list of measure functions.
+*}
+
+termination
+by (relation "measures [\<lambda>(i, N). N, \<lambda>(i,N). N + 1 - i]") auto
+
+subsection {* How @{text "lexicographic_order"} works *}
+
+(*fun fails :: "nat \<Rightarrow> nat list \<Rightarrow> nat"
+where
+ "fails a [] = a"
+| "fails a (x#xs) = fails (x + a) (x # xs)"
+*)
+
+text {*
+ To see how the automatic termination proofs work, let's look at an
+ example where it fails\footnote{For a detailed discussion of the
+ termination prover, see \cite{bulwahnKN07}}:
+
+\end{isamarkuptext}
+\cmd{fun} @{text "fails :: \"nat \<Rightarrow> nat list \<Rightarrow> nat\""}\\%
+\cmd{where}\\%
+\hspace*{2ex}@{text "\"fails a [] = a\""}\\%
+|\hspace*{1.5ex}@{text "\"fails a (x#xs) = fails (x + a) (x#xs)\""}\\
+\begin{isamarkuptext}
+
+\noindent Isabelle responds with the following error:
+
+\begin{isabelle}
+*** Unfinished subgoals:\newline
+*** (a, 1, <):\newline
+*** \ 1.~@{text "\<And>x. x = 0"}\newline
+*** (a, 1, <=):\newline
+*** \ 1.~False\newline
+*** (a, 2, <):\newline
+*** \ 1.~False\newline
+*** Calls:\newline
+*** a) @{text "(a, x # xs) -->> (x + a, x # xs)"}\newline
+*** Measures:\newline
+*** 1) @{text "\<lambda>x. size (fst x)"}\newline
+*** 2) @{text "\<lambda>x. size (snd x)"}\newline
+*** Result matrix:\newline
+*** \ \ \ \ 1\ \ 2 \newline
+*** a: ? <= \newline
+*** Could not find lexicographic termination order.\newline
+*** At command "fun".\newline
+\end{isabelle}
+*}
+text {*
+ The key to this error message is the matrix at the bottom. The rows
+ of that matrix correspond to the different recursive calls (In our
+ case, there is just one). The columns are the function's arguments
+ (expressed through different measure functions, which map the
+ argument tuple to a natural number).
+
+ The contents of the matrix summarize what is known about argument
+ descents: The second argument has a weak descent (@{text "<="}) at the
+ recursive call, and for the first argument nothing could be proved,
+ which is expressed by @{text "?"}. In general, there are the values
+ @{text "<"}, @{text "<="} and @{text "?"}.
+
+ For the failed proof attempts, the unfinished subgoals are also
+ printed. Looking at these will often point to a missing lemma.
+*}
+
+subsection {* The @{text size_change} method *}
+
+text {*
+ Some termination goals that are beyond the powers of
+ @{text lexicographic_order} can be solved automatically by the
+ more powerful @{text size_change} method, which uses a variant of
+ the size-change principle, together with some other
+ techniques. While the details are discussed
+ elsewhere\cite{krauss_phd},
+ here are a few typical situations where
+ @{text lexicographic_order} has difficulties and @{text size_change}
+ may be worth a try:
+ \begin{itemize}
+ \item Arguments are permuted in a recursive call.
+ \item Several mutually recursive functions with multiple arguments.
+ \item Unusual control flow (e.g., when some recursive calls cannot
+ occur in sequence).
+ \end{itemize}
+
+ Loading the theory @{text Multiset} makes the @{text size_change}
+ method a bit stronger: it can then use multiset orders internally.
+*}
+
+section {* Mutual Recursion *}
+
+text {*
+ If two or more functions call one another mutually, they have to be defined
+ in one step. Here are @{text "even"} and @{text "odd"}:
+*}
+
+function even :: "nat \<Rightarrow> bool"
+ and odd :: "nat \<Rightarrow> bool"
+where
+ "even 0 = True"
+| "odd 0 = False"
+| "even (Suc n) = odd n"
+| "odd (Suc n) = even n"
+by pat_completeness auto
+
+text {*
+ To eliminate the mutual dependencies, Isabelle internally
+ creates a single function operating on the sum
+ type @{typ "nat + nat"}. Then, @{const even} and @{const odd} are
+ defined as projections. Consequently, termination has to be proved
+ simultaneously for both functions, by specifying a measure on the
+ sum type:
+*}
+
+termination
+by (relation "measure (\<lambda>x. case x of Inl n \<Rightarrow> n | Inr n \<Rightarrow> n)") auto
+
+text {*
+ We could also have used @{text lexicographic_order}, which
+ supports mutual recursive termination proofs to a certain extent.
+*}
+
+subsection {* Induction for mutual recursion *}
+
+text {*
+
+ When functions are mutually recursive, proving properties about them
+ generally requires simultaneous induction. The induction rule @{text "even_odd.induct"}
+ generated from the above definition reflects this.
+
+ Let us prove something about @{const even} and @{const odd}:
+*}
+
+lemma even_odd_mod2:
+ "even n = (n mod 2 = 0)"
+ "odd n = (n mod 2 = 1)"
+
+txt {*
+ We apply simultaneous induction, specifying the induction variable
+ for both goals, separated by \cmd{and}: *}
+
+apply (induct n and n rule: even_odd.induct)
+
+txt {*
+ We get four subgoals, which correspond to the clauses in the
+ definition of @{const even} and @{const odd}:
+ @{subgoals[display,indent=0]}
+ Simplification solves the first two goals, leaving us with two
+ statements about the @{text "mod"} operation to prove:
+*}
+
+apply simp_all
+
+txt {*
+ @{subgoals[display,indent=0]}
+
+ \noindent These can be handled by Isabelle's arithmetic decision procedures.
+
+*}
+
+apply arith
+apply arith
+done
+
+text {*
+ In proofs like this, the simultaneous induction is really essential:
+ Even if we are just interested in one of the results, the other
+ one is necessary to strengthen the induction hypothesis. If we leave
+ out the statement about @{const odd} and just write @{term True} instead,
+ the same proof fails:
+*}
+
+lemma failed_attempt:
+ "even n = (n mod 2 = 0)"
+ "True"
+apply (induct n rule: even_odd.induct)
+
+txt {*
+ \noindent Now the third subgoal is a dead end, since we have no
+ useful induction hypothesis available:
+
+ @{subgoals[display,indent=0]}
+*}
+
+oops
+
+section {* General pattern matching *}
+text{*\label{genpats} *}
+
+subsection {* Avoiding automatic pattern splitting *}
+
+text {*
+
+ Up to now, we used pattern matching only on datatypes, and the
+ patterns were always disjoint and complete, and if they weren't,
+ they were made disjoint automatically like in the definition of
+ @{const "sep"} in \S\ref{patmatch}.
+
+ This automatic splitting can significantly increase the number of
+ equations involved, and this is not always desirable. The following
+ example shows the problem:
+
+ Suppose we are modeling incomplete knowledge about the world by a
+ three-valued datatype, which has values @{term "T"}, @{term "F"}
+ and @{term "X"} for true, false and uncertain propositions, respectively.
+*}
+
+datatype P3 = T | F | X
+
+text {* \noindent Then the conjunction of such values can be defined as follows: *}
+
+fun And :: "P3 \<Rightarrow> P3 \<Rightarrow> P3"
+where
+ "And T p = p"
+| "And p T = p"
+| "And p F = F"
+| "And F p = F"
+| "And X X = X"
+
+
+text {*
+ This definition is useful, because the equations can directly be used
+ as simplification rules. But the patterns overlap: For example,
+ the expression @{term "And T T"} is matched by both the first and
+ the second equation. By default, Isabelle makes the patterns disjoint by
+ splitting them up, producing instances:
+*}
+
+thm And.simps
+
+text {*
+ @{thm[indent=4] And.simps}
+
+ \vspace*{1em}
+ \noindent There are several problems with this:
+
+ \begin{enumerate}
+ \item If the datatype has many constructors, there can be an
+ explosion of equations. For @{const "And"}, we get seven instead of
+ five equations, which can be tolerated, but this is just a small
+ example.
+
+ \item Since splitting makes the equations \qt{less general}, they
+ do not always match in rewriting. While the term @{term "And x F"}
+ can be simplified to @{term "F"} with the original equations, a
+ (manual) case split on @{term "x"} is now necessary.
+
+ \item The splitting also concerns the induction rule @{text
+ "And.induct"}. Instead of five premises it now has seven, which
+ means that our induction proofs will have more cases.
+
+ \item In general, it increases clarity if we get the same definition
+ back which we put in.
+ \end{enumerate}
+
+ If we do not want the automatic splitting, we can switch it off by
+ leaving out the \cmd{sequential} option. However, we will have to
+ prove that our pattern matching is consistent\footnote{This prevents
+ us from defining something like @{term "f x = True"} and @{term "f x
+ = False"} simultaneously.}:
+*}
+
+function And2 :: "P3 \<Rightarrow> P3 \<Rightarrow> P3"
+where
+ "And2 T p = p"
+| "And2 p T = p"
+| "And2 p F = F"
+| "And2 F p = F"
+| "And2 X X = X"
+
+txt {*
+ \noindent Now let's look at the proof obligations generated by a
+ function definition. In this case, they are:
+
+ @{subgoals[display,indent=0]}\vspace{-1.2em}\hspace{3cm}\vdots\vspace{1.2em}
+
+ The first subgoal expresses the completeness of the patterns. It has
+ the form of an elimination rule and states that every @{term x} of
+ the function's input type must match at least one of the patterns\footnote{Completeness could
+ be equivalently stated as a disjunction of existential statements:
+@{term "(\<exists>p. x = (T, p)) \<or> (\<exists>p. x = (p, T)) \<or> (\<exists>p. x = (p, F)) \<or>
+ (\<exists>p. x = (F, p)) \<or> (x = (X, X))"}, and you can use the method @{text atomize_elim} to get that form instead.}. If the patterns just involve
+ datatypes, we can solve it with the @{text "pat_completeness"}
+ method:
+*}
+
+apply pat_completeness
+
+txt {*
+ The remaining subgoals express \emph{pattern compatibility}. We do
+ allow that an input value matches multiple patterns, but in this
+ case, the result (i.e.~the right hand sides of the equations) must
+ also be equal. For each pair of two patterns, there is one such
+ subgoal. Usually this needs injectivity of the constructors, which
+ is used automatically by @{text "auto"}.
+*}
+
+by auto
+termination by (relation "{}") simp
+
+
+subsection {* Non-constructor patterns *}
+
+text {*
+ Most of Isabelle's basic types take the form of inductive datatypes,
+ and usually pattern matching works on the constructors of such types.
+ However, this need not be always the case, and the \cmd{function}
+ command handles other kind of patterns, too.
+
+ One well-known instance of non-constructor patterns are
+ so-called \emph{$n+k$-patterns}, which are a little controversial in
+ the functional programming world. Here is the initial fibonacci
+ example with $n+k$-patterns:
+*}
+
+function fib2 :: "nat \<Rightarrow> nat"
+where
+ "fib2 0 = 1"
+| "fib2 1 = 1"
+| "fib2 (n + 2) = fib2 n + fib2 (Suc n)"
+
+txt {*
+ This kind of matching is again justified by the proof of pattern
+ completeness and compatibility.
+ The proof obligation for pattern completeness states that every natural number is
+ either @{term "0::nat"}, @{term "1::nat"} or @{term "n +
+ (2::nat)"}:
+
+ @{subgoals[display,indent=0,goals_limit=1]}
+
+ This is an arithmetic triviality, but unfortunately the
+ @{text arith} method cannot handle this specific form of an
+ elimination rule. However, we can use the method @{text
+ "atomize_elim"} to do an ad-hoc conversion to a disjunction of
+ existentials, which can then be solved by the arithmetic decision procedure.
+ Pattern compatibility and termination are automatic as usual.
+*}
+apply atomize_elim
+apply arith
+apply auto
+done
+termination by lexicographic_order
+text {*
+ We can stretch the notion of pattern matching even more. The
+ following function is not a sensible functional program, but a
+ perfectly valid mathematical definition:
+*}
+
+function ev :: "nat \<Rightarrow> bool"
+where
+ "ev (2 * n) = True"
+| "ev (2 * n + 1) = False"
+apply atomize_elim
+by arith+
+termination by (relation "{}") simp
+
+text {*
+ This general notion of pattern matching gives you a certain freedom
+ in writing down specifications. However, as always, such freedom should
+ be used with care:
+
+ If we leave the area of constructor
+ patterns, we have effectively departed from the world of functional
+ programming. This means that it is no longer possible to use the
+ code generator, and expect it to generate ML code for our
+ definitions. Also, such a specification might not work very well together with
+ simplification. Your mileage may vary.
+*}
+
+
+subsection {* Conditional equations *}
+
+text {*
+ The function package also supports conditional equations, which are
+ similar to guards in a language like Haskell. Here is Euclid's
+ algorithm written with conditional patterns\footnote{Note that the
+ patterns are also overlapping in the base case}:
+*}
+
+function gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat"
+where
+ "gcd x 0 = x"
+| "gcd 0 y = y"
+| "x < y \<Longrightarrow> gcd (Suc x) (Suc y) = gcd (Suc x) (y - x)"
+| "\<not> x < y \<Longrightarrow> gcd (Suc x) (Suc y) = gcd (x - y) (Suc y)"
+by (atomize_elim, auto, arith)
+termination by lexicographic_order
+
+text {*
+ By now, you can probably guess what the proof obligations for the
+ pattern completeness and compatibility look like.
+
+ Again, functions with conditional patterns are not supported by the
+ code generator.
+*}
+
+
+subsection {* Pattern matching on strings *}
+
+text {*
+ As strings (as lists of characters) are normal datatypes, pattern
+ matching on them is possible, but somewhat problematic. Consider the
+ following definition:
+
+\end{isamarkuptext}
+\noindent\cmd{fun} @{text "check :: \"string \<Rightarrow> bool\""}\\%
+\cmd{where}\\%
+\hspace*{2ex}@{text "\"check (''good'') = True\""}\\%
+@{text "| \"check s = False\""}
+\begin{isamarkuptext}
+
+ \noindent An invocation of the above \cmd{fun} command does not
+ terminate. What is the problem? Strings are lists of characters, and
+ characters are a datatype with a lot of constructors. Splitting the
+ catch-all pattern thus leads to an explosion of cases, which cannot
+ be handled by Isabelle.
+
+ There are two things we can do here. Either we write an explicit
+ @{text "if"} on the right hand side, or we can use conditional patterns:
+*}
+
+function check :: "string \<Rightarrow> bool"
+where
+ "check (''good'') = True"
+| "s \<noteq> ''good'' \<Longrightarrow> check s = False"
+by auto
+termination by (relation "{}") simp
+
+
+section {* Partiality *}
+
+text {*
+ In HOL, all functions are total. A function @{term "f"} applied to
+ @{term "x"} always has the value @{term "f x"}, and there is no notion
+ of undefinedness.
+ This is why we have to do termination
+ proofs when defining functions: The proof justifies that the
+ function can be defined by wellfounded recursion.
+
+ However, the \cmd{function} package does support partiality to a
+ certain extent. Let's look at the following function which looks
+ for a zero of a given function f.
+*}
+
+function (*<*)(domintros)(*>*)findzero :: "(nat \<Rightarrow> nat) \<Rightarrow> nat \<Rightarrow> nat"
+where
+ "findzero f n = (if f n = 0 then n else findzero f (Suc n))"
+by pat_completeness auto
+
+text {*
+ \noindent Clearly, any attempt of a termination proof must fail. And without
+ that, we do not get the usual rules @{text "findzero.simps"} and
+ @{text "findzero.induct"}. So what was the definition good for at all?
+*}
+
+subsection {* Domain predicates *}
+
+text {*
+ The trick is that Isabelle has not only defined the function @{const findzero}, but also
+ a predicate @{term "findzero_dom"} that characterizes the values where the function
+ terminates: the \emph{domain} of the function. If we treat a
+ partial function just as a total function with an additional domain
+ predicate, we can derive simplification and
+ induction rules as we do for total functions. They are guarded
+ by domain conditions and are called @{text psimps} and @{text
+ pinduct}:
+*}
+
+text {*
+ \noindent\begin{minipage}{0.79\textwidth}@{thm[display,margin=85] findzero.psimps}\end{minipage}
+ \hfill(@{text "findzero.psimps"})
+ \vspace{1em}
+
+ \noindent\begin{minipage}{0.79\textwidth}@{thm[display,margin=85] findzero.pinduct}\end{minipage}
+ \hfill(@{text "findzero.pinduct"})
+*}
+
+text {*
+ Remember that all we
+ are doing here is use some tricks to make a total function appear
+ as if it was partial. We can still write the term @{term "findzero
+ (\<lambda>x. 1) 0"} and like any other term of type @{typ nat} it is equal
+ to some natural number, although we might not be able to find out
+ which one. The function is \emph{underdefined}.
+
+ But it is defined enough to prove something interesting about it. We
+ can prove that if @{term "findzero f n"}
+ terminates, it indeed returns a zero of @{term f}:
+*}
+
+lemma findzero_zero: "findzero_dom (f, n) \<Longrightarrow> f (findzero f n) = 0"
+
+txt {* \noindent We apply induction as usual, but using the partial induction
+ rule: *}
+
+apply (induct f n rule: findzero.pinduct)
+
+txt {* \noindent This gives the following subgoals:
+
+ @{subgoals[display,indent=0]}
+
+ \noindent The hypothesis in our lemma was used to satisfy the first premise in
+ the induction rule. However, we also get @{term
+ "findzero_dom (f, n)"} as a local assumption in the induction step. This
+ allows unfolding @{term "findzero f n"} using the @{text psimps}
+ rule, and the rest is trivial.
+ *}
+apply (simp add: findzero.psimps)
+done
+
+text {*
+ Proofs about partial functions are often not harder than for total
+ functions. Fig.~\ref{findzero_isar} shows a slightly more
+ complicated proof written in Isar. It is verbose enough to show how
+ partiality comes into play: From the partial induction, we get an
+ additional domain condition hypothesis. Observe how this condition
+ is applied when calls to @{term findzero} are unfolded.
+*}
+
+text_raw {*
+\begin{figure}
+\hrule\vspace{6pt}
+\begin{minipage}{0.8\textwidth}
+\isabellestyle{it}
+\isastyle\isamarkuptrue
+*}
+lemma "\<lbrakk>findzero_dom (f, n); x \<in> {n ..< findzero f n}\<rbrakk> \<Longrightarrow> f x \<noteq> 0"
+proof (induct rule: findzero.pinduct)
+ fix f n assume dom: "findzero_dom (f, n)"
+ and IH: "\<lbrakk>f n \<noteq> 0; x \<in> {Suc n ..< findzero f (Suc n)}\<rbrakk> \<Longrightarrow> f x \<noteq> 0"
+ and x_range: "x \<in> {n ..< findzero f n}"
+ have "f n \<noteq> 0"
+ proof
+ assume "f n = 0"
+ with dom have "findzero f n = n" by (simp add: findzero.psimps)
+ with x_range show False by auto
+ qed
+
+ from x_range have "x = n \<or> x \<in> {Suc n ..< findzero f n}" by auto
+ thus "f x \<noteq> 0"
+ proof
+ assume "x = n"
+ with `f n \<noteq> 0` show ?thesis by simp
+ next
+ assume "x \<in> {Suc n ..< findzero f n}"
+ with dom and `f n \<noteq> 0` have "x \<in> {Suc n ..< findzero f (Suc n)}" by (simp add: findzero.psimps)
+ with IH and `f n \<noteq> 0`
+ show ?thesis by simp
+ qed
+qed
+text_raw {*
+\isamarkupfalse\isabellestyle{tt}
+\end{minipage}\vspace{6pt}\hrule
+\caption{A proof about a partial function}\label{findzero_isar}
+\end{figure}
+*}
+
+subsection {* Partial termination proofs *}
+
+text {*
+ Now that we have proved some interesting properties about our
+ function, we should turn to the domain predicate and see if it is
+ actually true for some values. Otherwise we would have just proved
+ lemmas with @{term False} as a premise.
+
+ Essentially, we need some introduction rules for @{text
+ findzero_dom}. The function package can prove such domain
+ introduction rules automatically. But since they are not used very
+ often (they are almost never needed if the function is total), this
+ functionality is disabled by default for efficiency reasons. So we have to go
+ back and ask for them explicitly by passing the @{text
+ "(domintros)"} option to the function package:
+
+\vspace{1ex}
+\noindent\cmd{function} @{text "(domintros) findzero :: \"(nat \<Rightarrow> nat) \<Rightarrow> nat \<Rightarrow> nat\""}\\%
+\cmd{where}\isanewline%
+\ \ \ldots\\
+
+ \noindent Now the package has proved an introduction rule for @{text findzero_dom}:
+*}
+
+thm findzero.domintros
+
+text {*
+ @{thm[display] findzero.domintros}
+
+ Domain introduction rules allow to show that a given value lies in the
+ domain of a function, if the arguments of all recursive calls
+ are in the domain as well. They allow to do a \qt{single step} in a
+ termination proof. Usually, you want to combine them with a suitable
+ induction principle.
+
+ Since our function increases its argument at recursive calls, we
+ need an induction principle which works \qt{backwards}. We will use
+ @{text inc_induct}, which allows to do induction from a fixed number
+ \qt{downwards}:
+
+ \begin{center}@{thm inc_induct}\hfill(@{text "inc_induct"})\end{center}
+
+ Figure \ref{findzero_term} gives a detailed Isar proof of the fact
+ that @{text findzero} terminates if there is a zero which is greater
+ or equal to @{term n}. First we derive two useful rules which will
+ solve the base case and the step case of the induction. The
+ induction is then straightforward, except for the unusual induction
+ principle.
+
+*}
+
+text_raw {*
+\begin{figure}
+\hrule\vspace{6pt}
+\begin{minipage}{0.8\textwidth}
+\isabellestyle{it}
+\isastyle\isamarkuptrue
+*}
+lemma findzero_termination:
+ assumes "x \<ge> n" and "f x = 0"
+ shows "findzero_dom (f, n)"
+proof -
+ have base: "findzero_dom (f, x)"
+ by (rule findzero.domintros) (simp add:`f x = 0`)
+
+ have step: "\<And>i. findzero_dom (f, Suc i)
+ \<Longrightarrow> findzero_dom (f, i)"
+ by (rule findzero.domintros) simp
+
+ from `x \<ge> n` show ?thesis
+ proof (induct rule:inc_induct)
+ show "findzero_dom (f, x)" by (rule base)
+ next
+ fix i assume "findzero_dom (f, Suc i)"
+ thus "findzero_dom (f, i)" by (rule step)
+ qed
+qed
+text_raw {*
+\isamarkupfalse\isabellestyle{tt}
+\end{minipage}\vspace{6pt}\hrule
+\caption{Termination proof for @{text findzero}}\label{findzero_term}
+\end{figure}
+*}
+
+text {*
+ Again, the proof given in Fig.~\ref{findzero_term} has a lot of
+ detail in order to explain the principles. Using more automation, we
+ can also have a short proof:
+*}
+
+lemma findzero_termination_short:
+ assumes zero: "x >= n"
+ assumes [simp]: "f x = 0"
+ shows "findzero_dom (f, n)"
+using zero
+by (induct rule:inc_induct) (auto intro: findzero.domintros)
+
+text {*
+ \noindent It is simple to combine the partial correctness result with the
+ termination lemma:
+*}
+
+lemma findzero_total_correctness:
+ "f x = 0 \<Longrightarrow> f (findzero f 0) = 0"
+by (blast intro: findzero_zero findzero_termination)
+
+subsection {* Definition of the domain predicate *}
+
+text {*
+ Sometimes it is useful to know what the definition of the domain
+ predicate looks like. Actually, @{text findzero_dom} is just an
+ abbreviation:
+
+ @{abbrev[display] findzero_dom}
+
+ The domain predicate is the \emph{accessible part} of a relation @{const
+ findzero_rel}, which was also created internally by the function
+ package. @{const findzero_rel} is just a normal
+ inductive predicate, so we can inspect its definition by
+ looking at the introduction rules @{text findzero_rel.intros}.
+ In our case there is just a single rule:
+
+ @{thm[display] findzero_rel.intros}
+
+ The predicate @{const findzero_rel}
+ describes the \emph{recursion relation} of the function
+ definition. The recursion relation is a binary relation on
+ the arguments of the function that relates each argument to its
+ recursive calls. In general, there is one introduction rule for each
+ recursive call.
+
+ The predicate @{term "accp findzero_rel"} is the accessible part of
+ that relation. An argument belongs to the accessible part, if it can
+ be reached in a finite number of steps (cf.~its definition in @{text
+ "Wellfounded.thy"}).
+
+ Since the domain predicate is just an abbreviation, you can use
+ lemmas for @{const accp} and @{const findzero_rel} directly. Some
+ lemmas which are occasionally useful are @{text accpI}, @{text
+ accp_downward}, and of course the introduction and elimination rules
+ for the recursion relation @{text "findzero.intros"} and @{text "findzero.cases"}.
+*}
+
+section {* Nested recursion *}
+
+text {*
+ Recursive calls which are nested in one another frequently cause
+ complications, since their termination proof can depend on a partial
+ correctness property of the function itself.
+
+ As a small example, we define the \qt{nested zero} function:
+*}
+
+function nz :: "nat \<Rightarrow> nat"
+where
+ "nz 0 = 0"
+| "nz (Suc n) = nz (nz n)"
+by pat_completeness auto
+
+text {*
+ If we attempt to prove termination using the identity measure on
+ naturals, this fails:
+*}
+
+termination
+ apply (relation "measure (\<lambda>n. n)")
+ apply auto
+
+txt {*
+ We get stuck with the subgoal
+
+ @{subgoals[display]}
+
+ Of course this statement is true, since we know that @{const nz} is
+ the zero function. And in fact we have no problem proving this
+ property by induction.
+*}
+(*<*)oops(*>*)
+lemma nz_is_zero: "nz_dom n \<Longrightarrow> nz n = 0"
+ by (induct rule:nz.pinduct) (auto simp: nz.psimps)
+
+text {*
+ We formulate this as a partial correctness lemma with the condition
+ @{term "nz_dom n"}. This allows us to prove it with the @{text
+ pinduct} rule before we have proved termination. With this lemma,
+ the termination proof works as expected:
+*}
+
+termination
+ by (relation "measure (\<lambda>n. n)") (auto simp: nz_is_zero)
+
+text {*
+ As a general strategy, one should prove the statements needed for
+ termination as a partial property first. Then they can be used to do
+ the termination proof. This also works for less trivial
+ examples. Figure \ref{f91} defines the 91-function, a well-known
+ challenge problem due to John McCarthy, and proves its termination.
+*}
+
+text_raw {*
+\begin{figure}
+\hrule\vspace{6pt}
+\begin{minipage}{0.8\textwidth}
+\isabellestyle{it}
+\isastyle\isamarkuptrue
+*}
+
+function f91 :: "nat \<Rightarrow> nat"
+where
+ "f91 n = (if 100 < n then n - 10 else f91 (f91 (n + 11)))"
+by pat_completeness auto
+
+lemma f91_estimate:
+ assumes trm: "f91_dom n"
+ shows "n < f91 n + 11"
+using trm by induct (auto simp: f91.psimps)
+
+termination
+proof
+ let ?R = "measure (\<lambda>x. 101 - x)"
+ show "wf ?R" ..
+
+ fix n :: nat assume "\<not> 100 < n" -- "Assumptions for both calls"
+
+ thus "(n + 11, n) \<in> ?R" by simp -- "Inner call"
+
+ assume inner_trm: "f91_dom (n + 11)" -- "Outer call"
+ with f91_estimate have "n + 11 < f91 (n + 11) + 11" .
+ with `\<not> 100 < n` show "(f91 (n + 11), n) \<in> ?R" by simp
+qed
+
+text_raw {*
+\isamarkupfalse\isabellestyle{tt}
+\end{minipage}
+\vspace{6pt}\hrule
+\caption{McCarthy's 91-function}\label{f91}
+\end{figure}
+*}
+
+
+section {* Higher-Order Recursion *}
+
+text {*
+ Higher-order recursion occurs when recursive calls
+ are passed as arguments to higher-order combinators such as @{const
+ map}, @{term filter} etc.
+ As an example, imagine a datatype of n-ary trees:
+*}
+
+datatype 'a tree =
+ Leaf 'a
+| Branch "'a tree list"
+
+
+text {* \noindent We can define a function which swaps the left and right subtrees recursively, using the
+ list functions @{const rev} and @{const map}: *}
+
+fun mirror :: "'a tree \<Rightarrow> 'a tree"
+where
+ "mirror (Leaf n) = Leaf n"
+| "mirror (Branch l) = Branch (rev (map mirror l))"
+
+text {*
+ Although the definition is accepted without problems, let us look at the termination proof:
+*}
+
+termination proof
+ txt {*
+
+ As usual, we have to give a wellfounded relation, such that the
+ arguments of the recursive calls get smaller. But what exactly are
+ the arguments of the recursive calls when mirror is given as an
+ argument to @{const map}? Isabelle gives us the
+ subgoals
+
+ @{subgoals[display,indent=0]}
+
+ So the system seems to know that @{const map} only
+ applies the recursive call @{term "mirror"} to elements
+ of @{term "l"}, which is essential for the termination proof.
+
+ This knowledge about @{const map} is encoded in so-called congruence rules,
+ which are special theorems known to the \cmd{function} command. The
+ rule for @{const map} is
+
+ @{thm[display] map_cong}
+
+ You can read this in the following way: Two applications of @{const
+ map} are equal, if the list arguments are equal and the functions
+ coincide on the elements of the list. This means that for the value
+ @{term "map f l"} we only have to know how @{term f} behaves on
+ the elements of @{term l}.
+
+ Usually, one such congruence rule is
+ needed for each higher-order construct that is used when defining
+ new functions. In fact, even basic functions like @{const
+ If} and @{const Let} are handled by this mechanism. The congruence
+ rule for @{const If} states that the @{text then} branch is only
+ relevant if the condition is true, and the @{text else} branch only if it
+ is false:
+
+ @{thm[display] if_cong}
+
+ Congruence rules can be added to the
+ function package by giving them the @{term fundef_cong} attribute.
+
+ The constructs that are predefined in Isabelle, usually
+ come with the respective congruence rules.
+ But if you define your own higher-order functions, you may have to
+ state and prove the required congruence rules yourself, if you want to use your
+ functions in recursive definitions.
+*}
+(*<*)oops(*>*)
+
+subsection {* Congruence Rules and Evaluation Order *}
+
+text {*
+ Higher order logic differs from functional programming languages in
+ that it has no built-in notion of evaluation order. A program is
+ just a set of equations, and it is not specified how they must be
+ evaluated.
+
+ However for the purpose of function definition, we must talk about
+ evaluation order implicitly, when we reason about termination.
+ Congruence rules express that a certain evaluation order is
+ consistent with the logical definition.
+
+ Consider the following function.
+*}
+
+function f :: "nat \<Rightarrow> bool"
+where
+ "f n = (n = 0 \<or> f (n - 1))"
+(*<*)by pat_completeness auto(*>*)
+
+text {*
+ For this definition, the termination proof fails. The default configuration
+ specifies no congruence rule for disjunction. We have to add a
+ congruence rule that specifies left-to-right evaluation order:
+
+ \vspace{1ex}
+ \noindent @{thm disj_cong}\hfill(@{text "disj_cong"})
+ \vspace{1ex}
+
+ Now the definition works without problems. Note how the termination
+ proof depends on the extra condition that we get from the congruence
+ rule.
+
+ However, as evaluation is not a hard-wired concept, we
+ could just turn everything around by declaring a different
+ congruence rule. Then we can make the reverse definition:
+*}
+
+lemma disj_cong2[fundef_cong]:
+ "(\<not> Q' \<Longrightarrow> P = P') \<Longrightarrow> (Q = Q') \<Longrightarrow> (P \<or> Q) = (P' \<or> Q')"
+ by blast
+
+fun f' :: "nat \<Rightarrow> bool"
+where
+ "f' n = (f' (n - 1) \<or> n = 0)"
+
+text {*
+ \noindent These examples show that, in general, there is no \qt{best} set of
+ congruence rules.
+
+ However, such tweaking should rarely be necessary in
+ practice, as most of the time, the default set of congruence rules
+ works well.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/conclusion.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,7 @@
+\section{Conclusion}
+
+\fixme{}
+
+
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/intro.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,55 @@
+\section{Introduction}
+
+Starting from Isabelle 2007, new facilities for recursive
+function definitions~\cite{krauss2006} are available. They provide
+better support for general recursive definitions than previous
+packages. But despite all tool support, function definitions can
+sometimes be a difficult thing.
+
+This tutorial is an example-guided introduction to the practical use
+of the package and related tools. It should help you get started with
+defining functions quickly. For the more difficult definitions we will
+discuss what problems can arise, and how they can be solved.
+
+We assume that you have mastered the fundamentals of Isabelle/HOL
+and are able to write basic specifications and proofs. To start out
+with Isabelle in general, consult the Isabelle/HOL tutorial
+\cite{isa-tutorial}.
+
+
+
+\paragraph{Structure of this tutorial.}
+Section 2 introduces the syntax and basic operation of the \cmd{fun}
+command, which provides full automation with reasonable default
+behavior. The impatient reader can stop after that
+section, and consult the remaining sections only when needed.
+Section 3 introduces the more verbose \cmd{function} command which
+gives fine-grained control. This form should be used
+whenever the short form fails.
+After that we discuss more specialized issues:
+termination, mutual, nested and higher-order recursion, partiality, pattern matching
+and others.
+
+
+\paragraph{Some background.}
+Following the LCF tradition, the package is realized as a definitional
+extension: Recursive definitions are internally transformed into a
+non-recursive form, such that the function can be defined using
+standard definition facilities. Then the recursive specification is
+derived from the primitive definition. This is a complex task, but it
+is fully automated and mostly transparent to the user. Definitional
+extensions are valuable because they are conservative by construction:
+The \qt{new} concept of general wellfounded recursion is completely reduced
+to existing principles.
+
+
+
+
+The new \cmd{function} command, and its short form \cmd{fun} have mostly
+replaced the traditional \cmd{recdef} command \cite{slind-tfl}. They solve
+a few of technical issues around \cmd{recdef}, and allow definitions
+which were not previously possible.
+
+
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/mathpartir.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,421 @@
+% Mathpartir --- Math Paragraph for Typesetting Inference Rules
+%
+% Copyright (C) 2001, 2002, 2003, 2004, 2005 Didier Rémy
+%
+% Author : Didier Remy
+% Version : 1.2.0
+% Bug Reports : to author
+% Web Site : http://pauillac.inria.fr/~remy/latex/
+%
+% Mathpartir is free software; you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation; either version 2, or (at your option)
+% any later version.
+%
+% Mathpartir is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details
+% (http://pauillac.inria.fr/~remy/license/GPL).
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% File mathpartir.sty (LaTeX macros)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{mathpartir}
+ [2005/12/20 version 1.2.0 Math Paragraph for Typesetting Inference Rules]
+
+%%
+
+%% Identification
+%% Preliminary declarations
+
+\RequirePackage {keyval}
+
+%% Options
+%% More declarations
+
+%% PART I: Typesetting maths in paragraphe mode
+
+\newdimen \mpr@tmpdim
+
+% To ensure hevea \hva compatibility, \hva should expands to nothing
+% in mathpar or in inferrule
+\let \mpr@hva \empty
+
+%% normal paragraph parametters, should rather be taken dynamically
+\def \mpr@savepar {%
+ \edef \MathparNormalpar
+ {\noexpand \lineskiplimit \the\lineskiplimit
+ \noexpand \lineskip \the\lineskip}%
+ }
+
+\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
+\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
+\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
+\let \MathparLineskip \mpr@lineskip
+\def \mpr@paroptions {\MathparLineskip}
+\let \mpr@prebindings \relax
+
+\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
+
+\def \mpr@goodbreakand
+ {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
+\def \mpr@and {\hskip \mpr@andskip}
+\def \mpr@andcr {\penalty 50\mpr@and}
+\def \mpr@cr {\penalty -10000\mpr@and}
+\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
+
+\def \mpr@bindings {%
+ \let \and \mpr@andcr
+ \let \par \mpr@andcr
+ \let \\\mpr@cr
+ \let \eqno \mpr@eqno
+ \let \hva \mpr@hva
+ }
+\let \MathparBindings \mpr@bindings
+
+% \@ifundefined {ignorespacesafterend}
+% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
+
+\newenvironment{mathpar}[1][]
+ {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
+ \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
+ \noindent $\displaystyle\fi
+ \MathparBindings}
+ {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
+
+% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
+% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
+
+%%% HOV BOXES
+
+\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
+ \vbox \bgroup \tabskip 0em \let \\ \cr
+ \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
+ \egroup}
+
+\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
+ \box0\else \mathvbox {#1}\fi}
+
+
+%% Part II -- operations on lists
+
+\newtoks \mpr@lista
+\newtoks \mpr@listb
+
+\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
+
+\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
+
+\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
+\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
+
+\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
+\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
+
+\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
+\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
+
+\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
+ \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
+ \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
+ \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
+ \mpr@flatten \mpr@all \mpr@to \mpr@one
+ \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
+ \mpr@all \mpr@stripend
+ \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
+ \ifx 1\mpr@isempty
+ \repeat
+}
+
+\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
+ \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
+
+%% Part III -- Type inference rules
+
+\newif \if@premisse
+\newbox \mpr@hlist
+\newbox \mpr@vlist
+\newif \ifmpr@center \mpr@centertrue
+\def \mpr@htovlist {%
+ \setbox \mpr@hlist
+ \hbox {\strut
+ \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
+ \unhbox \mpr@hlist}%
+ \setbox \mpr@vlist
+ \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+ \else \unvbox \mpr@vlist \box \mpr@hlist
+ \fi}%
+}
+% OLD version
+% \def \mpr@htovlist {%
+% \setbox \mpr@hlist
+% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
+% \setbox \mpr@vlist
+% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+% \else \unvbox \mpr@vlist \box \mpr@hlist
+% \fi}%
+% }
+
+\def \mpr@item #1{$\displaystyle #1$}
+\def \mpr@sep{2em}
+\def \mpr@blank { }
+\def \mpr@hovbox #1#2{\hbox
+ \bgroup
+ \ifx #1T\@premissetrue
+ \else \ifx #1B\@premissefalse
+ \else
+ \PackageError{mathpartir}
+ {Premisse orientation should either be T or B}
+ {Fatal error in Package}%
+ \fi \fi
+ \def \@test {#2}\ifx \@test \mpr@blank\else
+ \setbox \mpr@hlist \hbox {}%
+ \setbox \mpr@vlist \vbox {}%
+ \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
+ \let \@hvlist \empty \let \@rev \empty
+ \mpr@tmpdim 0em
+ \expandafter \mpr@makelist #2\mpr@to \mpr@flat
+ \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
+ \def \\##1{%
+ \def \@test {##1}\ifx \@test \empty
+ \mpr@htovlist
+ \mpr@tmpdim 0em %%% last bug fix not extensively checked
+ \else
+ \setbox0 \hbox{\mpr@item {##1}}\relax
+ \advance \mpr@tmpdim by \wd0
+ %\mpr@tmpdim 1.02\mpr@tmpdim
+ \ifnum \mpr@tmpdim < \hsize
+ \ifnum \wd\mpr@hlist > 0
+ \if@premisse
+ \setbox \mpr@hlist
+ \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
+ \else
+ \setbox \mpr@hlist
+ \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
+ \fi
+ \else
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \else
+ \ifnum \wd \mpr@hlist > 0
+ \mpr@htovlist
+ \mpr@tmpdim \wd0
+ \fi
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \advance \mpr@tmpdim by \mpr@sep
+ \fi
+ }%
+ \@rev
+ \mpr@htovlist
+ \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
+ \fi
+ \egroup
+}
+
+%%% INFERENCE RULES
+
+\@ifundefined{@@over}{%
+ \let\@@over\over % fallback if amsmath is not loaded
+ \let\@@overwithdelims\overwithdelims
+ \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
+ \let\@@above\above \let\@@abovewithdelims\abovewithdelims
+ }{}
+
+%% The default
+
+\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
+ $\displaystyle {#1\mpr@over #2}$}}
+\let \mpr@fraction \mpr@@fraction
+
+%% A generic solution to arrow
+
+\def \mpr@make@fraction #1#2#3#4#5{\hbox {%
+ \def \mpr@tail{#1}%
+ \def \mpr@body{#2}%
+ \def \mpr@head{#3}%
+ \setbox1=\hbox{$#4$}\setbox2=\hbox{$#5$}%
+ \setbox3=\hbox{$\mkern -3mu\mpr@body\mkern -3mu$}%
+ \setbox3=\hbox{$\mkern -3mu \mpr@body\mkern -3mu$}%
+ \dimen0=\dp1\advance\dimen0 by \ht3\relax\dp1\dimen0\relax
+ \dimen0=\ht2\advance\dimen0 by \dp3\relax\ht2\dimen0\relax
+ \setbox0=\hbox {$\box1 \@@atop \box2$}%
+ \dimen0=\wd0\box0
+ \box0 \hskip -\dimen0\relax
+ \hbox to \dimen0 {$%
+ \mathrel{\mpr@tail}\joinrel
+ \xleaders\hbox{\copy3}\hfil\joinrel\mathrel{\mpr@head}%
+ $}}}
+
+%% Old stuff should be removed in next version
+\def \mpr@@reduce #1#2{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
+\def \mpr@@rewrite #1#2#3{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
+\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
+
+\def \mpr@empty {}
+\def \mpr@inferrule
+ {\bgroup
+ \ifnum \linewidth<\hsize \hsize \linewidth\fi
+ \mpr@rulelineskip
+ \let \and \qquad
+ \let \hva \mpr@hva
+ \let \@rulename \mpr@empty
+ \let \@rule@options \mpr@empty
+ \let \mpr@over \@@over
+ \mpr@inferrule@}
+\newcommand {\mpr@inferrule@}[3][]
+ {\everymath={\displaystyle}%
+ \def \@test {#2}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
+ \else
+ \def \@test {#3}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
+ \else
+ \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
+ \fi \fi
+ \def \@test {#1}\ifx \@test\empty \box0
+ \else \vbox
+%%% Suggestion de Francois pour les etiquettes longues
+%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
+ {\hbox {\RefTirName {#1}}\box0}\fi
+ \egroup}
+
+\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
+
+% They are two forms
+% \inferrule [label]{[premisses}{conclusions}
+% or
+% \inferrule* [options]{[premisses}{conclusions}
+%
+% Premisses and conclusions are lists of elements separated by \\
+% Each \\ produces a break, attempting horizontal breaks if possible,
+% and vertical breaks if needed.
+%
+% An empty element obtained by \\\\ produces a vertical break in all cases.
+%
+% The former rule is aligned on the fraction bar.
+% The optional label appears on top of the rule
+% The second form to be used in a derivation tree is aligned on the last
+% line of its conclusion
+%
+% The second form can be parameterized, using the key=val interface. The
+% folloiwng keys are recognized:
+%
+% width set the width of the rule to val
+% narrower set the width of the rule to val\hsize
+% before execute val at the beginning/left
+% lab put a label [Val] on top of the rule
+% lskip add negative skip on the right
+% left put a left label [Val]
+% Left put a left label [Val], ignoring its width
+% right put a right label [Val]
+% Right put a right label [Val], ignoring its width
+% leftskip skip negative space on the left-hand side
+% rightskip skip negative space on the right-hand side
+% vdots lift the rule by val and fill vertical space with dots
+% after execute val at the end/right
+%
+% Note that most options must come in this order to avoid strange
+% typesetting (in particular leftskip must preceed left and Left and
+% rightskip must follow Right or right; vdots must come last
+% or be only followed by rightskip.
+%
+
+%% Keys that make sence in all kinds of rules
+\def \mprset #1{\setkeys{mprset}{#1}}
+\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
+\define@key {mprset}{center}[]{\mpr@centertrue}
+\define@key {mprset}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
+\define@key {mprset}{myfraction}[]{\let \mpr@fraction #1}
+\define@key {mprset}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
+
+\newbox \mpr@right
+\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
+\define@key {mpr}{center}[]{\mpr@centertrue}
+\define@key {mpr}{rewrite}[]{\let \mpr@fraction \mpr@@rewrite}
+\define@key {mpr}{myfraction}[]{\let \mpr@fraction #1}
+\define@key {mpr}{fraction}[]{\def \mpr@fraction {\mpr@make@fraction #1}}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{width}{\hsize #1}
+\define@key {mpr}{sep}{\def\mpr@sep{#1}}
+\define@key {mpr}{before}{#1}
+\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{narrower}{\hsize #1\hsize}
+\define@key {mpr}{leftskip}{\hskip -#1}
+\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
+\define@key {mpr}{rightskip}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
+\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
+\define@key {mpr}{right}
+ {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{RIGHT}
+ {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{Right}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
+\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
+\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
+
+\newdimen \rule@dimen
+\newcommand \mpr@inferstar@ [3][]{\setbox0
+ \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
+ \setbox \mpr@right \hbox{}%
+ $\setkeys{mpr}{#1}%
+ \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
+ \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
+ \box \mpr@right \mpr@vdots$}
+ \setbox1 \hbox {\strut}
+ \rule@dimen \dp0 \advance \rule@dimen by -\dp1
+ \raise \rule@dimen \box0}
+
+\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
+\newcommand \mpr@err@skipargs[3][]{}
+\def \mpr@inferstar*{\ifmmode
+ \let \@do \mpr@inferstar@
+ \else
+ \let \@do \mpr@err@skipargs
+ \PackageError {mathpartir}
+ {\string\inferrule* can only be used in math mode}{}%
+ \fi \@do}
+
+
+%%% Exports
+
+% Envirnonment mathpar
+
+\let \inferrule \mpr@infer
+
+% make a short name \infer is not already defined
+\@ifundefined {infer}{\let \infer \mpr@infer}{}
+
+\def \TirNameStyle #1{\small \textsc{#1}}
+\def \tir@name #1{\hbox {\small \TirNameStyle{#1}}}
+\let \TirName \tir@name
+\let \DefTirName \TirName
+\let \RefTirName \TirName
+
+%%% Other Exports
+
+% \let \listcons \mpr@cons
+% \let \listsnoc \mpr@snoc
+% \let \listhead \mpr@head
+% \let \listmake \mpr@makelist
+
+
+
+
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,90 @@
+
+\documentclass[a4paper,fleqn]{article}
+
+\usepackage{latexsym,graphicx}
+\usepackage[refpage]{nomencl}
+\usepackage{iman,extra,isar}
+\usepackage{isabelle,isabellesym}
+\usepackage{style}
+\usepackage{mathpartir}
+\usepackage{amsthm}
+\usepackage{pdfsetup}
+
+\newcommand{\cmd}[1]{\isacommand{#1}}
+
+\newcommand{\isasymINFIX}{\cmd{infix}}
+\newcommand{\isasymLOCALE}{\cmd{locale}}
+\newcommand{\isasymINCLUDES}{\cmd{includes}}
+\newcommand{\isasymDATATYPE}{\cmd{datatype}}
+\newcommand{\isasymDEFINES}{\cmd{defines}}
+\newcommand{\isasymNOTES}{\cmd{notes}}
+\newcommand{\isasymCLASS}{\cmd{class}}
+\newcommand{\isasymINSTANCE}{\cmd{instance}}
+\newcommand{\isasymLEMMA}{\cmd{lemma}}
+\newcommand{\isasymPROOF}{\cmd{proof}}
+\newcommand{\isasymQED}{\cmd{qed}}
+\newcommand{\isasymFIX}{\cmd{fix}}
+\newcommand{\isasymASSUME}{\cmd{assume}}
+\newcommand{\isasymSHOW}{\cmd{show}}
+\newcommand{\isasymNOTE}{\cmd{note}}
+\newcommand{\isasymCODEGEN}{\cmd{code\_gen}}
+\newcommand{\isasymPRINTCODETHMS}{\cmd{print\_codethms}}
+\newcommand{\isasymFUN}{\cmd{fun}}
+\newcommand{\isasymFUNCTION}{\cmd{function}}
+\newcommand{\isasymPRIMREC}{\cmd{primrec}}
+\newcommand{\isasymRECDEF}{\cmd{recdef}}
+
+\newcommand{\qt}[1]{``#1''}
+\newcommand{\qtt}[1]{"{}{#1}"{}}
+\newcommand{\qn}[1]{\emph{#1}}
+\newcommand{\strong}[1]{{\bfseries #1}}
+\newcommand{\fixme}[1][!]{\strong{FIXME: #1}}
+
+\newtheorem{exercise}{Exercise}{\bf}{\itshape}
+%\newtheorem*{thmstar}{Theorem}{\bf}{\itshape}
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+
+\isadroptag{theory}
+\title{Defining Recursive Functions in Isabelle/HOL}
+\author{Alexander Krauss}
+
+\isabellestyle{tt}
+\renewcommand{\isastyletxt}{\isastyletext}% use same formatting for txt and text
+
+\begin{document}
+
+\date{\ \\}
+\maketitle
+
+\begin{abstract}
+ This tutorial describes the use of the new \emph{function} package,
+ which provides general recursive function definitions for Isabelle/HOL.
+ We start with very simple examples and then gradually move on to more
+ advanced topics such as manual termination proofs, nested recursion,
+ partiality, tail recursion and congruence rules.
+\end{abstract}
+
+%\thispagestyle{empty}\clearpage
+
+%\pagenumbering{roman}
+%\clearfirst
+
+\input{intro.tex}
+\input{Functions.tex}
+%\input{conclusion.tex}
+
+\begingroup
+%\tocentry{\bibname}
+\bibliographystyle{plain} \small\raggedright\frenchspacing
+\bibliography{manual}
+\endgroup
+
+\end{document}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Functions/document/style.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,46 @@
+%% toc
+\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
+\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
+
+%% references
+\newcommand{\secref}[1]{\S\ref{#1}}
+\newcommand{\chref}[1]{chapter~\ref{#1}}
+\newcommand{\figref}[1]{figure~\ref{#1}}
+
+%% math
+\newcommand{\text}[1]{\mbox{#1}}
+\newcommand{\isasymvartheta}{\isamath{\theta}}
+\newcommand{\isactrlvec}[1]{\emph{$\overline{#1}$}}
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+\pagestyle{headings}
+\sloppy
+\binperiod
+\underscoreon
+
+\renewcommand{\isadigit}[1]{\isamath{#1}}
+
+\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
+
+\isafoldtag{FIXME}
+\isakeeptag{mlref}
+\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{\ML}~~}Reference}\begingroup\def\isastyletext{\rm}\small}
+\renewcommand{\endisatagmlref}{\endgroup}
+
+\newcommand{\isasymGUESS}{\isakeyword{guess}}
+\newcommand{\isasymOBTAIN}{\isakeyword{obtain}}
+\newcommand{\isasymTHEORY}{\isakeyword{theory}}
+\newcommand{\isasymUSES}{\isakeyword{uses}}
+\newcommand{\isasymEND}{\isakeyword{end}}
+\newcommand{\isasymCONSTS}{\isakeyword{consts}}
+\newcommand{\isasymDEFS}{\isakeyword{defs}}
+\newcommand{\isasymTHEOREM}{\isakeyword{theorem}}
+\newcommand{\isasymDEFINITION}{\isakeyword{definition}}
+
+\isabellestyle{it}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "implementation"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/HOL/document/HOL.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2089 @@
+\chapter{Higher-Order Logic}
+\index{higher-order logic|(}
+\index{HOL system@{\sc hol} system}
+
+\begin{figure}
+\begin{constants}
+ \it name &\it meta-type & \it description \\
+ \cdx{Trueprop}& $bool\To prop$ & coercion to $prop$\\
+ \cdx{Not} & $bool\To bool$ & negation ($\lnot$) \\
+ \cdx{True} & $bool$ & tautology ($\top$) \\
+ \cdx{False} & $bool$ & absurdity ($\bot$) \\
+ \cdx{If} & $[bool,\alpha,\alpha]\To\alpha$ & conditional \\
+ \cdx{Let} & $[\alpha,\alpha\To\beta]\To\beta$ & let binder
+\end{constants}
+\subcaption{Constants}
+
+\begin{constants}
+\index{"@@{\tt\at} symbol}
+\index{*"! symbol}\index{*"? symbol}
+\index{*"?"! symbol}\index{*"E"X"! symbol}
+ \it symbol &\it name &\it meta-type & \it description \\
+ \sdx{SOME} or \tt\at & \cdx{Eps} & $(\alpha\To bool)\To\alpha$ &
+ Hilbert description ($\varepsilon$) \\
+ \sdx{ALL} or {\tt!~} & \cdx{All} & $(\alpha\To bool)\To bool$ &
+ universal quantifier ($\forall$) \\
+ \sdx{EX} or {\tt?~} & \cdx{Ex} & $(\alpha\To bool)\To bool$ &
+ existential quantifier ($\exists$) \\
+ \texttt{EX!} or {\tt?!} & \cdx{Ex1} & $(\alpha\To bool)\To bool$ &
+ unique existence ($\exists!$)\\
+ \texttt{LEAST} & \cdx{Least} & $(\alpha::ord \To bool)\To\alpha$ &
+ least element
+\end{constants}
+\subcaption{Binders}
+
+\begin{constants}
+\index{*"= symbol}
+\index{&@{\tt\&} symbol}
+\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
+\index{*"-"-"> symbol}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \sdx{o} & $[\beta\To\gamma,\alpha\To\beta]\To (\alpha\To\gamma)$ &
+ Left 55 & composition ($\circ$) \\
+ \tt = & $[\alpha,\alpha]\To bool$ & Left 50 & equality ($=$) \\
+ \tt < & $[\alpha::ord,\alpha]\To bool$ & Left 50 & less than ($<$) \\
+ \tt <= & $[\alpha::ord,\alpha]\To bool$ & Left 50 &
+ less than or equals ($\leq$)\\
+ \tt \& & $[bool,bool]\To bool$ & Right 35 & conjunction ($\conj$) \\
+ \tt | & $[bool,bool]\To bool$ & Right 30 & disjunction ($\disj$) \\
+ \tt --> & $[bool,bool]\To bool$ & Right 25 & implication ($\imp$)
+\end{constants}
+\subcaption{Infixes}
+\caption{Syntax of \texttt{HOL}} \label{hol-constants}
+\end{figure}
+
+
+\begin{figure}
+\index{*let symbol}
+\index{*in symbol}
+\dquotes
+\[\begin{array}{rclcl}
+ term & = & \hbox{expression of class~$term$} \\
+ & | & "SOME~" id " . " formula
+ & | & "\at~" id " . " formula \\
+ & | &
+ \multicolumn{3}{l}{"let"~id~"="~term";"\dots";"~id~"="~term~"in"~term} \\
+ & | &
+ \multicolumn{3}{l}{"if"~formula~"then"~term~"else"~term} \\
+ & | & "LEAST"~ id " . " formula \\[2ex]
+ formula & = & \hbox{expression of type~$bool$} \\
+ & | & term " = " term \\
+ & | & term " \ttilde= " term \\
+ & | & term " < " term \\
+ & | & term " <= " term \\
+ & | & "\ttilde\ " formula \\
+ & | & formula " \& " formula \\
+ & | & formula " | " formula \\
+ & | & formula " --> " formula \\
+ & | & "ALL~" id~id^* " . " formula
+ & | & "!~~~" id~id^* " . " formula \\
+ & | & "EX~~" id~id^* " . " formula
+ & | & "?~~~" id~id^* " . " formula \\
+ & | & "EX!~" id~id^* " . " formula
+ & | & "?!~~" id~id^* " . " formula \\
+ \end{array}
+\]
+\caption{Full grammar for HOL} \label{hol-grammar}
+\end{figure}
+
+
+\section{Syntax}
+
+Figure~\ref{hol-constants} lists the constants (including infixes and
+binders), while Fig.\ts\ref{hol-grammar} presents the grammar of
+higher-order logic. Note that $a$\verb|~=|$b$ is translated to
+$\lnot(a=b)$.
+
+\begin{warn}
+ HOL has no if-and-only-if connective; logical equivalence is expressed using
+ equality. But equality has a high priority, as befitting a relation, while
+ if-and-only-if typically has the lowest priority. Thus, $\lnot\lnot P=P$
+ abbreviates $\lnot\lnot (P=P)$ and not $(\lnot\lnot P)=P$. When using $=$
+ to mean logical equivalence, enclose both operands in parentheses.
+\end{warn}
+
+\subsection{Types and overloading}
+The universal type class of higher-order terms is called~\cldx{term}.
+By default, explicit type variables have class \cldx{term}. In
+particular the equality symbol and quantifiers are polymorphic over
+class \texttt{term}.
+
+The type of formulae, \tydx{bool}, belongs to class \cldx{term}; thus,
+formulae are terms. The built-in type~\tydx{fun}, which constructs
+function types, is overloaded with arity {\tt(term,\thinspace
+ term)\thinspace term}. Thus, $\sigma\To\tau$ belongs to class~{\tt
+ term} if $\sigma$ and~$\tau$ do, allowing quantification over
+functions.
+
+HOL allows new types to be declared as subsets of existing types,
+either using the primitive \texttt{typedef} or the more convenient
+\texttt{datatype} (see~{\S}\ref{sec:HOL:datatype}).
+
+Several syntactic type classes --- \cldx{plus}, \cldx{minus},
+\cldx{times} and
+\cldx{power} --- permit overloading of the operators {\tt+},\index{*"+
+ symbol} {\tt-}\index{*"- symbol}, {\tt*}.\index{*"* symbol}
+and \verb|^|.\index{^@\verb.^. symbol}
+%
+They are overloaded to denote the obvious arithmetic operations on types
+\tdx{nat}, \tdx{int} and~\tdx{real}. (With the \verb|^| operator, the
+exponent always has type~\tdx{nat}.) Non-arithmetic overloadings are also
+done: the operator {\tt-} can denote set difference, while \verb|^| can
+denote exponentiation of relations (iterated composition). Unary minus is
+also written as~{\tt-} and is overloaded like its 2-place counterpart; it even
+can stand for set complement.
+
+The constant \cdx{0} is also overloaded. It serves as the zero element of
+several types, of which the most important is \tdx{nat} (the natural
+numbers). The type class \cldx{plus_ac0} comprises all types for which 0
+and~+ satisfy the laws $x+y=y+x$, $(x+y)+z = x+(y+z)$ and $0+x = x$. These
+types include the numeric ones \tdx{nat}, \tdx{int} and~\tdx{real} and also
+multisets. The summation operator \cdx{setsum} is available for all types in
+this class.
+
+Theory \thydx{Ord} defines the syntactic class \cldx{ord} of order
+signatures. The relations $<$ and $\leq$ are polymorphic over this
+class, as are the functions \cdx{mono}, \cdx{min} and \cdx{max}, and
+the \cdx{LEAST} operator. \thydx{Ord} also defines a subclass
+\cldx{order} of \cldx{ord} which axiomatizes the types that are partially
+ordered with respect to~$\leq$. A further subclass \cldx{linorder} of
+\cldx{order} axiomatizes linear orderings.
+For details, see the file \texttt{Ord.thy}.
+
+If you state a goal containing overloaded functions, you may need to include
+type constraints. Type inference may otherwise make the goal more
+polymorphic than you intended, with confusing results. For example, the
+variables $i$, $j$ and $k$ in the goal $i \leq j \Imp i \leq j+k$ have type
+$\alpha::\{ord,plus\}$, although you may have expected them to have some
+numeric type, e.g. $nat$. Instead you should have stated the goal as
+$(i::nat) \leq j \Imp i \leq j+k$, which causes all three variables to have
+type $nat$.
+
+\begin{warn}
+ If resolution fails for no obvious reason, try setting
+ \ttindex{show_types} to \texttt{true}, causing Isabelle to display
+ types of terms. Possibly set \ttindex{show_sorts} to \texttt{true} as
+ well, causing Isabelle to display type classes and sorts.
+
+ \index{unification!incompleteness of}
+ Where function types are involved, Isabelle's unification code does not
+ guarantee to find instantiations for type variables automatically. Be
+ prepared to use \ttindex{res_inst_tac} instead of \texttt{resolve_tac},
+ possibly instantiating type variables. Setting
+ \ttindex{Unify.trace_types} to \texttt{true} causes Isabelle to report
+ omitted search paths during unification.\index{tracing!of unification}
+\end{warn}
+
+
+\subsection{Binders}
+
+Hilbert's {\bf description} operator~$\varepsilon x. P[x]$ stands for some~$x$
+satisfying~$P$, if such exists. Since all terms in HOL denote something, a
+description is always meaningful, but we do not know its value unless $P$
+defines it uniquely. We may write descriptions as \cdx{Eps}($\lambda x.
+P[x]$) or use the syntax \hbox{\tt SOME~$x$.~$P[x]$}.
+
+Existential quantification is defined by
+\[ \exists x. P~x \;\equiv\; P(\varepsilon x. P~x). \]
+The unique existence quantifier, $\exists!x. P$, is defined in terms
+of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
+quantifications. For instance, $\exists!x\,y. P\,x\,y$ abbreviates
+$\exists!x. \exists!y. P\,x\,y$; note that this does not mean that there
+exists a unique pair $(x,y)$ satisfying~$P\,x\,y$.
+
+\medskip
+
+\index{*"! symbol}\index{*"? symbol}\index{HOL system@{\sc hol} system} The
+basic Isabelle/HOL binders have two notations. Apart from the usual
+\texttt{ALL} and \texttt{EX} for $\forall$ and $\exists$, Isabelle/HOL also
+supports the original notation of Gordon's {\sc hol} system: \texttt{!}\
+and~\texttt{?}. In the latter case, the existential quantifier \emph{must} be
+followed by a space; thus {\tt?x} is an unknown, while \verb'? x. f x=y' is a
+quantification. Both notations are accepted for input. The print mode
+``\ttindexbold{HOL}'' governs the output notation. If enabled (e.g.\ by
+passing option \texttt{-m HOL} to the \texttt{isabelle} executable),
+then~{\tt!}\ and~{\tt?}\ are displayed.
+
+\medskip
+
+If $\tau$ is a type of class \cldx{ord}, $P$ a formula and $x$ a
+variable of type $\tau$, then the term \cdx{LEAST}~$x. P[x]$ is defined
+to be the least (w.r.t.\ $\leq$) $x$ such that $P~x$ holds (see
+Fig.~\ref{hol-defs}). The definition uses Hilbert's $\varepsilon$
+choice operator, so \texttt{Least} is always meaningful, but may yield
+nothing useful in case there is not a unique least element satisfying
+$P$.\footnote{Class $ord$ does not require much of its instances, so
+ $\leq$ need not be a well-ordering, not even an order at all!}
+
+\medskip All these binders have priority 10.
+
+\begin{warn}
+The low priority of binders means that they need to be enclosed in
+parenthesis when they occur in the context of other operations. For example,
+instead of $P \land \forall x. Q$ you need to write $P \land (\forall x. Q)$.
+\end{warn}
+
+
+\subsection{The let and case constructions}
+Local abbreviations can be introduced by a \texttt{let} construct whose
+syntax appears in Fig.\ts\ref{hol-grammar}. Internally it is translated into
+the constant~\cdx{Let}. It can be expanded by rewriting with its
+definition, \tdx{Let_def}.
+
+HOL also defines the basic syntax
+\[\dquotes"case"~e~"of"~c@1~"=>"~e@1~"|" \dots "|"~c@n~"=>"~e@n\]
+as a uniform means of expressing \texttt{case} constructs. Therefore \texttt{case}
+and \sdx{of} are reserved words. Initially, this is mere syntax and has no
+logical meaning. By declaring translations, you can cause instances of the
+\texttt{case} construct to denote applications of particular case operators.
+This is what happens automatically for each \texttt{datatype} definition
+(see~{\S}\ref{sec:HOL:datatype}).
+
+\begin{warn}
+Both \texttt{if} and \texttt{case} constructs have as low a priority as
+quantifiers, which requires additional enclosing parentheses in the context
+of most other operations. For example, instead of $f~x = {\tt if\dots
+then\dots else}\dots$ you need to write $f~x = ({\tt if\dots then\dots
+else\dots})$.
+\end{warn}
+
+\section{Rules of inference}
+
+\begin{figure}
+\begin{ttbox}\makeatother
+\tdx{refl} t = (t::'a)
+\tdx{subst} [| s = t; P s |] ==> P (t::'a)
+\tdx{ext} (!!x::'a. (f x :: 'b) = g x) ==> (\%x. f x) = (\%x. g x)
+\tdx{impI} (P ==> Q) ==> P-->Q
+\tdx{mp} [| P-->Q; P |] ==> Q
+\tdx{iff} (P-->Q) --> (Q-->P) --> (P=Q)
+\tdx{someI} P(x::'a) ==> P(@x. P x)
+\tdx{True_or_False} (P=True) | (P=False)
+\end{ttbox}
+\caption{The \texttt{HOL} rules} \label{hol-rules}
+\end{figure}
+
+Figure~\ref{hol-rules} shows the primitive inference rules of~HOL, with
+their~{\ML} names. Some of the rules deserve additional comments:
+\begin{ttdescription}
+\item[\tdx{ext}] expresses extensionality of functions.
+\item[\tdx{iff}] asserts that logically equivalent formulae are
+ equal.
+\item[\tdx{someI}] gives the defining property of the Hilbert
+ $\varepsilon$-operator. It is a form of the Axiom of Choice. The derived rule
+ \tdx{some_equality} (see below) is often easier to use.
+\item[\tdx{True_or_False}] makes the logic classical.\footnote{In
+ fact, the $\varepsilon$-operator already makes the logic classical, as
+ shown by Diaconescu; see Paulson~\cite{paulson-COLOG} for details.}
+\end{ttdescription}
+
+
+\begin{figure}\hfuzz=4pt%suppress "Overfull \hbox" message
+\begin{ttbox}\makeatother
+\tdx{True_def} True == ((\%x::bool. x)=(\%x. x))
+\tdx{All_def} All == (\%P. P = (\%x. True))
+\tdx{Ex_def} Ex == (\%P. P(@x. P x))
+\tdx{False_def} False == (!P. P)
+\tdx{not_def} not == (\%P. P-->False)
+\tdx{and_def} op & == (\%P Q. !R. (P-->Q-->R) --> R)
+\tdx{or_def} op | == (\%P Q. !R. (P-->R) --> (Q-->R) --> R)
+\tdx{Ex1_def} Ex1 == (\%P. ? x. P x & (! y. P y --> y=x))
+
+\tdx{o_def} op o == (\%(f::'b=>'c) g x::'a. f(g x))
+\tdx{if_def} If P x y ==
+ (\%P x y. @z::'a.(P=True --> z=x) & (P=False --> z=y))
+\tdx{Let_def} Let s f == f s
+\tdx{Least_def} Least P == @x. P(x) & (ALL y. P(y) --> x <= y)"
+\end{ttbox}
+\caption{The \texttt{HOL} definitions} \label{hol-defs}
+\end{figure}
+
+
+HOL follows standard practice in higher-order logic: only a few connectives
+are taken as primitive, with the remainder defined obscurely
+(Fig.\ts\ref{hol-defs}). Gordon's {\sc hol} system expresses the
+corresponding definitions \cite[page~270]{mgordon-hol} using
+object-equality~({\tt=}), which is possible because equality in higher-order
+logic may equate formulae and even functions over formulae. But theory~HOL,
+like all other Isabelle theories, uses meta-equality~({\tt==}) for
+definitions.
+\begin{warn}
+The definitions above should never be expanded and are shown for completeness
+only. Instead users should reason in terms of the derived rules shown below
+or, better still, using high-level tactics.
+\end{warn}
+
+Some of the rules mention type variables; for example, \texttt{refl}
+mentions the type variable~{\tt'a}. This allows you to instantiate
+type variables explicitly by calling \texttt{res_inst_tac}.
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{sym} s=t ==> t=s
+\tdx{trans} [| r=s; s=t |] ==> r=t
+\tdx{ssubst} [| t=s; P s |] ==> P t
+\tdx{box_equals} [| a=b; a=c; b=d |] ==> c=d
+\tdx{arg_cong} x = y ==> f x = f y
+\tdx{fun_cong} f = g ==> f x = g x
+\tdx{cong} [| f = g; x = y |] ==> f x = g y
+\tdx{not_sym} t ~= s ==> s ~= t
+\subcaption{Equality}
+
+\tdx{TrueI} True
+\tdx{FalseE} False ==> P
+
+\tdx{conjI} [| P; Q |] ==> P&Q
+\tdx{conjunct1} [| P&Q |] ==> P
+\tdx{conjunct2} [| P&Q |] ==> Q
+\tdx{conjE} [| P&Q; [| P; Q |] ==> R |] ==> R
+
+\tdx{disjI1} P ==> P|Q
+\tdx{disjI2} Q ==> P|Q
+\tdx{disjE} [| P | Q; P ==> R; Q ==> R |] ==> R
+
+\tdx{notI} (P ==> False) ==> ~ P
+\tdx{notE} [| ~ P; P |] ==> R
+\tdx{impE} [| P-->Q; P; Q ==> R |] ==> R
+\subcaption{Propositional logic}
+
+\tdx{iffI} [| P ==> Q; Q ==> P |] ==> P=Q
+\tdx{iffD1} [| P=Q; P |] ==> Q
+\tdx{iffD2} [| P=Q; Q |] ==> P
+\tdx{iffE} [| P=Q; [| P --> Q; Q --> P |] ==> R |] ==> R
+\subcaption{Logical equivalence}
+
+\end{ttbox}
+\caption{Derived rules for HOL} \label{hol-lemmas1}
+\end{figure}
+%
+%\tdx{eqTrueI} P ==> P=True
+%\tdx{eqTrueE} P=True ==> P
+
+
+\begin{figure}
+\begin{ttbox}\makeatother
+\tdx{allI} (!!x. P x) ==> !x. P x
+\tdx{spec} !x. P x ==> P x
+\tdx{allE} [| !x. P x; P x ==> R |] ==> R
+\tdx{all_dupE} [| !x. P x; [| P x; !x. P x |] ==> R |] ==> R
+
+\tdx{exI} P x ==> ? x. P x
+\tdx{exE} [| ? x. P x; !!x. P x ==> Q |] ==> Q
+
+\tdx{ex1I} [| P a; !!x. P x ==> x=a |] ==> ?! x. P x
+\tdx{ex1E} [| ?! x. P x; !!x. [| P x; ! y. P y --> y=x |] ==> R
+ |] ==> R
+
+\tdx{some_equality} [| P a; !!x. P x ==> x=a |] ==> (@x. P x) = a
+\subcaption{Quantifiers and descriptions}
+
+\tdx{ccontr} (~P ==> False) ==> P
+\tdx{classical} (~P ==> P) ==> P
+\tdx{excluded_middle} ~P | P
+
+\tdx{disjCI} (~Q ==> P) ==> P|Q
+\tdx{exCI} (! x. ~ P x ==> P a) ==> ? x. P x
+\tdx{impCE} [| P-->Q; ~ P ==> R; Q ==> R |] ==> R
+\tdx{iffCE} [| P=Q; [| P;Q |] ==> R; [| ~P; ~Q |] ==> R |] ==> R
+\tdx{notnotD} ~~P ==> P
+\tdx{swap} ~P ==> (~Q ==> P) ==> Q
+\subcaption{Classical logic}
+
+\tdx{if_P} P ==> (if P then x else y) = x
+\tdx{if_not_P} ~ P ==> (if P then x else y) = y
+\tdx{split_if} P(if Q then x else y) = ((Q --> P x) & (~Q --> P y))
+\subcaption{Conditionals}
+\end{ttbox}
+\caption{More derived rules} \label{hol-lemmas2}
+\end{figure}
+
+Some derived rules are shown in Figures~\ref{hol-lemmas1}
+and~\ref{hol-lemmas2}, with their {\ML} names. These include natural rules
+for the logical connectives, as well as sequent-style elimination rules for
+conjunctions, implications, and universal quantifiers.
+
+Note the equality rules: \tdx{ssubst} performs substitution in
+backward proofs, while \tdx{box_equals} supports reasoning by
+simplifying both sides of an equation.
+
+The following simple tactics are occasionally useful:
+\begin{ttdescription}
+\item[\ttindexbold{strip_tac} $i$] applies \texttt{allI} and \texttt{impI}
+ repeatedly to remove all outermost universal quantifiers and implications
+ from subgoal $i$.
+\item[\ttindexbold{case_tac} {\tt"}$P${\tt"} $i$] performs case distinction on
+ $P$ for subgoal $i$: the latter is replaced by two identical subgoals with
+ the added assumptions $P$ and $\lnot P$, respectively.
+\item[\ttindexbold{smp_tac} $j$ $i$] applies $j$ times \texttt{spec} and then
+ \texttt{mp} in subgoal $i$, which is typically useful when forward-chaining
+ from an induction hypothesis. As a generalization of \texttt{mp_tac},
+ if there are assumptions $\forall \vec{x}. P \vec{x} \imp Q \vec{x}$ and
+ $P \vec{a}$, ($\vec{x}$ being a vector of $j$ variables)
+ then it replaces the universally quantified implication by $Q \vec{a}$.
+ It may instantiate unknowns. It fails if it can do nothing.
+\end{ttdescription}
+
+
+\begin{figure}
+\begin{center}
+\begin{tabular}{rrr}
+ \it name &\it meta-type & \it description \\
+\index{{}@\verb'{}' symbol}
+ \verb|{}| & $\alpha\,set$ & the empty set \\
+ \cdx{insert} & $[\alpha,\alpha\,set]\To \alpha\,set$
+ & insertion of element \\
+ \cdx{Collect} & $(\alpha\To bool)\To\alpha\,set$
+ & comprehension \\
+ \cdx{INTER} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
+ & intersection over a set\\
+ \cdx{UNION} & $[\alpha\,set,\alpha\To\beta\,set]\To\beta\,set$
+ & union over a set\\
+ \cdx{Inter} & $(\alpha\,set)set\To\alpha\,set$
+ &set of sets intersection \\
+ \cdx{Union} & $(\alpha\,set)set\To\alpha\,set$
+ &set of sets union \\
+ \cdx{Pow} & $\alpha\,set \To (\alpha\,set)set$
+ & powerset \\[1ex]
+ \cdx{range} & $(\alpha\To\beta )\To\beta\,set$
+ & range of a function \\[1ex]
+ \cdx{Ball}~~\cdx{Bex} & $[\alpha\,set,\alpha\To bool]\To bool$
+ & bounded quantifiers
+\end{tabular}
+\end{center}
+\subcaption{Constants}
+
+\begin{center}
+\begin{tabular}{llrrr}
+ \it symbol &\it name &\it meta-type & \it priority & \it description \\
+ \sdx{INT} & \cdx{INTER1} & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 &
+ intersection\\
+ \sdx{UN} & \cdx{UNION1} & $(\alpha\To\beta\,set)\To\beta\,set$ & 10 &
+ union
+\end{tabular}
+\end{center}
+\subcaption{Binders}
+
+\begin{center}
+\index{*"`"` symbol}
+\index{*": symbol}
+\index{*"<"= symbol}
+\begin{tabular}{rrrr}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt `` & $[\alpha\To\beta ,\alpha\,set]\To \beta\,set$
+ & Left 90 & image \\
+ \sdx{Int} & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
+ & Left 70 & intersection ($\int$) \\
+ \sdx{Un} & $[\alpha\,set,\alpha\,set]\To\alpha\,set$
+ & Left 65 & union ($\un$) \\
+ \tt: & $[\alpha ,\alpha\,set]\To bool$
+ & Left 50 & membership ($\in$) \\
+ \tt <= & $[\alpha\,set,\alpha\,set]\To bool$
+ & Left 50 & subset ($\subseteq$)
+\end{tabular}
+\end{center}
+\subcaption{Infixes}
+\caption{Syntax of the theory \texttt{Set}} \label{hol-set-syntax}
+\end{figure}
+
+
+\begin{figure}
+\begin{center} \tt\frenchspacing
+\index{*"! symbol}
+\begin{tabular}{rrr}
+ \it external & \it internal & \it description \\
+ $a$ \ttilde: $b$ & \ttilde($a$ : $b$) & \rm not in\\
+ {\ttlbrace}$a@1$, $\ldots${\ttrbrace} & insert $a@1$ $\ldots$ {\ttlbrace}{\ttrbrace} & \rm finite set \\
+ {\ttlbrace}$x$. $P[x]${\ttrbrace} & Collect($\lambda x. P[x]$) &
+ \rm comprehension \\
+ \sdx{INT} $x$:$A$. $B[x]$ & INTER $A$ $\lambda x. B[x]$ &
+ \rm intersection \\
+ \sdx{UN}{\tt\ } $x$:$A$. $B[x]$ & UNION $A$ $\lambda x. B[x]$ &
+ \rm union \\
+ \sdx{ALL} $x$:$A$.\ $P[x]$ or \texttt{!} $x$:$A$.\ $P[x]$ &
+ Ball $A$ $\lambda x.\ P[x]$ &
+ \rm bounded $\forall$ \\
+ \sdx{EX}{\tt\ } $x$:$A$.\ $P[x]$ or \texttt{?} $x$:$A$.\ $P[x]$ &
+ Bex $A$ $\lambda x.\ P[x]$ & \rm bounded $\exists$
+\end{tabular}
+\end{center}
+\subcaption{Translations}
+
+\dquotes
+\[\begin{array}{rclcl}
+ term & = & \hbox{other terms\ldots} \\
+ & | & "{\ttlbrace}{\ttrbrace}" \\
+ & | & "{\ttlbrace} " term\; ("," term)^* " {\ttrbrace}" \\
+ & | & "{\ttlbrace} " id " . " formula " {\ttrbrace}" \\
+ & | & term " `` " term \\
+ & | & term " Int " term \\
+ & | & term " Un " term \\
+ & | & "INT~~" id ":" term " . " term \\
+ & | & "UN~~~" id ":" term " . " term \\
+ & | & "INT~~" id~id^* " . " term \\
+ & | & "UN~~~" id~id^* " . " term \\[2ex]
+ formula & = & \hbox{other formulae\ldots} \\
+ & | & term " : " term \\
+ & | & term " \ttilde: " term \\
+ & | & term " <= " term \\
+ & | & "ALL " id ":" term " . " formula
+ & | & "!~" id ":" term " . " formula \\
+ & | & "EX~~" id ":" term " . " formula
+ & | & "?~" id ":" term " . " formula \\
+ \end{array}
+\]
+\subcaption{Full Grammar}
+\caption{Syntax of the theory \texttt{Set} (continued)} \label{hol-set-syntax2}
+\end{figure}
+
+
+\section{A formulation of set theory}
+Historically, higher-order logic gives a foundation for Russell and
+Whitehead's theory of classes. Let us use modern terminology and call them
+{\bf sets}, but note that these sets are distinct from those of ZF set theory,
+and behave more like ZF classes.
+\begin{itemize}
+\item
+Sets are given by predicates over some type~$\sigma$. Types serve to
+define universes for sets, but type-checking is still significant.
+\item
+There is a universal set (for each type). Thus, sets have complements, and
+may be defined by absolute comprehension.
+\item
+Although sets may contain other sets as elements, the containing set must
+have a more complex type.
+\end{itemize}
+Finite unions and intersections have the same behaviour in HOL as they do
+in~ZF. In HOL the intersection of the empty set is well-defined, denoting the
+universal set for the given type.
+
+\subsection{Syntax of set theory}\index{*set type}
+HOL's set theory is called \thydx{Set}. The type $\alpha\,set$ is essentially
+the same as $\alpha\To bool$. The new type is defined for clarity and to
+avoid complications involving function types in unification. The isomorphisms
+between the two types are declared explicitly. They are very natural:
+\texttt{Collect} maps $\alpha\To bool$ to $\alpha\,set$, while \hbox{\tt op :}
+maps in the other direction (ignoring argument order).
+
+Figure~\ref{hol-set-syntax} lists the constants, infixes, and syntax
+translations. Figure~\ref{hol-set-syntax2} presents the grammar of the new
+constructs. Infix operators include union and intersection ($A\un B$
+and $A\int B$), the subset and membership relations, and the image
+operator~{\tt``}\@. Note that $a$\verb|~:|$b$ is translated to
+$\lnot(a\in b)$.
+
+The $\{a@1,\ldots\}$ notation abbreviates finite sets constructed in
+the obvious manner using~\texttt{insert} and~$\{\}$:
+\begin{eqnarray*}
+ \{a, b, c\} & \equiv &
+ \texttt{insert} \, a \, ({\tt insert} \, b \, ({\tt insert} \, c \, \{\}))
+\end{eqnarray*}
+
+The set \hbox{\tt{\ttlbrace}$x$.\ $P[x]${\ttrbrace}} consists of all $x$ (of
+suitable type) that satisfy~$P[x]$, where $P[x]$ is a formula that may contain
+free occurrences of~$x$. This syntax expands to \cdx{Collect}$(\lambda x.
+P[x])$. It defines sets by absolute comprehension, which is impossible in~ZF;
+the type of~$x$ implicitly restricts the comprehension.
+
+The set theory defines two {\bf bounded quantifiers}:
+\begin{eqnarray*}
+ \forall x\in A. P[x] &\hbox{abbreviates}& \forall x. x\in A\imp P[x] \\
+ \exists x\in A. P[x] &\hbox{abbreviates}& \exists x. x\in A\conj P[x]
+\end{eqnarray*}
+The constants~\cdx{Ball} and~\cdx{Bex} are defined
+accordingly. Instead of \texttt{Ball $A$ $P$} and \texttt{Bex $A$ $P$} we may
+write\index{*"! symbol}\index{*"? symbol}
+\index{*ALL symbol}\index{*EX symbol}
+%
+\hbox{\tt ALL~$x$:$A$.\ $P[x]$} and \hbox{\tt EX~$x$:$A$.\ $P[x]$}. The
+original notation of Gordon's {\sc hol} system is supported as well:
+\texttt{!}\ and \texttt{?}.
+
+Unions and intersections over sets, namely $\bigcup@{x\in A}B[x]$ and
+$\bigcap@{x\in A}B[x]$, are written
+\sdx{UN}~\hbox{\tt$x$:$A$.\ $B[x]$} and
+\sdx{INT}~\hbox{\tt$x$:$A$.\ $B[x]$}.
+
+Unions and intersections over types, namely $\bigcup@x B[x]$ and $\bigcap@x
+B[x]$, are written \sdx{UN}~\hbox{\tt$x$.\ $B[x]$} and
+\sdx{INT}~\hbox{\tt$x$.\ $B[x]$}. They are equivalent to the previous
+union and intersection operators when $A$ is the universal set.
+
+The operators $\bigcup A$ and $\bigcap A$ act upon sets of sets. They are
+not binders, but are equal to $\bigcup@{x\in A}x$ and $\bigcap@{x\in A}x$,
+respectively.
+
+
+
+\begin{figure} \underscoreon
+\begin{ttbox}
+\tdx{mem_Collect_eq} (a : {\ttlbrace}x. P x{\ttrbrace}) = P a
+\tdx{Collect_mem_eq} {\ttlbrace}x. x:A{\ttrbrace} = A
+
+\tdx{empty_def} {\ttlbrace}{\ttrbrace} == {\ttlbrace}x. False{\ttrbrace}
+\tdx{insert_def} insert a B == {\ttlbrace}x. x=a{\ttrbrace} Un B
+\tdx{Ball_def} Ball A P == ! x. x:A --> P x
+\tdx{Bex_def} Bex A P == ? x. x:A & P x
+\tdx{subset_def} A <= B == ! x:A. x:B
+\tdx{Un_def} A Un B == {\ttlbrace}x. x:A | x:B{\ttrbrace}
+\tdx{Int_def} A Int B == {\ttlbrace}x. x:A & x:B{\ttrbrace}
+\tdx{set_diff_def} A - B == {\ttlbrace}x. x:A & x~:B{\ttrbrace}
+\tdx{Compl_def} -A == {\ttlbrace}x. ~ x:A{\ttrbrace}
+\tdx{INTER_def} INTER A B == {\ttlbrace}y. ! x:A. y: B x{\ttrbrace}
+\tdx{UNION_def} UNION A B == {\ttlbrace}y. ? x:A. y: B x{\ttrbrace}
+\tdx{INTER1_def} INTER1 B == INTER {\ttlbrace}x. True{\ttrbrace} B
+\tdx{UNION1_def} UNION1 B == UNION {\ttlbrace}x. True{\ttrbrace} B
+\tdx{Inter_def} Inter S == (INT x:S. x)
+\tdx{Union_def} Union S == (UN x:S. x)
+\tdx{Pow_def} Pow A == {\ttlbrace}B. B <= A{\ttrbrace}
+\tdx{image_def} f``A == {\ttlbrace}y. ? x:A. y=f x{\ttrbrace}
+\tdx{range_def} range f == {\ttlbrace}y. ? x. y=f x{\ttrbrace}
+\end{ttbox}
+\caption{Rules of the theory \texttt{Set}} \label{hol-set-rules}
+\end{figure}
+
+
+\begin{figure} \underscoreon
+\begin{ttbox}
+\tdx{CollectI} [| P a |] ==> a : {\ttlbrace}x. P x{\ttrbrace}
+\tdx{CollectD} [| a : {\ttlbrace}x. P x{\ttrbrace} |] ==> P a
+\tdx{CollectE} [| a : {\ttlbrace}x. P x{\ttrbrace}; P a ==> W |] ==> W
+
+\tdx{ballI} [| !!x. x:A ==> P x |] ==> ! x:A. P x
+\tdx{bspec} [| ! x:A. P x; x:A |] ==> P x
+\tdx{ballE} [| ! x:A. P x; P x ==> Q; ~ x:A ==> Q |] ==> Q
+
+\tdx{bexI} [| P x; x:A |] ==> ? x:A. P x
+\tdx{bexCI} [| ! x:A. ~ P x ==> P a; a:A |] ==> ? x:A. P x
+\tdx{bexE} [| ? x:A. P x; !!x. [| x:A; P x |] ==> Q |] ==> Q
+\subcaption{Comprehension and Bounded quantifiers}
+
+\tdx{subsetI} (!!x. x:A ==> x:B) ==> A <= B
+\tdx{subsetD} [| A <= B; c:A |] ==> c:B
+\tdx{subsetCE} [| A <= B; ~ (c:A) ==> P; c:B ==> P |] ==> P
+
+\tdx{subset_refl} A <= A
+\tdx{subset_trans} [| A<=B; B<=C |] ==> A<=C
+
+\tdx{equalityI} [| A <= B; B <= A |] ==> A = B
+\tdx{equalityD1} A = B ==> A<=B
+\tdx{equalityD2} A = B ==> B<=A
+\tdx{equalityE} [| A = B; [| A<=B; B<=A |] ==> P |] ==> P
+
+\tdx{equalityCE} [| A = B; [| c:A; c:B |] ==> P;
+ [| ~ c:A; ~ c:B |] ==> P
+ |] ==> P
+\subcaption{The subset and equality relations}
+\end{ttbox}
+\caption{Derived rules for set theory} \label{hol-set1}
+\end{figure}
+
+
+\begin{figure} \underscoreon
+\begin{ttbox}
+\tdx{emptyE} a : {\ttlbrace}{\ttrbrace} ==> P
+
+\tdx{insertI1} a : insert a B
+\tdx{insertI2} a : B ==> a : insert b B
+\tdx{insertE} [| a : insert b A; a=b ==> P; a:A ==> P |] ==> P
+
+\tdx{ComplI} [| c:A ==> False |] ==> c : -A
+\tdx{ComplD} [| c : -A |] ==> ~ c:A
+
+\tdx{UnI1} c:A ==> c : A Un B
+\tdx{UnI2} c:B ==> c : A Un B
+\tdx{UnCI} (~c:B ==> c:A) ==> c : A Un B
+\tdx{UnE} [| c : A Un B; c:A ==> P; c:B ==> P |] ==> P
+
+\tdx{IntI} [| c:A; c:B |] ==> c : A Int B
+\tdx{IntD1} c : A Int B ==> c:A
+\tdx{IntD2} c : A Int B ==> c:B
+\tdx{IntE} [| c : A Int B; [| c:A; c:B |] ==> P |] ==> P
+
+\tdx{UN_I} [| a:A; b: B a |] ==> b: (UN x:A. B x)
+\tdx{UN_E} [| b: (UN x:A. B x); !!x.[| x:A; b:B x |] ==> R |] ==> R
+
+\tdx{INT_I} (!!x. x:A ==> b: B x) ==> b : (INT x:A. B x)
+\tdx{INT_D} [| b: (INT x:A. B x); a:A |] ==> b: B a
+\tdx{INT_E} [| b: (INT x:A. B x); b: B a ==> R; ~ a:A ==> R |] ==> R
+
+\tdx{UnionI} [| X:C; A:X |] ==> A : Union C
+\tdx{UnionE} [| A : Union C; !!X.[| A:X; X:C |] ==> R |] ==> R
+
+\tdx{InterI} [| !!X. X:C ==> A:X |] ==> A : Inter C
+\tdx{InterD} [| A : Inter C; X:C |] ==> A:X
+\tdx{InterE} [| A : Inter C; A:X ==> R; ~ X:C ==> R |] ==> R
+
+\tdx{PowI} A<=B ==> A: Pow B
+\tdx{PowD} A: Pow B ==> A<=B
+
+\tdx{imageI} [| x:A |] ==> f x : f``A
+\tdx{imageE} [| b : f``A; !!x.[| b=f x; x:A |] ==> P |] ==> P
+
+\tdx{rangeI} f x : range f
+\tdx{rangeE} [| b : range f; !!x.[| b=f x |] ==> P |] ==> P
+\end{ttbox}
+\caption{Further derived rules for set theory} \label{hol-set2}
+\end{figure}
+
+
+\subsection{Axioms and rules of set theory}
+Figure~\ref{hol-set-rules} presents the rules of theory \thydx{Set}. The
+axioms \tdx{mem_Collect_eq} and \tdx{Collect_mem_eq} assert
+that the functions \texttt{Collect} and \hbox{\tt op :} are isomorphisms. Of
+course, \hbox{\tt op :} also serves as the membership relation.
+
+All the other axioms are definitions. They include the empty set, bounded
+quantifiers, unions, intersections, complements and the subset relation.
+They also include straightforward constructions on functions: image~({\tt``})
+and \texttt{range}.
+
+%The predicate \cdx{inj_on} is used for simulating type definitions.
+%The statement ${\tt inj_on}~f~A$ asserts that $f$ is injective on the
+%set~$A$, which specifies a subset of its domain type. In a type
+%definition, $f$ is the abstraction function and $A$ is the set of valid
+%representations; we should not expect $f$ to be injective outside of~$A$.
+
+%\begin{figure} \underscoreon
+%\begin{ttbox}
+%\tdx{Inv_f_f} inj f ==> Inv f (f x) = x
+%\tdx{f_Inv_f} y : range f ==> f(Inv f y) = y
+%
+%\tdx{Inv_injective}
+% [| Inv f x=Inv f y; x: range f; y: range f |] ==> x=y
+%
+%
+%\tdx{monoI} [| !!A B. A <= B ==> f A <= f B |] ==> mono f
+%\tdx{monoD} [| mono f; A <= B |] ==> f A <= f B
+%
+%\tdx{injI} [| !! x y. f x = f y ==> x=y |] ==> inj f
+%\tdx{inj_inverseI} (!!x. g(f x) = x) ==> inj f
+%\tdx{injD} [| inj f; f x = f y |] ==> x=y
+%
+%\tdx{inj_onI} (!!x y. [| f x=f y; x:A; y:A |] ==> x=y) ==> inj_on f A
+%\tdx{inj_onD} [| inj_on f A; f x=f y; x:A; y:A |] ==> x=y
+%
+%\tdx{inj_on_inverseI}
+% (!!x. x:A ==> g(f x) = x) ==> inj_on f A
+%\tdx{inj_on_contraD}
+% [| inj_on f A; x~=y; x:A; y:A |] ==> ~ f x=f y
+%\end{ttbox}
+%\caption{Derived rules involving functions} \label{hol-fun}
+%\end{figure}
+
+
+\begin{figure} \underscoreon
+\begin{ttbox}
+\tdx{Union_upper} B:A ==> B <= Union A
+\tdx{Union_least} [| !!X. X:A ==> X<=C |] ==> Union A <= C
+
+\tdx{Inter_lower} B:A ==> Inter A <= B
+\tdx{Inter_greatest} [| !!X. X:A ==> C<=X |] ==> C <= Inter A
+
+\tdx{Un_upper1} A <= A Un B
+\tdx{Un_upper2} B <= A Un B
+\tdx{Un_least} [| A<=C; B<=C |] ==> A Un B <= C
+
+\tdx{Int_lower1} A Int B <= A
+\tdx{Int_lower2} A Int B <= B
+\tdx{Int_greatest} [| C<=A; C<=B |] ==> C <= A Int B
+\end{ttbox}
+\caption{Derived rules involving subsets} \label{hol-subset}
+\end{figure}
+
+
+\begin{figure} \underscoreon \hfuzz=4pt%suppress "Overfull \hbox" message
+\begin{ttbox}
+\tdx{Int_absorb} A Int A = A
+\tdx{Int_commute} A Int B = B Int A
+\tdx{Int_assoc} (A Int B) Int C = A Int (B Int C)
+\tdx{Int_Un_distrib} (A Un B) Int C = (A Int C) Un (B Int C)
+
+\tdx{Un_absorb} A Un A = A
+\tdx{Un_commute} A Un B = B Un A
+\tdx{Un_assoc} (A Un B) Un C = A Un (B Un C)
+\tdx{Un_Int_distrib} (A Int B) Un C = (A Un C) Int (B Un C)
+
+\tdx{Compl_disjoint} A Int (-A) = {\ttlbrace}x. False{\ttrbrace}
+\tdx{Compl_partition} A Un (-A) = {\ttlbrace}x. True{\ttrbrace}
+\tdx{double_complement} -(-A) = A
+\tdx{Compl_Un} -(A Un B) = (-A) Int (-B)
+\tdx{Compl_Int} -(A Int B) = (-A) Un (-B)
+
+\tdx{Union_Un_distrib} Union(A Un B) = (Union A) Un (Union B)
+\tdx{Int_Union} A Int (Union B) = (UN C:B. A Int C)
+
+\tdx{Inter_Un_distrib} Inter(A Un B) = (Inter A) Int (Inter B)
+\tdx{Un_Inter} A Un (Inter B) = (INT C:B. A Un C)
+
+\end{ttbox}
+\caption{Set equalities} \label{hol-equalities}
+\end{figure}
+%\tdx{Un_Union_image} (UN x:C.(A x) Un (B x)) = Union(A``C) Un Union(B``C)
+%\tdx{Int_Inter_image} (INT x:C.(A x) Int (B x)) = Inter(A``C) Int Inter(B``C)
+
+Figures~\ref{hol-set1} and~\ref{hol-set2} present derived rules. Most are
+obvious and resemble rules of Isabelle's ZF set theory. Certain rules, such
+as \tdx{subsetCE}, \tdx{bexCI} and \tdx{UnCI}, are designed for classical
+reasoning; the rules \tdx{subsetD}, \tdx{bexI}, \tdx{Un1} and~\tdx{Un2} are
+not strictly necessary but yield more natural proofs. Similarly,
+\tdx{equalityCE} supports classical reasoning about extensionality, after the
+fashion of \tdx{iffCE}. See the file \texttt{HOL/Set.ML} for proofs
+pertaining to set theory.
+
+Figure~\ref{hol-subset} presents lattice properties of the subset relation.
+Unions form least upper bounds; non-empty intersections form greatest lower
+bounds. Reasoning directly about subsets often yields clearer proofs than
+reasoning about the membership relation. See the file \texttt{HOL/subset.ML}.
+
+Figure~\ref{hol-equalities} presents many common set equalities. They
+include commutative, associative and distributive laws involving unions,
+intersections and complements. For a complete listing see the file {\tt
+HOL/equalities.ML}.
+
+\begin{warn}
+\texttt{Blast_tac} proves many set-theoretic theorems automatically.
+Hence you seldom need to refer to the theorems above.
+\end{warn}
+
+\begin{figure}
+\begin{center}
+\begin{tabular}{rrr}
+ \it name &\it meta-type & \it description \\
+ \cdx{inj}~~\cdx{surj}& $(\alpha\To\beta )\To bool$
+ & injective/surjective \\
+ \cdx{inj_on} & $[\alpha\To\beta ,\alpha\,set]\To bool$
+ & injective over subset\\
+ \cdx{inv} & $(\alpha\To\beta)\To(\beta\To\alpha)$ & inverse function
+\end{tabular}
+\end{center}
+
+\underscoreon
+\begin{ttbox}
+\tdx{inj_def} inj f == ! x y. f x=f y --> x=y
+\tdx{surj_def} surj f == ! y. ? x. y=f x
+\tdx{inj_on_def} inj_on f A == !x:A. !y:A. f x=f y --> x=y
+\tdx{inv_def} inv f == (\%y. @x. f(x)=y)
+\end{ttbox}
+\caption{Theory \thydx{Fun}} \label{fig:HOL:Fun}
+\end{figure}
+
+\subsection{Properties of functions}\nopagebreak
+Figure~\ref{fig:HOL:Fun} presents a theory of simple properties of functions.
+Note that ${\tt inv}~f$ uses Hilbert's $\varepsilon$ to yield an inverse
+of~$f$. See the file \texttt{HOL/Fun.ML} for a complete listing of the derived
+rules. Reasoning about function composition (the operator~\sdx{o}) and the
+predicate~\cdx{surj} is done simply by expanding the definitions.
+
+There is also a large collection of monotonicity theorems for constructions
+on sets in the file \texttt{HOL/mono.ML}.
+
+
+\section{Simplification and substitution}
+
+Simplification tactics tactics such as \texttt{Asm_simp_tac} and \texttt{Full_simp_tac} use the default simpset
+(\texttt{simpset()}), which works for most purposes. A quite minimal
+simplification set for higher-order logic is~\ttindexbold{HOL_ss};
+even more frugal is \ttindexbold{HOL_basic_ss}. Equality~($=$), which
+also expresses logical equivalence, may be used for rewriting. See
+the file \texttt{HOL/simpdata.ML} for a complete listing of the basic
+simplification rules.
+
+See \iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
+{Chaps.\ts\ref{substitution} and~\ref{simp-chap}} for details of substitution
+and simplification.
+
+\begin{warn}\index{simplification!of conjunctions}%
+ Reducing $a=b\conj P(a)$ to $a=b\conj P(b)$ is sometimes advantageous. The
+ left part of a conjunction helps in simplifying the right part. This effect
+ is not available by default: it can be slow. It can be obtained by
+ including \ttindex{conj_cong} in a simpset, \verb$addcongs [conj_cong]$.
+\end{warn}
+
+\begin{warn}\index{simplification!of \texttt{if}}\label{if-simp}%
+ By default only the condition of an \ttindex{if} is simplified but not the
+ \texttt{then} and \texttt{else} parts. Of course the latter are simplified
+ once the condition simplifies to \texttt{True} or \texttt{False}. To ensure
+ full simplification of all parts of a conditional you must remove
+ \ttindex{if_weak_cong} from the simpset, \verb$delcongs [if_weak_cong]$.
+\end{warn}
+
+If the simplifier cannot use a certain rewrite rule --- either because
+of nontermination or because its left-hand side is too flexible ---
+then you might try \texttt{stac}:
+\begin{ttdescription}
+\item[\ttindexbold{stac} $thm$ $i,$] where $thm$ is of the form $lhs = rhs$,
+ replaces in subgoal $i$ instances of $lhs$ by corresponding instances of
+ $rhs$. In case of multiple instances of $lhs$ in subgoal $i$, backtracking
+ may be necessary to select the desired ones.
+
+If $thm$ is a conditional equality, the instantiated condition becomes an
+additional (first) subgoal.
+\end{ttdescription}
+
+HOL provides the tactic \ttindex{hyp_subst_tac}, which substitutes for an
+equality throughout a subgoal and its hypotheses. This tactic uses HOL's
+general substitution rule.
+
+\subsection{Case splitting}
+\label{subsec:HOL:case:splitting}
+
+HOL also provides convenient means for case splitting during rewriting. Goals
+containing a subterm of the form \texttt{if}~$b$~{\tt then\dots else\dots}
+often require a case distinction on $b$. This is expressed by the theorem
+\tdx{split_if}:
+$$
+\Var{P}(\mbox{\tt if}~\Var{b}~{\tt then}~\Var{x}~\mbox{\tt else}~\Var{y})~=~
+((\Var{b} \to \Var{P}(\Var{x})) \land (\lnot \Var{b} \to \Var{P}(\Var{y})))
+\eqno{(*)}
+$$
+For example, a simple instance of $(*)$ is
+\[
+x \in (\mbox{\tt if}~x \in A~{\tt then}~A~\mbox{\tt else}~\{x\})~=~
+((x \in A \to x \in A) \land (x \notin A \to x \in \{x\}))
+\]
+Because $(*)$ is too general as a rewrite rule for the simplifier (the
+left-hand side is not a higher-order pattern in the sense of
+\iflabelundefined{chap:simplification}{the {\em Reference Manual\/}}%
+{Chap.\ts\ref{chap:simplification}}), there is a special infix function
+\ttindexbold{addsplits} of type \texttt{simpset * thm list -> simpset}
+(analogous to \texttt{addsimps}) that adds rules such as $(*)$ to a
+simpset, as in
+\begin{ttbox}
+by(simp_tac (simpset() addsplits [split_if]) 1);
+\end{ttbox}
+The effect is that after each round of simplification, one occurrence of
+\texttt{if} is split acording to \texttt{split_if}, until all occurences of
+\texttt{if} have been eliminated.
+
+It turns out that using \texttt{split_if} is almost always the right thing to
+do. Hence \texttt{split_if} is already included in the default simpset. If
+you want to delete it from a simpset, use \ttindexbold{delsplits}, which is
+the inverse of \texttt{addsplits}:
+\begin{ttbox}
+by(simp_tac (simpset() delsplits [split_if]) 1);
+\end{ttbox}
+
+In general, \texttt{addsplits} accepts rules of the form
+\[
+\Var{P}(c~\Var{x@1}~\dots~\Var{x@n})~=~ rhs
+\]
+where $c$ is a constant and $rhs$ is arbitrary. Note that $(*)$ is of the
+right form because internally the left-hand side is
+$\Var{P}(\mathtt{If}~\Var{b}~\Var{x}~~\Var{y})$. Important further examples
+are splitting rules for \texttt{case} expressions (see~{\S}\ref{subsec:list}
+and~{\S}\ref{subsec:datatype:basics}).
+
+Analogous to \texttt{Addsimps} and \texttt{Delsimps}, there are also
+imperative versions of \texttt{addsplits} and \texttt{delsplits}
+\begin{ttbox}
+\ttindexbold{Addsplits}: thm list -> unit
+\ttindexbold{Delsplits}: thm list -> unit
+\end{ttbox}
+for adding splitting rules to, and deleting them from the current simpset.
+
+
+\section{Types}\label{sec:HOL:Types}
+This section describes HOL's basic predefined types ($\alpha \times \beta$,
+$\alpha + \beta$, $nat$ and $\alpha \; list$) and ways for introducing new
+types in general. The most important type construction, the
+\texttt{datatype}, is treated separately in {\S}\ref{sec:HOL:datatype}.
+
+
+\subsection{Product and sum types}\index{*"* type}\index{*"+ type}
+\label{subsec:prod-sum}
+
+\begin{figure}[htbp]
+\begin{constants}
+ \it symbol & \it meta-type & & \it description \\
+ \cdx{Pair} & $[\alpha,\beta]\To \alpha\times\beta$
+ & & ordered pairs $(a,b)$ \\
+ \cdx{fst} & $\alpha\times\beta \To \alpha$ & & first projection\\
+ \cdx{snd} & $\alpha\times\beta \To \beta$ & & second projection\\
+ \cdx{split} & $[[\alpha,\beta]\To\gamma, \alpha\times\beta] \To \gamma$
+ & & generalized projection\\
+ \cdx{Sigma} &
+ $[\alpha\,set, \alpha\To\beta\,set]\To(\alpha\times\beta)set$ &
+ & general sum of sets
+\end{constants}
+%\tdx{fst_def} fst p == @a. ? b. p = (a,b)
+%\tdx{snd_def} snd p == @b. ? a. p = (a,b)
+%\tdx{split_def} split c p == c (fst p) (snd p)
+\begin{ttbox}\makeatletter
+\tdx{Sigma_def} Sigma A B == UN x:A. UN y:B x. {\ttlbrace}(x,y){\ttrbrace}
+
+\tdx{Pair_eq} ((a,b) = (a',b')) = (a=a' & b=b')
+\tdx{Pair_inject} [| (a, b) = (a',b'); [| a=a'; b=b' |] ==> R |] ==> R
+\tdx{PairE} [| !!x y. p = (x,y) ==> Q |] ==> Q
+
+\tdx{fst_conv} fst (a,b) = a
+\tdx{snd_conv} snd (a,b) = b
+\tdx{surjective_pairing} p = (fst p,snd p)
+
+\tdx{split} split c (a,b) = c a b
+\tdx{split_split} R(split c p) = (! x y. p = (x,y) --> R(c x y))
+
+\tdx{SigmaI} [| a:A; b:B a |] ==> (a,b) : Sigma A B
+
+\tdx{SigmaE} [| c:Sigma A B; !!x y.[| x:A; y:B x; c=(x,y) |] ==> P
+ |] ==> P
+\end{ttbox}
+\caption{Type $\alpha\times\beta$}\label{hol-prod}
+\end{figure}
+
+Theory \thydx{Prod} (Fig.\ts\ref{hol-prod}) defines the product type
+$\alpha\times\beta$, with the ordered pair syntax $(a, b)$. General
+tuples are simulated by pairs nested to the right:
+\begin{center}
+\begin{tabular}{c|c}
+external & internal \\
+\hline
+$\tau@1 \times \dots \times \tau@n$ & $\tau@1 \times (\dots (\tau@{n-1} \times \tau@n)\dots)$ \\
+\hline
+$(t@1,\dots,t@n)$ & $(t@1,(\dots,(t@{n-1},t@n)\dots)$ \\
+\end{tabular}
+\end{center}
+In addition, it is possible to use tuples
+as patterns in abstractions:
+\begin{center}
+{\tt\%($x$,$y$). $t$} \quad stands for\quad \texttt{split(\%$x$\thinspace$y$.\ $t$)}
+\end{center}
+Nested patterns are also supported. They are translated stepwise:
+\begin{eqnarray*}
+\hbox{\tt\%($x$,$y$,$z$).\ $t$}
+ & \leadsto & \hbox{\tt\%($x$,($y$,$z$)).\ $t$} \\
+ & \leadsto & \hbox{\tt split(\%$x$.\%($y$,$z$).\ $t$)}\\
+ & \leadsto & \hbox{\tt split(\%$x$.\ split(\%$y$ $z$.\ $t$))}
+\end{eqnarray*}
+The reverse translation is performed upon printing.
+\begin{warn}
+ The translation between patterns and \texttt{split} is performed automatically
+ by the parser and printer. Thus the internal and external form of a term
+ may differ, which can affects proofs. For example the term {\tt
+ (\%(x,y).(y,x))(a,b)} requires the theorem \texttt{split} (which is in the
+ default simpset) to rewrite to {\tt(b,a)}.
+\end{warn}
+In addition to explicit $\lambda$-abstractions, patterns can be used in any
+variable binding construct which is internally described by a
+$\lambda$-abstraction. Some important examples are
+\begin{description}
+\item[Let:] \texttt{let {\it pattern} = $t$ in $u$}
+\item[Quantifiers:] \texttt{ALL~{\it pattern}:$A$.~$P$}
+\item[Choice:] {\underscoreon \tt SOME~{\it pattern}.~$P$}
+\item[Set operations:] \texttt{UN~{\it pattern}:$A$.~$B$}
+\item[Sets:] \texttt{{\ttlbrace}{\it pattern}.~$P${\ttrbrace}}
+\end{description}
+
+There is a simple tactic which supports reasoning about patterns:
+\begin{ttdescription}
+\item[\ttindexbold{split_all_tac} $i$] replaces in subgoal $i$ all
+ {\tt!!}-quantified variables of product type by individual variables for
+ each component. A simple example:
+\begin{ttbox}
+{\out 1. !!p. (\%(x,y,z). (x, y, z)) p = p}
+by(split_all_tac 1);
+{\out 1. !!x xa ya. (\%(x,y,z). (x, y, z)) (x, xa, ya) = (x, xa, ya)}
+\end{ttbox}
+\end{ttdescription}
+
+Theory \texttt{Prod} also introduces the degenerate product type \texttt{unit}
+which contains only a single element named {\tt()} with the property
+\begin{ttbox}
+\tdx{unit_eq} u = ()
+\end{ttbox}
+\bigskip
+
+Theory \thydx{Sum} (Fig.~\ref{hol-sum}) defines the sum type $\alpha+\beta$
+which associates to the right and has a lower priority than $*$: $\tau@1 +
+\tau@2 + \tau@3*\tau@4$ means $\tau@1 + (\tau@2 + (\tau@3*\tau@4))$.
+
+The definition of products and sums in terms of existing types is not
+shown. The constructions are fairly standard and can be found in the
+respective theory files. Although the sum and product types are
+constructed manually for foundational reasons, they are represented as
+actual datatypes later.
+
+\begin{figure}
+\begin{constants}
+ \it symbol & \it meta-type & & \it description \\
+ \cdx{Inl} & $\alpha \To \alpha+\beta$ & & first injection\\
+ \cdx{Inr} & $\beta \To \alpha+\beta$ & & second injection\\
+ \cdx{sum_case} & $[\alpha\To\gamma, \beta\To\gamma, \alpha+\beta] \To\gamma$
+ & & conditional
+\end{constants}
+\begin{ttbox}\makeatletter
+\tdx{Inl_not_Inr} Inl a ~= Inr b
+
+\tdx{inj_Inl} inj Inl
+\tdx{inj_Inr} inj Inr
+
+\tdx{sumE} [| !!x. P(Inl x); !!y. P(Inr y) |] ==> P s
+
+\tdx{sum_case_Inl} sum_case f g (Inl x) = f x
+\tdx{sum_case_Inr} sum_case f g (Inr x) = g x
+
+\tdx{surjective_sum} sum_case (\%x. f(Inl x)) (\%y. f(Inr y)) s = f s
+\tdx{sum.split_case} R(sum_case f g s) = ((! x. s = Inl(x) --> R(f(x))) &
+ (! y. s = Inr(y) --> R(g(y))))
+\end{ttbox}
+\caption{Type $\alpha+\beta$}\label{hol-sum}
+\end{figure}
+
+\begin{figure}
+\index{*"< symbol}
+\index{*"* symbol}
+\index{*div symbol}
+\index{*mod symbol}
+\index{*dvd symbol}
+\index{*"+ symbol}
+\index{*"- symbol}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \cdx{0} & $\alpha$ & & zero \\
+ \cdx{Suc} & $nat \To nat$ & & successor function\\
+ \tt * & $[\alpha,\alpha]\To \alpha$ & Left 70 & multiplication \\
+ \tt div & $[\alpha,\alpha]\To \alpha$ & Left 70 & division\\
+ \tt mod & $[\alpha,\alpha]\To \alpha$ & Left 70 & modulus\\
+ \tt dvd & $[\alpha,\alpha]\To bool$ & Left 70 & ``divides'' relation\\
+ \tt + & $[\alpha,\alpha]\To \alpha$ & Left 65 & addition\\
+ \tt - & $[\alpha,\alpha]\To \alpha$ & Left 65 & subtraction
+\end{constants}
+\subcaption{Constants and infixes}
+
+\begin{ttbox}\makeatother
+\tdx{nat_induct} [| P 0; !!n. P n ==> P(Suc n) |] ==> P n
+
+\tdx{Suc_not_Zero} Suc m ~= 0
+\tdx{inj_Suc} inj Suc
+\tdx{n_not_Suc_n} n~=Suc n
+\subcaption{Basic properties}
+\end{ttbox}
+\caption{The type of natural numbers, \tydx{nat}} \label{hol-nat1}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}\makeatother
+ 0+n = n
+ (Suc m)+n = Suc(m+n)
+
+ m-0 = m
+ 0-n = n
+ Suc(m)-Suc(n) = m-n
+
+ 0*n = 0
+ Suc(m)*n = n + m*n
+
+\tdx{mod_less} m<n ==> m mod n = m
+\tdx{mod_geq} [| 0<n; ~m<n |] ==> m mod n = (m-n) mod n
+
+\tdx{div_less} m<n ==> m div n = 0
+\tdx{div_geq} [| 0<n; ~m<n |] ==> m div n = Suc((m-n) div n)
+\end{ttbox}
+\caption{Recursion equations for the arithmetic operators} \label{hol-nat2}
+\end{figure}
+
+\subsection{The type of natural numbers, \textit{nat}}
+\index{nat@{\textit{nat}} type|(}
+
+The theory \thydx{Nat} defines the natural numbers in a roundabout but
+traditional way. The axiom of infinity postulates a type~\tydx{ind} of
+individuals, which is non-empty and closed under an injective operation. The
+natural numbers are inductively generated by choosing an arbitrary individual
+for~0 and using the injective operation to take successors. This is a least
+fixedpoint construction.
+
+Type~\tydx{nat} is an instance of class~\cldx{ord}, which makes the overloaded
+functions of this class (especially \cdx{<} and \cdx{<=}, but also \cdx{min},
+\cdx{max} and \cdx{LEAST}) available on \tydx{nat}. Theory \thydx{Nat}
+also shows that {\tt<=} is a linear order, so \tydx{nat} is
+also an instance of class \cldx{linorder}.
+
+Theory \thydx{NatArith} develops arithmetic on the natural numbers. It defines
+addition, multiplication and subtraction. Theory \thydx{Divides} defines
+division, remainder and the ``divides'' relation. The numerous theorems
+proved include commutative, associative, distributive, identity and
+cancellation laws. See Figs.\ts\ref{hol-nat1} and~\ref{hol-nat2}. The
+recursion equations for the operators \texttt{+}, \texttt{-} and \texttt{*} on
+\texttt{nat} are part of the default simpset.
+
+Functions on \tydx{nat} can be defined by primitive or well-founded recursion;
+see {\S}\ref{sec:HOL:recursive}. A simple example is addition.
+Here, \texttt{op +} is the name of the infix operator~\texttt{+}, following
+the standard convention.
+\begin{ttbox}
+\sdx{primrec}
+ "0 + n = n"
+ "Suc m + n = Suc (m + n)"
+\end{ttbox}
+There is also a \sdx{case}-construct
+of the form
+\begin{ttbox}
+case \(e\) of 0 => \(a\) | Suc \(m\) => \(b\)
+\end{ttbox}
+Note that Isabelle insists on precisely this format; you may not even change
+the order of the two cases.
+Both \texttt{primrec} and \texttt{case} are realized by a recursion operator
+\cdx{nat_rec}, which is available because \textit{nat} is represented as
+a datatype.
+
+%The predecessor relation, \cdx{pred_nat}, is shown to be well-founded.
+%Recursion along this relation resembles primitive recursion, but is
+%stronger because we are in higher-order logic; using primitive recursion to
+%define a higher-order function, we can easily Ackermann's function, which
+%is not primitive recursive \cite[page~104]{thompson91}.
+%The transitive closure of \cdx{pred_nat} is~$<$. Many functions on the
+%natural numbers are most easily expressed using recursion along~$<$.
+
+Tactic {\tt\ttindex{induct_tac} "$n$" $i$} performs induction on variable~$n$
+in subgoal~$i$ using theorem \texttt{nat_induct}. There is also the derived
+theorem \tdx{less_induct}:
+\begin{ttbox}
+[| !!n. [| ! m. m<n --> P m |] ==> P n |] ==> P n
+\end{ttbox}
+
+
+\subsection{Numerical types and numerical reasoning}
+
+The integers (type \tdx{int}) are also available in HOL, and the reals (type
+\tdx{real}) are available in the logic image \texttt{HOL-Complex}. They support
+the expected operations of addition (\texttt{+}), subtraction (\texttt{-}) and
+multiplication (\texttt{*}), and much else. Type \tdx{int} provides the
+\texttt{div} and \texttt{mod} operators, while type \tdx{real} provides real
+division and other operations. Both types belong to class \cldx{linorder}, so
+they inherit the relational operators and all the usual properties of linear
+orderings. For full details, please survey the theories in subdirectories
+\texttt{Integ}, \texttt{Real}, and \texttt{Complex}.
+
+All three numeric types admit numerals of the form \texttt{$sd\ldots d$},
+where $s$ is an optional minus sign and $d\ldots d$ is a string of digits.
+Numerals are represented internally by a datatype for binary notation, which
+allows numerical calculations to be performed by rewriting. For example, the
+integer division of \texttt{54342339} by \texttt{3452} takes about five
+seconds. By default, the simplifier cancels like terms on the opposite sites
+of relational operators (reducing \texttt{z+x<x+y} to \texttt{z<y}, for
+instance. The simplifier also collects like terms, replacing \texttt{x+y+x*3}
+by \texttt{4*x+y}.
+
+Sometimes numerals are not wanted, because for example \texttt{n+3} does not
+match a pattern of the form \texttt{Suc $k$}. You can re-arrange the form of
+an arithmetic expression by proving (via \texttt{subgoal_tac}) a lemma such as
+\texttt{n+3 = Suc (Suc (Suc n))}. As an alternative, you can disable the
+fancier simplifications by using a basic simpset such as \texttt{HOL_ss}
+rather than the default one, \texttt{simpset()}.
+
+Reasoning about arithmetic inequalities can be tedious. Fortunately, HOL
+provides a decision procedure for \emph{linear arithmetic}: formulae involving
+addition and subtraction. The simplifier invokes a weak version of this
+decision procedure automatically. If this is not sufficent, you can invoke the
+full procedure \ttindex{Lin_Arith.tac} explicitly. It copes with arbitrary
+formulae involving {\tt=}, {\tt<}, {\tt<=}, {\tt+}, {\tt-}, {\tt Suc}, {\tt
+ min}, {\tt max} and numerical constants. Other subterms are treated as
+atomic, while subformulae not involving numerical types are ignored. Quantified
+subformulae are ignored unless they are positive universal or negative
+existential. The running time is exponential in the number of
+occurrences of {\tt min}, {\tt max}, and {\tt-} because they require case
+distinctions.
+If {\tt k} is a numeral, then {\tt div k}, {\tt mod k} and
+{\tt k dvd} are also supported. The former two are eliminated
+by case distinctions, again blowing up the running time.
+If the formula involves explicit quantifiers, \texttt{Lin_Arith.tac} may take
+super-exponential time and space.
+
+If \texttt{Lin_Arith.tac} fails, try to find relevant arithmetic results in
+the library. The theories \texttt{Nat} and \texttt{NatArith} contain
+theorems about {\tt<}, {\tt<=}, \texttt{+}, \texttt{-} and \texttt{*}.
+Theory \texttt{Divides} contains theorems about \texttt{div} and
+\texttt{mod}. Use Proof General's \emph{find} button (or other search
+facilities) to locate them.
+
+\index{nat@{\textit{nat}} type|)}
+
+
+\begin{figure}
+\index{#@{\tt[]} symbol}
+\index{#@{\tt\#} symbol}
+\index{"@@{\tt\at} symbol}
+\index{*"! symbol}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt[] & $\alpha\,list$ & & empty list\\
+ \tt \# & $[\alpha,\alpha\,list]\To \alpha\,list$ & Right 65 &
+ list constructor \\
+ \cdx{null} & $\alpha\,list \To bool$ & & emptiness test\\
+ \cdx{hd} & $\alpha\,list \To \alpha$ & & head \\
+ \cdx{tl} & $\alpha\,list \To \alpha\,list$ & & tail \\
+ \cdx{last} & $\alpha\,list \To \alpha$ & & last element \\
+ \cdx{butlast} & $\alpha\,list \To \alpha\,list$ & & drop last element \\
+ \tt\at & $[\alpha\,list,\alpha\,list]\To \alpha\,list$ & Left 65 & append \\
+ \cdx{map} & $(\alpha\To\beta) \To (\alpha\,list \To \beta\,list)$
+ & & apply to all\\
+ \cdx{filter} & $(\alpha \To bool) \To (\alpha\,list \To \alpha\,list)$
+ & & filter functional\\
+ \cdx{set}& $\alpha\,list \To \alpha\,set$ & & elements\\
+ \sdx{mem} & $\alpha \To \alpha\,list \To bool$ & Left 55 & membership\\
+ \cdx{foldl} & $(\beta\To\alpha\To\beta) \To \beta \To \alpha\,list \To \beta$ &
+ & iteration \\
+ \cdx{concat} & $(\alpha\,list)list\To \alpha\,list$ & & concatenation \\
+ \cdx{rev} & $\alpha\,list \To \alpha\,list$ & & reverse \\
+ \cdx{length} & $\alpha\,list \To nat$ & & length \\
+ \tt! & $\alpha\,list \To nat \To \alpha$ & Left 100 & indexing \\
+ \cdx{take}, \cdx{drop} & $nat \To \alpha\,list \To \alpha\,list$ &&
+ take/drop a prefix \\
+ \cdx{takeWhile},\\
+ \cdx{dropWhile} &
+ $(\alpha \To bool) \To \alpha\,list \To \alpha\,list$ &&
+ take/drop a prefix
+\end{constants}
+\subcaption{Constants and infixes}
+
+\begin{center} \tt\frenchspacing
+\begin{tabular}{rrr}
+ \it external & \it internal & \it description \\{}
+ [$x@1$, $\dots$, $x@n$] & $x@1$ \# $\cdots$ \# $x@n$ \# [] &
+ \rm finite list \\{}
+ [$x$:$l$. $P$] & filter ($\lambda x{.}P$) $l$ &
+ \rm list comprehension
+\end{tabular}
+\end{center}
+\subcaption{Translations}
+\caption{The theory \thydx{List}} \label{hol-list}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}\makeatother
+null [] = True
+null (x#xs) = False
+
+hd (x#xs) = x
+
+tl (x#xs) = xs
+tl [] = []
+
+[] @ ys = ys
+(x#xs) @ ys = x # xs @ ys
+
+set [] = \ttlbrace\ttrbrace
+set (x#xs) = insert x (set xs)
+
+x mem [] = False
+x mem (y#ys) = (if y=x then True else x mem ys)
+
+concat([]) = []
+concat(x#xs) = x @ concat(xs)
+
+rev([]) = []
+rev(x#xs) = rev(xs) @ [x]
+
+length([]) = 0
+length(x#xs) = Suc(length(xs))
+
+xs!0 = hd xs
+xs!(Suc n) = (tl xs)!n
+\end{ttbox}
+\caption{Simple list processing functions}
+\label{fig:HOL:list-simps}
+\end{figure}
+
+\begin{figure}
+\begin{ttbox}\makeatother
+map f [] = []
+map f (x#xs) = f x # map f xs
+
+filter P [] = []
+filter P (x#xs) = (if P x then x#filter P xs else filter P xs)
+
+foldl f a [] = a
+foldl f a (x#xs) = foldl f (f a x) xs
+
+take n [] = []
+take n (x#xs) = (case n of 0 => [] | Suc(m) => x # take m xs)
+
+drop n [] = []
+drop n (x#xs) = (case n of 0 => x#xs | Suc(m) => drop m xs)
+
+takeWhile P [] = []
+takeWhile P (x#xs) = (if P x then x#takeWhile P xs else [])
+
+dropWhile P [] = []
+dropWhile P (x#xs) = (if P x then dropWhile P xs else xs)
+\end{ttbox}
+\caption{Further list processing functions}
+\label{fig:HOL:list-simps2}
+\end{figure}
+
+
+\subsection{The type constructor for lists, \textit{list}}
+\label{subsec:list}
+\index{list@{\textit{list}} type|(}
+
+Figure~\ref{hol-list} presents the theory \thydx{List}: the basic list
+operations with their types and syntax. Type $\alpha \; list$ is
+defined as a \texttt{datatype} with the constructors {\tt[]} and {\tt\#}.
+As a result the generic structural induction and case analysis tactics
+\texttt{induct\_tac} and \texttt{cases\_tac} also become available for
+lists. A \sdx{case} construct of the form
+\begin{center}\tt
+case $e$ of [] => $a$ | \(x\)\#\(xs\) => b
+\end{center}
+is defined by translation. For details see~{\S}\ref{sec:HOL:datatype}. There
+is also a case splitting rule \tdx{split_list_case}
+\[
+\begin{array}{l}
+P(\mathtt{case}~e~\mathtt{of}~\texttt{[] =>}~a ~\texttt{|}~
+ x\texttt{\#}xs~\texttt{=>}~f~x~xs) ~= \\
+((e = \texttt{[]} \to P(a)) \land
+ (\forall x~ xs. e = x\texttt{\#}xs \to P(f~x~xs)))
+\end{array}
+\]
+which can be fed to \ttindex{addsplits} just like
+\texttt{split_if} (see~{\S}\ref{subsec:HOL:case:splitting}).
+
+\texttt{List} provides a basic library of list processing functions defined by
+primitive recursion. The recursion equations
+are shown in Figs.\ts\ref{fig:HOL:list-simps} and~\ref{fig:HOL:list-simps2}.
+
+\index{list@{\textit{list}} type|)}
+
+
+\section{Datatype definitions}
+\label{sec:HOL:datatype}
+\index{*datatype|(}
+
+Inductive datatypes, similar to those of \ML, frequently appear in
+applications of Isabelle/HOL. In principle, such types could be defined by
+hand via \texttt{typedef}, but this would be far too
+tedious. The \ttindex{datatype} definition package of Isabelle/HOL (cf.\
+\cite{Berghofer-Wenzel:1999:TPHOL}) automates such chores. It generates an
+appropriate \texttt{typedef} based on a least fixed-point construction, and
+proves freeness theorems and induction rules, as well as theorems for
+recursion and case combinators. The user just has to give a simple
+specification of new inductive types using a notation similar to {\ML} or
+Haskell.
+
+The current datatype package can handle both mutual and indirect recursion.
+It also offers to represent existing types as datatypes giving the advantage
+of a more uniform view on standard theories.
+
+
+\subsection{Basics}
+\label{subsec:datatype:basics}
+
+A general \texttt{datatype} definition is of the following form:
+\[
+\begin{array}{llcl}
+\mathtt{datatype} & (\vec{\alpha})t@1 & = &
+ C^1@1~\tau^1@{1,1}~\ldots~\tau^1@{1,m^1@1} ~\mid~ \ldots ~\mid~
+ C^1@{k@1}~\tau^1@{k@1,1}~\ldots~\tau^1@{k@1,m^1@{k@1}} \\
+ & & \vdots \\
+\mathtt{and} & (\vec{\alpha})t@n & = &
+ C^n@1~\tau^n@{1,1}~\ldots~\tau^n@{1,m^n@1} ~\mid~ \ldots ~\mid~
+ C^n@{k@n}~\tau^n@{k@n,1}~\ldots~\tau^n@{k@n,m^n@{k@n}}
+\end{array}
+\]
+where $\vec{\alpha} = (\alpha@1,\ldots,\alpha@h)$ is a list of type variables,
+$C^j@i$ are distinct constructor names and $\tau^j@{i,i'}$ are {\em
+ admissible} types containing at most the type variables $\alpha@1, \ldots,
+\alpha@h$. A type $\tau$ occurring in a \texttt{datatype} definition is {\em
+ admissible} if and only if
+\begin{itemize}
+\item $\tau$ is non-recursive, i.e.\ $\tau$ does not contain any of the
+newly defined type constructors $t@1,\ldots,t@n$, or
+\item $\tau = (\vec{\alpha})t@{j'}$ where $1 \leq j' \leq n$, or
+\item $\tau = (\tau'@1,\ldots,\tau'@{h'})t'$, where $t'$ is
+the type constructor of an already existing datatype and $\tau'@1,\ldots,\tau'@{h'}$
+are admissible types.
+\item $\tau = \sigma \to \tau'$, where $\tau'$ is an admissible
+type and $\sigma$ is non-recursive (i.e. the occurrences of the newly defined
+types are {\em strictly positive})
+\end{itemize}
+If some $(\vec{\alpha})t@{j'}$ occurs in a type $\tau^j@{i,i'}$
+of the form
+\[
+(\ldots,\ldots ~ (\vec{\alpha})t@{j'} ~ \ldots,\ldots)t'
+\]
+this is called a {\em nested} (or \emph{indirect}) occurrence. A very simple
+example of a datatype is the type \texttt{list}, which can be defined by
+\begin{ttbox}
+datatype 'a list = Nil
+ | Cons 'a ('a list)
+\end{ttbox}
+Arithmetic expressions \texttt{aexp} and boolean expressions \texttt{bexp} can be modelled
+by the mutually recursive datatype definition
+\begin{ttbox}
+datatype 'a aexp = If_then_else ('a bexp) ('a aexp) ('a aexp)
+ | Sum ('a aexp) ('a aexp)
+ | Diff ('a aexp) ('a aexp)
+ | Var 'a
+ | Num nat
+and 'a bexp = Less ('a aexp) ('a aexp)
+ | And ('a bexp) ('a bexp)
+ | Or ('a bexp) ('a bexp)
+\end{ttbox}
+The datatype \texttt{term}, which is defined by
+\begin{ttbox}
+datatype ('a, 'b) term = Var 'a
+ | App 'b ((('a, 'b) term) list)
+\end{ttbox}
+is an example for a datatype with nested recursion. Using nested recursion
+involving function spaces, we may also define infinitely branching datatypes, e.g.
+\begin{ttbox}
+datatype 'a tree = Atom 'a | Branch "nat => 'a tree"
+\end{ttbox}
+
+\medskip
+
+Types in HOL must be non-empty. Each of the new datatypes
+$(\vec{\alpha})t@j$ with $1 \leq j \leq n$ is non-empty if and only if it has a
+constructor $C^j@i$ with the following property: for all argument types
+$\tau^j@{i,i'}$ of the form $(\vec{\alpha})t@{j'}$ the datatype
+$(\vec{\alpha})t@{j'}$ is non-empty.
+
+If there are no nested occurrences of the newly defined datatypes, obviously
+at least one of the newly defined datatypes $(\vec{\alpha})t@j$
+must have a constructor $C^j@i$ without recursive arguments, a \emph{base
+ case}, to ensure that the new types are non-empty. If there are nested
+occurrences, a datatype can even be non-empty without having a base case
+itself. Since \texttt{list} is a non-empty datatype, \texttt{datatype t = C (t
+ list)} is non-empty as well.
+
+
+\subsubsection{Freeness of the constructors}
+
+The datatype constructors are automatically defined as functions of their
+respective type:
+\[ C^j@i :: [\tau^j@{i,1},\dots,\tau^j@{i,m^j@i}] \To (\alpha@1,\dots,\alpha@h)t@j \]
+These functions have certain {\em freeness} properties. They construct
+distinct values:
+\[
+C^j@i~x@1~\dots~x@{m^j@i} \neq C^j@{i'}~y@1~\dots~y@{m^j@{i'}} \qquad
+\mbox{for all}~ i \neq i'.
+\]
+The constructor functions are injective:
+\[
+(C^j@i~x@1~\dots~x@{m^j@i} = C^j@i~y@1~\dots~y@{m^j@i}) =
+(x@1 = y@1 \land \dots \land x@{m^j@i} = y@{m^j@i})
+\]
+Since the number of distinctness inequalities is quadratic in the number of
+constructors, the datatype package avoids proving them separately if there are
+too many constructors. Instead, specific inequalities are proved by a suitable
+simplification procedure on demand.\footnote{This procedure, which is already part
+of the default simpset, may be referred to by the ML identifier
+\texttt{DatatypePackage.distinct_simproc}.}
+
+\subsubsection{Structural induction}
+
+The datatype package also provides structural induction rules. For
+datatypes without nested recursion, this is of the following form:
+\[
+\infer{P@1~x@1 \land \dots \land P@n~x@n}
+ {\begin{array}{lcl}
+ \Forall x@1 \dots x@{m^1@1}.
+ \List{P@{s^1@{1,1}}~x@{r^1@{1,1}}; \dots;
+ P@{s^1@{1,l^1@1}}~x@{r^1@{1,l^1@1}}} & \Imp &
+ P@1~\left(C^1@1~x@1~\dots~x@{m^1@1}\right) \\
+ & \vdots \\
+ \Forall x@1 \dots x@{m^1@{k@1}}.
+ \List{P@{s^1@{k@1,1}}~x@{r^1@{k@1,1}}; \dots;
+ P@{s^1@{k@1,l^1@{k@1}}}~x@{r^1@{k@1,l^1@{k@1}}}} & \Imp &
+ P@1~\left(C^1@{k@1}~x@1~\ldots~x@{m^1@{k@1}}\right) \\
+ & \vdots \\
+ \Forall x@1 \dots x@{m^n@1}.
+ \List{P@{s^n@{1,1}}~x@{r^n@{1,1}}; \dots;
+ P@{s^n@{1,l^n@1}}~x@{r^n@{1,l^n@1}}} & \Imp &
+ P@n~\left(C^n@1~x@1~\ldots~x@{m^n@1}\right) \\
+ & \vdots \\
+ \Forall x@1 \dots x@{m^n@{k@n}}.
+ \List{P@{s^n@{k@n,1}}~x@{r^n@{k@n,1}}; \dots
+ P@{s^n@{k@n,l^n@{k@n}}}~x@{r^n@{k@n,l^n@{k@n}}}} & \Imp &
+ P@n~\left(C^n@{k@n}~x@1~\ldots~x@{m^n@{k@n}}\right)
+ \end{array}}
+\]
+where
+\[
+\begin{array}{rcl}
+Rec^j@i & := &
+ \left\{\left(r^j@{i,1},s^j@{i,1}\right),\ldots,
+ \left(r^j@{i,l^j@i},s^j@{i,l^j@i}\right)\right\} = \\[2ex]
+&& \left\{(i',i'')~\left|~
+ 1\leq i' \leq m^j@i \land 1 \leq i'' \leq n \land
+ \tau^j@{i,i'} = (\alpha@1,\ldots,\alpha@h)t@{i''}\right.\right\}
+\end{array}
+\]
+i.e.\ the properties $P@j$ can be assumed for all recursive arguments.
+
+For datatypes with nested recursion, such as the \texttt{term} example from
+above, things are a bit more complicated. Conceptually, Isabelle/HOL unfolds
+a definition like
+\begin{ttbox}
+datatype ('a,'b) term = Var 'a
+ | App 'b ((('a, 'b) term) list)
+\end{ttbox}
+to an equivalent definition without nesting:
+\begin{ttbox}
+datatype ('a,'b) term = Var
+ | App 'b (('a, 'b) term_list)
+and ('a,'b) term_list = Nil'
+ | Cons' (('a,'b) term) (('a,'b) term_list)
+\end{ttbox}
+Note however, that the type \texttt{('a,'b) term_list} and the constructors {\tt
+ Nil'} and \texttt{Cons'} are not really introduced. One can directly work with
+the original (isomorphic) type \texttt{(('a, 'b) term) list} and its existing
+constructors \texttt{Nil} and \texttt{Cons}. Thus, the structural induction rule for
+\texttt{term} gets the form
+\[
+\infer{P@1~x@1 \land P@2~x@2}
+ {\begin{array}{l}
+ \Forall x.~P@1~(\mathtt{Var}~x) \\
+ \Forall x@1~x@2.~P@2~x@2 \Imp P@1~(\mathtt{App}~x@1~x@2) \\
+ P@2~\mathtt{Nil} \\
+ \Forall x@1~x@2. \List{P@1~x@1; P@2~x@2} \Imp P@2~(\mathtt{Cons}~x@1~x@2)
+ \end{array}}
+\]
+Note that there are two predicates $P@1$ and $P@2$, one for the type \texttt{('a,'b) term}
+and one for the type \texttt{(('a, 'b) term) list}.
+
+For a datatype with function types such as \texttt{'a tree}, the induction rule
+is of the form
+\[
+\infer{P~t}
+ {\Forall a.~P~(\mathtt{Atom}~a) &
+ \Forall ts.~(\forall x.~P~(ts~x)) \Imp P~(\mathtt{Branch}~ts)}
+\]
+
+\medskip In principle, inductive types are already fully determined by
+freeness and structural induction. For convenience in applications,
+the following derived constructions are automatically provided for any
+datatype.
+
+\subsubsection{The \sdx{case} construct}
+
+The type comes with an \ML-like \texttt{case}-construct:
+\[
+\begin{array}{rrcl}
+\mbox{\tt case}~e~\mbox{\tt of} & C^j@1~x@{1,1}~\dots~x@{1,m^j@1} & \To & e@1 \\
+ \vdots \\
+ \mid & C^j@{k@j}~x@{k@j,1}~\dots~x@{k@j,m^j@{k@j}} & \To & e@{k@j}
+\end{array}
+\]
+where the $x@{i,j}$ are either identifiers or nested tuple patterns as in
+{\S}\ref{subsec:prod-sum}.
+\begin{warn}
+ All constructors must be present, their order is fixed, and nested patterns
+ are not supported (with the exception of tuples). Violating this
+ restriction results in strange error messages.
+\end{warn}
+
+To perform case distinction on a goal containing a \texttt{case}-construct,
+the theorem $t@j.$\texttt{split} is provided:
+\[
+\begin{array}{@{}rcl@{}}
+P(t@j_\mathtt{case}~f@1~\dots~f@{k@j}~e) &\!\!\!=&
+\!\!\! ((\forall x@1 \dots x@{m^j@1}. e = C^j@1~x@1\dots x@{m^j@1} \to
+ P(f@1~x@1\dots x@{m^j@1})) \\
+&&\!\!\! ~\land~ \dots ~\land \\
+&&~\!\!\! (\forall x@1 \dots x@{m^j@{k@j}}. e = C^j@{k@j}~x@1\dots x@{m^j@{k@j}} \to
+ P(f@{k@j}~x@1\dots x@{m^j@{k@j}})))
+\end{array}
+\]
+where $t@j$\texttt{_case} is the internal name of the \texttt{case}-construct.
+This theorem can be added to a simpset via \ttindex{addsplits}
+(see~{\S}\ref{subsec:HOL:case:splitting}).
+
+Case splitting on assumption works as well, by using the rule
+$t@j.$\texttt{split_asm} in the same manner. Both rules are available under
+$t@j.$\texttt{splits} (this name is \emph{not} bound in ML, though).
+
+\begin{warn}\index{simplification!of \texttt{case}}%
+ By default only the selector expression ($e$ above) in a
+ \texttt{case}-construct is simplified, in analogy with \texttt{if} (see
+ page~\pageref{if-simp}). Only if that reduces to a constructor is one of
+ the arms of the \texttt{case}-construct exposed and simplified. To ensure
+ full simplification of all parts of a \texttt{case}-construct for datatype
+ $t$, remove $t$\texttt{.}\ttindexbold{case_weak_cong} from the simpset, for
+ example by \texttt{delcongs [thm "$t$.weak_case_cong"]}.
+\end{warn}
+
+\subsubsection{The function \cdx{size}}\label{sec:HOL:size}
+
+Theory \texttt{NatArith} declares a generic function \texttt{size} of type
+$\alpha\To nat$. Each datatype defines a particular instance of \texttt{size}
+by overloading according to the following scheme:
+%%% FIXME: This formula is too big and is completely unreadable
+\[
+size(C^j@i~x@1~\dots~x@{m^j@i}) = \!
+\left\{
+\begin{array}{ll}
+0 & \!\mbox{if $Rec^j@i = \emptyset$} \\
+1+\sum\limits@{h=1}^{l^j@i}size~x@{r^j@{i,h}} &
+ \!\mbox{if $Rec^j@i = \left\{\left(r^j@{i,1},s^j@{i,1}\right),\ldots,
+ \left(r^j@{i,l^j@i},s^j@{i,l^j@i}\right)\right\}$}
+\end{array}
+\right.
+\]
+where $Rec^j@i$ is defined above. Viewing datatypes as generalised trees, the
+size of a leaf is 0 and the size of a node is the sum of the sizes of its
+subtrees ${}+1$.
+
+\subsection{Defining datatypes}
+
+The theory syntax for datatype definitions is given in the
+Isabelle/Isar reference manual. In order to be well-formed, a
+datatype definition has to obey the rules stated in the previous
+section. As a result the theory is extended with the new types, the
+constructors, and the theorems listed in the previous section.
+
+Most of the theorems about datatypes become part of the default simpset and
+you never need to see them again because the simplifier applies them
+automatically. Only induction or case distinction are usually invoked by hand.
+\begin{ttdescription}
+\item[\ttindexbold{induct_tac} {\tt"}$x${\tt"} $i$]
+ applies structural induction on variable $x$ to subgoal $i$, provided the
+ type of $x$ is a datatype.
+\item[\texttt{induct_tac}
+ {\tt"}$x@1$ $\ldots$ $x@n${\tt"} $i$] applies simultaneous
+ structural induction on the variables $x@1,\ldots,x@n$ to subgoal $i$. This
+ is the canonical way to prove properties of mutually recursive datatypes
+ such as \texttt{aexp} and \texttt{bexp}, or datatypes with nested recursion such as
+ \texttt{term}.
+\end{ttdescription}
+In some cases, induction is overkill and a case distinction over all
+constructors of the datatype suffices.
+\begin{ttdescription}
+\item[\ttindexbold{case_tac} {\tt"}$u${\tt"} $i$]
+ performs a case analysis for the term $u$ whose type must be a datatype.
+ If the datatype has $k@j$ constructors $C^j@1$, \dots $C^j@{k@j}$, subgoal
+ $i$ is replaced by $k@j$ new subgoals which contain the additional
+ assumption $u = C^j@{i'}~x@1~\dots~x@{m^j@{i'}}$ for $i'=1$, $\dots$,~$k@j$.
+\end{ttdescription}
+
+Note that induction is only allowed on free variables that should not occur
+among the premises of the subgoal. Case distinction applies to arbitrary terms.
+
+\bigskip
+
+
+For the technically minded, we exhibit some more details. Processing the
+theory file produces an \ML\ structure which, in addition to the usual
+components, contains a structure named $t$ for each datatype $t$ defined in
+the file. Each structure $t$ contains the following elements:
+\begin{ttbox}
+val distinct : thm list
+val inject : thm list
+val induct : thm
+val exhaust : thm
+val cases : thm list
+val split : thm
+val split_asm : thm
+val recs : thm list
+val size : thm list
+val simps : thm list
+\end{ttbox}
+\texttt{distinct}, \texttt{inject}, \texttt{induct}, \texttt{size}
+and \texttt{split} contain the theorems
+described above. For user convenience, \texttt{distinct} contains
+inequalities in both directions. The reduction rules of the {\tt
+ case}-construct are in \texttt{cases}. All theorems from {\tt
+ distinct}, \texttt{inject} and \texttt{cases} are combined in \texttt{simps}.
+In case of mutually recursive datatypes, \texttt{recs}, \texttt{size}, \texttt{induct}
+and \texttt{simps} are contained in a separate structure named $t@1_\ldots_t@n$.
+
+
+\section{Old-style recursive function definitions}\label{sec:HOL:recursive}
+\index{recursion!general|(}
+\index{*recdef|(}
+
+Old-style recursive definitions via \texttt{recdef} requires that you
+supply a well-founded relation that governs the recursion. Recursive
+calls are only allowed if they make the argument decrease under the
+relation. Complicated recursion forms, such as nested recursion, can
+be dealt with. Termination can even be proved at a later time, though
+having unsolved termination conditions around can make work
+difficult.%
+\footnote{This facility is based on Konrad Slind's TFL
+ package~\cite{slind-tfl}. Thanks are due to Konrad for implementing
+ TFL and assisting with its installation.}
+
+Using \texttt{recdef}, you can declare functions involving nested recursion
+and pattern-matching. Recursion need not involve datatypes and there are few
+syntactic restrictions. Termination is proved by showing that each recursive
+call makes the argument smaller in a suitable sense, which you specify by
+supplying a well-founded relation.
+
+Here is a simple example, the Fibonacci function. The first line declares
+\texttt{fib} to be a constant. The well-founded relation is simply~$<$ (on
+the natural numbers). Pattern-matching is used here: \texttt{1} is a
+macro for \texttt{Suc~0}.
+\begin{ttbox}
+consts fib :: "nat => nat"
+recdef fib "less_than"
+ "fib 0 = 0"
+ "fib 1 = 1"
+ "fib (Suc(Suc x)) = (fib x + fib (Suc x))"
+\end{ttbox}
+
+With \texttt{recdef}, function definitions may be incomplete, and patterns may
+overlap, as in functional programming. The \texttt{recdef} package
+disambiguates overlapping patterns by taking the order of rules into account.
+For missing patterns, the function is defined to return a default value.
+
+%For example, here is a declaration of the list function \cdx{hd}:
+%\begin{ttbox}
+%consts hd :: 'a list => 'a
+%recdef hd "\{\}"
+% "hd (x#l) = x"
+%\end{ttbox}
+%Because this function is not recursive, we may supply the empty well-founded
+%relation, $\{\}$.
+
+The well-founded relation defines a notion of ``smaller'' for the function's
+argument type. The relation $\prec$ is \textbf{well-founded} provided it
+admits no infinitely decreasing chains
+\[ \cdots\prec x@n\prec\cdots\prec x@1. \]
+If the function's argument has type~$\tau$, then $\prec$ has to be a relation
+over~$\tau$: it must have type $(\tau\times\tau)set$.
+
+Proving well-foundedness can be tricky, so Isabelle/HOL provides a collection
+of operators for building well-founded relations. The package recognises
+these operators and automatically proves that the constructed relation is
+well-founded. Here are those operators, in order of importance:
+\begin{itemize}
+\item \texttt{less_than} is ``less than'' on the natural numbers.
+ (It has type $(nat\times nat)set$, while $<$ has type $[nat,nat]\To bool$.
+
+\item $\mathop{\mathtt{measure}} f$, where $f$ has type $\tau\To nat$, is the
+ relation~$\prec$ on type~$\tau$ such that $x\prec y$ if and only if
+ $f(x)<f(y)$.
+ Typically, $f$ takes the recursive function's arguments (as a tuple) and
+ returns a result expressed in terms of the function \texttt{size}. It is
+ called a \textbf{measure function}. Recall that \texttt{size} is overloaded
+ and is defined on all datatypes (see {\S}\ref{sec:HOL:size}).
+
+\item $\mathop{\mathtt{inv_image}} R\;f$ is a generalisation of
+ \texttt{measure}. It specifies a relation such that $x\prec y$ if and only
+ if $f(x)$
+ is less than $f(y)$ according to~$R$, which must itself be a well-founded
+ relation.
+
+\item $R@1\texttt{<*lex*>}R@2$ is the lexicographic product of two relations.
+ It
+ is a relation on pairs and satisfies $(x@1,x@2)\prec(y@1,y@2)$ if and only
+ if $x@1$
+ is less than $y@1$ according to~$R@1$ or $x@1=y@1$ and $x@2$
+ is less than $y@2$ according to~$R@2$.
+
+\item \texttt{finite_psubset} is the proper subset relation on finite sets.
+\end{itemize}
+
+We can use \texttt{measure} to declare Euclid's algorithm for the greatest
+common divisor. The measure function, $\lambda(m,n). n$, specifies that the
+recursion terminates because argument~$n$ decreases.
+\begin{ttbox}
+recdef gcd "measure ((\%(m,n). n) ::nat*nat=>nat)"
+ "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))"
+\end{ttbox}
+
+The general form of a well-founded recursive definition is
+\begin{ttbox}
+recdef {\it function} {\it rel}
+ congs {\it congruence rules} {\bf(optional)}
+ simpset {\it simplification set} {\bf(optional)}
+ {\it reduction rules}
+\end{ttbox}
+where
+\begin{itemize}
+\item \textit{function} is the name of the function, either as an \textit{id}
+ or a \textit{string}.
+
+\item \textit{rel} is a HOL expression for the well-founded termination
+ relation.
+
+\item \textit{congruence rules} are required only in highly exceptional
+ circumstances.
+
+\item The \textit{simplification set} is used to prove that the supplied
+ relation is well-founded. It is also used to prove the \textbf{termination
+ conditions}: assertions that arguments of recursive calls decrease under
+ \textit{rel}. By default, simplification uses \texttt{simpset()}, which
+ is sufficient to prove well-foundedness for the built-in relations listed
+ above.
+
+\item \textit{reduction rules} specify one or more recursion equations. Each
+ left-hand side must have the form $f\,t$, where $f$ is the function and $t$
+ is a tuple of distinct variables. If more than one equation is present then
+ $f$ is defined by pattern-matching on components of its argument whose type
+ is a \texttt{datatype}.
+
+ The \ML\ identifier $f$\texttt{.simps} contains the reduction rules as
+ a list of theorems.
+\end{itemize}
+
+With the definition of \texttt{gcd} shown above, Isabelle/HOL is unable to
+prove one termination condition. It remains as a precondition of the
+recursion theorems:
+\begin{ttbox}
+gcd.simps;
+{\out ["! m n. n ~= 0 --> m mod n < n}
+{\out ==> gcd (?m,?n) = (if ?n=0 then ?m else gcd (?n, ?m mod ?n))"] }
+{\out : thm list}
+\end{ttbox}
+The theory \texttt{HOL/ex/Primes} illustrates how to prove termination
+conditions afterwards. The function \texttt{Tfl.tgoalw} is like the standard
+function \texttt{goalw}, which sets up a goal to prove, but its argument
+should be the identifier $f$\texttt{.simps} and its effect is to set up a
+proof of the termination conditions:
+\begin{ttbox}
+Tfl.tgoalw thy [] gcd.simps;
+{\out Level 0}
+{\out ! m n. n ~= 0 --> m mod n < n}
+{\out 1. ! m n. n ~= 0 --> m mod n < n}
+\end{ttbox}
+This subgoal has a one-step proof using \texttt{simp_tac}. Once the theorem
+is proved, it can be used to eliminate the termination conditions from
+elements of \texttt{gcd.simps}. Theory \texttt{HOL/Subst/Unify} is a much
+more complicated example of this process, where the termination conditions can
+only be proved by complicated reasoning involving the recursive function
+itself.
+
+Isabelle/HOL can prove the \texttt{gcd} function's termination condition
+automatically if supplied with the right simpset.
+\begin{ttbox}
+recdef gcd "measure ((\%(m,n). n) ::nat*nat=>nat)"
+ simpset "simpset() addsimps [mod_less_divisor, zero_less_eq]"
+ "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))"
+\end{ttbox}
+
+If all termination conditions were proved automatically, $f$\texttt{.simps}
+is added to the simpset automatically, just as in \texttt{primrec}.
+The simplification rules corresponding to clause $i$ (where counting starts
+at 0) are called $f$\texttt{.}$i$ and can be accessed as \texttt{thms
+ "$f$.$i$"},
+which returns a list of theorems. Thus you can, for example, remove specific
+clauses from the simpset. Note that a single clause may give rise to a set of
+simplification rules in order to capture the fact that if clauses overlap,
+their order disambiguates them.
+
+A \texttt{recdef} definition also returns an induction rule specialised for
+the recursive function. For the \texttt{gcd} function above, the induction
+rule is
+\begin{ttbox}
+gcd.induct;
+{\out "(!!m n. n ~= 0 --> ?P n (m mod n) ==> ?P m n) ==> ?P ?u ?v" : thm}
+\end{ttbox}
+This rule should be used to reason inductively about the \texttt{gcd}
+function. It usually makes the induction hypothesis available at all
+recursive calls, leading to very direct proofs. If any termination conditions
+remain unproved, they will become additional premises of this rule.
+
+\index{recursion!general|)}
+\index{*recdef|)}
+
+
+\section{Example: Cantor's Theorem}\label{sec:hol-cantor}
+Cantor's Theorem states that every set has more subsets than it has
+elements. It has become a favourite example in higher-order logic since
+it is so easily expressed:
+\[ \forall f::\alpha \To \alpha \To bool. \exists S::\alpha\To bool.
+ \forall x::\alpha. f~x \not= S
+\]
+%
+Viewing types as sets, $\alpha\To bool$ represents the powerset
+of~$\alpha$. This version states that for every function from $\alpha$ to
+its powerset, some subset is outside its range.
+
+The Isabelle proof uses HOL's set theory, with the type $\alpha\,set$ and
+the operator \cdx{range}.
+\begin{ttbox}
+context Set.thy;
+\end{ttbox}
+The set~$S$ is given as an unknown instead of a
+quantified variable so that we may inspect the subset found by the proof.
+\begin{ttbox}
+Goal "?S ~: range\thinspace(f :: 'a=>'a set)";
+{\out Level 0}
+{\out ?S ~: range f}
+{\out 1. ?S ~: range f}
+\end{ttbox}
+The first two steps are routine. The rule \tdx{rangeE} replaces
+$\Var{S}\in \texttt{range} \, f$ by $\Var{S}=f~x$ for some~$x$.
+\begin{ttbox}
+by (resolve_tac [notI] 1);
+{\out Level 1}
+{\out ?S ~: range f}
+{\out 1. ?S : range f ==> False}
+\ttbreak
+by (eresolve_tac [rangeE] 1);
+{\out Level 2}
+{\out ?S ~: range f}
+{\out 1. !!x. ?S = f x ==> False}
+\end{ttbox}
+Next, we apply \tdx{equalityCE}, reasoning that since $\Var{S}=f~x$,
+we have $\Var{c}\in \Var{S}$ if and only if $\Var{c}\in f~x$ for
+any~$\Var{c}$.
+\begin{ttbox}
+by (eresolve_tac [equalityCE] 1);
+{\out Level 3}
+{\out ?S ~: range f}
+{\out 1. !!x. [| ?c3 x : ?S; ?c3 x : f x |] ==> False}
+{\out 2. !!x. [| ?c3 x ~: ?S; ?c3 x ~: f x |] ==> False}
+\end{ttbox}
+Now we use a bit of creativity. Suppose that~$\Var{S}$ has the form of a
+comprehension. Then $\Var{c}\in\{x.\Var{P}~x\}$ implies
+$\Var{P}~\Var{c}$. Destruct-resolution using \tdx{CollectD}
+instantiates~$\Var{S}$ and creates the new assumption.
+\begin{ttbox}
+by (dresolve_tac [CollectD] 1);
+{\out Level 4}
+{\out {\ttlbrace}x. ?P7 x{\ttrbrace} ~: range f}
+{\out 1. !!x. [| ?c3 x : f x; ?P7(?c3 x) |] ==> False}
+{\out 2. !!x. [| ?c3 x ~: {\ttlbrace}x. ?P7 x{\ttrbrace}; ?c3 x ~: f x |] ==> False}
+\end{ttbox}
+Forcing a contradiction between the two assumptions of subgoal~1
+completes the instantiation of~$S$. It is now the set $\{x. x\not\in
+f~x\}$, which is the standard diagonal construction.
+\begin{ttbox}
+by (contr_tac 1);
+{\out Level 5}
+{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
+{\out 1. !!x. [| x ~: {\ttlbrace}x. x ~: f x{\ttrbrace}; x ~: f x |] ==> False}
+\end{ttbox}
+The rest should be easy. To apply \tdx{CollectI} to the negated
+assumption, we employ \ttindex{swap_res_tac}:
+\begin{ttbox}
+by (swap_res_tac [CollectI] 1);
+{\out Level 6}
+{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
+{\out 1. !!x. [| x ~: f x; ~ False |] ==> x ~: f x}
+\ttbreak
+by (assume_tac 1);
+{\out Level 7}
+{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
+{\out No subgoals!}
+\end{ttbox}
+How much creativity is required? As it happens, Isabelle can prove this
+theorem automatically. The default classical set \texttt{claset()} contains
+rules for most of the constructs of HOL's set theory. We must augment it with
+\tdx{equalityCE} to break up set equalities, and then apply best-first search.
+Depth-first search would diverge, but best-first search successfully navigates
+through the large search space. \index{search!best-first}
+\begin{ttbox}
+choplev 0;
+{\out Level 0}
+{\out ?S ~: range f}
+{\out 1. ?S ~: range f}
+\ttbreak
+by (best_tac (claset() addSEs [equalityCE]) 1);
+{\out Level 1}
+{\out {\ttlbrace}x. x ~: f x{\ttrbrace} ~: range f}
+{\out No subgoals!}
+\end{ttbox}
+If you run this example interactively, make sure your current theory contains
+theory \texttt{Set}, for example by executing \ttindex{context}~{\tt Set.thy}.
+Otherwise the default claset may not contain the rules for set theory.
+\index{higher-order logic|)}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "logics-HOL"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/HOL/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
+"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+cp "$ISABELLE_HOME/src/Doc/Logics/document/syntax.tex" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/HOL/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,60 @@
+\documentclass[12pt,a4paper]{report}
+\usepackage{isabelle,isabellesym}
+\usepackage{graphicx,iman,extra,ttbox,proof,latexsym,pdfsetup}
+
+%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
+%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
+%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
+%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
+
+
+\title{\includegraphics[scale=0.5]{isabelle_hol} \\[4ex]
+ Isabelle's Logics: HOL%
+ \thanks{The research has been funded by the EPSRC (grants GR/G53279,
+ GR\slash H40570, GR/K57381, GR/K77051, GR/M75440), by ESPRIT (projects 3245:
+ Logical Frameworks, and 6453: Types) and by the DFG Schwerpunktprogramm
+ \emph{Deduktion}.}}
+
+\author{Tobias Nipkow\footnote
+{Institut f\"ur Informatik, Technische Universit\"at M\"unchen,
+ \texttt{nipkow@in.tum.de}} and
+Lawrence C. Paulson\footnote
+{Computer Laboratory, University of Cambridge, \texttt{lcp@cl.cam.ac.uk}} and
+Markus Wenzel\footnote
+{Institut f\"ur Informatik, Technische Universit\"at M\"unchen,
+ \texttt{wenzelm@in.tum.de}}}
+
+\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
+ \hrule\bigskip}
+\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
+
+\newcommand\bs{\char '134 } % A backslash character for \tt font
+
+\makeindex
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
+
+\pagestyle{headings}
+\sloppy
+\binperiod %%%treat . like a binary operator
+
+\begin{document}
+\maketitle
+
+\begin{abstract}
+ This manual describes Isabelle's formalization of Higher-Order Logic, a
+ polymorphic version of Church's Simple Theory of Types. HOL can be best
+ understood as a simply-typed version of classical set theory. The monograph
+ \emph{Isabelle/HOL --- A Proof Assistant for Higher-Order Logic} provides a
+ gentle introduction on using Isabelle/HOL in practice.
+\end{abstract}
+
+\pagenumbering{roman} \tableofcontents \clearfirst
+\input{syntax}
+\input{HOL}
+\bibliographystyle{plain}
+\bibliography{manual}
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Intro/document/advanced.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1249 @@
+\part{Advanced Methods}
+Before continuing, it might be wise to try some of your own examples in
+Isabelle, reinforcing your knowledge of the basic functions.
+
+Look through {\em Isabelle's Object-Logics\/} and try proving some
+simple theorems. You probably should begin with first-order logic
+(\texttt{FOL} or~\texttt{LK}). Try working some of the examples provided,
+and others from the literature. Set theory~(\texttt{ZF}) and
+Constructive Type Theory~(\texttt{CTT}) form a richer world for
+mathematical reasoning and, again, many examples are in the
+literature. Higher-order logic~(\texttt{HOL}) is Isabelle's most
+elaborate logic. Its types and functions are identified with those of
+the meta-logic.
+
+Choose a logic that you already understand. Isabelle is a proof
+tool, not a teaching tool; if you do not know how to do a particular proof
+on paper, then you certainly will not be able to do it on the machine.
+Even experienced users plan large proofs on paper.
+
+We have covered only the bare essentials of Isabelle, but enough to perform
+substantial proofs. By occasionally dipping into the {\em Reference
+Manual}, you can learn additional tactics, subgoal commands and tacticals.
+
+
+\section{Deriving rules in Isabelle}
+\index{rules!derived}
+A mathematical development goes through a progression of stages. Each
+stage defines some concepts and derives rules about them. We shall see how
+to derive rules, perhaps involving definitions, using Isabelle. The
+following section will explain how to declare types, constants, rules and
+definitions.
+
+
+\subsection{Deriving a rule using tactics and meta-level assumptions}
+\label{deriving-example}
+\index{examples!of deriving rules}\index{assumptions!of main goal}
+
+The subgoal module supports the derivation of rules, as discussed in
+\S\ref{deriving}. When the \ttindex{Goal} command is supplied a formula of
+the form $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, there are two
+possibilities:
+\begin{itemize}
+\item If all of the premises $\theta@1$, \ldots, $\theta@k$ are simple
+ formulae{} (they do not involve the meta-connectives $\Forall$ or
+ $\Imp$) then the command sets the goal to be
+ $\List{\theta@1; \ldots; \theta@k} \Imp \phi$ and returns the empty list.
+\item If one or more premises involves the meta-connectives $\Forall$ or
+ $\Imp$, then the command sets the goal to be $\phi$ and returns a list
+ consisting of the theorems ${\theta@i\;[\theta@i]}$, for $i=1$, \ldots,~$k$.
+ These meta-level assumptions are also recorded internally, allowing
+ \texttt{result} (which is called by \texttt{qed}) to discharge them in the
+ original order.
+\end{itemize}
+Rules that discharge assumptions or introduce eigenvariables have complex
+premises, and the second case applies. In this section, many of the
+theorems are subject to meta-level assumptions, so we make them visible by by setting the
+\ttindex{show_hyps} flag:
+\begin{ttbox}
+set show_hyps;
+{\out val it = true : bool}
+\end{ttbox}
+
+Now, we are ready to derive $\conj$ elimination. Until now, calling \texttt{Goal} has
+returned an empty list, which we have ignored. In this example, the list
+contains the two premises of the rule, since one of them involves the $\Imp$
+connective. We bind them to the \ML\ identifiers \texttt{major} and {\tt
+ minor}:\footnote{Some ML compilers will print a message such as {\em binding
+ not exhaustive}. This warns that \texttt{Goal} must return a 2-element
+ list. Otherwise, the pattern-match will fail; ML will raise exception
+ \xdx{Match}.}
+\begin{ttbox}
+val [major,minor] = Goal
+ "[| P&Q; [| P; Q |] ==> R |] ==> R";
+{\out Level 0}
+{\out R}
+{\out 1. R}
+{\out val major = "P & Q [P & Q]" : thm}
+{\out val minor = "[| P; Q |] ==> R [[| P; Q |] ==> R]" : thm}
+\end{ttbox}
+Look at the minor premise, recalling that meta-level assumptions are
+shown in brackets. Using \texttt{minor}, we reduce $R$ to the subgoals
+$P$ and~$Q$:
+\begin{ttbox}
+by (resolve_tac [minor] 1);
+{\out Level 1}
+{\out R}
+{\out 1. P}
+{\out 2. Q}
+\end{ttbox}
+Deviating from~\S\ref{deriving}, we apply $({\conj}E1)$ forwards from the
+assumption $P\conj Q$ to obtain the theorem~$P\;[P\conj Q]$.
+\begin{ttbox}
+major RS conjunct1;
+{\out val it = "P [P & Q]" : thm}
+\ttbreak
+by (resolve_tac [major RS conjunct1] 1);
+{\out Level 2}
+{\out R}
+{\out 1. Q}
+\end{ttbox}
+Similarly, we solve the subgoal involving~$Q$.
+\begin{ttbox}
+major RS conjunct2;
+{\out val it = "Q [P & Q]" : thm}
+by (resolve_tac [major RS conjunct2] 1);
+{\out Level 3}
+{\out R}
+{\out No subgoals!}
+\end{ttbox}
+Calling \ttindex{topthm} returns the current proof state as a theorem.
+Note that it contains assumptions. Calling \ttindex{qed} discharges
+the assumptions --- both occurrences of $P\conj Q$ are discharged as
+one --- and makes the variables schematic.
+\begin{ttbox}
+topthm();
+{\out val it = "R [P & Q, P & Q, [| P; Q |] ==> R]" : thm}
+qed "conjE";
+{\out val conjE = "[| ?P & ?Q; [| ?P; ?Q |] ==> ?R |] ==> ?R" : thm}
+\end{ttbox}
+
+
+\subsection{Definitions and derived rules} \label{definitions}
+\index{rules!derived}\index{definitions!and derived rules|(}
+
+Definitions are expressed as meta-level equalities. Let us define negation
+and the if-and-only-if connective:
+\begin{eqnarray*}
+ \neg \Var{P} & \equiv & \Var{P}\imp\bot \\
+ \Var{P}\bimp \Var{Q} & \equiv &
+ (\Var{P}\imp \Var{Q}) \conj (\Var{Q}\imp \Var{P})
+\end{eqnarray*}
+\index{meta-rewriting}%
+Isabelle permits {\bf meta-level rewriting} using definitions such as
+these. {\bf Unfolding} replaces every instance
+of $\neg \Var{P}$ by the corresponding instance of ${\Var{P}\imp\bot}$. For
+example, $\forall x.\neg (P(x)\conj \neg R(x,0))$ unfolds to
+\[ \forall x.(P(x)\conj R(x,0)\imp\bot)\imp\bot. \]
+{\bf Folding} a definition replaces occurrences of the right-hand side by
+the left. The occurrences need not be free in the entire formula.
+
+When you define new concepts, you should derive rules asserting their
+abstract properties, and then forget their definitions. This supports
+modularity: if you later change the definitions without affecting their
+abstract properties, then most of your proofs will carry through without
+change. Indiscriminate unfolding makes a subgoal grow exponentially,
+becoming unreadable.
+
+Taking this point of view, Isabelle does not unfold definitions
+automatically during proofs. Rewriting must be explicit and selective.
+Isabelle provides tactics and meta-rules for rewriting, and a version of
+the \texttt{Goal} command that unfolds the conclusion and premises of the rule
+being derived.
+
+For example, the intuitionistic definition of negation given above may seem
+peculiar. Using Isabelle, we shall derive pleasanter negation rules:
+\[ \infer[({\neg}I)]{\neg P}{\infer*{\bot}{[P]}} \qquad
+ \infer[({\neg}E)]{Q}{\neg P & P} \]
+This requires proving the following meta-formulae:
+$$ (P\Imp\bot) \Imp \neg P \eqno(\neg I) $$
+$$ \List{\neg P; P} \Imp Q. \eqno(\neg E) $$
+
+
+\subsection{Deriving the $\neg$ introduction rule}
+To derive $(\neg I)$, we may call \texttt{Goal} with the appropriate formula.
+Again, the rule's premises involve a meta-connective, and \texttt{Goal}
+returns one-element list. We bind this list to the \ML\ identifier \texttt{prems}.
+\begin{ttbox}
+val prems = Goal "(P ==> False) ==> ~P";
+{\out Level 0}
+{\out ~P}
+{\out 1. ~P}
+{\out val prems = ["P ==> False [P ==> False]"] : thm list}
+\end{ttbox}
+Calling \ttindex{rewrite_goals_tac} with \tdx{not_def}, which is the
+definition of negation, unfolds that definition in the subgoals. It leaves
+the main goal alone.
+\begin{ttbox}
+not_def;
+{\out val it = "~?P == ?P --> False" : thm}
+by (rewrite_goals_tac [not_def]);
+{\out Level 1}
+{\out ~P}
+{\out 1. P --> False}
+\end{ttbox}
+Using \tdx{impI} and the premise, we reduce subgoal~1 to a triviality:
+\begin{ttbox}
+by (resolve_tac [impI] 1);
+{\out Level 2}
+{\out ~P}
+{\out 1. P ==> False}
+\ttbreak
+by (resolve_tac prems 1);
+{\out Level 3}
+{\out ~P}
+{\out 1. P ==> P}
+\end{ttbox}
+The rest of the proof is routine. Note the form of the final result.
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 4}
+{\out ~P}
+{\out No subgoals!}
+\ttbreak
+qed "notI";
+{\out val notI = "(?P ==> False) ==> ~?P" : thm}
+\end{ttbox}
+\indexbold{*notI theorem}
+
+There is a simpler way of conducting this proof. The \ttindex{Goalw}
+command starts a backward proof, as does \texttt{Goal}, but it also
+unfolds definitions. Thus there is no need to call
+\ttindex{rewrite_goals_tac}:
+\begin{ttbox}
+val prems = Goalw [not_def]
+ "(P ==> False) ==> ~P";
+{\out Level 0}
+{\out ~P}
+{\out 1. P --> False}
+{\out val prems = ["P ==> False [P ==> False]"] : thm list}
+\end{ttbox}
+
+
+\subsection{Deriving the $\neg$ elimination rule}
+Let us derive the rule $(\neg E)$. The proof follows that of~\texttt{conjE}
+above, with an additional step to unfold negation in the major premise.
+The \texttt{Goalw} command is best for this: it unfolds definitions not only
+in the conclusion but the premises.
+\begin{ttbox}
+Goalw [not_def] "[| ~P; P |] ==> R";
+{\out Level 0}
+{\out [| ~ P; P |] ==> R}
+{\out 1. [| P --> False; P |] ==> R}
+\end{ttbox}
+As the first step, we apply \tdx{FalseE}:
+\begin{ttbox}
+by (resolve_tac [FalseE] 1);
+{\out Level 1}
+{\out [| ~ P; P |] ==> R}
+{\out 1. [| P --> False; P |] ==> False}
+\end{ttbox}
+%
+Everything follows from falsity. And we can prove falsity using the
+premises and Modus Ponens:
+\begin{ttbox}
+by (eresolve_tac [mp] 1);
+{\out Level 2}
+{\out [| ~ P; P |] ==> R}
+{\out 1. P ==> P}
+\ttbreak
+by (assume_tac 1);
+{\out Level 3}
+{\out [| ~ P; P |] ==> R}
+{\out No subgoals!}
+\ttbreak
+qed "notE";
+{\out val notE = "[| ~?P; ?P |] ==> ?R" : thm}
+\end{ttbox}
+
+
+\medskip
+\texttt{Goalw} unfolds definitions in the premises even when it has to return
+them as a list. Another way of unfolding definitions in a theorem is by
+applying the function \ttindex{rewrite_rule}.
+
+\index{definitions!and derived rules|)}
+
+
+\section{Defining theories}\label{sec:defining-theories}
+\index{theories!defining|(}
+
+Isabelle makes no distinction between simple extensions of a logic ---
+like specifying a type~$bool$ with constants~$true$ and~$false$ ---
+and defining an entire logic. A theory definition has a form like
+\begin{ttbox}
+\(T\) = \(S@1\) + \(\cdots\) + \(S@n\) +
+classes {\it class declarations}
+default {\it sort}
+types {\it type declarations and synonyms}
+arities {\it type arity declarations}
+consts {\it constant declarations}
+syntax {\it syntactic constant declarations}
+translations {\it ast translation rules}
+defs {\it meta-logical definitions}
+rules {\it rule declarations}
+end
+ML {\it ML code}
+\end{ttbox}
+This declares the theory $T$ to extend the existing theories
+$S@1$,~\ldots,~$S@n$. It may introduce new classes, types, arities
+(of existing types), constants and rules; it can specify the default
+sort for type variables. A constant declaration can specify an
+associated concrete syntax. The translations section specifies
+rewrite rules on abstract syntax trees, handling notations and
+abbreviations. \index{*ML section} The \texttt{ML} section may contain
+code to perform arbitrary syntactic transformations. The main
+declaration forms are discussed below. There are some more sections
+not presented here, the full syntax can be found in
+\iflabelundefined{app:TheorySyntax}{an appendix of the {\it Reference
+ Manual}}{App.\ts\ref{app:TheorySyntax}}. Also note that
+object-logics may add further theory sections, for example
+\texttt{typedef}, \texttt{datatype} in HOL.
+
+All the declaration parts can be omitted or repeated and may appear in
+any order, except that the {\ML} section must be last (after the {\tt
+ end} keyword). In the simplest case, $T$ is just the union of
+$S@1$,~\ldots,~$S@n$. New theories always extend one or more other
+theories, inheriting their types, constants, syntax, etc. The theory
+\thydx{Pure} contains nothing but Isabelle's meta-logic. The variant
+\thydx{CPure} offers the more usual higher-order function application
+syntax $t\,u@1\ldots\,u@n$ instead of $t(u@1,\ldots,u@n)$ in Pure.
+
+Each theory definition must reside in a separate file, whose name is
+the theory's with {\tt.thy} appended. Calling
+\ttindexbold{use_thy}~{\tt"{\it T\/}"} reads the definition from {\it
+ T}{\tt.thy}, writes a corresponding file of {\ML} code {\tt.{\it
+ T}.thy.ML}, reads the latter file, and deletes it if no errors
+occurred. This declares the {\ML} structure~$T$, which contains a
+component \texttt{thy} denoting the new theory, a component for each
+rule, and everything declared in {\it ML code}.
+
+Errors may arise during the translation to {\ML} (say, a misspelled
+keyword) or during creation of the new theory (say, a type error in a
+rule). But if all goes well, \texttt{use_thy} will finally read the file
+{\it T}{\tt.ML} (if it exists). This file typically contains proofs
+that refer to the components of~$T$. The structure is automatically
+opened, so its components may be referred to by unqualified names,
+e.g.\ just \texttt{thy} instead of $T$\texttt{.thy}.
+
+\ttindexbold{use_thy} automatically loads a theory's parents before
+loading the theory itself. When a theory file is modified, many
+theories may have to be reloaded. Isabelle records the modification
+times and dependencies of theory files. See
+\iflabelundefined{sec:reloading-theories}{the {\em Reference Manual\/}}%
+ {\S\ref{sec:reloading-theories}}
+for more details.
+
+
+\subsection{Declaring constants, definitions and rules}
+\indexbold{constants!declaring}\index{rules!declaring}
+
+Most theories simply declare constants, definitions and rules. The {\bf
+ constant declaration part} has the form
+\begin{ttbox}
+consts \(c@1\) :: \(\tau@1\)
+ \vdots
+ \(c@n\) :: \(\tau@n\)
+\end{ttbox}
+where $c@1$, \ldots, $c@n$ are constants and $\tau@1$, \ldots, $\tau@n$ are
+types. The types must be enclosed in quotation marks if they contain
+user-declared infix type constructors like \texttt{*}. Each
+constant must be enclosed in quotation marks unless it is a valid
+identifier. To declare $c@1$, \ldots, $c@n$ as constants of type $\tau$,
+the $n$ declarations may be abbreviated to a single line:
+\begin{ttbox}
+ \(c@1\), \ldots, \(c@n\) :: \(\tau\)
+\end{ttbox}
+The {\bf rule declaration part} has the form
+\begin{ttbox}
+rules \(id@1\) "\(rule@1\)"
+ \vdots
+ \(id@n\) "\(rule@n\)"
+\end{ttbox}
+where $id@1$, \ldots, $id@n$ are \ML{} identifiers and $rule@1$, \ldots,
+$rule@n$ are expressions of type~$prop$. Each rule {\em must\/} be
+enclosed in quotation marks. Rules are simply axioms; they are
+called \emph{rules} because they are mainly used to specify the inference
+rules when defining a new logic.
+
+\indexbold{definitions} The {\bf definition part} is similar, but with
+the keyword \texttt{defs} instead of \texttt{rules}. {\bf Definitions} are
+rules of the form $s \equiv t$, and should serve only as
+abbreviations. The simplest form of a definition is $f \equiv t$,
+where $f$ is a constant. Also allowed are $\eta$-equivalent forms of
+this, where the arguments of~$f$ appear applied on the left-hand side
+of the equation instead of abstracted on the right-hand side.
+
+Isabelle checks for common errors in definitions, such as extra
+variables on the right-hand side and cyclic dependencies, that could
+least to inconsistency. It is still essential to take care:
+theorems proved on the basis of incorrect definitions are useless,
+your system can be consistent and yet still wrong.
+
+\index{examples!of theories} This example theory extends first-order
+logic by declaring and defining two constants, {\em nand} and {\em
+ xor}:
+\begin{ttbox}
+Gate = FOL +
+consts nand,xor :: [o,o] => o
+defs nand_def "nand(P,Q) == ~(P & Q)"
+ xor_def "xor(P,Q) == P & ~Q | ~P & Q"
+end
+\end{ttbox}
+
+Declaring and defining constants can be combined:
+\begin{ttbox}
+Gate = FOL +
+constdefs nand :: [o,o] => o
+ "nand(P,Q) == ~(P & Q)"
+ xor :: [o,o] => o
+ "xor(P,Q) == P & ~Q | ~P & Q"
+end
+\end{ttbox}
+\texttt{constdefs} generates the names \texttt{nand_def} and \texttt{xor_def}
+automatically, which is why it is restricted to alphanumeric identifiers. In
+general it has the form
+\begin{ttbox}
+constdefs \(id@1\) :: \(\tau@1\)
+ "\(id@1 \equiv \dots\)"
+ \vdots
+ \(id@n\) :: \(\tau@n\)
+ "\(id@n \equiv \dots\)"
+\end{ttbox}
+
+
+\begin{warn}
+A common mistake when writing definitions is to introduce extra free variables
+on the right-hand side as in the following fictitious definition:
+\begin{ttbox}
+defs prime_def "prime(p) == (m divides p) --> (m=1 | m=p)"
+\end{ttbox}
+Isabelle rejects this ``definition'' because of the extra \texttt{m} on the
+right-hand side, which would introduce an inconsistency. What you should have
+written is
+\begin{ttbox}
+defs prime_def "prime(p) == ALL m. (m divides p) --> (m=1 | m=p)"
+\end{ttbox}
+\end{warn}
+
+\subsection{Declaring type constructors}
+\indexbold{types!declaring}\indexbold{arities!declaring}
+%
+Types are composed of type variables and {\bf type constructors}. Each
+type constructor takes a fixed number of arguments. They are declared
+with an \ML-like syntax. If $list$ takes one type argument, $tree$ takes
+two arguments and $nat$ takes no arguments, then these type constructors
+can be declared by
+\begin{ttbox}
+types 'a list
+ ('a,'b) tree
+ nat
+\end{ttbox}
+
+The {\bf type declaration part} has the general form
+\begin{ttbox}
+types \(tids@1\) \(id@1\)
+ \vdots
+ \(tids@n\) \(id@n\)
+\end{ttbox}
+where $id@1$, \ldots, $id@n$ are identifiers and $tids@1$, \ldots, $tids@n$
+are type argument lists as shown in the example above. It declares each
+$id@i$ as a type constructor with the specified number of argument places.
+
+The {\bf arity declaration part} has the form
+\begin{ttbox}
+arities \(tycon@1\) :: \(arity@1\)
+ \vdots
+ \(tycon@n\) :: \(arity@n\)
+\end{ttbox}
+where $tycon@1$, \ldots, $tycon@n$ are identifiers and $arity@1$, \ldots,
+$arity@n$ are arities. Arity declarations add arities to existing
+types; they do not declare the types themselves.
+In the simplest case, for an 0-place type constructor, an arity is simply
+the type's class. Let us declare a type~$bool$ of class $term$, with
+constants $tt$ and~$ff$. (In first-order logic, booleans are
+distinct from formulae, which have type $o::logic$.)
+\index{examples!of theories}
+\begin{ttbox}
+Bool = FOL +
+types bool
+arities bool :: term
+consts tt,ff :: bool
+end
+\end{ttbox}
+A $k$-place type constructor may have arities of the form
+$(s@1,\ldots,s@k)c$, where $s@1,\ldots,s@n$ are sorts and $c$ is a class.
+Each sort specifies a type argument; it has the form $\{c@1,\ldots,c@m\}$,
+where $c@1$, \dots,~$c@m$ are classes. Mostly we deal with singleton
+sorts, and may abbreviate them by dropping the braces. The arity
+$(term)term$ is short for $(\{term\})term$. Recall the discussion in
+\S\ref{polymorphic}.
+
+A type constructor may be overloaded (subject to certain conditions) by
+appearing in several arity declarations. For instance, the function type
+constructor~$fun$ has the arity $(logic,logic)logic$; in higher-order
+logic, it is declared also to have arity $(term,term)term$.
+
+Theory \texttt{List} declares the 1-place type constructor $list$, gives
+it the arity $(term)term$, and declares constants $Nil$ and $Cons$ with
+polymorphic types:%
+\footnote{In the \texttt{consts} part, type variable {\tt'a} has the default
+ sort, which is \texttt{term}. See the {\em Reference Manual\/}
+\iflabelundefined{sec:ref-defining-theories}{}%
+{(\S\ref{sec:ref-defining-theories})} for more information.}
+\index{examples!of theories}
+\begin{ttbox}
+List = FOL +
+types 'a list
+arities list :: (term)term
+consts Nil :: 'a list
+ Cons :: ['a, 'a list] => 'a list
+end
+\end{ttbox}
+Multiple arity declarations may be abbreviated to a single line:
+\begin{ttbox}
+arities \(tycon@1\), \ldots, \(tycon@n\) :: \(arity\)
+\end{ttbox}
+
+%\begin{warn}
+%Arity declarations resemble constant declarations, but there are {\it no\/}
+%quotation marks! Types and rules must be quoted because the theory
+%translator passes them verbatim to the {\ML} output file.
+%\end{warn}
+
+\subsection{Type synonyms}\indexbold{type synonyms}
+Isabelle supports {\bf type synonyms} ({\bf abbreviations}) which are similar
+to those found in \ML. Such synonyms are defined in the type declaration part
+and are fairly self explanatory:
+\begin{ttbox}
+types gate = [o,o] => o
+ 'a pred = 'a => o
+ ('a,'b)nuf = 'b => 'a
+\end{ttbox}
+Type declarations and synonyms can be mixed arbitrarily:
+\begin{ttbox}
+types nat
+ 'a stream = nat => 'a
+ signal = nat stream
+ 'a list
+\end{ttbox}
+A synonym is merely an abbreviation for some existing type expression.
+Hence synonyms may not be recursive! Internally all synonyms are
+fully expanded. As a consequence Isabelle output never contains
+synonyms. Their main purpose is to improve the readability of theory
+definitions. Synonyms can be used just like any other type:
+\begin{ttbox}
+consts and,or :: gate
+ negate :: signal => signal
+\end{ttbox}
+
+\subsection{Infix and mixfix operators}
+\index{infixes}\index{examples!of theories}
+
+Infix or mixfix syntax may be attached to constants. Consider the
+following theory:
+\begin{ttbox}
+Gate2 = FOL +
+consts "~&" :: [o,o] => o (infixl 35)
+ "#" :: [o,o] => o (infixl 30)
+defs nand_def "P ~& Q == ~(P & Q)"
+ xor_def "P # Q == P & ~Q | ~P & Q"
+end
+\end{ttbox}
+The constant declaration part declares two left-associating infix operators
+with their priorities, or precedences; they are $\nand$ of priority~35 and
+$\xor$ of priority~30. Hence $P \xor Q \xor R$ is parsed as $(P\xor Q)
+\xor R$ and $P \xor Q \nand R$ as $P \xor (Q \nand R)$. Note the quotation
+marks in \verb|"~&"| and \verb|"#"|.
+
+The constants \hbox{\verb|op ~&|} and \hbox{\verb|op #|} are declared
+automatically, just as in \ML. Hence you may write propositions like
+\verb|op #(True) == op ~&(True)|, which asserts that the functions $\lambda
+Q.True \xor Q$ and $\lambda Q.True \nand Q$ are identical.
+
+\medskip Infix syntax and constant names may be also specified
+independently. For example, consider this version of $\nand$:
+\begin{ttbox}
+consts nand :: [o,o] => o (infixl "~&" 35)
+\end{ttbox}
+
+\bigskip\index{mixfix declarations}
+{\bf Mixfix} operators may have arbitrary context-free syntaxes. Let us
+add a line to the constant declaration part:
+\begin{ttbox}
+ If :: [o,o,o] => o ("if _ then _ else _")
+\end{ttbox}
+This declares a constant $If$ of type $[o,o,o] \To o$ with concrete syntax {\tt
+ if~$P$ then~$Q$ else~$R$} as well as \texttt{If($P$,$Q$,$R$)}. Underscores
+denote argument positions.
+
+The declaration above does not allow the \texttt{if}-\texttt{then}-{\tt
+ else} construct to be printed split across several lines, even if it
+is too long to fit on one line. Pretty-printing information can be
+added to specify the layout of mixfix operators. For details, see
+\iflabelundefined{Defining-Logics}%
+ {the {\it Reference Manual}, chapter `Defining Logics'}%
+ {Chap.\ts\ref{Defining-Logics}}.
+
+Mixfix declarations can be annotated with priorities, just like
+infixes. The example above is just a shorthand for
+\begin{ttbox}
+ If :: [o,o,o] => o ("if _ then _ else _" [0,0,0] 1000)
+\end{ttbox}
+The numeric components determine priorities. The list of integers
+defines, for each argument position, the minimal priority an expression
+at that position must have. The final integer is the priority of the
+construct itself. In the example above, any argument expression is
+acceptable because priorities are non-negative, and conditionals may
+appear everywhere because 1000 is the highest priority. On the other
+hand, the declaration
+\begin{ttbox}
+ If :: [o,o,o] => o ("if _ then _ else _" [100,0,0] 99)
+\end{ttbox}
+defines concrete syntax for a conditional whose first argument cannot have
+the form \texttt{if~$P$ then~$Q$ else~$R$} because it must have a priority
+of at least~100. We may of course write
+\begin{quote}\tt
+if (if $P$ then $Q$ else $R$) then $S$ else $T$
+\end{quote}
+because expressions in parentheses have maximal priority.
+
+Binary type constructors, like products and sums, may also be declared as
+infixes. The type declaration below introduces a type constructor~$*$ with
+infix notation $\alpha*\beta$, together with the mixfix notation
+${<}\_,\_{>}$ for pairs. We also see a rule declaration part.
+\index{examples!of theories}\index{mixfix declarations}
+\begin{ttbox}
+Prod = FOL +
+types ('a,'b) "*" (infixl 20)
+arities "*" :: (term,term)term
+consts fst :: "'a * 'b => 'a"
+ snd :: "'a * 'b => 'b"
+ Pair :: "['a,'b] => 'a * 'b" ("(1<_,/_>)")
+rules fst "fst(<a,b>) = a"
+ snd "snd(<a,b>) = b"
+end
+\end{ttbox}
+
+\begin{warn}
+ The name of the type constructor is~\texttt{*} and not \texttt{op~*}, as
+ it would be in the case of an infix constant. Only infix type
+ constructors can have symbolic names like~\texttt{*}. General mixfix
+ syntax for types may be introduced via appropriate \texttt{syntax}
+ declarations.
+\end{warn}
+
+
+\subsection{Overloading}
+\index{overloading}\index{examples!of theories}
+The {\bf class declaration part} has the form
+\begin{ttbox}
+classes \(id@1\) < \(c@1\)
+ \vdots
+ \(id@n\) < \(c@n\)
+\end{ttbox}
+where $id@1$, \ldots, $id@n$ are identifiers and $c@1$, \ldots, $c@n$ are
+existing classes. It declares each $id@i$ as a new class, a subclass
+of~$c@i$. In the general case, an identifier may be declared to be a
+subclass of $k$ existing classes:
+\begin{ttbox}
+ \(id\) < \(c@1\), \ldots, \(c@k\)
+\end{ttbox}
+Type classes allow constants to be overloaded. As suggested in
+\S\ref{polymorphic}, let us define the class $arith$ of arithmetic
+types with the constants ${+} :: [\alpha,\alpha]\To \alpha$ and $0,1 {::}
+\alpha$, for $\alpha{::}arith$. We introduce $arith$ as a subclass of
+$term$ and add the three polymorphic constants of this class.
+\index{examples!of theories}\index{constants!overloaded}
+\begin{ttbox}
+Arith = FOL +
+classes arith < term
+consts "0" :: 'a::arith ("0")
+ "1" :: 'a::arith ("1")
+ "+" :: ['a::arith,'a] => 'a (infixl 60)
+end
+\end{ttbox}
+No rules are declared for these constants: we merely introduce their
+names without specifying properties. On the other hand, classes
+with rules make it possible to prove {\bf generic} theorems. Such
+theorems hold for all instances, all types in that class.
+
+We can now obtain distinct versions of the constants of $arith$ by
+declaring certain types to be of class $arith$. For example, let us
+declare the 0-place type constructors $bool$ and $nat$:
+\index{examples!of theories}
+\begin{ttbox}
+BoolNat = Arith +
+types bool nat
+arities bool, nat :: arith
+consts Suc :: nat=>nat
+\ttbreak
+rules add0 "0 + n = n::nat"
+ addS "Suc(m)+n = Suc(m+n)"
+ nat1 "1 = Suc(0)"
+ or0l "0 + x = x::bool"
+ or0r "x + 0 = x::bool"
+ or1l "1 + x = 1::bool"
+ or1r "x + 1 = 1::bool"
+end
+\end{ttbox}
+Because $nat$ and $bool$ have class $arith$, we can use $0$, $1$ and $+$ at
+either type. The type constraints in the axioms are vital. Without
+constraints, the $x$ in $1+x = 1$ (axiom \texttt{or1l})
+would have type $\alpha{::}arith$
+and the axiom would hold for any type of class $arith$. This would
+collapse $nat$ to a trivial type:
+\[ Suc(1) = Suc(0+1) = Suc(0)+1 = 1+1 = 1! \]
+
+
+\section{Theory example: the natural numbers}
+
+We shall now work through a small example of formalized mathematics
+demonstrating many of the theory extension features.
+
+
+\subsection{Extending first-order logic with the natural numbers}
+\index{examples!of theories}
+
+Section\ts\ref{sec:logical-syntax} has formalized a first-order logic,
+including a type~$nat$ and the constants $0::nat$ and $Suc::nat\To nat$.
+Let us introduce the Peano axioms for mathematical induction and the
+freeness of $0$ and~$Suc$:\index{axioms!Peano}
+\[ \vcenter{\infer[(induct)]{P[n/x]}{P[0/x] & \infer*{P[Suc(x)/x]}{[P]}}}
+ \qquad \parbox{4.5cm}{provided $x$ is not free in any assumption except~$P$}
+\]
+\[ \infer[(Suc\_inject)]{m=n}{Suc(m)=Suc(n)} \qquad
+ \infer[(Suc\_neq\_0)]{R}{Suc(m)=0}
+\]
+Mathematical induction asserts that $P(n)$ is true, for any $n::nat$,
+provided $P(0)$ holds and that $P(x)$ implies $P(Suc(x))$ for all~$x$.
+Some authors express the induction step as $\forall x. P(x)\imp P(Suc(x))$.
+To avoid making induction require the presence of other connectives, we
+formalize mathematical induction as
+$$ \List{P(0); \Forall x. P(x)\Imp P(Suc(x))} \Imp P(n). \eqno(induct) $$
+
+\noindent
+Similarly, to avoid expressing the other rules using~$\forall$, $\imp$
+and~$\neg$, we take advantage of the meta-logic;\footnote
+{On the other hand, the axioms $Suc(m)=Suc(n) \bimp m=n$
+and $\neg(Suc(m)=0)$ are logically equivalent to those given, and work
+better with Isabelle's simplifier.}
+$(Suc\_neq\_0)$ is
+an elimination rule for $Suc(m)=0$:
+$$ Suc(m)=Suc(n) \Imp m=n \eqno(Suc\_inject) $$
+$$ Suc(m)=0 \Imp R \eqno(Suc\_neq\_0) $$
+
+\noindent
+We shall also define a primitive recursion operator, $rec$. Traditionally,
+primitive recursion takes a natural number~$a$ and a 2-place function~$f$,
+and obeys the equations
+\begin{eqnarray*}
+ rec(0,a,f) & = & a \\
+ rec(Suc(m),a,f) & = & f(m, rec(m,a,f))
+\end{eqnarray*}
+Addition, defined by $m+n \equiv rec(m,n,\lambda x\,y.Suc(y))$,
+should satisfy
+\begin{eqnarray*}
+ 0+n & = & n \\
+ Suc(m)+n & = & Suc(m+n)
+\end{eqnarray*}
+Primitive recursion appears to pose difficulties: first-order logic has no
+function-valued expressions. We again take advantage of the meta-logic,
+which does have functions. We also generalise primitive recursion to be
+polymorphic over any type of class~$term$, and declare the addition
+function:
+\begin{eqnarray*}
+ rec & :: & [nat, \alpha{::}term, [nat,\alpha]\To\alpha] \To\alpha \\
+ + & :: & [nat,nat]\To nat
+\end{eqnarray*}
+
+
+\subsection{Declaring the theory to Isabelle}
+\index{examples!of theories}
+Let us create the theory \thydx{Nat} starting from theory~\verb$FOL$,
+which contains only classical logic with no natural numbers. We declare
+the 0-place type constructor $nat$ and the associated constants. Note that
+the constant~0 requires a mixfix annotation because~0 is not a legal
+identifier, and could not otherwise be written in terms:
+\begin{ttbox}\index{mixfix declarations}
+Nat = FOL +
+types nat
+arities nat :: term
+consts "0" :: nat ("0")
+ Suc :: nat=>nat
+ rec :: [nat, 'a, [nat,'a]=>'a] => 'a
+ "+" :: [nat, nat] => nat (infixl 60)
+rules Suc_inject "Suc(m)=Suc(n) ==> m=n"
+ Suc_neq_0 "Suc(m)=0 ==> R"
+ induct "[| P(0); !!x. P(x) ==> P(Suc(x)) |] ==> P(n)"
+ rec_0 "rec(0,a,f) = a"
+ rec_Suc "rec(Suc(m), a, f) = f(m, rec(m,a,f))"
+ add_def "m+n == rec(m, n, \%x y. Suc(y))"
+end
+\end{ttbox}
+In axiom \texttt{add_def}, recall that \verb|%| stands for~$\lambda$.
+Loading this theory file creates the \ML\ structure \texttt{Nat}, which
+contains the theory and axioms.
+
+\subsection{Proving some recursion equations}
+Theory \texttt{FOL/ex/Nat} contains proofs involving this theory of the
+natural numbers. As a trivial example, let us derive recursion equations
+for \verb$+$. Here is the zero case:
+\begin{ttbox}
+Goalw [add_def] "0+n = n";
+{\out Level 0}
+{\out 0 + n = n}
+{\out 1. rec(0,n,\%x y. Suc(y)) = n}
+\ttbreak
+by (resolve_tac [rec_0] 1);
+{\out Level 1}
+{\out 0 + n = n}
+{\out No subgoals!}
+qed "add_0";
+\end{ttbox}
+And here is the successor case:
+\begin{ttbox}
+Goalw [add_def] "Suc(m)+n = Suc(m+n)";
+{\out Level 0}
+{\out Suc(m) + n = Suc(m + n)}
+{\out 1. rec(Suc(m),n,\%x y. Suc(y)) = Suc(rec(m,n,\%x y. Suc(y)))}
+\ttbreak
+by (resolve_tac [rec_Suc] 1);
+{\out Level 1}
+{\out Suc(m) + n = Suc(m + n)}
+{\out No subgoals!}
+qed "add_Suc";
+\end{ttbox}
+The induction rule raises some complications, which are discussed next.
+\index{theories!defining|)}
+
+
+\section{Refinement with explicit instantiation}
+\index{resolution!with instantiation}
+\index{instantiation|(}
+
+In order to employ mathematical induction, we need to refine a subgoal by
+the rule~$(induct)$. The conclusion of this rule is $\Var{P}(\Var{n})$,
+which is highly ambiguous in higher-order unification. It matches every
+way that a formula can be regarded as depending on a subterm of type~$nat$.
+To get round this problem, we could make the induction rule conclude
+$\forall n.\Var{P}(n)$ --- but putting a subgoal into this form requires
+refinement by~$(\forall E)$, which is equally hard!
+
+The tactic \texttt{res_inst_tac}, like \texttt{resolve_tac}, refines a subgoal by
+a rule. But it also accepts explicit instantiations for the rule's
+schematic variables.
+\begin{description}
+\item[\ttindex{res_inst_tac} {\it insts} {\it thm} {\it i}]
+instantiates the rule {\it thm} with the instantiations {\it insts}, and
+then performs resolution on subgoal~$i$.
+
+\item[\ttindex{eres_inst_tac}]
+and \ttindex{dres_inst_tac} are similar, but perform elim-resolution
+and destruct-resolution, respectively.
+\end{description}
+The list {\it insts} consists of pairs $[(v@1,e@1), \ldots, (v@n,e@n)]$,
+where $v@1$, \ldots, $v@n$ are names of schematic variables in the rule ---
+with no leading question marks! --- and $e@1$, \ldots, $e@n$ are
+expressions giving their instantiations. The expressions are type-checked
+in the context of a particular subgoal: free variables receive the same
+types as they have in the subgoal, and parameters may appear. Type
+variable instantiations may appear in~{\it insts}, but they are seldom
+required: \texttt{res_inst_tac} instantiates type variables automatically
+whenever the type of~$e@i$ is an instance of the type of~$\Var{v@i}$.
+
+\subsection{A simple proof by induction}
+\index{examples!of induction}
+Let us prove that no natural number~$k$ equals its own successor. To
+use~$(induct)$, we instantiate~$\Var{n}$ to~$k$; Isabelle finds a good
+instantiation for~$\Var{P}$.
+\begin{ttbox}
+Goal "~ (Suc(k) = k)";
+{\out Level 0}
+{\out Suc(k) ~= k}
+{\out 1. Suc(k) ~= k}
+\ttbreak
+by (res_inst_tac [("n","k")] induct 1);
+{\out Level 1}
+{\out Suc(k) ~= k}
+{\out 1. Suc(0) ~= 0}
+{\out 2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
+\end{ttbox}
+We should check that Isabelle has correctly applied induction. Subgoal~1
+is the base case, with $k$ replaced by~0. Subgoal~2 is the inductive step,
+with $k$ replaced by~$Suc(x)$ and with an induction hypothesis for~$x$.
+The rest of the proof demonstrates~\tdx{notI}, \tdx{notE} and the
+other rules of theory \texttt{Nat}. The base case holds by~\ttindex{Suc_neq_0}:
+\begin{ttbox}
+by (resolve_tac [notI] 1);
+{\out Level 2}
+{\out Suc(k) ~= k}
+{\out 1. Suc(0) = 0 ==> False}
+{\out 2. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
+\ttbreak
+by (eresolve_tac [Suc_neq_0] 1);
+{\out Level 3}
+{\out Suc(k) ~= k}
+{\out 1. !!x. Suc(x) ~= x ==> Suc(Suc(x)) ~= Suc(x)}
+\end{ttbox}
+The inductive step holds by the contrapositive of~\ttindex{Suc_inject}.
+Negation rules transform the subgoal into that of proving $Suc(x)=x$ from
+$Suc(Suc(x)) = Suc(x)$:
+\begin{ttbox}
+by (resolve_tac [notI] 1);
+{\out Level 4}
+{\out Suc(k) ~= k}
+{\out 1. !!x. [| Suc(x) ~= x; Suc(Suc(x)) = Suc(x) |] ==> False}
+\ttbreak
+by (eresolve_tac [notE] 1);
+{\out Level 5}
+{\out Suc(k) ~= k}
+{\out 1. !!x. Suc(Suc(x)) = Suc(x) ==> Suc(x) = x}
+\ttbreak
+by (eresolve_tac [Suc_inject] 1);
+{\out Level 6}
+{\out Suc(k) ~= k}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\subsection{An example of ambiguity in \texttt{resolve_tac}}
+\index{examples!of induction}\index{unification!higher-order}
+If you try the example above, you may observe that \texttt{res_inst_tac} is
+not actually needed. Almost by chance, \ttindex{resolve_tac} finds the right
+instantiation for~$(induct)$ to yield the desired next state. With more
+complex formulae, our luck fails.
+\begin{ttbox}
+Goal "(k+m)+n = k+(m+n)";
+{\out Level 0}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + n = k + (m + n)}
+\ttbreak
+by (resolve_tac [induct] 1);
+{\out Level 1}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + n = 0}
+{\out 2. !!x. k + m + n = x ==> k + m + n = Suc(x)}
+\end{ttbox}
+This proof requires induction on~$k$. The occurrence of~0 in subgoal~1
+indicates that induction has been applied to the term~$k+(m+n)$; this
+application is sound but will not lead to a proof here. Fortunately,
+Isabelle can (lazily!) generate all the valid applications of induction.
+The \ttindex{back} command causes backtracking to an alternative outcome of
+the tactic.
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + n = k + 0}
+{\out 2. !!x. k + m + n = k + x ==> k + m + n = k + Suc(x)}
+\end{ttbox}
+Now induction has been applied to~$m+n$. This is equally useless. Let us
+call \ttindex{back} again.
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + 0 = k + (m + 0)}
+{\out 2. !!x. k + m + x = k + (m + x) ==>}
+{\out k + m + Suc(x) = k + (m + Suc(x))}
+\end{ttbox}
+Now induction has been applied to~$n$. What is the next alternative?
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + n = k + (m + 0)}
+{\out 2. !!x. k + m + n = k + (m + x) ==> k + m + n = k + (m + Suc(x))}
+\end{ttbox}
+Inspecting subgoal~1 reveals that induction has been applied to just the
+second occurrence of~$n$. This perfectly legitimate induction is useless
+here.
+
+The main goal admits fourteen different applications of induction. The
+number is exponential in the size of the formula.
+
+\subsection{Proving that addition is associative}
+Let us invoke the induction rule properly, using~{\tt
+ res_inst_tac}. At the same time, we shall have a glimpse at Isabelle's
+simplification tactics, which are described in
+\iflabelundefined{simp-chap}%
+ {the {\em Reference Manual}}{Chap.\ts\ref{simp-chap}}.
+
+\index{simplification}\index{examples!of simplification}
+
+Isabelle's simplification tactics repeatedly apply equations to a subgoal,
+perhaps proving it. For efficiency, the rewrite rules must be packaged into a
+{\bf simplification set},\index{simplification sets} or {\bf simpset}. We
+augment the implicit simpset of FOL with the equations proved in the previous
+section, namely $0+n=n$ and $\texttt{Suc}(m)+n=\texttt{Suc}(m+n)$:
+\begin{ttbox}
+Addsimps [add_0, add_Suc];
+\end{ttbox}
+We state the goal for associativity of addition, and
+use \ttindex{res_inst_tac} to invoke induction on~$k$:
+\begin{ttbox}
+Goal "(k+m)+n = k+(m+n)";
+{\out Level 0}
+{\out k + m + n = k + (m + n)}
+{\out 1. k + m + n = k + (m + n)}
+\ttbreak
+by (res_inst_tac [("n","k")] induct 1);
+{\out Level 1}
+{\out k + m + n = k + (m + n)}
+{\out 1. 0 + m + n = 0 + (m + n)}
+{\out 2. !!x. x + m + n = x + (m + n) ==>}
+{\out Suc(x) + m + n = Suc(x) + (m + n)}
+\end{ttbox}
+The base case holds easily; both sides reduce to $m+n$. The
+tactic~\ttindex{Simp_tac} rewrites with respect to the current
+simplification set, applying the rewrite rules for addition:
+\begin{ttbox}
+by (Simp_tac 1);
+{\out Level 2}
+{\out k + m + n = k + (m + n)}
+{\out 1. !!x. x + m + n = x + (m + n) ==>}
+{\out Suc(x) + m + n = Suc(x) + (m + n)}
+\end{ttbox}
+The inductive step requires rewriting by the equations for addition
+and with the induction hypothesis, which is also an equation. The
+tactic~\ttindex{Asm_simp_tac} rewrites using the implicit
+simplification set and any useful assumptions:
+\begin{ttbox}
+by (Asm_simp_tac 1);
+{\out Level 3}
+{\out k + m + n = k + (m + n)}
+{\out No subgoals!}
+\end{ttbox}
+\index{instantiation|)}
+
+
+\section{A Prolog interpreter}
+\index{Prolog interpreter|bold}
+To demonstrate the power of tacticals, let us construct a Prolog
+interpreter and execute programs involving lists.\footnote{To run these
+examples, see the file \texttt{FOL/ex/Prolog.ML}.} The Prolog program
+consists of a theory. We declare a type constructor for lists, with an
+arity declaration to say that $(\tau)list$ is of class~$term$
+provided~$\tau$ is:
+\begin{eqnarray*}
+ list & :: & (term)term
+\end{eqnarray*}
+We declare four constants: the empty list~$Nil$; the infix list
+constructor~{:}; the list concatenation predicate~$app$; the list reverse
+predicate~$rev$. (In Prolog, functions on lists are expressed as
+predicates.)
+\begin{eqnarray*}
+ Nil & :: & \alpha list \\
+ {:} & :: & [\alpha,\alpha list] \To \alpha list \\
+ app & :: & [\alpha list,\alpha list,\alpha list] \To o \\
+ rev & :: & [\alpha list,\alpha list] \To o
+\end{eqnarray*}
+The predicate $app$ should satisfy the Prolog-style rules
+\[ {app(Nil,ys,ys)} \qquad
+ {app(xs,ys,zs) \over app(x:xs, ys, x:zs)} \]
+We define the naive version of $rev$, which calls~$app$:
+\[ {rev(Nil,Nil)} \qquad
+ {rev(xs,ys)\quad app(ys, x:Nil, zs) \over
+ rev(x:xs, zs)}
+\]
+
+\index{examples!of theories}
+Theory \thydx{Prolog} extends first-order logic in order to make use
+of the class~$term$ and the type~$o$. The interpreter does not use the
+rules of~\texttt{FOL}.
+\begin{ttbox}
+Prolog = FOL +
+types 'a list
+arities list :: (term)term
+consts Nil :: 'a list
+ ":" :: ['a, 'a list]=> 'a list (infixr 60)
+ app :: ['a list, 'a list, 'a list] => o
+ rev :: ['a list, 'a list] => o
+rules appNil "app(Nil,ys,ys)"
+ appCons "app(xs,ys,zs) ==> app(x:xs, ys, x:zs)"
+ revNil "rev(Nil,Nil)"
+ revCons "[| rev(xs,ys); app(ys,x:Nil,zs) |] ==> rev(x:xs,zs)"
+end
+\end{ttbox}
+\subsection{Simple executions}
+Repeated application of the rules solves Prolog goals. Let us
+append the lists $[a,b,c]$ and~$[d,e]$. As the rules are applied, the
+answer builds up in~\texttt{?x}.
+\begin{ttbox}
+Goal "app(a:b:c:Nil, d:e:Nil, ?x)";
+{\out Level 0}
+{\out app(a : b : c : Nil, d : e : Nil, ?x)}
+{\out 1. app(a : b : c : Nil, d : e : Nil, ?x)}
+\ttbreak
+by (resolve_tac [appNil,appCons] 1);
+{\out Level 1}
+{\out app(a : b : c : Nil, d : e : Nil, a : ?zs1)}
+{\out 1. app(b : c : Nil, d : e : Nil, ?zs1)}
+\ttbreak
+by (resolve_tac [appNil,appCons] 1);
+{\out Level 2}
+{\out app(a : b : c : Nil, d : e : Nil, a : b : ?zs2)}
+{\out 1. app(c : Nil, d : e : Nil, ?zs2)}
+\end{ttbox}
+At this point, the first two elements of the result are~$a$ and~$b$.
+\begin{ttbox}
+by (resolve_tac [appNil,appCons] 1);
+{\out Level 3}
+{\out app(a : b : c : Nil, d : e : Nil, a : b : c : ?zs3)}
+{\out 1. app(Nil, d : e : Nil, ?zs3)}
+\ttbreak
+by (resolve_tac [appNil,appCons] 1);
+{\out Level 4}
+{\out app(a : b : c : Nil, d : e : Nil, a : b : c : d : e : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+
+Prolog can run functions backwards. Which list can be appended
+with $[c,d]$ to produce $[a,b,c,d]$?
+Using \ttindex{REPEAT}, we find the answer at once, $[a,b]$:
+\begin{ttbox}
+Goal "app(?x, c:d:Nil, a:b:c:d:Nil)";
+{\out Level 0}
+{\out app(?x, c : d : Nil, a : b : c : d : Nil)}
+{\out 1. app(?x, c : d : Nil, a : b : c : d : Nil)}
+\ttbreak
+by (REPEAT (resolve_tac [appNil,appCons] 1));
+{\out Level 1}
+{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\subsection{Backtracking}\index{backtracking!Prolog style}
+Prolog backtracking can answer questions that have multiple solutions.
+Which lists $x$ and $y$ can be appended to form the list $[a,b,c,d]$? This
+question has five solutions. Using \ttindex{REPEAT} to apply the rules, we
+quickly find the first solution, namely $x=[]$ and $y=[a,b,c,d]$:
+\begin{ttbox}
+Goal "app(?x, ?y, a:b:c:d:Nil)";
+{\out Level 0}
+{\out app(?x, ?y, a : b : c : d : Nil)}
+{\out 1. app(?x, ?y, a : b : c : d : Nil)}
+\ttbreak
+by (REPEAT (resolve_tac [appNil,appCons] 1));
+{\out Level 1}
+{\out app(Nil, a : b : c : d : Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+Isabelle can lazily generate all the possibilities. The \ttindex{back}
+command returns the tactic's next outcome, namely $x=[a]$ and $y=[b,c,d]$:
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out app(a : Nil, b : c : d : Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+The other solutions are generated similarly.
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out app(a : b : Nil, c : d : Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\ttbreak
+back();
+{\out Level 1}
+{\out app(a : b : c : Nil, d : Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\ttbreak
+back();
+{\out Level 1}
+{\out app(a : b : c : d : Nil, Nil, a : b : c : d : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\subsection{Depth-first search}
+\index{search!depth-first}
+Now let us try $rev$, reversing a list.
+Bundle the rules together as the \ML{} identifier \texttt{rules}. Naive
+reverse requires 120 inferences for this 14-element list, but the tactic
+terminates in a few seconds.
+\begin{ttbox}
+Goal "rev(a:b:c:d:e:f:g:h:i:j:k:l:m:n:Nil, ?w)";
+{\out Level 0}
+{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil, ?w)}
+{\out 1. rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
+{\out ?w)}
+\ttbreak
+val rules = [appNil,appCons,revNil,revCons];
+\ttbreak
+by (REPEAT (resolve_tac rules 1));
+{\out Level 1}
+{\out rev(a : b : c : d : e : f : g : h : i : j : k : l : m : n : Nil,}
+{\out n : m : l : k : j : i : h : g : f : e : d : c : b : a : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+We may execute $rev$ backwards. This, too, should reverse a list. What
+is the reverse of $[a,b,c]$?
+\begin{ttbox}
+Goal "rev(?x, a:b:c:Nil)";
+{\out Level 0}
+{\out rev(?x, a : b : c : Nil)}
+{\out 1. rev(?x, a : b : c : Nil)}
+\ttbreak
+by (REPEAT (resolve_tac rules 1));
+{\out Level 1}
+{\out rev(?x1 : Nil, a : b : c : Nil)}
+{\out 1. app(Nil, ?x1 : Nil, a : b : c : Nil)}
+\end{ttbox}
+The tactic has failed to find a solution! It reached a dead end at
+subgoal~1: there is no~$\Var{x@1}$ such that [] appended with~$[\Var{x@1}]$
+equals~$[a,b,c]$. Backtracking explores other outcomes.
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out rev(?x1 : a : Nil, a : b : c : Nil)}
+{\out 1. app(Nil, ?x1 : Nil, b : c : Nil)}
+\end{ttbox}
+This too is a dead end, but the next outcome is successful.
+\begin{ttbox}
+back();
+{\out Level 1}
+{\out rev(c : b : a : Nil, a : b : c : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+\ttindex{REPEAT} goes wrong because it is only a repetition tactical, not a
+search tactical. \texttt{REPEAT} stops when it cannot continue, regardless of
+which state is reached. The tactical \ttindex{DEPTH_FIRST} searches for a
+satisfactory state, as specified by an \ML{} predicate. Below,
+\ttindex{has_fewer_prems} specifies that the proof state should have no
+subgoals.
+\begin{ttbox}
+val prolog_tac = DEPTH_FIRST (has_fewer_prems 1)
+ (resolve_tac rules 1);
+\end{ttbox}
+Since Prolog uses depth-first search, this tactic is a (slow!)
+Prolog interpreter. We return to the start of the proof using
+\ttindex{choplev}, and apply \texttt{prolog_tac}:
+\begin{ttbox}
+choplev 0;
+{\out Level 0}
+{\out rev(?x, a : b : c : Nil)}
+{\out 1. rev(?x, a : b : c : Nil)}
+\ttbreak
+by prolog_tac;
+{\out Level 1}
+{\out rev(c : b : a : Nil, a : b : c : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+Let us try \texttt{prolog_tac} on one more example, containing four unknowns:
+\begin{ttbox}
+Goal "rev(a:?x:c:?y:Nil, d:?z:b:?u)";
+{\out Level 0}
+{\out rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
+{\out 1. rev(a : ?x : c : ?y : Nil, d : ?z : b : ?u)}
+\ttbreak
+by prolog_tac;
+{\out Level 1}
+{\out rev(a : b : c : d : Nil, d : c : b : a : Nil)}
+{\out No subgoals!}
+\end{ttbox}
+Although Isabelle is much slower than a Prolog system, Isabelle
+tactics can exploit logic programming techniques.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Intro/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle.pdf ""
+"$ISABELLE_TOOL" logo -o isabelle.eps ""
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Intro/document/foundations.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1178 @@
+\part{Foundations}
+The following sections discuss Isabelle's logical foundations in detail:
+representing logical syntax in the typed $\lambda$-calculus; expressing
+inference rules in Isabelle's meta-logic; combining rules by resolution.
+
+If you wish to use Isabelle immediately, please turn to
+page~\pageref{chap:getting}. You can always read about foundations later,
+either by returning to this point or by looking up particular items in the
+index.
+
+\begin{figure}
+\begin{eqnarray*}
+ \neg P & \hbox{abbreviates} & P\imp\bot \\
+ P\bimp Q & \hbox{abbreviates} & (P\imp Q) \conj (Q\imp P)
+\end{eqnarray*}
+\vskip 4ex
+
+\(\begin{array}{c@{\qquad\qquad}c}
+ \infer[({\conj}I)]{P\conj Q}{P & Q} &
+ \infer[({\conj}E1)]{P}{P\conj Q} \qquad
+ \infer[({\conj}E2)]{Q}{P\conj Q} \\[4ex]
+
+ \infer[({\disj}I1)]{P\disj Q}{P} \qquad
+ \infer[({\disj}I2)]{P\disj Q}{Q} &
+ \infer[({\disj}E)]{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}}\\[4ex]
+
+ \infer[({\imp}I)]{P\imp Q}{\infer*{Q}{[P]}} &
+ \infer[({\imp}E)]{Q}{P\imp Q & P} \\[4ex]
+
+ &
+ \infer[({\bot}E)]{P}{\bot}\\[4ex]
+
+ \infer[({\forall}I)*]{\forall x.P}{P} &
+ \infer[({\forall}E)]{P[t/x]}{\forall x.P} \\[3ex]
+
+ \infer[({\exists}I)]{\exists x.P}{P[t/x]} &
+ \infer[({\exists}E)*]{Q}{{\exists x.P} & \infer*{Q}{[P]} } \\[3ex]
+
+ {t=t} \,(refl) & \vcenter{\infer[(subst)]{P[u/x]}{t=u & P[t/x]}}
+\end{array} \)
+
+\bigskip\bigskip
+*{\em Eigenvariable conditions\/}:
+
+$\forall I$: provided $x$ is not free in the assumptions
+
+$\exists E$: provided $x$ is not free in $Q$ or any assumption except $P$
+\caption{Intuitionistic first-order logic} \label{fol-fig}
+\end{figure}
+
+\section{Formalizing logical syntax in Isabelle}\label{sec:logical-syntax}
+\index{first-order logic}
+
+Figure~\ref{fol-fig} presents intuitionistic first-order logic,
+including equality. Let us see how to formalize
+this logic in Isabelle, illustrating the main features of Isabelle's
+polymorphic meta-logic.
+
+\index{lambda calc@$\lambda$-calculus}
+Isabelle represents syntax using the simply typed $\lambda$-calculus. We
+declare a type for each syntactic category of the logic. We declare a
+constant for each symbol of the logic, giving each $n$-place operation an
+$n$-argument curried function type. Most importantly,
+$\lambda$-abstraction represents variable binding in quantifiers.
+
+\index{types!syntax of}\index{types!function}\index{*fun type}
+\index{type constructors}
+Isabelle has \ML-style polymorphic types such as~$(\alpha)list$, where
+$list$ is a type constructor and $\alpha$ is a type variable; for example,
+$(bool)list$ is the type of lists of booleans. Function types have the
+form $(\sigma,\tau)fun$ or $\sigma\To\tau$, where $\sigma$ and $\tau$ are
+types. Curried function types may be abbreviated:
+\[ \sigma@1\To (\cdots \sigma@n\To \tau\cdots) \quad \hbox{as} \quad
+[\sigma@1, \ldots, \sigma@n] \To \tau \]
+
+\index{terms!syntax of} The syntax for terms is summarised below.
+Note that there are two versions of function application syntax
+available in Isabelle: either $t\,u$, which is the usual form for
+higher-order languages, or $t(u)$, trying to look more like
+first-order. The latter syntax is used throughout the manual.
+\[
+\index{lambda abs@$\lambda$-abstractions}\index{function applications}
+\begin{array}{ll}
+ t :: \tau & \hbox{type constraint, on a term or bound variable} \\
+ \lambda x.t & \hbox{abstraction} \\
+ \lambda x@1\ldots x@n.t
+ & \hbox{curried abstraction, $\lambda x@1. \ldots \lambda x@n.t$} \\
+ t(u) & \hbox{application} \\
+ t (u@1, \ldots, u@n) & \hbox{curried application, $t(u@1)\ldots(u@n)$}
+\end{array}
+\]
+
+
+\subsection{Simple types and constants}\index{types!simple|bold}
+
+The syntactic categories of our logic (Fig.\ts\ref{fol-fig}) are {\bf
+ formulae} and {\bf terms}. Formulae denote truth values, so (following
+tradition) let us call their type~$o$. To allow~0 and~$Suc(t)$ as terms,
+let us declare a type~$nat$ of natural numbers. Later, we shall see
+how to admit terms of other types.
+
+\index{constants}\index{*nat type}\index{*o type}
+After declaring the types~$o$ and~$nat$, we may declare constants for the
+symbols of our logic. Since $\bot$ denotes a truth value (falsity) and 0
+denotes a number, we put \begin{eqnarray*}
+ \bot & :: & o \\
+ 0 & :: & nat.
+\end{eqnarray*}
+If a symbol requires operands, the corresponding constant must have a
+function type. In our logic, the successor function
+($Suc$) is from natural numbers to natural numbers, negation ($\neg$) is a
+function from truth values to truth values, and the binary connectives are
+curried functions taking two truth values as arguments:
+\begin{eqnarray*}
+ Suc & :: & nat\To nat \\
+ {\neg} & :: & o\To o \\
+ \conj,\disj,\imp,\bimp & :: & [o,o]\To o
+\end{eqnarray*}
+The binary connectives can be declared as infixes, with appropriate
+precedences, so that we write $P\conj Q\disj R$ instead of
+$\disj(\conj(P,Q), R)$.
+
+Section~\ref{sec:defining-theories} below describes the syntax of Isabelle
+theory files and illustrates it by extending our logic with mathematical
+induction.
+
+
+\subsection{Polymorphic types and constants} \label{polymorphic}
+\index{types!polymorphic|bold}
+\index{equality!polymorphic}
+\index{constants!polymorphic}
+
+Which type should we assign to the equality symbol? If we tried
+$[nat,nat]\To o$, then equality would be restricted to the natural
+numbers; we should have to declare different equality symbols for each
+type. Isabelle's type system is polymorphic, so we could declare
+\begin{eqnarray*}
+ {=} & :: & [\alpha,\alpha]\To o,
+\end{eqnarray*}
+where the type variable~$\alpha$ ranges over all types.
+But this is also wrong. The declaration is too polymorphic; $\alpha$
+includes types like~$o$ and $nat\To nat$. Thus, it admits
+$\bot=\neg(\bot)$ and $Suc=Suc$ as formulae, which is acceptable in
+higher-order logic but not in first-order logic.
+
+Isabelle's {\bf type classes}\index{classes} control
+polymorphism~\cite{nipkow-prehofer}. Each type variable belongs to a
+class, which denotes a set of types. Classes are partially ordered by the
+subclass relation, which is essentially the subset relation on the sets of
+types. They closely resemble the classes of the functional language
+Haskell~\cite{haskell-tutorial,haskell-report}.
+
+\index{*logic class}\index{*term class}
+Isabelle provides the built-in class $logic$, which consists of the logical
+types: the ones we want to reason about. Let us declare a class $term$, to
+consist of all legal types of terms in our logic. The subclass structure
+is now $term\le logic$.
+
+\index{*nat type}
+We put $nat$ in class $term$ by declaring $nat{::}term$. We declare the
+equality constant by
+\begin{eqnarray*}
+ {=} & :: & [\alpha{::}term,\alpha]\To o
+\end{eqnarray*}
+where $\alpha{::}term$ constrains the type variable~$\alpha$ to class
+$term$. Such type variables resemble Standard~\ML's equality type
+variables.
+
+We give~$o$ and function types the class $logic$ rather than~$term$, since
+they are not legal types for terms. We may introduce new types of class
+$term$ --- for instance, type $string$ or $real$ --- at any time. We can
+even declare type constructors such as~$list$, and state that type
+$(\tau)list$ belongs to class~$term$ provided $\tau$ does; equality
+applies to lists of natural numbers but not to lists of formulae. We may
+summarize this paragraph by a set of {\bf arity declarations} for type
+constructors:\index{arities!declaring}
+\begin{eqnarray*}\index{*o type}\index{*fun type}
+ o & :: & logic \\
+ fun & :: & (logic,logic)logic \\
+ nat, string, real & :: & term \\
+ list & :: & (term)term
+\end{eqnarray*}
+(Recall that $fun$ is the type constructor for function types.)
+In \rmindex{higher-order logic}, equality does apply to truth values and
+functions; this requires the arity declarations ${o::term}$
+and ${fun::(term,term)term}$. The class system can also handle
+overloading.\index{overloading|bold} We could declare $arith$ to be the
+subclass of $term$ consisting of the `arithmetic' types, such as~$nat$.
+Then we could declare the operators
+\begin{eqnarray*}
+ {+},{-},{\times},{/} & :: & [\alpha{::}arith,\alpha]\To \alpha
+\end{eqnarray*}
+If we declare new types $real$ and $complex$ of class $arith$, then we
+in effect have three sets of operators:
+\begin{eqnarray*}
+ {+},{-},{\times},{/} & :: & [nat,nat]\To nat \\
+ {+},{-},{\times},{/} & :: & [real,real]\To real \\
+ {+},{-},{\times},{/} & :: & [complex,complex]\To complex
+\end{eqnarray*}
+Isabelle will regard these as distinct constants, each of which can be defined
+separately. We could even introduce the type $(\alpha)vector$ and declare
+its arity as $(arith)arith$. Then we could declare the constant
+\begin{eqnarray*}
+ {+} & :: & [(\alpha)vector,(\alpha)vector]\To (\alpha)vector
+\end{eqnarray*}
+and specify it in terms of ${+} :: [\alpha,\alpha]\To \alpha$.
+
+A type variable may belong to any finite number of classes. Suppose that
+we had declared yet another class $ord \le term$, the class of all
+`ordered' types, and a constant
+\begin{eqnarray*}
+ {\le} & :: & [\alpha{::}ord,\alpha]\To o.
+\end{eqnarray*}
+In this context the variable $x$ in $x \le (x+x)$ will be assigned type
+$\alpha{::}\{arith,ord\}$, which means $\alpha$ belongs to both $arith$ and
+$ord$. Semantically the set $\{arith,ord\}$ should be understood as the
+intersection of the sets of types represented by $arith$ and $ord$. Such
+intersections of classes are called \bfindex{sorts}. The empty
+intersection of classes, $\{\}$, contains all types and is thus the {\bf
+ universal sort}.
+
+Even with overloading, each term has a unique, most general type. For this
+to be possible, the class and type declarations must satisfy certain
+technical constraints; see
+\iflabelundefined{sec:ref-defining-theories}%
+ {Sect.\ Defining Theories in the {\em Reference Manual}}%
+ {\S\ref{sec:ref-defining-theories}}.
+
+
+\subsection{Higher types and quantifiers}
+\index{types!higher|bold}\index{quantifiers}
+Quantifiers are regarded as operations upon functions. Ignoring polymorphism
+for the moment, consider the formula $\forall x. P(x)$, where $x$ ranges
+over type~$nat$. This is true if $P(x)$ is true for all~$x$. Abstracting
+$P(x)$ into a function, this is the same as saying that $\lambda x.P(x)$
+returns true for all arguments. Thus, the universal quantifier can be
+represented by a constant
+\begin{eqnarray*}
+ \forall & :: & (nat\To o) \To o,
+\end{eqnarray*}
+which is essentially an infinitary truth table. The representation of $\forall
+x. P(x)$ is $\forall(\lambda x. P(x))$.
+
+The existential quantifier is treated
+in the same way. Other binding operators are also easily handled; for
+instance, the summation operator $\Sigma@{k=i}^j f(k)$ can be represented as
+$\Sigma(i,j,\lambda k.f(k))$, where
+\begin{eqnarray*}
+ \Sigma & :: & [nat,nat, nat\To nat] \To nat.
+\end{eqnarray*}
+Quantifiers may be polymorphic. We may define $\forall$ and~$\exists$ over
+all legal types of terms, not just the natural numbers, and
+allow summations over all arithmetic types:
+\begin{eqnarray*}
+ \forall,\exists & :: & (\alpha{::}term\To o) \To o \\
+ \Sigma & :: & [nat,nat, nat\To \alpha{::}arith] \To \alpha
+\end{eqnarray*}
+Observe that the index variables still have type $nat$, while the values
+being summed may belong to any arithmetic type.
+
+
+\section{Formalizing logical rules in Isabelle}
+\index{meta-implication|bold}
+\index{meta-quantifiers|bold}
+\index{meta-equality|bold}
+
+Object-logics are formalized by extending Isabelle's
+meta-logic~\cite{paulson-found}, which is intuitionistic higher-order logic.
+The meta-level connectives are {\bf implication}, the {\bf universal
+ quantifier}, and {\bf equality}.
+\begin{itemize}
+ \item The implication \(\phi\Imp \psi\) means `\(\phi\) implies
+\(\psi\)', and expresses logical {\bf entailment}.
+
+ \item The quantification \(\Forall x.\phi\) means `\(\phi\) is true for
+all $x$', and expresses {\bf generality} in rules and axiom schemes.
+
+\item The equality \(a\equiv b\) means `$a$ equals $b$', for expressing
+ {\bf definitions} (see~\S\ref{definitions}).\index{definitions}
+ Equalities left over from the unification process, so called {\bf
+ flex-flex constraints},\index{flex-flex constraints} are written $a\qeq
+ b$. The two equality symbols have the same logical meaning.
+
+\end{itemize}
+The syntax of the meta-logic is formalized in the same manner
+as object-logics, using the simply typed $\lambda$-calculus. Analogous to
+type~$o$ above, there is a built-in type $prop$ of meta-level truth values.
+Meta-level formulae will have this type. Type $prop$ belongs to
+class~$logic$; also, $\sigma\To\tau$ belongs to $logic$ provided $\sigma$
+and $\tau$ do. Here are the types of the built-in connectives:
+\begin{eqnarray*}\index{*prop type}\index{*logic class}
+ \Imp & :: & [prop,prop]\To prop \\
+ \Forall & :: & (\alpha{::}logic\To prop) \To prop \\
+ {\equiv} & :: & [\alpha{::}\{\},\alpha]\To prop \\
+ \qeq & :: & [\alpha{::}\{\},\alpha]\To prop
+\end{eqnarray*}
+The polymorphism in $\Forall$ is restricted to class~$logic$ to exclude
+certain types, those used just for parsing. The type variable
+$\alpha{::}\{\}$ ranges over the universal sort.
+
+In our formalization of first-order logic, we declared a type~$o$ of
+object-level truth values, rather than using~$prop$ for this purpose. If
+we declared the object-level connectives to have types such as
+${\neg}::prop\To prop$, then these connectives would be applicable to
+meta-level formulae. Keeping $prop$ and $o$ as separate types maintains
+the distinction between the meta-level and the object-level. To formalize
+the inference rules, we shall need to relate the two levels; accordingly,
+we declare the constant
+\index{*Trueprop constant}
+\begin{eqnarray*}
+ Trueprop & :: & o\To prop.
+\end{eqnarray*}
+We may regard $Trueprop$ as a meta-level predicate, reading $Trueprop(P)$ as
+`$P$ is true at the object-level.' Put another way, $Trueprop$ is a coercion
+from $o$ to $prop$.
+
+
+\subsection{Expressing propositional rules}
+\index{rules!propositional}
+We shall illustrate the use of the meta-logic by formalizing the rules of
+Fig.\ts\ref{fol-fig}. Each object-level rule is expressed as a meta-level
+axiom.
+
+One of the simplest rules is $(\conj E1)$. Making
+everything explicit, its formalization in the meta-logic is
+$$
+\Forall P\;Q. Trueprop(P\conj Q) \Imp Trueprop(P). \eqno(\conj E1)
+$$
+This may look formidable, but it has an obvious reading: for all object-level
+truth values $P$ and~$Q$, if $P\conj Q$ is true then so is~$P$. The
+reading is correct because the meta-logic has simple models, where
+types denote sets and $\Forall$ really means `for all.'
+
+\index{*Trueprop constant}
+Isabelle adopts notational conventions to ease the writing of rules. We may
+hide the occurrences of $Trueprop$ by making it an implicit coercion.
+Outer universal quantifiers may be dropped. Finally, the nested implication
+\index{meta-implication}
+\[ \phi@1\Imp(\cdots \phi@n\Imp\psi\cdots) \]
+may be abbreviated as $\List{\phi@1; \ldots; \phi@n} \Imp \psi$, which
+formalizes a rule of $n$~premises.
+
+Using these conventions, the conjunction rules become the following axioms.
+These fully specify the properties of~$\conj$:
+$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
+$$ P\conj Q \Imp P \qquad P\conj Q \Imp Q \eqno(\conj E1,2) $$
+
+\noindent
+Next, consider the disjunction rules. The discharge of assumption in
+$(\disj E)$ is expressed using $\Imp$:
+\index{assumptions!discharge of}%
+$$ P \Imp P\disj Q \qquad Q \Imp P\disj Q \eqno(\disj I1,2) $$
+$$ \List{P\disj Q; P\Imp R; Q\Imp R} \Imp R \eqno(\disj E) $$
+%
+To understand this treatment of assumptions in natural
+deduction, look at implication. The rule $({\imp}I)$ is the classic
+example of natural deduction: to prove that $P\imp Q$ is true, assume $P$
+is true and show that $Q$ must then be true. More concisely, if $P$
+implies $Q$ (at the meta-level), then $P\imp Q$ is true (at the
+object-level). Showing the coercion explicitly, this is formalized as
+\[ (Trueprop(P)\Imp Trueprop(Q)) \Imp Trueprop(P\imp Q). \]
+The rule $({\imp}E)$ is straightforward; hiding $Trueprop$, the axioms to
+specify $\imp$ are
+$$ (P \Imp Q) \Imp P\imp Q \eqno({\imp}I) $$
+$$ \List{P\imp Q; P} \Imp Q. \eqno({\imp}E) $$
+
+\noindent
+Finally, the intuitionistic contradiction rule is formalized as the axiom
+$$ \bot \Imp P. \eqno(\bot E) $$
+
+\begin{warn}
+Earlier versions of Isabelle, and certain
+papers~\cite{paulson-found,paulson700}, use $\List{P}$ to mean $Trueprop(P)$.
+\end{warn}
+
+\subsection{Quantifier rules and substitution}
+\index{quantifiers}\index{rules!quantifier}\index{substitution|bold}
+\index{variables!bound}\index{lambda abs@$\lambda$-abstractions}
+\index{function applications}
+
+Isabelle expresses variable binding using $\lambda$-abstraction; for instance,
+$\forall x.P$ is formalized as $\forall(\lambda x.P)$. Recall that $F(t)$
+is Isabelle's syntax for application of the function~$F$ to the argument~$t$;
+it is not a meta-notation for substitution. On the other hand, a substitution
+will take place if $F$ has the form $\lambda x.P$; Isabelle transforms
+$(\lambda x.P)(t)$ to~$P[t/x]$ by $\beta$-conversion. Thus, we can express
+inference rules that involve substitution for bound variables.
+
+\index{parameters|bold}\index{eigenvariables|see{parameters}}
+A logic may attach provisos to certain of its rules, especially quantifier
+rules. We cannot hope to formalize arbitrary provisos. Fortunately, those
+typical of quantifier rules always have the same form, namely `$x$ not free in
+\ldots {\it (some set of formulae)},' where $x$ is a variable (called a {\bf
+parameter} or {\bf eigenvariable}) in some premise. Isabelle treats
+provisos using~$\Forall$, its inbuilt notion of `for all'.
+\index{meta-quantifiers}
+
+The purpose of the proviso `$x$ not free in \ldots' is
+to ensure that the premise may not make assumptions about the value of~$x$,
+and therefore holds for all~$x$. We formalize $(\forall I)$ by
+\[ \left(\Forall x. Trueprop(P(x))\right) \Imp Trueprop(\forall x.P(x)). \]
+This means, `if $P(x)$ is true for all~$x$, then $\forall x.P(x)$ is true.'
+The $\forall E$ rule exploits $\beta$-conversion. Hiding $Trueprop$, the
+$\forall$ axioms are
+$$ \left(\Forall x. P(x)\right) \Imp \forall x.P(x) \eqno(\forall I) $$
+$$ (\forall x.P(x)) \Imp P(t). \eqno(\forall E) $$
+
+\noindent
+We have defined the object-level universal quantifier~($\forall$)
+using~$\Forall$. But we do not require meta-level counterparts of all the
+connectives of the object-logic! Consider the existential quantifier:
+$$ P(t) \Imp \exists x.P(x) \eqno(\exists I) $$
+$$ \List{\exists x.P(x);\; \Forall x. P(x)\Imp Q} \Imp Q \eqno(\exists E) $$
+Let us verify $(\exists E)$ semantically. Suppose that the premises
+hold; since $\exists x.P(x)$ is true, we may choose an~$a$ such that $P(a)$ is
+true. Instantiating $\Forall x. P(x)\Imp Q$ with $a$ yields $P(a)\Imp Q$, and
+we obtain the desired conclusion, $Q$.
+
+The treatment of substitution deserves mention. The rule
+\[ \infer{P[u/t]}{t=u & P} \]
+would be hard to formalize in Isabelle. It calls for replacing~$t$ by $u$
+throughout~$P$, which cannot be expressed using $\beta$-conversion. Our
+rule~$(subst)$ uses~$P$ as a template for substitution, inferring $P[u/x]$
+from~$P[t/x]$. When we formalize this as an axiom, the template becomes a
+function variable:
+$$ \List{t=u; P(t)} \Imp P(u). \eqno(subst) $$
+
+
+\subsection{Signatures and theories}
+\index{signatures|bold}
+
+A {\bf signature} contains the information necessary for type-checking,
+parsing and pretty printing a term. It specifies type classes and their
+relationships, types and their arities, constants and their types, etc. It
+also contains grammar rules, specified using mixfix declarations.
+
+Two signatures can be merged provided their specifications are compatible ---
+they must not, for example, assign different types to the same constant.
+Under similar conditions, a signature can be extended. Signatures are
+managed internally by Isabelle; users seldom encounter them.
+
+\index{theories|bold} A {\bf theory} consists of a signature plus a collection
+of axioms. The Pure theory contains only the meta-logic. Theories can be
+combined provided their signatures are compatible. A theory definition
+extends an existing theory with further signature specifications --- classes,
+types, constants and mixfix declarations --- plus lists of axioms and
+definitions etc., expressed as strings to be parsed. A theory can formalize a
+small piece of mathematics, such as lists and their operations, or an entire
+logic. A mathematical development typically involves many theories in a
+hierarchy. For example, the Pure theory could be extended to form a theory
+for Fig.\ts\ref{fol-fig}; this could be extended in two separate ways to form
+a theory for natural numbers and a theory for lists; the union of these two
+could be extended into a theory defining the length of a list:
+\begin{tt}
+\[
+\begin{array}{c@{}c@{}c@{}c@{}c}
+ {} & {} &\hbox{Pure}& {} & {} \\
+ {} & {} & \downarrow & {} & {} \\
+ {} & {} &\hbox{FOL} & {} & {} \\
+ {} & \swarrow & {} & \searrow & {} \\
+ \hbox{Nat} & {} & {} & {} & \hbox{List} \\
+ {} & \searrow & {} & \swarrow & {} \\
+ {} & {} &\hbox{Nat}+\hbox{List}& {} & {} \\
+ {} & {} & \downarrow & {} & {} \\
+ {} & {} & \hbox{Length} & {} & {}
+\end{array}
+\]
+\end{tt}%
+Each Isabelle proof typically works within a single theory, which is
+associated with the proof state. However, many different theories may
+coexist at the same time, and you may work in each of these during a single
+session.
+
+\begin{warn}\index{constants!clashes with variables}%
+ Confusing problems arise if you work in the wrong theory. Each theory
+ defines its own syntax. An identifier may be regarded in one theory as a
+ constant and in another as a variable, for example.
+\end{warn}
+
+\section{Proof construction in Isabelle}
+I have elsewhere described the meta-logic and demonstrated it by
+formalizing first-order logic~\cite{paulson-found}. There is a one-to-one
+correspondence between meta-level proofs and object-level proofs. To each
+use of a meta-level axiom, such as $(\forall I)$, there is a use of the
+corresponding object-level rule. Object-level assumptions and parameters
+have meta-level counterparts. The meta-level formalization is {\bf
+ faithful}, admitting no incorrect object-level inferences, and {\bf
+ adequate}, admitting all correct object-level inferences. These
+properties must be demonstrated separately for each object-logic.
+
+The meta-logic is defined by a collection of inference rules, including
+equational rules for the $\lambda$-calculus and logical rules. The rules
+for~$\Imp$ and~$\Forall$ resemble those for~$\imp$ and~$\forall$ in
+Fig.\ts\ref{fol-fig}. Proofs performed using the primitive meta-rules
+would be lengthy; Isabelle proofs normally use certain derived rules.
+{\bf Resolution}, in particular, is convenient for backward proof.
+
+Unification is central to theorem proving. It supports quantifier
+reasoning by allowing certain `unknown' terms to be instantiated later,
+possibly in stages. When proving that the time required to sort $n$
+integers is proportional to~$n^2$, we need not state the constant of
+proportionality; when proving that a hardware adder will deliver the sum of
+its inputs, we need not state how many clock ticks will be required. Such
+quantities often emerge from the proof.
+
+Isabelle provides {\bf schematic variables}, or {\bf
+ unknowns},\index{unknowns} for unification. Logically, unknowns are free
+variables. But while ordinary variables remain fixed, unification may
+instantiate unknowns. Unknowns are written with a ?\ prefix and are
+frequently subscripted: $\Var{a}$, $\Var{a@1}$, $\Var{a@2}$, \ldots,
+$\Var{P}$, $\Var{P@1}$, \ldots.
+
+Recall that an inference rule of the form
+\[ \infer{\phi}{\phi@1 & \ldots & \phi@n} \]
+is formalized in Isabelle's meta-logic as the axiom
+$\List{\phi@1; \ldots; \phi@n} \Imp \phi$.\index{resolution}
+Such axioms resemble Prolog's Horn clauses, and can be combined by
+resolution --- Isabelle's principal proof method. Resolution yields both
+forward and backward proof. Backward proof works by unifying a goal with
+the conclusion of a rule, whose premises become new subgoals. Forward proof
+works by unifying theorems with the premises of a rule, deriving a new theorem.
+
+Isabelle formulae require an extended notion of resolution.
+They differ from Horn clauses in two major respects:
+\begin{itemize}
+ \item They are written in the typed $\lambda$-calculus, and therefore must be
+resolved using higher-order unification.
+
+\item The constituents of a clause need not be atomic formulae. Any
+ formula of the form $Trueprop(\cdots)$ is atomic, but axioms such as
+ ${\imp}I$ and $\forall I$ contain non-atomic formulae.
+\end{itemize}
+Isabelle has little in common with classical resolution theorem provers
+such as Otter~\cite{wos-bledsoe}. At the meta-level, Isabelle proves
+theorems in their positive form, not by refutation. However, an
+object-logic that includes a contradiction rule may employ a refutation
+proof procedure.
+
+
+\subsection{Higher-order unification}
+\index{unification!higher-order|bold}
+Unification is equation solving. The solution of $f(\Var{x},c) \qeq
+f(d,\Var{y})$ is $\Var{x}\equiv d$ and $\Var{y}\equiv c$. {\bf
+Higher-order unification} is equation solving for typed $\lambda$-terms.
+To handle $\beta$-conversion, it must reduce $(\lambda x.t)u$ to $t[u/x]$.
+That is easy --- in the typed $\lambda$-calculus, all reduction sequences
+terminate at a normal form. But it must guess the unknown
+function~$\Var{f}$ in order to solve the equation
+\begin{equation} \label{hou-eqn}
+ \Var{f}(t) \qeq g(u@1,\ldots,u@k).
+\end{equation}
+Huet's~\cite{huet75} search procedure solves equations by imitation and
+projection. {\bf Imitation} makes~$\Var{f}$ apply the leading symbol (if a
+constant) of the right-hand side. To solve equation~(\ref{hou-eqn}), it
+guesses
+\[ \Var{f} \equiv \lambda x. g(\Var{h@1}(x),\ldots,\Var{h@k}(x)), \]
+where $\Var{h@1}$, \ldots, $\Var{h@k}$ are new unknowns. Assuming there are no
+other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
+set of equations
+\[ \Var{h@1}(t)\qeq u@1 \quad\ldots\quad \Var{h@k}(t)\qeq u@k. \]
+If the procedure solves these equations, instantiating $\Var{h@1}$, \ldots,
+$\Var{h@k}$, then it yields an instantiation for~$\Var{f}$.
+
+{\bf Projection} makes $\Var{f}$ apply one of its arguments. To solve
+equation~(\ref{hou-eqn}), if $t$ expects~$m$ arguments and delivers a
+result of suitable type, it guesses
+\[ \Var{f} \equiv \lambda x. x(\Var{h@1}(x),\ldots,\Var{h@m}(x)), \]
+where $\Var{h@1}$, \ldots, $\Var{h@m}$ are new unknowns. Assuming there are no
+other occurrences of~$\Var{f}$, equation~(\ref{hou-eqn}) simplifies to the
+equation
+\[ t(\Var{h@1}(t),\ldots,\Var{h@m}(t)) \qeq g(u@1,\ldots,u@k). \]
+
+\begin{warn}\index{unification!incompleteness of}%
+Huet's unification procedure is complete. Isabelle's polymorphic version,
+which solves for type unknowns as well as for term unknowns, is incomplete.
+The problem is that projection requires type information. In
+equation~(\ref{hou-eqn}), if the type of~$t$ is unknown, then projections
+are possible for all~$m\geq0$, and the types of the $\Var{h@i}$ will be
+similarly unconstrained. Therefore, Isabelle never attempts such
+projections, and may fail to find unifiers where a type unknown turns out
+to be a function type.
+\end{warn}
+
+\index{unknowns!function|bold}
+Given $\Var{f}(t@1,\ldots,t@n)\qeq u$, Huet's procedure could make up to
+$n+1$ guesses. The search tree and set of unifiers may be infinite. But
+higher-order unification can work effectively, provided you are careful
+with {\bf function unknowns}:
+\begin{itemize}
+ \item Equations with no function unknowns are solved using first-order
+unification, extended to treat bound variables. For example, $\lambda x.x
+\qeq \lambda x.\Var{y}$ has no solution because $\Var{y}\equiv x$ would
+capture the free variable~$x$.
+
+ \item An occurrence of the term $\Var{f}(x,y,z)$, where the arguments are
+distinct bound variables, causes no difficulties. Its projections can only
+match the corresponding variables.
+
+ \item Even an equation such as $\Var{f}(a)\qeq a+a$ is all right. It has
+four solutions, but Isabelle evaluates them lazily, trying projection before
+imitation. The first solution is usually the one desired:
+\[ \Var{f}\equiv \lambda x. x+x \quad
+ \Var{f}\equiv \lambda x. a+x \quad
+ \Var{f}\equiv \lambda x. x+a \quad
+ \Var{f}\equiv \lambda x. a+a \]
+ \item Equations such as $\Var{f}(\Var{x},\Var{y})\qeq t$ and
+$\Var{f}(\Var{g}(x))\qeq t$ admit vast numbers of unifiers, and must be
+avoided.
+\end{itemize}
+In problematic cases, you may have to instantiate some unknowns before
+invoking unification.
+
+
+\subsection{Joining rules by resolution} \label{joining}
+\index{resolution|bold}
+Let $\List{\psi@1; \ldots; \psi@m} \Imp \psi$ and $\List{\phi@1; \ldots;
+\phi@n} \Imp \phi$ be two Isabelle theorems, representing object-level rules.
+Choosing some~$i$ from~1 to~$n$, suppose that $\psi$ and $\phi@i$ have a
+higher-order unifier. Writing $Xs$ for the application of substitution~$s$ to
+expression~$X$, this means there is some~$s$ such that $\psi s\equiv \phi@i s$.
+By resolution, we may conclude
+\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
+ \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s.
+\]
+The substitution~$s$ may instantiate unknowns in both rules. In short,
+resolution is the following rule:
+\[ \infer[(\psi s\equiv \phi@i s)]
+ {(\List{\phi@1; \ldots; \phi@{i-1}; \psi@1; \ldots; \psi@m;
+ \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s}
+ {\List{\psi@1; \ldots; \psi@m} \Imp \psi & &
+ \List{\phi@1; \ldots; \phi@n} \Imp \phi}
+\]
+It operates at the meta-level, on Isabelle theorems, and is justified by
+the properties of $\Imp$ and~$\Forall$. It takes the number~$i$ (for
+$1\leq i\leq n$) as a parameter and may yield infinitely many conclusions,
+one for each unifier of $\psi$ with $\phi@i$. Isabelle returns these
+conclusions as a sequence (lazy list).
+
+Resolution expects the rules to have no outer quantifiers~($\Forall$).
+It may rename or instantiate any schematic variables, but leaves free
+variables unchanged. When constructing a theory, Isabelle puts the
+rules into a standard form with all free variables converted into
+schematic ones; for instance, $({\imp}E)$ becomes
+\[ \List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}.
+\]
+When resolving two rules, the unknowns in the first rule are renamed, by
+subscripting, to make them distinct from the unknowns in the second rule. To
+resolve $({\imp}E)$ with itself, the first copy of the rule becomes
+\[ \List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1}. \]
+Resolving this with $({\imp}E)$ in the first premise, unifying $\Var{Q@1}$ with
+$\Var{P}\imp \Var{Q}$, is the meta-level inference
+\[ \infer{\List{\Var{P@1}\imp (\Var{P}\imp \Var{Q}); \Var{P@1}; \Var{P}}
+ \Imp\Var{Q}.}
+ {\List{\Var{P@1}\imp \Var{Q@1}; \Var{P@1}} \Imp \Var{Q@1} & &
+ \List{\Var{P}\imp \Var{Q}; \Var{P}} \Imp \Var{Q}}
+\]
+Renaming the unknowns in the resolvent, we have derived the
+object-level rule\index{rules!derived}
+\[ \infer{Q.}{R\imp (P\imp Q) & R & P} \]
+Joining rules in this fashion is a simple way of proving theorems. The
+derived rules are conservative extensions of the object-logic, and may permit
+simpler proofs. Let us consider another example. Suppose we have the axiom
+$$ \forall x\,y. Suc(x)=Suc(y)\imp x=y. \eqno (inject) $$
+
+\noindent
+The standard form of $(\forall E)$ is
+$\forall x.\Var{P}(x) \Imp \Var{P}(\Var{t})$.
+Resolving $(inject)$ with $(\forall E)$ replaces $\Var{P}$ by
+$\lambda x. \forall y. Suc(x)=Suc(y)\imp x=y$ and leaves $\Var{t}$
+unchanged, yielding
+\[ \forall y. Suc(\Var{t})=Suc(y)\imp \Var{t}=y. \]
+Resolving this with $(\forall E)$ puts a subscript on~$\Var{t}$
+and yields
+\[ Suc(\Var{t@1})=Suc(\Var{t})\imp \Var{t@1}=\Var{t}. \]
+Resolving this with $({\imp}E)$ increases the subscripts and yields
+\[ Suc(\Var{t@2})=Suc(\Var{t@1})\Imp \Var{t@2}=\Var{t@1}.
+\]
+We have derived the rule
+\[ \infer{m=n,}{Suc(m)=Suc(n)} \]
+which goes directly from $Suc(m)=Suc(n)$ to $m=n$. It is handy for simplifying
+an equation like $Suc(Suc(Suc(m)))=Suc(Suc(Suc(0)))$.
+
+
+\section{Lifting a rule into a context}
+The rules $({\imp}I)$ and $(\forall I)$ may seem unsuitable for
+resolution. They have non-atomic premises, namely $P\Imp Q$ and $\Forall
+x.P(x)$, while the conclusions of all the rules are atomic (they have the form
+$Trueprop(\cdots)$). Isabelle gets round the problem through a meta-inference
+called \bfindex{lifting}. Let us consider how to construct proofs such as
+\[ \infer[({\imp}I)]{P\imp(Q\imp R)}
+ {\infer[({\imp}I)]{Q\imp R}
+ {\infer*{R}{[P,Q]}}}
+ \qquad
+ \infer[(\forall I)]{\forall x\,y.P(x,y)}
+ {\infer[(\forall I)]{\forall y.P(x,y)}{P(x,y)}}
+\]
+
+\subsection{Lifting over assumptions}
+\index{assumptions!lifting over}
+Lifting over $\theta\Imp{}$ is the following meta-inference rule:
+\[ \infer{\List{\theta\Imp\phi@1; \ldots; \theta\Imp\phi@n} \Imp
+ (\theta \Imp \phi)}
+ {\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
+This is clearly sound: if $\List{\phi@1; \ldots; \phi@n} \Imp \phi$ is true and
+$\theta\Imp\phi@1$, \ldots, $\theta\Imp\phi@n$ and $\theta$ are all true then
+$\phi$ must be true. Iterated lifting over a series of meta-formulae
+$\theta@k$, \ldots, $\theta@1$ yields an object-rule whose conclusion is
+$\List{\theta@1; \ldots; \theta@k} \Imp \phi$. Typically the $\theta@i$ are
+the assumptions in a natural deduction proof; lifting copies them into a rule's
+premises and conclusion.
+
+When resolving two rules, Isabelle lifts the first one if necessary. The
+standard form of $({\imp}I)$ is
+\[ (\Var{P} \Imp \Var{Q}) \Imp \Var{P}\imp \Var{Q}. \]
+To resolve this rule with itself, Isabelle modifies one copy as follows: it
+renames the unknowns to $\Var{P@1}$ and $\Var{Q@1}$, then lifts the rule over
+$\Var{P}\Imp{}$ to obtain
+\[ (\Var{P}\Imp (\Var{P@1} \Imp \Var{Q@1})) \Imp (\Var{P} \Imp
+ (\Var{P@1}\imp \Var{Q@1})). \]
+Using the $\List{\cdots}$ abbreviation, this can be written as
+\[ \List{\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}; \Var{P}}
+ \Imp \Var{P@1}\imp \Var{Q@1}. \]
+Unifying $\Var{P}\Imp \Var{P@1}\imp\Var{Q@1}$ with $\Var{P} \Imp
+\Var{Q}$ instantiates $\Var{Q}$ to ${\Var{P@1}\imp\Var{Q@1}}$.
+Resolution yields
+\[ (\List{\Var{P}; \Var{P@1}} \Imp \Var{Q@1}) \Imp
+\Var{P}\imp(\Var{P@1}\imp\Var{Q@1}). \]
+This represents the derived rule
+\[ \infer{P\imp(Q\imp R).}{\infer*{R}{[P,Q]}} \]
+
+\subsection{Lifting over parameters}
+\index{parameters!lifting over}
+An analogous form of lifting handles premises of the form $\Forall x\ldots\,$.
+Here, lifting prefixes an object-rule's premises and conclusion with $\Forall
+x$. At the same time, lifting introduces a dependence upon~$x$. It replaces
+each unknown $\Var{a}$ in the rule by $\Var{a'}(x)$, where $\Var{a'}$ is a new
+unknown (by subscripting) of suitable type --- necessarily a function type. In
+short, lifting is the meta-inference
+\[ \infer{\List{\Forall x.\phi@1^x; \ldots; \Forall x.\phi@n^x}
+ \Imp \Forall x.\phi^x,}
+ {\List{\phi@1; \ldots; \phi@n} \Imp \phi} \]
+%
+where $\phi^x$ stands for the result of lifting unknowns over~$x$ in
+$\phi$. It is not hard to verify that this meta-inference is sound. If
+$\phi\Imp\psi$ then $\phi^x\Imp\psi^x$ for all~$x$; so if $\phi^x$ is true
+for all~$x$ then so is $\psi^x$. Thus, from $\phi\Imp\psi$ we conclude
+$(\Forall x.\phi^x) \Imp (\Forall x.\psi^x)$.
+
+For example, $(\disj I)$ might be lifted to
+\[ (\Forall x.\Var{P@1}(x)) \Imp (\Forall x. \Var{P@1}(x)\disj \Var{Q@1}(x))\]
+and $(\forall I)$ to
+\[ (\Forall x\,y.\Var{P@1}(x,y)) \Imp (\Forall x. \forall y.\Var{P@1}(x,y)). \]
+Isabelle has renamed a bound variable in $(\forall I)$ from $x$ to~$y$,
+avoiding a clash. Resolving the above with $(\forall I)$ is the meta-inference
+\[ \infer{\Forall x\,y.\Var{P@1}(x,y)) \Imp \forall x\,y.\Var{P@1}(x,y)) }
+ {(\Forall x\,y.\Var{P@1}(x,y)) \Imp
+ (\Forall x. \forall y.\Var{P@1}(x,y)) &
+ (\Forall x.\Var{P}(x)) \Imp (\forall x.\Var{P}(x))} \]
+Here, $\Var{P}$ is replaced by $\lambda x.\forall y.\Var{P@1}(x,y)$; the
+resolvent expresses the derived rule
+\[ \vcenter{ \infer{\forall x\,y.Q(x,y)}{Q(x,y)} }
+ \quad\hbox{provided $x$, $y$ not free in the assumptions}
+\]
+I discuss lifting and parameters at length elsewhere~\cite{paulson-found}.
+Miller goes into even greater detail~\cite{miller-mixed}.
+
+
+\section{Backward proof by resolution}
+\index{resolution!in backward proof}
+
+Resolution is convenient for deriving simple rules and for reasoning
+forward from facts. It can also support backward proof, where we start
+with a goal and refine it to progressively simpler subgoals until all have
+been solved. {\sc lcf} and its descendants {\sc hol} and Nuprl provide
+tactics and tacticals, which constitute a sophisticated language for
+expressing proof searches. {\bf Tactics} refine subgoals while {\bf
+ tacticals} combine tactics.
+
+\index{LCF system}
+Isabelle's tactics and tacticals work differently from {\sc lcf}'s. An
+Isabelle rule is bidirectional: there is no distinction between
+inputs and outputs. {\sc lcf} has a separate tactic for each rule;
+Isabelle performs refinement by any rule in a uniform fashion, using
+resolution.
+
+Isabelle works with meta-level theorems of the form
+\( \List{\phi@1; \ldots; \phi@n} \Imp \phi \).
+We have viewed this as the {\bf rule} with premises
+$\phi@1$,~\ldots,~$\phi@n$ and conclusion~$\phi$. It can also be viewed as
+the {\bf proof state}\index{proof state}
+with subgoals $\phi@1$,~\ldots,~$\phi@n$ and main
+goal~$\phi$.
+
+To prove the formula~$\phi$, take $\phi\Imp \phi$ as the initial proof
+state. This assertion is, trivially, a theorem. At a later stage in the
+backward proof, a typical proof state is $\List{\phi@1; \ldots; \phi@n}
+\Imp \phi$. This proof state is a theorem, ensuring that the subgoals
+$\phi@1$,~\ldots,~$\phi@n$ imply~$\phi$. If $n=0$ then we have
+proved~$\phi$ outright. If $\phi$ contains unknowns, they may become
+instantiated during the proof; a proof state may be $\List{\phi@1; \ldots;
+\phi@n} \Imp \phi'$, where $\phi'$ is an instance of~$\phi$.
+
+\subsection{Refinement by resolution}
+To refine subgoal~$i$ of a proof state by a rule, perform the following
+resolution:
+\[ \infer{\hbox{new proof state}}{\hbox{rule} & & \hbox{proof state}} \]
+Suppose the rule is $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$ after
+lifting over subgoal~$i$'s assumptions and parameters. If the proof state
+is $\List{\phi@1; \ldots; \phi@n} \Imp \phi$, then the new proof state is
+(for~$1\leq i\leq n$)
+\[ (\List{\phi@1; \ldots; \phi@{i-1}; \psi'@1;
+ \ldots; \psi'@m; \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s. \]
+Substitution~$s$ unifies $\psi'$ with~$\phi@i$. In the proof state,
+subgoal~$i$ is replaced by $m$ new subgoals, the rule's instantiated premises.
+If some of the rule's unknowns are left un-instantiated, they become new
+unknowns in the proof state. Refinement by~$(\exists I)$, namely
+\[ \Var{P}(\Var{t}) \Imp \exists x. \Var{P}(x), \]
+inserts a new unknown derived from~$\Var{t}$ by subscripting and lifting.
+We do not have to specify an `existential witness' when
+applying~$(\exists I)$. Further resolutions may instantiate unknowns in
+the proof state.
+
+\subsection{Proof by assumption}
+\index{assumptions!use of}
+In the course of a natural deduction proof, parameters $x@1$, \ldots,~$x@l$ and
+assumptions $\theta@1$, \ldots, $\theta@k$ accumulate, forming a context for
+each subgoal. Repeated lifting steps can lift a rule into any context. To
+aid readability, Isabelle puts contexts into a normal form, gathering the
+parameters at the front:
+\begin{equation} \label{context-eqn}
+\Forall x@1 \ldots x@l. \List{\theta@1; \ldots; \theta@k}\Imp\theta.
+\end{equation}
+Under the usual reading of the connectives, this expresses that $\theta$
+follows from $\theta@1$,~\ldots~$\theta@k$ for arbitrary
+$x@1$,~\ldots,~$x@l$. It is trivially true if $\theta$ equals any of
+$\theta@1$,~\ldots~$\theta@k$, or is unifiable with any of them. This
+models proof by assumption in natural deduction.
+
+Isabelle automates the meta-inference for proof by assumption. Its arguments
+are the meta-theorem $\List{\phi@1; \ldots; \phi@n} \Imp \phi$, and some~$i$
+from~1 to~$n$, where $\phi@i$ has the form~(\ref{context-eqn}). Its results
+are meta-theorems of the form
+\[ (\List{\phi@1; \ldots; \phi@{i-1}; \phi@{i+1}; \phi@n} \Imp \phi)s \]
+for each $s$ and~$j$ such that $s$ unifies $\lambda x@1 \ldots x@l. \theta@j$
+with $\lambda x@1 \ldots x@l. \theta$. Isabelle supplies the parameters
+$x@1$,~\ldots,~$x@l$ to higher-order unification as bound variables, which
+regards them as unique constants with a limited scope --- this enforces
+parameter provisos~\cite{paulson-found}.
+
+The premise represents a proof state with~$n$ subgoals, of which the~$i$th
+is to be solved by assumption. Isabelle searches the subgoal's context for
+an assumption~$\theta@j$ that can solve it. For each unifier, the
+meta-inference returns an instantiated proof state from which the $i$th
+subgoal has been removed. Isabelle searches for a unifying assumption; for
+readability and robustness, proofs do not refer to assumptions by number.
+
+Consider the proof state
+\[ (\List{P(a); P(b)} \Imp P(\Var{x})) \Imp Q(\Var{x}). \]
+Proof by assumption (with $i=1$, the only possibility) yields two results:
+\begin{itemize}
+ \item $Q(a)$, instantiating $\Var{x}\equiv a$
+ \item $Q(b)$, instantiating $\Var{x}\equiv b$
+\end{itemize}
+Here, proof by assumption affects the main goal. It could also affect
+other subgoals; if we also had the subgoal ${\List{P(b); P(c)} \Imp
+ P(\Var{x})}$, then $\Var{x}\equiv a$ would transform it to ${\List{P(b);
+ P(c)} \Imp P(a)}$, which might be unprovable.
+
+
+\subsection{A propositional proof} \label{prop-proof}
+\index{examples!propositional}
+Our first example avoids quantifiers. Given the main goal $P\disj P\imp
+P$, Isabelle creates the initial state
+\[ (P\disj P\imp P)\Imp (P\disj P\imp P). \]
+%
+Bear in mind that every proof state we derive will be a meta-theorem,
+expressing that the subgoals imply the main goal. Our aim is to reach the
+state $P\disj P\imp P$; this meta-theorem is the desired result.
+
+The first step is to refine subgoal~1 by (${\imp}I)$, creating a new state
+where $P\disj P$ is an assumption:
+\[ (P\disj P\Imp P)\Imp (P\disj P\imp P) \]
+The next step is $(\disj E)$, which replaces subgoal~1 by three new subgoals.
+Because of lifting, each subgoal contains a copy of the context --- the
+assumption $P\disj P$. (In fact, this assumption is now redundant; we shall
+shortly see how to get rid of it!) The new proof state is the following
+meta-theorem, laid out for clarity:
+\[ \begin{array}{l@{}l@{\qquad\qquad}l}
+ \lbrakk\;& P\disj P\Imp \Var{P@1}\disj\Var{Q@1}; & \hbox{(subgoal 1)} \\
+ & \List{P\disj P; \Var{P@1}} \Imp P; & \hbox{(subgoal 2)} \\
+ & \List{P\disj P; \Var{Q@1}} \Imp P & \hbox{(subgoal 3)} \\
+ \rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
+ \end{array}
+\]
+Notice the unknowns in the proof state. Because we have applied $(\disj E)$,
+we must prove some disjunction, $\Var{P@1}\disj\Var{Q@1}$. Of course,
+subgoal~1 is provable by assumption. This instantiates both $\Var{P@1}$ and
+$\Var{Q@1}$ to~$P$ throughout the proof state:
+\[ \begin{array}{l@{}l@{\qquad\qquad}l}
+ \lbrakk\;& \List{P\disj P; P} \Imp P; & \hbox{(subgoal 1)} \\
+ & \List{P\disj P; P} \Imp P & \hbox{(subgoal 2)} \\
+ \rbrakk\;& \Imp (P\disj P\imp P) & \hbox{(main goal)}
+ \end{array} \]
+Both of the remaining subgoals can be proved by assumption. After two such
+steps, the proof state is $P\disj P\imp P$.
+
+
+\subsection{A quantifier proof}
+\index{examples!with quantifiers}
+To illustrate quantifiers and $\Forall$-lifting, let us prove
+$(\exists x.P(f(x)))\imp(\exists x.P(x))$. The initial proof
+state is the trivial meta-theorem
+\[ (\exists x.P(f(x)))\imp(\exists x.P(x)) \Imp
+ (\exists x.P(f(x)))\imp(\exists x.P(x)). \]
+As above, the first step is refinement by (${\imp}I)$:
+\[ (\exists x.P(f(x))\Imp \exists x.P(x)) \Imp
+ (\exists x.P(f(x)))\imp(\exists x.P(x))
+\]
+The next step is $(\exists E)$, which replaces subgoal~1 by two new subgoals.
+Both have the assumption $\exists x.P(f(x))$. The new proof
+state is the meta-theorem
+\[ \begin{array}{l@{}l@{\qquad\qquad}l}
+ \lbrakk\;& \exists x.P(f(x)) \Imp \exists x.\Var{P@1}(x); & \hbox{(subgoal 1)} \\
+ & \Forall x.\List{\exists x.P(f(x)); \Var{P@1}(x)} \Imp
+ \exists x.P(x) & \hbox{(subgoal 2)} \\
+ \rbrakk\;& \Imp (\exists x.P(f(x)))\imp(\exists x.P(x)) & \hbox{(main goal)}
+ \end{array}
+\]
+The unknown $\Var{P@1}$ appears in both subgoals. Because we have applied
+$(\exists E)$, we must prove $\exists x.\Var{P@1}(x)$, where $\Var{P@1}(x)$ may
+become any formula possibly containing~$x$. Proving subgoal~1 by assumption
+instantiates $\Var{P@1}$ to~$\lambda x.P(f(x))$:
+\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
+ \exists x.P(x)\right)
+ \Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
+\]
+The next step is refinement by $(\exists I)$. The rule is lifted into the
+context of the parameter~$x$ and the assumption $P(f(x))$. This copies
+the context to the subgoal and allows the existential witness to
+depend upon~$x$:
+\[ \left(\Forall x.\List{\exists x.P(f(x)); P(f(x))} \Imp
+ P(\Var{x@2}(x))\right)
+ \Imp (\exists x.P(f(x)))\imp(\exists x.P(x))
+\]
+The existential witness, $\Var{x@2}(x)$, consists of an unknown
+applied to a parameter. Proof by assumption unifies $\lambda x.P(f(x))$
+with $\lambda x.P(\Var{x@2}(x))$, instantiating $\Var{x@2}$ to $f$. The final
+proof state contains no subgoals: $(\exists x.P(f(x)))\imp(\exists x.P(x))$.
+
+
+\subsection{Tactics and tacticals}
+\index{tactics|bold}\index{tacticals|bold}
+{\bf Tactics} perform backward proof. Isabelle tactics differ from those
+of {\sc lcf}, {\sc hol} and Nuprl by operating on entire proof states,
+rather than on individual subgoals. An Isabelle tactic is a function that
+takes a proof state and returns a sequence (lazy list) of possible
+successor states. Lazy lists are coded in ML as functions, a standard
+technique~\cite{paulson-ml2}. Isabelle represents proof states by theorems.
+
+Basic tactics execute the meta-rules described above, operating on a
+given subgoal. The {\bf resolution tactics} take a list of rules and
+return next states for each combination of rule and unifier. The {\bf
+assumption tactic} examines the subgoal's assumptions and returns next
+states for each combination of assumption and unifier. Lazy lists are
+essential because higher-order resolution may return infinitely many
+unifiers. If there are no matching rules or assumptions then no next
+states are generated; a tactic application that returns an empty list is
+said to {\bf fail}.
+
+Sequences realize their full potential with {\bf tacticals} --- operators
+for combining tactics. Depth-first search, breadth-first search and
+best-first search (where a heuristic function selects the best state to
+explore) return their outcomes as a sequence. Isabelle provides such
+procedures in the form of tacticals. Simpler procedures can be expressed
+directly using the basic tacticals {\tt THEN}, {\tt ORELSE} and {\tt REPEAT}:
+\begin{ttdescription}
+\item[$tac1$ THEN $tac2$] is a tactic for sequential composition. Applied
+to a proof state, it returns all states reachable in two steps by applying
+$tac1$ followed by~$tac2$.
+
+\item[$tac1$ ORELSE $tac2$] is a choice tactic. Applied to a state, it
+tries~$tac1$ and returns the result if non-empty; otherwise, it uses~$tac2$.
+
+\item[REPEAT $tac$] is a repetition tactic. Applied to a state, it
+returns all states reachable by applying~$tac$ as long as possible --- until
+it would fail.
+\end{ttdescription}
+For instance, this tactic repeatedly applies $tac1$ and~$tac2$, giving
+$tac1$ priority:
+\begin{center} \tt
+REPEAT($tac1$ ORELSE $tac2$)
+\end{center}
+
+
+\section{Variations on resolution}
+In principle, resolution and proof by assumption suffice to prove all
+theorems. However, specialized forms of resolution are helpful for working
+with elimination rules. Elim-resolution applies an elimination rule to an
+assumption; destruct-resolution is similar, but applies a rule in a forward
+style.
+
+The last part of the section shows how the techniques for proving theorems
+can also serve to derive rules.
+
+\subsection{Elim-resolution}
+\index{elim-resolution|bold}\index{assumptions!deleting}
+
+Consider proving the theorem $((R\disj R)\disj R)\disj R\imp R$. By
+$({\imp}I)$, we prove~$R$ from the assumption $((R\disj R)\disj R)\disj R$.
+Applying $(\disj E)$ to this assumption yields two subgoals, one that
+assumes~$R$ (and is therefore trivial) and one that assumes $(R\disj
+R)\disj R$. This subgoal admits another application of $(\disj E)$. Since
+natural deduction never discards assumptions, we eventually generate a
+subgoal containing much that is redundant:
+\[ \List{((R\disj R)\disj R)\disj R; (R\disj R)\disj R; R\disj R; R} \Imp R. \]
+In general, using $(\disj E)$ on the assumption $P\disj Q$ creates two new
+subgoals with the additional assumption $P$ or~$Q$. In these subgoals,
+$P\disj Q$ is redundant. Other elimination rules behave
+similarly. In first-order logic, only universally quantified
+assumptions are sometimes needed more than once --- say, to prove
+$P(f(f(a)))$ from the assumptions $\forall x.P(x)\imp P(f(x))$ and~$P(a)$.
+
+Many logics can be formulated as sequent calculi that delete redundant
+assumptions after use. The rule $(\disj E)$ might become
+\[ \infer[\disj\hbox{-left}]
+ {\Gamma,P\disj Q,\Delta \turn \Theta}
+ {\Gamma,P,\Delta \turn \Theta && \Gamma,Q,\Delta \turn \Theta} \]
+In backward proof, a goal containing $P\disj Q$ on the left of the~$\turn$
+(that is, as an assumption) splits into two subgoals, replacing $P\disj Q$
+by $P$ or~$Q$. But the sequent calculus, with its explicit handling of
+assumptions, can be tiresome to use.
+
+Elim-resolution is Isabelle's way of getting sequent calculus behaviour
+from natural deduction rules. It lets an elimination rule consume an
+assumption. Elim-resolution combines two meta-theorems:
+\begin{itemize}
+ \item a rule $\List{\psi@1; \ldots; \psi@m} \Imp \psi$
+ \item a proof state $\List{\phi@1; \ldots; \phi@n} \Imp \phi$
+\end{itemize}
+The rule must have at least one premise, thus $m>0$. Write the rule's
+lifted form as $\List{\psi'@1; \ldots; \psi'@m} \Imp \psi'$. Suppose we
+wish to change subgoal number~$i$.
+
+Ordinary resolution would attempt to reduce~$\phi@i$,
+replacing subgoal~$i$ by $m$ new ones. Elim-resolution tries
+simultaneously to reduce~$\phi@i$ and to solve~$\psi'@1$ by assumption; it
+returns a sequence of next states. Each of these replaces subgoal~$i$ by
+instances of $\psi'@2$, \ldots, $\psi'@m$ from which the selected
+assumption has been deleted. Suppose $\phi@i$ has the parameter~$x$ and
+assumptions $\theta@1$,~\ldots,~$\theta@k$. Then $\psi'@1$, the rule's first
+premise after lifting, will be
+\( \Forall x. \List{\theta@1; \ldots; \theta@k}\Imp \psi^{x}@1 \).
+Elim-resolution tries to unify $\psi'\qeq\phi@i$ and
+$\lambda x. \theta@j \qeq \lambda x. \psi^{x}@1$ simultaneously, for
+$j=1$,~\ldots,~$k$.
+
+Let us redo the example from~\S\ref{prop-proof}. The elimination rule
+is~$(\disj E)$,
+\[ \List{\Var{P}\disj \Var{Q};\; \Var{P}\Imp \Var{R};\; \Var{Q}\Imp \Var{R}}
+ \Imp \Var{R} \]
+and the proof state is $(P\disj P\Imp P)\Imp (P\disj P\imp P)$. The
+lifted rule is
+\[ \begin{array}{l@{}l}
+ \lbrakk\;& P\disj P \Imp \Var{P@1}\disj\Var{Q@1}; \\
+ & \List{P\disj P ;\; \Var{P@1}} \Imp \Var{R@1}; \\
+ & \List{P\disj P ;\; \Var{Q@1}} \Imp \Var{R@1} \\
+ \rbrakk\;& \Imp (P\disj P \Imp \Var{R@1})
+ \end{array}
+\]
+Unification takes the simultaneous equations
+$P\disj P \qeq \Var{P@1}\disj\Var{Q@1}$ and $\Var{R@1} \qeq P$, yielding
+$\Var{P@1}\equiv\Var{Q@1}\equiv\Var{R@1} \equiv P$. The new proof state
+is simply
+\[ \List{P \Imp P;\; P \Imp P} \Imp (P\disj P\imp P).
+\]
+Elim-resolution's simultaneous unification gives better control
+than ordinary resolution. Recall the substitution rule:
+$$ \List{\Var{t}=\Var{u}; \Var{P}(\Var{t})} \Imp \Var{P}(\Var{u})
+\eqno(subst) $$
+Unsuitable for ordinary resolution because $\Var{P}(\Var{u})$ admits many
+unifiers, $(subst)$ works well with elim-resolution. It deletes some
+assumption of the form $x=y$ and replaces every~$y$ by~$x$ in the subgoal
+formula. The simultaneous unification instantiates $\Var{u}$ to~$y$; if
+$y$ is not an unknown, then $\Var{P}(y)$ can easily be unified with another
+formula.
+
+In logical parlance, the premise containing the connective to be eliminated
+is called the \bfindex{major premise}. Elim-resolution expects the major
+premise to come first. The order of the premises is significant in
+Isabelle.
+
+\subsection{Destruction rules} \label{destruct}
+\index{rules!destruction}\index{rules!elimination}
+\index{forward proof}
+
+Looking back to Fig.\ts\ref{fol-fig}, notice that there are two kinds of
+elimination rule. The rules $({\conj}E1)$, $({\conj}E2)$, $({\imp}E)$ and
+$({\forall}E)$ extract the conclusion from the major premise. In Isabelle
+parlance, such rules are called {\bf destruction rules}; they are readable
+and easy to use in forward proof. The rules $({\disj}E)$, $({\bot}E)$ and
+$({\exists}E)$ work by discharging assumptions; they support backward proof
+in a style reminiscent of the sequent calculus.
+
+The latter style is the most general form of elimination rule. In natural
+deduction, there is no way to recast $({\disj}E)$, $({\bot}E)$ or
+$({\exists}E)$ as destruction rules. But we can write general elimination
+rules for $\conj$, $\imp$ and~$\forall$:
+\[
+\infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \qquad
+\infer{R}{P\imp Q & P & \infer*{R}{[Q]}} \qquad
+\infer{Q}{\forall x.P & \infer*{Q}{[P[t/x]]}}
+\]
+Because they are concise, destruction rules are simpler to derive than the
+corresponding elimination rules. To facilitate their use in backward
+proof, Isabelle provides a means of transforming a destruction rule such as
+\[ \infer[\quad\hbox{to the elimination rule}\quad]{Q}{P@1 & \ldots & P@m}
+ \infer{R.}{P@1 & \ldots & P@m & \infer*{R}{[Q]}}
+\]
+{\bf Destruct-resolution}\index{destruct-resolution} combines this
+transformation with elim-resolution. It applies a destruction rule to some
+assumption of a subgoal. Given the rule above, it replaces the
+assumption~$P@1$ by~$Q$, with new subgoals of showing instances of $P@2$,
+\ldots,~$P@m$. Destruct-resolution works forward from a subgoal's
+assumptions. Ordinary resolution performs forward reasoning from theorems,
+as illustrated in~\S\ref{joining}.
+
+
+\subsection{Deriving rules by resolution} \label{deriving}
+\index{rules!derived|bold}\index{meta-assumptions!syntax of}
+The meta-logic, itself a form of the predicate calculus, is defined by a
+system of natural deduction rules. Each theorem may depend upon
+meta-assumptions. The theorem that~$\phi$ follows from the assumptions
+$\phi@1$, \ldots, $\phi@n$ is written
+\[ \phi \quad [\phi@1,\ldots,\phi@n]. \]
+A more conventional notation might be $\phi@1,\ldots,\phi@n \turn \phi$,
+but Isabelle's notation is more readable with large formulae.
+
+Meta-level natural deduction provides a convenient mechanism for deriving
+new object-level rules. To derive the rule
+\[ \infer{\phi,}{\theta@1 & \ldots & \theta@k} \]
+assume the premises $\theta@1$,~\ldots,~$\theta@k$ at the
+meta-level. Then prove $\phi$, possibly using these assumptions.
+Starting with a proof state $\phi\Imp\phi$, assumptions may accumulate,
+reaching a final state such as
+\[ \phi \quad [\theta@1,\ldots,\theta@k]. \]
+The meta-rule for $\Imp$ introduction discharges an assumption.
+Discharging them in the order $\theta@k,\ldots,\theta@1$ yields the
+meta-theorem $\List{\theta@1; \ldots; \theta@k} \Imp \phi$, with no
+assumptions. This represents the desired rule.
+Let us derive the general $\conj$ elimination rule:
+$$ \infer{R}{P\conj Q & \infer*{R}{[P,Q]}} \eqno(\conj E) $$
+We assume $P\conj Q$ and $\List{P;Q}\Imp R$, and commence backward proof in
+the state $R\Imp R$. Resolving this with the second assumption yields the
+state
+\[ \phantom{\List{P\conj Q;\; P\conj Q}}
+ \llap{$\List{P;Q}$}\Imp R \quad [\,\List{P;Q}\Imp R\,]. \]
+Resolving subgoals~1 and~2 with~$({\conj}E1)$ and~$({\conj}E2)$,
+respectively, yields the state
+\[ \List{P\conj \Var{Q@1};\; \Var{P@2}\conj Q}\Imp R
+ \quad [\,\List{P;Q}\Imp R\,].
+\]
+The unknowns $\Var{Q@1}$ and~$\Var{P@2}$ arise from unconstrained
+subformulae in the premises of~$({\conj}E1)$ and~$({\conj}E2)$. Resolving
+both subgoals with the assumption $P\conj Q$ instantiates the unknowns to yield
+\[ R \quad [\, \List{P;Q}\Imp R, P\conj Q \,]. \]
+The proof may use the meta-assumptions in any order, and as often as
+necessary; when finished, we discharge them in the correct order to
+obtain the desired form:
+\[ \List{P\conj Q;\; \List{P;Q}\Imp R} \Imp R \]
+We have derived the rule using free variables, which prevents their
+premature instantiation during the proof; we may now replace them by
+schematic variables.
+
+\begin{warn}
+ Schematic variables are not allowed in meta-assumptions, for a variety of
+ reasons. Meta-assumptions remain fixed throughout a proof.
+\end{warn}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Intro/document/getting.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,956 @@
+\part{Using Isabelle from the ML Top-Level}\label{chap:getting}
+
+Most Isabelle users write proof scripts using the Isar language, as described in the \emph{Tutorial}, and debug them through the Proof General user interface~\cite{proofgeneral}. Isabelle's original user interface --- based on the \ML{} top-level --- is still available, however.
+Proofs are conducted by
+applying certain \ML{} functions, which update a stored proof state.
+All syntax can be expressed using plain {\sc ascii}
+characters, but Isabelle can support
+alternative syntaxes, for example using mathematical symbols from a
+special screen font. The meta-logic and main object-logics already
+provide such fancy output as an option.
+
+Object-logics are built upon Pure Isabelle, which implements the
+meta-logic and provides certain fundamental data structures: types,
+terms, signatures, theorems and theories, tactics and tacticals.
+These data structures have the corresponding \ML{} types \texttt{typ},
+\texttt{term}, \texttt{Sign.sg}, \texttt{thm}, \texttt{theory} and \texttt{tactic};
+tacticals have function types such as \texttt{tactic->tactic}. Isabelle
+users can operate on these data structures by writing \ML{} programs.
+
+
+\section{Forward proof}\label{sec:forward} \index{forward proof|(}
+This section describes the concrete syntax for types, terms and theorems,
+and demonstrates forward proof. The examples are set in first-order logic.
+The command to start Isabelle running first-order logic is
+\begin{ttbox}
+isabelle FOL
+\end{ttbox}
+Note that just typing \texttt{isabelle} usually brings up higher-order logic
+(HOL) by default.
+
+
+\subsection{Lexical matters}
+\index{identifiers}\index{reserved words}
+An {\bf identifier} is a string of letters, digits, underscores~(\verb|_|)
+and single quotes~({\tt'}), beginning with a letter. Single quotes are
+regarded as primes; for instance \texttt{x'} is read as~$x'$. Identifiers are
+separated by white space and special characters. {\bf Reserved words} are
+identifiers that appear in Isabelle syntax definitions.
+
+An Isabelle theory can declare symbols composed of special characters, such
+as {\tt=}, {\tt==}, {\tt=>} and {\tt==>}. (The latter three are part of
+the syntax of the meta-logic.) Such symbols may be run together; thus if
+\verb|}| and \verb|{| are used for set brackets then \verb|{{a},{a,b}}| is
+valid notation for a set of sets --- but only if \verb|}}| and \verb|{{|
+have not been declared as symbols! The parser resolves any ambiguity by
+taking the longest possible symbol that has been declared. Thus the string
+{\tt==>} is read as a single symbol. But \hbox{\tt= =>} is read as two
+symbols.
+
+Identifiers that are not reserved words may serve as free variables or
+constants. A {\bf type identifier} consists of an identifier prefixed by a
+prime, for example {\tt'a} and \hbox{\tt'hello}. Type identifiers stand
+for (free) type variables, which remain fixed during a proof.
+\index{type identifiers}
+
+An {\bf unknown}\index{unknowns} (or type unknown) consists of a question
+mark, an identifier (or type identifier), and a subscript. The subscript,
+a non-negative integer,
+allows the renaming of unknowns prior to unification.%
+\footnote{The subscript may appear after the identifier, separated by a
+ dot; this prevents ambiguity when the identifier ends with a digit. Thus
+ {\tt?z6.0} has identifier {\tt"z6"} and subscript~0, while {\tt?a0.5}
+ has identifier {\tt"a0"} and subscript~5. If the identifier does not
+ end with a digit, then no dot appears and a subscript of~0 is omitted;
+ for example, {\tt?hello} has identifier {\tt"hello"} and subscript
+ zero, while {\tt?z6} has identifier {\tt"z"} and subscript~6. The same
+ conventions apply to type unknowns. The question mark is {\it not\/}
+ part of the identifier!}
+
+
+\subsection{Syntax of types and terms}
+\index{classes!built-in|bold}\index{syntax!of types and terms}
+
+Classes are denoted by identifiers; the built-in class \cldx{logic}
+contains the `logical' types. Sorts are lists of classes enclosed in
+braces~\} and \{; singleton sorts may be abbreviated by dropping the braces.
+
+\index{types!syntax of|bold}\index{sort constraints} Types are written
+with a syntax like \ML's. The built-in type \tydx{prop} is the type
+of propositions. Type variables can be constrained to particular
+classes or sorts, for example \texttt{'a::term} and \texttt{?'b::\ttlbrace
+ ord, arith\ttrbrace}.
+\[\dquotes
+\index{*:: symbol}\index{*=> symbol}
+\index{{}@{\tt\ttlbrace} symbol}\index{{}@{\tt\ttrbrace} symbol}
+\index{*[ symbol}\index{*] symbol}
+\begin{array}{ll}
+ \multicolumn{2}{c}{\hbox{ASCII Notation for Types}} \\ \hline
+ \alpha "::" C & \hbox{class constraint} \\
+ \alpha "::" "\ttlbrace" C@1 "," \ldots "," C@n "\ttrbrace" &
+ \hbox{sort constraint} \\
+ \sigma " => " \tau & \hbox{function type } \sigma\To\tau \\
+ "[" \sigma@1 "," \ldots "," \sigma@n "] => " \tau
+ & \hbox{$n$-argument function type} \\
+ "(" \tau@1"," \ldots "," \tau@n ")" tycon & \hbox{type construction}
+\end{array}
+\]
+Terms are those of the typed $\lambda$-calculus.
+\index{terms!syntax of|bold}\index{type constraints}
+\[\dquotes
+\index{%@{\tt\%} symbol}\index{lambda abs@$\lambda$-abstractions}
+\index{*:: symbol}
+\begin{array}{ll}
+ \multicolumn{2}{c}{\hbox{ASCII Notation for Terms}} \\ \hline
+ t "::" \sigma & \hbox{type constraint} \\
+ "\%" x "." t & \hbox{abstraction } \lambda x.t \\
+ "\%" x@1\ldots x@n "." t & \hbox{abstraction over several arguments} \\
+ t "(" u@1"," \ldots "," u@n ")" &
+ \hbox{application to several arguments (FOL and ZF)} \\
+ t\; u@1 \ldots\; u@n & \hbox{application to several arguments (HOL)}
+\end{array}
+\]
+Note that HOL uses its traditional ``higher-order'' syntax for application,
+which differs from that used in FOL.
+
+The theorems and rules of an object-logic are represented by theorems in
+the meta-logic, which are expressed using meta-formulae. Since the
+meta-logic is higher-order, meta-formulae~$\phi$, $\psi$, $\theta$,~\ldots{}
+are just terms of type~\texttt{prop}.
+\index{meta-implication}
+\index{meta-quantifiers}\index{meta-equality}
+\index{*"!"! symbol}
+
+\index{["!@{\tt[\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
+\index{"!]@{\tt\char124]} symbol} % so these are [| and |]
+
+\index{*== symbol}\index{*=?= symbol}\index{*==> symbol}
+\[\dquotes
+ \begin{array}{l@{\quad}l@{\quad}l}
+ \multicolumn{3}{c}{\hbox{ASCII Notation for Meta-Formulae}} \\ \hline
+ a " == " b & a\equiv b & \hbox{meta-equality} \\
+ a " =?= " b & a\qeq b & \hbox{flex-flex constraint} \\
+ \phi " ==> " \psi & \phi\Imp \psi & \hbox{meta-implication} \\
+ "[|" \phi@1 ";" \ldots ";" \phi@n "|] ==> " \psi &
+ \List{\phi@1;\ldots;\phi@n} \Imp \psi & \hbox{nested implication} \\
+ "!!" x "." \phi & \Forall x.\phi & \hbox{meta-quantification} \\
+ "!!" x@1\ldots x@n "." \phi &
+ \Forall x@1. \ldots x@n.\phi & \hbox{nested quantification}
+ \end{array}
+\]
+Flex-flex constraints are meta-equalities arising from unification; they
+require special treatment. See~\S\ref{flexflex}.
+\index{flex-flex constraints}
+
+\index{*Trueprop constant}
+Most logics define the implicit coercion $Trueprop$ from object-formulae to
+propositions. This could cause an ambiguity: in $P\Imp Q$, do the
+variables $P$ and $Q$ stand for meta-formulae or object-formulae? If the
+latter, $P\Imp Q$ really abbreviates $Trueprop(P)\Imp Trueprop(Q)$. To
+prevent such ambiguities, Isabelle's syntax does not allow a meta-formula
+to consist of a variable. Variables of type~\tydx{prop} are seldom
+useful, but you can make a variable stand for a meta-formula by prefixing
+it with the symbol \texttt{PROP}:\index{*PROP symbol}
+\begin{ttbox}
+PROP ?psi ==> PROP ?theta
+\end{ttbox}
+
+Symbols of object-logics are typically rendered into {\sc ascii} as
+follows:
+\[ \begin{tabular}{l@{\quad}l@{\quad}l}
+ \tt True & $\top$ & true \\
+ \tt False & $\bot$ & false \\
+ \tt $P$ \& $Q$ & $P\conj Q$ & conjunction \\
+ \tt $P$ | $Q$ & $P\disj Q$ & disjunction \\
+ \verb'~' $P$ & $\neg P$ & negation \\
+ \tt $P$ --> $Q$ & $P\imp Q$ & implication \\
+ \tt $P$ <-> $Q$ & $P\bimp Q$ & bi-implication \\
+ \tt ALL $x\,y\,z$ .\ $P$ & $\forall x\,y\,z.P$ & for all \\
+ \tt EX $x\,y\,z$ .\ $P$ & $\exists x\,y\,z.P$ & there exists
+ \end{tabular}
+\]
+To illustrate the notation, consider two axioms for first-order logic:
+$$ \List{P; Q} \Imp P\conj Q \eqno(\conj I) $$
+$$ \List{\exists x. P(x); \Forall x. P(x)\imp Q} \Imp Q \eqno(\exists E) $$
+$({\conj}I)$ translates into {\sc ascii} characters as
+\begin{ttbox}
+[| ?P; ?Q |] ==> ?P & ?Q
+\end{ttbox}
+The schematic variables let unification instantiate the rule. To avoid
+cluttering logic definitions with question marks, Isabelle converts any
+free variables in a rule to schematic variables; we normally declare
+$({\conj}I)$ as
+\begin{ttbox}
+[| P; Q |] ==> P & Q
+\end{ttbox}
+This variables convention agrees with the treatment of variables in goals.
+Free variables in a goal remain fixed throughout the proof. After the
+proof is finished, Isabelle converts them to scheme variables in the
+resulting theorem. Scheme variables in a goal may be replaced by terms
+during the proof, supporting answer extraction, program synthesis, and so
+forth.
+
+For a final example, the rule $(\exists E)$ is rendered in {\sc ascii} as
+\begin{ttbox}
+[| EX x. P(x); !!x. P(x) ==> Q |] ==> Q
+\end{ttbox}
+
+
+\subsection{Basic operations on theorems}
+\index{theorems!basic operations on|bold}
+\index{LCF system}
+Meta-level theorems have the \ML{} type \mltydx{thm}. They represent the
+theorems and inference rules of object-logics. Isabelle's meta-logic is
+implemented using the {\sc lcf} approach: each meta-level inference rule is
+represented by a function from theorems to theorems. Object-level rules
+are taken as axioms.
+
+The main theorem printing commands are \texttt{prth}, \texttt{prths} and~{\tt
+ prthq}. Of the other operations on theorems, most useful are \texttt{RS}
+and \texttt{RSN}, which perform resolution.
+
+\index{theorems!printing of}
+\begin{ttdescription}
+\item[\ttindex{prth} {\it thm};]
+ pretty-prints {\it thm\/} at the terminal.
+
+\item[\ttindex{prths} {\it thms};]
+ pretty-prints {\it thms}, a list of theorems.
+
+\item[\ttindex{prthq} {\it thmq};]
+ pretty-prints {\it thmq}, a sequence of theorems; this is useful for
+ inspecting the output of a tactic.
+
+\item[$thm1$ RS $thm2$] \index{*RS}
+ resolves the conclusion of $thm1$ with the first premise of~$thm2$.
+
+\item[$thm1$ RSN $(i,thm2)$] \index{*RSN}
+ resolves the conclusion of $thm1$ with the $i$th premise of~$thm2$.
+
+\item[\ttindex{standard} $thm$]
+ puts $thm$ into a standard format. It also renames schematic variables
+ to have subscript zero, improving readability and reducing subscript
+ growth.
+\end{ttdescription}
+The rules of a theory are normally bound to \ML\ identifiers. Suppose we are
+running an Isabelle session containing theory~FOL, natural deduction
+first-order logic.\footnote{For a listing of the FOL rules and their \ML{}
+ names, turn to
+\iflabelundefined{fol-rules}{{\em Isabelle's Object-Logics}}%
+ {page~\pageref{fol-rules}}.}
+Let us try an example given in~\S\ref{joining}. We
+first print \tdx{mp}, which is the rule~$({\imp}E)$, then resolve it with
+itself.
+\begin{ttbox}
+prth mp;
+{\out [| ?P --> ?Q; ?P |] ==> ?Q}
+{\out val it = "[| ?P --> ?Q; ?P |] ==> ?Q" : thm}
+prth (mp RS mp);
+{\out [| ?P1 --> ?P --> ?Q; ?P1; ?P |] ==> ?Q}
+{\out val it = "[| ?P1 --> ?P --> ?Q; ?P1; ?P |] ==> ?Q" : thm}
+\end{ttbox}
+User input appears in {\footnotesize\tt typewriter characters}, and output
+appears in{\out slanted typewriter characters}. \ML's response {\out val
+ }~\ldots{} is compiler-dependent and will sometimes be suppressed. This
+session illustrates two formats for the display of theorems. Isabelle's
+top-level displays theorems as \ML{} values, enclosed in quotes. Printing
+commands like \texttt{prth} omit the quotes and the surrounding \texttt{val
+ \ldots :\ thm}. Ignoring their side-effects, the printing commands are
+identity functions.
+
+To contrast \texttt{RS} with \texttt{RSN}, we resolve
+\tdx{conjunct1}, which stands for~$(\conj E1)$, with~\tdx{mp}.
+\begin{ttbox}
+conjunct1 RS mp;
+{\out val it = "[| (?P --> ?Q) & ?Q1; ?P |] ==> ?Q" : thm}
+conjunct1 RSN (2,mp);
+{\out val it = "[| ?P --> ?Q; ?P & ?Q1 |] ==> ?Q" : thm}
+\end{ttbox}
+These correspond to the following proofs:
+\[ \infer[({\imp}E)]{Q}{\infer[({\conj}E1)]{P\imp Q}{(P\imp Q)\conj Q@1} & P}
+ \qquad
+ \infer[({\imp}E)]{Q}{P\imp Q & \infer[({\conj}E1)]{P}{P\conj Q@1}}
+\]
+%
+Rules can be derived by pasting other rules together. Let us join
+\tdx{spec}, which stands for~$(\forall E)$, with \texttt{mp} and {\tt
+ conjunct1}. In \ML{}, the identifier~\texttt{it} denotes the value just
+printed.
+\begin{ttbox}
+spec;
+{\out val it = "ALL x. ?P(x) ==> ?P(?x)" : thm}
+it RS mp;
+{\out val it = "[| ALL x. ?P3(x) --> ?Q2(x); ?P3(?x1) |] ==>}
+{\out ?Q2(?x1)" : thm}
+it RS conjunct1;
+{\out val it = "[| ALL x. ?P4(x) --> ?P6(x) & ?Q5(x); ?P4(?x2) |] ==>}
+{\out ?P6(?x2)" : thm}
+standard it;
+{\out val it = "[| ALL x. ?P(x) --> ?Pa(x) & ?Q(x); ?P(?x) |] ==>}
+{\out ?Pa(?x)" : thm}
+\end{ttbox}
+By resolving $(\forall E)$ with (${\imp}E)$ and (${\conj}E1)$, we have
+derived a destruction rule for formulae of the form $\forall x.
+P(x)\imp(Q(x)\conj R(x))$. Used with destruct-resolution, such specialized
+rules provide a way of referring to particular assumptions.
+\index{assumptions!use of}
+
+\subsection{*Flex-flex constraints} \label{flexflex}
+\index{flex-flex constraints|bold}\index{unknowns!function}
+In higher-order unification, {\bf flex-flex} equations are those where both
+sides begin with a function unknown, such as $\Var{f}(0)\qeq\Var{g}(0)$.
+They admit a trivial unifier, here $\Var{f}\equiv \lambda x.\Var{a}$ and
+$\Var{g}\equiv \lambda y.\Var{a}$, where $\Var{a}$ is a new unknown. They
+admit many other unifiers, such as $\Var{f} \equiv \lambda x.\Var{g}(0)$
+and $\{\Var{f} \equiv \lambda x.x,\, \Var{g} \equiv \lambda x.0\}$. Huet's
+procedure does not enumerate the unifiers; instead, it retains flex-flex
+equations as constraints on future unifications. Flex-flex constraints
+occasionally become attached to a proof state; more frequently, they appear
+during use of \texttt{RS} and~\texttt{RSN}:
+\begin{ttbox}
+refl;
+{\out val it = "?a = ?a" : thm}
+exI;
+{\out val it = "?P(?x) ==> EX x. ?P(x)" : thm}
+refl RS exI;
+{\out val it = "EX x. ?a3(x) = ?a2(x)" [.] : thm}
+\end{ttbox}
+%
+The mysterious symbol \texttt{[.]} indicates that the result is subject to
+a meta-level hypothesis. We can make all such hypotheses visible by setting the
+\ttindexbold{show_hyps} flag:
+\begin{ttbox}
+set show_hyps;
+{\out val it = true : bool}
+refl RS exI;
+{\out val it = "EX x. ?a3(x) = ?a2(x)" ["?a3(?x) =?= ?a2(?x)"] : thm}
+\end{ttbox}
+
+\noindent
+Renaming variables, this is $\exists x.\Var{f}(x)=\Var{g}(x)$ with
+the constraint ${\Var{f}(\Var{u})\qeq\Var{g}(\Var{u})}$. Instances
+satisfying the constraint include $\exists x.\Var{f}(x)=\Var{f}(x)$ and
+$\exists x.x=\Var{u}$. Calling \ttindex{flexflex_rule} removes all
+constraints by applying the trivial unifier:\index{*prthq}
+\begin{ttbox}
+prthq (flexflex_rule it);
+{\out EX x. ?a4 = ?a4}
+\end{ttbox}
+Isabelle simplifies flex-flex equations to eliminate redundant bound
+variables. In $\lambda x\,y.\Var{f}(k(y),x) \qeq \lambda x\,y.\Var{g}(y)$,
+there is no bound occurrence of~$x$ on the right side; thus, there will be
+none on the left in a common instance of these terms. Choosing a new
+variable~$\Var{h}$, Isabelle assigns $\Var{f}\equiv \lambda u\,v.?h(u)$,
+simplifying the left side to $\lambda x\,y.\Var{h}(k(y))$. Dropping $x$
+from the equation leaves $\lambda y.\Var{h}(k(y)) \qeq \lambda
+y.\Var{g}(y)$. By $\eta$-conversion, this simplifies to the assignment
+$\Var{g}\equiv\lambda y.?h(k(y))$.
+
+\begin{warn}
+\ttindex{RS} and \ttindex{RSN} fail (by raising exception \texttt{THM}) unless
+the resolution delivers {\bf exactly one} resolvent. For multiple results,
+use \ttindex{RL} and \ttindex{RLN}, which operate on theorem lists. The
+following example uses \ttindex{read_instantiate} to create an instance
+of \tdx{refl} containing no schematic variables.
+\begin{ttbox}
+val reflk = read_instantiate [("a","k")] refl;
+{\out val reflk = "k = k" : thm}
+\end{ttbox}
+
+\noindent
+A flex-flex constraint is no longer possible; resolution does not find a
+unique unifier:
+\begin{ttbox}
+reflk RS exI;
+{\out uncaught exception}
+{\out THM ("RSN: multiple unifiers", 1,}
+{\out ["k = k", "?P(?x) ==> EX x. ?P(x)"])}
+\end{ttbox}
+Using \ttindex{RL} this time, we discover that there are four unifiers, and
+four resolvents:
+\begin{ttbox}
+[reflk] RL [exI];
+{\out val it = ["EX x. x = x", "EX x. k = x",}
+{\out "EX x. x = k", "EX x. k = k"] : thm list}
+\end{ttbox}
+\end{warn}
+
+\index{forward proof|)}
+
+\section{Backward proof}
+Although \texttt{RS} and \texttt{RSN} are fine for simple forward reasoning,
+large proofs require tactics. Isabelle provides a suite of commands for
+conducting a backward proof using tactics.
+
+\subsection{The basic tactics}
+The tactics \texttt{assume_tac}, {\tt
+resolve_tac}, \texttt{eresolve_tac}, and \texttt{dresolve_tac} suffice for most
+single-step proofs. Although \texttt{eresolve_tac} and \texttt{dresolve_tac} are
+not strictly necessary, they simplify proofs involving elimination and
+destruction rules. All the tactics act on a subgoal designated by a
+positive integer~$i$, failing if~$i$ is out of range. The resolution
+tactics try their list of theorems in left-to-right order.
+
+\begin{ttdescription}
+\item[\ttindex{assume_tac} {\it i}] \index{tactics!assumption}
+ is the tactic that attempts to solve subgoal~$i$ by assumption. Proof by
+ assumption is not a trivial step; it can falsify other subgoals by
+ instantiating shared variables. There may be several ways of solving the
+ subgoal by assumption.
+
+\item[\ttindex{resolve_tac} {\it thms} {\it i}]\index{tactics!resolution}
+ is the basic resolution tactic, used for most proof steps. The $thms$
+ represent object-rules, which are resolved against subgoal~$i$ of the
+ proof state. For each rule, resolution forms next states by unifying the
+ conclusion with the subgoal and inserting instantiated premises in its
+ place. A rule can admit many higher-order unifiers. The tactic fails if
+ none of the rules generates next states.
+
+\item[\ttindex{eresolve_tac} {\it thms} {\it i}] \index{elim-resolution}
+ performs elim-resolution. Like \texttt{resolve_tac~{\it thms}~{\it i\/}}
+ followed by \texttt{assume_tac~{\it i}}, it applies a rule then solves its
+ first premise by assumption. But \texttt{eresolve_tac} additionally deletes
+ that assumption from any subgoals arising from the resolution.
+
+\item[\ttindex{dresolve_tac} {\it thms} {\it i}]
+ \index{forward proof}\index{destruct-resolution}
+ performs destruct-resolution with the~$thms$, as described
+ in~\S\ref{destruct}. It is useful for forward reasoning from the
+ assumptions.
+\end{ttdescription}
+
+\subsection{Commands for backward proof}
+\index{proofs!commands for}
+Tactics are normally applied using the subgoal module, which maintains a
+proof state and manages the proof construction. It allows interactive
+backtracking through the proof space, going away to prove lemmas, etc.; of
+its many commands, most important are the following:
+\begin{ttdescription}
+\item[\ttindex{Goal} {\it formula}; ]
+begins a new proof, where the {\it formula\/} is written as an \ML\ string.
+
+\item[\ttindex{by} {\it tactic}; ]
+applies the {\it tactic\/} to the current proof
+state, raising an exception if the tactic fails.
+
+\item[\ttindex{undo}(); ]
+ reverts to the previous proof state. Undo can be repeated but cannot be
+ undone. Do not omit the parentheses; typing {\tt\ \ undo;\ \ } merely
+ causes \ML\ to echo the value of that function.
+
+\item[\ttindex{result}();]
+returns the theorem just proved, in a standard format. It fails if
+unproved subgoals are left, etc.
+
+\item[\ttindex{qed} {\it name};] is the usual way of ending a proof.
+ It gets the theorem using \texttt{result}, stores it in Isabelle's
+ theorem database and binds it to an \ML{} identifier.
+
+\end{ttdescription}
+The commands and tactics given above are cumbersome for interactive use.
+Although our examples will use the full commands, you may prefer Isabelle's
+shortcuts:
+\begin{center} \tt
+\index{*br} \index{*be} \index{*bd} \index{*ba}
+\begin{tabular}{l@{\qquad\rm abbreviates\qquad}l}
+ ba {\it i}; & by (assume_tac {\it i}); \\
+
+ br {\it thm} {\it i}; & by (resolve_tac [{\it thm}] {\it i}); \\
+
+ be {\it thm} {\it i}; & by (eresolve_tac [{\it thm}] {\it i}); \\
+
+ bd {\it thm} {\it i}; & by (dresolve_tac [{\it thm}] {\it i});
+\end{tabular}
+\end{center}
+
+\subsection{A trivial example in propositional logic}
+\index{examples!propositional}
+
+Directory \texttt{FOL} of the Isabelle distribution defines the theory of
+first-order logic. Let us try the example from \S\ref{prop-proof},
+entering the goal $P\disj P\imp P$ in that theory.\footnote{To run these
+ examples, see the file \texttt{FOL/ex/intro.ML}.}
+\begin{ttbox}
+Goal "P|P --> P";
+{\out Level 0}
+{\out P | P --> P}
+{\out 1. P | P --> P}
+\end{ttbox}\index{level of a proof}
+Isabelle responds by printing the initial proof state, which has $P\disj
+P\imp P$ as the main goal and the only subgoal. The {\bf level} of the
+state is the number of \texttt{by} commands that have been applied to reach
+it. We now use \ttindex{resolve_tac} to apply the rule \tdx{impI},
+or~$({\imp}I)$, to subgoal~1:
+\begin{ttbox}
+by (resolve_tac [impI] 1);
+{\out Level 1}
+{\out P | P --> P}
+{\out 1. P | P ==> P}
+\end{ttbox}
+In the new proof state, subgoal~1 is $P$ under the assumption $P\disj P$.
+(The meta-implication {\tt==>} indicates assumptions.) We apply
+\tdx{disjE}, or~(${\disj}E)$, to that subgoal:
+\begin{ttbox}
+by (resolve_tac [disjE] 1);
+{\out Level 2}
+{\out P | P --> P}
+{\out 1. P | P ==> ?P1 | ?Q1}
+{\out 2. [| P | P; ?P1 |] ==> P}
+{\out 3. [| P | P; ?Q1 |] ==> P}
+\end{ttbox}
+At Level~2 there are three subgoals, each provable by assumption. We
+deviate from~\S\ref{prop-proof} by tackling subgoal~3 first, using
+\ttindex{assume_tac}. This affects subgoal~1, updating {\tt?Q1} to~{\tt
+ P}.
+\begin{ttbox}
+by (assume_tac 3);
+{\out Level 3}
+{\out P | P --> P}
+{\out 1. P | P ==> ?P1 | P}
+{\out 2. [| P | P; ?P1 |] ==> P}
+\end{ttbox}
+Next we tackle subgoal~2, instantiating {\tt?P1} to~\texttt{P} in subgoal~1.
+\begin{ttbox}
+by (assume_tac 2);
+{\out Level 4}
+{\out P | P --> P}
+{\out 1. P | P ==> P | P}
+\end{ttbox}
+Lastly we prove the remaining subgoal by assumption:
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 5}
+{\out P | P --> P}
+{\out No subgoals!}
+\end{ttbox}
+Isabelle tells us that there are no longer any subgoals: the proof is
+complete. Calling \texttt{qed} stores the theorem.
+\begin{ttbox}
+qed "mythm";
+{\out val mythm = "?P | ?P --> ?P" : thm}
+\end{ttbox}
+Isabelle has replaced the free variable~\texttt{P} by the scheme
+variable~{\tt?P}\@. Free variables in the proof state remain fixed
+throughout the proof. Isabelle finally converts them to scheme variables
+so that the resulting theorem can be instantiated with any formula.
+
+As an exercise, try doing the proof as in \S\ref{prop-proof}, observing how
+instantiations affect the proof state.
+
+
+\subsection{Part of a distributive law}
+\index{examples!propositional}
+To demonstrate the tactics \ttindex{eresolve_tac}, \ttindex{dresolve_tac}
+and the tactical \texttt{REPEAT}, let us prove part of the distributive
+law
+\[ (P\conj Q)\disj R \,\bimp\, (P\disj R)\conj (Q\disj R). \]
+We begin by stating the goal to Isabelle and applying~$({\imp}I)$ to it:
+\begin{ttbox}
+Goal "(P & Q) | R --> (P | R)";
+{\out Level 0}
+{\out P & Q | R --> P | R}
+{\out 1. P & Q | R --> P | R}
+\ttbreak
+by (resolve_tac [impI] 1);
+{\out Level 1}
+{\out P & Q | R --> P | R}
+{\out 1. P & Q | R ==> P | R}
+\end{ttbox}
+Previously we applied~(${\disj}E)$ using \texttt{resolve_tac}, but
+\ttindex{eresolve_tac} deletes the assumption after use. The resulting proof
+state is simpler.
+\begin{ttbox}
+by (eresolve_tac [disjE] 1);
+{\out Level 2}
+{\out P & Q | R --> P | R}
+{\out 1. P & Q ==> P | R}
+{\out 2. R ==> P | R}
+\end{ttbox}
+Using \ttindex{dresolve_tac}, we can apply~(${\conj}E1)$ to subgoal~1,
+replacing the assumption $P\conj Q$ by~$P$. Normally we should apply the
+rule~(${\conj}E)$, given in~\S\ref{destruct}. That is an elimination rule
+and requires \texttt{eresolve_tac}; it would replace $P\conj Q$ by the two
+assumptions~$P$ and~$Q$. Because the present example does not need~$Q$, we
+may try out \texttt{dresolve_tac}.
+\begin{ttbox}
+by (dresolve_tac [conjunct1] 1);
+{\out Level 3}
+{\out P & Q | R --> P | R}
+{\out 1. P ==> P | R}
+{\out 2. R ==> P | R}
+\end{ttbox}
+The next two steps apply~(${\disj}I1$) and~(${\disj}I2$) in an obvious manner.
+\begin{ttbox}
+by (resolve_tac [disjI1] 1);
+{\out Level 4}
+{\out P & Q | R --> P | R}
+{\out 1. P ==> P}
+{\out 2. R ==> P | R}
+\ttbreak
+by (resolve_tac [disjI2] 2);
+{\out Level 5}
+{\out P & Q | R --> P | R}
+{\out 1. P ==> P}
+{\out 2. R ==> R}
+\end{ttbox}
+Two calls of \texttt{assume_tac} can finish the proof. The
+tactical~\ttindex{REPEAT} here expresses a tactic that calls \texttt{assume_tac~1}
+as many times as possible. We can restrict attention to subgoal~1 because
+the other subgoals move up after subgoal~1 disappears.
+\begin{ttbox}
+by (REPEAT (assume_tac 1));
+{\out Level 6}
+{\out P & Q | R --> P | R}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\section{Quantifier reasoning}
+\index{quantifiers}\index{parameters}\index{unknowns}\index{unknowns!function}
+This section illustrates how Isabelle enforces quantifier provisos.
+Suppose that $x$, $y$ and~$z$ are parameters of a subgoal. Quantifier
+rules create terms such as~$\Var{f}(x,z)$, where~$\Var{f}$ is a function
+unknown. Instantiating $\Var{f}$ to $\lambda x\,z.t$ has the effect of
+replacing~$\Var{f}(x,z)$ by~$t$, where the term~$t$ may contain free
+occurrences of~$x$ and~$z$. On the other hand, no instantiation
+of~$\Var{f}$ can replace~$\Var{f}(x,z)$ by a term containing free
+occurrences of~$y$, since parameters are bound variables.
+
+\subsection{Two quantifier proofs: a success and a failure}
+\index{examples!with quantifiers}
+Let us contrast a proof of the theorem $\forall x.\exists y.x=y$ with an
+attempted proof of the non-theorem $\exists y.\forall x.x=y$. The former
+proof succeeds, and the latter fails, because of the scope of quantified
+variables~\cite{paulson-found}. Unification helps even in these trivial
+proofs. In $\forall x.\exists y.x=y$ the $y$ that `exists' is simply $x$,
+but we need never say so. This choice is forced by the reflexive law for
+equality, and happens automatically.
+
+\paragraph{The successful proof.}
+The proof of $\forall x.\exists y.x=y$ demonstrates the introduction rules
+$(\forall I)$ and~$(\exists I)$. We state the goal and apply $(\forall I)$:
+\begin{ttbox}
+Goal "ALL x. EX y. x=y";
+{\out Level 0}
+{\out ALL x. EX y. x = y}
+{\out 1. ALL x. EX y. x = y}
+\ttbreak
+by (resolve_tac [allI] 1);
+{\out Level 1}
+{\out ALL x. EX y. x = y}
+{\out 1. !!x. EX y. x = y}
+\end{ttbox}
+The variable~\texttt{x} is no longer universally quantified, but is a
+parameter in the subgoal; thus, it is universally quantified at the
+meta-level. The subgoal must be proved for all possible values of~\texttt{x}.
+
+To remove the existential quantifier, we apply the rule $(\exists I)$:
+\begin{ttbox}
+by (resolve_tac [exI] 1);
+{\out Level 2}
+{\out ALL x. EX y. x = y}
+{\out 1. !!x. x = ?y1(x)}
+\end{ttbox}
+The bound variable \texttt{y} has become {\tt?y1(x)}. This term consists of
+the function unknown~{\tt?y1} applied to the parameter~\texttt{x}.
+Instances of {\tt?y1(x)} may or may not contain~\texttt{x}. We resolve the
+subgoal with the reflexivity axiom.
+\begin{ttbox}
+by (resolve_tac [refl] 1);
+{\out Level 3}
+{\out ALL x. EX y. x = y}
+{\out No subgoals!}
+\end{ttbox}
+Let us consider what has happened in detail. The reflexivity axiom is
+lifted over~$x$ to become $\Forall x.\Var{f}(x)=\Var{f}(x)$, which is
+unified with $\Forall x.x=\Var{y@1}(x)$. The function unknowns $\Var{f}$
+and~$\Var{y@1}$ are both instantiated to the identity function, and
+$x=\Var{y@1}(x)$ collapses to~$x=x$ by $\beta$-reduction.
+
+\paragraph{The unsuccessful proof.}
+We state the goal $\exists y.\forall x.x=y$, which is not a theorem, and
+try~$(\exists I)$:
+\begin{ttbox}
+Goal "EX y. ALL x. x=y";
+{\out Level 0}
+{\out EX y. ALL x. x = y}
+{\out 1. EX y. ALL x. x = y}
+\ttbreak
+by (resolve_tac [exI] 1);
+{\out Level 1}
+{\out EX y. ALL x. x = y}
+{\out 1. ALL x. x = ?y}
+\end{ttbox}
+The unknown \texttt{?y} may be replaced by any term, but this can never
+introduce another bound occurrence of~\texttt{x}. We now apply~$(\forall I)$:
+\begin{ttbox}
+by (resolve_tac [allI] 1);
+{\out Level 2}
+{\out EX y. ALL x. x = y}
+{\out 1. !!x. x = ?y}
+\end{ttbox}
+Compare our position with the previous Level~2. Instead of {\tt?y1(x)} we
+have~{\tt?y}, whose instances may not contain the bound variable~\texttt{x}.
+The reflexivity axiom does not unify with subgoal~1.
+\begin{ttbox}
+by (resolve_tac [refl] 1);
+{\out by: tactic failed}
+\end{ttbox}
+There can be no proof of $\exists y.\forall x.x=y$ by the soundness of
+first-order logic. I have elsewhere proved the faithfulness of Isabelle's
+encoding of first-order logic~\cite{paulson-found}; there could, of course, be
+faults in the implementation.
+
+
+\subsection{Nested quantifiers}
+\index{examples!with quantifiers}
+Multiple quantifiers create complex terms. Proving
+\[ (\forall x\,y.P(x,y)) \imp (\forall z\,w.P(w,z)) \]
+will demonstrate how parameters and unknowns develop. If they appear in
+the wrong order, the proof will fail.
+
+This section concludes with a demonstration of \texttt{REPEAT}
+and~\texttt{ORELSE}.
+\begin{ttbox}
+Goal "(ALL x y.P(x,y)) --> (ALL z w.P(w,z))";
+{\out Level 0}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+\ttbreak
+by (resolve_tac [impI] 1);
+{\out Level 1}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
+\end{ttbox}
+
+\paragraph{The wrong approach.}
+Using \texttt{dresolve_tac}, we apply the rule $(\forall E)$, bound to the
+\ML\ identifier \tdx{spec}. Then we apply $(\forall I)$.
+\begin{ttbox}
+by (dresolve_tac [spec] 1);
+{\out Level 2}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. ALL y. P(?x1,y) ==> ALL z w. P(w,z)}
+\ttbreak
+by (resolve_tac [allI] 1);
+{\out Level 3}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z. ALL y. P(?x1,y) ==> ALL w. P(w,z)}
+\end{ttbox}
+The unknown \texttt{?x1} and the parameter \texttt{z} have appeared. We again
+apply $(\forall E)$ and~$(\forall I)$.
+\begin{ttbox}
+by (dresolve_tac [spec] 1);
+{\out Level 4}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z. P(?x1,?y3(z)) ==> ALL w. P(w,z)}
+\ttbreak
+by (resolve_tac [allI] 1);
+{\out Level 5}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z w. P(?x1,?y3(z)) ==> P(w,z)}
+\end{ttbox}
+The unknown \texttt{?y3} and the parameter \texttt{w} have appeared. Each
+unknown is applied to the parameters existing at the time of its creation;
+instances of~\texttt{?x1} cannot contain~\texttt{z} or~\texttt{w}, while instances
+of {\tt?y3(z)} can only contain~\texttt{z}. Due to the restriction on~\texttt{?x1},
+proof by assumption will fail.
+\begin{ttbox}
+by (assume_tac 1);
+{\out by: tactic failed}
+{\out uncaught exception ERROR}
+\end{ttbox}
+
+\paragraph{The right approach.}
+To do this proof, the rules must be applied in the correct order.
+Parameters should be created before unknowns. The
+\ttindex{choplev} command returns to an earlier stage of the proof;
+let us return to the result of applying~$({\imp}I)$:
+\begin{ttbox}
+choplev 1;
+{\out Level 1}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. ALL x y. P(x,y) ==> ALL z w. P(w,z)}
+\end{ttbox}
+Previously we made the mistake of applying $(\forall E)$ before $(\forall I)$.
+\begin{ttbox}
+by (resolve_tac [allI] 1);
+{\out Level 2}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z. ALL x y. P(x,y) ==> ALL w. P(w,z)}
+\ttbreak
+by (resolve_tac [allI] 1);
+{\out Level 3}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z w. ALL x y. P(x,y) ==> P(w,z)}
+\end{ttbox}
+The parameters \texttt{z} and~\texttt{w} have appeared. We now create the
+unknowns:
+\begin{ttbox}
+by (dresolve_tac [spec] 1);
+{\out Level 4}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z w. ALL y. P(?x3(z,w),y) ==> P(w,z)}
+\ttbreak
+by (dresolve_tac [spec] 1);
+{\out Level 5}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. !!z w. P(?x3(z,w),?y4(z,w)) ==> P(w,z)}
+\end{ttbox}
+Both {\tt?x3(z,w)} and~{\tt?y4(z,w)} could become any terms containing {\tt
+z} and~\texttt{w}:
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 6}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out No subgoals!}
+\end{ttbox}
+
+\paragraph{A one-step proof using tacticals.}
+\index{tacticals} \index{examples!of tacticals}
+
+Repeated application of rules can be effective, but the rules should be
+attempted in the correct order. Let us return to the original goal using
+\ttindex{choplev}:
+\begin{ttbox}
+choplev 0;
+{\out Level 0}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out 1. (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+\end{ttbox}
+As we have just seen, \tdx{allI} should be attempted
+before~\tdx{spec}, while \ttindex{assume_tac} generally can be
+attempted first. Such priorities can easily be expressed
+using~\ttindex{ORELSE}, and repeated using~\ttindex{REPEAT}.
+\begin{ttbox}
+by (REPEAT (assume_tac 1 ORELSE resolve_tac [impI,allI] 1
+ ORELSE dresolve_tac [spec] 1));
+{\out Level 1}
+{\out (ALL x y. P(x,y)) --> (ALL z w. P(w,z))}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\subsection{A realistic quantifier proof}
+\index{examples!with quantifiers}
+To see the practical use of parameters and unknowns, let us prove half of
+the equivalence
+\[ (\forall x. P(x) \imp Q) \,\bimp\, ((\exists x. P(x)) \imp Q). \]
+We state the left-to-right half to Isabelle in the normal way.
+Since $\imp$ is nested to the right, $({\imp}I)$ can be applied twice; we
+use \texttt{REPEAT}:
+\begin{ttbox}
+Goal "(ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q";
+{\out Level 0}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out 1. (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+\ttbreak
+by (REPEAT (resolve_tac [impI] 1));
+{\out Level 1}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out 1. [| ALL x. P(x) --> Q; EX x. P(x) |] ==> Q}
+\end{ttbox}
+We can eliminate the universal or the existential quantifier. The
+existential quantifier should be eliminated first, since this creates a
+parameter. The rule~$(\exists E)$ is bound to the
+identifier~\tdx{exE}.
+\begin{ttbox}
+by (eresolve_tac [exE] 1);
+{\out Level 2}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out 1. !!x. [| ALL x. P(x) --> Q; P(x) |] ==> Q}
+\end{ttbox}
+The only possibility now is $(\forall E)$, a destruction rule. We use
+\ttindex{dresolve_tac}, which discards the quantified assumption; it is
+only needed once.
+\begin{ttbox}
+by (dresolve_tac [spec] 1);
+{\out Level 3}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out 1. !!x. [| P(x); P(?x3(x)) --> Q |] ==> Q}
+\end{ttbox}
+Because we applied $(\exists E)$ before $(\forall E)$, the unknown
+term~{\tt?x3(x)} may depend upon the parameter~\texttt{x}.
+
+Although $({\imp}E)$ is a destruction rule, it works with
+\ttindex{eresolve_tac} to perform backward chaining. This technique is
+frequently useful.
+\begin{ttbox}
+by (eresolve_tac [mp] 1);
+{\out Level 4}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out 1. !!x. P(x) ==> P(?x3(x))}
+\end{ttbox}
+The tactic has reduced~\texttt{Q} to~\texttt{P(?x3(x))}, deleting the
+implication. The final step is trivial, thanks to the occurrence of~\texttt{x}.
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 5}
+{\out (ALL x. P(x) --> Q) --> (EX x. P(x)) --> Q}
+{\out No subgoals!}
+\end{ttbox}
+
+
+\subsection{The classical reasoner}
+\index{classical reasoner}
+Isabelle provides enough automation to tackle substantial examples.
+The classical
+reasoner can be set up for any classical natural deduction logic;
+see \iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
+ {Chap.\ts\ref{chap:classical}}.
+It cannot compete with fully automatic theorem provers, but it is
+competitive with tools found in other interactive provers.
+
+Rules are packaged into {\bf classical sets}. The classical reasoner
+provides several tactics, which apply rules using naive algorithms.
+Unification handles quantifiers as shown above. The most useful tactic
+is~\ttindex{Blast_tac}.
+
+Let us solve problems~40 and~60 of Pelletier~\cite{pelletier86}. (The
+backslashes~\hbox{\verb|\|\ldots\verb|\|} are an \ML{} string escape
+sequence, to break the long string over two lines.)
+\begin{ttbox}
+Goal "(EX y. ALL x. J(y,x) <-> ~J(x,x)) \ttback
+\ttback --> ~ (ALL x. EX y. ALL z. J(z,y) <-> ~ J(z,x))";
+{\out Level 0}
+{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
+{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
+{\out 1. (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
+{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
+\end{ttbox}
+\ttindex{Blast_tac} proves subgoal~1 at a stroke.
+\begin{ttbox}
+by (Blast_tac 1);
+{\out Depth = 0}
+{\out Depth = 1}
+{\out Level 1}
+{\out (EX y. ALL x. J(y,x) <-> ~J(x,x)) -->}
+{\out ~(ALL x. EX y. ALL z. J(z,y) <-> ~J(z,x))}
+{\out No subgoals!}
+\end{ttbox}
+Sceptics may examine the proof by calling the package's single-step
+tactics, such as~\texttt{step_tac}. This would take up much space, however,
+so let us proceed to the next example:
+\begin{ttbox}
+Goal "ALL x. P(x,f(x)) <-> \ttback
+\ttback (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))";
+{\out Level 0}
+{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
+{\out 1. ALL x. P(x,f(x)) <->}
+{\out (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
+\end{ttbox}
+Again, subgoal~1 succumbs immediately.
+\begin{ttbox}
+by (Blast_tac 1);
+{\out Depth = 0}
+{\out Depth = 1}
+{\out Level 1}
+{\out ALL x. P(x,f(x)) <-> (EX y. (ALL z. P(z,y) --> P(z,f(x))) & P(x,y))}
+{\out No subgoals!}
+\end{ttbox}
+The classical reasoner is not restricted to the usual logical connectives.
+The natural deduction rules for unions and intersections resemble those for
+disjunction and conjunction. The rules for infinite unions and
+intersections resemble those for quantifiers. Given such rules, the classical
+reasoner is effective for reasoning in set theory.
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Intro/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,154 @@
+\documentclass[12pt,a4paper]{article}
+\usepackage{graphicx,iman,extra,ttbox,proof,pdfsetup}
+
+%% run bibtex intro to prepare bibliography
+%% run ../sedindex intro to prepare index file
+%prth *(\(.*\)); \1;
+%{\\out \(.*\)} {\\out val it = "\1" : thm}
+
+\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Old Introduction to Isabelle}
+\author{{\em Lawrence C. Paulson}\\
+ Computer Laboratory \\ University of Cambridge \\
+ \texttt{lcp@cl.cam.ac.uk}\\[3ex]
+ With Contributions by Tobias Nipkow and Markus Wenzel
+}
+\makeindex
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+\sloppy
+\binperiod %%%treat . like a binary operator
+
+\newcommand\qeq{\stackrel{?}{\equiv}} %for disagreement pairs in unification
+\newcommand{\nand}{\mathbin{\lnot\&}}
+\newcommand{\xor}{\mathbin{\#}}
+
+\pagenumbering{roman}
+\begin{document}
+\pagestyle{empty}
+\begin{titlepage}
+\maketitle
+\emph{Note}: this document is part of the earlier Isabelle documentation,
+which is largely superseded by the Isabelle/HOL
+\emph{Tutorial}~\cite{isa-tutorial}. It describes the old-style theory
+syntax and shows how to conduct proofs using the
+ML top level. This style of interaction is largely obsolete:
+most Isabelle proofs are now written using the Isar
+language and the Proof General interface. However, this paper contains valuable
+information that is not available elsewhere. Its examples are based
+on first-order logic rather than higher-order logic.
+
+\thispagestyle{empty}
+\vfill
+{\small Copyright \copyright{} \number\year{} by Lawrence C. Paulson}
+\end{titlepage}
+
+\pagestyle{headings}
+\part*{Preface}
+\index{Isabelle!overview} \index{Isabelle!object-logics supported}
+Isabelle~\cite{paulson-natural,paulson-found,paulson700} is a generic theorem
+prover. It has been instantiated to support reasoning in several
+object-logics:
+\begin{itemize}
+\item first-order logic, constructive and classical versions
+\item higher-order logic, similar to that of Gordon's {\sc
+hol}~\cite{mgordon-hol}
+\item Zermelo-Fraenkel set theory~\cite{suppes72}
+\item an extensional version of Martin-L\"of's Type Theory~\cite{nordstrom90}
+\item the classical first-order sequent calculus, {\sc lk}
+\item the modal logics $T$, $S4$, and $S43$
+\item the Logic for Computable Functions~\cite{paulson87}
+\end{itemize}
+A logic's syntax and inference rules are specified declaratively; this
+allows single-step proof construction. Isabelle provides control
+structures for expressing search procedures. Isabelle also provides
+several generic tools, such as simplifiers and classical theorem provers,
+which can be applied to object-logics.
+
+Isabelle is a large system, but beginners can get by with a small
+repertoire of commands and a basic knowledge of how Isabelle works.
+The Isabelle/HOL \emph{Tutorial}~\cite{isa-tutorial} describes how to get started. Advanced Isabelle users will benefit from some
+knowledge of Standard~\ML{}, because Isabelle is written in \ML{};
+\index{ML}
+if you are prepared to writing \ML{}
+code, you can get Isabelle to do almost anything. My book
+on~\ML{}~\cite{paulson-ml2} covers much material connected with Isabelle,
+including a simple theorem prover. Users must be familiar with logic as
+used in computer science; there are many good
+texts~\cite{galton90,reeves90}.
+
+\index{LCF}
+{\sc lcf}, developed by Robin Milner and colleagues~\cite{mgordon79}, is an
+ancestor of {\sc hol}, Nuprl, and several other systems. Isabelle borrows
+ideas from {\sc lcf}: formulae are~\ML{} values; theorems belong to an
+abstract type; tactics and tacticals support backward proof. But {\sc lcf}
+represents object-level rules by functions, while Isabelle represents them
+by terms. You may find my other writings~\cite{paulson87,paulson-handbook}
+helpful in understanding the relationship between {\sc lcf} and Isabelle.
+
+\index{Isabelle!release history} Isabelle was first distributed in 1986.
+The 1987 version introduced a higher-order meta-logic with an improved
+treatment of quantifiers. The 1988 version added limited polymorphism and
+support for natural deduction. The 1989 version included a parser and
+pretty printer generator. The 1992 version introduced type classes, to
+support many-sorted and higher-order logics. The 1994 version introduced
+greater support for theories. The most important recent change is the
+introduction of the Isar proof language, thanks to Markus Wenzel.
+Isabelle is still under
+development and will continue to change.
+
+\subsubsection*{Overview}
+This manual consists of three parts. Part~I discusses the Isabelle's
+foundations. Part~II, presents simple on-line sessions, starting with
+forward proof. It also covers basic tactics and tacticals, and some
+commands for invoking them. Part~III contains further examples for users
+with a bit of experience. It explains how to derive rules define theories,
+and concludes with an extended example: a Prolog interpreter.
+
+Isabelle's Reference Manual and Object-Logics manual contain more details.
+They assume familiarity with the concepts presented here.
+
+
+\subsubsection*{Acknowledgements}
+Tobias Nipkow contributed most of the section on defining theories.
+Stefan Berghofer, Sara Kalvala and Viktor Kuncak suggested improvements.
+
+Tobias Nipkow has made immense contributions to Isabelle, including the parser
+generator, type classes, and the simplifier. Carsten Clasohm and Markus
+Wenzel made major contributions; Sonia Mahjoub and Karin Nimmermann also
+helped. Isabelle was developed using Dave Matthews's Standard~{\sc ml}
+compiler, Poly/{\sc ml}. Many people have contributed to Isabelle's standard
+object-logics, including Martin Coen, Philippe de Groote, Philippe No\"el.
+The research has been funded by the EPSRC (grants GR/G53279, GR/H40570,
+GR/K57381, GR/K77051, GR/M75440) and by ESPRIT (projects 3245: Logical
+Frameworks, and 6453: Types), and by the DFG Schwerpunktprogramm
+\emph{Deduktion}.
+
+\newpage
+\pagestyle{plain} \tableofcontents
+\newpage
+
+\newfont{\sanssi}{cmssi12}
+\vspace*{2.5cm}
+\begin{quote}
+\raggedleft
+{\sanssi
+You can only find truth with logic\\
+if you have already found truth without it.}\\
+\bigskip
+
+G.K. Chesterton, {\em The Man who was Orthodox}
+\end{quote}
+
+\clearfirst \pagestyle{headings}
+\input{foundations}
+\input{getting}
+\input{advanced}
+
+\bibliographystyle{plain} \small\raggedright\frenchspacing
+\bibliography{manual}
+
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Base.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+theory Base
+imports Main
+begin
+
+ML_file "../antiquote_setup.ML"
+setup {* Antiquote_Setup.setup *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Eq.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,85 @@
+theory Eq
+imports Base
+begin
+
+chapter {* Equational reasoning *}
+
+text {* Equality is one of the most fundamental concepts of
+ mathematics. The Isabelle/Pure logic (\chref{ch:logic}) provides a
+ builtin relation @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> prop"} that expresses equality
+ of arbitrary terms (or propositions) at the framework level, as
+ expressed by certain basic inference rules (\secref{sec:eq-rules}).
+
+ Equational reasoning means to replace equals by equals, using
+ reflexivity and transitivity to form chains of replacement steps,
+ and congruence rules to access sub-structures. Conversions
+ (\secref{sec:conv}) provide a convenient framework to compose basic
+ equational steps to build specific equational reasoning tools.
+
+ Higher-order matching is able to provide suitable instantiations for
+ giving equality rules, which leads to the versatile concept of
+ @{text "\<lambda>"}-term rewriting (\secref{sec:rewriting}). Internally
+ this is based on the general-purpose Simplifier engine of Isabelle,
+ which is more specific and more efficient than plain conversions.
+
+ Object-logics usually introduce specific notions of equality or
+ equivalence, and relate it with the Pure equality. This enables to
+ re-use the Pure tools for equational reasoning for particular
+ object-logic connectives as well.
+*}
+
+
+section {* Basic equality rules \label{sec:eq-rules} *}
+
+text {* FIXME *}
+
+
+section {* Conversions \label{sec:conv} *}
+
+text {* FIXME *}
+
+
+section {* Rewriting \label{sec:rewriting} *}
+
+text {* Rewriting normalizes a given term (theorem or goal) by
+ replacing instances of given equalities @{text "t \<equiv> u"} in subterms.
+ Rewriting continues until no rewrites are applicable to any subterm.
+ This may be used to unfold simple definitions of the form @{text "f
+ x\<^sub>1 \<dots> x\<^sub>n \<equiv> u"}, but is slightly more general than that.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML rewrite_rule: "thm list -> thm -> thm"} \\
+ @{index_ML rewrite_goals_rule: "thm list -> thm -> thm"} \\
+ @{index_ML rewrite_goal_tac: "thm list -> int -> tactic"} \\
+ @{index_ML rewrite_goals_tac: "thm list -> tactic"} \\
+ @{index_ML fold_goals_tac: "thm list -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML rewrite_rule}~@{text "rules thm"} rewrites the whole
+ theorem by the given rules.
+
+ \item @{ML rewrite_goals_rule}~@{text "rules thm"} rewrites the
+ outer premises of the given theorem. Interpreting the same as a
+ goal state (\secref{sec:tactical-goals}) it means to rewrite all
+ subgoals (in the same manner as @{ML rewrite_goals_tac}).
+
+ \item @{ML rewrite_goal_tac}~@{text "rules i"} rewrites subgoal
+ @{text "i"} by the given rewrite rules.
+
+ \item @{ML rewrite_goals_tac}~@{text "rules"} rewrites all subgoals
+ by the given rewrite rules.
+
+ \item @{ML fold_goals_tac}~@{text "rules"} essentially uses @{ML
+ rewrite_goals_tac} with the symmetric form of each member of @{text
+ "rules"}, re-ordered to fold longer expression first. This supports
+ to idea to fold primitive definitions that appear in expended form
+ in the proof state.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Integration.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,307 @@
+theory Integration
+imports Base
+begin
+
+chapter {* System integration *}
+
+section {* Isar toplevel \label{sec:isar-toplevel} *}
+
+text {* The Isar toplevel may be considered the central hub of the
+ Isabelle/Isar system, where all key components and sub-systems are
+ integrated into a single read-eval-print loop of Isar commands,
+ which also incorporates the underlying ML compiler.
+
+ Isabelle/Isar departs from the original ``LCF system architecture''
+ where ML was really The Meta Language for defining theories and
+ conducting proofs. Instead, ML now only serves as the
+ implementation language for the system (and user extensions), while
+ the specific Isar toplevel supports the concepts of theory and proof
+ development natively. This includes the graph structure of theories
+ and the block structure of proofs, support for unlimited undo,
+ facilities for tracing, debugging, timing, profiling etc.
+
+ \medskip The toplevel maintains an implicit state, which is
+ transformed by a sequence of transitions -- either interactively or
+ in batch-mode. In interactive mode, Isar state transitions are
+ encapsulated as safe transactions, such that both failure and undo
+ are handled conveniently without destroying the underlying draft
+ theory (cf.~\secref{sec:context-theory}). In batch mode,
+ transitions operate in a linear (destructive) fashion, such that
+ error conditions abort the present attempt to construct a theory or
+ proof altogether.
+
+ The toplevel state is a disjoint sum of empty @{text toplevel}, or
+ @{text theory}, or @{text proof}. On entering the main Isar loop we
+ start with an empty toplevel. A theory is commenced by giving a
+ @{text \<THEORY>} header; within a theory we may issue theory
+ commands such as @{text \<DEFINITION>}, or state a @{text
+ \<THEOREM>} to be proven. Now we are within a proof state, with a
+ rich collection of Isar proof commands for structured proof
+ composition, or unstructured proof scripts. When the proof is
+ concluded we get back to the theory, which is then updated by
+ storing the resulting fact. Further theory declarations or theorem
+ statements with proofs may follow, until we eventually conclude the
+ theory development by issuing @{text \<END>}. The resulting theory
+ is then stored within the theory database and we are back to the
+ empty toplevel.
+
+ In addition to these proper state transformations, there are also
+ some diagnostic commands for peeking at the toplevel state without
+ modifying it (e.g.\ \isakeyword{thm}, \isakeyword{term},
+ \isakeyword{print-cases}).
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Toplevel.state} \\
+ @{index_ML Toplevel.UNDEF: "exn"} \\
+ @{index_ML Toplevel.is_toplevel: "Toplevel.state -> bool"} \\
+ @{index_ML Toplevel.theory_of: "Toplevel.state -> theory"} \\
+ @{index_ML Toplevel.proof_of: "Toplevel.state -> Proof.state"} \\
+ @{index_ML Toplevel.debug: "bool Unsynchronized.ref"} \\
+ @{index_ML Toplevel.timing: "bool Unsynchronized.ref"} \\
+ @{index_ML Toplevel.profiling: "int Unsynchronized.ref"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Toplevel.state} represents Isar toplevel
+ states, which are normally manipulated through the concept of
+ toplevel transitions only (\secref{sec:toplevel-transition}). Also
+ note that a raw toplevel state is subject to the same linearity
+ restrictions as a theory context (cf.~\secref{sec:context-theory}).
+
+ \item @{ML Toplevel.UNDEF} is raised for undefined toplevel
+ operations. Many operations work only partially for certain cases,
+ since @{ML_type Toplevel.state} is a sum type.
+
+ \item @{ML Toplevel.is_toplevel}~@{text "state"} checks for an empty
+ toplevel state.
+
+ \item @{ML Toplevel.theory_of}~@{text "state"} selects the
+ background theory of @{text "state"}, raises @{ML Toplevel.UNDEF}
+ for an empty toplevel state.
+
+ \item @{ML Toplevel.proof_of}~@{text "state"} selects the Isar proof
+ state if available, otherwise raises @{ML Toplevel.UNDEF}.
+
+ \item @{ML "Toplevel.debug := true"} makes the toplevel print further
+ details about internal error conditions, exceptions being raised
+ etc.
+
+ \item @{ML "Toplevel.timing := true"} makes the toplevel print timing
+ information for each Isar command being executed.
+
+ \item @{ML Toplevel.profiling}~@{ML_text ":="}~@{text "n"} controls
+ low-level profiling of the underlying ML runtime system. For
+ Poly/ML, @{text "n = 1"} means time and @{text "n = 2"} space
+ profiling.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "Isar.state"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{text "@{Isar.state}"} refers to Isar toplevel state at that
+ point --- as abstract value.
+
+ This only works for diagnostic ML commands, such as @{command
+ ML_val} or @{command ML_command}.
+
+ \end{description}
+*}
+
+
+subsection {* Toplevel transitions \label{sec:toplevel-transition} *}
+
+text {*
+ An Isar toplevel transition consists of a partial function on the
+ toplevel state, with additional information for diagnostics and
+ error reporting: there are fields for command name, source position,
+ optional source text, as well as flags for interactive-only commands
+ (which issue a warning in batch-mode), printing of result state,
+ etc.
+
+ The operational part is represented as the sequential union of a
+ list of partial functions, which are tried in turn until the first
+ one succeeds. This acts like an outer case-expression for various
+ alternative state transitions. For example, \isakeyword{qed} works
+ differently for a local proofs vs.\ the global ending of the main
+ proof.
+
+ Toplevel transitions are composed via transition transformers.
+ Internally, Isar commands are put together from an empty transition
+ extended by name and source position. It is then left to the
+ individual command parser to turn the given concrete syntax into a
+ suitable transition transformer that adjoins actual operations on a
+ theory or proof state etc.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Toplevel.print: "Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.no_timing: "Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.keep: "(Toplevel.state -> unit) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.theory: "(theory -> theory) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.theory_to_proof: "(theory -> Proof.state) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.proof: "(Proof.state -> Proof.state) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.proofs: "(Proof.state -> Proof.state Seq.seq) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ @{index_ML Toplevel.end_proof: "(bool -> Proof.state -> Proof.context) ->
+ Toplevel.transition -> Toplevel.transition"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Toplevel.print}~@{text "tr"} sets the print flag, which
+ causes the toplevel loop to echo the result state (in interactive
+ mode).
+
+ \item @{ML Toplevel.no_timing}~@{text "tr"} indicates that the
+ transition should never show timing information, e.g.\ because it is
+ a diagnostic command.
+
+ \item @{ML Toplevel.keep}~@{text "tr"} adjoins a diagnostic
+ function.
+
+ \item @{ML Toplevel.theory}~@{text "tr"} adjoins a theory
+ transformer.
+
+ \item @{ML Toplevel.theory_to_proof}~@{text "tr"} adjoins a global
+ goal function, which turns a theory into a proof state. The theory
+ may be changed before entering the proof; the generic Isar goal
+ setup includes an argument that specifies how to apply the proven
+ result to the theory, when the proof is finished.
+
+ \item @{ML Toplevel.proof}~@{text "tr"} adjoins a deterministic
+ proof command, with a singleton result.
+
+ \item @{ML Toplevel.proofs}~@{text "tr"} adjoins a general proof
+ command, with zero or more result states (represented as a lazy
+ list).
+
+ \item @{ML Toplevel.end_proof}~@{text "tr"} adjoins a concluding
+ proof command, that returns the resulting theory, after storing the
+ resulting facts in the context etc.
+
+ \end{description}
+*}
+
+
+section {* Theory database \label{sec:theory-database} *}
+
+text {*
+ The theory database maintains a collection of theories, together
+ with some administrative information about their original sources,
+ which are held in an external store (i.e.\ some directory within the
+ regular file system).
+
+ The theory database is organized as a directed acyclic graph;
+ entries are referenced by theory name. Although some additional
+ interfaces allow to include a directory specification as well, this
+ is only a hint to the underlying theory loader. The internal theory
+ name space is flat!
+
+ Theory @{text A} is associated with the main theory file @{text
+ A}\verb,.thy,, which needs to be accessible through the theory
+ loader path. Any number of additional ML source files may be
+ associated with each theory, by declaring these dependencies in the
+ theory header as @{text \<USES>}, and loading them consecutively
+ within the theory context. The system keeps track of incoming ML
+ sources and associates them with the current theory.
+
+ The basic internal actions of the theory database are @{text
+ "update"} and @{text "remove"}:
+
+ \begin{itemize}
+
+ \item @{text "update A"} introduces a link of @{text "A"} with a
+ @{text "theory"} value of the same name; it asserts that the theory
+ sources are now consistent with that value;
+
+ \item @{text "remove A"} deletes entry @{text "A"} from the theory
+ database.
+
+ \end{itemize}
+
+ These actions are propagated to sub- or super-graphs of a theory
+ entry as expected, in order to preserve global consistency of the
+ state of all loaded theories with the sources of the external store.
+ This implies certain causalities between actions: @{text "update"}
+ or @{text "remove"} of an entry will @{text "remove"} all
+ descendants.
+
+ \medskip There are separate user-level interfaces to operate on the
+ theory database directly or indirectly. The primitive actions then
+ just happen automatically while working with the system. In
+ particular, processing a theory header @{text "\<THEORY> A
+ \<IMPORTS> B\<^sub>1 \<dots> B\<^sub>n \<BEGIN>"} ensures that the
+ sub-graph of the collective imports @{text "B\<^sub>1 \<dots> B\<^sub>n"}
+ is up-to-date, too. Earlier theories are reloaded as required, with
+ @{text update} actions proceeding in topological order according to
+ theory dependencies. There may be also a wave of implied @{text
+ remove} actions for derived theory nodes until a stable situation
+ is achieved eventually.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML use_thy: "string -> unit"} \\
+ @{index_ML use_thys: "string list -> unit"} \\
+ @{index_ML Thy_Info.get_theory: "string -> theory"} \\
+ @{index_ML Thy_Info.remove_thy: "string -> unit"} \\[1ex]
+ @{index_ML Thy_Info.register_thy: "theory -> unit"} \\[1ex]
+ @{ML_text "datatype action = Update | Remove"} \\
+ @{index_ML Thy_Info.add_hook: "(Thy_Info.action -> string -> unit) -> unit"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML use_thy}~@{text A} ensures that theory @{text A} is fully
+ up-to-date wrt.\ the external file store, reloading outdated
+ ancestors as required. In batch mode, the simultaneous @{ML
+ use_thys} should be used exclusively.
+
+ \item @{ML use_thys} is similar to @{ML use_thy}, but handles
+ several theories simultaneously. Thus it acts like processing the
+ import header of a theory, without performing the merge of the
+ result. By loading a whole sub-graph of theories like that, the
+ intrinsic parallelism can be exploited by the system, to speedup
+ loading.
+
+ \item @{ML Thy_Info.get_theory}~@{text A} retrieves the theory value
+ presently associated with name @{text A}. Note that the result
+ might be outdated.
+
+ \item @{ML Thy_Info.remove_thy}~@{text A} deletes theory @{text A} and all
+ descendants from the theory database.
+
+ \item @{ML Thy_Info.register_thy}~@{text "text thy"} registers an
+ existing theory value with the theory loader database and updates
+ source version information according to the current file-system
+ state.
+
+ \item @{ML "Thy_Info.add_hook"}~@{text f} registers function @{text
+ f} as a hook for theory database actions. The function will be
+ invoked with the action and theory name being involved; thus derived
+ actions may be performed in associated system components, e.g.\
+ maintaining the state of an editor for the theory sources.
+
+ The kind and order of actions occurring in practice depends both on
+ user interactions and the internal process of resolving theory
+ imports. Hooks should not rely on a particular policy here! Any
+ exceptions raised by the hook are ignored.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Isar.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,584 @@
+theory Isar
+imports Base
+begin
+
+chapter {* Isar language elements *}
+
+text {* The Isar proof language (see also
+ \cite[\S2]{isabelle-isar-ref}) consists of three main categories of
+ language elements as follows.
+
+ \begin{enumerate}
+
+ \item Proof \emph{commands} define the primary language of
+ transactions of the underlying Isar/VM interpreter. Typical
+ examples are @{command "fix"}, @{command "assume"}, @{command
+ "show"}, @{command "proof"}, and @{command "qed"}.
+
+ Composing proof commands according to the rules of the Isar/VM leads
+ to expressions of structured proof text, such that both the machine
+ and the human reader can give it a meaning as formal reasoning.
+
+ \item Proof \emph{methods} define a secondary language of mixed
+ forward-backward refinement steps involving facts and goals.
+ Typical examples are @{method rule}, @{method unfold}, and @{method
+ simp}.
+
+ Methods can occur in certain well-defined parts of the Isar proof
+ language, say as arguments to @{command "proof"}, @{command "qed"},
+ or @{command "by"}.
+
+ \item \emph{Attributes} define a tertiary language of small
+ annotations to theorems being defined or referenced. Attributes can
+ modify both the context and the theorem.
+
+ Typical examples are @{attribute intro} (which affects the context),
+ and @{attribute symmetric} (which affects the theorem).
+
+ \end{enumerate}
+*}
+
+
+section {* Proof commands *}
+
+text {* A \emph{proof command} is state transition of the Isar/VM
+ proof interpreter.
+
+ In principle, Isar proof commands could be defined in user-space as
+ well. The system is built like that in the first place: one part of
+ the commands are primitive, the other part is defined as derived
+ elements. Adding to the genuine structured proof language requires
+ profound understanding of the Isar/VM machinery, though, so this is
+ beyond the scope of this manual.
+
+ What can be done realistically is to define some diagnostic commands
+ that inspect the general state of the Isar/VM, and report some
+ feedback to the user. Typically this involves checking of the
+ linguistic \emph{mode} of a proof state, or peeking at the pending
+ goals (if available).
+
+ Another common application is to define a toplevel command that
+ poses a problem to the user as Isar proof state and processes the
+ final result relatively to the context. Thus a proof can be
+ incorporated into the context of some user-space tool, without
+ modifying the Isar proof language itself. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Proof.state} \\
+ @{index_ML Proof.assert_forward: "Proof.state -> Proof.state"} \\
+ @{index_ML Proof.assert_chain: "Proof.state -> Proof.state"} \\
+ @{index_ML Proof.assert_backward: "Proof.state -> Proof.state"} \\
+ @{index_ML Proof.simple_goal: "Proof.state -> {context: Proof.context, goal: thm}"} \\
+ @{index_ML Proof.goal: "Proof.state ->
+ {context: Proof.context, facts: thm list, goal: thm}"} \\
+ @{index_ML Proof.raw_goal: "Proof.state ->
+ {context: Proof.context, facts: thm list, goal: thm}"} \\
+ @{index_ML Proof.theorem: "Method.text option ->
+ (thm list list -> Proof.context -> Proof.context) ->
+ (term * term list) list list -> Proof.context -> Proof.state"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Proof.state} represents Isar proof states.
+ This is a block-structured configuration with proof context,
+ linguistic mode, and optional goal. The latter consists of goal
+ context, goal facts (``@{text "using"}''), and tactical goal state
+ (see \secref{sec:tactical-goals}).
+
+ The general idea is that the facts shall contribute to the
+ refinement of some parts of the tactical goal --- how exactly is
+ defined by the proof method that is applied in that situation.
+
+ \item @{ML Proof.assert_forward}, @{ML Proof.assert_chain}, @{ML
+ Proof.assert_backward} are partial identity functions that fail
+ unless a certain linguistic mode is active, namely ``@{text
+ "proof(state)"}'', ``@{text "proof(chain)"}'', ``@{text
+ "proof(prove)"}'', respectively (using the terminology of
+ \cite{isabelle-isar-ref}).
+
+ It is advisable study the implementations of existing proof commands
+ for suitable modes to be asserted.
+
+ \item @{ML Proof.simple_goal}~@{text "state"} returns the structured
+ Isar goal (if available) in the form seen by ``simple'' methods
+ (like @{method simp} or @{method blast}). The Isar goal facts are
+ already inserted as premises into the subgoals, which are presented
+ individually as in @{ML Proof.goal}.
+
+ \item @{ML Proof.goal}~@{text "state"} returns the structured Isar
+ goal (if available) in the form seen by regular methods (like
+ @{method rule}). The auxiliary internal encoding of Pure
+ conjunctions is split into individual subgoals as usual.
+
+ \item @{ML Proof.raw_goal}~@{text "state"} returns the structured
+ Isar goal (if available) in the raw internal form seen by ``raw''
+ methods (like @{method induct}). This form is rarely appropriate
+ for dignostic tools; @{ML Proof.simple_goal} or @{ML Proof.goal}
+ should be used in most situations.
+
+ \item @{ML Proof.theorem}~@{text "before_qed after_qed statement ctxt"}
+ initializes a toplevel Isar proof state within a given context.
+
+ The optional @{text "before_qed"} method is applied at the end of
+ the proof, just before extracting the result (this feature is rarely
+ used).
+
+ The @{text "after_qed"} continuation receives the extracted result
+ in order to apply it to the final context in a suitable way (e.g.\
+ storing named facts). Note that at this generic level the target
+ context is specified as @{ML_type Proof.context}, but the usual
+ wrapping of toplevel proofs into command transactions will provide a
+ @{ML_type local_theory} here (\chref{ch:local-theory}). This
+ affects the way how results are stored.
+
+ The @{text "statement"} is given as a nested list of terms, each
+ associated with optional @{keyword "is"} patterns as usual in the
+ Isar source language. The original nested list structure over terms
+ is turned into one over theorems when @{text "after_qed"} is
+ invoked.
+
+ \end{description}
+*}
+
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "Isar.goal"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{text "@{Isar.goal}"} refers to the regular goal state (if
+ available) of the current proof state managed by the Isar toplevel
+ --- as abstract value.
+
+ This only works for diagnostic ML commands, such as @{command
+ ML_val} or @{command ML_command}.
+
+ \end{description}
+*}
+
+text %mlex {* The following example peeks at a certain goal configuration. *}
+
+notepad
+begin
+ have A and B and C
+ ML_val {*
+ val n = Thm.nprems_of (#goal @{Isar.goal});
+ @{assert} (n = 3);
+ *}
+ oops
+
+text {* Here we see 3 individual subgoals in the same way as regular
+ proof methods would do. *}
+
+
+section {* Proof methods *}
+
+text {* A @{text "method"} is a function @{text "context \<rightarrow> thm\<^sup>* \<rightarrow> goal
+ \<rightarrow> (cases \<times> goal)\<^sup>*\<^sup>*"} that operates on the full Isar goal
+ configuration with context, goal facts, and tactical goal state and
+ enumerates possible follow-up goal states, with the potential
+ addition of named extensions of the proof context (\emph{cases}).
+ The latter feature is rarely used.
+
+ This means a proof method is like a structurally enhanced tactic
+ (cf.\ \secref{sec:tactics}). The well-formedness conditions for
+ tactics need to hold for methods accordingly, with the following
+ additions.
+
+ \begin{itemize}
+
+ \item Goal addressing is further limited either to operate either
+ uniformly on \emph{all} subgoals, or specifically on the
+ \emph{first} subgoal.
+
+ Exception: old-style tactic emulations that are embedded into the
+ method space, e.g.\ @{method rule_tac}.
+
+ \item A non-trivial method always needs to make progress: an
+ identical follow-up goal state has to be avoided.\footnote{This
+ enables the user to write method expressions like @{text "meth\<^sup>+"}
+ without looping, while the trivial do-nothing case can be recovered
+ via @{text "meth\<^sup>?"}.}
+
+ Exception: trivial stuttering steps, such as ``@{method -}'' or
+ @{method succeed}.
+
+ \item Goal facts passed to the method must not be ignored. If there
+ is no sensible use of facts outside the goal state, facts should be
+ inserted into the subgoals that are addressed by the method.
+
+ \end{itemize}
+
+ \medskip Syntactically, the language of proof methods appears as
+ arguments to Isar commands like @{command "by"} or @{command apply}.
+ User-space additions are reasonably easy by plugging suitable
+ method-valued parser functions into the framework, using the
+ @{command method_setup} command, for example.
+
+ To get a better idea about the range of possibilities, consider the
+ following Isar proof schemes. This is the general form of
+ structured proof text:
+
+ \medskip
+ \begin{tabular}{l}
+ @{command from}~@{text "facts\<^sub>1"}~@{command have}~@{text "props"}~@{command using}~@{text "facts\<^sub>2"} \\
+ @{command proof}~@{text "(initial_method)"} \\
+ \quad@{text "body"} \\
+ @{command qed}~@{text "(terminal_method)"} \\
+ \end{tabular}
+ \medskip
+
+ The goal configuration consists of @{text "facts\<^sub>1"} and
+ @{text "facts\<^sub>2"} appended in that order, and various @{text
+ "props"} being claimed. The @{text "initial_method"} is invoked
+ with facts and goals together and refines the problem to something
+ that is handled recursively in the proof @{text "body"}. The @{text
+ "terminal_method"} has another chance to finish any remaining
+ subgoals, but it does not see the facts of the initial step.
+
+ \medskip This pattern illustrates unstructured proof scripts:
+
+ \medskip
+ \begin{tabular}{l}
+ @{command have}~@{text "props"} \\
+ \quad@{command using}~@{text "facts\<^sub>1"}~@{command apply}~@{text "method\<^sub>1"} \\
+ \quad@{command apply}~@{text "method\<^sub>2"} \\
+ \quad@{command using}~@{text "facts\<^sub>3"}~@{command apply}~@{text "method\<^sub>3"} \\
+ \quad@{command done} \\
+ \end{tabular}
+ \medskip
+
+ The @{text "method\<^sub>1"} operates on the original claim while
+ using @{text "facts\<^sub>1"}. Since the @{command apply} command
+ structurally resets the facts, the @{text "method\<^sub>2"} will
+ operate on the remaining goal state without facts. The @{text
+ "method\<^sub>3"} will see again a collection of @{text
+ "facts\<^sub>3"} that has been inserted into the script explicitly.
+
+ \medskip Empirically, any Isar proof method can be categorized as
+ follows.
+
+ \begin{enumerate}
+
+ \item \emph{Special method with cases} with named context additions
+ associated with the follow-up goal state.
+
+ Example: @{method "induct"}, which is also a ``raw'' method since it
+ operates on the internal representation of simultaneous claims as
+ Pure conjunction (\secref{sec:logic-aux}), instead of separate
+ subgoals (\secref{sec:tactical-goals}).
+
+ \item \emph{Structured method} with strong emphasis on facts outside
+ the goal state.
+
+ Example: @{method "rule"}, which captures the key ideas behind
+ structured reasoning in Isar in purest form.
+
+ \item \emph{Simple method} with weaker emphasis on facts, which are
+ inserted into subgoals to emulate old-style tactical as
+ ``premises''.
+
+ Examples: @{method "simp"}, @{method "blast"}, @{method "auto"}.
+
+ \item \emph{Old-style tactic emulation} with detailed numeric goal
+ addressing and explicit references to entities of the internal goal
+ state (which are otherwise invisible from proper Isar proof text).
+ The naming convention @{text "foo_tac"} makes this special
+ non-standard status clear.
+
+ Example: @{method "rule_tac"}.
+
+ \end{enumerate}
+
+ When implementing proof methods, it is advisable to study existing
+ implementations carefully and imitate the typical ``boiler plate''
+ for context-sensitive parsing and further combinators to wrap-up
+ tactic expressions as methods.\footnote{Aliases or abbreviations of
+ the standard method combinators should be avoided. Note that from
+ Isabelle99 until Isabelle2009 the system did provide various odd
+ combinations of method wrappers that made user applications more
+ complicated than necessary.}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Proof.method} \\
+ @{index_ML METHOD_CASES: "(thm list -> cases_tactic) -> Proof.method"} \\
+ @{index_ML METHOD: "(thm list -> tactic) -> Proof.method"} \\
+ @{index_ML SIMPLE_METHOD: "tactic -> Proof.method"} \\
+ @{index_ML SIMPLE_METHOD': "(int -> tactic) -> Proof.method"} \\
+ @{index_ML Method.insert_tac: "thm list -> int -> tactic"} \\
+ @{index_ML Method.setup: "binding -> (Proof.context -> Proof.method) context_parser ->
+ string -> theory -> theory"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Proof.method} represents proof methods as
+ abstract type.
+
+ \item @{ML METHOD_CASES}~@{text "(fn facts => cases_tactic)"} wraps
+ @{text cases_tactic} depending on goal facts as proof method with
+ cases; the goal context is passed via method syntax.
+
+ \item @{ML METHOD}~@{text "(fn facts => tactic)"} wraps @{text
+ tactic} depending on goal facts as regular proof method; the goal
+ context is passed via method syntax.
+
+ \item @{ML SIMPLE_METHOD}~@{text "tactic"} wraps a tactic that
+ addresses all subgoals uniformly as simple proof method. Goal facts
+ are already inserted into all subgoals before @{text "tactic"} is
+ applied.
+
+ \item @{ML SIMPLE_METHOD'}~@{text "tactic"} wraps a tactic that
+ addresses a specific subgoal as simple proof method that operates on
+ subgoal 1. Goal facts are inserted into the subgoal then the @{text
+ "tactic"} is applied.
+
+ \item @{ML Method.insert_tac}~@{text "facts i"} inserts @{text
+ "facts"} into subgoal @{text "i"}. This is convenient to reproduce
+ part of the @{ML SIMPLE_METHOD} or @{ML SIMPLE_METHOD'} wrapping
+ within regular @{ML METHOD}, for example.
+
+ \item @{ML Method.setup}~@{text "name parser description"} provides
+ the functionality of the Isar command @{command method_setup} as ML
+ function.
+
+ \end{description}
+*}
+
+text %mlex {* See also @{command method_setup} in
+ \cite{isabelle-isar-ref} which includes some abstract examples.
+
+ \medskip The following toy examples illustrate how the goal facts
+ and state are passed to proof methods. The pre-defined proof method
+ called ``@{method tactic}'' wraps ML source of type @{ML_type
+ tactic} (abstracted over @{ML_text facts}). This allows immediate
+ experimentation without parsing of concrete syntax. *}
+
+notepad
+begin
+ assume a: A and b: B
+
+ have "A \<and> B"
+ apply (tactic {* rtac @{thm conjI} 1 *})
+ using a apply (tactic {* resolve_tac facts 1 *})
+ using b apply (tactic {* resolve_tac facts 1 *})
+ done
+
+ have "A \<and> B"
+ using a and b
+ ML_val "@{Isar.goal}"
+ apply (tactic {* Method.insert_tac facts 1 *})
+ apply (tactic {* (rtac @{thm conjI} THEN_ALL_NEW atac) 1 *})
+ done
+end
+
+text {* \medskip The next example implements a method that simplifies
+ the first subgoal by rewrite rules given as arguments. *}
+
+method_setup my_simp = {*
+ Attrib.thms >> (fn thms => fn ctxt =>
+ SIMPLE_METHOD' (fn i =>
+ CHANGED (asm_full_simp_tac
+ (HOL_basic_ss addsimps thms) i)))
+*} "rewrite subgoal by given rules"
+
+text {* The concrete syntax wrapping of @{command method_setup} always
+ passes-through the proof context at the end of parsing, but it is
+ not used in this example.
+
+ The @{ML Attrib.thms} parser produces a list of theorems from the
+ usual Isar syntax involving attribute expressions etc.\ (syntax
+ category @{syntax thmrefs}) \cite{isabelle-isar-ref}. The resulting
+ @{ML_text thms} are added to @{ML HOL_basic_ss} which already
+ contains the basic Simplifier setup for HOL.
+
+ The tactic @{ML asm_full_simp_tac} is the one that is also used in
+ method @{method simp} by default. The extra wrapping by the @{ML
+ CHANGED} tactical ensures progress of simplification: identical goal
+ states are filtered out explicitly to make the raw tactic conform to
+ standard Isar method behaviour.
+
+ \medskip Method @{method my_simp} can be used in Isar proofs like
+ this:
+*}
+
+notepad
+begin
+ fix a b c
+ assume a: "a = b"
+ assume b: "b = c"
+ have "a = c" by (my_simp a b)
+end
+
+text {* Here is a similar method that operates on all subgoals,
+ instead of just the first one. *}
+
+method_setup my_simp_all = {*
+ Attrib.thms >> (fn thms => fn ctxt =>
+ SIMPLE_METHOD
+ (CHANGED
+ (ALLGOALS (asm_full_simp_tac
+ (HOL_basic_ss addsimps thms)))))
+*} "rewrite all subgoals by given rules"
+
+notepad
+begin
+ fix a b c
+ assume a: "a = b"
+ assume b: "b = c"
+ have "a = c" and "c = b" by (my_simp_all a b)
+end
+
+text {* \medskip Apart from explicit arguments, common proof methods
+ typically work with a default configuration provided by the context.
+ As a shortcut to rule management we use a cheap solution via functor
+ @{ML_functor Named_Thms} (see also @{file
+ "~~/src/Pure/Tools/named_thms.ML"}). *}
+
+ML {*
+ structure My_Simps =
+ Named_Thms
+ (val name = @{binding my_simp} val description = "my_simp rule")
+*}
+setup My_Simps.setup
+
+text {* This provides ML access to a list of theorems in canonical
+ declaration order via @{ML My_Simps.get}. The user can add or
+ delete rules via the attribute @{attribute my_simp}. The actual
+ proof method is now defined as before, but we append the explicit
+ arguments and the rules from the context. *}
+
+method_setup my_simp' = {*
+ Attrib.thms >> (fn thms => fn ctxt =>
+ SIMPLE_METHOD' (fn i =>
+ CHANGED (asm_full_simp_tac
+ (HOL_basic_ss addsimps (thms @ My_Simps.get ctxt)) i)))
+*} "rewrite subgoal by given rules and my_simp rules from the context"
+
+text {*
+ \medskip Method @{method my_simp'} can be used in Isar proofs
+ like this:
+*}
+
+notepad
+begin
+ fix a b c
+ assume [my_simp]: "a \<equiv> b"
+ assume [my_simp]: "b \<equiv> c"
+ have "a \<equiv> c" by my_simp'
+end
+
+text {* \medskip The @{method my_simp} variants defined above are
+ ``simple'' methods, i.e.\ the goal facts are merely inserted as goal
+ premises by the @{ML SIMPLE_METHOD'} or @{ML SIMPLE_METHOD} wrapper.
+ For proof methods that are similar to the standard collection of
+ @{method simp}, @{method blast}, @{method fast}, @{method auto}
+ there is little more that can be done.
+
+ Note that using the primary goal facts in the same manner as the
+ method arguments obtained via concrete syntax or the context does
+ not meet the requirement of ``strong emphasis on facts'' of regular
+ proof methods, because rewrite rules as used above can be easily
+ ignored. A proof text ``@{command using}~@{text "foo"}~@{command
+ "by"}~@{text "my_simp"}'' where @{text "foo"} is not used would
+ deceive the reader.
+
+ \medskip The technical treatment of rules from the context requires
+ further attention. Above we rebuild a fresh @{ML_type simpset} from
+ the arguments and \emph{all} rules retrieved from the context on
+ every invocation of the method. This does not scale to really large
+ collections of rules, which easily emerges in the context of a big
+ theory library, for example.
+
+ This is an inherent limitation of the simplistic rule management via
+ functor @{ML_functor Named_Thms}, because it lacks tool-specific
+ storage and retrieval. More realistic applications require
+ efficient index-structures that organize theorems in a customized
+ manner, such as a discrimination net that is indexed by the
+ left-hand sides of rewrite rules. For variations on the Simplifier,
+ re-use of the existing type @{ML_type simpset} is adequate, but
+ scalability would require it be maintained statically within the
+ context data, not dynamically on each tool invocation. *}
+
+
+section {* Attributes \label{sec:attributes} *}
+
+text {* An \emph{attribute} is a function @{text "context \<times> thm \<rightarrow>
+ context \<times> thm"}, which means both a (generic) context and a theorem
+ can be modified simultaneously. In practice this mixed form is very
+ rare, instead attributes are presented either as \emph{declaration
+ attribute:} @{text "thm \<rightarrow> context \<rightarrow> context"} or \emph{rule
+ attribute:} @{text "context \<rightarrow> thm \<rightarrow> thm"}.
+
+ Attributes can have additional arguments via concrete syntax. There
+ is a collection of context-sensitive parsers for various logical
+ entities (types, terms, theorems). These already take care of
+ applying morphisms to the arguments when attribute expressions are
+ moved into a different context (see also \secref{sec:morphisms}).
+
+ When implementing declaration attributes, it is important to operate
+ exactly on the variant of the generic context that is provided by
+ the system, which is either global theory context or local proof
+ context. In particular, the background theory of a local context
+ must not be modified in this situation! *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type attribute} \\
+ @{index_ML Thm.rule_attribute: "(Context.generic -> thm -> thm) -> attribute"} \\
+ @{index_ML Thm.declaration_attribute: "
+ (thm -> Context.generic -> Context.generic) -> attribute"} \\
+ @{index_ML Attrib.setup: "binding -> attribute context_parser ->
+ string -> theory -> theory"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type attribute} represents attributes as concrete
+ type alias.
+
+ \item @{ML Thm.rule_attribute}~@{text "(fn context => rule)"} wraps
+ a context-dependent rule (mapping on @{ML_type thm}) as attribute.
+
+ \item @{ML Thm.declaration_attribute}~@{text "(fn thm => decl)"}
+ wraps a theorem-dependent declaration (mapping on @{ML_type
+ Context.generic}) as attribute.
+
+ \item @{ML Attrib.setup}~@{text "name parser description"} provides
+ the functionality of the Isar command @{command attribute_setup} as
+ ML function.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def attributes} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation attributes} attributes
+ "}
+
+ \begin{description}
+
+ \item @{text "@{attributes [\<dots>]}"} embeds attribute source
+ representation into the ML text, which is particularly useful with
+ declarations like @{ML Local_Theory.note}. Attribute names are
+ internalized at compile time, but the source is unevaluated. This
+ means attributes with formal arguments (types, terms, theorems) may
+ be subject to odd effects of dynamic scoping!
+
+ \end{description}
+*}
+
+text %mlex {* See also @{command attribute_setup} in
+ \cite{isabelle-isar-ref} which includes some abstract examples. *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Local_Theory.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,167 @@
+theory Local_Theory
+imports Base
+begin
+
+chapter {* Local theory specifications \label{ch:local-theory} *}
+
+text {*
+ A \emph{local theory} combines aspects of both theory and proof
+ context (cf.\ \secref{sec:context}), such that definitional
+ specifications may be given relatively to parameters and
+ assumptions. A local theory is represented as a regular proof
+ context, augmented by administrative data about the \emph{target
+ context}.
+
+ The target is usually derived from the background theory by adding
+ local @{text "\<FIX>"} and @{text "\<ASSUME>"} elements, plus
+ suitable modifications of non-logical context data (e.g.\ a special
+ type-checking discipline). Once initialized, the target is ready to
+ absorb definitional primitives: @{text "\<DEFINE>"} for terms and
+ @{text "\<NOTE>"} for theorems. Such definitions may get
+ transformed in a target-specific way, but the programming interface
+ hides such details.
+
+ Isabelle/Pure provides target mechanisms for locales, type-classes,
+ type-class instantiations, and general overloading. In principle,
+ users can implement new targets as well, but this rather arcane
+ discipline is beyond the scope of this manual. In contrast,
+ implementing derived definitional packages to be used within a local
+ theory context is quite easy: the interfaces are even simpler and
+ more abstract than the underlying primitives for raw theories.
+
+ Many definitional packages for local theories are available in
+ Isabelle. Although a few old packages only work for global
+ theories, the standard way of implementing definitional packages in
+ Isabelle is via the local theory interface.
+*}
+
+
+section {* Definitional elements *}
+
+text {*
+ There are separate elements @{text "\<DEFINE> c \<equiv> t"} for terms, and
+ @{text "\<NOTE> b = thm"} for theorems. Types are treated
+ implicitly, according to Hindley-Milner discipline (cf.\
+ \secref{sec:variables}). These definitional primitives essentially
+ act like @{text "let"}-bindings within a local context that may
+ already contain earlier @{text "let"}-bindings and some initial
+ @{text "\<lambda>"}-bindings. Thus we gain \emph{dependent definitions}
+ that are relative to an initial axiomatic context. The following
+ diagram illustrates this idea of axiomatic elements versus
+ definitional elements:
+
+ \begin{center}
+ \begin{tabular}{|l|l|l|}
+ \hline
+ & @{text "\<lambda>"}-binding & @{text "let"}-binding \\
+ \hline
+ types & fixed @{text "\<alpha>"} & arbitrary @{text "\<beta>"} \\
+ terms & @{text "\<FIX> x :: \<tau>"} & @{text "\<DEFINE> c \<equiv> t"} \\
+ theorems & @{text "\<ASSUME> a: A"} & @{text "\<NOTE> b = \<^BG>B\<^EN>"} \\
+ \hline
+ \end{tabular}
+ \end{center}
+
+ A user package merely needs to produce suitable @{text "\<DEFINE>"}
+ and @{text "\<NOTE>"} elements according to the application. For
+ example, a package for inductive definitions might first @{text
+ "\<DEFINE>"} a certain predicate as some fixed-point construction,
+ then @{text "\<NOTE>"} a proven result about monotonicity of the
+ functor involved here, and then produce further derived concepts via
+ additional @{text "\<DEFINE>"} and @{text "\<NOTE>"} elements.
+
+ The cumulative sequence of @{text "\<DEFINE>"} and @{text "\<NOTE>"}
+ produced at package runtime is managed by the local theory
+ infrastructure by means of an \emph{auxiliary context}. Thus the
+ system holds up the impression of working within a fully abstract
+ situation with hypothetical entities: @{text "\<DEFINE> c \<equiv> t"}
+ always results in a literal fact @{text "\<^BG>c \<equiv> t\<^EN>"}, where
+ @{text "c"} is a fixed variable @{text "c"}. The details about
+ global constants, name spaces etc. are handled internally.
+
+ So the general structure of a local theory is a sandwich of three
+ layers:
+
+ \begin{center}
+ \framebox{\quad auxiliary context \quad\framebox{\quad target context \quad\framebox{\quad background theory\quad}}}
+ \end{center}
+
+ When a definitional package is finished, the auxiliary context is
+ reset to the target context. The target now holds definitions for
+ terms and theorems that stem from the hypothetical @{text
+ "\<DEFINE>"} and @{text "\<NOTE>"} elements, transformed by the
+ particular target policy (see \cite[\S4--5]{Haftmann-Wenzel:2009}
+ for details). *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type local_theory: Proof.context} \\
+ @{index_ML Named_Target.init: "(local_theory -> local_theory) ->
+ string -> theory -> local_theory"} \\[1ex]
+ @{index_ML Local_Theory.define: "(binding * mixfix) * (Attrib.binding * term) ->
+ local_theory -> (term * (string * thm)) * local_theory"} \\
+ @{index_ML Local_Theory.note: "Attrib.binding * thm list ->
+ local_theory -> (string * thm list) * local_theory"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type local_theory} represents local theories.
+ Although this is merely an alias for @{ML_type Proof.context}, it is
+ semantically a subtype of the same: a @{ML_type local_theory} holds
+ target information as special context data. Subtyping means that
+ any value @{text "lthy:"}~@{ML_type local_theory} can be also used
+ with operations on expecting a regular @{text "ctxt:"}~@{ML_type
+ Proof.context}.
+
+ \item @{ML Named_Target.init}~@{text "before_exit name thy"}
+ initializes a local theory derived from the given background theory.
+ An empty name refers to a \emph{global theory} context, and a
+ non-empty name refers to a @{command locale} or @{command class}
+ context (a fully-qualified internal name is expected here). This is
+ useful for experimentation --- normally the Isar toplevel already
+ takes care to initialize the local theory context. The given @{text
+ "before_exit"} function is invoked before leaving the context; in
+ most situations plain identity @{ML I} is sufficient.
+
+ \item @{ML Local_Theory.define}~@{text "((b, mx), (a, rhs))
+ lthy"} defines a local entity according to the specification that is
+ given relatively to the current @{text "lthy"} context. In
+ particular the term of the RHS may refer to earlier local entities
+ from the auxiliary context, or hypothetical parameters from the
+ target context. The result is the newly defined term (which is
+ always a fixed variable with exactly the same name as specified for
+ the LHS), together with an equational theorem that states the
+ definition as a hypothetical fact.
+
+ Unless an explicit name binding is given for the RHS, the resulting
+ fact will be called @{text "b_def"}. Any given attributes are
+ applied to that same fact --- immediately in the auxiliary context
+ \emph{and} in any transformed versions stemming from target-specific
+ policies or any later interpretations of results from the target
+ context (think of @{command locale} and @{command interpretation},
+ for example). This means that attributes should be usually plain
+ declarations such as @{attribute simp}, while non-trivial rules like
+ @{attribute simplified} are better avoided.
+
+ \item @{ML Local_Theory.note}~@{text "(a, ths) lthy"} is
+ analogous to @{ML Local_Theory.define}, but defines facts instead of
+ terms. There is also a slightly more general variant @{ML
+ Local_Theory.notes} that defines several facts (with attribute
+ expressions) simultaneously.
+
+ This is essentially the internal version of the @{command lemmas}
+ command, or @{command declare} if an empty name binding is given.
+
+ \end{description}
+*}
+
+
+section {* Morphisms and declarations \label{sec:morphisms} *}
+
+text {* FIXME
+
+ \medskip See also \cite{Chaieb-Wenzel:2007}.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Logic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1137 @@
+theory Logic
+imports Base
+begin
+
+chapter {* Primitive logic \label{ch:logic} *}
+
+text {*
+ The logical foundations of Isabelle/Isar are that of the Pure logic,
+ which has been introduced as a Natural Deduction framework in
+ \cite{paulson700}. This is essentially the same logic as ``@{text
+ "\<lambda>HOL"}'' in the more abstract setting of Pure Type Systems (PTS)
+ \cite{Barendregt-Geuvers:2001}, although there are some key
+ differences in the specific treatment of simple types in
+ Isabelle/Pure.
+
+ Following type-theoretic parlance, the Pure logic consists of three
+ levels of @{text "\<lambda>"}-calculus with corresponding arrows, @{text
+ "\<Rightarrow>"} for syntactic function space (terms depending on terms), @{text
+ "\<And>"} for universal quantification (proofs depending on terms), and
+ @{text "\<Longrightarrow>"} for implication (proofs depending on proofs).
+
+ Derivations are relative to a logical theory, which declares type
+ constructors, constants, and axioms. Theory declarations support
+ schematic polymorphism, which is strictly speaking outside the
+ logic.\footnote{This is the deeper logical reason, why the theory
+ context @{text "\<Theta>"} is separate from the proof context @{text "\<Gamma>"}
+ of the core calculus: type constructors, term constants, and facts
+ (proof constants) may involve arbitrary type schemes, but the type
+ of a locally fixed term parameter is also fixed!}
+*}
+
+
+section {* Types \label{sec:types} *}
+
+text {*
+ The language of types is an uninterpreted order-sorted first-order
+ algebra; types are qualified by ordered type classes.
+
+ \medskip A \emph{type class} is an abstract syntactic entity
+ declared in the theory context. The \emph{subclass relation} @{text
+ "c\<^isub>1 \<subseteq> c\<^isub>2"} is specified by stating an acyclic
+ generating relation; the transitive closure is maintained
+ internally. The resulting relation is an ordering: reflexive,
+ transitive, and antisymmetric.
+
+ A \emph{sort} is a list of type classes written as @{text "s = {c\<^isub>1,
+ \<dots>, c\<^isub>m}"}, it represents symbolic intersection. Notationally, the
+ curly braces are omitted for singleton intersections, i.e.\ any
+ class @{text "c"} may be read as a sort @{text "{c}"}. The ordering
+ on type classes is extended to sorts according to the meaning of
+ intersections: @{text "{c\<^isub>1, \<dots> c\<^isub>m} \<subseteq> {d\<^isub>1, \<dots>, d\<^isub>n}"} iff @{text
+ "\<forall>j. \<exists>i. c\<^isub>i \<subseteq> d\<^isub>j"}. The empty intersection @{text "{}"} refers to
+ the universal sort, which is the largest element wrt.\ the sort
+ order. Thus @{text "{}"} represents the ``full sort'', not the
+ empty one! The intersection of all (finitely many) classes declared
+ in the current theory is the least element wrt.\ the sort ordering.
+
+ \medskip A \emph{fixed type variable} is a pair of a basic name
+ (starting with a @{text "'"} character) and a sort constraint, e.g.\
+ @{text "('a, s)"} which is usually printed as @{text "\<alpha>\<^isub>s"}.
+ A \emph{schematic type variable} is a pair of an indexname and a
+ sort constraint, e.g.\ @{text "(('a, 0), s)"} which is usually
+ printed as @{text "?\<alpha>\<^isub>s"}.
+
+ Note that \emph{all} syntactic components contribute to the identity
+ of type variables: basic name, index, and sort constraint. The core
+ logic handles type variables with the same name but different sorts
+ as different, although the type-inference layer (which is outside
+ the core) rejects anything like that.
+
+ A \emph{type constructor} @{text "\<kappa>"} is a @{text "k"}-ary operator
+ on types declared in the theory. Type constructor application is
+ written postfix as @{text "(\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>k)\<kappa>"}. For
+ @{text "k = 0"} the argument tuple is omitted, e.g.\ @{text "prop"}
+ instead of @{text "()prop"}. For @{text "k = 1"} the parentheses
+ are omitted, e.g.\ @{text "\<alpha> list"} instead of @{text "(\<alpha>)list"}.
+ Further notation is provided for specific constructors, notably the
+ right-associative infix @{text "\<alpha> \<Rightarrow> \<beta>"} instead of @{text "(\<alpha>,
+ \<beta>)fun"}.
+
+ The logical category \emph{type} is defined inductively over type
+ variables and type constructors as follows: @{text "\<tau> = \<alpha>\<^isub>s | ?\<alpha>\<^isub>s |
+ (\<tau>\<^sub>1, \<dots>, \<tau>\<^sub>k)\<kappa>"}.
+
+ A \emph{type abbreviation} is a syntactic definition @{text
+ "(\<^vec>\<alpha>)\<kappa> = \<tau>"} of an arbitrary type expression @{text "\<tau>"} over
+ variables @{text "\<^vec>\<alpha>"}. Type abbreviations appear as type
+ constructors in the syntax, but are expanded before entering the
+ logical core.
+
+ A \emph{type arity} declares the image behavior of a type
+ constructor wrt.\ the algebra of sorts: @{text "\<kappa> :: (s\<^isub>1, \<dots>,
+ s\<^isub>k)s"} means that @{text "(\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>k)\<kappa>"} is
+ of sort @{text "s"} if every argument type @{text "\<tau>\<^isub>i"} is
+ of sort @{text "s\<^isub>i"}. Arity declarations are implicitly
+ completed, i.e.\ @{text "\<kappa> :: (\<^vec>s)c"} entails @{text "\<kappa> ::
+ (\<^vec>s)c'"} for any @{text "c' \<supseteq> c"}.
+
+ \medskip The sort algebra is always maintained as \emph{coregular},
+ which means that type arities are consistent with the subclass
+ relation: for any type constructor @{text "\<kappa>"}, and classes @{text
+ "c\<^isub>1 \<subseteq> c\<^isub>2"}, and arities @{text "\<kappa> ::
+ (\<^vec>s\<^isub>1)c\<^isub>1"} and @{text "\<kappa> ::
+ (\<^vec>s\<^isub>2)c\<^isub>2"} holds @{text "\<^vec>s\<^isub>1 \<subseteq>
+ \<^vec>s\<^isub>2"} component-wise.
+
+ The key property of a coregular order-sorted algebra is that sort
+ constraints can be solved in a most general fashion: for each type
+ constructor @{text "\<kappa>"} and sort @{text "s"} there is a most general
+ vector of argument sorts @{text "(s\<^isub>1, \<dots>, s\<^isub>k)"} such
+ that a type scheme @{text "(\<alpha>\<^bsub>s\<^isub>1\<^esub>, \<dots>,
+ \<alpha>\<^bsub>s\<^isub>k\<^esub>)\<kappa>"} is of sort @{text "s"}.
+ Consequently, type unification has most general solutions (modulo
+ equivalence of sorts), so type-inference produces primary types as
+ expected \cite{nipkow-prehofer}.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type class: string} \\
+ @{index_ML_type sort: "class list"} \\
+ @{index_ML_type arity: "string * sort list * sort"} \\
+ @{index_ML_type typ} \\
+ @{index_ML Term.map_atyps: "(typ -> typ) -> typ -> typ"} \\
+ @{index_ML Term.fold_atyps: "(typ -> 'a -> 'a) -> typ -> 'a -> 'a"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML Sign.subsort: "theory -> sort * sort -> bool"} \\
+ @{index_ML Sign.of_sort: "theory -> typ * sort -> bool"} \\
+ @{index_ML Sign.add_type: "Proof.context -> binding * int * mixfix -> theory -> theory"} \\
+ @{index_ML Sign.add_type_abbrev: "Proof.context ->
+ binding * string list * typ -> theory -> theory"} \\
+ @{index_ML Sign.primitive_class: "binding * class list -> theory -> theory"} \\
+ @{index_ML Sign.primitive_classrel: "class * class -> theory -> theory"} \\
+ @{index_ML Sign.primitive_arity: "arity -> theory -> theory"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type class} represents type classes.
+
+ \item Type @{ML_type sort} represents sorts, i.e.\ finite
+ intersections of classes. The empty list @{ML "[]: sort"} refers to
+ the empty class intersection, i.e.\ the ``full sort''.
+
+ \item Type @{ML_type arity} represents type arities. A triple
+ @{text "(\<kappa>, \<^vec>s, s) : arity"} represents @{text "\<kappa> ::
+ (\<^vec>s)s"} as described above.
+
+ \item Type @{ML_type typ} represents types; this is a datatype with
+ constructors @{ML TFree}, @{ML TVar}, @{ML Type}.
+
+ \item @{ML Term.map_atyps}~@{text "f \<tau>"} applies the mapping @{text
+ "f"} to all atomic types (@{ML TFree}, @{ML TVar}) occurring in
+ @{text "\<tau>"}.
+
+ \item @{ML Term.fold_atyps}~@{text "f \<tau>"} iterates the operation
+ @{text "f"} over all occurrences of atomic types (@{ML TFree}, @{ML
+ TVar}) in @{text "\<tau>"}; the type structure is traversed from left to
+ right.
+
+ \item @{ML Sign.subsort}~@{text "thy (s\<^isub>1, s\<^isub>2)"}
+ tests the subsort relation @{text "s\<^isub>1 \<subseteq> s\<^isub>2"}.
+
+ \item @{ML Sign.of_sort}~@{text "thy (\<tau>, s)"} tests whether type
+ @{text "\<tau>"} is of sort @{text "s"}.
+
+ \item @{ML Sign.add_type}~@{text "ctxt (\<kappa>, k, mx)"} declares a
+ new type constructors @{text "\<kappa>"} with @{text "k"} arguments and
+ optional mixfix syntax.
+
+ \item @{ML Sign.add_type_abbrev}~@{text "ctxt (\<kappa>, \<^vec>\<alpha>, \<tau>)"}
+ defines a new type abbreviation @{text "(\<^vec>\<alpha>)\<kappa> = \<tau>"}.
+
+ \item @{ML Sign.primitive_class}~@{text "(c, [c\<^isub>1, \<dots>,
+ c\<^isub>n])"} declares a new class @{text "c"}, together with class
+ relations @{text "c \<subseteq> c\<^isub>i"}, for @{text "i = 1, \<dots>, n"}.
+
+ \item @{ML Sign.primitive_classrel}~@{text "(c\<^isub>1,
+ c\<^isub>2)"} declares the class relation @{text "c\<^isub>1 \<subseteq>
+ c\<^isub>2"}.
+
+ \item @{ML Sign.primitive_arity}~@{text "(\<kappa>, \<^vec>s, s)"} declares
+ the arity @{text "\<kappa> :: (\<^vec>s)s"}.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "class"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "sort"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "type_name"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "type_abbrev"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "nonterminal"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "typ"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation class} nameref
+ ;
+ @@{ML_antiquotation sort} sort
+ ;
+ (@@{ML_antiquotation type_name} |
+ @@{ML_antiquotation type_abbrev} |
+ @@{ML_antiquotation nonterminal}) nameref
+ ;
+ @@{ML_antiquotation typ} type
+ "}
+
+ \begin{description}
+
+ \item @{text "@{class c}"} inlines the internalized class @{text
+ "c"} --- as @{ML_type string} literal.
+
+ \item @{text "@{sort s}"} inlines the internalized sort @{text "s"}
+ --- as @{ML_type "string list"} literal.
+
+ \item @{text "@{type_name c}"} inlines the internalized type
+ constructor @{text "c"} --- as @{ML_type string} literal.
+
+ \item @{text "@{type_abbrev c}"} inlines the internalized type
+ abbreviation @{text "c"} --- as @{ML_type string} literal.
+
+ \item @{text "@{nonterminal c}"} inlines the internalized syntactic
+ type~/ grammar nonterminal @{text "c"} --- as @{ML_type string}
+ literal.
+
+ \item @{text "@{typ \<tau>}"} inlines the internalized type @{text "\<tau>"}
+ --- as constructor term for datatype @{ML_type typ}.
+
+ \end{description}
+*}
+
+
+section {* Terms \label{sec:terms} *}
+
+text {*
+ The language of terms is that of simply-typed @{text "\<lambda>"}-calculus
+ with de-Bruijn indices for bound variables (cf.\ \cite{debruijn72}
+ or \cite{paulson-ml2}), with the types being determined by the
+ corresponding binders. In contrast, free variables and constants
+ have an explicit name and type in each occurrence.
+
+ \medskip A \emph{bound variable} is a natural number @{text "b"},
+ which accounts for the number of intermediate binders between the
+ variable occurrence in the body and its binding position. For
+ example, the de-Bruijn term @{text "\<lambda>\<^bsub>bool\<^esub>. \<lambda>\<^bsub>bool\<^esub>. 1 \<and> 0"} would
+ correspond to @{text "\<lambda>x\<^bsub>bool\<^esub>. \<lambda>y\<^bsub>bool\<^esub>. x \<and> y"} in a named
+ representation. Note that a bound variable may be represented by
+ different de-Bruijn indices at different occurrences, depending on
+ the nesting of abstractions.
+
+ A \emph{loose variable} is a bound variable that is outside the
+ scope of local binders. The types (and names) for loose variables
+ can be managed as a separate context, that is maintained as a stack
+ of hypothetical binders. The core logic operates on closed terms,
+ without any loose variables.
+
+ A \emph{fixed variable} is a pair of a basic name and a type, e.g.\
+ @{text "(x, \<tau>)"} which is usually printed @{text "x\<^isub>\<tau>"} here. A
+ \emph{schematic variable} is a pair of an indexname and a type,
+ e.g.\ @{text "((x, 0), \<tau>)"} which is likewise printed as @{text
+ "?x\<^isub>\<tau>"}.
+
+ \medskip A \emph{constant} is a pair of a basic name and a type,
+ e.g.\ @{text "(c, \<tau>)"} which is usually printed as @{text "c\<^isub>\<tau>"}
+ here. Constants are declared in the context as polymorphic families
+ @{text "c :: \<sigma>"}, meaning that all substitution instances @{text
+ "c\<^isub>\<tau>"} for @{text "\<tau> = \<sigma>\<vartheta>"} are valid.
+
+ The vector of \emph{type arguments} of constant @{text "c\<^isub>\<tau>"} wrt.\
+ the declaration @{text "c :: \<sigma>"} is defined as the codomain of the
+ matcher @{text "\<vartheta> = {?\<alpha>\<^isub>1 \<mapsto> \<tau>\<^isub>1, \<dots>, ?\<alpha>\<^isub>n \<mapsto> \<tau>\<^isub>n}"} presented in
+ canonical order @{text "(\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>n)"}, corresponding to the
+ left-to-right occurrences of the @{text "\<alpha>\<^isub>i"} in @{text "\<sigma>"}.
+ Within a given theory context, there is a one-to-one correspondence
+ between any constant @{text "c\<^isub>\<tau>"} and the application @{text "c(\<tau>\<^isub>1,
+ \<dots>, \<tau>\<^isub>n)"} of its type arguments. For example, with @{text "plus :: \<alpha>
+ \<Rightarrow> \<alpha> \<Rightarrow> \<alpha>"}, the instance @{text "plus\<^bsub>nat \<Rightarrow> nat \<Rightarrow> nat\<^esub>"} corresponds to
+ @{text "plus(nat)"}.
+
+ Constant declarations @{text "c :: \<sigma>"} may contain sort constraints
+ for type variables in @{text "\<sigma>"}. These are observed by
+ type-inference as expected, but \emph{ignored} by the core logic.
+ This means the primitive logic is able to reason with instances of
+ polymorphic constants that the user-level type-checker would reject
+ due to violation of type class restrictions.
+
+ \medskip An \emph{atomic term} is either a variable or constant.
+ The logical category \emph{term} is defined inductively over atomic
+ terms, with abstraction and application as follows: @{text "t = b |
+ x\<^isub>\<tau> | ?x\<^isub>\<tau> | c\<^isub>\<tau> | \<lambda>\<^isub>\<tau>. t | t\<^isub>1 t\<^isub>2"}. Parsing and printing takes care of
+ converting between an external representation with named bound
+ variables. Subsequently, we shall use the latter notation instead
+ of internal de-Bruijn representation.
+
+ The inductive relation @{text "t :: \<tau>"} assigns a (unique) type to a
+ term according to the structure of atomic terms, abstractions, and
+ applicatins:
+ \[
+ \infer{@{text "a\<^isub>\<tau> :: \<tau>"}}{}
+ \qquad
+ \infer{@{text "(\<lambda>x\<^sub>\<tau>. t) :: \<tau> \<Rightarrow> \<sigma>"}}{@{text "t :: \<sigma>"}}
+ \qquad
+ \infer{@{text "t u :: \<sigma>"}}{@{text "t :: \<tau> \<Rightarrow> \<sigma>"} & @{text "u :: \<tau>"}}
+ \]
+ A \emph{well-typed term} is a term that can be typed according to these rules.
+
+ Typing information can be omitted: type-inference is able to
+ reconstruct the most general type of a raw term, while assigning
+ most general types to all of its variables and constants.
+ Type-inference depends on a context of type constraints for fixed
+ variables, and declarations for polymorphic constants.
+
+ The identity of atomic terms consists both of the name and the type
+ component. This means that different variables @{text
+ "x\<^bsub>\<tau>\<^isub>1\<^esub>"} and @{text "x\<^bsub>\<tau>\<^isub>2\<^esub>"} may become the same after
+ type instantiation. Type-inference rejects variables of the same
+ name, but different types. In contrast, mixed instances of
+ polymorphic constants occur routinely.
+
+ \medskip The \emph{hidden polymorphism} of a term @{text "t :: \<sigma>"}
+ is the set of type variables occurring in @{text "t"}, but not in
+ its type @{text "\<sigma>"}. This means that the term implicitly depends
+ on type arguments that are not accounted in the result type, i.e.\
+ there are different type instances @{text "t\<vartheta> :: \<sigma>"} and
+ @{text "t\<vartheta>' :: \<sigma>"} with the same type. This slightly
+ pathological situation notoriously demands additional care.
+
+ \medskip A \emph{term abbreviation} is a syntactic definition @{text
+ "c\<^isub>\<sigma> \<equiv> t"} of a closed term @{text "t"} of type @{text "\<sigma>"},
+ without any hidden polymorphism. A term abbreviation looks like a
+ constant in the syntax, but is expanded before entering the logical
+ core. Abbreviations are usually reverted when printing terms, using
+ @{text "t \<rightarrow> c\<^isub>\<sigma>"} as rules for higher-order rewriting.
+
+ \medskip Canonical operations on @{text "\<lambda>"}-terms include @{text
+ "\<alpha>\<beta>\<eta>"}-conversion: @{text "\<alpha>"}-conversion refers to capture-free
+ renaming of bound variables; @{text "\<beta>"}-conversion contracts an
+ abstraction applied to an argument term, substituting the argument
+ in the body: @{text "(\<lambda>x. b)a"} becomes @{text "b[a/x]"}; @{text
+ "\<eta>"}-conversion contracts vacuous application-abstraction: @{text
+ "\<lambda>x. f x"} becomes @{text "f"}, provided that the bound variable
+ does not occur in @{text "f"}.
+
+ Terms are normally treated modulo @{text "\<alpha>"}-conversion, which is
+ implicit in the de-Bruijn representation. Names for bound variables
+ in abstractions are maintained separately as (meaningless) comments,
+ mostly for parsing and printing. Full @{text "\<alpha>\<beta>\<eta>"}-conversion is
+ commonplace in various standard operations (\secref{sec:obj-rules})
+ that are based on higher-order unification and matching.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type term} \\
+ @{index_ML_op "aconv": "term * term -> bool"} \\
+ @{index_ML Term.map_types: "(typ -> typ) -> term -> term"} \\
+ @{index_ML Term.fold_types: "(typ -> 'a -> 'a) -> term -> 'a -> 'a"} \\
+ @{index_ML Term.map_aterms: "(term -> term) -> term -> term"} \\
+ @{index_ML Term.fold_aterms: "(term -> 'a -> 'a) -> term -> 'a -> 'a"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML fastype_of: "term -> typ"} \\
+ @{index_ML lambda: "term -> term -> term"} \\
+ @{index_ML betapply: "term * term -> term"} \\
+ @{index_ML incr_boundvars: "int -> term -> term"} \\
+ @{index_ML Sign.declare_const: "Proof.context ->
+ (binding * typ) * mixfix -> theory -> term * theory"} \\
+ @{index_ML Sign.add_abbrev: "string -> binding * term ->
+ theory -> (term * term) * theory"} \\
+ @{index_ML Sign.const_typargs: "theory -> string * typ -> typ list"} \\
+ @{index_ML Sign.const_instance: "theory -> string * typ list -> typ"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type term} represents de-Bruijn terms, with comments
+ in abstractions, and explicitly named free variables and constants;
+ this is a datatype with constructors @{ML Bound}, @{ML Free}, @{ML
+ Var}, @{ML Const}, @{ML Abs}, @{ML_op "$"}.
+
+ \item @{text "t"}~@{ML_text aconv}~@{text "u"} checks @{text
+ "\<alpha>"}-equivalence of two terms. This is the basic equality relation
+ on type @{ML_type term}; raw datatype equality should only be used
+ for operations related to parsing or printing!
+
+ \item @{ML Term.map_types}~@{text "f t"} applies the mapping @{text
+ "f"} to all types occurring in @{text "t"}.
+
+ \item @{ML Term.fold_types}~@{text "f t"} iterates the operation
+ @{text "f"} over all occurrences of types in @{text "t"}; the term
+ structure is traversed from left to right.
+
+ \item @{ML Term.map_aterms}~@{text "f t"} applies the mapping @{text
+ "f"} to all atomic terms (@{ML Bound}, @{ML Free}, @{ML Var}, @{ML
+ Const}) occurring in @{text "t"}.
+
+ \item @{ML Term.fold_aterms}~@{text "f t"} iterates the operation
+ @{text "f"} over all occurrences of atomic terms (@{ML Bound}, @{ML
+ Free}, @{ML Var}, @{ML Const}) in @{text "t"}; the term structure is
+ traversed from left to right.
+
+ \item @{ML fastype_of}~@{text "t"} determines the type of a
+ well-typed term. This operation is relatively slow, despite the
+ omission of any sanity checks.
+
+ \item @{ML lambda}~@{text "a b"} produces an abstraction @{text
+ "\<lambda>a. b"}, where occurrences of the atomic term @{text "a"} in the
+ body @{text "b"} are replaced by bound variables.
+
+ \item @{ML betapply}~@{text "(t, u)"} produces an application @{text
+ "t u"}, with topmost @{text "\<beta>"}-conversion if @{text "t"} is an
+ abstraction.
+
+ \item @{ML incr_boundvars}~@{text "j"} increments a term's dangling
+ bound variables by the offset @{text "j"}. This is required when
+ moving a subterm into a context where it is enclosed by a different
+ number of abstractions. Bound variables with a matching abstraction
+ are unaffected.
+
+ \item @{ML Sign.declare_const}~@{text "ctxt ((c, \<sigma>), mx)"} declares
+ a new constant @{text "c :: \<sigma>"} with optional mixfix syntax.
+
+ \item @{ML Sign.add_abbrev}~@{text "print_mode (c, t)"}
+ introduces a new term abbreviation @{text "c \<equiv> t"}.
+
+ \item @{ML Sign.const_typargs}~@{text "thy (c, \<tau>)"} and @{ML
+ Sign.const_instance}~@{text "thy (c, [\<tau>\<^isub>1, \<dots>, \<tau>\<^isub>n])"}
+ convert between two representations of polymorphic constants: full
+ type instance vs.\ compact type arguments form.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "const_name"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "const_abbrev"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "const"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "term"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "prop"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{ML_antiquotation const_name} |
+ @@{ML_antiquotation const_abbrev}) nameref
+ ;
+ @@{ML_antiquotation const} ('(' (type + ',') ')')?
+ ;
+ @@{ML_antiquotation term} term
+ ;
+ @@{ML_antiquotation prop} prop
+ "}
+
+ \begin{description}
+
+ \item @{text "@{const_name c}"} inlines the internalized logical
+ constant name @{text "c"} --- as @{ML_type string} literal.
+
+ \item @{text "@{const_abbrev c}"} inlines the internalized
+ abbreviated constant name @{text "c"} --- as @{ML_type string}
+ literal.
+
+ \item @{text "@{const c(\<^vec>\<tau>)}"} inlines the internalized
+ constant @{text "c"} with precise type instantiation in the sense of
+ @{ML Sign.const_instance} --- as @{ML Const} constructor term for
+ datatype @{ML_type term}.
+
+ \item @{text "@{term t}"} inlines the internalized term @{text "t"}
+ --- as constructor term for datatype @{ML_type term}.
+
+ \item @{text "@{prop \<phi>}"} inlines the internalized proposition
+ @{text "\<phi>"} --- as constructor term for datatype @{ML_type term}.
+
+ \end{description}
+*}
+
+
+section {* Theorems \label{sec:thms} *}
+
+text {*
+ A \emph{proposition} is a well-typed term of type @{text "prop"}, a
+ \emph{theorem} is a proven proposition (depending on a context of
+ hypotheses and the background theory). Primitive inferences include
+ plain Natural Deduction rules for the primary connectives @{text
+ "\<And>"} and @{text "\<Longrightarrow>"} of the framework. There is also a builtin
+ notion of equality/equivalence @{text "\<equiv>"}.
+*}
+
+
+subsection {* Primitive connectives and rules \label{sec:prim-rules} *}
+
+text {*
+ The theory @{text "Pure"} contains constant declarations for the
+ primitive connectives @{text "\<And>"}, @{text "\<Longrightarrow>"}, and @{text "\<equiv>"} of
+ the logical framework, see \figref{fig:pure-connectives}. The
+ derivability judgment @{text "A\<^isub>1, \<dots>, A\<^isub>n \<turnstile> B"} is
+ defined inductively by the primitive inferences given in
+ \figref{fig:prim-rules}, with the global restriction that the
+ hypotheses must \emph{not} contain any schematic variables. The
+ builtin equality is conceptually axiomatized as shown in
+ \figref{fig:pure-equality}, although the implementation works
+ directly with derived inferences.
+
+ \begin{figure}[htb]
+ \begin{center}
+ \begin{tabular}{ll}
+ @{text "all :: (\<alpha> \<Rightarrow> prop) \<Rightarrow> prop"} & universal quantification (binder @{text "\<And>"}) \\
+ @{text "\<Longrightarrow> :: prop \<Rightarrow> prop \<Rightarrow> prop"} & implication (right associative infix) \\
+ @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow> prop"} & equality relation (infix) \\
+ \end{tabular}
+ \caption{Primitive connectives of Pure}\label{fig:pure-connectives}
+ \end{center}
+ \end{figure}
+
+ \begin{figure}[htb]
+ \begin{center}
+ \[
+ \infer[@{text "(axiom)"}]{@{text "\<turnstile> A"}}{@{text "A \<in> \<Theta>"}}
+ \qquad
+ \infer[@{text "(assume)"}]{@{text "A \<turnstile> A"}}{}
+ \]
+ \[
+ \infer[@{text "(\<And>\<hyphen>intro)"}]{@{text "\<Gamma> \<turnstile> \<And>x. b[x]"}}{@{text "\<Gamma> \<turnstile> b[x]"} & @{text "x \<notin> \<Gamma>"}}
+ \qquad
+ \infer[@{text "(\<And>\<hyphen>elim)"}]{@{text "\<Gamma> \<turnstile> b[a]"}}{@{text "\<Gamma> \<turnstile> \<And>x. b[x]"}}
+ \]
+ \[
+ \infer[@{text "(\<Longrightarrow>\<hyphen>intro)"}]{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
+ \qquad
+ \infer[@{text "(\<Longrightarrow>\<hyphen>elim)"}]{@{text "\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B"}}{@{text "\<Gamma>\<^sub>1 \<turnstile> A \<Longrightarrow> B"} & @{text "\<Gamma>\<^sub>2 \<turnstile> A"}}
+ \]
+ \caption{Primitive inferences of Pure}\label{fig:prim-rules}
+ \end{center}
+ \end{figure}
+
+ \begin{figure}[htb]
+ \begin{center}
+ \begin{tabular}{ll}
+ @{text "\<turnstile> (\<lambda>x. b[x]) a \<equiv> b[a]"} & @{text "\<beta>"}-conversion \\
+ @{text "\<turnstile> x \<equiv> x"} & reflexivity \\
+ @{text "\<turnstile> x \<equiv> y \<Longrightarrow> P x \<Longrightarrow> P y"} & substitution \\
+ @{text "\<turnstile> (\<And>x. f x \<equiv> g x) \<Longrightarrow> f \<equiv> g"} & extensionality \\
+ @{text "\<turnstile> (A \<Longrightarrow> B) \<Longrightarrow> (B \<Longrightarrow> A) \<Longrightarrow> A \<equiv> B"} & logical equivalence \\
+ \end{tabular}
+ \caption{Conceptual axiomatization of Pure equality}\label{fig:pure-equality}
+ \end{center}
+ \end{figure}
+
+ The introduction and elimination rules for @{text "\<And>"} and @{text
+ "\<Longrightarrow>"} are analogous to formation of dependently typed @{text
+ "\<lambda>"}-terms representing the underlying proof objects. Proof terms
+ are irrelevant in the Pure logic, though; they cannot occur within
+ propositions. The system provides a runtime option to record
+ explicit proof terms for primitive inferences. Thus all three
+ levels of @{text "\<lambda>"}-calculus become explicit: @{text "\<Rightarrow>"} for
+ terms, and @{text "\<And>/\<Longrightarrow>"} for proofs (cf.\
+ \cite{Berghofer-Nipkow:2000:TPHOL}).
+
+ Observe that locally fixed parameters (as in @{text
+ "\<And>\<hyphen>intro"}) need not be recorded in the hypotheses, because
+ the simple syntactic types of Pure are always inhabitable.
+ ``Assumptions'' @{text "x :: \<tau>"} for type-membership are only
+ present as long as some @{text "x\<^isub>\<tau>"} occurs in the statement
+ body.\footnote{This is the key difference to ``@{text "\<lambda>HOL"}'' in
+ the PTS framework \cite{Barendregt-Geuvers:2001}, where hypotheses
+ @{text "x : A"} are treated uniformly for propositions and types.}
+
+ \medskip The axiomatization of a theory is implicitly closed by
+ forming all instances of type and term variables: @{text "\<turnstile>
+ A\<vartheta>"} holds for any substitution instance of an axiom
+ @{text "\<turnstile> A"}. By pushing substitutions through derivations
+ inductively, we also get admissible @{text "generalize"} and @{text
+ "instantiate"} rules as shown in \figref{fig:subst-rules}.
+
+ \begin{figure}[htb]
+ \begin{center}
+ \[
+ \infer{@{text "\<Gamma> \<turnstile> B[?\<alpha>]"}}{@{text "\<Gamma> \<turnstile> B[\<alpha>]"} & @{text "\<alpha> \<notin> \<Gamma>"}}
+ \quad
+ \infer[\quad@{text "(generalize)"}]{@{text "\<Gamma> \<turnstile> B[?x]"}}{@{text "\<Gamma> \<turnstile> B[x]"} & @{text "x \<notin> \<Gamma>"}}
+ \]
+ \[
+ \infer{@{text "\<Gamma> \<turnstile> B[\<tau>]"}}{@{text "\<Gamma> \<turnstile> B[?\<alpha>]"}}
+ \quad
+ \infer[\quad@{text "(instantiate)"}]{@{text "\<Gamma> \<turnstile> B[t]"}}{@{text "\<Gamma> \<turnstile> B[?x]"}}
+ \]
+ \caption{Admissible substitution rules}\label{fig:subst-rules}
+ \end{center}
+ \end{figure}
+
+ Note that @{text "instantiate"} does not require an explicit
+ side-condition, because @{text "\<Gamma>"} may never contain schematic
+ variables.
+
+ In principle, variables could be substituted in hypotheses as well,
+ but this would disrupt the monotonicity of reasoning: deriving
+ @{text "\<Gamma>\<vartheta> \<turnstile> B\<vartheta>"} from @{text "\<Gamma> \<turnstile> B"} is
+ correct, but @{text "\<Gamma>\<vartheta> \<supseteq> \<Gamma>"} does not necessarily hold:
+ the result belongs to a different proof context.
+
+ \medskip An \emph{oracle} is a function that produces axioms on the
+ fly. Logically, this is an instance of the @{text "axiom"} rule
+ (\figref{fig:prim-rules}), but there is an operational difference.
+ The system always records oracle invocations within derivations of
+ theorems by a unique tag.
+
+ Axiomatizations should be limited to the bare minimum, typically as
+ part of the initial logical basis of an object-logic formalization.
+ Later on, theories are usually developed in a strictly definitional
+ fashion, by stating only certain equalities over new constants.
+
+ A \emph{simple definition} consists of a constant declaration @{text
+ "c :: \<sigma>"} together with an axiom @{text "\<turnstile> c \<equiv> t"}, where @{text "t
+ :: \<sigma>"} is a closed term without any hidden polymorphism. The RHS
+ may depend on further defined constants, but not @{text "c"} itself.
+ Definitions of functions may be presented as @{text "c \<^vec>x \<equiv>
+ t"} instead of the puristic @{text "c \<equiv> \<lambda>\<^vec>x. t"}.
+
+ An \emph{overloaded definition} consists of a collection of axioms
+ for the same constant, with zero or one equations @{text
+ "c((\<^vec>\<alpha>)\<kappa>) \<equiv> t"} for each type constructor @{text "\<kappa>"} (for
+ distinct variables @{text "\<^vec>\<alpha>"}). The RHS may mention
+ previously defined constants as above, or arbitrary constants @{text
+ "d(\<alpha>\<^isub>i)"} for some @{text "\<alpha>\<^isub>i"} projected from @{text
+ "\<^vec>\<alpha>"}. Thus overloaded definitions essentially work by
+ primitive recursion over the syntactic structure of a single type
+ argument. See also \cite[\S4.3]{Haftmann-Wenzel:2006:classes}.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Logic.all: "term -> term -> term"} \\
+ @{index_ML Logic.mk_implies: "term * term -> term"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type ctyp} \\
+ @{index_ML_type cterm} \\
+ @{index_ML Thm.ctyp_of: "theory -> typ -> ctyp"} \\
+ @{index_ML Thm.cterm_of: "theory -> term -> cterm"} \\
+ @{index_ML Thm.apply: "cterm -> cterm -> cterm"} \\
+ @{index_ML Thm.lambda: "cterm -> cterm -> cterm"} \\
+ @{index_ML Thm.all: "cterm -> cterm -> cterm"} \\
+ @{index_ML Drule.mk_implies: "cterm * cterm -> cterm"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type thm} \\
+ @{index_ML proofs: "int Unsynchronized.ref"} \\
+ @{index_ML Thm.transfer: "theory -> thm -> thm"} \\
+ @{index_ML Thm.assume: "cterm -> thm"} \\
+ @{index_ML Thm.forall_intr: "cterm -> thm -> thm"} \\
+ @{index_ML Thm.forall_elim: "cterm -> thm -> thm"} \\
+ @{index_ML Thm.implies_intr: "cterm -> thm -> thm"} \\
+ @{index_ML Thm.implies_elim: "thm -> thm -> thm"} \\
+ @{index_ML Thm.generalize: "string list * string list -> int -> thm -> thm"} \\
+ @{index_ML Thm.instantiate: "(ctyp * ctyp) list * (cterm * cterm) list -> thm -> thm"} \\
+ @{index_ML Thm.add_axiom: "Proof.context ->
+ binding * term -> theory -> (string * thm) * theory"} \\
+ @{index_ML Thm.add_oracle: "binding * ('a -> cterm) -> theory ->
+ (string * ('a -> thm)) * theory"} \\
+ @{index_ML Thm.add_def: "Proof.context -> bool -> bool ->
+ binding * term -> theory -> (string * thm) * theory"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML Theory.add_deps: "Proof.context -> string ->
+ string * typ -> (string * typ) list -> theory -> theory"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Logic.all}~@{text "a B"} produces a Pure quantification
+ @{text "\<And>a. B"}, where occurrences of the atomic term @{text "a"} in
+ the body proposition @{text "B"} are replaced by bound variables.
+ (See also @{ML lambda} on terms.)
+
+ \item @{ML Logic.mk_implies}~@{text "(A, B)"} produces a Pure
+ implication @{text "A \<Longrightarrow> B"}.
+
+ \item Types @{ML_type ctyp} and @{ML_type cterm} represent certified
+ types and terms, respectively. These are abstract datatypes that
+ guarantee that its values have passed the full well-formedness (and
+ well-typedness) checks, relative to the declarations of type
+ constructors, constants etc.\ in the background theory. The
+ abstract types @{ML_type ctyp} and @{ML_type cterm} are part of the
+ same inference kernel that is mainly responsible for @{ML_type thm}.
+ Thus syntactic operations on @{ML_type ctyp} and @{ML_type cterm}
+ are located in the @{ML_struct Thm} module, even though theorems are
+ not yet involved at that stage.
+
+ \item @{ML Thm.ctyp_of}~@{text "thy \<tau>"} and @{ML
+ Thm.cterm_of}~@{text "thy t"} explicitly checks types and terms,
+ respectively. This also involves some basic normalizations, such
+ expansion of type and term abbreviations from the theory context.
+ Full re-certification is relatively slow and should be avoided in
+ tight reasoning loops.
+
+ \item @{ML Thm.apply}, @{ML Thm.lambda}, @{ML Thm.all}, @{ML
+ Drule.mk_implies} etc.\ compose certified terms (or propositions)
+ incrementally. This is equivalent to @{ML Thm.cterm_of} after
+ unchecked @{ML_op "$"}, @{ML lambda}, @{ML Logic.all}, @{ML
+ Logic.mk_implies} etc., but there can be a big difference in
+ performance when large existing entities are composed by a few extra
+ constructions on top. There are separate operations to decompose
+ certified terms and theorems to produce certified terms again.
+
+ \item Type @{ML_type thm} represents proven propositions. This is
+ an abstract datatype that guarantees that its values have been
+ constructed by basic principles of the @{ML_struct Thm} module.
+ Every @{ML_type thm} value contains a sliding back-reference to the
+ enclosing theory, cf.\ \secref{sec:context-theory}.
+
+ \item @{ML proofs} specifies the detail of proof recording within
+ @{ML_type thm} values: @{ML 0} records only the names of oracles,
+ @{ML 1} records oracle names and propositions, @{ML 2} additionally
+ records full proof terms. Officially named theorems that contribute
+ to a result are recorded in any case.
+
+ \item @{ML Thm.transfer}~@{text "thy thm"} transfers the given
+ theorem to a \emph{larger} theory, see also \secref{sec:context}.
+ This formal adjustment of the background context has no logical
+ significance, but is occasionally required for formal reasons, e.g.\
+ when theorems that are imported from more basic theories are used in
+ the current situation.
+
+ \item @{ML Thm.assume}, @{ML Thm.forall_intr}, @{ML
+ Thm.forall_elim}, @{ML Thm.implies_intr}, and @{ML Thm.implies_elim}
+ correspond to the primitive inferences of \figref{fig:prim-rules}.
+
+ \item @{ML Thm.generalize}~@{text "(\<^vec>\<alpha>, \<^vec>x)"}
+ corresponds to the @{text "generalize"} rules of
+ \figref{fig:subst-rules}. Here collections of type and term
+ variables are generalized simultaneously, specified by the given
+ basic names.
+
+ \item @{ML Thm.instantiate}~@{text "(\<^vec>\<alpha>\<^isub>s,
+ \<^vec>x\<^isub>\<tau>)"} corresponds to the @{text "instantiate"} rules
+ of \figref{fig:subst-rules}. Type variables are substituted before
+ term variables. Note that the types in @{text "\<^vec>x\<^isub>\<tau>"}
+ refer to the instantiated versions.
+
+ \item @{ML Thm.add_axiom}~@{text "ctxt (name, A)"} declares an
+ arbitrary proposition as axiom, and retrieves it as a theorem from
+ the resulting theory, cf.\ @{text "axiom"} in
+ \figref{fig:prim-rules}. Note that the low-level representation in
+ the axiom table may differ slightly from the returned theorem.
+
+ \item @{ML Thm.add_oracle}~@{text "(binding, oracle)"} produces a named
+ oracle rule, essentially generating arbitrary axioms on the fly,
+ cf.\ @{text "axiom"} in \figref{fig:prim-rules}.
+
+ \item @{ML Thm.add_def}~@{text "ctxt unchecked overloaded (name, c
+ \<^vec>x \<equiv> t)"} states a definitional axiom for an existing constant
+ @{text "c"}. Dependencies are recorded via @{ML Theory.add_deps},
+ unless the @{text "unchecked"} option is set. Note that the
+ low-level representation in the axiom table may differ slightly from
+ the returned theorem.
+
+ \item @{ML Theory.add_deps}~@{text "ctxt name c\<^isub>\<tau> \<^vec>d\<^isub>\<sigma>"}
+ declares dependencies of a named specification for constant @{text
+ "c\<^isub>\<tau>"}, relative to existing specifications for constants @{text
+ "\<^vec>d\<^isub>\<sigma>"}.
+
+ \end{description}
+*}
+
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "ctyp"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "cterm"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "cprop"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "thm"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "thms"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "lemma"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation ctyp} typ
+ ;
+ @@{ML_antiquotation cterm} term
+ ;
+ @@{ML_antiquotation cprop} prop
+ ;
+ @@{ML_antiquotation thm} thmref
+ ;
+ @@{ML_antiquotation thms} thmrefs
+ ;
+ @@{ML_antiquotation lemma} ('(' @'open' ')')? ((prop +) + @'and') \\
+ @'by' method method?
+ "}
+
+ \begin{description}
+
+ \item @{text "@{ctyp \<tau>}"} produces a certified type wrt.\ the
+ current background theory --- as abstract value of type @{ML_type
+ ctyp}.
+
+ \item @{text "@{cterm t}"} and @{text "@{cprop \<phi>}"} produce a
+ certified term wrt.\ the current background theory --- as abstract
+ value of type @{ML_type cterm}.
+
+ \item @{text "@{thm a}"} produces a singleton fact --- as abstract
+ value of type @{ML_type thm}.
+
+ \item @{text "@{thms a}"} produces a general fact --- as abstract
+ value of type @{ML_type "thm list"}.
+
+ \item @{text "@{lemma \<phi> by meth}"} produces a fact that is proven on
+ the spot according to the minimal proof, which imitates a terminal
+ Isar proof. The result is an abstract value of type @{ML_type thm}
+ or @{ML_type "thm list"}, depending on the number of propositions
+ given here.
+
+ The internal derivation object lacks a proper theorem name, but it
+ is formally closed, unless the @{text "(open)"} option is specified
+ (this may impact performance of applications with proof terms).
+
+ Since ML antiquotations are always evaluated at compile-time, there
+ is no run-time overhead even for non-trivial proofs. Nonetheless,
+ the justification is syntactically limited to a single @{command
+ "by"} step. More complex Isar proofs should be done in regular
+ theory source, before compiling the corresponding ML text that uses
+ the result.
+
+ \end{description}
+
+*}
+
+
+subsection {* Auxiliary connectives \label{sec:logic-aux} *}
+
+text {* Theory @{text "Pure"} provides a few auxiliary connectives
+ that are defined on top of the primitive ones, see
+ \figref{fig:pure-aux}. These special constants are useful in
+ certain internal encodings, and are normally not directly exposed to
+ the user.
+
+ \begin{figure}[htb]
+ \begin{center}
+ \begin{tabular}{ll}
+ @{text "conjunction :: prop \<Rightarrow> prop \<Rightarrow> prop"} & (infix @{text "&&&"}) \\
+ @{text "\<turnstile> A &&& B \<equiv> (\<And>C. (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C)"} \\[1ex]
+ @{text "prop :: prop \<Rightarrow> prop"} & (prefix @{text "#"}, suppressed) \\
+ @{text "#A \<equiv> A"} \\[1ex]
+ @{text "term :: \<alpha> \<Rightarrow> prop"} & (prefix @{text "TERM"}) \\
+ @{text "term x \<equiv> (\<And>A. A \<Longrightarrow> A)"} \\[1ex]
+ @{text "TYPE :: \<alpha> itself"} & (prefix @{text "TYPE"}) \\
+ @{text "(unspecified)"} \\
+ \end{tabular}
+ \caption{Definitions of auxiliary connectives}\label{fig:pure-aux}
+ \end{center}
+ \end{figure}
+
+ The introduction @{text "A \<Longrightarrow> B \<Longrightarrow> A &&& B"}, and eliminations
+ (projections) @{text "A &&& B \<Longrightarrow> A"} and @{text "A &&& B \<Longrightarrow> B"} are
+ available as derived rules. Conjunction allows to treat
+ simultaneous assumptions and conclusions uniformly, e.g.\ consider
+ @{text "A \<Longrightarrow> B \<Longrightarrow> C &&& D"}. In particular, the goal mechanism
+ represents multiple claims as explicit conjunction internally, but
+ this is refined (via backwards introduction) into separate sub-goals
+ before the user commences the proof; the final result is projected
+ into a list of theorems using eliminations (cf.\
+ \secref{sec:tactical-goals}).
+
+ The @{text "prop"} marker (@{text "#"}) makes arbitrarily complex
+ propositions appear as atomic, without changing the meaning: @{text
+ "\<Gamma> \<turnstile> A"} and @{text "\<Gamma> \<turnstile> #A"} are interchangeable. See
+ \secref{sec:tactical-goals} for specific operations.
+
+ The @{text "term"} marker turns any well-typed term into a derivable
+ proposition: @{text "\<turnstile> TERM t"} holds unconditionally. Although
+ this is logically vacuous, it allows to treat terms and proofs
+ uniformly, similar to a type-theoretic framework.
+
+ The @{text "TYPE"} constructor is the canonical representative of
+ the unspecified type @{text "\<alpha> itself"}; it essentially injects the
+ language of types into that of terms. There is specific notation
+ @{text "TYPE(\<tau>)"} for @{text "TYPE\<^bsub>\<tau>
+ itself\<^esub>"}.
+ Although being devoid of any particular meaning, the term @{text
+ "TYPE(\<tau>)"} accounts for the type @{text "\<tau>"} within the term
+ language. In particular, @{text "TYPE(\<alpha>)"} may be used as formal
+ argument in primitive definitions, in order to circumvent hidden
+ polymorphism (cf.\ \secref{sec:terms}). For example, @{text "c
+ TYPE(\<alpha>) \<equiv> A[\<alpha>]"} defines @{text "c :: \<alpha> itself \<Rightarrow> prop"} in terms of
+ a proposition @{text "A"} that depends on an additional type
+ argument, which is essentially a predicate on types.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Conjunction.intr: "thm -> thm -> thm"} \\
+ @{index_ML Conjunction.elim: "thm -> thm * thm"} \\
+ @{index_ML Drule.mk_term: "cterm -> thm"} \\
+ @{index_ML Drule.dest_term: "thm -> cterm"} \\
+ @{index_ML Logic.mk_type: "typ -> term"} \\
+ @{index_ML Logic.dest_type: "term -> typ"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Conjunction.intr} derives @{text "A &&& B"} from @{text
+ "A"} and @{text "B"}.
+
+ \item @{ML Conjunction.elim} derives @{text "A"} and @{text "B"}
+ from @{text "A &&& B"}.
+
+ \item @{ML Drule.mk_term} derives @{text "TERM t"}.
+
+ \item @{ML Drule.dest_term} recovers term @{text "t"} from @{text
+ "TERM t"}.
+
+ \item @{ML Logic.mk_type}~@{text "\<tau>"} produces the term @{text
+ "TYPE(\<tau>)"}.
+
+ \item @{ML Logic.dest_type}~@{text "TYPE(\<tau>)"} recovers the type
+ @{text "\<tau>"}.
+
+ \end{description}
+*}
+
+
+section {* Object-level rules \label{sec:obj-rules} *}
+
+text {*
+ The primitive inferences covered so far mostly serve foundational
+ purposes. User-level reasoning usually works via object-level rules
+ that are represented as theorems of Pure. Composition of rules
+ involves \emph{backchaining}, \emph{higher-order unification} modulo
+ @{text "\<alpha>\<beta>\<eta>"}-conversion of @{text "\<lambda>"}-terms, and so-called
+ \emph{lifting} of rules into a context of @{text "\<And>"} and @{text
+ "\<Longrightarrow>"} connectives. Thus the full power of higher-order Natural
+ Deduction in Isabelle/Pure becomes readily available.
+*}
+
+
+subsection {* Hereditary Harrop Formulae *}
+
+text {*
+ The idea of object-level rules is to model Natural Deduction
+ inferences in the style of Gentzen \cite{Gentzen:1935}, but we allow
+ arbitrary nesting similar to \cite{extensions91}. The most basic
+ rule format is that of a \emph{Horn Clause}:
+ \[
+ \infer{@{text "A"}}{@{text "A\<^sub>1"} & @{text "\<dots>"} & @{text "A\<^sub>n"}}
+ \]
+ where @{text "A, A\<^sub>1, \<dots>, A\<^sub>n"} are atomic propositions
+ of the framework, usually of the form @{text "Trueprop B"}, where
+ @{text "B"} is a (compound) object-level statement. This
+ object-level inference corresponds to an iterated implication in
+ Pure like this:
+ \[
+ @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> A"}
+ \]
+ As an example consider conjunction introduction: @{text "A \<Longrightarrow> B \<Longrightarrow> A \<and>
+ B"}. Any parameters occurring in such rule statements are
+ conceptionally treated as arbitrary:
+ \[
+ @{text "\<And>x\<^sub>1 \<dots> x\<^sub>m. A\<^sub>1 x\<^sub>1 \<dots> x\<^sub>m \<Longrightarrow> \<dots> A\<^sub>n x\<^sub>1 \<dots> x\<^sub>m \<Longrightarrow> A x\<^sub>1 \<dots> x\<^sub>m"}
+ \]
+
+ Nesting of rules means that the positions of @{text "A\<^sub>i"} may
+ again hold compound rules, not just atomic propositions.
+ Propositions of this format are called \emph{Hereditary Harrop
+ Formulae} in the literature \cite{Miller:1991}. Here we give an
+ inductive characterization as follows:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "\<^bold>x"} & set of variables \\
+ @{text "\<^bold>A"} & set of atomic propositions \\
+ @{text "\<^bold>H = \<And>\<^bold>x\<^sup>*. \<^bold>H\<^sup>* \<Longrightarrow> \<^bold>A"} & set of Hereditary Harrop Formulas \\
+ \end{tabular}
+ \medskip
+
+ Thus we essentially impose nesting levels on propositions formed
+ from @{text "\<And>"} and @{text "\<Longrightarrow>"}. At each level there is a prefix
+ of parameters and compound premises, concluding an atomic
+ proposition. Typical examples are @{text "\<longrightarrow>"}-introduction @{text
+ "(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B"} or mathematical induction @{text "P 0 \<Longrightarrow> (\<And>n. P n
+ \<Longrightarrow> P (Suc n)) \<Longrightarrow> P n"}. Even deeper nesting occurs in well-founded
+ induction @{text "(\<And>x. (\<And>y. y \<prec> x \<Longrightarrow> P y) \<Longrightarrow> P x) \<Longrightarrow> P x"}, but this
+ already marks the limit of rule complexity that is usually seen in
+ practice.
+
+ \medskip Regular user-level inferences in Isabelle/Pure always
+ maintain the following canonical form of results:
+
+ \begin{itemize}
+
+ \item Normalization by @{text "(A \<Longrightarrow> (\<And>x. B x)) \<equiv> (\<And>x. A \<Longrightarrow> B x)"},
+ which is a theorem of Pure, means that quantifiers are pushed in
+ front of implication at each level of nesting. The normal form is a
+ Hereditary Harrop Formula.
+
+ \item The outermost prefix of parameters is represented via
+ schematic variables: instead of @{text "\<And>\<^vec>x. \<^vec>H \<^vec>x
+ \<Longrightarrow> A \<^vec>x"} we have @{text "\<^vec>H ?\<^vec>x \<Longrightarrow> A ?\<^vec>x"}.
+ Note that this representation looses information about the order of
+ parameters, and vacuous quantifiers vanish automatically.
+
+ \end{itemize}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Simplifier.norm_hhf: "thm -> thm"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Simplifier.norm_hhf}~@{text thm} normalizes the given
+ theorem according to the canonical form specified above. This is
+ occasionally helpful to repair some low-level tools that do not
+ handle Hereditary Harrop Formulae properly.
+
+ \end{description}
+*}
+
+
+subsection {* Rule composition *}
+
+text {*
+ The rule calculus of Isabelle/Pure provides two main inferences:
+ @{inference resolution} (i.e.\ back-chaining of rules) and
+ @{inference assumption} (i.e.\ closing a branch), both modulo
+ higher-order unification. There are also combined variants, notably
+ @{inference elim_resolution} and @{inference dest_resolution}.
+
+ To understand the all-important @{inference resolution} principle,
+ we first consider raw @{inference_def composition} (modulo
+ higher-order unification with substitution @{text "\<vartheta>"}):
+ \[
+ \infer[(@{inference_def composition})]{@{text "\<^vec>A\<vartheta> \<Longrightarrow> C\<vartheta>"}}
+ {@{text "\<^vec>A \<Longrightarrow> B"} & @{text "B' \<Longrightarrow> C"} & @{text "B\<vartheta> = B'\<vartheta>"}}
+ \]
+ Here the conclusion of the first rule is unified with the premise of
+ the second; the resulting rule instance inherits the premises of the
+ first and conclusion of the second. Note that @{text "C"} can again
+ consist of iterated implications. We can also permute the premises
+ of the second rule back-and-forth in order to compose with @{text
+ "B'"} in any position (subsequently we shall always refer to
+ position 1 w.l.o.g.).
+
+ In @{inference composition} the internal structure of the common
+ part @{text "B"} and @{text "B'"} is not taken into account. For
+ proper @{inference resolution} we require @{text "B"} to be atomic,
+ and explicitly observe the structure @{text "\<And>\<^vec>x. \<^vec>H
+ \<^vec>x \<Longrightarrow> B' \<^vec>x"} of the premise of the second rule. The
+ idea is to adapt the first rule by ``lifting'' it into this context,
+ by means of iterated application of the following inferences:
+ \[
+ \infer[(@{inference_def imp_lift})]{@{text "(\<^vec>H \<Longrightarrow> \<^vec>A) \<Longrightarrow> (\<^vec>H \<Longrightarrow> B)"}}{@{text "\<^vec>A \<Longrightarrow> B"}}
+ \]
+ \[
+ \infer[(@{inference_def all_lift})]{@{text "(\<And>\<^vec>x. \<^vec>A (?\<^vec>a \<^vec>x)) \<Longrightarrow> (\<And>\<^vec>x. B (?\<^vec>a \<^vec>x))"}}{@{text "\<^vec>A ?\<^vec>a \<Longrightarrow> B ?\<^vec>a"}}
+ \]
+ By combining raw composition with lifting, we get full @{inference
+ resolution} as follows:
+ \[
+ \infer[(@{inference_def resolution})]
+ {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (?\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
+ {\begin{tabular}{l}
+ @{text "\<^vec>A ?\<^vec>a \<Longrightarrow> B ?\<^vec>a"} \\
+ @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
+ @{text "(\<lambda>\<^vec>x. B (?\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
+ \end{tabular}}
+ \]
+
+ Continued resolution of rules allows to back-chain a problem towards
+ more and sub-problems. Branches are closed either by resolving with
+ a rule of 0 premises, or by producing a ``short-circuit'' within a
+ solved situation (again modulo unification):
+ \[
+ \infer[(@{inference_def assumption})]{@{text "C\<vartheta>"}}
+ {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C"} & @{text "A\<vartheta> = H\<^sub>i\<vartheta>"}~~\text{(for some~@{text i})}}
+ \]
+
+ FIXME @{inference_def elim_resolution}, @{inference_def dest_resolution}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_op "RSN": "thm * (int * thm) -> thm"} \\
+ @{index_ML_op "RS": "thm * thm -> thm"} \\
+
+ @{index_ML_op "RLN": "thm list * (int * thm list) -> thm list"} \\
+ @{index_ML_op "RL": "thm list * thm list -> thm list"} \\
+
+ @{index_ML_op "MRS": "thm list * thm -> thm"} \\
+ @{index_ML_op "OF": "thm * thm list -> thm"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{text "rule\<^sub>1 RSN (i, rule\<^sub>2)"} resolves the conclusion of
+ @{text "rule\<^sub>1"} with the @{text i}-th premise of @{text "rule\<^sub>2"},
+ according to the @{inference resolution} principle explained above.
+ Unless there is precisely one resolvent it raises exception @{ML
+ THM}.
+
+ This corresponds to the rule attribute @{attribute THEN} in Isar
+ source language.
+
+ \item @{text "rule\<^sub>1 RS rule\<^sub>2"} abbreviates @{text "rule\<^sub>1 RS (1,
+ rule\<^sub>2)"}.
+
+ \item @{text "rules\<^sub>1 RLN (i, rules\<^sub>2)"} joins lists of rules. For
+ every @{text "rule\<^sub>1"} in @{text "rules\<^sub>1"} and @{text "rule\<^sub>2"} in
+ @{text "rules\<^sub>2"}, it resolves the conclusion of @{text "rule\<^sub>1"} with
+ the @{text "i"}-th premise of @{text "rule\<^sub>2"}, accumulating multiple
+ results in one big list. Note that such strict enumerations of
+ higher-order unifications can be inefficient compared to the lazy
+ variant seen in elementary tactics like @{ML resolve_tac}.
+
+ \item @{text "rules\<^sub>1 RL rules\<^sub>2"} abbreviates @{text "rules\<^sub>1 RLN (1,
+ rules\<^sub>2)"}.
+
+ \item @{text "[rule\<^sub>1, \<dots>, rule\<^sub>n] MRS rule"} resolves @{text "rule\<^isub>i"}
+ against premise @{text "i"} of @{text "rule"}, for @{text "i = n, \<dots>,
+ 1"}. By working from right to left, newly emerging premises are
+ concatenated in the result, without interfering.
+
+ \item @{text "rule OF rules"} is an alternative notation for @{text
+ "rules MRS rule"}, which makes rule composition look more like
+ function application. Note that the argument @{text "rules"} need
+ not be atomic.
+
+ This corresponds to the rule attribute @{attribute OF} in Isar
+ source language.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/ML.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1777 @@
+theory "ML"
+imports Base
+begin
+
+chapter {* Isabelle/ML *}
+
+text {* Isabelle/ML is best understood as a certain culture based on
+ Standard ML. Thus it is not a new programming language, but a
+ certain way to use SML at an advanced level within the Isabelle
+ environment. This covers a variety of aspects that are geared
+ towards an efficient and robust platform for applications of formal
+ logic with fully foundational proof construction --- according to
+ the well-known \emph{LCF principle}. There is specific
+ infrastructure with library modules to address the needs of this
+ difficult task. For example, the raw parallel programming model of
+ Poly/ML is presented as considerably more abstract concept of
+ \emph{future values}, which is then used to augment the inference
+ kernel, proof interpreter, and theory loader accordingly.
+
+ The main aspects of Isabelle/ML are introduced below. These
+ first-hand explanations should help to understand how proper
+ Isabelle/ML is to be read and written, and to get access to the
+ wealth of experience that is expressed in the source text and its
+ history of changes.\footnote{See
+ \url{http://isabelle.in.tum.de/repos/isabelle} for the full
+ Mercurial history. There are symbolic tags to refer to official
+ Isabelle releases, as opposed to arbitrary \emph{tip} versions that
+ merely reflect snapshots that are never really up-to-date.} *}
+
+
+section {* Style and orthography *}
+
+text {* The sources of Isabelle/Isar are optimized for
+ \emph{readability} and \emph{maintainability}. The main purpose is
+ to tell an informed reader what is really going on and how things
+ really work. This is a non-trivial aim, but it is supported by a
+ certain style of writing Isabelle/ML that has emerged from long
+ years of system development.\footnote{See also the interesting style
+ guide for OCaml
+ \url{http://caml.inria.fr/resources/doc/guides/guidelines.en.html}
+ which shares many of our means and ends.}
+
+ The main principle behind any coding style is \emph{consistency}.
+ For a single author of a small program this merely means ``choose
+ your style and stick to it''. A complex project like Isabelle, with
+ long years of development and different contributors, requires more
+ standardization. A coding style that is changed every few years or
+ with every new contributor is no style at all, because consistency
+ is quickly lost. Global consistency is hard to achieve, though.
+ Nonetheless, one should always strive at least for local consistency
+ of modules and sub-systems, without deviating from some general
+ principles how to write Isabelle/ML.
+
+ In a sense, good coding style is like an \emph{orthography} for the
+ sources: it helps to read quickly over the text and see through the
+ main points, without getting distracted by accidental presentation
+ of free-style code.
+*}
+
+
+subsection {* Header and sectioning *}
+
+text {* Isabelle source files have a certain standardized header
+ format (with precise spacing) that follows ancient traditions
+ reaching back to the earliest versions of the system by Larry
+ Paulson. See @{file "~~/src/Pure/thm.ML"}, for example.
+
+ The header includes at least @{verbatim Title} and @{verbatim
+ Author} entries, followed by a prose description of the purpose of
+ the module. The latter can range from a single line to several
+ paragraphs of explanations.
+
+ The rest of the file is divided into sections, subsections,
+ subsubsections, paragraphs etc.\ using a simple layout via ML
+ comments as follows.
+
+\begin{verbatim}
+(*** section ***)
+
+(** subsection **)
+
+(* subsubsection *)
+
+(*short paragraph*)
+
+(*
+ long paragraph,
+ with more text
+*)
+\end{verbatim}
+
+ As in regular typography, there is some extra space \emph{before}
+ section headings that are adjacent to plain text (not other headings
+ as in the example above).
+
+ \medskip The precise wording of the prose text given in these
+ headings is chosen carefully to introduce the main theme of the
+ subsequent formal ML text.
+*}
+
+
+subsection {* Naming conventions *}
+
+text {* Since ML is the primary medium to express the meaning of the
+ source text, naming of ML entities requires special care.
+
+ \paragraph{Notation.} A name consists of 1--3 \emph{words} (rarely
+ 4, but not more) that are separated by underscore. There are three
+ variants concerning upper or lower case letters, which are used for
+ certain ML categories as follows:
+
+ \medskip
+ \begin{tabular}{lll}
+ variant & example & ML categories \\\hline
+ lower-case & @{ML_text foo_bar} & values, types, record fields \\
+ capitalized & @{ML_text Foo_Bar} & datatype constructors, structures, functors \\
+ upper-case & @{ML_text FOO_BAR} & special values, exception constructors, signatures \\
+ \end{tabular}
+ \medskip
+
+ For historical reasons, many capitalized names omit underscores,
+ e.g.\ old-style @{ML_text FooBar} instead of @{ML_text Foo_Bar}.
+ Genuine mixed-case names are \emph{not} used, because clear division
+ of words is essential for readability.\footnote{Camel-case was
+ invented to workaround the lack of underscore in some early
+ non-ASCII character sets. Later it became habitual in some language
+ communities that are now strong in numbers.}
+
+ A single (capital) character does not count as ``word'' in this
+ respect: some Isabelle/ML names are suffixed by extra markers like
+ this: @{ML_text foo_barT}.
+
+ Name variants are produced by adding 1--3 primes, e.g.\ @{ML_text
+ foo'}, @{ML_text foo''}, or @{ML_text foo'''}, but not @{ML_text
+ foo''''} or more. Decimal digits scale better to larger numbers,
+ e.g.\ @{ML_text foo0}, @{ML_text foo1}, @{ML_text foo42}.
+
+ \paragraph{Scopes.} Apart from very basic library modules, ML
+ structures are not ``opened'', but names are referenced with
+ explicit qualification, as in @{ML Syntax.string_of_term} for
+ example. When devising names for structures and their components it
+ is important aim at eye-catching compositions of both parts, because
+ this is how they are seen in the sources and documentation. For the
+ same reasons, aliases of well-known library functions should be
+ avoided.
+
+ Local names of function abstraction or case/let bindings are
+ typically shorter, sometimes using only rudiments of ``words'',
+ while still avoiding cryptic shorthands. An auxiliary function
+ called @{ML_text helper}, @{ML_text aux}, or @{ML_text f} is
+ considered bad style.
+
+ Example:
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ fun print_foo ctxt foo =
+ let
+ fun print t = ... Syntax.string_of_term ctxt t ...
+ in ... end;
+
+
+ (* RIGHT *)
+
+ fun print_foo ctxt foo =
+ let
+ val string_of_term = Syntax.string_of_term ctxt;
+ fun print t = ... string_of_term t ...
+ in ... end;
+
+
+ (* WRONG *)
+
+ val string_of_term = Syntax.string_of_term;
+
+ fun print_foo ctxt foo =
+ let
+ fun aux t = ... string_of_term ctxt t ...
+ in ... end;
+
+ \end{verbatim}
+
+
+ \paragraph{Specific conventions.} Here are some specific name forms
+ that occur frequently in the sources.
+
+ \begin{itemize}
+
+ \item A function that maps @{ML_text foo} to @{ML_text bar} is
+ called @{ML_text foo_to_bar} or @{ML_text bar_of_foo} (never
+ @{ML_text foo2bar}, @{ML_text bar_from_foo}, @{ML_text
+ bar_for_foo}, or @{ML_text bar4foo}).
+
+ \item The name component @{ML_text legacy} means that the operation
+ is about to be discontinued soon.
+
+ \item The name component @{ML_text old} means that this is historic
+ material that might disappear at some later stage.
+
+ \item The name component @{ML_text global} means that this works
+ with the background theory instead of the regular local context
+ (\secref{sec:context}), sometimes for historical reasons, sometimes
+ due a genuine lack of locality of the concept involved, sometimes as
+ a fall-back for the lack of a proper context in the application
+ code. Whenever there is a non-global variant available, the
+ application should be migrated to use it with a proper local
+ context.
+
+ \item Variables of the main context types of the Isabelle/Isar
+ framework (\secref{sec:context} and \chref{ch:local-theory}) have
+ firm naming conventions as follows:
+
+ \begin{itemize}
+
+ \item theories are called @{ML_text thy}, rarely @{ML_text theory}
+ (never @{ML_text thry})
+
+ \item proof contexts are called @{ML_text ctxt}, rarely @{ML_text
+ context} (never @{ML_text ctx})
+
+ \item generic contexts are called @{ML_text context}, rarely
+ @{ML_text ctxt}
+
+ \item local theories are called @{ML_text lthy}, except for local
+ theories that are treated as proof context (which is a semantic
+ super-type)
+
+ \end{itemize}
+
+ Variations with primed or decimal numbers are always possible, as
+ well as sematic prefixes like @{ML_text foo_thy} or @{ML_text
+ bar_ctxt}, but the base conventions above need to be preserved.
+ This allows to visualize the their data flow via plain regular
+ expressions in the editor.
+
+ \item The main logical entities (\secref{ch:logic}) have established
+ naming convention as follows:
+
+ \begin{itemize}
+
+ \item sorts are called @{ML_text S}
+
+ \item types are called @{ML_text T}, @{ML_text U}, or @{ML_text
+ ty} (never @{ML_text t})
+
+ \item terms are called @{ML_text t}, @{ML_text u}, or @{ML_text
+ tm} (never @{ML_text trm})
+
+ \item certified types are called @{ML_text cT}, rarely @{ML_text
+ T}, with variants as for types
+
+ \item certified terms are called @{ML_text ct}, rarely @{ML_text
+ t}, with variants as for terms
+
+ \item theorems are called @{ML_text th}, or @{ML_text thm}
+
+ \end{itemize}
+
+ Proper semantic names override these conventions completely. For
+ example, the left-hand side of an equation (as a term) can be called
+ @{ML_text lhs} (not @{ML_text lhs_tm}). Or a term that is known
+ to be a variable can be called @{ML_text v} or @{ML_text x}.
+
+ \item Tactics (\secref{sec:tactics}) are sufficiently important to
+ have specific naming conventions. The name of a basic tactic
+ definition always has a @{ML_text "_tac"} suffix, the subgoal index
+ (if applicable) is always called @{ML_text i}, and the goal state
+ (if made explicit) is usually called @{ML_text st} instead of the
+ somewhat misleading @{ML_text thm}. Any other arguments are given
+ before the latter two, and the general context is given first.
+ Example:
+
+ \begin{verbatim}
+ fun my_tac ctxt arg1 arg2 i st = ...
+ \end{verbatim}
+
+ Note that the goal state @{ML_text st} above is rarely made
+ explicit, if tactic combinators (tacticals) are used as usual.
+
+ \end{itemize}
+*}
+
+
+subsection {* General source layout *}
+
+text {* The general Isabelle/ML source layout imitates regular
+ type-setting to some extent, augmented by the requirements for
+ deeply nested expressions that are commonplace in functional
+ programming.
+
+ \paragraph{Line length} is 80 characters according to ancient
+ standards, but we allow as much as 100 characters (not
+ more).\footnote{Readability requires to keep the beginning of a line
+ in view while watching its end. Modern wide-screen displays do not
+ change the way how the human brain works. Sources also need to be
+ printable on plain paper with reasonable font-size.} The extra 20
+ characters acknowledge the space requirements due to qualified
+ library references in Isabelle/ML.
+
+ \paragraph{White-space} is used to emphasize the structure of
+ expressions, following mostly standard conventions for mathematical
+ typesetting, as can be seen in plain {\TeX} or {\LaTeX}. This
+ defines positioning of spaces for parentheses, punctuation, and
+ infixes as illustrated here:
+
+ \begin{verbatim}
+ val x = y + z * (a + b);
+ val pair = (a, b);
+ val record = {foo = 1, bar = 2};
+ \end{verbatim}
+
+ Lines are normally broken \emph{after} an infix operator or
+ punctuation character. For example:
+
+ \begin{verbatim}
+ val x =
+ a +
+ b +
+ c;
+
+ val tuple =
+ (a,
+ b,
+ c);
+ \end{verbatim}
+
+ Some special infixes (e.g.\ @{ML_text "|>"}) work better at the
+ start of the line, but punctuation is always at the end.
+
+ Function application follows the tradition of @{text "\<lambda>"}-calculus,
+ not informal mathematics. For example: @{ML_text "f a b"} for a
+ curried function, or @{ML_text "g (a, b)"} for a tupled function.
+ Note that the space between @{ML_text g} and the pair @{ML_text
+ "(a, b)"} follows the important principle of
+ \emph{compositionality}: the layout of @{ML_text "g p"} does not
+ change when @{ML_text "p"} is refined to the concrete pair
+ @{ML_text "(a, b)"}.
+
+ \paragraph{Indentation} uses plain spaces, never hard
+ tabulators.\footnote{Tabulators were invented to move the carriage
+ of a type-writer to certain predefined positions. In software they
+ could be used as a primitive run-length compression of consecutive
+ spaces, but the precise result would depend on non-standardized
+ editor configuration.}
+
+ Each level of nesting is indented by 2 spaces, sometimes 1, very
+ rarely 4, never 8 or any other odd number.
+
+ Indentation follows a simple logical format that only depends on the
+ nesting depth, not the accidental length of the text that initiates
+ a level of nesting. Example:
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ if b then
+ expr1_part1
+ expr1_part2
+ else
+ expr2_part1
+ expr2_part2
+
+
+ (* WRONG *)
+
+ if b then expr1_part1
+ expr1_part2
+ else expr2_part1
+ expr2_part2
+ \end{verbatim}
+
+ The second form has many problems: it assumes a fixed-width font
+ when viewing the sources, it uses more space on the line and thus
+ makes it hard to observe its strict length limit (working against
+ \emph{readability}), it requires extra editing to adapt the layout
+ to changes of the initial text (working against
+ \emph{maintainability}) etc.
+
+ \medskip For similar reasons, any kind of two-dimensional or tabular
+ layouts, ASCII-art with lines or boxes of asterisks etc.\ should be
+ avoided.
+
+ \paragraph{Complex expressions} that consist of multi-clausal
+ function definitions, @{ML_text handle}, @{ML_text case},
+ @{ML_text let} (and combinations) require special attention. The
+ syntax of Standard ML is quite ambitious and admits a lot of
+ variance that can distort the meaning of the text.
+
+ Clauses of @{ML_text fun}, @{ML_text fn}, @{ML_text handle},
+ @{ML_text case} get extra indentation to indicate the nesting
+ clearly. Example:
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ fun foo p1 =
+ expr1
+ | foo p2 =
+ expr2
+
+
+ (* WRONG *)
+
+ fun foo p1 =
+ expr1
+ | foo p2 =
+ expr2
+ \end{verbatim}
+
+ Body expressions consisting of @{ML_text case} or @{ML_text let}
+ require care to maintain compositionality, to prevent loss of
+ logical indentation where it is especially important to see the
+ structure of the text. Example:
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ fun foo p1 =
+ (case e of
+ q1 => ...
+ | q2 => ...)
+ | foo p2 =
+ let
+ ...
+ in
+ ...
+ end
+
+
+ (* WRONG *)
+
+ fun foo p1 = case e of
+ q1 => ...
+ | q2 => ...
+ | foo p2 =
+ let
+ ...
+ in
+ ...
+ end
+ \end{verbatim}
+
+ Extra parentheses around @{ML_text case} expressions are optional,
+ but help to analyse the nesting based on character matching in the
+ editor.
+
+ \medskip There are two main exceptions to the overall principle of
+ compositionality in the layout of complex expressions.
+
+ \begin{enumerate}
+
+ \item @{ML_text "if"} expressions are iterated as if there would be
+ a multi-branch conditional in SML, e.g.
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ if b1 then e1
+ else if b2 then e2
+ else e3
+ \end{verbatim}
+
+ \item @{ML_text fn} abstractions are often layed-out as if they
+ would lack any structure by themselves. This traditional form is
+ motivated by the possibility to shift function arguments back and
+ forth wrt.\ additional combinators. Example:
+
+ \begin{verbatim}
+ (* RIGHT *)
+
+ fun foo x y = fold (fn z =>
+ expr)
+ \end{verbatim}
+
+ Here the visual appearance is that of three arguments @{ML_text x},
+ @{ML_text y}, @{ML_text z}.
+
+ \end{enumerate}
+
+ Such weakly structured layout should be use with great care. Here
+ are some counter-examples involving @{ML_text let} expressions:
+
+ \begin{verbatim}
+ (* WRONG *)
+
+ fun foo x = let
+ val y = ...
+ in ... end
+
+
+ (* WRONG *)
+
+ fun foo x = let
+ val y = ...
+ in ... end
+
+
+ (* WRONG *)
+
+ fun foo x =
+ let
+ val y = ...
+ in ... end
+ \end{verbatim}
+
+ \medskip In general the source layout is meant to emphasize the
+ structure of complex language expressions, not to pretend that SML
+ had a completely different syntax (say that of Haskell or Java).
+*}
+
+
+section {* SML embedded into Isabelle/Isar *}
+
+text {* ML and Isar are intertwined via an open-ended bootstrap
+ process that provides more and more programming facilities and
+ logical content in an alternating manner. Bootstrapping starts from
+ the raw environment of existing implementations of Standard ML
+ (mainly Poly/ML, but also SML/NJ).
+
+ Isabelle/Pure marks the point where the original ML toplevel is
+ superseded by the Isar toplevel that maintains a uniform context for
+ arbitrary ML values (see also \secref{sec:context}). This formal
+ environment holds ML compiler bindings, logical entities, and many
+ other things. Raw SML is never encountered again after the initial
+ bootstrap of Isabelle/Pure.
+
+ Object-logics like Isabelle/HOL are built within the
+ Isabelle/ML/Isar environment by introducing suitable theories with
+ associated ML modules, either inlined or as separate files. Thus
+ Isabelle/HOL is defined as a regular user-space application within
+ the Isabelle framework. Further add-on tools can be implemented in
+ ML within the Isar context in the same manner: ML is part of the
+ standard repertoire of Isabelle, and there is no distinction between
+ ``user'' and ``developer'' in this respect.
+*}
+
+
+subsection {* Isar ML commands *}
+
+text {* The primary Isar source language provides facilities to ``open
+ a window'' to the underlying ML compiler. Especially see the Isar
+ commands @{command_ref "use"} and @{command_ref "ML"}: both work the
+ same way, only the source text is provided via a file vs.\ inlined,
+ respectively. Apart from embedding ML into the main theory
+ definition like that, there are many more commands that refer to ML
+ source, such as @{command_ref setup} or @{command_ref declaration}.
+ Even more fine-grained embedding of ML into Isar is encountered in
+ the proof method @{method_ref tactic}, which refines the pending
+ goal state via a given expression of type @{ML_type tactic}.
+*}
+
+text %mlex {* The following artificial example demonstrates some ML
+ toplevel declarations within the implicit Isar theory context. This
+ is regular functional programming without referring to logical
+ entities yet.
+*}
+
+ML {*
+ fun factorial 0 = 1
+ | factorial n = n * factorial (n - 1)
+*}
+
+text {* Here the ML environment is already managed by Isabelle, i.e.\
+ the @{ML factorial} function is not yet accessible in the preceding
+ paragraph, nor in a different theory that is independent from the
+ current one in the import hierarchy.
+
+ Removing the above ML declaration from the source text will remove
+ any trace of this definition as expected. The Isabelle/ML toplevel
+ environment is managed in a \emph{stateless} way: unlike the raw ML
+ toplevel there are no global side-effects involved
+ here.\footnote{Such a stateless compilation environment is also a
+ prerequisite for robust parallel compilation within independent
+ nodes of the implicit theory development graph.}
+
+ \medskip The next example shows how to embed ML into Isar proofs, using
+ @{command_ref "ML_prf"} instead of Instead of @{command_ref "ML"}.
+ As illustrated below, the effect on the ML environment is local to
+ the whole proof body, ignoring the block structure.
+*}
+
+notepad
+begin
+ ML_prf %"ML" {* val a = 1 *}
+ {
+ ML_prf %"ML" {* val b = a + 1 *}
+ } -- {* Isar block structure ignored by ML environment *}
+ ML_prf %"ML" {* val c = b + 1 *}
+end
+
+text {* By side-stepping the normal scoping rules for Isar proof
+ blocks, embedded ML code can refer to the different contexts and
+ manipulate corresponding entities, e.g.\ export a fact from a block
+ context.
+
+ \medskip Two further ML commands are useful in certain situations:
+ @{command_ref ML_val} and @{command_ref ML_command} are
+ \emph{diagnostic} in the sense that there is no effect on the
+ underlying environment, and can thus used anywhere (even outside a
+ theory). The examples below produce long strings of digits by
+ invoking @{ML factorial}: @{command ML_val} already takes care of
+ printing the ML toplevel result, but @{command ML_command} is silent
+ so we produce an explicit output message. *}
+
+ML_val {* factorial 100 *}
+ML_command {* writeln (string_of_int (factorial 100)) *}
+
+notepad
+begin
+ ML_val {* factorial 100 *} (* FIXME check/fix indentation *)
+ ML_command {* writeln (string_of_int (factorial 100)) *}
+end
+
+
+subsection {* Compile-time context *}
+
+text {* Whenever the ML compiler is invoked within Isabelle/Isar, the
+ formal context is passed as a thread-local reference variable. Thus
+ ML code may access the theory context during compilation, by reading
+ or writing the (local) theory under construction. Note that such
+ direct access to the compile-time context is rare. In practice it
+ is typically done via some derived ML functions instead.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML ML_Context.the_generic_context: "unit -> Context.generic"} \\
+ @{index_ML "Context.>>": "(Context.generic -> Context.generic) -> unit"} \\
+ @{index_ML bind_thms: "string * thm list -> unit"} \\
+ @{index_ML bind_thm: "string * thm -> unit"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML "ML_Context.the_generic_context ()"} refers to the theory
+ context of the ML toplevel --- at compile time. ML code needs to
+ take care to refer to @{ML "ML_Context.the_generic_context ()"}
+ correctly. Recall that evaluation of a function body is delayed
+ until actual run-time.
+
+ \item @{ML "Context.>>"}~@{text f} applies context transformation
+ @{text f} to the implicit context of the ML toplevel.
+
+ \item @{ML bind_thms}~@{text "(name, thms)"} stores a list of
+ theorems produced in ML both in the (global) theory context and the
+ ML toplevel, associating it with the provided name. Theorems are
+ put into a global ``standard'' format before being stored.
+
+ \item @{ML bind_thm} is similar to @{ML bind_thms} but refers to a
+ singleton fact.
+
+ \end{description}
+
+ It is important to note that the above functions are really
+ restricted to the compile time, even though the ML compiler is
+ invoked at run-time. The majority of ML code either uses static
+ antiquotations (\secref{sec:ML-antiq}) or refers to the theory or
+ proof context at run-time, by explicit functional abstraction.
+*}
+
+
+subsection {* Antiquotations \label{sec:ML-antiq} *}
+
+text {* A very important consequence of embedding SML into Isar is the
+ concept of \emph{ML antiquotation}. The standard token language of
+ ML is augmented by special syntactic entities of the following form:
+
+ @{rail "
+ @{syntax_def antiquote}: '@{' nameref args '}' | '\<lbrace>' | '\<rbrace>'
+ "}
+
+ Here @{syntax nameref} and @{syntax args} are regular outer syntax
+ categories \cite{isabelle-isar-ref}. Attributes and proof methods
+ use similar syntax.
+
+ \medskip A regular antiquotation @{text "@{name args}"} processes
+ its arguments by the usual means of the Isar source language, and
+ produces corresponding ML source text, either as literal
+ \emph{inline} text (e.g. @{text "@{term t}"}) or abstract
+ \emph{value} (e.g. @{text "@{thm th}"}). This pre-compilation
+ scheme allows to refer to formal entities in a robust manner, with
+ proper static scoping and with some degree of logical checking of
+ small portions of the code.
+
+ Special antiquotations like @{text "@{let \<dots>}"} or @{text "@{note
+ \<dots>}"} augment the compilation context without generating code. The
+ non-ASCII braces @{text "\<lbrace>"} and @{text "\<rbrace>"} allow to delimit the
+ effect by introducing local blocks within the pre-compilation
+ environment.
+
+ \medskip See also \cite{Wenzel-Chaieb:2007b} for a broader
+ perspective on Isabelle/ML antiquotations. *}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "let"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "note"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation let} ((term + @'and') '=' term + @'and')
+ ;
+ @@{ML_antiquotation note} (thmdef? thmrefs + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{text "@{let p = t}"} binds schematic variables in the
+ pattern @{text "p"} by higher-order matching against the term @{text
+ "t"}. This is analogous to the regular @{command_ref let} command
+ in the Isar proof language. The pre-compilation environment is
+ augmented by auxiliary term bindings, without emitting ML source.
+
+ \item @{text "@{note a = b\<^sub>1 \<dots> b\<^sub>n}"} recalls existing facts @{text
+ "b\<^sub>1, \<dots>, b\<^sub>n"}, binding the result as @{text a}. This is analogous to
+ the regular @{command_ref note} command in the Isar proof language.
+ The pre-compilation environment is augmented by auxiliary fact
+ bindings, without emitting ML source.
+
+ \end{description}
+*}
+
+text %mlex {* The following artificial example gives some impression
+ about the antiquotation elements introduced so far, together with
+ the important @{text "@{thm}"} antiquotation defined later.
+*}
+
+ML {*
+ \<lbrace>
+ @{let ?t = my_term}
+ @{note my_refl = reflexive [of ?t]}
+ fun foo th = Thm.transitive th @{thm my_refl}
+ \<rbrace>
+*}
+
+text {* The extra block delimiters do not affect the compiled code
+ itself, i.e.\ function @{ML foo} is available in the present context
+ of this paragraph.
+*}
+
+
+section {* Canonical argument order \label{sec:canonical-argument-order} *}
+
+text {* Standard ML is a language in the tradition of @{text
+ "\<lambda>"}-calculus and \emph{higher-order functional programming},
+ similar to OCaml, Haskell, or Isabelle/Pure and HOL as logical
+ languages. Getting acquainted with the native style of representing
+ functions in that setting can save a lot of extra boiler-plate of
+ redundant shuffling of arguments, auxiliary abstractions etc.
+
+ Functions are usually \emph{curried}: the idea of turning arguments
+ of type @{text "\<tau>\<^sub>i"} (for @{text "i \<in> {1, \<dots> n}"}) into a result of
+ type @{text "\<tau>"} is represented by the iterated function space
+ @{text "\<tau>\<^sub>1 \<rightarrow> \<dots> \<rightarrow> \<tau>\<^sub>n \<rightarrow> \<tau>"}. This is isomorphic to the well-known
+ encoding via tuples @{text "\<tau>\<^sub>1 \<times> \<dots> \<times> \<tau>\<^sub>n \<rightarrow> \<tau>"}, but the curried
+ version fits more smoothly into the basic calculus.\footnote{The
+ difference is even more significant in higher-order logic, because
+ the redundant tuple structure needs to be accommodated by formal
+ reasoning.}
+
+ Currying gives some flexiblity due to \emph{partial application}. A
+ function @{text "f: \<tau>\<^sub>1 \<rightarrow> \<tau>\<^bsub>2\<^esub> \<rightarrow> \<tau>"} can be applied to @{text "x: \<tau>\<^sub>1"}
+ and the remaining @{text "(f x): \<tau>\<^sub>2 \<rightarrow> \<tau>"} passed to another function
+ etc. How well this works in practice depends on the order of
+ arguments. In the worst case, arguments are arranged erratically,
+ and using a function in a certain situation always requires some
+ glue code. Thus we would get exponentially many oppurtunities to
+ decorate the code with meaningless permutations of arguments.
+
+ This can be avoided by \emph{canonical argument order}, which
+ observes certain standard patterns and minimizes adhoc permutations
+ in their application. In Isabelle/ML, large portions of text can be
+ written without ever using @{text "swap: \<alpha> \<times> \<beta> \<rightarrow> \<beta> \<times> \<alpha>"}, or the
+ combinator @{text "C: (\<alpha> \<rightarrow> \<beta> \<rightarrow> \<gamma>) \<rightarrow> (\<beta> \<rightarrow> \<alpha> \<rightarrow> \<gamma>)"} that is not even
+ defined in our library.
+
+ \medskip The basic idea is that arguments that vary less are moved
+ further to the left than those that vary more. Two particularly
+ important categories of functions are \emph{selectors} and
+ \emph{updates}.
+
+ The subsequent scheme is based on a hypothetical set-like container
+ of type @{text "\<beta>"} that manages elements of type @{text "\<alpha>"}. Both
+ the names and types of the associated operations are canonical for
+ Isabelle/ML.
+
+ \medskip
+ \begin{tabular}{ll}
+ kind & canonical name and type \\\hline
+ selector & @{text "member: \<beta> \<rightarrow> \<alpha> \<rightarrow> bool"} \\
+ update & @{text "insert: \<alpha> \<rightarrow> \<beta> \<rightarrow> \<beta>"} \\
+ \end{tabular}
+ \medskip
+
+ Given a container @{text "B: \<beta>"}, the partially applied @{text
+ "member B"} is a predicate over elements @{text "\<alpha> \<rightarrow> bool"}, and
+ thus represents the intended denotation directly. It is customary
+ to pass the abstract predicate to further operations, not the
+ concrete container. The argument order makes it easy to use other
+ combinators: @{text "forall (member B) list"} will check a list of
+ elements for membership in @{text "B"} etc. Often the explicit
+ @{text "list"} is pointless and can be contracted to @{text "forall
+ (member B)"} to get directly a predicate again.
+
+ In contrast, an update operation varies the container, so it moves
+ to the right: @{text "insert a"} is a function @{text "\<beta> \<rightarrow> \<beta>"} to
+ insert a value @{text "a"}. These can be composed naturally as
+ @{text "insert c \<circ> insert b \<circ> insert a"}. The slightly awkward
+ inversion of the composition order is due to conventional
+ mathematical notation, which can be easily amended as explained
+ below.
+*}
+
+
+subsection {* Forward application and composition *}
+
+text {* Regular function application and infix notation works best for
+ relatively deeply structured expressions, e.g.\ @{text "h (f x y + g
+ z)"}. The important special case of \emph{linear transformation}
+ applies a cascade of functions @{text "f\<^sub>n (\<dots> (f\<^sub>1 x))"}. This
+ becomes hard to read and maintain if the functions are themselves
+ given as complex expressions. The notation can be significantly
+ improved by introducing \emph{forward} versions of application and
+ composition as follows:
+
+ \medskip
+ \begin{tabular}{lll}
+ @{text "x |> f"} & @{text "\<equiv>"} & @{text "f x"} \\
+ @{text "(f #> g) x"} & @{text "\<equiv>"} & @{text "x |> f |> g"} \\
+ \end{tabular}
+ \medskip
+
+ This enables to write conveniently @{text "x |> f\<^sub>1 |> \<dots> |> f\<^sub>n"} or
+ @{text "f\<^sub>1 #> \<dots> #> f\<^sub>n"} for its functional abstraction over @{text
+ "x"}.
+
+ \medskip There is an additional set of combinators to accommodate
+ multiple results (via pairs) that are passed on as multiple
+ arguments (via currying).
+
+ \medskip
+ \begin{tabular}{lll}
+ @{text "(x, y) |-> f"} & @{text "\<equiv>"} & @{text "f x y"} \\
+ @{text "(f #-> g) x"} & @{text "\<equiv>"} & @{text "x |> f |-> g"} \\
+ \end{tabular}
+ \medskip
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_op "|> ": "'a * ('a -> 'b) -> 'b"} \\
+ @{index_ML_op "|-> ": "('c * 'a) * ('c -> 'a -> 'b) -> 'b"} \\
+ @{index_ML_op "#> ": "('a -> 'b) * ('b -> 'c) -> 'a -> 'c"} \\
+ @{index_ML_op "#-> ": "('a -> 'c * 'b) * ('c -> 'b -> 'd) -> 'a -> 'd"} \\
+ \end{mldecls}
+
+ %FIXME description!?
+*}
+
+
+subsection {* Canonical iteration *}
+
+text {* As explained above, a function @{text "f: \<alpha> \<rightarrow> \<beta> \<rightarrow> \<beta>"} can be
+ understood as update on a configuration of type @{text "\<beta>"},
+ parametrized by arguments of type @{text "\<alpha>"}. Given @{text "a: \<alpha>"}
+ the partial application @{text "(f a): \<beta> \<rightarrow> \<beta>"} operates
+ homogeneously on @{text "\<beta>"}. This can be iterated naturally over a
+ list of parameters @{text "[a\<^sub>1, \<dots>, a\<^sub>n]"} as @{text "f a\<^sub>1 #> \<dots> #> f
+ a\<^bsub>n\<^esub>\<^bsub>\<^esub>"}. The latter expression is again a function @{text "\<beta> \<rightarrow> \<beta>"}.
+ It can be applied to an initial configuration @{text "b: \<beta>"} to
+ start the iteration over the given list of arguments: each @{text
+ "a"} in @{text "a\<^sub>1, \<dots>, a\<^sub>n"} is applied consecutively by updating a
+ cumulative configuration.
+
+ The @{text fold} combinator in Isabelle/ML lifts a function @{text
+ "f"} as above to its iterated version over a list of arguments.
+ Lifting can be repeated, e.g.\ @{text "(fold \<circ> fold) f"} iterates
+ over a list of lists as expected.
+
+ The variant @{text "fold_rev"} works inside-out over the list of
+ arguments, such that @{text "fold_rev f \<equiv> fold f \<circ> rev"} holds.
+
+ The @{text "fold_map"} combinator essentially performs @{text
+ "fold"} and @{text "map"} simultaneously: each application of @{text
+ "f"} produces an updated configuration together with a side-result;
+ the iteration collects all such side-results as a separate list.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML fold: "('a -> 'b -> 'b) -> 'a list -> 'b -> 'b"} \\
+ @{index_ML fold_rev: "('a -> 'b -> 'b) -> 'a list -> 'b -> 'b"} \\
+ @{index_ML fold_map: "('a -> 'b -> 'c * 'b) -> 'a list -> 'b -> 'c list * 'b"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML fold}~@{text f} lifts the parametrized update function
+ @{text "f"} to a list of parameters.
+
+ \item @{ML fold_rev}~@{text "f"} is similar to @{ML fold}~@{text
+ "f"}, but works inside-out.
+
+ \item @{ML fold_map}~@{text "f"} lifts the parametrized update
+ function @{text "f"} (with side-result) to a list of parameters and
+ cumulative side-results.
+
+ \end{description}
+
+ \begin{warn}
+ The literature on functional programming provides a multitude of
+ combinators called @{text "foldl"}, @{text "foldr"} etc. SML97
+ provides its own variations as @{ML List.foldl} and @{ML
+ List.foldr}, while the classic Isabelle library also has the
+ historic @{ML Library.foldl} and @{ML Library.foldr}. To avoid
+ further confusion, all of this should be ignored, and @{ML fold} (or
+ @{ML fold_rev}) used exclusively.
+ \end{warn}
+*}
+
+text %mlex {* The following example shows how to fill a text buffer
+ incrementally by adding strings, either individually or from a given
+ list.
+*}
+
+ML {*
+ val s =
+ Buffer.empty
+ |> Buffer.add "digits: "
+ |> fold (Buffer.add o string_of_int) (0 upto 9)
+ |> Buffer.content;
+
+ @{assert} (s = "digits: 0123456789");
+*}
+
+text {* Note how @{ML "fold (Buffer.add o string_of_int)"} above saves
+ an extra @{ML "map"} over the given list. This kind of peephole
+ optimization reduces both the code size and the tree structures in
+ memory (``deforestation''), but requires some practice to read and
+ write it fluently.
+
+ \medskip The next example elaborates the idea of canonical
+ iteration, demonstrating fast accumulation of tree content using a
+ text buffer.
+*}
+
+ML {*
+ datatype tree = Text of string | Elem of string * tree list;
+
+ fun slow_content (Text txt) = txt
+ | slow_content (Elem (name, ts)) =
+ "<" ^ name ^ ">" ^
+ implode (map slow_content ts) ^
+ "</" ^ name ^ ">"
+
+ fun add_content (Text txt) = Buffer.add txt
+ | add_content (Elem (name, ts)) =
+ Buffer.add ("<" ^ name ^ ">") #>
+ fold add_content ts #>
+ Buffer.add ("</" ^ name ^ ">");
+
+ fun fast_content tree =
+ Buffer.empty |> add_content tree |> Buffer.content;
+*}
+
+text {* The slow part of @{ML slow_content} is the @{ML implode} of
+ the recursive results, because it copies previously produced strings
+ again.
+
+ The incremental @{ML add_content} avoids this by operating on a
+ buffer that is passed through in a linear fashion. Using @{ML_text
+ "#>"} and contraction over the actual buffer argument saves some
+ additional boiler-plate. Of course, the two @{ML "Buffer.add"}
+ invocations with concatenated strings could have been split into
+ smaller parts, but this would have obfuscated the source without
+ making a big difference in allocations. Here we have done some
+ peephole-optimization for the sake of readability.
+
+ Another benefit of @{ML add_content} is its ``open'' form as a
+ function on buffers that can be continued in further linear
+ transformations, folding etc. Thus it is more compositional than
+ the naive @{ML slow_content}. As realistic example, compare the
+ old-style @{ML "Term.maxidx_of_term: term -> int"} with the newer
+ @{ML "Term.maxidx_term: term -> int -> int"} in Isabelle/Pure.
+
+ Note that @{ML fast_content} above is only defined as example. In
+ many practical situations, it is customary to provide the
+ incremental @{ML add_content} only and leave the initialization and
+ termination to the concrete application by the user.
+*}
+
+
+section {* Message output channels \label{sec:message-channels} *}
+
+text {* Isabelle provides output channels for different kinds of
+ messages: regular output, high-volume tracing information, warnings,
+ and errors.
+
+ Depending on the user interface involved, these messages may appear
+ in different text styles or colours. The standard output for
+ terminal sessions prefixes each line of warnings by @{verbatim
+ "###"} and errors by @{verbatim "***"}, but leaves anything else
+ unchanged.
+
+ Messages are associated with the transaction context of the running
+ Isar command. This enables the front-end to manage commands and
+ resulting messages together. For example, after deleting a command
+ from a given theory document version, the corresponding message
+ output can be retracted from the display.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML writeln: "string -> unit"} \\
+ @{index_ML tracing: "string -> unit"} \\
+ @{index_ML warning: "string -> unit"} \\
+ @{index_ML error: "string -> 'a"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML writeln}~@{text "text"} outputs @{text "text"} as regular
+ message. This is the primary message output operation of Isabelle
+ and should be used by default.
+
+ \item @{ML tracing}~@{text "text"} outputs @{text "text"} as special
+ tracing message, indicating potential high-volume output to the
+ front-end (hundreds or thousands of messages issued by a single
+ command). The idea is to allow the user-interface to downgrade the
+ quality of message display to achieve higher throughput.
+
+ Note that the user might have to take special actions to see tracing
+ output, e.g.\ switch to a different output window. So this channel
+ should not be used for regular output.
+
+ \item @{ML warning}~@{text "text"} outputs @{text "text"} as
+ warning, which typically means some extra emphasis on the front-end
+ side (color highlighting, icons, etc.).
+
+ \item @{ML error}~@{text "text"} raises exception @{ML ERROR}~@{text
+ "text"} and thus lets the Isar toplevel print @{text "text"} on the
+ error channel, which typically means some extra emphasis on the
+ front-end side (color highlighting, icons, etc.).
+
+ This assumes that the exception is not handled before the command
+ terminates. Handling exception @{ML ERROR}~@{text "text"} is a
+ perfectly legal alternative: it means that the error is absorbed
+ without any message output.
+
+ \begin{warn}
+ The actual error channel is accessed via @{ML Output.error_msg}, but
+ the interaction protocol of Proof~General \emph{crashes} if that
+ function is used in regular ML code: error output and toplevel
+ command failure always need to coincide.
+ \end{warn}
+
+ \end{description}
+
+ \begin{warn}
+ Regular Isabelle/ML code should output messages exclusively by the
+ official channels. Using raw I/O on \emph{stdout} or \emph{stderr}
+ instead (e.g.\ via @{ML TextIO.output}) is apt to cause problems in
+ the presence of parallel and asynchronous processing of Isabelle
+ theories. Such raw output might be displayed by the front-end in
+ some system console log, with a low chance that the user will ever
+ see it. Moreover, as a genuine side-effect on global process
+ channels, there is no proper way to retract output when Isar command
+ transactions are reset by the system.
+ \end{warn}
+
+ \begin{warn}
+ The message channels should be used in a message-oriented manner.
+ This means that multi-line output that logically belongs together is
+ issued by a \emph{single} invocation of @{ML writeln} etc.\ with the
+ functional concatenation of all message constituents.
+ \end{warn}
+*}
+
+text %mlex {* The following example demonstrates a multi-line
+ warning. Note that in some situations the user sees only the first
+ line, so the most important point should be made first.
+*}
+
+ML_command {*
+ warning (cat_lines
+ ["Beware the Jabberwock, my son!",
+ "The jaws that bite, the claws that catch!",
+ "Beware the Jubjub Bird, and shun",
+ "The frumious Bandersnatch!"]);
+*}
+
+
+section {* Exceptions \label{sec:exceptions} *}
+
+text {* The Standard ML semantics of strict functional evaluation
+ together with exceptions is rather well defined, but some delicate
+ points need to be observed to avoid that ML programs go wrong
+ despite static type-checking. Exceptions in Isabelle/ML are
+ subsequently categorized as follows.
+
+ \paragraph{Regular user errors.} These are meant to provide
+ informative feedback about malformed input etc.
+
+ The \emph{error} function raises the corresponding \emph{ERROR}
+ exception, with a plain text message as argument. \emph{ERROR}
+ exceptions can be handled internally, in order to be ignored, turned
+ into other exceptions, or cascaded by appending messages. If the
+ corresponding Isabelle/Isar command terminates with an \emph{ERROR}
+ exception state, the toplevel will print the result on the error
+ channel (see \secref{sec:message-channels}).
+
+ It is considered bad style to refer to internal function names or
+ values in ML source notation in user error messages.
+
+ Grammatical correctness of error messages can be improved by
+ \emph{omitting} final punctuation: messages are often concatenated
+ or put into a larger context (e.g.\ augmented with source position).
+ By not insisting in the final word at the origin of the error, the
+ system can perform its administrative tasks more easily and
+ robustly.
+
+ \paragraph{Program failures.} There is a handful of standard
+ exceptions that indicate general failure situations, or failures of
+ core operations on logical entities (types, terms, theorems,
+ theories, see \chref{ch:logic}).
+
+ These exceptions indicate a genuine breakdown of the program, so the
+ main purpose is to determine quickly what has happened where.
+ Traditionally, the (short) exception message would include the name
+ of an ML function, although this is no longer necessary, because the
+ ML runtime system prints a detailed source position of the
+ corresponding @{ML_text raise} keyword.
+
+ \medskip User modules can always introduce their own custom
+ exceptions locally, e.g.\ to organize internal failures robustly
+ without overlapping with existing exceptions. Exceptions that are
+ exposed in module signatures require extra care, though, and should
+ \emph{not} be introduced by default. Surprise by users of a module
+ can be often minimized by using plain user errors instead.
+
+ \paragraph{Interrupts.} These indicate arbitrary system events:
+ both the ML runtime system and the Isabelle/ML infrastructure signal
+ various exceptional situations by raising the special
+ \emph{Interrupt} exception in user code.
+
+ This is the one and only way that physical events can intrude an
+ Isabelle/ML program. Such an interrupt can mean out-of-memory,
+ stack overflow, timeout, internal signaling of threads, or the user
+ producing a console interrupt manually etc. An Isabelle/ML program
+ that intercepts interrupts becomes dependent on physical effects of
+ the environment. Even worse, exception handling patterns that are
+ too general by accident, e.g.\ by mispelled exception constructors,
+ will cover interrupts unintentionally and thus render the program
+ semantics ill-defined.
+
+ Note that the Interrupt exception dates back to the original SML90
+ language definition. It was excluded from the SML97 version to
+ avoid its malign impact on ML program semantics, but without
+ providing a viable alternative. Isabelle/ML recovers physical
+ interruptibility (which is an indispensable tool to implement
+ managed evaluation of command transactions), but requires user code
+ to be strictly transparent wrt.\ interrupts.
+
+ \begin{warn}
+ Isabelle/ML user code needs to terminate promptly on interruption,
+ without guessing at its meaning to the system infrastructure.
+ Temporary handling of interrupts for cleanup of global resources
+ etc.\ needs to be followed immediately by re-raising of the original
+ exception.
+ \end{warn}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML try: "('a -> 'b) -> 'a -> 'b option"} \\
+ @{index_ML can: "('a -> 'b) -> 'a -> bool"} \\
+ @{index_ML ERROR: "string -> exn"} \\
+ @{index_ML Fail: "string -> exn"} \\
+ @{index_ML Exn.is_interrupt: "exn -> bool"} \\
+ @{index_ML reraise: "exn -> 'a"} \\
+ @{index_ML exception_trace: "(unit -> 'a) -> 'a"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML try}~@{text "f x"} makes the partiality of evaluating
+ @{text "f x"} explicit via the option datatype. Interrupts are
+ \emph{not} handled here, i.e.\ this form serves as safe replacement
+ for the \emph{unsafe} version @{ML_text "(SOME"}~@{text "f
+ x"}~@{ML_text "handle _ => NONE)"} that is occasionally seen in
+ books about SML.
+
+ \item @{ML can} is similar to @{ML try} with more abstract result.
+
+ \item @{ML ERROR}~@{text "msg"} represents user errors; this
+ exception is normally raised indirectly via the @{ML error} function
+ (see \secref{sec:message-channels}).
+
+ \item @{ML Fail}~@{text "msg"} represents general program failures.
+
+ \item @{ML Exn.is_interrupt} identifies interrupts robustly, without
+ mentioning concrete exception constructors in user code. Handled
+ interrupts need to be re-raised promptly!
+
+ \item @{ML reraise}~@{text "exn"} raises exception @{text "exn"}
+ while preserving its implicit position information (if possible,
+ depending on the ML platform).
+
+ \item @{ML exception_trace}~@{ML_text "(fn () =>"}~@{text
+ "e"}@{ML_text ")"} evaluates expression @{text "e"} while printing
+ a full trace of its stack of nested exceptions (if possible,
+ depending on the ML platform).\footnote{In versions of Poly/ML the
+ trace will appear on raw stdout of the Isabelle process.}
+
+ Inserting @{ML exception_trace} into ML code temporarily is useful
+ for debugging, but not suitable for production code.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "assert"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{text "@{assert}"} inlines a function
+ @{ML_type "bool -> unit"} that raises @{ML Fail} if the argument is
+ @{ML false}. Due to inlining the source position of failed
+ assertions is included in the error output.
+
+ \end{description}
+*}
+
+
+section {* Basic data types *}
+
+text {* The basis library proposal of SML97 needs to be treated with
+ caution. Many of its operations simply do not fit with important
+ Isabelle/ML conventions (like ``canonical argument order'', see
+ \secref{sec:canonical-argument-order}), others cause problems with
+ the parallel evaluation model of Isabelle/ML (such as @{ML
+ TextIO.print} or @{ML OS.Process.system}).
+
+ Subsequently we give a brief overview of important operations on
+ basic ML data types.
+*}
+
+
+subsection {* Characters *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type char} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type char} is \emph{not} used. The smallest textual
+ unit in Isabelle is represented as a ``symbol'' (see
+ \secref{sec:symbols}).
+
+ \end{description}
+*}
+
+
+subsection {* Integers *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type int} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type int} represents regular mathematical integers,
+ which are \emph{unbounded}. Overflow never happens in
+ practice.\footnote{The size limit for integer bit patterns in memory
+ is 64\,MB for 32-bit Poly/ML, and much higher for 64-bit systems.}
+ This works uniformly for all supported ML platforms (Poly/ML and
+ SML/NJ).
+
+ Literal integers in ML text are forced to be of this one true
+ integer type --- overloading of SML97 is disabled.
+
+ Structure @{ML_struct IntInf} of SML97 is obsolete and superseded by
+ @{ML_struct Int}. Structure @{ML_struct Integer} in @{file
+ "~~/src/Pure/General/integer.ML"} provides some additional
+ operations.
+
+ \end{description}
+*}
+
+
+subsection {* Time *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Time.time} \\
+ @{index_ML seconds: "real -> Time.time"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Time.time} represents time abstractly according
+ to the SML97 basis library definition. This is adequate for
+ internal ML operations, but awkward in concrete time specifications.
+
+ \item @{ML seconds}~@{text "s"} turns the concrete scalar @{text
+ "s"} (measured in seconds) into an abstract time value. Floating
+ point numbers are easy to use as context parameters (e.g.\ via
+ configuration options, see \secref{sec:config-options}) or
+ preferences that are maintained by external tools as well.
+
+ \end{description}
+*}
+
+
+subsection {* Options *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Option.map: "('a -> 'b) -> 'a option -> 'b option"} \\
+ @{index_ML is_some: "'a option -> bool"} \\
+ @{index_ML is_none: "'a option -> bool"} \\
+ @{index_ML the: "'a option -> 'a"} \\
+ @{index_ML these: "'a list option -> 'a list"} \\
+ @{index_ML the_list: "'a option -> 'a list"} \\
+ @{index_ML the_default: "'a -> 'a option -> 'a"} \\
+ \end{mldecls}
+*}
+
+text {* Apart from @{ML Option.map} most operations defined in
+ structure @{ML_struct Option} are alien to Isabelle/ML. The
+ operations shown above are defined in @{file
+ "~~/src/Pure/General/basics.ML"}, among others. *}
+
+
+subsection {* Lists *}
+
+text {* Lists are ubiquitous in ML as simple and light-weight
+ ``collections'' for many everyday programming tasks. Isabelle/ML
+ provides important additions and improvements over operations that
+ are predefined in the SML97 library. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML cons: "'a -> 'a list -> 'a list"} \\
+ @{index_ML member: "('b * 'a -> bool) -> 'a list -> 'b -> bool"} \\
+ @{index_ML insert: "('a * 'a -> bool) -> 'a -> 'a list -> 'a list"} \\
+ @{index_ML remove: "('b * 'a -> bool) -> 'b -> 'a list -> 'a list"} \\
+ @{index_ML update: "('a * 'a -> bool) -> 'a -> 'a list -> 'a list"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML cons}~@{text "x xs"} evaluates to @{text "x :: xs"}.
+
+ Tupled infix operators are a historical accident in Standard ML.
+ The curried @{ML cons} amends this, but it should be only used when
+ partial application is required.
+
+ \item @{ML member}, @{ML insert}, @{ML remove}, @{ML update} treat
+ lists as a set-like container that maintains the order of elements.
+ See @{file "~~/src/Pure/library.ML"} for the full specifications
+ (written in ML). There are some further derived operations like
+ @{ML union} or @{ML inter}.
+
+ Note that @{ML insert} is conservative about elements that are
+ already a @{ML member} of the list, while @{ML update} ensures that
+ the latest entry is always put in front. The latter discipline is
+ often more appropriate in declarations of context data
+ (\secref{sec:context-data}) that are issued by the user in Isar
+ source: more recent declarations normally take precedence over
+ earlier ones.
+
+ \end{description}
+*}
+
+text %mlex {* Using canonical @{ML fold} together with @{ML cons}, or
+ similar standard operations, alternates the orientation of data.
+ The is quite natural and should not be altered forcible by inserting
+ extra applications of @{ML rev}. The alternative @{ML fold_rev} can
+ be used in the few situations, where alternation should be
+ prevented.
+*}
+
+ML {*
+ val items = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
+
+ val list1 = fold cons items [];
+ @{assert} (list1 = rev items);
+
+ val list2 = fold_rev cons items [];
+ @{assert} (list2 = items);
+*}
+
+text {* The subsequent example demonstrates how to \emph{merge} two
+ lists in a natural way. *}
+
+ML {*
+ fun merge_lists eq (xs, ys) = fold_rev (insert eq) ys xs;
+*}
+
+text {* Here the first list is treated conservatively: only the new
+ elements from the second list are inserted. The inside-out order of
+ insertion via @{ML fold_rev} attempts to preserve the order of
+ elements in the result.
+
+ This way of merging lists is typical for context data
+ (\secref{sec:context-data}). See also @{ML merge} as defined in
+ @{file "~~/src/Pure/library.ML"}.
+*}
+
+
+subsection {* Association lists *}
+
+text {* The operations for association lists interpret a concrete list
+ of pairs as a finite function from keys to values. Redundant
+ representations with multiple occurrences of the same key are
+ implicitly normalized: lookup and update only take the first
+ occurrence into account.
+*}
+
+text {*
+ \begin{mldecls}
+ @{index_ML AList.lookup: "('a * 'b -> bool) -> ('b * 'c) list -> 'a -> 'c option"} \\
+ @{index_ML AList.defined: "('a * 'b -> bool) -> ('b * 'c) list -> 'a -> bool"} \\
+ @{index_ML AList.update: "('a * 'a -> bool) -> 'a * 'b -> ('a * 'b) list -> ('a * 'b) list"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML AList.lookup}, @{ML AList.defined}, @{ML AList.update}
+ implement the main ``framework operations'' for mappings in
+ Isabelle/ML, following standard conventions for their names and
+ types.
+
+ Note that a function called @{text lookup} is obliged to express its
+ partiality via an explicit option element. There is no choice to
+ raise an exception, without changing the name to something like
+ @{text "the_element"} or @{text "get"}.
+
+ The @{text "defined"} operation is essentially a contraction of @{ML
+ is_some} and @{text "lookup"}, but this is sufficiently frequent to
+ justify its independent existence. This also gives the
+ implementation some opportunity for peep-hole optimization.
+
+ \end{description}
+
+ Association lists are adequate as simple and light-weight
+ implementation of finite mappings in many practical situations. A
+ more heavy-duty table structure is defined in @{file
+ "~~/src/Pure/General/table.ML"}; that version scales easily to
+ thousands or millions of elements.
+*}
+
+
+subsection {* Unsynchronized references *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type "'a Unsynchronized.ref"} \\
+ @{index_ML Unsynchronized.ref: "'a -> 'a Unsynchronized.ref"} \\
+ @{index_ML "!": "'a Unsynchronized.ref -> 'a"} \\
+ @{index_ML_op ":=": "'a Unsynchronized.ref * 'a -> unit"} \\
+ \end{mldecls}
+*}
+
+text {* Due to ubiquitous parallelism in Isabelle/ML (see also
+ \secref{sec:multi-threading}), the mutable reference cells of
+ Standard ML are notorious for causing problems. In a highly
+ parallel system, both correctness \emph{and} performance are easily
+ degraded when using mutable data.
+
+ The unwieldy name of @{ML Unsynchronized.ref} for the constructor
+ for references in Isabelle/ML emphasizes the inconveniences caused by
+ mutability. Existing operations @{ML "!"} and @{ML_op ":="} are
+ unchanged, but should be used with special precautions, say in a
+ strictly local situation that is guaranteed to be restricted to
+ sequential evaluation --- now and in the future.
+
+ \begin{warn}
+ Never @{ML_text "open Unsynchronized"}, not even in a local scope!
+ Pretending that mutable state is no problem is a very bad idea.
+ \end{warn}
+*}
+
+
+section {* Thread-safe programming \label{sec:multi-threading} *}
+
+text {* Multi-threaded execution has become an everyday reality in
+ Isabelle since Poly/ML 5.2.1 and Isabelle2008. Isabelle/ML provides
+ implicit and explicit parallelism by default, and there is no way
+ for user-space tools to ``opt out''. ML programs that are purely
+ functional, output messages only via the official channels
+ (\secref{sec:message-channels}), and do not intercept interrupts
+ (\secref{sec:exceptions}) can participate in the multi-threaded
+ environment immediately without further ado.
+
+ More ambitious tools with more fine-grained interaction with the
+ environment need to observe the principles explained below.
+*}
+
+
+subsection {* Multi-threading with shared memory *}
+
+text {* Multiple threads help to organize advanced operations of the
+ system, such as real-time conditions on command transactions,
+ sub-components with explicit communication, general asynchronous
+ interaction etc. Moreover, parallel evaluation is a prerequisite to
+ make adequate use of the CPU resources that are available on
+ multi-core systems.\footnote{Multi-core computing does not mean that
+ there are ``spare cycles'' to be wasted. It means that the
+ continued exponential speedup of CPU performance due to ``Moore's
+ Law'' follows different rules: clock frequency has reached its peak
+ around 2005, and applications need to be parallelized in order to
+ avoid a perceived loss of performance. See also
+ \cite{Sutter:2005}.}
+
+ Isabelle/Isar exploits the inherent structure of theories and proofs
+ to support \emph{implicit parallelism} to a large extent. LCF-style
+ theorem provides almost ideal conditions for that, see also
+ \cite{Wenzel:2009}. This means, significant parts of theory and
+ proof checking is parallelized by default. A maximum speedup-factor
+ of 3.0 on 4 cores and 5.0 on 8 cores can be
+ expected.\footnote{Further scalability is limited due to garbage
+ collection, which is still sequential in Poly/ML 5.2/5.3/5.4. It
+ helps to provide initial heap space generously, using the
+ \texttt{-H} option. Initial heap size needs to be scaled-up
+ together with the number of CPU cores: approximately 1--2\,GB per
+ core..}
+
+ \medskip ML threads lack the memory protection of separate
+ processes, and operate concurrently on shared heap memory. This has
+ the advantage that results of independent computations are directly
+ available to other threads: abstract values can be passed without
+ copying or awkward serialization that is typically required for
+ separate processes.
+
+ To make shared-memory multi-threading work robustly and efficiently,
+ some programming guidelines need to be observed. While the ML
+ system is responsible to maintain basic integrity of the
+ representation of ML values in memory, the application programmer
+ needs to ensure that multi-threaded execution does not break the
+ intended semantics.
+
+ \begin{warn}
+ To participate in implicit parallelism, tools need to be
+ thread-safe. A single ill-behaved tool can affect the stability and
+ performance of the whole system.
+ \end{warn}
+
+ Apart from observing the principles of thread-safeness passively,
+ advanced tools may also exploit parallelism actively, e.g.\ by using
+ ``future values'' (\secref{sec:futures}) or the more basic library
+ functions for parallel list operations (\secref{sec:parlist}).
+
+ \begin{warn}
+ Parallel computing resources are managed centrally by the
+ Isabelle/ML infrastructure. User programs must not fork their own
+ ML threads to perform computations.
+ \end{warn}
+*}
+
+
+subsection {* Critical shared resources *}
+
+text {* Thread-safeness is mainly concerned about concurrent
+ read/write access to shared resources, which are outside the purely
+ functional world of ML. This covers the following in particular.
+
+ \begin{itemize}
+
+ \item Global references (or arrays), i.e.\ mutable memory cells that
+ persist over several invocations of associated
+ operations.\footnote{This is independent of the visibility of such
+ mutable values in the toplevel scope.}
+
+ \item Global state of the running Isabelle/ML process, i.e.\ raw I/O
+ channels, environment variables, current working directory.
+
+ \item Writable resources in the file-system that are shared among
+ different threads or external processes.
+
+ \end{itemize}
+
+ Isabelle/ML provides various mechanisms to avoid critical shared
+ resources in most situations. As last resort there are some
+ mechanisms for explicit synchronization. The following guidelines
+ help to make Isabelle/ML programs work smoothly in a concurrent
+ environment.
+
+ \begin{itemize}
+
+ \item Avoid global references altogether. Isabelle/Isar maintains a
+ uniform context that incorporates arbitrary data declared by user
+ programs (\secref{sec:context-data}). This context is passed as
+ plain value and user tools can get/map their own data in a purely
+ functional manner. Configuration options within the context
+ (\secref{sec:config-options}) provide simple drop-in replacements
+ for historic reference variables.
+
+ \item Keep components with local state information re-entrant.
+ Instead of poking initial values into (private) global references, a
+ new state record can be created on each invocation, and passed
+ through any auxiliary functions of the component. The state record
+ may well contain mutable references, without requiring any special
+ synchronizations, as long as each invocation gets its own copy.
+
+ \item Avoid raw output on @{text "stdout"} or @{text "stderr"}. The
+ Poly/ML library is thread-safe for each individual output operation,
+ but the ordering of parallel invocations is arbitrary. This means
+ raw output will appear on some system console with unpredictable
+ interleaving of atomic chunks.
+
+ Note that this does not affect regular message output channels
+ (\secref{sec:message-channels}). An official message is associated
+ with the command transaction from where it originates, independently
+ of other transactions. This means each running Isar command has
+ effectively its own set of message channels, and interleaving can
+ only happen when commands use parallelism internally (and only at
+ message boundaries).
+
+ \item Treat environment variables and the current working directory
+ of the running process as strictly read-only.
+
+ \item Restrict writing to the file-system to unique temporary files.
+ Isabelle already provides a temporary directory that is unique for
+ the running process, and there is a centralized source of unique
+ serial numbers in Isabelle/ML. Thus temporary files that are passed
+ to to some external process will be always disjoint, and thus
+ thread-safe.
+
+ \end{itemize}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML File.tmp_path: "Path.T -> Path.T"} \\
+ @{index_ML serial_string: "unit -> string"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML File.tmp_path}~@{text "path"} relocates the base
+ component of @{text "path"} into the unique temporary directory of
+ the running Isabelle/ML process.
+
+ \item @{ML serial_string}~@{text "()"} creates a new serial number
+ that is unique over the runtime of the Isabelle/ML process.
+
+ \end{description}
+*}
+
+text %mlex {* The following example shows how to create unique
+ temporary file names.
+*}
+
+ML {*
+ val tmp1 = File.tmp_path (Path.basic ("foo" ^ serial_string ()));
+ val tmp2 = File.tmp_path (Path.basic ("foo" ^ serial_string ()));
+ @{assert} (tmp1 <> tmp2);
+*}
+
+
+subsection {* Explicit synchronization *}
+
+text {* Isabelle/ML also provides some explicit synchronization
+ mechanisms, for the rare situations where mutable shared resources
+ are really required. These are based on the synchronizations
+ primitives of Poly/ML, which have been adapted to the specific
+ assumptions of the concurrent Isabelle/ML environment. User code
+ must not use the Poly/ML primitives directly!
+
+ \medskip The most basic synchronization concept is a single
+ \emph{critical section} (also called ``monitor'' in the literature).
+ A thread that enters the critical section prevents all other threads
+ from doing the same. A thread that is already within the critical
+ section may re-enter it in an idempotent manner.
+
+ Such centralized locking is convenient, because it prevents
+ deadlocks by construction.
+
+ \medskip More fine-grained locking works via \emph{synchronized
+ variables}. An explicit state component is associated with
+ mechanisms for locking and signaling. There are operations to
+ await a condition, change the state, and signal the change to all
+ other waiting threads.
+
+ Here the synchronized access to the state variable is \emph{not}
+ re-entrant: direct or indirect nesting within the same thread will
+ cause a deadlock!
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML NAMED_CRITICAL: "string -> (unit -> 'a) -> 'a"} \\
+ @{index_ML CRITICAL: "(unit -> 'a) -> 'a"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type "'a Synchronized.var"} \\
+ @{index_ML Synchronized.var: "string -> 'a -> 'a Synchronized.var"} \\
+ @{index_ML Synchronized.guarded_access: "'a Synchronized.var ->
+ ('a -> ('b * 'a) option) -> 'b"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML NAMED_CRITICAL}~@{text "name e"} evaluates @{text "e ()"}
+ within the central critical section of Isabelle/ML. No other thread
+ may do so at the same time, but non-critical parallel execution will
+ continue. The @{text "name"} argument is used for tracing and might
+ help to spot sources of congestion.
+
+ Entering the critical section without contention is very fast, and
+ several basic system operations do so frequently. Each thread
+ should stay within the critical section quickly only very briefly,
+ otherwise parallel performance may degrade.
+
+ \item @{ML CRITICAL} is the same as @{ML NAMED_CRITICAL} with empty
+ name argument.
+
+ \item Type @{ML_type "'a Synchronized.var"} represents synchronized
+ variables with state of type @{ML_type 'a}.
+
+ \item @{ML Synchronized.var}~@{text "name x"} creates a synchronized
+ variable that is initialized with value @{text "x"}. The @{text
+ "name"} is used for tracing.
+
+ \item @{ML Synchronized.guarded_access}~@{text "var f"} lets the
+ function @{text "f"} operate within a critical section on the state
+ @{text "x"} as follows: if @{text "f x"} produces @{ML NONE}, it
+ continues to wait on the internal condition variable, expecting that
+ some other thread will eventually change the content in a suitable
+ manner; if @{text "f x"} produces @{ML SOME}~@{text "(y, x')"} it is
+ satisfied and assigns the new state value @{text "x'"}, broadcasts a
+ signal to all waiting threads on the associated condition variable,
+ and returns the result @{text "y"}.
+
+ \end{description}
+
+ There are some further variants of the @{ML
+ Synchronized.guarded_access} combinator, see @{file
+ "~~/src/Pure/Concurrent/synchronized.ML"} for details.
+*}
+
+text %mlex {* The following example implements a counter that produces
+ positive integers that are unique over the runtime of the Isabelle
+ process:
+*}
+
+ML {*
+ local
+ val counter = Synchronized.var "counter" 0;
+ in
+ fun next () =
+ Synchronized.guarded_access counter
+ (fn i =>
+ let val j = i + 1
+ in SOME (j, j) end);
+ end;
+*}
+
+ML {*
+ val a = next ();
+ val b = next ();
+ @{assert} (a <> b);
+*}
+
+text {* \medskip See @{file "~~/src/Pure/Concurrent/mailbox.ML"} how
+ to implement a mailbox as synchronized variable over a purely
+ functional queue. *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Prelim.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1237 @@
+theory Prelim
+imports Base
+begin
+
+chapter {* Preliminaries *}
+
+section {* Contexts \label{sec:context} *}
+
+text {*
+ A logical context represents the background that is required for
+ formulating statements and composing proofs. It acts as a medium to
+ produce formal content, depending on earlier material (declarations,
+ results etc.).
+
+ For example, derivations within the Isabelle/Pure logic can be
+ described as a judgment @{text "\<Gamma> \<turnstile>\<^sub>\<Theta> \<phi>"}, which means that a
+ proposition @{text "\<phi>"} is derivable from hypotheses @{text "\<Gamma>"}
+ within the theory @{text "\<Theta>"}. There are logical reasons for
+ keeping @{text "\<Theta>"} and @{text "\<Gamma>"} separate: theories can be
+ liberal about supporting type constructors and schematic
+ polymorphism of constants and axioms, while the inner calculus of
+ @{text "\<Gamma> \<turnstile> \<phi>"} is strictly limited to Simple Type Theory (with
+ fixed type variables in the assumptions).
+
+ \medskip Contexts and derivations are linked by the following key
+ principles:
+
+ \begin{itemize}
+
+ \item Transfer: monotonicity of derivations admits results to be
+ transferred into a \emph{larger} context, i.e.\ @{text "\<Gamma> \<turnstile>\<^sub>\<Theta>
+ \<phi>"} implies @{text "\<Gamma>' \<turnstile>\<^sub>\<Theta>\<^sub>' \<phi>"} for contexts @{text "\<Theta>'
+ \<supseteq> \<Theta>"} and @{text "\<Gamma>' \<supseteq> \<Gamma>"}.
+
+ \item Export: discharge of hypotheses admits results to be exported
+ into a \emph{smaller} context, i.e.\ @{text "\<Gamma>' \<turnstile>\<^sub>\<Theta> \<phi>"}
+ implies @{text "\<Gamma> \<turnstile>\<^sub>\<Theta> \<Delta> \<Longrightarrow> \<phi>"} where @{text "\<Gamma>' \<supseteq> \<Gamma>"} and
+ @{text "\<Delta> = \<Gamma>' - \<Gamma>"}. Note that @{text "\<Theta>"} remains unchanged here,
+ only the @{text "\<Gamma>"} part is affected.
+
+ \end{itemize}
+
+ \medskip By modeling the main characteristics of the primitive
+ @{text "\<Theta>"} and @{text "\<Gamma>"} above, and abstracting over any
+ particular logical content, we arrive at the fundamental notions of
+ \emph{theory context} and \emph{proof context} in Isabelle/Isar.
+ These implement a certain policy to manage arbitrary \emph{context
+ data}. There is a strongly-typed mechanism to declare new kinds of
+ data at compile time.
+
+ The internal bootstrap process of Isabelle/Pure eventually reaches a
+ stage where certain data slots provide the logical content of @{text
+ "\<Theta>"} and @{text "\<Gamma>"} sketched above, but this does not stop there!
+ Various additional data slots support all kinds of mechanisms that
+ are not necessarily part of the core logic.
+
+ For example, there would be data for canonical introduction and
+ elimination rules for arbitrary operators (depending on the
+ object-logic and application), which enables users to perform
+ standard proof steps implicitly (cf.\ the @{text "rule"} method
+ \cite{isabelle-isar-ref}).
+
+ \medskip Thus Isabelle/Isar is able to bring forth more and more
+ concepts successively. In particular, an object-logic like
+ Isabelle/HOL continues the Isabelle/Pure setup by adding specific
+ components for automated reasoning (classical reasoner, tableau
+ prover, structured induction etc.) and derived specification
+ mechanisms (inductive predicates, recursive functions etc.). All of
+ this is ultimately based on the generic data management by theory
+ and proof contexts introduced here.
+*}
+
+
+subsection {* Theory context \label{sec:context-theory} *}
+
+text {* A \emph{theory} is a data container with explicit name and
+ unique identifier. Theories are related by a (nominal) sub-theory
+ relation, which corresponds to the dependency graph of the original
+ construction; each theory is derived from a certain sub-graph of
+ ancestor theories. To this end, the system maintains a set of
+ symbolic ``identification stamps'' within each theory.
+
+ In order to avoid the full-scale overhead of explicit sub-theory
+ identification of arbitrary intermediate stages, a theory is
+ switched into @{text "draft"} mode under certain circumstances. A
+ draft theory acts like a linear type, where updates invalidate
+ earlier versions. An invalidated draft is called \emph{stale}.
+
+ The @{text "checkpoint"} operation produces a safe stepping stone
+ that will survive the next update without becoming stale: both the
+ old and the new theory remain valid and are related by the
+ sub-theory relation. Checkpointing essentially recovers purely
+ functional theory values, at the expense of some extra internal
+ bookkeeping.
+
+ The @{text "copy"} operation produces an auxiliary version that has
+ the same data content, but is unrelated to the original: updates of
+ the copy do not affect the original, neither does the sub-theory
+ relation hold.
+
+ The @{text "merge"} operation produces the least upper bound of two
+ theories, which actually degenerates into absorption of one theory
+ into the other (according to the nominal sub-theory relation).
+
+ The @{text "begin"} operation starts a new theory by importing
+ several parent theories and entering a special mode of nameless
+ incremental updates, until the final @{text "end"} operation is
+ performed.
+
+ \medskip The example in \figref{fig:ex-theory} below shows a theory
+ graph derived from @{text "Pure"}, with theory @{text "Length"}
+ importing @{text "Nat"} and @{text "List"}. The body of @{text
+ "Length"} consists of a sequence of updates, working mostly on
+ drafts internally, while transaction boundaries of Isar top-level
+ commands (\secref{sec:isar-toplevel}) are guaranteed to be safe
+ checkpoints.
+
+ \begin{figure}[htb]
+ \begin{center}
+ \begin{tabular}{rcccl}
+ & & @{text "Pure"} \\
+ & & @{text "\<down>"} \\
+ & & @{text "FOL"} \\
+ & $\swarrow$ & & $\searrow$ & \\
+ @{text "Nat"} & & & & @{text "List"} \\
+ & $\searrow$ & & $\swarrow$ \\
+ & & @{text "Length"} \\
+ & & \multicolumn{3}{l}{~~@{keyword "imports"}} \\
+ & & \multicolumn{3}{l}{~~@{keyword "begin"}} \\
+ & & $\vdots$~~ \\
+ & & @{text "\<bullet>"}~~ \\
+ & & $\vdots$~~ \\
+ & & @{text "\<bullet>"}~~ \\
+ & & $\vdots$~~ \\
+ & & \multicolumn{3}{l}{~~@{command "end"}} \\
+ \end{tabular}
+ \caption{A theory definition depending on ancestors}\label{fig:ex-theory}
+ \end{center}
+ \end{figure}
+
+ \medskip There is a separate notion of \emph{theory reference} for
+ maintaining a live link to an evolving theory context: updates on
+ drafts are propagated automatically. Dynamic updating stops when
+ the next @{text "checkpoint"} is reached.
+
+ Derived entities may store a theory reference in order to indicate
+ the formal context from which they are derived. This implicitly
+ assumes monotonic reasoning, because the referenced context may
+ become larger without further notice.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type theory} \\
+ @{index_ML Theory.eq_thy: "theory * theory -> bool"} \\
+ @{index_ML Theory.subthy: "theory * theory -> bool"} \\
+ @{index_ML Theory.checkpoint: "theory -> theory"} \\
+ @{index_ML Theory.copy: "theory -> theory"} \\
+ @{index_ML Theory.merge: "theory * theory -> theory"} \\
+ @{index_ML Theory.begin_theory: "string * Position.T -> theory list -> theory"} \\
+ @{index_ML Theory.parents_of: "theory -> theory list"} \\
+ @{index_ML Theory.ancestors_of: "theory -> theory list"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type theory_ref} \\
+ @{index_ML Theory.deref: "theory_ref -> theory"} \\
+ @{index_ML Theory.check_thy: "theory -> theory_ref"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type theory} represents theory contexts. This is
+ essentially a linear type, with explicit runtime checking.
+ Primitive theory operations destroy the original version, which then
+ becomes ``stale''. This can be prevented by explicit checkpointing,
+ which the system does at least at the boundary of toplevel command
+ transactions \secref{sec:isar-toplevel}.
+
+ \item @{ML "Theory.eq_thy"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} check strict
+ identity of two theories.
+
+ \item @{ML "Theory.subthy"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} compares theories
+ according to the intrinsic graph structure of the construction.
+ This sub-theory relation is a nominal approximation of inclusion
+ (@{text "\<subseteq>"}) of the corresponding content (according to the
+ semantics of the ML modules that implement the data).
+
+ \item @{ML "Theory.checkpoint"}~@{text "thy"} produces a safe
+ stepping stone in the linear development of @{text "thy"}. This
+ changes the old theory, but the next update will result in two
+ related, valid theories.
+
+ \item @{ML "Theory.copy"}~@{text "thy"} produces a variant of @{text
+ "thy"} with the same data. The copy is not related to the original,
+ but the original is unchanged.
+
+ \item @{ML "Theory.merge"}~@{text "(thy\<^sub>1, thy\<^sub>2)"} absorbs one theory
+ into the other, without changing @{text "thy\<^sub>1"} or @{text "thy\<^sub>2"}.
+ This version of ad-hoc theory merge fails for unrelated theories!
+
+ \item @{ML "Theory.begin_theory"}~@{text "name parents"} constructs
+ a new theory based on the given parents. This ML function is
+ normally not invoked directly.
+
+ \item @{ML "Theory.parents_of"}~@{text "thy"} returns the direct
+ ancestors of @{text thy}.
+
+ \item @{ML "Theory.ancestors_of"}~@{text "thy"} returns all
+ ancestors of @{text thy} (not including @{text thy} itself).
+
+ \item Type @{ML_type theory_ref} represents a sliding reference to
+ an always valid theory; updates on the original are propagated
+ automatically.
+
+ \item @{ML "Theory.deref"}~@{text "thy_ref"} turns a @{ML_type
+ "theory_ref"} into an @{ML_type "theory"} value. As the referenced
+ theory evolves monotonically over time, later invocations of @{ML
+ "Theory.deref"} may refer to a larger context.
+
+ \item @{ML "Theory.check_thy"}~@{text "thy"} produces a @{ML_type
+ "theory_ref"} from a valid @{ML_type "theory"} value.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "theory"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation theory} nameref?
+ "}
+
+ \begin{description}
+
+ \item @{text "@{theory}"} refers to the background theory of the
+ current context --- as abstract value.
+
+ \item @{text "@{theory A}"} refers to an explicitly named ancestor
+ theory @{text "A"} of the background theory of the current context
+ --- as abstract value.
+
+ \end{description}
+*}
+
+
+subsection {* Proof context \label{sec:context-proof} *}
+
+text {* A proof context is a container for pure data with a
+ back-reference to the theory from which it is derived. The @{text
+ "init"} operation creates a proof context from a given theory.
+ Modifications to draft theories are propagated to the proof context
+ as usual, but there is also an explicit @{text "transfer"} operation
+ to force resynchronization with more substantial updates to the
+ underlying theory.
+
+ Entities derived in a proof context need to record logical
+ requirements explicitly, since there is no separate context
+ identification or symbolic inclusion as for theories. For example,
+ hypotheses used in primitive derivations (cf.\ \secref{sec:thms})
+ are recorded separately within the sequent @{text "\<Gamma> \<turnstile> \<phi>"}, just to
+ make double sure. Results could still leak into an alien proof
+ context due to programming errors, but Isabelle/Isar includes some
+ extra validity checks in critical positions, notably at the end of a
+ sub-proof.
+
+ Proof contexts may be manipulated arbitrarily, although the common
+ discipline is to follow block structure as a mental model: a given
+ context is extended consecutively, and results are exported back
+ into the original context. Note that an Isar proof state models
+ block-structured reasoning explicitly, using a stack of proof
+ contexts internally. For various technical reasons, the background
+ theory of an Isar proof state must not be changed while the proof is
+ still under construction!
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Proof.context} \\
+ @{index_ML Proof_Context.init_global: "theory -> Proof.context"} \\
+ @{index_ML Proof_Context.theory_of: "Proof.context -> theory"} \\
+ @{index_ML Proof_Context.transfer: "theory -> Proof.context -> Proof.context"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Proof.context} represents proof contexts.
+ Elements of this type are essentially pure values, with a sliding
+ reference to the background theory.
+
+ \item @{ML Proof_Context.init_global}~@{text "thy"} produces a proof context
+ derived from @{text "thy"}, initializing all data.
+
+ \item @{ML Proof_Context.theory_of}~@{text "ctxt"} selects the
+ background theory from @{text "ctxt"}, dereferencing its internal
+ @{ML_type theory_ref}.
+
+ \item @{ML Proof_Context.transfer}~@{text "thy ctxt"} promotes the
+ background theory of @{text "ctxt"} to the super theory @{text
+ "thy"}.
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "context"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{text "@{context}"} refers to \emph{the} context at
+ compile-time --- as abstract value. Independently of (local) theory
+ or proof mode, this always produces a meaningful result.
+
+ This is probably the most common antiquotation in interactive
+ experimentation with ML inside Isar.
+
+ \end{description}
+*}
+
+
+subsection {* Generic contexts \label{sec:generic-context} *}
+
+text {*
+ A generic context is the disjoint sum of either a theory or proof
+ context. Occasionally, this enables uniform treatment of generic
+ context data, typically extra-logical information. Operations on
+ generic contexts include the usual injections, partial selections,
+ and combinators for lifting operations on either component of the
+ disjoint sum.
+
+ Moreover, there are total operations @{text "theory_of"} and @{text
+ "proof_of"} to convert a generic context into either kind: a theory
+ can always be selected from the sum, while a proof context might
+ have to be constructed by an ad-hoc @{text "init"} operation, which
+ incurs a small runtime overhead.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Context.generic} \\
+ @{index_ML Context.theory_of: "Context.generic -> theory"} \\
+ @{index_ML Context.proof_of: "Context.generic -> Proof.context"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Context.generic} is the direct sum of @{ML_type
+ "theory"} and @{ML_type "Proof.context"}, with the datatype
+ constructors @{ML "Context.Theory"} and @{ML "Context.Proof"}.
+
+ \item @{ML Context.theory_of}~@{text "context"} always produces a
+ theory from the generic @{text "context"}, using @{ML
+ "Proof_Context.theory_of"} as required.
+
+ \item @{ML Context.proof_of}~@{text "context"} always produces a
+ proof context from the generic @{text "context"}, using @{ML
+ "Proof_Context.init_global"} as required (note that this re-initializes the
+ context data with each invocation).
+
+ \end{description}
+*}
+
+
+subsection {* Context data \label{sec:context-data} *}
+
+text {* The main purpose of theory and proof contexts is to manage
+ arbitrary (pure) data. New data types can be declared incrementally
+ at compile time. There are separate declaration mechanisms for any
+ of the three kinds of contexts: theory, proof, generic.
+
+ \paragraph{Theory data} declarations need to implement the following
+ SML signature:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "\<type> T"} & representing type \\
+ @{text "\<val> empty: T"} & empty default value \\
+ @{text "\<val> extend: T \<rightarrow> T"} & re-initialize on import \\
+ @{text "\<val> merge: T \<times> T \<rightarrow> T"} & join on import \\
+ \end{tabular}
+ \medskip
+
+ The @{text "empty"} value acts as initial default for \emph{any}
+ theory that does not declare actual data content; @{text "extend"}
+ is acts like a unitary version of @{text "merge"}.
+
+ Implementing @{text "merge"} can be tricky. The general idea is
+ that @{text "merge (data\<^sub>1, data\<^sub>2)"} inserts those parts of @{text
+ "data\<^sub>2"} into @{text "data\<^sub>1"} that are not yet present, while
+ keeping the general order of things. The @{ML Library.merge}
+ function on plain lists may serve as canonical template.
+
+ Particularly note that shared parts of the data must not be
+ duplicated by naive concatenation, or a theory graph that is like a
+ chain of diamonds would cause an exponential blowup!
+
+ \paragraph{Proof context data} declarations need to implement the
+ following SML signature:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "\<type> T"} & representing type \\
+ @{text "\<val> init: theory \<rightarrow> T"} & produce initial value \\
+ \end{tabular}
+ \medskip
+
+ The @{text "init"} operation is supposed to produce a pure value
+ from the given background theory and should be somehow
+ ``immediate''. Whenever a proof context is initialized, which
+ happens frequently, the the system invokes the @{text "init"}
+ operation of \emph{all} theory data slots ever declared. This also
+ means that one needs to be economic about the total number of proof
+ data declarations in the system, i.e.\ each ML module should declare
+ at most one, sometimes two data slots for its internal use.
+ Repeated data declarations to simulate a record type should be
+ avoided!
+
+ \paragraph{Generic data} provides a hybrid interface for both theory
+ and proof data. The @{text "init"} operation for proof contexts is
+ predefined to select the current data value from the background
+ theory.
+
+ \bigskip Any of the above data declarations over type @{text "T"}
+ result in an ML structure with the following signature:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "get: context \<rightarrow> T"} \\
+ @{text "put: T \<rightarrow> context \<rightarrow> context"} \\
+ @{text "map: (T \<rightarrow> T) \<rightarrow> context \<rightarrow> context"} \\
+ \end{tabular}
+ \medskip
+
+ These other operations provide exclusive access for the particular
+ kind of context (theory, proof, or generic context). This interface
+ observes the ML discipline for types and scopes: there is no other
+ way to access the corresponding data slot of a context. By keeping
+ these operations private, an Isabelle/ML module may maintain
+ abstract values authentically. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_functor Theory_Data} \\
+ @{index_ML_functor Proof_Data} \\
+ @{index_ML_functor Generic_Data} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML_functor Theory_Data}@{text "(spec)"} declares data for
+ type @{ML_type theory} according to the specification provided as
+ argument structure. The resulting structure provides data init and
+ access operations as described above.
+
+ \item @{ML_functor Proof_Data}@{text "(spec)"} is analogous to
+ @{ML_functor Theory_Data} for type @{ML_type Proof.context}.
+
+ \item @{ML_functor Generic_Data}@{text "(spec)"} is analogous to
+ @{ML_functor Theory_Data} for type @{ML_type Context.generic}.
+
+ \end{description}
+*}
+
+text %mlex {*
+ The following artificial example demonstrates theory
+ data: we maintain a set of terms that are supposed to be wellformed
+ wrt.\ the enclosing theory. The public interface is as follows:
+*}
+
+ML {*
+ signature WELLFORMED_TERMS =
+ sig
+ val get: theory -> term list
+ val add: term -> theory -> theory
+ end;
+*}
+
+text {* The implementation uses private theory data internally, and
+ only exposes an operation that involves explicit argument checking
+ wrt.\ the given theory. *}
+
+ML {*
+ structure Wellformed_Terms: WELLFORMED_TERMS =
+ struct
+
+ structure Terms = Theory_Data
+ (
+ type T = term Ord_List.T;
+ val empty = [];
+ val extend = I;
+ fun merge (ts1, ts2) =
+ Ord_List.union Term_Ord.fast_term_ord ts1 ts2;
+ );
+
+ val get = Terms.get;
+
+ fun add raw_t thy =
+ let
+ val t = Sign.cert_term thy raw_t;
+ in
+ Terms.map (Ord_List.insert Term_Ord.fast_term_ord t) thy
+ end;
+
+ end;
+*}
+
+text {* Type @{ML_type "term Ord_List.T"} is used for reasonably
+ efficient representation of a set of terms: all operations are
+ linear in the number of stored elements. Here we assume that users
+ of this module do not care about the declaration order, since that
+ data structure forces its own arrangement of elements.
+
+ Observe how the @{ML_text merge} operation joins the data slots of
+ the two constituents: @{ML Ord_List.union} prevents duplication of
+ common data from different branches, thus avoiding the danger of
+ exponential blowup. Plain list append etc.\ must never be used for
+ theory data merges!
+
+ \medskip Our intended invariant is achieved as follows:
+ \begin{enumerate}
+
+ \item @{ML Wellformed_Terms.add} only admits terms that have passed
+ the @{ML Sign.cert_term} check of the given theory at that point.
+
+ \item Wellformedness in the sense of @{ML Sign.cert_term} is
+ monotonic wrt.\ the sub-theory relation. So our data can move
+ upwards in the hierarchy (via extension or merges), and maintain
+ wellformedness without further checks.
+
+ \end{enumerate}
+
+ Note that all basic operations of the inference kernel (which
+ includes @{ML Sign.cert_term}) observe this monotonicity principle,
+ but other user-space tools don't. For example, fully-featured
+ type-inference via @{ML Syntax.check_term} (cf.\
+ \secref{sec:term-check}) is not necessarily monotonic wrt.\ the
+ background theory, since constraints of term constants can be
+ modified by later declarations, for example.
+
+ In most cases, user-space context data does not have to take such
+ invariants too seriously. The situation is different in the
+ implementation of the inference kernel itself, which uses the very
+ same data mechanisms for types, constants, axioms etc.
+*}
+
+
+subsection {* Configuration options \label{sec:config-options} *}
+
+text {* A \emph{configuration option} is a named optional value of
+ some basic type (Boolean, integer, string) that is stored in the
+ context. It is a simple application of general context data
+ (\secref{sec:context-data}) that is sufficiently common to justify
+ customized setup, which includes some concrete declarations for
+ end-users using existing notation for attributes (cf.\
+ \secref{sec:attributes}).
+
+ For example, the predefined configuration option @{attribute
+ show_types} controls output of explicit type constraints for
+ variables in printed terms (cf.\ \secref{sec:read-print}). Its
+ value can be modified within Isar text like this:
+*}
+
+declare [[show_types = false]]
+ -- {* declaration within (local) theory context *}
+
+notepad
+begin
+ note [[show_types = true]]
+ -- {* declaration within proof (forward mode) *}
+ term x
+
+ have "x = x"
+ using [[show_types = false]]
+ -- {* declaration within proof (backward mode) *}
+ ..
+end
+
+text {* Configuration options that are not set explicitly hold a
+ default value that can depend on the application context. This
+ allows to retrieve the value from another slot within the context,
+ or fall back on a global preference mechanism, for example.
+
+ The operations to declare configuration options and get/map their
+ values are modeled as direct replacements for historic global
+ references, only that the context is made explicit. This allows
+ easy configuration of tools, without relying on the execution order
+ as required for old-style mutable references. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Config.get: "Proof.context -> 'a Config.T -> 'a"} \\
+ @{index_ML Config.map: "'a Config.T -> ('a -> 'a) -> Proof.context -> Proof.context"} \\
+ @{index_ML Attrib.setup_config_bool: "binding -> (Context.generic -> bool) ->
+ bool Config.T"} \\
+ @{index_ML Attrib.setup_config_int: "binding -> (Context.generic -> int) ->
+ int Config.T"} \\
+ @{index_ML Attrib.setup_config_real: "binding -> (Context.generic -> real) ->
+ real Config.T"} \\
+ @{index_ML Attrib.setup_config_string: "binding -> (Context.generic -> string) ->
+ string Config.T"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Config.get}~@{text "ctxt config"} gets the value of
+ @{text "config"} in the given context.
+
+ \item @{ML Config.map}~@{text "config f ctxt"} updates the context
+ by updating the value of @{text "config"}.
+
+ \item @{text "config ="}~@{ML Attrib.setup_config_bool}~@{text "name
+ default"} creates a named configuration option of type @{ML_type
+ bool}, with the given @{text "default"} depending on the application
+ context. The resulting @{text "config"} can be used to get/map its
+ value in a given context. There is an implicit update of the
+ background theory that registers the option as attribute with some
+ concrete syntax.
+
+ \item @{ML Attrib.config_int}, @{ML Attrib.config_real}, and @{ML
+ Attrib.config_string} work like @{ML Attrib.config_bool}, but for
+ types @{ML_type int} and @{ML_type string}, respectively.
+
+ \end{description}
+*}
+
+text %mlex {* The following example shows how to declare and use a
+ Boolean configuration option called @{text "my_flag"} with constant
+ default value @{ML false}. *}
+
+ML {*
+ val my_flag =
+ Attrib.setup_config_bool @{binding my_flag} (K false)
+*}
+
+text {* Now the user can refer to @{attribute my_flag} in
+ declarations, while ML tools can retrieve the current value from the
+ context via @{ML Config.get}. *}
+
+ML_val {* @{assert} (Config.get @{context} my_flag = false) *}
+
+declare [[my_flag = true]]
+
+ML_val {* @{assert} (Config.get @{context} my_flag = true) *}
+
+notepad
+begin
+ {
+ note [[my_flag = false]]
+ ML_val {* @{assert} (Config.get @{context} my_flag = false) *}
+ }
+ ML_val {* @{assert} (Config.get @{context} my_flag = true) *}
+end
+
+text {* Here is another example involving ML type @{ML_type real}
+ (floating-point numbers). *}
+
+ML {*
+ val airspeed_velocity =
+ Attrib.setup_config_real @{binding airspeed_velocity} (K 0.0)
+*}
+
+declare [[airspeed_velocity = 10]]
+declare [[airspeed_velocity = 9.9]]
+
+
+section {* Names \label{sec:names} *}
+
+text {* In principle, a name is just a string, but there are various
+ conventions for representing additional structure. For example,
+ ``@{text "Foo.bar.baz"}'' is considered as a long name consisting of
+ qualifier @{text "Foo.bar"} and base name @{text "baz"}. The
+ individual constituents of a name may have further substructure,
+ e.g.\ the string ``\verb,\,\verb,<alpha>,'' encodes as a single
+ symbol.
+
+ \medskip Subsequently, we shall introduce specific categories of
+ names. Roughly speaking these correspond to logical entities as
+ follows:
+ \begin{itemize}
+
+ \item Basic names (\secref{sec:basic-name}): free and bound
+ variables.
+
+ \item Indexed names (\secref{sec:indexname}): schematic variables.
+
+ \item Long names (\secref{sec:long-name}): constants of any kind
+ (type constructors, term constants, other concepts defined in user
+ space). Such entities are typically managed via name spaces
+ (\secref{sec:name-space}).
+
+ \end{itemize}
+*}
+
+
+subsection {* Strings of symbols \label{sec:symbols} *}
+
+text {* A \emph{symbol} constitutes the smallest textual unit in
+ Isabelle --- raw ML characters are normally not encountered at all!
+ Isabelle strings consist of a sequence of symbols, represented as a
+ packed string or an exploded list of strings. Each symbol is in
+ itself a small string, which has either one of the following forms:
+
+ \begin{enumerate}
+
+ \item a single ASCII character ``@{text "c"}'', for example
+ ``\verb,a,'',
+
+ \item a codepoint according to UTF8 (non-ASCII byte sequence),
+
+ \item a regular symbol ``\verb,\,\verb,<,@{text "ident"}\verb,>,'',
+ for example ``\verb,\,\verb,<alpha>,'',
+
+ \item a control symbol ``\verb,\,\verb,<^,@{text "ident"}\verb,>,'',
+ for example ``\verb,\,\verb,<^bold>,'',
+
+ \item a raw symbol ``\verb,\,\verb,<^raw:,@{text text}\verb,>,''
+ where @{text text} consists of printable characters excluding
+ ``\verb,.,'' and ``\verb,>,'', for example
+ ``\verb,\,\verb,<^raw:$\sum_{i = 1}^n$>,'',
+
+ \item a numbered raw control symbol ``\verb,\,\verb,<^raw,@{text
+ n}\verb,>, where @{text n} consists of digits, for example
+ ``\verb,\,\verb,<^raw42>,''.
+
+ \end{enumerate}
+
+ The @{text "ident"} syntax for symbol names is @{text "letter
+ (letter | digit)\<^sup>*"}, where @{text "letter = A..Za..z"} and @{text
+ "digit = 0..9"}. There are infinitely many regular symbols and
+ control symbols, but a fixed collection of standard symbols is
+ treated specifically. For example, ``\verb,\,\verb,<alpha>,'' is
+ classified as a letter, which means it may occur within regular
+ Isabelle identifiers.
+
+ The character set underlying Isabelle symbols is 7-bit ASCII, but
+ 8-bit character sequences are passed-through unchanged. Unicode/UCS
+ data in UTF-8 encoding is processed in a non-strict fashion, such
+ that well-formed code sequences are recognized
+ accordingly.\footnote{Note that ISO-Latin-1 differs from UTF-8 only
+ in some special punctuation characters that even have replacements
+ within the standard collection of Isabelle symbols. Text consisting
+ of ASCII plus accented letters can be processed in either encoding.}
+ Unicode provides its own collection of mathematical symbols, but
+ within the core Isabelle/ML world there is no link to the standard
+ collection of Isabelle regular symbols.
+
+ \medskip Output of Isabelle symbols depends on the print mode
+ (\cite{isabelle-isar-ref}). For example, the standard {\LaTeX}
+ setup of the Isabelle document preparation system would present
+ ``\verb,\,\verb,<alpha>,'' as @{text "\<alpha>"}, and
+ ``\verb,\,\verb,<^bold>,\verb,\,\verb,<alpha>,'' as @{text "\<^bold>\<alpha>"}.
+ On-screen rendering usually works by mapping a finite subset of
+ Isabelle symbols to suitable Unicode characters.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type "Symbol.symbol": string} \\
+ @{index_ML Symbol.explode: "string -> Symbol.symbol list"} \\
+ @{index_ML Symbol.is_letter: "Symbol.symbol -> bool"} \\
+ @{index_ML Symbol.is_digit: "Symbol.symbol -> bool"} \\
+ @{index_ML Symbol.is_quasi: "Symbol.symbol -> bool"} \\
+ @{index_ML Symbol.is_blank: "Symbol.symbol -> bool"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type "Symbol.sym"} \\
+ @{index_ML Symbol.decode: "Symbol.symbol -> Symbol.sym"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type "Symbol.symbol"} represents individual Isabelle
+ symbols.
+
+ \item @{ML "Symbol.explode"}~@{text "str"} produces a symbol list
+ from the packed form. This function supersedes @{ML
+ "String.explode"} for virtually all purposes of manipulating text in
+ Isabelle!\footnote{The runtime overhead for exploded strings is
+ mainly that of the list structure: individual symbols that happen to
+ be a singleton string do not require extra memory in Poly/ML.}
+
+ \item @{ML "Symbol.is_letter"}, @{ML "Symbol.is_digit"}, @{ML
+ "Symbol.is_quasi"}, @{ML "Symbol.is_blank"} classify standard
+ symbols according to fixed syntactic conventions of Isabelle, cf.\
+ \cite{isabelle-isar-ref}.
+
+ \item Type @{ML_type "Symbol.sym"} is a concrete datatype that
+ represents the different kinds of symbols explicitly, with
+ constructors @{ML "Symbol.Char"}, @{ML "Symbol.Sym"}, @{ML
+ "Symbol.UTF8"}, @{ML "Symbol.Ctrl"}, @{ML "Symbol.Raw"}.
+
+ \item @{ML "Symbol.decode"} converts the string representation of a
+ symbol into the datatype version.
+
+ \end{description}
+
+ \paragraph{Historical note.} In the original SML90 standard the
+ primitive ML type @{ML_type char} did not exists, and the @{ML_text
+ "explode: string -> string list"} operation would produce a list of
+ singleton strings as does @{ML "raw_explode: string -> string list"}
+ in Isabelle/ML today. When SML97 came out, Isabelle did not adopt
+ its slightly anachronistic 8-bit characters, but the idea of
+ exploding a string into a list of small strings was extended to
+ ``symbols'' as explained above. Thus Isabelle sources can refer to
+ an infinite store of user-defined symbols, without having to worry
+ about the multitude of Unicode encodings. *}
+
+
+subsection {* Basic names \label{sec:basic-name} *}
+
+text {*
+ A \emph{basic name} essentially consists of a single Isabelle
+ identifier. There are conventions to mark separate classes of basic
+ names, by attaching a suffix of underscores: one underscore means
+ \emph{internal name}, two underscores means \emph{Skolem name},
+ three underscores means \emph{internal Skolem name}.
+
+ For example, the basic name @{text "foo"} has the internal version
+ @{text "foo_"}, with Skolem versions @{text "foo__"} and @{text
+ "foo___"}, respectively.
+
+ These special versions provide copies of the basic name space, apart
+ from anything that normally appears in the user text. For example,
+ system generated variables in Isar proof contexts are usually marked
+ as internal, which prevents mysterious names like @{text "xaa"} to
+ appear in human-readable text.
+
+ \medskip Manipulating binding scopes often requires on-the-fly
+ renamings. A \emph{name context} contains a collection of already
+ used names. The @{text "declare"} operation adds names to the
+ context.
+
+ The @{text "invents"} operation derives a number of fresh names from
+ a given starting point. For example, the first three names derived
+ from @{text "a"} are @{text "a"}, @{text "b"}, @{text "c"}.
+
+ The @{text "variants"} operation produces fresh names by
+ incrementing tentative names as base-26 numbers (with digits @{text
+ "a..z"}) until all clashes are resolved. For example, name @{text
+ "foo"} results in variants @{text "fooa"}, @{text "foob"}, @{text
+ "fooc"}, \dots, @{text "fooaa"}, @{text "fooab"} etc.; each renaming
+ step picks the next unused variant from this sequence.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Name.internal: "string -> string"} \\
+ @{index_ML Name.skolem: "string -> string"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type Name.context} \\
+ @{index_ML Name.context: Name.context} \\
+ @{index_ML Name.declare: "string -> Name.context -> Name.context"} \\
+ @{index_ML Name.invent: "Name.context -> string -> int -> string list"} \\
+ @{index_ML Name.variant: "string -> Name.context -> string * Name.context"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML Variable.names_of: "Proof.context -> Name.context"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Name.internal}~@{text "name"} produces an internal name
+ by adding one underscore.
+
+ \item @{ML Name.skolem}~@{text "name"} produces a Skolem name by
+ adding two underscores.
+
+ \item Type @{ML_type Name.context} represents the context of already
+ used names; the initial value is @{ML "Name.context"}.
+
+ \item @{ML Name.declare}~@{text "name"} enters a used name into the
+ context.
+
+ \item @{ML Name.invent}~@{text "context name n"} produces @{text
+ "n"} fresh names derived from @{text "name"}.
+
+ \item @{ML Name.variant}~@{text "name context"} produces a fresh
+ variant of @{text "name"}; the result is declared to the context.
+
+ \item @{ML Variable.names_of}~@{text "ctxt"} retrieves the context
+ of declared type and term variable names. Projecting a proof
+ context down to a primitive name context is occasionally useful when
+ invoking lower-level operations. Regular management of ``fresh
+ variables'' is done by suitable operations of structure @{ML_struct
+ Variable}, which is also able to provide an official status of
+ ``locally fixed variable'' within the logical environment (cf.\
+ \secref{sec:variables}).
+
+ \end{description}
+*}
+
+text %mlex {* The following simple examples demonstrate how to produce
+ fresh names from the initial @{ML Name.context}. *}
+
+ML {*
+ val list1 = Name.invent Name.context "a" 5;
+ @{assert} (list1 = ["a", "b", "c", "d", "e"]);
+
+ val list2 =
+ #1 (fold_map Name.variant ["x", "x", "a", "a", "'a", "'a"] Name.context);
+ @{assert} (list2 = ["x", "xa", "a", "aa", "'a", "'aa"]);
+*}
+
+text {* \medskip The same works relatively to the formal context as
+ follows. *}
+
+locale ex = fixes a b c :: 'a
+begin
+
+ML {*
+ val names = Variable.names_of @{context};
+
+ val list1 = Name.invent names "a" 5;
+ @{assert} (list1 = ["d", "e", "f", "g", "h"]);
+
+ val list2 =
+ #1 (fold_map Name.variant ["x", "x", "a", "a", "'a", "'a"] names);
+ @{assert} (list2 = ["x", "xa", "aa", "ab", "'aa", "'ab"]);
+*}
+
+end
+
+
+subsection {* Indexed names \label{sec:indexname} *}
+
+text {*
+ An \emph{indexed name} (or @{text "indexname"}) is a pair of a basic
+ name and a natural number. This representation allows efficient
+ renaming by incrementing the second component only. The canonical
+ way to rename two collections of indexnames apart from each other is
+ this: determine the maximum index @{text "maxidx"} of the first
+ collection, then increment all indexes of the second collection by
+ @{text "maxidx + 1"}; the maximum index of an empty collection is
+ @{text "-1"}.
+
+ Occasionally, basic names are injected into the same pair type of
+ indexed names: then @{text "(x, -1)"} is used to encode the basic
+ name @{text "x"}.
+
+ \medskip Isabelle syntax observes the following rules for
+ representing an indexname @{text "(x, i)"} as a packed string:
+
+ \begin{itemize}
+
+ \item @{text "?x"} if @{text "x"} does not end with a digit and @{text "i = 0"},
+
+ \item @{text "?xi"} if @{text "x"} does not end with a digit,
+
+ \item @{text "?x.i"} otherwise.
+
+ \end{itemize}
+
+ Indexnames may acquire large index numbers after several maxidx
+ shifts have been applied. Results are usually normalized towards
+ @{text "0"} at certain checkpoints, notably at the end of a proof.
+ This works by producing variants of the corresponding basic name
+ components. For example, the collection @{text "?x1, ?x7, ?x42"}
+ becomes @{text "?x, ?xa, ?xb"}.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type indexname: "string * int"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type indexname} represents indexed names. This is
+ an abbreviation for @{ML_type "string * int"}. The second component
+ is usually non-negative, except for situations where @{text "(x,
+ -1)"} is used to inject basic names into this type. Other negative
+ indexes should not be used.
+
+ \end{description}
+*}
+
+
+subsection {* Long names \label{sec:long-name} *}
+
+text {* A \emph{long name} consists of a sequence of non-empty name
+ components. The packed representation uses a dot as separator, as
+ in ``@{text "A.b.c"}''. The last component is called \emph{base
+ name}, the remaining prefix is called \emph{qualifier} (which may be
+ empty). The qualifier can be understood as the access path to the
+ named entity while passing through some nested block-structure,
+ although our free-form long names do not really enforce any strict
+ discipline.
+
+ For example, an item named ``@{text "A.b.c"}'' may be understood as
+ a local entity @{text "c"}, within a local structure @{text "b"},
+ within a global structure @{text "A"}. In practice, long names
+ usually represent 1--3 levels of qualification. User ML code should
+ not make any assumptions about the particular structure of long
+ names!
+
+ The empty name is commonly used as an indication of unnamed
+ entities, or entities that are not entered into the corresponding
+ name space, whenever this makes any sense. The basic operations on
+ long names map empty names again to empty names.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Long_Name.base_name: "string -> string"} \\
+ @{index_ML Long_Name.qualifier: "string -> string"} \\
+ @{index_ML Long_Name.append: "string -> string -> string"} \\
+ @{index_ML Long_Name.implode: "string list -> string"} \\
+ @{index_ML Long_Name.explode: "string -> string list"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Long_Name.base_name}~@{text "name"} returns the base name
+ of a long name.
+
+ \item @{ML Long_Name.qualifier}~@{text "name"} returns the qualifier
+ of a long name.
+
+ \item @{ML Long_Name.append}~@{text "name\<^isub>1 name\<^isub>2"} appends two long
+ names.
+
+ \item @{ML Long_Name.implode}~@{text "names"} and @{ML
+ Long_Name.explode}~@{text "name"} convert between the packed string
+ representation and the explicit list form of long names.
+
+ \end{description}
+*}
+
+
+subsection {* Name spaces \label{sec:name-space} *}
+
+text {* A @{text "name space"} manages a collection of long names,
+ together with a mapping between partially qualified external names
+ and fully qualified internal names (in both directions). Note that
+ the corresponding @{text "intern"} and @{text "extern"} operations
+ are mostly used for parsing and printing only! The @{text
+ "declare"} operation augments a name space according to the accesses
+ determined by a given binding, and a naming policy from the context.
+
+ \medskip A @{text "binding"} specifies details about the prospective
+ long name of a newly introduced formal entity. It consists of a
+ base name, prefixes for qualification (separate ones for system
+ infrastructure and user-space mechanisms), a slot for the original
+ source position, and some additional flags.
+
+ \medskip A @{text "naming"} provides some additional details for
+ producing a long name from a binding. Normally, the naming is
+ implicit in the theory or proof context. The @{text "full"}
+ operation (and its variants for different context types) produces a
+ fully qualified internal name to be entered into a name space. The
+ main equation of this ``chemical reaction'' when binding new
+ entities in a context is as follows:
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "binding + naming \<longrightarrow> long name + name space accesses"}
+ \end{tabular}
+
+ \bigskip As a general principle, there is a separate name space for
+ each kind of formal entity, e.g.\ fact, logical constant, type
+ constructor, type class. It is usually clear from the occurrence in
+ concrete syntax (or from the scope) which kind of entity a name
+ refers to. For example, the very same name @{text "c"} may be used
+ uniformly for a constant, type constructor, and type class.
+
+ There are common schemes to name derived entities systematically
+ according to the name of the main logical entity involved, e.g.\
+ fact @{text "c.intro"} for a canonical introduction rule related to
+ constant @{text "c"}. This technique of mapping names from one
+ space into another requires some care in order to avoid conflicts.
+ In particular, theorem names derived from a type constructor or type
+ class should get an additional suffix in addition to the usual
+ qualification. This leads to the following conventions for derived
+ names:
+
+ \medskip
+ \begin{tabular}{ll}
+ logical entity & fact name \\\hline
+ constant @{text "c"} & @{text "c.intro"} \\
+ type @{text "c"} & @{text "c_type.intro"} \\
+ class @{text "c"} & @{text "c_class.intro"} \\
+ \end{tabular}
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type binding} \\
+ @{index_ML Binding.empty: binding} \\
+ @{index_ML Binding.name: "string -> binding"} \\
+ @{index_ML Binding.qualify: "bool -> string -> binding -> binding"} \\
+ @{index_ML Binding.prefix: "bool -> string -> binding -> binding"} \\
+ @{index_ML Binding.conceal: "binding -> binding"} \\
+ @{index_ML Binding.print: "binding -> string"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type Name_Space.naming} \\
+ @{index_ML Name_Space.default_naming: Name_Space.naming} \\
+ @{index_ML Name_Space.add_path: "string -> Name_Space.naming -> Name_Space.naming"} \\
+ @{index_ML Name_Space.full_name: "Name_Space.naming -> binding -> string"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML_type Name_Space.T} \\
+ @{index_ML Name_Space.empty: "string -> Name_Space.T"} \\
+ @{index_ML Name_Space.merge: "Name_Space.T * Name_Space.T -> Name_Space.T"} \\
+ @{index_ML Name_Space.declare: "Context.generic -> bool ->
+ binding -> Name_Space.T -> string * Name_Space.T"} \\
+ @{index_ML Name_Space.intern: "Name_Space.T -> string -> string"} \\
+ @{index_ML Name_Space.extern: "Proof.context -> Name_Space.T -> string -> string"} \\
+ @{index_ML Name_Space.is_concealed: "Name_Space.T -> string -> bool"}
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type binding} represents the abstract concept of
+ name bindings.
+
+ \item @{ML Binding.empty} is the empty binding.
+
+ \item @{ML Binding.name}~@{text "name"} produces a binding with base
+ name @{text "name"}. Note that this lacks proper source position
+ information; see also the ML antiquotation @{ML_antiquotation
+ binding}.
+
+ \item @{ML Binding.qualify}~@{text "mandatory name binding"}
+ prefixes qualifier @{text "name"} to @{text "binding"}. The @{text
+ "mandatory"} flag tells if this name component always needs to be
+ given in name space accesses --- this is mostly @{text "false"} in
+ practice. Note that this part of qualification is typically used in
+ derived specification mechanisms.
+
+ \item @{ML Binding.prefix} is similar to @{ML Binding.qualify}, but
+ affects the system prefix. This part of extra qualification is
+ typically used in the infrastructure for modular specifications,
+ notably ``local theory targets'' (see also \chref{ch:local-theory}).
+
+ \item @{ML Binding.conceal}~@{text "binding"} indicates that the
+ binding shall refer to an entity that serves foundational purposes
+ only. This flag helps to mark implementation details of
+ specification mechanism etc. Other tools should not depend on the
+ particulars of concealed entities (cf.\ @{ML
+ Name_Space.is_concealed}).
+
+ \item @{ML Binding.print}~@{text "binding"} produces a string
+ representation for human-readable output, together with some formal
+ markup that might get used in GUI front-ends, for example.
+
+ \item Type @{ML_type Name_Space.naming} represents the abstract
+ concept of a naming policy.
+
+ \item @{ML Name_Space.default_naming} is the default naming policy.
+ In a theory context, this is usually augmented by a path prefix
+ consisting of the theory name.
+
+ \item @{ML Name_Space.add_path}~@{text "path naming"} augments the
+ naming policy by extending its path component.
+
+ \item @{ML Name_Space.full_name}~@{text "naming binding"} turns a
+ name binding (usually a basic name) into the fully qualified
+ internal name, according to the given naming policy.
+
+ \item Type @{ML_type Name_Space.T} represents name spaces.
+
+ \item @{ML Name_Space.empty}~@{text "kind"} and @{ML Name_Space.merge}~@{text
+ "(space\<^isub>1, space\<^isub>2)"} are the canonical operations for
+ maintaining name spaces according to theory data management
+ (\secref{sec:context-data}); @{text "kind"} is a formal comment
+ to characterize the purpose of a name space.
+
+ \item @{ML Name_Space.declare}~@{text "context strict binding
+ space"} enters a name binding as fully qualified internal name into
+ the name space, using the naming of the context.
+
+ \item @{ML Name_Space.intern}~@{text "space name"} internalizes a
+ (partially qualified) external name.
+
+ This operation is mostly for parsing! Note that fully qualified
+ names stemming from declarations are produced via @{ML
+ "Name_Space.full_name"} and @{ML "Name_Space.declare"}
+ (or their derivatives for @{ML_type theory} and
+ @{ML_type Proof.context}).
+
+ \item @{ML Name_Space.extern}~@{text "ctxt space name"} externalizes a
+ (fully qualified) internal name.
+
+ This operation is mostly for printing! User code should not rely on
+ the precise result too much.
+
+ \item @{ML Name_Space.is_concealed}~@{text "space name"} indicates
+ whether @{text "name"} refers to a strictly private entity that
+ other tools are supposed to ignore!
+
+ \end{description}
+*}
+
+text %mlantiq {*
+ \begin{matharray}{rcl}
+ @{ML_antiquotation_def "binding"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ @{rail "
+ @@{ML_antiquotation binding} name
+ "}
+
+ \begin{description}
+
+ \item @{text "@{binding name}"} produces a binding with base name
+ @{text "name"} and the source position taken from the concrete
+ syntax of this antiquotation. In many situations this is more
+ appropriate than the more basic @{ML Binding.name} function.
+
+ \end{description}
+*}
+
+text %mlex {* The following example yields the source position of some
+ concrete binding inlined into the text:
+*}
+
+ML {* Binding.pos_of @{binding here} *}
+
+text {* \medskip That position can be also printed in a message as
+ follows: *}
+
+ML_command {*
+ writeln
+ ("Look here" ^ Position.str_of (Binding.pos_of @{binding here}))
+*}
+
+text {* This illustrates a key virtue of formalized bindings as
+ opposed to raw specifications of base names: the system can use this
+ additional information for feedback given to the user (error
+ messages etc.). *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Proof.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,497 @@
+theory Proof
+imports Base
+begin
+
+chapter {* Structured proofs *}
+
+section {* Variables \label{sec:variables} *}
+
+text {*
+ Any variable that is not explicitly bound by @{text "\<lambda>"}-abstraction
+ is considered as ``free''. Logically, free variables act like
+ outermost universal quantification at the sequent level: @{text
+ "A\<^isub>1(x), \<dots>, A\<^isub>n(x) \<turnstile> B(x)"} means that the result
+ holds \emph{for all} values of @{text "x"}. Free variables for
+ terms (not types) can be fully internalized into the logic: @{text
+ "\<turnstile> B(x)"} and @{text "\<turnstile> \<And>x. B(x)"} are interchangeable, provided
+ that @{text "x"} does not occur elsewhere in the context.
+ Inspecting @{text "\<turnstile> \<And>x. B(x)"} more closely, we see that inside the
+ quantifier, @{text "x"} is essentially ``arbitrary, but fixed'',
+ while from outside it appears as a place-holder for instantiation
+ (thanks to @{text "\<And>"} elimination).
+
+ The Pure logic represents the idea of variables being either inside
+ or outside the current scope by providing separate syntactic
+ categories for \emph{fixed variables} (e.g.\ @{text "x"}) vs.\
+ \emph{schematic variables} (e.g.\ @{text "?x"}). Incidently, a
+ universal result @{text "\<turnstile> \<And>x. B(x)"} has the HHF normal form @{text
+ "\<turnstile> B(?x)"}, which represents its generality without requiring an
+ explicit quantifier. The same principle works for type variables:
+ @{text "\<turnstile> B(?\<alpha>)"} represents the idea of ``@{text "\<turnstile> \<forall>\<alpha>. B(\<alpha>)"}''
+ without demanding a truly polymorphic framework.
+
+ \medskip Additional care is required to treat type variables in a
+ way that facilitates type-inference. In principle, term variables
+ depend on type variables, which means that type variables would have
+ to be declared first. For example, a raw type-theoretic framework
+ would demand the context to be constructed in stages as follows:
+ @{text "\<Gamma> = \<alpha>: type, x: \<alpha>, a: A(x\<^isub>\<alpha>)"}.
+
+ We allow a slightly less formalistic mode of operation: term
+ variables @{text "x"} are fixed without specifying a type yet
+ (essentially \emph{all} potential occurrences of some instance
+ @{text "x\<^isub>\<tau>"} are fixed); the first occurrence of @{text "x"}
+ within a specific term assigns its most general type, which is then
+ maintained consistently in the context. The above example becomes
+ @{text "\<Gamma> = x: term, \<alpha>: type, A(x\<^isub>\<alpha>)"}, where type @{text
+ "\<alpha>"} is fixed \emph{after} term @{text "x"}, and the constraint
+ @{text "x :: \<alpha>"} is an implicit consequence of the occurrence of
+ @{text "x\<^isub>\<alpha>"} in the subsequent proposition.
+
+ This twist of dependencies is also accommodated by the reverse
+ operation of exporting results from a context: a type variable
+ @{text "\<alpha>"} is considered fixed as long as it occurs in some fixed
+ term variable of the context. For example, exporting @{text "x:
+ term, \<alpha>: type \<turnstile> x\<^isub>\<alpha> \<equiv> x\<^isub>\<alpha>"} produces in the first step @{text "x: term
+ \<turnstile> x\<^isub>\<alpha> \<equiv> x\<^isub>\<alpha>"} for fixed @{text "\<alpha>"}, and only in the second step
+ @{text "\<turnstile> ?x\<^isub>?\<^isub>\<alpha> \<equiv> ?x\<^isub>?\<^isub>\<alpha>"} for schematic @{text "?x"} and @{text "?\<alpha>"}.
+ The following Isar source text illustrates this scenario.
+*}
+
+notepad
+begin
+ {
+ fix x -- {* all potential occurrences of some @{text "x::\<tau>"} are fixed *}
+ {
+ have "x::'a \<equiv> x" -- {* implicit type assigment by concrete occurrence *}
+ by (rule reflexive)
+ }
+ thm this -- {* result still with fixed type @{text "'a"} *}
+ }
+ thm this -- {* fully general result for arbitrary @{text "?x::?'a"} *}
+end
+
+text {* The Isabelle/Isar proof context manages the details of term
+ vs.\ type variables, with high-level principles for moving the
+ frontier between fixed and schematic variables.
+
+ The @{text "add_fixes"} operation explictly declares fixed
+ variables; the @{text "declare_term"} operation absorbs a term into
+ a context by fixing new type variables and adding syntactic
+ constraints.
+
+ The @{text "export"} operation is able to perform the main work of
+ generalizing term and type variables as sketched above, assuming
+ that fixing variables and terms have been declared properly.
+
+ There @{text "import"} operation makes a generalized fact a genuine
+ part of the context, by inventing fixed variables for the schematic
+ ones. The effect can be reversed by using @{text "export"} later,
+ potentially with an extended context; the result is equivalent to
+ the original modulo renaming of schematic variables.
+
+ The @{text "focus"} operation provides a variant of @{text "import"}
+ for nested propositions (with explicit quantification): @{text
+ "\<And>x\<^isub>1 \<dots> x\<^isub>n. B(x\<^isub>1, \<dots>, x\<^isub>n)"} is
+ decomposed by inventing fixed variables @{text "x\<^isub>1, \<dots>,
+ x\<^isub>n"} for the body.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Variable.add_fixes: "
+ string list -> Proof.context -> string list * Proof.context"} \\
+ @{index_ML Variable.variant_fixes: "
+ string list -> Proof.context -> string list * Proof.context"} \\
+ @{index_ML Variable.declare_term: "term -> Proof.context -> Proof.context"} \\
+ @{index_ML Variable.declare_constraints: "term -> Proof.context -> Proof.context"} \\
+ @{index_ML Variable.export: "Proof.context -> Proof.context -> thm list -> thm list"} \\
+ @{index_ML Variable.polymorphic: "Proof.context -> term list -> term list"} \\
+ @{index_ML Variable.import: "bool -> thm list -> Proof.context ->
+ (((ctyp * ctyp) list * (cterm * cterm) list) * thm list) * Proof.context"} \\
+ @{index_ML Variable.focus: "term -> Proof.context ->
+ ((string * (string * typ)) list * term) * Proof.context"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML Variable.add_fixes}~@{text "xs ctxt"} fixes term
+ variables @{text "xs"}, returning the resulting internal names. By
+ default, the internal representation coincides with the external
+ one, which also means that the given variables must not be fixed
+ already. There is a different policy within a local proof body: the
+ given names are just hints for newly invented Skolem variables.
+
+ \item @{ML Variable.variant_fixes} is similar to @{ML
+ Variable.add_fixes}, but always produces fresh variants of the given
+ names.
+
+ \item @{ML Variable.declare_term}~@{text "t ctxt"} declares term
+ @{text "t"} to belong to the context. This automatically fixes new
+ type variables, but not term variables. Syntactic constraints for
+ type and term variables are declared uniformly, though.
+
+ \item @{ML Variable.declare_constraints}~@{text "t ctxt"} declares
+ syntactic constraints from term @{text "t"}, without making it part
+ of the context yet.
+
+ \item @{ML Variable.export}~@{text "inner outer thms"} generalizes
+ fixed type and term variables in @{text "thms"} according to the
+ difference of the @{text "inner"} and @{text "outer"} context,
+ following the principles sketched above.
+
+ \item @{ML Variable.polymorphic}~@{text "ctxt ts"} generalizes type
+ variables in @{text "ts"} as far as possible, even those occurring
+ in fixed term variables. The default policy of type-inference is to
+ fix newly introduced type variables, which is essentially reversed
+ with @{ML Variable.polymorphic}: here the given terms are detached
+ from the context as far as possible.
+
+ \item @{ML Variable.import}~@{text "open thms ctxt"} invents fixed
+ type and term variables for the schematic ones occurring in @{text
+ "thms"}. The @{text "open"} flag indicates whether the fixed names
+ should be accessible to the user, otherwise newly introduced names
+ are marked as ``internal'' (\secref{sec:names}).
+
+ \item @{ML Variable.focus}~@{text B} decomposes the outermost @{text
+ "\<And>"} prefix of proposition @{text "B"}.
+
+ \end{description}
+*}
+
+text %mlex {* The following example shows how to work with fixed term
+ and type parameters and with type-inference. *}
+
+ML {*
+ (*static compile-time context -- for testing only*)
+ val ctxt0 = @{context};
+
+ (*locally fixed parameters -- no type assignment yet*)
+ val ([x, y], ctxt1) = ctxt0 |> Variable.add_fixes ["x", "y"];
+
+ (*t1: most general fixed type; t1': most general arbitrary type*)
+ val t1 = Syntax.read_term ctxt1 "x";
+ val t1' = singleton (Variable.polymorphic ctxt1) t1;
+
+ (*term u enforces specific type assignment*)
+ val u = Syntax.read_term ctxt1 "(x::nat) \<equiv> y";
+
+ (*official declaration of u -- propagates constraints etc.*)
+ val ctxt2 = ctxt1 |> Variable.declare_term u;
+ val t2 = Syntax.read_term ctxt2 "x"; (*x::nat is enforced*)
+*}
+
+text {* In the above example, the starting context is derived from the
+ toplevel theory, which means that fixed variables are internalized
+ literally: @{text "x"} is mapped again to @{text "x"}, and
+ attempting to fix it again in the subsequent context is an error.
+ Alternatively, fixed parameters can be renamed explicitly as
+ follows: *}
+
+ML {*
+ val ctxt0 = @{context};
+ val ([x1, x2, x3], ctxt1) =
+ ctxt0 |> Variable.variant_fixes ["x", "x", "x"];
+*}
+
+text {* The following ML code can now work with the invented names of
+ @{text x1}, @{text x2}, @{text x3}, without depending on
+ the details on the system policy for introducing these variants.
+ Recall that within a proof body the system always invents fresh
+ ``skolem constants'', e.g.\ as follows: *}
+
+notepad
+begin
+ ML_prf %"ML" {*
+ val ctxt0 = @{context};
+
+ val ([x1], ctxt1) = ctxt0 |> Variable.add_fixes ["x"];
+ val ([x2], ctxt2) = ctxt1 |> Variable.add_fixes ["x"];
+ val ([x3], ctxt3) = ctxt2 |> Variable.add_fixes ["x"];
+
+ val ([y1, y2], ctxt4) =
+ ctxt3 |> Variable.variant_fixes ["y", "y"];
+ *}
+end
+
+text {* In this situation @{ML Variable.add_fixes} and @{ML
+ Variable.variant_fixes} are very similar, but identical name
+ proposals given in a row are only accepted by the second version.
+ *}
+
+
+section {* Assumptions \label{sec:assumptions} *}
+
+text {*
+ An \emph{assumption} is a proposition that it is postulated in the
+ current context. Local conclusions may use assumptions as
+ additional facts, but this imposes implicit hypotheses that weaken
+ the overall statement.
+
+ Assumptions are restricted to fixed non-schematic statements, i.e.\
+ all generality needs to be expressed by explicit quantifiers.
+ Nevertheless, the result will be in HHF normal form with outermost
+ quantifiers stripped. For example, by assuming @{text "\<And>x :: \<alpha>. P
+ x"} we get @{text "\<And>x :: \<alpha>. P x \<turnstile> P ?x"} for schematic @{text "?x"}
+ of fixed type @{text "\<alpha>"}. Local derivations accumulate more and
+ more explicit references to hypotheses: @{text "A\<^isub>1, \<dots>,
+ A\<^isub>n \<turnstile> B"} where @{text "A\<^isub>1, \<dots>, A\<^isub>n"} needs to
+ be covered by the assumptions of the current context.
+
+ \medskip The @{text "add_assms"} operation augments the context by
+ local assumptions, which are parameterized by an arbitrary @{text
+ "export"} rule (see below).
+
+ The @{text "export"} operation moves facts from a (larger) inner
+ context into a (smaller) outer context, by discharging the
+ difference of the assumptions as specified by the associated export
+ rules. Note that the discharged portion is determined by the
+ difference of contexts, not the facts being exported! There is a
+ separate flag to indicate a goal context, where the result is meant
+ to refine an enclosing sub-goal of a structured proof state.
+
+ \medskip The most basic export rule discharges assumptions directly
+ by means of the @{text "\<Longrightarrow>"} introduction rule:
+ \[
+ \infer[(@{text "\<Longrightarrow>\<hyphen>intro"})]{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
+ \]
+
+ The variant for goal refinements marks the newly introduced
+ premises, which causes the canonical Isar goal refinement scheme to
+ enforce unification with local premises within the goal:
+ \[
+ \infer[(@{text "#\<Longrightarrow>\<hyphen>intro"})]{@{text "\<Gamma> - A \<turnstile> #A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
+ \]
+
+ \medskip Alternative versions of assumptions may perform arbitrary
+ transformations on export, as long as the corresponding portion of
+ hypotheses is removed from the given facts. For example, a local
+ definition works by fixing @{text "x"} and assuming @{text "x \<equiv> t"},
+ with the following export rule to reverse the effect:
+ \[
+ \infer[(@{text "\<equiv>\<hyphen>expand"})]{@{text "\<Gamma> - (x \<equiv> t) \<turnstile> B t"}}{@{text "\<Gamma> \<turnstile> B x"}}
+ \]
+ This works, because the assumption @{text "x \<equiv> t"} was introduced in
+ a context with @{text "x"} being fresh, so @{text "x"} does not
+ occur in @{text "\<Gamma>"} here.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type Assumption.export} \\
+ @{index_ML Assumption.assume: "cterm -> thm"} \\
+ @{index_ML Assumption.add_assms:
+ "Assumption.export ->
+ cterm list -> Proof.context -> thm list * Proof.context"} \\
+ @{index_ML Assumption.add_assumes: "
+ cterm list -> Proof.context -> thm list * Proof.context"} \\
+ @{index_ML Assumption.export: "bool -> Proof.context -> Proof.context -> thm -> thm"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type Assumption.export} represents arbitrary export
+ rules, which is any function of type @{ML_type "bool -> cterm list
+ -> thm -> thm"}, where the @{ML_type "bool"} indicates goal mode,
+ and the @{ML_type "cterm list"} the collection of assumptions to be
+ discharged simultaneously.
+
+ \item @{ML Assumption.assume}~@{text "A"} turns proposition @{text
+ "A"} into a primitive assumption @{text "A \<turnstile> A'"}, where the
+ conclusion @{text "A'"} is in HHF normal form.
+
+ \item @{ML Assumption.add_assms}~@{text "r As"} augments the context
+ by assumptions @{text "As"} with export rule @{text "r"}. The
+ resulting facts are hypothetical theorems as produced by the raw
+ @{ML Assumption.assume}.
+
+ \item @{ML Assumption.add_assumes}~@{text "As"} is a special case of
+ @{ML Assumption.add_assms} where the export rule performs @{text
+ "\<Longrightarrow>\<hyphen>intro"} or @{text "#\<Longrightarrow>\<hyphen>intro"}, depending on goal
+ mode.
+
+ \item @{ML Assumption.export}~@{text "is_goal inner outer thm"}
+ exports result @{text "thm"} from the the @{text "inner"} context
+ back into the @{text "outer"} one; @{text "is_goal = true"} means
+ this is a goal context. The result is in HHF normal form. Note
+ that @{ML "Proof_Context.export"} combines @{ML "Variable.export"}
+ and @{ML "Assumption.export"} in the canonical way.
+
+ \end{description}
+*}
+
+text %mlex {* The following example demonstrates how rules can be
+ derived by building up a context of assumptions first, and exporting
+ some local fact afterwards. We refer to @{theory Pure} equality
+ here for testing purposes.
+*}
+
+ML {*
+ (*static compile-time context -- for testing only*)
+ val ctxt0 = @{context};
+
+ val ([eq], ctxt1) =
+ ctxt0 |> Assumption.add_assumes [@{cprop "x \<equiv> y"}];
+ val eq' = Thm.symmetric eq;
+
+ (*back to original context -- discharges assumption*)
+ val r = Assumption.export false ctxt1 ctxt0 eq';
+*}
+
+text {* Note that the variables of the resulting rule are not
+ generalized. This would have required to fix them properly in the
+ context beforehand, and export wrt.\ variables afterwards (cf.\ @{ML
+ Variable.export} or the combined @{ML "Proof_Context.export"}). *}
+
+
+section {* Structured goals and results \label{sec:struct-goals} *}
+
+text {*
+ Local results are established by monotonic reasoning from facts
+ within a context. This allows common combinations of theorems,
+ e.g.\ via @{text "\<And>/\<Longrightarrow>"} elimination, resolution rules, or equational
+ reasoning, see \secref{sec:thms}. Unaccounted context manipulations
+ should be avoided, notably raw @{text "\<And>/\<Longrightarrow>"} introduction or ad-hoc
+ references to free variables or assumptions not present in the proof
+ context.
+
+ \medskip The @{text "SUBPROOF"} combinator allows to structure a
+ tactical proof recursively by decomposing a selected sub-goal:
+ @{text "(\<And>x. A(x) \<Longrightarrow> B(x)) \<Longrightarrow> \<dots>"} is turned into @{text "B(x) \<Longrightarrow> \<dots>"}
+ after fixing @{text "x"} and assuming @{text "A(x)"}. This means
+ the tactic needs to solve the conclusion, but may use the premise as
+ a local fact, for locally fixed variables.
+
+ The family of @{text "FOCUS"} combinators is similar to @{text
+ "SUBPROOF"}, but allows to retain schematic variables and pending
+ subgoals in the resulting goal state.
+
+ The @{text "prove"} operation provides an interface for structured
+ backwards reasoning under program control, with some explicit sanity
+ checks of the result. The goal context can be augmented by
+ additional fixed variables (cf.\ \secref{sec:variables}) and
+ assumptions (cf.\ \secref{sec:assumptions}), which will be available
+ as local facts during the proof and discharged into implications in
+ the result. Type and term variables are generalized as usual,
+ according to the context.
+
+ The @{text "obtain"} operation produces results by eliminating
+ existing facts by means of a given tactic. This acts like a dual
+ conclusion: the proof demonstrates that the context may be augmented
+ by parameters and assumptions, without affecting any conclusions
+ that do not mention these parameters. See also
+ \cite{isabelle-isar-ref} for the user-level @{command obtain} and
+ @{command guess} elements. Final results, which may not refer to
+ the parameters in the conclusion, need to exported explicitly into
+ the original context. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML SELECT_GOAL: "tactic -> int -> tactic"} \\
+ @{index_ML SUBPROOF: "(Subgoal.focus -> tactic) ->
+ Proof.context -> int -> tactic"} \\
+ @{index_ML Subgoal.FOCUS: "(Subgoal.focus -> tactic) ->
+ Proof.context -> int -> tactic"} \\
+ @{index_ML Subgoal.FOCUS_PREMS: "(Subgoal.focus -> tactic) ->
+ Proof.context -> int -> tactic"} \\
+ @{index_ML Subgoal.FOCUS_PARAMS: "(Subgoal.focus -> tactic) ->
+ Proof.context -> int -> tactic"} \\
+ @{index_ML Subgoal.focus: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
+ @{index_ML Subgoal.focus_prems: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
+ @{index_ML Subgoal.focus_params: "Proof.context -> int -> thm -> Subgoal.focus * thm"} \\
+ \end{mldecls}
+
+ \begin{mldecls}
+ @{index_ML Goal.prove: "Proof.context -> string list -> term list -> term ->
+ ({prems: thm list, context: Proof.context} -> tactic) -> thm"} \\
+ @{index_ML Goal.prove_multi: "Proof.context -> string list -> term list -> term list ->
+ ({prems: thm list, context: Proof.context} -> tactic) -> thm list"} \\
+ \end{mldecls}
+ \begin{mldecls}
+ @{index_ML Obtain.result: "(Proof.context -> tactic) -> thm list ->
+ Proof.context -> ((string * cterm) list * thm list) * Proof.context"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML SELECT_GOAL}~@{text "tac i"} confines a tactic to the
+ specified subgoal @{text "i"}. This introduces a nested goal state,
+ without decomposing the internal structure of the subgoal yet.
+
+ \item @{ML SUBPROOF}~@{text "tac ctxt i"} decomposes the structure
+ of the specified sub-goal, producing an extended context and a
+ reduced goal, which needs to be solved by the given tactic. All
+ schematic parameters of the goal are imported into the context as
+ fixed ones, which may not be instantiated in the sub-proof.
+
+ \item @{ML Subgoal.FOCUS}, @{ML Subgoal.FOCUS_PREMS}, and @{ML
+ Subgoal.FOCUS_PARAMS} are similar to @{ML SUBPROOF}, but are
+ slightly more flexible: only the specified parts of the subgoal are
+ imported into the context, and the body tactic may introduce new
+ subgoals and schematic variables.
+
+ \item @{ML Subgoal.focus}, @{ML Subgoal.focus_prems}, @{ML
+ Subgoal.focus_params} extract the focus information from a goal
+ state in the same way as the corresponding tacticals above. This is
+ occasionally useful to experiment without writing actual tactics
+ yet.
+
+ \item @{ML Goal.prove}~@{text "ctxt xs As C tac"} states goal @{text
+ "C"} in the context augmented by fixed variables @{text "xs"} and
+ assumptions @{text "As"}, and applies tactic @{text "tac"} to solve
+ it. The latter may depend on the local assumptions being presented
+ as facts. The result is in HHF normal form.
+
+ \item @{ML Goal.prove_multi} is simular to @{ML Goal.prove}, but
+ states several conclusions simultaneously. The goal is encoded by
+ means of Pure conjunction; @{ML Goal.conjunction_tac} will turn this
+ into a collection of individual subgoals.
+
+ \item @{ML Obtain.result}~@{text "tac thms ctxt"} eliminates the
+ given facts using a tactic, which results in additional fixed
+ variables and assumptions in the context. Final results need to be
+ exported explicitly.
+
+ \end{description}
+*}
+
+text %mlex {* The following minimal example illustrates how to access
+ the focus information of a structured goal state. *}
+
+notepad
+begin
+ fix A B C :: "'a \<Rightarrow> bool"
+
+ have "\<And>x. A x \<Longrightarrow> B x \<Longrightarrow> C x"
+ ML_val
+ {*
+ val {goal, context = goal_ctxt, ...} = @{Isar.goal};
+ val (focus as {params, asms, concl, ...}, goal') =
+ Subgoal.focus goal_ctxt 1 goal;
+ val [A, B] = #prems focus;
+ val [(_, x)] = #params focus;
+ *}
+ oops
+
+text {* \medskip The next example demonstrates forward-elimination in
+ a local context, using @{ML Obtain.result}. *}
+
+notepad
+begin
+ assume ex: "\<exists>x. B x"
+
+ ML_prf %"ML" {*
+ val ctxt0 = @{context};
+ val (([(_, x)], [B]), ctxt1) = ctxt0
+ |> Obtain.result (fn _ => etac @{thm exE} 1) [@{thm ex}];
+ *}
+ ML_prf %"ML" {*
+ singleton (Proof_Context.export ctxt1 ctxt0) @{thm refl};
+ *}
+ ML_prf %"ML" {*
+ Proof_Context.export ctxt1 ctxt0 [Thm.reflexive x]
+ handle ERROR msg => (warning msg; []);
+ *}
+end
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Syntax.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,163 @@
+theory Syntax
+imports Base
+begin
+
+chapter {* Concrete syntax and type-checking *}
+
+text {* Pure @{text "\<lambda>"}-calculus as introduced in \chref{ch:logic} is
+ an adequate foundation for logical languages --- in the tradition of
+ \emph{higher-order abstract syntax} --- but end-users require
+ additional means for reading and printing of terms and types. This
+ important add-on outside the logical core is called \emph{inner
+ syntax} in Isabelle jargon, as opposed to the \emph{outer syntax} of
+ the theory and proof language (cf.\ \cite{isabelle-isar-ref}).
+
+ For example, according to \cite{church40} quantifiers are
+ represented as higher-order constants @{text "All :: ('a \<Rightarrow> bool) \<Rightarrow>
+ bool"} such that @{text "All (\<lambda>x::'a. B x)"} faithfully represents
+ the idea that is displayed as @{text "\<forall>x::'a. B x"} via @{keyword
+ "binder"} notation. Moreover, type-inference in the style of
+ Hindley-Milner \cite{hindleymilner} (and extensions) enables users
+ to write @{text "\<forall>x. B x"} concisely, when the type @{text "'a"} is
+ already clear from the context.\footnote{Type-inference taken to the
+ extreme can easily confuse users, though. Beginners often stumble
+ over unexpectedly general types inferred by the system.}
+
+ \medskip The main inner syntax operations are \emph{read} for
+ parsing together with type-checking, and \emph{pretty} for formatted
+ output. See also \secref{sec:read-print}.
+
+ Furthermore, the input and output syntax layers are sub-divided into
+ separate phases for \emph{concrete syntax} versus \emph{abstract
+ syntax}, see also \secref{sec:parse-unparse} and
+ \secref{sec:term-check}, respectively. This results in the
+ following decomposition of the main operations:
+
+ \begin{itemize}
+
+ \item @{text "read = parse; check"}
+
+ \item @{text "pretty = uncheck; unparse"}
+
+ \end{itemize}
+
+ Some specification package might thus intercept syntax processing at
+ a well-defined stage after @{text "parse"}, to a augment the
+ resulting pre-term before full type-reconstruction is performed by
+ @{text "check"}, for example. Note that the formal status of bound
+ variables, versus free variables, versus constants must not be
+ changed here! *}
+
+
+section {* Reading and pretty printing \label{sec:read-print} *}
+
+text {* Read and print operations are roughly dual to each other, such
+ that for the user @{text "s' = pretty (read s)"} looks similar to
+ the original source text @{text "s"}, but the details depend on many
+ side-conditions. There are also explicit options to control
+ suppressing of type information in the output. The default
+ configuration routinely looses information, so @{text "t' = read
+ (pretty t)"} might fail, produce a differently typed term, or a
+ completely different term in the face of syntactic overloading! *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Syntax.read_typ: "Proof.context -> string -> typ"} \\
+ @{index_ML Syntax.read_term: "Proof.context -> string -> term"} \\
+ @{index_ML Syntax.read_prop: "Proof.context -> string -> term"} \\
+ @{index_ML Syntax.pretty_typ: "Proof.context -> typ -> Pretty.T"} \\
+ @{index_ML Syntax.pretty_term: "Proof.context -> term -> Pretty.T"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item FIXME
+
+ \end{description}
+*}
+
+
+section {* Parsing and unparsing \label{sec:parse-unparse} *}
+
+text {* Parsing and unparsing converts between actual source text and
+ a certain \emph{pre-term} format, where all bindings and scopes are
+ resolved faithfully. Thus the names of free variables or constants
+ are already determined in the sense of the logical context, but type
+ information might is still missing. Pre-terms support an explicit
+ language of \emph{type constraints} that may be augmented by user
+ code to guide the later \emph{check} phase, for example.
+
+ Actual parsing is based on traditional lexical analysis and Earley
+ parsing for arbitrary context-free grammars. The user can specify
+ this via mixfix annotations. Moreover, there are \emph{syntax
+ translations} that can be augmented by the user, either
+ declaratively via @{command translations} or programmatically via
+ @{command parse_translation}, @{command print_translation} etc. The
+ final scope resolution is performed by the system, according to name
+ spaces for types, constants etc.\ determined by the context.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Syntax.parse_typ: "Proof.context -> string -> typ"} \\
+ @{index_ML Syntax.parse_term: "Proof.context -> string -> term"} \\
+ @{index_ML Syntax.parse_prop: "Proof.context -> string -> term"} \\
+ @{index_ML Syntax.unparse_typ: "Proof.context -> typ -> Pretty.T"} \\
+ @{index_ML Syntax.unparse_term: "Proof.context -> term -> Pretty.T"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item FIXME
+
+ \end{description}
+*}
+
+
+section {* Checking and unchecking \label{sec:term-check} *}
+
+text {* These operations define the transition from pre-terms and
+ fully-annotated terms in the sense of the logical core
+ (\chref{ch:logic}).
+
+ The \emph{check} phase is meant to subsume a variety of mechanisms
+ in the manner of ``type-inference'' or ``type-reconstruction'' or
+ ``type-improvement'', not just type-checking in the narrow sense.
+ The \emph{uncheck} phase is roughly dual, it prunes type-information
+ before pretty printing.
+
+ A typical add-on for the check/uncheck syntax layer is the @{command
+ abbreviation} mechanism. Here the user specifies syntactic
+ definitions that are managed by the system as polymorphic @{text
+ "let"} bindings. These are expanded during the @{text "check"}
+ phase, and contracted during the @{text "uncheck"} phase, without
+ affecting the type-assignment of the given terms.
+
+ \medskip The precise meaning of type checking depends on the context
+ --- additional check/uncheck plugins might be defined in user space!
+
+ For example, the @{command class} command defines a context where
+ @{text "check"} treats certain type instances of overloaded
+ constants according to the ``dictionary construction'' of its
+ logical foundation. This involves ``type improvement''
+ (specialization of slightly too general types) and replacement by
+ certain locale parameters. See also \cite{Haftmann-Wenzel:2009}.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Syntax.check_typs: "Proof.context -> typ list -> typ list"} \\
+ @{index_ML Syntax.check_terms: "Proof.context -> term list -> term list"} \\
+ @{index_ML Syntax.check_props: "Proof.context -> term list -> term list"} \\
+ @{index_ML Syntax.uncheck_typs: "Proof.context -> typ list -> typ list"} \\
+ @{index_ML Syntax.uncheck_terms: "Proof.context -> term list -> term list"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item FIXME
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/Tactic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,861 @@
+theory Tactic
+imports Base
+begin
+
+chapter {* Tactical reasoning *}
+
+text {* Tactical reasoning works by refining an initial claim in a
+ backwards fashion, until a solved form is reached. A @{text "goal"}
+ consists of several subgoals that need to be solved in order to
+ achieve the main statement; zero subgoals means that the proof may
+ be finished. A @{text "tactic"} is a refinement operation that maps
+ a goal to a lazy sequence of potential successors. A @{text
+ "tactical"} is a combinator for composing tactics. *}
+
+
+section {* Goals \label{sec:tactical-goals} *}
+
+text {*
+ Isabelle/Pure represents a goal as a theorem stating that the
+ subgoals imply the main goal: @{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow>
+ C"}. The outermost goal structure is that of a Horn Clause: i.e.\
+ an iterated implication without any quantifiers\footnote{Recall that
+ outermost @{text "\<And>x. \<phi>[x]"} is always represented via schematic
+ variables in the body: @{text "\<phi>[?x]"}. These variables may get
+ instantiated during the course of reasoning.}. For @{text "n = 0"}
+ a goal is called ``solved''.
+
+ The structure of each subgoal @{text "A\<^sub>i"} is that of a
+ general Hereditary Harrop Formula @{text "\<And>x\<^sub>1 \<dots>
+ \<And>x\<^sub>k. H\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> H\<^sub>m \<Longrightarrow> B"}. Here @{text
+ "x\<^sub>1, \<dots>, x\<^sub>k"} are goal parameters, i.e.\
+ arbitrary-but-fixed entities of certain types, and @{text
+ "H\<^sub>1, \<dots>, H\<^sub>m"} are goal hypotheses, i.e.\ facts that may
+ be assumed locally. Together, this forms the goal context of the
+ conclusion @{text B} to be established. The goal hypotheses may be
+ again arbitrary Hereditary Harrop Formulas, although the level of
+ nesting rarely exceeds 1--2 in practice.
+
+ The main conclusion @{text C} is internally marked as a protected
+ proposition, which is represented explicitly by the notation @{text
+ "#C"} here. This ensures that the decomposition into subgoals and
+ main conclusion is well-defined for arbitrarily structured claims.
+
+ \medskip Basic goal management is performed via the following
+ Isabelle/Pure rules:
+
+ \[
+ \infer[@{text "(init)"}]{@{text "C \<Longrightarrow> #C"}}{} \qquad
+ \infer[@{text "(finish)"}]{@{text "C"}}{@{text "#C"}}
+ \]
+
+ \medskip The following low-level variants admit general reasoning
+ with protected propositions:
+
+ \[
+ \infer[@{text "(protect)"}]{@{text "#C"}}{@{text "C"}} \qquad
+ \infer[@{text "(conclude)"}]{@{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow> C"}}{@{text "A\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^sub>n \<Longrightarrow> #C"}}
+ \]
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML Goal.init: "cterm -> thm"} \\
+ @{index_ML Goal.finish: "Proof.context -> thm -> thm"} \\
+ @{index_ML Goal.protect: "thm -> thm"} \\
+ @{index_ML Goal.conclude: "thm -> thm"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML "Goal.init"}~@{text C} initializes a tactical goal from
+ the well-formed proposition @{text C}.
+
+ \item @{ML "Goal.finish"}~@{text "ctxt thm"} checks whether theorem
+ @{text "thm"} is a solved goal (no subgoals), and concludes the
+ result by removing the goal protection. The context is only
+ required for printing error messages.
+
+ \item @{ML "Goal.protect"}~@{text "thm"} protects the full statement
+ of theorem @{text "thm"}.
+
+ \item @{ML "Goal.conclude"}~@{text "thm"} removes the goal
+ protection, even if there are pending subgoals.
+
+ \end{description}
+*}
+
+
+section {* Tactics\label{sec:tactics} *}
+
+text {* A @{text "tactic"} is a function @{text "goal \<rightarrow> goal\<^sup>*\<^sup>*"} that
+ maps a given goal state (represented as a theorem, cf.\
+ \secref{sec:tactical-goals}) to a lazy sequence of potential
+ successor states. The underlying sequence implementation is lazy
+ both in head and tail, and is purely functional in \emph{not}
+ supporting memoing.\footnote{The lack of memoing and the strict
+ nature of SML requires some care when working with low-level
+ sequence operations, to avoid duplicate or premature evaluation of
+ results. It also means that modified runtime behavior, such as
+ timeout, is very hard to achieve for general tactics.}
+
+ An \emph{empty result sequence} means that the tactic has failed: in
+ a compound tactic expression other tactics might be tried instead,
+ or the whole refinement step might fail outright, producing a
+ toplevel error message in the end. When implementing tactics from
+ scratch, one should take care to observe the basic protocol of
+ mapping regular error conditions to an empty result; only serious
+ faults should emerge as exceptions.
+
+ By enumerating \emph{multiple results}, a tactic can easily express
+ the potential outcome of an internal search process. There are also
+ combinators for building proof tools that involve search
+ systematically, see also \secref{sec:tacticals}.
+
+ \medskip As explained before, a goal state essentially consists of a
+ list of subgoals that imply the main goal (conclusion). Tactics may
+ operate on all subgoals or on a particularly specified subgoal, but
+ must not change the main conclusion (apart from instantiating
+ schematic goal variables).
+
+ Tactics with explicit \emph{subgoal addressing} are of the form
+ @{text "int \<rightarrow> tactic"} and may be applied to a particular subgoal
+ (counting from 1). If the subgoal number is out of range, the
+ tactic should fail with an empty result sequence, but must not raise
+ an exception!
+
+ Operating on a particular subgoal means to replace it by an interval
+ of zero or more subgoals in the same place; other subgoals must not
+ be affected, apart from instantiating schematic variables ranging
+ over the whole goal state.
+
+ A common pattern of composing tactics with subgoal addressing is to
+ try the first one, and then the second one only if the subgoal has
+ not been solved yet. Special care is required here to avoid bumping
+ into unrelated subgoals that happen to come after the original
+ subgoal. Assuming that there is only a single initial subgoal is a
+ very common error when implementing tactics!
+
+ Tactics with internal subgoal addressing should expose the subgoal
+ index as @{text "int"} argument in full generality; a hardwired
+ subgoal 1 is not acceptable.
+
+ \medskip The main well-formedness conditions for proper tactics are
+ summarized as follows.
+
+ \begin{itemize}
+
+ \item General tactic failure is indicated by an empty result, only
+ serious faults may produce an exception.
+
+ \item The main conclusion must not be changed, apart from
+ instantiating schematic variables.
+
+ \item A tactic operates either uniformly on all subgoals, or
+ specifically on a selected subgoal (without bumping into unrelated
+ subgoals).
+
+ \item Range errors in subgoal addressing produce an empty result.
+
+ \end{itemize}
+
+ Some of these conditions are checked by higher-level goal
+ infrastructure (\secref{sec:struct-goals}); others are not checked
+ explicitly, and violating them merely results in ill-behaved tactics
+ experienced by the user (e.g.\ tactics that insist in being
+ applicable only to singleton goals, or prevent composition via
+ standard tacticals such as @{ML REPEAT}).
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_type tactic: "thm -> thm Seq.seq"} \\
+ @{index_ML no_tac: tactic} \\
+ @{index_ML all_tac: tactic} \\
+ @{index_ML print_tac: "string -> tactic"} \\[1ex]
+ @{index_ML PRIMITIVE: "(thm -> thm) -> tactic"} \\[1ex]
+ @{index_ML SUBGOAL: "(term * int -> tactic) -> int -> tactic"} \\
+ @{index_ML CSUBGOAL: "(cterm * int -> tactic) -> int -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item Type @{ML_type tactic} represents tactics. The
+ well-formedness conditions described above need to be observed. See
+ also @{file "~~/src/Pure/General/seq.ML"} for the underlying
+ implementation of lazy sequences.
+
+ \item Type @{ML_type "int -> tactic"} represents tactics with
+ explicit subgoal addressing, with well-formedness conditions as
+ described above.
+
+ \item @{ML no_tac} is a tactic that always fails, returning the
+ empty sequence.
+
+ \item @{ML all_tac} is a tactic that always succeeds, returning a
+ singleton sequence with unchanged goal state.
+
+ \item @{ML print_tac}~@{text "message"} is like @{ML all_tac}, but
+ prints a message together with the goal state on the tracing
+ channel.
+
+ \item @{ML PRIMITIVE}~@{text rule} turns a primitive inference rule
+ into a tactic with unique result. Exception @{ML THM} is considered
+ a regular tactic failure and produces an empty result; other
+ exceptions are passed through.
+
+ \item @{ML SUBGOAL}~@{text "(fn (subgoal, i) => tactic)"} is the
+ most basic form to produce a tactic with subgoal addressing. The
+ given abstraction over the subgoal term and subgoal number allows to
+ peek at the relevant information of the full goal state. The
+ subgoal range is checked as required above.
+
+ \item @{ML CSUBGOAL} is similar to @{ML SUBGOAL}, but passes the
+ subgoal as @{ML_type cterm} instead of raw @{ML_type term}. This
+ avoids expensive re-certification in situations where the subgoal is
+ used directly for primitive inferences.
+
+ \end{description}
+*}
+
+
+subsection {* Resolution and assumption tactics \label{sec:resolve-assume-tac} *}
+
+text {* \emph{Resolution} is the most basic mechanism for refining a
+ subgoal using a theorem as object-level rule.
+ \emph{Elim-resolution} is particularly suited for elimination rules:
+ it resolves with a rule, proves its first premise by assumption, and
+ finally deletes that assumption from any new subgoals.
+ \emph{Destruct-resolution} is like elim-resolution, but the given
+ destruction rules are first turned into canonical elimination
+ format. \emph{Forward-resolution} is like destruct-resolution, but
+ without deleting the selected assumption. The @{text "r/e/d/f"}
+ naming convention is maintained for several different kinds of
+ resolution rules and tactics.
+
+ Assumption tactics close a subgoal by unifying some of its premises
+ against its conclusion.
+
+ \medskip All the tactics in this section operate on a subgoal
+ designated by a positive integer. Other subgoals might be affected
+ indirectly, due to instantiation of schematic variables.
+
+ There are various sources of non-determinism, the tactic result
+ sequence enumerates all possibilities of the following choices (if
+ applicable):
+
+ \begin{enumerate}
+
+ \item selecting one of the rules given as argument to the tactic;
+
+ \item selecting a subgoal premise to eliminate, unifying it against
+ the first premise of the rule;
+
+ \item unifying the conclusion of the subgoal to the conclusion of
+ the rule.
+
+ \end{enumerate}
+
+ Recall that higher-order unification may produce multiple results
+ that are enumerated here.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML resolve_tac: "thm list -> int -> tactic"} \\
+ @{index_ML eresolve_tac: "thm list -> int -> tactic"} \\
+ @{index_ML dresolve_tac: "thm list -> int -> tactic"} \\
+ @{index_ML forward_tac: "thm list -> int -> tactic"} \\[1ex]
+ @{index_ML assume_tac: "int -> tactic"} \\
+ @{index_ML eq_assume_tac: "int -> tactic"} \\[1ex]
+ @{index_ML match_tac: "thm list -> int -> tactic"} \\
+ @{index_ML ematch_tac: "thm list -> int -> tactic"} \\
+ @{index_ML dmatch_tac: "thm list -> int -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML resolve_tac}~@{text "thms i"} refines the goal state
+ using the given theorems, which should normally be introduction
+ rules. The tactic resolves a rule's conclusion with subgoal @{text
+ i}, replacing it by the corresponding versions of the rule's
+ premises.
+
+ \item @{ML eresolve_tac}~@{text "thms i"} performs elim-resolution
+ with the given theorems, which are normally be elimination rules.
+
+ Note that @{ML "eresolve_tac [asm_rl]"} is equivalent to @{ML
+ assume_tac}, which facilitates mixing of assumption steps with
+ genuine eliminations.
+
+ \item @{ML dresolve_tac}~@{text "thms i"} performs
+ destruct-resolution with the given theorems, which should normally
+ be destruction rules. This replaces an assumption by the result of
+ applying one of the rules.
+
+ \item @{ML forward_tac} is like @{ML dresolve_tac} except that the
+ selected assumption is not deleted. It applies a rule to an
+ assumption, adding the result as a new assumption.
+
+ \item @{ML assume_tac}~@{text i} attempts to solve subgoal @{text i}
+ by assumption (modulo higher-order unification).
+
+ \item @{ML eq_assume_tac} is similar to @{ML assume_tac}, but checks
+ only for immediate @{text "\<alpha>"}-convertibility instead of using
+ unification. It succeeds (with a unique next state) if one of the
+ assumptions is equal to the subgoal's conclusion. Since it does not
+ instantiate variables, it cannot make other subgoals unprovable.
+
+ \item @{ML match_tac}, @{ML ematch_tac}, and @{ML dmatch_tac} are
+ similar to @{ML resolve_tac}, @{ML eresolve_tac}, and @{ML
+ dresolve_tac}, respectively, but do not instantiate schematic
+ variables in the goal state.
+
+ Flexible subgoals are not updated at will, but are left alone.
+ Strictly speaking, matching means to treat the unknowns in the goal
+ state as constants; these tactics merely discard unifiers that would
+ update the goal state.
+
+ \end{description}
+*}
+
+
+subsection {* Explicit instantiation within a subgoal context *}
+
+text {* The main resolution tactics (\secref{sec:resolve-assume-tac})
+ use higher-order unification, which works well in many practical
+ situations despite its daunting theoretical properties.
+ Nonetheless, there are important problem classes where unguided
+ higher-order unification is not so useful. This typically involves
+ rules like universal elimination, existential introduction, or
+ equational substitution. Here the unification problem involves
+ fully flexible @{text "?P ?x"} schemes, which are hard to manage
+ without further hints.
+
+ By providing a (small) rigid term for @{text "?x"} explicitly, the
+ remaining unification problem is to assign a (large) term to @{text
+ "?P"}, according to the shape of the given subgoal. This is
+ sufficiently well-behaved in most practical situations.
+
+ \medskip Isabelle provides separate versions of the standard @{text
+ "r/e/d/f"} resolution tactics that allow to provide explicit
+ instantiations of unknowns of the given rule, wrt.\ terms that refer
+ to the implicit context of the selected subgoal.
+
+ An instantiation consists of a list of pairs of the form @{text
+ "(?x, t)"}, where @{text ?x} is a schematic variable occurring in
+ the given rule, and @{text t} is a term from the current proof
+ context, augmented by the local goal parameters of the selected
+ subgoal; cf.\ the @{text "focus"} operation described in
+ \secref{sec:variables}.
+
+ Entering the syntactic context of a subgoal is a brittle operation,
+ because its exact form is somewhat accidental, and the choice of
+ bound variable names depends on the presence of other local and
+ global names. Explicit renaming of subgoal parameters prior to
+ explicit instantiation might help to achieve a bit more robustness.
+
+ Type instantiations may be given as well, via pairs like @{text
+ "(?'a, \<tau>)"}. Type instantiations are distinguished from term
+ instantiations by the syntactic form of the schematic variable.
+ Types are instantiated before terms are. Since term instantiation
+ already performs simple type-inference, so explicit type
+ instantiations are seldom necessary.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML res_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
+ @{index_ML eres_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
+ @{index_ML dres_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
+ @{index_ML forw_inst_tac: "Proof.context -> (indexname * string) list -> thm -> int -> tactic"} \\
+ @{index_ML subgoal_tac: "Proof.context -> string -> int -> tactic"} \\
+ @{index_ML thin_tac: "Proof.context -> string -> int -> tactic"} \\
+ @{index_ML rename_tac: "string list -> int -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML res_inst_tac}~@{text "ctxt insts thm i"} instantiates the
+ rule @{text thm} with the instantiations @{text insts}, as described
+ above, and then performs resolution on subgoal @{text i}.
+
+ \item @{ML eres_inst_tac} is like @{ML res_inst_tac}, but performs
+ elim-resolution.
+
+ \item @{ML dres_inst_tac} is like @{ML res_inst_tac}, but performs
+ destruct-resolution.
+
+ \item @{ML forw_inst_tac} is like @{ML dres_inst_tac} except that
+ the selected assumption is not deleted.
+
+ \item @{ML subgoal_tac}~@{text "ctxt \<phi> i"} adds the proposition
+ @{text "\<phi>"} as local premise to subgoal @{text "i"}, and poses the
+ same as a new subgoal @{text "i + 1"} (in the original context).
+
+ \item @{ML thin_tac}~@{text "ctxt \<phi> i"} deletes the specified
+ premise from subgoal @{text i}. Note that @{text \<phi>} may contain
+ schematic variables, to abbreviate the intended proposition; the
+ first matching subgoal premise will be deleted. Removing useless
+ premises from a subgoal increases its readability and can make
+ search tactics run faster.
+
+ \item @{ML rename_tac}~@{text "names i"} renames the innermost
+ parameters of subgoal @{text i} according to the provided @{text
+ names} (which need to be distinct indentifiers).
+
+ \end{description}
+
+ For historical reasons, the above instantiation tactics take
+ unparsed string arguments, which makes them hard to use in general
+ ML code. The slightly more advanced @{ML Subgoal.FOCUS} combinator
+ of \secref{sec:struct-goals} allows to refer to internal goal
+ structure with explicit context management.
+*}
+
+
+subsection {* Rearranging goal states *}
+
+text {* In rare situations there is a need to rearrange goal states:
+ either the overall collection of subgoals, or the local structure of
+ a subgoal. Various administrative tactics allow to operate on the
+ concrete presentation these conceptual sets of formulae. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML rotate_tac: "int -> int -> tactic"} \\
+ @{index_ML distinct_subgoals_tac: tactic} \\
+ @{index_ML flexflex_tac: tactic} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML rotate_tac}~@{text "n i"} rotates the premises of subgoal
+ @{text i} by @{text n} positions: from right to left if @{text n} is
+ positive, and from left to right if @{text n} is negative.
+
+ \item @{ML distinct_subgoals_tac} removes duplicate subgoals from a
+ proof state. This is potentially inefficient.
+
+ \item @{ML flexflex_tac} removes all flex-flex pairs from the proof
+ state by applying the trivial unifier. This drastic step loses
+ information. It is already part of the Isar infrastructure for
+ facts resulting from goals, and rarely needs to be invoked manually.
+
+ Flex-flex constraints arise from difficult cases of higher-order
+ unification. To prevent this, use @{ML res_inst_tac} to instantiate
+ some variables in a rule. Normally flex-flex constraints can be
+ ignored; they often disappear as unknowns get instantiated.
+
+ \end{description}
+*}
+
+section {* Tacticals \label{sec:tacticals} *}
+
+text {* A \emph{tactical} is a functional combinator for building up
+ complex tactics from simpler ones. Common tacticals perform
+ sequential composition, disjunctive choice, iteration, or goal
+ addressing. Various search strategies may be expressed via
+ tacticals.
+*}
+
+
+subsection {* Combining tactics *}
+
+text {* Sequential composition and alternative choices are the most
+ basic ways to combine tactics, similarly to ``@{verbatim ","}'' and
+ ``@{verbatim "|"}'' in Isar method notation. This corresponds to
+ @{ML_op "THEN"} and @{ML_op "ORELSE"} in ML, but there are further
+ possibilities for fine-tuning alternation of tactics such as @{ML_op
+ "APPEND"}. Further details become visible in ML due to explicit
+ subgoal addressing.
+*}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML_op "THEN": "tactic * tactic -> tactic"} \\
+ @{index_ML_op "ORELSE": "tactic * tactic -> tactic"} \\
+ @{index_ML_op "APPEND": "tactic * tactic -> tactic"} \\
+ @{index_ML "EVERY": "tactic list -> tactic"} \\
+ @{index_ML "FIRST": "tactic list -> tactic"} \\[0.5ex]
+
+ @{index_ML_op "THEN'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
+ @{index_ML_op "ORELSE'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
+ @{index_ML_op "APPEND'": "('a -> tactic) * ('a -> tactic) -> 'a -> tactic"} \\
+ @{index_ML "EVERY'": "('a -> tactic) list -> 'a -> tactic"} \\
+ @{index_ML "FIRST'": "('a -> tactic) list -> 'a -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{text "tac\<^sub>1"}~@{ML_op THEN}~@{text "tac\<^sub>2"} is the sequential
+ composition of @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Applied to a goal
+ state, it returns all states reachable in two steps by applying
+ @{text "tac\<^sub>1"} followed by @{text "tac\<^sub>2"}. First, it applies @{text
+ "tac\<^sub>1"} to the goal state, getting a sequence of possible next
+ states; then, it applies @{text "tac\<^sub>2"} to each of these and
+ concatenates the results to produce again one flat sequence of
+ states.
+
+ \item @{text "tac\<^sub>1"}~@{ML_op ORELSE}~@{text "tac\<^sub>2"} makes a choice
+ between @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Applied to a state, it
+ tries @{text "tac\<^sub>1"} and returns the result if non-empty; if @{text
+ "tac\<^sub>1"} fails then it uses @{text "tac\<^sub>2"}. This is a deterministic
+ choice: if @{text "tac\<^sub>1"} succeeds then @{text "tac\<^sub>2"} is excluded
+ from the result.
+
+ \item @{text "tac\<^sub>1"}~@{ML_op APPEND}~@{text "tac\<^sub>2"} concatenates the
+ possible results of @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"}. Unlike
+ @{ML_op "ORELSE"} there is \emph{no commitment} to either tactic, so
+ @{ML_op "APPEND"} helps to avoid incompleteness during search, at
+ the cost of potential inefficiencies.
+
+ \item @{ML EVERY}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>n]"} abbreviates @{text
+ "tac\<^sub>1"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op THEN}~@{text "tac\<^sub>n"}.
+ Note that @{ML "EVERY []"} is the same as @{ML all_tac}: it always
+ succeeds.
+
+ \item @{ML FIRST}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>n]"} abbreviates @{text
+ "tac\<^sub>1"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op "ORELSE"}~@{text
+ "tac\<^sub>n"}. Note that @{ML "FIRST []"} is the same as @{ML no_tac}: it
+ always fails.
+
+ \item @{ML_op "THEN'"} is the lifted version of @{ML_op "THEN"}, for
+ tactics with explicit subgoal addressing. So @{text
+ "(tac\<^sub>1"}~@{ML_op THEN'}~@{text "tac\<^sub>2) i"} is the same as @{text
+ "(tac\<^sub>1 i"}~@{ML_op THEN}~@{text "tac\<^sub>2 i)"}.
+
+ The other primed tacticals work analogously.
+
+ \end{description}
+*}
+
+
+subsection {* Repetition tacticals *}
+
+text {* These tacticals provide further control over repetition of
+ tactics, beyond the stylized forms of ``@{verbatim "?"}'' and
+ ``@{verbatim "+"}'' in Isar method expressions. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML "TRY": "tactic -> tactic"} \\
+ @{index_ML "REPEAT": "tactic -> tactic"} \\
+ @{index_ML "REPEAT1": "tactic -> tactic"} \\
+ @{index_ML "REPEAT_DETERM": "tactic -> tactic"} \\
+ @{index_ML "REPEAT_DETERM_N": "int -> tactic -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML TRY}~@{text "tac"} applies @{text "tac"} to the goal
+ state and returns the resulting sequence, if non-empty; otherwise it
+ returns the original state. Thus, it applies @{text "tac"} at most
+ once.
+
+ Note that for tactics with subgoal addressing, the combinator can be
+ applied via functional composition: @{ML "TRY"}~@{ML_op o}~@{text
+ "tac"}. There is no need for @{verbatim TRY'}.
+
+ \item @{ML REPEAT}~@{text "tac"} applies @{text "tac"} to the goal
+ state and, recursively, to each element of the resulting sequence.
+ The resulting sequence consists of those states that make @{text
+ "tac"} fail. Thus, it applies @{text "tac"} as many times as
+ possible (including zero times), and allows backtracking over each
+ invocation of @{text "tac"}. @{ML REPEAT} is more general than @{ML
+ REPEAT_DETERM}, but requires more space.
+
+ \item @{ML REPEAT1}~@{text "tac"} is like @{ML REPEAT}~@{text "tac"}
+ but it always applies @{text "tac"} at least once, failing if this
+ is impossible.
+
+ \item @{ML REPEAT_DETERM}~@{text "tac"} applies @{text "tac"} to the
+ goal state and, recursively, to the head of the resulting sequence.
+ It returns the first state to make @{text "tac"} fail. It is
+ deterministic, discarding alternative outcomes.
+
+ \item @{ML REPEAT_DETERM_N}~@{text "n tac"} is like @{ML
+ REPEAT_DETERM}~@{text "tac"} but the number of repetitions is bound
+ by @{text "n"} (where @{ML "~1"} means @{text "\<infinity>"}).
+
+ \end{description}
+*}
+
+text %mlex {* The basic tactics and tacticals considered above follow
+ some algebraic laws:
+
+ \begin{itemize}
+
+ \item @{ML all_tac} is the identity element of the tactical @{ML_op
+ "THEN"}.
+
+ \item @{ML no_tac} is the identity element of @{ML_op "ORELSE"} and
+ @{ML_op "APPEND"}. Also, it is a zero element for @{ML_op "THEN"},
+ which means that @{text "tac"}~@{ML_op THEN}~@{ML no_tac} is
+ equivalent to @{ML no_tac}.
+
+ \item @{ML TRY} and @{ML REPEAT} can be expressed as (recursive)
+ functions over more basic combinators (ignoring some internal
+ implementation tricks):
+
+ \end{itemize}
+*}
+
+ML {*
+ fun TRY tac = tac ORELSE all_tac;
+ fun REPEAT tac st = ((tac THEN REPEAT tac) ORELSE all_tac) st;
+*}
+
+text {* If @{text "tac"} can return multiple outcomes then so can @{ML
+ REPEAT}~@{text "tac"}. @{ML REPEAT} uses @{ML_op "ORELSE"} and not
+ @{ML_op "APPEND"}, it applies @{text "tac"} as many times as
+ possible in each outcome.
+
+ \begin{warn}
+ Note the explicit abstraction over the goal state in the ML
+ definition of @{ML REPEAT}. Recursive tacticals must be coded in
+ this awkward fashion to avoid infinite recursion of eager functional
+ evaluation in Standard ML. The following attempt would make @{ML
+ REPEAT}~@{text "tac"} loop:
+ \end{warn}
+*}
+
+ML {*
+ (*BAD -- does not terminate!*)
+ fun REPEAT tac = (tac THEN REPEAT tac) ORELSE all_tac;
+*}
+
+
+subsection {* Applying tactics to subgoal ranges *}
+
+text {* Tactics with explicit subgoal addressing
+ @{ML_type "int -> tactic"} can be used together with tacticals that
+ act like ``subgoal quantifiers'': guided by success of the body
+ tactic a certain range of subgoals is covered. Thus the body tactic
+ is applied to \emph{all} subgoals, \emph{some} subgoal etc.
+
+ Suppose that the goal state has @{text "n \<ge> 0"} subgoals. Many of
+ these tacticals address subgoal ranges counting downwards from
+ @{text "n"} towards @{text "1"}. This has the fortunate effect that
+ newly emerging subgoals are concatenated in the result, without
+ interfering each other. Nonetheless, there might be situations
+ where a different order is desired. *}
+
+text %mlref {*
+ \begin{mldecls}
+ @{index_ML ALLGOALS: "(int -> tactic) -> tactic"} \\
+ @{index_ML SOMEGOAL: "(int -> tactic) -> tactic"} \\
+ @{index_ML FIRSTGOAL: "(int -> tactic) -> tactic"} \\
+ @{index_ML HEADGOAL: "(int -> tactic) -> tactic"} \\
+ @{index_ML REPEAT_SOME: "(int -> tactic) -> tactic"} \\
+ @{index_ML REPEAT_FIRST: "(int -> tactic) -> tactic"} \\
+ @{index_ML RANGE: "(int -> tactic) list -> int -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML ALLGOALS}~@{text "tac"} is equivalent to @{text "tac
+ n"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op THEN}~@{text "tac 1"}. It
+ applies the @{text tac} to all the subgoals, counting downwards.
+
+ \item @{ML SOMEGOAL}~@{text "tac"} is equivalent to @{text "tac
+ n"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op ORELSE}~@{text "tac 1"}. It
+ applies @{text "tac"} to one subgoal, counting downwards.
+
+ \item @{ML FIRSTGOAL}~@{text "tac"} is equivalent to @{text "tac
+ 1"}~@{ML_op ORELSE}~@{text "\<dots>"}~@{ML_op ORELSE}~@{text "tac n"}. It
+ applies @{text "tac"} to one subgoal, counting upwards.
+
+ \item @{ML HEADGOAL}~@{text "tac"} is equivalent to @{text "tac 1"}.
+ It applies @{text "tac"} unconditionally to the first subgoal.
+
+ \item @{ML REPEAT_SOME}~@{text "tac"} applies @{text "tac"} once or
+ more to a subgoal, counting downwards.
+
+ \item @{ML REPEAT_FIRST}~@{text "tac"} applies @{text "tac"} once or
+ more to a subgoal, counting upwards.
+
+ \item @{ML RANGE}~@{text "[tac\<^sub>1, \<dots>, tac\<^sub>k] i"} is equivalent to
+ @{text "tac\<^sub>k (i + k - 1)"}~@{ML_op THEN}~@{text "\<dots>"}~@{ML_op
+ THEN}~@{text "tac\<^sub>1 i"}. It applies the given list of tactics to the
+ corresponding range of subgoals, counting downwards.
+
+ \end{description}
+*}
+
+
+subsection {* Control and search tacticals *}
+
+text {* A predicate on theorems @{ML_type "thm -> bool"} can test
+ whether a goal state enjoys some desirable property --- such as
+ having no subgoals. Tactics that search for satisfactory goal
+ states are easy to express. The main search procedures,
+ depth-first, breadth-first and best-first, are provided as
+ tacticals. They generate the search tree by repeatedly applying a
+ given tactic. *}
+
+
+text %mlref ""
+
+subsubsection {* Filtering a tactic's results *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML FILTER: "(thm -> bool) -> tactic -> tactic"} \\
+ @{index_ML CHANGED: "tactic -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML FILTER}~@{text "sat tac"} applies @{text "tac"} to the
+ goal state and returns a sequence consisting of those result goal
+ states that are satisfactory in the sense of @{text "sat"}.
+
+ \item @{ML CHANGED}~@{text "tac"} applies @{text "tac"} to the goal
+ state and returns precisely those states that differ from the
+ original state (according to @{ML Thm.eq_thm}). Thus @{ML
+ CHANGED}~@{text "tac"} always has some effect on the state.
+
+ \end{description}
+*}
+
+
+subsubsection {* Depth-first search *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML DEPTH_FIRST: "(thm -> bool) -> tactic -> tactic"} \\
+ @{index_ML DEPTH_SOLVE: "tactic -> tactic"} \\
+ @{index_ML DEPTH_SOLVE_1: "tactic -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML DEPTH_FIRST}~@{text "sat tac"} returns the goal state if
+ @{text "sat"} returns true. Otherwise it applies @{text "tac"},
+ then recursively searches from each element of the resulting
+ sequence. The code uses a stack for efficiency, in effect applying
+ @{text "tac"}~@{ML_op THEN}~@{ML DEPTH_FIRST}~@{text "sat tac"} to
+ the state.
+
+ \item @{ML DEPTH_SOLVE}@{text "tac"} uses @{ML DEPTH_FIRST} to
+ search for states having no subgoals.
+
+ \item @{ML DEPTH_SOLVE_1}~@{text "tac"} uses @{ML DEPTH_FIRST} to
+ search for states having fewer subgoals than the given state. Thus,
+ it insists upon solving at least one subgoal.
+
+ \end{description}
+*}
+
+
+subsubsection {* Other search strategies *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML BREADTH_FIRST: "(thm -> bool) -> tactic -> tactic"} \\
+ @{index_ML BEST_FIRST: "(thm -> bool) * (thm -> int) -> tactic -> tactic"} \\
+ @{index_ML THEN_BEST_FIRST: "tactic -> (thm -> bool) * (thm -> int) -> tactic -> tactic"} \\
+ \end{mldecls}
+
+ These search strategies will find a solution if one exists.
+ However, they do not enumerate all solutions; they terminate after
+ the first satisfactory result from @{text "tac"}.
+
+ \begin{description}
+
+ \item @{ML BREADTH_FIRST}~@{text "sat tac"} uses breadth-first
+ search to find states for which @{text "sat"} is true. For most
+ applications, it is too slow.
+
+ \item @{ML BEST_FIRST}~@{text "(sat, dist) tac"} does a heuristic
+ search, using @{text "dist"} to estimate the distance from a
+ satisfactory state (in the sense of @{text "sat"}). It maintains a
+ list of states ordered by distance. It applies @{text "tac"} to the
+ head of this list; if the result contains any satisfactory states,
+ then it returns them. Otherwise, @{ML BEST_FIRST} adds the new
+ states to the list, and continues.
+
+ The distance function is typically @{ML size_of_thm}, which computes
+ the size of the state. The smaller the state, the fewer and simpler
+ subgoals it has.
+
+ \item @{ML THEN_BEST_FIRST}~@{text "tac\<^sub>0 (sat, dist) tac"} is like
+ @{ML BEST_FIRST}, except that the priority queue initially contains
+ the result of applying @{text "tac\<^sub>0"} to the goal state. This
+ tactical permits separate tactics for starting the search and
+ continuing the search.
+
+ \end{description}
+*}
+
+
+subsubsection {* Auxiliary tacticals for searching *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML COND: "(thm -> bool) -> tactic -> tactic -> tactic"} \\
+ @{index_ML IF_UNSOLVED: "tactic -> tactic"} \\
+ @{index_ML SOLVE: "tactic -> tactic"} \\
+ @{index_ML DETERM: "tactic -> tactic"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML COND}~@{text "sat tac\<^sub>1 tac\<^sub>2"} applies @{text "tac\<^sub>1"} to
+ the goal state if it satisfies predicate @{text "sat"}, and applies
+ @{text "tac\<^sub>2"}. It is a conditional tactical in that only one of
+ @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"} is applied to a goal state.
+ However, both @{text "tac\<^sub>1"} and @{text "tac\<^sub>2"} are evaluated
+ because ML uses eager evaluation.
+
+ \item @{ML IF_UNSOLVED}~@{text "tac"} applies @{text "tac"} to the
+ goal state if it has any subgoals, and simply returns the goal state
+ otherwise. Many common tactics, such as @{ML resolve_tac}, fail if
+ applied to a goal state that has no subgoals.
+
+ \item @{ML SOLVE}~@{text "tac"} applies @{text "tac"} to the goal
+ state and then fails iff there are subgoals left.
+
+ \item @{ML DETERM}~@{text "tac"} applies @{text "tac"} to the goal
+ state and returns the head of the resulting sequence. @{ML DETERM}
+ limits the search space by making its argument deterministic.
+
+ \end{description}
+*}
+
+
+subsubsection {* Predicates and functions useful for searching *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML has_fewer_prems: "int -> thm -> bool"} \\
+ @{index_ML Thm.eq_thm: "thm * thm -> bool"} \\
+ @{index_ML Thm.eq_thm_prop: "thm * thm -> bool"} \\
+ @{index_ML size_of_thm: "thm -> int"} \\
+ \end{mldecls}
+
+ \begin{description}
+
+ \item @{ML has_fewer_prems}~@{text "n thm"} reports whether @{text
+ "thm"} has fewer than @{text "n"} premises.
+
+ \item @{ML Thm.eq_thm}~@{text "(thm\<^sub>1, thm\<^sub>2)"} reports whether @{text
+ "thm\<^sub>1"} and @{text "thm\<^sub>2"} are equal. Both theorems must have
+ compatible background theories. Both theorems must have the same
+ conclusions, the same set of hypotheses, and the same set of sort
+ hypotheses. Names of bound variables are ignored as usual.
+
+ \item @{ML Thm.eq_thm_prop}~@{text "(thm\<^sub>1, thm\<^sub>2)"} reports whether
+ the propositions of @{text "thm\<^sub>1"} and @{text "thm\<^sub>2"} are equal.
+ Names of bound variables are ignored.
+
+ \item @{ML size_of_thm}~@{text "thm"} computes the size of @{text
+ "thm"}, namely the number of variables, constants and abstractions
+ in its conclusion. It may serve as a distance function for
+ @{ML BEST_FIRST}.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_isar.pdf Isar
+"$ISABELLE_TOOL" logo -o isabelle_isar.eps Isar
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/underscore.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,110 @@
+\documentclass[12pt,a4paper,fleqn]{report}
+\usepackage{latexsym,graphicx}
+\usepackage[refpage]{nomencl}
+\usepackage{iman,extra,isar,proof}
+\usepackage[nohyphen,strings]{underscore}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage{railsetup}
+\usepackage{ttbox}
+\usepackage{style}
+\usepackage{pdfsetup}
+
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+
+\isadroptag{theory}
+\title{\includegraphics[scale=0.5]{isabelle_isar}
+ \\[4ex] The Isabelle/Isar Implementation}
+\author{\emph{Makarius Wenzel} \\[3ex]
+ With Contributions by
+ Florian Haftmann
+ and Larry Paulson
+}
+
+\makeindex
+
+
+\begin{document}
+
+\maketitle
+
+\begin{abstract}
+ We describe the key concepts underlying the Isabelle/Isar
+ implementation, including ML references for the most important
+ functions. The aim is to give some insight into the overall system
+ architecture, and provide clues on implementing applications within
+ this framework.
+\end{abstract}
+
+\vspace*{2.5cm}
+\begin{quote}
+
+ {\small\em Isabelle was not designed; it evolved. Not everyone
+ likes this idea. Specification experts rightly abhor
+ trial-and-error programming. They suggest that no one should
+ write a program without first writing a complete formal
+ specification. But university departments are not software houses.
+ Programs like Isabelle are not products: when they have served
+ their purpose, they are discarded.}
+
+ Lawrence C. Paulson, ``Isabelle: The Next 700 Theorem Provers''
+
+ \vspace*{1cm}
+
+ {\small\em As I did 20 years ago, I still fervently believe that the
+ only way to make software secure, reliable, and fast is to make it
+ small. Fight features.}
+
+ Andrew S. Tanenbaum
+
+ \vspace*{1cm}
+
+ {\small\em One thing that UNIX does not need is more features. It is
+ successful in part because it has a small number of good ideas
+ that work well together. Merely adding features does not make it
+ easier for users to do things --- it just makes the manual
+ thicker. The right solution in the right place is always more
+ effective than haphazard hacking.}
+
+ Rob Pike and Brian W. Kernighan
+
+\end{quote}
+
+\thispagestyle{empty}\clearpage
+
+\pagenumbering{roman}
+\tableofcontents
+\listoffigures
+\clearfirst
+
+\setcounter{chapter}{-1}
+
+\input{ML.tex}
+\input{Prelim.tex}
+\input{Logic.tex}
+\input{Syntax.tex}
+\input{Tactic.tex}
+\input{Eq.tex}
+\input{Proof.tex}
+\input{Isar.tex}
+\input{Local_Theory.tex}
+\input{Integration.tex}
+
+\begingroup
+\tocentry{\bibname}
+\bibliographystyle{abbrv} \small\raggedright\frenchspacing
+\bibliography{manual}
+\endgroup
+
+\tocentry{\indexname}
+\printindex
+
+\end{document}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarImplementation/document/style.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,71 @@
+%% toc
+\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
+\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
+
+%% references
+\newcommand{\secref}[1]{\S\ref{#1}}
+\newcommand{\chref}[1]{chapter~\ref{#1}}
+\newcommand{\figref}[1]{figure~\ref{#1}}
+
+%% math
+\newcommand{\text}[1]{\mbox{#1}}
+\newcommand{\isasymvartheta}{\isamath{\theta}}
+\newcommand{\isactrlvec}[1]{\emph{$\vec{#1}$}}
+\newcommand{\isactrlBG}{\isacharbackquoteopen}
+\newcommand{\isactrlEN}{\isacharbackquoteclose}
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+\pagestyle{headings}
+\sloppy
+\binperiod
+
+\parindent 0pt\parskip 0.5ex
+
+\renewcommand{\isadigit}[1]{\isamath{#1}}
+
+\renewcommand{\isaantiqopen}{\isasymlbrace}
+\renewcommand{\isaantiqclose}{\isasymrbrace}
+
+\newenvironment{mldecls}{\par\noindent\begingroup\footnotesize\def\isanewline{\\}\begin{tabular}{l}}{\end{tabular}\smallskip\endgroup}
+
+\isafoldtag{FIXME}
+
+\isakeeptag{mlref}
+\renewcommand{\isatagmlref}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Reference}}
+\renewcommand{\endisatagmlref}{}
+
+\isakeeptag{mlantiq}
+\renewcommand{\isatagmlantiq}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Antiquotations}}
+\renewcommand{\endisatagmlantiq}{}
+
+\isakeeptag{mlex}
+\renewcommand{\isatagmlex}{\subsection*{\makebox[0pt][r]{\fbox{ML}~~}Examples}}
+\renewcommand{\endisatagmlex}{}
+
+\renewcommand{\isatagML}{\begingroup\isabellestyle{default}\isastyle\def\isadigit##1{##1}}
+\renewcommand{\endisatagML}{\endgroup}
+
+\newcommand{\minorcmd}[1]{{\sf #1}}
+\newcommand{\isasymtype}{\minorcmd{type}}
+\newcommand{\isasymval}{\minorcmd{val}}
+
+\newcommand{\isasymFIX}{\isakeyword{fix}}
+\newcommand{\isasymASSUME}{\isakeyword{assume}}
+\newcommand{\isasymDEFINE}{\isakeyword{define}}
+\newcommand{\isasymNOTE}{\isakeyword{note}}
+\newcommand{\isasymGUESS}{\isakeyword{guess}}
+\newcommand{\isasymOBTAIN}{\isakeyword{obtain}}
+\newcommand{\isasymTHEORY}{\isakeyword{theory}}
+\newcommand{\isasymUSES}{\isakeyword{uses}}
+\newcommand{\isasymEND}{\isakeyword{end}}
+\newcommand{\isasymCONSTS}{\isakeyword{consts}}
+\newcommand{\isasymDEFS}{\isakeyword{defs}}
+\newcommand{\isasymTHEOREM}{\isakeyword{theorem}}
+\newcommand{\isasymDEFINITION}{\isakeyword{definition}}
+
+\isabellestyle{literal}
+
+\railtermfont{\isabellestyle{tt}}
+\railnontermfont{\isabellestyle{itunderscore}}
+\railnamefont{\isabellestyle{itunderscore}}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Base.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+theory Base
+imports Pure
+begin
+
+ML_file "../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Document_Preparation.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,611 @@
+theory Document_Preparation
+imports Base Main
+begin
+
+chapter {* Document preparation \label{ch:document-prep} *}
+
+text {* Isabelle/Isar provides a simple document preparation system
+ based on regular {PDF-\LaTeX} technology, with full support for
+ hyper-links and bookmarks. Thus the results are well suited for WWW
+ browsing and as printed copies.
+
+ \medskip Isabelle generates {\LaTeX} output while running a
+ \emph{logic session} (see also \cite{isabelle-sys}). Getting
+ started with a working configuration for common situations is quite
+ easy by using the Isabelle @{verbatim mkdir} and @{verbatim make}
+ tools. First invoke
+\begin{ttbox}
+ isabelle mkdir Foo
+\end{ttbox}
+ to initialize a separate directory for session @{verbatim Foo} (it
+ is safe to experiment, since @{verbatim "isabelle mkdir"} never
+ overwrites existing files). Ensure that @{verbatim "Foo/ROOT.ML"}
+ holds ML commands to load all theories required for this session;
+ furthermore @{verbatim "Foo/document/root.tex"} should include any
+ special {\LaTeX} macro packages required for your document (the
+ default is usually sufficient as a start).
+
+ The session is controlled by a separate @{verbatim IsaMakefile}
+ (with crude source dependencies by default). This file is located
+ one level up from the @{verbatim Foo} directory location. Now
+ invoke
+\begin{ttbox}
+ isabelle make Foo
+\end{ttbox}
+ to run the @{verbatim Foo} session, with browser information and
+ document preparation enabled. Unless any errors are reported by
+ Isabelle or {\LaTeX}, the output will appear inside the directory
+ defined by the @{verbatim ISABELLE_BROWSER_INFO} setting (as
+ reported by the batch job in verbose mode).
+
+ \medskip You may also consider to tune the @{verbatim usedir}
+ options in @{verbatim IsaMakefile}, for example to switch the output
+ format between @{verbatim pdf} and @{verbatim dvi}, or activate the
+ @{verbatim "-D"} option to retain a second copy of the generated
+ {\LaTeX} sources (for manual inspection or separate runs of
+ @{executable latex}).
+
+ \medskip See \emph{The Isabelle System Manual} \cite{isabelle-sys}
+ for further details on Isabelle logic sessions and theory
+ presentation. The Isabelle/HOL tutorial \cite{isabelle-hol-book}
+ also covers theory presentation to some extent.
+*}
+
+
+section {* Markup commands \label{sec:markup} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "header"} & : & @{text "toplevel \<rightarrow> toplevel"} \\[0.5ex]
+ @{command_def "chapter"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "section"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "subsection"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "subsubsection"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "text"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "text_raw"} & : & @{text "local_theory \<rightarrow> local_theory"} \\[0.5ex]
+ @{command_def "sect"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "subsect"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "subsubsect"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "txt"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "txt_raw"} & : & @{text "proof \<rightarrow> proof"} \\
+ \end{matharray}
+
+ Markup commands provide a structured way to insert text into the
+ document generated from a theory. Each markup command takes a
+ single @{syntax text} argument, which is passed as argument to a
+ corresponding {\LaTeX} macro. The default macros provided by
+ @{file "~~/lib/texinputs/isabelle.sty"} can be redefined according
+ to the needs of the underlying document and {\LaTeX} styles.
+
+ Note that formal comments (\secref{sec:comments}) are similar to
+ markup commands, but have a different status within Isabelle/Isar
+ syntax.
+
+ @{rail "
+ (@@{command chapter} | @@{command section} | @@{command subsection} |
+ @@{command subsubsection} | @@{command text}) @{syntax target}? @{syntax text}
+ ;
+ (@@{command header} | @@{command text_raw} | @@{command sect} | @@{command subsect} |
+ @@{command subsubsect} | @@{command txt} | @@{command txt_raw}) @{syntax text}
+ "}
+
+ \begin{description}
+
+ \item @{command header} provides plain text markup just preceding
+ the formal beginning of a theory. The corresponding {\LaTeX} macro
+ is @{verbatim "\\isamarkupheader"}, which acts like @{command
+ section} by default.
+
+ \item @{command chapter}, @{command section}, @{command subsection},
+ and @{command subsubsection} mark chapter and section headings
+ within the main theory body or local theory targets. The
+ corresponding {\LaTeX} macros are @{verbatim "\\isamarkupchapter"},
+ @{verbatim "\\isamarkupsection"}, @{verbatim
+ "\\isamarkupsubsection"} etc.
+
+ \item @{command sect}, @{command subsect}, and @{command subsubsect}
+ mark section headings within proofs. The corresponding {\LaTeX}
+ macros are @{verbatim "\\isamarkupsect"}, @{verbatim
+ "\\isamarkupsubsect"} etc.
+
+ \item @{command text} and @{command txt} specify paragraphs of plain
+ text. This corresponds to a {\LaTeX} environment @{verbatim
+ "\\begin{isamarkuptext}"} @{text "\<dots>"} @{verbatim
+ "\\end{isamarkuptext}"} etc.
+
+ \item @{command text_raw} and @{command txt_raw} insert {\LaTeX}
+ source into the output, without additional markup. Thus the full
+ range of document manipulations becomes available, at the risk of
+ messing up document output.
+
+ \end{description}
+
+ Except for @{command "text_raw"} and @{command "txt_raw"}, the text
+ passed to any of the above markup commands may refer to formal
+ entities via \emph{document antiquotations}, see also
+ \secref{sec:antiq}. These are interpreted in the present theory or
+ proof context, or the named @{text "target"}.
+
+ \medskip The proof markup commands closely resemble those for theory
+ specifications, but have a different formal status and produce
+ different {\LaTeX} macros. The default definitions coincide for
+ analogous commands such as @{command section} and @{command sect}.
+*}
+
+
+section {* Document Antiquotations \label{sec:antiq} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{antiquotation_def "theory"} & : & @{text antiquotation} \\
+ @{antiquotation_def "thm"} & : & @{text antiquotation} \\
+ @{antiquotation_def "lemma"} & : & @{text antiquotation} \\
+ @{antiquotation_def "prop"} & : & @{text antiquotation} \\
+ @{antiquotation_def "term"} & : & @{text antiquotation} \\
+ @{antiquotation_def term_type} & : & @{text antiquotation} \\
+ @{antiquotation_def typeof} & : & @{text antiquotation} \\
+ @{antiquotation_def const} & : & @{text antiquotation} \\
+ @{antiquotation_def abbrev} & : & @{text antiquotation} \\
+ @{antiquotation_def typ} & : & @{text antiquotation} \\
+ @{antiquotation_def type} & : & @{text antiquotation} \\
+ @{antiquotation_def class} & : & @{text antiquotation} \\
+ @{antiquotation_def "text"} & : & @{text antiquotation} \\
+ @{antiquotation_def goals} & : & @{text antiquotation} \\
+ @{antiquotation_def subgoals} & : & @{text antiquotation} \\
+ @{antiquotation_def prf} & : & @{text antiquotation} \\
+ @{antiquotation_def full_prf} & : & @{text antiquotation} \\
+ @{antiquotation_def ML} & : & @{text antiquotation} \\
+ @{antiquotation_def ML_op} & : & @{text antiquotation} \\
+ @{antiquotation_def ML_type} & : & @{text antiquotation} \\
+ @{antiquotation_def ML_struct} & : & @{text antiquotation} \\
+ @{antiquotation_def "file"} & : & @{text antiquotation} \\
+ \end{matharray}
+
+ The overall content of an Isabelle/Isar theory may alternate between
+ formal and informal text. The main body consists of formal
+ specification and proof commands, interspersed with markup commands
+ (\secref{sec:markup}) or document comments (\secref{sec:comments}).
+ The argument of markup commands quotes informal text to be printed
+ in the resulting document, but may again refer to formal entities
+ via \emph{document antiquotations}.
+
+ For example, embedding of ``@{text [source=false] "@{term [show_types] \"f x = a + x\"}"}''
+ within a text block makes
+ \isa{{\isacharparenleft}f{\isasymColon}{\isacharprime}a\ {\isasymRightarrow}\ {\isacharprime}a{\isacharparenright}\ {\isacharparenleft}x{\isasymColon}{\isacharprime}a{\isacharparenright}\ {\isacharequal}\ {\isacharparenleft}a{\isasymColon}{\isacharprime}a{\isacharparenright}\ {\isacharplus}\ x} appear in the final {\LaTeX} document.
+
+ Antiquotations usually spare the author tedious typing of logical
+ entities in full detail. Even more importantly, some degree of
+ consistency-checking between the main body of formal text and its
+ informal explanation is achieved, since terms and types appearing in
+ antiquotations are checked within the current theory or proof
+ context.
+
+ %% FIXME less monolithic presentation, move to individual sections!?
+ @{rail "
+ '@{' antiquotation '}'
+ ;
+ @{syntax_def antiquotation}:
+ @@{antiquotation theory} options @{syntax name} |
+ @@{antiquotation thm} options styles @{syntax thmrefs} |
+ @@{antiquotation lemma} options @{syntax prop} @'by' @{syntax method} @{syntax method}? |
+ @@{antiquotation prop} options styles @{syntax prop} |
+ @@{antiquotation term} options styles @{syntax term} |
+ @@{antiquotation (HOL) value} options styles @{syntax term} |
+ @@{antiquotation term_type} options styles @{syntax term} |
+ @@{antiquotation typeof} options styles @{syntax term} |
+ @@{antiquotation const} options @{syntax term} |
+ @@{antiquotation abbrev} options @{syntax term} |
+ @@{antiquotation typ} options @{syntax type} |
+ @@{antiquotation type} options @{syntax name} |
+ @@{antiquotation class} options @{syntax name} |
+ @@{antiquotation text} options @{syntax name}
+ ;
+ @{syntax antiquotation}:
+ @@{antiquotation goals} options |
+ @@{antiquotation subgoals} options |
+ @@{antiquotation prf} options @{syntax thmrefs} |
+ @@{antiquotation full_prf} options @{syntax thmrefs} |
+ @@{antiquotation ML} options @{syntax name} |
+ @@{antiquotation ML_op} options @{syntax name} |
+ @@{antiquotation ML_type} options @{syntax name} |
+ @@{antiquotation ML_struct} options @{syntax name} |
+ @@{antiquotation \"file\"} options @{syntax name}
+ ;
+ options: '[' (option * ',') ']'
+ ;
+ option: @{syntax name} | @{syntax name} '=' @{syntax name}
+ ;
+ styles: '(' (style + ',') ')'
+ ;
+ style: (@{syntax name} +)
+ "}
+
+ Note that the syntax of antiquotations may \emph{not} include source
+ comments @{verbatim "(*"}~@{text "\<dots>"}~@{verbatim "*)"} nor verbatim
+ text @{verbatim "{"}@{verbatim "*"}~@{text "\<dots>"}~@{verbatim
+ "*"}@{verbatim "}"}.
+
+ \begin{description}
+
+ \item @{text "@{theory A}"} prints the name @{text "A"}, which is
+ guaranteed to refer to a valid ancestor theory in the current
+ context.
+
+ \item @{text "@{thm a\<^sub>1 \<dots> a\<^sub>n}"} prints theorems @{text "a\<^sub>1 \<dots> a\<^sub>n"}.
+ Full fact expressions are allowed here, including attributes
+ (\secref{sec:syn-att}).
+
+ \item @{text "@{prop \<phi>}"} prints a well-typed proposition @{text
+ "\<phi>"}.
+
+ \item @{text "@{lemma \<phi> by m}"} proves a well-typed proposition
+ @{text "\<phi>"} by method @{text m} and prints the original @{text "\<phi>"}.
+
+ \item @{text "@{term t}"} prints a well-typed term @{text "t"}.
+
+ \item @{text "@{value t}"} evaluates a term @{text "t"} and prints
+ its result, see also @{command_ref (HOL) value}.
+
+ \item @{text "@{term_type t}"} prints a well-typed term @{text "t"}
+ annotated with its type.
+
+ \item @{text "@{typeof t}"} prints the type of a well-typed term
+ @{text "t"}.
+
+ \item @{text "@{const c}"} prints a logical or syntactic constant
+ @{text "c"}.
+
+ \item @{text "@{abbrev c x\<^sub>1 \<dots> x\<^sub>n}"} prints a constant abbreviation
+ @{text "c x\<^sub>1 \<dots> x\<^sub>n \<equiv> rhs"} as defined in the current context.
+
+ \item @{text "@{typ \<tau>}"} prints a well-formed type @{text "\<tau>"}.
+
+ \item @{text "@{type \<kappa>}"} prints a (logical or syntactic) type
+ constructor @{text "\<kappa>"}.
+
+ \item @{text "@{class c}"} prints a class @{text c}.
+
+ \item @{text "@{text s}"} prints uninterpreted source text @{text
+ s}. This is particularly useful to print portions of text according
+ to the Isabelle document style, without demanding well-formedness,
+ e.g.\ small pieces of terms that should not be parsed or
+ type-checked yet.
+
+ \item @{text "@{goals}"} prints the current \emph{dynamic} goal
+ state. This is mainly for support of tactic-emulation scripts
+ within Isar. Presentation of goal states does not conform to the
+ idea of human-readable proof documents!
+
+ When explaining proofs in detail it is usually better to spell out
+ the reasoning via proper Isar proof commands, instead of peeking at
+ the internal machine configuration.
+
+ \item @{text "@{subgoals}"} is similar to @{text "@{goals}"}, but
+ does not print the main goal.
+
+ \item @{text "@{prf a\<^sub>1 \<dots> a\<^sub>n}"} prints the (compact) proof terms
+ corresponding to the theorems @{text "a\<^sub>1 \<dots> a\<^sub>n"}. Note that this
+ requires proof terms to be switched on for the current logic
+ session.
+
+ \item @{text "@{full_prf a\<^sub>1 \<dots> a\<^sub>n}"} is like @{text "@{prf a\<^sub>1 \<dots>
+ a\<^sub>n}"}, but prints the full proof terms, i.e.\ also displays
+ information omitted in the compact proof term, which is denoted by
+ ``@{text _}'' placeholders there.
+
+ \item @{text "@{ML s}"}, @{text "@{ML_op s}"}, @{text "@{ML_type
+ s}"}, and @{text "@{ML_struct s}"} check text @{text s} as ML value,
+ infix operator, type, and structure, respectively. The source is
+ printed verbatim.
+
+ \item @{text "@{file path}"} checks that @{text "path"} refers to a
+ file (or directory) and prints it verbatim.
+
+ \end{description}
+*}
+
+
+subsection {* Styled antiquotations *}
+
+text {* The antiquotations @{text thm}, @{text prop} and @{text
+ term} admit an extra \emph{style} specification to modify the
+ printed result. A style is specified by a name with a possibly
+ empty number of arguments; multiple styles can be sequenced with
+ commas. The following standard styles are available:
+
+ \begin{description}
+
+ \item @{text lhs} extracts the first argument of any application
+ form with at least two arguments --- typically meta-level or
+ object-level equality, or any other binary relation.
+
+ \item @{text rhs} is like @{text lhs}, but extracts the second
+ argument.
+
+ \item @{text "concl"} extracts the conclusion @{text C} from a rule
+ in Horn-clause normal form @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C"}.
+
+ \item @{text "prem"} @{text n} extract premise number
+ @{text "n"} from from a rule in Horn-clause
+ normal form @{text "A\<^sub>1 \<Longrightarrow> \<dots> A\<^sub>n \<Longrightarrow> C"}
+
+ \end{description}
+*}
+
+
+subsection {* General options *}
+
+text {* The following options are available to tune the printed output
+ of antiquotations. Note that many of these coincide with global ML
+ flags of the same names.
+
+ \begin{description}
+
+ \item @{antiquotation_option_def show_types}~@{text "= bool"} and
+ @{antiquotation_option_def show_sorts}~@{text "= bool"} control
+ printing of explicit type and sort constraints.
+
+ \item @{antiquotation_option_def show_structs}~@{text "= bool"}
+ controls printing of implicit structures.
+
+ \item @{antiquotation_option_def show_abbrevs}~@{text "= bool"}
+ controls folding of abbreviations.
+
+ \item @{antiquotation_option_def names_long}~@{text "= bool"} forces
+ names of types and constants etc.\ to be printed in their fully
+ qualified internal form.
+
+ \item @{antiquotation_option_def names_short}~@{text "= bool"}
+ forces names of types and constants etc.\ to be printed unqualified.
+ Note that internalizing the output again in the current context may
+ well yield a different result.
+
+ \item @{antiquotation_option_def names_unique}~@{text "= bool"}
+ determines whether the printed version of qualified names should be
+ made sufficiently long to avoid overlap with names declared further
+ back. Set to @{text false} for more concise output.
+
+ \item @{antiquotation_option_def eta_contract}~@{text "= bool"}
+ prints terms in @{text \<eta>}-contracted form.
+
+ \item @{antiquotation_option_def display}~@{text "= bool"} indicates
+ if the text is to be output as multi-line ``display material'',
+ rather than a small piece of text without line breaks (which is the
+ default).
+
+ In this mode the embedded entities are printed in the same style as
+ the main theory text.
+
+ \item @{antiquotation_option_def break}~@{text "= bool"} controls
+ line breaks in non-display material.
+
+ \item @{antiquotation_option_def quotes}~@{text "= bool"} indicates
+ if the output should be enclosed in double quotes.
+
+ \item @{antiquotation_option_def mode}~@{text "= name"} adds @{text
+ name} to the print mode to be used for presentation. Note that the
+ standard setup for {\LaTeX} output is already present by default,
+ including the modes @{text latex} and @{text xsymbols}.
+
+ \item @{antiquotation_option_def margin}~@{text "= nat"} and
+ @{antiquotation_option_def indent}~@{text "= nat"} change the margin
+ or indentation for pretty printing of display material.
+
+ \item @{antiquotation_option_def goals_limit}~@{text "= nat"}
+ determines the maximum number of goals to be printed (for goal-based
+ antiquotation).
+
+ \item @{antiquotation_option_def source}~@{text "= bool"} prints the
+ original source text of the antiquotation arguments, rather than its
+ internal representation. Note that formal checking of
+ @{antiquotation "thm"}, @{antiquotation "term"}, etc. is still
+ enabled; use the @{antiquotation "text"} antiquotation for unchecked
+ output.
+
+ Regular @{text "term"} and @{text "typ"} antiquotations with @{text
+ "source = false"} involve a full round-trip from the original source
+ to an internalized logical entity back to a source form, according
+ to the syntax of the current context. Thus the printed output is
+ not under direct control of the author, it may even fluctuate a bit
+ as the underlying theory is changed later on.
+
+ In contrast, @{antiquotation_option source}~@{text "= true"}
+ admits direct printing of the given source text, with the desirable
+ well-formedness check in the background, but without modification of
+ the printed text.
+
+ \end{description}
+
+ For boolean flags, ``@{text "name = true"}'' may be abbreviated as
+ ``@{text name}''. All of the above flags are disabled by default,
+ unless changed from ML, say in the @{verbatim "ROOT.ML"} of the
+ logic session.
+*}
+
+
+section {* Markup via command tags \label{sec:tags} *}
+
+text {* Each Isabelle/Isar command may be decorated by additional
+ presentation tags, to indicate some modification in the way it is
+ printed in the document.
+
+ @{rail "
+ @{syntax_def tags}: ( tag * )
+ ;
+ tag: '%' (@{syntax ident} | @{syntax string})
+ "}
+
+ Some tags are pre-declared for certain classes of commands, serving
+ as default markup if no tags are given in the text:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "theory"} & theory begin/end \\
+ @{text "proof"} & all proof commands \\
+ @{text "ML"} & all commands involving ML code \\
+ \end{tabular}
+
+ \medskip The Isabelle document preparation system
+ \cite{isabelle-sys} allows tagged command regions to be presented
+ specifically, e.g.\ to fold proof texts, or drop parts of the text
+ completely.
+
+ For example ``@{command "by"}~@{text "%invisible auto"}'' causes
+ that piece of proof to be treated as @{text invisible} instead of
+ @{text "proof"} (the default), which may be shown or hidden
+ depending on the document setup. In contrast, ``@{command
+ "by"}~@{text "%visible auto"}'' forces this text to be shown
+ invariably.
+
+ Explicit tag specifications within a proof apply to all subsequent
+ commands of the same level of nesting. For example, ``@{command
+ "proof"}~@{text "%visible \<dots>"}~@{command "qed"}'' forces the whole
+ sub-proof to be typeset as @{text visible} (unless some of its parts
+ are tagged differently).
+
+ \medskip Command tags merely produce certain markup environments for
+ type-setting. The meaning of these is determined by {\LaTeX}
+ macros, as defined in @{file "~~/lib/texinputs/isabelle.sty"} or
+ by the document author. The Isabelle document preparation tools
+ also provide some high-level options to specify the meaning of
+ arbitrary tags to ``keep'', ``drop'', or ``fold'' the corresponding
+ parts of the text. Logic sessions may also specify ``document
+ versions'', where given tags are interpreted in some particular way.
+ Again see \cite{isabelle-sys} for further details.
+*}
+
+
+section {* Railroad diagrams *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{antiquotation_def "rail"} & : & @{text antiquotation} \\
+ \end{matharray}
+
+ @{rail "'rail' string"}
+
+ The @{antiquotation rail} antiquotation allows to include syntax
+ diagrams into Isabelle documents. {\LaTeX} requires the style file
+ @{"file" "~~/lib/texinputs/pdfsetup.sty"}, which can be used via
+ @{verbatim "\\usepackage{pdfsetup}"} in @{verbatim "root.tex"}, for
+ example.
+
+ The rail specification language is quoted here as Isabelle @{syntax
+ string}; it has its own grammar given below.
+
+ @{rail "
+ rule? + ';'
+ ;
+ rule: ((identifier | @{syntax antiquotation}) ':')? body
+ ;
+ body: concatenation + '|'
+ ;
+ concatenation: ((atom '?'?) +) (('*' | '+') atom?)?
+ ;
+ atom: '(' body? ')' | identifier |
+ '@'? (string | @{syntax antiquotation}) |
+ '\\\\\\\\'
+ "}
+
+ The lexical syntax of @{text "identifier"} coincides with that of
+ @{syntax ident} in regular Isabelle syntax, but @{text string} uses
+ single quotes instead of double quotes of the standard @{syntax
+ string} category, to avoid extra escapes.
+
+ Each @{text rule} defines a formal language (with optional name),
+ using a notation that is similar to EBNF or regular expressions with
+ recursion. The meaning and visual appearance of these rail language
+ elements is illustrated by the following representative examples.
+
+ \begin{itemize}
+
+ \item Empty @{verbatim "()"}
+
+ @{rail "()"}
+
+ \item Nonterminal @{verbatim "A"}
+
+ @{rail "A"}
+
+ \item Nonterminal via Isabelle antiquotation
+ @{verbatim "@{syntax method}"}
+
+ @{rail "@{syntax method}"}
+
+ \item Terminal @{verbatim "'xyz'"}
+
+ @{rail "'xyz'"}
+
+ \item Terminal in keyword style @{verbatim "@'xyz'"}
+
+ @{rail "@'xyz'"}
+
+ \item Terminal via Isabelle antiquotation
+ @{verbatim "@@{method rule}"}
+
+ @{rail "@@{method rule}"}
+
+ \item Concatenation @{verbatim "A B C"}
+
+ @{rail "A B C"}
+
+ \item Linebreak @{verbatim "\\\\"} inside
+ concatenation\footnote{Strictly speaking, this is only a single
+ backslash, but the enclosing @{syntax string} syntax requires a
+ second one for escaping.} @{verbatim "A B C \\\\ D E F"}
+
+ @{rail "A B C \\ D E F"}
+
+ \item Variants @{verbatim "A | B | C"}
+
+ @{rail "A | B | C"}
+
+ \item Option @{verbatim "A ?"}
+
+ @{rail "A ?"}
+
+ \item Repetition @{verbatim "A *"}
+
+ @{rail "A *"}
+
+ \item Repetition with separator @{verbatim "A * sep"}
+
+ @{rail "A * sep"}
+
+ \item Strict repetition @{verbatim "A +"}
+
+ @{rail "A +"}
+
+ \item Strict repetition with separator @{verbatim "A + sep"}
+
+ @{rail "A + sep"}
+
+ \end{itemize}
+*}
+
+
+section {* Draft presentation *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "display_drafts"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "print_drafts"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command display_drafts} | @@{command print_drafts}) (@{syntax name} +)
+
+ "}
+
+ \begin{description}
+
+ \item @{command "display_drafts"}~@{text paths} and @{command
+ "print_drafts"}~@{text paths} perform simple output of a given list
+ of raw source files. Only those symbols that do not require
+ additional {\LaTeX} packages are displayed properly, everything else
+ is left verbatim.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/First_Order_Logic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,520 @@
+
+header {* Example: First-Order Logic *}
+
+theory %visible First_Order_Logic
+imports Base (* FIXME Pure!? *)
+begin
+
+text {*
+ \noindent In order to commence a new object-logic within
+ Isabelle/Pure we introduce abstract syntactic categories @{text "i"}
+ for individuals and @{text "o"} for object-propositions. The latter
+ is embedded into the language of Pure propositions by means of a
+ separate judgment.
+*}
+
+typedecl i
+typedecl o
+
+judgment
+ Trueprop :: "o \<Rightarrow> prop" ("_" 5)
+
+text {*
+ \noindent Note that the object-logic judgement is implicit in the
+ syntax: writing @{prop A} produces @{term "Trueprop A"} internally.
+ From the Pure perspective this means ``@{prop A} is derivable in the
+ object-logic''.
+*}
+
+
+subsection {* Equational reasoning \label{sec:framework-ex-equal} *}
+
+text {*
+ Equality is axiomatized as a binary predicate on individuals, with
+ reflexivity as introduction, and substitution as elimination
+ principle. Note that the latter is particularly convenient in a
+ framework like Isabelle, because syntactic congruences are
+ implicitly produced by unification of @{term "B x"} against
+ expressions containing occurrences of @{term x}.
+*}
+
+axiomatization
+ equal :: "i \<Rightarrow> i \<Rightarrow> o" (infix "=" 50)
+where
+ refl [intro]: "x = x" and
+ subst [elim]: "x = y \<Longrightarrow> B x \<Longrightarrow> B y"
+
+text {*
+ \noindent Substitution is very powerful, but also hard to control in
+ full generality. We derive some common symmetry~/ transitivity
+ schemes of @{term equal} as particular consequences.
+*}
+
+theorem sym [sym]:
+ assumes "x = y"
+ shows "y = x"
+proof -
+ have "x = x" ..
+ with `x = y` show "y = x" ..
+qed
+
+theorem forw_subst [trans]:
+ assumes "y = x" and "B x"
+ shows "B y"
+proof -
+ from `y = x` have "x = y" ..
+ from this and `B x` show "B y" ..
+qed
+
+theorem back_subst [trans]:
+ assumes "B x" and "x = y"
+ shows "B y"
+proof -
+ from `x = y` and `B x`
+ show "B y" ..
+qed
+
+theorem trans [trans]:
+ assumes "x = y" and "y = z"
+ shows "x = z"
+proof -
+ from `y = z` and `x = y`
+ show "x = z" ..
+qed
+
+
+subsection {* Basic group theory *}
+
+text {*
+ As an example for equational reasoning we consider some bits of
+ group theory. The subsequent locale definition postulates group
+ operations and axioms; we also derive some consequences of this
+ specification.
+*}
+
+locale group =
+ fixes prod :: "i \<Rightarrow> i \<Rightarrow> i" (infix "\<circ>" 70)
+ and inv :: "i \<Rightarrow> i" ("(_\<inverse>)" [1000] 999)
+ and unit :: i ("1")
+ assumes assoc: "(x \<circ> y) \<circ> z = x \<circ> (y \<circ> z)"
+ and left_unit: "1 \<circ> x = x"
+ and left_inv: "x\<inverse> \<circ> x = 1"
+begin
+
+theorem right_inv: "x \<circ> x\<inverse> = 1"
+proof -
+ have "x \<circ> x\<inverse> = 1 \<circ> (x \<circ> x\<inverse>)" by (rule left_unit [symmetric])
+ also have "\<dots> = (1 \<circ> x) \<circ> x\<inverse>" by (rule assoc [symmetric])
+ also have "1 = (x\<inverse>)\<inverse> \<circ> x\<inverse>" by (rule left_inv [symmetric])
+ also have "\<dots> \<circ> x = (x\<inverse>)\<inverse> \<circ> (x\<inverse> \<circ> x)" by (rule assoc)
+ also have "x\<inverse> \<circ> x = 1" by (rule left_inv)
+ also have "((x\<inverse>)\<inverse> \<circ> \<dots>) \<circ> x\<inverse> = (x\<inverse>)\<inverse> \<circ> (1 \<circ> x\<inverse>)" by (rule assoc)
+ also have "1 \<circ> x\<inverse> = x\<inverse>" by (rule left_unit)
+ also have "(x\<inverse>)\<inverse> \<circ> \<dots> = 1" by (rule left_inv)
+ finally show "x \<circ> x\<inverse> = 1" .
+qed
+
+theorem right_unit: "x \<circ> 1 = x"
+proof -
+ have "1 = x\<inverse> \<circ> x" by (rule left_inv [symmetric])
+ also have "x \<circ> \<dots> = (x \<circ> x\<inverse>) \<circ> x" by (rule assoc [symmetric])
+ also have "x \<circ> x\<inverse> = 1" by (rule right_inv)
+ also have "\<dots> \<circ> x = x" by (rule left_unit)
+ finally show "x \<circ> 1 = x" .
+qed
+
+text {*
+ \noindent Reasoning from basic axioms is often tedious. Our proofs
+ work by producing various instances of the given rules (potentially
+ the symmetric form) using the pattern ``@{command have}~@{text
+ eq}~@{command "by"}~@{text "(rule r)"}'' and composing the chain of
+ results via @{command also}/@{command finally}. These steps may
+ involve any of the transitivity rules declared in
+ \secref{sec:framework-ex-equal}, namely @{thm trans} in combining
+ the first two results in @{thm right_inv} and in the final steps of
+ both proofs, @{thm forw_subst} in the first combination of @{thm
+ right_unit}, and @{thm back_subst} in all other calculational steps.
+
+ Occasional substitutions in calculations are adequate, but should
+ not be over-emphasized. The other extreme is to compose a chain by
+ plain transitivity only, with replacements occurring always in
+ topmost position. For example:
+*}
+
+(*<*)
+theorem "\<And>A. PROP A \<Longrightarrow> PROP A"
+proof -
+ assume [symmetric, defn]: "\<And>x y. (x \<equiv> y) \<equiv> Trueprop (x = y)"
+(*>*)
+ have "x \<circ> 1 = x \<circ> (x\<inverse> \<circ> x)" unfolding left_inv ..
+ also have "\<dots> = (x \<circ> x\<inverse>) \<circ> x" unfolding assoc ..
+ also have "\<dots> = 1 \<circ> x" unfolding right_inv ..
+ also have "\<dots> = x" unfolding left_unit ..
+ finally have "x \<circ> 1 = x" .
+(*<*)
+qed
+(*>*)
+
+text {*
+ \noindent Here we have re-used the built-in mechanism for unfolding
+ definitions in order to normalize each equational problem. A more
+ realistic object-logic would include proper setup for the Simplifier
+ (\secref{sec:simplifier}), the main automated tool for equational
+ reasoning in Isabelle. Then ``@{command unfolding}~@{thm
+ left_inv}~@{command ".."}'' would become ``@{command "by"}~@{text
+ "(simp only: left_inv)"}'' etc.
+*}
+
+end
+
+
+subsection {* Propositional logic \label{sec:framework-ex-prop} *}
+
+text {*
+ We axiomatize basic connectives of propositional logic: implication,
+ disjunction, and conjunction. The associated rules are modeled
+ after Gentzen's system of Natural Deduction \cite{Gentzen:1935}.
+*}
+
+axiomatization
+ imp :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<longrightarrow>" 25) where
+ impI [intro]: "(A \<Longrightarrow> B) \<Longrightarrow> A \<longrightarrow> B" and
+ impD [dest]: "(A \<longrightarrow> B) \<Longrightarrow> A \<Longrightarrow> B"
+
+axiomatization
+ disj :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<or>" 30) where
+ disjI\<^isub>1 [intro]: "A \<Longrightarrow> A \<or> B" and
+ disjI\<^isub>2 [intro]: "B \<Longrightarrow> A \<or> B" and
+ disjE [elim]: "A \<or> B \<Longrightarrow> (A \<Longrightarrow> C) \<Longrightarrow> (B \<Longrightarrow> C) \<Longrightarrow> C"
+
+axiomatization
+ conj :: "o \<Rightarrow> o \<Rightarrow> o" (infixr "\<and>" 35) where
+ conjI [intro]: "A \<Longrightarrow> B \<Longrightarrow> A \<and> B" and
+ conjD\<^isub>1: "A \<and> B \<Longrightarrow> A" and
+ conjD\<^isub>2: "A \<and> B \<Longrightarrow> B"
+
+text {*
+ \noindent The conjunctive destructions have the disadvantage that
+ decomposing @{prop "A \<and> B"} involves an immediate decision which
+ component should be projected. The more convenient simultaneous
+ elimination @{prop "A \<and> B \<Longrightarrow> (A \<Longrightarrow> B \<Longrightarrow> C) \<Longrightarrow> C"} can be derived as
+ follows:
+*}
+
+theorem conjE [elim]:
+ assumes "A \<and> B"
+ obtains A and B
+proof
+ from `A \<and> B` show A by (rule conjD\<^isub>1)
+ from `A \<and> B` show B by (rule conjD\<^isub>2)
+qed
+
+text {*
+ \noindent Here is an example of swapping conjuncts with a single
+ intermediate elimination step:
+*}
+
+(*<*)
+lemma "\<And>A. PROP A \<Longrightarrow> PROP A"
+proof -
+(*>*)
+ assume "A \<and> B"
+ then obtain B and A ..
+ then have "B \<and> A" ..
+(*<*)
+qed
+(*>*)
+
+text {*
+ \noindent Note that the analogous elimination rule for disjunction
+ ``@{text "\<ASSUMES> A \<or> B \<OBTAINS> A \<BBAR> B"}'' coincides with
+ the original axiomatization of @{thm disjE}.
+
+ \medskip We continue propositional logic by introducing absurdity
+ with its characteristic elimination. Plain truth may then be
+ defined as a proposition that is trivially true.
+*}
+
+axiomatization
+ false :: o ("\<bottom>") where
+ falseE [elim]: "\<bottom> \<Longrightarrow> A"
+
+definition
+ true :: o ("\<top>") where
+ "\<top> \<equiv> \<bottom> \<longrightarrow> \<bottom>"
+
+theorem trueI [intro]: \<top>
+ unfolding true_def ..
+
+text {*
+ \medskip\noindent Now negation represents an implication towards
+ absurdity:
+*}
+
+definition
+ not :: "o \<Rightarrow> o" ("\<not> _" [40] 40) where
+ "\<not> A \<equiv> A \<longrightarrow> \<bottom>"
+
+theorem notI [intro]:
+ assumes "A \<Longrightarrow> \<bottom>"
+ shows "\<not> A"
+unfolding not_def
+proof
+ assume A
+ then show \<bottom> by (rule `A \<Longrightarrow> \<bottom>`)
+qed
+
+theorem notE [elim]:
+ assumes "\<not> A" and A
+ shows B
+proof -
+ from `\<not> A` have "A \<longrightarrow> \<bottom>" unfolding not_def .
+ from `A \<longrightarrow> \<bottom>` and `A` have \<bottom> ..
+ then show B ..
+qed
+
+
+subsection {* Classical logic *}
+
+text {*
+ Subsequently we state the principle of classical contradiction as a
+ local assumption. Thus we refrain from forcing the object-logic
+ into the classical perspective. Within that context, we may derive
+ well-known consequences of the classical principle.
+*}
+
+locale classical =
+ assumes classical: "(\<not> C \<Longrightarrow> C) \<Longrightarrow> C"
+begin
+
+theorem double_negation:
+ assumes "\<not> \<not> C"
+ shows C
+proof (rule classical)
+ assume "\<not> C"
+ with `\<not> \<not> C` show C ..
+qed
+
+theorem tertium_non_datur: "C \<or> \<not> C"
+proof (rule double_negation)
+ show "\<not> \<not> (C \<or> \<not> C)"
+ proof
+ assume "\<not> (C \<or> \<not> C)"
+ have "\<not> C"
+ proof
+ assume C then have "C \<or> \<not> C" ..
+ with `\<not> (C \<or> \<not> C)` show \<bottom> ..
+ qed
+ then have "C \<or> \<not> C" ..
+ with `\<not> (C \<or> \<not> C)` show \<bottom> ..
+ qed
+qed
+
+text {*
+ \noindent These examples illustrate both classical reasoning and
+ non-trivial propositional proofs in general. All three rules
+ characterize classical logic independently, but the original rule is
+ already the most convenient to use, because it leaves the conclusion
+ unchanged. Note that @{prop "(\<not> C \<Longrightarrow> C) \<Longrightarrow> C"} fits again into our
+ format for eliminations, despite the additional twist that the
+ context refers to the main conclusion. So we may write @{thm
+ classical} as the Isar statement ``@{text "\<OBTAINS> \<not> thesis"}''.
+ This also explains nicely how classical reasoning really works:
+ whatever the main @{text thesis} might be, we may always assume its
+ negation!
+*}
+
+end
+
+
+subsection {* Quantifiers \label{sec:framework-ex-quant} *}
+
+text {*
+ Representing quantifiers is easy, thanks to the higher-order nature
+ of the underlying framework. According to the well-known technique
+ introduced by Church \cite{church40}, quantifiers are operators on
+ predicates, which are syntactically represented as @{text "\<lambda>"}-terms
+ of type @{typ "i \<Rightarrow> o"}. Binder notation turns @{text "All (\<lambda>x. B
+ x)"} into @{text "\<forall>x. B x"} etc.
+*}
+
+axiomatization
+ All :: "(i \<Rightarrow> o) \<Rightarrow> o" (binder "\<forall>" 10) where
+ allI [intro]: "(\<And>x. B x) \<Longrightarrow> \<forall>x. B x" and
+ allD [dest]: "(\<forall>x. B x) \<Longrightarrow> B a"
+
+axiomatization
+ Ex :: "(i \<Rightarrow> o) \<Rightarrow> o" (binder "\<exists>" 10) where
+ exI [intro]: "B a \<Longrightarrow> (\<exists>x. B x)" and
+ exE [elim]: "(\<exists>x. B x) \<Longrightarrow> (\<And>x. B x \<Longrightarrow> C) \<Longrightarrow> C"
+
+text {*
+ \noindent The statement of @{thm exE} corresponds to ``@{text
+ "\<ASSUMES> \<exists>x. B x \<OBTAINS> x \<WHERE> B x"}'' in Isar. In the
+ subsequent example we illustrate quantifier reasoning involving all
+ four rules:
+*}
+
+theorem
+ assumes "\<exists>x. \<forall>y. R x y"
+ shows "\<forall>y. \<exists>x. R x y"
+proof -- {* @{text "\<forall>"} introduction *}
+ obtain x where "\<forall>y. R x y" using `\<exists>x. \<forall>y. R x y` .. -- {* @{text "\<exists>"} elimination *}
+ fix y have "R x y" using `\<forall>y. R x y` .. -- {* @{text "\<forall>"} destruction *}
+ then show "\<exists>x. R x y" .. -- {* @{text "\<exists>"} introduction *}
+qed
+
+
+subsection {* Canonical reasoning patterns *}
+
+text {*
+ The main rules of first-order predicate logic from
+ \secref{sec:framework-ex-prop} and \secref{sec:framework-ex-quant}
+ can now be summarized as follows, using the native Isar statement
+ format of \secref{sec:framework-stmt}.
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "impI: \<ASSUMES> A \<Longrightarrow> B \<SHOWS> A \<longrightarrow> B"} \\
+ @{text "impD: \<ASSUMES> A \<longrightarrow> B \<AND> A \<SHOWS> B"} \\[1ex]
+
+ @{text "disjI\<^isub>1: \<ASSUMES> A \<SHOWS> A \<or> B"} \\
+ @{text "disjI\<^isub>2: \<ASSUMES> B \<SHOWS> A \<or> B"} \\
+ @{text "disjE: \<ASSUMES> A \<or> B \<OBTAINS> A \<BBAR> B"} \\[1ex]
+
+ @{text "conjI: \<ASSUMES> A \<AND> B \<SHOWS> A \<and> B"} \\
+ @{text "conjE: \<ASSUMES> A \<and> B \<OBTAINS> A \<AND> B"} \\[1ex]
+
+ @{text "falseE: \<ASSUMES> \<bottom> \<SHOWS> A"} \\
+ @{text "trueI: \<SHOWS> \<top>"} \\[1ex]
+
+ @{text "notI: \<ASSUMES> A \<Longrightarrow> \<bottom> \<SHOWS> \<not> A"} \\
+ @{text "notE: \<ASSUMES> \<not> A \<AND> A \<SHOWS> B"} \\[1ex]
+
+ @{text "allI: \<ASSUMES> \<And>x. B x \<SHOWS> \<forall>x. B x"} \\
+ @{text "allE: \<ASSUMES> \<forall>x. B x \<SHOWS> B a"} \\[1ex]
+
+ @{text "exI: \<ASSUMES> B a \<SHOWS> \<exists>x. B x"} \\
+ @{text "exE: \<ASSUMES> \<exists>x. B x \<OBTAINS> a \<WHERE> B a"}
+ \end{tabular}
+ \medskip
+
+ \noindent This essentially provides a declarative reading of Pure
+ rules as Isar reasoning patterns: the rule statements tells how a
+ canonical proof outline shall look like. Since the above rules have
+ already been declared as @{attribute (Pure) intro}, @{attribute
+ (Pure) elim}, @{attribute (Pure) dest} --- each according to its
+ particular shape --- we can immediately write Isar proof texts as
+ follows:
+*}
+
+(*<*)
+theorem "\<And>A. PROP A \<Longrightarrow> PROP A"
+proof -
+(*>*)
+
+ txt_raw {*\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "A \<longrightarrow> B"
+ proof
+ assume A
+ show B sorry %noproof
+ qed
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "A \<longrightarrow> B" and A sorry %noproof
+ then have B ..
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have A sorry %noproof
+ then have "A \<or> B" ..
+
+ have B sorry %noproof
+ then have "A \<or> B" ..
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "A \<or> B" sorry %noproof
+ then have C
+ proof
+ assume A
+ then show C sorry %noproof
+ next
+ assume B
+ then show C sorry %noproof
+ qed
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have A and B sorry %noproof
+ then have "A \<and> B" ..
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "A \<and> B" sorry %noproof
+ then obtain A and B ..
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<bottom>" sorry %noproof
+ then have A ..
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<top>" ..
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<not> A"
+ proof
+ assume A
+ then show "\<bottom>" sorry %noproof
+ qed
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<not> A" and A sorry %noproof
+ then have B ..
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<forall>x. B x"
+ proof
+ fix x
+ show "B x" sorry %noproof
+ qed
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<forall>x. B x" sorry %noproof
+ then have "B a" ..
+
+ txt_raw {*\end{minipage}\\[3ex]\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<exists>x. B x"
+ proof
+ show "B a" sorry %noproof
+ qed
+
+ txt_raw {*\end{minipage}\qquad\begin{minipage}[t]{0.4\textwidth}*}(*<*)next(*>*)
+
+ have "\<exists>x. B x" sorry %noproof
+ then obtain a where "B a" ..
+
+ txt_raw {*\end{minipage}*}
+
+(*<*)
+qed
+(*>*)
+
+text {*
+ \bigskip\noindent Of course, these proofs are merely examples. As
+ sketched in \secref{sec:framework-subproof}, there is a fair amount
+ of flexibility in expressing Pure deductions in Isar. Here the user
+ is asked to express himself adequately, aiming at proof texts of
+ literary quality.
+*}
+
+end %visible
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Framework.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1016 @@
+theory Framework
+imports Base Main
+begin
+
+chapter {* The Isabelle/Isar Framework \label{ch:isar-framework} *}
+
+text {*
+ Isabelle/Isar
+ \cite{Wenzel:1999:TPHOL,Wenzel-PhD,Nipkow-TYPES02,Wenzel-Paulson:2006,Wenzel:2006:Festschrift}
+ is intended as a generic framework for developing formal
+ mathematical documents with full proof checking. Definitions and
+ proofs are organized as theories. An assembly of theory sources may
+ be presented as a printed document; see also
+ \chref{ch:document-prep}.
+
+ The main objective of Isar is the design of a human-readable
+ structured proof language, which is called the ``primary proof
+ format'' in Isar terminology. Such a primary proof language is
+ somewhere in the middle between the extremes of primitive proof
+ objects and actual natural language. In this respect, Isar is a bit
+ more formalistic than Mizar
+ \cite{Trybulec:1993:MizarFeatures,Rudnicki:1992:MizarOverview,Wiedijk:1999:Mizar},
+ using logical symbols for certain reasoning schemes where Mizar
+ would prefer English words; see \cite{Wenzel-Wiedijk:2002} for
+ further comparisons of these systems.
+
+ So Isar challenges the traditional way of recording informal proofs
+ in mathematical prose, as well as the common tendency to see fully
+ formal proofs directly as objects of some logical calculus (e.g.\
+ @{text "\<lambda>"}-terms in a version of type theory). In fact, Isar is
+ better understood as an interpreter of a simple block-structured
+ language for describing the data flow of local facts and goals,
+ interspersed with occasional invocations of proof methods.
+ Everything is reduced to logical inferences internally, but these
+ steps are somewhat marginal compared to the overall bookkeeping of
+ the interpretation process. Thanks to careful design of the syntax
+ and semantics of Isar language elements, a formal record of Isar
+ instructions may later appear as an intelligible text to the
+ attentive reader.
+
+ The Isar proof language has emerged from careful analysis of some
+ inherent virtues of the existing logical framework of Isabelle/Pure
+ \cite{paulson-found,paulson700}, notably composition of higher-order
+ natural deduction rules, which is a generalization of Gentzen's
+ original calculus \cite{Gentzen:1935}. The approach of generic
+ inference systems in Pure is continued by Isar towards actual proof
+ texts.
+
+ Concrete applications require another intermediate layer: an
+ object-logic. Isabelle/HOL \cite{isa-tutorial} (simply-typed
+ set-theory) is being used most of the time; Isabelle/ZF
+ \cite{isabelle-ZF} is less extensively developed, although it would
+ probably fit better for classical mathematics.
+
+ \medskip In order to illustrate natural deduction in Isar, we shall
+ refer to the background theory and library of Isabelle/HOL. This
+ includes common notions of predicate logic, naive set-theory etc.\
+ using fairly standard mathematical notation. From the perspective
+ of generic natural deduction there is nothing special about the
+ logical connectives of HOL (@{text "\<and>"}, @{text "\<or>"}, @{text "\<forall>"},
+ @{text "\<exists>"}, etc.), only the resulting reasoning principles are
+ relevant to the user. There are similar rules available for
+ set-theory operators (@{text "\<inter>"}, @{text "\<union>"}, @{text "\<Inter>"}, @{text
+ "\<Union>"}, etc.), or any other theory developed in the library (lattice
+ theory, topology etc.).
+
+ Subsequently we briefly review fragments of Isar proof texts
+ corresponding directly to such general deduction schemes. The
+ examples shall refer to set-theory, to minimize the danger of
+ understanding connectives of predicate logic as something special.
+
+ \medskip The following deduction performs @{text "\<inter>"}-introduction,
+ working forwards from assumptions towards the conclusion. We give
+ both the Isar text, and depict the primitive rule involved, as
+ determined by unification of the problem against rules that are
+ declared in the library context.
+*}
+
+text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ assume "x \<in> A" and "x \<in> B"
+ then have "x \<in> A \<inter> B" ..
+(*<*)
+end
+(*>*)
+
+text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
+
+text {*
+ \infer{@{prop "x \<in> A \<inter> B"}}{@{prop "x \<in> A"} & @{prop "x \<in> B"}}
+*}
+
+text_raw {*\end{minipage}*}
+
+text {*
+ \medskip\noindent Note that @{command assume} augments the proof
+ context, @{command then} indicates that the current fact shall be
+ used in the next step, and @{command have} states an intermediate
+ goal. The two dots ``@{command ".."}'' refer to a complete proof of
+ this claim, using the indicated facts and a canonical rule from the
+ context. We could have been more explicit here by spelling out the
+ final proof step via the @{command "by"} command:
+*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ assume "x \<in> A" and "x \<in> B"
+ then have "x \<in> A \<inter> B" by (rule IntI)
+(*<*)
+end
+(*>*)
+
+text {*
+ \noindent The format of the @{text "\<inter>"}-introduction rule represents
+ the most basic inference, which proceeds from given premises to a
+ conclusion, without any nested proof context involved.
+
+ The next example performs backwards introduction on @{term "\<Inter>\<A>"},
+ the intersection of all sets within a given set. This requires a
+ nested proof of set membership within a local context, where @{term
+ A} is an arbitrary-but-fixed member of the collection:
+*}
+
+text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ have "x \<in> \<Inter>\<A>"
+ proof
+ fix A
+ assume "A \<in> \<A>"
+ show "x \<in> A" sorry %noproof
+ qed
+(*<*)
+end
+(*>*)
+
+text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
+
+text {*
+ \infer{@{prop "x \<in> \<Inter>\<A>"}}{\infer*{@{prop "x \<in> A"}}{@{text "[A][A \<in> \<A>]"}}}
+*}
+
+text_raw {*\end{minipage}*}
+
+text {*
+ \medskip\noindent This Isar reasoning pattern again refers to the
+ primitive rule depicted above. The system determines it in the
+ ``@{command proof}'' step, which could have been spelt out more
+ explicitly as ``@{command proof}~@{text "(rule InterI)"}''. Note
+ that the rule involves both a local parameter @{term "A"} and an
+ assumption @{prop "A \<in> \<A>"} in the nested reasoning. This kind of
+ compound rule typically demands a genuine sub-proof in Isar, working
+ backwards rather than forwards as seen before. In the proof body we
+ encounter the @{command fix}-@{command assume}-@{command show}
+ outline of nested sub-proofs that is typical for Isar. The final
+ @{command show} is like @{command have} followed by an additional
+ refinement of the enclosing claim, using the rule derived from the
+ proof body.
+
+ \medskip The next example involves @{term "\<Union>\<A>"}, which can be
+ characterized as the set of all @{term "x"} such that @{prop "\<exists>A. x
+ \<in> A \<and> A \<in> \<A>"}. The elimination rule for @{prop "x \<in> \<Union>\<A>"} does
+ not mention @{text "\<exists>"} and @{text "\<and>"} at all, but admits to obtain
+ directly a local @{term "A"} such that @{prop "x \<in> A"} and @{prop "A
+ \<in> \<A>"} hold. This corresponds to the following Isar proof and
+ inference rule, respectively:
+*}
+
+text_raw {*\medskip\begin{minipage}{0.6\textwidth}*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ assume "x \<in> \<Union>\<A>"
+ then have C
+ proof
+ fix A
+ assume "x \<in> A" and "A \<in> \<A>"
+ show C sorry %noproof
+ qed
+(*<*)
+end
+(*>*)
+
+text_raw {*\end{minipage}\begin{minipage}{0.4\textwidth}*}
+
+text {*
+ \infer{@{prop "C"}}{@{prop "x \<in> \<Union>\<A>"} & \infer*{@{prop "C"}~}{@{text "[A][x \<in> A, A \<in> \<A>]"}}}
+*}
+
+text_raw {*\end{minipage}*}
+
+text {*
+ \medskip\noindent Although the Isar proof follows the natural
+ deduction rule closely, the text reads not as natural as
+ anticipated. There is a double occurrence of an arbitrary
+ conclusion @{prop "C"}, which represents the final result, but is
+ irrelevant for now. This issue arises for any elimination rule
+ involving local parameters. Isar provides the derived language
+ element @{command obtain}, which is able to perform the same
+ elimination proof more conveniently:
+*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ assume "x \<in> \<Union>\<A>"
+ then obtain A where "x \<in> A" and "A \<in> \<A>" ..
+(*<*)
+end
+(*>*)
+
+text {*
+ \noindent Here we avoid to mention the final conclusion @{prop "C"}
+ and return to plain forward reasoning. The rule involved in the
+ ``@{command ".."}'' proof is the same as before.
+*}
+
+
+section {* The Pure framework \label{sec:framework-pure} *}
+
+text {*
+ The Pure logic \cite{paulson-found,paulson700} is an intuitionistic
+ fragment of higher-order logic \cite{church40}. In type-theoretic
+ parlance, there are three levels of @{text "\<lambda>"}-calculus with
+ corresponding arrows @{text "\<Rightarrow>"}/@{text "\<And>"}/@{text "\<Longrightarrow>"}:
+
+ \medskip
+ \begin{tabular}{ll}
+ @{text "\<alpha> \<Rightarrow> \<beta>"} & syntactic function space (terms depending on terms) \\
+ @{text "\<And>x. B(x)"} & universal quantification (proofs depending on terms) \\
+ @{text "A \<Longrightarrow> B"} & implication (proofs depending on proofs) \\
+ \end{tabular}
+ \medskip
+
+ \noindent Here only the types of syntactic terms, and the
+ propositions of proof terms have been shown. The @{text
+ "\<lambda>"}-structure of proofs can be recorded as an optional feature of
+ the Pure inference kernel \cite{Berghofer-Nipkow:2000:TPHOL}, but
+ the formal system can never depend on them due to \emph{proof
+ irrelevance}.
+
+ On top of this most primitive layer of proofs, Pure implements a
+ generic calculus for nested natural deduction rules, similar to
+ \cite{Schroeder-Heister:1984}. Here object-logic inferences are
+ internalized as formulae over @{text "\<And>"} and @{text "\<Longrightarrow>"}.
+ Combining such rule statements may involve higher-order unification
+ \cite{paulson-natural}.
+*}
+
+
+subsection {* Primitive inferences *}
+
+text {*
+ Term syntax provides explicit notation for abstraction @{text "\<lambda>x ::
+ \<alpha>. b(x)"} and application @{text "b a"}, while types are usually
+ implicit thanks to type-inference; terms of type @{text "prop"} are
+ called propositions. Logical statements are composed via @{text "\<And>x
+ :: \<alpha>. B(x)"} and @{text "A \<Longrightarrow> B"}. Primitive reasoning operates on
+ judgments of the form @{text "\<Gamma> \<turnstile> \<phi>"}, with standard introduction
+ and elimination rules for @{text "\<And>"} and @{text "\<Longrightarrow>"} that refer to
+ fixed parameters @{text "x\<^isub>1, \<dots>, x\<^isub>m"} and hypotheses
+ @{text "A\<^isub>1, \<dots>, A\<^isub>n"} from the context @{text "\<Gamma>"};
+ the corresponding proof terms are left implicit. The subsequent
+ inference rules define @{text "\<Gamma> \<turnstile> \<phi>"} inductively, relative to a
+ collection of axioms:
+
+ \[
+ \infer{@{text "\<turnstile> A"}}{(@{text "A"} \text{~axiom})}
+ \qquad
+ \infer{@{text "A \<turnstile> A"}}{}
+ \]
+
+ \[
+ \infer{@{text "\<Gamma> \<turnstile> \<And>x. B(x)"}}{@{text "\<Gamma> \<turnstile> B(x)"} & @{text "x \<notin> \<Gamma>"}}
+ \qquad
+ \infer{@{text "\<Gamma> \<turnstile> B(a)"}}{@{text "\<Gamma> \<turnstile> \<And>x. B(x)"}}
+ \]
+
+ \[
+ \infer{@{text "\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<Gamma> \<turnstile> B"}}
+ \qquad
+ \infer{@{text "\<Gamma>\<^sub>1 \<union> \<Gamma>\<^sub>2 \<turnstile> B"}}{@{text "\<Gamma>\<^sub>1 \<turnstile> A \<Longrightarrow> B"} & @{text "\<Gamma>\<^sub>2 \<turnstile> A"}}
+ \]
+
+ Furthermore, Pure provides a built-in equality @{text "\<equiv> :: \<alpha> \<Rightarrow> \<alpha> \<Rightarrow>
+ prop"} with axioms for reflexivity, substitution, extensionality,
+ and @{text "\<alpha>\<beta>\<eta>"}-conversion on @{text "\<lambda>"}-terms.
+
+ \medskip An object-logic introduces another layer on top of Pure,
+ e.g.\ with types @{text "i"} for individuals and @{text "o"} for
+ propositions, term constants @{text "Trueprop :: o \<Rightarrow> prop"} as
+ (implicit) derivability judgment and connectives like @{text "\<and> :: o
+ \<Rightarrow> o \<Rightarrow> o"} or @{text "\<forall> :: (i \<Rightarrow> o) \<Rightarrow> o"}, and axioms for object-level
+ rules such as @{text "conjI: A \<Longrightarrow> B \<Longrightarrow> A \<and> B"} or @{text "allI: (\<And>x. B
+ x) \<Longrightarrow> \<forall>x. B x"}. Derived object rules are represented as theorems of
+ Pure. After the initial object-logic setup, further axiomatizations
+ are usually avoided; plain definitions and derived principles are
+ used exclusively.
+*}
+
+
+subsection {* Reasoning with rules \label{sec:framework-resolution} *}
+
+text {*
+ Primitive inferences mostly serve foundational purposes. The main
+ reasoning mechanisms of Pure operate on nested natural deduction
+ rules expressed as formulae, using @{text "\<And>"} to bind local
+ parameters and @{text "\<Longrightarrow>"} to express entailment. Multiple
+ parameters and premises are represented by repeating these
+ connectives in a right-associative manner.
+
+ Since @{text "\<And>"} and @{text "\<Longrightarrow>"} commute thanks to the theorem
+ @{prop "(A \<Longrightarrow> (\<And>x. B x)) \<equiv> (\<And>x. A \<Longrightarrow> B x)"}, we may assume w.l.o.g.\
+ that rule statements always observe the normal form where
+ quantifiers are pulled in front of implications at each level of
+ nesting. This means that any Pure proposition may be presented as a
+ \emph{Hereditary Harrop Formula} \cite{Miller:1991} which is of the
+ form @{text "\<And>x\<^isub>1 \<dots> x\<^isub>m. H\<^isub>1 \<Longrightarrow> \<dots> H\<^isub>n \<Longrightarrow>
+ A"} for @{text "m, n \<ge> 0"}, and @{text "A"} atomic, and @{text
+ "H\<^isub>1, \<dots>, H\<^isub>n"} being recursively of the same format.
+ Following the convention that outermost quantifiers are implicit,
+ Horn clauses @{text "A\<^isub>1 \<Longrightarrow> \<dots> A\<^isub>n \<Longrightarrow> A"} are a special
+ case of this.
+
+ For example, @{text "\<inter>"}-introduction rule encountered before is
+ represented as a Pure theorem as follows:
+ \[
+ @{text "IntI:"}~@{prop "x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B"}
+ \]
+
+ \noindent This is a plain Horn clause, since no further nesting on
+ the left is involved. The general @{text "\<Inter>"}-introduction
+ corresponds to a Hereditary Harrop Formula with one additional level
+ of nesting:
+ \[
+ @{text "InterI:"}~@{prop "(\<And>A. A \<in> \<A> \<Longrightarrow> x \<in> A) \<Longrightarrow> x \<in> \<Inter>\<A>"}
+ \]
+
+ \medskip Goals are also represented as rules: @{text "A\<^isub>1 \<Longrightarrow>
+ \<dots> A\<^isub>n \<Longrightarrow> C"} states that the sub-goals @{text "A\<^isub>1, \<dots>,
+ A\<^isub>n"} entail the result @{text "C"}; for @{text "n = 0"} the
+ goal is finished. To allow @{text "C"} being a rule statement
+ itself, we introduce the protective marker @{text "# :: prop \<Rightarrow>
+ prop"}, which is defined as identity and hidden from the user. We
+ initialize and finish goal states as follows:
+
+ \[
+ \begin{array}{c@ {\qquad}c}
+ \infer[(@{inference_def init})]{@{text "C \<Longrightarrow> #C"}}{} &
+ \infer[(@{inference_def finish})]{@{text C}}{@{text "#C"}}
+ \end{array}
+ \]
+
+ \noindent Goal states are refined in intermediate proof steps until
+ a finished form is achieved. Here the two main reasoning principles
+ are @{inference resolution}, for back-chaining a rule against a
+ sub-goal (replacing it by zero or more sub-goals), and @{inference
+ assumption}, for solving a sub-goal (finding a short-circuit with
+ local assumptions). Below @{text "\<^vec>x"} stands for @{text
+ "x\<^isub>1, \<dots>, x\<^isub>n"} (@{text "n \<ge> 0"}).
+
+ \[
+ \infer[(@{inference_def resolution})]
+ {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>A (\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
+ {\begin{tabular}{rl}
+ @{text "rule:"} &
+ @{text "\<^vec>A \<^vec>a \<Longrightarrow> B \<^vec>a"} \\
+ @{text "goal:"} &
+ @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
+ @{text "goal unifier:"} &
+ @{text "(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
+ \end{tabular}}
+ \]
+
+ \medskip
+
+ \[
+ \infer[(@{inference_def assumption})]{@{text "C\<vartheta>"}}
+ {\begin{tabular}{rl}
+ @{text "goal:"} &
+ @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> A \<^vec>x) \<Longrightarrow> C"} \\
+ @{text "assm unifier:"} & @{text "A\<vartheta> = H\<^sub>i\<vartheta>"}~~\text{(for some~@{text "H\<^sub>i"})} \\
+ \end{tabular}}
+ \]
+
+ The following trace illustrates goal-oriented reasoning in
+ Isabelle/Pure:
+
+ {\footnotesize
+ \medskip
+ \begin{tabular}{r@ {\quad}l}
+ @{text "(A \<and> B \<Longrightarrow> B \<and> A) \<Longrightarrow> #(A \<and> B \<Longrightarrow> B \<and> A)"} & @{text "(init)"} \\
+ @{text "(A \<and> B \<Longrightarrow> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(resolution B \<Longrightarrow> A \<Longrightarrow> B \<and> A)"} \\
+ @{text "(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> (A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(resolution A \<and> B \<Longrightarrow> B)"} \\
+ @{text "(A \<and> B \<Longrightarrow> A) \<Longrightarrow> #\<dots>"} & @{text "(assumption)"} \\
+ @{text "(A \<and> B \<Longrightarrow> A \<and> B) \<Longrightarrow> #\<dots>"} & @{text "(resolution A \<and> B \<Longrightarrow> A)"} \\
+ @{text "#\<dots>"} & @{text "(assumption)"} \\
+ @{text "A \<and> B \<Longrightarrow> B \<and> A"} & @{text "(finish)"} \\
+ \end{tabular}
+ \medskip
+ }
+
+ Compositions of @{inference assumption} after @{inference
+ resolution} occurs quite often, typically in elimination steps.
+ Traditional Isabelle tactics accommodate this by a combined
+ @{inference_def elim_resolution} principle. In contrast, Isar uses
+ a slightly more refined combination, where the assumptions to be
+ closed are marked explicitly, using again the protective marker
+ @{text "#"}:
+
+ \[
+ \infer[(@{inference refinement})]
+ {@{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> \<^vec>G' (\<^vec>a \<^vec>x))\<vartheta> \<Longrightarrow> C\<vartheta>"}}
+ {\begin{tabular}{rl}
+ @{text "sub\<hyphen>proof:"} &
+ @{text "\<^vec>G \<^vec>a \<Longrightarrow> B \<^vec>a"} \\
+ @{text "goal:"} &
+ @{text "(\<And>\<^vec>x. \<^vec>H \<^vec>x \<Longrightarrow> B' \<^vec>x) \<Longrightarrow> C"} \\
+ @{text "goal unifier:"} &
+ @{text "(\<lambda>\<^vec>x. B (\<^vec>a \<^vec>x))\<vartheta> = B'\<vartheta>"} \\
+ @{text "assm unifiers:"} &
+ @{text "(\<lambda>\<^vec>x. G\<^sub>j (\<^vec>a \<^vec>x))\<vartheta> = #H\<^sub>i\<vartheta>"} \\
+ & \quad (for each marked @{text "G\<^sub>j"} some @{text "#H\<^sub>i"}) \\
+ \end{tabular}}
+ \]
+
+ \noindent Here the @{text "sub\<hyphen>proof"} rule stems from the
+ main @{command fix}-@{command assume}-@{command show} outline of
+ Isar (cf.\ \secref{sec:framework-subproof}): each assumption
+ indicated in the text results in a marked premise @{text "G"} above.
+ The marking enforces resolution against one of the sub-goal's
+ premises. Consequently, @{command fix}-@{command assume}-@{command
+ show} enables to fit the result of a sub-proof quite robustly into a
+ pending sub-goal, while maintaining a good measure of flexibility.
+*}
+
+
+section {* The Isar proof language \label{sec:framework-isar} *}
+
+text {*
+ Structured proofs are presented as high-level expressions for
+ composing entities of Pure (propositions, facts, and goals). The
+ Isar proof language allows to organize reasoning within the
+ underlying rule calculus of Pure, but Isar is not another logical
+ calculus!
+
+ Isar is an exercise in sound minimalism. Approximately half of the
+ language is introduced as primitive, the rest defined as derived
+ concepts. The following grammar describes the core language
+ (category @{text "proof"}), which is embedded into theory
+ specification elements such as @{command theorem}; see also
+ \secref{sec:framework-stmt} for the separate category @{text
+ "statement"}.
+
+ \medskip
+ \begin{tabular}{rcl}
+ @{text "theory\<hyphen>stmt"} & = & @{command "theorem"}~@{text "statement proof |"}~~@{command "definition"}~@{text "\<dots> | \<dots>"} \\[1ex]
+
+ @{text "proof"} & = & @{text "prfx\<^sup>*"}~@{command "proof"}~@{text "method\<^sup>? stmt\<^sup>*"}~@{command "qed"}~@{text "method\<^sup>?"} \\[1ex]
+
+ @{text prfx} & = & @{command "using"}~@{text "facts"} \\
+ & @{text "|"} & @{command "unfolding"}~@{text "facts"} \\
+
+ @{text stmt} & = & @{command "{"}~@{text "stmt\<^sup>*"}~@{command "}"} \\
+ & @{text "|"} & @{command "next"} \\
+ & @{text "|"} & @{command "note"}~@{text "name = facts"} \\
+ & @{text "|"} & @{command "let"}~@{text "term = term"} \\
+ & @{text "|"} & @{command "fix"}~@{text "var\<^sup>+"} \\
+ & @{text "|"} & @{command assume}~@{text "\<guillemotleft>inference\<guillemotright> name: props"} \\
+ & @{text "|"} & @{command "then"}@{text "\<^sup>?"}~@{text goal} \\
+ @{text goal} & = & @{command "have"}~@{text "name: props proof"} \\
+ & @{text "|"} & @{command "show"}~@{text "name: props proof"} \\
+ \end{tabular}
+
+ \medskip Simultaneous propositions or facts may be separated by the
+ @{keyword "and"} keyword.
+
+ \medskip The syntax for terms and propositions is inherited from
+ Pure (and the object-logic). A @{text "pattern"} is a @{text
+ "term"} with schematic variables, to be bound by higher-order
+ matching.
+
+ \medskip Facts may be referenced by name or proposition. For
+ example, the result of ``@{command have}~@{text "a: A \<langle>proof\<rangle>"}''
+ becomes available both as @{text "a"} and
+ \isacharbackquoteopen@{text "A"}\isacharbackquoteclose. Moreover,
+ fact expressions may involve attributes that modify either the
+ theorem or the background context. For example, the expression
+ ``@{text "a [OF b]"}'' refers to the composition of two facts
+ according to the @{inference resolution} inference of
+ \secref{sec:framework-resolution}, while ``@{text "a [intro]"}''
+ declares a fact as introduction rule in the context.
+
+ The special fact called ``@{fact this}'' always refers to the last
+ result, as produced by @{command note}, @{command assume}, @{command
+ have}, or @{command show}. Since @{command note} occurs
+ frequently together with @{command then} we provide some
+ abbreviations:
+
+ \medskip
+ \begin{tabular}{rcl}
+ @{command from}~@{text a} & @{text "\<equiv>"} & @{command note}~@{text a}~@{command then} \\
+ @{command with}~@{text a} & @{text "\<equiv>"} & @{command from}~@{text "a \<AND> this"} \\
+ \end{tabular}
+ \medskip
+
+ The @{text "method"} category is essentially a parameter and may be
+ populated later. Methods use the facts indicated by @{command
+ "then"} or @{command using}, and then operate on the goal state.
+ Some basic methods are predefined: ``@{method "-"}'' leaves the goal
+ unchanged, ``@{method this}'' applies the facts as rules to the
+ goal, ``@{method (Pure) "rule"}'' applies the facts to another rule and the
+ result to the goal (both ``@{method this}'' and ``@{method (Pure) rule}''
+ refer to @{inference resolution} of
+ \secref{sec:framework-resolution}). The secondary arguments to
+ ``@{method (Pure) rule}'' may be specified explicitly as in ``@{text "(rule
+ a)"}'', or picked from the context. In the latter case, the system
+ first tries rules declared as @{attribute (Pure) elim} or
+ @{attribute (Pure) dest}, followed by those declared as @{attribute
+ (Pure) intro}.
+
+ The default method for @{command proof} is ``@{method (Pure) rule}''
+ (arguments picked from the context), for @{command qed} it is
+ ``@{method "-"}''. Further abbreviations for terminal proof steps
+ are ``@{command "by"}~@{text "method\<^sub>1 method\<^sub>2"}'' for
+ ``@{command proof}~@{text "method\<^sub>1"}~@{command qed}~@{text
+ "method\<^sub>2"}'', and ``@{command ".."}'' for ``@{command
+ "by"}~@{method (Pure) rule}, and ``@{command "."}'' for ``@{command
+ "by"}~@{method this}''. The @{command unfolding} element operates
+ directly on the current facts and goal by applying equalities.
+
+ \medskip Block structure can be indicated explicitly by ``@{command
+ "{"}~@{text "\<dots>"}~@{command "}"}'', although the body of a sub-proof
+ already involves implicit nesting. In any case, @{command next}
+ jumps into the next section of a block, i.e.\ it acts like closing
+ an implicit block scope and opening another one; there is no direct
+ correspondence to subgoals here.
+
+ The remaining elements @{command fix} and @{command assume} build up
+ a local context (see \secref{sec:framework-context}), while
+ @{command show} refines a pending sub-goal by the rule resulting
+ from a nested sub-proof (see \secref{sec:framework-subproof}).
+ Further derived concepts will support calculational reasoning (see
+ \secref{sec:framework-calc}).
+*}
+
+
+subsection {* Context elements \label{sec:framework-context} *}
+
+text {*
+ In judgments @{text "\<Gamma> \<turnstile> \<phi>"} of the primitive framework, @{text "\<Gamma>"}
+ essentially acts like a proof context. Isar elaborates this idea
+ towards a higher-level notion, with additional information for
+ type-inference, term abbreviations, local facts, hypotheses etc.
+
+ The element @{command fix}~@{text "x :: \<alpha>"} declares a local
+ parameter, i.e.\ an arbitrary-but-fixed entity of a given type; in
+ results exported from the context, @{text "x"} may become anything.
+ The @{command assume}~@{text "\<guillemotleft>inference\<guillemotright>"} element provides a
+ general interface to hypotheses: ``@{command assume}~@{text
+ "\<guillemotleft>inference\<guillemotright> A"}'' produces @{text "A \<turnstile> A"} locally, while the
+ included inference tells how to discharge @{text A} from results
+ @{text "A \<turnstile> B"} later on. There is no user-syntax for @{text
+ "\<guillemotleft>inference\<guillemotright>"}, i.e.\ it may only occur internally when derived
+ commands are defined in ML.
+
+ At the user-level, the default inference for @{command assume} is
+ @{inference discharge} as given below. The additional variants
+ @{command presume} and @{command def} are defined as follows:
+
+ \medskip
+ \begin{tabular}{rcl}
+ @{command presume}~@{text A} & @{text "\<equiv>"} & @{command assume}~@{text "\<guillemotleft>weak\<hyphen>discharge\<guillemotright> A"} \\
+ @{command def}~@{text "x \<equiv> a"} & @{text "\<equiv>"} & @{command fix}~@{text x}~@{command assume}~@{text "\<guillemotleft>expansion\<guillemotright> x \<equiv> a"} \\
+ \end{tabular}
+ \medskip
+
+ \[
+ \infer[(@{inference_def discharge})]{@{text "\<strut>\<Gamma> - A \<turnstile> #A \<Longrightarrow> B"}}{@{text "\<strut>\<Gamma> \<turnstile> B"}}
+ \]
+ \[
+ \infer[(@{inference_def "weak\<hyphen>discharge"})]{@{text "\<strut>\<Gamma> - A \<turnstile> A \<Longrightarrow> B"}}{@{text "\<strut>\<Gamma> \<turnstile> B"}}
+ \]
+ \[
+ \infer[(@{inference_def expansion})]{@{text "\<strut>\<Gamma> - (x \<equiv> a) \<turnstile> B a"}}{@{text "\<strut>\<Gamma> \<turnstile> B x"}}
+ \]
+
+ \medskip Note that @{inference discharge} and @{inference
+ "weak\<hyphen>discharge"} differ in the marker for @{prop A}, which is
+ relevant when the result of a @{command fix}-@{command
+ assume}-@{command show} outline is composed with a pending goal,
+ cf.\ \secref{sec:framework-subproof}.
+
+ The most interesting derived context element in Isar is @{command
+ obtain} \cite[\S5.3]{Wenzel-PhD}, which supports generalized
+ elimination steps in a purely forward manner. The @{command obtain}
+ command takes a specification of parameters @{text "\<^vec>x"} and
+ assumptions @{text "\<^vec>A"} to be added to the context, together
+ with a proof of a case rule stating that this extension is
+ conservative (i.e.\ may be removed from closed results later on):
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "\<langle>facts\<rangle>"}~~@{command obtain}~@{text "\<^vec>x \<WHERE> \<^vec>A \<^vec>x \<langle>proof\<rangle> \<equiv>"} \\[0.5ex]
+ \quad @{command have}~@{text "case: \<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis) \<Longrightarrow> thesis\<rangle>"} \\
+ \quad @{command proof}~@{method "-"} \\
+ \qquad @{command fix}~@{text thesis} \\
+ \qquad @{command assume}~@{text "[intro]: \<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis"} \\
+ \qquad @{command show}~@{text thesis}~@{command using}~@{text "\<langle>facts\<rangle> \<langle>proof\<rangle>"} \\
+ \quad @{command qed} \\
+ \quad @{command fix}~@{text "\<^vec>x"}~@{command assume}~@{text "\<guillemotleft>elimination case\<guillemotright> \<^vec>A \<^vec>x"} \\
+ \end{tabular}
+ \medskip
+
+ \[
+ \infer[(@{inference elimination})]{@{text "\<Gamma> \<turnstile> B"}}{
+ \begin{tabular}{rl}
+ @{text "case:"} &
+ @{text "\<Gamma> \<turnstile> \<And>thesis. (\<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis) \<Longrightarrow> thesis"} \\[0.2ex]
+ @{text "result:"} &
+ @{text "\<Gamma> \<union> \<^vec>A \<^vec>y \<turnstile> B"} \\[0.2ex]
+ \end{tabular}}
+ \]
+
+ \noindent Here the name ``@{text thesis}'' is a specific convention
+ for an arbitrary-but-fixed proposition; in the primitive natural
+ deduction rules shown before we have occasionally used @{text C}.
+ The whole statement of ``@{command obtain}~@{text x}~@{keyword
+ "where"}~@{text "A x"}'' may be read as a claim that @{text "A x"}
+ may be assumed for some arbitrary-but-fixed @{text "x"}. Also note
+ that ``@{command obtain}~@{text "A \<AND> B"}'' without parameters
+ is similar to ``@{command have}~@{text "A \<AND> B"}'', but the
+ latter involves multiple sub-goals.
+
+ \medskip The subsequent Isar proof texts explain all context
+ elements introduced above using the formal proof language itself.
+ After finishing a local proof within a block, we indicate the
+ exported result via @{command note}.
+*}
+
+(*<*)
+theorem True
+proof
+(*>*)
+ txt_raw {* \begin{minipage}[t]{0.45\textwidth} *}
+ {
+ fix x
+ have "B x" sorry %noproof
+ }
+ note `\<And>x. B x`
+ txt_raw {* \end{minipage}\quad\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
+ {
+ assume A
+ have B sorry %noproof
+ }
+ note `A \<Longrightarrow> B`
+ txt_raw {* \end{minipage}\\[3ex]\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
+ {
+ def x \<equiv> a
+ have "B x" sorry %noproof
+ }
+ note `B a`
+ txt_raw {* \end{minipage}\quad\begin{minipage}[t]{0.45\textwidth} *}(*<*)next(*>*)
+ {
+ obtain x where "A x" sorry %noproof
+ have B sorry %noproof
+ }
+ note `B`
+ txt_raw {* \end{minipage} *}
+(*<*)
+qed
+(*>*)
+
+text {*
+ \bigskip\noindent This illustrates the meaning of Isar context
+ elements without goals getting in between.
+*}
+
+subsection {* Structured statements \label{sec:framework-stmt} *}
+
+text {*
+ The category @{text "statement"} of top-level theorem specifications
+ is defined as follows:
+
+ \medskip
+ \begin{tabular}{rcl}
+ @{text "statement"} & @{text "\<equiv>"} & @{text "name: props \<AND> \<dots>"} \\
+ & @{text "|"} & @{text "context\<^sup>* conclusion"} \\[0.5ex]
+
+ @{text "context"} & @{text "\<equiv>"} & @{text "\<FIXES> vars \<AND> \<dots>"} \\
+ & @{text "|"} & @{text "\<ASSUMES> name: props \<AND> \<dots>"} \\
+
+ @{text "conclusion"} & @{text "\<equiv>"} & @{text "\<SHOWS> name: props \<AND> \<dots>"} \\
+ & @{text "|"} & @{text "\<OBTAINS> vars \<AND> \<dots> \<WHERE> name: props \<AND> \<dots>"} \\
+ & & \quad @{text "\<BBAR> \<dots>"} \\
+ \end{tabular}
+
+ \medskip\noindent A simple @{text "statement"} consists of named
+ propositions. The full form admits local context elements followed
+ by the actual conclusions, such as ``@{keyword "fixes"}~@{text
+ x}~@{keyword "assumes"}~@{text "A x"}~@{keyword "shows"}~@{text "B
+ x"}''. The final result emerges as a Pure rule after discharging
+ the context: @{prop "\<And>x. A x \<Longrightarrow> B x"}.
+
+ The @{keyword "obtains"} variant is another abbreviation defined
+ below; unlike @{command obtain} (cf.\
+ \secref{sec:framework-context}) there may be several ``cases''
+ separated by ``@{text "\<BBAR>"}'', each consisting of several
+ parameters (@{text "vars"}) and several premises (@{text "props"}).
+ This specifies multi-branch elimination rules.
+
+ \medskip
+ \begin{tabular}{l}
+ @{text "\<OBTAINS> \<^vec>x \<WHERE> \<^vec>A \<^vec>x \<BBAR> \<dots> \<equiv>"} \\[0.5ex]
+ \quad @{text "\<FIXES> thesis"} \\
+ \quad @{text "\<ASSUMES> [intro]: \<And>\<^vec>x. \<^vec>A \<^vec>x \<Longrightarrow> thesis \<AND> \<dots>"} \\
+ \quad @{text "\<SHOWS> thesis"} \\
+ \end{tabular}
+ \medskip
+
+ Presenting structured statements in such an ``open'' format usually
+ simplifies the subsequent proof, because the outer structure of the
+ problem is already laid out directly. E.g.\ consider the following
+ canonical patterns for @{text "\<SHOWS>"} and @{text "\<OBTAINS>"},
+ respectively:
+*}
+
+text_raw {*\begin{minipage}{0.5\textwidth}*}
+
+theorem
+ fixes x and y
+ assumes "A x" and "B y"
+ shows "C x y"
+proof -
+ from `A x` and `B y`
+ show "C x y" sorry %noproof
+qed
+
+text_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
+
+theorem
+ obtains x and y
+ where "A x" and "B y"
+proof -
+ have "A a" and "B b" sorry %noproof
+ then show thesis ..
+qed
+
+text_raw {*\end{minipage}*}
+
+text {*
+ \medskip\noindent Here local facts \isacharbackquoteopen@{text "A
+ x"}\isacharbackquoteclose\ and \isacharbackquoteopen@{text "B
+ y"}\isacharbackquoteclose\ are referenced immediately; there is no
+ need to decompose the logical rule structure again. In the second
+ proof the final ``@{command then}~@{command show}~@{text
+ thesis}~@{command ".."}'' involves the local rule case @{text "\<And>x
+ y. A x \<Longrightarrow> B y \<Longrightarrow> thesis"} for the particular instance of terms @{text
+ "a"} and @{text "b"} produced in the body.
+*}
+
+
+subsection {* Structured proof refinement \label{sec:framework-subproof} *}
+
+text {*
+ By breaking up the grammar for the Isar proof language, we may
+ understand a proof text as a linear sequence of individual proof
+ commands. These are interpreted as transitions of the Isar virtual
+ machine (Isar/VM), which operates on a block-structured
+ configuration in single steps. This allows users to write proof
+ texts in an incremental manner, and inspect intermediate
+ configurations for debugging.
+
+ The basic idea is analogous to evaluating algebraic expressions on a
+ stack machine: @{text "(a + b) \<cdot> c"} then corresponds to a sequence
+ of single transitions for each symbol @{text "(, a, +, b, ), \<cdot>, c"}.
+ In Isar the algebraic values are facts or goals, and the operations
+ are inferences.
+
+ \medskip The Isar/VM state maintains a stack of nodes, each node
+ contains the local proof context, the linguistic mode, and a pending
+ goal (optional). The mode determines the type of transition that
+ may be performed next, it essentially alternates between forward and
+ backward reasoning, with an intermediate stage for chained facts
+ (see \figref{fig:isar-vm}).
+
+ \begin{figure}[htb]
+ \begin{center}
+ \includegraphics[width=0.8\textwidth]{isar-vm}
+ \end{center}
+ \caption{Isar/VM modes}\label{fig:isar-vm}
+ \end{figure}
+
+ For example, in @{text "state"} mode Isar acts like a mathematical
+ scratch-pad, accepting declarations like @{command fix}, @{command
+ assume}, and claims like @{command have}, @{command show}. A goal
+ statement changes the mode to @{text "prove"}, which means that we
+ may now refine the problem via @{command unfolding} or @{command
+ proof}. Then we are again in @{text "state"} mode of a proof body,
+ which may issue @{command show} statements to solve pending
+ sub-goals. A concluding @{command qed} will return to the original
+ @{text "state"} mode one level upwards. The subsequent Isar/VM
+ trace indicates block structure, linguistic mode, goal state, and
+ inferences:
+*}
+
+text_raw {* \begingroup\footnotesize *}
+(*<*)notepad begin
+(*>*)
+ txt_raw {* \begin{minipage}[t]{0.18\textwidth} *}
+ have "A \<longrightarrow> B"
+ proof
+ assume A
+ show B
+ sorry %noproof
+ qed
+ txt_raw {* \end{minipage}\quad
+\begin{minipage}[t]{0.06\textwidth}
+@{text "begin"} \\
+\\
+\\
+@{text "begin"} \\
+@{text "end"} \\
+@{text "end"} \\
+\end{minipage}
+\begin{minipage}[t]{0.08\textwidth}
+@{text "prove"} \\
+@{text "state"} \\
+@{text "state"} \\
+@{text "prove"} \\
+@{text "state"} \\
+@{text "state"} \\
+\end{minipage}\begin{minipage}[t]{0.35\textwidth}
+@{text "(A \<longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)"} \\
+@{text "(A \<Longrightarrow> B) \<Longrightarrow> #(A \<longrightarrow> B)"} \\
+\\
+\\
+@{text "#(A \<longrightarrow> B)"} \\
+@{text "A \<longrightarrow> B"} \\
+\end{minipage}\begin{minipage}[t]{0.4\textwidth}
+@{text "(init)"} \\
+@{text "(resolution impI)"} \\
+\\
+\\
+@{text "(refinement #A \<Longrightarrow> B)"} \\
+@{text "(finish)"} \\
+\end{minipage} *}
+(*<*)
+end
+(*>*)
+text_raw {* \endgroup *}
+
+text {*
+ \noindent Here the @{inference refinement} inference from
+ \secref{sec:framework-resolution} mediates composition of Isar
+ sub-proofs nicely. Observe that this principle incorporates some
+ degree of freedom in proof composition. In particular, the proof
+ body allows parameters and assumptions to be re-ordered, or commuted
+ according to Hereditary Harrop Form. Moreover, context elements
+ that are not used in a sub-proof may be omitted altogether. For
+ example:
+*}
+
+text_raw {*\begin{minipage}{0.5\textwidth}*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
+ proof -
+ fix x and y
+ assume "A x" and "B y"
+ show "C x y" sorry %noproof
+ qed
+
+txt_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
+
+(*<*)
+next
+(*>*)
+ have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
+ proof -
+ fix x assume "A x"
+ fix y assume "B y"
+ show "C x y" sorry %noproof
+ qed
+
+txt_raw {*\end{minipage}\\[3ex]\begin{minipage}{0.5\textwidth}*}
+
+(*<*)
+next
+(*>*)
+ have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
+ proof -
+ fix y assume "B y"
+ fix x assume "A x"
+ show "C x y" sorry
+ qed
+
+txt_raw {*\end{minipage}\begin{minipage}{0.5\textwidth}*}
+(*<*)
+next
+(*>*)
+ have "\<And>x y. A x \<Longrightarrow> B y \<Longrightarrow> C x y"
+ proof -
+ fix y assume "B y"
+ fix x
+ show "C x y" sorry
+ qed
+(*<*)
+end
+(*>*)
+
+text_raw {*\end{minipage}*}
+
+text {*
+ \medskip\noindent Such ``peephole optimizations'' of Isar texts are
+ practically important to improve readability, by rearranging
+ contexts elements according to the natural flow of reasoning in the
+ body, while still observing the overall scoping rules.
+
+ \medskip This illustrates the basic idea of structured proof
+ processing in Isar. The main mechanisms are based on natural
+ deduction rule composition within the Pure framework. In
+ particular, there are no direct operations on goal states within the
+ proof body. Moreover, there is no hidden automated reasoning
+ involved, just plain unification.
+*}
+
+
+subsection {* Calculational reasoning \label{sec:framework-calc} *}
+
+text {*
+ The existing Isar infrastructure is sufficiently flexible to support
+ calculational reasoning (chains of transitivity steps) as derived
+ concept. The generic proof elements introduced below depend on
+ rules declared as @{attribute trans} in the context. It is left to
+ the object-logic to provide a suitable rule collection for mixed
+ relations of @{text "="}, @{text "<"}, @{text "\<le>"}, @{text "\<subset>"},
+ @{text "\<subseteq>"} etc. Due to the flexibility of rule composition
+ (\secref{sec:framework-resolution}), substitution of equals by
+ equals is covered as well, even substitution of inequalities
+ involving monotonicity conditions; see also \cite[\S6]{Wenzel-PhD}
+ and \cite{Bauer-Wenzel:2001}.
+
+ The generic calculational mechanism is based on the observation that
+ rules such as @{text "trans:"}~@{prop "x = y \<Longrightarrow> y = z \<Longrightarrow> x = z"}
+ proceed from the premises towards the conclusion in a deterministic
+ fashion. Thus we may reason in forward mode, feeding intermediate
+ results into rules selected from the context. The course of
+ reasoning is organized by maintaining a secondary fact called
+ ``@{fact calculation}'', apart from the primary ``@{fact this}''
+ already provided by the Isar primitives. In the definitions below,
+ @{attribute OF} refers to @{inference resolution}
+ (\secref{sec:framework-resolution}) with multiple rule arguments,
+ and @{text "trans"} represents to a suitable rule from the context:
+
+ \begin{matharray}{rcl}
+ @{command "also"}@{text "\<^sub>0"} & \equiv & @{command "note"}~@{text "calculation = this"} \\
+ @{command "also"}@{text "\<^sub>n\<^sub>+\<^sub>1"} & \equiv & @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\[0.5ex]
+ @{command "finally"} & \equiv & @{command "also"}~@{command "from"}~@{text calculation} \\
+ \end{matharray}
+
+ \noindent The start of a calculation is determined implicitly in the
+ text: here @{command also} sets @{fact calculation} to the current
+ result; any subsequent occurrence will update @{fact calculation} by
+ combination with the next result and a transitivity rule. The
+ calculational sequence is concluded via @{command finally}, where
+ the final result is exposed for use in a concluding claim.
+
+ Here is a canonical proof pattern, using @{command have} to
+ establish the intermediate results:
+*}
+
+(*<*)
+notepad
+begin
+(*>*)
+ have "a = b" sorry
+ also have "\<dots> = c" sorry
+ also have "\<dots> = d" sorry
+ finally have "a = d" .
+(*<*)
+end
+(*>*)
+
+text {*
+ \noindent The term ``@{text "\<dots>"}'' above is a special abbreviation
+ provided by the Isabelle/Isar syntax layer: it statically refers to
+ the right-hand side argument of the previous statement given in the
+ text. Thus it happens to coincide with relevant sub-expressions in
+ the calculational chain, but the exact correspondence is dependent
+ on the transitivity rules being involved.
+
+ \medskip Symmetry rules such as @{prop "x = y \<Longrightarrow> y = x"} are like
+ transitivities with only one premise. Isar maintains a separate
+ rule collection declared via the @{attribute sym} attribute, to be
+ used in fact expressions ``@{text "a [symmetric]"}'', or single-step
+ proofs ``@{command assume}~@{text "x = y"}~@{command then}~@{command
+ have}~@{text "y = x"}~@{command ".."}''.
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Generic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1279 @@
+theory Generic
+imports Base Main
+begin
+
+chapter {* Generic tools and packages \label{ch:gen-tools} *}
+
+section {* Configuration options \label{sec:config} *}
+
+text {* Isabelle/Pure maintains a record of named configuration
+ options within the theory or proof context, with values of type
+ @{ML_type bool}, @{ML_type int}, @{ML_type real}, or @{ML_type
+ string}. Tools may declare options in ML, and then refer to these
+ values (relative to the context). Thus global reference variables
+ are easily avoided. The user may change the value of a
+ configuration option by means of an associated attribute of the same
+ name. This form of context declaration works particularly well with
+ commands such as @{command "declare"} or @{command "using"} like
+ this:
+*}
+
+declare [[show_main_goal = false]]
+
+notepad
+begin
+ note [[show_main_goal = true]]
+end
+
+text {* For historical reasons, some tools cannot take the full proof
+ context into account and merely refer to the background theory.
+ This is accommodated by configuration options being declared as
+ ``global'', which may not be changed within a local context.
+
+ \begin{matharray}{rcll}
+ @{command_def "print_configs"} & : & @{text "context \<rightarrow>"} \\
+ \end{matharray}
+
+ @{rail "
+ @{syntax name} ('=' ('true' | 'false' | @{syntax int} | @{syntax float} | @{syntax name}))?
+ "}
+
+ \begin{description}
+
+ \item @{command "print_configs"} prints the available configuration
+ options, with names, types, and current values.
+
+ \item @{text "name = value"} as an attribute expression modifies the
+ named option, with the syntax of the value depending on the option's
+ type. For @{ML_type bool} the default value is @{text true}. Any
+ attempt to change a global option in a local context is ignored.
+
+ \end{description}
+*}
+
+
+section {* Basic proof tools *}
+
+subsection {* Miscellaneous methods and attributes \label{sec:misc-meth-att} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def unfold} & : & @{text method} \\
+ @{method_def fold} & : & @{text method} \\
+ @{method_def insert} & : & @{text method} \\[0.5ex]
+ @{method_def erule}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def drule}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def frule}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def intro} & : & @{text method} \\
+ @{method_def elim} & : & @{text method} \\
+ @{method_def succeed} & : & @{text method} \\
+ @{method_def fail} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{method fold} | @@{method unfold} | @@{method insert}) @{syntax thmrefs}
+ ;
+ (@@{method erule} | @@{method drule} | @@{method frule})
+ ('(' @{syntax nat} ')')? @{syntax thmrefs}
+ ;
+ (@@{method intro} | @@{method elim}) @{syntax thmrefs}?
+ "}
+
+ \begin{description}
+
+ \item @{method unfold}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} and @{method fold}~@{text
+ "a\<^sub>1 \<dots> a\<^sub>n"} expand (or fold back) the given definitions throughout
+ all goals; any chained facts provided are inserted into the goal and
+ subject to rewriting as well.
+
+ \item @{method insert}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} inserts theorems as facts
+ into all goals of the proof state. Note that current facts
+ indicated for forward chaining are ignored.
+
+ \item @{method erule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}, @{method
+ drule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}, and @{method frule}~@{text
+ "a\<^sub>1 \<dots> a\<^sub>n"} are similar to the basic @{method rule}
+ method (see \secref{sec:pure-meth-att}), but apply rules by
+ elim-resolution, destruct-resolution, and forward-resolution,
+ respectively \cite{isabelle-implementation}. The optional natural
+ number argument (default 0) specifies additional assumption steps to
+ be performed here.
+
+ Note that these methods are improper ones, mainly serving for
+ experimentation and tactic script emulation. Different modes of
+ basic rule application are usually expressed in Isar at the proof
+ language level, rather than via implicit proof state manipulations.
+ For example, a proper single-step elimination would be done using
+ the plain @{method rule} method, with forward chaining of current
+ facts.
+
+ \item @{method intro} and @{method elim} repeatedly refine some goal
+ by intro- or elim-resolution, after having inserted any chained
+ facts. Exactly the rules given as arguments are taken into account;
+ this allows fine-tuned decomposition of a proof problem, in contrast
+ to common automated tools.
+
+ \item @{method succeed} yields a single (unchanged) result; it is
+ the identity of the ``@{text ","}'' method combinator (cf.\
+ \secref{sec:proof-meth}).
+
+ \item @{method fail} yields an empty result sequence; it is the
+ identity of the ``@{text "|"}'' method combinator (cf.\
+ \secref{sec:proof-meth}).
+
+ \end{description}
+
+ \begin{matharray}{rcl}
+ @{attribute_def tagged} & : & @{text attribute} \\
+ @{attribute_def untagged} & : & @{text attribute} \\[0.5ex]
+ @{attribute_def THEN} & : & @{text attribute} \\
+ @{attribute_def unfolded} & : & @{text attribute} \\
+ @{attribute_def folded} & : & @{text attribute} \\
+ @{attribute_def abs_def} & : & @{text attribute} \\[0.5ex]
+ @{attribute_def rotated} & : & @{text attribute} \\
+ @{attribute_def (Pure) elim_format} & : & @{text attribute} \\
+ @{attribute_def standard}@{text "\<^sup>*"} & : & @{text attribute} \\
+ @{attribute_def no_vars}@{text "\<^sup>*"} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute tagged} @{syntax name} @{syntax name}
+ ;
+ @@{attribute untagged} @{syntax name}
+ ;
+ @@{attribute THEN} ('[' @{syntax nat} ']')? @{syntax thmref}
+ ;
+ (@@{attribute unfolded} | @@{attribute folded}) @{syntax thmrefs}
+ ;
+ @@{attribute rotated} @{syntax int}?
+ "}
+
+ \begin{description}
+
+ \item @{attribute tagged}~@{text "name value"} and @{attribute
+ untagged}~@{text name} add and remove \emph{tags} of some theorem.
+ Tags may be any list of string pairs that serve as formal comment.
+ The first string is considered the tag name, the second its value.
+ Note that @{attribute untagged} removes any tags of the same name.
+
+ \item @{attribute THEN}~@{text a} composes rules by resolution; it
+ resolves with the first premise of @{text a} (an alternative
+ position may be also specified). See also @{ML_op "RS"} in
+ \cite{isabelle-implementation}.
+
+ \item @{attribute unfolded}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} and @{attribute
+ folded}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} expand and fold back again the given
+ definitions throughout a rule.
+
+ \item @{attribute abs_def} turns an equation of the form @{prop "f x
+ y \<equiv> t"} into @{prop "f \<equiv> \<lambda>x y. t"}, which ensures that @{method
+ simp} or @{method unfold} steps always expand it. This also works
+ for object-logic equality.
+
+ \item @{attribute rotated}~@{text n} rotate the premises of a
+ theorem by @{text n} (default 1).
+
+ \item @{attribute (Pure) elim_format} turns a destruction rule into
+ elimination rule format, by resolving with the rule @{prop "PROP A \<Longrightarrow>
+ (PROP A \<Longrightarrow> PROP B) \<Longrightarrow> PROP B"}.
+
+ Note that the Classical Reasoner (\secref{sec:classical}) provides
+ its own version of this operation.
+
+ \item @{attribute standard} puts a theorem into the standard form of
+ object-rules at the outermost theory level. Note that this
+ operation violates the local proof context (including active
+ locales).
+
+ \item @{attribute no_vars} replaces schematic variables by free
+ ones; this is mainly for tuning output of pretty printed theorems.
+
+ \end{description}
+*}
+
+
+subsection {* Low-level equational reasoning *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def subst} & : & @{text method} \\
+ @{method_def hypsubst} & : & @{text method} \\
+ @{method_def split} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method subst} ('(' 'asm' ')')? \\ ('(' (@{syntax nat}+) ')')? @{syntax thmref}
+ ;
+ @@{method split} @{syntax thmrefs}
+ "}
+
+ These methods provide low-level facilities for equational reasoning
+ that are intended for specialized applications only. Normally,
+ single step calculations would be performed in a structured text
+ (see also \secref{sec:calculation}), while the Simplifier methods
+ provide the canonical way for automated normalization (see
+ \secref{sec:simplifier}).
+
+ \begin{description}
+
+ \item @{method subst}~@{text eq} performs a single substitution step
+ using rule @{text eq}, which may be either a meta or object
+ equality.
+
+ \item @{method subst}~@{text "(asm) eq"} substitutes in an
+ assumption.
+
+ \item @{method subst}~@{text "(i \<dots> j) eq"} performs several
+ substitutions in the conclusion. The numbers @{text i} to @{text j}
+ indicate the positions to substitute at. Positions are ordered from
+ the top of the term tree moving down from left to right. For
+ example, in @{text "(a + b) + (c + d)"} there are three positions
+ where commutativity of @{text "+"} is applicable: 1 refers to @{text
+ "a + b"}, 2 to the whole term, and 3 to @{text "c + d"}.
+
+ If the positions in the list @{text "(i \<dots> j)"} are non-overlapping
+ (e.g.\ @{text "(2 3)"} in @{text "(a + b) + (c + d)"}) you may
+ assume all substitutions are performed simultaneously. Otherwise
+ the behaviour of @{text subst} is not specified.
+
+ \item @{method subst}~@{text "(asm) (i \<dots> j) eq"} performs the
+ substitutions in the assumptions. The positions refer to the
+ assumptions in order from left to right. For example, given in a
+ goal of the form @{text "P (a + b) \<Longrightarrow> P (c + d) \<Longrightarrow> \<dots>"}, position 1 of
+ commutativity of @{text "+"} is the subterm @{text "a + b"} and
+ position 2 is the subterm @{text "c + d"}.
+
+ \item @{method hypsubst} performs substitution using some
+ assumption; this only works for equations of the form @{text "x =
+ t"} where @{text x} is a free or bound variable.
+
+ \item @{method split}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} performs single-step case
+ splitting using the given rules. Splitting is performed in the
+ conclusion or some assumption of the subgoal, depending of the
+ structure of the rule.
+
+ Note that the @{method simp} method already involves repeated
+ application of split rules as declared in the current context, using
+ @{attribute split}, for example.
+
+ \end{description}
+*}
+
+
+subsection {* Further tactic emulations \label{sec:tactics} *}
+
+text {*
+ The following improper proof methods emulate traditional tactics.
+ These admit direct access to the goal state, which is normally
+ considered harmful! In particular, this may involve both numbered
+ goal addressing (default 1), and dynamic instantiation within the
+ scope of some subgoal.
+
+ \begin{warn}
+ Dynamic instantiations refer to universally quantified parameters
+ of a subgoal (the dynamic context) rather than fixed variables and
+ term abbreviations of a (static) Isar context.
+ \end{warn}
+
+ Tactic emulation methods, unlike their ML counterparts, admit
+ simultaneous instantiation from both dynamic and static contexts.
+ If names occur in both contexts goal parameters hide locally fixed
+ variables. Likewise, schematic variables refer to term
+ abbreviations, if present in the static context. Otherwise the
+ schematic variable is interpreted as a schematic variable and left
+ to be solved by unification with certain parts of the subgoal.
+
+ Note that the tactic emulation proof methods in Isabelle/Isar are
+ consistently named @{text foo_tac}. Note also that variable names
+ occurring on left hand sides of instantiations must be preceded by a
+ question mark if they coincide with a keyword or contain dots. This
+ is consistent with the attribute @{attribute "where"} (see
+ \secref{sec:pure-meth-att}).
+
+ \begin{matharray}{rcl}
+ @{method_def rule_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def erule_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def drule_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def frule_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def cut_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def thin_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def subgoal_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def rename_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def rotate_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def tactic}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def raw_tactic}@{text "\<^sup>*"} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{method rule_tac} | @@{method erule_tac} | @@{method drule_tac} |
+ @@{method frule_tac} | @@{method cut_tac} | @@{method thin_tac}) @{syntax goal_spec}? \\
+ ( dynamic_insts @'in' @{syntax thmref} | @{syntax thmrefs} )
+ ;
+ @@{method subgoal_tac} @{syntax goal_spec}? (@{syntax prop} +)
+ ;
+ @@{method rename_tac} @{syntax goal_spec}? (@{syntax name} +)
+ ;
+ @@{method rotate_tac} @{syntax goal_spec}? @{syntax int}?
+ ;
+ (@@{method tactic} | @@{method raw_tactic}) @{syntax text}
+ ;
+
+ dynamic_insts: ((@{syntax name} '=' @{syntax term}) + @'and')
+ "}
+
+\begin{description}
+
+ \item @{method rule_tac} etc. do resolution of rules with explicit
+ instantiation. This works the same way as the ML tactics @{ML
+ res_inst_tac} etc. (see \cite{isabelle-implementation})
+
+ Multiple rules may be only given if there is no instantiation; then
+ @{method rule_tac} is the same as @{ML resolve_tac} in ML (see
+ \cite{isabelle-implementation}).
+
+ \item @{method cut_tac} inserts facts into the proof state as
+ assumption of a subgoal; instantiations may be given as well. Note
+ that the scope of schematic variables is spread over the main goal
+ statement and rule premises are turned into new subgoals. This is
+ in contrast to the regular method @{method insert} which inserts
+ closed rule statements.
+
+ \item @{method thin_tac}~@{text \<phi>} deletes the specified premise
+ from a subgoal. Note that @{text \<phi>} may contain schematic
+ variables, to abbreviate the intended proposition; the first
+ matching subgoal premise will be deleted. Removing useless premises
+ from a subgoal increases its readability and can make search tactics
+ run faster.
+
+ \item @{method subgoal_tac}~@{text "\<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} adds the propositions
+ @{text "\<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} as local premises to a subgoal, and poses the same
+ as new subgoals (in the original context).
+
+ \item @{method rename_tac}~@{text "x\<^sub>1 \<dots> x\<^sub>n"} renames parameters of a
+ goal according to the list @{text "x\<^sub>1, \<dots>, x\<^sub>n"}, which refers to the
+ \emph{suffix} of variables.
+
+ \item @{method rotate_tac}~@{text n} rotates the premises of a
+ subgoal by @{text n} positions: from right to left if @{text n} is
+ positive, and from left to right if @{text n} is negative; the
+ default value is 1.
+
+ \item @{method tactic}~@{text "text"} produces a proof method from
+ any ML text of type @{ML_type tactic}. Apart from the usual ML
+ environment and the current proof context, the ML code may refer to
+ the locally bound values @{ML_text facts}, which indicates any
+ current facts used for forward-chaining.
+
+ \item @{method raw_tactic} is similar to @{method tactic}, but
+ presents the goal state in its raw internal form, where simultaneous
+ subgoals appear as conjunction of the logical framework instead of
+ the usual split into several subgoals. While feature this is useful
+ for debugging of complex method definitions, it should not never
+ appear in production theories.
+
+ \end{description}
+*}
+
+
+section {* The Simplifier \label{sec:simplifier} *}
+
+subsection {* Simplification methods *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def simp} & : & @{text method} \\
+ @{method_def simp_all} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{method simp} | @@{method simp_all}) opt? (@{syntax simpmod} * )
+ ;
+
+ opt: '(' ('no_asm' | 'no_asm_simp' | 'no_asm_use' | 'asm_lr' ) ')'
+ ;
+ @{syntax_def simpmod}: ('add' | 'del' | 'only' | 'cong' (() | 'add' | 'del') |
+ 'split' (() | 'add' | 'del')) ':' @{syntax thmrefs}
+ "}
+
+ \begin{description}
+
+ \item @{method simp} invokes the Simplifier, after declaring
+ additional rules according to the arguments given. Note that the
+ @{text only} modifier first removes all other rewrite rules,
+ congruences, and looper tactics (including splits), and then behaves
+ like @{text add}.
+
+ \medskip The @{text cong} modifiers add or delete Simplifier
+ congruence rules (see also \secref{sec:simp-cong}), the default is
+ to add.
+
+ \medskip The @{text split} modifiers add or delete rules for the
+ Splitter (see also \cite{isabelle-ref}), the default is to add.
+ This works only if the Simplifier method has been properly setup to
+ include the Splitter (all major object logics such HOL, HOLCF, FOL,
+ ZF do this already).
+
+ \item @{method simp_all} is similar to @{method simp}, but acts on
+ all goals (backwards from the last to the first one).
+
+ \end{description}
+
+ By default the Simplifier methods take local assumptions fully into
+ account, using equational assumptions in the subsequent
+ normalization process, or simplifying assumptions themselves (cf.\
+ @{ML asm_full_simp_tac} in \cite{isabelle-ref}). In structured
+ proofs this is usually quite well behaved in practice: just the
+ local premises of the actual goal are involved, additional facts may
+ be inserted via explicit forward-chaining (via @{command "then"},
+ @{command "from"}, @{command "using"} etc.).
+
+ Additional Simplifier options may be specified to tune the behavior
+ further (mostly for unstructured scripts with many accidental local
+ facts): ``@{text "(no_asm)"}'' means assumptions are ignored
+ completely (cf.\ @{ML simp_tac}), ``@{text "(no_asm_simp)"}'' means
+ assumptions are used in the simplification of the conclusion but are
+ not themselves simplified (cf.\ @{ML asm_simp_tac}), and ``@{text
+ "(no_asm_use)"}'' means assumptions are simplified but are not used
+ in the simplification of each other or the conclusion (cf.\ @{ML
+ full_simp_tac}). For compatibility reasons, there is also an option
+ ``@{text "(asm_lr)"}'', which means that an assumption is only used
+ for simplifying assumptions which are to the right of it (cf.\ @{ML
+ asm_lr_simp_tac}).
+
+ The configuration option @{text "depth_limit"} limits the number of
+ recursive invocations of the simplifier during conditional
+ rewriting.
+
+ \medskip The Splitter package is usually configured to work as part
+ of the Simplifier. The effect of repeatedly applying @{ML
+ split_tac} can be simulated by ``@{text "(simp only: split:
+ a\<^sub>1 \<dots> a\<^sub>n)"}''. There is also a separate @{text split}
+ method available for single-step case splitting.
+*}
+
+
+subsection {* Declaring rules *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "print_simpset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def simp} & : & @{text attribute} \\
+ @{attribute_def split} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{attribute simp} | @@{attribute split}) (() | 'add' | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{command "print_simpset"} prints the collection of rules
+ declared to the Simplifier, which is also known as ``simpset''
+ internally \cite{isabelle-ref}.
+
+ \item @{attribute simp} declares simplification rules.
+
+ \item @{attribute split} declares case split rules.
+
+ \end{description}
+*}
+
+
+subsection {* Congruence rules\label{sec:simp-cong} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{attribute_def cong} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute cong} (() | 'add' | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{attribute cong} declares congruence rules to the Simplifier
+ context.
+
+ \end{description}
+
+ Congruence rules are equalities of the form @{text [display]
+ "\<dots> \<Longrightarrow> f ?x\<^sub>1 \<dots> ?x\<^sub>n = f ?y\<^sub>1 \<dots> ?y\<^sub>n"}
+
+ This controls the simplification of the arguments of @{text f}. For
+ example, some arguments can be simplified under additional
+ assumptions: @{text [display] "?P\<^sub>1 \<longleftrightarrow> ?Q\<^sub>1 \<Longrightarrow> (?Q\<^sub>1 \<Longrightarrow> ?P\<^sub>2 \<longleftrightarrow> ?Q\<^sub>2) \<Longrightarrow>
+ (?P\<^sub>1 \<longrightarrow> ?P\<^sub>2) \<longleftrightarrow> (?Q\<^sub>1 \<longrightarrow> ?Q\<^sub>2)"}
+
+ Given this rule, the simplifier assumes @{text "?Q\<^sub>1"} and extracts
+ rewrite rules from it when simplifying @{text "?P\<^sub>2"}. Such local
+ assumptions are effective for rewriting formulae such as @{text "x =
+ 0 \<longrightarrow> y + x = y"}.
+
+ %FIXME
+ %The local assumptions are also provided as theorems to the solver;
+ %see \secref{sec:simp-solver} below.
+
+ \medskip The following congruence rule for bounded quantifiers also
+ supplies contextual information --- about the bound variable:
+ @{text [display] "(?A = ?B) \<Longrightarrow> (\<And>x. x \<in> ?B \<Longrightarrow> ?P x \<longleftrightarrow> ?Q x) \<Longrightarrow>
+ (\<forall>x \<in> ?A. ?P x) \<longleftrightarrow> (\<forall>x \<in> ?B. ?Q x)"}
+
+ \medskip This congruence rule for conditional expressions can
+ supply contextual information for simplifying the arms:
+ @{text [display] "?p = ?q \<Longrightarrow> (?q \<Longrightarrow> ?a = ?c) \<Longrightarrow> (\<not> ?q \<Longrightarrow> ?b = ?d) \<Longrightarrow>
+ (if ?p then ?a else ?b) = (if ?q then ?c else ?d)"}
+
+ A congruence rule can also \emph{prevent} simplification of some
+ arguments. Here is an alternative congruence rule for conditional
+ expressions that conforms to non-strict functional evaluation:
+ @{text [display] "?p = ?q \<Longrightarrow> (if ?p then ?a else ?b) = (if ?q then ?a else ?b)"}
+
+ Only the first argument is simplified; the others remain unchanged.
+ This can make simplification much faster, but may require an extra
+ case split over the condition @{text "?q"} to prove the goal.
+*}
+
+
+subsection {* Simplification procedures *}
+
+text {* Simplification procedures are ML functions that produce proven
+ rewrite rules on demand. They are associated with higher-order
+ patterns that approximate the left-hand sides of equations. The
+ Simplifier first matches the current redex against one of the LHS
+ patterns; if this succeeds, the corresponding ML function is
+ invoked, passing the Simplifier context and redex term. Thus rules
+ may be specifically fashioned for particular situations, resulting
+ in a more powerful mechanism than term rewriting by a fixed set of
+ rules.
+
+ Any successful result needs to be a (possibly conditional) rewrite
+ rule @{text "t \<equiv> u"} that is applicable to the current redex. The
+ rule will be applied just as any ordinary rewrite rule. It is
+ expected to be already in \emph{internal form}, bypassing the
+ automatic preprocessing of object-level equivalences.
+
+ \begin{matharray}{rcl}
+ @{command_def "simproc_setup"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ simproc & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command simproc_setup} @{syntax name} '(' (@{syntax term} + '|') ')' '='
+ @{syntax text} \\ (@'identifier' (@{syntax nameref}+))?
+ ;
+
+ @@{attribute simproc} (('add' ':')? | 'del' ':') (@{syntax name}+)
+ "}
+
+ \begin{description}
+
+ \item @{command "simproc_setup"} defines a named simplification
+ procedure that is invoked by the Simplifier whenever any of the
+ given term patterns match the current redex. The implementation,
+ which is provided as ML source text, needs to be of type @{ML_type
+ "morphism -> simpset -> cterm -> thm option"}, where the @{ML_type
+ cterm} represents the current redex @{text r} and the result is
+ supposed to be some proven rewrite rule @{text "r \<equiv> r'"} (or a
+ generalized version), or @{ML NONE} to indicate failure. The
+ @{ML_type simpset} argument holds the full context of the current
+ Simplifier invocation, including the actual Isar proof context. The
+ @{ML_type morphism} informs about the difference of the original
+ compilation context wrt.\ the one of the actual application later
+ on. The optional @{keyword "identifier"} specifies theorems that
+ represent the logical content of the abstract theory of this
+ simproc.
+
+ Morphisms and identifiers are only relevant for simprocs that are
+ defined within a local target context, e.g.\ in a locale.
+
+ \item @{text "simproc add: name"} and @{text "simproc del: name"}
+ add or delete named simprocs to the current Simplifier context. The
+ default is to add a simproc. Note that @{command "simproc_setup"}
+ already adds the new simproc to the subsequent context.
+
+ \end{description}
+*}
+
+
+subsubsection {* Example *}
+
+text {* The following simplification procedure for @{thm
+ [source=false, show_types] unit_eq} in HOL performs fine-grained
+ control over rule application, beyond higher-order pattern matching.
+ Declaring @{thm unit_eq} as @{attribute simp} directly would make
+ the simplifier loop! Note that a version of this simplification
+ procedure is already active in Isabelle/HOL. *}
+
+simproc_setup unit ("x::unit") = {*
+ fn _ => fn _ => fn ct =>
+ if HOLogic.is_unit (term_of ct) then NONE
+ else SOME (mk_meta_eq @{thm unit_eq})
+*}
+
+text {* Since the Simplifier applies simplification procedures
+ frequently, it is important to make the failure check in ML
+ reasonably fast. *}
+
+
+subsection {* Forward simplification *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{attribute_def simplified} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute simplified} opt? @{syntax thmrefs}?
+ ;
+
+ opt: '(' ('no_asm' | 'no_asm_simp' | 'no_asm_use') ')'
+ "}
+
+ \begin{description}
+
+ \item @{attribute simplified}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} causes a theorem to
+ be simplified, either by exactly the specified rules @{text "a\<^sub>1, \<dots>,
+ a\<^sub>n"}, or the implicit Simplifier context if no arguments are given.
+ The result is fully simplified by default, including assumptions and
+ conclusion; the options @{text no_asm} etc.\ tune the Simplifier in
+ the same way as the for the @{text simp} method.
+
+ Note that forward simplification restricts the simplifier to its
+ most basic operation of term rewriting; solver and looper tactics
+ \cite{isabelle-ref} are \emph{not} involved here. The @{text
+ simplified} attribute should be only rarely required under normal
+ circumstances.
+
+ \end{description}
+*}
+
+
+section {* The Classical Reasoner \label{sec:classical} *}
+
+subsection {* Basic concepts *}
+
+text {* Although Isabelle is generic, many users will be working in
+ some extension of classical first-order logic. Isabelle/ZF is built
+ upon theory FOL, while Isabelle/HOL conceptually contains
+ first-order logic as a fragment. Theorem-proving in predicate logic
+ is undecidable, but many automated strategies have been developed to
+ assist in this task.
+
+ Isabelle's classical reasoner is a generic package that accepts
+ certain information about a logic and delivers a suite of automatic
+ proof tools, based on rules that are classified and declared in the
+ context. These proof procedures are slow and simplistic compared
+ with high-end automated theorem provers, but they can save
+ considerable time and effort in practice. They can prove theorems
+ such as Pelletier's \cite{pelletier86} problems 40 and 41 in a few
+ milliseconds (including full proof reconstruction): *}
+
+lemma "(\<exists>y. \<forall>x. F x y \<longleftrightarrow> F x x) \<longrightarrow> \<not> (\<forall>x. \<exists>y. \<forall>z. F z y \<longleftrightarrow> \<not> F z x)"
+ by blast
+
+lemma "(\<forall>z. \<exists>y. \<forall>x. f x y \<longleftrightarrow> f x z \<and> \<not> f x x) \<longrightarrow> \<not> (\<exists>z. \<forall>x. f x z)"
+ by blast
+
+text {* The proof tools are generic. They are not restricted to
+ first-order logic, and have been heavily used in the development of
+ the Isabelle/HOL library and applications. The tactics can be
+ traced, and their components can be called directly; in this manner,
+ any proof can be viewed interactively. *}
+
+
+subsubsection {* The sequent calculus *}
+
+text {* Isabelle supports natural deduction, which is easy to use for
+ interactive proof. But natural deduction does not easily lend
+ itself to automation, and has a bias towards intuitionism. For
+ certain proofs in classical logic, it can not be called natural.
+ The \emph{sequent calculus}, a generalization of natural deduction,
+ is easier to automate.
+
+ A \textbf{sequent} has the form @{text "\<Gamma> \<turnstile> \<Delta>"}, where @{text "\<Gamma>"}
+ and @{text "\<Delta>"} are sets of formulae.\footnote{For first-order
+ logic, sequents can equivalently be made from lists or multisets of
+ formulae.} The sequent @{text "P\<^sub>1, \<dots>, P\<^sub>m \<turnstile> Q\<^sub>1, \<dots>, Q\<^sub>n"} is
+ \textbf{valid} if @{text "P\<^sub>1 \<and> \<dots> \<and> P\<^sub>m"} implies @{text "Q\<^sub>1 \<or> \<dots> \<or>
+ Q\<^sub>n"}. Thus @{text "P\<^sub>1, \<dots>, P\<^sub>m"} represent assumptions, each of which
+ is true, while @{text "Q\<^sub>1, \<dots>, Q\<^sub>n"} represent alternative goals. A
+ sequent is \textbf{basic} if its left and right sides have a common
+ formula, as in @{text "P, Q \<turnstile> Q, R"}; basic sequents are trivially
+ valid.
+
+ Sequent rules are classified as \textbf{right} or \textbf{left},
+ indicating which side of the @{text "\<turnstile>"} symbol they operate on.
+ Rules that operate on the right side are analogous to natural
+ deduction's introduction rules, and left rules are analogous to
+ elimination rules. The sequent calculus analogue of @{text "(\<longrightarrow>I)"}
+ is the rule
+ \[
+ \infer[@{text "(\<longrightarrow>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, P \<longrightarrow> Q"}}{@{text "P, \<Gamma> \<turnstile> \<Delta>, Q"}}
+ \]
+ Applying the rule backwards, this breaks down some implication on
+ the right side of a sequent; @{text "\<Gamma>"} and @{text "\<Delta>"} stand for
+ the sets of formulae that are unaffected by the inference. The
+ analogue of the pair @{text "(\<or>I1)"} and @{text "(\<or>I2)"} is the
+ single rule
+ \[
+ \infer[@{text "(\<or>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, P \<or> Q"}}{@{text "\<Gamma> \<turnstile> \<Delta>, P, Q"}}
+ \]
+ This breaks down some disjunction on the right side, replacing it by
+ both disjuncts. Thus, the sequent calculus is a kind of
+ multiple-conclusion logic.
+
+ To illustrate the use of multiple formulae on the right, let us
+ prove the classical theorem @{text "(P \<longrightarrow> Q) \<or> (Q \<longrightarrow> P)"}. Working
+ backwards, we reduce this formula to a basic sequent:
+ \[
+ \infer[@{text "(\<or>R)"}]{@{text "\<turnstile> (P \<longrightarrow> Q) \<or> (Q \<longrightarrow> P)"}}
+ {\infer[@{text "(\<longrightarrow>R)"}]{@{text "\<turnstile> (P \<longrightarrow> Q), (Q \<longrightarrow> P)"}}
+ {\infer[@{text "(\<longrightarrow>R)"}]{@{text "P \<turnstile> Q, (Q \<longrightarrow> P)"}}
+ {@{text "P, Q \<turnstile> Q, P"}}}}
+ \]
+
+ This example is typical of the sequent calculus: start with the
+ desired theorem and apply rules backwards in a fairly arbitrary
+ manner. This yields a surprisingly effective proof procedure.
+ Quantifiers add only few complications, since Isabelle handles
+ parameters and schematic variables. See \cite[Chapter
+ 10]{paulson-ml2} for further discussion. *}
+
+
+subsubsection {* Simulating sequents by natural deduction *}
+
+text {* Isabelle can represent sequents directly, as in the
+ object-logic LK. But natural deduction is easier to work with, and
+ most object-logics employ it. Fortunately, we can simulate the
+ sequent @{text "P\<^sub>1, \<dots>, P\<^sub>m \<turnstile> Q\<^sub>1, \<dots>, Q\<^sub>n"} by the Isabelle formula
+ @{text "P\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> P\<^sub>m \<Longrightarrow> \<not> Q\<^sub>2 \<Longrightarrow> ... \<Longrightarrow> \<not> Q\<^sub>n \<Longrightarrow> Q\<^sub>1"} where the order of
+ the assumptions and the choice of @{text "Q\<^sub>1"} are arbitrary.
+ Elim-resolution plays a key role in simulating sequent proofs.
+
+ We can easily handle reasoning on the left. Elim-resolution with
+ the rules @{text "(\<or>E)"}, @{text "(\<bottom>E)"} and @{text "(\<exists>E)"} achieves
+ a similar effect as the corresponding sequent rules. For the other
+ connectives, we use sequent-style elimination rules instead of
+ destruction rules such as @{text "(\<and>E1, 2)"} and @{text "(\<forall>E)"}.
+ But note that the rule @{text "(\<not>L)"} has no effect under our
+ representation of sequents!
+ \[
+ \infer[@{text "(\<not>L)"}]{@{text "\<not> P, \<Gamma> \<turnstile> \<Delta>"}}{@{text "\<Gamma> \<turnstile> \<Delta>, P"}}
+ \]
+
+ What about reasoning on the right? Introduction rules can only
+ affect the formula in the conclusion, namely @{text "Q\<^sub>1"}. The
+ other right-side formulae are represented as negated assumptions,
+ @{text "\<not> Q\<^sub>2, \<dots>, \<not> Q\<^sub>n"}. In order to operate on one of these, it
+ must first be exchanged with @{text "Q\<^sub>1"}. Elim-resolution with the
+ @{text swap} rule has this effect: @{text "\<not> P \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> R"}
+
+ To ensure that swaps occur only when necessary, each introduction
+ rule is converted into a swapped form: it is resolved with the
+ second premise of @{text "(swap)"}. The swapped form of @{text
+ "(\<and>I)"}, which might be called @{text "(\<not>\<and>E)"}, is
+ @{text [display] "\<not> (P \<and> Q) \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> (\<not> R \<Longrightarrow> Q) \<Longrightarrow> R"}
+
+ Similarly, the swapped form of @{text "(\<longrightarrow>I)"} is
+ @{text [display] "\<not> (P \<longrightarrow> Q) \<Longrightarrow> (\<not> R \<Longrightarrow> P \<Longrightarrow> Q) \<Longrightarrow> R"}
+
+ Swapped introduction rules are applied using elim-resolution, which
+ deletes the negated formula. Our representation of sequents also
+ requires the use of ordinary introduction rules. If we had no
+ regard for readability of intermediate goal states, we could treat
+ the right side more uniformly by representing sequents as @{text
+ [display] "P\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> P\<^sub>m \<Longrightarrow> \<not> Q\<^sub>1 \<Longrightarrow> \<dots> \<Longrightarrow> \<not> Q\<^sub>n \<Longrightarrow> \<bottom>"}
+*}
+
+
+subsubsection {* Extra rules for the sequent calculus *}
+
+text {* As mentioned, destruction rules such as @{text "(\<and>E1, 2)"} and
+ @{text "(\<forall>E)"} must be replaced by sequent-style elimination rules.
+ In addition, we need rules to embody the classical equivalence
+ between @{text "P \<longrightarrow> Q"} and @{text "\<not> P \<or> Q"}. The introduction
+ rules @{text "(\<or>I1, 2)"} are replaced by a rule that simulates
+ @{text "(\<or>R)"}: @{text [display] "(\<not> Q \<Longrightarrow> P) \<Longrightarrow> P \<or> Q"}
+
+ The destruction rule @{text "(\<longrightarrow>E)"} is replaced by @{text [display]
+ "(P \<longrightarrow> Q) \<Longrightarrow> (\<not> P \<Longrightarrow> R) \<Longrightarrow> (Q \<Longrightarrow> R) \<Longrightarrow> R"}
+
+ Quantifier replication also requires special rules. In classical
+ logic, @{text "\<exists>x. P x"} is equivalent to @{text "\<not> (\<forall>x. \<not> P x)"};
+ the rules @{text "(\<exists>R)"} and @{text "(\<forall>L)"} are dual:
+ \[
+ \infer[@{text "(\<exists>R)"}]{@{text "\<Gamma> \<turnstile> \<Delta>, \<exists>x. P x"}}{@{text "\<Gamma> \<turnstile> \<Delta>, \<exists>x. P x, P t"}}
+ \qquad
+ \infer[@{text "(\<forall>L)"}]{@{text "\<forall>x. P x, \<Gamma> \<turnstile> \<Delta>"}}{@{text "P t, \<forall>x. P x, \<Gamma> \<turnstile> \<Delta>"}}
+ \]
+ Thus both kinds of quantifier may be replicated. Theorems requiring
+ multiple uses of a universal formula are easy to invent; consider
+ @{text [display] "(\<forall>x. P x \<longrightarrow> P (f x)) \<and> P a \<longrightarrow> P (f\<^sup>n a)"} for any
+ @{text "n > 1"}. Natural examples of the multiple use of an
+ existential formula are rare; a standard one is @{text "\<exists>x. \<forall>y. P x
+ \<longrightarrow> P y"}.
+
+ Forgoing quantifier replication loses completeness, but gains
+ decidability, since the search space becomes finite. Many useful
+ theorems can be proved without replication, and the search generally
+ delivers its verdict in a reasonable time. To adopt this approach,
+ represent the sequent rules @{text "(\<exists>R)"}, @{text "(\<exists>L)"} and
+ @{text "(\<forall>R)"} by @{text "(\<exists>I)"}, @{text "(\<exists>E)"} and @{text "(\<forall>I)"},
+ respectively, and put @{text "(\<forall>E)"} into elimination form: @{text
+ [display] "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> Q) \<Longrightarrow> Q"}
+
+ Elim-resolution with this rule will delete the universal formula
+ after a single use. To replicate universal quantifiers, replace the
+ rule by @{text [display] "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> \<forall>x. P x \<Longrightarrow> Q) \<Longrightarrow> Q"}
+
+ To replicate existential quantifiers, replace @{text "(\<exists>I)"} by
+ @{text [display] "(\<not> (\<exists>x. P x) \<Longrightarrow> P t) \<Longrightarrow> \<exists>x. P x"}
+
+ All introduction rules mentioned above are also useful in swapped
+ form.
+
+ Replication makes the search space infinite; we must apply the rules
+ with care. The classical reasoner distinguishes between safe and
+ unsafe rules, applying the latter only when there is no alternative.
+ Depth-first search may well go down a blind alley; best-first search
+ is better behaved in an infinite search space. However, quantifier
+ replication is too expensive to prove any but the simplest theorems.
+*}
+
+
+subsection {* Rule declarations *}
+
+text {* The proof tools of the Classical Reasoner depend on
+ collections of rules declared in the context, which are classified
+ as introduction, elimination or destruction and as \emph{safe} or
+ \emph{unsafe}. In general, safe rules can be attempted blindly,
+ while unsafe rules must be used with care. A safe rule must never
+ reduce a provable goal to an unprovable set of subgoals.
+
+ The rule @{text "P \<Longrightarrow> P \<or> Q"} is unsafe because it reduces @{text "P
+ \<or> Q"} to @{text "P"}, which might turn out as premature choice of an
+ unprovable subgoal. Any rule is unsafe whose premises contain new
+ unknowns. The elimination rule @{text "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> Q) \<Longrightarrow> Q"} is
+ unsafe, since it is applied via elim-resolution, which discards the
+ assumption @{text "\<forall>x. P x"} and replaces it by the weaker
+ assumption @{text "P t"}. The rule @{text "P t \<Longrightarrow> \<exists>x. P x"} is
+ unsafe for similar reasons. The quantifier duplication rule @{text
+ "\<forall>x. P x \<Longrightarrow> (P t \<Longrightarrow> \<forall>x. P x \<Longrightarrow> Q) \<Longrightarrow> Q"} is unsafe in a different sense:
+ since it keeps the assumption @{text "\<forall>x. P x"}, it is prone to
+ looping. In classical first-order logic, all rules are safe except
+ those mentioned above.
+
+ The safe~/ unsafe distinction is vague, and may be regarded merely
+ as a way of giving some rules priority over others. One could argue
+ that @{text "(\<or>E)"} is unsafe, because repeated application of it
+ could generate exponentially many subgoals. Induction rules are
+ unsafe because inductive proofs are difficult to set up
+ automatically. Any inference is unsafe that instantiates an unknown
+ in the proof state --- thus matching must be used, rather than
+ unification. Even proof by assumption is unsafe if it instantiates
+ unknowns shared with other subgoals.
+
+ \begin{matharray}{rcl}
+ @{command_def "print_claset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def intro} & : & @{text attribute} \\
+ @{attribute_def elim} & : & @{text attribute} \\
+ @{attribute_def dest} & : & @{text attribute} \\
+ @{attribute_def rule} & : & @{text attribute} \\
+ @{attribute_def iff} & : & @{text attribute} \\
+ @{attribute_def swapped} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{attribute intro} | @@{attribute elim} | @@{attribute dest}) ('!' | () | '?') @{syntax nat}?
+ ;
+ @@{attribute rule} 'del'
+ ;
+ @@{attribute iff} (((() | 'add') '?'?) | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{command "print_claset"} prints the collection of rules
+ declared to the Classical Reasoner, i.e.\ the @{ML_type claset}
+ within the context.
+
+ \item @{attribute intro}, @{attribute elim}, and @{attribute dest}
+ declare introduction, elimination, and destruction rules,
+ respectively. By default, rules are considered as \emph{unsafe}
+ (i.e.\ not applied blindly without backtracking), while ``@{text
+ "!"}'' classifies as \emph{safe}. Rule declarations marked by
+ ``@{text "?"}'' coincide with those of Isabelle/Pure, cf.\
+ \secref{sec:pure-meth-att} (i.e.\ are only applied in single steps
+ of the @{method rule} method). The optional natural number
+ specifies an explicit weight argument, which is ignored by the
+ automated reasoning tools, but determines the search order of single
+ rule steps.
+
+ Introduction rules are those that can be applied using ordinary
+ resolution. Their swapped forms are generated internally, which
+ will be applied using elim-resolution. Elimination rules are
+ applied using elim-resolution. Rules are sorted by the number of
+ new subgoals they will yield; rules that generate the fewest
+ subgoals will be tried first. Otherwise, later declarations take
+ precedence over earlier ones.
+
+ Rules already present in the context with the same classification
+ are ignored. A warning is printed if the rule has already been
+ added with some other classification, but the rule is added anyway
+ as requested.
+
+ \item @{attribute rule}~@{text del} deletes all occurrences of a
+ rule from the classical context, regardless of its classification as
+ introduction~/ elimination~/ destruction and safe~/ unsafe.
+
+ \item @{attribute iff} declares logical equivalences to the
+ Simplifier and the Classical reasoner at the same time.
+ Non-conditional rules result in a safe introduction and elimination
+ pair; conditional ones are considered unsafe. Rules with negative
+ conclusion are automatically inverted (using @{text "\<not>"}-elimination
+ internally).
+
+ The ``@{text "?"}'' version of @{attribute iff} declares rules to
+ the Isabelle/Pure context only, and omits the Simplifier
+ declaration.
+
+ \item @{attribute swapped} turns an introduction rule into an
+ elimination, by resolving with the classical swap principle @{text
+ "\<not> P \<Longrightarrow> (\<not> R \<Longrightarrow> P) \<Longrightarrow> R"} in the second position. This is mainly for
+ illustrative purposes: the Classical Reasoner already swaps rules
+ internally as explained above.
+
+ \end{description}
+*}
+
+
+subsection {* Structured methods *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def rule} & : & @{text method} \\
+ @{method_def contradiction} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method rule} @{syntax thmrefs}?
+ "}
+
+ \begin{description}
+
+ \item @{method rule} as offered by the Classical Reasoner is a
+ refinement over the Pure one (see \secref{sec:pure-meth-att}). Both
+ versions work the same, but the classical version observes the
+ classical rule context in addition to that of Isabelle/Pure.
+
+ Common object logics (HOL, ZF, etc.) declare a rich collection of
+ classical rules (even if these would qualify as intuitionistic
+ ones), but only few declarations to the rule context of
+ Isabelle/Pure (\secref{sec:pure-meth-att}).
+
+ \item @{method contradiction} solves some goal by contradiction,
+ deriving any result from both @{text "\<not> A"} and @{text A}. Chained
+ facts, which are guaranteed to participate, may appear in either
+ order.
+
+ \end{description}
+*}
+
+
+subsection {* Automated methods *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def blast} & : & @{text method} \\
+ @{method_def auto} & : & @{text method} \\
+ @{method_def force} & : & @{text method} \\
+ @{method_def fast} & : & @{text method} \\
+ @{method_def slow} & : & @{text method} \\
+ @{method_def best} & : & @{text method} \\
+ @{method_def fastforce} & : & @{text method} \\
+ @{method_def slowsimp} & : & @{text method} \\
+ @{method_def bestsimp} & : & @{text method} \\
+ @{method_def deepen} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method blast} @{syntax nat}? (@{syntax clamod} * )
+ ;
+ @@{method auto} (@{syntax nat} @{syntax nat})? (@{syntax clasimpmod} * )
+ ;
+ @@{method force} (@{syntax clasimpmod} * )
+ ;
+ (@@{method fast} | @@{method slow} | @@{method best}) (@{syntax clamod} * )
+ ;
+ (@@{method fastforce} | @@{method slowsimp} | @@{method bestsimp})
+ (@{syntax clasimpmod} * )
+ ;
+ @@{method deepen} (@{syntax nat} ?) (@{syntax clamod} * )
+ ;
+ @{syntax_def clamod}:
+ (('intro' | 'elim' | 'dest') ('!' | () | '?') | 'del') ':' @{syntax thmrefs}
+ ;
+ @{syntax_def clasimpmod}: ('simp' (() | 'add' | 'del' | 'only') |
+ ('cong' | 'split') (() | 'add' | 'del') |
+ 'iff' (((() | 'add') '?'?) | 'del') |
+ (('intro' | 'elim' | 'dest') ('!' | () | '?') | 'del')) ':' @{syntax thmrefs}
+ "}
+
+ \begin{description}
+
+ \item @{method blast} is a separate classical tableau prover that
+ uses the same classical rule declarations as explained before.
+
+ Proof search is coded directly in ML using special data structures.
+ A successful proof is then reconstructed using regular Isabelle
+ inferences. It is faster and more powerful than the other classical
+ reasoning tools, but has major limitations too.
+
+ \begin{itemize}
+
+ \item It does not use the classical wrapper tacticals, such as the
+ integration with the Simplifier of @{method fastforce}.
+
+ \item It does not perform higher-order unification, as needed by the
+ rule @{thm [source=false] rangeI} in HOL. There are often
+ alternatives to such rules, for example @{thm [source=false]
+ range_eqI}.
+
+ \item Function variables may only be applied to parameters of the
+ subgoal. (This restriction arises because the prover does not use
+ higher-order unification.) If other function variables are present
+ then the prover will fail with the message \texttt{Function Var's
+ argument not a bound variable}.
+
+ \item Its proof strategy is more general than @{method fast} but can
+ be slower. If @{method blast} fails or seems to be running forever,
+ try @{method fast} and the other proof tools described below.
+
+ \end{itemize}
+
+ The optional integer argument specifies a bound for the number of
+ unsafe steps used in a proof. By default, @{method blast} starts
+ with a bound of 0 and increases it successively to 20. In contrast,
+ @{text "(blast lim)"} tries to prove the goal using a search bound
+ of @{text "lim"}. Sometimes a slow proof using @{method blast} can
+ be made much faster by supplying the successful search bound to this
+ proof method instead.
+
+ \item @{method auto} combines classical reasoning with
+ simplification. It is intended for situations where there are a lot
+ of mostly trivial subgoals; it proves all the easy ones, leaving the
+ ones it cannot prove. Occasionally, attempting to prove the hard
+ ones may take a long time.
+
+ The optional depth arguments in @{text "(auto m n)"} refer to its
+ builtin classical reasoning procedures: @{text m} (default 4) is for
+ @{method blast}, which is tried first, and @{text n} (default 2) is
+ for a slower but more general alternative that also takes wrappers
+ into account.
+
+ \item @{method force} is intended to prove the first subgoal
+ completely, using many fancy proof tools and performing a rather
+ exhaustive search. As a result, proof attempts may take rather long
+ or diverge easily.
+
+ \item @{method fast}, @{method best}, @{method slow} attempt to
+ prove the first subgoal using sequent-style reasoning as explained
+ before. Unlike @{method blast}, they construct proofs directly in
+ Isabelle.
+
+ There is a difference in search strategy and back-tracking: @{method
+ fast} uses depth-first search and @{method best} uses best-first
+ search (guided by a heuristic function: normally the total size of
+ the proof state).
+
+ Method @{method slow} is like @{method fast}, but conducts a broader
+ search: it may, when backtracking from a failed proof attempt, undo
+ even the step of proving a subgoal by assumption.
+
+ \item @{method fastforce}, @{method slowsimp}, @{method bestsimp}
+ are like @{method fast}, @{method slow}, @{method best},
+ respectively, but use the Simplifier as additional wrapper. The name
+ @{method fastforce}, reflects the behaviour of this popular method
+ better without requiring an understanding of its implementation.
+
+ \item @{method deepen} works by exhaustive search up to a certain
+ depth. The start depth is 4 (unless specified explicitly), and the
+ depth is increased iteratively up to 10. Unsafe rules are modified
+ to preserve the formula they act on, so that it be used repeatedly.
+ This method can prove more goals than @{method fast}, but is much
+ slower, for example if the assumptions have many universal
+ quantifiers.
+
+ \end{description}
+
+ Any of the above methods support additional modifiers of the context
+ of classical (and simplifier) rules, but the ones related to the
+ Simplifier are explicitly prefixed by @{text simp} here. The
+ semantics of these ad-hoc rule declarations is analogous to the
+ attributes given before. Facts provided by forward chaining are
+ inserted into the goal before commencing proof search.
+*}
+
+
+subsection {* Semi-automated methods *}
+
+text {* These proof methods may help in situations when the
+ fully-automated tools fail. The result is a simpler subgoal that
+ can be tackled by other means, such as by manual instantiation of
+ quantifiers.
+
+ \begin{matharray}{rcl}
+ @{method_def safe} & : & @{text method} \\
+ @{method_def clarify} & : & @{text method} \\
+ @{method_def clarsimp} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{method safe} | @@{method clarify}) (@{syntax clamod} * )
+ ;
+ @@{method clarsimp} (@{syntax clasimpmod} * )
+ "}
+
+ \begin{description}
+
+ \item @{method safe} repeatedly performs safe steps on all subgoals.
+ It is deterministic, with at most one outcome.
+
+ \item @{method clarify} performs a series of safe steps without
+ splitting subgoals; see also @{ML clarify_step_tac}.
+
+ \item @{method clarsimp} acts like @{method clarify}, but also does
+ simplification. Note that if the Simplifier context includes a
+ splitter for the premises, the subgoal may still be split.
+
+ \end{description}
+*}
+
+
+subsection {* Single-step tactics *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{index_ML safe_step_tac: "Proof.context -> int -> tactic"} \\
+ @{index_ML inst_step_tac: "Proof.context -> int -> tactic"} \\
+ @{index_ML step_tac: "Proof.context -> int -> tactic"} \\
+ @{index_ML slow_step_tac: "Proof.context -> int -> tactic"} \\
+ @{index_ML clarify_step_tac: "Proof.context -> int -> tactic"} \\
+ \end{matharray}
+
+ These are the primitive tactics behind the (semi)automated proof
+ methods of the Classical Reasoner. By calling them yourself, you
+ can execute these procedures one step at a time.
+
+ \begin{description}
+
+ \item @{ML safe_step_tac}~@{text "ctxt i"} performs a safe step on
+ subgoal @{text i}. The safe wrapper tacticals are applied to a
+ tactic that may include proof by assumption or Modus Ponens (taking
+ care not to instantiate unknowns), or substitution.
+
+ \item @{ML inst_step_tac} is like @{ML safe_step_tac}, but allows
+ unknowns to be instantiated.
+
+ \item @{ML step_tac}~@{text "ctxt i"} is the basic step of the proof
+ procedure. The unsafe wrapper tacticals are applied to a tactic
+ that tries @{ML safe_tac}, @{ML inst_step_tac}, or applies an unsafe
+ rule from the context.
+
+ \item @{ML slow_step_tac} resembles @{ML step_tac}, but allows
+ backtracking between using safe rules with instantiation (@{ML
+ inst_step_tac}) and using unsafe rules. The resulting search space
+ is larger.
+
+ \item @{ML clarify_step_tac}~@{text "ctxt i"} performs a safe step
+ on subgoal @{text i}. No splitting step is applied; for example,
+ the subgoal @{text "A \<and> B"} is left as a conjunction. Proof by
+ assumption, Modus Ponens, etc., may be performed provided they do
+ not instantiate unknowns. Assumptions of the form @{text "x = t"}
+ may be eliminated. The safe wrapper tactical is applied.
+
+ \end{description}
+*}
+
+
+section {* Object-logic setup \label{sec:object-logic} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "judgment"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{method_def atomize} & : & @{text method} \\
+ @{attribute_def atomize} & : & @{text attribute} \\
+ @{attribute_def rule_format} & : & @{text attribute} \\
+ @{attribute_def rulify} & : & @{text attribute} \\
+ \end{matharray}
+
+ The very starting point for any Isabelle object-logic is a ``truth
+ judgment'' that links object-level statements to the meta-logic
+ (with its minimal language of @{text prop} that covers universal
+ quantification @{text "\<And>"} and implication @{text "\<Longrightarrow>"}).
+
+ Common object-logics are sufficiently expressive to internalize rule
+ statements over @{text "\<And>"} and @{text "\<Longrightarrow>"} within their own
+ language. This is useful in certain situations where a rule needs
+ to be viewed as an atomic statement from the meta-level perspective,
+ e.g.\ @{text "\<And>x. x \<in> A \<Longrightarrow> P x"} versus @{text "\<forall>x \<in> A. P x"}.
+
+ From the following language elements, only the @{method atomize}
+ method and @{attribute rule_format} attribute are occasionally
+ required by end-users, the rest is for those who need to setup their
+ own object-logic. In the latter case existing formulations of
+ Isabelle/FOL or Isabelle/HOL may be taken as realistic examples.
+
+ Generic tools may refer to the information provided by object-logic
+ declarations internally.
+
+ @{rail "
+ @@{command judgment} @{syntax name} '::' @{syntax type} @{syntax mixfix}?
+ ;
+ @@{attribute atomize} ('(' 'full' ')')?
+ ;
+ @@{attribute rule_format} ('(' 'noasm' ')')?
+ "}
+
+ \begin{description}
+
+ \item @{command "judgment"}~@{text "c :: \<sigma> (mx)"} declares constant
+ @{text c} as the truth judgment of the current object-logic. Its
+ type @{text \<sigma>} should specify a coercion of the category of
+ object-level propositions to @{text prop} of the Pure meta-logic;
+ the mixfix annotation @{text "(mx)"} would typically just link the
+ object language (internally of syntactic category @{text logic})
+ with that of @{text prop}. Only one @{command "judgment"}
+ declaration may be given in any theory development.
+
+ \item @{method atomize} (as a method) rewrites any non-atomic
+ premises of a sub-goal, using the meta-level equations declared via
+ @{attribute atomize} (as an attribute) beforehand. As a result,
+ heavily nested goals become amenable to fundamental operations such
+ as resolution (cf.\ the @{method (Pure) rule} method). Giving the ``@{text
+ "(full)"}'' option here means to turn the whole subgoal into an
+ object-statement (if possible), including the outermost parameters
+ and assumptions as well.
+
+ A typical collection of @{attribute atomize} rules for a particular
+ object-logic would provide an internalization for each of the
+ connectives of @{text "\<And>"}, @{text "\<Longrightarrow>"}, and @{text "\<equiv>"}.
+ Meta-level conjunction should be covered as well (this is
+ particularly important for locales, see \secref{sec:locale}).
+
+ \item @{attribute rule_format} rewrites a theorem by the equalities
+ declared as @{attribute rulify} rules in the current object-logic.
+ By default, the result is fully normalized, including assumptions
+ and conclusions at any depth. The @{text "(no_asm)"} option
+ restricts the transformation to the conclusion of a rule.
+
+ In common object-logics (HOL, FOL, ZF), the effect of @{attribute
+ rule_format} is to replace (bounded) universal quantification
+ (@{text "\<forall>"}) and implication (@{text "\<longrightarrow>"}) by the corresponding
+ rule statements over @{text "\<And>"} and @{text "\<Longrightarrow>"}.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/HOL_Specific.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2366 @@
+theory HOL_Specific
+imports Base Main "~~/src/HOL/Library/Old_Recdef"
+begin
+
+chapter {* Isabelle/HOL \label{ch:hol} *}
+
+section {* Higher-Order Logic *}
+
+text {* Isabelle/HOL is based on Higher-Order Logic, a polymorphic
+ version of Church's Simple Theory of Types. HOL can be best
+ understood as a simply-typed version of classical set theory. The
+ logic was first implemented in Gordon's HOL system
+ \cite{mgordon-hol}. It extends Church's original logic
+ \cite{church40} by explicit type variables (naive polymorphism) and
+ a sound axiomatization scheme for new types based on subsets of
+ existing types.
+
+ Andrews's book \cite{andrews86} is a full description of the
+ original Church-style higher-order logic, with proofs of correctness
+ and completeness wrt.\ certain set-theoretic interpretations. The
+ particular extensions of Gordon-style HOL are explained semantically
+ in two chapters of the 1993 HOL book \cite{pitts93}.
+
+ Experience with HOL over decades has demonstrated that higher-order
+ logic is widely applicable in many areas of mathematics and computer
+ science. In a sense, Higher-Order Logic is simpler than First-Order
+ Logic, because there are fewer restrictions and special cases. Note
+ that HOL is \emph{weaker} than FOL with axioms for ZF set theory,
+ which is traditionally considered the standard foundation of regular
+ mathematics, but for most applications this does not matter. If you
+ prefer ML to Lisp, you will probably prefer HOL to ZF.
+
+ \medskip The syntax of HOL follows @{text "\<lambda>"}-calculus and
+ functional programming. Function application is curried. To apply
+ the function @{text f} of type @{text "\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3"} to the
+ arguments @{text a} and @{text b} in HOL, you simply write @{text "f
+ a b"} (as in ML or Haskell). There is no ``apply'' operator; the
+ existing application of the Pure @{text "\<lambda>"}-calculus is re-used.
+ Note that in HOL @{text "f (a, b)"} means ``@{text "f"} applied to
+ the pair @{text "(a, b)"} (which is notation for @{text "Pair a
+ b"}). The latter typically introduces extra formal efforts that can
+ be avoided by currying functions by default. Explicit tuples are as
+ infrequent in HOL formalizations as in good ML or Haskell programs.
+
+ \medskip Isabelle/HOL has a distinct feel, compared to other
+ object-logics like Isabelle/ZF. It identifies object-level types
+ with meta-level types, taking advantage of the default
+ type-inference mechanism of Isabelle/Pure. HOL fully identifies
+ object-level functions with meta-level functions, with native
+ abstraction and application.
+
+ These identifications allow Isabelle to support HOL particularly
+ nicely, but they also mean that HOL requires some sophistication
+ from the user. In particular, an understanding of Hindley-Milner
+ type-inference with type-classes, which are both used extensively in
+ the standard libraries and applications. Beginners can set
+ @{attribute show_types} or even @{attribute show_sorts} to get more
+ explicit information about the result of type-inference. *}
+
+
+section {* Inductive and coinductive definitions \label{sec:hol-inductive} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "inductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def (HOL) "inductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def (HOL) "coinductive"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def (HOL) "coinductive_set"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{attribute_def (HOL) mono} & : & @{text attribute} \\
+ \end{matharray}
+
+ An \emph{inductive definition} specifies the least predicate or set
+ @{text R} closed under given rules: applying a rule to elements of
+ @{text R} yields a result within @{text R}. For example, a
+ structural operational semantics is an inductive definition of an
+ evaluation relation.
+
+ Dually, a \emph{coinductive definition} specifies the greatest
+ predicate or set @{text R} that is consistent with given rules:
+ every element of @{text R} can be seen as arising by applying a rule
+ to elements of @{text R}. An important example is using
+ bisimulation relations to formalise equivalence of processes and
+ infinite data structures.
+
+ Both inductive and coinductive definitions are based on the
+ Knaster-Tarski fixed-point theorem for complete lattices. The
+ collection of introduction rules given by the user determines a
+ functor on subsets of set-theoretic relations. The required
+ monotonicity of the recursion scheme is proven as a prerequisite to
+ the fixed-point definition and the resulting consequences. This
+ works by pushing inclusion through logical connectives and any other
+ operator that might be wrapped around recursive occurrences of the
+ defined relation: there must be a monotonicity theorem of the form
+ @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for each premise @{text "\<M> R t"} in an
+ introduction rule. The default rule declarations of Isabelle/HOL
+ already take care of most common situations.
+
+ @{rail "
+ (@@{command (HOL) inductive} | @@{command (HOL) inductive_set} |
+ @@{command (HOL) coinductive} | @@{command (HOL) coinductive_set})
+ @{syntax target}? \\
+ @{syntax \"fixes\"} (@'for' @{syntax \"fixes\"})? (@'where' clauses)? \\
+ (@'monos' @{syntax thmrefs})?
+ ;
+ clauses: (@{syntax thmdecl}? @{syntax prop} + '|')
+ ;
+ @@{attribute (HOL) mono} (() | 'add' | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "inductive"} and @{command (HOL)
+ "coinductive"} define (co)inductive predicates from the introduction
+ rules.
+
+ The propositions given as @{text "clauses"} in the @{keyword
+ "where"} part are either rules of the usual @{text "\<And>/\<Longrightarrow>"} format
+ (with arbitrary nesting), or equalities using @{text "\<equiv>"}. The
+ latter specifies extra-logical abbreviations in the sense of
+ @{command_ref abbreviation}. Introducing abstract syntax
+ simultaneously with the actual introduction rules is occasionally
+ useful for complex specifications.
+
+ The optional @{keyword "for"} part contains a list of parameters of
+ the (co)inductive predicates that remain fixed throughout the
+ definition, in contrast to arguments of the relation that may vary
+ in each occurrence within the given @{text "clauses"}.
+
+ The optional @{keyword "monos"} declaration contains additional
+ \emph{monotonicity theorems}, which are required for each operator
+ applied to a recursive set in the introduction rules.
+
+ \item @{command (HOL) "inductive_set"} and @{command (HOL)
+ "coinductive_set"} are wrappers for to the previous commands for
+ native HOL predicates. This allows to define (co)inductive sets,
+ where multiple arguments are simulated via tuples.
+
+ \item @{attribute (HOL) mono} declares monotonicity rules in the
+ context. These rule are involved in the automated monotonicity
+ proof of the above inductive and coinductive definitions.
+
+ \end{description}
+*}
+
+
+subsection {* Derived rules *}
+
+text {* A (co)inductive definition of @{text R} provides the following
+ main theorems:
+
+ \begin{description}
+
+ \item @{text R.intros} is the list of introduction rules as proven
+ theorems, for the recursive predicates (or sets). The rules are
+ also available individually, using the names given them in the
+ theory file;
+
+ \item @{text R.cases} is the case analysis (or elimination) rule;
+
+ \item @{text R.induct} or @{text R.coinduct} is the (co)induction
+ rule;
+
+ \item @{text R.simps} is the equation unrolling the fixpoint of the
+ predicate one step.
+
+ \end{description}
+
+ When several predicates @{text "R\<^sub>1, \<dots>, R\<^sub>n"} are
+ defined simultaneously, the list of introduction rules is called
+ @{text "R\<^sub>1_\<dots>_R\<^sub>n.intros"}, the case analysis rules are
+ called @{text "R\<^sub>1.cases, \<dots>, R\<^sub>n.cases"}, and the list
+ of mutual induction rules is called @{text
+ "R\<^sub>1_\<dots>_R\<^sub>n.inducts"}.
+*}
+
+
+subsection {* Monotonicity theorems *}
+
+text {* The context maintains a default set of theorems that are used
+ in monotonicity proofs. New rules can be declared via the
+ @{attribute (HOL) mono} attribute. See the main Isabelle/HOL
+ sources for some examples. The general format of such monotonicity
+ theorems is as follows:
+
+ \begin{itemize}
+
+ \item Theorems of the form @{text "A \<le> B \<Longrightarrow> \<M> A \<le> \<M> B"}, for proving
+ monotonicity of inductive definitions whose introduction rules have
+ premises involving terms such as @{text "\<M> R t"}.
+
+ \item Monotonicity theorems for logical operators, which are of the
+ general form @{text "(\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> (\<dots> \<longrightarrow> \<dots>) \<Longrightarrow> \<dots> \<longrightarrow> \<dots>"}. For example, in
+ the case of the operator @{text "\<or>"}, the corresponding theorem is
+ \[
+ \infer{@{text "P\<^sub>1 \<or> P\<^sub>2 \<longrightarrow> Q\<^sub>1 \<or> Q\<^sub>2"}}{@{text "P\<^sub>1 \<longrightarrow> Q\<^sub>1"} & @{text "P\<^sub>2 \<longrightarrow> Q\<^sub>2"}}
+ \]
+
+ \item De Morgan style equations for reasoning about the ``polarity''
+ of expressions, e.g.
+ \[
+ @{prop "\<not> \<not> P \<longleftrightarrow> P"} \qquad\qquad
+ @{prop "\<not> (P \<and> Q) \<longleftrightarrow> \<not> P \<or> \<not> Q"}
+ \]
+
+ \item Equations for reducing complex operators to more primitive
+ ones whose monotonicity can easily be proved, e.g.
+ \[
+ @{prop "(P \<longrightarrow> Q) \<longleftrightarrow> \<not> P \<or> Q"} \qquad\qquad
+ @{prop "Ball A P \<equiv> \<forall>x. x \<in> A \<longrightarrow> P x"}
+ \]
+
+ \end{itemize}
+*}
+
+subsubsection {* Examples *}
+
+text {* The finite powerset operator can be defined inductively like this: *}
+
+inductive_set Fin :: "'a set \<Rightarrow> 'a set set" for A :: "'a set"
+where
+ empty: "{} \<in> Fin A"
+| insert: "a \<in> A \<Longrightarrow> B \<in> Fin A \<Longrightarrow> insert a B \<in> Fin A"
+
+text {* The accessible part of a relation is defined as follows: *}
+
+inductive acc :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> bool"
+ for r :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix "\<prec>" 50)
+where acc: "(\<And>y. y \<prec> x \<Longrightarrow> acc r y) \<Longrightarrow> acc r x"
+
+text {* Common logical connectives can be easily characterized as
+non-recursive inductive definitions with parameters, but without
+arguments. *}
+
+inductive AND for A B :: bool
+where "A \<Longrightarrow> B \<Longrightarrow> AND A B"
+
+inductive OR for A B :: bool
+where "A \<Longrightarrow> OR A B"
+ | "B \<Longrightarrow> OR A B"
+
+inductive EXISTS for B :: "'a \<Rightarrow> bool"
+where "B a \<Longrightarrow> EXISTS B"
+
+text {* Here the @{text "cases"} or @{text "induct"} rules produced by
+ the @{command inductive} package coincide with the expected
+ elimination rules for Natural Deduction. Already in the original
+ article by Gerhard Gentzen \cite{Gentzen:1935} there is a hint that
+ each connective can be characterized by its introductions, and the
+ elimination can be constructed systematically. *}
+
+
+section {* Recursive functions \label{sec:recursion} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "primrec"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def (HOL) "fun"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def (HOL) "function"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def (HOL) "termination"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) primrec} @{syntax target}? @{syntax \"fixes\"} @'where' equations
+ ;
+ (@@{command (HOL) fun} | @@{command (HOL) function}) @{syntax target}? functionopts?
+ @{syntax \"fixes\"} \\ @'where' equations
+ ;
+
+ equations: (@{syntax thmdecl}? @{syntax prop} + '|')
+ ;
+ functionopts: '(' (('sequential' | 'domintros') + ',') ')'
+ ;
+ @@{command (HOL) termination} @{syntax term}?
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "primrec"} defines primitive recursive
+ functions over datatypes (see also @{command_ref (HOL) datatype} and
+ @{command_ref (HOL) rep_datatype}). The given @{text equations}
+ specify reduction rules that are produced by instantiating the
+ generic combinator for primitive recursion that is available for
+ each datatype.
+
+ Each equation needs to be of the form:
+
+ @{text [display] "f x\<^sub>1 \<dots> x\<^sub>m (C y\<^sub>1 \<dots> y\<^sub>k) z\<^sub>1 \<dots> z\<^sub>n = rhs"}
+
+ such that @{text C} is a datatype constructor, @{text rhs} contains
+ only the free variables on the left-hand side (or from the context),
+ and all recursive occurrences of @{text "f"} in @{text "rhs"} are of
+ the form @{text "f \<dots> y\<^sub>i \<dots>"} for some @{text i}. At most one
+ reduction rule for each constructor can be given. The order does
+ not matter. For missing constructors, the function is defined to
+ return a default value, but this equation is made difficult to
+ access for users.
+
+ The reduction rules are declared as @{attribute simp} by default,
+ which enables standard proof methods like @{method simp} and
+ @{method auto} to normalize expressions of @{text "f"} applied to
+ datatype constructions, by simulating symbolic computation via
+ rewriting.
+
+ \item @{command (HOL) "function"} defines functions by general
+ wellfounded recursion. A detailed description with examples can be
+ found in \cite{isabelle-function}. The function is specified by a
+ set of (possibly conditional) recursive equations with arbitrary
+ pattern matching. The command generates proof obligations for the
+ completeness and the compatibility of patterns.
+
+ The defined function is considered partial, and the resulting
+ simplification rules (named @{text "f.psimps"}) and induction rule
+ (named @{text "f.pinduct"}) are guarded by a generated domain
+ predicate @{text "f_dom"}. The @{command (HOL) "termination"}
+ command can then be used to establish that the function is total.
+
+ \item @{command (HOL) "fun"} is a shorthand notation for ``@{command
+ (HOL) "function"}~@{text "(sequential)"}, followed by automated
+ proof attempts regarding pattern matching and termination. See
+ \cite{isabelle-function} for further details.
+
+ \item @{command (HOL) "termination"}~@{text f} commences a
+ termination proof for the previously defined function @{text f}. If
+ this is omitted, the command refers to the most recent function
+ definition. After the proof is closed, the recursive equations and
+ the induction principle is established.
+
+ \end{description}
+
+ Recursive definitions introduced by the @{command (HOL) "function"}
+ command accommodate reasoning by induction (cf.\ @{method induct}):
+ rule @{text "f.induct"} refers to a specific induction rule, with
+ parameters named according to the user-specified equations. Cases
+ are numbered starting from 1. For @{command (HOL) "primrec"}, the
+ induction principle coincides with structural recursion on the
+ datatype where the recursion is carried out.
+
+ The equations provided by these packages may be referred later as
+ theorem list @{text "f.simps"}, where @{text f} is the (collective)
+ name of the functions defined. Individual equations may be named
+ explicitly as well.
+
+ The @{command (HOL) "function"} command accepts the following
+ options.
+
+ \begin{description}
+
+ \item @{text sequential} enables a preprocessor which disambiguates
+ overlapping patterns by making them mutually disjoint. Earlier
+ equations take precedence over later ones. This allows to give the
+ specification in a format very similar to functional programming.
+ Note that the resulting simplification and induction rules
+ correspond to the transformed specification, not the one given
+ originally. This usually means that each equation given by the user
+ may result in several theorems. Also note that this automatic
+ transformation only works for ML-style datatype patterns.
+
+ \item @{text domintros} enables the automated generation of
+ introduction rules for the domain predicate. While mostly not
+ needed, they can be helpful in some proofs about partial functions.
+
+ \end{description}
+*}
+
+subsubsection {* Example: evaluation of expressions *}
+
+text {* Subsequently, we define mutual datatypes for arithmetic and
+ boolean expressions, and use @{command primrec} for evaluation
+ functions that follow the same recursive structure. *}
+
+datatype 'a aexp =
+ IF "'a bexp" "'a aexp" "'a aexp"
+ | Sum "'a aexp" "'a aexp"
+ | Diff "'a aexp" "'a aexp"
+ | Var 'a
+ | Num nat
+and 'a bexp =
+ Less "'a aexp" "'a aexp"
+ | And "'a bexp" "'a bexp"
+ | Neg "'a bexp"
+
+
+text {* \medskip Evaluation of arithmetic and boolean expressions *}
+
+primrec evala :: "('a \<Rightarrow> nat) \<Rightarrow> 'a aexp \<Rightarrow> nat"
+ and evalb :: "('a \<Rightarrow> nat) \<Rightarrow> 'a bexp \<Rightarrow> bool"
+where
+ "evala env (IF b a1 a2) = (if evalb env b then evala env a1 else evala env a2)"
+| "evala env (Sum a1 a2) = evala env a1 + evala env a2"
+| "evala env (Diff a1 a2) = evala env a1 - evala env a2"
+| "evala env (Var v) = env v"
+| "evala env (Num n) = n"
+| "evalb env (Less a1 a2) = (evala env a1 < evala env a2)"
+| "evalb env (And b1 b2) = (evalb env b1 \<and> evalb env b2)"
+| "evalb env (Neg b) = (\<not> evalb env b)"
+
+text {* Since the value of an expression depends on the value of its
+ variables, the functions @{const evala} and @{const evalb} take an
+ additional parameter, an \emph{environment} that maps variables to
+ their values.
+
+ \medskip Substitution on expressions can be defined similarly. The
+ mapping @{text f} of type @{typ "'a \<Rightarrow> 'a aexp"} given as a
+ parameter is lifted canonically on the types @{typ "'a aexp"} and
+ @{typ "'a bexp"}, respectively.
+*}
+
+primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp"
+ and substb :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a bexp \<Rightarrow> 'b bexp"
+where
+ "substa f (IF b a1 a2) = IF (substb f b) (substa f a1) (substa f a2)"
+| "substa f (Sum a1 a2) = Sum (substa f a1) (substa f a2)"
+| "substa f (Diff a1 a2) = Diff (substa f a1) (substa f a2)"
+| "substa f (Var v) = f v"
+| "substa f (Num n) = Num n"
+| "substb f (Less a1 a2) = Less (substa f a1) (substa f a2)"
+| "substb f (And b1 b2) = And (substb f b1) (substb f b2)"
+| "substb f (Neg b) = Neg (substb f b)"
+
+text {* In textbooks about semantics one often finds substitution
+ theorems, which express the relationship between substitution and
+ evaluation. For @{typ "'a aexp"} and @{typ "'a bexp"}, we can prove
+ such a theorem by mutual induction, followed by simplification.
+*}
+
+lemma subst_one:
+ "evala env (substa (Var (v := a')) a) = evala (env (v := evala env a')) a"
+ "evalb env (substb (Var (v := a')) b) = evalb (env (v := evala env a')) b"
+ by (induct a and b) simp_all
+
+lemma subst_all:
+ "evala env (substa s a) = evala (\<lambda>x. evala env (s x)) a"
+ "evalb env (substb s b) = evalb (\<lambda>x. evala env (s x)) b"
+ by (induct a and b) simp_all
+
+
+subsubsection {* Example: a substitution function for terms *}
+
+text {* Functions on datatypes with nested recursion are also defined
+ by mutual primitive recursion. *}
+
+datatype ('a, 'b) "term" = Var 'a | App 'b "('a, 'b) term list"
+
+text {* A substitution function on type @{typ "('a, 'b) term"} can be
+ defined as follows, by working simultaneously on @{typ "('a, 'b)
+ term list"}: *}
+
+primrec subst_term :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term \<Rightarrow> ('a, 'b) term" and
+ subst_term_list :: "('a \<Rightarrow> ('a, 'b) term) \<Rightarrow> ('a, 'b) term list \<Rightarrow> ('a, 'b) term list"
+where
+ "subst_term f (Var a) = f a"
+| "subst_term f (App b ts) = App b (subst_term_list f ts)"
+| "subst_term_list f [] = []"
+| "subst_term_list f (t # ts) = subst_term f t # subst_term_list f ts"
+
+text {* The recursion scheme follows the structure of the unfolded
+ definition of type @{typ "('a, 'b) term"}. To prove properties of this
+ substitution function, mutual induction is needed:
+*}
+
+lemma "subst_term (subst_term f1 \<circ> f2) t = subst_term f1 (subst_term f2 t)" and
+ "subst_term_list (subst_term f1 \<circ> f2) ts = subst_term_list f1 (subst_term_list f2 ts)"
+ by (induct t and ts) simp_all
+
+
+subsubsection {* Example: a map function for infinitely branching trees *}
+
+text {* Defining functions on infinitely branching datatypes by
+ primitive recursion is just as easy.
+*}
+
+datatype 'a tree = Atom 'a | Branch "nat \<Rightarrow> 'a tree"
+
+primrec map_tree :: "('a \<Rightarrow> 'b) \<Rightarrow> 'a tree \<Rightarrow> 'b tree"
+where
+ "map_tree f (Atom a) = Atom (f a)"
+| "map_tree f (Branch ts) = Branch (\<lambda>x. map_tree f (ts x))"
+
+text {* Note that all occurrences of functions such as @{text ts}
+ above must be applied to an argument. In particular, @{term
+ "map_tree f \<circ> ts"} is not allowed here. *}
+
+text {* Here is a simple composition lemma for @{term map_tree}: *}
+
+lemma "map_tree g (map_tree f t) = map_tree (g \<circ> f) t"
+ by (induct t) simp_all
+
+
+subsection {* Proof methods related to recursive definitions *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) pat_completeness} & : & @{text method} \\
+ @{method_def (HOL) relation} & : & @{text method} \\
+ @{method_def (HOL) lexicographic_order} & : & @{text method} \\
+ @{method_def (HOL) size_change} & : & @{text method} \\
+ @{method_def (HOL) induction_schema} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method (HOL) relation} @{syntax term}
+ ;
+ @@{method (HOL) lexicographic_order} (@{syntax clasimpmod} * )
+ ;
+ @@{method (HOL) size_change} ( orders (@{syntax clasimpmod} * ) )
+ ;
+ @@{method (HOL) induction_schema}
+ ;
+ orders: ( 'max' | 'min' | 'ms' ) *
+ "}
+
+ \begin{description}
+
+ \item @{method (HOL) pat_completeness} is a specialized method to
+ solve goals regarding the completeness of pattern matching, as
+ required by the @{command (HOL) "function"} package (cf.\
+ \cite{isabelle-function}).
+
+ \item @{method (HOL) relation}~@{text R} introduces a termination
+ proof using the relation @{text R}. The resulting proof state will
+ contain goals expressing that @{text R} is wellfounded, and that the
+ arguments of recursive calls decrease with respect to @{text R}.
+ Usually, this method is used as the initial proof step of manual
+ termination proofs.
+
+ \item @{method (HOL) "lexicographic_order"} attempts a fully
+ automated termination proof by searching for a lexicographic
+ combination of size measures on the arguments of the function. The
+ method accepts the same arguments as the @{method auto} method,
+ which it uses internally to prove local descents. The @{syntax
+ clasimpmod} modifiers are accepted (as for @{method auto}).
+
+ In case of failure, extensive information is printed, which can help
+ to analyse the situation (cf.\ \cite{isabelle-function}).
+
+ \item @{method (HOL) "size_change"} also works on termination goals,
+ using a variation of the size-change principle, together with a
+ graph decomposition technique (see \cite{krauss_phd} for details).
+ Three kinds of orders are used internally: @{text max}, @{text min},
+ and @{text ms} (multiset), which is only available when the theory
+ @{text Multiset} is loaded. When no order kinds are given, they are
+ tried in order. The search for a termination proof uses SAT solving
+ internally.
+
+ For local descent proofs, the @{syntax clasimpmod} modifiers are
+ accepted (as for @{method auto}).
+
+ \item @{method (HOL) induction_schema} derives user-specified
+ induction rules from well-founded induction and completeness of
+ patterns. This factors out some operations that are done internally
+ by the function package and makes them available separately. See
+ @{file "~~/src/HOL/ex/Induction_Schema.thy"} for examples.
+
+ \end{description}
+*}
+
+
+subsection {* Functions with explicit partiality *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "partial_function"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{attribute_def (HOL) "partial_function_mono"} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) partial_function} @{syntax target}?
+ '(' @{syntax nameref} ')' @{syntax \"fixes\"} \\
+ @'where' @{syntax thmdecl}? @{syntax prop}
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "partial_function"}~@{text "(mode)"} defines
+ recursive functions based on fixpoints in complete partial
+ orders. No termination proof is required from the user or
+ constructed internally. Instead, the possibility of non-termination
+ is modelled explicitly in the result type, which contains an
+ explicit bottom element.
+
+ Pattern matching and mutual recursion are currently not supported.
+ Thus, the specification consists of a single function described by a
+ single recursive equation.
+
+ There are no fixed syntactic restrictions on the body of the
+ function, but the induced functional must be provably monotonic
+ wrt.\ the underlying order. The monotonicitity proof is performed
+ internally, and the definition is rejected when it fails. The proof
+ can be influenced by declaring hints using the
+ @{attribute (HOL) partial_function_mono} attribute.
+
+ The mandatory @{text mode} argument specifies the mode of operation
+ of the command, which directly corresponds to a complete partial
+ order on the result type. By default, the following modes are
+ defined:
+
+ \begin{description}
+
+ \item @{text option} defines functions that map into the @{type
+ option} type. Here, the value @{term None} is used to model a
+ non-terminating computation. Monotonicity requires that if @{term
+ None} is returned by a recursive call, then the overall result must
+ also be @{term None}. This is best achieved through the use of the
+ monadic operator @{const "Option.bind"}.
+
+ \item @{text tailrec} defines functions with an arbitrary result
+ type and uses the slightly degenerated partial order where @{term
+ "undefined"} is the bottom element. Now, monotonicity requires that
+ if @{term undefined} is returned by a recursive call, then the
+ overall result must also be @{term undefined}. In practice, this is
+ only satisfied when each recursive call is a tail call, whose result
+ is directly returned. Thus, this mode of operation allows the
+ definition of arbitrary tail-recursive functions.
+
+ \end{description}
+
+ Experienced users may define new modes by instantiating the locale
+ @{const "partial_function_definitions"} appropriately.
+
+ \item @{attribute (HOL) partial_function_mono} declares rules for
+ use in the internal monononicity proofs of partial function
+ definitions.
+
+ \end{description}
+
+*}
+
+
+subsection {* Old-style recursive function definitions (TFL) *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "recdef"} & : & @{text "theory \<rightarrow> theory)"} \\
+ @{command_def (HOL) "recdef_tc"}@{text "\<^sup>*"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ The old TFL commands @{command (HOL) "recdef"} and @{command (HOL)
+ "recdef_tc"} for defining recursive are mostly obsolete; @{command
+ (HOL) "function"} or @{command (HOL) "fun"} should be used instead.
+
+ @{rail "
+ @@{command (HOL) recdef} ('(' @'permissive' ')')? \\
+ @{syntax name} @{syntax term} (@{syntax prop} +) hints?
+ ;
+ recdeftc @{syntax thmdecl}? tc
+ ;
+ hints: '(' @'hints' ( recdefmod * ) ')'
+ ;
+ recdefmod: (('recdef_simp' | 'recdef_cong' | 'recdef_wf')
+ (() | 'add' | 'del') ':' @{syntax thmrefs}) | @{syntax clasimpmod}
+ ;
+ tc: @{syntax nameref} ('(' @{syntax nat} ')')?
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "recdef"} defines general well-founded
+ recursive functions (using the TFL package), see also
+ \cite{isabelle-HOL}. The ``@{text "(permissive)"}'' option tells
+ TFL to recover from failed proof attempts, returning unfinished
+ results. The @{text recdef_simp}, @{text recdef_cong}, and @{text
+ recdef_wf} hints refer to auxiliary rules to be used in the internal
+ automated proof process of TFL. Additional @{syntax clasimpmod}
+ declarations may be given to tune the context of the Simplifier
+ (cf.\ \secref{sec:simplifier}) and Classical reasoner (cf.\
+ \secref{sec:classical}).
+
+ \item @{command (HOL) "recdef_tc"}~@{text "c (i)"} recommences the
+ proof for leftover termination condition number @{text i} (default
+ 1) as generated by a @{command (HOL) "recdef"} definition of
+ constant @{text c}.
+
+ Note that in most cases, @{command (HOL) "recdef"} is able to finish
+ its internal proofs without manual intervention.
+
+ \end{description}
+
+ \medskip Hints for @{command (HOL) "recdef"} may be also declared
+ globally, using the following attributes.
+
+ \begin{matharray}{rcl}
+ @{attribute_def (HOL) recdef_simp} & : & @{text attribute} \\
+ @{attribute_def (HOL) recdef_cong} & : & @{text attribute} \\
+ @{attribute_def (HOL) recdef_wf} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{attribute (HOL) recdef_simp} | @@{attribute (HOL) recdef_cong} |
+ @@{attribute (HOL) recdef_wf}) (() | 'add' | 'del')
+ "}
+*}
+
+
+section {* Datatypes \label{sec:hol-datatype} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "datatype"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "rep_datatype"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) datatype} (spec + @'and')
+ ;
+ @@{command (HOL) rep_datatype} ('(' (@{syntax name} +) ')')? (@{syntax term} +)
+ ;
+
+ spec: @{syntax typespec_sorts} @{syntax mixfix}? '=' (cons + '|')
+ ;
+ cons: @{syntax name} (@{syntax type} * ) @{syntax mixfix}?
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "datatype"} defines inductive datatypes in
+ HOL.
+
+ \item @{command (HOL) "rep_datatype"} represents existing types as
+ datatypes.
+
+ For foundational reasons, some basic types such as @{typ nat}, @{typ
+ "'a \<times> 'b"}, @{typ "'a + 'b"}, @{typ bool} and @{typ unit} are
+ introduced by more primitive means using @{command_ref typedef}. To
+ recover the rich infrastructure of @{command datatype} (e.g.\ rules
+ for @{method cases} and @{method induct} and the primitive recursion
+ combinators), such types may be represented as actual datatypes
+ later. This is done by specifying the constructors of the desired
+ type, and giving a proof of the induction rule, distinctness and
+ injectivity of constructors.
+
+ For example, see @{file "~~/src/HOL/Sum_Type.thy"} for the
+ representation of the primitive sum type as fully-featured datatype.
+
+ \end{description}
+
+ The generated rules for @{method induct} and @{method cases} provide
+ case names according to the given constructors, while parameters are
+ named after the types (see also \secref{sec:cases-induct}).
+
+ See \cite{isabelle-HOL} for more details on datatypes, but beware of
+ the old-style theory syntax being used there! Apart from proper
+ proof methods for case-analysis and induction, there are also
+ emulations of ML tactics @{method (HOL) case_tac} and @{method (HOL)
+ induct_tac} available, see \secref{sec:hol-induct-tac}; these admit
+ to refer directly to the internal structure of subgoals (including
+ internally bound parameters).
+*}
+
+
+subsubsection {* Examples *}
+
+text {* We define a type of finite sequences, with slightly different
+ names than the existing @{typ "'a list"} that is already in @{theory
+ Main}: *}
+
+datatype 'a seq = Empty | Seq 'a "'a seq"
+
+text {* We can now prove some simple lemma by structural induction: *}
+
+lemma "Seq x xs \<noteq> xs"
+proof (induct xs arbitrary: x)
+ case Empty
+ txt {* This case can be proved using the simplifier: the freeness
+ properties of the datatype are already declared as @{attribute
+ simp} rules. *}
+ show "Seq x Empty \<noteq> Empty"
+ by simp
+next
+ case (Seq y ys)
+ txt {* The step case is proved similarly. *}
+ show "Seq x (Seq y ys) \<noteq> Seq y ys"
+ using `Seq y ys \<noteq> ys` by simp
+qed
+
+text {* Here is a more succinct version of the same proof: *}
+
+lemma "Seq x xs \<noteq> xs"
+ by (induct xs arbitrary: x) simp_all
+
+
+section {* Records \label{sec:hol-record} *}
+
+text {*
+ In principle, records merely generalize the concept of tuples, where
+ components may be addressed by labels instead of just position. The
+ logical infrastructure of records in Isabelle/HOL is slightly more
+ advanced, though, supporting truly extensible record schemes. This
+ admits operations that are polymorphic with respect to record
+ extension, yielding ``object-oriented'' effects like (single)
+ inheritance. See also \cite{NaraschewskiW-TPHOLs98} for more
+ details on object-oriented verification and record subtyping in HOL.
+*}
+
+
+subsection {* Basic concepts *}
+
+text {*
+ Isabelle/HOL supports both \emph{fixed} and \emph{schematic} records
+ at the level of terms and types. The notation is as follows:
+
+ \begin{center}
+ \begin{tabular}{l|l|l}
+ & record terms & record types \\ \hline
+ fixed & @{text "\<lparr>x = a, y = b\<rparr>"} & @{text "\<lparr>x :: A, y :: B\<rparr>"} \\
+ schematic & @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} &
+ @{text "\<lparr>x :: A, y :: B, \<dots> :: M\<rparr>"} \\
+ \end{tabular}
+ \end{center}
+
+ \noindent The ASCII representation of @{text "\<lparr>x = a\<rparr>"} is @{text
+ "(| x = a |)"}.
+
+ A fixed record @{text "\<lparr>x = a, y = b\<rparr>"} has field @{text x} of value
+ @{text a} and field @{text y} of value @{text b}. The corresponding
+ type is @{text "\<lparr>x :: A, y :: B\<rparr>"}, assuming that @{text "a :: A"}
+ and @{text "b :: B"}.
+
+ A record scheme like @{text "\<lparr>x = a, y = b, \<dots> = m\<rparr>"} contains fields
+ @{text x} and @{text y} as before, but also possibly further fields
+ as indicated by the ``@{text "\<dots>"}'' notation (which is actually part
+ of the syntax). The improper field ``@{text "\<dots>"}'' of a record
+ scheme is called the \emph{more part}. Logically it is just a free
+ variable, which is occasionally referred to as ``row variable'' in
+ the literature. The more part of a record scheme may be
+ instantiated by zero or more further components. For example, the
+ previous scheme may get instantiated to @{text "\<lparr>x = a, y = b, z =
+ c, \<dots> = m'\<rparr>"}, where @{text m'} refers to a different more part.
+ Fixed records are special instances of record schemes, where
+ ``@{text "\<dots>"}'' is properly terminated by the @{text "() :: unit"}
+ element. In fact, @{text "\<lparr>x = a, y = b\<rparr>"} is just an abbreviation
+ for @{text "\<lparr>x = a, y = b, \<dots> = ()\<rparr>"}.
+
+ \medskip Two key observations make extensible records in a simply
+ typed language like HOL work out:
+
+ \begin{enumerate}
+
+ \item the more part is internalized, as a free term or type
+ variable,
+
+ \item field names are externalized, they cannot be accessed within
+ the logic as first-class values.
+
+ \end{enumerate}
+
+ \medskip In Isabelle/HOL record types have to be defined explicitly,
+ fixing their field names and types, and their (optional) parent
+ record. Afterwards, records may be formed using above syntax, while
+ obeying the canonical order of fields as given by their declaration.
+ The record package provides several standard operations like
+ selectors and updates. The common setup for various generic proof
+ tools enable succinct reasoning patterns. See also the Isabelle/HOL
+ tutorial \cite{isabelle-hol-book} for further instructions on using
+ records in practice.
+*}
+
+
+subsection {* Record specifications *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "record"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) record} @{syntax typespec_sorts} '=' \\
+ (@{syntax type} '+')? (constdecl +)
+ ;
+ constdecl: @{syntax name} '::' @{syntax type} @{syntax mixfix}?
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "record"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t = \<tau> + c\<^sub>1 :: \<sigma>\<^sub>1
+ \<dots> c\<^sub>n :: \<sigma>\<^sub>n"} defines extensible record type @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"},
+ derived from the optional parent record @{text "\<tau>"} by adding new
+ field components @{text "c\<^sub>i :: \<sigma>\<^sub>i"} etc.
+
+ The type variables of @{text "\<tau>"} and @{text "\<sigma>\<^sub>i"} need to be
+ covered by the (distinct) parameters @{text "\<alpha>\<^sub>1, \<dots>,
+ \<alpha>\<^sub>m"}. Type constructor @{text t} has to be new, while @{text
+ \<tau>} needs to specify an instance of an existing record type. At
+ least one new field @{text "c\<^sub>i"} has to be specified.
+ Basically, field names need to belong to a unique record. This is
+ not a real restriction in practice, since fields are qualified by
+ the record name internally.
+
+ The parent record specification @{text \<tau>} is optional; if omitted
+ @{text t} becomes a root record. The hierarchy of all records
+ declared within a theory context forms a forest structure, i.e.\ a
+ set of trees starting with a root record each. There is no way to
+ merge multiple parent records!
+
+ For convenience, @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} is made a
+ type abbreviation for the fixed record type @{text "\<lparr>c\<^sub>1 ::
+ \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n\<rparr>"}, likewise is @{text
+ "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m, \<zeta>) t_scheme"} made an abbreviation for
+ @{text "\<lparr>c\<^sub>1 :: \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n, \<dots> ::
+ \<zeta>\<rparr>"}.
+
+ \end{description}
+*}
+
+
+subsection {* Record operations *}
+
+text {*
+ Any record definition of the form presented above produces certain
+ standard operations. Selectors and updates are provided for any
+ field, including the improper one ``@{text more}''. There are also
+ cumulative record constructor functions. To simplify the
+ presentation below, we assume for now that @{text "(\<alpha>\<^sub>1, \<dots>,
+ \<alpha>\<^sub>m) t"} is a root record with fields @{text "c\<^sub>1 ::
+ \<sigma>\<^sub>1, \<dots>, c\<^sub>n :: \<sigma>\<^sub>n"}.
+
+ \medskip \textbf{Selectors} and \textbf{updates} are available for
+ any field (including ``@{text more}''):
+
+ \begin{matharray}{lll}
+ @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\
+ @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
+ \end{matharray}
+
+ There is special syntax for application of updates: @{text "r\<lparr>x :=
+ a\<rparr>"} abbreviates term @{text "x_update a r"}. Further notation for
+ repeated updates is also available: @{text "r\<lparr>x := a\<rparr>\<lparr>y := b\<rparr>\<lparr>z :=
+ c\<rparr>"} may be written @{text "r\<lparr>x := a, y := b, z := c\<rparr>"}. Note that
+ because of postfix notation the order of fields shown here is
+ reverse than in the actual term. Since repeated updates are just
+ function applications, fields may be freely permuted in @{text "\<lparr>x
+ := a, y := b, z := c\<rparr>"}, as far as logical equality is concerned.
+ Thus commutativity of independent updates can be proven within the
+ logic for any two fields, but not as a general theorem.
+
+ \medskip The \textbf{make} operation provides a cumulative record
+ constructor function:
+
+ \begin{matharray}{lll}
+ @{text "t.make"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
+ \end{matharray}
+
+ \medskip We now reconsider the case of non-root records, which are
+ derived of some parent. In general, the latter may depend on
+ another parent as well, resulting in a list of \emph{ancestor
+ records}. Appending the lists of fields of all ancestors results in
+ a certain field prefix. The record package automatically takes care
+ of this by lifting operations over this context of ancestor fields.
+ Assuming that @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>m) t"} has ancestor
+ fields @{text "b\<^sub>1 :: \<rho>\<^sub>1, \<dots>, b\<^sub>k :: \<rho>\<^sub>k"},
+ the above record operations will get the following types:
+
+ \medskip
+ \begin{tabular}{lll}
+ @{text "c\<^sub>i"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<sigma>\<^sub>i"} \\
+ @{text "c\<^sub>i_update"} & @{text "::"} & @{text "\<sigma>\<^sub>i \<Rightarrow>
+ \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow>
+ \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
+ @{text "t.make"} & @{text "::"} & @{text "\<rho>\<^sub>1 \<Rightarrow> \<dots> \<rho>\<^sub>k \<Rightarrow> \<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow>
+ \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
+ \end{tabular}
+ \medskip
+
+ \noindent Some further operations address the extension aspect of a
+ derived record scheme specifically: @{text "t.fields"} produces a
+ record fragment consisting of exactly the new fields introduced here
+ (the result may serve as a more part elsewhere); @{text "t.extend"}
+ takes a fixed record and adds a given more part; @{text
+ "t.truncate"} restricts a record scheme to a fixed record.
+
+ \medskip
+ \begin{tabular}{lll}
+ @{text "t.fields"} & @{text "::"} & @{text "\<sigma>\<^sub>1 \<Rightarrow> \<dots> \<sigma>\<^sub>n \<Rightarrow> \<lparr>\<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
+ @{text "t.extend"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr> \<Rightarrow>
+ \<zeta> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr>"} \\
+ @{text "t.truncate"} & @{text "::"} & @{text "\<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>, \<dots> :: \<zeta>\<rparr> \<Rightarrow> \<lparr>\<^vec>b :: \<^vec>\<rho>, \<^vec>c :: \<^vec>\<sigma>\<rparr>"} \\
+ \end{tabular}
+ \medskip
+
+ \noindent Note that @{text "t.make"} and @{text "t.fields"} coincide
+ for root records.
+*}
+
+
+subsection {* Derived rules and proof tools *}
+
+text {*
+ The record package proves several results internally, declaring
+ these facts to appropriate proof tools. This enables users to
+ reason about record structures quite conveniently. Assume that
+ @{text t} is a record type as specified above.
+
+ \begin{enumerate}
+
+ \item Standard conversions for selectors or updates applied to
+ record constructor terms are made part of the default Simplifier
+ context; thus proofs by reduction of basic operations merely require
+ the @{method simp} method without further arguments. These rules
+ are available as @{text "t.simps"}, too.
+
+ \item Selectors applied to updated records are automatically reduced
+ by an internal simplification procedure, which is also part of the
+ standard Simplifier setup.
+
+ \item Inject equations of a form analogous to @{prop "(x, y) = (x',
+ y') \<equiv> x = x' \<and> y = y'"} are declared to the Simplifier and Classical
+ Reasoner as @{attribute iff} rules. These rules are available as
+ @{text "t.iffs"}.
+
+ \item The introduction rule for record equality analogous to @{text
+ "x r = x r' \<Longrightarrow> y r = y r' \<dots> \<Longrightarrow> r = r'"} is declared to the Simplifier,
+ and as the basic rule context as ``@{attribute intro}@{text "?"}''.
+ The rule is called @{text "t.equality"}.
+
+ \item Representations of arbitrary record expressions as canonical
+ constructor terms are provided both in @{method cases} and @{method
+ induct} format (cf.\ the generic proof methods of the same name,
+ \secref{sec:cases-induct}). Several variations are available, for
+ fixed records, record schemes, more parts etc.
+
+ The generic proof methods are sufficiently smart to pick the most
+ sensible rule according to the type of the indicated record
+ expression: users just need to apply something like ``@{text "(cases
+ r)"}'' to a certain proof problem.
+
+ \item The derived record operations @{text "t.make"}, @{text
+ "t.fields"}, @{text "t.extend"}, @{text "t.truncate"} are \emph{not}
+ treated automatically, but usually need to be expanded by hand,
+ using the collective fact @{text "t.defs"}.
+
+ \end{enumerate}
+*}
+
+
+subsubsection {* Examples *}
+
+text {* See @{file "~~/src/HOL/ex/Records.thy"}, for example. *}
+
+
+section {* Adhoc tuples *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{attribute_def (HOL) split_format}@{text "\<^sup>*"} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute (HOL) split_format} ('(' 'complete' ')')?
+ "}
+
+ \begin{description}
+
+ \item @{attribute (HOL) split_format}\ @{text "(complete)"} causes
+ arguments in function applications to be represented canonically
+ according to their tuple type structure.
+
+ Note that this operation tends to invent funny names for new local
+ parameters introduced.
+
+ \end{description}
+*}
+
+
+section {* Typedef axiomatization \label{sec:hol-typedef} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "typedef"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ A Gordon/HOL-style type definition is a certain axiom scheme that
+ identifies a new type with a subset of an existing type. More
+ precisely, the new type is defined by exhibiting an existing type
+ @{text \<tau>}, a set @{text "A :: \<tau> set"}, and a theorem that proves
+ @{prop "\<exists>x. x \<in> A"}. Thus @{text A} is a non-empty subset of @{text
+ \<tau>}, and the new type denotes this subset. New functions are
+ postulated that establish an isomorphism between the new type and
+ the subset. In general, the type @{text \<tau>} may involve type
+ variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} which means that the type definition
+ produces a type constructor @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} depending on
+ those type arguments.
+
+ The axiomatization can be considered a ``definition'' in the sense
+ of the particular set-theoretic interpretation of HOL
+ \cite{pitts93}, where the universe of types is required to be
+ downwards-closed wrt.\ arbitrary non-empty subsets. Thus genuinely
+ new types introduced by @{command "typedef"} stay within the range
+ of HOL models by construction. Note that @{command_ref
+ type_synonym} from Isabelle/Pure merely introduces syntactic
+ abbreviations, without any logical significance.
+
+ @{rail "
+ @@{command (HOL) typedef} alt_name? abs_type '=' rep_set
+ ;
+
+ alt_name: '(' (@{syntax name} | @'open' | @'open' @{syntax name}) ')'
+ ;
+ abs_type: @{syntax typespec_sorts} @{syntax mixfix}?
+ ;
+ rep_set: @{syntax term} (@'morphisms' @{syntax name} @{syntax name})?
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "typedef"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = A"}
+ axiomatizes a type definition in the background theory of the
+ current context, depending on a non-emptiness result of the set
+ @{text A} that needs to be proven here. The set @{text A} may
+ contain type variables @{text "\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n"} as specified on the LHS,
+ but no term variables.
+
+ Even though a local theory specification, the newly introduced type
+ constructor cannot depend on parameters or assumptions of the
+ context: this is structurally impossible in HOL. In contrast, the
+ non-emptiness proof may use local assumptions in unusual situations,
+ which could result in different interpretations in target contexts:
+ the meaning of the bijection between the representing set @{text A}
+ and the new type @{text t} may then change in different application
+ contexts.
+
+ By default, @{command (HOL) "typedef"} defines both a type
+ constructor @{text t} for the new type, and a term constant @{text
+ t} for the representing set within the old type. Use the ``@{text
+ "(open)"}'' option to suppress a separate constant definition
+ altogether. The injection from type to set is called @{text Rep_t},
+ its inverse @{text Abs_t}, unless explicit @{keyword (HOL)
+ "morphisms"} specification provides alternative names.
+
+ The core axiomatization uses the locale predicate @{const
+ type_definition} as defined in Isabelle/HOL. Various basic
+ consequences of that are instantiated accordingly, re-using the
+ locale facts with names derived from the new type constructor. Thus
+ the generic @{thm type_definition.Rep} is turned into the specific
+ @{text "Rep_t"}, for example.
+
+ Theorems @{thm type_definition.Rep}, @{thm
+ type_definition.Rep_inverse}, and @{thm type_definition.Abs_inverse}
+ provide the most basic characterization as a corresponding
+ injection/surjection pair (in both directions). The derived rules
+ @{thm type_definition.Rep_inject} and @{thm
+ type_definition.Abs_inject} provide a more convenient version of
+ injectivity, suitable for automated proof tools (e.g.\ in
+ declarations involving @{attribute simp} or @{attribute iff}).
+ Furthermore, the rules @{thm type_definition.Rep_cases}~/ @{thm
+ type_definition.Rep_induct}, and @{thm type_definition.Abs_cases}~/
+ @{thm type_definition.Abs_induct} provide alternative views on
+ surjectivity. These rules are already declared as set or type rules
+ for the generic @{method cases} and @{method induct} methods,
+ respectively.
+
+ An alternative name for the set definition (and other derived
+ entities) may be specified in parentheses; the default is to use
+ @{text t} directly.
+
+ \end{description}
+
+ \begin{warn}
+ If you introduce a new type axiomatically, i.e.\ via @{command_ref
+ typedecl} and @{command_ref axiomatization}, the minimum requirement
+ is that it has a non-empty model, to avoid immediate collapse of the
+ HOL logic. Moreover, one needs to demonstrate that the
+ interpretation of such free-form axiomatizations can coexist with
+ that of the regular @{command_def typedef} scheme, and any extension
+ that other people might have introduced elsewhere (e.g.\ in HOLCF
+ \cite{MuellerNvOS99}).
+ \end{warn}
+*}
+
+subsubsection {* Examples *}
+
+text {* Type definitions permit the introduction of abstract data
+ types in a safe way, namely by providing models based on already
+ existing types. Given some abstract axiomatic description @{text P}
+ of a type, this involves two steps:
+
+ \begin{enumerate}
+
+ \item Find an appropriate type @{text \<tau>} and subset @{text A} which
+ has the desired properties @{text P}, and make a type definition
+ based on this representation.
+
+ \item Prove that @{text P} holds for @{text \<tau>} by lifting @{text P}
+ from the representation.
+
+ \end{enumerate}
+
+ You can later forget about the representation and work solely in
+ terms of the abstract properties @{text P}.
+
+ \medskip The following trivial example pulls a three-element type
+ into existence within the formal logical environment of HOL. *}
+
+typedef three = "{(True, True), (True, False), (False, True)}"
+ by blast
+
+definition "One = Abs_three (True, True)"
+definition "Two = Abs_three (True, False)"
+definition "Three = Abs_three (False, True)"
+
+lemma three_distinct: "One \<noteq> Two" "One \<noteq> Three" "Two \<noteq> Three"
+ by (simp_all add: One_def Two_def Three_def Abs_three_inject three_def)
+
+lemma three_cases:
+ fixes x :: three obtains "x = One" | "x = Two" | "x = Three"
+ by (cases x) (auto simp: One_def Two_def Three_def Abs_three_inject three_def)
+
+text {* Note that such trivial constructions are better done with
+ derived specification mechanisms such as @{command datatype}: *}
+
+datatype three' = One' | Two' | Three'
+
+text {* This avoids re-doing basic definitions and proofs from the
+ primitive @{command typedef} above. *}
+
+
+section {* Functorial structure of types *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "enriched_type"} & : & @{text "local_theory \<rightarrow> proof(prove)"}
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) enriched_type} (@{syntax name} ':')? @{syntax term}
+ ;
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "enriched_type"}~@{text "prefix: m"} allows to
+ prove and register properties about the functorial structure of type
+ constructors. These properties then can be used by other packages
+ to deal with those type constructors in certain type constructions.
+ Characteristic theorems are noted in the current local theory. By
+ default, they are prefixed with the base name of the type
+ constructor, an explicit prefix can be given alternatively.
+
+ The given term @{text "m"} is considered as \emph{mapper} for the
+ corresponding type constructor and must conform to the following
+ type pattern:
+
+ \begin{matharray}{lll}
+ @{text "m"} & @{text "::"} &
+ @{text "\<sigma>\<^isub>1 \<Rightarrow> \<dots> \<sigma>\<^isub>k \<Rightarrow> (\<^vec>\<alpha>\<^isub>n) t \<Rightarrow> (\<^vec>\<beta>\<^isub>n) t"} \\
+ \end{matharray}
+
+ \noindent where @{text t} is the type constructor, @{text
+ "\<^vec>\<alpha>\<^isub>n"} and @{text "\<^vec>\<beta>\<^isub>n"} are distinct
+ type variables free in the local theory and @{text "\<sigma>\<^isub>1"},
+ \ldots, @{text "\<sigma>\<^isub>k"} is a subsequence of @{text "\<alpha>\<^isub>1 \<Rightarrow>
+ \<beta>\<^isub>1"}, @{text "\<beta>\<^isub>1 \<Rightarrow> \<alpha>\<^isub>1"}, \ldots,
+ @{text "\<alpha>\<^isub>n \<Rightarrow> \<beta>\<^isub>n"}, @{text "\<beta>\<^isub>n \<Rightarrow>
+ \<alpha>\<^isub>n"}.
+
+ \end{description}
+*}
+
+
+section {* Transfer package *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) "transfer"} & : & @{text method} \\
+ @{method_def (HOL) "transfer'"} & : & @{text method} \\
+ @{method_def (HOL) "transfer_prover"} & : & @{text method} \\
+ @{attribute_def (HOL) "transfer_rule"} & : & @{text attribute} \\
+ @{attribute_def (HOL) "relator_eq"} & : & @{text attribute} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{method (HOL) "transfer"} method replaces the current subgoal
+ with a logically equivalent one that uses different types and
+ constants. The replacement of types and constants is guided by the
+ database of transfer rules. Goals are generalized over all free
+ variables by default; this is necessary for variables whose types
+ change, but can be overridden for specific variables with e.g.
+ @{text "transfer fixing: x y z"}.
+
+ \item @{method (HOL) "transfer'"} is a variant of @{method (HOL)
+ transfer} that allows replacing a subgoal with one that is
+ logically stronger (rather than equivalent). For example, a
+ subgoal involving equality on a quotient type could be replaced
+ with a subgoal involving equality (instead of the corresponding
+ equivalence relation) on the underlying raw type.
+
+ \item @{method (HOL) "transfer_prover"} method assists with proving
+ a transfer rule for a new constant, provided the constant is
+ defined in terms of other constants that already have transfer
+ rules. It should be applied after unfolding the constant
+ definitions.
+
+ \item @{attribute (HOL) "transfer_rule"} attribute maintains a
+ collection of transfer rules, which relate constants at two
+ different types. Typical transfer rules may relate different type
+ instances of the same polymorphic constant, or they may relate an
+ operation on a raw type to a corresponding operation on an
+ abstract type (quotient or subtype). For example:
+
+ @{text "((A ===> B) ===> list_all2 A ===> list_all2 B) map map"}\\
+ @{text "(cr_int ===> cr_int ===> cr_int) (\<lambda>(x,y) (u,v). (x+u, y+v)) plus"}
+
+ Lemmas involving predicates on relations can also be registered
+ using the same attribute. For example:
+
+ @{text "bi_unique A \<Longrightarrow> (list_all2 A ===> op =) distinct distinct"}\\
+ @{text "\<lbrakk>bi_unique A; bi_unique B\<rbrakk> \<Longrightarrow> bi_unique (prod_rel A B)"}
+
+ \item @{attribute (HOL) relator_eq} attribute collects identity laws
+ for relators of various type constructors, e.g. @{text "list_all2
+ (op =) = (op =)"}. The @{method (HOL) transfer} method uses these
+ lemmas to infer transfer rules for non-polymorphic constants on
+ the fly.
+
+ \end{description}
+
+*}
+
+
+section {* Lifting package *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "setup_lifting"} & : & @{text "local_theory \<rightarrow> local_theory"}\\
+ @{command_def (HOL) "lift_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
+ @{command_def (HOL) "print_quotmaps"} & : & @{text "context \<rightarrow>"}\\
+ @{command_def (HOL) "print_quotients"} & : & @{text "context \<rightarrow>"}\\
+ @{attribute_def (HOL) "quot_map"} & : & @{text attribute} \\
+ @{attribute_def (HOL) "invariant_commute"} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) setup_lifting} ('(' 'no_abs_code' ')')? \\
+ @{syntax thmref} @{syntax thmref}?;
+ "}
+
+ @{rail "
+ @@{command (HOL) lift_definition} @{syntax name} '::' @{syntax type} @{syntax mixfix}? \\
+ 'is' @{syntax term};
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "setup_lifting"} Sets up the Lifting package
+ to work with a user-defined type. The user must provide either a
+ quotient theorem @{text "Quotient R Abs Rep T"} or a
+ type_definition theorem @{text "type_definition Rep Abs A"}. The
+ package configures transfer rules for equality and quantifiers on
+ the type, and sets up the @{command_def (HOL) "lift_definition"}
+ command to work with the type. In the case of a quotient theorem,
+ an optional theorem @{text "reflp R"} can be provided as a second
+ argument. This allows the package to generate stronger transfer
+ rules.
+
+ @{command (HOL) "setup_lifting"} is called automatically if a
+ quotient type is defined by the command @{command (HOL)
+ "quotient_type"} from the Quotient package.
+
+ If @{command (HOL) "setup_lifting"} is called with a
+ type_definition theorem, the abstract type implicitly defined by
+ the theorem is declared as an abstract type in the code
+ generator. This allows @{command (HOL) "lift_definition"} to
+ register (generated) code certificate theorems as abstract code
+ equations in the code generator. The option @{text "no_abs_code"}
+ of the command @{command (HOL) "setup_lifting"} can turn off that
+ behavior and causes that code certificate theorems generated by
+ @{command (HOL) "lift_definition"} are not registred as abstract
+ code equations.
+
+ \item @{command (HOL) "lift_definition"} @{text "f :: \<tau> is t"}
+ Defines a new function @{text f} with an abstract type @{text \<tau>}
+ in terms of a corresponding operation @{text t} on a
+ representation type. The term @{text t} doesn't have to be
+ necessarily a constant but it can be any term.
+
+ Users must discharge a respectfulness proof obligation when each
+ constant is defined. For a type copy, i.e. a typedef with @{text
+ UNIV}, the proof is discharged automatically. The obligation is
+ presented in a user-friendly, readable form. A respectfulness
+ theorem in the standard format @{text f.rsp} and a transfer rule
+ @{text f.tranfer} for the Transfer package are generated by the
+ package.
+
+ Integration with code_abstype: For typedefs (e.g. subtypes
+ corresponding to a datatype invariant, such as dlist), @{command
+ (HOL) "lift_definition"} generates a code certificate theorem
+ @{text f.rep_eq} and sets up code generation for each constant.
+
+ \item @{command (HOL) "print_quotmaps"} prints stored quotient map
+ theorems.
+
+ \item @{command (HOL) "print_quotients"} prints stored quotient
+ theorems.
+
+ \item @{attribute (HOL) quot_map} registers a quotient map
+ theorem. For examples see @{file
+ "~~/src/HOL/Library/Quotient_List.thy"} or other Quotient_*.thy
+ files.
+
+ \item @{attribute (HOL) invariant_commute} registers a theorem which
+ shows a relationship between the constant @{text
+ Lifting.invariant} (used for internal encoding of proper subtypes)
+ and a relator. Such theorems allows the package to hide @{text
+ Lifting.invariant} from a user in a user-readable form of a
+ respectfulness theorem. For examples see @{file
+ "~~/src/HOL/Library/Quotient_List.thy"} or other Quotient_*.thy
+ files.
+
+ \end{description}
+*}
+
+
+section {* Quotient types *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "quotient_type"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
+ @{command_def (HOL) "quotient_definition"} & : & @{text "local_theory \<rightarrow> proof(prove)"}\\
+ @{command_def (HOL) "print_quotmapsQ3"} & : & @{text "context \<rightarrow>"}\\
+ @{command_def (HOL) "print_quotientsQ3"} & : & @{text "context \<rightarrow>"}\\
+ @{command_def (HOL) "print_quotconsts"} & : & @{text "context \<rightarrow>"}\\
+ @{method_def (HOL) "lifting"} & : & @{text method} \\
+ @{method_def (HOL) "lifting_setup"} & : & @{text method} \\
+ @{method_def (HOL) "descending"} & : & @{text method} \\
+ @{method_def (HOL) "descending_setup"} & : & @{text method} \\
+ @{method_def (HOL) "partiality_descending"} & : & @{text method} \\
+ @{method_def (HOL) "partiality_descending_setup"} & : & @{text method} \\
+ @{method_def (HOL) "regularize"} & : & @{text method} \\
+ @{method_def (HOL) "injection"} & : & @{text method} \\
+ @{method_def (HOL) "cleaning"} & : & @{text method} \\
+ @{attribute_def (HOL) "quot_thm"} & : & @{text attribute} \\
+ @{attribute_def (HOL) "quot_lifted"} & : & @{text attribute} \\
+ @{attribute_def (HOL) "quot_respect"} & : & @{text attribute} \\
+ @{attribute_def (HOL) "quot_preserve"} & : & @{text attribute} \\
+ \end{matharray}
+
+ The quotient package defines a new quotient type given a raw type
+ and a partial equivalence relation. It also includes automation for
+ transporting definitions and theorems. It can automatically produce
+ definitions and theorems on the quotient type, given the
+ corresponding constants and facts on the raw type.
+
+ @{rail "
+ @@{command (HOL) quotient_type} (spec + @'and');
+
+ spec: @{syntax typespec} @{syntax mixfix}? '=' \\
+ @{syntax type} '/' ('partial' ':')? @{syntax term} \\
+ (@'morphisms' @{syntax name} @{syntax name})?;
+ "}
+
+ @{rail "
+ @@{command (HOL) quotient_definition} constdecl? @{syntax thmdecl}? \\
+ @{syntax term} 'is' @{syntax term};
+
+ constdecl: @{syntax name} ('::' @{syntax type})? @{syntax mixfix}?
+ "}
+
+ @{rail "
+ @@{method (HOL) lifting} @{syntax thmrefs}?
+ ;
+
+ @@{method (HOL) lifting_setup} @{syntax thmrefs}?
+ ;
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "quotient_type"} defines quotient types. The
+ injection from a quotient type to a raw type is called @{text
+ rep_t}, its inverse @{text abs_t} unless explicit @{keyword (HOL)
+ "morphisms"} specification provides alternative names. @{command
+ (HOL) "quotient_type"} requires the user to prove that the relation
+ is an equivalence relation (predicate @{text equivp}), unless the
+ user specifies explicitely @{text partial} in which case the
+ obligation is @{text part_equivp}. A quotient defined with @{text
+ partial} is weaker in the sense that less things can be proved
+ automatically.
+
+ \item @{command (HOL) "quotient_definition"} defines a constant on
+ the quotient type.
+
+ \item @{command (HOL) "print_quotmapsQ3"} prints quotient map
+ functions.
+
+ \item @{command (HOL) "print_quotientsQ3"} prints quotients.
+
+ \item @{command (HOL) "print_quotconsts"} prints quotient constants.
+
+ \item @{method (HOL) "lifting"} and @{method (HOL) "lifting_setup"}
+ methods match the current goal with the given raw theorem to be
+ lifted producing three new subgoals: regularization, injection and
+ cleaning subgoals. @{method (HOL) "lifting"} tries to apply the
+ heuristics for automatically solving these three subgoals and
+ leaves only the subgoals unsolved by the heuristics to the user as
+ opposed to @{method (HOL) "lifting_setup"} which leaves the three
+ subgoals unsolved.
+
+ \item @{method (HOL) "descending"} and @{method (HOL)
+ "descending_setup"} try to guess a raw statement that would lift
+ to the current subgoal. Such statement is assumed as a new subgoal
+ and @{method (HOL) "descending"} continues in the same way as
+ @{method (HOL) "lifting"} does. @{method (HOL) "descending"} tries
+ to solve the arising regularization, injection and cleaning
+ subgoals with the analoguous method @{method (HOL)
+ "descending_setup"} which leaves the four unsolved subgoals.
+
+ \item @{method (HOL) "partiality_descending"} finds the regularized
+ theorem that would lift to the current subgoal, lifts it and
+ leaves as a subgoal. This method can be used with partial
+ equivalence quotients where the non regularized statements would
+ not be true. @{method (HOL) "partiality_descending_setup"} leaves
+ the injection and cleaning subgoals unchanged.
+
+ \item @{method (HOL) "regularize"} applies the regularization
+ heuristics to the current subgoal.
+
+ \item @{method (HOL) "injection"} applies the injection heuristics
+ to the current goal using the stored quotient respectfulness
+ theorems.
+
+ \item @{method (HOL) "cleaning"} applies the injection cleaning
+ heuristics to the current subgoal using the stored quotient
+ preservation theorems.
+
+ \item @{attribute (HOL) quot_lifted} attribute tries to
+ automatically transport the theorem to the quotient type.
+ The attribute uses all the defined quotients types and quotient
+ constants often producing undesired results or theorems that
+ cannot be lifted.
+
+ \item @{attribute (HOL) quot_respect} and @{attribute (HOL)
+ quot_preserve} attributes declare a theorem as a respectfulness
+ and preservation theorem respectively. These are stored in the
+ local theory store and used by the @{method (HOL) "injection"}
+ and @{method (HOL) "cleaning"} methods respectively.
+
+ \item @{attribute (HOL) quot_thm} declares that a certain theorem
+ is a quotient extension theorem. Quotient extension theorems
+ allow for quotienting inside container types. Given a polymorphic
+ type that serves as a container, a map function defined for this
+ container using @{command (HOL) "enriched_type"} and a relation
+ map defined for for the container type, the quotient extension
+ theorem should be @{term "Quotient3 R Abs Rep \<Longrightarrow> Quotient3
+ (rel_map R) (map Abs) (map Rep)"}. Quotient extension theorems
+ are stored in a database and are used all the steps of lifting
+ theorems.
+
+ \end{description}
+*}
+
+
+section {* Coercive subtyping *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{attribute_def (HOL) coercion} & : & @{text attribute} \\
+ @{attribute_def (HOL) coercion_enabled} & : & @{text attribute} \\
+ @{attribute_def (HOL) coercion_map} & : & @{text attribute} \\
+ \end{matharray}
+
+ Coercive subtyping allows the user to omit explicit type
+ conversions, also called \emph{coercions}. Type inference will add
+ them as necessary when parsing a term. See
+ \cite{traytel-berghofer-nipkow-2011} for details.
+
+ @{rail "
+ @@{attribute (HOL) coercion} (@{syntax term})?
+ ;
+ "}
+ @{rail "
+ @@{attribute (HOL) coercion_map} (@{syntax term})?
+ ;
+ "}
+
+ \begin{description}
+
+ \item @{attribute (HOL) "coercion"}~@{text "f"} registers a new
+ coercion function @{text "f :: \<sigma>\<^isub>1 \<Rightarrow> \<sigma>\<^isub>2"} where @{text "\<sigma>\<^isub>1"} and
+ @{text "\<sigma>\<^isub>2"} are type constructors without arguments. Coercions are
+ composed by the inference algorithm if needed. Note that the type
+ inference algorithm is complete only if the registered coercions
+ form a lattice.
+
+ \item @{attribute (HOL) "coercion_map"}~@{text "map"} registers a
+ new map function to lift coercions through type constructors. The
+ function @{text "map"} must conform to the following type pattern
+
+ \begin{matharray}{lll}
+ @{text "map"} & @{text "::"} &
+ @{text "f\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> f\<^isub>n \<Rightarrow> (\<alpha>\<^isub>1, \<dots>, \<alpha>\<^isub>n) t \<Rightarrow> (\<beta>\<^isub>1, \<dots>, \<beta>\<^isub>n) t"} \\
+ \end{matharray}
+
+ where @{text "t"} is a type constructor and @{text "f\<^isub>i"} is of type
+ @{text "\<alpha>\<^isub>i \<Rightarrow> \<beta>\<^isub>i"} or @{text "\<beta>\<^isub>i \<Rightarrow> \<alpha>\<^isub>i"}. Registering a map function
+ overwrites any existing map function for this particular type
+ constructor.
+
+ \item @{attribute (HOL) "coercion_enabled"} enables the coercion
+ inference algorithm.
+
+ \end{description}
+*}
+
+
+section {* Arithmetic proof support *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) arith} & : & @{text method} \\
+ @{attribute_def (HOL) arith} & : & @{text attribute} \\
+ @{attribute_def (HOL) arith_split} & : & @{text attribute} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{method (HOL) arith} decides linear arithmetic problems (on
+ types @{text nat}, @{text int}, @{text real}). Any current facts
+ are inserted into the goal before running the procedure.
+
+ \item @{attribute (HOL) arith} declares facts that are supplied to
+ the arithmetic provers implicitly.
+
+ \item @{attribute (HOL) arith_split} attribute declares case split
+ rules to be expanded before @{method (HOL) arith} is invoked.
+
+ \end{description}
+
+ Note that a simpler (but faster) arithmetic prover is already
+ invoked by the Simplifier.
+*}
+
+
+section {* Intuitionistic proof search *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) iprover} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method (HOL) iprover} ( @{syntax rulemod} * )
+ "}
+
+ \begin{description}
+
+ \item @{method (HOL) iprover} performs intuitionistic proof search,
+ depending on specifically declared rules from the context, or given
+ as explicit arguments. Chained facts are inserted into the goal
+ before commencing proof search.
+
+ Rules need to be classified as @{attribute (Pure) intro},
+ @{attribute (Pure) elim}, or @{attribute (Pure) dest}; here the
+ ``@{text "!"}'' indicator refers to ``safe'' rules, which may be
+ applied aggressively (without considering back-tracking later).
+ Rules declared with ``@{text "?"}'' are ignored in proof search (the
+ single-step @{method (Pure) rule} method still observes these). An
+ explicit weight annotation may be given as well; otherwise the
+ number of rule premises will be taken into account here.
+
+ \end{description}
+*}
+
+
+section {* Model Elimination and Resolution *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) "meson"} & : & @{text method} \\
+ @{method_def (HOL) "metis"} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method (HOL) meson} @{syntax thmrefs}?
+ ;
+
+ @@{method (HOL) metis}
+ ('(' ('partial_types' | 'full_types' | 'no_types' | @{syntax name}) ')')?
+ @{syntax thmrefs}?
+ "}
+
+ \begin{description}
+
+ \item @{method (HOL) meson} implements Loveland's model elimination
+ procedure \cite{loveland-78}. See @{file
+ "~~/src/HOL/ex/Meson_Test.thy"} for examples.
+
+ \item @{method (HOL) metis} combines ordered resolution and ordered
+ paramodulation to find first-order (or mildly higher-order) proofs.
+ The first optional argument specifies a type encoding; see the
+ Sledgehammer manual \cite{isabelle-sledgehammer} for details. The
+ directory @{file "~~/src/HOL/Metis_Examples"} contains several small
+ theories developed to a large extent using @{method (HOL) metis}.
+
+ \end{description}
+*}
+
+
+section {* Coherent Logic *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def (HOL) "coherent"} & : & @{text method} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method (HOL) coherent} @{syntax thmrefs}?
+ "}
+
+ \begin{description}
+
+ \item @{method (HOL) coherent} solves problems of \emph{Coherent
+ Logic} \cite{Bezem-Coquand:2005}, which covers applications in
+ confluence theory, lattice theory and projective geometry. See
+ @{file "~~/src/HOL/ex/Coherent.thy"} for some examples.
+
+ \end{description}
+*}
+
+
+section {* Proving propositions *}
+
+text {*
+ In addition to the standard proof methods, a number of diagnosis
+ tools search for proofs and provide an Isar proof snippet on success.
+ These tools are available via the following commands.
+
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "solve_direct"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "try"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "try0"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "sledgehammer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "sledgehammer_params"} & : & @{text "theory \<rightarrow> theory"}
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) try}
+ ;
+
+ @@{command (HOL) try0} ( ( ( 'simp' | 'intro' | 'elim' | 'dest' ) ':' @{syntax thmrefs} ) + ) ?
+ @{syntax nat}?
+ ;
+
+ @@{command (HOL) sledgehammer} ( '[' args ']' )? facts? @{syntax nat}?
+ ;
+
+ @@{command (HOL) sledgehammer_params} ( ( '[' args ']' ) ? )
+ ;
+
+ args: ( @{syntax name} '=' value + ',' )
+ ;
+
+ facts: '(' ( ( ( ( 'add' | 'del' ) ':' ) ? @{syntax thmrefs} ) + ) ? ')'
+ ;
+ "} % FIXME check args "value"
+
+ \begin{description}
+
+ \item @{command (HOL) "solve_direct"} checks whether the current
+ subgoals can be solved directly by an existing theorem. Duplicate
+ lemmas can be detected in this way.
+
+ \item @{command (HOL) "try0"} attempts to prove a subgoal
+ using a combination of standard proof methods (@{method auto},
+ @{method simp}, @{method blast}, etc.). Additional facts supplied
+ via @{text "simp:"}, @{text "intro:"}, @{text "elim:"}, and @{text
+ "dest:"} are passed to the appropriate proof methods.
+
+ \item @{command (HOL) "try"} attempts to prove or disprove a subgoal
+ using a combination of provers and disprovers (@{command (HOL)
+ "solve_direct"}, @{command (HOL) "quickcheck"}, @{command (HOL)
+ "try0"}, @{command (HOL) "sledgehammer"}, @{command (HOL)
+ "nitpick"}).
+
+ \item @{command (HOL) "sledgehammer"} attempts to prove a subgoal
+ using external automatic provers (resolution provers and SMT
+ solvers). See the Sledgehammer manual \cite{isabelle-sledgehammer}
+ for details.
+
+ \item @{command (HOL) "sledgehammer_params"} changes @{command (HOL)
+ "sledgehammer"} configuration options persistently.
+
+ \end{description}
+*}
+
+
+section {* Checking and refuting propositions *}
+
+text {*
+ Identifying incorrect propositions usually involves evaluation of
+ particular assignments and systematic counterexample search. This
+ is supported by the following commands.
+
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "value"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def (HOL) "values"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def (HOL) "quickcheck"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "refute"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "nitpick"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow>"} \\
+ @{command_def (HOL) "quickcheck_params"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "refute_params"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "nitpick_params"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "quickcheck_generator"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "find_unused_assms"} & : & @{text "context \<rightarrow>"}
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) value} ( '[' @{syntax name} ']' )? modes? @{syntax term}
+ ;
+
+ @@{command (HOL) values} modes? @{syntax nat}? @{syntax term}
+ ;
+
+ (@@{command (HOL) quickcheck} | @@{command (HOL) refute} | @@{command (HOL) nitpick})
+ ( '[' args ']' )? @{syntax nat}?
+ ;
+
+ (@@{command (HOL) quickcheck_params} | @@{command (HOL) refute_params} |
+ @@{command (HOL) nitpick_params}) ( '[' args ']' )?
+ ;
+
+ @@{command (HOL) quickcheck_generator} @{syntax nameref} \\
+ 'operations:' ( @{syntax term} +)
+ ;
+
+ @@{command (HOL) find_unused_assms} @{syntax name}?
+ ;
+
+ modes: '(' (@{syntax name} +) ')'
+ ;
+
+ args: ( @{syntax name} '=' value + ',' )
+ ;
+ "} % FIXME check "value"
+
+ \begin{description}
+
+ \item @{command (HOL) "value"}~@{text t} evaluates and prints a
+ term; optionally @{text modes} can be specified, which are appended
+ to the current print mode; see \secref{sec:print-modes}.
+ Internally, the evaluation is performed by registered evaluators,
+ which are invoked sequentially until a result is returned.
+ Alternatively a specific evaluator can be selected using square
+ brackets; typical evaluators use the current set of code equations
+ to normalize and include @{text simp} for fully symbolic evaluation
+ using the simplifier, @{text nbe} for \emph{normalization by
+ evaluation} and \emph{code} for code generation in SML.
+
+ \item @{command (HOL) "values"}~@{text t} enumerates a set
+ comprehension by evaluation and prints its values up to the given
+ number of solutions; optionally @{text modes} can be specified,
+ which are appended to the current print mode; see
+ \secref{sec:print-modes}.
+
+ \item @{command (HOL) "quickcheck"} tests the current goal for
+ counterexamples using a series of assignments for its free
+ variables; by default the first subgoal is tested, an other can be
+ selected explicitly using an optional goal index. Assignments can
+ be chosen exhausting the search space upto a given size, or using a
+ fixed number of random assignments in the search space, or exploring
+ the search space symbolically using narrowing. By default,
+ quickcheck uses exhaustive testing. A number of configuration
+ options are supported for @{command (HOL) "quickcheck"}, notably:
+
+ \begin{description}
+
+ \item[@{text tester}] specifies which testing approach to apply.
+ There are three testers, @{text exhaustive}, @{text random}, and
+ @{text narrowing}. An unknown configuration option is treated as
+ an argument to tester, making @{text "tester ="} optional. When
+ multiple testers are given, these are applied in parallel. If no
+ tester is specified, quickcheck uses the testers that are set
+ active, i.e., configurations @{attribute
+ quickcheck_exhaustive_active}, @{attribute
+ quickcheck_random_active}, @{attribute
+ quickcheck_narrowing_active} are set to true.
+
+ \item[@{text size}] specifies the maximum size of the search space
+ for assignment values.
+
+ \item[@{text genuine_only}] sets quickcheck only to return genuine
+ counterexample, but not potentially spurious counterexamples due
+ to underspecified functions.
+
+ \item[@{text abort_potential}] sets quickcheck to abort once it
+ found a potentially spurious counterexample and to not continue
+ to search for a further genuine counterexample.
+ For this option to be effective, the @{text genuine_only} option
+ must be set to false.
+
+ \item[@{text eval}] takes a term or a list of terms and evaluates
+ these terms under the variable assignment found by quickcheck.
+ This option is currently only supported by the default
+ (exhaustive) tester.
+
+ \item[@{text iterations}] sets how many sets of assignments are
+ generated for each particular size.
+
+ \item[@{text no_assms}] specifies whether assumptions in
+ structured proofs should be ignored.
+
+ \item[@{text locale}] specifies how to process conjectures in
+ a locale context, i.e., they can be interpreted or expanded.
+ The option is a whitespace-separated list of the two words
+ @{text interpret} and @{text expand}. The list determines the
+ order they are employed. The default setting is to first use
+ interpretations and then test the expanded conjecture.
+ The option is only provided as attribute declaration, but not
+ as parameter to the command.
+
+ \item[@{text timeout}] sets the time limit in seconds.
+
+ \item[@{text default_type}] sets the type(s) generally used to
+ instantiate type variables.
+
+ \item[@{text report}] if set quickcheck reports how many tests
+ fulfilled the preconditions.
+
+ \item[@{text use_subtype}] if set quickcheck automatically lifts
+ conjectures to registered subtypes if possible, and tests the
+ lifted conjecture.
+
+ \item[@{text quiet}] if set quickcheck does not output anything
+ while testing.
+
+ \item[@{text verbose}] if set quickcheck informs about the current
+ size and cardinality while testing.
+
+ \item[@{text expect}] can be used to check if the user's
+ expectation was met (@{text no_expectation}, @{text
+ no_counterexample}, or @{text counterexample}).
+
+ \end{description}
+
+ These option can be given within square brackets.
+
+ \item @{command (HOL) "quickcheck_params"} changes @{command (HOL)
+ "quickcheck"} configuration options persistently.
+
+ \item @{command (HOL) "quickcheck_generator"} creates random and
+ exhaustive value generators for a given type and operations. It
+ generates values by using the operations as if they were
+ constructors of that type.
+
+ \item @{command (HOL) "refute"} tests the current goal for
+ counterexamples using a reduction to SAT. The following
+ configuration options are supported:
+
+ \begin{description}
+
+ \item[@{text minsize}] specifies the minimum size (cardinality) of
+ the models to search for.
+
+ \item[@{text maxsize}] specifies the maximum size (cardinality) of
+ the models to search for. Nonpositive values mean @{text "\<infinity>"}.
+
+ \item[@{text maxvars}] specifies the maximum number of Boolean
+ variables to use when transforming the term into a propositional
+ formula. Nonpositive values mean @{text "\<infinity>"}.
+
+ \item[@{text satsolver}] specifies the SAT solver to use.
+
+ \item[@{text no_assms}] specifies whether assumptions in
+ structured proofs should be ignored.
+
+ \item[@{text maxtime}] sets the time limit in seconds.
+
+ \item[@{text expect}] can be used to check if the user's
+ expectation was met (@{text genuine}, @{text potential}, @{text
+ none}, or @{text unknown}).
+
+ \end{description}
+
+ These option can be given within square brackets.
+
+ \item @{command (HOL) "refute_params"} changes @{command (HOL)
+ "refute"} configuration options persistently.
+
+ \item @{command (HOL) "nitpick"} tests the current goal for
+ counterexamples using a reduction to first-order relational
+ logic. See the Nitpick manual \cite{isabelle-nitpick} for details.
+
+ \item @{command (HOL) "nitpick_params"} changes @{command (HOL)
+ "nitpick"} configuration options persistently.
+
+ \item @{command (HOL) "find_unused_assms"} finds potentially superfluous
+ assumptions in theorems using quickcheck.
+ It takes the theory name to be checked for superfluous assumptions as
+ optional argument. If not provided, it checks the current theory.
+ Options to the internal quickcheck invocations can be changed with
+ common configuration declarations.
+
+ \end{description}
+*}
+
+
+section {* Unstructured case analysis and induction \label{sec:hol-induct-tac} *}
+
+text {*
+ The following tools of Isabelle/HOL support cases analysis and
+ induction in unstructured tactic scripts; see also
+ \secref{sec:cases-induct} for proper Isar versions of similar ideas.
+
+ \begin{matharray}{rcl}
+ @{method_def (HOL) case_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def (HOL) induct_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def (HOL) ind_cases}@{text "\<^sup>*"} & : & @{text method} \\
+ @{command_def (HOL) "inductive_cases"}@{text "\<^sup>*"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method (HOL) case_tac} @{syntax goal_spec}? @{syntax term} rule?
+ ;
+ @@{method (HOL) induct_tac} @{syntax goal_spec}? (@{syntax insts} * @'and') rule?
+ ;
+ @@{method (HOL) ind_cases} (@{syntax prop}+) (@'for' (@{syntax name}+))?
+ ;
+ @@{command (HOL) inductive_cases} (@{syntax thmdecl}? (@{syntax prop}+) + @'and')
+ ;
+
+ rule: 'rule' ':' @{syntax thmref}
+ "}
+
+ \begin{description}
+
+ \item @{method (HOL) case_tac} and @{method (HOL) induct_tac} admit
+ to reason about inductive types. Rules are selected according to
+ the declarations by the @{attribute cases} and @{attribute induct}
+ attributes, cf.\ \secref{sec:cases-induct}. The @{command (HOL)
+ datatype} package already takes care of this.
+
+ These unstructured tactics feature both goal addressing and dynamic
+ instantiation. Note that named rule cases are \emph{not} provided
+ as would be by the proper @{method cases} and @{method induct} proof
+ methods (see \secref{sec:cases-induct}). Unlike the @{method
+ induct} method, @{method induct_tac} does not handle structured rule
+ statements, only the compact object-logic conclusion of the subgoal
+ being addressed.
+
+ \item @{method (HOL) ind_cases} and @{command (HOL)
+ "inductive_cases"} provide an interface to the internal @{ML_text
+ mk_cases} operation. Rules are simplified in an unrestricted
+ forward manner.
+
+ While @{method (HOL) ind_cases} is a proof method to apply the
+ result immediately as elimination rules, @{command (HOL)
+ "inductive_cases"} provides case split theorems at the theory level
+ for later use. The @{keyword "for"} argument of the @{method (HOL)
+ ind_cases} method allows to specify a list of variables that should
+ be generalized before applying the resulting rule.
+
+ \end{description}
+*}
+
+
+section {* Executable code *}
+
+text {* For validation purposes, it is often useful to \emph{execute}
+ specifications. In principle, execution could be simulated by
+ Isabelle's inference kernel, i.e. by a combination of resolution and
+ simplification. Unfortunately, this approach is rather inefficient.
+ A more efficient way of executing specifications is to translate
+ them into a functional programming language such as ML.
+
+ Isabelle provides a generic framework to support code generation
+ from executable specifications. Isabelle/HOL instantiates these
+ mechanisms in a way that is amenable to end-user applications. Code
+ can be generated for functional programs (including overloading
+ using type classes) targeting SML \cite{SML}, OCaml \cite{OCaml},
+ Haskell \cite{haskell-revised-report} and Scala
+ \cite{scala-overview-tech-report}. Conceptually, code generation is
+ split up in three steps: \emph{selection} of code theorems,
+ \emph{translation} into an abstract executable view and
+ \emph{serialization} to a specific \emph{target language}.
+ Inductive specifications can be executed using the predicate
+ compiler which operates within HOL. See \cite{isabelle-codegen} for
+ an introduction.
+
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "export_code"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def (HOL) code} & : & @{text attribute} \\
+ @{command_def (HOL) "code_abort"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_datatype"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "print_codesetup"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def (HOL) code_unfold} & : & @{text attribute} \\
+ @{attribute_def (HOL) code_post} & : & @{text attribute} \\
+ @{attribute_def (HOL) code_abbrev} & : & @{text attribute} \\
+ @{command_def (HOL) "print_codeproc"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def (HOL) "code_thms"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def (HOL) "code_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def (HOL) "code_const"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_type"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_class"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_instance"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_reserved"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_monad"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_include"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_modulename"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_reflect"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (HOL) "code_pred"} & : & @{text "theory \<rightarrow> proof(prove)"}
+ \end{matharray}
+
+ @{rail "
+ @@{command (HOL) export_code} ( constexpr + ) \\
+ ( ( @'in' target ( @'module_name' @{syntax string} ) ? \\
+ ( @'file' ( @{syntax string} | '-' ) ) ? ( '(' args ')' ) ?) + ) ?
+ ;
+
+ const: @{syntax term}
+ ;
+
+ constexpr: ( const | 'name._' | '_' )
+ ;
+
+ typeconstructor: @{syntax nameref}
+ ;
+
+ class: @{syntax nameref}
+ ;
+
+ target: 'SML' | 'OCaml' | 'Haskell' | 'Scala'
+ ;
+
+ @@{attribute (HOL) code} ( 'del' | 'abstype' | 'abstract' )?
+ ;
+
+ @@{command (HOL) code_abort} ( const + )
+ ;
+
+ @@{command (HOL) code_datatype} ( const + )
+ ;
+
+ @@{attribute (HOL) code_unfold} ( 'del' ) ?
+ ;
+
+ @@{attribute (HOL) code_post} ( 'del' ) ?
+ ;
+
+ @@{attribute (HOL) code_abbrev}
+ ;
+
+ @@{command (HOL) code_thms} ( constexpr + ) ?
+ ;
+
+ @@{command (HOL) code_deps} ( constexpr + ) ?
+ ;
+
+ @@{command (HOL) code_const} (const + @'and') \\
+ ( ( '(' target ( syntax ? + @'and' ) ')' ) + )
+ ;
+
+ @@{command (HOL) code_type} (typeconstructor + @'and') \\
+ ( ( '(' target ( syntax ? + @'and' ) ')' ) + )
+ ;
+
+ @@{command (HOL) code_class} (class + @'and') \\
+ ( ( '(' target \\ ( @{syntax string} ? + @'and' ) ')' ) + )
+ ;
+
+ @@{command (HOL) code_instance} (( typeconstructor '::' class ) + @'and') \\
+ ( ( '(' target ( '-' ? + @'and' ) ')' ) + )
+ ;
+
+ @@{command (HOL) code_reserved} target ( @{syntax string} + )
+ ;
+
+ @@{command (HOL) code_monad} const const target
+ ;
+
+ @@{command (HOL) code_include} target ( @{syntax string} ( @{syntax string} | '-') )
+ ;
+
+ @@{command (HOL) code_modulename} target ( ( @{syntax string} @{syntax string} ) + )
+ ;
+
+ @@{command (HOL) code_reflect} @{syntax string} \\
+ ( @'datatypes' ( @{syntax string} '=' ( '_' | ( @{syntax string} + '|' ) + @'and' ) ) ) ? \\
+ ( @'functions' ( @{syntax string} + ) ) ? ( @'file' @{syntax string} ) ?
+ ;
+
+ @@{command (HOL) code_pred} \\( '(' @'modes' ':' modedecl ')')? \\ const
+ ;
+
+ syntax: @{syntax string} | ( @'infix' | @'infixl' | @'infixr' ) @{syntax nat} @{syntax string}
+ ;
+
+ modedecl: (modes | ((const ':' modes) \\
+ (@'and' ((const ':' modes @'and') +))?))
+ ;
+
+ modes: mode @'as' const
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "export_code"} generates code for a given list
+ of constants in the specified target language(s). If no
+ serialization instruction is given, only abstract code is generated
+ internally.
+
+ Constants may be specified by giving them literally, referring to
+ all executable contants within a certain theory by giving @{text
+ "name.*"}, or referring to \emph{all} executable constants currently
+ available by giving @{text "*"}.
+
+ By default, for each involved theory one corresponding name space
+ module is generated. Alternativly, a module name may be specified
+ after the @{keyword "module_name"} keyword; then \emph{all} code is
+ placed in this module.
+
+ For \emph{SML}, \emph{OCaml} and \emph{Scala} the file specification
+ refers to a single file; for \emph{Haskell}, it refers to a whole
+ directory, where code is generated in multiple files reflecting the
+ module hierarchy. Omitting the file specification denotes standard
+ output.
+
+ Serializers take an optional list of arguments in parentheses. For
+ \emph{SML} and \emph{OCaml}, ``@{text no_signatures}`` omits
+ explicit module signatures.
+
+ For \emph{Haskell} a module name prefix may be given using the
+ ``@{text "root:"}'' argument; ``@{text string_classes}'' adds a
+ ``@{verbatim "deriving (Read, Show)"}'' clause to each appropriate
+ datatype declaration.
+
+ \item @{attribute (HOL) code} explicitly selects (or with option
+ ``@{text "del"}'' deselects) a code equation for code generation.
+ Usually packages introducing code equations provide a reasonable
+ default setup for selection. Variants @{text "code abstype"} and
+ @{text "code abstract"} declare abstract datatype certificates or
+ code equations on abstract datatype representations respectively.
+
+ \item @{command (HOL) "code_abort"} declares constants which are not
+ required to have a definition by means of code equations; if needed
+ these are implemented by program abort instead.
+
+ \item @{command (HOL) "code_datatype"} specifies a constructor set
+ for a logical type.
+
+ \item @{command (HOL) "print_codesetup"} gives an overview on
+ selected code equations and code generator datatypes.
+
+ \item @{attribute (HOL) code_unfold} declares (or with option
+ ``@{text "del"}'' removes) theorems which during preprocessing
+ are applied as rewrite rules to any code equation or evaluation
+ input.
+
+ \item @{attribute (HOL) code_post} declares (or with option ``@{text
+ "del"}'' removes) theorems which are applied as rewrite rules to any
+ result of an evaluation.
+
+ \item @{attribute (HOL) code_abbrev} declares equations which are
+ applied as rewrite rules to any result of an evaluation and
+ symmetrically during preprocessing to any code equation or evaluation
+ input.
+
+ \item @{command (HOL) "print_codeproc"} prints the setup of the code
+ generator preprocessor.
+
+ \item @{command (HOL) "code_thms"} prints a list of theorems
+ representing the corresponding program containing all given
+ constants after preprocessing.
+
+ \item @{command (HOL) "code_deps"} visualizes dependencies of
+ theorems representing the corresponding program containing all given
+ constants after preprocessing.
+
+ \item @{command (HOL) "code_const"} associates a list of constants
+ with target-specific serializations; omitting a serialization
+ deletes an existing serialization.
+
+ \item @{command (HOL) "code_type"} associates a list of type
+ constructors with target-specific serializations; omitting a
+ serialization deletes an existing serialization.
+
+ \item @{command (HOL) "code_class"} associates a list of classes
+ with target-specific class names; omitting a serialization deletes
+ an existing serialization. This applies only to \emph{Haskell}.
+
+ \item @{command (HOL) "code_instance"} declares a list of type
+ constructor / class instance relations as ``already present'' for a
+ given target. Omitting a ``@{text "-"}'' deletes an existing
+ ``already present'' declaration. This applies only to
+ \emph{Haskell}.
+
+ \item @{command (HOL) "code_reserved"} declares a list of names as
+ reserved for a given target, preventing it to be shadowed by any
+ generated code.
+
+ \item @{command (HOL) "code_monad"} provides an auxiliary mechanism
+ to generate monadic code for Haskell.
+
+ \item @{command (HOL) "code_include"} adds arbitrary named content
+ (``include'') to generated code. A ``@{text "-"}'' as last argument
+ will remove an already added ``include''.
+
+ \item @{command (HOL) "code_modulename"} declares aliasings from one
+ module name onto another.
+
+ \item @{command (HOL) "code_reflect"} without a ``@{text "file"}''
+ argument compiles code into the system runtime environment and
+ modifies the code generator setup that future invocations of system
+ runtime code generation referring to one of the ``@{text
+ "datatypes"}'' or ``@{text "functions"}'' entities use these
+ precompiled entities. With a ``@{text "file"}'' argument, the
+ corresponding code is generated into that specified file without
+ modifying the code generator setup.
+
+ \item @{command (HOL) "code_pred"} creates code equations for a
+ predicate given a set of introduction rules. Optional mode
+ annotations determine which arguments are supposed to be input or
+ output. If alternative introduction rules are declared, one must
+ prove a corresponding elimination rule.
+
+ \end{description}
+*}
+
+
+section {* Definition by specification \label{sec:hol-specification} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (HOL) "specification"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ @{command_def (HOL) "ax_specification"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command (HOL) specification} | @@{command (HOL) ax_specification})
+ '(' (decl +) ')' \\ (@{syntax thmdecl}? @{syntax prop} +)
+ ;
+ decl: ((@{syntax name} ':')? @{syntax term} '(' @'overloaded' ')'?)
+ "}
+
+ \begin{description}
+
+ \item @{command (HOL) "specification"}~@{text "decls \<phi>"} sets up a
+ goal stating the existence of terms with the properties specified to
+ hold for the constants given in @{text decls}. After finishing the
+ proof, the theory will be augmented with definitions for the given
+ constants, as well as with theorems stating the properties for these
+ constants.
+
+ \item @{command (HOL) "ax_specification"}~@{text "decls \<phi>"} sets up
+ a goal stating the existence of terms with the properties specified
+ to hold for the constants given in @{text decls}. After finishing
+ the proof, the theory will be augmented with axioms expressing the
+ properties given in the first place.
+
+ \item @{text decl} declares a constant to be defined by the
+ specification given. The definition for the constant @{text c} is
+ bound to the name @{text c_def} unless a theorem name is given in
+ the declaration. Overloaded constants should be declared as such.
+
+ \end{description}
+
+ Whether to use @{command (HOL) "specification"} or @{command (HOL)
+ "ax_specification"} is to some extent a matter of style. @{command
+ (HOL) "specification"} introduces no new axioms, and so by
+ construction cannot introduce inconsistencies, whereas @{command
+ (HOL) "ax_specification"} does introduce axioms, but only after the
+ user has explicitly proven it to be safe. A practical issue must be
+ considered, though: After introducing two constants with the same
+ properties using @{command (HOL) "specification"}, one can prove
+ that the two constants are, in fact, equal. If this might be a
+ problem, one should use @{command (HOL) "ax_specification"}.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Inner_Syntax.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1574 @@
+theory Inner_Syntax
+imports Base Main
+begin
+
+chapter {* Inner syntax --- the term language \label{ch:inner-syntax} *}
+
+text {* The inner syntax of Isabelle provides concrete notation for
+ the main entities of the logical framework, notably @{text
+ "\<lambda>"}-terms with types and type classes. Applications may either
+ extend existing syntactic categories by additional notation, or
+ define new sub-languages that are linked to the standard term
+ language via some explicit markers. For example @{verbatim
+ FOO}~@{text "foo"} could embed the syntax corresponding for some
+ user-defined nonterminal @{text "foo"} --- within the bounds of the
+ given lexical syntax of Isabelle/Pure.
+
+ The most basic way to specify concrete syntax for logical entities
+ works via mixfix annotations (\secref{sec:mixfix}), which may be
+ usually given as part of the original declaration or via explicit
+ notation commands later on (\secref{sec:notation}). This already
+ covers many needs of concrete syntax without having to understand
+ the full complexity of inner syntax layers.
+
+ Further details of the syntax engine involves the classical
+ distinction of lexical language versus context-free grammar (see
+ \secref{sec:pure-syntax}), and various mechanisms for \emph{syntax
+ transformations} (see \secref{sec:syntax-transformations}).
+*}
+
+
+section {* Printing logical entities *}
+
+subsection {* Diagnostic commands \label{sec:print-diag} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "typ"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "term"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "prop"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "thm"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "prf"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "full_prf"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "pr"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ \end{matharray}
+
+ These diagnostic commands assist interactive development by printing
+ internal logical entities in a human-readable fashion.
+
+ @{rail "
+ @@{command typ} @{syntax modes}? @{syntax type} ('::' @{syntax sort})?
+ ;
+ @@{command term} @{syntax modes}? @{syntax term}
+ ;
+ @@{command prop} @{syntax modes}? @{syntax prop}
+ ;
+ @@{command thm} @{syntax modes}? @{syntax thmrefs}
+ ;
+ ( @@{command prf} | @@{command full_prf} ) @{syntax modes}? @{syntax thmrefs}?
+ ;
+ @@{command pr} @{syntax modes}? @{syntax nat}?
+ ;
+
+ @{syntax_def modes}: '(' (@{syntax name} + ) ')'
+ "}
+
+ \begin{description}
+
+ \item @{command "typ"}~@{text \<tau>} reads and prints a type expression
+ according to the current context.
+
+ \item @{command "typ"}~@{text "\<tau> :: s"} uses type-inference to
+ determine the most general way to make @{text "\<tau>"} conform to sort
+ @{text "s"}. For concrete @{text "\<tau>"} this checks if the type
+ belongs to that sort. Dummy type parameters ``@{text "_"}''
+ (underscore) are assigned to fresh type variables with most general
+ sorts, according the the principles of type-inference.
+
+ \item @{command "term"}~@{text t} and @{command "prop"}~@{text \<phi>}
+ read, type-check and print terms or propositions according to the
+ current theory or proof context; the inferred type of @{text t} is
+ output as well. Note that these commands are also useful in
+ inspecting the current environment of term abbreviations.
+
+ \item @{command "thm"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} retrieves
+ theorems from the current theory or proof context. Note that any
+ attributes included in the theorem specifications are applied to a
+ temporary context derived from the current theory or proof; the
+ result is discarded, i.e.\ attributes involved in @{text "a\<^sub>1,
+ \<dots>, a\<^sub>n"} do not have any permanent effect.
+
+ \item @{command "prf"} displays the (compact) proof term of the
+ current proof state (if present), or of the given theorems. Note
+ that this requires proof terms to be switched on for the current
+ object logic (see the ``Proof terms'' section of the Isabelle
+ reference manual for information on how to do this).
+
+ \item @{command "full_prf"} is like @{command "prf"}, but displays
+ the full proof term, i.e.\ also displays information omitted in the
+ compact proof term, which is denoted by ``@{text _}'' placeholders
+ there.
+
+ \item @{command "pr"}~@{text "goals"} prints the current proof state
+ (if present), including current facts and goals. The optional limit
+ arguments affect the number of goals to be displayed, which is
+ initially 10. Omitting limit value leaves the current setting
+ unchanged.
+
+ \end{description}
+
+ All of the diagnostic commands above admit a list of @{text modes}
+ to be specified, which is appended to the current print mode; see
+ also \secref{sec:print-modes}. Thus the output behavior may be
+ modified according particular print mode features. For example,
+ @{command "pr"}~@{text "(latex xsymbols)"} would print the current
+ proof state with mathematical symbols and special characters
+ represented in {\LaTeX} source, according to the Isabelle style
+ \cite{isabelle-sys}.
+
+ Note that antiquotations (cf.\ \secref{sec:antiq}) provide a more
+ systematic way to include formal items into the printed text
+ document.
+*}
+
+
+subsection {* Details of printed content *}
+
+text {*
+ \begin{tabular}{rcll}
+ @{attribute_def show_types} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_sorts} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_consts} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_abbrevs} & : & @{text attribute} & default @{text true} \\
+ @{attribute_def show_brackets} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def names_long} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def names_short} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def names_unique} & : & @{text attribute} & default @{text true} \\
+ @{attribute_def eta_contract} & : & @{text attribute} & default @{text true} \\
+ @{attribute_def goals_limit} & : & @{text attribute} & default @{text 10} \\
+ @{attribute_def show_main_goal} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_hyps} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_tags} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def show_question_marks} & : & @{text attribute} & default @{text true} \\
+ \end{tabular}
+ \medskip
+
+ These configuration options control the detail of information that
+ is displayed for types, terms, theorems, goals etc. See also
+ \secref{sec:config}.
+
+ \begin{description}
+
+ \item @{attribute show_types} and @{attribute show_sorts} control
+ printing of type constraints for term variables, and sort
+ constraints for type variables. By default, neither of these are
+ shown in output. If @{attribute show_sorts} is enabled, types are
+ always shown as well.
+
+ Note that displaying types and sorts may explain why a polymorphic
+ inference rule fails to resolve with some goal, or why a rewrite
+ rule does not apply as expected.
+
+ \item @{attribute show_consts} controls printing of types of
+ constants when displaying a goal state.
+
+ Note that the output can be enormous, because polymorphic constants
+ often occur at several different type instances.
+
+ \item @{attribute show_abbrevs} controls folding of constant
+ abbreviations.
+
+ \item @{attribute show_brackets} controls bracketing in pretty
+ printed output. If enabled, all sub-expressions of the pretty
+ printing tree will be parenthesized, even if this produces malformed
+ term syntax! This crude way of showing the internal structure of
+ pretty printed entities may occasionally help to diagnose problems
+ with operator priorities, for example.
+
+ \item @{attribute names_long}, @{attribute names_short}, and
+ @{attribute names_unique} control the way of printing fully
+ qualified internal names in external form. See also
+ \secref{sec:antiq} for the document antiquotation options of the
+ same names.
+
+ \item @{attribute eta_contract} controls @{text "\<eta>"}-contracted
+ printing of terms.
+
+ The @{text \<eta>}-contraction law asserts @{prop "(\<lambda>x. f x) \<equiv> f"},
+ provided @{text x} is not free in @{text f}. It asserts
+ \emph{extensionality} of functions: @{prop "f \<equiv> g"} if @{prop "f x \<equiv>
+ g x"} for all @{text x}. Higher-order unification frequently puts
+ terms into a fully @{text \<eta>}-expanded form. For example, if @{text
+ F} has type @{text "(\<tau> \<Rightarrow> \<tau>) \<Rightarrow> \<tau>"} then its expanded form is @{term
+ "\<lambda>h. F (\<lambda>x. h x)"}.
+
+ Enabling @{attribute eta_contract} makes Isabelle perform @{text
+ \<eta>}-contractions before printing, so that @{term "\<lambda>h. F (\<lambda>x. h x)"}
+ appears simply as @{text F}.
+
+ Note that the distinction between a term and its @{text \<eta>}-expanded
+ form occasionally matters. While higher-order resolution and
+ rewriting operate modulo @{text "\<alpha>\<beta>\<eta>"}-conversion, some other tools
+ might look at terms more discretely.
+
+ \item @{attribute goals_limit} controls the maximum number of
+ subgoals to be shown in goal output.
+
+ \item @{attribute show_main_goal} controls whether the main result
+ to be proven should be displayed. This information might be
+ relevant for schematic goals, to inspect the current claim that has
+ been synthesized so far.
+
+ \item @{attribute show_hyps} controls printing of implicit
+ hypotheses of local facts. Normally, only those hypotheses are
+ displayed that are \emph{not} covered by the assumptions of the
+ current context: this situation indicates a fault in some tool being
+ used.
+
+ By enabling @{attribute show_hyps}, output of \emph{all} hypotheses
+ can be enforced, which is occasionally useful for diagnostic
+ purposes.
+
+ \item @{attribute show_tags} controls printing of extra annotations
+ within theorems, such as internal position information, or the case
+ names being attached by the attribute @{attribute case_names}.
+
+ Note that the @{attribute tagged} and @{attribute untagged}
+ attributes provide low-level access to the collection of tags
+ associated with a theorem.
+
+ \item @{attribute show_question_marks} controls printing of question
+ marks for schematic variables, such as @{text ?x}. Only the leading
+ question mark is affected, the remaining text is unchanged
+ (including proper markup for schematic variables that might be
+ relevant for user interfaces).
+
+ \end{description}
+*}
+
+
+subsection {* Alternative print modes \label{sec:print-modes} *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML print_mode_value: "unit -> string list"} \\
+ @{index_ML Print_Mode.with_modes: "string list -> ('a -> 'b) -> 'a -> 'b"} \\
+ \end{mldecls}
+
+ The \emph{print mode} facility allows to modify various operations
+ for printing. Commands like @{command typ}, @{command term},
+ @{command thm} (see \secref{sec:print-diag}) take additional print
+ modes as optional argument. The underlying ML operations are as
+ follows.
+
+ \begin{description}
+
+ \item @{ML "print_mode_value ()"} yields the list of currently
+ active print mode names. This should be understood as symbolic
+ representation of certain individual features for printing (with
+ precedence from left to right).
+
+ \item @{ML Print_Mode.with_modes}~@{text "modes f x"} evaluates
+ @{text "f x"} in an execution context where the print mode is
+ prepended by the given @{text "modes"}. This provides a thread-safe
+ way to augment print modes. It is also monotonic in the set of mode
+ names: it retains the default print mode that certain
+ user-interfaces might have installed for their proper functioning!
+
+ \end{description}
+
+ \begin{warn}
+ The old global reference @{ML print_mode} should never be used
+ directly in applications. Its main reason for being publicly
+ accessible is to support historic versions of Proof~General.
+ \end{warn}
+
+ \medskip The pretty printer for inner syntax maintains alternative
+ mixfix productions for any print mode name invented by the user, say
+ in commands like @{command notation} or @{command abbreviation}.
+ Mode names can be arbitrary, but the following ones have a specific
+ meaning by convention:
+
+ \begin{itemize}
+
+ \item @{verbatim "\"\""} (the empty string): default mode;
+ implicitly active as last element in the list of modes.
+
+ \item @{verbatim input}: dummy print mode that is never active; may
+ be used to specify notation that is only available for input.
+
+ \item @{verbatim internal} dummy print mode that is never active;
+ used internally in Isabelle/Pure.
+
+ \item @{verbatim xsymbols}: enable proper mathematical symbols
+ instead of ASCII art.\footnote{This traditional mode name stems from
+ the ``X-Symbol'' package for old versions Proof~General with XEmacs,
+ although that package has been superseded by Unicode in recent
+ years.}
+
+ \item @{verbatim HTML}: additional mode that is active in HTML
+ presentation of Isabelle theory sources; allows to provide
+ alternative output notation.
+
+ \item @{verbatim latex}: additional mode that is active in {\LaTeX}
+ document preparation of Isabelle theory sources; allows to provide
+ alternative output notation.
+
+ \end{itemize}
+*}
+
+
+subsection {* Printing limits *}
+
+text {*
+ \begin{mldecls}
+ @{index_ML Pretty.margin_default: "int Unsynchronized.ref"} \\
+ @{index_ML print_depth: "int -> unit"} \\
+ \end{mldecls}
+
+ These ML functions set limits for pretty printed text.
+
+ \begin{description}
+
+ \item @{ML Pretty.margin_default} indicates the global default for
+ the right margin of the built-in pretty printer, with initial value
+ 76. Note that user-interfaces typically control margins
+ automatically when resizing windows, or even bypass the formatting
+ engine of Isabelle/ML altogether and do it within the front end via
+ Isabelle/Scala.
+
+ \item @{ML print_depth}~@{text n} limits the printing depth of the
+ ML toplevel pretty printer; the precise effect depends on the ML
+ compiler and run-time system. Typically @{text n} should be less
+ than 10. Bigger values such as 100--1000 are useful for debugging.
+
+ \end{description}
+*}
+
+
+section {* Mixfix annotations \label{sec:mixfix} *}
+
+text {* Mixfix annotations specify concrete \emph{inner syntax} of
+ Isabelle types and terms. Locally fixed parameters in toplevel
+ theorem statements, locale and class specifications also admit
+ mixfix annotations in a fairly uniform manner. A mixfix annotation
+ describes describes the concrete syntax, the translation to abstract
+ syntax, and the pretty printing. Special case annotations provide a
+ simple means of specifying infix operators and binders.
+
+ Isabelle mixfix syntax is inspired by {\OBJ} \cite{OBJ}. It allows
+ to specify any context-free priority grammar, which is more general
+ than the fixity declarations of ML and Prolog.
+
+ @{rail "
+ @{syntax_def mixfix}: '(' mfix ')'
+ ;
+ @{syntax_def struct_mixfix}: '(' ( mfix | @'structure' ) ')'
+ ;
+
+ mfix: @{syntax template} prios? @{syntax nat}? |
+ (@'infix' | @'infixl' | @'infixr') @{syntax template} @{syntax nat} |
+ @'binder' @{syntax template} prios? @{syntax nat}
+ ;
+ template: string
+ ;
+ prios: '[' (@{syntax nat} + ',') ']'
+ "}
+
+ The string given as @{text template} may include literal text,
+ spacing, blocks, and arguments (denoted by ``@{text _}''); the
+ special symbol ``@{verbatim "\<index>"}'' (printed as ``@{text "\<index>"}'')
+ represents an index argument that specifies an implicit structure
+ reference (see also \secref{sec:locale}). Infix and binder
+ declarations provide common abbreviations for particular mixfix
+ declarations. So in practice, mixfix templates mostly degenerate to
+ literal text for concrete syntax, such as ``@{verbatim "++"}'' for
+ an infix symbol.
+*}
+
+
+subsection {* The general mixfix form *}
+
+text {* In full generality, mixfix declarations work as follows.
+ Suppose a constant @{text "c :: \<tau>\<^sub>1 \<Rightarrow> \<dots> \<tau>\<^sub>n \<Rightarrow> \<tau>"} is annotated by
+ @{text "(mixfix [p\<^sub>1, \<dots>, p\<^sub>n] p)"}, where @{text "mixfix"} is a string
+ @{text "d\<^sub>0 _ d\<^sub>1 _ \<dots> _ d\<^sub>n"} consisting of delimiters that surround
+ argument positions as indicated by underscores.
+
+ Altogether this determines a production for a context-free priority
+ grammar, where for each argument @{text "i"} the syntactic category
+ is determined by @{text "\<tau>\<^sub>i"} (with priority @{text "p\<^sub>i"}), and the
+ result category is determined from @{text "\<tau>"} (with priority @{text
+ "p"}). Priority specifications are optional, with default 0 for
+ arguments and 1000 for the result.\footnote{Omitting priorities is
+ prone to syntactic ambiguities unless the delimiter tokens determine
+ fully bracketed notation, as in @{text "if _ then _ else _ fi"}.}
+
+ Since @{text "\<tau>"} may be again a function type, the constant
+ type scheme may have more argument positions than the mixfix
+ pattern. Printing a nested application @{text "c t\<^sub>1 \<dots> t\<^sub>m"} for
+ @{text "m > n"} works by attaching concrete notation only to the
+ innermost part, essentially by printing @{text "(c t\<^sub>1 \<dots> t\<^sub>n) \<dots> t\<^sub>m"}
+ instead. If a term has fewer arguments than specified in the mixfix
+ template, the concrete syntax is ignored.
+
+ \medskip A mixfix template may also contain additional directives
+ for pretty printing, notably spaces, blocks, and breaks. The
+ general template format is a sequence over any of the following
+ entities.
+
+ \begin{description}
+
+ \item @{text "d"} is a delimiter, namely a non-empty sequence of
+ characters other than the following special characters:
+
+ \smallskip
+ \begin{tabular}{ll}
+ @{verbatim "'"} & single quote \\
+ @{verbatim "_"} & underscore \\
+ @{text "\<index>"} & index symbol \\
+ @{verbatim "("} & open parenthesis \\
+ @{verbatim ")"} & close parenthesis \\
+ @{verbatim "/"} & slash \\
+ \end{tabular}
+ \medskip
+
+ \item @{verbatim "'"} escapes the special meaning of these
+ meta-characters, producing a literal version of the following
+ character, unless that is a blank.
+
+ A single quote followed by a blank separates delimiters, without
+ affecting printing, but input tokens may have additional white space
+ here.
+
+ \item @{verbatim "_"} is an argument position, which stands for a
+ certain syntactic category in the underlying grammar.
+
+ \item @{text "\<index>"} is an indexed argument position; this is the place
+ where implicit structure arguments can be attached.
+
+ \item @{text "s"} is a non-empty sequence of spaces for printing.
+ This and the following specifications do not affect parsing at all.
+
+ \item @{verbatim "("}@{text n} opens a pretty printing block. The
+ optional number specifies how much indentation to add when a line
+ break occurs within the block. If the parenthesis is not followed
+ by digits, the indentation defaults to 0. A block specified via
+ @{verbatim "(00"} is unbreakable.
+
+ \item @{verbatim ")"} closes a pretty printing block.
+
+ \item @{verbatim "//"} forces a line break.
+
+ \item @{verbatim "/"}@{text s} allows a line break. Here @{text s}
+ stands for the string of spaces (zero or more) right after the
+ slash. These spaces are printed if the break is \emph{not} taken.
+
+ \end{description}
+
+ The general idea of pretty printing with blocks and breaks is also
+ described in \cite{paulson-ml2}; it goes back to \cite{Oppen:1980}.
+*}
+
+
+subsection {* Infixes *}
+
+text {* Infix operators are specified by convenient short forms that
+ abbreviate general mixfix annotations as follows:
+
+ \begin{center}
+ \begin{tabular}{lll}
+
+ @{verbatim "("}@{keyword_def "infix"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
+ & @{text "\<mapsto>"} &
+ @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p + 1"}@{verbatim ", "}@{text "p + 1"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
+ @{verbatim "("}@{keyword_def "infixl"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
+ & @{text "\<mapsto>"} &
+ @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p"}@{verbatim ", "}@{text "p + 1"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
+ @{verbatim "("}@{keyword_def "infixr"}~@{verbatim "\""}@{text sy}@{verbatim "\""} @{text "p"}@{verbatim ")"}
+ & @{text "\<mapsto>"} &
+ @{verbatim "(\"(_ "}@{text sy}@{verbatim "/ _)\" ["}@{text "p + 1"}@{verbatim ", "}@{text "p"}@{verbatim "]"}@{text " p"}@{verbatim ")"} \\
+
+ \end{tabular}
+ \end{center}
+
+ The mixfix template @{verbatim "\"(_ "}@{text sy}@{verbatim "/ _)\""}
+ specifies two argument positions; the delimiter is preceded by a
+ space and followed by a space or line break; the entire phrase is a
+ pretty printing block.
+
+ The alternative notation @{verbatim "op"}~@{text sy} is introduced
+ in addition. Thus any infix operator may be written in prefix form
+ (as in ML), independently of the number of arguments in the term.
+*}
+
+
+subsection {* Binders *}
+
+text {* A \emph{binder} is a variable-binding construct such as a
+ quantifier. The idea to formalize @{text "\<forall>x. b"} as @{text "All
+ (\<lambda>x. b)"} for @{text "All :: ('a \<Rightarrow> bool) \<Rightarrow> bool"} already goes back
+ to \cite{church40}. Isabelle declarations of certain higher-order
+ operators may be annotated with @{keyword_def "binder"} annotations
+ as follows:
+
+ \begin{center}
+ @{text "c :: "}@{verbatim "\""}@{text "(\<tau>\<^sub>1 \<Rightarrow> \<tau>\<^sub>2) \<Rightarrow> \<tau>\<^sub>3"}@{verbatim "\" ("}@{keyword "binder"}@{verbatim " \""}@{text "sy"}@{verbatim "\" ["}@{text "p"}@{verbatim "] "}@{text "q"}@{verbatim ")"}
+ \end{center}
+
+ This introduces concrete binder syntax @{text "sy x. b"}, where
+ @{text x} is a bound variable of type @{text "\<tau>\<^sub>1"}, the body @{text
+ b} has type @{text "\<tau>\<^sub>2"} and the whole term has type @{text "\<tau>\<^sub>3"}.
+ The optional integer @{text p} specifies the syntactic priority of
+ the body; the default is @{text "q"}, which is also the priority of
+ the whole construct.
+
+ Internally, the binder syntax is expanded to something like this:
+ \begin{center}
+ @{text "c_binder :: "}@{verbatim "\""}@{text "idts \<Rightarrow> \<tau>\<^sub>2 \<Rightarrow> \<tau>\<^sub>3"}@{verbatim "\" (\"(3"}@{text sy}@{verbatim "_./ _)\" [0, "}@{text "p"}@{verbatim "] "}@{text "q"}@{verbatim ")"}
+ \end{center}
+
+ Here @{syntax (inner) idts} is the nonterminal symbol for a list of
+ identifiers with optional type constraints (see also
+ \secref{sec:pure-grammar}). The mixfix template @{verbatim
+ "\"(3"}@{text sy}@{verbatim "_./ _)\""} defines argument positions
+ for the bound identifiers and the body, separated by a dot with
+ optional line break; the entire phrase is a pretty printing block of
+ indentation level 3. Note that there is no extra space after @{text
+ "sy"}, so it needs to be included user specification if the binder
+ syntax ends with a token that may be continued by an identifier
+ token at the start of @{syntax (inner) idts}.
+
+ Furthermore, a syntax translation to transforms @{text "c_binder x\<^sub>1
+ \<dots> x\<^sub>n b"} into iterated application @{text "c (\<lambda>x\<^sub>1. \<dots> c (\<lambda>x\<^sub>n. b)\<dots>)"}.
+ This works in both directions, for parsing and printing. *}
+
+
+section {* Explicit notation \label{sec:notation} *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "type_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "no_type_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "no_notation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "write"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ \end{matharray}
+
+ Commands that introduce new logical entities (terms or types)
+ usually allow to provide mixfix annotations on the spot, which is
+ convenient for default notation. Nonetheless, the syntax may be
+ modified later on by declarations for explicit notation. This
+ allows to add or delete mixfix annotations for of existing logical
+ entities within the current context.
+
+ @{rail "
+ (@@{command type_notation} | @@{command no_type_notation}) @{syntax target}?
+ @{syntax mode}? \\ (@{syntax nameref} @{syntax mixfix} + @'and')
+ ;
+ (@@{command notation} | @@{command no_notation}) @{syntax target}? @{syntax mode}? \\
+ (@{syntax nameref} @{syntax struct_mixfix} + @'and')
+ ;
+ @@{command write} @{syntax mode}? (@{syntax nameref} @{syntax struct_mixfix} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "type_notation"}~@{text "c (mx)"} associates mixfix
+ syntax with an existing type constructor. The arity of the
+ constructor is retrieved from the context.
+
+ \item @{command "no_type_notation"} is similar to @{command
+ "type_notation"}, but removes the specified syntax annotation from
+ the present context.
+
+ \item @{command "notation"}~@{text "c (mx)"} associates mixfix
+ syntax with an existing constant or fixed variable. The type
+ declaration of the given entity is retrieved from the context.
+
+ \item @{command "no_notation"} is similar to @{command "notation"},
+ but removes the specified syntax annotation from the present
+ context.
+
+ \item @{command "write"} is similar to @{command "notation"}, but
+ works within an Isar proof body.
+
+ \end{description}
+*}
+
+
+section {* The Pure syntax \label{sec:pure-syntax} *}
+
+subsection {* Lexical matters \label{sec:inner-lex} *}
+
+text {* The inner lexical syntax vaguely resembles the outer one
+ (\secref{sec:outer-lex}), but some details are different. There are
+ two main categories of inner syntax tokens:
+
+ \begin{enumerate}
+
+ \item \emph{delimiters} --- the literal tokens occurring in
+ productions of the given priority grammar (cf.\
+ \secref{sec:priority-grammar});
+
+ \item \emph{named tokens} --- various categories of identifiers etc.
+
+ \end{enumerate}
+
+ Delimiters override named tokens and may thus render certain
+ identifiers inaccessible. Sometimes the logical context admits
+ alternative ways to refer to the same entity, potentially via
+ qualified names.
+
+ \medskip The categories for named tokens are defined once and for
+ all as follows, reusing some categories of the outer token syntax
+ (\secref{sec:outer-lex}).
+
+ \begin{center}
+ \begin{supertabular}{rcl}
+ @{syntax_def (inner) id} & = & @{syntax_ref ident} \\
+ @{syntax_def (inner) longid} & = & @{syntax_ref longident} \\
+ @{syntax_def (inner) var} & = & @{syntax_ref var} \\
+ @{syntax_def (inner) tid} & = & @{syntax_ref typefree} \\
+ @{syntax_def (inner) tvar} & = & @{syntax_ref typevar} \\
+ @{syntax_def (inner) num_token} & = & @{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat} \\
+ @{syntax_def (inner) float_token} & = & @{syntax_ref nat}@{verbatim "."}@{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat}@{verbatim "."}@{syntax_ref nat} \\
+ @{syntax_def (inner) xnum_token} & = & @{verbatim "#"}@{syntax_ref nat}@{text " | "}@{verbatim "#-"}@{syntax_ref nat} \\
+
+ @{syntax_def (inner) str_token} & = & @{verbatim "''"} @{text "\<dots>"} @{verbatim "''"} \\
+ \end{supertabular}
+ \end{center}
+
+ The token categories @{syntax (inner) num_token}, @{syntax (inner)
+ float_token}, @{syntax (inner) xnum_token}, and @{syntax (inner)
+ str_token} are not used in Pure. Object-logics may implement numerals
+ and string constants by adding appropriate syntax declarations,
+ together with some translation functions (e.g.\ see Isabelle/HOL).
+
+ The derived categories @{syntax_def (inner) num_const}, @{syntax_def
+ (inner) float_const}, and @{syntax_def (inner) num_const} provide
+ robust access to the respective tokens: the syntax tree holds a
+ syntactic constant instead of a free variable.
+*}
+
+
+subsection {* Priority grammars \label{sec:priority-grammar} *}
+
+text {* A context-free grammar consists of a set of \emph{terminal
+ symbols}, a set of \emph{nonterminal symbols} and a set of
+ \emph{productions}. Productions have the form @{text "A = \<gamma>"},
+ where @{text A} is a nonterminal and @{text \<gamma>} is a string of
+ terminals and nonterminals. One designated nonterminal is called
+ the \emph{root symbol}. The language defined by the grammar
+ consists of all strings of terminals that can be derived from the
+ root symbol by applying productions as rewrite rules.
+
+ The standard Isabelle parser for inner syntax uses a \emph{priority
+ grammar}. Each nonterminal is decorated by an integer priority:
+ @{text "A\<^sup>(\<^sup>p\<^sup>)"}. In a derivation, @{text "A\<^sup>(\<^sup>p\<^sup>)"} may be rewritten
+ using a production @{text "A\<^sup>(\<^sup>q\<^sup>) = \<gamma>"} only if @{text "p \<le> q"}. Any
+ priority grammar can be translated into a normal context-free
+ grammar by introducing new nonterminals and productions.
+
+ \medskip Formally, a set of context free productions @{text G}
+ induces a derivation relation @{text "\<longrightarrow>\<^sub>G"} as follows. Let @{text
+ \<alpha>} and @{text \<beta>} denote strings of terminal or nonterminal symbols.
+ Then @{text "\<alpha> A\<^sup>(\<^sup>p\<^sup>) \<beta> \<longrightarrow>\<^sub>G \<alpha> \<gamma> \<beta>"} holds if and only if @{text G}
+ contains some production @{text "A\<^sup>(\<^sup>q\<^sup>) = \<gamma>"} for @{text "p \<le> q"}.
+
+ \medskip The following grammar for arithmetic expressions
+ demonstrates how binding power and associativity of operators can be
+ enforced by priorities.
+
+ \begin{center}
+ \begin{tabular}{rclr}
+ @{text "A\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "="} & @{verbatim "("} @{text "A\<^sup>(\<^sup>0\<^sup>)"} @{verbatim ")"} \\
+ @{text "A\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "="} & @{verbatim 0} \\
+ @{text "A\<^sup>(\<^sup>0\<^sup>)"} & @{text "="} & @{text "A\<^sup>(\<^sup>0\<^sup>)"} @{verbatim "+"} @{text "A\<^sup>(\<^sup>1\<^sup>)"} \\
+ @{text "A\<^sup>(\<^sup>2\<^sup>)"} & @{text "="} & @{text "A\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "*"} @{text "A\<^sup>(\<^sup>2\<^sup>)"} \\
+ @{text "A\<^sup>(\<^sup>3\<^sup>)"} & @{text "="} & @{verbatim "-"} @{text "A\<^sup>(\<^sup>3\<^sup>)"} \\
+ \end{tabular}
+ \end{center}
+ The choice of priorities determines that @{verbatim "-"} binds
+ tighter than @{verbatim "*"}, which binds tighter than @{verbatim
+ "+"}. Furthermore @{verbatim "+"} associates to the left and
+ @{verbatim "*"} to the right.
+
+ \medskip For clarity, grammars obey these conventions:
+ \begin{itemize}
+
+ \item All priorities must lie between 0 and 1000.
+
+ \item Priority 0 on the right-hand side and priority 1000 on the
+ left-hand side may be omitted.
+
+ \item The production @{text "A\<^sup>(\<^sup>p\<^sup>) = \<alpha>"} is written as @{text "A = \<alpha>
+ (p)"}, i.e.\ the priority of the left-hand side actually appears in
+ a column on the far right.
+
+ \item Alternatives are separated by @{text "|"}.
+
+ \item Repetition is indicated by dots @{text "(\<dots>)"} in an informal
+ but obvious way.
+
+ \end{itemize}
+
+ Using these conventions, the example grammar specification above
+ takes the form:
+ \begin{center}
+ \begin{tabular}{rclc}
+ @{text A} & @{text "="} & @{verbatim "("} @{text A} @{verbatim ")"} \\
+ & @{text "|"} & @{verbatim 0} & \qquad\qquad \\
+ & @{text "|"} & @{text A} @{verbatim "+"} @{text "A\<^sup>(\<^sup>1\<^sup>)"} & @{text "(0)"} \\
+ & @{text "|"} & @{text "A\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "*"} @{text "A\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
+ & @{text "|"} & @{verbatim "-"} @{text "A\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
+ \end{tabular}
+ \end{center}
+*}
+
+
+subsection {* The Pure grammar \label{sec:pure-grammar} *}
+
+text {* The priority grammar of the @{text "Pure"} theory is defined
+ approximately like this:
+
+ \begin{center}
+ \begin{supertabular}{rclr}
+
+ @{syntax_def (inner) any} & = & @{text "prop | logic"} \\\\
+
+ @{syntax_def (inner) prop} & = & @{verbatim "("} @{text prop} @{verbatim ")"} \\
+ & @{text "|"} & @{text "prop\<^sup>(\<^sup>4\<^sup>)"} @{verbatim "::"} @{text type} & @{text "(3)"} \\
+ & @{text "|"} & @{text "any\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "=="} @{text "any\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
+ & @{text "|"} & @{text "any\<^sup>(\<^sup>3\<^sup>)"} @{text "\<equiv>"} @{text "any\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
+ & @{text "|"} & @{text "prop\<^sup>(\<^sup>3\<^sup>)"} @{verbatim "&&&"} @{text "prop\<^sup>(\<^sup>2\<^sup>)"} & @{text "(2)"} \\
+ & @{text "|"} & @{text "prop\<^sup>(\<^sup>2\<^sup>)"} @{verbatim "==>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
+ & @{text "|"} & @{text "prop\<^sup>(\<^sup>2\<^sup>)"} @{text "\<Longrightarrow>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
+ & @{text "|"} & @{verbatim "[|"} @{text prop} @{verbatim ";"} @{text "\<dots>"} @{verbatim ";"} @{text prop} @{verbatim "|]"} @{verbatim "==>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
+ & @{text "|"} & @{text "\<lbrakk>"} @{text prop} @{verbatim ";"} @{text "\<dots>"} @{verbatim ";"} @{text prop} @{text "\<rbrakk>"} @{text "\<Longrightarrow>"} @{text "prop\<^sup>(\<^sup>1\<^sup>)"} & @{text "(1)"} \\
+ & @{text "|"} & @{verbatim "!!"} @{text idts} @{verbatim "."} @{text prop} & @{text "(0)"} \\
+ & @{text "|"} & @{text "\<And>"} @{text idts} @{verbatim "."} @{text prop} & @{text "(0)"} \\
+ & @{text "|"} & @{verbatim OFCLASS} @{verbatim "("} @{text type} @{verbatim ","} @{text logic} @{verbatim ")"} \\
+ & @{text "|"} & @{verbatim SORT_CONSTRAINT} @{verbatim "("} @{text type} @{verbatim ")"} \\
+ & @{text "|"} & @{verbatim TERM} @{text logic} \\
+ & @{text "|"} & @{verbatim PROP} @{text aprop} \\\\
+
+ @{syntax_def (inner) aprop} & = & @{verbatim "("} @{text aprop} @{verbatim ")"} \\
+ & @{text "|"} & @{text "id | longid | var | "}@{verbatim "_"}@{text " | "}@{verbatim "..."} \\
+ & @{text "|"} & @{verbatim CONST} @{text "id | "}@{verbatim CONST} @{text "longid"} \\
+ & @{text "|"} & @{verbatim XCONST} @{text "id | "}@{verbatim XCONST} @{text "longid"} \\
+ & @{text "|"} & @{text "logic\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) \<dots> any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "(999)"} \\\\
+
+ @{syntax_def (inner) logic} & = & @{verbatim "("} @{text logic} @{verbatim ")"} \\
+ & @{text "|"} & @{text "logic\<^sup>(\<^sup>4\<^sup>)"} @{verbatim "::"} @{text type} & @{text "(3)"} \\
+ & @{text "|"} & @{text "id | longid | var | "}@{verbatim "_"}@{text " | "}@{verbatim "..."} \\
+ & @{text "|"} & @{verbatim CONST} @{text "id | "}@{verbatim CONST} @{text "longid"} \\
+ & @{text "|"} & @{verbatim XCONST} @{text "id | "}@{verbatim XCONST} @{text "longid"} \\
+ & @{text "|"} & @{text "logic\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) \<dots> any\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} & @{text "(999)"} \\
+ & @{text "|"} & @{text "\<struct> index\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>)"} \\
+ & @{text "|"} & @{verbatim "%"} @{text pttrns} @{verbatim "."} @{text "any\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
+ & @{text "|"} & @{text \<lambda>} @{text pttrns} @{verbatim "."} @{text "any\<^sup>(\<^sup>3\<^sup>)"} & @{text "(3)"} \\
+ & @{text "|"} & @{verbatim op} @{verbatim "=="}@{text " | "}@{verbatim op} @{text "\<equiv>"}@{text " | "}@{verbatim op} @{verbatim "&&&"} \\
+ & @{text "|"} & @{verbatim op} @{verbatim "==>"}@{text " | "}@{verbatim op} @{text "\<Longrightarrow>"} \\
+ & @{text "|"} & @{verbatim TYPE} @{verbatim "("} @{text type} @{verbatim ")"} \\\\
+
+ @{syntax_def (inner) idt} & = & @{verbatim "("} @{text idt} @{verbatim ")"}@{text " | id | "}@{verbatim "_"} \\
+ & @{text "|"} & @{text id} @{verbatim "::"} @{text type} & @{text "(0)"} \\
+ & @{text "|"} & @{verbatim "_"} @{verbatim "::"} @{text type} & @{text "(0)"} \\\\
+
+ @{syntax_def (inner) index} & = & @{verbatim "\<^bsub>"} @{text "logic\<^sup>(\<^sup>0\<^sup>)"} @{verbatim "\<^esub>"}@{text " | | \<index>"} \\\\
+
+ @{syntax_def (inner) idts} & = & @{text "idt | idt\<^sup>(\<^sup>1\<^sup>) idts"} & @{text "(0)"} \\\\
+
+ @{syntax_def (inner) pttrn} & = & @{text idt} \\\\
+
+ @{syntax_def (inner) pttrns} & = & @{text "pttrn | pttrn\<^sup>(\<^sup>1\<^sup>) pttrns"} & @{text "(0)"} \\\\
+
+ @{syntax_def (inner) type} & = & @{verbatim "("} @{text type} @{verbatim ")"} \\
+ & @{text "|"} & @{text "tid | tvar | "}@{verbatim "_"} \\
+ & @{text "|"} & @{text "tid"} @{verbatim "::"} @{text "sort | tvar "}@{verbatim "::"} @{text "sort | "}@{verbatim "_"} @{verbatim "::"} @{text "sort"} \\
+ & @{text "|"} & @{text "type_name | type\<^sup>(\<^sup>1\<^sup>0\<^sup>0\<^sup>0\<^sup>) type_name"} \\
+ & @{text "|"} & @{verbatim "("} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim ")"} @{text type_name} \\
+ & @{text "|"} & @{text "type\<^sup>(\<^sup>1\<^sup>)"} @{verbatim "=>"} @{text type} & @{text "(0)"} \\
+ & @{text "|"} & @{text "type\<^sup>(\<^sup>1\<^sup>)"} @{text "\<Rightarrow>"} @{text type} & @{text "(0)"} \\
+ & @{text "|"} & @{verbatim "["} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim "]"} @{verbatim "=>"} @{text type} & @{text "(0)"} \\
+ & @{text "|"} & @{verbatim "["} @{text type} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{text type} @{verbatim "]"} @{text "\<Rightarrow>"} @{text type} & @{text "(0)"} \\
+ @{syntax_def (inner) type_name} & = & @{text "id | longid"} \\\\
+
+ @{syntax_def (inner) sort} & = & @{syntax class_name}~@{text " | "}@{verbatim "{}"} \\
+ & @{text "|"} & @{verbatim "{"} @{syntax class_name} @{verbatim ","} @{text "\<dots>"} @{verbatim ","} @{syntax class_name} @{verbatim "}"} \\
+ @{syntax_def (inner) class_name} & = & @{text "id | longid"} \\
+ \end{supertabular}
+ \end{center}
+
+ \medskip Here literal terminals are printed @{verbatim "verbatim"};
+ see also \secref{sec:inner-lex} for further token categories of the
+ inner syntax. The meaning of the nonterminals defined by the above
+ grammar is as follows:
+
+ \begin{description}
+
+ \item @{syntax_ref (inner) any} denotes any term.
+
+ \item @{syntax_ref (inner) prop} denotes meta-level propositions,
+ which are terms of type @{typ prop}. The syntax of such formulae of
+ the meta-logic is carefully distinguished from usual conventions for
+ object-logics. In particular, plain @{text "\<lambda>"}-term notation is
+ \emph{not} recognized as @{syntax (inner) prop}.
+
+ \item @{syntax_ref (inner) aprop} denotes atomic propositions, which
+ are embedded into regular @{syntax (inner) prop} by means of an
+ explicit @{verbatim PROP} token.
+
+ Terms of type @{typ prop} with non-constant head, e.g.\ a plain
+ variable, are printed in this form. Constants that yield type @{typ
+ prop} are expected to provide their own concrete syntax; otherwise
+ the printed version will appear like @{syntax (inner) logic} and
+ cannot be parsed again as @{syntax (inner) prop}.
+
+ \item @{syntax_ref (inner) logic} denotes arbitrary terms of a
+ logical type, excluding type @{typ prop}. This is the main
+ syntactic category of object-logic entities, covering plain @{text
+ \<lambda>}-term notation (variables, abstraction, application), plus
+ anything defined by the user.
+
+ When specifying notation for logical entities, all logical types
+ (excluding @{typ prop}) are \emph{collapsed} to this single category
+ of @{syntax (inner) logic}.
+
+ \item @{syntax_ref (inner) index} denotes an optional index term for
+ indexed syntax. If omitted, it refers to the first @{keyword
+ "structure"} variable in the context. The special dummy ``@{text
+ "\<index>"}'' serves as pattern variable in mixfix annotations that
+ introduce indexed notation.
+
+ \item @{syntax_ref (inner) idt} denotes identifiers, possibly
+ constrained by types.
+
+ \item @{syntax_ref (inner) idts} denotes a sequence of @{syntax_ref
+ (inner) idt}. This is the most basic category for variables in
+ iterated binders, such as @{text "\<lambda>"} or @{text "\<And>"}.
+
+ \item @{syntax_ref (inner) pttrn} and @{syntax_ref (inner) pttrns}
+ denote patterns for abstraction, cases bindings etc. In Pure, these
+ categories start as a merely copy of @{syntax (inner) idt} and
+ @{syntax (inner) idts}, respectively. Object-logics may add
+ additional productions for binding forms.
+
+ \item @{syntax_ref (inner) type} denotes types of the meta-logic.
+
+ \item @{syntax_ref (inner) sort} denotes meta-level sorts.
+
+ \end{description}
+
+ Here are some further explanations of certain syntax features.
+
+ \begin{itemize}
+
+ \item In @{syntax (inner) idts}, note that @{text "x :: nat y"} is
+ parsed as @{text "x :: (nat y)"}, treating @{text y} like a type
+ constructor applied to @{text nat}. To avoid this interpretation,
+ write @{text "(x :: nat) y"} with explicit parentheses.
+
+ \item Similarly, @{text "x :: nat y :: nat"} is parsed as @{text "x ::
+ (nat y :: nat)"}. The correct form is @{text "(x :: nat) (y ::
+ nat)"}, or @{text "(x :: nat) y :: nat"} if @{text y} is last in the
+ sequence of identifiers.
+
+ \item Type constraints for terms bind very weakly. For example,
+ @{text "x < y :: nat"} is normally parsed as @{text "(x < y) ::
+ nat"}, unless @{text "<"} has a very low priority, in which case the
+ input is likely to be ambiguous. The correct form is @{text "x < (y
+ :: nat)"}.
+
+ \item Constraints may be either written with two literal colons
+ ``@{verbatim "::"}'' or the double-colon symbol @{verbatim "\<Colon>"},
+ which actually looks exactly the same in some {\LaTeX} styles.
+
+ \item Dummy variables (written as underscore) may occur in different
+ roles.
+
+ \begin{description}
+
+ \item A type ``@{text "_"}'' or ``@{text "_ :: sort"}'' acts like an
+ anonymous inference parameter, which is filled-in according to the
+ most general type produced by the type-checking phase.
+
+ \item A bound ``@{text "_"}'' refers to a vacuous abstraction, where
+ the body does not refer to the binding introduced here. As in the
+ term @{term "\<lambda>x _. x"}, which is @{text "\<alpha>"}-equivalent to @{text
+ "\<lambda>x y. x"}.
+
+ \item A free ``@{text "_"}'' refers to an implicit outer binding.
+ Higher definitional packages usually allow forms like @{text "f x _
+ = x"}.
+
+ \item A schematic ``@{text "_"}'' (within a term pattern, see
+ \secref{sec:term-decls}) refers to an anonymous variable that is
+ implicitly abstracted over its context of locally bound variables.
+ For example, this allows pattern matching of @{text "{x. f x = g
+ x}"} against @{text "{x. _ = _}"}, or even @{text "{_. _ = _}"} by
+ using both bound and schematic dummies.
+
+ \end{description}
+
+ \item The three literal dots ``@{verbatim "..."}'' may be also
+ written as ellipsis symbol @{verbatim "\<dots>"}. In both cases this
+ refers to a special schematic variable, which is bound in the
+ context. This special term abbreviation works nicely with
+ calculational reasoning (\secref{sec:calculation}).
+
+ \item @{verbatim CONST} ensures that the given identifier is treated
+ as constant term, and passed through the parse tree in fully
+ internalized form. This is particularly relevant for translation
+ rules (\secref{sec:syn-trans}), notably on the RHS.
+
+ \item @{verbatim XCONST} is similar to @{verbatim CONST}, but
+ retains the constant name as given. This is only relevant to
+ translation rules (\secref{sec:syn-trans}), notably on the LHS.
+
+ \end{itemize}
+*}
+
+
+subsection {* Inspecting the syntax *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "print_syntax"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ \end{matharray}
+
+ \begin{description}
+
+ \item @{command "print_syntax"} prints the inner syntax of the
+ current context. The output can be quite large; the most important
+ sections are explained below.
+
+ \begin{description}
+
+ \item @{text "lexicon"} lists the delimiters of the inner token
+ language; see \secref{sec:inner-lex}.
+
+ \item @{text "prods"} lists the productions of the underlying
+ priority grammar; see \secref{sec:priority-grammar}.
+
+ The nonterminal @{text "A\<^sup>(\<^sup>p\<^sup>)"} is rendered in plain text as @{text
+ "A[p]"}; delimiters are quoted. Many productions have an extra
+ @{text "\<dots> => name"}. These names later become the heads of parse
+ trees; they also guide the pretty printer.
+
+ Productions without such parse tree names are called \emph{copy
+ productions}. Their right-hand side must have exactly one
+ nonterminal symbol (or named token). The parser does not create a
+ new parse tree node for copy productions, but simply returns the
+ parse tree of the right-hand symbol.
+
+ If the right-hand side of a copy production consists of a single
+ nonterminal without any delimiters, then it is called a \emph{chain
+ production}. Chain productions act as abbreviations: conceptually,
+ they are removed from the grammar by adding new productions.
+ Priority information attached to chain productions is ignored; only
+ the dummy value @{text "-1"} is displayed.
+
+ \item @{text "print modes"} lists the alternative print modes
+ provided by this grammar; see \secref{sec:print-modes}.
+
+ \item @{text "parse_rules"} and @{text "print_rules"} relate to
+ syntax translations (macros); see \secref{sec:syn-trans}.
+
+ \item @{text "parse_ast_translation"} and @{text
+ "print_ast_translation"} list sets of constants that invoke
+ translation functions for abstract syntax trees, which are only
+ required in very special situations; see \secref{sec:tr-funs}.
+
+ \item @{text "parse_translation"} and @{text "print_translation"}
+ list the sets of constants that invoke regular translation
+ functions; see \secref{sec:tr-funs}.
+
+ \end{description}
+
+ \end{description}
+*}
+
+
+subsection {* Ambiguity of parsed expressions *}
+
+text {*
+ \begin{tabular}{rcll}
+ @{attribute_def syntax_ambiguity_warning} & : & @{text attribute} & default @{text true} \\
+ @{attribute_def syntax_ambiguity_limit} & : & @{text attribute} & default @{text 10} \\
+ \end{tabular}
+
+ Depending on the grammar and the given input, parsing may be
+ ambiguous. Isabelle lets the Earley parser enumerate all possible
+ parse trees, and then tries to make the best out of the situation.
+ Terms that cannot be type-checked are filtered out, which often
+ leads to a unique result in the end. Unlike regular type
+ reconstruction, which is applied to the whole collection of input
+ terms simultaneously, the filtering stage only treats each given
+ term in isolation. Filtering is also not attempted for individual
+ types or raw ASTs (as required for @{command translations}).
+
+ Certain warning or error messages are printed, depending on the
+ situation and the given configuration options. Parsing ultimately
+ fails, if multiple results remain after the filtering phase.
+
+ \begin{description}
+
+ \item @{attribute syntax_ambiguity_warning} controls output of
+ explicit warning messages about syntax ambiguity.
+
+ \item @{attribute syntax_ambiguity_limit} determines the number of
+ resulting parse trees that are shown as part of the printed message
+ in case of an ambiguity.
+
+ \end{description}
+*}
+
+
+section {* Syntax transformations \label{sec:syntax-transformations} *}
+
+text {* The inner syntax engine of Isabelle provides separate
+ mechanisms to transform parse trees either as rewrite systems on
+ first-order ASTs (\secref{sec:syn-trans}), or ML functions on ASTs
+ or syntactic @{text "\<lambda>"}-terms (\secref{sec:tr-funs}). This works
+ both for parsing and printing, as outlined in
+ \figref{fig:parse-print}.
+
+ \begin{figure}[htbp]
+ \begin{center}
+ \begin{tabular}{cl}
+ string & \\
+ @{text "\<down>"} & lexer + parser \\
+ parse tree & \\
+ @{text "\<down>"} & parse AST translation \\
+ AST & \\
+ @{text "\<down>"} & AST rewriting (macros) \\
+ AST & \\
+ @{text "\<down>"} & parse translation \\
+ --- pre-term --- & \\
+ @{text "\<down>"} & print translation \\
+ AST & \\
+ @{text "\<down>"} & AST rewriting (macros) \\
+ AST & \\
+ @{text "\<down>"} & print AST translation \\
+ string &
+ \end{tabular}
+ \end{center}
+ \caption{Parsing and printing with translations}\label{fig:parse-print}
+ \end{figure}
+
+ These intermediate syntax tree formats eventually lead to a pre-term
+ with all names and binding scopes resolved, but most type
+ information still missing. Explicit type constraints might be given by
+ the user, or implicit position information by the system --- both
+ need to be passed-through carefully by syntax transformations.
+
+ Pre-terms are further processed by the so-called \emph{check} and
+ \emph{unckeck} phases that are intertwined with type-inference (see
+ also \cite{isabelle-implementation}). The latter allows to operate
+ on higher-order abstract syntax with proper binding and type
+ information already available.
+
+ As a rule of thumb, anything that manipulates bindings of variables
+ or constants needs to be implemented as syntax transformation (see
+ below). Anything else is better done via check/uncheck: a prominent
+ example application is the @{command abbreviation} concept of
+ Isabelle/Pure. *}
+
+
+subsection {* Abstract syntax trees \label{sec:ast} *}
+
+text {* The ML datatype @{ML_type Ast.ast} explicitly represents the
+ intermediate AST format that is used for syntax rewriting
+ (\secref{sec:syn-trans}). It is defined in ML as follows:
+ \begin{ttbox}
+ datatype ast =
+ Constant of string |
+ Variable of string |
+ Appl of ast list
+ \end{ttbox}
+
+ An AST is either an atom (constant or variable) or a list of (at
+ least two) subtrees. Occasional diagnostic output of ASTs uses
+ notation that resembles S-expression of LISP. Constant atoms are
+ shown as quoted strings, variable atoms as non-quoted strings and
+ applications as a parenthesized list of subtrees. For example, the
+ AST
+ @{ML [display] "Ast.Appl
+ [Ast.Constant \"_abs\", Ast.Variable \"x\", Ast.Variable \"t\"]"}
+ is pretty-printed as @{verbatim "(\"_abs\" x t)"}. Note that
+ @{verbatim "()"} and @{verbatim "(x)"} are excluded as ASTs, because
+ they have too few subtrees.
+
+ \medskip AST application is merely a pro-forma mechanism to indicate
+ certain syntactic structures. Thus @{verbatim "(c a b)"} could mean
+ either term application or type application, depending on the
+ syntactic context.
+
+ Nested application like @{verbatim "((\"_abs\" x t) u)"} is also
+ possible, but ASTs are definitely first-order: the syntax constant
+ @{verbatim "\"_abs\""} does not bind the @{verbatim x} in any way.
+ Proper bindings are introduced in later stages of the term syntax,
+ where @{verbatim "(\"_abs\" x t)"} becomes an @{ML Abs} node and
+ occurrences of @{verbatim x} in @{verbatim t} are replaced by bound
+ variables (represented as de-Bruijn indices).
+*}
+
+
+subsubsection {* AST constants versus variables *}
+
+text {* Depending on the situation --- input syntax, output syntax,
+ translation patterns --- the distinction of atomic asts as @{ML
+ Ast.Constant} versus @{ML Ast.Variable} serves slightly different
+ purposes.
+
+ Input syntax of a term such as @{text "f a b = c"} does not yet
+ indicate the scopes of atomic entities @{text "f, a, b, c"}: they
+ could be global constants or local variables, even bound ones
+ depending on the context of the term. @{ML Ast.Variable} leaves
+ this choice still open: later syntax layers (or translation
+ functions) may capture such a variable to determine its role
+ specifically, to make it a constant, bound variable, free variable
+ etc. In contrast, syntax translations that introduce already known
+ constants would rather do it via @{ML Ast.Constant} to prevent
+ accidental re-interpretation later on.
+
+ Output syntax turns term constants into @{ML Ast.Constant} and
+ variables (free or schematic) into @{ML Ast.Variable}. This
+ information is precise when printing fully formal @{text "\<lambda>"}-terms.
+
+ In AST translation patterns (\secref{sec:syn-trans}) the system
+ guesses from the current theory context which atoms should be
+ treated as constant versus variable for the matching process.
+ Sometimes this needs to be indicated more explicitly using @{text
+ "CONST c"} inside the term language. It is also possible to use
+ @{command syntax} declarations (without mixfix annotation) to
+ enforce that certain unqualified names are always treated as
+ constant within the syntax machinery.
+
+ \medskip For ASTs that represent the language of types or sorts, the
+ situation is much simpler, since the concrete syntax already
+ distinguishes type variables from type constants (constructors). So
+ @{text "('a, 'b) foo"} corresponds to an AST application of some
+ constant for @{text foo} and variable arguments for @{text "'a"} and
+ @{text "'b"}. Note that the postfix application is merely a feature
+ of the concrete syntax, while in the AST the constructor occurs in
+ head position. *}
+
+
+subsubsection {* Authentic syntax names *}
+
+text {* Naming constant entities within ASTs is another delicate
+ issue. Unqualified names are looked up in the name space tables in
+ the last stage of parsing, after all translations have been applied.
+ Since syntax transformations do not know about this later name
+ resolution yet, there can be surprises in boundary cases.
+
+ \emph{Authentic syntax names} for @{ML Ast.Constant} avoid this
+ problem: the fully-qualified constant name with a special prefix for
+ its formal category (@{text "class"}, @{text "type"}, @{text
+ "const"}, @{text "fixed"}) represents the information faithfully
+ within the untyped AST format. Accidental overlap with free or
+ bound variables is excluded as well. Authentic syntax names work
+ implicitly in the following situations:
+
+ \begin{itemize}
+
+ \item Input of term constants (or fixed variables) that are
+ introduced by concrete syntax via @{command notation}: the
+ correspondence of a particular grammar production to some known term
+ entity is preserved.
+
+ \item Input of type constants (constructors) and type classes ---
+ thanks to explicit syntactic distinction independently on the
+ context.
+
+ \item Output of term constants, type constants, type classes ---
+ this information is already available from the internal term to be
+ printed.
+
+ \end{itemize}
+
+ In other words, syntax transformations that operate on input terms
+ written as prefix applications are difficult to make robust.
+ Luckily, this case rarely occurs in practice, because syntax forms
+ to be translated usually correspond to some bits of concrete
+ notation. *}
+
+
+subsection {* Raw syntax and translations \label{sec:syn-trans} *}
+
+text {*
+ \begin{tabular}{rcll}
+ @{command_def "nonterminal"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "syntax"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "no_syntax"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "translations"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "no_translations"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{attribute_def syntax_ast_trace} & : & @{text attribute} & default @{text false} \\
+ @{attribute_def syntax_ast_stats} & : & @{text attribute} & default @{text false} \\
+ \end{tabular}
+
+ Unlike mixfix notation for existing formal entities
+ (\secref{sec:notation}), raw syntax declarations provide full access
+ to the priority grammar of the inner syntax, without any sanity
+ checks. This includes additional syntactic categories (via
+ @{command nonterminal}) and free-form grammar productions (via
+ @{command syntax}). Additional syntax translations (or macros, via
+ @{command translations}) are required to turn resulting parse trees
+ into proper representations of formal entities again.
+
+ @{rail "
+ @@{command nonterminal} (@{syntax name} + @'and')
+ ;
+ (@@{command syntax} | @@{command no_syntax}) @{syntax mode}? (constdecl +)
+ ;
+ (@@{command translations} | @@{command no_translations})
+ (transpat ('==' | '=>' | '<=' | '\<rightleftharpoons>' | '\<rightharpoonup>' | '\<leftharpoondown>') transpat +)
+ ;
+
+ constdecl: @{syntax name} '::' @{syntax type} @{syntax mixfix}?
+ ;
+ mode: ('(' ( @{syntax name} | @'output' | @{syntax name} @'output' ) ')')
+ ;
+ transpat: ('(' @{syntax nameref} ')')? @{syntax string}
+ "}
+
+ \begin{description}
+
+ \item @{command "nonterminal"}~@{text c} declares a type
+ constructor @{text c} (without arguments) to act as purely syntactic
+ type: a nonterminal symbol of the inner syntax.
+
+ \item @{command "syntax"}~@{text "(mode) c :: \<sigma> (mx)"} augments the
+ priority grammar and the pretty printer table for the given print
+ mode (default @{verbatim "\"\""}). An optional keyword @{keyword_ref
+ "output"} means that only the pretty printer table is affected.
+
+ Following \secref{sec:mixfix}, the mixfix annotation @{text "mx =
+ template ps q"} together with type @{text "\<sigma> = \<tau>\<^sub>1 \<Rightarrow> \<dots> \<tau>\<^sub>n \<Rightarrow> \<tau>"} and
+ specify a grammar production. The @{text template} contains
+ delimiter tokens that surround @{text "n"} argument positions
+ (@{verbatim "_"}). The latter correspond to nonterminal symbols
+ @{text "A\<^sub>i"} derived from the argument types @{text "\<tau>\<^sub>i"} as
+ follows:
+ \begin{itemize}
+
+ \item @{text "prop"} if @{text "\<tau>\<^sub>i = prop"}
+
+ \item @{text "logic"} if @{text "\<tau>\<^sub>i = (\<dots>)\<kappa>"} for logical type
+ constructor @{text "\<kappa> \<noteq> prop"}
+
+ \item @{text any} if @{text "\<tau>\<^sub>i = \<alpha>"} for type variables
+
+ \item @{text "\<kappa>"} if @{text "\<tau>\<^sub>i = \<kappa>"} for nonterminal @{text "\<kappa>"}
+ (syntactic type constructor)
+
+ \end{itemize}
+
+ Each @{text "A\<^sub>i"} is decorated by priority @{text "p\<^sub>i"} from the
+ given list @{text "ps"}; misssing priorities default to 0.
+
+ The resulting nonterminal of the production is determined similarly
+ from type @{text "\<tau>"}, with priority @{text "q"} and default 1000.
+
+ \medskip Parsing via this production produces parse trees @{text
+ "t\<^sub>1, \<dots>, t\<^sub>n"} for the argument slots. The resulting parse tree is
+ composed as @{text "c t\<^sub>1 \<dots> t\<^sub>n"}, by using the syntax constant @{text
+ "c"} of the syntax declaration.
+
+ Such syntactic constants are invented on the spot, without formal
+ check wrt.\ existing declarations. It is conventional to use plain
+ identifiers prefixed by a single underscore (e.g.\ @{text
+ "_foobar"}). Names should be chosen with care, to avoid clashes
+ with other syntax declarations.
+
+ \medskip The special case of copy production is specified by @{text
+ "c = "}@{verbatim "\"\""} (empty string). It means that the
+ resulting parse tree @{text "t"} is copied directly, without any
+ further decoration.
+
+ \item @{command "no_syntax"}~@{text "(mode) decls"} removes grammar
+ declarations (and translations) resulting from @{text decls}, which
+ are interpreted in the same manner as for @{command "syntax"} above.
+
+ \item @{command "translations"}~@{text rules} specifies syntactic
+ translation rules (i.e.\ macros) as first-order rewrite rules on
+ ASTs (\secref{sec:ast}). The theory context maintains two
+ independent lists translation rules: parse rules (@{verbatim "=>"}
+ or @{text "\<rightharpoonup>"}) and print rules (@{verbatim "<="} or @{text "\<leftharpoondown>"}).
+ For convenience, both can be specified simultaneously as parse~/
+ print rules (@{verbatim "=="} or @{text "\<rightleftharpoons>"}).
+
+ Translation patterns may be prefixed by the syntactic category to be
+ used for parsing; the default is @{text logic} which means that
+ regular term syntax is used. Both sides of the syntax translation
+ rule undergo parsing and parse AST translations
+ \secref{sec:tr-funs}, in order to perform some fundamental
+ normalization like @{text "\<lambda>x y. b \<leadsto> \<lambda>x. \<lambda>y. b"}, but other AST
+ translation rules are \emph{not} applied recursively here.
+
+ When processing AST patterns, the inner syntax lexer runs in a
+ different mode that allows identifiers to start with underscore.
+ This accommodates the usual naming convention for auxiliary syntax
+ constants --- those that do not have a logical counter part --- by
+ allowing to specify arbitrary AST applications within the term
+ syntax, independently of the corresponding concrete syntax.
+
+ Atomic ASTs are distinguished as @{ML Ast.Constant} versus @{ML
+ Ast.Variable} as follows: a qualified name or syntax constant
+ declared via @{command syntax}, or parse tree head of concrete
+ notation becomes @{ML Ast.Constant}, anything else @{ML
+ Ast.Variable}. Note that @{text CONST} and @{text XCONST} within
+ the term language (\secref{sec:pure-grammar}) allow to enforce
+ treatment as constants.
+
+ AST rewrite rules @{text "(lhs, rhs)"} need to obey the following
+ side-conditions:
+
+ \begin{itemize}
+
+ \item Rules must be left linear: @{text "lhs"} must not contain
+ repeated variables.\footnote{The deeper reason for this is that AST
+ equality is not well-defined: different occurrences of the ``same''
+ AST could be decorated differently by accidental type-constraints or
+ source position information, for example.}
+
+ \item Every variable in @{text "rhs"} must also occur in @{text
+ "lhs"}.
+
+ \end{itemize}
+
+ \item @{command "no_translations"}~@{text rules} removes syntactic
+ translation rules, which are interpreted in the same manner as for
+ @{command "translations"} above.
+
+ \item @{attribute syntax_ast_trace} and @{attribute
+ syntax_ast_stats} control diagnostic output in the AST normalization
+ process, when translation rules are applied to concrete input or
+ output.
+
+ \end{description}
+
+ Raw syntax and translations provides a slightly more low-level
+ access to the grammar and the form of resulting parse trees. It is
+ often possible to avoid this untyped macro mechanism, and use
+ type-safe @{command abbreviation} or @{command notation} instead.
+ Some important situations where @{command syntax} and @{command
+ translations} are really need are as follows:
+
+ \begin{itemize}
+
+ \item Iterated replacement via recursive @{command translations}.
+ For example, consider list enumeration @{term "[a, b, c, d]"} as
+ defined in theory @{theory List} in Isabelle/HOL.
+
+ \item Change of binding status of variables: anything beyond the
+ built-in @{keyword "binder"} mixfix annotation requires explicit
+ syntax translations. For example, consider list filter
+ comprehension @{term "[x \<leftarrow> xs . P]"} as defined in theory @{theory
+ List} in Isabelle/HOL.
+
+ \end{itemize}
+*}
+
+subsubsection {* Applying translation rules *}
+
+text {* As a term is being parsed or printed, an AST is generated as
+ an intermediate form according to \figref{fig:parse-print}. The AST
+ is normalized by applying translation rules in the manner of a
+ first-order term rewriting system. We first examine how a single
+ rule is applied.
+
+ Let @{text "t"} be the abstract syntax tree to be normalized and
+ @{text "(lhs, rhs)"} some translation rule. A subtree @{text "u"}
+ of @{text "t"} is called \emph{redex} if it is an instance of @{text
+ "lhs"}; in this case the pattern @{text "lhs"} is said to match the
+ object @{text "u"}. A redex matched by @{text "lhs"} may be
+ replaced by the corresponding instance of @{text "rhs"}, thus
+ \emph{rewriting} the AST @{text "t"}. Matching requires some notion
+ of \emph{place-holders} in rule patterns: @{ML Ast.Variable} serves
+ this purpose.
+
+ More precisely, the matching of the object @{text "u"} against the
+ pattern @{text "lhs"} is performed as follows:
+
+ \begin{itemize}
+
+ \item Objects of the form @{ML Ast.Variable}~@{text "x"} or @{ML
+ Ast.Constant}~@{text "x"} are matched by pattern @{ML
+ Ast.Constant}~@{text "x"}. Thus all atomic ASTs in the object are
+ treated as (potential) constants, and a successful match makes them
+ actual constants even before name space resolution (see also
+ \secref{sec:ast}).
+
+ \item Object @{text "u"} is matched by pattern @{ML
+ Ast.Variable}~@{text "x"}, binding @{text "x"} to @{text "u"}.
+
+ \item Object @{ML Ast.Appl}~@{text "us"} is matched by @{ML
+ Ast.Appl}~@{text "ts"} if @{text "us"} and @{text "ts"} have the
+ same length and each corresponding subtree matches.
+
+ \item In every other case, matching fails.
+
+ \end{itemize}
+
+ A successful match yields a substitution that is applied to @{text
+ "rhs"}, generating the instance that replaces @{text "u"}.
+
+ Normalizing an AST involves repeatedly applying translation rules
+ until none are applicable. This works yoyo-like: top-down,
+ bottom-up, top-down, etc. At each subtree position, rules are
+ chosen in order of appearance in the theory definitions.
+
+ The configuration options @{attribute syntax_ast_trace} and
+ @{attribute syntax_ast_stats} might help to understand this process
+ and diagnose problems.
+
+ \begin{warn}
+ If syntax translation rules work incorrectly, the output of
+ @{command_ref print_syntax} with its \emph{rules} sections reveals the
+ actual internal forms of AST pattern, without potentially confusing
+ concrete syntax. Recall that AST constants appear as quoted strings
+ and variables without quotes.
+ \end{warn}
+
+ \begin{warn}
+ If @{attribute_ref eta_contract} is set to @{text "true"}, terms
+ will be @{text "\<eta>"}-contracted \emph{before} the AST rewriter sees
+ them. Thus some abstraction nodes needed for print rules to match
+ may vanish. For example, @{text "Ball A (\<lambda>x. P x)"} would contract
+ to @{text "Ball A P"} and the standard print rule would fail to
+ apply. This problem can be avoided by hand-written ML translation
+ functions (see also \secref{sec:tr-funs}), which is in fact the same
+ mechanism used in built-in @{keyword "binder"} declarations.
+ \end{warn}
+*}
+
+
+subsection {* Syntax translation functions \label{sec:tr-funs} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "parse_ast_translation"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "parse_translation"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "print_translation"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "typed_print_translation"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "print_ast_translation"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{ML_antiquotation_def "class_syntax"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "type_syntax"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "const_syntax"} & : & @{text ML_antiquotation} \\
+ @{ML_antiquotation_def "syntax_const"} & : & @{text ML_antiquotation} \\
+ \end{matharray}
+
+ Syntax translation functions written in ML admit almost arbitrary
+ manipulations of inner syntax, at the expense of some complexity and
+ obscurity in the implementation.
+
+ @{rail "
+ ( @@{command parse_ast_translation} | @@{command parse_translation} |
+ @@{command print_translation} | @@{command typed_print_translation} |
+ @@{command print_ast_translation}) ('(' @'advanced' ')')? @{syntax text}
+ ;
+ (@@{ML_antiquotation class_syntax} |
+ @@{ML_antiquotation type_syntax} |
+ @@{ML_antiquotation const_syntax} |
+ @@{ML_antiquotation syntax_const}) name
+ "}
+
+ \begin{description}
+
+ \item @{command parse_translation} etc. declare syntax translation
+ functions to the theory. Any of these commands have a single
+ @{syntax text} argument that refers to an ML expression of
+ appropriate type, which are as follows by default:
+
+ \medskip
+ {\footnotesize
+ \begin{tabular}{ll}
+ @{command parse_ast_translation} & : @{ML_type "(string * (Ast.ast list -> Ast.ast)) list"} \\
+ @{command parse_translation} & : @{ML_type "(string * (term list -> term)) list"} \\
+ @{command print_translation} & : @{ML_type "(string * (term list -> term)) list"} \\
+ @{command typed_print_translation} & : @{ML_type "(string * (typ -> term list -> term)) list"} \\
+ @{command print_ast_translation} & : @{ML_type "(string * (Ast.ast list -> Ast.ast)) list"} \\
+ \end{tabular}}
+ \medskip
+
+ The argument list consists of @{text "(c, tr)"} pairs, where @{text
+ "c"} is the syntax name of the formal entity involved, and @{text
+ "tr"} a function that translates a syntax form @{text "c args"} into
+ @{text "tr args"}. The ML naming convention for parse translations
+ is @{text "c_tr"} and for print translations @{text "c_tr'"}.
+
+ The @{command_ref print_syntax} command displays the sets of names
+ associated with the translation functions of a theory under @{text
+ "parse_ast_translation"} etc.
+
+ If the @{verbatim "("}@{keyword "advanced"}@{verbatim ")"} option is
+ given, the corresponding translation functions depend on the current
+ theory or proof context as additional argument. This allows to
+ implement advanced syntax mechanisms, as translations functions may
+ refer to specific theory declarations or auxiliary proof data.
+
+ \item @{text "@{class_syntax c}"}, @{text "@{type_syntax c}"},
+ @{text "@{const_syntax c}"} inline the authentic syntax name of the
+ given formal entities into the ML source. This is the
+ fully-qualified logical name prefixed by a special marker to
+ indicate its kind: thus different logical name spaces are properly
+ distinguished within parse trees.
+
+ \item @{text "@{const_syntax c}"} inlines the name @{text "c"} of
+ the given syntax constant, having checked that it has been declared
+ via some @{command syntax} commands within the theory context. Note
+ that the usual naming convention makes syntax constants start with
+ underscore, to reduce the chance of accidental clashes with other
+ names occurring in parse trees (unqualified constants etc.).
+
+ \end{description}
+*}
+
+
+subsubsection {* The translation strategy *}
+
+text {* The different kinds of translation functions are invoked during
+ the transformations between parse trees, ASTs and syntactic terms
+ (cf.\ \figref{fig:parse-print}). Whenever a combination of the form
+ @{text "c x\<^sub>1 \<dots> x\<^sub>n"} is encountered, and a translation function
+ @{text "f"} of appropriate kind is declared for @{text "c"}, the
+ result is produced by evaluation of @{text "f [x\<^sub>1, \<dots>, x\<^sub>n]"} in ML.
+
+ For AST translations, the arguments @{text "x\<^sub>1, \<dots>, x\<^sub>n"} are ASTs. A
+ combination has the form @{ML "Ast.Constant"}~@{text "c"} or @{ML
+ "Ast.Appl"}~@{text "["}@{ML Ast.Constant}~@{text "c, x\<^sub>1, \<dots>, x\<^sub>n]"}.
+ For term translations, the arguments are terms and a combination has
+ the form @{ML Const}~@{text "(c, \<tau>)"} or @{ML Const}~@{text "(c, \<tau>)
+ $ x\<^sub>1 $ \<dots> $ x\<^sub>n"}. Terms allow more sophisticated transformations
+ than ASTs do, typically involving abstractions and bound
+ variables. \emph{Typed} print translations may even peek at the type
+ @{text "\<tau>"} of the constant they are invoked on, although that information
+ may be inaccurate.
+
+ Regardless of whether they act on ASTs or terms, translation
+ functions called during the parsing process differ from those for
+ printing in their overall behaviour:
+
+ \begin{description}
+
+ \item [Parse translations] are applied bottom-up. The arguments are
+ already in translated form. The translations must not fail;
+ exceptions trigger an error message. There may be at most one
+ function associated with any syntactic name.
+
+ \item [Print translations] are applied top-down. They are supplied
+ with arguments that are partly still in internal form. The result
+ again undergoes translation; therefore a print translation should
+ not introduce as head the very constant that invoked it. The
+ function may raise exception @{ML Match} to indicate failure; in
+ this event it has no effect. Multiple functions associated with
+ some syntactic name are tried in the order of declaration in the
+ theory.
+
+ \end{description}
+
+ Only constant atoms --- constructor @{ML Ast.Constant} for ASTs and
+ @{ML Const} for terms --- can invoke translation functions. This
+ means that parse translations can only be associated with parse tree
+ heads of concrete syntax, or syntactic constants introduced via
+ other translations. For plain identifiers within the term language,
+ the status of constant versus variable is not yet know during
+ parsing. This is in contrast to print translations, where constants
+ are explicitly known from the given term in its fully internal form.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/ML_Tactic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,180 @@
+theory ML_Tactic
+imports Base Main
+begin
+
+chapter {* ML tactic expressions *}
+
+text {*
+ Isar Proof methods closely resemble traditional tactics, when used
+ in unstructured sequences of @{command "apply"} commands.
+ Isabelle/Isar provides emulations for all major ML tactics of
+ classic Isabelle --- mostly for the sake of easy porting of existing
+ developments, as actual Isar proof texts would demand much less
+ diversity of proof methods.
+
+ Unlike tactic expressions in ML, Isar proof methods provide proper
+ concrete syntax for additional arguments, options, modifiers etc.
+ Thus a typical method text is usually more concise than the
+ corresponding ML tactic. Furthermore, the Isar versions of classic
+ Isabelle tactics often cover several variant forms by a single
+ method with separate options to tune the behavior. For example,
+ method @{method simp} replaces all of @{ML simp_tac}~/ @{ML
+ asm_simp_tac}~/ @{ML full_simp_tac}~/ @{ML asm_full_simp_tac}, there
+ is also concrete syntax for augmenting the Simplifier context (the
+ current ``simpset'') in a convenient way.
+*}
+
+
+section {* Resolution tactics *}
+
+text {*
+ Classic Isabelle provides several variant forms of tactics for
+ single-step rule applications (based on higher-order resolution).
+ The space of resolution tactics has the following main dimensions.
+
+ \begin{enumerate}
+
+ \item The ``mode'' of resolution: intro, elim, destruct, or forward
+ (e.g.\ @{ML resolve_tac}, @{ML eresolve_tac}, @{ML dresolve_tac},
+ @{ML forward_tac}).
+
+ \item Optional explicit instantiation (e.g.\ @{ML resolve_tac} vs.\
+ @{ML res_inst_tac}).
+
+ \item Abbreviations for singleton arguments (e.g.\ @{ML resolve_tac}
+ vs.\ @{ML rtac}).
+
+ \end{enumerate}
+
+ Basically, the set of Isar tactic emulations @{method rule_tac},
+ @{method erule_tac}, @{method drule_tac}, @{method frule_tac} (see
+ \secref{sec:tactics}) would be sufficient to cover the four modes,
+ either with or without instantiation, and either with single or
+ multiple arguments. Although it is more convenient in most cases to
+ use the plain @{method_ref (Pure) rule} method, or any of its
+ ``improper'' variants @{method erule}, @{method drule}, @{method
+ frule}. Note that explicit goal addressing is only supported by the
+ actual @{method rule_tac} version.
+
+ With this in mind, plain resolution tactics correspond to Isar
+ methods as follows.
+
+ \medskip
+ \begin{tabular}{lll}
+ @{ML rtac}~@{text "a 1"} & & @{text "rule a"} \\
+ @{ML resolve_tac}~@{text "[a\<^sub>1, \<dots>] 1"} & & @{text "rule a\<^sub>1 \<dots>"} \\
+ @{ML res_inst_tac}~@{text "ctxt [(x\<^sub>1, t\<^sub>1), \<dots>] a 1"} & &
+ @{text "rule_tac x\<^sub>1 = t\<^sub>1 \<AND> \<dots> \<IN> a"} \\[0.5ex]
+ @{ML rtac}~@{text "a i"} & & @{text "rule_tac [i] a"} \\
+ @{ML resolve_tac}~@{text "[a\<^sub>1, \<dots>] i"} & & @{text "rule_tac [i] a\<^sub>1 \<dots>"} \\
+ @{ML res_inst_tac}~@{text "ctxt [(x\<^sub>1, t\<^sub>1), \<dots>] a i"} & &
+ @{text "rule_tac [i] x\<^sub>1 = t\<^sub>1 \<AND> \<dots> \<IN> a"} \\
+ \end{tabular}
+ \medskip
+
+ Note that explicit goal addressing may be usually avoided by
+ changing the order of subgoals with @{command "defer"} or @{command
+ "prefer"} (see \secref{sec:tactic-commands}).
+*}
+
+
+section {* Simplifier tactics *}
+
+text {*
+ The main Simplifier tactics @{ML simp_tac} and variants (cf.\
+ \cite{isabelle-ref}) are all covered by the @{method simp} and
+ @{method simp_all} methods (see \secref{sec:simplifier}). Note that
+ there is no individual goal addressing available, simplification
+ acts either on the first goal (@{method simp}) or all goals
+ (@{method simp_all}).
+
+ \medskip
+ \begin{tabular}{lll}
+ @{ML asm_full_simp_tac}~@{text "@{simpset} 1"} & & @{method simp} \\
+ @{ML ALLGOALS}~(@{ML asm_full_simp_tac}~@{text "@{simpset}"}) & & @{method simp_all} \\[0.5ex]
+ @{ML simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm)"} \\
+ @{ML asm_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm_simp)"} \\
+ @{ML full_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(no_asm_use)"} \\
+ @{ML asm_lr_simp_tac}~@{text "@{simpset} 1"} & & @{method simp}~@{text "(asm_lr)"} \\
+ \end{tabular}
+ \medskip
+*}
+
+
+section {* Classical Reasoner tactics *}
+
+text {* The Classical Reasoner provides a rather large number of
+ variations of automated tactics, such as @{ML blast_tac}, @{ML
+ fast_tac}, @{ML clarify_tac} etc. The corresponding Isar methods
+ usually share the same base name, such as @{method blast}, @{method
+ fast}, @{method clarify} etc.\ (see \secref{sec:classical}). *}
+
+
+section {* Miscellaneous tactics *}
+
+text {*
+ There are a few additional tactics defined in various theories of
+ Isabelle/HOL, some of these also in Isabelle/FOL or Isabelle/ZF.
+ The most common ones of these may be ported to Isar as follows.
+
+ \medskip
+ \begin{tabular}{lll}
+ @{ML stac}~@{text "a 1"} & & @{text "subst a"} \\
+ @{ML hyp_subst_tac}~@{text 1} & & @{text hypsubst} \\
+ @{ML strip_tac}~@{text 1} & @{text "\<approx>"} & @{text "intro strip"} \\
+ @{ML split_all_tac}~@{text 1} & & @{text "simp (no_asm_simp) only: split_tupled_all"} \\
+ & @{text "\<approx>"} & @{text "simp only: split_tupled_all"} \\
+ & @{text "\<lless>"} & @{text "clarify"} \\
+ \end{tabular}
+*}
+
+
+section {* Tacticals *}
+
+text {*
+ Classic Isabelle provides a huge amount of tacticals for combination
+ and modification of existing tactics. This has been greatly reduced
+ in Isar, providing the bare minimum of combinators only: ``@{text
+ ","}'' (sequential composition), ``@{text "|"}'' (alternative
+ choices), ``@{text "?"}'' (try), ``@{text "+"}'' (repeat at least
+ once). These are usually sufficient in practice; if all fails,
+ arbitrary ML tactic code may be invoked via the @{method tactic}
+ method (see \secref{sec:tactics}).
+
+ \medskip Common ML tacticals may be expressed directly in Isar as
+ follows:
+
+ \medskip
+ \begin{tabular}{lll}
+ @{text "tac\<^sub>1"}~@{ML_text THEN}~@{text "tac\<^sub>2"} & & @{text "meth\<^sub>1, meth\<^sub>2"} \\
+ @{text "tac\<^sub>1"}~@{ML_text ORELSE}~@{text "tac\<^sub>2"} & & @{text "meth\<^sub>1 | meth\<^sub>2"} \\
+ @{ML TRY}~@{text tac} & & @{text "meth?"} \\
+ @{ML REPEAT1}~@{text tac} & & @{text "meth+"} \\
+ @{ML REPEAT}~@{text tac} & & @{text "(meth+)?"} \\
+ @{ML EVERY}~@{text "[tac\<^sub>1, \<dots>]"} & & @{text "meth\<^sub>1, \<dots>"} \\
+ @{ML FIRST}~@{text "[tac\<^sub>1, \<dots>]"} & & @{text "meth\<^sub>1 | \<dots>"} \\
+ \end{tabular}
+ \medskip
+
+ \medskip @{ML CHANGED} (see \cite{isabelle-implementation}) is
+ usually not required in Isar, since most basic proof methods already
+ fail unless there is an actual change in the goal state.
+ Nevertheless, ``@{text "?"}'' (try) may be used to accept
+ \emph{unchanged} results as well.
+
+ \medskip @{ML ALLGOALS}, @{ML SOMEGOAL} etc.\ (see
+ \cite{isabelle-implementation}) are not available in Isar, since
+ there is no direct goal addressing. Nevertheless, some basic
+ methods address all goals internally, notably @{method simp_all}
+ (see \secref{sec:simplifier}). Also note that @{ML ALLGOALS} can be
+ often replaced by ``@{text "+"}'' (repeat at least once), although
+ this usually has a different operational behavior: subgoals are
+ solved in a different order.
+
+ \medskip Iterated resolution, such as
+ @{ML_text "REPEAT (FIRSTGOAL (resolve_tac ...))"}, is usually better
+ expressed using the @{method intro} and @{method elim} methods of
+ Isar (see \secref{sec:classical}).
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Misc.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,151 @@
+theory Misc
+imports Base Main
+begin
+
+chapter {* Other commands *}
+
+section {* Inspecting the context *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "print_commands"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "print_theory"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_methods"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_attributes"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_theorems"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "find_theorems"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "find_consts"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "thm_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "unused_thms"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_facts"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_binds"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command print_theory} | @@{command print_theorems}) ('!'?)
+ ;
+
+ @@{command find_theorems} ('(' @{syntax nat}? 'with_dups'? ')')? \\ (thmcriterion * )
+ ;
+ thmcriterion: ('-'?) ('name' ':' @{syntax nameref} | 'intro' | 'elim' | 'dest' |
+ 'solves' | 'simp' ':' @{syntax term} | @{syntax term})
+ ;
+ @@{command find_consts} (constcriterion * )
+ ;
+ constcriterion: ('-'?)
+ ('name' ':' @{syntax nameref} | 'strict' ':' @{syntax type} | @{syntax type})
+ ;
+ @@{command thm_deps} @{syntax thmrefs}
+ ;
+ @@{command unused_thms} ((@{syntax name} +) '-' (@{syntax name} * ))?
+ "}
+
+ These commands print certain parts of the theory and proof context.
+ Note that there are some further ones available, such as for the set
+ of rules declared for simplifications.
+
+ \begin{description}
+
+ \item @{command "print_commands"} prints Isabelle's outer theory
+ syntax, including keywords and command.
+
+ \item @{command "print_theory"} prints the main logical content of
+ the theory context; the ``@{text "!"}'' option indicates extra
+ verbosity.
+
+ \item @{command "print_methods"} prints all proof methods
+ available in the current theory context.
+
+ \item @{command "print_attributes"} prints all attributes
+ available in the current theory context.
+
+ \item @{command "print_theorems"} prints theorems resulting from the
+ last command; the ``@{text "!"}'' option indicates extra verbosity.
+
+ \item @{command "find_theorems"}~@{text criteria} retrieves facts
+ from the theory or proof context matching all of given search
+ criteria. The criterion @{text "name: p"} selects all theorems
+ whose fully qualified name matches pattern @{text p}, which may
+ contain ``@{text "*"}'' wildcards. The criteria @{text intro},
+ @{text elim}, and @{text dest} select theorems that match the
+ current goal as introduction, elimination or destruction rules,
+ respectively. The criterion @{text "solves"} returns all rules
+ that would directly solve the current goal. The criterion
+ @{text "simp: t"} selects all rewrite rules whose left-hand side
+ matches the given term. The criterion term @{text t} selects all
+ theorems that contain the pattern @{text t} -- as usual, patterns
+ may contain occurrences of the dummy ``@{text _}'', schematic
+ variables, and type constraints.
+
+ Criteria can be preceded by ``@{text "-"}'' to select theorems that
+ do \emph{not} match. Note that giving the empty list of criteria
+ yields \emph{all} currently known facts. An optional limit for the
+ number of printed facts may be given; the default is 40. By
+ default, duplicates are removed from the search result. Use
+ @{text with_dups} to display duplicates.
+
+ \item @{command "find_consts"}~@{text criteria} prints all constants
+ whose type meets all of the given criteria. The criterion @{text
+ "strict: ty"} is met by any type that matches the type pattern
+ @{text ty}. Patterns may contain both the dummy type ``@{text _}''
+ and sort constraints. The criterion @{text ty} is similar, but it
+ also matches against subtypes. The criterion @{text "name: p"} and
+ the prefix ``@{text "-"}'' function as described for @{command
+ "find_theorems"}.
+
+ \item @{command "thm_deps"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"}
+ visualizes dependencies of facts, using Isabelle's graph browser
+ tool (see also \cite{isabelle-sys}).
+
+ \item @{command "unused_thms"}~@{text "A\<^isub>1 \<dots> A\<^isub>m - B\<^isub>1 \<dots> B\<^isub>n"}
+ displays all unused theorems in theories @{text "B\<^isub>1 \<dots> B\<^isub>n"}
+ or their parents, but not in @{text "A\<^isub>1 \<dots> A\<^isub>m"} or their parents.
+ If @{text n} is @{text 0}, the end of the range of theories
+ defaults to the current theory. If no range is specified,
+ only the unused theorems in the current theory are displayed.
+
+ \item @{command "print_facts"} prints all local facts of the
+ current context, both named and unnamed ones.
+
+ \item @{command "print_binds"} prints all term abbreviations
+ present in the context.
+
+ \end{description}
+*}
+
+
+section {* System commands *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "cd"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "pwd"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "use_thy"}@{text "\<^sup>*"} & : & @{text "any \<rightarrow>"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command cd} | @@{command use_thy}) @{syntax name}
+ "}
+
+ \begin{description}
+
+ \item @{command "cd"}~@{text path} changes the current directory
+ of the Isabelle process.
+
+ \item @{command "pwd"} prints the current working directory.
+
+ \item @{command "use_thy"}~@{text A} preload theory @{text A}.
+ These system commands are scarcely used when working interactively,
+ since loading of theories is done automatically as required.
+
+ \end{description}
+
+ %FIXME proper place (!?)
+ Isabelle file specification may contain path variables (e.g.\
+ @{verbatim "$ISABELLE_HOME"}) that are expanded accordingly. Note
+ that @{verbatim "~"} abbreviates @{verbatim "$USER_HOME"}, and
+ @{verbatim "~~"} abbreviates @{verbatim "$ISABELLE_HOME"}. The
+ general syntax for path specifications follows POSIX conventions.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Outer_Syntax.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,427 @@
+theory Outer_Syntax
+imports Base Main
+begin
+
+chapter {* Outer syntax --- the theory language \label{ch:outer-syntax} *}
+
+text {*
+ The rather generic framework of Isabelle/Isar syntax emerges from
+ three main syntactic categories: \emph{commands} of the top-level
+ Isar engine (covering theory and proof elements), \emph{methods} for
+ general goal refinements (analogous to traditional ``tactics''), and
+ \emph{attributes} for operations on facts (within a certain
+ context). Subsequently we give a reference of basic syntactic
+ entities underlying Isabelle/Isar syntax in a bottom-up manner.
+ Concrete theory and proof language elements will be introduced later
+ on.
+
+ \medskip In order to get started with writing well-formed
+ Isabelle/Isar documents, the most important aspect to be noted is
+ the difference of \emph{inner} versus \emph{outer} syntax. Inner
+ syntax is that of Isabelle types and terms of the logic, while outer
+ syntax is that of Isabelle/Isar theory sources (specifications and
+ proofs). As a general rule, inner syntax entities may occur only as
+ \emph{atomic entities} within outer syntax. For example, the string
+ @{verbatim "\"x + y\""} and identifier @{verbatim z} are legal term
+ specifications within a theory, while @{verbatim "x + y"} without
+ quotes is not.
+
+ Printed theory documents usually omit quotes to gain readability
+ (this is a matter of {\LaTeX} macro setup, say via @{verbatim
+ "\\isabellestyle"}, see also \cite{isabelle-sys}). Experienced
+ users of Isabelle/Isar may easily reconstruct the lost technical
+ information, while mere readers need not care about quotes at all.
+
+ \medskip Isabelle/Isar input may contain any number of input
+ termination characters ``@{verbatim ";"}'' (semicolon) to separate
+ commands explicitly. This is particularly useful in interactive
+ shell sessions to make clear where the current command is intended
+ to end. Otherwise, the interpreter loop will continue to issue a
+ secondary prompt ``@{verbatim "#"}'' until an end-of-command is
+ clearly recognized from the input syntax, e.g.\ encounter of the
+ next command keyword.
+
+ More advanced interfaces such as Proof~General \cite{proofgeneral}
+ do not require explicit semicolons, the amount of input text is
+ determined automatically by inspecting the present content of the
+ Emacs text buffer. In the printed presentation of Isabelle/Isar
+ documents semicolons are omitted altogether for readability.
+
+ \begin{warn}
+ Proof~General requires certain syntax classification tables in
+ order to achieve properly synchronized interaction with the
+ Isabelle/Isar process. These tables need to be consistent with
+ the Isabelle version and particular logic image to be used in a
+ running session (common object-logics may well change the outer
+ syntax). The standard setup should work correctly with any of the
+ ``official'' logic images derived from Isabelle/HOL (including
+ HOLCF etc.). Users of alternative logics may need to tell
+ Proof~General explicitly, e.g.\ by giving an option @{verbatim "-k ZF"}
+ (in conjunction with @{verbatim "-l ZF"}, to specify the default
+ logic image). Note that option @{verbatim "-L"} does both
+ of this at the same time.
+ \end{warn}
+*}
+
+
+section {* Lexical matters \label{sec:outer-lex} *}
+
+text {* The outer lexical syntax consists of three main categories of
+ syntax tokens:
+
+ \begin{enumerate}
+
+ \item \emph{major keywords} --- the command names that are available
+ in the present logic session;
+
+ \item \emph{minor keywords} --- additional literal tokens required
+ by the syntax of commands;
+
+ \item \emph{named tokens} --- various categories of identifiers etc.
+
+ \end{enumerate}
+
+ Major keywords and minor keywords are guaranteed to be disjoint.
+ This helps user-interfaces to determine the overall structure of a
+ theory text, without knowing the full details of command syntax.
+ Internally, there is some additional information about the kind of
+ major keywords, which approximates the command type (theory command,
+ proof command etc.).
+
+ Keywords override named tokens. For example, the presence of a
+ command called @{verbatim term} inhibits the identifier @{verbatim
+ term}, but the string @{verbatim "\"term\""} can be used instead.
+ By convention, the outer syntax always allows quoted strings in
+ addition to identifiers, wherever a named entity is expected.
+
+ When tokenizing a given input sequence, the lexer repeatedly takes
+ the longest prefix of the input that forms a valid token. Spaces,
+ tabs, newlines and formfeeds between tokens serve as explicit
+ separators.
+
+ \medskip The categories for named tokens are defined once and for
+ all as follows.
+
+ \begin{center}
+ \begin{supertabular}{rcl}
+ @{syntax_def ident} & = & @{text "letter quasiletter\<^sup>*"} \\
+ @{syntax_def longident} & = & @{text "ident("}@{verbatim "."}@{text "ident)\<^sup>+"} \\
+ @{syntax_def symident} & = & @{text "sym\<^sup>+ | "}@{verbatim "\\"}@{verbatim "<"}@{text ident}@{verbatim ">"} \\
+ @{syntax_def nat} & = & @{text "digit\<^sup>+"} \\
+ @{syntax_def float} & = & @{syntax_ref nat}@{verbatim "."}@{syntax_ref nat}@{text " | "}@{verbatim "-"}@{syntax_ref nat}@{verbatim "."}@{syntax_ref nat} \\
+ @{syntax_def var} & = & @{verbatim "?"}@{text "ident | "}@{verbatim "?"}@{text ident}@{verbatim "."}@{text nat} \\
+ @{syntax_def typefree} & = & @{verbatim "'"}@{text ident} \\
+ @{syntax_def typevar} & = & @{verbatim "?"}@{text "typefree | "}@{verbatim "?"}@{text typefree}@{verbatim "."}@{text nat} \\
+ @{syntax_def string} & = & @{verbatim "\""} @{text "\<dots>"} @{verbatim "\""} \\
+ @{syntax_def altstring} & = & @{verbatim "`"} @{text "\<dots>"} @{verbatim "`"} \\
+ @{syntax_def verbatim} & = & @{verbatim "{*"} @{text "\<dots>"} @{verbatim "*"}@{verbatim "}"} \\[1ex]
+
+ @{text letter} & = & @{text "latin | "}@{verbatim "\\"}@{verbatim "<"}@{text latin}@{verbatim ">"}@{text " | "}@{verbatim "\\"}@{verbatim "<"}@{text "latin latin"}@{verbatim ">"}@{text " | greek |"} \\
+ & & @{verbatim "\<^isub>"}@{text " | "}@{verbatim "\<^isup>"} \\
+ @{text quasiletter} & = & @{text "letter | digit | "}@{verbatim "_"}@{text " | "}@{verbatim "'"} \\
+ @{text latin} & = & @{verbatim a}@{text " | \<dots> | "}@{verbatim z}@{text " | "}@{verbatim A}@{text " | \<dots> | "}@{verbatim Z} \\
+ @{text digit} & = & @{verbatim "0"}@{text " | \<dots> | "}@{verbatim "9"} \\
+ @{text sym} & = & @{verbatim "!"}@{text " | "}@{verbatim "#"}@{text " | "}@{verbatim "$"}@{text " | "}@{verbatim "%"}@{text " | "}@{verbatim "&"}@{text " | "}@{verbatim "*"}@{text " | "}@{verbatim "+"}@{text " | "}@{verbatim "-"}@{text " | "}@{verbatim "/"}@{text " |"} \\
+ & & @{verbatim "<"}@{text " | "}@{verbatim "="}@{text " | "}@{verbatim ">"}@{text " | "}@{verbatim "?"}@{text " | "}@{verbatim "@"}@{text " | "}@{verbatim "^"}@{text " | "}@{verbatim "_"}@{text " | "}@{verbatim "|"}@{text " | "}@{verbatim "~"} \\
+ @{text greek} & = & @{verbatim "\<alpha>"}@{text " | "}@{verbatim "\<beta>"}@{text " | "}@{verbatim "\<gamma>"}@{text " | "}@{verbatim "\<delta>"}@{text " |"} \\
+ & & @{verbatim "\<epsilon>"}@{text " | "}@{verbatim "\<zeta>"}@{text " | "}@{verbatim "\<eta>"}@{text " | "}@{verbatim "\<theta>"}@{text " |"} \\
+ & & @{verbatim "\<iota>"}@{text " | "}@{verbatim "\<kappa>"}@{text " | "}@{verbatim "\<mu>"}@{text " | "}@{verbatim "\<nu>"}@{text " |"} \\
+ & & @{verbatim "\<xi>"}@{text " | "}@{verbatim "\<pi>"}@{text " | "}@{verbatim "\<rho>"}@{text " | "}@{verbatim "\<sigma>"}@{text " | "}@{verbatim "\<tau>"}@{text " |"} \\
+ & & @{verbatim "\<upsilon>"}@{text " | "}@{verbatim "\<phi>"}@{text " | "}@{verbatim "\<chi>"}@{text " | "}@{verbatim "\<psi>"}@{text " |"} \\
+ & & @{verbatim "\<omega>"}@{text " | "}@{verbatim "\<Gamma>"}@{text " | "}@{verbatim "\<Delta>"}@{text " | "}@{verbatim "\<Theta>"}@{text " |"} \\
+ & & @{verbatim "\<Lambda>"}@{text " | "}@{verbatim "\<Xi>"}@{text " | "}@{verbatim "\<Pi>"}@{text " | "}@{verbatim "\<Sigma>"}@{text " |"} \\
+ & & @{verbatim "\<Upsilon>"}@{text " | "}@{verbatim "\<Phi>"}@{text " | "}@{verbatim "\<Psi>"}@{text " | "}@{verbatim "\<Omega>"} \\
+ \end{supertabular}
+ \end{center}
+
+ A @{syntax_ref var} or @{syntax_ref typevar} describes an unknown,
+ which is internally a pair of base name and index (ML type @{ML_type
+ indexname}). These components are either separated by a dot as in
+ @{text "?x.1"} or @{text "?x7.3"} or run together as in @{text
+ "?x1"}. The latter form is possible if the base name does not end
+ with digits. If the index is 0, it may be dropped altogether:
+ @{text "?x"} and @{text "?x0"} and @{text "?x.0"} all refer to the
+ same unknown, with basename @{text "x"} and index 0.
+
+ The syntax of @{syntax_ref string} admits any characters, including
+ newlines; ``@{verbatim "\""}'' (double-quote) and ``@{verbatim
+ "\\"}'' (backslash) need to be escaped by a backslash; arbitrary
+ character codes may be specified as ``@{verbatim "\\"}@{text ddd}'',
+ with three decimal digits. Alternative strings according to
+ @{syntax_ref altstring} are analogous, using single back-quotes
+ instead.
+
+ The body of @{syntax_ref verbatim} may consist of any text not
+ containing ``@{verbatim "*"}@{verbatim "}"}''; this allows
+ convenient inclusion of quotes without further escapes. There is no
+ way to escape ``@{verbatim "*"}@{verbatim "}"}''. If the quoted
+ text is {\LaTeX} source, one may usually add some blank or comment
+ to avoid the critical character sequence.
+
+ Source comments take the form @{verbatim "(*"}~@{text
+ "\<dots>"}~@{verbatim "*)"} and may be nested, although the user-interface
+ might prevent this. Note that this form indicates source comments
+ only, which are stripped after lexical analysis of the input. The
+ Isar syntax also provides proper \emph{document comments} that are
+ considered as part of the text (see \secref{sec:comments}).
+
+ Common mathematical symbols such as @{text \<forall>} are represented in
+ Isabelle as @{verbatim \<forall>}. There are infinitely many Isabelle
+ symbols like this, although proper presentation is left to front-end
+ tools such as {\LaTeX}, Proof~General, or Isabelle/jEdit. A list of
+ predefined Isabelle symbols that work well with these tools is given
+ in \appref{app:symbols}. Note that @{verbatim "\<lambda>"} does not belong
+ to the @{text letter} category, since it is already used differently
+ in the Pure term language. *}
+
+
+section {* Common syntax entities *}
+
+text {*
+ We now introduce several basic syntactic entities, such as names,
+ terms, and theorem specifications, which are factored out of the
+ actual Isar language elements to be described later.
+*}
+
+
+subsection {* Names *}
+
+text {* Entity @{syntax name} usually refers to any name of types,
+ constants, theorems etc.\ that are to be \emph{declared} or
+ \emph{defined} (so qualified identifiers are excluded here). Quoted
+ strings provide an escape for non-identifier names or those ruled
+ out by outer syntax keywords (e.g.\ quoted @{verbatim "\"let\""}).
+ Already existing objects are usually referenced by @{syntax
+ nameref}.
+
+ @{rail "
+ @{syntax_def name}: @{syntax ident} | @{syntax symident} |
+ @{syntax string} | @{syntax nat}
+ ;
+ @{syntax_def parname}: '(' @{syntax name} ')'
+ ;
+ @{syntax_def nameref}: @{syntax name} | @{syntax longident}
+ "}
+*}
+
+
+subsection {* Numbers *}
+
+text {* The outer lexical syntax (\secref{sec:outer-lex}) admits
+ natural numbers and floating point numbers. These are combined as
+ @{syntax int} and @{syntax real} as follows.
+
+ @{rail "
+ @{syntax_def int}: @{syntax nat} | '-' @{syntax nat}
+ ;
+ @{syntax_def real}: @{syntax float} | @{syntax int}
+ "}
+
+ Note that there is an overlap with the category @{syntax name},
+ which also includes @{syntax nat}.
+*}
+
+
+subsection {* Comments \label{sec:comments} *}
+
+text {* Large chunks of plain @{syntax text} are usually given
+ @{syntax verbatim}, i.e.\ enclosed in @{verbatim "{"}@{verbatim
+ "*"}~@{text "\<dots>"}~@{verbatim "*"}@{verbatim "}"}. For convenience,
+ any of the smaller text units conforming to @{syntax nameref} are
+ admitted as well. A marginal @{syntax comment} is of the form
+ @{verbatim "--"}~@{syntax text}. Any number of these may occur
+ within Isabelle/Isar commands.
+
+ @{rail "
+ @{syntax_def text}: @{syntax verbatim} | @{syntax nameref}
+ ;
+ @{syntax_def comment}: '--' @{syntax text}
+ "}
+*}
+
+
+subsection {* Type classes, sorts and arities *}
+
+text {*
+ Classes are specified by plain names. Sorts have a very simple
+ inner syntax, which is either a single class name @{text c} or a
+ list @{text "{c\<^sub>1, \<dots>, c\<^sub>n}"} referring to the
+ intersection of these classes. The syntax of type arities is given
+ directly at the outer level.
+
+ @{rail "
+ @{syntax_def classdecl}: @{syntax name} (('<' | '\<subseteq>') (@{syntax nameref} + ','))?
+ ;
+ @{syntax_def sort}: @{syntax nameref}
+ ;
+ @{syntax_def arity}: ('(' (@{syntax sort} + ',') ')')? @{syntax sort}
+ "}
+*}
+
+
+subsection {* Types and terms \label{sec:types-terms} *}
+
+text {*
+ The actual inner Isabelle syntax, that of types and terms of the
+ logic, is far too sophisticated in order to be modelled explicitly
+ at the outer theory level. Basically, any such entity has to be
+ quoted to turn it into a single token (the parsing and type-checking
+ is performed internally later). For convenience, a slightly more
+ liberal convention is adopted: quotes may be omitted for any type or
+ term that is already atomic at the outer level. For example, one
+ may just write @{verbatim x} instead of quoted @{verbatim "\"x\""}.
+ Note that symbolic identifiers (e.g.\ @{verbatim "++"} or @{text
+ "\<forall>"} are available as well, provided these have not been superseded
+ by commands or other keywords already (such as @{verbatim "="} or
+ @{verbatim "+"}).
+
+ @{rail "
+ @{syntax_def type}: @{syntax nameref} | @{syntax typefree} |
+ @{syntax typevar}
+ ;
+ @{syntax_def term}: @{syntax nameref} | @{syntax var}
+ ;
+ @{syntax_def prop}: @{syntax term}
+ "}
+
+ Positional instantiations are indicated by giving a sequence of
+ terms, or the placeholder ``@{text _}'' (underscore), which means to
+ skip a position.
+
+ @{rail "
+ @{syntax_def inst}: '_' | @{syntax term}
+ ;
+ @{syntax_def insts}: (@{syntax inst} *)
+ "}
+
+ Type declarations and definitions usually refer to @{syntax
+ typespec} on the left-hand side. This models basic type constructor
+ application at the outer syntax level. Note that only plain postfix
+ notation is available here, but no infixes.
+
+ @{rail "
+ @{syntax_def typespec}:
+ (() | @{syntax typefree} | '(' ( @{syntax typefree} + ',' ) ')') @{syntax name}
+ ;
+ @{syntax_def typespec_sorts}:
+ (() | (@{syntax typefree} ('::' @{syntax sort})?) |
+ '(' ( (@{syntax typefree} ('::' @{syntax sort})?) + ',' ) ')') @{syntax name}
+ "}
+*}
+
+
+subsection {* Term patterns and declarations \label{sec:term-decls} *}
+
+text {* Wherever explicit propositions (or term fragments) occur in a
+ proof text, casual binding of schematic term variables may be given
+ specified via patterns of the form ``@{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"}''.
+ This works both for @{syntax term} and @{syntax prop}.
+
+ @{rail "
+ @{syntax_def term_pat}: '(' (@'is' @{syntax term} +) ')'
+ ;
+ @{syntax_def prop_pat}: '(' (@'is' @{syntax prop} +) ')'
+ "}
+
+ \medskip Declarations of local variables @{text "x :: \<tau>"} and
+ logical propositions @{text "a : \<phi>"} represent different views on
+ the same principle of introducing a local scope. In practice, one
+ may usually omit the typing of @{syntax vars} (due to
+ type-inference), and the naming of propositions (due to implicit
+ references of current facts). In any case, Isar proof elements
+ usually admit to introduce multiple such items simultaneously.
+
+ @{rail "
+ @{syntax_def vars}: (@{syntax name} +) ('::' @{syntax type})?
+ ;
+ @{syntax_def props}: @{syntax thmdecl}? (@{syntax prop} @{syntax prop_pat}? +)
+ "}
+
+ The treatment of multiple declarations corresponds to the
+ complementary focus of @{syntax vars} versus @{syntax props}. In
+ ``@{text "x\<^sub>1 \<dots> x\<^sub>n :: \<tau>"}'' the typing refers to all variables, while
+ in @{text "a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} the naming refers to all propositions
+ collectively. Isar language elements that refer to @{syntax vars}
+ or @{syntax props} typically admit separate typings or namings via
+ another level of iteration, with explicit @{keyword_ref "and"}
+ separators; e.g.\ see @{command "fix"} and @{command "assume"} in
+ \secref{sec:proof-context}.
+*}
+
+
+subsection {* Attributes and theorems \label{sec:syn-att} *}
+
+text {* Attributes have their own ``semi-inner'' syntax, in the sense
+ that input conforming to @{syntax args} below is parsed by the
+ attribute a second time. The attribute argument specifications may
+ be any sequence of atomic entities (identifiers, strings etc.), or
+ properly bracketed argument lists. Below @{syntax atom} refers to
+ any atomic entity, including any @{syntax keyword} conforming to
+ @{syntax symident}.
+
+ @{rail "
+ @{syntax_def atom}: @{syntax nameref} | @{syntax typefree} |
+ @{syntax typevar} | @{syntax var} | @{syntax nat} | @{syntax float} |
+ @{syntax keyword}
+ ;
+ arg: @{syntax atom} | '(' @{syntax args} ')' | '[' @{syntax args} ']'
+ ;
+ @{syntax_def args}: arg *
+ ;
+ @{syntax_def attributes}: '[' (@{syntax nameref} @{syntax args} * ',') ']'
+ "}
+
+ Theorem specifications come in several flavors: @{syntax axmdecl}
+ and @{syntax thmdecl} usually refer to axioms, assumptions or
+ results of goal statements, while @{syntax thmdef} collects lists of
+ existing theorems. Existing theorems are given by @{syntax thmref}
+ and @{syntax thmrefs}, the former requires an actual singleton
+ result.
+
+ There are three forms of theorem references:
+ \begin{enumerate}
+
+ \item named facts @{text "a"},
+
+ \item selections from named facts @{text "a(i)"} or @{text "a(j - k)"},
+
+ \item literal fact propositions using @{syntax_ref altstring} syntax
+ @{verbatim "`"}@{text "\<phi>"}@{verbatim "`"} (see also method
+ @{method_ref fact}).
+
+ \end{enumerate}
+
+ Any kind of theorem specification may include lists of attributes
+ both on the left and right hand sides; attributes are applied to any
+ immediately preceding fact. If names are omitted, the theorems are
+ not stored within the theorem database of the theory or proof
+ context, but any given attributes are applied nonetheless.
+
+ An extra pair of brackets around attributes (like ``@{text
+ "[[simproc a]]"}'') abbreviates a theorem reference involving an
+ internal dummy fact, which will be ignored later on. So only the
+ effect of the attribute on the background context will persist.
+ This form of in-place declarations is particularly useful with
+ commands like @{command "declare"} and @{command "using"}.
+
+ @{rail "
+ @{syntax_def axmdecl}: @{syntax name} @{syntax attributes}? ':'
+ ;
+ @{syntax_def thmdecl}: thmbind ':'
+ ;
+ @{syntax_def thmdef}: thmbind '='
+ ;
+ @{syntax_def thmref}:
+ (@{syntax nameref} selection? | @{syntax altstring}) @{syntax attributes}? |
+ '[' @{syntax attributes} ']'
+ ;
+ @{syntax_def thmrefs}: @{syntax thmref} +
+ ;
+
+ thmbind: @{syntax name} @{syntax attributes} | @{syntax name} | @{syntax attributes}
+ ;
+ selection: '(' ((@{syntax nat} | @{syntax nat} '-' @{syntax nat}?) + ',') ')'
+ "}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Preface.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,70 @@
+theory Preface
+imports Base Main
+begin
+
+chapter {* Preface *}
+
+text {*
+ The \emph{Isabelle} system essentially provides a generic
+ infrastructure for building deductive systems (programmed in
+ Standard ML), with a special focus on interactive theorem proving in
+ higher-order logics. Many years ago, even end-users would refer to
+ certain ML functions (goal commands, tactics, tacticals etc.) to
+ pursue their everyday theorem proving tasks.
+
+ In contrast \emph{Isar} provides an interpreted language environment
+ of its own, which has been specifically tailored for the needs of
+ theory and proof development. Compared to raw ML, the Isabelle/Isar
+ top-level provides a more robust and comfortable development
+ platform, with proper support for theory development graphs, managed
+ transactions with unlimited undo etc. The Isabelle/Isar version of
+ the \emph{Proof~General} user interface
+ \cite{proofgeneral,Aspinall:TACAS:2000} provides a decent front-end
+ for interactive theory and proof development in this advanced
+ theorem proving environment, even though it is somewhat biased
+ towards old-style proof scripts.
+
+ \medskip Apart from the technical advances over bare-bones ML
+ programming, the main purpose of the Isar language is to provide a
+ conceptually different view on machine-checked proofs
+ \cite{Wenzel:1999:TPHOL,Wenzel-PhD}. \emph{Isar} stands for
+ \emph{Intelligible semi-automated reasoning}. Drawing from both the
+ traditions of informal mathematical proof texts and high-level
+ programming languages, Isar offers a versatile environment for
+ structured formal proof documents. Thus properly written Isar
+ proofs become accessible to a broader audience than unstructured
+ tactic scripts (which typically only provide operational information
+ for the machine). Writing human-readable proof texts certainly
+ requires some additional efforts by the writer to achieve a good
+ presentation, both of formal and informal parts of the text. On the
+ other hand, human-readable formal texts gain some value in their own
+ right, independently of the mechanic proof-checking process.
+
+ Despite its grand design of structured proof texts, Isar is able to
+ assimilate the old tactical style as an ``improper'' sub-language.
+ This provides an easy upgrade path for existing tactic scripts, as
+ well as some means for interactive experimentation and debugging of
+ structured proofs. Isabelle/Isar supports a broad range of proof
+ styles, both readable and unreadable ones.
+
+ \medskip The generic Isabelle/Isar framework (see
+ \chref{ch:isar-framework}) works reasonably well for any Isabelle
+ object-logic that conforms to the natural deduction view of the
+ Isabelle/Pure framework. Specific language elements introduced by
+ Isabelle/HOL are described in \chref{ch:hol}. Although the main
+ language elements are already provided by the Isabelle/Pure
+ framework, examples given in the generic parts will usually refer to
+ Isabelle/HOL.
+
+ \medskip Isar commands may be either \emph{proper} document
+ constructors, or \emph{improper commands}. Some proof methods and
+ attributes introduced later are classified as improper as well.
+ Improper Isar language elements, which are marked by ``@{text
+ "\<^sup>*"}'' in the subsequent chapters; they are often helpful
+ when developing proof documents, but their use is discouraged for
+ the final human-readable outcome. Typical examples are diagnostic
+ commands that print terms or theorems according to the current
+ context; other commands emulate old-style tactical theorem proving.
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Proof.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1522 @@
+theory Proof
+imports Base Main
+begin
+
+chapter {* Proofs \label{ch:proofs} *}
+
+text {*
+ Proof commands perform transitions of Isar/VM machine
+ configurations, which are block-structured, consisting of a stack of
+ nodes with three main components: logical proof context, current
+ facts, and open goals. Isar/VM transitions are typed according to
+ the following three different modes of operation:
+
+ \begin{description}
+
+ \item @{text "proof(prove)"} means that a new goal has just been
+ stated that is now to be \emph{proven}; the next command may refine
+ it by some proof method, and enter a sub-proof to establish the
+ actual result.
+
+ \item @{text "proof(state)"} is like a nested theory mode: the
+ context may be augmented by \emph{stating} additional assumptions,
+ intermediate results etc.
+
+ \item @{text "proof(chain)"} is intermediate between @{text
+ "proof(state)"} and @{text "proof(prove)"}: existing facts (i.e.\
+ the contents of the special ``@{fact_ref this}'' register) have been
+ just picked up in order to be used when refining the goal claimed
+ next.
+
+ \end{description}
+
+ The proof mode indicator may be understood as an instruction to the
+ writer, telling what kind of operation may be performed next. The
+ corresponding typings of proof commands restricts the shape of
+ well-formed proof texts to particular command sequences. So dynamic
+ arrangements of commands eventually turn out as static texts of a
+ certain structure.
+
+ \Appref{ap:refcard} gives a simplified grammar of the (extensible)
+ language emerging that way from the different types of proof
+ commands. The main ideas of the overall Isar framework are
+ explained in \chref{ch:isar-framework}.
+*}
+
+
+section {* Proof structure *}
+
+subsection {* Formal notepad *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "notepad"} & : & @{text "local_theory \<rightarrow> proof(state)"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command notepad} @'begin'
+ ;
+ @@{command end}
+ "}
+
+ \begin{description}
+
+ \item @{command "notepad"}~@{keyword "begin"} opens a proof state
+ without any goal statement. This allows to experiment with Isar,
+ without producing any persistent result.
+
+ The notepad can be closed by @{command "end"} or discontinued by
+ @{command "oops"}.
+
+ \end{description}
+*}
+
+
+subsection {* Blocks *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "next"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "{"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "}"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ \end{matharray}
+
+ While Isar is inherently block-structured, opening and closing
+ blocks is mostly handled rather casually, with little explicit
+ user-intervention. Any local goal statement automatically opens
+ \emph{two} internal blocks, which are closed again when concluding
+ the sub-proof (by @{command "qed"} etc.). Sections of different
+ context within a sub-proof may be switched via @{command "next"},
+ which is just a single block-close followed by block-open again.
+ The effect of @{command "next"} is to reset the local proof context;
+ there is no goal focus involved here!
+
+ For slightly more advanced applications, there are explicit block
+ parentheses as well. These typically achieve a stronger forward
+ style of reasoning.
+
+ \begin{description}
+
+ \item @{command "next"} switches to a fresh block within a
+ sub-proof, resetting the local context to the initial one.
+
+ \item @{command "{"} and @{command "}"} explicitly open and close
+ blocks. Any current facts pass through ``@{command "{"}''
+ unchanged, while ``@{command "}"}'' causes any result to be
+ \emph{exported} into the enclosing context. Thus fixed variables
+ are generalized, assumptions discharged, and local definitions
+ unfolded (cf.\ \secref{sec:proof-context}). There is no difference
+ of @{command "assume"} and @{command "presume"} in this mode of
+ forward reasoning --- in contrast to plain backward reasoning with
+ the result exported at @{command "show"} time.
+
+ \end{description}
+*}
+
+
+subsection {* Omitting proofs *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "oops"} & : & @{text "proof \<rightarrow> local_theory | theory"} \\
+ \end{matharray}
+
+ The @{command "oops"} command discontinues the current proof
+ attempt, while considering the partial proof text as properly
+ processed. This is conceptually quite different from ``faking''
+ actual proofs via @{command_ref "sorry"} (see
+ \secref{sec:proof-steps}): @{command "oops"} does not observe the
+ proof structure at all, but goes back right to the theory level.
+ Furthermore, @{command "oops"} does not produce any result theorem
+ --- there is no intended claim to be able to complete the proof
+ in any way.
+
+ A typical application of @{command "oops"} is to explain Isar proofs
+ \emph{within} the system itself, in conjunction with the document
+ preparation tools of Isabelle described in \chref{ch:document-prep}.
+ Thus partial or even wrong proof attempts can be discussed in a
+ logically sound manner. Note that the Isabelle {\LaTeX} macros can
+ be easily adapted to print something like ``@{text "\<dots>"}'' instead of
+ the keyword ``@{command "oops"}''.
+*}
+
+
+section {* Statements *}
+
+subsection {* Context elements \label{sec:proof-context} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "fix"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "assume"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "presume"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "def"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ \end{matharray}
+
+ The logical proof context consists of fixed variables and
+ assumptions. The former closely correspond to Skolem constants, or
+ meta-level universal quantification as provided by the Isabelle/Pure
+ logical framework. Introducing some \emph{arbitrary, but fixed}
+ variable via ``@{command "fix"}~@{text x}'' results in a local value
+ that may be used in the subsequent proof as any other variable or
+ constant. Furthermore, any result @{text "\<turnstile> \<phi>[x]"} exported from
+ the context will be universally closed wrt.\ @{text x} at the
+ outermost level: @{text "\<turnstile> \<And>x. \<phi>[x]"} (this is expressed in normal
+ form using Isabelle's meta-variables).
+
+ Similarly, introducing some assumption @{text \<chi>} has two effects.
+ On the one hand, a local theorem is created that may be used as a
+ fact in subsequent proof steps. On the other hand, any result
+ @{text "\<chi> \<turnstile> \<phi>"} exported from the context becomes conditional wrt.\
+ the assumption: @{text "\<turnstile> \<chi> \<Longrightarrow> \<phi>"}. Thus, solving an enclosing goal
+ using such a result would basically introduce a new subgoal stemming
+ from the assumption. How this situation is handled depends on the
+ version of assumption command used: while @{command "assume"}
+ insists on solving the subgoal by unification with some premise of
+ the goal, @{command "presume"} leaves the subgoal unchanged in order
+ to be proved later by the user.
+
+ Local definitions, introduced by ``@{command "def"}~@{text "x \<equiv>
+ t"}'', are achieved by combining ``@{command "fix"}~@{text x}'' with
+ another version of assumption that causes any hypothetical equation
+ @{text "x \<equiv> t"} to be eliminated by the reflexivity rule. Thus,
+ exporting some result @{text "x \<equiv> t \<turnstile> \<phi>[x]"} yields @{text "\<turnstile>
+ \<phi>[t]"}.
+
+ @{rail "
+ @@{command fix} (@{syntax vars} + @'and')
+ ;
+ (@@{command assume} | @@{command presume}) (@{syntax props} + @'and')
+ ;
+ @@{command def} (def + @'and')
+ ;
+ def: @{syntax thmdecl}? \\ @{syntax name} ('==' | '\<equiv>') @{syntax term} @{syntax term_pat}?
+ "}
+
+ \begin{description}
+
+ \item @{command "fix"}~@{text x} introduces a local variable @{text
+ x} that is \emph{arbitrary, but fixed.}
+
+ \item @{command "assume"}~@{text "a: \<phi>"} and @{command
+ "presume"}~@{text "a: \<phi>"} introduce a local fact @{text "\<phi> \<turnstile> \<phi>"} by
+ assumption. Subsequent results applied to an enclosing goal (e.g.\
+ by @{command_ref "show"}) are handled as follows: @{command
+ "assume"} expects to be able to unify with existing premises in the
+ goal, while @{command "presume"} leaves @{text \<phi>} as new subgoals.
+
+ Several lists of assumptions may be given (separated by
+ @{keyword_ref "and"}; the resulting list of current facts consists
+ of all of these concatenated.
+
+ \item @{command "def"}~@{text "x \<equiv> t"} introduces a local
+ (non-polymorphic) definition. In results exported from the context,
+ @{text x} is replaced by @{text t}. Basically, ``@{command
+ "def"}~@{text "x \<equiv> t"}'' abbreviates ``@{command "fix"}~@{text
+ x}~@{command "assume"}~@{text "x \<equiv> t"}'', with the resulting
+ hypothetical equation solved by reflexivity.
+
+ The default name for the definitional equation is @{text x_def}.
+ Several simultaneous definitions may be given at the same time.
+
+ \end{description}
+
+ The special name @{fact_ref prems} refers to all assumptions of the
+ current context as a list of theorems. This feature should be used
+ with great care! It is better avoided in final proof texts.
+*}
+
+
+subsection {* Term abbreviations \label{sec:term-abbrev} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "let"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{keyword_def "is"} & : & syntax \\
+ \end{matharray}
+
+ Abbreviations may be either bound by explicit @{command
+ "let"}~@{text "p \<equiv> t"} statements, or by annotating assumptions or
+ goal statements with a list of patterns ``@{text "(\<IS> p\<^sub>1 \<dots>
+ p\<^sub>n)"}''. In both cases, higher-order matching is invoked to
+ bind extra-logical term variables, which may be either named
+ schematic variables of the form @{text ?x}, or nameless dummies
+ ``@{variable _}'' (underscore). Note that in the @{command "let"}
+ form the patterns occur on the left-hand side, while the @{keyword
+ "is"} patterns are in postfix position.
+
+ Polymorphism of term bindings is handled in Hindley-Milner style,
+ similar to ML. Type variables referring to local assumptions or
+ open goal statements are \emph{fixed}, while those of finished
+ results or bound by @{command "let"} may occur in \emph{arbitrary}
+ instances later. Even though actual polymorphism should be rarely
+ used in practice, this mechanism is essential to achieve proper
+ incremental type-inference, as the user proceeds to build up the
+ Isar proof text from left to right.
+
+ \medskip Term abbreviations are quite different from local
+ definitions as introduced via @{command "def"} (see
+ \secref{sec:proof-context}). The latter are visible within the
+ logic as actual equations, while abbreviations disappear during the
+ input process just after type checking. Also note that @{command
+ "def"} does not support polymorphism.
+
+ @{rail "
+ @@{command let} ((@{syntax term} + @'and') '=' @{syntax term} + @'and')
+ "}
+
+ The syntax of @{keyword "is"} patterns follows @{syntax term_pat} or
+ @{syntax prop_pat} (see \secref{sec:term-decls}).
+
+ \begin{description}
+
+ \item @{command "let"}~@{text "p\<^sub>1 = t\<^sub>1 \<AND> \<dots> p\<^sub>n = t\<^sub>n"} binds any
+ text variables in patterns @{text "p\<^sub>1, \<dots>, p\<^sub>n"} by simultaneous
+ higher-order matching against terms @{text "t\<^sub>1, \<dots>, t\<^sub>n"}.
+
+ \item @{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"} resembles @{command "let"}, but
+ matches @{text "p\<^sub>1, \<dots>, p\<^sub>n"} against the preceding statement. Also
+ note that @{keyword "is"} is not a separate command, but part of
+ others (such as @{command "assume"}, @{command "have"} etc.).
+
+ \end{description}
+
+ Some \emph{implicit} term abbreviations\index{term abbreviations}
+ for goals and facts are available as well. For any open goal,
+ @{variable_ref thesis} refers to its object-level statement,
+ abstracted over any meta-level parameters (if present). Likewise,
+ @{variable_ref this} is bound for fact statements resulting from
+ assumptions or finished goals. In case @{variable this} refers to
+ an object-logic statement that is an application @{text "f t"}, then
+ @{text t} is bound to the special text variable ``@{variable "\<dots>"}''
+ (three dots). The canonical application of this convenience are
+ calculational proofs (see \secref{sec:calculation}).
+*}
+
+
+subsection {* Facts and forward chaining \label{sec:proof-facts} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "note"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "then"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
+ @{command_def "from"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
+ @{command_def "with"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
+ @{command_def "using"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
+ @{command_def "unfolding"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ New facts are established either by assumption or proof of local
+ statements. Any fact will usually be involved in further proofs,
+ either as explicit arguments of proof methods, or when forward
+ chaining towards the next goal via @{command "then"} (and variants);
+ @{command "from"} and @{command "with"} are composite forms
+ involving @{command "note"}. The @{command "using"} elements
+ augments the collection of used facts \emph{after} a goal has been
+ stated. Note that the special theorem name @{fact_ref this} refers
+ to the most recently established facts, but only \emph{before}
+ issuing a follow-up claim.
+
+ @{rail "
+ @@{command note} (@{syntax thmdef}? @{syntax thmrefs} + @'and')
+ ;
+ (@@{command from} | @@{command with} | @@{command using} | @@{command unfolding})
+ (@{syntax thmrefs} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "note"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"} recalls existing facts
+ @{text "b\<^sub>1, \<dots>, b\<^sub>n"}, binding the result as @{text a}. Note that
+ attributes may be involved as well, both on the left and right hand
+ sides.
+
+ \item @{command "then"} indicates forward chaining by the current
+ facts in order to establish the goal to be claimed next. The
+ initial proof method invoked to refine that will be offered the
+ facts to do ``anything appropriate'' (see also
+ \secref{sec:proof-steps}). For example, method @{method (Pure) rule}
+ (see \secref{sec:pure-meth-att}) would typically do an elimination
+ rather than an introduction. Automatic methods usually insert the
+ facts into the goal state before operation. This provides a simple
+ scheme to control relevance of facts in automated proof search.
+
+ \item @{command "from"}~@{text b} abbreviates ``@{command
+ "note"}~@{text b}~@{command "then"}''; thus @{command "then"} is
+ equivalent to ``@{command "from"}~@{text this}''.
+
+ \item @{command "with"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} abbreviates ``@{command
+ "from"}~@{text "b\<^sub>1 \<dots> b\<^sub>n \<AND> this"}''; thus the forward chaining
+ is from earlier facts together with the current ones.
+
+ \item @{command "using"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} augments the facts being
+ currently indicated for use by a subsequent refinement step (such as
+ @{command_ref "apply"} or @{command_ref "proof"}).
+
+ \item @{command "unfolding"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} is structurally
+ similar to @{command "using"}, but unfolds definitional equations
+ @{text "b\<^sub>1, \<dots> b\<^sub>n"} throughout the goal state and facts.
+
+ \end{description}
+
+ Forward chaining with an empty list of theorems is the same as not
+ chaining at all. Thus ``@{command "from"}~@{text nothing}'' has no
+ effect apart from entering @{text "prove(chain)"} mode, since
+ @{fact_ref nothing} is bound to the empty list of theorems.
+
+ Basic proof methods (such as @{method_ref (Pure) rule}) expect multiple
+ facts to be given in their proper order, corresponding to a prefix
+ of the premises of the rule involved. Note that positions may be
+ easily skipped using something like @{command "from"}~@{text "_
+ \<AND> a \<AND> b"}, for example. This involves the trivial rule
+ @{text "PROP \<psi> \<Longrightarrow> PROP \<psi>"}, which is bound in Isabelle/Pure as
+ ``@{fact_ref "_"}'' (underscore).
+
+ Automated methods (such as @{method simp} or @{method auto}) just
+ insert any given facts before their usual operation. Depending on
+ the kind of procedure involved, the order of facts is less
+ significant here.
+*}
+
+
+subsection {* Goals \label{sec:goals} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "lemma"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "theorem"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "corollary"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "schematic_lemma"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "schematic_theorem"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "schematic_corollary"} & : & @{text "local_theory \<rightarrow> proof(prove)"} \\
+ @{command_def "have"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
+ @{command_def "show"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
+ @{command_def "hence"} & : & @{text "proof(state) \<rightarrow> proof(prove)"} \\
+ @{command_def "thus"} & : & @{text "proof(state) \<rightarrow> proof(prove)"} \\
+ @{command_def "print_statement"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ \end{matharray}
+
+ From a theory context, proof mode is entered by an initial goal
+ command such as @{command "lemma"}, @{command "theorem"}, or
+ @{command "corollary"}. Within a proof, new claims may be
+ introduced locally as well; four variants are available here to
+ indicate whether forward chaining of facts should be performed
+ initially (via @{command_ref "then"}), and whether the final result
+ is meant to solve some pending goal.
+
+ Goals may consist of multiple statements, resulting in a list of
+ facts eventually. A pending multi-goal is internally represented as
+ a meta-level conjunction (@{text "&&&"}), which is usually
+ split into the corresponding number of sub-goals prior to an initial
+ method application, via @{command_ref "proof"}
+ (\secref{sec:proof-steps}) or @{command_ref "apply"}
+ (\secref{sec:tactic-commands}). The @{method_ref induct} method
+ covered in \secref{sec:cases-induct} acts on multiple claims
+ simultaneously.
+
+ Claims at the theory level may be either in short or long form. A
+ short goal merely consists of several simultaneous propositions
+ (often just one). A long goal includes an explicit context
+ specification for the subsequent conclusion, involving local
+ parameters and assumptions. Here the role of each part of the
+ statement is explicitly marked by separate keywords (see also
+ \secref{sec:locale}); the local assumptions being introduced here
+ are available as @{fact_ref assms} in the proof. Moreover, there
+ are two kinds of conclusions: @{element_def "shows"} states several
+ simultaneous propositions (essentially a big conjunction), while
+ @{element_def "obtains"} claims several simultaneous simultaneous
+ contexts of (essentially a big disjunction of eliminated parameters
+ and assumptions, cf.\ \secref{sec:obtain}).
+
+ @{rail "
+ (@@{command lemma} | @@{command theorem} | @@{command corollary} |
+ @@{command schematic_lemma} | @@{command schematic_theorem} |
+ @@{command schematic_corollary}) @{syntax target}? (goal | longgoal)
+ ;
+ (@@{command have} | @@{command show} | @@{command hence} | @@{command thus}) goal
+ ;
+ @@{command print_statement} @{syntax modes}? @{syntax thmrefs}
+ ;
+
+ goal: (@{syntax props} + @'and')
+ ;
+ longgoal: @{syntax thmdecl}? (@{syntax_ref \"includes\"}?) (@{syntax context_elem} * ) conclusion
+ ;
+ conclusion: @'shows' goal | @'obtains' (@{syntax parname}? case + '|')
+ ;
+ case: (@{syntax vars} + @'and') @'where' (@{syntax props} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "lemma"}~@{text "a: \<phi>"} enters proof mode with
+ @{text \<phi>} as main goal, eventually resulting in some fact @{text "\<turnstile>
+ \<phi>"} to be put back into the target context. An additional @{syntax
+ context} specification may build up an initial proof context for the
+ subsequent claim; this includes local definitions and syntax as
+ well, see also @{syntax "includes"} in \secref{sec:bundle} and
+ @{syntax context_elem} in \secref{sec:locale}.
+
+ \item @{command "theorem"}~@{text "a: \<phi>"} and @{command
+ "corollary"}~@{text "a: \<phi>"} are essentially the same as @{command
+ "lemma"}~@{text "a: \<phi>"}, but the facts are internally marked as
+ being of a different kind. This discrimination acts like a formal
+ comment.
+
+ \item @{command "schematic_lemma"}, @{command "schematic_theorem"},
+ @{command "schematic_corollary"} are similar to @{command "lemma"},
+ @{command "theorem"}, @{command "corollary"}, respectively but allow
+ the statement to contain unbound schematic variables.
+
+ Under normal circumstances, an Isar proof text needs to specify
+ claims explicitly. Schematic goals are more like goals in Prolog,
+ where certain results are synthesized in the course of reasoning.
+ With schematic statements, the inherent compositionality of Isar
+ proofs is lost, which also impacts performance, because proof
+ checking is forced into sequential mode.
+
+ \item @{command "have"}~@{text "a: \<phi>"} claims a local goal,
+ eventually resulting in a fact within the current logical context.
+ This operation is completely independent of any pending sub-goals of
+ an enclosing goal statements, so @{command "have"} may be freely
+ used for experimental exploration of potential results within a
+ proof body.
+
+ \item @{command "show"}~@{text "a: \<phi>"} is like @{command
+ "have"}~@{text "a: \<phi>"} plus a second stage to refine some pending
+ sub-goal for each one of the finished result, after having been
+ exported into the corresponding context (at the head of the
+ sub-proof of this @{command "show"} command).
+
+ To accommodate interactive debugging, resulting rules are printed
+ before being applied internally. Even more, interactive execution
+ of @{command "show"} predicts potential failure and displays the
+ resulting error as a warning beforehand. Watch out for the
+ following message:
+
+ %FIXME proper antiquitation
+ \begin{ttbox}
+ Problem! Local statement will fail to solve any pending goal
+ \end{ttbox}
+
+ \item @{command "hence"} abbreviates ``@{command "then"}~@{command
+ "have"}'', i.e.\ claims a local goal to be proven by forward
+ chaining the current facts. Note that @{command "hence"} is also
+ equivalent to ``@{command "from"}~@{text this}~@{command "have"}''.
+
+ \item @{command "thus"} abbreviates ``@{command "then"}~@{command
+ "show"}''. Note that @{command "thus"} is also equivalent to
+ ``@{command "from"}~@{text this}~@{command "show"}''.
+
+ \item @{command "print_statement"}~@{text a} prints facts from the
+ current theory or proof context in long statement form, according to
+ the syntax for @{command "lemma"} given above.
+
+ \end{description}
+
+ Any goal statement causes some term abbreviations (such as
+ @{variable_ref "?thesis"}) to be bound automatically, see also
+ \secref{sec:term-abbrev}.
+
+ The optional case names of @{element_ref "obtains"} have a twofold
+ meaning: (1) during the of this claim they refer to the the local
+ context introductions, (2) the resulting rule is annotated
+ accordingly to support symbolic case splits when used with the
+ @{method_ref cases} method (cf.\ \secref{sec:cases-induct}).
+*}
+
+
+section {* Refinement steps *}
+
+subsection {* Proof method expressions \label{sec:proof-meth} *}
+
+text {* Proof methods are either basic ones, or expressions composed
+ of methods via ``@{verbatim ","}'' (sequential composition),
+ ``@{verbatim "|"}'' (alternative choices), ``@{verbatim "?"}''
+ (try), ``@{verbatim "+"}'' (repeat at least once), ``@{verbatim
+ "["}@{text n}@{verbatim "]"}'' (restriction to first @{text n}
+ sub-goals, with default @{text "n = 1"}). In practice, proof
+ methods are usually just a comma separated list of @{syntax
+ nameref}~@{syntax args} specifications. Note that parentheses may
+ be dropped for single method specifications (with no arguments).
+
+ @{rail "
+ @{syntax_def method}:
+ (@{syntax nameref} | '(' methods ')') (() | '?' | '+' | '[' @{syntax nat}? ']')
+ ;
+ methods: (@{syntax nameref} @{syntax args} | @{syntax method}) + (',' | '|')
+ "}
+
+ Proper Isar proof methods do \emph{not} admit arbitrary goal
+ addressing, but refer either to the first sub-goal or all sub-goals
+ uniformly. The goal restriction operator ``@{text "[n]"}''
+ evaluates a method expression within a sandbox consisting of the
+ first @{text n} sub-goals (which need to exist). For example, the
+ method ``@{text "simp_all[3]"}'' simplifies the first three
+ sub-goals, while ``@{text "(rule foo, simp_all)[]"}'' simplifies all
+ new goals that emerge from applying rule @{text "foo"} to the
+ originally first one.
+
+ Improper methods, notably tactic emulations, offer a separate
+ low-level goal addressing scheme as explicit argument to the
+ individual tactic being involved. Here ``@{text "[!]"}'' refers to
+ all goals, and ``@{text "[n-]"}'' to all goals starting from @{text
+ "n"}.
+
+ @{rail "
+ @{syntax_def goal_spec}:
+ '[' (@{syntax nat} '-' @{syntax nat} | @{syntax nat} '-' | @{syntax nat} | '!' ) ']'
+ "}
+*}
+
+
+subsection {* Initial and terminal proof steps \label{sec:proof-steps} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "proof"} & : & @{text "proof(prove) \<rightarrow> proof(state)"} \\
+ @{command_def "qed"} & : & @{text "proof(state) \<rightarrow> proof(state) | local_theory | theory"} \\
+ @{command_def "by"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
+ @{command_def ".."} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
+ @{command_def "."} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
+ @{command_def "sorry"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
+ \end{matharray}
+
+ Arbitrary goal refinement via tactics is considered harmful.
+ Structured proof composition in Isar admits proof methods to be
+ invoked in two places only.
+
+ \begin{enumerate}
+
+ \item An \emph{initial} refinement step @{command_ref
+ "proof"}~@{text "m\<^sub>1"} reduces a newly stated goal to a number
+ of sub-goals that are to be solved later. Facts are passed to
+ @{text "m\<^sub>1"} for forward chaining, if so indicated by @{text
+ "proof(chain)"} mode.
+
+ \item A \emph{terminal} conclusion step @{command_ref "qed"}~@{text
+ "m\<^sub>2"} is intended to solve remaining goals. No facts are
+ passed to @{text "m\<^sub>2"}.
+
+ \end{enumerate}
+
+ The only other (proper) way to affect pending goals in a proof body
+ is by @{command_ref "show"}, which involves an explicit statement of
+ what is to be solved eventually. Thus we avoid the fundamental
+ problem of unstructured tactic scripts that consist of numerous
+ consecutive goal transformations, with invisible effects.
+
+ \medskip As a general rule of thumb for good proof style, initial
+ proof methods should either solve the goal completely, or constitute
+ some well-understood reduction to new sub-goals. Arbitrary
+ automatic proof tools that are prone leave a large number of badly
+ structured sub-goals are no help in continuing the proof document in
+ an intelligible manner.
+
+ Unless given explicitly by the user, the default initial method is
+ @{method_ref (Pure) rule} (or its classical variant @{method_ref
+ rule}), which applies a single standard elimination or introduction
+ rule according to the topmost symbol involved. There is no separate
+ default terminal method. Any remaining goals are always solved by
+ assumption in the very last step.
+
+ @{rail "
+ @@{command proof} method?
+ ;
+ @@{command qed} method?
+ ;
+ @@{command \"by\"} method method?
+ ;
+ (@@{command \".\"} | @@{command \"..\"} | @@{command sorry})
+ "}
+
+ \begin{description}
+
+ \item @{command "proof"}~@{text "m\<^sub>1"} refines the goal by proof
+ method @{text "m\<^sub>1"}; facts for forward chaining are passed if so
+ indicated by @{text "proof(chain)"} mode.
+
+ \item @{command "qed"}~@{text "m\<^sub>2"} refines any remaining goals by
+ proof method @{text "m\<^sub>2"} and concludes the sub-proof by assumption.
+ If the goal had been @{text "show"} (or @{text "thus"}), some
+ pending sub-goal is solved as well by the rule resulting from the
+ result \emph{exported} into the enclosing goal context. Thus @{text
+ "qed"} may fail for two reasons: either @{text "m\<^sub>2"} fails, or the
+ resulting rule does not fit to any pending goal\footnote{This
+ includes any additional ``strong'' assumptions as introduced by
+ @{command "assume"}.} of the enclosing context. Debugging such a
+ situation might involve temporarily changing @{command "show"} into
+ @{command "have"}, or weakening the local context by replacing
+ occurrences of @{command "assume"} by @{command "presume"}.
+
+ \item @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} is a \emph{terminal
+ proof}\index{proof!terminal}; it abbreviates @{command
+ "proof"}~@{text "m\<^sub>1"}~@{command "qed"}~@{text "m\<^sub>2"}, but with
+ backtracking across both methods. Debugging an unsuccessful
+ @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} command can be done by expanding its
+ definition; in many cases @{command "proof"}~@{text "m\<^sub>1"} (or even
+ @{text "apply"}~@{text "m\<^sub>1"}) is already sufficient to see the
+ problem.
+
+ \item ``@{command ".."}'' is a \emph{default
+ proof}\index{proof!default}; it abbreviates @{command "by"}~@{text
+ "rule"}.
+
+ \item ``@{command "."}'' is a \emph{trivial
+ proof}\index{proof!trivial}; it abbreviates @{command "by"}~@{text
+ "this"}.
+
+ \item @{command "sorry"} is a \emph{fake proof}\index{proof!fake}
+ pretending to solve the pending claim without further ado. This
+ only works in interactive development, or if the @{ML
+ quick_and_dirty} flag is enabled (in ML). Facts emerging from fake
+ proofs are not the real thing. Internally, each theorem container
+ is tainted by an oracle invocation, which is indicated as ``@{text
+ "[!]"}'' in the printed result.
+
+ The most important application of @{command "sorry"} is to support
+ experimentation and top-down proof development.
+
+ \end{description}
+*}
+
+
+subsection {* Fundamental methods and attributes \label{sec:pure-meth-att} *}
+
+text {*
+ The following proof methods and attributes refer to basic logical
+ operations of Isar. Further methods and attributes are provided by
+ several generic and object-logic specific tools and packages (see
+ \chref{ch:gen-tools} and \chref{ch:hol}).
+
+ \begin{matharray}{rcl}
+ @{method_def "-"} & : & @{text method} \\
+ @{method_def "fact"} & : & @{text method} \\
+ @{method_def "assumption"} & : & @{text method} \\
+ @{method_def "this"} & : & @{text method} \\
+ @{method_def (Pure) "rule"} & : & @{text method} \\
+ @{attribute_def (Pure) "intro"} & : & @{text attribute} \\
+ @{attribute_def (Pure) "elim"} & : & @{text attribute} \\
+ @{attribute_def (Pure) "dest"} & : & @{text attribute} \\
+ @{attribute_def (Pure) "rule"} & : & @{text attribute} \\[0.5ex]
+ @{attribute_def "OF"} & : & @{text attribute} \\
+ @{attribute_def "of"} & : & @{text attribute} \\
+ @{attribute_def "where"} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{method fact} @{syntax thmrefs}?
+ ;
+ @@{method (Pure) rule} @{syntax thmrefs}?
+ ;
+ rulemod: ('intro' | 'elim' | 'dest')
+ ((('!' | () | '?') @{syntax nat}?) | 'del') ':' @{syntax thmrefs}
+ ;
+ (@@{attribute intro} | @@{attribute elim} | @@{attribute dest})
+ ('!' | () | '?') @{syntax nat}?
+ ;
+ @@{attribute (Pure) rule} 'del'
+ ;
+ @@{attribute OF} @{syntax thmrefs}
+ ;
+ @@{attribute of} @{syntax insts} ('concl' ':' @{syntax insts})?
+ ;
+ @@{attribute \"where\"}
+ ((@{syntax name} | @{syntax var} | @{syntax typefree} | @{syntax typevar}) '='
+ (@{syntax type} | @{syntax term}) * @'and')
+ "}
+
+ \begin{description}
+
+ \item ``@{method "-"}'' (minus) does nothing but insert the forward
+ chaining facts as premises into the goal. Note that command
+ @{command_ref "proof"} without any method actually performs a single
+ reduction step using the @{method_ref (Pure) rule} method; thus a plain
+ \emph{do-nothing} proof step would be ``@{command "proof"}~@{text
+ "-"}'' rather than @{command "proof"} alone.
+
+ \item @{method "fact"}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} composes some fact from
+ @{text "a\<^sub>1, \<dots>, a\<^sub>n"} (or implicitly from the current proof context)
+ modulo unification of schematic type and term variables. The rule
+ structure is not taken into account, i.e.\ meta-level implication is
+ considered atomic. This is the same principle underlying literal
+ facts (cf.\ \secref{sec:syn-att}): ``@{command "have"}~@{text
+ "\<phi>"}~@{command "by"}~@{text fact}'' is equivalent to ``@{command
+ "note"}~@{verbatim "`"}@{text \<phi>}@{verbatim "`"}'' provided that
+ @{text "\<turnstile> \<phi>"} is an instance of some known @{text "\<turnstile> \<phi>"} in the
+ proof context.
+
+ \item @{method assumption} solves some goal by a single assumption
+ step. All given facts are guaranteed to participate in the
+ refinement; this means there may be only 0 or 1 in the first place.
+ Recall that @{command "qed"} (\secref{sec:proof-steps}) already
+ concludes any remaining sub-goals by assumption, so structured
+ proofs usually need not quote the @{method assumption} method at
+ all.
+
+ \item @{method this} applies all of the current facts directly as
+ rules. Recall that ``@{command "."}'' (dot) abbreviates ``@{command
+ "by"}~@{text this}''.
+
+ \item @{method (Pure) rule}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} applies some rule given as
+ argument in backward manner; facts are used to reduce the rule
+ before applying it to the goal. Thus @{method (Pure) rule} without facts
+ is plain introduction, while with facts it becomes elimination.
+
+ When no arguments are given, the @{method (Pure) rule} method tries to pick
+ appropriate rules automatically, as declared in the current context
+ using the @{attribute (Pure) intro}, @{attribute (Pure) elim},
+ @{attribute (Pure) dest} attributes (see below). This is the
+ default behavior of @{command "proof"} and ``@{command ".."}''
+ (double-dot) steps (see \secref{sec:proof-steps}).
+
+ \item @{attribute (Pure) intro}, @{attribute (Pure) elim}, and
+ @{attribute (Pure) dest} declare introduction, elimination, and
+ destruct rules, to be used with method @{method (Pure) rule}, and similar
+ tools. Note that the latter will ignore rules declared with
+ ``@{text "?"}'', while ``@{text "!"}'' are used most aggressively.
+
+ The classical reasoner (see \secref{sec:classical}) introduces its
+ own variants of these attributes; use qualified names to access the
+ present versions of Isabelle/Pure, i.e.\ @{attribute (Pure)
+ "Pure.intro"}.
+
+ \item @{attribute (Pure) rule}~@{text del} undeclares introduction,
+ elimination, or destruct rules.
+
+ \item @{attribute OF}~@{text "a\<^sub>1 \<dots> a\<^sub>n"} applies some theorem to all
+ of the given rules @{text "a\<^sub>1, \<dots>, a\<^sub>n"} in canonical right-to-left
+ order, which means that premises stemming from the @{text "a\<^sub>i"}
+ emerge in parallel in the result, without interfering with each
+ other. In many practical situations, the @{text "a\<^sub>i"} do not have
+ premises themselves, so @{text "rule [OF a\<^sub>1 \<dots> a\<^sub>n]"} can be actually
+ read as functional application (modulo unification).
+
+ Argument positions may be effectively skipped by using ``@{text _}''
+ (underscore), which refers to the propositional identity rule in the
+ Pure theory.
+
+ \item @{attribute of}~@{text "t\<^sub>1 \<dots> t\<^sub>n"} performs positional
+ instantiation of term variables. The terms @{text "t\<^sub>1, \<dots>, t\<^sub>n"} are
+ substituted for any schematic variables occurring in a theorem from
+ left to right; ``@{text _}'' (underscore) indicates to skip a
+ position. Arguments following a ``@{text "concl:"}'' specification
+ refer to positions of the conclusion of a rule.
+
+ \item @{attribute "where"}~@{text "x\<^sub>1 = t\<^sub>1 \<AND> \<dots> x\<^sub>n = t\<^sub>n"}
+ performs named instantiation of schematic type and term variables
+ occurring in a theorem. Schematic variables have to be specified on
+ the left-hand side (e.g.\ @{text "?x1.3"}). The question mark may
+ be omitted if the variable name is a plain identifier without index.
+ As type instantiations are inferred from term instantiations,
+ explicit type instantiations are seldom necessary.
+
+ \end{description}
+*}
+
+
+subsection {* Emulating tactic scripts \label{sec:tactic-commands} *}
+
+text {*
+ The Isar provides separate commands to accommodate tactic-style
+ proof scripts within the same system. While being outside the
+ orthodox Isar proof language, these might come in handy for
+ interactive exploration and debugging, or even actual tactical proof
+ within new-style theories (to benefit from document preparation, for
+ example). See also \secref{sec:tactics} for actual tactics, that
+ have been encapsulated as proof methods. Proper proof methods may
+ be used in scripts, too.
+
+ \begin{matharray}{rcl}
+ @{command_def "apply"}@{text "\<^sup>*"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
+ @{command_def "apply_end"}@{text "\<^sup>*"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "done"}@{text "\<^sup>*"} & : & @{text "proof(prove) \<rightarrow> proof(state) | local_theory | theory"} \\
+ @{command_def "defer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "prefer"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "back"}@{text "\<^sup>*"} & : & @{text "proof \<rightarrow> proof"} \\
+ \end{matharray}
+
+ @{rail "
+ ( @@{command apply} | @@{command apply_end} ) @{syntax method}
+ ;
+ @@{command defer} @{syntax nat}?
+ ;
+ @@{command prefer} @{syntax nat}
+ "}
+
+ \begin{description}
+
+ \item @{command "apply"}~@{text m} applies proof method @{text m} in
+ initial position, but unlike @{command "proof"} it retains ``@{text
+ "proof(prove)"}'' mode. Thus consecutive method applications may be
+ given just as in tactic scripts.
+
+ Facts are passed to @{text m} as indicated by the goal's
+ forward-chain mode, and are \emph{consumed} afterwards. Thus any
+ further @{command "apply"} command would always work in a purely
+ backward manner.
+
+ \item @{command "apply_end"}~@{text "m"} applies proof method @{text
+ m} as if in terminal position. Basically, this simulates a
+ multi-step tactic script for @{command "qed"}, but may be given
+ anywhere within the proof body.
+
+ No facts are passed to @{text m} here. Furthermore, the static
+ context is that of the enclosing goal (as for actual @{command
+ "qed"}). Thus the proof method may not refer to any assumptions
+ introduced in the current body, for example.
+
+ \item @{command "done"} completes a proof script, provided that the
+ current goal state is solved completely. Note that actual
+ structured proof commands (e.g.\ ``@{command "."}'' or @{command
+ "sorry"}) may be used to conclude proof scripts as well.
+
+ \item @{command "defer"}~@{text n} and @{command "prefer"}~@{text n}
+ shuffle the list of pending goals: @{command "defer"} puts off
+ sub-goal @{text n} to the end of the list (@{text "n = 1"} by
+ default), while @{command "prefer"} brings sub-goal @{text n} to the
+ front.
+
+ \item @{command "back"} does back-tracking over the result sequence
+ of the latest proof command. Basically, any proof command may
+ return multiple results.
+
+ \end{description}
+
+ Any proper Isar proof method may be used with tactic script commands
+ such as @{command "apply"}. A few additional emulations of actual
+ tactics are provided as well; these would be never used in actual
+ structured proofs, of course.
+*}
+
+
+subsection {* Defining proof methods *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "method_setup"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command method_setup} @{syntax name} '=' @{syntax text} @{syntax text}?
+ ;
+ "}
+
+ \begin{description}
+
+ \item @{command "method_setup"}~@{text "name = text description"}
+ defines a proof method in the current theory. The given @{text
+ "text"} has to be an ML expression of type
+ @{ML_type "(Proof.context -> Proof.method) context_parser"}, cf.\
+ basic parsers defined in structure @{ML_struct Args} and @{ML_struct
+ Attrib}. There are also combinators like @{ML METHOD} and @{ML
+ SIMPLE_METHOD} to turn certain tactic forms into official proof
+ methods; the primed versions refer to tactics with explicit goal
+ addressing.
+
+ Here are some example method definitions:
+
+ \end{description}
+*}
+
+ method_setup my_method1 = {*
+ Scan.succeed (K (SIMPLE_METHOD' (fn i: int => no_tac)))
+ *} "my first method (without any arguments)"
+
+ method_setup my_method2 = {*
+ Scan.succeed (fn ctxt: Proof.context =>
+ SIMPLE_METHOD' (fn i: int => no_tac))
+ *} "my second method (with context)"
+
+ method_setup my_method3 = {*
+ Attrib.thms >> (fn thms: thm list => fn ctxt: Proof.context =>
+ SIMPLE_METHOD' (fn i: int => no_tac))
+ *} "my third method (with theorem arguments and context)"
+
+
+section {* Generalized elimination \label{sec:obtain} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "obtain"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
+ @{command_def "guess"}@{text "\<^sup>*"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
+ \end{matharray}
+
+ Generalized elimination means that additional elements with certain
+ properties may be introduced in the current context, by virtue of a
+ locally proven ``soundness statement''. Technically speaking, the
+ @{command "obtain"} language element is like a declaration of
+ @{command "fix"} and @{command "assume"} (see also see
+ \secref{sec:proof-context}), together with a soundness proof of its
+ additional claim. According to the nature of existential reasoning,
+ assumptions get eliminated from any result exported from the context
+ later, provided that the corresponding parameters do \emph{not}
+ occur in the conclusion.
+
+ @{rail "
+ @@{command obtain} @{syntax parname}? (@{syntax vars} + @'and')
+ @'where' (@{syntax props} + @'and')
+ ;
+ @@{command guess} (@{syntax vars} + @'and')
+ "}
+
+ The derived Isar command @{command "obtain"} is defined as follows
+ (where @{text "b\<^sub>1, \<dots>, b\<^sub>k"} shall refer to (optional)
+ facts indicated for forward chaining).
+ \begin{matharray}{l}
+ @{text "\<langle>using b\<^sub>1 \<dots> b\<^sub>k\<rangle>"}~~@{command "obtain"}~@{text "x\<^sub>1 \<dots> x\<^sub>m \<WHERE> a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n \<langle>proof\<rangle> \<equiv>"} \\[1ex]
+ \quad @{command "have"}~@{text "\<And>thesis. (\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis) \<Longrightarrow> thesis"} \\
+ \quad @{command "proof"}~@{method succeed} \\
+ \qquad @{command "fix"}~@{text thesis} \\
+ \qquad @{command "assume"}~@{text "that [Pure.intro?]: \<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> thesis"} \\
+ \qquad @{command "then"}~@{command "show"}~@{text thesis} \\
+ \quad\qquad @{command "apply"}~@{text -} \\
+ \quad\qquad @{command "using"}~@{text "b\<^sub>1 \<dots> b\<^sub>k \<langle>proof\<rangle>"} \\
+ \quad @{command "qed"} \\
+ \quad @{command "fix"}~@{text "x\<^sub>1 \<dots> x\<^sub>m"}~@{command "assume"}@{text "\<^sup>* a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"} \\
+ \end{matharray}
+
+ Typically, the soundness proof is relatively straight-forward, often
+ just by canonical automated tools such as ``@{command "by"}~@{text
+ simp}'' or ``@{command "by"}~@{text blast}''. Accordingly, the
+ ``@{text that}'' reduction above is declared as simplification and
+ introduction rule.
+
+ In a sense, @{command "obtain"} represents at the level of Isar
+ proofs what would be meta-logical existential quantifiers and
+ conjunctions. This concept has a broad range of useful
+ applications, ranging from plain elimination (or introduction) of
+ object-level existential and conjunctions, to elimination over
+ results of symbolic evaluation of recursive definitions, for
+ example. Also note that @{command "obtain"} without parameters acts
+ much like @{command "have"}, where the result is treated as a
+ genuine assumption.
+
+ An alternative name to be used instead of ``@{text that}'' above may
+ be given in parentheses.
+
+ \medskip The improper variant @{command "guess"} is similar to
+ @{command "obtain"}, but derives the obtained statement from the
+ course of reasoning! The proof starts with a fixed goal @{text
+ thesis}. The subsequent proof may refine this to anything of the
+ form like @{text "\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots>
+ \<phi>\<^sub>n \<Longrightarrow> thesis"}, but must not introduce new subgoals. The
+ final goal state is then used as reduction rule for the obtain
+ scheme described above. Obtained parameters @{text "x\<^sub>1, \<dots>,
+ x\<^sub>m"} are marked as internal by default, which prevents the
+ proof context from being polluted by ad-hoc variables. The variable
+ names and type constraints given as arguments for @{command "guess"}
+ specify a prefix of obtained parameters explicitly in the text.
+
+ It is important to note that the facts introduced by @{command
+ "obtain"} and @{command "guess"} may not be polymorphic: any
+ type-variables occurring here are fixed in the present context!
+*}
+
+
+section {* Calculational reasoning \label{sec:calculation} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "also"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "finally"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
+ @{command_def "moreover"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "ultimately"} & : & @{text "proof(state) \<rightarrow> proof(chain)"} \\
+ @{command_def "print_trans_rules"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute trans} & : & @{text attribute} \\
+ @{attribute sym} & : & @{text attribute} \\
+ @{attribute symmetric} & : & @{text attribute} \\
+ \end{matharray}
+
+ Calculational proof is forward reasoning with implicit application
+ of transitivity rules (such those of @{text "="}, @{text "\<le>"},
+ @{text "<"}). Isabelle/Isar maintains an auxiliary fact register
+ @{fact_ref calculation} for accumulating results obtained by
+ transitivity composed with the current result. Command @{command
+ "also"} updates @{fact calculation} involving @{fact this}, while
+ @{command "finally"} exhibits the final @{fact calculation} by
+ forward chaining towards the next goal statement. Both commands
+ require valid current facts, i.e.\ may occur only after commands
+ that produce theorems such as @{command "assume"}, @{command
+ "note"}, or some finished proof of @{command "have"}, @{command
+ "show"} etc. The @{command "moreover"} and @{command "ultimately"}
+ commands are similar to @{command "also"} and @{command "finally"},
+ but only collect further results in @{fact calculation} without
+ applying any rules yet.
+
+ Also note that the implicit term abbreviation ``@{text "\<dots>"}'' has
+ its canonical application with calculational proofs. It refers to
+ the argument of the preceding statement. (The argument of a curried
+ infix expression happens to be its right-hand side.)
+
+ Isabelle/Isar calculations are implicitly subject to block structure
+ in the sense that new threads of calculational reasoning are
+ commenced for any new block (as opened by a local goal, for
+ example). This means that, apart from being able to nest
+ calculations, there is no separate \emph{begin-calculation} command
+ required.
+
+ \medskip The Isar calculation proof commands may be defined as
+ follows:\footnote{We suppress internal bookkeeping such as proper
+ handling of block-structure.}
+
+ \begin{matharray}{rcl}
+ @{command "also"}@{text "\<^sub>0"} & \equiv & @{command "note"}~@{text "calculation = this"} \\
+ @{command "also"}@{text "\<^sub>n+1"} & \equiv & @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\[0.5ex]
+ @{command "finally"} & \equiv & @{command "also"}~@{command "from"}~@{text calculation} \\[0.5ex]
+ @{command "moreover"} & \equiv & @{command "note"}~@{text "calculation = calculation this"} \\
+ @{command "ultimately"} & \equiv & @{command "moreover"}~@{command "from"}~@{text calculation} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command also} | @@{command finally}) ('(' @{syntax thmrefs} ')')?
+ ;
+ @@{attribute trans} (() | 'add' | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{command "also"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"} maintains the auxiliary
+ @{fact calculation} register as follows. The first occurrence of
+ @{command "also"} in some calculational thread initializes @{fact
+ calculation} by @{fact this}. Any subsequent @{command "also"} on
+ the same level of block-structure updates @{fact calculation} by
+ some transitivity rule applied to @{fact calculation} and @{fact
+ this} (in that order). Transitivity rules are picked from the
+ current context, unless alternative rules are given as explicit
+ arguments.
+
+ \item @{command "finally"}~@{text "(a\<^sub>1 \<dots> a\<^sub>n)"} maintaining @{fact
+ calculation} in the same way as @{command "also"}, and concludes the
+ current calculational thread. The final result is exhibited as fact
+ for forward chaining towards the next goal. Basically, @{command
+ "finally"} just abbreviates @{command "also"}~@{command
+ "from"}~@{fact calculation}. Typical idioms for concluding
+ calculational proofs are ``@{command "finally"}~@{command
+ "show"}~@{text ?thesis}~@{command "."}'' and ``@{command
+ "finally"}~@{command "have"}~@{text \<phi>}~@{command "."}''.
+
+ \item @{command "moreover"} and @{command "ultimately"} are
+ analogous to @{command "also"} and @{command "finally"}, but collect
+ results only, without applying rules.
+
+ \item @{command "print_trans_rules"} prints the list of transitivity
+ rules (for calculational commands @{command "also"} and @{command
+ "finally"}) and symmetry rules (for the @{attribute symmetric}
+ operation and single step elimination patters) of the current
+ context.
+
+ \item @{attribute trans} declares theorems as transitivity rules.
+
+ \item @{attribute sym} declares symmetry rules, as well as
+ @{attribute "Pure.elim"}@{text "?"} rules.
+
+ \item @{attribute symmetric} resolves a theorem with some rule
+ declared as @{attribute sym} in the current context. For example,
+ ``@{command "assume"}~@{text "[symmetric]: x = y"}'' produces a
+ swapped fact derived from that assumption.
+
+ In structured proof texts it is often more appropriate to use an
+ explicit single-step elimination proof, such as ``@{command
+ "assume"}~@{text "x = y"}~@{command "then"}~@{command "have"}~@{text
+ "y = x"}~@{command ".."}''.
+
+ \end{description}
+*}
+
+
+section {* Proof by cases and induction \label{sec:cases-induct} *}
+
+subsection {* Rule contexts *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "case"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "print_cases"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def case_names} & : & @{text attribute} \\
+ @{attribute_def case_conclusion} & : & @{text attribute} \\
+ @{attribute_def params} & : & @{text attribute} \\
+ @{attribute_def consumes} & : & @{text attribute} \\
+ \end{matharray}
+
+ The puristic way to build up Isar proof contexts is by explicit
+ language elements like @{command "fix"}, @{command "assume"},
+ @{command "let"} (see \secref{sec:proof-context}). This is adequate
+ for plain natural deduction, but easily becomes unwieldy in concrete
+ verification tasks, which typically involve big induction rules with
+ several cases.
+
+ The @{command "case"} command provides a shorthand to refer to a
+ local context symbolically: certain proof methods provide an
+ environment of named ``cases'' of the form @{text "c: x\<^sub>1, \<dots>,
+ x\<^sub>m, \<phi>\<^sub>1, \<dots>, \<phi>\<^sub>n"}; the effect of ``@{command
+ "case"}~@{text c}'' is then equivalent to ``@{command "fix"}~@{text
+ "x\<^sub>1 \<dots> x\<^sub>m"}~@{command "assume"}~@{text "c: \<phi>\<^sub>1 \<dots>
+ \<phi>\<^sub>n"}''. Term bindings may be covered as well, notably
+ @{variable ?case} for the main conclusion.
+
+ By default, the ``terminology'' @{text "x\<^sub>1, \<dots>, x\<^sub>m"} of
+ a case value is marked as hidden, i.e.\ there is no way to refer to
+ such parameters in the subsequent proof text. After all, original
+ rule parameters stem from somewhere outside of the current proof
+ text. By using the explicit form ``@{command "case"}~@{text "(c
+ y\<^sub>1 \<dots> y\<^sub>m)"}'' instead, the proof author is able to
+ chose local names that fit nicely into the current context.
+
+ \medskip It is important to note that proper use of @{command
+ "case"} does not provide means to peek at the current goal state,
+ which is not directly observable in Isar! Nonetheless, goal
+ refinement commands do provide named cases @{text "goal\<^sub>i"}
+ for each subgoal @{text "i = 1, \<dots>, n"} of the resulting goal state.
+ Using this extra feature requires great care, because some bits of
+ the internal tactical machinery intrude the proof text. In
+ particular, parameter names stemming from the left-over of automated
+ reasoning tools are usually quite unpredictable.
+
+ Under normal circumstances, the text of cases emerge from standard
+ elimination or induction rules, which in turn are derived from
+ previous theory specifications in a canonical way (say from
+ @{command "inductive"} definitions).
+
+ \medskip Proper cases are only available if both the proof method
+ and the rules involved support this. By using appropriate
+ attributes, case names, conclusions, and parameters may be also
+ declared by hand. Thus variant versions of rules that have been
+ derived manually become ready to use in advanced case analysis
+ later.
+
+ @{rail "
+ @@{command case} (caseref | '(' caseref (('_' | @{syntax name}) +) ')')
+ ;
+ caseref: nameref attributes?
+ ;
+
+ @@{attribute case_names} ((@{syntax name} ( '[' (('_' | @{syntax name}) +) ']' ) ? ) +)
+ ;
+ @@{attribute case_conclusion} @{syntax name} (@{syntax name} * )
+ ;
+ @@{attribute params} ((@{syntax name} * ) + @'and')
+ ;
+ @@{attribute consumes} @{syntax nat}?
+ "}
+
+ \begin{description}
+
+ \item @{command "case"}~@{text "(c x\<^sub>1 \<dots> x\<^sub>m)"} invokes a named local
+ context @{text "c: x\<^sub>1, \<dots>, x\<^sub>m, \<phi>\<^sub>1, \<dots>, \<phi>\<^sub>m"}, as provided by an
+ appropriate proof method (such as @{method_ref cases} and
+ @{method_ref induct}). The command ``@{command "case"}~@{text "(c
+ x\<^sub>1 \<dots> x\<^sub>m)"}'' abbreviates ``@{command "fix"}~@{text "x\<^sub>1 \<dots>
+ x\<^sub>m"}~@{command "assume"}~@{text "c: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}''.
+
+ \item @{command "print_cases"} prints all local contexts of the
+ current state, using Isar proof language notation.
+
+ \item @{attribute case_names}~@{text "c\<^sub>1 \<dots> c\<^sub>k"} declares names for
+ the local contexts of premises of a theorem; @{text "c\<^sub>1, \<dots>, c\<^sub>k"}
+ refers to the \emph{prefix} of the list of premises. Each of the
+ cases @{text "c\<^isub>i"} can be of the form @{text "c[h\<^isub>1 \<dots> h\<^isub>n]"} where
+ the @{text "h\<^isub>1 \<dots> h\<^isub>n"} are the names of the hypotheses in case @{text "c\<^isub>i"}
+ from left to right.
+
+ \item @{attribute case_conclusion}~@{text "c d\<^sub>1 \<dots> d\<^sub>k"} declares
+ names for the conclusions of a named premise @{text c}; here @{text
+ "d\<^sub>1, \<dots>, d\<^sub>k"} refers to the prefix of arguments of a logical formula
+ built by nesting a binary connective (e.g.\ @{text "\<or>"}).
+
+ Note that proof methods such as @{method induct} and @{method
+ coinduct} already provide a default name for the conclusion as a
+ whole. The need to name subformulas only arises with cases that
+ split into several sub-cases, as in common co-induction rules.
+
+ \item @{attribute params}~@{text "p\<^sub>1 \<dots> p\<^sub>m \<AND> \<dots> q\<^sub>1 \<dots> q\<^sub>n"} renames
+ the innermost parameters of premises @{text "1, \<dots>, n"} of some
+ theorem. An empty list of names may be given to skip positions,
+ leaving the present parameters unchanged.
+
+ Note that the default usage of case rules does \emph{not} directly
+ expose parameters to the proof context.
+
+ \item @{attribute consumes}~@{text n} declares the number of ``major
+ premises'' of a rule, i.e.\ the number of facts to be consumed when
+ it is applied by an appropriate proof method. The default value of
+ @{attribute consumes} is @{text "n = 1"}, which is appropriate for
+ the usual kind of cases and induction rules for inductive sets (cf.\
+ \secref{sec:hol-inductive}). Rules without any @{attribute
+ consumes} declaration given are treated as if @{attribute
+ consumes}~@{text 0} had been specified.
+
+ Note that explicit @{attribute consumes} declarations are only
+ rarely needed; this is already taken care of automatically by the
+ higher-level @{attribute cases}, @{attribute induct}, and
+ @{attribute coinduct} declarations.
+
+ \end{description}
+*}
+
+
+subsection {* Proof methods *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{method_def cases} & : & @{text method} \\
+ @{method_def induct} & : & @{text method} \\
+ @{method_def induction} & : & @{text method} \\
+ @{method_def coinduct} & : & @{text method} \\
+ \end{matharray}
+
+ The @{method cases}, @{method induct}, @{method induction},
+ and @{method coinduct}
+ methods provide a uniform interface to common proof techniques over
+ datatypes, inductive predicates (or sets), recursive functions etc.
+ The corresponding rules may be specified and instantiated in a
+ casual manner. Furthermore, these methods provide named local
+ contexts that may be invoked via the @{command "case"} proof command
+ within the subsequent proof text. This accommodates compact proof
+ texts even when reasoning about large specifications.
+
+ The @{method induct} method also provides some additional
+ infrastructure in order to be applicable to structure statements
+ (either using explicit meta-level connectives, or including facts
+ and parameters separately). This avoids cumbersome encoding of
+ ``strengthened'' inductive statements within the object-logic.
+
+ Method @{method induction} differs from @{method induct} only in
+ the names of the facts in the local context invoked by the @{command "case"}
+ command.
+
+ @{rail "
+ @@{method cases} ('(' 'no_simp' ')')? \\
+ (@{syntax insts} * @'and') rule?
+ ;
+ (@@{method induct} | @@{method induction}) ('(' 'no_simp' ')')? (definsts * @'and') \\ arbitrary? taking? rule?
+ ;
+ @@{method coinduct} @{syntax insts} taking rule?
+ ;
+
+ rule: ('type' | 'pred' | 'set') ':' (@{syntax nameref} +) | 'rule' ':' (@{syntax thmref} +)
+ ;
+ definst: @{syntax name} ('==' | '\<equiv>') @{syntax term} | '(' @{syntax term} ')' | @{syntax inst}
+ ;
+ definsts: ( definst * )
+ ;
+ arbitrary: 'arbitrary' ':' ((@{syntax term} * ) @'and' +)
+ ;
+ taking: 'taking' ':' @{syntax insts}
+ "}
+
+ \begin{description}
+
+ \item @{method cases}~@{text "insts R"} applies method @{method
+ rule} with an appropriate case distinction theorem, instantiated to
+ the subjects @{text insts}. Symbolic case names are bound according
+ to the rule's local contexts.
+
+ The rule is determined as follows, according to the facts and
+ arguments passed to the @{method cases} method:
+
+ \medskip
+ \begin{tabular}{llll}
+ facts & & arguments & rule \\\hline
+ & @{method cases} & & classical case split \\
+ & @{method cases} & @{text t} & datatype exhaustion (type of @{text t}) \\
+ @{text "\<turnstile> A t"} & @{method cases} & @{text "\<dots>"} & inductive predicate/set elimination (of @{text A}) \\
+ @{text "\<dots>"} & @{method cases} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
+ \end{tabular}
+ \medskip
+
+ Several instantiations may be given, referring to the \emph{suffix}
+ of premises of the case rule; within each premise, the \emph{prefix}
+ of variables is instantiated. In most situations, only a single
+ term needs to be specified; this refers to the first variable of the
+ last premise (it is usually the same for all cases). The @{text
+ "(no_simp)"} option can be used to disable pre-simplification of
+ cases (see the description of @{method induct} below for details).
+
+ \item @{method induct}~@{text "insts R"} and
+ @{method induction}~@{text "insts R"} are analogous to the
+ @{method cases} method, but refer to induction rules, which are
+ determined as follows:
+
+ \medskip
+ \begin{tabular}{llll}
+ facts & & arguments & rule \\\hline
+ & @{method induct} & @{text "P x"} & datatype induction (type of @{text x}) \\
+ @{text "\<turnstile> A x"} & @{method induct} & @{text "\<dots>"} & predicate/set induction (of @{text A}) \\
+ @{text "\<dots>"} & @{method induct} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
+ \end{tabular}
+ \medskip
+
+ Several instantiations may be given, each referring to some part of
+ a mutual inductive definition or datatype --- only related partial
+ induction rules may be used together, though. Any of the lists of
+ terms @{text "P, x, \<dots>"} refers to the \emph{suffix} of variables
+ present in the induction rule. This enables the writer to specify
+ only induction variables, or both predicates and variables, for
+ example.
+
+ Instantiations may be definitional: equations @{text "x \<equiv> t"}
+ introduce local definitions, which are inserted into the claim and
+ discharged after applying the induction rule. Equalities reappear
+ in the inductive cases, but have been transformed according to the
+ induction principle being involved here. In order to achieve
+ practically useful induction hypotheses, some variables occurring in
+ @{text t} need to be fixed (see below). Instantiations of the form
+ @{text t}, where @{text t} is not a variable, are taken as a
+ shorthand for \mbox{@{text "x \<equiv> t"}}, where @{text x} is a fresh
+ variable. If this is not intended, @{text t} has to be enclosed in
+ parentheses. By default, the equalities generated by definitional
+ instantiations are pre-simplified using a specific set of rules,
+ usually consisting of distinctness and injectivity theorems for
+ datatypes. This pre-simplification may cause some of the parameters
+ of an inductive case to disappear, or may even completely delete
+ some of the inductive cases, if one of the equalities occurring in
+ their premises can be simplified to @{text False}. The @{text
+ "(no_simp)"} option can be used to disable pre-simplification.
+ Additional rules to be used in pre-simplification can be declared
+ using the @{attribute_def induct_simp} attribute.
+
+ The optional ``@{text "arbitrary: x\<^sub>1 \<dots> x\<^sub>m"}''
+ specification generalizes variables @{text "x\<^sub>1, \<dots>,
+ x\<^sub>m"} of the original goal before applying induction. One can
+ separate variables by ``@{text "and"}'' to generalize them in other
+ goals then the first. Thus induction hypotheses may become
+ sufficiently general to get the proof through. Together with
+ definitional instantiations, one may effectively perform induction
+ over expressions of a certain structure.
+
+ The optional ``@{text "taking: t\<^sub>1 \<dots> t\<^sub>n"}''
+ specification provides additional instantiations of a prefix of
+ pending variables in the rule. Such schematic induction rules
+ rarely occur in practice, though.
+
+ \item @{method coinduct}~@{text "inst R"} is analogous to the
+ @{method induct} method, but refers to coinduction rules, which are
+ determined as follows:
+
+ \medskip
+ \begin{tabular}{llll}
+ goal & & arguments & rule \\\hline
+ & @{method coinduct} & @{text x} & type coinduction (type of @{text x}) \\
+ @{text "A x"} & @{method coinduct} & @{text "\<dots>"} & predicate/set coinduction (of @{text A}) \\
+ @{text "\<dots>"} & @{method coinduct} & @{text "\<dots> rule: R"} & explicit rule @{text R} \\
+ \end{tabular}
+
+ Coinduction is the dual of induction. Induction essentially
+ eliminates @{text "A x"} towards a generic result @{text "P x"},
+ while coinduction introduces @{text "A x"} starting with @{text "B
+ x"}, for a suitable ``bisimulation'' @{text B}. The cases of a
+ coinduct rule are typically named after the predicates or sets being
+ covered, while the conclusions consist of several alternatives being
+ named after the individual destructor patterns.
+
+ The given instantiation refers to the \emph{suffix} of variables
+ occurring in the rule's major premise, or conclusion if unavailable.
+ An additional ``@{text "taking: t\<^sub>1 \<dots> t\<^sub>n"}''
+ specification may be required in order to specify the bisimulation
+ to be used in the coinduction step.
+
+ \end{description}
+
+ Above methods produce named local contexts, as determined by the
+ instantiated rule as given in the text. Beyond that, the @{method
+ induct} and @{method coinduct} methods guess further instantiations
+ from the goal specification itself. Any persisting unresolved
+ schematic variables of the resulting rule will render the the
+ corresponding case invalid. The term binding @{variable ?case} for
+ the conclusion will be provided with each case, provided that term
+ is fully specified.
+
+ The @{command "print_cases"} command prints all named cases present
+ in the current proof state.
+
+ \medskip Despite the additional infrastructure, both @{method cases}
+ and @{method coinduct} merely apply a certain rule, after
+ instantiation, while conforming due to the usual way of monotonic
+ natural deduction: the context of a structured statement @{text
+ "\<And>x\<^sub>1 \<dots> x\<^sub>m. \<phi>\<^sub>1 \<Longrightarrow> \<dots> \<phi>\<^sub>n \<Longrightarrow> \<dots>"}
+ reappears unchanged after the case split.
+
+ The @{method induct} method is fundamentally different in this
+ respect: the meta-level structure is passed through the
+ ``recursive'' course involved in the induction. Thus the original
+ statement is basically replaced by separate copies, corresponding to
+ the induction hypotheses and conclusion; the original goal context
+ is no longer available. Thus local assumptions, fixed parameters
+ and definitions effectively participate in the inductive rephrasing
+ of the original statement.
+
+ In @{method induct} proofs, local assumptions introduced by cases are split
+ into two different kinds: @{text hyps} stemming from the rule and
+ @{text prems} from the goal statement. This is reflected in the
+ extracted cases accordingly, so invoking ``@{command "case"}~@{text
+ c}'' will provide separate facts @{text c.hyps} and @{text c.prems},
+ as well as fact @{text c} to hold the all-inclusive list.
+
+ In @{method induction} proofs, local assumptions introduced by cases are
+ split into three different kinds: @{text IH}, the induction hypotheses,
+ @{text hyps}, the remaining hypotheses stemming from the rule, and
+ @{text prems}, the assumptions from the goal statement. The names are
+ @{text c.IH}, @{text c.hyps} and @{text c.prems}, as above.
+
+
+ \medskip Facts presented to either method are consumed according to
+ the number of ``major premises'' of the rule involved, which is
+ usually 0 for plain cases and induction rules of datatypes etc.\ and
+ 1 for rules of inductive predicates or sets and the like. The
+ remaining facts are inserted into the goal verbatim before the
+ actual @{text cases}, @{text induct}, or @{text coinduct} rule is
+ applied.
+*}
+
+
+subsection {* Declaring rules *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "print_induct_rules"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{attribute_def cases} & : & @{text attribute} \\
+ @{attribute_def induct} & : & @{text attribute} \\
+ @{attribute_def coinduct} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute cases} spec
+ ;
+ @@{attribute induct} spec
+ ;
+ @@{attribute coinduct} spec
+ ;
+
+ spec: (('type' | 'pred' | 'set') ':' @{syntax nameref}) | 'del'
+ "}
+
+ \begin{description}
+
+ \item @{command "print_induct_rules"} prints cases and induct rules
+ for predicates (or sets) and types of the current context.
+
+ \item @{attribute cases}, @{attribute induct}, and @{attribute
+ coinduct} (as attributes) declare rules for reasoning about
+ (co)inductive predicates (or sets) and types, using the
+ corresponding methods of the same name. Certain definitional
+ packages of object-logics usually declare emerging cases and
+ induction rules as expected, so users rarely need to intervene.
+
+ Rules may be deleted via the @{text "del"} specification, which
+ covers all of the @{text "type"}/@{text "pred"}/@{text "set"}
+ sub-categories simultaneously. For example, @{attribute
+ cases}~@{text del} removes any @{attribute cases} rules declared for
+ some type, predicate, or set.
+
+ Manual rule declarations usually refer to the @{attribute
+ case_names} and @{attribute params} attributes to adjust names of
+ cases and parameters of a rule; the @{attribute consumes}
+ declaration is taken care of automatically: @{attribute
+ consumes}~@{text 0} is specified for ``type'' rules and @{attribute
+ consumes}~@{text 1} for ``predicate'' / ``set'' rules.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Quick_Reference.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,231 @@
+theory Quick_Reference
+imports Base Main
+begin
+
+chapter {* Isabelle/Isar quick reference \label{ap:refcard} *}
+
+section {* Proof commands *}
+
+subsection {* Primitives and basic syntax *}
+
+text {*
+ \begin{tabular}{ll}
+ @{command "fix"}~@{text x} & augment context by @{text "\<And>x. \<box>"} \\
+ @{command "assume"}~@{text "a: \<phi>"} & augment context by @{text "\<phi> \<Longrightarrow> \<box>"} \\
+ @{command "then"} & indicate forward chaining of facts \\
+ @{command "have"}~@{text "a: \<phi>"} & prove local result \\
+ @{command "show"}~@{text "a: \<phi>"} & prove local result, refining some goal \\
+ @{command "using"}~@{text a} & indicate use of additional facts \\
+ @{command "unfolding"}~@{text a} & unfold definitional equations \\
+ @{command "proof"}~@{text "m\<^sub>1"}~\dots~@{command "qed"}~@{text "m\<^sub>2"} & indicate proof structure and refinements \\
+ @{command "{"}~@{text "\<dots>"}~@{command "}"} & indicate explicit blocks \\
+ @{command "next"} & switch blocks \\
+ @{command "note"}~@{text "a = b"} & reconsider facts \\
+ @{command "let"}~@{text "p = t"} & abbreviate terms by higher-order matching \\
+ @{command "write"}~@{text "c (mx)"} & declare local mixfix syntax \\
+ \end{tabular}
+
+ \medskip
+
+ \begin{tabular}{rcl}
+ @{text "proof"} & = & @{text "prfx\<^sup>*"}~@{command "proof"}~@{text "method\<^sup>? stmt\<^sup>*"}~@{command "qed"}~@{text "method\<^sup>?"} \\
+ & @{text "|"} & @{text "prfx\<^sup>*"}~@{command "done"} \\
+ @{text prfx} & = & @{command "apply"}~@{text method} \\
+ & @{text "|"} & @{command "using"}~@{text "facts"} \\
+ & @{text "|"} & @{command "unfolding"}~@{text "facts"} \\
+ @{text stmt} & = & @{command "{"}~@{text "stmt\<^sup>*"}~@{command "}"} \\
+ & @{text "|"} & @{command "next"} \\
+ & @{text "|"} & @{command "note"}~@{text "name = facts"} \\
+ & @{text "|"} & @{command "let"}~@{text "term = term"} \\
+ & @{text "|"} & @{command "write"}~@{text "name (mixfix)"} \\
+ & @{text "|"} & @{command "fix"}~@{text "var\<^sup>+"} \\
+ & @{text "|"} & @{command "assume"}~@{text "name: props"} \\
+ & @{text "|"} & @{command "then"}@{text "\<^sup>?"}~@{text goal} \\
+ @{text goal} & = & @{command "have"}~@{text "name: props proof"} \\
+ & @{text "|"} & @{command "show"}~@{text "name: props proof"} \\
+ \end{tabular}
+*}
+
+
+subsection {* Abbreviations and synonyms *}
+
+text {*
+ \begin{tabular}{rcl}
+ @{command "by"}~@{text "m\<^sub>1 m\<^sub>2"} & @{text "\<equiv>"} &
+ @{command "proof"}~@{text "m\<^sub>1"}~@{command "qed"}~@{text "m\<^sub>2"} \\
+ @{command ".."} & @{text "\<equiv>"} & @{command "by"}~@{text rule} \\
+ @{command "."} & @{text "\<equiv>"} & @{command "by"}~@{text this} \\
+ @{command "hence"} & @{text "\<equiv>"} & @{command "then"}~@{command "have"} \\
+ @{command "thus"} & @{text "\<equiv>"} & @{command "then"}~@{command "show"} \\
+ @{command "from"}~@{text a} & @{text "\<equiv>"} & @{command "note"}~@{text a}~@{command "then"} \\
+ @{command "with"}~@{text a} & @{text "\<equiv>"} & @{command "from"}~@{text "a \<AND> this"} \\
+ @{command "from"}~@{text this} & @{text "\<equiv>"} & @{command "then"} \\
+ @{command "from"}~@{text this}~@{command "have"} & @{text "\<equiv>"} & @{command "hence"} \\
+ @{command "from"}~@{text this}~@{command "show"} & @{text "\<equiv>"} & @{command "thus"} \\
+ \end{tabular}
+*}
+
+
+subsection {* Derived elements *}
+
+text {*
+ \begin{tabular}{rcl}
+ @{command "also"}@{text "\<^sub>0"} & @{text "\<approx>"} &
+ @{command "note"}~@{text "calculation = this"} \\
+ @{command "also"}@{text "\<^sub>n\<^sub>+\<^sub>1"} & @{text "\<approx>"} &
+ @{command "note"}~@{text "calculation = trans [OF calculation this]"} \\
+ @{command "finally"} & @{text "\<approx>"} &
+ @{command "also"}~@{command "from"}~@{text calculation} \\[0.5ex]
+ @{command "moreover"} & @{text "\<approx>"} &
+ @{command "note"}~@{text "calculation = calculation this"} \\
+ @{command "ultimately"} & @{text "\<approx>"} &
+ @{command "moreover"}~@{command "from"}~@{text calculation} \\[0.5ex]
+ @{command "presume"}~@{text "a: \<phi>"} & @{text "\<approx>"} &
+ @{command "assume"}~@{text "a: \<phi>"} \\
+ @{command "def"}~@{text "a: x \<equiv> t"} & @{text "\<approx>"} &
+ @{command "fix"}~@{text x}~@{command "assume"}~@{text "a: x \<equiv> t"} \\
+ @{command "obtain"}~@{text "x \<WHERE> a: \<phi>"} & @{text "\<approx>"} &
+ @{text "\<dots>"}~@{command "fix"}~@{text x}~@{command "assume"}~@{text "a: \<phi>"} \\
+ @{command "case"}~@{text c} & @{text "\<approx>"} &
+ @{command "fix"}~@{text x}~@{command "assume"}~@{text "c: \<phi>"} \\
+ @{command "sorry"} & @{text "\<approx>"} &
+ @{command "by"}~@{text cheating} \\
+ \end{tabular}
+*}
+
+
+subsection {* Diagnostic commands *}
+
+text {*
+ \begin{tabular}{ll}
+ @{command "pr"} & print current state \\
+ @{command "thm"}~@{text a} & print fact \\
+ @{command "prop"}~@{text \<phi>} & print proposition \\
+ @{command "term"}~@{text t} & print term \\
+ @{command "typ"}~@{text \<tau>} & print type \\
+ \end{tabular}
+*}
+
+
+section {* Proof methods *}
+
+text {*
+ \begin{tabular}{ll}
+ \multicolumn{2}{l}{\textbf{Single steps (forward-chaining facts)}} \\[0.5ex]
+ @{method assumption} & apply some assumption \\
+ @{method this} & apply current facts \\
+ @{method rule}~@{text a} & apply some rule \\
+ @{method rule} & apply standard rule (default for @{command "proof"}) \\
+ @{method contradiction} & apply @{text "\<not>"} elimination rule (any order) \\
+ @{method cases}~@{text t} & case analysis (provides cases) \\
+ @{method induct}~@{text x} & proof by induction (provides cases) \\[2ex]
+
+ \multicolumn{2}{l}{\textbf{Repeated steps (inserting facts)}} \\[0.5ex]
+ @{method "-"} & no rules \\
+ @{method intro}~@{text a} & introduction rules \\
+ @{method intro_classes} & class introduction rules \\
+ @{method elim}~@{text a} & elimination rules \\
+ @{method unfold}~@{text a} & definitional rewrite rules \\[2ex]
+
+ \multicolumn{2}{l}{\textbf{Automated proof tools (inserting facts)}} \\[0.5ex]
+ @{method iprover} & intuitionistic proof search \\
+ @{method blast}, @{method fast} & Classical Reasoner \\
+ @{method simp}, @{method simp_all} & Simplifier (+ Splitter) \\
+ @{method auto}, @{method force} & Simplifier + Classical Reasoner \\
+ @{method arith} & Arithmetic procedures \\
+ \end{tabular}
+*}
+
+
+section {* Attributes *}
+
+text {*
+ \begin{tabular}{ll}
+ \multicolumn{2}{l}{\textbf{Rules}} \\[0.5ex]
+ @{attribute OF}~@{text a} & rule resolved with facts (skipping ``@{text _}'') \\
+ @{attribute of}~@{text t} & rule instantiated with terms (skipping ``@{text _}'') \\
+ @{attribute "where"}~@{text "x = t"} & rule instantiated with terms, by variable name \\
+ @{attribute symmetric} & resolution with symmetry rule \\
+ @{attribute THEN}~@{text b} & resolution with another rule \\
+ @{attribute rule_format} & result put into standard rule format \\
+ @{attribute elim_format} & destruct rule turned into elimination rule format \\[1ex]
+
+ \multicolumn{2}{l}{\textbf{Declarations}} \\[0.5ex]
+ @{attribute simp} & Simplifier rule \\
+ @{attribute intro}, @{attribute elim}, @{attribute dest} & Pure or Classical Reasoner rule \\
+ @{attribute iff} & Simplifier + Classical Reasoner rule \\
+ @{attribute split} & case split rule \\
+ @{attribute trans} & transitivity rule \\
+ @{attribute sym} & symmetry rule \\
+ \end{tabular}
+*}
+
+
+section {* Rule declarations and methods *}
+
+text {*
+ \begin{tabular}{l|lllll}
+ & @{method rule} & @{method iprover} & @{method blast} & @{method simp} & @{method auto} \\
+ & & & @{method fast} & @{method simp_all} & @{method force} \\
+ \hline
+ @{attribute Pure.elim}@{text "!"} @{attribute Pure.intro}@{text "!"}
+ & @{text "\<times>"} & @{text "\<times>"} \\
+ @{attribute Pure.elim} @{attribute Pure.intro}
+ & @{text "\<times>"} & @{text "\<times>"} \\
+ @{attribute elim}@{text "!"} @{attribute intro}@{text "!"}
+ & @{text "\<times>"} & & @{text "\<times>"} & & @{text "\<times>"} \\
+ @{attribute elim} @{attribute intro}
+ & @{text "\<times>"} & & @{text "\<times>"} & & @{text "\<times>"} \\
+ @{attribute iff}
+ & @{text "\<times>"} & & @{text "\<times>"} & @{text "\<times>"} & @{text "\<times>"} \\
+ @{attribute iff}@{text "?"}
+ & @{text "\<times>"} \\
+ @{attribute elim}@{text "?"} @{attribute intro}@{text "?"}
+ & @{text "\<times>"} \\
+ @{attribute simp}
+ & & & & @{text "\<times>"} & @{text "\<times>"} \\
+ @{attribute cong}
+ & & & & @{text "\<times>"} & @{text "\<times>"} \\
+ @{attribute split}
+ & & & & @{text "\<times>"} & @{text "\<times>"} \\
+ \end{tabular}
+*}
+
+
+section {* Emulating tactic scripts *}
+
+subsection {* Commands *}
+
+text {*
+ \begin{tabular}{ll}
+ @{command "apply"}~@{text m} & apply proof method at initial position \\
+ @{command "apply_end"}~@{text m} & apply proof method near terminal position \\
+ @{command "done"} & complete proof \\
+ @{command "defer"}~@{text n} & move subgoal to end \\
+ @{command "prefer"}~@{text n} & move subgoal to beginning \\
+ @{command "back"} & backtrack last command \\
+ \end{tabular}
+*}
+
+
+subsection {* Methods *}
+
+text {*
+ \begin{tabular}{ll}
+ @{method rule_tac}~@{text insts} & resolution (with instantiation) \\
+ @{method erule_tac}~@{text insts} & elim-resolution (with instantiation) \\
+ @{method drule_tac}~@{text insts} & destruct-resolution (with instantiation) \\
+ @{method frule_tac}~@{text insts} & forward-resolution (with instantiation) \\
+ @{method cut_tac}~@{text insts} & insert facts (with instantiation) \\
+ @{method thin_tac}~@{text \<phi>} & delete assumptions \\
+ @{method subgoal_tac}~@{text \<phi>} & new claims \\
+ @{method rename_tac}~@{text x} & rename innermost goal parameters \\
+ @{method rotate_tac}~@{text n} & rotate assumptions of goal \\
+ @{method tactic}~@{text "text"} & arbitrary ML tactic \\
+ @{method case_tac}~@{text t} & exhaustion (datatypes) \\
+ @{method induct_tac}~@{text x} & induction (datatypes) \\
+ @{method ind_cases}~@{text t} & exhaustion + simplification (inductive predicates) \\
+ \end{tabular}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Spec.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1337 @@
+theory Spec
+imports Base Main
+begin
+
+chapter {* Specifications *}
+
+text {*
+ The Isabelle/Isar theory format integrates specifications and
+ proofs, supporting interactive development with unlimited undo
+ operation. There is an integrated document preparation system (see
+ \chref{ch:document-prep}), for typesetting formal developments
+ together with informal text. The resulting hyper-linked PDF
+ documents can be used both for WWW presentation and printed copies.
+
+ The Isar proof language (see \chref{ch:proofs}) is embedded into the
+ theory language as a proper sub-language. Proof mode is entered by
+ stating some @{command theorem} or @{command lemma} at the theory
+ level, and left again with the final conclusion (e.g.\ via @{command
+ qed}). Some theory specification mechanisms also require a proof,
+ such as @{command typedef} in HOL, which demands non-emptiness of
+ the representing sets.
+*}
+
+
+section {* Defining theories \label{sec:begin-thy} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "theory"} & : & @{text "toplevel \<rightarrow> theory"} \\
+ @{command_def (global) "end"} & : & @{text "theory \<rightarrow> toplevel"} \\
+ \end{matharray}
+
+ Isabelle/Isar theories are defined via theory files, which may
+ contain both specifications and proofs; occasionally definitional
+ mechanisms also require some explicit proof. The theory body may be
+ sub-structured by means of \emph{local theory targets}, such as
+ @{command "locale"} and @{command "class"}.
+
+ The first proper command of a theory is @{command "theory"}, which
+ indicates imports of previous theories and optional dependencies on
+ other source files (usually in ML). Just preceding the initial
+ @{command "theory"} command there may be an optional @{command
+ "header"} declaration, which is only relevant to document
+ preparation: see also the other section markup commands in
+ \secref{sec:markup}.
+
+ A theory is concluded by a final @{command (global) "end"} command,
+ one that does not belong to a local theory target. No further
+ commands may follow such a global @{command (global) "end"},
+ although some user-interfaces might pretend that trailing input is
+ admissible.
+
+ @{rail "
+ @@{command theory} @{syntax name} imports \\ keywords? uses? @'begin'
+ ;
+ imports: @'imports' (@{syntax name} +)
+ ;
+ keywords: @'keywords' ((@{syntax string} +) ('::' @{syntax name} @{syntax tags})? + @'and')
+ ;
+ uses: @'uses' ((@{syntax name} | @{syntax parname}) +)
+ "}
+
+ \begin{description}
+
+ \item @{command "theory"}~@{text "A \<IMPORTS> B\<^sub>1 \<dots> B\<^sub>n \<BEGIN>"}
+ starts a new theory @{text A} based on the merge of existing
+ theories @{text "B\<^sub>1 \<dots> B\<^sub>n"}. Due to the possibility to import more
+ than one ancestor, the resulting theory structure of an Isabelle
+ session forms a directed acyclic graph (DAG). Isabelle takes care
+ that sources contributing to the development graph are always
+ up-to-date: changed files are automatically rechecked whenever a
+ theory header specification is processed.
+
+ The optional @{keyword_def "keywords"} specification declares outer
+ syntax (\chref{ch:outer-syntax}) that is introduced in this theory
+ later on (rare in end-user applications). Both minor keywords and
+ major keywords of the Isar command language need to be specified, in
+ order to make parsing of proof documents work properly. Command
+ keywords need to be classified according to their structural role in
+ the formal text. Examples may be seen in Isabelle/HOL sources
+ itself, such as @{keyword "keywords"}~@{verbatim "\"typedef\""}
+ @{text ":: thy_goal"} or @{keyword "keywords"}~@{verbatim
+ "\"datatype\""} @{text ":: thy_decl"} for theory-level declarations
+ with and without proof, respectively. Additional @{syntax tags}
+ provide defaults for document preparation (\secref{sec:tags}).
+
+ The optional @{keyword_def "uses"} specification declares additional
+ dependencies on external files (notably ML sources). Files will be
+ loaded immediately (as ML), unless the name is parenthesized. The
+ latter case records a dependency that needs to be resolved later in
+ the text, usually via explicit @{command_ref "use"} for ML files;
+ other file formats require specific load commands defined by the
+ corresponding tools or packages.
+
+ \item @{command (global) "end"} concludes the current theory
+ definition. Note that some other commands, e.g.\ local theory
+ targets @{command locale} or @{command class} may involve a
+ @{keyword "begin"} that needs to be matched by @{command (local)
+ "end"}, according to the usual rules for nested blocks.
+
+ \end{description}
+*}
+
+
+section {* Local theory targets \label{sec:target} *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "context"} & : & @{text "theory \<rightarrow> local_theory"} \\
+ @{command_def (local) "end"} & : & @{text "local_theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ A local theory target is a context managed separately within the
+ enclosing theory. Contexts may introduce parameters (fixed
+ variables) and assumptions (hypotheses). Definitions and theorems
+ depending on the context may be added incrementally later on.
+
+ \emph{Named contexts} refer to locales (cf.\ \secref{sec:locale}) or
+ type classes (cf.\ \secref{sec:class}); the name ``@{text "-"}''
+ signifies the global theory context.
+
+ \emph{Unnamed contexts} may introduce additional parameters and
+ assumptions, and results produced in the context are generalized
+ accordingly. Such auxiliary contexts may be nested within other
+ targets, like @{command "locale"}, @{command "class"}, @{command
+ "instantiation"}, @{command "overloading"}.
+
+ @{rail "
+ @@{command context} @{syntax nameref} @'begin'
+ ;
+ @@{command context} @{syntax_ref \"includes\"}? (@{syntax context_elem} * ) @'begin'
+ ;
+ @{syntax_def target}: '(' @'in' @{syntax nameref} ')'
+ "}
+
+ \begin{description}
+
+ \item @{command "context"}~@{text "c \<BEGIN>"} opens a named
+ context, by recommencing an existing locale or class @{text c}.
+ Note that locale and class definitions allow to include the
+ @{keyword "begin"} keyword as well, in order to continue the local
+ theory immediately after the initial specification.
+
+ \item @{command "context"}~@{text "bundles elements \<BEGIN>"} opens
+ an unnamed context, by extending the enclosing global or local
+ theory target by the given declaration bundles (\secref{sec:bundle})
+ and context elements (@{text "\<FIXES>"}, @{text "\<ASSUMES>"}
+ etc.). This means any results stemming from definitions and proofs
+ in the extended context will be exported into the enclosing target
+ by lifting over extra parameters and premises.
+
+ \item @{command (local) "end"} concludes the current local theory,
+ according to the nesting of contexts. Note that a global @{command
+ (global) "end"} has a different meaning: it concludes the theory
+ itself (\secref{sec:begin-thy}).
+
+ \item @{text "("}@{keyword_def "in"}~@{text "c)"} given after any
+ local theory command specifies an immediate target, e.g.\
+ ``@{command "definition"}~@{text "(\<IN> c) \<dots>"}'' or ``@{command
+ "theorem"}~@{text "(\<IN> c) \<dots>"}''. This works both in a local or
+ global theory context; the current target context will be suspended
+ for this command only. Note that ``@{text "(\<IN> -)"}'' will
+ always produce a global result independently of the current target
+ context.
+
+ \end{description}
+
+ The exact meaning of results produced within a local theory context
+ depends on the underlying target infrastructure (locale, type class
+ etc.). The general idea is as follows, considering a context named
+ @{text c} with parameter @{text x} and assumption @{text "A[x]"}.
+
+ Definitions are exported by introducing a global version with
+ additional arguments; a syntactic abbreviation links the long form
+ with the abstract version of the target context. For example,
+ @{text "a \<equiv> t[x]"} becomes @{text "c.a ?x \<equiv> t[?x]"} at the theory
+ level (for arbitrary @{text "?x"}), together with a local
+ abbreviation @{text "c \<equiv> c.a x"} in the target context (for the
+ fixed parameter @{text x}).
+
+ Theorems are exported by discharging the assumptions and
+ generalizing the parameters of the context. For example, @{text "a:
+ B[x]"} becomes @{text "c.a: A[?x] \<Longrightarrow> B[?x]"}, again for arbitrary
+ @{text "?x"}.
+
+ \medskip The Isabelle/HOL library contains numerous applications of
+ locales and classes, e.g.\ see @{file "~~/src/HOL/Algebra"}. An
+ example for an unnamed auxiliary contexts is given in @{file
+ "~~/src/HOL/Isar_Examples/Group_Context.thy"}. *}
+
+
+section {* Bundled declarations \label{sec:bundle} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "bundle"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "print_bundles"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow> "} \\
+ @{command_def "include"} & : & @{text "proof(state) \<rightarrow> proof(state)"} \\
+ @{command_def "including"} & : & @{text "proof(prove) \<rightarrow> proof(prove)"} \\
+ @{keyword_def "includes"} & : & syntax \\
+ \end{matharray}
+
+ The outer syntax of fact expressions (\secref{sec:syn-att}) involves
+ theorems and attributes, which are evaluated in the context and
+ applied to it. Attributes may declare theorems to the context, as
+ in @{text "this_rule [intro] that_rule [elim]"} for example.
+ Configuration options (\secref{sec:config}) are special declaration
+ attributes that operate on the context without a theorem, as in
+ @{text "[[show_types = false]]"} for example.
+
+ Expressions of this form may be defined as \emph{bundled
+ declarations} in the context, and included in other situations later
+ on. Including declaration bundles augments a local context casually
+ without logical dependencies, which is in contrast to locales and
+ locale interpretation (\secref{sec:locale}).
+
+ @{rail "
+ @@{command bundle} @{syntax target}? \\
+ @{syntax name} '=' @{syntax thmrefs} (@'for' (@{syntax vars} + @'and'))?
+ ;
+ (@@{command include} | @@{command including}) (@{syntax nameref}+)
+ ;
+ @{syntax_def \"includes\"}: @'includes' (@{syntax nameref}+)
+ "}
+
+ \begin{description}
+
+ \item @{command bundle}~@{text "b = decls"} defines a bundle of
+ declarations in the current context. The RHS is similar to the one
+ of the @{command declare} command. Bundles defined in local theory
+ targets are subject to transformations via morphisms, when moved
+ into different application contexts; this works analogously to any
+ other local theory specification.
+
+ \item @{command print_bundles} prints the named bundles that are
+ available in the current context.
+
+ \item @{command include}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} includes the declarations
+ from the given bundles into the current proof body context. This is
+ analogous to @{command "note"} (\secref{sec:proof-facts}) with the
+ expanded bundles.
+
+ \item @{command including} is similar to @{command include}, but
+ works in proof refinement (backward mode). This is analogous to
+ @{command "using"} (\secref{sec:proof-facts}) with the expanded
+ bundles.
+
+ \item @{keyword "includes"}~@{text "b\<^sub>1 \<dots> b\<^sub>n"} is similar to
+ @{command include}, but works in situations where a specification
+ context is constructed, notably for @{command context} and long
+ statements of @{command theorem} etc.
+
+ \end{description}
+
+ Here is an artificial example of bundling various configuration
+ options: *}
+
+bundle trace = [[simp_trace, blast_trace, linarith_trace, metis_trace, smt_trace]]
+
+lemma "x = x"
+ including trace by metis
+
+
+section {* Basic specification elements *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "axiomatization"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
+ @{command_def "definition"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{attribute_def "defn"} & : & @{text attribute} \\
+ @{command_def "abbreviation"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "print_abbrevs"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow> "} \\
+ \end{matharray}
+
+ These specification mechanisms provide a slightly more abstract view
+ than the underlying primitives of @{command "consts"}, @{command
+ "defs"} (see \secref{sec:consts}), and @{command "axioms"} (see
+ \secref{sec:axms-thms}). In particular, type-inference is commonly
+ available, and result names need not be given.
+
+ @{rail "
+ @@{command axiomatization} @{syntax \"fixes\"}? (@'where' specs)?
+ ;
+ @@{command definition} @{syntax target}? \\
+ (decl @'where')? @{syntax thmdecl}? @{syntax prop}
+ ;
+ @@{command abbreviation} @{syntax target}? @{syntax mode}? \\
+ (decl @'where')? @{syntax prop}
+ ;
+
+ @{syntax_def \"fixes\"}: ((@{syntax name} ('::' @{syntax type})?
+ @{syntax mixfix}? | @{syntax vars}) + @'and')
+ ;
+ specs: (@{syntax thmdecl}? @{syntax props} + @'and')
+ ;
+ decl: @{syntax name} ('::' @{syntax type})? @{syntax mixfix}?
+ "}
+
+ \begin{description}
+
+ \item @{command "axiomatization"}~@{text "c\<^sub>1 \<dots> c\<^sub>m \<WHERE> \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}
+ introduces several constants simultaneously and states axiomatic
+ properties for these. The constants are marked as being specified
+ once and for all, which prevents additional specifications being
+ issued later on.
+
+ Note that axiomatic specifications are only appropriate when
+ declaring a new logical system; axiomatic specifications are
+ restricted to global theory contexts. Normal applications should
+ only use definitional mechanisms!
+
+ \item @{command "definition"}~@{text "c \<WHERE> eq"} produces an
+ internal definition @{text "c \<equiv> t"} according to the specification
+ given as @{text eq}, which is then turned into a proven fact. The
+ given proposition may deviate from internal meta-level equality
+ according to the rewrite rules declared as @{attribute defn} by the
+ object-logic. This usually covers object-level equality @{text "x =
+ y"} and equivalence @{text "A \<leftrightarrow> B"}. End-users normally need not
+ change the @{attribute defn} setup.
+
+ Definitions may be presented with explicit arguments on the LHS, as
+ well as additional conditions, e.g.\ @{text "f x y = t"} instead of
+ @{text "f \<equiv> \<lambda>x y. t"} and @{text "y \<noteq> 0 \<Longrightarrow> g x y = u"} instead of an
+ unrestricted @{text "g \<equiv> \<lambda>x y. u"}.
+
+ \item @{command "abbreviation"}~@{text "c \<WHERE> eq"} introduces a
+ syntactic constant which is associated with a certain term according
+ to the meta-level equality @{text eq}.
+
+ Abbreviations participate in the usual type-inference process, but
+ are expanded before the logic ever sees them. Pretty printing of
+ terms involves higher-order rewriting with rules stemming from
+ reverted abbreviations. This needs some care to avoid overlapping
+ or looping syntactic replacements!
+
+ The optional @{text mode} specification restricts output to a
+ particular print mode; using ``@{text input}'' here achieves the
+ effect of one-way abbreviations. The mode may also include an
+ ``@{keyword "output"}'' qualifier that affects the concrete syntax
+ declared for abbreviations, cf.\ @{command "syntax"} in
+ \secref{sec:syn-trans}.
+
+ \item @{command "print_abbrevs"} prints all constant abbreviations
+ of the current context.
+
+ \end{description}
+*}
+
+
+section {* Generic declarations *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "declaration"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "syntax_declaration"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "declare"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ \end{matharray}
+
+ Arbitrary operations on the background context may be wrapped-up as
+ generic declaration elements. Since the underlying concept of local
+ theories may be subject to later re-interpretation, there is an
+ additional dependency on a morphism that tells the difference of the
+ original declaration context wrt.\ the application context
+ encountered later on. A fact declaration is an important special
+ case: it consists of a theorem which is applied to the context by
+ means of an attribute.
+
+ @{rail "
+ (@@{command declaration} | @@{command syntax_declaration})
+ ('(' @'pervasive' ')')? \\ @{syntax target}? @{syntax text}
+ ;
+ @@{command declare} @{syntax target}? (@{syntax thmrefs} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "declaration"}~@{text d} adds the declaration
+ function @{text d} of ML type @{ML_type declaration}, to the current
+ local theory under construction. In later application contexts, the
+ function is transformed according to the morphisms being involved in
+ the interpretation hierarchy.
+
+ If the @{text "(pervasive)"} option is given, the corresponding
+ declaration is applied to all possible contexts involved, including
+ the global background theory.
+
+ \item @{command "syntax_declaration"} is similar to @{command
+ "declaration"}, but is meant to affect only ``syntactic'' tools by
+ convention (such as notation and type-checking information).
+
+ \item @{command "declare"}~@{text thms} declares theorems to the
+ current local theory context. No theorem binding is involved here,
+ unlike @{command "theorems"} or @{command "lemmas"} (cf.\
+ \secref{sec:axms-thms}), so @{command "declare"} only has the effect
+ of applying attributes as included in the theorem specification.
+
+ \end{description}
+*}
+
+
+section {* Locales \label{sec:locale} *}
+
+text {*
+ Locales are parametric named local contexts, consisting of a list of
+ declaration elements that are modeled after the Isar proof context
+ commands (cf.\ \secref{sec:proof-context}).
+*}
+
+
+subsection {* Locale expressions \label{sec:locale-expr} *}
+
+text {*
+ A \emph{locale expression} denotes a structured context composed of
+ instances of existing locales. The context consists of a list of
+ instances of declaration elements from the locales. Two locale
+ instances are equal if they are of the same locale and the
+ parameters are instantiated with equivalent terms. Declaration
+ elements from equal instances are never repeated, thus avoiding
+ duplicate declarations. More precisely, declarations from instances
+ that are subsumed by earlier instances are omitted.
+
+ @{rail "
+ @{syntax_def locale_expr}: (instance + '+') (@'for' (@{syntax \"fixes\"} + @'and'))?
+ ;
+ instance: (qualifier ':')? @{syntax nameref} (pos_insts | named_insts)
+ ;
+ qualifier: @{syntax name} ('?' | '!')?
+ ;
+ pos_insts: ('_' | @{syntax term})*
+ ;
+ named_insts: @'where' (@{syntax name} '=' @{syntax term} + @'and')
+ "}
+
+ A locale instance consists of a reference to a locale and either
+ positional or named parameter instantiations. Identical
+ instantiations (that is, those that instante a parameter by itself)
+ may be omitted. The notation `@{text "_"}' enables to omit the
+ instantiation for a parameter inside a positional instantiation.
+
+ Terms in instantiations are from the context the locale expressions
+ is declared in. Local names may be added to this context with the
+ optional @{keyword "for"} clause. This is useful for shadowing names
+ bound in outer contexts, and for declaring syntax. In addition,
+ syntax declarations from one instance are effective when parsing
+ subsequent instances of the same expression.
+
+ Instances have an optional qualifier which applies to names in
+ declarations. Names include local definitions and theorem names.
+ If present, the qualifier itself is either optional
+ (``\texttt{?}''), which means that it may be omitted on input of the
+ qualified name, or mandatory (``\texttt{!}''). If neither
+ ``\texttt{?}'' nor ``\texttt{!}'' are present, the command's default
+ is used. For @{command "interpretation"} and @{command "interpret"}
+ the default is ``mandatory'', for @{command "locale"} and @{command
+ "sublocale"} the default is ``optional''.
+*}
+
+
+subsection {* Locale declarations *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "locale"} & : & @{text "theory \<rightarrow> local_theory"} \\
+ @{command_def "print_locale"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_locales"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{method_def intro_locales} & : & @{text method} \\
+ @{method_def unfold_locales} & : & @{text method} \\
+ \end{matharray}
+
+ \indexisarelem{fixes}\indexisarelem{constrains}\indexisarelem{assumes}
+ \indexisarelem{defines}\indexisarelem{notes}
+ @{rail "
+ @@{command locale} @{syntax name} ('=' @{syntax locale})? @'begin'?
+ ;
+ @@{command print_locale} '!'? @{syntax nameref}
+ ;
+ @{syntax_def locale}: @{syntax context_elem}+ |
+ @{syntax locale_expr} ('+' (@{syntax context_elem}+))?
+ ;
+ @{syntax_def context_elem}:
+ @'fixes' (@{syntax \"fixes\"} + @'and') |
+ @'constrains' (@{syntax name} '::' @{syntax type} + @'and') |
+ @'assumes' (@{syntax props} + @'and') |
+ @'defines' (@{syntax thmdecl}? @{syntax prop} @{syntax prop_pat}? + @'and') |
+ @'notes' (@{syntax thmdef}? @{syntax thmrefs} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "locale"}~@{text "loc = import + body"} defines a
+ new locale @{text loc} as a context consisting of a certain view of
+ existing locales (@{text import}) plus some additional elements
+ (@{text body}). Both @{text import} and @{text body} are optional;
+ the degenerate form @{command "locale"}~@{text loc} defines an empty
+ locale, which may still be useful to collect declarations of facts
+ later on. Type-inference on locale expressions automatically takes
+ care of the most general typing that the combined context elements
+ may acquire.
+
+ The @{text import} consists of a structured locale expression; see
+ \secref{sec:proof-context} above. Its for clause defines the local
+ parameters of the @{text import}. In addition, locale parameters
+ whose instantance is omitted automatically extend the (possibly
+ empty) for clause: they are inserted at its beginning. This means
+ that these parameters may be referred to from within the expression
+ and also in the subsequent context elements and provides a
+ notational convenience for the inheritance of parameters in locale
+ declarations.
+
+ The @{text body} consists of context elements.
+
+ \begin{description}
+
+ \item @{element "fixes"}~@{text "x :: \<tau> (mx)"} declares a local
+ parameter of type @{text \<tau>} and mixfix annotation @{text mx} (both
+ are optional). The special syntax declaration ``@{text
+ "(\<STRUCTURE>)"}'' means that @{text x} may be referenced
+ implicitly in this context.
+
+ \item @{element "constrains"}~@{text "x :: \<tau>"} introduces a type
+ constraint @{text \<tau>} on the local parameter @{text x}. This
+ element is deprecated. The type constraint should be introduced in
+ the for clause or the relevant @{element "fixes"} element.
+
+ \item @{element "assumes"}~@{text "a: \<phi>\<^sub>1 \<dots> \<phi>\<^sub>n"}
+ introduces local premises, similar to @{command "assume"} within a
+ proof (cf.\ \secref{sec:proof-context}).
+
+ \item @{element "defines"}~@{text "a: x \<equiv> t"} defines a previously
+ declared parameter. This is similar to @{command "def"} within a
+ proof (cf.\ \secref{sec:proof-context}), but @{element "defines"}
+ takes an equational proposition instead of variable-term pair. The
+ left-hand side of the equation may have additional arguments, e.g.\
+ ``@{element "defines"}~@{text "f x\<^sub>1 \<dots> x\<^sub>n \<equiv> t"}''.
+
+ \item @{element "notes"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"}
+ reconsiders facts within a local context. Most notably, this may
+ include arbitrary declarations in any attribute specifications
+ included here, e.g.\ a local @{attribute simp} rule.
+
+ The initial @{text import} specification of a locale expression
+ maintains a dynamic relation to the locales being referenced
+ (benefiting from any later fact declarations in the obvious manner).
+
+ \end{description}
+
+ Note that ``@{text "(\<IS> p\<^sub>1 \<dots> p\<^sub>n)"}'' patterns given
+ in the syntax of @{element "assumes"} and @{element "defines"} above
+ are illegal in locale definitions. In the long goal format of
+ \secref{sec:goals}, term bindings may be included as expected,
+ though.
+
+ \medskip Locale specifications are ``closed up'' by
+ turning the given text into a predicate definition @{text
+ loc_axioms} and deriving the original assumptions as local lemmas
+ (modulo local definitions). The predicate statement covers only the
+ newly specified assumptions, omitting the content of included locale
+ expressions. The full cumulative view is only provided on export,
+ involving another predicate @{text loc} that refers to the complete
+ specification text.
+
+ In any case, the predicate arguments are those locale parameters
+ that actually occur in the respective piece of text. Also note that
+ these predicates operate at the meta-level in theory, but the locale
+ packages attempts to internalize statements according to the
+ object-logic setup (e.g.\ replacing @{text \<And>} by @{text \<forall>}, and
+ @{text "\<Longrightarrow>"} by @{text "\<longrightarrow>"} in HOL; see also
+ \secref{sec:object-logic}). Separate introduction rules @{text
+ loc_axioms.intro} and @{text loc.intro} are provided as well.
+
+ \item @{command "print_locale"}~@{text "locale"} prints the
+ contents of the named locale. The command omits @{element "notes"}
+ elements by default. Use @{command "print_locale"}@{text "!"} to
+ have them included.
+
+ \item @{command "print_locales"} prints the names of all locales
+ of the current theory.
+
+ \item @{method intro_locales} and @{method unfold_locales}
+ repeatedly expand all introduction rules of locale predicates of the
+ theory. While @{method intro_locales} only applies the @{text
+ loc.intro} introduction rules and therefore does not decend to
+ assumptions, @{method unfold_locales} is more aggressive and applies
+ @{text loc_axioms.intro} as well. Both methods are aware of locale
+ specifications entailed by the context, both from target statements,
+ and from interpretations (see below). New goals that are entailed
+ by the current context are discharged automatically.
+
+ \end{description}
+*}
+
+
+subsection {* Locale interpretation *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "interpretation"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ @{command_def "interpret"} & : & @{text "proof(state) | proof(chain) \<rightarrow> proof(prove)"} \\
+ @{command_def "sublocale"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ @{command_def "print_dependencies"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "print_interps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ \end{matharray}
+
+ Locale expressions may be instantiated, and the instantiated facts
+ added to the current context. This requires a proof of the
+ instantiated specification and is called \emph{locale
+ interpretation}. Interpretation is possible in locales (command
+ @{command "sublocale"}), theories (command @{command
+ "interpretation"}) and also within proof bodies (command @{command
+ "interpret"}).
+
+ @{rail "
+ @@{command interpretation} @{syntax locale_expr} equations?
+ ;
+ @@{command interpret} @{syntax locale_expr} equations?
+ ;
+ @@{command sublocale} @{syntax nameref} ('<' | '\<subseteq>') @{syntax locale_expr} \\
+ equations?
+ ;
+ @@{command print_dependencies} '!'? @{syntax locale_expr}
+ ;
+ @@{command print_interps} @{syntax nameref}
+ ;
+
+ equations: @'where' (@{syntax thmdecl}? @{syntax prop} + @'and')
+ "}
+
+ \begin{description}
+
+ \item @{command "interpretation"}~@{text "expr \<WHERE> eqns"}
+ interprets @{text expr} in the theory. The command generates proof
+ obligations for the instantiated specifications (assumes and defines
+ elements). Once these are discharged by the user, instantiated
+ facts are added to the theory in a post-processing phase.
+
+ Free variables in the interpreted expression are allowed. They are
+ turned into schematic variables in the generated declarations. In
+ order to use a free variable whose name is already bound in the
+ context --- for example, because a constant of that name exists ---
+ it may be added to the @{keyword "for"} clause.
+
+ Additional equations, which are unfolded during
+ post-processing, may be given after the keyword @{keyword "where"}.
+ This is useful for interpreting concepts introduced through
+ definitions. The equations must be proved.
+
+ The command is aware of interpretations already active in the
+ theory, but does not simplify the goal automatically. In order to
+ simplify the proof obligations use methods @{method intro_locales}
+ or @{method unfold_locales}. Post-processing is not applied to
+ facts of interpretations that are already active. This avoids
+ duplication of interpreted facts, in particular. Note that, in the
+ case of a locale with import, parts of the interpretation may
+ already be active. The command will only process facts for new
+ parts.
+
+ Adding facts to locales has the effect of adding interpreted facts
+ to the theory for all interpretations as well. That is,
+ interpretations dynamically participate in any facts added to
+ locales. Note that if a theory inherits additional facts for a
+ locale through one parent and an interpretation of that locale
+ through another parent, the additional facts will not be
+ interpreted.
+
+ \item @{command "interpret"}~@{text "expr \<WHERE> eqns"} interprets
+ @{text expr} in the proof context and is otherwise similar to
+ interpretation in theories. Note that rewrite rules given to
+ @{command "interpret"} after the @{keyword "where"} keyword should be
+ explicitly universally quantified.
+
+ \item @{command "sublocale"}~@{text "name \<subseteq> expr \<WHERE>
+ eqns"}
+ interprets @{text expr} in the locale @{text name}. A proof that
+ the specification of @{text name} implies the specification of
+ @{text expr} is required. As in the localized version of the
+ theorem command, the proof is in the context of @{text name}. After
+ the proof obligation has been discharged, the facts of @{text expr}
+ become part of locale @{text name} as \emph{derived} context
+ elements and are available when the context @{text name} is
+ subsequently entered. Note that, like import, this is dynamic:
+ facts added to a locale part of @{text expr} after interpretation
+ become also available in @{text name}.
+
+ Only specification fragments of @{text expr} that are not already
+ part of @{text name} (be it imported, derived or a derived fragment
+ of the import) are considered in this process. This enables
+ circular interpretations provided that no infinite chains are
+ generated in the locale hierarchy.
+
+ If interpretations of @{text name} exist in the current theory, the
+ command adds interpretations for @{text expr} as well, with the same
+ qualifier, although only for fragments of @{text expr} that are not
+ interpreted in the theory already.
+
+ Equations given after @{keyword "where"} amend the morphism through
+ which @{text expr} is interpreted. This enables to map definitions
+ from the interpreted locales to entities of @{text name}. This
+ feature is experimental.
+
+ \item @{command "print_dependencies"}~@{text "expr"} is useful for
+ understanding the effect of an interpretation of @{text "expr"}. It
+ lists all locale instances for which interpretations would be added
+ to the current context. Variant @{command
+ "print_dependencies"}@{text "!"} prints all locale instances that
+ would be considered for interpretation, and would be interpreted in
+ an empty context (that is, without interpretations).
+
+ \item @{command "print_interps"}~@{text "locale"} lists all
+ interpretations of @{text "locale"} in the current theory or proof
+ context, including those due to a combination of a @{command
+ "interpretation"} or @{command "interpret"} and one or several
+ @{command "sublocale"} declarations.
+
+ \end{description}
+
+ \begin{warn}
+ Since attributes are applied to interpreted theorems,
+ interpretation may modify the context of common proof tools, e.g.\
+ the Simplifier or Classical Reasoner. As the behavior of such
+ tools is \emph{not} stable under interpretation morphisms, manual
+ declarations might have to be added to the target context of the
+ interpretation to revert such declarations.
+ \end{warn}
+
+ \begin{warn}
+ An interpretation in a theory or proof context may subsume previous
+ interpretations. This happens if the same specification fragment
+ is interpreted twice and the instantiation of the second
+ interpretation is more general than the interpretation of the
+ first. The locale package does not attempt to remove subsumed
+ interpretations.
+ \end{warn}
+*}
+
+
+section {* Classes \label{sec:class} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "class"} & : & @{text "theory \<rightarrow> local_theory"} \\
+ @{command_def "instantiation"} & : & @{text "theory \<rightarrow> local_theory"} \\
+ @{command_def "instance"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command "instance"} & : & @{text "theory \<rightarrow> proof(prove)"} \\
+ @{command_def "subclass"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "print_classes"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{command_def "class_deps"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{method_def intro_classes} & : & @{text method} \\
+ \end{matharray}
+
+ A class is a particular locale with \emph{exactly one} type variable
+ @{text \<alpha>}. Beyond the underlying locale, a corresponding type class
+ is established which is interpreted logically as axiomatic type
+ class \cite{Wenzel:1997:TPHOL} whose logical content are the
+ assumptions of the locale. Thus, classes provide the full
+ generality of locales combined with the commodity of type classes
+ (notably type-inference). See \cite{isabelle-classes} for a short
+ tutorial.
+
+ @{rail "
+ @@{command class} class_spec @'begin'?
+ ;
+ class_spec: @{syntax name} '='
+ ((@{syntax nameref} '+' (@{syntax context_elem}+)) |
+ @{syntax nameref} | (@{syntax context_elem}+))
+ ;
+ @@{command instantiation} (@{syntax nameref} + @'and') '::' @{syntax arity} @'begin'
+ ;
+ @@{command instance} (() | (@{syntax nameref} + @'and') '::' @{syntax arity} |
+ @{syntax nameref} ('<' | '\<subseteq>') @{syntax nameref} )
+ ;
+ @@{command subclass} @{syntax target}? @{syntax nameref}
+ "}
+
+ \begin{description}
+
+ \item @{command "class"}~@{text "c = superclasses + body"} defines
+ a new class @{text c}, inheriting from @{text superclasses}. This
+ introduces a locale @{text c} with import of all locales @{text
+ superclasses}.
+
+ Any @{element "fixes"} in @{text body} are lifted to the global
+ theory level (\emph{class operations} @{text "f\<^sub>1, \<dots>,
+ f\<^sub>n"} of class @{text c}), mapping the local type parameter
+ @{text \<alpha>} to a schematic type variable @{text "?\<alpha> :: c"}.
+
+ Likewise, @{element "assumes"} in @{text body} are also lifted,
+ mapping each local parameter @{text "f :: \<tau>[\<alpha>]"} to its
+ corresponding global constant @{text "f :: \<tau>[?\<alpha> :: c]"}. The
+ corresponding introduction rule is provided as @{text
+ c_class_axioms.intro}. This rule should be rarely needed directly
+ --- the @{method intro_classes} method takes care of the details of
+ class membership proofs.
+
+ \item @{command "instantiation"}~@{text "t :: (s\<^sub>1, \<dots>, s\<^sub>n)s
+ \<BEGIN>"} opens a theory target (cf.\ \secref{sec:target}) which
+ allows to specify class operations @{text "f\<^sub>1, \<dots>, f\<^sub>n"} corresponding
+ to sort @{text s} at the particular type instance @{text "(\<alpha>\<^sub>1 :: s\<^sub>1,
+ \<dots>, \<alpha>\<^sub>n :: s\<^sub>n) t"}. A plain @{command "instance"} command in the
+ target body poses a goal stating these type arities. The target is
+ concluded by an @{command_ref (local) "end"} command.
+
+ Note that a list of simultaneous type constructors may be given;
+ this corresponds nicely to mutually recursive type definitions, e.g.\
+ in Isabelle/HOL.
+
+ \item @{command "instance"} in an instantiation target body sets
+ up a goal stating the type arities claimed at the opening @{command
+ "instantiation"}. The proof would usually proceed by @{method
+ intro_classes}, and then establish the characteristic theorems of
+ the type classes involved. After finishing the proof, the
+ background theory will be augmented by the proven type arities.
+
+ On the theory level, @{command "instance"}~@{text "t :: (s\<^sub>1, \<dots>,
+ s\<^sub>n)s"} provides a convenient way to instantiate a type class with no
+ need to specify operations: one can continue with the
+ instantiation proof immediately.
+
+ \item @{command "subclass"}~@{text c} in a class context for class
+ @{text d} sets up a goal stating that class @{text c} is logically
+ contained in class @{text d}. After finishing the proof, class
+ @{text d} is proven to be subclass @{text c} and the locale @{text
+ c} is interpreted into @{text d} simultaneously.
+
+ A weakend form of this is available through a further variant of
+ @{command instance}: @{command instance}~@{text "c\<^sub>1 \<subseteq> c\<^sub>2"} opens
+ a proof that class @{text "c\<^isub>2"} implies @{text "c\<^isub>1"} without reference
+ to the underlying locales; this is useful if the properties to prove
+ the logical connection are not sufficent on the locale level but on
+ the theory level.
+
+ \item @{command "print_classes"} prints all classes in the current
+ theory.
+
+ \item @{command "class_deps"} visualizes all classes and their
+ subclass relations as a Hasse diagram.
+
+ \item @{method intro_classes} repeatedly expands all class
+ introduction rules of this theory. Note that this method usually
+ needs not be named explicitly, as it is already included in the
+ default proof step (e.g.\ of @{command "proof"}). In particular,
+ instantiation of trivial (syntactic) classes may be performed by a
+ single ``@{command ".."}'' proof step.
+
+ \end{description}
+*}
+
+
+subsection {* The class target *}
+
+text {*
+ %FIXME check
+
+ A named context may refer to a locale (cf.\ \secref{sec:target}).
+ If this locale is also a class @{text c}, apart from the common
+ locale target behaviour the following happens.
+
+ \begin{itemize}
+
+ \item Local constant declarations @{text "g[\<alpha>]"} referring to the
+ local type parameter @{text \<alpha>} and local parameters @{text "f[\<alpha>]"}
+ are accompanied by theory-level constants @{text "g[?\<alpha> :: c]"}
+ referring to theory-level class operations @{text "f[?\<alpha> :: c]"}.
+
+ \item Local theorem bindings are lifted as are assumptions.
+
+ \item Local syntax refers to local operations @{text "g[\<alpha>]"} and
+ global operations @{text "g[?\<alpha> :: c]"} uniformly. Type inference
+ resolves ambiguities. In rare cases, manual type annotations are
+ needed.
+
+ \end{itemize}
+*}
+
+
+subsection {* Co-regularity of type classes and arities *}
+
+text {* The class relation together with the collection of
+ type-constructor arities must obey the principle of
+ \emph{co-regularity} as defined below.
+
+ \medskip For the subsequent formulation of co-regularity we assume
+ that the class relation is closed by transitivity and reflexivity.
+ Moreover the collection of arities @{text "t :: (\<^vec>s)c"} is
+ completed such that @{text "t :: (\<^vec>s)c"} and @{text "c \<subseteq> c'"}
+ implies @{text "t :: (\<^vec>s)c'"} for all such declarations.
+
+ Treating sorts as finite sets of classes (meaning the intersection),
+ the class relation @{text "c\<^sub>1 \<subseteq> c\<^sub>2"} is extended to sorts as
+ follows:
+ \[
+ @{text "s\<^sub>1 \<subseteq> s\<^sub>2 \<equiv> \<forall>c\<^sub>2 \<in> s\<^sub>2. \<exists>c\<^sub>1 \<in> s\<^sub>1. c\<^sub>1 \<subseteq> c\<^sub>2"}
+ \]
+
+ This relation on sorts is further extended to tuples of sorts (of
+ the same length) in the component-wise way.
+
+ \smallskip Co-regularity of the class relation together with the
+ arities relation means:
+ \[
+ @{text "t :: (\<^vec>s\<^sub>1)c\<^sub>1 \<Longrightarrow> t :: (\<^vec>s\<^sub>2)c\<^sub>2 \<Longrightarrow> c\<^sub>1 \<subseteq> c\<^sub>2 \<Longrightarrow> \<^vec>s\<^sub>1 \<subseteq> \<^vec>s\<^sub>2"}
+ \]
+ \noindent for all such arities. In other words, whenever the result
+ classes of some type-constructor arities are related, then the
+ argument sorts need to be related in the same way.
+
+ \medskip Co-regularity is a very fundamental property of the
+ order-sorted algebra of types. For example, it entails principle
+ types and most general unifiers, e.g.\ see \cite{nipkow-prehofer}.
+*}
+
+
+section {* Unrestricted overloading *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "overloading"} & : & @{text "theory \<rightarrow> local_theory"} \\
+ \end{matharray}
+
+ Isabelle/Pure's definitional schemes support certain forms of
+ overloading (see \secref{sec:consts}). Overloading means that a
+ constant being declared as @{text "c :: \<alpha> decl"} may be
+ defined separately on type instances
+ @{text "c :: (\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n) t decl"}
+ for each type constructor @{text t}. At most occassions
+ overloading will be used in a Haskell-like fashion together with
+ type classes by means of @{command "instantiation"} (see
+ \secref{sec:class}). Sometimes low-level overloading is desirable.
+ The @{command "overloading"} target provides a convenient view for
+ end-users.
+
+ @{rail "
+ @@{command overloading} ( spec + ) @'begin'
+ ;
+ spec: @{syntax name} ( '==' | '\<equiv>' ) @{syntax term} ( '(' @'unchecked' ')' )?
+ "}
+
+ \begin{description}
+
+ \item @{command "overloading"}~@{text "x\<^sub>1 \<equiv> c\<^sub>1 :: \<tau>\<^sub>1 \<AND> \<dots> x\<^sub>n \<equiv> c\<^sub>n :: \<tau>\<^sub>n \<BEGIN>"}
+ opens a theory target (cf.\ \secref{sec:target}) which allows to
+ specify constants with overloaded definitions. These are identified
+ by an explicitly given mapping from variable names @{text "x\<^sub>i"} to
+ constants @{text "c\<^sub>i"} at particular type instances. The
+ definitions themselves are established using common specification
+ tools, using the names @{text "x\<^sub>i"} as reference to the
+ corresponding constants. The target is concluded by @{command
+ (local) "end"}.
+
+ A @{text "(unchecked)"} option disables global dependency checks for
+ the corresponding definition, which is occasionally useful for
+ exotic overloading (see \secref{sec:consts} for a precise description).
+ It is at the discretion of the user to avoid
+ malformed theory specifications!
+
+ \end{description}
+*}
+
+
+section {* Incorporating ML code \label{sec:ML} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "ML_file"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "ML"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "ML_prf"} & : & @{text "proof \<rightarrow> proof"} \\
+ @{command_def "ML_val"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "ML_command"} & : & @{text "any \<rightarrow>"} \\
+ @{command_def "setup"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "local_setup"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "attribute_setup"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command ML_file} @{syntax name}
+ ;
+ (@@{command ML} | @@{command ML_prf} | @@{command ML_val} |
+ @@{command ML_command} | @@{command setup} | @@{command local_setup}) @{syntax text}
+ ;
+ @@{command attribute_setup} @{syntax name} '=' @{syntax text} @{syntax text}?
+ "}
+
+ \begin{description}
+
+ \item @{command "ML_file"}~@{text "name"} reads and evaluates the
+ given ML file. The current theory context is passed down to the ML
+ toplevel and may be modified, using @{ML "Context.>>"} or derived ML
+ commands. Top-level ML bindings are stored within the (global or
+ local) theory context.
+
+ \item @{command "ML"}~@{text "text"} is similar to @{command
+ "ML_file"}, but evaluates directly the given @{text "text"}.
+ Top-level ML bindings are stored within the (global or local) theory
+ context.
+
+ \item @{command "ML_prf"} is analogous to @{command "ML"} but works
+ within a proof context. Top-level ML bindings are stored within the
+ proof context in a purely sequential fashion, disregarding the
+ nested proof structure. ML bindings introduced by @{command
+ "ML_prf"} are discarded at the end of the proof.
+
+ \item @{command "ML_val"} and @{command "ML_command"} are diagnostic
+ versions of @{command "ML"}, which means that the context may not be
+ updated. @{command "ML_val"} echos the bindings produced at the ML
+ toplevel, but @{command "ML_command"} is silent.
+
+ \item @{command "setup"}~@{text "text"} changes the current theory
+ context by applying @{text "text"}, which refers to an ML expression
+ of type @{ML_type "theory -> theory"}. This enables to initialize
+ any object-logic specific tools and packages written in ML, for
+ example.
+
+ \item @{command "local_setup"} is similar to @{command "setup"} for
+ a local theory context, and an ML expression of type @{ML_type
+ "local_theory -> local_theory"}. This allows to
+ invoke local theory specification packages without going through
+ concrete outer syntax, for example.
+
+ \item @{command "attribute_setup"}~@{text "name = text description"}
+ defines an attribute in the current theory. The given @{text
+ "text"} has to be an ML expression of type
+ @{ML_type "attribute context_parser"}, cf.\ basic parsers defined in
+ structure @{ML_struct Args} and @{ML_struct Attrib}.
+
+ In principle, attributes can operate both on a given theorem and the
+ implicit context, although in practice only one is modified and the
+ other serves as parameter. Here are examples for these two cases:
+
+ \end{description}
+*}
+
+ attribute_setup my_rule = {*
+ Attrib.thms >> (fn ths =>
+ Thm.rule_attribute
+ (fn context: Context.generic => fn th: thm =>
+ let val th' = th OF ths
+ in th' end)) *}
+
+ attribute_setup my_declaration = {*
+ Attrib.thms >> (fn ths =>
+ Thm.declaration_attribute
+ (fn th: thm => fn context: Context.generic =>
+ let val context' = context
+ in context' end)) *}
+
+
+section {* Primitive specification elements *}
+
+subsection {* Type classes and sorts \label{sec:classes} *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "classes"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "classrel"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
+ @{command_def "default_sort"} & : & @{text "local_theory \<rightarrow> local_theory"}
+ \end{matharray}
+
+ @{rail "
+ @@{command classes} (@{syntax classdecl} +)
+ ;
+ @@{command classrel} (@{syntax nameref} ('<' | '\<subseteq>') @{syntax nameref} + @'and')
+ ;
+ @@{command default_sort} @{syntax sort}
+ "}
+
+ \begin{description}
+
+ \item @{command "classes"}~@{text "c \<subseteq> c\<^sub>1, \<dots>, c\<^sub>n"} declares class
+ @{text c} to be a subclass of existing classes @{text "c\<^sub>1, \<dots>, c\<^sub>n"}.
+ Isabelle implicitly maintains the transitive closure of the class
+ hierarchy. Cyclic class structures are not permitted.
+
+ \item @{command "classrel"}~@{text "c\<^sub>1 \<subseteq> c\<^sub>2"} states subclass
+ relations between existing classes @{text "c\<^sub>1"} and @{text "c\<^sub>2"}.
+ This is done axiomatically! The @{command_ref "subclass"} and
+ @{command_ref "instance"} commands (see \secref{sec:class}) provide
+ a way to introduce proven class relations.
+
+ \item @{command "default_sort"}~@{text s} makes sort @{text s} the
+ new default sort for any type variable that is given explicitly in
+ the text, but lacks a sort constraint (wrt.\ the current context).
+ Type variables generated by type inference are not affected.
+
+ Usually the default sort is only changed when defining a new
+ object-logic. For example, the default sort in Isabelle/HOL is
+ @{class type}, the class of all HOL types.
+
+ When merging theories, the default sorts of the parents are
+ logically intersected, i.e.\ the representations as lists of classes
+ are joined.
+
+ \end{description}
+*}
+
+
+subsection {* Types and type abbreviations \label{sec:types-pure} *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "type_synonym"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "typedecl"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "arities"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
+ \end{matharray}
+
+ @{rail "
+ @@{command type_synonym} (@{syntax typespec} '=' @{syntax type} @{syntax mixfix}?)
+ ;
+ @@{command typedecl} @{syntax typespec} @{syntax mixfix}?
+ ;
+ @@{command arities} (@{syntax nameref} '::' @{syntax arity} +)
+ "}
+
+ \begin{description}
+
+ \item @{command "type_synonym"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t = \<tau>"}
+ introduces a \emph{type synonym} @{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} for the
+ existing type @{text "\<tau>"}. Unlike actual type definitions, as are
+ available in Isabelle/HOL for example, type synonyms are merely
+ syntactic abbreviations without any logical significance.
+ Internally, type synonyms are fully expanded.
+
+ \item @{command "typedecl"}~@{text "(\<alpha>\<^sub>1, \<dots>, \<alpha>\<^sub>n) t"} declares a new
+ type constructor @{text t}. If the object-logic defines a base sort
+ @{text s}, then the constructor is declared to operate on that, via
+ the axiomatic specification @{command arities}~@{text "t :: (s, \<dots>,
+ s)s"}.
+
+ \item @{command "arities"}~@{text "t :: (s\<^sub>1, \<dots>, s\<^sub>n)s"} augments
+ Isabelle's order-sorted signature of types by new type constructor
+ arities. This is done axiomatically! The @{command_ref "instantiation"}
+ target (see \secref{sec:class}) provides a way to introduce
+ proven type arities.
+
+ \end{description}
+*}
+
+
+subsection {* Constants and definitions \label{sec:consts} *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "consts"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "defs"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ Definitions essentially express abbreviations within the logic. The
+ simplest form of a definition is @{text "c :: \<sigma> \<equiv> t"}, where @{text
+ c} is a newly declared constant. Isabelle also allows derived forms
+ where the arguments of @{text c} appear on the left, abbreviating a
+ prefix of @{text \<lambda>}-abstractions, e.g.\ @{text "c \<equiv> \<lambda>x y. t"} may be
+ written more conveniently as @{text "c x y \<equiv> t"}. Moreover,
+ definitions may be weakened by adding arbitrary pre-conditions:
+ @{text "A \<Longrightarrow> c x y \<equiv> t"}.
+
+ \medskip The built-in well-formedness conditions for definitional
+ specifications are:
+
+ \begin{itemize}
+
+ \item Arguments (on the left-hand side) must be distinct variables.
+
+ \item All variables on the right-hand side must also appear on the
+ left-hand side.
+
+ \item All type variables on the right-hand side must also appear on
+ the left-hand side; this prohibits @{text "0 :: nat \<equiv> length ([] ::
+ \<alpha> list)"} for example.
+
+ \item The definition must not be recursive. Most object-logics
+ provide definitional principles that can be used to express
+ recursion safely.
+
+ \end{itemize}
+
+ The right-hand side of overloaded definitions may mention overloaded constants
+ recursively at type instances corresponding to the immediate
+ argument types @{text "\<beta>\<^sub>1, \<dots>, \<beta>\<^sub>n"}. Incomplete
+ specification patterns impose global constraints on all occurrences,
+ e.g.\ @{text "d :: \<alpha> \<times> \<alpha>"} on the left-hand side means that all
+ corresponding occurrences on some right-hand side need to be an
+ instance of this, general @{text "d :: \<alpha> \<times> \<beta>"} will be disallowed.
+
+ @{rail "
+ @@{command consts} ((@{syntax name} '::' @{syntax type} @{syntax mixfix}?) +)
+ ;
+ @@{command defs} opt? (@{syntax axmdecl} @{syntax prop} +)
+ ;
+ opt: '(' @'unchecked'? @'overloaded'? ')'
+ "}
+
+ \begin{description}
+
+ \item @{command "consts"}~@{text "c :: \<sigma>"} declares constant @{text
+ c} to have any instance of type scheme @{text \<sigma>}. The optional
+ mixfix annotations may attach concrete syntax to the constants
+ declared.
+
+ \item @{command "defs"}~@{text "name: eqn"} introduces @{text eqn}
+ as a definitional axiom for some existing constant.
+
+ The @{text "(unchecked)"} option disables global dependency checks
+ for this definition, which is occasionally useful for exotic
+ overloading. It is at the discretion of the user to avoid malformed
+ theory specifications!
+
+ The @{text "(overloaded)"} option declares definitions to be
+ potentially overloaded. Unless this option is given, a warning
+ message would be issued for any definitional equation with a more
+ special type than that of the corresponding constant declaration.
+
+ \end{description}
+*}
+
+
+section {* Axioms and theorems \label{sec:axms-thms} *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "axioms"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
+ @{command_def "lemmas"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ @{command_def "theorems"} & : & @{text "local_theory \<rightarrow> local_theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command axioms} (@{syntax axmdecl} @{syntax prop} +)
+ ;
+ (@@{command lemmas} | @@{command theorems}) @{syntax target}? \\
+ (@{syntax thmdef}? @{syntax thmrefs} + @'and')
+ (@'for' (@{syntax vars} + @'and'))?
+ "}
+
+ \begin{description}
+
+ \item @{command "axioms"}~@{text "a: \<phi>"} introduces arbitrary
+ statements as axioms of the meta-logic. In fact, axioms are
+ ``axiomatic theorems'', and may be referred later just as any other
+ theorem.
+
+ Axioms are usually only introduced when declaring new logical
+ systems. Everyday work is typically done the hard way, with proper
+ definitions and proven theorems.
+
+ \item @{command "lemmas"}~@{text "a = b\<^sub>1 \<dots> b\<^sub>n"}~@{keyword_def
+ "for"}~@{text "x\<^sub>1 \<dots> x\<^sub>m"} evaluates given facts (with attributes) in
+ the current context, which may be augmented by local variables.
+ Results are standardized before being stored, i.e.\ schematic
+ variables are renamed to enforce index @{text "0"} uniformly.
+
+ \item @{command "theorems"} is the same as @{command "lemmas"}, but
+ marks the result as a different kind of facts.
+
+ \end{description}
+*}
+
+
+section {* Oracles *}
+
+text {*
+ \begin{matharray}{rcll}
+ @{command_def "oracle"} & : & @{text "theory \<rightarrow> theory"} & (axiomatic!) \\
+ \end{matharray}
+
+ Oracles allow Isabelle to take advantage of external reasoners such
+ as arithmetic decision procedures, model checkers, fast tautology
+ checkers or computer algebra systems. Invoked as an oracle, an
+ external reasoner can create arbitrary Isabelle theorems.
+
+ It is the responsibility of the user to ensure that the external
+ reasoner is as trustworthy as the application requires. Another
+ typical source of errors is the linkup between Isabelle and the
+ external tool, not just its concrete implementation, but also the
+ required translation between two different logical environments.
+
+ Isabelle merely guarantees well-formedness of the propositions being
+ asserted, and records within the internal derivation object how
+ presumed theorems depend on unproven suppositions.
+
+ @{rail "
+ @@{command oracle} @{syntax name} '=' @{syntax text}
+ "}
+
+ \begin{description}
+
+ \item @{command "oracle"}~@{text "name = text"} turns the given ML
+ expression @{text "text"} of type @{ML_text "'a -> cterm"} into an
+ ML function of type @{ML_text "'a -> thm"}, which is bound to the
+ global identifier @{ML_text name}. This acts like an infinitary
+ specification of axioms! Invoking the oracle only works within the
+ scope of the resulting theory.
+
+ \end{description}
+
+ See @{file "~~/src/HOL/ex/Iff_Oracle.thy"} for a worked example of
+ defining a new primitive rule as oracle, and turning it into a proof
+ method.
+*}
+
+
+section {* Name spaces *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def "hide_class"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "hide_type"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "hide_const"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def "hide_fact"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ ( @{command hide_class} | @{command hide_type} |
+ @{command hide_const} | @{command hide_fact} ) ('(' @'open' ')')? (@{syntax nameref} + )
+ "}
+
+ Isabelle organizes any kind of name declarations (of types,
+ constants, theorems etc.) by separate hierarchically structured name
+ spaces. Normally the user does not have to control the behavior of
+ name spaces by hand, yet the following commands provide some way to
+ do so.
+
+ \begin{description}
+
+ \item @{command "hide_class"}~@{text names} fully removes class
+ declarations from a given name space; with the @{text "(open)"}
+ option, only the base name is hidden.
+
+ Note that hiding name space accesses has no impact on logical
+ declarations --- they remain valid internally. Entities that are no
+ longer accessible to the user are printed with the special qualifier
+ ``@{text "??"}'' prefixed to the full internal name.
+
+ \item @{command "hide_type"}, @{command "hide_const"}, and @{command
+ "hide_fact"} are similar to @{command "hide_class"}, but hide types,
+ constants, and facts, respectively.
+
+ \end{description}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Symbols.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,46 @@
+theory Symbols
+imports Base Main
+begin
+
+chapter {* Predefined Isabelle symbols \label{app:symbols} *}
+
+text {*
+ Isabelle supports an infinite number of non-ASCII symbols, which are
+ represented in source text as @{verbatim "\\"}@{verbatim "<"}@{text
+ name}@{verbatim ">"} (where @{text name} may be any identifier). It
+ is left to front-end tools how to present these symbols to the user.
+ The collection of predefined standard symbols given below is
+ available by default for Isabelle document output, due to
+ appropriate definitions of @{verbatim "\\"}@{verbatim isasym}@{text
+ name} for each @{verbatim "\\"}@{verbatim "<"}@{text name}@{verbatim
+ ">"} in the @{verbatim isabellesym.sty} file. Most of these symbols
+ are displayed properly in Proof~General and Isabelle/jEdit.
+
+ Moreover, any single symbol (or ASCII character) may be prefixed by
+ @{verbatim "\\"}@{verbatim "<^sup>"}, for superscript and @{verbatim
+ "\\"}@{verbatim "<^sub>"}, for subscript, such as @{verbatim
+ "A\\"}@{verbatim "<^sup>\<star>"}, for @{text "A\<^sup>\<star>"} the alternative
+ versions @{verbatim "\\"}@{verbatim "<^isub>"} and @{verbatim
+ "\\"}@{verbatim "<^isup>"} are considered as quasi letters and may
+ be used within identifiers. Sub- and superscripts that span a
+ region of text are marked up with @{verbatim "\\"}@{verbatim
+ "<^bsub>"}@{text "\<dots>"}@{verbatim "\\"}@{verbatim "<^esub>"}, and
+ @{verbatim "\\"}@{verbatim "<^bsup>"}@{text "\<dots>"}@{verbatim
+ "\\"}@{verbatim "<^esup>"} respectively. Furthermore, all ASCII
+ characters and most other symbols may be printed in bold by
+ prefixing @{verbatim "\\"}@{verbatim "<^bold>"} such as @{verbatim
+ "\\"}@{verbatim "<^bold>\\"}@{verbatim "<alpha>"} for @{text
+ "\<^bold>\<alpha>"}. Note that @{verbatim "\\"}@{verbatim "<^bold>"}, may
+ \emph{not} be combined with sub- or superscripts for single symbols.
+
+ Further details of Isabelle document preparation are covered in
+ \chref{ch:document-prep}.
+
+ \begin{center}
+ \begin{isabellebody}
+ \input{syms}
+ \end{isabellebody}
+ \end{center}
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/Synopsis.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1108 @@
+theory Synopsis
+imports Base Main
+begin
+
+chapter {* Synopsis *}
+
+section {* Notepad *}
+
+text {*
+ An Isar proof body serves as mathematical notepad to compose logical
+ content, consisting of types, terms, facts.
+*}
+
+
+subsection {* Types and terms *}
+
+notepad
+begin
+ txt {* Locally fixed entities: *}
+ fix x -- {* local constant, without any type information yet *}
+ fix x :: 'a -- {* variant with explicit type-constraint for subsequent use*}
+
+ fix a b
+ assume "a = b" -- {* type assignment at first occurrence in concrete term *}
+
+ txt {* Definitions (non-polymorphic): *}
+ def x \<equiv> "t::'a"
+
+ txt {* Abbreviations (polymorphic): *}
+ let ?f = "\<lambda>x. x"
+ term "?f ?f"
+
+ txt {* Notation: *}
+ write x ("***")
+end
+
+
+subsection {* Facts *}
+
+text {*
+ A fact is a simultaneous list of theorems.
+*}
+
+
+subsubsection {* Producing facts *}
+
+notepad
+begin
+
+ txt {* Via assumption (``lambda''): *}
+ assume a: A
+
+ txt {* Via proof (``let''): *}
+ have b: B sorry
+
+ txt {* Via abbreviation (``let''): *}
+ note c = a b
+
+end
+
+
+subsubsection {* Referencing facts *}
+
+notepad
+begin
+ txt {* Via explicit name: *}
+ assume a: A
+ note a
+
+ txt {* Via implicit name: *}
+ assume A
+ note this
+
+ txt {* Via literal proposition (unification with results from the proof text): *}
+ assume A
+ note `A`
+
+ assume "\<And>x. B x"
+ note `B a`
+ note `B b`
+end
+
+
+subsubsection {* Manipulating facts *}
+
+notepad
+begin
+ txt {* Instantiation: *}
+ assume a: "\<And>x. B x"
+ note a
+ note a [of b]
+ note a [where x = b]
+
+ txt {* Backchaining: *}
+ assume 1: A
+ assume 2: "A \<Longrightarrow> C"
+ note 2 [OF 1]
+ note 1 [THEN 2]
+
+ txt {* Symmetric results: *}
+ assume "x = y"
+ note this [symmetric]
+
+ assume "x \<noteq> y"
+ note this [symmetric]
+
+ txt {* Adhoc-simplification (take care!): *}
+ assume "P ([] @ xs)"
+ note this [simplified]
+end
+
+
+subsubsection {* Projections *}
+
+text {*
+ Isar facts consist of multiple theorems. There is notation to project
+ interval ranges.
+*}
+
+notepad
+begin
+ assume stuff: A B C D
+ note stuff(1)
+ note stuff(2-3)
+ note stuff(2-)
+end
+
+
+subsubsection {* Naming conventions *}
+
+text {*
+ \begin{itemize}
+
+ \item Lower-case identifiers are usually preferred.
+
+ \item Facts can be named after the main term within the proposition.
+
+ \item Facts should \emph{not} be named after the command that
+ introduced them (@{command "assume"}, @{command "have"}). This is
+ misleading and hard to maintain.
+
+ \item Natural numbers can be used as ``meaningless'' names (more
+ appropriate than @{text "a1"}, @{text "a2"} etc.)
+
+ \item Symbolic identifiers are supported (e.g. @{text "*"}, @{text
+ "**"}, @{text "***"}).
+
+ \end{itemize}
+*}
+
+
+subsection {* Block structure *}
+
+text {*
+ The formal notepad is block structured. The fact produced by the last
+ entry of a block is exported into the outer context.
+*}
+
+notepad
+begin
+ {
+ have a: A sorry
+ have b: B sorry
+ note a b
+ }
+ note this
+ note `A`
+ note `B`
+end
+
+text {* Explicit blocks as well as implicit blocks of nested goal
+ statements (e.g.\ @{command have}) automatically introduce one extra
+ pair of parentheses in reserve. The @{command next} command allows
+ to ``jump'' between these sub-blocks. *}
+
+notepad
+begin
+
+ {
+ have a: A sorry
+ next
+ have b: B
+ proof -
+ show B sorry
+ next
+ have c: C sorry
+ next
+ have d: D sorry
+ qed
+ }
+
+ txt {* Alternative version with explicit parentheses everywhere: *}
+
+ {
+ {
+ have a: A sorry
+ }
+ {
+ have b: B
+ proof -
+ {
+ show B sorry
+ }
+ {
+ have c: C sorry
+ }
+ {
+ have d: D sorry
+ }
+ qed
+ }
+ }
+
+end
+
+
+section {* Calculational reasoning \label{sec:calculations-synopsis} *}
+
+text {*
+ For example, see @{file "~~/src/HOL/Isar_Examples/Group.thy"}.
+*}
+
+
+subsection {* Special names in Isar proofs *}
+
+text {*
+ \begin{itemize}
+
+ \item term @{text "?thesis"} --- the main conclusion of the
+ innermost pending claim
+
+ \item term @{text "\<dots>"} --- the argument of the last explicitly
+ stated result (for infix application this is the right-hand side)
+
+ \item fact @{text "this"} --- the last result produced in the text
+
+ \end{itemize}
+*}
+
+notepad
+begin
+ have "x = y"
+ proof -
+ term ?thesis
+ show ?thesis sorry
+ term ?thesis -- {* static! *}
+ qed
+ term "\<dots>"
+ thm this
+end
+
+text {* Calculational reasoning maintains the special fact called
+ ``@{text calculation}'' in the background. Certain language
+ elements combine primary @{text this} with secondary @{text
+ calculation}. *}
+
+
+subsection {* Transitive chains *}
+
+text {* The Idea is to combine @{text this} and @{text calculation}
+ via typical @{text trans} rules (see also @{command
+ print_trans_rules}): *}
+
+thm trans
+thm less_trans
+thm less_le_trans
+
+notepad
+begin
+ txt {* Plain bottom-up calculation: *}
+ have "a = b" sorry
+ also
+ have "b = c" sorry
+ also
+ have "c = d" sorry
+ finally
+ have "a = d" .
+
+ txt {* Variant using the @{text "\<dots>"} abbreviation: *}
+ have "a = b" sorry
+ also
+ have "\<dots> = c" sorry
+ also
+ have "\<dots> = d" sorry
+ finally
+ have "a = d" .
+
+ txt {* Top-down version with explicit claim at the head: *}
+ have "a = d"
+ proof -
+ have "a = b" sorry
+ also
+ have "\<dots> = c" sorry
+ also
+ have "\<dots> = d" sorry
+ finally
+ show ?thesis .
+ qed
+next
+ txt {* Mixed inequalities (require suitable base type): *}
+ fix a b c d :: nat
+
+ have "a < b" sorry
+ also
+ have "b \<le> c" sorry
+ also
+ have "c = d" sorry
+ finally
+ have "a < d" .
+end
+
+
+subsubsection {* Notes *}
+
+text {*
+ \begin{itemize}
+
+ \item The notion of @{text trans} rule is very general due to the
+ flexibility of Isabelle/Pure rule composition.
+
+ \item User applications may declare their own rules, with some care
+ about the operational details of higher-order unification.
+
+ \end{itemize}
+*}
+
+
+subsection {* Degenerate calculations and bigstep reasoning *}
+
+text {* The Idea is to append @{text this} to @{text calculation},
+ without rule composition. *}
+
+notepad
+begin
+ txt {* A vacuous proof: *}
+ have A sorry
+ moreover
+ have B sorry
+ moreover
+ have C sorry
+ ultimately
+ have A and B and C .
+next
+ txt {* Slightly more content (trivial bigstep reasoning): *}
+ have A sorry
+ moreover
+ have B sorry
+ moreover
+ have C sorry
+ ultimately
+ have "A \<and> B \<and> C" by blast
+next
+ txt {* More ambitious bigstep reasoning involving structured results: *}
+ have "A \<or> B \<or> C" sorry
+ moreover
+ { assume A have R sorry }
+ moreover
+ { assume B have R sorry }
+ moreover
+ { assume C have R sorry }
+ ultimately
+ have R by blast -- {* ``big-bang integration'' of proof blocks (occasionally fragile) *}
+end
+
+
+section {* Induction *}
+
+subsection {* Induction as Natural Deduction *}
+
+text {* In principle, induction is just a special case of Natural
+ Deduction (see also \secref{sec:natural-deduction-synopsis}). For
+ example: *}
+
+thm nat.induct
+print_statement nat.induct
+
+notepad
+begin
+ fix n :: nat
+ have "P n"
+ proof (rule nat.induct) -- {* fragile rule application! *}
+ show "P 0" sorry
+ next
+ fix n :: nat
+ assume "P n"
+ show "P (Suc n)" sorry
+ qed
+end
+
+text {*
+ In practice, much more proof infrastructure is required.
+
+ The proof method @{method induct} provides:
+ \begin{itemize}
+
+ \item implicit rule selection and robust instantiation
+
+ \item context elements via symbolic case names
+
+ \item support for rule-structured induction statements, with local
+ parameters, premises, etc.
+
+ \end{itemize}
+*}
+
+notepad
+begin
+ fix n :: nat
+ have "P n"
+ proof (induct n)
+ case 0
+ show ?case sorry
+ next
+ case (Suc n)
+ from Suc.hyps show ?case sorry
+ qed
+end
+
+
+subsubsection {* Example *}
+
+text {*
+ The subsequent example combines the following proof patterns:
+ \begin{itemize}
+
+ \item outermost induction (over the datatype structure of natural
+ numbers), to decompose the proof problem in top-down manner
+
+ \item calculational reasoning (\secref{sec:calculations-synopsis})
+ to compose the result in each case
+
+ \item solving local claims within the calculation by simplification
+
+ \end{itemize}
+*}
+
+lemma
+ fixes n :: nat
+ shows "(\<Sum>i=0..n. i) = n * (n + 1) div 2"
+proof (induct n)
+ case 0
+ have "(\<Sum>i=0..0. i) = (0::nat)" by simp
+ also have "\<dots> = 0 * (0 + 1) div 2" by simp
+ finally show ?case .
+next
+ case (Suc n)
+ have "(\<Sum>i=0..Suc n. i) = (\<Sum>i=0..n. i) + (n + 1)" by simp
+ also have "\<dots> = n * (n + 1) div 2 + (n + 1)" by (simp add: Suc.hyps)
+ also have "\<dots> = (n * (n + 1) + 2 * (n + 1)) div 2" by simp
+ also have "\<dots> = (Suc n * (Suc n + 1)) div 2" by simp
+ finally show ?case .
+qed
+
+text {* This demonstrates how induction proofs can be done without
+ having to consider the raw Natural Deduction structure. *}
+
+
+subsection {* Induction with local parameters and premises *}
+
+text {* Idea: Pure rule statements are passed through the induction
+ rule. This achieves convenient proof patterns, thanks to some
+ internal trickery in the @{method induct} method.
+
+ Important: Using compact HOL formulae with @{text "\<forall>/\<longrightarrow>"} is a
+ well-known anti-pattern! It would produce useless formal noise.
+*}
+
+notepad
+begin
+ fix n :: nat
+ fix P :: "nat \<Rightarrow> bool"
+ fix Q :: "'a \<Rightarrow> nat \<Rightarrow> bool"
+
+ have "P n"
+ proof (induct n)
+ case 0
+ show "P 0" sorry
+ next
+ case (Suc n)
+ from `P n` show "P (Suc n)" sorry
+ qed
+
+ have "A n \<Longrightarrow> P n"
+ proof (induct n)
+ case 0
+ from `A 0` show "P 0" sorry
+ next
+ case (Suc n)
+ from `A n \<Longrightarrow> P n`
+ and `A (Suc n)` show "P (Suc n)" sorry
+ qed
+
+ have "\<And>x. Q x n"
+ proof (induct n)
+ case 0
+ show "Q x 0" sorry
+ next
+ case (Suc n)
+ from `\<And>x. Q x n` show "Q x (Suc n)" sorry
+ txt {* Local quantification admits arbitrary instances: *}
+ note `Q a n` and `Q b n`
+ qed
+end
+
+
+subsection {* Implicit induction context *}
+
+text {* The @{method induct} method can isolate local parameters and
+ premises directly from the given statement. This is convenient in
+ practical applications, but requires some understanding of what is
+ going on internally (as explained above). *}
+
+notepad
+begin
+ fix n :: nat
+ fix Q :: "'a \<Rightarrow> nat \<Rightarrow> bool"
+
+ fix x :: 'a
+ assume "A x n"
+ then have "Q x n"
+ proof (induct n arbitrary: x)
+ case 0
+ from `A x 0` show "Q x 0" sorry
+ next
+ case (Suc n)
+ from `\<And>x. A x n \<Longrightarrow> Q x n` -- {* arbitrary instances can be produced here *}
+ and `A x (Suc n)` show "Q x (Suc n)" sorry
+ qed
+end
+
+
+subsection {* Advanced induction with term definitions *}
+
+text {* Induction over subexpressions of a certain shape are delicate
+ to formalize. The Isar @{method induct} method provides
+ infrastructure for this.
+
+ Idea: sub-expressions of the problem are turned into a defined
+ induction variable; often accompanied with fixing of auxiliary
+ parameters in the original expression. *}
+
+notepad
+begin
+ fix a :: "'a \<Rightarrow> nat"
+ fix A :: "nat \<Rightarrow> bool"
+
+ assume "A (a x)"
+ then have "P (a x)"
+ proof (induct "a x" arbitrary: x)
+ case 0
+ note prem = `A (a x)`
+ and defn = `0 = a x`
+ show "P (a x)" sorry
+ next
+ case (Suc n)
+ note hyp = `\<And>x. n = a x \<Longrightarrow> A (a x) \<Longrightarrow> P (a x)`
+ and prem = `A (a x)`
+ and defn = `Suc n = a x`
+ show "P (a x)" sorry
+ qed
+end
+
+
+section {* Natural Deduction \label{sec:natural-deduction-synopsis} *}
+
+subsection {* Rule statements *}
+
+text {*
+ Isabelle/Pure ``theorems'' are always natural deduction rules,
+ which sometimes happen to consist of a conclusion only.
+
+ The framework connectives @{text "\<And>"} and @{text "\<Longrightarrow>"} indicate the
+ rule structure declaratively. For example: *}
+
+thm conjI
+thm impI
+thm nat.induct
+
+text {*
+ The object-logic is embedded into the Pure framework via an implicit
+ derivability judgment @{term "Trueprop :: bool \<Rightarrow> prop"}.
+
+ Thus any HOL formulae appears atomic to the Pure framework, while
+ the rule structure outlines the corresponding proof pattern.
+
+ This can be made explicit as follows:
+*}
+
+notepad
+begin
+ write Trueprop ("Tr")
+
+ thm conjI
+ thm impI
+ thm nat.induct
+end
+
+text {*
+ Isar provides first-class notation for rule statements as follows.
+*}
+
+print_statement conjI
+print_statement impI
+print_statement nat.induct
+
+
+subsubsection {* Examples *}
+
+text {*
+ Introductions and eliminations of some standard connectives of
+ the object-logic can be written as rule statements as follows. (The
+ proof ``@{command "by"}~@{method blast}'' serves as sanity check.)
+*}
+
+lemma "(P \<Longrightarrow> False) \<Longrightarrow> \<not> P" by blast
+lemma "\<not> P \<Longrightarrow> P \<Longrightarrow> Q" by blast
+
+lemma "P \<Longrightarrow> Q \<Longrightarrow> P \<and> Q" by blast
+lemma "P \<and> Q \<Longrightarrow> (P \<Longrightarrow> Q \<Longrightarrow> R) \<Longrightarrow> R" by blast
+
+lemma "P \<Longrightarrow> P \<or> Q" by blast
+lemma "Q \<Longrightarrow> P \<or> Q" by blast
+lemma "P \<or> Q \<Longrightarrow> (P \<Longrightarrow> R) \<Longrightarrow> (Q \<Longrightarrow> R) \<Longrightarrow> R" by blast
+
+lemma "(\<And>x. P x) \<Longrightarrow> (\<forall>x. P x)" by blast
+lemma "(\<forall>x. P x) \<Longrightarrow> P x" by blast
+
+lemma "P x \<Longrightarrow> (\<exists>x. P x)" by blast
+lemma "(\<exists>x. P x) \<Longrightarrow> (\<And>x. P x \<Longrightarrow> R) \<Longrightarrow> R" by blast
+
+lemma "x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> x \<in> A \<inter> B" by blast
+lemma "x \<in> A \<inter> B \<Longrightarrow> (x \<in> A \<Longrightarrow> x \<in> B \<Longrightarrow> R) \<Longrightarrow> R" by blast
+
+lemma "x \<in> A \<Longrightarrow> x \<in> A \<union> B" by blast
+lemma "x \<in> B \<Longrightarrow> x \<in> A \<union> B" by blast
+lemma "x \<in> A \<union> B \<Longrightarrow> (x \<in> A \<Longrightarrow> R) \<Longrightarrow> (x \<in> B \<Longrightarrow> R) \<Longrightarrow> R" by blast
+
+
+subsection {* Isar context elements *}
+
+text {* We derive some results out of the blue, using Isar context
+ elements and some explicit blocks. This illustrates their meaning
+ wrt.\ Pure connectives, without goal states getting in the way. *}
+
+notepad
+begin
+ {
+ fix x
+ have "B x" sorry
+ }
+ have "\<And>x. B x" by fact
+
+next
+
+ {
+ assume A
+ have B sorry
+ }
+ have "A \<Longrightarrow> B" by fact
+
+next
+
+ {
+ def x \<equiv> t
+ have "B x" sorry
+ }
+ have "B t" by fact
+
+next
+
+ {
+ obtain x :: 'a where "B x" sorry
+ have C sorry
+ }
+ have C by fact
+
+end
+
+
+subsection {* Pure rule composition *}
+
+text {*
+ The Pure framework provides means for:
+
+ \begin{itemize}
+
+ \item backward-chaining of rules by @{inference resolution}
+
+ \item closing of branches by @{inference assumption}
+
+ \end{itemize}
+
+ Both principles involve higher-order unification of @{text \<lambda>}-terms
+ modulo @{text "\<alpha>\<beta>\<eta>"}-equivalence (cf.\ Huet and Miller). *}
+
+notepad
+begin
+ assume a: A and b: B
+ thm conjI
+ thm conjI [of A B] -- "instantiation"
+ thm conjI [of A B, OF a b] -- "instantiation and composition"
+ thm conjI [OF a b] -- "composition via unification (trivial)"
+ thm conjI [OF `A` `B`]
+
+ thm conjI [OF disjI1]
+end
+
+text {* Note: Low-level rule composition is tedious and leads to
+ unreadable~/ unmaintainable expressions in the text. *}
+
+
+subsection {* Structured backward reasoning *}
+
+text {* Idea: Canonical proof decomposition via @{command fix}~/
+ @{command assume}~/ @{command show}, where the body produces a
+ natural deduction rule to refine some goal. *}
+
+notepad
+begin
+ fix A B :: "'a \<Rightarrow> bool"
+
+ have "\<And>x. A x \<Longrightarrow> B x"
+ proof -
+ fix x
+ assume "A x"
+ show "B x" sorry
+ qed
+
+ have "\<And>x. A x \<Longrightarrow> B x"
+ proof -
+ {
+ fix x
+ assume "A x"
+ show "B x" sorry
+ } -- "implicit block structure made explicit"
+ note `\<And>x. A x \<Longrightarrow> B x`
+ -- "side exit for the resulting rule"
+ qed
+end
+
+
+subsection {* Structured rule application *}
+
+text {*
+ Idea: Previous facts and new claims are composed with a rule from
+ the context (or background library).
+*}
+
+notepad
+begin
+ assume r1: "A \<Longrightarrow> B \<Longrightarrow> C" -- {* simple rule (Horn clause) *}
+
+ have A sorry -- "prefix of facts via outer sub-proof"
+ then have C
+ proof (rule r1)
+ show B sorry -- "remaining rule premises via inner sub-proof"
+ qed
+
+ have C
+ proof (rule r1)
+ show A sorry
+ show B sorry
+ qed
+
+ have A and B sorry
+ then have C
+ proof (rule r1)
+ qed
+
+ have A and B sorry
+ then have C by (rule r1)
+
+next
+
+ assume r2: "A \<Longrightarrow> (\<And>x. B1 x \<Longrightarrow> B2 x) \<Longrightarrow> C" -- {* nested rule *}
+
+ have A sorry
+ then have C
+ proof (rule r2)
+ fix x
+ assume "B1 x"
+ show "B2 x" sorry
+ qed
+
+ txt {* The compound rule premise @{prop "\<And>x. B1 x \<Longrightarrow> B2 x"} is better
+ addressed via @{command fix}~/ @{command assume}~/ @{command show}
+ in the nested proof body. *}
+end
+
+
+subsection {* Example: predicate logic *}
+
+text {*
+ Using the above principles, standard introduction and elimination proofs
+ of predicate logic connectives of HOL work as follows.
+*}
+
+notepad
+begin
+ have "A \<longrightarrow> B" and A sorry
+ then have B ..
+
+ have A sorry
+ then have "A \<or> B" ..
+
+ have B sorry
+ then have "A \<or> B" ..
+
+ have "A \<or> B" sorry
+ then have C
+ proof
+ assume A
+ then show C sorry
+ next
+ assume B
+ then show C sorry
+ qed
+
+ have A and B sorry
+ then have "A \<and> B" ..
+
+ have "A \<and> B" sorry
+ then have A ..
+
+ have "A \<and> B" sorry
+ then have B ..
+
+ have False sorry
+ then have A ..
+
+ have True ..
+
+ have "\<not> A"
+ proof
+ assume A
+ then show False sorry
+ qed
+
+ have "\<not> A" and A sorry
+ then have B ..
+
+ have "\<forall>x. P x"
+ proof
+ fix x
+ show "P x" sorry
+ qed
+
+ have "\<forall>x. P x" sorry
+ then have "P a" ..
+
+ have "\<exists>x. P x"
+ proof
+ show "P a" sorry
+ qed
+
+ have "\<exists>x. P x" sorry
+ then have C
+ proof
+ fix a
+ assume "P a"
+ show C sorry
+ qed
+
+ txt {* Less awkward version using @{command obtain}: *}
+ have "\<exists>x. P x" sorry
+ then obtain a where "P a" ..
+end
+
+text {* Further variations to illustrate Isar sub-proofs involving
+ @{command show}: *}
+
+notepad
+begin
+ have "A \<and> B"
+ proof -- {* two strictly isolated subproofs *}
+ show A sorry
+ next
+ show B sorry
+ qed
+
+ have "A \<and> B"
+ proof -- {* one simultaneous sub-proof *}
+ show A and B sorry
+ qed
+
+ have "A \<and> B"
+ proof -- {* two subproofs in the same context *}
+ show A sorry
+ show B sorry
+ qed
+
+ have "A \<and> B"
+ proof -- {* swapped order *}
+ show B sorry
+ show A sorry
+ qed
+
+ have "A \<and> B"
+ proof -- {* sequential subproofs *}
+ show A sorry
+ show B using `A` sorry
+ qed
+end
+
+
+subsubsection {* Example: set-theoretic operators *}
+
+text {* There is nothing special about logical connectives (@{text
+ "\<and>"}, @{text "\<or>"}, @{text "\<forall>"}, @{text "\<exists>"} etc.). Operators from
+ set-theory or lattice-theory work analogously. It is only a matter
+ of rule declarations in the library; rules can be also specified
+ explicitly.
+*}
+
+notepad
+begin
+ have "x \<in> A" and "x \<in> B" sorry
+ then have "x \<in> A \<inter> B" ..
+
+ have "x \<in> A" sorry
+ then have "x \<in> A \<union> B" ..
+
+ have "x \<in> B" sorry
+ then have "x \<in> A \<union> B" ..
+
+ have "x \<in> A \<union> B" sorry
+ then have C
+ proof
+ assume "x \<in> A"
+ then show C sorry
+ next
+ assume "x \<in> B"
+ then show C sorry
+ qed
+
+next
+ have "x \<in> \<Inter>A"
+ proof
+ fix a
+ assume "a \<in> A"
+ show "x \<in> a" sorry
+ qed
+
+ have "x \<in> \<Inter>A" sorry
+ then have "x \<in> a"
+ proof
+ show "a \<in> A" sorry
+ qed
+
+ have "a \<in> A" and "x \<in> a" sorry
+ then have "x \<in> \<Union>A" ..
+
+ have "x \<in> \<Union>A" sorry
+ then obtain a where "a \<in> A" and "x \<in> a" ..
+end
+
+
+section {* Generalized elimination and cases *}
+
+subsection {* General elimination rules *}
+
+text {*
+ The general format of elimination rules is illustrated by the
+ following typical representatives:
+*}
+
+thm exE -- {* local parameter *}
+thm conjE -- {* local premises *}
+thm disjE -- {* split into cases *}
+
+text {*
+ Combining these characteristics leads to the following general scheme
+ for elimination rules with cases:
+
+ \begin{itemize}
+
+ \item prefix of assumptions (or ``major premises'')
+
+ \item one or more cases that enable to establish the main conclusion
+ in an augmented context
+
+ \end{itemize}
+*}
+
+notepad
+begin
+ assume r:
+ "A1 \<Longrightarrow> A2 \<Longrightarrow> (* assumptions *)
+ (\<And>x y. B1 x y \<Longrightarrow> C1 x y \<Longrightarrow> R) \<Longrightarrow> (* case 1 *)
+ (\<And>x y. B2 x y \<Longrightarrow> C2 x y \<Longrightarrow> R) \<Longrightarrow> (* case 2 *)
+ R (* main conclusion *)"
+
+ have A1 and A2 sorry
+ then have R
+ proof (rule r)
+ fix x y
+ assume "B1 x y" and "C1 x y"
+ show ?thesis sorry
+ next
+ fix x y
+ assume "B2 x y" and "C2 x y"
+ show ?thesis sorry
+ qed
+end
+
+text {* Here @{text "?thesis"} is used to refer to the unchanged goal
+ statement. *}
+
+
+subsection {* Rules with cases *}
+
+text {*
+ Applying an elimination rule to some goal, leaves that unchanged
+ but allows to augment the context in the sub-proof of each case.
+
+ Isar provides some infrastructure to support this:
+
+ \begin{itemize}
+
+ \item native language elements to state eliminations
+
+ \item symbolic case names
+
+ \item method @{method cases} to recover this structure in a
+ sub-proof
+
+ \end{itemize}
+*}
+
+print_statement exE
+print_statement conjE
+print_statement disjE
+
+lemma
+ assumes A1 and A2 -- {* assumptions *}
+ obtains
+ (case1) x y where "B1 x y" and "C1 x y"
+ | (case2) x y where "B2 x y" and "C2 x y"
+ sorry
+
+
+subsubsection {* Example *}
+
+lemma tertium_non_datur:
+ obtains
+ (T) A
+ | (F) "\<not> A"
+ by blast
+
+notepad
+begin
+ fix x y :: 'a
+ have C
+ proof (cases "x = y" rule: tertium_non_datur)
+ case T
+ from `x = y` show ?thesis sorry
+ next
+ case F
+ from `x \<noteq> y` show ?thesis sorry
+ qed
+end
+
+
+subsubsection {* Example *}
+
+text {*
+ Isabelle/HOL specification mechanisms (datatype, inductive, etc.)
+ provide suitable derived cases rules.
+*}
+
+datatype foo = Foo | Bar foo
+
+notepad
+begin
+ fix x :: foo
+ have C
+ proof (cases x)
+ case Foo
+ from `x = Foo` show ?thesis sorry
+ next
+ case (Bar a)
+ from `x = Bar a` show ?thesis sorry
+ qed
+end
+
+
+subsection {* Obtaining local contexts *}
+
+text {* A single ``case'' branch may be inlined into Isar proof text
+ via @{command obtain}. This proves @{prop "(\<And>x. B x \<Longrightarrow> thesis) \<Longrightarrow>
+ thesis"} on the spot, and augments the context afterwards. *}
+
+notepad
+begin
+ fix B :: "'a \<Rightarrow> bool"
+
+ obtain x where "B x" sorry
+ note `B x`
+
+ txt {* Conclusions from this context may not mention @{term x} again! *}
+ {
+ obtain x where "B x" sorry
+ from `B x` have C sorry
+ }
+ note `C`
+end
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,22 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_isar.pdf "Isar"
+"$ISABELLE_TOOL" logo -o isabelle_isar.eps "Isar"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/underscore.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+./showsymbols "$ISABELLE_HOME/lib/texinputs/isabellesym.sty" > syms.tex
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/isar-vm.eps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2694 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: inkscape 0.46
+%%Pages: 1
+%%Orientation: Portrait
+%%BoundingBox: 0 0 435 173
+%%HiResBoundingBox: 0 0 435 173
+%%EndComments
+%%BeginSetup
+%%EndSetup
+%%Page: 1 1
+0 173 translate
+0.8 -0.8 scale
+0 0 0 setrgbcolor
+[] 0 setdash
+1 setlinewidth
+0 setlinejoin
+0 setlinecap
+gsave [1 0 0 1 0 0] concat
+gsave [1 0 0 1 -44.641342 -76.87234] concat
+gsave [1 0 0 1 70.838012 79.725562] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99921262 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+229.77649 131.52507 moveto
+265.28729 131.52507 lineto
+275.08072 131.52507 282.96496 139.40931 282.96496 149.20274 curveto
+282.96496 166.99701 lineto
+282.96496 176.79043 275.08072 184.67467 265.28729 184.67467 curveto
+229.77649 184.67467 lineto
+219.98306 184.67467 212.09882 176.79043 212.09882 166.99701 curveto
+212.09882 149.20274 lineto
+212.09882 139.40931 219.98306 131.52507 229.77649 131.52507 curveto
+closepath
+stroke
+gsave
+0 0 0 setrgbcolor
+newpath
+231.92252 155.58815 moveto
+231.92252 157.8694 lineto
+231.5423 157.60899 231.15949 157.41628 230.77408 157.29128 curveto
+230.39386 157.16628 229.99803 157.10378 229.58658 157.10378 curveto
+228.80532 157.10378 228.19595 157.33295 227.75845 157.79128 curveto
+227.32616 158.24441 227.11001 158.87982 227.11002 159.69753 curveto
+227.11001 160.51524 227.32616 161.15326 227.75845 161.61159 curveto
+228.19595 162.06471 228.80532 162.29128 229.58658 162.29128 curveto
+230.02407 162.29128 230.43813 162.22617 230.82877 162.09596 curveto
+231.22459 161.96576 231.58917 161.77305 231.92252 161.51784 curveto
+231.92252 163.8069 lineto
+231.48501 163.96836 231.0397 164.08815 230.58658 164.16628 curveto
+230.13866 164.24961 229.68813 164.29127 229.23502 164.29128 curveto
+227.65689 164.29127 226.42251 163.88763 225.53189 163.08034 curveto
+224.64126 162.26784 224.19595 161.14024 224.19595 159.69753 curveto
+224.19595 158.25482 224.64126 157.12982 225.53189 156.32253 curveto
+226.42251 155.51003 227.65689 155.10378 229.23502 155.10378 curveto
+229.69334 155.10378 230.14386 155.14545 230.58658 155.22878 curveto
+231.03449 155.30691 231.4798 155.4267 231.92252 155.58815 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+243.14908 158.73659 moveto
+243.14908 164.06471 lineto
+240.33658 164.06471 lineto
+240.33658 163.19753 lineto
+240.33658 160.00221 lineto
+240.33657 159.23659 240.31834 158.71055 240.28189 158.42409 curveto
+240.25063 158.13764 240.19334 157.9267 240.11002 157.79128 curveto
+240.00063 157.60899 239.8522 157.46836 239.6647 157.3694 curveto
+239.4772 157.26524 239.26366 157.21316 239.02408 157.21315 curveto
+238.44074 157.21316 237.98241 157.43972 237.64908 157.89284 curveto
+237.31574 158.34076 237.14907 158.96316 237.14908 159.76003 curveto
+237.14908 164.06471 lineto
+234.3522 164.06471 lineto
+234.3522 151.90846 lineto
+237.14908 151.90846 lineto
+237.14908 156.59596 lineto
+237.57095 156.08555 238.01887 155.71055 238.49283 155.47096 curveto
+238.96678 155.22618 239.49022 155.10378 240.06314 155.10378 curveto
+241.07355 155.10378 241.83917 155.41368 242.36002 156.03346 curveto
+242.88605 156.65326 243.14907 157.5543 243.14908 158.73659 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+249.68033 160.12721 moveto
+249.09699 160.12722 248.65689 160.22617 248.36002 160.42409 curveto
+248.06835 160.62201 247.92251 160.91367 247.92252 161.29909 curveto
+247.92251 161.65326 248.0397 161.9319 248.27408 162.13503 curveto
+248.51366 162.33294 248.84439 162.4319 249.26627 162.4319 curveto
+249.7923 162.4319 250.23501 162.2444 250.59439 161.8694 curveto
+250.95376 161.48919 251.13345 161.01524 251.13345 160.44753 curveto
+251.13345 160.12721 lineto
+249.68033 160.12721 lineto
+253.95377 159.07253 moveto
+253.95377 164.06471 lineto
+251.13345 164.06471 lineto
+251.13345 162.76784 lineto
+250.75845 163.29909 250.33657 163.68711 249.86783 163.9319 curveto
+249.39907 164.17148 248.82876 164.29127 248.15689 164.29128 curveto
+247.25064 164.29127 246.51366 164.02825 245.94595 163.50221 curveto
+245.38345 162.97096 245.1022 162.28346 245.1022 161.43971 curveto
+245.1022 160.41367 245.45376 159.66107 246.15689 159.1819 curveto
+246.86522 158.70274 247.9746 158.46316 249.48502 158.46315 curveto
+251.13345 158.46315 lineto
+251.13345 158.2444 lineto
+251.13345 157.8017 250.95897 157.47878 250.61002 157.27565 curveto
+250.26105 157.06732 249.71678 156.96316 248.9772 156.96315 curveto
+248.37824 156.96316 247.82095 157.02305 247.30533 157.14284 curveto
+246.7897 157.26264 246.31053 157.44232 245.86783 157.6819 curveto
+245.86783 155.54909 lineto
+246.46678 155.40326 247.06835 155.29389 247.67252 155.22096 curveto
+248.27668 155.14285 248.88084 155.10378 249.48502 155.10378 curveto
+251.06313 155.10378 252.20115 155.41628 252.89908 156.04128 curveto
+253.60219 156.66107 253.95376 157.67149 253.95377 159.07253 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+256.57095 155.31471 moveto
+259.36783 155.31471 lineto
+259.36783 164.06471 lineto
+256.57095 164.06471 lineto
+256.57095 155.31471 lineto
+256.57095 151.90846 moveto
+259.36783 151.90846 lineto
+259.36783 154.18971 lineto
+256.57095 154.18971 lineto
+256.57095 151.90846 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+270.86783 158.73659 moveto
+270.86783 164.06471 lineto
+268.05533 164.06471 lineto
+268.05533 163.19753 lineto
+268.05533 159.98659 lineto
+268.05532 159.23138 268.03709 158.71055 268.00064 158.42409 curveto
+267.96938 158.13764 267.91209 157.9267 267.82877 157.79128 curveto
+267.71938 157.60899 267.57095 157.46836 267.38345 157.3694 curveto
+267.19595 157.26524 266.98241 157.21316 266.74283 157.21315 curveto
+266.15949 157.21316 265.70116 157.43972 265.36783 157.89284 curveto
+265.03449 158.34076 264.86782 158.96316 264.86783 159.76003 curveto
+264.86783 164.06471 lineto
+262.07095 164.06471 lineto
+262.07095 155.31471 lineto
+264.86783 155.31471 lineto
+264.86783 156.59596 lineto
+265.2897 156.08555 265.73762 155.71055 266.21158 155.47096 curveto
+266.68553 155.22618 267.20897 155.10378 267.78189 155.10378 curveto
+268.7923 155.10378 269.55792 155.41368 270.07877 156.03346 curveto
+270.6048 156.65326 270.86782 157.5543 270.86783 158.73659 curveto
+fill
+grestore
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99921262 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+424.72469 236.82544 moveto
+356.83209 236.82544 lineto
+356.83209 236.82544 lineto
+stroke
+gsave [-0.39968505 4.8945685e-17 -4.8945685e-17 -0.39968505 356.83209 236.82544] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99921268 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+282.35183 236.82544 moveto
+215.11403 236.82544 lineto
+215.11403 236.82544 lineto
+stroke
+gsave [-0.39968507 4.8945688e-17 -4.8945688e-17 -0.39968507 215.11403 236.82544] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99999994 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+424.69726 192.5341 moveto
+215.13005 192.5341 lineto
+stroke
+gsave [-0.39999998 4.8984251e-17 -4.8984251e-17 -0.39999998 215.13005 192.5341] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+211.98429 148.24276 moveto
+422.13162 148.24276 lineto
+stroke
+gsave [0.4 0 0 0.4 422.13162 148.24276] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+gsave [1 0 0 1 70.866146 78.725567] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99921262 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+88.044201 42.942394 moveto
+123.555 42.942394 lineto
+133.34843 42.942394 141.23267 50.826635 141.23267 60.620064 curveto
+141.23267 166.99701 lineto
+141.23267 176.79044 133.34843 184.67468 123.555 184.67468 curveto
+88.044201 184.67468 lineto
+78.250772 184.67468 70.366531 176.79044 70.366531 166.99701 curveto
+70.366531 60.620064 lineto
+70.366531 50.826635 78.250772 42.942394 88.044201 42.942394 curveto
+closepath
+stroke
+gsave
+0 0 0 setrgbcolor
+newpath
+83.823044 115.35931 moveto
+83.823044 119.95306 lineto
+81.026169 119.95306 lineto
+81.026169 107.87494 lineto
+83.823044 107.87494 lineto
+83.823044 109.15619 lineto
+84.208456 108.64578 84.635539 108.27078 85.104294 108.03119 curveto
+85.573038 107.78641 86.1121 107.66401 86.721481 107.664 curveto
+87.799598 107.66401 88.685014 108.0937 89.377731 108.95306 curveto
+90.070429 109.80724 90.416783 110.9088 90.416794 112.25775 curveto
+90.416783 113.60671 90.070429 114.71088 89.377731 115.57025 curveto
+88.685014 116.42442 87.799598 116.8515 86.721481 116.8515 curveto
+86.1121 116.8515 85.573038 116.73171 85.104294 116.49213 curveto
+84.635539 116.24734 84.208456 115.86973 83.823044 115.35931 curveto
+85.682419 109.69525 moveto
+85.083455 109.69526 84.622518 109.91661 84.299606 110.35931 curveto
+83.981894 110.79682 83.82304 111.42963 83.823044 112.25775 curveto
+83.82304 113.08588 83.981894 113.7213 84.299606 114.164 curveto
+84.622518 114.6015 85.083455 114.82025 85.682419 114.82025 curveto
+86.281371 114.82025 86.737099 114.6015 87.049606 114.164 curveto
+87.367307 113.7265 87.526161 113.09109 87.526169 112.25775 curveto
+87.526161 111.42442 87.367307 110.78901 87.049606 110.3515 curveto
+86.737099 109.91401 86.281371 109.69526 85.682419 109.69525 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+98.994919 110.25775 moveto
+98.75012 110.14317 98.505328 110.05984 98.260544 110.00775 curveto
+98.020954 109.95047 97.778766 109.92182 97.533981 109.92181 curveto
+96.815226 109.92182 96.260539 110.15359 95.869919 110.61713 curveto
+95.484498 111.07547 95.29179 111.73432 95.291794 112.59369 curveto
+95.291794 116.62494 lineto
+92.494919 116.62494 lineto
+92.494919 107.87494 lineto
+95.291794 107.87494 lineto
+95.291794 109.31244 lineto
+95.651164 108.73953 96.062622 108.32286 96.526169 108.06244 curveto
+96.994913 107.79682 97.554808 107.66401 98.205856 107.664 curveto
+98.299599 107.66401 98.401162 107.66922 98.510544 107.67963 curveto
+98.619911 107.68484 98.778765 107.70047 98.987106 107.7265 curveto
+98.994919 110.25775 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+104.56523 109.664 moveto
+103.94543 109.66401 103.47148 109.88797 103.14336 110.33588 curveto
+102.82044 110.77859 102.65898 111.41922 102.65898 112.25775 curveto
+102.65898 113.0963 102.82044 113.73953 103.14336 114.18744 curveto
+103.47148 114.63015 103.94543 114.8515 104.56523 114.8515 curveto
+105.1746 114.8515 105.64075 114.63015 105.96367 114.18744 curveto
+106.28658 113.73953 106.44804 113.0963 106.44804 112.25775 curveto
+106.44804 111.41922 106.28658 110.77859 105.96367 110.33588 curveto
+105.64075 109.88797 105.1746 109.66401 104.56523 109.664 curveto
+104.56523 107.664 moveto
+106.07043 107.66401 107.24491 108.07026 108.08867 108.88275 curveto
+108.93762 109.69526 109.3621 110.82026 109.36211 112.25775 curveto
+109.3621 113.69525 108.93762 114.82025 108.08867 115.63275 curveto
+107.24491 116.44525 106.07043 116.8515 104.56523 116.8515 curveto
+103.05481 116.8515 101.87252 116.44525 101.01836 115.63275 curveto
+100.1694 114.82025 99.744918 113.69525 99.744919 112.25775 curveto
+99.744918 110.82026 100.1694 109.69526 101.01836 108.88275 curveto
+101.87252 108.07026 103.05481 107.66401 104.56523 107.664 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+110.29961 107.87494 moveto
+113.09648 107.87494 lineto
+115.27617 113.92181 lineto
+117.44804 107.87494 lineto
+120.25273 107.87494 lineto
+116.80742 116.62494 lineto
+113.73711 116.62494 lineto
+110.29961 107.87494 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+130.57304 112.2265 moveto
+130.57304 113.02338 lineto
+124.03398 113.02338 lineto
+124.10169 113.67963 124.33866 114.17182 124.74492 114.49994 curveto
+125.15116 114.82807 125.71887 114.99213 126.44804 114.99213 curveto
+127.03658 114.99213 127.63814 114.90619 128.25273 114.73431 curveto
+128.87251 114.55723 129.50793 114.29161 130.15898 113.93744 curveto
+130.15898 116.09369 lineto
+129.49751 116.34369 128.83606 116.53119 128.17461 116.65619 curveto
+127.51314 116.7864 126.85168 116.8515 126.19023 116.8515 curveto
+124.60689 116.8515 123.37512 116.45046 122.49492 115.64838 curveto
+121.61992 114.84109 121.18242 113.71088 121.18242 112.25775 curveto
+121.18242 110.83067 121.61211 109.70828 122.47148 108.89056 curveto
+123.33606 108.07286 124.52356 107.66401 126.03398 107.664 curveto
+127.40897 107.66401 128.50793 108.07807 129.33086 108.90619 curveto
+130.15897 109.73432 130.57303 110.84109 130.57304 112.2265 curveto
+127.69804 111.29681 moveto
+127.69804 110.76557 127.54179 110.33849 127.22929 110.01556 curveto
+126.922 109.68745 126.51835 109.52338 126.01836 109.52338 curveto
+125.47668 109.52338 125.03658 109.67703 124.69804 109.98431 curveto
+124.3595 110.2864 124.14856 110.7239 124.06523 111.29681 curveto
+127.69804 111.29681 lineto
+fill
+grestore
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+176.66575 92.035445 moveto
+176.66575 118.61025 lineto
+stroke
+gsave [2.4492127e-17 0.4 -0.4 2.4492127e-17 176.66575 118.61025] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+gsave [0.2378166 0 0 -0.2269133 90.621413 253.06251] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+4.3013706 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+208.65508 282.05865 moveto
+193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
+43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
+45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
+177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
+stroke
+gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+grestore
+gsave [1 0 0 1 70.866151 78.725565] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+0.99921262 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+371.50879 42.942394 moveto
+407.01959 42.942394 lineto
+416.81302 42.942394 424.69726 50.826635 424.69726 60.620064 curveto
+424.69726 166.99701 lineto
+424.69726 176.79044 416.81302 184.67468 407.01959 184.67468 curveto
+371.50879 184.67468 lineto
+361.71536 184.67468 353.83112 176.79044 353.83112 166.99701 curveto
+353.83112 60.620064 lineto
+353.83112 50.826635 361.71536 42.942394 371.50879 42.942394 curveto
+closepath
+stroke
+gsave
+0 0 0 setrgbcolor
+newpath
+374.16263 110.83588 moveto
+374.16263 112.96088 lineto
+373.56366 112.71088 372.98554 112.52338 372.42825 112.39838 curveto
+371.87096 112.27338 371.34491 112.21088 370.85013 112.21088 curveto
+370.31887 112.21088 369.92304 112.27859 369.66263 112.414 curveto
+369.40742 112.54422 369.27981 112.74734 369.27982 113.02338 curveto
+369.27981 113.24734 369.37617 113.41922 369.56888 113.539 curveto
+369.76679 113.6588 370.11835 113.74734 370.62357 113.80463 curveto
+371.11575 113.87494 lineto
+372.54804 114.05724 373.51158 114.35671 374.00638 114.77338 curveto
+374.50116 115.19005 374.74856 115.84369 374.74857 116.73431 curveto
+374.74856 117.66661 374.40481 118.36713 373.71732 118.83588 curveto
+373.02981 119.30463 372.00377 119.539 370.63919 119.539 curveto
+370.06106 119.539 369.4621 119.49213 368.84232 119.39838 curveto
+368.22773 119.30983 367.59492 119.17442 366.94388 118.99213 curveto
+366.94388 116.86713 lineto
+367.50117 117.13796 368.07148 117.34109 368.65482 117.4765 curveto
+369.24335 117.61192 369.83971 117.67963 370.44388 117.67963 curveto
+370.99075 117.67963 371.40221 117.60411 371.67825 117.45306 curveto
+371.95429 117.30202 372.09231 117.07807 372.09232 116.78119 curveto
+372.09231 116.53119 371.99596 116.3463 371.80325 116.2265 curveto
+371.61575 116.1015 371.23814 116.00515 370.67044 115.93744 curveto
+370.17825 115.87494 lineto
+368.93346 115.71869 368.06106 115.42963 367.56107 115.00775 curveto
+367.06106 114.58588 366.81106 113.94526 366.81107 113.08588 curveto
+366.81106 112.1588 367.12877 111.4713 367.76419 111.02338 curveto
+368.3996 110.57547 369.37356 110.35151 370.68607 110.3515 curveto
+371.20169 110.35151 371.74335 110.39057 372.31107 110.46869 curveto
+372.87877 110.54682 373.49595 110.66922 374.16263 110.83588 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+379.91263 108.07806 moveto
+379.91263 110.56244 lineto
+382.79544 110.56244 lineto
+382.79544 112.56244 lineto
+379.91263 112.56244 lineto
+379.91263 116.27338 lineto
+379.91262 116.67963 379.99335 116.95567 380.15482 117.1015 curveto
+380.31627 117.24213 380.63658 117.31244 381.11575 117.31244 curveto
+382.55325 117.31244 lineto
+382.55325 119.31244 lineto
+380.15482 119.31244 lineto
+379.05065 119.31244 378.26679 119.08327 377.80325 118.62494 curveto
+377.34492 118.1614 377.11575 117.37755 377.11575 116.27338 curveto
+377.11575 112.56244 lineto
+375.72513 112.56244 lineto
+375.72513 110.56244 lineto
+377.11575 110.56244 lineto
+377.11575 108.07806 lineto
+379.91263 108.07806 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+388.43607 115.37494 moveto
+387.85273 115.37494 387.41262 115.4739 387.11575 115.67181 curveto
+386.82408 115.86973 386.67825 116.1614 386.67825 116.54681 curveto
+386.67825 116.90098 386.79544 117.17963 387.02982 117.38275 curveto
+387.26939 117.58067 387.60012 117.67963 388.022 117.67963 curveto
+388.54804 117.67963 388.99075 117.49213 389.35013 117.11713 curveto
+389.7095 116.73692 389.88918 116.26296 389.88919 115.69525 curveto
+389.88919 115.37494 lineto
+388.43607 115.37494 lineto
+392.7095 114.32025 moveto
+392.7095 119.31244 lineto
+389.88919 119.31244 lineto
+389.88919 118.01556 lineto
+389.51418 118.54681 389.09231 118.93484 388.62357 119.17963 curveto
+388.15481 119.41921 387.5845 119.539 386.91263 119.539 curveto
+386.00638 119.539 385.2694 119.27598 384.70169 118.74994 curveto
+384.13919 118.21869 383.85794 117.53119 383.85794 116.68744 curveto
+383.85794 115.6614 384.2095 114.9088 384.91263 114.42963 curveto
+385.62096 113.95047 386.73033 113.71088 388.24075 113.71088 curveto
+389.88919 113.71088 lineto
+389.88919 113.49213 lineto
+389.88918 113.04942 389.7147 112.72651 389.36575 112.52338 curveto
+389.01679 112.31505 388.47252 112.21088 387.73294 112.21088 curveto
+387.13398 112.21088 386.57669 112.27078 386.06107 112.39056 curveto
+385.54544 112.51036 385.06627 112.69005 384.62357 112.92963 curveto
+384.62357 110.79681 lineto
+385.22252 110.65099 385.82408 110.54161 386.42825 110.46869 curveto
+387.03242 110.39057 387.63658 110.35151 388.24075 110.3515 curveto
+389.81887 110.35151 390.95689 110.66401 391.65482 111.289 curveto
+392.35793 111.9088 392.70949 112.91922 392.7095 114.32025 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+398.38138 108.07806 moveto
+398.38138 110.56244 lineto
+401.26419 110.56244 lineto
+401.26419 112.56244 lineto
+398.38138 112.56244 lineto
+398.38138 116.27338 lineto
+398.38137 116.67963 398.4621 116.95567 398.62357 117.1015 curveto
+398.78502 117.24213 399.10533 117.31244 399.5845 117.31244 curveto
+401.022 117.31244 lineto
+401.022 119.31244 lineto
+398.62357 119.31244 lineto
+397.5194 119.31244 396.73554 119.08327 396.272 118.62494 curveto
+395.81367 118.1614 395.5845 117.37755 395.5845 116.27338 curveto
+395.5845 112.56244 lineto
+394.19388 112.56244 lineto
+394.19388 110.56244 lineto
+395.5845 110.56244 lineto
+395.5845 108.07806 lineto
+398.38138 108.07806 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+411.71732 114.914 moveto
+411.71732 115.71088 lineto
+405.17825 115.71088 lineto
+405.24596 116.36713 405.48294 116.85932 405.88919 117.18744 curveto
+406.29544 117.51557 406.86314 117.67963 407.59232 117.67963 curveto
+408.18085 117.67963 408.78241 117.59369 409.397 117.42181 curveto
+410.01679 117.24473 410.6522 116.97911 411.30325 116.62494 curveto
+411.30325 118.78119 lineto
+410.64179 119.03119 409.98033 119.21869 409.31888 119.34369 curveto
+408.65741 119.4739 407.99596 119.539 407.3345 119.539 curveto
+405.75117 119.539 404.5194 119.13796 403.63919 118.33588 curveto
+402.76419 117.52859 402.32669 116.39838 402.32669 114.94525 curveto
+402.32669 113.51817 402.75638 112.39578 403.61575 111.57806 curveto
+404.48033 110.76036 405.66783 110.35151 407.17825 110.3515 curveto
+408.55325 110.35151 409.6522 110.76557 410.47513 111.59369 curveto
+411.30324 112.42182 411.71731 113.52859 411.71732 114.914 curveto
+408.84232 113.98431 moveto
+408.84231 113.45307 408.68606 113.02599 408.37357 112.70306 curveto
+408.06627 112.37495 407.66262 112.21088 407.16263 112.21088 curveto
+406.62096 112.21088 406.18085 112.36453 405.84232 112.67181 curveto
+405.50377 112.9739 405.29283 113.4114 405.2095 113.98431 curveto
+408.84232 113.98431 lineto
+fill
+grestore
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+460.13031 263.40024 moveto
+460.13031 289.97505 lineto
+stroke
+gsave [2.4492127e-17 0.4 -0.4 2.4492127e-17 460.13031 289.97505] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+gsave [-0.2378166 0 0 0.2269133 546.17466 132.00569] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+4.3013706 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+208.65508 282.05865 moveto
+193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
+43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
+45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
+177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
+stroke
+gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+grestore
+gsave [-0.2378166 0 0 0.2269133 546.17465 87.714359] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+4.3013706 setlinewidth
+2 setlinejoin
+1 setlinecap
+newpath
+208.65508 282.05865 moveto
+193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
+43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
+45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
+177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
+stroke
+gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+grestore
+gsave [-0.2378166 0 0 0.2269133 546.17465 176.29703] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+4.3013706 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+208.65508 282.05865 moveto
+193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
+43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
+45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
+177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
+stroke
+gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+grestore
+gsave [0 0.2378166 0.2269133 0 399.60191 71.056696] concat
+0 0 0 setrgbcolor
+[] 0 setdash
+4.3013706 setlinewidth
+1 setlinejoin
+1 setlinecap
+newpath
+208.65508 282.05865 moveto
+193.86388 310.15339 141.95677 326.09523 92.790977 317.64312 curveto
+43.625187 309.19101 15.726964 279.5298 30.518156 251.43506 curveto
+45.309349 223.34033 97.216466 207.39848 146.38226 215.85059 curveto
+177.29043 221.16403 199.42278 233.82562 208.68579 251.49353 curveto
+stroke
+gsave [0.79891445 1.5238182 -1.5238182 0.79891445 208.68579 251.49353] concat
+gsave
+0 0 0 setrgbcolor
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+eofill
+grestore
+0 0 0 setrgbcolor
+[] 0 setdash
+1.25 setlinewidth
+0 setlinejoin
+0 setlinecap
+newpath
+5.77 0 moveto
+-2.88 5 lineto
+-2.88 -5 lineto
+5.77 0 lineto
+closepath
+stroke
+grestore
+grestore
+gsave [1 0 0 1 17.216929 6.5104864] concat
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+187.35507 103.05839 moveto
+187.35507 104.61112 lineto
+189.20566 104.61112 lineto
+189.20566 105.30936 lineto
+187.35507 105.30936 lineto
+187.35507 108.27811 lineto
+187.35507 108.72408 187.41529 109.01054 187.53574 109.13749 curveto
+187.65943 109.26444 187.90846 109.32792 188.28281 109.32792 curveto
+189.20566 109.32792 lineto
+189.20566 110.07987 lineto
+188.28281 110.07987 lineto
+187.58944 110.07987 187.11093 109.95129 186.84726 109.69413 curveto
+186.58359 109.43371 186.45175 108.96171 186.45175 108.27811 curveto
+186.45175 105.30936 lineto
+185.79257 105.30936 lineto
+185.79257 104.61112 lineto
+186.45175 104.61112 lineto
+186.45175 103.05839 lineto
+187.35507 103.05839 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+194.93808 106.77909 moveto
+194.93808 110.07987 lineto
+194.03964 110.07987 lineto
+194.03964 106.80839 lineto
+194.03964 106.29081 193.93873 105.90344 193.73691 105.64628 curveto
+193.53508 105.38912 193.23235 105.26054 192.8287 105.26054 curveto
+192.34368 105.26054 191.96119 105.41516 191.68124 105.7244 curveto
+191.40129 106.03365 191.26132 106.4552 191.26132 106.98905 curveto
+191.26132 110.07987 lineto
+190.358 110.07987 lineto
+190.358 102.48222 lineto
+191.26132 102.48222 lineto
+191.26132 105.46073 lineto
+191.47616 105.13196 191.72844 104.88619 192.01816 104.72343 curveto
+192.31112 104.56067 192.64804 104.47929 193.0289 104.47929 curveto
+193.65715 104.47929 194.13241 104.6746 194.45468 105.06522 curveto
+194.77694 105.4526 194.93807 106.02389 194.93808 106.77909 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+201.41757 107.12089 moveto
+201.41757 107.56034 lineto
+197.28671 107.56034 lineto
+197.32577 108.17883 197.51132 108.65084 197.84335 108.97636 curveto
+198.17864 109.29862 198.64413 109.45976 199.23984 109.45975 curveto
+199.58489 109.45976 199.91854 109.41744 200.24081 109.3328 curveto
+200.56633 109.24817 200.8886 109.12121 201.20761 108.95194 curveto
+201.20761 109.80155 lineto
+200.88534 109.93827 200.55494 110.04244 200.2164 110.11405 curveto
+199.87785 110.18567 199.53443 110.22147 199.18613 110.22147 curveto
+198.31373 110.22147 197.622 109.96757 197.11093 109.45975 curveto
+196.60312 108.95194 196.34921 108.2651 196.34921 107.39921 curveto
+196.34921 106.50403 196.5901 105.79439 197.07187 105.2703 curveto
+197.55689 104.74296 198.20956 104.47929 199.02988 104.47929 curveto
+199.76555 104.47929 200.3466 104.71692 200.77304 105.19218 curveto
+201.20272 105.66419 201.41757 106.30709 201.41757 107.12089 curveto
+200.51913 106.85722 moveto
+200.51262 106.36568 200.37427 105.97343 200.1041 105.68046 curveto
+199.83716 105.38749 199.48235 105.24101 199.03964 105.241 curveto
+198.53834 105.24101 198.13632 105.38261 197.83359 105.66581 curveto
+197.53411 105.94902 197.36158 106.34778 197.31601 106.8621 curveto
+200.51913 106.85722 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+205.01132 105.241 moveto
+204.52955 105.24101 204.14869 105.42981 203.86874 105.80741 curveto
+203.58879 106.18176 203.44882 106.69609 203.44882 107.35038 curveto
+203.44882 108.00468 203.58717 108.52063 203.86386 108.89823 curveto
+204.14381 109.27258 204.52629 109.45976 205.01132 109.45975 curveto
+205.48983 109.45976 205.86907 109.27095 206.14902 108.89335 curveto
+206.42896 108.51575 206.56893 108.00142 206.56894 107.35038 curveto
+206.56893 106.7026 206.42896 106.1899 206.14902 105.81229 curveto
+205.86907 105.43144 205.48983 105.24101 205.01132 105.241 curveto
+205.01132 104.47929 moveto
+205.79257 104.47929 206.40617 104.7332 206.85214 105.241 curveto
+207.2981 105.74882 207.52108 106.45195 207.52109 107.35038 curveto
+207.52108 108.24556 207.2981 108.94869 206.85214 109.45975 curveto
+206.40617 109.96757 205.79257 110.22147 205.01132 110.22147 curveto
+204.22681 110.22147 203.61158 109.96757 203.16562 109.45975 curveto
+202.72291 108.94869 202.50156 108.24556 202.50156 107.35038 curveto
+202.50156 106.45195 202.72291 105.74882 203.16562 105.241 curveto
+203.61158 104.7332 204.22681 104.47929 205.01132 104.47929 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+212.17441 105.45097 moveto
+212.07349 105.39238 211.96282 105.35006 211.84238 105.32401 curveto
+211.72519 105.29472 211.59498 105.28007 211.45175 105.28007 curveto
+210.94394 105.28007 210.55331 105.44609 210.27988 105.77811 curveto
+210.00969 106.10689 209.8746 106.58053 209.8746 107.19901 curveto
+209.8746 110.07987 lineto
+208.97128 110.07987 lineto
+208.97128 104.61112 lineto
+209.8746 104.61112 lineto
+209.8746 105.46073 lineto
+210.0634 105.12871 210.30917 104.88294 210.61191 104.72343 curveto
+210.91464 104.56067 211.28248 104.47929 211.71542 104.47929 curveto
+211.77727 104.47929 211.84563 104.48417 211.9205 104.49393 curveto
+211.99537 104.50045 212.07838 104.51184 212.16953 104.52811 curveto
+212.17441 105.45097 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+217.58945 107.12089 moveto
+217.58945 107.56034 lineto
+213.45859 107.56034 lineto
+213.49765 108.17883 213.6832 108.65084 214.01523 108.97636 curveto
+214.35051 109.29862 214.81601 109.45976 215.41171 109.45975 curveto
+215.75676 109.45976 216.09042 109.41744 216.41269 109.3328 curveto
+216.73821 109.24817 217.06047 109.12121 217.37949 108.95194 curveto
+217.37949 109.80155 lineto
+217.05722 109.93827 216.72681 110.04244 216.38828 110.11405 curveto
+216.04973 110.18567 215.70631 110.22147 215.358 110.22147 curveto
+214.4856 110.22147 213.79387 109.96757 213.28281 109.45975 curveto
+212.77499 108.95194 212.52109 108.2651 212.52109 107.39921 curveto
+212.52109 106.50403 212.76197 105.79439 213.24374 105.2703 curveto
+213.72877 104.74296 214.38144 104.47929 215.20175 104.47929 curveto
+215.93742 104.47929 216.51848 104.71692 216.94492 105.19218 curveto
+217.3746 105.66419 217.58944 106.30709 217.58945 107.12089 curveto
+216.69101 106.85722 moveto
+216.68449 106.36568 216.54615 105.97343 216.27597 105.68046 curveto
+216.00904 105.38749 215.65422 105.24101 215.21152 105.241 curveto
+214.71021 105.24101 214.30819 105.38261 214.00546 105.66581 curveto
+213.70598 105.94902 213.53346 106.34778 213.48788 106.8621 curveto
+216.69101 106.85722 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+223.32187 105.66093 moveto
+223.54647 105.25729 223.81503 104.95943 224.12753 104.76737 curveto
+224.44003 104.57532 224.80786 104.47929 225.23105 104.47929 curveto
+225.8007 104.47929 226.24016 104.67949 226.54941 105.07987 curveto
+226.85864 105.47701 227.01327 106.04342 227.01328 106.77909 curveto
+227.01328 110.07987 lineto
+226.10995 110.07987 lineto
+226.10995 106.80839 lineto
+226.10995 106.2843 226.01717 105.89531 225.83163 105.6414 curveto
+225.64608 105.38749 225.36288 105.26054 224.98203 105.26054 curveto
+224.51652 105.26054 224.14869 105.41516 223.87851 105.7244 curveto
+223.60832 106.03365 223.47323 106.4552 223.47324 106.98905 curveto
+223.47324 110.07987 lineto
+222.56992 110.07987 lineto
+222.56992 106.80839 lineto
+222.56991 106.28105 222.47714 105.89205 222.2916 105.6414 curveto
+222.10604 105.38749 221.81959 105.26054 221.43222 105.26054 curveto
+220.97323 105.26054 220.60865 105.41679 220.33847 105.72929 curveto
+220.06829 106.03854 219.9332 106.45846 219.9332 106.98905 curveto
+219.9332 110.07987 lineto
+219.02988 110.07987 lineto
+219.02988 104.61112 lineto
+219.9332 104.61112 lineto
+219.9332 105.46073 lineto
+220.13827 105.12545 220.38404 104.87805 220.6705 104.71854 curveto
+220.95696 104.55904 221.29713 104.47929 221.69101 104.47929 curveto
+222.08814 104.47929 222.42505 104.5802 222.70175 104.78202 curveto
+222.98169 104.98385 223.1884 105.27682 223.32187 105.66093 curveto
+fill
+grestore
+gsave [1 0 0 1 17.216929 6.5104864] concat
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+470.46808 277.74594 moveto
+470.46808 278.40675 470.60317 278.92596 470.87335 279.30356 curveto
+471.14679 279.67791 471.52114 279.86508 471.9964 279.86508 curveto
+472.47166 279.86508 472.846 279.67791 473.11945 279.30356 curveto
+473.39288 278.92596 473.5296 278.40675 473.5296 277.74594 curveto
+473.5296 277.08514 473.39288 276.56756 473.11945 276.19321 curveto
+472.846 275.81561 472.47166 275.62681 471.9964 275.6268 curveto
+471.52114 275.62681 471.14679 275.81561 470.87335 276.19321 curveto
+470.60317 276.56756 470.46808 277.08514 470.46808 277.74594 curveto
+473.5296 279.65512 moveto
+473.3408 279.98064 473.10154 280.22315 472.81183 280.38266 curveto
+472.52537 280.53891 472.18032 280.61703 471.77667 280.61703 curveto
+471.11586 280.61703 470.57713 280.35336 470.16046 279.82602 curveto
+469.74705 279.29868 469.54034 278.60532 469.54034 277.74594 curveto
+469.54034 276.88657 469.74705 276.19321 470.16046 275.66586 curveto
+470.57713 275.13852 471.11586 274.87485 471.77667 274.87485 curveto
+472.18032 274.87485 472.52537 274.95461 472.81183 275.11411 curveto
+473.10154 275.27036 473.3408 275.51125 473.5296 275.83676 curveto
+473.5296 275.00668 lineto
+474.42804 275.00668 lineto
+474.42804 282.55551 lineto
+473.5296 282.55551 lineto
+473.5296 279.65512 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+480.95636 277.51645 moveto
+480.95636 277.9559 lineto
+476.8255 277.9559 lineto
+476.86456 278.57439 477.05011 279.0464 477.38214 279.37192 curveto
+477.71743 279.69418 478.18292 279.85532 478.77863 279.85532 curveto
+479.12367 279.85532 479.45733 279.813 479.7796 279.72836 curveto
+480.10512 279.64373 480.42738 279.51678 480.7464 279.3475 curveto
+480.7464 280.19711 lineto
+480.42413 280.33383 480.09372 280.438 479.75519 280.50961 curveto
+479.41664 280.58123 479.07322 280.61703 478.72491 280.61703 curveto
+477.85252 280.61703 477.16079 280.36313 476.64972 279.85532 curveto
+476.14191 279.3475 475.888 278.66066 475.888 277.79477 curveto
+475.888 276.89959 476.12889 276.18996 476.61066 275.66586 curveto
+477.09568 275.13852 477.74835 274.87485 478.56866 274.87485 curveto
+479.30434 274.87485 479.88539 275.11248 480.31183 275.58774 curveto
+480.74151 276.05975 480.95635 276.70265 480.95636 277.51645 curveto
+480.05792 277.25278 moveto
+480.05141 276.76124 479.91306 276.36899 479.64288 276.07602 curveto
+479.37595 275.78306 479.02113 275.63657 478.57843 275.63657 curveto
+478.07713 275.63657 477.67511 275.77817 477.37238 276.06137 curveto
+477.07289 276.34458 476.90037 276.74334 476.8548 277.25766 curveto
+480.05792 277.25278 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+486.0296 275.83676 moveto
+486.0296 272.87778 lineto
+486.92804 272.87778 lineto
+486.92804 280.47543 lineto
+486.0296 280.47543 lineto
+486.0296 279.65512 lineto
+485.8408 279.98064 485.60154 280.22315 485.31183 280.38266 curveto
+485.02537 280.53891 484.68032 280.61703 484.27667 280.61703 curveto
+483.61586 280.61703 483.07713 280.35336 482.66046 279.82602 curveto
+482.24705 279.29868 482.04034 278.60532 482.04034 277.74594 curveto
+482.04034 276.88657 482.24705 276.19321 482.66046 275.66586 curveto
+483.07713 275.13852 483.61586 274.87485 484.27667 274.87485 curveto
+484.68032 274.87485 485.02537 274.95461 485.31183 275.11411 curveto
+485.60154 275.27036 485.8408 275.51125 486.0296 275.83676 curveto
+482.96808 277.74594 moveto
+482.96808 278.40675 483.10317 278.92596 483.37335 279.30356 curveto
+483.64679 279.67791 484.02114 279.86508 484.4964 279.86508 curveto
+484.97166 279.86508 485.346 279.67791 485.61945 279.30356 curveto
+485.89288 278.92596 486.0296 278.40675 486.0296 277.74594 curveto
+486.0296 277.08514 485.89288 276.56756 485.61945 276.19321 curveto
+485.346 275.81561 484.97166 275.62681 484.4964 275.6268 curveto
+484.02114 275.62681 483.64679 275.81561 483.37335 276.19321 curveto
+483.10317 276.56756 482.96808 277.08514 482.96808 277.74594 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+550.54895 236.85474 moveto
+550.54895 237.51555 550.68404 238.03475 550.95422 238.41235 curveto
+551.22766 238.7867 551.60201 238.97388 552.07727 238.97388 curveto
+552.55253 238.97388 552.92688 238.7867 553.20032 238.41235 curveto
+553.47375 238.03475 553.61047 237.51555 553.61047 236.85474 curveto
+553.61047 236.19393 553.47375 235.67635 553.20032 235.302 curveto
+552.92688 234.9244 552.55253 234.7356 552.07727 234.7356 curveto
+551.60201 234.7356 551.22766 234.9244 550.95422 235.302 curveto
+550.68404 235.67635 550.54895 236.19393 550.54895 236.85474 curveto
+553.61047 238.76392 moveto
+553.42167 239.08944 553.18241 239.33195 552.8927 239.49146 curveto
+552.60624 239.64771 552.26119 239.72583 551.85754 239.72583 curveto
+551.19673 239.72583 550.658 239.46216 550.24133 238.93481 curveto
+549.82792 238.40747 549.62122 237.71411 549.62122 236.85474 curveto
+549.62122 235.99536 549.82792 235.30201 550.24133 234.77466 curveto
+550.658 234.24732 551.19673 233.98365 551.85754 233.98364 curveto
+552.26119 233.98365 552.60624 234.0634 552.8927 234.2229 curveto
+553.18241 234.37916 553.42167 234.62004 553.61047 234.94556 curveto
+553.61047 234.11548 lineto
+554.50891 234.11548 lineto
+554.50891 241.66431 lineto
+553.61047 241.66431 lineto
+553.61047 238.76392 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+561.03723 236.62524 moveto
+561.03723 237.0647 lineto
+556.90637 237.0647 lineto
+556.94543 237.68319 557.13098 238.15519 557.46301 238.48071 curveto
+557.7983 238.80298 558.26379 238.96411 558.8595 238.96411 curveto
+559.20455 238.96411 559.5382 238.92179 559.86047 238.83716 curveto
+560.18599 238.75252 560.50825 238.62557 560.82727 238.4563 curveto
+560.82727 239.30591 lineto
+560.505 239.44263 560.1746 239.54679 559.83606 239.61841 curveto
+559.49751 239.69002 559.15409 239.72583 558.80579 239.72583 curveto
+557.93339 239.72583 557.24166 239.47192 556.73059 238.96411 curveto
+556.22278 238.4563 555.96887 237.76945 555.96887 236.90356 curveto
+555.96887 236.00839 556.20976 235.29875 556.69153 234.77466 curveto
+557.17655 234.24732 557.82922 233.98365 558.64954 233.98364 curveto
+559.38521 233.98365 559.96626 234.22128 560.3927 234.69653 curveto
+560.82238 235.16854 561.03723 235.81145 561.03723 236.62524 curveto
+560.13879 236.36157 moveto
+560.13228 235.87004 559.99393 235.47779 559.72375 235.18481 curveto
+559.45682 234.89185 559.10201 234.74537 558.6593 234.74536 curveto
+558.158 234.74537 557.75598 234.88697 557.45325 235.17017 curveto
+557.15377 235.45337 556.98124 235.85214 556.93567 236.36646 curveto
+560.13879 236.36157 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+566.11047 234.94556 moveto
+566.11047 231.98657 lineto
+567.00891 231.98657 lineto
+567.00891 239.58423 lineto
+566.11047 239.58423 lineto
+566.11047 238.76392 lineto
+565.92167 239.08944 565.68241 239.33195 565.3927 239.49146 curveto
+565.10624 239.64771 564.76119 239.72583 564.35754 239.72583 curveto
+563.69673 239.72583 563.158 239.46216 562.74133 238.93481 curveto
+562.32792 238.40747 562.12122 237.71411 562.12122 236.85474 curveto
+562.12122 235.99536 562.32792 235.30201 562.74133 234.77466 curveto
+563.158 234.24732 563.69673 233.98365 564.35754 233.98364 curveto
+564.76119 233.98365 565.10624 234.0634 565.3927 234.2229 curveto
+565.68241 234.37916 565.92167 234.62004 566.11047 234.94556 curveto
+563.04895 236.85474 moveto
+563.04895 237.51555 563.18404 238.03475 563.45422 238.41235 curveto
+563.72766 238.7867 564.10201 238.97388 564.57727 238.97388 curveto
+565.05253 238.97388 565.42688 238.7867 565.70032 238.41235 curveto
+565.97375 238.03475 566.11047 237.51555 566.11047 236.85474 curveto
+566.11047 236.19393 565.97375 235.67635 565.70032 235.302 curveto
+565.42688 234.9244 565.05253 234.7356 564.57727 234.7356 curveto
+564.10201 234.7356 563.72766 234.9244 563.45422 235.302 curveto
+563.18404 235.67635 563.04895 236.19393 563.04895 236.85474 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+553.10266 183.66447 moveto
+553.10266 184.41154 lineto
+552.24329 184.41154 lineto
+551.92102 184.41155 551.69641 184.47666 551.56946 184.60686 curveto
+551.44576 184.73707 551.38391 184.97145 551.38391 185.30998 curveto
+551.38391 185.79338 lineto
+552.8634 185.79338 lineto
+552.8634 186.49162 lineto
+551.38391 186.49162 lineto
+551.38391 191.26213 lineto
+550.48059 191.26213 lineto
+550.48059 186.49162 lineto
+549.62122 186.49162 lineto
+549.62122 185.79338 lineto
+550.48059 185.79338 lineto
+550.48059 185.41252 lineto
+550.48059 184.8038 550.62219 184.3611 550.9054 184.0844 curveto
+551.1886 183.80446 551.63782 183.66448 552.25305 183.66447 curveto
+553.10266 183.66447 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+553.84973 185.79338 moveto
+554.74817 185.79338 lineto
+554.74817 191.26213 lineto
+553.84973 191.26213 lineto
+553.84973 185.79338 lineto
+553.84973 183.66447 moveto
+554.74817 183.66447 lineto
+554.74817 184.80217 lineto
+553.84973 184.80217 lineto
+553.84973 183.66447 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+561.16907 185.79338 moveto
+559.19153 188.45451 lineto
+561.27161 191.26213 lineto
+560.21204 191.26213 lineto
+558.62024 189.11369 lineto
+557.02844 191.26213 lineto
+555.96887 191.26213 lineto
+558.0929 188.4008 lineto
+556.14954 185.79338 lineto
+557.20911 185.79338 lineto
+558.6593 187.74162 lineto
+560.1095 185.79338 lineto
+561.16907 185.79338 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+552.81946 198.51311 moveto
+552.09354 198.51311 551.59061 198.59612 551.31067 198.76213 curveto
+551.03072 198.92815 550.89075 199.21135 550.89075 199.61174 curveto
+550.89075 199.93075 550.99491 200.18466 551.20325 200.37346 curveto
+551.41483 200.55901 551.70129 200.65178 552.06262 200.65178 curveto
+552.56067 200.65178 552.95943 200.476 553.25891 200.12444 curveto
+553.56164 199.76962 553.71301 199.29924 553.71301 198.7133 curveto
+553.71301 198.51311 lineto
+552.81946 198.51311 lineto
+554.61145 198.14201 moveto
+554.61145 201.26213 lineto
+553.71301 201.26213 lineto
+553.71301 200.43205 lineto
+553.50793 200.76408 553.2524 201.00985 552.94641 201.16936 curveto
+552.64042 201.32561 552.26607 201.40373 551.82336 201.40373 curveto
+551.26347 201.40373 550.8175 201.24748 550.48547 200.93498 curveto
+550.1567 200.61923 549.99231 200.19768 549.99231 199.67033 curveto
+549.99231 199.0551 550.19739 198.59123 550.60754 198.27873 curveto
+551.02095 197.96624 551.63619 197.80999 552.45325 197.80998 curveto
+553.71301 197.80998 lineto
+553.71301 197.72209 lineto
+553.71301 197.30868 553.57629 196.98967 553.30286 196.76506 curveto
+553.03267 196.5372 552.65181 196.42327 552.16028 196.42326 curveto
+551.84778 196.42327 551.54341 196.4607 551.24719 196.53557 curveto
+550.95097 196.61044 550.66614 196.72275 550.3927 196.87248 curveto
+550.3927 196.0424 lineto
+550.72147 195.91546 551.04049 195.82106 551.34973 195.7592 curveto
+551.65897 195.6941 551.96008 195.66155 552.25305 195.66154 curveto
+553.04406 195.66155 553.63488 195.86663 554.02551 196.27678 curveto
+554.41613 196.68694 554.61144 197.30868 554.61145 198.14201 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+559.95325 195.95451 moveto
+559.95325 196.80412 lineto
+559.69934 196.67392 559.43567 196.57626 559.16223 196.51115 curveto
+558.88879 196.44605 558.60559 196.4135 558.31262 196.4135 curveto
+557.86666 196.4135 557.53137 196.48186 557.30676 196.61858 curveto
+557.08541 196.7553 556.97473 196.96038 556.97473 197.23381 curveto
+556.97473 197.44215 557.05448 197.60654 557.21399 197.72697 curveto
+557.37349 197.84417 557.69413 197.95647 558.1759 198.06389 curveto
+558.48352 198.13225 lineto
+559.12154 198.26897 559.57401 198.46265 559.84094 198.7133 curveto
+560.11112 198.9607 560.24621 199.30738 560.24622 199.75334 curveto
+560.24621 200.26116 560.04439 200.66317 559.64075 200.9594 curveto
+559.24035 201.25562 558.6886 201.40373 557.98547 201.40373 curveto
+557.6925 201.40373 557.38651 201.37444 557.0675 201.31584 curveto
+556.75175 201.2605 556.41809 201.17587 556.06653 201.06194 curveto
+556.06653 200.1342 lineto
+556.39856 200.30673 556.72571 200.43694 557.04797 200.52483 curveto
+557.37024 200.60946 557.68925 200.65178 558.005 200.65178 curveto
+558.42818 200.65178 558.7537 200.58017 558.98157 200.43694 curveto
+559.20943 200.29045 559.32336 200.08537 559.32336 199.8217 curveto
+559.32336 199.57756 559.24035 199.39039 559.07434 199.26018 curveto
+558.91158 199.12997 558.55188 199.00465 557.99524 198.8842 curveto
+557.68274 198.81096 lineto
+557.1261 198.69377 556.72408 198.51474 556.47668 198.27385 curveto
+556.22929 198.02971 556.10559 197.69605 556.10559 197.27287 curveto
+556.10559 196.75855 556.28788 196.36142 556.65247 196.08147 curveto
+557.01705 195.80152 557.53463 195.66155 558.2052 195.66154 curveto
+558.53723 195.66155 558.84973 195.68596 559.1427 195.73479 curveto
+559.43567 195.78362 559.70585 195.85686 559.95325 195.95451 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+565.16809 195.95451 moveto
+565.16809 196.80412 lineto
+564.91418 196.67392 564.65051 196.57626 564.37708 196.51115 curveto
+564.10363 196.44605 563.82043 196.4135 563.52747 196.4135 curveto
+563.0815 196.4135 562.74621 196.48186 562.52161 196.61858 curveto
+562.30025 196.7553 562.18957 196.96038 562.18958 197.23381 curveto
+562.18957 197.44215 562.26933 197.60654 562.42883 197.72697 curveto
+562.58834 197.84417 562.90897 197.95647 563.39075 198.06389 curveto
+563.69836 198.13225 lineto
+564.33638 198.26897 564.78886 198.46265 565.05579 198.7133 curveto
+565.32596 198.9607 565.46105 199.30738 565.46106 199.75334 curveto
+565.46105 200.26116 565.25923 200.66317 564.85559 200.9594 curveto
+564.4552 201.25562 563.90344 201.40373 563.20032 201.40373 curveto
+562.90735 201.40373 562.60136 201.37444 562.28235 201.31584 curveto
+561.96659 201.2605 561.63293 201.17587 561.28137 201.06194 curveto
+561.28137 200.1342 lineto
+561.6134 200.30673 561.94055 200.43694 562.26282 200.52483 curveto
+562.58508 200.60946 562.90409 200.65178 563.21985 200.65178 curveto
+563.64302 200.65178 563.96854 200.58017 564.19641 200.43694 curveto
+564.42427 200.29045 564.5382 200.08537 564.53821 199.8217 curveto
+564.5382 199.57756 564.4552 199.39039 564.28918 199.26018 curveto
+564.12642 199.12997 563.76672 199.00465 563.21008 198.8842 curveto
+562.89758 198.81096 lineto
+562.34094 198.69377 561.93892 198.51474 561.69153 198.27385 curveto
+561.44413 198.02971 561.32043 197.69605 561.32043 197.27287 curveto
+561.32043 196.75855 561.50273 196.36142 561.86731 196.08147 curveto
+562.23189 195.80152 562.74947 195.66155 563.42004 195.66154 curveto
+563.75207 195.66155 564.06457 195.68596 564.35754 195.73479 curveto
+564.65051 195.78362 564.92069 195.85686 565.16809 195.95451 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+566.80383 199.10393 moveto
+566.80383 195.79338 lineto
+567.70227 195.79338 lineto
+567.70227 199.06975 lineto
+567.70227 199.58733 567.80318 199.97632 568.005 200.23674 curveto
+568.20683 200.4939 568.50956 200.62248 568.91321 200.62248 curveto
+569.39823 200.62248 569.78072 200.46786 570.06067 200.15862 curveto
+570.34387 199.84937 570.48547 199.42782 570.48547 198.89397 curveto
+570.48547 195.79338 lineto
+571.38391 195.79338 lineto
+571.38391 201.26213 lineto
+570.48547 201.26213 lineto
+570.48547 200.42229 lineto
+570.26737 200.75432 570.01346 201.00171 569.72375 201.16447 curveto
+569.43729 201.32398 569.10363 201.40373 568.72278 201.40373 curveto
+568.09452 201.40373 567.61763 201.20842 567.29211 200.81779 curveto
+566.96659 200.42717 566.80383 199.85588 566.80383 199.10393 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+577.50208 196.84319 moveto
+577.72668 196.43954 577.99523 196.14169 578.30774 195.94963 curveto
+578.62023 195.75758 578.98807 195.66155 579.41125 195.66154 curveto
+579.98091 195.66155 580.42036 195.86175 580.72961 196.26213 curveto
+581.03885 196.65927 581.19347 197.22568 581.19348 197.96135 curveto
+581.19348 201.26213 lineto
+580.29016 201.26213 lineto
+580.29016 197.99065 lineto
+580.29015 197.46656 580.19738 197.07756 580.01184 196.82365 curveto
+579.82629 196.56975 579.54308 196.4428 579.16223 196.44279 curveto
+578.69673 196.4428 578.32889 196.59742 578.05872 196.90666 curveto
+577.78853 197.21591 577.65344 197.63746 577.65344 198.17131 curveto
+577.65344 201.26213 lineto
+576.75012 201.26213 lineto
+576.75012 197.99065 lineto
+576.75012 197.46331 576.65734 197.07431 576.4718 196.82365 curveto
+576.28625 196.56975 575.99979 196.4428 575.61243 196.44279 curveto
+575.15344 196.4428 574.78886 196.59905 574.51868 196.91154 curveto
+574.24849 197.22079 574.1134 197.64072 574.1134 198.17131 curveto
+574.1134 201.26213 lineto
+573.21008 201.26213 lineto
+573.21008 195.79338 lineto
+574.1134 195.79338 lineto
+574.1134 196.64299 lineto
+574.31848 196.30771 574.56425 196.06031 574.85071 195.9008 curveto
+575.13716 195.7413 575.47733 195.66155 575.87122 195.66154 curveto
+576.26835 195.66155 576.60526 195.76246 576.88196 195.96428 curveto
+577.1619 196.16611 577.36861 196.45908 577.50208 196.84319 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+587.66809 198.30315 moveto
+587.66809 198.7426 lineto
+583.53723 198.7426 lineto
+583.57629 199.36109 583.76184 199.8331 584.09387 200.15862 curveto
+584.42916 200.48088 584.89465 200.64201 585.49036 200.64201 curveto
+585.8354 200.64201 586.16906 200.5997 586.49133 200.51506 curveto
+586.81685 200.43043 587.13911 200.30347 587.45813 200.1342 curveto
+587.45813 200.98381 lineto
+587.13586 201.12053 586.80546 201.2247 586.46692 201.29631 curveto
+586.12837 201.36792 585.78495 201.40373 585.43665 201.40373 curveto
+584.56425 201.40373 583.87252 201.14983 583.36145 200.64201 curveto
+582.85364 200.1342 582.59973 199.44735 582.59973 198.58147 curveto
+582.59973 197.68629 582.84062 196.97665 583.32239 196.45256 curveto
+583.80741 195.92522 584.46008 195.66155 585.2804 195.66154 curveto
+586.01607 195.66155 586.59712 195.89918 587.02356 196.37444 curveto
+587.45324 196.84645 587.66809 197.48935 587.66809 198.30315 curveto
+586.76965 198.03947 moveto
+586.76314 197.54794 586.62479 197.15569 586.35461 196.86272 curveto
+586.08768 196.56975 585.73287 196.42327 585.29016 196.42326 curveto
+584.78886 196.42327 584.38684 196.56487 584.08411 196.84807 curveto
+583.78463 197.13128 583.6121 197.53004 583.56653 198.04436 curveto
+586.76965 198.03947 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+553.82532 147.89853 moveto
+553.82532 148.60165 lineto
+553.52258 148.60165 lineto
+552.71203 148.60165 552.16841 148.48121 551.89172 148.24033 curveto
+551.61828 147.99944 551.48156 147.5193 551.48157 146.7999 curveto
+551.48157 145.6329 lineto
+551.48156 145.14137 551.39367 144.8012 551.2179 144.6124 curveto
+551.04211 144.4236 550.7231 144.3292 550.26086 144.32919 curveto
+549.96301 144.32919 lineto
+549.96301 143.63095 lineto
+550.26086 143.63095 lineto
+550.72636 143.63095 551.04537 143.53818 551.2179 143.35263 curveto
+551.39367 143.16383 551.48156 142.82692 551.48157 142.34189 curveto
+551.48157 141.17001 lineto
+551.48156 140.45062 551.61828 139.9721 551.89172 139.73447 curveto
+552.16841 139.49359 552.71203 139.37315 553.52258 139.37314 curveto
+553.82532 139.37314 lineto
+553.82532 140.07138 lineto
+553.49329 140.07138 lineto
+553.0343 140.07139 552.73482 140.143 552.59485 140.28622 curveto
+552.45487 140.42946 552.38488 140.73057 552.38489 141.18954 curveto
+552.38489 142.40048 lineto
+552.38488 142.91155 552.31001 143.28265 552.16028 143.51376 curveto
+552.01379 143.74489 551.76151 143.90114 551.40344 143.98251 curveto
+551.76477 144.07041 552.01867 144.22991 552.16516 144.46103 curveto
+552.31164 144.69215 552.38488 145.06162 552.38489 145.56943 curveto
+552.38489 146.78036 lineto
+552.38488 147.23935 552.45487 147.54046 552.59485 147.68369 curveto
+552.73482 147.82691 553.0343 147.89853 553.49329 147.89853 curveto
+553.82532 147.89853 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+559.51379 147.89853 moveto
+559.85559 147.89853 lineto
+560.31132 147.89853 560.60754 147.82854 560.74426 147.68857 curveto
+560.88423 147.54859 560.95422 147.24586 560.95422 146.78036 curveto
+560.95422 145.56943 lineto
+560.95422 145.06162 561.02746 144.69215 561.17395 144.46103 curveto
+561.32043 144.22991 561.57434 144.07041 561.93567 143.98251 curveto
+561.57434 143.90114 561.32043 143.74489 561.17395 143.51376 curveto
+561.02746 143.28265 560.95422 142.91155 560.95422 142.40048 curveto
+560.95422 141.18954 lineto
+560.95422 140.72731 560.88423 140.4262 560.74426 140.28622 curveto
+560.60754 140.143 560.31132 140.07139 559.85559 140.07138 curveto
+559.51379 140.07138 lineto
+559.51379 139.37314 lineto
+559.82141 139.37314 lineto
+560.63196 139.37315 561.17232 139.49359 561.4425 139.73447 curveto
+561.71594 139.9721 561.85266 140.45062 561.85266 141.17001 curveto
+561.85266 142.34189 lineto
+561.85266 142.82692 561.94055 143.16383 562.11633 143.35263 curveto
+562.29211 143.53818 562.61112 143.63095 563.07336 143.63095 curveto
+563.3761 143.63095 lineto
+563.3761 144.32919 lineto
+563.07336 144.32919 lineto
+562.61112 144.3292 562.29211 144.4236 562.11633 144.6124 curveto
+561.94055 144.8012 561.85266 145.14137 561.85266 145.6329 curveto
+561.85266 146.7999 lineto
+561.85266 147.5193 561.71594 147.99944 561.4425 148.24033 curveto
+561.17232 148.48121 560.63196 148.60165 559.82141 148.60165 curveto
+559.51379 148.60165 lineto
+559.51379 147.89853 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+554.20129 153.67001 moveto
+554.20129 156.97079 lineto
+553.30286 156.97079 lineto
+553.30286 153.69931 lineto
+553.30285 153.18174 553.20194 152.79437 553.00012 152.5372 curveto
+552.7983 152.28004 552.49556 152.15146 552.09192 152.15146 curveto
+551.60689 152.15146 551.2244 152.30609 550.94446 152.61533 curveto
+550.66451 152.92457 550.52453 153.34612 550.52454 153.87997 curveto
+550.52454 156.97079 lineto
+549.62122 156.97079 lineto
+549.62122 151.50204 lineto
+550.52454 151.50204 lineto
+550.52454 152.35165 lineto
+550.73938 152.02288 550.99166 151.77711 551.28137 151.61435 curveto
+551.57434 151.45159 551.91125 151.37021 552.29211 151.37021 curveto
+552.92037 151.37021 553.39563 151.56553 553.7179 151.95615 curveto
+554.04016 152.34352 554.20129 152.91481 554.20129 153.67001 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+560.68079 154.01181 moveto
+560.68079 154.45126 lineto
+556.54993 154.45126 lineto
+556.58899 155.06975 556.77453 155.54176 557.10657 155.86728 curveto
+557.44185 156.18955 557.90735 156.35068 558.50305 156.35068 curveto
+558.8481 156.35068 559.18176 156.30836 559.50403 156.22372 curveto
+559.82954 156.13909 560.15181 156.01214 560.47083 155.84286 curveto
+560.47083 156.69247 lineto
+560.14855 156.82919 559.81815 156.93336 559.47961 157.00497 curveto
+559.14107 157.07659 558.79764 157.1124 558.44934 157.1124 curveto
+557.57694 157.1124 556.88521 156.85849 556.37415 156.35068 curveto
+555.86633 155.84287 555.61243 155.15602 555.61243 154.29013 curveto
+555.61243 153.39495 555.85331 152.68532 556.33508 152.16122 curveto
+556.82011 151.63389 557.47278 151.37021 558.29309 151.37021 curveto
+559.02876 151.37021 559.60982 151.60784 560.03625 152.0831 curveto
+560.46594 152.55511 560.68078 153.19801 560.68079 154.01181 curveto
+559.78235 153.74814 moveto
+559.77583 153.25661 559.63749 152.86435 559.36731 152.57138 curveto
+559.10038 152.27842 558.74556 152.13193 558.30286 152.13193 curveto
+557.80155 152.13193 557.39953 152.27353 557.0968 152.55673 curveto
+556.79732 152.83994 556.62479 153.2387 556.57922 153.75302 curveto
+559.78235 153.74814 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+566.52551 151.50204 moveto
+564.54797 154.16318 lineto
+566.62805 156.97079 lineto
+565.56848 156.97079 lineto
+563.97668 154.82236 lineto
+562.38489 156.97079 lineto
+561.32532 156.97079 lineto
+563.44934 154.10947 lineto
+561.50598 151.50204 lineto
+562.56555 151.50204 lineto
+564.01575 153.45029 lineto
+565.46594 151.50204 lineto
+566.52551 151.50204 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+568.78625 149.94931 moveto
+568.78625 151.50204 lineto
+570.63684 151.50204 lineto
+570.63684 152.20029 lineto
+568.78625 152.20029 lineto
+568.78625 155.16904 lineto
+568.78625 155.615 568.84647 155.90146 568.96692 156.02841 curveto
+569.09061 156.15537 569.33964 156.21884 569.71399 156.21884 curveto
+570.63684 156.21884 lineto
+570.63684 156.97079 lineto
+569.71399 156.97079 lineto
+569.02063 156.97079 568.54211 156.84221 568.27844 156.58505 curveto
+568.01477 156.32464 567.88293 155.85263 567.88293 155.16904 curveto
+567.88293 152.20029 lineto
+567.22375 152.20029 lineto
+567.22375 151.50204 lineto
+567.88293 151.50204 lineto
+567.88293 149.94931 lineto
+568.78625 149.94931 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+483.33514 94.963516 moveto
+483.33514 98.264297 lineto
+482.43671 98.264297 lineto
+482.43671 94.992813 lineto
+482.4367 94.475239 482.33579 94.087869 482.13397 93.830704 curveto
+481.93215 93.573547 481.62941 93.444966 481.22577 93.444962 curveto
+480.74074 93.444966 480.35825 93.599589 480.07831 93.908829 curveto
+479.79836 94.218078 479.65838 94.639627 479.65839 95.173477 curveto
+479.65839 98.264297 lineto
+478.75507 98.264297 lineto
+478.75507 92.795547 lineto
+479.65839 92.795547 lineto
+479.65839 93.645157 lineto
+479.87323 93.316386 480.12551 93.070618 480.41522 92.907852 curveto
+480.70819 92.745097 481.0451 92.663717 481.42596 92.663712 curveto
+482.05422 92.663717 482.52948 92.859029 482.85175 93.249649 curveto
+483.17401 93.637023 483.33514 94.208312 483.33514 94.963516 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+487.25604 93.42543 moveto
+486.77427 93.425435 486.39341 93.614237 486.11346 93.991837 curveto
+485.83351 94.366189 485.69354 94.880512 485.69354 95.534805 curveto
+485.69354 96.189104 485.83189 96.705054 486.10858 97.082657 curveto
+486.38853 97.457007 486.77101 97.644181 487.25604 97.64418 curveto
+487.73455 97.644181 488.11379 97.455379 488.39374 97.077774 curveto
+488.67368 96.700171 488.81366 96.185849 488.81366 95.534805 curveto
+488.81366 94.887022 488.67368 94.374327 488.39374 93.996719 curveto
+488.11379 93.615865 487.73455 93.425435 487.25604 93.42543 curveto
+487.25604 92.663712 moveto
+488.03729 92.663717 488.65089 92.917623 489.09686 93.42543 curveto
+489.54282 93.933247 489.7658 94.636371 489.76581 95.534805 curveto
+489.7658 96.429989 489.54282 97.133114 489.09686 97.64418 curveto
+488.65089 98.151993 488.03729 98.405899 487.25604 98.405899 curveto
+486.47153 98.405899 485.8563 98.151993 485.41034 97.64418 curveto
+484.96763 97.133114 484.74628 96.429989 484.74628 95.534805 curveto
+484.74628 94.636371 484.96763 93.933247 485.41034 93.42543 curveto
+485.8563 92.917623 486.47153 92.663717 487.25604 92.663712 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+492.13885 91.242813 moveto
+492.13885 92.795547 lineto
+493.98944 92.795547 lineto
+493.98944 93.49379 lineto
+492.13885 93.49379 lineto
+492.13885 96.46254 lineto
+492.13885 96.908505 492.19907 97.194963 492.31952 97.321915 curveto
+492.44321 97.448869 492.69224 97.512345 493.06659 97.512344 curveto
+493.98944 97.512344 lineto
+493.98944 98.264297 lineto
+493.06659 98.264297 lineto
+492.37323 98.264297 491.89471 98.135717 491.63104 97.878555 curveto
+491.36737 97.618139 491.23553 97.146135 491.23553 96.46254 curveto
+491.23553 93.49379 lineto
+490.57635 93.49379 lineto
+490.57635 92.795547 lineto
+491.23553 92.795547 lineto
+491.23553 91.242813 lineto
+492.13885 91.242813 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+499.8537 95.305313 moveto
+499.8537 95.744766 lineto
+495.72284 95.744766 lineto
+495.7619 96.363258 495.94745 96.835262 496.27948 97.160782 curveto
+496.61476 97.483048 497.08026 97.644181 497.67596 97.64418 curveto
+498.02101 97.644181 498.35467 97.601863 498.67694 97.517227 curveto
+499.00246 97.432593 499.32472 97.30564 499.64374 97.136368 curveto
+499.64374 97.985977 lineto
+499.32147 98.122696 498.99106 98.226863 498.65253 98.298477 curveto
+498.31398 98.370092 497.97056 98.405899 497.62225 98.405899 curveto
+496.74986 98.405899 496.05812 98.151993 495.54706 97.64418 curveto
+495.03924 97.136369 494.78534 96.449521 494.78534 95.583633 curveto
+494.78534 94.688455 495.02622 93.97882 495.508 93.454727 curveto
+495.99302 92.927389 496.64569 92.663717 497.466 92.663712 curveto
+498.20168 92.663717 498.78273 92.901347 499.20917 93.376602 curveto
+499.63885 93.848612 499.85369 94.491515 499.8537 95.305313 curveto
+498.95526 95.041641 moveto
+498.94875 94.550108 498.8104 94.157856 498.54022 93.864883 curveto
+498.27329 93.571919 497.91847 93.425435 497.47577 93.42543 curveto
+496.97446 93.425435 496.57245 93.567037 496.26971 93.850235 curveto
+495.97023 94.133442 495.79771 94.532205 495.75214 95.046524 curveto
+498.95526 95.041641 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+478.78925 100.66664 moveto
+479.68768 100.66664 lineto
+479.68768 108.2643 lineto
+478.78925 108.2643 lineto
+478.78925 100.66664 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+486.24042 105.30531 moveto
+486.24042 105.74477 lineto
+482.10956 105.74477 lineto
+482.14862 106.36326 482.33417 106.83526 482.6662 107.16078 curveto
+483.00148 107.48305 483.46698 107.64418 484.06268 107.64418 curveto
+484.40773 107.64418 484.74139 107.60186 485.06366 107.51723 curveto
+485.38918 107.43259 485.71144 107.30564 486.03046 107.13637 curveto
+486.03046 107.98598 lineto
+485.70819 108.1227 485.37778 108.22686 485.03925 108.29848 curveto
+484.7007 108.37009 484.35728 108.4059 484.00897 108.4059 curveto
+483.13657 108.4059 482.44484 108.15199 481.93378 107.64418 curveto
+481.42596 107.13637 481.17206 106.44952 481.17206 105.58363 curveto
+481.17206 104.68845 481.41294 103.97882 481.89471 103.45473 curveto
+482.37974 102.92739 483.03241 102.66372 483.85272 102.66371 curveto
+484.5884 102.66372 485.16945 102.90135 485.59589 103.3766 curveto
+486.02557 103.84861 486.24041 104.49151 486.24042 105.30531 curveto
+485.34198 105.04164 moveto
+485.33546 104.55011 485.19712 104.15786 484.92694 103.86488 curveto
+484.66001 103.57192 484.30519 103.42544 483.86249 103.42543 curveto
+483.36118 103.42544 482.95917 103.56704 482.65643 103.85023 curveto
+482.35695 104.13344 482.18443 104.5322 482.13885 105.04652 curveto
+485.34198 105.04164 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+488.6037 101.24281 moveto
+488.6037 102.79555 lineto
+490.45428 102.79555 lineto
+490.45428 103.49379 lineto
+488.6037 103.49379 lineto
+488.6037 106.46254 lineto
+488.6037 106.9085 488.66392 107.19496 488.78436 107.32191 curveto
+488.90806 107.44887 489.15708 107.51235 489.53143 107.51234 curveto
+490.45428 107.51234 lineto
+490.45428 108.2643 lineto
+489.53143 108.2643 lineto
+488.83807 108.2643 488.35956 108.13572 488.09589 107.87856 curveto
+487.83221 107.61814 487.70038 107.14613 487.70038 106.46254 curveto
+487.70038 103.49379 lineto
+487.0412 103.49379 lineto
+487.0412 102.79555 lineto
+487.70038 102.79555 lineto
+487.70038 101.24281 lineto
+488.6037 101.24281 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+44.641342 188.13469 moveto
+44.641342 184.82414 lineto
+45.53978 184.82414 lineto
+45.53978 188.10051 lineto
+45.539778 188.61809 45.640689 189.00709 45.842514 189.2675 curveto
+46.044335 189.52466 46.347069 189.65324 46.750717 189.65324 curveto
+47.23574 189.65324 47.618226 189.49862 47.898178 189.18938 curveto
+48.181377 188.88013 48.322978 188.45858 48.322983 187.92473 curveto
+48.322983 184.82414 lineto
+49.22142 184.82414 lineto
+49.22142 190.29289 lineto
+48.322983 190.29289 lineto
+48.322983 189.45305 lineto
+48.10488 189.78508 47.850974 190.03248 47.561264 190.19524 curveto
+47.274802 190.35474 46.941144 190.43449 46.560287 190.43449 curveto
+45.93203 190.43449 45.455143 190.23918 45.129623 189.84856 curveto
+44.804102 189.45793 44.641341 188.88664 44.641342 188.13469 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+54.5681 184.98528 moveto
+54.5681 185.83488 lineto
+54.31419 185.70468 54.050518 185.60702 53.777084 185.54192 curveto
+53.503643 185.47682 53.220441 185.44426 52.927475 185.44426 curveto
+52.481509 185.44426 52.146223 185.51262 51.921616 185.64934 curveto
+51.70026 185.78606 51.589583 185.99114 51.589584 186.26457 curveto
+51.589583 186.47291 51.669335 186.6373 51.828842 186.75774 curveto
+51.988346 186.87493 52.308983 186.98723 52.790756 187.09465 curveto
+53.098373 187.16301 lineto
+53.736391 187.29973 54.188864 187.49342 54.455795 187.74406 curveto
+54.725973 187.99146 54.861064 188.33814 54.861069 188.7841 curveto
+54.861064 189.29192 54.659241 189.69393 54.2556 189.99016 curveto
+53.855206 190.28638 53.303448 190.43449 52.600327 190.43449 curveto
+52.307356 190.43449 52.001366 190.4052 51.682358 190.3466 curveto
+51.366601 190.29126 51.032943 190.20663 50.681381 190.0927 curveto
+50.681381 189.16496 lineto
+51.013412 189.33749 51.34056 189.4677 51.662827 189.55559 curveto
+51.98509 189.64022 52.3041 189.68254 52.619858 189.68254 curveto
+53.043032 189.68254 53.368552 189.61093 53.59642 189.4677 curveto
+53.824281 189.32121 53.938213 189.11614 53.938217 188.85246 curveto
+53.938213 188.60832 53.855206 188.42115 53.689194 188.29094 curveto
+53.52643 188.16073 53.16673 188.03541 52.610092 187.91496 curveto
+52.297592 187.84172 lineto
+51.74095 187.72454 51.338932 187.5455 51.091537 187.30461 curveto
+50.844141 187.06047 50.720443 186.72682 50.720444 186.30363 curveto
+50.720443 185.78932 50.902735 185.39218 51.267319 185.11223 curveto
+51.631901 184.83229 52.149478 184.69231 52.820053 184.69231 curveto
+53.152081 184.69231 53.464581 184.71673 53.757553 184.76555 curveto
+54.050518 184.81438 54.3207 184.88762 54.5681 184.98528 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+56.296616 184.82414 moveto
+57.195053 184.82414 lineto
+57.195053 190.29289 lineto
+56.296616 190.29289 lineto
+56.296616 184.82414 lineto
+56.296616 182.69524 moveto
+57.195053 182.69524 lineto
+57.195053 183.83293 lineto
+56.296616 183.83293 lineto
+56.296616 182.69524 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+63.615952 186.99211 moveto
+63.615952 190.29289 lineto
+62.717514 190.29289 lineto
+62.717514 187.02141 lineto
+62.717509 186.50383 62.616598 186.11646 62.41478 185.8593 curveto
+62.212953 185.60214 61.910219 185.47356 61.506577 185.47356 curveto
+61.021548 185.47356 60.639061 185.62818 60.359116 185.93742 curveto
+60.079166 186.24667 59.939192 186.66822 59.939194 187.20207 curveto
+59.939194 190.29289 lineto
+59.035873 190.29289 lineto
+59.035873 184.82414 lineto
+59.939194 184.82414 lineto
+59.939194 185.67375 lineto
+60.154035 185.34498 60.406314 185.09921 60.69603 184.93645 curveto
+60.988996 184.77369 61.325909 184.69231 61.706772 184.69231 curveto
+62.335023 184.69231 62.810283 184.88762 63.132553 185.27824 curveto
+63.454813 185.66562 63.615946 186.23691 63.615952 186.99211 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+69.016342 187.49504 moveto
+69.016338 186.844 68.881247 186.33945 68.611069 185.98137 curveto
+68.344138 185.6233 67.968162 185.44426 67.483139 185.44426 curveto
+67.001366 185.44426 66.625389 185.6233 66.355209 185.98137 curveto
+66.088281 186.33945 65.954817 186.844 65.954819 187.49504 curveto
+65.954817 188.14283 66.088281 188.64576 66.355209 189.00383 curveto
+66.625389 189.3619 67.001366 189.54094 67.483139 189.54094 curveto
+67.968162 189.54094 68.344138 189.3619 68.611069 189.00383 curveto
+68.881247 188.64576 69.016338 188.14283 69.016342 187.49504 curveto
+69.91478 189.61418 moveto
+69.914774 190.54517 69.708069 191.2369 69.294662 191.68938 curveto
+68.881247 192.1451 68.248109 192.37297 67.395248 192.37297 curveto
+67.079491 192.37297 66.781639 192.34855 66.501694 192.29973 curveto
+66.221744 192.25415 65.949934 192.18254 65.686264 192.08488 curveto
+65.686264 191.21086 lineto
+65.949934 191.35409 66.210351 191.45988 66.467514 191.52824 curveto
+66.724673 191.5966 66.986717 191.63078 67.253647 191.63078 curveto
+67.842836 191.63078 68.283916 191.47616 68.576889 191.16692 curveto
+68.869853 190.86093 69.016338 190.39706 69.016342 189.77531 curveto
+69.016342 189.33098 lineto
+68.830791 189.65324 68.593161 189.89413 68.303452 190.05363 curveto
+68.013734 190.21314 67.667055 190.29289 67.263412 190.29289 curveto
+66.592837 190.29289 66.052473 190.03736 65.642319 189.52629 curveto
+65.232162 189.01522 65.027084 188.33814 65.027084 187.49504 curveto
+65.027084 186.64869 65.232162 185.96998 65.642319 185.45891 curveto
+66.052473 184.94785 66.592837 184.69231 67.263412 184.69231 curveto
+67.667055 184.69231 68.013734 184.77206 68.303452 184.93156 curveto
+68.593161 185.09107 68.830791 185.33196 69.016342 185.65422 curveto
+69.016342 184.82414 lineto
+69.91478 184.82414 lineto
+69.91478 189.61418 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+44.641342 198.13469 moveto
+44.641342 194.82414 lineto
+45.53978 194.82414 lineto
+45.53978 198.10051 lineto
+45.539778 198.61809 45.640689 199.00709 45.842514 199.2675 curveto
+46.044335 199.52466 46.347069 199.65324 46.750717 199.65324 curveto
+47.23574 199.65324 47.618226 199.49862 47.898178 199.18938 curveto
+48.181377 198.88013 48.322978 198.45858 48.322983 197.92473 curveto
+48.322983 194.82414 lineto
+49.22142 194.82414 lineto
+49.22142 200.29289 lineto
+48.322983 200.29289 lineto
+48.322983 199.45305 lineto
+48.10488 199.78508 47.850974 200.03248 47.561264 200.19524 curveto
+47.274802 200.35474 46.941144 200.43449 46.560287 200.43449 curveto
+45.93203 200.43449 45.455143 200.23918 45.129623 199.84856 curveto
+44.804102 199.45793 44.641341 198.88664 44.641342 198.13469 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+55.62767 196.99211 moveto
+55.62767 200.29289 lineto
+54.729233 200.29289 lineto
+54.729233 197.02141 lineto
+54.729228 196.50383 54.628317 196.11646 54.426498 195.8593 curveto
+54.224671 195.60214 53.921937 195.47356 53.518295 195.47356 curveto
+53.033266 195.47356 52.65078 195.62818 52.370834 195.93742 curveto
+52.090884 196.24667 51.950911 196.66822 51.950912 197.20207 curveto
+51.950912 200.29289 lineto
+51.047592 200.29289 lineto
+51.047592 194.82414 lineto
+51.950912 194.82414 lineto
+51.950912 195.67375 lineto
+52.165754 195.34498 52.418033 195.09921 52.707748 194.93645 curveto
+53.000714 194.77369 53.337628 194.69231 53.718491 194.69231 curveto
+54.346742 194.69231 54.822002 194.88762 55.144272 195.27824 curveto
+55.466532 195.66562 55.627665 196.23691 55.62767 196.99211 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+60.197983 192.69524 moveto
+60.197983 193.44231 lineto
+59.338608 193.44231 lineto
+59.01634 193.44231 58.79173 193.50742 58.66478 193.63762 curveto
+58.54108 193.76783 58.479231 194.00221 58.479233 194.34074 curveto
+58.479233 194.82414 lineto
+59.958725 194.82414 lineto
+59.958725 195.52238 lineto
+58.479233 195.52238 lineto
+58.479233 200.29289 lineto
+57.575912 200.29289 lineto
+57.575912 195.52238 lineto
+56.716537 195.52238 lineto
+56.716537 194.82414 lineto
+57.575912 194.82414 lineto
+57.575912 194.44328 lineto
+57.575911 193.83457 57.717513 193.39186 58.000717 193.11516 curveto
+58.283918 192.83522 58.733137 192.69524 59.348373 192.69524 curveto
+60.197983 192.69524 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+63.064194 195.45403 moveto
+62.58242 195.45403 62.201561 195.64283 61.921616 196.02043 curveto
+61.641666 196.39478 61.501692 196.90911 61.501694 197.5634 curveto
+61.501692 198.2177 61.640038 198.73365 61.916733 199.11125 curveto
+62.196679 199.4856 62.579165 199.67278 63.064194 199.67278 curveto
+63.542706 199.67278 63.921937 199.48397 64.201889 199.10637 curveto
+64.481832 198.72877 64.621806 198.21444 64.621811 197.5634 curveto
+64.621806 196.91562 64.481832 196.40292 64.201889 196.02531 curveto
+63.921937 195.64446 63.542706 195.45403 63.064194 195.45403 curveto
+63.064194 194.69231 moveto
+63.84544 194.69231 64.459046 194.94622 64.905014 195.45403 curveto
+65.350972 195.96184 65.573954 196.66497 65.573959 197.5634 curveto
+65.573954 198.45858 65.350972 199.16171 64.905014 199.67278 curveto
+64.459046 200.18059 63.84544 200.43449 63.064194 200.43449 curveto
+62.279686 200.43449 61.664452 200.18059 61.218491 199.67278 curveto
+60.775781 199.16171 60.554428 198.45858 60.554428 197.5634 curveto
+60.554428 196.66497 60.775781 195.96184 61.218491 195.45403 curveto
+61.664452 194.94622 62.279686 194.69231 63.064194 194.69231 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+67.058334 192.69524 moveto
+67.956772 192.69524 lineto
+67.956772 200.29289 lineto
+67.058334 200.29289 lineto
+67.058334 192.69524 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+73.430405 195.65422 moveto
+73.430405 192.69524 lineto
+74.328842 192.69524 lineto
+74.328842 200.29289 lineto
+73.430405 200.29289 lineto
+73.430405 199.47258 lineto
+73.241598 199.7981 73.002341 200.04061 72.712631 200.20012 curveto
+72.426169 200.35637 72.081118 200.43449 71.677475 200.43449 curveto
+71.016666 200.43449 70.477929 200.17082 70.061264 199.64348 curveto
+69.647852 199.11614 69.441146 198.42278 69.441147 197.5634 curveto
+69.441146 196.70403 69.647852 196.01067 70.061264 195.48332 curveto
+70.477929 194.95598 71.016666 194.69231 71.677475 194.69231 curveto
+72.081118 194.69231 72.426169 194.77206 72.712631 194.93156 curveto
+73.002341 195.08782 73.241598 195.3287 73.430405 195.65422 curveto
+70.368881 197.5634 moveto
+70.36888 198.22421 70.503971 198.74341 70.774155 199.12102 curveto
+71.04759 199.49537 71.421939 199.68254 71.897202 199.68254 curveto
+72.372458 199.68254 72.746807 199.49537 73.020248 199.12102 curveto
+73.293682 198.74341 73.4304 198.22421 73.430405 197.5634 curveto
+73.4304 196.9026 73.293682 196.38502 73.020248 196.01067 curveto
+72.746807 195.63307 72.372458 195.44426 71.897202 195.44426 curveto
+71.421939 195.44426 71.04759 195.63307 70.774155 196.01067 curveto
+70.503971 196.38502 70.36888 196.9026 70.368881 197.5634 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+76.179428 194.82414 moveto
+77.077866 194.82414 lineto
+77.077866 200.29289 lineto
+76.179428 200.29289 lineto
+76.179428 194.82414 lineto
+76.179428 192.69524 moveto
+77.077866 192.69524 lineto
+77.077866 193.83293 lineto
+76.179428 193.83293 lineto
+76.179428 192.69524 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+83.498764 196.99211 moveto
+83.498764 200.29289 lineto
+82.600327 200.29289 lineto
+82.600327 197.02141 lineto
+82.600322 196.50383 82.499411 196.11646 82.297592 195.8593 curveto
+82.095765 195.60214 81.793031 195.47356 81.389389 195.47356 curveto
+80.90436 195.47356 80.521874 195.62818 80.241928 195.93742 curveto
+79.961978 196.24667 79.822004 196.66822 79.822006 197.20207 curveto
+79.822006 200.29289 lineto
+78.918686 200.29289 lineto
+78.918686 194.82414 lineto
+79.822006 194.82414 lineto
+79.822006 195.67375 lineto
+80.036848 195.34498 80.289126 195.09921 80.578842 194.93645 curveto
+80.871808 194.77369 81.208722 194.69231 81.589584 194.69231 curveto
+82.217835 194.69231 82.693095 194.88762 83.015366 195.27824 curveto
+83.337626 195.66562 83.498759 196.23691 83.498764 196.99211 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+88.899155 197.49504 moveto
+88.89915 196.844 88.764059 196.33945 88.493881 195.98137 curveto
+88.22695 195.6233 87.850974 195.44426 87.365952 195.44426 curveto
+86.884178 195.44426 86.508202 195.6233 86.238022 195.98137 curveto
+85.971093 196.33945 85.83763 196.844 85.837631 197.49504 curveto
+85.83763 198.14283 85.971093 198.64576 86.238022 199.00383 curveto
+86.508202 199.3619 86.884178 199.54094 87.365952 199.54094 curveto
+87.850974 199.54094 88.22695 199.3619 88.493881 199.00383 curveto
+88.764059 198.64576 88.89915 198.14283 88.899155 197.49504 curveto
+89.797592 199.61418 moveto
+89.797587 200.54517 89.590881 201.2369 89.177475 201.68938 curveto
+88.764059 202.1451 88.130922 202.37297 87.278061 202.37297 curveto
+86.962303 202.37297 86.664452 202.34855 86.384506 202.29973 curveto
+86.104557 202.25415 85.832747 202.18254 85.569077 202.08488 curveto
+85.569077 201.21086 lineto
+85.832747 201.35409 86.093163 201.45988 86.350327 201.52824 curveto
+86.607486 201.5966 86.86953 201.63078 87.136459 201.63078 curveto
+87.725649 201.63078 88.166729 201.47616 88.459702 201.16692 curveto
+88.752666 200.86093 88.89915 200.39706 88.899155 199.77531 curveto
+88.899155 199.33098 lineto
+88.713603 199.65324 88.475973 199.89413 88.186264 200.05363 curveto
+87.896547 200.21314 87.549868 200.29289 87.146225 200.29289 curveto
+86.47565 200.29289 85.935286 200.03736 85.525131 199.52629 curveto
+85.114974 199.01522 84.909896 198.33814 84.909897 197.49504 curveto
+84.909896 196.64869 85.114974 195.96998 85.525131 195.45891 curveto
+85.935286 194.94785 86.47565 194.69231 87.146225 194.69231 curveto
+87.549868 194.69231 87.896547 194.77206 88.186264 194.93156 curveto
+88.475973 195.09107 88.713603 195.33196 88.899155 195.65422 curveto
+88.899155 194.82414 lineto
+89.797592 194.82414 lineto
+89.797592 199.61418 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+380.48996 223.50369 moveto
+380.48996 225.05643 lineto
+382.34055 225.05643 lineto
+382.34055 225.75467 lineto
+380.48996 225.75467 lineto
+380.48996 228.72342 lineto
+380.48996 229.16938 380.55018 229.45584 380.67062 229.58279 curveto
+380.79432 229.70975 381.04334 229.77322 381.41769 229.77322 curveto
+382.34055 229.77322 lineto
+382.34055 230.52518 lineto
+381.41769 230.52518 lineto
+380.72433 230.52518 380.24582 230.3966 379.98215 230.13943 curveto
+379.71847 229.87902 379.58664 229.40701 379.58664 228.72342 curveto
+379.58664 225.75467 lineto
+378.92746 225.75467 lineto
+378.92746 225.05643 lineto
+379.58664 225.05643 lineto
+379.58664 223.50369 lineto
+380.48996 223.50369 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+388.07297 227.2244 moveto
+388.07297 230.52518 lineto
+387.17453 230.52518 lineto
+387.17453 227.25369 lineto
+387.17453 226.73612 387.07361 226.34875 386.8718 226.09158 curveto
+386.66997 225.83443 386.36723 225.70585 385.96359 225.70584 curveto
+385.47856 225.70585 385.09608 225.86047 384.81613 226.16971 curveto
+384.53618 226.47896 384.39621 226.90051 384.39621 227.43436 curveto
+384.39621 230.52518 lineto
+383.49289 230.52518 lineto
+383.49289 222.92752 lineto
+384.39621 222.92752 lineto
+384.39621 225.90604 lineto
+384.61105 225.57727 384.86333 225.3315 385.15305 225.16873 curveto
+385.44601 225.00598 385.78293 224.9246 386.16379 224.92459 curveto
+386.79204 224.9246 387.2673 225.11991 387.58957 225.51053 curveto
+387.91183 225.8979 388.07296 226.46919 388.07297 227.2244 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+394.55246 227.56619 moveto
+394.55246 228.00565 lineto
+390.4216 228.00565 lineto
+390.46066 228.62414 390.64621 229.09614 390.97824 229.42166 curveto
+391.31353 229.74393 391.77902 229.90506 392.37473 229.90506 curveto
+392.71977 229.90506 393.05343 229.86274 393.3757 229.77811 curveto
+393.70122 229.69347 394.02348 229.56652 394.3425 229.39725 curveto
+394.3425 230.24686 lineto
+394.02023 230.38358 393.68982 230.48774 393.35129 230.55936 curveto
+393.01274 230.63097 392.66932 230.66678 392.32101 230.66678 curveto
+391.44862 230.66678 390.75688 230.41287 390.24582 229.90506 curveto
+389.73801 229.39725 389.4841 228.7104 389.4841 227.84451 curveto
+389.4841 226.94933 389.72498 226.2397 390.20676 225.71561 curveto
+390.69178 225.18827 391.34445 224.9246 392.16476 224.92459 curveto
+392.90044 224.9246 393.48149 225.16223 393.90793 225.63748 curveto
+394.33761 226.10949 394.55245 226.75239 394.55246 227.56619 curveto
+393.65402 227.30252 moveto
+393.64751 226.81099 393.50916 226.41874 393.23898 226.12576 curveto
+392.97205 225.8328 392.61723 225.68631 392.17453 225.68631 curveto
+391.67323 225.68631 391.27121 225.82792 390.96848 226.11111 curveto
+390.66899 226.39432 390.49647 226.79308 390.4509 227.3074 curveto
+393.65402 227.30252 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+400.57297 227.2244 moveto
+400.57297 230.52518 lineto
+399.67453 230.52518 lineto
+399.67453 227.25369 lineto
+399.67453 226.73612 399.57361 226.34875 399.3718 226.09158 curveto
+399.16997 225.83443 398.86723 225.70585 398.46359 225.70584 curveto
+397.97856 225.70585 397.59608 225.86047 397.31613 226.16971 curveto
+397.03618 226.47896 396.89621 226.90051 396.89621 227.43436 curveto
+396.89621 230.52518 lineto
+395.99289 230.52518 lineto
+395.99289 225.05643 lineto
+396.89621 225.05643 lineto
+396.89621 225.90604 lineto
+397.11105 225.57727 397.36333 225.3315 397.65305 225.16873 curveto
+397.94601 225.00598 398.28293 224.9246 398.66379 224.92459 curveto
+399.29204 224.9246 399.7673 225.11991 400.08957 225.51053 curveto
+400.41183 225.8979 400.57296 226.46919 400.57297 227.2244 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+239.47623 229.75269 moveto
+239.47623 233.05347 lineto
+238.57779 233.05347 lineto
+238.57779 229.78198 lineto
+238.57778 229.26441 238.47687 228.87704 238.27505 228.61987 curveto
+238.07323 228.36272 237.77049 228.23414 237.36685 228.23413 curveto
+236.88182 228.23414 236.49934 228.38876 236.21939 228.698 curveto
+235.93944 229.00725 235.79947 229.4288 235.79947 229.96265 curveto
+235.79947 233.05347 lineto
+234.89615 233.05347 lineto
+234.89615 225.45581 lineto
+235.79947 225.45581 lineto
+235.79947 228.43433 lineto
+236.01431 228.10556 236.26659 227.85979 236.5563 227.69702 curveto
+236.84927 227.53427 237.18618 227.45289 237.56705 227.45288 curveto
+238.1953 227.45289 238.67056 227.6482 238.99283 228.03882 curveto
+239.31509 228.42619 239.47622 228.99748 239.47623 229.75269 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+243.76334 230.30444 moveto
+243.03742 230.30445 242.53449 230.38745 242.25455 230.55347 curveto
+241.9746 230.71948 241.83462 231.00269 241.83463 231.40308 curveto
+241.83462 231.72209 241.93879 231.97599 242.14713 232.16479 curveto
+242.35871 232.35034 242.64517 232.44312 243.0065 232.44312 curveto
+243.50454 232.44312 243.90331 232.26733 244.20279 231.91577 curveto
+244.50552 231.56096 244.65689 231.09058 244.65689 230.50464 curveto
+244.65689 230.30444 lineto
+243.76334 230.30444 lineto
+245.55533 229.93335 moveto
+245.55533 233.05347 lineto
+244.65689 233.05347 lineto
+244.65689 232.22339 lineto
+244.45181 232.55542 244.19628 232.80119 243.89029 232.96069 curveto
+243.5843 233.11694 243.20995 233.19507 242.76724 233.19507 curveto
+242.20734 233.19507 241.76138 233.03882 241.42935 232.72632 curveto
+241.10057 232.41056 240.93619 231.98901 240.93619 231.46167 curveto
+240.93619 230.84644 241.14127 230.38257 241.55142 230.07007 curveto
+241.96483 229.75757 242.58007 229.60132 243.39713 229.60132 curveto
+244.65689 229.60132 lineto
+244.65689 229.51343 lineto
+244.65689 229.10002 244.52017 228.78101 244.24673 228.5564 curveto
+243.97655 228.32854 243.59569 228.2146 243.10416 228.2146 curveto
+242.79165 228.2146 242.48729 228.25204 242.19107 228.3269 curveto
+241.89485 228.40178 241.61001 228.51408 241.33658 228.66382 curveto
+241.33658 227.83374 lineto
+241.66535 227.70679 241.98436 227.61239 242.29361 227.55054 curveto
+242.60285 227.48544 242.90396 227.45289 243.19693 227.45288 curveto
+243.98794 227.45289 244.57876 227.65796 244.96939 228.06812 curveto
+245.36001 228.47828 245.55532 229.10002 245.55533 229.93335 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+246.76627 227.58472 moveto
+247.71841 227.58472 lineto
+249.4274 232.17456 lineto
+251.13638 227.58472 lineto
+252.08853 227.58472 lineto
+250.03775 233.05347 lineto
+248.81705 233.05347 lineto
+246.76627 227.58472 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+258.0065 230.09448 moveto
+258.0065 230.53394 lineto
+253.87564 230.53394 lineto
+253.9147 231.15243 254.10025 231.62443 254.43228 231.94995 curveto
+254.76757 232.27222 255.23306 232.43335 255.82877 232.43335 curveto
+256.17381 232.43335 256.50747 232.39103 256.82974 232.3064 curveto
+257.15526 232.22176 257.47752 232.09481 257.79654 231.92554 curveto
+257.79654 232.77515 lineto
+257.47427 232.91187 257.14387 233.01603 256.80533 233.08765 curveto
+256.46678 233.15926 256.12336 233.19507 255.77505 233.19507 curveto
+254.90266 233.19507 254.21093 232.94116 253.69986 232.43335 curveto
+253.19205 231.92554 252.93814 231.23869 252.93814 230.3728 curveto
+252.93814 229.47762 253.17903 228.76799 253.6608 228.2439 curveto
+254.14582 227.71656 254.79849 227.45289 255.6188 227.45288 curveto
+256.35448 227.45289 256.93553 227.69052 257.36197 228.16577 curveto
+257.79165 228.63778 258.00649 229.28068 258.0065 230.09448 curveto
+257.10806 229.83081 moveto
+257.10155 229.33928 256.9632 228.94703 256.69302 228.65405 curveto
+256.42609 228.36109 256.07128 228.2146 255.62857 228.2146 curveto
+255.12727 228.2146 254.72525 228.35621 254.42252 228.6394 curveto
+254.12303 228.92261 253.95051 229.32137 253.90494 229.83569 curveto
+257.10806 229.83081 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+238.41666 242.74585 moveto
+238.41666 243.59546 lineto
+238.16275 243.46526 237.89907 243.3676 237.62564 243.30249 curveto
+237.3522 243.23739 237.069 243.20484 236.77603 243.20483 curveto
+236.33007 243.20484 235.99478 243.2732 235.77017 243.40991 curveto
+235.54882 243.54664 235.43814 243.75171 235.43814 244.02515 curveto
+235.43814 244.23348 235.51789 244.39787 235.6774 244.51831 curveto
+235.8369 244.6355 236.15754 244.74781 236.63931 244.85522 curveto
+236.94693 244.92358 lineto
+237.58495 245.06031 238.03742 245.25399 238.30435 245.50464 curveto
+238.57453 245.75204 238.70962 246.09872 238.70963 246.54468 curveto
+238.70962 247.05249 238.5078 247.45451 238.10416 247.75073 curveto
+237.70376 248.04696 237.152 248.19507 236.44888 248.19507 curveto
+236.15591 248.19507 235.84992 248.16577 235.53091 248.10718 curveto
+235.21516 248.05184 234.8815 247.9672 234.52994 247.85327 curveto
+234.52994 246.92554 lineto
+234.86197 247.09806 235.18912 247.22827 235.51138 247.31616 curveto
+235.83365 247.4008 236.15266 247.44312 236.46841 247.44312 curveto
+236.89159 247.44312 237.21711 247.3715 237.44498 247.22827 curveto
+237.67284 247.08179 237.78677 246.87671 237.78677 246.61304 curveto
+237.78677 246.3689 237.70376 246.18172 237.53775 246.05151 curveto
+237.37499 245.92131 237.01529 245.79598 236.45865 245.67554 curveto
+236.14615 245.60229 lineto
+235.58951 245.48511 235.18749 245.30607 234.94009 245.06519 curveto
+234.6927 244.82105 234.569 244.48739 234.569 244.06421 curveto
+234.569 243.54989 234.75129 243.15276 235.11588 242.8728 curveto
+235.48046 242.59286 235.99803 242.45289 236.66861 242.45288 curveto
+237.00064 242.45289 237.31314 242.4773 237.60611 242.52612 curveto
+237.89907 242.57496 238.16926 242.6482 238.41666 242.74585 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+244.69107 244.75269 moveto
+244.69107 248.05347 lineto
+243.79263 248.05347 lineto
+243.79263 244.78198 lineto
+243.79263 244.26441 243.69172 243.87704 243.4899 243.61987 curveto
+243.28807 243.36272 242.98534 243.23414 242.5817 243.23413 curveto
+242.09667 243.23414 241.71418 243.38876 241.43423 243.698 curveto
+241.15428 244.00725 241.01431 244.4288 241.01431 244.96265 curveto
+241.01431 248.05347 lineto
+240.11099 248.05347 lineto
+240.11099 240.45581 lineto
+241.01431 240.45581 lineto
+241.01431 243.43433 lineto
+241.22915 243.10556 241.48143 242.85979 241.77115 242.69702 curveto
+242.06411 242.53427 242.40103 242.45289 242.78189 242.45288 curveto
+243.41014 242.45289 243.8854 242.6482 244.20767 243.03882 curveto
+244.52993 243.42619 244.69107 243.99748 244.69107 244.75269 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+248.61197 243.2146 moveto
+248.1302 243.2146 247.74934 243.40341 247.46939 243.78101 curveto
+247.18944 244.15536 247.04947 244.66968 247.04947 245.32397 curveto
+247.04947 245.97827 247.18781 246.49422 247.46451 246.87183 curveto
+247.74445 247.24618 248.12694 247.43335 248.61197 247.43335 curveto
+249.09048 247.43335 249.46971 247.24455 249.74966 246.86694 curveto
+250.02961 246.48934 250.16958 245.97502 250.16959 245.32397 curveto
+250.16958 244.67619 250.02961 244.1635 249.74966 243.78589 curveto
+249.46971 243.40503 249.09048 243.2146 248.61197 243.2146 curveto
+248.61197 242.45288 moveto
+249.39322 242.45289 250.00682 242.70679 250.45279 243.2146 curveto
+250.89875 243.72242 251.12173 244.42554 251.12173 245.32397 curveto
+251.12173 246.21916 250.89875 246.92228 250.45279 247.43335 curveto
+250.00682 247.94116 249.39322 248.19507 248.61197 248.19507 curveto
+247.82746 248.19507 247.21223 247.94116 246.76627 247.43335 curveto
+246.32356 246.92228 246.1022 246.21916 246.1022 245.32397 curveto
+246.1022 244.42554 246.32356 243.72242 246.76627 243.2146 curveto
+247.21223 242.70679 247.82746 242.45289 248.61197 242.45288 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+252.08365 242.58472 moveto
+252.98209 242.58472 lineto
+254.10513 246.85229 lineto
+255.2233 242.58472 lineto
+256.28287 242.58472 lineto
+257.40591 246.85229 lineto
+258.52408 242.58472 lineto
+259.42252 242.58472 lineto
+257.99185 248.05347 lineto
+256.93228 248.05347 lineto
+255.75552 243.57104 lineto
+254.57388 248.05347 lineto
+253.51431 248.05347 lineto
+252.08365 242.58472 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+311.38464 185.46135 moveto
+311.38464 188.76213 lineto
+310.48621 188.76213 lineto
+310.48621 185.49065 lineto
+310.4862 184.97307 310.38529 184.5857 310.18347 184.32854 curveto
+309.98164 184.07138 309.67891 183.9428 309.27527 183.94279 curveto
+308.79024 183.9428 308.40775 184.09742 308.12781 184.40666 curveto
+307.84786 184.71591 307.70788 185.13746 307.70789 185.67131 curveto
+307.70789 188.76213 lineto
+306.80457 188.76213 lineto
+306.80457 181.16447 lineto
+307.70789 181.16447 lineto
+307.70789 184.14299 lineto
+307.92273 183.81422 308.17501 183.56845 308.46472 183.40569 curveto
+308.75769 183.24293 309.0946 183.16155 309.47546 183.16154 curveto
+310.10371 183.16155 310.57897 183.35686 310.90125 183.74748 curveto
+311.22351 184.13486 311.38464 184.70615 311.38464 185.46135 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+315.67175 186.01311 moveto
+314.94584 186.01311 314.44291 186.09612 314.16296 186.26213 curveto
+313.88301 186.42815 313.74304 186.71135 313.74304 187.11174 curveto
+313.74304 187.43075 313.84721 187.68466 314.05554 187.87346 curveto
+314.26713 188.05901 314.55359 188.15178 314.91492 188.15178 curveto
+315.41296 188.15178 315.81172 187.976 316.11121 187.62444 curveto
+316.41394 187.26962 316.5653 186.79924 316.56531 186.2133 curveto
+316.56531 186.01311 lineto
+315.67175 186.01311 lineto
+317.46375 185.64201 moveto
+317.46375 188.76213 lineto
+316.56531 188.76213 lineto
+316.56531 187.93205 lineto
+316.36023 188.26408 316.10469 188.50985 315.79871 188.66936 curveto
+315.49271 188.82561 315.11836 188.90373 314.67566 188.90373 curveto
+314.11576 188.90373 313.6698 188.74748 313.33777 188.43498 curveto
+313.00899 188.11923 312.8446 187.69768 312.8446 187.17033 curveto
+312.8446 186.5551 313.04968 186.09123 313.45984 185.77873 curveto
+313.87325 185.46624 314.48848 185.30999 315.30554 185.30998 curveto
+316.56531 185.30998 lineto
+316.56531 185.22209 lineto
+316.5653 184.80868 316.42858 184.48967 316.15515 184.26506 curveto
+315.88497 184.0372 315.50411 183.92327 315.01257 183.92326 curveto
+314.70007 183.92327 314.39571 183.9607 314.09949 184.03557 curveto
+313.80326 184.11044 313.51843 184.22275 313.245 184.37248 curveto
+313.245 183.5424 lineto
+313.57377 183.41546 313.89278 183.32106 314.20203 183.2592 curveto
+314.51127 183.1941 314.81238 183.16155 315.10535 183.16154 curveto
+315.89636 183.16155 316.48718 183.36663 316.87781 183.77678 curveto
+317.26843 184.18694 317.46374 184.80868 317.46375 185.64201 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+318.67468 183.29338 moveto
+319.62683 183.29338 lineto
+321.33582 187.88322 lineto
+323.0448 183.29338 lineto
+323.99695 183.29338 lineto
+321.94617 188.76213 lineto
+320.72546 188.76213 lineto
+318.67468 183.29338 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+329.91492 185.80315 moveto
+329.91492 186.2426 lineto
+325.78406 186.2426 lineto
+325.82312 186.86109 326.00867 187.3331 326.3407 187.65862 curveto
+326.67598 187.98088 327.14148 188.14201 327.73718 188.14201 curveto
+328.08223 188.14201 328.41589 188.0997 328.73816 188.01506 curveto
+329.06368 187.93043 329.38594 187.80347 329.70496 187.6342 curveto
+329.70496 188.48381 lineto
+329.38269 188.62053 329.05228 188.7247 328.71375 188.79631 curveto
+328.3752 188.86792 328.03178 188.90373 327.68347 188.90373 curveto
+326.81107 188.90373 326.11934 188.64983 325.60828 188.14201 curveto
+325.10046 187.6342 324.84656 186.94735 324.84656 186.08147 curveto
+324.84656 185.18629 325.08744 184.47665 325.56921 183.95256 curveto
+326.05424 183.42522 326.70691 183.16155 327.52722 183.16154 curveto
+328.26289 183.16155 328.84395 183.39918 329.27039 183.87444 curveto
+329.70007 184.34645 329.91491 184.98935 329.91492 185.80315 curveto
+329.01648 185.53947 moveto
+329.00996 185.04794 328.87162 184.65569 328.60144 184.36272 curveto
+328.33451 184.06975 327.97969 183.92327 327.53699 183.92326 curveto
+327.03568 183.92327 326.63366 184.06487 326.33093 184.34807 curveto
+326.03145 184.63128 325.85893 185.03004 325.81335 185.54436 curveto
+329.01648 185.53947 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+310.32507 198.45451 moveto
+310.32507 199.30412 lineto
+310.07116 199.17392 309.80749 199.07626 309.53406 199.01115 curveto
+309.26062 198.94605 308.97741 198.9135 308.68445 198.9135 curveto
+308.23848 198.9135 307.9032 198.98186 307.67859 199.11858 curveto
+307.45723 199.2553 307.34656 199.46038 307.34656 199.73381 curveto
+307.34656 199.94215 307.42631 200.10654 307.58582 200.22697 curveto
+307.74532 200.34417 308.06596 200.45647 308.54773 200.56389 curveto
+308.85535 200.63225 lineto
+309.49336 200.76897 309.94584 200.96265 310.21277 201.2133 curveto
+310.48295 201.4607 310.61804 201.80738 310.61804 202.25334 curveto
+310.61804 202.76116 310.41621 203.16317 310.01257 203.4594 curveto
+309.61218 203.75562 309.06042 203.90373 308.3573 203.90373 curveto
+308.06433 203.90373 307.75834 203.87444 307.43933 203.81584 curveto
+307.12357 203.7605 306.78992 203.67587 306.43835 203.56194 curveto
+306.43835 202.6342 lineto
+306.77038 202.80673 307.09753 202.93694 307.4198 203.02483 curveto
+307.74206 203.10946 308.06107 203.15178 308.37683 203.15178 curveto
+308.80001 203.15178 309.12553 203.08017 309.35339 202.93694 curveto
+309.58125 202.79045 309.69519 202.58537 309.69519 202.3217 curveto
+309.69519 202.07756 309.61218 201.89039 309.44617 201.76018 curveto
+309.2834 201.62997 308.9237 201.50465 308.36707 201.3842 curveto
+308.05457 201.31096 lineto
+307.49792 201.19377 307.09591 201.01474 306.84851 200.77385 curveto
+306.60111 200.52971 306.47742 200.19605 306.47742 199.77287 curveto
+306.47742 199.25855 306.65971 198.86142 307.02429 198.58147 curveto
+307.38887 198.30152 307.90645 198.16155 308.57703 198.16154 curveto
+308.90905 198.16155 309.22155 198.18596 309.51453 198.23479 curveto
+309.80749 198.28362 310.07767 198.35686 310.32507 198.45451 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+316.59949 200.46135 moveto
+316.59949 203.76213 lineto
+315.70105 203.76213 lineto
+315.70105 200.49065 lineto
+315.70105 199.97307 315.60013 199.5857 315.39832 199.32854 curveto
+315.19649 199.07138 314.89375 198.9428 314.49011 198.94279 curveto
+314.00508 198.9428 313.6226 199.09742 313.34265 199.40666 curveto
+313.0627 199.71591 312.92273 200.13746 312.92273 200.67131 curveto
+312.92273 203.76213 lineto
+312.01941 203.76213 lineto
+312.01941 196.16447 lineto
+312.92273 196.16447 lineto
+312.92273 199.14299 lineto
+313.13757 198.81422 313.38985 198.56845 313.67957 198.40569 curveto
+313.97253 198.24293 314.30945 198.16155 314.69031 198.16154 curveto
+315.31856 198.16155 315.79382 198.35686 316.11609 198.74748 curveto
+316.43835 199.13486 316.59948 199.70615 316.59949 200.46135 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+320.52039 198.92326 moveto
+320.03861 198.92327 319.65775 199.11207 319.37781 199.48967 curveto
+319.09786 199.86402 318.95788 200.37835 318.95789 201.03264 curveto
+318.95788 201.68694 319.09623 202.20289 319.37292 202.58049 curveto
+319.65287 202.95484 320.03536 203.14201 320.52039 203.14201 curveto
+320.9989 203.14201 321.37813 202.95321 321.65808 202.57561 curveto
+321.93802 202.198 322.078 201.68368 322.078 201.03264 curveto
+322.078 200.38486 321.93802 199.87216 321.65808 199.49455 curveto
+321.37813 199.1137 320.9989 198.92327 320.52039 198.92326 curveto
+320.52039 198.16154 moveto
+321.30163 198.16155 321.91524 198.41546 322.36121 198.92326 curveto
+322.80716 199.43108 323.03015 200.1342 323.03015 201.03264 curveto
+323.03015 201.92782 322.80716 202.63095 322.36121 203.14201 curveto
+321.91524 203.64983 321.30163 203.90373 320.52039 203.90373 curveto
+319.73588 203.90373 319.12064 203.64983 318.67468 203.14201 curveto
+318.23197 202.63095 318.01062 201.92782 318.01062 201.03264 curveto
+318.01062 200.1342 318.23197 199.43108 318.67468 198.92326 curveto
+319.12064 198.41546 319.73588 198.16155 320.52039 198.16154 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+323.99207 198.29338 moveto
+324.8905 198.29338 lineto
+326.01355 202.56096 lineto
+327.13171 198.29338 lineto
+328.19128 198.29338 lineto
+329.31433 202.56096 lineto
+330.4325 198.29338 lineto
+331.33093 198.29338 lineto
+329.90027 203.76213 lineto
+328.8407 203.76213 lineto
+327.66394 199.27971 lineto
+326.4823 203.76213 lineto
+325.42273 203.76213 lineto
+323.99207 198.29338 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+305.63477 140.25864 moveto
+305.63477 143.15903 lineto
+304.73145 143.15903 lineto
+304.73145 135.6102 lineto
+305.63477 135.6102 lineto
+305.63477 136.44028 lineto
+305.82357 136.11476 306.0612 135.87388 306.34766 135.71762 curveto
+306.63737 135.55812 306.98242 135.47837 307.38281 135.47836 curveto
+308.04687 135.47837 308.58561 135.74204 308.99902 136.26938 curveto
+309.41568 136.79673 309.62402 137.49009 309.62402 138.34946 curveto
+309.62402 139.20883 309.41568 139.90219 308.99902 140.42953 curveto
+308.58561 140.95688 308.04687 141.22055 307.38281 141.22055 curveto
+306.98242 141.22055 306.63737 141.14243 306.34766 140.98618 curveto
+306.0612 140.82667 305.82357 140.58416 305.63477 140.25864 curveto
+308.69141 138.34946 moveto
+308.6914 137.68865 308.55468 137.17108 308.28125 136.79672 curveto
+308.01106 136.41912 307.63834 136.23032 307.16309 136.23032 curveto
+306.68782 136.23032 306.31347 136.41912 306.04004 136.79672 curveto
+305.76985 137.17108 305.63476 137.68865 305.63477 138.34946 curveto
+305.63476 139.01027 305.76985 139.52947 306.04004 139.90707 curveto
+306.31347 140.28142 306.68782 140.4686 307.16309 140.4686 curveto
+307.63834 140.4686 308.01106 140.28142 308.28125 139.90707 curveto
+308.55468 139.52947 308.6914 139.01027 308.69141 138.34946 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+314.28223 136.45004 moveto
+314.18131 136.39145 314.07063 136.34914 313.9502 136.32309 curveto
+313.833 136.2938 313.7028 136.27915 313.55957 136.27914 curveto
+313.05175 136.27915 312.66113 136.44516 312.3877 136.77719 curveto
+312.11751 137.10597 311.98242 137.5796 311.98242 138.19809 curveto
+311.98242 141.07895 lineto
+311.0791 141.07895 lineto
+311.0791 135.6102 lineto
+311.98242 135.6102 lineto
+311.98242 136.45981 lineto
+312.17122 136.12778 312.41699 135.88201 312.71973 135.7225 curveto
+313.02246 135.55975 313.3903 135.47837 313.82324 135.47836 curveto
+313.88509 135.47837 313.95345 135.48325 314.02832 135.49301 curveto
+314.10319 135.49953 314.18619 135.51092 314.27734 135.52719 curveto
+314.28223 136.45004 lineto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+317.13867 136.24008 moveto
+316.6569 136.24009 316.27604 136.42889 315.99609 136.80649 curveto
+315.71614 137.18084 315.57617 137.69516 315.57617 138.34946 curveto
+315.57617 139.00376 315.71452 139.51971 315.99121 139.89731 curveto
+316.27116 140.27166 316.65364 140.45883 317.13867 140.45883 curveto
+317.61718 140.45883 317.99642 140.27003 318.27637 139.89243 curveto
+318.55631 139.51482 318.69628 139.0005 318.69629 138.34946 curveto
+318.69628 137.70167 318.55631 137.18898 318.27637 136.81137 curveto
+317.99642 136.43052 317.61718 136.24009 317.13867 136.24008 curveto
+317.13867 135.47836 moveto
+317.91992 135.47837 318.53352 135.73227 318.97949 136.24008 curveto
+319.42545 136.7479 319.64843 137.45102 319.64844 138.34946 curveto
+319.64843 139.24464 319.42545 139.94777 318.97949 140.45883 curveto
+318.53352 140.96664 317.91992 141.22055 317.13867 141.22055 curveto
+316.35416 141.22055 315.73893 140.96664 315.29297 140.45883 curveto
+314.85026 139.94777 314.62891 139.24464 314.62891 138.34946 curveto
+314.62891 137.45102 314.85026 136.7479 315.29297 136.24008 curveto
+315.73893 135.73227 316.35416 135.47837 317.13867 135.47836 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+323.25195 136.24008 moveto
+322.77018 136.24009 322.38932 136.42889 322.10938 136.80649 curveto
+321.82943 137.18084 321.68945 137.69516 321.68945 138.34946 curveto
+321.68945 139.00376 321.8278 139.51971 322.10449 139.89731 curveto
+322.38444 140.27166 322.76692 140.45883 323.25195 140.45883 curveto
+323.73047 140.45883 324.1097 140.27003 324.38965 139.89243 curveto
+324.66959 139.51482 324.80957 139.0005 324.80957 138.34946 curveto
+324.80957 137.70167 324.66959 137.18898 324.38965 136.81137 curveto
+324.1097 136.43052 323.73047 136.24009 323.25195 136.24008 curveto
+323.25195 135.47836 moveto
+324.0332 135.47837 324.64681 135.73227 325.09277 136.24008 curveto
+325.53873 136.7479 325.76171 137.45102 325.76172 138.34946 curveto
+325.76171 139.24464 325.53873 139.94777 325.09277 140.45883 curveto
+324.64681 140.96664 324.0332 141.22055 323.25195 141.22055 curveto
+322.46745 141.22055 321.85221 140.96664 321.40625 140.45883 curveto
+320.96354 139.94777 320.74219 139.24464 320.74219 138.34946 curveto
+320.74219 137.45102 320.96354 136.7479 321.40625 136.24008 curveto
+321.85221 135.73227 322.46745 135.47837 323.25195 135.47836 curveto
+fill
+grestore
+gsave
+0 0 0 setrgbcolor
+newpath
+330.01465 133.48129 moveto
+330.01465 134.22836 lineto
+329.15527 134.22836 lineto
+328.83301 134.22837 328.6084 134.29347 328.48145 134.42368 curveto
+328.35775 134.55389 328.2959 134.78827 328.2959 135.1268 curveto
+328.2959 135.6102 lineto
+329.77539 135.6102 lineto
+329.77539 136.30844 lineto
+328.2959 136.30844 lineto
+328.2959 141.07895 lineto
+327.39258 141.07895 lineto
+327.39258 136.30844 lineto
+326.5332 136.30844 lineto
+326.5332 135.6102 lineto
+327.39258 135.6102 lineto
+327.39258 135.22934 lineto
+327.39258 134.62062 327.53418 134.17791 327.81738 133.90121 curveto
+328.10058 133.62127 328.5498 133.4813 329.16504 133.48129 curveto
+330.01465 133.48129 lineto
+fill
+grestore
+grestore
+grestore
+showpage
+%%EOF
Binary file src/Doc/IsarRef/document/isar-vm.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/isar-vm.svg Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,460 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+<svg
+ xmlns:dc="http://purl.org/dc/elements/1.1/"
+ xmlns:cc="http://creativecommons.org/ns#"
+ xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+ xmlns:svg="http://www.w3.org/2000/svg"
+ xmlns="http://www.w3.org/2000/svg"
+ xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+ xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+ width="543.02673"
+ height="215.66071"
+ id="svg2"
+ sodipodi:version="0.32"
+ inkscape:version="0.46"
+ version="1.0"
+ sodipodi:docname="isar-vm.svg"
+ inkscape:output_extension="org.inkscape.output.svg.inkscape">
+ <defs
+ id="defs4">
+ <marker
+ inkscape:stockid="TriangleOutM"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="TriangleOutM"
+ style="overflow:visible">
+ <path
+ id="path4130"
+ d="M 5.77,0 L -2.88,5 L -2.88,-5 L 5.77,0 z"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+ transform="scale(0.4,0.4)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Mend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Mend"
+ style="overflow:visible">
+ <path
+ id="path3993"
+ d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+ transform="matrix(-0.4,0,0,-0.4,-4,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Lend"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Lend"
+ style="overflow:visible">
+ <path
+ id="path3207"
+ d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+ transform="matrix(-0.8,0,0,-0.8,-10,0)" />
+ </marker>
+ <marker
+ inkscape:stockid="Arrow1Lstart"
+ orient="auto"
+ refY="0"
+ refX="0"
+ id="Arrow1Lstart"
+ style="overflow:visible">
+ <path
+ id="path3204"
+ d="M 0,0 L 5,-5 L -12.5,0 L 5,5 L 0,0 z"
+ style="fill-rule:evenodd;stroke:#000000;stroke-width:1pt;marker-start:none"
+ transform="matrix(0.8,0,0,0.8,10,0)" />
+ </marker>
+ <inkscape:perspective
+ sodipodi:type="inkscape:persp3d"
+ inkscape:vp_x="0 : 526.18109 : 1"
+ inkscape:vp_y="0 : 1000 : 0"
+ inkscape:vp_z="744.09448 : 526.18109 : 1"
+ inkscape:persp3d-origin="372.04724 : 350.78739 : 1"
+ id="perspective10" />
+ </defs>
+ <sodipodi:namedview
+ id="base"
+ pagecolor="#ffffff"
+ bordercolor="#666666"
+ borderopacity="1.0"
+ gridtolerance="10"
+ guidetolerance="10"
+ objecttolerance="10"
+ inkscape:pageopacity="0.0"
+ inkscape:pageshadow="2"
+ inkscape:zoom="1.4142136"
+ inkscape:cx="305.44602"
+ inkscape:cy="38.897723"
+ inkscape:document-units="mm"
+ inkscape:current-layer="layer1"
+ showgrid="true"
+ inkscape:snap-global="true"
+ units="mm"
+ inkscape:window-width="1226"
+ inkscape:window-height="951"
+ inkscape:window-x="28"
+ inkscape:window-y="47">
+ <inkscape:grid
+ type="xygrid"
+ id="grid2383"
+ visible="true"
+ enabled="true"
+ units="mm"
+ spacingx="2.5mm"
+ spacingy="2.5mm"
+ empspacing="2" />
+ </sodipodi:namedview>
+ <metadata
+ id="metadata7">
+ <rdf:RDF>
+ <cc:Work
+ rdf:about="">
+ <dc:format>image/svg+xml</dc:format>
+ <dc:type
+ rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+ </cc:Work>
+ </rdf:RDF>
+ </metadata>
+ <g
+ inkscape:label="Layer 1"
+ inkscape:groupmode="layer"
+ id="layer1"
+ transform="translate(-44.641342,-76.87234)">
+ <g
+ id="g3448"
+ transform="translate(70.838012,79.725562)">
+ <rect
+ ry="17.67767"
+ y="131.52507"
+ x="212.09882"
+ height="53.149605"
+ width="70.866142"
+ id="rect3407"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
+ <text
+ sodipodi:linespacing="100%"
+ id="text3409"
+ y="164.06471"
+ x="223.50845"
+ style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ xml:space="preserve"><tspan
+ style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
+ y="164.06471"
+ x="223.50845"
+ id="tspan3411"
+ sodipodi:role="line">chain</tspan></text>
+ </g>
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99921262;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ d="M 424.72469,236.82544 L 356.83209,236.82544 L 356.83209,236.82544"
+ id="path3458" />
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99921268;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+ d="M 282.35183,236.82544 L 215.11403,236.82544 L 215.11403,236.82544"
+ id="path4771" />
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:0.99999994px;stroke-linecap:butt;stroke-linejoin:miter;marker-start:none;marker-mid:none;marker-end:url(#TriangleOutM);stroke-opacity:1"
+ d="M 424.69726,192.5341 L 215.13005,192.5341"
+ id="path4773" />
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
+ d="M 211.98429,148.24276 L 422.13162,148.24276"
+ id="path6883" />
+ <g
+ id="g3443"
+ transform="translate(70.866146,78.725567)">
+ <rect
+ ry="17.67767"
+ y="42.942394"
+ x="70.366531"
+ height="141.73228"
+ width="70.866142"
+ id="rect2586"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
+ <text
+ sodipodi:linespacing="100%"
+ id="text3370"
+ y="116.62494"
+ x="79.682419"
+ style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ xml:space="preserve"><tspan
+ style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
+ y="116.62494"
+ x="79.682419"
+ id="tspan3372"
+ sodipodi:role="line">prove</tspan></text>
+ </g>
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
+ d="M 176.66575,92.035445 L 176.66575,118.61025"
+ id="path7412" />
+ <path
+ sodipodi:type="arc"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path9011"
+ sodipodi:cx="119.58662"
+ sodipodi:cy="266.74686"
+ sodipodi:rx="93.01181"
+ sodipodi:ry="53.149605"
+ d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
+ transform="matrix(0.2378166,0,0,-0.2269133,90.621413,253.06251)"
+ sodipodi:start="0.29223018"
+ sodipodi:end="5.9921036"
+ sodipodi:open="true" />
+ <g
+ id="g3453"
+ transform="translate(70.866151,78.725565)">
+ <rect
+ ry="17.67767"
+ y="42.942394"
+ x="353.83112"
+ height="141.73228"
+ width="70.866142"
+ id="rect3381"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:0.99921262;stroke-linecap:round;stroke-linejoin:round;stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1" />
+ <text
+ sodipodi:linespacing="100%"
+ id="text3383"
+ y="119.31244"
+ x="365.98294"
+ style="font-size:18px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ xml:space="preserve"><tspan
+ style="font-size:16px;font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans Bold"
+ y="119.31244"
+ x="365.98294"
+ sodipodi:role="line"
+ id="tspan3387">state</tspan></text>
+ </g>
+ <path
+ style="fill:none;fill-opacity:0.75;fill-rule:evenodd;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;marker-end:url(#TriangleOutM);stroke-opacity:1"
+ d="M 460.13031,263.40024 L 460.13031,289.97505"
+ id="path7941" />
+ <path
+ sodipodi:type="arc"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path10594"
+ sodipodi:cx="119.58662"
+ sodipodi:cy="266.74686"
+ sodipodi:rx="93.01181"
+ sodipodi:ry="53.149605"
+ d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
+ transform="matrix(-0.2378166,0,0,0.2269133,546.17466,132.00569)"
+ sodipodi:start="0.29223018"
+ sodipodi:end="5.9921036"
+ sodipodi:open="true" />
+ <path
+ sodipodi:type="arc"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:bevel;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12210"
+ sodipodi:cx="119.58662"
+ sodipodi:cy="266.74686"
+ sodipodi:rx="93.01181"
+ sodipodi:ry="53.149605"
+ d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
+ transform="matrix(-0.2378166,0,0,0.2269133,546.17465,87.714359)"
+ sodipodi:start="0.29223018"
+ sodipodi:end="5.9921036"
+ sodipodi:open="true" />
+ <path
+ sodipodi:type="arc"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-start:none;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12212"
+ sodipodi:cx="119.58662"
+ sodipodi:cy="266.74686"
+ sodipodi:rx="93.01181"
+ sodipodi:ry="53.149605"
+ d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
+ transform="matrix(-0.2378166,0,0,0.2269133,546.17465,176.29703)"
+ sodipodi:start="0.29223018"
+ sodipodi:end="5.9921036"
+ sodipodi:open="true" />
+ <path
+ sodipodi:type="arc"
+ style="fill:none;fill-opacity:1;stroke:#000000;stroke-width:4.30137062;stroke-linecap:round;stroke-linejoin:round;marker-end:url(#TriangleOutM);stroke-miterlimit:4;stroke-dasharray:none;stroke-dashoffset:0;stroke-opacity:1"
+ id="path12214"
+ sodipodi:cx="119.58662"
+ sodipodi:cy="266.74686"
+ sodipodi:rx="93.01181"
+ sodipodi:ry="53.149605"
+ d="M 208.65508,282.05865 A 93.01181,53.149605 0 1 1 208.68579,251.49353"
+ transform="matrix(0,0.2378166,0.2269133,0,399.60191,71.056696)"
+ sodipodi:start="0.29223018"
+ sodipodi:end="5.9921036"
+ sodipodi:open="true" />
+ <text
+ xml:space="preserve"
+ style="font-size:12px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="173.49998"
+ y="97.094513"
+ id="text19307"
+ sodipodi:linespacing="100%"
+ transform="translate(17.216929,6.5104864)"><tspan
+ sodipodi:role="line"
+ id="tspan19309"
+ x="173.49998"
+ y="97.094513" /></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="185.52402"
+ y="110.07987"
+ id="text19311"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19313"
+ x="185.52402"
+ y="110.07987">theorem</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="389.99997"
+ y="11.594519"
+ id="text19315"
+ sodipodi:linespacing="100%"
+ transform="translate(17.216929,6.5104864)"><tspan
+ sodipodi:role="line"
+ id="tspan19317"
+ x="389.99997"
+ y="11.594519" /></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="468.98859"
+ y="280.47543"
+ id="text19319"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19321"
+ x="468.98859"
+ y="280.47543">qed</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="549.06946"
+ y="239.58423"
+ id="text19323"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19325"
+ x="549.06946"
+ y="239.58423">qed</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="549.39172"
+ y="191.26213"
+ id="text19327"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19329"
+ x="549.39172"
+ y="191.26213">fix</tspan><tspan
+ sodipodi:role="line"
+ x="549.39172"
+ y="201.26213"
+ id="tspan19331">assume</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="548.71301"
+ y="146.97079"
+ id="text19333"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19335"
+ x="548.71301"
+ y="146.97079">{ }</tspan><tspan
+ sodipodi:role="line"
+ x="548.71301"
+ y="156.97079"
+ id="tspan19337">next</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="477.84686"
+ y="98.264297"
+ id="text19339"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ x="477.84686"
+ y="98.264297"
+ id="tspan19343">note</tspan><tspan
+ sodipodi:role="line"
+ x="477.84686"
+ y="108.2643"
+ id="tspan19358">let</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="43.791733"
+ y="190.29289"
+ id="text19345"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19347"
+ x="43.791733"
+ y="190.29289">using</tspan><tspan
+ sodipodi:role="line"
+ x="43.791733"
+ y="200.29289"
+ id="tspan19349">unfolding</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="378.65891"
+ y="230.52518"
+ id="text19360"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19362"
+ x="378.65891"
+ y="230.52518">then</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:150%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="233.98795"
+ y="233.05347"
+ id="text19364"
+ sodipodi:linespacing="150%"><tspan
+ sodipodi:role="line"
+ x="233.98795"
+ y="233.05347"
+ id="tspan19368">have</tspan><tspan
+ sodipodi:role="line"
+ x="233.98795"
+ y="248.05347"
+ id="tspan19370">show</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:150%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="305.89636"
+ y="188.76213"
+ id="text19374"
+ sodipodi:linespacing="150%"><tspan
+ sodipodi:role="line"
+ x="305.89636"
+ y="188.76213"
+ id="tspan19376">have</tspan><tspan
+ sodipodi:role="line"
+ x="305.89636"
+ y="203.76213"
+ id="tspan19378">show</tspan></text>
+ <text
+ xml:space="preserve"
+ style="font-size:10px;font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;text-align:start;line-height:100%;writing-mode:lr-tb;text-anchor:start;fill:#000000;fill-opacity:1;stroke:none;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;font-family:Bitstream Vera Sans;-inkscape-font-specification:Bitstream Vera Sans"
+ x="303.82324"
+ y="141.07895"
+ id="text19380"
+ sodipodi:linespacing="100%"><tspan
+ sodipodi:role="line"
+ id="tspan19382"
+ x="303.82324"
+ y="141.07895">proof</tspan></text>
+ </g>
+</svg>
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,91 @@
+\documentclass[12pt,a4paper,fleqn]{report}
+\usepackage{amssymb}
+\usepackage{eurosym}
+\usepackage[english]{babel}
+\usepackage[only,bigsqcap]{stmaryrd}
+\usepackage{textcomp}
+\usepackage{latexsym}
+\usepackage{graphicx}
+\let\intorig=\int %iman.sty redefines \int
+\usepackage{iman,extra,isar,proof}
+\usepackage[nohyphen,strings]{underscore}
+\usepackage{isabelle}
+\usepackage{isabellesym}
+\usepackage{railsetup}
+\usepackage{ttbox}
+\usepackage{supertabular}
+\usepackage{style}
+\usepackage{pdfsetup}
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+
+\isadroptag{theory}
+\title{\includegraphics[scale=0.5]{isabelle_isar} \\[4ex] The Isabelle/Isar Reference Manual}
+\author{\emph{Makarius Wenzel} \\[3ex]
+ With Contributions by
+ Clemens Ballarin,
+ Stefan Berghofer, \\
+ Jasmin Blanchette,
+ Timothy Bourke,
+ Lukas Bulwahn, \\
+ Lucas Dixon,
+ Florian Haftmann,
+ Brian Huffman, \\
+ Gerwin Klein,
+ Alexander Krauss,
+ Ond\v{r}ej Kun\v{c}ar, \\
+ Tobias Nipkow,
+ Lars Noschinski,
+ David von Oheimb, \\
+ Larry Paulson,
+ Sebastian Skalberg
+}
+
+\makeindex
+
+\chardef\charbackquote=`\`
+\newcommand{\backquote}{\mbox{\tt\charbackquote}}
+
+
+\begin{document}
+
+\maketitle
+
+\pagenumbering{roman}
+{\def\isamarkupchapter#1{\chapter*{#1}}\input{Preface.tex}}
+\tableofcontents
+\clearfirst
+
+\part{Basic Concepts}
+\input{Synopsis.tex}
+\input{Framework.tex}
+\input{First_Order_Logic.tex}
+\part{General Language Elements}
+\input{Outer_Syntax.tex}
+\input{Document_Preparation.tex}
+\input{Spec.tex}
+\input{Proof.tex}
+\input{Inner_Syntax.tex}
+\input{Misc.tex}
+\input{Generic.tex}
+\part{Object-Logic}
+\input{HOL_Specific.tex}
+
+\part{Appendix}
+\appendix
+\input{Quick_Reference.tex}
+\let\int\intorig
+\input{Symbols.tex}
+\input{ML_Tactic.tex}
+
+\begingroup
+ \tocentry{\bibname}
+ \bibliographystyle{abbrv} \small\raggedright\frenchspacing
+ \bibliography{manual}
+\endgroup
+
+\tocentry{\indexname}
+\printindex
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/showsymbols Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,26 @@
+#!/usr/bin/env perl
+
+print "\\begin{supertabular}{ll\@{\\qquad}ll}\n";
+
+$eol = "&";
+
+while (<ARGV>) {
+ if (m/^\\newcommand\{\\isasym([A-Za-z]+)\}/) {
+ print "\\verb,\\<$1>, & {\\isasym$1} $eol\n";
+# print "\\verb,\\<$1>, & \\isactrlbold{\\isasym$1}~{\\isasym$1} $eol\n";
+# print "\\verb,\\<$1>, & B\\isactrlsup{\\isasym$1} $eol\n";
+# print "\\verb,\\<$1>, & B\\isactrlsub{\\isasym$1} $eol\n";
+ if ("$eol" eq "&") {
+ $eol = "\\\\";
+ } else {
+ $eol = "&";
+ }
+ }
+}
+
+if ("$eol" eq "\\\\") {
+ print "$eol\n";
+}
+
+print "\\end{supertabular}\n";
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/IsarRef/document/style.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,47 @@
+%% toc
+\newcommand{\tocentry}[1]{\cleardoublepage\phantomsection\addcontentsline{toc}{chapter}{#1}
+\@mkboth{\MakeUppercase{#1}}{\MakeUppercase{#1}}}
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+%% references
+\newcommand{\secref}[1]{\S\ref{#1}}
+\newcommand{\chref}[1]{chapter~\ref{#1}}
+\newcommand{\Chref}[1]{Chapter~\ref{#1}}
+\newcommand{\appref}[1]{appendix~\ref{#1}}
+\newcommand{\Appref}[1]{Appendix~\ref{#1}}
+\newcommand{\figref}[1]{figure~\ref{#1}}
+\newcommand{\Figref}[1]{Figure~\ref{#1}}
+
+%% Isar
+\newcommand{\isasymBBAR}{{\,\newdimen{\tmpheight}\settoheight\tmpheight{\isacharbar}\rule{1pt}{\tmpheight}\,}}
+\isafoldtag{noproof}\def\isafoldnoproof{~\isafold{proof}}
+\newcommand{\isadigitreset}{\def\isadigit##1{##1}}
+\renewcommand{\isacommand}[1]{\isakeyword{\isadigitreset#1}}
+
+%% ML
+\newenvironment{mldecls}{\par\noindent\begingroup\def\isanewline{\\}\begin{tabular}{ll}}{\end{tabular}\medskip\endgroup}
+
+\renewcommand{\isatagML}{\begingroup\isabellestyle{default}\isastyle\isadigitreset}
+\renewcommand{\endisatagML}{\endgroup}
+
+%% math
+\newcommand{\isasymstrut}{\isamath{\mathstrut}}
+\newcommand{\isasymvartheta}{\isamath{\,\theta}}
+\newcommand{\isactrlvec}[1]{\emph{$\overline{#1}$}}
+\renewcommand{\isadigit}[1]{\isamath{#1}}
+\newcommand{\text}[1]{\mbox{#1}}
+
+%% global style options
+\pagestyle{headings}
+\sloppy
+
+\parindent 0pt\parskip 0.5ex
+
+\isabellestyle{literal}
+
+\newcommand{\isasymdash}{\isatext{\mbox{-}}}
+
+\railtermfont{\isabellestyle{tt}}
+\railnontermfont{\isabellestyle{literal}}
+\railnamefont{\isabellestyle{literal}}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/LaTeXsugar/Sugar.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,461 @@
+(*<*)
+theory Sugar
+imports "~~/src/HOL/Library/LaTeXsugar" "~~/src/HOL/Library/OptionalSugar"
+begin
+(*>*)
+
+section "Introduction"
+
+text{* This document is for those Isabelle users who have mastered
+the art of mixing \LaTeX\ text and Isabelle theories and never want to
+typeset a theorem by hand anymore because they have experienced the
+bliss of writing \verb!@!\verb!{thm[display]setsum_cartesian_product[no_vars]}!
+and seeing Isabelle typeset it for them:
+@{thm[display,eta_contract=false] setsum_cartesian_product[no_vars]}
+No typos, no omissions, no sweat.
+If you have not experienced that joy, read Chapter 4, \emph{Presenting
+Theories}, \cite{LNCS2283} first.
+
+If you have mastered the art of Isabelle's \emph{antiquotations},
+i.e.\ things like the above \verb!@!\verb!{thm...}!, beware: in your vanity
+you may be tempted to think that all readers of the stunning ps or pdf
+documents you can now produce at the drop of a hat will be struck with
+awe at the beauty unfolding in front of their eyes. Until one day you
+come across that very critical of readers known as the ``common referee''.
+He has the nasty habit of refusing to understand unfamiliar notation
+like Isabelle's infamous @{text"\<lbrakk> \<rbrakk> \<Longrightarrow>"} no matter how many times you
+explain it in your paper. Even worse, he thinks that using @{text"\<lbrakk>
+\<rbrakk>"} for anything other than denotational semantics is a cardinal sin
+that must be punished by instant rejection.
+
+
+This document shows you how to make Isabelle and \LaTeX\ cooperate to
+produce ordinary looking mathematics that hides the fact that it was
+typeset by a machine. You merely need to load the right files:
+\begin{itemize}
+\item Import theory \texttt{LaTeXsugar} in the header of your own
+theory. You may also want bits of \texttt{OptionalSugar}, which you can
+copy selectively into your own theory or import as a whole. Both
+theories live in \texttt{HOL/Library} and are found automatically.
+
+\item Should you need additional \LaTeX\ packages (the text will tell
+you so), you include them at the beginning of your \LaTeX\ document,
+typically in \texttt{root.tex}. For a start, you should
+\verb!\usepackage{amssymb}! --- otherwise typesetting
+@{prop[source]"\<not>(\<exists>x. P x)"} will fail because the AMS symbol
+@{text"\<nexists>"} is missing.
+\end{itemize}
+*}
+
+section{* HOL syntax*}
+
+subsection{* Logic *}
+
+text{*
+ The formula @{prop[source]"\<not>(\<exists>x. P x)"} is typeset as @{prop"~(EX x. P x)"}.
+
+The predefined constructs @{text"if"}, @{text"let"} and
+@{text"case"} are set in sans serif font to distinguish them from
+other functions. This improves readability:
+\begin{itemize}
+\item @{term"if b then e\<^isub>1 else e\<^isub>2"} instead of @{text"if b then e\<^isub>1 else e\<^isub>2"}.
+\item @{term"let x = e\<^isub>1 in e\<^isub>2"} instead of @{text"let x = e\<^isub>1 in e\<^isub>2"}.
+\item @{term"case x of True \<Rightarrow> e\<^isub>1 | False \<Rightarrow> e\<^isub>2"} instead of\\
+ @{text"case x of True \<Rightarrow> e\<^isub>1 | False \<Rightarrow> e\<^isub>2"}.
+\end{itemize}
+*}
+
+subsection{* Sets *}
+
+text{* Although set syntax in HOL is already close to
+standard, we provide a few further improvements:
+\begin{itemize}
+\item @{term"{x. P}"} instead of @{text"{x. P}"}.
+\item @{term"{}"} instead of @{text"{}"}, where
+ @{term"{}"} is also input syntax.
+\item @{term"insert a (insert b (insert c M))"} instead of @{text"insert a (insert b (insert c M))"}.
+\end{itemize}
+*}
+
+subsection{* Lists *}
+
+text{* If lists are used heavily, the following notations increase readability:
+\begin{itemize}
+\item @{term"x # xs"} instead of @{text"x # xs"},
+ where @{term"x # xs"} is also input syntax.
+If you prefer more space around the $\cdot$ you have to redefine
+\verb!\isasymcdot! in \LaTeX:
+\verb!\renewcommand{\isasymcdot}{\isamath{\,\cdot\,}}!
+
+\item @{term"length xs"} instead of @{text"length xs"}.
+\item @{term"nth xs n"} instead of @{text"nth xs n"},
+ the $n$th element of @{text xs}.
+
+\item Human readers are good at converting automatically from lists to
+sets. Hence \texttt{OptionalSugar} contains syntax for suppressing the
+conversion function @{const set}: for example, @{prop[source]"x \<in> set xs"}
+becomes @{prop"x \<in> set xs"}.
+
+\item The @{text"@"} operation associates implicitly to the right,
+which leads to unpleasant line breaks if the term is too long for one
+line. To avoid this, \texttt{OptionalSugar} contains syntax to group
+@{text"@"}-terms to the left before printing, which leads to better
+line breaking behaviour:
+@{term[display]"term\<^isub>0 @ term\<^isub>1 @ term\<^isub>2 @ term\<^isub>3 @ term\<^isub>4 @ term\<^isub>5 @ term\<^isub>6 @ term\<^isub>7 @ term\<^isub>8 @ term\<^isub>9 @ term\<^isub>1\<^isub>0"}
+
+\end{itemize}
+*}
+
+subsection{* Numbers *}
+
+text{* Coercions between numeric types are alien to mathematicians who
+consider, for example, @{typ nat} as a subset of @{typ int}.
+\texttt{OptionalSugar} contains syntax for suppressing numeric coercions such
+as @{const int} @{text"::"} @{typ"nat \<Rightarrow> int"}. For example,
+@{term[source]"int 5"} is printed as @{term "int 5"}. Embeddings of types
+@{typ nat}, @{typ int}, @{typ real} are covered; non-injective coercions such
+as @{const nat} @{text"::"} @{typ"int \<Rightarrow> nat"} are not and should not be
+hidden. *}
+
+section "Printing theorems"
+
+subsection "Question marks"
+
+text{* If you print anything, especially theorems, containing
+schematic variables they are prefixed with a question mark:
+\verb!@!\verb!{thm conjI}! results in @{thm conjI}. Most of the time
+you would rather not see the question marks. There is an attribute
+\verb!no_vars! that you can attach to the theorem that turns its
+schematic into ordinary free variables: \verb!@!\verb!{thm conjI[no_vars]}!
+results in @{thm conjI[no_vars]}.
+
+This \verb!no_vars! business can become a bit tedious.
+If you would rather never see question marks, simply put
+\begin{quote}
+@{ML "Printer.show_question_marks_default := false"}\verb!;!
+\end{quote}
+at the beginning of your file \texttt{ROOT.ML}.
+The rest of this document is produced with this flag set to \texttt{false}.
+
+Hint: Setting @{ML Printer.show_question_marks_default} to \texttt{false} only
+suppresses question marks; variables that end in digits,
+e.g. @{text"x1"}, are still printed with a trailing @{text".0"},
+e.g. @{text"x1.0"}, their internal index. This can be avoided by
+turning the last digit into a subscript: write \verb!x\<^isub>1! and
+obtain the much nicer @{text"x\<^isub>1"}. *}
+
+(*<*)declare [[show_question_marks = false]](*>*)
+
+subsection {*Qualified names*}
+
+text{* If there are multiple declarations of the same name, Isabelle prints
+the qualified name, for example @{text "T.length"}, where @{text T} is the
+theory it is defined in, to distinguish it from the predefined @{const[source]
+"List.length"}. In case there is no danger of confusion, you can insist on
+short names (no qualifiers) by setting the \verb!names_short!
+configuration option in the context.
+*}
+
+subsection {*Variable names\label{sec:varnames}*}
+
+text{* It sometimes happens that you want to change the name of a
+variable in a theorem before printing it. This can easily be achieved
+with the help of Isabelle's instantiation attribute \texttt{where}:
+@{thm conjI[where P = \<phi> and Q = \<psi>]} is the result of
+\begin{quote}
+\verb!@!\verb!{thm conjI[where P = \<phi> and Q = \<psi>]}!
+\end{quote}
+To support the ``\_''-notation for irrelevant variables
+the constant \texttt{DUMMY} has been introduced:
+@{thm fst_conv[where b = DUMMY]} is produced by
+\begin{quote}
+\verb!@!\verb!{thm fst_conv[where b = DUMMY]}!
+\end{quote}
+Variables that are bound by quantifiers or lambdas cannot be renamed
+like this. Instead, the attribute \texttt{rename\_abs} does the
+job. It expects a list of names or underscores, similar to the
+\texttt{of} attribute:
+\begin{quote}
+\verb!@!\verb!{thm split_paired_All[rename_abs _ l r]}!
+\end{quote}
+produces @{thm split_paired_All[rename_abs _ l r]}.
+*}
+
+subsection "Inference rules"
+
+text{* To print theorems as inference rules you need to include Didier
+R\'emy's \texttt{mathpartir} package~\cite{mathpartir}
+for typesetting inference rules in your \LaTeX\ file.
+
+Writing \verb!@!\verb!{thm[mode=Rule] conjI}! produces
+@{thm[mode=Rule] conjI}, even in the middle of a sentence.
+If you prefer your inference rule on a separate line, maybe with a name,
+\begin{center}
+@{thm[mode=Rule] conjI} {\sc conjI}
+\end{center}
+is produced by
+\begin{quote}
+\verb!\begin{center}!\\
+\verb!@!\verb!{thm[mode=Rule] conjI} {\sc conjI}!\\
+\verb!\end{center}!
+\end{quote}
+It is not recommended to use the standard \texttt{display} option
+together with \texttt{Rule} because centering does not work and because
+the line breaking mechanisms of \texttt{display} and \texttt{mathpartir} can
+clash.
+
+Of course you can display multiple rules in this fashion:
+\begin{quote}
+\verb!\begin{center}!\\
+\verb!@!\verb!{thm[mode=Rule] conjI} {\sc conjI} \\[1ex]!\\
+\verb!@!\verb!{thm[mode=Rule] conjE} {\sc disjI$_1$} \qquad!\\
+\verb!@!\verb!{thm[mode=Rule] disjE} {\sc disjI$_2$}!\\
+\verb!\end{center}!
+\end{quote}
+yields
+\begin{center}\small
+@{thm[mode=Rule] conjI} {\sc conjI} \\[1ex]
+@{thm[mode=Rule] disjI1} {\sc disjI$_1$} \qquad
+@{thm[mode=Rule] disjI2} {\sc disjI$_2$}
+\end{center}
+
+The \texttt{mathpartir} package copes well if there are too many
+premises for one line:
+\begin{center}
+@{prop[mode=Rule] "\<lbrakk> A \<longrightarrow> B; B \<longrightarrow> C; C \<longrightarrow> D; D \<longrightarrow> E; E \<longrightarrow> F; F \<longrightarrow> G;
+ G \<longrightarrow> H; H \<longrightarrow> I; I \<longrightarrow> J; J \<longrightarrow> K \<rbrakk> \<Longrightarrow> A \<longrightarrow> K"}
+\end{center}
+
+Limitations: 1. Premises and conclusion must each not be longer than
+the line. 2. Premises that are @{text"\<Longrightarrow>"}-implications are again
+displayed with a horizontal line, which looks at least unusual.
+
+
+In case you print theorems without premises no rule will be printed by the
+\texttt{Rule} print mode. However, you can use \texttt{Axiom} instead:
+\begin{quote}
+\verb!\begin{center}!\\
+\verb!@!\verb!{thm[mode=Axiom] refl} {\sc refl}! \\
+\verb!\end{center}!
+\end{quote}
+yields
+\begin{center}
+@{thm[mode=Axiom] refl} {\sc refl}
+\end{center}
+*}
+
+subsection "Displays and font sizes"
+
+text{* When displaying theorems with the \texttt{display} option, e.g.
+\verb!@!\verb!{thm[display] refl}! @{thm[display] refl} the theorem is
+set in small font. It uses the \LaTeX-macro \verb!\isastyle!,
+which is also the style that regular theory text is set in, e.g. *}
+
+lemma "t = t"
+(*<*)oops(*>*)
+
+text{* \noindent Otherwise \verb!\isastyleminor! is used,
+which does not modify the font size (assuming you stick to the default
+\verb!\isabellestyle{it}! in \texttt{root.tex}). If you prefer
+normal font size throughout your text, include
+\begin{quote}
+\verb!\renewcommand{\isastyle}{\isastyleminor}!
+\end{quote}
+in \texttt{root.tex}. On the other hand, if you like the small font,
+just put \verb!\isastyle! in front of the text in question,
+e.g.\ at the start of one of the center-environments above.
+
+The advantage of the display option is that you can display a whole
+list of theorems in one go. For example,
+\verb!@!\verb!{thm[display] append.simps}!
+generates @{thm[display] append.simps}
+*}
+
+subsection "If-then"
+
+text{* If you prefer a fake ``natural language'' style you can produce
+the body of
+\newtheorem{theorem}{Theorem}
+\begin{theorem}
+@{thm[mode=IfThen] le_trans}
+\end{theorem}
+by typing
+\begin{quote}
+\verb!@!\verb!{thm[mode=IfThen] le_trans}!
+\end{quote}
+
+In order to prevent odd line breaks, the premises are put into boxes.
+At times this is too drastic:
+\begin{theorem}
+@{prop[mode=IfThen] "longpremise \<Longrightarrow> longerpremise \<Longrightarrow> P(f(f(f(f(f(f(f(f(f(x)))))))))) \<Longrightarrow> longestpremise \<Longrightarrow> conclusion"}
+\end{theorem}
+In which case you should use \texttt{IfThenNoBox} instead of
+\texttt{IfThen}:
+\begin{theorem}
+@{prop[mode=IfThenNoBox] "longpremise \<Longrightarrow> longerpremise \<Longrightarrow> P(f(f(f(f(f(f(f(f(f(x)))))))))) \<Longrightarrow> longestpremise \<Longrightarrow> conclusion"}
+\end{theorem}
+*}
+
+subsection{* Doing it yourself\label{sec:yourself}*}
+
+text{* If for some reason you want or need to present theorems your
+own way, you can extract the premises and the conclusion explicitly
+and combine them as you like:
+\begin{itemize}
+\item \verb!@!\verb!{thm (prem 1)! $thm$\verb!}!
+prints premise 1 of $thm$.
+\item \verb!@!\verb!{thm (concl)! $thm$\verb!}!
+prints the conclusion of $thm$.
+\end{itemize}
+For example, ``from @{thm (prem 2) conjI} and
+@{thm (prem 1) conjI} we conclude @{thm (concl) conjI}''
+is produced by
+\begin{quote}
+\verb!from !\verb!@!\verb!{thm (prem 2) conjI}! \verb!and !\verb!@!\verb!{thm (prem 1) conjI}!\\
+\verb!we conclude !\verb!@!\verb!{thm (concl) conjI}!
+\end{quote}
+Thus you can rearrange or hide premises and typeset the theorem as you like.
+Styles like \verb!(prem 1)! are a general mechanism explained
+in \S\ref{sec:styles}.
+*}
+
+subsection "Patterns"
+
+text {*
+
+ In \S\ref{sec:varnames} we shows how to create patterns containing
+ ``@{term DUMMY}''.
+ You can drive this game even further and extend the syntax of let
+ bindings such that certain functions like @{term fst}, @{term hd},
+ etc.\ are printed as patterns. \texttt{OptionalSugar} provides the
+ following:
+
+ \begin{center}
+ \begin{tabular}{l@ {~~produced by~~}l}
+ @{term "let x = fst p in t"} & \verb!@!\verb!{term "let x = fst p in t"}!\\
+ @{term "let x = snd p in t"} & \verb!@!\verb!{term "let x = snd p in t"}!\\
+ @{term "let x = hd xs in t"} & \verb!@!\verb!{term "let x = hd xs in t"}!\\
+ @{term "let x = tl xs in t"} & \verb!@!\verb!{term "let x = tl xs in t"}!\\
+ @{term "let x = the y in t"} & \verb!@!\verb!{term "let x = the y in t"}!\\
+ \end{tabular}
+ \end{center}
+*}
+
+section "Proofs"
+
+text {* Full proofs, even if written in beautiful Isar style, are
+likely to be too long and detailed to be included in conference
+papers, but some key lemmas might be of interest.
+It is usually easiest to put them in figures like the one in Fig.\
+\ref{fig:proof}. This was achieved with the \isakeyword{text\_raw} command:
+*}
+text_raw {*
+ \begin{figure}
+ \begin{center}\begin{minipage}{0.6\textwidth}
+ \isastyleminor\isamarkuptrue
+*}
+lemma True
+proof -
+ -- "pretty trivial"
+ show True by force
+qed
+text_raw {*
+ \end{minipage}\end{center}
+ \caption{Example proof in a figure.}\label{fig:proof}
+ \end{figure}
+*}
+text {*
+
+\begin{quote}
+\small
+\verb!text_raw {!\verb!*!\\
+\verb! \begin{figure}!\\
+\verb! \begin{center}\begin{minipage}{0.6\textwidth}!\\
+\verb! \isastyleminor\isamarkuptrue!\\
+\verb!*!\verb!}!\\
+\verb!lemma True!\\
+\verb!proof -!\\
+\verb! -- "pretty trivial"!\\
+\verb! show True by force!\\
+\verb!qed!\\
+\verb!text_raw {!\verb!*!\\
+\verb! \end{minipage}\end{center}!\\
+\verb! \caption{Example proof in a figure.}\label{fig:proof}!\\
+\verb! \end{figure}!\\
+\verb!*!\verb!}!
+\end{quote}
+
+Other theory text, e.g.\ definitions, can be put in figures, too.
+*}
+
+section {*Styles\label{sec:styles}*}
+
+text {*
+ The \verb!thm! antiquotation works nicely for single theorems, but
+ sets of equations as used in definitions are more difficult to
+ typeset nicely: people tend to prefer aligned @{text "="} signs.
+
+ To deal with such cases where it is desirable to dive into the structure
+ of terms and theorems, Isabelle offers antiquotations featuring
+ ``styles'':
+
+ \begin{quote}
+ \verb!@!\verb!{thm (style) thm}!\\
+ \verb!@!\verb!{prop (style) thm}!\\
+ \verb!@!\verb!{term (style) term}!\\
+ \verb!@!\verb!{term_type (style) term}!\\
+ \verb!@!\verb!{typeof (style) term}!\\
+ \end{quote}
+
+ A ``style'' is a transformation of a term. There are predefined
+ styles, namely \verb!lhs! and \verb!rhs!, \verb!prem! with one argument, and \verb!concl!.
+ For example,
+ the output
+ \begin{center}
+ \begin{tabular}{l@ {~~@{text "="}~~}l}
+ @{thm (lhs) append_Nil} & @{thm (rhs) append_Nil}\\
+ @{thm (lhs) append_Cons} & @{thm (rhs) append_Cons}
+ \end{tabular}
+ \end{center}
+ is produced by the following code:
+ \begin{quote}
+ \verb!\begin{center}!\\
+ \verb!\begin{tabular}{l@ {~~!\verb!@!\verb!{text "="}~~}l}!\\
+ \verb!@!\verb!{thm (lhs) append_Nil} & @!\verb!{thm (rhs) append_Nil}\\!\\
+ \verb!@!\verb!{thm (lhs) append_Cons} & @!\verb!{thm (rhs) append_Cons}!\\
+ \verb!\end{tabular}!\\
+ \verb!\end{center}!
+ \end{quote}
+ Note the space between \verb!@! and \verb!{! in the tabular argument.
+ It prevents Isabelle from interpreting \verb!@ {~~...~~}!
+ as an antiquotation. The styles \verb!lhs! and \verb!rhs!
+ extract the left hand side (or right hand side respectively) from the
+ conclusion of propositions consisting of a binary operator
+ (e.~g.~@{text "="}, @{text "\<equiv>"}, @{text "<"}).
+
+ Likewise, \verb!concl! may be used as a style to show just the
+ conclusion of a proposition. For example, take \verb!hd_Cons_tl!:
+ \begin{center}
+ @{thm hd_Cons_tl}
+ \end{center}
+ To print just the conclusion,
+ \begin{center}
+ @{thm (concl) hd_Cons_tl}
+ \end{center}
+ type
+ \begin{quote}
+ \verb!\begin{center}!\\
+ \verb!@!\verb!{thm (concl) hd_Cons_tl}!\\
+ \verb!\end{center}!
+ \end{quote}
+ Beware that any options must be placed \emph{before}
+ the style, as in this example.
+
+ Further use cases can be found in \S\ref{sec:yourself}.
+ If you are not afraid of ML, you may also define your own styles.
+ Have a look at module @{ML_struct Term_Style}.
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/LaTeXsugar/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/LaTeXsugar/document/mathpartir.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,388 @@
+% Mathpartir --- Math Paragraph for Typesetting Inference Rules
+%
+% Copyright (C) 2001, 2002, 2003 Didier Rémy
+%
+% Author : Didier Remy
+% Version : 1.1.1
+% Bug Reports : to author
+% Web Site : http://pauillac.inria.fr/~remy/latex/
+%
+% WhizzyTeX is free software; you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation; either version 2, or (at your option)
+% any later version.
+%
+% Mathpartir is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details
+% (http://pauillac.inria.fr/~remy/license/GPL).
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% File mathpartir.sty (LaTeX macros)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{mathpartir}
+ [2003/07/10 version 1.1.1 Math Paragraph for Typesetting Inference Rules]
+
+%%
+
+%% Identification
+%% Preliminary declarations
+
+\RequirePackage {keyval}
+
+%% Options
+%% More declarations
+
+%% PART I: Typesetting maths in paragraphe mode
+
+\newdimen \mpr@tmpdim
+
+% To ensure hevea \hva compatibility, \hva should expands to nothing
+% in mathpar or in inferrule
+\let \mpr@hva \empty
+
+%% normal paragraph parametters, should rather be taken dynamically
+\def \mpr@savepar {%
+ \edef \MathparNormalpar
+ {\noexpand \lineskiplimit \the\lineskiplimit
+ \noexpand \lineskip \the\lineskip}%
+ }
+
+\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
+\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
+\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
+\let \MathparLineskip \mpr@lineskip
+\def \mpr@paroptions {\MathparLineskip}
+\let \mpr@prebindings \relax
+
+\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
+
+\def \mpr@goodbreakand
+ {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
+\def \mpr@and {\hskip \mpr@andskip}
+\def \mpr@andcr {\penalty 50\mpr@and}
+\def \mpr@cr {\penalty -10000\mpr@and}
+\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
+
+\def \mpr@bindings {%
+ \let \and \mpr@andcr
+ \let \par \mpr@andcr
+ \let \\\mpr@cr
+ \let \eqno \mpr@eqno
+ \let \hva \mpr@hva
+ }
+\let \MathparBindings \mpr@bindings
+
+% \@ifundefined {ignorespacesafterend}
+% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
+
+\newenvironment{mathpar}[1][]
+ {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
+ \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
+ \noindent $\displaystyle\fi
+ \MathparBindings}
+ {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
+
+% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
+% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
+
+%%% HOV BOXES
+
+\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
+ \vbox \bgroup \tabskip 0em \let \\ \cr
+ \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
+ \egroup}
+
+\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
+ \box0\else \mathvbox {#1}\fi}
+
+
+%% Part II -- operations on lists
+
+\newtoks \mpr@lista
+\newtoks \mpr@listb
+
+\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
+
+\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
+
+\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
+\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
+
+\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
+\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
+
+\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
+\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
+
+\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
+ \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
+ \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
+ \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
+ \mpr@flatten \mpr@all \mpr@to \mpr@one
+ \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
+ \mpr@all \mpr@stripend
+ \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
+ \ifx 1\mpr@isempty
+ \repeat
+}
+
+%% Part III -- Type inference rules
+
+\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
+ \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
+
+\newif \if@premisse
+\newbox \mpr@hlist
+\newbox \mpr@vlist
+\newif \ifmpr@center \mpr@centertrue
+\def \mpr@htovlist {%
+ \setbox \mpr@hlist
+ \hbox {\strut
+ \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
+ \unhbox \mpr@hlist}%
+ \setbox \mpr@vlist
+ \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+ \else \unvbox \mpr@vlist \box \mpr@hlist
+ \fi}%
+}
+% OLD version
+% \def \mpr@htovlist {%
+% \setbox \mpr@hlist
+% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
+% \setbox \mpr@vlist
+% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+% \else \unvbox \mpr@vlist \box \mpr@hlist
+% \fi}%
+% }
+
+\def \mpr@sep{2em}
+\def \mpr@blank { }
+\def \mpr@hovbox #1#2{\hbox
+ \bgroup
+ \ifx #1T\@premissetrue
+ \else \ifx #1B\@premissefalse
+ \else
+ \PackageError{mathpartir}
+ {Premisse orientation should either be P or B}
+ {Fatal error in Package}%
+ \fi \fi
+ \def \@test {#2}\ifx \@test \mpr@blank\else
+ \setbox \mpr@hlist \hbox {}%
+ \setbox \mpr@vlist \vbox {}%
+ \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
+ \let \@hvlist \empty \let \@rev \empty
+ \mpr@tmpdim 0em
+ \expandafter \mpr@makelist #2\mpr@to \mpr@flat
+ \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
+ \def \\##1{%
+ \def \@test {##1}\ifx \@test \empty
+ \mpr@htovlist
+ \mpr@tmpdim 0em %%% last bug fix not extensively checked
+ \else
+ \setbox0 \hbox{$\displaystyle {##1}$}\relax
+ \advance \mpr@tmpdim by \wd0
+ %\mpr@tmpdim 1.02\mpr@tmpdim
+ \ifnum \mpr@tmpdim < \hsize
+ \ifnum \wd\mpr@hlist > 0
+ \if@premisse
+ \setbox \mpr@hlist
+ \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
+ \else
+ \setbox \mpr@hlist
+ \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
+ \fi
+ \else
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \else
+ \ifnum \wd \mpr@hlist > 0
+ \mpr@htovlist
+ \mpr@tmpdim \wd0
+ \fi
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \advance \mpr@tmpdim by \mpr@sep
+ \fi
+ }%
+ \@rev
+ \mpr@htovlist
+ \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
+ \fi
+ \egroup
+}
+
+%%% INFERENCE RULES
+
+\@ifundefined{@@over}{%
+ \let\@@over\over % fallback if amsmath is not loaded
+ \let\@@overwithdelims\overwithdelims
+ \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
+ \let\@@above\above \let\@@abovewithdelims\abovewithdelims
+ }{}
+
+
+\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
+ $\displaystyle {#1\@@over #2}$}}
+\let \mpr@fraction \mpr@@fraction
+\def \mpr@@reduce #1#2{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
+\def \mpr@@rewrite #1#2#3{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
+\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
+
+\def \mpr@empty {}
+\def \mpr@inferrule
+ {\bgroup
+ \ifnum \linewidth<\hsize \hsize \linewidth\fi
+ \mpr@rulelineskip
+ \let \and \qquad
+ \let \hva \mpr@hva
+ \let \@rulename \mpr@empty
+ \let \@rule@options \mpr@empty
+ \mpr@inferrule@}
+\newcommand {\mpr@inferrule@}[3][]
+ {\everymath={\displaystyle}%
+ \def \@test {#2}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
+ \else
+ \def \@test {#3}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
+ \else
+ \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
+ \fi \fi
+ \def \@test {#1}\ifx \@test\empty \box0
+ \else \vbox
+%%% Suggestion de Francois pour les etiquettes longues
+%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
+ {\hbox {\RefTirName {#1}}\box0}\fi
+ \egroup}
+
+\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
+
+% They are two forms
+% \inferrule [label]{[premisses}{conclusions}
+% or
+% \inferrule* [options]{[premisses}{conclusions}
+%
+% Premisses and conclusions are lists of elements separated by \\
+% Each \\ produces a break, attempting horizontal breaks if possible,
+% and vertical breaks if needed.
+%
+% An empty element obtained by \\\\ produces a vertical break in all cases.
+%
+% The former rule is aligned on the fraction bar.
+% The optional label appears on top of the rule
+% The second form to be used in a derivation tree is aligned on the last
+% line of its conclusion
+%
+% The second form can be parameterized, using the key=val interface. The
+% folloiwng keys are recognized:
+%
+% width set the width of the rule to val
+% narrower set the width of the rule to val\hsize
+% before execute val at the beginning/left
+% lab put a label [Val] on top of the rule
+% lskip add negative skip on the right
+% left put a left label [Val]
+% Left put a left label [Val], ignoring its width
+% right put a right label [Val]
+% Right put a right label [Val], ignoring its width
+% leftskip skip negative space on the left-hand side
+% rightskip skip negative space on the right-hand side
+% vdots lift the rule by val and fill vertical space with dots
+% after execute val at the end/right
+%
+% Note that most options must come in this order to avoid strange
+% typesetting (in particular leftskip must preceed left and Left and
+% rightskip must follow Right or right; vdots must come last
+% or be only followed by rightskip.
+%
+
+\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
+\define@key {mprset}{center}[]{\mpr@centertrue}
+\def \mprset #1{\setkeys{mprset}{#1}}
+
+\newbox \mpr@right
+\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
+\define@key {mpr}{center}[]{\mpr@centertrue}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{width}{\hsize #1}
+\define@key {mpr}{sep}{\def\mpr@sep{#1}}
+\define@key {mpr}{before}{#1}
+\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{narrower}{\hsize #1\hsize}
+\define@key {mpr}{leftskip}{\hskip -#1}
+\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
+\define@key {mpr}{rightskip}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
+\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
+\define@key {mpr}{right}
+ {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{RIGHT}
+ {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{Right}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
+\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
+\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
+
+\newdimen \rule@dimen
+\newcommand \mpr@inferstar@ [3][]{\setbox0
+ \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
+ \setbox \mpr@right \hbox{}%
+ $\setkeys{mpr}{#1}%
+ \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
+ \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
+ \box \mpr@right \mpr@vdots$}
+ \setbox1 \hbox {\strut}
+ \rule@dimen \dp0 \advance \rule@dimen by -\dp1
+ \raise \rule@dimen \box0}
+
+\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
+\newcommand \mpr@err@skipargs[3][]{}
+\def \mpr@inferstar*{\ifmmode
+ \let \@do \mpr@inferstar@
+ \else
+ \let \@do \mpr@err@skipargs
+ \PackageError {mathpartir}
+ {\string\inferrule* can only be used in math mode}{}%
+ \fi \@do}
+
+
+%%% Exports
+
+% Envirnonment mathpar
+
+\let \inferrule \mpr@infer
+
+% make a short name \infer is not already defined
+\@ifundefined {infer}{\let \infer \mpr@infer}{}
+
+\def \tir@name #1{\hbox {\small \sc #1}}
+\let \TirName \tir@name
+\let \RefTirName \tir@name
+
+%%% Other Exports
+
+% \let \listcons \mpr@cons
+% \let \listsnoc \mpr@snoc
+% \let \listhead \mpr@head
+% \let \listmake \mpr@makelist
+
+
+
+
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/LaTeXsugar/document/root.bib Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,12 @@
+@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel},
+title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic",
+publisher=Springer,series=LNCS,volume=2283,year=2002,
+note={\url{http://www.in.tum.de/~nipkow/LNCS2283/}}}
+
+@misc{mathpartir,author={Didier R\'emy},title={mathpartir},
+note={\url{http://cristal.inria.fr/~remy/latex/}}}
+
+@misc{tar,author={Gerwin Klein and Norber Schirmer and Tobias Nipkow},
+title={{LaTeX} sugar theories and support files},
+note={\url{http://isabelle.in.tum.de/sugar.tar.gz}}}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/LaTeXsugar/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,43 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{isabelle,isabellesym}
+
+% further packages required for unusual symbols (see also isabellesym.sty)
+% use only when needed
+\usepackage{amssymb}
+
+\usepackage{mathpartir}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+\hyphenation{Isa-belle}
+\begin{document}
+
+\title{\LaTeX\ Sugar for Isabelle Documents}
+\author{Florian Haftmann, Gerwin Klein, Tobias Nipkow, Norbert Schirmer}
+\maketitle
+
+\begin{abstract}
+This document shows how to typset mathematics in Isabelle-based
+documents in a style close to that in ordinary computer science papers.
+\end{abstract}
+
+%\tableofcontents
+
+% generated text of all theories
+\input{Sugar.tex}
+
+% optional bibliography
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/Examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,768 @@
+theory Examples
+imports Main
+begin
+
+(*
+text {* The following presentation will use notation of
+ Isabelle's meta logic, hence a few sentences to explain this.
+ The logical
+ primitives are universal quantification (@{text "\<And>"}), entailment
+ (@{text "\<Longrightarrow>"}) and equality (@{text "\<equiv>"}). Variables (not bound
+ variables) are sometimes preceded by a question mark. The logic is
+ typed. Type variables are denoted by~@{text "'a"},~@{text "'b"}
+ etc., and~@{text "\<Rightarrow>"} is the function type. Double brackets~@{text
+ "\<lbrakk>"} and~@{text "\<rbrakk>"} are used to abbreviate nested entailment.
+*}
+*)
+
+section {* Introduction *}
+
+text {*
+ Locales are based on contexts. A \emph{context} can be seen as a
+ formula schema
+\[
+ @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> \<dots>"}
+\]
+ where the variables~@{text "x\<^sub>1"}, \ldots,~@{text "x\<^sub>n"} are called
+ \emph{parameters} and the premises $@{text "A\<^sub>1"}, \ldots,~@{text
+ "A\<^sub>m"}$ \emph{assumptions}. A formula~@{text "C"}
+ is a \emph{theorem} in the context if it is a conclusion
+\[
+ @{text "\<And>x\<^sub>1\<dots>x\<^sub>n. \<lbrakk> A\<^sub>1; \<dots> ;A\<^sub>m \<rbrakk> \<Longrightarrow> C"}.
+\]
+ Isabelle/Isar's notion of context goes beyond this logical view.
+ Its contexts record, in a consecutive order, proved
+ conclusions along with \emph{attributes}, which can provide context
+ specific configuration information for proof procedures and concrete
+ syntax. From a logical perspective, locales are just contexts that
+ have been made persistent. To the user, though, they provide
+ powerful means for declaring and combining contexts, and for the
+ reuse of theorems proved in these contexts.
+ *}
+
+section {* Simple Locales *}
+
+text {*
+ In its simplest form, a
+ \emph{locale declaration} consists of a sequence of context elements
+ declaring parameters (keyword \isakeyword{fixes}) and assumptions
+ (keyword \isakeyword{assumes}). The following is the specification of
+ partial orders, as locale @{text partial_order}.
+ *}
+
+ locale partial_order =
+ fixes le :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "\<sqsubseteq>" 50)
+ assumes refl [intro, simp]: "x \<sqsubseteq> x"
+ and anti_sym [intro]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> x \<rbrakk> \<Longrightarrow> x = y"
+ and trans [trans]: "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"
+
+text (in partial_order) {* The parameter of this locale is~@{text le},
+ which is a binary predicate with infix syntax~@{text \<sqsubseteq>}. The
+ parameter syntax is available in the subsequent
+ assumptions, which are the familiar partial order axioms.
+
+ Isabelle recognises unbound names as free variables. In locale
+ assumptions, these are implicitly universally quantified. That is,
+ @{term "\<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"} in fact means
+ @{term "\<And>x y z. \<lbrakk> x \<sqsubseteq> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubseteq> z"}.
+
+ Two commands are provided to inspect locales:
+ \isakeyword{print\_locales} lists the names of all locales of the
+ current theory; \isakeyword{print\_locale}~$n$ prints the parameters
+ and assumptions of locale $n$; the variation \isakeyword{print\_locale!}~$n$
+ additionally outputs the conclusions that are stored in the locale.
+ We may inspect the new locale
+ by issuing \isakeyword{print\_locale!} @{term partial_order}. The output
+ is the following list of context elements.
+\begin{small}
+\begin{alltt}
+ \isakeyword{fixes} le :: "'a \(\Rightarrow\) 'a \(\Rightarrow\) bool" (\isakeyword{infixl} "\(\sqsubseteq\)" 50)
+ \isakeyword{assumes} "partial_order op \(\sqsubseteq\)"
+ \isakeyword{notes} assumption
+ refl [intro, simp] = `?x \(\sqsubseteq\) ?x`
+ \isakeyword{and}
+ anti_sym [intro] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?x\(\isasymrbrakk\) \(\Longrightarrow\) ?x = ?y`
+ \isakeyword{and}
+ trans [trans] = `\(\isasymlbrakk\)?x \(\sqsubseteq\) ?y; ?y \(\sqsubseteq\) ?z\(\isasymrbrakk\) \(\Longrightarrow\) ?x \(\sqsubseteq\) ?z`
+\end{alltt}
+\end{small}
+ The keyword \isakeyword{notes} denotes a conclusion element. There
+ is one conclusion, which was added automatically. Instead, there is
+ only one assumption, namely @{term "partial_order le"}. The locale
+ declaration has introduced the predicate @{term
+ partial_order} to the theory. This predicate is the
+ \emph{locale predicate}. Its definition may be inspected by
+ issuing \isakeyword{thm} @{thm [source] partial_order_def}.
+ @{thm [display, indent=2] partial_order_def}
+ In our example, this is a unary predicate over the parameter of the
+ locale. It is equivalent to the original assumptions, which have
+ been turned into conclusions and are
+ available as theorems in the context of the locale. The names and
+ attributes from the locale declaration are associated to these
+ theorems and are effective in the context of the locale.
+
+ Each conclusion has a \emph{foundational theorem} as counterpart
+ in the theory. Technically, this is simply the theorem composed
+ of context and conclusion. For the transitivity theorem, this is
+ @{thm [source] partial_order.trans}:
+ @{thm [display, indent=2] partial_order.trans}
+*}
+
+subsection {* Targets: Extending Locales *}
+
+text {*
+ The specification of a locale is fixed, but its list of conclusions
+ may be extended through Isar commands that take a \emph{target} argument.
+ In the following, \isakeyword{definition} and
+ \isakeyword{theorem} are illustrated.
+ Table~\ref{tab:commands-with-target} lists Isar commands that accept
+ a target. Isar provides various ways of specifying the target. A
+ target for a single command may be indicated with keyword
+ \isakeyword{in} in the following way:
+
+\begin{table}
+\hrule
+\vspace{2ex}
+\begin{center}
+\begin{tabular}{ll}
+ \isakeyword{definition} & definition through an equation \\
+ \isakeyword{inductive} & inductive definition \\
+ \isakeyword{primrec} & primitive recursion \\
+ \isakeyword{fun}, \isakeyword{function} & general recursion \\
+ \isakeyword{abbreviation} & syntactic abbreviation \\
+ \isakeyword{theorem}, etc.\ & theorem statement with proof \\
+ \isakeyword{theorems}, etc.\ & redeclaration of theorems \\
+ \isakeyword{text}, etc.\ & document markup
+\end{tabular}
+\end{center}
+\hrule
+\caption{Isar commands that accept a target.}
+\label{tab:commands-with-target}
+\end{table}
+ *}
+
+ definition (in partial_order)
+ less :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "\<sqsubset>" 50)
+ where "(x \<sqsubset> y) = (x \<sqsubseteq> y \<and> x \<noteq> y)"
+
+text (in partial_order) {* The strict order @{text less} with infix
+ syntax~@{text \<sqsubset>} is
+ defined in terms of the locale parameter~@{text le} and the general
+ equality of the object logic we work in. The definition generates a
+ \emph{foundational constant}
+ @{term partial_order.less} with definition @{thm [source]
+ partial_order.less_def}:
+ @{thm [display, indent=2] partial_order.less_def}
+ At the same time, the locale is extended by syntax transformations
+ hiding this construction in the context of the locale. Here, the
+ abbreviation @{text less} is available for
+ @{text "partial_order.less le"}, and it is printed
+ and parsed as infix~@{text \<sqsubset>}. Finally, the conclusion @{thm [source]
+ less_def} is added to the locale:
+ @{thm [display, indent=2] less_def}
+*}
+
+text {* The treatment of theorem statements is more straightforward.
+ As an example, here is the derivation of a transitivity law for the
+ strict order relation. *}
+
+ lemma (in partial_order) less_le_trans [trans]:
+ "\<lbrakk> x \<sqsubset> y; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<sqsubset> z"
+ unfolding %visible less_def by %visible (blast intro: trans)
+
+text {* In the context of the proof, conclusions of the
+ locale may be used like theorems. Attributes are effective: @{text
+ anti_sym} was
+ declared as introduction rule, hence it is in the context's set of
+ rules used by the classical reasoner by default. *}
+
+subsection {* Context Blocks *}
+
+text {* When working with locales, sequences of commands with the same
+ target are frequent. A block of commands, delimited by
+ \isakeyword{begin} and \isakeyword{end}, makes a theory-like style
+ of working possible. All commands inside the block refer to the
+ same target. A block may immediately follow a locale
+ declaration, which makes that locale the target. Alternatively the
+ target for a block may be given with the \isakeyword{context}
+ command.
+
+ This style of working is illustrated in the block below, where
+ notions of infimum and supremum for partial orders are introduced,
+ together with theorems about their uniqueness. *}
+
+ context partial_order
+ begin
+
+ definition
+ is_inf where "is_inf x y i =
+ (i \<sqsubseteq> x \<and> i \<sqsubseteq> y \<and> (\<forall>z. z \<sqsubseteq> x \<and> z \<sqsubseteq> y \<longrightarrow> z \<sqsubseteq> i))"
+
+ definition
+ is_sup where "is_sup x y s =
+ (x \<sqsubseteq> s \<and> y \<sqsubseteq> s \<and> (\<forall>z. x \<sqsubseteq> z \<and> y \<sqsubseteq> z \<longrightarrow> s \<sqsubseteq> z))"
+
+ lemma %invisible is_infI [intro?]: "i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow>
+ (\<And>z. z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i) \<Longrightarrow> is_inf x y i"
+ by (unfold is_inf_def) blast
+
+ lemma %invisible is_inf_lower [elim?]:
+ "is_inf x y i \<Longrightarrow> (i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow> C) \<Longrightarrow> C"
+ by (unfold is_inf_def) blast
+
+ lemma %invisible is_inf_greatest [elim?]:
+ "is_inf x y i \<Longrightarrow> z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i"
+ by (unfold is_inf_def) blast
+
+ theorem is_inf_uniq: "\<lbrakk>is_inf x y i; is_inf x y i'\<rbrakk> \<Longrightarrow> i = i'"
+ proof -
+ assume inf: "is_inf x y i"
+ assume inf': "is_inf x y i'"
+ show ?thesis
+ proof (rule anti_sym)
+ from inf' show "i \<sqsubseteq> i'"
+ proof (rule is_inf_greatest)
+ from inf show "i \<sqsubseteq> x" ..
+ from inf show "i \<sqsubseteq> y" ..
+ qed
+ from inf show "i' \<sqsubseteq> i"
+ proof (rule is_inf_greatest)
+ from inf' show "i' \<sqsubseteq> x" ..
+ from inf' show "i' \<sqsubseteq> y" ..
+ qed
+ qed
+ qed
+
+ theorem %invisible is_inf_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> is_inf x y x"
+ proof -
+ assume "x \<sqsubseteq> y"
+ show ?thesis
+ proof
+ show "x \<sqsubseteq> x" ..
+ show "x \<sqsubseteq> y" by fact
+ fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> y" show "z \<sqsubseteq> x" by fact
+ qed
+ qed
+
+ lemma %invisible is_supI [intro?]: "x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow>
+ (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Longrightarrow> is_sup x y s"
+ by (unfold is_sup_def) blast
+
+ lemma %invisible is_sup_least [elim?]:
+ "is_sup x y s \<Longrightarrow> x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z"
+ by (unfold is_sup_def) blast
+
+ lemma %invisible is_sup_upper [elim?]:
+ "is_sup x y s \<Longrightarrow> (x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow> C) \<Longrightarrow> C"
+ by (unfold is_sup_def) blast
+
+ theorem is_sup_uniq: "\<lbrakk>is_sup x y s; is_sup x y s'\<rbrakk> \<Longrightarrow> s = s'"
+ proof -
+ assume sup: "is_sup x y s"
+ assume sup': "is_sup x y s'"
+ show ?thesis
+ proof (rule anti_sym)
+ from sup show "s \<sqsubseteq> s'"
+ proof (rule is_sup_least)
+ from sup' show "x \<sqsubseteq> s'" ..
+ from sup' show "y \<sqsubseteq> s'" ..
+ qed
+ from sup' show "s' \<sqsubseteq> s"
+ proof (rule is_sup_least)
+ from sup show "x \<sqsubseteq> s" ..
+ from sup show "y \<sqsubseteq> s" ..
+ qed
+ qed
+ qed
+
+ theorem %invisible is_sup_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> is_sup x y y"
+ proof -
+ assume "x \<sqsubseteq> y"
+ show ?thesis
+ proof
+ show "x \<sqsubseteq> y" by fact
+ show "y \<sqsubseteq> y" ..
+ fix z assume "x \<sqsubseteq> z" and "y \<sqsubseteq> z"
+ show "y \<sqsubseteq> z" by fact
+ qed
+ qed
+
+ end
+
+text {* The syntax of the locale commands discussed in this tutorial is
+ shown in Table~\ref{tab:commands}. The grammar is complete with the
+ exception of the context elements \isakeyword{constrains} and
+ \isakeyword{defines}, which are provided for backward
+ compatibility. See the Isabelle/Isar Reference
+ Manual~\cite{IsarRef} for full documentation. *}
+
+
+section {* Import \label{sec:import} *}
+
+text {*
+ Algebraic structures are commonly defined by adding operations and
+ properties to existing structures. For example, partial orders
+ are extended to lattices and total orders. Lattices are extended to
+ distributive lattices. *}
+
+text {*
+ With locales, this kind of inheritance is achieved through
+ \emph{import} of locales. The import part of a locale declaration,
+ if present, precedes the context elements. Here is an example,
+ where partial orders are extended to lattices.
+ *}
+
+ locale lattice = partial_order +
+ assumes ex_inf: "\<exists>inf. is_inf x y inf"
+ and ex_sup: "\<exists>sup. is_sup x y sup"
+ begin
+
+text {* These assumptions refer to the predicates for infimum
+ and supremum defined for @{text partial_order} in the previous
+ section. We now introduce the notions of meet and join. *}
+
+ definition
+ meet (infixl "\<sqinter>" 70) where "x \<sqinter> y = (THE inf. is_inf x y inf)"
+ definition
+ join (infixl "\<squnion>" 65) where "x \<squnion> y = (THE sup. is_sup x y sup)"
+
+ lemma %invisible meet_equality [elim?]: "is_inf x y i \<Longrightarrow> x \<sqinter> y = i"
+ proof (unfold meet_def)
+ assume "is_inf x y i"
+ then show "(THE i. is_inf x y i) = i"
+ by (rule the_equality) (rule is_inf_uniq [OF _ `is_inf x y i`])
+ qed
+
+ lemma %invisible meetI [intro?]:
+ "i \<sqsubseteq> x \<Longrightarrow> i \<sqsubseteq> y \<Longrightarrow> (\<And>z. z \<sqsubseteq> x \<Longrightarrow> z \<sqsubseteq> y \<Longrightarrow> z \<sqsubseteq> i) \<Longrightarrow> x \<sqinter> y = i"
+ by (rule meet_equality, rule is_infI) blast+
+
+ lemma %invisible is_inf_meet [intro?]: "is_inf x y (x \<sqinter> y)"
+ proof (unfold meet_def)
+ from ex_inf obtain i where "is_inf x y i" ..
+ then show "is_inf x y (THE i. is_inf x y i)"
+ by (rule theI) (rule is_inf_uniq [OF _ `is_inf x y i`])
+ qed
+
+ lemma %invisible meet_left [intro?]:
+ "x \<sqinter> y \<sqsubseteq> x"
+ by (rule is_inf_lower) (rule is_inf_meet)
+
+ lemma %invisible meet_right [intro?]:
+ "x \<sqinter> y \<sqsubseteq> y"
+ by (rule is_inf_lower) (rule is_inf_meet)
+
+ lemma %invisible meet_le [intro?]:
+ "\<lbrakk> z \<sqsubseteq> x; z \<sqsubseteq> y \<rbrakk> \<Longrightarrow> z \<sqsubseteq> x \<sqinter> y"
+ by (rule is_inf_greatest) (rule is_inf_meet)
+
+ lemma %invisible join_equality [elim?]: "is_sup x y s \<Longrightarrow> x \<squnion> y = s"
+ proof (unfold join_def)
+ assume "is_sup x y s"
+ then show "(THE s. is_sup x y s) = s"
+ by (rule the_equality) (rule is_sup_uniq [OF _ `is_sup x y s`])
+ qed
+
+ lemma %invisible joinI [intro?]: "x \<sqsubseteq> s \<Longrightarrow> y \<sqsubseteq> s \<Longrightarrow>
+ (\<And>z. x \<sqsubseteq> z \<Longrightarrow> y \<sqsubseteq> z \<Longrightarrow> s \<sqsubseteq> z) \<Longrightarrow> x \<squnion> y = s"
+ by (rule join_equality, rule is_supI) blast+
+
+ lemma %invisible is_sup_join [intro?]: "is_sup x y (x \<squnion> y)"
+ proof (unfold join_def)
+ from ex_sup obtain s where "is_sup x y s" ..
+ then show "is_sup x y (THE s. is_sup x y s)"
+ by (rule theI) (rule is_sup_uniq [OF _ `is_sup x y s`])
+ qed
+
+ lemma %invisible join_left [intro?]:
+ "x \<sqsubseteq> x \<squnion> y"
+ by (rule is_sup_upper) (rule is_sup_join)
+
+ lemma %invisible join_right [intro?]:
+ "y \<sqsubseteq> x \<squnion> y"
+ by (rule is_sup_upper) (rule is_sup_join)
+
+ lemma %invisible join_le [intro?]:
+ "\<lbrakk> x \<sqsubseteq> z; y \<sqsubseteq> z \<rbrakk> \<Longrightarrow> x \<squnion> y \<sqsubseteq> z"
+ by (rule is_sup_least) (rule is_sup_join)
+
+ theorem %invisible meet_assoc: "(x \<sqinter> y) \<sqinter> z = x \<sqinter> (y \<sqinter> z)"
+ proof (rule meetI)
+ show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> x \<sqinter> y"
+ proof
+ show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> x" ..
+ show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y"
+ proof -
+ have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
+ also have "\<dots> \<sqsubseteq> y" ..
+ finally show ?thesis .
+ qed
+ qed
+ show "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> z"
+ proof -
+ have "x \<sqinter> (y \<sqinter> z) \<sqsubseteq> y \<sqinter> z" ..
+ also have "\<dots> \<sqsubseteq> z" ..
+ finally show ?thesis .
+ qed
+ fix w assume "w \<sqsubseteq> x \<sqinter> y" and "w \<sqsubseteq> z"
+ show "w \<sqsubseteq> x \<sqinter> (y \<sqinter> z)"
+ proof
+ show "w \<sqsubseteq> x"
+ proof -
+ have "w \<sqsubseteq> x \<sqinter> y" by fact
+ also have "\<dots> \<sqsubseteq> x" ..
+ finally show ?thesis .
+ qed
+ show "w \<sqsubseteq> y \<sqinter> z"
+ proof
+ show "w \<sqsubseteq> y"
+ proof -
+ have "w \<sqsubseteq> x \<sqinter> y" by fact
+ also have "\<dots> \<sqsubseteq> y" ..
+ finally show ?thesis .
+ qed
+ show "w \<sqsubseteq> z" by fact
+ qed
+ qed
+ qed
+
+ theorem %invisible meet_commute: "x \<sqinter> y = y \<sqinter> x"
+ proof (rule meetI)
+ show "y \<sqinter> x \<sqsubseteq> x" ..
+ show "y \<sqinter> x \<sqsubseteq> y" ..
+ fix z assume "z \<sqsubseteq> y" and "z \<sqsubseteq> x"
+ then show "z \<sqsubseteq> y \<sqinter> x" ..
+ qed
+
+ theorem %invisible meet_join_absorb: "x \<sqinter> (x \<squnion> y) = x"
+ proof (rule meetI)
+ show "x \<sqsubseteq> x" ..
+ show "x \<sqsubseteq> x \<squnion> y" ..
+ fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> x \<squnion> y"
+ show "z \<sqsubseteq> x" by fact
+ qed
+
+ theorem %invisible join_assoc: "(x \<squnion> y) \<squnion> z = x \<squnion> (y \<squnion> z)"
+ proof (rule joinI)
+ show "x \<squnion> y \<sqsubseteq> x \<squnion> (y \<squnion> z)"
+ proof
+ show "x \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
+ show "y \<sqsubseteq> x \<squnion> (y \<squnion> z)"
+ proof -
+ have "y \<sqsubseteq> y \<squnion> z" ..
+ also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
+ finally show ?thesis .
+ qed
+ qed
+ show "z \<sqsubseteq> x \<squnion> (y \<squnion> z)"
+ proof -
+ have "z \<sqsubseteq> y \<squnion> z" ..
+ also have "... \<sqsubseteq> x \<squnion> (y \<squnion> z)" ..
+ finally show ?thesis .
+ qed
+ fix w assume "x \<squnion> y \<sqsubseteq> w" and "z \<sqsubseteq> w"
+ show "x \<squnion> (y \<squnion> z) \<sqsubseteq> w"
+ proof
+ show "x \<sqsubseteq> w"
+ proof -
+ have "x \<sqsubseteq> x \<squnion> y" ..
+ also have "\<dots> \<sqsubseteq> w" by fact
+ finally show ?thesis .
+ qed
+ show "y \<squnion> z \<sqsubseteq> w"
+ proof
+ show "y \<sqsubseteq> w"
+ proof -
+ have "y \<sqsubseteq> x \<squnion> y" ..
+ also have "... \<sqsubseteq> w" by fact
+ finally show ?thesis .
+ qed
+ show "z \<sqsubseteq> w" by fact
+ qed
+ qed
+ qed
+
+ theorem %invisible join_commute: "x \<squnion> y = y \<squnion> x"
+ proof (rule joinI)
+ show "x \<sqsubseteq> y \<squnion> x" ..
+ show "y \<sqsubseteq> y \<squnion> x" ..
+ fix z assume "y \<sqsubseteq> z" and "x \<sqsubseteq> z"
+ then show "y \<squnion> x \<sqsubseteq> z" ..
+ qed
+
+ theorem %invisible join_meet_absorb: "x \<squnion> (x \<sqinter> y) = x"
+ proof (rule joinI)
+ show "x \<sqsubseteq> x" ..
+ show "x \<sqinter> y \<sqsubseteq> x" ..
+ fix z assume "x \<sqsubseteq> z" and "x \<sqinter> y \<sqsubseteq> z"
+ show "x \<sqsubseteq> z" by fact
+ qed
+
+ theorem %invisible meet_idem: "x \<sqinter> x = x"
+ proof -
+ have "x \<sqinter> (x \<squnion> (x \<sqinter> x)) = x" by (rule meet_join_absorb)
+ also have "x \<squnion> (x \<sqinter> x) = x" by (rule join_meet_absorb)
+ finally show ?thesis .
+ qed
+
+ theorem %invisible meet_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> x \<sqinter> y = x"
+ proof (rule meetI)
+ assume "x \<sqsubseteq> y"
+ show "x \<sqsubseteq> x" ..
+ show "x \<sqsubseteq> y" by fact
+ fix z assume "z \<sqsubseteq> x" and "z \<sqsubseteq> y"
+ show "z \<sqsubseteq> x" by fact
+ qed
+
+ theorem %invisible meet_related2 [elim?]: "y \<sqsubseteq> x \<Longrightarrow> x \<sqinter> y = y"
+ by (drule meet_related) (simp add: meet_commute)
+
+ theorem %invisible join_related [elim?]: "x \<sqsubseteq> y \<Longrightarrow> x \<squnion> y = y"
+ proof (rule joinI)
+ assume "x \<sqsubseteq> y"
+ show "y \<sqsubseteq> y" ..
+ show "x \<sqsubseteq> y" by fact
+ fix z assume "x \<sqsubseteq> z" and "y \<sqsubseteq> z"
+ show "y \<sqsubseteq> z" by fact
+ qed
+
+ theorem %invisible join_related2 [elim?]: "y \<sqsubseteq> x \<Longrightarrow> x \<squnion> y = x"
+ by (drule join_related) (simp add: join_commute)
+
+ theorem %invisible meet_connection: "(x \<sqsubseteq> y) = (x \<sqinter> y = x)"
+ proof
+ assume "x \<sqsubseteq> y"
+ then have "is_inf x y x" ..
+ then show "x \<sqinter> y = x" ..
+ next
+ have "x \<sqinter> y \<sqsubseteq> y" ..
+ also assume "x \<sqinter> y = x"
+ finally show "x \<sqsubseteq> y" .
+ qed
+
+ theorem %invisible join_connection: "(x \<sqsubseteq> y) = (x \<squnion> y = y)"
+ proof
+ assume "x \<sqsubseteq> y"
+ then have "is_sup x y y" ..
+ then show "x \<squnion> y = y" ..
+ next
+ have "x \<sqsubseteq> x \<squnion> y" ..
+ also assume "x \<squnion> y = y"
+ finally show "x \<sqsubseteq> y" .
+ qed
+
+ theorem %invisible meet_connection2: "(x \<sqsubseteq> y) = (y \<sqinter> x = x)"
+ using meet_commute meet_connection by simp
+
+ theorem %invisible join_connection2: "(x \<sqsubseteq> y) = (x \<squnion> y = y)"
+ using join_commute join_connection by simp
+
+ text %invisible {* Naming according to Jacobson I, p.\ 459. *}
+ lemmas %invisible L1 = join_commute meet_commute
+ lemmas %invisible L2 = join_assoc meet_assoc
+ (* lemmas L3 = join_idem meet_idem *)
+ lemmas %invisible L4 = join_meet_absorb meet_join_absorb
+
+ end
+
+text {* Locales for total orders and distributive lattices follow to
+ establish a sufficiently rich landscape of locales for
+ further examples in this tutorial. Each comes with an example
+ theorem. *}
+
+ locale total_order = partial_order +
+ assumes total: "x \<sqsubseteq> y \<or> y \<sqsubseteq> x"
+
+ lemma (in total_order) less_total: "x \<sqsubset> y \<or> x = y \<or> y \<sqsubset> x"
+ using total
+ by (unfold less_def) blast
+
+ locale distrib_lattice = lattice +
+ assumes meet_distr: "x \<sqinter> (y \<squnion> z) = x \<sqinter> y \<squnion> x \<sqinter> z"
+
+ lemma (in distrib_lattice) join_distr:
+ "x \<squnion> (y \<sqinter> z) = (x \<squnion> y) \<sqinter> (x \<squnion> z)" (* txt {* Jacobson I, p.\ 462 *} *)
+ proof -
+ have "x \<squnion> (y \<sqinter> z) = (x \<squnion> (x \<sqinter> z)) \<squnion> (y \<sqinter> z)" by (simp add: L4)
+ also have "... = x \<squnion> ((x \<sqinter> z) \<squnion> (y \<sqinter> z))" by (simp add: L2)
+ also have "... = x \<squnion> ((x \<squnion> y) \<sqinter> z)" by (simp add: L1 meet_distr)
+ also have "... = ((x \<squnion> y) \<sqinter> x) \<squnion> ((x \<squnion> y) \<sqinter> z)" by (simp add: L1 L4)
+ also have "... = (x \<squnion> y) \<sqinter> (x \<squnion> z)" by (simp add: meet_distr)
+ finally show ?thesis .
+ qed
+
+text {*
+ The locale hierarchy obtained through these declarations is shown in
+ Figure~\ref{fig:lattices}(a).
+
+\begin{figure}
+\hrule \vspace{2ex}
+\begin{center}
+\subfigure[Declared hierarchy]{
+\begin{tikzpicture}
+ \node (po) at (0,0) {@{text partial_order}};
+ \node (lat) at (-1.5,-1) {@{text lattice}};
+ \node (dlat) at (-1.5,-2) {@{text distrib_lattice}};
+ \node (to) at (1.5,-1) {@{text total_order}};
+ \draw (po) -- (lat);
+ \draw (lat) -- (dlat);
+ \draw (po) -- (to);
+% \draw[->, dashed] (lat) -- (to);
+\end{tikzpicture}
+} \\
+\subfigure[Total orders are lattices]{
+\begin{tikzpicture}
+ \node (po) at (0,0) {@{text partial_order}};
+ \node (lat) at (0,-1) {@{text lattice}};
+ \node (dlat) at (-1.5,-2) {@{text distrib_lattice}};
+ \node (to) at (1.5,-2) {@{text total_order}};
+ \draw (po) -- (lat);
+ \draw (lat) -- (dlat);
+ \draw (lat) -- (to);
+% \draw[->, dashed] (dlat) -- (to);
+\end{tikzpicture}
+} \quad
+\subfigure[Total orders are distributive lattices]{
+\begin{tikzpicture}
+ \node (po) at (0,0) {@{text partial_order}};
+ \node (lat) at (0,-1) {@{text lattice}};
+ \node (dlat) at (0,-2) {@{text distrib_lattice}};
+ \node (to) at (0,-3) {@{text total_order}};
+ \draw (po) -- (lat);
+ \draw (lat) -- (dlat);
+ \draw (dlat) -- (to);
+\end{tikzpicture}
+}
+\end{center}
+\hrule
+\caption{Hierarchy of Lattice Locales.}
+\label{fig:lattices}
+\end{figure}
+ *}
+
+section {* Changing the Locale Hierarchy
+ \label{sec:changing-the-hierarchy} *}
+
+text {*
+ Locales enable to prove theorems abstractly, relative to
+ sets of assumptions. These theorems can then be used in other
+ contexts where the assumptions themselves, or
+ instances of the assumptions, are theorems. This form of theorem
+ reuse is called \emph{interpretation}. Locales generalise
+ interpretation from theorems to conclusions, enabling the reuse of
+ definitions and other constructs that are not part of the
+ specifications of the locales.
+
+ The first form of interpretation we will consider in this tutorial
+ is provided by the \isakeyword{sublocale} command. It enables to
+ modify the import hierarchy to reflect the \emph{logical} relation
+ between locales.
+
+ Consider the locale hierarchy from Figure~\ref{fig:lattices}(a).
+ Total orders are lattices, although this is not reflected here, and
+ definitions, theorems and other conclusions
+ from @{term lattice} are not available in @{term total_order}. To
+ obtain the situation in Figure~\ref{fig:lattices}(b), it is
+ sufficient to add the conclusions of the latter locale to the former.
+ The \isakeyword{sublocale} command does exactly this.
+ The declaration \isakeyword{sublocale} $l_1
+ \subseteq l_2$ causes locale $l_2$ to be \emph{interpreted} in the
+ context of $l_1$. This means that all conclusions of $l_2$ are made
+ available in $l_1$.
+
+ Of course, the change of hierarchy must be supported by a theorem
+ that reflects, in our example, that total orders are indeed
+ lattices. Therefore the \isakeyword{sublocale} command generates a
+ goal, which must be discharged by the user. This is illustrated in
+ the following paragraphs. First the sublocale relation is stated.
+*}
+
+ sublocale %visible total_order \<subseteq> lattice
+
+txt {* \normalsize
+ This enters the context of locale @{text total_order}, in
+ which the goal @{subgoals [display]} must be shown.
+ Now the
+ locale predicate needs to be unfolded --- for example, using its
+ definition or by introduction rules
+ provided by the locale package. For automation, the locale package
+ provides the methods @{text intro_locales} and @{text
+ unfold_locales}. They are aware of the
+ current context and dependencies between locales and automatically
+ discharge goals implied by these. While @{text unfold_locales}
+ always unfolds locale predicates to assumptions, @{text
+ intro_locales} only unfolds definitions along the locale
+ hierarchy, leaving a goal consisting of predicates defined by the
+ locale package. Occasionally the latter is of advantage since the goal
+ is smaller.
+
+ For the current goal, we would like to get hold of
+ the assumptions of @{text lattice}, which need to be shown, hence
+ @{text unfold_locales} is appropriate. *}
+
+ proof unfold_locales
+
+txt {* \normalsize
+ Since the fact that both lattices and total orders are partial
+ orders is already reflected in the locale hierarchy, the assumptions
+ of @{text partial_order} are discharged automatically, and only the
+ assumptions introduced in @{text lattice} remain as subgoals
+ @{subgoals [display]}
+ The proof for the first subgoal is obtained by constructing an
+ infimum, whose existence is implied by totality. *}
+
+ fix x y
+ from total have "is_inf x y (if x \<sqsubseteq> y then x else y)"
+ by (auto simp: is_inf_def)
+ then show "\<exists>inf. is_inf x y inf" ..
+txt {* \normalsize
+ The proof for the second subgoal is analogous and not
+ reproduced here. *}
+ next %invisible
+ fix x y
+ from total have "is_sup x y (if x \<sqsubseteq> y then y else x)"
+ by (auto simp: is_sup_def)
+ then show "\<exists>sup. is_sup x y sup" .. qed %visible
+
+text {* Similarly, we may establish that total orders are distributive
+ lattices with a second \isakeyword{sublocale} statement. *}
+
+ sublocale total_order \<subseteq> distrib_lattice
+ proof unfold_locales
+ fix %"proof" x y z
+ show "x \<sqinter> (y \<squnion> z) = x \<sqinter> y \<squnion> x \<sqinter> z" (is "?l = ?r")
+ txt {* Jacobson I, p.\ 462 *}
+ proof -
+ { assume c: "y \<sqsubseteq> x" "z \<sqsubseteq> x"
+ from c have "?l = y \<squnion> z"
+ by (metis c join_connection2 join_related2 meet_related2 total)
+ also from c have "... = ?r" by (metis meet_related2)
+ finally have "?l = ?r" . }
+ moreover
+ { assume c: "x \<sqsubseteq> y \<or> x \<sqsubseteq> z"
+ from c have "?l = x"
+ by (metis join_connection2 join_related2 meet_connection total trans)
+ also from c have "... = ?r"
+ by (metis join_commute join_related2 meet_connection meet_related2 total)
+ finally have "?l = ?r" . }
+ moreover note total
+ ultimately show ?thesis by blast
+ qed
+ qed
+
+text {* The locale hierarchy is now as shown in
+ Figure~\ref{fig:lattices}(c). *}
+
+text {*
+ Locale interpretation is \emph{dynamic}. The statement
+ \isakeyword{sublocale} $l_1 \subseteq l_2$ will not just add the
+ current conclusions of $l_2$ to $l_1$. Rather the dependency is
+ stored, and conclusions that will be
+ added to $l_2$ in future are automatically propagated to $l_1$.
+ The sublocale relation is transitive --- that is, propagation takes
+ effect along chains of sublocales. Even cycles in the sublocale relation are
+ supported, as long as these cycles do not lead to infinite chains.
+ Details are discussed in the technical report \cite{Ballarin2006a}.
+ See also Section~\ref{sec:infinite-chains} of this tutorial. *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/Examples1.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,89 @@
+theory Examples1
+imports Examples
+begin
+text {* \vspace{-5ex} *}
+section {* Use of Locales in Theories and Proofs
+ \label{sec:interpretation} *}
+
+text {*
+ Locales can be interpreted in the contexts of theories and
+ structured proofs. These interpretations are dynamic, too.
+ Conclusions of locales will be propagated to the current theory or
+ the current proof context.%
+\footnote{Strictly speaking, only interpretation in theories is
+ dynamic since it is not possible to change locales or the locale
+ hierarchy from within a proof.}
+ The focus of this section is on
+ interpretation in theories, but we will also encounter
+ interpretations in proofs, in
+ Section~\ref{sec:local-interpretation}.
+
+ As an example, consider the type of integers @{typ int}. The
+ relation @{term "op \<le>"} is a total order over @{typ int}. We start
+ with the interpretation that @{term "op \<le>"} is a partial order. The
+ facilities of the interpretation command are explored gradually in
+ three versions.
+ *}
+
+
+subsection {* First Version: Replacement of Parameters Only
+ \label{sec:po-first} *}
+
+text {*
+ The command \isakeyword{interpretation} is for the interpretation of
+ locale in theories. In the following example, the parameter of locale
+ @{text partial_order} is replaced by @{term "op \<le> :: int \<Rightarrow> int \<Rightarrow>
+ bool"} and the locale instance is interpreted in the current
+ theory. *}
+
+ interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
+txt {* \normalsize
+ The argument of the command is a simple \emph{locale expression}
+ consisting of the name of the interpreted locale, which is
+ preceded by the qualifier @{text "int:"} and succeeded by a
+ white-space-separated list of terms, which provide a full
+ instantiation of the locale parameters. The parameters are referred
+ to by order of declaration, which is also the order in which
+ \isakeyword{print\_locale} outputs them. The locale has only a
+ single parameter, hence the list of instantiation terms is a
+ singleton.
+
+ The command creates the goal
+ @{subgoals [display]} which can be shown easily:
+ *}
+ by unfold_locales auto
+
+text {* The effect of the command is that instances of all
+ conclusions of the locale are available in the theory, where names
+ are prefixed by the qualifier. For example, transitivity for @{typ
+ int} is named @{thm [source] int.trans} and is the following
+ theorem:
+ @{thm [display, indent=2] int.trans}
+ It is not possible to reference this theorem simply as @{text
+ trans}. This prevents unwanted hiding of existing theorems of the
+ theory by an interpretation. *}
+
+
+subsection {* Second Version: Replacement of Definitions *}
+
+text {* Not only does the above interpretation qualify theorem names.
+ The prefix @{text int} is applied to all names introduced in locale
+ conclusions including names introduced in definitions. The
+ qualified name @{text int.less} is short for
+ the interpretation of the definition, which is @{term int.less}.
+ Qualified name and expanded form may be used almost
+ interchangeably.%
+\footnote{Since @{term "op \<le>"} is polymorphic, for @{term int.less} a
+ more general type will be inferred than for @{text int.less} which
+ is over type @{typ int}.}
+ The latter is preferred on output, as for example in the theorem
+ @{thm [source] int.less_le_trans}: @{thm [display, indent=2]
+ int.less_le_trans}
+ Both notations for the strict order are not satisfactory. The
+ constant @{term "op <"} is the strict order for @{typ int}.
+ In order to allow for the desired replacement, interpretation
+ accepts \emph{equations} in addition to the parameter instantiation.
+ These follow the locale expression and are indicated with the
+ keyword \isakeyword{where}. This is the revised interpretation:
+ *}
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/Examples2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,24 @@
+theory Examples2
+imports Examples
+begin
+text {* \vspace{-5ex} *}
+ interpretation %visible int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool"
+ where "int.less x y = (x < y)"
+ proof -
+ txt {* \normalsize The goals are now:
+ @{subgoals [display]}
+ The proof that~@{text \<le>} is a partial order is as above. *}
+ show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
+ by unfold_locales auto
+ txt {* \normalsize The second goal is shown by unfolding the
+ definition of @{term "partial_order.less"}. *}
+ show "partial_order.less op \<le> x y = (x < y)"
+ unfolding partial_order.less_def [OF `partial_order op \<le>`]
+ by auto
+ qed
+
+text {* Note that the above proof is not in the context of the
+ interpreted locale. Hence, the premise of @{text
+ "partial_order.less_def"} is discharged manually with @{text OF}.
+ *}
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/Examples3.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,659 @@
+theory Examples3
+imports Examples
+begin
+text {* \vspace{-5ex} *}
+subsection {* Third Version: Local Interpretation
+ \label{sec:local-interpretation} *}
+
+text {* In the above example, the fact that @{term "op \<le>"} is a partial
+ order for the integers was used in the second goal to
+ discharge the premise in the definition of @{text "op \<sqsubset>"}. In
+ general, proofs of the equations not only may involve definitions
+ from the interpreted locale but arbitrarily complex arguments in the
+ context of the locale. Therefore it would be convenient to have the
+ interpreted locale conclusions temporarily available in the proof.
+ This can be achieved by a locale interpretation in the proof body.
+ The command for local interpretations is \isakeyword{interpret}. We
+ repeat the example from the previous section to illustrate this. *}
+
+ interpretation %visible int: partial_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
+ where "int.less x y = (x < y)"
+ proof -
+ show "partial_order (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
+ by unfold_locales auto
+ then interpret int: partial_order "op \<le> :: [int, int] \<Rightarrow> bool" .
+ show "int.less x y = (x < y)"
+ unfolding int.less_def by auto
+ qed
+
+text {* The inner interpretation is immediate from the preceding fact
+ and proved by assumption (Isar short hand ``.''). It enriches the
+ local proof context by the theorems
+ also obtained in the interpretation from Section~\ref{sec:po-first},
+ and @{text int.less_def} may directly be used to unfold the
+ definition. Theorems from the local interpretation disappear after
+ leaving the proof context --- that is, after the succeeding
+ \isakeyword{next} or \isakeyword{qed} statement. *}
+
+
+subsection {* Further Interpretations *}
+
+text {* Further interpretations are necessary for
+ the other locales. In @{text lattice} the operations~@{text \<sqinter>}
+ and~@{text \<squnion>} are substituted by @{term "min :: int \<Rightarrow> int \<Rightarrow> int"}
+ and @{term "max :: int \<Rightarrow> int \<Rightarrow> int"}. The entire proof for the
+ interpretation is reproduced to give an example of a more
+ elaborate interpretation proof. Note that the equations are named
+ so they can be used in a later example. *}
+
+ interpretation %visible int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
+ where int_min_eq: "int.meet x y = min x y"
+ and int_max_eq: "int.join x y = max x y"
+ proof -
+ show "lattice (op \<le> :: int \<Rightarrow> int \<Rightarrow> bool)"
+ txt {* \normalsize We have already shown that this is a partial
+ order, *}
+ apply unfold_locales
+ txt {* \normalsize hence only the lattice axioms remain to be
+ shown.
+ @{subgoals [display]}
+ By @{text is_inf} and @{text is_sup}, *}
+ apply (unfold int.is_inf_def int.is_sup_def)
+ txt {* \normalsize the goals are transformed to these
+ statements:
+ @{subgoals [display]}
+ This is Presburger arithmetic, which can be solved by the
+ method @{text arith}. *}
+ by arith+
+ txt {* \normalsize In order to show the equations, we put ourselves
+ in a situation where the lattice theorems can be used in a
+ convenient way. *}
+ then interpret int: lattice "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool" .
+ show "int.meet x y = min x y"
+ by (bestsimp simp: int.meet_def int.is_inf_def)
+ show "int.join x y = max x y"
+ by (bestsimp simp: int.join_def int.is_sup_def)
+ qed
+
+text {* Next follows that @{text "op \<le>"} is a total order, again for
+ the integers. *}
+
+ interpretation %visible int: total_order "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"
+ by unfold_locales arith
+
+text {* Theorems that are available in the theory at this point are shown in
+ Table~\ref{tab:int-lattice}. Two points are worth noting:
+
+\begin{table}
+\hrule
+\vspace{2ex}
+\begin{center}
+\begin{tabular}{l}
+ @{thm [source] int.less_def} from locale @{text partial_order}: \\
+ \quad @{thm int.less_def} \\
+ @{thm [source] int.meet_left} from locale @{text lattice}: \\
+ \quad @{thm int.meet_left} \\
+ @{thm [source] int.join_distr} from locale @{text distrib_lattice}: \\
+ \quad @{thm int.join_distr} \\
+ @{thm [source] int.less_total} from locale @{text total_order}: \\
+ \quad @{thm int.less_total}
+\end{tabular}
+\end{center}
+\hrule
+\caption{Interpreted theorems for~@{text \<le>} on the integers.}
+\label{tab:int-lattice}
+\end{table}
+
+\begin{itemize}
+\item
+ Locale @{text distrib_lattice} was also interpreted. Since the
+ locale hierarchy reflects that total orders are distributive
+ lattices, the interpretation of the latter was inserted
+ automatically with the interpretation of the former. In general,
+ interpretation traverses the locale hierarchy upwards and interprets
+ all encountered locales, regardless whether imported or proved via
+ the \isakeyword{sublocale} command. Existing interpretations are
+ skipped avoiding duplicate work.
+\item
+ The predicate @{term "op <"} appears in theorem @{thm [source]
+ int.less_total}
+ although an equation for the replacement of @{text "op \<sqsubset>"} was only
+ given in the interpretation of @{text partial_order}. The
+ interpretation equations are pushed downwards the hierarchy for
+ related interpretations --- that is, for interpretations that share
+ the instances of parameters they have in common.
+\end{itemize}
+ *}
+
+text {* The interpretations for a locale $n$ within the current
+ theory may be inspected with \isakeyword{print\_interps}~$n$. This
+ prints the list of instances of $n$, for which interpretations exist.
+ For example, \isakeyword{print\_interps} @{term partial_order}
+ outputs the following:
+\begin{small}
+\begin{alltt}
+ int! : partial_order "op \(\le\)"
+\end{alltt}
+\end{small}
+ Of course, there is only one interpretation.
+ The interpretation qualifier on the left is decorated with an
+ exclamation point. This means that it is mandatory. Qualifiers
+ can either be \emph{mandatory} or \emph{optional}, designated by
+ ``!'' or ``?'' respectively. Mandatory qualifiers must occur in a
+ name reference while optional ones need not. Mandatory qualifiers
+ prevent accidental hiding of names, while optional qualifiers can be
+ more convenient to use. For \isakeyword{interpretation}, the
+ default is ``!''.
+*}
+
+
+section {* Locale Expressions \label{sec:expressions} *}
+
+text {*
+ A map~@{term \<phi>} between partial orders~@{text \<sqsubseteq>} and~@{text \<preceq>}
+ is called order preserving if @{text "x \<sqsubseteq> y"} implies @{text "\<phi> x \<preceq>
+ \<phi> y"}. This situation is more complex than those encountered so
+ far: it involves two partial orders, and it is desirable to use the
+ existing locale for both.
+
+ A locale for order preserving maps requires three parameters: @{text
+ le}~(\isakeyword{infixl}~@{text \<sqsubseteq>}) and @{text
+ le'}~(\isakeyword{infixl}~@{text \<preceq>}) for the orders and~@{text \<phi>}
+ for the map.
+
+ In order to reuse the existing locale for partial orders, which has
+ the single parameter~@{text le}, it must be imported twice, once
+ mapping its parameter to~@{text le} from the new locale and once
+ to~@{text le'}. This can be achieved with a compound locale
+ expression.
+
+ In general, a locale expression is a sequence of \emph{locale instances}
+ separated by~``$\textbf{+}$'' and followed by a \isakeyword{for}
+ clause.
+ An instance has the following format:
+\begin{quote}
+ \textit{qualifier} \textbf{:} \textit{locale-name}
+ \textit{parameter-instantiation}
+\end{quote}
+ We have already seen locale instances as arguments to
+ \isakeyword{interpretation} in Section~\ref{sec:interpretation}.
+ As before, the qualifier serves to disambiguate names from
+ different instances of the same locale. While in
+ \isakeyword{interpretation} qualifiers default to mandatory, in
+ import and in the \isakeyword{sublocale} command, they default to
+ optional.
+
+ Since the parameters~@{text le} and~@{text le'} are to be partial
+ orders, our locale for order preserving maps will import the these
+ instances:
+\begin{small}
+\begin{alltt}
+ le: partial_order le
+ le': partial_order le'
+\end{alltt}
+\end{small}
+ For matter of convenience we choose to name parameter names and
+ qualifiers alike. This is an arbitrary decision. Technically, qualifiers
+ and parameters are unrelated.
+
+ Having determined the instances, let us turn to the \isakeyword{for}
+ clause. It serves to declare locale parameters in the same way as
+ the context element \isakeyword{fixes} does. Context elements can
+ only occur after the import section, and therefore the parameters
+ referred to in the instances must be declared in the \isakeyword{for}
+ clause. The \isakeyword{for} clause is also where the syntax of these
+ parameters is declared.
+
+ Two context elements for the map parameter~@{text \<phi>} and the
+ assumptions that it is order preserving complete the locale
+ declaration. *}
+
+ locale order_preserving =
+ le: partial_order le + le': partial_order le'
+ for le (infixl "\<sqsubseteq>" 50) and le' (infixl "\<preceq>" 50) +
+ fixes \<phi>
+ assumes hom_le: "x \<sqsubseteq> y \<Longrightarrow> \<phi> x \<preceq> \<phi> y"
+
+text (in order_preserving) {* Here are examples of theorems that are
+ available in the locale:
+
+ \hspace*{1em}@{thm [source] hom_le}: @{thm hom_le}
+
+ \hspace*{1em}@{thm [source] le.less_le_trans}: @{thm le.less_le_trans}
+
+ \hspace*{1em}@{thm [source] le'.less_le_trans}:
+ @{thm [display, indent=4] le'.less_le_trans}
+ While there is infix syntax for the strict operation associated to
+ @{term "op \<sqsubseteq>"}, there is none for the strict version of @{term
+ "op \<preceq>"}. The abbreviation @{text less} with its infix syntax is only
+ available for the original instance it was declared for. We may
+ introduce the abbreviation @{text less'} with infix syntax~@{text \<prec>}
+ with the following declaration: *}
+
+ abbreviation (in order_preserving)
+ less' (infixl "\<prec>" 50) where "less' \<equiv> partial_order.less le'"
+
+text (in order_preserving) {* Now the theorem is displayed nicely as
+ @{thm [source] le'.less_le_trans}:
+ @{thm [display, indent=2] le'.less_le_trans} *}
+
+text {* There are short notations for locale expressions. These are
+ discussed in the following. *}
+
+
+subsection {* Default Instantiations *}
+
+text {*
+ It is possible to omit parameter instantiations. The
+ instantiation then defaults to the name of
+ the parameter itself. For example, the locale expression @{text
+ partial_order} is short for @{text "partial_order le"}, since the
+ locale's single parameter is~@{text le}. We took advantage of this
+ in the \isakeyword{sublocale} declarations of
+ Section~\ref{sec:changing-the-hierarchy}. *}
+
+
+subsection {* Implicit Parameters \label{sec:implicit-parameters} *}
+
+text {* In a locale expression that occurs within a locale
+ declaration, omitted parameters additionally extend the (possibly
+ empty) \isakeyword{for} clause.
+
+ The \isakeyword{for} clause is a general construct of Isabelle/Isar
+ to mark names occurring in the preceding declaration as ``arbitrary
+ but fixed''. This is necessary for example, if the name is already
+ bound in a surrounding context. In a locale expression, names
+ occurring in parameter instantiations should be bound by a
+ \isakeyword{for} clause whenever these names are not introduced
+ elsewhere in the context --- for example, on the left hand side of a
+ \isakeyword{sublocale} declaration.
+
+ There is an exception to this rule in locale declarations, where the
+ \isakeyword{for} clause serves to declare locale parameters. Here,
+ locale parameters for which no parameter instantiation is given are
+ implicitly added, with their mixfix syntax, at the beginning of the
+ \isakeyword{for} clause. For example, in a locale declaration, the
+ expression @{text partial_order} is short for
+\begin{small}
+\begin{alltt}
+ partial_order le \isakeyword{for} le (\isakeyword{infixl} "\(\sqsubseteq\)" 50)\textrm{.}
+\end{alltt}
+\end{small}
+ This short hand was used in the locale declarations throughout
+ Section~\ref{sec:import}.
+ *}
+
+text{*
+ The following locale declarations provide more examples. A
+ map~@{text \<phi>} is a lattice homomorphism if it preserves meet and
+ join. *}
+
+ locale lattice_hom =
+ le: lattice + le': lattice le' for le' (infixl "\<preceq>" 50) +
+ fixes \<phi>
+ assumes hom_meet: "\<phi> (x \<sqinter> y) = le'.meet (\<phi> x) (\<phi> y)"
+ and hom_join: "\<phi> (x \<squnion> y) = le'.join (\<phi> x) (\<phi> y)"
+
+text {* The parameter instantiation in the first instance of @{term
+ lattice} is omitted. This causes the parameter~@{text le} to be
+ added to the \isakeyword{for} clause, and the locale has
+ parameters~@{text le},~@{text le'} and, of course,~@{text \<phi>}.
+
+ Before turning to the second example, we complete the locale by
+ providing infix syntax for the meet and join operations of the
+ second lattice.
+*}
+
+ context lattice_hom
+ begin
+ abbreviation meet' (infixl "\<sqinter>''" 50) where "meet' \<equiv> le'.meet"
+ abbreviation join' (infixl "\<squnion>''" 50) where "join' \<equiv> le'.join"
+ end
+
+text {* The next example makes radical use of the short hand
+ facilities. A homomorphism is an endomorphism if both orders
+ coincide. *}
+
+ locale lattice_end = lattice_hom _ le
+
+text {* The notation~@{text _} enables to omit a parameter in a
+ positional instantiation. The omitted parameter,~@{text le} becomes
+ the parameter of the declared locale and is, in the following
+ position, used to instantiate the second parameter of @{text
+ lattice_hom}. The effect is that of identifying the first in second
+ parameter of the homomorphism locale. *}
+
+text {* The inheritance diagram of the situation we have now is shown
+ in Figure~\ref{fig:hom}, where the dashed line depicts an
+ interpretation which is introduced below. Parameter instantiations
+ are indicated by $\sqsubseteq \mapsto \preceq$ etc. By looking at
+ the inheritance diagram it would seem
+ that two identical copies of each of the locales @{text
+ partial_order} and @{text lattice} are imported by @{text
+ lattice_end}. This is not the case! Inheritance paths with
+ identical morphisms are automatically detected and
+ the conclusions of the respective locales appear only once.
+
+\begin{figure}
+\hrule \vspace{2ex}
+\begin{center}
+\begin{tikzpicture}
+ \node (o) at (0,0) {@{text partial_order}};
+ \node (oh) at (1.5,-2) {@{text order_preserving}};
+ \node (oh1) at (1.5,-0.7) {$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
+ \node (oh2) at (0,-1.3) {$\scriptscriptstyle \sqsubseteq \mapsto \preceq$};
+ \node (l) at (-1.5,-2) {@{text lattice}};
+ \node (lh) at (0,-4) {@{text lattice_hom}};
+ \node (lh1) at (0,-2.7) {$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
+ \node (lh2) at (-1.5,-3.3) {$\scriptscriptstyle \sqsubseteq \mapsto \preceq$};
+ \node (le) at (0,-6) {@{text lattice_end}};
+ \node (le1) at (0,-4.8)
+ [anchor=west]{$\scriptscriptstyle \sqsubseteq \mapsto \sqsubseteq$};
+ \node (le2) at (0,-5.2)
+ [anchor=west]{$\scriptscriptstyle \preceq \mapsto \sqsubseteq$};
+ \draw (o) -- (l);
+ \draw[dashed] (oh) -- (lh);
+ \draw (lh) -- (le);
+ \draw (o) .. controls (oh1.south west) .. (oh);
+ \draw (o) .. controls (oh2.north east) .. (oh);
+ \draw (l) .. controls (lh1.south west) .. (lh);
+ \draw (l) .. controls (lh2.north east) .. (lh);
+\end{tikzpicture}
+\end{center}
+\hrule
+\caption{Hierarchy of Homomorphism Locales.}
+\label{fig:hom}
+\end{figure}
+ *}
+
+text {* It can be shown easily that a lattice homomorphism is order
+ preserving. As the final example of this section, a locale
+ interpretation is used to assert this: *}
+
+ sublocale lattice_hom \<subseteq> order_preserving
+ proof unfold_locales
+ fix x y
+ assume "x \<sqsubseteq> y"
+ then have "y = (x \<squnion> y)" by (simp add: le.join_connection)
+ then have "\<phi> y = (\<phi> x \<squnion>' \<phi> y)" by (simp add: hom_join [symmetric])
+ then show "\<phi> x \<preceq> \<phi> y" by (simp add: le'.join_connection)
+ qed
+
+text (in lattice_hom) {*
+ Theorems and other declarations --- syntax, in particular --- from
+ the locale @{text order_preserving} are now active in @{text
+ lattice_hom}, for example
+ @{thm [source] hom_le}:
+ @{thm [display, indent=2] hom_le}
+ This theorem will be useful in the following section.
+ *}
+
+
+section {* Conditional Interpretation *}
+
+text {* There are situations where an interpretation is not possible
+ in the general case since the desired property is only valid if
+ certain conditions are fulfilled. Take, for example, the function
+ @{text "\<lambda>i. n * i"} that scales its argument by a constant factor.
+ This function is order preserving (and even a lattice endomorphism)
+ with respect to @{term "op \<le>"} provided @{text "n \<ge> 0"}.
+
+ It is not possible to express this using a global interpretation,
+ because it is in general unspecified whether~@{term n} is
+ non-negative, but one may make an interpretation in an inner context
+ of a proof where full information is available.
+ This is not fully satisfactory either, since potentially
+ interpretations may be required to make interpretations in many
+ contexts. What is
+ required is an interpretation that depends on the condition --- and
+ this can be done with the \isakeyword{sublocale} command. For this
+ purpose, we introduce a locale for the condition. *}
+
+ locale non_negative =
+ fixes n :: int
+ assumes non_neg: "0 \<le> n"
+
+text {* It is again convenient to make the interpretation in an
+ incremental fashion, first for order preserving maps, the for
+ lattice endomorphisms. *}
+
+ sublocale non_negative \<subseteq>
+ order_preserving "op \<le>" "op \<le>" "\<lambda>i. n * i"
+ using non_neg by unfold_locales (rule mult_left_mono)
+
+text {* While the proof of the previous interpretation
+ is straightforward from monotonicity lemmas for~@{term "op *"}, the
+ second proof follows a useful pattern. *}
+
+ sublocale %visible non_negative \<subseteq> lattice_end "op \<le>" "\<lambda>i. n * i"
+ proof (unfold_locales, unfold int_min_eq int_max_eq)
+ txt {* \normalsize Unfolding the locale predicates \emph{and} the
+ interpretation equations immediately yields two subgoals that
+ reflect the core conjecture.
+ @{subgoals [display]}
+ It is now necessary to show, in the context of @{term
+ non_negative}, that multiplication by~@{term n} commutes with
+ @{term min} and @{term max}. *}
+ qed (auto simp: hom_le)
+
+text (in order_preserving) {* The lemma @{thm [source] hom_le}
+ simplifies a proof that would have otherwise been lengthy and we may
+ consider making it a default rule for the simplifier: *}
+
+ lemmas (in order_preserving) hom_le [simp]
+
+
+subsection {* Avoiding Infinite Chains of Interpretations
+ \label{sec:infinite-chains} *}
+
+text {* Similar situations arise frequently in formalisations of
+ abstract algebra where it is desirable to express that certain
+ constructions preserve certain properties. For example, polynomials
+ over rings are rings, or --- an example from the domain where the
+ illustrations of this tutorial are taken from --- a partial order
+ may be obtained for a function space by point-wise lifting of the
+ partial order of the co-domain. This corresponds to the following
+ interpretation: *}
+
+ sublocale %visible partial_order \<subseteq> f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
+ oops
+
+text {* Unfortunately this is a cyclic interpretation that leads to an
+ infinite chain, namely
+ @{text [display, indent=2] "partial_order \<subseteq> partial_order (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) \<subseteq>
+ partial_order (\<lambda>f g. \<forall>x y. f x y \<sqsubseteq> g x y) \<subseteq> \<dots>"}
+ and the interpretation is rejected.
+
+ Instead it is necessary to declare a locale that is logically
+ equivalent to @{term partial_order} but serves to collect facts
+ about functions spaces where the co-domain is a partial order, and
+ to make the interpretation in its context: *}
+
+ locale fun_partial_order = partial_order
+
+ sublocale fun_partial_order \<subseteq>
+ f: partial_order "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
+ by unfold_locales (fast,rule,fast,blast intro: trans)
+
+text {* It is quite common in abstract algebra that such a construction
+ maps a hierarchy of algebraic structures (or specifications) to a
+ related hierarchy. By means of the same lifting, a function space
+ is a lattice if its co-domain is a lattice: *}
+
+ locale fun_lattice = fun_partial_order + lattice
+
+ sublocale fun_lattice \<subseteq> f: lattice "\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x"
+ proof unfold_locales
+ fix f g
+ have "partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<sqinter> g x)"
+ apply (rule is_infI) apply rule+ apply (drule spec, assumption)+ done
+ then show "\<exists>inf. partial_order.is_inf (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g inf"
+ by fast
+ next
+ fix f g
+ have "partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g (\<lambda>x. f x \<squnion> g x)"
+ apply (rule is_supI) apply rule+ apply (drule spec, assumption)+ done
+ then show "\<exists>sup. partial_order.is_sup (\<lambda>f g. \<forall>x. f x \<sqsubseteq> g x) f g sup"
+ by fast
+ qed
+
+
+section {* Further Reading *}
+
+text {* More information on locales and their interpretation is
+ available. For the locale hierarchy of import and interpretation
+ dependencies see~\cite{Ballarin2006a}; interpretations in theories
+ and proofs are covered in~\cite{Ballarin2006b}. In the latter, I
+ show how interpretation in proofs enables to reason about families
+ of algebraic structures, which cannot be expressed with locales
+ directly.
+
+ Haftmann and Wenzel~\cite{HaftmannWenzel2007} overcome a restriction
+ of axiomatic type classes through a combination with locale
+ interpretation. The result is a Haskell-style class system with a
+ facility to generate ML and Haskell code. Classes are sufficient for
+ simple specifications with a single type parameter. The locales for
+ orders and lattices presented in this tutorial fall into this
+ category. Order preserving maps, homomorphisms and vector spaces,
+ on the other hand, do not.
+
+ The locales reimplementation for Isabelle 2009 provides, among other
+ improvements, a clean integration with Isabelle/Isar's local theory
+ mechanisms, which are described in another paper by Haftmann and
+ Wenzel~\cite{HaftmannWenzel2009}.
+
+ The original work of Kamm\"uller on locales~\cite{KammullerEtAl1999}
+ may be of interest from a historical perspective. My previous
+ report on locales and locale expressions~\cite{Ballarin2004a}
+ describes a simpler form of expressions than available now and is
+ outdated. The mathematical background on orders and lattices is
+ taken from Jacobson's textbook on algebra~\cite[Chapter~8]{Jacobson1985}.
+
+ The sources of this tutorial, which include all proofs, are
+ available with the Isabelle distribution at
+ \url{http://isabelle.in.tum.de}.
+ *}
+
+text {*
+\begin{table}
+\hrule
+\vspace{2ex}
+\begin{center}
+\begin{tabular}{l>$c<$l}
+ \multicolumn{3}{l}{Miscellaneous} \\
+
+ \textit{attr-name} & ::=
+ & \textit{name} $|$ \textit{attribute} $|$
+ \textit{name} \textit{attribute} \\
+ \textit{qualifier} & ::=
+ & \textit{name} [``\textbf{?}'' $|$ ``\textbf{!}''] \\[2ex]
+
+ \multicolumn{3}{l}{Context Elements} \\
+
+ \textit{fixes} & ::=
+ & \textit{name} [ ``\textbf{::}'' \textit{type} ]
+ [ ``\textbf{(}'' \textbf{structure} ``\textbf{)}'' $|$
+ \textit{mixfix} ] \\
+\begin{comment}
+ \textit{constrains} & ::=
+ & \textit{name} ``\textbf{::}'' \textit{type} \\
+\end{comment}
+ \textit{assumes} & ::=
+ & [ \textit{attr-name} ``\textbf{:}'' ] \textit{proposition} \\
+\begin{comment}
+ \textit{defines} & ::=
+ & [ \textit{attr-name} ``\textbf{:}'' ] \textit{proposition} \\
+ \textit{notes} & ::=
+ & [ \textit{attr-name} ``\textbf{=}'' ]
+ ( \textit{qualified-name} [ \textit{attribute} ] )$^+$ \\
+\end{comment}
+
+ \textit{element} & ::=
+ & \textbf{fixes} \textit{fixes} ( \textbf{and} \textit{fixes} )$^*$ \\
+\begin{comment}
+ & |
+ & \textbf{constrains} \textit{constrains}
+ ( \textbf{and} \textit{constrains} )$^*$ \\
+\end{comment}
+ & |
+ & \textbf{assumes} \textit{assumes} ( \textbf{and} \textit{assumes} )$^*$ \\[2ex]
+%\begin{comment}
+% & |
+% & \textbf{defines} \textit{defines} ( \textbf{and} \textit{defines} )$^*$ \\
+% & |
+% & \textbf{notes} \textit{notes} ( \textbf{and} \textit{notes} )$^*$ \\
+%\end{comment}
+
+ \multicolumn{3}{l}{Locale Expressions} \\
+
+ \textit{pos-insts} & ::=
+ & ( \textit{term} $|$ ``\textbf{\_}'' )$^*$ \\
+ \textit{named-insts} & ::=
+ & \textbf{where} \textit{name} ``\textbf{=}'' \textit{term}
+ ( \textbf{and} \textit{name} ``\textbf{=}'' \textit{term} )$^*$ \\
+ \textit{instance} & ::=
+ & [ \textit{qualifier} ``\textbf{:}'' ]
+ \textit{name} ( \textit{pos-insts} $|$ \textit{named-inst} ) \\
+ \textit{expression} & ::=
+ & \textit{instance} ( ``\textbf{+}'' \textit{instance} )$^*$
+ [ \textbf{for} \textit{fixes} ( \textbf{and} \textit{fixes} )$^*$ ] \\[2ex]
+
+ \multicolumn{3}{l}{Declaration of Locales} \\
+
+ \textit{locale} & ::=
+ & \textit{element}$^+$ \\
+ & | & \textit{expression} [ ``\textbf{+}'' \textit{element}$^+$ ] \\
+ \textit{toplevel} & ::=
+ & \textbf{locale} \textit{name} [ ``\textbf{=}''
+ \textit{locale} ] \\[2ex]
+
+ \multicolumn{3}{l}{Interpretation} \\
+
+ \textit{equation} & ::= & [ \textit{attr-name} ``\textbf{:}'' ]
+ \textit{prop} \\
+ \textit{equations} & ::= & \textbf{where} \textit{equation} ( \textbf{and}
+ \textit{equation} )$^*$ \\
+ \textit{toplevel} & ::=
+ & \textbf{sublocale} \textit{name} ( ``$<$'' $|$
+ ``$\subseteq$'' ) \textit{expression} \textit{proof} \\
+ & |
+ & \textbf{interpretation}
+ \textit{expression} [ \textit{equations} ] \textit{proof} \\
+ & |
+ & \textbf{interpret}
+ \textit{expression} \textit{proof} \\[2ex]
+
+ \multicolumn{3}{l}{Diagnostics} \\
+
+ \textit{toplevel} & ::=
+ & \textbf{print\_locales} \\
+ & | & \textbf{print\_locale} [ ``\textbf{!}'' ] \textit{name} \\
+ & | & \textbf{print\_interps} \textit{name}
+\end{tabular}
+\end{center}
+\hrule
+\caption{Syntax of Locale Commands.}
+\label{tab:commands}
+\end{table}
+ *}
+
+text {* \textbf{Revision History.} For the present third revision of
+ the tutorial, much of the explanatory text
+ was rewritten. Inheritance of interpretation equations is
+ available with the forthcoming release of Isabelle, which at the
+ time of editing these notes is expected for the end of 2009.
+ The second revision accommodates changes introduced by the locales
+ reimplementation for Isabelle 2009. Most notably locale expressions
+ have been generalised from renaming to instantiation. *}
+
+text {* \textbf{Acknowledgements.} Alexander Krauss, Tobias Nipkow,
+ Randy Pollack, Andreas Schropp, Christian Sternagel and Makarius Wenzel
+ have made
+ useful comments on earlier versions of this document. The section
+ on conditional interpretation was inspired by a number of e-mail
+ enquiries the author received from locale users, and which suggested
+ that this use case is important enough to deserve explicit
+ explanation. The term \emph{conditional interpretation} is due to
+ Larry Paulson. *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/document/root.bib Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,117 @@
+@unpublished{IsarRef,
+ author = "Markus Wenzel",
+ title = "The {Isabelle/Isar} Reference Manual",
+ note = "Part of the Isabelle distribution, \url{http://isabelle.in.tum.de/doc/isar-ref.pdf}."
+}
+
+@book {Jacobson1985,
+ author = "Nathan Jacobson",
+ title = "Basic Algebra",
+ volume = "I",
+ publisher = "Freeman",
+ edition = "2nd",
+ year = 1985,
+ available = { CB }
+}
+
+% TYPES 2006
+
+@inproceedings{HaftmannWenzel2007,
+ author = "Florian Haftmann and Makarius Wenzel",
+ title = "Constructive Type Classes in {Isabelle}",
+ pages = "160--174",
+ crossref = "AltenkirchMcBride2007",
+ available = { CB }
+}
+
+@proceedings{AltenkirchMcBride2007,
+ editor = "Thorsten Altenkirch and Connor McBride",
+ title = "Types for Proofs and Programs, TYPES 2006, Nottingham, UK",
+ booktitle = "Types for Proofs and Programs, TYPES 2006, Nottingham, UK",
+ publisher = "Springer",
+ series = "LNCS 4502",
+ year = 2007
+}
+
+
+@techreport{Ballarin2006a,
+ author = "Clemens Ballarin",
+ title = "Interpretation of Locales in {Isabelle}: Managing Dependencies between Locales",
+ institution = "Technische Universit{\"a}t M{\"u}nchen",
+ number = "TUM-I0607",
+ year = 2006
+}
+
+% TYPES 2003
+
+@inproceedings{Ballarin2004a,
+ author = "Clemens Ballarin",
+ title = "Locales and Locale Expressions in {Isabelle/Isar}",
+ pages = "34--50",
+ crossref = "BerardiEtAl2004"
+}
+
+@proceedings{BerardiEtAl2004,
+ editor = "Stefano Berardi and Mario Coppo and Ferruccio Damiani",
+ title = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
+ booktitle = "Types for Proofs and Programs, TYPES 2003, Torino, Italy",
+ publisher = "Springer",
+ series = "LNCS 3085",
+ year = 2004
+}
+
+% TYPES 2008
+
+@inproceedings{HaftmannWenzel2009,
+ author = "Florian Haftmann and Makarius Wenzel",
+ title = "Local theory specifications in {Isabelle}/{Isar}",
+ pages = "153--168",
+ crossref = "BerardiEtAl2009"
+}
+
+@proceedings{BerardiEtAl2009,
+ editor = "Stefano Berardi and Ferruccio Damiani and Ugo de Liguoro",
+ title = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
+ booktitle = "Types for Proofs and Programs, TYPES 2008, Torino, Italy",
+ series = "LNCS 5497",
+ publisher = "Springer",
+ year = 2009
+}
+
+% MKM 2006
+
+@inproceedings{Ballarin2006b,
+ author = "Clemens Ballarin",
+ title = "Interpretation of Locales in {Isabelle}: Theories and Proof Contexts",
+ pages = "31--43",
+ crossref = "BorweinFarmer2006"
+}
+
+@proceedings{BorweinFarmer2006,
+ editor = "Jonathan M. Borwein and William M. Farmer",
+ title = "Mathematical knowledge management, MKM 2006, Wokingham, UK",
+ booktitle = "Mathematical knowledge management, MKM 2006, Wokingham, UK",
+ series = "LNCS 4108",
+ publisher = "Springer",
+ year = 2006,
+ available = { CB }
+}
+
+% TPHOLs 1999
+
+@inproceedings{KammullerEtAl1999,
+ author = "Florian Kamm{\"u}ller and Markus Wenzel and Lawrence C. Paulson",
+ title = "Locales: A Sectioning Concept for {Isabelle}",
+ pages = "149--165",
+ crossref = "BertotEtAl1999",
+ available = { CB }
+}
+
+@book{BertotEtAl1999,
+ editor = "Y. Bertot and G. Dowek and A. Hirschowitz and C. Paulin and L. Th{\'e}ry",
+ title = "Theorem Proving in Higher Order Logics: TPHOLs'99, Nice, France",
+ booktitle = "Theorem Proving in Higher Order Logics: TPHOLs'99, Nice, France",
+ publisher = "Springer",
+ series = "LNCS 1690",
+ year = 1999
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Locales/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,62 @@
+\documentclass[11pt,a4paper]{article}
+\usepackage{amsmath}
+\usepackage{isabelle,isabellesym}
+\usepackage{verbatim}
+\usepackage{alltt}
+\usepackage{array}
+
+\usepackage{amssymb}
+
+\usepackage{pdfsetup}
+
+\usepackage{ifpdf}
+\ifpdf\relax\else\def\pgfsysdriver{pgfsys-dvi.def}\fi
+\usepackage{tikz}
+\usepackage{subfigure}
+
+\isadroptag{theory}
+\isafoldtag{proof}
+
+% urls in roman style, theory text in typewriter
+\urlstyle{rm}
+\isabellestyle{tt}
+
+
+\begin{document}
+
+\title{Tutorial to Locales and Locale Interpretation%
+\thanks{Published in L.~Lamb\'an, A.~Romero, J.~Rubio, editors, {\em Contribuciones Cient\'{\i}ficas en honor de Mirian Andr\'es.} Servicio de Publicaciones de la Universidad de La Rioja, Logro\~no, Spain, 2010. Reproduced by permission.}}
+\author{Clemens Ballarin}
+\date{}
+
+\maketitle
+
+\begin{abstract}
+ Locales are Isabelle's approach for dealing with parametric
+ theories. They have been designed as a module system for a
+ theorem prover that can adequately represent the complex
+ inter-dependencies between structures found in abstract algebra, but
+ have proven fruitful also in other applications --- for example,
+ software verification.
+
+ Both design and implementation of locales have evolved considerably
+ since Kamm\"uller did his initial experiments. Today, locales
+ are a simple yet powerful extension of the Isar proof language.
+ The present tutorial covers all major facilities of locales. It is
+ intended for locale novices; familiarity with Isabelle and Isar is
+ presumed.
+\end{abstract}
+
+\parindent 0pt\parskip 0.5ex
+
+\input{session}
+
+\bibliographystyle{abbrv}
+\bibliography{root}
+
+\end{document}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/abstract.txt Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+Isabelle's Object-Logics. Report 286.
+
+This is the third of the Isabelle manuals. It covers Isabelle's built-in
+object logics: first-order logic (FOL), Zermelo-Fraenkel set theory (ZF),
+higher-order logic (HOL), the classical sequent calculus (LK), and
+constructive type theory (CTT). The final chapter discusses how to define
+new logics. This manual assumes familiarity with Report 280, Introduction
+to Isabelle.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/CTT.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1257 @@
+\chapter{Constructive Type Theory}
+\index{Constructive Type Theory|(}
+
+\underscoreoff %this file contains _ in rule names
+
+Martin-L\"of's Constructive Type Theory \cite{martinlof84,nordstrom90} can
+be viewed at many different levels. It is a formal system that embodies
+the principles of intuitionistic mathematics; it embodies the
+interpretation of propositions as types; it is a vehicle for deriving
+programs from proofs.
+
+Thompson's book~\cite{thompson91} gives a readable and thorough account of
+Type Theory. Nuprl is an elaborate implementation~\cite{constable86}.
+{\sc alf} is a more recent tool that allows proof terms to be edited
+directly~\cite{alf}.
+
+Isabelle's original formulation of Type Theory was a kind of sequent
+calculus, following Martin-L\"of~\cite{martinlof84}. It included rules for
+building the context, namely variable bindings with their types. A typical
+judgement was
+\[ a(x@1,\ldots,x@n)\in A(x@1,\ldots,x@n) \;
+ [ x@1\in A@1, x@2\in A@2(x@1), \ldots, x@n\in A@n(x@1,\ldots,x@{n-1}) ]
+\]
+This sequent calculus was not satisfactory because assumptions like
+`suppose $A$ is a type' or `suppose $B(x)$ is a type for all $x$ in $A$'
+could not be formalized.
+
+The theory~\thydx{CTT} implements Constructive Type Theory, using
+natural deduction. The judgement above is expressed using $\Forall$ and
+$\Imp$:
+\[ \begin{array}{r@{}l}
+ \Forall x@1\ldots x@n. &
+ \List{x@1\in A@1;
+ x@2\in A@2(x@1); \cdots \;
+ x@n\in A@n(x@1,\ldots,x@{n-1})} \Imp \\
+ & \qquad\qquad a(x@1,\ldots,x@n)\in A(x@1,\ldots,x@n)
+ \end{array}
+\]
+Assumptions can use all the judgement forms, for instance to express that
+$B$ is a family of types over~$A$:
+\[ \Forall x . x\in A \Imp B(x)\;{\rm type} \]
+To justify the CTT formulation it is probably best to appeal directly to the
+semantic explanations of the rules~\cite{martinlof84}, rather than to the
+rules themselves. The order of assumptions no longer matters, unlike in
+standard Type Theory. Contexts, which are typical of many modern type
+theories, are difficult to represent in Isabelle. In particular, it is
+difficult to enforce that all the variables in a context are distinct.
+\index{assumptions!in CTT}
+
+The theory does not use polymorphism. Terms in CTT have type~\tydx{i}, the
+type of individuals. Types in CTT have type~\tydx{t}.
+
+\begin{figure} \tabcolsep=1em %wider spacing in tables
+\begin{center}
+\begin{tabular}{rrr}
+ \it name & \it meta-type & \it description \\
+ \cdx{Type} & $t \to prop$ & judgement form \\
+ \cdx{Eqtype} & $[t,t]\to prop$ & judgement form\\
+ \cdx{Elem} & $[i, t]\to prop$ & judgement form\\
+ \cdx{Eqelem} & $[i, i, t]\to prop$ & judgement form\\
+ \cdx{Reduce} & $[i, i]\to prop$ & extra judgement form\\[2ex]
+
+ \cdx{N} & $t$ & natural numbers type\\
+ \cdx{0} & $i$ & constructor\\
+ \cdx{succ} & $i\to i$ & constructor\\
+ \cdx{rec} & $[i,i,[i,i]\to i]\to i$ & eliminator\\[2ex]
+ \cdx{Prod} & $[t,i\to t]\to t$ & general product type\\
+ \cdx{lambda} & $(i\to i)\to i$ & constructor\\[2ex]
+ \cdx{Sum} & $[t, i\to t]\to t$ & general sum type\\
+ \cdx{pair} & $[i,i]\to i$ & constructor\\
+ \cdx{split} & $[i,[i,i]\to i]\to i$ & eliminator\\
+ \cdx{fst} \cdx{snd} & $i\to i$ & projections\\[2ex]
+ \cdx{inl} \cdx{inr} & $i\to i$ & constructors for $+$\\
+ \cdx{when} & $[i,i\to i, i\to i]\to i$ & eliminator for $+$\\[2ex]
+ \cdx{Eq} & $[t,i,i]\to t$ & equality type\\
+ \cdx{eq} & $i$ & constructor\\[2ex]
+ \cdx{F} & $t$ & empty type\\
+ \cdx{contr} & $i\to i$ & eliminator\\[2ex]
+ \cdx{T} & $t$ & singleton type\\
+ \cdx{tt} & $i$ & constructor
+\end{tabular}
+\end{center}
+\caption{The constants of CTT} \label{ctt-constants}
+\end{figure}
+
+
+CTT supports all of Type Theory apart from list types, well-ordering types,
+and universes. Universes could be introduced {\em\`a la Tarski}, adding new
+constants as names for types. The formulation {\em\`a la Russell}, where
+types denote themselves, is only possible if we identify the meta-types~{\tt
+ i} and~{\tt t}. Most published formulations of well-ordering types have
+difficulties involving extensionality of functions; I suggest that you use
+some other method for defining recursive types. List types are easy to
+introduce by declaring new rules.
+
+CTT uses the 1982 version of Type Theory, with extensional equality. The
+computation $a=b\in A$ and the equality $c\in Eq(A,a,b)$ are interchangeable.
+Its rewriting tactics prove theorems of the form $a=b\in A$. It could be
+modified to have intensional equality, but rewriting tactics would have to
+prove theorems of the form $c\in Eq(A,a,b)$ and the computation rules might
+require a separate simplifier.
+
+
+\begin{figure} \tabcolsep=1em %wider spacing in tables
+\index{lambda abs@$\lambda$-abstractions!in CTT}
+\begin{center}
+\begin{tabular}{llrrr}
+ \it symbol &\it name &\it meta-type & \it priority & \it description \\
+ \sdx{lam} & \cdx{lambda} & $(i\To o)\To i$ & 10 & $\lambda$-abstraction
+\end{tabular}
+\end{center}
+\subcaption{Binders}
+
+\begin{center}
+\index{*"` symbol}\index{function applications!in CTT}
+\index{*"+ symbol}
+\begin{tabular}{rrrr}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt ` & $[i,i]\to i$ & Left 55 & function application\\
+ \tt + & $[t,t]\to t$ & Right 30 & sum of two types
+\end{tabular}
+\end{center}
+\subcaption{Infixes}
+
+\index{*"* symbol}
+\index{*"-"-"> symbol}
+\begin{center} \tt\frenchspacing
+\begin{tabular}{rrr}
+ \it external & \it internal & \it standard notation \\
+ \sdx{PROD} $x$:$A$ . $B[x]$ & Prod($A$, $\lambda x. B[x]$) &
+ \rm product $\prod@{x\in A}B[x]$ \\
+ \sdx{SUM} $x$:$A$ . $B[x]$ & Sum($A$, $\lambda x. B[x]$) &
+ \rm sum $\sum@{x\in A}B[x]$ \\
+ $A$ --> $B$ & Prod($A$, $\lambda x. B$) &
+ \rm function space $A\to B$ \\
+ $A$ * $B$ & Sum($A$, $\lambda x. B$) &
+ \rm binary product $A\times B$
+\end{tabular}
+\end{center}
+\subcaption{Translations}
+
+\index{*"= symbol}
+\begin{center}
+\dquotes
+\[ \begin{array}{rcl}
+prop & = & type " type" \\
+ & | & type " = " type \\
+ & | & term " : " type \\
+ & | & term " = " term " : " type
+\\[2ex]
+type & = & \hbox{expression of type~$t$} \\
+ & | & "PROD~" id " : " type " . " type \\
+ & | & "SUM~~" id " : " type " . " type
+\\[2ex]
+term & = & \hbox{expression of type~$i$} \\
+ & | & "lam " id~id^* " . " term \\
+ & | & "< " term " , " term " >"
+\end{array}
+\]
+\end{center}
+\subcaption{Grammar}
+\caption{Syntax of CTT} \label{ctt-syntax}
+\end{figure}
+
+%%%%\section{Generic Packages} typedsimp.ML????????????????
+
+
+\section{Syntax}
+The constants are shown in Fig.\ts\ref{ctt-constants}. The infixes include
+the function application operator (sometimes called `apply'), and the 2-place
+type operators. Note that meta-level abstraction and application, $\lambda
+x.b$ and $f(a)$, differ from object-level abstraction and application,
+\hbox{\tt lam $x$. $b$} and $b{\tt`}a$. A CTT function~$f$ is simply an
+individual as far as Isabelle is concerned: its Isabelle type is~$i$, not say
+$i\To i$.
+
+The notation for~CTT (Fig.\ts\ref{ctt-syntax}) is based on that of Nordstr\"om
+et al.~\cite{nordstrom90}. The empty type is called $F$ and the one-element
+type is $T$; other finite types are built as $T+T+T$, etc.
+
+\index{*SUM symbol}\index{*PROD symbol}
+Quantification is expressed by sums $\sum@{x\in A}B[x]$ and
+products $\prod@{x\in A}B[x]$. Instead of {\tt Sum($A$,$B$)} and {\tt
+ Prod($A$,$B$)} we may write \hbox{\tt SUM $x$:$A$.\ $B[x]$} and \hbox{\tt
+ PROD $x$:$A$.\ $B[x]$}. For example, we may write
+\begin{ttbox}
+SUM y:B. PROD x:A. C(x,y) {\rm for} Sum(B, \%y. Prod(A, \%x. C(x,y)))
+\end{ttbox}
+The special cases as \hbox{\tt$A$*$B$} and \hbox{\tt$A$-->$B$} abbreviate
+general sums and products over a constant family.\footnote{Unlike normal
+infix operators, {\tt*} and {\tt-->} merely define abbreviations; there are
+no constants~{\tt op~*} and~\hbox{\tt op~-->}.} Isabelle accepts these
+abbreviations in parsing and uses them whenever possible for printing.
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{refl_type} A type ==> A = A
+\tdx{refl_elem} a : A ==> a = a : A
+
+\tdx{sym_type} A = B ==> B = A
+\tdx{sym_elem} a = b : A ==> b = a : A
+
+\tdx{trans_type} [| A = B; B = C |] ==> A = C
+\tdx{trans_elem} [| a = b : A; b = c : A |] ==> a = c : A
+
+\tdx{equal_types} [| a : A; A = B |] ==> a : B
+\tdx{equal_typesL} [| a = b : A; A = B |] ==> a = b : B
+
+\tdx{subst_type} [| a : A; !!z. z:A ==> B(z) type |] ==> B(a) type
+\tdx{subst_typeL} [| a = c : A; !!z. z:A ==> B(z) = D(z)
+ |] ==> B(a) = D(c)
+
+\tdx{subst_elem} [| a : A; !!z. z:A ==> b(z):B(z) |] ==> b(a):B(a)
+\tdx{subst_elemL} [| a = c : A; !!z. z:A ==> b(z) = d(z) : B(z)
+ |] ==> b(a) = d(c) : B(a)
+
+\tdx{refl_red} Reduce(a,a)
+\tdx{red_if_equal} a = b : A ==> Reduce(a,b)
+\tdx{trans_red} [| a = b : A; Reduce(b,c) |] ==> a = c : A
+\end{ttbox}
+\caption{General equality rules} \label{ctt-equality}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{NF} N type
+
+\tdx{NI0} 0 : N
+\tdx{NI_succ} a : N ==> succ(a) : N
+\tdx{NI_succL} a = b : N ==> succ(a) = succ(b) : N
+
+\tdx{NE} [| p: N; a: C(0);
+ !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
+ |] ==> rec(p, a, \%u v. b(u,v)) : C(p)
+
+\tdx{NEL} [| p = q : N; a = c : C(0);
+ !!u v. [| u: N; v: C(u) |] ==> b(u,v)=d(u,v): C(succ(u))
+ |] ==> rec(p, a, \%u v. b(u,v)) = rec(q,c,d) : C(p)
+
+\tdx{NC0} [| a: C(0);
+ !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
+ |] ==> rec(0, a, \%u v. b(u,v)) = a : C(0)
+
+\tdx{NC_succ} [| p: N; a: C(0);
+ !!u v. [| u: N; v: C(u) |] ==> b(u,v): C(succ(u))
+ |] ==> rec(succ(p), a, \%u v. b(u,v)) =
+ b(p, rec(p, a, \%u v. b(u,v))) : C(succ(p))
+
+\tdx{zero_ne_succ} [| a: N; 0 = succ(a) : N |] ==> 0: F
+\end{ttbox}
+\caption{Rules for type~$N$} \label{ctt-N}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{ProdF} [| A type; !!x. x:A ==> B(x) type |] ==> PROD x:A. B(x) type
+\tdx{ProdFL} [| A = C; !!x. x:A ==> B(x) = D(x) |] ==>
+ PROD x:A. B(x) = PROD x:C. D(x)
+
+\tdx{ProdI} [| A type; !!x. x:A ==> b(x):B(x)
+ |] ==> lam x. b(x) : PROD x:A. B(x)
+\tdx{ProdIL} [| A type; !!x. x:A ==> b(x) = c(x) : B(x)
+ |] ==> lam x. b(x) = lam x. c(x) : PROD x:A. B(x)
+
+\tdx{ProdE} [| p : PROD x:A. B(x); a : A |] ==> p`a : B(a)
+\tdx{ProdEL} [| p=q: PROD x:A. B(x); a=b : A |] ==> p`a = q`b : B(a)
+
+\tdx{ProdC} [| a : A; !!x. x:A ==> b(x) : B(x)
+ |] ==> (lam x. b(x)) ` a = b(a) : B(a)
+
+\tdx{ProdC2} p : PROD x:A. B(x) ==> (lam x. p`x) = p : PROD x:A. B(x)
+\end{ttbox}
+\caption{Rules for the product type $\prod\sb{x\in A}B[x]$} \label{ctt-prod}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{SumF} [| A type; !!x. x:A ==> B(x) type |] ==> SUM x:A. B(x) type
+\tdx{SumFL} [| A = C; !!x. x:A ==> B(x) = D(x)
+ |] ==> SUM x:A. B(x) = SUM x:C. D(x)
+
+\tdx{SumI} [| a : A; b : B(a) |] ==> <a,b> : SUM x:A. B(x)
+\tdx{SumIL} [| a=c:A; b=d:B(a) |] ==> <a,b> = <c,d> : SUM x:A. B(x)
+
+\tdx{SumE} [| p: SUM x:A. B(x);
+ !!x y. [| x:A; y:B(x) |] ==> c(x,y): C(<x,y>)
+ |] ==> split(p, \%x y. c(x,y)) : C(p)
+
+\tdx{SumEL} [| p=q : SUM x:A. B(x);
+ !!x y. [| x:A; y:B(x) |] ==> c(x,y)=d(x,y): C(<x,y>)
+ |] ==> split(p, \%x y. c(x,y)) = split(q, \%x y. d(x,y)) : C(p)
+
+\tdx{SumC} [| a: A; b: B(a);
+ !!x y. [| x:A; y:B(x) |] ==> c(x,y): C(<x,y>)
+ |] ==> split(<a,b>, \%x y. c(x,y)) = c(a,b) : C(<a,b>)
+
+\tdx{fst_def} fst(a) == split(a, \%x y. x)
+\tdx{snd_def} snd(a) == split(a, \%x y. y)
+\end{ttbox}
+\caption{Rules for the sum type $\sum\sb{x\in A}B[x]$} \label{ctt-sum}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{PlusF} [| A type; B type |] ==> A+B type
+\tdx{PlusFL} [| A = C; B = D |] ==> A+B = C+D
+
+\tdx{PlusI_inl} [| a : A; B type |] ==> inl(a) : A+B
+\tdx{PlusI_inlL} [| a = c : A; B type |] ==> inl(a) = inl(c) : A+B
+
+\tdx{PlusI_inr} [| A type; b : B |] ==> inr(b) : A+B
+\tdx{PlusI_inrL} [| A type; b = d : B |] ==> inr(b) = inr(d) : A+B
+
+\tdx{PlusE} [| p: A+B;
+ !!x. x:A ==> c(x): C(inl(x));
+ !!y. y:B ==> d(y): C(inr(y))
+ |] ==> when(p, \%x. c(x), \%y. d(y)) : C(p)
+
+\tdx{PlusEL} [| p = q : A+B;
+ !!x. x: A ==> c(x) = e(x) : C(inl(x));
+ !!y. y: B ==> d(y) = f(y) : C(inr(y))
+ |] ==> when(p, \%x. c(x), \%y. d(y)) =
+ when(q, \%x. e(x), \%y. f(y)) : C(p)
+
+\tdx{PlusC_inl} [| a: A;
+ !!x. x:A ==> c(x): C(inl(x));
+ !!y. y:B ==> d(y): C(inr(y))
+ |] ==> when(inl(a), \%x. c(x), \%y. d(y)) = c(a) : C(inl(a))
+
+\tdx{PlusC_inr} [| b: B;
+ !!x. x:A ==> c(x): C(inl(x));
+ !!y. y:B ==> d(y): C(inr(y))
+ |] ==> when(inr(b), \%x. c(x), \%y. d(y)) = d(b) : C(inr(b))
+\end{ttbox}
+\caption{Rules for the binary sum type $A+B$} \label{ctt-plus}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{FF} F type
+\tdx{FE} [| p: F; C type |] ==> contr(p) : C
+\tdx{FEL} [| p = q : F; C type |] ==> contr(p) = contr(q) : C
+
+\tdx{TF} T type
+\tdx{TI} tt : T
+\tdx{TE} [| p : T; c : C(tt) |] ==> c : C(p)
+\tdx{TEL} [| p = q : T; c = d : C(tt) |] ==> c = d : C(p)
+\tdx{TC} p : T ==> p = tt : T)
+\end{ttbox}
+
+\caption{Rules for types $F$ and $T$} \label{ctt-ft}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{EqF} [| A type; a : A; b : A |] ==> Eq(A,a,b) type
+\tdx{EqFL} [| A=B; a=c: A; b=d : A |] ==> Eq(A,a,b) = Eq(B,c,d)
+\tdx{EqI} a = b : A ==> eq : Eq(A,a,b)
+\tdx{EqE} p : Eq(A,a,b) ==> a = b : A
+\tdx{EqC} p : Eq(A,a,b) ==> p = eq : Eq(A,a,b)
+\end{ttbox}
+\caption{Rules for the equality type $Eq(A,a,b)$} \label{ctt-eq}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{replace_type} [| B = A; a : A |] ==> a : B
+\tdx{subst_eqtyparg} [| a=c : A; !!z. z:A ==> B(z) type |] ==> B(a)=B(c)
+
+\tdx{subst_prodE} [| p: Prod(A,B); a: A; !!z. z: B(a) ==> c(z): C(z)
+ |] ==> c(p`a): C(p`a)
+
+\tdx{SumIL2} [| c=a : A; d=b : B(a) |] ==> <c,d> = <a,b> : Sum(A,B)
+
+\tdx{SumE_fst} p : Sum(A,B) ==> fst(p) : A
+
+\tdx{SumE_snd} [| p: Sum(A,B); A type; !!x. x:A ==> B(x) type
+ |] ==> snd(p) : B(fst(p))
+\end{ttbox}
+
+\caption{Derived rules for CTT} \label{ctt-derived}
+\end{figure}
+
+
+\section{Rules of inference}
+The rules obey the following naming conventions. Type formation rules have
+the suffix~{\tt F}\@. Introduction rules have the suffix~{\tt I}\@.
+Elimination rules have the suffix~{\tt E}\@. Computation rules, which
+describe the reduction of eliminators, have the suffix~{\tt C}\@. The
+equality versions of the rules (which permit reductions on subterms) are
+called {\bf long} rules; their names have the suffix~{\tt L}\@.
+Introduction and computation rules are often further suffixed with
+constructor names.
+
+Figure~\ref{ctt-equality} presents the equality rules. Most of them are
+straightforward: reflexivity, symmetry, transitivity and substitution. The
+judgement \cdx{Reduce} does not belong to Type Theory proper; it has
+been added to implement rewriting. The judgement ${\tt Reduce}(a,b)$ holds
+when $a=b:A$ holds. It also holds when $a$ and $b$ are syntactically
+identical, even if they are ill-typed, because rule {\tt refl_red} does
+not verify that $a$ belongs to $A$.
+
+The {\tt Reduce} rules do not give rise to new theorems about the standard
+judgements. The only rule with {\tt Reduce} in a premise is
+{\tt trans_red}, whose other premise ensures that $a$ and~$b$ (and thus
+$c$) are well-typed.
+
+Figure~\ref{ctt-N} presents the rules for~$N$, the type of natural numbers.
+They include \tdx{zero_ne_succ}, which asserts $0\not=n+1$. This is
+the fourth Peano axiom and cannot be derived without universes \cite[page
+91]{martinlof84}.
+
+The constant \cdx{rec} constructs proof terms when mathematical
+induction, rule~\tdx{NE}, is applied. It can also express primitive
+recursion. Since \cdx{rec} can be applied to higher-order functions,
+it can even express Ackermann's function, which is not primitive recursive
+\cite[page~104]{thompson91}.
+
+Figure~\ref{ctt-prod} shows the rules for general product types, which
+include function types as a special case. The rules correspond to the
+predicate calculus rules for universal quantifiers and implication. They
+also permit reasoning about functions, with the rules of a typed
+$\lambda$-calculus.
+
+Figure~\ref{ctt-sum} shows the rules for general sum types, which
+include binary product types as a special case. The rules correspond to the
+predicate calculus rules for existential quantifiers and conjunction. They
+also permit reasoning about ordered pairs, with the projections
+\cdx{fst} and~\cdx{snd}.
+
+Figure~\ref{ctt-plus} shows the rules for binary sum types. They
+correspond to the predicate calculus rules for disjunction. They also
+permit reasoning about disjoint sums, with the injections \cdx{inl}
+and~\cdx{inr} and case analysis operator~\cdx{when}.
+
+Figure~\ref{ctt-ft} shows the rules for the empty and unit types, $F$
+and~$T$. They correspond to the predicate calculus rules for absurdity and
+truth.
+
+Figure~\ref{ctt-eq} shows the rules for equality types. If $a=b\in A$ is
+provable then \cdx{eq} is a canonical element of the type $Eq(A,a,b)$,
+and vice versa. These rules define extensional equality; the most recent
+versions of Type Theory use intensional equality~\cite{nordstrom90}.
+
+Figure~\ref{ctt-derived} presents the derived rules. The rule
+\tdx{subst_prodE} is derived from {\tt prodE}, and is easier to use
+in backwards proof. The rules \tdx{SumE_fst} and \tdx{SumE_snd}
+express the typing of~\cdx{fst} and~\cdx{snd}; together, they are
+roughly equivalent to~{\tt SumE} with the advantage of creating no
+parameters. Section~\ref{ctt-choice} below demonstrates these rules in a
+proof of the Axiom of Choice.
+
+All the rules are given in $\eta$-expanded form. For instance, every
+occurrence of $\lambda u\,v. b(u,v)$ could be abbreviated to~$b$ in the
+rules for~$N$. The expanded form permits Isabelle to preserve bound
+variable names during backward proof. Names of bound variables in the
+conclusion (here, $u$ and~$v$) are matched with corresponding bound
+variables in the premises.
+
+
+\section{Rule lists}
+The Type Theory tactics provide rewriting, type inference, and logical
+reasoning. Many proof procedures work by repeatedly resolving certain Type
+Theory rules against a proof state. CTT defines lists --- each with
+type
+\hbox{\tt thm list} --- of related rules.
+\begin{ttdescription}
+\item[\ttindexbold{form_rls}]
+contains formation rules for the types $N$, $\Pi$, $\Sigma$, $+$, $Eq$,
+$F$, and $T$.
+
+\item[\ttindexbold{formL_rls}]
+contains long formation rules for $\Pi$, $\Sigma$, $+$, and $Eq$. (For
+other types use \tdx{refl_type}.)
+
+\item[\ttindexbold{intr_rls}]
+contains introduction rules for the types $N$, $\Pi$, $\Sigma$, $+$, and
+$T$.
+
+\item[\ttindexbold{intrL_rls}]
+contains long introduction rules for $N$, $\Pi$, $\Sigma$, and $+$. (For
+$T$ use \tdx{refl_elem}.)
+
+\item[\ttindexbold{elim_rls}]
+contains elimination rules for the types $N$, $\Pi$, $\Sigma$, $+$, and
+$F$. The rules for $Eq$ and $T$ are omitted because they involve no
+eliminator.
+
+\item[\ttindexbold{elimL_rls}]
+contains long elimination rules for $N$, $\Pi$, $\Sigma$, $+$, and $F$.
+
+\item[\ttindexbold{comp_rls}]
+contains computation rules for the types $N$, $\Pi$, $\Sigma$, and $+$.
+Those for $Eq$ and $T$ involve no eliminator.
+
+\item[\ttindexbold{basic_defs}]
+contains the definitions of {\tt fst} and {\tt snd}.
+\end{ttdescription}
+
+
+\section{Tactics for subgoal reordering}
+\begin{ttbox}
+test_assume_tac : int -> tactic
+typechk_tac : thm list -> tactic
+equal_tac : thm list -> tactic
+intr_tac : thm list -> tactic
+\end{ttbox}
+Blind application of CTT rules seldom leads to a proof. The elimination
+rules, especially, create subgoals containing new unknowns. These subgoals
+unify with anything, creating a huge search space. The standard tactic
+\ttindex{filt_resolve_tac}
+(see \iflabelundefined{filt_resolve_tac}{the {\em Reference Manual\/}}%
+ {\S\ref{filt_resolve_tac}})
+%
+fails for goals that are too flexible; so does the CTT tactic {\tt
+ test_assume_tac}. Used with the tactical \ttindex{REPEAT_FIRST} they
+achieve a simple kind of subgoal reordering: the less flexible subgoals are
+attempted first. Do some single step proofs, or study the examples below,
+to see why this is necessary.
+\begin{ttdescription}
+\item[\ttindexbold{test_assume_tac} $i$]
+uses {\tt assume_tac} to solve the subgoal by assumption, but only if
+subgoal~$i$ has the form $a\in A$ and the head of $a$ is not an unknown.
+Otherwise, it fails.
+
+\item[\ttindexbold{typechk_tac} $thms$]
+uses $thms$ with formation, introduction, and elimination rules to check
+the typing of constructions. It is designed to solve goals of the form
+$a\in \Var{A}$, where $a$ is rigid and $\Var{A}$ is flexible; thus it
+performs type inference. The tactic can also solve goals of
+the form $A\;\rm type$.
+
+\item[\ttindexbold{equal_tac} $thms$]
+uses $thms$ with the long introduction and elimination rules to solve goals
+of the form $a=b\in A$, where $a$ is rigid. It is intended for deriving
+the long rules for defined constants such as the arithmetic operators. The
+tactic can also perform type-checking.
+
+\item[\ttindexbold{intr_tac} $thms$]
+uses $thms$ with the introduction rules to break down a type. It is
+designed for goals like $\Var{a}\in A$ where $\Var{a}$ is flexible and $A$
+rigid. These typically arise when trying to prove a proposition~$A$,
+expressed as a type.
+\end{ttdescription}
+
+
+
+\section{Rewriting tactics}
+\begin{ttbox}
+rew_tac : thm list -> tactic
+hyp_rew_tac : thm list -> tactic
+\end{ttbox}
+Object-level simplification is accomplished through proof, using the {\tt
+ CTT} equality rules and the built-in rewriting functor
+{\tt TSimpFun}.%
+\footnote{This should not be confused with Isabelle's main simplifier; {\tt
+ TSimpFun} is only useful for CTT and similar logics with type inference
+ rules. At present it is undocumented.}
+%
+The rewrites include the computation rules and other equations. The long
+versions of the other rules permit rewriting of subterms and subtypes.
+Also used are transitivity and the extra judgement form \cdx{Reduce}.
+Meta-level simplification handles only definitional equality.
+\begin{ttdescription}
+\item[\ttindexbold{rew_tac} $thms$]
+applies $thms$ and the computation rules as left-to-right rewrites. It
+solves the goal $a=b\in A$ by rewriting $a$ to $b$. If $b$ is an unknown
+then it is assigned the rewritten form of~$a$. All subgoals are rewritten.
+
+\item[\ttindexbold{hyp_rew_tac} $thms$]
+is like {\tt rew_tac}, but includes as rewrites any equations present in
+the assumptions.
+\end{ttdescription}
+
+
+\section{Tactics for logical reasoning}
+Interpreting propositions as types lets CTT express statements of
+intuitionistic logic. However, Constructive Type Theory is not just another
+syntax for first-order logic. There are fundamental differences.
+
+\index{assumptions!in CTT}
+Can assumptions be deleted after use? Not every occurrence of a type
+represents a proposition, and Type Theory assumptions declare variables.
+In first-order logic, $\disj$-elimination with the assumption $P\disj Q$
+creates one subgoal assuming $P$ and another assuming $Q$, and $P\disj Q$
+can be deleted safely. In Type Theory, $+$-elimination with the assumption
+$z\in A+B$ creates one subgoal assuming $x\in A$ and another assuming $y\in
+B$ (for arbitrary $x$ and $y$). Deleting $z\in A+B$ when other assumptions
+refer to $z$ may render the subgoal unprovable: arguably,
+meaningless.
+
+Isabelle provides several tactics for predicate calculus reasoning in CTT:
+\begin{ttbox}
+mp_tac : int -> tactic
+add_mp_tac : int -> tactic
+safestep_tac : thm list -> int -> tactic
+safe_tac : thm list -> int -> tactic
+step_tac : thm list -> int -> tactic
+pc_tac : thm list -> int -> tactic
+\end{ttbox}
+These are loosely based on the intuitionistic proof procedures
+of~\thydx{FOL}. For the reasons discussed above, a rule that is safe for
+propositional reasoning may be unsafe for type-checking; thus, some of the
+`safe' tactics are misnamed.
+\begin{ttdescription}
+\item[\ttindexbold{mp_tac} $i$]
+searches in subgoal~$i$ for assumptions of the form $f\in\Pi(A,B)$ and
+$a\in A$, where~$A$ may be found by unification. It replaces
+$f\in\Pi(A,B)$ by $z\in B(a)$, where~$z$ is a new parameter. The tactic
+can produce multiple outcomes for each suitable pair of assumptions. In
+short, {\tt mp_tac} performs Modus Ponens among the assumptions.
+
+\item[\ttindexbold{add_mp_tac} $i$]
+is like {\tt mp_tac}~$i$ but retains the assumption $f\in\Pi(A,B)$. It
+avoids information loss but obviously loops if repeated.
+
+\item[\ttindexbold{safestep_tac} $thms$ $i$]
+attacks subgoal~$i$ using formation rules and certain other `safe' rules
+(\tdx{FE}, \tdx{ProdI}, \tdx{SumE}, \tdx{PlusE}), calling
+{\tt mp_tac} when appropriate. It also uses~$thms$,
+which are typically premises of the rule being derived.
+
+\item[\ttindexbold{safe_tac} $thms$ $i$] attempts to solve subgoal~$i$ by
+ means of backtracking, using {\tt safestep_tac}.
+
+\item[\ttindexbold{step_tac} $thms$ $i$]
+tries to reduce subgoal~$i$ using {\tt safestep_tac}, then tries unsafe
+rules. It may produce multiple outcomes.
+
+\item[\ttindexbold{pc_tac} $thms$ $i$]
+tries to solve subgoal~$i$ by backtracking, using {\tt step_tac}.
+\end{ttdescription}
+
+
+
+\begin{figure}
+\index{#+@{\tt\#+} symbol}
+\index{*"- symbol}
+\index{#*@{\tt\#*} symbol}
+\index{*div symbol}
+\index{*mod symbol}
+
+\index{absolute difference}
+\index{"!-"!@{\tt\char124-\char124} symbol}
+%\char124 is vertical bar. We use ! because | stopped working
+
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt \#* & $[i,i]\To i$ & Left 70 & multiplication \\
+ \tt div & $[i,i]\To i$ & Left 70 & division\\
+ \tt mod & $[i,i]\To i$ & Left 70 & modulus\\
+ \tt \#+ & $[i,i]\To i$ & Left 65 & addition\\
+ \tt - & $[i,i]\To i$ & Left 65 & subtraction\\
+ \verb'|-|' & $[i,i]\To i$ & Left 65 & absolute difference
+\end{constants}
+
+\begin{ttbox}
+\tdx{add_def} a#+b == rec(a, b, \%u v. succ(v))
+\tdx{diff_def} a-b == rec(b, a, \%u v. rec(v, 0, \%x y. x))
+\tdx{absdiff_def} a|-|b == (a-b) #+ (b-a)
+\tdx{mult_def} a#*b == rec(a, 0, \%u v. b #+ v)
+
+\tdx{mod_def} a mod b ==
+ rec(a, 0, \%u v. rec(succ(v) |-| b, 0, \%x y. succ(v)))
+
+\tdx{div_def} a div b ==
+ rec(a, 0, \%u v. rec(succ(u) mod b, succ(v), \%x y. v))
+
+\tdx{add_typing} [| a:N; b:N |] ==> a #+ b : N
+\tdx{addC0} b:N ==> 0 #+ b = b : N
+\tdx{addC_succ} [| a:N; b:N |] ==> succ(a) #+ b = succ(a #+ b) : N
+
+\tdx{add_assoc} [| a:N; b:N; c:N |] ==>
+ (a #+ b) #+ c = a #+ (b #+ c) : N
+
+\tdx{add_commute} [| a:N; b:N |] ==> a #+ b = b #+ a : N
+
+\tdx{mult_typing} [| a:N; b:N |] ==> a #* b : N
+\tdx{multC0} b:N ==> 0 #* b = 0 : N
+\tdx{multC_succ} [| a:N; b:N |] ==> succ(a) #* b = b #+ (a#*b) : N
+\tdx{mult_commute} [| a:N; b:N |] ==> a #* b = b #* a : N
+
+\tdx{add_mult_dist} [| a:N; b:N; c:N |] ==>
+ (a #+ b) #* c = (a #* c) #+ (b #* c) : N
+
+\tdx{mult_assoc} [| a:N; b:N; c:N |] ==>
+ (a #* b) #* c = a #* (b #* c) : N
+
+\tdx{diff_typing} [| a:N; b:N |] ==> a - b : N
+\tdx{diffC0} a:N ==> a - 0 = a : N
+\tdx{diff_0_eq_0} b:N ==> 0 - b = 0 : N
+\tdx{diff_succ_succ} [| a:N; b:N |] ==> succ(a) - succ(b) = a - b : N
+\tdx{diff_self_eq_0} a:N ==> a - a = 0 : N
+\tdx{add_inverse_diff} [| a:N; b:N; b-a=0 : N |] ==> b #+ (a-b) = a : N
+\end{ttbox}
+\caption{The theory of arithmetic} \label{ctt_arith}
+\end{figure}
+
+
+\section{A theory of arithmetic}
+\thydx{Arith} is a theory of elementary arithmetic. It proves the
+properties of addition, multiplication, subtraction, division, and
+remainder, culminating in the theorem
+\[ a \bmod b + (a/b)\times b = a. \]
+Figure~\ref{ctt_arith} presents the definitions and some of the key
+theorems, including commutative, distributive, and associative laws.
+
+The operators~\verb'#+', \verb'-', \verb'|-|', \verb'#*', \verb'mod'
+and~\verb'div' stand for sum, difference, absolute difference, product,
+remainder and quotient, respectively. Since Type Theory has only primitive
+recursion, some of their definitions may be obscure.
+
+The difference~$a-b$ is computed by taking $b$ predecessors of~$a$, where
+the predecessor function is $\lambda v. {\tt rec}(v, 0, \lambda x\,y. x)$.
+
+The remainder $a\bmod b$ counts up to~$a$ in a cyclic fashion, using 0
+as the successor of~$b-1$. Absolute difference is used to test the
+equality $succ(v)=b$.
+
+The quotient $a/b$ is computed by adding one for every number $x$
+such that $0\leq x \leq a$ and $x\bmod b = 0$.
+
+
+
+\section{The examples directory}
+This directory contains examples and experimental proofs in CTT.
+\begin{ttdescription}
+\item[CTT/ex/typechk.ML]
+contains simple examples of type-checking and type deduction.
+
+\item[CTT/ex/elim.ML]
+contains some examples from Martin-L\"of~\cite{martinlof84}, proved using
+{\tt pc_tac}.
+
+\item[CTT/ex/equal.ML]
+contains simple examples of rewriting.
+
+\item[CTT/ex/synth.ML]
+demonstrates the use of unknowns with some trivial examples of program
+synthesis.
+\end{ttdescription}
+
+
+\section{Example: type inference}
+Type inference involves proving a goal of the form $a\in\Var{A}$, where $a$
+is a term and $\Var{A}$ is an unknown standing for its type. The type,
+initially
+unknown, takes shape in the course of the proof. Our example is the
+predecessor function on the natural numbers.
+\begin{ttbox}
+Goal "lam n. rec(n, 0, \%x y. x) : ?A";
+{\out Level 0}
+{\out lam n. rec(n,0,\%x y. x) : ?A}
+{\out 1. lam n. rec(n,0,\%x y. x) : ?A}
+\end{ttbox}
+Since the term is a Constructive Type Theory $\lambda$-abstraction (not to
+be confused with a meta-level abstraction), we apply the rule
+\tdx{ProdI}, for $\Pi$-introduction. This instantiates~$\Var{A}$ to a
+product type of unknown domain and range.
+\begin{ttbox}
+by (resolve_tac [ProdI] 1);
+{\out Level 1}
+{\out lam n. rec(n,0,\%x y. x) : PROD x:?A1. ?B1(x)}
+{\out 1. ?A1 type}
+{\out 2. !!n. n : ?A1 ==> rec(n,0,\%x y. x) : ?B1(n)}
+\end{ttbox}
+Subgoal~1 is too flexible. It can be solved by instantiating~$\Var{A@1}$
+to any type, but most instantiations will invalidate subgoal~2. We
+therefore tackle the latter subgoal. It asks the type of a term beginning
+with {\tt rec}, which can be found by $N$-elimination.%
+\index{*NE theorem}
+\begin{ttbox}
+by (eresolve_tac [NE] 2);
+{\out Level 2}
+{\out lam n. rec(n,0,\%x y. x) : PROD x:N. ?C2(x,x)}
+{\out 1. N type}
+{\out 2. !!n. 0 : ?C2(n,0)}
+{\out 3. !!n x y. [| x : N; y : ?C2(n,x) |] ==> x : ?C2(n,succ(x))}
+\end{ttbox}
+Subgoal~1 is no longer flexible: we now know~$\Var{A@1}$ is the type of
+natural numbers. However, let us continue proving nontrivial subgoals.
+Subgoal~2 asks, what is the type of~0?\index{*NIO theorem}
+\begin{ttbox}
+by (resolve_tac [NI0] 2);
+{\out Level 3}
+{\out lam n. rec(n,0,\%x y. x) : N --> N}
+{\out 1. N type}
+{\out 2. !!n x y. [| x : N; y : N |] ==> x : N}
+\end{ttbox}
+The type~$\Var{A}$ is now fully determined. It is the product type
+$\prod@{x\in N}N$, which is shown as the function type $N\to N$ because
+there is no dependence on~$x$. But we must prove all the subgoals to show
+that the original term is validly typed. Subgoal~2 is provable by
+assumption and the remaining subgoal falls by $N$-formation.%
+\index{*NF theorem}
+\begin{ttbox}
+by (assume_tac 2);
+{\out Level 4}
+{\out lam n. rec(n,0,\%x y. x) : N --> N}
+{\out 1. N type}
+\ttbreak
+by (resolve_tac [NF] 1);
+{\out Level 5}
+{\out lam n. rec(n,0,\%x y. x) : N --> N}
+{\out No subgoals!}
+\end{ttbox}
+Calling \ttindex{typechk_tac} can prove this theorem in one step.
+
+Even if the original term is ill-typed, one can infer a type for it, but
+unprovable subgoals will be left. As an exercise, try to prove the
+following invalid goal:
+\begin{ttbox}
+Goal "lam n. rec(n, 0, \%x y. tt) : ?A";
+\end{ttbox}
+
+
+
+\section{An example of logical reasoning}
+Logical reasoning in Type Theory involves proving a goal of the form
+$\Var{a}\in A$, where type $A$ expresses a proposition and $\Var{a}$ stands
+for its proof term, a value of type $A$. The proof term is initially
+unknown and takes shape during the proof.
+
+Our example expresses a theorem about quantifiers in a sorted logic:
+\[ \infer{(\ex{x\in A}P(x)) \disj (\ex{x\in A}Q(x))}
+ {\ex{x\in A}P(x)\disj Q(x)}
+\]
+By the propositions-as-types principle, this is encoded
+using~$\Sigma$ and~$+$ types. A special case of it expresses a
+distributive law of Type Theory:
+\[ \infer{(A\times B) + (A\times C)}{A\times(B+C)} \]
+Generalizing this from $\times$ to $\Sigma$, and making the typing
+conditions explicit, yields the rule we must derive:
+\[ \infer{\Var{a} \in (\sum@{x\in A} B(x)) + (\sum@{x\in A} C(x))}
+ {\hbox{$A$ type} &
+ \infer*{\hbox{$B(x)$ type}}{[x\in A]} &
+ \infer*{\hbox{$C(x)$ type}}{[x\in A]} &
+ p\in \sum@{x\in A} B(x)+C(x)}
+\]
+To begin, we bind the rule's premises --- returned by the~{\tt goal}
+command --- to the {\ML} variable~{\tt prems}.
+\begin{ttbox}
+val prems = Goal
+ "[| A type; \ttback
+\ttback !!x. x:A ==> B(x) type; \ttback
+\ttback !!x. x:A ==> C(x) type; \ttback
+\ttback p: SUM x:A. B(x) + C(x) \ttback
+\ttback |] ==> ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))";
+{\out Level 0}
+{\out ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. ?a : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\ttbreak
+{\out val prems = ["A type [A type]",}
+{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
+{\out "?x : A ==> C(?x) type [!!x. x : A ==> C(x) type]",}
+{\out "p : SUM x:A. B(x) + C(x) [p : SUM x:A. B(x) + C(x)]"]}
+{\out : thm list}
+\end{ttbox}
+The last premise involves the sum type~$\Sigma$. Since it is a premise
+rather than the assumption of a goal, it cannot be found by {\tt
+ eresolve_tac}. We could insert it (and the other atomic premise) by
+calling
+\begin{ttbox}
+cut_facts_tac prems 1;
+\end{ttbox}
+A forward proof step is more straightforward here. Let us resolve the
+$\Sigma$-elimination rule with the premises using~\ttindex{RL}. This
+inference yields one result, which we supply to {\tt
+ resolve_tac}.\index{*SumE theorem}
+\begin{ttbox}
+by (resolve_tac (prems RL [SumE]) 1);
+{\out Level 1}
+{\out split(p,?c1) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y.}
+{\out [| x : A; y : B(x) + C(x) |] ==>}
+{\out ?c1(x,y) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+The subgoal has two new parameters, $x$ and~$y$. In the main goal,
+$\Var{a}$ has been instantiated with a \cdx{split} term. The
+assumption $y\in B(x) + C(x)$ is eliminated next, causing a case split and
+creating the parameter~$xa$. This inference also inserts~\cdx{when}
+into the main goal.\index{*PlusE theorem}
+\begin{ttbox}
+by (eresolve_tac [PlusE] 1);
+{\out Level 2}
+{\out split(p,\%x y. when(y,?c2(x,y),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y xa.}
+{\out [| x : A; xa : B(x) |] ==>}
+{\out ?c2(x,y,xa) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\ttbreak
+{\out 2. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+To complete the proof object for the main goal, we need to instantiate the
+terms $\Var{c@2}(x,y,xa)$ and $\Var{d@2}(x,y,xa)$. We attack subgoal~1 by
+a~$+$-introduction rule; since the goal assumes $xa\in B(x)$, we take the left
+injection~(\cdx{inl}).
+\index{*PlusI_inl theorem}
+\begin{ttbox}
+by (resolve_tac [PlusI_inl] 1);
+{\out Level 3}
+{\out split(p,\%x y. when(y,\%xa. inl(?a3(x,y,xa)),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?a3(x,y,xa) : SUM x:A. B(x)}
+{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
+\ttbreak
+{\out 3. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+A new subgoal~2 has appeared, to verify that $\sum@{x\in A}C(x)$ is a type.
+Continuing to work on subgoal~1, we apply the $\Sigma$-introduction rule.
+This instantiates the term $\Var{a@3}(x,y,xa)$; the main goal now contains
+an ordered pair, whose components are two new unknowns.%
+\index{*SumI theorem}
+\begin{ttbox}
+by (resolve_tac [SumI] 1);
+{\out Level 4}
+{\out split(p,\%x y. when(y,\%xa. inl(<?a4(x,y,xa),?b4(x,y,xa)>),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?a4(x,y,xa) : A}
+{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> ?b4(x,y,xa) : B(?a4(x,y,xa))}
+{\out 3. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
+{\out 4. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+The two new subgoals both hold by assumption. Observe how the unknowns
+$\Var{a@4}$ and $\Var{b@4}$ are instantiated throughout the proof state.
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 5}
+{\out split(p,\%x y. when(y,\%xa. inl(<x,?b4(x,y,xa)>),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\ttbreak
+{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> ?b4(x,y,xa) : B(x)}
+{\out 2. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
+{\out 3. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\ttbreak
+by (assume_tac 1);
+{\out Level 6}
+{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y xa. [| x : A; xa : B(x) |] ==> SUM x:A. C(x) type}
+{\out 2. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+Subgoal~1 is an example of a well-formedness subgoal~\cite{constable86}.
+Such subgoals are usually trivial; this one yields to
+\ttindex{typechk_tac}, given the current list of premises.
+\begin{ttbox}
+by (typechk_tac prems);
+{\out Level 7}
+{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),?d2(x,y)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out 1. !!x y ya.}
+{\out [| x : A; ya : C(x) |] ==>}
+{\out ?d2(x,y,ya) : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+\end{ttbox}
+This subgoal is the other case from the $+$-elimination above, and can be
+proved similarly. Quicker is to apply \ttindex{pc_tac}. The main goal
+finally gets a fully instantiated proof object.
+\begin{ttbox}
+by (pc_tac prems 1);
+{\out Level 8}
+{\out split(p,\%x y. when(y,\%xa. inl(<x,xa>),\%y. inr(<x,y>)))}
+{\out : (SUM x:A. B(x)) + (SUM x:A. C(x))}
+{\out No subgoals!}
+\end{ttbox}
+Calling \ttindex{pc_tac} after the first $\Sigma$-elimination above also
+proves this theorem.
+
+
+\section{Example: deriving a currying functional}
+In simply-typed languages such as {\ML}, a currying functional has the type
+\[ (A\times B \to C) \to (A\to (B\to C)). \]
+Let us generalize this to the dependent types~$\Sigma$ and~$\Pi$.
+The functional takes a function~$f$ that maps $z:\Sigma(A,B)$
+to~$C(z)$; the resulting function maps $x\in A$ and $y\in B(x)$ to
+$C(\langle x,y\rangle)$.
+
+Formally, there are three typing premises. $A$ is a type; $B$ is an
+$A$-indexed family of types; $C$ is a family of types indexed by
+$\Sigma(A,B)$. The goal is expressed using \hbox{\tt PROD f} to ensure
+that the parameter corresponding to the functional's argument is really
+called~$f$; Isabelle echoes the type using \verb|-->| because there is no
+explicit dependence upon~$f$.
+\begin{ttbox}
+val prems = Goal
+ "[| A type; !!x. x:A ==> B(x) type; \ttback
+\ttback !!z. z: (SUM x:A. B(x)) ==> C(z) type \ttback
+\ttback |] ==> ?a : PROD f: (PROD z : (SUM x:A . B(x)) . C(z)). \ttback
+\ttback (PROD x:A . PROD y:B(x) . C(<x,y>))";
+\ttbreak
+{\out Level 0}
+{\out ?a : (PROD z:SUM x:A. B(x). C(z)) -->}
+{\out (PROD x:A. PROD y:B(x). C(<x,y>))}
+{\out 1. ?a : (PROD z:SUM x:A. B(x). C(z)) -->}
+{\out (PROD x:A. PROD y:B(x). C(<x,y>))}
+\ttbreak
+{\out val prems = ["A type [A type]",}
+{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
+{\out "?z : SUM x:A. B(x) ==> C(?z) type}
+{\out [!!z. z : SUM x:A. B(x) ==> C(z) type]"] : thm list}
+\end{ttbox}
+This is a chance to demonstrate \ttindex{intr_tac}. Here, the tactic
+repeatedly applies $\Pi$-introduction and proves the rather
+tiresome typing conditions.
+
+Note that $\Var{a}$ becomes instantiated to three nested
+$\lambda$-abstractions. It would be easier to read if the bound variable
+names agreed with the parameters in the subgoal. Isabelle attempts to give
+parameters the same names as corresponding bound variables in the goal, but
+this does not always work. In any event, the goal is logically correct.
+\begin{ttbox}
+by (intr_tac prems);
+{\out Level 1}
+{\out lam x xa xb. ?b7(x,xa,xb)}
+{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
+{\out 1. !!f x y.}
+{\out [| f : PROD z:SUM x:A. B(x). C(z); x : A; y : B(x) |] ==>}
+{\out ?b7(f,x,y) : C(<x,y>)}
+\end{ttbox}
+Using $\Pi$-elimination, we solve subgoal~1 by applying the function~$f$.
+\index{*ProdE theorem}
+\begin{ttbox}
+by (eresolve_tac [ProdE] 1);
+{\out Level 2}
+{\out lam x xa xb. x ` <xa,xb>}
+{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
+{\out 1. !!f x y. [| x : A; y : B(x) |] ==> <x,y> : SUM x:A. B(x)}
+\end{ttbox}
+Finally, we verify that the argument's type is suitable for the function
+application. This is straightforward using introduction rules.
+\index{*intr_tac}
+\begin{ttbox}
+by (intr_tac prems);
+{\out Level 3}
+{\out lam x xa xb. x ` <xa,xb>}
+{\out : (PROD z:SUM x:A. B(x). C(z)) --> (PROD x:A. PROD y:B(x). C(<x,y>))}
+{\out No subgoals!}
+\end{ttbox}
+Calling~\ttindex{pc_tac} would have proved this theorem in one step; it can
+also prove an example by Martin-L\"of, related to $\disj$-elimination
+\cite[page~58]{martinlof84}.
+
+
+\section{Example: proving the Axiom of Choice} \label{ctt-choice}
+Suppose we have a function $h\in \prod@{x\in A}\sum@{y\in B(x)} C(x,y)$,
+which takes $x\in A$ to some $y\in B(x)$ paired with some $z\in C(x,y)$.
+Interpreting propositions as types, this asserts that for all $x\in A$
+there exists $y\in B(x)$ such that $C(x,y)$. The Axiom of Choice asserts
+that we can construct a function $f\in \prod@{x\in A}B(x)$ such that
+$C(x,f{\tt`}x)$ for all $x\in A$, where the latter property is witnessed by a
+function $g\in \prod@{x\in A}C(x,f{\tt`}x)$.
+
+In principle, the Axiom of Choice is simple to derive in Constructive Type
+Theory. The following definitions work:
+\begin{eqnarray*}
+ f & \equiv & {\tt fst} \circ h \\
+ g & \equiv & {\tt snd} \circ h
+\end{eqnarray*}
+But a completely formal proof is hard to find. The rules can be applied in
+countless ways, yielding many higher-order unifiers. The proof can get
+bogged down in the details. But with a careful selection of derived rules
+(recall Fig.\ts\ref{ctt-derived}) and the type-checking tactics, we can
+prove the theorem in nine steps.
+\begin{ttbox}
+val prems = Goal
+ "[| A type; !!x. x:A ==> B(x) type; \ttback
+\ttback !!x y.[| x:A; y:B(x) |] ==> C(x,y) type \ttback
+\ttback |] ==> ?a : PROD h: (PROD x:A. SUM y:B(x). C(x,y)). \ttback
+\ttback (SUM f: (PROD x:A. B(x)). PROD x:A. C(x, f`x))";
+{\out Level 0}
+{\out ?a : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+{\out 1. ?a : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out val prems = ["A type [A type]",}
+{\out "?x : A ==> B(?x) type [!!x. x : A ==> B(x) type]",}
+{\out "[| ?x : A; ?y : B(?x) |] ==> C(?x, ?y) type}
+{\out [!!x y. [| x : A; y : B(x) |] ==> C(x, y) type]"]}
+{\out : thm list}
+\end{ttbox}
+First, \ttindex{intr_tac} applies introduction rules and performs routine
+type-checking. This instantiates~$\Var{a}$ to a construction involving
+a $\lambda$-abstraction and an ordered pair. The pair's components are
+themselves $\lambda$-abstractions and there is a subgoal for each.
+\begin{ttbox}
+by (intr_tac prems);
+{\out Level 1}
+{\out lam x. <lam xa. ?b7(x,xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b7(h,x) : B(x)}
+\ttbreak
+{\out 2. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,(lam x. ?b7(h,x)) ` x)}
+\end{ttbox}
+Subgoal~1 asks to find the choice function itself, taking $x\in A$ to some
+$\Var{b@7}(h,x)\in B(x)$. Subgoal~2 asks, given $x\in A$, for a proof
+object $\Var{b@8}(h,x)$ to witness that the choice function's argument and
+result lie in the relation~$C$. This latter task will take up most of the
+proof.
+\index{*ProdE theorem}\index{*SumE_fst theorem}\index{*RS}
+\begin{ttbox}
+by (eresolve_tac [ProdE RS SumE_fst] 1);
+{\out Level 2}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x. x : A ==> x : A}
+{\out 2. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,(lam x. fst(h ` x)) ` x)}
+\end{ttbox}
+Above, we have composed {\tt fst} with the function~$h$. Unification
+has deduced that the function must be applied to $x\in A$. We have our
+choice function.
+\begin{ttbox}
+by (assume_tac 1);
+{\out Level 3}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,(lam x. fst(h ` x)) ` x)}
+\end{ttbox}
+Before we can compose {\tt snd} with~$h$, the arguments of $C$ must be
+simplified. The derived rule \tdx{replace_type} lets us replace a type
+by any equivalent type, shown below as the schematic term $\Var{A@{13}}(h,x)$:
+\begin{ttbox}
+by (resolve_tac [replace_type] 1);
+{\out Level 4}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out C(x,(lam x. fst(h ` x)) ` x) = ?A13(h,x)}
+\ttbreak
+{\out 2. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : ?A13(h,x)}
+\end{ttbox}
+The derived rule \tdx{subst_eqtyparg} lets us simplify a type's
+argument (by currying, $C(x)$ is a unary type operator):
+\begin{ttbox}
+by (resolve_tac [subst_eqtyparg] 1);
+{\out Level 5}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out (lam x. fst(h ` x)) ` x = ?c14(h,x) : ?A14(h,x)}
+\ttbreak
+{\out 2. !!h x z.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
+{\out z : ?A14(h,x) |] ==>}
+{\out C(x,z) type}
+\ttbreak
+{\out 3. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,?c14(h,x))}
+\end{ttbox}
+Subgoal~1 requires simply $\beta$-contraction, which is the rule
+\tdx{ProdC}. The term $\Var{c@{14}}(h,x)$ in the last subgoal
+receives the contracted result.
+\begin{ttbox}
+by (resolve_tac [ProdC] 1);
+{\out Level 6}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out x : ?A15(h,x)}
+\ttbreak
+{\out 2. !!h x xa.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
+{\out xa : ?A15(h,x) |] ==>}
+{\out fst(h ` xa) : ?B15(h,x,xa)}
+\ttbreak
+{\out 3. !!h x z.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A;}
+{\out z : ?B15(h,x,x) |] ==>}
+{\out C(x,z) type}
+\ttbreak
+{\out 4. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,fst(h ` x))}
+\end{ttbox}
+Routine type-checking goals proliferate in Constructive Type Theory, but
+\ttindex{typechk_tac} quickly solves them. Note the inclusion of
+\tdx{SumE_fst} along with the premises.
+\begin{ttbox}
+by (typechk_tac (SumE_fst::prems));
+{\out Level 7}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. ?b8(x,xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x.}
+{\out [| h : PROD x:A. SUM y:B(x). C(x,y); x : A |] ==>}
+{\out ?b8(h,x) : C(x,fst(h ` x))}
+\end{ttbox}
+We are finally ready to compose {\tt snd} with~$h$.
+\index{*ProdE theorem}\index{*SumE_snd theorem}\index{*RS}
+\begin{ttbox}
+by (eresolve_tac [ProdE RS SumE_snd] 1);
+{\out Level 8}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. snd(x ` xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+\ttbreak
+{\out 1. !!h x. x : A ==> x : A}
+{\out 2. !!h x. x : A ==> B(x) type}
+{\out 3. !!h x xa. [| x : A; xa : B(x) |] ==> C(x,xa) type}
+\end{ttbox}
+The proof object has reached its final form. We call \ttindex{typechk_tac}
+to finish the type-checking.
+\begin{ttbox}
+by (typechk_tac prems);
+{\out Level 9}
+{\out lam x. <lam xa. fst(x ` xa),lam xa. snd(x ` xa)>}
+{\out : (PROD x:A. SUM y:B(x). C(x,y)) -->}
+{\out (SUM f:PROD x:A. B(x). PROD x:A. C(x,f ` x))}
+{\out No subgoals!}
+\end{ttbox}
+It might be instructive to compare this proof with Martin-L\"of's forward
+proof of the Axiom of Choice \cite[page~50]{martinlof84}.
+
+\index{Constructive Type Theory|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/LK.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,711 @@
+\chapter{First-Order Sequent Calculus}
+\index{sequent calculus|(}
+
+The theory~\thydx{LK} implements classical first-order logic through Gentzen's
+sequent calculus (see Gallier~\cite{gallier86} or Takeuti~\cite{takeuti87}).
+Resembling the method of semantic tableaux, the calculus is well suited for
+backwards proof. Assertions have the form \(\Gamma\turn \Delta\), where
+\(\Gamma\) and \(\Delta\) are lists of formulae. Associative unification,
+simulated by higher-order unification, handles lists
+(\S\ref{sec:assoc-unification} presents details, if you are interested).
+
+The logic is many-sorted, using Isabelle's type classes. The class of
+first-order terms is called \cldx{term}. No types of individuals are
+provided, but extensions can define types such as {\tt nat::term} and type
+constructors such as {\tt list::(term)term}. Below, the type variable
+$\alpha$ ranges over class {\tt term}; the equality symbol and quantifiers
+are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
+belongs to class {\tt logic}.
+
+LK implements a classical logic theorem prover that is nearly as powerful as
+the generic classical reasoner. The simplifier is now available too.
+
+To work in LK, start up Isabelle specifying \texttt{Sequents} as the
+object-logic. Once in Isabelle, change the context to theory \texttt{LK.thy}:
+\begin{ttbox}
+isabelle Sequents
+context LK.thy;
+\end{ttbox}
+Modal logic and linear logic are also available, but unfortunately they are
+not documented.
+
+
+\begin{figure}
+\begin{center}
+\begin{tabular}{rrr}
+ \it name &\it meta-type & \it description \\
+ \cdx{Trueprop}& $[sobj\To sobj, sobj\To sobj]\To prop$ & coercion to $prop$\\
+ \cdx{Seqof} & $[o,sobj]\To sobj$ & singleton sequence \\
+ \cdx{Not} & $o\To o$ & negation ($\neg$) \\
+ \cdx{True} & $o$ & tautology ($\top$) \\
+ \cdx{False} & $o$ & absurdity ($\bot$)
+\end{tabular}
+\end{center}
+\subcaption{Constants}
+
+\begin{center}
+\begin{tabular}{llrrr}
+ \it symbol &\it name &\it meta-type & \it priority & \it description \\
+ \sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
+ universal quantifier ($\forall$) \\
+ \sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
+ existential quantifier ($\exists$) \\
+ \sdx{THE} & \cdx{The} & $(\alpha\To o)\To \alpha$ & 10 &
+ definite description ($\iota$)
+\end{tabular}
+\end{center}
+\subcaption{Binders}
+
+\begin{center}
+\index{*"= symbol}
+\index{&@{\tt\&} symbol}
+\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
+\index{*"-"-"> symbol}
+\index{*"<"-"> symbol}
+\begin{tabular}{rrrr}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
+ \tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
+ \tt | & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
+ \tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
+ \tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
+\end{tabular}
+\end{center}
+\subcaption{Infixes}
+
+\begin{center}
+\begin{tabular}{rrr}
+ \it external & \it internal & \it description \\
+ \tt $\Gamma$ |- $\Delta$ & \tt Trueprop($\Gamma$, $\Delta$) &
+ sequent $\Gamma\turn \Delta$
+\end{tabular}
+\end{center}
+\subcaption{Translations}
+\caption{Syntax of {\tt LK}} \label{lk-syntax}
+\end{figure}
+
+
+\begin{figure}
+\dquotes
+\[\begin{array}{rcl}
+ prop & = & sequence " |- " sequence
+\\[2ex]
+sequence & = & elem \quad (", " elem)^* \\
+ & | & empty
+\\[2ex]
+ elem & = & "\$ " term \\
+ & | & formula \\
+ & | & "<<" sequence ">>"
+\\[2ex]
+ formula & = & \hbox{expression of type~$o$} \\
+ & | & term " = " term \\
+ & | & "\ttilde\ " formula \\
+ & | & formula " \& " formula \\
+ & | & formula " | " formula \\
+ & | & formula " --> " formula \\
+ & | & formula " <-> " formula \\
+ & | & "ALL~" id~id^* " . " formula \\
+ & | & "EX~~" id~id^* " . " formula \\
+ & | & "THE~" id~ " . " formula
+ \end{array}
+\]
+\caption{Grammar of {\tt LK}} \label{lk-grammar}
+\end{figure}
+
+
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{basic} $H, P, $G |- $E, P, $F
+
+\tdx{contRS} $H |- $E, $S, $S, $F ==> $H |- $E, $S, $F
+\tdx{contLS} $H, $S, $S, $G |- $E ==> $H, $S, $G |- $E
+
+\tdx{thinRS} $H |- $E, $F ==> $H |- $E, $S, $F
+\tdx{thinLS} $H, $G |- $E ==> $H, $S, $G |- $E
+
+\tdx{cut} [| $H |- $E, P; $H, P |- $E |] ==> $H |- $E
+\subcaption{Structural rules}
+
+\tdx{refl} $H |- $E, a=a, $F
+\tdx{subst} $H(a), $G(a) |- $E(a) ==> $H(b), a=b, $G(b) |- $E(b)
+\subcaption{Equality rules}
+\end{ttbox}
+
+\caption{Basic Rules of {\tt LK}} \label{lk-basic-rules}
+\end{figure}
+
+\begin{figure}
+\begin{ttbox}
+\tdx{True_def} True == False-->False
+\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
+
+\tdx{conjR} [| $H|- $E, P, $F; $H|- $E, Q, $F |] ==> $H|- $E, P&Q, $F
+\tdx{conjL} $H, P, Q, $G |- $E ==> $H, P & Q, $G |- $E
+
+\tdx{disjR} $H |- $E, P, Q, $F ==> $H |- $E, P|Q, $F
+\tdx{disjL} [| $H, P, $G |- $E; $H, Q, $G |- $E |] ==> $H, P|Q, $G |- $E
+
+\tdx{impR} $H, P |- $E, Q, $F ==> $H |- $E, P-->Q, $F
+\tdx{impL} [| $H,$G |- $E,P; $H, Q, $G |- $E |] ==> $H, P-->Q, $G |- $E
+
+\tdx{notR} $H, P |- $E, $F ==> $H |- $E, ~P, $F
+\tdx{notL} $H, $G |- $E, P ==> $H, ~P, $G |- $E
+
+\tdx{FalseL} $H, False, $G |- $E
+
+\tdx{allR} (!!x. $H|- $E, P(x), $F) ==> $H|- $E, ALL x. P(x), $F
+\tdx{allL} $H, P(x), $G, ALL x. P(x) |- $E ==> $H, ALL x. P(x), $G|- $E
+
+\tdx{exR} $H|- $E, P(x), $F, EX x. P(x) ==> $H|- $E, EX x. P(x), $F
+\tdx{exL} (!!x. $H, P(x), $G|- $E) ==> $H, EX x. P(x), $G|- $E
+
+\tdx{The} [| $H |- $E, P(a), $F; !!x. $H, P(x) |- $E, x=a, $F |] ==>
+ $H |- $E, P(THE x. P(x)), $F
+\subcaption{Logical rules}
+\end{ttbox}
+
+\caption{Rules of {\tt LK}} \label{lk-rules}
+\end{figure}
+
+
+\section{Syntax and rules of inference}
+\index{*sobj type}
+
+Figure~\ref{lk-syntax} gives the syntax for {\tt LK}, which is complicated
+by the representation of sequents. Type $sobj\To sobj$ represents a list
+of formulae.
+
+The \textbf{definite description} operator~$\iota x. P[x]$ stands for some~$a$
+satisfying~$P[a]$, if one exists and is unique. Since all terms in LK denote
+something, a description is always meaningful, but we do not know its value
+unless $P[x]$ defines it uniquely. The Isabelle notation is \hbox{\tt THE
+ $x$.\ $P[x]$}. The corresponding rule (Fig.\ts\ref{lk-rules}) does not
+entail the Axiom of Choice because it requires uniqueness.
+
+Conditional expressions are available with the notation
+\[ \dquotes
+ "if"~formula~"then"~term~"else"~term. \]
+
+Figure~\ref{lk-grammar} presents the grammar of LK. Traditionally,
+\(\Gamma\) and \(\Delta\) are meta-variables for sequences. In Isabelle's
+notation, the prefix~\verb|$| on a term makes it range over sequences.
+In a sequent, anything not prefixed by \verb|$| is taken as a formula.
+
+The notation \texttt{<<$sequence$>>} stands for a sequence of formul\ae{}.
+For example, you can declare the constant \texttt{imps} to consist of two
+implications:
+\begin{ttbox}
+consts P,Q,R :: o
+constdefs imps :: seq'=>seq'
+ "imps == <<P --> Q, Q --> R>>"
+\end{ttbox}
+Then you can use it in axioms and goals, for example
+\begin{ttbox}
+Goalw [imps_def] "P, $imps |- R";
+{\out Level 0}
+{\out P, $imps |- R}
+{\out 1. P, P --> Q, Q --> R |- R}
+by (Fast_tac 1);
+{\out Level 1}
+{\out P, $imps |- R}
+{\out No subgoals!}
+\end{ttbox}
+
+Figures~\ref{lk-basic-rules} and~\ref{lk-rules} present the rules of theory
+\thydx{LK}. The connective $\bimp$ is defined using $\conj$ and $\imp$. The
+axiom for basic sequents is expressed in a form that provides automatic
+thinning: redundant formulae are simply ignored. The other rules are
+expressed in the form most suitable for backward proof; exchange and
+contraction rules are not normally required, although they are provided
+anyway.
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{thinR} $H |- $E, $F ==> $H |- $E, P, $F
+\tdx{thinL} $H, $G |- $E ==> $H, P, $G |- $E
+
+\tdx{contR} $H |- $E, P, P, $F ==> $H |- $E, P, $F
+\tdx{contL} $H, P, P, $G |- $E ==> $H, P, $G |- $E
+
+\tdx{symR} $H |- $E, $F, a=b ==> $H |- $E, b=a, $F
+\tdx{symL} $H, $G, b=a |- $E ==> $H, a=b, $G |- $E
+
+\tdx{transR} [| $H|- $E, $F, a=b; $H|- $E, $F, b=c |]
+ ==> $H|- $E, a=c, $F
+
+\tdx{TrueR} $H |- $E, True, $F
+
+\tdx{iffR} [| $H, P |- $E, Q, $F; $H, Q |- $E, P, $F |]
+ ==> $H |- $E, P<->Q, $F
+
+\tdx{iffL} [| $H, $G |- $E, P, Q; $H, Q, P, $G |- $E |]
+ ==> $H, P<->Q, $G |- $E
+
+\tdx{allL_thin} $H, P(x), $G |- $E ==> $H, ALL x. P(x), $G |- $E
+\tdx{exR_thin} $H |- $E, P(x), $F ==> $H |- $E, EX x. P(x), $F
+
+\tdx{the_equality} [| $H |- $E, P(a), $F;
+ !!x. $H, P(x) |- $E, x=a, $F |]
+ ==> $H |- $E, (THE x. P(x)) = a, $F
+\end{ttbox}
+
+\caption{Derived rules for {\tt LK}} \label{lk-derived}
+\end{figure}
+
+Figure~\ref{lk-derived} presents derived rules, including rules for
+$\bimp$. The weakened quantifier rules discard each quantification after a
+single use; in an automatic proof procedure, they guarantee termination,
+but are incomplete. Multiple use of a quantifier can be obtained by a
+contraction rule, which in backward proof duplicates a formula. The tactic
+{\tt res_inst_tac} can instantiate the variable~{\tt?P} in these rules,
+specifying the formula to duplicate.
+See theory {\tt Sequents/LK0} in the sources for complete listings of
+the rules and derived rules.
+
+To support the simplifier, hundreds of equivalences are proved for
+the logical connectives and for if-then-else expressions. See the file
+\texttt{Sequents/simpdata.ML}.
+
+\section{Automatic Proof}
+
+LK instantiates Isabelle's simplifier. Both equality ($=$) and the
+biconditional ($\bimp$) may be used for rewriting. The tactic
+\texttt{Simp_tac} refers to the default simpset (\texttt{simpset()}). With
+sequents, the \texttt{full_} and \texttt{asm_} forms of the simplifier are not
+required; all the formulae{} in the sequent will be simplified. The left-hand
+formulae{} are taken as rewrite rules. (Thus, the behaviour is what you would
+normally expect from calling \texttt{Asm_full_simp_tac}.)
+
+For classical reasoning, several tactics are available:
+\begin{ttbox}
+Safe_tac : int -> tactic
+Step_tac : int -> tactic
+Fast_tac : int -> tactic
+Best_tac : int -> tactic
+Pc_tac : int -> tactic
+\end{ttbox}
+These refer not to the standard classical reasoner but to a separate one
+provided for the sequent calculus. Two commands are available for adding new
+sequent calculus rules, safe or unsafe, to the default ``theorem pack'':
+\begin{ttbox}
+Add_safes : thm list -> unit
+Add_unsafes : thm list -> unit
+\end{ttbox}
+To control the set of rules for individual invocations, lower-case versions of
+all these primitives are available. Sections~\ref{sec:thm-pack}
+and~\ref{sec:sequent-provers} give full details.
+
+
+\section{Tactics for the cut rule}
+
+According to the cut-elimination theorem, the cut rule can be eliminated
+from proofs of sequents. But the rule is still essential. It can be used
+to structure a proof into lemmas, avoiding repeated proofs of the same
+formula. More importantly, the cut rule cannot be eliminated from
+derivations of rules. For example, there is a trivial cut-free proof of
+the sequent \(P\conj Q\turn Q\conj P\).
+Noting this, we might want to derive a rule for swapping the conjuncts
+in a right-hand formula:
+\[ \Gamma\turn \Delta, P\conj Q\over \Gamma\turn \Delta, Q\conj P \]
+The cut rule must be used, for $P\conj Q$ is not a subformula of $Q\conj
+P$. Most cuts directly involve a premise of the rule being derived (a
+meta-assumption). In a few cases, the cut formula is not part of any
+premise, but serves as a bridge between the premises and the conclusion.
+In such proofs, the cut formula is specified by calling an appropriate
+tactic.
+
+\begin{ttbox}
+cutR_tac : string -> int -> tactic
+cutL_tac : string -> int -> tactic
+\end{ttbox}
+These tactics refine a subgoal into two by applying the cut rule. The cut
+formula is given as a string, and replaces some other formula in the sequent.
+\begin{ttdescription}
+\item[\ttindexbold{cutR_tac} {\it P\/} {\it i}] reads an LK formula~$P$, and
+ applies the cut rule to subgoal~$i$. It then deletes some formula from the
+ right side of subgoal~$i$, replacing that formula by~$P$.
+
+\item[\ttindexbold{cutL_tac} {\it P\/} {\it i}] reads an LK formula~$P$, and
+ applies the cut rule to subgoal~$i$. It then deletes some formula from the
+ left side of the new subgoal $i+1$, replacing that formula by~$P$.
+\end{ttdescription}
+All the structural rules --- cut, contraction, and thinning --- can be
+applied to particular formulae using {\tt res_inst_tac}.
+
+
+\section{Tactics for sequents}
+\begin{ttbox}
+forms_of_seq : term -> term list
+could_res : term * term -> bool
+could_resolve_seq : term * term -> bool
+filseq_resolve_tac : thm list -> int -> int -> tactic
+\end{ttbox}
+Associative unification is not as efficient as it might be, in part because
+the representation of lists defeats some of Isabelle's internal
+optimisations. The following operations implement faster rule application,
+and may have other uses.
+\begin{ttdescription}
+\item[\ttindexbold{forms_of_seq} {\it t}]
+returns the list of all formulae in the sequent~$t$, removing sequence
+variables.
+
+\item[\ttindexbold{could_res} ($t$,$u$)]
+tests whether two formula lists could be resolved. List $t$ is from a
+premise or subgoal, while $u$ is from the conclusion of an object-rule.
+Assuming that each formula in $u$ is surrounded by sequence variables, it
+checks that each conclusion formula is unifiable (using {\tt could_unify})
+with some subgoal formula.
+
+\item[\ttindexbold{could_resolve_seq} ($t$,$u$)]
+ tests whether two sequents could be resolved. Sequent $t$ is a premise
+ or subgoal, while $u$ is the conclusion of an object-rule. It simply
+ calls {\tt could_res} twice to check that both the left and the right
+ sides of the sequents are compatible.
+
+\item[\ttindexbold{filseq_resolve_tac} {\it thms} {\it maxr} {\it i}]
+uses {\tt filter_thms could_resolve} to extract the {\it thms} that are
+applicable to subgoal~$i$. If more than {\it maxr\/} theorems are
+applicable then the tactic fails. Otherwise it calls {\tt resolve_tac}.
+Thus, it is the sequent calculus analogue of \ttindex{filt_resolve_tac}.
+\end{ttdescription}
+
+
+\section{A simple example of classical reasoning}
+The theorem $\turn\ex{y}\all{x}P(y)\imp P(x)$ is a standard example of the
+classical treatment of the existential quantifier. Classical reasoning is
+easy using~LK, as you can see by comparing this proof with the one given in
+the FOL manual~\cite{isabelle-ZF}. From a logical point of view, the proofs
+are essentially the same; the key step here is to use \tdx{exR} rather than
+the weaker~\tdx{exR_thin}.
+\begin{ttbox}
+Goal "|- EX y. ALL x. P(y)-->P(x)";
+{\out Level 0}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. |- EX y. ALL x. P(y) --> P(x)}
+by (resolve_tac [exR] 1);
+{\out Level 1}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. |- ALL x. P(?x) --> P(x), EX x. ALL xa. P(x) --> P(xa)}
+\end{ttbox}
+There are now two formulae on the right side. Keeping the existential one
+in reserve, we break down the universal one.
+\begin{ttbox}
+by (resolve_tac [allR] 1);
+{\out Level 2}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. !!x. |- P(?x) --> P(x), EX x. ALL xa. P(x) --> P(xa)}
+by (resolve_tac [impR] 1);
+{\out Level 3}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. !!x. P(?x) |- P(x), EX x. ALL xa. P(x) --> P(xa)}
+\end{ttbox}
+Because LK is a sequent calculus, the formula~$P(\Var{x})$ does not become an
+assumption; instead, it moves to the left side. The resulting subgoal cannot
+be instantiated to a basic sequent: the bound variable~$x$ is not unifiable
+with the unknown~$\Var{x}$.
+\begin{ttbox}
+by (resolve_tac [basic] 1);
+{\out by: tactic failed}
+\end{ttbox}
+We reuse the existential formula using~\tdx{exR_thin}, which discards
+it; we shall not need it a third time. We again break down the resulting
+formula.
+\begin{ttbox}
+by (resolve_tac [exR_thin] 1);
+{\out Level 4}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. !!x. P(?x) |- P(x), ALL xa. P(?x7(x)) --> P(xa)}
+by (resolve_tac [allR] 1);
+{\out Level 5}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. !!x xa. P(?x) |- P(x), P(?x7(x)) --> P(xa)}
+by (resolve_tac [impR] 1);
+{\out Level 6}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. !!x xa. P(?x), P(?x7(x)) |- P(x), P(xa)}
+\end{ttbox}
+Subgoal~1 seems to offer lots of possibilities. Actually the only useful
+step is instantiating~$\Var{x@7}$ to $\lambda x. x$,
+transforming~$\Var{x@7}(x)$ into~$x$.
+\begin{ttbox}
+by (resolve_tac [basic] 1);
+{\out Level 7}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out No subgoals!}
+\end{ttbox}
+This theorem can be proved automatically. Because it involves quantifier
+duplication, we employ best-first search:
+\begin{ttbox}
+Goal "|- EX y. ALL x. P(y)-->P(x)";
+{\out Level 0}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out 1. |- EX y. ALL x. P(y) --> P(x)}
+by (best_tac LK_dup_pack 1);
+{\out Level 1}
+{\out |- EX y. ALL x. P(y) --> P(x)}
+{\out No subgoals!}
+\end{ttbox}
+
+
+
+\section{A more complex proof}
+Many of Pelletier's test problems for theorem provers \cite{pelletier86}
+can be solved automatically. Problem~39 concerns set theory, asserting
+that there is no Russell set --- a set consisting of those sets that are
+not members of themselves:
+\[ \turn \neg (\exists x. \forall y. y\in x \bimp y\not\in y) \]
+This does not require special properties of membership; we may generalize
+$x\in y$ to an arbitrary predicate~$F(x,y)$. The theorem, which is trivial
+for \texttt{Fast_tac}, has a short manual proof. See the directory {\tt
+ Sequents/LK} for many more examples.
+
+We set the main goal and move the negated formula to the left.
+\begin{ttbox}
+Goal "|- ~ (EX x. ALL y. F(y,x) <-> ~F(y,y))";
+{\out Level 0}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+by (resolve_tac [notR] 1);
+{\out Level 1}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. EX x. ALL y. F(y,x) <-> ~ F(y,y) |-}
+\end{ttbox}
+The right side is empty; we strip both quantifiers from the formula on the
+left.
+\begin{ttbox}
+by (resolve_tac [exL] 1);
+{\out Level 2}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. ALL y. F(y,x) <-> ~ F(y,y) |-}
+by (resolve_tac [allL_thin] 1);
+{\out Level 3}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. F(?x2(x),x) <-> ~ F(?x2(x),?x2(x)) |-}
+\end{ttbox}
+The rule \tdx{iffL} says, if $P\bimp Q$ then $P$ and~$Q$ are either
+both true or both false. It yields two subgoals.
+\begin{ttbox}
+by (resolve_tac [iffL] 1);
+{\out Level 4}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. |- F(?x2(x),x), ~ F(?x2(x),?x2(x))}
+{\out 2. !!x. ~ F(?x2(x),?x2(x)), F(?x2(x),x) |-}
+\end{ttbox}
+We must instantiate~$\Var{x@2}$, the shared unknown, to satisfy both
+subgoals. Beginning with subgoal~2, we move a negated formula to the left
+and create a basic sequent.
+\begin{ttbox}
+by (resolve_tac [notL] 2);
+{\out Level 5}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. |- F(?x2(x),x), ~ F(?x2(x),?x2(x))}
+{\out 2. !!x. F(?x2(x),x) |- F(?x2(x),?x2(x))}
+by (resolve_tac [basic] 2);
+{\out Level 6}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. |- F(x,x), ~ F(x,x)}
+\end{ttbox}
+Thanks to the instantiation of~$\Var{x@2}$, subgoal~1 is obviously true.
+\begin{ttbox}
+by (resolve_tac [notR] 1);
+{\out Level 7}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out 1. !!x. F(x,x) |- F(x,x)}
+by (resolve_tac [basic] 1);
+{\out Level 8}
+{\out |- ~ (EX x. ALL y. F(y,x) <-> ~ F(y,y))}
+{\out No subgoals!}
+\end{ttbox}
+
+\section{*Unification for lists}\label{sec:assoc-unification}
+
+Higher-order unification includes associative unification as a special
+case, by an encoding that involves function composition
+\cite[page~37]{huet78}. To represent lists, let $C$ be a new constant.
+The empty list is $\lambda x. x$, while $[t@1,t@2,\ldots,t@n]$ is
+represented by
+\[ \lambda x. C(t@1,C(t@2,\ldots,C(t@n,x))). \]
+The unifiers of this with $\lambda x.\Var{f}(\Var{g}(x))$ give all the ways
+of expressing $[t@1,t@2,\ldots,t@n]$ as the concatenation of two lists.
+
+Unlike orthodox associative unification, this technique can represent certain
+infinite sets of unifiers by flex-flex equations. But note that the term
+$\lambda x. C(t,\Var{a})$ does not represent any list. Flex-flex constraints
+containing such garbage terms may accumulate during a proof.
+\index{flex-flex constraints}
+
+This technique lets Isabelle formalize sequent calculus rules,
+where the comma is the associative operator:
+\[ \infer[(\conj\hbox{-left})]
+ {\Gamma,P\conj Q,\Delta \turn \Theta}
+ {\Gamma,P,Q,\Delta \turn \Theta} \]
+Multiple unifiers occur whenever this is resolved against a goal containing
+more than one conjunction on the left.
+
+LK exploits this representation of lists. As an alternative, the sequent
+calculus can be formalized using an ordinary representation of lists, with a
+logic program for removing a formula from a list. Amy Felty has applied this
+technique using the language $\lambda$Prolog~\cite{felty91a}.
+
+Explicit formalization of sequents can be tiresome. But it gives precise
+control over contraction and weakening, and is essential to handle relevant
+and linear logics.
+
+
+\section{*Packaging sequent rules}\label{sec:thm-pack}
+
+The sequent calculi come with simple proof procedures. These are incomplete
+but are reasonably powerful for interactive use. They expect rules to be
+classified as \textbf{safe} or \textbf{unsafe}. A rule is safe if applying it to a
+provable goal always yields provable subgoals. If a rule is safe then it can
+be applied automatically to a goal without destroying our chances of finding a
+proof. For instance, all the standard rules of the classical sequent calculus
+{\sc lk} are safe. An unsafe rule may render the goal unprovable; typical
+examples are the weakened quantifier rules {\tt allL_thin} and {\tt exR_thin}.
+
+Proof procedures use safe rules whenever possible, using an unsafe rule as a
+last resort. Those safe rules are preferred that generate the fewest
+subgoals. Safe rules are (by definition) deterministic, while the unsafe
+rules require a search strategy, such as backtracking.
+
+A \textbf{pack} is a pair whose first component is a list of safe rules and
+whose second is a list of unsafe rules. Packs can be extended in an obvious
+way to allow reasoning with various collections of rules. For clarity, LK
+declares \mltydx{pack} as an \ML{} datatype, although is essentially a type
+synonym:
+\begin{ttbox}
+datatype pack = Pack of thm list * thm list;
+\end{ttbox}
+Pattern-matching using constructor {\tt Pack} can inspect a pack's
+contents. Packs support the following operations:
+\begin{ttbox}
+pack : unit -> pack
+pack_of : theory -> pack
+empty_pack : pack
+prop_pack : pack
+LK_pack : pack
+LK_dup_pack : pack
+add_safes : pack * thm list -> pack \hfill\textbf{infix 4}
+add_unsafes : pack * thm list -> pack \hfill\textbf{infix 4}
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{pack}] returns the pack attached to the current theory.
+
+\item[\ttindexbold{pack_of $thy$}] returns the pack attached to theory $thy$.
+
+\item[\ttindexbold{empty_pack}] is the empty pack.
+
+\item[\ttindexbold{prop_pack}] contains the propositional rules, namely
+those for $\conj$, $\disj$, $\neg$, $\imp$ and~$\bimp$, along with the
+rules {\tt basic} and {\tt refl}. These are all safe.
+
+\item[\ttindexbold{LK_pack}]
+extends {\tt prop_pack} with the safe rules {\tt allR}
+and~{\tt exL} and the unsafe rules {\tt allL_thin} and
+{\tt exR_thin}. Search using this is incomplete since quantified
+formulae are used at most once.
+
+\item[\ttindexbold{LK_dup_pack}]
+extends {\tt prop_pack} with the safe rules {\tt allR}
+and~{\tt exL} and the unsafe rules \tdx{allL} and~\tdx{exR}.
+Search using this is complete, since quantified formulae may be reused, but
+frequently fails to terminate. It is generally unsuitable for depth-first
+search.
+
+\item[$pack$ \ttindexbold{add_safes} $rules$]
+adds some safe~$rules$ to the pack~$pack$.
+
+\item[$pack$ \ttindexbold{add_unsafes} $rules$]
+adds some unsafe~$rules$ to the pack~$pack$.
+\end{ttdescription}
+
+
+\section{*Proof procedures}\label{sec:sequent-provers}
+
+The LK proof procedure is similar to the classical reasoner described in
+\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
+ {Chap.\ts\ref{chap:classical}}.
+%
+In fact it is simpler, since it works directly with sequents rather than
+simulating them. There is no need to distinguish introduction rules from
+elimination rules, and of course there is no swap rule. As always,
+Isabelle's classical proof procedures are less powerful than resolution
+theorem provers. But they are more natural and flexible, working with an
+open-ended set of rules.
+
+Backtracking over the choice of a safe rule accomplishes nothing: applying
+them in any order leads to essentially the same result. Backtracking may
+be necessary over basic sequents when they perform unification. Suppose
+that~0, 1, 2,~3 are constants in the subgoals
+\[ \begin{array}{c}
+ P(0), P(1), P(2) \turn P(\Var{a}) \\
+ P(0), P(2), P(3) \turn P(\Var{a}) \\
+ P(1), P(3), P(2) \turn P(\Var{a})
+ \end{array}
+\]
+The only assignment that satisfies all three subgoals is $\Var{a}\mapsto 2$,
+and this can only be discovered by search. The tactics given below permit
+backtracking only over axioms, such as {\tt basic} and {\tt refl};
+otherwise they are deterministic.
+
+
+\subsection{Method A}
+\begin{ttbox}
+reresolve_tac : thm list -> int -> tactic
+repeat_goal_tac : pack -> int -> tactic
+pc_tac : pack -> int -> tactic
+\end{ttbox}
+These tactics use a method developed by Philippe de Groote. A subgoal is
+refined and the resulting subgoals are attempted in reverse order. For
+some reason, this is much faster than attempting the subgoals in order.
+The method is inherently depth-first.
+
+At present, these tactics only work for rules that have no more than two
+premises. They fail --- return no next state --- if they can do nothing.
+\begin{ttdescription}
+\item[\ttindexbold{reresolve_tac} $thms$ $i$]
+repeatedly applies the $thms$ to subgoal $i$ and the resulting subgoals.
+
+\item[\ttindexbold{repeat_goal_tac} $pack$ $i$]
+applies the safe rules in the pack to a goal and the resulting subgoals.
+If no safe rule is applicable then it applies an unsafe rule and continues.
+
+\item[\ttindexbold{pc_tac} $pack$ $i$]
+applies {\tt repeat_goal_tac} using depth-first search to solve subgoal~$i$.
+\end{ttdescription}
+
+
+\subsection{Method B}
+\begin{ttbox}
+safe_tac : pack -> int -> tactic
+step_tac : pack -> int -> tactic
+fast_tac : pack -> int -> tactic
+best_tac : pack -> int -> tactic
+\end{ttbox}
+These tactics are analogous to those of the generic classical
+reasoner. They use `Method~A' only on safe rules. They fail if they
+can do nothing.
+\begin{ttdescription}
+\item[\ttindexbold{safe_goal_tac} $pack$ $i$]
+applies the safe rules in the pack to a goal and the resulting subgoals.
+It ignores the unsafe rules.
+
+\item[\ttindexbold{step_tac} $pack$ $i$]
+either applies safe rules (using {\tt safe_goal_tac}) or applies one unsafe
+rule.
+
+\item[\ttindexbold{fast_tac} $pack$ $i$]
+applies {\tt step_tac} using depth-first search to solve subgoal~$i$.
+Despite its name, it is frequently slower than {\tt pc_tac}.
+
+\item[\ttindexbold{best_tac} $pack$ $i$]
+applies {\tt step_tac} using best-first search to solve subgoal~$i$. It is
+particularly useful for quantifier duplication (using \ttindex{LK_dup_pack}).
+\end{ttdescription}
+
+
+
+\index{sequent calculus|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/Sequents.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,200 @@
+\chapter{Defining A Sequent-Based Logic}
+\label{chap:sequents}
+
+\underscoreon %this file contains the @ character
+
+The Isabelle theory \texttt{Sequents.thy} provides facilities for using
+sequent notation in users' object logics. This theory allows users to
+easily interface the surface syntax of sequences with an underlying
+representation suitable for higher-order unification.
+
+\section{Concrete syntax of sequences}
+
+Mathematicians and logicians have used sequences in an informal way
+much before proof systems such as Isabelle were created. It seems
+sensible to allow people using Isabelle to express sequents and
+perform proofs in this same informal way, and without requiring the
+theory developer to spend a lot of time in \ML{} programming.
+
+By using {\tt Sequents.thy}
+appropriately, a logic developer can allow users to refer to sequences
+in several ways:
+%
+\begin{itemize}
+\item A sequence variable is any alphanumeric string with the first
+ character being a \verb%$% sign.
+So, consider the sequent \verb%$A |- B%, where \verb%$A%
+is intended to match a sequence of zero or more items.
+
+\item A sequence with unspecified sub-sequences and unspecified or
+individual items is written as a comma-separated list of regular
+variables (representing items), particular items, and
+sequence variables, as in
+\begin{ttbox}
+$A, B, C, $D(x) |- E
+\end{ttbox}
+Here both \verb%$A% and \verb%$D(x)%
+are allowed to match any subsequences of items on either side of the
+two items that match $B$ and $C$. Moreover, the sequence matching
+\verb%$D(x)% may contain occurrences of~$x$.
+
+\item An empty sequence can be represented by a blank space, as in
+\verb? |- true?.
+\end{itemize}
+
+These syntactic constructs need to be assimilated into the object
+theory being developed. The type that we use for these visible objects
+is given the name {\tt seq}.
+A {\tt seq} is created either by the empty space, a {\tt seqobj} or a
+{\tt seqobj} followed by a {\tt seq}, with a comma between them. A
+{\tt seqobj} is either an item or a variable representing a
+sequence. Thus, a theory designer can specify a function that takes
+two sequences and returns a meta-level proposition by giving it the
+Isabelle type \verb|[seq, seq] => prop|.
+
+This is all part of the concrete syntax, but one may wish to
+exploit Isabelle's higher-order abstract syntax by actually having a
+different, more powerful {\em internal} syntax.
+
+
+
+\section{ Basis}
+
+One could opt to represent sequences as first-order objects (such as
+simple lists), but this would not allow us to use many facilities
+Isabelle provides for matching. By using a slightly more complex
+representation, users of the logic can reap many benefits in
+facilities for proofs and ease of reading logical terms.
+
+A sequence can be represented as a function --- a constructor for
+further sequences --- by defining a binary {\em abstract} function
+\verb|Seq0'| with type \verb|[o,seq']=>seq'|, and translating a
+sequence such as \verb|A, B, C| into
+\begin{ttbox}
+\%s. Seq0'(A, SeqO'(B, SeqO'(C, s)))
+\end{ttbox}
+This sequence can therefore be seen as a constructor
+for further sequences. The constructor \verb|Seq0'| is never given a
+value, and therefore it is not possible to evaluate this expression
+into a basic value.
+
+Furthermore, if we want to represent the sequence \verb|A, $B, C|,
+we note that \verb|$B| already represents a sequence, so we can use
+\verb|B| itself to refer to the function, and therefore the sequence
+can be mapped to the internal form:
+\verb|%s. SeqO'(A, B(SeqO'(C, s)))|.
+
+So, while we wish to continue with the standard, well-liked {\em
+external} representation of sequences, we can represent them {\em
+internally} as functions of type \verb|seq'=>seq'|.
+
+
+\section{Object logics}
+
+Recall that object logics are defined by mapping elements of
+particular types to the Isabelle type \verb|prop|, usually with a
+function called {\tt Trueprop}. So, an object
+logic proposition {\tt P} is matched to the Isabelle proposition
+{\tt Trueprop(P)}\@. The name of the function is often hidden, so the
+user just sees {\tt P}\@. Isabelle is eager to make types match, so it
+inserts {\tt Trueprop} automatically when an object of type {\tt prop}
+is expected. This mechanism can be observed in most of the object
+logics which are direct descendants of {\tt Pure}.
+
+In order to provide the desired syntactic facilities for sequent
+calculi, rather than use just one function that maps object-level
+propositions to meta-level propositions, we use two functions, and
+separate internal from the external representation.
+
+These functions need to be given a type that is appropriate for the particular
+form of sequents required: single or multiple conclusions. So
+multiple-conclusion sequents (used in the LK logic) can be
+specified by the following two definitions, which are lifted from the inbuilt
+{\tt Sequents/LK.thy}:
+\begin{ttbox}
+ Trueprop :: two_seqi
+ "@Trueprop" :: two_seqe ("((_)/ |- (_))" [6,6] 5)
+\end{ttbox}
+%
+where the types used are defined in {\tt Sequents.thy} as
+abbreviations:
+\begin{ttbox}
+ two_seqi = [seq'=>seq', seq'=>seq'] => prop
+ two_seqe = [seq, seq] => prop
+\end{ttbox}
+
+The next step is to actually create links into the low-level parsing
+and pretty-printing mechanisms, which map external and internal
+representations. These functions go below the user level and capture
+the underlying structure of Isabelle terms in \ML{}\@. Fortunately the
+theory developer need not delve in this level; {\tt Sequents.thy}
+provides the necessary facilities. All the theory developer needs to
+add in the \ML{} section is a specification of the two translation
+functions:
+\begin{ttbox}
+ML
+val parse_translation = [("@Trueprop",Sequents.two_seq_tr "Trueprop")];
+val print_translation = [("Trueprop",Sequents.two_seq_tr' "@Trueprop")];
+\end{ttbox}
+
+In summary: in the logic theory being developed, the developer needs
+to specify the types for the internal and external representation of
+the sequences, and use the appropriate parsing and pretty-printing
+functions.
+
+\section{What's in \texttt{Sequents.thy}}
+
+Theory \texttt{Sequents.thy} makes many declarations that you need to know
+about:
+\begin{enumerate}
+\item The Isabelle types given below, which can be used for the
+constants that map object-level sequents and meta-level propositions:
+%
+\begin{ttbox}
+ single_seqe = [seq,seqobj] => prop
+ single_seqi = [seq'=>seq',seq'=>seq'] => prop
+ two_seqi = [seq'=>seq', seq'=>seq'] => prop
+ two_seqe = [seq, seq] => prop
+ three_seqi = [seq'=>seq', seq'=>seq', seq'=>seq'] => prop
+ three_seqe = [seq, seq, seq] => prop
+ four_seqi = [seq'=>seq', seq'=>seq', seq'=>seq', seq'=>seq'] => prop
+ four_seqe = [seq, seq, seq, seq] => prop
+\end{ttbox}
+
+The \verb|single_| and \verb|two_| sets of mappings for internal and
+external representations are the ones used for, say single and
+multiple conclusion sequents. The other functions are provided to
+allow rules that manipulate more than two functions, as can be seen in
+the inbuilt object logics.
+
+\item An auxiliary syntactic constant has been
+defined that directly maps a sequence to its internal representation:
+\begin{ttbox}
+"@Side" :: seq=>(seq'=>seq') ("<<(_)>>")
+\end{ttbox}
+Whenever a sequence (such as \verb|<< A, $B, $C>>|) is entered using this
+syntax, it is translated into the appropriate internal representation. This
+form can be used only where a sequence is expected.
+
+\item The \ML{} functions \texttt{single\_tr}, \texttt{two\_seq\_tr},
+ \texttt{three\_seq\_tr}, \texttt{four\_seq\_tr} for parsing, that is, the
+ translation from external to internal form. Analogously there are
+ \texttt{single\_tr'}, \texttt{two\_seq\_tr'}, \texttt{three\_seq\_tr'},
+ \texttt{four\_seq\_tr'} for pretty-printing, that is, the translation from
+ internal to external form. These functions can be used in the \ML{} section
+ of a theory file to specify the translations to be used. As an example of
+ use, note that in {\tt LK.thy} we declare two identifiers:
+\begin{ttbox}
+val parse_translation =
+ [("@Trueprop",Sequents.two_seq_tr "Trueprop")];
+val print_translation =
+ [("Trueprop",Sequents.two_seq_tr' "@Trueprop")];
+\end{ttbox}
+The given parse translation will be applied whenever a \verb|@Trueprop|
+constant is found, translating using \verb|two_seq_tr| and inserting the
+constant \verb|Trueprop|. The pretty-printing translation is applied
+analogously; a term that contains \verb|Trueprop| is printed as a
+\verb|@Trueprop|.
+\end{enumerate}
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle.pdf ""
+"$ISABELLE_TOOL" logo -o isabelle.eps ""
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/preface.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,75 @@
+\chapter*{Preface}
+Several logics come with Isabelle. Many of them are sufficiently developed
+to serve as comfortable reasoning environments. They are also good
+starting points for defining new logics. Each logic is distributed with
+sample proofs, some of which are described in this document.
+
+\texttt{HOL} is currently the best developed Isabelle object-logic, including
+an extensive library of (concrete) mathematics, and various packages for
+advanced definitional concepts (like (co-)inductive sets and types,
+well-founded recursion etc.). The distribution also includes some large
+applications. See the separate manual \emph{Isabelle's Logics: HOL}. There
+is also a comprehensive tutorial on Isabelle/HOL available.
+
+\texttt{ZF} provides another starting point for applications, with a slightly
+less developed library than \texttt{HOL}. \texttt{ZF}'s definitional packages
+are similar to those of \texttt{HOL}. Untyped \texttt{ZF} set theory provides
+more advanced constructions for sets than simply-typed \texttt{HOL}.
+\texttt{ZF} is built on \texttt{FOL} (first-order logic), both are described
+in a separate manual \emph{Isabelle's Logics: FOL and ZF}~\cite{isabelle-ZF}.
+
+\medskip There are some further logics distributed with Isabelle:
+\begin{ttdescription}
+\item[\thydx{CCL}] is Martin Coen's Classical Computational Logic,
+ which is the basis of a preliminary method for deriving programs from
+ proofs~\cite{coen92}. It is built upon classical~FOL.
+
+\item[\thydx{LCF}] is a version of Scott's Logic for Computable
+ Functions, which is also implemented by the~{\sc lcf}
+ system~\cite{paulson87}. It is built upon classical~FOL.
+
+\item[\thydx{HOLCF}] is a version of {\sc lcf}, defined as an extension of
+ \texttt{HOL}\@. See \cite{MuellerNvOS99} for more details on \texttt{HOLCF}.
+
+\item[\thydx{CTT}] is a version of Martin-L\"of's Constructive Type
+Theory~\cite{nordstrom90}, with extensional equality. Universes are not
+included.
+
+\item[\thydx{Cube}] is Barendregt's $\lambda$-cube.
+ \end{ttdescription}
+
+The directory \texttt{Sequents} contains several logics based
+ upon the sequent calculus. Sequents have the form $A@1,\ldots,A@m\turn
+B@1,\ldots,B@n$; rules are applied using associative matching.
+\begin{ttdescription}
+\item[\thydx{LK}] is classical first-order logic as a sequent calculus.
+
+\item[\thydx{Modal}] implements the modal logics $T$, $S4$, and~$S43$.
+
+\item[\thydx{ILL}] implements intuitionistic linear logic.
+\end{ttdescription}
+
+The logics \texttt{CCL}, \texttt{LCF}, \texttt{Modal}, \texttt{ILL} and {\tt
+ Cube} are undocumented. All object-logics' sources are distributed with
+Isabelle (see the directory \texttt{src}). They are also available for
+browsing on the WWW at
+
+\begin{center}\small
+ \begin{tabular}{l}
+ \url{http://www.cl.cam.ac.uk/Research/HVG/Isabelle/library/} \\
+ \url{http://isabelle.in.tum.de/library/} \\
+ \end{tabular}
+\end{center}
+
+Note that this is not necessarily consistent with your local sources!
+
+\medskip Do not read the \emph{Isabelle's Logics} manuals before reading
+\emph{Isabelle/HOL --- The Tutorial} or \emph{Introduction to Isabelle}, and
+performing some Isabelle proofs. Consult the {\em Reference Manual} for more
+information on tactics, packages, etc.
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "logics"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,51 @@
+\documentclass[12pt,a4paper]{report}
+\usepackage{graphicx,iman,extra,ttbox,proof,latexsym,pdfsetup}
+
+%%%STILL NEEDS MODAL, LCF
+%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
+%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
+%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
+%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
+%% run ../sedindex logics to prepare index file
+\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Isabelle's Logics}
+
+\author{{\em Lawrence C. Paulson}\\
+ Computer Laboratory \\ University of Cambridge \\
+ \texttt{lcp@cl.cam.ac.uk}\\[3ex]
+ With Contributions by Tobias Nipkow and Markus Wenzel%
+ \thanks{Markus Wenzel made numerous improvements. Sara Kalvala
+ contributed Chap.\ts\ref{chap:sequents}. Philippe de Groote
+ wrote the first version of the logic~LK. Tobias Nipkow developed
+ LCF and~Cube. Martin Coen developed~Modal with assistance
+ from Rajeev Gor\'e. The research has been funded by the EPSRC
+ (grants GR/G53279, GR/H40570, GR/K57381, GR/K77051, GR/M75440) and by ESPRIT
+ (projects 3245: Logical Frameworks, and 6453: Types), and by the DFG
+ Schwerpunktprogramm \emph{Deduktion}.} }
+
+\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
+ \hrule\bigskip}
+\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
+
+\makeindex
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
+
+\pagestyle{headings}
+\sloppy
+\binperiod %%%treat . like a binary operator
+
+\begin{document}
+\maketitle
+\pagenumbering{roman} \tableofcontents \clearfirst
+\input{preface}
+\input{syntax}
+\input{LK}
+\input{Sequents}
+%%\input{Modal}
+\input{CTT}
+\bibliographystyle{plain}
+\bibliography{manual}
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Logics/document/syntax.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,60 @@
+%% THIS FILE IS COMMON TO ALL LOGIC MANUALS
+
+\chapter{Syntax definitions}
+The syntax of each logic is presented using a context-free grammar.
+These grammars obey the following conventions:
+\begin{itemize}
+\item identifiers denote nonterminal symbols
+\item \texttt{typewriter} font denotes terminal symbols
+\item parentheses $(\ldots)$ express grouping
+\item constructs followed by a Kleene star, such as $id^*$ and $(\ldots)^*$
+can be repeated~0 or more times
+\item alternatives are separated by a vertical bar,~$|$
+\item the symbol for alphanumeric identifiers is~{\it id\/}
+\item the symbol for scheme variables is~{\it var}
+\end{itemize}
+To reduce the number of nonterminals and grammar rules required, Isabelle's
+syntax module employs {\bf priorities},\index{priorities} or precedences.
+Each grammar rule is given by a mixfix declaration, which has a priority,
+and each argument place has a priority. This general approach handles
+infix operators that associate either to the left or to the right, as well
+as prefix and binding operators.
+
+In a syntactically valid expression, an operator's arguments never involve
+an operator of lower priority unless brackets are used. Consider
+first-order logic, where $\exists$ has lower priority than $\disj$,
+which has lower priority than $\conj$. There, $P\conj Q \disj R$
+abbreviates $(P\conj Q) \disj R$ rather than $P\conj (Q\disj R)$. Also,
+$\exists x.P\disj Q$ abbreviates $\exists x.(P\disj Q)$ rather than
+$(\exists x.P)\disj Q$. Note especially that $P\disj(\exists x.Q)$
+becomes syntactically invalid if the brackets are removed.
+
+A {\bf binder} is a symbol associated with a constant of type
+$(\sigma\To\tau)\To\tau'$. For instance, we may declare~$\forall$ as a binder
+for the constant~$All$, which has type $(\alpha\To o)\To o$. This defines the
+syntax $\forall x.t$ to mean $All(\lambda x.t)$. We can also write $\forall
+x@1\ldots x@m.t$ to abbreviate $\forall x@1. \ldots \forall x@m.t$; this is
+possible for any constant provided that $\tau$ and $\tau'$ are the same type.
+The Hilbert description operator $\varepsilon x.P\,x$ has type $(\alpha\To
+bool)\To\alpha$ and normally binds only one variable.
+ZF's bounded quantifier $\forall x\in A.P(x)$ cannot be declared as a
+binder because it has type $[i, i\To o]\To o$. The syntax for binders allows
+type constraints on bound variables, as in
+\[ \forall (x{::}\alpha) \; (y{::}\beta) \; z{::}\gamma. Q(x,y,z) \]
+
+To avoid excess detail, the logic descriptions adopt a semi-formal style.
+Infix operators and binding operators are listed in separate tables, which
+include their priorities. Grammar descriptions do not include numeric
+priorities; instead, the rules appear in order of decreasing priority.
+This should suffice for most purposes; for full details, please consult the
+actual syntax definitions in the {\tt.thy} files.
+
+Each nonterminal symbol is associated with some Isabelle type. For
+example, the formulae of first-order logic have type~$o$. Every
+Isabelle expression of type~$o$ is therefore a formula. These include
+atomic formulae such as $P$, where $P$ is a variable of type~$o$, and more
+generally expressions such as $P(t,u)$, where $P$, $t$ and~$u$ have
+suitable types. Therefore, `expression of type~$o$' is listed as a
+separate possibility in the grammar for formulae.
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Main/Main_Doc.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,596 @@
+(*<*)
+theory Main_Doc
+imports Main
+begin
+
+setup {*
+ let
+ fun pretty_term_type_only ctxt (t, T) =
+ (if fastype_of t = Sign.certify_typ (Proof_Context.theory_of ctxt) T then ()
+ else error "term_type_only: type mismatch";
+ Syntax.pretty_typ ctxt T)
+ in
+ Thy_Output.antiquotation @{binding term_type_only}
+ (Args.term -- Args.typ_abbrev)
+ (fn {source, context = ctxt, ...} => fn arg =>
+ Thy_Output.output ctxt
+ (Thy_Output.maybe_pretty_source pretty_term_type_only ctxt source [arg]))
+ end
+*}
+setup {*
+ Thy_Output.antiquotation @{binding expanded_typ} (Args.typ >> single)
+ (fn {source, context, ...} => Thy_Output.output context o
+ Thy_Output.maybe_pretty_source Syntax.pretty_typ context source)
+*}
+(*>*)
+text{*
+
+\begin{abstract}
+This document lists the main types, functions and syntax provided by theory @{theory Main}. It is meant as a quick overview of what is available. The sophisticated class structure is only hinted at. For details see \url{http://isabelle.in.tum.de/library/HOL/}.
+\end{abstract}
+
+\section{HOL}
+
+The basic logic: @{prop "x = y"}, @{const True}, @{const False}, @{prop"Not P"}, @{prop"P & Q"}, @{prop "P | Q"}, @{prop "P --> Q"}, @{prop"ALL x. P"}, @{prop"EX x. P"}, @{prop"EX! x. P"}, @{term"THE x. P"}.
+\smallskip
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const HOL.undefined} & @{typeof HOL.undefined}\\
+@{const HOL.default} & @{typeof HOL.default}\\
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{term"~(x = y)"} & @{term[source]"\<not> (x = y)"} & (\verb$~=$)\\
+@{term[source]"P \<longleftrightarrow> Q"} & @{term"P \<longleftrightarrow> Q"} \\
+@{term"If x y z"} & @{term[source]"If x y z"}\\
+@{term"Let e\<^isub>1 (%x. e\<^isub>2)"} & @{term[source]"Let e\<^isub>1 (\<lambda>x. e\<^isub>2)"}\\
+\end{supertabular}
+
+
+\section{Orderings}
+
+A collection of classes defining basic orderings:
+preorder, partial order, linear order, dense linear order and wellorder.
+\smallskip
+
+\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
+@{const Orderings.less_eq} & @{typeof Orderings.less_eq} & (\verb$<=$)\\
+@{const Orderings.less} & @{typeof Orderings.less}\\
+@{const Orderings.Least} & @{typeof Orderings.Least}\\
+@{const Orderings.min} & @{typeof Orderings.min}\\
+@{const Orderings.max} & @{typeof Orderings.max}\\
+@{const[source] top} & @{typeof Orderings.top}\\
+@{const[source] bot} & @{typeof Orderings.bot}\\
+@{const Orderings.mono} & @{typeof Orderings.mono}\\
+@{const Orderings.strict_mono} & @{typeof Orderings.strict_mono}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{term[source]"x \<ge> y"} & @{term"x \<ge> y"} & (\verb$>=$)\\
+@{term[source]"x > y"} & @{term"x > y"}\\
+@{term"ALL x<=y. P"} & @{term[source]"\<forall>x. x \<le> y \<longrightarrow> P"}\\
+@{term"EX x<=y. P"} & @{term[source]"\<exists>x. x \<le> y \<and> P"}\\
+\multicolumn{2}{@ {}l@ {}}{Similarly for $<$, $\ge$ and $>$}\\
+@{term"LEAST x. P"} & @{term[source]"Least (\<lambda>x. P)"}\\
+\end{supertabular}
+
+
+\section{Lattices}
+
+Classes semilattice, lattice, distributive lattice and complete lattice (the
+latter in theory @{theory Set}).
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Lattices.inf} & @{typeof Lattices.inf}\\
+@{const Lattices.sup} & @{typeof Lattices.sup}\\
+@{const Complete_Lattices.Inf} & @{term_type_only Complete_Lattices.Inf "'a set \<Rightarrow> 'a::Inf"}\\
+@{const Complete_Lattices.Sup} & @{term_type_only Complete_Lattices.Sup "'a set \<Rightarrow> 'a::Sup"}\\
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+Available by loading theory @{text Lattice_Syntax} in directory @{text
+Library}.
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{text[source]"x \<sqsubseteq> y"} & @{term"x \<le> y"}\\
+@{text[source]"x \<sqsubset> y"} & @{term"x < y"}\\
+@{text[source]"x \<sqinter> y"} & @{term"inf x y"}\\
+@{text[source]"x \<squnion> y"} & @{term"sup x y"}\\
+@{text[source]"\<Sqinter> A"} & @{term"Sup A"}\\
+@{text[source]"\<Squnion> A"} & @{term"Inf A"}\\
+@{text[source]"\<top>"} & @{term[source] top}\\
+@{text[source]"\<bottom>"} & @{term[source] bot}\\
+\end{supertabular}
+
+
+\section{Set}
+
+%Sets are predicates: @{text[source]"'a set = 'a \<Rightarrow> bool"}
+%\bigskip
+
+\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
+@{const Set.empty} & @{term_type_only "Set.empty" "'a set"}\\
+@{const Set.insert} & @{term_type_only insert "'a\<Rightarrow>'a set\<Rightarrow>'a set"}\\
+@{const Collect} & @{term_type_only Collect "('a\<Rightarrow>bool)\<Rightarrow>'a set"}\\
+@{const Set.member} & @{term_type_only Set.member "'a\<Rightarrow>'a set\<Rightarrow>bool"} & (\texttt{:})\\
+@{const Set.union} & @{term_type_only Set.union "'a set\<Rightarrow>'a set \<Rightarrow> 'a set"} & (\texttt{Un})\\
+@{const Set.inter} & @{term_type_only Set.inter "'a set\<Rightarrow>'a set \<Rightarrow> 'a set"} & (\texttt{Int})\\
+@{const UNION} & @{term_type_only UNION "'a set\<Rightarrow>('a \<Rightarrow> 'b set) \<Rightarrow> 'b set"}\\
+@{const INTER} & @{term_type_only INTER "'a set\<Rightarrow>('a \<Rightarrow> 'b set) \<Rightarrow> 'b set"}\\
+@{const Union} & @{term_type_only Union "'a set set\<Rightarrow>'a set"}\\
+@{const Inter} & @{term_type_only Inter "'a set set\<Rightarrow>'a set"}\\
+@{const Pow} & @{term_type_only Pow "'a set \<Rightarrow>'a set set"}\\
+@{const UNIV} & @{term_type_only UNIV "'a set"}\\
+@{const image} & @{term_type_only image "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>'b set"}\\
+@{const Ball} & @{term_type_only Ball "'a set\<Rightarrow>('a\<Rightarrow>bool)\<Rightarrow>bool"}\\
+@{const Bex} & @{term_type_only Bex "'a set\<Rightarrow>('a\<Rightarrow>bool)\<Rightarrow>bool"}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{text"{x\<^isub>1,\<dots>,x\<^isub>n}"} & @{text"insert x\<^isub>1 (\<dots> (insert x\<^isub>n {})\<dots>)"}\\
+@{term"x ~: A"} & @{term[source]"\<not>(x \<in> A)"}\\
+@{term"A \<subseteq> B"} & @{term[source]"A \<le> B"}\\
+@{term"A \<subset> B"} & @{term[source]"A < B"}\\
+@{term[source]"A \<supseteq> B"} & @{term[source]"B \<le> A"}\\
+@{term[source]"A \<supset> B"} & @{term[source]"B < A"}\\
+@{term"{x. P}"} & @{term[source]"Collect (\<lambda>x. P)"}\\
+@{term[mode=xsymbols]"UN x:I. A"} & @{term[source]"UNION I (\<lambda>x. A)"} & (\texttt{UN})\\
+@{term[mode=xsymbols]"UN x. A"} & @{term[source]"UNION UNIV (\<lambda>x. A)"}\\
+@{term[mode=xsymbols]"INT x:I. A"} & @{term[source]"INTER I (\<lambda>x. A)"} & (\texttt{INT})\\
+@{term[mode=xsymbols]"INT x. A"} & @{term[source]"INTER UNIV (\<lambda>x. A)"}\\
+@{term"ALL x:A. P"} & @{term[source]"Ball A (\<lambda>x. P)"}\\
+@{term"EX x:A. P"} & @{term[source]"Bex A (\<lambda>x. P)"}\\
+@{term"range f"} & @{term[source]"f ` UNIV"}\\
+\end{supertabular}
+
+
+\section{Fun}
+
+\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
+@{const "Fun.id"} & @{typeof Fun.id}\\
+@{const "Fun.comp"} & @{typeof Fun.comp} & (\texttt{o})\\
+@{const "Fun.inj_on"} & @{term_type_only Fun.inj_on "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>bool"}\\
+@{const "Fun.inj"} & @{typeof Fun.inj}\\
+@{const "Fun.surj"} & @{typeof Fun.surj}\\
+@{const "Fun.bij"} & @{typeof Fun.bij}\\
+@{const "Fun.bij_betw"} & @{term_type_only Fun.bij_betw "('a\<Rightarrow>'b)\<Rightarrow>'a set\<Rightarrow>'b set\<Rightarrow>bool"}\\
+@{const "Fun.fun_upd"} & @{typeof Fun.fun_upd}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term"fun_upd f x y"} & @{term[source]"fun_upd f x y"}\\
+@{text"f(x\<^isub>1:=y\<^isub>1,\<dots>,x\<^isub>n:=y\<^isub>n)"} & @{text"f(x\<^isub>1:=y\<^isub>1)\<dots>(x\<^isub>n:=y\<^isub>n)"}\\
+\end{tabular}
+
+
+\section{Hilbert\_Choice}
+
+Hilbert's selection ($\varepsilon$) operator: @{term"SOME x. P"}.
+\smallskip
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Hilbert_Choice.inv_into} & @{term_type_only Hilbert_Choice.inv_into "'a set \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> ('b \<Rightarrow> 'a)"}
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term inv} & @{term[source]"inv_into UNIV"}
+\end{tabular}
+
+\section{Fixed Points}
+
+Theory: @{theory Inductive}.
+
+Least and greatest fixed points in a complete lattice @{typ 'a}:
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Inductive.lfp} & @{typeof Inductive.lfp}\\
+@{const Inductive.gfp} & @{typeof Inductive.gfp}\\
+\end{tabular}
+
+Note that in particular sets (@{typ"'a \<Rightarrow> bool"}) are complete lattices.
+
+\section{Sum\_Type}
+
+Type constructor @{text"+"}.
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Sum_Type.Inl} & @{typeof Sum_Type.Inl}\\
+@{const Sum_Type.Inr} & @{typeof Sum_Type.Inr}\\
+@{const Sum_Type.Plus} & @{term_type_only Sum_Type.Plus "'a set\<Rightarrow>'b set\<Rightarrow>('a+'b)set"}
+\end{tabular}
+
+
+\section{Product\_Type}
+
+Types @{typ unit} and @{text"\<times>"}.
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const Product_Type.Unity} & @{typeof Product_Type.Unity}\\
+@{const Pair} & @{typeof Pair}\\
+@{const fst} & @{typeof fst}\\
+@{const snd} & @{typeof snd}\\
+@{const split} & @{typeof split}\\
+@{const curry} & @{typeof curry}\\
+@{const Product_Type.Sigma} & @{term_type_only Product_Type.Sigma "'a set\<Rightarrow>('a\<Rightarrow>'b set)\<Rightarrow>('a*'b)set"}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} ll @ {}}
+@{term"Pair a b"} & @{term[source]"Pair a b"}\\
+@{term"split (\<lambda>x y. t)"} & @{term[source]"split (\<lambda>x y. t)"}\\
+@{term"A <*> B"} & @{text"Sigma A (\<lambda>\<^raw:\_>. B)"} & (\verb$<*>$)
+\end{tabular}
+
+Pairs may be nested. Nesting to the right is printed as a tuple,
+e.g.\ \mbox{@{term"(a,b,c)"}} is really \mbox{@{text"(a, (b, c))"}.}
+Pattern matching with pairs and tuples extends to all binders,
+e.g.\ \mbox{@{prop"ALL (x,y):A. P"},} @{term"{(x,y). P}"}, etc.
+
+
+\section{Relation}
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Relation.converse} & @{term_type_only Relation.converse "('a * 'b)set \<Rightarrow> ('b*'a)set"}\\
+@{const Relation.relcomp} & @{term_type_only Relation.relcomp "('a*'b)set\<Rightarrow>('b*'c)set\<Rightarrow>('a*'c)set"}\\
+@{const Relation.Image} & @{term_type_only Relation.Image "('a*'b)set\<Rightarrow>'a set\<Rightarrow>'b set"}\\
+@{const Relation.inv_image} & @{term_type_only Relation.inv_image "('a*'a)set\<Rightarrow>('b\<Rightarrow>'a)\<Rightarrow>('b*'b)set"}\\
+@{const Relation.Id_on} & @{term_type_only Relation.Id_on "'a set\<Rightarrow>('a*'a)set"}\\
+@{const Relation.Id} & @{term_type_only Relation.Id "('a*'a)set"}\\
+@{const Relation.Domain} & @{term_type_only Relation.Domain "('a*'b)set\<Rightarrow>'a set"}\\
+@{const Relation.Range} & @{term_type_only Relation.Range "('a*'b)set\<Rightarrow>'b set"}\\
+@{const Relation.Field} & @{term_type_only Relation.Field "('a*'a)set\<Rightarrow>'a set"}\\
+@{const Relation.refl_on} & @{term_type_only Relation.refl_on "'a set\<Rightarrow>('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.refl} & @{term_type_only Relation.refl "('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.sym} & @{term_type_only Relation.sym "('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.antisym} & @{term_type_only Relation.antisym "('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.trans} & @{term_type_only Relation.trans "('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.irrefl} & @{term_type_only Relation.irrefl "('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.total_on} & @{term_type_only Relation.total_on "'a set\<Rightarrow>('a*'a)set\<Rightarrow>bool"}\\
+@{const Relation.total} & @{term_type_only Relation.total "('a*'a)set\<Rightarrow>bool"}\\
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{term"converse r"} & @{term[source]"converse r"} & (\verb$^-1$)
+\end{tabular}
+\medskip
+
+\noindent
+Type synonym \ @{typ"'a rel"} @{text"="} @{expanded_typ "'a rel"}
+
+\section{Equiv\_Relations}
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const Equiv_Relations.equiv} & @{term_type_only Equiv_Relations.equiv "'a set \<Rightarrow> ('a*'a)set\<Rightarrow>bool"}\\
+@{const Equiv_Relations.quotient} & @{term_type_only Equiv_Relations.quotient "'a set \<Rightarrow> ('a \<times> 'a) set \<Rightarrow> 'a set set"}\\
+@{const Equiv_Relations.congruent} & @{term_type_only Equiv_Relations.congruent "('a*'a)set\<Rightarrow>('a\<Rightarrow>'b)\<Rightarrow>bool"}\\
+@{const Equiv_Relations.congruent2} & @{term_type_only Equiv_Relations.congruent2 "('a*'a)set\<Rightarrow>('b*'b)set\<Rightarrow>('a\<Rightarrow>'b\<Rightarrow>'c)\<Rightarrow>bool"}\\
+%@ {const Equiv_Relations.} & @ {term_type_only Equiv_Relations. ""}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term"congruent r f"} & @{term[source]"congruent r f"}\\
+@{term"congruent2 r r f"} & @{term[source]"congruent2 r r f"}\\
+\end{tabular}
+
+
+\section{Transitive\_Closure}
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Transitive_Closure.rtrancl} & @{term_type_only Transitive_Closure.rtrancl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
+@{const Transitive_Closure.trancl} & @{term_type_only Transitive_Closure.trancl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
+@{const Transitive_Closure.reflcl} & @{term_type_only Transitive_Closure.reflcl "('a*'a)set\<Rightarrow>('a*'a)set"}\\
+@{const Transitive_Closure.acyclic} & @{term_type_only Transitive_Closure.acyclic "('a*'a)set\<Rightarrow>bool"}\\
+@{const compower} & @{term_type_only "op ^^ :: ('a*'a)set\<Rightarrow>nat\<Rightarrow>('a*'a)set" "('a*'a)set\<Rightarrow>nat\<Rightarrow>('a*'a)set"}\\
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{term"rtrancl r"} & @{term[source]"rtrancl r"} & (\verb$^*$)\\
+@{term"trancl r"} & @{term[source]"trancl r"} & (\verb$^+$)\\
+@{term"reflcl r"} & @{term[source]"reflcl r"} & (\verb$^=$)
+\end{tabular}
+
+
+\section{Algebra}
+
+Theories @{theory Groups}, @{theory Rings}, @{theory Fields} and @{theory
+Divides} define a large collection of classes describing common algebraic
+structures from semigroups up to fields. Everything is done in terms of
+overloaded operators:
+
+\begin{supertabular}{@ {} l @ {~::~} l l @ {}}
+@{text "0"} & @{typeof zero}\\
+@{text "1"} & @{typeof one}\\
+@{const plus} & @{typeof plus}\\
+@{const minus} & @{typeof minus}\\
+@{const uminus} & @{typeof uminus} & (\verb$-$)\\
+@{const times} & @{typeof times}\\
+@{const inverse} & @{typeof inverse}\\
+@{const divide} & @{typeof divide}\\
+@{const abs} & @{typeof abs}\\
+@{const sgn} & @{typeof sgn}\\
+@{const dvd_class.dvd} & @{typeof "dvd_class.dvd"}\\
+@{const div_class.div} & @{typeof "div_class.div"}\\
+@{const div_class.mod} & @{typeof "div_class.mod"}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term"abs x"} & @{term[source]"abs x"}
+\end{tabular}
+
+
+\section{Nat}
+
+@{datatype nat}
+\bigskip
+
+\begin{tabular}{@ {} lllllll @ {}}
+@{term "op + :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "op - :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "op * :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "op ^ :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "op div :: nat \<Rightarrow> nat \<Rightarrow> nat"}&
+@{term "op mod :: nat \<Rightarrow> nat \<Rightarrow> nat"}&
+@{term "op dvd :: nat \<Rightarrow> nat \<Rightarrow> bool"}\\
+@{term "op \<le> :: nat \<Rightarrow> nat \<Rightarrow> bool"} &
+@{term "op < :: nat \<Rightarrow> nat \<Rightarrow> bool"} &
+@{term "min :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "max :: nat \<Rightarrow> nat \<Rightarrow> nat"} &
+@{term "Min :: nat set \<Rightarrow> nat"} &
+@{term "Max :: nat set \<Rightarrow> nat"}\\
+\end{tabular}
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Nat.of_nat} & @{typeof Nat.of_nat}\\
+@{term "op ^^ :: ('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a"} &
+ @{term_type_only "op ^^ :: ('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a" "('a \<Rightarrow> 'a) \<Rightarrow> nat \<Rightarrow> 'a \<Rightarrow> 'a"}
+\end{tabular}
+
+\section{Int}
+
+Type @{typ int}
+\bigskip
+
+\begin{tabular}{@ {} llllllll @ {}}
+@{term "op + :: int \<Rightarrow> int \<Rightarrow> int"} &
+@{term "op - :: int \<Rightarrow> int \<Rightarrow> int"} &
+@{term "uminus :: int \<Rightarrow> int"} &
+@{term "op * :: int \<Rightarrow> int \<Rightarrow> int"} &
+@{term "op ^ :: int \<Rightarrow> nat \<Rightarrow> int"} &
+@{term "op div :: int \<Rightarrow> int \<Rightarrow> int"}&
+@{term "op mod :: int \<Rightarrow> int \<Rightarrow> int"}&
+@{term "op dvd :: int \<Rightarrow> int \<Rightarrow> bool"}\\
+@{term "op \<le> :: int \<Rightarrow> int \<Rightarrow> bool"} &
+@{term "op < :: int \<Rightarrow> int \<Rightarrow> bool"} &
+@{term "min :: int \<Rightarrow> int \<Rightarrow> int"} &
+@{term "max :: int \<Rightarrow> int \<Rightarrow> int"} &
+@{term "Min :: int set \<Rightarrow> int"} &
+@{term "Max :: int set \<Rightarrow> int"}\\
+@{term "abs :: int \<Rightarrow> int"} &
+@{term "sgn :: int \<Rightarrow> int"}\\
+\end{tabular}
+
+\begin{tabular}{@ {} l @ {~::~} l l @ {}}
+@{const Int.nat} & @{typeof Int.nat}\\
+@{const Int.of_int} & @{typeof Int.of_int}\\
+@{const Int.Ints} & @{term_type_only Int.Ints "'a::ring_1 set"} & (\verb$Ints$)
+\end{tabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term"of_nat::nat\<Rightarrow>int"} & @{term[source]"of_nat"}\\
+\end{tabular}
+
+
+\section{Finite\_Set}
+
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const Finite_Set.finite} & @{term_type_only Finite_Set.finite "'a set\<Rightarrow>bool"}\\
+@{const Finite_Set.card} & @{term_type_only Finite_Set.card "'a set => nat"}\\
+@{const Finite_Set.fold} & @{term_type_only Finite_Set.fold "('a \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> 'b \<Rightarrow> 'a set \<Rightarrow> 'b"}\\
+@{const Finite_Set.fold_image} & @{typ "('b \<Rightarrow> 'b \<Rightarrow> 'b) \<Rightarrow> ('a \<Rightarrow> 'b) \<Rightarrow> 'b \<Rightarrow> 'a set \<Rightarrow> 'b"}\\
+@{const Big_Operators.setsum} & @{term_type_only Big_Operators.setsum "('a => 'b) => 'a set => 'b::comm_monoid_add"}\\
+@{const Big_Operators.setprod} & @{term_type_only Big_Operators.setprod "('a => 'b) => 'a set => 'b::comm_monoid_mult"}\\
+\end{supertabular}
+
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l l @ {}}
+@{term"setsum (%x. x) A"} & @{term[source]"setsum (\<lambda>x. x) A"} & (\verb$SUM$)\\
+@{term"setsum (%x. t) A"} & @{term[source]"setsum (\<lambda>x. t) A"}\\
+@{term[source]"\<Sum>x|P. t"} & @{term"\<Sum>x|P. t"}\\
+\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Prod>"} instead of @{text"\<Sum>"}} & (\verb$PROD$)\\
+\end{supertabular}
+
+
+\section{Wellfounded}
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const Wellfounded.wf} & @{term_type_only Wellfounded.wf "('a*'a)set\<Rightarrow>bool"}\\
+@{const Wellfounded.acc} & @{term_type_only Wellfounded.acc "('a*'a)set\<Rightarrow>'a set"}\\
+@{const Wellfounded.measure} & @{term_type_only Wellfounded.measure "('a\<Rightarrow>nat)\<Rightarrow>('a*'a)set"}\\
+@{const Wellfounded.lex_prod} & @{term_type_only Wellfounded.lex_prod "('a*'a)set\<Rightarrow>('b*'b)set\<Rightarrow>(('a*'b)*('a*'b))set"}\\
+@{const Wellfounded.mlex_prod} & @{term_type_only Wellfounded.mlex_prod "('a\<Rightarrow>nat)\<Rightarrow>('a*'a)set\<Rightarrow>('a*'a)set"}\\
+@{const Wellfounded.less_than} & @{term_type_only Wellfounded.less_than "(nat*nat)set"}\\
+@{const Wellfounded.pred_nat} & @{term_type_only Wellfounded.pred_nat "(nat*nat)set"}\\
+\end{supertabular}
+
+
+\section{SetInterval}
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const lessThan} & @{term_type_only lessThan "'a::ord \<Rightarrow> 'a set"}\\
+@{const atMost} & @{term_type_only atMost "'a::ord \<Rightarrow> 'a set"}\\
+@{const greaterThan} & @{term_type_only greaterThan "'a::ord \<Rightarrow> 'a set"}\\
+@{const atLeast} & @{term_type_only atLeast "'a::ord \<Rightarrow> 'a set"}\\
+@{const greaterThanLessThan} & @{term_type_only greaterThanLessThan "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
+@{const atLeastLessThan} & @{term_type_only atLeastLessThan "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
+@{const greaterThanAtMost} & @{term_type_only greaterThanAtMost "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
+@{const atLeastAtMost} & @{term_type_only atLeastAtMost "'a::ord \<Rightarrow> 'a \<Rightarrow> 'a set"}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term "lessThan y"} & @{term[source] "lessThan y"}\\
+@{term "atMost y"} & @{term[source] "atMost y"}\\
+@{term "greaterThan x"} & @{term[source] "greaterThan x"}\\
+@{term "atLeast x"} & @{term[source] "atLeast x"}\\
+@{term "greaterThanLessThan x y"} & @{term[source] "greaterThanLessThan x y"}\\
+@{term "atLeastLessThan x y"} & @{term[source] "atLeastLessThan x y"}\\
+@{term "greaterThanAtMost x y"} & @{term[source] "greaterThanAtMost x y"}\\
+@{term "atLeastAtMost x y"} & @{term[source] "atLeastAtMost x y"}\\
+@{term[mode=xsymbols] "UN i:{..n}. A"} & @{term[source] "\<Union> i \<in> {..n}. A"}\\
+@{term[mode=xsymbols] "UN i:{..<n}. A"} & @{term[source] "\<Union> i \<in> {..<n}. A"}\\
+\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Inter>"} instead of @{text"\<Union>"}}\\
+@{term "setsum (%x. t) {a..b}"} & @{term[source] "setsum (\<lambda>x. t) {a..b}"}\\
+@{term "setsum (%x. t) {a..<b}"} & @{term[source] "setsum (\<lambda>x. t) {a..<b}"}\\
+@{term "setsum (%x. t) {..b}"} & @{term[source] "setsum (\<lambda>x. t) {..b}"}\\
+@{term "setsum (%x. t) {..<b}"} & @{term[source] "setsum (\<lambda>x. t) {..<b}"}\\
+\multicolumn{2}{@ {}l@ {}}{Similarly for @{text"\<Prod>"} instead of @{text"\<Sum>"}}\\
+\end{supertabular}
+
+
+\section{Power}
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Power.power} & @{typeof Power.power}
+\end{tabular}
+
+
+\section{Option}
+
+@{datatype option}
+\bigskip
+
+\begin{tabular}{@ {} l @ {~::~} l @ {}}
+@{const Option.the} & @{typeof Option.the}\\
+@{const Option.map} & @{typ[source]"('a \<Rightarrow> 'b) \<Rightarrow> 'a option \<Rightarrow> 'b option"}\\
+@{const Option.set} & @{term_type_only Option.set "'a option \<Rightarrow> 'a set"}\\
+@{const Option.bind} & @{term_type_only Option.bind "'a option \<Rightarrow> ('a \<Rightarrow> 'b option) \<Rightarrow> 'b option"}
+\end{tabular}
+
+\section{List}
+
+@{datatype list}
+\bigskip
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const List.append} & @{typeof List.append}\\
+@{const List.butlast} & @{typeof List.butlast}\\
+@{const List.concat} & @{typeof List.concat}\\
+@{const List.distinct} & @{typeof List.distinct}\\
+@{const List.drop} & @{typeof List.drop}\\
+@{const List.dropWhile} & @{typeof List.dropWhile}\\
+@{const List.filter} & @{typeof List.filter}\\
+@{const List.find} & @{typeof List.find}\\
+@{const List.fold} & @{typeof List.fold}\\
+@{const List.foldr} & @{typeof List.foldr}\\
+@{const List.foldl} & @{typeof List.foldl}\\
+@{const List.hd} & @{typeof List.hd}\\
+@{const List.last} & @{typeof List.last}\\
+@{const List.length} & @{typeof List.length}\\
+@{const List.lenlex} & @{term_type_only List.lenlex "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
+@{const List.lex} & @{term_type_only List.lex "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
+@{const List.lexn} & @{term_type_only List.lexn "('a*'a)set\<Rightarrow>nat\<Rightarrow>('a list * 'a list)set"}\\
+@{const List.lexord} & @{term_type_only List.lexord "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
+@{const List.listrel} & @{term_type_only List.listrel "('a*'b)set\<Rightarrow>('a list * 'b list)set"}\\
+@{const List.listrel1} & @{term_type_only List.listrel1 "('a*'a)set\<Rightarrow>('a list * 'a list)set"}\\
+@{const List.lists} & @{term_type_only List.lists "'a set\<Rightarrow>'a list set"}\\
+@{const List.listset} & @{term_type_only List.listset "'a set list \<Rightarrow> 'a list set"}\\
+@{const List.listsum} & @{typeof List.listsum}\\
+@{const List.list_all2} & @{typeof List.list_all2}\\
+@{const List.list_update} & @{typeof List.list_update}\\
+@{const List.map} & @{typeof List.map}\\
+@{const List.measures} & @{term_type_only List.measures "('a\<Rightarrow>nat)list\<Rightarrow>('a*'a)set"}\\
+@{const List.nth} & @{typeof List.nth}\\
+@{const List.remdups} & @{typeof List.remdups}\\
+@{const List.removeAll} & @{typeof List.removeAll}\\
+@{const List.remove1} & @{typeof List.remove1}\\
+@{const List.replicate} & @{typeof List.replicate}\\
+@{const List.rev} & @{typeof List.rev}\\
+@{const List.rotate} & @{typeof List.rotate}\\
+@{const List.rotate1} & @{typeof List.rotate1}\\
+@{const List.set} & @{term_type_only List.set "'a list \<Rightarrow> 'a set"}\\
+@{const List.sort} & @{typeof List.sort}\\
+@{const List.sorted} & @{typeof List.sorted}\\
+@{const List.splice} & @{typeof List.splice}\\
+@{const List.sublist} & @{typeof List.sublist}\\
+@{const List.take} & @{typeof List.take}\\
+@{const List.takeWhile} & @{typeof List.takeWhile}\\
+@{const List.tl} & @{typeof List.tl}\\
+@{const List.upt} & @{typeof List.upt}\\
+@{const List.upto} & @{typeof List.upto}\\
+@{const List.zip} & @{typeof List.zip}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{supertabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{text"[x\<^isub>1,\<dots>,x\<^isub>n]"} & @{text"x\<^isub>1 # \<dots> # x\<^isub>n # []"}\\
+@{term"[m..<n]"} & @{term[source]"upt m n"}\\
+@{term"[i..j]"} & @{term[source]"upto i j"}\\
+@{text"[e. x \<leftarrow> xs]"} & @{term"map (%x. e) xs"}\\
+@{term"[x \<leftarrow> xs. b]"} & @{term[source]"filter (\<lambda>x. b) xs"} \\
+@{term"xs[n := x]"} & @{term[source]"list_update xs n x"}\\
+@{term"\<Sum>x\<leftarrow>xs. e"} & @{term[source]"listsum (map (\<lambda>x. e) xs)"}\\
+\end{supertabular}
+\medskip
+
+List comprehension: @{text"[e. q\<^isub>1, \<dots>, q\<^isub>n]"} where each
+qualifier @{text q\<^isub>i} is either a generator \mbox{@{text"pat \<leftarrow> e"}} or a
+guard, i.e.\ boolean expression.
+
+\section{Map}
+
+Maps model partial functions and are often used as finite tables. However,
+the domain of a map may be infinite.
+
+\begin{supertabular}{@ {} l @ {~::~} l @ {}}
+@{const Map.empty} & @{typeof Map.empty}\\
+@{const Map.map_add} & @{typeof Map.map_add}\\
+@{const Map.map_comp} & @{typeof Map.map_comp}\\
+@{const Map.restrict_map} & @{term_type_only Map.restrict_map "('a\<Rightarrow>'b option)\<Rightarrow>'a set\<Rightarrow>('a\<Rightarrow>'b option)"}\\
+@{const Map.dom} & @{term_type_only Map.dom "('a\<Rightarrow>'b option)\<Rightarrow>'a set"}\\
+@{const Map.ran} & @{term_type_only Map.ran "('a\<Rightarrow>'b option)\<Rightarrow>'b set"}\\
+@{const Map.map_le} & @{typeof Map.map_le}\\
+@{const Map.map_of} & @{typeof Map.map_of}\\
+@{const Map.map_upds} & @{typeof Map.map_upds}\\
+\end{supertabular}
+
+\subsubsection*{Syntax}
+
+\begin{tabular}{@ {} l @ {\quad$\equiv$\quad} l @ {}}
+@{term"Map.empty"} & @{term"\<lambda>x. None"}\\
+@{term"m(x:=Some y)"} & @{term[source]"m(x:=Some y)"}\\
+@{text"m(x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n)"} & @{text[source]"m(x\<^isub>1\<mapsto>y\<^isub>1)\<dots>(x\<^isub>n\<mapsto>y\<^isub>n)"}\\
+@{text"[x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n]"} & @{text[source]"Map.empty(x\<^isub>1\<mapsto>y\<^isub>1,\<dots>,x\<^isub>n\<mapsto>y\<^isub>n)"}\\
+@{term"map_upds m xs ys"} & @{term[source]"map_upds m xs ys"}\\
+\end{tabular}
+
+*}
+(*<*)
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Main/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" latex -o sty
+cp "$ISABELLE_HOME/src/Doc/pdfsetup.sty" .
+
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Main/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,38 @@
+\documentclass[12pt,a4paper]{article}
+
+\oddsidemargin=4.6mm
+\evensidemargin=4.6mm
+\textwidth=150mm
+\topmargin=4.6mm
+\headheight=0mm
+\headsep=0mm
+\textheight=234mm
+
+\usepackage{isabelle,isabellesym}
+\usepackage{amssymb}
+\usepackage[only,bigsqcap]{stmaryrd}
+
+% this should be the last package used
+\usepackage{pdfsetup}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{rm}
+\isabellestyle{it}
+
+% for uniform font size
+\renewcommand{\isastyle}{\isastyleminor}
+
+\parindent 0pt\parskip 0.5ex
+
+\usepackage{supertabular}
+
+\begin{document}
+
+\title{What's in Main}
+\author{Tobias Nipkow}
+\date{\today}
+\maketitle
+
+\input{Main_Doc.tex}
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Nitpick/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_nitpick.pdf "Nitpick"
+"$ISABELLE_TOOL" logo -o isabelle_nitpick.eps "Nitpick"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Nitpick/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2906 @@
+\documentclass[a4paper,12pt]{article}
+\usepackage[T1]{fontenc}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage[english,french]{babel}
+\usepackage{color}
+\usepackage{footmisc}
+\usepackage{graphicx}
+%\usepackage{mathpazo}
+\usepackage{multicol}
+\usepackage{stmaryrd}
+%\usepackage[scaled=.85]{beramono}
+\usepackage{isabelle,iman,pdfsetup}
+
+%\oddsidemargin=4.6mm
+%\evensidemargin=4.6mm
+%\textwidth=150mm
+%\topmargin=4.6mm
+%\headheight=0mm
+%\headsep=0mm
+%\textheight=234mm
+
+\def\Colon{\mathord{:\mkern-1.5mu:}}
+%\def\lbrakk{\mathopen{\lbrack\mkern-3.25mu\lbrack}}
+%\def\rbrakk{\mathclose{\rbrack\mkern-3.255mu\rbrack}}
+\def\lparr{\mathopen{(\mkern-4mu\mid}}
+\def\rparr{\mathclose{\mid\mkern-4mu)}}
+
+\def\unk{{?}}
+\def\unkef{(\lambda x.\; \unk)}
+\def\undef{(\lambda x.\; \_)}
+%\def\unr{\textit{others}}
+\def\unr{\ldots}
+\def\Abs#1{\hbox{\rm{\flqq}}{\,#1\,}\hbox{\rm{\frqq}}}
+\def\Q{{\smash{\lower.2ex\hbox{$\scriptstyle?$}}}}
+
+\hyphenation{Mini-Sat size-change First-Steps grand-parent nit-pick
+counter-example counter-examples data-type data-types co-data-type
+co-data-types in-duc-tive co-in-duc-tive}
+
+\urlstyle{tt}
+
+\begin{document}
+
+%%% TYPESETTING
+%\renewcommand\labelitemi{$\bullet$}
+\renewcommand\labelitemi{\raise.065ex\hbox{\small\textbullet}}
+
+\selectlanguage{english}
+
+\title{\includegraphics[scale=0.5]{isabelle_nitpick} \\[4ex]
+Picking Nits \\[\smallskipamount]
+\Large A User's Guide to Nitpick for Isabelle/HOL}
+\author{\hbox{} \\
+Jasmin Christian Blanchette \\
+{\normalsize Institut f\"ur Informatik, Technische Universit\"at M\"unchen} \\
+\hbox{}}
+
+\maketitle
+
+\tableofcontents
+
+\setlength{\parskip}{.7em plus .2em minus .1em}
+\setlength{\parindent}{0pt}
+\setlength{\abovedisplayskip}{\parskip}
+\setlength{\abovedisplayshortskip}{.9\parskip}
+\setlength{\belowdisplayskip}{\parskip}
+\setlength{\belowdisplayshortskip}{.9\parskip}
+
+% General-purpose enum environment with correct spacing
+\newenvironment{enum}%
+ {\begin{list}{}{%
+ \setlength{\topsep}{.1\parskip}%
+ \setlength{\partopsep}{.1\parskip}%
+ \setlength{\itemsep}{\parskip}%
+ \advance\itemsep by-\parsep}}
+ {\end{list}}
+
+\def\pre{\begingroup\vskip0pt plus1ex\advance\leftskip by\leftmargin
+\advance\rightskip by\leftmargin}
+\def\post{\vskip0pt plus1ex\endgroup}
+
+\def\prew{\pre\advance\rightskip by-\leftmargin}
+\def\postw{\post}
+
+\section{Introduction}
+\label{introduction}
+
+Nitpick \cite{blanchette-nipkow-2010} is a counterexample generator for
+Isabelle/HOL \cite{isa-tutorial} that is designed to handle formulas
+combining (co)in\-duc\-tive datatypes, (co)in\-duc\-tively defined predicates, and
+quantifiers. It builds on Kodkod \cite{torlak-jackson-2007}, a highly optimized
+first-order relational model finder developed by the Software Design Group at
+MIT. It is conceptually similar to Refute \cite{weber-2008}, from which it
+borrows many ideas and code fragments, but it benefits from Kodkod's
+optimizations and a new encoding scheme. The name Nitpick is shamelessly
+appropriated from a now retired Alloy precursor.
+
+Nitpick is easy to use---you simply enter \textbf{nitpick} after a putative
+theorem and wait a few seconds. Nonetheless, there are situations where knowing
+how it works under the hood and how it reacts to various options helps
+increase the test coverage. This manual also explains how to install the tool on
+your workstation. Should the motivation fail you, think of the many hours of
+hard work Nitpick will save you. Proving non-theorems is \textsl{hard work}.
+
+Another common use of Nitpick is to find out whether the axioms of a locale are
+satisfiable, while the locale is being developed. To check this, it suffices to
+write
+
+\prew
+\textbf{lemma}~``$\textit{False\/}$'' \\
+\textbf{nitpick}~[\textit{show\_all}]
+\postw
+
+after the locale's \textbf{begin} keyword. To falsify \textit{False}, Nitpick
+must find a model for the axioms. If it finds no model, we have an indication
+that the axioms might be unsatisfiable.
+
+You can also invoke Nitpick from the ``Commands'' submenu of the
+``Isabelle'' menu in Proof General or by pressing the Emacs key sequence C-c C-a
+C-n. This is equivalent to entering the \textbf{nitpick} command with no
+arguments in the theory text.
+
+Throughout this manual, we will explicitly invoke the \textbf{nitpick} command.
+Nitpick also provides an automatic mode that can be enabled via the ``Auto
+Nitpick'' option from the ``Isabelle'' menu in Proof General. In this mode,
+Nitpick is run on every newly entered theorem. The time limit for Auto Nitpick
+and other automatic tools can be set using the ``Auto Tools Time Limit'' option.
+
+\newbox\boxA
+\setbox\boxA=\hbox{\texttt{nospam}}
+
+\newcommand\authoremail{\texttt{blan{\color{white}nospam}\kern-\wd\boxA{}chette@\allowbreak
+in.\allowbreak tum.\allowbreak de}}
+
+To run Nitpick, you must also make sure that the theory \textit{Nitpick} is
+imported---this is rarely a problem in practice since it is part of
+\textit{Main}. The examples presented in this manual can be found
+in Isabelle's \texttt{src/HOL/\allowbreak Nitpick\_Examples/Manual\_Nits.thy} theory.
+The known bugs and limitations at the time of writing are listed in
+\S\ref{known-bugs-and-limitations}. Comments and bug reports concerning either
+the tool or the manual should be directed to the author at \authoremail.
+
+\vskip2.5\smallskipamount
+
+\textbf{Acknowledgment.} The author would like to thank Mark Summerfield for
+suggesting several textual improvements.
+% and Perry James for reporting a typo.
+
+\section{Installation}
+\label{installation}
+
+Sledgehammer is part of Isabelle, so you don't need to install it. However, it
+relies on a third-party Kodkod front-end called Kodkodi as well as a Java
+virtual machine called \texttt{java} (version 1.5 or above).
+
+There are two main ways of installing Kodkodi:
+
+\begin{enum}
+\item[\labelitemi] If you installed an official Isabelle package,
+it should already include a properly setup version of Kodkodi.
+
+\item[\labelitemi] If you use a repository or snapshot version of Isabelle, you
+an official Isabelle package, you can download the Isabelle-aware Kodkodi package
+from \url{http://www21.in.tum.de/~blanchet/\#software}. Extract the archive, then add a
+line to your \texttt{\$ISABELLE\_HOME\_USER\slash etc\slash components}%
+\footnote{The variable \texttt{\$ISABELLE\_HOME\_USER} is set by Isabelle at
+startup. Its value can be retrieved by executing \texttt{isabelle}
+\texttt{getenv} \texttt{ISABELLE\_HOME\_USER} on the command line.}
+file with the absolute path to Kodkodi. For example, if the
+\texttt{components} file does not exist yet and you extracted Kodkodi to
+\texttt{/usr/local/kodkodi-1.5.1}, create it with the single line
+
+\prew
+\texttt{/usr/local/kodkodi-1.5.1}
+\postw
+
+(including an invisible newline character) in it.
+\end{enum}
+
+To check whether Kodkodi is successfully installed, you can try out the example
+in \S\ref{propositional-logic}.
+
+\section{First Steps}
+\label{first-steps}
+
+This section introduces Nitpick by presenting small examples. If possible, you
+should try out the examples on your workstation. Your theory file should start
+as follows:
+
+\prew
+\textbf{theory}~\textit{Scratch} \\
+\textbf{imports}~\textit{Main~Quotient\_Product~RealDef} \\
+\textbf{begin}
+\postw
+
+The results presented here were obtained using the JNI (Java Native Interface)
+version of MiniSat and with multithreading disabled to reduce nondeterminism.
+This was done by adding the line
+
+\prew
+\textbf{nitpick\_params} [\textit{sat\_solver}~= \textit{MiniSat\_JNI}, \,\textit{max\_threads}~= 1]
+\postw
+
+after the \textbf{begin} keyword. The JNI version of MiniSat is bundled with
+Kodkodi and is precompiled for Linux, Mac~OS~X, and Windows (Cygwin). Other SAT
+solvers can also be installed, as explained in \S\ref{optimizations}. If you
+have already configured SAT solvers in Isabelle (e.g., for Refute), these will
+also be available to Nitpick.
+
+\subsection{Propositional Logic}
+\label{propositional-logic}
+
+Let's start with a trivial example from propositional logic:
+
+\prew
+\textbf{lemma}~``$P \longleftrightarrow Q$'' \\
+\textbf{nitpick}
+\postw
+
+You should get the following output:
+
+\prew
+\slshape
+Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $P = \textit{True}$ \\
+\hbox{}\qquad\qquad $Q = \textit{False}$
+\postw
+
+Nitpick can also be invoked on individual subgoals, as in the example below:
+
+\prew
+\textbf{apply}~\textit{auto} \\[2\smallskipamount]
+{\slshape goal (2 subgoals): \\
+\phantom{0}1. $P\,\Longrightarrow\, Q$ \\
+\phantom{0}2. $Q\,\Longrightarrow\, P$} \\[2\smallskipamount]
+\textbf{nitpick}~1 \\[2\smallskipamount]
+{\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $P = \textit{True}$ \\
+\hbox{}\qquad\qquad $Q = \textit{False}$} \\[2\smallskipamount]
+\textbf{nitpick}~2 \\[2\smallskipamount]
+{\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $P = \textit{False}$ \\
+\hbox{}\qquad\qquad $Q = \textit{True}$} \\[2\smallskipamount]
+\textbf{oops}
+\postw
+
+\subsection{Type Variables}
+\label{type-variables}
+
+If you are left unimpressed by the previous example, don't worry. The next
+one is more mind- and computer-boggling:
+
+\prew
+\textbf{lemma} ``$x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$''
+\postw
+\pagebreak[2] %% TYPESETTING
+
+The putative lemma involves the definite description operator, {THE}, presented
+in section 5.10.1 of the Isabelle tutorial \cite{isa-tutorial}. The
+operator is defined by the axiom $(\textrm{THE}~x.\; x = a) = a$. The putative
+lemma is merely asserting the indefinite description operator axiom with {THE}
+substituted for {SOME}.
+
+The free variable $x$ and the bound variable $y$ have type $'a$. For formulas
+containing type variables, Nitpick enumerates the possible domains for each type
+variable, up to a given cardinality (10 by default), looking for a finite
+countermodel:
+
+\prew
+\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
+\slshape
+Trying 10 scopes: \nopagebreak \\
+\hbox{}\qquad \textit{card}~$'a$~= 1; \\
+\hbox{}\qquad \textit{card}~$'a$~= 2; \\
+\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
+\hbox{}\qquad \textit{card}~$'a$~= 10. \\[2\smallskipamount]
+Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $A = \{a_2,\, a_3\}$ \\
+\hbox{}\qquad\qquad $x = a_3$ \\[2\smallskipamount]
+Total time: 963 ms.
+\postw
+
+Nitpick found a counterexample in which $'a$ has cardinality 3. (For
+cardinalities 1 and 2, the formula holds.) In the counterexample, the three
+values of type $'a$ are written $a_1$, $a_2$, and $a_3$.
+
+The message ``Trying $n$ scopes: {\ldots}''\ is shown only if the option
+\textit{verbose} is enabled. You can specify \textit{verbose} each time you
+invoke \textbf{nitpick}, or you can set it globally using the command
+
+\prew
+\textbf{nitpick\_params} [\textit{verbose}]
+\postw
+
+This command also displays the current default values for all of the options
+supported by Nitpick. The options are listed in \S\ref{option-reference}.
+
+\subsection{Constants}
+\label{constants}
+
+By just looking at Nitpick's output, it might not be clear why the
+counterexample in \S\ref{type-variables} is genuine. Let's invoke Nitpick again,
+this time telling it to show the values of the constants that occur in the
+formula:
+
+\prew
+\textbf{lemma} ``$x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$'' \\
+\textbf{nitpick}~[\textit{show\_consts}] \\[2\smallskipamount]
+\slshape
+Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $A = \{a_2,\, a_3\}$ \\
+\hbox{}\qquad\qquad $x = a_3$ \\
+\hbox{}\qquad Constant: \nopagebreak \\
+\hbox{}\qquad\qquad $\hbox{\slshape THE}~y.\;y \in A = a_1$
+\postw
+
+As the result of an optimization, Nitpick directly assigned a value to the
+subterm $\textrm{THE}~y.\;y \in A$, rather than to the \textit{The} constant. We
+can disable this optimization by using the command
+
+\prew
+\textbf{nitpick}~[\textit{dont\_specialize},\, \textit{show\_consts}]
+\postw
+
+Our misadventures with THE suggest adding `$\exists!x{.}$' (``there exists a
+unique $x$ such that'') at the front of our putative lemma's assumption:
+
+\prew
+\textbf{lemma} ``$\exists {!}x.\; x \in A\,\Longrightarrow\, (\textrm{THE}~y.\;y \in A) \in A$''
+\postw
+
+The fix appears to work:
+
+\prew
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found no counterexample.
+\postw
+
+We can further increase our confidence in the formula by exhausting all
+cardinalities up to 50:
+
+\prew
+\textbf{nitpick} [\textit{card} $'a$~= 1--50]\footnote{The symbol `--'
+can be entered as \texttt{-} (hyphen) or
+\texttt{\char`\\\char`\<emdash\char`\>}.} \\[2\smallskipamount]
+\slshape Nitpick found no counterexample.
+\postw
+
+Let's see if Sledgehammer can find a proof:
+
+\prew
+\textbf{sledgehammer} \\[2\smallskipamount]
+{\slshape Sledgehammer: ``$e$'' on goal \\
+Try this: \textbf{by}~(\textit{metis~theI}) (42 ms).} \\
+\hbox{}\qquad\vdots \\[2\smallskipamount]
+\textbf{by}~(\textit{metis~theI\/})
+\postw
+
+This must be our lucky day.
+
+\subsection{Skolemization}
+\label{skolemization}
+
+Are all invertible functions onto? Let's find out:
+
+\prew
+\textbf{lemma} ``$\exists g.\; \forall x.~g~(f~x) = x
+ \,\Longrightarrow\, \forall y.\; \exists x.~y = f~x$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape
+Nitpick found a counterexample for \textit{card} $'a$~= 2 and \textit{card} $'b$~=~1: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $f = \undef{}(b_1 := a_1)$ \\
+\hbox{}\qquad Skolem constants: \nopagebreak \\
+\hbox{}\qquad\qquad $g = \undef{}(a_1 := b_1,\> a_2 := b_1)$ \\
+\hbox{}\qquad\qquad $y = a_2$
+\postw
+
+(The Isabelle/HOL notation $f(x := y)$ denotes the function that maps $x$ to $y$
+and that otherwise behaves like $f$.)
+Although $f$ is the only free variable occurring in the formula, Nitpick also
+displays values for the bound variables $g$ and $y$. These values are available
+to Nitpick because it performs skolemization as a preprocessing step.
+
+In the previous example, skolemization only affected the outermost quantifiers.
+This is not always the case, as illustrated below:
+
+\prew
+\textbf{lemma} ``$\exists x.\; \forall f.\; f~x = x$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape
+Nitpick found a counterexample for \textit{card} $'a$~= 2: \\[2\smallskipamount]
+\hbox{}\qquad Skolem constant: \nopagebreak \\
+\hbox{}\qquad\qquad $\lambda x.\; f =
+ \undef{}(\!\begin{aligned}[t]
+ & a_1 := \undef{}(a_1 := a_2,\> a_2 := a_1), \\[-2pt]
+ & a_2 := \undef{}(a_1 := a_1,\> a_2 := a_1))\end{aligned}$
+\postw
+
+The variable $f$ is bound within the scope of $x$; therefore, $f$ depends on
+$x$, as suggested by the notation $\lambda x.\,f$. If $x = a_1$, then $f$ is the
+function that maps $a_1$ to $a_2$ and vice versa; otherwise, $x = a_2$ and $f$
+maps both $a_1$ and $a_2$ to $a_1$. In both cases, $f~x \not= x$.
+
+The source of the Skolem constants is sometimes more obscure:
+
+\prew
+\textbf{lemma} ``$\mathit{refl}~r\,\Longrightarrow\, \mathit{sym}~r$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape
+Nitpick found a counterexample for \textit{card} $'a$~= 2: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $r = \{(a_1, a_1),\, (a_2, a_1),\, (a_2, a_2)\}$ \\
+\hbox{}\qquad Skolem constants: \nopagebreak \\
+\hbox{}\qquad\qquad $\mathit{sym}.x = a_2$ \\
+\hbox{}\qquad\qquad $\mathit{sym}.y = a_1$
+\postw
+
+What happened here is that Nitpick expanded \textit{sym} to its definition:
+
+\prew
+$\mathit{sym}~r \,\equiv\,
+ \forall x\> y.\,\> (x, y) \in r \longrightarrow (y, x) \in r.$
+\postw
+
+As their names suggest, the Skolem constants $\mathit{sym}.x$ and
+$\mathit{sym}.y$ are simply the bound variables $x$ and $y$
+from \textit{sym}'s definition.
+
+\subsection{Natural Numbers and Integers}
+\label{natural-numbers-and-integers}
+
+Because of the axiom of infinity, the type \textit{nat} does not admit any
+finite models. To deal with this, Nitpick's approach is to consider finite
+subsets $N$ of \textit{nat} and maps all numbers $\notin N$ to the undefined
+value (displayed as `$\unk$'). The type \textit{int} is handled similarly.
+Internally, undefined values lead to a three-valued logic.
+
+Here is an example involving \textit{int\/}:
+
+\prew
+\textbf{lemma} ``$\lbrakk i \le j;\> n \le (m{\Colon}\mathit{int})\rbrakk \,\Longrightarrow\, i * n + j * m \le i * m + j * n$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $i = 0$ \\
+\hbox{}\qquad\qquad $j = 1$ \\
+\hbox{}\qquad\qquad $m = 1$ \\
+\hbox{}\qquad\qquad $n = 0$
+\postw
+
+Internally, Nitpick uses either a unary or a binary representation of numbers.
+The unary representation is more efficient but only suitable for numbers very
+close to zero. By default, Nitpick attempts to choose the more appropriate
+encoding by inspecting the formula at hand. This behavior can be overridden by
+passing either \textit{unary\_ints} or \textit{binary\_ints} as option. For
+binary notation, the number of bits to use can be specified using
+the \textit{bits} option. For example:
+
+\prew
+\textbf{nitpick} [\textit{binary\_ints}, \textit{bits}${} = 16$]
+\postw
+
+With infinite types, we don't always have the luxury of a genuine counterexample
+and must often content ourselves with a potentially spurious one. The tedious
+task of finding out whether the potentially spurious counterexample is in fact
+genuine can be delegated to \textit{auto} by passing \textit{check\_potential}.
+For example:
+
+\prew
+\textbf{lemma} ``$\forall n.\; \textit{Suc}~n \mathbin{\not=} n \,\Longrightarrow\, P$'' \\
+\textbf{nitpick} [\textit{card~nat}~= 50, \textit{check\_potential}] \\[2\smallskipamount]
+\slshape Warning: The conjecture either trivially holds for the given scopes or lies outside Nitpick's supported
+fragment. Only potentially spurious counterexamples may be found. \\[2\smallskipamount]
+Nitpick found a potentially spurious counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $P = \textit{False}$ \\[2\smallskipamount]
+Confirmation by ``\textit{auto}'': The above counterexample is genuine.
+\postw
+
+You might wonder why the counterexample is first reported as potentially
+spurious. The root of the problem is that the bound variable in $\forall n.\;
+\textit{Suc}~n \mathbin{\not=} n$ ranges over an infinite type. If Nitpick finds
+an $n$ such that $\textit{Suc}~n \mathbin{=} n$, it evaluates the assumption to
+\textit{False}; but otherwise, it does not know anything about values of $n \ge
+\textit{card~nat}$ and must therefore evaluate the assumption to~$\unk$, not
+\textit{True}. Since the assumption can never be satisfied, the putative lemma
+can never be falsified.
+
+Incidentally, if you distrust the so-called genuine counterexamples, you can
+enable \textit{check\_\allowbreak genuine} to verify them as well. However, be
+aware that \textit{auto} will usually fail to prove that the counterexample is
+genuine or spurious.
+
+Some conjectures involving elementary number theory make Nitpick look like a
+giant with feet of clay:
+
+\prew
+\textbf{lemma} ``$P~\textit{Suc\/}$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape
+Nitpick found no counterexample.
+\postw
+
+On any finite set $N$, \textit{Suc} is a partial function; for example, if $N =
+\{0, 1, \ldots, k\}$, then \textit{Suc} is $\{0 \mapsto 1,\, 1 \mapsto 2,\,
+\ldots,\, k \mapsto \unk\}$, which evaluates to $\unk$ when passed as
+argument to $P$. As a result, $P~\textit{Suc}$ is always $\unk$. The next
+example is similar:
+
+\prew
+\textbf{lemma} ``$P~(\textit{op}~{+}\Colon
+\textit{nat}\mathbin{\Rightarrow}\textit{nat}\mathbin{\Rightarrow}\textit{nat})$'' \\
+\textbf{nitpick} [\textit{card nat} = 1] \\[2\smallskipamount]
+{\slshape Nitpick found a counterexample:} \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $P = \unkef(\unkef(0 := \unkef(0 := 0)) := \mathit{False})$ \\[2\smallskipamount]
+\textbf{nitpick} [\textit{card nat} = 2] \\[2\smallskipamount]
+{\slshape Nitpick found no counterexample.}
+\postw
+
+The problem here is that \textit{op}~+ is total when \textit{nat} is taken to be
+$\{0\}$ but becomes partial as soon as we add $1$, because
+$1 + 1 \notin \{0, 1\}$.
+
+Because numbers are infinite and are approximated using a three-valued logic,
+there is usually no need to systematically enumerate domain sizes. If Nitpick
+cannot find a genuine counterexample for \textit{card~nat}~= $k$, it is very
+unlikely that one could be found for smaller domains. (The $P~(\textit{op}~{+})$
+example above is an exception to this principle.) Nitpick nonetheless enumerates
+all cardinalities from 1 to 10 for \textit{nat}, mainly because smaller
+cardinalities are fast to handle and give rise to simpler counterexamples. This
+is explained in more detail in \S\ref{scope-monotonicity}.
+
+\subsection{Inductive Datatypes}
+\label{inductive-datatypes}
+
+Like natural numbers and integers, inductive datatypes with recursive
+constructors admit no finite models and must be approximated by a subterm-closed
+subset. For example, using a cardinality of 10 for ${'}a~\textit{list}$,
+Nitpick looks for all counterexamples that can be built using at most 10
+different lists.
+
+Let's see with an example involving \textit{hd} (which returns the first element
+of a list) and $@$ (which concatenates two lists):
+
+\prew
+\textbf{lemma} ``$\textit{hd}~(\textit{xs} \mathbin{@} [y, y]) = \textit{hd}~\textit{xs\/}$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{xs} = []$ \\
+\hbox{}\qquad\qquad $\textit{y} = a_1$
+\postw
+
+To see why the counterexample is genuine, we enable \textit{show\_consts}
+and \textit{show\_\allowbreak datatypes}:
+
+\prew
+{\slshape Datatype:} \\
+\hbox{}\qquad $'a$~\textit{list}~= $\{[],\, [a_1],\, [a_1, a_1],\, \unr\}$ \\
+{\slshape Constants:} \\
+\hbox{}\qquad $\lambda x_1.\; x_1 \mathbin{@} [y, y] = \unkef([] := [a_1, a_1])$ \\
+\hbox{}\qquad $\textit{hd} = \unkef([] := a_2,\> [a_1] := a_1,\> [a_1, a_1] := a_1)$
+\postw
+
+Since $\mathit{hd}~[]$ is undefined in the logic, it may be given any value,
+including $a_2$.
+
+The second constant, $\lambda x_1.\; x_1 \mathbin{@} [y, y]$, is simply the
+append operator whose second argument is fixed to be $[y, y]$. Appending $[a_1,
+a_1]$ to $[a_1]$ would normally give $[a_1, a_1, a_1]$, but this value is not
+representable in the subset of $'a$~\textit{list} considered by Nitpick, which
+is shown under the ``Datatype'' heading; hence the result is $\unk$. Similarly,
+appending $[a_1, a_1]$ to itself gives $\unk$.
+
+Given \textit{card}~$'a = 3$ and \textit{card}~$'a~\textit{list} = 3$, Nitpick
+considers the following subsets:
+
+\kern-.5\smallskipamount %% TYPESETTING
+
+\prew
+\begin{multicols}{3}
+$\{[],\, [a_1],\, [a_2]\}$; \\
+$\{[],\, [a_1],\, [a_3]\}$; \\
+$\{[],\, [a_2],\, [a_3]\}$; \\
+$\{[],\, [a_1],\, [a_1, a_1]\}$; \\
+$\{[],\, [a_1],\, [a_2, a_1]\}$; \\
+$\{[],\, [a_1],\, [a_3, a_1]\}$; \\
+$\{[],\, [a_2],\, [a_1, a_2]\}$; \\
+$\{[],\, [a_2],\, [a_2, a_2]\}$; \\
+$\{[],\, [a_2],\, [a_3, a_2]\}$; \\
+$\{[],\, [a_3],\, [a_1, a_3]\}$; \\
+$\{[],\, [a_3],\, [a_2, a_3]\}$; \\
+$\{[],\, [a_3],\, [a_3, a_3]\}$.
+\end{multicols}
+\postw
+
+\kern-2\smallskipamount %% TYPESETTING
+
+All subterm-closed subsets of $'a~\textit{list}$ consisting of three values
+are listed and only those. As an example of a non-subterm-closed subset,
+consider $\mathcal{S} = \{[],\, [a_1],\,\allowbreak [a_1, a_2]\}$, and observe
+that $[a_1, a_2]$ (i.e., $a_1 \mathbin{\#} [a_2]$) has $[a_2] \notin
+\mathcal{S}$ as a subterm.
+
+Here's another m\"ochtegern-lemma that Nitpick can refute without a blink:
+
+\prew
+\textbf{lemma} ``$\lbrakk \textit{length}~\textit{xs} = 1;\> \textit{length}~\textit{ys} = 1
+\rbrakk \,\Longrightarrow\, \textit{xs} = \textit{ys\/}$''
+\\
+\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample for \textit{card} $'a$~= 3: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{xs} = [a_2]$ \\
+\hbox{}\qquad\qquad $\textit{ys} = [a_1]$ \\
+\hbox{}\qquad Datatypes: \\
+\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, \unr\}$ \\
+\hbox{}\qquad\qquad $'a$~\textit{list} = $\{[],\, [a_1],\, [a_2],\, \unr\}$
+\postw
+
+Because datatypes are approximated using a three-valued logic, there is usually
+no need to systematically enumerate cardinalities: If Nitpick cannot find a
+genuine counterexample for \textit{card}~$'a~\textit{list}$~= 10, it is very
+unlikely that one could be found for smaller cardinalities.
+
+\subsection{Typedefs, Quotient Types, Records, Rationals, and Reals}
+\label{typedefs-quotient-types-records-rationals-and-reals}
+
+Nitpick generally treats types declared using \textbf{typedef} as datatypes
+whose single constructor is the corresponding \textit{Abs\_\kern.1ex} function.
+For example:
+
+\prew
+\textbf{typedef}~\textit{three} = ``$\{0\Colon\textit{nat},\, 1,\, 2\}$'' \\
+\textbf{by}~\textit{blast} \\[2\smallskipamount]
+\textbf{definition}~$A \mathbin{\Colon} \textit{three}$ \textbf{where} ``\kern-.1em$A \,\equiv\, \textit{Abs\_\allowbreak three}~0$'' \\
+\textbf{definition}~$B \mathbin{\Colon} \textit{three}$ \textbf{where} ``$B \,\equiv\, \textit{Abs\_three}~1$'' \\
+\textbf{definition}~$C \mathbin{\Colon} \textit{three}$ \textbf{where} ``$C \,\equiv\, \textit{Abs\_three}~2$'' \\[2\smallskipamount]
+\textbf{lemma} ``$\lbrakk A \in X;\> B \in X\rbrakk \,\Longrightarrow\, c \in X$'' \\
+\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $X = \{\Abs{0},\, \Abs{1}\}$ \\
+\hbox{}\qquad\qquad $c = \Abs{2}$ \\
+\hbox{}\qquad Datatypes: \\
+\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{three} = \{\Abs{0},\, \Abs{1},\, \Abs{2},\, \unr\}$
+\postw
+
+In the output above, $\Abs{n}$ abbreviates $\textit{Abs\_three}~n$.
+
+Quotient types are handled in much the same way. The following fragment defines
+the integer type \textit{my\_int} by encoding the integer $x$ by a pair of
+natural numbers $(m, n)$ such that $x + n = m$:
+
+\prew
+\textbf{fun} \textit{my\_int\_rel} \textbf{where} \\
+``$\textit{my\_int\_rel}~(x,\, y)~(u,\, v) = (x + v = u + y)$'' \\[2\smallskipamount]
+%
+\textbf{quotient\_type}~\textit{my\_int} = ``$\textit{nat} \times \textit{nat\/}$''$\;{/}\;$\textit{my\_int\_rel} \\
+\textbf{by}~(\textit{auto simp add\/}:\ \textit{equivp\_def fun\_eq\_iff}) \\[2\smallskipamount]
+%
+\textbf{definition}~\textit{add\_raw}~\textbf{where} \\
+``$\textit{add\_raw} \,\equiv\, \lambda(x,\, y)~(u,\, v).\; (x + (u\Colon\textit{nat}), y + (v\Colon\textit{nat}))$'' \\[2\smallskipamount]
+%
+\textbf{quotient\_definition} ``$\textit{add\/}\Colon\textit{my\_int} \Rightarrow \textit{my\_int} \Rightarrow \textit{my\_int\/}$'' \textbf{is} \textit{add\_raw} \\[2\smallskipamount]
+%
+\textbf{lemma} ``$\textit{add}~x~y = \textit{add}~x~x$'' \\
+\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $x = \Abs{(0,\, 0)}$ \\
+\hbox{}\qquad\qquad $y = \Abs{(0,\, 1)}$ \\
+\hbox{}\qquad Datatypes: \\
+\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{nat} \times \textit{nat}~[\textsl{boxed\/}] = \{(0,\, 0),\> (1,\, 0),\> \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{my\_int} = \{\Abs{(0,\, 0)},\> \Abs{(0,\, 1)},\> \unr\}$
+\postw
+
+The values $\Abs{(0,\, 0)}$ and $\Abs{(0,\, 1)}$ represent the
+integers $0$ and $-1$, respectively. Other representants would have been
+possible---e.g., $\Abs{(5,\, 5)}$ and $\Abs{(11,\, 12)}$. If we are going to
+use \textit{my\_int} extensively, it pays off to install a term postprocessor
+that converts the pair notation to the standard mathematical notation:
+
+\prew
+$\textbf{ML}~\,\{{*} \\
+\!\begin{aligned}[t]
+%& ({*}~\,\textit{Proof.context} \rightarrow \textit{string} \rightarrow (\textit{typ} \rightarrow \textit{term~list\/}) \rightarrow \textit{typ} \rightarrow \textit{term} \\[-2pt]
+%& \phantom{(*}~\,{\rightarrow}\;\textit{term}~\,{*}) \\[-2pt]
+& \textbf{fun}\,~\textit{my\_int\_postproc}~\_~\_~\_~T~(\textit{Const}~\_~\$~(\textit{Const}~\_~\$~\textit{t1}~\$~\textit{t2\/})) = {} \\[-2pt]
+& \phantom{fun}\,~\textit{HOLogic.mk\_number}~T~(\textit{snd}~(\textit{HOLogic.dest\_number~t1}) \\[-2pt]
+& \phantom{fun\,~\textit{HOLogic.mk\_number}~T~(}{-}~\textit{snd}~(\textit{HOLogic.dest\_number~t2\/})) \\[-2pt]
+& \phantom{fun}\!{\mid}\,~\textit{my\_int\_postproc}~\_~\_~\_~\_~t = t \\[-2pt]
+{*}\}\end{aligned}$ \\[2\smallskipamount]
+$\textbf{declaration}~\,\{{*} \\
+\!\begin{aligned}[t]
+& \textit{Nitpick\_Model.register\_term\_postprocessor}~\!\begin{aligned}[t]
+ & @\{\textrm{typ}~\textit{my\_int}\} \\[-2pt]
+ & \textit{my\_int\_postproc}\end{aligned} \\[-2pt]
+{*}\}\end{aligned}$
+\postw
+
+Records are handled as datatypes with a single constructor:
+
+\prew
+\textbf{record} \textit{point} = \\
+\hbox{}\quad $\textit{Xcoord} \mathbin{\Colon} \textit{int}$ \\
+\hbox{}\quad $\textit{Ycoord} \mathbin{\Colon} \textit{int}$ \\[2\smallskipamount]
+\textbf{lemma} ``$\textit{Xcoord}~(p\Colon\textit{point}) = \textit{Xcoord}~(q\Colon\textit{point})$'' \\
+\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $p = \lparr\textit{Xcoord} = 1,\> \textit{Ycoord} = 1\rparr$ \\
+\hbox{}\qquad\qquad $q = \lparr\textit{Xcoord} = 0,\> \textit{Ycoord} = 0\rparr$ \\
+\hbox{}\qquad Datatypes: \\
+\hbox{}\qquad\qquad $\textit{int} = \{0,\, 1,\, \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{point} = \{\!\begin{aligned}[t]
+& \lparr\textit{Xcoord} = 0,\> \textit{Ycoord} = 0\rparr, \\[-2pt] %% TYPESETTING
+& \lparr\textit{Xcoord} = 1,\> \textit{Ycoord} = 1\rparr,\, \unr\}\end{aligned}$
+\postw
+
+Finally, Nitpick provides rudimentary support for rationals and reals using a
+similar approach:
+
+\prew
+\textbf{lemma} ``$4 * x + 3 * (y\Colon\textit{real}) \not= 1/2$'' \\
+\textbf{nitpick} [\textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $x = 1/2$ \\
+\hbox{}\qquad\qquad $y = -1/2$ \\
+\hbox{}\qquad Datatypes: \\
+\hbox{}\qquad\qquad $\textit{nat} = \{0,\, 1,\, 2,\, 3,\, 4,\, 5,\, 6,\, 7,\, \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{int} = \{-3,\, -2,\, -1,\, 0,\, 1,\, 2,\, 3,\, 4,\, \unr\}$ \\
+\hbox{}\qquad\qquad $\textit{real} = \{-3/2,\, -1/2,\, 0,\, 1/2,\, 1,\, 2,\, 3,\, 4,\, \unr\}$
+\postw
+
+\subsection{Inductive and Coinductive Predicates}
+\label{inductive-and-coinductive-predicates}
+
+Inductively defined predicates (and sets) are particularly problematic for
+counterexample generators. They can make Quickcheck~\cite{berghofer-nipkow-2004}
+loop forever and Refute~\cite{weber-2008} run out of resources. The crux of
+the problem is that they are defined using a least fixed-point construction.
+
+Nitpick's philosophy is that not all inductive predicates are equal. Consider
+the \textit{even} predicate below:
+
+\prew
+\textbf{inductive}~\textit{even}~\textbf{where} \\
+``\textit{even}~0'' $\,\mid$ \\
+``\textit{even}~$n\,\Longrightarrow\, \textit{even}~(\textit{Suc}~(\textit{Suc}~n))$''
+\postw
+
+This predicate enjoys the desirable property of being well-founded, which means
+that the introduction rules don't give rise to infinite chains of the form
+
+\prew
+$\cdots\,\Longrightarrow\, \textit{even}~k''
+ \,\Longrightarrow\, \textit{even}~k'
+ \,\Longrightarrow\, \textit{even}~k.$
+\postw
+
+For \textit{even}, this is obvious: Any chain ending at $k$ will be of length
+$k/2 + 1$:
+
+\prew
+$\textit{even}~0\,\Longrightarrow\, \textit{even}~2\,\Longrightarrow\, \cdots
+ \,\Longrightarrow\, \textit{even}~(k - 2)
+ \,\Longrightarrow\, \textit{even}~k.$
+\postw
+
+Wellfoundedness is desirable because it enables Nitpick to use a very efficient
+fixed-point computation.%
+\footnote{If an inductive predicate is
+well-founded, then it has exactly one fixed point, which is simultaneously the
+least and the greatest fixed point. In these circumstances, the computation of
+the least fixed point amounts to the computation of an arbitrary fixed point,
+which can be performed using a straightforward recursive equation.}
+Moreover, Nitpick can prove wellfoundedness of most well-founded predicates,
+just as Isabelle's \textbf{function} package usually discharges termination
+proof obligations automatically.
+
+Let's try an example:
+
+\prew
+\textbf{lemma} ``$\exists n.\; \textit{even}~n \mathrel{\land} \textit{even}~(\textit{Suc}~n)$'' \\
+\textbf{nitpick}~[\textit{card nat}~= 50, \textit{unary\_ints}, \textit{verbose}] \\[2\smallskipamount]
+\slshape The inductive predicate ``\textit{even}'' was proved well-founded.
+Nitpick can compute it efficiently. \\[2\smallskipamount]
+Trying 1 scope: \\
+\hbox{}\qquad \textit{card nat}~= 50. \\[2\smallskipamount]
+Warning: The conjecture either trivially holds for the given scopes or lies outside Nitpick's supported fragment. Only
+potentially spurious counterexamples may be found. \\[2\smallskipamount]
+Nitpick found a potentially spurious counterexample for \textit{card nat}~= 50: \\[2\smallskipamount]
+\hbox{}\qquad Empty assignment \\[2\smallskipamount]
+Nitpick could not find a better counterexample. It checked 1 of 1 scope. \\[2\smallskipamount]
+Total time: 1.62 s.
+\postw
+
+No genuine counterexample is possible because Nitpick cannot rule out the
+existence of a natural number $n \ge 50$ such that both $\textit{even}~n$ and
+$\textit{even}~(\textit{Suc}~n)$ are true. To help Nitpick, we can bound the
+existential quantifier:
+
+\prew
+\textbf{lemma} ``$\exists n \mathbin{\le} 49.\; \textit{even}~n \mathrel{\land} \textit{even}~(\textit{Suc}~n)$'' \\
+\textbf{nitpick}~[\textit{card nat}~= 50, \textit{unary\_ints}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Empty assignment
+\postw
+
+So far we were blessed by the wellfoundedness of \textit{even}. What happens if
+we use the following definition instead?
+
+\prew
+\textbf{inductive} $\textit{even}'$ \textbf{where} \\
+``$\textit{even}'~(0{\Colon}\textit{nat})$'' $\,\mid$ \\
+``$\textit{even}'~2$'' $\,\mid$ \\
+``$\lbrakk\textit{even}'~m;\> \textit{even}'~n\rbrakk \,\Longrightarrow\, \textit{even}'~(m + n)$''
+\postw
+
+This definition is not well-founded: From $\textit{even}'~0$ and
+$\textit{even}'~0$, we can derive that $\textit{even}'~0$. Nonetheless, the
+predicates $\textit{even}$ and $\textit{even}'$ are equivalent.
+
+Let's check a property involving $\textit{even}'$. To make up for the
+foreseeable computational hurdles entailed by non-wellfoundedness, we decrease
+\textit{nat}'s cardinality to a mere 10:
+
+\prew
+\textbf{lemma}~``$\exists n \in \{0, 2, 4, 6, 8\}.\;
+\lnot\;\textit{even}'~n$'' \\
+\textbf{nitpick}~[\textit{card nat}~= 10,\, \textit{verbose},\, \textit{show\_consts}] \\[2\smallskipamount]
+\slshape
+The inductive predicate ``$\textit{even}'\!$'' could not be proved well-founded.
+Nitpick might need to unroll it. \\[2\smallskipamount]
+Trying 6 scopes: \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 0; \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 1; \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 2; \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 4; \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 8; \\
+\hbox{}\qquad \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 9. \\[2\smallskipamount]
+Nitpick found a counterexample for \textit{card nat}~= 10 and \textit{iter} $\textit{even}'$~= 2: \\[2\smallskipamount]
+\hbox{}\qquad Constant: \nopagebreak \\
+\hbox{}\qquad\qquad $\lambda i.\; \textit{even}'$ = $\unkef(\!\begin{aligned}[t]
+& 0 := \unkef(0 := \textit{True},\, 2 := \textit{True}),\, \\[-2pt]
+& 1 := \unkef(0 := \textit{True},\, 2 := \textit{True},\, 4 := \textit{True}),\, \\[-2pt]
+& 2 := \unkef(0 := \textit{True},\, 2 := \textit{True},\, 4 := \textit{True},\, \\[-2pt]
+& \phantom{2 := \unkef(}6 := \textit{True},\, 8 := \textit{True}))\end{aligned}$ \\[2\smallskipamount]
+Total time: 1.87 s.
+\postw
+
+Nitpick's output is very instructive. First, it tells us that the predicate is
+unrolled, meaning that it is computed iteratively from the empty set. Then it
+lists six scopes specifying different bounds on the numbers of iterations:\ 0,
+1, 2, 4, 8, and~9.
+
+The output also shows how each iteration contributes to $\textit{even}'$. The
+notation $\lambda i.\; \textit{even}'$ indicates that the value of the
+predicate depends on an iteration counter. Iteration 0 provides the basis
+elements, $0$ and $2$. Iteration 1 contributes $4$ ($= 2 + 2$). Iteration 2
+throws $6$ ($= 2 + 4 = 4 + 2$) and $8$ ($= 4 + 4$) into the mix. Further
+iterations would not contribute any new elements.
+The predicate $\textit{even}'$ evaluates to either \textit{True} or $\unk$,
+never \textit{False}.
+
+%Some values are marked with superscripted question
+%marks~(`\lower.2ex\hbox{$^\Q$}'). These are the elements for which the
+%predicate evaluates to $\unk$.
+
+When unrolling a predicate, Nitpick tries 0, 1, 2, 4, 8, 12, 16, 20, 24, and 28
+iterations. However, these numbers are bounded by the cardinality of the
+predicate's domain. With \textit{card~nat}~= 10, no more than 9 iterations are
+ever needed to compute the value of a \textit{nat} predicate. You can specify
+the number of iterations using the \textit{iter} option, as explained in
+\S\ref{scope-of-search}.
+
+In the next formula, $\textit{even}'$ occurs both positively and negatively:
+
+\prew
+\textbf{lemma} ``$\textit{even}'~(n - 2) \,\Longrightarrow\, \textit{even}'~n$'' \\
+\textbf{nitpick} [\textit{card nat} = 10, \textit{show\_consts}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $n = 1$ \\
+\hbox{}\qquad Constants: \nopagebreak \\
+\hbox{}\qquad\qquad $\lambda i.\; \textit{even}'$ = $\unkef(\!\begin{aligned}[t]
+& 0 := \unkef(0 := \mathit{True},\, 2 := \mathit{True}))\end{aligned}$ \\
+\hbox{}\qquad\qquad $\textit{even}' \leq \unkef(\!\begin{aligned}[t]
+& 0 := \mathit{True},\, 1 := \mathit{False},\, 2 := \mathit{True},\, \\[-2pt]
+& 4 := \mathit{True},\, 6 := \mathit{True},\, 8 := \mathit{True})\end{aligned}$
+\postw
+
+Notice the special constraint $\textit{even}' \leq \ldots$ in the output, whose
+right-hand side represents an arbitrary fixed point (not necessarily the least
+one). It is used to falsify $\textit{even}'~n$. In contrast, the unrolled
+predicate is used to satisfy $\textit{even}'~(n - 2)$.
+
+Coinductive predicates are handled dually. For example:
+
+\prew
+\textbf{coinductive} \textit{nats} \textbf{where} \\
+``$\textit{nats}~(x\Colon\textit{nat}) \,\Longrightarrow\, \textit{nats}~x$'' \\[2\smallskipamount]
+\textbf{lemma} ``$\textit{nats} = (\lambda n.\; n \mathbin\in \{0, 1, 2, 3, 4\})$'' \\
+\textbf{nitpick}~[\textit{card nat} = 10,\, \textit{show\_consts}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample:
+\\[2\smallskipamount]
+\hbox{}\qquad Constants: \nopagebreak \\
+\hbox{}\qquad\qquad $\lambda i.\; \textit{nats} = \unkef(0 := \unkef,\, 1 := \unkef,\, 2 := \unkef)$ \\
+\hbox{}\qquad\qquad $\textit{nats} \geq \unkef(3 := \textit{True},\, 4 := \textit{False},\, 5 := \textit{True})$
+\postw
+
+As a special case, Nitpick uses Kodkod's transitive closure operator to encode
+negative occurrences of non-well-founded ``linear inductive predicates,'' i.e.,
+inductive predicates for which each the predicate occurs in at most one
+assumption of each introduction rule. For example:
+
+\prew
+\textbf{inductive} \textit{odd} \textbf{where} \\
+``$\textit{odd}~1$'' $\,\mid$ \\
+``$\lbrakk \textit{odd}~m;\>\, \textit{even}~n\rbrakk \,\Longrightarrow\, \textit{odd}~(m + n)$'' \\[2\smallskipamount]
+\textbf{lemma}~``$\textit{odd}~n \,\Longrightarrow\, \textit{odd}~(n - 2)$'' \\
+\textbf{nitpick}~[\textit{card nat} = 4,\, \textit{show\_consts}] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample:
+\\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $n = 1$ \\
+\hbox{}\qquad Constants: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{even} = (λx. ?)(0 := True, 1 := False, 2 := True, 3 := False)$ \\
+\hbox{}\qquad\qquad $\textit{odd}_{\textsl{base}} = {}$ \\
+\hbox{}\qquad\qquad\quad $\unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{False})$ \\
+\hbox{}\qquad\qquad $\textit{odd}_{\textsl{step}} = \unkef$\\
+\hbox{}\qquad\qquad\quad $(
+\!\begin{aligned}[t]
+& 0 := \unkef(0 := \textit{True},\, 1 := \textit{False},\, 2 := \textit{True},\, 3 := \textit{False}), \\[-2pt]
+& 1 := \unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{True}), \\[-2pt]
+& 2 := \unkef(0 := \textit{False},\, 1 := \textit{False},\, 2 := \textit{True},\, 3 := \textit{False}), \\[-2pt]
+& 3 := \unkef(0 := \textit{False},\, 1 := \textit{False},\, 2 := \textit{False},\, 3 := \textit{True}))
+\end{aligned}$ \\
+\hbox{}\qquad\qquad $\textit{odd} \leq \unkef(0 := \textit{False},\, 1 := \textit{True},\, 2 := \textit{False},\, 3 := \textit{True})$
+\postw
+
+\noindent
+In the output, $\textit{odd}_{\textrm{base}}$ represents the base elements and
+$\textit{odd}_{\textrm{step}}$ is a transition relation that computes new
+elements from known ones. The set $\textit{odd}$ consists of all the values
+reachable through the reflexive transitive closure of
+$\textit{odd}_{\textrm{step}}$ starting with any element from
+$\textit{odd}_{\textrm{base}}$, namely 1 and 3. Using Kodkod's
+transitive closure to encode linear predicates is normally either more thorough
+or more efficient than unrolling (depending on the value of \textit{iter}), but
+you can disable it by passing the \textit{dont\_star\_linear\_preds} option.
+
+\subsection{Coinductive Datatypes}
+\label{coinductive-datatypes}
+
+While Isabelle regrettably lacks a high-level mechanism for defining coinductive
+datatypes, the \textit{Coinductive\_List} theory from Andreas Lochbihler's
+\textit{Coinductive} AFP entry \cite{lochbihler-2010} provides a coinductive
+``lazy list'' datatype, $'a~\textit{llist}$, defined the hard way. Nitpick
+supports these lazy lists seamlessly and provides a hook, described in
+\S\ref{registration-of-coinductive-datatypes}, to register custom coinductive
+datatypes.
+
+(Co)intuitively, a coinductive datatype is similar to an inductive datatype but
+allows infinite objects. Thus, the infinite lists $\textit{ps}$ $=$ $[a, a, a,
+\ldots]$, $\textit{qs}$ $=$ $[a, b, a, b, \ldots]$, and $\textit{rs}$ $=$ $[0,
+1, 2, 3, \ldots]$ can be defined as lazy lists using the
+$\textit{LNil}\mathbin{\Colon}{'}a~\textit{llist}$ and
+$\textit{LCons}\mathbin{\Colon}{'}a \mathbin{\Rightarrow} {'}a~\textit{llist}
+\mathbin{\Rightarrow} {'}a~\textit{llist}$ constructors.
+
+Although it is otherwise no friend of infinity, Nitpick can find counterexamples
+involving cyclic lists such as \textit{ps} and \textit{qs} above as well as
+finite lists:
+
+\prew
+\textbf{lemma} ``$\textit{xs} \not= \textit{LCons}~a~\textit{xs\/}$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample for {\itshape card}~$'a$ = 1: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{a} = a_1$ \\
+\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$
+\postw
+
+The notation $\textrm{THE}~\omega.\; \omega = t(\omega)$ stands
+for the infinite term $t(t(t(\ldots)))$. Hence, \textit{xs} is simply the
+infinite list $[a_1, a_1, a_1, \ldots]$.
+
+The next example is more interesting:
+
+\prew
+\textbf{lemma}~``$\lbrakk\textit{xs} = \textit{LCons}~a~\textit{xs};\>\,
+\textit{ys} = \textit{iterates}~(\lambda b.\> a)~b\rbrakk \,\Longrightarrow\, \textit{xs} = \textit{ys\/}$'' \\
+\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
+\slshape The type $'a$ passed the monotonicity test. Nitpick might be able to skip
+some scopes. \\[2\smallskipamount]
+Trying 10 scopes: \\
+\hbox{}\qquad \textit{card} $'a$~= 1, \textit{card} ``\kern1pt$'a~\textit{list\/}$''~= 1,
+and \textit{bisim\_depth}~= 0. \\
+\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
+\hbox{}\qquad \textit{card} $'a$~= 10, \textit{card} ``\kern1pt$'a~\textit{list\/}$''~= 10,
+and \textit{bisim\_depth}~= 9. \\[2\smallskipamount]
+Nitpick found a counterexample for {\itshape card}~$'a$ = 2,
+\textit{card}~``\kern1pt$'a~\textit{llist\/}$''~= 2, and \textit{bisim\_\allowbreak
+depth}~= 1:
+\\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{a} = a_1$ \\
+\hbox{}\qquad\qquad $\textit{b} = a_2$ \\
+\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$ \\
+\hbox{}\qquad\qquad $\textit{ys} = \textit{LCons}~a_2~(\textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega)$ \\[2\smallskipamount]
+Total time: 1.11 s.
+\postw
+
+The lazy list $\textit{xs}$ is simply $[a_1, a_1, a_1, \ldots]$, whereas
+$\textit{ys}$ is $[a_2, a_1, a_1, a_1, \ldots]$, i.e., a lasso-shaped list with
+$[a_2]$ as its stem and $[a_1]$ as its cycle. In general, the list segment
+within the scope of the {THE} binder corresponds to the lasso's cycle, whereas
+the segment leading to the binder is the stem.
+
+A salient property of coinductive datatypes is that two objects are considered
+equal if and only if they lead to the same observations. For example, the two
+lazy lists
+%
+\begin{gather*}
+\textrm{THE}~\omega.\; \omega = \textit{LCons}~a~(\textit{LCons}~b~\omega) \\
+\textit{LCons}~a~(\textrm{THE}~\omega.\; \omega = \textit{LCons}~b~(\textit{LCons}~a~\omega))
+\end{gather*}
+%
+are identical, because both lead
+to the sequence of observations $a$, $b$, $a$, $b$, \hbox{\ldots} (or,
+equivalently, both encode the infinite list $[a, b, a, b, \ldots]$). This
+concept of equality for coinductive datatypes is called bisimulation and is
+defined coinductively.
+
+Internally, Nitpick encodes the coinductive bisimilarity predicate as part of
+the Kodkod problem to ensure that distinct objects lead to different
+observations. This precaution is somewhat expensive and often unnecessary, so it
+can be disabled by setting the \textit{bisim\_depth} option to $-1$. The
+bisimilarity check is then performed \textsl{after} the counterexample has been
+found to ensure correctness. If this after-the-fact check fails, the
+counterexample is tagged as ``quasi genuine'' and Nitpick recommends to try
+again with \textit{bisim\_depth} set to a nonnegative integer.
+
+The next formula illustrates the need for bisimilarity (either as a Kodkod
+predicate or as an after-the-fact check) to prevent spurious counterexamples:
+
+\prew
+\textbf{lemma} ``$\lbrakk xs = \textit{LCons}~a~\textit{xs};\>\, \textit{ys} = \textit{LCons}~a~\textit{ys}\rbrakk
+\,\Longrightarrow\, \textit{xs} = \textit{ys\/}$'' \\
+\textbf{nitpick} [\textit{bisim\_depth} = $-1$, \textit{show\_datatypes}] \\[2\smallskipamount]
+\slshape Nitpick found a quasi genuine counterexample for $\textit{card}~'a$ = 2: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $a = a_1$ \\
+\hbox{}\qquad\qquad $\textit{xs} = \textsl{THE}~\omega.\; \omega =
+\textit{LCons}~a_1~\omega$ \\
+\hbox{}\qquad\qquad $\textit{ys} = \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega$ \\
+\hbox{}\qquad Codatatype:\strut \nopagebreak \\
+\hbox{}\qquad\qquad $'a~\textit{llist} =
+\{\!\begin{aligned}[t]
+ & \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega, \\[-2pt]
+ & \textsl{THE}~\omega.\; \omega = \textit{LCons}~a_1~\omega,\> \unr\}\end{aligned}$
+\\[2\smallskipamount]
+Try again with ``\textit{bisim\_depth}'' set to a nonnegative value to confirm
+that the counterexample is genuine. \\[2\smallskipamount]
+{\upshape\textbf{nitpick}} \\[2\smallskipamount]
+\slshape Nitpick found no counterexample.
+\postw
+
+In the first \textbf{nitpick} invocation, the after-the-fact check discovered
+that the two known elements of type $'a~\textit{llist}$ are bisimilar, prompting
+Nitpick to label the example ``quasi genuine.''
+
+A compromise between leaving out the bisimilarity predicate from the Kodkod
+problem and performing the after-the-fact check is to specify a lower
+nonnegative \textit{bisim\_depth} value than the default one provided by
+Nitpick. In general, a value of $K$ means that Nitpick will require all lists to
+be distinguished from each other by their prefixes of length $K$. Be aware that
+setting $K$ to a too low value can overconstrain Nitpick, preventing it from
+finding any counterexamples.
+
+\subsection{Boxing}
+\label{boxing}
+
+Nitpick normally maps function and product types directly to the corresponding
+Kodkod concepts. As a consequence, if $'a$ has cardinality 3 and $'b$ has
+cardinality 4, then $'a \times {'}b$ has cardinality 12 ($= 4 \times 3$) and $'a
+\Rightarrow {'}b$ has cardinality 64 ($= 4^3$). In some circumstances, it pays
+off to treat these types in the same way as plain datatypes, by approximating
+them by a subset of a given cardinality. This technique is called ``boxing'' and
+is particularly useful for functions passed as arguments to other functions, for
+high-arity functions, and for large tuples. Under the hood, boxing involves
+wrapping occurrences of the types $'a \times {'}b$ and $'a \Rightarrow {'}b$ in
+isomorphic datatypes, as can be seen by enabling the \textit{debug} option.
+
+To illustrate boxing, we consider a formalization of $\lambda$-terms represented
+using de Bruijn's notation:
+
+\prew
+\textbf{datatype} \textit{tm} = \textit{Var}~\textit{nat}~$\mid$~\textit{Lam}~\textit{tm} $\mid$ \textit{App~tm~tm}
+\postw
+
+The $\textit{lift}~t~k$ function increments all variables with indices greater
+than or equal to $k$ by one:
+
+\prew
+\textbf{primrec} \textit{lift} \textbf{where} \\
+``$\textit{lift}~(\textit{Var}~j)~k = \textit{Var}~(\textrm{if}~j < k~\textrm{then}~j~\textrm{else}~j + 1)$'' $\mid$ \\
+``$\textit{lift}~(\textit{Lam}~t)~k = \textit{Lam}~(\textit{lift}~t~(k + 1))$'' $\mid$ \\
+``$\textit{lift}~(\textit{App}~t~u)~k = \textit{App}~(\textit{lift}~t~k)~(\textit{lift}~u~k)$''
+\postw
+
+The $\textit{loose}~t~k$ predicate returns \textit{True} if and only if
+term $t$ has a loose variable with index $k$ or more:
+
+\prew
+\textbf{primrec}~\textit{loose} \textbf{where} \\
+``$\textit{loose}~(\textit{Var}~j)~k = (j \ge k)$'' $\mid$ \\
+``$\textit{loose}~(\textit{Lam}~t)~k = \textit{loose}~t~(\textit{Suc}~k)$'' $\mid$ \\
+``$\textit{loose}~(\textit{App}~t~u)~k = (\textit{loose}~t~k \mathrel{\lor} \textit{loose}~u~k)$''
+\postw
+
+Next, the $\textit{subst}~\sigma~t$ function applies the substitution $\sigma$
+on $t$:
+
+\prew
+\textbf{primrec}~\textit{subst} \textbf{where} \\
+``$\textit{subst}~\sigma~(\textit{Var}~j) = \sigma~j$'' $\mid$ \\
+``$\textit{subst}~\sigma~(\textit{Lam}~t) = {}$\phantom{''} \\
+\phantom{``}$\textit{Lam}~(\textit{subst}~(\lambda n.\> \textrm{case}~n~\textrm{of}~0 \Rightarrow \textit{Var}~0 \mid \textit{Suc}~m \Rightarrow \textit{lift}~(\sigma~m)~1)~t)$'' $\mid$ \\
+``$\textit{subst}~\sigma~(\textit{App}~t~u) = \textit{App}~(\textit{subst}~\sigma~t)~(\textit{subst}~\sigma~u)$''
+\postw
+
+A substitution is a function that maps variable indices to terms. Observe that
+$\sigma$ is a function passed as argument and that Nitpick can't optimize it
+away, because the recursive call for the \textit{Lam} case involves an altered
+version. Also notice the \textit{lift} call, which increments the variable
+indices when moving under a \textit{Lam}.
+
+A reasonable property to expect of substitution is that it should leave closed
+terms unchanged. Alas, even this simple property does not hold:
+
+\pre
+\textbf{lemma}~``$\lnot\,\textit{loose}~t~0 \,\Longrightarrow\, \textit{subst}~\sigma~t = t$'' \\
+\textbf{nitpick} [\textit{verbose}] \\[2\smallskipamount]
+\slshape
+Trying 10 scopes: \nopagebreak \\
+\hbox{}\qquad \textit{card~nat}~= 1, \textit{card tm}~= 1, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 1; \\
+\hbox{}\qquad \textit{card~nat}~= 2, \textit{card tm}~= 2, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 2; \\
+\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
+\hbox{}\qquad \textit{card~nat}~= 10, \textit{card tm}~= 10, and \textit{card} ``$\textit{nat} \Rightarrow \textit{tm\/}$'' = 10. \\[2\smallskipamount]
+Nitpick found a counterexample for \textit{card~nat}~= 6, \textit{card~tm}~= 6,
+and \textit{card}~``$\textit{nat} \Rightarrow \textit{tm\/}$''~= 6: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\sigma = \unkef(\!\begin{aligned}[t]
+& 0 := \textit{Var}~0,\>
+ 1 := \textit{Var}~0,\>
+ 2 := \textit{Var}~0, \\[-2pt]
+& 3 := \textit{Var}~0,\>
+ 4 := \textit{Var}~0,\>
+ 5 := \textit{Lam}~(\textit{Lam}~(\textit{Var}~0)))\end{aligned}$ \\
+\hbox{}\qquad\qquad $t = \textit{Lam}~(\textit{Lam}~(\textit{Var}~1))$ \\[2\smallskipamount]
+Total time: 3.08 s.
+\postw
+
+Using \textit{eval}, we find out that $\textit{subst}~\sigma~t =
+\textit{Lam}~(\textit{Lam}~(\textit{Var}~0))$. Using the traditional
+$\lambda$-calculus notation, $t$ is
+$\lambda x\, y.\> x$ whereas $\textit{subst}~\sigma~t$ is (wrongly) $\lambda x\, y.\> y$.
+The bug is in \textit{subst\/}: The $\textit{lift}~(\sigma~m)~1$ call should be
+replaced with $\textit{lift}~(\sigma~m)~0$.
+
+An interesting aspect of Nitpick's verbose output is that it assigned inceasing
+cardinalities from 1 to 10 to the type $\textit{nat} \Rightarrow \textit{tm}$
+of the higher-order argument $\sigma$ of \textit{subst}.
+For the formula of interest, knowing 6 values of that type was enough to find
+the counterexample. Without boxing, $6^6 = 46\,656$ values must be
+considered, a hopeless undertaking:
+
+\prew
+\textbf{nitpick} [\textit{dont\_box}] \\[2\smallskipamount]
+{\slshape Nitpick ran out of time after checking 3 of 10 scopes.}
+\postw
+
+Boxing can be enabled or disabled globally or on a per-type basis using the
+\textit{box} option. Nitpick usually performs reasonable choices about which
+types should be boxed, but option tweaking sometimes helps.
+
+%A related optimization,
+%``finitization,'' attempts to wrap functions that are constant at all but finitely
+%many points (e.g., finite sets); see the documentation for the \textit{finitize}
+%option in \S\ref{scope-of-search} for details.
+
+\subsection{Scope Monotonicity}
+\label{scope-monotonicity}
+
+The \textit{card} option (together with \textit{iter}, \textit{bisim\_depth},
+and \textit{max}) controls which scopes are actually tested. In general, to
+exhaust all models below a certain cardinality bound, the number of scopes that
+Nitpick must consider increases exponentially with the number of type variables
+(and \textbf{typedecl}'d types) occurring in the formula. Given the default
+cardinality specification of 1--10, no fewer than $10^4 = 10\,000$ scopes must be
+considered for a formula involving $'a$, $'b$, $'c$, and $'d$.
+
+Fortunately, many formulas exhibit a property called \textsl{scope
+monotonicity}, meaning that if the formula is falsifiable for a given scope,
+it is also falsifiable for all larger scopes \cite[p.~165]{jackson-2006}.
+
+Consider the formula
+
+\prew
+\textbf{lemma}~``$\textit{length~xs} = \textit{length~ys} \,\Longrightarrow\, \textit{rev}~(\textit{zip~xs~ys}) = \textit{zip~xs}~(\textit{rev~ys})$''
+\postw
+
+where \textit{xs} is of type $'a~\textit{list}$ and \textit{ys} is of type
+$'b~\textit{list}$. A priori, Nitpick would need to consider $1\,000$ scopes to
+exhaust the specification \textit{card}~= 1--10 (10 cardinalies for $'a$
+$\times$ 10 cardinalities for $'b$ $\times$ 10 cardinalities for the datatypes).
+However, our intuition tells us that any counterexample found with a small scope
+would still be a counterexample in a larger scope---by simply ignoring the fresh
+$'a$ and $'b$ values provided by the larger scope. Nitpick comes to the same
+conclusion after a careful inspection of the formula and the relevant
+definitions:
+
+\prew
+\textbf{nitpick}~[\textit{verbose}] \\[2\smallskipamount]
+\slshape
+The types $'a$ and $'b$ passed the monotonicity test.
+Nitpick might be able to skip some scopes.
+ \\[2\smallskipamount]
+Trying 10 scopes: \\
+\hbox{}\qquad \textit{card} $'a$~= 1, \textit{card} $'b$~= 1,
+\textit{card} \textit{nat}~= 1, \textit{card} ``$('a \times {'}b)$
+\textit{list\/}''~= 1, \\
+\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 1, and
+\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 1. \\
+\hbox{}\qquad \textit{card} $'a$~= 2, \textit{card} $'b$~= 2,
+\textit{card} \textit{nat}~= 2, \textit{card} ``$('a \times {'}b)$
+\textit{list\/}''~= 2, \\
+\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 2, and
+\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 2. \\
+\hbox{}\qquad $\qquad\vdots$ \\[.5\smallskipamount]
+\hbox{}\qquad \textit{card} $'a$~= 10, \textit{card} $'b$~= 10,
+\textit{card} \textit{nat}~= 10, \textit{card} ``$('a \times {'}b)$
+\textit{list\/}''~= 10, \\
+\hbox{}\qquad\quad \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 10, and
+\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 10.
+\\[2\smallskipamount]
+Nitpick found a counterexample for
+\textit{card} $'a$~= 5, \textit{card} $'b$~= 5,
+\textit{card} \textit{nat}~= 5, \textit{card} ``$('a \times {'}b)$
+\textit{list\/}''~= 5, \textit{card} ``\kern1pt$'a$ \textit{list\/}''~= 5, and
+\textit{card} ``\kern1pt$'b$ \textit{list\/}''~= 5:
+\\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{xs} = [a_1, a_2]$ \\
+\hbox{}\qquad\qquad $\textit{ys} = [b_1, b_1]$ \\[2\smallskipamount]
+Total time: 1.63 s.
+\postw
+
+In theory, it should be sufficient to test a single scope:
+
+\prew
+\textbf{nitpick}~[\textit{card}~= 10]
+\postw
+
+However, this is often less efficient in practice and may lead to overly complex
+counterexamples.
+
+If the monotonicity check fails but we believe that the formula is monotonic (or
+we don't mind missing some counterexamples), we can pass the
+\textit{mono} option. To convince yourself that this option is risky,
+simply consider this example from \S\ref{skolemization}:
+
+\prew
+\textbf{lemma} ``$\exists g.\; \forall x\Colon 'b.~g~(f~x) = x
+ \,\Longrightarrow\, \forall y\Colon {'}a.\; \exists x.~y = f~x$'' \\
+\textbf{nitpick} [\textit{mono}] \\[2\smallskipamount]
+{\slshape Nitpick found no counterexample.} \\[2\smallskipamount]
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape
+Nitpick found a counterexample for \textit{card} $'a$~= 2 and \textit{card} $'b$~=~1: \\
+\hbox{}\qquad $\vdots$
+\postw
+
+(It turns out the formula holds if and only if $\textit{card}~'a \le
+\textit{card}~'b$.) Although this is rarely advisable, the automatic
+monotonicity checks can be disabled by passing \textit{non\_mono}
+(\S\ref{optimizations}).
+
+As insinuated in \S\ref{natural-numbers-and-integers} and
+\S\ref{inductive-datatypes}, \textit{nat}, \textit{int}, and inductive datatypes
+are normally monotonic and treated as such. The same is true for record types,
+\textit{rat}, and \textit{real}. Thus, given the
+cardinality specification 1--10, a formula involving \textit{nat}, \textit{int},
+\textit{int~list}, \textit{rat}, and \textit{rat~list} will lead Nitpick to
+consider only 10~scopes instead of $10^4 = 10\,000$. On the other hand,
+\textbf{typedef}s and quotient types are generally nonmonotonic.
+
+\subsection{Inductive Properties}
+\label{inductive-properties}
+
+Inductive properties are a particular pain to prove, because the failure to
+establish an induction step can mean several things:
+%
+\begin{enumerate}
+\item The property is invalid.
+\item The property is valid but is too weak to support the induction step.
+\item The property is valid and strong enough; it's just that we haven't found
+the proof yet.
+\end{enumerate}
+%
+Depending on which scenario applies, we would take the appropriate course of
+action:
+%
+\begin{enumerate}
+\item Repair the statement of the property so that it becomes valid.
+\item Generalize the property and/or prove auxiliary properties.
+\item Work harder on a proof.
+\end{enumerate}
+%
+How can we distinguish between the three scenarios? Nitpick's normal mode of
+operation can often detect scenario 1, and Isabelle's automatic tactics help with
+scenario 3. Using appropriate techniques, it is also often possible to use
+Nitpick to identify scenario 2. Consider the following transition system,
+in which natural numbers represent states:
+
+\prew
+\textbf{inductive\_set}~\textit{reach}~\textbf{where} \\
+``$(4\Colon\textit{nat}) \in \textit{reach\/}$'' $\mid$ \\
+``$\lbrakk n < 4;\> n \in \textit{reach\/}\rbrakk \,\Longrightarrow\, 3 * n + 1 \in \textit{reach\/}$'' $\mid$ \\
+``$n \in \textit{reach} \,\Longrightarrow n + 2 \in \textit{reach\/}$''
+\postw
+
+We will try to prove that only even numbers are reachable:
+
+\prew
+\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n$''
+\postw
+
+Does this property hold? Nitpick cannot find a counterexample within 30 seconds,
+so let's attempt a proof by induction:
+
+\prew
+\textbf{apply}~(\textit{induct~set}{:}~\textit{reach\/}) \\
+\textbf{apply}~\textit{auto}
+\postw
+
+This leaves us in the following proof state:
+
+\prew
+{\slshape goal (2 subgoals): \\
+\phantom{0}1. ${\bigwedge}n.\;\, \lbrakk n \in \textit{reach\/};\, n < 4;\, 2~\textsl{dvd}~n\rbrakk \,\Longrightarrow\, 2~\textsl{dvd}~\textit{Suc}~(3 * n)$ \\
+\phantom{0}2. ${\bigwedge}n.\;\, \lbrakk n \in \textit{reach\/};\, 2~\textsl{dvd}~n\rbrakk \,\Longrightarrow\, 2~\textsl{dvd}~\textit{Suc}~(\textit{Suc}~n)$
+}
+\postw
+
+If we run Nitpick on the first subgoal, it still won't find any
+counterexample; and yet, \textit{auto} fails to go further, and \textit{arith}
+is helpless. However, notice the $n \in \textit{reach}$ assumption, which
+strengthens the induction hypothesis but is not immediately usable in the proof.
+If we remove it and invoke Nitpick, this time we get a counterexample:
+
+\prew
+\textbf{apply}~(\textit{thin\_tac}~``$n \in \textit{reach\/}$'') \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Skolem constant: \nopagebreak \\
+\hbox{}\qquad\qquad $n = 0$
+\postw
+
+Indeed, 0 < 4, 2 divides 0, but 2 does not divide 1. We can use this information
+to strength the lemma:
+
+\prew
+\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n \mathrel{\lor} n \not= 0$''
+\postw
+
+Unfortunately, the proof by induction still gets stuck, except that Nitpick now
+finds the counterexample $n = 2$. We generalize the lemma further to
+
+\prew
+\textbf{lemma}~``$n \in \textit{reach} \,\Longrightarrow\, 2~\textrm{dvd}~n \mathrel{\lor} n \ge 4$''
+\postw
+
+and this time \textit{arith} can finish off the subgoals.
+
+A similar technique can be employed for structural induction. The
+following mini formalization of full binary trees will serve as illustration:
+
+\prew
+\textbf{datatype} $\kern1pt'a$~\textit{bin\_tree} = $\textit{Leaf}~{\kern1pt'a}$ $\mid$ $\textit{Branch}$ ``\kern1pt$'a$ \textit{bin\_tree}'' ``\kern1pt$'a$ \textit{bin\_tree}'' \\[2\smallskipamount]
+\textbf{primrec}~\textit{labels}~\textbf{where} \\
+``$\textit{labels}~(\textit{Leaf}~a) = \{a\}$'' $\mid$ \\
+``$\textit{labels}~(\textit{Branch}~t~u) = \textit{labels}~t \mathrel{\cup} \textit{labels}~u$'' \\[2\smallskipamount]
+\textbf{primrec}~\textit{swap}~\textbf{where} \\
+``$\textit{swap}~(\textit{Leaf}~c)~a~b =$ \\
+\phantom{``}$(\textrm{if}~c = a~\textrm{then}~\textit{Leaf}~b~\textrm{else~if}~c = b~\textrm{then}~\textit{Leaf}~a~\textrm{else}~\textit{Leaf}~c)$'' $\mid$ \\
+``$\textit{swap}~(\textit{Branch}~t~u)~a~b = \textit{Branch}~(\textit{swap}~t~a~b)~(\textit{swap}~u~a~b)$''
+\postw
+
+The \textit{labels} function returns the set of labels occurring on leaves of a
+tree, and \textit{swap} exchanges two labels. Intuitively, if two distinct
+labels $a$ and $b$ occur in a tree $t$, they should also occur in the tree
+obtained by swapping $a$ and $b$:
+
+\prew
+\textbf{lemma} $``\{a, b\} \subseteq \textit{labels}~t \,\Longrightarrow\, \textit{labels}~(\textit{swap}~t~a~b) = \textit{labels}~t$''
+\postw
+
+Nitpick can't find any counterexample, so we proceed with induction
+(this time favoring a more structured style):
+
+\prew
+\textbf{proof}~(\textit{induct}~$t$) \\
+\hbox{}\quad \textbf{case}~\textit{Leaf}~\textbf{thus}~\textit{?case}~\textbf{by}~\textit{simp} \\
+\textbf{next} \\
+\hbox{}\quad \textbf{case}~$(\textit{Branch}~t~u)$~\textbf{thus} \textit{?case}
+\postw
+
+Nitpick can't find any counterexample at this point either, but it makes the
+following suggestion:
+
+\prew
+\slshape
+Hint: To check that the induction hypothesis is general enough, try this command:
+\textbf{nitpick}~[\textit{non\_std}, \textit{show\_all}].
+\postw
+
+If we follow the hint, we get a ``nonstandard'' counterexample for the step:
+
+\prew
+\slshape Nitpick found a nonstandard counterexample for \textit{card} $'a$ = 3: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $a = a_1$ \\
+\hbox{}\qquad\qquad $b = a_2$ \\
+\hbox{}\qquad\qquad $t = \xi_1$ \\
+\hbox{}\qquad\qquad $u = \xi_2$ \\
+\hbox{}\qquad Datatype: \nopagebreak \\
+\hbox{}\qquad\qquad $'a~\textit{bin\_tree} =
+\{\!\begin{aligned}[t]
+& \xi_1 \mathbin{=} \textit{Branch}~\xi_1~\xi_1,\> \xi_2 \mathbin{=} \textit{Branch}~\xi_2~\xi_2,\> \\[-2pt]
+& \textit{Branch}~\xi_1~\xi_2,\> \unr\}\end{aligned}$ \\
+\hbox{}\qquad {\slshape Constants:} \nopagebreak \\
+\hbox{}\qquad\qquad $\textit{labels} = \unkef
+ (\!\begin{aligned}[t]%
+ & \xi_1 := \{a_2, a_3\},\> \xi_2 := \{a_1\},\> \\[-2pt]
+ & \textit{Branch}~\xi_1~\xi_2 := \{a_1, a_2, a_3\})\end{aligned}$ \\
+\hbox{}\qquad\qquad $\lambda x_1.\> \textit{swap}~x_1~a~b = \unkef
+ (\!\begin{aligned}[t]%
+ & \xi_1 := \xi_2,\> \xi_2 := \xi_2, \\[-2pt]
+ & \textit{Branch}~\xi_1~\xi_2 := \xi_2)\end{aligned}$ \\[2\smallskipamount]
+The existence of a nonstandard model suggests that the induction hypothesis is not general enough or may even
+be wrong. See the Nitpick manual's ``Inductive Properties'' section for details (``\textit{isabelle doc nitpick}'').
+\postw
+
+Reading the Nitpick manual is a most excellent idea.
+But what's going on? The \textit{non\_std} option told the tool to look for
+nonstandard models of binary trees, which means that new ``nonstandard'' trees
+$\xi_1, \xi_2, \ldots$, are now allowed in addition to the standard trees
+generated by the \textit{Leaf} and \textit{Branch} constructors.%
+\footnote{Notice the similarity between allowing nonstandard trees here and
+allowing unreachable states in the preceding example (by removing the ``$n \in
+\textit{reach\/}$'' assumption). In both cases, we effectively enlarge the
+set of objects over which the induction is performed while doing the step
+in order to test the induction hypothesis's strength.}
+Unlike standard trees, these new trees contain cycles. We will see later that
+every property of acyclic trees that can be proved without using induction also
+holds for cyclic trees. Hence,
+%
+\begin{quote}
+\textsl{If the induction
+hypothesis is strong enough, the induction step will hold even for nonstandard
+objects, and Nitpick won't find any nonstandard counterexample.}
+\end{quote}
+%
+But here the tool find some nonstandard trees $t = \xi_1$
+and $u = \xi_2$ such that $a \notin \textit{labels}~t$, $b \in
+\textit{labels}~t$, $a \in \textit{labels}~u$, and $b \notin \textit{labels}~u$.
+Because neither tree contains both $a$ and $b$, the induction hypothesis tells
+us nothing about the labels of $\textit{swap}~t~a~b$ and $\textit{swap}~u~a~b$,
+and as a result we know nothing about the labels of the tree
+$\textit{swap}~(\textit{Branch}~t~u)~a~b$, which by definition equals
+$\textit{Branch}$ $(\textit{swap}~t~a~b)$ $(\textit{swap}~u~a~b)$, whose
+labels are $\textit{labels}$ $(\textit{swap}~t~a~b) \mathrel{\cup}
+\textit{labels}$ $(\textit{swap}~u~a~b)$.
+
+The solution is to ensure that we always know what the labels of the subtrees
+are in the inductive step, by covering the cases where $a$ and/or~$b$ is not in
+$t$ in the statement of the lemma:
+
+\prew
+\textbf{lemma} ``$\textit{labels}~(\textit{swap}~t~a~b) = {}$ \\
+\phantom{\textbf{lemma} ``}$(\textrm{if}~a \in \textit{labels}~t~\textrm{then}$ \nopagebreak \\
+\phantom{\textbf{lemma} ``(\quad}$\textrm{if}~b \in \textit{labels}~t~\textrm{then}~\textit{labels}~t~\textrm{else}~(\textit{labels}~t - \{a\}) \mathrel{\cup} \{b\}$ \\
+\phantom{\textbf{lemma} ``(}$\textrm{else}$ \\
+\phantom{\textbf{lemma} ``(\quad}$\textrm{if}~b \in \textit{labels}~t~\textrm{then}~(\textit{labels}~t - \{b\}) \mathrel{\cup} \{a\}~\textrm{else}~\textit{labels}~t)$''
+\postw
+
+This time, Nitpick won't find any nonstandard counterexample, and we can perform
+the induction step using \textit{auto}.
+
+\section{Case Studies}
+\label{case-studies}
+
+As a didactic device, the previous section focused mostly on toy formulas whose
+validity can easily be assessed just by looking at the formula. We will now
+review two somewhat more realistic case studies that are within Nitpick's
+reach:\ a context-free grammar modeled by mutually inductive sets and a
+functional implementation of AA trees. The results presented in this
+section were produced with the following settings:
+
+\prew
+\textbf{nitpick\_params} [\textit{max\_potential}~= 0]
+\postw
+
+\subsection{A Context-Free Grammar}
+\label{a-context-free-grammar}
+
+Our first case study is taken from section 7.4 in the Isabelle tutorial
+\cite{isa-tutorial}. The following grammar, originally due to Hopcroft and
+Ullman, produces all strings with an equal number of $a$'s and $b$'s:
+
+\prew
+\begin{tabular}{@{}r@{$\;\,$}c@{$\;\,$}l@{}}
+$S$ & $::=$ & $\epsilon \mid bA \mid aB$ \\
+$A$ & $::=$ & $aS \mid bAA$ \\
+$B$ & $::=$ & $bS \mid aBB$
+\end{tabular}
+\postw
+
+The intuition behind the grammar is that $A$ generates all strings with one more
+$a$ than $b$'s and $B$ generates all strings with one more $b$ than $a$'s.
+
+The alphabet consists exclusively of $a$'s and $b$'s:
+
+\prew
+\textbf{datatype} \textit{alphabet}~= $a$ $\mid$ $b$
+\postw
+
+Strings over the alphabet are represented by \textit{alphabet list}s.
+Nonterminals in the grammar become sets of strings. The production rules
+presented above can be expressed as a mutually inductive definition:
+
+\prew
+\textbf{inductive\_set} $S$ \textbf{and} $A$ \textbf{and} $B$ \textbf{where} \\
+\textit{R1}:\kern.4em ``$[] \in S$'' $\,\mid$ \\
+\textit{R2}:\kern.4em ``$w \in A\,\Longrightarrow\, b \mathbin{\#} w \in S$'' $\,\mid$ \\
+\textit{R3}:\kern.4em ``$w \in B\,\Longrightarrow\, a \mathbin{\#} w \in S$'' $\,\mid$ \\
+\textit{R4}:\kern.4em ``$w \in S\,\Longrightarrow\, a \mathbin{\#} w \in A$'' $\,\mid$ \\
+\textit{R5}:\kern.4em ``$w \in S\,\Longrightarrow\, b \mathbin{\#} w \in S$'' $\,\mid$ \\
+\textit{R6}:\kern.4em ``$\lbrakk v \in B;\> v \in B\rbrakk \,\Longrightarrow\, a \mathbin{\#} v \mathbin{@} w \in B$''
+\postw
+
+The conversion of the grammar into the inductive definition was done manually by
+Joe Blow, an underpaid undergraduate student. As a result, some errors might
+have sneaked in.
+
+Debugging faulty specifications is at the heart of Nitpick's \textsl{raison
+d'\^etre}. A good approach is to state desirable properties of the specification
+(here, that $S$ is exactly the set of strings over $\{a, b\}$ with as many $a$'s
+as $b$'s) and check them with Nitpick. If the properties are correctly stated,
+counterexamples will point to bugs in the specification. For our grammar
+example, we will proceed in two steps, separating the soundness and the
+completeness of the set $S$. First, soundness:
+
+\prew
+\textbf{theorem}~\textit{S\_sound\/}: \\
+``$w \in S \longrightarrow \textit{length}~[x\mathbin{\leftarrow} w.\; x = a] =
+ \textit{length}~[x\mathbin{\leftarrow} w.\; x = b]$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $w = [b]$
+\postw
+
+It would seem that $[b] \in S$. How could this be? An inspection of the
+introduction rules reveals that the only rule with a right-hand side of the form
+$b \mathbin{\#} {\ldots} \in S$ that could have introduced $[b]$ into $S$ is
+\textit{R5}:
+
+\prew
+``$w \in S\,\Longrightarrow\, b \mathbin{\#} w \in S$''
+\postw
+
+On closer inspection, we can see that this rule is wrong. To match the
+production $B ::= bS$, the second $S$ should be a $B$. We fix the typo and try
+again:
+
+\prew
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $w = [a, a, b]$
+\postw
+
+Some detective work is necessary to find out what went wrong here. To get $[a,
+a, b] \in S$, we need $[a, b] \in B$ by \textit{R3}, which in turn can only come
+from \textit{R6}:
+
+\prew
+``$\lbrakk v \in B;\> v \in B\rbrakk \,\Longrightarrow\, a \mathbin{\#} v \mathbin{@} w \in B$''
+\postw
+
+Now, this formula must be wrong: The same assumption occurs twice, and the
+variable $w$ is unconstrained. Clearly, one of the two occurrences of $v$ in
+the assumptions should have been a $w$.
+
+With the correction made, we don't get any counterexample from Nitpick. Let's
+move on and check completeness:
+
+\prew
+\textbf{theorem}~\textit{S\_complete}: \\
+``$\textit{length}~[x\mathbin{\leftarrow} w.\; x = a] =
+ \textit{length}~[x\mathbin{\leftarrow} w.\; x = b]
+ \longrightarrow w \in S$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variable: \nopagebreak \\
+\hbox{}\qquad\qquad $w = [b, b, a, a]$
+\postw
+
+Apparently, $[b, b, a, a] \notin S$, even though it has the same numbers of
+$a$'s and $b$'s. But since our inductive definition passed the soundness check,
+the introduction rules we have are probably correct. Perhaps we simply lack an
+introduction rule. Comparing the grammar with the inductive definition, our
+suspicion is confirmed: Joe Blow simply forgot the production $A ::= bAA$,
+without which the grammar cannot generate two or more $b$'s in a row. So we add
+the rule
+
+\prew
+``$\lbrakk v \in A;\> w \in A\rbrakk \,\Longrightarrow\, b \mathbin{\#} v \mathbin{@} w \in A$''
+\postw
+
+With this last change, we don't get any counterexamples from Nitpick for either
+soundness or completeness. We can even generalize our result to cover $A$ and
+$B$ as well:
+
+\prew
+\textbf{theorem} \textit{S\_A\_B\_sound\_and\_complete}: \\
+``$w \in S \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = b]$'' \\
+``$w \in A \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = b] + 1$'' \\
+``$w \in B \longleftrightarrow \textit{length}~[x \mathbin{\leftarrow} w.\; x = b] = \textit{length}~[x \mathbin{\leftarrow} w.\; x = a] + 1$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found no counterexample.
+\postw
+
+\subsection{AA Trees}
+\label{aa-trees}
+
+AA trees are a kind of balanced trees discovered by Arne Andersson that provide
+similar performance to red-black trees, but with a simpler implementation
+\cite{andersson-1993}. They can be used to store sets of elements equipped with
+a total order $<$. We start by defining the datatype and some basic extractor
+functions:
+
+\prew
+\textbf{datatype} $'a$~\textit{aa\_tree} = \\
+\hbox{}\quad $\Lambda$ $\mid$ $N$ ``\kern1pt$'a\Colon \textit{linorder\/}$'' \textit{nat} ``\kern1pt$'a$ \textit{aa\_tree}'' ``\kern1pt$'a$ \textit{aa\_tree}'' \\[2\smallskipamount]
+\textbf{primrec} \textit{data} \textbf{where} \\
+``$\textit{data}~\Lambda = \unkef$'' $\,\mid$ \\
+``$\textit{data}~(N~x~\_~\_~\_) = x$'' \\[2\smallskipamount]
+\textbf{primrec} \textit{dataset} \textbf{where} \\
+``$\textit{dataset}~\Lambda = \{\}$'' $\,\mid$ \\
+``$\textit{dataset}~(N~x~\_~t~u) = \{x\} \cup \textit{dataset}~t \mathrel{\cup} \textit{dataset}~u$'' \\[2\smallskipamount]
+\textbf{primrec} \textit{level} \textbf{where} \\
+``$\textit{level}~\Lambda = 0$'' $\,\mid$ \\
+``$\textit{level}~(N~\_~k~\_~\_) = k$'' \\[2\smallskipamount]
+\textbf{primrec} \textit{left} \textbf{where} \\
+``$\textit{left}~\Lambda = \Lambda$'' $\,\mid$ \\
+``$\textit{left}~(N~\_~\_~t~\_) = t$'' \\[2\smallskipamount]
+\textbf{primrec} \textit{right} \textbf{where} \\
+``$\textit{right}~\Lambda = \Lambda$'' $\,\mid$ \\
+``$\textit{right}~(N~\_~\_~\_~u) = u$''
+\postw
+
+The wellformedness criterion for AA trees is fairly complex. Wikipedia states it
+as follows \cite{wikipedia-2009-aa-trees}:
+
+\kern.2\parskip %% TYPESETTING
+
+\pre
+Each node has a level field, and the following invariants must remain true for
+the tree to be valid:
+
+\raggedright
+
+\kern-.4\parskip %% TYPESETTING
+
+\begin{enum}
+\item[]
+\begin{enum}
+\item[1.] The level of a leaf node is one.
+\item[2.] The level of a left child is strictly less than that of its parent.
+\item[3.] The level of a right child is less than or equal to that of its parent.
+\item[4.] The level of a right grandchild is strictly less than that of its grandparent.
+\item[5.] Every node of level greater than one must have two children.
+\end{enum}
+\end{enum}
+\post
+
+\kern.4\parskip %% TYPESETTING
+
+The \textit{wf} predicate formalizes this description:
+
+\prew
+\textbf{primrec} \textit{wf} \textbf{where} \\
+``$\textit{wf}~\Lambda = \textit{True\/}$'' $\,\mid$ \\
+``$\textit{wf}~(N~\_~k~t~u) =$ \\
+\phantom{``}$(\textrm{if}~t = \Lambda~\textrm{then}$ \\
+\phantom{``$(\quad$}$k = 1 \mathrel{\land} (u = \Lambda \mathrel{\lor} (\textit{level}~u = 1 \mathrel{\land} \textit{left}~u = \Lambda \mathrel{\land} \textit{right}~u = \Lambda))$ \\
+\phantom{``$($}$\textrm{else}$ \\
+\hbox{}\phantom{``$(\quad$}$\textit{wf}~t \mathrel{\land} \textit{wf}~u
+\mathrel{\land} u \not= \Lambda \mathrel{\land} \textit{level}~t < k
+\mathrel{\land} \textit{level}~u \le k$ \\
+\hbox{}\phantom{``$(\quad$}${\land}\; \textit{level}~(\textit{right}~u) < k)$''
+\postw
+
+Rebalancing the tree upon insertion and removal of elements is performed by two
+auxiliary functions called \textit{skew} and \textit{split}, defined below:
+
+\prew
+\textbf{primrec} \textit{skew} \textbf{where} \\
+``$\textit{skew}~\Lambda = \Lambda$'' $\,\mid$ \\
+``$\textit{skew}~(N~x~k~t~u) = {}$ \\
+\phantom{``}$(\textrm{if}~t \not= \Lambda \mathrel{\land} k =
+\textit{level}~t~\textrm{then}$ \\
+\phantom{``(\quad}$N~(\textit{data}~t)~k~(\textit{left}~t)~(N~x~k~
+(\textit{right}~t)~u)$ \\
+\phantom{``(}$\textrm{else}$ \\
+\phantom{``(\quad}$N~x~k~t~u)$''
+\postw
+
+\prew
+\textbf{primrec} \textit{split} \textbf{where} \\
+``$\textit{split}~\Lambda = \Lambda$'' $\,\mid$ \\
+``$\textit{split}~(N~x~k~t~u) = {}$ \\
+\phantom{``}$(\textrm{if}~u \not= \Lambda \mathrel{\land} k =
+\textit{level}~(\textit{right}~u)~\textrm{then}$ \\
+\phantom{``(\quad}$N~(\textit{data}~u)~(\textit{Suc}~k)~
+(N~x~k~t~(\textit{left}~u))~(\textit{right}~u)$ \\
+\phantom{``(}$\textrm{else}$ \\
+\phantom{``(\quad}$N~x~k~t~u)$''
+\postw
+
+Performing a \textit{skew} or a \textit{split} should have no impact on the set
+of elements stored in the tree:
+
+\prew
+\textbf{theorem}~\textit{dataset\_skew\_split\/}:\\
+``$\textit{dataset}~(\textit{skew}~t) = \textit{dataset}~t$'' \\
+``$\textit{dataset}~(\textit{split}~t) = \textit{dataset}~t$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+{\slshape Nitpick ran out of time after checking 9 of 10 scopes.}
+\postw
+
+Furthermore, applying \textit{skew} or \textit{split} on a well-formed tree
+should not alter the tree:
+
+\prew
+\textbf{theorem}~\textit{wf\_skew\_split\/}:\\
+``$\textit{wf}~t\,\Longrightarrow\, \textit{skew}~t = t$'' \\
+``$\textit{wf}~t\,\Longrightarrow\, \textit{split}~t = t$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+{\slshape Nitpick found no counterexample.}
+\postw
+
+Insertion is implemented recursively. It preserves the sort order:
+
+\prew
+\textbf{primrec}~\textit{insort} \textbf{where} \\
+``$\textit{insort}~\Lambda~x = N~x~1~\Lambda~\Lambda$'' $\,\mid$ \\
+``$\textit{insort}~(N~y~k~t~u)~x =$ \\
+\phantom{``}$({*}~(\textit{split} \circ \textit{skew})~{*})~(N~y~k~(\textrm{if}~x < y~\textrm{then}~\textit{insort}~t~x~\textrm{else}~t)$ \\
+\phantom{``$({*}~(\textit{split} \circ \textit{skew})~{*})~(N~y~k~$}$(\textrm{if}~x > y~\textrm{then}~\textit{insort}~u~x~\textrm{else}~u))$''
+\postw
+
+Notice that we deliberately commented out the application of \textit{skew} and
+\textit{split}. Let's see if this causes any problems:
+
+\prew
+\textbf{theorem}~\textit{wf\_insort\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~x)$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\slshape Nitpick found a counterexample for \textit{card} $'a$ = 4: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $t = N~a_1~1~\Lambda~\Lambda$ \\
+\hbox{}\qquad\qquad $x = a_2$
+\postw
+
+It's hard to see why this is a counterexample. To improve readability, we will
+restrict the theorem to \textit{nat}, so that we don't need to look up the value
+of the $\textit{op}~{<}$ constant to find out which element is smaller than the
+other. In addition, we will tell Nitpick to display the value of
+$\textit{insort}~t~x$ using the \textit{eval} option. This gives
+
+\prew
+\textbf{theorem} \textit{wf\_insort\_nat\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~(x\Colon\textit{nat}))$'' \\
+\textbf{nitpick} [\textit{eval} = ``$\textit{insort}~t~x$''] \\[2\smallskipamount]
+\slshape Nitpick found a counterexample: \\[2\smallskipamount]
+\hbox{}\qquad Free variables: \nopagebreak \\
+\hbox{}\qquad\qquad $t = N~1~1~\Lambda~\Lambda$ \\
+\hbox{}\qquad\qquad $x = 0$ \\
+\hbox{}\qquad Evaluated term: \\
+\hbox{}\qquad\qquad $\textit{insort}~t~x = N~1~1~(N~0~1~\Lambda~\Lambda)~\Lambda$
+\postw
+
+Nitpick's output reveals that the element $0$ was added as a left child of $1$,
+where both nodes have a level of 1. This violates the second AA tree invariant,
+which states that a left child's level must be less than its parent's. This
+shouldn't come as a surprise, considering that we commented out the tree
+rebalancing code. Reintroducing the code seems to solve the problem:
+
+\prew
+\textbf{theorem}~\textit{wf\_insort\/}:\kern.4em ``$\textit{wf}~t\,\Longrightarrow\, \textit{wf}~(\textit{insort}~t~x)$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+{\slshape Nitpick ran out of time after checking 8 of 10 scopes.}
+\postw
+
+Insertion should transform the set of elements represented by the tree in the
+obvious way:
+
+\prew
+\textbf{theorem} \textit{dataset\_insort\/}:\kern.4em
+``$\textit{dataset}~(\textit{insort}~t~x) = \{x\} \cup \textit{dataset}~t$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+{\slshape Nitpick ran out of time after checking 7 of 10 scopes.}
+\postw
+
+We could continue like this and sketch a full-blown theory of AA trees. Once the
+definitions and main theorems are in place and have been thoroughly tested using
+Nitpick, we could start working on the proofs. Developing theories this way
+usually saves time, because faulty theorems and definitions are discovered much
+earlier in the process.
+
+\section{Option Reference}
+\label{option-reference}
+
+\def\defl{\{}
+\def\defr{\}}
+
+\def\flushitem#1{\item[]\noindent\kern-\leftmargin \textbf{#1}}
+\def\qty#1{$\left<\textit{#1}\right>$}
+\def\qtybf#1{$\mathbf{\left<\textbf{\textit{#1}}\right>}$}
+\def\optrue#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{true}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opfalse#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{false}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opsmart#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opnodefault#1#2{\flushitem{\textit{#1} = \qtybf{#2}} \nopagebreak\\[\parskip]}
+\def\opdefault#1#2#3{\flushitem{\textit{#1} = \qtybf{#2}\enskip \defl\textit{#3}\defr} \nopagebreak\\[\parskip]}
+\def\oparg#1#2#3{\flushitem{\textit{#1} \qtybf{#2} = \qtybf{#3}} \nopagebreak\\[\parskip]}
+\def\opargbool#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
+\def\opargboolorsmart#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
+
+Nitpick's behavior can be influenced by various options, which can be specified
+in brackets after the \textbf{nitpick} command. Default values can be set
+using \textbf{nitpick\_\allowbreak params}. For example:
+
+\prew
+\textbf{nitpick\_params} [\textit{verbose}, \,\textit{timeout} = 60]
+\postw
+
+The options are categorized as follows:\ mode of operation
+(\S\ref{mode-of-operation}), scope of search (\S\ref{scope-of-search}), output
+format (\S\ref{output-format}), automatic counterexample checks
+(\S\ref{authentication}), optimizations
+(\S\ref{optimizations}), and timeouts (\S\ref{timeouts}).
+
+You can instruct Nitpick to run automatically on newly entered theorems by
+enabling the ``Auto Nitpick'' option from the ``Isabelle'' menu in Proof
+General. For automatic runs, \textit{user\_axioms} (\S\ref{mode-of-operation}),
+\textit{assms} (\S\ref{mode-of-operation}), and \textit{mono}
+(\S\ref{scope-of-search}) are implicitly enabled, \textit{blocking}
+(\S\ref{mode-of-operation}), \textit{verbose} (\S\ref{output-format}), and
+\textit{debug} (\S\ref{output-format}) are disabled, \textit{max\_threads}
+(\S\ref{optimizations}) is taken to be 1, \textit{max\_potential}
+(\S\ref{output-format}) is taken to be 0, and \textit{timeout}
+(\S\ref{timeouts}) is superseded by the ``Auto Tools Time Limit'' in
+Proof General's ``Isabelle'' menu. Nitpick's output is also more concise.
+
+The number of options can be overwhelming at first glance. Do not let that worry
+you: Nitpick's defaults have been chosen so that it almost always does the right
+thing, and the most important options have been covered in context in
+\S\ref{first-steps}.
+
+The descriptions below refer to the following syntactic quantities:
+
+\begin{enum}
+\item[\labelitemi] \qtybf{string}: A string.
+\item[\labelitemi] \qtybf{string\_list\/}: A space-separated list of strings
+(e.g., ``\textit{ichi ni san}'').
+\item[\labelitemi] \qtybf{bool\/}: \textit{true} or \textit{false}.
+\item[\labelitemi] \qtybf{smart\_bool\/}: \textit{true}, \textit{false}, or \textit{smart}.
+\item[\labelitemi] \qtybf{int\/}: An integer. Negative integers are prefixed with a hyphen.
+\item[\labelitemi] \qtybf{smart\_int\/}: An integer or \textit{smart}.
+\item[\labelitemi] \qtybf{int\_range}: An integer (e.g., 3) or a range
+of nonnegative integers (e.g., $1$--$4$). The range symbol `--' can be entered as \texttt{-} (hyphen) or \texttt{\char`\\\char`\<emdash\char`\>}.
+\item[\labelitemi] \qtybf{int\_seq}: A comma-separated sequence of ranges of integers (e.g.,~1{,}3{,}\allowbreak6--8).
+\item[\labelitemi] \qtybf{float\_or\_none}: An integer (e.g., 60) or floating-point number
+(e.g., 0.5) expressing a number of seconds, or the keyword \textit{none}
+($\infty$ seconds).
+\item[\labelitemi] \qtybf{const\/}: The name of a HOL constant.
+\item[\labelitemi] \qtybf{term}: A HOL term (e.g., ``$f~x$'').
+\item[\labelitemi] \qtybf{term\_list\/}: A space-separated list of HOL terms (e.g.,
+``$f~x$''~``$g~y$'').
+\item[\labelitemi] \qtybf{type}: A HOL type.
+\end{enum}
+
+Default values are indicated in curly brackets (\textrm{\{\}}). Boolean options
+have a negated counterpart (e.g., \textit{blocking} vs.\
+\textit{non\_blocking}). When setting them, ``= \textit{true}'' may be omitted.
+
+\subsection{Mode of Operation}
+\label{mode-of-operation}
+
+\begin{enum}
+\optrue{blocking}{non\_blocking}
+Specifies whether the \textbf{nitpick} command should operate synchronously.
+The asynchronous (non-blocking) mode lets the user start proving the putative
+theorem while Nitpick looks for a counterexample, but it can also be more
+confusing. For technical reasons, automatic runs currently always block.
+
+\optrue{falsify}{satisfy}
+Specifies whether Nitpick should look for falsifying examples (countermodels) or
+satisfying examples (models). This manual assumes throughout that
+\textit{falsify} is enabled.
+
+\opsmart{user\_axioms}{no\_user\_axioms}
+Specifies whether the user-defined axioms (specified using
+\textbf{axiomatization} and \textbf{axioms}) should be considered. If the option
+is set to \textit{smart}, Nitpick performs an ad hoc axiom selection based on
+the constants that occur in the formula to falsify. The option is implicitly set
+to \textit{true} for automatic runs.
+
+\textbf{Warning:} If the option is set to \textit{true}, Nitpick might
+nonetheless ignore some polymorphic axioms. Counterexamples generated under
+these conditions are tagged as ``quasi genuine.'' The \textit{debug}
+(\S\ref{output-format}) option can be used to find out which axioms were
+considered.
+
+\nopagebreak
+{\small See also \textit{assms} (\S\ref{mode-of-operation}) and \textit{debug}
+(\S\ref{output-format}).}
+
+\optrue{assms}{no\_assms}
+Specifies whether the relevant assumptions in structured proofs should be
+considered. The option is implicitly enabled for automatic runs.
+
+\nopagebreak
+{\small See also \textit{user\_axioms} (\S\ref{mode-of-operation}).}
+
+\opfalse{overlord}{no\_overlord}
+Specifies whether Nitpick should put its temporary files in
+\texttt{\$ISABELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for
+debugging Nitpick but also unsafe if several instances of the tool are run
+simultaneously. The files are identified by the extensions
+\texttt{.kki}, \texttt{.cnf}, \texttt{.out}, and
+\texttt{.err}; you may safely remove them after Nitpick has run.
+
+\nopagebreak
+{\small See also \textit{debug} (\S\ref{output-format}).}
+\end{enum}
+
+\subsection{Scope of Search}
+\label{scope-of-search}
+
+\begin{enum}
+\oparg{card}{type}{int\_seq}
+Specifies the sequence of cardinalities to use for a given type.
+For free types, and often also for \textbf{typedecl}'d types, it usually makes
+sense to specify cardinalities as a range of the form \textit{$1$--$n$}.
+
+\nopagebreak
+{\small See also \textit{box} (\S\ref{scope-of-search}) and \textit{mono}
+(\S\ref{scope-of-search}).}
+
+\opdefault{card}{int\_seq}{\upshape 1--10}
+Specifies the default sequence of cardinalities to use. This can be overridden
+on a per-type basis using the \textit{card}~\qty{type} option described above.
+
+\oparg{max}{const}{int\_seq}
+Specifies the sequence of maximum multiplicities to use for a given
+(co)in\-duc\-tive datatype constructor. A constructor's multiplicity is the
+number of distinct values that it can construct. Nonsensical values (e.g.,
+\textit{max}~[]~$=$~2) are silently repaired. This option is only available for
+datatypes equipped with several constructors.
+
+\opnodefault{max}{int\_seq}
+Specifies the default sequence of maximum multiplicities to use for
+(co)in\-duc\-tive datatype constructors. This can be overridden on a per-constructor
+basis using the \textit{max}~\qty{const} option described above.
+
+\opsmart{binary\_ints}{unary\_ints}
+Specifies whether natural numbers and integers should be encoded using a unary
+or binary notation. In unary mode, the cardinality fully specifies the subset
+used to approximate the type. For example:
+%
+$$\hbox{\begin{tabular}{@{}rll@{}}%
+\textit{card nat} = 4 & induces & $\{0,\, 1,\, 2,\, 3\}$ \\
+\textit{card int} = 4 & induces & $\{-1,\, 0,\, +1,\, +2\}$ \\
+\textit{card int} = 5 & induces & $\{-2,\, -1,\, 0,\, +1,\, +2\}.$%
+\end{tabular}}$$
+%
+In general:
+%
+$$\hbox{\begin{tabular}{@{}rll@{}}%
+\textit{card nat} = $K$ & induces & $\{0,\, \ldots,\, K - 1\}$ \\
+\textit{card int} = $K$ & induces & $\{-\lceil K/2 \rceil + 1,\, \ldots,\, +\lfloor K/2 \rfloor\}.$%
+\end{tabular}}$$
+%
+In binary mode, the cardinality specifies the number of distinct values that can
+be constructed. Each of these value is represented by a bit pattern whose length
+is specified by the \textit{bits} (\S\ref{scope-of-search}) option. By default,
+Nitpick attempts to choose the more appropriate encoding by inspecting the
+formula at hand, preferring the binary notation for problems involving
+multiplicative operators or large constants.
+
+\textbf{Warning:} For technical reasons, Nitpick always reverts to unary for
+problems that refer to the types \textit{rat} or \textit{real} or the constants
+\textit{Suc}, \textit{gcd}, or \textit{lcm}.
+
+{\small See also \textit{bits} (\S\ref{scope-of-search}) and
+\textit{show\_datatypes} (\S\ref{output-format}).}
+
+\opdefault{bits}{int\_seq}{\upshape 1,2,3,4,6,8,10,12,14,16}
+Specifies the number of bits to use to represent natural numbers and integers in
+binary, excluding the sign bit. The minimum is 1 and the maximum is 31.
+
+{\small See also \textit{binary\_ints} (\S\ref{scope-of-search}).}
+
+\opargboolorsmart{wf}{const}{non\_wf}
+Specifies whether the specified (co)in\-duc\-tively defined predicate is
+well-founded. The option can take the following values:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{true}:} Tentatively treat the (co)in\-duc\-tive
+predicate as if it were well-founded. Since this is generally not sound when the
+predicate is not well-founded, the counterexamples are tagged as ``quasi
+genuine.''
+
+\item[\labelitemi] \textbf{\textit{false}:} Treat the (co)in\-duc\-tive predicate
+as if it were not well-founded. The predicate is then unrolled as prescribed by
+the \textit{star\_linear\_preds}, \textit{iter}~\qty{const}, and \textit{iter}
+options.
+
+\item[\labelitemi] \textbf{\textit{smart}:} Try to prove that the inductive
+predicate is well-founded using Isabelle's \textit{lexicographic\_order} and
+\textit{size\_change} tactics. If this succeeds (or the predicate occurs with an
+appropriate polarity in the formula to falsify), use an efficient fixed-point
+equation as specification of the predicate; otherwise, unroll the predicates
+according to the \textit{iter}~\qty{const} and \textit{iter} options.
+\end{enum}
+
+\nopagebreak
+{\small See also \textit{iter} (\S\ref{scope-of-search}),
+\textit{star\_linear\_preds} (\S\ref{optimizations}), and \textit{tac\_timeout}
+(\S\ref{timeouts}).}
+
+\opsmart{wf}{non\_wf}
+Specifies the default wellfoundedness setting to use. This can be overridden on
+a per-predicate basis using the \textit{wf}~\qty{const} option above.
+
+\oparg{iter}{const}{int\_seq}
+Specifies the sequence of iteration counts to use when unrolling a given
+(co)in\-duc\-tive predicate. By default, unrolling is applied for inductive
+predicates that occur negatively and coinductive predicates that occur
+positively in the formula to falsify and that cannot be proved to be
+well-founded, but this behavior is influenced by the \textit{wf} option. The
+iteration counts are automatically bounded by the cardinality of the predicate's
+domain.
+
+{\small See also \textit{wf} (\S\ref{scope-of-search}) and
+\textit{star\_linear\_preds} (\S\ref{optimizations}).}
+
+\opdefault{iter}{int\_seq}{\upshape 0{,}1{,}2{,}4{,}8{,}12{,}16{,}20{,}24{,}28}
+Specifies the sequence of iteration counts to use when unrolling (co)in\-duc\-tive
+predicates. This can be overridden on a per-predicate basis using the
+\textit{iter} \qty{const} option above.
+
+\opdefault{bisim\_depth}{int\_seq}{\upshape 9}
+Specifies the sequence of iteration counts to use when unrolling the
+bisimilarity predicate generated by Nitpick for coinductive datatypes. A value
+of $-1$ means that no predicate is generated, in which case Nitpick performs an
+after-the-fact check to see if the known coinductive datatype values are
+bidissimilar. If two values are found to be bisimilar, the counterexample is
+tagged as ``quasi genuine.'' The iteration counts are automatically bounded by
+the sum of the cardinalities of the coinductive datatypes occurring in the
+formula to falsify.
+
+\opargboolorsmart{box}{type}{dont\_box}
+Specifies whether Nitpick should attempt to wrap (``box'') a given function or
+product type in an isomorphic datatype internally. Boxing is an effective mean
+to reduce the search space and speed up Nitpick, because the isomorphic datatype
+is approximated by a subset of the possible function or pair values.
+Like other drastic optimizations, it can also prevent the discovery of
+counterexamples. The option can take the following values:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{true}:} Box the specified type whenever
+practicable.
+\item[\labelitemi] \textbf{\textit{false}:} Never box the type.
+\item[\labelitemi] \textbf{\textit{smart}:} Box the type only in contexts where it
+is likely to help. For example, $n$-tuples where $n > 2$ and arguments to
+higher-order functions are good candidates for boxing.
+\end{enum}
+
+\nopagebreak
+{\small See also \textit{finitize} (\S\ref{scope-of-search}), \textit{verbose}
+(\S\ref{output-format}), and \textit{debug} (\S\ref{output-format}).}
+
+\opsmart{box}{dont\_box}
+Specifies the default boxing setting to use. This can be overridden on a
+per-type basis using the \textit{box}~\qty{type} option described above.
+
+\opargboolorsmart{finitize}{type}{dont\_finitize}
+Specifies whether Nitpick should attempt to finitize an infinite datatype. The
+option can then take the following values:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{true}:} Finitize the datatype. Since this is
+unsound, counterexamples generated under these conditions are tagged as ``quasi
+genuine.''
+\item[\labelitemi] \textbf{\textit{false}:} Don't attempt to finitize the datatype.
+\item[\labelitemi] \textbf{\textit{smart}:}
+If the datatype's constructors don't appear in the problem, perform a
+monotonicity analysis to detect whether the datatype can be soundly finitized;
+otherwise, don't finitize it.
+\end{enum}
+
+\nopagebreak
+{\small See also \textit{box} (\S\ref{scope-of-search}), \textit{mono}
+(\S\ref{scope-of-search}), \textit{verbose} (\S\ref{output-format}), and
+\textit{debug} (\S\ref{output-format}).}
+
+\opsmart{finitize}{dont\_finitize}
+Specifies the default finitization setting to use. This can be overridden on a
+per-type basis using the \textit{finitize}~\qty{type} option described above.
+
+\opargboolorsmart{mono}{type}{non\_mono}
+Specifies whether the given type should be considered monotonic when enumerating
+scopes and finitizing types. If the option is set to \textit{smart}, Nitpick
+performs a monotonicity check on the type. Setting this option to \textit{true}
+can reduce the number of scopes tried, but it can also diminish the chance of
+finding a counterexample, as demonstrated in \S\ref{scope-monotonicity}. The
+option is implicitly set to \textit{true} for automatic runs.
+
+\nopagebreak
+{\small See also \textit{card} (\S\ref{scope-of-search}),
+\textit{finitize} (\S\ref{scope-of-search}),
+\textit{merge\_type\_vars} (\S\ref{scope-of-search}), and \textit{verbose}
+(\S\ref{output-format}).}
+
+\opsmart{mono}{non\_mono}
+Specifies the default monotonicity setting to use. This can be overridden on a
+per-type basis using the \textit{mono}~\qty{type} option described above.
+
+\opfalse{merge\_type\_vars}{dont\_merge\_type\_vars}
+Specifies whether type variables with the same sort constraints should be
+merged. Setting this option to \textit{true} can reduce the number of scopes
+tried and the size of the generated Kodkod formulas, but it also diminishes the
+theoretical chance of finding a counterexample.
+
+{\small See also \textit{mono} (\S\ref{scope-of-search}).}
+
+\opargbool{std}{type}{non\_std}
+Specifies whether the given (recursive) datatype should be given standard
+models. Nonstandard models are unsound but can help debug structural induction
+proofs, as explained in \S\ref{inductive-properties}.
+
+\optrue{std}{non\_std}
+Specifies the default standardness to use. This can be overridden on a per-type
+basis using the \textit{std}~\qty{type} option described above.
+\end{enum}
+
+\subsection{Output Format}
+\label{output-format}
+
+\begin{enum}
+\opfalse{verbose}{quiet}
+Specifies whether the \textbf{nitpick} command should explain what it does. This
+option is useful to determine which scopes are tried or which SAT solver is
+used. This option is implicitly disabled for automatic runs.
+
+\opfalse{debug}{no\_debug}
+Specifies whether Nitpick should display additional debugging information beyond
+what \textit{verbose} already displays. Enabling \textit{debug} also enables
+\textit{verbose} and \textit{show\_all} behind the scenes. The \textit{debug}
+option is implicitly disabled for automatic runs.
+
+\nopagebreak
+{\small See also \textit{overlord} (\S\ref{mode-of-operation}) and
+\textit{batch\_size} (\S\ref{optimizations}).}
+
+\opfalse{show\_datatypes}{hide\_datatypes}
+Specifies whether the subsets used to approximate (co)in\-duc\-tive data\-types should
+be displayed as part of counterexamples. Such subsets are sometimes helpful when
+investigating whether a potentially spurious counterexample is genuine, but
+their potential for clutter is real.
+
+\optrue{show\_skolems}{hide\_skolem}
+Specifies whether the values of Skolem constants should be displayed as part of
+counterexamples. Skolem constants correspond to bound variables in the original
+formula and usually help us to understand why the counterexample falsifies the
+formula.
+
+\opfalse{show\_consts}{hide\_consts}
+Specifies whether the values of constants occurring in the formula (including
+its axioms) should be displayed along with any counterexample. These values are
+sometimes helpful when investigating why a counterexample is
+genuine, but they can clutter the output.
+
+\opnodefault{show\_all}{bool}
+Abbreviation for \textit{show\_datatypes}, \textit{show\_skolems}, and
+\textit{show\_consts}.
+
+\opdefault{max\_potential}{int}{\upshape 1}
+Specifies the maximum number of potentially spurious counterexamples to display.
+Setting this option to 0 speeds up the search for a genuine counterexample. This
+option is implicitly set to 0 for automatic runs. If you set this option to a
+value greater than 1, you will need an incremental SAT solver, such as
+\textit{MiniSat\_JNI} (recommended) and \textit{SAT4J}. Be aware that many of
+the counterexamples may be identical.
+
+\nopagebreak
+{\small See also \textit{check\_potential} (\S\ref{authentication}) and
+\textit{sat\_solver} (\S\ref{optimizations}).}
+
+\opdefault{max\_genuine}{int}{\upshape 1}
+Specifies the maximum number of genuine counterexamples to display. If you set
+this option to a value greater than 1, you will need an incremental SAT solver,
+such as \textit{MiniSat\_JNI} (recommended) and \textit{SAT4J}. Be aware that
+many of the counterexamples may be identical.
+
+\nopagebreak
+{\small See also \textit{check\_genuine} (\S\ref{authentication}) and
+\textit{sat\_solver} (\S\ref{optimizations}).}
+
+\opnodefault{eval}{term\_list}
+Specifies the list of terms whose values should be displayed along with
+counterexamples. This option suffers from an ``observer effect'': Nitpick might
+find different counterexamples for different values of this option.
+
+\oparg{atoms}{type}{string\_list}
+Specifies the names to use to refer to the atoms of the given type. By default,
+Nitpick generates names of the form $a_1, \ldots, a_n$, where $a$ is the first
+letter of the type's name.
+
+\opnodefault{atoms}{string\_list}
+Specifies the default names to use to refer to atoms of any type. For example,
+to call the three atoms of type ${'}a$ \textit{ichi}, \textit{ni}, and
+\textit{san} instead of $a_1$, $a_2$, $a_3$, specify the option
+``\textit{atoms}~${'}a$ = \textit{ichi~ni~san}''. The default names can be
+overridden on a per-type basis using the \textit{atoms}~\qty{type} option
+described above.
+
+\oparg{format}{term}{int\_seq}
+Specifies how to uncurry the value displayed for a variable or constant.
+Uncurrying sometimes increases the readability of the output for high-arity
+functions. For example, given the variable $y \mathbin{\Colon} {'a}\Rightarrow
+{'b}\Rightarrow {'c}\Rightarrow {'d}\Rightarrow {'e}\Rightarrow {'f}\Rightarrow
+{'g}$, setting \textit{format}~$y$ = 3 tells Nitpick to group the last three
+arguments, as if the type had been ${'a}\Rightarrow {'b}\Rightarrow
+{'c}\Rightarrow {'d}\times {'e}\times {'f}\Rightarrow {'g}$. In general, a list
+of values $n_1,\ldots,n_k$ tells Nitpick to show the last $n_k$ arguments as an
+$n_k$-tuple, the previous $n_{k-1}$ arguments as an $n_{k-1}$-tuple, and so on;
+arguments that are not accounted for are left alone, as if the specification had
+been $1,\ldots,1,n_1,\ldots,n_k$.
+
+\opdefault{format}{int\_seq}{\upshape 1}
+Specifies the default format to use. Irrespective of the default format, the
+extra arguments to a Skolem constant corresponding to the outer bound variables
+are kept separated from the remaining arguments, the \textbf{for} arguments of
+an inductive definitions are kept separated from the remaining arguments, and
+the iteration counter of an unrolled inductive definition is shown alone. The
+default format can be overridden on a per-variable or per-constant basis using
+the \textit{format}~\qty{term} option described above.
+\end{enum}
+
+\subsection{Authentication}
+\label{authentication}
+
+\begin{enum}
+\opfalse{check\_potential}{trust\_potential}
+Specifies whether potentially spurious counterexamples should be given to
+Isabelle's \textit{auto} tactic to assess their validity. If a potentially
+spurious counterexample is shown to be genuine, Nitpick displays a message to
+this effect and terminates.
+
+\nopagebreak
+{\small See also \textit{max\_potential} (\S\ref{output-format}).}
+
+\opfalse{check\_genuine}{trust\_genuine}
+Specifies whether genuine and quasi genuine counterexamples should be given to
+Isabelle's \textit{auto} tactic to assess their validity. If a ``genuine''
+counterexample is shown to be spurious, the user is kindly asked to send a bug
+report to the author at \authoremail.
+
+\nopagebreak
+{\small See also \textit{max\_genuine} (\S\ref{output-format}).}
+
+\opnodefault{expect}{string}
+Specifies the expected outcome, which must be one of the following:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{genuine}:} Nitpick found a genuine counterexample.
+\item[\labelitemi] \textbf{\textit{quasi\_genuine}:} Nitpick found a ``quasi
+genuine'' counterexample (i.e., a counterexample that is genuine unless
+it contradicts a missing axiom or a dangerous option was used inappropriately).
+\item[\labelitemi] \textbf{\textit{potential}:} Nitpick found a potentially
+spurious counterexample.
+\item[\labelitemi] \textbf{\textit{none}:} Nitpick found no counterexample.
+\item[\labelitemi] \textbf{\textit{unknown}:} Nitpick encountered some problem (e.g.,
+Kodkod ran out of memory).
+\end{enum}
+
+Nitpick emits an error if the actual outcome differs from the expected outcome.
+This option is useful for regression testing.
+\end{enum}
+
+\subsection{Optimizations}
+\label{optimizations}
+
+\def\cpp{C\nobreak\raisebox{.1ex}{+}\nobreak\raisebox{.1ex}{+}}
+
+\sloppy
+
+\begin{enum}
+\opdefault{sat\_solver}{string}{smart}
+Specifies which SAT solver to use. SAT solvers implemented in C or \cpp{} tend
+to be faster than their Java counterparts, but they can be more difficult to
+install. Also, if you set the \textit{max\_potential} (\S\ref{output-format}) or
+\textit{max\_genuine} (\S\ref{output-format}) option to a value greater than 1,
+you will need an incremental SAT solver, such as \textit{MiniSat\_JNI}
+(recommended) or \textit{SAT4J}.
+
+The supported solvers are listed below:
+
+\begin{enum}
+
+\item[\labelitemi] \textbf{\textit{CryptoMiniSat}:} CryptoMiniSat is the winner of
+the 2010 SAT Race. To use CryptoMiniSat, set the environment variable
+\texttt{CRYPTO\-MINISAT\_}\discretionary{}{}{}\texttt{HOME} to the directory that contains the \texttt{crypto\-minisat}
+executable.%
+\footnote{Important note for Cygwin users: The path must be specified using
+native Windows syntax. Make sure to escape backslashes properly.%
+\label{cygwin-paths}}
+The \cpp{} sources and executables for Crypto\-Mini\-Sat are available at
+\url{http://planete.inrialpes.fr/~soos/}\allowbreak\url{CryptoMiniSat2/index.php}.
+Nitpick has been tested with version 2.51.
+
+\item[\labelitemi] \textbf{\textit{CryptoMiniSat\_JNI}:} The JNI (Java Native
+Interface) version of CryptoMiniSat is bundled with Kodkodi and is precompiled
+for Linux and Mac~OS~X. It is also available from the Kodkod web site
+\cite{kodkod-2009}.
+
+\item[\labelitemi] \textbf{\textit{Lingeling\_JNI}:}
+Lingeling is an efficient solver written in C. The JNI (Java Native Interface)
+version of Lingeling is bundled with Kodkodi and is precompiled for Linux and
+Mac~OS~X. It is also available from the Kodkod web site \cite{kodkod-2009}.
+
+\item[\labelitemi] \textbf{\textit{MiniSat}:} MiniSat is an efficient solver
+written in \cpp{}. To use MiniSat, set the environment variable
+\texttt{MINISAT\_HOME} to the directory that contains the \texttt{minisat}
+executable.%
+\footref{cygwin-paths}
+The \cpp{} sources and executables for MiniSat are available at
+\url{http://minisat.se/MiniSat.html}. Nitpick has been tested with versions 1.14
+and 2.2.
+
+\item[\labelitemi] \textbf{\textit{MiniSat\_JNI}:} The JNI
+version of MiniSat is bundled with Kodkodi and is precompiled for Linux,
+Mac~OS~X, and Windows (Cygwin). It is also available from the Kodkod web site
+\cite{kodkod-2009}. Unlike the standard version of MiniSat, the JNI version can
+be used incrementally.
+
+\item[\labelitemi] \textbf{\textit{zChaff}:} zChaff is an older solver written
+in \cpp{}. To use zChaff, set the environment variable \texttt{ZCHAFF\_HOME} to
+the directory that contains the \texttt{zchaff} executable.%
+\footref{cygwin-paths}
+The \cpp{} sources and executables for zChaff are available at
+\url{http://www.princeton.edu/~chaff/zchaff.html}. Nitpick has been tested with
+versions 2004-05-13, 2004-11-15, and 2007-03-12.
+
+\item[\labelitemi] \textbf{\textit{RSat}:} RSat is an efficient solver written in
+\cpp{}. To use RSat, set the environment variable \texttt{RSAT\_HOME} to the
+directory that contains the \texttt{rsat} executable.%
+\footref{cygwin-paths}
+The \cpp{} sources for RSat are available at
+\url{http://reasoning.cs.ucla.edu/rsat/}. Nitpick has been tested with version
+2.01.
+
+\item[\labelitemi] \textbf{\textit{BerkMin}:} BerkMin561 is an efficient solver
+written in C. To use BerkMin, set the environment variable
+\texttt{BERKMIN\_HOME} to the directory that contains the \texttt{BerkMin561}
+executable.\footref{cygwin-paths}
+The BerkMin executables are available at
+\url{http://eigold.tripod.com/BerkMin.html}.
+
+\item[\labelitemi] \textbf{\textit{BerkMin\_Alloy}:} Variant of BerkMin that is
+included with Alloy 4 and calls itself ``sat56'' in its banner text. To use this
+version of BerkMin, set the environment variable
+\texttt{BERKMINALLOY\_HOME} to the directory that contains the \texttt{berkmin}
+executable.%
+\footref{cygwin-paths}
+
+\item[\labelitemi] \textbf{\textit{SAT4J}:} SAT4J is a reasonably efficient solver
+written in Java that can be used incrementally. It is bundled with Kodkodi and
+requires no further installation or configuration steps. Do not attempt to
+install the official SAT4J packages, because their API is incompatible with
+Kodkod.
+
+\item[\labelitemi] \textbf{\textit{SAT4J\_Light}:} Variant of SAT4J that is
+optimized for small problems. It can also be used incrementally.
+
+\item[\labelitemi] \textbf{\textit{smart}:} If \textit{sat\_solver} is set to
+\textit{smart}, Nitpick selects the first solver among the above that is
+recognized by Isabelle. If \textit{verbose} (\S\ref{output-format}) is enabled,
+Nitpick displays which SAT solver was chosen.
+\end{enum}
+\fussy
+
+\opdefault{batch\_size}{smart\_int}{smart}
+Specifies the maximum number of Kodkod problems that should be lumped together
+when invoking Kodkodi. Each problem corresponds to one scope. Lumping problems
+together ensures that Kodkodi is launched less often, but it makes the verbose
+output less readable and is sometimes detrimental to performance. If
+\textit{batch\_size} is set to \textit{smart}, the actual value used is 1 if
+\textit{debug} (\S\ref{output-format}) is set and 50 otherwise.
+
+\optrue{destroy\_constrs}{dont\_destroy\_constrs}
+Specifies whether formulas involving (co)in\-duc\-tive datatype constructors should
+be rewritten to use (automatically generated) discriminators and destructors.
+This optimization can drastically reduce the size of the Boolean formulas given
+to the SAT solver.
+
+\nopagebreak
+{\small See also \textit{debug} (\S\ref{output-format}).}
+
+\optrue{specialize}{dont\_specialize}
+Specifies whether functions invoked with static arguments should be specialized.
+This optimization can drastically reduce the search space, especially for
+higher-order functions.
+
+\nopagebreak
+{\small See also \textit{debug} (\S\ref{output-format}) and
+\textit{show\_consts} (\S\ref{output-format}).}
+
+\optrue{star\_linear\_preds}{dont\_star\_linear\_preds}
+Specifies whether Nitpick should use Kodkod's transitive closure operator to
+encode non-well-founded ``linear inductive predicates,'' i.e., inductive
+predicates for which each the predicate occurs in at most one assumption of each
+introduction rule. Using the reflexive transitive closure is in principle
+equivalent to setting \textit{iter} to the cardinality of the predicate's
+domain, but it is usually more efficient.
+
+{\small See also \textit{wf} (\S\ref{scope-of-search}), \textit{debug}
+(\S\ref{output-format}), and \textit{iter} (\S\ref{scope-of-search}).}
+
+\opnodefault{whack}{term\_list}
+Specifies a list of atomic terms (usually constants, but also free and schematic
+variables) that should be taken as being $\unk$ (unknown). This can be useful to
+reduce the size of the Kodkod problem if you can guess in advance that a
+constant might not be needed to find a countermodel.
+
+{\small See also \textit{debug} (\S\ref{output-format}).}
+
+\opnodefault{need}{term\_list}
+Specifies a list of datatype values (normally ground constructor terms) that
+should be part of the subterm-closed subsets used to approximate datatypes. If
+you know that a value must necessarily belong to the subset of representable
+values that approximates a datatype, specifying it can speed up the search,
+especially for high cardinalities.
+%By default, Nitpick inspects the conjecture to infer needed datatype values.
+
+\opsmart{total\_consts}{partial\_consts}
+Specifies whether constants occurring in the problem other than constructors can
+be assumed to be considered total for the representable values that approximate
+a datatype. This option is highly incomplete; it should be used only for
+problems that do not construct datatype values explicitly. Since this option is
+(in rare cases) unsound, counterexamples generated under these conditions are
+tagged as ``quasi genuine.''
+
+\opdefault{datatype\_sym\_break}{int}{\upshape 5}
+Specifies an upper bound on the number of datatypes for which Nitpick generates
+symmetry breaking predicates. Symmetry breaking can speed up the SAT solver
+considerably, especially for unsatisfiable problems, but too much of it can slow
+it down.
+
+\opdefault{kodkod\_sym\_break}{int}{\upshape 15}
+Specifies an upper bound on the number of relations for which Kodkod generates
+symmetry breaking predicates. Symmetry breaking can speed up the SAT solver
+considerably, especially for unsatisfiable problems, but too much of it can slow
+it down.
+
+\optrue{peephole\_optim}{no\_peephole\_optim}
+Specifies whether Nitpick should simplify the generated Kodkod formulas using a
+peephole optimizer. These optimizations can make a significant difference.
+Unless you are tracking down a bug in Nitpick or distrust the peephole
+optimizer, you should leave this option enabled.
+
+\opdefault{max\_threads}{int}{\upshape 0}
+Specifies the maximum number of threads to use in Kodkod. If this option is set
+to 0, Kodkod will compute an appropriate value based on the number of processor
+cores available. The option is implicitly set to 1 for automatic runs.
+
+\nopagebreak
+{\small See also \textit{batch\_size} (\S\ref{optimizations}) and
+\textit{timeout} (\S\ref{timeouts}).}
+\end{enum}
+
+\subsection{Timeouts}
+\label{timeouts}
+
+\begin{enum}
+\opdefault{timeout}{float\_or\_none}{\upshape 30}
+Specifies the maximum number of seconds that the \textbf{nitpick} command should
+spend looking for a counterexample. Nitpick tries to honor this constraint as
+well as it can but offers no guarantees. For automatic runs,
+\textit{timeout} is ignored; instead, Auto Quickcheck and Auto Nitpick share
+a time slot whose length is specified by the ``Auto Counterexample Time
+Limit'' option in Proof General.
+
+\nopagebreak
+{\small See also \textit{max\_threads} (\S\ref{optimizations}).}
+
+\opdefault{tac\_timeout}{float\_or\_none}{\upshape 0.5}
+Specifies the maximum number of seconds that should be used by internal
+tactics---\textit{lexicographic\_order} and \textit{size\_change} when checking
+whether a (co)in\-duc\-tive predicate is well-founded, \textit{auto} tactic when
+checking a counterexample, or the monotonicity inference. Nitpick tries to honor
+this constraint but offers no guarantees.
+
+\nopagebreak
+{\small See also \textit{wf} (\S\ref{scope-of-search}),
+\textit{mono} (\S\ref{scope-of-search}),
+\textit{check\_potential} (\S\ref{authentication}),
+and \textit{check\_genuine} (\S\ref{authentication}).}
+\end{enum}
+
+\section{Attribute Reference}
+\label{attribute-reference}
+
+Nitpick needs to consider the definitions of all constants occurring in a
+formula in order to falsify it. For constants introduced using the
+\textbf{definition} command, the definition is simply the associated
+\textit{\_def} axiom. In contrast, instead of using the internal representation
+of functions synthesized by Isabelle's \textbf{primrec}, \textbf{function}, and
+\textbf{nominal\_primrec} packages, Nitpick relies on the more natural
+equational specification entered by the user.
+
+Behind the scenes, Isabelle's built-in packages and theories rely on the
+following attributes to affect Nitpick's behavior:
+
+\begin{enum}
+\flushitem{\textit{nitpick\_unfold}}
+
+\nopagebreak
+This attribute specifies an equation that Nitpick should use to expand a
+constant. The equation should be logically equivalent to the constant's actual
+definition and should be of the form
+
+\qquad $c~{?}x_1~\ldots~{?}x_n \,=\, t$,
+
+or
+
+\qquad $c~{?}x_1~\ldots~{?}x_n \,\equiv\, t$,
+
+where ${?}x_1, \ldots, {?}x_n$ are distinct variables and $c$ does not occur in
+$t$. Each occurrence of $c$ in the problem is expanded to $\lambda x_1\,\ldots
+x_n.\; t$.
+
+\flushitem{\textit{nitpick\_simp}}
+
+\nopagebreak
+This attribute specifies the equations that constitute the specification of a
+constant. The \textbf{primrec}, \textbf{function}, and
+\textbf{nominal\_\allowbreak primrec} packages automatically attach this
+attribute to their \textit{simps} rules. The equations must be of the form
+
+\qquad $c~t_1~\ldots\ t_n \;\bigl[{=}\; u\bigr]$
+
+or
+
+\qquad $c~t_1~\ldots\ t_n \,\equiv\, u.$
+
+\flushitem{\textit{nitpick\_psimp}}
+
+\nopagebreak
+This attribute specifies the equations that constitute the partial specification
+of a constant. The \textbf{function} package automatically attaches this
+attribute to its \textit{psimps} rules. The conditional equations must be of the
+form
+
+\qquad $\lbrakk P_1;\> \ldots;\> P_m\rbrakk \,\Longrightarrow\, c\ t_1\ \ldots\ t_n \;\bigl[{=}\; u\bigr]$
+
+or
+
+\qquad $\lbrakk P_1;\> \ldots;\> P_m\rbrakk \,\Longrightarrow\, c\ t_1\ \ldots\ t_n \,\equiv\, u$.
+
+\flushitem{\textit{nitpick\_choice\_spec}}
+
+\nopagebreak
+This attribute specifies the (free-form) specification of a constant defined
+using the \hbox{(\textbf{ax\_})}\allowbreak\textbf{specification} command.
+\end{enum}
+
+When faced with a constant, Nitpick proceeds as follows:
+
+\begin{enum}
+\item[1.] If the \textit{nitpick\_simp} set associated with the constant
+is not empty, Nitpick uses these rules as the specification of the constant.
+
+\item[2.] Otherwise, if the \textit{nitpick\_psimp} set associated with
+the constant is not empty, it uses these rules as the specification of the
+constant.
+
+\item[3.] Otherwise, if the constant was defined using the
+\hbox{(\textbf{ax\_})}\allowbreak\textbf{specification} command and the
+\textit{nitpick\_choice\_spec} set associated with the constant is not empty, it
+uses these theorems as the specification of the constant.
+
+\item[4.] Otherwise, it looks up the definition of the constant. If the
+\textit{nitpick\_unfold} set associated with the constant is not empty, it uses
+the latest rule added to the set as the definition of the constant; otherwise it
+uses the actual definition axiom.
+
+\begin{enum}
+\item[1.] If the definition is of the form
+
+\qquad $c~{?}x_1~\ldots~{?}x_m \,\equiv\, \lambda y_1~\ldots~y_n.\; \textit{lfp}~(\lambda f.\; t)$
+
+or
+
+\qquad $c~{?}x_1~\ldots~{?}x_m \,\equiv\, \lambda y_1~\ldots~y_n.\; \textit{gfp}~(\lambda f.\; t).$
+
+Nitpick assumes that the definition was made using a (co)inductive package
+based on the user-specified introduction rules registered in Isabelle's internal
+\textit{Spec\_Rules} table. The tool uses the introduction rules to ascertain
+whether the definition is well-founded and the definition to generate a
+fixed-point equation or an unrolled equation.
+
+\item[2.] If the definition is compact enough, the constant is \textsl{unfolded}
+wherever it appears; otherwise, it is defined equationally, as with
+the \textit{nitpick\_simp} attribute.
+\end{enum}
+\end{enum}
+
+As an illustration, consider the inductive definition
+
+\prew
+\textbf{inductive}~\textit{odd}~\textbf{where} \\
+``\textit{odd}~1'' $\,\mid$ \\
+``\textit{odd}~$n\,\Longrightarrow\, \textit{odd}~(\textit{Suc}~(\textit{Suc}~n))$''
+\postw
+
+By default, Nitpick uses the \textit{lfp}-based definition in conjunction with
+the introduction rules. To override this, you can specify an alternative
+definition as follows:
+
+\prew
+\textbf{lemma} $\mathit{odd\_alt\_unfold}$ [\textit{nitpick\_unfold}]:\kern.4em ``$\textit{odd}~n \,\equiv\, n~\textrm{mod}~2 = 1$''
+\postw
+
+Nitpick then expands all occurrences of $\mathit{odd}~n$ to $n~\textrm{mod}~2
+= 1$. Alternatively, you can specify an equational specification of the constant:
+
+\prew
+\textbf{lemma} $\mathit{odd\_simp}$ [\textit{nitpick\_simp}]:\kern.4em ``$\textit{odd}~n = (n~\textrm{mod}~2 = 1)$''
+\postw
+
+Such tweaks should be done with great care, because Nitpick will assume that the
+constant is completely defined by its equational specification. For example, if
+you make ``$\textit{odd}~(2 * k + 1)$'' a \textit{nitpick\_simp} rule and neglect to provide rules to handle the $2 * k$ case, Nitpick will define
+$\textit{odd}~n$ arbitrarily for even values of $n$. The \textit{debug}
+(\S\ref{output-format}) option is extremely useful to understand what is going
+on when experimenting with \textit{nitpick\_} attributes.
+
+Because of its internal three-valued logic, Nitpick tends to lose a
+lot of precision in the presence of partially specified constants. For example,
+
+\prew
+\textbf{lemma} \textit{odd\_simp} [\textit{nitpick\_simp}]:\kern.4em ``$\textit{odd~x} = \lnot\, \textit{even}~x$''
+\postw
+
+is superior to
+
+\prew
+\textbf{lemma} \textit{odd\_psimps} [\textit{nitpick\_simp}]: \\
+``$\textit{even~x} \,\Longrightarrow\, \textit{odd~x} = \textit{False\/}$'' \\
+``$\lnot\, \textit{even~x} \,\Longrightarrow\, \textit{odd~x} = \textit{True\/}$''
+\postw
+
+Because Nitpick sometimes unfolds definitions but never simplification rules,
+you can ensure that a constant is defined explicitly using the
+\textit{nitpick\_simp}. For example:
+
+\prew
+\textbf{definition}~\textit{optimum} \textbf{where} [\textit{nitpick\_simp}]: \\
+``$\textit{optimum}~t =
+ (\forall u.\; \textit{consistent}~u \mathrel{\land} \textit{alphabet}~t = \textit{alphabet}~u$ \\
+\phantom{``$\textit{optimum}~t = (\forall u.\;$}${\mathrel{\land}}\; \textit{freq}~t = \textit{freq}~u \longrightarrow
+ \textit{cost}~t \le \textit{cost}~u)$''
+\postw
+
+In some rare occasions, you might want to provide an inductive or coinductive
+view on top of an existing constant $c$. The easiest way to achieve this is to
+define a new constant $c'$ (co)inductively. Then prove that $c$ equals $c'$
+and let Nitpick know about it:
+
+\prew
+\textbf{lemma} \textit{c\_alt\_unfold} [\textit{nitpick\_unfold}]:\kern.4em ``$c \equiv c'$\kern2pt ''
+\postw
+
+This ensures that Nitpick will substitute $c'$ for $c$ and use the (co)inductive
+definition.
+
+\section{Standard ML Interface}
+\label{standard-ml-interface}
+
+Nitpick provides a rich Standard ML interface used mainly for internal purposes
+and debugging. Among the most interesting functions exported by Nitpick are
+those that let you invoke the tool programmatically and those that let you
+register and unregister custom coinductive datatypes as well as term
+postprocessors.
+
+\subsection{Invocation of Nitpick}
+\label{invocation-of-nitpick}
+
+The \textit{Nitpick} structure offers the following functions for invoking your
+favorite counterexample generator:
+
+\prew
+$\textbf{val}\,~\textit{pick\_nits\_in\_term} : \\
+\hbox{}\quad\textit{Proof.state} \rightarrow \textit{params} \rightarrow \textit{mode}
+\rightarrow \textit{int} \rightarrow \textit{int} \rightarrow \textit{int}$ \\
+$\hbox{}\quad{\rightarrow}\; (\textit{term} * \textit{term})~\textit{list}
+\rightarrow \textit{term~list} \rightarrow \textit{term} \rightarrow \textit{string} * \textit{Proof.state}$ \\
+$\textbf{val}\,~\textit{pick\_nits\_in\_subgoal} : \\
+\hbox{}\quad\textit{Proof.state} \rightarrow \textit{params} \rightarrow \textit{mode} \rightarrow \textit{int} \rightarrow \textit{int} \rightarrow \textit{string} * \textit{Proof.state}$
+\postw
+
+The return value is a new proof state paired with an outcome string
+(``genuine'', ``quasi\_genuine'', ``potential'', ``none'', or ``unknown''). The
+\textit{params} type is a large record that lets you set Nitpick's options. The
+current default options can be retrieved by calling the following function
+defined in the \textit{Nitpick\_Isar} structure:
+
+\prew
+$\textbf{val}\,~\textit{default\_params} :\,
+\textit{theory} \rightarrow (\textit{string} * \textit{string})~\textit{list} \rightarrow \textit{params}$
+\postw
+
+The second argument lets you override option values before they are parsed and
+put into a \textit{params} record. Here is an example where Nitpick is invoked
+on subgoal $i$ of $n$ with no time limit:
+
+\prew
+$\textbf{val}\,~\textit{params} = \textit{Nitpick\_Isar.default\_params}~\textit{thy}~[(\textrm{``}\textrm{timeout\/}\textrm{''},\, \textrm{``}\textrm{none}\textrm{''})]$ \\
+$\textbf{val}\,~(\textit{outcome},\, \textit{state}') = {}$ \\
+$\hbox{}\quad\textit{Nitpick.pick\_nits\_in\_subgoal}~\textit{state}~\textit{params}~\textit{Nitpick.Normal}~\textit{i}~\textit{n}$
+\postw
+
+\let\antiq=\textrm
+
+\subsection{Registration of Coinductive Datatypes}
+\label{registration-of-coinductive-datatypes}
+
+If you have defined a custom coinductive datatype, you can tell Nitpick about
+it, so that it can use an efficient Kodkod axiomatization similar to the one it
+uses for lazy lists. The interface for registering and unregistering coinductive
+datatypes consists of the following pair of functions defined in the
+\textit{Nitpick\_HOL} structure:
+
+\prew
+$\textbf{val}\,~\textit{register\_codatatype\/} : {}$ \\
+$\hbox{}\quad\textit{morphism} \rightarrow \textit{typ} \rightarrow \textit{string} \rightarrow (\textit{string} \times \textit{typ})\;\textit{list} \rightarrow \textit{Context.generic} {}$ \\
+$\hbox{}\quad{\rightarrow}\; \textit{Context.generic}$ \\
+$\textbf{val}\,~\textit{unregister\_codatatype\/} : {}$ \\
+$\hbox{}\quad\textit{morphism} \rightarrow \textit{typ} \rightarrow \textit{Context.generic} \rightarrow \textit{Context.generic} {}$
+\postw
+
+The type $'a~\textit{llist}$ of lazy lists is already registered; had it
+not been, you could have told Nitpick about it by adding the following line
+to your theory file:
+
+\prew
+$\textbf{declaration}~\,\{{*}$ \\
+$\hbox{}\quad\textit{Nitpick\_HOL.register\_codatatype}~@\{\antiq{typ}~``\kern1pt'a~\textit{llist\/}\textrm{''}\}$ \\
+$\hbox{}\qquad\quad @\{\antiq{const\_name}~ \textit{llist\_case}\}$ \\
+$\hbox{}\qquad\quad (\textit{map}~\textit{dest\_Const}~[@\{\antiq{term}~\textit{LNil}\},\, @\{\antiq{term}~\textit{LCons}\}])$ \\
+${*}\}$
+\postw
+
+The \textit{register\_codatatype} function takes a coinductive datatype, its
+case function, and the list of its constructors (in addition to the current
+morphism and generic proof context). The case function must take its arguments
+in the order that the constructors are listed. If no case function with the
+correct signature is available, simply pass the empty string.
+
+On the other hand, if your goal is to cripple Nitpick, add the following line to
+your theory file and try to check a few conjectures about lazy lists:
+
+\prew
+$\textbf{declaration}~\,\{{*}$ \\
+$\hbox{}\quad\textit{Nitpick\_HOL.unregister\_codatatype}~@\{\antiq{typ}~``\kern1pt'a~\textit{llist\/}\textrm{''}\}$ \\
+${*}\}$
+\postw
+
+Inductive datatypes can be registered as coinductive datatypes, given
+appropriate coinductive constructors. However, doing so precludes
+the use of the inductive constructors---Nitpick will generate an error if they
+are needed.
+
+\subsection{Registration of Term Postprocessors}
+\label{registration-of-term-postprocessors}
+
+It is possible to change the output of any term that Nitpick considers a
+datatype by registering a term postprocessor. The interface for registering and
+unregistering postprocessors consists of the following pair of functions defined
+in the \textit{Nitpick\_Model} structure:
+
+\prew
+$\textbf{type}\,~\textit{term\_postprocessor}\,~{=} {}$ \\
+$\hbox{}\quad\textit{Proof.context} \rightarrow \textit{string} \rightarrow (\textit{typ} \rightarrow \textit{term~list\/}) \rightarrow \textit{typ} \rightarrow \textit{term} \rightarrow \textit{term}$ \\
+$\textbf{val}\,~\textit{register\_term\_postprocessor} : {}$ \\
+$\hbox{}\quad\textit{typ} \rightarrow \textit{term\_postprocessor} \rightarrow \textit{morphism} \rightarrow \textit{Context.generic}$ \\
+$\hbox{}\quad{\rightarrow}\; \textit{Context.generic}$ \\
+$\textbf{val}\,~\textit{unregister\_term\_postprocessor} : {}$ \\
+$\hbox{}\quad\textit{typ} \rightarrow \textit{morphism} \rightarrow \textit{Context.generic} \rightarrow \textit{Context.generic}$
+\postw
+
+\S\ref{typedefs-quotient-types-records-rationals-and-reals} and
+\texttt{src/HOL/Library/Multiset.thy} illustrate this feature in context.
+
+\section{Known Bugs and Limitations}
+\label{known-bugs-and-limitations}
+
+Here are the known bugs and limitations in Nitpick at the time of writing:
+
+\begin{enum}
+\item[\labelitemi] Underspecified functions defined using the \textbf{primrec},
+\textbf{function}, or \textbf{nominal\_\allowbreak primrec} packages can lead
+Nitpick to generate spurious counterexamples for theorems that refer to values
+for which the function is not defined. For example:
+
+\prew
+\textbf{primrec} \textit{prec} \textbf{where} \\
+``$\textit{prec}~(\textit{Suc}~n) = n$'' \\[2\smallskipamount]
+\textbf{lemma} ``$\textit{prec}~0 = \textit{undefined\/}$'' \\
+\textbf{nitpick} \\[2\smallskipamount]
+\quad{\slshape Nitpick found a counterexample for \textit{card nat}~= 2:
+\nopagebreak
+\\[2\smallskipamount]
+\hbox{}\qquad Empty assignment} \nopagebreak\\[2\smallskipamount]
+\textbf{by}~(\textit{auto simp}:~\textit{prec\_def})
+\postw
+
+Such theorems are generally considered bad style because they rely on the
+internal representation of functions synthesized by Isabelle, an implementation
+detail.
+
+\item[\labelitemi] Similarly, Nitpick might find spurious counterexamples for
+theorems that rely on the use of the indefinite description operator internally
+by \textbf{specification} and \textbf{quot\_type}.
+
+\item[\labelitemi] Axioms or definitions that restrict the possible values of the
+\textit{undefined} constant or other partially specified built-in Isabelle
+constants (e.g., \textit{Abs\_} and \textit{Rep\_} constants) are in general
+ignored. Again, such nonconservative extensions are generally considered bad
+style.
+
+\item[\labelitemi] Nitpick maintains a global cache of wellfoundedness conditions,
+which can become invalid if you change the definition of an inductive predicate
+that is registered in the cache. To clear the cache,
+run Nitpick with the \textit{tac\_timeout} option set to a new value (e.g.,
+$0.51$).
+
+\item[\labelitemi] Nitpick produces spurious counterexamples when invoked after a
+\textbf{guess} command in a structured proof.
+
+\item[\labelitemi] The \textit{nitpick\_xxx} attributes and the
+\textit{Nitpick\_xxx.register\_yyy} functions can cause havoc if used
+improperly.
+
+\item[\labelitemi] Although this has never been observed, arbitrary theorem
+morphisms could possibly confuse Nitpick, resulting in spurious counterexamples.
+
+\item[\labelitemi] All constants, types, free variables, and schematic variables
+whose names start with \textit{Nitpick}{.} are reserved for internal use.
+\end{enum}
+
+\let\em=\sl
+\bibliography{manual}{}
+\bibliographystyle{abbrv}
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/Basics.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,149 @@
+(*<*)
+theory Basics
+imports Main
+begin
+(*>*)
+text{*
+This chapter introduces HOL as a functional programming language and shows
+how to prove properties of functional programs by induction.
+
+\section{Basics}
+
+\subsection{Types, Terms and Formulae}
+\label{sec:TypesTermsForms}
+
+HOL is a typed logic whose type system resembles that of functional
+programming languages. Thus there are
+\begin{description}
+\item[base types,]
+in particular @{typ bool}, the type of truth values,
+@{typ nat}, the type of natural numbers ($\mathbb{N}$), and @{typ int},
+the type of mathematical integers ($\mathbb{Z}$).
+\item[type constructors,]
+ in particular @{text list}, the type of
+lists, and @{text set}, the type of sets. Type constructors are written
+postfix, e.g.\ @{typ "nat list"} is the type of lists whose elements are
+natural numbers.
+\item[function types,]
+denoted by @{text"\<Rightarrow>"}.
+\item[type variables,]
+ denoted by @{typ 'a}, @{typ 'b} etc., just like in ML\@.
+\end{description}
+
+\concept{Terms} are formed as in functional programming by
+applying functions to arguments. If @{text f} is a function of type
+@{text"\<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2"} and @{text t} is a term of type
+@{text"\<tau>\<^isub>1"} then @{term"f t"} is a term of type @{text"\<tau>\<^isub>2"}. We write @{text "t :: \<tau>"} to mean that term @{text t} has type @{text \<tau>}.
+
+\begin{warn}
+There are many predefined infix symbols like @{text "+"} and @{text"\<le>"}.
+The name of the corresponding binary function is @{term"op +"},
+not just @{text"+"}. That is, @{term"x + y"} is syntactic sugar for
+\noquotes{@{term[source]"op + x y"}}.
+\end{warn}
+
+HOL also supports some basic constructs from functional programming:
+\begin{quote}
+@{text "(if b then t\<^isub>1 else t\<^isub>2)"}\\
+@{text "(let x = t in u)"}\\
+@{text "(case t of pat\<^isub>1 \<Rightarrow> t\<^isub>1 | \<dots> | pat\<^isub>n \<Rightarrow> t\<^isub>n)"}
+\end{quote}
+\begin{warn}
+The above three constructs must always be enclosed in parentheses
+if they occur inside other constructs.
+\end{warn}
+Terms may also contain @{text "\<lambda>"}-abstractions. For example,
+@{term "\<lambda>x. x"} is the identity function.
+
+\concept{Formulae} are terms of type @{text bool}.
+There are the basic constants @{term True} and @{term False} and
+the usual logical connectives (in decreasing order of precedence):
+@{text"\<not>"}, @{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"}.
+
+\concept{Equality} is available in the form of the infix function @{text "="}
+of type @{typ "'a \<Rightarrow> 'a \<Rightarrow> bool"}. It also works for formulas, where
+it means ``if and only if''.
+
+\concept{Quantifiers} are written @{prop"\<forall>x. P"} and @{prop"\<exists>x. P"}.
+
+Isabelle automatically computes the type of each variable in a term. This is
+called \concept{type inference}. Despite type inference, it is sometimes
+necessary to attach explicit \concept{type constraints} (or \concept{type
+annotations}) to a variable or term. The syntax is @{text "t :: \<tau>"} as in
+\mbox{\noquotes{@{prop[source] "m < (n::nat)"}}}. Type constraints may be
+needed to
+disambiguate terms involving overloaded functions such as @{text "+"}, @{text
+"*"} and @{text"\<le>"}.
+
+Finally there are the universal quantifier @{text"\<And>"} and the implication
+@{text"\<Longrightarrow>"}. They are part of the Isabelle framework, not the logic
+HOL. Logically, they agree with their HOL counterparts @{text"\<forall>"} and
+@{text"\<longrightarrow>"}, but operationally they behave differently. This will become
+clearer as we go along.
+\begin{warn}
+Right-arrows of all kinds always associate to the right. In particular,
+the formula
+@{text"A\<^isub>1 \<Longrightarrow> A\<^isub>2 \<Longrightarrow> A\<^isub>3"} means @{text "A\<^isub>1 \<Longrightarrow> (A\<^isub>2 \<Longrightarrow> A\<^isub>3)"}.
+The (Isabelle specific) notation \mbox{@{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}}
+is short for the iterated implication \mbox{@{text"A\<^isub>1 \<Longrightarrow> \<dots> \<Longrightarrow> A\<^isub>n \<Longrightarrow> A"}}.
+Sometimes we also employ inference rule notation:
+\inferrule{\mbox{@{text "A\<^isub>1"}}\\ \mbox{@{text "\<dots>"}}\\ \mbox{@{text "A\<^isub>n"}}}
+{\mbox{@{text A}}}
+\end{warn}
+
+
+\subsection{Theories}
+\label{sec:Basic:Theories}
+
+Roughly speaking, a \concept{theory} is a named collection of types,
+functions, and theorems, much like a module in a programming language.
+All the Isabelle text that you ever type needs to go into a theory.
+The general format of a theory @{text T} is
+\begin{quote}
+\isacom{theory} @{text T}\\
+\isacom{imports} @{text "T\<^isub>1 \<dots> T\<^isub>n"}\\
+\isacom{begin}\\
+\emph{definitions, theorems and proofs}\\
+\isacom{end}
+\end{quote}
+where @{text "T\<^isub>1 \<dots> T\<^isub>n"} are the names of existing
+theories that @{text T} is based on. The @{text "T\<^isub>i"} are the
+direct \concept{parent theories} of @{text T}.
+Everything defined in the parent theories (and their parents, recursively) is
+automatically visible. Each theory @{text T} must
+reside in a \concept{theory file} named @{text "T.thy"}.
+
+\begin{warn}
+HOL contains a theory @{text Main}, the union of all the basic
+predefined theories like arithmetic, lists, sets, etc.
+Unless you know what you are doing, always include @{text Main}
+as a direct or indirect parent of all your theories.
+\end{warn}
+
+In addition to the theories that come with the Isabelle/HOL distribution
+(see \url{http://isabelle.in.tum.de/library/HOL/})
+there is also the \emph{Archive of Formal Proofs}
+at \url{http://afp.sourceforge.net}, a growing collection of Isabelle theories
+that everybody can contribute to.
+
+\subsection{Quotation Marks}
+
+The textual definition of a theory follows a fixed syntax with keywords like
+\isacommand{begin} and \isacommand{datatype}. Embedded in this syntax are
+the types and formulae of HOL. To distinguish the two levels, everything
+HOL-specific (terms and types) must be enclosed in quotation marks:
+\texttt{"}\dots\texttt{"}. To lessen this burden, quotation marks around a
+single identifier can be dropped. When Isabelle prints a syntax error
+message, it refers to the HOL syntax as the \concept{inner syntax} and the
+enclosing theory language as the \concept{outer syntax}.
+\sem
+\begin{warn}
+For reasons of readability, we almost never show the quotation marks in this
+book. Consult the accompanying theory files to see where they need to go.
+\end{warn}
+\endsem
+%
+*}
+(*<*)
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/Bool_nat_list.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,420 @@
+(*<*)
+theory Bool_nat_list
+imports Main
+begin
+(*>*)
+
+text{*
+\vspace{-4ex}
+\section{\texorpdfstring{Types @{typ bool}, @{typ nat} and @{text list}}{Types bool, nat and list}}
+
+These are the most important predefined types. We go through them one by one.
+Based on examples we learn how to define (possibly recursive) functions and
+prove theorems about them by induction and simplification.
+
+\subsection{Type @{typ bool}}
+
+The type of boolean values is a predefined datatype
+@{datatype[display] bool}
+with the two values @{const True} and @{const False} and
+with many predefined functions: @{text "\<not>"}, @{text "\<and>"}, @{text "\<or>"}, @{text
+"\<longrightarrow>"} etc. Here is how conjunction could be defined by pattern matching:
+*}
+
+fun conj :: "bool \<Rightarrow> bool \<Rightarrow> bool" where
+"conj True True = True" |
+"conj _ _ = False"
+
+text{* Both the datatype and function definitions roughly follow the syntax
+of functional programming languages.
+
+\subsection{Type @{typ nat}}
+
+Natural numbers are another predefined datatype:
+@{datatype[display] nat}
+All values of type @{typ nat} are generated by the constructors
+@{text 0} and @{const Suc}. Thus the values of type @{typ nat} are
+@{text 0}, @{term"Suc 0"}, @{term"Suc(Suc 0)"} etc.
+There are many predefined functions: @{text "+"}, @{text "*"}, @{text
+"\<le>"}, etc. Here is how you could define your own addition:
+*}
+
+fun add :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"add 0 n = n" |
+"add (Suc m) n = Suc(add m n)"
+
+text{* And here is a proof of the fact that @{prop"add m 0 = m"}: *}
+
+lemma add_02: "add m 0 = m"
+apply(induction m)
+apply(auto)
+done
+(*<*)
+lemma "add m 0 = m"
+apply(induction m)
+(*>*)
+txt{* The \isacom{lemma} command starts the proof and gives the lemma
+a name, @{text add_02}. Properties of recursively defined functions
+need to be established by induction in most cases.
+Command \isacom{apply}@{text"(induction m)"} instructs Isabelle to
+start a proof by induction on @{text m}. In response, it will show the
+following proof state:
+@{subgoals[display,indent=0]}
+The numbered lines are known as \emph{subgoals}.
+The first subgoal is the base case, the second one the induction step.
+The prefix @{text"\<And>m."} is Isabelle's way of saying ``for an arbitrary but fixed @{text m}''. The @{text"\<Longrightarrow>"} separates assumptions from the conclusion.
+The command \isacom{apply}@{text"(auto)"} instructs Isabelle to try
+and prove all subgoals automatically, essentially by simplifying them.
+Because both subgoals are easy, Isabelle can do it.
+The base case @{prop"add 0 0 = 0"} holds by definition of @{const add},
+and the induction step is almost as simple:
+@{text"add\<^raw:~>(Suc m) 0 = Suc(add m 0) = Suc m"}
+using first the definition of @{const add} and then the induction hypothesis.
+In summary, both subproofs rely on simplification with function definitions and
+the induction hypothesis.
+As a result of that final \isacom{done}, Isabelle associates the lemma
+just proved with its name. You can now inspect the lemma with the command
+*}
+
+thm add_02
+
+txt{* which displays @{thm[show_question_marks,display] add_02} The free
+variable @{text m} has been replaced by the \concept{unknown}
+@{text"?m"}. There is no logical difference between the two but an
+operational one: unknowns can be instantiated, which is what you want after
+some lemma has been proved.
+
+Note that there is also a proof method @{text induct}, which behaves almost
+like @{text induction}; the difference is explained in \autoref{ch:Isar}.
+
+\begin{warn}
+Terminology: We use \concept{lemma}, \concept{theorem} and \concept{rule}
+interchangeably for propositions that have been proved.
+\end{warn}
+\begin{warn}
+ Numerals (@{text 0}, @{text 1}, @{text 2}, \dots) and most of the standard
+ arithmetic operations (@{text "+"}, @{text "-"}, @{text "*"}, @{text"\<le>"},
+ @{text"<"} etc) are overloaded: they are available
+ not just for natural numbers but for other types as well.
+ For example, given the goal @{text"x + 0 = x"}, there is nothing to indicate
+ that you are talking about natural numbers. Hence Isabelle can only infer
+ that @{term x} is of some arbitrary type where @{text 0} and @{text"+"}
+ exist. As a consequence, you will be unable to prove the
+ goal. To alert you to such pitfalls, Isabelle flags numerals without a
+ fixed type in its output: @{prop"x+0 = x"}. In this particular example,
+ you need to include
+ an explicit type constraint, for example @{text"x+0 = (x::nat)"}. If there
+ is enough contextual information this may not be necessary: @{prop"Suc x =
+ x"} automatically implies @{text"x::nat"} because @{term Suc} is not
+ overloaded.
+\end{warn}
+
+\subsubsection{An informal proof}
+
+Above we gave some terse informal explanation of the proof of
+@{prop"add m 0 = m"}. A more detailed informal exposition of the lemma
+might look like this:
+\bigskip
+
+\noindent
+\textbf{Lemma} @{prop"add m 0 = m"}
+
+\noindent
+\textbf{Proof} by induction on @{text m}.
+\begin{itemize}
+\item Case @{text 0} (the base case): @{prop"add 0 0 = 0"}
+ holds by definition of @{const add}.
+\item Case @{term"Suc m"} (the induction step):
+ We assume @{prop"add m 0 = m"}, the induction hypothesis (IH),
+ and we need to show @{text"add (Suc m) 0 = Suc m"}.
+ The proof is as follows:\smallskip
+
+ \begin{tabular}{@ {}rcl@ {\quad}l@ {}}
+ @{term "add (Suc m) 0"} &@{text"="}& @{term"Suc(add m 0)"}
+ & by definition of @{text add}\\
+ &@{text"="}& @{term "Suc m"} & by IH
+ \end{tabular}
+\end{itemize}
+Throughout this book, \concept{IH} will stand for ``induction hypothesis''.
+
+We have now seen three proofs of @{prop"add m 0 = 0"}: the Isabelle one, the
+terse four lines explaining the base case and the induction step, and just now a
+model of a traditional inductive proof. The three proofs differ in the level
+of detail given and the intended reader: the Isabelle proof is for the
+machine, the informal proofs are for humans. Although this book concentrates
+on Isabelle proofs, it is important to be able to rephrase those proofs
+as informal text comprehensible to a reader familiar with traditional
+mathematical proofs. Later on we will introduce an Isabelle proof language
+that is closer to traditional informal mathematical language and is often
+directly readable.
+
+\subsection{Type @{text list}}
+
+Although lists are already predefined, we define our own copy just for
+demonstration purposes:
+*}
+(*<*)
+apply(auto)
+done
+declare [[names_short]]
+(*>*)
+datatype 'a list = Nil | Cons 'a "'a list"
+
+text{*
+\begin{itemize}
+\item Type @{typ "'a list"} is the type of lists over elements of type @{typ 'a}. Because @{typ 'a} is a type variable, lists are in fact \concept{polymorphic}: the elements of a list can be of arbitrary type (but must all be of the same type).
+\item Lists have two constructors: @{const Nil}, the empty list, and @{const Cons}, which puts an element (of type @{typ 'a}) in front of a list (of type @{typ "'a list"}).
+Hence all lists are of the form @{const Nil}, or @{term"Cons x Nil"},
+or @{term"Cons x (Cons y Nil)"} etc.
+\item \isacom{datatype} requires no quotation marks on the
+left-hand side, but on the right-hand side each of the argument
+types of a constructor needs to be enclosed in quotation marks, unless
+it is just an identifier (e.g.\ @{typ nat} or @{typ 'a}).
+\end{itemize}
+We also define two standard functions, append and reverse: *}
+
+fun app :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+"app Nil ys = ys" |
+"app (Cons x xs) ys = Cons x (app xs ys)"
+
+fun rev :: "'a list \<Rightarrow> 'a list" where
+"rev Nil = Nil" |
+"rev (Cons x xs) = app (rev xs) (Cons x Nil)"
+
+text{* By default, variables @{text xs}, @{text ys} and @{text zs} are of
+@{text list} type.
+
+Command \isacom{value} evaluates a term. For example, *}
+
+value "rev(Cons True (Cons False Nil))"
+
+text{* yields the result @{value "rev(Cons True (Cons False Nil))"}. This works symbolically, too: *}
+
+value "rev(Cons a (Cons b Nil))"
+
+text{* yields @{value "rev(Cons a (Cons b Nil))"}.
+\medskip
+
+Figure~\ref{fig:MyList} shows the theory created so far.
+Because @{text list}, @{const Nil}, @{const Cons} etc are already predefined,
+ Isabelle prints qualified (long) names when executing this theory, for example, @{text MyList.Nil}
+ instead of @{const Nil}.
+ To suppress the qualified names you can insert the command
+ \texttt{declare [[names\_short]]}.
+ This is not recommended in general but just for this unusual example.
+% Notice where the
+%quotations marks are needed that we mostly sweep under the carpet. In
+%particular, notice that \isacom{datatype} requires no quotation marks on the
+%left-hand side, but that on the right-hand side each of the argument
+%types of a constructor needs to be enclosed in quotation marks.
+
+\begin{figure}[htbp]
+\begin{alltt}
+\input{MyList.thy}\end{alltt}
+\caption{A Theory of Lists}
+\label{fig:MyList}
+\end{figure}
+
+\subsubsection{Structural Induction for Lists}
+
+Just as for natural numbers, there is a proof principle of induction for
+lists. Induction over a list is essentially induction over the length of
+the list, although the length remains implicit. To prove that some property
+@{text P} holds for all lists @{text xs}, i.e.\ \mbox{@{prop"P(xs)"}},
+you need to prove
+\begin{enumerate}
+\item the base case @{prop"P(Nil)"} and
+\item the inductive case @{prop"P(Cons x xs)"} under the assumption @{prop"P(xs)"}, for some arbitrary but fixed @{text x} and @{text xs}.
+\end{enumerate}
+This is often called \concept{structural induction}.
+
+\subsection{The Proof Process}
+
+We will now demonstrate the typical proof process, which involves
+the formulation and proof of auxiliary lemmas.
+Our goal is to show that reversing a list twice produces the original
+list. *}
+
+theorem rev_rev [simp]: "rev(rev xs) = xs"
+
+txt{* Commands \isacom{theorem} and \isacom{lemma} are
+interchangeable and merely indicate the importance we attach to a
+proposition. Via the bracketed attribute @{text simp} we also tell Isabelle
+to make the eventual theorem a \concept{simplification rule}: future proofs
+involving simplification will replace occurrences of @{term"rev(rev xs)"} by
+@{term"xs"}. The proof is by induction: *}
+
+apply(induction xs)
+
+txt{*
+As explained above, we obtain two subgoals, namely the base case (@{const Nil}) and the induction step (@{const Cons}):
+@{subgoals[display,indent=0,margin=65]}
+Let us try to solve both goals automatically:
+*}
+
+apply(auto)
+
+txt{*Subgoal~1 is proved, and disappears; the simplified version
+of subgoal~2 becomes the new subgoal~1:
+@{subgoals[display,indent=0,margin=70]}
+In order to simplify this subgoal further, a lemma suggests itself.
+
+\subsubsection{A First Lemma}
+
+We insert the following lemma in front of the main theorem:
+*}
+(*<*)
+oops
+(*>*)
+lemma rev_app [simp]: "rev(app xs ys) = app (rev ys) (rev xs)"
+
+txt{* There are two variables that we could induct on: @{text xs} and
+@{text ys}. Because @{const app} is defined by recursion on
+the first argument, @{text xs} is the correct one:
+*}
+
+apply(induction xs)
+
+txt{* This time not even the base case is solved automatically: *}
+apply(auto)
+txt{*
+\vspace{-5ex}
+@{subgoals[display,goals_limit=1]}
+Again, we need to abandon this proof attempt and prove another simple lemma
+first.
+
+\subsubsection{A Second Lemma}
+
+We again try the canonical proof procedure:
+*}
+(*<*)
+oops
+(*>*)
+lemma app_Nil2 [simp]: "app xs Nil = xs"
+apply(induction xs)
+apply(auto)
+done
+
+text{*
+Thankfully, this worked.
+Now we can continue with our stuck proof attempt of the first lemma:
+*}
+
+lemma rev_app [simp]: "rev(app xs ys) = app (rev ys) (rev xs)"
+apply(induction xs)
+apply(auto)
+
+txt{*
+We find that this time @{text"auto"} solves the base case, but the
+induction step merely simplifies to
+@{subgoals[display,indent=0,goals_limit=1]}
+The missing lemma is associativity of @{const app},
+which we insert in front of the failed lemma @{text rev_app}.
+
+\subsubsection{Associativity of @{const app}}
+
+The canonical proof procedure succeeds without further ado:
+*}
+(*<*)oops(*>*)
+lemma app_assoc [simp]: "app (app xs ys) zs = app xs (app ys zs)"
+apply(induction xs)
+apply(auto)
+done
+(*<*)
+lemma rev_app [simp]: "rev(app xs ys) = app (rev ys)(rev xs)"
+apply(induction xs)
+apply(auto)
+done
+
+theorem rev_rev [simp]: "rev(rev xs) = xs"
+apply(induction xs)
+apply(auto)
+done
+(*>*)
+text{*
+Finally the proofs of @{thm[source] rev_app} and @{thm[source] rev_rev}
+succeed, too.
+
+\subsubsection{Another informal proof}
+
+Here is the informal proof of associativity of @{const app}
+corresponding to the Isabelle proof above.
+\bigskip
+
+\noindent
+\textbf{Lemma} @{prop"app (app xs ys) zs = app xs (app ys zs)"}
+
+\noindent
+\textbf{Proof} by induction on @{text xs}.
+\begin{itemize}
+\item Case @{text Nil}: \ @{prop"app (app Nil ys) zs = app ys zs"} @{text"="}
+ \mbox{@{term"app Nil (app ys zs)"}} \ holds by definition of @{text app}.
+\item Case @{text"Cons x xs"}: We assume
+ \begin{center} \hfill @{term"app (app xs ys) zs"} @{text"="}
+ @{term"app xs (app ys zs)"} \hfill (IH) \end{center}
+ and we need to show
+ \begin{center} @{prop"app (app (Cons x xs) ys) zs = app (Cons x xs) (app ys zs)"}.\end{center}
+ The proof is as follows:\smallskip
+
+ \begin{tabular}{@ {}l@ {\quad}l@ {}}
+ @{term"app (app (Cons x xs) ys) zs"}\\
+ @{text"= app (Cons x (app xs ys)) zs"} & by definition of @{text app}\\
+ @{text"= Cons x (app (app xs ys) zs)"} & by definition of @{text app}\\
+ @{text"= Cons x (app xs (app ys zs))"} & by IH\\
+ @{text"= app (Cons x xs) (app ys zs)"} & by definition of @{text app}
+ \end{tabular}
+\end{itemize}
+\medskip
+
+\noindent Didn't we say earlier that all proofs are by simplification? But
+in both cases, going from left to right, the last equality step is not a
+simplification at all! In the base case it is @{prop"app ys zs = app Nil (app
+ys zs)"}. It appears almost mysterious because we suddenly complicate the
+term by appending @{text Nil} on the left. What is really going on is this:
+when proving some equality \mbox{@{prop"s = t"}}, both @{text s} and @{text t} are
+simplified to some common term @{text u}. This heuristic for equality proofs
+works well for a functional programming context like ours. In the base case
+@{text s} is @{term"app (app Nil ys) zs"}, @{text t} is @{term"app Nil (app
+ys zs)"}, and @{text u} is @{term"app ys zs"}.
+
+\subsection{Predefined lists}
+\label{sec:predeflists}
+
+Isabelle's predefined lists are the same as the ones above, but with
+more syntactic sugar:
+\begin{itemize}
+\item @{text "[]"} is @{const Nil},
+\item @{term"x # xs"} is @{term"Cons x xs"},
+\item @{text"[x\<^isub>1, \<dots>, x\<^isub>n]"} is @{text"x\<^isub>1 # \<dots> # x\<^isub>n # []"}, and
+\item @{term "xs @ ys"} is @{term"app xs ys"}.
+\end{itemize}
+There is also a large library of predefined functions.
+The most important ones are the length function
+@{text"length :: 'a list \<Rightarrow> nat"} (with the obvious definition),
+and the map function that applies a function to all elements of a list:
+\begin{isabelle}
+\isacom{fun} @{const map} @{text"::"} @{typ[source] "('a \<Rightarrow> 'b) \<Rightarrow> 'a list \<Rightarrow> 'b list"}\\
+@{text"\""}@{thm map.simps(1)}@{text"\" |"}\\
+@{text"\""}@{thm map.simps(2)}@{text"\""}
+\end{isabelle}
+\sem
+Also useful are the \concept{head} of a list, its first element,
+and the \concept{tail}, the rest of the list:
+\begin{isabelle}
+\isacom{fun} @{text"hd :: 'a list \<Rightarrow> 'a"}\\
+@{prop"hd(x#xs) = x"}
+\end{isabelle}
+\begin{isabelle}
+\isacom{fun} @{text"tl :: 'a list \<Rightarrow> 'a list"}\\
+@{prop"tl [] = []"} @{text"|"}\\
+@{prop"tl(x#xs) = xs"}
+\end{isabelle}
+Note that since HOL is a logic of total functions, @{term"hd []"} is defined,
+but we do now know what the result is. That is, @{term"hd []"} is not undefined
+but underdefined.
+\endsem
+%
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/Isar.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,997 @@
+(*<*)
+theory Isar
+imports LaTeXsugar
+begin
+ML{* quick_and_dirty := true *}
+(*>*)
+text{*
+Apply-scripts are unreadable and hard to maintain. The language of choice
+for larger proofs is \concept{Isar}. The two key features of Isar are:
+\begin{itemize}
+\item It is structured, not linear.
+\item It is readable without running it because
+you need to state what you are proving at any given point.
+\end{itemize}
+Whereas apply-scripts are like assembly language programs, Isar proofs
+are like structured programs with comments. A typical Isar proof looks like this:
+*}text{*
+\begin{tabular}{@ {}l}
+\isacom{proof}\\
+\quad\isacom{assume} @{text"\""}$\mathit{formula}_0$@{text"\""}\\
+\quad\isacom{have} @{text"\""}$\mathit{formula}_1$@{text"\""} \quad\isacom{by} @{text simp}\\
+\quad\vdots\\
+\quad\isacom{have} @{text"\""}$\mathit{formula}_n$@{text"\""} \quad\isacom{by} @{text blast}\\
+\quad\isacom{show} @{text"\""}$\mathit{formula}_{n+1}$@{text"\""} \quad\isacom{by} @{text \<dots>}\\
+\isacom{qed}
+\end{tabular}
+*}text{*
+It proves $\mathit{formula}_0 \Longrightarrow \mathit{formula}_{n+1}$
+(provided each proof step succeeds).
+The intermediate \isacom{have} statements are merely stepping stones
+on the way towards the \isacom{show} statement that proves the actual
+goal. In more detail, this is the Isar core syntax:
+\medskip
+
+\begin{tabular}{@ {}lcl@ {}}
+\textit{proof} &=& \isacom{by} \textit{method}\\
+ &$\mid$& \isacom{proof} [\textit{method}] \ \textit{step}$^*$ \ \isacom{qed}
+\end{tabular}
+\medskip
+
+\begin{tabular}{@ {}lcl@ {}}
+\textit{step} &=& \isacom{fix} \textit{variables} \\
+ &$\mid$& \isacom{assume} \textit{proposition} \\
+ &$\mid$& [\isacom{from} \textit{fact}$^+$] (\isacom{have} $\mid$ \isacom{show}) \ \textit{proposition} \ \textit{proof}
+\end{tabular}
+\medskip
+
+\begin{tabular}{@ {}lcl@ {}}
+\textit{proposition} &=& [\textit{name}:] @{text"\""}\textit{formula}@{text"\""}
+\end{tabular}
+\medskip
+
+\begin{tabular}{@ {}lcl@ {}}
+\textit{fact} &=& \textit{name} \ $\mid$ \ \dots
+\end{tabular}
+\medskip
+
+\noindent A proof can either be an atomic \isacom{by} with a single proof
+method which must finish off the statement being proved, for example @{text
+auto}. Or it can be a \isacom{proof}--\isacom{qed} block of multiple
+steps. Such a block can optionally begin with a proof method that indicates
+how to start off the proof, e.g.\ \mbox{@{text"(induction xs)"}}.
+
+A step either assumes a proposition or states a proposition
+together with its proof. The optional \isacom{from} clause
+indicates which facts are to be used in the proof.
+Intermediate propositions are stated with \isacom{have}, the overall goal
+with \isacom{show}. A step can also introduce new local variables with
+\isacom{fix}. Logically, \isacom{fix} introduces @{text"\<And>"}-quantified
+variables, \isacom{assume} introduces the assumption of an implication
+(@{text"\<Longrightarrow>"}) and \isacom{have}/\isacom{show} the conclusion.
+
+Propositions are optionally named formulas. These names can be referred to in
+later \isacom{from} clauses. In the simplest case, a fact is such a name.
+But facts can also be composed with @{text OF} and @{text of} as shown in
+\S\ref{sec:forward-proof}---hence the \dots\ in the above grammar. Note
+that assumptions, intermediate \isacom{have} statements and global lemmas all
+have the same status and are thus collectively referred to as
+\concept{facts}.
+
+Fact names can stand for whole lists of facts. For example, if @{text f} is
+defined by command \isacom{fun}, @{text"f.simps"} refers to the whole list of
+recursion equations defining @{text f}. Individual facts can be selected by
+writing @{text"f.simps(2)"}, whole sublists by @{text"f.simps(2-4)"}.
+
+
+\section{Isar by example}
+
+We show a number of proofs of Cantor's theorem that a function from a set to
+its powerset cannot be surjective, illustrating various features of Isar. The
+constant @{const surj} is predefined.
+*}
+
+lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
+proof
+ assume 0: "surj f"
+ from 0 have 1: "\<forall>A. \<exists>a. A = f a" by(simp add: surj_def)
+ from 1 have 2: "\<exists>a. {x. x \<notin> f x} = f a" by blast
+ from 2 show "False" by blast
+qed
+
+text{*
+The \isacom{proof} command lacks an explicit method how to perform
+the proof. In such cases Isabelle tries to use some standard introduction
+rule, in the above case for @{text"\<not>"}:
+\[
+\inferrule{
+\mbox{@{thm (prem 1) notI}}}
+{\mbox{@{thm (concl) notI}}}
+\]
+In order to prove @{prop"~ P"}, assume @{text P} and show @{text False}.
+Thus we may assume @{prop"surj f"}. The proof shows that names of propositions
+may be (single!) digits---meaningful names are hard to invent and are often
+not necessary. Both \isacom{have} steps are obvious. The second one introduces
+the diagonal set @{term"{x. x \<notin> f x}"}, the key idea in the proof.
+If you wonder why @{text 2} directly implies @{text False}: from @{text 2}
+it follows that @{prop"a \<notin> f a \<longleftrightarrow> a \<in> f a"}.
+
+\subsection{@{text this}, @{text then}, @{text hence} and @{text thus}}
+
+Labels should be avoided. They interrupt the flow of the reader who has to
+scan the context for the point where the label was introduced. Ideally, the
+proof is a linear flow, where the output of one step becomes the input of the
+next step, piping the previously proved fact into the next proof, just like
+in a UNIX pipe. In such cases the predefined name @{text this} can be used
+to refer to the proposition proved in the previous step. This allows us to
+eliminate all labels from our proof (we suppress the \isacom{lemma} statement):
+*}
+(*<*)
+lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
+(*>*)
+proof
+ assume "surj f"
+ from this have "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
+ from this show "False" by blast
+qed
+
+text{* We have also taken the opportunity to compress the two \isacom{have}
+steps into one.
+
+To compact the text further, Isar has a few convenient abbreviations:
+\medskip
+
+\begin{tabular}{rcl}
+\isacom{then} &=& \isacom{from} @{text this}\\
+\isacom{thus} &=& \isacom{then} \isacom{show}\\
+\isacom{hence} &=& \isacom{then} \isacom{have}
+\end{tabular}
+\medskip
+
+\noindent
+With the help of these abbreviations the proof becomes
+*}
+(*<*)
+lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
+(*>*)
+proof
+ assume "surj f"
+ hence "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
+ thus "False" by blast
+qed
+text{*
+
+There are two further linguistic variations:
+\medskip
+
+\begin{tabular}{rcl}
+(\isacom{have}$\mid$\isacom{show}) \ \textit{prop} \ \isacom{using} \ \textit{facts}
+&=&
+\isacom{from} \ \textit{facts} \ (\isacom{have}$\mid$\isacom{show}) \ \textit{prop}\\
+\isacom{with} \ \textit{facts} &=& \isacom{from} \ \textit{facts} \isa{this}
+\end{tabular}
+\medskip
+
+\noindent The \isacom{using} idiom de-emphasizes the used facts by moving them
+behind the proposition.
+
+\subsection{Structured lemma statements: \isacom{fixes}, \isacom{assumes}, \isacom{shows}}
+
+Lemmas can also be stated in a more structured fashion. To demonstrate this
+feature with Cantor's theorem, we rephrase @{prop"\<not> surj f"}
+a little:
+*}
+
+lemma
+ fixes f :: "'a \<Rightarrow> 'a set"
+ assumes s: "surj f"
+ shows "False"
+
+txt{* The optional \isacom{fixes} part allows you to state the types of
+variables up front rather than by decorating one of their occurrences in the
+formula with a type constraint. The key advantage of the structured format is
+the \isacom{assumes} part that allows you to name each assumption; multiple
+assumptions can be separated by \isacom{and}. The
+\isacom{shows} part gives the goal. The actual theorem that will come out of
+the proof is @{prop"surj f \<Longrightarrow> False"}, but during the proof the assumption
+@{prop"surj f"} is available under the name @{text s} like any other fact.
+*}
+
+proof -
+ have "\<exists> a. {x. x \<notin> f x} = f a" using s
+ by(auto simp: surj_def)
+ thus "False" by blast
+qed
+
+text{* In the \isacom{have} step the assumption @{prop"surj f"} is now
+referenced by its name @{text s}. The duplication of @{prop"surj f"} in the
+above proofs (once in the statement of the lemma, once in its proof) has been
+eliminated.
+
+\begin{warn}
+Note the dash after the \isacom{proof}
+command. It is the null method that does nothing to the goal. Leaving it out
+would ask Isabelle to try some suitable introduction rule on the goal @{const
+False}---but there is no suitable introduction rule and \isacom{proof}
+would fail.
+\end{warn}
+
+Stating a lemma with \isacom{assumes}-\isacom{shows} implicitly introduces the
+name @{text assms} that stands for the list of all assumptions. You can refer
+to individual assumptions by @{text"assms(1)"}, @{text"assms(2)"} etc,
+thus obviating the need to name them individually.
+
+\section{Proof patterns}
+
+We show a number of important basic proof patterns. Many of them arise from
+the rules of natural deduction that are applied by \isacom{proof} by
+default. The patterns are phrased in terms of \isacom{show} but work for
+\isacom{have} and \isacom{lemma}, too.
+
+We start with two forms of \concept{case analysis}:
+starting from a formula @{text P} we have the two cases @{text P} and
+@{prop"~P"}, and starting from a fact @{prop"P \<or> Q"}
+we have the two cases @{text P} and @{text Q}:
+*}text_raw{*
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "R" proof-(*>*)
+show "R"
+proof cases
+ assume "P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+next
+ assume "\<not> P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)oops(*>*)
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "R" proof-(*>*)
+have "P \<or> Q" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+then show "R"
+proof
+ assume "P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+next
+ assume "Q"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "R" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+\end{tabular}
+\medskip
+\begin{isamarkuptext}%
+How to prove a logical equivalence:
+\end{isamarkuptext}%
+\isa{%
+*}
+(*<*)lemma "P\<longleftrightarrow>Q" proof-(*>*)
+show "P \<longleftrightarrow> Q"
+proof
+ assume "P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "Q" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+next
+ assume "Q"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "P" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+text_raw {* }
+\medskip
+\begin{isamarkuptext}%
+Proofs by contradiction:
+\end{isamarkuptext}%
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "\<not> P" proof-(*>*)
+show "\<not> P"
+proof
+ assume "P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "False" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "P" proof-(*>*)
+show "P"
+proof (rule ccontr)
+ assume "\<not>P"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "False" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+\end{tabular}
+\medskip
+\begin{isamarkuptext}%
+The name @{thm[source] ccontr} stands for ``classical contradiction''.
+
+How to prove quantified formulas:
+\end{isamarkuptext}%
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "ALL x. P x" proof-(*>*)
+show "\<forall>x. P(x)"
+proof
+ fix x
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "P(x)" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "EX x. P(x)" proof-(*>*)
+show "\<exists>x. P(x)"
+proof
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "P(witness)" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed
+(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+\end{tabular}
+\medskip
+\begin{isamarkuptext}%
+In the proof of \noquotes{@{prop[source]"\<forall>x. P(x)"}},
+the step \isacom{fix}~@{text x} introduces a locally fixed variable @{text x}
+into the subproof, the proverbial ``arbitrary but fixed value''.
+Instead of @{text x} we could have chosen any name in the subproof.
+In the proof of \noquotes{@{prop[source]"\<exists>x. P(x)"}},
+@{text witness} is some arbitrary
+term for which we can prove that it satisfies @{text P}.
+
+How to reason forward from \noquotes{@{prop[source] "\<exists>x. P(x)"}}:
+\end{isamarkuptext}%
+*}
+(*<*)lemma True proof- assume 1: "EX x. P x"(*>*)
+have "\<exists>x. P(x)" (*<*)by(rule 1)(*>*)txt_raw{*\ $\dots$\\*}
+then obtain x where p: "P(x)" by blast
+(*<*)oops(*>*)
+text{*
+After the \isacom{obtain} step, @{text x} (we could have chosen any name)
+is a fixed local
+variable, and @{text p} is the name of the fact
+\noquotes{@{prop[source] "P(x)"}}.
+This pattern works for one or more @{text x}.
+As an example of the \isacom{obtain} command, here is the proof of
+Cantor's theorem in more detail:
+*}
+
+lemma "\<not> surj(f :: 'a \<Rightarrow> 'a set)"
+proof
+ assume "surj f"
+ hence "\<exists>a. {x. x \<notin> f x} = f a" by(auto simp: surj_def)
+ then obtain a where "{x. x \<notin> f x} = f a" by blast
+ hence "a \<notin> f a \<longleftrightarrow> a \<in> f a" by blast
+ thus "False" by blast
+qed
+
+text_raw{*
+\begin{isamarkuptext}%
+
+Finally, how to prove set equality and subset relationship:
+\end{isamarkuptext}%
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "A = (B::'a set)" proof-(*>*)
+show "A = B"
+proof
+ show "A \<subseteq> B" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+next
+ show "B \<subseteq> A" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "A <= (B::'a set)" proof-(*>*)
+show "A \<subseteq> B"
+proof
+ fix x
+ assume "x \<in> A"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "x \<in> B" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+
+text_raw {* }
+\end{minipage}
+\end{tabular}
+\begin{isamarkuptext}%
+\section{Streamlining proofs}
+
+\subsection{Pattern matching and quotations}
+
+In the proof patterns shown above, formulas are often duplicated.
+This can make the text harder to read, write and maintain. Pattern matching
+is an abbreviation mechanism to avoid such duplication. Writing
+\begin{quote}
+\isacom{show} \ \textit{formula} @{text"("}\isacom{is} \textit{pattern}@{text")"}
+\end{quote}
+matches the pattern against the formula, thus instantiating the unknowns in
+the pattern for later use. As an example, consider the proof pattern for
+@{text"\<longleftrightarrow>"}:
+\end{isamarkuptext}%
+*}
+(*<*)lemma "formula\<^isub>1 \<longleftrightarrow> formula\<^isub>2" proof-(*>*)
+show "formula\<^isub>1 \<longleftrightarrow> formula\<^isub>2" (is "?L \<longleftrightarrow> ?R")
+proof
+ assume "?L"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "?R" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+next
+ assume "?R"
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show "?L" (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+
+text{* Instead of duplicating @{text"formula\<^isub>i"} in the text, we introduce
+the two abbreviations @{text"?L"} and @{text"?R"} by pattern matching.
+Pattern matching works wherever a formula is stated, in particular
+with \isacom{have} and \isacom{lemma}.
+
+The unknown @{text"?thesis"} is implicitly matched against any goal stated by
+\isacom{lemma} or \isacom{show}. Here is a typical example: *}
+
+lemma "formula"
+proof -
+ txt_raw{*\\\mbox{}\quad$\vdots$\\\mbox{}\hspace{-1.4ex}*}
+ show ?thesis (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+qed
+
+text{*
+Unknowns can also be instantiated with \isacom{let} commands
+\begin{quote}
+\isacom{let} @{text"?t"} = @{text"\""}\textit{some-big-term}@{text"\""}
+\end{quote}
+Later proof steps can refer to @{text"?t"}:
+\begin{quote}
+\isacom{have} @{text"\""}\dots @{text"?t"} \dots@{text"\""}
+\end{quote}
+\begin{warn}
+Names of facts are introduced with @{text"name:"} and refer to proved
+theorems. Unknowns @{text"?X"} refer to terms or formulas.
+\end{warn}
+
+Although abbreviations shorten the text, the reader needs to remember what
+they stand for. Similarly for names of facts. Names like @{text 1}, @{text 2}
+and @{text 3} are not helpful and should only be used in short proofs. For
+longer proofs, descriptive names are better. But look at this example:
+\begin{quote}
+\isacom{have} \ @{text"x_gr_0: \"x > 0\""}\\
+$\vdots$\\
+\isacom{from} @{text "x_gr_0"} \dots
+\end{quote}
+The name is longer than the fact it stands for! Short facts do not need names,
+one can refer to them easily by quoting them:
+\begin{quote}
+\isacom{have} \ @{text"\"x > 0\""}\\
+$\vdots$\\
+\isacom{from} @{text "`x>0`"} \dots
+\end{quote}
+Note that the quotes around @{text"x>0"} are \concept{back quotes}.
+They refer to the fact not by name but by value.
+
+\subsection{\isacom{moreover}}
+
+Sometimes one needs a number of facts to enable some deduction. Of course
+one can name these facts individually, as shown on the right,
+but one can also combine them with \isacom{moreover}, as shown on the left:
+*}text_raw{*
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "P" proof-(*>*)
+have "P\<^isub>1" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+moreover have "P\<^isub>2" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+moreover
+txt_raw{*\\$\vdots$\\\hspace{-1.4ex}*}(*<*)have "True" ..(*>*)
+moreover have "P\<^isub>n" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+ultimately have "P" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+&
+\qquad
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "P" proof-(*>*)
+have lab\<^isub>1: "P\<^isub>1" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+have lab\<^isub>2: "P\<^isub>2" (*<*)sorry(*>*)txt_raw{*\ $\dots$*}
+txt_raw{*\\$\vdots$\\\hspace{-1.4ex}*}
+have lab\<^isub>n: "P\<^isub>n" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+from lab\<^isub>1 lab\<^isub>2 txt_raw{*\ $\dots$\\*}
+have "P" (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+(*<*)oops(*>*)
+
+text_raw {* }
+\end{minipage}
+\end{tabular}
+\begin{isamarkuptext}%
+The \isacom{moreover} version is no shorter but expresses the structure more
+clearly and avoids new names.
+
+\subsection{Raw proof blocks}
+
+Sometimes one would like to prove some lemma locally within a proof.
+A lemma that shares the current context of assumptions but that
+has its own assumptions and is generalized over its locally fixed
+variables at the end. This is what a \concept{raw proof block} does:
+\begin{quote}
+@{text"{"} \isacom{fix} @{text"x\<^isub>1 \<dots> x\<^isub>n"}\\
+\mbox{}\ \ \ \isacom{assume} @{text"A\<^isub>1 \<dots> A\<^isub>m"}\\
+\mbox{}\ \ \ $\vdots$\\
+\mbox{}\ \ \ \isacom{have} @{text"B"}\\
+@{text"}"}
+\end{quote}
+proves @{text"\<lbrakk> A\<^isub>1; \<dots> ; A\<^isub>m \<rbrakk> \<Longrightarrow> B"}
+where all @{text"x\<^isub>i"} have been replaced by unknowns @{text"?x\<^isub>i"}.
+\begin{warn}
+The conclusion of a raw proof block is \emph{not} indicated by \isacom{show}
+but is simply the final \isacom{have}.
+\end{warn}
+
+As an example we prove a simple fact about divisibility on integers.
+The definition of @{text "dvd"} is @{thm dvd_def}.
+\end{isamarkuptext}%
+*}
+
+lemma fixes a b :: int assumes "b dvd (a+b)" shows "b dvd a"
+proof -
+ { fix k assume k: "a+b = b*k"
+ have "\<exists>k'. a = b*k'"
+ proof
+ show "a = b*(k - 1)" using k by(simp add: algebra_simps)
+ qed }
+ then show ?thesis using assms by(auto simp add: dvd_def)
+qed
+
+text{* Note that the result of a raw proof block has no name. In this example
+it was directly piped (via \isacom{then}) into the final proof, but it can
+also be named for later reference: you simply follow the block directly by a
+\isacom{note} command:
+\begin{quote}
+\isacom{note} \ @{text"name = this"}
+\end{quote}
+This introduces a new name @{text name} that refers to @{text this},
+the fact just proved, in this case the preceding block. In general,
+\isacom{note} introduces a new name for one or more facts.
+
+\section{Case analysis and induction}
+
+\subsection{Datatype case analysis}
+
+We have seen case analysis on formulas. Now we want to distinguish
+which form some term takes: is it @{text 0} or of the form @{term"Suc n"},
+is it @{term"[]"} or of the form @{term"x#xs"}, etc. Here is a typical example
+proof by case analysis on the form of @{text xs}:
+*}
+
+lemma "length(tl xs) = length xs - 1"
+proof (cases xs)
+ assume "xs = []"
+ thus ?thesis by simp
+next
+ fix y ys assume "xs = y#ys"
+ thus ?thesis by simp
+qed
+
+text{* Function @{text tl} (''tail'') is defined by @{thm tl.simps(1)} and
+@{thm tl.simps(2)}. Note that the result type of @{const length} is @{typ nat}
+and @{prop"0 - 1 = (0::nat)"}.
+
+This proof pattern works for any term @{text t} whose type is a datatype.
+The goal has to be proved for each constructor @{text C}:
+\begin{quote}
+\isacom{fix} \ @{text"x\<^isub>1 \<dots> x\<^isub>n"} \isacom{assume} @{text"\"t = C x\<^isub>1 \<dots> x\<^isub>n\""}
+\end{quote}
+Each case can be written in a more compact form by means of the \isacom{case}
+command:
+\begin{quote}
+\isacom{case} @{text "(C x\<^isub>1 \<dots> x\<^isub>n)"}
+\end{quote}
+This is equivalent to the explicit \isacom{fix}-\isacom{assume} line
+but also gives the assumption @{text"\"t = C x\<^isub>1 \<dots> x\<^isub>n\""} a name: @{text C},
+like the constructor.
+Here is the \isacom{case} version of the proof above:
+*}
+(*<*)lemma "length(tl xs) = length xs - 1"(*>*)
+proof (cases xs)
+ case Nil
+ thus ?thesis by simp
+next
+ case (Cons y ys)
+ thus ?thesis by simp
+qed
+
+text{* Remember that @{text Nil} and @{text Cons} are the alphanumeric names
+for @{text"[]"} and @{text"#"}. The names of the assumptions
+are not used because they are directly piped (via \isacom{thus})
+into the proof of the claim.
+
+\subsection{Structural induction}
+
+We illustrate structural induction with an example based on natural numbers:
+the sum (@{text"\<Sum>"}) of the first @{text n} natural numbers
+(@{text"{0..n::nat}"}) is equal to \mbox{@{term"n*(n+1) div 2::nat"}}.
+Never mind the details, just focus on the pattern:
+*}
+
+lemma "\<Sum>{0..n::nat} = n*(n+1) div 2"
+proof (induction n)
+ show "\<Sum>{0..0::nat} = 0*(0+1) div 2" by simp
+next
+ fix n assume "\<Sum>{0..n::nat} = n*(n+1) div 2"
+ thus "\<Sum>{0..Suc n} = Suc n*(Suc n+1) div 2" by simp
+qed
+
+text{* Except for the rewrite steps, everything is explicitly given. This
+makes the proof easily readable, but the duplication means it is tedious to
+write and maintain. Here is how pattern
+matching can completely avoid any duplication: *}
+
+lemma "\<Sum>{0..n::nat} = n*(n+1) div 2" (is "?P n")
+proof (induction n)
+ show "?P 0" by simp
+next
+ fix n assume "?P n"
+ thus "?P(Suc n)" by simp
+qed
+
+text{* The first line introduces an abbreviation @{text"?P n"} for the goal.
+Pattern matching @{text"?P n"} with the goal instantiates @{text"?P"} to the
+function @{term"\<lambda>n. \<Sum>{0..n::nat} = n*(n+1) div 2"}. Now the proposition to
+be proved in the base case can be written as @{text"?P 0"}, the induction
+hypothesis as @{text"?P n"}, and the conclusion of the induction step as
+@{text"?P(Suc n)"}.
+
+Induction also provides the \isacom{case} idiom that abbreviates
+the \isacom{fix}-\isacom{assume} step. The above proof becomes
+*}
+(*<*)lemma "\<Sum>{0..n::nat} = n*(n+1) div 2"(*>*)
+proof (induction n)
+ case 0
+ show ?case by simp
+next
+ case (Suc n)
+ thus ?case by simp
+qed
+
+text{*
+The unknown @{text "?case"} is set in each case to the required
+claim, i.e.\ @{text"?P 0"} and \mbox{@{text"?P(Suc n)"}} in the above proof,
+without requiring the user to define a @{text "?P"}. The general
+pattern for induction over @{typ nat} is shown on the left-hand side:
+*}text_raw{*
+\begin{tabular}{@ {}ll@ {}}
+\begin{minipage}[t]{.4\textwidth}
+\isa{%
+*}
+(*<*)lemma "P(n::nat)" proof -(*>*)
+show "P(n)"
+proof (induction n)
+ case 0
+ txt_raw{*\\\mbox{}\ \ $\vdots$\\\mbox{}\hspace{-1ex}*}
+ show ?case (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+next
+ case (Suc n)
+ txt_raw{*\\\mbox{}\ \ $\vdots$\\\mbox{}\hspace{-1ex}*}
+ show ?case (*<*)sorry(*>*) txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.4\textwidth}
+~\\
+~\\
+\isacom{let} @{text"?case = \"P(0)\""}\\
+~\\
+~\\
+~\\[1ex]
+\isacom{fix} @{text n} \isacom{assume} @{text"Suc: \"P(n)\""}\\
+\isacom{let} @{text"?case = \"P(Suc n)\""}\\
+\end{minipage}
+\end{tabular}
+\medskip
+*}
+text{*
+On the right side you can see what the \isacom{case} command
+on the left stands for.
+
+In case the goal is an implication, induction does one more thing: the
+proposition to be proved in each case is not the whole implication but only
+its conclusion; the premises of the implication are immediately made
+assumptions of that case. That is, if in the above proof we replace
+\isacom{show}~@{text"P(n)"} by
+\mbox{\isacom{show}~@{text"A(n) \<Longrightarrow> P(n)"}}
+then \isacom{case}~@{text 0} stands for
+\begin{quote}
+\isacom{assume} \ @{text"0: \"A(0)\""}\\
+\isacom{let} @{text"?case = \"P(0)\""}
+\end{quote}
+and \isacom{case}~@{text"(Suc n)"} stands for
+\begin{quote}
+\isacom{fix} @{text n}\\
+\isacom{assume} @{text"Suc:"}
+ \begin{tabular}[t]{l}@{text"\"A(n) \<Longrightarrow> P(n)\""}\\@{text"\"A(Suc n)\""}\end{tabular}\\
+\isacom{let} @{text"?case = \"P(Suc n)\""}
+\end{quote}
+The list of assumptions @{text Suc} is actually subdivided
+into @{text"Suc.IH"}, the induction hypotheses (here @{text"A(n) \<Longrightarrow> P(n)"})
+and @{text"Suc.prems"}, the premises of the goal being proved
+(here @{text"A(Suc n)"}).
+
+Induction works for any datatype.
+Proving a goal @{text"\<lbrakk> A\<^isub>1(x); \<dots>; A\<^isub>k(x) \<rbrakk> \<Longrightarrow> P(x)"}
+by induction on @{text x} generates a proof obligation for each constructor
+@{text C} of the datatype. The command @{text"case (C x\<^isub>1 \<dots> x\<^isub>n)"}
+performs the following steps:
+\begin{enumerate}
+\item \isacom{fix} @{text"x\<^isub>1 \<dots> x\<^isub>n"}
+\item \isacom{assume} the induction hypotheses (calling them @{text C.IH})
+ and the premises \mbox{@{text"A\<^isub>i(C x\<^isub>1 \<dots> x\<^isub>n)"}} (calling them @{text"C.prems"})
+ and calling the whole list @{text C}
+\item \isacom{let} @{text"?case = \"P(C x\<^isub>1 \<dots> x\<^isub>n)\""}
+\end{enumerate}
+
+\subsection{Rule induction}
+
+Recall the inductive and recursive definitions of even numbers in
+\autoref{sec:inductive-defs}:
+*}
+
+inductive ev :: "nat \<Rightarrow> bool" where
+ev0: "ev 0" |
+evSS: "ev n \<Longrightarrow> ev(Suc(Suc n))"
+
+fun even :: "nat \<Rightarrow> bool" where
+"even 0 = True" |
+"even (Suc 0) = False" |
+"even (Suc(Suc n)) = even n"
+
+text{* We recast the proof of @{prop"ev n \<Longrightarrow> even n"} in Isar. The
+left column shows the actual proof text, the right column shows
+the implicit effect of the two \isacom{case} commands:*}text_raw{*
+\begin{tabular}{@ {}l@ {\qquad}l@ {}}
+\begin{minipage}[t]{.5\textwidth}
+\isa{%
+*}
+
+lemma "ev n \<Longrightarrow> even n"
+proof(induction rule: ev.induct)
+ case ev0
+ show ?case by simp
+next
+ case evSS
+
+
+
+ thus ?case by simp
+qed
+
+text_raw {* }
+\end{minipage}
+&
+\begin{minipage}[t]{.5\textwidth}
+~\\
+~\\
+\isacom{let} @{text"?case = \"even 0\""}\\
+~\\
+~\\
+\isacom{fix} @{text n}\\
+\isacom{assume} @{text"evSS:"}
+ \begin{tabular}[t]{l} @{text"\"ev n\""}\\@{text"\"even n\""}\end{tabular}\\
+\isacom{let} @{text"?case = \"even(Suc(Suc n))\""}\\
+\end{minipage}
+\end{tabular}
+\medskip
+*}
+text{*
+The proof resembles structural induction, but the induction rule is given
+explicitly and the names of the cases are the names of the rules in the
+inductive definition.
+Let us examine the two assumptions named @{thm[source]evSS}:
+@{prop "ev n"} is the premise of rule @{thm[source]evSS}, which we may assume
+because we are in the case where that rule was used; @{prop"even n"}
+is the induction hypothesis.
+\begin{warn}
+Because each \isacom{case} command introduces a list of assumptions
+named like the case name, which is the name of a rule of the inductive
+definition, those rules now need to be accessed with a qualified name, here
+@{thm[source] ev.ev0} and @{thm[source] ev.evSS}
+\end{warn}
+
+In the case @{thm[source]evSS} of the proof above we have pretended that the
+system fixes a variable @{text n}. But unless the user provides the name
+@{text n}, the system will just invent its own name that cannot be referred
+to. In the above proof, we do not need to refer to it, hence we do not give
+it a specific name. In case one needs to refer to it one writes
+\begin{quote}
+\isacom{case} @{text"(evSS m)"}
+\end{quote}
+just like \isacom{case}~@{text"(Suc n)"} in earlier structural inductions.
+The name @{text m} is an arbitrary choice. As a result,
+case @{thm[source] evSS} is derived from a renamed version of
+rule @{thm[source] evSS}: @{text"ev m \<Longrightarrow> ev(Suc(Suc m))"}.
+Here is an example with a (contrived) intermediate step that refers to @{text m}:
+*}
+
+lemma "ev n \<Longrightarrow> even n"
+proof(induction rule: ev.induct)
+ case ev0 show ?case by simp
+next
+ case (evSS m)
+ have "even(Suc(Suc m)) = even m" by simp
+ thus ?case using `even m` by blast
+qed
+
+text{*
+\indent
+In general, let @{text I} be a (for simplicity unary) inductively defined
+predicate and let the rules in the definition of @{text I}
+be called @{text "rule\<^isub>1"}, \dots, @{text "rule\<^isub>n"}. A proof by rule
+induction follows this pattern:
+*}
+
+(*<*)
+inductive I where rule\<^isub>1: "I()" | rule\<^isub>2: "I()" | rule\<^isub>n: "I()"
+lemma "I x \<Longrightarrow> P x" proof-(*>*)
+show "I x \<Longrightarrow> P x"
+proof(induction rule: I.induct)
+ case rule\<^isub>1
+ txt_raw{*\\[-.4ex]\mbox{}\ \ $\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
+ show ?case (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+next
+ txt_raw{*\\[-.4ex]$\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
+(*<*)
+ case rule\<^isub>2
+ show ?case sorry
+(*>*)
+next
+ case rule\<^isub>n
+ txt_raw{*\\[-.4ex]\mbox{}\ \ $\vdots$\\[-.4ex]\mbox{}\hspace{-1ex}*}
+ show ?case (*<*)sorry(*>*)txt_raw{*\ $\dots$\\*}
+qed(*<*)qed(*>*)
+
+text{*
+One can provide explicit variable names by writing
+\isacom{case}~@{text"(rule\<^isub>i x\<^isub>1 \<dots> x\<^isub>k)"}, thus renaming the first @{text k}
+free variables in rule @{text i} to @{text"x\<^isub>1 \<dots> x\<^isub>k"},
+going through rule @{text i} from left to right.
+
+\subsection{Assumption naming}
+
+In any induction, \isacom{case}~@{text name} sets up a list of assumptions
+also called @{text name}, which is subdivided into three parts:
+\begin{description}
+\item[@{text name.IH}] contains the induction hypotheses.
+\item[@{text name.hyps}] contains all the other hypotheses of this case in the
+induction rule. For rule inductions these are the hypotheses of rule
+@{text name}, for structural inductions these are empty.
+\item[@{text name.prems}] contains the (suitably instantiated) premises
+of the statement being proved, i.e. the @{text A\<^isub>i} when
+proving @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}.
+\end{description}
+\begin{warn}
+Proof method @{text induct} differs from @{text induction}
+only in this naming policy: @{text induct} does not distinguish
+@{text IH} from @{text hyps} but subsumes @{text IH} under @{text hyps}.
+\end{warn}
+
+More complicated inductive proofs than the ones we have seen so far
+often need to refer to specific assumptions---just @{text name} or even
+@{text name.prems} and @{text name.IH} can be too unspecific.
+This is where the indexing of fact lists comes in handy, e.g.\
+@{text"name.IH(2)"} or @{text"name.prems(1-2)"}.
+
+\subsection{Rule inversion}
+
+Rule inversion is case analysis of which rule could have been used to
+derive some fact. The name \concept{rule inversion} emphasizes that we are
+reasoning backwards: by which rules could some given fact have been proved?
+For the inductive definition of @{const ev}, rule inversion can be summarized
+like this:
+@{prop[display]"ev n \<Longrightarrow> n = 0 \<or> (EX k. n = Suc(Suc k) \<and> ev k)"}
+The realisation in Isabelle is a case analysis.
+A simple example is the proof that @{prop"ev n \<Longrightarrow> ev (n - 2)"}. We
+already went through the details informally in \autoref{sec:Logic:even}. This
+is the Isar proof:
+*}
+(*<*)
+notepad
+begin fix n
+(*>*)
+ assume "ev n"
+ from this have "ev(n - 2)"
+ proof cases
+ case ev0 thus "ev(n - 2)" by (simp add: ev.ev0)
+ next
+ case (evSS k) thus "ev(n - 2)" by (simp add: ev.evSS)
+ qed
+(*<*)
+end
+(*>*)
+
+text{* The key point here is that a case analysis over some inductively
+defined predicate is triggered by piping the given fact
+(here: \isacom{from}~@{text this}) into a proof by @{text cases}.
+Let us examine the assumptions available in each case. In case @{text ev0}
+we have @{text"n = 0"} and in case @{text evSS} we have @{prop"n = Suc(Suc k)"}
+and @{prop"ev k"}. In each case the assumptions are available under the name
+of the case; there is no fine grained naming schema like for induction.
+
+Sometimes some rules could not have been used to derive the given fact
+because constructors clash. As an extreme example consider
+rule inversion applied to @{prop"ev(Suc 0)"}: neither rule @{text ev0} nor
+rule @{text evSS} can yield @{prop"ev(Suc 0)"} because @{text"Suc 0"} unifies
+neither with @{text 0} nor with @{term"Suc(Suc n)"}. Impossible cases do not
+have to be proved. Hence we can prove anything from @{prop"ev(Suc 0)"}:
+*}
+(*<*)
+notepad begin fix P
+(*>*)
+ assume "ev(Suc 0)" then have P by cases
+(*<*)
+end
+(*>*)
+
+text{* That is, @{prop"ev(Suc 0)"} is simply not provable: *}
+
+lemma "\<not> ev(Suc 0)"
+proof
+ assume "ev(Suc 0)" then show False by cases
+qed
+
+text{* Normally not all cases will be impossible. As a simple exercise,
+prove that \mbox{@{prop"\<not> ev(Suc(Suc(Suc 0)))"}.}
+*}
+
+(*
+lemma "\<not> ev(Suc(Suc(Suc 0)))"
+proof
+ assume "ev(Suc(Suc(Suc 0)))"
+ then show False
+ proof cases
+ case evSS
+ from `ev(Suc 0)` show False by cases
+ qed
+qed
+*)
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/LaTeXsugar.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,47 @@
+(* Title: HOL/Library/LaTeXsugar.thy
+ Author: Gerwin Klain, Tobias Nipkow, Norbert Schirmer
+ Copyright 2005 NICTA and TUM
+*)
+
+(*<*)
+theory LaTeXsugar
+imports Main
+begin
+
+(* DUMMY *)
+consts DUMMY :: 'a ("\<^raw:\_>")
+
+(* THEOREMS *)
+notation (Rule output)
+ "==>" ("\<^raw:\mbox{}\inferrule{\mbox{>_\<^raw:}}>\<^raw:{\mbox{>_\<^raw:}}>")
+
+syntax (Rule output)
+ "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
+ ("\<^raw:\mbox{}\inferrule{>_\<^raw:}>\<^raw:{\mbox{>_\<^raw:}}>")
+
+ "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms"
+ ("\<^raw:\mbox{>_\<^raw:}\\>/ _")
+
+ "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")
+
+notation (Axiom output)
+ "Trueprop" ("\<^raw:\mbox{}\inferrule{\mbox{}}{\mbox{>_\<^raw:}}>")
+
+notation (IfThen output)
+ "==>" ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
+syntax (IfThen output)
+ "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
+ ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
+ "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}> /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
+ "_asm" :: "prop \<Rightarrow> asms" ("\<^raw:\mbox{>_\<^raw:}>")
+
+notation (IfThenNoBox output)
+ "==>" ("\<^raw:{\normalsize{}>If\<^raw:\,}> _/ \<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
+syntax (IfThenNoBox output)
+ "_bigimpl" :: "asms \<Rightarrow> prop \<Rightarrow> prop"
+ ("\<^raw:{\normalsize{}>If\<^raw:\,}> _ /\<^raw:{\normalsize \,>then\<^raw:\,}>/ _.")
+ "_asms" :: "prop \<Rightarrow> asms \<Rightarrow> asms" ("_ /\<^raw:{\normalsize \,>and\<^raw:\,}>/ _")
+ "_asm" :: "prop \<Rightarrow> asms" ("_")
+
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/Logic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,734 @@
+(*<*)
+theory Logic
+imports LaTeXsugar
+begin
+(*>*)
+text{*
+\vspace{-5ex}
+\section{Logic and proof beyond equality}
+\label{sec:Logic}
+
+\subsection{Formulas}
+
+The core syntax of formulas (\textit{form} below)
+provides the standard logical constructs, in decreasing order of precedence:
+\[
+\begin{array}{rcl}
+
+\mathit{form} & ::= &
+ @{text"(form)"} ~\mid~
+ @{const True} ~\mid~
+ @{const False} ~\mid~
+ @{prop "term = term"}\\
+ &\mid& @{prop"\<not> form"} ~\mid~
+ @{prop "form \<and> form"} ~\mid~
+ @{prop "form \<or> form"} ~\mid~
+ @{prop "form \<longrightarrow> form"}\\
+ &\mid& @{prop"\<forall>x. form"} ~\mid~ @{prop"\<exists>x. form"}
+\end{array}
+\]
+Terms are the ones we have seen all along, built from constants, variables,
+function application and @{text"\<lambda>"}-abstraction, including all the syntactic
+sugar like infix symbols, @{text "if"}, @{text "case"} etc.
+\begin{warn}
+Remember that formulas are simply terms of type @{text bool}. Hence
+@{text "="} also works for formulas. Beware that @{text"="} has a higher
+precedence than the other logical operators. Hence @{prop"s = t \<and> A"} means
+@{text"(s = t) \<and> A"}, and @{prop"A\<and>B = B\<and>A"} means @{text"A \<and> (B = B) \<and> A"}.
+Logical equivalence can also be written with
+@{text "\<longleftrightarrow>"} instead of @{text"="}, where @{text"\<longleftrightarrow>"} has the same low
+precedence as @{text"\<longrightarrow>"}. Hence @{text"A \<and> B \<longleftrightarrow> B \<and> A"} really means
+@{text"(A \<and> B) \<longleftrightarrow> (B \<and> A)"}.
+\end{warn}
+\begin{warn}
+Quantifiers need to be enclosed in parentheses if they are nested within
+other constructs (just like @{text "if"}, @{text case} and @{text let}).
+\end{warn}
+The most frequent logical symbols have the following ASCII representations:
+\begin{center}
+\begin{tabular}{l@ {\qquad}l@ {\qquad}l}
+@{text "\<forall>"} & \xsymbol{forall} & \texttt{ALL}\\
+@{text "\<exists>"} & \xsymbol{exists} & \texttt{EX}\\
+@{text "\<lambda>"} & \xsymbol{lambda} & \texttt{\%}\\
+@{text "\<longrightarrow>"} & \texttt{-{}->}\\
+@{text "\<longleftrightarrow>"} & \texttt{<->}\\
+@{text "\<and>"} & \texttt{/\char`\\} & \texttt{\&}\\
+@{text "\<or>"} & \texttt{\char`\\/} & \texttt{|}\\
+@{text "\<not>"} & \xsymbol{not} & \texttt{\char`~}\\
+@{text "\<noteq>"} & \xsymbol{noteq} & \texttt{\char`~=}
+\end{tabular}
+\end{center}
+The first column shows the symbols, the second column ASCII representations
+that Isabelle interfaces convert into the corresponding symbol,
+and the third column shows ASCII representations that stay fixed.
+\begin{warn}
+The implication @{text"\<Longrightarrow>"} is part of the Isabelle framework. It structures
+theorems and proof states, separating assumptions from conclusions.
+The implication @{text"\<longrightarrow>"} is part of the logic HOL and can occur inside the
+formulas that make up the assumptions and conclusion.
+Theorems should be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"},
+not @{text"A\<^isub>1 \<and> \<dots> \<and> A\<^isub>n \<longrightarrow> A"}. Both are logically equivalent
+but the first one works better when using the theorem in further proofs.
+\end{warn}
+
+\subsection{Sets}
+
+Sets of elements of type @{typ 'a} have type @{typ"'a set"}.
+They can be finite or infinite. Sets come with the usual notation:
+\begin{itemize}
+\item @{term"{}"},\quad @{text"{e\<^isub>1,\<dots>,e\<^isub>n}"}
+\item @{prop"e \<in> A"},\quad @{prop"A \<subseteq> B"}
+\item @{term"A \<union> B"},\quad @{term"A \<inter> B"},\quad @{term"A - B"},\quad @{term"-A"}
+\end{itemize}
+and much more. @{const UNIV} is the set of all elements of some type.
+Set comprehension is written @{term"{x. P}"}
+rather than @{text"{x | P}"}, to emphasize the variable binding nature
+of the construct.
+\begin{warn}
+In @{term"{x. P}"} the @{text x} must be a variable. Set comprehension
+involving a proper term @{text t} must be written
+@{term[source]"{t | x y z. P}"},
+where @{text "x y z"} are the free variables in @{text t}.
+This is just a shorthand for @{term"{v. EX x y z. v = t \<and> P}"}, where
+@{text v} is a new variable.
+\end{warn}
+
+Here are the ASCII representations of the mathematical symbols:
+\begin{center}
+\begin{tabular}{l@ {\quad}l@ {\quad}l}
+@{text "\<in>"} & \texttt{\char`\\\char`\<in>} & \texttt{:}\\
+@{text "\<subseteq>"} & \texttt{\char`\\\char`\<subseteq>} & \texttt{<=}\\
+@{text "\<union>"} & \texttt{\char`\\\char`\<union>} & \texttt{Un}\\
+@{text "\<inter>"} & \texttt{\char`\\\char`\<inter>} & \texttt{Int}
+\end{tabular}
+\end{center}
+Sets also allow bounded quantifications @{prop"ALL x : A. P"} and
+@{prop"EX x : A. P"}.
+
+\subsection{Proof automation}
+
+So far we have only seen @{text simp} and @{text auto}: Both perform
+rewriting, both can also prove linear arithmetic facts (no multiplication),
+and @{text auto} is also able to prove simple logical or set-theoretic goals:
+*}
+
+lemma "\<forall>x. \<exists>y. x = y"
+by auto
+
+lemma "A \<subseteq> B \<inter> C \<Longrightarrow> A \<subseteq> B \<union> C"
+by auto
+
+text{* where
+\begin{quote}
+\isacom{by} \textit{proof-method}
+\end{quote}
+is short for
+\begin{quote}
+\isacom{apply} \textit{proof-method}\\
+\isacom{done}
+\end{quote}
+The key characteristics of both @{text simp} and @{text auto} are
+\begin{itemize}
+\item They show you were they got stuck, giving you an idea how to continue.
+\item They perform the obvious steps but are highly incomplete.
+\end{itemize}
+A proof method is \concept{complete} if it can prove all true formulas.
+There is no complete proof method for HOL, not even in theory.
+Hence all our proof methods only differ in how incomplete they are.
+
+A proof method that is still incomplete but tries harder than @{text auto} is
+@{text fastforce}. It either succeeds or fails, it acts on the first
+subgoal only, and it can be modified just like @{text auto}, e.g.\
+with @{text "simp add"}. Here is a typical example of what @{text fastforce}
+can do:
+*}
+
+lemma "\<lbrakk> \<forall>xs \<in> A. \<exists>ys. xs = ys @ ys; us \<in> A \<rbrakk>
+ \<Longrightarrow> \<exists>n. length us = n+n"
+by fastforce
+
+text{* This lemma is out of reach for @{text auto} because of the
+quantifiers. Even @{text fastforce} fails when the quantifier structure
+becomes more complicated. In a few cases, its slow version @{text force}
+succeeds where @{text fastforce} fails.
+
+The method of choice for complex logical goals is @{text blast}. In the
+following example, @{text T} and @{text A} are two binary predicates. It
+is shown that if @{text T} is total, @{text A} is antisymmetric and @{text T} is
+a subset of @{text A}, then @{text A} is a subset of @{text T}:
+*}
+
+lemma
+ "\<lbrakk> \<forall>x y. T x y \<or> T y x;
+ \<forall>x y. A x y \<and> A y x \<longrightarrow> x = y;
+ \<forall>x y. T x y \<longrightarrow> A x y \<rbrakk>
+ \<Longrightarrow> \<forall>x y. A x y \<longrightarrow> T x y"
+by blast
+
+text{*
+We leave it to the reader to figure out why this lemma is true.
+Method @{text blast}
+\begin{itemize}
+\item is (in principle) a complete proof procedure for first-order formulas,
+ a fragment of HOL. In practice there is a search bound.
+\item does no rewriting and knows very little about equality.
+\item covers logic, sets and relations.
+\item either succeeds or fails.
+\end{itemize}
+Because of its strength in logic and sets and its weakness in equality reasoning, it complements the earlier proof methods.
+
+
+\subsubsection{Sledgehammer}
+
+Command \isacom{sledgehammer} calls a number of external automatic
+theorem provers (ATPs) that run for up to 30 seconds searching for a
+proof. Some of these ATPs are part of the Isabelle installation, others are
+queried over the internet. If successful, a proof command is generated and can
+be inserted into your proof. The biggest win of \isacom{sledgehammer} is
+that it will take into account the whole lemma library and you do not need to
+feed in any lemma explicitly. For example,*}
+
+lemma "\<lbrakk> xs @ ys = ys @ xs; length xs = length ys \<rbrakk> \<Longrightarrow> xs = ys"
+
+txt{* cannot be solved by any of the standard proof methods, but
+\isacom{sledgehammer} finds the following proof: *}
+
+by (metis append_eq_conv_conj)
+
+text{* We do not explain how the proof was found but what this command
+means. For a start, Isabelle does not trust external tools (and in particular
+not the translations from Isabelle's logic to those tools!)
+and insists on a proof that it can check. This is what @{text metis} does.
+It is given a list of lemmas and tries to find a proof just using those lemmas
+(and pure logic). In contrast to @{text simp} and friends that know a lot of
+lemmas already, using @{text metis} manually is tedious because one has
+to find all the relevant lemmas first. But that is precisely what
+\isacom{sledgehammer} does for us.
+In this case lemma @{thm[source]append_eq_conv_conj} alone suffices:
+@{thm[display] append_eq_conv_conj}
+We leave it to the reader to figure out why this lemma suffices to prove
+the above lemma, even without any knowledge of what the functions @{const take}
+and @{const drop} do. Keep in mind that the variables in the two lemmas
+are independent of each other, despite the same names, and that you can
+substitute arbitrary values for the free variables in a lemma.
+
+Just as for the other proof methods we have seen, there is no guarantee that
+\isacom{sledgehammer} will find a proof if it exists. Nor is
+\isacom{sledgehammer} superior to the other proof methods. They are
+incomparable. Therefore it is recommended to apply @{text simp} or @{text
+auto} before invoking \isacom{sledgehammer} on what is left.
+
+\subsubsection{Arithmetic}
+
+By arithmetic formulas we mean formulas involving variables, numbers, @{text
+"+"}, @{text"-"}, @{text "="}, @{text "<"}, @{text "\<le>"} and the usual logical
+connectives @{text"\<not>"}, @{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"},
+@{text"\<longleftrightarrow>"}. Strictly speaking, this is known as \concept{linear arithmetic}
+because it does not involve multiplication, although multiplication with
+numbers, e.g.\ @{text"2*n"} is allowed. Such formulas can be proved by
+@{text arith}:
+*}
+
+lemma "\<lbrakk> (a::nat) \<le> x + b; 2*x < c \<rbrakk> \<Longrightarrow> 2*a + 1 \<le> 2*b + c"
+by arith
+
+text{* In fact, @{text auto} and @{text simp} can prove many linear
+arithmetic formulas already, like the one above, by calling a weak but fast
+version of @{text arith}. Hence it is usually not necessary to invoke
+@{text arith} explicitly.
+
+The above example involves natural numbers, but integers (type @{typ int})
+and real numbers (type @{text real}) are supported as well. As are a number
+of further operators like @{const min} and @{const max}. On @{typ nat} and
+@{typ int}, @{text arith} can even prove theorems with quantifiers in them,
+but we will not enlarge on that here.
+
+
+\subsubsection{Trying them all}
+
+If you want to try all of the above automatic proof methods you simply type
+\begin{isabelle}
+\isacom{try}
+\end{isabelle}
+You can also add specific simplification and introduction rules:
+\begin{isabelle}
+\isacom{try} @{text"simp: \<dots> intro: \<dots>"}
+\end{isabelle}
+There is also a lightweight variant \isacom{try0} that does not call
+sledgehammer.
+
+\subsection{Single step proofs}
+
+Although automation is nice, it often fails, at least initially, and you need
+to find out why. When @{text fastforce} or @{text blast} simply fail, you have
+no clue why. At this point, the stepwise
+application of proof rules may be necessary. For example, if @{text blast}
+fails on @{prop"A \<and> B"}, you want to attack the two
+conjuncts @{text A} and @{text B} separately. This can
+be achieved by applying \emph{conjunction introduction}
+\[ @{thm[mode=Rule,show_question_marks]conjI}\ @{text conjI}
+\]
+to the proof state. We will now examine the details of this process.
+
+\subsubsection{Instantiating unknowns}
+
+We had briefly mentioned earlier that after proving some theorem,
+Isabelle replaces all free variables @{text x} by so called \concept{unknowns}
+@{text "?x"}. We can see this clearly in rule @{thm[source] conjI}.
+These unknowns can later be instantiated explicitly or implicitly:
+\begin{itemize}
+\item By hand, using @{text of}.
+The expression @{text"conjI[of \"a=b\" \"False\"]"}
+instantiates the unknowns in @{thm[source] conjI} from left to right with the
+two formulas @{text"a=b"} and @{text False}, yielding the rule
+@{thm[display,mode=Rule]conjI[of "a=b" False]}
+
+In general, @{text"th[of string\<^isub>1 \<dots> string\<^isub>n]"} instantiates
+the unknowns in the theorem @{text th} from left to right with the terms
+@{text string\<^isub>1} to @{text string\<^isub>n}.
+
+\item By unification. \concept{Unification} is the process of making two
+terms syntactically equal by suitable instantiations of unknowns. For example,
+unifying @{text"?P \<and> ?Q"} with \mbox{@{prop"a=b \<and> False"}} instantiates
+@{text "?P"} with @{prop "a=b"} and @{text "?Q"} with @{prop False}.
+\end{itemize}
+We need not instantiate all unknowns. If we want to skip a particular one we
+can just write @{text"_"} instead, for example @{text "conjI[of _ \"False\"]"}.
+Unknowns can also be instantiated by name, for example
+@{text "conjI[where ?P = \"a=b\" and ?Q = \"False\"]"}.
+
+
+\subsubsection{Rule application}
+
+\concept{Rule application} means applying a rule backwards to a proof state.
+For example, applying rule @{thm[source]conjI} to a proof state
+\begin{quote}
+@{text"1. \<dots> \<Longrightarrow> A \<and> B"}
+\end{quote}
+results in two subgoals, one for each premise of @{thm[source]conjI}:
+\begin{quote}
+@{text"1. \<dots> \<Longrightarrow> A"}\\
+@{text"2. \<dots> \<Longrightarrow> B"}
+\end{quote}
+In general, the application of a rule @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
+to a subgoal \mbox{@{text"\<dots> \<Longrightarrow> C"}} proceeds in two steps:
+\begin{enumerate}
+\item
+Unify @{text A} and @{text C}, thus instantiating the unknowns in the rule.
+\item
+Replace the subgoal @{text C} with @{text n} new subgoals @{text"A\<^isub>1"} to @{text"A\<^isub>n"}.
+\end{enumerate}
+This is the command to apply rule @{text xyz}:
+\begin{quote}
+\isacom{apply}@{text"(rule xyz)"}
+\end{quote}
+This is also called \concept{backchaining} with rule @{text xyz}.
+
+\subsubsection{Introduction rules}
+
+Conjunction introduction (@{thm[source] conjI}) is one example of a whole
+class of rules known as \concept{introduction rules}. They explain under which
+premises some logical construct can be introduced. Here are some further
+useful introduction rules:
+\[
+\inferrule*[right=\mbox{@{text impI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}}}{\mbox{@{text"?P \<longrightarrow> ?Q"}}}
+\qquad
+\inferrule*[right=\mbox{@{text allI}}]{\mbox{@{text"\<And>x. ?P x"}}}{\mbox{@{text"\<forall>x. ?P x"}}}
+\]
+\[
+\inferrule*[right=\mbox{@{text iffI}}]{\mbox{@{text"?P \<Longrightarrow> ?Q"}} \\ \mbox{@{text"?Q \<Longrightarrow> ?P"}}}
+ {\mbox{@{text"?P = ?Q"}}}
+\]
+These rules are part of the logical system of \concept{natural deduction}
+(e.g.\ \cite{HuthRyan}). Although we intentionally de-emphasize the basic rules
+of logic in favour of automatic proof methods that allow you to take bigger
+steps, these rules are helpful in locating where and why automation fails.
+When applied backwards, these rules decompose the goal:
+\begin{itemize}
+\item @{thm[source] conjI} and @{thm[source]iffI} split the goal into two subgoals,
+\item @{thm[source] impI} moves the left-hand side of a HOL implication into the list of assumptions,
+\item and @{thm[source] allI} removes a @{text "\<forall>"} by turning the quantified variable into a fixed local variable of the subgoal.
+\end{itemize}
+Isabelle knows about these and a number of other introduction rules.
+The command
+\begin{quote}
+\isacom{apply} @{text rule}
+\end{quote}
+automatically selects the appropriate rule for the current subgoal.
+
+You can also turn your own theorems into introduction rules by giving them
+the @{text"intro"} attribute, analogous to the @{text simp} attribute. In
+that case @{text blast}, @{text fastforce} and (to a limited extent) @{text
+auto} will automatically backchain with those theorems. The @{text intro}
+attribute should be used with care because it increases the search space and
+can lead to nontermination. Sometimes it is better to use it only in
+specific calls of @{text blast} and friends. For example,
+@{thm[source] le_trans}, transitivity of @{text"\<le>"} on type @{typ nat},
+is not an introduction rule by default because of the disastrous effect
+on the search space, but can be useful in specific situations:
+*}
+
+lemma "\<lbrakk> (a::nat) \<le> b; b \<le> c; c \<le> d; d \<le> e \<rbrakk> \<Longrightarrow> a \<le> e"
+by(blast intro: le_trans)
+
+text{*
+Of course this is just an example and could be proved by @{text arith}, too.
+
+\subsubsection{Forward proof}
+\label{sec:forward-proof}
+
+Forward proof means deriving new theorems from old theorems. We have already
+seen a very simple form of forward proof: the @{text of} operator for
+instantiating unknowns in a theorem. The big brother of @{text of} is @{text
+OF} for applying one theorem to others. Given a theorem @{prop"A \<Longrightarrow> B"} called
+@{text r} and a theorem @{text A'} called @{text r'}, the theorem @{text
+"r[OF r']"} is the result of applying @{text r} to @{text r'}, where @{text
+r} should be viewed as a function taking a theorem @{text A} and returning
+@{text B}. More precisely, @{text A} and @{text A'} are unified, thus
+instantiating the unknowns in @{text B}, and the result is the instantiated
+@{text B}. Of course, unification may also fail.
+\begin{warn}
+Application of rules to other rules operates in the forward direction: from
+the premises to the conclusion of the rule; application of rules to proof
+states operates in the backward direction, from the conclusion to the
+premises.
+\end{warn}
+
+In general @{text r} can be of the form @{text"\<lbrakk> A\<^isub>1; \<dots>; A\<^isub>n \<rbrakk> \<Longrightarrow> A"}
+and there can be multiple argument theorems @{text r\<^isub>1} to @{text r\<^isub>m}
+(with @{text"m \<le> n"}), in which case @{text "r[OF r\<^isub>1 \<dots> r\<^isub>m]"} is obtained
+by unifying and thus proving @{text "A\<^isub>i"} with @{text "r\<^isub>i"}, @{text"i = 1\<dots>m"}.
+Here is an example, where @{thm[source]refl} is the theorem
+@{thm[show_question_marks] refl}:
+*}
+
+thm conjI[OF refl[of "a"] refl[of "b"]]
+
+text{* yields the theorem @{thm conjI[OF refl[of "a"] refl[of "b"]]}.
+The command \isacom{thm} merely displays the result.
+
+Forward reasoning also makes sense in connection with proof states.
+Therefore @{text blast}, @{text fastforce} and @{text auto} support a modifier
+@{text dest} which instructs the proof method to use certain rules in a
+forward fashion. If @{text r} is of the form \mbox{@{text "A \<Longrightarrow> B"}}, the modifier
+\mbox{@{text"dest: r"}}
+allows proof search to reason forward with @{text r}, i.e.\
+to replace an assumption @{text A'}, where @{text A'} unifies with @{text A},
+with the correspondingly instantiated @{text B}. For example, @{thm[source,show_question_marks] Suc_leD} is the theorem \mbox{@{thm Suc_leD}}, which works well for forward reasoning:
+*}
+
+lemma "Suc(Suc(Suc a)) \<le> b \<Longrightarrow> a \<le> b"
+by(blast dest: Suc_leD)
+
+text{* In this particular example we could have backchained with
+@{thm[source] Suc_leD}, too, but because the premise is more complicated than the conclusion this can easily lead to nontermination.
+
+\subsubsection{Finding theorems}
+
+Command \isacom{find\_theorems} searches for specific theorems in the current
+theory. Search criteria include pattern matching on terms and on names.
+For details see the Isabelle/Isar Reference Manual~\cite{IsarRef}.
+\bigskip
+
+\begin{warn}
+To ease readability we will drop the question marks
+in front of unknowns from now on.
+\end{warn}
+
+
+\section{Inductive definitions}
+\label{sec:inductive-defs}
+
+Inductive definitions are the third important definition facility, after
+datatypes and recursive function.
+\sem
+In fact, they are the key construct in the
+definition of operational semantics in the second part of the book.
+\endsem
+
+\subsection{An example: even numbers}
+\label{sec:Logic:even}
+
+Here is a simple example of an inductively defined predicate:
+\begin{itemize}
+\item 0 is even
+\item If $n$ is even, so is $n+2$.
+\end{itemize}
+The operative word ``inductive'' means that these are the only even numbers.
+In Isabelle we give the two rules the names @{text ev0} and @{text evSS}
+and write
+*}
+
+inductive ev :: "nat \<Rightarrow> bool" where
+ev0: "ev 0" |
+evSS: (*<*)"ev n \<Longrightarrow> ev (Suc(Suc n))"(*>*)
+text_raw{* @{prop[source]"ev n \<Longrightarrow> ev (n + 2)"} *}
+
+text{* To get used to inductive definitions, we will first prove a few
+properties of @{const ev} informally before we descend to the Isabelle level.
+
+How do we prove that some number is even, e.g.\ @{prop "ev 4"}? Simply by combining the defining rules for @{const ev}:
+\begin{quote}
+@{text "ev 0 \<Longrightarrow> ev (0 + 2) \<Longrightarrow> ev((0 + 2) + 2) = ev 4"}
+\end{quote}
+
+\subsubsection{Rule induction}
+
+Showing that all even numbers have some property is more complicated. For
+example, let us prove that the inductive definition of even numbers agrees
+with the following recursive one:*}
+
+fun even :: "nat \<Rightarrow> bool" where
+"even 0 = True" |
+"even (Suc 0) = False" |
+"even (Suc(Suc n)) = even n"
+
+text{* We prove @{prop"ev m \<Longrightarrow> even m"}. That is, we
+assume @{prop"ev m"} and by induction on the form of its derivation
+prove @{prop"even m"}. There are two cases corresponding to the two rules
+for @{const ev}:
+\begin{description}
+\item[Case @{thm[source]ev0}:]
+ @{prop"ev m"} was derived by rule @{prop "ev 0"}: \\
+ @{text"\<Longrightarrow>"} @{prop"m=(0::nat)"} @{text"\<Longrightarrow>"} @{text "even m = even 0 = True"}
+\item[Case @{thm[source]evSS}:]
+ @{prop"ev m"} was derived by rule @{prop "ev n \<Longrightarrow> ev(n+2)"}: \\
+@{text"\<Longrightarrow>"} @{prop"m=n+(2::nat)"} and by induction hypothesis @{prop"even n"}\\
+@{text"\<Longrightarrow>"} @{text"even m = even(n + 2) = even n = True"}
+\end{description}
+
+What we have just seen is a special case of \concept{rule induction}.
+Rule induction applies to propositions of this form
+\begin{quote}
+@{prop "ev n \<Longrightarrow> P n"}
+\end{quote}
+That is, we want to prove a property @{prop"P n"}
+for all even @{text n}. But if we assume @{prop"ev n"}, then there must be
+some derivation of this assumption using the two defining rules for
+@{const ev}. That is, we must prove
+\begin{description}
+\item[Case @{thm[source]ev0}:] @{prop"P(0::nat)"}
+\item[Case @{thm[source]evSS}:] @{prop"\<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n + 2::nat)"}
+\end{description}
+The corresponding rule is called @{thm[source] ev.induct} and looks like this:
+\[
+\inferrule{
+\mbox{@{thm (prem 1) ev.induct[of "n"]}}\\
+\mbox{@{thm (prem 2) ev.induct}}\\
+\mbox{@{prop"!!n. \<lbrakk> ev n; P n \<rbrakk> \<Longrightarrow> P(n+2)"}}}
+{\mbox{@{thm (concl) ev.induct[of "n"]}}}
+\]
+The first premise @{prop"ev n"} enforces that this rule can only be applied
+in situations where we know that @{text n} is even.
+
+Note that in the induction step we may not just assume @{prop"P n"} but also
+\mbox{@{prop"ev n"}}, which is simply the premise of rule @{thm[source]
+evSS}. Here is an example where the local assumption @{prop"ev n"} comes in
+handy: we prove @{prop"ev m \<Longrightarrow> ev(m - 2)"} by induction on @{prop"ev m"}.
+Case @{thm[source]ev0} requires us to prove @{prop"ev(0 - 2)"}, which follows
+from @{prop"ev 0"} because @{prop"0 - 2 = (0::nat)"} on type @{typ nat}. In
+case @{thm[source]evSS} we have \mbox{@{prop"m = n+(2::nat)"}} and may assume
+@{prop"ev n"}, which implies @{prop"ev (m - 2)"} because @{text"m - 2 = (n +
+2) - 2 = n"}. We did not need the induction hypothesis at all for this proof,
+it is just a case analysis of which rule was used, but having @{prop"ev
+n"} at our disposal in case @{thm[source]evSS} was essential.
+This case analysis of rules is also called ``rule inversion''
+and is discussed in more detail in \autoref{ch:Isar}.
+
+\subsubsection{In Isabelle}
+
+Let us now recast the above informal proofs in Isabelle. For a start,
+we use @{const Suc} terms instead of numerals in rule @{thm[source]evSS}:
+@{thm[display] evSS}
+This avoids the difficulty of unifying @{text"n+2"} with some numeral,
+which is not automatic.
+
+The simplest way to prove @{prop"ev(Suc(Suc(Suc(Suc 0))))"} is in a forward
+direction: @{text "evSS[OF evSS[OF ev0]]"} yields the theorem @{thm evSS[OF
+evSS[OF ev0]]}. Alternatively, you can also prove it as a lemma in backwards
+fashion. Although this is more verbose, it allows us to demonstrate how each
+rule application changes the proof state: *}
+
+lemma "ev(Suc(Suc(Suc(Suc 0))))"
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+*}
+apply(rule evSS)
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+*}
+apply(rule evSS)
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+*}
+apply(rule ev0)
+done
+
+text{* \indent
+Rule induction is applied by giving the induction rule explicitly via the
+@{text"rule:"} modifier:*}
+
+lemma "ev m \<Longrightarrow> even m"
+apply(induction rule: ev.induct)
+by(simp_all)
+
+text{* Both cases are automatic. Note that if there are multiple assumptions
+of the form @{prop"ev t"}, method @{text induction} will induct on the leftmost
+one.
+
+As a bonus, we also prove the remaining direction of the equivalence of
+@{const ev} and @{const even}:
+*}
+
+lemma "even n \<Longrightarrow> ev n"
+apply(induction n rule: even.induct)
+
+txt{* This is a proof by computation induction on @{text n} (see
+\autoref{sec:recursive-funs}) that sets up three subgoals corresponding to
+the three equations for @{const even}:
+@{subgoals[display,indent=0]}
+The first and third subgoals follow with @{thm[source]ev0} and @{thm[source]evSS}, and the second subgoal is trivially true because @{prop"even(Suc 0)"} is @{const False}:
+*}
+
+by (simp_all add: ev0 evSS)
+
+text{* The rules for @{const ev} make perfect simplification and introduction
+rules because their premises are always smaller than the conclusion. It
+makes sense to turn them into simplification and introduction rules
+permanently, to enhance proof automation: *}
+
+declare ev.intros[simp,intro]
+
+text{* The rules of an inductive definition are not simplification rules by
+default because, in contrast to recursive functions, there is no termination
+requirement for inductive definitions.
+
+\subsubsection{Inductive versus recursive}
+
+We have seen two definitions of the notion of evenness, an inductive and a
+recursive one. Which one is better? Much of the time, the recursive one is
+more convenient: it allows us to do rewriting in the middle of terms, and it
+expresses both the positive information (which numbers are even) and the
+negative information (which numbers are not even) directly. An inductive
+definition only expresses the positive information directly. The negative
+information, for example, that @{text 1} is not even, has to be proved from
+it (by induction or rule inversion). On the other hand, rule induction is
+tailor-made for proving \mbox{@{prop"ev n \<Longrightarrow> P n"}} because it only asks you
+to prove the positive cases. In the proof of @{prop"even n \<Longrightarrow> P n"} by
+computation induction via @{thm[source]even.induct}, we are also presented
+with the trivial negative cases. If you want the convenience of both
+rewriting and rule induction, you can make two definitions and show their
+equivalence (as above) or make one definition and prove additional properties
+from it, for example rule induction from computation induction.
+
+But many concepts do not admit a recursive definition at all because there is
+no datatype for the recursion (for example, the transitive closure of a
+relation), or the recursion would not terminate (for example,
+an interpreter for a programming language). Even if there is a recursive
+definition, if we are only interested in the positive information, the
+inductive definition may be much simpler.
+
+\subsection{The reflexive transitive closure}
+\label{sec:star}
+
+Evenness is really more conveniently expressed recursively than inductively.
+As a second and very typical example of an inductive definition we define the
+reflexive transitive closure.
+\sem
+It will also be an important building block for
+some of the semantics considered in the second part of the book.
+\endsem
+
+The reflexive transitive closure, called @{text star} below, is a function
+that maps a binary predicate to another binary predicate: if @{text r} is of
+type @{text"\<tau> \<Rightarrow> \<tau> \<Rightarrow> bool"} then @{term "star r"} is again of type @{text"\<tau> \<Rightarrow>
+\<tau> \<Rightarrow> bool"}, and @{prop"star r x y"} means that @{text x} and @{text y} are in
+the relation @{term"star r"}. Think @{term"r^*"} when you see @{term"star
+r"}, because @{text"star r"} is meant to be the reflexive transitive closure.
+That is, @{prop"star r x y"} is meant to be true if from @{text x} we can
+reach @{text y} in finitely many @{text r} steps. This concept is naturally
+defined inductively: *}
+
+inductive star :: "('a \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> 'a \<Rightarrow> 'a \<Rightarrow> bool" for r where
+refl: "star r x x" |
+step: "r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
+
+text{* The base case @{thm[source] refl} is reflexivity: @{term "x=y"}. The
+step case @{thm[source]step} combines an @{text r} step (from @{text x} to
+@{text y}) and a @{term"star r"} step (from @{text y} to @{text z}) into a
+@{term"star r"} step (from @{text x} to @{text z}).
+The ``\isacom{for}~@{text r}'' in the header is merely a hint to Isabelle
+that @{text r} is a fixed parameter of @{const star}, in contrast to the
+further parameters of @{const star}, which change. As a result, Isabelle
+generates a simpler induction rule.
+
+By definition @{term"star r"} is reflexive. It is also transitive, but we
+need rule induction to prove that: *}
+
+lemma star_trans: "star r x y \<Longrightarrow> star r y z \<Longrightarrow> star r x z"
+apply(induction rule: star.induct)
+(*<*)
+defer
+apply(rename_tac u x y)
+defer
+(*>*)
+txt{* The induction is over @{prop"star r x y"} and we try to prove
+\mbox{@{prop"star r y z \<Longrightarrow> star r x z"}},
+which we abbreviate by @{prop"P x y"}. These are our two subgoals:
+@{subgoals[display,indent=0]}
+The first one is @{prop"P x x"}, the result of case @{thm[source]refl},
+and it is trivial.
+*}
+apply(assumption)
+txt{* Let us examine subgoal @{text 2}, case @{thm[source] step}.
+Assumptions @{prop"r u x"} and \mbox{@{prop"star r x y"}}
+are the premises of rule @{thm[source]step}.
+Assumption @{prop"star r y z \<Longrightarrow> star r x z"} is \mbox{@{prop"P x y"}},
+the IH coming from @{prop"star r x y"}. We have to prove @{prop"P u y"},
+which we do by assuming @{prop"star r y z"} and proving @{prop"star r u z"}.
+The proof itself is straightforward: from \mbox{@{prop"star r y z"}} the IH
+leads to @{prop"star r x z"} which, together with @{prop"r u x"},
+leads to \mbox{@{prop"star r u z"}} via rule @{thm[source]step}:
+*}
+apply(metis step)
+done
+
+text{*
+
+\subsection{The general case}
+
+Inductive definitions have approximately the following general form:
+\begin{quote}
+\isacom{inductive} @{text"I :: \"\<tau> \<Rightarrow> bool\""} \isacom{where}
+\end{quote}
+followed by a sequence of (possibly named) rules of the form
+\begin{quote}
+@{text "\<lbrakk> I a\<^isub>1; \<dots>; I a\<^isub>n \<rbrakk> \<Longrightarrow> I a"}
+\end{quote}
+separated by @{text"|"}. As usual, @{text n} can be 0.
+The corresponding rule induction principle
+@{text I.induct} applies to propositions of the form
+\begin{quote}
+@{prop "I x \<Longrightarrow> P x"}
+\end{quote}
+where @{text P} may itself be a chain of implications.
+\begin{warn}
+Rule induction is always on the leftmost premise of the goal.
+Hence @{text "I x"} must be the first premise.
+\end{warn}
+Proving @{prop "I x \<Longrightarrow> P x"} by rule induction means proving
+for every rule of @{text I} that @{text P} is invariant:
+\begin{quote}
+@{text "\<lbrakk> I a\<^isub>1; P a\<^isub>1; \<dots>; I a\<^isub>n; P a\<^isub>n \<rbrakk> \<Longrightarrow> P a"}
+\end{quote}
+
+The above format for inductive definitions is simplified in a number of
+respects. @{text I} can have any number of arguments and each rule can have
+additional premises not involving @{text I}, so-called \concept{side
+conditions}. In rule inductions, these side-conditions appear as additional
+assumptions. The \isacom{for} clause seen in the definition of the reflexive
+transitive closure merely simplifies the form of the induction rule.
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/MyList.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,17 @@
+theory MyList
+imports Main
+begin
+
+datatype 'a list = Nil | Cons 'a "'a list"
+
+fun app :: "'a list => 'a list => 'a list" where
+"app Nil ys = ys" |
+"app (Cons x xs) ys = Cons x (app xs ys)"
+
+fun rev :: "'a list => 'a list" where
+"rev Nil = Nil" |
+"rev (Cons x xs) = app (rev xs) (Cons x Nil)"
+
+value "rev(Cons True (Cons False Nil))"
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/Types_and_funs.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,479 @@
+(*<*)
+theory Types_and_funs
+imports Main
+begin
+(*>*)
+text{*
+\vspace{-5ex}
+\section{Type and function definitions}
+
+Type synonyms are abbreviations for existing types, for example
+*}
+
+type_synonym string = "char list"
+
+text{*
+Type synonyms are expanded after parsing and are not present in internal representation and output. They are mere conveniences for the reader.
+
+\subsection{Datatypes}
+
+The general form of a datatype definition looks like this:
+\begin{quote}
+\begin{tabular}{@ {}rclcll}
+\isacom{datatype} @{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"}
+ & = & $C_1 \ @{text"\""}\tau_{1,1}@{text"\""} \dots @{text"\""}\tau_{1,n_1}@{text"\""}$ \\
+ & $|$ & \dots \\
+ & $|$ & $C_k \ @{text"\""}\tau_{k,1}@{text"\""} \dots @{text"\""}\tau_{k,n_k}@{text"\""}$
+\end{tabular}
+\end{quote}
+It introduces the constructors \
+$C_i :: \tau_{i,1}\Rightarrow \cdots \Rightarrow \tau_{i,n_i} \Rightarrow$~@{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"} \ and expresses that any value of this type is built from these constructors in a unique manner. Uniqueness is implied by the following
+properties of the constructors:
+\begin{itemize}
+\item \emph{Distinctness:} $C_i\ \ldots \neq C_j\ \dots$ \quad if $i \neq j$
+\item \emph{Injectivity:}
+\begin{tabular}[t]{l}
+ $(C_i \ x_1 \dots x_{n_i} = C_i \ y_1 \dots y_{n_i}) =$\\
+ $(x_1 = y_1 \land \dots \land x_{n_i} = y_{n_i})$
+\end{tabular}
+\end{itemize}
+The fact that any value of the datatype is built from the constructors implies
+the structural induction rule: to show
+$P~x$ for all $x$ of type @{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"},
+one needs to show $P(C_i\ x_1 \dots x_{n_i})$ (for each $i$) assuming
+$P(x_j)$ for all $j$ where $\tau_{i,j} =$~@{text "('a\<^isub>1,\<dots>,'a\<^isub>n)t"}.
+Distinctness and injectivity are applied automatically by @{text auto}
+and other proof methods. Induction must be applied explicitly.
+
+Datatype values can be taken apart with case-expressions, for example
+\begin{quote}
+\noquotes{@{term[source] "(case xs of [] \<Rightarrow> 0 | x # _ \<Rightarrow> Suc x)"}}
+\end{quote}
+just like in functional programming languages. Case expressions
+must be enclosed in parentheses.
+
+As an example, consider binary trees:
+*}
+
+datatype 'a tree = Tip | Node "'a tree" 'a "'a tree"
+
+text{* with a mirror function: *}
+
+fun mirror :: "'a tree \<Rightarrow> 'a tree" where
+"mirror Tip = Tip" |
+"mirror (Node l a r) = Node (mirror r) a (mirror l)"
+
+text{* The following lemma illustrates induction: *}
+
+lemma "mirror(mirror t) = t"
+apply(induction t)
+
+txt{* yields
+@{subgoals[display]}
+The induction step contains two induction hypotheses, one for each subtree.
+An application of @{text auto} finishes the proof.
+
+A very simple but also very useful datatype is the predefined
+@{datatype[display] option}
+Its sole purpose is to add a new element @{const None} to an existing
+type @{typ 'a}. To make sure that @{const None} is distinct from all the
+elements of @{typ 'a}, you wrap them up in @{const Some} and call
+the new type @{typ"'a option"}. A typical application is a lookup function
+on a list of key-value pairs, often called an association list:
+*}
+(*<*)
+apply auto
+done
+(*>*)
+fun lookup :: "('a * 'b) list \<Rightarrow> 'a \<Rightarrow> 'b option" where
+"lookup [] x = None" |
+"lookup ((a,b) # ps) x = (if a = x then Some b else lookup ps x)"
+
+text{*
+Note that @{text"\<tau>\<^isub>1 * \<tau>\<^isub>2"} is the type of pairs, also written @{text"\<tau>\<^isub>1 \<times> \<tau>\<^isub>2"}.
+
+\subsection{Definitions}
+
+Non recursive functions can be defined as in the following example:
+*}
+
+definition sq :: "nat \<Rightarrow> nat" where
+"sq n = n * n"
+
+text{* Such definitions do not allow pattern matching but only
+@{text"f x\<^isub>1 \<dots> x\<^isub>n = t"}, where @{text f} does not occur in @{text t}.
+
+\subsection{Abbreviations}
+
+Abbreviations are similar to definitions:
+*}
+
+abbreviation sq' :: "nat \<Rightarrow> nat" where
+"sq' n == n * n"
+
+text{* The key difference is that @{const sq'} is only syntactic sugar:
+@{term"sq' t"} is replaced by \mbox{@{term"t*t"}} after parsing, and every
+occurrence of a term @{term"u*u"} is replaced by \mbox{@{term"sq' u"}} before
+printing. Internally, @{const sq'} does not exist. This is also the
+advantage of abbreviations over definitions: definitions need to be expanded
+explicitly (see \autoref{sec:rewr-defs}) whereas abbreviations are already
+expanded upon parsing. However, abbreviations should be introduced sparingly:
+if abused, they can lead to a confusing discrepancy between the internal and
+external view of a term.
+
+\subsection{Recursive functions}
+\label{sec:recursive-funs}
+
+Recursive functions are defined with \isacom{fun} by pattern matching
+over datatype constructors. The order of equations matters. Just as in
+functional programming languages. However, all HOL functions must be
+total. This simplifies the logic---terms are always defined---but means
+that recursive functions must terminate. Otherwise one could define a
+function @{prop"f n = f n + (1::nat)"} and conclude \mbox{@{prop"(0::nat) = 1"}} by
+subtracting @{term"f n"} on both sides.
+
+Isabelle's automatic termination checker requires that the arguments of
+recursive calls on the right-hand side must be strictly smaller than the
+arguments on the left-hand side. In the simplest case, this means that one
+fixed argument position decreases in size with each recursive call. The size
+is measured as the number of constructors (excluding 0-ary ones, e.g.\ @{text
+Nil}). Lexicographic combinations are also recognized. In more complicated
+situations, the user may have to prove termination by hand. For details
+see~\cite{Krauss}.
+
+Functions defined with \isacom{fun} come with their own induction schema
+that mirrors the recursion schema and is derived from the termination
+order. For example,
+*}
+
+fun div2 :: "nat \<Rightarrow> nat" where
+"div2 0 = 0" |
+"div2 (Suc 0) = Suc 0" |
+"div2 (Suc(Suc n)) = Suc(div2 n)"
+
+text{* does not just define @{const div2} but also proves a
+customized induction rule:
+\[
+\inferrule{
+\mbox{@{thm (prem 1) div2.induct}}\\
+\mbox{@{thm (prem 2) div2.induct}}\\
+\mbox{@{thm (prem 3) div2.induct}}}
+{\mbox{@{thm (concl) div2.induct[of _ "m"]}}}
+\]
+This customized induction rule can simplify inductive proofs. For example,
+*}
+
+lemma "div2(n+n) = n"
+apply(induction n rule: div2.induct)
+
+txt{* yields the 3 subgoals
+@{subgoals[display,margin=65]}
+An application of @{text auto} finishes the proof.
+Had we used ordinary structural induction on @{text n},
+the proof would have needed an additional
+case analysis in the induction step.
+
+The general case is often called \concept{computation induction},
+because the induction follows the (terminating!) computation.
+For every defining equation
+\begin{quote}
+@{text "f(e) = \<dots> f(r\<^isub>1) \<dots> f(r\<^isub>k) \<dots>"}
+\end{quote}
+where @{text"f(r\<^isub>i)"}, @{text"i=1\<dots>k"}, are all the recursive calls,
+the induction rule @{text"f.induct"} contains one premise of the form
+\begin{quote}
+@{text"P(r\<^isub>1) \<Longrightarrow> \<dots> \<Longrightarrow> P(r\<^isub>k) \<Longrightarrow> P(e)"}
+\end{quote}
+If @{text "f :: \<tau>\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> \<tau>\<^isub>n \<Rightarrow> \<tau>"} then @{text"f.induct"} is applied like this:
+\begin{quote}
+\isacom{apply}@{text"(induction x\<^isub>1 \<dots> x\<^isub>n rule: f.induct)"}
+\end{quote}
+where typically there is a call @{text"f x\<^isub>1 \<dots> x\<^isub>n"} in the goal.
+But note that the induction rule does not mention @{text f} at all,
+except in its name, and is applicable independently of @{text f}.
+
+\section{Induction heuristics}
+
+We have already noted that theorems about recursive functions are proved by
+induction. In case the function has more than one argument, we have followed
+the following heuristic in the proofs about the append function:
+\begin{quote}
+\emph{Perform induction on argument number $i$\\
+ if the function is defined by recursion on argument number $i$.}
+\end{quote}
+The key heuristic, and the main point of this section, is to
+\emph{generalize the goal before induction}.
+The reason is simple: if the goal is
+too specific, the induction hypothesis is too weak to allow the induction
+step to go through. Let us illustrate the idea with an example.
+
+Function @{const rev} has quadratic worst-case running time
+because it calls append for each element of the list and
+append is linear in its first argument. A linear time version of
+@{const rev} requires an extra argument where the result is accumulated
+gradually, using only~@{text"#"}:
+*}
+(*<*)
+apply auto
+done
+(*>*)
+fun itrev :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+"itrev [] ys = ys" |
+"itrev (x#xs) ys = itrev xs (x#ys)"
+
+text{* The behaviour of @{const itrev} is simple: it reverses
+its first argument by stacking its elements onto the second argument,
+and it returns that second argument when the first one becomes
+empty. Note that @{const itrev} is tail-recursive: it can be
+compiled into a loop, no stack is necessary for executing it.
+
+Naturally, we would like to show that @{const itrev} does indeed reverse
+its first argument provided the second one is empty:
+*}
+
+lemma "itrev xs [] = rev xs"
+
+txt{* There is no choice as to the induction variable:
+*}
+
+apply(induction xs)
+apply(auto)
+
+txt{*
+Unfortunately, this attempt does not prove
+the induction step:
+@{subgoals[display,margin=70]}
+The induction hypothesis is too weak. The fixed
+argument,~@{term"[]"}, prevents it from rewriting the conclusion.
+This example suggests a heuristic:
+\begin{quote}
+\emph{Generalize goals for induction by replacing constants by variables.}
+\end{quote}
+Of course one cannot do this na\"{\i}vely: @{prop"itrev xs ys = rev xs"} is
+just not true. The correct generalization is
+*};
+(*<*)oops;(*>*)
+lemma "itrev xs ys = rev xs @ ys"
+(*<*)apply(induction xs, auto)(*>*)
+txt{*
+If @{text ys} is replaced by @{term"[]"}, the right-hand side simplifies to
+@{term"rev xs"}, as required.
+In this instance it was easy to guess the right generalization.
+Other situations can require a good deal of creativity.
+
+Although we now have two variables, only @{text xs} is suitable for
+induction, and we repeat our proof attempt. Unfortunately, we are still
+not there:
+@{subgoals[display,margin=65]}
+The induction hypothesis is still too weak, but this time it takes no
+intuition to generalize: the problem is that the @{text ys}
+in the induction hypothesis is fixed,
+but the induction hypothesis needs to be applied with
+@{term"a # ys"} instead of @{text ys}. Hence we prove the theorem
+for all @{text ys} instead of a fixed one. We can instruct induction
+to perform this generalization for us by adding @{text "arbitrary: ys"}.
+*}
+(*<*)oops
+lemma "itrev xs ys = rev xs @ ys"
+(*>*)
+apply(induction xs arbitrary: ys)
+
+txt{* The induction hypothesis in the induction step is now universally quantified over @{text ys}:
+@{subgoals[display,margin=65]}
+Thus the proof succeeds:
+*}
+
+apply auto
+done
+
+text{*
+This leads to another heuristic for generalization:
+\begin{quote}
+\emph{Generalize induction by generalizing all free
+variables\\ {\em(except the induction variable itself)}.}
+\end{quote}
+Generalization is best performed with @{text"arbitrary: y\<^isub>1 \<dots> y\<^isub>k"}.
+This heuristic prevents trivial failures like the one above.
+However, it should not be applied blindly.
+It is not always required, and the additional quantifiers can complicate
+matters in some cases. The variables that need to be quantified are typically
+those that change in recursive calls.
+
+\section{Simplification}
+
+So far we have talked a lot about simplifying terms without explaining the concept. \concept{Simplification} means
+\begin{itemize}
+\item using equations $l = r$ from left to right (only),
+\item as long as possible.
+\end{itemize}
+To emphasize the directionality, equations that have been given the
+@{text"simp"} attribute are called \concept{simplification}
+rules. Logically, they are still symmetric, but proofs by
+simplification use them only in the left-to-right direction. The proof tool
+that performs simplifications is called the \concept{simplifier}. It is the
+basis of @{text auto} and other related proof methods.
+
+The idea of simplification is best explained by an example. Given the
+simplification rules
+\[
+\begin{array}{rcl@ {\quad}l}
+@{term"0 + n::nat"} &@{text"="}& @{text n} & (1) \\
+@{term"(Suc m) + n"} &@{text"="}& @{term"Suc (m + n)"} & (2) \\
+@{text"(Suc m \<le> Suc n)"} &@{text"="}& @{text"(m \<le> n)"} & (3)\\
+@{text"(0 \<le> m)"} &@{text"="}& @{const True} & (4)
+\end{array}
+\]
+the formula @{prop"0 + Suc 0 \<le> Suc 0 + x"} is simplified to @{const True}
+as follows:
+\[
+\begin{array}{r@ {}c@ {}l@ {\quad}l}
+@{text"(0 + Suc 0"} & \leq & @{text"Suc 0 + x)"} & \stackrel{(1)}{=} \\
+@{text"(Suc 0"} & \leq & @{text"Suc 0 + x)"} & \stackrel{(2)}{=} \\
+@{text"(Suc 0"} & \leq & @{text"Suc (0 + x)"} & \stackrel{(3)}{=} \\
+@{text"(0"} & \leq & @{text"0 + x)"} & \stackrel{(4)}{=} \\[1ex]
+ & @{const True}
+\end{array}
+\]
+Simplification is often also called \concept{rewriting}
+and simplification rules \concept{rewrite rules}.
+
+\subsection{Simplification rules}
+
+The attribute @{text"simp"} declares theorems to be simplification rules,
+which the simplifier will use automatically. In addition,
+\isacom{datatype} and \isacom{fun} commands implicitly declare some
+simplification rules: \isacom{datatype} the distinctness and injectivity
+rules, \isacom{fun} the defining equations. Definitions are not declared
+as simplification rules automatically! Nearly any theorem can become a
+simplification rule. The simplifier will try to transform it into an
+equation. For example, the theorem @{prop"\<not> P"} is turned into @{prop"P = False"}.
+
+Only equations that really simplify, like @{prop"rev (rev xs) = xs"} and
+@{prop"xs @ [] = xs"}, should be declared as simplification
+rules. Equations that may be counterproductive as simplification rules
+should only be used in specific proof steps (see \S\ref{sec:simp} below).
+Distributivity laws, for example, alter the structure of terms
+and can produce an exponential blow-up.
+
+\subsection{Conditional simplification rules}
+
+Simplification rules can be conditional. Before applying such a rule, the
+simplifier will first try to prove the preconditions, again by
+simplification. For example, given the simplification rules
+\begin{quote}
+@{prop"p(0::nat) = True"}\\
+@{prop"p(x) \<Longrightarrow> f(x) = g(x)"},
+\end{quote}
+the term @{term"f(0::nat)"} simplifies to @{term"g(0::nat)"}
+but @{term"f(1::nat)"} does not simplify because @{prop"p(1::nat)"}
+is not provable.
+
+\subsection{Termination}
+
+Simplification can run forever, for example if both @{prop"f x = g x"} and
+@{prop"g(x) = f(x)"} are simplification rules. It is the user's
+responsibility not to include simplification rules that can lead to
+nontermination, either on their own or in combination with other
+simplification rules. The right-hand side of a simplification rule should
+always be ``simpler'' than the left-hand side---in some sense. But since
+termination is undecidable, such a check cannot be automated completely
+and Isabelle makes little attempt to detect nontermination.
+
+When conditional simplification rules are applied, their preconditions are
+proved first. Hence all preconditions need to be
+simpler than the left-hand side of the conclusion. For example
+\begin{quote}
+@{prop "n < m \<Longrightarrow> (n < Suc m) = True"}
+\end{quote}
+is suitable as a simplification rule: both @{prop"n<m"} and @{const True}
+are simpler than \mbox{@{prop"n < Suc m"}}. But
+\begin{quote}
+@{prop "Suc n < m \<Longrightarrow> (n < m) = True"}
+\end{quote}
+leads to nontermination: when trying to rewrite @{prop"n<m"} to @{const True}
+one first has to prove \mbox{@{prop"Suc n < m"}}, which can be rewritten to @{const True} provided @{prop"Suc(Suc n) < m"}, \emph{ad infinitum}.
+
+\subsection{The @{text simp} proof method}
+\label{sec:simp}
+
+So far we have only used the proof method @{text auto}. Method @{text simp}
+is the key component of @{text auto}, but @{text auto} can do much more. In
+some cases, @{text auto} is overeager and modifies the proof state too much.
+In such cases the more predictable @{text simp} method should be used.
+Given a goal
+\begin{quote}
+@{text"1. \<lbrakk> P\<^isub>1; \<dots>; P\<^isub>m \<rbrakk> \<Longrightarrow> C"}
+\end{quote}
+the command
+\begin{quote}
+\isacom{apply}@{text"(simp add: th\<^isub>1 \<dots> th\<^isub>n)"}
+\end{quote}
+simplifies the assumptions @{text "P\<^isub>i"} and the conclusion @{text C} using
+\begin{itemize}
+\item all simplification rules, including the ones coming from \isacom{datatype} and \isacom{fun},
+\item the additional lemmas @{text"th\<^isub>1 \<dots> th\<^isub>n"}, and
+\item the assumptions.
+\end{itemize}
+In addition to or instead of @{text add} there is also @{text del} for removing
+simplification rules temporarily. Both are optional. Method @{text auto}
+can be modified similarly:
+\begin{quote}
+\isacom{apply}@{text"(auto simp add: \<dots> simp del: \<dots>)"}
+\end{quote}
+Here the modifiers are @{text"simp add"} and @{text"simp del"}
+instead of just @{text add} and @{text del} because @{text auto}
+does not just perform simplification.
+
+Note that @{text simp} acts only on subgoal 1, @{text auto} acts on all
+subgoals. There is also @{text simp_all}, which applies @{text simp} to
+all subgoals.
+
+\subsection{Rewriting with definitions}
+\label{sec:rewr-defs}
+
+Definitions introduced by the command \isacom{definition}
+can also be used as simplification rules,
+but by default they are not: the simplifier does not expand them
+automatically. Definitions are intended for introducing abstract concepts and
+not merely as abbreviations. Of course, we need to expand the definition
+initially, but once we have proved enough abstract properties of the new
+constant, we can forget its original definition. This style makes proofs more
+robust: if the definition has to be changed, only the proofs of the abstract
+properties will be affected.
+
+The definition of a function @{text f} is a theorem named @{text f_def}
+and can be added to a call of @{text simp} just like any other theorem:
+\begin{quote}
+\isacom{apply}@{text"(simp add: f_def)"}
+\end{quote}
+In particular, let-expressions can be unfolded by
+making @{thm[source] Let_def} a simplification rule.
+
+\subsection{Case splitting with @{text simp}}
+
+Goals containing if-expressions are automatically split into two cases by
+@{text simp} using the rule
+\begin{quote}
+@{prop"P(if A then s else t) = ((A \<longrightarrow> P(s)) \<and> (~A \<longrightarrow> P(t)))"}
+\end{quote}
+For example, @{text simp} can prove
+\begin{quote}
+@{prop"(A \<and> B) = (if A then B else False)"}
+\end{quote}
+because both @{prop"A \<longrightarrow> (A & B) = B"} and @{prop"~A \<longrightarrow> (A & B) = False"}
+simplify to @{const True}.
+
+We can split case-expressions similarly. For @{text nat} the rule looks like this:
+@{prop[display,margin=65,indent=4]"P(case e of 0 \<Rightarrow> a | Suc n \<Rightarrow> b n) = ((e = 0 \<longrightarrow> P a) & (ALL n. e = Suc n \<longrightarrow> P(b n)))"}
+Case expressions are not split automatically by @{text simp}, but @{text simp}
+can be instructed to do so:
+\begin{quote}
+\isacom{apply}@{text"(simp split: nat.split)"}
+\end{quote}
+splits all case-expressions over natural numbers. For an arbitrary
+datatype @{text t} it is @{text "t.split"} instead of @{thm[source] nat.split}.
+Method @{text auto} can be modified in exactly the same way.
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/bang.eps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,94 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%BoundingBox: 0 0 24 40
+%%HiResBoundingBox: 0.000000 0.000000 23.040001 39.420002
+%.............................................
+%%Creator: GPL Ghostscript 871 (epswrite)
+%%CreationDate: 2012/04/02 04:50:05
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 2
+%%EndComments
+%%BeginProlog
+% This copyright applies to everything between here and the %%EndProlog:
+% Copyright (C) 2010 Artifex Software, Inc. All rights reserved.
+%%BeginResource: procset GS_epswrite_2_0_1001 1.001 0
+/GS_epswrite_2_0_1001 80 dict dup begin
+/PageSize 2 array def/setpagesize{ PageSize aload pop 3 index eq exch
+4 index eq and{ pop pop pop}{ PageSize dup 1
+5 -1 roll put 0 4 -1 roll put dup null eq {false} {dup where} ifelse{ exch get exec}
+{ pop/setpagedevice where
+{ pop 1 dict dup /PageSize PageSize put setpagedevice}
+{ /setpage where{ pop PageSize aload pop pageparams 3 {exch pop} repeat
+setpage}if}ifelse}ifelse}ifelse} bind def
+/!{bind def}bind def/#{load def}!/N/counttomark #
+/rG{3{3 -1 roll 255 div}repeat setrgbcolor}!/G{255 div setgray}!/K{0 G}!
+/r6{dup 3 -1 roll rG}!/r5{dup 3 1 roll rG}!/r3{dup rG}!
+/w/setlinewidth #/J/setlinecap #
+/j/setlinejoin #/M/setmiterlimit #/d/setdash #/i/setflat #
+/m/moveto #/l/lineto #/c/rcurveto #
+/p{N 2 idiv{N -2 roll rlineto}repeat}!
+/P{N 0 gt{N -2 roll moveto p}if}!
+/h{p closepath}!/H{P closepath}!
+/lx{0 rlineto}!/ly{0 exch rlineto}!/v{0 0 6 2 roll c}!/y{2 copy c}!
+/re{4 -2 roll m exch dup lx exch ly neg lx h}!
+/^{3 index neg 3 index neg}!
+/f{P fill}!/f*{P eofill}!/s{H stroke}!/S{P stroke}!
+/q/gsave #/Q/grestore #/rf{re fill}!
+/Y{P clip newpath}!/Y*{P eoclip newpath}!/rY{re Y}!
+/|={pop exch 4 1 roll 1 array astore cvx 3 array astore cvx exch 1 index def exec}!
+/|{exch string readstring |=}!
+/+{dup type/nametype eq{2 index 7 add -3 bitshift 2 index mul}if}!
+/@/currentfile #/${+ @ |}!
+/B{{2 copy string{readstring pop}aload pop 4 array astore cvx
+3 1 roll}repeat pop pop true}!
+/Ix{[1 0 0 1 11 -2 roll exch neg exch neg]exch}!
+/,{true exch Ix imagemask}!/If{false exch Ix imagemask}!/I{exch Ix image}!
+/Ic{exch Ix false 3 colorimage}!
+/F{/Columns counttomark 3 add -2 roll/Rows exch/K -1/BlackIs1 true>>
+/CCITTFaxDecode filter}!/FX{<</EndOfBlock false F}!
+/X{/ASCII85Decode filter}!/@X{@ X}!/&2{2 index 2 index}!
+/@F{@ &2<<F}!/@C{@X &2 FX}!
+/$X{+ @X |}!/&4{4 index 4 index}!/$F{+ @ &4<<F |}!/$C{+ @X &4 FX |}!
+/IC{3 1 roll 10 dict begin 1{/ImageType/Interpolate/Decode/DataSource
+/ImageMatrix/BitsPerComponent/Height/Width}{exch def}forall
+currentdict end image}!
+/~{@ read {pop} if}!
+end def
+%%EndResource
+/pagesave null def
+%%EndProlog
+%%Page: 1 1
+%%BeginPageSetup
+GS_epswrite_2_0_1001 begin
+/pagesave save store 197 dict begin
+0.18 0.18 scale
+%%EndPageSetup
+gsave mark
+Q q
+0 0 128 0 0 219 ^ Y
+197 209 208 rG
+0 0 127.777 219.445 re
+f
+Q q
+0 0 128 0 0 219 ^ Y
+K
+46.21 53.45 m
+0 4.82 1.73 8.96 5.18 12.45 c
+3.45 3.48 7.62 5.23 12.5 5.23 c
+4.88 0 9.05 -1.74 12.5 -5.23 c
+3.45 -3.48 5.17 -7.63 5.17 -12.45 c
+0 -4.88 -1.74 -9.05 -5.22 -12.5 c
+-3.48 -3.45 -7.63 -5.18 -12.45 -5.18 c
+-4.82 0 -8.97 1.73 -12.45 5.18 c
+-3.48 3.45 -5.22 7.62 -5.22 12.5 c
+f
+54.73 86.27 -15.52 70.88 P
+-0.99 4.8 -1.49 8.32 -1.49 10.55 c
+0 10.65 8.64 15.97 25.92 15.97 c
+17.61 0 26.42 -4.77 26.42 -14.3 c
+0 -3 -0.5 -6.82 -1.48 -11.48 c
+-15.52 -71.62 p f
+cleartomark end end pagesave restore
+ showpage
+%%PageTrailer
+%%Trailer
+%%Pages: 1
Binary file src/Doc/ProgProve/document/bang.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
+"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
+
+cp "$ISABELLE_HOME/src/Doc/ProgProve/MyList.thy" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/intro-isabelle.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,47 @@
+Isabelle is a generic system for
+implementing logical formalisms, and Isabelle/HOL is the specialization
+of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
+HOL step by step following the equation
+\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
+We assume that the reader is familiar with the basic concepts of functional
+programming and is used to logical and set theoretic notation.
+
+\autoref{sec:FP} introduces HOL as a functional programming language and
+explains how to write simple inductive proofs of mostly equational properties
+of recursive functions.
+\sem
+\autoref{sec:CaseStudyExp} contains a
+little case study: arithmetic and boolean expressions, their evaluation,
+optimization and compilation.
+\endsem
+\autoref{ch:Logic} introduces the rest of HOL: the
+language of formulas beyond equality, automatic proof tools, single
+step proofs, and inductive definitions, an essential specification construct.
+\autoref{ch:Isar} introduces Isar, Isabelle's language for writing structured
+proofs.
+
+%Further material (slides, demos etc) can be found online at
+%\url{http://www.in.tum.de/~nipkow}.
+
+% Relics:
+% We aim to minimise the amount of background knowledge of logic we expect
+% from the reader
+% We have focussed on the core material
+% in the intersection of computation and logic.
+
+This introduction to the core of Isabelle is intentionally concrete and
+example-based: we concentrate on examples that illustrate the typical cases;
+we do not explain the general case if it can be inferred from the examples.
+For a comprehensive treatment of all things Isabelle we recommend the
+\emph{Isabelle/Isar Reference Manual}~\cite{IsarRef}, which comes with the
+Isabelle distribution.
+The tutorial by Nipkow, Paulson and Wenzel~\cite{LNCS2283} (in its updated version that comes with the Isabelle distribution) is still recommended for the wealth of examples and material, but its proof style is outdated. In particular it fails to cover the structured proof language Isar.
+
+This introduction has grown out of many years of teaching Isabelle courses.
+It tries to cover the essentials (from a functional programming point of
+view) as quickly and compactly as possible. There is also an accompanying
+set of \LaTeX-based slides available from the author on request.
+
+\paragraph{Acknowledgements}
+I wish to thank the following people for their comments on this text:
+Florian Haftmann, Ren\'{e} Thiemann and Christian Sternagel.
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/mathpartir.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,388 @@
+% Mathpartir --- Math Paragraph for Typesetting Inference Rules
+%
+% Copyright (C) 2001, 2002, 2003 Didier Rémy
+%
+% Author : Didier Remy
+% Version : 1.1.1
+% Bug Reports : to author
+% Web Site : http://pauillac.inria.fr/~remy/latex/
+%
+% WhizzyTeX is free software; you can redistribute it and/or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation; either version 2, or (at your option)
+% any later version.
+%
+% Mathpartir is distributed in the hope that it will be useful,
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details
+% (http://pauillac.inria.fr/~remy/license/GPL).
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% File mathpartir.sty (LaTeX macros)
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{mathpartir}
+ [2003/07/10 version 1.1.1 Math Paragraph for Typesetting Inference Rules]
+
+%%
+
+%% Identification
+%% Preliminary declarations
+
+\RequirePackage {keyval}
+
+%% Options
+%% More declarations
+
+%% PART I: Typesetting maths in paragraphe mode
+
+\newdimen \mpr@tmpdim
+
+% To ensure hevea \hva compatibility, \hva should expands to nothing
+% in mathpar or in inferrule
+\let \mpr@hva \empty
+
+%% normal paragraph parametters, should rather be taken dynamically
+\def \mpr@savepar {%
+ \edef \MathparNormalpar
+ {\noexpand \lineskiplimit \the\lineskiplimit
+ \noexpand \lineskip \the\lineskip}%
+ }
+
+\def \mpr@rulelineskip {\lineskiplimit=0.3em\lineskip=0.2em plus 0.1em}
+\def \mpr@lesslineskip {\lineskiplimit=0.6em\lineskip=0.5em plus 0.2em}
+\def \mpr@lineskip {\lineskiplimit=1.2em\lineskip=1.2em plus 0.2em}
+\let \MathparLineskip \mpr@lineskip
+\def \mpr@paroptions {\MathparLineskip}
+\let \mpr@prebindings \relax
+
+\newskip \mpr@andskip \mpr@andskip 2em plus 0.5fil minus 0.5em
+
+\def \mpr@goodbreakand
+ {\hskip -\mpr@andskip \penalty -1000\hskip \mpr@andskip}
+\def \mpr@and {\hskip \mpr@andskip}
+\def \mpr@andcr {\penalty 50\mpr@and}
+\def \mpr@cr {\penalty -10000\mpr@and}
+\def \mpr@eqno #1{\mpr@andcr #1\hskip 0em plus -1fil \penalty 10}
+
+\def \mpr@bindings {%
+ \let \and \mpr@andcr
+ \let \par \mpr@andcr
+ \let \\\mpr@cr
+ \let \eqno \mpr@eqno
+ \let \hva \mpr@hva
+ }
+\let \MathparBindings \mpr@bindings
+
+% \@ifundefined {ignorespacesafterend}
+% {\def \ignorespacesafterend {\aftergroup \ignorespaces}
+
+\newenvironment{mathpar}[1][]
+ {$$\mpr@savepar \parskip 0em \hsize \linewidth \centering
+ \vbox \bgroup \mpr@prebindings \mpr@paroptions #1\ifmmode $\else
+ \noindent $\displaystyle\fi
+ \MathparBindings}
+ {\unskip \ifmmode $\fi\egroup $$\ignorespacesafterend}
+
+% \def \math@mathpar #1{\setbox0 \hbox {$\displaystyle #1$}\ifnum
+% \wd0 < \hsize $$\box0$$\else \bmathpar #1\emathpar \fi}
+
+%%% HOV BOXES
+
+\def \mathvbox@ #1{\hbox \bgroup \mpr@normallineskip
+ \vbox \bgroup \tabskip 0em \let \\ \cr
+ \halign \bgroup \hfil $##$\hfil\cr #1\crcr \egroup \egroup
+ \egroup}
+
+\def \mathhvbox@ #1{\setbox0 \hbox {\let \\\qquad $#1$}\ifnum \wd0 < \hsize
+ \box0\else \mathvbox {#1}\fi}
+
+
+%% Part II -- operations on lists
+
+\newtoks \mpr@lista
+\newtoks \mpr@listb
+
+\long \def\mpr@cons #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@lista \the \mpr@listb}}
+
+\long \def\mpr@snoc #1\mpr@to#2{\mpr@lista {\\{#1}}\mpr@listb \expandafter
+{#2}\edef #2{\the \mpr@listb\the\mpr@lista}}
+
+\long \def \mpr@concat#1=#2\mpr@to#3{\mpr@lista \expandafter {#2}\mpr@listb
+\expandafter {#3}\edef #1{\the \mpr@listb\the\mpr@lista}}
+
+\def \mpr@head #1\mpr@to #2{\expandafter \mpr@head@ #1\mpr@head@ #1#2}
+\long \def \mpr@head@ #1#2\mpr@head@ #3#4{\def #4{#1}\def#3{#2}}
+
+\def \mpr@flatten #1\mpr@to #2{\expandafter \mpr@flatten@ #1\mpr@flatten@ #1#2}
+\long \def \mpr@flatten@ \\#1\\#2\mpr@flatten@ #3#4{\def #4{#1}\def #3{\\#2}}
+
+\def \mpr@makelist #1\mpr@to #2{\def \mpr@all {#1}%
+ \mpr@lista {\\}\mpr@listb \expandafter {\mpr@all}\edef \mpr@all {\the
+ \mpr@lista \the \mpr@listb \the \mpr@lista}\let #2\empty
+ \def \mpr@stripof ##1##2\mpr@stripend{\def \mpr@stripped{##2}}\loop
+ \mpr@flatten \mpr@all \mpr@to \mpr@one
+ \expandafter \mpr@snoc \mpr@one \mpr@to #2\expandafter \mpr@stripof
+ \mpr@all \mpr@stripend
+ \ifx \mpr@stripped \empty \let \mpr@isempty 0\else \let \mpr@isempty 1\fi
+ \ifx 1\mpr@isempty
+ \repeat
+}
+
+%% Part III -- Type inference rules
+
+\def \mpr@rev #1\mpr@to #2{\let \mpr@tmp \empty
+ \def \\##1{\mpr@cons ##1\mpr@to \mpr@tmp}#1\let #2\mpr@tmp}
+
+\newif \if@premisse
+\newbox \mpr@hlist
+\newbox \mpr@vlist
+\newif \ifmpr@center \mpr@centertrue
+\def \mpr@htovlist {%
+ \setbox \mpr@hlist
+ \hbox {\strut
+ \ifmpr@center \hskip -0.5\wd\mpr@hlist\fi
+ \unhbox \mpr@hlist}%
+ \setbox \mpr@vlist
+ \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+ \else \unvbox \mpr@vlist \box \mpr@hlist
+ \fi}%
+}
+% OLD version
+% \def \mpr@htovlist {%
+% \setbox \mpr@hlist
+% \hbox {\strut \hskip -0.5\wd\mpr@hlist \unhbox \mpr@hlist}%
+% \setbox \mpr@vlist
+% \vbox {\if@premisse \box \mpr@hlist \unvbox \mpr@vlist
+% \else \unvbox \mpr@vlist \box \mpr@hlist
+% \fi}%
+% }
+
+\def \mpr@sep{1.5em}
+\def \mpr@blank { }
+\def \mpr@hovbox #1#2{\hbox
+ \bgroup
+ \ifx #1T\@premissetrue
+ \else \ifx #1B\@premissefalse
+ \else
+ \PackageError{mathpartir}
+ {Premisse orientation should either be P or B}
+ {Fatal error in Package}%
+ \fi \fi
+ \def \@test {#2}\ifx \@test \mpr@blank\else
+ \setbox \mpr@hlist \hbox {}%
+ \setbox \mpr@vlist \vbox {}%
+ \if@premisse \let \snoc \mpr@cons \else \let \snoc \mpr@snoc \fi
+ \let \@hvlist \empty \let \@rev \empty
+ \mpr@tmpdim 0em
+ \expandafter \mpr@makelist #2\mpr@to \mpr@flat
+ \if@premisse \mpr@rev \mpr@flat \mpr@to \@rev \else \let \@rev \mpr@flat \fi
+ \def \\##1{%
+ \def \@test {##1}\ifx \@test \empty
+ \mpr@htovlist
+ \mpr@tmpdim 0em %%% last bug fix not extensively checked
+ \else
+ \setbox0 \hbox{$\displaystyle {##1}$}\relax
+ \advance \mpr@tmpdim by \wd0
+ %\mpr@tmpdim 1.02\mpr@tmpdim
+ \ifnum \mpr@tmpdim < \hsize
+ \ifnum \wd\mpr@hlist > 0
+ \if@premisse
+ \setbox \mpr@hlist
+ \hbox {\unhbox0 \hskip \mpr@sep \unhbox \mpr@hlist}%
+ \else
+ \setbox \mpr@hlist
+ \hbox {\unhbox \mpr@hlist \hskip \mpr@sep \unhbox0}%
+ \fi
+ \else
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \else
+ \ifnum \wd \mpr@hlist > 0
+ \mpr@htovlist
+ \mpr@tmpdim \wd0
+ \fi
+ \setbox \mpr@hlist \hbox {\unhbox0}%
+ \fi
+ \advance \mpr@tmpdim by \mpr@sep
+ \fi
+ }%
+ \@rev
+ \mpr@htovlist
+ \ifmpr@center \hskip \wd\mpr@vlist\fi \box \mpr@vlist
+ \fi
+ \egroup
+}
+
+%%% INFERENCE RULES
+
+\@ifundefined{@@over}{%
+ \let\@@over\over % fallback if amsmath is not loaded
+ \let\@@overwithdelims\overwithdelims
+ \let\@@atop\atop \let\@@atopwithdelims\atopwithdelims
+ \let\@@above\above \let\@@abovewithdelims\abovewithdelims
+ }{}
+
+
+\def \mpr@@fraction #1#2{\hbox {\advance \hsize by -0.5em
+ $\displaystyle {#1\@@over #2}$}}
+\let \mpr@fraction \mpr@@fraction
+\def \mpr@@reduce #1#2{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#1}{#2}\mkern -15mu\rightarrow$}}
+\def \mpr@@rewrite #1#2#3{\hbox
+ {$\lower 0.01pt \mpr@@fraction {#2}{#3}\mkern -8mu#1$}}
+\def \mpr@infercenter #1{\vcenter {\mpr@hovbox{T}{#1}}}
+
+\def \mpr@empty {}
+\def \mpr@inferrule
+ {\bgroup
+ \ifnum \linewidth<\hsize \hsize \linewidth\fi
+ \mpr@rulelineskip
+ \let \and \qquad
+ \let \hva \mpr@hva
+ \let \@rulename \mpr@empty
+ \let \@rule@options \mpr@empty
+ \mpr@inferrule@}
+\newcommand {\mpr@inferrule@}[3][]
+ {\everymath={\displaystyle}%
+ \def \@test {#2}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{B}{#3}}$}%
+ \else
+ \def \@test {#3}\ifx \empty \@test
+ \setbox0 \hbox {$\vcenter {\mpr@hovbox{T}{#2}}$}%
+ \else
+ \setbox0 \mpr@fraction {\mpr@hovbox{T}{#2}}{\mpr@hovbox{B}{#3}}%
+ \fi \fi
+ \def \@test {#1}\ifx \@test\empty \box0
+ \else \vbox
+%%% Suggestion de Francois pour les etiquettes longues
+%%% {\hbox to \wd0 {\RefTirName {#1}\hfil}\box0}\fi
+ {\hbox {\RefTirName {#1}}\box0}\fi
+ \egroup}
+
+\def \mpr@vdotfil #1{\vbox to #1{\leaders \hbox{$\cdot$} \vfil}}
+
+% They are two forms
+% \inferrule [label]{[premisses}{conclusions}
+% or
+% \inferrule* [options]{[premisses}{conclusions}
+%
+% Premisses and conclusions are lists of elements separated by \\
+% Each \\ produces a break, attempting horizontal breaks if possible,
+% and vertical breaks if needed.
+%
+% An empty element obtained by \\\\ produces a vertical break in all cases.
+%
+% The former rule is aligned on the fraction bar.
+% The optional label appears on top of the rule
+% The second form to be used in a derivation tree is aligned on the last
+% line of its conclusion
+%
+% The second form can be parameterized, using the key=val interface. The
+% folloiwng keys are recognized:
+%
+% width set the width of the rule to val
+% narrower set the width of the rule to val\hsize
+% before execute val at the beginning/left
+% lab put a label [Val] on top of the rule
+% lskip add negative skip on the right
+% left put a left label [Val]
+% Left put a left label [Val], ignoring its width
+% right put a right label [Val]
+% Right put a right label [Val], ignoring its width
+% leftskip skip negative space on the left-hand side
+% rightskip skip negative space on the right-hand side
+% vdots lift the rule by val and fill vertical space with dots
+% after execute val at the end/right
+%
+% Note that most options must come in this order to avoid strange
+% typesetting (in particular leftskip must preceed left and Left and
+% rightskip must follow Right or right; vdots must come last
+% or be only followed by rightskip.
+%
+
+\define@key {mprset}{flushleft}[]{\mpr@centerfalse}
+\define@key {mprset}{center}[]{\mpr@centertrue}
+\def \mprset #1{\setkeys{mprset}{#1}}
+
+\newbox \mpr@right
+\define@key {mpr}{flushleft}[]{\mpr@centerfalse}
+\define@key {mpr}{center}[]{\mpr@centertrue}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{width}{\hsize #1}
+\define@key {mpr}{sep}{\def\mpr@sep{#1}}
+\define@key {mpr}{before}{#1}
+\define@key {mpr}{lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{Lab}{\let \RefTirName \TirName \def \mpr@rulename {#1}}
+\define@key {mpr}{narrower}{\hsize #1\hsize}
+\define@key {mpr}{leftskip}{\hskip -#1}
+\define@key {mpr}{reduce}[]{\let \mpr@fraction \mpr@@reduce}
+\define@key {mpr}{rightskip}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \hskip -#1}}
+\define@key {mpr}{LEFT}{\setbox0 \hbox {$#1$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{left}{\setbox0 \hbox {$\TirName {#1}\;$}\relax
+ \advance \hsize by -\wd0\box0}
+\define@key {mpr}{Left}{\llap{$\TirName {#1}\;$}}
+\define@key {mpr}{right}
+ {\setbox0 \hbox {$\;\TirName {#1}$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{RIGHT}
+ {\setbox0 \hbox {$#1$}\relax \advance \hsize by -\wd0
+ \setbox \mpr@right \hbox {\unhbox \mpr@right \unhbox0}}
+\define@key {mpr}{Right}
+ {\setbox \mpr@right \hbox {\unhbox \mpr@right \rlap {$\;\TirName {#1}$}}}
+\define@key {mpr}{vdots}{\def \mpr@vdots {\@@atop \mpr@vdotfil{#1}}}
+\define@key {mpr}{after}{\edef \mpr@after {\mpr@after #1}}
+
+\newdimen \rule@dimen
+\newcommand \mpr@inferstar@ [3][]{\setbox0
+ \hbox {\let \mpr@rulename \mpr@empty \let \mpr@vdots \relax
+ \setbox \mpr@right \hbox{}%
+ $\setkeys{mpr}{#1}%
+ \ifx \mpr@rulename \mpr@empty \mpr@inferrule {#2}{#3}\else
+ \mpr@inferrule [{\mpr@rulename}]{#2}{#3}\fi
+ \box \mpr@right \mpr@vdots$}
+ \setbox1 \hbox {\strut}
+ \rule@dimen \dp0 \advance \rule@dimen by -\dp1
+ \raise \rule@dimen \box0}
+
+\def \mpr@infer {\@ifnextchar *{\mpr@inferstar}{\mpr@inferrule}}
+\newcommand \mpr@err@skipargs[3][]{}
+\def \mpr@inferstar*{\ifmmode
+ \let \@do \mpr@inferstar@
+ \else
+ \let \@do \mpr@err@skipargs
+ \PackageError {mathpartir}
+ {\string\inferrule* can only be used in math mode}{}%
+ \fi \@do}
+
+
+%%% Exports
+
+% Envirnonment mathpar
+
+\let \inferrule \mpr@infer
+
+% make a short name \infer is not already defined
+\@ifundefined {infer}{\let \infer \mpr@infer}{}
+
+\def \tir@name #1{\hbox {\small \sc #1}}
+\let \TirName \tir@name
+\let \RefTirName \tir@name
+
+%%% Other Exports
+
+% \let \listcons \mpr@cons
+% \let \listsnoc \mpr@snoc
+% \let \listhead \mpr@head
+% \let \listmake \mpr@makelist
+
+
+
+
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/prelude.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,98 @@
+\usepackage{makeidx} % allows index generation
+\usepackage{graphicx} % standard LaTeX graphics tool
+ % when including figure files
+\usepackage{multicol} % used for the two-column index
+\usepackage[bottom]{footmisc}% places footnotes at page bottom
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+\usepackage{ccfonts}
+\usepackage[euler-digits]{eulervm}
+
+\let\bfdefaultold=\bfdefault
+\def\bfdefault{sbc} % make sans serif the default bold font
+
+\usepackage{isabelle,isabellesym}
+\usepackage{mathpartir}
+\usepackage{amssymb}
+
+% Enables fixmes
+\newif \ifDraft \Drafttrue
+
+\ifDraft
+ \newcommand{\FIXME}[1]{\textbf{\textsl{FIXME: #1}}}
+\else
+ \newcommand{\FIXME}[1]{\relax}
+\fi
+
+\renewcommand*\descriptionlabel[1]{\hspace\labelsep \textbf{#1}\hfil}
+
+% this should be the last package used
+\usepackage{color}
+\definecolor{linkcolor}{rgb}{0,0,0.4}
+\usepackage[colorlinks=true,linkcolor=linkcolor,citecolor=linkcolor,
+ filecolor=linkcolor,pagecolor=linkcolor,
+ urlcolor=linkcolor]{hyperref}
+
+% urls in roman style, theory text in math-similar italics
+\urlstyle{tt}
+\isabellestyle{it}
+
+\renewcommand{\isadigit}[1]{\ensuremath{#1}}
+
+% font size
+\renewcommand{\isastyle}{\isastyleminor}
+
+% indexing
+\usepackage{ifthen}
+\newcommand{\indexdef}[3]%
+{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}}
+
+% section commands
+\renewcommand{\chapterautorefname}{Chapter}
+\renewcommand{\sectionautorefname}{Section}
+
+\renewcommand{\isamarkupheader}[1]{{\rmfamily\subsection{#1}}}
+\renewcommand{\isamarkupsection}[1]{{\rmfamily\subsection{#1}}}
+\renewcommand{\isamarkupsubsection}[1]{{\rmfamily\subsubsection{#1}}}
+% isabelle in-text command font
+\newcommand{\isacom}[1]{\isa{\isacommand{#1}}}
+% isabelle keyword, adapted from isabelle.sty
+\renewcommand{\isakeyword}[1]
+{\emph{\def\isachardot{.}%
+\def\isacharbraceleft{\{}\def\isacharbraceright{\}}\textbf{#1}}}
+\renewcommand{\isacharunderscore}{\_}
+\renewcommand{\isacharunderscorekeyword}{\_}
+
+% add \noindent to text blocks automatically
+\renewenvironment{isamarkuptext}{\par\isastyletext\begin{isapar}\noindent}{\end{isapar}}
+\renewenvironment{isamarkuptxt}{\par\isastyletext\begin{isapar}\noindent}{\end{isapar}}
+
+\newcommand{\noquotes}[1]{{\renewcommand{\isachardoublequote}{}#1}}
+\newcommand{\concept}[1]{\textbf{#1}}
+\newcommand{\xsymbol}[1]{\texttt{\char`\\\char`<#1>}}
+
+\newcommand{\isabox}{\fbox}
+\newcommand{\bigisabox}[1]
+{\isabox{\renewcommand{\isanewline}{\\}%
+ \begin{tabular}{l}#1\end{tabular}}}
+
+%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
+%\def\warnbang{\vtop to 0pt{\vss\hbox{\let\bfdefault=\bfdefaultold\Huge\textbf{!$\!$!}}\vss}}
+
+\def\warnbang{\vtop to 0pt{\vss\hbox{\includegraphics[width=3ex, height=5.5ex]{bang}}\vss}}
+
+\newenvironment{warn}{\begin{trivlist}\small\item[]\noindent%
+ \begingroup\hangindent=\parindent\hangafter=-2%\clubpenalty=10000%
+ \def\par{\endgraf\endgroup}%
+ \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}
+ {\par\end{trivlist}}
+
+\chardef\isachardoublequote=`\"%
+\chardef\isachardoublequoteopen=`\"%
+\chardef\isachardoublequoteclose=`\"%
+
+\renewcommand{\isacharbackquoteopen}{\isacharbackquote}
+\renewcommand{\isacharbackquoteclose}{\isacharbackquote}
+
+\hyphenation{Isa-belle}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/root.bib Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,19 @@
+@string{CUP="Cambridge University Press"}
+@string{LNCS="Lect.\ Notes in Comp.\ Sci."}
+@string{Springer="Springer-Verlag"}
+
+@book{HuthRyan,author="Michael Huth and Mark Ryan",
+title={Logic in Computer Science},publisher=CUP,year=2004}
+
+@manual{Krauss,author={Alexander Krauss},
+title={Defining Recursive Functions in Isabelle/HOL},
+note={\url{http://isabelle.in.tum.de/doc/functions.pdf}}}
+
+@book{LNCS2283,author={Tobias Nipkow and Lawrence Paulson and Markus Wenzel},
+title="Isabelle/HOL --- A Proof Assistant for Higher-Order Logic",
+publisher=Springer,series=LNCS,volume=2283,year=2002}
+
+@manual{IsarRef,author={Makarius Wenzel},
+title={The Isabelle/Isar Reference Manual},
+note={\url{http://isabelle.in.tum.de/doc/isar-ref.pdf}}}
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,52 @@
+\documentclass[envcountsame,envcountchap]{svmono}
+
+\input{prelude}
+
+\excludecomment{sem}
+
+\begin{document}
+
+\title{Programming and Proving in Isabelle/HOL}
+\subtitle{\includegraphics[scale=.7]{isabelle_hol}}
+\author{Tobias Nipkow}
+\maketitle
+
+\frontmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\setcounter{tocdepth}{1}
+\tableofcontents
+
+
+\mainmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%\part{Isabelle}
+
+\chapter{Introduction}
+\input{intro-isabelle.tex}
+
+\chapter{Programming and Proving}
+\label{sec:FP}
+\input{Basics.tex}
+\input{Bool_nat_list}
+\input{Types_and_funs}
+
+%\chapter{Case Study: IMP Expressions}
+%\label{sec:CaseStudyExp}
+%\input{../generated/Expressions}
+
+\chapter{Logic}
+\label{ch:Logic}
+\input{Logic}
+
+\chapter{Isar: A Language for Structured Proofs}
+\label{ch:Isar}
+\input{Isar}
+
+\backmatter%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\bibliographystyle{plain}
+\bibliography{root}
+
+%\printindex
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ProgProve/document/svmono.cls Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1691 @@
+% SVMONO DOCUMENT CLASS -- version 4.17 (31-Oct-06)
+% Springer Verlag global LaTeX2e support for monographs
+%%
+%%
+%% \CharacterTable
+%% {Upper-case \A\B\C\D\E\F\G\H\I\J\K\L\M\N\O\P\Q\R\S\T\U\V\W\X\Y\Z
+%% Lower-case \a\b\c\d\e\f\g\h\i\j\k\l\m\n\o\p\q\r\s\t\u\v\w\x\y\z
+%% Digits \0\1\2\3\4\5\6\7\8\9
+%% Exclamation \! Double quote \" Hash (number) \#
+%% Dollar \$ Percent \% Ampersand \&
+%% Acute accent \' Left paren \( Right paren \)
+%% Asterisk \* Plus \+ Comma \,
+%% Minus \- Point \. Solidus \/
+%% Colon \: Semicolon \; Less than \<
+%% Equals \= Greater than \> Question mark \?
+%% Commercial at \@ Left bracket \[ Backslash \\
+%% Right bracket \] Circumflex \^ Underscore \_
+%% Grave accent \` Left brace \{ Vertical bar \|
+%% Right brace \} Tilde \~}
+%%
+\NeedsTeXFormat{LaTeX2e}[1995/12/01]
+\ProvidesClass{svmono}[2006/10/31 v4.17
+^^JSpringer Verlag global LaTeX document class for monographs]
+
+% Options
+% citations
+\DeclareOption{natbib}{\ExecuteOptions{oribibl}%
+\AtEndOfClass{% Loading package 'NATBIB'
+\RequirePackage{natbib}
+% Changing some parameters of NATBIB
+\setlength{\bibhang}{\parindent}
+%\setlength{\bibsep}{0mm}
+\let\bibfont=\small
+\def\@biblabel#1{#1.}
+\newcommand{\etal}{\textit{et al}.}
+%\bibpunct[,]{(}{)}{;}{a}{}{,}}}
+}}
+% Springer environment
+\let\if@spthms\iftrue
+\DeclareOption{nospthms}{\let\if@spthms\iffalse}
+%
+\let\envankh\@empty % no anchor for "theorems"
+%
+\let\if@envcntreset\iffalse % environment counter is not reset
+\let\if@envcntresetsect=\iffalse % reset each section?
+\DeclareOption{envcountresetchap}{\let\if@envcntreset\iftrue}
+\DeclareOption{envcountresetsect}{\let\if@envcntreset\iftrue
+\let\if@envcntresetsect=\iftrue}
+%
+\let\if@envcntsame\iffalse % NOT all environments work like "Theorem",
+ % each using its own counter
+\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
+%
+\let\if@envcntshowhiercnt=\iffalse % do not show hierarchy counter at all
+%
+% enhance theorem counter
+\DeclareOption{envcountchap}{\def\envankh{chapter}% show \thechapter along with theorem number
+\let\if@envcntshowhiercnt=\iftrue
+\ExecuteOptions{envcountreset}}
+%
+\DeclareOption{envcountsect}{\def\envankh{section}% show \thesection along with theorem number
+\let\if@envcntshowhiercnt=\iftrue
+\ExecuteOptions{envcountreset}}
+%
+% languages
+\let\switcht@@therlang\relax
+\let\svlanginfo\relax
+\def\ds@deutsch{\def\switcht@@therlang{\switcht@deutsch}%
+\gdef\svlanginfo{\typeout{Man spricht deutsch.}\global\let\svlanginfo\relax}}
+\def\ds@francais{\def\switcht@@therlang{\switcht@francais}%
+\gdef\svlanginfo{\typeout{On parle francais.}\global\let\svlanginfo\relax}}
+%
+\AtBeginDocument{\@ifpackageloaded{babel}{%
+\@ifundefined{extrasamerican}{}{\addto\extrasamerican{\switcht@albion}}%
+\@ifundefined{extrasaustralian}{}{\addto\extrasaustralian{\switcht@albion}}%
+\@ifundefined{extrasbritish}{}{\addto\extrasbritish{\switcht@albion}}%
+\@ifundefined{extrascanadian}{}{\addto\extrascanadian{\switcht@albion}}%
+\@ifundefined{extrasenglish}{}{\addto\extrasenglish{\switcht@albion}}%
+\@ifundefined{extrasnewzealand}{}{\addto\extrasnewzealand{\switcht@albion}}%
+\@ifundefined{extrasUKenglish}{}{\addto\extrasUKenglish{\switcht@albion}}%
+\@ifundefined{extrasUSenglish}{}{\addto\extrasUSenglish{\switcht@albion}}%
+\@ifundefined{captionsfrench}{}{\addto\captionsfrench{\switcht@francais}}%
+\@ifundefined{extrasgerman}{}{\addto\extrasgerman{\switcht@deutsch}}%
+\@ifundefined{extrasngerman}{}{\addto\extrasngerman{\switcht@deutsch}}%
+}{\switcht@@therlang}%
+}
+% numbering style of floats, equations
+\newif\if@numart \@numartfalse
+\DeclareOption{numart}{\@numarttrue}
+\def\set@numbering{\if@numart\else\num@book\fi}
+\AtEndOfClass{\set@numbering}
+% style for vectors
+\DeclareOption{vecphys}{\def\vec@style{phys}}
+\DeclareOption{vecarrow}{\def\vec@style{arrow}}
+% running heads
+\let\if@runhead\iftrue
+\DeclareOption{norunningheads}{\let\if@runhead\iffalse}
+% referee option
+\let\if@referee\iffalse
+\def\makereferee{\def\baselinestretch{2}\selectfont
+\newbox\refereebox
+\setbox\refereebox=\vbox to\z@{\vskip0.5cm%
+ \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
+ \hbox{\kern5\p@ referee's copy\kern5\p@}\hrulefill}\vss}%
+\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
+\DeclareOption{referee}{\let\if@referee\iftrue
+\AtBeginDocument{\makereferee\small\normalsize}}
+% modification of thebibliography
+\let\if@openbib\iffalse
+\DeclareOption{openbib}{\let\if@openbib\iftrue}
+% LaTeX standard, sectionwise references
+\DeclareOption{oribibl}{\let\oribibl=Y}
+\DeclareOption{sectrefs}{\let\secbibl=Y}
+%
+% footinfo option (provides an informatory line on every page)
+\def\SpringerMacroPackageNameA{svmono.cls}
+% \thetime, \thedate and \timstamp are macros to include
+% time, date (or both) of the TeX run in the document
+\def\maketimestamp{\count255=\time
+\divide\count255 by 60\relax
+\edef\thetime{\the\count255:}%
+\multiply\count255 by-60\relax
+\advance\count255 by\time
+\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
+\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
+ Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
+ Nov\or Dec\fi-\number\year}
+\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
+\maketimestamp
+%
+% \footinfo generates a info footline on every page containing
+% pagenumber, jobname, macroname, and timestamp
+\DeclareOption{footinfo}{\AtBeginDocument{\maketimestamp
+ \def\ps@empty{\let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty\let\@evenhead\@empty}%
+ \def\@oddfoot{\scriptsize\tt Page:\,\thepage\space\hfil
+ job:\,\jobname\space\hfil
+ macro:\,\SpringerMacroPackageNameA\space\hfil
+ date/time:\,\thedate/\thetime}%
+ \let\@evenfoot=\@oddfoot}}
+%
+% start new chapter on any page
+\newif\if@openright \@openrighttrue
+\DeclareOption{openany}{\@openrightfalse}
+%
+% no size changing allowed
+\DeclareOption{11pt}{\OptionNotUsed}
+\DeclareOption{12pt}{\OptionNotUsed}
+% options for the article class
+\def\@rticle@options{10pt,twoside}
+% fleqn
+\DeclareOption{fleqn}{\def\@rticle@options{10pt,twoside,fleqn}%
+\AtEndOfClass{\let\leftlegendglue\relax}%
+\AtBeginDocument{\mathindent\parindent}}
+% hanging sectioning titles
+\let\if@sechang\iffalse
+\DeclareOption{sechang}{\let\if@sechang\iftrue}
+\def\ClassInfoNoLine#1#2{%
+ \ClassInfo{#1}{#2\@gobble}%
+}
+\let\SVMonoOpt\@empty
+\DeclareOption*{\InputIfFileExists{sv\CurrentOption.clo}{%
+\global\let\SVMonoOpt\CurrentOption}{%
+\ClassWarning{Springer-SVMono}{Specified option or subpackage
+"\CurrentOption" \MessageBreak not found
+passing it to article class \MessageBreak
+-}\PassOptionsToClass{\CurrentOption}{article}%
+}}
+\ProcessOptions\relax
+\ifx\SVMonoOpt\@empty\relax
+\ClassInfoNoLine{Springer-SVMono}{extra/valid Springer sub-package
+\MessageBreak not found in option list - using "global" style}{}
+\fi
+\LoadClass[\@rticle@options]{article}
+\raggedbottom
+
+% various sizes and settings for monographs
+
+\setlength{\textwidth}{28pc} % 11.8cm
+%\setlength{\textheight}{12pt}\multiply\textheight by 45\relax
+\setlength{\textheight}{540\p@}
+\setlength{\topmargin}{0cm}
+\setlength\oddsidemargin {63\p@}
+\setlength\evensidemargin {63\p@}
+\setlength\marginparwidth{90\p@}
+\setlength\headsep {12\p@}
+
+\setlength{\parindent}{15\p@}
+\setlength{\parskip}{\z@ \@plus \p@}
+\setlength{\hfuzz}{2\p@}
+\setlength{\arraycolsep}{1.5\p@}
+
+\frenchspacing
+
+\tolerance=500
+
+\predisplaypenalty=0
+\clubpenalty=10000
+\widowpenalty=10000
+
+\setlength\footnotesep{7.7\p@}
+
+\newdimen\betweenumberspace % dimension for space between
+\betweenumberspace=5\p@ % number and text of titles
+\newdimen\headlineindent % dimension for space of
+\headlineindent=2.5cc % number and gap of running heads
+
+% fonts, sizes, and the like
+\renewcommand\small{%
+ \@setfontsize\small\@ixpt{11}%
+ \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@
+ \abovedisplayshortskip \z@ \@plus2\p@
+ \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@
+ \def\@listi{\leftmargin\leftmargini
+ \parsep \z@ \@plus\p@ \@minus\p@
+ \topsep 6\p@ \@plus2\p@ \@minus4\p@
+ \itemsep\z@}%
+ \belowdisplayskip \abovedisplayskip
+}
+%
+\let\footnotesize=\small
+%
+\newenvironment{petit}{\par\addvspace{6\p@}\small}{\par\addvspace{6\p@}}
+%
+
+% modification of automatic positioning of floating objects
+\setlength\@fptop{\z@ }
+\setlength\@fpsep{12\p@ }
+\setlength\@fpbot{\z@ \@plus 1fil }
+\def\textfraction{.01}
+\def\floatpagefraction{.8}
+\setlength{\intextsep}{20\p@ \@plus 2\p@ \@minus 2\p@}
+\setcounter{topnumber}{4}
+\def\topfraction{.9}
+\setcounter{bottomnumber}{2}
+\def\bottomfraction{.7}
+\setcounter{totalnumber}{6}
+%
+% size and style of headings
+\newcommand{\partsize}{\Large}
+\newcommand{\partstyle}{\bfseries\boldmath}
+\newcommand{\chapsize}{\Large}
+\newcommand{\chapstyle}{\bfseries\boldmath}
+\newcommand{\chapshooksize}{\small}
+\newcommand{\chapshookstyle}{\itshape\unboldmath}
+\newcommand{\secsize}{\large}
+\newcommand{\secstyle}{\bfseries\boldmath}
+\newcommand{\subsecsize}{\normalsize}
+\newcommand{\subsecstyle}{\bfseries\boldmath}
+%
+\def\cleardoublepage{\clearpage\if@twoside \ifodd\c@page\else
+ \hbox{}\newpage\if@twocolumn\hbox{}\newpage\fi\fi\fi}
+
+\newcommand{\clearemptydoublepage}{%
+ \clearpage{\pagestyle{empty}\cleardoublepage}}
+\newcommand{\startnewpage}{\if@openright\clearemptydoublepage\else\clearpage\fi}
+
+% redefinition of \part
+\renewcommand\part{\clearemptydoublepage
+ \thispagestyle{empty}
+ \if@twocolumn
+ \onecolumn
+ \@tempswatrue
+ \else
+ \@tempswafalse
+ \fi
+ \@ifundefined{thispagecropped}{}{\thispagecropped}
+ \secdef\@part\@spart}
+
+\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax
+ \refstepcounter{part}
+ \addcontentsline{toc}{part}{\partname\
+ \thepart\thechapterend\hspace{\betweenumberspace}%
+ #1}\else
+ \addcontentsline{toc}{part}{#1}\fi
+ \markboth{}{}
+ {\raggedleft
+ \ifnum \c@secnumdepth >-2\relax
+ \normalfont\partstyle\partsize\vrule height 34pt width 0pt depth 0pt%
+ \partname\ \thepart\llap{\smash{\lower 5pt\hbox to\textwidth{\hrulefill}}}
+ \par
+ \vskip 128.3\p@ \fi
+ #2\par}\@endpart}
+%
+% \@endpart finishes the part page
+%
+\def\@endpart{\vfil\newpage
+ \if@twoside
+ \hbox{}
+ \thispagestyle{empty}
+ \newpage
+ \fi
+ \if@tempswa
+ \twocolumn
+ \fi}
+%
+\def\@spart#1{{\raggedleft
+ \normalfont\partsize\partstyle
+ #1\par}\@endpart}
+%
+\newenvironment{partbacktext}{\def\@endpart{\vfil\newpage}}
+{\thispagestyle{empty} \newpage \if@tempswa\twocolumn\fi}
+%
+% (re)define sectioning
+\setcounter{secnumdepth}{2}
+
+\def\seccounterend{}
+\def\seccountergap{\hskip\betweenumberspace}
+\def\@seccntformat#1{\csname the#1\endcsname\seccounterend\seccountergap\ignorespaces}
+%
+\let\firstmark=\botmark
+%
+\@ifundefined{thechapterend}{\def\thechapterend{}}{}
+%
+\if@sechang
+ \def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
+ \hangindent\wd\@tempboxa\noindent\box\@tempboxa}
+\else
+ \def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
+ \hangindent\z@\noindent\box\@tempboxa}
+\fi
+
+\def\chap@hangfrom#1{\noindent\vrule height 34pt width 0pt depth 0pt
+\rlap{\smash{\lower 5pt\hbox to\textwidth{\hrulefill}}}\hbox{#1}
+\vskip10pt}
+\def\schap@hangfrom{\chap@hangfrom{}}
+
+\newcounter{chapter}
+%
+\@addtoreset{section}{chapter}
+\@addtoreset{footnote}{chapter}
+
+\newif\if@mainmatter \@mainmattertrue
+\newcommand\frontmatter{\startnewpage
+ \@mainmatterfalse\pagenumbering{Roman}
+ \setcounter{page}{5}}
+%
+\newcommand\mainmatter{\clearemptydoublepage
+ \@mainmattertrue\pagenumbering{arabic}}
+%
+\newcommand\backmatter{\clearemptydoublepage\@mainmatterfalse}
+
+\def\@chapapp{\chaptername}
+
+\newdimen\chapstarthookwidth
+\newcommand\chapstarthook[2][0.66\textwidth]{%
+\setlength{\chapstarthookwidth}{#1}%
+\gdef\chapst@rthook{#2}}
+
+\newcommand{\processchapstarthook}{\@ifundefined{chapst@rthook}{}{%
+ \setbox0=\hbox{\vbox{\hyphenpenalty=50
+ \begin{flushright}
+ \begin{minipage}{\chapstarthookwidth}
+ \vrule\@width\z@\@height21\p@\@depth\z@
+ \normalfont\chapshooksize\chapshookstyle\chapst@rthook
+ \end{minipage}
+ \end{flushright}}}%
+ \@tempdima=\pagetotal
+ \advance\@tempdima by\ht0
+ \ifdim\@tempdima<106\p@
+ \multiply\@tempdima by-1
+ \advance\@tempdima by106\p@
+ \vskip\@tempdima
+ \fi
+ \box0\par
+ \global\let\chapst@rthook=\undefined}}
+
+\newcommand\chapter{\startnewpage
+ \@ifundefined{thispagecropped}{}{\thispagecropped}
+ \thispagestyle{empty}%
+ \global\@topnum\z@
+ \@afterindentfalse
+ \secdef\@chapter\@schapter}
+
+\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne
+ \refstepcounter{chapter}%
+ \if@mainmatter
+ \typeout{\@chapapp\space\thechapter.}%
+ \addcontentsline{toc}{chapter}{\protect
+ \numberline{\thechapter\thechapterend}#1}%
+ \else
+ \addcontentsline{toc}{chapter}{#1}%
+ \fi
+ \else
+ \addcontentsline{toc}{chapter}{#1}%
+ \fi
+ \chaptermark{#1}%
+ \addtocontents{lof}{\protect\addvspace{10\p@}}%
+ \addtocontents{lot}{\protect\addvspace{10\p@}}%
+ \if@twocolumn
+ \@topnewpage[\@makechapterhead{#2}]%
+ \else
+ \@makechapterhead{#2}%
+ \@afterheading
+ \fi}
+
+\def\@schapter#1{\if@twocolumn
+ \@topnewpage[\@makeschapterhead{#1}]%
+ \else
+ \@makeschapterhead{#1}%
+ \@afterheading
+ \fi}
+
+%%changes position and layout of numbered chapter headings
+\def\@makechapterhead#1{{\parindent\z@\raggedright\normalfont
+ \hyphenpenalty \@M
+ \interlinepenalty\@M
+ \chapsize\chapstyle
+ \chap@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
+ \ignorespaces#1\par\nobreak
+ \processchapstarthook
+ \ifdim\pagetotal>157\p@
+ \vskip 11\p@
+ \else
+ \@tempdima=168\p@\advance\@tempdima by-\pagetotal
+ \vskip\@tempdima
+ \fi}}
+
+%%changes position and layout of unnumbered chapter headings
+\def\@makeschapterhead#1{{\parindent \z@ \raggedright\normalfont
+ \hyphenpenalty \@M
+ \interlinepenalty\@M
+ \chapsize\chapstyle
+ \schap@hangfrom
+ \ignorespaces#1\par\nobreak
+ \processchapstarthook
+ \ifdim\pagetotal>157\p@
+ \vskip 11\p@
+ \else
+ \@tempdima=168\p@\advance\@tempdima by-\pagetotal
+ \vskip\@tempdima
+ \fi}}
+
+% predefined unnumbered headings
+\newcommand{\preface}[1][\prefacename]{\chapter*{#1}\markboth{#1}{#1}}
+% same with TOC entry
+\newcommand{\Preface}[1][\prefacename]{\chapter*{#1}\markboth{#1}{#1}%
+\addcontentsline{toc}{chapter}{#1}}
+
+% measures and setting of sections
+\renewcommand\section{\@startsection{section}{1}{\z@}%
+ {-24\p@ \@plus -4\p@ \@minus -4\p@}%
+ {12\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\secsize\secstyle
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\renewcommand\subsection{\@startsection{subsection}{2}{\z@}%
+ {-17\p@ \@plus -4\p@ \@minus -4\p@}%
+ {10\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\subsecsize\subsecstyle
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}%
+ {-17\p@ \@plus -4\p@ \@minus -4\p@}%
+ {10\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\normalsize\subsecstyle
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}%
+ {-10\p@ \@plus -4\p@ \@minus -4\p@}%
+ {10\p@ \@plus 4\p@ \@minus 4\p@}%
+ {\normalfont\normalsize\itshape
+ \rightskip=\z@ \@plus 8em\pretolerance=10000 }}
+\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
+ {-5.388\p@ \@plus-4\p@ \@minus-4\p@}{-5\p@}{\normalfont\normalsize\itshape}}
+
+% Appendix
+\renewcommand\appendix{\par
+ \stepcounter{chapter}
+ \setcounter{chapter}{0}
+ \stepcounter{section}
+ \setcounter{section}{0}
+ \setcounter{equation}{0}
+ \setcounter{figure}{0}
+ \setcounter{table}{0}
+ \setcounter{footnote}{0}
+ \def\@chapapp{\appendixname}%
+ \renewcommand\thechapter{\@Alph\c@chapter}}
+
+% definition of sections
+% \hyphenpenalty and \raggedright added, so that there is no
+% hyphenation and the text is set ragged-right in sectioning
+
+\def\runinsep{}
+\def\aftertext{\unskip\runinsep}
+%
+\def\thesection{\thechapter.\arabic{section}}
+\def\thesubsection{\thesection.\arabic{subsection}}
+\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
+\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
+\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
+\def\chaptermark#1{}
+%
+\def\@ssect#1#2#3#4#5{%
+ \@tempskipa #3\relax
+ \ifdim \@tempskipa>\z@
+ \begingroup
+ #4{%
+ \@hangfrom{\hskip #1}%
+ \raggedright
+ \hyphenpenalty \@M
+ \interlinepenalty \@M #5\@@par}%
+ \endgroup
+ \else
+ \def\@svsechd{#4{\hskip #1\relax #5}}%
+ \fi
+ \@xsect{#3}}
+%
+\def\@sect#1#2#3#4#5#6[#7]#8{%
+ \ifnum #2>\c@secnumdepth
+ \let\@svsec\@empty
+ \else
+ \refstepcounter{#1}%
+ \protected@edef\@svsec{\@seccntformat{#1}\relax}%
+ \fi
+ \@tempskipa #5\relax
+ \ifdim \@tempskipa>\z@
+ \begingroup #6\relax
+ \sec@hangfrom{\hskip #3\relax\@svsec}%
+ {\raggedright
+ \hyphenpenalty \@M
+ \interlinepenalty \@M #8\@@par}%
+ \endgroup
+ \csname #1mark\endcsname{#7\seccounterend}%
+ \addcontentsline{toc}{#1}{\ifnum #2>\c@secnumdepth
+ \else
+ \protect\numberline{\csname the#1\endcsname\seccounterend}%
+ \fi
+ #7}%
+ \else
+ \def\@svsechd{%
+ #6\hskip #3\relax
+ \@svsec #8\aftertext\ignorespaces
+ \csname #1mark\endcsname{#7}%
+ \addcontentsline{toc}{#1}{%
+ \ifnum #2>\c@secnumdepth \else
+ \protect\numberline{\csname the#1\endcsname\seccounterend}%
+ \fi
+ #7}}%
+ \fi
+ \@xsect{#5}}
+
+% figures and tables are processed in small print
+\def \@floatboxreset {%
+ \reset@font
+ \small
+ \@setnobreak
+ \@setminipage
+}
+\def\fps@figure{htbp}
+\def\fps@table{htbp}
+
+% Frame for paste-in figures or tables
+\def\mpicplace#1#2{% #1 =width #2 =height
+\vbox{\hbox to #1{\vrule\@width \fboxrule \@height #2\hfill}}}
+
+% labels of enumerate
+\renewcommand\labelenumii{\theenumii)}
+\renewcommand\theenumii{\@alph\c@enumii}
+
+% labels of itemize
+\renewcommand\labelitemi{\textbullet}
+\renewcommand\labelitemii{\textendash}
+\let\labelitemiii=\labelitemiv
+
+% labels of description
+\renewcommand*\descriptionlabel[1]{\hspace\labelsep #1\hfil}
+
+% fixed indentation for standard itemize-environment
+\newdimen\svitemindent \setlength{\svitemindent}{\parindent}
+
+
+% make indentations changeable
+
+\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
+ \let\setit@m=Y%
+ \leftmargini\labelwidth
+ \advance\leftmargini\labelsep
+ \def\@listi{\leftmargin\leftmargini
+ \labelwidth\leftmargini\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\medskipamount
+ \itemsep=\parskip \advance\itemsep by -\parsep}}
+\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
+ \let\setit@m=Y%
+ \leftmarginii\labelwidth
+ \advance\leftmarginii\labelsep
+\def\@listii{\leftmargin\leftmarginii
+ \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip \advance\itemsep by -\parsep}}
+%
+% adjusted environment "description"
+% if an optional parameter (at the first two levels of lists)
+% is present, its width is considered to be the widest mark
+% throughout the current list.
+\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
+ \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
+%
+\def\describelabel#1{#1\hfil}
+\def\@describe[#1]{\relax\ifnum\@listdepth=0
+\setitemindent{#1}\else\ifnum\@listdepth=1
+\setitemitemindent{#1}\fi\fi
+\list{--}{\let\makelabel\describelabel}}
+%
+\def\itemize{%
+ \ifnum \@itemdepth >\thr@@\@toodeep\else
+ \advance\@itemdepth\@ne
+ \ifx\setit@m\undefined
+ \ifnum \@itemdepth=1 \leftmargini=\svitemindent
+ \labelwidth\leftmargini\advance\labelwidth-\labelsep
+ \leftmarginii=\leftmargini \leftmarginiii=\leftmargini
+ \fi
+ \fi
+ \edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+ \expandafter\list
+ \csname\@itemitem\endcsname
+ {\def\makelabel##1{\rlap{##1}\hss}}%
+ \fi}
+%
+\newdimen\verbatimindent \verbatimindent\parindent
+\def\verbatim{\advance\@totalleftmargin by\verbatimindent
+\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
+
+%
+% special signs and characters
+\newcommand{\D}{\mathrm{d}}
+\newcommand{\E}{\mathrm{e}}
+\let\eul=\E
+\newcommand{\I}{{\rm i}}
+\let\imag=\I
+%
+% the definition of uppercase Greek characters
+% Springer likes them as italics to depict variables
+\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00}
+\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01}
+\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02}
+\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03}
+\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04}
+\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05}
+\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06}
+\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07}
+\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08}
+\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09}
+\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A}
+% the upright forms are defined here as \var<Character>
+\DeclareMathSymbol{\varGamma}{\mathalpha}{operators}{"00}
+\DeclareMathSymbol{\varDelta}{\mathalpha}{operators}{"01}
+\DeclareMathSymbol{\varTheta}{\mathalpha}{operators}{"02}
+\DeclareMathSymbol{\varLambda}{\mathalpha}{operators}{"03}
+\DeclareMathSymbol{\varXi}{\mathalpha}{operators}{"04}
+\DeclareMathSymbol{\varPi}{\mathalpha}{operators}{"05}
+\DeclareMathSymbol{\varSigma}{\mathalpha}{operators}{"06}
+\DeclareMathSymbol{\varUpsilon}{\mathalpha}{operators}{"07}
+\DeclareMathSymbol{\varPhi}{\mathalpha}{operators}{"08}
+\DeclareMathSymbol{\varPsi}{\mathalpha}{operators}{"09}
+\DeclareMathSymbol{\varOmega}{\mathalpha}{operators}{"0A}
+% Upright Lower Case Greek letters without using a new MathAlphabet
+\newcommand{\greeksym}[1]{\usefont{U}{psy}{m}{n}#1}
+\newcommand{\greeksymbold}[1]{{\usefont{U}{psy}{b}{n}#1}}
+\newcommand{\allmodesymb}[2]{\relax\ifmmode{\mathchoice
+{\mbox{\fontsize{\tf@size}{\tf@size}#1{#2}}}
+{\mbox{\fontsize{\tf@size}{\tf@size}#1{#2}}}
+{\mbox{\fontsize{\sf@size}{\sf@size}#1{#2}}}
+{\mbox{\fontsize{\ssf@size}{\ssf@size}#1{#2}}}}
+\else
+\mbox{#1{#2}}\fi}
+% Definition of lower case Greek letters
+\newcommand{\ualpha}{\allmodesymb{\greeksym}{a}}
+\newcommand{\ubeta}{\allmodesymb{\greeksym}{b}}
+\newcommand{\uchi}{\allmodesymb{\greeksym}{c}}
+\newcommand{\udelta}{\allmodesymb{\greeksym}{d}}
+\newcommand{\ugamma}{\allmodesymb{\greeksym}{g}}
+\newcommand{\umu}{\allmodesymb{\greeksym}{m}}
+\newcommand{\unu}{\allmodesymb{\greeksym}{n}}
+\newcommand{\upi}{\allmodesymb{\greeksym}{p}}
+\newcommand{\utau}{\allmodesymb{\greeksym}{t}}
+% redefines the \vec accent to a bold character - if desired
+\def\fig@type{arrow}% temporarily abused
+\ifx\vec@style\fig@type\else
+\@ifundefined{vec@style}{%
+ \def\vec#1{\ensuremath{\mathchoice
+ {\mbox{\boldmath$\displaystyle\mathbf{#1}$}}
+ {\mbox{\boldmath$\textstyle\mathbf{#1}$}}
+ {\mbox{\boldmath$\scriptstyle\mathbf{#1}$}}
+ {\mbox{\boldmath$\scriptscriptstyle\mathbf{#1}$}}}}%
+}
+{\def\vec#1{\ensuremath{\mathchoice
+ {\mbox{\boldmath$\displaystyle#1$}}
+ {\mbox{\boldmath$\textstyle#1$}}
+ {\mbox{\boldmath$\scriptstyle#1$}}
+ {\mbox{\boldmath$\scriptscriptstyle#1$}}}}%
+}
+\fi
+% tensor
+\def\tens#1{\relax\ifmmode\mathsf{#1}\else\textsf{#1}\fi}
+
+% end of proof symbol
+\newcommand\qedsymbol{\hbox{\rlap{$\sqcap$}$\sqcup$}}
+\newcommand\qed{\relax\ifmmode\else\unskip\quad\fi\qedsymbol}
+\newcommand\smartqed{\renewcommand\qed{\relax\ifmmode\qedsymbol\else
+ {\unskip\nobreak\hfil\penalty50\hskip1em\null\nobreak\hfil\qedsymbol
+ \parfillskip=\z@\finalhyphendemerits=0\endgraf}\fi}}
+%
+\def\num@book{%
+\renewcommand\thesection{\thechapter.\@arabic\c@section}%
+\renewcommand\thesubsection{\thesection.\@arabic\c@subsection}%
+\renewcommand\theequation{\thechapter.\@arabic\c@equation}%
+\renewcommand\thefigure{\thechapter.\@arabic\c@figure}%
+\renewcommand\thetable{\thechapter.\@arabic\c@table}%
+\@addtoreset{section}{chapter}%
+\@addtoreset{figure}{chapter}%
+\@addtoreset{table}{chapter}%
+\@addtoreset{equation}{chapter}}
+%
+% Ragged bottom for the actual page
+\def\thisbottomragged{\def\@textbottom{\vskip\z@ \@plus.0001fil
+\global\let\@textbottom\relax}}
+
+% This is texte.tex
+% it defines various texts and their translations
+% called up with documentstyle options
+\def\switcht@albion{%
+\def\abstractname{Summary.}%
+\def\ackname{Acknowledgement.}%
+\def\andname{and}%
+\def\bibname{References}%
+\def\lastandname{, and}%
+\def\appendixname{Appendix}%
+\def\chaptername{Chapter}%
+\def\claimname{Claim}%
+\def\conjecturename{Conjecture}%
+\def\contentsname{Contents}%
+\def\corollaryname{Corollary}%
+\def\definitionname{Definition}%
+\def\examplename{Example}%
+\def\exercisename{Exercise}%
+\def\figurename{Fig.}%
+\def\keywordname{{\bf Key words:}}%
+\def\indexname{Index}%
+\def\lemmaname{Lemma}%
+\def\contriblistname{List of Contributors}%
+\def\listfigurename{List of Figures}%
+\def\listtablename{List of Tables}%
+\def\mailname{{\it Correspondence to\/}:}%
+\def\noteaddname{Note added in proof}%
+\def\notename{Note}%
+\def\partname{Part}%
+\def\prefacename{Preface}%
+\def\problemname{Problem}%
+\def\proofname{Proof}%
+\def\propertyname{Property}%
+\def\propositionname{Proposition}%
+\def\questionname{Question}%
+\def\refname{References}%
+\def\remarkname{Remark}%
+\def\seename{see}%
+\def\solutionname{Solution}%
+\def\subclassname{{\it Subject Classifications\/}:}%
+\def\tablename{Table}%
+\def\theoremname{Theorem}}
+\switcht@albion
+% Names of theorem like environments are already defined
+% but must be translated if another language is chosen
+%
+% French section
+\def\switcht@francais{\svlanginfo
+ \def\abstractname{R\'esum\'e.}%
+ \def\ackname{Remerciements.}%
+ \def\andname{et}%
+ \def\lastandname{ et}%
+ \def\appendixname{Appendice}%
+ \def\bibname{Bibliographie}%
+ \def\chaptername{Chapitre}%
+ \def\claimname{Pr\'etention}%
+ \def\conjecturename{Hypoth\`ese}%
+ \def\contentsname{Table des mati\`eres}%
+ \def\corollaryname{Corollaire}%
+ \def\definitionname{D\'efinition}%
+ \def\examplename{Exemple}%
+ \def\exercisename{Exercice}%
+ \def\figurename{Fig.}%
+ \def\keywordname{{\bf Mots-cl\'e:}}%
+ \def\indexname{Index}%
+ \def\lemmaname{Lemme}%
+ \def\contriblistname{Liste des contributeurs}%
+ \def\listfigurename{Liste des figures}%
+ \def\listtablename{Liste des tables}%
+ \def\mailname{{\it Correspondence to\/}:}%
+ \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
+ \def\notename{Remarque}%
+ \def\partname{Partie}%
+ \def\prefacename{Avant-propos}% ou Pr\'eface
+ \def\problemname{Probl\`eme}%
+ \def\proofname{Preuve}%
+ \def\propertyname{Caract\'eristique}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Question}%
+ \def\refname{Litt\'erature}%
+ \def\remarkname{Remarque}%
+ \def\seename{voir}%
+ \def\solutionname{Solution}%
+ \def\subclassname{{\it Subject Classifications\/}:}%
+ \def\tablename{Tableau}%
+ \def\theoremname{Th\'eor\`eme}%
+}
+%
+% German section
+\def\switcht@deutsch{\svlanginfo
+ \def\abstractname{Zusammenfassung.}%
+ \def\ackname{Danksagung.}%
+ \def\andname{und}%
+ \def\lastandname{ und}%
+ \def\appendixname{Anhang}%
+ \def\bibname{Literaturverzeichnis}%
+ \def\chaptername{Kapitel}%
+ \def\claimname{Behauptung}%
+ \def\conjecturename{Hypothese}%
+ \def\contentsname{Inhaltsverzeichnis}%
+ \def\corollaryname{Korollar}%
+%\def\definitionname{Definition}%
+ \def\examplename{Beispiel}%
+ \def\exercisename{\"Ubung}%
+ \def\figurename{Abb.}%
+ \def\keywordname{{\bf Schl\"usselw\"orter:}}%
+ \def\indexname{Sachverzeichnis}%
+%\def\lemmaname{Lemma}%
+ \def\contriblistname{Mitarbeiter}%
+ \def\listfigurename{Abbildungsverzeichnis}%
+ \def\listtablename{Tabellenverzeichnis}%
+ \def\mailname{{\it Correspondence to\/}:}%
+ \def\noteaddname{Nachtrag}%
+ \def\notename{Anmerkung}%
+ \def\partname{Teil}%
+ \def\prefacename{Vorwort}%
+%\def\problemname{Problem}%
+ \def\proofname{Beweis}%
+ \def\propertyname{Eigenschaft}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Frage}%
+ \def\refname{Literaturverzeichnis}%
+ \def\remarkname{Anmerkung}%
+ \def\seename{siehe}%
+ \def\solutionname{L\"osung}%
+ \def\subclassname{{\it Subject Classifications\/}:}%
+ \def\tablename{Tabelle}%
+%\def\theoremname{Theorem}%
+}
+
+\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\halign{\hfil
+$\displaystyle##$\hfil\cr\gets\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets
+\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets
+\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+\gets\cr\to\cr}}}}}
+\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1.2\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+<\cr
+\noalign{\vskip0.9\p@}=\cr}}}}}
+\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1.2\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip\p@}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr
+\noalign{\vskip0.9\p@}=\cr}}}}}
+\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-\p@}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+>\cr\noalign{\vskip-\p@}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.8\p@}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.3\p@}<\cr}}}}}
+\def\bbbr{{\rm I\!R}} %reelle Zahlen
+\def\bbbm{{\rm I\!M}}
+\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
+\def\bbbf{{\rm I\!F}}
+\def\bbbh{{\rm I\!H}}
+\def\bbbk{{\rm I\!K}}
+\def\bbbp{{\rm I\!P}}
+\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
+{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
+\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
+to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
+to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
+to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
+to\z@{\kern0.4\wd0\vrule\@height0.9\ht0\hss}\box0}}}}
+\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+Q$}\hbox{\raise
+0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to\z@{\kern0.4\wd0\vrule\@height0.7\ht0\hss}\box0}}}}
+\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+T$}\hbox{\hbox to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
+to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
+to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
+to\z@{\kern0.3\wd0\vrule\@height0.9\ht0\hss}\box0}}}}
+\def\bbbs{{\mathchoice
+{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\hbox
+to\z@{\kern0.55\wd0\vrule\@height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\hbox
+to\z@{\kern0.55\wd0\vrule\@height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to\z@{\kern0.35\wd0\vrule\@height0.45\ht0\hss}\raise0.05\ht0\hbox
+to\z@{\kern0.5\wd0\vrule\@height0.45\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
+to\z@{\kern0.4\wd0\vrule\@height0.45\ht0\hss}\raise0.05\ht0\hbox
+to\z@{\kern0.55\wd0\vrule\@height0.45\ht0\hss}\box0}}}}
+\def\bbbz{{\mathchoice {\hbox{$\textstyle\sf Z\kern-0.4em Z$}}
+{\hbox{$\textstyle\sf Z\kern-0.4em Z$}}
+{\hbox{$\scriptstyle\sf Z\kern-0.3em Z$}}
+{\hbox{$\scriptscriptstyle\sf Z\kern-0.2em Z$}}}}
+
+\let\ts\,
+
+\setlength \labelsep {5\p@}
+\setlength\leftmargini {17\p@}
+\setlength\leftmargin {\leftmargini}
+\setlength\leftmarginii {\leftmargini}
+\setlength\leftmarginiii {\leftmargini}
+\setlength\leftmarginiv {\leftmargini}
+\setlength\labelwidth {\leftmargini}
+\addtolength\labelwidth{-\labelsep}
+
+\def\@listI{\leftmargin\leftmargini
+ \parsep=\parskip
+ \topsep=\medskipamount
+ \itemsep=\parskip \advance\itemsep by -\parsep}
+\let\@listi\@listI
+\@listi
+
+\def\@listii{\leftmargin\leftmarginii
+ \labelwidth\leftmarginii
+ \advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip
+ \advance\itemsep by -\parsep}
+
+\def\@listiii{\leftmargin\leftmarginiii
+ \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip
+ \advance\itemsep by -\parsep
+ \partopsep=\topsep}
+
+\setlength\arraycolsep{1.5\p@}
+\setlength\tabcolsep{1.5\p@}
+
+\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+
+\setcounter{tocdepth}{2}
+
+\def\l@part#1#2{\addpenalty{\@secpenalty}%
+ \addvspace{2em \@plus\p@}%
+ \begingroup
+ \parindent \z@
+ \rightskip \z@ \@plus 5em
+ \hrule\vskip5\p@
+ \bfseries\boldmath
+ \leavevmode
+ #1\par
+ \vskip5\p@
+ \hrule
+ \vskip\p@
+ \nobreak
+ \endgroup}
+
+\def\@dotsep{2}
+
+\def\addnumcontentsmark#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline
+ {\thechapter}#3}{\thepage}}}
+\def\addcontentsmark#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}}}
+\def\addcontentsmarkwop#1#2#3{%
+\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}}}
+
+\def\@adcmk[#1]{\ifcase #1 \or
+\def\@gtempa{\addnumcontentsmark}%
+ \or \def\@gtempa{\addcontentsmark}%
+ \or \def\@gtempa{\addcontentsmarkwop}%
+ \fi\@gtempa{toc}{chapter}}
+\def\addtocmark{\@ifnextchar[{\@adcmk}{\@adcmk[3]}}
+
+\def\l@chapter#1#2{\par\addpenalty{-\@highpenalty}
+ \addvspace{1.0em \@plus \p@}
+ \@tempdima \tocchpnum \begingroup
+ \parindent \z@ \rightskip \@tocrmarg
+ \advance\rightskip by \z@ \@plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ {\bfseries\boldmath#1}\ifx0#2\hfil\null
+ \else
+ \nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu\hbox{.}\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hfil #2}%
+ \fi\par
+ \penalty\@highpenalty \endgroup}
+
+\newdimen\tocchpnum
+\newdimen\tocsecnum
+\newdimen\tocsectotal
+\newdimen\tocsubsecnum
+\newdimen\tocsubsectotal
+\newdimen\tocsubsubsecnum
+\newdimen\tocsubsubsectotal
+\newdimen\tocparanum
+\newdimen\tocparatotal
+\newdimen\tocsubparanum
+\tocchpnum=20\p@ % chapter {\bf 88.} \@plus 5.3\p@
+\tocsecnum=22.5\p@ % section 88.8. plus 4.722\p@
+\tocsubsecnum=30.5\p@ % subsection 88.8.8 plus 4.944\p@
+\tocsubsubsecnum=38\p@ % subsubsection 88.8.8.8 plus 4.666\p@
+\tocparanum=45\p@ % paragraph 88.8.8.8.8 plus 3.888\p@
+\tocsubparanum=53\p@ % subparagraph 88.8.8.8.8.8 plus 4.11\p@
+\def\calctocindent{%
+\tocsectotal=\tocchpnum
+\advance\tocsectotal by\tocsecnum
+\tocsubsectotal=\tocsectotal
+\advance\tocsubsectotal by\tocsubsecnum
+\tocsubsubsectotal=\tocsubsectotal
+\advance\tocsubsubsectotal by\tocsubsubsecnum
+\tocparatotal=\tocsubsubsectotal
+\advance\tocparatotal by\tocparanum}
+\calctocindent
+
+\def\@dottedtocline#1#2#3#4#5{%
+ \ifnum #1>\c@tocdepth \else
+ \vskip \z@ \@plus.2\p@
+ {\leftskip #2\relax \rightskip \@tocrmarg \advance\rightskip by \z@ \@plus 2cm
+ \parfillskip -\rightskip \pretolerance=10000
+ \parindent #2\relax\@afterindenttrue
+ \interlinepenalty\@M
+ \leavevmode
+ \@tempdima #3\relax
+ \advance\leftskip \@tempdima \null\nobreak\hskip -\leftskip
+ {#4}\nobreak
+ \leaders\hbox{$\m@th
+ \mkern \@dotsep mu\hbox{.}\mkern \@dotsep
+ mu$}\hfill
+ \nobreak
+ \hb@xt@\@pnumwidth{\hfil\normalfont \normalcolor #5}%
+ \par}%
+ \fi}
+%
+\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
+\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
+\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
+\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
+\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
+
+\renewcommand\listoffigures{%
+ \chapter*{\listfigurename
+ \@mkboth{\listfigurename}{\listfigurename}}%
+ \@starttoc{lof}%
+ }
+
+\renewcommand\listoftables{%
+ \chapter*{\listtablename
+ \@mkboth{\listtablename}{\listtablename}}%
+ \@starttoc{lot}%
+ }
+
+\renewcommand\footnoterule{%
+ \kern-3\p@
+ \hrule\@width 50\p@
+ \kern2.6\p@}
+
+\newdimen\foot@parindent
+\foot@parindent 10.83\p@
+
+\AtBeginDocument{%
+\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
+ \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
+ \@tempdima}\par
+ \parindent \foot@parindent\noindent \hbox to \z@{%
+ \hss\hss$^{\@thefnmark}$ }#1}}
+
+\if@spthms
+% Definition of the "\spnewtheorem" command.
+%
+% Usage:
+%
+% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
+% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
+% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
+%
+% New is "cap_font" and "body_font". It stands for
+% fontdefinition of the caption and the text itself.
+%
+% "\spnewtheorem*" gives a theorem without number.
+%
+% A defined spnewthoerem environment is used as described
+% by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\@thmcountersep{.}
+\def\@thmcounterend{.}
+\newcommand\nocaption{\noexpand\@gobble}
+\newdimen\spthmsep \spthmsep=3pt
+
+\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
+
+% definition of \spnewtheorem with number
+
+\def\@spnthm#1#2{%
+ \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
+
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}\@addtoreset{#1}{#3}%
+ \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+ \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}%
+ \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spothm#1[#2]#3#4#5{%
+ \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+ {\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{the#1}{\@nameuse{the#2}}%
+ \expandafter\xdef\csname #1name\endcsname{#3}%
+ \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}}
+
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\labelsep=\spthmsep\refstepcounter{#1}%
+\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
+
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+ \ignorespaces}
+
+\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
+ the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+
+\def\normalthmheadings{\def\@spbegintheorem##1##2##3##4{\trivlist
+ \item[\hskip\labelsep{##3##1\ ##2\@thmcounterend}]##4}
+\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{##4(##3)\@thmcounterend\ }##5}}
+\normalthmheadings
+
+\def\reversethmheadings{\def\@spbegintheorem##1##2##3##4{\trivlist
+ \item[\hskip\labelsep{##3##2\ ##1\@thmcounterend}]##4}
+\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##2\ ##1}]{##4(##3)\@thmcounterend\ }##5}}
+
+% definition of \spnewtheorem* without number
+
+\def\@sthm#1#2{\@Ynthm{#1}{#2}}
+
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
+
+\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
+
+\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
+ {#4}{#2}{#3}\ignorespaces}
+
+\def\@Begintheorem#1#2#3{#3\trivlist
+ \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+
+\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
+ \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+
+% initialize theorem environment
+
+\if@envcntshowhiercnt % show hierarchy counter
+ \def\@thmcountersep{.}
+ \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
+ \@addtoreset{theorem}{chapter}
+\else % theorem counter only
+ \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+ \if@envcntreset
+ \@addtoreset{theorem}{chapter}
+ \if@envcntresetsect
+ \@addtoreset{theorem}{section}
+ \fi
+ \fi
+\fi
+
+%definition of divers theorem environments
+\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
+\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
+%
+\if@envcntsame % all environments like "Theorem" - using its counter
+ \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % all environments with their own counter
+ \if@envcntshowhiercnt % show hierarchy counter
+ \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
+ \else % environment counter only
+ \if@envcntreset % environment counter is reset each section
+ \if@envcntresetsect
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{chapter}\@addtoreset{#1}{section}}
+ \else
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{chapter}}
+ \fi
+ \else
+ \let\spn@wtheorem=\@spynthm
+ \fi
+ \fi
+\fi
+%
+\let\spdefaulttheorem=\spn@wtheorem
+%
+\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
+\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
+\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
+\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
+\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
+\spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
+\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
+\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
+\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
+\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
+\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
+\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
+\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
+\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
+%
+\newenvironment{theopargself}
+ {\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+ \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+ \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}}{}
+\newenvironment{theopargself*}
+ {\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{\hspace*{-\labelsep}##4##3\@thmcounterend}##5}
+ \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+ \item[\hskip\labelsep{##3##1}]{\hspace*{-\labelsep}##3##2\@thmcounterend}}}{}
+%
+\spnewtheorem{prob}{\nocaption}[chapter]{\bfseries}{\rmfamily}
+\newcommand{\probref}[1]{\textbf{\ref{#1}} }
+\newenvironment{sol}{\par\addvspace{6pt}\noindent\probref}{\par\addvspace{6pt}}
+%
+\fi
+
+\def\@takefromreset#1#2{%
+ \def\@tempa{#1}%
+ \let\@tempd\@elt
+ \def\@elt##1{%
+ \def\@tempb{##1}%
+ \ifx\@tempa\@tempb\else
+ \@addtoreset{##1}{#2}%
+ \fi}%
+ \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+ \expandafter\def\csname cl@#2\endcsname{}%
+ \@tempc
+ \let\@elt\@tempd}
+
+% redefininition of the captions for "figure" and "table" environments
+%
+\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
+\def\floatcounterend{.\ }
+\def\capstrut{\vrule\@width\z@\@height\topskip}
+\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
+\@ifundefined{instindent}{\newdimen\instindent}{}
+
+\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore\if@minipage\@setminipage\fi
+ \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+
+\def\twocaptionwidth#1#2{\def\first@capwidth{#1}\def\second@capwidth{#2}}
+% Default: .46\textwidth
+\twocaptionwidth{.46\textwidth}{.46\textwidth}
+
+\def\leftcaption{\refstepcounter\@captype\@dblarg%
+ {\@leftcaption\@captype}}
+
+\def\rightcaption{\refstepcounter\@captype\@dblarg%
+ {\@rightcaption\@captype}}
+
+\long\def\@leftcaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \vskip\figcapgap
+ \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
+ {\first@capwidth}\ignorespaces\hspace{.073\textwidth}\hfill%
+ \endgroup}
+
+\long\def\@rightcaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
+ {\second@capwidth}\par
+ \endgroup}
+
+\long\def\@maketwocaptions#1#2#3{%
+ \parbox[t]{#3}{{\floatlegendstyle #1\floatcounterend}#2}}
+
+\def\fig@pos{l}
+\newcommand{\leftfigure}[2][\fig@pos]{\makebox[.4635\textwidth][#1]{#2}}
+\let\rightfigure\leftfigure
+
+\newdimen\figgap\figgap=0.5cm % hgap between figure and sidecaption
+%
+\long\def\@makesidecaption#1#2{%
+ \setbox0=\vbox{\hsize=\@tempdimb
+ \captionstyle{\floatlegendstyle
+ #1\floatcounterend}#2}%
+ \ifdim\instindent<\z@
+ \ifdim\ht0>-\instindent
+ \advance\instindent by\ht0
+ \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+ \@captype\space\csname the\@captype\endcsname
+ ^^Jis \the\instindent\space taller than the corresponding float -
+ ^^Jyou'd better switch the environment. }%
+ \instindent\z@
+ \fi
+ \else
+ \ifdim\ht0<\instindent
+ \advance\instindent by-\ht0
+ \advance\instindent by-\dp0\relax
+ \advance\instindent by\topskip
+ \advance\instindent by-11\p@
+ \else
+ \advance\instindent by-\ht0
+ \instindent=-\instindent
+ \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+ \@captype\space\csname the\@captype\endcsname
+ ^^Jis \the\instindent\space taller than the corresponding float -
+ ^^Jyou'd better switch the environment. }%
+ \instindent\z@
+ \fi
+ \fi
+ \parbox[b]{\@tempdimb}{\captionstyle{\floatlegendstyle
+ #1\floatcounterend}#2%
+ \ifdim\instindent>\z@ \\
+ \vrule\@width\z@\@height\instindent
+ \@depth\z@
+ \fi}}
+\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
+\def\sidec@ption[#1]#2\caption{%
+\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
+\if@twocolumn
+ \ifdim\hsize<\textwidth\else
+ \ifdim\wd\@tempboxa<\columnwidth
+ \typeout{Double column float fits into single column -
+ ^^Jyou'd better switch the environment. }%
+ \fi
+ \fi
+\fi
+ \instindent=\ht\@tempboxa
+ \advance\instindent by\dp\@tempboxa
+\if t#1
+\else
+ \instindent=-\instindent
+\fi
+\@tempdimb=\hsize
+\advance\@tempdimb by-\figgap
+\advance\@tempdimb by-\wd\@tempboxa
+\ifdim\@tempdimb<3cm
+ \ClassWarning{SVMono}{\string\sidecaption: No sufficient room for the legend;
+ ^^Jusing normal \string\caption}%
+ \unhbox\@tempboxa
+ \let\@capcommand=\@caption
+\else
+ \ifdim\@tempdimb<4.5cm
+ \ClassWarning{SVMono}{\string\sidecaption: Room for the legend very narrow;
+ ^^Jusing \string\raggedright}%
+ \toks@\expandafter{\captionstyle\sloppy
+ \rightskip=\z@\@plus6mm\relax}%
+ \def\captionstyle{\the\toks@}%
+ \fi
+ \let\@capcommand=\@sidecaption
+ \leavevmode
+ \unhbox\@tempboxa
+ \hfill
+\fi
+\refstepcounter\@captype
+\@dblarg{\@capcommand\@captype}}
+\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\fig@type{figure}
+
+\def\leftlegendglue{\hfil}
+\newdimen\figcapgap\figcapgap=5\p@ % vgap between figure and caption
+\newdimen\tabcapgap\tabcapgap=5.5\p@ % vgap between caption and table
+
+\long\def\@makecaption#1#2{%
+ \captionstyle
+ \ifx\@captype\fig@type
+ \vskip\figcapgap
+ \fi
+ \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
+ \capstrut #2}%
+ \ifdim \wd\@tempboxa >\hsize
+ {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
+ \else
+ \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
+ \fi
+ \ifx\@captype\fig@type\else
+ \vskip\tabcapgap
+ \fi}
+
+\newcounter{merk}
+
+\def\endfigure{\resetsubfig\end@float}
+
+\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
+
+\def\resetsubfig{\global\let\last@subfig=\undefined}
+
+\def\r@setsubfig{\xdef\last@subfig{\number\value{figure}}%
+\setcounter{figure}{\value{merk}}%
+\setcounter{merk}{0}}
+
+\def\subfigures{\refstepcounter{figure}%
+ \@tempcnta=\value{merk}%
+ \setcounter{merk}{\value{figure}}%
+ \setcounter{figure}{\the\@tempcnta}%
+ \def\thefigure{\if@numart\else\thechapter.\fi
+ \@arabic\c@merk\alph{figure}}%
+ \let\resetsubfig=\r@setsubfig}
+
+\def\samenumber{\addtocounter{\@captype}{-1}%
+\@ifundefined{last@subfig}{}{\setcounter{merk}{\last@subfig}}}
+
+% redefinition of the "bibliography" environment
+%
+\def\biblstarthook#1{\gdef\biblst@rthook{#1}}
+%
+\AtBeginDocument{%
+\ifx\secbibl\undefined
+ \def\bibsection{\chapter*{\refname}\markboth{\refname}{\refname}%
+ \addcontentsline{toc}{chapter}{\refname}%
+ \csname biblst@rthook\endcsname}
+\else
+ \def\bibsection{\section*{\refname}\markright{\refname}%
+ \addcontentsline{toc}{section}{\refname}%
+ \csname biblst@rthook\endcsname}
+\fi}
+\ifx\oribibl\undefined % Springer way of life
+ \renewenvironment{thebibliography}[1]{\bibsection
+ \global\let\biblst@rthook=\undefined
+ \def\@biblabel##1{##1.}
+ \small
+ \list{\@biblabel{\@arabic\c@enumiv}}%
+ {\settowidth\labelwidth{\@biblabel{#1}}%
+ \leftmargin\labelwidth
+ \advance\leftmargin\labelsep
+ \if@openbib
+ \advance\leftmargin\bibindent
+ \itemindent -\bibindent
+ \listparindent \itemindent
+ \parsep \z@
+ \fi
+ \usecounter{enumiv}%
+ \let\p@enumiv\@empty
+ \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+ \if@openbib
+ \renewcommand\newblock{\par}%
+ \else
+ \renewcommand\newblock{\hskip .11em \@plus.33em \@minus.07em}%
+ \fi
+ \sloppy\clubpenalty4000\widowpenalty4000%
+ \sfcode`\.=\@m}
+ {\def\@noitemerr
+ {\@latex@warning{Empty `thebibliography' environment}}%
+ \endlist}
+ \def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw
+ {\let\protect\noexpand\immediate
+ \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces}
+\else % original bibliography is required
+ \let\bibname=\refname
+ \renewenvironment{thebibliography}[1]
+ {\chapter*{\bibname
+ \@mkboth{\bibname}{\bibname}}%
+ \list{\@biblabel{\@arabic\c@enumiv}}%
+ {\settowidth\labelwidth{\@biblabel{#1}}%
+ \leftmargin\labelwidth
+ \advance\leftmargin\labelsep
+ \@openbib@code
+ \usecounter{enumiv}%
+ \let\p@enumiv\@empty
+ \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+ \sloppy
+ \clubpenalty4000
+ \@clubpenalty \clubpenalty
+ \widowpenalty4000%
+ \sfcode`\.\@m}
+ {\def\@noitemerr
+ {\@latex@warning{Empty `thebibliography' environment}}%
+ \endlist}
+\fi
+
+\let\if@threecolind\iffalse
+\def\threecolindex{\let\if@threecolind\iftrue}
+\def\indexstarthook#1{\gdef\indexst@rthook{#1}}
+\renewenvironment{theindex}
+ {\if@twocolumn
+ \@restonecolfalse
+ \else
+ \@restonecoltrue
+ \fi
+ \columnseprule \z@
+ \columnsep 1cc
+ \@nobreaktrue
+ \if@threecolind
+ \begin{multicols}{3}[\chapter*{\indexname}%
+ \else
+ \begin{multicols}{2}[\chapter*{\indexname}%
+ \fi
+ {\csname indexst@rthook\endcsname}]%
+ \global\let\indexst@rthook=\undefined
+ \markboth{\indexname}{\indexname}%
+ \addcontentsline{toc}{chapter}{\indexname}%
+ \flushbottom
+ \parindent\z@
+ \rightskip\z@ \@plus 40\p@
+ \parskip\z@ \@plus .3\p@\relax
+ \flushbottom
+ \let\item\@idxitem
+ \def\,{\relax\ifmmode\mskip\thinmuskip
+ \else\hskip0.2em\ignorespaces\fi}%
+ \normalfont\small}
+ {\end{multicols}
+ \global\let\if@threecolind\iffalse
+ \if@restonecol\onecolumn\else\clearpage\fi}
+
+\def\idxquad{\hskip 10\p@}% space that divides entry from number
+
+\def\@idxitem{\par\setbox0=\hbox{--\,--\,--\enspace}%
+ \hangindent\wd0\relax}
+
+\def\subitem{\par\noindent\setbox0=\hbox{--\enspace}% second order
+ \kern\wd0\setbox0=\hbox{--\,--\,--\enspace}%
+ \hangindent\wd0\relax}% indexentry
+
+\def\subsubitem{\par\noindent\setbox0=\hbox{--\,--\enspace}% third order
+ \kern\wd0\setbox0=\hbox{--\,--\,--\enspace}%
+ \hangindent\wd0\relax}% indexentry
+
+\def\indexspace{\par \vskip 10\p@ \@plus5\p@ \@minus3\p@\relax}
+
+\def\subtitle#1{\gdef\@subtitle{#1}}
+\def\@subtitle{}
+
+\def\maketitle{\par
+ \begingroup
+ \def\thefootnote{\fnsymbol{footnote}}%
+ \def\@makefnmark{\hbox
+ to\z@{$\m@th^{\@thefnmark}$\hss}}%
+ \if@twocolumn
+ \twocolumn[\@maketitle]%
+ \else \newpage
+ \global\@topnum\z@ % Prevents figures from going at top of page.
+ \@maketitle \fi\thispagestyle{empty}\@thanks
+ \par\penalty -\@M
+ \endgroup
+ \setcounter{footnote}{0}%
+ \let\maketitle\relax
+ \let\@maketitle\relax
+ \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
+
+\def\@maketitle{\newpage
+ \null
+ \vskip 2em % Vertical space above title.
+\begingroup
+ \def\and{\unskip, }
+ \parindent=\z@
+ \pretolerance=10000
+ \rightskip=\z@ \@plus 3cm
+ {\LARGE % each author set in \LARGE
+ \lineskip .5em
+ \@author
+ \par}%
+ \vskip 2cm % Vertical space after author.
+ {\Huge \@title \par}% % Title set in \Huge size.
+ \vskip 1cm % Vertical space after title.
+ \if!\@subtitle!\else
+ {\LARGE\ignorespaces\@subtitle \par}
+ \vskip 1cm % Vertical space after subtitle.
+ \fi
+ \if!\@date!\else
+ {\large \@date}% % Date set in \large size.
+ \par
+ \vskip 1.5em % Vertical space after date.
+ \fi
+ \vfill
+% {\Large Springer\par}
+%\vskip 5\p@
+%\large
+% Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
+% Hong\thinspace Kong\enspace London\\
+% Milan\enspace Paris\enspace Tokyo\par
+\endgroup}
+
+% Useful environments
+\newenvironment{acknowledgement}{\par\addvspace{17\p@}\small\rm
+\trivlist\item[\hskip\labelsep{\it\ackname}]}
+{\endtrivlist\addvspace{6\p@}}
+%
+\newenvironment{noteadd}{\par\addvspace{17\p@}\small\rm
+\trivlist\item[\hskip\labelsep{\it\noteaddname}]}
+{\endtrivlist\addvspace{6\p@}}
+%
+\renewenvironment{abstract}{%
+ \advance\topsep by0.35cm\relax\small
+ \labelwidth=\z@
+ \listparindent=\z@
+ \itemindent\listparindent
+ \trivlist\item[\hskip\labelsep\bfseries\abstractname]%
+ \if!\abstractname!\hskip-\labelsep\fi
+ }
+ {\endtrivlist}
+
+% define the running headings of a twoside text
+\def\runheadsize{\small}
+\def\runheadstyle{\rmfamily\upshape}
+\def\customizhead{\hspace{\headlineindent}}
+
+\def\ps@headings{\let\@mkboth\markboth
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\runheadsize\runheadstyle\rlap{\thepage}\customizhead
+ \leftmark\hfil}
+ \def\@oddhead{\runheadsize\runheadstyle\hfil\rightmark\customizhead
+ \llap{\thepage}}
+ \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
+ \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
+ \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
+ \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
+ \thesection\seccounterend\hskip\betweenumberspace\fi ##1}}}}
+
+\def\ps@myheadings{\let\@mkboth\@gobbletwo
+ \let\@oddfoot\@empty\let\@evenfoot\@empty
+ \def\@evenhead{\runheadsize\runheadstyle\rlap{\thepage}\customizhead
+ \leftmark\hfil}
+ \def\@oddhead{\runheadsize\runheadstyle\hfil\rightmark\customizhead
+ \llap{\thepage}}
+ \let\chaptermark\@gobble
+ \let\sectionmark\@gobble
+ \let\subsectionmark\@gobble}
+
+
+\ps@headings
+
+\endinput
+%end of file svmono.cls
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ROOT Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,387 @@
+session Classes (doc) in "Classes" = HOL +
+ options [document_variants = "classes"]
+ theories [document = false] Setup
+ theories Classes
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/build"
+ "document/root.tex"
+ "document/style.sty"
+
+session Codegen (doc) in "Codegen" = "HOL-Library" +
+ options [document_variants = "codegen", print_mode = "no_brackets,iff"]
+ theories [document = false] Setup
+ theories
+ Introduction
+ Foundations
+ Refinement
+ Inductive_Predicate
+ Evaluation
+ Adaptation
+ Further
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/adapt.tex"
+ "document/architecture.tex"
+ "document/build"
+ "document/root.tex"
+ "document/style.sty"
+
+session Functions (doc) in "Functions" = HOL +
+ options [document_variants = "functions"]
+ theories Functions
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../isar.sty"
+ "../manual.bib"
+ "document/build"
+ "document/conclusion.tex"
+ "document/intro.tex"
+ "document/mathpartir.sty"
+ "document/root.tex"
+ "document/style.sty"
+
+session Intro (doc) in "Intro" = Pure +
+ options [document_variants = "intro"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../manual.bib"
+ "document/build"
+ "document/root.tex"
+
+session IsarImplementation (doc) in "IsarImplementation" = HOL +
+ options [document_variants = "implementation"]
+ theories
+ Eq
+ Integration
+ Isar
+ Local_Theory
+ Logic
+ ML
+ Prelim
+ Proof
+ Syntax
+ Tactic
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../isar.sty"
+ "../proof.sty"
+ "../underscore.sty"
+ "../ttbox.sty"
+ "../manual.bib"
+ "document/build"
+ "document/root.tex"
+ "document/style.sty"
+
+session IsarRef (doc) in "IsarRef" = HOL +
+ options [document_variants = "isar-ref", quick_and_dirty, thy_output_source]
+ theories
+ Preface
+ Synopsis
+ Framework
+ First_Order_Logic
+ Outer_Syntax
+ Document_Preparation
+ Spec
+ Proof
+ Inner_Syntax
+ Misc
+ Generic
+ HOL_Specific
+ Quick_Reference
+ Symbols
+ ML_Tactic
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../isar.sty"
+ "../manual.bib"
+ "document/build"
+ "document/isar-vm.eps"
+ "document/isar-vm.pdf"
+ "document/isar-vm.svg"
+ "document/root.tex"
+ "document/showsymbols"
+ "document/style.sty"
+
+session LaTeXsugar (doc) in "LaTeXsugar" = HOL +
+ options [document_variants = "sugar"]
+ theories [document = ""]
+ "~~/src/HOL/Library/LaTeXsugar"
+ "~~/src/HOL/Library/OptionalSugar"
+ theories Sugar
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/build"
+ "document/mathpartir.sty"
+ "document/root.bib"
+ "document/root.tex"
+
+session Locales (doc) in "Locales" = HOL +
+ options [document_variants = "locales", pretty_margin = 65]
+ theories
+ Examples1
+ Examples2
+ Examples3
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/build"
+ "document/root.tex"
+
+session Logics (doc) in "Logics" = Pure +
+ options [document_variants = "logics"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../manual.bib"
+ "document/build"
+ "document/root.tex"
+
+session "Logics-HOL" (doc) in "HOL" = Pure +
+ options [document_variants = "logics-HOL"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../manual.bib"
+ "../Logics/document/syntax.tex"
+ "document/build"
+ "document/root.tex"
+
+session "Logics-ZF" (doc) in "ZF" = ZF +
+ options [document_variants = "logics-ZF", print_mode = "brackets",
+ thy_output_source]
+ theories
+ IFOL_examples
+ FOL_examples
+ ZF_examples
+ If
+ ZF_Isar
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../isar.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../manual.bib"
+ "../Logics/document/syntax.tex"
+ "document/build"
+ "document/root.tex"
+
+session Main (doc) in "Main" = HOL +
+ options [document_variants = "main"]
+ theories Main_Doc
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/build"
+ "document/root.tex"
+
+session Nitpick (doc) in "Nitpick" = Pure +
+ options [document_variants = "nitpick"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../manual.bib"
+ "document/build"
+ "document/root.tex"
+
+session ProgProve (doc) in "ProgProve" = HOL +
+ options [document_variants = "prog-prove", show_question_marks = false]
+ theories
+ Basics
+ Bool_nat_list
+ MyList
+ Types_and_funs
+ Logic
+ Isar
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "document/bang.eps"
+ "document/bang.pdf"
+ "document/build"
+ "document/intro-isabelle.tex"
+ "document/mathpartir.sty"
+ "document/prelude.tex"
+ "document/root.bib"
+ "document/root.tex"
+ "document/svmono.cls"
+
+session Ref (doc) in "Ref" = Pure +
+ options [document_variants = "ref"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../proof.sty"
+ "../manual.bib"
+ "document/build"
+ "document/classical.tex"
+ "document/root.tex"
+ "document/simplifier.tex"
+ "document/substitution.tex"
+ "document/syntax.tex"
+ "document/tactic.tex"
+ "document/thm.tex"
+
+session Sledgehammer (doc) in "Sledgehammer" = Pure +
+ options [document_variants = "sledgehammer"]
+ theories
+ files
+ "../prepare_document"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../manual.bib"
+ "document/build"
+ "document/root.tex"
+
+session System (doc) in "System" = Pure +
+ options [document_variants = "system", thy_output_source]
+ theories
+ Basics
+ Interfaces
+ Sessions
+ Presentation
+ Scala
+ Misc
+ files
+ "../prepare_document"
+ "../IsarRef/document/style.sty"
+ "../pdfsetup.sty"
+ "../iman.sty"
+ "../extra.sty"
+ "../ttbox.sty"
+ "../isar.sty"
+ "../underscore.sty"
+ "../manual.bib"
+ "document/browser_screenshot.eps"
+ "document/browser_screenshot.png"
+ "document/build"
+ "document/root.tex"
+
+session Tutorial (doc) in "Tutorial" = HOL +
+ options [document_variants = "tutorial", print_mode = "brackets"]
+ theories [thy_output_indent = 5]
+ "ToyList/ToyList"
+ "Ifexpr/Ifexpr"
+ "CodeGen/CodeGen"
+ "Trie/Trie"
+ "Datatype/ABexpr"
+ "Datatype/unfoldnested"
+ "Datatype/Nested"
+ "Datatype/Fundata"
+ "Fun/fun0"
+ "Advanced/simp2"
+ "CTL/PDL"
+ "CTL/CTL"
+ "CTL/CTLind"
+ "Inductive/Even"
+ "Inductive/Mutual"
+ "Inductive/Star"
+ "Inductive/AB"
+ "Inductive/Advanced"
+ "Misc/Tree"
+ "Misc/Tree2"
+ "Misc/Plus"
+ "Misc/case_exprs"
+ "Misc/fakenat"
+ "Misc/natsum"
+ "Misc/pairs2"
+ "Misc/Option2"
+ "Misc/types"
+ "Misc/prime_def"
+ "Misc/simp"
+ "Misc/Itrev"
+ "Misc/AdvancedInd"
+ "Misc/appendix"
+ theories
+ "Protocol/NS_Public"
+ "Documents/Documents"
+ theories [document = ""]
+ "Types/Setup"
+ theories [pretty_margin = 64, thy_output_indent = 0]
+ "Types/Numbers"
+ "Types/Pairs"
+ "Types/Records"
+ "Types/Typedefs"
+ "Types/Overloading"
+ "Types/Axioms"
+ "Rules/Basic"
+ "Rules/Blast"
+ "Rules/Force"
+ theories [pretty_margin = 64, thy_output_indent = 5]
+ "Rules/Primes"
+ "Rules/Forward"
+ "Rules/Tacticals"
+ "Rules/find2"
+ "Sets/Examples"
+ "Sets/Functions"
+ "Sets/Relations"
+ "Sets/Recur"
+ files
+ "ToyList/ToyList1"
+ "ToyList/ToyList2"
+ "../pdfsetup.sty"
+ "../proof.sty"
+ "../ttbox.sty"
+ "../manual.bib"
+ "document/advanced0.tex"
+ "document/appendix0.tex"
+ "document/basics.tex"
+ "document/build"
+ "document/cl2emono-modified.sty"
+ "document/ctl0.tex"
+ "document/documents0.tex"
+ "document/fp.tex"
+ "document/inductive0.tex"
+ "document/isa-index"
+ "document/Isa-logics.eps"
+ "document/Isa-logics.pdf"
+ "document/numerics.tex"
+ "document/pghead.eps"
+ "document/pghead.pdf"
+ "document/preface.tex"
+ "document/protocol.tex"
+ "document/root.tex"
+ "document/rules.tex"
+ "document/sets.tex"
+ "document/tutorial.sty"
+ "document/typedef.pdf"
+ "document/typedef.ps"
+ "document/types0.tex"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/abstract.txt Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+Isabelle Reference Manual. Report 283
+
+This manual is a comprehensive description of Isabelle, including all
+commands, functions and packages. Functions are organized according to the
+task they perform. In each section, basic functions appear before advanced
+ones. The Index provides an alphabetical listing. It is intended as a
+reference, not for casual reading. The manual assumes familiarity with the
+basic concepts explained in Report 280, Introduction to Isabelle.
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle.pdf ""
+"$ISABELLE_TOOL" logo -o isabelle.eps ""
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/classical.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,224 @@
+
+\chapter{The Classical Reasoner}\label{chap:classical}
+\index{classical reasoner|(}
+\newcommand\ainfer[2]{\begin{array}{r@{\,}l}#2\\ \hline#1\end{array}}
+
+\section{Classical rule sets}
+\index{classical sets}
+
+For elimination and destruction rules there are variants of the add operations
+adding a rule in a way such that it is applied only if also its second premise
+can be unified with an assumption of the current proof state:
+\indexbold{*addSE2}\indexbold{*addSD2}\indexbold{*addE2}\indexbold{*addD2}
+\begin{ttbox}
+addSE2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
+addSD2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
+addE2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
+addD2 : claset * (string * thm) -> claset \hfill{\bf infix 4}
+\end{ttbox}
+\begin{warn}
+ A rule to be added in this special way must be given a name, which is used
+ to delete it again -- when desired -- using \texttt{delSWrappers} or
+ \texttt{delWrappers}, respectively. This is because these add operations
+ are implemented as wrappers (see \ref{sec:modifying-search} below).
+\end{warn}
+
+
+\subsection{Modifying the search step}
+\label{sec:modifying-search}
+For a given classical set, the proof strategy is simple. Perform as many safe
+inferences as possible; or else, apply certain safe rules, allowing
+instantiation of unknowns; or else, apply an unsafe rule. The tactics also
+eliminate assumptions of the form $x=t$ by substitution if they have been set
+up to do so (see \texttt{hyp_subst_tacs} in~{\S}\ref{sec:classical-setup} below).
+They may perform a form of Modus Ponens: if there are assumptions $P\imp Q$
+and~$P$, then replace $P\imp Q$ by~$Q$.
+
+The classical reasoning tactics --- except \texttt{blast_tac}! --- allow
+you to modify this basic proof strategy by applying two lists of arbitrary
+{\bf wrapper tacticals} to it.
+The first wrapper list, which is considered to contain safe wrappers only,
+affects \ttindex{safe_step_tac} and all the tactics that call it.
+The second one, which may contain unsafe wrappers, affects the unsafe parts
+of \ttindex{step_tac}, \ttindex{slow_step_tac}, and the tactics that call them.
+A wrapper transforms each step of the search, for example
+by attempting other tactics before or after the original step tactic.
+All members of a wrapper list are applied in turn to the respective step tactic.
+
+Initially the two wrapper lists are empty, which means no modification of the
+step tactics. Safe and unsafe wrappers are added to a claset
+with the functions given below, supplying them with wrapper names.
+These names may be used to selectively delete wrappers.
+
+\begin{ttbox}
+type wrapper = (int -> tactic) -> (int -> tactic);
+
+addSWrapper : claset * (string * wrapper ) -> claset \hfill{\bf infix 4}
+addSbefore : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
+addSafter : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
+delSWrapper : claset * string -> claset \hfill{\bf infix 4}
+
+addWrapper : claset * (string * wrapper ) -> claset \hfill{\bf infix 4}
+addbefore : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
+addafter : claset * (string * (int -> tactic)) -> claset \hfill{\bf infix 4}
+delWrapper : claset * string -> claset \hfill{\bf infix 4}
+
+addSss : claset * simpset -> claset \hfill{\bf infix 4}
+addss : claset * simpset -> claset \hfill{\bf infix 4}
+\end{ttbox}
+%
+
+\begin{ttdescription}
+\item[$cs$ addSWrapper $(name,wrapper)$] \indexbold{*addSWrapper}
+adds a new wrapper, which should yield a safe tactic,
+to modify the existing safe step tactic.
+
+\item[$cs$ addSbefore $(name,tac)$] \indexbold{*addSbefore}
+adds the given tactic as a safe wrapper, such that it is tried
+{\em before} each safe step of the search.
+
+\item[$cs$ addSafter $(name,tac)$] \indexbold{*addSafter}
+adds the given tactic as a safe wrapper, such that it is tried
+when a safe step of the search would fail.
+
+\item[$cs$ delSWrapper $name$] \indexbold{*delSWrapper}
+deletes the safe wrapper with the given name.
+
+\item[$cs$ addWrapper $(name,wrapper)$] \indexbold{*addWrapper}
+adds a new wrapper to modify the existing (unsafe) step tactic.
+
+\item[$cs$ addbefore $(name,tac)$] \indexbold{*addbefore}
+adds the given tactic as an unsafe wrapper, such that it its result is
+concatenated {\em before} the result of each unsafe step.
+
+\item[$cs$ addafter $(name,tac)$] \indexbold{*addafter}
+adds the given tactic as an unsafe wrapper, such that it its result is
+concatenated {\em after} the result of each unsafe step.
+
+\item[$cs$ delWrapper $name$] \indexbold{*delWrapper}
+deletes the unsafe wrapper with the given name.
+
+\item[$cs$ addSss $ss$] \indexbold{*addss}
+adds the simpset~$ss$ to the classical set. The assumptions and goal will be
+simplified, in a rather safe way, after each safe step of the search.
+
+\item[$cs$ addss $ss$] \indexbold{*addss}
+adds the simpset~$ss$ to the classical set. The assumptions and goal will be
+simplified, before the each unsafe step of the search.
+
+\end{ttdescription}
+
+\index{simplification!from classical reasoner}
+Strictly speaking, the operators \texttt{addss} and \texttt{addSss}
+are not part of the classical reasoner.
+, which are used as primitives
+for the automatic tactics described in {\S}\ref{sec:automatic-tactics}, are
+implemented as wrapper tacticals.
+they
+\begin{warn}
+Being defined as wrappers, these operators are inappropriate for adding more
+than one simpset at a time: the simpset added last overwrites any earlier ones.
+When a simpset combined with a claset is to be augmented, this should done
+{\em before} combining it with the claset.
+\end{warn}
+
+
+\section{The classical tactics}
+
+\subsection{Other classical tactics}
+\begin{ttbox}
+slow_best_tac : claset -> int -> tactic
+\end{ttbox}
+
+\begin{ttdescription}
+\item[\ttindexbold{slow_best_tac} $cs$ $i$] applies \texttt{slow_step_tac} with
+best-first search to prove subgoal~$i$.
+\end{ttdescription}
+
+
+\subsection{Other useful tactics}
+\index{tactics!for contradiction}
+\index{tactics!for Modus Ponens}
+\begin{ttbox}
+contr_tac : int -> tactic
+mp_tac : int -> tactic
+eq_mp_tac : int -> tactic
+swap_res_tac : thm list -> int -> tactic
+\end{ttbox}
+These can be used in the body of a specialized search.
+\begin{ttdescription}
+\item[\ttindexbold{contr_tac} {\it i}]\index{assumptions!contradictory}
+ solves subgoal~$i$ by detecting a contradiction among two assumptions of
+ the form $P$ and~$\neg P$, or fail. It may instantiate unknowns. The
+ tactic can produce multiple outcomes, enumerating all possible
+ contradictions.
+
+\item[\ttindexbold{mp_tac} {\it i}]
+is like \texttt{contr_tac}, but also attempts to perform Modus Ponens in
+subgoal~$i$. If there are assumptions $P\imp Q$ and~$P$, then it replaces
+$P\imp Q$ by~$Q$. It may instantiate unknowns. It fails if it can do
+nothing.
+
+\item[\ttindexbold{eq_mp_tac} {\it i}]
+is like \texttt{mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
+is safe.
+
+\item[\ttindexbold{swap_res_tac} {\it thms} {\it i}] refines subgoal~$i$ of
+the proof state using {\it thms}, which should be a list of introduction
+rules. First, it attempts to prove the goal using \texttt{assume_tac} or
+\texttt{contr_tac}. It then attempts to apply each rule in turn, attempting
+resolution and also elim-resolution with the swapped form.
+\end{ttdescription}
+
+
+\section{Setting up the classical reasoner}\label{sec:classical-setup}
+\index{classical reasoner!setting up}
+Isabelle's classical object-logics, including \texttt{FOL} and \texttt{HOL},
+have the classical reasoner already set up.
+When defining a new classical logic, you should set up the reasoner yourself.
+It consists of the \ML{} functor \ttindex{ClassicalFun}, which takes the
+argument signature \texttt{CLASSICAL_DATA}:
+\begin{ttbox}
+signature CLASSICAL_DATA =
+ sig
+ val mp : thm
+ val not_elim : thm
+ val swap : thm
+ val sizef : thm -> int
+ val hyp_subst_tacs : (int -> tactic) list
+ end;
+\end{ttbox}
+Thus, the functor requires the following items:
+\begin{ttdescription}
+\item[\tdxbold{mp}] should be the Modus Ponens rule
+$\List{\Var{P}\imp\Var{Q};\; \Var{P}} \Imp \Var{Q}$.
+
+\item[\tdxbold{not_elim}] should be the contradiction rule
+$\List{\neg\Var{P};\; \Var{P}} \Imp \Var{R}$.
+
+\item[\tdxbold{swap}] should be the swap rule
+$\List{\neg \Var{P}; \; \neg \Var{R}\Imp \Var{P}} \Imp \Var{R}$.
+
+\item[\ttindexbold{sizef}] is the heuristic function used for best-first
+search. It should estimate the size of the remaining subgoals. A good
+heuristic function is \ttindex{size_of_thm}, which measures the size of the
+proof state. Another size function might ignore certain subgoals (say,
+those concerned with type-checking). A heuristic function might simply
+count the subgoals.
+
+\item[\ttindexbold{hyp_subst_tacs}] is a list of tactics for substitution in
+the hypotheses, typically created by \ttindex{HypsubstFun} (see
+Chapter~\ref{substitution}). This list can, of course, be empty. The
+tactics are assumed to be safe!
+\end{ttdescription}
+The functor is not at all sensitive to the formalization of the
+object-logic. It does not even examine the rules, but merely applies
+them according to its fixed strategy. The functor resides in {\tt
+ Provers/classical.ML} in the Isabelle sources.
+
+\index{classical reasoner|)}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,65 @@
+\documentclass[12pt,a4paper]{report}
+\usepackage{graphicx,iman,extra,ttbox,proof,pdfsetup}
+
+%%% to index ids: \[\\tt \([a-zA-Z0-9][a-zA-Z0-9_'.]*\) [\\ttindexbold{\1}
+%%% to delete old ones: \\indexbold{\*[^}]*}
+%% run sedindex ref to prepare index file
+%%% needs chapter on Provers/typedsimp.ML?
+\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] Old Isabelle Reference Manual}
+
+\author{{\em Lawrence C. Paulson}\\
+ Computer Laboratory \\ University of Cambridge \\
+ \texttt{lcp@cl.cam.ac.uk}\\[3ex]
+ With Contributions by Tobias Nipkow and Markus Wenzel}
+
+\makeindex
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2}
+
+\pagestyle{headings}
+\sloppy
+\binperiod %%%treat . like a binary operator
+
+\begin{document}
+\underscoreoff
+
+\index{definitions|see{rewriting, meta-level}}
+\index{rewriting!object-level|see{simplification}}
+\index{meta-rules|see{meta-rules}}
+
+\maketitle
+\emph{Note}: this document is part of the earlier Isabelle
+documentation and is mostly outdated. Fully obsolete parts of the
+original text have already been removed. The remaining material
+covers some aspects that did not make it into the newer manuals yet.
+
+\subsubsection*{Acknowledgements}
+Tobias Nipkow, of T. U. Munich, wrote most of
+ Chapters~\protect\ref{Defining-Logics} and~\protect\ref{chap:simplification}.
+ Markus Wenzel contributed to Chapter~\protect\ref{chap:syntax}.
+ Jeremy Dawson, Sara Kalvala, Martin
+ Simons and others suggested changes
+ and corrections. The research has been funded by the EPSRC (grants
+ GR/G53279, GR/H40570, GR/K57381, GR/K77051, GR/M75440) and by ESPRIT
+ (projects 3245: Logical Frameworks, and 6453: Types), and by the DFG
+ Schwerpunktprogramm \emph{Deduktion}.
+
+\pagenumbering{roman} \tableofcontents \clearfirst
+
+\input{tactic}
+\input{thm}
+\input{syntax}
+\input{substitution}
+\input{simplifier}
+\input{classical}
+
+%%seealso's must be last so that they appear last in the index entries
+\index{meta-rewriting|seealso{tactics, theorems}}
+
+\begingroup
+ \bibliographystyle{plain} \small\raggedright\frenchspacing
+ \bibliography{manual}
+\endgroup
+
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/simplifier.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1032 @@
+
+\chapter{Simplification}
+\label{chap:simplification}
+\index{simplification|(}
+
+This chapter describes Isabelle's generic simplification package. It performs
+conditional and unconditional rewriting and uses contextual information
+(`local assumptions'). It provides several general hooks, which can provide
+automatic case splits during rewriting, for example. The simplifier is
+already set up for many of Isabelle's logics: FOL, ZF, HOL, HOLCF.
+
+The first section is a quick introduction to the simplifier that
+should be sufficient to get started. The later sections explain more
+advanced features.
+
+
+\section{Simplification for dummies}
+\label{sec:simp-for-dummies}
+
+Basic use of the simplifier is particularly easy because each theory
+is equipped with sensible default information controlling the rewrite
+process --- namely the implicit {\em current
+ simpset}\index{simpset!current}. A suite of simple commands is
+provided that refer to the implicit simpset of the current theory
+context.
+
+\begin{warn}
+ Make sure that you are working within the correct theory context.
+ Executing proofs interactively, or loading them from ML files
+ without associated theories may require setting the current theory
+ manually via the \ttindex{context} command.
+\end{warn}
+
+\subsection{Simplification tactics} \label{sec:simp-for-dummies-tacs}
+\begin{ttbox}
+Simp_tac : int -> tactic
+Asm_simp_tac : int -> tactic
+Full_simp_tac : int -> tactic
+Asm_full_simp_tac : int -> tactic
+trace_simp : bool ref \hfill{\bf initially false}
+debug_simp : bool ref \hfill{\bf initially false}
+\end{ttbox}
+
+\begin{ttdescription}
+\item[\ttindexbold{Simp_tac} $i$] simplifies subgoal~$i$ using the
+ current simpset. It may solve the subgoal completely if it has
+ become trivial, using the simpset's solver tactic.
+
+\item[\ttindexbold{Asm_simp_tac}]\index{assumptions!in simplification}
+ is like \verb$Simp_tac$, but extracts additional rewrite rules from
+ the local assumptions.
+
+\item[\ttindexbold{Full_simp_tac}] is like \verb$Simp_tac$, but also
+ simplifies the assumptions (without using the assumptions to
+ simplify each other or the actual goal).
+
+\item[\ttindexbold{Asm_full_simp_tac}] is like \verb$Asm_simp_tac$,
+ but also simplifies the assumptions. In particular, assumptions can
+ simplify each other.
+\footnote{\texttt{Asm_full_simp_tac} used to process the assumptions from
+ left to right. For backwards compatibilty reasons only there is now
+ \texttt{Asm_lr_simp_tac} that behaves like the old \texttt{Asm_full_simp_tac}.}
+\item[set \ttindexbold{trace_simp};] makes the simplifier output internal
+ operations. This includes rewrite steps, but also bookkeeping like
+ modifications of the simpset.
+\item[set \ttindexbold{debug_simp};] makes the simplifier output some extra
+ information about internal operations. This includes any attempted
+ invocation of simplification procedures.
+\end{ttdescription}
+
+\medskip
+
+As an example, consider the theory of arithmetic in HOL. The (rather trivial)
+goal $0 + (x + 0) = x + 0 + 0$ can be solved by a single call of
+\texttt{Simp_tac} as follows:
+\begin{ttbox}
+context Arith.thy;
+Goal "0 + (x + 0) = x + 0 + 0";
+{\out 1. 0 + (x + 0) = x + 0 + 0}
+by (Simp_tac 1);
+{\out Level 1}
+{\out 0 + (x + 0) = x + 0 + 0}
+{\out No subgoals!}
+\end{ttbox}
+
+The simplifier uses the current simpset of \texttt{Arith.thy}, which
+contains suitable theorems like $\Var{n}+0 = \Var{n}$ and $0+\Var{n} =
+\Var{n}$.
+
+\medskip In many cases, assumptions of a subgoal are also needed in
+the simplification process. For example, \texttt{x = 0 ==> x + x = 0}
+is solved by \texttt{Asm_simp_tac} as follows:
+\begin{ttbox}
+{\out 1. x = 0 ==> x + x = 0}
+by (Asm_simp_tac 1);
+\end{ttbox}
+
+\medskip \texttt{Asm_full_simp_tac} is the most powerful of this quartet
+of tactics but may also loop where some of the others terminate. For
+example,
+\begin{ttbox}
+{\out 1. ALL x. f x = g (f (g x)) ==> f 0 = f 0 + 0}
+\end{ttbox}
+is solved by \texttt{Simp_tac}, but \texttt{Asm_simp_tac} and {\tt
+ Asm_full_simp_tac} loop because the rewrite rule $f\,\Var{x} =
+g\,(f\,(g\,\Var{x}))$ extracted from the assumption does not
+terminate. Isabelle notices certain simple forms of nontermination,
+but not this one. Because assumptions may simplify each other, there can be
+very subtle cases of nontermination. For example, invoking
+{\tt Asm_full_simp_tac} on
+\begin{ttbox}
+{\out 1. [| P (f x); y = x; f x = f y |] ==> Q}
+\end{ttbox}
+gives rise to the infinite reduction sequence
+\[
+P\,(f\,x) \stackrel{f\,x = f\,y}{\longmapsto} P\,(f\,y) \stackrel{y = x}{\longmapsto}
+P\,(f\,x) \stackrel{f\,x = f\,y}{\longmapsto} \cdots
+\]
+whereas applying the same tactic to
+\begin{ttbox}
+{\out 1. [| y = x; f x = f y; P (f x) |] ==> Q}
+\end{ttbox}
+terminates.
+
+\medskip
+
+Using the simplifier effectively may take a bit of experimentation.
+Set the \verb$trace_simp$\index{tracing!of simplification} flag to get
+a better idea of what is going on. The resulting output can be
+enormous, especially since invocations of the simplifier are often
+nested (e.g.\ when solving conditions of rewrite rules).
+
+
+\subsection{Modifying the current simpset}
+\begin{ttbox}
+Addsimps : thm list -> unit
+Delsimps : thm list -> unit
+Addsimprocs : simproc list -> unit
+Delsimprocs : simproc list -> unit
+Addcongs : thm list -> unit
+Delcongs : thm list -> unit
+Addsplits : thm list -> unit
+Delsplits : thm list -> unit
+\end{ttbox}
+
+Depending on the theory context, the \texttt{Add} and \texttt{Del}
+functions manipulate basic components of the associated current
+simpset. Internally, all rewrite rules have to be expressed as
+(conditional) meta-equalities. This form is derived automatically
+from object-level equations that are supplied by the user. Another
+source of rewrite rules are \emph{simplification procedures}, that is
+\ML\ functions that produce suitable theorems on demand, depending on
+the current redex. Congruences are a more advanced feature; see
+{\S}\ref{sec:simp-congs}.
+
+\begin{ttdescription}
+
+\item[\ttindexbold{Addsimps} $thms$;] adds rewrite rules derived from
+ $thms$ to the current simpset.
+
+\item[\ttindexbold{Delsimps} $thms$;] deletes rewrite rules derived
+ from $thms$ from the current simpset.
+
+\item[\ttindexbold{Addsimprocs} $procs$;] adds simplification
+ procedures $procs$ to the current simpset.
+
+\item[\ttindexbold{Delsimprocs} $procs$;] deletes simplification
+ procedures $procs$ from the current simpset.
+
+\item[\ttindexbold{Addcongs} $thms$;] adds congruence rules to the
+ current simpset.
+
+\item[\ttindexbold{Delcongs} $thms$;] deletes congruence rules from the
+ current simpset.
+
+\item[\ttindexbold{Addsplits} $thms$;] adds splitting rules to the
+ current simpset.
+
+\item[\ttindexbold{Delsplits} $thms$;] deletes splitting rules from the
+ current simpset.
+
+\end{ttdescription}
+
+When a new theory is built, its implicit simpset is initialized by the union
+of the respective simpsets of its parent theories. In addition, certain
+theory definition constructs (e.g.\ \ttindex{datatype} and \ttindex{primrec}
+in HOL) implicitly augment the current simpset. Ordinary definitions are not
+added automatically!
+
+It is up the user to manipulate the current simpset further by
+explicitly adding or deleting theorems and simplification procedures.
+
+\medskip
+
+Good simpsets are hard to design. Rules that obviously simplify,
+like $\Var{n}+0 = \Var{n}$, should be added to the current simpset right after
+they have been proved. More specific ones (such as distributive laws, which
+duplicate subterms) should be added only for specific proofs and deleted
+afterwards. Conversely, sometimes a rule needs
+to be removed for a certain proof and restored afterwards. The need of
+frequent additions or deletions may indicate a badly designed
+simpset.
+
+\begin{warn}
+ The union of the parent simpsets (as described above) is not always
+ a good starting point for the new theory. If some ancestors have
+ deleted simplification rules because they are no longer wanted,
+ while others have left those rules in, then the union will contain
+ the unwanted rules. After this union is formed, changes to
+ a parent simpset have no effect on the child simpset.
+\end{warn}
+
+
+\section{Simplification sets}\index{simplification sets}
+
+The simplifier is controlled by information contained in {\bf
+ simpsets}. These consist of several components, including rewrite
+rules, simplification procedures, congruence rules, and the subgoaler,
+solver and looper tactics. The simplifier should be set up with
+sensible defaults so that most simplifier calls specify only rewrite
+rules or simplification procedures. Experienced users can exploit the
+other components to streamline proofs in more sophisticated manners.
+
+\subsection{Inspecting simpsets}
+\begin{ttbox}
+print_ss : simpset -> unit
+rep_ss : simpset -> \{mss : meta_simpset,
+ subgoal_tac: simpset -> int -> tactic,
+ loop_tacs : (string * (int -> tactic))list,
+ finish_tac : solver list,
+ unsafe_finish_tac : solver list\}
+\end{ttbox}
+\begin{ttdescription}
+
+\item[\ttindexbold{print_ss} $ss$;] displays the printable contents of
+ simpset $ss$. This includes the rewrite rules and congruences in
+ their internal form expressed as meta-equalities. The names of the
+ simplification procedures and the patterns they are invoked on are
+ also shown. The other parts, functions and tactics, are
+ non-printable.
+
+\item[\ttindexbold{rep_ss} $ss$;] decomposes $ss$ as a record of its internal
+ components, namely the meta_simpset, the subgoaler, the loop, and the safe
+ and unsafe solvers.
+
+\end{ttdescription}
+
+
+\subsection{Building simpsets}
+\begin{ttbox}
+empty_ss : simpset
+merge_ss : simpset * simpset -> simpset
+\end{ttbox}
+\begin{ttdescription}
+
+\item[\ttindexbold{empty_ss}] is the empty simpset. This is not very useful
+ under normal circumstances because it doesn't contain suitable tactics
+ (subgoaler etc.). When setting up the simplifier for a particular
+ object-logic, one will typically define a more appropriate ``almost empty''
+ simpset. For example, in HOL this is called \ttindexbold{HOL_basic_ss}.
+
+\item[\ttindexbold{merge_ss} ($ss@1$, $ss@2$)] merges simpsets $ss@1$
+ and $ss@2$ by building the union of their respective rewrite rules,
+ simplification procedures and congruences. The other components
+ (tactics etc.) cannot be merged, though; they are taken from either
+ simpset\footnote{Actually from $ss@1$, but it would unwise to count
+ on that.}.
+
+\end{ttdescription}
+
+
+\subsection{Rewrite rules}
+\begin{ttbox}
+addsimps : simpset * thm list -> simpset \hfill{\bf infix 4}
+delsimps : simpset * thm list -> simpset \hfill{\bf infix 4}
+\end{ttbox}
+
+\index{rewrite rules|(} Rewrite rules are theorems expressing some
+form of equality, for example:
+\begin{eqnarray*}
+ Suc(\Var{m}) + \Var{n} &=& \Var{m} + Suc(\Var{n}) \\
+ \Var{P}\conj\Var{P} &\bimp& \Var{P} \\
+ \Var{A} \un \Var{B} &\equiv& \{x.x\in \Var{A} \disj x\in \Var{B}\}
+\end{eqnarray*}
+Conditional rewrites such as $\Var{m}<\Var{n} \Imp \Var{m}/\Var{n} =
+0$ are also permitted; the conditions can be arbitrary formulas.
+
+Internally, all rewrite rules are translated into meta-equalities,
+theorems with conclusion $lhs \equiv rhs$. Each simpset contains a
+function for extracting equalities from arbitrary theorems. For
+example, $\neg(\Var{x}\in \{\})$ could be turned into $\Var{x}\in \{\}
+\equiv False$. This function can be installed using
+\ttindex{setmksimps} but only the definer of a logic should need to do
+this; see {\S}\ref{sec:setmksimps}. The function processes theorems
+added by \texttt{addsimps} as well as local assumptions.
+
+\begin{ttdescription}
+
+\item[$ss$ \ttindexbold{addsimps} $thms$] adds rewrite rules derived
+ from $thms$ to the simpset $ss$.
+
+\item[$ss$ \ttindexbold{delsimps} $thms$] deletes rewrite rules
+ derived from $thms$ from the simpset $ss$.
+
+\end{ttdescription}
+
+\begin{warn}
+ The simplifier will accept all standard rewrite rules: those where
+ all unknowns are of base type. Hence ${\Var{i}+(\Var{j}+\Var{k})} =
+ {(\Var{i}+\Var{j})+\Var{k}}$ is OK.
+
+ It will also deal gracefully with all rules whose left-hand sides
+ are so-called {\em higher-order patterns}~\cite{nipkow-patterns}.
+ \indexbold{higher-order pattern}\indexbold{pattern, higher-order}
+ These are terms in $\beta$-normal form (this will always be the case
+ unless you have done something strange) where each occurrence of an
+ unknown is of the form $\Var{F}(x@1,\dots,x@n)$, where the $x@i$ are
+ distinct bound variables. Hence $(\forall x.\Var{P}(x) \land
+ \Var{Q}(x)) \bimp (\forall x.\Var{P}(x)) \land (\forall
+ x.\Var{Q}(x))$ is also OK, in both directions.
+
+ In some rare cases the rewriter will even deal with quite general
+ rules: for example ${\Var{f}(\Var{x})\in range(\Var{f})} = True$
+ rewrites $g(a) \in range(g)$ to $True$, but will fail to match
+ $g(h(b)) \in range(\lambda x.g(h(x)))$. However, you can replace
+ the offending subterms (in our case $\Var{f}(\Var{x})$, which is not
+ a pattern) by adding new variables and conditions: $\Var{y} =
+ \Var{f}(\Var{x}) \Imp \Var{y}\in range(\Var{f}) = True$ is
+ acceptable as a conditional rewrite rule since conditions can be
+ arbitrary terms.
+
+ There is basically no restriction on the form of the right-hand
+ sides. They may not contain extraneous term or type variables,
+ though.
+\end{warn}
+\index{rewrite rules|)}
+
+
+\subsection{*The subgoaler}\label{sec:simp-subgoaler}
+\begin{ttbox}
+setsubgoaler :
+ simpset * (simpset -> int -> tactic) -> simpset \hfill{\bf infix 4}
+prems_of_ss : simpset -> thm list
+\end{ttbox}
+
+The subgoaler is the tactic used to solve subgoals arising out of
+conditional rewrite rules or congruence rules. The default should be
+simplification itself. Occasionally this strategy needs to be
+changed. For example, if the premise of a conditional rule is an
+instance of its conclusion, as in $Suc(\Var{m}) < \Var{n} \Imp \Var{m}
+< \Var{n}$, the default strategy could loop.
+
+\begin{ttdescription}
+
+\item[$ss$ \ttindexbold{setsubgoaler} $tacf$] sets the subgoaler of
+ $ss$ to $tacf$. The function $tacf$ will be applied to the current
+ simplifier context expressed as a simpset.
+
+\item[\ttindexbold{prems_of_ss} $ss$] retrieves the current set of
+ premises from simplifier context $ss$. This may be non-empty only
+ if the simplifier has been told to utilize local assumptions in the
+ first place, e.g.\ if invoked via \texttt{asm_simp_tac}.
+
+\end{ttdescription}
+
+As an example, consider the following subgoaler:
+\begin{ttbox}
+fun subgoaler ss =
+ assume_tac ORELSE'
+ resolve_tac (prems_of_ss ss) ORELSE'
+ asm_simp_tac ss;
+\end{ttbox}
+This tactic first tries to solve the subgoal by assumption or by
+resolving with with one of the premises, calling simplification only
+if that fails.
+
+
+\subsection{*The solver}\label{sec:simp-solver}
+\begin{ttbox}
+mk_solver : string -> (thm list -> int -> tactic) -> solver
+setSolver : simpset * solver -> simpset \hfill{\bf infix 4}
+addSolver : simpset * solver -> simpset \hfill{\bf infix 4}
+setSSolver : simpset * solver -> simpset \hfill{\bf infix 4}
+addSSolver : simpset * solver -> simpset \hfill{\bf infix 4}
+\end{ttbox}
+
+A solver is a tactic that attempts to solve a subgoal after
+simplification. Typically it just proves trivial subgoals such as
+\texttt{True} and $t=t$. It could use sophisticated means such as {\tt
+ blast_tac}, though that could make simplification expensive.
+To keep things more abstract, solvers are packaged up in type
+\texttt{solver}. The only way to create a solver is via \texttt{mk_solver}.
+
+Rewriting does not instantiate unknowns. For example, rewriting
+cannot prove $a\in \Var{A}$ since this requires
+instantiating~$\Var{A}$. The solver, however, is an arbitrary tactic
+and may instantiate unknowns as it pleases. This is the only way the
+simplifier can handle a conditional rewrite rule whose condition
+contains extra variables. When a simplification tactic is to be
+combined with other provers, especially with the classical reasoner,
+it is important whether it can be considered safe or not. For this
+reason a simpset contains two solvers, a safe and an unsafe one.
+
+The standard simplification strategy solely uses the unsafe solver,
+which is appropriate in most cases. For special applications where
+the simplification process is not allowed to instantiate unknowns
+within the goal, simplification starts with the safe solver, but may
+still apply the ordinary unsafe one in nested simplifications for
+conditional rules or congruences. Note that in this way the overall
+tactic is not totally safe: it may instantiate unknowns that appear also
+in other subgoals.
+
+\begin{ttdescription}
+\item[\ttindexbold{mk_solver} $s$ $tacf$] converts $tacf$ into a new solver;
+ the string $s$ is only attached as a comment and has no other significance.
+
+\item[$ss$ \ttindexbold{setSSolver} $tacf$] installs $tacf$ as the
+ \emph{safe} solver of $ss$.
+
+\item[$ss$ \ttindexbold{addSSolver} $tacf$] adds $tacf$ as an
+ additional \emph{safe} solver; it will be tried after the solvers
+ which had already been present in $ss$.
+
+\item[$ss$ \ttindexbold{setSolver} $tacf$] installs $tacf$ as the
+ unsafe solver of $ss$.
+
+\item[$ss$ \ttindexbold{addSolver} $tacf$] adds $tacf$ as an
+ additional unsafe solver; it will be tried after the solvers which
+ had already been present in $ss$.
+
+\end{ttdescription}
+
+\medskip
+
+\index{assumptions!in simplification} The solver tactic is invoked
+with a list of theorems, namely assumptions that hold in the local
+context. This may be non-empty only if the simplifier has been told
+to utilize local assumptions in the first place, e.g.\ if invoked via
+\texttt{asm_simp_tac}. The solver is also presented the full goal
+including its assumptions in any case. Thus it can use these (e.g.\
+by calling \texttt{assume_tac}), even if the list of premises is not
+passed.
+
+\medskip
+
+As explained in {\S}\ref{sec:simp-subgoaler}, the subgoaler is also used
+to solve the premises of congruence rules. These are usually of the
+form $s = \Var{x}$, where $s$ needs to be simplified and $\Var{x}$
+needs to be instantiated with the result. Typically, the subgoaler
+will invoke the simplifier at some point, which will eventually call
+the solver. For this reason, solver tactics must be prepared to solve
+goals of the form $t = \Var{x}$, usually by reflexivity. In
+particular, reflexivity should be tried before any of the fancy
+tactics like \texttt{blast_tac}.
+
+It may even happen that due to simplification the subgoal is no longer
+an equality. For example $False \bimp \Var{Q}$ could be rewritten to
+$\neg\Var{Q}$. To cover this case, the solver could try resolving
+with the theorem $\neg False$.
+
+\medskip
+
+\begin{warn}
+ If a premise of a congruence rule cannot be proved, then the
+ congruence is ignored. This should only happen if the rule is
+ \emph{conditional} --- that is, contains premises not of the form $t
+ = \Var{x}$; otherwise it indicates that some congruence rule, or
+ possibly the subgoaler or solver, is faulty.
+\end{warn}
+
+
+\subsection{*The looper}\label{sec:simp-looper}
+\begin{ttbox}
+setloop : simpset * (int -> tactic) -> simpset \hfill{\bf infix 4}
+addloop : simpset * (string * (int -> tactic)) -> simpset \hfill{\bf infix 4}
+delloop : simpset * string -> simpset \hfill{\bf infix 4}
+addsplits : simpset * thm list -> simpset \hfill{\bf infix 4}
+delsplits : simpset * thm list -> simpset \hfill{\bf infix 4}
+\end{ttbox}
+
+The looper is a list of tactics that are applied after simplification, in case
+the solver failed to solve the simplified goal. If the looper
+succeeds, the simplification process is started all over again. Each
+of the subgoals generated by the looper is attacked in turn, in
+reverse order.
+
+A typical looper is \index{case splitting}: the expansion of a conditional.
+Another possibility is to apply an elimination rule on the
+assumptions. More adventurous loopers could start an induction.
+
+\begin{ttdescription}
+
+\item[$ss$ \ttindexbold{setloop} $tacf$] installs $tacf$ as the only looper
+ tactic of $ss$.
+
+\item[$ss$ \ttindexbold{addloop} $(name,tacf)$] adds $tacf$ as an additional
+ looper tactic with name $name$; it will be tried after the looper tactics
+ that had already been present in $ss$.
+
+\item[$ss$ \ttindexbold{delloop} $name$] deletes the looper tactic $name$
+ from $ss$.
+
+\item[$ss$ \ttindexbold{addsplits} $thms$] adds
+ split tactics for $thms$ as additional looper tactics of $ss$.
+
+\item[$ss$ \ttindexbold{addsplits} $thms$] deletes the
+ split tactics for $thms$ from the looper tactics of $ss$.
+
+\end{ttdescription}
+
+The splitter replaces applications of a given function; the right-hand side
+of the replacement can be anything. For example, here is a splitting rule
+for conditional expressions:
+\[ \Var{P}(if(\Var{Q},\Var{x},\Var{y})) \bimp (\Var{Q} \imp \Var{P}(\Var{x}))
+\conj (\neg\Var{Q} \imp \Var{P}(\Var{y}))
+\]
+Another example is the elimination operator for Cartesian products (which
+happens to be called~$split$):
+\[ \Var{P}(split(\Var{f},\Var{p})) \bimp (\forall a~b. \Var{p} =
+\langle a,b\rangle \imp \Var{P}(\Var{f}(a,b)))
+\]
+
+For technical reasons, there is a distinction between case splitting in the
+conclusion and in the premises of a subgoal. The former is done by
+\texttt{split_tac} with rules like \texttt{split_if} or \texttt{option.split},
+which do not split the subgoal, while the latter is done by
+\texttt{split_asm_tac} with rules like \texttt{split_if_asm} or
+\texttt{option.split_asm}, which split the subgoal.
+The operator \texttt{addsplits} automatically takes care of which tactic to
+call, analyzing the form of the rules given as argument.
+\begin{warn}
+Due to \texttt{split_asm_tac}, the simplifier may split subgoals!
+\end{warn}
+
+Case splits should be allowed only when necessary; they are expensive
+and hard to control. Here is an example of use, where \texttt{split_if}
+is the first rule above:
+\begin{ttbox}
+by (simp_tac (simpset()
+ addloop ("split if", split_tac [split_if])) 1);
+\end{ttbox}
+Users would usually prefer the following shortcut using \texttt{addsplits}:
+\begin{ttbox}
+by (simp_tac (simpset() addsplits [split_if]) 1);
+\end{ttbox}
+Case-splitting on conditional expressions is usually beneficial, so it is
+enabled by default in the object-logics \texttt{HOL} and \texttt{FOL}.
+
+
+\section{The simplification tactics}\label{simp-tactics}
+\index{simplification!tactics}\index{tactics!simplification}
+\begin{ttbox}
+generic_simp_tac : bool -> bool * bool * bool ->
+ simpset -> int -> tactic
+simp_tac : simpset -> int -> tactic
+asm_simp_tac : simpset -> int -> tactic
+full_simp_tac : simpset -> int -> tactic
+asm_full_simp_tac : simpset -> int -> tactic
+safe_asm_full_simp_tac : simpset -> int -> tactic
+\end{ttbox}
+
+\texttt{generic_simp_tac} is the basic tactic that is underlying any actual
+simplification work. The others are just instantiations of it. The rewriting
+strategy is always strictly bottom up, except for congruence rules,
+which are applied while descending into a term. Conditions in conditional
+rewrite rules are solved recursively before the rewrite rule is applied.
+
+\begin{ttdescription}
+
+\item[\ttindexbold{generic_simp_tac} $safe$ ($simp\_asm$, $use\_asm$, $mutual$)]
+ gives direct access to the various simplification modes:
+ \begin{itemize}
+ \item if $safe$ is {\tt true}, the safe solver is used as explained in
+ {\S}\ref{sec:simp-solver},
+ \item $simp\_asm$ determines whether the local assumptions are simplified,
+ \item $use\_asm$ determines whether the assumptions are used as local rewrite
+ rules, and
+ \item $mutual$ determines whether assumptions can simplify each other rather
+ than being processed from left to right.
+ \end{itemize}
+ This generic interface is intended
+ for building special tools, e.g.\ for combining the simplifier with the
+ classical reasoner. It is rarely used directly.
+
+\item[\ttindexbold{simp_tac}, \ttindexbold{asm_simp_tac},
+ \ttindexbold{full_simp_tac}, \ttindexbold{asm_full_simp_tac}] are
+ the basic simplification tactics that work exactly like their
+ namesakes in {\S}\ref{sec:simp-for-dummies}, except that they are
+ explicitly supplied with a simpset.
+
+\end{ttdescription}
+
+\medskip
+
+Local modifications of simpsets within a proof are often much cleaner
+by using above tactics in conjunction with explicit simpsets, rather
+than their capitalized counterparts. For example
+\begin{ttbox}
+Addsimps \(thms\);
+by (Simp_tac \(i\));
+Delsimps \(thms\);
+\end{ttbox}
+can be expressed more appropriately as
+\begin{ttbox}
+by (simp_tac (simpset() addsimps \(thms\)) \(i\));
+\end{ttbox}
+
+\medskip
+
+Also note that functions depending implicitly on the current theory
+context (like capital \texttt{Simp_tac} and the other commands of
+{\S}\ref{sec:simp-for-dummies}) should be considered harmful outside of
+actual proof scripts. In particular, ML programs like theory
+definition packages or special tactics should refer to simpsets only
+explicitly, via the above tactics used in conjunction with
+\texttt{simpset_of} or the \texttt{SIMPSET} tacticals.
+
+
+\section{Forward rules and conversions}
+\index{simplification!forward rules}\index{simplification!conversions}
+\begin{ttbox}\index{*simplify}\index{*asm_simplify}\index{*full_simplify}\index{*asm_full_simplify}\index{*Simplifier.rewrite}\index{*Simplifier.asm_rewrite}\index{*Simplifier.full_rewrite}\index{*Simplifier.asm_full_rewrite}
+simplify : simpset -> thm -> thm
+asm_simplify : simpset -> thm -> thm
+full_simplify : simpset -> thm -> thm
+asm_full_simplify : simpset -> thm -> thm\medskip
+Simplifier.rewrite : simpset -> cterm -> thm
+Simplifier.asm_rewrite : simpset -> cterm -> thm
+Simplifier.full_rewrite : simpset -> cterm -> thm
+Simplifier.asm_full_rewrite : simpset -> cterm -> thm
+\end{ttbox}
+
+The first four of these functions provide \emph{forward} rules for
+simplification. Their effect is analogous to the corresponding
+tactics described in {\S}\ref{simp-tactics}, but affect the whole
+theorem instead of just a certain subgoal. Also note that the
+looper~/ solver process as described in {\S}\ref{sec:simp-looper} and
+{\S}\ref{sec:simp-solver} is omitted in forward simplification.
+
+The latter four are \emph{conversions}, establishing proven equations
+of the form $t \equiv u$ where the l.h.s.\ $t$ has been given as
+argument.
+
+\begin{warn}
+ Forward simplification rules and conversions should be used rarely
+ in ordinary proof scripts. The main intention is to provide an
+ internal interface to the simplifier for special utilities.
+\end{warn}
+
+
+\section{Permutative rewrite rules}
+\index{rewrite rules!permutative|(}
+
+A rewrite rule is {\bf permutative} if the left-hand side and right-hand
+side are the same up to renaming of variables. The most common permutative
+rule is commutativity: $x+y = y+x$. Other examples include $(x-y)-z =
+(x-z)-y$ in arithmetic and $insert(x,insert(y,A)) = insert(y,insert(x,A))$
+for sets. Such rules are common enough to merit special attention.
+
+Because ordinary rewriting loops given such rules, the simplifier
+employs a special strategy, called {\bf ordered
+ rewriting}\index{rewriting!ordered}. There is a standard
+lexicographic ordering on terms. This should be perfectly OK in most
+cases, but can be changed for special applications.
+
+\begin{ttbox}
+settermless : simpset * (term * term -> bool) -> simpset \hfill{\bf infix 4}
+\end{ttbox}
+\begin{ttdescription}
+
+\item[$ss$ \ttindexbold{settermless} $rel$] installs relation $rel$ as
+ term order in simpset $ss$.
+
+\end{ttdescription}
+
+\medskip
+
+A permutative rewrite rule is applied only if it decreases the given
+term with respect to this ordering. For example, commutativity
+rewrites~$b+a$ to $a+b$, but then stops because $a+b$ is strictly less
+than $b+a$. The Boyer-Moore theorem prover~\cite{bm88book} also
+employs ordered rewriting.
+
+Permutative rewrite rules are added to simpsets just like other
+rewrite rules; the simplifier recognizes their special status
+automatically. They are most effective in the case of
+associative-commutative operators. (Associativity by itself is not
+permutative.) When dealing with an AC-operator~$f$, keep the
+following points in mind:
+\begin{itemize}\index{associative-commutative operators}
+
+\item The associative law must always be oriented from left to right,
+ namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
+ used with commutativity, leads to looping in conjunction with the
+ standard term order.
+
+\item To complete your set of rewrite rules, you must add not just
+ associativity~(A) and commutativity~(C) but also a derived rule, {\bf
+ left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
+\end{itemize}
+Ordered rewriting with the combination of A, C, and~LC sorts a term
+lexicographically:
+\[\def\maps#1{\stackrel{#1}{\longmapsto}}
+ (b+c)+a \maps{A} b+(c+a) \maps{C} b+(a+c) \maps{LC} a+(b+c) \]
+Martin and Nipkow~\cite{martin-nipkow} discuss the theory and give many
+examples; other algebraic structures are amenable to ordered rewriting,
+such as boolean rings.
+
+\subsection{Example: sums of natural numbers}
+
+This example is again set in HOL (see \texttt{HOL/ex/NatSum}). Theory
+\thydx{Arith} contains natural numbers arithmetic. Its associated simpset
+contains many arithmetic laws including distributivity of~$\times$ over~$+$,
+while \texttt{add_ac} is a list consisting of the A, C and LC laws for~$+$ on
+type \texttt{nat}. Let us prove the theorem
+\[ \sum@{i=1}^n i = n\times(n+1)/2. \]
+%
+A functional~\texttt{sum} represents the summation operator under the
+interpretation $\texttt{sum} \, f \, (n + 1) = \sum@{i=0}^n f\,i$. We
+extend \texttt{Arith} as follows:
+\begin{ttbox}
+NatSum = Arith +
+consts sum :: [nat=>nat, nat] => nat
+primrec
+ "sum f 0 = 0"
+ "sum f (Suc n) = f(n) + sum f n"
+end
+\end{ttbox}
+The \texttt{primrec} declaration automatically adds rewrite rules for
+\texttt{sum} to the default simpset. We now remove the
+\texttt{nat_cancel} simplification procedures (in order not to spoil
+the example) and insert the AC-rules for~$+$:
+\begin{ttbox}
+Delsimprocs nat_cancel;
+Addsimps add_ac;
+\end{ttbox}
+Our desired theorem now reads $\texttt{sum} \, (\lambda i.i) \, (n+1) =
+n\times(n+1)/2$. The Isabelle goal has both sides multiplied by~$2$:
+\begin{ttbox}
+Goal "2 * sum (\%i.i) (Suc n) = n * Suc n";
+{\out Level 0}
+{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
+{\out 1. 2 * sum (\%i. i) (Suc n) = n * Suc n}
+\end{ttbox}
+Induction should not be applied until the goal is in the simplest
+form:
+\begin{ttbox}
+by (Simp_tac 1);
+{\out Level 1}
+{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
+{\out 1. n + (sum (\%i. i) n + sum (\%i. i) n) = n * n}
+\end{ttbox}
+Ordered rewriting has sorted the terms in the left-hand side. The
+subgoal is now ready for induction:
+\begin{ttbox}
+by (induct_tac "n" 1);
+{\out Level 2}
+{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
+{\out 1. 0 + (sum (\%i. i) 0 + sum (\%i. i) 0) = 0 * 0}
+\ttbreak
+{\out 2. !!n. n + (sum (\%i. i) n + sum (\%i. i) n) = n * n}
+{\out ==> Suc n + (sum (\%i. i) (Suc n) + sum (\%i.\,i) (Suc n)) =}
+{\out Suc n * Suc n}
+\end{ttbox}
+Simplification proves both subgoals immediately:\index{*ALLGOALS}
+\begin{ttbox}
+by (ALLGOALS Asm_simp_tac);
+{\out Level 3}
+{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
+{\out No subgoals!}
+\end{ttbox}
+Simplification cannot prove the induction step if we omit \texttt{add_ac} from
+the simpset. Observe that like terms have not been collected:
+\begin{ttbox}
+{\out Level 3}
+{\out 2 * sum (\%i. i) (Suc n) = n * Suc n}
+{\out 1. !!n. n + sum (\%i. i) n + (n + sum (\%i. i) n) = n + n * n}
+{\out ==> n + (n + sum (\%i. i) n) + (n + (n + sum (\%i.\,i) n)) =}
+{\out n + (n + (n + n * n))}
+\end{ttbox}
+Ordered rewriting proves this by sorting the left-hand side. Proving
+arithmetic theorems without ordered rewriting requires explicit use of
+commutativity. This is tedious; try it and see!
+
+Ordered rewriting is equally successful in proving
+$\sum@{i=1}^n i^3 = n^2\times(n+1)^2/4$.
+
+
+\subsection{Re-orienting equalities}
+Ordered rewriting with the derived rule \texttt{symmetry} can reverse
+equations:
+\begin{ttbox}
+val symmetry = prove_goal HOL.thy "(x=y) = (y=x)"
+ (fn _ => [Blast_tac 1]);
+\end{ttbox}
+This is frequently useful. Assumptions of the form $s=t$, where $t$ occurs
+in the conclusion but not~$s$, can often be brought into the right form.
+For example, ordered rewriting with \texttt{symmetry} can prove the goal
+\[ f(a)=b \conj f(a)=c \imp b=c. \]
+Here \texttt{symmetry} reverses both $f(a)=b$ and $f(a)=c$
+because $f(a)$ is lexicographically greater than $b$ and~$c$. These
+re-oriented equations, as rewrite rules, replace $b$ and~$c$ in the
+conclusion by~$f(a)$.
+
+Another example is the goal $\neg(t=u) \imp \neg(u=t)$.
+The differing orientations make this appear difficult to prove. Ordered
+rewriting with \texttt{symmetry} makes the equalities agree. (Without
+knowing more about~$t$ and~$u$ we cannot say whether they both go to $t=u$
+or~$u=t$.) Then the simplifier can prove the goal outright.
+
+\index{rewrite rules!permutative|)}
+
+
+\section{*Setting up the Simplifier}\label{sec:setting-up-simp}
+\index{simplification!setting up}
+
+Setting up the simplifier for new logics is complicated in the general case.
+This section describes how the simplifier is installed for intuitionistic
+first-order logic; the code is largely taken from {\tt FOL/simpdata.ML} of the
+Isabelle sources.
+
+The case splitting tactic, which resides on a separate files, is not part of
+Pure Isabelle. It needs to be loaded explicitly by the object-logic as
+follows (below \texttt{\~\relax\~\relax} refers to \texttt{\$ISABELLE_HOME}):
+\begin{ttbox}
+use "\~\relax\~\relax/src/Provers/splitter.ML";
+\end{ttbox}
+
+Simplification requires converting object-equalities to meta-level rewrite
+rules. This demands rules stating that equal terms and equivalent formulae
+are also equal at the meta-level. The rule declaration part of the file
+\texttt{FOL/IFOL.thy} contains the two lines
+\begin{ttbox}\index{*eq_reflection theorem}\index{*iff_reflection theorem}
+eq_reflection "(x=y) ==> (x==y)"
+iff_reflection "(P<->Q) ==> (P==Q)"
+\end{ttbox}
+Of course, you should only assert such rules if they are true for your
+particular logic. In Constructive Type Theory, equality is a ternary
+relation of the form $a=b\in A$; the type~$A$ determines the meaning
+of the equality essentially as a partial equivalence relation. The
+present simplifier cannot be used. Rewriting in \texttt{CTT} uses
+another simplifier, which resides in the file {\tt
+ Provers/typedsimp.ML} and is not documented. Even this does not
+work for later variants of Constructive Type Theory that use
+intensional equality~\cite{nordstrom90}.
+
+
+\subsection{A collection of standard rewrite rules}
+
+We first prove lots of standard rewrite rules about the logical
+connectives. These include cancellation and associative laws. We
+define a function that echoes the desired law and then supplies it the
+prover for intuitionistic FOL:
+\begin{ttbox}
+fun int_prove_fun s =
+ (writeln s;
+ prove_goal IFOL.thy s
+ (fn prems => [ (cut_facts_tac prems 1),
+ (IntPr.fast_tac 1) ]));
+\end{ttbox}
+The following rewrite rules about conjunction are a selection of those
+proved on \texttt{FOL/simpdata.ML}. Later, these will be supplied to the
+standard simpset.
+\begin{ttbox}
+val conj_simps = map int_prove_fun
+ ["P & True <-> P", "True & P <-> P",
+ "P & False <-> False", "False & P <-> False",
+ "P & P <-> P",
+ "P & ~P <-> False", "~P & P <-> False",
+ "(P & Q) & R <-> P & (Q & R)"];
+\end{ttbox}
+The file also proves some distributive laws. As they can cause exponential
+blowup, they will not be included in the standard simpset. Instead they
+are merely bound to an \ML{} identifier, for user reference.
+\begin{ttbox}
+val distrib_simps = map int_prove_fun
+ ["P & (Q | R) <-> P&Q | P&R",
+ "(Q | R) & P <-> Q&P | R&P",
+ "(P | Q --> R) <-> (P --> R) & (Q --> R)"];
+\end{ttbox}
+
+
+\subsection{Functions for preprocessing the rewrite rules}
+\label{sec:setmksimps}
+\begin{ttbox}\indexbold{*setmksimps}
+setmksimps : simpset * (thm -> thm list) -> simpset \hfill{\bf infix 4}
+\end{ttbox}
+The next step is to define the function for preprocessing rewrite rules.
+This will be installed by calling \texttt{setmksimps} below. Preprocessing
+occurs whenever rewrite rules are added, whether by user command or
+automatically. Preprocessing involves extracting atomic rewrites at the
+object-level, then reflecting them to the meta-level.
+
+To start, the function \texttt{gen_all} strips any meta-level
+quantifiers from the front of the given theorem.
+
+The function \texttt{atomize} analyses a theorem in order to extract
+atomic rewrite rules. The head of all the patterns, matched by the
+wildcard~\texttt{_}, is the coercion function \texttt{Trueprop}.
+\begin{ttbox}
+fun atomize th = case concl_of th of
+ _ $ (Const("op &",_) $ _ $ _) => atomize(th RS conjunct1) \at
+ atomize(th RS conjunct2)
+ | _ $ (Const("op -->",_) $ _ $ _) => atomize(th RS mp)
+ | _ $ (Const("All",_) $ _) => atomize(th RS spec)
+ | _ $ (Const("True",_)) => []
+ | _ $ (Const("False",_)) => []
+ | _ => [th];
+\end{ttbox}
+There are several cases, depending upon the form of the conclusion:
+\begin{itemize}
+\item Conjunction: extract rewrites from both conjuncts.
+\item Implication: convert $P\imp Q$ to the meta-implication $P\Imp Q$ and
+ extract rewrites from~$Q$; these will be conditional rewrites with the
+ condition~$P$.
+\item Universal quantification: remove the quantifier, replacing the bound
+ variable by a schematic variable, and extract rewrites from the body.
+\item \texttt{True} and \texttt{False} contain no useful rewrites.
+\item Anything else: return the theorem in a singleton list.
+\end{itemize}
+The resulting theorems are not literally atomic --- they could be
+disjunctive, for example --- but are broken down as much as possible.
+See the file \texttt{ZF/simpdata.ML} for a sophisticated translation of
+set-theoretic formulae into rewrite rules.
+
+For standard situations like the above,
+there is a generic auxiliary function \ttindexbold{mk_atomize} that takes a
+list of pairs $(name, thms)$, where $name$ is an operator name and
+$thms$ is a list of theorems to resolve with in case the pattern matches,
+and returns a suitable \texttt{atomize} function.
+
+
+The simplified rewrites must now be converted into meta-equalities. The
+rule \texttt{eq_reflection} converts equality rewrites, while {\tt
+ iff_reflection} converts if-and-only-if rewrites. The latter possibility
+can arise in two other ways: the negative theorem~$\neg P$ is converted to
+$P\equiv\texttt{False}$, and any other theorem~$P$ is converted to
+$P\equiv\texttt{True}$. The rules \texttt{iff_reflection_F} and {\tt
+ iff_reflection_T} accomplish this conversion.
+\begin{ttbox}
+val P_iff_F = int_prove_fun "~P ==> (P <-> False)";
+val iff_reflection_F = P_iff_F RS iff_reflection;
+\ttbreak
+val P_iff_T = int_prove_fun "P ==> (P <-> True)";
+val iff_reflection_T = P_iff_T RS iff_reflection;
+\end{ttbox}
+The function \texttt{mk_eq} converts a theorem to a meta-equality
+using the case analysis described above.
+\begin{ttbox}
+fun mk_eq th = case concl_of th of
+ _ $ (Const("op =",_)$_$_) => th RS eq_reflection
+ | _ $ (Const("op <->",_)$_$_) => th RS iff_reflection
+ | _ $ (Const("Not",_)$_) => th RS iff_reflection_F
+ | _ => th RS iff_reflection_T;
+\end{ttbox}
+The
+three functions \texttt{gen_all}, \texttt{atomize} and \texttt{mk_eq}
+will be composed together and supplied below to \texttt{setmksimps}.
+
+
+\subsection{Making the initial simpset}
+
+It is time to assemble these items. The list \texttt{IFOL_simps} contains the
+default rewrite rules for intuitionistic first-order logic. The first of
+these is the reflexive law expressed as the equivalence
+$(a=a)\bimp\texttt{True}$; the rewrite rule $a=a$ is clearly useless.
+\begin{ttbox}
+val IFOL_simps =
+ [refl RS P_iff_T] \at conj_simps \at disj_simps \at not_simps \at
+ imp_simps \at iff_simps \at quant_simps;
+\end{ttbox}
+The list \texttt{triv_rls} contains trivial theorems for the solver. Any
+subgoal that is simplified to one of these will be removed.
+\begin{ttbox}
+val notFalseI = int_prove_fun "~False";
+val triv_rls = [TrueI,refl,iff_refl,notFalseI];
+\end{ttbox}
+We also define the function \ttindex{mk_meta_cong} to convert the conclusion
+of congruence rules into meta-equalities.
+\begin{ttbox}
+fun mk_meta_cong rl = standard (mk_meta_eq (mk_meta_prems rl));
+\end{ttbox}
+%
+The basic simpset for intuitionistic FOL is \ttindexbold{FOL_basic_ss}. It
+preprocess rewrites using
+{\tt gen_all}, \texttt{atomize} and \texttt{mk_eq}.
+It solves simplified subgoals using \texttt{triv_rls} and assumptions, and by
+detecting contradictions. It uses \ttindex{asm_simp_tac} to tackle subgoals
+of conditional rewrites.
+
+Other simpsets built from \texttt{FOL_basic_ss} will inherit these items.
+In particular, \ttindexbold{IFOL_ss}, which introduces {\tt
+ IFOL_simps} as rewrite rules. \ttindexbold{FOL_ss} will later
+extend \texttt{IFOL_ss} with classical rewrite rules such as $\neg\neg
+P\bimp P$.
+\index{*setmksimps}\index{*setSSolver}\index{*setSolver}\index{*setsubgoaler}
+\index{*addsimps}\index{*addcongs}
+\begin{ttbox}
+fun unsafe_solver prems = FIRST'[resolve_tac (triv_rls {\at} prems),
+ atac, etac FalseE];
+
+fun safe_solver prems = FIRST'[match_tac (triv_rls {\at} prems),
+ eq_assume_tac, ematch_tac [FalseE]];
+
+val FOL_basic_ss =
+ empty_ss setsubgoaler asm_simp_tac
+ addsimprocs [defALL_regroup, defEX_regroup]
+ setSSolver safe_solver
+ setSolver unsafe_solver
+ setmksimps (map mk_eq o atomize o gen_all)
+ setmkcong mk_meta_cong;
+
+val IFOL_ss =
+ FOL_basic_ss addsimps (IFOL_simps {\at}
+ int_ex_simps {\at} int_all_simps)
+ addcongs [imp_cong];
+\end{ttbox}
+This simpset takes \texttt{imp_cong} as a congruence rule in order to use
+contextual information to simplify the conclusions of implications:
+\[ \List{\Var{P}\bimp\Var{P'};\; \Var{P'} \Imp \Var{Q}\bimp\Var{Q'}} \Imp
+ (\Var{P}\imp\Var{Q}) \bimp (\Var{P'}\imp\Var{Q'})
+\]
+By adding the congruence rule \texttt{conj_cong}, we could obtain a similar
+effect for conjunctions.
+
+
+\index{simplification|)}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/substitution.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,217 @@
+
+\chapter{Substitution Tactics} \label{substitution}
+\index{tactics!substitution|(}\index{equality|(}
+
+Replacing equals by equals is a basic form of reasoning. Isabelle supports
+several kinds of equality reasoning. {\bf Substitution} means replacing
+free occurrences of~$t$ by~$u$ in a subgoal. This is easily done, given an
+equality $t=u$, provided the logic possesses the appropriate rule. The
+tactic \texttt{hyp_subst_tac} performs substitution even in the assumptions.
+But it works via object-level implication, and therefore must be specially
+set up for each suitable object-logic.
+
+Substitution should not be confused with object-level {\bf rewriting}.
+Given equalities of the form $t=u$, rewriting replaces instances of~$t$ by
+corresponding instances of~$u$, and continues until it reaches a normal
+form. Substitution handles `one-off' replacements by particular
+equalities while rewriting handles general equations.
+Chapter~\ref{chap:simplification} discusses Isabelle's rewriting tactics.
+
+
+\section{Substitution rules}
+\index{substitution!rules}\index{*subst theorem}
+Many logics include a substitution rule of the form
+$$
+\List{\Var{a}=\Var{b}; \Var{P}(\Var{a})} \Imp
+\Var{P}(\Var{b}) \eqno(subst)
+$$
+In backward proof, this may seem difficult to use: the conclusion
+$\Var{P}(\Var{b})$ admits far too many unifiers. But, if the theorem {\tt
+eqth} asserts $t=u$, then \hbox{\tt eqth RS subst} is the derived rule
+\[ \Var{P}(t) \Imp \Var{P}(u). \]
+Provided $u$ is not an unknown, resolution with this rule is
+well-behaved.\footnote{Unifying $\Var{P}(u)$ with a formula~$Q$
+expresses~$Q$ in terms of its dependence upon~$u$. There are still $2^k$
+unifiers, if $Q$ has $k$ occurrences of~$u$, but Isabelle ensures that
+the first unifier includes all the occurrences.} To replace $u$ by~$t$ in
+subgoal~$i$, use
+\begin{ttbox}
+resolve_tac [eqth RS subst] \(i\){\it.}
+\end{ttbox}
+To replace $t$ by~$u$ in
+subgoal~$i$, use
+\begin{ttbox}
+resolve_tac [eqth RS ssubst] \(i\){\it,}
+\end{ttbox}
+where \tdxbold{ssubst} is the `swapped' substitution rule
+$$
+\List{\Var{a}=\Var{b}; \Var{P}(\Var{b})} \Imp
+\Var{P}(\Var{a}). \eqno(ssubst)
+$$
+If \tdx{sym} denotes the symmetry rule
+\(\Var{a}=\Var{b}\Imp\Var{b}=\Var{a}\), then \texttt{ssubst} is just
+\hbox{\tt sym RS subst}. Many logics with equality include the rules {\tt
+subst} and \texttt{ssubst}, as well as \texttt{refl}, \texttt{sym} and \texttt{trans}
+(for the usual equality laws). Examples include \texttt{FOL} and \texttt{HOL},
+but not \texttt{CTT} (Constructive Type Theory).
+
+Elim-resolution is well-behaved with assumptions of the form $t=u$.
+To replace $u$ by~$t$ or $t$ by~$u$ in subgoal~$i$, use
+\begin{ttbox}
+eresolve_tac [subst] \(i\) {\rm or} eresolve_tac [ssubst] \(i\){\it.}
+\end{ttbox}
+
+Logics HOL, FOL and ZF define the tactic \ttindexbold{stac} by
+\begin{ttbox}
+fun stac eqth = CHANGED o rtac (eqth RS ssubst);
+\end{ttbox}
+Now \texttt{stac~eqth} is like \texttt{resolve_tac [eqth RS ssubst]} but with the
+valuable property of failing if the substitution has no effect.
+
+
+\section{Substitution in the hypotheses}
+\index{assumptions!substitution in}
+Substitution rules, like other rules of natural deduction, do not affect
+the assumptions. This can be inconvenient. Consider proving the subgoal
+\[ \List{c=a; c=b} \Imp a=b. \]
+Calling \texttt{eresolve_tac\ts[ssubst]\ts\(i\)} simply discards the
+assumption~$c=a$, since $c$ does not occur in~$a=b$. Of course, we can
+work out a solution. First apply \texttt{eresolve_tac\ts[subst]\ts\(i\)},
+replacing~$a$ by~$c$:
+\[ c=b \Imp c=b \]
+Equality reasoning can be difficult, but this trivial proof requires
+nothing more sophisticated than substitution in the assumptions.
+Object-logics that include the rule~$(subst)$ provide tactics for this
+purpose:
+\begin{ttbox}
+hyp_subst_tac : int -> tactic
+bound_hyp_subst_tac : int -> tactic
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{hyp_subst_tac} {\it i}]
+ selects an equality assumption of the form $t=u$ or $u=t$, where $t$ is a
+ free variable or parameter. Deleting this assumption, it replaces $t$
+ by~$u$ throughout subgoal~$i$, including the other assumptions.
+
+\item[\ttindexbold{bound_hyp_subst_tac} {\it i}]
+ is similar but only substitutes for parameters (bound variables).
+ Uses for this are discussed below.
+\end{ttdescription}
+The term being replaced must be a free variable or parameter. Substitution
+for constants is usually unhelpful, since they may appear in other
+theorems. For instance, the best way to use the assumption $0=1$ is to
+contradict a theorem that states $0\not=1$, rather than to replace 0 by~1
+in the subgoal!
+
+Substitution for unknowns, such as $\Var{x}=0$, is a bad idea: we might prove
+the subgoal more easily by instantiating~$\Var{x}$ to~1.
+Substitution for free variables is unhelpful if they appear in the
+premises of a rule being derived: the substitution affects object-level
+assumptions, not meta-level assumptions. For instance, replacing~$a$
+by~$b$ could make the premise~$P(a)$ worthless. To avoid this problem, use
+\texttt{bound_hyp_subst_tac}; alternatively, call \ttindex{cut_facts_tac} to
+insert the atomic premises as object-level assumptions.
+
+
+\section{Setting up the package}
+Many Isabelle object-logics, such as \texttt{FOL}, \texttt{HOL} and their
+descendants, come with \texttt{hyp_subst_tac} already defined. A few others,
+such as \texttt{CTT}, do not support this tactic because they lack the
+rule~$(subst)$. When defining a new logic that includes a substitution
+rule and implication, you must set up \texttt{hyp_subst_tac} yourself. It
+is packaged as the \ML{} functor \ttindex{HypsubstFun}, which takes the
+argument signature~\texttt{HYPSUBST_DATA}:
+\begin{ttbox}
+signature HYPSUBST_DATA =
+ sig
+ structure Simplifier : SIMPLIFIER
+ val dest_Trueprop : term -> term
+ val dest_eq : term -> (term*term)*typ
+ val dest_imp : term -> term*term
+ val eq_reflection : thm (* a=b ==> a==b *)
+ val rev_eq_reflection: thm (* a==b ==> a=b *)
+ val imp_intr : thm (*(P ==> Q) ==> P-->Q *)
+ val rev_mp : thm (* [| P; P-->Q |] ==> Q *)
+ val subst : thm (* [| a=b; P(a) |] ==> P(b) *)
+ val sym : thm (* a=b ==> b=a *)
+ val thin_refl : thm (* [|x=x; P|] ==> P *)
+ end;
+\end{ttbox}
+Thus, the functor requires the following items:
+\begin{ttdescription}
+\item[Simplifier] should be an instance of the simplifier (see
+ Chapter~\ref{chap:simplification}).
+
+\item[\ttindexbold{dest_Trueprop}] should coerce a meta-level formula to the
+ corresponding object-level one. Typically, it should return $P$ when
+ applied to the term $\texttt{Trueprop}\,P$ (see example below).
+
+\item[\ttindexbold{dest_eq}] should return the triple~$((t,u),T)$, where $T$ is
+ the type of~$t$ and~$u$, when applied to the \ML{} term that
+ represents~$t=u$. For other terms, it should raise an exception.
+
+\item[\ttindexbold{dest_imp}] should return the pair~$(P,Q)$ when applied to
+ the \ML{} term that represents the implication $P\imp Q$. For other terms,
+ it should raise an exception.
+
+\item[\tdxbold{eq_reflection}] is the theorem discussed
+ in~\S\ref{sec:setting-up-simp}.
+
+\item[\tdxbold{rev_eq_reflection}] is the reverse of \texttt{eq_reflection}.
+
+\item[\tdxbold{imp_intr}] should be the implies introduction
+rule $(\Var{P}\Imp\Var{Q})\Imp \Var{P}\imp\Var{Q}$.
+
+\item[\tdxbold{rev_mp}] should be the `reversed' implies elimination
+rule $\List{\Var{P}; \;\Var{P}\imp\Var{Q}} \Imp \Var{Q}$.
+
+\item[\tdxbold{subst}] should be the substitution rule
+$\List{\Var{a}=\Var{b};\; \Var{P}(\Var{a})} \Imp \Var{P}(\Var{b})$.
+
+\item[\tdxbold{sym}] should be the symmetry rule
+$\Var{a}=\Var{b}\Imp\Var{b}=\Var{a}$.
+
+\item[\tdxbold{thin_refl}] should be the rule
+$\List{\Var{a}=\Var{a};\; \Var{P}} \Imp \Var{P}$, which is used to erase
+trivial equalities.
+\end{ttdescription}
+%
+The functor resides in file \texttt{Provers/hypsubst.ML} in the Isabelle
+distribution directory. It is not sensitive to the precise formalization
+of the object-logic. It is not concerned with the names of the equality
+and implication symbols, or the types of formula and terms.
+
+Coding the functions \texttt{dest_Trueprop}, \texttt{dest_eq} and
+\texttt{dest_imp} requires knowledge of Isabelle's representation of terms.
+For \texttt{FOL}, they are declared by
+\begin{ttbox}
+fun dest_Trueprop (Const ("Trueprop", _) $ P) = P
+ | dest_Trueprop t = raise TERM ("dest_Trueprop", [t]);
+
+fun dest_eq (Const("op =",T) $ t $ u) = ((t, u), domain_type T)
+
+fun dest_imp (Const("op -->",_) $ A $ B) = (A, B)
+ | dest_imp t = raise TERM ("dest_imp", [t]);
+\end{ttbox}
+Recall that \texttt{Trueprop} is the coercion from type~$o$ to type~$prop$,
+while \hbox{\tt op =} is the internal name of the infix operator~\texttt{=}.
+Function \ttindexbold{domain_type}, given the function type $S\To T$, returns
+the type~$S$. Pattern-matching expresses the function concisely, using
+wildcards~({\tt_}) for the types.
+
+The tactic \texttt{hyp_subst_tac} works as follows. First, it identifies a
+suitable equality assumption, possibly re-orienting it using~\texttt{sym}.
+Then it moves other assumptions into the conclusion of the goal, by repeatedly
+calling \texttt{etac~rev_mp}. Then, it uses \texttt{asm_full_simp_tac} or
+\texttt{ssubst} to substitute throughout the subgoal. (If the equality
+involves unknowns then it must use \texttt{ssubst}.) Then, it deletes the
+equality. Finally, it moves the assumptions back to their original positions
+by calling \hbox{\tt resolve_tac\ts[imp_intr]}.
+
+\index{equality|)}\index{tactics!substitution|)}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/syntax.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,240 @@
+
+\chapter{Syntax Transformations} \label{chap:syntax}
+\newcommand\ttapp{\mathrel{\hbox{\tt\$}}}
+\newcommand\mtt[1]{\mbox{\tt #1}}
+\newcommand\ttfct[1]{\mathop{\mtt{#1}}\nolimits}
+\newcommand\Constant{\ttfct{Constant}}
+\newcommand\Variable{\ttfct{Variable}}
+\newcommand\Appl[1]{\ttfct{Appl}\,[#1]}
+\index{syntax!transformations|(}
+
+
+\section{Transforming parse trees to ASTs}\label{sec:astofpt}
+\index{ASTs!made from parse trees}
+\newcommand\astofpt[1]{\lbrakk#1\rbrakk}
+
+The parse tree is the raw output of the parser. Translation functions,
+called {\bf parse AST translations}\indexbold{translations!parse AST},
+transform the parse tree into an abstract syntax tree.
+
+The parse tree is constructed by nesting the right-hand sides of the
+productions used to recognize the input. Such parse trees are simply lists
+of tokens and constituent parse trees, the latter representing the
+nonterminals of the productions. Let us refer to the actual productions in
+the form displayed by {\tt print_syntax} (see \S\ref{sec:inspct-thy} for an
+example).
+
+Ignoring parse \AST{} translations, parse trees are transformed to \AST{}s
+by stripping out delimiters and copy productions. More precisely, the
+mapping $\astofpt{-}$ is derived from the productions as follows:
+\begin{itemize}
+\item Name tokens: $\astofpt{t} = \Variable s$, where $t$ is an \ndx{id},
+ \ndx{var}, \ndx{tid}, \ndx{tvar}, \ndx{num}, \ndx{xnum} or \ndx{xstr} token,
+ and $s$ its associated string. Note that for {\tt xstr} this does not
+ include the quotes.
+
+\item Copy productions:\index{productions!copy}
+ $\astofpt{\ldots P \ldots} = \astofpt{P}$. Here $\ldots$ stands for
+ strings of delimiters, which are discarded. $P$ stands for the single
+ constituent that is not a delimiter; it is either a nonterminal symbol or
+ a name token.
+
+ \item 0-ary productions: $\astofpt{\ldots \mtt{=>} c} = \Constant c$.
+ Here there are no constituents other than delimiters, which are
+ discarded.
+
+ \item $n$-ary productions, where $n \ge 1$: delimiters are discarded and
+ the remaining constituents $P@1$, \ldots, $P@n$ are built into an
+ application whose head constant is~$c$:
+ \[ \astofpt{\ldots P@1 \ldots P@n \ldots \mtt{=>} c} =
+ \Appl{\Constant c, \astofpt{P@1}, \ldots, \astofpt{P@n}}
+ \]
+\end{itemize}
+Figure~\ref{fig:parse_ast} presents some simple examples, where {\tt ==},
+{\tt _appl}, {\tt _args}, and so forth name productions of the Pure syntax.
+These examples illustrate the need for further translations to make \AST{}s
+closer to the typed $\lambda$-calculus. The Pure syntax provides
+predefined parse \AST{} translations\index{translations!parse AST} for
+ordinary applications, type applications, nested abstractions, meta
+implications and function types. Figure~\ref{fig:parse_ast_tr} shows their
+effect on some representative input strings.
+
+
+\begin{figure}
+\begin{center}
+\tt\begin{tabular}{ll}
+\rm input string & \rm \AST \\\hline
+"f" & f \\
+"'a" & 'a \\
+"t == u" & ("==" t u) \\
+"f(x)" & ("_appl" f x) \\
+"f(x, y)" & ("_appl" f ("_args" x y)) \\
+"f(x, y, z)" & ("_appl" f ("_args" x ("_args" y z))) \\
+"\%x y.\ t" & ("_lambda" ("_idts" x y) t) \\
+\end{tabular}
+\end{center}
+\caption{Parsing examples using the Pure syntax}\label{fig:parse_ast}
+\end{figure}
+
+\begin{figure}
+\begin{center}
+\tt\begin{tabular}{ll}
+\rm input string & \rm \AST{} \\\hline
+"f(x, y, z)" & (f x y z) \\
+"'a ty" & (ty 'a) \\
+"('a, 'b) ty" & (ty 'a 'b) \\
+"\%x y z.\ t" & ("_abs" x ("_abs" y ("_abs" z t))) \\
+"\%x ::\ 'a.\ t" & ("_abs" ("_constrain" x 'a) t) \\
+"[| P; Q; R |] => S" & ("==>" P ("==>" Q ("==>" R S))) \\
+"['a, 'b, 'c] => 'd" & ("fun" 'a ("fun" 'b ("fun" 'c 'd)))
+\end{tabular}
+\end{center}
+\caption{Built-in parse \AST{} translations}\label{fig:parse_ast_tr}
+\end{figure}
+
+The names of constant heads in the \AST{} control the translation process.
+The list of constants invoking parse \AST{} translations appears in the
+output of {\tt print_syntax} under {\tt parse_ast_translation}.
+
+
+\section{Transforming ASTs to terms}\label{sec:termofast}
+\index{terms!made from ASTs}
+\newcommand\termofast[1]{\lbrakk#1\rbrakk}
+
+The \AST{}, after application of macros (see \S\ref{sec:macros}), is
+transformed into a term. This term is probably ill-typed since type
+inference has not occurred yet. The term may contain type constraints
+consisting of applications with head {\tt "_constrain"}; the second
+argument is a type encoded as a term. Type inference later introduces
+correct types or rejects the input.
+
+Another set of translation functions, namely parse
+translations\index{translations!parse}, may affect this process. If we
+ignore parse translations for the time being, then \AST{}s are transformed
+to terms by mapping \AST{} constants to constants, \AST{} variables to
+schematic or free variables and \AST{} applications to applications.
+
+More precisely, the mapping $\termofast{-}$ is defined by
+\begin{itemize}
+\item Constants: $\termofast{\Constant x} = \ttfct{Const} (x,
+ \mtt{dummyT})$.
+
+\item Schematic variables: $\termofast{\Variable \mtt{"?}xi\mtt"} =
+ \ttfct{Var} ((x, i), \mtt{dummyT})$, where $x$ is the base name and $i$
+ the index extracted from~$xi$.
+
+\item Free variables: $\termofast{\Variable x} = \ttfct{Free} (x,
+ \mtt{dummyT})$.
+
+\item Function applications with $n$ arguments:
+ \[ \termofast{\Appl{f, x@1, \ldots, x@n}} =
+ \termofast{f} \ttapp
+ \termofast{x@1} \ttapp \ldots \ttapp \termofast{x@n}
+ \]
+\end{itemize}
+Here \ttindex{Const}, \ttindex{Var}, \ttindex{Free} and
+\verb|$|\index{$@{\tt\$}} are constructors of the datatype \mltydx{term},
+while \ttindex{dummyT} stands for some dummy type that is ignored during
+type inference.
+
+So far the outcome is still a first-order term. Abstractions and bound
+variables (constructors \ttindex{Abs} and \ttindex{Bound}) are introduced
+by parse translations. Such translations are attached to {\tt "_abs"},
+{\tt "!!"} and user-defined binders.
+
+
+\section{Printing of terms}
+\newcommand\astofterm[1]{\lbrakk#1\rbrakk}\index{ASTs!made from terms}
+
+The output phase is essentially the inverse of the input phase. Terms are
+translated via abstract syntax trees into strings. Finally the strings are
+pretty printed.
+
+Print translations (\S\ref{sec:tr_funs}) may affect the transformation of
+terms into \AST{}s. Ignoring those, the transformation maps
+term constants, variables and applications to the corresponding constructs
+on \AST{}s. Abstractions are mapped to applications of the special
+constant {\tt _abs}.
+
+More precisely, the mapping $\astofterm{-}$ is defined as follows:
+\begin{itemize}
+ \item $\astofterm{\ttfct{Const} (x, \tau)} = \Constant x$.
+
+ \item $\astofterm{\ttfct{Free} (x, \tau)} = constrain (\Variable x,
+ \tau)$.
+
+ \item $\astofterm{\ttfct{Var} ((x, i), \tau)} = constrain (\Variable
+ \mtt{"?}xi\mtt", \tau)$, where $\mtt?xi$ is the string representation of
+ the {\tt indexname} $(x, i)$.
+
+ \item For the abstraction $\lambda x::\tau.t$, let $x'$ be a variant
+ of~$x$ renamed to differ from all names occurring in~$t$, and let $t'$
+ be obtained from~$t$ by replacing all bound occurrences of~$x$ by
+ the free variable $x'$. This replaces corresponding occurrences of the
+ constructor \ttindex{Bound} by the term $\ttfct{Free} (x',
+ \mtt{dummyT})$:
+ \[ \astofterm{\ttfct{Abs} (x, \tau, t)} =
+ \Appl{\Constant \mtt{"_abs"},
+ constrain(\Variable x', \tau), \astofterm{t'}}
+ \]
+
+ \item $\astofterm{\ttfct{Bound} i} = \Variable \mtt{"B.}i\mtt"$.
+ The occurrence of constructor \ttindex{Bound} should never happen
+ when printing well-typed terms; it indicates a de Bruijn index with no
+ matching abstraction.
+
+ \item Where $f$ is not an application,
+ \[ \astofterm{f \ttapp x@1 \ttapp \ldots \ttapp x@n} =
+ \Appl{\astofterm{f}, \astofterm{x@1}, \ldots,\astofterm{x@n}}
+ \]
+\end{itemize}
+%
+Type constraints\index{type constraints} are inserted to allow the printing
+of types. This is governed by the boolean variable \ttindex{show_types}:
+\begin{itemize}
+ \item $constrain(x, \tau) = x$ \ if $\tau = \mtt{dummyT}$ \index{*dummyT} or
+ \ttindex{show_types} is set to {\tt false}.
+
+ \item $constrain(x, \tau) = \Appl{\Constant \mtt{"_constrain"}, x,
+ \astofterm{\tau}}$ \ otherwise.
+
+ Here, $\astofterm{\tau}$ is the \AST{} encoding of $\tau$: type
+ constructors go to {\tt Constant}s; type identifiers go to {\tt
+ Variable}s; type applications go to {\tt Appl}s with the type
+ constructor as the first element. If \ttindex{show_sorts} is set to
+ {\tt true}, some type variables are decorated with an \AST{} encoding
+ of their sort.
+\end{itemize}
+%
+The \AST{}, after application of macros (see \S\ref{sec:macros}), is
+transformed into the final output string. The built-in {\bf print AST
+ translations}\indexbold{translations!print AST} reverse the
+parse \AST{} translations of Fig.\ts\ref{fig:parse_ast_tr}.
+
+For the actual printing process, the names attached to productions
+of the form $\ldots A^{(p@1)}@1 \ldots A^{(p@n)}@n \ldots \mtt{=>} c$ play
+a vital role. Each \AST{} with constant head $c$, namely $\mtt"c\mtt"$ or
+$(\mtt"c\mtt"~ x@1 \ldots x@n)$, is printed according to the production
+for~$c$. Each argument~$x@i$ is converted to a string, and put in
+parentheses if its priority~$(p@i)$ requires this. The resulting strings
+and their syntactic sugar (denoted by \dots{} above) are joined to make a
+single string.
+
+If an application $(\mtt"c\mtt"~ x@1 \ldots x@m)$ has more arguments
+than the corresponding production, it is first split into
+$((\mtt"c\mtt"~ x@1 \ldots x@n) ~ x@{n+1} \ldots x@m)$. Applications
+with too few arguments or with non-constant head or without a
+corresponding production are printed as $f(x@1, \ldots, x@l)$ or
+$(\alpha@1, \ldots, \alpha@l) ty$. Multiple productions associated
+with some name $c$ are tried in order of appearance. An occurrence of
+$\Variable x$ is simply printed as~$x$.
+
+Blanks are {\em not\/} inserted automatically. If blanks are required to
+separate tokens, specify them in the mixfix declaration, possibly preceded
+by a slash~({\tt/}) to allow a line break.
+\index{ASTs|)}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/tactic.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,173 @@
+
+\chapter{Tactics} \label{tactics}
+\index{tactics|(}
+
+\section{Other basic tactics}
+
+\subsection{Inserting premises and facts}\label{cut_facts_tac}
+\index{tactics!for inserting facts}\index{assumptions!inserting}
+\begin{ttbox}
+cut_facts_tac : thm list -> int -> tactic
+\end{ttbox}
+These tactics add assumptions to a subgoal.
+\begin{ttdescription}
+\item[\ttindexbold{cut_facts_tac} {\it thms} {\it i}]
+ adds the {\it thms} as new assumptions to subgoal~$i$. Once they have
+ been inserted as assumptions, they become subject to tactics such as {\tt
+ eresolve_tac} and {\tt rewrite_goals_tac}. Only rules with no premises
+ are inserted: Isabelle cannot use assumptions that contain $\Imp$
+ or~$\Forall$. Sometimes the theorems are premises of a rule being
+ derived, returned by~{\tt goal}; instead of calling this tactic, you
+ could state the goal with an outermost meta-quantifier.
+
+\end{ttdescription}
+
+
+\subsection{Composition: resolution without lifting}
+\index{tactics!for composition}
+\begin{ttbox}
+compose_tac: (bool * thm * int) -> int -> tactic
+\end{ttbox}
+{\bf Composing} two rules means resolving them without prior lifting or
+renaming of unknowns. This low-level operation, which underlies the
+resolution tactics, may occasionally be useful for special effects.
+A typical application is \ttindex{res_inst_tac}, which lifts and instantiates a
+rule, then passes the result to {\tt compose_tac}.
+\begin{ttdescription}
+\item[\ttindexbold{compose_tac} ($flag$, $rule$, $m$) $i$]
+refines subgoal~$i$ using $rule$, without lifting. The $rule$ is taken to
+have the form $\List{\psi@1; \ldots; \psi@m} \Imp \psi$, where $\psi$ need
+not be atomic; thus $m$ determines the number of new subgoals. If
+$flag$ is {\tt true} then it performs elim-resolution --- it solves the
+first premise of~$rule$ by assumption and deletes that assumption.
+\end{ttdescription}
+
+
+\section{*Managing lots of rules}
+These operations are not intended for interactive use. They are concerned
+with the processing of large numbers of rules in automatic proof
+strategies. Higher-order resolution involving a long list of rules is
+slow. Filtering techniques can shorten the list of rules given to
+resolution, and can also detect whether a subgoal is too flexible,
+with too many rules applicable.
+
+\subsection{Combined resolution and elim-resolution} \label{biresolve_tac}
+\index{tactics!resolution}
+\begin{ttbox}
+biresolve_tac : (bool*thm)list -> int -> tactic
+bimatch_tac : (bool*thm)list -> int -> tactic
+subgoals_of_brl : bool*thm -> int
+lessb : (bool*thm) * (bool*thm) -> bool
+\end{ttbox}
+{\bf Bi-resolution} takes a list of $\it (flag,rule)$ pairs. For each
+pair, it applies resolution if the flag is~{\tt false} and
+elim-resolution if the flag is~{\tt true}. A single tactic call handles a
+mixture of introduction and elimination rules.
+
+\begin{ttdescription}
+\item[\ttindexbold{biresolve_tac} {\it brls} {\it i}]
+refines the proof state by resolution or elim-resolution on each rule, as
+indicated by its flag. It affects subgoal~$i$ of the proof state.
+
+\item[\ttindexbold{bimatch_tac}]
+is like {\tt biresolve_tac}, but performs matching: unknowns in the
+proof state are never updated (see~{\S}\ref{match_tac}).
+
+\item[\ttindexbold{subgoals_of_brl}({\it flag},{\it rule})]
+returns the number of new subgoals that bi-res\-o\-lu\-tion would yield for the
+pair (if applied to a suitable subgoal). This is $n$ if the flag is
+{\tt false} and $n-1$ if the flag is {\tt true}, where $n$ is the number
+of premises of the rule. Elim-resolution yields one fewer subgoal than
+ordinary resolution because it solves the major premise by assumption.
+
+\item[\ttindexbold{lessb} ({\it brl1},{\it brl2})]
+returns the result of
+\begin{ttbox}
+subgoals_of_brl{\it brl1} < subgoals_of_brl{\it brl2}
+\end{ttbox}
+\end{ttdescription}
+Note that \hbox{\tt sort lessb {\it brls}} sorts a list of $\it
+(flag,rule)$ pairs by the number of new subgoals they will yield. Thus,
+those that yield the fewest subgoals should be tried first.
+
+
+\subsection{Discrimination nets for fast resolution}\label{filt_resolve_tac}
+\index{discrimination nets|bold}
+\index{tactics!resolution}
+\begin{ttbox}
+net_resolve_tac : thm list -> int -> tactic
+net_match_tac : thm list -> int -> tactic
+net_biresolve_tac: (bool*thm) list -> int -> tactic
+net_bimatch_tac : (bool*thm) list -> int -> tactic
+filt_resolve_tac : thm list -> int -> int -> tactic
+could_unify : term*term->bool
+filter_thms : (term*term->bool) -> int*term*thm list -> thm{\ts}list
+\end{ttbox}
+The module {\tt Net} implements a discrimination net data structure for
+fast selection of rules \cite[Chapter 14]{charniak80}. A term is
+classified by the symbol list obtained by flattening it in preorder.
+The flattening takes account of function applications, constants, and free
+and bound variables; it identifies all unknowns and also regards
+\index{lambda abs@$\lambda$-abstractions}
+$\lambda$-abstractions as unknowns, since they could $\eta$-contract to
+anything.
+
+A discrimination net serves as a polymorphic dictionary indexed by terms.
+The module provides various functions for inserting and removing items from
+nets. It provides functions for returning all items whose term could match
+or unify with a target term. The matching and unification tests are
+overly lax (due to the identifications mentioned above) but they serve as
+useful filters.
+
+A net can store introduction rules indexed by their conclusion, and
+elimination rules indexed by their major premise. Isabelle provides
+several functions for `compiling' long lists of rules into fast
+resolution tactics. When supplied with a list of theorems, these functions
+build a discrimination net; the net is used when the tactic is applied to a
+goal. To avoid repeatedly constructing the nets, use currying: bind the
+resulting tactics to \ML{} identifiers.
+
+\begin{ttdescription}
+\item[\ttindexbold{net_resolve_tac} {\it thms}]
+builds a discrimination net to obtain the effect of a similar call to {\tt
+resolve_tac}.
+
+\item[\ttindexbold{net_match_tac} {\it thms}]
+builds a discrimination net to obtain the effect of a similar call to {\tt
+match_tac}.
+
+\item[\ttindexbold{net_biresolve_tac} {\it brls}]
+builds a discrimination net to obtain the effect of a similar call to {\tt
+biresolve_tac}.
+
+\item[\ttindexbold{net_bimatch_tac} {\it brls}]
+builds a discrimination net to obtain the effect of a similar call to {\tt
+bimatch_tac}.
+
+\item[\ttindexbold{filt_resolve_tac} {\it thms} {\it maxr} {\it i}]
+uses discrimination nets to extract the {\it thms} that are applicable to
+subgoal~$i$. If more than {\it maxr\/} theorems are applicable then the
+tactic fails. Otherwise it calls {\tt resolve_tac}.
+
+This tactic helps avoid runaway instantiation of unknowns, for example in
+type inference.
+
+\item[\ttindexbold{could_unify} ({\it t},{\it u})]
+returns {\tt false} if~$t$ and~$u$ are `obviously' non-unifiable, and
+otherwise returns~{\tt true}. It assumes all variables are distinct,
+reporting that {\tt ?a=?a} may unify with {\tt 0=1}.
+
+\item[\ttindexbold{filter_thms} $could\; (limit,prem,thms)$]
+returns the list of potentially resolvable rules (in {\it thms\/}) for the
+subgoal {\it prem}, using the predicate {\it could\/} to compare the
+conclusion of the subgoal with the conclusion of each rule. The resulting list
+is no longer than {\it limit}.
+\end{ttdescription}
+
+\index{tactics|)}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/document/thm.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,636 @@
+
+\chapter{Theorems and Forward Proof}
+\index{theorems|(}
+
+Theorems, which represent the axioms, theorems and rules of
+object-logics, have type \mltydx{thm}. This chapter describes
+operations that join theorems in forward proof. Most theorem
+operations are intended for advanced applications, such as programming
+new proof procedures.
+
+
+\subsection{Instantiating unknowns in a theorem} \label{sec:instantiate}
+\index{instantiation}
+\begin{alltt}\footnotesize
+read_instantiate : (string*string) list -> thm -> thm
+read_instantiate_sg : Sign.sg -> (string*string) list -> thm -> thm
+cterm_instantiate : (cterm*cterm) list -> thm -> thm
+instantiate' : ctyp option list -> cterm option list -> thm -> thm
+\end{alltt}
+These meta-rules instantiate type and term unknowns in a theorem. They are
+occasionally useful. They can prevent difficulties with higher-order
+unification, and define specialized versions of rules.
+\begin{ttdescription}
+\item[\ttindexbold{read_instantiate} {\it insts} {\it thm}]
+processes the instantiations {\it insts} and instantiates the rule~{\it
+thm}. The processing of instantiations is described
+in \S\ref{res_inst_tac}, under {\tt res_inst_tac}.
+
+Use {\tt res_inst_tac}, not {\tt read_instantiate}, to instantiate a rule
+and refine a particular subgoal. The tactic allows instantiation by the
+subgoal's parameters, and reads the instantiations using the signature
+associated with the proof state.
+
+Use {\tt read_instantiate_sg} below if {\it insts\/} appears to be treated
+incorrectly.
+
+\item[\ttindexbold{read_instantiate_sg} {\it sg} {\it insts} {\it thm}]
+ is like \texttt{read_instantiate {\it insts}~{\it thm}}, but it reads
+ the instantiations under signature~{\it sg}. This is necessary to
+ instantiate a rule from a general theory, such as first-order logic,
+ using the notation of some specialized theory. Use the function {\tt
+ sign_of} to get a theory's signature.
+
+\item[\ttindexbold{cterm_instantiate} {\it ctpairs} {\it thm}]
+is similar to {\tt read_instantiate}, but the instantiations are provided
+as pairs of certified terms, not as strings to be read.
+
+\item[\ttindexbold{instantiate'} {\it ctyps} {\it cterms} {\it thm}]
+ instantiates {\it thm} according to the positional arguments {\it
+ ctyps} and {\it cterms}. Counting from left to right, schematic
+ variables $?x$ are either replaced by $t$ for any argument
+ \texttt{Some\(\;t\)}, or left unchanged in case of \texttt{None} or
+ if the end of the argument list is encountered. Types are
+ instantiated before terms.
+
+\end{ttdescription}
+
+
+\subsection{Miscellaneous forward rules}\label{MiscellaneousForwardRules}
+\index{theorems!standardizing}
+\begin{ttbox}
+standard : thm -> thm
+zero_var_indexes : thm -> thm
+make_elim : thm -> thm
+rule_by_tactic : tactic -> thm -> thm
+rotate_prems : int -> thm -> thm
+permute_prems : int -> int -> thm -> thm
+rearrange_prems : int list -> thm -> thm
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{standard} $thm$] puts $thm$ into the standard form
+ of object-rules. It discharges all meta-assumptions, replaces free
+ variables by schematic variables, renames schematic variables to
+ have subscript zero, also strips outer (meta) quantifiers and
+ removes dangling sort hypotheses.
+
+\item[\ttindexbold{zero_var_indexes} $thm$]
+makes all schematic variables have subscript zero, renaming them to avoid
+clashes.
+
+\item[\ttindexbold{make_elim} $thm$]
+\index{rules!converting destruction to elimination}
+converts $thm$, which should be a destruction rule of the form
+$\List{P@1;\ldots;P@m}\Imp
+Q$, to the elimination rule $\List{P@1; \ldots; P@m; Q\Imp R}\Imp R$. This
+is the basis for destruct-resolution: {\tt dresolve_tac}, etc.
+
+\item[\ttindexbold{rule_by_tactic} {\it tac} {\it thm}]
+ applies {\it tac\/} to the {\it thm}, freezing its variables first, then
+ yields the proof state returned by the tactic. In typical usage, the
+ {\it thm\/} represents an instance of a rule with several premises, some
+ with contradictory assumptions (because of the instantiation). The
+ tactic proves those subgoals and does whatever else it can, and returns
+ whatever is left.
+
+\item[\ttindexbold{rotate_prems} $k$ $thm$] rotates the premises of $thm$ to
+ the left by~$k$ positions (to the right if $k<0$). It simply calls
+ \texttt{permute_prems}, below, with $j=0$. Used with
+ \texttt{eresolve_tac}\index{*eresolve_tac!on other than first premise}, it
+ gives the effect of applying the tactic to some other premise of $thm$ than
+ the first.
+
+\item[\ttindexbold{permute_prems} $j$ $k$ $thm$] rotates the premises of $thm$
+ leaving the first $j$ premises unchanged. It
+ requires $0\leq j\leq n$, where $n$ is the number of premises. If $k$ is
+ positive then it rotates the remaining $n-j$ premises to the left; if $k$ is
+ negative then it rotates the premises to the right.
+
+\item[\ttindexbold{rearrange_prems} $ps$ $thm$] permutes the premises of $thm$
+ where the value at the $i$-th position (counting from $0$) in the list $ps$
+ gives the position within the original thm to be transferred to position $i$.
+ Any remaining trailing positions are left unchanged.
+\end{ttdescription}
+
+
+\subsection{Taking a theorem apart}
+\index{theorems!taking apart}
+\index{flex-flex constraints}
+\begin{ttbox}
+cprop_of : thm -> cterm
+concl_of : thm -> term
+prems_of : thm -> term list
+cprems_of : thm -> cterm list
+nprems_of : thm -> int
+tpairs_of : thm -> (term*term) list
+theory_of_thm : thm -> theory
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{cprop_of} $thm$] returns the statement of $thm$ as
+ a certified term.
+
+\item[\ttindexbold{concl_of} $thm$] returns the conclusion of $thm$ as
+ a term.
+
+\item[\ttindexbold{prems_of} $thm$] returns the premises of $thm$ as a
+ list of terms.
+
+\item[\ttindexbold{cprems_of} $thm$] returns the premises of $thm$ as
+ a list of certified terms.
+
+\item[\ttindexbold{nprems_of} $thm$]
+returns the number of premises in $thm$, and is equivalent to {\tt
+ length~(prems_of~$thm$)}.
+
+\item[\ttindexbold{tpairs_of} $thm$] returns the flex-flex constraints
+ of $thm$.
+
+\item[\ttindexbold{theory_of_thm} $thm$] returns the theory associated
+ with $thm$. Note that this does a lookup in Isabelle's global
+ database of loaded theories.
+
+\end{ttdescription}
+
+
+\subsection{*Sort hypotheses} \label{sec:sort-hyps}
+\index{sort hypotheses}
+\begin{ttbox}
+strip_shyps : thm -> thm
+strip_shyps_warning : thm -> thm
+\end{ttbox}
+
+Isabelle's type variables are decorated with sorts, constraining them to
+certain ranges of types. This has little impact when sorts only serve for
+syntactic classification of types --- for example, FOL distinguishes between
+terms and other types. But when type classes are introduced through axioms,
+this may result in some sorts becoming {\em empty\/}: where one cannot exhibit
+a type belonging to it because certain sets of axioms are unsatisfiable.
+
+If a theorem contains a type variable that is constrained by an empty
+sort, then that theorem has no instances. It is basically an instance
+of {\em ex falso quodlibet}. But what if it is used to prove another
+theorem that no longer involves that sort? The latter theorem holds
+only if under an additional non-emptiness assumption.
+
+Therefore, Isabelle's theorems carry around sort hypotheses. The {\tt
+shyps} field is a list of sorts occurring in type variables in the current
+{\tt prop} and {\tt hyps} fields. It may also includes sorts used in the
+theorem's proof that no longer appear in the {\tt prop} or {\tt hyps}
+fields --- so-called {\em dangling\/} sort constraints. These are the
+critical ones, asserting non-emptiness of the corresponding sorts.
+
+Isabelle automatically removes extraneous sorts from the {\tt shyps} field at
+the end of a proof, provided that non-emptiness can be established by looking
+at the theorem's signature: from the {\tt classes} and {\tt arities}
+information. This operation is performed by \texttt{strip_shyps} and
+\texttt{strip_shyps_warning}.
+
+\begin{ttdescription}
+
+\item[\ttindexbold{strip_shyps} $thm$] removes any extraneous sort hypotheses
+ that can be witnessed from the type signature.
+
+\item[\ttindexbold{strip_shyps_warning}] is like \texttt{strip_shyps}, but
+ issues a warning message of any pending sort hypotheses that do not have a
+ (syntactic) witness.
+
+\end{ttdescription}
+
+
+\subsection{Tracing flags for unification}
+\index{tracing!of unification}
+\begin{ttbox}
+Unify.trace_simp : bool ref \hfill\textbf{initially false}
+Unify.trace_types : bool ref \hfill\textbf{initially false}
+Unify.trace_bound : int ref \hfill\textbf{initially 10}
+Unify.search_bound : int ref \hfill\textbf{initially 20}
+\end{ttbox}
+Tracing the search may be useful when higher-order unification behaves
+unexpectedly. Letting {\tt res_inst_tac} circumvent the problem is easier,
+though.
+\begin{ttdescription}
+\item[set Unify.trace_simp;]
+causes tracing of the simplification phase.
+
+\item[set Unify.trace_types;]
+generates warnings of incompleteness, when unification is not considering
+all possible instantiations of type unknowns.
+
+\item[Unify.trace_bound := $n$;]
+causes unification to print tracing information once it reaches depth~$n$.
+Use $n=0$ for full tracing. At the default value of~10, tracing
+information is almost never printed.
+
+\item[Unify.search_bound := $n$;] prevents unification from
+ searching past the depth~$n$. Because of this bound, higher-order
+ unification cannot return an infinite sequence, though it can return
+ an exponentially long one. The search rarely approaches the default value
+ of~20. If the search is cut off, unification prints a warning
+ \texttt{Unification bound exceeded}.
+\end{ttdescription}
+
+
+\section{*Primitive meta-level inference rules}
+\index{meta-rules|(}
+
+\subsection{Logical equivalence rules}
+\index{meta-equality}
+\begin{ttbox}
+equal_intr : thm -> thm -> thm
+equal_elim : thm -> thm -> thm
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{equal_intr} $thm@1$ $thm@2$]
+applies $({\equiv}I)$ to $thm@1$ and~$thm@2$. It maps the premises~$\psi$
+and~$\phi$ to the conclusion~$\phi\equiv\psi$; the assumptions are those of
+the first premise with~$\phi$ removed, plus those of
+the second premise with~$\psi$ removed.
+
+\item[\ttindexbold{equal_elim} $thm@1$ $thm@2$]
+applies $({\equiv}E)$ to $thm@1$ and~$thm@2$. It maps the premises
+$\phi\equiv\psi$ and $\phi$ to the conclusion~$\psi$.
+\end{ttdescription}
+
+
+\subsection{Equality rules}
+\index{meta-equality}
+\begin{ttbox}
+reflexive : cterm -> thm
+symmetric : thm -> thm
+transitive : thm -> thm -> thm
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{reflexive} $ct$]
+makes the theorem \(ct\equiv ct\).
+
+\item[\ttindexbold{symmetric} $thm$]
+maps the premise $a\equiv b$ to the conclusion $b\equiv a$.
+
+\item[\ttindexbold{transitive} $thm@1$ $thm@2$]
+maps the premises $a\equiv b$ and $b\equiv c$ to the conclusion~${a\equiv c}$.
+\end{ttdescription}
+
+
+\subsection{The $\lambda$-conversion rules}
+\index{lambda calc@$\lambda$-calculus}
+\begin{ttbox}
+beta_conversion : cterm -> thm
+extensional : thm -> thm
+abstract_rule : string -> cterm -> thm -> thm
+combination : thm -> thm -> thm
+\end{ttbox}
+There is no rule for $\alpha$-conversion because Isabelle regards
+$\alpha$-convertible theorems as equal.
+\begin{ttdescription}
+\item[\ttindexbold{beta_conversion} $ct$]
+makes the theorem $((\lambda x.a)(b)) \equiv a[b/x]$, where $ct$ is the
+term $(\lambda x.a)(b)$.
+
+\item[\ttindexbold{extensional} $thm$]
+maps the premise $f(x) \equiv g(x)$ to the conclusion $f\equiv g$.
+Parameter~$x$ is taken from the premise. It may be an unknown or a free
+variable (provided it does not occur in the assumptions); it must not occur
+in $f$ or~$g$.
+
+\item[\ttindexbold{abstract_rule} $v$ $x$ $thm$]
+maps the premise $a\equiv b$ to the conclusion $(\lambda x.a) \equiv
+(\lambda x.b)$, abstracting over all occurrences (if any!) of~$x$.
+Parameter~$x$ is supplied as a cterm. It may be an unknown or a free
+variable (provided it does not occur in the assumptions). In the
+conclusion, the bound variable is named~$v$.
+
+\item[\ttindexbold{combination} $thm@1$ $thm@2$]
+maps the premises $f\equiv g$ and $a\equiv b$ to the conclusion~$f(a)\equiv
+g(b)$.
+\end{ttdescription}
+
+
+\section{Derived rules for goal-directed proof}
+Most of these rules have the sole purpose of implementing particular
+tactics. There are few occasions for applying them directly to a theorem.
+
+\subsection{Resolution}
+\index{resolution}
+\begin{ttbox}
+biresolution : bool -> (bool*thm)list -> int -> thm
+ -> thm Seq.seq
+\end{ttbox}
+\begin{ttdescription}
+\item[\ttindexbold{biresolution} $match$ $rules$ $i$ $state$]
+performs bi-resolution on subgoal~$i$ of $state$, using the list of $\it
+(flag,rule)$ pairs. For each pair, it applies resolution if the flag
+is~{\tt false} and elim-resolution if the flag is~{\tt true}. If $match$
+is~{\tt true}, the $state$ is not instantiated.
+\end{ttdescription}
+
+
+\subsection{Composition: resolution without lifting}
+\index{resolution!without lifting}
+\begin{ttbox}
+compose : thm * int * thm -> thm list
+COMP : thm * thm -> thm
+bicompose : bool -> bool * thm * int -> int -> thm
+ -> thm Seq.seq
+\end{ttbox}
+In forward proof, a typical use of composition is to regard an assertion of
+the form $\phi\Imp\psi$ as atomic. Schematic variables are not renamed, so
+beware of clashes!
+\begin{ttdescription}
+\item[\ttindexbold{compose} ($thm@1$, $i$, $thm@2$)]
+uses $thm@1$, regarded as an atomic formula, to solve premise~$i$
+of~$thm@2$. Let $thm@1$ and $thm@2$ be $\psi$ and $\List{\phi@1; \ldots;
+\phi@n} \Imp \phi$. For each $s$ that unifies~$\psi$ and $\phi@i$, the
+result list contains the theorem
+\[ (\List{\phi@1; \ldots; \phi@{i-1}; \phi@{i+1}; \ldots; \phi@n} \Imp \phi)s.
+\]
+
+\item[$thm@1$ \ttindexbold{COMP} $thm@2$]
+calls \hbox{\tt compose ($thm@1$, 1, $thm@2$)} and returns the result, if
+unique; otherwise, it raises exception~\xdx{THM}\@. It is
+analogous to {\tt RS}\@.
+
+For example, suppose that $thm@1$ is $a=b\Imp b=a$, a symmetry rule, and
+that $thm@2$ is $\List{P\Imp Q; \neg Q} \Imp\neg P$, which is the
+principle of contrapositives. Then the result would be the
+derived rule $\neg(b=a)\Imp\neg(a=b)$.
+
+\item[\ttindexbold{bicompose} $match$ ($flag$, $rule$, $m$) $i$ $state$]
+refines subgoal~$i$ of $state$ using $rule$, without lifting. The $rule$
+is taken to have the form $\List{\psi@1; \ldots; \psi@m} \Imp \psi$, where
+$\psi$ need not be atomic; thus $m$ determines the number of new
+subgoals. If $flag$ is {\tt true} then it performs elim-resolution --- it
+solves the first premise of~$rule$ by assumption and deletes that
+assumption. If $match$ is~{\tt true}, the $state$ is not instantiated.
+\end{ttdescription}
+
+
+\subsection{Other meta-rules}
+\begin{ttbox}
+rename_params_rule : string list * int -> thm -> thm
+\end{ttbox}
+\begin{ttdescription}
+
+\item[\ttindexbold{rename_params_rule} ({\it names}, {\it i}) $thm$]
+uses the $names$ to rename the parameters of premise~$i$ of $thm$. The
+names must be distinct. If there are fewer names than parameters, then the
+rule renames the innermost parameters and may modify the remaining ones to
+ensure that all the parameters are distinct.
+\index{parameters!renaming}
+
+\end{ttdescription}
+\index{meta-rules|)}
+
+
+\section{Proof terms}\label{sec:proofObjects}
+\index{proof terms|(} Isabelle can record the full meta-level proof of each
+theorem. The proof term contains all logical inferences in detail.
+%while
+%omitting bookkeeping steps that have no logical meaning to an outside
+%observer. Rewriting steps are recorded in similar detail as the output of
+%simplifier tracing.
+Resolution and rewriting steps are broken down to primitive rules of the
+meta-logic. The proof term can be inspected by a separate proof-checker,
+for example.
+
+According to the well-known {\em Curry-Howard isomorphism}, a proof can
+be viewed as a $\lambda$-term. Following this idea, proofs
+in Isabelle are internally represented by a datatype similar to the one for
+terms described in \S\ref{sec:terms}.
+\begin{ttbox}
+infix 8 % %%;
+
+datatype proof =
+ PBound of int
+ | Abst of string * typ option * proof
+ | AbsP of string * term option * proof
+ | op % of proof * term option
+ | op %% of proof * proof
+ | Hyp of term
+ | PThm of (string * (string * string list) list) *
+ proof * term * typ list option
+ | PAxm of string * term * typ list option
+ | Oracle of string * term * typ list option
+ | MinProof of proof list;
+\end{ttbox}
+
+\begin{ttdescription}
+\item[\ttindexbold{Abst} ($a$, $\tau$, $prf$)] is the abstraction over
+a {\it term variable} of type $\tau$ in the body $prf$. Logically, this
+corresponds to $\bigwedge$ introduction. The name $a$ is used only for
+parsing and printing.
+\item[\ttindexbold{AbsP} ($a$, $\varphi$, $prf$)] is the abstraction
+over a {\it proof variable} standing for a proof of proposition $\varphi$
+in the body $prf$. This corresponds to $\Longrightarrow$ introduction.
+\item[$prf$ \% $t$] \index{\%@{\tt\%}|bold}
+is the application of proof $prf$ to term $t$
+which corresponds to $\bigwedge$ elimination.
+\item[$prf@1$ \%\% $prf@2$] \index{\%\%@{\tt\%\%}|bold}
+is the application of proof $prf@1$ to
+proof $prf@2$ which corresponds to $\Longrightarrow$ elimination.
+\item[\ttindexbold{PBound} $i$] is a {\em proof variable} with de Bruijn
+\cite{debruijn72} index $i$.
+\item[\ttindexbold{Hyp} $\varphi$] corresponds to the use of a meta level
+hypothesis $\varphi$.
+\item[\ttindexbold{PThm} (($name$, $tags$), $prf$, $\varphi$, $\overline{\tau}$)]
+stands for a pre-proved theorem, where $name$ is the name of the theorem,
+$prf$ is its actual proof, $\varphi$ is the proven proposition,
+and $\overline{\tau}$ is
+a type assignment for the type variables occurring in the proposition.
+\item[\ttindexbold{PAxm} ($name$, $\varphi$, $\overline{\tau}$)]
+corresponds to the use of an axiom with name $name$ and proposition
+$\varphi$, where $\overline{\tau}$ is a type assignment for the type
+variables occurring in the proposition.
+\item[\ttindexbold{Oracle} ($name$, $\varphi$, $\overline{\tau}$)]
+denotes the invocation of an oracle with name $name$ which produced
+a proposition $\varphi$, where $\overline{\tau}$ is a type assignment
+for the type variables occurring in the proposition.
+\item[\ttindexbold{MinProof} $prfs$]
+represents a {\em minimal proof} where $prfs$ is a list of theorems,
+axioms or oracles.
+\end{ttdescription}
+Note that there are no separate constructors
+for abstraction and application on the level of {\em types}, since
+instantiation of type variables is accomplished via the type assignments
+attached to {\tt Thm}, {\tt Axm} and {\tt Oracle}.
+
+Each theorem's derivation is stored as the {\tt der} field of its internal
+record:
+\begin{ttbox}
+#2 (#der (rep_thm conjI));
+{\out PThm (("HOL.conjI", []),}
+{\out AbsP ("H", None, AbsP ("H", None, \dots)), \dots, None) %}
+{\out None % None : Proofterm.proof}
+\end{ttbox}
+This proof term identifies a labelled theorem, {\tt conjI} of theory
+\texttt{HOL}, whose underlying proof is
+{\tt AbsP ("H", None, AbsP ("H", None, $\dots$))}.
+The theorem is applied to two (implicit) term arguments, which correspond
+to the two variables occurring in its proposition.
+
+Isabelle's inference kernel can produce proof objects with different
+levels of detail. This is controlled via the global reference variable
+\ttindexbold{proofs}:
+\begin{ttdescription}
+\item[proofs := 0;] only record uses of oracles
+\item[proofs := 1;] record uses of oracles as well as dependencies
+ on other theorems and axioms
+\item[proofs := 2;] record inferences in full detail
+\end{ttdescription}
+Reconstruction and checking of proofs as described in \S\ref{sec:reconstruct_proofs}
+will not work for proofs constructed with {\tt proofs} set to
+{\tt 0} or {\tt 1}.
+Theorems involving oracles will be printed with a
+suffixed \verb|[!]| to point out the different quality of confidence achieved.
+
+\medskip
+
+The dependencies of theorems can be viewed using the function
+\ttindexbold{thm_deps}\index{theorems!dependencies}:
+\begin{ttbox}
+thm_deps [\(thm@1\), \(\ldots\), \(thm@n\)];
+\end{ttbox}
+generates the dependency graph of the theorems $thm@1$, $\ldots$, $thm@n$ and
+displays it using Isabelle's graph browser. For this to work properly,
+the theorems in question have to be proved with {\tt proofs} set to a value
+greater than {\tt 0}. You can use
+\begin{ttbox}
+ThmDeps.enable : unit -> unit
+ThmDeps.disable : unit -> unit
+\end{ttbox}
+to set \texttt{proofs} appropriately.
+
+\subsection{Reconstructing and checking proof terms}\label{sec:reconstruct_proofs}
+\index{proof terms!reconstructing}
+\index{proof terms!checking}
+
+When looking at the above datatype of proofs more closely, one notices that
+some arguments of constructors are {\it optional}. The reason for this is that
+keeping a full proof term for each theorem would result in enormous memory
+requirements. Fortunately, typical proof terms usually contain quite a lot of
+redundant information that can be reconstructed from the context. Therefore,
+Isabelle's inference kernel creates only {\em partial} (or {\em implicit})
+\index{proof terms!partial} proof terms, in which
+all typing information in terms, all term and type labels of abstractions
+{\tt AbsP} and {\tt Abst}, and (if possible) some argument terms of
+\verb!%! are omitted. The following functions are available for
+reconstructing and checking proof terms:
+\begin{ttbox}
+Reconstruct.reconstruct_proof :
+ Sign.sg -> term -> Proofterm.proof -> Proofterm.proof
+Reconstruct.expand_proof :
+ Sign.sg -> string list -> Proofterm.proof -> Proofterm.proof
+ProofChecker.thm_of_proof : theory -> Proofterm.proof -> thm
+\end{ttbox}
+
+\begin{ttdescription}
+\item[Reconstruct.reconstruct_proof $sg$ $t$ $prf$]
+turns the partial proof $prf$ into a full proof of the
+proposition denoted by $t$, with respect to signature $sg$.
+Reconstruction will fail with an error message if $prf$
+is not a proof of $t$, is ill-formed, or does not contain
+sufficient information for reconstruction by
+{\em higher order pattern unification}
+\cite{nipkow-patterns, Berghofer-Nipkow:2000:TPHOL}.
+The latter may only happen for proofs
+built up ``by hand'' but not for those produced automatically
+by Isabelle's inference kernel.
+\item[Reconstruct.expand_proof $sg$
+ \ttlbrack$name@1$, $\ldots$, $name@n${\ttrbrack} $prf$]
+expands and reconstructs the proofs of all theorems with names
+$name@1$, $\ldots$, $name@n$ in the (full) proof $prf$.
+\item[ProofChecker.thm_of_proof $thy$ $prf$] turns the (full) proof
+$prf$ into a theorem with respect to theory $thy$ by replaying
+it using only primitive rules from Isabelle's inference kernel.
+\end{ttdescription}
+
+\subsection{Parsing and printing proof terms}
+\index{proof terms!parsing}
+\index{proof terms!printing}
+
+Isabelle offers several functions for parsing and printing
+proof terms. The concrete syntax for proof terms is described
+in Fig.\ts\ref{fig:proof_gram}.
+Implicit term arguments in partial proofs are indicated
+by ``{\tt _}''.
+Type arguments for theorems and axioms may be specified using
+\verb!%! or ``$\cdot$'' with an argument of the form {\tt TYPE($type$)}
+(see \S\ref{sec:basic_syntax}).
+They must appear before any other term argument of a theorem
+or axiom. In contrast to term arguments, type arguments may
+be completely omitted.
+\begin{ttbox}
+ProofSyntax.read_proof : theory -> bool -> string -> Proofterm.proof
+ProofSyntax.pretty_proof : Sign.sg -> Proofterm.proof -> Pretty.T
+ProofSyntax.pretty_proof_of : bool -> thm -> Pretty.T
+ProofSyntax.print_proof_of : bool -> thm -> unit
+\end{ttbox}
+\begin{figure}
+\begin{center}
+\begin{tabular}{rcl}
+$proof$ & $=$ & {\tt Lam} $params${\tt .} $proof$ ~~$|$~~
+ $\Lambda params${\tt .} $proof$ \\
+ & $|$ & $proof$ \verb!%! $any$ ~~$|$~~
+ $proof$ $\cdot$ $any$ \\
+ & $|$ & $proof$ \verb!%%! $proof$ ~~$|$~~
+ $proof$ {\boldmath$\cdot$} $proof$ \\
+ & $|$ & $id$ ~~$|$~~ $longid$ \\\\
+$param$ & $=$ & $idt$ ~~$|$~~ $idt$ {\tt :} $prop$ ~~$|$~~
+ {\tt (} $param$ {\tt )} \\\\
+$params$ & $=$ & $param$ ~~$|$~~ $param$ $params$
+\end{tabular}
+\end{center}
+\caption{Proof term syntax}\label{fig:proof_gram}
+\end{figure}
+The function {\tt read_proof} reads in a proof term with
+respect to a given theory. The boolean flag indicates whether
+the proof term to be parsed contains explicit typing information
+to be taken into account.
+Usually, typing information is left implicit and
+is inferred during proof reconstruction. The pretty printing
+functions operating on theorems take a boolean flag as an
+argument which indicates whether the proof term should
+be reconstructed before printing.
+
+The following example (based on Isabelle/HOL) illustrates how
+to parse and check proof terms. We start by parsing a partial
+proof term
+\begin{ttbox}
+val prf = ProofSyntax.read_proof Main.thy false
+ "impI % _ % _ %% (Lam H : _. conjE % _ % _ % _ %% H %%
+ (Lam (H1 : _) H2 : _. conjI % _ % _ %% H2 %% H1))";
+{\out val prf = PThm (("HOL.impI", []), \dots, \dots, None) % None % None %%}
+{\out AbsP ("H", None, PThm (("HOL.conjE", []), \dots, \dots, None) %}
+{\out None % None % None %% PBound 0 %%}
+{\out AbsP ("H1", None, AbsP ("H2", None, \dots))) : Proofterm.proof}
+\end{ttbox}
+The statement to be established by this proof is
+\begin{ttbox}
+val t = term_of
+ (read_cterm (sign_of Main.thy) ("A & B --> B & A", propT));
+{\out val t = Const ("Trueprop", "bool => prop") $}
+{\out (Const ("op -->", "[bool, bool] => bool") $}
+{\out \dots $ \dots : Term.term}
+\end{ttbox}
+Using {\tt t} we can reconstruct the full proof
+\begin{ttbox}
+val prf' = Reconstruct.reconstruct_proof (sign_of Main.thy) t prf;
+{\out val prf' = PThm (("HOL.impI", []), \dots, \dots, Some []) %}
+{\out Some (Const ("op &", \dots) $ Free ("A", \dots) $ Free ("B", \dots)) %}
+{\out Some (Const ("op &", \dots) $ Free ("B", \dots) $ Free ("A", \dots)) %%}
+{\out AbsP ("H", Some (Const ("Trueprop", \dots) $ \dots), \dots)}
+{\out : Proofterm.proof}
+\end{ttbox}
+This proof can finally be turned into a theorem
+\begin{ttbox}
+val thm = ProofChecker.thm_of_proof Main.thy prf';
+{\out val thm = "A & B --> B & A" : Thm.thm}
+\end{ttbox}
+
+\index{proof terms|)}
+\index{theorems|)}
+
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: "ref"
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Ref/undocumented.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,268 @@
+%%%%Currently UNDOCUMENTED low-level functions! from previous manual
+
+%%%%Low level information about terms and module Logic.
+%%%%Mainly used for implementation of Pure.
+
+%move to ML sources?
+
+\subsection{Basic declarations}
+The implication symbol is {\tt implies}.
+
+The term \verb|all T| is the universal quantifier for type {\tt T}\@.
+
+The term \verb|equals T| is the equality predicate for type {\tt T}\@.
+
+
+There are a number of basic functions on terms and types.
+
+\index{--->}
+\beginprog
+op ---> : typ list * typ -> typ
+\endprog
+Given types \([ \tau_1, \ldots, \tau_n]\) and \(\tau\), it
+forms the type \(\tau_1\to \cdots \to (\tau_n\to\tau)\).
+
+Calling {\prog{}type_of \${t}}\index{type_of} computes the type of the
+term~$t$. Raises exception {\tt TYPE} unless applications are well-typed.
+
+
+Calling \verb|subst_bounds|$([u_{n-1},\ldots,u_0],\,t)$\index{subst_bounds}
+substitutes the $u_i$ for loose bound variables in $t$. This achieves
+\(\beta\)-reduction of \(u_{n-1} \cdots u_0\) into $t$, replacing {\tt
+Bound~i} with $u_i$. For \((\lambda x y.t)(u,v)\), the bound variable
+indices in $t$ are $x:1$ and $y:0$. The appropriate call is
+\verb|subst_bounds([v,u],t)|. Loose bound variables $\geq n$ are reduced
+by $n$ to compensate for the disappearance of $n$ lambdas.
+
+\index{maxidx_of_term}
+\beginprog
+maxidx_of_term: term -> int
+\endprog
+Computes the maximum index of all the {\tt Var}s in a term.
+If there are no {\tt Var}s, the result is \(-1\).
+
+\index{term_match}
+\beginprog
+term_match: (term*term)list * term*term -> (term*term)list
+\endprog
+Calling \verb|term_match(vts,t,u)| instantiates {\tt Var}s in {\tt t} to
+match it with {\tt u}. The resulting list of variable/term pairs extends
+{\tt vts}, which is typically empty. First-order pattern matching is used
+to implement meta-level rewriting.
+
+
+\subsection{The representation of object-rules}
+The module {\tt Logic} contains operations concerned with inference ---
+especially, for constructing and destructing terms that represent
+object-rules.
+
+\index{occs}
+\beginprog
+op occs: term*term -> bool
+\endprog
+Does one term occur in the other?
+(This is a reflexive relation.)
+
+\index{add_term_vars}
+\beginprog
+add_term_vars: term*term list -> term list
+\endprog
+Accumulates the {\tt Var}s in the term, suppressing duplicates.
+The second argument should be the list of {\tt Var}s found so far.
+
+\index{add_term_frees}
+\beginprog
+add_term_frees: term*term list -> term list
+\endprog
+Accumulates the {\tt Free}s in the term, suppressing duplicates.
+The second argument should be the list of {\tt Free}s found so far.
+
+\index{mk_equals}
+\beginprog
+mk_equals: term*term -> term
+\endprog
+Given $t$ and $u$ makes the term $t\equiv u$.
+
+\index{dest_equals}
+\beginprog
+dest_equals: term -> term*term
+\endprog
+Given $t\equiv u$ returns the pair $(t,u)$.
+
+\index{list_implies:}
+\beginprog
+list_implies: term list * term -> term
+\endprog
+Given the pair $([\phi_1,\ldots, \phi_m], \phi)$
+makes the term \([\phi_1;\ldots; \phi_m] \Imp \phi\).
+
+\index{strip_imp_prems}
+\beginprog
+strip_imp_prems: term -> term list
+\endprog
+Given \([\phi_1;\ldots; \phi_m] \Imp \phi\)
+returns the list \([\phi_1,\ldots, \phi_m]\).
+
+\index{strip_imp_concl}
+\beginprog
+strip_imp_concl: term -> term
+\endprog
+Given \([\phi_1;\ldots; \phi_m] \Imp \phi\)
+returns the term \(\phi\).
+
+\index{list_equals}
+\beginprog
+list_equals: (term*term)list * term -> term
+\endprog
+For adding flex-flex constraints to an object-rule.
+Given $([(t_1,u_1),\ldots, (t_k,u_k)], \phi)$,
+makes the term \([t_1\equiv u_1;\ldots; t_k\equiv u_k]\Imp \phi\).
+
+\index{strip_equals}
+\beginprog
+strip_equals: term -> (term*term) list * term
+\endprog
+Given \([t_1\equiv u_1;\ldots; t_k\equiv u_k]\Imp \phi\),
+returns $([(t_1,u_1),\ldots, (t_k,u_k)], \phi)$.
+
+\index{rule_of}
+\beginprog
+rule_of: (term*term)list * term list * term -> term
+\endprog
+Makes an object-rule: given the triple
+\[ ([(t_1,u_1),\ldots, (t_k,u_k)], [\phi_1,\ldots, \phi_m], \phi) \]
+returns the term
+\([t_1\equiv u_1;\ldots; t_k\equiv u_k; \phi_1;\ldots; \phi_m]\Imp \phi\)
+
+\index{strip_horn}
+\beginprog
+strip_horn: term -> (term*term)list * term list * term
+\endprog
+Breaks an object-rule into its parts: given
+\[ [t_1\equiv u_1;\ldots; t_k\equiv u_k; \phi_1;\ldots; \phi_m] \Imp \phi \]
+returns the triple
+\(([(t_k,u_k),\ldots, (t_1,u_1)], [\phi_1,\ldots, \phi_m], \phi).\)
+
+\index{strip_assums}
+\beginprog
+strip_assums: term -> (term*int) list * (string*typ) list * term
+\endprog
+Strips premises of a rule allowing a more general form,
+where $\Forall$ and $\Imp$ may be intermixed.
+This is typical of assumptions of a subgoal in natural deduction.
+Returns additional information about the number, names,
+and types of quantified variables.
+
+
+\index{strip_prems}
+\beginprog
+strip_prems: int * term list * term -> term list * term
+\endprog
+For finding premise (or subgoal) $i$: given the triple
+\( (i, [], \phi_1;\ldots \phi_i\Imp \phi) \)
+it returns another triple,
+\((\phi_i, [\phi_{i-1},\ldots, \phi_1], \phi)\),
+where $\phi$ need not be atomic. Raises an exception if $i$ is out of
+range.
+
+
+\subsection{Environments}
+The module {\tt Envir} (which is normally closed)
+declares a type of environments.
+An environment holds variable assignments
+and the next index to use when generating a variable.
+\par\indent\vbox{\small \begin{verbatim}
+ datatype env = Envir of {asol: term xolist, maxidx: int}
+\end{verbatim}}
+The operations of lookup, update, and generation of variables
+are used during unification.
+
+\beginprog
+empty: int->env
+\endprog
+Creates the environment with no assignments
+and the given index.
+
+\beginprog
+lookup: env * indexname -> term option
+\endprog
+Looks up a variable, specified by its indexname,
+and returns {\tt None} or {\tt Some} as appropriate.
+
+\beginprog
+update: (indexname * term) * env -> env
+\endprog
+Given a variable, term, and environment,
+produces {\em a new environment\/} where the variable has been updated.
+This has no side effect on the given environment.
+
+\beginprog
+genvar: env * typ -> env * term
+\endprog
+Generates a variable of the given type and returns it,
+paired with a new environment (with incremented {\tt maxidx} field).
+
+\beginprog
+alist_of: env -> (indexname * term) list
+\endprog
+Converts an environment into an association list
+containing the assignments.
+
+\beginprog
+norm_term: env -> term -> term
+\endprog
+
+Copies a term,
+following assignments in the environment,
+and performing all possible \(\beta\)-reductions.
+
+\beginprog
+rewrite: (env * (term*term)list) -> term -> term
+\endprog
+Rewrites a term using the given term pairs as rewrite rules. Assignments
+are ignored; the environment is used only with {\tt genvar}, to generate
+unique {\tt Var}s as placeholders for bound variables.
+
+
+\subsection{The unification functions}
+
+
+\beginprog
+unifiers: env * ((term*term)list) -> (env * (term*term)list) Seq.seq
+\endprog
+This is the main unification function.
+Given an environment and a list of disagreement pairs,
+it returns a sequence of outcomes.
+Each outcome consists of an updated environment and
+a list of flex-flex pairs (these are discussed below).
+
+\beginprog
+smash_unifiers: env * (term*term)list -> env Seq.seq
+\endprog
+This unification function maps an environment and a list of disagreement
+pairs to a sequence of updated environments. The function obliterates
+flex-flex pairs by choosing the obvious unifier. It may be used to tidy up
+any flex-flex pairs remaining at the end of a proof.
+
+
+\subsubsection{Multiple unifiers}
+The unification procedure performs Huet's {\sc match} operation
+\cite{huet75} in big steps.
+It solves \(\Var{f}(t_1,\ldots,t_p) \equiv u\) for \(\Var{f}\) by finding
+all ways of copying \(u\), first trying projection on the arguments
+\(t_i\). It never copies below any variable in \(u\); instead it returns a
+new variable, resulting in a flex-flex disagreement pair.
+
+
+\beginprog
+type_assign: cterm -> cterm
+\endprog
+Produces a cterm by updating the signature of its argument
+to include all variable/type assignments.
+Type inference under the resulting signature will assume the
+same type assignments as in the argument.
+This is used in the goal package to give persistence to type assignments
+within each proof.
+(Contrast with {\sc lcf}'s sticky types \cite[page 148]{paulson-book}.)
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Sledgehammer/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_sledgehammer.pdf "S/H"
+"$ISABELLE_TOOL" logo -o isabelle_sledgehammer.eps "S/H"
+
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Sledgehammer/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1360 @@
+\documentclass[a4paper,12pt]{article}
+\usepackage[T1]{fontenc}
+\usepackage{amsmath}
+\usepackage{amssymb}
+\usepackage[english,french]{babel}
+\usepackage{color}
+\usepackage{footmisc}
+\usepackage{graphicx}
+%\usepackage{mathpazo}
+\usepackage{multicol}
+\usepackage{stmaryrd}
+%\usepackage[scaled=.85]{beramono}
+\usepackage{isabelle,iman,pdfsetup}
+
+\newcommand\download{\url{http://www21.in.tum.de/~blanchet/\#software}}
+
+\def\qty#1{\ensuremath{\left<\mathit{#1\/}\right>}}
+\def\qtybf#1{$\mathbf{\left<\textbf{\textit{#1\/}}\right>}$}
+
+\newcommand\const[1]{\textsf{#1}}
+
+%\oddsidemargin=4.6mm
+%\evensidemargin=4.6mm
+%\textwidth=150mm
+%\topmargin=4.6mm
+%\headheight=0mm
+%\headsep=0mm
+%\textheight=234mm
+
+\def\Colon{\mathord{:\mkern-1.5mu:}}
+%\def\lbrakk{\mathopen{\lbrack\mkern-3.25mu\lbrack}}
+%\def\rbrakk{\mathclose{\rbrack\mkern-3.255mu\rbrack}}
+\def\lparr{\mathopen{(\mkern-4mu\mid}}
+\def\rparr{\mathclose{\mid\mkern-4mu)}}
+
+\def\unk{{?}}
+\def\undef{(\lambda x.\; \unk)}
+%\def\unr{\textit{others}}
+\def\unr{\ldots}
+\def\Abs#1{\hbox{\rm{\flqq}}{\,#1\,}\hbox{\rm{\frqq}}}
+\def\Q{{\smash{\lower.2ex\hbox{$\scriptstyle?$}}}}
+
+\urlstyle{tt}
+
+\begin{document}
+
+%%% TYPESETTING
+%\renewcommand\labelitemi{$\bullet$}
+\renewcommand\labelitemi{\raise.065ex\hbox{\small\textbullet}}
+
+\selectlanguage{english}
+
+\title{\includegraphics[scale=0.5]{isabelle_sledgehammer} \\[4ex]
+Hammering Away \\[\smallskipamount]
+\Large A User's Guide to Sledgehammer for Isabelle/HOL}
+\author{\hbox{} \\
+Jasmin Christian Blanchette \\
+{\normalsize Institut f\"ur Informatik, Technische Universit\"at M\"unchen} \\[4\smallskipamount]
+{\normalsize with contributions from} \\[4\smallskipamount]
+Lawrence C. Paulson \\
+{\normalsize Computer Laboratory, University of Cambridge} \\
+\hbox{}}
+
+\maketitle
+
+\tableofcontents
+
+\setlength{\parskip}{.7em plus .2em minus .1em}
+\setlength{\parindent}{0pt}
+\setlength{\abovedisplayskip}{\parskip}
+\setlength{\abovedisplayshortskip}{.9\parskip}
+\setlength{\belowdisplayskip}{\parskip}
+\setlength{\belowdisplayshortskip}{.9\parskip}
+
+% General-purpose enum environment with correct spacing
+\newenvironment{enum}%
+ {\begin{list}{}{%
+ \setlength{\topsep}{.1\parskip}%
+ \setlength{\partopsep}{.1\parskip}%
+ \setlength{\itemsep}{\parskip}%
+ \advance\itemsep by-\parsep}}
+ {\end{list}}
+
+\def\pre{\begingroup\vskip0pt plus1ex\advance\leftskip by\leftmargin
+\advance\rightskip by\leftmargin}
+\def\post{\vskip0pt plus1ex\endgroup}
+
+\def\prew{\pre\advance\rightskip by-\leftmargin}
+\def\postw{\post}
+
+\section{Introduction}
+\label{introduction}
+
+Sledgehammer is a tool that applies automatic theorem provers (ATPs)
+and satisfiability-modulo-theories (SMT) solvers on the current goal.%
+\footnote{The distinction between ATPs and SMT solvers is convenient but mostly
+historical. The two communities are converging, with more and more ATPs
+supporting typical SMT features such as arithmetic and sorts, and a few SMT
+solvers parsing ATP syntaxes. There is also a strong technological connection
+between instantiation-based ATPs (such as iProver and iProver-Eq) and SMT
+solvers.}
+%
+The supported ATPs are E \cite{schulz-2002}, E-SInE \cite{sine}, E-ToFoF
+\cite{tofof}, iProver \cite{korovin-2009}, iProver-Eq
+\cite{korovin-sticksel-2010}, LEO-II \cite{leo2}, Satallax \cite{satallax},
+SNARK \cite{snark}, SPASS \cite{weidenbach-et-al-2009}, Vampire
+\cite{riazanov-voronkov-2002}, and Waldmeister \cite{waldmeister}. The ATPs are
+run either locally or remotely via the System\-On\-TPTP web service
+\cite{sutcliffe-2000}. In addition to the ATPs, a selection of the SMT solvers
+CVC3 \cite{cvc3}, Yices \cite{yices}, and Z3 \cite{z3} are run by default, and
+you can tell Sledgehammer to try Alt-Ergo \cite{alt-ergo} as well; these are run
+either locally or (for CVC3 and Z3) on a server at the TU M\"unchen.
+
+The problem passed to the automatic provers consists of your current goal
+together with a heuristic selection of hundreds of facts (theorems) from the
+current theory context, filtered by relevance. Because jobs are run in the
+background, you can continue to work on your proof by other means. Provers can
+be run in parallel. Any reply (which may arrive half a minute later) will appear
+in the Proof General response buffer.
+
+The result of a successful proof search is some source text that usually (but
+not always) reconstructs the proof within Isabelle. For ATPs, the reconstructed
+proof relies on the general-purpose \textit{metis} proof method, which
+integrates the Metis ATP in Isabelle/HOL with explicit inferences going through
+the kernel. Thus its results are correct by construction.
+
+In this manual, we will explicitly invoke the \textbf{sledgehammer} command.
+Sledgehammer also provides an automatic mode that can be enabled via the ``Auto
+Sledgehammer'' option in Proof General's ``Isabelle'' menu. In this mode,
+Sledgehammer is run on every newly entered theorem. The time limit for Auto
+Sledgehammer and other automatic tools can be set using the ``Auto Tools Time
+Limit'' option.
+
+\newbox\boxA
+\setbox\boxA=\hbox{\texttt{NOSPAM}}
+
+\newcommand\authoremail{\texttt{blan{\color{white}NOSPAM}\kern-\wd\boxA{}chette@\allowbreak
+in.\allowbreak tum.\allowbreak de}}
+
+To run Sledgehammer, you must make sure that the theory \textit{Sledgehammer} is
+imported---this is rarely a problem in practice since it is part of
+\textit{Main}. Examples of Sledgehammer use can be found in Isabelle's
+\texttt{src/HOL/Metis\_Examples} directory.
+Comments and bug reports concerning Sledgehammer or this manual should be
+directed to the author at \authoremail.
+
+\vskip2.5\smallskipamount
+
+%\textbf{Acknowledgment.} The author would like to thank Mark Summerfield for
+%suggesting several textual improvements.
+
+\section{Installation}
+\label{installation}
+
+Sledgehammer is part of Isabelle, so you do not need to install it. However, it
+relies on third-party automatic provers (ATPs and SMT solvers).
+
+Among the ATPs, E, LEO-II, Satallax, SPASS, and Vampire can be run locally; in
+addition, E, E-SInE, E-ToFoF, iProver, iProver-Eq, LEO-II, Satallax, SNARK,
+Vampire, and Waldmeister are available remotely via System\-On\-TPTP
+\cite{sutcliffe-2000}. If you want better performance, you should at least
+install E and SPASS locally.
+
+The SMT solvers Alt-Ergo, CVC3, Yices, and Z3 can be run locally, and CVC3 and
+Z3 can be run remotely on a TU M\"unchen server. If you want better performance
+and get the ability to replay proofs that rely on the \emph{smt} proof method
+without an Internet connection, you should at least have Z3 locally installed.
+
+There are three main ways to install automatic provers on your machine:
+
+\begin{sloppy}
+\begin{enum}
+\item[\labelitemi] If you installed an official Isabelle package, it should
+already include properly setup executables for CVC3, E, SPASS, and Z3, ready to use.%
+\footnote{Vampire's and Yices's licenses prevent us from doing the same for
+these otherwise remarkable tools.}
+For Z3, you must additionally set the variable
+\texttt{Z3\_NON\_COMMERCIAL} to ``yes'' to confirm that you are a
+noncommercial user, either in the environment in which Isabelle is
+launched or in your
+\texttt{\$ISABELLE\_HOME\_USER/etc/settings} file.
+
+\item[\labelitemi] Alternatively, you can download the Isabelle-aware CVC3, E,
+SPASS, and Z3 binary packages from \download. Extract the archives, then add a
+line to your \texttt{\$ISABELLE\_HOME\_USER\slash etc\slash components}%
+\footnote{The variable \texttt{\$ISABELLE\_HOME\_USER} is set by Isabelle at
+startup. Its value can be retrieved by executing \texttt{isabelle}
+\texttt{getenv} \texttt{ISABELLE\_HOME\_USER} on the command line.}
+file with the absolute path to CVC3, E, SPASS, or Z3. For example, if the
+\texttt{components} file does not exist yet and you extracted SPASS to
+\texttt{/usr/local/spass-3.8ds}, create it with the single line
+
+\prew
+\texttt{/usr/local/spass-3.8ds}
+\postw
+
+in it.
+
+\item[\labelitemi] If you prefer to build E, LEO-II, Satallax, or SPASS
+manually, or found a Vampire executable somewhere (e.g.,
+\url{http://www.vprover.org/}), set the environment variable \texttt{E\_HOME},
+\texttt{LEO2\_HOME}, \texttt{SATALLAX\_HOME}, \texttt{SPASS\_HOME}, or
+\texttt{VAMPIRE\_HOME} to the directory that contains the \texttt{eproof},
+\texttt{leo}, \texttt{satallax}, \texttt{SPASS}, or \texttt{vampire} executable.
+Sledgehammer has been tested with E 1.0 to 1.4, LEO-II 1.3.4, Satallax 2.2, 2.3,
+and 2.4, SPASS 3.8ds, and Vampire 0.6 to 2.6.%
+\footnote{Following the rewrite of Vampire, the counter for version numbers was
+reset to 0; hence the (new) Vampire versions 0.6, 1.0, 1.8, and 2.6 are more
+recent than 9.0 or 11.5.}%
+Since the ATPs' output formats are neither documented nor stable, other
+versions might not work well with Sledgehammer. Ideally,
+you should also set \texttt{E\_VERSION}, \texttt{LEO2\_VERSION},
+\texttt{SATALLAX\_VERSION}, \texttt{SPASS\_VERSION}, or
+\texttt{VAMPIRE\_VERSION} to the prover's version number (e.g., ``1.4'').
+
+Similarly, if you want to build Alt-Ergo or CVC3, or found a
+Yices or Z3 executable somewhere (e.g.,
+\url{http://yices.csl.sri.com/download.shtml} or
+\url{http://research.microsoft.com/en-us/um/redmond/projects/z3/download.html}),
+set the environment variable \texttt{CVC3\_\allowbreak SOLVER},
+\texttt{YICES\_SOLVER}, or \texttt{Z3\_SOLVER} to the complete path of
+the executable, \emph{including the file name};
+for Alt-Ergo, set the
+environment variable \texttt{WHY3\_HOME} to the directory that contains the
+\texttt{why3} executable.
+Sledgehammer has been tested with Alt-Ergo 0.93 and 0.94, CVC3 2.2 and 2.4.1,
+Yices 1.0.28 and 1.0.33, and Z3 3.0 to 4.0. Since the SMT solvers' output
+formats are somewhat unstable, other versions of the solvers might not work well
+with Sledgehammer. Ideally, also set \texttt{CVC3\_VERSION},
+\texttt{YICES\_VERSION}, or \texttt{Z3\_VERSION} to the solver's version number
+(e.g., ``4.0'').
+\end{enum}
+\end{sloppy}
+
+To check whether E, SPASS, Vampire, and/or Z3 are successfully installed, try
+out the example in \S\ref{first-steps}. If the remote versions of any of these
+provers is used (identified by the prefix ``\emph{remote\_\/}''), or if the
+local versions fail to solve the easy goal presented there, something must be
+wrong with the installation.
+
+Remote prover invocation requires Perl with the World Wide Web Library
+(\texttt{libwww-perl}) installed. If you must use a proxy server to access the
+Internet, set the \texttt{http\_proxy} environment variable to the proxy, either
+in the environment in which Isabelle is launched or in your
+\texttt{\$ISABELLE\_HOME\_USER/etc/settings} file. Here are a few
+examples:
+
+\prew
+\texttt{http\_proxy=http://proxy.example.org} \\
+\texttt{http\_proxy=http://proxy.example.org:8080} \\
+\texttt{http\_proxy=http://joeblow:pAsSwRd@proxy.example.org}
+\postw
+
+\section{First Steps}
+\label{first-steps}
+
+To illustrate Sledgehammer in context, let us start a theory file and
+attempt to prove a simple lemma:
+
+\prew
+\textbf{theory}~\textit{Scratch} \\
+\textbf{imports}~\textit{Main} \\
+\textbf{begin} \\[2\smallskipamount]
+%
+\textbf{lemma} ``$[a] = [b] \,\Longrightarrow\, a = b$'' \\
+\textbf{sledgehammer}
+\postw
+
+Instead of issuing the \textbf{sledgehammer} command, you can also find
+Sledgehammer in the ``Commands'' submenu of the ``Isabelle'' menu in Proof
+General or press the Emacs key sequence C-c C-a C-s.
+Either way, Sledgehammer produces the following output after a few seconds:
+
+\prew
+\slshape
+Sledgehammer: ``\textit{e\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis last\_ConsL}) (64 ms). \\[3\smallskipamount]
+%
+Sledgehammer: ``\textit{z3\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis list.inject}) (20 ms). \\[3\smallskipamount]
+%
+Sledgehammer: ``\textit{vampire\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis hd.simps}) (14 ms). \\[3\smallskipamount]
+%
+Sledgehammer: ``\textit{spass\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis list.inject}) (17 ms). \\[3\smallskipamount]
+%
+Sledgehammer: ``\textit{remote\_waldmeister\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis hd.simps}) (15 ms). \\[3\smallskipamount]
+%
+Sledgehammer: ``\textit{remote\_e\_sine\/}'' on goal \\
+$[a] = [b] \,\Longrightarrow\, a = b$ \\
+Try this: \textbf{by} (\textit{metis hd.simps}) (18 ms).
+\postw
+
+Sledgehammer ran E, E-SInE, SPASS, Vampire, Waldmeister, and Z3 in parallel.
+Depending on which provers are installed and how many processor cores are
+available, some of the provers might be missing or present with a
+\textit{remote\_} prefix. Waldmeister is run only for unit equational problems,
+where the goal's conclusion is a (universally quantified) equation.
+
+For each successful prover, Sledgehammer gives a one-liner \textit{metis} or
+\textit{smt} method call. Rough timings are shown in parentheses, indicating how
+fast the call is. You can click the proof to insert it into the theory text.
+
+In addition, you can ask Sledgehammer for an Isar text proof by passing the
+\textit{isar\_proof} option (\S\ref{output-format}):
+
+\prew
+\textbf{sledgehammer} [\textit{isar\_proof}]
+\postw
+
+When Isar proof construction is successful, it can yield proofs that are more
+readable and also faster than the \textit{metis} or \textit{smt} one-liners.
+This feature is experimental and is only available for ATPs.
+
+\section{Hints}
+\label{hints}
+
+This section presents a few hints that should help you get the most out of
+Sledgehammer. Frequently asked questions are answered in
+\S\ref{frequently-asked-questions}.
+
+%\newcommand\point[1]{\medskip\par{\sl\bfseries#1}\par\nopagebreak}
+\newcommand\point[1]{\subsection{\emph{#1}}}
+
+\point{Presimplify the goal}
+
+For best results, first simplify your problem by calling \textit{auto} or at
+least \textit{safe} followed by \textit{simp\_all}. The SMT solvers provide
+arithmetic decision procedures, but the ATPs typically do not (or if they do,
+Sledgehammer does not use it yet). Apart from Waldmeister, they are not
+especially good at heavy rewriting, but because they regard equations as
+undirected, they often prove theorems that require the reverse orientation of a
+\textit{simp} rule. Higher-order problems can be tackled, but the success rate
+is better for first-order problems. Hence, you may get better results if you
+first simplify the problem to remove higher-order features.
+
+\point{Make sure E, SPASS, Vampire, and Z3 are locally installed}
+
+Locally installed provers are faster and more reliable than those running on
+servers. See \S\ref{installation} for details on how to install them.
+
+\point{Familiarize yourself with the most important options}
+
+Sledgehammer's options are fully documented in \S\ref{command-syntax}. Many of
+the options are very specialized, but serious users of the tool should at least
+familiarize themselves with the following options:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{provers}} (\S\ref{mode-of-operation}) specifies
+the automatic provers (ATPs and SMT solvers) that should be run whenever
+Sledgehammer is invoked (e.g., ``\textit{provers}~= \textit{e spass
+remote\_vampire\/}''). For convenience, you can omit ``\textit{provers}~=''
+and simply write the prover names as a space-separated list (e.g., ``\textit{e
+spass remote\_vampire\/}'').
+
+\item[\labelitemi] \textbf{\textit{max\_facts}} (\S\ref{relevance-filter})
+specifies the maximum number of facts that should be passed to the provers. By
+default, the value is prover-dependent but varies between about 50 and 1000. If
+the provers time out, you can try lowering this value to, say, 25 or 50 and see
+if that helps.
+
+\item[\labelitemi] \textbf{\textit{isar\_proof}} (\S\ref{output-format}) specifies
+that Isar proofs should be generated, instead of one-liner \textit{metis} or
+\textit{smt} proofs. The length of the Isar proofs can be controlled by setting
+\textit{isar\_shrink\_factor} (\S\ref{output-format}).
+
+\item[\labelitemi] \textbf{\textit{timeout}} (\S\ref{timeouts}) controls the
+provers' time limit. It is set to 30 seconds, but since Sledgehammer runs
+asynchronously you should not hesitate to raise this limit to 60 or 120 seconds
+if you are the kind of user who can think clearly while ATPs are active.
+\end{enum}
+
+Options can be set globally using \textbf{sledgehammer\_params}
+(\S\ref{command-syntax}). The command also prints the list of all available
+options with their current value. Fact selection can be influenced by specifying
+``$(\textit{add}{:}~\textit{my\_facts})$'' after the \textbf{sledgehammer} call
+to ensure that certain facts are included, or simply ``$(\textit{my\_facts})$''
+to force Sledgehammer to run only with $\textit{my\_facts}$.
+
+\section{Frequently Asked Questions}
+\label{frequently-asked-questions}
+
+This sections answers frequently (and infrequently) asked questions about
+Sledgehammer. It is a good idea to skim over it now even if you do not have any
+questions at this stage. And if you have any further questions not listed here,
+send them to the author at \authoremail.
+
+\point{Which facts are passed to the automatic provers?}
+
+Sledgehammer heuristically selects a few hundred relevant lemmas from the
+currently loaded libraries. The component that performs this selection is
+called \emph{relevance filter}.
+
+\begin{enum}
+\item[\labelitemi]
+The traditional relevance filter, called \emph{MePo}
+(\underline{Me}ng--\underline{Pau}lson), assigns a score to every available fact
+(lemma, theorem, definition, or axiom) based upon how many constants that fact
+shares with the conjecture. This process iterates to include facts relevant to
+those just accepted. The constants are weighted to give unusual ones greater
+significance. MePo copes best when the conjecture contains some unusual
+constants; if all the constants are common, it is unable to discriminate among
+the hundreds of facts that are picked up. The filter is also memoryless: It has
+no information about how many times a particular fact has been used in a proof,
+and it cannot learn.
+
+\item[\labelitemi]
+An experimental, memoryful alternative to MePo is \emph{MaSh}
+(\underline{Ma}chine Learner for \underline{S}ledge\underline{h}ammer). It
+relies on an external tool called \texttt{mash} that applies machine learning to
+the problem of finding relevant facts.
+
+\item[\labelitemi] The \emph{Mesh} filter combines MePo and MaSh.
+\end{enum}
+
+The default is either MePo or Mesh, depending on whether \texttt{mash} is
+installed and what class of provers the target prover belongs to
+(\S\ref{relevance-filter}).
+
+The number of facts included in a problem varies from prover to prover, since
+some provers get overwhelmed more easily than others. You can show the number of
+facts given using the \textit{verbose} option (\S\ref{output-format}) and the
+actual facts using \textit{debug} (\S\ref{output-format}).
+
+Sledgehammer is good at finding short proofs combining a handful of existing
+lemmas. If you are looking for longer proofs, you must typically restrict the
+number of facts, by setting the \textit{max\_facts} option
+(\S\ref{relevance-filter}) to, say, 25 or 50.
+
+You can also influence which facts are actually selected in a number of ways. If
+you simply want to ensure that a fact is included, you can specify it using the
+``$(\textit{add}{:}~\textit{my\_facts})$'' syntax. For example:
+%
+\prew
+\textbf{sledgehammer} (\textit{add}: \textit{hd.simps} \textit{tl.simps})
+\postw
+%
+The specified facts then replace the least relevant facts that would otherwise be
+included; the other selected facts remain the same.
+If you want to direct the selection in a particular direction, you can specify
+the facts via \textbf{using}:
+%
+\prew
+\textbf{using} \textit{hd.simps} \textit{tl.simps} \\
+\textbf{sledgehammer}
+\postw
+%
+The facts are then more likely to be selected than otherwise, and if they are
+selected at iteration $j$ they also influence which facts are selected at
+iterations $j + 1$, $j + 2$, etc. To give them even more weight, try
+%
+\prew
+\textbf{using} \textit{hd.simps} \textit{tl.simps} \\
+\textbf{apply}~\textbf{--} \\
+\textbf{sledgehammer}
+\postw
+
+\point{Why does Metis fail to reconstruct the proof?}
+
+There are many reasons. If Metis runs seemingly forever, that is a sign that the
+proof is too difficult for it. Metis's search is complete, so it should
+eventually find it, but that's little consolation. There are several possible
+solutions:
+
+\begin{enum}
+\item[\labelitemi] Try the \textit{isar\_proof} option (\S\ref{output-format}) to
+obtain a step-by-step Isar proof where each step is justified by \textit{metis}.
+Since the steps are fairly small, \textit{metis} is more likely to be able to
+replay them.
+
+\item[\labelitemi] Try the \textit{smt} proof method instead of \textit{metis}.
+It is usually stronger, but you need to either have Z3 available to replay the
+proofs, trust the SMT solver, or use certificates. See the documentation in the
+\emph{SMT} theory (\texttt{\$ISABELLE\_HOME/src/HOL/SMT.thy}) for details.
+
+\item[\labelitemi] Try the \textit{blast} or \textit{auto} proof methods, passing
+the necessary facts via \textbf{unfolding}, \textbf{using}, \textit{intro}{:},
+\textit{elim}{:}, \textit{dest}{:}, or \textit{simp}{:}, as appropriate.
+\end{enum}
+
+In some rare cases, \textit{metis} fails fairly quickly, and you get the error
+message
+
+\prew
+\slshape
+One-line proof reconstruction failed.
+\postw
+
+This message indicates that Sledgehammer determined that the goal is provable,
+but the proof is, for technical reasons, beyond \textit{metis}'s power. You can
+then try again with the \textit{strict} option (\S\ref{problem-encoding}).
+
+If the goal is actually unprovable and you did not specify an unsound encoding
+using \textit{type\_enc} (\S\ref{problem-encoding}), this is a bug, and you are
+strongly encouraged to report this to the author at \authoremail.
+
+\point{Why are the generated Isar proofs so ugly/broken?}
+
+The current implementation of the Isar proof feature,
+enabled by the \textit{isar\_proof} option (\S\ref{output-format}),
+is highly experimental. Work on a new implementation has begun. There is a large body of
+research into transforming resolution proofs into natural deduction proofs (such
+as Isar proofs), which we hope to leverage. In the meantime, a workaround is to
+set the \textit{isar\_shrink\_factor} option (\S\ref{output-format}) to a larger
+value or to try several provers and keep the nicest-looking proof.
+
+\point{How can I tell whether a suggested proof is sound?}
+
+Earlier versions of Sledgehammer often suggested unsound proofs---either proofs
+of nontheorems or simply proofs that rely on type-unsound inferences. This
+is a thing of the past, unless you explicitly specify an unsound encoding
+using \textit{type\_enc} (\S\ref{problem-encoding}).
+%
+Officially, the only form of ``unsoundness'' that lurks in the sound
+encodings is related to missing characteristic theorems of datatypes. For
+example,
+
+\prew
+\textbf{lemma}~``$\exists \mathit{xs}.\; \mathit{xs} \neq []$'' \\
+\textbf{sledgehammer} ()
+\postw
+
+suggests an argumentless \textit{metis} call that fails. However, the conjecture
+does actually hold, and the \textit{metis} call can be repaired by adding
+\textit{list.distinct}.
+%
+We hope to address this problem in a future version of Isabelle. In the
+meantime, you can avoid it by passing the \textit{strict} option
+(\S\ref{problem-encoding}).
+
+\point{What are the \textit{full\_types}, \textit{no\_types}, and
+\textit{mono\_tags} arguments to Metis?}
+
+The \textit{metis}~(\textit{full\_types}) proof method
+and its cousin \textit{metis}~(\textit{mono\_tags}) are fully-typed
+version of Metis. It is somewhat slower than \textit{metis}, but the proof
+search is fully typed, and it also includes more powerful rules such as the
+axiom ``$x = \const{True} \mathrel{\lor} x = \const{False}$'' for reasoning in
+higher-order places (e.g., in set comprehensions). The method kicks in
+automatically as a fallback when \textit{metis} fails, and it is sometimes
+generated by Sledgehammer instead of \textit{metis} if the proof obviously
+requires type information or if \textit{metis} failed when Sledgehammer
+preplayed the proof. (By default, Sledgehammer tries to run \textit{metis} with
+various options for up to 3 seconds each time to ensure that the generated
+one-line proofs actually work and to display timing information. This can be
+configured using the \textit{preplay\_timeout} and \textit{dont\_preplay}
+options (\S\ref{timeouts}).)
+%
+At the other end of the soundness spectrum, \textit{metis} (\textit{no\_types})
+uses no type information at all during the proof search, which is more efficient
+but often fails. Calls to \textit{metis} (\textit{no\_types}) are occasionally
+generated by Sledgehammer.
+%
+See the \textit{type\_enc} option (\S\ref{problem-encoding}) for details.
+
+Incidentally, if you ever see warnings such as
+
+\prew
+\slshape
+Metis: Falling back on ``\textit{metis} (\textit{full\_types})''.
+\postw
+
+for a successful \textit{metis} proof, you can advantageously pass the
+\textit{full\_types} option to \textit{metis} directly.
+
+\point{And what are the \textit{lifting} and \textit{hide\_lams} arguments
+to Metis?}
+
+Orthogonally to the encoding of types, it is important to choose an appropriate
+translation of $\lambda$-abstractions. Metis supports three translation schemes,
+in decreasing order of power: Curry combinators (the default),
+$\lambda$-lifting, and a ``hiding'' scheme that disables all reasoning under
+$\lambda$-abstractions. The more powerful schemes also give the automatic
+provers more rope to hang themselves. See the \textit{lam\_trans} option (\S\ref{problem-encoding}) for details.
+
+\point{Are generated proofs minimal?}
+
+Automatic provers frequently use many more facts than are necessary.
+Sledgehammer inclues a minimization tool that takes a set of facts returned by a
+given prover and repeatedly calls the same prover, \textit{metis}, or
+\textit{smt} with subsets of those axioms in order to find a minimal set.
+Reducing the number of axioms typically improves Metis's speed and success rate,
+while also removing superfluous clutter from the proof scripts.
+
+In earlier versions of Sledgehammer, generated proofs were systematically
+accompanied by a suggestion to invoke the minimization tool. This step is now
+performed implicitly if it can be done in a reasonable amount of time (something
+that can be guessed from the number of facts in the original proof and the time
+it took to find or preplay it).
+
+In addition, some provers (e.g., Yices) do not provide proofs or sometimes
+produce incomplete proofs. The minimizer is then invoked to find out which facts
+are actually needed from the (large) set of facts that was initially given to
+the prover. Finally, if a prover returns a proof with lots of facts, the
+minimizer is invoked automatically since Metis would be unlikely to re-find the
+proof.
+%
+Automatic minimization can be forced or disabled using the \textit{minimize}
+option (\S\ref{mode-of-operation}).
+
+\point{A strange error occurred---what should I do?}
+
+Sledgehammer tries to give informative error messages. Please report any strange
+error to the author at \authoremail. This applies double if you get the message
+
+\prew
+\slshape
+The prover found a type-unsound proof involving ``\textit{foo\/}'',
+``\textit{bar\/}'', and ``\textit{baz\/}'' even though a supposedly type-sound
+encoding was used (or, less likely, your axioms are inconsistent). You might
+want to report this to the Isabelle developers.
+\postw
+
+\point{Auto can solve it---why not Sledgehammer?}
+
+Problems can be easy for \textit{auto} and difficult for automatic provers, but
+the reverse is also true, so do not be discouraged if your first attempts fail.
+Because the system refers to all theorems known to Isabelle, it is particularly
+suitable when your goal has a short proof from lemmas that you do not know
+about.
+
+\point{Why are there so many options?}
+
+Sledgehammer's philosophy should work out of the box, without user guidance.
+Many of the options are meant to be used mostly by the Sledgehammer developers
+for experimentation purposes. Of course, feel free to experiment with them if
+you are so inclined.
+
+\section{Command Syntax}
+\label{command-syntax}
+
+\subsection{Sledgehammer}
+
+Sledgehammer can be invoked at any point when there is an open goal by entering
+the \textbf{sledgehammer} command in the theory file. Its general syntax is as
+follows:
+
+\prew
+\textbf{sledgehammer} \qty{subcommand}$^?$ \qty{options}$^?$ \qty{facts\_override}$^?$ \qty{num}$^?$
+\postw
+
+For convenience, Sledgehammer is also available in the ``Commands'' submenu of
+the ``Isabelle'' menu in Proof General or by pressing the Emacs key sequence C-c
+C-a C-s. This is equivalent to entering the \textbf{sledgehammer} command with
+no arguments in the theory text.
+
+In the general syntax, the \qty{subcommand} may be any of the following:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{run} (the default):} Runs Sledgehammer on
+subgoal number \qty{num} (1 by default), with the given options and facts.
+
+\item[\labelitemi] \textbf{\textit{min}:} Attempts to minimize the facts
+specified in the \qty{facts\_override} argument to obtain a simpler proof
+involving fewer facts. The options and goal number are as for \textit{run}.
+
+\item[\labelitemi] \textbf{\textit{messages}:} Redisplays recent messages issued
+by Sledgehammer. This allows you to examine results that might have been lost
+due to Sledgehammer's asynchronous nature. The \qty{num} argument specifies a
+limit on the number of messages to display (10 by default).
+
+\item[\labelitemi] \textbf{\textit{supported\_provers}:} Prints the list of
+automatic provers supported by Sledgehammer. See \S\ref{installation} and
+\S\ref{mode-of-operation} for more information on how to install automatic
+provers.
+
+\item[\labelitemi] \textbf{\textit{running\_provers}:} Prints information about
+currently running automatic provers, including elapsed runtime and remaining
+time until timeout.
+
+\item[\labelitemi] \textbf{\textit{kill\_provers}:} Terminates all running
+automatic provers.
+
+\item[\labelitemi] \textbf{\textit{refresh\_tptp}:} Refreshes the list of remote
+ATPs available at System\-On\-TPTP \cite{sutcliffe-2000}.
+\end{enum}
+
+In addition, the following subcommands provide fine control over machine
+learning with MaSh:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{unlearn}:} Resets MaSh, erasing any
+persistent state.
+
+\item[\labelitemi] \textbf{\textit{learn\_isar}:} Invokes MaSh on the current
+theory to process all the available facts, learning from their Isabelle/Isar
+proofs. This happens automatically at Sledgehammer invocations if the
+\textit{learn} option (\S\ref{relevance-filter}) is enabled.
+
+\item[\labelitemi] \textbf{\textit{learn\_atp}:} Invokes MaSh on the current
+theory to process all the available facts, learning from ATP-generated proofs.
+The ATP to use and its timeout can be set using the
+\textit{prover} (\S\ref{mode-of-operation}) and \textit{timeout}
+(\S\ref{timeouts}) options. It is recommended to perform learning using an
+efficient first-order ATP (such as E, SPASS, and Vampire) as opposed to a
+higher-order ATP or an SMT solver.
+
+\item[\labelitemi] \textbf{\textit{relearn\_isar}:} Same as \textit{unlearn}
+followed by \textit{learn\_isar}.
+
+\item[\labelitemi] \textbf{\textit{relearn\_atp}:} Same as \textit{unlearn}
+followed by \textit{learn\_atp}.
+
+\item[\labelitemi] \textbf{\textit{running\_learners}:} Prints information about
+currently running machine learners, including elapsed runtime and remaining
+time until timeout.
+
+\item[\labelitemi] \textbf{\textit{kill\_learners}:} Terminates all running
+machine learners.
+\end{enum}
+
+Sledgehammer's behavior can be influenced by various \qty{options}, which can be
+specified in brackets after the \textbf{sledgehammer} command. The
+\qty{options} are a list of key--value pairs of the form ``[$k_1 = v_1,
+\ldots, k_n = v_n$]''. For Boolean options, ``= \textit{true\/}'' is optional. For
+example:
+
+\prew
+\textbf{sledgehammer} [\textit{isar\_proof}, \,\textit{timeout} = 120]
+\postw
+
+Default values can be set using \textbf{sledgehammer\_\allowbreak params}:
+
+\prew
+\textbf{sledgehammer\_params} \qty{options}
+\postw
+
+The supported options are described in \S\ref{option-reference}.
+
+The \qty{facts\_override} argument lets you alter the set of facts that go
+through the relevance filter. It may be of the form ``(\qty{facts})'', where
+\qty{facts} is a space-separated list of Isabelle facts (theorems, local
+assumptions, etc.), in which case the relevance filter is bypassed and the given
+facts are used. It may also be of the form ``(\textit{add}:\ \qty{facts\/_{\mathrm{1}}})'',
+``(\textit{del}:\ \qty{facts\/_{\mathrm{2}}})'', or ``(\textit{add}:\ \qty{facts\/_{\mathrm{1}}}\
+\textit{del}:\ \qty{facts\/_{\mathrm{2}}})'', where the relevance filter is instructed to
+proceed as usual except that it should consider \qty{facts\/_{\mathrm{1}}}
+highly-relevant and \qty{facts\/_{\mathrm{2}}} fully irrelevant.
+
+You can instruct Sledgehammer to run automatically on newly entered theorems by
+enabling the ``Auto Sledgehammer'' option in Proof General's ``Isabelle'' menu.
+For automatic runs, only the first prover set using \textit{provers}
+(\S\ref{mode-of-operation}) is considered, fewer facts are passed to the prover,
+\textit{slice} (\S\ref{mode-of-operation}) is disabled, \textit{strict}
+(\S\ref{problem-encoding}) is enabled, \textit{verbose} (\S\ref{output-format})
+and \textit{debug} (\S\ref{output-format}) are disabled, and \textit{timeout}
+(\S\ref{timeouts}) is superseded by the ``Auto Tools Time Limit'' in Proof
+General's ``Isabelle'' menu. Sledgehammer's output is also more concise.
+
+\subsection{Metis}
+
+The \textit{metis} proof method has the syntax
+
+\prew
+\textbf{\textit{metis}}~(\qty{options})${}^?$~\qty{facts}${}^?$
+\postw
+
+where \qty{facts} is a list of arbitrary facts and \qty{options} is a
+comma-separated list consisting of at most one $\lambda$ translation scheme
+specification with the same semantics as Sledgehammer's \textit{lam\_trans}
+option (\S\ref{problem-encoding}) and at most one type encoding specification
+with the same semantics as Sledgehammer's \textit{type\_enc} option
+(\S\ref{problem-encoding}).
+%
+The supported $\lambda$ translation schemes are \textit{hide\_lams},
+\textit{lifting}, and \textit{combs} (the default).
+%
+All the untyped type encodings listed in \S\ref{problem-encoding} are supported.
+For convenience, the following aliases are provided:
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{full\_types}:} Alias for \textit{poly\_guards\_query}.
+\item[\labelitemi] \textbf{\textit{partial\_types}:} Alias for \textit{poly\_args}.
+\item[\labelitemi] \textbf{\textit{no\_types}:} Alias for \textit{erased}.
+\end{enum}
+
+\section{Option Reference}
+\label{option-reference}
+
+\def\defl{\{}
+\def\defr{\}}
+
+\def\flushitem#1{\item[]\noindent\kern-\leftmargin \textbf{#1}}
+\def\optrueonly#1{\flushitem{\textit{#1} $\bigl[$= \textit{true}$\bigr]$\enskip}\nopagebreak\\[\parskip]}
+\def\optrue#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{true}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opfalse#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{bool}$\bigr]$\enskip \defl\textit{false}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opsmart#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opsmartx#1#2{\flushitem{\textit{#1} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\enskip \defl\textit{smart}\defr\\\hbox{}\hfill (neg.: \textit{#2})}\nopagebreak\\[\parskip]}
+\def\opnodefault#1#2{\flushitem{\textit{#1} = \qtybf{#2}} \nopagebreak\\[\parskip]}
+\def\opnodefaultbrk#1#2{\flushitem{$\bigl[$\textit{#1} =$\bigr]$ \qtybf{#2}} \nopagebreak\\[\parskip]}
+\def\opdefault#1#2#3{\flushitem{\textit{#1} = \qtybf{#2}\enskip \defl\textit{#3}\defr} \nopagebreak\\[\parskip]}
+\def\oparg#1#2#3{\flushitem{\textit{#1} \qtybf{#2} = \qtybf{#3}} \nopagebreak\\[\parskip]}
+\def\opargbool#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
+\def\opargboolorsmart#1#2#3{\flushitem{\textit{#1} \qtybf{#2} $\bigl[$= \qtybf{smart\_bool}$\bigr]$\hfill (neg.: \textit{#3})}\nopagebreak\\[\parskip]}
+
+Sledgehammer's options are categorized as follows:\ mode of operation
+(\S\ref{mode-of-operation}), problem encoding (\S\ref{problem-encoding}),
+relevance filter (\S\ref{relevance-filter}), output format
+(\S\ref{output-format}), authentication (\S\ref{authentication}), and timeouts
+(\S\ref{timeouts}).
+
+The descriptions below refer to the following syntactic quantities:
+
+\begin{enum}
+\item[\labelitemi] \qtybf{string}: A string.
+\item[\labelitemi] \qtybf{bool\/}: \textit{true} or \textit{false}.
+\item[\labelitemi] \qtybf{smart\_bool\/}: \textit{true}, \textit{false}, or
+\textit{smart}.
+\item[\labelitemi] \qtybf{int\/}: An integer.
+%\item[\labelitemi] \qtybf{float\/}: A floating-point number (e.g., 2.5).
+\item[\labelitemi] \qtybf{float\_pair\/}: A pair of floating-point numbers
+(e.g., 0.6 0.95).
+\item[\labelitemi] \qtybf{smart\_int\/}: An integer or \textit{smart}.
+\item[\labelitemi] \qtybf{float\_or\_none\/}: A floating-point number (e.g., 60 or
+0.5) expressing a number of seconds, or the keyword \textit{none} ($\infty$
+seconds).
+\end{enum}
+
+Default values are indicated in curly brackets (\textrm{\{\}}). Boolean options
+have a negative counterpart (e.g., \textit{blocking} vs.\
+\textit{non\_blocking}). When setting Boolean options or their negative
+counterparts, ``= \textit{true\/}'' may be omitted.
+
+\subsection{Mode of Operation}
+\label{mode-of-operation}
+
+\begin{enum}
+\opnodefaultbrk{provers}{string}
+Specifies the automatic provers to use as a space-separated list (e.g.,
+``\textit{e}~\textit{spass}~\textit{remote\_vampire\/}'').
+Provers can be run locally or remotely; see \S\ref{installation} for
+installation instructions.
+
+The following local provers are supported:
+
+\begin{sloppy}
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{alt\_ergo}:} Alt-Ergo is a polymorphic
+SMT solver developed by Bobot et al.\ \cite{alt-ergo}.
+It supports the TPTP polymorphic typed first-order format (TFF1) via Why3
+\cite{why3}. It is included for experimental purposes. To use Alt-Ergo, set the
+environment variable \texttt{WHY3\_HOME} to the directory that contains the
+\texttt{why3} executable. Sledgehammer has been tested with Alt-Ergo 0.93 and an
+unidentified development version of Why3.
+
+\item[\labelitemi] \textbf{\textit{cvc3}:} CVC3 is an SMT solver developed by
+Clark Barrett, Cesare Tinelli, and their colleagues \cite{cvc3}. To use CVC3,
+set the environment variable \texttt{CVC3\_SOLVER} to the complete path of the
+executable, including the file name, or install the prebuilt CVC3 package from
+\download. Sledgehammer has been tested with version 2.2 and 2.4.1.
+
+\item[\labelitemi] \textbf{\textit{e}:} E is a first-order resolution prover
+developed by Stephan Schulz \cite{schulz-2002}. To use E, set the environment
+variable \texttt{E\_HOME} to the directory that contains the \texttt{eproof}
+executable and \texttt{E\_VERSION} to the version number (e.g., ``1.4''), or
+install the prebuilt E package from \download. Sledgehammer has been tested with
+versions 1.0 to 1.6.
+
+\item[\labelitemi] \textbf{\textit{e\_males}:} E-MaLeS is a metaprover developed
+by Daniel K\"uhlwein that implements strategy scheduling on top of E. To use
+E-MaLeS, set the environment variable \texttt{E\_MALES\_HOME} to the directory
+that contains the \texttt{emales.py} script. Sledgehammer has been tested with
+version 1.1.
+
+\item[\labelitemi] \textbf{\textit{iprover}:} iProver is a pure
+instantiation-based prover developed by Konstantin Korovin \cite{korovin-2009}.
+To use iProver, set the environment variable \texttt{IPROVER\_HOME} to the
+directory that contains the \texttt{iprover} and \texttt{vclausify\_rel}
+executables. Sledgehammer has been tested with version 0.99.
+
+\item[\labelitemi] \textbf{\textit{iprover\_eq}:} iProver-Eq is an
+instantiation-based prover with native support for equality developed by
+Konstantin Korovin and Christoph Sticksel \cite{korovin-sticksel-2010}. To use
+iProver-Eq, set the environment variable \texttt{IPROVER\_EQ\_HOME} to the
+directory that contains the \texttt{iprover-eq} and \texttt{vclausify\_rel}
+executables. Sledgehammer has been tested with version 0.8.
+
+\item[\labelitemi] \textbf{\textit{leo2}:} LEO-II is an automatic
+higher-order prover developed by Christoph Benzm\"uller et al.\ \cite{leo2},
+with support for the TPTP typed higher-order syntax (THF0). To use LEO-II, set
+the environment variable \texttt{LEO2\_HOME} to the directory that contains the
+\texttt{leo} executable. Sledgehammer requires version 1.2.9 or above.
+
+\item[\labelitemi] \textbf{\textit{metis}:} Although it is less powerful than
+the external provers, Metis itself can be used for proof search.
+
+\item[\labelitemi] \textbf{\textit{satallax}:} Satallax is an automatic
+higher-order prover developed by Chad Brown et al.\ \cite{satallax}, with
+support for the TPTP typed higher-order syntax (THF0). To use Satallax, set the
+environment variable \texttt{SATALLAX\_HOME} to the directory that contains the
+\texttt{satallax} executable. Sledgehammer requires version 2.2 or above.
+
+\item[\labelitemi] \textbf{\textit{smt}:} The \textit{smt} proof method with the
+current settings (usually:\ Z3 with proof reconstruction) can be used for proof
+search.
+
+\item[\labelitemi] \textbf{\textit{spass}:} SPASS is a first-order resolution
+prover developed by Christoph Weidenbach et al.\ \cite{weidenbach-et-al-2009}.
+To use SPASS, set the environment variable \texttt{SPASS\_HOME} to the directory
+that contains the \texttt{SPASS} executable and \texttt{SPASS\_VERSION} to the
+version number (e.g., ``3.8ds''), or install the prebuilt SPASS package from
+\download. Sledgehammer requires version 3.8ds or above.
+
+\item[\labelitemi] \textbf{\textit{vampire}:} Vampire is a first-order
+resolution prover developed by Andrei Voronkov and his colleagues
+\cite{riazanov-voronkov-2002}. To use Vampire, set the environment variable
+\texttt{VAMPIRE\_HOME} to the directory that contains the \texttt{vampire}
+executable and \texttt{VAMPIRE\_VERSION} to the version number (e.g.,
+``1.8rev1435'', ``2.6''). Sledgehammer has been tested with versions 0.6, 1.0,
+and 1.8. Versions strictly above 1.8 (e.g., ``1.8rev1435'') support the TPTP
+typed first-order format (TFF0).
+
+\item[\labelitemi] \textbf{\textit{yices}:} Yices is an SMT solver developed at
+SRI \cite{yices}. To use Yices, set the environment variable
+\texttt{YICES\_SOLVER} to the complete path of the executable, including the
+file name. Sledgehammer has been tested with version 1.0.28.
+
+\item[\labelitemi] \textbf{\textit{z3}:} Z3 is an SMT solver developed at
+Microsoft Research \cite{z3}. To use Z3, set the environment variable
+\texttt{Z3\_SOLVER} to the complete path of the executable, including the file
+name, and set \texttt{Z3\_NON\_COMMERCIAL} to ``yes'' to confirm that you are a
+noncommercial user. Sledgehammer has been tested with versions 3.0, 3.1, 3.2,
+and 4.0.
+\end{enum}
+\end{sloppy}
+
+The following remote provers are supported:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{remote\_cvc3}:} The remote version of CVC3 runs
+on servers at the TU M\"unchen (or wherever \texttt{REMOTE\_SMT\_URL} is set to
+point).
+
+\item[\labelitemi] \textbf{\textit{remote\_e}:} The remote version of E runs
+on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
+
+\item[\labelitemi] \textbf{\textit{remote\_e\_sine}:} E-SInE is a metaprover
+developed by Kry\v stof Hoder \cite{sine} based on E. It runs on Geoff
+Sutcliffe's Miami servers.
+
+\item[\labelitemi] \textbf{\textit{remote\_e\_tofof}:} E-ToFoF is a metaprover
+developed by Geoff Sutcliffe \cite{tofof} based on E running on his Miami
+servers. This ATP supports the TPTP typed first-order format (TFF0). The
+remote version of E-ToFoF runs on Geoff Sutcliffe's Miami servers.
+
+\item[\labelitemi] \textbf{\textit{remote\_iprover}:} The
+remote version of iProver runs on Geoff Sutcliffe's Miami servers
+\cite{sutcliffe-2000}.
+
+\item[\labelitemi] \textbf{\textit{remote\_iprover\_eq}:} The
+remote version of iProver-Eq runs on Geoff Sutcliffe's Miami servers
+\cite{sutcliffe-2000}.
+
+\item[\labelitemi] \textbf{\textit{remote\_leo2}:} The remote version of LEO-II
+runs on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
+
+\item[\labelitemi] \textbf{\textit{remote\_satallax}:} The remote version of
+Satallax runs on Geoff Sutcliffe's Miami servers \cite{sutcliffe-2000}.
+
+\item[\labelitemi] \textbf{\textit{remote\_snark}:} SNARK is a first-order
+resolution prover developed by Stickel et al.\ \cite{snark}. It supports the
+TPTP typed first-order format (TFF0). The remote version of SNARK runs on
+Geoff Sutcliffe's Miami servers.
+
+\item[\labelitemi] \textbf{\textit{remote\_vampire}:} The remote version of
+Vampire runs on Geoff Sutcliffe's Miami servers.
+
+\item[\labelitemi] \textbf{\textit{remote\_waldmeister}:} Waldmeister is a unit
+equality prover developed by Hillenbrand et al.\ \cite{waldmeister}. It can be
+used to prove universally quantified equations using unconditional equations,
+corresponding to the TPTP CNF UEQ division. The remote version of Waldmeister
+runs on Geoff Sutcliffe's Miami servers.
+
+\item[\labelitemi] \textbf{\textit{remote\_z3}:} The remote version of Z3 runs on
+servers at the TU M\"unchen (or wherever \texttt{REMOTE\_SMT\_URL} is set to
+point).
+\end{enum}
+
+By default, Sledgehammer runs a selection of CVC3, E, E-SInE, SPASS, Vampire,
+Yices, Z3, and (if appropriate) Waldmeister in parallel---either locally or
+remotely, depending on the number of processor cores available. For historical
+reasons, the default value of this option can be overridden using the option
+``Sledgehammer: Provers'' in Proof General's ``Isabelle'' menu.
+
+It is generally a good idea to run several provers in parallel. Running E,
+SPASS, and Vampire for 5~seconds yields a similar success rate to running the
+most effective of these for 120~seconds \cite{boehme-nipkow-2010}.
+
+For the \textit{min} subcommand, the default prover is \textit{metis}. If
+several provers are set, the first one is used.
+
+\opnodefault{prover}{string}
+Alias for \textit{provers}.
+
+\opfalse{blocking}{non\_blocking}
+Specifies whether the \textbf{sledgehammer} command should operate
+synchronously. The asynchronous (non-blocking) mode lets the user start proving
+the putative theorem manually while Sledgehammer looks for a proof, but it can
+also be more confusing. Irrespective of the value of this option, Sledgehammer
+is always run synchronously for the new jEdit-based user interface or if
+\textit{debug} (\S\ref{output-format}) is enabled.
+
+\optrue{slice}{dont\_slice}
+Specifies whether the time allocated to a prover should be sliced into several
+segments, each of which has its own set of possibly prover-dependent options.
+For SPASS and Vampire, the first slice tries the fast but incomplete
+set-of-support (SOS) strategy, whereas the second slice runs without it. For E,
+up to three slices are tried, with different weighted search strategies and
+number of facts. For SMT solvers, several slices are tried with the same options
+each time but fewer and fewer facts. According to benchmarks with a timeout of
+30 seconds, slicing is a valuable optimization, and you should probably leave it
+enabled unless you are conducting experiments. This option is implicitly
+disabled for (short) automatic runs.
+
+\nopagebreak
+{\small See also \textit{verbose} (\S\ref{output-format}).}
+
+\opsmart{minimize}{dont\_minimize}
+Specifies whether the minimization tool should be invoked automatically after
+proof search. By default, automatic minimization takes place only if
+it can be done in a reasonable amount of time (as determined by
+the number of facts in the original proof and the time it took to find or
+preplay it) or the proof involves an unreasonably large number of facts.
+
+\nopagebreak
+{\small See also \textit{preplay\_timeout} (\S\ref{timeouts})
+and \textit{dont\_preplay} (\S\ref{timeouts}).}
+
+\opfalse{overlord}{no\_overlord}
+Specifies whether Sledgehammer should put its temporary files in
+\texttt{\$ISA\-BELLE\_\allowbreak HOME\_\allowbreak USER}, which is useful for
+debugging Sledgehammer but also unsafe if several instances of the tool are run
+simultaneously. The files are identified by the prefixes \texttt{prob\_} and
+\texttt{mash\_}; you may safely remove them after Sledgehammer has run.
+
+\nopagebreak
+{\small See also \textit{debug} (\S\ref{output-format}).}
+\end{enum}
+
+\subsection{Relevance Filter}
+\label{relevance-filter}
+
+\begin{enum}
+\opdefault{fact\_filter}{string}{smart}
+Specifies the relevance filter to use. The following filters are available:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{mepo}:}
+The traditional memoryless MePo relevance filter.
+
+\item[\labelitemi] \textbf{\textit{mash}:}
+The memoryful MaSh machine learner. MaSh relies on the external program
+\texttt{mash}, which can be obtained from the author at \authoremail. To install
+it, set the environment variable \texttt{MASH\_HOME} to the directory that
+contains the \texttt{mash} executable.
+Persistent data is stored in the \texttt{\$ISABELLE\_HOME\_USER/mash} directory.
+
+\item[\labelitemi] \textbf{\textit{mesh}:} A combination of MePo and MaSh.
+
+\item[\labelitemi] \textbf{\textit{smart}:} Use Mesh if \texttt{mash} is
+installed and the target prover is an ATP; otherwise, use MePo.
+\end{enum}
+
+\opdefault{max\_facts}{smart\_int}{smart}
+Specifies the maximum number of facts that may be returned by the relevance
+filter. If the option is set to \textit{smart}, it is set to a value that was
+empirically found to be appropriate for the prover. Typical values range between
+50 and 1000.
+
+\opdefault{fact\_thresholds}{float\_pair}{\upshape 0.45~0.85}
+Specifies the thresholds above which facts are considered relevant by the
+relevance filter. The first threshold is used for the first iteration of the
+relevance filter and the second threshold is used for the last iteration (if it
+is reached). The effective threshold is quadratically interpolated for the other
+iterations. Each threshold ranges from 0 to 1, where 0 means that all theorems
+are relevant and 1 only theorems that refer to previously seen constants.
+
+\optrue{learn}{dont\_learn}
+Specifies whether MaSh should be run automatically by Sledgehammer to learn the
+available theories (and hence provide more accurate results). Learning only
+takes place if \texttt{mash} is installed.
+
+\opdefault{max\_new\_mono\_instances}{int}{smart}
+Specifies the maximum number of monomorphic instances to generate beyond
+\textit{max\_facts}. The higher this limit is, the more monomorphic instances
+are potentially generated. Whether monomorphization takes place depends on the
+type encoding used. If the option is set to \textit{smart}, it is set to a value
+that was empirically found to be appropriate for the prover. For most provers,
+this value is 200.
+
+\nopagebreak
+{\small See also \textit{type\_enc} (\S\ref{problem-encoding}).}
+
+\opdefault{max\_mono\_iters}{int}{smart}
+Specifies the maximum number of iterations for the monomorphization fixpoint
+construction. The higher this limit is, the more monomorphic instances are
+potentially generated. Whether monomorphization takes place depends on the
+type encoding used. If the option is set to \textit{smart}, it is set to a value
+that was empirically found to be appropriate for the prover. For most provers,
+this value is 3.
+
+\nopagebreak
+{\small See also \textit{type\_enc} (\S\ref{problem-encoding}).}
+\end{enum}
+
+\subsection{Problem Encoding}
+\label{problem-encoding}
+
+\newcommand\comb[1]{\const{#1}}
+
+\begin{enum}
+\opdefault{lam\_trans}{string}{smart}
+Specifies the $\lambda$ translation scheme to use in ATP problems. The supported
+translation schemes are listed below:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{hide\_lams}:} Hide the $\lambda$-abstractions
+by replacing them by unspecified fresh constants, effectively disabling all
+reasoning under $\lambda$-abstractions.
+
+\item[\labelitemi] \textbf{\textit{lifting}:} Introduce a new
+supercombinator \const{c} for each cluster of $n$~$\lambda$-abstractions,
+defined using an equation $\const{c}~x_1~\ldots~x_n = t$ ($\lambda$-lifting).
+
+\item[\labelitemi] \textbf{\textit{combs}:} Rewrite lambdas to the Curry
+combinators (\comb{I}, \comb{K}, \comb{S}, \comb{B}, \comb{C}). Combinators
+enable the ATPs to synthesize $\lambda$-terms but tend to yield bulkier formulas
+than $\lambda$-lifting: The translation is quadratic in the worst case, and the
+equational definitions of the combinators are very prolific in the context of
+resolution.
+
+\item[\labelitemi] \textbf{\textit{combs\_and\_lifting}:} Introduce a new
+supercombinator \const{c} for each cluster of $\lambda$-abstractions and characterize it both using a
+lifted equation $\const{c}~x_1~\ldots~x_n = t$ and via Curry combinators.
+
+\item[\labelitemi] \textbf{\textit{combs\_or\_lifting}:} For each cluster of
+$\lambda$-abstractions, heuristically choose between $\lambda$-lifting and Curry
+combinators.
+
+\item[\labelitemi] \textbf{\textit{keep\_lams}:}
+Keep the $\lambda$-abstractions in the generated problems. This is available
+only with provers that support the THF0 syntax.
+
+\item[\labelitemi] \textbf{\textit{smart}:} The actual translation scheme used
+depends on the ATP and should be the most efficient scheme for that ATP.
+\end{enum}
+
+For SMT solvers, the $\lambda$ translation scheme is always \textit{lifting},
+irrespective of the value of this option.
+
+\opsmartx{uncurried\_aliases}{no\_uncurried\_aliases}
+Specifies whether fresh function symbols should be generated as aliases for
+applications of curried functions in ATP problems.
+
+\opdefault{type\_enc}{string}{smart}
+Specifies the type encoding to use in ATP problems. Some of the type encodings
+are unsound, meaning that they can give rise to spurious proofs
+(unreconstructible using \textit{metis}). The type encodings are
+listed below, with an indication of their soundness in parentheses.
+An asterisk (*) indicates that the encoding is slightly incomplete for
+reconstruction with \textit{metis}, unless the \emph{strict} option (described
+below) is enabled.
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{erased} (unsound):} No type information is
+supplied to the ATP, not even to resolve overloading. Types are simply erased.
+
+\item[\labelitemi] \textbf{\textit{poly\_guards} (sound):} Types are encoded using
+a predicate \const{g}$(\tau, t)$ that guards bound
+variables. Constants are annotated with their types, supplied as extra
+arguments, to resolve overloading.
+
+\item[\labelitemi] \textbf{\textit{poly\_tags} (sound):} Each term and subterm is
+tagged with its type using a function $\const{t\/}(\tau, t)$.
+
+\item[\labelitemi] \textbf{\textit{poly\_args} (unsound):}
+Like for \textit{poly\_guards} constants are annotated with their types to
+resolve overloading, but otherwise no type information is encoded. This
+is the default encoding used by the \textit{metis} command.
+
+\item[\labelitemi]
+\textbf{%
+\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags} (sound); \\
+\textit{raw\_mono\_args} (unsound):} \\
+Similar to \textit{poly\_guards}, \textit{poly\_tags}, and \textit{poly\_args},
+respectively, but the problem is additionally monomorphized, meaning that type
+variables are instantiated with heuristically chosen ground types.
+Monomorphization can simplify reasoning but also leads to larger fact bases,
+which can slow down the ATPs.
+
+\item[\labelitemi]
+\textbf{%
+\textit{mono\_guards}, \textit{mono\_tags} (sound);
+\textit{mono\_args} (unsound):} \\
+Similar to
+\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags}, and
+\textit{raw\_mono\_args}, respectively but types are mangled in constant names
+instead of being supplied as ground term arguments. The binary predicate
+$\const{g}(\tau, t)$ becomes a unary predicate
+$\const{g\_}\tau(t)$, and the binary function
+$\const{t}(\tau, t)$ becomes a unary function
+$\const{t\_}\tau(t)$.
+
+\item[\labelitemi] \textbf{\textit{mono\_native} (sound):} Exploits native
+first-order types if the prover supports the TFF0, TFF1, or THF0 syntax;
+otherwise, falls back on \textit{mono\_guards}. The problem is monomorphized.
+
+\item[\labelitemi] \textbf{\textit{mono\_native\_higher} (sound):} Exploits
+native higher-order types if the prover supports the THF0 syntax; otherwise,
+falls back on \textit{mono\_native} or \textit{mono\_guards}. The problem is
+monomorphized.
+
+\item[\labelitemi] \textbf{\textit{poly\_native} (sound):} Exploits native
+first-order polymorphic types if the prover supports the TFF1 syntax; otherwise,
+falls back on \textit{mono\_native}.
+
+\item[\labelitemi]
+\textbf{%
+\textit{poly\_guards}?, \textit{poly\_tags}?, \textit{raw\_mono\_guards}?, \\
+\textit{raw\_mono\_tags}?, \textit{mono\_guards}?, \textit{mono\_tags}?, \\
+\textit{mono\_native}? (sound*):} \\
+The type encodings \textit{poly\_guards}, \textit{poly\_tags},
+\textit{raw\_mono\_guards}, \textit{raw\_mono\_tags}, \textit{mono\_guards},
+\textit{mono\_tags}, and \textit{mono\_native} are fully typed and sound. For
+each of these, Sledgehammer also provides a lighter variant identified by a
+question mark (`\hbox{?}')\ that detects and erases monotonic types, notably
+infinite types. (For \textit{mono\_native}, the types are not actually erased
+but rather replaced by a shared uniform type of individuals.) As argument to the
+\textit{metis} proof method, the question mark is replaced by a
+\hbox{``\textit{\_query\/}''} suffix.
+
+\item[\labelitemi]
+\textbf{%
+\textit{poly\_guards}??, \textit{poly\_tags}??, \textit{raw\_mono\_guards}??, \\
+\textit{raw\_mono\_tags}??, \textit{mono\_guards}??, \textit{mono\_tags}?? \\
+(sound*):} \\
+Even lighter versions of the `\hbox{?}' encodings. As argument to the
+\textit{metis} proof method, the `\hbox{??}' suffix is replaced by
+\hbox{``\textit{\_query\_query\/}''}.
+
+\item[\labelitemi]
+\textbf{%
+\textit{poly\_guards}@, \textit{poly\_tags}@, \textit{raw\_mono\_guards}@, \\
+\textit{raw\_mono\_tags}@ (sound*):} \\
+Alternative versions of the `\hbox{??}' encodings. As argument to the
+\textit{metis} proof method, the `\hbox{@}' suffix is replaced by
+\hbox{``\textit{\_at\/}''}.
+
+\item[\labelitemi] \textbf{\textit{poly\_args}?, \textit{raw\_mono\_args}? (unsound):} \\
+Lighter versions of \textit{poly\_args} and \textit{raw\_mono\_args}.
+
+\item[\labelitemi] \textbf{\textit{smart}:} The actual encoding used depends on
+the ATP and should be the most efficient sound encoding for that ATP.
+\end{enum}
+
+For SMT solvers, the type encoding is always \textit{mono\_native}, irrespective
+of the value of this option.
+
+\nopagebreak
+{\small See also \textit{max\_new\_mono\_instances} (\S\ref{relevance-filter})
+and \textit{max\_mono\_iters} (\S\ref{relevance-filter}).}
+
+\opfalse{strict}{non\_strict}
+Specifies whether Sledgehammer should run in its strict mode. In that mode,
+sound type encodings marked with an asterisk (*) above are made complete
+for reconstruction with \textit{metis}, at the cost of some clutter in the
+generated problems. This option has no effect if \textit{type\_enc} is
+deliberately set to an unsound encoding.
+\end{enum}
+
+\subsection{Output Format}
+\label{output-format}
+
+\begin{enum}
+
+\opfalse{verbose}{quiet}
+Specifies whether the \textbf{sledgehammer} command should explain what it does.
+This option is implicitly disabled for automatic runs.
+
+\opfalse{debug}{no\_debug}
+Specifies whether Sledgehammer should display additional debugging information
+beyond what \textit{verbose} already displays. Enabling \textit{debug} also
+enables \textit{verbose} and \textit{blocking} (\S\ref{mode-of-operation})
+behind the scenes. The \textit{debug} option is implicitly disabled for
+automatic runs.
+
+\nopagebreak
+{\small See also \textit{overlord} (\S\ref{mode-of-operation}).}
+
+\opfalse{isar\_proof}{no\_isar\_proof}
+Specifies whether Isar proofs should be output in addition to one-liner
+\textit{metis} proofs. Isar proof construction is still experimental and often
+fails; however, they are usually faster and sometimes more robust than
+\textit{metis} proofs.
+
+\opdefault{isar\_shrink\_factor}{int}{\upshape 1}
+Specifies the granularity of the Isar proof. A value of $n$ indicates that each
+Isar proof step should correspond to a group of up to $n$ consecutive proof
+steps in the ATP proof.
+\end{enum}
+
+\subsection{Authentication}
+\label{authentication}
+
+\begin{enum}
+\opnodefault{expect}{string}
+Specifies the expected outcome, which must be one of the following:
+
+\begin{enum}
+\item[\labelitemi] \textbf{\textit{some}:} Sledgehammer found a proof.
+\item[\labelitemi] \textbf{\textit{none}:} Sledgehammer found no proof.
+\item[\labelitemi] \textbf{\textit{timeout}:} Sledgehammer timed out.
+\item[\labelitemi] \textbf{\textit{unknown}:} Sledgehammer encountered some
+problem.
+\end{enum}
+
+Sledgehammer emits an error (if \textit{blocking} is enabled) or a warning
+(otherwise) if the actual outcome differs from the expected outcome. This option
+is useful for regression testing.
+
+\nopagebreak
+{\small See also \textit{blocking} (\S\ref{mode-of-operation}) and
+\textit{timeout} (\S\ref{timeouts}).}
+\end{enum}
+
+\subsection{Timeouts}
+\label{timeouts}
+
+\begin{enum}
+\opdefault{timeout}{float\_or\_none}{\upshape 30}
+Specifies the maximum number of seconds that the automatic provers should spend
+searching for a proof. This excludes problem preparation and is a soft limit.
+For historical reasons, the default value of this option can be overridden using
+the option ``Sledgehammer: Time Limit'' in Proof General's ``Isabelle'' menu.
+
+\opdefault{preplay\_timeout}{float\_or\_none}{\upshape 3}
+Specifies the maximum number of seconds that \textit{metis} or \textit{smt}
+should spend trying to ``preplay'' the found proof. If this option is set to 0,
+no preplaying takes place, and no timing information is displayed next to the
+suggested \textit{metis} calls.
+
+\nopagebreak
+{\small See also \textit{minimize} (\S\ref{mode-of-operation}).}
+
+\optrueonly{dont\_preplay}
+Alias for ``\textit{preplay\_timeout} = 0''.
+
+\end{enum}
+
+\let\em=\sl
+\bibliography{manual}{}
+\bibliographystyle{abbrv}
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Base.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+theory Base
+imports Pure
+begin
+
+ML_file "../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Basics.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,554 @@
+theory Basics
+imports Base
+begin
+
+chapter {* The Isabelle system environment *}
+
+text {* This manual describes Isabelle together with related tools and
+ user interfaces as seen from a system oriented view. See also the
+ \emph{Isabelle/Isar Reference Manual}~\cite{isabelle-isar-ref} for
+ the actual Isabelle input language and related concepts, and
+ \emph{The Isabelle/Isar Implementation
+ Manual}~\cite{isabelle-implementation} for the main concepts of the
+ underlying implementation in Isabelle/ML.
+
+ \medskip The Isabelle system environment provides the following
+ basic infrastructure to integrate tools smoothly.
+
+ \begin{enumerate}
+
+ \item The \emph{Isabelle settings} mechanism provides process
+ environment variables to all Isabelle executables (including tools
+ and user interfaces).
+
+ \item The raw \emph{Isabelle process} (@{executable_ref
+ "isabelle-process"}) runs logic sessions either interactively or in
+ batch mode. In particular, this view abstracts over the invocation
+ of the actual ML system to be used. Regular users rarely need to
+ care about the low-level process.
+
+ \item The main \emph{Isabelle tool wrapper} (@{executable_ref
+ isabelle}) provides a generic startup environment Isabelle related
+ utilities, user interfaces etc. Such tools automatically benefit
+ from the settings mechanism.
+
+ \end{enumerate}
+*}
+
+
+section {* Isabelle settings \label{sec:settings} *}
+
+text {*
+ The Isabelle system heavily depends on the \emph{settings
+ mechanism}\indexbold{settings}. Essentially, this is a statically
+ scoped collection of environment variables, such as @{setting
+ ISABELLE_HOME}, @{setting ML_SYSTEM}, @{setting ML_HOME}. These
+ variables are \emph{not} intended to be set directly from the shell,
+ though. Isabelle employs a somewhat more sophisticated scheme of
+ \emph{settings files} --- one for site-wide defaults, another for
+ additional user-specific modifications. With all configuration
+ variables in clearly defined places, this scheme is more
+ maintainable and user-friendly than global shell environment
+ variables.
+
+ In particular, we avoid the typical situation where prospective
+ users of a software package are told to put several things into
+ their shell startup scripts, before being able to actually run the
+ program. Isabelle requires none such administrative chores of its
+ end-users --- the executables can be invoked straight away.
+ Occasionally, users would still want to put the @{file
+ "$ISABELLE_HOME/bin"} directory into their shell's search path, but
+ this is not required.
+*}
+
+
+subsection {* Bootstrapping the environment \label{sec:boot} *}
+
+text {* Isabelle executables need to be run within a proper settings
+ environment. This is bootstrapped as described below, on the first
+ invocation of one of the outer wrapper scripts (such as
+ @{executable_ref isabelle}). This happens only once for each
+ process tree, i.e.\ the environment is passed to subprocesses
+ according to regular Unix conventions.
+
+ \begin{enumerate}
+
+ \item The special variable @{setting_def ISABELLE_HOME} is
+ determined automatically from the location of the binary that has
+ been run.
+
+ You should not try to set @{setting ISABELLE_HOME} manually. Also
+ note that the Isabelle executables either have to be run from their
+ original location in the distribution directory, or via the
+ executable objects created by the @{tool install} tool. Symbolic
+ links are admissible, but a plain copy of the @{file
+ "$ISABELLE_HOME/bin"} files will not work!
+
+ \item The file @{file "$ISABELLE_HOME/etc/settings"} is run as a
+ @{executable_ref bash} shell script with the auto-export option for
+ variables enabled.
+
+ This file holds a rather long list of shell variable assigments,
+ thus providing the site-wide default settings. The Isabelle
+ distribution already contains a global settings file with sensible
+ defaults for most variables. When installing the system, only a few
+ of these may have to be adapted (probably @{setting ML_SYSTEM}
+ etc.).
+
+ \item The file @{verbatim "$ISABELLE_HOME_USER/etc/settings"} (if it
+ exists) is run in the same way as the site default settings. Note
+ that the variable @{setting ISABELLE_HOME_USER} has already been set
+ before --- usually to something like @{verbatim
+ "$USER_HOME/.isabelle/IsabelleXXXX"}.
+
+ Thus individual users may override the site-wide defaults. See also
+ file @{file "$ISABELLE_HOME/etc/user-settings.sample"} in the
+ distribution. Typically, a user settings file would contain only a
+ few lines, just the assigments that are really changed. One should
+ definitely \emph{not} start with a full copy the basic @{file
+ "$ISABELLE_HOME/etc/settings"}. This could cause very annoying
+ maintainance problems later, when the Isabelle installation is
+ updated or changed otherwise.
+
+ \end{enumerate}
+
+ Since settings files are regular GNU @{executable_def bash} scripts,
+ one may use complex shell commands, such as @{verbatim "if"} or
+ @{verbatim "case"} statements to set variables depending on the
+ system architecture or other environment variables. Such advanced
+ features should be added only with great care, though. In
+ particular, external environment references should be kept at a
+ minimum.
+
+ \medskip A few variables are somewhat special:
+
+ \begin{itemize}
+
+ \item @{setting_def ISABELLE_PROCESS} and @{setting_def ISABELLE_TOOL} are set
+ automatically to the absolute path names of the @{executable
+ "isabelle-process"} and @{executable isabelle} executables,
+ respectively.
+
+ \item @{setting_ref ISABELLE_OUTPUT} will have the identifiers of
+ the Isabelle distribution (cf.\ @{setting ISABELLE_IDENTIFIER}) and
+ the ML system (cf.\ @{setting ML_IDENTIFIER}) appended automatically
+ to its value.
+
+ \end{itemize}
+
+ \medskip Note that the settings environment may be inspected with
+ the @{tool getenv} tool. This might help to figure out the effect
+ of complex settings scripts. *}
+
+
+subsection {* Common variables *}
+
+text {*
+ This is a reference of common Isabelle settings variables. Note that
+ the list is somewhat open-ended. Third-party utilities or interfaces
+ may add their own selection. Variables that are special in some
+ sense are marked with @{text "\<^sup>*"}.
+
+ \begin{description}
+
+ \item[@{setting_def USER_HOME}@{text "\<^sup>*"}] Is the cross-platform
+ user home directory. On Unix systems this is usually the same as
+ @{setting HOME}, but on Windows it is the regular home directory of
+ the user, not the one of within the Cygwin root
+ file-system.\footnote{Cygwin itself offers another choice whether
+ its HOME should point to the \texttt{/home} directory tree or the
+ Windows user home.}
+
+ \item[@{setting_def ISABELLE_HOME}@{text "\<^sup>*"}] is the location of the
+ top-level Isabelle distribution directory. This is automatically
+ determined from the Isabelle executable that has been invoked. Do
+ not attempt to set @{setting ISABELLE_HOME} yourself from the shell!
+
+ \item[@{setting_def ISABELLE_HOME_USER}] is the user-specific
+ counterpart of @{setting ISABELLE_HOME}. The default value is
+ relative to @{verbatim "$USER_HOME/.isabelle"}, under rare
+ circumstances this may be changed in the global setting file.
+ Typically, the @{setting ISABELLE_HOME_USER} directory mimics
+ @{setting ISABELLE_HOME} to some extend. In particular, site-wide
+ defaults may be overridden by a private @{verbatim
+ "$ISABELLE_HOME_USER/etc/settings"}.
+
+ \item[@{setting_def ISABELLE_PLATFORM}@{text "\<^sup>*"}] is automatically
+ set to a symbolic identifier for the underlying hardware and
+ operating system. The Isabelle platform identification always
+ refers to the 32 bit variant, even this is a 64 bit machine. Note
+ that the ML or Java runtime may have a different idea, depending on
+ which binaries are actually run.
+
+ \item[@{setting_def ISABELLE_PLATFORM64}@{text "\<^sup>*"}] is similar to
+ @{setting ISABELLE_PLATFORM} but refers to the proper 64 bit variant
+ on a platform that supports this; the value is empty for 32 bit.
+ Note that the following bash expression (including the quotes)
+ prefers the 64 bit platform, if that is available:
+
+ @{verbatim [display] "\"${ISABELLE_PLATFORM64:-$ISABELLE_PLATFORM}\""}
+
+ \item[@{setting_def ISABELLE_PROCESS}@{text "\<^sup>*"}, @{setting
+ ISABELLE_TOOL}@{text "\<^sup>*"}] are automatically set to the full path
+ names of the @{executable "isabelle-process"} and @{executable
+ isabelle} executables, respectively. Thus other tools and scripts
+ need not assume that the @{file "$ISABELLE_HOME/bin"} directory is
+ on the current search path of the shell.
+
+ \item[@{setting_def ISABELLE_IDENTIFIER}@{text "\<^sup>*"}] refers
+ to the name of this Isabelle distribution, e.g.\ ``@{verbatim
+ Isabelle2012}''.
+
+ \item[@{setting_def ML_SYSTEM}, @{setting_def ML_HOME},
+ @{setting_def ML_OPTIONS}, @{setting_def ML_PLATFORM}, @{setting_def
+ ML_IDENTIFIER}@{text "\<^sup>*"}] specify the underlying ML system
+ to be used for Isabelle. There is only a fixed set of admissable
+ @{setting ML_SYSTEM} names (see the @{file
+ "$ISABELLE_HOME/etc/settings"} file of the distribution).
+
+ The actual compiler binary will be run from the directory @{setting
+ ML_HOME}, with @{setting ML_OPTIONS} as first arguments on the
+ command line. The optional @{setting ML_PLATFORM} may specify the
+ binary format of ML heap images, which is useful for cross-platform
+ installations. The value of @{setting ML_IDENTIFIER} is
+ automatically obtained by composing the values of @{setting
+ ML_SYSTEM}, @{setting ML_PLATFORM} and the Isabelle version values.
+
+ \item[@{setting_def ISABELLE_JDK_HOME}] needs to point to a full JDK
+ (Java Development Kit) installation with @{verbatim javac} and
+ @{verbatim jar} executables. This is essential for Isabelle/Scala
+ and other JVM-based tools to work properly. Note that conventional
+ @{verbatim JAVA_HOME} usually points to the JRE (Java Runtime
+ Environment), not JDK.
+
+ \item[@{setting_def ISABELLE_PATH}] is a list of directories
+ (separated by colons) where Isabelle logic images may reside. When
+ looking up heaps files, the value of @{setting ML_IDENTIFIER} is
+ appended to each component internally.
+
+ \item[@{setting_def ISABELLE_OUTPUT}@{text "\<^sup>*"}] is a
+ directory where output heap files should be stored by default. The
+ ML system and Isabelle version identifier is appended here, too.
+
+ \item[@{setting_def ISABELLE_BROWSER_INFO}] is the directory where
+ theory browser information (HTML text, graph data, and printable
+ documents) is stored (see also \secref{sec:info}). The default
+ value is @{verbatim "$ISABELLE_HOME_USER/browser_info"}.
+
+ \item[@{setting_def ISABELLE_LOGIC}] specifies the default logic to
+ load if none is given explicitely by the user. The default value is
+ @{verbatim HOL}.
+
+ \item[@{setting_def ISABELLE_LINE_EDITOR}] specifies the default
+ line editor for the @{tool_ref tty} interface.
+
+ \item[@{setting_def ISABELLE_USEDIR_OPTIONS}] is implicitly prefixed
+ to the command line of any @{tool_ref usedir} invocation. This
+ typically contains compilation options for object-logics --- @{tool
+ usedir} is the basic tool for managing logic sessions (cf.\ the
+ @{verbatim IsaMakefile}s in the distribution).
+
+ \item[@{setting_def ISABELLE_LATEX}, @{setting_def
+ ISABELLE_PDFLATEX}, @{setting_def ISABELLE_BIBTEX}, @{setting_def
+ ISABELLE_DVIPS}] refer to {\LaTeX} related tools for Isabelle
+ document preparation (see also \secref{sec:tool-latex}).
+
+ \item[@{setting_def ISABELLE_TOOLS}] is a colon separated list of
+ directories that are scanned by @{executable isabelle} for external
+ utility programs (see also \secref{sec:isabelle-tool}).
+
+ \item[@{setting_def ISABELLE_DOCS}] is a colon separated list of
+ directories with documentation files.
+
+ \item[@{setting_def ISABELLE_DOC_FORMAT}] specifies the preferred
+ document format, typically @{verbatim dvi} or @{verbatim pdf}.
+
+ \item[@{setting_def DVI_VIEWER}] specifies the command to be used
+ for displaying @{verbatim dvi} files.
+
+ \item[@{setting_def PDF_VIEWER}] specifies the command to be used
+ for displaying @{verbatim pdf} files.
+
+ \item[@{setting_def PRINT_COMMAND}] specifies the standard printer
+ spool command, which is expected to accept @{verbatim ps} files.
+
+ \item[@{setting_def ISABELLE_TMP_PREFIX}@{text "\<^sup>*"}] is the
+ prefix from which any running @{executable "isabelle-process"}
+ derives an individual directory for temporary files. The default is
+ somewhere in @{verbatim "/tmp"}.
+
+ \end{description}
+*}
+
+
+subsection {* Additional components \label{sec:components} *}
+
+text {* Any directory may be registered as an explicit \emph{Isabelle
+ component}. The general layout conventions are that of the main
+ Isabelle distribution itself, and the following two files (both
+ optional) have a special meaning:
+
+ \begin{itemize}
+
+ \item @{verbatim "etc/settings"} holds additional settings that are
+ initialized when bootstrapping the overall Isabelle environment,
+ cf.\ \secref{sec:boot}. As usual, the content is interpreted as a
+ @{verbatim bash} script. It may refer to the component's enclosing
+ directory via the @{verbatim "COMPONENT"} shell variable.
+
+ For example, the following setting allows to refer to files within
+ the component later on, without having to hardwire absolute paths:
+
+\begin{ttbox}
+MY_COMPONENT_HOME="$COMPONENT"
+\end{ttbox}
+
+ Components can also add to existing Isabelle settings such as
+ @{setting_def ISABELLE_TOOLS}, in order to provide
+ component-specific tools that can be invoked by end-users. For
+ example:
+
+\begin{ttbox}
+ISABELLE_TOOLS="$ISABELLE_TOOLS:$COMPONENT/lib/Tools"
+\end{ttbox}
+
+ \item @{verbatim "etc/components"} holds a list of further
+ sub-components of the same structure. The directory specifications
+ given here can be either absolute (with leading @{verbatim "/"}) or
+ relative to the component's main directory.
+
+ \end{itemize}
+
+ The root of component initialization is @{setting ISABELLE_HOME}
+ itself. After initializing all of its sub-components recursively,
+ @{setting ISABELLE_HOME_USER} is included in the same manner (if
+ that directory exists). This allows to install private components
+ via @{verbatim "$ISABELLE_HOME_USER/etc/components"}, although it is
+ often more convenient to do that programmatically via the
+ \verb,init_component, shell function in the \verb,etc/settings,
+ script of \verb,$ISABELLE_HOME_USER, (or any other component
+ directory). For example:
+\begin{ttbox}
+init_component "$HOME/screwdriver-2.0"
+\end{ttbox}
+
+ This is tolerant wrt.\ missing component directories, but might
+ produce a warning.
+
+ \medskip More complex situations may be addressed by initializing
+ components listed in a given catalog file, relatively to some base
+ directory:
+
+\begin{ttbox}
+init_components "$HOME/my_component_store" "some_catalog_file"
+\end{ttbox}
+
+ The component directories listed in the catalog file are treated as
+ relative to the given base directory.
+
+ See also \secref{sec:tool-components} for some tool-support for
+ resolving components that are formally initialized but not installed
+ yet.
+*}
+
+
+section {* The raw Isabelle process *}
+
+text {*
+ The @{executable_def "isabelle-process"} executable runs bare-bones
+ Isabelle logic sessions --- either interactively or in batch mode.
+ It provides an abstraction over the underlying ML system, and over
+ the actual heap file locations. Its usage is:
+
+\begin{ttbox}
+Usage: isabelle-process [OPTIONS] [INPUT] [OUTPUT]
+
+ Options are:
+ -I startup Isar interaction mode
+ -P startup Proof General interaction mode
+ -S secure mode -- disallow critical operations
+ -T ADDR startup process wrapper, with socket address
+ -W IN:OUT startup process wrapper, with input/output fifos
+ -X startup PGIP interaction mode
+ -e MLTEXT pass MLTEXT to the ML session
+ -f pass 'Session.finish();' to the ML session
+ -m MODE add print mode for output
+ -q non-interactive session
+ -r open heap file read-only
+ -u pass 'use"ROOT.ML";' to the ML session
+ -w reset write permissions on OUTPUT
+
+ INPUT (default "\$ISABELLE_LOGIC") and OUTPUT specify in/out heaps.
+ These are either names to be searched in the Isabelle path, or
+ actual file names (containing at least one /).
+ If INPUT is "RAW_ML_SYSTEM", just start the bare bones ML system.
+\end{ttbox}
+
+ Input files without path specifications are looked up in the
+ @{setting ISABELLE_PATH} setting, which may consist of multiple
+ components separated by colons --- these are tried in the given
+ order with the value of @{setting ML_IDENTIFIER} appended
+ internally. In a similar way, base names are relative to the
+ directory specified by @{setting ISABELLE_OUTPUT}. In any case,
+ actual file locations may also be given by including at least one
+ slash (@{verbatim "/"}) in the name (hint: use @{verbatim "./"} to
+ refer to the current directory).
+*}
+
+
+subsubsection {* Options *}
+
+text {*
+ If the input heap file does not have write permission bits set, or
+ the @{verbatim "-r"} option is given explicitely, then the session
+ started will be read-only. That is, the ML world cannot be
+ committed back into the image file. Otherwise, a writable session
+ enables commits into either the input file, or into another output
+ heap file (if that is given as the second argument on the command
+ line).
+
+ The read-write state of sessions is determined at startup only, it
+ cannot be changed intermediately. Also note that heap images may
+ require considerable amounts of disk space (approximately
+ 50--200~MB). Users are responsible for themselves to dispose their
+ heap files when they are no longer needed.
+
+ \medskip The @{verbatim "-w"} option makes the output heap file
+ read-only after terminating. Thus subsequent invocations cause the
+ logic image to be read-only automatically.
+
+ \medskip Using the @{verbatim "-e"} option, arbitrary ML code may be
+ passed to the Isabelle session from the command line. Multiple
+ @{verbatim "-e"}'s are evaluated in the given order. Strange things
+ may happen when errorneous ML code is provided. Also make sure that
+ the ML commands are terminated properly by semicolon.
+
+ \medskip The @{verbatim "-u"} option is a shortcut for @{verbatim
+ "-e"} passing ``@{verbatim "use \"ROOT.ML\";"}'' to the ML session.
+ The @{verbatim "-f"} option passes ``@{verbatim
+ "Session.finish();"}'', which is intended mainly for administrative
+ purposes.
+
+ \medskip The @{verbatim "-m"} option adds identifiers of print modes
+ to be made active for this session. Typically, this is used by some
+ user interface, e.g.\ to enable output of proper mathematical
+ symbols.
+
+ \medskip Isabelle normally enters an interactive top-level loop
+ (after processing the @{verbatim "-e"} texts). The @{verbatim "-q"}
+ option inhibits interaction, thus providing a pure batch mode
+ facility.
+
+ \medskip The @{verbatim "-I"} option makes Isabelle enter Isar
+ interaction mode on startup, instead of the primitive ML top-level.
+ The @{verbatim "-P"} option configures the top-level loop for
+ interaction with the Proof General user interface, and the
+ @{verbatim "-X"} option enables XML-based PGIP communication.
+
+ \medskip The @{verbatim "-T"} or @{verbatim "-W"} option makes
+ Isabelle enter a special process wrapper for interaction via the
+ Isabelle/Scala layer, see also @{file
+ "~~/src/Pure/System/isabelle_process.scala"}. The protocol between
+ the ML and JVM process is private to the implementation.
+
+ \medskip The @{verbatim "-S"} option makes the Isabelle process more
+ secure by disabling some critical operations, notably runtime
+ compilation and evaluation of ML source code.
+*}
+
+
+subsubsection {* Examples *}
+
+text {*
+ Run an interactive session of the default object-logic (as specified
+ by the @{setting ISABELLE_LOGIC} setting) like this:
+\begin{ttbox}
+isabelle-process
+\end{ttbox}
+
+ Usually @{setting ISABELLE_LOGIC} refers to one of the standard
+ logic images, which are read-only by default. A writable session
+ --- based on @{verbatim HOL}, but output to @{verbatim Test} (in the
+ directory specified by the @{setting ISABELLE_OUTPUT} setting) ---
+ may be invoked as follows:
+\begin{ttbox}
+isabelle-process HOL Test
+\end{ttbox}
+ Ending this session normally (e.g.\ by typing control-D) dumps the
+ whole ML system state into @{verbatim Test} (be prepared for more
+ than 100\,MB):
+
+ The @{verbatim Test} session may be continued later (still in
+ writable state) by:
+\begin{ttbox}
+isabelle-process Test
+\end{ttbox}
+ A read-only @{verbatim Test} session may be started by:
+\begin{ttbox}
+isabelle-process -r Test
+\end{ttbox}
+
+ \medskip Note that manual session management like this does
+ \emph{not} provide proper setup for theory presentation. This would
+ require @{tool usedir}.
+
+ \bigskip The next example demonstrates batch execution of Isabelle.
+ We retrieve the @{verbatim Main} theory value from the theory loader
+ within ML (observe the delicate quoting rules for the Bash shell
+ vs.\ ML):
+\begin{ttbox}
+isabelle-process -e 'Thy_Info.get_theory "Main";' -q -r HOL
+\end{ttbox}
+ Note that the output text will be interspersed with additional junk
+ messages by the ML runtime environment. The @{verbatim "-W"} option
+ allows to communicate with the Isabelle process via an external
+ program in a more robust fashion.
+*}
+
+
+section {* The Isabelle tool wrapper \label{sec:isabelle-tool} *}
+
+text {*
+ All Isabelle related tools and interfaces are called via a common
+ wrapper --- @{executable isabelle}:
+
+\begin{ttbox}
+Usage: isabelle TOOL [ARGS ...]
+
+ Start Isabelle tool NAME with ARGS; pass "-?" for tool specific help.
+
+Available tools:
+ \dots
+\end{ttbox}
+
+ In principle, Isabelle tools are ordinary executable scripts that
+ are run within the Isabelle settings environment, see
+ \secref{sec:settings}. The set of available tools is collected by
+ @{executable isabelle} from the directories listed in the @{setting
+ ISABELLE_TOOLS} setting. Do not try to call the scripts directly
+ from the shell. Neither should you add the tool directories to your
+ shell's search path!
+*}
+
+
+subsubsection {* Examples *}
+
+text {* Show the list of available documentation of the Isabelle
+ distribution:
+
+\begin{ttbox}
+ isabelle doc
+\end{ttbox}
+
+ View a certain document as follows:
+\begin{ttbox}
+ isabelle doc system
+\end{ttbox}
+
+ Query the Isabelle settings environment:
+\begin{ttbox}
+ isabelle getenv ISABELLE_HOME_USER
+\end{ttbox}
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Interfaces.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,281 @@
+theory Interfaces
+imports Base
+begin
+
+chapter {* User interfaces *}
+
+section {* Isabelle/jEdit Prover IDE \label{sec:tool-jedit} *}
+
+text {* The @{tool_def jedit} tool invokes a version of
+ jEdit\footnote{\url{http://www.jedit.org/}} that has been augmented
+ with some components to provide a fully-featured Prover IDE:
+\begin{ttbox} Usage: isabelle jedit [OPTIONS]
+ [FILES ...]
+
+ Options are:
+ -J OPTION add JVM runtime option (default JEDIT_JAVA_OPTIONS)
+ -b build only
+ -d DIR include session directory
+ -f fresh build
+ -j OPTION add jEdit runtime option (default JEDIT_OPTIONS)
+ -l NAME logic image name (default ISABELLE_LOGIC)
+ -m MODE add print mode for output
+
+Start jEdit with Isabelle plugin setup and opens theory FILES
+(default Scratch.thy).
+\end{ttbox}
+
+ The @{verbatim "-l"} option specifies the session name of the logic
+ image to be used for proof processing. Additional session root
+ directories may be included via option @{verbatim "-d"} to augment
+ that name space (see also \secref{sec:tool-build}).
+
+ The @{verbatim "-m"} option specifies additional print modes.
+
+ The @{verbatim "-J"} and @{verbatim "-j"} options allow to pass
+ additional low-level options to the JVM or jEdit, respectively. The
+ defaults are provided by the Isabelle settings environment
+ (\secref{sec:settings}).
+
+ The @{verbatim "-b"} and @{verbatim "-f"} options control the
+ self-build mechanism of Isabelle/jEdit. This is only relevant for
+ building from sources, which also requires an auxiliary @{verbatim
+ jedit_build}
+ component.\footnote{\url{http://isabelle.in.tum.de/components}} Note
+ that official Isabelle releases already include a version of
+ Isabelle/jEdit that is built properly. *}
+
+
+section {* Proof General / Emacs *}
+
+text {* The @{tool_def emacs} tool invokes a version of Emacs and
+ Proof General\footnote{http://proofgeneral.inf.ed.ac.uk/} within the
+ regular Isabelle settings environment (\secref{sec:settings}). This
+ is more convenient than starting Emacs separately, loading the Proof
+ General LISP files, and then attempting to start Isabelle with
+ dynamic @{setting PATH} lookup etc.
+
+ The actual interface script is part of the Proof General
+ distribution; its usage depends on the particular version. There
+ are some options available, such as @{verbatim "-l"} for passing the
+ logic image to be used by default, or @{verbatim "-m"} to tune the
+ standard print mode. The following Isabelle settings are
+ particularly important for Proof General:
+
+ \begin{description}
+
+ \item[@{setting_def PROOFGENERAL_HOME}] points to the main
+ installation directory of the Proof General distribution. This is
+ implicitly provided for versions of Proof General that are
+ distributed as Isabelle component, see also \secref{sec:components};
+ otherwise it needs to be configured manually.
+
+ \item[@{setting_def PROOFGENERAL_OPTIONS}] is implicitly prefixed to
+ the command line of any invocation of the Proof General @{verbatim
+ interface} script. This allows to provide persistent default
+ options for the invocation of \texttt{isabelle emacs}.
+
+ \end{description}
+*}
+
+
+section {* Plain TTY interaction \label{sec:tool-tty} *}
+
+text {*
+ The @{tool_def tty} tool runs the Isabelle process interactively
+ within a plain terminal session:
+\begin{ttbox}
+Usage: isabelle tty [OPTIONS]
+
+ Options are:
+ -l NAME logic image name (default ISABELLE_LOGIC)
+ -m MODE add print mode for output
+ -p NAME line editor program name (default ISABELLE_LINE_EDITOR)
+
+ Run Isabelle process with plain tty interaction and line editor.
+\end{ttbox}
+
+ The @{verbatim "-l"} option specifies the logic image. The
+ @{verbatim "-m"} option specifies additional print modes. The
+ @{verbatim "-p"} option specifies an alternative line editor (such
+ as the @{executable_def rlwrap} wrapper for GNU readline); the
+ fall-back is to use raw standard input.
+
+ Regular interaction works via the standard Isabelle/Isar toplevel
+ loop. The Isar command @{command exit} drops out into the
+ bare-bones ML system, which is occasionally useful for debugging of
+ the Isar infrastructure itself. Invoking @{ML Isar.loop}~@{verbatim
+ "();"} in ML will return to the Isar toplevel. *}
+
+
+
+section {* Theory graph browser \label{sec:browse} *}
+
+text {* The Isabelle graph browser is a general tool for visualizing
+ dependency graphs. Certain nodes of the graph (i.e.\ theories) can
+ be grouped together in ``directories'', whose contents may be
+ hidden, thus enabling the user to collapse irrelevant portions of
+ information. The browser is written in Java, it can be used both as
+ a stand-alone application and as an applet. *}
+
+
+subsection {* Invoking the graph browser *}
+
+text {* The stand-alone version of the graph browser is wrapped up as
+ @{tool_def browser}:
+\begin{ttbox}
+Usage: isabelle browser [OPTIONS] [GRAPHFILE]
+
+ Options are:
+ -b Admin/build only
+ -c cleanup -- remove GRAPHFILE after use
+ -o FILE output to FILE (ps, eps, pdf)
+\end{ttbox}
+ When no filename is specified, the browser automatically changes to
+ the directory @{setting ISABELLE_BROWSER_INFO}.
+
+ \medskip The @{verbatim "-b"} option indicates that this is for
+ administrative build only, i.e.\ no browser popup if no files are
+ given.
+
+ The @{verbatim "-c"} option causes the input file to be removed
+ after use.
+
+ The @{verbatim "-o"} option indicates batch-mode operation, with the
+ output written to the indicated file; note that @{verbatim pdf}
+ produces an @{verbatim eps} copy as well.
+
+ \medskip The applet version of the browser is part of the standard
+ WWW theory presentation, see the link ``theory dependencies'' within
+ each session index.
+*}
+
+
+subsection {* Using the graph browser *}
+
+text {*
+ The browser's main window, which is shown in
+ \figref{fig:browserwindow}, consists of two sub-windows. In the
+ left sub-window, the directory tree is displayed. The graph itself
+ is displayed in the right sub-window.
+
+ \begin{figure}[ht]
+ \includegraphics[width=\textwidth]{browser_screenshot}
+ \caption{\label{fig:browserwindow} Browser main window}
+ \end{figure}
+*}
+
+
+subsubsection {* The directory tree window *}
+
+text {*
+ We describe the usage of the directory browser and the meaning of
+ the different items in the browser window.
+
+ \begin{itemize}
+
+ \item A red arrow before a directory name indicates that the
+ directory is currently ``folded'', i.e.~the nodes in this directory
+ are collapsed to one single node. In the right sub-window, the names
+ of nodes corresponding to folded directories are enclosed in square
+ brackets and displayed in red color.
+
+ \item A green downward arrow before a directory name indicates that
+ the directory is currently ``unfolded''. It can be folded by
+ clicking on the directory name. Clicking on the name for a second
+ time unfolds the directory again. Alternatively, a directory can
+ also be unfolded by clicking on the corresponding node in the right
+ sub-window.
+
+ \item Blue arrows stand before ordinary node names. When clicking on
+ such a name (i.e.\ that of a theory), the graph display window
+ focuses to the corresponding node. Double clicking invokes a text
+ viewer window in which the contents of the theory file are
+ displayed.
+
+ \end{itemize}
+*}
+
+
+subsubsection {* The graph display window *}
+
+text {*
+ When pointing on an ordinary node, an upward and a downward arrow is
+ shown. Initially, both of these arrows are green. Clicking on the
+ upward or downward arrow collapses all predecessor or successor
+ nodes, respectively. The arrow's color then changes to red,
+ indicating that the predecessor or successor nodes are currently
+ collapsed. The node corresponding to the collapsed nodes has the
+ name ``@{verbatim "[....]"}''. To uncollapse the nodes again, simply
+ click on the red arrow or on the node with the name ``@{verbatim
+ "[....]"}''. Similar to the directory browser, the contents of
+ theory files can be displayed by double clicking on the
+ corresponding node.
+*}
+
+
+subsubsection {* The ``File'' menu *}
+
+text {*
+ Due to Java Applet security restrictions this menu is only available
+ in the full application version. The meaning of the menu items is as
+ follows:
+
+ \begin{description}
+
+ \item[Open \dots] Open a new graph file.
+
+ \item[Export to PostScript] Outputs the current graph in Postscript
+ format, appropriately scaled to fit on one single sheet of A4 paper.
+ The resulting file can be printed directly.
+
+ \item[Export to EPS] Outputs the current graph in Encapsulated
+ Postscript format. The resulting file can be included in other
+ documents.
+
+ \item[Quit] Quit the graph browser.
+
+ \end{description}
+*}
+
+
+subsection {* Syntax of graph definition files *}
+
+text {*
+ A graph definition file has the following syntax:
+
+ \begin{center}\small
+ \begin{tabular}{rcl}
+ @{text graph} & @{text "="} & @{text "{ vertex"}~@{verbatim ";"}~@{text "}+"} \\
+ @{text vertex} & @{text "="} & @{text "vertex_name vertex_ID dir_name ["}~@{verbatim "+"}~@{text "] path ["}~@{verbatim "<"}~@{text "|"}~@{verbatim ">"}~@{text "] { vertex_ID }*"}
+ \end{tabular}
+ \end{center}
+
+ The meaning of the items in a vertex description is as follows:
+
+ \begin{description}
+
+ \item[@{text vertex_name}] The name of the vertex.
+
+ \item[@{text vertex_ID}] The vertex identifier. Note that there may
+ be several vertices with equal names, whereas identifiers must be
+ unique.
+
+ \item[@{text dir_name}] The name of the ``directory'' the vertex
+ should be placed in. A ``@{verbatim "+"}'' sign after @{text
+ dir_name} indicates that the nodes in the directory are initially
+ visible. Directories are initially invisible by default.
+
+ \item[@{text path}] The path of the corresponding theory file. This
+ is specified relatively to the path of the graph definition file.
+
+ \item[List of successor/predecessor nodes] A ``@{verbatim "<"}''
+ sign before the list means that successor nodes are listed, a
+ ``@{verbatim ">"}'' sign means that predecessor nodes are listed. If
+ neither ``@{verbatim "<"}'' nor ``@{verbatim ">"}'' is found, the
+ browser assumes that successor nodes are listed.
+
+ \end{description}
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Misc.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,598 @@
+theory Misc
+imports Base
+begin
+
+chapter {* Miscellaneous tools \label{ch:tools} *}
+
+text {*
+ Subsequently we describe various Isabelle related utilities, given
+ in alphabetical order.
+*}
+
+
+section {* Resolving Isabelle components \label{sec:tool-components} *}
+
+text {*
+ The @{tool_def components} tool resolves Isabelle components:
+\begin{ttbox}
+Usage: isabelle components [OPTIONS] [COMPONENTS ...]
+
+ Options are:
+ -R URL component repository
+ (default $ISABELLE_COMPONENT_REPOSITORY)
+ -a all missing components
+ -l list status
+
+ Resolve Isabelle components via download and installation.
+ COMPONENTS are identified via base name.
+
+ ISABELLE_COMPONENT_REPOSITORY="http://isabelle.in.tum.de/components"
+\end{ttbox}
+
+ Components are initialized as described in \secref{sec:components}
+ in a permissive manner, which can mark components as ``missing''.
+ This state is amended by letting @{tool "components"} download and
+ unpack components that are published on the default component
+ repository \url{http://isabelle.in.tum.de/components/} in
+ particular.
+
+ Option @{verbatim "-R"} specifies an alternative component
+ repository. Note that @{verbatim "file:///"} URLs can be used for
+ local directories.
+
+ Option @{verbatim "-a"} selects all missing components to be
+ installed. Explicit components may be named as command
+ line-arguments as well. Note that components are uniquely
+ identified by their base name, while the installation takes place in
+ the location that was specified in the attempt to initialize the
+ component before.
+
+ Option @{verbatim "-l"} lists the current state of available and
+ missing components with their location (full name) within the
+ file-system. *}
+
+
+section {* Displaying documents *}
+
+text {* The @{tool_def display} tool displays documents in DVI or PDF
+ format:
+\begin{ttbox}
+Usage: isabelle display [OPTIONS] FILE
+
+ Options are:
+ -c cleanup -- remove FILE after use
+
+ Display document FILE (in DVI format).
+\end{ttbox}
+
+ \medskip The @{verbatim "-c"} option causes the input file to be
+ removed after use. The program for viewing @{verbatim dvi} files is
+ determined by the @{setting DVI_VIEWER} setting.
+*}
+
+
+section {* Viewing documentation \label{sec:tool-doc} *}
+
+text {*
+ The @{tool_def doc} tool displays online documentation:
+\begin{ttbox}
+Usage: isabelle doc [DOC]
+
+ View Isabelle documentation DOC, or show list of available documents.
+\end{ttbox}
+ If called without arguments, it lists all available documents. Each
+ line starts with an identifier, followed by a short description. Any
+ of these identifiers may be specified as the first argument in order
+ to have the corresponding document displayed.
+
+ \medskip The @{setting ISABELLE_DOCS} setting specifies the list of
+ directories (separated by colons) to be scanned for documentations.
+ The program for viewing @{verbatim dvi} files is determined by the
+ @{setting DVI_VIEWER} setting.
+*}
+
+
+section {* Shell commands within the settings environment \label{sec:tool-env} *}
+
+text {* The @{tool_def env} tool is a direct wrapper for the standard
+ @{verbatim "/usr/bin/env"} command on POSIX systems, running within
+ the Isabelle settings environment (\secref{sec:settings}).
+
+ The command-line arguments are that of the underlying version of
+ @{verbatim env}. For example, the following invokes an instance of
+ the GNU Bash shell within the Isabelle environment:
+\begin{alltt}
+ isabelle env bash
+\end{alltt}
+*}
+
+
+section {* Getting logic images *}
+
+text {* The @{tool_def findlogics} tool traverses all directories
+ specified in @{setting ISABELLE_PATH}, looking for Isabelle logic
+ images. Its usage is:
+\begin{ttbox}
+Usage: isabelle findlogics
+
+ Collect heap file names from ISABELLE_PATH.
+\end{ttbox}
+
+ The base names of all files found on the path are printed --- sorted
+ and with duplicates removed. Also note that lookup in @{setting
+ ISABELLE_PATH} includes the current values of @{setting ML_SYSTEM}
+ and @{setting ML_PLATFORM}. Thus switching to another ML compiler
+ may change the set of logic images available.
+*}
+
+
+section {* Inspecting the settings environment \label{sec:tool-getenv} *}
+
+text {* The Isabelle settings environment --- as provided by the
+ site-default and user-specific settings files --- can be inspected
+ with the @{tool_def getenv} tool:
+\begin{ttbox}
+Usage: isabelle getenv [OPTIONS] [VARNAMES ...]
+
+ Options are:
+ -a display complete environment
+ -b print values only (doesn't work for -a)
+ -d FILE dump complete environment to FILE
+ (null terminated entries)
+
+ Get value of VARNAMES from the Isabelle settings.
+\end{ttbox}
+
+ With the @{verbatim "-a"} option, one may inspect the full process
+ environment that Isabelle related programs are run in. This usually
+ contains much more variables than are actually Isabelle settings.
+ Normally, output is a list of lines of the form @{text
+ name}@{verbatim "="}@{text value}. The @{verbatim "-b"} option
+ causes only the values to be printed.
+
+ Option @{verbatim "-d"} produces a dump of the complete environment
+ to the specified file. Entries are terminated by the ASCII null
+ character, i.e.\ the C string terminator.
+*}
+
+
+subsubsection {* Examples *}
+
+text {* Get the location of @{setting ISABELLE_HOME_USER} where
+ user-specific information is stored:
+\begin{ttbox}
+isabelle getenv ISABELLE_HOME_USER
+\end{ttbox}
+
+ \medskip Get the value only of the same settings variable, which is
+particularly useful in shell scripts:
+\begin{ttbox}
+isabelle getenv -b ISABELLE_OUTPUT
+\end{ttbox}
+*}
+
+
+section {* Installing standalone Isabelle executables \label{sec:tool-install} *}
+
+text {* By default, the main Isabelle binaries (@{executable
+ "isabelle"} etc.) are just run from their location within the
+ distribution directory, probably indirectly by the shell through its
+ @{setting PATH}. Other schemes of installation are supported by the
+ @{tool_def install} tool:
+\begin{ttbox}
+Usage: isabelle install [OPTIONS]
+
+ Options are:
+ -d DISTDIR use DISTDIR as Isabelle distribution
+ (default ISABELLE_HOME)
+ -p DIR install standalone binaries in DIR
+
+ Install Isabelle executables with absolute references to the current
+ distribution directory.
+\end{ttbox}
+
+ The @{verbatim "-d"} option overrides the current Isabelle
+ distribution directory as determined by @{setting ISABELLE_HOME}.
+
+ The @{verbatim "-p"} option installs executable wrapper scripts for
+ @{executable "isabelle-process"}, @{executable isabelle}, containing
+ proper absolute references to the Isabelle distribution directory.
+ A typical @{verbatim DIR} specification would be some directory
+ expected to be in the shell's @{setting PATH}, such as @{verbatim
+ "$HOME/bin"}.
+
+ It is possible to make symbolic links of the main Isabelle
+ executables, but making separate copies outside the Isabelle
+ distribution directory will not work.
+*}
+
+
+section {* Creating instances of the Isabelle logo *}
+
+text {* The @{tool_def logo} tool creates any instance of the generic
+ Isabelle logo as EPS or PDF.
+\begin{ttbox}
+Usage: isabelle logo [OPTIONS] NAME
+
+ Create instance NAME of the Isabelle logo (as EPS or PDF).
+
+ Options are:
+ -o OUTFILE specify output file and format
+ (default "isabelle_name.pdf")
+ -q quiet mode
+\end{ttbox}
+
+ Option @{verbatim "-o"} specifies an explicit output file name and
+ format, e.g.\ @{verbatim "mylogo.eps"} for an EPS logo. The default
+ is @{verbatim "isabelle_"}@{text name}@{verbatim ".pdf"}, with the
+ lower-case version of the given name and PDF output.
+
+ Option @{verbatim "-q"} omits printing of the result file name.
+
+ \medskip Implementors of Isabelle tools and applications are
+ encouraged to make derived Isabelle logos for their own projects
+ using this template. *}
+
+
+section {* Isabelle wrapper for make \label{sec:tool-make} *}
+
+text {* The old @{tool_def make} tool is a very simple wrapper for
+ ordinary Unix @{executable make}:
+\begin{ttbox}
+Usage: isabelle make [ARGS ...]
+
+ Compile the logic in current directory using IsaMakefile.
+ ARGS are directly passed to the system make program.
+\end{ttbox}
+
+ Note that the Isabelle settings environment is also active. Thus one
+ may refer to its values within the @{verbatim IsaMakefile}, e.g.\
+ @{verbatim "$(ISABELLE_HOME)"}. Furthermore, programs started from
+ the make file also inherit this environment.
+*}
+
+
+section {* Creating Isabelle session directories
+ \label{sec:tool-mkdir} *}
+
+text {* The old @{tool_def mkdir} tool prepares Isabelle session
+ source directories, including a sensible default setup of @{verbatim
+ IsaMakefile}, @{verbatim ROOT.ML}, and a @{verbatim document}
+ directory with a minimal @{verbatim root.tex} that is sufficient to
+ print all theories of the session (in the order of appearance); see
+ \secref{sec:tool-document} for further information on Isabelle
+ document preparation. The usage of @{tool mkdir} is:
+
+\begin{ttbox}
+Usage: isabelle mkdir [OPTIONS] [LOGIC] NAME
+
+ Options are:
+ -I FILE alternative IsaMakefile output
+ -P include parent logic target
+ -b setup build mode (session outputs heap image)
+ -q quiet mode
+
+ Prepare session directory, including IsaMakefile and document source,
+ with parent LOGIC (default ISABELLE_LOGIC=\$ISABELLE_LOGIC)
+\end{ttbox}
+
+ The @{tool mkdir} tool is conservative in the sense that any
+ existing @{verbatim IsaMakefile} etc.\ is left unchanged. Thus it
+ is safe to invoke it multiple times, although later runs may not
+ have the desired effect.
+
+ Note that @{tool mkdir} is unable to change @{verbatim IsaMakefile}
+ incrementally --- manual changes are required for multiple
+ sub-sessions. On order to get an initial working session, the only
+ editing needed is to add appropriate @{ML use_thy} calls to the
+ generated @{verbatim ROOT.ML} file.
+*}
+
+
+subsubsection {* Options *}
+
+text {*
+ The @{verbatim "-I"} option specifies an alternative to @{verbatim
+ IsaMakefile} for dependencies. Note that ``@{verbatim "-"}'' refers
+ to \emph{stdout}, i.e.\ ``@{verbatim "-I-"}'' provides an easy way
+ to peek at @{tool mkdir}'s idea of @{tool make} setup required for
+ some particular of Isabelle session.
+
+ \medskip The @{verbatim "-P"} option includes a target for the
+ parent @{verbatim LOGIC} session in the generated @{verbatim
+ IsaMakefile}. The corresponding sources are assumed to be located
+ within the Isabelle distribution.
+
+ \medskip The @{verbatim "-b"} option sets up the current directory
+ as the base for a new session that provides an actual logic image,
+ as opposed to one that only runs several theories based on an
+ existing image. Note that in the latter case, everything except
+ @{verbatim IsaMakefile} would be placed into a separate directory
+ @{verbatim NAME}, rather than the current one. See
+ \secref{sec:tool-usedir} for further information on \emph{build
+ mode} vs.\ \emph{example mode} of @{tool usedir}.
+
+ \medskip The @{verbatim "-q"} option enables quiet mode, suppressing
+ further notes on how to proceed.
+*}
+
+
+section {* Printing documents *}
+
+text {*
+ The @{tool_def print} tool prints documents:
+\begin{ttbox}
+Usage: isabelle print [OPTIONS] FILE
+
+ Options are:
+ -c cleanup -- remove FILE after use
+
+ Print document FILE.
+\end{ttbox}
+
+ The @{verbatim "-c"} option causes the input file to be removed
+ after use. The printer spool command is determined by the @{setting
+ PRINT_COMMAND} setting.
+*}
+
+
+section {* Remove awkward symbol names from theory sources *}
+
+text {*
+ The @{tool_def unsymbolize} tool tunes Isabelle theory sources to
+ improve readability for plain ASCII output (e.g.\ in email
+ communication). Most notably, @{tool unsymbolize} replaces awkward
+ arrow symbols such as @{verbatim "\\"}@{verbatim "<Longrightarrow>"}
+ by @{verbatim "==>"}.
+\begin{ttbox}
+Usage: isabelle unsymbolize [FILES|DIRS...]
+
+ Recursively find .thy/.ML files, removing unreadable symbol names.
+ Note: this is an ad-hoc script; there is no systematic way to replace
+ symbols independently of the inner syntax of a theory!
+
+ Renames old versions of FILES by appending "~~".
+\end{ttbox}
+*}
+
+
+section {* Running Isabelle sessions \label{sec:tool-usedir} *}
+
+text {* The old @{tool_def usedir} tool builds object-logic images, or
+ runs example sessions based on existing logics. Its usage is:
+\begin{ttbox}
+Usage: isabelle usedir [OPTIONS] LOGIC NAME
+
+ Options are:
+ -C BOOL copy existing document directory to -D PATH (default true)
+ -D PATH dump generated document sources into PATH
+ -M MAX multithreading: maximum number of worker threads (default 1)
+ -P PATH set path for remote theory browsing information
+ -Q INT set threshold for sub-proof parallelization (default 50)
+ -T LEVEL multithreading: trace level (default 0)
+ -V VARIANT declare alternative document VARIANT
+ -b build mode (output heap image, using current dir)
+ -d FORMAT build document as FORMAT (default false)
+ -f NAME use ML file NAME (default ROOT.ML)
+ -g BOOL generate session graph image for document (default false)
+ -i BOOL generate theory browser information (default false)
+ -m MODE add print mode for output
+ -p LEVEL set level of detail for proof objects (default 0)
+ -q LEVEL set level of parallel proof checking (default 1)
+ -r reset session path
+ -s NAME override session NAME
+ -t BOOL internal session timing (default false)
+ -v BOOL be verbose (default false)
+
+ Build object-logic or run examples. Also creates browsing
+ information (HTML etc.) according to settings.
+
+ ISABELLE_USEDIR_OPTIONS=...
+
+ ML_PLATFORM=...
+ ML_HOME=...
+ ML_SYSTEM=...
+ ML_OPTIONS=...
+\end{ttbox}
+
+ Note that the value of the @{setting_ref ISABELLE_USEDIR_OPTIONS}
+ setting is implicitly prefixed to \emph{any} @{tool usedir}
+ call. Since the @{verbatim IsaMakefile}s of all object-logics
+ distributed with Isabelle just invoke @{tool usedir} for the real
+ work, one may control compilation options globally via above
+ variable. In particular, generation of \rmindex{HTML} browsing
+ information and document preparation is controlled here.
+*}
+
+
+subsubsection {* Options *}
+
+text {*
+ Basically, there are two different modes of operation: \emph{build
+ mode} (enabled through the @{verbatim "-b"} option) and
+ \emph{example mode} (default).
+
+ Calling @{tool usedir} with @{verbatim "-b"} runs @{executable
+ "isabelle-process"} with input image @{verbatim LOGIC} and output to
+ @{verbatim NAME}, as provided on the command line. This will be a
+ batch session, running @{verbatim ROOT.ML} from the current
+ directory and then quitting. It is assumed that @{verbatim ROOT.ML}
+ contains all ML commands required to build the logic.
+
+ In example mode, @{tool usedir} runs a read-only session of
+ @{verbatim LOGIC} and automatically runs @{verbatim ROOT.ML} from
+ within directory @{verbatim NAME}. It assumes that this file
+ contains appropriate ML commands to run the desired examples.
+
+ \medskip The @{verbatim "-i"} option controls theory browser data
+ generation. It may be explicitly turned on or off --- as usual, the
+ last occurrence of @{verbatim "-i"} on the command line wins.
+
+ The @{verbatim "-P"} option specifies a path (or actual URL) to be
+ prefixed to any \emph{non-local} reference of existing theories.
+ Thus user sessions may easily link to existing Isabelle libraries
+ already present on the WWW.
+
+ The @{verbatim "-m"} options specifies additional print modes to be
+ activated temporarily while the session is processed.
+
+ \medskip The @{verbatim "-d"} option controls document preparation.
+ Valid arguments are @{verbatim false} (do not prepare any document;
+ this is default), or any of @{verbatim dvi}, @{verbatim dvi.gz},
+ @{verbatim ps}, @{verbatim ps.gz}, @{verbatim pdf}. The logic
+ session has to provide a properly setup @{verbatim document}
+ directory. See \secref{sec:tool-document} and
+ \secref{sec:tool-latex} for more details.
+
+ \medskip The @{verbatim "-V"} option declares alternative document
+ variants, consisting of name/tags pairs (cf.\ options @{verbatim
+ "-n"} and @{verbatim "-t"} of @{tool_ref document}). The standard
+ document is equivalent to ``@{verbatim
+ "document=theory,proof,ML"}'', which means that all theory begin/end
+ commands, proof body texts, and ML code will be presented
+ faithfully.
+
+ An alternative variant ``@{verbatim "outline=/proof/ML"}'' would
+ fold proof and ML parts, replacing the original text by a short
+ place-holder. The form ``@{text name}@{verbatim "=-"},'' means to
+ remove document @{text name} from the list of variants to be
+ processed. Any number of @{verbatim "-V"} options may be given;
+ later declarations have precedence over earlier ones.
+
+ Some document variant @{text name} may use an alternative {\LaTeX}
+ entry point called @{verbatim "document/root_"}@{text
+ "name"}@{verbatim ".tex"} if that file exists; otherwise the common
+ @{verbatim "document/root.tex"} is used.
+
+ \medskip The @{verbatim "-g"} option produces images of the theory
+ dependency graph (cf.\ \secref{sec:browse}) for inclusion in the
+ generated document, both as @{verbatim session_graph.eps} and
+ @{verbatim session_graph.pdf} at the same time. To include this in
+ the final {\LaTeX} document one could say @{verbatim
+ "\\includegraphics{session_graph}"} in @{verbatim
+ "document/root.tex"} (omitting the file-name extension enables
+ {\LaTeX} to select to correct version, either for the DVI or PDF
+ output path).
+
+ \medskip The @{verbatim "-D"} option causes the generated document
+ sources to be dumped at location @{verbatim PATH}; this path is
+ relative to the session's main directory. If the @{verbatim "-C"}
+ option is true, this will include a copy of an existing @{verbatim
+ document} directory as provided by the user. For example, @{tool
+ usedir}~@{verbatim "-D generated HOL Foo"} produces a complete set
+ of document sources at @{verbatim "Foo/generated"}. Subsequent
+ invocation of @{tool document}~@{verbatim "Foo/generated"} (see also
+ \secref{sec:tool-document}) will process the final result
+ independently of an Isabelle job. This decoupled mode of operation
+ facilitates debugging of serious {\LaTeX} errors, for example.
+
+ \medskip The @{verbatim "-p"} option determines the level of detail
+ for internal proof objects, see also the \emph{Isabelle Reference
+ Manual}~\cite{isabelle-ref}.
+
+ \medskip The @{verbatim "-q"} option specifies the level of parallel
+ proof checking: @{verbatim 0} no proofs, @{verbatim 1} toplevel
+ proofs (default), @{verbatim 2} toplevel and nested Isar proofs.
+ The option @{verbatim "-Q"} specifies a threshold for @{verbatim
+ "-q2"}: nested proofs are only parallelized when the current number
+ of forked proofs falls below the given value (default 50),
+ multiplied by the number of worker threads (see option @{verbatim
+ "-M"}).
+
+ \medskip The @{verbatim "-t"} option produces a more detailed
+ internal timing report of the session.
+
+ \medskip The @{verbatim "-v"} option causes additional information
+ to be printed while running the session, notably the location of
+ prepared documents.
+
+ \medskip The @{verbatim "-M"} option specifies the maximum number of
+ parallel worker threads used for processing independent tasks when
+ checking theory sources (multithreading only works on suitable ML
+ platforms). The special value of @{verbatim 0} or @{verbatim max}
+ refers to the number of actual CPU cores of the underlying machine,
+ which is a good starting point for optimal performance tuning. The
+ @{verbatim "-T"} option determines the level of detail in tracing
+ output concerning the internal locking and scheduling in
+ multithreaded operation. This may be helpful in isolating
+ performance bottle-necks, e.g.\ due to excessive wait states when
+ locking critical code sections.
+
+ \medskip Any @{tool usedir} session is named by some \emph{session
+ identifier}. These accumulate, documenting the way sessions depend
+ on others. For example, consider @{verbatim "Pure/FOL/ex"}, which
+ refers to the examples of FOL, which in turn is built upon Pure.
+
+ The current session's identifier is by default just the base name of
+ the @{verbatim LOGIC} argument (in build mode), or of the @{verbatim
+ NAME} argument (in example mode). This may be overridden explicitly
+ via the @{verbatim "-s"} option.
+*}
+
+
+section {* Output the version identifier of the Isabelle distribution *}
+
+text {*
+ The @{tool_def version} tool displays Isabelle version information:
+\begin{ttbox}
+Usage: isabelle version [OPTIONS]
+
+ Options are:
+ -i short identification (derived from Mercurial id)
+
+ Display Isabelle version information.
+\end{ttbox}
+
+ \medskip The default is to output the full version string of the
+ Isabelle distribution, e.g.\ ``@{verbatim "Isabelle2012: May 2012"}.
+
+ The @{verbatim "-i"} option produces a short identification derived
+ from the Mercurial id of the @{setting ISABELLE_HOME} directory.
+*}
+
+
+section {* Convert XML to YXML *}
+
+text {*
+ The @{tool_def yxml} tool converts a standard XML document (stdin)
+ to the much simpler and more efficient YXML format of Isabelle
+ (stdout). The YXML format is defined as follows.
+
+ \begin{enumerate}
+
+ \item The encoding is always UTF-8.
+
+ \item Body text is represented verbatim (no escaping, no special
+ treatment of white space, no named entities, no CDATA chunks, no
+ comments).
+
+ \item Markup elements are represented via ASCII control characters
+ @{text "\<^bold>X = 5"} and @{text "\<^bold>Y = 6"} as follows:
+
+ \begin{tabular}{ll}
+ XML & YXML \\\hline
+ @{verbatim "<"}@{text "name attribute"}@{verbatim "="}@{text "value \<dots>"}@{verbatim ">"} &
+ @{text "\<^bold>X\<^bold>Yname\<^bold>Yattribute"}@{verbatim "="}@{text "value\<dots>\<^bold>X"} \\
+ @{verbatim "</"}@{text name}@{verbatim ">"} & @{text "\<^bold>X\<^bold>Y\<^bold>X"} \\
+ \end{tabular}
+
+ There is no special case for empty body text, i.e.\ @{verbatim
+ "<foo/>"} is treated like @{verbatim "<foo></foo>"}. Also note that
+ @{text "\<^bold>X"} and @{text "\<^bold>Y"} may never occur in
+ well-formed XML documents.
+
+ \end{enumerate}
+
+ Parsing YXML is pretty straight-forward: split the text into chunks
+ separated by @{text "\<^bold>X"}, then split each chunk into
+ sub-chunks separated by @{text "\<^bold>Y"}. Markup chunks start
+ with an empty sub-chunk, and a second empty sub-chunk indicates
+ close of an element. Any other non-empty chunk consists of plain
+ text. For example, see @{file "~~/src/Pure/PIDE/yxml.ML"} or
+ @{file "~~/src/Pure/PIDE/yxml.scala"}.
+
+ YXML documents may be detected quickly by checking that the first
+ two characters are @{text "\<^bold>X\<^bold>Y"}.
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Presentation.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,319 @@
+theory Presentation
+imports Base
+begin
+
+chapter {* Presenting theories \label{ch:present} *}
+
+text {* Isabelle provides several ways to present the outcome of
+ formal developments, including WWW-based browsable libraries or
+ actual printable documents. Presentation is centered around the
+ concept of \emph{sessions} (\chref{ch:session}). The global session
+ structure is that of a tree, with Isabelle Pure at its root, further
+ object-logics derived (e.g.\ HOLCF from HOL, and HOL from Pure), and
+ application sessions further on in the hierarchy.
+
+ The tools @{tool_ref mkroot} and @{tool_ref build} provide the
+ primary means for managing Isabelle sessions, including proper setup
+ for presentation; @{tool build} takes care to have @{executable_ref
+ "isabelle-process"} run any additional stages required for document
+ preparation, notably the @{tool_ref document} and @{tool_ref latex}.
+ The complete tool chain for managing batch-mode Isabelle sessions is
+ illustrated in \figref{fig:session-tools}.
+
+ \begin{figure}[htbp]
+ \begin{center}
+ \begin{tabular}{lp{0.6\textwidth}}
+
+ @{tool_ref mkroot} & invoked once by the user to initialize the
+ session @{verbatim ROOT} with optional @{verbatim document}
+ directory; \\
+
+ @{tool_ref build} & invoked repeatedly by the user to keep
+ session output up-to-date (HTML, documents etc.); \\
+
+ @{executable "isabelle-process"} & run through @{tool_ref
+ build}; \\
+
+ @{tool_ref document} & run by the Isabelle process if document
+ preparation is enabled; \\
+
+ @{tool_ref latex} & universal {\LaTeX} tool wrapper invoked
+ multiple times by @{tool_ref document}; also useful for manual
+ experiments; \\
+
+ \end{tabular}
+ \caption{The tool chain of Isabelle session presentation} \label{fig:session-tools}
+ \end{center}
+ \end{figure}
+*}
+
+
+section {* Generating theory browser information \label{sec:info} *}
+
+text {*
+ \index{theory browsing information|bold}
+
+ As a side-effect of building sessions, Isabelle is able to generate
+ theory browsing information, including HTML documents that show the
+ theory sources and the relationship with its ancestors and
+ descendants. Besides the HTML file that is generated for every
+ theory, Isabelle stores links to all theories in an index
+ file. These indexes are linked with other indexes to represent the
+ overall tree structure of the sessions.
+
+ Isabelle also generates graph files that represent the theory
+ dependencies within a session. There is a graph browser Java applet
+ embedded in the generated HTML pages, and also a stand-alone
+ application that allows browsing theory graphs without having to
+ start a WWW client first. The latter version also includes features
+ such as generating Postscript files, which are not available in the
+ applet version. See \secref{sec:browse} for further information.
+
+ \medskip
+
+ The easiest way to let Isabelle generate theory browsing information
+ for existing sessions is to invoke @{tool build} with suitable
+ options:
+
+\begin{ttbox}
+isabelle build -o browser_info -v -c FOL
+\end{ttbox}
+
+ The presentation output will appear in @{verbatim
+ "$ISABELLE_BROWSER_INFO/FOL"} as reported by the above verbose
+ invocation of the build process.
+
+ Many Isabelle sessions (such as @{verbatim "HOL-Library"} in @{file
+ "~~/src/HOL/Library"}) also provide actual printable documents.
+ These are prepared automatically as well if enabled like this:
+\begin{ttbox}
+isabelle build -o browser_info -o document=pdf -v -c HOL-Library
+\end{ttbox}
+
+ Enabling both browser info and document preparation simultaneously
+ causes an appropriate ``document'' link to be included in the HTML
+ index. Documents may be generated independently of browser
+ information as well, see \secref{sec:tool-document} for further
+ details.
+
+ \bigskip The theory browsing information is stored in a
+ sub-directory directory determined by the @{setting_ref
+ ISABELLE_BROWSER_INFO} setting plus a prefix corresponding to the
+ session identifier (according to the tree structure of sub-sessions
+ by default). In order to present Isabelle applications on the web,
+ the corresponding subdirectory from @{setting ISABELLE_BROWSER_INFO}
+ can be put on a WWW server.
+*}
+
+section {* Preparing session root directories \label{sec:tool-mkroot} *}
+
+text {* The @{tool_def mkroot} tool configures a given directory as
+ session root, with some @{verbatim ROOT} file and optional document
+ source directory. Its usage is:
+\begin{ttbox}
+Usage: isabelle mkroot [OPTIONS] [DIR]
+
+ Options are:
+ -d enable document preparation
+ -n NAME alternative session name (default: DIR base name)
+
+ Prepare session root DIR (default: current directory).
+\end{ttbox}
+
+ The results are placed in the given directory @{text dir}, which
+ refers to the current directory by default. The @{tool mkroot} tool
+ is conservative in the sense that it does not overwrite existing
+ files or directories. Earlier attempts to generate a session root
+ need to be deleted manually.
+
+ \medskip Option @{verbatim "-d"} indicates that the session shall be
+ accompanied by a formal document, with @{text dir}@{verbatim
+ "/document/root.tex"} as its {\LaTeX} entry point (see also
+ \chref{ch:present}).
+
+ Option @{verbatim "-n"} allows to specify an alternative session
+ name; otherwise the base name of the given directory is used.
+
+ \medskip The implicit Isabelle settings variable @{setting
+ ISABELLE_LOGIC} specifies the parent session, and @{setting
+ ISABELLE_DOCUMENT_FORMAT} the document format to be filled filled
+ into the generated @{verbatim ROOT} file. *}
+
+
+subsubsection {* Examples *}
+
+text {* Produce session @{verbatim Test} (with document preparation)
+ within a separate directory of the same name:
+\begin{ttbox}
+isabelle mkroot -d Test && isabelle build -D Test
+\end{ttbox}
+
+ \medskip Upgrade the current directory into a session ROOT with
+ document preparation, and build it:
+\begin{ttbox}
+isabelle mkroot -d && isabelle build -D .
+\end{ttbox}
+*}
+
+
+section {* Preparing Isabelle session documents
+ \label{sec:tool-document} *}
+
+text {* The @{tool_def document} tool prepares logic session
+ documents, processing the sources both as provided by the user and
+ generated by Isabelle. Its usage is:
+\begin{ttbox}
+Usage: isabelle document [OPTIONS] [DIR]
+
+ Options are:
+ -c cleanup -- be aggressive in removing old stuff
+ -n NAME specify document name (default 'document')
+ -o FORMAT specify output format: dvi (default), dvi.gz, ps,
+ ps.gz, pdf
+ -t TAGS specify tagged region markup
+
+ Prepare the theory session document in DIR (default 'document')
+ producing the specified output format.
+\end{ttbox}
+ This tool is usually run automatically as part of the Isabelle build
+ process, provided document preparation has been enabled via suitable
+ options. It may be manually invoked on the generated browser
+ information document output as well, e.g.\ in case of errors
+ encountered in the batch run.
+
+ \medskip The @{verbatim "-c"} option tells @{tool document} to
+ dispose the document sources after successful operation! This is
+ the right thing to do for sources generated by an Isabelle process,
+ but take care of your files in manual document preparation!
+
+ \medskip The @{verbatim "-n"} and @{verbatim "-o"} option specify
+ the final output file name and format, the default is ``@{verbatim
+ document.dvi}''. Note that the result will appear in the parent of
+ the target @{verbatim DIR}.
+
+ \medskip The @{verbatim "-t"} option tells {\LaTeX} how to interpret
+ tagged Isabelle command regions. Tags are specified as a comma
+ separated list of modifier/name pairs: ``@{verbatim "+"}@{text
+ foo}'' (or just ``@{text foo}'') means to keep, ``@{verbatim
+ "-"}@{text foo}'' to drop, and ``@{verbatim "/"}@{text foo}'' to
+ fold text tagged as @{text foo}. The builtin default is equivalent
+ to the tag specification ``@{verbatim
+ "+theory,+proof,+ML,+visible,-invisible"}''; see also the {\LaTeX}
+ macros @{verbatim "\\isakeeptag"}, @{verbatim "\\isadroptag"}, and
+ @{verbatim "\\isafoldtag"}, in @{file
+ "~~/lib/texinputs/isabelle.sty"}.
+
+ \medskip Document preparation requires a @{verbatim document}
+ directory within the session sources. This directory is supposed to
+ contain all the files needed to produce the final document --- apart
+ from the actual theories which are generated by Isabelle.
+
+ \medskip For most practical purposes, @{tool document} is smart
+ enough to create any of the specified output formats, taking
+ @{verbatim root.tex} supplied by the user as a starting point. This
+ even includes multiple runs of {\LaTeX} to accommodate references
+ and bibliographies (the latter assumes @{verbatim root.bib} within
+ the same directory).
+
+ In more complex situations, a separate @{verbatim build} script for
+ the document sources may be given. It is invoked with command-line
+ arguments for the document format and the document variant name.
+ The script needs to produce corresponding output files, e.g.\
+ @{verbatim root.pdf} for target format @{verbatim pdf} (and default
+ default variants). The main work can be again delegated to @{tool
+ latex}, but it is also possible to harvest generated {\LaTeX}
+ sources and copy them elsewhere, for example.
+
+ \medskip When running the session, Isabelle copies the content of
+ the original @{verbatim document} directory into its proper place
+ within @{setting ISABELLE_BROWSER_INFO}, according to the session
+ path and document variant. Then, for any processed theory @{text A}
+ some {\LaTeX} source is generated and put there as @{text
+ A}@{verbatim ".tex"}. Furthermore, a list of all generated theory
+ files is put into @{verbatim session.tex}. Typically, the root
+ {\LaTeX} file provided by the user would include @{verbatim
+ session.tex} to get a document containing all the theories.
+
+ The {\LaTeX} versions of the theories require some macros defined in
+ @{file "~~/lib/texinputs/isabelle.sty"}. Doing @{verbatim
+ "\\usepackage{isabelle}"} in @{verbatim root.tex} should be fine;
+ the underlying @{tool latex} already includes an appropriate path
+ specification for {\TeX} inputs.
+
+ If the text contains any references to Isabelle symbols (such as
+ @{verbatim "\\"}@{verbatim "<forall>"}) then @{verbatim
+ "isabellesym.sty"} should be included as well. This package
+ contains a standard set of {\LaTeX} macro definitions @{verbatim
+ "\\isasym"}@{text foo} corresponding to @{verbatim "\\"}@{verbatim
+ "<"}@{text foo}@{verbatim ">"}, see \cite{isabelle-implementation} for a
+ complete list of predefined Isabelle symbols. Users may invent
+ further symbols as well, just by providing {\LaTeX} macros in a
+ similar fashion as in @{file "~~/lib/texinputs/isabellesym.sty"} of
+ the distribution.
+
+ For proper setup of DVI and PDF documents (with hyperlinks and
+ bookmarks), we recommend to include @{file
+ "~~/lib/texinputs/pdfsetup.sty"} as well.
+
+ \medskip As a final step of Isabelle document preparation, @{tool
+ document}~@{verbatim "-c"} is run on the resulting copy of the
+ @{verbatim document} directory. Thus the actual output document is
+ built and installed in its proper place. The generated sources are
+ deleted after successful run of {\LaTeX} and friends.
+
+ Some care is needed if the document output location is configured
+ differently, say within a directory whose content is still required
+ afterwards!
+*}
+
+
+section {* Running {\LaTeX} within the Isabelle environment
+ \label{sec:tool-latex} *}
+
+text {* The @{tool_def latex} tool provides the basic interface for
+ Isabelle document preparation. Its usage is:
+\begin{ttbox}
+Usage: isabelle latex [OPTIONS] [FILE]
+
+ Options are:
+ -o FORMAT specify output format: dvi (default), dvi.gz, ps,
+ ps.gz, pdf, bbl, idx, sty, syms
+
+ Run LaTeX (and related tools) on FILE (default root.tex),
+ producing the specified output format.
+\end{ttbox}
+
+ Appropriate {\LaTeX}-related programs are run on the input file,
+ according to the given output format: @{executable latex},
+ @{executable pdflatex}, @{executable dvips}, @{executable bibtex}
+ (for @{verbatim bbl}), and @{executable makeindex} (for @{verbatim
+ idx}). The actual commands are determined from the settings
+ environment (@{setting ISABELLE_LATEX} etc.).
+
+ The @{verbatim sty} output format causes the Isabelle style files to
+ be updated from the distribution. This is useful in special
+ situations where the document sources are to be processed another
+ time by separate tools.
+
+ The @{verbatim syms} output is for internal use; it generates lists
+ of symbols that are available without loading additional {\LaTeX}
+ packages.
+*}
+
+
+subsubsection {* Examples *}
+
+text {* Invoking @{tool latex} by hand may be occasionally useful when
+ debugging failed attempts of the automatic document preparation
+ stage of batch-mode Isabelle. The abortive process leaves the
+ sources at a certain place within @{setting ISABELLE_BROWSER_INFO},
+ see the runtime error message for details. This enables users to
+ inspect {\LaTeX} runs in further detail, e.g.\ like this:
+
+\begin{ttbox}
+ cd ~/.isabelle/IsabelleXXXX/browser_info/HOL/Test/document
+ isabelle latex -o pdf
+\end{ttbox}
+*}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Scala.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,72 @@
+theory Scala
+imports Base
+begin
+
+chapter {* Isabelle/Scala development tools *}
+
+text {* Isabelle/ML and Isabelle/Scala are the two main language
+environments for Isabelle tool implementations. There are some basic
+command-line tools to work with the underlying Java Virtual Machine,
+the Scala toplevel and compiler. Note that Isabelle/jEdit
+(\secref{sec:tool-tty}) provides a Scala Console for interactive
+experimentation within the running application. *}
+
+
+section {* Java Runtime Environment within Isabelle \label{sec:tool-java} *}
+
+text {* The @{tool_def java} tool is a direct wrapper for the Java
+ Runtime Environment, within the regular Isabelle settings
+ environment (\secref{sec:settings}). The command line arguments are
+ that of the underlying Java version. It is run in @{verbatim
+ "-server"} mode if possible, to improve performance (at the cost of
+ extra startup time).
+
+ The @{verbatim java} executable is the one within @{setting
+ ISABELLE_JDK_HOME}, according to the standard directory layout for
+ official JDK distributions. The class loader is augmented such that
+ the name space of @{verbatim "Isabelle/Pure.jar"} is available,
+ which is the main Isabelle/Scala module.
+
+ For example, the following command-line invokes the main method of
+ class @{verbatim isabelle.GUI_Setup}, which opens a windows with
+ some diagnostic information about the Isabelle environment:
+\begin{alltt}
+ isabelle java isabelle.GUI_Setup
+\end{alltt}
+*}
+
+
+section {* Scala toplevel \label{sec:tool-scala} *}
+
+text {* The @{tool_def scala} tool is a direct wrapper for the Scala
+ toplevel; see also @{tool java} above. The command line arguments
+ are that of the underlying Scala version.
+
+ This allows to interact with Isabelle/Scala in TTY mode like this:
+\begin{alltt}
+ isabelle scala
+ scala> isabelle.Isabelle_System.getenv("ISABELLE_HOME")
+ scala> val options = isabelle.Options.init()
+ scala> options.bool("browser_info")
+\end{alltt}
+*}
+
+
+section {* Scala compiler \label{sec:tool-scalac} *}
+
+text {* The @{tool_def scalac} tool is a direct wrapper for the Scala
+ compiler; see also @{tool scala} above. The command line arguments
+ are that of the underlying Scala version.
+
+ This allows to compile further Scala modules, depending on existing
+ Isabelle/Scala functionality. The resulting class or jar files can
+ be added to the @{setting CLASSPATH} via the @{verbatim classpath}
+ Bash function that is provided by the Isabelle process environment.
+ Thus add-on components can register themselves in a modular manner,
+ see also \secref{sec:components}.
+
+ Note that jEdit (\secref{sec:tool-jedit}) has its own mechanisms for
+ adding plugin components, which needs special attention since
+ it overrides the standard Java class loader. *}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/Sessions.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,324 @@
+theory Sessions
+imports Base
+begin
+
+chapter {* Isabelle sessions and build management \label{ch:session} *}
+
+text {* An Isabelle \emph{session} consists of a collection of related
+ theories that may be associated with formal documents (see also
+ \chref{ch:present}). There is also a notion of \emph{persistent
+ heap} image to capture the state of a session, similar to
+ object-code in compiled programming languages. Thus the concept of
+ session resembles that of a ``project'' in common IDE environments,
+ but the specific name emphasizes the connection to interactive
+ theorem proving: the session wraps-up the results of
+ user-interaction with the prover in a persistent form.
+
+ Application sessions are built on a given parent session, which may
+ be built recursively on other parents. Following this path in the
+ hierarchy eventually leads to some major object-logic session like
+ @{text "HOL"}, which itself is based on @{text "Pure"} as the common
+ root of all sessions.
+
+ Processing sessions may take considerable time. Isabelle build
+ management helps to organize this efficiently. This includes
+ support for parallel build jobs, in addition to the multithreaded
+ theory and proof checking that is already provided by the prover
+ process itself. *}
+
+
+section {* Session ROOT specifications \label{sec:session-root} *}
+
+text {* Session specifications reside in files called @{verbatim ROOT}
+ within certain directories, such as the home locations of registered
+ Isabelle components or additional project directories given by the
+ user.
+
+ The ROOT file format follows the lexical conventions of the
+ \emph{outer syntax} of Isabelle/Isar, see also
+ \cite{isabelle-isar-ref}. This defines common forms like
+ identifiers, names, quoted strings, verbatim text, nested comments
+ etc. The grammar for a single @{syntax session_entry} is given as
+ syntax diagram below; each ROOT file may contain multiple session
+ specifications like this.
+
+ Isabelle/jEdit (\secref{sec:tool-jedit}) includes a simple editing
+ mode @{verbatim "isabelle-root"} for session ROOT files.
+
+ @{rail "
+ @{syntax_def session_entry}: @'session' spec '=' (@{syntax name} '+')? body
+ ;
+ body: description? options? ( theories + ) files?
+ ;
+ spec: @{syntax name} groups? dir?
+ ;
+ groups: '(' (@{syntax name} +) ')'
+ ;
+ dir: @'in' @{syntax name}
+ ;
+ description: @'description' @{syntax text}
+ ;
+ options: @'options' opts
+ ;
+ opts: '[' ( (@{syntax name} '=' value | @{syntax name}) + ',' ) ']'
+ ;
+ value: @{syntax name} | @{syntax real}
+ ;
+ theories: @'theories' opts? ( @{syntax name} * )
+ ;
+ files: @'files' ( @{syntax name} + )
+ "}
+
+ \begin{description}
+
+ \item \isakeyword{session}~@{text "A = B + body"} defines a new
+ session @{text "A"} based on parent session @{text "B"}, with its
+ content given in @{text body} (theories and auxiliary source files).
+ Note that a parent (like @{text "HOL"}) is mandatory in practical
+ applications: only Isabelle/Pure can bootstrap itself from nothing.
+
+ All such session specifications together describe a hierarchy (tree)
+ of sessions, with globally unique names. The new session name
+ @{text "A"} should be sufficiently long to stand on its own in a
+ potentially large library.
+
+ \item \isakeyword{session}~@{text "A (groups)"} indicates a
+ collection of groups where the new session is a member. Group names
+ are uninterpreted and merely follow certain conventions. For
+ example, the Isabelle distribution tags some important sessions by
+ the group name called ``@{text "main"}''. Other projects may invent
+ their own conventions, but this requires some care to avoid clashes
+ within this unchecked name space.
+
+ \item \isakeyword{session}~@{text "A"}~\isakeyword{in}~@{text "dir"}
+ specifies an explicit directory for this session; by default this is
+ the current directory of the @{verbatim ROOT} file.
+
+ All theories and auxiliary source files are located relatively to
+ the session directory. The prover process is run within the same as
+ its current working directory.
+
+ \item \isakeyword{description}~@{text "text"} is a free-form
+ annotation for this session.
+
+ \item \isakeyword{options}~@{text "[x = a, y = b, z]"} defines
+ separate options (\secref{sec:system-options}) that are used when
+ processing this session, but \emph{without} propagation to child
+ sessions. Note that @{text "z"} abbreviates @{text "z = true"} for
+ Boolean options.
+
+ \item \isakeyword{theories}~@{text "options names"} specifies a
+ block of theories that are processed within an environment that is
+ augmented by the given options, in addition to the global session
+ options given before. Any number of blocks of \isakeyword{theories}
+ may be given. Options are only active for each
+ \isakeyword{theories} block separately.
+
+ \item \isakeyword{files}~@{text "files"} lists additional source
+ files that are involved in the processing of this session. This
+ should cover anything outside the formal content of the theory
+ sources, say some auxiliary {\TeX} files that are required for
+ document processing. In contrast, files that are specified in
+ formal theory headers as @{keyword "uses"} need not be declared
+ again.
+
+ \end{description}
+*}
+
+subsubsection {* Examples *}
+
+text {* See @{file "~~/src/HOL/ROOT"} for a diversity of practically
+ relevant situations, but it uses relatively complex quasi-hierarchic
+ naming conventions like @{text "HOL\<dash>SPARK"}, @{text
+ "HOL\<dash>SPARK\<dash>Examples"}. An alternative is to use
+ unqualified names that are relatively long and descriptive, as in
+ the Archive of Formal Proofs (\url{http://afp.sf.net}), for
+ example. *}
+
+
+section {* System build options \label{sec:system-options} *}
+
+text {* See @{file "~~/etc/options"} for the main defaults provided by
+ the Isabelle distribution. Isabelle/jEdit (\secref{sec:tool-jedit})
+ includes a simple editing mode @{verbatim "isabelle-options"} for
+ this file-format.
+
+ The @{tool_def options} tool prints Isabelle system options. Its
+ command-line usage is:
+\begin{ttbox}
+Usage: isabelle options [OPTIONS] [MORE_OPTIONS ...]
+
+ Options are:
+ -b include $ISABELLE_BUILD_OPTIONS
+ -x FILE export to FILE in YXML format
+
+ Print Isabelle system options, augmented by MORE_OPTIONS given as
+ arguments NAME=VAL or NAME.
+\end{ttbox}
+
+ The command line arguments provide additional system options of the
+ form @{text "name"}@{verbatim "="}@{text "value"} or @{text name}
+ for Boolean options.
+
+ Option @{verbatim "-b"} augments the implicit environment of system
+ options by the ones of @{setting ISABELLE_BUILD_OPTIONS}, cf.\
+ \secref{sec:tool-build}.
+
+ Option @{verbatim "-x"} specifies a file to export the result in
+ YXML format, instead of printing it in human-readable form.
+*}
+
+
+section {* Invoking the build process \label{sec:tool-build} *}
+
+text {* The @{tool_def build} tool invokes the build process for
+ Isabelle sessions. It manages dependencies between sessions,
+ related sources of theories and auxiliary files, and target heap
+ images. Accordingly, it runs instances of the prover process with
+ optional document preparation. Its command-line usage
+ is:\footnote{Isabelle/Scala provides the same functionality via
+ \texttt{isabelle.Build.build}.}
+\begin{ttbox}
+Usage: isabelle build [OPTIONS] [SESSIONS ...]
+
+ Options are:
+ -D DIR include session directory and select its sessions
+ -a select all sessions
+ -b build heap images
+ -c clean build
+ -d DIR include session directory
+ -g NAME select session group NAME
+ -j INT maximum number of parallel jobs (default 1)
+ -l list session source files
+ -n no build -- test dependencies only
+ -o OPTION override session configuration OPTION
+ (via NAME=VAL or NAME)
+ -s system build mode: produce output in ISABELLE_HOME
+ -v verbose
+
+ Build and manage Isabelle sessions, depending on implicit
+ ISABELLE_BUILD_OPTIONS="..."
+
+ ML_PLATFORM="..."
+ ML_HOME="..."
+ ML_SYSTEM="..."
+ ML_OPTIONS="..."
+\end{ttbox}
+
+ \medskip Isabelle sessions are defined via session ROOT files as
+ described in (\secref{sec:session-root}). The totality of sessions
+ is determined by collecting such specifications from all Isabelle
+ component directories (\secref{sec:components}), augmented by more
+ directories given via options @{verbatim "-d"}~@{text "DIR"} on the
+ command line. Each such directory may contain a session
+ \texttt{ROOT} file with several session specifications.
+
+ Any session root directory may refer recursively to further
+ directories of the same kind, by listing them in a catalog file
+ @{verbatim "ROOTS"} line-by-line. This helps to organize large
+ collections of session specifications, or to make @{verbatim "-d"}
+ command line options persistent (say within @{verbatim
+ "$ISABELLE_HOME_USER/ROOTS"}).
+
+ \medskip The subset of sessions to be managed is determined via
+ individual @{text "SESSIONS"} given as command-line arguments, or
+ session groups that are given via one or more options @{verbatim
+ "-g"}~@{text "NAME"}. Option @{verbatim "-a"} selects all sessions.
+ The build tool takes session dependencies into account: the set of
+ selected sessions is completed by including all ancestors.
+
+ \medskip Option @{verbatim "-D"} is similar to @{verbatim "-d"}, but
+ selects all sessions that are defined in the given directories.
+
+ \medskip The build process depends on additional options
+ (\secref{sec:system-options}) that are passed to the prover
+ eventually. The settings variable @{setting_ref
+ ISABELLE_BUILD_OPTIONS} allows to provide additional defaults, e.g.\
+ \texttt{ISABELLE_BUILD_OPTIONS="document=pdf threads=4"}. Moreover,
+ the environment of system build options may be augmented on the
+ command line via @{verbatim "-o"}~@{text "name"}@{verbatim
+ "="}@{text "value"} or @{verbatim "-o"}~@{text "name"}, which
+ abbreviates @{verbatim "-o"}~@{text "name"}@{verbatim"=true"} for
+ Boolean options. Multiple occurrences of @{verbatim "-o"} on the
+ command-line are applied in the given order.
+
+ \medskip Option @{verbatim "-b"} ensures that heap images are
+ produced for all selected sessions. By default, images are only
+ saved for inner nodes of the hierarchy of sessions, as required for
+ other sessions to continue later on.
+
+ \medskip Option @{verbatim "-c"} cleans all descendants of the
+ selected sessions before performing the specified build operation.
+
+ \medskip Option @{verbatim "-n"} omits the actual build process
+ after the preparatory stage (including optional cleanup). Note that
+ the return code always indicates the status of the set of selected
+ sessions.
+
+ \medskip Option @{verbatim "-j"} specifies the maximum number of
+ parallel build jobs (prover processes). Each prover process is
+ subject to a separate limit of parallel worker threads, cf.\ system
+ option @{system_option_ref threads}.
+
+ \medskip Option @{verbatim "-s"} enables \emph{system mode}, which
+ means that resulting heap images and log files are stored in
+ @{verbatim "$ISABELLE_HOME/heaps"} instead of the default location
+ @{setting ISABELLE_OUTPUT} (which is normally in @{setting
+ ISABELLE_HOME_USER}, i.e.\ the user's home directory).
+
+ \medskip Option @{verbatim "-v"} increases the general level of
+ verbosity. Option @{verbatim "-l"} lists the source files that
+ contribute to a session.
+*}
+
+subsubsection {* Examples *}
+
+text {*
+ Build a specific logic image:
+\begin{ttbox}
+isabelle build -b HOLCF
+\end{ttbox}
+
+ \smallskip Build the main group of logic images:
+\begin{ttbox}
+isabelle build -b -g main
+\end{ttbox}
+
+ \smallskip Provide a general overview of the status of all Isabelle
+ sessions, without building anything:
+\begin{ttbox}
+isabelle build -a -n -v
+\end{ttbox}
+
+ \smallskip Build all sessions with HTML browser info and PDF
+ document preparation:
+\begin{ttbox}
+isabelle build -a -o browser_info -o document=pdf
+\end{ttbox}
+
+ \smallskip Build all sessions with a maximum of 8 parallel prover
+ processes and 4 worker threads each (on a machine with many cores):
+\begin{ttbox}
+isabelle build -a -j8 -o threads=4
+\end{ttbox}
+
+ \smallskip Build some session images with cleanup of their
+ descendants, while retaining their ancestry:
+\begin{ttbox}
+isabelle build -b -c HOL-Boogie HOL-SPARK
+\end{ttbox}
+
+ \smallskip Clean all sessions without building anything:
+\begin{ttbox}
+isabelle build -a -n -c
+\end{ttbox}
+
+ \smallskip Build all sessions from some other directory hierarchy,
+ according to the settings variable @{verbatim "AFP"} that happens to
+ be defined inside the Isabelle environment:
+\begin{ttbox}
+isabelle build -D '$AFP'
+\end{ttbox}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/document/browser_screenshot.eps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,11222 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%Creator: (ImageMagick)
+%%Title: (/home/makarius/isabelle/src/Doc/System/browser_screenshot.eps)
+%%CreationDate: (Tue Sep 16 13:50:28 2008)
+%%BoundingBox: 0 0 458 269
+%%HiResBoundingBox: 0 0 458.484 269
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 1
+%%Pages: 1
+%%EndComments
+
+%%BeginDefaults
+%%EndDefaults
+
+%%BeginProlog
+%
+% Display a color image. The image is displayed in color on
+% Postscript viewers or printers that support color, otherwise
+% it is displayed as grayscale.
+%
+/DirectClassPacket
+{
+ %
+ % Get a DirectClass packet.
+ %
+ % Parameters:
+ % red.
+ % green.
+ % blue.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile color_packet readhexstring pop pop
+ compression 0 eq
+ {
+ /number_pixels 3 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add 3 mul def
+ } ifelse
+ 0 3 number_pixels 1 sub
+ {
+ pixels exch color_packet putinterval
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/DirectClassImage
+{
+ %
+ % Display a DirectClass image.
+ %
+ systemdict /colorimage known
+ {
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { DirectClassPacket } false 3 colorimage
+ }
+ {
+ %
+ % No colorimage operator; convert to grayscale.
+ %
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { GrayDirectClassPacket } image
+ } ifelse
+} bind def
+
+/GrayDirectClassPacket
+{
+ %
+ % Get a DirectClass packet; convert to grayscale.
+ %
+ % Parameters:
+ % red
+ % green
+ % blue
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile color_packet readhexstring pop pop
+ color_packet 0 get 0.299 mul
+ color_packet 1 get 0.587 mul add
+ color_packet 2 get 0.114 mul add
+ cvi
+ /gray_packet exch def
+ compression 0 eq
+ {
+ /number_pixels 1 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add def
+ } ifelse
+ 0 1 number_pixels 1 sub
+ {
+ pixels exch gray_packet put
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/GrayPseudoClassPacket
+{
+ %
+ % Get a PseudoClass packet; convert to grayscale.
+ %
+ % Parameters:
+ % index: index into the colormap.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile byte readhexstring pop 0 get
+ /offset exch 3 mul def
+ /color_packet colormap offset 3 getinterval def
+ color_packet 0 get 0.299 mul
+ color_packet 1 get 0.587 mul add
+ color_packet 2 get 0.114 mul add
+ cvi
+ /gray_packet exch def
+ compression 0 eq
+ {
+ /number_pixels 1 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add def
+ } ifelse
+ 0 1 number_pixels 1 sub
+ {
+ pixels exch gray_packet put
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/PseudoClassPacket
+{
+ %
+ % Get a PseudoClass packet.
+ %
+ % Parameters:
+ % index: index into the colormap.
+ % length: number of pixels minus one of this color (optional).
+ %
+ currentfile byte readhexstring pop 0 get
+ /offset exch 3 mul def
+ /color_packet colormap offset 3 getinterval def
+ compression 0 eq
+ {
+ /number_pixels 3 def
+ }
+ {
+ currentfile byte readhexstring pop 0 get
+ /number_pixels exch 1 add 3 mul def
+ } ifelse
+ 0 3 number_pixels 1 sub
+ {
+ pixels exch color_packet putinterval
+ } for
+ pixels 0 number_pixels getinterval
+} bind def
+
+/PseudoClassImage
+{
+ %
+ % Display a PseudoClass image.
+ %
+ % Parameters:
+ % class: 0-PseudoClass or 1-Grayscale.
+ %
+ currentfile buffer readline pop
+ token pop /class exch def pop
+ class 0 gt
+ {
+ currentfile buffer readline pop
+ token pop /depth exch def pop
+ /grays columns 8 add depth sub depth mul 8 idiv string def
+ columns rows depth
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { currentfile grays readhexstring pop } image
+ }
+ {
+ %
+ % Parameters:
+ % colors: number of colors in the colormap.
+ % colormap: red, green, blue color packets.
+ %
+ currentfile buffer readline pop
+ token pop /colors exch def pop
+ /colors colors 3 mul def
+ /colormap colors string def
+ currentfile colormap readhexstring pop pop
+ systemdict /colorimage known
+ {
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { PseudoClassPacket } false 3 colorimage
+ }
+ {
+ %
+ % No colorimage operator; convert to grayscale.
+ %
+ columns rows 8
+ [
+ columns 0 0
+ rows neg 0 rows
+ ]
+ { GrayPseudoClassPacket } image
+ } ifelse
+ } ifelse
+} bind def
+
+/DisplayImage
+{
+ %
+ % Display a DirectClass or PseudoClass image.
+ %
+ % Parameters:
+ % x & y translation.
+ % x & y scale.
+ % label pointsize.
+ % image label.
+ % image columns & rows.
+ % class: 0-DirectClass or 1-PseudoClass.
+ % compression: 0-none or 1-RunlengthEncoded.
+ % hex color packets.
+ %
+ gsave
+ /buffer 512 string def
+ /byte 1 string def
+ /color_packet 3 string def
+ /pixels 768 string def
+
+ currentfile buffer readline pop
+ token pop /x exch def
+ token pop /y exch def pop
+ x y translate
+ currentfile buffer readline pop
+ token pop /x exch def
+ token pop /y exch def pop
+ currentfile buffer readline pop
+ token pop /pointsize exch def pop
+ /Times-Roman findfont pointsize scalefont setfont
+ x y scale
+ currentfile buffer readline pop
+ token pop /columns exch def
+ token pop /rows exch def pop
+ currentfile buffer readline pop
+ token pop /class exch def pop
+ currentfile buffer readline pop
+ token pop /compression exch def pop
+ class 0 gt { PseudoClassImage } { DirectClassImage } ifelse
+ grestore
+} bind def
+%%EndProlog
+%%Page: 1 1
+%%PageBoundingBox: 0 0 458 269
+userdict begin
+DisplayImage
+0 0
+458.484 269.21
+12.000000
+818 481
+1
+0
+0
+12
+000000
+797979
+7F7F7F
+FF0000
+00FF00
+0000FF
+808080
+C0C0C0
+DFDFDF
+E0E0E0
+F2F2F2
+FFFFFF
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A
+0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A0A080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808020A08080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808020A0808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808020A080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808020A08080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808020A0808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08020A080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808020A08080808080808
+080808000000000808000808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808020A0808080808080808080800080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808020A080808080808080808080008080808080008080008080800000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808020A08
+080808080808080808000808080808000808000808000808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808020A0808080808080808080800
+000000080800080800080800080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808020A080808080808080808080008080808080008080008
+080000000000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808020A08080808080808080808000808080808000808000808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808020A0808080808
+080808080800080808080800080800080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808020A080808080808080808080008080808
+080008080008080800000000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808020A08080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080802
+0A0808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808020A080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808020A08080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808020A0808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808020A080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808020A08080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808020A0202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020202020202020202020202020202020202020202020202020202020202020202020202
+020208080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080809090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090808080808080808080809090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090808080808080808080909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090906080808080808
+080808080909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090906
+080808080808080808090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909060608080808080808080808090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909090909090909090909090909
+090909090909090909090909090909090909090909090909060608080808080808080809
+090908080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080606060808080808080808080809090908080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080606060808080808080808080909090801010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010B08060606
+080808080808080808080909090801010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010101010101010101010101010101010101010101010101010101010101010101010101
+010B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080804040404040404040404040808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080804040404040404040404080808080808080000000000080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080804040404040404040808080808080808000808080800080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080804040404040408
+080808080808080800080808080008080800000008080808000000080800000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080404040404080808080808080808080008
+080800080808000808080008080008080800080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080404040808080808080808080808000000000808080800080808
+000808000808080008080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080408080808080808080808080800080800080808080008080800080800080808000808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080008080800080808000808080008080008080800080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808000808080800
+080800080808000808000808080008080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080800080808080800080800000008080808
+000000080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080007070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000707070707070707070707070707070707070707
+070707070707070707070707030307070303030307070707070707070707070707070707
+070707070707030307070707070707070707070707070707070707070707070707070707
+070707070700080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800070707070707070707070707070707070707070707070707070707070707
+070703070707030707070307070707070707070707070707070707070707070707030707
+070707070707070707070707070707070707070707070707070707070707070008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707070707070307070703070707
+030707030707070307070307030307070303030707070703070707070707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808030308080808080808080808080808080808000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070707070707030707070307070703070703070707030707
+030307070703070707030707070307070707070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080803
+030308080808080808080808080808080800080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800070707070707070707070707070707070707070707070707
+070707070707070703070707030303030707070307070703070703070707070307070703
+070707030707070707070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080303030303080808080808
+080808080808080008080800080800080808000808000800000808000000080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080007070707070707070707070707070707070707070707070707070707070707070307
+070703070707070707030707070307070307070707030303030307070703070707070707
+070707070707070707070707070707070707070707070707070707000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808030303030303080808080808080808080808000808
+080008080008080800080800000808080008080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000707070707070707
+070707070707070707070707070707070707070707070707030707070307070707070703
+070707030707030707070703070707070707070307070707070707070707070707070707
+070707070707070707070707070707070700080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080803030303030303080808080808080808080800000000080808000808080008
+080008080808000808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800070707070707070707070707070707070707
+070707070707070707070707070703070707030707070707070307070303070703070707
+070307070707070707030707070707070707070707070707070707070707070707070707
+070707070707070008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080303030303
+030808080808080808080808080008080808080800080808000808000808080800000000
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080007070707070707070707070707070707070707070707070707070707
+070707070307070703070707070707070303070307070307070707070303030307070703
+070707070707070707070707070707070707070707070707070707070707070707000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808030303030308080808080808080808
+080808000808080808080008080800080800080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000707
+070707070707070707070707070707070707070707070707070707070707030707070707
+070707070707070707070707070707070707070707070707070307070707070707070707
+070707070707070707070707070707070707070707070700080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080803030303080808080808080808080808080800080808080808
+000808000008080008080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800070707070707070707070707
+070707070707070707070707070707070707070703030707070707070707070707070707
+070707070707070707070707070703030707070707070707070707070707070707070707
+070707070707070707070707070008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080303030808080808080808080808080808080008080808080808000008000808000808
+080808000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080007070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808030308080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070700080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080303080808080808080808
+080808080808080008080808080008080808000000080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808030303080808080808080808080808080808000808
+080808000808080008080800080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080803030303030808080808080808080808080800080808080800080800080808
+080800080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080303030303
+030808080808080808080808080008080808080008080008080808080008080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808030303030303030808080808080808
+080808000000000000000808000808080808000808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080803030303030308080808080808080808080800080808080800
+080800080808080800080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080303030303080808080808080808080808080008080808080008080008080808080008
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808030303030808080808
+080808080808080808000808080808000808080008080800080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080803030308080808080808080808080808080800
+080808080800080808080000000808080800000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080303080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808040404040404040404040408080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808040404040404040404040808080808080800080808080808080808080808
+080808080808080808080800080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808040404
+040404040408080808080808080008080808080808080808080808080808080808080808
+080008080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808040404040404080808080808
+080808000808080808080000000808080008000008080000080808000800000008080808
+000000080008080800000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080804040404040808080808080808080800080808080800
+080808000808000008080000080800080800000808080008080008080800000808000808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080804040408080808080808080808080008080808080808080800080800080808
+000808080008080008080808000808000808080800080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080804080808
+080808080808080808000808080808080000000008080008080800080808000808000808
+080800080800080808080008080800000000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080800080808000808000808080008080800080800080808080008080008080808
+000808000808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080008080800
+080800080808000808080008080000080808000808000808080000080800080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000008080000000000080008080800080808
+000808000800000008080808000000080008080800000000000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080007070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000707070707070707070707070707070707070707
+070707070707070707070707070303070703070707070703070707070303030707070703
+070707070703030707070707070707070707070707070707070707070707070707070707
+070707070700080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800070707070707070707070707070707070707070707070707070707070707
+070707030707070307070707070307070703070707030707070307070707070703070707
+070707070707070707070707070707070707070707070707070707070707070008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707070707070703070707030707
+070707030707030707070707030707030707070707070307070707070707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070707070707070307070703070707070703070703070707
+070703070703070707070707030707070707070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800070707070707070707070707070707070707070707070707
+070707070707070707030707070303030303030307070307070707070307070307070707
+070703070707070707070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080007070707070707070707070707070707070707070707070707070707070707070703
+070707030707070707030707030707070707030707030707070707070307070707070707
+070707070707070707070707070707070707070707070707070707000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000707070707070707
+070707070707070707070707070707070707070707070707070307070703070707070703
+070703070707070703070703070707070707030707070707070707070707070707070707
+070707070707070707070707070707070700080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800070707070707070707070707070707070707
+070707070707070707070707070707030707070307070707070307070703070707030707
+070307070707070703070707070707070707070707070707070707070707070707070707
+070707070707070008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080007070707070707070707070707070707070707070707070707070707
+070707070703070707030707070707030707070703030307070707030303030307070307
+070707070707070707070707070707070707070707070707070707070707070707000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505080808080808080808080808080808080808000000000808080808080808
+080808080808000808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000707
+070707070707070707070707070707070707070707070707070707070707070307070707
+070707070707070707070707070707070707070707070707030707070707070707070707
+070707070707070707070707070707070707070707070700080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050505080808
+080808080808080808080808080008080808080808080808080808080808080800080808
+080808080808080808080808000808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800070707070707070707070707
+070707070707070707070707070707070707070707030307070707070707070707070707
+070707070707070707070707070303070707070707070707070707070707070707070707
+070707070707070707070707070008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050505050808080808080808080808
+080800080808080808080800000008080808000000080008080800000008080808080808
+080800080800080000080800000008080800000008080808000000000808080000000808
+080008000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080007070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050505050808080808080808080808080008080808080808
+000808080008080008080800000808000808080008080808080808080008080000080800
+080800080808000808080008080008080800080800080808000808000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070700080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505050505050808080808080808080808000808080808080800080808000808000808
+080800080800080808000808080808080808000808000808080008080008080800080808
+000808000808080008080008080800080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050505050508080808
+080808080808080800080808080808080008080800080800080808080008080000000000
+080808080808080800080800080808000808000808080000000000080800080808000808
+000000000008080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505080808080808080808080808080008
+080808080808000808080008080008080808000808000808080808080808080808080008
+080008080800080800080808000808080808080008080800080800080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000000000800000000000000080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050808080808080808080808080808080008080808080800080808
+000808000808080000080800080808080808080808080808000808000808080008080008
+080800080808080808000808000008080008080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000000000008080800000808080808000008080800000000000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050508
+080808080808080808080808080808080000000008080800000008080808000000080008
+080800000000080808080808080800080800080808000808080008080800000000080808
+000008000808080000000008080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000000000008080808080808000808
+080808080808080008080808080808000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+000008080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000000000008080808080808080808000008080808080808080808080000
+080808080808080808080000000000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000000000008080808
+080808080808080808000008080808080808080808080808080800000808080808080808
+080808080800000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000000000008080808080808080808080808080808080008
+080808080808080808080808080808080808000808080808080808080808080808080808
+000000000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000000
+000008080808080808080808080808080808080808080000080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080000000000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000000000008080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080800000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000000000008080808080808080808080808080808080808080808080808080000
+080808080808080808080808080808080808080808080808080808080800000808080808
+080808080808080808080808080808080808080808000000000000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000000000808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080800000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000808080808080808080808080808080808080808080808
+080808080808080808080800000808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808000000000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808080808080808080808080808080808080808080808
+080808080808080000000000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000000
+000008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050808080808080808080808080808
+080800080808080808080808080808080808080808080808080800080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800000000000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080000000000080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050808080808080808080808080808080008080808080808
+080808080808080808080808080808080008080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505050508080808080808080808080808000808080808080000000808080008000008
+080000080808000800000008080808000000080008080800000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000000000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050505050508080808
+080808080808080800080808080800080808000808000008080000080800080800000808
+080008080008080800000808000808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800000000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000000000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505050508080808080808080808080008
+080808080808080800080800080808000808080008080008080808000808000808080800
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800000000
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050505080808080808080808080808000808080808080000000008
+080008080800080808000808000808080800080800080808080008080800000000080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000000000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050808080808080808080808080800080808080800080808000808000808080008080800
+080800080808080008080008080808000808000808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+000000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050508080808080808080808
+080808080008080808080008080800080800080808000808080008080000080808000808
+000808080000080800080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505080808080808080808080808080808000000000008
+080000000000080008080800080808000808000800000008080808000000080008080800
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000000000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080000080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000000000000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000000000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080000080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000000000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000000000080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080000000000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000000000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080000000000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000000000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080000000000080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080000000000080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000000000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800000000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080000000000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000000000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050508080808080808080808080808080808080800000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080800000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000008080808080808080808080808
+080808080808000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000080808
+080808080808080808080808080808080000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000808080808080808080808080808080808080800000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000008080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050508080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505080808080808080808080808080008
+080808080808080000000808080008000008080000080808000800000808000008080800
+080808000800000008080800000008080000000808000808080000000808080008000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050505080808080808080808080808000808080808080800080808
+000808000008080000080800080800000808000008080008080008080800080800080808
+000808080008080008080800080800080808000808000008080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050505080808080808080808080800080808080808080008080800080800080808000808
+080008080008080800080808000808000808080008080008080808080808000808000808
+080008080008080800080800080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050505050808080808080808
+080808080008080808080808000808080008080008080800080808000808000808080008
+080800080800080808000808000808080800000000080800080808000808000808080008
+080008080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808000707070707070707070707070700000000
+070707070707070707070707070700070707070707070707070707070707000707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070007070707070707070707070707070707
+070707070707070007070707070707070707070700070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070000000007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070007070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+000707070707000707070707070707070707070707000000070707070707070707070707
+070700070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050508080808080808080808080808000808080808
+080800080808000808000808080008080800080800080808000808080008080008080800
+080800080808000808080008080008080800080800080808000808000808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080800070707070707070707070707000707070707070707070707070707
+070707070007070707070707070707070707070700070707070707070707000707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707070707000707070707070707070707070707070707070707070707000707
+070707070707070707070007070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070700070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000707070707070707070700070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070700070707070707070707
+070707070700070707070007070700070707070707070707070707070007070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505080808080808080808080808080808000808080808080008080800080800
+080808000808080008080008080800080808000808000808000008080008080800080808
+000808000808080008080008080800080800080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080007
+070707070707070707070007070707070707070000000707070700000007000707070000
+000707070707070707070007070007000007070000000707070000000707070700000000
+070707000000070707000700000707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070707070700
+070707070707000000070707000700000707000007070700070000000707070700000007
+000707070000000707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707000707070707
+070707000000070707000700000707000007070700070000070700000707070007070700
+070000000707070000000707000000070700070707000000070707000700000707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070007070707070007070700000007000000070700
+070707070700070700070000070700000007000707070000000707070007000007070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050808080808
+080808080808080808080808000000000808080000000808080008080800080808000808
+000808080008080800080808000008000808080008080800000000000808000808000808
+080000000808080008080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808000707070707070707070707
+000707070707070700070707000707000707070000070700070707000707070707070707
+000707000007070007070007070700070707000707000707070007070007070700070700
+000707070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070707070007070707070007070700
+070700000707000007070007070000070707000707000707070000070700070707000707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070700070707070707070007070700070700
+000707000007070007070000070700000707000707000707070007070007070700070707
+000707000707070007070007070700070700000707000707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707000707070707000707000707070707000707070007070707070007070000
+070707000707070000070700070707000707000007070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050508080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080800070707070707070707070700070707070707070007
+070700070700070707070007070007070700070707070707070700070700070707000707
+000707070007070700070700070707000707000707070007070007070707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707070707000707070707070707070007070007070700070707
+000707000707070700070700070707070007070707070700070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070007070707070707000707070007070007070700070707000707
+000707070007070700070700070707000707000707070707070700070700070707000707
+000707070007070007070700070707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070700070707
+070700070700070707070700070707000707070707000707000707070700070707070007
+070007070700070700070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080007070707070707070707070007070707070707000707070007070007070707
+000707000000000007070707070707070007070007070700070700070707000000000007
+070007070700070700000000000707000707070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070707070700070707070707000000000707000707070007070700070700070707070007
+070007070707000707070000000007070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+000707070707070700070707000707000707070007070700070700070707000707070007
+070007070700070700070707070000000007070007070700070700070707000707000707
+070007070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070007070707070007070700000707
+070007070700070707070700070700070707070007070707000707000000000007070007
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808000707070707
+070707070707000707070707070700070707000707000707070700070700070707070707
+070707070707000707000707070007070007070700070707070707000707070007070007
+070707070700070707070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070707070707070707070707070707070007070707
+070007070700070700070707000707070007070007070707000707000707070700070700
+070707000707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070700070707070707070007
+070700070700070707000707070007070007070700070707000707000707070007070007
+070700070707000707000707070007070007070700070700070707000707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707000707070707000707070707000707000707070007070707
+070007070007070707000707070700070700070707070707000707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080800070707070707070707070707000707
+070707070007070700070700070707000007070007070707070707070707070700070700
+070707000707000707070007070707070700070700000707000707070707070007070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070707070707070707070707070707000707070707000707070007070007
+070700070707000707000007070700070700070707000007070007070700070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070700070707070707000707070007070007070700
+070707000707000707070007070700070700070700000707000707070007070700070700
+070707000707000707070007070007070700070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070700070707070700070707070700070700070707070007070700070707000707070700
+070707000007070007070707070700070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080007070707070707070707070707000000000707070000000707
+070700000007000707070000000007070707070707070007070007070700070707000707
+070000000007070700000700070707000000000707000707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070707
+070707070707070707070700000000000707000000000007000707070007070700070700
+070000000707070700000007000707070000000000070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070700000000070707000000070707000707070007070700070700070707
+000707070007070700000700070707000707070000000000070700070700070707000000
+070707000707070007070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070707070707070707070707070000000000070007
+070000000707070700070707070000000707070700070707070700000007000707070000
+000007070007070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000000000707070707070707070707070707070707070707070707070707
+070007070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070700000000070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000808080808080808080808080808080808080800000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000008080808080808080808080808
+080808080808000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000080808
+080808080808080808080808080808080000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505080808080808080808080808080808080000
+000008080808080808080808080808080800000000000808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505080808080808080808080808080808000808080008080808080808
+080808080808080008080808000808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080800000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050808080808080808080808080800080808000808080000000808080008000008000808
+080800080808000000080808080000000800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050505050808080808080808
+080808080008080800080800080808000808000008080800080808000808080008080800
+080800080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080800000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050505050808080808080808080808000000000808
+080808080800080800080808080000000008080808000808080008080008080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505050508080808080808080808080800080808080808080000000008080008
+080808000808000808080800000000000808000808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080800
+000008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050505080808
+080808080808080808080008080808080800080808000808000808080800080808000808
+080008080808080800080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505050808080808080808080808080808
+000808080808080008080800080800080808080008080808000808000808080808080008
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050508080808080808080808080808080800080808080808080000
+000000080008080808000808080808000808000000000808080000000800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080000
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000000080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050808
+080808080808080808080808080800000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050808080808080808080808
+080808080008080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050508080808080808080808080808000808080808
+000000080808000000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800000808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505050508080808080808080808080800080808080808000808080008080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000000080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050505050508
+080808080808080808080000000000080800080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505050505080808080808080808080808
+000808080808080008080808000000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000000080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050505050808080808080808080808080800080808080808000808
+080008080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+050508080808080808080808080808080008080808080800080808000808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050505080808080808080808
+080808080808000000000000080800080808000000000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000008080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000008080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080000080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000008080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080000080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000808080808080808080808080808080808080800000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070700080808080808
+080808080808080808080808080007070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070008080808080808080808080808080808
+080808000707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070700080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080800070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+070707070707070700070707070700070707070707070707070707070707000707070707
+070707070707070707070707070707000707000707070707070707070707070707070707
+070700070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070700000000070707070707070707070707070707000000000007070707070707070707
+070707070700070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050508080808080808080808080808080808000808080808
+000808080808080808080808080808080008080808080808080808080808080808080808
+080008080008080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080007070707070707070007
+070707070707070707070707070007070707070700070707070707070707070707070707
+070707070700070707070707070707070707070707070707000707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080800
+070707070707070707070707070707070707070707070707070707070007070700070707
+070707070707070707070700070707070007070707070707070707070707070007070707
+070707070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050508080808080808080808080808080800080808080808080808080808080800
+080808080808000808080808080808080808080808080808080808000808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000707070707070707000707070707000707070000
+000700000007070707000700070707000700000007070700070000000707070007070007
+070700000007070700000007070000000707000707070000000707070007000007070707
+070707070700080808080808080808080808080808080808080007070707070707070707
+070707070707070707070707070707070707000707070007070700000007070700070000
+070007070707000707070000000707070700000007000707070707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050505080808
+080808080808080808080008080808080008080800000008000000080808080008000808
+080008000000080808000800000008080800080800080808000000080808000000080800
+000008080008080800000008080800080000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800070707070707070700070707070700070700070707070700070707070700
+070007070700000707070007070000070707000707000707000707000707070707000707
+070007070007070700070700070707000707000007070007070707070707070008080808
+080808080808080808080808080808000707070707070707070707070707070707070707
+070707070707070700070707000707000707070007070000070707000707070007070700
+070707000707000707070000070707070707070707070707070707070707070707070707
+070707070700080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505050505080808080808080808080808
+000808080808000808000808080808000808080808000800080808000008080800080800
+000808080008080008080008080008080808080008080800080800080808000808000808
+080008080000080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080007070707
+070707070007070707070007070007070707070007070707000707070007070007070707
+000707000707070700070700070700070700070707070707070707000707000707070007
+070007070700070700070707000707070707070707000808080808080808080808080808
+080808080800070707070707070707070707070707070707070707070707070707070000
+000007070707070707000707000707070700000000070707070007070700070700070707
+070007070707070707070707070707070707070707070707070707070707070008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050505050505080808080808080808080800080808080800080800
+080808080800080808080008080800080800080808080008080008080808000808000808
+000808000808080808080808080008080008080800080800080808000808000808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000707070707070707000707070707
+000707070000070707000707070700070707000707000707070700070700070707070007
+070007070007070007070707070700000000070700070707000707000707070007070007
+070700070707070707070700080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707000707070707070700000000
+070700070707070007070007070707000000000007070007070707000707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+050505050808080808080808080808080008080808080008080800000808080008080808
+000808080008080008080808000808000808080800080800080800080800080808080808
+000000000808000808080008080008080800080800080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800070707070707070700070707070700070707070700070700
+070707000000000000000700070707070007070007070707000707000707000707000707
+070707000707070007070007070700070700070707000707000707070007070707070707
+070008080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070700070707070707000707070007070007070707000707
+070007070700070707070707000707070700070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050505050508080808080808
+080808080808000808080808000808080808000808000808080000000000000008000808
+080800080800080808080008080008080008080008080808080008080800080800080808
+000808000808080008080008080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080007070707070707070007070707070007070707070007070007070700070707070700
+070000070707000707000007070700070700070700070700070707070700070707000707
+000707070007070007070700070700070707000707070707070707000808080808080808
+080808080808080808080800070707070707070707070707070707070707070707070707
+070707070007070707070700070707000707000707070700070707070007070007070707
+070700070707000007070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050505080808080808080808080808080800080808
+080800080808080800080800080808000808080808000800000808080008080000080808
+000808000808000808000808080808000808080008080008080800080800080808000808
+000808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000707070707070707
+000000000007000707000000070707070007000707070707070700000700000007070700
+070000000707070007070007070700000007070700000000000707000707000707070000
+000707070007070700070707070707070700080808080808080808080808080808080808
+080007070707070707070707070707070707070707070707070707070707000707070707
+070700000000000700070707070007070707070007070000000007070700000007000707
+070707070707070707070707070707070707070707070707070707000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505050808080808080808080808080808080000000000080008080000000808
+080800080008080808080808000008000000080808000800000008080800080800080808
+000000080808000000000008080008080008080800000008080800080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800070707070707070707070707070707070707
+070707070707070707070707070707070700070707070707070007070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070008080808080808080808080808080808080808000707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070700080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050508080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080007070707070707070707070707070707070707070707070707070707
+070707070707070007070707070707000707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707000808
+080808080808080808080808080808080800070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070700080808080808080808080808
+080808080808080007070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070008080808080808080808080808080808080808000707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070700080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080007070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707000808080808080808080808080808080808080800070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000080808080808
+080808080808080808080808080000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808000000000000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080800000000000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080000000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808000000
+000000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080800000000000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080000000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505080808080808
+080808080808080808000000000000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000000000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080000000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050505050808080808080808080808080808080008080808000808
+080808000008000000080808080000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000000000000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+050505050808080808080808080808080808000808080800080808080800000008080800
+080800080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050505050505050808080808
+080808080808080800080808080800080808000800080808080008080008080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050505050508080808080808080808080808080008
+080808080008080800080008080808000808000000000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000000000000080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505050505080808080808080808080808080808000808080808080008000808
+000808080800080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800000000
+000008080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050505050808
+080808080808080808080808080800080808080808000800080800000808080008080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080000000000080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050508080808080808080808080808
+080808080008080808080808000808080008000000080808080000000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000000000008080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505080808080808080808080808080808080808080808080808
+080800080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000000808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000000000000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080000000000000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808000000000000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080800
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808000000000000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080800000000000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080000000000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000000000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050808080808080808080808080808080800080808080800080808
+080808080808080808080800000008080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000000000000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+050808080808080808080808080808080008080808080808080808080808080008080808
+000808080008080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000000000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050505050508080808080808
+080808080808000808080808000808080000000800000008080008080808080008080008
+000008080000000800080808000000080808000800000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000000000000808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050505050508080808080808080808080800080808
+080800080800080808080800080808000808080808000808000008080800080808000008
+080008080800080800000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000000
+000000080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505050505050508080808080808080808080008080808080008080008080808
+080008080800080808080800080800080808080008080808000808000808080008080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000000000008
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050505050505
+080808080808080808080808000808080808000808080000080808000808080008080808
+080008080008080808000808080800080800000000000808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000000000000808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050505050808080808080808080808
+080800080808080800080808080800080800080808000808080808000808000808080800
+080808080008080008080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000000000000080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050508080808080808080808080808080008080808080008
+080808080008080008080808000808080008080800080808080008080800000808000808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800000000000008080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505080808080808080808080808080808000000000008000808000000080808080008
+080808000000080808080008080808080000000800080808000000000808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000080808080808080808080808080808080808080000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000808080808080808080808080808080808
+080800000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080800070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080007
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080800070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080007070707070707070707070707070707070707070707070707070707070707
+070707000000000000000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070707070707070707070707070707070707070000000000000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707070707070007070707070007070707070707070707070700
+000000070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808000707070707
+070707070707070707070707070707070707070707070707070707070707070700070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070707070707070707070707070707070707070707
+070707070707070707000707070707070007070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070707070707000707070707070707070707070707000707070007070700070707070707
+070707000707070707070707070707070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080800070707070707070707070707070707
+070707070707070707070707070707070707070707070007070707000707070707000007
+000000070707070000000707070707070707070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+070707070700000007070700000007070707070707070707070707070707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070707070707070707070707070707070700070707
+070700070707000000070000000707000707070007070700000007070000000707070000
+000707070707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080007070707070707070707070707070707070707070707070707
+070707070707070707070707000707070700070707070700000007070700070700070707
+000707070707070707070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070707
+070707070707070707070707070707070707070707070707070007070707070700070707
+000707070007070707070707070707070707070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070707070707070707070707070707070007070707070007070007070707
+070007070700070707000707000707070007070007070700070707000707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070700070707070700070707000700070707070007070007070700070707070707070707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070707070707070707070707
+070707070707070707070707070707000000000007070007070707070707000707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070707
+070707070707070707070707000707070707000707000707070707000707070000000007
+070700070707000707000707070707070700070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070007070707070007
+070700070007070707000707000000000007070707070707070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070700070707070707000707070700000000070707070707070707070707070707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070707070707070707070707
+070700070707070700070707000007070700070707000707070007070000000000070700
+070707070000000007070707070707070707070707070707070707070707070707070707
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707000707070707070007000707000707070700
+070700070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707070707070707070707070707070007070707
+070700070707000707070007070707070707070707070707070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070707070707070707070707070007070707070007
+070707070007070007070700070707000707000707070707070007070700070707000707
+070707070707070707070707070707070707070707070707070700080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050508080808080808080808
+080808080808000808080808000808080808080808080808080000000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070700070707070707000700070700000707070007070007070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070707070707070707070707070707000707070707070007070700070707
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707070707070707070707000707070707000707070707000707000707
+070007070700070700070707070707000707070007070700070707070707070707070707
+070707070707070707070707070707070008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050508080808080808080808080808080800080808
+080808080808080808080800080808000808080008080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070007
+070707070707000707070007000000070707070000000007070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070700000000000007070007070700000000000707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+070707070707070700000000000700070700000007070707000707000000000707070700
+000000070707000707070000000000070707070707070707070707070707070707070707
+070707070707000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505050505080808080808080808080808080008080808080008080800000008
+000000080800080808000808080000000808000000080808000000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700070707
+000707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070700080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050505050505
+080808080808080808080808000808080808000808000808080808000808080008080800
+080800080808000808000808080008080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707000707070700070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050505050505080808080808080808
+080800080808080800080800080808080800080808000000000808080008080800080800
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050505050808080808080808080808080008080808080008
+080800000808080008080800080808000808000000000008080008080808000000000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505050508080808080808080808080808000808080808000808080808000808000808
+080008080800080800080808080808000808080008080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808000707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050505080808080808
+080808080808080800080808080800080808080800080800080808000808080008080008
+080808080800080808000808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080800000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000008
+080808080808080808080808080808080808000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000080808080808080808080808080808080808080000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050808080808080808080808080808080000
+000000080008080000000808080800080800000000080808080000000008080800080808
+000000000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000800000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050508080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080800000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800000808080808000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000008080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080800000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000008080808080808080808080808080800
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080000080808
+080808080808080808080808080808080808000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080800000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080800000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800000808080808080808080808080808
+080808080808080808080808080808080808080808000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000808080808080808080808080808080808080808080808080808
+080808080808080808080808080000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080505080808080808080808080808080808080008080808080808080808080808
+080008080808080808080808080808080808080800000000000000080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080800000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808050505080808
+080808080808080808080808000808080808080808080808080808000808080808080808
+080808080808080008080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050505050808080808080808080808
+080800080800080000080808080000000800080800080808000808080000000800000008
+080808000808080808080000000808080008000008000800000808000008080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050505050808080808080808080808080008080000080800
+080800080808000008080008080800080800080808080800080808080800080808080800
+080808000808000008080800000808000008080008080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505050505050808080808080808080808000808000808080008080008080808000808
+000808080008080008080808080008080808080008080808080008080800080800080808
+080008080800080808000808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050505050508080808
+080808080808080800080800080808000808000808080800080800080808000808000808
+080808000808080808000808080808000000000008080008080808000808080008080800
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505080808080808080808080808080008
+080008080800080800080808080008080008080800080800080808080800080808080800
+080808080800080808080808000808080800080808000808080008080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080800000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050808080808080808080808080808000808000808080008080008
+080800000808000808000008080008080808080008080808080008080808080008080808
+080800080808080008080800080808000808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050508
+080808080808080808080808080800080800080808000808080000000800080808000008
+000808080000000808080008080808000808080808080000000008080008080808000808
+080008080800080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080000
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080800000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080000080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080805050808080808080808080808080808
+080800000000000808080808080808080808080808080808080808080808080808080808
+080800080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080505050808080808080808080808080808000808080808080008
+080808080808080808080808080808080808080808080808080808080000080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050505050508080808080808080808080800080808080800000008080008000008080000
+000808080008000008080808000000000808000800080808000808080000000808080008
+000008000800000808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000080808080808080808080808080808080808080000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050505050508080808
+080808080808080800080808080800080808000008080800080808000808000008080008
+080008080800080800080008080800080800080808000808000008080800000808000008
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070008080808
+080808080808080808080808080808000707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070700080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505050508080808080808080808080800
+000808080008080800080808080008080800080800080808000808000808080008080008
+080008080008080008080800080800080808080008080800080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080800070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050505080808080808080808080808080808000808000808080008
+080808000808080008080008080800080800080808000808000808080008000808000808
+080008080008080808000808080008080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050808080808080808080808080808080800080800080808000808080800080808000808
+000808080008080008080800080800080808000800080800080808000808000808080800
+080808000808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050508080808080808080808
+080808080808080008080008080800080808080008080800080800080808000808000808
+000008080008080808000008080008080800080800080808080008080800080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080007070707070707070707070707070700070707070707070707070707070700070707
+070707070707070707070707070707000000000000000707070707070707070707070707
+070707070707070707070700070707070707070707070707070707000808080808080808
+080808080808080808080800070707070707070707070707070700070707070700070707
+070707070707070707070707070707070707070707070707070707070700070700000000
+070707070707070707070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505080808080808080808080808080800000000080808
+080008080008080808080000000808080008080800080808000008000808000808080808
+000808080000000808080008080808000808080008080800080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000707070707070707
+070707070707070007070707070707070707070707070007070707070707070707070707
+070700070707070700070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070700080808080808080808080808080808080808
+080007070707070707070707070707070000070707070007070707070707070707070707
+070707070707070707070707070707070707070007070007070707070707070707070707
+070707070707070707070707070707070707070707070707070707000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800070707070707070707070707070707000707
+000700000707070700000007000707000707070007070700000007000000070707070007
+070707070700000007070700070000070007000007070000070707000707070707070707
+070707070707070008080808080808080808080808080808080808000707070707070707
+070707070707000700070707000707070000000707070007000007000700000707000007
+070707000000070707000707000707070707070000000707070007000007000700000707
+000007070707070707070707070707070700080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080007070707070707070707070707070700070700000707000707000707
+070000070700070707000707000707070707000707070707000707070707000707070007
+070000070707000007070000070700070700070707070707070707070707070707000808
+080808080808080808080808080808080800070707070707070707070707070700070007
+070700070700070707000707000007070700000707000007070007070007070700070700
+070700070707070700070707000707000007070700000707000007070007070707070707
+070707070707070008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000707
+070707070707070707070707070007070007070700070700070707070007070007070700
+070700070707070700070707070700070707070700070707000707000707070700070707
+000707070007070007070707070707070707070707070700080808080808080808080808
+080808080808080007070707070707070707070707070007070007070007070007070700
+070700070707070007070700070707000707070707070007070007070000000007070007
+070700070700070707070007070700070707000707070707070707070707070707000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800070707070707070707070707
+070707000707000707070007070007070707000707000707070007070007070707070007
+070707070007070707070000000000070700070707070007070700070707000707000707
+070707070707070707070707070008080808080808080808080808080808080808000707
+070707070707070707070707000707070007000707000707070007070007070707000707
+070007070700070707000000000707000707000707070707000707070007070007070707
+000707070007070700070707070707070707070707070700080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080007070707070707070707070707070700070700070707
+000707000707070700070700070707000707000707070707000707070707000707070707
+000707070707070007070707000707070007070700070700070707070707070707070707
+070707000808080808080808080808080808080808080800070707070707070707070707
+070700070707000700070700070707000707000707070700070707000707070007070007
+070700070700070700070707070700070707000707000707070700070707000707070007
+070707070707070707070707070008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000707070707070707070707070707070007070007070700070700070707000007
+070007070000070700070707070700070707070700070707070700070707070707000707
+070700070707000707070007070007070707070707070707070707070700080808080808
+080808080808080808080808080007070707070707070707070707070007070707000007
+070007070700070700070707070007070700070707000707000707070007070007070007
+070707070007070700070700070707070007070700070707000707070707070707070707
+070707000808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800070707070707
+070707070707070707000707000707070007070700000007000707070000070007070700
+000007070700070707070007070707070700000000070700070707070007070700070707
+000707000707070707070707070707070707070008080808080808080808080808080808
+080808000707070707070707070707070707000707070707000707070000000707070007
+070707000707070007070700070707000000000007000707000707070707070000000707
+070007070707000707070007070700070707070707070707070707070700080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080800070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808080808080808080808080808080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080007070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707000808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808000707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080808080808080808
+080808080808080808080808080808080808080808080808080007070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080800
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+050508080808080808080808080808080808000808080808000808080808080808080808
+080808080808080808080808080808080808080808000808000000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800000808080808080808080808080808080808080808
+080808080808080808080808080808000707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070700080808080808080808080808080808080808080007070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707000808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080805050508080808080808
+080808080808080800000808080800080808080808080808080808080808080808080808
+080808080808080808080800080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080800000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000008080808
+080808080808080808080808080808000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505050505080808080808080808080808080008
+000808080008080800000008080800080000080008000008080000080808080000000808
+080008080008080808080800000008080800080000080008000008080000080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000000000000080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505050505080808080808080808080808000800080808000808000808
+080008080000080808000008080000080800080800080808000808000808000808080808
+000808080008080000080808000008080000080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080000000000000008
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050505080808080808080808080800080800080800080800080808000808000808080800
+080808000808080008080808080800080800080800000000080800080808000808000808
+080800080808000808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000000000000080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050505050808080808080808
+080808080008080800080008080008080800080800080808080008080800080808000808
+080000000008080008080008080808080008080800080800080808080008080800080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080000000000
+000008080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050508080808080808080808080808000808080008
+000808000808080008080008080808000808080008080800080800080808000808000808
+000808080808000808080008080008080808000808080008080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000000000000080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505080808080808080808080808080800080808080000080800080808000808
+000808080800080808000808080008080008080800080800080800080808080800080808
+000808000808080800080808000808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000000000008080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050808080808
+080808080808080808080008080808080008080800000008080800080808080008080800
+080808000808080000000000080008080008080808080800000008080800080808080008
+080800080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000000000000000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050508080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800000000000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000000000000000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800080808080808
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800000000000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000000000000000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000000000000000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080800000000000008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808000000000000
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080808
+080808080808080808080808080800000000000008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080000
+000000000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080800000000000000080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080505080808080808080808080808080808080000
+000000080808080808080808080808080808080808080808080808000808080808080808
+080808080808080808080800080800080808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080000000000000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808050505080808080808080808080808080800080808080808000808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080008080808080808080808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000808080808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080800000000000000080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050505
+050808080808080808080808080008080808080000000808080000000808080008000008
+080808000000080008080800000008080800080000080800000008000808000808000000
+000008080800000008080000000808000808080000000808080008000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+080808080808080808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080000000000000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050505050808080808080808
+080808080008080808080008080800080808000808000008080008080008080800000808
+000808080008080000080808000808080000080800080808080808000808000808080008
+080008080800080800080808000808000008080008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080800000000000000080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050505050808080808080808080808080000080808
+000808080808080800080800080808000808000808080800080808080808000808000808
+080800080808080008080008080808080008080808080808000808000808080008080008
+080800080800080808000808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800080808080808080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080008080808080808080808080808080808
+080808080808080000000000000808080808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505050508080808080808080808080808080800080800080808080000000008
+080008080800080800080808080008080800000000080800080808080008080808000808
+000808080800080808080800000000080800080808000808000808080008080008080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080800000000000000080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050505080808
+080808080808080808080808080008080008080800080808000808000808080008080008
+080808000808000808080008080008080808000808080800080800080808000808080808
+000808080008080008080800080800080808000808000808080008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080008080808080808080000000000000808080808080808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505050808080808080808080808080808
+080808000808000808080008080800080800080808000808000808080000080800080808
+000808000808080800080808000008080008080008080808080800080808000808000808
+080008080008080800080800080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080008080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080000000000000000
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050508080808080808080808080808080000000008080808000808
+080000000000080008080800080808000000080008080800000000000800080808080800
+000008000808000808000000000008080800000000000808000808000808080000000808
+080008080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000000000000000080808080808080808080808080808
+080808080808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080008080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000000
+000000080808080808080800080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000808
+080808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080000000000000008080808080808080808080808
+080800080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000000000000080808080808080808080808080808080808080808080800080808080808
+080808080808080808080808080808080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000808080808000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080000000000000008080808080808080808
+080808080808080808080808080808080808080800080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000808080800080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000000000000080808080808080808080808080808080808080808080808080808
+080808080808080808080800000808080808080808080808080808080808080008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800080808
+080008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080000000000000008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080808080808080800080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000000000000080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080808080808080808080008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080000000000000008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000808080808080808080808080800
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800080800080808080808080808080808080808080808080808080808080808
+080808080808080808000000000000080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080008080008
+080808080808080808080808080808080808080808080808080808080800000000000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000808080808080808080008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080008000808080808080808080808
+080808080808080808080808000000000000000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000808080808
+080800080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080805050808
+080808080808080808080808080800080808000808080008080808080808080808080808
+080800080808080808000808080808000808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080000080808080808080808080808080808080800000000
+000008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000008080808000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080505050808080808080808080808
+080808080008080800080808000808080808080808080808080808080008080808080800
+000808080800080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080000080808080808080808000000000000000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080008080800080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808050505050508080808080808080808080808080008000800
+080008080800000008080808000000080808000808080008080008000808080008080800
+000008080800080000080008000008080000080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000008080800
+000000000008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080008000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080805050505050508080808080808080808080808000800080008000808000808080008
+080008080800080800080800080808000800080808000808000808080008080000080808
+000008080000080800080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000008
+080808080808080808080808080808080808000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080505050505050508
+080808080808080808080800080008000800080800080808000808080808080008080008
+000808080800080800080800080800080808000808000808080800080808000808080008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808050505050505080808080808080808080808
+080008000800080008080000000000080808000000000808000000080808080008080800
+080008080008080800080800080808080008080800080808000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080007
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707000808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080007070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707000808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080805050505050808080808080808080808080808000800080008000808
+000808080808080008080800080800080800080808000808080008000808000808080008
+080008080808000808080008080800080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070700080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808000707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070700080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080505
+050508080808080808080808080808080808000808080008080800080808080808000808
+080008080008080800080800080808080000080800080808000808000808080800080808
+000808080008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080007070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080800070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070008080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080800070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070008080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808050505080808080808080808
+080808080808080800080808000808080800000000080808000000000008000808080800
+080008080808080008080800000008080800080808080008080800080808000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808000707070707
+070707070707070707070707070007070700070707000707070707070707070707070707
+070007070707070700070707070700070707070707070707070707070707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080007070707070707070707070707070700000000000707070707070707070707
+070707070707070707070707070707070707070700070707070700070707070707070707
+070707070707070707070707070707070707070707070707070707070707000808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080007070707000000000007070707070707070707070707
+070707070707070707070700070707070707070707070707070707070707070007070007
+070707070707070707070707070707070707070007070707070707070707070707070707
+070707000808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080805050808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080800070707070707070707070707070707
+070707000707070007070700070707070707070707070707070707000707070707070000
+070707070007070707070707070707070707070707070707070707070707070707070707
+070707070707070707070008080808080808080808080808080808080808000707070707
+070707070707070707000707070707070007070707070707070707070707070707070707
+070707070707070707070000070707070007070707070707070707070707070707070707
+070707070707070707070707070707070707070700080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808000707070007070707070700070707070707070707070707070707070707070707
+070007070707070707070707070707070707070707000707070707070707070707070707
+070707070700070707070707070707070707070707070707070707070700080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080007070707070707070707070707070707070707000700070007
+000707070000000707070700000007070700070707000707000700070707000707070000
+000707070007000007000700000707000007070707070707070707070707070707070707
+000808080808080808080808080808080808080800070707070707070707070707070700
+070707070700000007070007000007070000000707070007000007070707000000000707
+000700070707000707070000000707070007000007000700000707000007070707070707
+070707070707070707070008080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080800070707000707
+070707000000070707000000070707000700000707070700000007000707070000000707
+070007000007070000000700070700070700000000000707070000000707000000070700
+070707000000070707000700000707070707070008080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+000707070707070707070707070707070707070700070007000700070700070707000707
+000707070007070007070007070700070007070700070700070707000707000007070700
+000707000007070007070707070707070707070707070707070700080808080808080808
+080808080808080808080007070707070707070707070707070700070707070700070707
+000007070700070707000707000007070007070007070700070700070007070700070700
+070707000707000007070700000707000007070007070707070707070707070707070707
+000808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080007070707000707070707000707070007
+070700070700000707000707000707070000070700070707000707000007070700070707
+000007070007070707070700070700070707000707000707070007070007070700070700
+000707000707070707000808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080800070707070707070707
+070707070707070707070007000700070007070007070700070707070707000707000700
+070707070007070007070007070007070700070700070707070007070700070707000707
+070707070707070707070707070707070008080808080808080808080808080808080808
+000707070707070707070707070707070700000707070007070700070707070007070700
+070700070707000707000707070007070007070007070007070007070700070700070707
+070007070700070707000707070707070707070707070707070700080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808000707070707000007070700070707070707070007070007070700
+070700070707070007070707070700070700070707070007070707000707000707070707
+000707070707070700070700070707000707000707070007070007070700070707070700
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080007070707070707070707070707070707070707
+000700070007000707000000000007070700000000070700000007070707000707070007
+000707000707070007070007070707000707070007070700070707070707070707070707
+070707070707000808080808080808080808080808080808080800070707070707070707
+070707070707070707000707000707070007070707000707070007070007070700070700
+070707000707000707070007000707000707070007070007070707000707070007070700
+070707070707070707070707070707070008080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080800
+070707070707070007070007070707000000000707000707070007070007070707000707
+070000000007070007070707000707070700070700070707070007070707070000000007
+070007070700070700070707000707000707070007070707070008080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808000707070707070707070707070707070707070700070007000700070700
+070707070707000707070007070007070007070700070707000700070700070707000707
+000707070700070707000707070007070707070707070707070707070707070700080808
+080808080808080808080808080808080007070707070707070707070707070707070700
+070700070707000707070700070707000707000707070007070007070700070700070707
+000700070700070707000707000707070700070707000707070007070707070707070707
+070707070707000808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080007070707070707000707
+000707070007070700070700070707000707000707070700070700070707000707000707
+070700070707070007070007070700070707070700070707000707000707070007070007
+070700070700070707000707070707000808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080800070707
+070707070707070707070707070707070700070707000707070007070707070700070707
+000707000707070007070007070707000007070007070700070700070707070007070700
+070707000707070707070707070707070707070707070008080808080808080808080808
+080808080808000707070707070707070707070707070707070007070007070700070707
+070007070700070700070707000707000707000007070007070707000007070007070700
+070700070707070007070700070707000707070707070707070707070707070700080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808000707070707070700070700070707000707070007
+070007070700070700070707000007070007070700070700070707070007070700000707
+000707000707070707070007070700070700070707000707000707070007070007070700
+070707070700080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080007070707070707070707070707
+070707070707070007070700070707070000000007070700000000000700070707070007
+000707070707000707070000000707070007070707000707070007070700070707070707
+070707070707070707070707000808080808080808080808080808080808080800070707
+070707070707070707070700000000070707070007070007070707070000000707070007
+070700070707000007000707000707070707000707070000000707070007070707000707
+070007070700070707070707070707070707070707070008080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080800070707000000000707070700070707000000000007000707070007070700
+000007000707070000000000070007070707070000000700070700070700000000000707
+070000000000070700070700070707000000070707000707070007070707070008080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080007070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070700
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707000808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080007070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707000808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808000707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707000000000707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070700080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808000707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070700080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080800070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070008080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080800070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070008080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080007070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707000808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080007070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707000808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080800070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070008
+080808080808080808080808080808080808000707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070700080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808000707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070707070707070707070707070707070707070707
+070707070707070707070707070707070700080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000808080808080808080808
+080808080808080800000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000008
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080800000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000000000000000000000000000000000000000000000000000000000000
+000000000000000008080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080809090908
+010808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080909090801080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808080909090801080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808090909080108080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080808090909080108080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080809090908010808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080B080606060808080808080808
+080809090908010808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080909090801080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080B08060606080808080808080808080909090801080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808090909
+080108080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080B0806060608080808080808080808090909080108080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080809090908010808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080B080606060808
+080808080808080809090908010808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080909090801080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080B08060606080808080808080808080909
+090801080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808090909080108080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080B0806060608080808080808080808090909080108080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080809090908010808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080808080808080808080808080808080808080B
+080606060808080808080808080809090908010808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080909090801080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080B08060606080808080808
+080808080909090801080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808090909080108080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080B0806060608080808080808080808090909080108
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080809
+090908010808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080B080606060808080808080808080809090908010808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080909090801080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080B08060606
+080808080808080808080909090801080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808090909080108080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080B0806060608080808080808080808
+090909080108080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080809090908010808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080B080606060808080808080808080809090908010808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+08080808080808080808080808080808080B080606060808080808080808080909090801
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080B08060606080808080808080808080909090801080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080B08060606080808080808080808090909080108080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080B0806060608080808
+080808080808090909080108080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808080808080808080808080808080808080808080B0806
+060608080808080808080809090908010B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B080606060808080808080808080809090908
+010B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B
+0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B080606060808080808080808
+080909090808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808060606080808080808080808080909090808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808060606080808080808080808090909060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060608080808080808080808090909060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060608080808080808080809090606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060808080808080808
+080809090606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060808
+080808080808080906060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606080808080808080808080906060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606060606060606060606060606
+060606060606060606060606060606060606060606060606080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+080808080808080808080808080808080808080808080808080808080808080808080808
+0808080808080808080808080808
+end
+%%PageTrailer
+%%Trailer
+%%EOF
Binary file src/Doc/System/document/browser_screenshot.png has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle.pdf ""
+"$ISABELLE_TOOL" logo -o isabelle.eps ""
+
+cp "$ISABELLE_HOME/src/Doc/IsarRef/document/style.sty" .
+cp "$ISABELLE_HOME/src/Doc/iman.sty" .
+cp "$ISABELLE_HOME/src/Doc/extra.sty" .
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/underscore.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/System/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,47 @@
+\documentclass[12pt,a4paper]{report}
+\usepackage{supertabular}
+\usepackage{graphicx}
+\usepackage{iman,extra,isar,ttbox}
+\usepackage[nohyphen,strings]{underscore}
+\usepackage{isabelle,isabellesym}
+\usepackage{railsetup}
+\usepackage{style}
+\usepackage{pdfsetup}
+
+\hyphenation{Isabelle}
+\hyphenation{Isar}
+
+\isadroptag{theory}
+
+\isabellestyle{literal}
+
+\title{\includegraphics[scale=0.5]{isabelle} \\[4ex] The Isabelle System Manual}
+
+\author{\emph{Makarius Wenzel} and \emph{Stefan Berghofer} \\
+ TU M\"unchen}
+
+\makeindex
+
+
+\begin{document}
+
+\maketitle
+\pagenumbering{roman} \tableofcontents \clearfirst
+
+\input{Basics.tex}
+\input{Interfaces.tex}
+\input{Sessions.tex}
+\input{Presentation.tex}
+\input{Scala.tex}
+\input{Misc.tex}
+
+\begingroup
+ \tocentry{\bibname}
+ \bibliographystyle{abbrv} \small\raggedright\frenchspacing
+ \bibliography{manual}
+\endgroup
+
+\tocentry{\indexname}
+\printindex
+
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Advanced/Partial.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,224 @@
+(*<*)theory Partial imports While_Combinator begin(*>*)
+
+text{*\noindent Throughout this tutorial, we have emphasized
+that all functions in HOL are total. We cannot hope to define
+truly partial functions, but must make them total. A straightforward
+method is to lift the result type of the function from $\tau$ to
+$\tau$~@{text option} (see \ref{sec:option}), where @{term None} is
+returned if the function is applied to an argument not in its
+domain. Function @{term assoc} in \S\ref{sec:Trie} is a simple example.
+We do not pursue this schema further because it should be clear
+how it works. Its main drawback is that the result of such a lifted
+function has to be unpacked first before it can be processed
+further. Its main advantage is that you can distinguish if the
+function was applied to an argument in its domain or not. If you do
+not need to make this distinction, for example because the function is
+never used outside its domain, it is easier to work with
+\emph{underdefined}\index{functions!underdefined} functions: for
+certain arguments we only know that a result exists, but we do not
+know what it is. When defining functions that are normally considered
+partial, underdefinedness turns out to be a very reasonable
+alternative.
+
+We have already seen an instance of underdefinedness by means of
+non-exhaustive pattern matching: the definition of @{term last} in
+\S\ref{sec:fun}. The same is allowed for \isacommand{primrec}
+*}
+
+consts hd :: "'a list \<Rightarrow> 'a"
+primrec "hd (x#xs) = x"
+
+text{*\noindent
+although it generates a warning.
+Even ordinary definitions allow underdefinedness, this time by means of
+preconditions:
+*}
+
+definition subtract :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"n \<le> m \<Longrightarrow> subtract m n \<equiv> m - n"
+
+text{*
+The rest of this section is devoted to the question of how to define
+partial recursive functions by other means than non-exhaustive pattern
+matching.
+*}
+
+subsubsection{*Guarded Recursion*}
+
+text{*
+\index{recursion!guarded}%
+Neither \isacommand{primrec} nor \isacommand{recdef} allow to
+prefix an equation with a condition in the way ordinary definitions do
+(see @{const subtract} above). Instead we have to move the condition over
+to the right-hand side of the equation. Given a partial function $f$
+that should satisfy the recursion equation $f(x) = t$ over its domain
+$dom(f)$, we turn this into the \isacommand{recdef}
+@{prop[display]"f(x) = (if x \<in> dom(f) then t else arbitrary)"}
+where @{term arbitrary} is a predeclared constant of type @{typ 'a}
+which has no definition. Thus we know nothing about its value,
+which is ideal for specifying underdefined functions on top of it.
+
+As a simple example we define division on @{typ nat}:
+*}
+
+consts divi :: "nat \<times> nat \<Rightarrow> nat"
+recdef divi "measure(\<lambda>(m,n). m)"
+ "divi(m,0) = arbitrary"
+ "divi(m,n) = (if m < n then 0 else divi(m-n,n)+1)"
+
+text{*\noindent Of course we could also have defined
+@{term"divi(m,0)"} to be some specific number, for example 0. The
+latter option is chosen for the predefined @{text div} function, which
+simplifies proofs at the expense of deviating from the
+standard mathematical division function.
+
+As a more substantial example we consider the problem of searching a graph.
+For simplicity our graph is given by a function @{term f} of
+type @{typ"'a \<Rightarrow> 'a"} which
+maps each node to its successor; the graph has out-degree 1.
+The task is to find the end of a chain, modelled by a node pointing to
+itself. Here is a first attempt:
+@{prop[display]"find(f,x) = (if f x = x then x else find(f, f x))"}
+This may be viewed as a fixed point finder or as the second half of the well
+known \emph{Union-Find} algorithm.
+The snag is that it may not terminate if @{term f} has non-trivial cycles.
+Phrased differently, the relation
+*}
+
+definition step1 :: "('a \<Rightarrow> 'a) \<Rightarrow> ('a \<times> 'a)set" where
+ "step1 f \<equiv> {(y,x). y = f x \<and> y \<noteq> x}"
+
+text{*\noindent
+must be well-founded. Thus we make the following definition:
+*}
+
+consts find :: "('a \<Rightarrow> 'a) \<times> 'a \<Rightarrow> 'a"
+recdef find "same_fst (\<lambda>f. wf(step1 f)) step1"
+ "find(f,x) = (if wf(step1 f)
+ then if f x = x then x else find(f, f x)
+ else arbitrary)"
+(hints recdef_simp: step1_def)
+
+text{*\noindent
+The recursion equation itself should be clear enough: it is our aborted
+first attempt augmented with a check that there are no non-trivial loops.
+To express the required well-founded relation we employ the
+predefined combinator @{term same_fst} of type
+@{text[display]"('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> ('b\<times>'b)set) \<Rightarrow> (('a\<times>'b) \<times> ('a\<times>'b))set"}
+defined as
+@{thm[display]same_fst_def[no_vars]}
+This combinator is designed for
+recursive functions on pairs where the first component of the argument is
+passed unchanged to all recursive calls. Given a constraint on the first
+component and a relation on the second component, @{term same_fst} builds the
+required relation on pairs. The theorem
+@{thm[display]wf_same_fst[no_vars]}
+is known to the well-foundedness prover of \isacommand{recdef}. Thus
+well-foundedness of the relation given to \isacommand{recdef} is immediate.
+Furthermore, each recursive call descends along that relation: the first
+argument stays unchanged and the second one descends along @{term"step1
+f"}. The proof requires unfolding the definition of @{const step1},
+as specified in the \isacommand{hints} above.
+
+Normally you will then derive the following conditional variant from
+the recursion equation:
+*}
+
+lemma [simp]:
+ "wf(step1 f) \<Longrightarrow> find(f,x) = (if f x = x then x else find(f, f x))"
+by simp
+
+text{*\noindent Then you should disable the original recursion equation:*}
+
+declare find.simps[simp del]
+
+text{*
+Reasoning about such underdefined functions is like that for other
+recursive functions. Here is a simple example of recursion induction:
+*}
+
+lemma "wf(step1 f) \<longrightarrow> f(find(f,x)) = find(f,x)"
+apply(induct_tac f x rule: find.induct);
+apply simp
+done
+
+subsubsection{*The {\tt\slshape while} Combinator*}
+
+text{*If the recursive function happens to be tail recursive, its
+definition becomes a triviality if based on the predefined \cdx{while}
+combinator. The latter lives in the Library theory \thydx{While_Combinator}.
+% which is not part of {text Main} but needs to
+% be included explicitly among the ancestor theories.
+
+Constant @{term while} is of type @{text"('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> 'a) \<Rightarrow> 'a"}
+and satisfies the recursion equation @{thm[display]while_unfold[no_vars]}
+That is, @{term"while b c s"} is equivalent to the imperative program
+\begin{verbatim}
+ x := s; while b(x) do x := c(x); return x
+\end{verbatim}
+In general, @{term s} will be a tuple or record. As an example
+consider the following definition of function @{const find}:
+*}
+
+definition find2 :: "('a \<Rightarrow> 'a) \<Rightarrow> 'a \<Rightarrow> 'a" where
+ "find2 f x \<equiv>
+ fst(while (\<lambda>(x,x'). x' \<noteq> x) (\<lambda>(x,x'). (x',f x')) (x,f x))"
+
+text{*\noindent
+The loop operates on two ``local variables'' @{term x} and @{term x'}
+containing the ``current'' and the ``next'' value of function @{term f}.
+They are initialized with the global @{term x} and @{term"f x"}. At the
+end @{term fst} selects the local @{term x}.
+
+Although the definition of tail recursive functions via @{term while} avoids
+termination proofs, there is no free lunch. When proving properties of
+functions defined by @{term while}, termination rears its ugly head
+again. Here is \tdx{while_rule}, the well known proof rule for total
+correctness of loops expressed with @{term while}:
+@{thm[display,margin=50]while_rule[no_vars]} @{term P} needs to be true of
+the initial state @{term s} and invariant under @{term c} (premises 1
+and~2). The post-condition @{term Q} must become true when leaving the loop
+(premise~3). And each loop iteration must descend along a well-founded
+relation @{term r} (premises 4 and~5).
+
+Let us now prove that @{const find2} does indeed find a fixed point. Instead
+of induction we apply the above while rule, suitably instantiated.
+Only the final premise of @{thm[source]while_rule} is left unproved
+by @{text auto} but falls to @{text simp}:
+*}
+
+lemma lem: "wf(step1 f) \<Longrightarrow>
+ \<exists>y. while (\<lambda>(x,x'). x' \<noteq> x) (\<lambda>(x,x'). (x',f x')) (x,f x) = (y,y) \<and>
+ f y = y"
+apply(rule_tac P = "\<lambda>(x,x'). x' = f x" and
+ r = "inv_image (step1 f) fst" in while_rule);
+apply auto
+apply(simp add: inv_image_def step1_def)
+done
+
+text{*
+The theorem itself is a simple consequence of this lemma:
+*}
+
+theorem "wf(step1 f) \<Longrightarrow> f(find2 f x) = find2 f x"
+apply(drule_tac x = x in lem)
+apply(auto simp add: find2_def)
+done
+
+text{* Let us conclude this section on partial functions by a
+discussion of the merits of the @{term while} combinator. We have
+already seen that the advantage of not having to
+provide a termination argument when defining a function via @{term
+while} merely puts off the evil hour. On top of that, tail recursive
+functions tend to be more complicated to reason about. So why use
+@{term while} at all? The only reason is executability: the recursion
+equation for @{term while} is a directly executable functional
+program. This is in stark contrast to guarded recursion as introduced
+above which requires an explicit test @{prop"x \<in> dom f"} in the
+function body. Unless @{term dom} is trivial, this leads to a
+definition that is impossible to execute or prohibitively slow.
+Thus, if you are aiming for an efficiently executable definition
+of a partial function, you are likely to need @{term while}.
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Advanced/WFrec.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,119 @@
+(*<*)theory WFrec imports Main begin(*>*)
+
+text{*\noindent
+So far, all recursive definitions were shown to terminate via measure
+functions. Sometimes this can be inconvenient or
+impossible. Fortunately, \isacommand{recdef} supports much more
+general definitions. For example, termination of Ackermann's function
+can be shown by means of the \rmindex{lexicographic product} @{text"<*lex*>"}:
+*}
+
+consts ack :: "nat\<times>nat \<Rightarrow> nat"
+recdef ack "measure(\<lambda>m. m) <*lex*> measure(\<lambda>n. n)"
+ "ack(0,n) = Suc n"
+ "ack(Suc m,0) = ack(m, 1)"
+ "ack(Suc m,Suc n) = ack(m,ack(Suc m,n))"
+
+text{*\noindent
+The lexicographic product decreases if either its first component
+decreases (as in the second equation and in the outer call in the
+third equation) or its first component stays the same and the second
+component decreases (as in the inner call in the third equation).
+
+In general, \isacommand{recdef} supports termination proofs based on
+arbitrary well-founded relations as introduced in \S\ref{sec:Well-founded}.
+This is called \textbf{well-founded
+recursion}\indexbold{recursion!well-founded}. A function definition
+is total if and only if the set of
+all pairs $(r,l)$, where $l$ is the argument on the
+left-hand side of an equation and $r$ the argument of some recursive call on
+the corresponding right-hand side, induces a well-founded relation. For a
+systematic account of termination proofs via well-founded relations see, for
+example, Baader and Nipkow~\cite{Baader-Nipkow}.
+
+Each \isacommand{recdef} definition should be accompanied (after the function's
+name) by a well-founded relation on the function's argument type.
+Isabelle/HOL formalizes some of the most important
+constructions of well-founded relations (see \S\ref{sec:Well-founded}). For
+example, @{term"measure f"} is always well-founded. The lexicographic
+product of two well-founded relations is again well-founded, which we relied
+on when defining Ackermann's function above.
+Of course the lexicographic product can also be iterated:
+*}
+
+consts contrived :: "nat \<times> nat \<times> nat \<Rightarrow> nat"
+recdef contrived
+ "measure(\<lambda>i. i) <*lex*> measure(\<lambda>j. j) <*lex*> measure(\<lambda>k. k)"
+"contrived(i,j,Suc k) = contrived(i,j,k)"
+"contrived(i,Suc j,0) = contrived(i,j,j)"
+"contrived(Suc i,0,0) = contrived(i,i,i)"
+"contrived(0,0,0) = 0"
+
+text{*
+Lexicographic products of measure functions already go a long
+way. Furthermore, you may embed a type in an
+existing well-founded relation via the inverse image construction @{term
+inv_image}. All these constructions are known to \isacommand{recdef}. Thus you
+will never have to prove well-foundedness of any relation composed
+solely of these building blocks. But of course the proof of
+termination of your function definition --- that the arguments
+decrease with every recursive call --- may still require you to provide
+additional lemmas.
+
+It is also possible to use your own well-founded relations with
+\isacommand{recdef}. For example, the greater-than relation can be made
+well-founded by cutting it off at a certain point. Here is an example
+of a recursive function that calls itself with increasing values up to ten:
+*}
+
+consts f :: "nat \<Rightarrow> nat"
+recdef (*<*)(permissive)(*>*)f "{(i,j). j<i \<and> i \<le> (10::nat)}"
+"f i = (if 10 \<le> i then 0 else i * f(Suc i))"
+
+text{*\noindent
+Since \isacommand{recdef} is not prepared for the relation supplied above,
+Isabelle rejects the definition. We should first have proved that
+our relation was well-founded:
+*}
+
+lemma wf_greater: "wf {(i,j). j<i \<and> i \<le> (N::nat)}"
+
+txt{*\noindent
+The proof is by showing that our relation is a subset of another well-founded
+relation: one given by a measure function.\index{*wf_subset (theorem)}
+*}
+
+apply (rule wf_subset [of "measure (\<lambda>k::nat. N-k)"], blast)
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+\noindent
+The inclusion remains to be proved. After unfolding some definitions,
+we are left with simple arithmetic that is dispatched automatically.
+*}
+
+by (clarify, simp add: measure_def inv_image_def)
+
+text{*\noindent
+
+Armed with this lemma, we use the \attrdx{recdef_wf} attribute to attach a
+crucial hint\cmmdx{hints} to our definition:
+*}
+(*<*)
+consts g :: "nat \<Rightarrow> nat"
+recdef g "{(i,j). j<i \<and> i \<le> (10::nat)}"
+"g i = (if 10 \<le> i then 0 else i * g(Suc i))"
+(*>*)
+(hints recdef_wf: wf_greater)
+
+text{*\noindent
+Alternatively, we could have given @{text "measure (\<lambda>k::nat. 10-k)"} for the
+well-founded relation in our \isacommand{recdef}. However, the arithmetic
+goal in the lemma above would have arisen instead in the \isacommand{recdef}
+termination proof, where we have less control. A tailor-made termination
+relation makes even more sense when it can be used in several function
+declarations.
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Advanced/simp2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,189 @@
+(*<*)
+theory simp2 imports Main begin
+(*>*)
+
+section{*Simplification*}
+
+text{*\label{sec:simplification-II}\index{simplification|(}
+This section describes features not covered until now. It also
+outlines the simplification process itself, which can be helpful
+when the simplifier does not do what you expect of it.
+*}
+
+subsection{*Advanced Features*}
+
+subsubsection{*Congruence Rules*}
+
+text{*\label{sec:simp-cong}
+While simplifying the conclusion $Q$
+of $P \Imp Q$, it is legal to use the assumption $P$.
+For $\Imp$ this policy is hardwired, but
+contextual information can also be made available for other
+operators. For example, @{prop"xs = [] --> xs@xs = xs"} simplifies to @{term
+True} because we may use @{prop"xs = []"} when simplifying @{prop"xs@xs =
+xs"}. The generation of contextual information during simplification is
+controlled by so-called \bfindex{congruence rules}. This is the one for
+@{text"\<longrightarrow>"}:
+@{thm[display]imp_cong[no_vars]}
+It should be read as follows:
+In order to simplify @{prop"P-->Q"} to @{prop"P'-->Q'"},
+simplify @{prop P} to @{prop P'}
+and assume @{prop"P'"} when simplifying @{prop Q} to @{prop"Q'"}.
+
+Here are some more examples. The congruence rules for bounded
+quantifiers supply contextual information about the bound variable:
+@{thm[display,eta_contract=false,margin=60]ball_cong[no_vars]}
+One congruence rule for conditional expressions supplies contextual
+information for simplifying the @{text then} and @{text else} cases:
+@{thm[display]if_cong[no_vars]}
+An alternative congruence rule for conditional expressions
+actually \emph{prevents} simplification of some arguments:
+@{thm[display]if_weak_cong[no_vars]}
+Only the first argument is simplified; the others remain unchanged.
+This makes simplification much faster and is faithful to the evaluation
+strategy in programming languages, which is why this is the default
+congruence rule for @{text "if"}. Analogous rules control the evaluation of
+@{text case} expressions.
+
+You can declare your own congruence rules with the attribute \attrdx{cong},
+either globally, in the usual manner,
+\begin{quote}
+\isacommand{declare} \textit{theorem-name} @{text"[cong]"}
+\end{quote}
+or locally in a @{text"simp"} call by adding the modifier
+\begin{quote}
+@{text"cong:"} \textit{list of theorem names}
+\end{quote}
+The effect is reversed by @{text"cong del"} instead of @{text cong}.
+
+\begin{warn}
+The congruence rule @{thm[source]conj_cong}
+@{thm[display]conj_cong[no_vars]}
+\par\noindent
+is occasionally useful but is not a default rule; you have to declare it explicitly.
+\end{warn}
+*}
+
+subsubsection{*Permutative Rewrite Rules*}
+
+text{*
+\index{rewrite rules!permutative|bold}%
+An equation is a \textbf{permutative rewrite rule} if the left-hand
+side and right-hand side are the same up to renaming of variables. The most
+common permutative rule is commutativity: @{prop"x+y = y+x"}. Other examples
+include @{prop"(x-y)-z = (x-z)-y"} in arithmetic and @{prop"insert x (insert
+y A) = insert y (insert x A)"} for sets. Such rules are problematic because
+once they apply, they can be used forever. The simplifier is aware of this
+danger and treats permutative rules by means of a special strategy, called
+\bfindex{ordered rewriting}: a permutative rewrite
+rule is only applied if the term becomes smaller with respect to a fixed
+lexicographic ordering on terms. For example, commutativity rewrites
+@{term"b+a"} to @{term"a+b"}, but then stops because @{term"a+b"} is strictly
+smaller than @{term"b+a"}. Permutative rewrite rules can be turned into
+simplification rules in the usual manner via the @{text simp} attribute; the
+simplifier recognizes their special status automatically.
+
+Permutative rewrite rules are most effective in the case of
+associative-commutative functions. (Associativity by itself is not
+permutative.) When dealing with an AC-function~$f$, keep the
+following points in mind:
+\begin{itemize}\index{associative-commutative function}
+
+\item The associative law must always be oriented from left to right,
+ namely $f(f(x,y),z) = f(x,f(y,z))$. The opposite orientation, if
+ used with commutativity, can lead to nontermination.
+
+\item To complete your set of rewrite rules, you must add not just
+ associativity~(A) and commutativity~(C) but also a derived rule, {\bf
+ left-com\-mut\-ativ\-ity} (LC): $f(x,f(y,z)) = f(y,f(x,z))$.
+\end{itemize}
+Ordered rewriting with the combination of A, C, and LC sorts a term
+lexicographically:
+\[\def\maps#1{~\stackrel{#1}{\leadsto}~}
+ f(f(b,c),a) \maps{A} f(b,f(c,a)) \maps{C} f(b,f(a,c)) \maps{LC} f(a,f(b,c)) \]
+
+Note that ordered rewriting for @{text"+"} and @{text"*"} on numbers is rarely
+necessary because the built-in arithmetic prover often succeeds without
+such tricks.
+*}
+
+subsection{*How the Simplifier Works*}
+
+text{*\label{sec:SimpHow}
+Roughly speaking, the simplifier proceeds bottom-up: subterms are simplified
+first. A conditional equation is only applied if its condition can be
+proved, again by simplification. Below we explain some special features of
+the rewriting process.
+*}
+
+subsubsection{*Higher-Order Patterns*}
+
+text{*\index{simplification rule|(}
+So far we have pretended the simplifier can deal with arbitrary
+rewrite rules. This is not quite true. For reasons of feasibility,
+the simplifier expects the
+left-hand side of each rule to be a so-called \emph{higher-order
+pattern}~\cite{nipkow-patterns}\indexbold{patterns!higher-order}.
+This restricts where
+unknowns may occur. Higher-order patterns are terms in $\beta$-normal
+form. (This means there are no subterms of the form $(\lambda x. M)(N)$.)
+Each occurrence of an unknown is of the form
+$\Var{f}~x@1~\dots~x@n$, where the $x@i$ are distinct bound
+variables. Thus all ordinary rewrite rules, where all unknowns are
+of base type, for example @{thm add_assoc}, are acceptable: if an unknown is
+of base type, it cannot have any arguments. Additionally, the rule
+@{text"(\<forall>x. ?P x \<and> ?Q x) = ((\<forall>x. ?P x) \<and> (\<forall>x. ?Q x))"} is also acceptable, in
+both directions: all arguments of the unknowns @{text"?P"} and
+@{text"?Q"} are distinct bound variables.
+
+If the left-hand side is not a higher-order pattern, all is not lost.
+The simplifier will still try to apply the rule provided it
+matches directly: without much $\lambda$-calculus hocus
+pocus. For example, @{text"(?f ?x \<in> range ?f) = True"} rewrites
+@{term"g a \<in> range g"} to @{const True}, but will fail to match
+@{text"g(h b) \<in> range(\<lambda>x. g(h x))"}. However, you can
+eliminate the offending subterms --- those that are not patterns ---
+by adding new variables and conditions.
+In our example, we eliminate @{text"?f ?x"} and obtain
+ @{text"?y =
+?f ?x \<Longrightarrow> (?y \<in> range ?f) = True"}, which is fine
+as a conditional rewrite rule since conditions can be arbitrary
+terms. However, this trick is not a panacea because the newly
+introduced conditions may be hard to solve.
+
+There is no restriction on the form of the right-hand
+sides. They may not contain extraneous term or type variables, though.
+*}
+
+subsubsection{*The Preprocessor*}
+
+text{*\label{sec:simp-preprocessor}
+When a theorem is declared a simplification rule, it need not be a
+conditional equation already. The simplifier will turn it into a set of
+conditional equations automatically. For example, @{prop"f x =
+g x & h x = k x"} becomes the two separate
+simplification rules @{prop"f x = g x"} and @{prop"h x = k x"}. In
+general, the input theorem is converted as follows:
+\begin{eqnarray}
+\neg P &\mapsto& P = \hbox{\isa{False}} \nonumber\\
+P \longrightarrow Q &\mapsto& P \Longrightarrow Q \nonumber\\
+P \land Q &\mapsto& P,\ Q \nonumber\\
+\forall x.~P~x &\mapsto& P~\Var{x}\nonumber\\
+\forall x \in A.\ P~x &\mapsto& \Var{x} \in A \Longrightarrow P~\Var{x} \nonumber\\
+@{text "if"}\ P\ @{text then}\ Q\ @{text else}\ R &\mapsto&
+ P \Longrightarrow Q,\ \neg P \Longrightarrow R \nonumber
+\end{eqnarray}
+Once this conversion process is finished, all remaining non-equations
+$P$ are turned into trivial equations $P =\isa{True}$.
+For example, the formula
+\begin{center}@{prop"(p \<longrightarrow> t=u \<and> ~r) \<and> s"}\end{center}
+is converted into the three rules
+\begin{center}
+@{prop"p \<Longrightarrow> t = u"},\quad @{prop"p \<Longrightarrow> r = False"},\quad @{prop"s = True"}.
+\end{center}
+\index{simplification rule|)}
+\index{simplification|)}
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/CTL/Base.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,91 @@
+(*<*)theory Base imports Main begin(*>*)
+
+section{*Case Study: Verified Model Checking*}
+
+text{*\label{sec:VMC}
+This chapter ends with a case study concerning model checking for
+Computation Tree Logic (CTL), a temporal logic.
+Model checking is a popular technique for the verification of finite
+state systems (implementations) with respect to temporal logic formulae
+(specifications) \cite{ClarkeGP-book,Huth-Ryan-book}. Its foundations are set theoretic
+and this section will explore them in HOL\@. This is done in two steps. First
+we consider a simple modal logic called propositional dynamic
+logic (PDL)\@. We then proceed to the temporal logic CTL, which is
+used in many real
+model checkers. In each case we give both a traditional semantics (@{text \<Turnstile>}) and a
+recursive function @{term mc} that maps a formula into the set of all states of
+the system where the formula is valid. If the system has a finite number of
+states, @{term mc} is directly executable: it is a model checker, albeit an
+inefficient one. The main proof obligation is to show that the semantics
+and the model checker agree.
+
+\underscoreon
+
+Our models are \emph{transition systems}:\index{transition systems}
+sets of \emph{states} with
+transitions between them. Here is a simple example:
+\begin{center}
+\unitlength.5mm
+\thicklines
+\begin{picture}(100,60)
+\put(50,50){\circle{20}}
+\put(50,50){\makebox(0,0){$p,q$}}
+\put(61,55){\makebox(0,0)[l]{$s_0$}}
+\put(44,42){\vector(-1,-1){26}}
+\put(16,18){\vector(1,1){26}}
+\put(57,43){\vector(1,-1){26}}
+\put(10,10){\circle{20}}
+\put(10,10){\makebox(0,0){$q,r$}}
+\put(-1,15){\makebox(0,0)[r]{$s_1$}}
+\put(20,10){\vector(1,0){60}}
+\put(90,10){\circle{20}}
+\put(90,10){\makebox(0,0){$r$}}
+\put(98, 5){\line(1,0){10}}
+\put(108, 5){\line(0,1){10}}
+\put(108,15){\vector(-1,0){10}}
+\put(91,21){\makebox(0,0)[bl]{$s_2$}}
+\end{picture}
+\end{center}
+Each state has a unique name or number ($s_0,s_1,s_2$), and in each state
+certain \emph{atomic propositions} ($p,q,r$) hold. The aim of temporal logic
+is to formalize statements such as ``there is no path starting from $s_2$
+leading to a state where $p$ or $q$ holds,'' which is true, and ``on all paths
+starting from $s_0$, $q$ always holds,'' which is false.
+
+Abstracting from this concrete example, we assume there is a type of
+states:
+*}
+
+typedecl state
+
+text{*\noindent
+Command \commdx{typedecl} merely declares a new type but without
+defining it (see \S\ref{sec:typedecl}). Thus we know nothing
+about the type other than its existence. That is exactly what we need
+because @{typ state} really is an implicit parameter of our model. Of
+course it would have been more generic to make @{typ state} a type
+parameter of everything but declaring @{typ state} globally as above
+reduces clutter. Similarly we declare an arbitrary but fixed
+transition system, i.e.\ a relation between states:
+*}
+
+consts M :: "(state \<times> state)set";
+
+text{*\noindent
+This is Isabelle's way of declaring a constant without defining it.
+Finally we introduce a type of atomic propositions
+*}
+
+typedecl "atom"
+
+text{*\noindent
+and a \emph{labelling function}
+*}
+
+consts L :: "state \<Rightarrow> atom set"
+
+text{*\noindent
+telling us which atomic propositions are true in each state.
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/CTL/CTL.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,449 @@
+(*<*)theory CTL imports Base begin(*>*)
+
+subsection{*Computation Tree Logic --- CTL*};
+
+text{*\label{sec:CTL}
+\index{CTL|(}%
+The semantics of PDL only needs reflexive transitive closure.
+Let us be adventurous and introduce a more expressive temporal operator.
+We extend the datatype
+@{text formula} by a new constructor
+*};
+(*<*)
+datatype formula = Atom "atom"
+ | Neg formula
+ | And formula formula
+ | AX formula
+ | EF formula(*>*)
+ | AF formula;
+
+text{*\noindent
+which stands for ``\emph{A}lways in the \emph{F}uture'':
+on all infinite paths, at some point the formula holds.
+Formalizing the notion of an infinite path is easy
+in HOL: it is simply a function from @{typ nat} to @{typ state}.
+*};
+
+definition Paths :: "state \<Rightarrow> (nat \<Rightarrow> state)set" where
+"Paths s \<equiv> {p. s = p 0 \<and> (\<forall>i. (p i, p(i+1)) \<in> M)}"
+
+text{*\noindent
+This definition allows a succinct statement of the semantics of @{const AF}:
+\footnote{Do not be misled: neither datatypes nor recursive functions can be
+extended by new constructors or equations. This is just a trick of the
+presentation (see \S\ref{sec:doc-prep-suppress}). In reality one has to define
+a new datatype and a new function.}
+*};
+(*<*)
+primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80) where
+"s \<Turnstile> Atom a = (a \<in> L s)" |
+"s \<Turnstile> Neg f = (~(s \<Turnstile> f))" |
+"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" |
+"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" |
+"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)" |
+(*>*)
+"s \<Turnstile> AF f = (\<forall>p \<in> Paths s. \<exists>i. p i \<Turnstile> f)"
+
+text{*\noindent
+Model checking @{const AF} involves a function which
+is just complicated enough to warrant a separate definition:
+*};
+
+definition af :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
+"af A T \<equiv> A \<union> {s. \<forall>t. (s, t) \<in> M \<longrightarrow> t \<in> T}"
+
+text{*\noindent
+Now we define @{term "mc(AF f)"} as the least set @{term T} that includes
+@{term"mc f"} and all states all of whose direct successors are in @{term T}:
+*};
+(*<*)
+primrec mc :: "formula \<Rightarrow> state set" where
+"mc(Atom a) = {s. a \<in> L s}" |
+"mc(Neg f) = -mc f" |
+"mc(And f g) = mc f \<inter> mc g" |
+"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" |
+"mc(EF f) = lfp(\<lambda>T. mc f \<union> M\<inverse> `` T)"|(*>*)
+"mc(AF f) = lfp(af(mc f))";
+
+text{*\noindent
+Because @{const af} is monotone in its second argument (and also its first, but
+that is irrelevant), @{term"af A"} has a least fixed point:
+*};
+
+lemma mono_af: "mono(af A)";
+apply(simp add: mono_def af_def);
+apply blast;
+done
+(*<*)
+lemma mono_ef: "mono(\<lambda>T. A \<union> M\<inverse> `` T)";
+apply(rule monoI);
+by(blast);
+
+lemma EF_lemma:
+ "lfp(\<lambda>T. A \<union> M\<inverse> `` T) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}";
+apply(rule equalityI);
+ apply(rule subsetI);
+ apply(simp);
+ apply(erule lfp_induct_set);
+ apply(rule mono_ef);
+ apply(simp);
+ apply(blast intro: rtrancl_trans);
+apply(rule subsetI);
+apply(simp, clarify);
+apply(erule converse_rtrancl_induct);
+ apply(subst lfp_unfold[OF mono_ef]);
+ apply(blast);
+apply(subst lfp_unfold[OF mono_ef]);
+by(blast);
+(*>*)
+text{*
+All we need to prove now is @{prop"mc(AF f) = {s. s \<Turnstile> AF f}"}, which states
+that @{term mc} and @{text"\<Turnstile>"} agree for @{const AF}\@.
+This time we prove the two inclusions separately, starting
+with the easy one:
+*};
+
+theorem AF_lemma1: "lfp(af A) \<subseteq> {s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A}"
+
+txt{*\noindent
+In contrast to the analogous proof for @{const EF}, and just
+for a change, we do not use fixed point induction. Park-induction,
+named after David Park, is weaker but sufficient for this proof:
+\begin{center}
+@{thm lfp_lowerbound[of _ "S",no_vars]} \hfill (@{thm[source]lfp_lowerbound})
+\end{center}
+The instance of the premise @{prop"f S \<subseteq> S"} is proved pointwise,
+a decision that \isa{auto} takes for us:
+*};
+apply(rule lfp_lowerbound);
+apply(auto simp add: af_def Paths_def);
+
+txt{*
+@{subgoals[display,indent=0,margin=70,goals_limit=1]}
+In this remaining case, we set @{term t} to @{term"p(1::nat)"}.
+The rest is automatic, which is surprising because it involves
+finding the instantiation @{term"\<lambda>i::nat. p(i+1)"}
+for @{text"\<forall>p"}.
+*};
+
+apply(erule_tac x = "p 1" in allE);
+apply(auto);
+done;
+
+
+text{*
+The opposite inclusion is proved by contradiction: if some state
+@{term s} is not in @{term"lfp(af A)"}, then we can construct an
+infinite @{term A}-avoiding path starting from~@{term s}. The reason is
+that by unfolding @{const lfp} we find that if @{term s} is not in
+@{term"lfp(af A)"}, then @{term s} is not in @{term A} and there is a
+direct successor of @{term s} that is again not in \mbox{@{term"lfp(af
+A)"}}. Iterating this argument yields the promised infinite
+@{term A}-avoiding path. Let us formalize this sketch.
+
+The one-step argument in the sketch above
+is proved by a variant of contraposition:
+*};
+
+lemma not_in_lfp_afD:
+ "s \<notin> lfp(af A) \<Longrightarrow> s \<notin> A \<and> (\<exists> t. (s,t) \<in> M \<and> t \<notin> lfp(af A))";
+apply(erule contrapos_np);
+apply(subst lfp_unfold[OF mono_af]);
+apply(simp add: af_def);
+done;
+
+text{*\noindent
+We assume the negation of the conclusion and prove @{term"s : lfp(af A)"}.
+Unfolding @{const lfp} once and
+simplifying with the definition of @{const af} finishes the proof.
+
+Now we iterate this process. The following construction of the desired
+path is parameterized by a predicate @{term Q} that should hold along the path:
+*};
+
+primrec path :: "state \<Rightarrow> (state \<Rightarrow> bool) \<Rightarrow> (nat \<Rightarrow> state)" where
+"path s Q 0 = s" |
+"path s Q (Suc n) = (SOME t. (path s Q n,t) \<in> M \<and> Q t)"
+
+text{*\noindent
+Element @{term"n+1::nat"} on this path is some arbitrary successor
+@{term t} of element @{term n} such that @{term"Q t"} holds. Remember that @{text"SOME t. R t"}
+is some arbitrary but fixed @{term t} such that @{prop"R t"} holds (see \S\ref{sec:SOME}). Of
+course, such a @{term t} need not exist, but that is of no
+concern to us since we will only use @{const path} when a
+suitable @{term t} does exist.
+
+Let us show that if each state @{term s} that satisfies @{term Q}
+has a successor that again satisfies @{term Q}, then there exists an infinite @{term Q}-path:
+*};
+
+lemma infinity_lemma:
+ "\<lbrakk> Q s; \<forall>s. Q s \<longrightarrow> (\<exists> t. (s,t) \<in> M \<and> Q t) \<rbrakk> \<Longrightarrow>
+ \<exists>p\<in>Paths s. \<forall>i. Q(p i)";
+
+txt{*\noindent
+First we rephrase the conclusion slightly because we need to prove simultaneously
+both the path property and the fact that @{term Q} holds:
+*};
+
+apply(subgoal_tac
+ "\<exists>p. s = p 0 \<and> (\<forall>i::nat. (p i, p(i+1)) \<in> M \<and> Q(p i))");
+
+txt{*\noindent
+From this proposition the original goal follows easily:
+*};
+
+ apply(simp add: Paths_def, blast);
+
+txt{*\noindent
+The new subgoal is proved by providing the witness @{term "path s Q"} for @{term p}:
+*};
+
+apply(rule_tac x = "path s Q" in exI);
+apply(clarsimp);
+
+txt{*\noindent
+After simplification and clarification, the subgoal has the following form:
+@{subgoals[display,indent=0,margin=70,goals_limit=1]}
+It invites a proof by induction on @{term i}:
+*};
+
+apply(induct_tac i);
+ apply(simp);
+
+txt{*\noindent
+After simplification, the base case boils down to
+@{subgoals[display,indent=0,margin=70,goals_limit=1]}
+The conclusion looks exceedingly trivial: after all, @{term t} is chosen such that @{prop"(s,t):M"}
+holds. However, we first have to show that such a @{term t} actually exists! This reasoning
+is embodied in the theorem @{thm[source]someI2_ex}:
+@{thm[display,eta_contract=false]someI2_ex}
+When we apply this theorem as an introduction rule, @{text"?P x"} becomes
+@{prop"(s, x) : M & Q x"} and @{text"?Q x"} becomes @{prop"(s,x) : M"} and we have to prove
+two subgoals: @{prop"EX a. (s, a) : M & Q a"}, which follows from the assumptions, and
+@{prop"(s, x) : M & Q x ==> (s,x) : M"}, which is trivial. Thus it is not surprising that
+@{text fast} can prove the base case quickly:
+*};
+
+ apply(fast intro: someI2_ex);
+
+txt{*\noindent
+What is worth noting here is that we have used \methdx{fast} rather than
+@{text blast}. The reason is that @{text blast} would fail because it cannot
+cope with @{thm[source]someI2_ex}: unifying its conclusion with the current
+subgoal is non-trivial because of the nested schematic variables. For
+efficiency reasons @{text blast} does not even attempt such unifications.
+Although @{text fast} can in principle cope with complicated unification
+problems, in practice the number of unifiers arising is often prohibitive and
+the offending rule may need to be applied explicitly rather than
+automatically. This is what happens in the step case.
+
+The induction step is similar, but more involved, because now we face nested
+occurrences of @{text SOME}. As a result, @{text fast} is no longer able to
+solve the subgoal and we apply @{thm[source]someI2_ex} by hand. We merely
+show the proof commands but do not describe the details:
+*};
+
+apply(simp);
+apply(rule someI2_ex);
+ apply(blast);
+apply(rule someI2_ex);
+ apply(blast);
+apply(blast);
+done;
+
+text{*
+Function @{const path} has fulfilled its purpose now and can be forgotten.
+It was merely defined to provide the witness in the proof of the
+@{thm[source]infinity_lemma}. Aficionados of minimal proofs might like to know
+that we could have given the witness without having to define a new function:
+the term
+@{term[display]"nat_rec s (\<lambda>n t. SOME u. (t,u)\<in>M \<and> Q u)"}
+is extensionally equal to @{term"path s Q"},
+where @{term nat_rec} is the predefined primitive recursor on @{typ nat}.
+*};
+(*<*)
+lemma
+"\<lbrakk> Q s; \<forall> s. Q s \<longrightarrow> (\<exists> t. (s,t)\<in>M \<and> Q t) \<rbrakk> \<Longrightarrow>
+ \<exists> p\<in>Paths s. \<forall> i. Q(p i)";
+apply(subgoal_tac
+ "\<exists> p. s = p 0 \<and> (\<forall> i. (p i,p(Suc i))\<in>M \<and> Q(p i))");
+ apply(simp add: Paths_def);
+ apply(blast);
+apply(rule_tac x = "nat_rec s (\<lambda>n t. SOME u. (t,u)\<in>M \<and> Q u)" in exI);
+apply(simp);
+apply(intro strip);
+apply(induct_tac i);
+ apply(simp);
+ apply(fast intro: someI2_ex);
+apply(simp);
+apply(rule someI2_ex);
+ apply(blast);
+apply(rule someI2_ex);
+ apply(blast);
+by(blast);
+(*>*)
+
+text{*
+At last we can prove the opposite direction of @{thm[source]AF_lemma1}:
+*};
+
+theorem AF_lemma2: "{s. \<forall>p \<in> Paths s. \<exists>i. p i \<in> A} \<subseteq> lfp(af A)";
+
+txt{*\noindent
+The proof is again pointwise and then by contraposition:
+*};
+
+apply(rule subsetI);
+apply(erule contrapos_pp);
+apply simp;
+
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+Applying the @{thm[source]infinity_lemma} as a destruction rule leaves two subgoals, the second
+premise of @{thm[source]infinity_lemma} and the original subgoal:
+*};
+
+apply(drule infinity_lemma);
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+Both are solved automatically:
+*};
+
+ apply(auto dest: not_in_lfp_afD);
+done;
+
+text{*
+If you find these proofs too complicated, we recommend that you read
+\S\ref{sec:CTL-revisited}, where we show how inductive definitions lead to
+simpler arguments.
+
+The main theorem is proved as for PDL, except that we also derive the
+necessary equality @{text"lfp(af A) = ..."} by combining
+@{thm[source]AF_lemma1} and @{thm[source]AF_lemma2} on the spot:
+*}
+
+theorem "mc f = {s. s \<Turnstile> f}";
+apply(induct_tac f);
+apply(auto simp add: EF_lemma equalityI[OF AF_lemma1 AF_lemma2]);
+done
+
+text{*
+
+The language defined above is not quite CTL\@. The latter also includes an
+until-operator @{term"EU f g"} with semantics ``there \emph{E}xists a path
+where @{term f} is true \emph{U}ntil @{term g} becomes true''. We need
+an auxiliary function:
+*}
+
+primrec
+until:: "state set \<Rightarrow> state set \<Rightarrow> state \<Rightarrow> state list \<Rightarrow> bool" where
+"until A B s [] = (s \<in> B)" |
+"until A B s (t#p) = (s \<in> A \<and> (s,t) \<in> M \<and> until A B t p)"
+(*<*)definition
+ eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
+"eusem A B \<equiv> {s. \<exists>p. until A B s p}"(*>*)
+
+text{*\noindent
+Expressing the semantics of @{term EU} is now straightforward:
+@{prop[display]"s \<Turnstile> EU f g = (\<exists>p. until {t. t \<Turnstile> f} {t. t \<Turnstile> g} s p)"}
+Note that @{term EU} is not definable in terms of the other operators!
+
+Model checking @{term EU} is again a least fixed point construction:
+@{text[display]"mc(EU f g) = lfp(\<lambda>T. mc g \<union> mc f \<inter> (M\<inverse> `` T))"}
+
+\begin{exercise}
+Extend the datatype of formulae by the above until operator
+and prove the equivalence between semantics and model checking, i.e.\ that
+@{prop[display]"mc(EU f g) = {s. s \<Turnstile> EU f g}"}
+%For readability you may want to annotate {term EU} with its customary syntax
+%{text[display]"| EU formula formula E[_ U _]"}
+%which enables you to read and write {text"E[f U g]"} instead of {term"EU f g"}.
+\end{exercise}
+For more CTL exercises see, for example, Huth and Ryan \cite{Huth-Ryan-book}.
+*}
+
+(*<*)
+definition eufix :: "state set \<Rightarrow> state set \<Rightarrow> state set \<Rightarrow> state set" where
+"eufix A B T \<equiv> B \<union> A \<inter> (M\<inverse> `` T)"
+
+lemma "lfp(eufix A B) \<subseteq> eusem A B"
+apply(rule lfp_lowerbound)
+apply(auto simp add: eusem_def eufix_def)
+ apply(rule_tac x = "[]" in exI)
+ apply simp
+apply(rule_tac x = "xa#xb" in exI)
+apply simp
+done
+
+lemma mono_eufix: "mono(eufix A B)";
+apply(simp add: mono_def eufix_def);
+apply blast;
+done
+
+lemma "eusem A B \<subseteq> lfp(eufix A B)";
+apply(clarsimp simp add: eusem_def);
+apply(erule rev_mp);
+apply(rule_tac x = x in spec);
+apply(induct_tac p);
+ apply(subst lfp_unfold[OF mono_eufix])
+ apply(simp add: eufix_def);
+apply(clarsimp);
+apply(subst lfp_unfold[OF mono_eufix])
+apply(simp add: eufix_def);
+apply blast;
+done
+
+(*
+definition eusem :: "state set \<Rightarrow> state set \<Rightarrow> state set" where
+"eusem A B \<equiv> {s. \<exists>p\<in>Paths s. \<exists>j. p j \<in> B \<and> (\<forall>i < j. p i \<in> A)}"
+
+axioms
+M_total: "\<exists>t. (s,t) \<in> M"
+
+consts apath :: "state \<Rightarrow> (nat \<Rightarrow> state)"
+primrec
+"apath s 0 = s"
+"apath s (Suc i) = (SOME t. (apath s i,t) \<in> M)"
+
+lemma [iff]: "apath s \<in> Paths s";
+apply(simp add: Paths_def);
+apply(blast intro: M_total[THEN someI_ex])
+done
+
+definition pcons :: "state \<Rightarrow> (nat \<Rightarrow> state) \<Rightarrow> (nat \<Rightarrow> state)" where
+"pcons s p == \<lambda>i. case i of 0 \<Rightarrow> s | Suc j \<Rightarrow> p j"
+
+lemma pcons_PathI: "[| (s,t) : M; p \<in> Paths t |] ==> pcons s p \<in> Paths s";
+by(simp add: Paths_def pcons_def split: nat.split);
+
+lemma "lfp(eufix A B) \<subseteq> eusem A B"
+apply(rule lfp_lowerbound)
+apply(clarsimp simp add: eusem_def eufix_def);
+apply(erule disjE);
+ apply(rule_tac x = "apath x" in bexI);
+ apply(rule_tac x = 0 in exI);
+ apply simp;
+ apply simp;
+apply(clarify);
+apply(rule_tac x = "pcons xb p" in bexI);
+ apply(rule_tac x = "j+1" in exI);
+ apply (simp add: pcons_def split: nat.split);
+apply (simp add: pcons_PathI)
+done
+*)
+(*>*)
+
+text{* Let us close this section with a few words about the executability of
+our model checkers. It is clear that if all sets are finite, they can be
+represented as lists and the usual set operations are easily
+implemented. Only @{const lfp} requires a little thought. Fortunately, theory
+@{text While_Combinator} in the Library~\cite{HOL-Library} provides a
+theorem stating that in the case of finite sets and a monotone
+function~@{term F}, the value of \mbox{@{term"lfp F"}} can be computed by
+iterated application of @{term F} to~@{term"{}"} until a fixed point is
+reached. It is actually possible to generate executable functional programs
+from HOL definitions, but that is beyond the scope of the tutorial.%
+\index{CTL|)} *}
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/CTL/CTLind.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,148 @@
+(*<*)theory CTLind imports CTL begin(*>*)
+
+subsection{*CTL Revisited*}
+
+text{*\label{sec:CTL-revisited}
+\index{CTL|(}%
+The purpose of this section is twofold: to demonstrate
+some of the induction principles and heuristics discussed above and to
+show how inductive definitions can simplify proofs.
+In \S\ref{sec:CTL} we gave a fairly involved proof of the correctness of a
+model checker for CTL\@. In particular the proof of the
+@{thm[source]infinity_lemma} on the way to @{thm[source]AF_lemma2} is not as
+simple as one might expect, due to the @{text SOME} operator
+involved. Below we give a simpler proof of @{thm[source]AF_lemma2}
+based on an auxiliary inductive definition.
+
+Let us call a (finite or infinite) path \emph{@{term A}-avoiding} if it does
+not touch any node in the set @{term A}. Then @{thm[source]AF_lemma2} says
+that if no infinite path from some state @{term s} is @{term A}-avoiding,
+then @{prop"s \<in> lfp(af A)"}. We prove this by inductively defining the set
+@{term"Avoid s A"} of states reachable from @{term s} by a finite @{term
+A}-avoiding path:
+% Second proof of opposite direction, directly by well-founded induction
+% on the initial segment of M that avoids A.
+*}
+
+inductive_set
+ Avoid :: "state \<Rightarrow> state set \<Rightarrow> state set"
+ for s :: state and A :: "state set"
+where
+ "s \<in> Avoid s A"
+ | "\<lbrakk> t \<in> Avoid s A; t \<notin> A; (t,u) \<in> M \<rbrakk> \<Longrightarrow> u \<in> Avoid s A";
+
+text{*
+It is easy to see that for any infinite @{term A}-avoiding path @{term f}
+with @{prop"f(0::nat) \<in> Avoid s A"} there is an infinite @{term A}-avoiding path
+starting with @{term s} because (by definition of @{const Avoid}) there is a
+finite @{term A}-avoiding path from @{term s} to @{term"f(0::nat)"}.
+The proof is by induction on @{prop"f(0::nat) \<in> Avoid s A"}. However,
+this requires the following
+reformulation, as explained in \S\ref{sec:ind-var-in-prems} above;
+the @{text rule_format} directive undoes the reformulation after the proof.
+*}
+
+lemma ex_infinite_path[rule_format]:
+ "t \<in> Avoid s A \<Longrightarrow>
+ \<forall>f\<in>Paths t. (\<forall>i. f i \<notin> A) \<longrightarrow> (\<exists>p\<in>Paths s. \<forall>i. p i \<notin> A)";
+apply(erule Avoid.induct);
+ apply(blast);
+apply(clarify);
+apply(drule_tac x = "\<lambda>i. case i of 0 \<Rightarrow> t | Suc i \<Rightarrow> f i" in bspec);
+apply(simp_all add: Paths_def split: nat.split);
+done
+
+text{*\noindent
+The base case (@{prop"t = s"}) is trivial and proved by @{text blast}.
+In the induction step, we have an infinite @{term A}-avoiding path @{term f}
+starting from @{term u}, a successor of @{term t}. Now we simply instantiate
+the @{text"\<forall>f\<in>Paths t"} in the induction hypothesis by the path starting with
+@{term t} and continuing with @{term f}. That is what the above $\lambda$-term
+expresses. Simplification shows that this is a path starting with @{term t}
+and that the instantiated induction hypothesis implies the conclusion.
+
+Now we come to the key lemma. Assuming that no infinite @{term A}-avoiding
+path starts from @{term s}, we want to show @{prop"s \<in> lfp(af A)"}. For the
+inductive proof this must be generalized to the statement that every point @{term t}
+``between'' @{term s} and @{term A}, in other words all of @{term"Avoid s A"},
+is contained in @{term"lfp(af A)"}:
+*}
+
+lemma Avoid_in_lfp[rule_format(no_asm)]:
+ "\<forall>p\<in>Paths s. \<exists>i. p i \<in> A \<Longrightarrow> t \<in> Avoid s A \<longrightarrow> t \<in> lfp(af A)";
+
+txt{*\noindent
+The proof is by induction on the ``distance'' between @{term t} and @{term
+A}. Remember that @{prop"lfp(af A) = A \<union> M\<inverse> `` lfp(af A)"}.
+If @{term t} is already in @{term A}, then @{prop"t \<in> lfp(af A)"} is
+trivial. If @{term t} is not in @{term A} but all successors are in
+@{term"lfp(af A)"} (induction hypothesis), then @{prop"t \<in> lfp(af A)"} is
+again trivial.
+
+The formal counterpart of this proof sketch is a well-founded induction
+on~@{term M} restricted to @{term"Avoid s A - A"}, roughly speaking:
+@{term[display]"{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> x \<notin> A}"}
+As we shall see presently, the absence of infinite @{term A}-avoiding paths
+starting from @{term s} implies well-foundedness of this relation. For the
+moment we assume this and proceed with the induction:
+*}
+
+apply(subgoal_tac "wf{(y,x). (x,y) \<in> M \<and> x \<in> Avoid s A \<and> x \<notin> A}");
+ apply(erule_tac a = t in wf_induct);
+ apply(clarsimp);
+(*<*)apply(rename_tac t)(*>*)
+
+txt{*\noindent
+@{subgoals[display,indent=0,margin=65]}
+Now the induction hypothesis states that if @{prop"t \<notin> A"}
+then all successors of @{term t} that are in @{term"Avoid s A"} are in
+@{term"lfp (af A)"}. Unfolding @{term lfp} in the conclusion of the first
+subgoal once, we have to prove that @{term t} is in @{term A} or all successors
+of @{term t} are in @{term"lfp (af A)"}. But if @{term t} is not in @{term A},
+the second
+@{const Avoid}-rule implies that all successors of @{term t} are in
+@{term"Avoid s A"}, because we also assume @{prop"t \<in> Avoid s A"}.
+Hence, by the induction hypothesis, all successors of @{term t} are indeed in
+@{term"lfp(af A)"}. Mechanically:
+*}
+
+ apply(subst lfp_unfold[OF mono_af]);
+ apply(simp (no_asm) add: af_def);
+ apply(blast intro: Avoid.intros);
+
+txt{*
+Having proved the main goal, we return to the proof obligation that the
+relation used above is indeed well-founded. This is proved by contradiction: if
+the relation is not well-founded then there exists an infinite @{term
+A}-avoiding path all in @{term"Avoid s A"}, by theorem
+@{thm[source]wf_iff_no_infinite_down_chain}:
+@{thm[display]wf_iff_no_infinite_down_chain[no_vars]}
+From lemma @{thm[source]ex_infinite_path} the existence of an infinite
+@{term A}-avoiding path starting in @{term s} follows, contradiction.
+*}
+
+apply(erule contrapos_pp);
+apply(simp add: wf_iff_no_infinite_down_chain);
+apply(erule exE);
+apply(rule ex_infinite_path);
+apply(auto simp add: Paths_def);
+done
+
+text{*
+The @{text"(no_asm)"} modifier of the @{text"rule_format"} directive in the
+statement of the lemma means
+that the assumption is left unchanged; otherwise the @{text"\<forall>p"}
+would be turned
+into a @{text"\<And>p"}, which would complicate matters below. As it is,
+@{thm[source]Avoid_in_lfp} is now
+@{thm[display]Avoid_in_lfp[no_vars]}
+The main theorem is simply the corollary where @{prop"t = s"},
+when the assumption @{prop"t \<in> Avoid s A"} is trivially true
+by the first @{const Avoid}-rule. Isabelle confirms this:%
+\index{CTL|)}*}
+
+theorem AF_lemma2: "{s. \<forall>p \<in> Paths s. \<exists> i. p i \<in> A} \<subseteq> lfp(af A)";
+by(auto elim: Avoid_in_lfp intro: Avoid.intros);
+
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/CTL/PDL.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,205 @@
+(*<*)theory PDL imports Base begin(*>*)
+
+subsection{*Propositional Dynamic Logic --- PDL*}
+
+text{*\index{PDL|(}
+The formulae of PDL are built up from atomic propositions via
+negation and conjunction and the two temporal
+connectives @{text AX} and @{text EF}\@. Since formulae are essentially
+syntax trees, they are naturally modelled as a datatype:%
+\footnote{The customary definition of PDL
+\cite{HarelKT-DL} looks quite different from ours, but the two are easily
+shown to be equivalent.}
+*}
+
+datatype formula = Atom "atom"
+ | Neg formula
+ | And formula formula
+ | AX formula
+ | EF formula
+
+text{*\noindent
+This resembles the boolean expression case study in
+\S\ref{sec:boolex}.
+A validity relation between states and formulae specifies the semantics.
+The syntax annotation allows us to write @{text"s \<Turnstile> f"} instead of
+\hbox{@{text"valid s f"}}. The definition is by recursion over the syntax:
+*}
+
+primrec valid :: "state \<Rightarrow> formula \<Rightarrow> bool" ("(_ \<Turnstile> _)" [80,80] 80)
+where
+"s \<Turnstile> Atom a = (a \<in> L s)" |
+"s \<Turnstile> Neg f = (\<not>(s \<Turnstile> f))" |
+"s \<Turnstile> And f g = (s \<Turnstile> f \<and> s \<Turnstile> g)" |
+"s \<Turnstile> AX f = (\<forall>t. (s,t) \<in> M \<longrightarrow> t \<Turnstile> f)" |
+"s \<Turnstile> EF f = (\<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<Turnstile> f)"
+
+text{*\noindent
+The first three equations should be self-explanatory. The temporal formula
+@{term"AX f"} means that @{term f} is true in \emph{A}ll ne\emph{X}t states whereas
+@{term"EF f"} means that there \emph{E}xists some \emph{F}uture state in which @{term f} is
+true. The future is expressed via @{text"\<^sup>*"}, the reflexive transitive
+closure. Because of reflexivity, the future includes the present.
+
+Now we come to the model checker itself. It maps a formula into the
+set of states where the formula is true. It too is defined by
+recursion over the syntax: *}
+
+primrec mc :: "formula \<Rightarrow> state set" where
+"mc(Atom a) = {s. a \<in> L s}" |
+"mc(Neg f) = -mc f" |
+"mc(And f g) = mc f \<inter> mc g" |
+"mc(AX f) = {s. \<forall>t. (s,t) \<in> M \<longrightarrow> t \<in> mc f}" |
+"mc(EF f) = lfp(\<lambda>T. mc f \<union> (M\<inverse> `` T))"
+
+text{*\noindent
+Only the equation for @{term EF} deserves some comments. Remember that the
+postfix @{text"\<inverse>"} and the infix @{text"``"} are predefined and denote the
+converse of a relation and the image of a set under a relation. Thus
+@{term "M\<inverse> `` T"} is the set of all predecessors of @{term T} and the least
+fixed point (@{term lfp}) of @{term"\<lambda>T. mc f \<union> M\<inverse> `` T"} is the least set
+@{term T} containing @{term"mc f"} and all predecessors of @{term T}. If you
+find it hard to see that @{term"mc(EF f)"} contains exactly those states from
+which there is a path to a state where @{term f} is true, do not worry --- this
+will be proved in a moment.
+
+First we prove monotonicity of the function inside @{term lfp}
+in order to make sure it really has a least fixed point.
+*}
+
+lemma mono_ef: "mono(\<lambda>T. A \<union> (M\<inverse> `` T))"
+apply(rule monoI)
+apply blast
+done
+
+text{*\noindent
+Now we can relate model checking and semantics. For the @{text EF} case we need
+a separate lemma:
+*}
+
+lemma EF_lemma:
+ "lfp(\<lambda>T. A \<union> (M\<inverse> `` T)) = {s. \<exists>t. (s,t) \<in> M\<^sup>* \<and> t \<in> A}"
+
+txt{*\noindent
+The equality is proved in the canonical fashion by proving that each set
+includes the other; the inclusion is shown pointwise:
+*}
+
+apply(rule equalityI)
+ apply(rule subsetI)
+ apply(simp)(*<*)apply(rename_tac s)(*>*)
+
+txt{*\noindent
+Simplification leaves us with the following first subgoal
+@{subgoals[display,indent=0,goals_limit=1]}
+which is proved by @{term lfp}-induction:
+*}
+
+ apply(erule lfp_induct_set)
+ apply(rule mono_ef)
+ apply(simp)
+(*pr(latex xsymbols symbols);*)
+txt{*\noindent
+Having disposed of the monotonicity subgoal,
+simplification leaves us with the following goal:
+\begin{isabelle}
+\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x{\isachardot}\ x\ {\isasymin}\ A\ {\isasymor}\isanewline
+\ \ \ \ \ \ \ \ \ x\ {\isasymin}\ M{\isasyminverse}\ {\isacharbackquote}{\isacharbackquote}\ {\isacharparenleft}lfp\ {\isacharparenleft}\dots{\isacharparenright}\ {\isasyminter}\ {\isacharbraceleft}x{\isachardot}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A{\isacharbraceright}{\isacharparenright}\isanewline
+\ \ \ \ \ \ \ \ {\isasymLongrightarrow}\ {\isasymexists}t{\isachardot}\ {\isacharparenleft}x{\isacharcomma}\ t{\isacharparenright}\ {\isasymin}\ M\isactrlsup {\isacharasterisk}\ {\isasymand}\ t\ {\isasymin}\ A
+\end{isabelle}
+It is proved by @{text blast}, using the transitivity of
+\isa{M\isactrlsup {\isacharasterisk}}.
+*}
+
+ apply(blast intro: rtrancl_trans)
+
+txt{*
+We now return to the second set inclusion subgoal, which is again proved
+pointwise:
+*}
+
+apply(rule subsetI)
+apply(simp, clarify)
+
+txt{*\noindent
+After simplification and clarification we are left with
+@{subgoals[display,indent=0,goals_limit=1]}
+This goal is proved by induction on @{term"(s,t)\<in>M\<^sup>*"}. But since the model
+checker works backwards (from @{term t} to @{term s}), we cannot use the
+induction theorem @{thm[source]rtrancl_induct}: it works in the
+forward direction. Fortunately the converse induction theorem
+@{thm[source]converse_rtrancl_induct} already exists:
+@{thm[display,margin=60]converse_rtrancl_induct[no_vars]}
+It says that if @{prop"(a,b):r\<^sup>*"} and we know @{prop"P b"} then we can infer
+@{prop"P a"} provided each step backwards from a predecessor @{term z} of
+@{term b} preserves @{term P}.
+*}
+
+apply(erule converse_rtrancl_induct)
+
+txt{*\noindent
+The base case
+@{subgoals[display,indent=0,goals_limit=1]}
+is solved by unrolling @{term lfp} once
+*}
+
+ apply(subst lfp_unfold[OF mono_ef])
+
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+and disposing of the resulting trivial subgoal automatically:
+*}
+
+ apply(blast)
+
+txt{*\noindent
+The proof of the induction step is identical to the one for the base case:
+*}
+
+apply(subst lfp_unfold[OF mono_ef])
+apply(blast)
+done
+
+text{*
+The main theorem is proved in the familiar manner: induction followed by
+@{text auto} augmented with the lemma as a simplification rule.
+*}
+
+theorem "mc f = {s. s \<Turnstile> f}"
+apply(induct_tac f)
+apply(auto simp add: EF_lemma)
+done
+
+text{*
+\begin{exercise}
+@{term AX} has a dual operator @{term EN}
+(``there exists a next state such that'')%
+\footnote{We cannot use the customary @{text EX}: it is reserved
+as the \textsc{ascii}-equivalent of @{text"\<exists>"}.}
+with the intended semantics
+@{prop[display]"(s \<Turnstile> EN f) = (EX t. (s,t) : M & t \<Turnstile> f)"}
+Fortunately, @{term"EN f"} can already be expressed as a PDL formula. How?
+
+Show that the semantics for @{term EF} satisfies the following recursion equation:
+@{prop[display]"(s \<Turnstile> EF f) = (s \<Turnstile> f | s \<Turnstile> EN(EF f))"}
+\end{exercise}
+\index{PDL|)}
+*}
+(*<*)
+theorem main: "mc f = {s. s \<Turnstile> f}"
+apply(induct_tac f)
+apply(auto simp add: EF_lemma)
+done
+
+lemma aux: "s \<Turnstile> f = (s : mc f)"
+apply(simp add: main)
+done
+
+lemma "(s \<Turnstile> EF f) = (s \<Turnstile> f | s \<Turnstile> Neg(AX(Neg(EF f))))"
+apply(simp only: aux)
+apply(simp)
+apply(subst lfp_unfold[OF mono_ef], fast)
+done
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/CodeGen/CodeGen.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,135 @@
+(*<*)
+theory CodeGen imports Main begin
+(*>*)
+
+section{*Case Study: Compiling Expressions*}
+
+text{*\label{sec:ExprCompiler}
+\index{compiling expressions example|(}%
+The task is to develop a compiler from a generic type of expressions (built
+from variables, constants and binary operations) to a stack machine. This
+generic type of expressions is a generalization of the boolean expressions in
+\S\ref{sec:boolex}. This time we do not commit ourselves to a particular
+type of variables or values but make them type parameters. Neither is there
+a fixed set of binary operations: instead the expression contains the
+appropriate function itself.
+*}
+
+type_synonym 'v binop = "'v \<Rightarrow> 'v \<Rightarrow> 'v";
+datatype ('a,'v)expr = Cex 'v
+ | Vex 'a
+ | Bex "'v binop" "('a,'v)expr" "('a,'v)expr";
+
+text{*\noindent
+The three constructors represent constants, variables and the application of
+a binary operation to two subexpressions.
+
+The value of an expression with respect to an environment that maps variables to
+values is easily defined:
+*}
+
+primrec "value" :: "('a,'v)expr \<Rightarrow> ('a \<Rightarrow> 'v) \<Rightarrow> 'v" where
+"value (Cex v) env = v" |
+"value (Vex a) env = env a" |
+"value (Bex f e1 e2) env = f (value e1 env) (value e2 env)"
+
+text{*
+The stack machine has three instructions: load a constant value onto the
+stack, load the contents of an address onto the stack, and apply a
+binary operation to the two topmost elements of the stack, replacing them by
+the result. As for @{text"expr"}, addresses and values are type parameters:
+*}
+
+datatype ('a,'v) instr = Const 'v
+ | Load 'a
+ | Apply "'v binop";
+
+text{*
+The execution of the stack machine is modelled by a function
+@{text"exec"} that takes a list of instructions, a store (modelled as a
+function from addresses to values, just like the environment for
+evaluating expressions), and a stack (modelled as a list) of values,
+and returns the stack at the end of the execution --- the store remains
+unchanged:
+*}
+
+primrec exec :: "('a,'v)instr list \<Rightarrow> ('a\<Rightarrow>'v) \<Rightarrow> 'v list \<Rightarrow> 'v list"
+where
+"exec [] s vs = vs" |
+"exec (i#is) s vs = (case i of
+ Const v \<Rightarrow> exec is s (v#vs)
+ | Load a \<Rightarrow> exec is s ((s a)#vs)
+ | Apply f \<Rightarrow> exec is s ((f (hd vs) (hd(tl vs)))#(tl(tl vs))))"
+
+text{*\noindent
+Recall that @{term"hd"} and @{term"tl"}
+return the first element and the remainder of a list.
+Because all functions are total, \cdx{hd} is defined even for the empty
+list, although we do not know what the result is. Thus our model of the
+machine always terminates properly, although the definition above does not
+tell us much about the result in situations where @{term"Apply"} was executed
+with fewer than two elements on the stack.
+
+The compiler is a function from expressions to a list of instructions. Its
+definition is obvious:
+*}
+
+primrec compile :: "('a,'v)expr \<Rightarrow> ('a,'v)instr list" where
+"compile (Cex v) = [Const v]" |
+"compile (Vex a) = [Load a]" |
+"compile (Bex f e1 e2) = (compile e2) @ (compile e1) @ [Apply f]"
+
+text{*
+Now we have to prove the correctness of the compiler, i.e.\ that the
+execution of a compiled expression results in the value of the expression:
+*}
+theorem "exec (compile e) s [] = [value e s]";
+(*<*)oops;(*>*)
+text{*\noindent
+This theorem needs to be generalized:
+*}
+
+theorem "\<forall>vs. exec (compile e) s vs = (value e s) # vs";
+
+txt{*\noindent
+It will be proved by induction on @{term"e"} followed by simplification.
+First, we must prove a lemma about executing the concatenation of two
+instruction sequences:
+*}
+(*<*)oops;(*>*)
+lemma exec_app[simp]:
+ "\<forall>vs. exec (xs@ys) s vs = exec ys s (exec xs s vs)";
+
+txt{*\noindent
+This requires induction on @{term"xs"} and ordinary simplification for the
+base cases. In the induction step, simplification leaves us with a formula
+that contains two @{text"case"}-expressions over instructions. Thus we add
+automatic case splitting, which finishes the proof:
+*}
+apply(induct_tac xs, simp, simp split: instr.split);
+(*<*)done(*>*)
+text{*\noindent
+Note that because both \methdx{simp_all} and \methdx{auto} perform simplification, they can
+be modified in the same way as @{text simp}. Thus the proof can be
+rewritten as
+*}
+(*<*)
+declare exec_app[simp del];
+lemma [simp]: "\<forall>vs. exec (xs@ys) s vs = exec ys s (exec xs s vs)";
+(*>*)
+apply(induct_tac xs, simp_all split: instr.split);
+(*<*)done(*>*)
+text{*\noindent
+Although this is more compact, it is less clear for the reader of the proof.
+
+We could now go back and prove @{prop"exec (compile e) s [] = [value e s]"}
+merely by simplification with the generalized version we just proved.
+However, this is unnecessary because the generalized version fully subsumes
+its instance.%
+\index{compiling expressions example|)}
+*}
+(*<*)
+theorem "\<forall>vs. exec (compile e) s vs = (value e s) # vs";
+by(induct_tac e, auto);
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Datatype/ABexpr.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,163 @@
+(*<*)
+theory ABexpr imports Main begin;
+(*>*)
+
+text{*
+\index{datatypes!mutually recursive}%
+Sometimes it is necessary to define two datatypes that depend on each
+other. This is called \textbf{mutual recursion}. As an example consider a
+language of arithmetic and boolean expressions where
+\begin{itemize}
+\item arithmetic expressions contain boolean expressions because there are
+ conditional expressions like ``if $m<n$ then $n-m$ else $m-n$'',
+ and
+\item boolean expressions contain arithmetic expressions because of
+ comparisons like ``$m<n$''.
+\end{itemize}
+In Isabelle this becomes
+*}
+
+datatype 'a aexp = IF "'a bexp" "'a aexp" "'a aexp"
+ | Sum "'a aexp" "'a aexp"
+ | Diff "'a aexp" "'a aexp"
+ | Var 'a
+ | Num nat
+and 'a bexp = Less "'a aexp" "'a aexp"
+ | And "'a bexp" "'a bexp"
+ | Neg "'a bexp";
+
+text{*\noindent
+Type @{text"aexp"} is similar to @{text"expr"} in \S\ref{sec:ExprCompiler},
+except that we have added an @{text IF} constructor,
+fixed the values to be of type @{typ"nat"} and declared the two binary
+operations @{text Sum} and @{term"Diff"}. Boolean
+expressions can be arithmetic comparisons, conjunctions and negations.
+The semantics is given by two evaluation functions:
+*}
+
+primrec evala :: "'a aexp \<Rightarrow> ('a \<Rightarrow> nat) \<Rightarrow> nat" and
+ evalb :: "'a bexp \<Rightarrow> ('a \<Rightarrow> nat) \<Rightarrow> bool" where
+"evala (IF b a1 a2) env =
+ (if evalb b env then evala a1 env else evala a2 env)" |
+"evala (Sum a1 a2) env = evala a1 env + evala a2 env" |
+"evala (Diff a1 a2) env = evala a1 env - evala a2 env" |
+"evala (Var v) env = env v" |
+"evala (Num n) env = n" |
+
+"evalb (Less a1 a2) env = (evala a1 env < evala a2 env)" |
+"evalb (And b1 b2) env = (evalb b1 env \<and> evalb b2 env)" |
+"evalb (Neg b) env = (\<not> evalb b env)"
+
+text{*\noindent
+
+Both take an expression and an environment (a mapping from variables
+@{typ"'a"} to values @{typ"nat"}) and return its arithmetic/boolean
+value. Since the datatypes are mutually recursive, so are functions
+that operate on them. Hence they need to be defined in a single
+\isacommand{primrec} section. Notice the \isakeyword{and} separating
+the declarations of @{const evala} and @{const evalb}. Their defining
+equations need not be split into two groups;
+the empty line is purely for readability.
+
+In the same fashion we also define two functions that perform substitution:
+*}
+
+primrec substa :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a aexp \<Rightarrow> 'b aexp" and
+ substb :: "('a \<Rightarrow> 'b aexp) \<Rightarrow> 'a bexp \<Rightarrow> 'b bexp" where
+"substa s (IF b a1 a2) =
+ IF (substb s b) (substa s a1) (substa s a2)" |
+"substa s (Sum a1 a2) = Sum (substa s a1) (substa s a2)" |
+"substa s (Diff a1 a2) = Diff (substa s a1) (substa s a2)" |
+"substa s (Var v) = s v" |
+"substa s (Num n) = Num n" |
+
+"substb s (Less a1 a2) = Less (substa s a1) (substa s a2)" |
+"substb s (And b1 b2) = And (substb s b1) (substb s b2)" |
+"substb s (Neg b) = Neg (substb s b)"
+
+text{*\noindent
+Their first argument is a function mapping variables to expressions, the
+substitution. It is applied to all variables in the second argument. As a
+result, the type of variables in the expression may change from @{typ"'a"}
+to @{typ"'b"}. Note that there are only arithmetic and no boolean variables.
+
+Now we can prove a fundamental theorem about the interaction between
+evaluation and substitution: applying a substitution $s$ to an expression $a$
+and evaluating the result in an environment $env$ yields the same result as
+evaluation $a$ in the environment that maps every variable $x$ to the value
+of $s(x)$ under $env$. If you try to prove this separately for arithmetic or
+boolean expressions (by induction), you find that you always need the other
+theorem in the induction step. Therefore you need to state and prove both
+theorems simultaneously:
+*}
+
+lemma "evala (substa s a) env = evala a (\<lambda>x. evala (s x) env) \<and>
+ evalb (substb s b) env = evalb b (\<lambda>x. evala (s x) env)";
+apply(induct_tac a and b);
+
+txt{*\noindent The resulting 8 goals (one for each constructor) are proved in one fell swoop:
+*}
+
+apply simp_all;
+(*<*)done(*>*)
+
+text{*
+In general, given $n$ mutually recursive datatypes $\tau@1$, \dots, $\tau@n$,
+an inductive proof expects a goal of the form
+\[ P@1(x@1)\ \land \dots \land P@n(x@n) \]
+where each variable $x@i$ is of type $\tau@i$. Induction is started by
+\begin{isabelle}
+\isacommand{apply}@{text"(induct_tac"} $x@1$ \isacommand{and} \dots\ \isacommand{and} $x@n$@{text ")"}
+\end{isabelle}
+
+\begin{exercise}
+ Define a function @{text"norma"} of type @{typ"'a aexp => 'a aexp"} that
+ replaces @{term"IF"}s with complex boolean conditions by nested
+ @{term"IF"}s; it should eliminate the constructors
+ @{term"And"} and @{term"Neg"}, leaving only @{term"Less"}.
+ Prove that @{text"norma"}
+ preserves the value of an expression and that the result of @{text"norma"}
+ is really normal, i.e.\ no more @{term"And"}s and @{term"Neg"}s occur in
+ it. ({\em Hint:} proceed as in \S\ref{sec:boolex} and read the discussion
+ of type annotations following lemma @{text subst_id} below).
+\end{exercise}
+*}
+(*<*)
+primrec norma :: "'a aexp \<Rightarrow> 'a aexp" and
+ normb :: "'a bexp \<Rightarrow> 'a aexp \<Rightarrow> 'a aexp \<Rightarrow> 'a aexp" where
+"norma (IF b t e) = (normb b (norma t) (norma e))" |
+"norma (Sum a1 a2) = Sum (norma a1) (norma a2)" |
+"norma (Diff a1 a2) = Diff (norma a1) (norma a2)" |
+"norma (Var v) = Var v" |
+"norma (Num n) = Num n" |
+
+"normb (Less a1 a2) t e = IF (Less (norma a1) (norma a2)) t e" |
+"normb (And b1 b2) t e = normb b1 (normb b2 t e) e" |
+"normb (Neg b) t e = normb b e t"
+
+lemma " evala (norma a) env = evala a env
+ \<and> (\<forall> t e. evala (normb b t e) env = evala (IF b t e) env)"
+apply (induct_tac a and b)
+apply (simp_all)
+done
+
+primrec normala :: "'a aexp \<Rightarrow> bool" and
+ normalb :: "'a bexp \<Rightarrow> bool" where
+"normala (IF b t e) = (normalb b \<and> normala t \<and> normala e)" |
+"normala (Sum a1 a2) = (normala a1 \<and> normala a2)" |
+"normala (Diff a1 a2) = (normala a1 \<and> normala a2)" |
+"normala (Var v) = True" |
+"normala (Num n) = True" |
+
+"normalb (Less a1 a2) = (normala a1 \<and> normala a2)" |
+"normalb (And b1 b2) = False" |
+"normalb (Neg b) = False"
+
+lemma "normala (norma (a::'a aexp)) \<and>
+ (\<forall> (t::'a aexp) e. (normala t \<and> normala e) \<longrightarrow> normala (normb b t e))"
+apply (induct_tac a and b)
+apply (auto)
+done
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Datatype/Fundata.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,50 @@
+(*<*)
+theory Fundata imports Main begin
+(*>*)
+datatype ('a,'i)bigtree = Tip | Br 'a "'i \<Rightarrow> ('a,'i)bigtree"
+
+text{*\noindent
+Parameter @{typ"'a"} is the type of values stored in
+the @{term Br}anches of the tree, whereas @{typ"'i"} is the index
+type over which the tree branches. If @{typ"'i"} is instantiated to
+@{typ"bool"}, the result is a binary tree; if it is instantiated to
+@{typ"nat"}, we have an infinitely branching tree because each node
+has as many subtrees as there are natural numbers. How can we possibly
+write down such a tree? Using functional notation! For example, the term
+@{term[display]"Br (0::nat) (\<lambda>i. Br i (\<lambda>n. Tip))"}
+of type @{typ"(nat,nat)bigtree"} is the tree whose
+root is labeled with 0 and whose $i$th subtree is labeled with $i$ and
+has merely @{term"Tip"}s as further subtrees.
+
+Function @{term"map_bt"} applies a function to all labels in a @{text"bigtree"}:
+*}
+
+primrec map_bt :: "('a \<Rightarrow> 'b) \<Rightarrow> ('a,'i)bigtree \<Rightarrow> ('b,'i)bigtree"
+where
+"map_bt f Tip = Tip" |
+"map_bt f (Br a F) = Br (f a) (\<lambda>i. map_bt f (F i))"
+
+text{*\noindent This is a valid \isacommand{primrec} definition because the
+recursive calls of @{term"map_bt"} involve only subtrees of
+@{term"F"}, which is itself a subterm of the left-hand side. Thus termination
+is assured. The seasoned functional programmer might try expressing
+@{term"%i. map_bt f (F i)"} as @{term"map_bt f o F"}, which Isabelle
+however will reject. Applying @{term"map_bt"} to only one of its arguments
+makes the termination proof less obvious.
+
+The following lemma has a simple proof by induction: *}
+
+lemma "map_bt (g o f) T = map_bt g (map_bt f T)";
+apply(induct_tac T, simp_all)
+done
+(*<*)lemma "map_bt (g o f) T = map_bt g (map_bt f T)";
+apply(induct_tac T, rename_tac[2] F)(*>*)
+txt{*\noindent
+Because of the function type, the proof state after induction looks unusual.
+Notice the quantified induction hypothesis:
+@{subgoals[display,indent=0]}
+*}
+(*<*)
+oops
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Datatype/Nested.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,159 @@
+(*<*)
+theory Nested imports ABexpr begin
+(*>*)
+
+text{*
+\index{datatypes!and nested recursion}%
+So far, all datatypes had the property that on the right-hand side of their
+definition they occurred only at the top-level: directly below a
+constructor. Now we consider \emph{nested recursion}, where the recursive
+datatype occurs nested in some other datatype (but not inside itself!).
+Consider the following model of terms
+where function symbols can be applied to a list of arguments:
+*}
+(*<*)hide_const Var(*>*)
+datatype ('v,'f)"term" = Var 'v | App 'f "('v,'f)term list";
+
+text{*\noindent
+Note that we need to quote @{text term} on the left to avoid confusion with
+the Isabelle command \isacommand{term}.
+Parameter @{typ"'v"} is the type of variables and @{typ"'f"} the type of
+function symbols.
+A mathematical term like $f(x,g(y))$ becomes @{term"App f [Var x, App g
+ [Var y]]"}, where @{term f}, @{term g}, @{term x}, @{term y} are
+suitable values, e.g.\ numbers or strings.
+
+What complicates the definition of @{text term} is the nested occurrence of
+@{text term} inside @{text list} on the right-hand side. In principle,
+nested recursion can be eliminated in favour of mutual recursion by unfolding
+the offending datatypes, here @{text list}. The result for @{text term}
+would be something like
+\medskip
+
+\input{unfoldnested.tex}
+\medskip
+
+\noindent
+Although we do not recommend this unfolding to the user, it shows how to
+simulate nested recursion by mutual recursion.
+Now we return to the initial definition of @{text term} using
+nested recursion.
+
+Let us define a substitution function on terms. Because terms involve term
+lists, we need to define two substitution functions simultaneously:
+*}
+
+primrec
+subst :: "('v\<Rightarrow>('v,'f)term) \<Rightarrow> ('v,'f)term \<Rightarrow> ('v,'f)term" and
+substs:: "('v\<Rightarrow>('v,'f)term) \<Rightarrow> ('v,'f)term list \<Rightarrow> ('v,'f)term list"
+where
+"subst s (Var x) = s x" |
+ subst_App:
+"subst s (App f ts) = App f (substs s ts)" |
+
+"substs s [] = []" |
+"substs s (t # ts) = subst s t # substs s ts"
+
+text{*\noindent
+Individual equations in a \commdx{primrec} definition may be
+named as shown for @{thm[source]subst_App}.
+The significance of this device will become apparent below.
+
+Similarly, when proving a statement about terms inductively, we need
+to prove a related statement about term lists simultaneously. For example,
+the fact that the identity substitution does not change a term needs to be
+strengthened and proved as follows:
+*}
+
+lemma subst_id(*<*)(*referred to from ABexpr*)(*>*): "subst Var t = (t ::('v,'f)term) \<and>
+ substs Var ts = (ts::('v,'f)term list)";
+apply(induct_tac t and ts, simp_all);
+done
+
+text{*\noindent
+Note that @{term Var} is the identity substitution because by definition it
+leaves variables unchanged: @{prop"subst Var (Var x) = Var x"}. Note also
+that the type annotations are necessary because otherwise there is nothing in
+the goal to enforce that both halves of the goal talk about the same type
+parameters @{text"('v,'f)"}. As a result, induction would fail
+because the two halves of the goal would be unrelated.
+
+\begin{exercise}
+The fact that substitution distributes over composition can be expressed
+roughly as follows:
+@{text[display]"subst (f \<circ> g) t = subst f (subst g t)"}
+Correct this statement (you will find that it does not type-check),
+strengthen it, and prove it. (Note: @{text"\<circ>"} is function composition;
+its definition is found in theorem @{thm[source]o_def}).
+\end{exercise}
+\begin{exercise}\label{ex:trev-trev}
+ Define a function @{term trev} of type @{typ"('v,'f)term => ('v,'f)term"}
+that recursively reverses the order of arguments of all function symbols in a
+ term. Prove that @{prop"trev(trev t) = t"}.
+\end{exercise}
+
+The experienced functional programmer may feel that our definition of
+@{term subst} is too complicated in that @{const substs} is
+unnecessary. The @{term App}-case can be defined directly as
+@{term[display]"subst s (App f ts) = App f (map (subst s) ts)"}
+where @{term"map"} is the standard list function such that
+@{text"map f [x1,...,xn] = [f x1,...,f xn]"}. This is true, but Isabelle
+insists on the conjunctive format. Fortunately, we can easily \emph{prove}
+that the suggested equation holds:
+*}
+(*<*)
+(* Exercise 1: *)
+lemma "subst ((subst f) \<circ> g) t = subst f (subst g t) \<and>
+ substs ((subst f) \<circ> g) ts = substs f (substs g ts)"
+apply (induct_tac t and ts)
+apply (simp_all)
+done
+
+(* Exercise 2: *)
+
+primrec trev :: "('v,'f) term \<Rightarrow> ('v,'f) term"
+ and trevs:: "('v,'f) term list \<Rightarrow> ('v,'f) term list"
+where
+ "trev (Var v) = Var v"
+| "trev (App f ts) = App f (trevs ts)"
+| "trevs [] = []"
+| "trevs (t#ts) = (trevs ts) @ [(trev t)]"
+
+lemma [simp]: "\<forall> ys. trevs (xs @ ys) = (trevs ys) @ (trevs xs)"
+apply (induct_tac xs, auto)
+done
+
+lemma "trev (trev t) = (t::('v,'f)term) \<and>
+ trevs (trevs ts) = (ts::('v,'f)term list)"
+apply (induct_tac t and ts, simp_all)
+done
+(*>*)
+
+lemma [simp]: "subst s (App f ts) = App f (map (subst s) ts)"
+apply(induct_tac ts, simp_all)
+done
+
+text{*\noindent
+What is more, we can now disable the old defining equation as a
+simplification rule:
+*}
+
+declare subst_App [simp del]
+
+text{*\noindent The advantage is that now we have replaced @{const
+substs} by @{const map}, we can profit from the large number of
+pre-proved lemmas about @{const map}. Unfortunately, inductive proofs
+about type @{text term} are still awkward because they expect a
+conjunction. One could derive a new induction principle as well (see
+\S\ref{sec:derive-ind}), but simpler is to stop using
+\isacommand{primrec} and to define functions with \isacommand{fun}
+instead. Simple uses of \isacommand{fun} are described in
+\S\ref{sec:fun} below. Advanced applications, including functions
+over nested datatypes like @{text term}, are discussed in a
+separate tutorial~\cite{isabelle-function}.
+
+Of course, you may also combine mutual and nested recursion of datatypes. For example,
+constructor @{text Sum} in \S\ref{sec:datatype-mut-rec} could take a list of
+expressions as its argument: @{text Sum}~@{typ[quotes]"'a aexp list"}.
+*}
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Datatype/unfoldnested.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,8 @@
+(*<*)
+theory unfoldnested imports Main begin;
+(*>*)
+datatype ('v,'f)"term" = Var 'v | App 'f "('v,'f)term_list"
+and ('v,'f)term_list = Nil | Cons "('v,'f)term" "('v,'f)term_list"
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Documents/Documents.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,787 @@
+(*<*)
+theory Documents imports Main begin
+(*>*)
+
+section {* Concrete Syntax \label{sec:concrete-syntax} *}
+
+text {*
+ The core concept of Isabelle's framework for concrete syntax is that
+ of \bfindex{mixfix annotations}. Associated with any kind of
+ constant declaration, mixfixes affect both the grammar productions
+ for the parser and output templates for the pretty printer.
+
+ In full generality, parser and pretty printer configuration is a
+ subtle affair~\cite{isabelle-ref}. Your syntax specifications need
+ to interact properly with the existing setup of Isabelle/Pure and
+ Isabelle/HOL\@. To avoid creating ambiguities with existing
+ elements, it is particularly important to give new syntactic
+ constructs the right precedence.
+
+ Below we introduce a few simple syntax declaration
+ forms that already cover many common situations fairly well.
+*}
+
+
+subsection {* Infix Annotations *}
+
+text {*
+ Syntax annotations may be included wherever constants are declared,
+ such as \isacommand{definition} and \isacommand{primrec} --- and also
+ \isacommand{datatype}, which declares constructor operations.
+ Type-constructors may be annotated as well, although this is less
+ frequently encountered in practice (the infix type @{text "\<times>"} comes
+ to mind).
+
+ Infix declarations\index{infix annotations} provide a useful special
+ case of mixfixes. The following example of the exclusive-or
+ operation on boolean values illustrates typical infix declarations.
+*}
+
+definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "[+]" 60)
+where "A [+] B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
+
+text {*
+ \noindent Now @{text "xor A B"} and @{text "A [+] B"} refer to the
+ same expression internally. Any curried function with at least two
+ arguments may be given infix syntax. For partial applications with
+ fewer than two operands, there is a notation using the prefix~@{text
+ op}. For instance, @{text xor} without arguments is represented as
+ @{text "op [+]"}; together with ordinary function application, this
+ turns @{text "xor A"} into @{text "op [+] A"}.
+
+ The keyword \isakeyword{infixl} seen above specifies an
+ infix operator that is nested to the \emph{left}: in iterated
+ applications the more complex expression appears on the left-hand
+ side, and @{term "A [+] B [+] C"} stands for @{text "(A [+] B) [+]
+ C"}. Similarly, \isakeyword{infixr} means nesting to the
+ \emph{right}, reading @{term "A [+] B [+] C"} as @{text "A [+] (B
+ [+] C)"}. A \emph{non-oriented} declaration via \isakeyword{infix}
+ would render @{term "A [+] B [+] C"} illegal, but demand explicit
+ parentheses to indicate the intended grouping.
+
+ The string @{text [source] "[+]"} in our annotation refers to the
+ concrete syntax to represent the operator (a literal token), while
+ the number @{text 60} determines the precedence of the construct:
+ the syntactic priorities of the arguments and result. Isabelle/HOL
+ already uses up many popular combinations of ASCII symbols for its
+ own use, including both @{text "+"} and @{text "++"}. Longer
+ character combinations are more likely to be still available for
+ user extensions, such as our~@{text "[+]"}.
+
+ Operator precedences have a range of 0--1000. Very low or high
+ priorities are reserved for the meta-logic. HOL syntax mainly uses
+ the range of 10--100: the equality infix @{text "="} is centered at
+ 50; logical connectives (like @{text "\<or>"} and @{text "\<and>"}) are
+ below 50; algebraic ones (like @{text "+"} and @{text "*"}) are
+ above 50. User syntax should strive to coexist with common HOL
+ forms, or use the mostly unused range 100--900.
+*}
+
+
+subsection {* Mathematical Symbols \label{sec:syntax-symbols} *}
+
+text {*
+ Concrete syntax based on ASCII characters has inherent limitations.
+ Mathematical notation demands a larger repertoire of glyphs.
+ Several standards of extended character sets have been proposed over
+ decades, but none has become universally available so far. Isabelle
+ has its own notion of \bfindex{symbols} as the smallest entities of
+ source text, without referring to internal encodings. There are
+ three kinds of such ``generalized characters'':
+
+ \begin{enumerate}
+
+ \item 7-bit ASCII characters
+
+ \item named symbols: \verb,\,\verb,<,$ident$\verb,>,
+
+ \item named control symbols: \verb,\,\verb,<^,$ident$\verb,>,
+
+ \end{enumerate}
+
+ Here $ident$ is any sequence of letters.
+ This results in an infinite store of symbols, whose
+ interpretation is left to further front-end tools. For example, the
+ user-interface of Proof~General + X-Symbol and the Isabelle document
+ processor (see \S\ref{sec:document-preparation}) display the
+ \verb,\,\verb,<forall>, symbol as~@{text \<forall>}.
+
+ A list of standard Isabelle symbols is given in
+ \cite{isabelle-isar-ref}. You may introduce your own
+ interpretation of further symbols by configuring the appropriate
+ front-end tool accordingly, e.g.\ by defining certain {\LaTeX}
+ macros (see also \S\ref{sec:doc-prep-symbols}). There are also a
+ few predefined control symbols, such as \verb,\,\verb,<^sub>, and
+ \verb,\,\verb,<^sup>, for sub- and superscript of the subsequent
+ printable symbol, respectively. For example, \verb,A\<^sup>\<star>, is
+ output as @{text "A\<^sup>\<star>"}.
+
+ A number of symbols are considered letters by the Isabelle lexer and
+ can be used as part of identifiers. These are the greek letters
+ @{text "\<alpha>"} (\verb+\+\verb+<alpha>+), @{text "\<beta>"}
+ (\verb+\+\verb+<beta>+), etc. (excluding @{text "\<lambda>"}),
+ special letters like @{text "\<A>"} (\verb+\+\verb+<A>+) and @{text
+ "\<AA>"} (\verb+\+\verb+<AA>+), and the control symbols
+ \verb+\+\verb+<^isub>+ and \verb+\+\verb+<^isup>+ for single letter
+ sub and super scripts. This means that the input
+
+ \medskip
+ {\small\noindent \verb,\,\verb,<forall>\,\verb,<alpha>\<^isub>1.,~\verb,\,\verb,<alpha>\<^isub>1 = \,\verb,<Pi>\<^isup>\<A>,}
+
+ \medskip
+ \noindent is recognized as the term @{term "\<forall>\<alpha>\<^isub>1. \<alpha>\<^isub>1 = \<Pi>\<^isup>\<A>"}
+ by Isabelle. Note that @{text "\<Pi>\<^isup>\<A>"} is a single
+ syntactic entity, not an exponentiation.
+
+ Replacing our previous definition of @{text xor} by the
+ following specifies an Isabelle symbol for the new operator:
+*}
+
+(*<*)
+hide_const xor
+setup {* Sign.add_path "version1" *}
+(*>*)
+definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "\<oplus>" 60)
+where "A \<oplus> B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
+(*<*)
+setup {* Sign.local_path *}
+(*>*)
+
+text {*
+ \noindent Proof~General provides several input methods to enter
+ @{text \<oplus>} in the text. If all fails one may just type a named
+ entity \verb,\,\verb,<oplus>, by hand; the corresponding symbol will
+ be displayed after further input.
+
+ More flexible is to provide alternative syntax forms
+ through the \bfindex{print mode} concept~\cite{isabelle-ref}. By
+ convention, the mode of ``$xsymbols$'' is enabled whenever
+ Proof~General's X-Symbol mode or {\LaTeX} output is active. Now
+ consider the following hybrid declaration of @{text xor}:
+*}
+
+(*<*)
+hide_const xor
+setup {* Sign.add_path "version2" *}
+(*>*)
+definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" (infixl "[+]\<ignore>" 60)
+where "A [+]\<ignore> B \<equiv> (A \<and> \<not> B) \<or> (\<not> A \<and> B)"
+
+notation (xsymbols) xor (infixl "\<oplus>\<ignore>" 60)
+(*<*)
+setup {* Sign.local_path *}
+(*>*)
+
+text {*\noindent
+The \commdx{notation} command associates a mixfix
+annotation with a known constant. The print mode specification,
+here @{text "(xsymbols)"}, is optional.
+
+We may now write @{text "A [+] B"} or @{text "A \<oplus> B"} in input, while
+output uses the nicer syntax of $xsymbols$ whenever that print mode is
+active. Such an arrangement is particularly useful for interactive
+development, where users may type ASCII text and see mathematical
+symbols displayed during proofs. *}
+
+
+subsection {* Prefix Annotations *}
+
+text {*
+ Prefix syntax annotations\index{prefix annotation} are another form
+ of mixfixes \cite{isabelle-ref}, without any template arguments or
+ priorities --- just some literal syntax. The following example
+ associates common symbols with the constructors of a datatype.
+*}
+
+datatype currency =
+ Euro nat ("\<euro>")
+ | Pounds nat ("\<pounds>")
+ | Yen nat ("\<yen>")
+ | Dollar nat ("$")
+
+text {*
+ \noindent Here the mixfix annotations on the rightmost column happen
+ to consist of a single Isabelle symbol each: \verb,\,\verb,<euro>,,
+ \verb,\,\verb,<pounds>,, \verb,\,\verb,<yen>,, and \verb,$,. Recall
+ that a constructor like @{text Euro} actually is a function @{typ
+ "nat \<Rightarrow> currency"}. The expression @{text "Euro 10"} will be
+ printed as @{term "\<euro> 10"}; only the head of the application is
+ subject to our concrete syntax. This rather simple form already
+ achieves conformance with notational standards of the European
+ Commission.
+
+ Prefix syntax works the same way for other commands that introduce new constants, e.g. \isakeyword{primrec}.
+*}
+
+
+subsection {* Abbreviations \label{sec:abbreviations} *}
+
+text{* Mixfix syntax annotations merely decorate particular constant
+application forms with concrete syntax, for instance replacing
+@{text "xor A B"} by @{text "A \<oplus> B"}. Occasionally, the relationship
+between some piece of notation and its internal form is more
+complicated. Here we need \emph{abbreviations}.
+
+Command \commdx{abbreviation} introduces an uninterpreted notational
+constant as an abbreviation for a complex term. Abbreviations are
+unfolded upon parsing and re-introduced upon printing. This provides a
+simple mechanism for syntactic macros.
+
+A typical use of abbreviations is to introduce relational notation for
+membership in a set of pairs, replacing @{text "(x, y) \<in> sim"} by
+@{text "x \<approx> y"}. We assume that a constant @{text sim } of type
+@{typ"('a \<times> 'a) set"} has been introduced at this point. *}
+(*<*)consts sim :: "('a \<times> 'a) set"(*>*)
+abbreviation sim2 :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infix "\<approx>" 50)
+where "x \<approx> y \<equiv> (x, y) \<in> sim"
+
+text {* \noindent The given meta-equality is used as a rewrite rule
+after parsing (replacing \mbox{@{prop"x \<approx> y"}} by @{text"(x,y) \<in>
+sim"}) and before printing (turning @{text"(x,y) \<in> sim"} back into
+\mbox{@{prop"x \<approx> y"}}). The name of the dummy constant @{text "sim2"}
+does not matter, as long as it is unique.
+
+Another common application of abbreviations is to
+provide variant versions of fundamental relational expressions, such
+as @{text \<noteq>} for negated equalities. The following declaration
+stems from Isabelle/HOL itself:
+*}
+
+abbreviation not_equal :: "'a \<Rightarrow> 'a \<Rightarrow> bool" (infixl "~=\<ignore>" 50)
+where "x ~=\<ignore> y \<equiv> \<not> (x = y)"
+
+notation (xsymbols) not_equal (infix "\<noteq>\<ignore>" 50)
+
+text {* \noindent The notation @{text \<noteq>} is introduced separately to restrict it
+to the \emph{xsymbols} mode.
+
+Abbreviations are appropriate when the defined concept is a
+simple variation on an existing one. But because of the automatic
+folding and unfolding of abbreviations, they do not scale up well to
+large hierarchies of concepts. Abbreviations do not replace
+definitions.
+
+Abbreviations are a simplified form of the general concept of
+\emph{syntax translations}; even heavier transformations may be
+written in ML \cite{isabelle-ref}.
+*}
+
+
+section {* Document Preparation \label{sec:document-preparation} *}
+
+text {*
+ Isabelle/Isar is centered around the concept of \bfindex{formal
+ proof documents}\index{documents|bold}. The outcome of a formal
+ development effort is meant to be a human-readable record, presented
+ as browsable PDF file or printed on paper. The overall document
+ structure follows traditional mathematical articles, with sections,
+ intermediate explanations, definitions, theorems and proofs.
+
+ \medskip The Isabelle document preparation system essentially acts
+ as a front-end to {\LaTeX}. After checking specifications and
+ proofs formally, the theory sources are turned into typesetting
+ instructions in a schematic manner. This lets you write authentic
+ reports on theory developments with little effort: many technical
+ consistency checks are handled by the system.
+
+ Here is an example to illustrate the idea of Isabelle document
+ preparation.
+*}
+
+text_raw {* \begin{quotation} *}
+
+text {*
+ The following datatype definition of @{text "'a bintree"} models
+ binary trees with nodes being decorated by elements of type @{typ
+ 'a}.
+*}
+
+datatype 'a bintree =
+ Leaf | Branch 'a "'a bintree" "'a bintree"
+
+text {*
+ \noindent The datatype induction rule generated here is of the form
+ @{thm [indent = 1, display] bintree.induct [no_vars]}
+*}
+
+text_raw {* \end{quotation} *}
+
+text {*
+ \noindent The above document output has been produced as follows:
+
+ \begin{ttbox}
+ text {\ttlbrace}*
+ The following datatype definition of {\at}{\ttlbrace}text "'a bintree"{\ttrbrace}
+ models binary trees with nodes being decorated by elements
+ of type {\at}{\ttlbrace}typ 'a{\ttrbrace}.
+ *{\ttrbrace}
+
+ datatype 'a bintree =
+ Leaf | Branch 'a "'a bintree" "'a bintree"
+ \end{ttbox}
+ \begin{ttbox}
+ text {\ttlbrace}*
+ {\ttback}noindent The datatype induction rule generated here is
+ of the form {\at}{\ttlbrace}thm [display] bintree.induct [no_vars]{\ttrbrace}
+ *{\ttrbrace}
+ \end{ttbox}\vspace{-\medskipamount}
+
+ \noindent Here we have augmented the theory by formal comments
+ (using \isakeyword{text} blocks), the informal parts may again refer
+ to formal entities by means of ``antiquotations'' (such as
+ \texttt{\at}\verb,{text "'a bintree"}, or
+ \texttt{\at}\verb,{typ 'a},), see also \S\ref{sec:doc-prep-text}.
+*}
+
+
+subsection {* Isabelle Sessions *}
+
+text {*
+ In contrast to the highly interactive mode of Isabelle/Isar theory
+ development, the document preparation stage essentially works in
+ batch-mode. An Isabelle \bfindex{session} consists of a collection
+ of source files that may contribute to an output document. Each
+ session is derived from a single parent, usually an object-logic
+ image like \texttt{HOL}. This results in an overall tree structure,
+ which is reflected by the output location in the file system
+ (usually rooted at \verb,~/.isabelle/IsabelleXXXX/browser_info,).
+
+ \medskip The easiest way to manage Isabelle sessions is via
+ \texttt{isabelle mkdir} (generates an initial session source setup)
+ and \texttt{isabelle make} (run sessions controlled by
+ \texttt{IsaMakefile}). For example, a new session
+ \texttt{MySession} derived from \texttt{HOL} may be produced as
+ follows:
+
+\begin{verbatim}
+ isabelle mkdir HOL MySession
+ isabelle make
+\end{verbatim}
+
+ The \texttt{isabelle make} job also informs about the file-system
+ location of the ultimate results. The above dry run should be able
+ to produce some \texttt{document.pdf} (with dummy title, empty table
+ of contents etc.). Any failure at this stage usually indicates
+ technical problems of the {\LaTeX} installation.
+
+ \medskip The detailed arrangement of the session sources is as
+ follows.
+
+ \begin{itemize}
+
+ \item Directory \texttt{MySession} holds the required theory files
+ $T@1$\texttt{.thy}, \dots, $T@n$\texttt{.thy}.
+
+ \item File \texttt{MySession/ROOT.ML} holds appropriate ML commands
+ for loading all wanted theories, usually just
+ ``\texttt{use_thy"$T@i$";}'' for any $T@i$ in leaf position of the
+ dependency graph.
+
+ \item Directory \texttt{MySession/document} contains everything
+ required for the {\LaTeX} stage; only \texttt{root.tex} needs to be
+ provided initially.
+
+ The latter file holds appropriate {\LaTeX} code to commence a
+ document (\verb,\documentclass, etc.), and to include the generated
+ files $T@i$\texttt{.tex} for each theory. Isabelle will generate a
+ file \texttt{session.tex} holding {\LaTeX} commands to include all
+ generated theory output files in topologically sorted order, so
+ \verb,\input{session}, in the body of \texttt{root.tex} does the job
+ in most situations.
+
+ \item \texttt{IsaMakefile} holds appropriate dependencies and
+ invocations of Isabelle tools to control the batch job. In fact,
+ several sessions may be managed by the same \texttt{IsaMakefile}.
+ See the \emph{Isabelle System Manual} \cite{isabelle-sys}
+ for further details, especially on
+ \texttt{isabelle usedir} and \texttt{isabelle make}.
+
+ \end{itemize}
+
+ One may now start to populate the directory \texttt{MySession}, and
+ the file \texttt{MySession/ROOT.ML} accordingly. The file
+ \texttt{MySession/document/root.tex} should also be adapted at some
+ point; the default version is mostly self-explanatory. Note that
+ \verb,\isabellestyle, enables fine-tuning of the general appearance
+ of characters and mathematical symbols (see also
+ \S\ref{sec:doc-prep-symbols}).
+
+ Especially observe the included {\LaTeX} packages \texttt{isabelle}
+ (mandatory), \texttt{isabellesym} (required for mathematical
+ symbols), and the final \texttt{pdfsetup} (provides sane defaults
+ for \texttt{hyperref}, including URL markup). All three are
+ distributed with Isabelle. Further packages may be required in
+ particular applications, say for unusual mathematical symbols.
+
+ \medskip Any additional files for the {\LaTeX} stage go into the
+ \texttt{MySession/document} directory as well. In particular,
+ adding a file named \texttt{root.bib} causes an automatic run of
+ \texttt{bibtex} to process a bibliographic database; see also
+ \texttt{isabelle document} \cite{isabelle-sys}.
+
+ \medskip Any failure of the document preparation phase in an
+ Isabelle batch session leaves the generated sources in their target
+ location, identified by the accompanying error message. This lets
+ you trace {\LaTeX} problems with the generated files at hand.
+*}
+
+
+subsection {* Structure Markup *}
+
+text {*
+ The large-scale structure of Isabelle documents follows existing
+ {\LaTeX} conventions, with chapters, sections, subsubsections etc.
+ The Isar language includes separate \bfindex{markup commands}, which
+ do not affect the formal meaning of a theory (or proof), but result
+ in corresponding {\LaTeX} elements.
+
+ There are separate markup commands depending on the textual context:
+ in header position (just before \isakeyword{theory}), within the
+ theory body, or within a proof. The header needs to be treated
+ specially here, since ordinary theory and proof commands may only
+ occur \emph{after} the initial \isakeyword{theory} specification.
+
+ \medskip
+
+ \begin{tabular}{llll}
+ header & theory & proof & default meaning \\\hline
+ & \commdx{chapter} & & \verb,\chapter, \\
+ \commdx{header} & \commdx{section} & \commdx{sect} & \verb,\section, \\
+ & \commdx{subsection} & \commdx{subsect} & \verb,\subsection, \\
+ & \commdx{subsubsection} & \commdx{subsubsect} & \verb,\subsubsection, \\
+ \end{tabular}
+
+ \medskip
+
+ From the Isabelle perspective, each markup command takes a single
+ $text$ argument (delimited by \verb,",~@{text \<dots>}~\verb,", or
+ \verb,{,\verb,*,~@{text \<dots>}~\verb,*,\verb,},). After stripping any
+ surrounding white space, the argument is passed to a {\LaTeX} macro
+ \verb,\isamarkupXYZ, for command \isakeyword{XYZ}. These macros are
+ defined in \verb,isabelle.sty, according to the meaning given in the
+ rightmost column above.
+
+ \medskip The following source fragment illustrates structure markup
+ of a theory. Note that {\LaTeX} labels may be included inside of
+ section headings as well.
+
+ \begin{ttbox}
+ header {\ttlbrace}* Some properties of Foo Bar elements *{\ttrbrace}
+
+ theory Foo_Bar
+ imports Main
+ begin
+
+ subsection {\ttlbrace}* Basic definitions *{\ttrbrace}
+
+ definition foo :: \dots
+
+ definition bar :: \dots
+
+ subsection {\ttlbrace}* Derived rules *{\ttrbrace}
+
+ lemma fooI: \dots
+ lemma fooE: \dots
+
+ subsection {\ttlbrace}* Main theorem {\ttback}label{\ttlbrace}sec:main-theorem{\ttrbrace} *{\ttrbrace}
+
+ theorem main: \dots
+
+ end
+ \end{ttbox}\vspace{-\medskipamount}
+
+ You may occasionally want to change the meaning of markup commands,
+ say via \verb,\renewcommand, in \texttt{root.tex}. For example,
+ \verb,\isamarkupheader, is a good candidate for some tuning. We
+ could move it up in the hierarchy to become \verb,\chapter,.
+
+\begin{verbatim}
+ \renewcommand{\isamarkupheader}[1]{\chapter{#1}}
+\end{verbatim}
+
+ \noindent Now we must change the document class given in
+ \texttt{root.tex} to something that supports chapters. A suitable
+ command is \verb,\documentclass{report},.
+
+ \medskip The {\LaTeX} macro \verb,\isabellecontext, is maintained to
+ hold the name of the current theory context. This is particularly
+ useful for document headings:
+
+\begin{verbatim}
+ \renewcommand{\isamarkupheader}[1]
+ {\chapter{#1}\markright{THEORY~\isabellecontext}}
+\end{verbatim}
+
+ \noindent Make sure to include something like
+ \verb,\pagestyle{headings}, in \texttt{root.tex}; the document
+ should have more than two pages to show the effect.
+*}
+
+
+subsection {* Formal Comments and Antiquotations \label{sec:doc-prep-text} *}
+
+text {*
+ Isabelle \bfindex{source comments}, which are of the form
+ \verb,(,\verb,*,~@{text \<dots>}~\verb,*,\verb,),, essentially act like
+ white space and do not really contribute to the content. They
+ mainly serve technical purposes to mark certain oddities in the raw
+ input text. In contrast, \bfindex{formal comments} are portions of
+ text that are associated with formal Isabelle/Isar commands
+ (\bfindex{marginal comments}), or as standalone paragraphs within a
+ theory or proof context (\bfindex{text blocks}).
+
+ \medskip Marginal comments are part of each command's concrete
+ syntax \cite{isabelle-ref}; the common form is ``\verb,--,~$text$''
+ where $text$ is delimited by \verb,",@{text \<dots>}\verb,", or
+ \verb,{,\verb,*,~@{text \<dots>}~\verb,*,\verb,}, as before. Multiple
+ marginal comments may be given at the same time. Here is a simple
+ example:
+*}
+
+lemma "A --> A"
+ -- "a triviality of propositional logic"
+ -- "(should not really bother)"
+ by (rule impI) -- "implicit assumption step involved here"
+
+text {*
+ \noindent The above output has been produced as follows:
+
+\begin{verbatim}
+ lemma "A --> A"
+ -- "a triviality of propositional logic"
+ -- "(should not really bother)"
+ by (rule impI) -- "implicit assumption step involved here"
+\end{verbatim}
+
+ From the {\LaTeX} viewpoint, ``\verb,--,'' acts like a markup
+ command, associated with the macro \verb,\isamarkupcmt, (taking a
+ single argument).
+
+ \medskip Text blocks are introduced by the commands \bfindex{text}
+ and \bfindex{txt}, for theory and proof contexts, respectively.
+ Each takes again a single $text$ argument, which is interpreted as a
+ free-form paragraph in {\LaTeX} (surrounded by some additional
+ vertical space). This behavior may be changed by redefining the
+ {\LaTeX} environments of \verb,isamarkuptext, or
+ \verb,isamarkuptxt,, respectively (via \verb,\renewenvironment,) The
+ text style of the body is determined by \verb,\isastyletext, and
+ \verb,\isastyletxt,; the default setup uses a smaller font within
+ proofs. This may be changed as follows:
+
+\begin{verbatim}
+ \renewcommand{\isastyletxt}{\isastyletext}
+\end{verbatim}
+
+ \medskip The $text$ part of Isabelle markup commands essentially
+ inserts \emph{quoted material} into a formal text, mainly for
+ instruction of the reader. An \bfindex{antiquotation} is again a
+ formal object embedded into such an informal portion. The
+ interpretation of antiquotations is limited to some well-formedness
+ checks, with the result being pretty printed to the resulting
+ document. Quoted text blocks together with antiquotations provide
+ an attractive means of referring to formal entities, with good
+ confidence in getting the technical details right (especially syntax
+ and types).
+
+ The general syntax of antiquotations is as follows:
+ \texttt{{\at}{\ttlbrace}$name$ $arguments${\ttrbrace}}, or
+ \texttt{{\at}{\ttlbrace}$name$ [$options$] $arguments${\ttrbrace}}
+ for a comma-separated list of options consisting of a $name$ or
+ \texttt{$name$=$value$} each. The syntax of $arguments$ depends on
+ the kind of antiquotation, it generally follows the same conventions
+ for types, terms, or theorems as in the formal part of a theory.
+
+ \medskip This sentence demonstrates quotations and antiquotations:
+ @{term "%x y. x"} is a well-typed term.
+
+ \medskip\noindent The output above was produced as follows:
+ \begin{ttbox}
+text {\ttlbrace}*
+ This sentence demonstrates quotations and antiquotations:
+ {\at}{\ttlbrace}term "%x y. x"{\ttrbrace} is a well-typed term.
+*{\ttrbrace}
+ \end{ttbox}\vspace{-\medskipamount}
+
+ The notational change from the ASCII character~\verb,%, to the
+ symbol~@{text \<lambda>} reveals that Isabelle printed this term, after
+ parsing and type-checking. Document preparation enables symbolic
+ output by default.
+
+ \medskip The next example includes an option to show the type of all
+ variables. The antiquotation
+ \texttt{{\at}}\verb,{term [show_types] "%x y. x"}, produces the
+ output @{term [show_types] "%x y. x"}. Type inference has figured
+ out the most general typings in the present theory context. Terms
+ may acquire different typings due to constraints imposed by their
+ environment; within a proof, for example, variables are given the
+ same types as they have in the main goal statement.
+
+ \medskip Several further kinds of antiquotations and options are
+ available \cite{isabelle-isar-ref}. Here are a few commonly used
+ combinations:
+
+ \medskip
+
+ \begin{tabular}{ll}
+ \texttt{\at}\verb,{typ,~$\tau$\verb,}, & print type $\tau$ \\
+ \texttt{\at}\verb,{const,~$c$\verb,}, & check existence of $c$ and print it \\
+ \texttt{\at}\verb,{term,~$t$\verb,}, & print term $t$ \\
+ \texttt{\at}\verb,{prop,~$\phi$\verb,}, & print proposition $\phi$ \\
+ \texttt{\at}\verb,{prop [display],~$\phi$\verb,}, & print large proposition $\phi$ (with linebreaks) \\
+ \texttt{\at}\verb,{prop [source],~$\phi$\verb,}, & check proposition $\phi$, print its input \\
+ \texttt{\at}\verb,{thm,~$a$\verb,}, & print fact $a$ \\
+ \texttt{\at}\verb,{thm,~$a$~\verb,[no_vars]}, & print fact $a$, fixing schematic variables \\
+ \texttt{\at}\verb,{thm [source],~$a$\verb,}, & check availability of fact $a$, print its name \\
+ \texttt{\at}\verb,{text,~$s$\verb,}, & print uninterpreted text $s$ \\
+ \end{tabular}
+
+ \medskip
+
+ Note that \attrdx{no_vars} given above is \emph{not} an
+ antiquotation option, but an attribute of the theorem argument given
+ here. This might be useful with a diagnostic command like
+ \isakeyword{thm}, too.
+
+ \medskip The \texttt{\at}\verb,{text, $s$\verb,}, antiquotation is
+ particularly interesting. Embedding uninterpreted text within an
+ informal body might appear useless at first sight. Here the key
+ virtue is that the string $s$ is processed as Isabelle output,
+ interpreting Isabelle symbols appropriately.
+
+ For example, \texttt{\at}\verb,{text "\<forall>\<exists>"}, produces @{text
+ "\<forall>\<exists>"}, according to the standard interpretation of these symbol
+ (cf.\ \S\ref{sec:doc-prep-symbols}). Thus we achieve consistent
+ mathematical notation in both the formal and informal parts of the
+ document very easily, independently of the term language of
+ Isabelle. Manual {\LaTeX} code would leave more control over the
+ typesetting, but is also slightly more tedious.
+*}
+
+
+subsection {* Interpretation of Symbols \label{sec:doc-prep-symbols} *}
+
+text {*
+ As has been pointed out before (\S\ref{sec:syntax-symbols}),
+ Isabelle symbols are the smallest syntactic entities --- a
+ straightforward generalization of ASCII characters. While Isabelle
+ does not impose any interpretation of the infinite collection of
+ named symbols, {\LaTeX} documents use canonical glyphs for certain
+ standard symbols \cite{isabelle-isar-ref}.
+
+ The {\LaTeX} code produced from Isabelle text follows a simple
+ scheme. You can tune the final appearance by redefining certain
+ macros, say in \texttt{root.tex} of the document.
+
+ \begin{enumerate}
+
+ \item 7-bit ASCII characters: letters \texttt{A\dots Z} and
+ \texttt{a\dots z} are output directly, digits are passed as an
+ argument to the \verb,\isadigit, macro, other characters are
+ replaced by specifically named macros of the form
+ \verb,\isacharXYZ,.
+
+ \item Named symbols: \verb,\,\verb,<XYZ>, is turned into
+ \verb,{\isasymXYZ},; note the additional braces.
+
+ \item Named control symbols: \verb,\,\verb,<^XYZ>, is turned into
+ \verb,\isactrlXYZ,; subsequent symbols may act as arguments if the
+ control macro is defined accordingly.
+
+ \end{enumerate}
+
+ You may occasionally wish to give new {\LaTeX} interpretations of
+ named symbols. This merely requires an appropriate definition of
+ \verb,\isasymXYZ,, for \verb,\,\verb,<XYZ>, (see
+ \texttt{isabelle.sty} for working examples). Control symbols are
+ slightly more difficult to get right, though.
+
+ \medskip The \verb,\isabellestyle, macro provides a high-level
+ interface to tune the general appearance of individual symbols. For
+ example, \verb,\isabellestyle{it}, uses the italics text style to
+ mimic the general appearance of the {\LaTeX} math mode; double
+ quotes are not printed at all. The resulting quality of typesetting
+ is quite good, so this should be the default style for work that
+ gets distributed to a broader audience.
+*}
+
+
+subsection {* Suppressing Output \label{sec:doc-prep-suppress} *}
+
+text {*
+ By default, Isabelle's document system generates a {\LaTeX} file for
+ each theory that gets loaded while running the session. The
+ generated \texttt{session.tex} will include all of these in order of
+ appearance, which in turn gets included by the standard
+ \texttt{root.tex}. Certainly one may change the order or suppress
+ unwanted theories by ignoring \texttt{session.tex} and load
+ individual files directly in \texttt{root.tex}. On the other hand,
+ such an arrangement requires additional maintenance whenever the
+ collection of theories changes.
+
+ Alternatively, one may tune the theory loading process in
+ \texttt{ROOT.ML} itself: traversal of the theory dependency graph
+ may be fine-tuned by adding \verb,use_thy, invocations, although
+ topological sorting still has to be observed. Moreover, the ML
+ operator \verb,no_document, temporarily disables document generation
+ while executing a theory loader command. Its usage is like this:
+
+\begin{verbatim}
+ no_document use_thy "T";
+\end{verbatim}
+
+ \medskip Theory output may be suppressed more selectively, either
+ via \bfindex{tagged command regions} or \bfindex{ignored material}.
+
+ Tagged command regions works by annotating commands with named tags,
+ which correspond to certain {\LaTeX} markup that tells how to treat
+ particular parts of a document when doing the actual type-setting.
+ By default, certain Isabelle/Isar commands are implicitly marked up
+ using the predefined tags ``\emph{theory}'' (for theory begin and
+ end), ``\emph{proof}'' (for proof commands), and ``\emph{ML}'' (for
+ commands involving ML code). Users may add their own tags using the
+ \verb,%,\emph{tag} notation right after a command name. In the
+ subsequent example we hide a particularly irrelevant proof:
+*}
+
+lemma "x = x" by %invisible (simp)
+
+text {*
+ The original source has been ``\verb,lemma "x = x" by %invisible (simp),''.
+ Tags observe the structure of proofs; adjacent commands with the
+ same tag are joined into a single region. The Isabelle document
+ preparation system allows the user to specify how to interpret a
+ tagged region, in order to keep, drop, or fold the corresponding
+ parts of the document. See the \emph{Isabelle System Manual}
+ \cite{isabelle-sys} for further details, especially on
+ \texttt{isabelle usedir} and \texttt{isabelle document}.
+
+ Ignored material is specified by delimiting the original formal
+ source with special source comments
+ \verb,(,\verb,*,\verb,<,\verb,*,\verb,), and
+ \verb,(,\verb,*,\verb,>,\verb,*,\verb,),. These parts are stripped
+ before the type-setting phase, without affecting the formal checking
+ of the theory, of course. For example, we may hide parts of a proof
+ that seem unfit for general public inspection. The following
+ ``fully automatic'' proof is actually a fake:
+*}
+
+lemma "x \<noteq> (0::int) \<Longrightarrow> 0 < x * x"
+ by (auto(*<*)simp add: zero_less_mult_iff(*>*))
+
+text {*
+ \noindent The real source of the proof has been as follows:
+
+\begin{verbatim}
+ by (auto(*<*)simp add: zero_less_mult_iff(*>*))
+\end{verbatim}
+%(*
+
+ \medskip Suppressing portions of printed text demands care. You
+ should not misrepresent the underlying theory development. It is
+ easy to invalidate the visible text by hiding references to
+ questionable axioms, for example.
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Fun/fun0.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,261 @@
+(*<*)
+theory fun0 imports Main begin
+(*>*)
+
+text{*
+\subsection{Definition}
+\label{sec:fun-examples}
+
+Here is a simple example, the \rmindex{Fibonacci function}:
+*}
+
+fun fib :: "nat \<Rightarrow> nat" where
+"fib 0 = 0" |
+"fib (Suc 0) = 1" |
+"fib (Suc(Suc x)) = fib x + fib (Suc x)"
+
+text{*\noindent
+This resembles ordinary functional programming languages. Note the obligatory
+\isacommand{where} and \isa{|}. Command \isacommand{fun} declares and
+defines the function in one go. Isabelle establishes termination automatically
+because @{const fib}'s argument decreases in every recursive call.
+
+Slightly more interesting is the insertion of a fixed element
+between any two elements of a list:
+*}
+
+fun sep :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+"sep a [] = []" |
+"sep a [x] = [x]" |
+"sep a (x#y#zs) = x # a # sep a (y#zs)";
+
+text{*\noindent
+This time the length of the list decreases with the
+recursive call; the first argument is irrelevant for termination.
+
+Pattern matching\index{pattern matching!and \isacommand{fun}}
+need not be exhaustive and may employ wildcards:
+*}
+
+fun last :: "'a list \<Rightarrow> 'a" where
+"last [x] = x" |
+"last (_#y#zs) = last (y#zs)"
+
+text{*
+Overlapping patterns are disambiguated by taking the order of equations into
+account, just as in functional programming:
+*}
+
+fun sep1 :: "'a \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+"sep1 a (x#y#zs) = x # a # sep1 a (y#zs)" |
+"sep1 _ xs = xs"
+
+text{*\noindent
+To guarantee that the second equation can only be applied if the first
+one does not match, Isabelle internally replaces the second equation
+by the two possibilities that are left: @{prop"sep1 a [] = []"} and
+@{prop"sep1 a [x] = [x]"}. Thus the functions @{const sep} and
+@{const sep1} are identical.
+
+Because of its pattern matching syntax, \isacommand{fun} is also useful
+for the definition of non-recursive functions:
+*}
+
+fun swap12 :: "'a list \<Rightarrow> 'a list" where
+"swap12 (x#y#zs) = y#x#zs" |
+"swap12 zs = zs"
+
+text{*
+After a function~$f$ has been defined via \isacommand{fun},
+its defining equations (or variants derived from them) are available
+under the name $f$@{text".simps"} as theorems.
+For example, look (via \isacommand{thm}) at
+@{thm[source]sep.simps} and @{thm[source]sep1.simps} to see that they define
+the same function. What is more, those equations are automatically declared as
+simplification rules.
+
+\subsection{Termination}
+
+Isabelle's automatic termination prover for \isacommand{fun} has a
+fixed notion of the \emph{size} (of type @{typ nat}) of an
+argument. The size of a natural number is the number itself. The size
+of a list is its length. For the general case see \S\ref{sec:general-datatype}.
+A recursive function is accepted if \isacommand{fun} can
+show that the size of one fixed argument becomes smaller with each
+recursive call.
+
+More generally, \isacommand{fun} allows any \emph{lexicographic
+combination} of size measures in case there are multiple
+arguments. For example, the following version of \rmindex{Ackermann's
+function} is accepted: *}
+
+fun ack2 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"ack2 n 0 = Suc n" |
+"ack2 0 (Suc m) = ack2 (Suc 0) m" |
+"ack2 (Suc n) (Suc m) = ack2 (ack2 n (Suc m)) m"
+
+text{* The order of arguments has no influence on whether
+\isacommand{fun} can prove termination of a function. For more details
+see elsewhere~\cite{bulwahnKN07}.
+
+\subsection{Simplification}
+\label{sec:fun-simplification}
+
+Upon a successful termination proof, the recursion equations become
+simplification rules, just as with \isacommand{primrec}.
+In most cases this works fine, but there is a subtle
+problem that must be mentioned: simplification may not
+terminate because of automatic splitting of @{text "if"}.
+\index{*if expressions!splitting of}
+Let us look at an example:
+*}
+
+fun gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"gcd m n = (if n=0 then m else gcd n (m mod n))"
+
+text{*\noindent
+The second argument decreases with each recursive call.
+The termination condition
+@{prop[display]"n ~= (0::nat) ==> m mod n < n"}
+is proved automatically because it is already present as a lemma in
+HOL\@. Thus the recursion equation becomes a simplification
+rule. Of course the equation is nonterminating if we are allowed to unfold
+the recursive call inside the @{text else} branch, which is why programming
+languages and our simplifier don't do that. Unfortunately the simplifier does
+something else that leads to the same problem: it splits
+each @{text "if"}-expression unless its
+condition simplifies to @{term True} or @{term False}. For
+example, simplification reduces
+@{prop[display]"gcd m n = k"}
+in one step to
+@{prop[display]"(if n=0 then m else gcd n (m mod n)) = k"}
+where the condition cannot be reduced further, and splitting leads to
+@{prop[display]"(n=0 --> m=k) & (n ~= 0 --> gcd n (m mod n)=k)"}
+Since the recursive call @{term"gcd n (m mod n)"} is no longer protected by
+an @{text "if"}, it is unfolded again, which leads to an infinite chain of
+simplification steps. Fortunately, this problem can be avoided in many
+different ways.
+
+The most radical solution is to disable the offending theorem
+@{thm[source]split_if},
+as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
+approach: you will often have to invoke the rule explicitly when
+@{text "if"} is involved.
+
+If possible, the definition should be given by pattern matching on the left
+rather than @{text "if"} on the right. In the case of @{term gcd} the
+following alternative definition suggests itself:
+*}
+
+fun gcd1 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"gcd1 m 0 = m" |
+"gcd1 m n = gcd1 n (m mod n)"
+
+text{*\noindent
+The order of equations is important: it hides the side condition
+@{prop"n ~= (0::nat)"}. Unfortunately, not all conditionals can be
+expressed by pattern matching.
+
+A simple alternative is to replace @{text "if"} by @{text case},
+which is also available for @{typ bool} and is not split automatically:
+*}
+
+fun gcd2 :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"gcd2 m n = (case n=0 of True \<Rightarrow> m | False \<Rightarrow> gcd2 n (m mod n))"
+
+text{*\noindent
+This is probably the neatest solution next to pattern matching, and it is
+always available.
+
+A final alternative is to replace the offending simplification rules by
+derived conditional ones. For @{term gcd} it means we have to prove
+these lemmas:
+*}
+
+lemma [simp]: "gcd m 0 = m"
+apply(simp)
+done
+
+lemma [simp]: "n \<noteq> 0 \<Longrightarrow> gcd m n = gcd n (m mod n)"
+apply(simp)
+done
+
+text{*\noindent
+Simplification terminates for these proofs because the condition of the @{text
+"if"} simplifies to @{term True} or @{term False}.
+Now we can disable the original simplification rule:
+*}
+
+declare gcd.simps [simp del]
+
+text{*
+\index{induction!recursion|(}
+\index{recursion induction|(}
+
+\subsection{Induction}
+\label{sec:fun-induction}
+
+Having defined a function we might like to prove something about it.
+Since the function is recursive, the natural proof principle is
+again induction. But this time the structural form of induction that comes
+with datatypes is unlikely to work well --- otherwise we could have defined the
+function by \isacommand{primrec}. Therefore \isacommand{fun} automatically
+proves a suitable induction rule $f$@{text".induct"} that follows the
+recursion pattern of the particular function $f$. We call this
+\textbf{recursion induction}. Roughly speaking, it
+requires you to prove for each \isacommand{fun} equation that the property
+you are trying to establish holds for the left-hand side provided it holds
+for all recursive calls on the right-hand side. Here is a simple example
+involving the predefined @{term"map"} functional on lists:
+*}
+
+lemma "map f (sep x xs) = sep (f x) (map f xs)"
+
+txt{*\noindent
+Note that @{term"map f xs"}
+is the result of applying @{term"f"} to all elements of @{term"xs"}. We prove
+this lemma by recursion induction over @{term"sep"}:
+*}
+
+apply(induct_tac x xs rule: sep.induct);
+
+txt{*\noindent
+The resulting proof state has three subgoals corresponding to the three
+clauses for @{term"sep"}:
+@{subgoals[display,indent=0]}
+The rest is pure simplification:
+*}
+
+apply simp_all;
+done
+
+text{*\noindent The proof goes smoothly because the induction rule
+follows the recursion of @{const sep}. Try proving the above lemma by
+structural induction, and you find that you need an additional case
+distinction.
+
+In general, the format of invoking recursion induction is
+\begin{quote}
+\isacommand{apply}@{text"(induct_tac"} $x@1 \dots x@n$ @{text"rule:"} $f$@{text".induct)"}
+\end{quote}\index{*induct_tac (method)}%
+where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
+name of a function that takes $n$ arguments. Usually the subgoal will
+contain the term $f x@1 \dots x@n$ but this need not be the case. The
+induction rules do not mention $f$ at all. Here is @{thm[source]sep.induct}:
+\begin{isabelle}
+{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
+~~{\isasymAnd}a~x.~P~a~[x];\isanewline
+~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
+{\isasymLongrightarrow}~P~u~v%
+\end{isabelle}
+It merely says that in order to prove a property @{term"P"} of @{term"u"} and
+@{term"v"} you need to prove it for the three cases where @{term"v"} is the
+empty list, the singleton list, and the list with at least two elements.
+The final case has an induction hypothesis: you may assume that @{term"P"}
+holds for the tail of that list.
+\index{induction!recursion|)}
+\index{recursion induction|)}
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Ifexpr/Ifexpr.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,221 @@
+(*<*)
+theory Ifexpr imports Main begin;
+(*>*)
+
+subsection{*Case Study: Boolean Expressions*}
+
+text{*\label{sec:boolex}\index{boolean expressions example|(}
+The aim of this case study is twofold: it shows how to model boolean
+expressions and some algorithms for manipulating them, and it demonstrates
+the constructs introduced above.
+*}
+
+subsubsection{*Modelling Boolean Expressions*}
+
+text{*
+We want to represent boolean expressions built up from variables and
+constants by negation and conjunction. The following datatype serves exactly
+that purpose:
+*}
+
+datatype boolex = Const bool | Var nat | Neg boolex
+ | And boolex boolex;
+
+text{*\noindent
+The two constants are represented by @{term"Const True"} and
+@{term"Const False"}. Variables are represented by terms of the form
+@{term"Var n"}, where @{term"n"} is a natural number (type @{typ"nat"}).
+For example, the formula $P@0 \land \neg P@1$ is represented by the term
+@{term"And (Var 0) (Neg(Var 1))"}.
+
+\subsubsection{The Value of a Boolean Expression}
+
+The value of a boolean expression depends on the value of its variables.
+Hence the function @{text"value"} takes an additional parameter, an
+\emph{environment} of type @{typ"nat => bool"}, which maps variables to their
+values:
+*}
+
+primrec "value" :: "boolex \<Rightarrow> (nat \<Rightarrow> bool) \<Rightarrow> bool" where
+"value (Const b) env = b" |
+"value (Var x) env = env x" |
+"value (Neg b) env = (\<not> value b env)" |
+"value (And b c) env = (value b env \<and> value c env)"
+
+text{*\noindent
+\subsubsection{If-Expressions}
+
+An alternative and often more efficient (because in a certain sense
+canonical) representation are so-called \emph{If-expressions} built up
+from constants (@{term"CIF"}), variables (@{term"VIF"}) and conditionals
+(@{term"IF"}):
+*}
+
+datatype ifex = CIF bool | VIF nat | IF ifex ifex ifex;
+
+text{*\noindent
+The evaluation of If-expressions proceeds as for @{typ"boolex"}:
+*}
+
+primrec valif :: "ifex \<Rightarrow> (nat \<Rightarrow> bool) \<Rightarrow> bool" where
+"valif (CIF b) env = b" |
+"valif (VIF x) env = env x" |
+"valif (IF b t e) env = (if valif b env then valif t env
+ else valif e env)"
+
+text{*
+\subsubsection{Converting Boolean and If-Expressions}
+
+The type @{typ"boolex"} is close to the customary representation of logical
+formulae, whereas @{typ"ifex"} is designed for efficiency. It is easy to
+translate from @{typ"boolex"} into @{typ"ifex"}:
+*}
+
+primrec bool2if :: "boolex \<Rightarrow> ifex" where
+"bool2if (Const b) = CIF b" |
+"bool2if (Var x) = VIF x" |
+"bool2if (Neg b) = IF (bool2if b) (CIF False) (CIF True)" |
+"bool2if (And b c) = IF (bool2if b) (bool2if c) (CIF False)"
+
+text{*\noindent
+At last, we have something we can verify: that @{term"bool2if"} preserves the
+value of its argument:
+*}
+
+lemma "valif (bool2if b) env = value b env";
+
+txt{*\noindent
+The proof is canonical:
+*}
+
+apply(induct_tac b);
+apply(auto);
+done
+
+text{*\noindent
+In fact, all proofs in this case study look exactly like this. Hence we do
+not show them below.
+
+More interesting is the transformation of If-expressions into a normal form
+where the first argument of @{term"IF"} cannot be another @{term"IF"} but
+must be a constant or variable. Such a normal form can be computed by
+repeatedly replacing a subterm of the form @{term"IF (IF b x y) z u"} by
+@{term"IF b (IF x z u) (IF y z u)"}, which has the same value. The following
+primitive recursive functions perform this task:
+*}
+
+primrec normif :: "ifex \<Rightarrow> ifex \<Rightarrow> ifex \<Rightarrow> ifex" where
+"normif (CIF b) t e = IF (CIF b) t e" |
+"normif (VIF x) t e = IF (VIF x) t e" |
+"normif (IF b t e) u f = normif b (normif t u f) (normif e u f)"
+
+primrec norm :: "ifex \<Rightarrow> ifex" where
+"norm (CIF b) = CIF b" |
+"norm (VIF x) = VIF x" |
+"norm (IF b t e) = normif b (norm t) (norm e)"
+
+text{*\noindent
+Their interplay is tricky; we leave it to you to develop an
+intuitive understanding. Fortunately, Isabelle can help us to verify that the
+transformation preserves the value of the expression:
+*}
+
+theorem "valif (norm b) env = valif b env";(*<*)oops;(*>*)
+
+text{*\noindent
+The proof is canonical, provided we first show the following simplification
+lemma, which also helps to understand what @{term"normif"} does:
+*}
+
+lemma [simp]:
+ "\<forall>t e. valif (normif b t e) env = valif (IF b t e) env";
+(*<*)
+apply(induct_tac b);
+by(auto);
+
+theorem "valif (norm b) env = valif b env";
+apply(induct_tac b);
+by(auto);
+(*>*)
+text{*\noindent
+Note that the lemma does not have a name, but is implicitly used in the proof
+of the theorem shown above because of the @{text"[simp]"} attribute.
+
+But how can we be sure that @{term"norm"} really produces a normal form in
+the above sense? We define a function that tests If-expressions for normality:
+*}
+
+primrec normal :: "ifex \<Rightarrow> bool" where
+"normal(CIF b) = True" |
+"normal(VIF x) = True" |
+"normal(IF b t e) = (normal t \<and> normal e \<and>
+ (case b of CIF b \<Rightarrow> True | VIF x \<Rightarrow> True | IF x y z \<Rightarrow> False))"
+
+text{*\noindent
+Now we prove @{term"normal(norm b)"}. Of course, this requires a lemma about
+normality of @{term"normif"}:
+*}
+
+lemma [simp]: "\<forall>t e. normal(normif b t e) = (normal t \<and> normal e)";
+(*<*)
+apply(induct_tac b);
+by(auto);
+
+theorem "normal(norm b)";
+apply(induct_tac b);
+by(auto);
+(*>*)
+
+text{*\medskip
+How do we come up with the required lemmas? Try to prove the main theorems
+without them and study carefully what @{text auto} leaves unproved. This
+can provide the clue. The necessity of universal quantification
+(@{text"\<forall>t e"}) in the two lemmas is explained in
+\S\ref{sec:InductionHeuristics}
+
+\begin{exercise}
+ We strengthen the definition of a @{const normal} If-expression as follows:
+ the first argument of all @{term IF}s must be a variable. Adapt the above
+ development to this changed requirement. (Hint: you may need to formulate
+ some of the goals as implications (@{text"\<longrightarrow>"}) rather than
+ equalities (@{text"="}).)
+\end{exercise}
+\index{boolean expressions example|)}
+*}
+(*<*)
+
+primrec normif2 :: "ifex => ifex => ifex => ifex" where
+"normif2 (CIF b) t e = (if b then t else e)" |
+"normif2 (VIF x) t e = IF (VIF x) t e" |
+"normif2 (IF b t e) u f = normif2 b (normif2 t u f) (normif2 e u f)"
+
+primrec norm2 :: "ifex => ifex" where
+"norm2 (CIF b) = CIF b" |
+"norm2 (VIF x) = VIF x" |
+"norm2 (IF b t e) = normif2 b (norm2 t) (norm2 e)"
+
+primrec normal2 :: "ifex => bool" where
+"normal2(CIF b) = True" |
+"normal2(VIF x) = True" |
+"normal2(IF b t e) = (normal2 t & normal2 e &
+ (case b of CIF b => False | VIF x => True | IF x y z => False))"
+
+lemma [simp]:
+ "ALL t e. valif (normif2 b t e) env = valif (IF b t e) env"
+apply(induct b)
+by(auto)
+
+theorem "valif (norm2 b) env = valif b env"
+apply(induct b)
+by(auto)
+
+lemma [simp]: "ALL t e. normal2 t & normal2 e --> normal2(normif2 b t e)"
+apply(induct b)
+by(auto)
+
+theorem "normal2(norm2 b)"
+apply(induct b)
+by(auto)
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Inductive/AB.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,309 @@
+(*<*)theory AB imports Main begin(*>*)
+
+section{*Case Study: A Context Free Grammar*}
+
+text{*\label{sec:CFG}
+\index{grammars!defining inductively|(}%
+Grammars are nothing but shorthands for inductive definitions of nonterminals
+which represent sets of strings. For example, the production
+$A \to B c$ is short for
+\[ w \in B \Longrightarrow wc \in A \]
+This section demonstrates this idea with an example
+due to Hopcroft and Ullman, a grammar for generating all words with an
+equal number of $a$'s and~$b$'s:
+\begin{eqnarray}
+S &\to& \epsilon \mid b A \mid a B \nonumber\\
+A &\to& a S \mid b A A \nonumber\\
+B &\to& b S \mid a B B \nonumber
+\end{eqnarray}
+At the end we say a few words about the relationship between
+the original proof \cite[p.\ts81]{HopcroftUllman} and our formal version.
+
+We start by fixing the alphabet, which consists only of @{term a}'s
+and~@{term b}'s:
+*}
+
+datatype alfa = a | b
+
+text{*\noindent
+For convenience we include the following easy lemmas as simplification rules:
+*}
+
+lemma [simp]: "(x \<noteq> a) = (x = b) \<and> (x \<noteq> b) = (x = a)"
+by (case_tac x, auto)
+
+text{*\noindent
+Words over this alphabet are of type @{typ"alfa list"}, and
+the three nonterminals are declared as sets of such words.
+The productions above are recast as a \emph{mutual} inductive
+definition\index{inductive definition!simultaneous}
+of @{term S}, @{term A} and~@{term B}:
+*}
+
+inductive_set
+ S :: "alfa list set" and
+ A :: "alfa list set" and
+ B :: "alfa list set"
+where
+ "[] \<in> S"
+| "w \<in> A \<Longrightarrow> b#w \<in> S"
+| "w \<in> B \<Longrightarrow> a#w \<in> S"
+
+| "w \<in> S \<Longrightarrow> a#w \<in> A"
+| "\<lbrakk> v\<in>A; w\<in>A \<rbrakk> \<Longrightarrow> b#v@w \<in> A"
+
+| "w \<in> S \<Longrightarrow> b#w \<in> B"
+| "\<lbrakk> v \<in> B; w \<in> B \<rbrakk> \<Longrightarrow> a#v@w \<in> B"
+
+text{*\noindent
+First we show that all words in @{term S} contain the same number of @{term
+a}'s and @{term b}'s. Since the definition of @{term S} is by mutual
+induction, so is the proof: we show at the same time that all words in
+@{term A} contain one more @{term a} than @{term b} and all words in @{term
+B} contain one more @{term b} than @{term a}.
+*}
+
+lemma correctness:
+ "(w \<in> S \<longrightarrow> size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b]) \<and>
+ (w \<in> A \<longrightarrow> size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] + 1) \<and>
+ (w \<in> B \<longrightarrow> size[x\<leftarrow>w. x=b] = size[x\<leftarrow>w. x=a] + 1)"
+
+txt{*\noindent
+These propositions are expressed with the help of the predefined @{term
+filter} function on lists, which has the convenient syntax @{text"[x\<leftarrow>xs. P
+x]"}, the list of all elements @{term x} in @{term xs} such that @{prop"P x"}
+holds. Remember that on lists @{text size} and @{text length} are synonymous.
+
+The proof itself is by rule induction and afterwards automatic:
+*}
+
+by (rule S_A_B.induct, auto)
+
+text{*\noindent
+This may seem surprising at first, and is indeed an indication of the power
+of inductive definitions. But it is also quite straightforward. For example,
+consider the production $A \to b A A$: if $v,w \in A$ and the elements of $A$
+contain one more $a$ than~$b$'s, then $bvw$ must again contain one more $a$
+than~$b$'s.
+
+As usual, the correctness of syntactic descriptions is easy, but completeness
+is hard: does @{term S} contain \emph{all} words with an equal number of
+@{term a}'s and @{term b}'s? It turns out that this proof requires the
+following lemma: every string with two more @{term a}'s than @{term
+b}'s can be cut somewhere such that each half has one more @{term a} than
+@{term b}. This is best seen by imagining counting the difference between the
+number of @{term a}'s and @{term b}'s starting at the left end of the
+word. We start with 0 and end (at the right end) with 2. Since each move to the
+right increases or decreases the difference by 1, we must have passed through
+1 on our way from 0 to 2. Formally, we appeal to the following discrete
+intermediate value theorem @{thm[source]nat0_intermed_int_val}
+@{thm[display,margin=60]nat0_intermed_int_val[no_vars]}
+where @{term f} is of type @{typ"nat \<Rightarrow> int"}, @{typ int} are the integers,
+@{text"\<bar>.\<bar>"} is the absolute value function\footnote{See
+Table~\ref{tab:ascii} in the Appendix for the correct \textsc{ascii}
+syntax.}, and @{term"1::int"} is the integer 1 (see \S\ref{sec:numbers}).
+
+First we show that our specific function, the difference between the
+numbers of @{term a}'s and @{term b}'s, does indeed only change by 1 in every
+move to the right. At this point we also start generalizing from @{term a}'s
+and @{term b}'s to an arbitrary property @{term P}. Otherwise we would have
+to prove the desired lemma twice, once as stated above and once with the
+roles of @{term a}'s and @{term b}'s interchanged.
+*}
+
+lemma step1: "\<forall>i < size w.
+ \<bar>(int(size[x\<leftarrow>take (i+1) w. P x])-int(size[x\<leftarrow>take (i+1) w. \<not>P x]))
+ - (int(size[x\<leftarrow>take i w. P x])-int(size[x\<leftarrow>take i w. \<not>P x]))\<bar> \<le> 1"
+
+txt{*\noindent
+The lemma is a bit hard to read because of the coercion function
+@{text"int :: nat \<Rightarrow> int"}. It is required because @{term size} returns
+a natural number, but subtraction on type~@{typ nat} will do the wrong thing.
+Function @{term take} is predefined and @{term"take i xs"} is the prefix of
+length @{term i} of @{term xs}; below we also need @{term"drop i xs"}, which
+is what remains after that prefix has been dropped from @{term xs}.
+
+The proof is by induction on @{term w}, with a trivial base case, and a not
+so trivial induction step. Since it is essentially just arithmetic, we do not
+discuss it.
+*}
+
+apply(induct_tac w)
+apply(auto simp add: abs_if take_Cons split: nat.split)
+done
+
+text{*
+Finally we come to the above-mentioned lemma about cutting in half a word with two more elements of one sort than of the other sort:
+*}
+
+lemma part1:
+ "size[x\<leftarrow>w. P x] = size[x\<leftarrow>w. \<not>P x]+2 \<Longrightarrow>
+ \<exists>i\<le>size w. size[x\<leftarrow>take i w. P x] = size[x\<leftarrow>take i w. \<not>P x]+1"
+
+txt{*\noindent
+This is proved by @{text force} with the help of the intermediate value theorem,
+instantiated appropriately and with its first premise disposed of by lemma
+@{thm[source]step1}:
+*}
+
+apply(insert nat0_intermed_int_val[OF step1, of "P" "w" "1"])
+by force
+
+text{*\noindent
+
+Lemma @{thm[source]part1} tells us only about the prefix @{term"take i w"}.
+An easy lemma deals with the suffix @{term"drop i w"}:
+*}
+
+
+lemma part2:
+ "\<lbrakk>size[x\<leftarrow>take i w @ drop i w. P x] =
+ size[x\<leftarrow>take i w @ drop i w. \<not>P x]+2;
+ size[x\<leftarrow>take i w. P x] = size[x\<leftarrow>take i w. \<not>P x]+1\<rbrakk>
+ \<Longrightarrow> size[x\<leftarrow>drop i w. P x] = size[x\<leftarrow>drop i w. \<not>P x]+1"
+by(simp del: append_take_drop_id)
+
+text{*\noindent
+In the proof we have disabled the normally useful lemma
+\begin{isabelle}
+@{thm append_take_drop_id[no_vars]}
+\rulename{append_take_drop_id}
+\end{isabelle}
+to allow the simplifier to apply the following lemma instead:
+@{text[display]"[x\<in>xs@ys. P x] = [x\<in>xs. P x] @ [x\<in>ys. P x]"}
+
+To dispose of trivial cases automatically, the rules of the inductive
+definition are declared simplification rules:
+*}
+
+declare S_A_B.intros[simp]
+
+text{*\noindent
+This could have been done earlier but was not necessary so far.
+
+The completeness theorem tells us that if a word has the same number of
+@{term a}'s and @{term b}'s, then it is in @{term S}, and similarly
+for @{term A} and @{term B}:
+*}
+
+theorem completeness:
+ "(size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] \<longrightarrow> w \<in> S) \<and>
+ (size[x\<leftarrow>w. x=a] = size[x\<leftarrow>w. x=b] + 1 \<longrightarrow> w \<in> A) \<and>
+ (size[x\<leftarrow>w. x=b] = size[x\<leftarrow>w. x=a] + 1 \<longrightarrow> w \<in> B)"
+
+txt{*\noindent
+The proof is by induction on @{term w}. Structural induction would fail here
+because, as we can see from the grammar, we need to make bigger steps than
+merely appending a single letter at the front. Hence we induct on the length
+of @{term w}, using the induction rule @{thm[source]length_induct}:
+*}
+
+apply(induct_tac w rule: length_induct)
+apply(rename_tac w)
+
+txt{*\noindent
+The @{text rule} parameter tells @{text induct_tac} explicitly which induction
+rule to use. For details see \S\ref{sec:complete-ind} below.
+In this case the result is that we may assume the lemma already
+holds for all words shorter than @{term w}. Because the induction step renames
+the induction variable we rename it back to @{text w}.
+
+The proof continues with a case distinction on @{term w},
+on whether @{term w} is empty or not.
+*}
+
+apply(case_tac w)
+ apply(simp_all)
+(*<*)apply(rename_tac x v)(*>*)
+
+txt{*\noindent
+Simplification disposes of the base case and leaves only a conjunction
+of two step cases to be proved:
+if @{prop"w = a#v"} and @{prop[display]"size[x\<in>v. x=a] = size[x\<in>v. x=b]+2"} then
+@{prop"b#v \<in> A"}, and similarly for @{prop"w = b#v"}.
+We only consider the first case in detail.
+
+After breaking the conjunction up into two cases, we can apply
+@{thm[source]part1} to the assumption that @{term w} contains two more @{term
+a}'s than @{term b}'s.
+*}
+
+apply(rule conjI)
+ apply(clarify)
+ apply(frule part1[of "\<lambda>x. x=a", simplified])
+ apply(clarify)
+txt{*\noindent
+This yields an index @{prop"i \<le> length v"} such that
+@{prop[display]"length [x\<leftarrow>take i v . x = a] = length [x\<leftarrow>take i v . x = b] + 1"}
+With the help of @{thm[source]part2} it follows that
+@{prop[display]"length [x\<leftarrow>drop i v . x = a] = length [x\<leftarrow>drop i v . x = b] + 1"}
+*}
+
+ apply(drule part2[of "\<lambda>x. x=a", simplified])
+ apply(assumption)
+
+txt{*\noindent
+Now it is time to decompose @{term v} in the conclusion @{prop"b#v \<in> A"}
+into @{term"take i v @ drop i v"},
+*}
+
+ apply(rule_tac n1=i and t=v in subst[OF append_take_drop_id])
+
+txt{*\noindent
+(the variables @{term n1} and @{term t} are the result of composing the
+theorems @{thm[source]subst} and @{thm[source]append_take_drop_id})
+after which the appropriate rule of the grammar reduces the goal
+to the two subgoals @{prop"take i v \<in> A"} and @{prop"drop i v \<in> A"}:
+*}
+
+ apply(rule S_A_B.intros)
+
+txt{*
+Both subgoals follow from the induction hypothesis because both @{term"take i
+v"} and @{term"drop i v"} are shorter than @{term w}:
+*}
+
+ apply(force simp add: min_less_iff_disj)
+ apply(force split add: nat_diff_split)
+
+txt{*
+The case @{prop"w = b#v"} is proved analogously:
+*}
+
+apply(clarify)
+apply(frule part1[of "\<lambda>x. x=b", simplified])
+apply(clarify)
+apply(drule part2[of "\<lambda>x. x=b", simplified])
+ apply(assumption)
+apply(rule_tac n1=i and t=v in subst[OF append_take_drop_id])
+apply(rule S_A_B.intros)
+ apply(force simp add: min_less_iff_disj)
+by(force simp add: min_less_iff_disj split add: nat_diff_split)
+
+text{*
+We conclude this section with a comparison of our proof with
+Hopcroft\index{Hopcroft, J. E.} and Ullman's\index{Ullman, J. D.}
+\cite[p.\ts81]{HopcroftUllman}.
+For a start, the textbook
+grammar, for no good reason, excludes the empty word, thus complicating
+matters just a little bit: they have 8 instead of our 7 productions.
+
+More importantly, the proof itself is different: rather than
+separating the two directions, they perform one induction on the
+length of a word. This deprives them of the beauty of rule induction,
+and in the easy direction (correctness) their reasoning is more
+detailed than our @{text auto}. For the hard part (completeness), they
+consider just one of the cases that our @{text simp_all} disposes of
+automatically. Then they conclude the proof by saying about the
+remaining cases: ``We do this in a manner similar to our method of
+proof for part (1); this part is left to the reader''. But this is
+precisely the part that requires the intermediate value theorem and
+thus is not at all similar to the other cases (which are automatic in
+Isabelle). The authors are at least cavalier about this point and may
+even have overlooked the slight difficulty lurking in the omitted
+cases. Such errors are found in many pen-and-paper proofs when they
+are scrutinized formally.%
+\index{grammars!defining inductively|)}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Inductive/Advanced.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,407 @@
+(*<*)theory Advanced imports Even begin
+ML_file "../../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+(*>*)
+
+text {*
+The premises of introduction rules may contain universal quantifiers and
+monotone functions. A universal quantifier lets the rule
+refer to any number of instances of
+the inductively defined set. A monotone function lets the rule refer
+to existing constructions (such as ``list of'') over the inductively defined
+set. The examples below show how to use the additional expressiveness
+and how to reason from the resulting definitions.
+*}
+
+subsection{* Universal Quantifiers in Introduction Rules \label{sec:gterm-datatype} *}
+
+text {*
+\index{ground terms example|(}%
+\index{quantifiers!and inductive definitions|(}%
+As a running example, this section develops the theory of \textbf{ground
+terms}: terms constructed from constant and function
+symbols but not variables. To simplify matters further, we regard a
+constant as a function applied to the null argument list. Let us declare a
+datatype @{text gterm} for the type of ground terms. It is a type constructor
+whose argument is a type of function symbols.
+*}
+
+datatype 'f gterm = Apply 'f "'f gterm list"
+
+text {*
+To try it out, we declare a datatype of some integer operations:
+integer constants, the unary minus operator and the addition
+operator.
+*}
+
+datatype integer_op = Number int | UnaryMinus | Plus
+
+text {*
+Now the type @{typ "integer_op gterm"} denotes the ground
+terms built over those symbols.
+
+The type constructor @{text gterm} can be generalized to a function
+over sets. It returns
+the set of ground terms that can be formed over a set @{text F} of function symbols. For
+example, we could consider the set of ground terms formed from the finite
+set @{text "{Number 2, UnaryMinus, Plus}"}.
+
+This concept is inductive. If we have a list @{text args} of ground terms
+over~@{text F} and a function symbol @{text f} in @{text F}, then we
+can apply @{text f} to @{text args} to obtain another ground term.
+The only difficulty is that the argument list may be of any length. Hitherto,
+each rule in an inductive definition referred to the inductively
+defined set a fixed number of times, typically once or twice.
+A universal quantifier in the premise of the introduction rule
+expresses that every element of @{text args} belongs
+to our inductively defined set: is a ground term
+over~@{text F}. The function @{term set} denotes the set of elements in a given
+list.
+*}
+
+inductive_set
+ gterms :: "'f set \<Rightarrow> 'f gterm set"
+ for F :: "'f set"
+where
+step[intro!]: "\<lbrakk>\<forall>t \<in> set args. t \<in> gterms F; f \<in> F\<rbrakk>
+ \<Longrightarrow> (Apply f args) \<in> gterms F"
+
+text {*
+To demonstrate a proof from this definition, let us
+show that the function @{term gterms}
+is \textbf{monotone}. We shall need this concept shortly.
+*}
+
+lemma gterms_mono: "F\<subseteq>G \<Longrightarrow> gterms F \<subseteq> gterms G"
+apply clarify
+apply (erule gterms.induct)
+apply blast
+done
+(*<*)
+lemma gterms_mono: "F\<subseteq>G \<Longrightarrow> gterms F \<subseteq> gterms G"
+apply clarify
+apply (erule gterms.induct)
+(*>*)
+txt{*
+Intuitively, this theorem says that
+enlarging the set of function symbols enlarges the set of ground
+terms. The proof is a trivial rule induction.
+First we use the @{text clarify} method to assume the existence of an element of
+@{term "gterms F"}. (We could have used @{text "intro subsetI"}.) We then
+apply rule induction. Here is the resulting subgoal:
+@{subgoals[display,indent=0]}
+The assumptions state that @{text f} belongs
+to~@{text F}, which is included in~@{text G}, and that every element of the list @{text args} is
+a ground term over~@{text G}. The @{text blast} method finds this chain of reasoning easily.
+*}
+(*<*)oops(*>*)
+text {*
+\begin{warn}
+Why do we call this function @{text gterms} instead
+of @{text gterm}? A constant may have the same name as a type. However,
+name clashes could arise in the theorems that Isabelle generates.
+Our choice of names keeps @{text gterms.induct} separate from
+@{text gterm.induct}.
+\end{warn}
+
+Call a term \textbf{well-formed} if each symbol occurring in it is applied
+to the correct number of arguments. (This number is called the symbol's
+\textbf{arity}.) We can express well-formedness by
+generalizing the inductive definition of
+\isa{gterms}.
+Suppose we are given a function called @{text arity}, specifying the arities
+of all symbols. In the inductive step, we have a list @{text args} of such
+terms and a function symbol~@{text f}. If the length of the list matches the
+function's arity then applying @{text f} to @{text args} yields a well-formed
+term.
+*}
+
+inductive_set
+ well_formed_gterm :: "('f \<Rightarrow> nat) \<Rightarrow> 'f gterm set"
+ for arity :: "'f \<Rightarrow> nat"
+where
+step[intro!]: "\<lbrakk>\<forall>t \<in> set args. t \<in> well_formed_gterm arity;
+ length args = arity f\<rbrakk>
+ \<Longrightarrow> (Apply f args) \<in> well_formed_gterm arity"
+
+text {*
+The inductive definition neatly captures the reasoning above.
+The universal quantification over the
+@{text set} of arguments expresses that all of them are well-formed.%
+\index{quantifiers!and inductive definitions|)}
+*}
+
+subsection{* Alternative Definition Using a Monotone Function *}
+
+text {*
+\index{monotone functions!and inductive definitions|(}%
+An inductive definition may refer to the
+inductively defined set through an arbitrary monotone function. To
+demonstrate this powerful feature, let us
+change the inductive definition above, replacing the
+quantifier by a use of the function @{term lists}. This
+function, from the Isabelle theory of lists, is analogous to the
+function @{term gterms} declared above: if @{text A} is a set then
+@{term "lists A"} is the set of lists whose elements belong to
+@{term A}.
+
+In the inductive definition of well-formed terms, examine the one
+introduction rule. The first premise states that @{text args} belongs to
+the @{text lists} of well-formed terms. This formulation is more
+direct, if more obscure, than using a universal quantifier.
+*}
+
+inductive_set
+ well_formed_gterm' :: "('f \<Rightarrow> nat) \<Rightarrow> 'f gterm set"
+ for arity :: "'f \<Rightarrow> nat"
+where
+step[intro!]: "\<lbrakk>args \<in> lists (well_formed_gterm' arity);
+ length args = arity f\<rbrakk>
+ \<Longrightarrow> (Apply f args) \<in> well_formed_gterm' arity"
+monos lists_mono
+
+text {*
+We cite the theorem @{text lists_mono} to justify
+using the function @{term lists}.%
+\footnote{This particular theorem is installed by default already, but we
+include the \isakeyword{monos} declaration in order to illustrate its syntax.}
+@{named_thms [display,indent=0] lists_mono [no_vars] (lists_mono)}
+Why must the function be monotone? An inductive definition describes
+an iterative construction: each element of the set is constructed by a
+finite number of introduction rule applications. For example, the
+elements of \isa{even} are constructed by finitely many applications of
+the rules
+@{thm [display,indent=0] even.intros [no_vars]}
+All references to a set in its
+inductive definition must be positive. Applications of an
+introduction rule cannot invalidate previous applications, allowing the
+construction process to converge.
+The following pair of rules do not constitute an inductive definition:
+\begin{trivlist}
+\item @{term "0 \<in> even"}
+\item @{term "n \<notin> even \<Longrightarrow> (Suc n) \<in> even"}
+\end{trivlist}
+Showing that 4 is even using these rules requires showing that 3 is not
+even. It is far from trivial to show that this set of rules
+characterizes the even numbers.
+
+Even with its use of the function \isa{lists}, the premise of our
+introduction rule is positive:
+@{thm [display,indent=0] (prem 1) step [no_vars]}
+To apply the rule we construct a list @{term args} of previously
+constructed well-formed terms. We obtain a
+new term, @{term "Apply f args"}. Because @{term lists} is monotone,
+applications of the rule remain valid as new terms are constructed.
+Further lists of well-formed
+terms become available and none are taken away.%
+\index{monotone functions!and inductive definitions|)}
+*}
+
+subsection{* A Proof of Equivalence *}
+
+text {*
+We naturally hope that these two inductive definitions of ``well-formed''
+coincide. The equality can be proved by separate inclusions in
+each direction. Each is a trivial rule induction.
+*}
+
+lemma "well_formed_gterm arity \<subseteq> well_formed_gterm' arity"
+apply clarify
+apply (erule well_formed_gterm.induct)
+apply auto
+done
+(*<*)
+lemma "well_formed_gterm arity \<subseteq> well_formed_gterm' arity"
+apply clarify
+apply (erule well_formed_gterm.induct)
+(*>*)
+txt {*
+The @{text clarify} method gives
+us an element of @{term "well_formed_gterm arity"} on which to perform
+induction. The resulting subgoal can be proved automatically:
+@{subgoals[display,indent=0]}
+This proof resembles the one given in
+{\S}\ref{sec:gterm-datatype} above, especially in the form of the
+induction hypothesis. Next, we consider the opposite inclusion:
+*}
+(*<*)oops(*>*)
+lemma "well_formed_gterm' arity \<subseteq> well_formed_gterm arity"
+apply clarify
+apply (erule well_formed_gterm'.induct)
+apply auto
+done
+(*<*)
+lemma "well_formed_gterm' arity \<subseteq> well_formed_gterm arity"
+apply clarify
+apply (erule well_formed_gterm'.induct)
+(*>*)
+txt {*
+The proof script is virtually identical,
+but the subgoal after applying induction may be surprising:
+@{subgoals[display,indent=0,margin=65]}
+The induction hypothesis contains an application of @{term lists}. Using a
+monotone function in the inductive definition always has this effect. The
+subgoal may look uninviting, but fortunately
+@{term lists} distributes over intersection:
+@{named_thms [display,indent=0] lists_Int_eq [no_vars] (lists_Int_eq)}
+Thanks to this default simplification rule, the induction hypothesis
+is quickly replaced by its two parts:
+\begin{trivlist}
+\item @{term "args \<in> lists (well_formed_gterm' arity)"}
+\item @{term "args \<in> lists (well_formed_gterm arity)"}
+\end{trivlist}
+Invoking the rule @{text well_formed_gterm.step} completes the proof. The
+call to @{text auto} does all this work.
+
+This example is typical of how monotone functions
+\index{monotone functions} can be used. In particular, many of them
+distribute over intersection. Monotonicity implies one direction of
+this set equality; we have this theorem:
+@{named_thms [display,indent=0] mono_Int [no_vars] (mono_Int)}
+*}
+(*<*)oops(*>*)
+
+
+subsection{* Another Example of Rule Inversion *}
+
+text {*
+\index{rule inversion|(}%
+Does @{term gterms} distribute over intersection? We have proved that this
+function is monotone, so @{text mono_Int} gives one of the inclusions. The
+opposite inclusion asserts that if @{term t} is a ground term over both of the
+sets
+@{term F} and~@{term G} then it is also a ground term over their intersection,
+@{term "F \<inter> G"}.
+*}
+
+lemma gterms_IntI:
+ "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
+(*<*)oops(*>*)
+text {*
+Attempting this proof, we get the assumption
+@{term "Apply f args \<in> gterms G"}, which cannot be broken down.
+It looks like a job for rule inversion:\cmmdx{inductive\protect\_cases}
+*}
+
+inductive_cases gterm_Apply_elim [elim!]: "Apply f args \<in> gterms F"
+
+text {*
+Here is the result.
+@{named_thms [display,indent=0,margin=50] gterm_Apply_elim [no_vars] (gterm_Apply_elim)}
+This rule replaces an assumption about @{term "Apply f args"} by
+assumptions about @{term f} and~@{term args}.
+No cases are discarded (there was only one to begin
+with) but the rule applies specifically to the pattern @{term "Apply f args"}.
+It can be applied repeatedly as an elimination rule without looping, so we
+have given the @{text "elim!"} attribute.
+
+Now we can prove the other half of that distributive law.
+*}
+
+lemma gterms_IntI [rule_format, intro!]:
+ "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
+apply (erule gterms.induct)
+apply blast
+done
+(*<*)
+lemma "t \<in> gterms F \<Longrightarrow> t \<in> gterms G \<longrightarrow> t \<in> gterms (F\<inter>G)"
+apply (erule gterms.induct)
+(*>*)
+txt {*
+The proof begins with rule induction over the definition of
+@{term gterms}, which leaves a single subgoal:
+@{subgoals[display,indent=0,margin=65]}
+To prove this, we assume @{term "Apply f args \<in> gterms G"}. Rule inversion,
+in the form of @{text gterm_Apply_elim}, infers
+that every element of @{term args} belongs to
+@{term "gterms G"}; hence (by the induction hypothesis) it belongs
+to @{term "gterms (F \<inter> G)"}. Rule inversion also yields
+@{term "f \<in> G"} and hence @{term "f \<in> F \<inter> G"}.
+All of this reasoning is done by @{text blast}.
+
+\smallskip
+Our distributive law is a trivial consequence of previously-proved results:
+*}
+(*<*)oops(*>*)
+lemma gterms_Int_eq [simp]:
+ "gterms (F \<inter> G) = gterms F \<inter> gterms G"
+by (blast intro!: mono_Int monoI gterms_mono)
+
+text_raw {*
+\index{rule inversion|)}%
+\index{ground terms example|)}
+
+
+\begin{isamarkuptext}
+\begin{exercise}
+A function mapping function symbols to their
+types is called a \textbf{signature}. Given a type
+ranging over type symbols, we can represent a function's type by a
+list of argument types paired with the result type.
+Complete this inductive definition:
+\begin{isabelle}
+*}
+
+inductive_set
+ well_typed_gterm :: "('f \<Rightarrow> 't list * 't) \<Rightarrow> ('f gterm * 't)set"
+ for sig :: "'f \<Rightarrow> 't list * 't"
+(*<*)
+where
+step[intro!]:
+ "\<lbrakk>\<forall>pair \<in> set args. pair \<in> well_typed_gterm sig;
+ sig f = (map snd args, rtype)\<rbrakk>
+ \<Longrightarrow> (Apply f (map fst args), rtype)
+ \<in> well_typed_gterm sig"
+(*>*)
+text_raw {*
+\end{isabelle}
+\end{exercise}
+\end{isamarkuptext}
+*}
+
+(*<*)
+
+text{*the following declaration isn't actually used*}
+primrec
+ integer_arity :: "integer_op \<Rightarrow> nat"
+where
+ "integer_arity (Number n) = 0"
+| "integer_arity UnaryMinus = 1"
+| "integer_arity Plus = 2"
+
+text{* the rest isn't used: too complicated. OK for an exercise though.*}
+
+inductive_set
+ integer_signature :: "(integer_op * (unit list * unit)) set"
+where
+ Number: "(Number n, ([], ())) \<in> integer_signature"
+| UnaryMinus: "(UnaryMinus, ([()], ())) \<in> integer_signature"
+| Plus: "(Plus, ([(),()], ())) \<in> integer_signature"
+
+inductive_set
+ well_typed_gterm' :: "('f \<Rightarrow> 't list * 't) \<Rightarrow> ('f gterm * 't)set"
+ for sig :: "'f \<Rightarrow> 't list * 't"
+where
+step[intro!]:
+ "\<lbrakk>args \<in> lists(well_typed_gterm' sig);
+ sig f = (map snd args, rtype)\<rbrakk>
+ \<Longrightarrow> (Apply f (map fst args), rtype)
+ \<in> well_typed_gterm' sig"
+monos lists_mono
+
+
+lemma "well_typed_gterm sig \<subseteq> well_typed_gterm' sig"
+apply clarify
+apply (erule well_typed_gterm.induct)
+apply auto
+done
+
+lemma "well_typed_gterm' sig \<subseteq> well_typed_gterm sig"
+apply clarify
+apply (erule well_typed_gterm'.induct)
+apply auto
+done
+
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Inductive/Even.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,291 @@
+(*<*)theory Even imports Main begin
+ML_file "../../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+(*>*)
+
+section{* The Set of Even Numbers *}
+
+text {*
+\index{even numbers!defining inductively|(}%
+The set of even numbers can be inductively defined as the least set
+containing 0 and closed under the operation $+2$. Obviously,
+\emph{even} can also be expressed using the divides relation (@{text dvd}).
+We shall prove below that the two formulations coincide. On the way we
+shall examine the primary means of reasoning about inductively defined
+sets: rule induction.
+*}
+
+subsection{* Making an Inductive Definition *}
+
+text {*
+Using \commdx{inductive\protect\_set}, we declare the constant @{text even} to be
+a set of natural numbers with the desired properties.
+*}
+
+inductive_set even :: "nat set" where
+zero[intro!]: "0 \<in> even" |
+step[intro!]: "n \<in> even \<Longrightarrow> (Suc (Suc n)) \<in> even"
+
+text {*
+An inductive definition consists of introduction rules. The first one
+above states that 0 is even; the second states that if $n$ is even, then so
+is~$n+2$. Given this declaration, Isabelle generates a fixed point
+definition for @{term even} and proves theorems about it,
+thus following the definitional approach (see {\S}\ref{sec:definitional}).
+These theorems
+include the introduction rules specified in the declaration, an elimination
+rule for case analysis and an induction rule. We can refer to these
+theorems by automatically-generated names. Here are two examples:
+@{named_thms[display,indent=0] even.zero[no_vars] (even.zero) even.step[no_vars] (even.step)}
+
+The introduction rules can be given attributes. Here
+both rules are specified as \isa{intro!},%
+\index{intro"!@\isa {intro"!} (attribute)}
+directing the classical reasoner to
+apply them aggressively. Obviously, regarding 0 as even is safe. The
+@{text step} rule is also safe because $n+2$ is even if and only if $n$ is
+even. We prove this equivalence later.
+*}
+
+subsection{*Using Introduction Rules*}
+
+text {*
+Our first lemma states that numbers of the form $2\times k$ are even.
+Introduction rules are used to show that specific values belong to the
+inductive set. Such proofs typically involve
+induction, perhaps over some other inductive set.
+*}
+
+lemma two_times_even[intro!]: "2*k \<in> even"
+apply (induct_tac k)
+ apply auto
+done
+(*<*)
+lemma "2*k \<in> even"
+apply (induct_tac k)
+(*>*)
+txt {*
+\noindent
+The first step is induction on the natural number @{text k}, which leaves
+two subgoals:
+@{subgoals[display,indent=0,margin=65]}
+Here @{text auto} simplifies both subgoals so that they match the introduction
+rules, which are then applied automatically.
+
+Our ultimate goal is to prove the equivalence between the traditional
+definition of @{text even} (using the divides relation) and our inductive
+definition. One direction of this equivalence is immediate by the lemma
+just proved, whose @{text "intro!"} attribute ensures it is applied automatically.
+*}
+(*<*)oops(*>*)
+lemma dvd_imp_even: "2 dvd n \<Longrightarrow> n \<in> even"
+by (auto simp add: dvd_def)
+
+subsection{* Rule Induction \label{sec:rule-induction} *}
+
+text {*
+\index{rule induction|(}%
+From the definition of the set
+@{term even}, Isabelle has
+generated an induction rule:
+@{named_thms [display,indent=0,margin=40] even.induct [no_vars] (even.induct)}
+A property @{term P} holds for every even number provided it
+holds for~@{text 0} and is closed under the operation
+\isa{Suc(Suc \(\cdot\))}. Then @{term P} is closed under the introduction
+rules for @{term even}, which is the least set closed under those rules.
+This type of inductive argument is called \textbf{rule induction}.
+
+Apart from the double application of @{term Suc}, the induction rule above
+resembles the familiar mathematical induction, which indeed is an instance
+of rule induction; the natural numbers can be defined inductively to be
+the least set containing @{text 0} and closed under~@{term Suc}.
+
+Induction is the usual way of proving a property of the elements of an
+inductively defined set. Let us prove that all members of the set
+@{term even} are multiples of two.
+*}
+
+lemma even_imp_dvd: "n \<in> even \<Longrightarrow> 2 dvd n"
+txt {*
+We begin by applying induction. Note that @{text even.induct} has the form
+of an elimination rule, so we use the method @{text erule}. We get two
+subgoals:
+*}
+apply (erule even.induct)
+txt {*
+@{subgoals[display,indent=0]}
+We unfold the definition of @{text dvd} in both subgoals, proving the first
+one and simplifying the second:
+*}
+apply (simp_all add: dvd_def)
+txt {*
+@{subgoals[display,indent=0]}
+The next command eliminates the existential quantifier from the assumption
+and replaces @{text n} by @{text "2 * k"}.
+*}
+apply clarify
+txt {*
+@{subgoals[display,indent=0]}
+To conclude, we tell Isabelle that the desired value is
+@{term "Suc k"}. With this hint, the subgoal falls to @{text simp}.
+*}
+apply (rule_tac x = "Suc k" in exI, simp)
+(*<*)done(*>*)
+
+text {*
+Combining the previous two results yields our objective, the
+equivalence relating @{term even} and @{text dvd}.
+%
+%we don't want [iff]: discuss?
+*}
+
+theorem even_iff_dvd: "(n \<in> even) = (2 dvd n)"
+by (blast intro: dvd_imp_even even_imp_dvd)
+
+
+subsection{* Generalization and Rule Induction \label{sec:gen-rule-induction} *}
+
+text {*
+\index{generalizing for induction}%
+Before applying induction, we typically must generalize
+the induction formula. With rule induction, the required generalization
+can be hard to find and sometimes requires a complete reformulation of the
+problem. In this example, our first attempt uses the obvious statement of
+the result. It fails:
+*}
+
+lemma "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
+apply (erule even.induct)
+oops
+(*<*)
+lemma "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
+apply (erule even.induct)
+(*>*)
+txt {*
+Rule induction finds no occurrences of @{term "Suc(Suc n)"} in the
+conclusion, which it therefore leaves unchanged. (Look at
+@{text even.induct} to see why this happens.) We have these subgoals:
+@{subgoals[display,indent=0]}
+The first one is hopeless. Rule induction on
+a non-variable term discards information, and usually fails.
+How to deal with such situations
+in general is described in {\S}\ref{sec:ind-var-in-prems} below.
+In the current case the solution is easy because
+we have the necessary inverse, subtraction:
+*}
+(*<*)oops(*>*)
+lemma even_imp_even_minus_2: "n \<in> even \<Longrightarrow> n - 2 \<in> even"
+apply (erule even.induct)
+ apply auto
+done
+(*<*)
+lemma "n \<in> even \<Longrightarrow> n - 2 \<in> even"
+apply (erule even.induct)
+(*>*)
+txt {*
+This lemma is trivially inductive. Here are the subgoals:
+@{subgoals[display,indent=0]}
+The first is trivial because @{text "0 - 2"} simplifies to @{text 0}, which is
+even. The second is trivial too: @{term "Suc (Suc n) - 2"} simplifies to
+@{term n}, matching the assumption.%
+\index{rule induction|)} %the sequel isn't really about induction
+
+\medskip
+Using our lemma, we can easily prove the result we originally wanted:
+*}
+(*<*)oops(*>*)
+lemma Suc_Suc_even_imp_even: "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"
+by (drule even_imp_even_minus_2, simp)
+
+text {*
+We have just proved the converse of the introduction rule @{text even.step}.
+This suggests proving the following equivalence. We give it the
+\attrdx{iff} attribute because of its obvious value for simplification.
+*}
+
+lemma [iff]: "((Suc (Suc n)) \<in> even) = (n \<in> even)"
+by (blast dest: Suc_Suc_even_imp_even)
+
+
+subsection{* Rule Inversion \label{sec:rule-inversion} *}
+
+text {*
+\index{rule inversion|(}%
+Case analysis on an inductive definition is called \textbf{rule
+inversion}. It is frequently used in proofs about operational
+semantics. It can be highly effective when it is applied
+automatically. Let us look at how rule inversion is done in
+Isabelle/HOL\@.
+
+Recall that @{term even} is the minimal set closed under these two rules:
+@{thm [display,indent=0] even.intros [no_vars]}
+Minimality means that @{term even} contains only the elements that these
+rules force it to contain. If we are told that @{term a}
+belongs to
+@{term even} then there are only two possibilities. Either @{term a} is @{text 0}
+or else @{term a} has the form @{term "Suc(Suc n)"}, for some suitable @{term n}
+that belongs to
+@{term even}. That is the gist of the @{term cases} rule, which Isabelle proves
+for us when it accepts an inductive definition:
+@{named_thms [display,indent=0,margin=40] even.cases [no_vars] (even.cases)}
+This general rule is less useful than instances of it for
+specific patterns. For example, if @{term a} has the form
+@{term "Suc(Suc n)"} then the first case becomes irrelevant, while the second
+case tells us that @{term n} belongs to @{term even}. Isabelle will generate
+this instance for us:
+*}
+
+inductive_cases Suc_Suc_cases [elim!]: "Suc(Suc n) \<in> even"
+
+text {*
+The \commdx{inductive\protect\_cases} command generates an instance of
+the @{text cases} rule for the supplied pattern and gives it the supplied name:
+@{named_thms [display,indent=0] Suc_Suc_cases [no_vars] (Suc_Suc_cases)}
+Applying this as an elimination rule yields one case where @{text even.cases}
+would yield two. Rule inversion works well when the conclusions of the
+introduction rules involve datatype constructors like @{term Suc} and @{text "#"}
+(list ``cons''); freeness reasoning discards all but one or two cases.
+
+In the \isacommand{inductive\_cases} command we supplied an
+attribute, @{text "elim!"},
+\index{elim"!@\isa {elim"!} (attribute)}%
+indicating that this elimination rule can be
+applied aggressively. The original
+@{term cases} rule would loop if used in that manner because the
+pattern~@{term a} matches everything.
+
+The rule @{text Suc_Suc_cases} is equivalent to the following implication:
+@{term [display,indent=0] "Suc (Suc n) \<in> even \<Longrightarrow> n \<in> even"}
+Just above we devoted some effort to reaching precisely
+this result. Yet we could have obtained it by a one-line declaration,
+dispensing with the lemma @{text even_imp_even_minus_2}.
+This example also justifies the terminology
+\textbf{rule inversion}: the new rule inverts the introduction rule
+@{text even.step}. In general, a rule can be inverted when the set of elements
+it introduces is disjoint from those of the other introduction rules.
+
+For one-off applications of rule inversion, use the \methdx{ind_cases} method.
+Here is an example:
+*}
+
+(*<*)lemma "Suc(Suc n) \<in> even \<Longrightarrow> P"(*>*)
+apply (ind_cases "Suc(Suc n) \<in> even")
+(*<*)oops(*>*)
+
+text {*
+The specified instance of the @{text cases} rule is generated, then applied
+as an elimination rule.
+
+To summarize, every inductive definition produces a @{text cases} rule. The
+\commdx{inductive\protect\_cases} command stores an instance of the
+@{text cases} rule for a given pattern. Within a proof, the
+@{text ind_cases} method applies an instance of the @{text cases}
+rule.
+
+The even numbers example has shown how inductive definitions can be
+used. Later examples will show that they are actually worth using.%
+\index{rule inversion|)}%
+\index{even numbers!defining inductively|)}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Inductive/Mutual.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,80 @@
+(*<*)theory Mutual imports Main begin(*>*)
+
+subsection{*Mutually Inductive Definitions*}
+
+text{*
+Just as there are datatypes defined by mutual recursion, there are sets defined
+by mutual induction. As a trivial example we consider the even and odd
+natural numbers:
+*}
+
+inductive_set
+ Even :: "nat set" and
+ Odd :: "nat set"
+where
+ zero: "0 \<in> Even"
+| EvenI: "n \<in> Odd \<Longrightarrow> Suc n \<in> Even"
+| OddI: "n \<in> Even \<Longrightarrow> Suc n \<in> Odd"
+
+text{*\noindent
+The mutually inductive definition of multiple sets is no different from
+that of a single set, except for induction: just as for mutually recursive
+datatypes, induction needs to involve all the simultaneously defined sets. In
+the above case, the induction rule is called @{thm[source]Even_Odd.induct}
+(simply concatenate the names of the sets involved) and has the conclusion
+@{text[display]"(?x \<in> Even \<longrightarrow> ?P ?x) \<and> (?y \<in> Odd \<longrightarrow> ?Q ?y)"}
+
+If we want to prove that all even numbers are divisible by two, we have to
+generalize the statement as follows:
+*}
+
+lemma "(m \<in> Even \<longrightarrow> 2 dvd m) \<and> (n \<in> Odd \<longrightarrow> 2 dvd (Suc n))"
+
+txt{*\noindent
+The proof is by rule induction. Because of the form of the induction theorem,
+it is applied by @{text rule} rather than @{text erule} as for ordinary
+inductive definitions:
+*}
+
+apply(rule Even_Odd.induct)
+
+txt{*
+@{subgoals[display,indent=0]}
+The first two subgoals are proved by simplification and the final one can be
+proved in the same manner as in \S\ref{sec:rule-induction}
+where the same subgoal was encountered before.
+We do not show the proof script.
+*}
+(*<*)
+ apply simp
+ apply simp
+apply(simp add: dvd_def)
+apply(clarify)
+apply(rule_tac x = "Suc k" in exI)
+apply simp
+done
+(*>*)
+
+subsection{*Inductively Defined Predicates\label{sec:ind-predicates}*}
+
+text{*\index{inductive predicates|(}
+Instead of a set of even numbers one can also define a predicate on @{typ nat}:
+*}
+
+inductive evn :: "nat \<Rightarrow> bool" where
+zero: "evn 0" |
+step: "evn n \<Longrightarrow> evn(Suc(Suc n))"
+
+text{*\noindent Everything works as before, except that
+you write \commdx{inductive} instead of \isacommand{inductive\_set} and
+@{prop"evn n"} instead of @{prop"n : even"}.
+When defining an n-ary relation as a predicate, it is recommended to curry
+the predicate: its type should be \mbox{@{text"\<tau>\<^isub>1 \<Rightarrow> \<dots> \<Rightarrow> \<tau>\<^isub>n \<Rightarrow> bool"}}
+rather than
+@{text"\<tau>\<^isub>1 \<times> \<dots> \<times> \<tau>\<^isub>n \<Rightarrow> bool"}. The curried version facilitates inductions.
+
+When should you choose sets and when predicates? If you intend to combine your notion with set theoretic notation, define it as an inductive set. If not, define it as an inductive predicate, thus avoiding the @{text"\<in>"} notation. But note that predicates of more than one argument cannot be combined with the usual set theoretic operators: @{term"P \<union> Q"} is not well-typed if @{text"P, Q :: \<tau>\<^isub>1 \<Rightarrow> \<tau>\<^isub>2 \<Rightarrow> bool"}, you have to write @{term"%x y. P x y & Q x y"} instead.
+\index{inductive predicates|)}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Inductive/Star.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,176 @@
+(*<*)theory Star imports Main begin(*>*)
+
+section{*The Reflexive Transitive Closure*}
+
+text{*\label{sec:rtc}
+\index{reflexive transitive closure!defining inductively|(}%
+An inductive definition may accept parameters, so it can express
+functions that yield sets.
+Relations too can be defined inductively, since they are just sets of pairs.
+A perfect example is the function that maps a relation to its
+reflexive transitive closure. This concept was already
+introduced in \S\ref{sec:Relations}, where the operator @{text"\<^sup>*"} was
+defined as a least fixed point because inductive definitions were not yet
+available. But now they are:
+*}
+
+inductive_set
+ rtc :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set" ("_*" [1000] 999)
+ for r :: "('a \<times> 'a)set"
+where
+ rtc_refl[iff]: "(x,x) \<in> r*"
+| rtc_step: "\<lbrakk> (x,y) \<in> r; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
+
+text{*\noindent
+The function @{term rtc} is annotated with concrete syntax: instead of
+@{text"rtc r"} we can write @{term"r*"}. The actual definition
+consists of two rules. Reflexivity is obvious and is immediately given the
+@{text iff} attribute to increase automation. The
+second rule, @{thm[source]rtc_step}, says that we can always add one more
+@{term r}-step to the left. Although we could make @{thm[source]rtc_step} an
+introduction rule, this is dangerous: the recursion in the second premise
+slows down and may even kill the automatic tactics.
+
+The above definition of the concept of reflexive transitive closure may
+be sufficiently intuitive but it is certainly not the only possible one:
+for a start, it does not even mention transitivity.
+The rest of this section is devoted to proving that it is equivalent to
+the standard definition. We start with a simple lemma:
+*}
+
+lemma [intro]: "(x,y) \<in> r \<Longrightarrow> (x,y) \<in> r*"
+by(blast intro: rtc_step);
+
+text{*\noindent
+Although the lemma itself is an unremarkable consequence of the basic rules,
+it has the advantage that it can be declared an introduction rule without the
+danger of killing the automatic tactics because @{term"r*"} occurs only in
+the conclusion and not in the premise. Thus some proofs that would otherwise
+need @{thm[source]rtc_step} can now be found automatically. The proof also
+shows that @{text blast} is able to handle @{thm[source]rtc_step}. But
+some of the other automatic tactics are more sensitive, and even @{text
+blast} can be lead astray in the presence of large numbers of rules.
+
+To prove transitivity, we need rule induction, i.e.\ theorem
+@{thm[source]rtc.induct}:
+@{thm[display]rtc.induct}
+It says that @{text"?P"} holds for an arbitrary pair @{thm (prem 1) rtc.induct}
+if @{text"?P"} is preserved by all rules of the inductive definition,
+i.e.\ if @{text"?P"} holds for the conclusion provided it holds for the
+premises. In general, rule induction for an $n$-ary inductive relation $R$
+expects a premise of the form $(x@1,\dots,x@n) \in R$.
+
+Now we turn to the inductive proof of transitivity:
+*}
+
+lemma rtc_trans: "\<lbrakk> (x,y) \<in> r*; (y,z) \<in> r* \<rbrakk> \<Longrightarrow> (x,z) \<in> r*"
+apply(erule rtc.induct)
+
+txt{*\noindent
+Unfortunately, even the base case is a problem:
+@{subgoals[display,indent=0,goals_limit=1]}
+We have to abandon this proof attempt.
+To understand what is going on, let us look again at @{thm[source]rtc.induct}.
+In the above application of @{text erule}, the first premise of
+@{thm[source]rtc.induct} is unified with the first suitable assumption, which
+is @{term"(x,y) \<in> r*"} rather than @{term"(y,z) \<in> r*"}. Although that
+is what we want, it is merely due to the order in which the assumptions occur
+in the subgoal, which it is not good practice to rely on. As a result,
+@{text"?xb"} becomes @{term x}, @{text"?xa"} becomes
+@{term y} and @{text"?P"} becomes @{term"%u v. (u,z) : r*"}, thus
+yielding the above subgoal. So what went wrong?
+
+When looking at the instantiation of @{text"?P"} we see that it does not
+depend on its second parameter at all. The reason is that in our original
+goal, of the pair @{term"(x,y)"} only @{term x} appears also in the
+conclusion, but not @{term y}. Thus our induction statement is too
+general. Fortunately, it can easily be specialized:
+transfer the additional premise @{prop"(y,z):r*"} into the conclusion:*}
+(*<*)oops(*>*)
+lemma rtc_trans[rule_format]:
+ "(x,y) \<in> r* \<Longrightarrow> (y,z) \<in> r* \<longrightarrow> (x,z) \<in> r*"
+
+txt{*\noindent
+This is not an obscure trick but a generally applicable heuristic:
+\begin{quote}\em
+When proving a statement by rule induction on $(x@1,\dots,x@n) \in R$,
+pull all other premises containing any of the $x@i$ into the conclusion
+using $\longrightarrow$.
+\end{quote}
+A similar heuristic for other kinds of inductions is formulated in
+\S\ref{sec:ind-var-in-prems}. The @{text rule_format} directive turns
+@{text"\<longrightarrow>"} back into @{text"\<Longrightarrow>"}: in the end we obtain the original
+statement of our lemma.
+*}
+
+apply(erule rtc.induct)
+
+txt{*\noindent
+Now induction produces two subgoals which are both proved automatically:
+@{subgoals[display,indent=0]}
+*}
+
+ apply(blast);
+apply(blast intro: rtc_step);
+done
+
+text{*
+Let us now prove that @{term"r*"} is really the reflexive transitive closure
+of @{term r}, i.e.\ the least reflexive and transitive
+relation containing @{term r}. The latter is easily formalized
+*}
+
+inductive_set
+ rtc2 :: "('a \<times> 'a)set \<Rightarrow> ('a \<times> 'a)set"
+ for r :: "('a \<times> 'a)set"
+where
+ "(x,y) \<in> r \<Longrightarrow> (x,y) \<in> rtc2 r"
+| "(x,x) \<in> rtc2 r"
+| "\<lbrakk> (x,y) \<in> rtc2 r; (y,z) \<in> rtc2 r \<rbrakk> \<Longrightarrow> (x,z) \<in> rtc2 r"
+
+text{*\noindent
+and the equivalence of the two definitions is easily shown by the obvious rule
+inductions:
+*}
+
+lemma "(x,y) \<in> rtc2 r \<Longrightarrow> (x,y) \<in> r*"
+apply(erule rtc2.induct);
+ apply(blast);
+ apply(blast);
+apply(blast intro: rtc_trans);
+done
+
+lemma "(x,y) \<in> r* \<Longrightarrow> (x,y) \<in> rtc2 r"
+apply(erule rtc.induct);
+ apply(blast intro: rtc2.intros);
+apply(blast intro: rtc2.intros);
+done
+
+text{*
+So why did we start with the first definition? Because it is simpler. It
+contains only two rules, and the single step rule is simpler than
+transitivity. As a consequence, @{thm[source]rtc.induct} is simpler than
+@{thm[source]rtc2.induct}. Since inductive proofs are hard enough
+anyway, we should always pick the simplest induction schema available.
+Hence @{term rtc} is the definition of choice.
+\index{reflexive transitive closure!defining inductively|)}
+
+\begin{exercise}\label{ex:converse-rtc-step}
+Show that the converse of @{thm[source]rtc_step} also holds:
+@{prop[display]"[| (x,y) : r*; (y,z) : r |] ==> (x,z) : r*"}
+\end{exercise}
+\begin{exercise}
+Repeat the development of this section, but starting with a definition of
+@{term rtc} where @{thm[source]rtc_step} is replaced by its converse as shown
+in exercise~\ref{ex:converse-rtc-step}.
+\end{exercise}
+*}
+(*<*)
+lemma rtc_step2[rule_format]: "(x,y) : r* \<Longrightarrow> (y,z) : r --> (x,z) : r*"
+apply(erule rtc.induct);
+ apply blast;
+apply(blast intro: rtc_step)
+done
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/AdvancedInd.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,285 @@
+(*<*)
+theory AdvancedInd imports Main begin;
+(*>*)
+
+text{*\noindent
+Now that we have learned about rules and logic, we take another look at the
+finer points of induction. We consider two questions: what to do if the
+proposition to be proved is not directly amenable to induction
+(\S\ref{sec:ind-var-in-prems}), and how to utilize (\S\ref{sec:complete-ind})
+and even derive (\S\ref{sec:derive-ind}) new induction schemas. We conclude
+with an extended example of induction (\S\ref{sec:CTL-revisited}).
+*};
+
+subsection{*Massaging the Proposition*};
+
+text{*\label{sec:ind-var-in-prems}
+Often we have assumed that the theorem to be proved is already in a form
+that is amenable to induction, but sometimes it isn't.
+Here is an example.
+Since @{term"hd"} and @{term"last"} return the first and last element of a
+non-empty list, this lemma looks easy to prove:
+*};
+
+lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) = last xs"
+apply(induct_tac xs)
+
+txt{*\noindent
+But induction produces the warning
+\begin{quote}\tt
+Induction variable occurs also among premises!
+\end{quote}
+and leads to the base case
+@{subgoals[display,indent=0,goals_limit=1]}
+Simplification reduces the base case to this:
+\begin{isabelle}
+\ 1.\ xs\ {\isasymnoteq}\ []\ {\isasymLongrightarrow}\ hd\ []\ =\ last\ []
+\end{isabelle}
+We cannot prove this equality because we do not know what @{term hd} and
+@{term last} return when applied to @{term"[]"}.
+
+We should not have ignored the warning. Because the induction
+formula is only the conclusion, induction does not affect the occurrence of @{term xs} in the premises.
+Thus the case that should have been trivial
+becomes unprovable. Fortunately, the solution is easy:\footnote{A similar
+heuristic applies to rule inductions; see \S\ref{sec:rtc}.}
+\begin{quote}
+\emph{Pull all occurrences of the induction variable into the conclusion
+using @{text"\<longrightarrow>"}.}
+\end{quote}
+Thus we should state the lemma as an ordinary
+implication~(@{text"\<longrightarrow>"}), letting
+\attrdx{rule_format} (\S\ref{sec:forward}) convert the
+result to the usual @{text"\<Longrightarrow>"} form:
+*};
+(*<*)oops;(*>*)
+lemma hd_rev [rule_format]: "xs \<noteq> [] \<longrightarrow> hd(rev xs) = last xs";
+(*<*)
+apply(induct_tac xs);
+(*>*)
+
+txt{*\noindent
+This time, induction leaves us with a trivial base case:
+@{subgoals[display,indent=0,goals_limit=1]}
+And @{text"auto"} completes the proof.
+
+If there are multiple premises $A@1$, \dots, $A@n$ containing the
+induction variable, you should turn the conclusion $C$ into
+\[ A@1 \longrightarrow \cdots A@n \longrightarrow C. \]
+Additionally, you may also have to universally quantify some other variables,
+which can yield a fairly complex conclusion. However, @{text rule_format}
+can remove any number of occurrences of @{text"\<forall>"} and
+@{text"\<longrightarrow>"}.
+
+\index{induction!on a term}%
+A second reason why your proposition may not be amenable to induction is that
+you want to induct on a complex term, rather than a variable. In
+general, induction on a term~$t$ requires rephrasing the conclusion~$C$
+as
+\begin{equation}\label{eqn:ind-over-term}
+\forall y@1 \dots y@n.~ x = t \longrightarrow C.
+\end{equation}
+where $y@1 \dots y@n$ are the free variables in $t$ and $x$ is a new variable.
+Now you can perform induction on~$x$. An example appears in
+\S\ref{sec:complete-ind} below.
+
+The very same problem may occur in connection with rule induction. Remember
+that it requires a premise of the form $(x@1,\dots,x@k) \in R$, where $R$ is
+some inductively defined set and the $x@i$ are variables. If instead we have
+a premise $t \in R$, where $t$ is not just an $n$-tuple of variables, we
+replace it with $(x@1,\dots,x@k) \in R$, and rephrase the conclusion $C$ as
+\[ \forall y@1 \dots y@n.~ (x@1,\dots,x@k) = t \longrightarrow C. \]
+For an example see \S\ref{sec:CTL-revisited} below.
+
+Of course, all premises that share free variables with $t$ need to be pulled into
+the conclusion as well, under the @{text"\<forall>"}, again using @{text"\<longrightarrow>"} as shown above.
+
+Readers who are puzzled by the form of statement
+(\ref{eqn:ind-over-term}) above should remember that the
+transformation is only performed to permit induction. Once induction
+has been applied, the statement can be transformed back into something quite
+intuitive. For example, applying wellfounded induction on $x$ (w.r.t.\
+$\prec$) to (\ref{eqn:ind-over-term}) and transforming the result a
+little leads to the goal
+\[ \bigwedge\overline{y}.\
+ \forall \overline{z}.\ t\,\overline{z} \prec t\,\overline{y}\ \longrightarrow\ C\,\overline{z}
+ \ \Longrightarrow\ C\,\overline{y} \]
+where $\overline{y}$ stands for $y@1 \dots y@n$ and the dependence of $t$ and
+$C$ on the free variables of $t$ has been made explicit.
+Unfortunately, this induction schema cannot be expressed as a
+single theorem because it depends on the number of free variables in $t$ ---
+the notation $\overline{y}$ is merely an informal device.
+*}
+(*<*)by auto(*>*)
+
+subsection{*Beyond Structural and Recursion Induction*};
+
+text{*\label{sec:complete-ind}
+So far, inductive proofs were by structural induction for
+primitive recursive functions and recursion induction for total recursive
+functions. But sometimes structural induction is awkward and there is no
+recursive function that could furnish a more appropriate
+induction schema. In such cases a general-purpose induction schema can
+be helpful. We show how to apply such induction schemas by an example.
+
+Structural induction on @{typ"nat"} is
+usually known as mathematical induction. There is also \textbf{complete}
+\index{induction!complete}%
+induction, where you prove $P(n)$ under the assumption that $P(m)$
+holds for all $m<n$. In Isabelle, this is the theorem \tdx{nat_less_induct}:
+@{thm[display]"nat_less_induct"[no_vars]}
+As an application, we prove a property of the following
+function:
+*};
+
+consts f :: "nat \<Rightarrow> nat";
+axioms f_ax: "f(f(n)) < f(Suc(n))";
+
+text{*
+\begin{warn}
+We discourage the use of axioms because of the danger of
+inconsistencies. Axiom @{text f_ax} does
+not introduce an inconsistency because, for example, the identity function
+satisfies it. Axioms can be useful in exploratory developments, say when
+you assume some well-known theorems so that you can quickly demonstrate some
+point about methodology. If your example turns into a substantial proof
+development, you should replace axioms by theorems.
+\end{warn}\noindent
+The axiom for @{term"f"} implies @{prop"n <= f n"}, which can
+be proved by induction on \mbox{@{term"f n"}}. Following the recipe outlined
+above, we have to phrase the proposition as follows to allow induction:
+*};
+
+lemma f_incr_lem: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
+
+txt{*\noindent
+To perform induction on @{term k} using @{thm[source]nat_less_induct}, we use
+the same general induction method as for recursion induction (see
+\S\ref{sec:fun-induction}):
+*};
+
+apply(induct_tac k rule: nat_less_induct);
+
+txt{*\noindent
+We get the following proof state:
+@{subgoals[display,indent=0,margin=65]}
+After stripping the @{text"\<forall>i"}, the proof continues with a case
+distinction on @{term"i"}. The case @{prop"i = (0::nat)"} is trivial and we focus on
+the other case:
+*}
+
+apply(rule allI)
+apply(case_tac i)
+ apply(simp)
+txt{*
+@{subgoals[display,indent=0]}
+*}
+by(blast intro!: f_ax Suc_leI intro: le_less_trans)
+
+text{*\noindent
+If you find the last step puzzling, here are the two lemmas it employs:
+\begin{isabelle}
+@{thm Suc_leI[no_vars]}
+\rulename{Suc_leI}\isanewline
+@{thm le_less_trans[no_vars]}
+\rulename{le_less_trans}
+\end{isabelle}
+%
+The proof goes like this (writing @{term"j"} instead of @{typ"nat"}).
+Since @{prop"i = Suc j"} it suffices to show
+\hbox{@{prop"j < f(Suc j)"}},
+by @{thm[source]Suc_leI}\@. This is
+proved as follows. From @{thm[source]f_ax} we have @{prop"f (f j) < f (Suc j)"}
+(1) which implies @{prop"f j <= f (f j)"} by the induction hypothesis.
+Using (1) once more we obtain @{prop"f j < f(Suc j)"} (2) by the transitivity
+rule @{thm[source]le_less_trans}.
+Using the induction hypothesis once more we obtain @{prop"j <= f j"}
+which, together with (2) yields @{prop"j < f (Suc j)"} (again by
+@{thm[source]le_less_trans}).
+
+This last step shows both the power and the danger of automatic proofs. They
+will usually not tell you how the proof goes, because it can be hard to
+translate the internal proof into a human-readable format. Automatic
+proofs are easy to write but hard to read and understand.
+
+The desired result, @{prop"i <= f i"}, follows from @{thm[source]f_incr_lem}:
+*};
+
+lemmas f_incr = f_incr_lem[rule_format, OF refl];
+
+text{*\noindent
+The final @{thm[source]refl} gets rid of the premise @{text"?k = f ?i"}.
+We could have included this derivation in the original statement of the lemma:
+*};
+
+lemma f_incr[rule_format, OF refl]: "\<forall>i. k = f i \<longrightarrow> i \<le> f i";
+(*<*)oops;(*>*)
+
+text{*
+\begin{exercise}
+From the axiom and lemma for @{term"f"}, show that @{term"f"} is the
+identity function.
+\end{exercise}
+
+Method \methdx{induct_tac} can be applied with any rule $r$
+whose conclusion is of the form ${?}P~?x@1 \dots ?x@n$, in which case the
+format is
+\begin{quote}
+\isacommand{apply}@{text"(induct_tac"} $y@1 \dots y@n$ @{text"rule:"} $r$@{text")"}
+\end{quote}
+where $y@1, \dots, y@n$ are variables in the conclusion of the first subgoal.
+
+A further useful induction rule is @{thm[source]length_induct},
+induction on the length of a list\indexbold{*length_induct}
+@{thm[display]length_induct[no_vars]}
+which is a special case of @{thm[source]measure_induct}
+@{thm[display]measure_induct[no_vars]}
+where @{term f} may be any function into type @{typ nat}.
+*}
+
+subsection{*Derivation of New Induction Schemas*};
+
+text{*\label{sec:derive-ind}
+\index{induction!deriving new schemas}%
+Induction schemas are ordinary theorems and you can derive new ones
+whenever you wish. This section shows you how, using the example
+of @{thm[source]nat_less_induct}. Assume we only have structural induction
+available for @{typ"nat"} and want to derive complete induction. We
+must generalize the statement as shown:
+*};
+
+lemma induct_lem: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> \<forall>m<n. P m";
+apply(induct_tac n);
+
+txt{*\noindent
+The base case is vacuously true. For the induction step (@{prop"m <
+Suc n"}) we distinguish two cases: case @{prop"m < n"} is true by induction
+hypothesis and case @{prop"m = n"} follows from the assumption, again using
+the induction hypothesis:
+*};
+ apply(blast);
+by(blast elim: less_SucE)
+
+text{*\noindent
+The elimination rule @{thm[source]less_SucE} expresses the case distinction:
+@{thm[display]"less_SucE"[no_vars]}
+
+Now it is straightforward to derive the original version of
+@{thm[source]nat_less_induct} by manipulating the conclusion of the above
+lemma: instantiate @{term"n"} by @{term"Suc n"} and @{term"m"} by @{term"n"}
+and remove the trivial condition @{prop"n < Suc n"}. Fortunately, this
+happens automatically when we add the lemma as a new premise to the
+desired goal:
+*};
+
+theorem nat_less_induct: "(\<And>n::nat. \<forall>m<n. P m \<Longrightarrow> P n) \<Longrightarrow> P n";
+by(insert induct_lem, blast);
+
+text{*
+HOL already provides the mother of
+all inductions, well-founded induction (see \S\ref{sec:Well-founded}). For
+example theorem @{thm[source]nat_less_induct} is
+a special case of @{thm[source]wf_induct} where @{term r} is @{text"<"} on
+@{typ nat}. The details can be found in theory \isa{Wellfounded_Recursion}.
+*}
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/Itrev.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,146 @@
+(*<*)
+theory Itrev
+imports Main
+begin
+declare [[names_unique = false]]
+(*>*)
+
+section{*Induction Heuristics*}
+
+text{*\label{sec:InductionHeuristics}
+\index{induction heuristics|(}%
+The purpose of this section is to illustrate some simple heuristics for
+inductive proofs. The first one we have already mentioned in our initial
+example:
+\begin{quote}
+\emph{Theorems about recursive functions are proved by induction.}
+\end{quote}
+In case the function has more than one argument
+\begin{quote}
+\emph{Do induction on argument number $i$ if the function is defined by
+recursion in argument number $i$.}
+\end{quote}
+When we look at the proof of @{text"(xs@ys) @ zs = xs @ (ys@zs)"}
+in \S\ref{sec:intro-proof} we find
+\begin{itemize}
+\item @{text"@"} is recursive in
+the first argument
+\item @{term xs} occurs only as the first argument of
+@{text"@"}
+\item both @{term ys} and @{term zs} occur at least once as
+the second argument of @{text"@"}
+\end{itemize}
+Hence it is natural to perform induction on~@{term xs}.
+
+The key heuristic, and the main point of this section, is to
+\emph{generalize the goal before induction}.
+The reason is simple: if the goal is
+too specific, the induction hypothesis is too weak to allow the induction
+step to go through. Let us illustrate the idea with an example.
+
+Function \cdx{rev} has quadratic worst-case running time
+because it calls function @{text"@"} for each element of the list and
+@{text"@"} is linear in its first argument. A linear time version of
+@{term"rev"} reqires an extra argument where the result is accumulated
+gradually, using only~@{text"#"}:
+*}
+
+primrec itrev :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" where
+"itrev [] ys = ys" |
+"itrev (x#xs) ys = itrev xs (x#ys)"
+
+text{*\noindent
+The behaviour of \cdx{itrev} is simple: it reverses
+its first argument by stacking its elements onto the second argument,
+and returning that second argument when the first one becomes
+empty. Note that @{term"itrev"} is tail-recursive: it can be
+compiled into a loop.
+
+Naturally, we would like to show that @{term"itrev"} does indeed reverse
+its first argument provided the second one is empty:
+*};
+
+lemma "itrev xs [] = rev xs";
+
+txt{*\noindent
+There is no choice as to the induction variable, and we immediately simplify:
+*};
+
+apply(induct_tac xs, simp_all);
+
+txt{*\noindent
+Unfortunately, this attempt does not prove
+the induction step:
+@{subgoals[display,indent=0,margin=70]}
+The induction hypothesis is too weak. The fixed
+argument,~@{term"[]"}, prevents it from rewriting the conclusion.
+This example suggests a heuristic:
+\begin{quote}\index{generalizing induction formulae}%
+\emph{Generalize goals for induction by replacing constants by variables.}
+\end{quote}
+Of course one cannot do this na\"{\i}vely: @{term"itrev xs ys = rev xs"} is
+just not true. The correct generalization is
+*};
+(*<*)oops;(*>*)
+lemma "itrev xs ys = rev xs @ ys";
+(*<*)apply(induct_tac xs, simp_all)(*>*)
+txt{*\noindent
+If @{term"ys"} is replaced by @{term"[]"}, the right-hand side simplifies to
+@{term"rev xs"}, as required.
+
+In this instance it was easy to guess the right generalization.
+Other situations can require a good deal of creativity.
+
+Although we now have two variables, only @{term"xs"} is suitable for
+induction, and we repeat our proof attempt. Unfortunately, we are still
+not there:
+@{subgoals[display,indent=0,goals_limit=1]}
+The induction hypothesis is still too weak, but this time it takes no
+intuition to generalize: the problem is that @{term"ys"} is fixed throughout
+the subgoal, but the induction hypothesis needs to be applied with
+@{term"a # ys"} instead of @{term"ys"}. Hence we prove the theorem
+for all @{term"ys"} instead of a fixed one:
+*};
+(*<*)oops;(*>*)
+lemma "\<forall>ys. itrev xs ys = rev xs @ ys";
+(*<*)
+by(induct_tac xs, simp_all);
+(*>*)
+
+text{*\noindent
+This time induction on @{term"xs"} followed by simplification succeeds. This
+leads to another heuristic for generalization:
+\begin{quote}
+\emph{Generalize goals for induction by universally quantifying all free
+variables {\em(except the induction variable itself!)}.}
+\end{quote}
+This prevents trivial failures like the one above and does not affect the
+validity of the goal. However, this heuristic should not be applied blindly.
+It is not always required, and the additional quantifiers can complicate
+matters in some cases. The variables that should be quantified are typically
+those that change in recursive calls.
+
+A final point worth mentioning is the orientation of the equation we just
+proved: the more complex notion (@{const itrev}) is on the left-hand
+side, the simpler one (@{term rev}) on the right-hand side. This constitutes
+another, albeit weak heuristic that is not restricted to induction:
+\begin{quote}
+ \emph{The right-hand side of an equation should (in some sense) be simpler
+ than the left-hand side.}
+\end{quote}
+This heuristic is tricky to apply because it is not obvious that
+@{term"rev xs @ ys"} is simpler than @{term"itrev xs ys"}. But see what
+happens if you try to prove @{prop"rev xs @ ys = itrev xs ys"}!
+
+If you have tried these heuristics and still find your
+induction does not go through, and no obvious lemma suggests itself, you may
+need to generalize your proposition even further. This requires insight into
+the problem at hand and is beyond simple rules of thumb.
+Additionally, you can read \S\ref{sec:advanced-ind}
+to learn about some advanced techniques for inductive proofs.%
+\index{induction heuristics|)}
+*}
+(*<*)
+declare [[names_unique = true]]
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/Option2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,33 @@
+(*<*)
+theory Option2 imports Main begin
+hide_const None Some
+hide_type option
+(*>*)
+
+text{*\indexbold{*option (type)}\indexbold{*None (constant)}%
+\indexbold{*Some (constant)}
+Our final datatype is very simple but still eminently useful:
+*}
+
+datatype 'a option = None | Some 'a;
+
+text{*\noindent
+Frequently one needs to add a distinguished element to some existing type.
+For example, type @{text"t option"} can model the result of a computation that
+may either terminate with an error (represented by @{const None}) or return
+some value @{term v} (represented by @{term"Some v"}).
+Similarly, @{typ nat} extended with $\infty$ can be modeled by type
+@{typ"nat option"}. In both cases one could define a new datatype with
+customized constructors like @{term Error} and @{term Infinity},
+but it is often simpler to use @{text option}. For an application see
+\S\ref{sec:Trie}.
+*}
+(*<*)
+(*
+definition infplus :: "nat option \<Rightarrow> nat option \<Rightarrow> nat option" where
+"infplus x y \<equiv> case x of None \<Rightarrow> None
+ | Some m \<Rightarrow> (case y of None \<Rightarrow> None | Some n \<Rightarrow> Some(m+n))"
+
+*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/Plus.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,22 @@
+(*<*)
+theory Plus imports Main begin
+(*>*)
+
+text{*\noindent Define the following addition function *}
+
+primrec add :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+"add m 0 = m" |
+"add m (Suc n) = add (Suc m) n"
+
+text{*\noindent and prove*}
+(*<*)
+lemma [simp]: "!m. add m n = m+n"
+apply(induct_tac n)
+by(auto)
+(*>*)
+lemma "add m n = m+n"
+(*<*)
+by(simp)
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/Tree.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,41 @@
+(*<*)
+theory Tree imports Main begin
+(*>*)
+
+text{*\noindent
+Define the datatype of \rmindex{binary trees}:
+*}
+
+datatype 'a tree = Tip | Node "'a tree" 'a "'a tree";(*<*)
+
+primrec mirror :: "'a tree \<Rightarrow> 'a tree" where
+"mirror Tip = Tip" |
+"mirror (Node l x r) = Node (mirror r) x (mirror l)";(*>*)
+
+text{*\noindent
+Define a function @{term"mirror"} that mirrors a binary tree
+by swapping subtrees recursively. Prove
+*}
+
+lemma mirror_mirror: "mirror(mirror t) = t";
+(*<*)
+apply(induct_tac t);
+by(auto);
+
+primrec flatten :: "'a tree => 'a list" where
+"flatten Tip = []" |
+"flatten (Node l x r) = flatten l @ [x] @ flatten r";
+(*>*)
+
+text{*\noindent
+Define a function @{term"flatten"} that flattens a tree into a list
+by traversing it in infix order. Prove
+*}
+
+lemma "flatten(mirror t) = rev(flatten t)";
+(*<*)
+apply(induct_tac t);
+by(auto);
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/Tree2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,26 @@
+(*<*)
+theory Tree2 imports Tree begin
+(*>*)
+
+text{*\noindent In Exercise~\ref{ex:Tree} we defined a function
+@{term"flatten"} from trees to lists. The straightforward version of
+@{term"flatten"} is based on @{text"@"} and is thus, like @{term"rev"},
+quadratic. A linear time version of @{term"flatten"} again reqires an extra
+argument, the accumulator. Define *}
+(*<*)primrec(*>*)flatten2 :: "'a tree \<Rightarrow> 'a list \<Rightarrow> 'a list"(*<*)where
+"flatten2 Tip xs = xs" |
+"flatten2 (Node l x r) xs = flatten2 l (x#(flatten2 r xs))"
+(*>*)
+
+text{*\noindent and prove*}
+(*<*)
+lemma [simp]: "!xs. flatten2 t xs = flatten t @ xs"
+apply(induct_tac t)
+by(auto);
+(*>*)
+lemma "flatten2 t [] = flatten t"
+(*<*)
+by(simp)
+
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/appendix.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,33 @@
+(*<*)theory appendix
+imports Main
+begin(*>*)
+
+text{*
+\begin{table}[htbp]
+\begin{center}
+\begin{tabular}{lll}
+Constant & Type & Syntax \\
+\hline
+@{term [source] 0} & @{typeof [show_sorts] "0"} \\
+@{term [source] 1} & @{typeof [show_sorts] "1"} \\
+@{term [source] plus} & @{typeof [show_sorts] "plus"} & (infixl $+$ 65) \\
+@{term [source] minus} & @{typeof [show_sorts] "minus"} & (infixl $-$ 65) \\
+@{term [source] uminus} & @{typeof [show_sorts] "uminus"} & $- x$ \\
+@{term [source] times} & @{typeof [show_sorts] "times"} & (infixl $*$ 70) \\
+@{term [source] divide} & @{typeof [show_sorts] "divide"} & (infixl $/$ 70) \\
+@{term [source] Divides.div} & @{typeof [show_sorts] "Divides.div"} & (infixl $div$ 70) \\
+@{term [source] Divides.mod} & @{typeof [show_sorts] "Divides.mod"} & (infixl $mod$ 70) \\
+@{term [source] abs} & @{typeof [show_sorts] "abs"} & ${\mid} x {\mid}$ \\
+@{term [source] sgn} & @{typeof [show_sorts] "sgn"} \\
+@{term [source] less_eq} & @{typeof [show_sorts] "less_eq"} & (infixl $\le$ 50) \\
+@{term [source] less} & @{typeof [show_sorts] "less"} & (infixl $<$ 50) \\
+@{term [source] top} & @{typeof [show_sorts] "top"} \\
+@{term [source] bot} & @{typeof [show_sorts] "bot"}
+\end{tabular}
+\caption{Important Overloaded Constants in Main}
+\label{tab:overloading}
+\end{center}
+\end{table}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/case_exprs.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,88 @@
+(*<*)
+theory case_exprs imports Main begin
+(*>*)
+
+text{*
+\subsection{Case Expressions}
+\label{sec:case-expressions}\index{*case expressions}%
+HOL also features \isa{case}-expressions for analyzing
+elements of a datatype. For example,
+@{term[display]"case xs of [] => [] | y#ys => y"}
+evaluates to @{term"[]"} if @{term"xs"} is @{term"[]"} and to @{term"y"} if
+@{term"xs"} is @{term"y#ys"}. (Since the result in both branches must be of
+the same type, it follows that @{term y} is of type @{typ"'a list"} and hence
+that @{term xs} is of type @{typ"'a list list"}.)
+
+In general, case expressions are of the form
+\[
+\begin{array}{c}
+@{text"case"}~e~@{text"of"}\ pattern@1~@{text"\<Rightarrow>"}~e@1\ @{text"|"}\ \dots\
+ @{text"|"}~pattern@m~@{text"\<Rightarrow>"}~e@m
+\end{array}
+\]
+Like in functional programming, patterns are expressions consisting of
+datatype constructors (e.g. @{term"[]"} and @{text"#"})
+and variables, including the wildcard ``\verb$_$''.
+Not all cases need to be covered and the order of cases matters.
+However, one is well-advised not to wallow in complex patterns because
+complex case distinctions tend to induce complex proofs.
+
+\begin{warn}
+Internally Isabelle only knows about exhaustive case expressions with
+non-nested patterns: $pattern@i$ must be of the form
+$C@i~x@ {i1}~\dots~x@ {ik@i}$ and $C@1, \dots, C@m$ must be exactly the
+constructors of the type of $e$.
+%
+More complex case expressions are automatically
+translated into the simpler form upon parsing but are not translated
+back for printing. This may lead to surprising output.
+\end{warn}
+
+\begin{warn}
+Like @{text"if"}, @{text"case"}-expressions may need to be enclosed in
+parentheses to indicate their scope.
+\end{warn}
+
+\subsection{Structural Induction and Case Distinction}
+\label{sec:struct-ind-case}
+\index{case distinctions}\index{induction!structural}%
+Induction is invoked by \methdx{induct_tac}, as we have seen above;
+it works for any datatype. In some cases, induction is overkill and a case
+distinction over all constructors of the datatype suffices. This is performed
+by \methdx{case_tac}. Here is a trivial example:
+*}
+
+lemma "(case xs of [] \<Rightarrow> [] | y#ys \<Rightarrow> xs) = xs";
+apply(case_tac xs);
+
+txt{*\noindent
+results in the proof state
+@{subgoals[display,indent=0,margin=65]}
+which is solved automatically:
+*}
+
+apply(auto)
+(*<*)done(*>*)
+text{*
+Note that we do not need to give a lemma a name if we do not intend to refer
+to it explicitly in the future.
+Other basic laws about a datatype are applied automatically during
+simplification, so no special methods are provided for them.
+
+\begin{warn}
+ Induction is only allowed on free (or \isasymAnd-bound) variables that
+ should not occur among the assumptions of the subgoal; see
+ \S\ref{sec:ind-var-in-prems} for details. Case distinction
+ (@{text"case_tac"}) works for arbitrary terms, which need to be
+ quoted if they are non-atomic. However, apart from @{text"\<And>"}-bound
+ variables, the terms must not contain variables that are bound outside.
+ For example, given the goal @{prop"\<forall>xs. xs = [] \<or> (\<exists>y ys. xs = y#ys)"},
+ @{text"case_tac xs"} will not work as expected because Isabelle interprets
+ the @{term xs} as a new free variable distinct from the bound
+ @{term xs} in the goal.
+\end{warn}
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/fakenat.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,13 @@
+(*<*)
+theory fakenat imports Main begin;
+(*>*)
+
+text{*\noindent
+The type \tydx{nat} of natural
+numbers is predefined to have the constructors \cdx{0} and~\cdx{Suc}. It behaves as if it were declared like this:
+*}
+
+datatype nat = 0 | Suc nat
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/natsum.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,129 @@
+(*<*)
+theory natsum imports Main begin
+(*>*)
+text{*\noindent
+In particular, there are @{text"case"}-expressions, for example
+@{term[display]"case n of 0 => 0 | Suc m => m"}
+primitive recursion, for example
+*}
+
+primrec sum :: "nat \<Rightarrow> nat" where
+"sum 0 = 0" |
+"sum (Suc n) = Suc n + sum n"
+
+text{*\noindent
+and induction, for example
+*}
+
+lemma "sum n + sum n = n*(Suc n)"
+apply(induct_tac n)
+apply(auto)
+done
+
+text{*\newcommand{\mystar}{*%
+}
+\index{arithmetic operations!for \protect\isa{nat}}%
+The arithmetic operations \isadxboldpos{+}{$HOL2arithfun},
+\isadxboldpos{-}{$HOL2arithfun}, \isadxboldpos{\mystar}{$HOL2arithfun},
+\sdx{div}, \sdx{mod}, \cdx{min} and
+\cdx{max} are predefined, as are the relations
+\isadxboldpos{\isasymle}{$HOL2arithrel} and
+\isadxboldpos{<}{$HOL2arithrel}. As usual, @{prop"m-n = (0::nat)"} if
+@{prop"m<n"}. There is even a least number operation
+\sdx{LEAST}\@. For example, @{prop"(LEAST n. 0 < n) = Suc 0"}.
+\begin{warn}\index{overloading}
+ The constants \cdx{0} and \cdx{1} and the operations
+ \isadxboldpos{+}{$HOL2arithfun}, \isadxboldpos{-}{$HOL2arithfun},
+ \isadxboldpos{\mystar}{$HOL2arithfun}, \cdx{min},
+ \cdx{max}, \isadxboldpos{\isasymle}{$HOL2arithrel} and
+ \isadxboldpos{<}{$HOL2arithrel} are overloaded: they are available
+ not just for natural numbers but for other types as well.
+ For example, given the goal @{text"x + 0 = x"}, there is nothing to indicate
+ that you are talking about natural numbers. Hence Isabelle can only infer
+ that @{term x} is of some arbitrary type where @{text 0} and @{text"+"} are
+ declared. As a consequence, you will be unable to prove the
+ goal. To alert you to such pitfalls, Isabelle flags numerals without a
+ fixed type in its output: @{prop"x+0 = x"}. (In the absence of a numeral,
+ it may take you some time to realize what has happened if \pgmenu{Show
+ Types} is not set). In this particular example, you need to include
+ an explicit type constraint, for example @{text"x+0 = (x::nat)"}. If there
+ is enough contextual information this may not be necessary: @{prop"Suc x =
+ x"} automatically implies @{text"x::nat"} because @{term Suc} is not
+ overloaded.
+
+ For details on overloading see \S\ref{sec:overloading}.
+ Table~\ref{tab:overloading} in the appendix shows the most important
+ overloaded operations.
+\end{warn}
+\begin{warn}
+ The symbols \isadxboldpos{>}{$HOL2arithrel} and
+ \isadxboldpos{\isasymge}{$HOL2arithrel} are merely syntax: @{text"x > y"}
+ stands for @{prop"y < x"} and similary for @{text"\<ge>"} and
+ @{text"\<le>"}.
+\end{warn}
+\begin{warn}
+ Constant @{text"1::nat"} is defined to equal @{term"Suc 0"}. This definition
+ (see \S\ref{sec:ConstDefinitions}) is unfolded automatically by some
+ tactics (like @{text auto}, @{text simp} and @{text arith}) but not by
+ others (especially the single step tactics in Chapter~\ref{chap:rules}).
+ If you need the full set of numerals, see~\S\ref{sec:numerals}.
+ \emph{Novices are advised to stick to @{term"0::nat"} and @{term Suc}.}
+\end{warn}
+
+Both @{text auto} and @{text simp}
+(a method introduced below, \S\ref{sec:Simplification}) prove
+simple arithmetic goals automatically:
+*}
+
+lemma "\<lbrakk> \<not> m < n; m < n + (1::nat) \<rbrakk> \<Longrightarrow> m = n"
+(*<*)by(auto)(*>*)
+
+text{*\noindent
+For efficiency's sake, this built-in prover ignores quantified formulae,
+many logical connectives, and all arithmetic operations apart from addition.
+In consequence, @{text auto} and @{text simp} cannot prove this slightly more complex goal:
+*}
+
+lemma "m \<noteq> (n::nat) \<Longrightarrow> m < n \<or> n < m"
+(*<*)by(arith)(*>*)
+
+text{*\noindent The method \methdx{arith} is more general. It attempts to
+prove the first subgoal provided it is a \textbf{linear arithmetic} formula.
+Such formulas may involve the usual logical connectives (@{text"\<not>"},
+@{text"\<and>"}, @{text"\<or>"}, @{text"\<longrightarrow>"}, @{text"="},
+@{text"\<forall>"}, @{text"\<exists>"}), the relations @{text"="},
+@{text"\<le>"} and @{text"<"}, and the operations @{text"+"}, @{text"-"},
+@{term min} and @{term max}. For example, *}
+
+lemma "min i (max j (k*k)) = max (min (k*k) i) (min i (j::nat))"
+apply(arith)
+(*<*)done(*>*)
+
+text{*\noindent
+succeeds because @{term"k*k"} can be treated as atomic. In contrast,
+*}
+
+lemma "n*n = n+1 \<Longrightarrow> n=0"
+(*<*)oops(*>*)
+
+text{*\noindent
+is not proved by @{text arith} because the proof relies
+on properties of multiplication. Only multiplication by numerals (which is
+the same as iterated addition) is taken into account.
+
+\begin{warn} The running time of @{text arith} is exponential in the number
+ of occurrences of \ttindexboldpos{-}{$HOL2arithfun}, \cdx{min} and
+ \cdx{max} because they are first eliminated by case distinctions.
+
+If @{text k} is a numeral, \sdx{div}~@{text k}, \sdx{mod}~@{text k} and
+@{text k}~\sdx{dvd} are also supported, where the former two are eliminated
+by case distinctions, again blowing up the running time.
+
+If the formula involves quantifiers, @{text arith} may take
+super-exponential time and space.
+\end{warn}
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/pairs2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,35 @@
+(*<*)
+theory pairs2 imports Main begin;
+(*>*)
+text{*\label{sec:pairs}\index{pairs and tuples}
+HOL also has ordered pairs: \isa{($a@1$,$a@2$)} is of type $\tau@1$
+\indexboldpos{\isasymtimes}{$Isatype} $\tau@2$ provided each $a@i$ is of type
+$\tau@i$. The functions \cdx{fst} and
+\cdx{snd} extract the components of a pair:
+ \isa{fst($x$,$y$) = $x$} and \isa{snd($x$,$y$) = $y$}. Tuples
+are simulated by pairs nested to the right: \isa{($a@1$,$a@2$,$a@3$)} stands
+for \isa{($a@1$,($a@2$,$a@3$))} and $\tau@1 \times \tau@2 \times \tau@3$ for
+$\tau@1 \times (\tau@2 \times \tau@3)$. Therefore we have
+\isa{fst(snd($a@1$,$a@2$,$a@3$)) = $a@2$}.
+
+Remarks:
+\begin{itemize}
+\item
+There is also the type \tydx{unit}, which contains exactly one
+element denoted by~\cdx{()}. This type can be viewed
+as a degenerate product with 0 components.
+\item
+Products, like type @{typ nat}, are datatypes, which means
+in particular that @{text induct_tac} and @{text case_tac} are applicable to
+terms of product type.
+Both split the term into a number of variables corresponding to the tuple structure
+(up to 7 components).
+\item
+Tuples with more than two or three components become unwieldy;
+records are preferable.
+\end{itemize}
+For more information on pairs and records see Chapter~\ref{ch:more-types}.
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/prime_def.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,20 @@
+(*<*)
+theory prime_def imports Main begin;
+consts prime :: "nat \<Rightarrow> bool"
+(*>*)
+text{*
+\begin{warn}
+A common mistake when writing definitions is to introduce extra free
+variables on the right-hand side. Consider the following, flawed definition
+(where @{text"dvd"} means ``divides''):
+@{term[display,quotes]"prime(p) == 1 < p & (m dvd p --> (m=1 | m=p))"}
+\par\noindent\hangindent=0pt
+Isabelle rejects this ``definition'' because of the extra @{term"m"} on the
+right-hand side, which would introduce an inconsistency (why?).
+The correct version is
+@{term[display,quotes]"prime(p) == 1 < p & (!m. m dvd p --> (m=1 | m=p))"}
+\end{warn}
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/simp.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,518 @@
+(*<*)
+theory simp imports Main begin
+(*>*)
+
+subsection{*Simplification Rules*}
+
+text{*\index{simplification rules}
+To facilitate simplification,
+the attribute @{text"[simp]"}\index{*simp (attribute)}
+declares theorems to be simplification rules, which the simplifier
+will use automatically. In addition, \isacommand{datatype} and
+\isacommand{primrec} declarations (and a few others)
+implicitly declare some simplification rules.
+Explicit definitions are \emph{not} declared as
+simplification rules automatically!
+
+Nearly any theorem can become a simplification
+rule. The simplifier will try to transform it into an equation.
+For example, the theorem
+@{prop"~P"} is turned into @{prop"P = False"}. The details
+are explained in \S\ref{sec:SimpHow}.
+
+The simplification attribute of theorems can be turned on and off:%
+\index{*simp del (attribute)}
+\begin{quote}
+\isacommand{declare} \textit{theorem-name}@{text"[simp]"}\\
+\isacommand{declare} \textit{theorem-name}@{text"[simp del]"}
+\end{quote}
+Only equations that really simplify, like \isa{rev\
+{\isacharparenleft}rev\ xs{\isacharparenright}\ {\isacharequal}\ xs} and
+\isa{xs\ {\isacharat}\ {\isacharbrackleft}{\isacharbrackright}\
+{\isacharequal}\ xs}, should be declared as default simplification rules.
+More specific ones should only be used selectively and should
+not be made default. Distributivity laws, for example, alter
+the structure of terms and can produce an exponential blow-up instead of
+simplification. A default simplification rule may
+need to be disabled in certain proofs. Frequent changes in the simplification
+status of a theorem may indicate an unwise use of defaults.
+\begin{warn}
+ Simplification can run forever, for example if both $f(x) = g(x)$ and
+ $g(x) = f(x)$ are simplification rules. It is the user's responsibility not
+ to include simplification rules that can lead to nontermination, either on
+ their own or in combination with other simplification rules.
+\end{warn}
+\begin{warn}
+ It is inadvisable to toggle the simplification attribute of a
+ theorem from a parent theory $A$ in a child theory $B$ for good.
+ The reason is that if some theory $C$ is based both on $B$ and (via a
+ different path) on $A$, it is not defined what the simplification attribute
+ of that theorem will be in $C$: it could be either.
+\end{warn}
+*}
+
+subsection{*The {\tt\slshape simp} Method*}
+
+text{*\index{*simp (method)|bold}
+The general format of the simplification method is
+\begin{quote}
+@{text simp} \textit{list of modifiers}
+\end{quote}
+where the list of \emph{modifiers} fine tunes the behaviour and may
+be empty. Specific modifiers are discussed below. Most if not all of the
+proofs seen so far could have been performed
+with @{text simp} instead of \isa{auto}, except that @{text simp} attacks
+only the first subgoal and may thus need to be repeated --- use
+\methdx{simp_all} to simplify all subgoals.
+If nothing changes, @{text simp} fails.
+*}
+
+subsection{*Adding and Deleting Simplification Rules*}
+
+text{*
+\index{simplification rules!adding and deleting}%
+If a certain theorem is merely needed in a few proofs by simplification,
+we do not need to make it a global simplification rule. Instead we can modify
+the set of simplification rules used in a simplification step by adding rules
+to it and/or deleting rules from it. The two modifiers for this are
+\begin{quote}
+@{text"add:"} \textit{list of theorem names}\index{*add (modifier)}\\
+@{text"del:"} \textit{list of theorem names}\index{*del (modifier)}
+\end{quote}
+Or you can use a specific list of theorems and omit all others:
+\begin{quote}
+@{text"only:"} \textit{list of theorem names}\index{*only (modifier)}
+\end{quote}
+In this example, we invoke the simplifier, adding two distributive
+laws:
+\begin{quote}
+\isacommand{apply}@{text"(simp add: mod_mult_distrib add_mult_distrib)"}
+\end{quote}
+*}
+
+subsection{*Assumptions*}
+
+text{*\index{simplification!with/of assumptions}
+By default, assumptions are part of the simplification process: they are used
+as simplification rules and are simplified themselves. For example:
+*}
+
+lemma "\<lbrakk> xs @ zs = ys @ xs; [] @ xs = [] @ [] \<rbrakk> \<Longrightarrow> ys = zs"
+apply simp
+done
+
+text{*\noindent
+The second assumption simplifies to @{term"xs = []"}, which in turn
+simplifies the first assumption to @{term"zs = ys"}, thus reducing the
+conclusion to @{term"ys = ys"} and hence to @{term"True"}.
+
+In some cases, using the assumptions can lead to nontermination:
+*}
+
+lemma "\<forall>x. f x = g (f (g x)) \<Longrightarrow> f [] = f [] @ []"
+
+txt{*\noindent
+An unmodified application of @{text"simp"} loops. The culprit is the
+simplification rule @{term"f x = g (f (g x))"}, which is extracted from
+the assumption. (Isabelle notices certain simple forms of
+nontermination but not this one.) The problem can be circumvented by
+telling the simplifier to ignore the assumptions:
+*}
+
+apply(simp (no_asm))
+done
+
+text{*\noindent
+Three modifiers influence the treatment of assumptions:
+\begin{description}
+\item[@{text"(no_asm)"}]\index{*no_asm (modifier)}
+ means that assumptions are completely ignored.
+\item[@{text"(no_asm_simp)"}]\index{*no_asm_simp (modifier)}
+ means that the assumptions are not simplified but
+ are used in the simplification of the conclusion.
+\item[@{text"(no_asm_use)"}]\index{*no_asm_use (modifier)}
+ means that the assumptions are simplified but are not
+ used in the simplification of each other or the conclusion.
+\end{description}
+Only one of the modifiers is allowed, and it must precede all
+other modifiers.
+%\begin{warn}
+%Assumptions are simplified in a left-to-right fashion. If an
+%assumption can help in simplifying one to the left of it, this may get
+%overlooked. In such cases you have to rotate the assumptions explicitly:
+%\isacommand{apply}@ {text"("}\methdx{rotate_tac}~$n$@ {text")"}
+%causes a cyclic shift by $n$ positions from right to left, if $n$ is
+%positive, and from left to right, if $n$ is negative.
+%Beware that such rotations make proofs quite brittle.
+%\end{warn}
+*}
+
+subsection{*Rewriting with Definitions*}
+
+text{*\label{sec:Simp-with-Defs}\index{simplification!with definitions}
+Constant definitions (\S\ref{sec:ConstDefinitions}) can be used as
+simplification rules, but by default they are not: the simplifier does not
+expand them automatically. Definitions are intended for introducing abstract
+concepts and not merely as abbreviations. Of course, we need to expand
+the definition initially, but once we have proved enough abstract properties
+of the new constant, we can forget its original definition. This style makes
+proofs more robust: if the definition has to be changed,
+only the proofs of the abstract properties will be affected.
+
+For example, given *}
+
+definition xor :: "bool \<Rightarrow> bool \<Rightarrow> bool" where
+"xor A B \<equiv> (A \<and> \<not>B) \<or> (\<not>A \<and> B)"
+
+text{*\noindent
+we may want to prove
+*}
+
+lemma "xor A (\<not>A)"
+
+txt{*\noindent
+Typically, we begin by unfolding some definitions:
+\indexbold{definitions!unfolding}
+*}
+
+apply(simp only: xor_def)
+
+txt{*\noindent
+In this particular case, the resulting goal
+@{subgoals[display,indent=0]}
+can be proved by simplification. Thus we could have proved the lemma outright by
+*}(*<*)oops lemma "xor A (\<not>A)"(*>*)
+apply(simp add: xor_def)
+(*<*)done(*>*)
+text{*\noindent
+Of course we can also unfold definitions in the middle of a proof.
+
+\begin{warn}
+ If you have defined $f\,x\,y~\isasymequiv~t$ then you can only unfold
+ occurrences of $f$ with at least two arguments. This may be helpful for unfolding
+ $f$ selectively, but it may also get in the way. Defining
+ $f$~\isasymequiv~\isasymlambda$x\,y.\;t$ allows to unfold all occurrences of $f$.
+\end{warn}
+
+There is also the special method \isa{unfold}\index{*unfold (method)|bold}
+which merely unfolds
+one or several definitions, as in \isacommand{apply}\isa{(unfold xor_def)}.
+This is can be useful in situations where \isa{simp} does too much.
+Warning: \isa{unfold} acts on all subgoals!
+*}
+
+subsection{*Simplifying {\tt\slshape let}-Expressions*}
+
+text{*\index{simplification!of \isa{let}-expressions}\index{*let expressions}%
+Proving a goal containing \isa{let}-expressions almost invariably requires the
+@{text"let"}-con\-structs to be expanded at some point. Since
+@{text"let"}\ldots\isa{=}\ldots@{text"in"}{\ldots} is just syntactic sugar for
+the predefined constant @{term"Let"}, expanding @{text"let"}-constructs
+means rewriting with \tdx{Let_def}: *}
+
+lemma "(let xs = [] in xs@ys@xs) = ys"
+apply(simp add: Let_def)
+done
+
+text{*
+If, in a particular context, there is no danger of a combinatorial explosion
+of nested @{text"let"}s, you could even simplify with @{thm[source]Let_def} by
+default:
+*}
+declare Let_def [simp]
+
+subsection{*Conditional Simplification Rules*}
+
+text{*
+\index{conditional simplification rules}%
+So far all examples of rewrite rules were equations. The simplifier also
+accepts \emph{conditional} equations, for example
+*}
+
+lemma hd_Cons_tl[simp]: "xs \<noteq> [] \<Longrightarrow> hd xs # tl xs = xs"
+apply(case_tac xs, simp, simp)
+done
+
+text{*\noindent
+Note the use of ``\ttindexboldpos{,}{$Isar}'' to string together a
+sequence of methods. Assuming that the simplification rule
+@{term"(rev xs = []) = (xs = [])"}
+is present as well,
+the lemma below is proved by plain simplification:
+*}
+
+lemma "xs \<noteq> [] \<Longrightarrow> hd(rev xs) # tl(rev xs) = rev xs"
+(*<*)
+by(simp)
+(*>*)
+text{*\noindent
+The conditional equation @{thm[source]hd_Cons_tl} above
+can simplify @{term"hd(rev xs) # tl(rev xs)"} to @{term"rev xs"}
+because the corresponding precondition @{term"rev xs ~= []"}
+simplifies to @{term"xs ~= []"}, which is exactly the local
+assumption of the subgoal.
+*}
+
+
+subsection{*Automatic Case Splits*}
+
+text{*\label{sec:AutoCaseSplits}\indexbold{case splits}%
+Goals containing @{text"if"}-expressions\index{*if expressions!splitting of}
+are usually proved by case
+distinction on the boolean condition. Here is an example:
+*}
+
+lemma "\<forall>xs. if xs = [] then rev xs = [] else rev xs \<noteq> []"
+
+txt{*\noindent
+The goal can be split by a special method, \methdx{split}:
+*}
+
+apply(split split_if)
+
+txt{*\noindent
+@{subgoals[display,indent=0]}
+where \tdx{split_if} is a theorem that expresses splitting of
+@{text"if"}s. Because
+splitting the @{text"if"}s is usually the right proof strategy, the
+simplifier does it automatically. Try \isacommand{apply}@{text"(simp)"}
+on the initial goal above.
+
+This splitting idea generalizes from @{text"if"} to \sdx{case}.
+Let us simplify a case analysis over lists:\index{*list.split (theorem)}
+*}(*<*)by simp(*>*)
+lemma "(case xs of [] \<Rightarrow> zs | y#ys \<Rightarrow> y#(ys@zs)) = xs@zs"
+apply(split list.split)
+
+txt{*
+@{subgoals[display,indent=0]}
+The simplifier does not split
+@{text"case"}-expressions, as it does @{text"if"}-expressions,
+because with recursive datatypes it could lead to nontermination.
+Instead, the simplifier has a modifier
+@{text split}\index{*split (modifier)}
+for adding splitting rules explicitly. The
+lemma above can be proved in one step by
+*}
+(*<*)oops
+lemma "(case xs of [] \<Rightarrow> zs | y#ys \<Rightarrow> y#(ys@zs)) = xs@zs"
+(*>*)
+apply(simp split: list.split)
+(*<*)done(*>*)
+text{*\noindent
+whereas \isacommand{apply}@{text"(simp)"} alone will not succeed.
+
+Every datatype $t$ comes with a theorem
+$t$@{text".split"} which can be declared to be a \bfindex{split rule} either
+locally as above, or by giving it the \attrdx{split} attribute globally:
+*}
+
+declare list.split [split]
+
+text{*\noindent
+The @{text"split"} attribute can be removed with the @{text"del"} modifier,
+either locally
+*}
+(*<*)
+lemma "dummy=dummy"
+(*>*)
+apply(simp split del: split_if)
+(*<*)
+oops
+(*>*)
+text{*\noindent
+or globally:
+*}
+declare list.split [split del]
+
+text{*
+Polished proofs typically perform splitting within @{text simp} rather than
+invoking the @{text split} method. However, if a goal contains
+several @{text "if"} and @{text case} expressions,
+the @{text split} method can be
+helpful in selectively exploring the effects of splitting.
+
+The split rules shown above are intended to affect only the subgoal's
+conclusion. If you want to split an @{text"if"} or @{text"case"}-expression
+in the assumptions, you have to apply \tdx{split_if_asm} or
+$t$@{text".split_asm"}: *}
+
+lemma "if xs = [] then ys \<noteq> [] else ys = [] \<Longrightarrow> xs @ ys \<noteq> []"
+apply(split split_if_asm)
+
+txt{*\noindent
+Unlike splitting the conclusion, this step creates two
+separate subgoals, which here can be solved by @{text"simp_all"}:
+@{subgoals[display,indent=0]}
+If you need to split both in the assumptions and the conclusion,
+use $t$@{text".splits"} which subsumes $t$@{text".split"} and
+$t$@{text".split_asm"}. Analogously, there is @{thm[source]if_splits}.
+
+\begin{warn}
+ The simplifier merely simplifies the condition of an
+ \isa{if}\index{*if expressions!simplification of} but not the
+ \isa{then} or \isa{else} parts. The latter are simplified only after the
+ condition reduces to \isa{True} or \isa{False}, or after splitting. The
+ same is true for \sdx{case}-expressions: only the selector is
+ simplified at first, until either the expression reduces to one of the
+ cases or it is split.
+\end{warn}
+*}
+(*<*)
+by(simp_all)
+(*>*)
+
+subsection{*Tracing*}
+text{*\indexbold{tracing the simplifier}
+Using the simplifier effectively may take a bit of experimentation. Set the
+Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier} to get a better idea of what is going on:
+*}
+
+lemma "rev [a] = []"
+apply(simp)
+(*<*)oops(*>*)
+
+text{*\noindent
+produces the following trace in Proof General's \pgmenu{Trace} buffer:
+
+\begin{ttbox}\makeatother
+[1]Applying instance of rewrite rule "List.rev.simps_2":
+rev (?x1 # ?xs1) \(\equiv\) rev ?xs1 @ [?x1]
+
+[1]Rewriting:
+rev [a] \(\equiv\) rev [] @ [a]
+
+[1]Applying instance of rewrite rule "List.rev.simps_1":
+rev [] \(\equiv\) []
+
+[1]Rewriting:
+rev [] \(\equiv\) []
+
+[1]Applying instance of rewrite rule "List.op @.append_Nil":
+[] @ ?y \(\equiv\) ?y
+
+[1]Rewriting:
+[] @ [a] \(\equiv\) [a]
+
+[1]Applying instance of rewrite rule
+?x2 # ?t1 = ?t1 \(\equiv\) False
+
+[1]Rewriting:
+[a] = [] \(\equiv\) False
+\end{ttbox}
+The trace lists each rule being applied, both in its general form and
+the instance being used. The \texttt{[}$i$\texttt{]} in front (where
+above $i$ is always \texttt{1}) indicates that we are inside the $i$th
+invocation of the simplifier. Each attempt to apply a
+conditional rule shows the rule followed by the trace of the
+(recursive!) simplification of the conditions, the latter prefixed by
+\texttt{[}$i+1$\texttt{]} instead of \texttt{[}$i$\texttt{]}.
+Another source of recursive invocations of the simplifier are
+proofs of arithmetic formulae. By default, recursive invocations are not shown,
+you must increase the trace depth via \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgmenu{Trace Simplifier Depth}.
+
+Many other hints about the simplifier's actions may appear.
+
+In more complicated cases, the trace can be very lengthy. Thus it is
+advisable to reset the \pgmenu{Trace Simplifier} flag after having
+obtained the desired trace.
+Since this is easily forgotten (and may have the unpleasant effect of
+swamping the interface with trace information), here is how you can switch
+the trace on locally in a proof: *}
+
+(*<*)lemma "x=x"
+(*>*)
+using [[simp_trace=true]]
+apply simp
+(*<*)oops(*>*)
+
+text{* \noindent
+Within the current proof, all simplifications in subsequent proof steps
+will be traced, but the text reminds you to remove the \isa{using} clause
+after it has done its job. *}
+
+subsection{*Finding Theorems\label{sec:find}*}
+
+text{*\indexbold{finding theorems}\indexbold{searching theorems}
+Isabelle's large database of proved theorems
+offers a powerful search engine. Its chief limitation is
+its restriction to the theories currently loaded.
+
+\begin{pgnote}
+The search engine is started by clicking on Proof General's \pgmenu{Find} icon.
+You specify your search textually in the input buffer at the bottom
+of the window.
+\end{pgnote}
+
+The simplest form of search finds theorems containing specified
+patterns. A pattern can be any term (even
+a single identifier). It may contain ``\texttt{\_}'', a wildcard standing
+for any term. Here are some
+examples:
+\begin{ttbox}
+length
+"_ # _ = _ # _"
+"_ + _"
+"_ * (_ - (_::nat))"
+\end{ttbox}
+Specifying types, as shown in the last example,
+constrains searches involving overloaded operators.
+
+\begin{warn}
+Always use ``\texttt{\_}'' rather than variable names: searching for
+\texttt{"x + y"} will usually not find any matching theorems
+because they would need to contain \texttt{x} and~\texttt{y} literally.
+When searching for infix operators, do not just type in the symbol,
+such as~\texttt{+}, but a proper term such as \texttt{"_ + _"}.
+This remark applies to more complicated syntaxes, too.
+\end{warn}
+
+If you are looking for rewrite rules (possibly conditional) that could
+simplify some term, prefix the pattern with \texttt{simp:}.
+\begin{ttbox}
+simp: "_ * (_ + _)"
+\end{ttbox}
+This finds \emph{all} equations---not just those with a \isa{simp} attribute---whose conclusion has the form
+@{text[display]"_ * (_ + _) = \<dots>"}
+It only finds equations that can simplify the given pattern
+at the root, not somewhere inside: for example, equations of the form
+@{text"_ + _ = \<dots>"} do not match.
+
+You may also search for theorems by name---you merely
+need to specify a substring. For example, you could search for all
+commutativity theorems like this:
+\begin{ttbox}
+name: comm
+\end{ttbox}
+This retrieves all theorems whose name contains \texttt{comm}.
+
+Search criteria can also be negated by prefixing them with ``\texttt{-}''.
+For example,
+\begin{ttbox}
+-name: List
+\end{ttbox}
+finds theorems whose name does not contain \texttt{List}. You can use this
+to exclude particular theories from the search: the long name of
+a theorem contains the name of the theory it comes from.
+
+Finallly, different search criteria can be combined arbitrarily.
+The effect is conjuctive: Find returns the theorems that satisfy all of
+the criteria. For example,
+\begin{ttbox}
+"_ + _" -"_ - _" -simp: "_ * (_ + _)" name: assoc
+\end{ttbox}
+looks for theorems containing plus but not minus, and which do not simplify
+\mbox{@{text"_ * (_ + _)"}} at the root, and whose name contains \texttt{assoc}.
+
+Further search criteria are explained in \S\ref{sec:find2}.
+
+\begin{pgnote}
+Proof General keeps a history of all your search expressions.
+If you click on \pgmenu{Find}, you can use the arrow keys to scroll
+through previous searches and just modify them. This saves you having
+to type in lengthy expressions again and again.
+\end{pgnote}
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Misc/types.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,32 @@
+(*<*)theory "types" imports Main begin(*>*)
+type_synonym number = nat
+type_synonym gate = "bool \<Rightarrow> bool \<Rightarrow> bool"
+type_synonym ('a, 'b) alist = "('a \<times> 'b) list"
+
+text{*\noindent
+Internally all synonyms are fully expanded. As a consequence Isabelle's
+output never contains synonyms. Their main purpose is to improve the
+readability of theories. Synonyms can be used just like any other
+type.
+*}
+
+subsection{*Constant Definitions*}
+
+text{*\label{sec:ConstDefinitions}\indexbold{definitions}%
+Nonrecursive definitions can be made with the \commdx{definition}
+command, for example @{text nand} and @{text xor} gates
+(based on type @{typ gate} above):
+*}
+
+definition nand :: gate where "nand A B \<equiv> \<not>(A \<and> B)"
+definition xor :: gate where "xor A B \<equiv> A \<and> \<not>B \<or> \<not>A \<and> B"
+
+text{*\noindent%
+The symbol \indexboldpos{\isasymequiv}{$IsaEq} is a special form of equality
+that must be used in constant definitions.
+Pattern-matching is not allowed: each definition must be of
+the form $f\,x@1\,\dots\,x@n~\isasymequiv~t$.
+Section~\ref{sec:Simp-with-Defs} explains how definitions are used
+in proofs. The default name of each definition is $f$@{text"_def"}, where
+$f$ is the name of the defined constant.*}
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Protocol/Event.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,387 @@
+(* Title: HOL/Auth/Event
+ Author: Lawrence C Paulson, Cambridge University Computer Laboratory
+ Copyright 1996 University of Cambridge
+
+Datatype of events; function "spies"; freshness
+
+"bad" agents have been broken by the Spy; their private keys and internal
+ stores are visible to him
+*)(*<*)
+
+header{*Theory of Events for Security Protocols*}
+
+theory Event imports Message begin
+
+consts (*Initial states of agents -- parameter of the construction*)
+ initState :: "agent => msg set"
+
+datatype
+ event = Says agent agent msg
+ | Gets agent msg
+ | Notes agent msg
+
+consts
+ bad :: "agent set" -- {* compromised agents *}
+
+
+text{*The constant "spies" is retained for compatibility's sake*}
+
+primrec
+ knows :: "agent => event list => msg set"
+where
+ knows_Nil: "knows A [] = initState A"
+| knows_Cons:
+ "knows A (ev # evs) =
+ (if A = Spy then
+ (case ev of
+ Says A' B X => insert X (knows Spy evs)
+ | Gets A' X => knows Spy evs
+ | Notes A' X =>
+ if A' \<in> bad then insert X (knows Spy evs) else knows Spy evs)
+ else
+ (case ev of
+ Says A' B X =>
+ if A'=A then insert X (knows A evs) else knows A evs
+ | Gets A' X =>
+ if A'=A then insert X (knows A evs) else knows A evs
+ | Notes A' X =>
+ if A'=A then insert X (knows A evs) else knows A evs))"
+
+abbreviation (input)
+ spies :: "event list => msg set" where
+ "spies == knows Spy"
+
+text{*Spy has access to his own key for spoof messages, but Server is secure*}
+specification (bad)
+ Spy_in_bad [iff]: "Spy \<in> bad"
+ Server_not_bad [iff]: "Server \<notin> bad"
+ by (rule exI [of _ "{Spy}"], simp)
+
+(*
+ Case A=Spy on the Gets event
+ enforces the fact that if a message is received then it must have been sent,
+ therefore the oops case must use Notes
+*)
+
+primrec
+ (*Set of items that might be visible to somebody:
+ complement of the set of fresh items*)
+ used :: "event list => msg set"
+where
+ used_Nil: "used [] = (UN B. parts (initState B))"
+| used_Cons: "used (ev # evs) =
+ (case ev of
+ Says A B X => parts {X} \<union> used evs
+ | Gets A X => used evs
+ | Notes A X => parts {X} \<union> used evs)"
+ --{*The case for @{term Gets} seems anomalous, but @{term Gets} always
+ follows @{term Says} in real protocols. Seems difficult to change.
+ See @{text Gets_correct} in theory @{text "Guard/Extensions.thy"}. *}
+
+lemma Notes_imp_used [rule_format]: "Notes A X \<in> set evs --> X \<in> used evs"
+apply (induct_tac evs)
+apply (auto split: event.split)
+done
+
+lemma Says_imp_used [rule_format]: "Says A B X \<in> set evs --> X \<in> used evs"
+apply (induct_tac evs)
+apply (auto split: event.split)
+done
+
+
+subsection{*Function @{term knows}*}
+
+(*Simplifying
+ parts(insert X (knows Spy evs)) = parts{X} \<union> parts(knows Spy evs).
+ This version won't loop with the simplifier.*)
+lemmas parts_insert_knows_A = parts_insert [of _ "knows A evs", standard]
+
+lemma knows_Spy_Says [simp]:
+ "knows Spy (Says A B X # evs) = insert X (knows Spy evs)"
+by simp
+
+text{*Letting the Spy see "bad" agents' notes avoids redundant case-splits
+ on whether @{term "A=Spy"} and whether @{term "A\<in>bad"}*}
+lemma knows_Spy_Notes [simp]:
+ "knows Spy (Notes A X # evs) =
+ (if A:bad then insert X (knows Spy evs) else knows Spy evs)"
+by simp
+
+lemma knows_Spy_Gets [simp]: "knows Spy (Gets A X # evs) = knows Spy evs"
+by simp
+
+lemma knows_Spy_subset_knows_Spy_Says:
+ "knows Spy evs \<subseteq> knows Spy (Says A B X # evs)"
+by (simp add: subset_insertI)
+
+lemma knows_Spy_subset_knows_Spy_Notes:
+ "knows Spy evs \<subseteq> knows Spy (Notes A X # evs)"
+by force
+
+lemma knows_Spy_subset_knows_Spy_Gets:
+ "knows Spy evs \<subseteq> knows Spy (Gets A X # evs)"
+by (simp add: subset_insertI)
+
+text{*Spy sees what is sent on the traffic*}
+lemma Says_imp_knows_Spy [rule_format]:
+ "Says A B X \<in> set evs --> X \<in> knows Spy evs"
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+done
+
+lemma Notes_imp_knows_Spy [rule_format]:
+ "Notes A X \<in> set evs --> A: bad --> X \<in> knows Spy evs"
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+done
+
+
+text{*Elimination rules: derive contradictions from old Says events containing
+ items known to be fresh*}
+lemmas knows_Spy_partsEs =
+ Says_imp_knows_Spy [THEN parts.Inj, elim_format]
+ parts.Body [elim_format]
+
+lemmas Says_imp_analz_Spy = Says_imp_knows_Spy [THEN analz.Inj]
+
+text{*Compatibility for the old "spies" function*}
+lemmas spies_partsEs = knows_Spy_partsEs
+lemmas Says_imp_spies = Says_imp_knows_Spy
+lemmas parts_insert_spies = parts_insert_knows_A [of _ Spy]
+
+
+subsection{*Knowledge of Agents*}
+
+lemma knows_Says: "knows A (Says A B X # evs) = insert X (knows A evs)"
+by simp
+
+lemma knows_Notes: "knows A (Notes A X # evs) = insert X (knows A evs)"
+by simp
+
+lemma knows_Gets:
+ "A \<noteq> Spy --> knows A (Gets A X # evs) = insert X (knows A evs)"
+by simp
+
+
+lemma knows_subset_knows_Says: "knows A evs \<subseteq> knows A (Says A' B X # evs)"
+by (simp add: subset_insertI)
+
+lemma knows_subset_knows_Notes: "knows A evs \<subseteq> knows A (Notes A' X # evs)"
+by (simp add: subset_insertI)
+
+lemma knows_subset_knows_Gets: "knows A evs \<subseteq> knows A (Gets A' X # evs)"
+by (simp add: subset_insertI)
+
+text{*Agents know what they say*}
+lemma Says_imp_knows [rule_format]: "Says A B X \<in> set evs --> X \<in> knows A evs"
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+apply blast
+done
+
+text{*Agents know what they note*}
+lemma Notes_imp_knows [rule_format]: "Notes A X \<in> set evs --> X \<in> knows A evs"
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+apply blast
+done
+
+text{*Agents know what they receive*}
+lemma Gets_imp_knows_agents [rule_format]:
+ "A \<noteq> Spy --> Gets A X \<in> set evs --> X \<in> knows A evs"
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+done
+
+
+text{*What agents DIFFERENT FROM Spy know
+ was either said, or noted, or got, or known initially*}
+lemma knows_imp_Says_Gets_Notes_initState [rule_format]:
+ "[| X \<in> knows A evs; A \<noteq> Spy |] ==> EX B.
+ Says A B X \<in> set evs | Gets A X \<in> set evs | Notes A X \<in> set evs | X \<in> initState A"
+apply (erule rev_mp)
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+apply blast
+done
+
+text{*What the Spy knows -- for the time being --
+ was either said or noted, or known initially*}
+lemma knows_Spy_imp_Says_Notes_initState [rule_format]:
+ "[| X \<in> knows Spy evs |] ==> EX A B.
+ Says A B X \<in> set evs | Notes A X \<in> set evs | X \<in> initState Spy"
+apply (erule rev_mp)
+apply (induct_tac "evs")
+apply (simp_all (no_asm_simp) split add: event.split)
+apply blast
+done
+
+lemma parts_knows_Spy_subset_used: "parts (knows Spy evs) \<subseteq> used evs"
+apply (induct_tac "evs", force)
+apply (simp add: parts_insert_knows_A knows_Cons add: event.split, blast)
+done
+
+lemmas usedI = parts_knows_Spy_subset_used [THEN subsetD, intro]
+
+lemma initState_into_used: "X \<in> parts (initState B) ==> X \<in> used evs"
+apply (induct_tac "evs")
+apply (simp_all add: parts_insert_knows_A split add: event.split, blast)
+done
+
+lemma used_Says [simp]: "used (Says A B X # evs) = parts{X} \<union> used evs"
+by simp
+
+lemma used_Notes [simp]: "used (Notes A X # evs) = parts{X} \<union> used evs"
+by simp
+
+lemma used_Gets [simp]: "used (Gets A X # evs) = used evs"
+by simp
+
+lemma used_nil_subset: "used [] \<subseteq> used evs"
+apply simp
+apply (blast intro: initState_into_used)
+done
+
+text{*NOTE REMOVAL--laws above are cleaner, as they don't involve "case"*}
+declare knows_Cons [simp del]
+ used_Nil [simp del] used_Cons [simp del]
+
+
+text{*For proving theorems of the form @{term "X \<notin> analz (knows Spy evs) --> P"}
+ New events added by induction to "evs" are discarded. Provided
+ this information isn't needed, the proof will be much shorter, since
+ it will omit complicated reasoning about @{term analz}.*}
+
+lemmas analz_mono_contra =
+ knows_Spy_subset_knows_Spy_Says [THEN analz_mono, THEN contra_subsetD]
+ knows_Spy_subset_knows_Spy_Notes [THEN analz_mono, THEN contra_subsetD]
+ knows_Spy_subset_knows_Spy_Gets [THEN analz_mono, THEN contra_subsetD]
+
+lemmas analz_impI = impI [where P = "Y \<notin> analz (knows Spy evs)", standard]
+
+ML
+{*
+val analz_mono_contra_tac =
+ rtac @{thm analz_impI} THEN'
+ REPEAT1 o (dresolve_tac @{thms analz_mono_contra})
+ THEN' mp_tac
+*}
+
+lemma knows_subset_knows_Cons: "knows A evs \<subseteq> knows A (e # evs)"
+by (induct e, auto simp: knows_Cons)
+
+lemma initState_subset_knows: "initState A \<subseteq> knows A evs"
+apply (induct_tac evs, simp)
+apply (blast intro: knows_subset_knows_Cons [THEN subsetD])
+done
+
+
+text{*For proving @{text new_keys_not_used}*}
+lemma keysFor_parts_insert:
+ "[| K \<in> keysFor (parts (insert X G)); X \<in> synth (analz H) |]
+ ==> K \<in> keysFor (parts (G \<union> H)) | Key (invKey K) \<in> parts H";
+by (force
+ dest!: parts_insert_subset_Un [THEN keysFor_mono, THEN [2] rev_subsetD]
+ analz_subset_parts [THEN keysFor_mono, THEN [2] rev_subsetD]
+ intro: analz_subset_parts [THEN subsetD] parts_mono [THEN [2] rev_subsetD])
+
+method_setup analz_mono_contra = {*
+ Scan.succeed (K (SIMPLE_METHOD (REPEAT_FIRST analz_mono_contra_tac))) *}
+ "for proving theorems of the form X \<notin> analz (knows Spy evs) --> P"
+
+subsubsection{*Useful for case analysis on whether a hash is a spoof or not*}
+
+lemmas syan_impI = impI [where P = "Y \<notin> synth (analz (knows Spy evs))", standard]
+
+ML
+{*
+val knows_Cons = @{thm knows_Cons};
+val used_Nil = @{thm used_Nil};
+val used_Cons = @{thm used_Cons};
+
+val Notes_imp_used = @{thm Notes_imp_used};
+val Says_imp_used = @{thm Says_imp_used};
+val Says_imp_knows_Spy = @{thm Says_imp_knows_Spy};
+val Notes_imp_knows_Spy = @{thm Notes_imp_knows_Spy};
+val knows_Spy_partsEs = @{thms knows_Spy_partsEs};
+val spies_partsEs = @{thms spies_partsEs};
+val Says_imp_spies = @{thm Says_imp_spies};
+val parts_insert_spies = @{thm parts_insert_spies};
+val Says_imp_knows = @{thm Says_imp_knows};
+val Notes_imp_knows = @{thm Notes_imp_knows};
+val Gets_imp_knows_agents = @{thm Gets_imp_knows_agents};
+val knows_imp_Says_Gets_Notes_initState = @{thm knows_imp_Says_Gets_Notes_initState};
+val knows_Spy_imp_Says_Notes_initState = @{thm knows_Spy_imp_Says_Notes_initState};
+val usedI = @{thm usedI};
+val initState_into_used = @{thm initState_into_used};
+val used_Says = @{thm used_Says};
+val used_Notes = @{thm used_Notes};
+val used_Gets = @{thm used_Gets};
+val used_nil_subset = @{thm used_nil_subset};
+val analz_mono_contra = @{thms analz_mono_contra};
+val knows_subset_knows_Cons = @{thm knows_subset_knows_Cons};
+val initState_subset_knows = @{thm initState_subset_knows};
+val keysFor_parts_insert = @{thm keysFor_parts_insert};
+
+
+val synth_analz_mono = @{thm synth_analz_mono};
+
+val knows_Spy_subset_knows_Spy_Says = @{thm knows_Spy_subset_knows_Spy_Says};
+val knows_Spy_subset_knows_Spy_Notes = @{thm knows_Spy_subset_knows_Spy_Notes};
+val knows_Spy_subset_knows_Spy_Gets = @{thm knows_Spy_subset_knows_Spy_Gets};
+
+
+val synth_analz_mono_contra_tac =
+ rtac @{thm syan_impI} THEN'
+ REPEAT1 o
+ (dresolve_tac
+ [@{thm knows_Spy_subset_knows_Spy_Says} RS @{thm synth_analz_mono} RS @{thm contra_subsetD},
+ @{thm knows_Spy_subset_knows_Spy_Notes} RS @{thm synth_analz_mono} RS @{thm contra_subsetD},
+ @{thm knows_Spy_subset_knows_Spy_Gets} RS @{thm synth_analz_mono} RS @{thm contra_subsetD}])
+ THEN'
+ mp_tac
+*}
+
+method_setup synth_analz_mono_contra = {*
+ Scan.succeed (K (SIMPLE_METHOD (REPEAT_FIRST synth_analz_mono_contra_tac))) *}
+ "for proving theorems of the form X \<notin> synth (analz (knows Spy evs)) --> P"
+(*>*)
+
+section{* Event Traces \label{sec:events} *}
+
+text {*
+The system's behaviour is formalized as a set of traces of
+\emph{events}. The most important event, @{text "Says A B X"}, expresses
+$A\to B : X$, which is the attempt by~$A$ to send~$B$ the message~$X$.
+A trace is simply a list, constructed in reverse
+using~@{text "#"}. Other event types include reception of messages (when
+we want to make it explicit) and an agent's storing a fact.
+
+Sometimes the protocol requires an agent to generate a new nonce. The
+probability that a 20-byte random number has appeared before is effectively
+zero. To formalize this important property, the set @{term "used evs"}
+denotes the set of all items mentioned in the trace~@{text evs}.
+The function @{text used} has a straightforward
+recursive definition. Here is the case for @{text Says} event:
+@{thm [display,indent=5] used_Says [no_vars]}
+
+The function @{text knows} formalizes an agent's knowledge. Mostly we only
+care about the spy's knowledge, and @{term "knows Spy evs"} is the set of items
+available to the spy in the trace~@{text evs}. Already in the empty trace,
+the spy starts with some secrets at his disposal, such as the private keys
+of compromised users. After each @{text Says} event, the spy learns the
+message that was sent:
+@{thm [display,indent=5] knows_Spy_Says [no_vars]}
+Combinations of functions express other important
+sets of messages derived from~@{text evs}:
+\begin{itemize}
+\item @{term "analz (knows Spy evs)"} is everything that the spy could
+learn by decryption
+\item @{term "synth (analz (knows Spy evs))"} is everything that the spy
+could generate
+\end{itemize}
+*}
+
+(*<*)
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Protocol/Message.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,923 @@
+(* Title: HOL/Auth/Message
+ Author: Lawrence C Paulson, Cambridge University Computer Laboratory
+ Copyright 1996 University of Cambridge
+
+Datatypes of agents and messages;
+Inductive relations "parts", "analz" and "synth"
+*)(*<*)
+
+header{*Theory of Agents and Messages for Security Protocols*}
+
+theory Message imports Main begin
+ML_file "../../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+
+(*Needed occasionally with spy_analz_tac, e.g. in analz_insert_Key_newK*)
+lemma [simp] : "A \<union> (B \<union> A) = B \<union> A"
+by blast
+(*>*)
+
+section{* Agents and Messages *}
+
+text {*
+All protocol specifications refer to a syntactic theory of messages.
+Datatype
+@{text agent} introduces the constant @{text Server} (a trusted central
+machine, needed for some protocols), an infinite population of
+friendly agents, and the~@{text Spy}:
+*}
+
+datatype agent = Server | Friend nat | Spy
+
+text {*
+Keys are just natural numbers. Function @{text invKey} maps a public key to
+the matching private key, and vice versa:
+*}
+
+type_synonym key = nat
+consts invKey :: "key \<Rightarrow> key"
+(*<*)
+consts all_symmetric :: bool --{*true if all keys are symmetric*}
+
+specification (invKey)
+ invKey [simp]: "invKey (invKey K) = K"
+ invKey_symmetric: "all_symmetric --> invKey = id"
+ by (rule exI [of _ id], auto)
+
+
+text{*The inverse of a symmetric key is itself; that of a public key
+ is the private key and vice versa*}
+
+definition symKeys :: "key set" where
+ "symKeys == {K. invKey K = K}"
+(*>*)
+
+text {*
+Datatype
+@{text msg} introduces the message forms, which include agent names, nonces,
+keys, compound messages, and encryptions.
+*}
+
+datatype
+ msg = Agent agent
+ | Nonce nat
+ | Key key
+ | MPair msg msg
+ | Crypt key msg
+
+text {*
+\noindent
+The notation $\comp{X\sb 1,\ldots X\sb{n-1},X\sb n}$
+abbreviates
+$\isa{MPair}\,X\sb 1\,\ldots\allowbreak(\isa{MPair}\,X\sb{n-1}\,X\sb n)$.
+
+Since datatype constructors are injective, we have the theorem
+@{thm [display,indent=0] msg.inject(5) [THEN iffD1, of K X K' X']}
+A ciphertext can be decrypted using only one key and
+can yield only one plaintext. In the real world, decryption with the
+wrong key succeeds but yields garbage. Our model of encryption is
+realistic if encryption adds some redundancy to the plaintext, such as a
+checksum, so that garbage can be detected.
+*}
+
+(*<*)
+text{*Concrete syntax: messages appear as {|A,B,NA|}, etc...*}
+syntax
+ "_MTuple" :: "['a, args] => 'a * 'b" ("(2{|_,/ _|})")
+
+syntax (xsymbols)
+ "_MTuple" :: "['a, args] => 'a * 'b" ("(2\<lbrace>_,/ _\<rbrace>)")
+
+translations
+ "{|x, y, z|}" == "{|x, {|y, z|}|}"
+ "{|x, y|}" == "CONST MPair x y"
+
+
+definition keysFor :: "msg set => key set" where
+ --{*Keys useful to decrypt elements of a message set*}
+ "keysFor H == invKey ` {K. \<exists>X. Crypt K X \<in> H}"
+
+
+subsubsection{*Inductive Definition of All Parts" of a Message*}
+
+inductive_set
+ parts :: "msg set => msg set"
+ for H :: "msg set"
+ where
+ Inj [intro]: "X \<in> H ==> X \<in> parts H"
+ | Fst: "{|X,Y|} \<in> parts H ==> X \<in> parts H"
+ | Snd: "{|X,Y|} \<in> parts H ==> Y \<in> parts H"
+ | Body: "Crypt K X \<in> parts H ==> X \<in> parts H"
+
+
+text{*Monotonicity*}
+lemma parts_mono: "G \<subseteq> H ==> parts(G) \<subseteq> parts(H)"
+apply auto
+apply (erule parts.induct)
+apply (blast dest: parts.Fst parts.Snd parts.Body)+
+done
+
+
+text{*Equations hold because constructors are injective.*}
+lemma Friend_image_eq [simp]: "(Friend x \<in> Friend`A) = (x:A)"
+by auto
+
+lemma Key_image_eq [simp]: "(Key x \<in> Key`A) = (x\<in>A)"
+by auto
+
+lemma Nonce_Key_image_eq [simp]: "(Nonce x \<notin> Key`A)"
+by auto
+
+
+subsubsection{*Inverse of keys *}
+
+lemma invKey_eq [simp]: "(invKey K = invKey K') = (K=K')"
+apply safe
+apply (drule_tac f = invKey in arg_cong, simp)
+done
+
+
+subsection{*keysFor operator*}
+
+lemma keysFor_empty [simp]: "keysFor {} = {}"
+by (unfold keysFor_def, blast)
+
+lemma keysFor_Un [simp]: "keysFor (H \<union> H') = keysFor H \<union> keysFor H'"
+by (unfold keysFor_def, blast)
+
+lemma keysFor_UN [simp]: "keysFor (\<Union>i\<in>A. H i) = (\<Union>i\<in>A. keysFor (H i))"
+by (unfold keysFor_def, blast)
+
+text{*Monotonicity*}
+lemma keysFor_mono: "G \<subseteq> H ==> keysFor(G) \<subseteq> keysFor(H)"
+by (unfold keysFor_def, blast)
+
+lemma keysFor_insert_Agent [simp]: "keysFor (insert (Agent A) H) = keysFor H"
+by (unfold keysFor_def, auto)
+
+lemma keysFor_insert_Nonce [simp]: "keysFor (insert (Nonce N) H) = keysFor H"
+by (unfold keysFor_def, auto)
+
+lemma keysFor_insert_Key [simp]: "keysFor (insert (Key K) H) = keysFor H"
+by (unfold keysFor_def, auto)
+
+lemma keysFor_insert_MPair [simp]: "keysFor (insert {|X,Y|} H) = keysFor H"
+by (unfold keysFor_def, auto)
+
+lemma keysFor_insert_Crypt [simp]:
+ "keysFor (insert (Crypt K X) H) = insert (invKey K) (keysFor H)"
+by (unfold keysFor_def, auto)
+
+lemma keysFor_image_Key [simp]: "keysFor (Key`E) = {}"
+by (unfold keysFor_def, auto)
+
+lemma Crypt_imp_invKey_keysFor: "Crypt K X \<in> H ==> invKey K \<in> keysFor H"
+by (unfold keysFor_def, blast)
+
+
+subsection{*Inductive relation "parts"*}
+
+lemma MPair_parts:
+ "[| {|X,Y|} \<in> parts H;
+ [| X \<in> parts H; Y \<in> parts H |] ==> P |] ==> P"
+by (blast dest: parts.Fst parts.Snd)
+
+declare MPair_parts [elim!] parts.Body [dest!]
+text{*NB These two rules are UNSAFE in the formal sense, as they discard the
+ compound message. They work well on THIS FILE.
+ @{text MPair_parts} is left as SAFE because it speeds up proofs.
+ The Crypt rule is normally kept UNSAFE to avoid breaking up certificates.*}
+
+lemma parts_increasing: "H \<subseteq> parts(H)"
+by blast
+
+lemmas parts_insertI = subset_insertI [THEN parts_mono, THEN subsetD, standard]
+
+lemma parts_empty [simp]: "parts{} = {}"
+apply safe
+apply (erule parts.induct, blast+)
+done
+
+lemma parts_emptyE [elim!]: "X\<in> parts{} ==> P"
+by simp
+
+text{*WARNING: loops if H = {Y}, therefore must not be repeated!*}
+lemma parts_singleton: "X\<in> parts H ==> \<exists>Y\<in>H. X\<in> parts {Y}"
+by (erule parts.induct, fast+)
+
+
+subsubsection{*Unions *}
+
+lemma parts_Un_subset1: "parts(G) \<union> parts(H) \<subseteq> parts(G \<union> H)"
+by (intro Un_least parts_mono Un_upper1 Un_upper2)
+
+lemma parts_Un_subset2: "parts(G \<union> H) \<subseteq> parts(G) \<union> parts(H)"
+apply (rule subsetI)
+apply (erule parts.induct, blast+)
+done
+
+lemma parts_Un [simp]: "parts(G \<union> H) = parts(G) \<union> parts(H)"
+by (intro equalityI parts_Un_subset1 parts_Un_subset2)
+
+lemma parts_insert: "parts (insert X H) = parts {X} \<union> parts H"
+apply (subst insert_is_Un [of _ H])
+apply (simp only: parts_Un)
+done
+
+text{*TWO inserts to avoid looping. This rewrite is better than nothing.
+ Not suitable for Addsimps: its behaviour can be strange.*}
+lemma parts_insert2:
+ "parts (insert X (insert Y H)) = parts {X} \<union> parts {Y} \<union> parts H"
+apply (simp add: Un_assoc)
+apply (simp add: parts_insert [symmetric])
+done
+
+lemma parts_UN_subset1: "(\<Union>x\<in>A. parts(H x)) \<subseteq> parts(\<Union>x\<in>A. H x)"
+by (intro UN_least parts_mono UN_upper)
+
+lemma parts_UN_subset2: "parts(\<Union>x\<in>A. H x) \<subseteq> (\<Union>x\<in>A. parts(H x))"
+apply (rule subsetI)
+apply (erule parts.induct, blast+)
+done
+
+lemma parts_UN [simp]: "parts(\<Union>x\<in>A. H x) = (\<Union>x\<in>A. parts(H x))"
+by (intro equalityI parts_UN_subset1 parts_UN_subset2)
+
+text{*Added to simplify arguments to parts, analz and synth.
+ NOTE: the UN versions are no longer used!*}
+
+
+text{*This allows @{text blast} to simplify occurrences of
+ @{term "parts(G\<union>H)"} in the assumption.*}
+lemmas in_parts_UnE = parts_Un [THEN equalityD1, THEN subsetD, THEN UnE]
+declare in_parts_UnE [elim!]
+
+
+lemma parts_insert_subset: "insert X (parts H) \<subseteq> parts(insert X H)"
+by (blast intro: parts_mono [THEN [2] rev_subsetD])
+
+subsubsection{*Idempotence and transitivity *}
+
+lemma parts_partsD [dest!]: "X\<in> parts (parts H) ==> X\<in> parts H"
+by (erule parts.induct, blast+)
+
+lemma parts_idem [simp]: "parts (parts H) = parts H"
+by blast
+
+lemma parts_subset_iff [simp]: "(parts G \<subseteq> parts H) = (G \<subseteq> parts H)"
+apply (rule iffI)
+apply (iprover intro: subset_trans parts_increasing)
+apply (frule parts_mono, simp)
+done
+
+lemma parts_trans: "[| X\<in> parts G; G \<subseteq> parts H |] ==> X\<in> parts H"
+by (drule parts_mono, blast)
+
+text{*Cut*}
+lemma parts_cut:
+ "[| Y\<in> parts (insert X G); X\<in> parts H |] ==> Y\<in> parts (G \<union> H)"
+by (blast intro: parts_trans)
+
+
+lemma parts_cut_eq [simp]: "X\<in> parts H ==> parts (insert X H) = parts H"
+by (force dest!: parts_cut intro: parts_insertI)
+
+
+subsubsection{*Rewrite rules for pulling out atomic messages *}
+
+lemmas parts_insert_eq_I = equalityI [OF subsetI parts_insert_subset]
+
+
+lemma parts_insert_Agent [simp]:
+ "parts (insert (Agent agt) H) = insert (Agent agt) (parts H)"
+apply (rule parts_insert_eq_I)
+apply (erule parts.induct, auto)
+done
+
+lemma parts_insert_Nonce [simp]:
+ "parts (insert (Nonce N) H) = insert (Nonce N) (parts H)"
+apply (rule parts_insert_eq_I)
+apply (erule parts.induct, auto)
+done
+
+lemma parts_insert_Key [simp]:
+ "parts (insert (Key K) H) = insert (Key K) (parts H)"
+apply (rule parts_insert_eq_I)
+apply (erule parts.induct, auto)
+done
+
+lemma parts_insert_Crypt [simp]:
+ "parts (insert (Crypt K X) H) = insert (Crypt K X) (parts (insert X H))"
+apply (rule equalityI)
+apply (rule subsetI)
+apply (erule parts.induct, auto)
+apply (blast intro: parts.Body)
+done
+
+lemma parts_insert_MPair [simp]:
+ "parts (insert {|X,Y|} H) =
+ insert {|X,Y|} (parts (insert X (insert Y H)))"
+apply (rule equalityI)
+apply (rule subsetI)
+apply (erule parts.induct, auto)
+apply (blast intro: parts.Fst parts.Snd)+
+done
+
+lemma parts_image_Key [simp]: "parts (Key`N) = Key`N"
+apply auto
+apply (erule parts.induct, auto)
+done
+
+
+text{*In any message, there is an upper bound N on its greatest nonce.*}
+lemma msg_Nonce_supply: "\<exists>N. \<forall>n. N\<le>n --> Nonce n \<notin> parts {msg}"
+apply (induct_tac "msg")
+apply (simp_all (no_asm_simp) add: exI parts_insert2)
+ txt{*MPair case: blast works out the necessary sum itself!*}
+ prefer 2 apply auto apply (blast elim!: add_leE)
+txt{*Nonce case*}
+apply (rule_tac x = "N + Suc nat" in exI, auto)
+done
+(*>*)
+
+section{* Modelling the Adversary *}
+
+text {*
+The spy is part of the system and must be built into the model. He is
+a malicious user who does not have to follow the protocol. He
+watches the network and uses any keys he knows to decrypt messages.
+Thus he accumulates additional keys and nonces. These he can use to
+compose new messages, which he may send to anybody.
+
+Two functions enable us to formalize this behaviour: @{text analz} and
+@{text synth}. Each function maps a sets of messages to another set of
+messages. The set @{text "analz H"} formalizes what the adversary can learn
+from the set of messages~$H$. The closure properties of this set are
+defined inductively.
+*}
+
+inductive_set
+ analz :: "msg set \<Rightarrow> msg set"
+ for H :: "msg set"
+ where
+ Inj [intro,simp] : "X \<in> H \<Longrightarrow> X \<in> analz H"
+ | Fst: "\<lbrace>X,Y\<rbrace> \<in> analz H \<Longrightarrow> X \<in> analz H"
+ | Snd: "\<lbrace>X,Y\<rbrace> \<in> analz H \<Longrightarrow> Y \<in> analz H"
+ | Decrypt [dest]:
+ "\<lbrakk>Crypt K X \<in> analz H; Key(invKey K) \<in> analz H\<rbrakk>
+ \<Longrightarrow> X \<in> analz H"
+(*<*)
+text{*Monotonicity; Lemma 1 of Lowe's paper*}
+lemma analz_mono: "G\<subseteq>H ==> analz(G) \<subseteq> analz(H)"
+apply auto
+apply (erule analz.induct)
+apply (auto dest: analz.Fst analz.Snd)
+done
+
+text{*Making it safe speeds up proofs*}
+lemma MPair_analz [elim!]:
+ "[| {|X,Y|} \<in> analz H;
+ [| X \<in> analz H; Y \<in> analz H |] ==> P
+ |] ==> P"
+by (blast dest: analz.Fst analz.Snd)
+
+lemma analz_increasing: "H \<subseteq> analz(H)"
+by blast
+
+lemma analz_subset_parts: "analz H \<subseteq> parts H"
+apply (rule subsetI)
+apply (erule analz.induct, blast+)
+done
+
+lemmas analz_into_parts = analz_subset_parts [THEN subsetD, standard]
+
+lemmas not_parts_not_analz = analz_subset_parts [THEN contra_subsetD, standard]
+
+
+lemma parts_analz [simp]: "parts (analz H) = parts H"
+apply (rule equalityI)
+apply (rule analz_subset_parts [THEN parts_mono, THEN subset_trans], simp)
+apply (blast intro: analz_increasing [THEN parts_mono, THEN subsetD])
+done
+
+lemma analz_parts [simp]: "analz (parts H) = parts H"
+apply auto
+apply (erule analz.induct, auto)
+done
+
+lemmas analz_insertI = subset_insertI [THEN analz_mono, THEN [2] rev_subsetD, standard]
+
+subsubsection{*General equational properties *}
+
+lemma analz_empty [simp]: "analz{} = {}"
+apply safe
+apply (erule analz.induct, blast+)
+done
+
+text{*Converse fails: we can analz more from the union than from the
+ separate parts, as a key in one might decrypt a message in the other*}
+lemma analz_Un: "analz(G) \<union> analz(H) \<subseteq> analz(G \<union> H)"
+by (intro Un_least analz_mono Un_upper1 Un_upper2)
+
+lemma analz_insert: "insert X (analz H) \<subseteq> analz(insert X H)"
+by (blast intro: analz_mono [THEN [2] rev_subsetD])
+
+subsubsection{*Rewrite rules for pulling out atomic messages *}
+
+lemmas analz_insert_eq_I = equalityI [OF subsetI analz_insert]
+
+lemma analz_insert_Agent [simp]:
+ "analz (insert (Agent agt) H) = insert (Agent agt) (analz H)"
+apply (rule analz_insert_eq_I)
+apply (erule analz.induct, auto)
+done
+
+lemma analz_insert_Nonce [simp]:
+ "analz (insert (Nonce N) H) = insert (Nonce N) (analz H)"
+apply (rule analz_insert_eq_I)
+apply (erule analz.induct, auto)
+done
+
+text{*Can only pull out Keys if they are not needed to decrypt the rest*}
+lemma analz_insert_Key [simp]:
+ "K \<notin> keysFor (analz H) ==>
+ analz (insert (Key K) H) = insert (Key K) (analz H)"
+apply (unfold keysFor_def)
+apply (rule analz_insert_eq_I)
+apply (erule analz.induct, auto)
+done
+
+lemma analz_insert_MPair [simp]:
+ "analz (insert {|X,Y|} H) =
+ insert {|X,Y|} (analz (insert X (insert Y H)))"
+apply (rule equalityI)
+apply (rule subsetI)
+apply (erule analz.induct, auto)
+apply (erule analz.induct)
+apply (blast intro: analz.Fst analz.Snd)+
+done
+
+text{*Can pull out enCrypted message if the Key is not known*}
+lemma analz_insert_Crypt:
+ "Key (invKey K) \<notin> analz H
+ ==> analz (insert (Crypt K X) H) = insert (Crypt K X) (analz H)"
+apply (rule analz_insert_eq_I)
+apply (erule analz.induct, auto)
+
+done
+
+lemma lemma1: "Key (invKey K) \<in> analz H ==>
+ analz (insert (Crypt K X) H) \<subseteq>
+ insert (Crypt K X) (analz (insert X H))"
+apply (rule subsetI)
+apply (erule_tac x = x in analz.induct, auto)
+done
+
+lemma lemma2: "Key (invKey K) \<in> analz H ==>
+ insert (Crypt K X) (analz (insert X H)) \<subseteq>
+ analz (insert (Crypt K X) H)"
+apply auto
+apply (erule_tac x = x in analz.induct, auto)
+apply (blast intro: analz_insertI analz.Decrypt)
+done
+
+lemma analz_insert_Decrypt:
+ "Key (invKey K) \<in> analz H ==>
+ analz (insert (Crypt K X) H) =
+ insert (Crypt K X) (analz (insert X H))"
+by (intro equalityI lemma1 lemma2)
+
+text{*Case analysis: either the message is secure, or it is not! Effective,
+but can cause subgoals to blow up! Use with @{text "split_if"}; apparently
+@{text "split_tac"} does not cope with patterns such as @{term"analz (insert
+(Crypt K X) H)"} *}
+lemma analz_Crypt_if [simp]:
+ "analz (insert (Crypt K X) H) =
+ (if (Key (invKey K) \<in> analz H)
+ then insert (Crypt K X) (analz (insert X H))
+ else insert (Crypt K X) (analz H))"
+by (simp add: analz_insert_Crypt analz_insert_Decrypt)
+
+
+text{*This rule supposes "for the sake of argument" that we have the key.*}
+lemma analz_insert_Crypt_subset:
+ "analz (insert (Crypt K X) H) \<subseteq>
+ insert (Crypt K X) (analz (insert X H))"
+apply (rule subsetI)
+apply (erule analz.induct, auto)
+done
+
+
+lemma analz_image_Key [simp]: "analz (Key`N) = Key`N"
+apply auto
+apply (erule analz.induct, auto)
+done
+
+
+subsubsection{*Idempotence and transitivity *}
+
+lemma analz_analzD [dest!]: "X\<in> analz (analz H) ==> X\<in> analz H"
+by (erule analz.induct, blast+)
+
+lemma analz_idem [simp]: "analz (analz H) = analz H"
+by blast
+
+lemma analz_subset_iff [simp]: "(analz G \<subseteq> analz H) = (G \<subseteq> analz H)"
+apply (rule iffI)
+apply (iprover intro: subset_trans analz_increasing)
+apply (frule analz_mono, simp)
+done
+
+lemma analz_trans: "[| X\<in> analz G; G \<subseteq> analz H |] ==> X\<in> analz H"
+by (drule analz_mono, blast)
+
+text{*Cut; Lemma 2 of Lowe*}
+lemma analz_cut: "[| Y\<in> analz (insert X H); X\<in> analz H |] ==> Y\<in> analz H"
+by (erule analz_trans, blast)
+
+(*Cut can be proved easily by induction on
+ "Y: analz (insert X H) ==> X: analz H --> Y: analz H"
+*)
+
+text{*This rewrite rule helps in the simplification of messages that involve
+ the forwarding of unknown components (X). Without it, removing occurrences
+ of X can be very complicated. *}
+lemma analz_insert_eq: "X\<in> analz H ==> analz (insert X H) = analz H"
+by (blast intro: analz_cut analz_insertI)
+
+
+text{*A congruence rule for "analz" *}
+
+lemma analz_subset_cong:
+ "[| analz G \<subseteq> analz G'; analz H \<subseteq> analz H' |]
+ ==> analz (G \<union> H) \<subseteq> analz (G' \<union> H')"
+apply simp
+apply (iprover intro: conjI subset_trans analz_mono Un_upper1 Un_upper2)
+done
+
+lemma analz_cong:
+ "[| analz G = analz G'; analz H = analz H' |]
+ ==> analz (G \<union> H) = analz (G' \<union> H')"
+by (intro equalityI analz_subset_cong, simp_all)
+
+lemma analz_insert_cong:
+ "analz H = analz H' ==> analz(insert X H) = analz(insert X H')"
+by (force simp only: insert_def intro!: analz_cong)
+
+text{*If there are no pairs or encryptions then analz does nothing*}
+lemma analz_trivial:
+ "[| \<forall>X Y. {|X,Y|} \<notin> H; \<forall>X K. Crypt K X \<notin> H |] ==> analz H = H"
+apply safe
+apply (erule analz.induct, blast+)
+done
+
+text{*These two are obsolete (with a single Spy) but cost little to prove...*}
+lemma analz_UN_analz_lemma:
+ "X\<in> analz (\<Union>i\<in>A. analz (H i)) ==> X\<in> analz (\<Union>i\<in>A. H i)"
+apply (erule analz.induct)
+apply (blast intro: analz_mono [THEN [2] rev_subsetD])+
+done
+
+lemma analz_UN_analz [simp]: "analz (\<Union>i\<in>A. analz (H i)) = analz (\<Union>i\<in>A. H i)"
+by (blast intro: analz_UN_analz_lemma analz_mono [THEN [2] rev_subsetD])
+(*>*)
+text {*
+Note the @{text Decrypt} rule: the spy can decrypt a
+message encrypted with key~$K$ if he has the matching key,~$K^{-1}$.
+Properties proved by rule induction include the following:
+@{named_thms [display,indent=0] analz_mono [no_vars] (analz_mono) analz_idem [no_vars] (analz_idem)}
+
+The set of fake messages that an intruder could invent
+starting from~@{text H} is @{text "synth(analz H)"}, where @{text "synth H"}
+formalizes what the adversary can build from the set of messages~$H$.
+*}
+
+inductive_set
+ synth :: "msg set \<Rightarrow> msg set"
+ for H :: "msg set"
+ where
+ Inj [intro]: "X \<in> H \<Longrightarrow> X \<in> synth H"
+ | Agent [intro]: "Agent agt \<in> synth H"
+ | MPair [intro]:
+ "\<lbrakk>X \<in> synth H; Y \<in> synth H\<rbrakk> \<Longrightarrow> \<lbrace>X,Y\<rbrace> \<in> synth H"
+ | Crypt [intro]:
+ "\<lbrakk>X \<in> synth H; Key K \<in> H\<rbrakk> \<Longrightarrow> Crypt K X \<in> synth H"
+(*<*)
+lemma synth_mono: "G\<subseteq>H ==> synth(G) \<subseteq> synth(H)"
+ by (auto, erule synth.induct, auto)
+
+inductive_cases Key_synth [elim!]: "Key K \<in> synth H"
+inductive_cases MPair_synth [elim!]: "{|X,Y|} \<in> synth H"
+inductive_cases Crypt_synth [elim!]: "Crypt K X \<in> synth H"
+
+lemma analz_synth_Un [simp]: "analz (synth G \<union> H) = analz (G \<union> H) \<union> synth G"
+apply (rule equalityI)
+apply (rule subsetI)
+apply (erule analz.induct)
+prefer 5 apply (blast intro: analz_mono [THEN [2] rev_subsetD])
+apply (blast intro: analz.Fst analz.Snd analz.Decrypt)+
+done
+
+lemma analz_synth [simp]: "analz (synth H) = analz H \<union> synth H"
+apply (cut_tac H = "{}" in analz_synth_Un)
+apply (simp (no_asm_use))
+done
+(*>*)
+text {*
+The set includes all agent names. Nonces and keys are assumed to be
+unguessable, so none are included beyond those already in~$H$. Two
+elements of @{term "synth H"} can be combined, and an element can be encrypted
+using a key present in~$H$.
+
+Like @{text analz}, this set operator is monotone and idempotent. It also
+satisfies an interesting equation involving @{text analz}:
+@{named_thms [display,indent=0] analz_synth [no_vars] (analz_synth)}
+Rule inversion plays a major role in reasoning about @{text synth}, through
+declarations such as this one:
+*}
+
+inductive_cases Nonce_synth [elim!]: "Nonce n \<in> synth H"
+
+text {*
+\noindent
+The resulting elimination rule replaces every assumption of the form
+@{term "Nonce n \<in> synth H"} by @{term "Nonce n \<in> H"},
+expressing that a nonce cannot be guessed.
+
+A third operator, @{text parts}, is useful for stating correctness
+properties. The set
+@{term "parts H"} consists of the components of elements of~$H$. This set
+includes~@{text H} and is closed under the projections from a compound
+message to its immediate parts.
+Its definition resembles that of @{text analz} except in the rule
+corresponding to the constructor @{text Crypt}:
+@{thm [display,indent=5] parts.Body [no_vars]}
+The body of an encrypted message is always regarded as part of it. We can
+use @{text parts} to express general well-formedness properties of a protocol,
+for example, that an uncompromised agent's private key will never be
+included as a component of any message.
+*}
+(*<*)
+lemma synth_increasing: "H \<subseteq> synth(H)"
+by blast
+
+subsubsection{*Unions *}
+
+text{*Converse fails: we can synth more from the union than from the
+ separate parts, building a compound message using elements of each.*}
+lemma synth_Un: "synth(G) \<union> synth(H) \<subseteq> synth(G \<union> H)"
+by (intro Un_least synth_mono Un_upper1 Un_upper2)
+
+lemma synth_insert: "insert X (synth H) \<subseteq> synth(insert X H)"
+by (blast intro: synth_mono [THEN [2] rev_subsetD])
+
+subsubsection{*Idempotence and transitivity *}
+
+lemma synth_synthD [dest!]: "X\<in> synth (synth H) ==> X\<in> synth H"
+by (erule synth.induct, blast+)
+
+lemma synth_idem: "synth (synth H) = synth H"
+by blast
+
+lemma synth_subset_iff [simp]: "(synth G \<subseteq> synth H) = (G \<subseteq> synth H)"
+apply (rule iffI)
+apply (iprover intro: subset_trans synth_increasing)
+apply (frule synth_mono, simp add: synth_idem)
+done
+
+lemma synth_trans: "[| X\<in> synth G; G \<subseteq> synth H |] ==> X\<in> synth H"
+by (drule synth_mono, blast)
+
+text{*Cut; Lemma 2 of Lowe*}
+lemma synth_cut: "[| Y\<in> synth (insert X H); X\<in> synth H |] ==> Y\<in> synth H"
+by (erule synth_trans, blast)
+
+lemma Agent_synth [simp]: "Agent A \<in> synth H"
+by blast
+
+lemma Nonce_synth_eq [simp]: "(Nonce N \<in> synth H) = (Nonce N \<in> H)"
+by blast
+
+lemma Key_synth_eq [simp]: "(Key K \<in> synth H) = (Key K \<in> H)"
+by blast
+
+lemma Crypt_synth_eq [simp]:
+ "Key K \<notin> H ==> (Crypt K X \<in> synth H) = (Crypt K X \<in> H)"
+by blast
+
+
+lemma keysFor_synth [simp]:
+ "keysFor (synth H) = keysFor H \<union> invKey`{K. Key K \<in> H}"
+by (unfold keysFor_def, blast)
+
+
+subsubsection{*Combinations of parts, analz and synth *}
+
+lemma parts_synth [simp]: "parts (synth H) = parts H \<union> synth H"
+apply (rule equalityI)
+apply (rule subsetI)
+apply (erule parts.induct)
+apply (blast intro: synth_increasing [THEN parts_mono, THEN subsetD]
+ parts.Fst parts.Snd parts.Body)+
+done
+
+lemma analz_analz_Un [simp]: "analz (analz G \<union> H) = analz (G \<union> H)"
+apply (intro equalityI analz_subset_cong)+
+apply simp_all
+done
+
+
+subsubsection{*For reasoning about the Fake rule in traces *}
+
+lemma parts_insert_subset_Un: "X\<in> G ==> parts(insert X H) \<subseteq> parts G \<union> parts H"
+by (rule subset_trans [OF parts_mono parts_Un_subset2], blast)
+
+text{*More specifically for Fake. Very occasionally we could do with a version
+ of the form @{term"parts{X} \<subseteq> synth (analz H) \<union> parts H"} *}
+lemma Fake_parts_insert:
+ "X \<in> synth (analz H) ==>
+ parts (insert X H) \<subseteq> synth (analz H) \<union> parts H"
+apply (drule parts_insert_subset_Un)
+apply (simp (no_asm_use))
+apply blast
+done
+
+lemma Fake_parts_insert_in_Un:
+ "[|Z \<in> parts (insert X H); X: synth (analz H)|]
+ ==> Z \<in> synth (analz H) \<union> parts H";
+by (blast dest: Fake_parts_insert [THEN subsetD, dest])
+
+text{*@{term H} is sometimes @{term"Key ` KK \<union> spies evs"}, so can't put
+ @{term "G=H"}.*}
+lemma Fake_analz_insert:
+ "X\<in> synth (analz G) ==>
+ analz (insert X H) \<subseteq> synth (analz G) \<union> analz (G \<union> H)"
+apply (rule subsetI)
+apply (subgoal_tac "x \<in> analz (synth (analz G) \<union> H) ")
+prefer 2 apply (blast intro: analz_mono [THEN [2] rev_subsetD] analz_mono [THEN synth_mono, THEN [2] rev_subsetD])
+apply (simp (no_asm_use))
+apply blast
+done
+
+lemma analz_conj_parts [simp]:
+ "(X \<in> analz H & X \<in> parts H) = (X \<in> analz H)"
+by (blast intro: analz_subset_parts [THEN subsetD])
+
+lemma analz_disj_parts [simp]:
+ "(X \<in> analz H | X \<in> parts H) = (X \<in> parts H)"
+by (blast intro: analz_subset_parts [THEN subsetD])
+
+text{*Without this equation, other rules for synth and analz would yield
+ redundant cases*}
+lemma MPair_synth_analz [iff]:
+ "({|X,Y|} \<in> synth (analz H)) =
+ (X \<in> synth (analz H) & Y \<in> synth (analz H))"
+by blast
+
+lemma Crypt_synth_analz:
+ "[| Key K \<in> analz H; Key (invKey K) \<in> analz H |]
+ ==> (Crypt K X \<in> synth (analz H)) = (X \<in> synth (analz H))"
+by blast
+
+
+text{*We do NOT want Crypt... messages broken up in protocols!!*}
+declare parts.Body [rule del]
+
+
+text{*Rewrites to push in Key and Crypt messages, so that other messages can
+ be pulled out using the @{text analz_insert} rules*}
+
+lemmas pushKeys [standard] =
+ insert_commute [of "Key K" "Agent C"]
+ insert_commute [of "Key K" "Nonce N"]
+ insert_commute [of "Key K" "Number N"]
+ insert_commute [of "Key K" "Hash X"]
+ insert_commute [of "Key K" "MPair X Y"]
+ insert_commute [of "Key K" "Crypt X K'"]
+
+lemmas pushCrypts [standard] =
+ insert_commute [of "Crypt X K" "Agent C"]
+ insert_commute [of "Crypt X K" "Agent C"]
+ insert_commute [of "Crypt X K" "Nonce N"]
+ insert_commute [of "Crypt X K" "Number N"]
+ insert_commute [of "Crypt X K" "Hash X'"]
+ insert_commute [of "Crypt X K" "MPair X' Y"]
+
+text{*Cannot be added with @{text "[simp]"} -- messages should not always be
+ re-ordered. *}
+lemmas pushes = pushKeys pushCrypts
+
+
+subsection{*Tactics useful for many protocol proofs*}
+ML
+{*
+val invKey = @{thm invKey};
+val keysFor_def = @{thm keysFor_def};
+val symKeys_def = @{thm symKeys_def};
+val parts_mono = @{thm parts_mono};
+val analz_mono = @{thm analz_mono};
+val synth_mono = @{thm synth_mono};
+val analz_increasing = @{thm analz_increasing};
+
+val analz_insertI = @{thm analz_insertI};
+val analz_subset_parts = @{thm analz_subset_parts};
+val Fake_parts_insert = @{thm Fake_parts_insert};
+val Fake_analz_insert = @{thm Fake_analz_insert};
+val pushes = @{thms pushes};
+
+
+(*Analysis of Fake cases. Also works for messages that forward unknown parts,
+ but this application is no longer necessary if analz_insert_eq is used.
+ Abstraction over i is ESSENTIAL: it delays the dereferencing of claset
+ DEPENDS UPON "X" REFERRING TO THE FRADULENT MESSAGE *)
+
+(*Apply rules to break down assumptions of the form
+ Y \<in> parts(insert X H) and Y \<in> analz(insert X H)
+*)
+fun impOfSubs th = th RSN (2, @{thm rev_subsetD})
+
+val Fake_insert_tac =
+ dresolve_tac [impOfSubs Fake_analz_insert,
+ impOfSubs Fake_parts_insert] THEN'
+ eresolve_tac [asm_rl, @{thm synth.Inj}];
+
+fun Fake_insert_simp_tac ss i =
+ REPEAT (Fake_insert_tac i) THEN asm_full_simp_tac ss i;
+
+fun atomic_spy_analz_tac ctxt =
+ SELECT_GOAL
+ (Fake_insert_simp_tac (simpset_of ctxt) 1 THEN
+ IF_UNSOLVED (Blast.depth_tac (ctxt addIs [analz_insertI, impOfSubs analz_subset_parts]) 4 1));
+
+fun spy_analz_tac ctxt i =
+ DETERM
+ (SELECT_GOAL
+ (EVERY
+ [ (*push in occurrences of X...*)
+ (REPEAT o CHANGED)
+ (res_inst_tac ctxt [(("x", 1), "X")] (insert_commute RS ssubst) 1),
+ (*...allowing further simplifications*)
+ simp_tac (simpset_of ctxt) 1,
+ REPEAT (FIRSTGOAL (resolve_tac [allI,impI,notI,conjI,iffI])),
+ DEPTH_SOLVE (atomic_spy_analz_tac ctxt 1)]) i);
+*}
+
+text{*By default only @{text o_apply} is built-in. But in the presence of
+eta-expansion this means that some terms displayed as @{term "f o g"} will be
+rewritten, and others will not!*}
+declare o_def [simp]
+
+
+lemma Crypt_notin_image_Key [simp]: "Crypt K X \<notin> Key ` A"
+by auto
+
+lemma synth_analz_mono: "G\<subseteq>H ==> synth (analz(G)) \<subseteq> synth (analz(H))"
+by (iprover intro: synth_mono analz_mono)
+
+lemma Fake_analz_eq [simp]:
+ "X \<in> synth(analz H) ==> synth (analz (insert X H)) = synth (analz H)"
+apply (drule Fake_analz_insert[of _ _ "H"])
+apply (simp add: synth_increasing[THEN Un_absorb2])
+apply (drule synth_mono)
+apply (simp add: synth_idem)
+apply (rule equalityI)
+apply (simp add: );
+apply (rule synth_analz_mono, blast)
+done
+
+text{*Two generalizations of @{text analz_insert_eq}*}
+lemma gen_analz_insert_eq [rule_format]:
+ "X \<in> analz H ==> ALL G. H \<subseteq> G --> analz (insert X G) = analz G";
+by (blast intro: analz_cut analz_insertI analz_mono [THEN [2] rev_subsetD])
+
+lemma synth_analz_insert_eq [rule_format]:
+ "X \<in> synth (analz H)
+ ==> ALL G. H \<subseteq> G --> (Key K \<in> analz (insert X G)) = (Key K \<in> analz G)";
+apply (erule synth.induct)
+apply (simp_all add: gen_analz_insert_eq subset_trans [OF _ subset_insertI])
+done
+
+lemma Fake_parts_sing:
+ "X \<in> synth (analz H) ==> parts{X} \<subseteq> synth (analz H) \<union> parts H";
+apply (rule subset_trans)
+ apply (erule_tac [2] Fake_parts_insert)
+apply (rule parts_mono, blast)
+done
+
+lemmas Fake_parts_sing_imp_Un = Fake_parts_sing [THEN [2] rev_subsetD]
+
+method_setup spy_analz = {*
+ Scan.succeed (SIMPLE_METHOD' o spy_analz_tac) *}
+ "for proving the Fake case when analz is involved"
+
+method_setup atomic_spy_analz = {*
+ Scan.succeed (SIMPLE_METHOD' o atomic_spy_analz_tac) *}
+ "for debugging spy_analz"
+
+method_setup Fake_insert_simp = {*
+ Scan.succeed (SIMPLE_METHOD' o Fake_insert_simp_tac o simpset_of) *}
+ "for debugging spy_analz"
+
+
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Protocol/NS_Public.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,402 @@
+(* Title: HOL/Auth/NS_Public
+ Author: Lawrence C Paulson, Cambridge University Computer Laboratory
+ Copyright 1996 University of Cambridge
+
+Inductive relation "ns_public" for the Needham-Schroeder Public-Key protocol.
+Version incorporating Lowe's fix (inclusion of B's identity in round 2).
+*)(*<*)
+theory NS_Public imports Public begin(*>*)
+
+section{* Modelling the Protocol \label{sec:modelling} *}
+
+text_raw {*
+\begin{figure}
+\begin{isabelle}
+*}
+
+inductive_set ns_public :: "event list set"
+ where
+
+ Nil: "[] \<in> ns_public"
+
+
+ | Fake: "\<lbrakk>evsf \<in> ns_public; X \<in> synth (analz (knows Spy evsf))\<rbrakk>
+ \<Longrightarrow> Says Spy B X # evsf \<in> ns_public"
+
+
+ | NS1: "\<lbrakk>evs1 \<in> ns_public; Nonce NA \<notin> used evs1\<rbrakk>
+ \<Longrightarrow> Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)
+ # evs1 \<in> ns_public"
+
+
+ | NS2: "\<lbrakk>evs2 \<in> ns_public; Nonce NB \<notin> used evs2;
+ Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs2\<rbrakk>
+ \<Longrightarrow> Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
+ # evs2 \<in> ns_public"
+
+
+ | NS3: "\<lbrakk>evs3 \<in> ns_public;
+ Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs3;
+ Says B' A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)
+ \<in> set evs3\<rbrakk>
+ \<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) # evs3 \<in> ns_public"
+
+text_raw {*
+\end{isabelle}
+\caption{An Inductive Protocol Definition}\label{fig:ns_public}
+\end{figure}
+*}
+
+text {*
+Let us formalize the Needham-Schroeder public-key protocol, as corrected by
+Lowe:
+\begin{alignat*%
+}{2}
+ &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
+ &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
+ &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
+\end{alignat*%
+}
+
+Each protocol step is specified by a rule of an inductive definition. An
+event trace has type @{text "event list"}, so we declare the constant
+@{text ns_public} to be a set of such traces.
+
+Figure~\ref{fig:ns_public} presents the inductive definition. The
+@{text Nil} rule introduces the empty trace. The @{text Fake} rule models the
+adversary's sending a message built from components taken from past
+traffic, expressed using the functions @{text synth} and
+@{text analz}.
+The next three rules model how honest agents would perform the three
+protocol steps.
+
+Here is a detailed explanation of rule @{text NS2}.
+A trace containing an event of the form
+@{term [display,indent=5] "Says A' B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>)"}
+may be extended by an event of the form
+@{term [display,indent=5] "Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>)"}
+where @{text NB} is a fresh nonce: @{term "Nonce NB \<notin> used evs2"}.
+Writing the sender as @{text A'} indicates that @{text B} does not
+know who sent the message. Calling the trace variable @{text evs2} rather
+than simply @{text evs} helps us know where we are in a proof after many
+case-splits: every subgoal mentioning @{text evs2} involves message~2 of the
+protocol.
+
+Benefits of this approach are simplicity and clarity. The semantic model
+is set theory, proofs are by induction and the translation from the informal
+notation to the inductive rules is straightforward.
+*}
+
+section{* Proving Elementary Properties \label{sec:regularity} *}
+
+(*<*)
+declare knows_Spy_partsEs [elim]
+declare analz_subset_parts [THEN subsetD, dest]
+declare Fake_parts_insert [THEN subsetD, dest]
+declare image_eq_UN [simp] (*accelerates proofs involving nested images*)
+
+(*A "possibility property": there are traces that reach the end*)
+lemma "\<exists>NB. \<exists>evs \<in> ns_public. Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
+apply (intro exI bexI)
+apply (rule_tac [2] ns_public.Nil [THEN ns_public.NS1, THEN ns_public.NS2,
+ THEN ns_public.NS3])
+by possibility
+
+
+(**** Inductive proofs about ns_public ****)
+
+(** Theorems of the form X \<notin> parts (knows Spy evs) imply that NOBODY
+ sends messages containing X! **)
+
+(*Spy never sees another agent's private key! (unless it's bad at start)*)
+(*>*)
+
+text {*
+Secrecy properties can be hard to prove. The conclusion of a typical
+secrecy theorem is
+@{term "X \<notin> analz (knows Spy evs)"}. The difficulty arises from
+having to reason about @{text analz}, or less formally, showing that the spy
+can never learn~@{text X}. Much easier is to prove that @{text X} can never
+occur at all. Such \emph{regularity} properties are typically expressed
+using @{text parts} rather than @{text analz}.
+
+The following lemma states that @{text A}'s private key is potentially
+known to the spy if and only if @{text A} belongs to the set @{text bad} of
+compromised agents. The statement uses @{text parts}: the very presence of
+@{text A}'s private key in a message, whether protected by encryption or
+not, is enough to confirm that @{text A} is compromised. The proof, like
+nearly all protocol proofs, is by induction over traces.
+*}
+
+lemma Spy_see_priK [simp]:
+ "evs \<in> ns_public
+ \<Longrightarrow> (Key (priK A) \<in> parts (knows Spy evs)) = (A \<in> bad)"
+apply (erule ns_public.induct, simp_all)
+txt {*
+The induction yields five subgoals, one for each rule in the definition of
+@{text ns_public}. The idea is to prove that the protocol property holds initially
+(rule @{text Nil}), is preserved by each of the legitimate protocol steps (rules
+@{text NS1}--@{text 3}), and even is preserved in the face of anything the
+spy can do (rule @{text Fake}).
+
+The proof is trivial. No legitimate protocol rule sends any keys
+at all, so only @{text Fake} is relevant. Indeed, simplification leaves
+only the @{text Fake} case, as indicated by the variable name @{text evsf}:
+@{subgoals[display,indent=0,margin=65]}
+*}
+by blast
+(*<*)
+lemma Spy_analz_priK [simp]:
+ "evs \<in> ns_public \<Longrightarrow> (Key (priK A) \<in> analz (knows Spy evs)) = (A \<in> bad)"
+by auto
+(*>*)
+
+text {*
+The @{text Fake} case is proved automatically. If
+@{term "priK A"} is in the extended trace then either (1) it was already in the
+original trace or (2) it was
+generated by the spy, who must have known this key already.
+Either way, the induction hypothesis applies.
+
+\emph{Unicity} lemmas are regularity lemmas stating that specified items
+can occur only once in a trace. The following lemma states that a nonce
+cannot be used both as $Na$ and as $Nb$ unless
+it is known to the spy. Intuitively, it holds because honest agents
+always choose fresh values as nonces; only the spy might reuse a value,
+and he doesn't know this particular value. The proof script is short:
+induction, simplification, @{text blast}. The first line uses the rule
+@{text rev_mp} to prepare the induction by moving two assumptions into the
+induction formula.
+*}
+
+lemma no_nonce_NS1_NS2:
+ "\<lbrakk>Crypt (pubK C) \<lbrace>NA', Nonce NA, Agent D\<rbrace> \<in> parts (knows Spy evs);
+ Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs);
+ evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Nonce NA \<in> analz (knows Spy evs)"
+apply (erule rev_mp, erule rev_mp)
+apply (erule ns_public.induct, simp_all)
+apply (blast intro: analz_insertI)+
+done
+
+text {*
+The following unicity lemma states that, if \isa{NA} is secret, then its
+appearance in any instance of message~1 determines the other components.
+The proof is similar to the previous one.
+*}
+
+lemma unique_NA:
+ "\<lbrakk>Crypt(pubK B) \<lbrace>Nonce NA, Agent A \<rbrace> \<in> parts(knows Spy evs);
+ Crypt(pubK B') \<lbrace>Nonce NA, Agent A'\<rbrace> \<in> parts(knows Spy evs);
+ Nonce NA \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> A=A' \<and> B=B'"
+(*<*)
+apply (erule rev_mp, erule rev_mp, erule rev_mp)
+apply (erule ns_public.induct, simp_all)
+(*Fake, NS1*)
+apply (blast intro: analz_insertI)+
+done
+(*>*)
+
+section{* Proving Secrecy Theorems \label{sec:secrecy} *}
+
+(*<*)
+(*Secrecy: Spy does not see the nonce sent in msg NS1 if A and B are secure
+ The major premise "Says A B ..." makes it a dest-rule, so we use
+ (erule rev_mp) rather than rule_format. *)
+theorem Spy_not_see_NA:
+ "\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs;
+ A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Nonce NA \<notin> analz (knows Spy evs)"
+apply (erule rev_mp)
+apply (erule ns_public.induct, simp_all)
+apply spy_analz
+apply (blast dest: unique_NA intro: no_nonce_NS1_NS2)+
+done
+
+
+(*Authentication for A: if she receives message 2 and has used NA
+ to start a run, then B has sent message 2.*)
+lemma A_trusts_NS2_lemma [rule_format]:
+ "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
+ Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs \<longrightarrow>
+ Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
+apply (erule ns_public.induct, simp_all)
+(*Fake, NS1*)
+apply (blast dest: Spy_not_see_NA)+
+done
+
+theorem A_trusts_NS2:
+ "\<lbrakk>Says A B (Crypt(pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs;
+ Says B' A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
+ A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Says B A (Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs"
+by (blast intro: A_trusts_NS2_lemma)
+
+
+(*If the encrypted message appears then it originated with Alice in NS1*)
+lemma B_trusts_NS1 [rule_format]:
+ "evs \<in> ns_public
+ \<Longrightarrow> Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace> \<in> parts (knows Spy evs) \<longrightarrow>
+ Nonce NA \<notin> analz (knows Spy evs) \<longrightarrow>
+ Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
+apply (erule ns_public.induct, simp_all)
+(*Fake*)
+apply (blast intro!: analz_insertI)
+done
+
+
+
+(*** Authenticity properties obtained from NS2 ***)
+
+(*Unicity for NS2: nonce NB identifies nonce NA and agents A, B
+ [unicity of B makes Lowe's fix work]
+ [proof closely follows that for unique_NA] *)
+
+lemma unique_NB [dest]:
+ "\<lbrakk>Crypt(pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace> \<in> parts(knows Spy evs);
+ Crypt(pubK A') \<lbrace>Nonce NA', Nonce NB, Agent B'\<rbrace> \<in> parts(knows Spy evs);
+ Nonce NB \<notin> analz (knows Spy evs); evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> A=A' \<and> NA=NA' \<and> B=B'"
+apply (erule rev_mp, erule rev_mp, erule rev_mp)
+apply (erule ns_public.induct, simp_all)
+(*Fake, NS2*)
+apply (blast intro: analz_insertI)+
+done
+(*>*)
+
+text {*
+The secrecy theorems for Bob (the second participant) are especially
+important because they fail for the original protocol. The following
+theorem states that if Bob sends message~2 to Alice, and both agents are
+uncompromised, then Bob's nonce will never reach the spy.
+*}
+
+theorem Spy_not_see_NB [dest]:
+ "\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
+ A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Nonce NB \<notin> analz (knows Spy evs)"
+txt {*
+To prove it, we must formulate the induction properly (one of the
+assumptions mentions~@{text evs}), apply induction, and simplify:
+*}
+
+apply (erule rev_mp, erule ns_public.induct, simp_all)
+(*<*)
+apply spy_analz
+defer
+apply (blast intro: no_nonce_NS1_NS2)
+apply (blast intro: no_nonce_NS1_NS2)
+(*>*)
+
+txt {*
+The proof states are too complicated to present in full.
+Let's examine the simplest subgoal, that for message~1. The following
+event has just occurred:
+\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'} \]
+The variables above have been primed because this step
+belongs to a different run from that referred to in the theorem
+statement --- the theorem
+refers to a past instance of message~2, while this subgoal
+concerns message~1 being sent just now.
+In the Isabelle subgoal, instead of primed variables like $B'$ and $Na'$
+we have @{text Ba} and~@{text NAa}:
+@{subgoals[display,indent=0]}
+The simplifier has used a
+default simplification rule that does a case
+analysis for each encrypted message on whether or not the decryption key
+is compromised.
+@{named_thms [display,indent=0,margin=50] analz_Crypt_if [no_vars] (analz_Crypt_if)}
+The simplifier has also used @{text Spy_see_priK}, proved in
+{\S}\ref{sec:regularity} above, to yield @{term "Ba \<in> bad"}.
+
+Recall that this subgoal concerns the case
+where the last message to be sent was
+\[ 1.\quad A'\to B' : \comp{Na',A'}\sb{Kb'}. \]
+This message can compromise $Nb$ only if $Nb=Na'$ and $B'$ is compromised,
+allowing the spy to decrypt the message. The Isabelle subgoal says
+precisely this, if we allow for its choice of variable names.
+Proving @{term "NB \<noteq> NAa"} is easy: @{text NB} was
+sent earlier, while @{text NAa} is fresh; formally, we have
+the assumption @{term "Nonce NAa \<notin> used evs1"}.
+
+Note that our reasoning concerned @{text B}'s participation in another
+run. Agents may engage in several runs concurrently, and some attacks work
+by interleaving the messages of two runs. With model checking, this
+possibility can cause a state-space explosion, and for us it
+certainly complicates proofs. The biggest subgoal concerns message~2. It
+splits into several cases, such as whether or not the message just sent is
+the very message mentioned in the theorem statement.
+Some of the cases are proved by unicity, others by
+the induction hypothesis. For all those complications, the proofs are
+automatic by @{text blast} with the theorem @{text no_nonce_NS1_NS2}.
+
+The remaining theorems about the protocol are not hard to prove. The
+following one asserts a form of \emph{authenticity}: if
+@{text B} has sent an instance of message~2 to~@{text A} and has received the
+expected reply, then that reply really originated with~@{text A}. The
+proof is a simple induction.
+*}
+
+(*<*)
+by (blast intro: no_nonce_NS1_NS2)
+
+lemma B_trusts_NS3_lemma [rule_format]:
+ "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow>
+ Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow>
+ Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow>
+ Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
+by (erule ns_public.induct, auto)
+(*>*)
+theorem B_trusts_NS3:
+ "\<lbrakk>Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs;
+ Says A' B (Crypt (pubK B) (Nonce NB)) \<in> set evs;
+ A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk>
+ \<Longrightarrow> Says A B (Crypt (pubK B) (Nonce NB)) \<in> set evs"
+(*<*)
+by (blast intro: B_trusts_NS3_lemma)
+
+(*** Overall guarantee for B ***)
+
+
+(*If NS3 has been sent and the nonce NB agrees with the nonce B joined with
+ NA, then A initiated the run using NA.*)
+theorem B_trusts_protocol [rule_format]:
+ "\<lbrakk>A \<notin> bad; B \<notin> bad; evs \<in> ns_public\<rbrakk> \<Longrightarrow>
+ Crypt (pubK B) (Nonce NB) \<in> parts (knows Spy evs) \<longrightarrow>
+ Says B A (Crypt (pubK A) \<lbrace>Nonce NA, Nonce NB, Agent B\<rbrace>) \<in> set evs \<longrightarrow>
+ Says A B (Crypt (pubK B) \<lbrace>Nonce NA, Agent A\<rbrace>) \<in> set evs"
+by (erule ns_public.induct, auto)
+(*>*)
+
+text {*
+From similar assumptions, we can prove that @{text A} started the protocol
+run by sending an instance of message~1 involving the nonce~@{text NA}\@.
+For this theorem, the conclusion is
+@{thm [display] (concl) B_trusts_protocol [no_vars]}
+Analogous theorems can be proved for~@{text A}, stating that nonce~@{text NA}
+remains secret and that message~2 really originates with~@{text B}. Even the
+flawed protocol establishes these properties for~@{text A};
+the flaw only harms the second participant.
+
+\medskip
+
+Detailed information on this protocol verification technique can be found
+elsewhere~\cite{paulson-jcs}, including proofs of an Internet
+protocol~\cite{paulson-tls}. We must stress that the protocol discussed
+in this chapter is trivial. There are only three messages; no keys are
+exchanged; we merely have to prove that encrypted data remains secret.
+Real world protocols are much longer and distribute many secrets to their
+participants. To be realistic, the model has to include the possibility
+of keys being lost dynamically due to carelessness. If those keys have
+been used to encrypt other sensitive information, there may be cascading
+losses. We may still be able to establish a bound on the losses and to
+prove that other protocol runs function
+correctly~\cite{paulson-yahalom}. Proofs of real-world protocols follow
+the strategy illustrated above, but the subgoals can
+be much bigger and there are more of them.
+\index{protocols!security|)}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Protocol/Public.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,172 @@
+(* Title: HOL/Auth/Public
+ Author: Lawrence C Paulson, Cambridge University Computer Laboratory
+ Copyright 1996 University of Cambridge
+
+Theory of Public Keys (common to all public-key protocols)
+
+Private and public keys; initial states of agents
+*)(*<*)
+theory Public imports Event
+begin
+(*>*)
+
+text {*
+The function
+@{text pubK} maps agents to their public keys. The function
+@{text priK} maps agents to their private keys. It is merely
+an abbreviation (cf.\ \S\ref{sec:abbreviations}) defined in terms of
+@{text invKey} and @{text pubK}.
+*}
+
+consts pubK :: "agent \<Rightarrow> key"
+abbreviation priK :: "agent \<Rightarrow> key"
+where "priK x \<equiv> invKey(pubK x)"
+(*<*)
+overloading initState \<equiv> initState
+begin
+
+primrec initState where
+ (*Agents know their private key and all public keys*)
+ initState_Server: "initState Server =
+ insert (Key (priK Server)) (Key ` range pubK)"
+| initState_Friend: "initState (Friend i) =
+ insert (Key (priK (Friend i))) (Key ` range pubK)"
+| initState_Spy: "initState Spy =
+ (Key`invKey`pubK`bad) Un (Key ` range pubK)"
+
+end
+(*>*)
+
+text {*
+\noindent
+The set @{text bad} consists of those agents whose private keys are known to
+the spy.
+
+Two axioms are asserted about the public-key cryptosystem.
+No two agents have the same public key, and no private key equals
+any public key.
+*}
+
+axioms
+ inj_pubK: "inj pubK"
+ priK_neq_pubK: "priK A \<noteq> pubK B"
+(*<*)
+lemmas [iff] = inj_pubK [THEN inj_eq]
+
+lemma priK_inj_eq[iff]: "(priK A = priK B) = (A=B)"
+ apply safe
+ apply (drule_tac f=invKey in arg_cong)
+ apply simp
+ done
+
+lemmas [iff] = priK_neq_pubK priK_neq_pubK [THEN not_sym]
+
+lemma not_symKeys_pubK[iff]: "pubK A \<notin> symKeys"
+ by (simp add: symKeys_def)
+
+lemma not_symKeys_priK[iff]: "priK A \<notin> symKeys"
+ by (simp add: symKeys_def)
+
+lemma symKeys_neq_imp_neq: "(K \<in> symKeys) \<noteq> (K' \<in> symKeys) \<Longrightarrow> K \<noteq> K'"
+ by blast
+
+lemma analz_symKeys_Decrypt: "[| Crypt K X \<in> analz H; K \<in> symKeys; Key K \<in> analz H |]
+ ==> X \<in> analz H"
+ by (auto simp add: symKeys_def)
+
+
+(** "Image" equations that hold for injective functions **)
+
+lemma invKey_image_eq[simp]: "(invKey x : invKey`A) = (x:A)"
+ by auto
+
+(*holds because invKey is injective*)
+lemma pubK_image_eq[simp]: "(pubK x : pubK`A) = (x:A)"
+ by auto
+
+lemma priK_pubK_image_eq[simp]: "(priK x ~: pubK`A)"
+ by auto
+
+
+(** Rewrites should not refer to initState(Friend i)
+ -- not in normal form! **)
+
+lemma keysFor_parts_initState[simp]: "keysFor (parts (initState C)) = {}"
+ apply (unfold keysFor_def)
+ apply (induct C)
+ apply (auto intro: range_eqI)
+ done
+
+
+(*** Function "spies" ***)
+
+(*Agents see their own private keys!*)
+lemma priK_in_initState[iff]: "Key (priK A) : initState A"
+ by (induct A) auto
+
+(*All public keys are visible*)
+lemma spies_pubK[iff]: "Key (pubK A) : spies evs"
+ by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
+
+(*Spy sees private keys of bad agents!*)
+lemma Spy_spies_bad[intro!]: "A: bad ==> Key (priK A) : spies evs"
+ by (induct evs) (simp_all add: imageI knows_Cons split: event.split)
+
+lemmas [iff] = spies_pubK [THEN analz.Inj]
+
+
+(*** Fresh nonces ***)
+
+lemma Nonce_notin_initState[iff]: "Nonce N ~: parts (initState B)"
+ by (induct B) auto
+
+lemma Nonce_notin_used_empty[simp]: "Nonce N ~: used []"
+ by (simp add: used_Nil)
+
+
+(*** Supply fresh nonces for possibility theorems. ***)
+
+(*In any trace, there is an upper bound N on the greatest nonce in use.*)
+lemma Nonce_supply_lemma: "EX N. ALL n. N<=n --> Nonce n \<notin> used evs"
+apply (induct_tac "evs")
+apply (rule_tac x = 0 in exI)
+apply (simp_all (no_asm_simp) add: used_Cons split add: event.split)
+apply safe
+apply (rule msg_Nonce_supply [THEN exE], blast elim!: add_leE)+
+done
+
+lemma Nonce_supply1: "EX N. Nonce N \<notin> used evs"
+by (rule Nonce_supply_lemma [THEN exE], blast)
+
+lemma Nonce_supply: "Nonce (@ N. Nonce N \<notin> used evs) \<notin> used evs"
+apply (rule Nonce_supply_lemma [THEN exE])
+apply (rule someI, fast)
+done
+
+
+(*** Specialized rewriting for the analz_image_... theorems ***)
+
+lemma insert_Key_singleton: "insert (Key K) H = Key ` {K} Un H"
+ by blast
+
+lemma insert_Key_image: "insert (Key K) (Key`KK Un C) = Key ` (insert K KK) Un C"
+ by blast
+
+
+(*Specialized methods*)
+
+(*Tactic for possibility theorems*)
+ML {*
+fun possibility_tac ctxt =
+ REPEAT (*omit used_Says so that Nonces start from different traces!*)
+ (ALLGOALS (simp_tac (simpset_of ctxt delsimps [used_Says]))
+ THEN
+ REPEAT_FIRST (eq_assume_tac ORELSE'
+ resolve_tac [refl, conjI, @{thm Nonce_supply}]));
+*}
+
+method_setup possibility = {* Scan.succeed (SIMPLE_METHOD o possibility_tac) *}
+ "for proving possibility theorems"
+
+end
+(*>*)
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/Induction.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,71 @@
+(*<*)
+theory Induction imports examples simplification begin;
+(*>*)
+
+text{*
+Assuming we have defined our function such that Isabelle could prove
+termination and that the recursion equations (or some suitable derived
+equations) are simplification rules, we might like to prove something about
+our function. Since the function is recursive, the natural proof principle is
+again induction. But this time the structural form of induction that comes
+with datatypes is unlikely to work well --- otherwise we could have defined the
+function by \isacommand{primrec}. Therefore \isacommand{recdef} automatically
+proves a suitable induction rule $f$@{text".induct"} that follows the
+recursion pattern of the particular function $f$. We call this
+\textbf{recursion induction}. Roughly speaking, it
+requires you to prove for each \isacommand{recdef} equation that the property
+you are trying to establish holds for the left-hand side provided it holds
+for all recursive calls on the right-hand side. Here is a simple example
+involving the predefined @{term"map"} functional on lists:
+*}
+
+lemma "map f (sep(x,xs)) = sep(f x, map f xs)";
+
+txt{*\noindent
+Note that @{term"map f xs"}
+is the result of applying @{term"f"} to all elements of @{term"xs"}. We prove
+this lemma by recursion induction over @{term"sep"}:
+*}
+
+apply(induct_tac x xs rule: sep.induct);
+
+txt{*\noindent
+The resulting proof state has three subgoals corresponding to the three
+clauses for @{term"sep"}:
+@{subgoals[display,indent=0]}
+The rest is pure simplification:
+*}
+
+apply simp_all;
+done
+
+text{*
+Try proving the above lemma by structural induction, and you find that you
+need an additional case distinction. What is worse, the names of variables
+are invented by Isabelle and have nothing to do with the names in the
+definition of @{term"sep"}.
+
+In general, the format of invoking recursion induction is
+\begin{quote}
+\isacommand{apply}@{text"(induct_tac"} $x@1 \dots x@n$ @{text"rule:"} $f$@{text".induct)"}
+\end{quote}\index{*induct_tac (method)}%
+where $x@1~\dots~x@n$ is a list of free variables in the subgoal and $f$ the
+name of a function that takes an $n$-tuple. Usually the subgoal will
+contain the term $f(x@1,\dots,x@n)$ but this need not be the case. The
+induction rules do not mention $f$ at all. Here is @{thm[source]sep.induct}:
+\begin{isabelle}
+{\isasymlbrakk}~{\isasymAnd}a.~P~a~[];\isanewline
+~~{\isasymAnd}a~x.~P~a~[x];\isanewline
+~~{\isasymAnd}a~x~y~zs.~P~a~(y~\#~zs)~{\isasymLongrightarrow}~P~a~(x~\#~y~\#~zs){\isasymrbrakk}\isanewline
+{\isasymLongrightarrow}~P~u~v%
+\end{isabelle}
+It merely says that in order to prove a property @{term"P"} of @{term"u"} and
+@{term"v"} you need to prove it for the three cases where @{term"v"} is the
+empty list, the singleton list, and the list with at least two elements.
+The final case has an induction hypothesis: you may assume that @{term"P"}
+holds for the tail of that list.
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/Nested0.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,24 @@
+(*<*)
+theory Nested0 imports Main begin
+(*>*)
+
+text{*
+\index{datatypes!nested}%
+In \S\ref{sec:nested-datatype} we defined the datatype of terms
+*}
+
+datatype ('a,'b)"term" = Var 'a | App 'b "('a,'b)term list"
+
+text{*\noindent
+and closed with the observation that the associated schema for the definition
+of primitive recursive functions leads to overly verbose definitions. Moreover,
+if you have worked exercise~\ref{ex:trev-trev} you will have noticed that
+you needed to declare essentially the same function as @{term"rev"}
+and prove many standard properties of list reversal all over again.
+We will now show you how \isacommand{recdef} can simplify
+definitions and proofs about nested recursive datatypes. As an example we
+choose exercise~\ref{ex:trev-trev}:
+*}
+
+consts trev :: "('a,'b)term \<Rightarrow> ('a,'b)term"
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/Nested1.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,43 @@
+(*<*)
+theory Nested1 imports Nested0 begin
+(*>*)
+
+text{*\noindent
+Although the definition of @{term trev} below is quite natural, we will have
+to overcome a minor difficulty in convincing Isabelle of its termination.
+It is precisely this difficulty that is the \textit{raison d'\^etre} of
+this subsection.
+
+Defining @{term trev} by \isacommand{recdef} rather than \isacommand{primrec}
+simplifies matters because we are now free to use the recursion equation
+suggested at the end of \S\ref{sec:nested-datatype}:
+*}
+
+recdef (*<*)(permissive)(*>*)trev "measure size"
+ "trev (Var x) = Var x"
+ "trev (App f ts) = App f (rev(map trev ts))"
+
+text{*\noindent
+Remember that function @{term size} is defined for each \isacommand{datatype}.
+However, the definition does not succeed. Isabelle complains about an
+unproved termination condition
+@{prop[display]"t : set ts --> size t < Suc (term_list_size ts)"}
+where @{term set} returns the set of elements of a list
+and @{text"term_list_size :: term list \<Rightarrow> nat"} is an auxiliary
+function automatically defined by Isabelle
+(while processing the declaration of @{text term}). Why does the
+recursive call of @{const trev} lead to this
+condition? Because \isacommand{recdef} knows that @{term map}
+will apply @{const trev} only to elements of @{term ts}. Thus the
+condition expresses that the size of the argument @{prop"t : set ts"} of any
+recursive call of @{const trev} is strictly less than @{term"size(App f ts)"},
+which equals @{term"Suc(term_list_size ts)"}. We will now prove the termination condition and
+continue with our definition. Below we return to the question of how
+\isacommand{recdef} knows about @{term map}.
+
+The termination condition is easily proved by induction:
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/Nested2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,91 @@
+(*<*)
+theory Nested2 imports Nested0 begin
+(*>*)
+
+lemma [simp]: "t \<in> set ts \<longrightarrow> size t < Suc(term_list_size ts)"
+by(induct_tac ts, auto)
+(*<*)
+recdef trev "measure size"
+ "trev (Var x) = Var x"
+ "trev (App f ts) = App f (rev(map trev ts))"
+(*>*)
+text{*\noindent
+By making this theorem a simplification rule, \isacommand{recdef}
+applies it automatically and the definition of @{term"trev"}
+succeeds now. As a reward for our effort, we can now prove the desired
+lemma directly. We no longer need the verbose
+induction schema for type @{text"term"} and can use the simpler one arising from
+@{term"trev"}:
+*}
+
+lemma "trev(trev t) = t"
+apply(induct_tac t rule: trev.induct)
+txt{*
+@{subgoals[display,indent=0]}
+Both the base case and the induction step fall to simplification:
+*}
+
+by(simp_all add: rev_map sym[OF map_compose] cong: map_cong)
+
+text{*\noindent
+If the proof of the induction step mystifies you, we recommend that you go through
+the chain of simplification steps in detail; you will probably need the help of
+@{text"simp_trace"}. Theorem @{thm[source]map_cong} is discussed below.
+%\begin{quote}
+%{term[display]"trev(trev(App f ts))"}\\
+%{term[display]"App f (rev(map trev (rev(map trev ts))))"}\\
+%{term[display]"App f (map trev (rev(rev(map trev ts))))"}\\
+%{term[display]"App f (map trev (map trev ts))"}\\
+%{term[display]"App f (map (trev o trev) ts)"}\\
+%{term[display]"App f (map (%x. x) ts)"}\\
+%{term[display]"App f ts"}
+%\end{quote}
+
+The definition of @{term"trev"} above is superior to the one in
+\S\ref{sec:nested-datatype} because it uses @{term"rev"}
+and lets us use existing facts such as \hbox{@{prop"rev(rev xs) = xs"}}.
+Thus this proof is a good example of an important principle:
+\begin{quote}
+\emph{Chose your definitions carefully\\
+because they determine the complexity of your proofs.}
+\end{quote}
+
+Let us now return to the question of how \isacommand{recdef} can come up with
+sensible termination conditions in the presence of higher-order functions
+like @{term"map"}. For a start, if nothing were known about @{term"map"}, then
+@{term"map trev ts"} might apply @{term"trev"} to arbitrary terms, and thus
+\isacommand{recdef} would try to prove the unprovable @{term"size t < Suc
+(term_list_size ts)"}, without any assumption about @{term"t"}. Therefore
+\isacommand{recdef} has been supplied with the congruence theorem
+@{thm[source]map_cong}:
+@{thm[display,margin=50]"map_cong"[no_vars]}
+Its second premise expresses that in @{term"map f xs"},
+function @{term"f"} is only applied to elements of list @{term"xs"}. Congruence
+rules for other higher-order functions on lists are similar. If you get
+into a situation where you need to supply \isacommand{recdef} with new
+congruence rules, you can append a hint after the end of
+the recursion equations:\cmmdx{hints}
+*}
+(*<*)
+consts dummy :: "nat => nat"
+recdef dummy "{}"
+"dummy n = n"
+(*>*)
+(hints recdef_cong: map_cong)
+
+text{*\noindent
+Or you can declare them globally
+by giving them the \attrdx{recdef_cong} attribute:
+*}
+
+declare map_cong[recdef_cong]
+
+text{*
+The @{text cong} and @{text recdef_cong} attributes are
+intentionally kept apart because they control different activities, namely
+simplification and making recursive definitions.
+%The simplifier's congruence rules cannot be used by recdef.
+%For example the weak congruence rules for if and case would prevent
+%recdef from generating sensible termination conditions.
+*}
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,95 @@
+(*<*)
+theory examples imports Main begin;
+(*>*)
+
+text{*
+Here is a simple example, the \rmindex{Fibonacci function}:
+*}
+
+consts fib :: "nat \<Rightarrow> nat";
+recdef fib "measure(\<lambda>n. n)"
+ "fib 0 = 0"
+ "fib (Suc 0) = 1"
+ "fib (Suc(Suc x)) = fib x + fib (Suc x)";
+
+text{*\noindent
+\index{measure functions}%
+The definition of @{term"fib"} is accompanied by a \textbf{measure function}
+@{term"%n. n"} which maps the argument of @{term"fib"} to a
+natural number. The requirement is that in each equation the measure of the
+argument on the left-hand side is strictly greater than the measure of the
+argument of each recursive call. In the case of @{term"fib"} this is
+obviously true because the measure function is the identity and
+@{term"Suc(Suc x)"} is strictly greater than both @{term"x"} and
+@{term"Suc x"}.
+
+Slightly more interesting is the insertion of a fixed element
+between any two elements of a list:
+*}
+
+consts sep :: "'a \<times> 'a list \<Rightarrow> 'a list";
+recdef sep "measure (\<lambda>(a,xs). length xs)"
+ "sep(a, []) = []"
+ "sep(a, [x]) = [x]"
+ "sep(a, x#y#zs) = x # a # sep(a,y#zs)";
+
+text{*\noindent
+This time the measure is the length of the list, which decreases with the
+recursive call; the first component of the argument tuple is irrelevant.
+The details of tupled $\lambda$-abstractions @{text"\<lambda>(x\<^sub>1,\<dots>,x\<^sub>n)"} are
+explained in \S\ref{sec:products}, but for now your intuition is all you need.
+
+Pattern matching\index{pattern matching!and \isacommand{recdef}}
+need not be exhaustive:
+*}
+
+consts last :: "'a list \<Rightarrow> 'a";
+recdef last "measure (\<lambda>xs. length xs)"
+ "last [x] = x"
+ "last (x#y#zs) = last (y#zs)";
+
+text{*
+Overlapping patterns are disambiguated by taking the order of equations into
+account, just as in functional programming:
+*}
+
+consts sep1 :: "'a \<times> 'a list \<Rightarrow> 'a list";
+recdef sep1 "measure (\<lambda>(a,xs). length xs)"
+ "sep1(a, x#y#zs) = x # a # sep1(a,y#zs)"
+ "sep1(a, xs) = xs";
+
+text{*\noindent
+To guarantee that the second equation can only be applied if the first
+one does not match, Isabelle internally replaces the second equation
+by the two possibilities that are left: @{prop"sep1(a,[]) = []"} and
+@{prop"sep1(a, [x]) = [x]"}. Thus the functions @{term sep} and
+@{const sep1} are identical.
+
+\begin{warn}
+ \isacommand{recdef} only takes the first argument of a (curried)
+ recursive function into account. This means both the termination measure
+ and pattern matching can only use that first argument. In general, you will
+ therefore have to combine several arguments into a tuple. In case only one
+ argument is relevant for termination, you can also rearrange the order of
+ arguments as in the following definition:
+\end{warn}
+*}
+consts sep2 :: "'a list \<Rightarrow> 'a \<Rightarrow> 'a list";
+recdef sep2 "measure length"
+ "sep2 (x#y#zs) = (\<lambda>a. x # a # sep2 (y#zs) a)"
+ "sep2 xs = (\<lambda>a. xs)";
+
+text{*
+Because of its pattern-matching syntax, \isacommand{recdef} is also useful
+for the definition of non-recursive functions, where the termination measure
+degenerates to the empty set @{term"{}"}:
+*}
+
+consts swap12 :: "'a list \<Rightarrow> 'a list";
+recdef swap12 "{}"
+ "swap12 (x#y#zs) = y#x#zs"
+ "swap12 zs = zs";
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/simplification.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,99 @@
+(*<*)
+theory simplification imports Main begin;
+(*>*)
+
+text{*
+Once we have proved all the termination conditions, the \isacommand{recdef}
+recursion equations become simplification rules, just as with
+\isacommand{primrec}. In most cases this works fine, but there is a subtle
+problem that must be mentioned: simplification may not
+terminate because of automatic splitting of @{text "if"}.
+\index{*if expressions!splitting of}
+Let us look at an example:
+*}
+
+consts gcd :: "nat\<times>nat \<Rightarrow> nat";
+recdef gcd "measure (\<lambda>(m,n).n)"
+ "gcd (m, n) = (if n=0 then m else gcd(n, m mod n))";
+
+text{*\noindent
+According to the measure function, the second argument should decrease with
+each recursive call. The resulting termination condition
+@{term[display]"n ~= (0::nat) ==> m mod n < n"}
+is proved automatically because it is already present as a lemma in
+HOL\@. Thus the recursion equation becomes a simplification
+rule. Of course the equation is nonterminating if we are allowed to unfold
+the recursive call inside the @{text else} branch, which is why programming
+languages and our simplifier don't do that. Unfortunately the simplifier does
+something else that leads to the same problem: it splits
+each @{text "if"}-expression unless its
+condition simplifies to @{term True} or @{term False}. For
+example, simplification reduces
+@{term[display]"gcd(m,n) = k"}
+in one step to
+@{term[display]"(if n=0 then m else gcd(n, m mod n)) = k"}
+where the condition cannot be reduced further, and splitting leads to
+@{term[display]"(n=0 --> m=k) & (n ~= 0 --> gcd(n, m mod n)=k)"}
+Since the recursive call @{term"gcd(n, m mod n)"} is no longer protected by
+an @{text "if"}, it is unfolded again, which leads to an infinite chain of
+simplification steps. Fortunately, this problem can be avoided in many
+different ways.
+
+The most radical solution is to disable the offending theorem
+@{thm[source]split_if},
+as shown in \S\ref{sec:AutoCaseSplits}. However, we do not recommend this
+approach: you will often have to invoke the rule explicitly when
+@{text "if"} is involved.
+
+If possible, the definition should be given by pattern matching on the left
+rather than @{text "if"} on the right. In the case of @{term gcd} the
+following alternative definition suggests itself:
+*}
+
+consts gcd1 :: "nat\<times>nat \<Rightarrow> nat";
+recdef gcd1 "measure (\<lambda>(m,n).n)"
+ "gcd1 (m, 0) = m"
+ "gcd1 (m, n) = gcd1(n, m mod n)";
+
+
+text{*\noindent
+The order of equations is important: it hides the side condition
+@{prop"n ~= (0::nat)"}. Unfortunately, in general the case distinction
+may not be expressible by pattern matching.
+
+A simple alternative is to replace @{text "if"} by @{text case},
+which is also available for @{typ bool} and is not split automatically:
+*}
+
+consts gcd2 :: "nat\<times>nat \<Rightarrow> nat";
+recdef gcd2 "measure (\<lambda>(m,n).n)"
+ "gcd2(m,n) = (case n=0 of True \<Rightarrow> m | False \<Rightarrow> gcd2(n,m mod n))";
+
+text{*\noindent
+This is probably the neatest solution next to pattern matching, and it is
+always available.
+
+A final alternative is to replace the offending simplification rules by
+derived conditional ones. For @{term gcd} it means we have to prove
+these lemmas:
+*}
+
+lemma [simp]: "gcd (m, 0) = m";
+apply(simp);
+done
+
+lemma [simp]: "n \<noteq> 0 \<Longrightarrow> gcd(m, n) = gcd(n, m mod n)";
+apply(simp);
+done
+
+text{*\noindent
+Simplification terminates for these proofs because the condition of the @{text
+"if"} simplifies to @{term True} or @{term False}.
+Now we can disable the original simplification rule:
+*}
+
+declare gcd.simps [simp del]
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Recdef/termination.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,70 @@
+(*<*)
+theory "termination" imports examples begin
+(*>*)
+
+text{*
+When a function~$f$ is defined via \isacommand{recdef}, Isabelle tries to prove
+its termination with the help of the user-supplied measure. Each of the examples
+above is simple enough that Isabelle can automatically prove that the
+argument's measure decreases in each recursive call. As a result,
+$f$@{text".simps"} will contain the defining equations (or variants derived
+from them) as theorems. For example, look (via \isacommand{thm}) at
+@{thm[source]sep.simps} and @{thm[source]sep1.simps} to see that they define
+the same function. What is more, those equations are automatically declared as
+simplification rules.
+
+Isabelle may fail to prove the termination condition for some
+recursive call. Let us try to define Quicksort:*}
+
+consts qs :: "nat list \<Rightarrow> nat list"
+recdef(*<*)(permissive)(*>*) qs "measure length"
+ "qs [] = []"
+ "qs(x#xs) = qs(filter (\<lambda>y. y\<le>x) xs) @ [x] @ qs(filter (\<lambda>y. x<y) xs)"
+
+text{*\noindent where @{term filter} is predefined and @{term"filter P xs"}
+is the list of elements of @{term xs} satisfying @{term P}.
+This definition of @{term qs} fails, and Isabelle prints an error message
+showing you what it was unable to prove:
+@{text[display]"length (filter ... xs) < Suc (length xs)"}
+We can either prove this as a separate lemma, or try to figure out which
+existing lemmas may help. We opt for the second alternative. The theory of
+lists contains the simplification rule @{thm length_filter_le[no_vars]},
+which is what we need, provided we turn \mbox{@{text"< Suc"}}
+into
+@{text"\<le>"} so that the rule applies. Lemma
+@{thm[source]less_Suc_eq_le} does just that: @{thm less_Suc_eq_le[no_vars]}.
+
+Now we retry the above definition but supply the lemma(s) just found (or
+proved). Because \isacommand{recdef}'s termination prover involves
+simplification, we include in our second attempt a hint: the
+\attrdx{recdef_simp} attribute says to use @{thm[source]less_Suc_eq_le} as a
+simplification rule.\cmmdx{hints} *}
+
+(*<*)global consts qs :: "nat list \<Rightarrow> nat list" (*>*)
+recdef qs "measure length"
+ "qs [] = []"
+ "qs(x#xs) = qs(filter (\<lambda>y. y\<le>x) xs) @ [x] @ qs(filter (\<lambda>y. x<y) xs)"
+(hints recdef_simp: less_Suc_eq_le)
+(*<*)local(*>*)
+text{*\noindent
+This time everything works fine. Now @{thm[source]qs.simps} contains precisely
+the stated recursion equations for @{text qs} and they have become
+simplification rules.
+Thus we can automatically prove results such as this one:
+*}
+
+theorem "qs[2,3,0] = qs[3,0,2]"
+apply(simp)
+done
+
+text{*\noindent
+More exciting theorems require induction, which is discussed below.
+
+If the termination proof requires a lemma that is of general use, you can
+turn it permanently into a simplification rule, in which case the above
+\isacommand{hint} is not necessary. But in the case of
+@{thm[source]less_Suc_eq_le} this would be of dubious value.
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Basic.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,454 @@
+theory Basic imports Main begin
+
+lemma conj_rule: "\<lbrakk> P; Q \<rbrakk> \<Longrightarrow> P \<and> (Q \<and> P)"
+apply (rule conjI)
+ apply assumption
+apply (rule conjI)
+ apply assumption
+apply assumption
+done
+
+
+lemma disj_swap: "P | Q \<Longrightarrow> Q | P"
+apply (erule disjE)
+ apply (rule disjI2)
+ apply assumption
+apply (rule disjI1)
+apply assumption
+done
+
+lemma conj_swap: "P \<and> Q \<Longrightarrow> Q \<and> P"
+apply (rule conjI)
+ apply (drule conjunct2)
+ apply assumption
+apply (drule conjunct1)
+apply assumption
+done
+
+lemma imp_uncurry: "P \<longrightarrow> Q \<longrightarrow> R \<Longrightarrow> P \<and> Q \<longrightarrow> R"
+apply (rule impI)
+apply (erule conjE)
+apply (drule mp)
+ apply assumption
+apply (drule mp)
+ apply assumption
+ apply assumption
+done
+
+text {*
+by eliminates uses of assumption and done
+*}
+
+lemma imp_uncurry': "P \<longrightarrow> Q \<longrightarrow> R \<Longrightarrow> P \<and> Q \<longrightarrow> R"
+apply (rule impI)
+apply (erule conjE)
+apply (drule mp)
+ apply assumption
+by (drule mp)
+
+
+text {*
+substitution
+
+@{thm[display] ssubst}
+\rulename{ssubst}
+*}
+
+lemma "\<lbrakk> x = f x; P(f x) \<rbrakk> \<Longrightarrow> P x"
+by (erule ssubst)
+
+text {*
+also provable by simp (re-orients)
+*}
+
+text {*
+the subst method
+
+@{thm[display] mult_commute}
+\rulename{mult_commute}
+
+this would fail:
+apply (simp add: mult_commute)
+*}
+
+
+lemma "\<lbrakk>P x y z; Suc x < y\<rbrakk> \<Longrightarrow> f z = x*y"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*}
+apply (subst mult_commute)
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*}
+oops
+
+(*exercise involving THEN*)
+lemma "\<lbrakk>P x y z; Suc x < y\<rbrakk> \<Longrightarrow> f z = x*y"
+apply (rule mult_commute [THEN ssubst])
+oops
+
+
+lemma "\<lbrakk>x = f x; triple (f x) (f x) x\<rbrakk> \<Longrightarrow> triple x x x"
+apply (erule ssubst)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+back --{* @{subgoals[display,indent=0,margin=65]} *}
+back --{* @{subgoals[display,indent=0,margin=65]} *}
+back --{* @{subgoals[display,indent=0,margin=65]} *}
+back --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+done
+
+lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
+apply (erule ssubst, assumption)
+done
+
+text{*
+or better still
+*}
+
+lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
+by (erule ssubst)
+
+
+lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
+apply (erule_tac P="\<lambda>u. triple u u x" in ssubst)
+apply (assumption)
+done
+
+
+lemma "\<lbrakk> x = f x; triple (f x) (f x) x \<rbrakk> \<Longrightarrow> triple x x x"
+by (erule_tac P="\<lambda>u. triple u u x" in ssubst)
+
+
+text {*
+negation
+
+@{thm[display] notI}
+\rulename{notI}
+
+@{thm[display] notE}
+\rulename{notE}
+
+@{thm[display] classical}
+\rulename{classical}
+
+@{thm[display] contrapos_pp}
+\rulename{contrapos_pp}
+
+@{thm[display] contrapos_pn}
+\rulename{contrapos_pn}
+
+@{thm[display] contrapos_np}
+\rulename{contrapos_np}
+
+@{thm[display] contrapos_nn}
+\rulename{contrapos_nn}
+*}
+
+
+lemma "\<lbrakk>\<not>(P\<longrightarrow>Q); \<not>(R\<longrightarrow>Q)\<rbrakk> \<Longrightarrow> R"
+apply (erule_tac Q="R\<longrightarrow>Q" in contrapos_np)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (intro impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+by (erule notE)
+
+text {*
+@{thm[display] disjCI}
+\rulename{disjCI}
+*}
+
+lemma "(P \<or> Q) \<and> R \<Longrightarrow> P \<or> Q \<and> R"
+apply (intro disjCI conjI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+
+apply (elim conjE disjE)
+ apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+
+by (erule contrapos_np, rule conjI)
+text{*
+proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ {\isadigit{6}}\isanewline
+\isanewline
+goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
+{\isacharparenleft}P\ {\isasymor}\ Q{\isacharparenright}\ {\isasymand}\ R\ {\isasymLongrightarrow}\ P\ {\isasymor}\ Q\ {\isasymand}\ R\isanewline
+\ {\isadigit{1}}{\isachardot}\ {\isasymlbrakk}R{\isacharsemicolon}\ Q{\isacharsemicolon}\ {\isasymnot}\ P{\isasymrbrakk}\ {\isasymLongrightarrow}\ Q\isanewline
+\ {\isadigit{2}}{\isachardot}\ {\isasymlbrakk}R{\isacharsemicolon}\ Q{\isacharsemicolon}\ {\isasymnot}\ P{\isasymrbrakk}\ {\isasymLongrightarrow}\ R
+*}
+
+
+text{*rule_tac, etc.*}
+
+
+lemma "P&Q"
+apply (rule_tac P=P and Q=Q in conjI)
+oops
+
+
+text{*unification failure trace *}
+
+ML "trace_unify_fail := true"
+
+lemma "P(a, f(b, g(e,a), b), a) \<Longrightarrow> P(a, f(b, g(c,a), b), a)"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+apply assumption
+Clash: e =/= c
+
+Clash: == =/= Trueprop
+*}
+oops
+
+lemma "\<forall>x y. P(x,y) --> P(y,x)"
+apply auto
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+apply assumption
+
+Clash: bound variable x (depth 1) =/= bound variable y (depth 0)
+
+Clash: == =/= Trueprop
+Clash: == =/= Trueprop
+*}
+oops
+
+ML "trace_unify_fail := false"
+
+
+text{*Quantifiers*}
+
+text {*
+@{thm[display] allI}
+\rulename{allI}
+
+@{thm[display] allE}
+\rulename{allE}
+
+@{thm[display] spec}
+\rulename{spec}
+*}
+
+lemma "\<forall>x. P x \<longrightarrow> P x"
+apply (rule allI)
+by (rule impI)
+
+lemma "(\<forall>x. P \<longrightarrow> Q x) \<Longrightarrow> P \<longrightarrow> (\<forall>x. Q x)"
+apply (rule impI, rule allI)
+apply (drule spec)
+by (drule mp)
+
+text{*rename_tac*}
+lemma "x < y \<Longrightarrow> \<forall>x y. P x (f y)"
+apply (intro allI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rename_tac v w)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+oops
+
+
+lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
+apply (frule spec)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (drule mp, assumption)
+apply (drule spec)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+by (drule mp)
+
+lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (f x); P a\<rbrakk> \<Longrightarrow> P(f (f a))"
+by blast
+
+
+text{*
+the existential quantifier*}
+
+text {*
+@{thm[display]"exI"}
+\rulename{exI}
+
+@{thm[display]"exE"}
+\rulename{exE}
+*}
+
+
+text{*
+instantiating quantifiers explicitly by rule_tac and erule_tac*}
+
+lemma "\<lbrakk>\<forall>x. P x \<longrightarrow> P (h x); P a\<rbrakk> \<Longrightarrow> P(h (h a))"
+apply (frule spec)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (drule mp, assumption)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (drule_tac x = "h a" in spec)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+by (drule mp)
+
+text {*
+@{thm[display]"dvd_def"}
+\rulename{dvd_def}
+*}
+
+lemma mult_dvd_mono: "\<lbrakk>i dvd m; j dvd n\<rbrakk> \<Longrightarrow> i*j dvd (m*n :: nat)"
+apply (simp add: dvd_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule exE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule exE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rename_tac l)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule_tac x="k*l" in exI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply simp
+done
+
+text{*
+Hilbert-epsilon theorems*}
+
+text{*
+@{thm[display] the_equality[no_vars]}
+\rulename{the_equality}
+
+@{thm[display] some_equality[no_vars]}
+\rulename{some_equality}
+
+@{thm[display] someI[no_vars]}
+\rulename{someI}
+
+@{thm[display] someI2[no_vars]}
+\rulename{someI2}
+
+@{thm[display] someI_ex[no_vars]}
+\rulename{someI_ex}
+
+needed for examples
+
+@{thm[display] inv_def[no_vars]}
+\rulename{inv_def}
+
+@{thm[display] Least_def[no_vars]}
+\rulename{Least_def}
+
+@{thm[display] order_antisym[no_vars]}
+\rulename{order_antisym}
+*}
+
+
+lemma "inv Suc (Suc n) = n"
+by (simp add: inv_def)
+
+text{*but we know nothing about inv Suc 0*}
+
+theorem Least_equality:
+ "\<lbrakk> P (k::nat); \<forall>x. P x \<longrightarrow> k \<le> x \<rbrakk> \<Longrightarrow> (LEAST x. P(x)) = k"
+apply (simp add: Least_def)
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*}
+
+apply (rule the_equality)
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+first subgoal is existence; second is uniqueness
+*}
+by (auto intro: order_antisym)
+
+
+theorem axiom_of_choice:
+ "(\<forall>x. \<exists>y. P x y) \<Longrightarrow> \<exists>f. \<forall>x. P x (f x)"
+apply (rule exI, rule allI)
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+state after intro rules
+*}
+apply (drule spec, erule exE)
+
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+applying @text{someI} automatically instantiates
+@{term f} to @{term "\<lambda>x. SOME y. P x y"}
+*}
+
+by (rule someI)
+
+(*both can be done by blast, which however hasn't been introduced yet*)
+lemma "[| P (k::nat); \<forall>x. P x \<longrightarrow> k \<le> x |] ==> (LEAST x. P(x)) = k"
+apply (simp add: Least_def LeastM_def)
+by (blast intro: some_equality order_antisym)
+
+theorem axiom_of_choice': "(\<forall>x. \<exists>y. P x y) \<Longrightarrow> \<exists>f. \<forall>x. P x (f x)"
+apply (rule exI [of _ "\<lambda>x. SOME y. P x y"])
+by (blast intro: someI)
+
+text{*end of Epsilon section*}
+
+
+lemma "(\<exists>x. P x) \<or> (\<exists>x. Q x) \<Longrightarrow> \<exists>x. P x \<or> Q x"
+apply (elim exE disjE)
+ apply (intro exI disjI1)
+ apply assumption
+apply (intro exI disjI2)
+apply assumption
+done
+
+lemma "(P\<longrightarrow>Q) \<or> (Q\<longrightarrow>P)"
+apply (intro disjCI impI)
+apply (elim notE)
+apply (intro impI)
+apply assumption
+done
+
+lemma "(P\<or>Q)\<and>(P\<or>R) \<Longrightarrow> P \<or> (Q\<and>R)"
+apply (intro disjCI conjI)
+apply (elim conjE disjE)
+apply blast
+apply blast
+apply blast
+apply blast
+(*apply elim*)
+done
+
+lemma "(\<exists>x. P \<and> Q x) \<Longrightarrow> P \<and> (\<exists>x. Q x)"
+apply (erule exE)
+apply (erule conjE)
+apply (rule conjI)
+ apply assumption
+apply (rule exI)
+ apply assumption
+done
+
+lemma "(\<exists>x. P x) \<and> (\<exists>x. Q x) \<Longrightarrow> \<exists>x. P x \<and> Q x"
+apply (erule conjE)
+apply (erule exE)
+apply (erule exE)
+apply (rule exI)
+apply (rule conjI)
+ apply assumption
+oops
+
+lemma "\<forall>y. R y y \<Longrightarrow> \<exists>x. \<forall>y. R x y"
+apply (rule exI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule allI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (drule spec)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+oops
+
+lemma "\<forall>x. \<exists>y. x=y"
+apply (rule allI)
+apply (rule exI)
+apply (rule refl)
+done
+
+lemma "\<exists>x. \<forall>y. x=y"
+apply (rule exI)
+apply (rule allI)
+oops
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Blast.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,37 @@
+theory Blast imports Main begin
+
+lemma "((\<exists>x. \<forall>y. p(x)=p(y)) = ((\<exists>x. q(x))=(\<forall>y. p(y)))) =
+ ((\<exists>x. \<forall>y. q(x)=q(y)) = ((\<exists>x. p(x))=(\<forall>y. q(y))))"
+by blast
+
+text{*\noindent Until now, we have proved everything using only induction and
+simplification. Substantial proofs require more elaborate types of
+inference.*}
+
+lemma "(\<forall>x. honest(x) \<and> industrious(x) \<longrightarrow> healthy(x)) \<and>
+ \<not> (\<exists>x. grocer(x) \<and> healthy(x)) \<and>
+ (\<forall>x. industrious(x) \<and> grocer(x) \<longrightarrow> honest(x)) \<and>
+ (\<forall>x. cyclist(x) \<longrightarrow> industrious(x)) \<and>
+ (\<forall>x. \<not>healthy(x) \<and> cyclist(x) \<longrightarrow> \<not>honest(x))
+ \<longrightarrow> (\<forall>x. grocer(x) \<longrightarrow> \<not>cyclist(x))";
+by blast
+
+lemma "(\<Union>i\<in>I. A(i)) \<inter> (\<Union>j\<in>J. B(j)) =
+ (\<Union>i\<in>I. \<Union>j\<in>J. A(i) \<inter> B(j))"
+by blast
+
+text {*
+@{thm[display] mult_is_0}
+ \rulename{mult_is_0}}
+
+@{thm[display] finite_Un}
+ \rulename{finite_Un}}
+*};
+
+
+lemma [iff]: "(xs@ys = []) = (xs=[] & ys=[])"
+ apply (induct_tac xs)
+ by (simp_all);
+
+(*ideas for uses of intro, etc.: ex/Primes/is_gcd_unique?*)
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Force.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,50 @@
+theory Force imports Main begin
+ (*Use Divides rather than Main to experiment with the first proof.
+ Otherwise, it is done by the nat_divide_cancel_factor simprocs.*)
+
+declare div_mult_self_is_m [simp del];
+
+lemma div_mult_self_is_m:
+ "0<n \<Longrightarrow> (m*n) div n = (m::nat)"
+apply (insert mod_div_equality [of "m*n" n])
+apply simp
+done
+
+
+lemma "(\<forall>x. P x) \<and> (\<exists>x. Q x) \<longrightarrow> (\<forall>x. P x \<and> Q x)"
+apply clarify
+oops
+
+text {*
+proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ {\isadigit{1}}\isanewline
+\isanewline
+goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
+{\isacharparenleft}{\isasymforall}x{\isachardot}\ P\ x{\isacharparenright}\ {\isasymand}\ {\isacharparenleft}{\isasymexists}x{\isachardot}\ Q\ x{\isacharparenright}\ {\isasymlongrightarrow}\ {\isacharparenleft}{\isasymforall}x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\isanewline
+\ {\isadigit{1}}{\isachardot}\ {\isasymAnd}x\ xa{\isachardot}\ {\isasymlbrakk}{\isasymforall}x{\isachardot}\ P\ x{\isacharsemicolon}\ Q\ xa{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ x\ {\isasymand}\ Q\ x
+*};
+
+text {*
+couldn't find a good example of clarsimp
+
+@{thm[display]"someI"}
+\rulename{someI}
+*};
+
+lemma "\<lbrakk>Q a; P a\<rbrakk> \<Longrightarrow> P (SOME x. P x \<and> Q x) \<and> Q (SOME x. P x \<and> Q x)"
+apply (rule someI)
+oops
+
+lemma "\<lbrakk>Q a; P a\<rbrakk> \<Longrightarrow> P (SOME x. P x \<and> Q x) \<and> Q (SOME x. P x \<and> Q x)"
+apply (fast intro!: someI)
+done
+
+text{*
+proof\ {\isacharparenleft}prove{\isacharparenright}{\isacharcolon}\ step\ \isadigit{1}\isanewline
+\isanewline
+goal\ {\isacharparenleft}lemma{\isacharparenright}{\isacharcolon}\isanewline
+{\isasymlbrakk}Q\ a{\isacharsemicolon}\ P\ a{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharparenleft}SOME\ x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\ {\isasymand}\ Q\ {\isacharparenleft}SOME\ x{\isachardot}\ P\ x\ {\isasymand}\ Q\ x{\isacharparenright}\isanewline
+\ \isadigit{1}{\isachardot}\ {\isasymlbrakk}Q\ a{\isacharsemicolon}\ P\ a{\isasymrbrakk}\ {\isasymLongrightarrow}\ P\ {\isacharquery}x\ {\isasymand}\ Q\ {\isacharquery}x
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Forward.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,236 @@
+theory Forward imports Primes begin
+
+text{*\noindent
+Forward proof material: of, OF, THEN, simplify, rule_format.
+*}
+
+text{*\noindent
+SKIP most developments...
+*}
+
+(** Commutativity **)
+
+lemma is_gcd_commute: "is_gcd k m n = is_gcd k n m"
+apply (auto simp add: is_gcd_def);
+done
+
+lemma gcd_commute: "gcd m n = gcd n m"
+apply (rule is_gcd_unique)
+apply (rule is_gcd)
+apply (subst is_gcd_commute)
+apply (simp add: is_gcd)
+done
+
+lemma gcd_1 [simp]: "gcd m (Suc 0) = Suc 0"
+apply simp
+done
+
+lemma gcd_1_left [simp]: "gcd (Suc 0) m = Suc 0"
+apply (simp add: gcd_commute [of "Suc 0"])
+done
+
+text{*\noindent
+as far as HERE.
+*}
+
+text{*\noindent
+SKIP THIS PROOF
+*}
+
+lemma gcd_mult_distrib2: "k * gcd m n = gcd (k*m) (k*n)"
+apply (induct_tac m n rule: gcd.induct)
+apply (case_tac "n=0")
+apply simp
+apply (case_tac "k=0")
+apply simp_all
+done
+
+text {*
+@{thm[display] gcd_mult_distrib2}
+\rulename{gcd_mult_distrib2}
+*};
+
+text{*\noindent
+of, simplified
+*}
+
+
+lemmas gcd_mult_0 = gcd_mult_distrib2 [of k 1];
+lemmas gcd_mult_1 = gcd_mult_0 [simplified];
+
+lemmas where1 = gcd_mult_distrib2 [where m=1]
+
+lemmas where2 = gcd_mult_distrib2 [where m=1 and k=1]
+
+lemmas where3 = gcd_mult_distrib2 [where m=1 and k="j+k"]
+
+text {*
+example using ``of'':
+@{thm[display] gcd_mult_distrib2 [of _ 1]}
+
+example using ``where'':
+@{thm[display] gcd_mult_distrib2 [where m=1]}
+
+example using ``where'', ``and'':
+@{thm[display] gcd_mult_distrib2 [where m=1 and k="j+k"]}
+
+@{thm[display] gcd_mult_0}
+\rulename{gcd_mult_0}
+
+@{thm[display] gcd_mult_1}
+\rulename{gcd_mult_1}
+
+@{thm[display] sym}
+\rulename{sym}
+*};
+
+lemmas gcd_mult0 = gcd_mult_1 [THEN sym];
+ (*not quite right: we need ?k but this gives k*)
+
+lemmas gcd_mult0' = gcd_mult_distrib2 [of k 1, simplified, THEN sym];
+ (*better in one step!*)
+
+text {*
+more legible, and variables properly generalized
+*};
+
+lemma gcd_mult [simp]: "gcd k (k*n) = k"
+by (rule gcd_mult_distrib2 [of k 1, simplified, THEN sym])
+
+
+lemmas gcd_self0 = gcd_mult [of k 1, simplified];
+
+
+text {*
+@{thm[display] gcd_mult}
+\rulename{gcd_mult}
+
+@{thm[display] gcd_self0}
+\rulename{gcd_self0}
+*};
+
+text {*
+Rules handy with THEN
+
+@{thm[display] iffD1}
+\rulename{iffD1}
+
+@{thm[display] iffD2}
+\rulename{iffD2}
+*};
+
+
+text {*
+again: more legible, and variables properly generalized
+*};
+
+lemma gcd_self [simp]: "gcd k k = k"
+by (rule gcd_mult [of k 1, simplified])
+
+
+text{*
+NEXT SECTION: Methods for Forward Proof
+
+NEW
+
+theorem arg_cong, useful in forward steps
+@{thm[display] arg_cong[no_vars]}
+\rulename{arg_cong}
+*}
+
+lemma "2 \<le> u \<Longrightarrow> u*m \<noteq> Suc(u*n)"
+apply (intro notI)
+txt{*
+before using arg_cong
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply (drule_tac f="\<lambda>x. x mod u" in arg_cong)
+txt{*
+after using arg_cong
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply (simp add: mod_Suc)
+done
+
+text{*
+have just used this rule:
+@{thm[display] mod_Suc[no_vars]}
+\rulename{mod_Suc}
+
+@{thm[display] mult_le_mono1[no_vars]}
+\rulename{mult_le_mono1}
+*}
+
+
+text{*
+example of "insert"
+*}
+
+lemma relprime_dvd_mult:
+ "\<lbrakk> gcd k n = 1; k dvd m*n \<rbrakk> \<Longrightarrow> k dvd m"
+apply (insert gcd_mult_distrib2 [of m k n])
+txt{*@{subgoals[display,indent=0,margin=65]}*}
+apply simp
+txt{*@{subgoals[display,indent=0,margin=65]}*}
+apply (erule_tac t="m" in ssubst);
+apply simp
+done
+
+
+text {*
+@{thm[display] relprime_dvd_mult}
+\rulename{relprime_dvd_mult}
+
+Another example of "insert"
+
+@{thm[display] mod_div_equality}
+\rulename{mod_div_equality}
+*};
+
+(*MOVED to Force.thy, which now depends only on Divides.thy
+lemma div_mult_self_is_m: "0<n \<Longrightarrow> (m*n) div n = (m::nat)"
+*)
+
+lemma relprime_dvd_mult_iff: "gcd k n = 1 \<Longrightarrow> (k dvd m*n) = (k dvd m)";
+by (auto intro: relprime_dvd_mult elim: dvdE)
+
+lemma relprime_20_81: "gcd 20 81 = 1";
+by (simp add: gcd.simps)
+
+text {*
+Examples of 'OF'
+
+@{thm[display] relprime_dvd_mult}
+\rulename{relprime_dvd_mult}
+
+@{thm[display] relprime_dvd_mult [OF relprime_20_81]}
+
+@{thm[display] dvd_refl}
+\rulename{dvd_refl}
+
+@{thm[display] dvd_add}
+\rulename{dvd_add}
+
+@{thm[display] dvd_add [OF dvd_refl dvd_refl]}
+
+@{thm[display] dvd_add [OF _ dvd_refl]}
+*};
+
+lemma "\<lbrakk>(z::int) < 37; 66 < 2*z; z*z \<noteq> 1225; Q(34); Q(36)\<rbrakk> \<Longrightarrow> Q(z)";
+apply (subgoal_tac "z = 34 \<or> z = 36")
+txt{*
+the tactic leaves two subgoals:
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply blast
+apply (subgoal_tac "z \<noteq> 35")
+txt{*
+the tactic leaves two subgoals:
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply arith
+apply force
+done
+
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Primes.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,155 @@
+(* EXTRACT from HOL/ex/Primes.thy*)
+
+(*Euclid's algorithm
+ This material now appears AFTER that of Forward.thy *)
+theory Primes imports Main begin
+
+fun gcd :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+ "gcd m n = (if n=0 then m else gcd n (m mod n))"
+
+
+text {*Now in Basic.thy!
+@{thm[display]"dvd_def"}
+\rulename{dvd_def}
+*};
+
+
+(*** Euclid's Algorithm ***)
+
+lemma gcd_0 [simp]: "gcd m 0 = m"
+apply (simp);
+done
+
+lemma gcd_non_0 [simp]: "0<n \<Longrightarrow> gcd m n = gcd n (m mod n)"
+apply (simp)
+done;
+
+declare gcd.simps [simp del];
+
+(*gcd(m,n) divides m and n. The conjunctions don't seem provable separately*)
+lemma gcd_dvd_both: "(gcd m n dvd m) \<and> (gcd m n dvd n)"
+apply (induct_tac m n rule: gcd.induct)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (case_tac "n=0")
+txt{*subgoals after the case tac
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply (simp_all)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+by (blast dest: dvd_mod_imp_dvd)
+
+
+
+text {*
+@{thm[display] dvd_mod_imp_dvd}
+\rulename{dvd_mod_imp_dvd}
+
+@{thm[display] dvd_trans}
+\rulename{dvd_trans}
+*}
+
+lemmas gcd_dvd1 [iff] = gcd_dvd_both [THEN conjunct1]
+lemmas gcd_dvd2 [iff] = gcd_dvd_both [THEN conjunct2];
+
+
+text {*
+\begin{quote}
+@{thm[display] gcd_dvd1}
+\rulename{gcd_dvd1}
+
+@{thm[display] gcd_dvd2}
+\rulename{gcd_dvd2}
+\end{quote}
+*};
+
+(*Maximality: for all m,n,k naturals,
+ if k divides m and k divides n then k divides gcd(m,n)*)
+lemma gcd_greatest [rule_format]:
+ "k dvd m \<longrightarrow> k dvd n \<longrightarrow> k dvd gcd m n"
+apply (induct_tac m n rule: gcd.induct)
+apply (case_tac "n=0")
+txt{*subgoals after the case tac
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply (simp_all add: dvd_mod)
+done
+
+text {*
+@{thm[display] dvd_mod}
+\rulename{dvd_mod}
+*}
+
+(*just checking the claim that case_tac "n" works too*)
+lemma "k dvd m \<longrightarrow> k dvd n \<longrightarrow> k dvd gcd m n"
+apply (induct_tac m n rule: gcd.induct)
+apply (case_tac "n")
+apply (simp_all add: dvd_mod)
+done
+
+
+theorem gcd_greatest_iff [iff]:
+ "(k dvd gcd m n) = (k dvd m \<and> k dvd n)"
+by (blast intro!: gcd_greatest intro: dvd_trans)
+
+
+(**** The material below was omitted from the book ****)
+
+definition is_gcd :: "[nat,nat,nat] \<Rightarrow> bool" where (*gcd as a relation*)
+ "is_gcd p m n == p dvd m \<and> p dvd n \<and>
+ (ALL d. d dvd m \<and> d dvd n \<longrightarrow> d dvd p)"
+
+(*Function gcd yields the Greatest Common Divisor*)
+lemma is_gcd: "is_gcd (gcd m n) m n"
+apply (simp add: is_gcd_def gcd_greatest);
+done
+
+(*uniqueness of GCDs*)
+lemma is_gcd_unique: "\<lbrakk> is_gcd m a b; is_gcd n a b \<rbrakk> \<Longrightarrow> m=n"
+apply (simp add: is_gcd_def);
+apply (blast intro: dvd_antisym)
+done
+
+
+text {*
+@{thm[display] dvd_antisym}
+\rulename{dvd_antisym}
+
+\begin{isabelle}
+proof\ (prove):\ step\ 1\isanewline
+\isanewline
+goal\ (lemma\ is_gcd_unique):\isanewline
+\isasymlbrakk is_gcd\ m\ a\ b;\ is_gcd\ n\ a\ b\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n\isanewline
+\ 1.\ \isasymlbrakk m\ dvd\ a\ \isasymand \ m\ dvd\ b\ \isasymand \ (\isasymforall d.\ d\ dvd\ a\ \isasymand \ d\ dvd\ b\ \isasymlongrightarrow \ d\ dvd\ m);\isanewline
+\ \ \ \ \ \ \ n\ dvd\ a\ \isasymand \ n\ dvd\ b\ \isasymand \ (\isasymforall d.\ d\ dvd\ a\ \isasymand \ d\ dvd\ b\ \isasymlongrightarrow \ d\ dvd\ n)\isasymrbrakk \isanewline
+\ \ \ \ \isasymLongrightarrow \ m\ =\ n
+\end{isabelle}
+*};
+
+lemma gcd_assoc: "gcd (gcd k m) n = gcd k (gcd m n)"
+ apply (rule is_gcd_unique)
+ apply (rule is_gcd)
+ apply (simp add: is_gcd_def);
+ apply (blast intro: dvd_trans);
+ done
+
+text{*
+\begin{isabelle}
+proof\ (prove):\ step\ 3\isanewline
+\isanewline
+goal\ (lemma\ gcd_assoc):\isanewline
+gcd\ (gcd\ (k,\ m),\ n)\ =\ gcd\ (k,\ gcd\ (m,\ n))\isanewline
+\ 1.\ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ k\ \isasymand \isanewline
+\ \ \ \ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ m\ \isasymand \ gcd\ (k,\ gcd\ (m,\ n))\ dvd\ n
+\end{isabelle}
+*}
+
+
+lemma gcd_dvd_gcd_mult: "gcd m n dvd gcd (k*m) n"
+ apply (auto intro: dvd_trans [of _ m])
+ done
+
+(*This is half of the proof (by dvd_antisym) of*)
+lemma gcd_mult_cancel: "gcd k n = 1 \<Longrightarrow> gcd (k*m) n = gcd m n"
+ oops
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/Tacticals.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,58 @@
+theory Tacticals imports Main begin
+
+text{*REPEAT*}
+lemma "\<lbrakk>P\<longrightarrow>Q; Q\<longrightarrow>R; R\<longrightarrow>S; P\<rbrakk> \<Longrightarrow> S"
+apply (drule mp, assumption)
+apply (drule mp, assumption)
+apply (drule mp, assumption)
+apply (assumption)
+done
+
+lemma "\<lbrakk>P\<longrightarrow>Q; Q\<longrightarrow>R; R\<longrightarrow>S; P\<rbrakk> \<Longrightarrow> S"
+by (drule mp, assumption)+
+
+text{*ORELSE with REPEAT*}
+lemma "\<lbrakk>Q\<longrightarrow>R; P\<longrightarrow>Q; x<5\<longrightarrow>P; Suc x < 5\<rbrakk> \<Longrightarrow> R"
+by (drule mp, (assumption|arith))+
+
+text{*exercise: what's going on here?*}
+lemma "\<lbrakk>P\<and>Q\<longrightarrow>R; P\<longrightarrow>Q; P\<rbrakk> \<Longrightarrow> R"
+by (drule mp, (intro conjI)?, assumption+)+
+
+text{*defer and prefer*}
+
+lemma "hard \<and> (P \<or> ~P) \<and> (Q\<longrightarrow>Q)"
+apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
+defer 1 --{* @{subgoals[display,indent=0,margin=65]} *}
+apply blast+ --{* @{subgoals[display,indent=0,margin=65]} *}
+oops
+
+lemma "ok1 \<and> ok2 \<and> doubtful"
+apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
+prefer 3 --{* @{subgoals[display,indent=0,margin=65]} *}
+oops
+
+lemma "bigsubgoal1 \<and> bigsubgoal2 \<and> bigsubgoal3 \<and> bigsubgoal4 \<and> bigsubgoal5 \<and> bigsubgoal6"
+apply (intro conjI) --{* @{subgoals[display,indent=0,margin=65]} *}
+txt{* @{subgoals[display,indent=0,margin=65]}
+A total of 6 subgoals...
+*}
+oops
+
+
+
+(*needed??*)
+
+lemma "(P\<or>Q) \<and> (R\<or>S) \<Longrightarrow> PP"
+apply (elim conjE disjE)
+oops
+
+lemma "((P\<or>Q) \<and> R) \<and> (Q \<and> (P\<or>S)) \<Longrightarrow> PP"
+apply (elim conjE)
+oops
+
+lemma "((P\<or>Q) \<and> R) \<and> (Q \<and> (P\<or>S)) \<Longrightarrow> PP"
+apply (erule conjE)+
+oops
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Rules/find2.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,43 @@
+(*<*)
+theory find2 imports Main begin
+lemma "A \<and> B"
+(*>*)
+
+txt{*\index{finding theorems}\index{searching theorems} In
+\S\ref{sec:find}, we introduced Proof General's \pgmenu{Find} button
+for finding theorems in the database via pattern matching. If we are
+inside a proof, we can be more specific; we can search for introduction,
+elimination and destruction rules \emph{with respect to the current goal}.
+For this purpose, \pgmenu{Find} provides three aditional search criteria:
+\texttt{intro}, \texttt{elim} and \texttt{dest}.
+
+For example, given the goal @{subgoals[display,indent=0,margin=65]}
+you can click on \pgmenu{Find} and type in the search expression
+\texttt{intro}. You will be shown a few rules ending in @{text"\<Longrightarrow> ?P \<and> ?Q"},
+among them @{thm[source]conjI}\@. You may even discover that
+the very theorem you are trying to prove is already in the
+database. Given the goal *}
+(*<*)
+oops
+lemma "A \<longrightarrow> A"
+(*>*)
+txt{*\vspace{-\bigskipamount}
+@{subgoals[display,indent=0,margin=65]}
+the search for \texttt{intro} finds not just @{thm[source] impI}
+but also @{thm[source] imp_refl}: @{thm imp_refl}.
+
+As before, search criteria can be combined freely: for example,
+\begin{ttbox}
+"_ \at\ _" intro
+\end{ttbox}
+searches for all introduction rules that match the current goal and
+mention the @{text"@"} function.
+
+Searching for elimination and destruction rules via \texttt{elim} and
+\texttt{dest} is analogous to \texttt{intro} but takes the assumptions
+into account, too.
+*}
+(*<*)
+oops
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Sets/Examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,254 @@
+theory Examples imports Main "~~/src/HOL/Library/Binomial" begin
+
+declare [[eta_contract = false]]
+
+text{*membership, intersection *}
+text{*difference and empty set*}
+text{*complement, union and universal set*}
+
+lemma "(x \<in> A \<inter> B) = (x \<in> A \<and> x \<in> B)"
+by blast
+
+text{*
+@{thm[display] IntI[no_vars]}
+\rulename{IntI}
+
+@{thm[display] IntD1[no_vars]}
+\rulename{IntD1}
+
+@{thm[display] IntD2[no_vars]}
+\rulename{IntD2}
+*}
+
+lemma "(x \<in> -A) = (x \<notin> A)"
+by blast
+
+text{*
+@{thm[display] Compl_iff[no_vars]}
+\rulename{Compl_iff}
+*}
+
+lemma "- (A \<union> B) = -A \<inter> -B"
+by blast
+
+text{*
+@{thm[display] Compl_Un[no_vars]}
+\rulename{Compl_Un}
+*}
+
+lemma "A-A = {}"
+by blast
+
+text{*
+@{thm[display] Diff_disjoint[no_vars]}
+\rulename{Diff_disjoint}
+*}
+
+
+
+lemma "A \<union> -A = UNIV"
+by blast
+
+text{*
+@{thm[display] Compl_partition[no_vars]}
+\rulename{Compl_partition}
+*}
+
+text{*subset relation*}
+
+
+text{*
+@{thm[display] subsetI[no_vars]}
+\rulename{subsetI}
+
+@{thm[display] subsetD[no_vars]}
+\rulename{subsetD}
+*}
+
+lemma "((A \<union> B) \<subseteq> C) = (A \<subseteq> C \<and> B \<subseteq> C)"
+by blast
+
+text{*
+@{thm[display] Un_subset_iff[no_vars]}
+\rulename{Un_subset_iff}
+*}
+
+lemma "(A \<subseteq> -B) = (B \<subseteq> -A)"
+by blast
+
+lemma "(A <= -B) = (B <= -A)"
+ oops
+
+text{*ASCII version: blast fails because of overloading because
+ it doesn't have to be sets*}
+
+lemma "((A:: 'a set) <= -B) = (B <= -A)"
+by blast
+
+text{*A type constraint lets it work*}
+
+text{*An issue here: how do we discuss the distinction between ASCII and
+symbol notation? Here the latter disambiguates.*}
+
+
+text{*
+set extensionality
+
+@{thm[display] set_eqI[no_vars]}
+\rulename{set_eqI}
+
+@{thm[display] equalityI[no_vars]}
+\rulename{equalityI}
+
+@{thm[display] equalityE[no_vars]}
+\rulename{equalityE}
+*}
+
+
+text{*finite sets: insertion and membership relation*}
+text{*finite set notation*}
+
+lemma "insert x A = {x} \<union> A"
+by blast
+
+text{*
+@{thm[display] insert_is_Un[no_vars]}
+\rulename{insert_is_Un}
+*}
+
+lemma "{a,b} \<union> {c,d} = {a,b,c,d}"
+by blast
+
+lemma "{a,b} \<inter> {b,c} = {b}"
+apply auto
+oops
+text{*fails because it isn't valid*}
+
+lemma "{a,b} \<inter> {b,c} = (if a=c then {a,b} else {b})"
+apply simp
+by blast
+
+text{*or just force or auto. blast alone can't handle the if-then-else*}
+
+text{*next: some comprehension examples*}
+
+lemma "(a \<in> {z. P z}) = P a"
+by blast
+
+text{*
+@{thm[display] mem_Collect_eq[no_vars]}
+\rulename{mem_Collect_eq}
+*}
+
+lemma "{x. x \<in> A} = A"
+by blast
+
+text{*
+@{thm[display] Collect_mem_eq[no_vars]}
+\rulename{Collect_mem_eq}
+*}
+
+lemma "{x. P x \<or> x \<in> A} = {x. P x} \<union> A"
+by blast
+
+lemma "{x. P x \<longrightarrow> Q x} = -{x. P x} \<union> {x. Q x}"
+by blast
+
+definition prime :: "nat set" where
+ "prime == {p. 1<p & (ALL m. m dvd p --> m=1 | m=p)}"
+
+lemma "{p*q | p q. p\<in>prime \<and> q\<in>prime} =
+ {z. \<exists>p q. z = p*q \<and> p\<in>prime \<and> q\<in>prime}"
+by (rule refl)
+
+text{*binders*}
+
+text{*bounded quantifiers*}
+
+lemma "(\<exists>x\<in>A. P x) = (\<exists>x. x\<in>A \<and> P x)"
+by blast
+
+text{*
+@{thm[display] bexI[no_vars]}
+\rulename{bexI}
+*}
+
+text{*
+@{thm[display] bexE[no_vars]}
+\rulename{bexE}
+*}
+
+lemma "(\<forall>x\<in>A. P x) = (\<forall>x. x\<in>A \<longrightarrow> P x)"
+by blast
+
+text{*
+@{thm[display] ballI[no_vars]}
+\rulename{ballI}
+*}
+
+text{*
+@{thm[display] bspec[no_vars]}
+\rulename{bspec}
+*}
+
+text{*indexed unions and variations*}
+
+lemma "(\<Union>x. B x) = (\<Union>x\<in>UNIV. B x)"
+by blast
+
+text{*
+@{thm[display] UN_iff[no_vars]}
+\rulename{UN_iff}
+*}
+
+text{*
+@{thm[display] Union_iff[no_vars]}
+\rulename{Union_iff}
+*}
+
+lemma "(\<Union>x\<in>A. B x) = {y. \<exists>x\<in>A. y \<in> B x}"
+by blast
+
+lemma "\<Union>S = (\<Union>x\<in>S. x)"
+by blast
+
+text{*
+@{thm[display] UN_I[no_vars]}
+\rulename{UN_I}
+*}
+
+text{*
+@{thm[display] UN_E[no_vars]}
+\rulename{UN_E}
+*}
+
+text{*indexed intersections*}
+
+lemma "(\<Inter>x. B x) = {y. \<forall>x. y \<in> B x}"
+by blast
+
+text{*
+@{thm[display] INT_iff[no_vars]}
+\rulename{INT_iff}
+*}
+
+text{*
+@{thm[display] Inter_iff[no_vars]}
+\rulename{Inter_iff}
+*}
+
+text{*mention also card, Pow, etc.*}
+
+
+text{*
+@{thm[display] card_Un_Int[no_vars]}
+\rulename{card_Un_Int}
+
+@{thm[display] card_Pow[no_vars]}
+\rulename{card_Pow}
+
+@{thm[display] n_subsets[no_vars]}
+\rulename{n_subsets}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Sets/Functions.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,143 @@
+theory Functions imports Main begin
+
+
+text{*
+@{thm[display] id_def[no_vars]}
+\rulename{id_def}
+
+@{thm[display] o_def[no_vars]}
+\rulename{o_def}
+
+@{thm[display] o_assoc[no_vars]}
+\rulename{o_assoc}
+*}
+
+text{*
+@{thm[display] fun_upd_apply[no_vars]}
+\rulename{fun_upd_apply}
+
+@{thm[display] fun_upd_upd[no_vars]}
+\rulename{fun_upd_upd}
+*}
+
+
+text{*
+definitions of injective, surjective, bijective
+
+@{thm[display] inj_on_def[no_vars]}
+\rulename{inj_on_def}
+
+@{thm[display] surj_def[no_vars]}
+\rulename{surj_def}
+
+@{thm[display] bij_def[no_vars]}
+\rulename{bij_def}
+*}
+
+
+
+text{*
+possibly interesting theorems about inv
+*}
+
+text{*
+@{thm[display] inv_f_f[no_vars]}
+\rulename{inv_f_f}
+
+@{thm[display] inj_imp_surj_inv[no_vars]}
+\rulename{inj_imp_surj_inv}
+
+@{thm[display] surj_imp_inj_inv[no_vars]}
+\rulename{surj_imp_inj_inv}
+
+@{thm[display] surj_f_inv_f[no_vars]}
+\rulename{surj_f_inv_f}
+
+@{thm[display] bij_imp_bij_inv[no_vars]}
+\rulename{bij_imp_bij_inv}
+
+@{thm[display] inv_inv_eq[no_vars]}
+\rulename{inv_inv_eq}
+
+@{thm[display] o_inv_distrib[no_vars]}
+\rulename{o_inv_distrib}
+*}
+
+text{*
+small sample proof
+
+@{thm[display] ext[no_vars]}
+\rulename{ext}
+
+@{thm[display] fun_eq_iff[no_vars]}
+\rulename{fun_eq_iff}
+*}
+
+lemma "inj f \<Longrightarrow> (f o g = f o h) = (g = h)";
+ apply (simp add: fun_eq_iff inj_on_def)
+ apply (auto)
+ done
+
+text{*
+\begin{isabelle}
+inj\ f\ \isasymLongrightarrow \ (f\ \isasymcirc \ g\ =\ f\ \isasymcirc \ h)\ =\ (g\ =\ h)\isanewline
+\ 1.\ \isasymforall x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow \ x\ =\ y\ \isasymLongrightarrow \isanewline
+\ \ \ \ (\isasymforall x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ (\isasymforall x.\ g\ x\ =\ h\ x)
+\end{isabelle}
+*}
+
+
+text{*image, inverse image*}
+
+text{*
+@{thm[display] image_def[no_vars]}
+\rulename{image_def}
+*}
+
+text{*
+@{thm[display] image_Un[no_vars]}
+\rulename{image_Un}
+*}
+
+text{*
+@{thm[display] image_compose[no_vars]}
+\rulename{image_compose}
+
+@{thm[display] image_Int[no_vars]}
+\rulename{image_Int}
+
+@{thm[display] bij_image_Compl_eq[no_vars]}
+\rulename{bij_image_Compl_eq}
+*}
+
+
+text{*
+illustrates Union as well as image
+*}
+
+lemma "f`A \<union> g`A = (\<Union>x\<in>A. {f x, g x})"
+by blast
+
+lemma "f ` {(x,y). P x y} = {f(x,y) | x y. P x y}"
+by blast
+
+text{*actually a macro!*}
+
+lemma "range f = f`UNIV"
+by blast
+
+
+text{*
+inverse image
+*}
+
+text{*
+@{thm[display] vimage_def[no_vars]}
+\rulename{vimage_def}
+
+@{thm[display] vimage_Compl[no_vars]}
+\rulename{vimage_Compl}
+*}
+
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Sets/Recur.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,80 @@
+theory Recur imports Main begin
+
+
+text{*
+@{thm[display] mono_def[no_vars]}
+\rulename{mono_def}
+
+@{thm[display] monoI[no_vars]}
+\rulename{monoI}
+
+@{thm[display] monoD[no_vars]}
+\rulename{monoD}
+
+@{thm[display] lfp_unfold[no_vars]}
+\rulename{lfp_unfold}
+
+@{thm[display] lfp_induct[no_vars]}
+\rulename{lfp_induct}
+
+@{thm[display] gfp_unfold[no_vars]}
+\rulename{gfp_unfold}
+
+@{thm[display] coinduct[no_vars]}
+\rulename{coinduct}
+*}
+
+text{*\noindent
+A relation $<$ is
+\bfindex{wellfounded} if it has no infinite descending chain $\cdots <
+a@2 < a@1 < a@0$. Clearly, a function definition is total iff the set
+of all pairs $(r,l)$, where $l$ is the argument on the left-hand side
+of an equation and $r$ the argument of some recursive call on the
+corresponding right-hand side, induces a wellfounded relation.
+
+The HOL library formalizes
+some of the theory of wellfounded relations. For example
+@{prop"wf r"}\index{*wf|bold} means that relation @{term[show_types]"r::('a*'a)set"} is
+wellfounded.
+Finally we should mention that HOL already provides the mother of all
+inductions, \textbf{wellfounded
+induction}\indexbold{induction!wellfounded}\index{wellfounded
+induction|see{induction, wellfounded}} (@{thm[source]wf_induct}):
+@{thm[display]wf_induct[no_vars]}
+where @{term"wf r"} means that the relation @{term r} is wellfounded
+
+*}
+
+text{*
+
+@{thm[display] wf_induct[no_vars]}
+\rulename{wf_induct}
+
+@{thm[display] less_than_iff[no_vars]}
+\rulename{less_than_iff}
+
+@{thm[display] inv_image_def[no_vars]}
+\rulename{inv_image_def}
+
+@{thm[display] measure_def[no_vars]}
+\rulename{measure_def}
+
+@{thm[display] wf_less_than[no_vars]}
+\rulename{wf_less_than}
+
+@{thm[display] wf_inv_image[no_vars]}
+\rulename{wf_inv_image}
+
+@{thm[display] wf_measure[no_vars]}
+\rulename{wf_measure}
+
+@{thm[display] lex_prod_def[no_vars]}
+\rulename{lex_prod_def}
+
+@{thm[display] wf_lex_prod[no_vars]}
+\rulename{wf_lex_prod}
+
+*}
+
+end
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Sets/Relations.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,154 @@
+theory Relations imports Main begin
+
+(*Id is only used in UNITY*)
+(*refl, antisym,trans,univalent,\<dots> ho hum*)
+
+text{*
+@{thm[display] Id_def[no_vars]}
+\rulename{Id_def}
+*}
+
+text{*
+@{thm[display] relcomp_unfold[no_vars]}
+\rulename{relcomp_unfold}
+*}
+
+text{*
+@{thm[display] R_O_Id[no_vars]}
+\rulename{R_O_Id}
+*}
+
+text{*
+@{thm[display] relcomp_mono[no_vars]}
+\rulename{relcomp_mono}
+*}
+
+text{*
+@{thm[display] converse_iff[no_vars]}
+\rulename{converse_iff}
+*}
+
+text{*
+@{thm[display] converse_relcomp[no_vars]}
+\rulename{converse_relcomp}
+*}
+
+text{*
+@{thm[display] Image_iff[no_vars]}
+\rulename{Image_iff}
+*}
+
+text{*
+@{thm[display] Image_UN[no_vars]}
+\rulename{Image_UN}
+*}
+
+text{*
+@{thm[display] Domain_iff[no_vars]}
+\rulename{Domain_iff}
+*}
+
+text{*
+@{thm[display] Range_iff[no_vars]}
+\rulename{Range_iff}
+*}
+
+text{*
+@{thm[display] relpow.simps[no_vars]}
+\rulename{relpow.simps}
+
+@{thm[display] rtrancl_refl[no_vars]}
+\rulename{rtrancl_refl}
+
+@{thm[display] r_into_rtrancl[no_vars]}
+\rulename{r_into_rtrancl}
+
+@{thm[display] rtrancl_trans[no_vars]}
+\rulename{rtrancl_trans}
+
+@{thm[display] rtrancl_induct[no_vars]}
+\rulename{rtrancl_induct}
+
+@{thm[display] rtrancl_idemp[no_vars]}
+\rulename{rtrancl_idemp}
+
+@{thm[display] r_into_trancl[no_vars]}
+\rulename{r_into_trancl}
+
+@{thm[display] trancl_trans[no_vars]}
+\rulename{trancl_trans}
+
+@{thm[display] trancl_into_rtrancl[no_vars]}
+\rulename{trancl_into_rtrancl}
+
+@{thm[display] trancl_converse[no_vars]}
+\rulename{trancl_converse}
+*}
+
+text{*Relations. transitive closure*}
+
+lemma rtrancl_converseD: "(x,y) \<in> (r\<inverse>)\<^sup>* \<Longrightarrow> (y,x) \<in> r\<^sup>*"
+apply (erule rtrancl_induct)
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+ apply (rule rtrancl_refl)
+apply (blast intro: rtrancl_trans)
+done
+
+
+lemma rtrancl_converseI: "(y,x) \<in> r\<^sup>* \<Longrightarrow> (x,y) \<in> (r\<inverse>)\<^sup>*"
+apply (erule rtrancl_induct)
+ apply (rule rtrancl_refl)
+apply (blast intro: rtrancl_trans)
+done
+
+lemma rtrancl_converse: "(r\<inverse>)\<^sup>* = (r\<^sup>*)\<inverse>"
+by (auto intro: rtrancl_converseI dest: rtrancl_converseD)
+
+lemma rtrancl_converse: "(r\<inverse>)\<^sup>* = (r\<^sup>*)\<inverse>"
+apply (intro equalityI subsetI)
+txt{*
+after intro rules
+
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply clarify
+txt{*
+after splitting
+@{subgoals[display,indent=0,margin=65]}
+*};
+oops
+
+
+lemma "(\<forall>u v. (u,v) \<in> A \<longrightarrow> u=v) \<Longrightarrow> A \<subseteq> Id"
+apply (rule subsetI)
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+after subsetI
+*};
+apply clarify
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+
+subgoals after clarify
+*};
+by blast
+
+
+
+
+text{*rejects*}
+
+lemma "(a \<in> {z. P z} \<union> {y. Q y}) = P a \<or> Q a"
+apply (blast)
+done
+
+text{*Pow, Inter too little used*}
+
+lemma "(A \<subset> B) = (A \<subseteq> B \<and> A \<noteq> B)"
+apply (simp add: psubset_eq)
+done
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/ToyList/ToyList.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,368 @@
+theory ToyList
+imports Datatype
+begin
+
+(*<*)
+ML {*
+ let
+ val texts =
+ map (File.read o Path.append (Thy_Load.master_directory @{theory}) o Path.explode)
+ ["ToyList1", "ToyList2"];
+ val trs = Outer_Syntax.parse Position.start (implode texts);
+ in @{assert} (Toplevel.is_toplevel (fold Toplevel.command trs Toplevel.toplevel)) end;
+*}
+(*>*)
+
+text{*\noindent
+HOL already has a predefined theory of lists called @{text List} ---
+@{text ToyList} is merely a small fragment of it chosen as an example. In
+contrast to what is recommended in \S\ref{sec:Basic:Theories},
+@{text ToyList} is not based on @{text Main} but on @{text Datatype}, a
+theory that contains pretty much everything but lists, thus avoiding
+ambiguities caused by defining lists twice.
+*}
+
+datatype 'a list = Nil ("[]")
+ | Cons 'a "'a list" (infixr "#" 65);
+
+text{*\noindent
+The datatype\index{datatype@\isacommand {datatype} (command)}
+\tydx{list} introduces two
+constructors \cdx{Nil} and \cdx{Cons}, the
+empty~list and the operator that adds an element to the front of a list. For
+example, the term \isa{Cons True (Cons False Nil)} is a value of
+type @{typ"bool list"}, namely the list with the elements @{term"True"} and
+@{term"False"}. Because this notation quickly becomes unwieldy, the
+datatype declaration is annotated with an alternative syntax: instead of
+@{term[source]Nil} and \isa{Cons x xs} we can write
+@{term"[]"}\index{$HOL2list@\isa{[]}|bold} and
+@{term"x # xs"}\index{$HOL2list@\isa{\#}|bold}. In fact, this
+alternative syntax is the familiar one. Thus the list \isa{Cons True
+(Cons False Nil)} becomes @{term"True # False # []"}. The annotation
+\isacommand{infixr}\index{infixr@\isacommand{infixr} (annotation)}
+means that @{text"#"} associates to
+the right: the term @{term"x # y # z"} is read as @{text"x # (y # z)"}
+and not as @{text"(x # y) # z"}.
+The @{text 65} is the priority of the infix @{text"#"}.
+
+\begin{warn}
+ Syntax annotations can be powerful, but they are difficult to master and
+ are never necessary. You
+ could drop them from theory @{text"ToyList"} and go back to the identifiers
+ @{term[source]Nil} and @{term[source]Cons}. Novices should avoid using
+ syntax annotations in their own theories.
+\end{warn}
+Next, two functions @{text"app"} and \cdx{rev} are defined recursively,
+in this order, because Isabelle insists on definition before use:
+*}
+
+primrec app :: "'a list \<Rightarrow> 'a list \<Rightarrow> 'a list" (infixr "@" 65) where
+"[] @ ys = ys" |
+"(x # xs) @ ys = x # (xs @ ys)"
+
+primrec rev :: "'a list \<Rightarrow> 'a list" where
+"rev [] = []" |
+"rev (x # xs) = (rev xs) @ (x # [])"
+
+text{*\noindent
+Each function definition is of the form
+\begin{center}
+\isacommand{primrec} \textit{name} @{text"::"} \textit{type} \textit{(optional syntax)} \isakeyword{where} \textit{equations}
+\end{center}
+The equations must be separated by @{text"|"}.
+%
+Function @{text"app"} is annotated with concrete syntax. Instead of the
+prefix syntax @{text"app xs ys"} the infix
+@{term"xs @ ys"}\index{$HOL2list@\isa{\at}|bold} becomes the preferred
+form.
+
+\index{*rev (constant)|(}\index{append function|(}
+The equations for @{text"app"} and @{term"rev"} hardly need comments:
+@{text"app"} appends two lists and @{term"rev"} reverses a list. The
+keyword \commdx{primrec} indicates that the recursion is
+of a particularly primitive kind where each recursive call peels off a datatype
+constructor from one of the arguments. Thus the
+recursion always terminates, i.e.\ the function is \textbf{total}.
+\index{functions!total}
+
+The termination requirement is absolutely essential in HOL, a logic of total
+functions. If we were to drop it, inconsistencies would quickly arise: the
+``definition'' $f(n) = f(n)+1$ immediately leads to $0 = 1$ by subtracting
+$f(n)$ on both sides.
+% However, this is a subtle issue that we cannot discuss here further.
+
+\begin{warn}
+ As we have indicated, the requirement for total functions is an essential characteristic of HOL\@. It is only
+ because of totality that reasoning in HOL is comparatively easy. More
+ generally, the philosophy in HOL is to refrain from asserting arbitrary axioms (such as
+ function definitions whose totality has not been proved) because they
+ quickly lead to inconsistencies. Instead, fixed constructs for introducing
+ types and functions are offered (such as \isacommand{datatype} and
+ \isacommand{primrec}) which are guaranteed to preserve consistency.
+\end{warn}
+
+\index{syntax}%
+A remark about syntax. The textual definition of a theory follows a fixed
+syntax with keywords like \isacommand{datatype} and \isacommand{end}.
+% (see Fig.~\ref{fig:keywords} in Appendix~\ref{sec:Appendix} for a full list).
+Embedded in this syntax are the types and formulae of HOL, whose syntax is
+extensible (see \S\ref{sec:concrete-syntax}), e.g.\ by new user-defined infix operators.
+To distinguish the two levels, everything
+HOL-specific (terms and types) should be enclosed in
+\texttt{"}\dots\texttt{"}.
+To lessen this burden, quotation marks around a single identifier can be
+dropped, unless the identifier happens to be a keyword, for example
+\isa{"end"}.
+When Isabelle prints a syntax error message, it refers to the HOL syntax as
+the \textbf{inner syntax} and the enclosing theory language as the \textbf{outer syntax}.
+
+Comments\index{comment} must be in enclosed in \texttt{(* }and\texttt{ *)}.
+
+\section{Evaluation}
+\index{evaluation}
+
+Assuming you have processed the declarations and definitions of
+\texttt{ToyList} presented so far, you may want to test your
+functions by running them. For example, what is the value of
+@{term"rev(True#False#[])"}? Command
+*}
+
+value "rev (True # False # [])"
+
+text{* \noindent yields the correct result @{term"False # True # []"}.
+But we can go beyond mere functional programming and evaluate terms with
+variables in them, executing functions symbolically: *}
+
+value "rev (a # b # c # [])"
+
+text{*\noindent yields @{term"c # b # a # []"}.
+
+\section{An Introductory Proof}
+\label{sec:intro-proof}
+
+Having convinced ourselves (as well as one can by testing) that our
+definitions capture our intentions, we are ready to prove a few simple
+theorems. This will illustrate not just the basic proof commands but
+also the typical proof process.
+
+\subsubsection*{Main Goal.}
+
+Our goal is to show that reversing a list twice produces the original
+list.
+*}
+
+theorem rev_rev [simp]: "rev(rev xs) = xs";
+
+txt{*\index{theorem@\isacommand {theorem} (command)|bold}%
+\noindent
+This \isacommand{theorem} command does several things:
+\begin{itemize}
+\item
+It establishes a new theorem to be proved, namely @{prop"rev(rev xs) = xs"}.
+\item
+It gives that theorem the name @{text"rev_rev"}, for later reference.
+\item
+It tells Isabelle (via the bracketed attribute \attrdx{simp}) to take the eventual theorem as a simplification rule: future proofs involving
+simplification will replace occurrences of @{term"rev(rev xs)"} by
+@{term"xs"}.
+\end{itemize}
+The name and the simplification attribute are optional.
+Isabelle's response is to print the initial proof state consisting
+of some header information (like how many subgoals there are) followed by
+@{subgoals[display,indent=0]}
+For compactness reasons we omit the header in this tutorial.
+Until we have finished a proof, the \rmindex{proof state} proper
+always looks like this:
+\begin{isabelle}
+~1.~$G\sb{1}$\isanewline
+~~\vdots~~\isanewline
+~$n$.~$G\sb{n}$
+\end{isabelle}
+The numbered lines contain the subgoals $G\sb{1}$, \dots, $G\sb{n}$
+that we need to prove to establish the main goal.\index{subgoals}
+Initially there is only one subgoal, which is identical with the
+main goal. (If you always want to see the main goal as well,
+set the flag \isa{Proof.show_main_goal}\index{*show_main_goal (flag)}
+--- this flag used to be set by default.)
+
+Let us now get back to @{prop"rev(rev xs) = xs"}. Properties of recursively
+defined functions are best established by induction. In this case there is
+nothing obvious except induction on @{term"xs"}:
+*}
+
+apply(induct_tac xs);
+
+txt{*\noindent\index{*induct_tac (method)}%
+This tells Isabelle to perform induction on variable @{term"xs"}. The suffix
+@{term"tac"} stands for \textbf{tactic},\index{tactics}
+a synonym for ``theorem proving function''.
+By default, induction acts on the first subgoal. The new proof state contains
+two subgoals, namely the base case (@{term[source]Nil}) and the induction step
+(@{term[source]Cons}):
+@{subgoals[display,indent=0,margin=65]}
+
+The induction step is an example of the general format of a subgoal:\index{subgoals}
+\begin{isabelle}
+~$i$.~{\isasymAnd}$x\sb{1}$~\dots$x\sb{n}$.~{\it assumptions}~{\isasymLongrightarrow}~{\it conclusion}
+\end{isabelle}\index{$IsaAnd@\isasymAnd|bold}
+The prefix of bound variables \isasymAnd$x\sb{1}$~\dots~$x\sb{n}$ can be
+ignored most of the time, or simply treated as a list of variables local to
+this subgoal. Their deeper significance is explained in Chapter~\ref{chap:rules}.
+The {\it assumptions}\index{assumptions!of subgoal}
+are the local assumptions for this subgoal and {\it
+ conclusion}\index{conclusion!of subgoal} is the actual proposition to be proved.
+Typical proof steps
+that add new assumptions are induction and case distinction. In our example
+the only assumption is the induction hypothesis @{term"rev (rev list) =
+ list"}, where @{term"list"} is a variable name chosen by Isabelle. If there
+are multiple assumptions, they are enclosed in the bracket pair
+\indexboldpos{\isasymlbrakk}{$Isabrl} and
+\indexboldpos{\isasymrbrakk}{$Isabrr} and separated by semicolons.
+
+Let us try to solve both goals automatically:
+*}
+
+apply(auto);
+
+txt{*\noindent
+This command tells Isabelle to apply a proof strategy called
+@{text"auto"} to all subgoals. Essentially, @{text"auto"} tries to
+simplify the subgoals. In our case, subgoal~1 is solved completely (thanks
+to the equation @{prop"rev [] = []"}) and disappears; the simplified version
+of subgoal~2 becomes the new subgoal~1:
+@{subgoals[display,indent=0,margin=70]}
+In order to simplify this subgoal further, a lemma suggests itself.
+*}
+(*<*)
+oops
+(*>*)
+
+subsubsection{*First Lemma*}
+
+text{*
+\indexbold{abandoning a proof}\indexbold{proofs!abandoning}
+After abandoning the above proof attempt (at the shell level type
+\commdx{oops}) we start a new proof:
+*}
+
+lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
+
+txt{*\noindent The keywords \commdx{theorem} and
+\commdx{lemma} are interchangeable and merely indicate
+the importance we attach to a proposition. Therefore we use the words
+\emph{theorem} and \emph{lemma} pretty much interchangeably, too.
+
+There are two variables that we could induct on: @{term"xs"} and
+@{term"ys"}. Because @{text"@"} is defined by recursion on
+the first argument, @{term"xs"} is the correct one:
+*}
+
+apply(induct_tac xs);
+
+txt{*\noindent
+This time not even the base case is solved automatically:
+*}
+
+apply(auto);
+
+txt{*
+@{subgoals[display,indent=0,goals_limit=1]}
+Again, we need to abandon this proof attempt and prove another simple lemma
+first. In the future the step of abandoning an incomplete proof before
+embarking on the proof of a lemma usually remains implicit.
+*}
+(*<*)
+oops
+(*>*)
+
+subsubsection{*Second Lemma*}
+
+text{*
+We again try the canonical proof procedure:
+*}
+
+lemma app_Nil2 [simp]: "xs @ [] = xs";
+apply(induct_tac xs);
+apply(auto);
+
+txt{*
+\noindent
+It works, yielding the desired message @{text"No subgoals!"}:
+@{goals[display,indent=0]}
+We still need to confirm that the proof is now finished:
+*}
+
+done
+
+text{*\noindent
+As a result of that final \commdx{done}, Isabelle associates the lemma just proved
+with its name. In this tutorial, we sometimes omit to show that final \isacommand{done}
+if it is obvious from the context that the proof is finished.
+
+% Instead of \isacommand{apply} followed by a dot, you can simply write
+% \isacommand{by}\indexbold{by}, which we do most of the time.
+Notice that in lemma @{thm[source]app_Nil2},
+as printed out after the final \isacommand{done}, the free variable @{term"xs"} has been
+replaced by the unknown @{text"?xs"}, just as explained in
+\S\ref{sec:variables}.
+
+Going back to the proof of the first lemma
+*}
+
+lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
+apply(induct_tac xs);
+apply(auto);
+
+txt{*
+\noindent
+we find that this time @{text"auto"} solves the base case, but the
+induction step merely simplifies to
+@{subgoals[display,indent=0,goals_limit=1]}
+Now we need to remember that @{text"@"} associates to the right, and that
+@{text"#"} and @{text"@"} have the same priority (namely the @{text"65"}
+in their \isacommand{infixr} annotation). Thus the conclusion really is
+\begin{isabelle}
+~~~~~(rev~ys~@~rev~list)~@~(a~\#~[])~=~rev~ys~@~(rev~list~@~(a~\#~[]))
+\end{isabelle}
+and the missing lemma is associativity of @{text"@"}.
+*}
+(*<*)oops(*>*)
+
+subsubsection{*Third Lemma*}
+
+text{*
+Abandoning the previous attempt, the canonical proof procedure
+succeeds without further ado.
+*}
+
+lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)";
+apply(induct_tac xs);
+apply(auto);
+done
+
+text{*
+\noindent
+Now we can prove the first lemma:
+*}
+
+lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)";
+apply(induct_tac xs);
+apply(auto);
+done
+
+text{*\noindent
+Finally, we prove our main theorem:
+*}
+
+theorem rev_rev [simp]: "rev(rev xs) = xs";
+apply(induct_tac xs);
+apply(auto);
+done
+
+text{*\noindent
+The final \commdx{end} tells Isabelle to close the current theory because
+we are finished with its development:%
+\index{*rev (constant)|)}\index{append function|)}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/ToyList/ToyList1 Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,16 @@
+theory ToyList
+imports Datatype
+begin
+
+datatype 'a list = Nil ("[]")
+ | Cons 'a "'a list" (infixr "#" 65)
+
+(* This is the append function: *)
+primrec app :: "'a list => 'a list => 'a list" (infixr "@" 65)
+where
+"[] @ ys = ys" |
+"(x # xs) @ ys = x # (xs @ ys)"
+
+primrec rev :: "'a list => 'a list" where
+"rev [] = []" |
+"rev (x # xs) = (rev xs) @ (x # [])"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/ToyList/ToyList2 Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,21 @@
+lemma app_Nil2 [simp]: "xs @ [] = xs"
+apply(induct_tac xs)
+apply(auto)
+done
+
+lemma app_assoc [simp]: "(xs @ ys) @ zs = xs @ (ys @ zs)"
+apply(induct_tac xs)
+apply(auto)
+done
+
+lemma rev_app [simp]: "rev(xs @ ys) = (rev ys) @ (rev xs)"
+apply(induct_tac xs)
+apply(auto)
+done
+
+theorem rev_rev [simp]: "rev(rev xs) = xs"
+apply(induct_tac xs)
+apply(auto)
+done
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Trie/Trie.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,245 @@
+(*<*)
+theory Trie imports Main begin;
+(*>*)
+text{*
+To minimize running time, each node of a trie should contain an array that maps
+letters to subtries. We have chosen a
+representation where the subtries are held in an association list, i.e.\ a
+list of (letter,trie) pairs. Abstracting over the alphabet @{typ"'a"} and the
+values @{typ"'v"} we define a trie as follows:
+*};
+
+datatype ('a,'v)trie = Trie "'v option" "('a * ('a,'v)trie)list";
+
+text{*\noindent
+\index{datatypes!and nested recursion}%
+The first component is the optional value, the second component the
+association list of subtries. This is an example of nested recursion involving products,
+which is fine because products are datatypes as well.
+We define two selector functions:
+*};
+
+primrec "value" :: "('a,'v)trie \<Rightarrow> 'v option" where
+"value(Trie ov al) = ov"
+primrec alist :: "('a,'v)trie \<Rightarrow> ('a * ('a,'v)trie)list" where
+"alist(Trie ov al) = al"
+
+text{*\noindent
+Association lists come with a generic lookup function. Its result
+involves type @{text option} because a lookup can fail:
+*};
+
+primrec assoc :: "('key * 'val)list \<Rightarrow> 'key \<Rightarrow> 'val option" where
+"assoc [] x = None" |
+"assoc (p#ps) x =
+ (let (a,b) = p in if a=x then Some b else assoc ps x)"
+
+text{*
+Now we can define the lookup function for tries. It descends into the trie
+examining the letters of the search string one by one. As
+recursion on lists is simpler than on tries, let us express this as primitive
+recursion on the search string argument:
+*};
+
+primrec lookup :: "('a,'v)trie \<Rightarrow> 'a list \<Rightarrow> 'v option" where
+"lookup t [] = value t" |
+"lookup t (a#as) = (case assoc (alist t) a of
+ None \<Rightarrow> None
+ | Some at \<Rightarrow> lookup at as)"
+
+text{*
+As a first simple property we prove that looking up a string in the empty
+trie @{term"Trie None []"} always returns @{const None}. The proof merely
+distinguishes the two cases whether the search string is empty or not:
+*};
+
+lemma [simp]: "lookup (Trie None []) as = None";
+apply(case_tac as, simp_all);
+done
+
+text{*
+Things begin to get interesting with the definition of an update function
+that adds a new (string, value) pair to a trie, overwriting the old value
+associated with that string:
+*};
+
+primrec update:: "('a,'v)trie \<Rightarrow> 'a list \<Rightarrow> 'v \<Rightarrow> ('a,'v)trie" where
+"update t [] v = Trie (Some v) (alist t)" |
+"update t (a#as) v =
+ (let tt = (case assoc (alist t) a of
+ None \<Rightarrow> Trie None [] | Some at \<Rightarrow> at)
+ in Trie (value t) ((a,update tt as v) # alist t))"
+
+text{*\noindent
+The base case is obvious. In the recursive case the subtrie
+@{term tt} associated with the first letter @{term a} is extracted,
+recursively updated, and then placed in front of the association list.
+The old subtrie associated with @{term a} is still in the association list
+but no longer accessible via @{const assoc}. Clearly, there is room here for
+optimizations!
+
+Before we start on any proofs about @{const update} we tell the simplifier to
+expand all @{text let}s and to split all @{text case}-constructs over
+options:
+*};
+
+declare Let_def[simp] option.split[split]
+
+text{*\noindent
+The reason becomes clear when looking (probably after a failed proof
+attempt) at the body of @{const update}: it contains both
+@{text let} and a case distinction over type @{text option}.
+
+Our main goal is to prove the correct interaction of @{const update} and
+@{const lookup}:
+*};
+
+theorem "\<forall>t v bs. lookup (update t as v) bs =
+ (if as=bs then Some v else lookup t bs)";
+
+txt{*\noindent
+Our plan is to induct on @{term as}; hence the remaining variables are
+quantified. From the definitions it is clear that induction on either
+@{term as} or @{term bs} is required. The choice of @{term as} is
+guided by the intuition that simplification of @{const lookup} might be easier
+if @{const update} has already been simplified, which can only happen if
+@{term as} is instantiated.
+The start of the proof is conventional:
+*};
+apply(induct_tac as, auto);
+
+txt{*\noindent
+Unfortunately, this time we are left with three intimidating looking subgoals:
+\begin{isabelle}
+~1.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
+~2.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs\isanewline
+~3.~\dots~{\isasymLongrightarrow}~lookup~\dots~bs~=~lookup~t~bs
+\end{isabelle}
+Clearly, if we want to make headway we have to instantiate @{term bs} as
+well now. It turns out that instead of induction, case distinction
+suffices:
+*};
+apply(case_tac[!] bs, auto);
+done
+
+text{*\noindent
+\index{subgoal numbering}%
+All methods ending in @{text tac} take an optional first argument that
+specifies the range of subgoals they are applied to, where @{text"[!]"} means
+all subgoals, i.e.\ @{text"[1-3]"} in our case. Individual subgoal numbers,
+e.g. @{text"[2]"} are also allowed.
+
+This proof may look surprisingly straightforward. However, note that this
+comes at a cost: the proof script is unreadable because the intermediate
+proof states are invisible, and we rely on the (possibly brittle) magic of
+@{text auto} (@{text simp_all} will not do --- try it) to split the subgoals
+of the induction up in such a way that case distinction on @{term bs} makes
+sense and solves the proof.
+
+\begin{exercise}
+ Modify @{const update} (and its type) such that it allows both insertion and
+ deletion of entries with a single function. Prove the corresponding version
+ of the main theorem above.
+ Optimize your function such that it shrinks tries after
+ deletion if possible.
+\end{exercise}
+
+\begin{exercise}
+ Write an improved version of @{const update} that does not suffer from the
+ space leak (pointed out above) caused by not deleting overwritten entries
+ from the association list. Prove the main theorem for your improved
+ @{const update}.
+\end{exercise}
+
+\begin{exercise}
+ Conceptually, each node contains a mapping from letters to optional
+ subtries. Above we have implemented this by means of an association
+ list. Replay the development replacing @{typ "('a * ('a,'v)trie)list"}
+ with @{typ"'a \<Rightarrow> ('a,'v)trie option"}.
+\end{exercise}
+
+*};
+
+(*<*)
+
+(* Exercise 1. Solution by Getrud Bauer *)
+
+primrec update1 :: "('a, 'v) trie \<Rightarrow> 'a list \<Rightarrow> 'v option \<Rightarrow> ('a, 'v) trie"
+where
+ "update1 t [] vo = Trie vo (alist t)" |
+ "update1 t (a#as) vo =
+ (let tt = (case assoc (alist t) a of
+ None \<Rightarrow> Trie None []
+ | Some at \<Rightarrow> at)
+ in Trie (value t) ((a, update1 tt as vo) # alist t))"
+
+theorem [simp]: "\<forall>t v bs. lookup (update1 t as v) bs =
+ (if as = bs then v else lookup t bs)";
+apply (induct_tac as, auto);
+apply (case_tac[!] bs, auto);
+done
+
+
+(* Exercise 2. Solution by Getrud Bauer *)
+
+primrec overwrite :: "'a \<Rightarrow> 'b \<Rightarrow> ('a * 'b) list \<Rightarrow> ('a * 'b) list" where
+"overwrite a v [] = [(a,v)]" |
+"overwrite a v (p#ps) = (if a = fst p then (a,v)#ps else p # overwrite a v ps)"
+
+lemma [simp]: "\<forall> a v b. assoc (overwrite a v ps) b = assoc ((a,v)#ps) b"
+apply (induct_tac ps, auto)
+apply (case_tac[!] a)
+done
+
+primrec update2 :: "('a, 'v) trie \<Rightarrow> 'a list \<Rightarrow> 'v option \<Rightarrow> ('a, 'v) trie"
+where
+ "update2 t [] vo = Trie vo (alist t)" |
+ "update2 t (a#as) vo =
+ (let tt = (case assoc (alist t) a of
+ None \<Rightarrow> Trie None []
+ | Some at \<Rightarrow> at)
+ in Trie (value t) (overwrite a (update2 tt as vo) (alist t)))";
+
+theorem "\<forall>t v bs. lookup (update2 t as vo) bs =
+ (if as = bs then vo else lookup t bs)";
+apply (induct_tac as, auto);
+apply (case_tac[!] bs, auto);
+done
+
+
+(* Exercise 3. Solution by Getrud Bauer *)
+datatype ('a,'v) triem = Triem "'v option" "'a \<Rightarrow> ('a,'v) triem option";
+
+primrec valuem :: "('a, 'v) triem \<Rightarrow> 'v option" where
+"valuem (Triem ov m) = ov"
+
+primrec mapping :: "('a,'v) triem \<Rightarrow> 'a \<Rightarrow> ('a, 'v) triem option" where
+"mapping (Triem ov m) = m"
+
+primrec lookupm :: "('a,'v) triem \<Rightarrow> 'a list \<Rightarrow> 'v option" where
+ "lookupm t [] = valuem t" |
+ "lookupm t (a#as) = (case mapping t a of
+ None \<Rightarrow> None
+ | Some at \<Rightarrow> lookupm at as)";
+
+lemma [simp]: "lookupm (Triem None (\<lambda>c. None)) as = None";
+apply (case_tac as, simp_all);
+done
+
+primrec updatem :: "('a,'v)triem \<Rightarrow> 'a list \<Rightarrow> 'v \<Rightarrow> ('a,'v)triem" where
+ "updatem t [] v = Triem (Some v) (mapping t)" |
+ "updatem t (a#as) v =
+ (let tt = (case mapping t a of
+ None \<Rightarrow> Triem None (\<lambda>c. None)
+ | Some at \<Rightarrow> at)
+ in Triem (valuem t)
+ (\<lambda>c. if c = a then Some (updatem tt as v) else mapping t c))";
+
+theorem "\<forall>t v bs. lookupm (updatem t as v) bs =
+ (if as = bs then Some v else lookupm t bs)";
+apply (induct_tac as, auto);
+apply (case_tac[!] bs, auto);
+done
+
+end;
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Axioms.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,261 @@
+(*<*)theory Axioms imports Overloading Setup begin(*>*)
+
+subsection {* Axioms *}
+
+text {* Attaching axioms to our classes lets us reason on the level of
+classes. The results will be applicable to all types in a class, just
+as in axiomatic mathematics.
+
+\begin{warn}
+Proofs in this section use structured \emph{Isar} proofs, which are not
+covered in this tutorial; but see \cite{Nipkow-TYPES02}.%
+\end{warn} *}
+
+subsubsection {* Semigroups *}
+
+text{* We specify \emph{semigroups} as subclass of @{class plus}: *}
+
+class semigroup = plus +
+ assumes assoc: "(x \<oplus> y) \<oplus> z = x \<oplus> (y \<oplus> z)"
+
+text {* \noindent This @{command class} specification requires that
+all instances of @{class semigroup} obey @{fact "assoc:"}~@{prop
+[source] "\<And>x y z \<Colon> 'a\<Colon>semigroup. (x \<oplus> y) \<oplus> z = x \<oplus> (y \<oplus> z)"}.
+
+We can use this class axiom to derive further abstract theorems
+relative to class @{class semigroup}: *}
+
+lemma assoc_left:
+ fixes x y z :: "'a\<Colon>semigroup"
+ shows "x \<oplus> (y \<oplus> z) = (x \<oplus> y) \<oplus> z"
+ using assoc by (rule sym)
+
+text {* \noindent The @{class semigroup} constraint on type @{typ
+"'a"} restricts instantiations of @{typ "'a"} to types of class
+@{class semigroup} and during the proof enables us to use the fact
+@{fact assoc} whose type parameter is itself constrained to class
+@{class semigroup}. The main advantage of classes is that theorems
+can be proved in the abstract and freely reused for each instance.
+
+On instantiation, we have to give a proof that the given operations
+obey the class axioms: *}
+
+instantiation nat :: semigroup
+begin
+
+instance proof
+
+txt {* \noindent The proof opens with a default proof step, which for
+instance judgements invokes method @{method intro_classes}. *}
+
+
+ fix m n q :: nat
+ show "(m \<oplus> n) \<oplus> q = m \<oplus> (n \<oplus> q)"
+ by (induct m) simp_all
+qed
+
+end
+
+text {* \noindent Again, the interesting things enter the stage with
+parametric types: *}
+
+instantiation prod :: (semigroup, semigroup) semigroup
+begin
+
+instance proof
+ fix p\<^isub>1 p\<^isub>2 p\<^isub>3 :: "'a\<Colon>semigroup \<times> 'b\<Colon>semigroup"
+ show "p\<^isub>1 \<oplus> p\<^isub>2 \<oplus> p\<^isub>3 = p\<^isub>1 \<oplus> (p\<^isub>2 \<oplus> p\<^isub>3)"
+ by (cases p\<^isub>1, cases p\<^isub>2, cases p\<^isub>3) (simp add: assoc)
+
+txt {* \noindent Associativity of product semigroups is established
+using the hypothetical associativity @{fact assoc} of the type
+components, which holds due to the @{class semigroup} constraints
+imposed on the type components by the @{command instance} proposition.
+Indeed, this pattern often occurs with parametric types and type
+classes. *}
+
+qed
+
+end
+
+subsubsection {* Monoids *}
+
+text {* We define a subclass @{text monoidl} (a semigroup with a
+left-hand neutral) by extending @{class semigroup} with one additional
+parameter @{text neutral} together with its property: *}
+
+class monoidl = semigroup +
+ fixes neutral :: "'a" ("\<zero>")
+ assumes neutl: "\<zero> \<oplus> x = x"
+
+text {* \noindent Again, we prove some instances, by providing
+suitable parameter definitions and proofs for the additional
+specifications. *}
+
+instantiation nat :: monoidl
+begin
+
+definition
+ neutral_nat_def: "\<zero> = (0\<Colon>nat)"
+
+instance proof
+ fix n :: nat
+ show "\<zero> \<oplus> n = n"
+ unfolding neutral_nat_def by simp
+qed
+
+end
+
+text {* \noindent In contrast to the examples above, we here have both
+specification of class operations and a non-trivial instance proof.
+
+This covers products as well:
+*}
+
+instantiation prod :: (monoidl, monoidl) monoidl
+begin
+
+definition
+ neutral_prod_def: "\<zero> = (\<zero>, \<zero>)"
+
+instance proof
+ fix p :: "'a\<Colon>monoidl \<times> 'b\<Colon>monoidl"
+ show "\<zero> \<oplus> p = p"
+ by (cases p) (simp add: neutral_prod_def neutl)
+qed
+
+end
+
+text {* \noindent Fully-fledged monoids are modelled by another
+subclass which does not add new parameters but tightens the
+specification: *}
+
+class monoid = monoidl +
+ assumes neutr: "x \<oplus> \<zero> = x"
+
+text {* \noindent Corresponding instances for @{typ nat} and products
+are left as an exercise to the reader. *}
+
+subsubsection {* Groups *}
+
+text {* \noindent To finish our small algebra example, we add a @{text
+group} class: *}
+
+class group = monoidl +
+ fixes inv :: "'a \<Rightarrow> 'a" ("\<div> _" [81] 80)
+ assumes invl: "\<div> x \<oplus> x = \<zero>"
+
+text {* \noindent We continue with a further example for abstract
+proofs relative to type classes: *}
+
+lemma left_cancel:
+ fixes x y z :: "'a\<Colon>group"
+ shows "x \<oplus> y = x \<oplus> z \<longleftrightarrow> y = z"
+proof
+ assume "x \<oplus> y = x \<oplus> z"
+ then have "\<div> x \<oplus> (x \<oplus> y) = \<div> x \<oplus> (x \<oplus> z)" by simp
+ then have "(\<div> x \<oplus> x) \<oplus> y = (\<div> x \<oplus> x) \<oplus> z" by (simp add: assoc)
+ then show "y = z" by (simp add: invl neutl)
+next
+ assume "y = z"
+ then show "x \<oplus> y = x \<oplus> z" by simp
+qed
+
+text {* \noindent Any @{text "group"} is also a @{text "monoid"}; this
+can be made explicit by claiming an additional subclass relation,
+together with a proof of the logical difference: *}
+
+instance group \<subseteq> monoid
+proof
+ fix x
+ from invl have "\<div> x \<oplus> x = \<zero>" .
+ then have "\<div> x \<oplus> (x \<oplus> \<zero>) = \<div> x \<oplus> x"
+ by (simp add: neutl invl assoc [symmetric])
+ then show "x \<oplus> \<zero> = x" by (simp add: left_cancel)
+qed
+
+text {* \noindent The proof result is propagated to the type system,
+making @{text group} an instance of @{text monoid} by adding an
+additional edge to the graph of subclass relation; see also
+Figure~\ref{fig:subclass}.
+
+\begin{figure}[htbp]
+ \begin{center}
+ \small
+ \unitlength 0.6mm
+ \begin{picture}(40,60)(0,0)
+ \put(20,60){\makebox(0,0){@{text semigroup}}}
+ \put(20,40){\makebox(0,0){@{text monoidl}}}
+ \put(00,20){\makebox(0,0){@{text monoid}}}
+ \put(40,00){\makebox(0,0){@{text group}}}
+ \put(20,55){\vector(0,-1){10}}
+ \put(15,35){\vector(-1,-1){10}}
+ \put(25,35){\vector(1,-3){10}}
+ \end{picture}
+ \hspace{8em}
+ \begin{picture}(40,60)(0,0)
+ \put(20,60){\makebox(0,0){@{text semigroup}}}
+ \put(20,40){\makebox(0,0){@{text monoidl}}}
+ \put(00,20){\makebox(0,0){@{text monoid}}}
+ \put(40,00){\makebox(0,0){@{text group}}}
+ \put(20,55){\vector(0,-1){10}}
+ \put(15,35){\vector(-1,-1){10}}
+ \put(05,15){\vector(3,-1){30}}
+ \end{picture}
+ \caption{Subclass relationship of monoids and groups:
+ before and after establishing the relationship
+ @{text "group \<subseteq> monoid"}; transitive edges are left out.}
+ \label{fig:subclass}
+ \end{center}
+\end{figure}
+*}
+
+subsubsection {* Inconsistencies *}
+
+text {* The reader may be wondering what happens if we attach an
+inconsistent set of axioms to a class. So far we have always avoided
+to add new axioms to HOL for fear of inconsistencies and suddenly it
+seems that we are throwing all caution to the wind. So why is there no
+problem?
+
+The point is that by construction, all type variables in the axioms of
+a \isacommand{class} are automatically constrained with the class
+being defined (as shown for axiom @{thm[source]refl} above). These
+constraints are always carried around and Isabelle takes care that
+they are never lost, unless the type variable is instantiated with a
+type that has been shown to belong to that class. Thus you may be able
+to prove @{prop False} from your axioms, but Isabelle will remind you
+that this theorem has the hidden hypothesis that the class is
+non-empty.
+
+Even if each individual class is consistent, intersections of
+(unrelated) classes readily become inconsistent in practice. Now we
+know this need not worry us. *}
+
+
+subsubsection{* Syntactic Classes and Predefined Overloading *}
+
+text {* In our algebra example, we have started with a \emph{syntactic
+class} @{class plus} which only specifies operations but no axioms; it
+would have been also possible to start immediately with class @{class
+semigroup}, specifying the @{text "\<oplus>"} operation and associativity at
+the same time.
+
+Which approach is more appropriate depends. Usually it is more
+convenient to introduce operations and axioms in the same class: then
+the type checker will automatically insert the corresponding class
+constraints whenever the operations occur, reducing the need of manual
+annotations. However, when operations are decorated with popular
+syntax, syntactic classes can be an option to re-use the syntax in
+different contexts; this is indeed the way most overloaded constants
+in HOL are introduced, of which the most important are listed in
+Table~\ref{tab:overloading} in the appendix. Section
+\ref{sec:numeric-classes} covers a range of corresponding classes
+\emph{with} axioms.
+
+Further note that classes may contain axioms but \emph{no} operations.
+An example is class @{class finite} from theory @{theory Finite_Set}
+which specifies a type to be finite: @{lemma [source] "finite (UNIV \<Colon> 'a\<Colon>finite
+set)" by (fact finite_UNIV)}. *}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Numbers.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,280 @@
+theory Numbers
+imports Complex_Main
+begin
+
+text{*
+
+numeric literals; default simprules; can re-orient
+*}
+
+lemma "2 * m = m + m"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+oops
+
+fun h :: "nat \<Rightarrow> nat" where
+"h i = (if i = 3 then 2 else i)"
+
+text{*
+@{term"h 3 = 2"}
+@{term"h i = i"}
+*}
+
+text{*
+@{thm[display] numeral_1_eq_1[no_vars]}
+\rulename{numeral_1_eq_1}
+
+@{thm[display] add_2_eq_Suc[no_vars]}
+\rulename{add_2_eq_Suc}
+
+@{thm[display] add_2_eq_Suc'[no_vars]}
+\rulename{add_2_eq_Suc'}
+
+@{thm[display] add_assoc[no_vars]}
+\rulename{add_assoc}
+
+@{thm[display] add_commute[no_vars]}
+\rulename{add_commute}
+
+@{thm[display] add_left_commute[no_vars]}
+\rulename{add_left_commute}
+
+these form add_ac; similarly there is mult_ac
+*}
+
+lemma "Suc(i + j*l*k + m*n) = f (n*m + i + k*j*l)"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply (simp add: add_ac mult_ac)
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+oops
+
+text{*
+
+@{thm[display] div_le_mono[no_vars]}
+\rulename{div_le_mono}
+
+@{thm[display] diff_mult_distrib[no_vars]}
+\rulename{diff_mult_distrib}
+
+@{thm[display] mult_mod_left[no_vars]}
+\rulename{mult_mod_left}
+
+@{thm[display] nat_diff_split[no_vars]}
+\rulename{nat_diff_split}
+*}
+
+
+lemma "(n - 1) * (n + 1) = n * n - (1::nat)"
+apply (clarsimp split: nat_diff_split iff del: less_Suc0)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (subgoal_tac "n=0", force, arith)
+done
+
+
+lemma "(n - 2) * (n + 2) = n * n - (4::nat)"
+apply (simp split: nat_diff_split, clarify)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (subgoal_tac "n=0 | n=1", force, arith)
+done
+
+text{*
+@{thm[display] mod_if[no_vars]}
+\rulename{mod_if}
+
+@{thm[display] mod_div_equality[no_vars]}
+\rulename{mod_div_equality}
+
+
+@{thm[display] div_mult1_eq[no_vars]}
+\rulename{div_mult1_eq}
+
+@{thm[display] mod_mult_right_eq[no_vars]}
+\rulename{mod_mult_right_eq}
+
+@{thm[display] div_mult2_eq[no_vars]}
+\rulename{div_mult2_eq}
+
+@{thm[display] mod_mult2_eq[no_vars]}
+\rulename{mod_mult2_eq}
+
+@{thm[display] div_mult_mult1[no_vars]}
+\rulename{div_mult_mult1}
+
+@{thm[display] div_by_0 [no_vars]}
+\rulename{div_by_0}
+
+@{thm[display] mod_by_0 [no_vars]}
+\rulename{mod_by_0}
+
+@{thm[display] dvd_antisym[no_vars]}
+\rulename{dvd_antisym}
+
+@{thm[display] dvd_add[no_vars]}
+\rulename{dvd_add}
+
+For the integers, I'd list a few theorems that somehow involve negative
+numbers.*}
+
+
+text{*
+Division, remainder of negatives
+
+
+@{thm[display] pos_mod_sign[no_vars]}
+\rulename{pos_mod_sign}
+
+@{thm[display] pos_mod_bound[no_vars]}
+\rulename{pos_mod_bound}
+
+@{thm[display] neg_mod_sign[no_vars]}
+\rulename{neg_mod_sign}
+
+@{thm[display] neg_mod_bound[no_vars]}
+\rulename{neg_mod_bound}
+
+@{thm[display] zdiv_zadd1_eq[no_vars]}
+\rulename{zdiv_zadd1_eq}
+
+@{thm[display] mod_add_eq[no_vars]}
+\rulename{mod_add_eq}
+
+@{thm[display] zdiv_zmult1_eq[no_vars]}
+\rulename{zdiv_zmult1_eq}
+
+@{thm[display] mod_mult_right_eq[no_vars]}
+\rulename{mod_mult_right_eq}
+
+@{thm[display] zdiv_zmult2_eq[no_vars]}
+\rulename{zdiv_zmult2_eq}
+
+@{thm[display] zmod_zmult2_eq[no_vars]}
+\rulename{zmod_zmult2_eq}
+*}
+
+lemma "abs (x+y) \<le> abs x + abs (y :: int)"
+by arith
+
+lemma "abs (2*x) = 2 * abs (x :: int)"
+by (simp add: abs_if)
+
+
+text {*Induction rules for the Integers
+
+@{thm[display] int_ge_induct[no_vars]}
+\rulename{int_ge_induct}
+
+@{thm[display] int_gr_induct[no_vars]}
+\rulename{int_gr_induct}
+
+@{thm[display] int_le_induct[no_vars]}
+\rulename{int_le_induct}
+
+@{thm[display] int_less_induct[no_vars]}
+\rulename{int_less_induct}
+*}
+
+text {*FIELDS
+
+@{thm[display] dense[no_vars]}
+\rulename{dense}
+
+@{thm[display] times_divide_eq_right[no_vars]}
+\rulename{times_divide_eq_right}
+
+@{thm[display] times_divide_eq_left[no_vars]}
+\rulename{times_divide_eq_left}
+
+@{thm[display] divide_divide_eq_right[no_vars]}
+\rulename{divide_divide_eq_right}
+
+@{thm[display] divide_divide_eq_left[no_vars]}
+\rulename{divide_divide_eq_left}
+
+@{thm[display] minus_divide_left[no_vars]}
+\rulename{minus_divide_left}
+
+@{thm[display] minus_divide_right[no_vars]}
+\rulename{minus_divide_right}
+
+This last NOT a simprule
+
+@{thm[display] add_divide_distrib[no_vars]}
+\rulename{add_divide_distrib}
+*}
+
+lemma "3/4 < (7/8 :: real)"
+by simp
+
+lemma "P ((3/4) * (8/15 :: real))"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply simp
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+oops
+
+lemma "(3/4) * (8/15) < (x :: real)"
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+apply simp
+txt{*
+@{subgoals[display,indent=0,margin=65]}
+*};
+oops
+
+text{*
+Ring and Field
+
+Requires a field, or else an ordered ring
+
+@{thm[display] mult_eq_0_iff[no_vars]}
+\rulename{mult_eq_0_iff}
+
+@{thm[display] mult_cancel_right[no_vars]}
+\rulename{mult_cancel_right}
+
+@{thm[display] mult_cancel_left[no_vars]}
+\rulename{mult_cancel_left}
+*}
+
+text{*
+effect of show sorts on the above
+
+@{thm[display,show_sorts] mult_cancel_left[no_vars]}
+\rulename{mult_cancel_left}
+*}
+
+text{*
+absolute value
+
+@{thm[display] abs_mult[no_vars]}
+\rulename{abs_mult}
+
+@{thm[display] abs_le_iff[no_vars]}
+\rulename{abs_le_iff}
+
+@{thm[display] abs_triangle_ineq[no_vars]}
+\rulename{abs_triangle_ineq}
+
+@{thm[display] power_add[no_vars]}
+\rulename{power_add}
+
+@{thm[display] power_mult[no_vars]}
+\rulename{power_mult}
+
+@{thm[display] power_abs[no_vars]}
+\rulename{power_abs}
+
+
+*}
+
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Overloading.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,78 @@
+(*<*)theory Overloading imports Main Setup begin
+
+hide_class (open) plus (*>*)
+
+text {* Type classes allow \emph{overloading}; thus a constant may
+have multiple definitions at non-overlapping types. *}
+
+subsubsection {* Overloading *}
+
+text {* We can introduce a binary infix addition operator @{text "\<otimes>"}
+for arbitrary types by means of a type class: *}
+
+class plus =
+ fixes plus :: "'a \<Rightarrow> 'a \<Rightarrow> 'a" (infixl "\<oplus>" 70)
+
+text {* \noindent This introduces a new class @{class [source] plus},
+along with a constant @{const [source] plus} with nice infix syntax.
+@{const [source] plus} is also named \emph{class operation}. The type
+of @{const [source] plus} carries a class constraint @{typ [source] "'a
+:: plus"} on its type variable, meaning that only types of class
+@{class [source] plus} can be instantiated for @{typ [source] "'a"}.
+To breathe life into @{class [source] plus} we need to declare a type
+to be an \bfindex{instance} of @{class [source] plus}: *}
+
+instantiation nat :: plus
+begin
+
+text {* \noindent Command \isacommand{instantiation} opens a local
+theory context. Here we can now instantiate @{const [source] plus} on
+@{typ nat}: *}
+
+primrec plus_nat :: "nat \<Rightarrow> nat \<Rightarrow> nat" where
+ "(0::nat) \<oplus> n = n"
+ | "Suc m \<oplus> n = Suc (m \<oplus> n)"
+
+text {* \noindent Note that the name @{const [source] plus} carries a
+suffix @{text "_nat"}; by default, the local name of a class operation
+@{text f} to be instantiated on type constructor @{text \<kappa>} is mangled
+as @{text f_\<kappa>}. In case of uncertainty, these names may be inspected
+using the @{command "print_context"} command or the corresponding
+ProofGeneral button.
+
+Although class @{class [source] plus} has no axioms, the instantiation must be
+formally concluded by a (trivial) instantiation proof ``..'': *}
+
+instance ..
+
+text {* \noindent More interesting \isacommand{instance} proofs will
+arise below.
+
+The instantiation is finished by an explicit *}
+
+end
+
+text {* \noindent From now on, terms like @{term "Suc (m \<oplus> 2)"} are
+legal. *}
+
+instantiation prod :: (plus, plus) plus
+begin
+
+text {* \noindent Here we instantiate the product type @{type prod} to
+class @{class [source] plus}, given that its type arguments are of
+class @{class [source] plus}: *}
+
+fun plus_prod :: "'a \<times> 'b \<Rightarrow> 'a \<times> 'b \<Rightarrow> 'a \<times> 'b" where
+ "(x, y) \<oplus> (w, z) = (x \<oplus> w, y \<oplus> z)"
+
+text {* \noindent Obviously, overloaded specifications may include
+recursion over the syntactic structure of types. *}
+
+instance ..
+
+end
+
+text {* \noindent This way we have encoded the canonical lifting of
+binary operations to products by means of type classes. *}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Pairs.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,208 @@
+(*<*)theory Pairs imports Main begin(*>*)
+
+section{*Pairs and Tuples*}
+
+text{*\label{sec:products}
+Ordered pairs were already introduced in \S\ref{sec:pairs}, but only with a minimal
+repertoire of operations: pairing and the two projections @{term fst} and
+@{term snd}. In any non-trivial application of pairs you will find that this
+quickly leads to unreadable nests of projections. This
+section introduces syntactic sugar to overcome this
+problem: pattern matching with tuples.
+*}
+
+subsection{*Pattern Matching with Tuples*}
+
+text{*
+Tuples may be used as patterns in $\lambda$-abstractions,
+for example @{text"\<lambda>(x,y,z).x+y+z"} and @{text"\<lambda>((x,y),z).x+y+z"}. In fact,
+tuple patterns can be used in most variable binding constructs,
+and they can be nested. Here are
+some typical examples:
+\begin{quote}
+@{term"let (x,y) = f z in (y,x)"}\\
+@{term"case xs of [] => (0::nat) | (x,y)#zs => x+y"}\\
+@{text"\<forall>(x,y)\<in>A. x=y"}\\
+@{text"{(x,y,z). x=z}"}\\
+@{term"\<Union>(x,y)\<in>A. {x+y}"}
+\end{quote}
+The intuitive meanings of these expressions should be obvious.
+Unfortunately, we need to know in more detail what the notation really stands
+for once we have to reason about it. Abstraction
+over pairs and tuples is merely a convenient shorthand for a more complex
+internal representation. Thus the internal and external form of a term may
+differ, which can affect proofs. If you want to avoid this complication,
+stick to @{term fst} and @{term snd} and write @{term"%p. fst p + snd p"}
+instead of @{text"\<lambda>(x,y). x+y"}. These terms are distinct even though they
+denote the same function.
+
+Internally, @{term"%(x,y). t"} becomes @{text"split (\<lambda>x y. t)"}, where
+\cdx{split} is the uncurrying function of type @{text"('a \<Rightarrow> 'b
+\<Rightarrow> 'c) \<Rightarrow> 'a \<times> 'b \<Rightarrow> 'c"} defined as
+\begin{center}
+@{thm split_def}
+\hfill(@{thm[source]split_def})
+\end{center}
+Pattern matching in
+other variable binding constructs is translated similarly. Thus we need to
+understand how to reason about such constructs.
+*}
+
+subsection{*Theorem Proving*}
+
+text{*
+The most obvious approach is the brute force expansion of @{term split}:
+*}
+
+lemma "(\<lambda>(x,y).x) p = fst p"
+by(simp add: split_def)
+
+text{* \noindent
+This works well if rewriting with @{thm[source]split_def} finishes the
+proof, as it does above. But if it does not, you end up with exactly what
+we are trying to avoid: nests of @{term fst} and @{term snd}. Thus this
+approach is neither elegant nor very practical in large examples, although it
+can be effective in small ones.
+
+If we consider why this lemma presents a problem,
+we realize that we need to replace variable~@{term
+p} by some pair @{term"(a,b)"}. Then both sides of the
+equation would simplify to @{term a} by the simplification rules
+@{thm split_conv[no_vars]} and @{thm fst_conv[no_vars]}.
+To reason about tuple patterns requires some way of
+converting a variable of product type into a pair.
+In case of a subterm of the form @{term"split f p"} this is easy: the split
+rule @{thm[source]split_split} replaces @{term p} by a pair:%
+\index{*split (method)}
+*}
+
+lemma "(\<lambda>(x,y).y) p = snd p"
+apply(split split_split);
+
+txt{*
+@{subgoals[display,indent=0]}
+This subgoal is easily proved by simplification. Thus we could have combined
+simplification and splitting in one command that proves the goal outright:
+*}
+(*<*)
+by simp
+lemma "(\<lambda>(x,y).y) p = snd p"(*>*)
+by(simp split: split_split)
+
+text{*
+Let us look at a second example:
+*}
+
+lemma "let (x,y) = p in fst p = x";
+apply(simp only: Let_def)
+
+txt{*
+@{subgoals[display,indent=0]}
+A paired @{text let} reduces to a paired $\lambda$-abstraction, which
+can be split as above. The same is true for paired set comprehension:
+*}
+
+(*<*)by(simp split: split_split)(*>*)
+lemma "p \<in> {(x,y). x=y} \<longrightarrow> fst p = snd p"
+apply simp
+
+txt{*
+@{subgoals[display,indent=0]}
+Again, simplification produces a term suitable for @{thm[source]split_split}
+as above. If you are worried about the strange form of the premise:
+@{text"split (op =)"} is short for @{term"\<lambda>(x,y). x=y"}.
+The same proof procedure works for
+*}
+
+(*<*)by(simp split: split_split)(*>*)
+lemma "p \<in> {(x,y). x=y} \<Longrightarrow> fst p = snd p"
+
+txt{*\noindent
+except that we now have to use @{thm[source]split_split_asm}, because
+@{term split} occurs in the assumptions.
+
+However, splitting @{term split} is not always a solution, as no @{term split}
+may be present in the goal. Consider the following function:
+*}
+
+(*<*)by(simp split: split_split_asm)(*>*)
+primrec swap :: "'a \<times> 'b \<Rightarrow> 'b \<times> 'a" where "swap (x,y) = (y,x)"
+
+text{*\noindent
+Note that the above \isacommand{primrec} definition is admissible
+because @{text"\<times>"} is a datatype. When we now try to prove
+*}
+
+lemma "swap(swap p) = p"
+
+txt{*\noindent
+simplification will do nothing, because the defining equation for
+@{const[source] swap} expects a pair. Again, we need to turn @{term p}
+into a pair first, but this time there is no @{term split} in sight.
+The only thing we can do is to split the term by hand:
+*}
+apply(case_tac p)
+
+txt{*\noindent
+@{subgoals[display,indent=0]}
+Again, \methdx{case_tac} is applicable because @{text"\<times>"} is a datatype.
+The subgoal is easily proved by @{text simp}.
+
+Splitting by @{text case_tac} also solves the previous examples and may thus
+appear preferable to the more arcane methods introduced first. However, see
+the warning about @{text case_tac} in \S\ref{sec:struct-ind-case}.
+
+Alternatively, you can split \emph{all} @{text"\<And>"}-quantified variables
+in a goal with the rewrite rule @{thm[source]split_paired_all}:
+*}
+
+(*<*)by simp(*>*)
+lemma "\<And>p q. swap(swap p) = q \<longrightarrow> p = q"
+apply(simp only: split_paired_all)
+
+txt{*\noindent
+@{subgoals[display,indent=0,margin=70]}
+*}
+
+apply simp
+done
+
+text{*\noindent
+Note that we have intentionally included only @{thm[source]split_paired_all}
+in the first simplification step, and then we simplify again.
+This time the reason was not merely
+pedagogical:
+@{thm[source]split_paired_all} may interfere with other functions
+of the simplifier.
+The following command could fail (here it does not)
+where two separate \isa{simp} applications succeed.
+*}
+
+(*<*)
+lemma "\<And>p q. swap(swap p) = q \<longrightarrow> p = q"
+(*>*)
+apply(simp add: split_paired_all)
+(*<*)done(*>*)
+text{*\noindent
+Finally, the simplifier automatically splits all @{text"\<forall>"} and
+@{text"\<exists>"}-quantified variables:
+*}
+
+lemma "\<forall>p. \<exists>q. swap p = swap q"
+by simp;
+
+text{*\noindent
+To turn off this automatic splitting, disable the
+responsible simplification rules:
+\begin{center}
+@{thm split_paired_All[no_vars]}
+\hfill
+(@{thm[source]split_paired_All})\\
+@{thm split_paired_Ex[no_vars]}
+\hfill
+(@{thm[source]split_paired_Ex})
+\end{center}
+*}
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Records.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,408 @@
+
+header {* Records \label{sec:records} *}
+
+(*<*)
+theory Records imports Main begin
+(*>*)
+
+text {*
+ \index{records|(}%
+ Records are familiar from programming languages. A record of $n$
+ fields is essentially an $n$-tuple, but the record's components have
+ names, which can make expressions easier to read and reduces the
+ risk of confusing one field for another.
+
+ A record of Isabelle/HOL covers a collection of fields, with select
+ and update operations. Each field has a specified type, which may
+ be polymorphic. The field names are part of the record type, and
+ the order of the fields is significant --- as it is in Pascal but
+ not in Standard ML. If two different record types have field names
+ in common, then the ambiguity is resolved in the usual way, by
+ qualified names.
+
+ Record types can also be defined by extending other record types.
+ Extensible records make use of the reserved pseudo-field \cdx{more},
+ which is present in every record type. Generic record operations
+ work on all possible extensions of a given type scheme; polymorphism
+ takes care of structural sub-typing behind the scenes. There are
+ also explicit coercion functions between fixed record types.
+*}
+
+
+subsection {* Record Basics *}
+
+text {*
+ Record types are not primitive in Isabelle and have a delicate
+ internal representation \cite{NaraschewskiW-TPHOLs98}, based on
+ nested copies of the primitive product type. A \commdx{record}
+ declaration introduces a new record type scheme by specifying its
+ fields, which are packaged internally to hold up the perception of
+ the record as a distinguished entity. Here is a simple example:
+*}
+
+record point =
+ Xcoord :: int
+ Ycoord :: int
+
+text {*\noindent
+ Records of type @{typ point} have two fields named @{const Xcoord}
+ and @{const Ycoord}, both of type~@{typ int}. We now define a
+ constant of type @{typ point}:
+*}
+
+definition pt1 :: point where
+"pt1 \<equiv> (| Xcoord = 999, Ycoord = 23 |)"
+
+text {*\noindent
+ We see above the ASCII notation for record brackets. You can also
+ use the symbolic brackets @{text \<lparr>} and @{text \<rparr>}. Record type
+ expressions can be also written directly with individual fields.
+ The type name above is merely an abbreviation.
+*}
+
+definition pt2 :: "\<lparr>Xcoord :: int, Ycoord :: int\<rparr>" where
+"pt2 \<equiv> \<lparr>Xcoord = -45, Ycoord = 97\<rparr>"
+
+text {*
+ For each field, there is a \emph{selector}\index{selector!record}
+ function of the same name. For example, if @{text p} has type @{typ
+ point} then @{text "Xcoord p"} denotes the value of the @{text
+ Xcoord} field of~@{text p}. Expressions involving field selection
+ of explicit records are simplified automatically:
+*}
+
+lemma "Xcoord \<lparr>Xcoord = a, Ycoord = b\<rparr> = a"
+ by simp
+
+text {*
+ The \emph{update}\index{update!record} operation is functional. For
+ example, @{term "p\<lparr>Xcoord := 0\<rparr>"} is a record whose @{const Xcoord}
+ value is zero and whose @{const Ycoord} value is copied from~@{text
+ p}. Updates of explicit records are also simplified automatically:
+*}
+
+lemma "\<lparr>Xcoord = a, Ycoord = b\<rparr>\<lparr>Xcoord := 0\<rparr> =
+ \<lparr>Xcoord = 0, Ycoord = b\<rparr>"
+ by simp
+
+text {*
+ \begin{warn}
+ Field names are declared as constants and can no longer be used as
+ variables. It would be unwise, for example, to call the fields of
+ type @{typ point} simply @{text x} and~@{text y}.
+ \end{warn}
+*}
+
+
+subsection {* Extensible Records and Generic Operations *}
+
+text {*
+ \index{records!extensible|(}%
+
+ Now, let us define coloured points (type @{text cpoint}) to be
+ points extended with a field @{text col} of type @{text colour}:
+*}
+
+datatype colour = Red | Green | Blue
+
+record cpoint = point +
+ col :: colour
+
+text {*\noindent
+ The fields of this new type are @{const Xcoord}, @{text Ycoord} and
+ @{text col}, in that order.
+*}
+
+definition cpt1 :: cpoint where
+"cpt1 \<equiv> \<lparr>Xcoord = 999, Ycoord = 23, col = Green\<rparr>"
+
+text {*
+ We can define generic operations that work on arbitrary
+ instances of a record scheme, e.g.\ covering @{typ point}, @{typ
+ cpoint}, and any further extensions. Every record structure has an
+ implicit pseudo-field, \cdx{more}, that keeps the extension as an
+ explicit value. Its type is declared as completely
+ polymorphic:~@{typ 'a}. When a fixed record value is expressed
+ using just its standard fields, the value of @{text more} is
+ implicitly set to @{text "()"}, the empty tuple, which has type
+ @{typ unit}. Within the record brackets, you can refer to the
+ @{text more} field by writing ``@{text "\<dots>"}'' (three dots):
+*}
+
+lemma "Xcoord \<lparr>Xcoord = a, Ycoord = b, \<dots> = p\<rparr> = a"
+ by simp
+
+text {*
+ This lemma applies to any record whose first two fields are @{text
+ Xcoord} and~@{const Ycoord}. Note that @{text "\<lparr>Xcoord = a, Ycoord
+ = b, \<dots> = ()\<rparr>"} is exactly the same as @{text "\<lparr>Xcoord = a, Ycoord
+ = b\<rparr>"}. Selectors and updates are always polymorphic wrt.\ the
+ @{text more} part of a record scheme, its value is just ignored (for
+ select) or copied (for update).
+
+ The @{text more} pseudo-field may be manipulated directly as well,
+ but the identifier needs to be qualified:
+*}
+
+lemma "point.more cpt1 = \<lparr>col = Green\<rparr>"
+ by (simp add: cpt1_def)
+
+text {*\noindent
+ We see that the colour part attached to this @{typ point} is a
+ rudimentary record in its own right, namely @{text "\<lparr>col =
+ Green\<rparr>"}. In order to select or update @{text col}, this fragment
+ needs to be put back into the context of the parent type scheme, say
+ as @{text more} part of another @{typ point}.
+
+ To define generic operations, we need to know a bit more about
+ records. Our definition of @{typ point} above has generated two
+ type abbreviations:
+
+ \medskip
+ \begin{tabular}{l}
+ @{typ point}~@{text "="}~@{text "\<lparr>Xcoord :: int, Ycoord :: int\<rparr>"} \\
+ @{typ "'a point_scheme"}~@{text "="}~@{text "\<lparr>Xcoord :: int, Ycoord :: int, \<dots> :: 'a\<rparr>"} \\
+ \end{tabular}
+ \medskip
+
+\noindent
+ Type @{typ point} is for fixed records having exactly the two fields
+ @{const Xcoord} and~@{text Ycoord}, while the polymorphic type @{typ
+ "'a point_scheme"} comprises all possible extensions to those two
+ fields. Note that @{typ "unit point_scheme"} coincides with @{typ
+ point}, and @{typ "\<lparr>col :: colour\<rparr> point_scheme"} with @{typ
+ cpoint}.
+
+ In the following example we define two operations --- methods, if we
+ regard records as objects --- to get and set any point's @{text
+ Xcoord} field.
+*}
+
+definition getX :: "'a point_scheme \<Rightarrow> int" where
+"getX r \<equiv> Xcoord r"
+definition setX :: "'a point_scheme \<Rightarrow> int \<Rightarrow> 'a point_scheme" where
+"setX r a \<equiv> r\<lparr>Xcoord := a\<rparr>"
+
+text {*
+ Here is a generic method that modifies a point, incrementing its
+ @{const Xcoord} field. The @{text Ycoord} and @{text more} fields
+ are copied across. It works for any record type scheme derived from
+ @{typ point} (including @{typ cpoint} etc.):
+*}
+
+definition incX :: "'a point_scheme \<Rightarrow> 'a point_scheme" where
+"incX r \<equiv>
+ \<lparr>Xcoord = Xcoord r + 1, Ycoord = Ycoord r, \<dots> = point.more r\<rparr>"
+
+text {*
+ Generic theorems can be proved about generic methods. This trivial
+ lemma relates @{const incX} to @{text getX} and @{text setX}:
+*}
+
+lemma "incX r = setX r (getX r + 1)"
+ by (simp add: getX_def setX_def incX_def)
+
+text {*
+ \begin{warn}
+ If you use the symbolic record brackets @{text \<lparr>} and @{text \<rparr>},
+ then you must also use the symbolic ellipsis, ``@{text \<dots>}'', rather
+ than three consecutive periods, ``@{text "..."}''. Mixing the ASCII
+ and symbolic versions causes a syntax error. (The two versions are
+ more distinct on screen than they are on paper.)
+ \end{warn}%
+ \index{records!extensible|)}
+*}
+
+
+subsection {* Record Equality *}
+
+text {*
+ Two records are equal\index{equality!of records} if all pairs of
+ corresponding fields are equal. Concrete record equalities are
+ simplified automatically:
+*}
+
+lemma "(\<lparr>Xcoord = a, Ycoord = b\<rparr> = \<lparr>Xcoord = a', Ycoord = b'\<rparr>) =
+ (a = a' \<and> b = b')"
+ by simp
+
+text {*
+ The following equality is similar, but generic, in that @{text r}
+ can be any instance of @{typ "'a point_scheme"}:
+*}
+
+lemma "r\<lparr>Xcoord := a, Ycoord := b\<rparr> = r\<lparr>Ycoord := b, Xcoord := a\<rparr>"
+ by simp
+
+text {*\noindent
+ We see above the syntax for iterated updates. We could equivalently
+ have written the left-hand side as @{text "r\<lparr>Xcoord := a\<rparr>\<lparr>Ycoord :=
+ b\<rparr>"}.
+
+ Record equality is \emph{extensional}:
+ \index{extensionality!for records} a record is determined entirely
+ by the values of its fields.
+*}
+
+lemma "r = \<lparr>Xcoord = Xcoord r, Ycoord = Ycoord r\<rparr>"
+ by simp
+
+text {*\noindent
+ The generic version of this equality includes the pseudo-field
+ @{text more}:
+*}
+
+lemma "r = \<lparr>Xcoord = Xcoord r, Ycoord = Ycoord r, \<dots> = point.more r\<rparr>"
+ by simp
+
+text {*
+ The simplifier can prove many record equalities
+ automatically, but general equality reasoning can be tricky.
+ Consider proving this obvious fact:
+*}
+
+lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
+ apply simp?
+ oops
+
+text {*\noindent
+ Here the simplifier can do nothing, since general record equality is
+ not eliminated automatically. One way to proceed is by an explicit
+ forward step that applies the selector @{const Xcoord} to both sides
+ of the assumed record equality:
+*}
+
+lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
+ apply (drule_tac f = Xcoord in arg_cong)
+ txt {* @{subgoals [display, indent = 0, margin = 65]}
+ Now, @{text simp} will reduce the assumption to the desired
+ conclusion. *}
+ apply simp
+ done
+
+text {*
+ The @{text cases} method is preferable to such a forward proof. We
+ state the desired lemma again:
+*}
+
+lemma "r\<lparr>Xcoord := a\<rparr> = r\<lparr>Xcoord := a'\<rparr> \<Longrightarrow> a = a'"
+
+ txt {* The \methdx{cases} method adds an equality to replace the
+ named record term by an explicit record expression, listing all
+ fields. It even includes the pseudo-field @{text more}, since the
+ record equality stated here is generic for all extensions. *}
+
+ apply (cases r)
+
+ txt {* @{subgoals [display, indent = 0, margin = 65]} Again, @{text
+ simp} finishes the proof. Because @{text r} is now represented as
+ an explicit record construction, the updates can be applied and the
+ record equality can be replaced by equality of the corresponding
+ fields (due to injectivity). *}
+
+ apply simp
+ done
+
+text {*
+ The generic cases method does not admit references to locally bound
+ parameters of a goal. In longer proof scripts one might have to
+ fall back on the primitive @{text rule_tac} used together with the
+ internal field representation rules of records. The above use of
+ @{text "(cases r)"} would become @{text "(rule_tac r = r in
+ point.cases_scheme)"}.
+*}
+
+
+subsection {* Extending and Truncating Records *}
+
+text {*
+ Each record declaration introduces a number of derived operations to
+ refer collectively to a record's fields and to convert between fixed
+ record types. They can, for instance, convert between types @{typ
+ point} and @{typ cpoint}. We can add a colour to a point or convert
+ a @{typ cpoint} to a @{typ point} by forgetting its colour.
+
+ \begin{itemize}
+
+ \item Function \cdx{make} takes as arguments all of the record's
+ fields (including those inherited from ancestors). It returns the
+ corresponding record.
+
+ \item Function \cdx{fields} takes the record's very own fields and
+ returns a record fragment consisting of just those fields. This may
+ be filled into the @{text more} part of the parent record scheme.
+
+ \item Function \cdx{extend} takes two arguments: a record to be
+ extended and a record containing the new fields.
+
+ \item Function \cdx{truncate} takes a record (possibly an extension
+ of the original record type) and returns a fixed record, removing
+ any additional fields.
+
+ \end{itemize}
+ These functions provide useful abbreviations for standard
+ record expressions involving constructors and selectors. The
+ definitions, which are \emph{not} unfolded by default, are made
+ available by the collective name of @{text defs} (@{text
+ point.defs}, @{text cpoint.defs}, etc.).
+ For example, here are the versions of those functions generated for
+ record @{typ point}. We omit @{text point.fields}, which happens to
+ be the same as @{text point.make}.
+
+ @{thm [display, indent = 0, margin = 65] point.make_def [no_vars]
+ point.extend_def [no_vars] point.truncate_def [no_vars]}
+ Contrast those with the corresponding functions for record @{typ
+ cpoint}. Observe @{text cpoint.fields} in particular.
+ @{thm [display, indent = 0, margin = 65] cpoint.make_def [no_vars]
+ cpoint.fields_def [no_vars] cpoint.extend_def [no_vars]
+ cpoint.truncate_def [no_vars]}
+
+ To demonstrate these functions, we declare a new coloured point by
+ extending an ordinary point. Function @{text point.extend} augments
+ @{text pt1} with a colour value, which is converted into an
+ appropriate record fragment by @{text cpoint.fields}.
+*}
+
+definition cpt2 :: cpoint where
+"cpt2 \<equiv> point.extend pt1 (cpoint.fields Green)"
+
+text {*
+ The coloured points @{const cpt1} and @{text cpt2} are equal. The
+ proof is trivial, by unfolding all the definitions. We deliberately
+ omit the definition of~@{text pt1} in order to reveal the underlying
+ comparison on type @{typ point}.
+*}
+
+lemma "cpt1 = cpt2"
+ apply (simp add: cpt1_def cpt2_def point.defs cpoint.defs)
+ txt {* @{subgoals [display, indent = 0, margin = 65]} *}
+ apply (simp add: pt1_def)
+ done
+
+text {*
+ In the example below, a coloured point is truncated to leave a
+ point. We use the @{text truncate} function of the target record.
+*}
+
+lemma "point.truncate cpt2 = pt1"
+ by (simp add: pt1_def cpt2_def point.defs)
+
+text {*
+ \begin{exercise}
+ Extend record @{typ cpoint} to have a further field, @{text
+ intensity}, of type~@{typ nat}. Experiment with generic operations
+ (using polymorphic selectors and updates) and explicit coercions
+ (using @{text extend}, @{text truncate} etc.) among the three record
+ types.
+ \end{exercise}
+
+ \begin{exercise}
+ (For Java programmers.)
+ Model a small class hierarchy using records.
+ \end{exercise}
+ \index{records|)}
+*}
+
+(*<*)
+end
+(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Setup.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,10 @@
+theory Setup
+imports Main
+begin
+
+ML_file "../../antiquote_setup.ML"
+ML_file "../../more_antiquote.ML"
+
+setup {* Antiquote_Setup.setup #> More_Antiquote.setup *}
+
+end
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/Types/Typedefs.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,242 @@
+(*<*)theory Typedefs imports Main begin(*>*)
+
+section{*Introducing New Types*}
+
+text{*\label{sec:adv-typedef}
+For most applications, a combination of predefined types like @{typ bool} and
+@{text"\<Rightarrow>"} with recursive datatypes and records is quite sufficient. Very
+occasionally you may feel the need for a more advanced type. If you
+are certain that your type is not definable by any of the
+standard means, then read on.
+\begin{warn}
+ Types in HOL must be non-empty; otherwise the quantifier rules would be
+ unsound, because $\exists x.\ x=x$ is a theorem.
+\end{warn}
+*}
+
+subsection{*Declaring New Types*}
+
+text{*\label{sec:typedecl}
+\index{types!declaring|(}%
+\index{typedecl@\isacommand {typedecl} (command)}%
+The most trivial way of introducing a new type is by a \textbf{type
+declaration}: *}
+
+typedecl my_new_type
+
+text{*\noindent
+This does not define @{typ my_new_type} at all but merely introduces its
+name. Thus we know nothing about this type, except that it is
+non-empty. Such declarations without definitions are
+useful if that type can be viewed as a parameter of the theory.
+A typical example is given in \S\ref{sec:VMC}, where we define a transition
+relation over an arbitrary type of states.
+
+In principle we can always get rid of such type declarations by making those
+types parameters of every other type, thus keeping the theory generic. In
+practice, however, the resulting clutter can make types hard to read.
+
+If you are looking for a quick and dirty way of introducing a new type
+together with its properties: declare the type and state its properties as
+axioms. Example:
+*}
+
+axioms
+just_one: "\<exists>x::my_new_type. \<forall>y. x = y"
+
+text{*\noindent
+However, we strongly discourage this approach, except at explorative stages
+of your development. It is extremely easy to write down contradictory sets of
+axioms, in which case you will be able to prove everything but it will mean
+nothing. In the example above, the axiomatic approach is
+unnecessary: a one-element type called @{typ unit} is already defined in HOL.
+\index{types!declaring|)}
+*}
+
+subsection{*Defining New Types*}
+
+text{*\label{sec:typedef}
+\index{types!defining|(}%
+\index{typedecl@\isacommand {typedef} (command)|(}%
+Now we come to the most general means of safely introducing a new type, the
+\textbf{type definition}. All other means, for example
+\isacommand{datatype}, are based on it. The principle is extremely simple:
+any non-empty subset of an existing type can be turned into a new type.
+More precisely, the new type is specified to be isomorphic to some
+non-empty subset of an existing type.
+
+Let us work a simple example, the definition of a three-element type.
+It is easily represented by the first three natural numbers:
+*}
+
+typedef three = "{0::nat, 1, 2}"
+
+txt{*\noindent
+In order to enforce that the representing set on the right-hand side is
+non-empty, this definition actually starts a proof to that effect:
+@{subgoals[display,indent=0]}
+Fortunately, this is easy enough to show, even \isa{auto} could do it.
+In general, one has to provide a witness, in our case 0:
+*}
+
+apply(rule_tac x = 0 in exI)
+by simp
+
+text{*
+This type definition introduces the new type @{typ three} and asserts
+that it is a copy of the set @{term"{0::nat,1,2}"}. This assertion
+is expressed via a bijection between the \emph{type} @{typ three} and the
+\emph{set} @{term"{0::nat,1,2}"}. To this end, the command declares the following
+constants behind the scenes:
+\begin{center}
+\begin{tabular}{rcl}
+@{term three} &::& @{typ"nat set"} \\
+@{term Rep_three} &::& @{typ"three \<Rightarrow> nat"}\\
+@{term Abs_three} &::& @{typ"nat \<Rightarrow> three"}
+\end{tabular}
+\end{center}
+where constant @{term three} is explicitly defined as the representing set:
+\begin{center}
+@{thm three_def}\hfill(@{thm[source]three_def})
+\end{center}
+The situation is best summarized with the help of the following diagram,
+where squares denote types and the irregular region denotes a set:
+\begin{center}
+\includegraphics[scale=.8]{typedef}
+\end{center}
+Finally, \isacommand{typedef} asserts that @{term Rep_three} is
+surjective on the subset @{term three} and @{term Abs_three} and @{term
+Rep_three} are inverses of each other:
+\begin{center}
+\begin{tabular}{@ {}r@ {\qquad\qquad}l@ {}}
+@{thm Rep_three[no_vars]} & (@{thm[source]Rep_three}) \\
+@{thm Rep_three_inverse[no_vars]} & (@{thm[source]Rep_three_inverse}) \\
+@{thm Abs_three_inverse[no_vars]} & (@{thm[source]Abs_three_inverse})
+\end{tabular}
+\end{center}
+%
+From this example it should be clear what \isacommand{typedef} does
+in general given a name (here @{text three}) and a set
+(here @{term"{0::nat,1,2}"}).
+
+Our next step is to define the basic functions expected on the new type.
+Although this depends on the type at hand, the following strategy works well:
+\begin{itemize}
+\item define a small kernel of basic functions that can express all other
+functions you anticipate.
+\item define the kernel in terms of corresponding functions on the
+representing type using @{term Abs} and @{term Rep} to convert between the
+two levels.
+\end{itemize}
+In our example it suffices to give the three elements of type @{typ three}
+names:
+*}
+
+definition A :: three where "A \<equiv> Abs_three 0"
+definition B :: three where "B \<equiv> Abs_three 1"
+definition C :: three where "C \<equiv> Abs_three 2"
+
+text{*
+So far, everything was easy. But it is clear that reasoning about @{typ
+three} will be hell if we have to go back to @{typ nat} every time. Thus our
+aim must be to raise our level of abstraction by deriving enough theorems
+about type @{typ three} to characterize it completely. And those theorems
+should be phrased in terms of @{term A}, @{term B} and @{term C}, not @{term
+Abs_three} and @{term Rep_three}. Because of the simplicity of the example,
+we merely need to prove that @{term A}, @{term B} and @{term C} are distinct
+and that they exhaust the type.
+
+In processing our \isacommand{typedef} declaration,
+Isabelle proves several helpful lemmas. The first two
+express injectivity of @{term Rep_three} and @{term Abs_three}:
+\begin{center}
+\begin{tabular}{@ {}r@ {\qquad}l@ {}}
+@{thm Rep_three_inject[no_vars]} & (@{thm[source]Rep_three_inject}) \\
+\begin{tabular}{@ {}l@ {}}
+@{text"\<lbrakk>x \<in> three; y \<in> three \<rbrakk>"} \\
+@{text"\<Longrightarrow> (Abs_three x = Abs_three y) = (x = y)"}
+\end{tabular} & (@{thm[source]Abs_three_inject}) \\
+\end{tabular}
+\end{center}
+The following ones allow to replace some @{text"x::three"} by
+@{text"Abs_three(y::nat)"}, and conversely @{term y} by @{term"Rep_three x"}:
+\begin{center}
+\begin{tabular}{@ {}r@ {\qquad}l@ {}}
+@{thm Rep_three_cases[no_vars]} & (@{thm[source]Rep_three_cases}) \\
+@{thm Abs_three_cases[no_vars]} & (@{thm[source]Abs_three_cases}) \\
+@{thm Rep_three_induct[no_vars]} & (@{thm[source]Rep_three_induct}) \\
+@{thm Abs_three_induct[no_vars]} & (@{thm[source]Abs_three_induct}) \\
+\end{tabular}
+\end{center}
+These theorems are proved for any type definition, with @{term three}
+replaced by the name of the type in question.
+
+Distinctness of @{term A}, @{term B} and @{term C} follows immediately
+if we expand their definitions and rewrite with the injectivity
+of @{term Abs_three}:
+*}
+
+lemma "A \<noteq> B \<and> B \<noteq> A \<and> A \<noteq> C \<and> C \<noteq> A \<and> B \<noteq> C \<and> C \<noteq> B"
+by(simp add: Abs_three_inject A_def B_def C_def three_def)
+
+text{*\noindent
+Of course we rely on the simplifier to solve goals like @{prop"(0::nat) \<noteq> 1"}.
+
+The fact that @{term A}, @{term B} and @{term C} exhaust type @{typ three} is
+best phrased as a case distinction theorem: if you want to prove @{prop"P x"}
+(where @{term x} is of type @{typ three}) it suffices to prove @{prop"P A"},
+@{prop"P B"} and @{prop"P C"}: *}
+
+lemma three_cases: "\<lbrakk> P A; P B; P C \<rbrakk> \<Longrightarrow> P x"
+
+txt{*\noindent Again this follows easily using the induction principle stemming from the type definition:*}
+
+apply(induct_tac x)
+
+txt{*
+@{subgoals[display,indent=0]}
+Simplification with @{thm[source]three_def} leads to the disjunction @{prop"y
+= 0 \<or> y = 1 \<or> y = (2::nat)"} which \isa{auto} separates into three
+subgoals, each of which is easily solved by simplification: *}
+
+apply(auto simp add: three_def A_def B_def C_def)
+done
+
+text{*\noindent
+This concludes the derivation of the characteristic theorems for
+type @{typ three}.
+
+The attentive reader has realized long ago that the
+above lengthy definition can be collapsed into one line:
+*}
+
+datatype better_three = A | B | C
+
+text{*\noindent
+In fact, the \isacommand{datatype} command performs internally more or less
+the same derivations as we did, which gives you some idea what life would be
+like without \isacommand{datatype}.
+
+Although @{typ three} could be defined in one line, we have chosen this
+example to demonstrate \isacommand{typedef} because its simplicity makes the
+key concepts particularly easy to grasp. If you would like to see a
+non-trivial example that cannot be defined more directly, we recommend the
+definition of \emph{finite multisets} in the Library~\cite{HOL-Library}.
+
+Let us conclude by summarizing the above procedure for defining a new type.
+Given some abstract axiomatic description $P$ of a type $ty$ in terms of a
+set of functions $F$, this involves three steps:
+\begin{enumerate}
+\item Find an appropriate type $\tau$ and subset $A$ which has the desired
+ properties $P$, and make a type definition based on this representation.
+\item Define the required functions $F$ on $ty$ by lifting
+analogous functions on the representation via $Abs_ty$ and $Rep_ty$.
+\item Prove that $P$ holds for $ty$ by lifting $P$ from the representation.
+\end{enumerate}
+You can now forget about the representation and work solely in terms of the
+abstract functions $F$ and properties $P$.%
+\index{typedecl@\isacommand {typedef} (command)|)}%
+\index{types!defining|)}
+*}
+
+(*<*)end(*>*)
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/Isa-logics.eps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,753 @@
+%!PS-Adobe-3.0 EPSF-3.0
+%%BoundingBox: 106 651 274 788
+%%Title: (Isa-logics)
+%%Creator: (ClarisDraw: LaserWriter 8 8.1.1)
+%%CreationDate: (9:19 pm Wednesday, April 24, 1996)
+%%For: (Larry)
+%%Pages: 1
+%%DocumentFonts: Times-Roman
+%%DocumentNeededFonts: Times-Roman
+%%DocumentSuppliedFonts:
+%%DocumentData: Clean7Bit
+%%PageOrder: Ascend
+%%Orientation: Portrait
+%ADO_PaperArea: -124 -112 3244 2268
+%ADO_ImageableArea: 0 0 3124 2152
+%%EndComments
+/md 148 dict def md begin
+/currentpacking where {pop /sc_oldpacking currentpacking def true setpacking}if
+%%BeginFile: adobe_psp_basic
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/bd{bind def}bind def
+/xdf{exch def}bd
+/xs{exch store}bd
+/ld{load def}bd
+/Z{0 def}bd
+/T/true
+/F/false
+/:L/lineto
+/lw/setlinewidth
+/:M/moveto
+/rl/rlineto
+/rm/rmoveto
+/:C/curveto
+/:T/translate
+/:K/closepath
+/:mf/makefont
+/gS/gsave
+/gR/grestore
+/np/newpath
+14{ld}repeat
+/$m matrix def
+/av 81 def
+/por true def
+/normland false def
+/psb-nosave{}bd
+/pse-nosave{}bd
+/us Z
+/psb{/us save store}bd
+/pse{us restore}bd
+/level2
+/languagelevel where
+{
+pop languagelevel 2 ge
+}{
+false
+}ifelse
+def
+/featurecleanup
+{
+stopped
+cleartomark
+countdictstack exch sub dup 0 gt
+{
+{end}repeat
+}{
+pop
+}ifelse
+}bd
+/noload Z
+/startnoload
+{
+{/noload save store}if
+}bd
+/endnoload
+{
+{noload restore}if
+}bd
+level2 startnoload
+/setjob
+{
+statusdict/jobname 3 -1 roll put
+}bd
+/setcopies
+{
+userdict/#copies 3 -1 roll put
+}bd
+level2 endnoload level2 not startnoload
+/setjob
+{
+1 dict begin/JobName xdf currentdict end setuserparams
+}bd
+/setcopies
+{
+1 dict begin/NumCopies xdf currentdict end setpagedevice
+}bd
+level2 not endnoload
+/pm Z
+/mT Z
+/sD Z
+/realshowpage Z
+/initializepage
+{
+/pm save store mT concat
+}bd
+/endp
+{
+pm restore showpage
+}def
+/$c/DeviceRGB def
+/rectclip where
+{
+pop/rC/rectclip ld
+}{
+/rC
+{
+np 4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+:K
+clip np
+}bd
+}ifelse
+/rectfill where
+{
+pop/rF/rectfill ld
+}{
+/rF
+{
+gS
+np
+4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+fill
+gR
+}bd
+}ifelse
+/rectstroke where
+{
+pop/rS/rectstroke ld
+}{
+/rS
+{
+gS
+np
+4 2 roll
+:M
+1 index 0 rl
+0 exch rl
+neg 0 rl
+:K
+stroke
+gR
+}bd
+}ifelse
+%%EndFile
+%%BeginFile: adobe_psp_colorspace_level1
+%%Copyright: Copyright 1991-1993 Adobe Systems Incorporated. All Rights Reserved.
+/G/setgray ld
+/:F/setrgbcolor ld
+%%EndFile
+%%BeginFile: adobe_psp_uniform_graphics
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/@a
+{
+np :M 0 rl :L 0 exch rl 0 rl :L fill
+}bd
+/@b
+{
+np :M 0 rl 0 exch rl :L 0 rl 0 exch rl fill
+}bd
+/arct where
+{
+pop
+}{
+/arct
+{
+arcto pop pop pop pop
+}bd
+}ifelse
+/x1 Z
+/x2 Z
+/y1 Z
+/y2 Z
+/rad Z
+/@q
+{
+/rad xs
+/y2 xs
+/x2 xs
+/y1 xs
+/x1 xs
+np
+x2 x1 add 2 div y1 :M
+x2 y1 x2 y2 rad arct
+x2 y2 x1 y2 rad arct
+x1 y2 x1 y1 rad arct
+x1 y1 x2 y1 rad arct
+fill
+}bd
+/@s
+{
+/rad xs
+/y2 xs
+/x2 xs
+/y1 xs
+/x1 xs
+np
+x2 x1 add 2 div y1 :M
+x2 y1 x2 y2 rad arct
+x2 y2 x1 y2 rad arct
+x1 y2 x1 y1 rad arct
+x1 y1 x2 y1 rad arct
+:K
+stroke
+}bd
+/@i
+{
+np 0 360 arc fill
+}bd
+/@j
+{
+gS
+np
+:T
+scale
+0 0 .5 0 360 arc
+fill
+gR
+}bd
+/@e
+{
+np
+0 360 arc
+:K
+stroke
+}bd
+/@f
+{
+np
+$m currentmatrix
+pop
+:T
+scale
+0 0 .5 0 360 arc
+:K
+$m setmatrix
+stroke
+}bd
+/@k
+{
+gS
+np
+:T
+0 0 :M
+0 0 5 2 roll
+arc fill
+gR
+}bd
+/@l
+{
+gS
+np
+:T
+0 0 :M
+scale
+0 0 .5 5 -2 roll arc
+fill
+gR
+}bd
+/@m
+{
+np
+arc
+stroke
+}bd
+/@n
+{
+np
+$m currentmatrix
+pop
+:T
+scale
+0 0 .5 5 -2 roll arc
+$m setmatrix
+stroke
+}bd
+%%EndFile
+%%BeginFile: adobe_psp_customps
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/$t Z
+/$p Z
+/$s Z
+/$o 1. def
+/2state? false def
+/ps Z
+level2 startnoload
+/pushcolor/currentrgbcolor ld
+/popcolor/setrgbcolor ld
+/setcmykcolor where
+{
+pop/currentcmykcolor where
+{
+pop/pushcolor/currentcmykcolor ld
+/popcolor/setcmykcolor ld
+}if
+}if
+level2 endnoload level2 not startnoload
+/pushcolor
+{
+currentcolorspace $c eq
+{
+currentcolor currentcolorspace true
+}{
+currentcmykcolor false
+}ifelse
+}bd
+/popcolor
+{
+{
+setcolorspace setcolor
+}{
+setcmykcolor
+}ifelse
+}bd
+level2 not endnoload
+/pushstatic
+{
+ps
+2state?
+$o
+$t
+$p
+$s
+}bd
+/popstatic
+{
+/$s xs
+/$p xs
+/$t xs
+/$o xs
+/2state? xs
+/ps xs
+}bd
+/pushgstate
+{
+save errordict/nocurrentpoint{pop 0 0}put
+currentpoint
+3 -1 roll restore
+pushcolor
+currentlinewidth
+currentlinecap
+currentlinejoin
+currentdash exch aload length
+np clippath pathbbox
+$m currentmatrix aload pop
+}bd
+/popgstate
+{
+$m astore setmatrix
+2 index sub exch
+3 index sub exch
+rC
+array astore exch setdash
+setlinejoin
+setlinecap
+lw
+popcolor
+np :M
+}bd
+/bu
+{
+pushgstate
+gR
+pushgstate
+2state?
+{
+gR
+pushgstate
+}if
+pushstatic
+pm restore
+mT concat
+}bd
+/bn
+{
+/pm save store
+popstatic
+popgstate
+gS
+popgstate
+2state?
+{
+gS
+popgstate
+}if
+}bd
+/cpat{pop 64 div G 8{pop}repeat}bd
+%%EndFile
+%%BeginFile: adobe_psp_basic_text
+%%Copyright: Copyright 1990-1993 Adobe Systems Incorporated. All Rights Reserved.
+/S/show ld
+/A{
+0.0 exch ashow
+}bd
+/R{
+0.0 exch 32 exch widthshow
+}bd
+/W{
+0.0 3 1 roll widthshow
+}bd
+/J{
+0.0 32 4 2 roll 0.0 exch awidthshow
+}bd
+/V{
+0.0 4 1 roll 0.0 exch awidthshow
+}bd
+/fcflg true def
+/fc{
+fcflg{
+vmstatus exch sub 50000 lt{
+(%%[ Warning: Running out of memory ]%%\r)print flush/fcflg false store
+}if pop
+}if
+}bd
+/$f[1 0 0 -1 0 0]def
+/:ff{$f :mf}bd
+/MacEncoding StandardEncoding 256 array copy def
+MacEncoding 39/quotesingle put
+MacEncoding 96/grave put
+/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis/Udieresis/aacute
+/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute/egrave
+/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde/oacute
+/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex/udieresis
+/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
+/registered/copyright/trademark/acute/dieresis/notequal/AE/Oslash
+/infinity/plusminus/lessequal/greaterequal/yen/mu/partialdiff/summation
+/product/pi/integral/ordfeminine/ordmasculine/Omega/ae/oslash
+/questiondown/exclamdown/logicalnot/radical/florin/approxequal/Delta/guillemotleft
+/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
+/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide/lozenge
+/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright/fi/fl
+/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
+/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex/Idieresis/Igrave
+/Oacute/Ocircumflex/apple/Ograve/Uacute/Ucircumflex/Ugrave/dotlessi/circumflex/tilde
+/macron/breve/dotaccent/ring/cedilla/hungarumlaut/ogonek/caron
+MacEncoding 128 128 getinterval astore pop
+level2 startnoload
+/copyfontdict
+{
+findfont dup length dict
+begin
+{
+1 index/FID ne{def}{pop pop}ifelse
+}forall
+}bd
+level2 endnoload level2 not startnoload
+/copyfontdict
+{
+findfont dup length dict
+copy
+begin
+}bd
+level2 not endnoload
+md/fontname known not{
+/fontname/customfont def
+}if
+/Encoding Z
+/:mre
+{
+copyfontdict
+/Encoding MacEncoding def
+fontname currentdict
+end
+definefont :ff def
+}bd
+/:bsr
+{
+copyfontdict
+/Encoding Encoding 256 array copy def
+Encoding dup
+}bd
+/pd{put dup}bd
+/:esr
+{
+pop pop
+fontname currentdict
+end
+definefont :ff def
+}bd
+/scf
+{
+scalefont def
+}bd
+/scf-non
+{
+$m scale :mf setfont
+}bd
+/ps Z
+/fz{/ps xs}bd
+/sf/setfont ld
+/cF/currentfont ld
+/mbf
+{
+/makeblendedfont where
+{
+pop
+makeblendedfont
+/ABlend exch definefont
+}{
+pop
+}ifelse
+def
+}def
+%%EndFile
+/currentpacking where {pop sc_oldpacking setpacking}if
+end % md
+%%EndProlog
+%%BeginSetup
+md begin
+/pT[1 0 0 -1 28 811]def/mT[.25 0 0 -.25 28 811]def
+/sD 16 dict def
+%%IncludeFont: Times-Roman
+/f0_1/Times-Roman :mre
+/f0_40 f0_1 40 scf
+/Courier findfont[10 0 0 -10 0 0]:mf setfont
+%PostScript Hack by Mike Brors 12/7/90
+/DisableNextSetRGBColor
+ {
+ userdict begin
+ /setrgbcolor
+ {
+ pop
+ pop
+ pop
+ userdict begin
+ /setrgbcolor systemdict /setrgbcolor get def
+ end
+ } def
+ end
+} bind def
+/bcarray where {
+ pop
+ bcarray 2 {
+ /da 4 ps div def
+ df setfont gsave cs wi
+ 1 index 0 ne{exch da add exch}if grestore setcharwidth
+ cs 0 0 smc da 0 smc da da smc 0 da smc c
+ gray
+ { gl}
+ {1 setgray}ifelse
+ da 2. div dup moveto show
+ }bind put
+} if
+%
+% Used to snap to device pixels, 1/4th of the pixel in.
+/stp { % x y pl x y % Snap To Pixel, pixel (auto stroke adjust)
+ transform
+ 0.25 sub round 0.25 add exch
+ 0.25 sub round 0.25 add exch
+ itransform
+} bind def
+
+/snapmoveto { % x y m - % moveto, auto stroke adjust
+ stp moveto
+} bind def
+
+/snaplineto { % x y l - % lineto, auto stroke adjust
+ stp lineto
+} bind def
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+initializepage
+%%EndPageSetup
+gS 0 0 2152 3124 rC
+0 0 :M
+.25 0 translate
+/DrawObject_save_matrix_0 matrix currentmatrix def
+0 0 2152 2912 rC
+-40 -12 :M
+DrawObject_save_matrix_0 setmatrix
+/DrawObject_save_matrix_0 matrix currentmatrix def
+-40 -12 :M
+/DrawObject_save_matrix_1 matrix currentmatrix def
+0 0 2152 2911 rC
+-40 -12 :M
+/DrawObject_save_matrix_2 matrix currentmatrix def
+-40 -12 :M
+DrawObject_save_matrix_2 setmatrix
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+558 556 208 48 rC
+558 556 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 553 520 218 84 rC
+558 592 :M
+f0_40 sf
+-.055(Pure Isabelle)A
+gR
+gS 0 0 2152 2912 rC
+4 lw
+518 528 806 636 32 @s
+168 24 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+426 422 -4 4 538 526 4 426 418 @a
+426 418 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+-4 -4 790 530 4 4 894 418 @b
+786 526 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+588 422 -4 4 610 526 4 588 418 @a
+588 418 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+-4 -4 718 530 4 4 732 418 @b
+714 526 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+376 364 92 48 rC
+376 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 371 328 102 84 rC
+376 400 :M
+f0_40 sf
+-.286(IFOL)A
+gR
+gS 556 364 76 48 rC
+556 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 551 328 86 84 rC
+556 400 :M
+f0_40 sf
+-.273(CTT)A
+gR
+gS 700 364 84 48 rC
+700 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 695 328 94 84 rC
+700 400 :M
+f0_40 sf
+-.094(HOL)A
+gR
+gS 880 364 56 48 rC
+880 364 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 875 328 66 84 rC
+880 400 :M
+f0_40 sf
+-.311(LK)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 916 361 4 4 912 285 @b
+4 lw
+912 357 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+320 94 :M
+/DrawObject_save_matrix_2 matrix currentmatrix def
+336 152 -4 4 394 220 4 336 148 @a
+336 148 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+-4 -4 430 224 4 4 480 148 @b
+426 220 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+320 94 48 48 rC
+320 94 :M
+DrawObject_save_matrix_2 setmatrix
+/DrawObject_save_matrix_2 matrix currentmatrix def
+gR
+gS 315 58 58 84 rC
+320 130 :M
+f0_40 sf
+-.67(ZF)A
+gR
+gS 448 94 76 48 rC
+448 94 :M
+DrawObject_save_matrix_2 setmatrix
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 443 58 86 84 rC
+448 130 :M
+f0_40 sf
+-.175(LCF)A
+gR
+gS 860 178 116 96 rC
+gR
+gS 855 142 126 132 rC
+860 214 :M
+f0_40 sf
+-.106(Modal)A
+975 262 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+860 262 :M
+-.077( logics)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 412 360 4 4 408 284 @b
+4 lw
+408 356 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+376 228 76 48 rC
+376 228 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 371 192 86 84 rC
+376 264 :M
+f0_40 sf
+-.273(FOL)A
+gR
+gS 680 230 132 48 rC
+680 230 :M
+DrawObject_save_matrix_1 setmatrix
+/DrawObject_save_matrix_1 matrix currentmatrix def
+gR
+gS 675 194 142 84 rC
+680 266 :M
+f0_40 sf
+-.026(HOLCF)A
+gR
+gS 0 0 2152 2912 rC
+-4 -4 748 361 4 4 744 285 @b
+4 lw
+744 357 :M
+DrawObject_save_matrix_1 setmatrix
+DrawObject_save_matrix_0 setmatrix
+endp
+%%Trailer
+end % md
+%%EOF
Binary file src/Doc/Tutorial/document/Isa-logics.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/advanced0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,49 @@
+\chapter{Advanced Simplification and Induction}
+
+Although we have already learned a lot about simplification and
+induction, there are some advanced proof techniques that we have not covered
+yet and which are worth learning. The sections of this chapter are
+independent of each other and can be read in any order.
+
+\input{simp2.tex}
+
+\section{Advanced Induction Techniques}
+\label{sec:advanced-ind}
+\index{induction|(}
+\input{AdvancedInd.tex}
+\input{CTLind.tex}
+\index{induction|)}
+
+%\section{Advanced Forms of Recursion}
+%\index{recdef@\isacommand {recdef} (command)|(}
+
+%This section introduces advanced forms of
+%\isacommand{recdef}: how to establish termination by means other than measure
+%functions, how to define recursive functions over nested recursive datatypes
+%and how to deal with partial functions.
+%
+%If, after reading this section, you feel that the definition of recursive
+%functions is overly complicated by the requirement of
+%totality, you should ponder the alternatives. In a logic of partial functions,
+%recursive definitions are always accepted. But there are many
+%such logics, and no clear winner has emerged. And in all of these logics you
+%are (more or less frequently) required to reason about the definedness of
+%terms explicitly. Thus one shifts definedness arguments from definition time to
+%proof time. In HOL you may have to work hard to define a function, but proofs
+%can then proceed unencumbered by worries about undefinedness.
+
+%\subsection{Beyond Measure}
+%\label{sec:beyond-measure}
+%\input{WFrec.tex}
+%
+%\subsection{Recursion Over Nested Datatypes}
+%\label{sec:nested-recdef}
+%\input{Nested0.tex}
+%\input{Nested1.tex}
+%\input{Nested2.tex}
+%
+%\subsection{Partial Functions}
+%\index{functions!partial}
+%\input{Partial.tex}
+%
+%\index{recdef@\isacommand {recdef} (command)|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/appendix0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,190 @@
+\appendix
+
+\chapter{Appendix}
+\label{sec:Appendix}
+
+\begin{table}[htbp]
+\begin{center}
+\begin{tabular}{|l|l|l|}
+\hline
+\indexboldpos{\isasymlbrakk}{$Isabrl} &
+\texttt{[|}\index{$Isabrl@\ttlbr|bold} &
+\verb$\<lbrakk>$ \\
+\indexboldpos{\isasymrbrakk}{$Isabrr} &
+\texttt{|]}\index{$Isabrr@\ttrbr|bold} &
+\verb$\<rbrakk>$ \\
+\indexboldpos{\isasymImp}{$IsaImp} &
+\ttindexboldpos{==>}{$IsaImp} &
+\verb$\<Longrightarrow>$ \\
+\isasymAnd\index{$IsaAnd@\isasymAnd|bold}&
+\texttt{!!}\index{$IsaAnd@\ttAnd|bold} &
+\verb$\<And>$ \\
+\indexboldpos{\isasymequiv}{$IsaEq} &
+\ttindexboldpos{==}{$IsaEq} &
+\verb$\<equiv>$ \\
+\indexboldpos{\isasymrightleftharpoons}{$IsaEqTrans} &
+\ttindexboldpos{==}{$IsaEq} &
+\verb$\<rightleftharpoons>$ \\
+\indexboldpos{\isasymrightharpoonup}{$IsaEqTrans1} &
+\ttindexboldpos{=>}{$IsaFun} &
+\verb$\<rightharpoonup>$ \\
+\indexboldpos{\isasymleftharpoondown}{$IsaEqTrans2} &
+\ttindexboldpos{<=}{$IsaFun2} &
+\verb$\<leftharpoondown>$ \\
+\indexboldpos{\isasymlambda}{$Isalam} &
+\texttt{\%}\indexbold{$Isalam@\texttt{\%}} &
+\verb$\<lambda>$ \\
+\indexboldpos{\isasymFun}{$IsaFun} &
+\ttindexboldpos{=>}{$IsaFun} &
+\verb$\<Rightarrow>$ \\
+\indexboldpos{\isasymand}{$HOL0and} &
+\texttt{\&}\indexbold{$HOL0and@{\texttt{\&}}} &
+\verb$\<and>$ \\
+\indexboldpos{\isasymor}{$HOL0or} &
+\texttt{|}\index{$HOL0or@\ttor|bold} &
+\verb$\<or>$ \\
+\indexboldpos{\isasymimp}{$HOL0imp} &
+\ttindexboldpos{-->}{$HOL0imp} &
+\verb$\<longrightarrow>$ \\
+\indexboldpos{\isasymnot}{$HOL0not} &
+\verb$~$\index{$HOL0not@\verb$~$|bold} &
+\verb$\<not>$ \\
+\indexboldpos{\isasymnoteq}{$HOL0noteq} &
+\verb$~=$\index{$HOL0noteq@\verb$~=$|bold} &
+\verb$\<noteq>$ \\
+\indexboldpos{\isasymforall}{$HOL0All} &
+\ttindexbold{ALL}, \texttt{!}\index{$HOL0All@\ttall|bold} &
+\verb$\<forall>$ \\
+\indexboldpos{\isasymexists}{$HOL0Ex} &
+\ttindexbold{EX}, \texttt{?}\index{$HOL0Ex@\texttt{?}|bold} &
+\verb$\<exists>$ \\
+\isasymuniqex\index{$HOL0ExU@\isasymuniqex|bold} &
+\ttEXU\index{EXX@\ttEXU|bold}, \ttuniquex\index{$HOL0ExU@\ttuniquex|bold} &
+\verb$\<exists>!$\\
+\indexboldpos{\isasymepsilon}{$HOL0ExSome} &
+\ttindexbold{SOME}, \isa{\at}\index{$HOL2list@\isa{\at}} &
+\verb$\<epsilon>$\\
+\indexboldpos{\isasymcirc}{$HOL1} &
+\ttindexbold{o} &
+\verb$\<circ>$\\
+\indexboldpos{\isasymbar~\isasymbar}{$HOL2arithfun}&
+\ttindexbold{abs}&
+\verb$\<bar> \<bar>$\\
+\indexboldpos{\isasymle}{$HOL2arithrel}&
+\isadxboldpos{<=}{$HOL2arithrel}&
+\verb$\<le>$\\
+\indexboldpos{\isasymtimes}{$Isatype}&
+\ttindexboldpos{*}{$HOL2arithfun} &
+\verb$\<times>$\\
+\indexboldpos{\isasymin}{$HOL3Set0a}&
+\ttindexboldpos{:}{$HOL3Set0b} &
+\verb$\<in>$\\
+\isasymnotin\index{$HOL3Set0c@\isasymnotin|bold} &
+\verb$~:$\index{$HOL3Set0d@\verb$~:$|bold} &
+\verb$\<notin>$\\
+\indexboldpos{\isasymsubseteq}{$HOL3Set0e}&
+\verb$<=$ & \verb$\<subseteq>$\\
+\indexboldpos{\isasymsubset}{$HOL3Set0f}&
+\verb$<$ & \verb$\<subset>$\\
+\indexboldpos{\isasymunion}{$HOL3Set1}&
+\ttindexbold{Un} &
+\verb$\<union>$\\
+\indexboldpos{\isasyminter}{$HOL3Set1}&
+\ttindexbold{Int} &
+\verb$\<inter>$\\
+\isasymUnion\index{$HOL3Set2@\isasymUnion|bold}&
+\ttindexbold{UN}, \ttindexbold{Union} &
+\verb$\<Union>$\\
+\isasymInter\index{$HOL3Set2@\isasymInter|bold}&
+\ttindexbold{INT}, \ttindexbold{Inter} &
+\verb$\<Inter>$\\
+\isactrlsup{\isacharasterisk}\index{$HOL4star@\isactrlsup{\isacharasterisk}|bold}&
+\verb$^*$\index{$HOL4star@\verb$^$\texttt{*}|bold} &
+\verb$\<^sup>*$\\
+\isasyminverse\index{$HOL4inv@\isasyminverse|bold}&
+\verb$^-1$\index{$HOL4inv@\verb$^-1$|bold} &
+\verb$\<inverse>$\\
+\hline
+\end{tabular}
+\end{center}
+\caption{Mathematical Symbols, Their \textsc{ascii}-Equivalents and Internal Names}
+\label{tab:ascii}
+\end{table}\indexbold{ASCII@\textsc{ascii} symbols}
+
+\input{appendix.tex}
+
+\begin{table}[htbp]
+\begin{center}
+\begin{tabular}{@{}|lllllllll|@{}}
+\hline
+\texttt{ALL} &
+\texttt{BIT} &
+\texttt{CHR} &
+\texttt{EX} &
+\texttt{GREATEST} &
+\texttt{INT} &
+\texttt{Int} &
+\texttt{LEAST} &
+\texttt{O} \\
+\texttt{OFCLASS} &
+\texttt{PI} &
+\texttt{PROP} &
+\texttt{SIGMA} &
+\texttt{SOME} &
+\texttt{THE} &
+\texttt{TYPE} &
+\texttt{UN} &
+\texttt{Un} \\
+\texttt{WRT} &
+\texttt{case} &
+\texttt{choose} &
+\texttt{div} &
+\texttt{dvd} &
+\texttt{else} &
+\texttt{funcset} &
+\texttt{if} &
+\texttt{in} \\
+\texttt{let} &
+\texttt{mem} &
+\texttt{mod} &
+\texttt{o} &
+\texttt{of} &
+\texttt{op} &
+\texttt{then} &&\\
+\hline
+\end{tabular}
+\end{center}
+\caption{Reserved Words in HOL Terms}
+\label{tab:ReservedWords}
+\end{table}
+
+
+%\begin{table}[htbp]
+%\begin{center}
+%\begin{tabular}{|lllll|}
+%\hline
+%\texttt{and} &
+%\texttt{binder} &
+%\texttt{concl} &
+%\texttt{congs} \\
+%\texttt{distinct} &
+%\texttt{files} &
+%\texttt{in} &
+%\texttt{induction} &
+%\texttt{infixl} \\
+%\texttt{infixr} &
+%\texttt{inject} &
+%\texttt{intrs} &
+%\texttt{is} &
+%\texttt{monos} \\
+%\texttt{output} &
+%\texttt{where} &
+% &
+% &
+% \\
+%\hline
+%\end{tabular}
+%\end{center}
+%\caption{Minor Keywords in HOL Theories}
+%\label{tab:keywords}
+%\end{table}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/basics.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,350 @@
+\chapter{The Basics}
+
+\section{Introduction}
+
+This book is a tutorial on how to use the theorem prover Isabelle/HOL as a
+specification and verification system. Isabelle is a generic system for
+implementing logical formalisms, and Isabelle/HOL is the specialization
+of Isabelle for HOL, which abbreviates Higher-Order Logic. We introduce
+HOL step by step following the equation
+\[ \mbox{HOL} = \mbox{Functional Programming} + \mbox{Logic}. \]
+We do not assume that you are familiar with mathematical logic.
+However, we do assume that
+you are used to logical and set theoretic notation, as covered
+in a good discrete mathematics course~\cite{Rosen-DMA}, and
+that you are familiar with the basic concepts of functional
+programming~\cite{Bird-Haskell,Hudak-Haskell,paulson-ml2,Thompson-Haskell}.
+Although this tutorial initially concentrates on functional programming, do
+not be misled: HOL can express most mathematical concepts, and functional
+programming is just one particularly simple and ubiquitous instance.
+
+Isabelle~\cite{paulson-isa-book} is implemented in ML~\cite{SML}. This has
+influenced some of Isabelle/HOL's concrete syntax but is otherwise irrelevant
+for us: this tutorial is based on
+Isabelle/Isar~\cite{isabelle-isar-ref}, an extension of Isabelle which hides
+the implementation language almost completely. Thus the full name of the
+system should be Isabelle/Isar/HOL, but that is a bit of a mouthful.
+
+There are other implementations of HOL, in particular the one by Mike Gordon
+\index{Gordon, Mike}%
+\emph{et al.}, which is usually referred to as ``the HOL system''
+\cite{mgordon-hol}. For us, HOL refers to the logical system, and sometimes
+its incarnation Isabelle/HOL\@.
+
+A tutorial is by definition incomplete. Currently the tutorial only
+introduces the rudiments of Isar's proof language. To fully exploit the power
+of Isar, in particular the ability to write readable and structured proofs,
+you should start with Nipkow's overview~\cite{Nipkow-TYPES02} and consult
+the Isabelle/Isar Reference Manual~\cite{isabelle-isar-ref} and Wenzel's
+PhD thesis~\cite{Wenzel-PhD} (which discusses many proof patterns)
+for further details. If you want to use Isabelle's ML level
+directly (for example for writing your own proof procedures) see the Isabelle
+Reference Manual~\cite{isabelle-ref}; for details relating to HOL see the
+Isabelle/HOL manual~\cite{isabelle-HOL}. All manuals have a comprehensive
+index.
+
+\section{Theories}
+\label{sec:Basic:Theories}
+
+\index{theories|(}%
+Working with Isabelle means creating theories. Roughly speaking, a
+\textbf{theory} is a named collection of types, functions, and theorems,
+much like a module in a programming language or a specification in a
+specification language. In fact, theories in HOL can be either. The general
+format of a theory \texttt{T} is
+\begin{ttbox}
+theory T
+imports B\(@1\) \(\ldots\) B\(@n\)
+begin
+{\rmfamily\textit{declarations, definitions, and proofs}}
+end
+\end{ttbox}\cmmdx{theory}\cmmdx{imports}
+where \texttt{B}$@1$ \dots\ \texttt{B}$@n$ are the names of existing
+theories that \texttt{T} is based on and \textit{declarations,
+ definitions, and proofs} represents the newly introduced concepts
+(types, functions etc.) and proofs about them. The \texttt{B}$@i$ are the
+direct \textbf{parent theories}\indexbold{parent theories} of~\texttt{T}\@.
+Everything defined in the parent theories (and their parents, recursively) is
+automatically visible. To avoid name clashes, identifiers can be
+\textbf{qualified}\indexbold{identifiers!qualified}
+by theory names as in \texttt{T.f} and~\texttt{B.f}.
+Each theory \texttt{T} must
+reside in a \textbf{theory file}\index{theory files} named \texttt{T.thy}.
+
+This tutorial is concerned with introducing you to the different linguistic
+constructs that can fill the \textit{declarations, definitions, and
+ proofs} above. A complete grammar of the basic
+constructs is found in the Isabelle/Isar Reference
+Manual~\cite{isabelle-isar-ref}.
+
+\begin{warn}
+ HOL contains a theory \thydx{Main}, the union of all the basic
+ predefined theories like arithmetic, lists, sets, etc.
+ Unless you know what you are doing, always include \isa{Main}
+ as a direct or indirect parent of all your theories.
+\end{warn}
+HOL's theory collection is available online at
+\begin{center}\small
+ \url{http://isabelle.in.tum.de/library/HOL/}
+\end{center}
+and is recommended browsing. In subdirectory \texttt{Library} you find
+a growing library of useful theories that are not part of \isa{Main}
+but can be included among the parents of a theory and will then be
+loaded automatically.
+
+For the more adventurous, there is the \emph{Archive of Formal Proofs},
+a journal-like collection of more advanced Isabelle theories:
+\begin{center}\small
+ \url{http://afp.sourceforge.net/}
+\end{center}
+We hope that you will contribute to it yourself one day.%
+\index{theories|)}
+
+
+\section{Types, Terms and Formulae}
+\label{sec:TypesTermsForms}
+
+Embedded in a theory are the types, terms and formulae of HOL\@. HOL is a typed
+logic whose type system resembles that of functional programming languages
+like ML or Haskell. Thus there are
+\index{types|(}
+\begin{description}
+\item[base types,]
+in particular \tydx{bool}, the type of truth values,
+and \tydx{nat}, the type of natural numbers.
+\item[type constructors,]\index{type constructors}
+ in particular \tydx{list}, the type of
+lists, and \tydx{set}, the type of sets. Type constructors are written
+postfix, e.g.\ \isa{(nat)list} is the type of lists whose elements are
+natural numbers. Parentheses around single arguments can be dropped (as in
+\isa{nat list}), multiple arguments are separated by commas (as in
+\isa{(bool,nat)ty}).
+\item[function types,]\index{function types}
+denoted by \isasymFun\indexbold{$IsaFun@\isasymFun}.
+ In HOL \isasymFun\ represents \emph{total} functions only. As is customary,
+ \isa{$\tau@1$ \isasymFun~$\tau@2$ \isasymFun~$\tau@3$} means
+ \isa{$\tau@1$ \isasymFun~($\tau@2$ \isasymFun~$\tau@3$)}. Isabelle also
+ supports the notation \isa{[$\tau@1,\dots,\tau@n$] \isasymFun~$\tau$}
+ which abbreviates \isa{$\tau@1$ \isasymFun~$\cdots$ \isasymFun~$\tau@n$
+ \isasymFun~$\tau$}.
+\item[type variables,]\index{type variables}\index{variables!type}
+ denoted by \ttindexboldpos{'a}{$Isatype}, \isa{'b} etc., just like in ML\@. They give rise
+ to polymorphic types like \isa{'a \isasymFun~'a}, the type of the identity
+ function.
+\end{description}
+\begin{warn}
+ Types are extremely important because they prevent us from writing
+ nonsense. Isabelle insists that all terms and formulae must be
+ well-typed and will print an error message if a type mismatch is
+ encountered. To reduce the amount of explicit type information that
+ needs to be provided by the user, Isabelle infers the type of all
+ variables automatically (this is called \bfindex{type inference})
+ and keeps quiet about it. Occasionally this may lead to
+ misunderstandings between you and the system. If anything strange
+ happens, we recommend that you ask Isabelle to display all type
+ information via the Proof General menu item \pgmenu{Isabelle} $>$
+ \pgmenu{Settings} $>$ \pgmenu{Show Types} (see \S\ref{sec:interface}
+ for details).
+\end{warn}%
+\index{types|)}
+
+
+\index{terms|(}
+\textbf{Terms} are formed as in functional programming by
+applying functions to arguments. If \isa{f} is a function of type
+\isa{$\tau@1$ \isasymFun~$\tau@2$} and \isa{t} is a term of type
+$\tau@1$ then \isa{f~t} is a term of type $\tau@2$. HOL also supports
+infix functions like \isa{+} and some basic constructs from functional
+programming, such as conditional expressions:
+\begin{description}
+\item[\isa{if $b$ then $t@1$ else $t@2$}]\index{*if expressions}
+Here $b$ is of type \isa{bool} and $t@1$ and $t@2$ are of the same type.
+\item[\isa{let $x$ = $t$ in $u$}]\index{*let expressions}
+is equivalent to $u$ where all free occurrences of $x$ have been replaced by
+$t$. For example,
+\isa{let x = 0 in x+x} is equivalent to \isa{0+0}. Multiple bindings are separated
+by semicolons: \isa{let $x@1$ = $t@1$;\dots; $x@n$ = $t@n$ in $u$}.
+\item[\isa{case $e$ of $c@1$ \isasymFun~$e@1$ |~\dots~| $c@n$ \isasymFun~$e@n$}]
+\index{*case expressions}
+evaluates to $e@i$ if $e$ is of the form $c@i$.
+\end{description}
+
+Terms may also contain
+\isasymlambda-abstractions.\index{lambda@$\lambda$ expressions}
+For example,
+\isa{\isasymlambda{}x.~x+1} is the function that takes an argument \isa{x} and
+returns \isa{x+1}. Instead of
+\isa{\isasymlambda{}x.\isasymlambda{}y.\isasymlambda{}z.~$t$} we can write
+\isa{\isasymlambda{}x~y~z.~$t$}.%
+\index{terms|)}
+
+\index{formulae|(}%
+\textbf{Formulae} are terms of type \tydx{bool}.
+There are the basic constants \cdx{True} and \cdx{False} and
+the usual logical connectives (in decreasing order of priority):
+\indexboldpos{\protect\isasymnot}{$HOL0not}, \indexboldpos{\protect\isasymand}{$HOL0and},
+\indexboldpos{\protect\isasymor}{$HOL0or}, and \indexboldpos{\protect\isasymimp}{$HOL0imp},
+all of which (except the unary \isasymnot) associate to the right. In
+particular \isa{A \isasymimp~B \isasymimp~C} means \isa{A \isasymimp~(B
+ \isasymimp~C)} and is thus logically equivalent to \isa{A \isasymand~B
+ \isasymimp~C} (which is \isa{(A \isasymand~B) \isasymimp~C}).
+
+Equality\index{equality} is available in the form of the infix function
+\isa{=} of type \isa{'a \isasymFun~'a
+ \isasymFun~bool}. Thus \isa{$t@1$ = $t@2$} is a formula provided $t@1$
+and $t@2$ are terms of the same type. If $t@1$ and $t@2$ are of type
+\isa{bool} then \isa{=} acts as \rmindex{if-and-only-if}.
+The formula
+\isa{$t@1$~\isasymnoteq~$t@2$} is merely an abbreviation for
+\isa{\isasymnot($t@1$ = $t@2$)}.
+
+Quantifiers\index{quantifiers} are written as
+\isa{\isasymforall{}x.~$P$} and \isa{\isasymexists{}x.~$P$}.
+There is even
+\isa{\isasymuniqex{}x.~$P$}, which
+means that there exists exactly one \isa{x} that satisfies \isa{$P$}.
+Nested quantifications can be abbreviated:
+\isa{\isasymforall{}x~y~z.~$P$} means
+\isa{\isasymforall{}x.\isasymforall{}y.\isasymforall{}z.~$P$}.%
+\index{formulae|)}
+
+Despite type inference, it is sometimes necessary to attach explicit
+\bfindex{type constraints} to a term. The syntax is
+\isa{$t$::$\tau$} as in \isa{x < (y::nat)}. Note that
+\ttindexboldpos{::}{$Isatype} binds weakly and should therefore be enclosed
+in parentheses. For instance,
+\isa{x < y::nat} is ill-typed because it is interpreted as
+\isa{(x < y)::nat}. Type constraints may be needed to disambiguate
+expressions
+involving overloaded functions such as~\isa{+},
+\isa{*} and~\isa{<}. Section~\ref{sec:overloading}
+discusses overloading, while Table~\ref{tab:overloading} presents the most
+important overloaded function symbols.
+
+In general, HOL's concrete \rmindex{syntax} tries to follow the conventions of
+functional programming and mathematics. Here are the main rules that you
+should be familiar with to avoid certain syntactic traps:
+\begin{itemize}
+\item
+Remember that \isa{f t u} means \isa{(f t) u} and not \isa{f(t u)}!
+\item
+Isabelle allows infix functions like \isa{+}. The prefix form of function
+application binds more strongly than anything else and hence \isa{f~x + y}
+means \isa{(f~x)~+~y} and not \isa{f(x+y)}.
+\item Remember that in HOL if-and-only-if is expressed using equality. But
+ equality has a high priority, as befitting a relation, while if-and-only-if
+ typically has the lowest priority. Thus, \isa{\isasymnot~\isasymnot~P =
+ P} means \isa{\isasymnot\isasymnot(P = P)} and not
+ \isa{(\isasymnot\isasymnot P) = P}. When using \isa{=} to mean
+ logical equivalence, enclose both operands in parentheses, as in \isa{(A
+ \isasymand~B) = (B \isasymand~A)}.
+\item
+Constructs with an opening but without a closing delimiter bind very weakly
+and should therefore be enclosed in parentheses if they appear in subterms, as
+in \isa{(\isasymlambda{}x.~x) = f}. This includes
+\isa{if},\index{*if expressions}
+\isa{let},\index{*let expressions}
+\isa{case},\index{*case expressions}
+\isa{\isasymlambda}, and quantifiers.
+\item
+Never write \isa{\isasymlambda{}x.x} or \isa{\isasymforall{}x.x=x}
+because \isa{x.x} is always taken as a single qualified identifier. Write
+\isa{\isasymlambda{}x.~x} and \isa{\isasymforall{}x.~x=x} instead.
+\item Identifiers\indexbold{identifiers} may contain the characters \isa{_}
+and~\isa{'}, except at the beginning.
+\end{itemize}
+
+For the sake of readability, we use the usual mathematical symbols throughout
+the tutorial. Their \textsc{ascii}-equivalents are shown in table~\ref{tab:ascii} in
+the appendix.
+
+\begin{warn}
+A particular problem for novices can be the priority of operators. If
+you are unsure, use additional parentheses. In those cases where
+Isabelle echoes your input, you can see which parentheses are dropped
+--- they were superfluous. If you are unsure how to interpret
+Isabelle's output because you don't know where the (dropped)
+parentheses go, set the Proof General flag \pgmenu{Isabelle} $>$
+\pgmenu{Settings} $>$ \pgmenu{Show Brackets} (see \S\ref{sec:interface}).
+\end{warn}
+
+
+\section{Variables}
+\label{sec:variables}
+\index{variables|(}
+
+Isabelle distinguishes free and bound variables, as is customary. Bound
+variables are automatically renamed to avoid clashes with free variables. In
+addition, Isabelle has a third kind of variable, called a \textbf{schematic
+ variable}\index{variables!schematic} or \textbf{unknown}\index{unknowns},
+which must have a~\isa{?} as its first character.
+Logically, an unknown is a free variable. But it may be
+instantiated by another term during the proof process. For example, the
+mathematical theorem $x = x$ is represented in Isabelle as \isa{?x = ?x},
+which means that Isabelle can instantiate it arbitrarily. This is in contrast
+to ordinary variables, which remain fixed. The programming language Prolog
+calls unknowns {\em logical\/} variables.
+
+Most of the time you can and should ignore unknowns and work with ordinary
+variables. Just don't be surprised that after you have finished the proof of
+a theorem, Isabelle will turn your free variables into unknowns. It
+indicates that Isabelle will automatically instantiate those unknowns
+suitably when the theorem is used in some other proof.
+Note that for readability we often drop the \isa{?}s when displaying a theorem.
+\begin{warn}
+ For historical reasons, Isabelle accepts \isa{?} as an ASCII representation
+ of the \(\exists\) symbol. However, the \isa{?} character must then be followed
+ by a space, as in \isa{?~x. f(x) = 0}. Otherwise, \isa{?x} is
+ interpreted as a schematic variable. The preferred ASCII representation of
+ the \(\exists\) symbol is \isa{EX}\@.
+\end{warn}%
+\index{variables|)}
+
+\section{Interaction and Interfaces}
+\label{sec:interface}
+
+The recommended interface for Isabelle/Isar is the (X)Emacs-based
+\bfindex{Proof General}~\cite{proofgeneral,Aspinall:TACAS:2000}.
+Interaction with Isabelle at the shell level, although possible,
+should be avoided. Most of the tutorial is independent of the
+interface and is phrased in a neutral language. For example, the
+phrase ``to abandon a proof'' corresponds to the obvious
+action of clicking on the \pgmenu{Undo} symbol in Proof General.
+Proof General specific information is often displayed in paragraphs
+identified by a miniature Proof General icon. Here are two examples:
+\begin{pgnote}
+Proof General supports a special font with mathematical symbols known
+as ``x-symbols''. All symbols have \textsc{ascii}-equivalents: for
+example, you can enter either \verb!&! or \verb!\<and>! to obtain
+$\land$. For a list of the most frequent symbols see table~\ref{tab:ascii}
+in the appendix.
+
+Note that by default x-symbols are not enabled. You have to switch
+them on via the menu item \pgmenu{Proof-General} $>$ \pgmenu{Options} $>$
+\pgmenu{X-Symbols} (and save the option via the top-level
+\pgmenu{Options} menu).
+\end{pgnote}
+
+\begin{pgnote}
+Proof General offers the \pgmenu{Isabelle} menu for displaying
+information and setting flags. A particularly useful flag is
+\pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$ \pgdx{Show Types} which
+causes Isabelle to output the type information that is usually
+suppressed. This is indispensible in case of errors of all kinds
+because often the types reveal the source of the problem. Once you
+have diagnosed the problem you may no longer want to see the types
+because they clutter all output. Simply reset the flag.
+\end{pgnote}
+
+\section{Getting Started}
+
+Assuming you have installed Isabelle and Proof General, you start it by typing
+\texttt{Isabelle} in a shell window. This launches a Proof General window.
+By default, you are in HOL\footnote{This is controlled by the
+\texttt{ISABELLE_LOGIC} setting, see \emph{The Isabelle System Manual}
+for more details.}.
+
+\begin{pgnote}
+You can choose a different logic via the \pgmenu{Isabelle} $>$
+\pgmenu{Logics} menu.
+\end{pgnote}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_hol.pdf "HOL"
+"$ISABELLE_TOOL" logo -o isabelle_hol.eps "HOL"
+
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+
+cp "$ISABELLE_HOME/src/Doc/Tutorial/ToyList/ToyList1" .
+cp "$ISABELLE_HOME/src/Doc/Tutorial/ToyList/ToyList2" .
+
+"$ISABELLE_TOOL" latex -o sty
+cp "$ISABELLE_HOME/src/Doc/pdfsetup.sty" .
+
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o bbl
+./isa-index root
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+[ -f root.out ] && "$ISABELLE_HOME/src/Doc/fixbookmarks" root.out
+"$ISABELLE_TOOL" latex -o "$FORMAT"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/cl2emono-modified.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1371 @@
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%% This is cl2emono.sty version 2.2
+%% (intermediate fix also for springer.sty for the use of
+%% LaTeX2e and NFSS2)
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is ucgreek
+% the definition of versal greek characters
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\mathchardef\Gamma="0100
+\mathchardef\Delta="0101
+\mathchardef\Theta="0102
+\mathchardef\Lambda="0103
+\mathchardef\Xi="0104
+\mathchardef\Pi="0105
+\mathchardef\Sigma="0106
+\mathchardef\Upsilon="0107
+\mathchardef\Phi="0108
+\mathchardef\Psi="0109
+\mathchardef\Omega="010A
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is referee.tex
+%
+% It defines the style option "referee"
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newif\if@referee \@refereefalse
+\def\ds@referee{\@refereetrue
+\typeout{A referee's copy will be produced.}%
+\def\baselinestretch{2}\small
+\normalsize\rm
+\newbox\refereebox
+\setbox\refereebox=\vbox to0pt{\vskip0.5cm%
+ \hbox to\textwidth{\normalsize\tt\hrulefill\lower0.5ex
+ \hbox{\kern5pt referee's copy\kern5pt}\hrulefill}\vss}%
+\def\@oddfoot{\copy\refereebox}\let\@evenfoot=\@oddfoot}
+% This is footinfo.tex
+% it provides an informatory line on every page
+%
+\def\SpringerMacroPackageNameA{\springerstylefile}
+% \thetime, \thedate and \timstamp are macros to include
+% time, date (or both) of the TeX run in the document
+\def\maketimestamp{\count255=\time
+\divide\count255 by 60\relax
+\edef\thetime{\the\count255:}%
+\multiply\count255 by-60\relax
+\advance\count255 by\time
+\edef\thetime{\thetime\ifnum\count255<10 0\fi\the\count255}
+\edef\thedate{\number\day-\ifcase\month\or Jan\or Feb\or Mar\or
+ Apr\or May\or Jun\or Jul\or Aug\or Sep\or Oct\or
+ Nov\or Dec\fi-\number\year}
+\def\timstamp{\hbox to\hsize{\tt\hfil\thedate\hfil\thetime\hfil}}}
+\maketimestamp
+%
+% \footinfo generates a info footline on every page containing
+% pagenumber, jobname, macroname, and timestamp
+\def\ds@footinfo{\maketimestamp
+ \def\@oddfoot{\footnotesize\tt Page: \thepage\hfil job: \jobname\hfil
+ macro: \SpringerMacroPackageNameA\hfil
+ date/time: \thedate/\thetime}%
+ \let\@evenfoot=\@oddfoot}
+\def\footinfo{\maketimestamp
+ \ds@footinfo
+ \typeout{You ordered a foot-info line. }}
+\def\nofootinfo{%
+ \def\@oddfoot{}\def\@evenfoot{}%
+ \typeout{Foot-info has been disabled. }}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is vector.tex
+%
+% It redefines the plain TeX \vec command
+% and adds a \tens command for tensors
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% ##### (changed by RB)
+\def\vec@style{\relax} % hook to change style of vector
+ % default yields boldface italic
+% \def\vec@style{\bf} % hook to change style of vector
+% % default yields mathstyle i.e. boldface upright
+
+\def\vec#1{\relax\ifmmode\mathchoice
+{\mbox{\boldmath$\vec@style\displaystyle#1$}}
+{\mbox{\boldmath$\vec@style\textstyle#1$}}
+{\mbox{\boldmath$\vec@style\scriptstyle#1$}}
+{\mbox{\boldmath$\vec@style\scriptscriptstyle#1$}}\else
+\hbox{\boldmath$\vec@style\textstyle#1$}\fi}
+
+\def\tens#1{\relax\ifmmode\mathchoice{\mbox{$\sf\displaystyle#1$}}
+{\mbox{$\sf\textstyle#1$}}
+{\mbox{$\sf\scriptstyle#1$}}
+{\mbox{$\sf\scriptscriptstyle#1$}}\else
+\hbox{$\sf\textstyle#1$}\fi}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is vecstyle.tex
+%
+% It enables documentstyle options vecmath and vecphys
+% to change the vectors to upright bold face or
+% to math italic bold respectively
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\ds@vecmath{\def\vec@style{\bf}\typeout{Vectors are now represented
+in mathematics style as boldface upright characters.}}
+\def\ds@vecphys{\let\vec@style\relax\typeout{Vectors are now represented
+in physics style as boldface italics.}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is defaults.tex
+%
+% It sets the switches for twoside printing, numbering
+% of equations and kind of citation.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\@twosidetrue % twoside is default
+\newif\if@bibay \@bibayfalse % citation with numbers
+ % is default
+\newif\if@numart \@numartfalse % numbering with chapternumbers
+ % is default
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is misc.xxx
+%
+% It defines various commands not available in "plain LaTeX"
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newcommand{\ts}{\thinspace{}}
+\newcommand{\sq}{\hbox{\rlap{$\sqcap$}$\sqcup$}}
+\newcommand{\qed}{\ifmmode\sq\else{\unskip\nobreak\hfil
+ \penalty50\hskip1em\null\nobreak\hfil\sq
+ \parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi{}}
+\def\D{{\rm d}}
+\def\E{{\rm e}}
+\let\eul=\E
+\def\I{{\rm i}}
+\let\imag=\I
+\def\strich{\vskip0.5cm\hrule\vskip3ptplus12pt\null}
+
+% Frame for paste-in figures or tables
+%\def\mpicplace#1#2{%#1 = width #2 = height
+%\vbox{\@tempdima=#2\advance\@tempdima by-2\fboxrule
+%\hrule\@height \fboxrule\@width #1
+%\hbox to #1{\vrule\@width \fboxrule\@height\@tempdima\hfil
+%\vrule\@width \fboxrule\@height\@tempdima}\hrule\@height
+%\fboxrule\@width #1}}
+
+% #####
+% Frame for paste-in figures or tables
+\def\mpicplace#1#2{% #1 =width #2 =height
+\vbox{\hbox to #1{\vrule width \fboxrule height #2\hfill}}}
+
+\def\picplace#1{\mpicplace{\hsize}{#1}}
+% Ragged bottom for the actual page
+\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil
+\global\let\@textbottom\relax}}
+\flushbottom
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is layout.m01
+%
+% It defines various sizes and settings for books
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\topmargin=0cm
+\textwidth=11.7cm
+\textheight=18.9cm
+\oddsidemargin=0.7cm
+\evensidemargin=0.7cm
+\headsep=12pt
+
+\baselineskip=12pt
+\parindent=15pt
+\parskip=0pt plus 1pt
+\hfuzz=2pt
+\frenchspacing
+
+\tolerance=500
+
+\abovedisplayskip=3mm plus6pt minus 4pt
+\belowdisplayskip=3mm plus6pt minus 4pt
+\abovedisplayshortskip=0mm plus6pt minus 2pt
+\belowdisplayshortskip=2mm plus4pt minus 4pt
+
+\predisplaypenalty=0
+\clubpenalty=10000
+\widowpenalty=10000
+
+\newdimen\betweenumberspace % dimension for space between
+\betweenumberspace=5pt % number and text of titles.
+\newdimen\headlineindent % dimension for space between
+\headlineindent=2.5cc % number and text of headings.
+
+\intextsep 20pt plus 2pt minus 2pt
+
+\setcounter{topnumber}{4}
+\def\topfraction{.9}
+\setcounter{bottomnumber}{2}
+\def\bottomfraction{.5}
+\setcounter{totalnumber}{6}
+\def\textfraction{.2}
+\def\floatpagefraction{.5}
+
+% Figures and tables are processed in small print
+\def \@floatboxreset {%
+ \reset@font
+ \small
+ \@setnobreak
+ \@setminipage
+}
+\def\figure{\@float{figure}}
+\@namedef{figure*}{\@dblfloat{figure}}
+\def\table{\@float{table}}
+\@namedef{table*}{\@dblfloat{table}}
+\def\fps@figure{htbp}
+\def\fps@table{htbp}
+
+\labelsep=5\p@ % measures for lists
+\leftmargini=17.777\p@
+\labelwidth\leftmargini\advance\labelwidth-\labelsep
+\leftmarginii=\leftmargini
+\leftmarginiii=\leftmargini
+\parsep=\parskip
+
+\def\@listI{\leftmargin\leftmargini
+ \parsep=\parskip
+ \topsep=\medskipamount
+ \itemsep=\parskip \advance\itemsep by -\parsep}
+\let\@listi\@listI
+\@listi
+
+\def\@listii{\leftmargin\leftmarginii
+ \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip \advance\itemsep by -\parsep}
+\def\@listiii{\leftmargin\leftmarginiii
+ \labelwidth\leftmarginiii\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip \advance\itemsep by -\parsep}
+%
+\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
+\abovedisplayskip=3mm plus6pt minus 4pt
+\belowdisplayskip=3mm plus6pt minus 4pt
+\abovedisplayshortskip=0mm plus6pt minus 2pt
+\belowdisplayshortskip=2mm plus4pt minus 4pt
+\let\@listi\@listI} % Setting of \@listi added 9 Jun 87
+%
+\def\small{\@setsize\small{10pt}\ixpt\@ixpt
+\abovedisplayskip 8.5\p@ plus3\p@ minus4\p@
+\belowdisplayskip \abovedisplayskip
+\abovedisplayshortskip \z@ plus2\p@
+\belowdisplayshortskip 4\p@ plus2\p@ minus2\p@
+\def\@listi{\leftmargin\leftmargini
+\topsep 4pt plus 2pt minus 2pt\parsep\parskip
+\itemsep\parskip}}
+%
+\def\itemize{\ifnum \@itemdepth >3 \@toodeep\else \advance\@itemdepth \@ne
+\ifnum \@itemdepth=1 \leftmargini=10\p@
+\labelwidth\leftmargini\advance\labelwidth-\labelsep
+\leftmarginii=\leftmargini \leftmarginiii=\leftmargini \fi
+\edef\@itemitem{labelitem\romannumeral\the\@itemdepth}%
+\list{\csname\@itemitem\endcsname}{\def\makelabel##1{\rlap{##1}\hss}}\fi}
+%
+\newdimen\verbatimindent \verbatimindent\parindent
+\def\verbatim{\advance\@totalleftmargin by\verbatimindent
+\@verbatim \frenchspacing\@vobeyspaces \@xverbatim}
+%
+\let\footnotesize=\small
+%
+\def\petit{\par\addvspace{6pt}\small}
+\def\endpetit{\par\addvspace{6pt}}
+%
+\raggedbottom
+\normalsize % Choose the normalsize font.
+% This is texte.tex
+% it defines various texts and their translations
+% called up with documentstyle options
+\def\abstractname{Summary.}
+\def\ackname{Acknowledgement.}
+\def\andname{and}
+\def\lastandname{, and}
+\def\appendixname{Appendix}
+\def\chaptername{Chapter}
+\def\claimname{Claim}
+\def\conjecturename{Conjecture}
+\def\contentsname{Table of Contents}
+\def\corollaryname{Corollary}
+\def\definitionname{Definition}
+\def\examplename{Example}
+\def\exercisename{Exercise}
+\def\figurename{Fig.}
+\def\keywordname{{\bf Key words:}}
+\def\indexname{Index}
+\def\lemmaname{Lemma}
+\def\contriblistname{List of Contributors}
+\def\listfigurename{List of Figures}
+\def\listtablename{List of Tables}
+\def\mailname{{\it Correspondence to\/}:}
+\def\noteaddname{Note added in proof}
+\def\notename{Note}
+\def\partname{Part}
+\def\problemname{Problem}
+\def\proofname{Proof}
+\def\propertyname{Property}
+\def\propositionname{Proposition}
+\def\questionname{Question}
+\def\remarkname{Remark}
+\def\seename{see}
+\def\solutionname{Solution}
+\def\subclassname{{\it Subject Classifications\/}:}
+\def\tablename{Table}
+\def\theoremname{Theorem}
+% Names of theorem like environments are already defined
+% but must be translated if another language is chosen
+%
+% French section
+\def\ds@francais{\typeout{On parle francais.}%
+ \def\abstractname{R\'esum\'e.}%
+ \def\ackname{Remerciements.}%
+ \def\andname{et}%
+ \def\lastandname{ et}%
+ \def\appendixname{Appendice}
+ \def\chaptername{Chapitre}%
+ \def\claimname{Pr\'etention}%
+ \def\conjecturename{Hypoth\`ese}%
+ \def\contentsname{Table des mati\`eres}%
+ \def\corollaryname{Corollaire}%
+ \def\definitionname{D\'efinition}%
+ \def\examplename{Exemple}%
+ \def\exercisename{Exercice}%
+ \def\figurename{Fig.}%
+ \def\keywordname{{\bf Mots-cl\'e:}}
+ \def\indexname{Index}
+ \def\lemmaname{Lemme}%
+ \def\contriblistname{Liste des contributeurs}
+ \def\listfigurename{Liste des figures}%
+ \def\listtablename{Liste des tables}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Note ajout\'ee \`a l'\'epreuve}%
+ \def\notename{Remarque}%
+ \def\partname{Partie}%
+ \def\problemname{Probl\`eme}%
+ \def\proofname{\'Epreuve}%
+ \def\propertyname{Caract\'eristique}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Question}%
+ \def\remarkname{Remarque}%
+ \def\seename{voir}
+ \def\solutionname{Solution}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tableau}%
+ \def\theoremname{Th\'eor\`eme}%
+}
+%
+% German section
+\def\ds@deutsch{\typeout{Man spricht deutsch.}%
+ \def\abstractname{Zusammenfassung.}%
+ \def\ackname{Danksagung.}%
+ \def\andname{und}%
+ \def\lastandname{ und}%
+ \def\appendixname{Anhang}%
+ \def\chaptername{Kapitel}%
+ \def\claimname{Behauptung}%
+ \def\conjecturename{Hypothese}%
+ \def\contentsname{Inhaltsverzeichnis}%
+ \def\corollaryname{Korollar}%
+%\def\definitionname{Definition}%
+ \def\examplename{Beispiel}%
+ \def\exercisename{\"Ubung}%
+ \def\figurename{Abb.}%
+ \def\keywordname{{\bf Schl\"usselw\"orter:}}
+ \def\indexname{Index}
+%\def\lemmaname{Lemma}%
+ \def\contriblistname{Mitarbeiter}
+ \def\listfigurename{Abbildungsverzeichnis}%
+ \def\listtablename{Tabellenverzeichnis}%
+ \def\mailname{{\it Correspondence to\/}:}
+ \def\noteaddname{Nachtrag}%
+ \def\notename{Anmerkung}%
+ \def\partname{Teil}%
+%\def\problemname{Problem}%
+ \def\proofname{Beweis}%
+ \def\propertyname{Eigenschaft}%
+%\def\propositionname{Proposition}%
+ \def\questionname{Frage}%
+ \def\remarkname{Anmerkung}%
+ \def\seename{siehe}
+ \def\solutionname{L\"osung}%
+ \def\subclassname{{\it Subject Classifications\/}:}
+ \def\tablename{Tabelle}%
+%\def\theoremname{Theorem}%
+}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is titneu.xxx
+%
+% It redefines titles. Usage is like Lamport described.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\setcounter{secnumdepth}{2} % depth of the highest-level
+ % sectioning command
+\newcounter{chapter} % to use chapter together with
+\@addtoreset{section}{chapter} % article.sty
+\@addtoreset{footnote}{chapter}
+
+\def\thechapter{\arabic{chapter}} % how titles will be typeset
+\def\thesection{\thechapter.\arabic{section}}
+\def\thesubsection{\thesection.\arabic{subsection}}
+\def\thesubsubsection{\thesubsection.\arabic{subsubsection}}
+\def\theparagraph{\thesubsubsection.\arabic{paragraph}}
+\def\thesubparagraph{\theparagraph.\arabic{subparagraph}}
+\def\chaptermark#1{}
+\def\sec@hangfrom#1{\setbox\@tempboxa\hbox{#1}%
+ \hangindent \z@\noindent\box\@tempboxa}
+
+% definition of chapter
+
+\def\@chapapp{\chaptername}
+
+\def\@makechapterhead#1{{\parindent0pt\raggedright
+ \hyphenpenalty \@M
+ \Large\bf\boldmath
+ \sec@hangfrom{\thechapter\thechapterend\hskip\betweenumberspace}%!!!
+ \ignorespaces#1\par
+ \ifdim\pagetotal>118pt
+ \vskip 24pt
+ \else
+ \@tempdima=118pt\advance\@tempdima by-\pagetotal
+ \vskip\@tempdima
+ \fi}}
+
+\def\@makeschapterhead#1{{\parindent0pt\raggedright
+ \hyphenpenalty \@M
+ \Large\bf\boldmath
+ \ignorespaces#1\par
+ \ifdim\pagetotal>118pt
+ \vskip 24pt
+ \else
+ \@tempdima=118pt\advance\@tempdima by-\pagetotal
+ \vskip\@tempdima
+ \fi}}
+
+\newcommand{\clearemptydoublepage}{%
+ \newpage{\pagestyle{empty}\cleardoublepage}}
+
+\def\chapter{\clearemptydoublepage\thispagestyle{empty}
+ \global\@topnum\z@\@afterindentfalse
+ \secdef\@chapter\@schapter}
+
+\def\@chapter[#1]#2{\ifnum\c@secnumdepth>\m@ne
+ \refstepcounter{chapter}
+ \typeout{\@chapapp\space\thechapter}
+ \addcontentsline{toc}{chapter}{\protect
+ \numberline{\thechapter\thechapterend}#1}\else %!!!
+ \addcontentsline{toc}{chapter}{#1}
+ \fi
+ \chaptermark{#1}
+ \addtocontents{lof}{\protect\addvspace{10pt}}
+ \addtocontents{lot}{\protect\addvspace{10pt}}
+ \if@twocolumn
+ \@topnewpage[\@makechapterhead{#2}]
+ \else \@makechapterhead{#2}
+ \@afterheading
+ \fi}
+
+\def\@schapter#1{\if@twocolumn\@topnewpage[\@makeschapterhead{#1}]
+ \else \@makeschapterhead{#1}
+ \@afterheading\fi}
+
+% Appendix
+\def\appendix{\par
+ \setcounter{chapter}{0}%
+ \setcounter{section}{0}%
+ \def\@chapapp{\appendixname}%
+ \def\thechapter{\Alph{chapter}}}
+
+% definition of sections
+% \hyphenpenalty and \raggedright added, so that there is no
+% hyphenation and the text is set ragged-right in sectioning
+
+\def\runinsep{.}
+\def\aftertext{\unskip\runinsep}
+
+\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
+ \let\@svsec\@empty\else
+ \refstepcounter{#1}\edef\@svsec{\csname the#1\endcsname
+ \hskip\betweenumberspace
+ \ignorespaces}\fi
+ \@tempskipa #5\relax
+ \ifdim \@tempskipa>\z@
+ \begingroup #6\relax
+ \sec@hangfrom{\hskip #3\relax\@svsec}{%
+ \raggedright
+ \hyphenpenalty \@M
+ \interlinepenalty \@M #8\par}%
+ \endgroup
+ \csname #1mark\endcsname{#7}\addcontentsline
+ {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+ \protect\numberline{\csname the#1\endcsname}\fi
+ #7}\else
+ \def\@svsechd{#6\hskip #3\relax
+ \@svsec #8\aftertext\ignorespaces
+ \csname #1mark\endcsname
+ {#7}\addcontentsline
+ {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+ \protect\numberline{\csname the#1\endcsname}\fi
+ #7}}\fi
+ \@xsect{#5}}
+
+% measures and setting of sections
+
+\def\section{\@startsection{section}{1}{\z@}%
+ {-25pt plus-4pt minus-4pt}{12.5pt plus4pt
+ minus4pt}{\large\bf\boldmath}}
+\def\subsection{\@startsection{subsection}{2}{\z@}%
+ {-17pt plus-4pt minus-4pt}{10pt plus4pt
+ minus4pt}{\normalsize\bf\boldmath}}
+\def\subsubsection{\@startsection{subsubsection}{3}{\z@}%
+ {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\bf\boldmath}}
+\def\paragraph{\@startsection{paragraph}{4}{\z@}%
+ {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
+\def\subparagraph{\@startsection{subparagraph}{5}{\z@}%
+ {-5.388pt plus-4pt minus-4pt}{-5pt}{\normalsize\it}}
+
+% definition of \part
+\def\thepart{\Roman{part}}
+\def\part{\clearemptydoublepage % Starts new page.
+ \thispagestyle{empty} % Page style of part page is empty
+ \if@twocolumn % IF two-column style
+ \onecolumn % THEN \onecolumn
+ \@tempswatrue % @tempswa := true
+ \else \@tempswafalse % ELSE @tempswa := false
+ \fi % FI
+% \hbox{}\vfil % Add fil glue to center title
+%% \bgroup \centering % BEGIN centering %% Removed 19 Jan 88
+ \secdef\@part\@spart}
+
+
+\def\@part[#1]#2{\ifnum \c@secnumdepth >-2\relax % IF secnumdepth > -2
+ \refstepcounter{part} % THEN step part counter
+ \addcontentsline{toc}{part}{\partname\ % add toc line
+ \thepart. #1}\else % ELSE add unnumbered line
+ \addcontentsline{toc}{part}{#1}\fi % FI
+ \markboth{}{}
+ {\raggedleft % added 8.1.92 FUH
+ \ifnum \c@secnumdepth >-2\relax % IF secnumdepth > -2
+ \Large\partname\ \thepart % THEN Print 'Part' and number
+ \par % in \Large
+ \vskip 103.3pt \fi % Add space before title.
+ \bf\boldmath % FI
+ #2\par}\@endpart} % Print Title in \Large bold.
+
+
+% \@endpart finishes the part page
+%
+\def\@endpart{\vfil\newpage % End page with 1fil glue.
+ \if@twoside % IF twoside printing
+ \hbox{} % THEN Produce totally blank page
+ \thispagestyle{empty}
+ \newpage
+ \fi % FI
+ \if@tempswa % IF @tempswa = true
+ \twocolumn % THEN \twocolumn
+ \fi} % FI
+
+\def\@spart#1{{\raggedleft % added 8 Jan 92 FUH
+ \Large\bf\boldmath % Print title in \Large-boldface
+ #1\par}\@endpart}
+
+\def\subtitle#1{\gdef\@subtitle{#1}}
+\def\@subtitle{}
+
+\def\maketitle{\par
+ \begingroup
+ \def\thefootnote{\fnsymbol{footnote}}%
+ \def\@makefnmark{\hbox
+ to\z@{$\m@th^{\@thefnmark}$\hss}}%
+ \if@twocolumn
+ \twocolumn[\@maketitle]%
+ \else \newpage
+ \global\@topnum\z@ % Prevents figures from going at top of page.
+ \@maketitle \fi\thispagestyle{empty}\@thanks
+ \par\penalty -\@M
+ \endgroup
+ \setcounter{footnote}{0}%
+ \let\maketitle\relax
+ \let\@maketitle\relax
+ \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax}
+
+\def\@maketitle{\newpage
+ \null
+ \vskip 2em % Vertical space above title.
+\begingroup
+ \def\and{\unskip, }
+ \parindent=\z@
+ \pretolerance=10000
+ \rightskip=0pt plus 3cm
+ {\LARGE % each author set in \LARGE
+ \lineskip .5em
+ \@author
+ \par}%
+ \vskip 2cm % Vertical space after author.
+ {\Huge \@title \par}% % Title set in \Huge size.
+ \vskip 1cm % Vertical space after title.
+ \if!\@subtitle!\else
+ {\LARGE\ignorespaces\@subtitle \par}
+ \vskip 1cm % Vertical space after subtitle.
+ \fi
+ \if!\@date!\else
+ {\large \@date}% % Date set in \large size.
+ \par
+ \vskip 1.5em % Vertical space after date.
+ \fi
+ \vfill
+ {\Large Springer-\kern-0.1em Verlag\par}
+ \vskip 5pt
+ \large
+ Berlin\enspace Heidelberg\enspace New\kern0.1em York\\
+ London\enspace Paris\enspace Tokyo\\
+ Hong\thinspace Kong\enspace Barcelona\\
+ Budapest\par
+\endgroup}
+
+\def\abstract{\if@twocolumn
+\section*{\abstractname}%
+\else \small
+\begin{center}%
+{\bf \abstractname\vspace{-.5em}\vspace{\z@}}%
+\end{center}%
+\quotation
+\fi}
+
+\def\endabstract{\if@twocolumn\else\endquotation\fi}
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is toc.xxx
+%
+% it modifies the appearence of the table of contents
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\tableofcontents{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\contentsname \@mkboth{{\contentsname}}{{\contentsname}}}
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+
+\setcounter{tocdepth}{2}
+
+\def\l@part#1#2{\addpenalty{\@secpenalty}%
+ \addvspace{2em plus\p@}% % space above part line
+ \begingroup
+ \parindent \z@
+ \rightskip \z@ plus 5em
+ \hrule\vskip5pt
+ \bf\boldmath % set line in boldface
+ \leavevmode % TeX command to enter horizontal mode.
+ #1\par
+ \vskip5pt
+ \hrule
+ \vskip1pt
+ \nobreak % Never break after part entry
+ \endgroup}
+
+\def\@dotsep{2}
+
+\def\l@chapter#1#2{\addpenalty{-\@highpenalty}
+ \vskip 1.0em plus 1pt \@tempdima \tocchpnum \begingroup
+ \parindent \z@ \rightskip \@pnumwidth
+ \parfillskip -\@pnumwidth
+ \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip
+ {\bf\boldmath#1}\nobreak
+ \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern
+ \@dotsep mu$}\hfill
+ \nobreak\hbox to\@pnumwidth{\hss #2}\par
+ \penalty\@highpenalty \endgroup}
+
+\newdimen\tocchpnum
+\newdimen\tocsecnum
+\newdimen\tocsectotal
+\newdimen\tocsubsecnum
+\newdimen\tocsubsectotal
+\newdimen\tocsubsubsecnum
+\newdimen\tocsubsubsectotal
+\newdimen\tocparanum
+\newdimen\tocparatotal
+\newdimen\tocsubparanum
+\tocchpnum=20\p@ % chapter {\bf 88.} plus 5.3pt
+\tocsecnum=22.5\p@ % section 88.8. plus 4.722pt
+\tocsubsecnum=30.5\p@ % subsection 88.8.8 plus 4.944pt
+\tocsubsubsecnum=38\p@ % subsubsection 88.8.8.8 plus 4.666pt
+\tocparanum=45\p@ % paragraph 88.8.8.8.8 plus 3.888pt
+\tocsubparanum=53\p@ % subparagraph 88.8.8.8.8.8 plus 4.11pt
+\def\calctocindent{%
+\tocsectotal=\tocchpnum
+\advance\tocsectotal by\tocsecnum
+\tocsubsectotal=\tocsectotal
+\advance\tocsubsectotal by\tocsubsecnum
+\tocsubsubsectotal=\tocsubsectotal
+\advance\tocsubsubsectotal by\tocsubsubsecnum
+\tocparatotal=\tocsubsubsectotal
+\advance\tocparatotal by\tocparanum}
+\calctocindent
+
+\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}}
+\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}}
+\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}}
+\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}}
+\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}}
+
+\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}}
+ \@starttoc{lof}\if@restonecol\twocolumn\fi}
+\def\l@figure{\@dottedtocline{1}{0em}{\tocsecnum}}
+
+\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn
+ \fi\chapter*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}}
+ \@starttoc{lot}\if@restonecol\twocolumn\fi}
+\let\l@table\l@figure
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is runnhead.xxx
+%
+% It redefines the headings of a text. There are two
+% pagestyles possible: "\pagestyle{headings}" and
+% "\pagestyle{myheadings}". "\pagestyle{headings}" is
+% default.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+\@ifundefined{thechapterend}{\def\thechapterend{.}}{}
+\if@twoside
+\def\ps@headings{\let\@mkboth\markboth
+ \def\@oddfoot{}\def\@evenfoot{}
+ \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
+ \leftmark\hfil}
+ \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+ \llap{\thepage}}
+ \def\chaptermark##1{\markboth{{\ifnum\c@secnumdepth>\m@ne
+ \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}{{\ifnum %!!!
+ \c@secnumdepth>\m@ne\thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}%!!!
+ \def\sectionmark##1{\markright{{\ifnum\c@secnumdepth>\z@
+ \thesection\hskip\betweenumberspace\fi ##1}}}}
+\else \def\ps@headings{\let\@mkboth\markboth
+ \def\@oddfoot{}\def\@evenfoot{}
+ \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+ \llap{\thepage}}
+ \def\chaptermark##1{\markright{{\ifnum\c@secnumdepth>\m@ne
+ \thechapter\thechapterend\hskip\betweenumberspace\fi ##1}}}} %!!!
+\fi
+\def\ps@myheadings{\let\@mkboth\@gobbletwo
+ \def\@oddfoot{}\def\@evenfoot{}
+ \def\@evenhead{\small\rm\rlap{\thepage}\hskip\headlineindent
+ \leftmark\hfil}
+ \def\@oddhead{\hfil\small\rm\rightmark\hskip\headlineindent
+ \llap{\thepage}}
+ \def\chaptermark##1{}
+ \def\sectionmark##1{}%
+ \def\subsectionmark##1{}}
+\ps@headings
+
+% Definition of the "\spnewtheorem" command.
+%
+% Usage:
+%
+% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font}
+% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font}
+% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font}
+%
+% New is "cap_font" and "body_font". It stands for
+% fontdefinition of the caption and the text itself.
+%
+% "\spnewtheorem*" gives a theorem without number.
+%
+% A defined spnewthoerem environment is used as described
+% by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\let\if@envcntreset\iffalse % environment counter is reset each chapter
+\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue}
+\let\if@envcntsame\iffalse % NOT all environments like "Theorem",
+ % each using its own counter
+\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue}
+\def\envankh{section} % show \thesection along with theorem number
+\DeclareOption{envcountchap}{\def\envankh{chapter}%
+\ExecuteOptions{envcountsect}}
+\let\if@envcntsect\iftrue % show \csname the\envankh\endcsname along
+ % with environment number
+\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue}
+\ProcessOptions
+
+\def\@thmcountersep{.}
+\def\@thmcounterend{.}
+
+\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}}
+
+% definition of \spnewtheorem with number
+
+\def\@spnthm#1#2{%
+ \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}}
+\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}}
+
+\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}\@addtoreset{#1}{#3}%
+ \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand
+ \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}%
+ \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@spothm#1[#2]#3#4#5{%
+ \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}%
+ {\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{the#1}{\@nameuse{the#2}}%
+ \expandafter\xdef\csname #1name\endcsname{#3}%
+ \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}%
+ \global\@namedef{end#1}{\@endtheorem}}}}
+
+\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\refstepcounter{#1}%
+\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}}
+
+\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}%
+ \ignorespaces}
+
+\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname
+ the#1\endcsname}{#5}{#3}{#4}\ignorespaces}
+
+\def\@spbegintheorem#1#2#3#4{\trivlist
+ \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4}
+
+\def\@spopargbegintheorem#1#2#3#4#5{\trivlist
+ \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5}
+
+% definition of \spnewtheorem* without number
+
+\def\@sthm#1#2{\@Ynthm{#1}{#2}}
+
+\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname
+ {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}%
+ \expandafter\xdef\csname #1name\endcsname{#2}%
+ \global\@namedef{end#1}{\@endtheorem}}}
+
+\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@
+\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}}
+
+\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces}
+
+\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1}
+ {#4}{#2}{#3}\ignorespaces}
+
+\def\@Begintheorem#1#2#3{#3\trivlist
+ \item[\hskip\labelsep{#2#1\@thmcounterend}]}
+
+\def\@Opargbegintheorem#1#2#3#4{#4\trivlist
+ \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }}
+
+% initialize theorem environment
+
+\if@envcntsect % show section counter
+ \def\@thmcountersep{.}
+ \spnewtheorem{theorem}{Theorem}[\envankh]{\bfseries}{\itshape}
+\else % theorem counter only
+ \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape}
+ \if@envcntreset
+ \@addtoreset{theorem}{section}
+ \else
+ \@addtoreset{theorem}{chapter}
+ \fi
+\fi
+
+%definition of divers theorem environments
+\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily}
+\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily}
+\if@envcntsame % all environments like "Theorem" - using its counter
+ \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}}
+\else % all environments with their own counter
+ \if@envcntsect % show section counter
+ \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[\envankh]{#3}{#4}}
+ \else % environment counter only
+ \if@envcntreset % environment counter is reset each section
+ \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4}
+ \@addtoreset{#1}{section}}
+ \else
+ \let\spn@wtheorem=\@spynthm
+ \fi
+ \fi
+\fi
+\spn@wtheorem{case}{Case}{\itshape}{\rmfamily}
+\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily}
+\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape}
+\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape}
+\spn@wtheorem{example}{Example}{\itshape}{\rmfamily}
+%%LCP%% \spn@wtheorem{exercise}{Exercise}{\bfseries}{\rmfamily}
+\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape}
+\spn@wtheorem{note}{Note}{\itshape}{\rmfamily}
+\spn@wtheorem{problem}{Problem}{\bfseries}{\rmfamily}
+\spn@wtheorem{property}{Property}{\itshape}{\rmfamily}
+\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape}
+\spn@wtheorem{question}{Question}{\itshape}{\rmfamily}
+\spn@wtheorem{solution}{Solution}{\bfseries}{\rmfamily}
+\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily}
+
+\def\@takefromreset#1#2{%
+ \def\@tempa{#1}%
+ \let\@tempd\@elt
+ \def\@elt##1{%
+ \def\@tempb{##1}%
+ \ifx\@tempa\@tempb\else
+ \@addtoreset{##1}{#2}%
+ \fi}%
+ \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+ \expandafter\def\csname cl@#2\endcsname{}%
+ \@tempc
+ \let\@elt\@tempd}
+
+\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist
+ \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5}
+ \def\@Opargbegintheorem##1##2##3##4{##4\trivlist
+ \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }}
+ }
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%
+%% This is figure.neu
+%%
+%% It redefines the captions for "figure" and "table"
+%% environments.
+%%
+%% There are three new kind of captions: "\firstcaption"
+%% and "\secondcaption" for captions set side by side.
+%% Usage for those two commands: like "\caption".
+%%
+%% "\sidecaption" with two parms: #1 width of picture
+%% #2 height of picture
+%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\@ifundefined{floatlegendstyle}{\def\floatlegendstyle{\bfseries}}{}
+\def\floatcounterend{.\ }
+\def\capstrut{\vrule\@width\z@\@height\topskip}
+\@ifundefined{captionstyle}{\def\captionstyle{\normalfont\small}}{}
+\@ifundefined{instindent}{\newdimen\instindent}{}
+
+\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+
+\def\firstcaption{\refstepcounter\@captype\@dblarg%
+ {\@firstcaption\@captype}}
+
+\def\secondcaption{\refstepcounter\@captype\@dblarg%
+ {\@secondcaption\@captype}}
+
+\long\def\@firstcaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \vskip3pt
+ \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}%
+ \ignorespaces\hspace{.073\textwidth}\hfil%
+ \endgroup}
+
+\long\def\@secondcaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@maketwocaptions{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+
+\long\def\@maketwocaptions#1#2{%
+ \parbox[t]{.46\textwidth}{{\floatlegendstyle #1\floatcounterend} #2}}
+
+\newdimen\figgap\figgap=14.2pt
+%
+\long\def\@makesidecaption#1#2{%
+ \setbox0=\vbox{\hsize=\@tempdima
+ \captionstyle{\floatlegendstyle
+ #1\floatcounterend}#2}%
+ \ifdim\instindent<\z@
+ \ifdim\ht0>-\instindent
+ \advance\instindent by\ht0
+ \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+ \@captype\space\csname the\@captype\endcsname
+ ^^Jis \the\instindent\space taller than the corresponding float -
+ ^^Jyou'd better switch the environment. }%
+ \instindent\z@
+ \fi
+ \else
+ \ifdim\ht0<\instindent
+ \advance\instindent by-\ht0
+ \advance\instindent by-\dp0\relax
+ \advance\instindent by\topskip
+ \advance\instindent by-11pt
+ \else
+ \advance\instindent by-\ht0
+ \instindent=-\instindent
+ \typeout{^^JClass-Warning: Legend of \string\sidecaption\space for
+ \@captype\space\csname the\@captype\endcsname
+ ^^Jis \the\instindent\space taller than the corresponding float -
+ ^^Jyou'd better switch the environment. }%
+ \instindent\z@
+ \fi
+ \fi
+ \parbox[b]{\@tempdima}{\captionstyle{\floatlegendstyle
+ #1\floatcounterend}#2%
+ \ifdim\instindent>\z@ \\
+ \vrule\@width\z@\@height\instindent
+ \@depth\z@
+ \fi}}
+\def\sidecaption{\@ifnextchar[\sidec@ption{\sidec@ption[b]}}
+\def\sidec@ption[#1]#2\caption{%
+\setbox\@tempboxa=\hbox{\ignorespaces#2\unskip}%
+\if@twocolumn
+ \ifdim\hsize<\textwidth\else
+ \ifdim\wd\@tempboxa<\columnwidth
+ \typeout{Double column float fits into single column -
+ ^^Jyou'd better switch the environment. }%
+ \fi
+ \fi
+\fi
+ \instindent=\ht\@tempboxa
+ \advance\instindent by\dp\@tempboxa
+\if t#1
+\else
+ \instindent=-\instindent
+\fi
+\@tempdima=\hsize
+\advance\@tempdima by-\figgap
+\advance\@tempdima by-\wd\@tempboxa
+\ifdim\@tempdima<3cm
+ \typeout{\string\sidecaption: No sufficient room for the legend;
+ using normal \string\caption. }%
+ \unhbox\@tempboxa
+ \let\@capcommand=\@caption
+\else
+ \ifdim\@tempdima<4.5cm
+ \typeout{\string\sidecaption: Room for the legend very narrow;
+ using \string\raggedright. }%
+ \toks@\expandafter{\captionstyle\sloppy
+ \rightskip=0ptplus6mm\relax}%
+ \def\captionstyle{\the\toks@}%
+ \fi
+ \let\@capcommand=\@sidecaption
+ \leavevmode
+ \unhbox\@tempboxa
+ \hfill
+\fi
+\refstepcounter\@captype
+\@dblarg{\@capcommand\@captype}}
+\long\def\@sidecaption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\begingroup
+ \@parboxrestore
+ \@makesidecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\fig@type{figure}
+
+\def\leftlegendglue{\hfil}
+\newdimen\figcapgap\figcapgap=3pt
+\newdimen\tabcapgap\tabcapgap=5.5pt
+
+\long\def\@makecaption#1#2{%
+ \captionstyle
+ \ifx\@captype\fig@type
+ \vskip\figcapgap
+ \fi
+ \setbox\@tempboxa\hbox{{\floatlegendstyle #1\floatcounterend}%
+ \capstrut #2}%
+ \ifdim \wd\@tempboxa >\hsize
+ {\floatlegendstyle #1\floatcounterend}\capstrut #2\par
+ \else
+ \hbox to\hsize{\leftlegendglue\unhbox\@tempboxa\hfil}%
+ \fi
+ \ifx\@captype\fig@type\else
+ \vskip\tabcapgap
+ \fi}
+
+\newcounter{merk}
+\def\endfigure{\resetsubfig\end@float}
+\@namedef{endfigure*}{\resetsubfig\end@dblfloat}
+\let\resetsubfig\relax
+\def\subfigures{\stepcounter{figure}\setcounter{merk}{\value{figure}}%
+\setcounter{figure}{0}\def\thefigure{\if@numart\else\thechapter.\fi
+\@arabic\c@merk\alph{figure}}%
+\def\resetsubfig{\setcounter{figure}{\value{merk}}}}
+\let\leftlegendglue\relax
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Definition of environment thebibliography
+%
+% Borrowed from book.cls
+%
+% by lcp
+
+\newcommand\bibname{Bibliography}
+\setlength\bibindent{1.5em}
+\renewenvironment{thebibliography}[1]
+ {\chapter*{\bibname
+ \@mkboth{\MakeUppercase\bibname}{\MakeUppercase\bibname}}%
+ \list{\@biblabel{\@arabic\c@enumiv}}%
+ {\settowidth\labelwidth{\@biblabel{#1}}%
+ \leftmargin\labelwidth
+ \advance\leftmargin\labelsep
+ \@openbib@code
+ \usecounter{enumiv}%
+ \let\p@enumiv\@empty
+ \renewcommand\theenumiv{\@arabic\c@enumiv}}%
+ \sloppy
+ \clubpenalty4000
+ \@clubpenalty \clubpenalty
+ \widowpenalty4000%
+ \sfcode`\.\@m}
+ {\def\@noitemerr
+ {\@latex@warning{Empty `thebibliography' environment}}%
+ \endlist}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is fonotebk.xxx
+%
+% It redefines how footnotes will be typeset.
+%
+% Usage like described by Lamport.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\newdimen\footnoterulewidth
+ \footnoterulewidth=1.666cm
+
+\def\footnoterule{\kern-3\p@
+ \hrule width\footnoterulewidth
+ \kern 2.6\p@}
+
+\newdimen\foot@parindent
+\foot@parindent 10.83\p@
+
+%\long\def\@makefntext#1{\parindent\foot@parindent\noindent
+% \hbox to\foot@parindent{\hss$\m@th^{\@thefnmark}$\kern3pt}#1}
+\long\def\@makefntext#1{\@setpar{\@@par\@tempdima \hsize
+ \advance\@tempdima-\foot@parindent\parshape\@ne\foot@parindent
+ \@tempdima}\par
+ \parindent \foot@parindent\noindent \hbox to \z@{%
+ \hss\hss$^{\@thefnmark}$ }#1}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is environ.tex
+%
+% It defines the environment for acknowledgements.
+% and noteadd
+%
+% Usage e.g.: \begin{acknowledgement}
+% Text
+% \end{acknowledgement}
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+% Define `abstract' environment
+\def\acknowledgement{\par\addvspace{17pt}\small\rm
+\trivlist\item[\hskip\labelsep
+{\it\ackname}]}
+\def\endacknowledgement{\endtrivlist\addvspace{6pt}}
+% Define `noteadd' environment
+\def\noteadd{\par\addvspace{17pt}\small\rm
+\trivlist\item[\hskip\labelsep
+{\it\noteaddname}]}
+\def\endnoteadd{\endtrivlist\addvspace{6pt}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is item.xxx
+%
+% It redefines the kind of label for "itemize", "enumerate"
+% and "description" environment. The last is extended by
+% an optional parameter. Its length is used for overall
+% indentation.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% labels of enumerate
+
+\def\labelenumi{\theenumi.}
+\def\labelenumii{\theenumii)}
+\def\theenumii{\alph{enumii}}
+\def\p@enumii{\theenumi}
+
+% labels of itemize
+
+\def\labelitemi{\bf --}
+\def\labelitemii{\bf --}
+\def\labelitemiii{$\bullet$}
+\def\labelitemiv{$\cdot$}
+
+% labels of description
+\def\descriptionlabel#1{\hspace\labelsep #1\hfil}
+
+% make indentations changeable
+
+\def\setitemindent#1{\settowidth{\labelwidth}{#1}%
+ \leftmargini\labelwidth
+ \advance\leftmargini\labelsep
+ \def\@listi{\leftmargin\leftmargini
+ \labelwidth\leftmargini\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\medskipamount
+ \itemsep=\parskip \advance\itemsep by -\parsep}}
+\def\setitemitemindent#1{\settowidth{\labelwidth}{#1}%
+ \leftmarginii\labelwidth
+ \advance\leftmarginii\labelsep
+\def\@listii{\leftmargin\leftmarginii
+ \labelwidth\leftmarginii\advance\labelwidth by -\labelsep
+ \parsep=\parskip
+ \topsep=\z@
+ \itemsep=\parskip \advance\itemsep by -\parsep}}
+%
+% adjusted environment "description"
+% if an optional parameter (at the first two levels of lists)
+% is present, its width is considered to be the widest mark
+% throughout the current list.
+\def\description{\@ifnextchar[{\@describe}{\list{}{\labelwidth\z@
+ \itemindent-\leftmargin \let\makelabel\descriptionlabel}}}
+%
+\def\describelabel#1{#1\hfil}
+\def\@describe[#1]{\relax\ifnum\@listdepth=0
+\setitemindent{#1}\else\ifnum\@listdepth=1
+\setitemitemindent{#1}\fi\fi
+\list{--}{\let\makelabel\describelabel}}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is index.xxx
+%
+% It defines miscelaneous addons used for the preparation
+% of an index.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\theindex{\@restonecoltrue\if@twocolumn\@restonecolfalse\fi
+\columnseprule \z@
+\columnsep 1cc\twocolumn[\@makeschapterhead{\indexname}%
+ \csname indexstarthook\endcsname]%
+ \@mkboth{\indexname}{\indexname}%
+ \thispagestyle{empty}\parindent\z@
+ \rightskip0\p@ plus 40\p@
+ \parskip\z@ plus .3\p@\relax\let\item\@idxitem
+ \def\,{\relax\ifmmode\mskip\thinmuskip
+ \else\hskip0.2em\ignorespaces\fi}%
+ \small\rm}
+
+\def\idxquad{\hskip 10\p@}% space that divides entry from number
+
+\def\@idxitem{\par\hangindent 10\p@}
+
+\def\subitem{\par\setbox0=\hbox{--\enspace}% second order
+ \noindent\hangindent\wd0\box0}% index entry
+
+\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third
+ \noindent\hangindent\wd0\box0}% order index entry
+
+\def\endtheindex{\if@restonecol\onecolumn\else\clearpage\fi}
+
+\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax}
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% This is numberbk.xxx
+%
+% It redefines the kind of numeration for figures,
+% tables and equations. With style option "numart" they
+% are numbered with "no.", otherwise with "kapno.no."
+%
+% e.g. \documentstyle[numart]{article} gives a
+% numbering like in article.sty defined.
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\def\@takefromreset#1#2{%
+ \def\@tempa{#1}%
+ \let\@tempd\@elt
+ \def\@elt##1{%
+ \def\@tempb{##1}%
+ \ifx\@tempa\@tempb\else
+ \@addtoreset{##1}{#2}%
+ \fi}%
+ \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname
+ \expandafter\def\csname cl@#2\endcsname{}%
+ \@tempc
+ \let\@elt\@tempd
+}
+%
+\def\ds@numart{\@numarttrue
+ \@takefromreset{figure}{chapter}%
+ \@takefromreset{table}{chapter}%
+ \@takefromreset{equation}{chapter}%
+ \def\thefigure{\@arabic\c@figure}%
+ \def\thetable{\@arabic\c@table}%
+ \def\theequation{\arabic{equation}}}
+%
+\def\thefigure{\thechapter.\@arabic\c@figure}
+\def\thetable{\thechapter.\@arabic\c@table}
+\def\theequation{\thechapter.\arabic{equation}}
+\@addtoreset{figure}{chapter}
+\@addtoreset{table}{chapter}
+\@addtoreset{equation}{chapter}
+\endinput
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/ctl0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,6 @@
+\index{model checking example|(}%
+\index{lfp@{\texttt{lfp}}!applications of|see{CTL}}
+\input{Base.tex}
+\input{PDL.tex}
+\input{CTL.tex}
+\index{model checking example|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/documents0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,24 @@
+
+\chapter{Presenting Theories}
+\label{ch:thy-present}
+
+By now the reader should have become sufficiently acquainted with elementary
+theory development in Isabelle/HOL\@. The following interlude describes
+how to present theories in a typographically
+pleasing manner. Isabelle provides a rich infrastructure for concrete syntax
+of the underlying $\lambda$-calculus language (see
+{\S}\ref{sec:concrete-syntax}), as well as document preparation of theory texts
+based on existing PDF-{\LaTeX} technology (see
+{\S}\ref{sec:document-preparation}).
+
+As pointed out by Leibniz\index{Leibniz, Gottfried Wilhelm} more than 300
+years ago, \emph{notions} are in principle more important than
+\emph{notations}, but suggestive textual representation of ideas is vital to
+reduce the mental effort to comprehend and apply them.
+
+\input{Documents.tex}
+
+%%% Local Variables:
+%%% mode: latex
+%%% TeX-master: t
+%%% End:
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/fp.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,484 @@
+\chapter{Functional Programming in HOL}
+
+This chapter describes how to write
+functional programs in HOL and how to verify them. However,
+most of the constructs and
+proof procedures introduced are general and recur in any specification
+or verification task. We really should speak of functional
+\emph{modelling} rather than functional \emph{programming}:
+our primary aim is not
+to write programs but to design abstract models of systems. HOL is
+a specification language that goes well beyond what can be expressed as a
+program. However, for the time being we concentrate on the computable.
+
+If you are a purist functional programmer, please note that all functions
+in HOL must be total:
+they must terminate for all inputs. Lazy data structures are not
+directly available.
+
+\section{An Introductory Theory}
+\label{sec:intro-theory}
+
+Functional programming needs datatypes and functions. Both of them can be
+defined in a theory with a syntax reminiscent of languages like ML or
+Haskell. As an example consider the theory in figure~\ref{fig:ToyList}.
+We will now examine it line by line.
+
+\begin{figure}[htbp]
+\begin{ttbox}\makeatother
+\input{ToyList1}\end{ttbox}
+\caption{A Theory of Lists}
+\label{fig:ToyList}
+\end{figure}
+
+\index{*ToyList example|(}
+{\makeatother\medskip\input{ToyList.tex}}
+
+The complete proof script is shown in Fig.\ts\ref{fig:ToyList-proofs}. The
+concatenation of Figs.\ts\ref{fig:ToyList} and~\ref{fig:ToyList-proofs}
+constitutes the complete theory \texttt{ToyList} and should reside in file
+\texttt{ToyList.thy}.
+% It is good practice to present all declarations and
+%definitions at the beginning of a theory to facilitate browsing.%
+\index{*ToyList example|)}
+
+\begin{figure}[htbp]
+\begin{ttbox}\makeatother
+\input{ToyList2}\end{ttbox}
+\caption{Proofs about Lists}
+\label{fig:ToyList-proofs}
+\end{figure}
+
+\subsubsection*{Review}
+
+This is the end of our toy proof. It should have familiarized you with
+\begin{itemize}
+\item the standard theorem proving procedure:
+state a goal (lemma or theorem); proceed with proof until a separate lemma is
+required; prove that lemma; come back to the original goal.
+\item a specific procedure that works well for functional programs:
+induction followed by all-out simplification via \isa{auto}.
+\item a basic repertoire of proof commands.
+\end{itemize}
+
+\begin{warn}
+It is tempting to think that all lemmas should have the \isa{simp} attribute
+just because this was the case in the example above. However, in that example
+all lemmas were equations, and the right-hand side was simpler than the
+left-hand side --- an ideal situation for simplification purposes. Unless
+this is clearly the case, novices should refrain from awarding a lemma the
+\isa{simp} attribute, which has a global effect. Instead, lemmas can be
+applied locally where they are needed, which is discussed in the following
+chapter.
+\end{warn}
+
+\section{Some Helpful Commands}
+\label{sec:commands-and-hints}
+
+This section discusses a few basic commands for manipulating the proof state
+and can be skipped by casual readers.
+
+There are two kinds of commands used during a proof: the actual proof
+commands and auxiliary commands for examining the proof state and controlling
+the display. Simple proof commands are of the form
+\commdx{apply}(\textit{method}), where \textit{method} is typically
+\isa{induct_tac} or \isa{auto}. All such theorem proving operations
+are referred to as \bfindex{methods}, and further ones are
+introduced throughout the tutorial. Unless stated otherwise, you may
+assume that a method attacks merely the first subgoal. An exception is
+\isa{auto}, which tries to solve all subgoals.
+
+The most useful auxiliary commands are as follows:
+\begin{description}
+\item[Modifying the order of subgoals:]
+\commdx{defer} moves the first subgoal to the end and
+\commdx{prefer}~$n$ moves subgoal $n$ to the front.
+\item[Printing theorems:]
+ \commdx{thm}~\textit{name}$@1$~\dots~\textit{name}$@n$
+ prints the named theorems.
+\item[Reading terms and types:] \commdx{term}
+ \textit{string} reads, type-checks and prints the given string as a term in
+ the current context; the inferred type is output as well.
+ \commdx{typ} \textit{string} reads and prints the given
+ string as a type in the current context.
+\end{description}
+Further commands are found in the Isabelle/Isar Reference
+Manual~\cite{isabelle-isar-ref}.
+
+\begin{pgnote}
+Clicking on the \pgmenu{State} button redisplays the current proof state.
+This is helpful in case commands like \isacommand{thm} have overwritten it.
+\end{pgnote}
+
+We now examine Isabelle's functional programming constructs systematically,
+starting with inductive datatypes.
+
+
+\section{Datatypes}
+\label{sec:datatype}
+
+\index{datatypes|(}%
+Inductive datatypes are part of almost every non-trivial application of HOL.
+First we take another look at an important example, the datatype of
+lists, before we turn to datatypes in general. The section closes with a
+case study.
+
+
+\subsection{Lists}
+
+\index{*list (type)}%
+Lists are one of the essential datatypes in computing. We expect that you
+are already familiar with their basic operations.
+Theory \isa{ToyList} is only a small fragment of HOL's predefined theory
+\thydx{List}\footnote{\url{http://isabelle.in.tum.de/library/HOL/List.html}}.
+The latter contains many further operations. For example, the functions
+\cdx{hd} (``head'') and \cdx{tl} (``tail'') return the first
+element and the remainder of a list. (However, pattern matching is usually
+preferable to \isa{hd} and \isa{tl}.)
+Also available are higher-order functions like \isa{map} and \isa{filter}.
+Theory \isa{List} also contains
+more syntactic sugar: \isa{[}$x@1$\isa{,}\dots\isa{,}$x@n$\isa{]} abbreviates
+$x@1$\isa{\#}\dots\isa{\#}$x@n$\isa{\#[]}. In the rest of the tutorial we
+always use HOL's predefined lists by building on theory \isa{Main}.
+\begin{warn}
+Looking ahead to sets and quanifiers in Part II:
+The best way to express that some element \isa{x} is in a list \isa{xs} is
+\isa{x $\in$ set xs}, where \isa{set} is a function that turns a list into the
+set of its elements.
+By the same device you can also write bounded quantifiers like
+\isa{$\forall$x $\in$ set xs} or embed lists in other set expressions.
+\end{warn}
+
+
+\subsection{The General Format}
+\label{sec:general-datatype}
+
+The general HOL \isacommand{datatype} definition is of the form
+\[
+\isacommand{datatype}~(\alpha@1, \dots, \alpha@n) \, t ~=~
+C@1~\tau@{11}~\dots~\tau@{1k@1} ~\mid~ \dots ~\mid~
+C@m~\tau@{m1}~\dots~\tau@{mk@m}
+\]
+where $\alpha@i$ are distinct type variables (the parameters), $C@i$ are distinct
+constructor names and $\tau@{ij}$ are types; it is customary to capitalize
+the first letter in constructor names. There are a number of
+restrictions (such as that the type should not be empty) detailed
+elsewhere~\cite{isabelle-HOL}. Isabelle notifies you if you violate them.
+
+Laws about datatypes, such as \isa{[] \isasymnoteq~x\#xs} and
+\isa{(x\#xs = y\#ys) = (x=y \isasymand~xs=ys)}, are used automatically
+during proofs by simplification. The same is true for the equations in
+primitive recursive function definitions.
+
+Every\footnote{Except for advanced datatypes where the recursion involves
+``\isasymRightarrow'' as in {\S}\ref{sec:nested-fun-datatype}.} datatype $t$
+comes equipped with a \isa{size} function from $t$ into the natural numbers
+(see~{\S}\ref{sec:nat} below). For lists, \isa{size} is just the length, i.e.\
+\isa{size [] = 0} and \isa{size(x \# xs) = size xs + 1}. In general,
+\cdx{size} returns
+\begin{itemize}
+\item zero for all constructors that do not have an argument of type $t$,
+\item one plus the sum of the sizes of all arguments of type~$t$,
+for all other constructors.
+\end{itemize}
+Note that because
+\isa{size} is defined on every datatype, it is overloaded; on lists
+\isa{size} is also called \sdx{length}, which is not overloaded.
+Isabelle will always show \isa{size} on lists as \isa{length}.
+
+
+\subsection{Primitive Recursion}
+
+\index{recursion!primitive}%
+Functions on datatypes are usually defined by recursion. In fact, most of the
+time they are defined by what is called \textbf{primitive recursion} over some
+datatype $t$. This means that the recursion equations must be of the form
+\[ f \, x@1 \, \dots \, (C \, y@1 \, \dots \, y@k)\, \dots \, x@n = r \]
+such that $C$ is a constructor of $t$ and all recursive calls of
+$f$ in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$. Thus
+Isabelle immediately sees that $f$ terminates because one (fixed!) argument
+becomes smaller with every recursive call. There must be at most one equation
+for each constructor. Their order is immaterial.
+A more general method for defining total recursive functions is introduced in
+{\S}\ref{sec:fun}.
+
+\begin{exercise}\label{ex:Tree}
+\input{Tree.tex}%
+\end{exercise}
+
+\input{case_exprs.tex}
+
+\input{Ifexpr.tex}
+\index{datatypes|)}
+
+
+\section{Some Basic Types}
+
+This section introduces the types of natural numbers and ordered pairs. Also
+described is type \isa{option}, which is useful for modelling exceptional
+cases.
+
+\subsection{Natural Numbers}
+\label{sec:nat}\index{natural numbers}%
+\index{linear arithmetic|(}
+
+\input{fakenat.tex}\medskip
+\input{natsum.tex}
+
+\index{linear arithmetic|)}
+
+
+\subsection{Pairs}
+\input{pairs2.tex}
+
+\subsection{Datatype {\tt\slshape option}}
+\label{sec:option}
+\input{Option2.tex}
+
+\section{Definitions}
+\label{sec:Definitions}
+
+A definition is simply an abbreviation, i.e.\ a new name for an existing
+construction. In particular, definitions cannot be recursive. Isabelle offers
+definitions on the level of types and terms. Those on the type level are
+called \textbf{type synonyms}; those on the term level are simply called
+definitions.
+
+
+\subsection{Type Synonyms}
+
+\index{type synonyms}%
+Type synonyms are similar to those found in ML\@. They are created by a
+\commdx{type\protect\_synonym} command:
+
+\medskip
+\input{types.tex}
+
+\input{prime_def.tex}
+
+
+\section{The Definitional Approach}
+\label{sec:definitional}
+
+\index{Definitional Approach}%
+As we pointed out at the beginning of the chapter, asserting arbitrary
+axioms such as $f(n) = f(n) + 1$ can easily lead to contradictions. In order
+to avoid this danger, we advocate the definitional rather than
+the axiomatic approach: introduce new concepts by definitions. However, Isabelle/HOL seems to
+support many richer definitional constructs, such as
+\isacommand{primrec}. The point is that Isabelle reduces such constructs to first principles. For example, each
+\isacommand{primrec} function definition is turned into a proper
+(nonrecursive!) definition from which the user-supplied recursion equations are
+automatically proved. This process is
+hidden from the user, who does not have to understand the details. Other commands described
+later, like \isacommand{fun} and \isacommand{inductive}, work similarly.
+This strict adherence to the definitional approach reduces the risk of
+soundness errors.
+
+\chapter{More Functional Programming}
+
+The purpose of this chapter is to deepen your understanding of the
+concepts encountered so far and to introduce advanced forms of datatypes and
+recursive functions. The first two sections give a structured presentation of
+theorem proving by simplification ({\S}\ref{sec:Simplification}) and discuss
+important heuristics for induction ({\S}\ref{sec:InductionHeuristics}). You can
+skip them if you are not planning to perform proofs yourself.
+We then present a case
+study: a compiler for expressions ({\S}\ref{sec:ExprCompiler}). Advanced
+datatypes, including those involving function spaces, are covered in
+{\S}\ref{sec:advanced-datatypes}; it closes with another case study, search
+trees (``tries''). Finally we introduce \isacommand{fun}, a general
+form of recursive function definition that goes well beyond
+\isacommand{primrec} ({\S}\ref{sec:fun}).
+
+
+\section{Simplification}
+\label{sec:Simplification}
+\index{simplification|(}
+
+So far we have proved our theorems by \isa{auto}, which simplifies
+all subgoals. In fact, \isa{auto} can do much more than that.
+To go beyond toy examples, you
+need to understand the ingredients of \isa{auto}. This section covers the
+method that \isa{auto} always applies first, simplification.
+
+Simplification is one of the central theorem proving tools in Isabelle and
+many other systems. The tool itself is called the \textbf{simplifier}.
+This section introduces the many features of the simplifier
+and is required reading if you intend to perform proofs. Later on,
+{\S}\ref{sec:simplification-II} explains some more advanced features and a
+little bit of how the simplifier works. The serious student should read that
+section as well, in particular to understand why the simplifier did
+something unexpected.
+
+\subsection{What is Simplification?}
+
+In its most basic form, simplification means repeated application of
+equations from left to right. For example, taking the rules for \isa{\at}
+and applying them to the term \isa{[0,1] \at\ []} results in a sequence of
+simplification steps:
+\begin{ttbox}\makeatother
+(0#1#[]) @ [] \(\leadsto\) 0#((1#[]) @ []) \(\leadsto\) 0#(1#([] @ [])) \(\leadsto\) 0#1#[]
+\end{ttbox}
+This is also known as \bfindex{term rewriting}\indexbold{rewriting} and the
+equations are referred to as \bfindex{rewrite rules}.
+``Rewriting'' is more honest than ``simplification'' because the terms do not
+necessarily become simpler in the process.
+
+The simplifier proves arithmetic goals as described in
+{\S}\ref{sec:nat} above. Arithmetic expressions are simplified using built-in
+procedures that go beyond mere rewrite rules. New simplification procedures
+can be coded and installed, but they are definitely not a matter for this
+tutorial.
+
+\input{simp.tex}
+
+\index{simplification|)}
+
+\input{Itrev.tex}
+\begin{exercise}
+\input{Plus.tex}%
+\end{exercise}
+\begin{exercise}
+\input{Tree2.tex}%
+\end{exercise}
+
+\input{CodeGen.tex}
+
+
+\section{Advanced Datatypes}
+\label{sec:advanced-datatypes}
+\index{datatype@\isacommand {datatype} (command)|(}
+\index{primrec@\isacommand {primrec} (command)|(}
+%|)
+
+This section presents advanced forms of datatypes: mutual and nested
+recursion. A series of examples will culminate in a treatment of the trie
+data structure.
+
+
+\subsection{Mutual Recursion}
+\label{sec:datatype-mut-rec}
+
+\input{ABexpr.tex}
+
+\subsection{Nested Recursion}
+\label{sec:nested-datatype}
+
+{\makeatother\input{Nested.tex}}
+
+
+\subsection{The Limits of Nested Recursion}
+\label{sec:nested-fun-datatype}
+
+How far can we push nested recursion? By the unfolding argument above, we can
+reduce nested to mutual recursion provided the nested recursion only involves
+previously defined datatypes. This does not include functions:
+\begin{isabelle}
+\isacommand{datatype} t = C "t \isasymRightarrow\ bool"
+\end{isabelle}
+This declaration is a real can of worms.
+In HOL it must be ruled out because it requires a type
+\isa{t} such that \isa{t} and its power set \isa{t \isasymFun\ bool} have the
+same cardinality --- an impossibility. For the same reason it is not possible
+to allow recursion involving the type \isa{t set}, which is isomorphic to
+\isa{t \isasymFun\ bool}.
+
+Fortunately, a limited form of recursion
+involving function spaces is permitted: the recursive type may occur on the
+right of a function arrow, but never on the left. Hence the above can of worms
+is ruled out but the following example of a potentially
+\index{infinitely branching trees}%
+infinitely branching tree is accepted:
+\smallskip
+
+\input{Fundata.tex}
+
+If you need nested recursion on the left of a function arrow, there are
+alternatives to pure HOL\@. In the Logic for Computable Functions
+(\rmindex{LCF}), types like
+\begin{isabelle}
+\isacommand{datatype} lam = C "lam \isasymrightarrow\ lam"
+\end{isabelle}
+do indeed make sense~\cite{paulson87}. Note the different arrow,
+\isa{\isasymrightarrow} instead of \isa{\isasymRightarrow},
+expressing the type of \emph{continuous} functions.
+There is even a version of LCF on top of HOL,
+called \rmindex{HOLCF}~\cite{MuellerNvOS99}.
+\index{datatype@\isacommand {datatype} (command)|)}
+\index{primrec@\isacommand {primrec} (command)|)}
+
+
+\subsection{Case Study: Tries}
+\label{sec:Trie}
+
+\index{tries|(}%
+Tries are a classic search tree data structure~\cite{Knuth3-75} for fast
+indexing with strings. Figure~\ref{fig:trie} gives a graphical example of a
+trie containing the words ``all'', ``an'', ``ape'', ``can'', ``car'' and
+``cat''. When searching a string in a trie, the letters of the string are
+examined sequentially. Each letter determines which subtrie to search next.
+In this case study we model tries as a datatype, define a lookup and an
+update function, and prove that they behave as expected.
+
+\begin{figure}[htbp]
+\begin{center}
+\unitlength1mm
+\begin{picture}(60,30)
+\put( 5, 0){\makebox(0,0)[b]{l}}
+\put(25, 0){\makebox(0,0)[b]{e}}
+\put(35, 0){\makebox(0,0)[b]{n}}
+\put(45, 0){\makebox(0,0)[b]{r}}
+\put(55, 0){\makebox(0,0)[b]{t}}
+%
+\put( 5, 9){\line(0,-1){5}}
+\put(25, 9){\line(0,-1){5}}
+\put(44, 9){\line(-3,-2){9}}
+\put(45, 9){\line(0,-1){5}}
+\put(46, 9){\line(3,-2){9}}
+%
+\put( 5,10){\makebox(0,0)[b]{l}}
+\put(15,10){\makebox(0,0)[b]{n}}
+\put(25,10){\makebox(0,0)[b]{p}}
+\put(45,10){\makebox(0,0)[b]{a}}
+%
+\put(14,19){\line(-3,-2){9}}
+\put(15,19){\line(0,-1){5}}
+\put(16,19){\line(3,-2){9}}
+\put(45,19){\line(0,-1){5}}
+%
+\put(15,20){\makebox(0,0)[b]{a}}
+\put(45,20){\makebox(0,0)[b]{c}}
+%
+\put(30,30){\line(-3,-2){13}}
+\put(30,30){\line(3,-2){13}}
+\end{picture}
+\end{center}
+\caption{A Sample Trie}
+\label{fig:trie}
+\end{figure}
+
+Proper tries associate some value with each string. Since the
+information is stored only in the final node associated with the string, many
+nodes do not carry any value. This distinction is modeled with the help
+of the predefined datatype \isa{option} (see {\S}\ref{sec:option}).
+\input{Trie.tex}
+\index{tries|)}
+
+\section{Total Recursive Functions: \isacommand{fun}}
+\label{sec:fun}
+\index{fun@\isacommand {fun} (command)|(}\index{functions!total|(}
+
+Although many total functions have a natural primitive recursive definition,
+this is not always the case. Arbitrary total recursive functions can be
+defined by means of \isacommand{fun}: you can use full pattern matching,
+recursion need not involve datatypes, and termination is proved by showing
+that the arguments of all recursive calls are smaller in a suitable sense.
+In this section we restrict ourselves to functions where Isabelle can prove
+termination automatically. More advanced function definitions, including user
+supplied termination proofs, nested recursion and partiality, are discussed
+in a separate tutorial~\cite{isabelle-function}.
+
+\input{fun0.tex}
+
+\index{fun@\isacommand {fun} (command)|)}\index{functions!total|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/inductive0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,31 @@
+\chapter{Inductively Defined Sets} \label{chap:inductive}
+\index{inductive definitions|(}
+
+This chapter is dedicated to the most important definition principle after
+recursive functions and datatypes: inductively defined sets.
+
+We start with a simple example: the set of even numbers. A slightly more
+complicated example, the reflexive transitive closure, is the subject of
+{\S}\ref{sec:rtc}. In particular, some standard induction heuristics are
+discussed. Advanced forms of inductive definitions are discussed in
+{\S}\ref{sec:adv-ind-def}. To demonstrate the versatility of inductive
+definitions, the chapter closes with a case study from the realm of
+context-free grammars. The first two sections are required reading for anybody
+interested in mathematical modelling.
+
+\begin{warn}
+Predicates can also be defined inductively.
+See {\S}\ref{sec:ind-predicates}.
+\end{warn}
+
+\input{Even}
+\input{Mutual}
+\input{Star}
+
+\section{Advanced Inductive Definitions}
+\label{sec:adv-ind-def}
+\input{Advanced}
+
+\input{AB}
+
+\index{inductive definitions|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/isa-index Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,23 @@
+#! /bin/sh
+#
+#sedindex - shell script to create indexes, preprocessing LaTeX's .idx file
+#
+# puts strings prefixed by * into \tt font
+# terminator characters for strings are |!@{}
+#
+# a space terminates the \tt part to allow \index{*notE theorem}, etc.
+#
+# note that makeindex uses a dboule quote (") to delimit special characters.
+#
+# change *"X"Y"Z"W to "X"Y"Z"W@{\tt "X"Y"Z"W}
+# change *"X"Y"Z to "X"Y"Z@{\tt "X"Y"Z}
+# change *"X"Y to "X"Y@{\tt "X"Y}
+# change *"X to "X@{\tt "X}
+# change *IDENT to IDENT@{\tt IDENT}
+# where IDENT is any string not containing | ! or @
+# FOUR backslashes: to escape the shell AND sed
+sed -e "s~\*\(\".\".\".\".\)~\1@\\\\isa {\1}~g
+s~\*\(\".\".\".\)~\1@\\\\isa {\1}~g
+s~\*\(\".\".\)~\1@\\\\isa {\1}~g
+s~\*\(\".\)~\1@\\\\isa {\1}~g
+s~\*\([^ |!@{}][^ |!@{}]*\)~\1@\\\\isa {\1}~g" $1.idx | makeindex -c -q -o $1.ind
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/numerics.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,543 @@
+\section{Numbers}
+\label{sec:numbers}
+
+\index{numbers|(}%
+Until now, our numerical examples have used the type of \textbf{natural
+numbers},
+\isa{nat}. This is a recursive datatype generated by the constructors
+zero and successor, so it works well with inductive proofs and primitive
+recursive function definitions. HOL also provides the type
+\isa{int} of \textbf{integers}, which lack induction but support true
+subtraction. With subtraction, arithmetic reasoning is easier, which makes
+the integers preferable to the natural numbers for
+complicated arithmetic expressions, even if they are non-negative. There are also the types
+\isa{rat}, \isa{real} and \isa{complex}: the rational, real and complex numbers. Isabelle has no
+subtyping, so the numeric
+types are distinct and there are functions to convert between them.
+Most numeric operations are overloaded: the same symbol can be
+used at all numeric types. Table~\ref{tab:overloading} in the appendix
+shows the most important operations, together with the priorities of the
+infix symbols. Algebraic properties are organized using type classes
+around algebraic concepts such as rings and fields;
+a property such as the commutativity of addition is a single theorem
+(\isa{add_commute}) that applies to all numeric types.
+
+\index{linear arithmetic}%
+Many theorems involving numeric types can be proved automatically by
+Isabelle's arithmetic decision procedure, the method
+\methdx{arith}. Linear arithmetic comprises addition, subtraction
+and multiplication by constant factors; subterms involving other operators
+are regarded as variables. The procedure can be slow, especially if the
+subgoal to be proved involves subtraction over type \isa{nat}, which
+causes case splits. On types \isa{nat} and \isa{int}, \methdx{arith}
+can deal with quantifiers---this is known as Presburger arithmetic---whereas on type \isa{real} it cannot.
+
+The simplifier reduces arithmetic expressions in other
+ways, such as dividing through by common factors. For problems that lie
+outside the scope of automation, HOL provides hundreds of
+theorems about multiplication, division, etc., that can be brought to
+bear. You can locate them using Proof General's Find
+button. A few lemmas are given below to show what
+is available.
+
+\subsection{Numeric Literals}
+\label{sec:numerals}
+
+\index{numeric literals|(}%
+The constants \cdx{0} and \cdx{1} are overloaded. They denote zero and one,
+respectively, for all numeric types. Other values are expressed by numeric
+literals, which consist of one or more decimal digits optionally preceeded by a minus sign (\isa{-}). Examples are \isa{2}, \isa{-3} and
+\isa{441223334678}. Literals are available for the types of natural
+numbers, integers, rationals, reals, etc.; they denote integer values of
+arbitrary size.
+
+Literals look like constants, but they abbreviate
+terms representing the number in a two's complement binary notation.
+Isabelle performs arithmetic on literals by rewriting rather
+than using the hardware arithmetic. In most cases arithmetic
+is fast enough, even for numbers in the millions. The arithmetic operations
+provided for literals include addition, subtraction, multiplication,
+integer division and remainder. Fractions of literals (expressed using
+division) are reduced to lowest terms.
+
+\begin{warn}\index{overloading!and arithmetic}
+The arithmetic operators are
+overloaded, so you must be careful to ensure that each numeric
+expression refers to a specific type, if necessary by inserting
+type constraints. Here is an example of what can go wrong:
+\par
+\begin{isabelle}
+\isacommand{lemma}\ "2\ *\ m\ =\ m\ +\ m"
+\end{isabelle}
+%
+Carefully observe how Isabelle displays the subgoal:
+\begin{isabelle}
+\ 1.\ (2::'a)\ *\ m\ =\ m\ +\ m
+\end{isabelle}
+The type \isa{'a} given for the literal \isa{2} warns us that no numeric
+type has been specified. The problem is underspecified. Given a type
+constraint such as \isa{nat}, \isa{int} or \isa{real}, it becomes trivial.
+\end{warn}
+
+\begin{warn}
+\index{function@\isacommand {function} (command)!and numeric literals}
+Numeric literals are not constructors and therefore
+must not be used in patterns. For example, this declaration is
+rejected:
+\begin{isabelle}
+\isacommand{function}\ h\ \isakeyword{where}\isanewline
+"h\ 3\ =\ 2"\isanewline
+\isacharbar "h\ i\ \ =\ i"
+\end{isabelle}
+
+You should use a conditional expression instead:
+\begin{isabelle}
+"h\ i\ =\ (if\ i\ =\ 3\ then\ 2\ else\ i)"
+\end{isabelle}
+\index{numeric literals|)}
+\end{warn}
+
+
+\subsection{The Type of Natural Numbers, {\tt\slshape nat}}
+
+\index{natural numbers|(}\index{*nat (type)|(}%
+This type requires no introduction: we have been using it from the
+beginning. Hundreds of theorems about the natural numbers are
+proved in the theories \isa{Nat} and \isa{Divides}.
+Basic properties of addition and multiplication are available through the
+axiomatic type class for semirings (\S\ref{sec:numeric-classes}).
+
+\subsubsection{Literals}
+\index{numeric literals!for type \protect\isa{nat}}%
+The notational options for the natural numbers are confusing. Recall that an
+overloaded constant can be defined independently for each type; the definition
+of \cdx{1} for type \isa{nat} is
+\begin{isabelle}
+1\ \isasymequiv\ Suc\ 0
+\rulename{One_nat_def}
+\end{isabelle}
+This is installed as a simplification rule, so the simplifier will replace
+every occurrence of \isa{1::nat} by \isa{Suc\ 0}. Literals are obviously
+better than nested \isa{Suc}s at expressing large values. But many theorems,
+including the rewrite rules for primitive recursive functions, can only be
+applied to terms of the form \isa{Suc\ $n$}.
+
+The following default simplification rules replace
+small literals by zero and successor:
+\begin{isabelle}
+2\ +\ n\ =\ Suc\ (Suc\ n)
+\rulename{add_2_eq_Suc}\isanewline
+n\ +\ 2\ =\ Suc\ (Suc\ n)
+\rulename{add_2_eq_Suc'}
+\end{isabelle}
+It is less easy to transform \isa{100} into \isa{Suc\ 99} (for example), and
+the simplifier will normally reverse this transformation. Novices should
+express natural numbers using \isa{0} and \isa{Suc} only.
+
+\subsubsection{Division}
+\index{division!for type \protect\isa{nat}}%
+The infix operators \isa{div} and \isa{mod} are overloaded.
+Isabelle/HOL provides the basic facts about quotient and remainder
+on the natural numbers:
+\begin{isabelle}
+m\ mod\ n\ =\ (if\ m\ <\ n\ then\ m\ else\ (m\ -\ n)\ mod\ n)
+\rulename{mod_if}\isanewline
+m\ div\ n\ *\ n\ +\ m\ mod\ n\ =\ m%
+\rulenamedx{mod_div_equality}
+\end{isabelle}
+
+Many less obvious facts about quotient and remainder are also provided.
+Here is a selection:
+\begin{isabelle}
+a\ *\ b\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
+\rulename{div_mult1_eq}\isanewline
+a\ *\ b\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
+\rulename{mod_mult_right_eq}\isanewline
+a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
+\rulename{div_mult2_eq}\isanewline
+a\ mod\ (b*c)\ =\ b * (a\ div\ b\ mod\ c)\ +\ a\ mod\ b%
+\rulename{mod_mult2_eq}\isanewline
+0\ <\ c\ \isasymLongrightarrow \ (c\ *\ a)\ div\ (c\ *\ b)\ =\ a\ div\ b%
+\rulename{div_mult_mult1}\isanewline
+(m\ mod\ n)\ *\ k\ =\ (m\ *\ k)\ mod\ (n\ *\ k)
+\rulenamedx{mod_mult_distrib}\isanewline
+m\ \isasymle \ n\ \isasymLongrightarrow \ m\ div\ k\ \isasymle \ n\ div\ k%
+\rulename{div_le_mono}
+\end{isabelle}
+
+Surprisingly few of these results depend upon the
+divisors' being nonzero.
+\index{division!by zero}%
+That is because division by
+zero yields zero:
+\begin{isabelle}
+a\ div\ 0\ =\ 0
+\rulename{DIVISION_BY_ZERO_DIV}\isanewline
+a\ mod\ 0\ =\ a%
+\rulename{DIVISION_BY_ZERO_MOD}
+\end{isabelle}
+In \isa{div_mult_mult1} above, one of
+the two divisors (namely~\isa{c}) must still be nonzero.
+
+The \textbf{divides} relation\index{divides relation}
+has the standard definition, which
+is overloaded over all numeric types:
+\begin{isabelle}
+m\ dvd\ n\ \isasymequiv\ {\isasymexists}k.\ n\ =\ m\ *\ k
+\rulenamedx{dvd_def}
+\end{isabelle}
+%
+Section~\ref{sec:proving-euclid} discusses proofs involving this
+relation. Here are some of the facts proved about it:
+\begin{isabelle}
+\isasymlbrakk m\ dvd\ n;\ n\ dvd\ m\isasymrbrakk \ \isasymLongrightarrow \ m\ =\ n%
+\rulenamedx{dvd_antisym}\isanewline
+\isasymlbrakk k\ dvd\ m;\ k\ dvd\ n\isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ (m\ +\ n)
+\rulenamedx{dvd_add}
+\end{isabelle}
+
+\subsubsection{Subtraction}
+
+There are no negative natural numbers, so \isa{m\ -\ n} equals zero unless
+\isa{m} exceeds~\isa{n}. The following is one of the few facts
+about \isa{m\ -\ n} that is not subject to
+the condition \isa{n\ \isasymle \ m}.
+\begin{isabelle}
+(m\ -\ n)\ *\ k\ =\ m\ *\ k\ -\ n\ *\ k%
+\rulenamedx{diff_mult_distrib}
+\end{isabelle}
+Natural number subtraction has few
+nice properties; often you should remove it by simplifying with this split
+rule.
+\begin{isabelle}
+P(a-b)\ =\ ((a<b\ \isasymlongrightarrow \ P\
+0)\ \isasymand \ (\isasymforall d.\ a\ =\ b+d\ \isasymlongrightarrow \ P\
+d))
+\rulename{nat_diff_split}
+\end{isabelle}
+For example, splitting helps to prove the following fact.
+\begin{isabelle}
+\isacommand{lemma}\ "(n\ -\ 2)\ *\ (n\ +\ 2)\ =\ n\ *\ n\ -\ (4::nat)"\isanewline
+\isacommand{apply}\ (simp\ split:\ nat_diff_split,\ clarify)\isanewline
+\ 1.\ \isasymAnd d.\ \isasymlbrakk n\ <\ 2;\ n\ *\ n\ =\ 4\ +\ d\isasymrbrakk \ \isasymLongrightarrow \ d\ =\ 0
+\end{isabelle}
+The result lies outside the scope of linear arithmetic, but
+ it is easily found
+if we explicitly split \isa{n<2} as \isa{n=0} or \isa{n=1}:
+\begin{isabelle}
+\isacommand{apply}\ (subgoal_tac\ "n=0\ |\ n=1",\ force,\ arith)\isanewline
+\isacommand{done}
+\end{isabelle}%%%%%%
+\index{natural numbers|)}\index{*nat (type)|)}
+
+
+\subsection{The Type of Integers, {\tt\slshape int}}
+
+\index{integers|(}\index{*int (type)|(}%
+Reasoning methods for the integers resemble those for the natural numbers,
+but induction and
+the constant \isa{Suc} are not available. HOL provides many lemmas for
+proving inequalities involving integer multiplication and division, similar
+to those shown above for type~\isa{nat}. The laws of addition, subtraction
+and multiplication are available through the axiomatic type class for rings
+(\S\ref{sec:numeric-classes}).
+
+The \rmindex{absolute value} function \cdx{abs} is overloaded, and is
+defined for all types that involve negative numbers, including the integers.
+The \isa{arith} method can prove facts about \isa{abs} automatically,
+though as it does so by case analysis, the cost can be exponential.
+\begin{isabelle}
+\isacommand{lemma}\ "abs\ (x+y)\ \isasymle \ abs\ x\ +\ abs\ (y\ ::\ int)"\isanewline
+\isacommand{by}\ arith
+\end{isabelle}
+
+For division and remainder,\index{division!by negative numbers}
+the treatment of negative divisors follows
+mathematical practice: the sign of the remainder follows that
+of the divisor:
+\begin{isabelle}
+0\ <\ b\ \isasymLongrightarrow \ 0\ \isasymle \ a\ mod\ b%
+\rulename{pos_mod_sign}\isanewline
+0\ <\ b\ \isasymLongrightarrow \ a\ mod\ b\ <\ b%
+\rulename{pos_mod_bound}\isanewline
+b\ <\ 0\ \isasymLongrightarrow \ a\ mod\ b\ \isasymle \ 0
+\rulename{neg_mod_sign}\isanewline
+b\ <\ 0\ \isasymLongrightarrow \ b\ <\ a\ mod\ b%
+\rulename{neg_mod_bound}
+\end{isabelle}
+ML treats negative divisors in the same way, but most computer hardware
+treats signed operands using the same rules as for multiplication.
+Many facts about quotients and remainders are provided:
+\begin{isabelle}
+(a\ +\ b)\ div\ c\ =\isanewline
+a\ div\ c\ +\ b\ div\ c\ +\ (a\ mod\ c\ +\ b\ mod\ c)\ div\ c%
+\rulename{zdiv_zadd1_eq}
+\par\smallskip
+(a\ +\ b)\ mod\ c\ =\ (a\ mod\ c\ +\ b\ mod\ c)\ mod\ c%
+\rulename{mod_add_eq}
+\end{isabelle}
+
+\begin{isabelle}
+(a\ *\ b)\ div\ c\ =\ a\ *\ (b\ div\ c)\ +\ a\ *\ (b\ mod\ c)\ div\ c%
+\rulename{zdiv_zmult1_eq}\isanewline
+(a\ *\ b)\ mod\ c\ =\ a\ *\ (b\ mod\ c)\ mod\ c%
+\rulename{zmod_zmult1_eq}
+\end{isabelle}
+
+\begin{isabelle}
+0\ <\ c\ \isasymLongrightarrow \ a\ div\ (b*c)\ =\ a\ div\ b\ div\ c%
+\rulename{zdiv_zmult2_eq}\isanewline
+0\ <\ c\ \isasymLongrightarrow \ a\ mod\ (b*c)\ =\ b*(a\ div\ b\ mod\
+c)\ +\ a\ mod\ b%
+\rulename{zmod_zmult2_eq}
+\end{isabelle}
+The last two differ from their natural number analogues by requiring
+\isa{c} to be positive. Since division by zero yields zero, we could allow
+\isa{c} to be zero. However, \isa{c} cannot be negative: a counterexample
+is
+$\isa{a} = 7$, $\isa{b} = 2$ and $\isa{c} = -3$, when the left-hand side of
+\isa{zdiv_zmult2_eq} is $-2$ while the right-hand side is~$-1$.
+The prefix~\isa{z} in many theorem names recalls the use of $\mathbb{Z}$ to
+denote the set of integers.%
+\index{integers|)}\index{*int (type)|)}
+
+Induction is less important for integers than it is for the natural numbers, but it can be valuable if the range of integers has a lower or upper bound. There are four rules for integer induction, corresponding to the possible relations of the bound ($\geq$, $>$, $\leq$ and $<$):
+\begin{isabelle}
+\isasymlbrakk k\ \isasymle \ i;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk k\ \isasymle \ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_ge_induct}\isanewline
+\isasymlbrakk k\ <\ i;\ P(k+1);\ \isasymAnd i.\ \isasymlbrakk k\ <\ i;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i+1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_gr_induct}\isanewline
+\isasymlbrakk i\ \isasymle \ k;\ P\ k;\ \isasymAnd i.\ \isasymlbrakk i\ \isasymle \ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_le_induct}\isanewline
+\isasymlbrakk i\ <\ k;\ P(k-1);\ \isasymAnd i.\ \isasymlbrakk i\ <\ k;\ P\ i\isasymrbrakk \ \isasymLongrightarrow \ P(i-1)\isasymrbrakk \ \isasymLongrightarrow \ P\ i%
+\rulename{int_less_induct}
+\end{isabelle}
+
+
+\subsection{The Types of Rational, Real and Complex Numbers}
+\label{sec:real}
+
+\index{rational numbers|(}\index{*rat (type)|(}%
+\index{real numbers|(}\index{*real (type)|(}%
+\index{complex numbers|(}\index{*complex (type)|(}%
+These types provide true division, the overloaded operator \isa{/},
+which differs from the operator \isa{div} of the
+natural numbers and integers. The rationals and reals are
+\textbf{dense}: between every two distinct numbers lies another.
+This property follows from the division laws, since if $x\not=y$ then $(x+y)/2$ lies between them:
+\begin{isabelle}
+a\ <\ b\ \isasymLongrightarrow \ \isasymexists r.\ a\ <\ r\ \isasymand \ r\ <\ b%
+\rulename{dense}
+\end{isabelle}
+
+The real numbers are, moreover, \textbf{complete}: every set of reals that
+is bounded above has a least upper bound. Completeness distinguishes the
+reals from the rationals, for which the set $\{x\mid x^2<2\}$ has no least
+upper bound. (It could only be $\surd2$, which is irrational.) The
+formalization of completeness, which is complicated,
+can be found in theory \texttt{RComplete}.
+
+Numeric literals\index{numeric literals!for type \protect\isa{real}}
+for type \isa{real} have the same syntax as those for type
+\isa{int} and only express integral values. Fractions expressed
+using the division operator are automatically simplified to lowest terms:
+\begin{isabelle}
+\ 1.\ P\ ((3\ /\ 4)\ *\ (8\ /\ 15))\isanewline
+\isacommand{apply} simp\isanewline
+\ 1.\ P\ (2\ /\ 5)
+\end{isabelle}
+Exponentiation can express floating-point values such as
+\isa{2 * 10\isacharcircum6}, which will be simplified to integers.
+
+\begin{warn}
+Types \isa{rat}, \isa{real} and \isa{complex} are provided by theory HOL-Complex, which is
+Main extended with a definitional development of the rational, real and complex
+numbers. Base your theory upon theory \thydx{Complex_Main}, not the
+usual \isa{Main}.%
+\end{warn}
+
+Available in the logic HOL-NSA is the
+theory \isa{Hyperreal}, which define the type \tydx{hypreal} of
+\rmindex{non-standard reals}. These
+\textbf{hyperreals} include infinitesimals, which represent infinitely
+small and infinitely large quantities; they facilitate proofs
+about limits, differentiation and integration~\cite{fleuriot-jcm}. The
+development defines an infinitely large number, \isa{omega} and an
+infinitely small positive number, \isa{epsilon}. The
+relation $x\approx y$ means ``$x$ is infinitely close to~$y$.''
+Theory \isa{Hyperreal} also defines transcendental functions such as sine,
+cosine, exponential and logarithm --- even the versions for type
+\isa{real}, because they are defined using nonstandard limits.%
+\index{rational numbers|)}\index{*rat (type)|)}%
+\index{real numbers|)}\index{*real (type)|)}%
+\index{complex numbers|)}\index{*complex (type)|)}
+
+
+\subsection{The Numeric Type Classes}\label{sec:numeric-classes}
+
+Isabelle/HOL organises its numeric theories using axiomatic type classes.
+Hundreds of basic properties are proved in the theory \isa{Ring_and_Field}.
+These lemmas are available (as simprules if they were declared as such)
+for all numeric types satisfying the necessary axioms. The theory defines
+dozens of type classes, such as the following:
+\begin{itemize}
+\item
+\tcdx{semiring} and \tcdx{ordered_semiring}: a \emph{semiring}
+provides the associative operators \isa{+} and~\isa{*}, with \isa{0} and~\isa{1}
+as their respective identities. The operators enjoy the usual distributive law,
+and addition (\isa{+}) is also commutative.
+An \emph{ordered semiring} is also linearly
+ordered, with addition and multiplication respecting the ordering. Type \isa{nat} is an ordered semiring.
+\item
+\tcdx{ring} and \tcdx{ordered_ring}: a \emph{ring} extends a semiring
+with unary minus (the additive inverse) and subtraction (both
+denoted~\isa{-}). An \emph{ordered ring} includes the absolute value
+function, \cdx{abs}. Type \isa{int} is an ordered ring.
+\item
+\tcdx{field} and \tcdx{ordered_field}: a field extends a ring with the
+multiplicative inverse (called simply \cdx{inverse} and division~(\isa{/})).
+An ordered field is based on an ordered ring. Type \isa{complex} is a field, while type \isa{real} is an ordered field.
+\item
+\tcdx{division_by_zero} includes all types where \isa{inverse 0 = 0}
+and \isa{a / 0 = 0}. These include all of Isabelle's standard numeric types.
+However, the basic properties of fields are derived without assuming
+division by zero.
+\end{itemize}
+
+Hundreds of basic lemmas are proved, each of which
+holds for all types in the corresponding type class. In most
+cases, it is obvious whether a property is valid for a particular type. No
+abstract properties involving subtraction hold for type \isa{nat};
+instead, theorems such as
+\isa{diff_mult_distrib} are proved specifically about subtraction on
+type~\isa{nat}. All abstract properties involving division require a field.
+Obviously, all properties involving orderings required an ordered
+structure.
+
+The class \tcdx{ring_no_zero_divisors} of rings without zero divisors satisfies a number of natural cancellation laws, the first of which characterizes this class:
+\begin{isabelle}
+(a\ *\ b\ =\ (0::'a))\ =\ (a\ =\ (0::'a)\ \isasymor \ b\ =\ (0::'a))
+\rulename{mult_eq_0_iff}\isanewline
+(a\ *\ c\ =\ b\ *\ c)\ =\ (c\ =\ (0::'a)\ \isasymor \ a\ =\ b)
+\rulename{mult_cancel_right}
+\end{isabelle}
+\begin{pgnote}
+Setting the flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
+\pgmenu{Show Sorts} will display the type classes of all type variables.
+\end{pgnote}
+\noindent
+Here is how the theorem \isa{mult_cancel_left} appears with the flag set.
+\begin{isabelle}
+((c::'a::ring_no_zero_divisors)\ *\ (a::'a::ring_no_zero_divisors) =\isanewline
+\ c\ *\ (b::'a::ring_no_zero_divisors))\ =\isanewline
+(c\ =\ (0::'a::ring_no_zero_divisors)\ \isasymor\ a\ =\ b)
+\end{isabelle}
+
+
+\subsubsection{Simplifying with the AC-Laws}
+Suppose that two expressions are equal, differing only in
+associativity and commutativity of addition. Simplifying with the
+following equations sorts the terms and groups them to the right, making
+the two expressions identical.
+\begin{isabelle}
+a\ +\ b\ +\ c\ =\ a\ +\ (b\ +\ c)
+\rulenamedx{add_assoc}\isanewline
+a\ +\ b\ =\ b\ +\ a%
+\rulenamedx{add_commute}\isanewline
+a\ +\ (b\ +\ c)\ =\ b\ +\ (a\ +\ c)
+\rulename{add_left_commute}
+\end{isabelle}
+The name \isa{add_ac}\index{*add_ac (theorems)}
+refers to the list of all three theorems; similarly
+there is \isa{mult_ac}.\index{*mult_ac (theorems)}
+They are all proved for semirings and therefore hold for all numeric types.
+
+Here is an example of the sorting effect. Start
+with this goal, which involves type \isa{nat}.
+\begin{isabelle}
+\ 1.\ Suc\ (i\ +\ j\ *\ l\ *\ k\ +\ m\ *\ n)\ =\
+f\ (n\ *\ m\ +\ i\ +\ k\ *\ j\ *\ l)
+\end{isabelle}
+%
+Simplify using \isa{add_ac} and \isa{mult_ac}.
+\begin{isabelle}
+\isacommand{apply}\ (simp\ add:\ add_ac\ mult_ac)
+\end{isabelle}
+%
+Here is the resulting subgoal.
+\begin{isabelle}
+\ 1.\ Suc\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))\
+=\ f\ (i\ +\ (m\ *\ n\ +\ j\ *\ (k\ *\ l)))%
+\end{isabelle}
+
+
+\subsubsection{Division Laws for Fields}
+
+Here is a selection of rules about the division operator. The following
+are installed as default simplification rules in order to express
+combinations of products and quotients as rational expressions:
+\begin{isabelle}
+a\ *\ (b\ /\ c)\ =\ a\ *\ b\ /\ c
+\rulename{times_divide_eq_right}\isanewline
+b\ /\ c\ *\ a\ =\ b\ *\ a\ /\ c
+\rulename{times_divide_eq_left}\isanewline
+a\ /\ (b\ /\ c)\ =\ a\ *\ c\ /\ b
+\rulename{divide_divide_eq_right}\isanewline
+a\ /\ b\ /\ c\ =\ a\ /\ (b\ *\ c)
+\rulename{divide_divide_eq_left}
+\end{isabelle}
+
+Signs are extracted from quotients in the hope that complementary terms can
+then be cancelled:
+\begin{isabelle}
+-\ (a\ /\ b)\ =\ -\ a\ /\ b
+\rulename{minus_divide_left}\isanewline
+-\ (a\ /\ b)\ =\ a\ /\ -\ b
+\rulename{minus_divide_right}
+\end{isabelle}
+
+The following distributive law is available, but it is not installed as a
+simplification rule.
+\begin{isabelle}
+(a\ +\ b)\ /\ c\ =\ a\ /\ c\ +\ b\ /\ c%
+\rulename{add_divide_distrib}
+\end{isabelle}
+
+
+\subsubsection{Absolute Value}
+
+The \rmindex{absolute value} function \cdx{abs} is available for all
+ordered rings, including types \isa{int}, \isa{rat} and \isa{real}.
+It satisfies many properties,
+such as the following:
+\begin{isabelle}
+\isasymbar x\ *\ y\isasymbar \ =\ \isasymbar x\isasymbar \ *\ \isasymbar y\isasymbar
+\rulename{abs_mult}\isanewline
+(\isasymbar a\isasymbar \ \isasymle \ b)\ =\ (a\ \isasymle \ b\ \isasymand \ -\ a\ \isasymle \ b)
+\rulename{abs_le_iff}\isanewline
+\isasymbar a\ +\ b\isasymbar \ \isasymle \ \isasymbar a\isasymbar \ +\ \isasymbar b\isasymbar
+\rulename{abs_triangle_ineq}
+\end{isabelle}
+
+\begin{warn}
+The absolute value bars shown above cannot be typed on a keyboard. They
+can be entered using the X-symbol package. In \textsc{ascii}, type \isa{abs x} to
+get \isa{\isasymbar x\isasymbar}.
+\end{warn}
+
+
+\subsubsection{Raising to a Power}
+
+Another type class, \tcdx{ordered\_idom}, specifies rings that also have
+exponentation to a natural number power, defined using the obvious primitive
+recursion. Theory \thydx{Power} proves various theorems, such as the
+following.
+\begin{isabelle}
+a\ \isacharcircum \ (m\ +\ n)\ =\ a\ \isacharcircum \ m\ *\ a\ \isacharcircum \ n%
+\rulename{power_add}\isanewline
+a\ \isacharcircum \ (m\ *\ n)\ =\ (a\ \isacharcircum \ m)\ \isacharcircum \ n%
+\rulename{power_mult}\isanewline
+\isasymbar a\ \isacharcircum \ n\isasymbar \ =\ \isasymbar a\isasymbar \ \isacharcircum \ n%
+\rulename{power_abs}
+\end{isabelle}%%%%%%%%%%%%%%%%%%%%%%%%%
+\index{numbers|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/pghead.eps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,73 @@
+%!PS-Adobe-3.0 EPSF-3.0
%%Title: (portrait-head copy)
%%Version: 1 6
%%Creator: Adobe Acrobat 7.0
%%CreationDate: 26/05/2005 09:00
%%DocumentData: Clean7Bit
%%LanguageLevel: 2
%%ADO_ContainsXMP: MainFirst
%%BoundingBox: 172 54 468 463
%%HiResBoundingBox: 172.0 54.0 468.0 463.0
%%Pages: 0
%%DocumentProcessColors: Black
%%DocumentSuppliedResources:
%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
%%EndComments
%%BeginProlog
%%EndProlog
%%BeginSetup
%ADOPrintSettings: L2 W0 VM op crd os scsa T h ef bg ucr sf ef r b fa pr seps ttf hb EF t2 irt Printer/PostScript Color Management 0
+
%%BeginResource: procset l2check 6.0 1
%%Copyright: Copyright 1993,2001 Adobe Systems Incorporated. All Rights Reserved.
systemdict /languagelevel known
{ systemdict /languagelevel get 1 eq }
{ true }
ifelse
{
initgraphics /Helvetica findfont 18 scalefont setfont
72 600 moveto (Error: This application does not support) dup show
72 580 moveto (printing to a PostScript Language Level 1 printer.) dup show
exch = =
/Times-Roman findfont 16 scalefont setfont
72 500 moveto (As a workaround, try selecting Print As Image from) show
72 480 moveto (the Advanced Print dialog.) show
showpage
quit
}
if
%%EndResource
/currentpacking where{pop currentpacking true setpacking}if
%%BeginResource: procset pdfvars 6.0 1
%%Copyright: Copyright 1987-2002 Adobe Systems Incorporated. All Rights Reserved.
%%Title: definition of dictionary of variables used by PDF & PDFText procsets
userdict /PDF 162 dict put
userdict /PDFVars 89 dict dup begin put
/docSetupDone false def
/InitAll 0 def
/TermAll 0 def
/DocInitAll 0 def
/DocTermAll 0 def
/_pdfEncodings 2 array def
/_pdf_str1 1 string def
/_pdf_i 0 def
/_pdf_na 0 def
/_pdf_showproc 0 def
/_italMtx [1 0 .212557 1 0 0] def
/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
/_italMtxType0 [1 0 .1062785 1 0 0] def
/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
/_basefont 0 def
/_basefonto 0 def
/_pdf_oldCIDInit null def
/_pdf_FontDirectory 30 dict def
/_categories 10 dict def
/_sa? true def
/_ColorSep5044? false def
/nulldict 0 dict def
/_processColors 0 def
/overprintstack null def
/_defaulttransfer currenttransfer def
/_defaultflatness currentflat def
/_defaulthalftone null def
/_defaultcolortransfer null def
/_defaultblackgeneration null def
/_defaultundercolorremoval null def
/_defaultcolortransfer null def
PDF begin
[/c/cs/cm/d/d0/f/h/i/j/J/l/m/M/n/q/Q/re/ri/S/sc/sh/Tf/w/W
/applyInterpFunc/applystitchFunc/domainClip/encodeInput
/initgs/int/limit/rangeClip
/defineRes/undefineRes/findRes/setSA/pl
/? /! /| /: /+ /GetGlyphDirectory
/pdf_flushFilters /pdf_readstring /pdf_dictOp /pdf_image /pdf_maskedImage
/pdf_shfill /pdf_sethalftone
] {null def} bind forall
end
end
%%EndResource
PDFVars begin PDF begin
%%BeginResource: procset pdfutil 6.0 1
%%Copyright: Copyright 1993-2001 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Basic utilities used by other PDF procsets
/bd {bind def} bind def
/ld {load def} bd
/bld {
dup length dict begin
{ null def } forall
bind
end
def
} bd
/dd { PDFVars 3 1 roll put } bd
/xdd { exch dd } bd
/Level2?
systemdict /languagelevel known
{ systemdict /languagelevel get 2 ge } { false } ifelse
def
/Level1? Level2? not def
/Level3?
systemdict /languagelevel known
{systemdict /languagelevel get 3 eq } { false } ifelse
def
/getifknown {
2 copy known { get true } { pop pop false } ifelse
} bd
/here {
currentdict exch getifknown
} bd
/isdefined? { where { pop true } { false } ifelse } bd
%%EndResource
%%BeginResource: procset pdf 6.0 1
%%Copyright: Copyright 1998-2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: General operators for PDF, common to all Language Levels.
/cm { matrix astore concat } bd
/d /setdash ld
/f /fill ld
/h /closepath ld
/i {dup 0 eq {pop _defaultflatness} if setflat} bd
/j /setlinejoin ld
/J /setlinecap ld
/M /setmiterlimit ld
/n /newpath ld
/S /stroke ld
/w /setlinewidth ld
/W /clip ld
/sg /setgray ld
/initgs {
0 setgray
[] 0 d
0 j
0 J
10 M
1 w
false setSA
/_defaulttransfer load settransfer
0 i
/RelativeColorimetric ri
newpath
} bd
/int {
dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
exch pop add exch pop
} bd
/limit {
dup 2 index le { exch } if pop
dup 2 index ge { exch } if pop
} bd
/domainClip {
Domain aload pop 3 2 roll
limit
} [/Domain] bld
/applyInterpFunc {
0 1 DimOut 1 sub
{
dup C0 exch get exch
dup C1 exch get exch
3 1 roll
1 index sub
3 index
N exp mul add
exch
currentdict /Range_lo known
{
dup Range_lo exch get exch
Range_hi exch get
3 2 roll limit
}
{
pop
}
ifelse
exch
} for
pop
} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
/encodeInput {
NumParts 1 sub
0 1 2 index
{
dup Bounds exch get
2 index gt
{ exit }
{ dup
3 index eq
{ exit }
{ pop } ifelse
} ifelse
} for
3 2 roll pop
dup Bounds exch get exch
dup 1 add Bounds exch get exch
2 mul
dup Encode exch get exch
1 add Encode exch get
int
} [/NumParts /Bounds /Encode] bld
/rangeClip {
exch dup Range_lo exch get
exch Range_hi exch get
3 2 roll
limit
} [/Range_lo /Range_hi] bld
/applyStitchFunc {
Functions exch get exec
currentdict /Range_lo known {
0 1 DimOut 1 sub {
DimOut 1 add -1 roll
rangeClip
} for
} if
} [/Functions /Range_lo /DimOut] bld
/pdf_flushfilters
{
aload length
{ dup status
1 index currentfile ne and
{ dup flushfile closefile }
{ pop }
ifelse
} repeat
} bd
/pdf_readstring
{
1 index dup length 1 sub get
exch readstring pop
exch pdf_flushfilters
} bind def
/pdf_dictOp
{
3 2 roll
10 dict copy
begin
_Filters dup length 1 sub get def
currentdict exch exec
_Filters pdf_flushfilters
end
} [/_Filters] bld
/pdf_imagemask {{imagemask} /DataSource pdf_dictOp} bd
/pdf_shfill {{sh} /DataSource pdf_dictOp} bd
/pdf_sethalftone {{sethalftone} /Thresholds pdf_dictOp} bd
/masks [ 2#10000000
2#11000000
2#11100000
2#11110000
2#11111000
2#11111100
2#11111110
2#11111111 ] def
/addNBits
{
/numBits exch def
/byte exch def
OutBitOffset numBits add 8 gt
{
byte OutBitOffset 8 sub bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutByteIndex OutByteIndex 1 add def
/bitsDoneSoFar OutBitOffset def
/OutBitOffset numBits 8 OutBitOffset sub sub def
OutBitOffset 0 gt
{
byte bitsDoneSoFar bitshift
masks numBits bitsDoneSoFar sub get and
OutBuffer OutByteIndex 3 -1 roll put
} if
}
{
byte masks numBits 1 sub get and
OutBitOffset neg bitshift
OutBuffer OutByteIndex get or
OutBuffer OutByteIndex 3 -1 roll put
/OutBitOffset OutBitOffset numBits add def
OutBitOffset 8 eq
{
/OutBitOffset 0 def
/OutByteIndex OutByteIndex 1 add def
} if
} ifelse
} bind def
/DevNNFilter
{
/InBuffer Width NumComps mul BitsPerComponent mul 7 add 8 idiv string def
AllSource InBuffer readstring pop pop
/outlen Width NewNumComps mul BitsPerComponent mul 7 add 8 idiv def
/OutBuffer outlen string def
0 1 outlen 1 sub { OutBuffer exch 0 put } for
/InByteIndex 0 def
/InBitOffset 0 def
/OutByteIndex 0 def
/OutBitOffset 0 def
/KeepArray NumComps array def
0 1 NumComps 1 sub { KeepArray exch true put } for
DevNNones { KeepArray exch false put } forall
Width {
KeepArray
{
{
/bitsLeft BitsPerComponent def
{
bitsLeft 0 le { exit } if
/bitsToDo 8 InBitOffset sub dup bitsLeft gt { pop bitsLeft } if def
InBuffer InByteIndex get
InBitOffset bitshift
bitsToDo addNBits
/bitsLeft bitsLeft bitsToDo sub def
InBitOffset bitsToDo add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
} loop
}
{
InBitOffset BitsPerComponent add
dup 8 mod /InBitOffset exch def
8 idiv InByteIndex add /InByteIndex exch def
}
ifelse
}
forall
} repeat
OutBuffer
} bd
/pdf_image
{
20 dict copy
begin
/UnusedNones where { /UnusedNones get}{false} ifelse
{
/NumComps Decode length 2 div cvi def
/OrigDecode Decode def
/NumNones DevNNones length def
/NewNumComps NumComps NumNones sub def
/Decode NewNumComps 2 mul cvi array def
/devNNindx 0 def
/decIndx 0 def
/cmpIndx 0 def
NumComps {
cmpIndx DevNNones devNNindx get eq
{
/devNNindx devNNindx 1 add dup NumNones eq {pop 0} if def
}
{
Decode decIndx OrigDecode cmpIndx 2 mul get put
Decode decIndx 1 add OrigDecode cmpIndx 2 mul 1 add get put
/decIndx decIndx 2 add def
} ifelse
/cmpIndx cmpIndx 1 add def
} repeat
_Filters dup length 1 sub get /AllSource exch def
/DataSource { DevNNFilter } def
}
{ _Filters dup length 1 sub get /DataSource exch def }
ifelse
currentdict image
_Filters pdf_flushfilters
end
} bd
/pdf_maskedImage
{
10 dict copy begin
/miDict currentdict def
/DataDict DataDict 10 dict copy def
DataDict begin
/DataSource
_Filters dup length 1 sub get
def
miDict image
_Filters pdf_flushfilters
end
miDict /InterleaveType get 3 eq
{ MaskDict /DataSource get dup type /filetype eq { closefile } { pop } ifelse }
if
end
} [/miDict /DataDict /_Filters] bld
/RadialShade {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/r2 exch def
/c2y exch def
/c2x exch def
/r1 exch def
/c1y exch def
/c1x exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
c1x c2x eq
{
c1y c2y lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope c2y c1y sub c2x c1x sub div def
/theta slope 1 atan def
c2x c1x lt c2y c1y ge and { /theta theta 180 sub def} if
c2x c1x lt c2y c1y lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
c1x c1y translate
theta rotate
-90 rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
/max { 2 copy gt { pop } {exch pop} ifelse } bind def
/min { 2 copy lt { pop } {exch pop} ifelse } bind def
rampdict begin
40 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
c1x c1y translate
theta rotate
-90 rotate
/c2y c1x c2x sub dup mul c1y c2y sub dup mul add sqrt def
/c1y 0 def
/c1x 0 def
/c2x 0 def
ext0 {
0 getrampcolor
c2y r2 add r1 sub 0.0001 lt
{
c1x c1y r1 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2y r1 add r2 le
{
c1x c1y r1 0 360 arc
fill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r1 neg def
/p1y c1y def
/p2x r1 def
/p2y c1y def
p1x p1y moveto p2x p2y lineto p2x yMin lineto p1x yMin lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r1 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y p1x SS1 div neg def
/SS2 90 theta sub dup sin exch cos div def
/p2x r1 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y p2x SS2 div neg def
r1 r2 gt
{
/L1maxX p1x yMin p1y sub SS1 div add def
/L2maxX p2x yMin p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
c1x c2x sub dup mul
c1y c2y sub dup mul
add 0.5 exp
0 dtransform
dup mul exch dup mul add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
/hires exch def
hires mul
/numpix exch def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
/xInc c2x c1x sub numsteps div def
/yInc c2y c1y sub numsteps div def
/rInc r2 r1 sub numsteps div def
/cx c1x def
/cy c1y def
/radius r1 def
newpath
xInc 0 eq yInc 0 eq rInc 0 eq and and
{
0 getrampcolor
cx cy radius 0 360 arc
stroke
NumSamples 1 sub getrampcolor
cx cy radius 72 hires div add 0 360 arc
0 setlinewidth
stroke
}
{
0
numsteps
{
dup
subsampling { round } if
getrampcolor
cx cy radius 0 360 arc
/cx cx xInc add def
/cy cy yInc add def
/radius radius rInc add def
cx cy radius 360 0 arcn
eofill
rampIndxInc add
}
repeat
pop
} ifelse
ext1 {
c2y r2 add r1 lt
{
c2x c2y r2 0 360 arc
fill
}
{
c2y r1 add r2 sub 0.0001 le
{
c2x c2y r2 360 0 arcn
pathbbox
/aymax exch def
/axmax exch def
/aymin exch def
/axmin exch def
/bxMin xMin axmin min def
/byMin yMin aymin min def
/bxMax xMax axmax max def
/byMax yMax aymax max def
bxMin byMin moveto
bxMax byMin lineto
bxMax byMax lineto
bxMin byMax lineto
bxMin byMin lineto
eofill
}
{
c2x c2y r2 0 360 arc fill
r1 r2 eq
{
/p1x r2 neg def
/p1y c2y def
/p2x r2 def
/p2y c2y def
p1x p1y moveto p2x p2y lineto p2x yMax lineto p1x yMax lineto
fill
}
{
/AA r2 r1 sub c2y div def
AA -1 eq
{ /theta 89.99 def}
{ /theta AA 1 AA dup mul sub sqrt div 1 atan def}
ifelse
/SS1 90 theta add dup sin exch cos div def
/p1x r2 SS1 SS1 mul SS1 SS1 mul 1 add div sqrt mul neg def
/p1y c2y p1x SS1 div sub def
/SS2 90 theta sub dup sin exch cos div def
/p2x r2 SS2 SS2 mul SS2 SS2 mul 1 add div sqrt mul def
/p2y c2y p2x SS2 div sub def
r1 r2 lt
{
/L1maxX p1x yMax p1y sub SS1 div add def
/L2maxX p2x yMax p2y sub SS2 div add def
}
{
/L1maxX 0 def
/L2maxX 0 def
}ifelse
p1x p1y moveto p2x p2y lineto L2maxX L2maxX p2x sub SS2 mul p2y add lineto
L1maxX L1maxX p1x sub SS1 mul p1y add lineto
fill
}
ifelse
}
ifelse
} ifelse
} if
grestore
grestore
end
end
end
} ifelse
} bd
/GenStrips {
40 dict begin
/background exch def
/ext1 exch def
/ext0 exch def
/BBox exch def
/y2 exch def
/x2 exch def
/y1 exch def
/x1 exch def
/rampdict exch def
gsave
BBox length 0 gt {
newpath
BBox 0 get BBox 1 get moveto
BBox 2 get BBox 0 get sub 0 rlineto
0 BBox 3 get BBox 1 get sub rlineto
BBox 2 get BBox 0 get sub neg 0 rlineto
closepath
clip
newpath
} if
x1 x2 eq
{
y1 y2 lt {/theta 90 def}{/theta 270 def} ifelse
}
{
/slope y2 y1 sub x2 x1 sub div def
/theta slope 1 atan def
x2 x1 lt y2 y1 ge and { /theta theta 180 sub def} if
x2 x1 lt y2 y1 lt and { /theta theta 180 add def} if
}
ifelse
gsave
clippath
x1 y1 translate
theta rotate
{ pathbbox } stopped
{ 0 0 0 0 } if
/yMax exch def
/xMax exch def
/yMin exch def
/xMin exch def
grestore
xMax xMin eq yMax yMin eq or
{
grestore
end
}
{
rampdict begin
20 dict begin
background length 0 gt { background sssetbackground gsave clippath fill grestore } if
gsave
x1 y1 translate
theta rotate
/xStart 0 def
/xEnd x2 x1 sub dup mul y2 y1 sub dup mul add 0.5 exp def
/ySpan yMax yMin sub def
/numsteps NumSamples def
/rampIndxInc 1 def
/subsampling false def
xStart 0 transform
xEnd 0 transform
3 -1 roll
sub dup mul
3 1 roll
sub dup mul
add 0.5 exp 72 div
0 72 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
72 0 matrix defaultmatrix dtransform dup mul exch dup mul add sqrt
1 index 1 index lt { exch } if pop
mul
/numpix exch def
numpix 0 ne
{
NumSamples numpix div 0.5 gt
{
/numsteps numpix 2 div round cvi dup 1 le { pop 2 } if def
/rampIndxInc NumSamples 1 sub numsteps div def
/subsampling true def
} if
} if
ext0 {
0 getrampcolor
xMin xStart lt
{ xMin yMin xMin neg ySpan rectfill } if
} if
/xInc xEnd xStart sub numsteps div def
/x xStart def
0
numsteps
{
dup
subsampling { round } if
getrampcolor
x yMin xInc ySpan rectfill
/x x xInc add def
rampIndxInc add
}
repeat
pop
ext1 {
xMax xEnd gt
{ xEnd yMin xMax xEnd sub ySpan rectfill } if
} if
grestore
grestore
end
end
end
} ifelse
} bd
/currentdistillerparams where { pop currentdistillerparams /CoreDistVersion get 5000 lt}{true}ifelse
{
/PDFMark5 {cleartomark} bd
}
{
/PDFMark5 {pdfmark} bd
}ifelse
/ReadByPDFMark5
{
2 dict begin
/makerString exch def string /tmpString exch def
{
currentfile tmpString readline pop
makerString anchorsearch
{
pop pop cleartomark exit
}
{
3 copy /PUT PDFMark5 pop 2 copy (\n) /PUT PDFMark5
} ifelse
}loop
end
}bd
%%EndResource
%%BeginResource: procset pdflev2 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: PDF operators, with code specific for Level 2
/docinitialize {
PDF begin
/_defaulthalftone currenthalftone dd
/_defaultblackgeneration currentblackgeneration dd
/_defaultundercolorremoval currentundercolorremoval dd
/_defaultcolortransfer [currentcolortransfer] dd
/_defaulttransfer currenttransfer dd
end
PDFVars /docSetupDone true put
} bd
/initialize {
PDFVars /docSetupDone get {
_defaulthalftone sethalftone
/_defaultblackgeneration load setblackgeneration
/_defaultundercolorremoval load setundercolorremoval
_defaultcolortransfer aload pop setcolortransfer
} if
false setoverprint
} bd
/terminate { } bd
/c /curveto ld
/cs /setcolorspace ld
/l /lineto ld
/m /moveto ld
/q /gsave ld
/Q /grestore ld
/sc /setcolor ld
/setSA/setstrokeadjust ld
/re {
4 2 roll m
1 index 0 rlineto
0 exch rlineto
neg 0 rlineto
h
} bd
/concattransferfuncs {
[ 3 1 roll /exec load exch /exec load ] cvx
} bd
/concatandsettransfer {
/_defaulttransfer load concattransferfuncs settransfer
} bd
/concatandsetcolortransfer {
_defaultcolortransfer aload pop
8 -1 roll 5 -1 roll concattransferfuncs 7 1 roll
6 -1 roll 4 -1 roll concattransferfuncs 5 1 roll
4 -1 roll 3 -1 roll concattransferfuncs 3 1 roll
concattransferfuncs
setcolortransfer
} bd
/defineRes/defineresource ld
/undefineRes/undefineresource ld
/findRes/findresource ld
currentglobal
true systemdict /setglobal get exec
[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource /Image]
{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
forall
systemdict /setglobal get exec
/ri
{
/findcolorrendering isdefined?
{
mark exch
findcolorrendering
counttomark 2 eq
{ type /booleantype eq
{ dup type /nametype eq
{ dup /ColorRendering resourcestatus
{ pop pop
dup /DefaultColorRendering ne
{
/ColorRendering findresource
setcolorrendering
} if
} if
} if
} if
} if
cleartomark
}
{ pop
} ifelse
} bd
/knownColorants? {
pop false
} bd
/getrampcolor {
cvi
/indx exch def
0 1 NumComp 1 sub {
dup
Samples exch get
dup type /stringtype eq { indx get } if
exch
Scaling exch get aload pop
3 1 roll
mul add
} for
setcolor
} bd
/sssetbackground { aload pop setcolor } bd
%%EndResource
%%BeginResource: procset pdftext 6.0 1
%%Copyright: Copyright 1987-2001,2003 Adobe Systems Incorporated. All Rights Reserved.
%%Title: Text operators for PDF
PDF /PDFText 78 dict dup begin put
/docinitialize
{
/resourcestatus where {
pop
/CIDParams /ProcSet resourcestatus {
pop pop
false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
} if
} if
PDF begin
PDFText /_pdfDefineIdentity-H known
{ PDFText /_pdfDefineIdentity-H get exec}
if
end
} bd
/initialize {
PDFText begin
} bd
/terminate { end } bd
Level2?
{
/_safeput
{
3 -1 roll load 3 1 roll put
}
bd
}
{
/_safeput
{
2 index load dup dup length exch maxlength ge
{ dup length 5 add dict copy
3 index xdd
}
{ pop }
ifelse
3 -1 roll load 3 1 roll put
}
bd
}
ifelse
/pdf_has_composefont? systemdict /composefont known def
/CopyFont {
{
1 index /FID ne 2 index /UniqueID ne and
{ def } { pop pop } ifelse
} forall
} bd
/Type0CopyFont
{
exch
dup length dict
begin
CopyFont
[
exch
FDepVector
{
dup /FontType get 0 eq
{
1 index Type0CopyFont
/_pdfType0 exch definefont
}
{
/_pdfBaseFont exch
2 index exec
}
ifelse
exch
}
forall
pop
]
/FDepVector exch def
currentdict
end
} bd
Level2? {currentglobal true setglobal} if
/cHexEncoding
[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
Level2? {setglobal} if
/modEnc {
/_enc xdd
/_icode 0 dd
counttomark 1 sub -1 0
{
index
dup type /nametype eq
{
_enc _icode 3 -1 roll put
_icode 1 add
}
if
/_icode xdd
} for
cleartomark
_enc
} bd
/trEnc {
/_enc xdd
255 -1 0 {
exch dup -1 eq
{ pop /.notdef }
{ Encoding exch get }
ifelse
_enc 3 1 roll put
} for
pop
_enc
} bd
/TE {
/_i xdd
StandardEncoding 256 array copy modEnc
_pdfEncodings exch _i exch put
} bd
Level2?
{
/pdfPatchCStrings
{
currentdict /CharStrings known currentdict /FontType known and
{
FontType 1 eq CharStrings type /dicttype eq and
{
CharStrings /mu known CharStrings /mu1 known not and CharStrings wcheck and
{
CharStrings /mu get
type /stringtype eq
{
currentglobal
CharStrings /mu1
CharStrings /mu get
dup gcheck setglobal
dup length string copy
put
setglobal
} if
} if
} if
} if
} bd
}
{ /pdfPatchCStrings {} bd }
ifelse
/TZ
{
/_usePDFEncoding xdd
findfont
dup length 6 add dict
begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
/pdf_origFontName FontName def
/FontName exch def
currentdict /PaintType known
{ PaintType 2 eq {/PaintType 0 def} if }
if
_usePDFEncoding 0 ge
{
/Encoding _pdfEncodings _usePDFEncoding get def
pop
}
{
_usePDFEncoding -1 eq
{
counttomark 0 eq
{ pop }
{
Encoding 256 array copy
modEnc /Encoding exch def
}
ifelse
}
{
256 array
trEnc /Encoding exch def
}
ifelse
}
ifelse
pdf_EuroProcSet pdf_origFontName known
{
pdf_origFontName pdf_AddEuroGlyphProc
} if
Level2?
{
currentdict /pdf_origFontName undef
} if
FontName currentdict
end
definefont pop
}
bd
Level2?
{
/TZG
{
currentglobal true setglobal
2 index _pdfFontStatus
{
2 index findfont
false setglobal
3 index findfont
true setglobal
ne
{
2 index findfont dup rcheck
{
dup length dict begin
{
1 index /FID ne { def } { pop pop } ifelse
} forall
pdfPatchCStrings
currentdict end
}
if
3 index exch definefont pop
}
if
} if
setglobal
TZ
} bd
}
{
/TZG {TZ} bd
} ifelse
Level2?
{
currentglobal false setglobal
userdict /pdftext_data 5 dict put
pdftext_data
begin
/saveStacks
{
pdftext_data
begin
/vmmode currentglobal def
false setglobal
count array astore /os exch def
end
countdictstack array dictstack pdftext_data exch /ds exch put
cleardictstack pdftext_data /dscount countdictstack put
pdftext_data /vmmode get setglobal
} bind def
/restoreStacks
{
pdftext_data /vmmode currentglobal put false setglobal
clear cleardictstack
pdftext_data /ds get dup
pdftext_data /dscount get 1 2 index length 1 sub
{ get begin dup } for
pop pop
pdftext_data /os get aload pop
pdftext_data /vmmode get setglobal
} bind def
/testForClonePrinterBug
{
currentglobal true setglobal
/undefinedCategory /Generic /Category findresource
dup length dict copy /Category defineresource pop
setglobal
pdftext_data /saveStacks get exec
pdftext_data /vmmode currentglobal put false setglobal
/undefined /undefinedCategory { resourcestatus } stopped
pdftext_data exch /bugFound exch put
pdftext_data /vmmode get setglobal
pdftext_data /restoreStacks get exec
pdftext_data /bugFound get
} bind def
end
setglobal
/pdf_resourcestatus
pdftext_data /testForClonePrinterBug get exec
{
{
pdftext_data /saveStacks get exec
pdftext_data /os get dup dup length 1 sub
dup 1 sub dup 0 lt { pop 0 } if
exch 1 exch { get exch dup } for
pop pop
{ resourcestatus }
stopped
{
clear cleardictstack pdftext_data /restoreStacks get exec
{ pop pop } stopped pop false
}
{
count array astore pdftext_data exch /results exch put
pdftext_data /restoreStacks get exec pop pop
pdftext_data /results get aload pop
}
ifelse
}
}
{ { resourcestatus } }
ifelse
bd
}
if
Level2?
{
/_pdfUndefineResource
{
currentglobal 3 1 roll
_pdf_FontDirectory 2 index 2 copy known
{undef}
{pop pop}
ifelse
1 index (pdf) exch _pdfConcatNames 1 index
1 index 1 _pdfConcatNames 1 index
5 index 1 _pdfConcatNames 1 index
4
{
2 copy pdf_resourcestatus
{
pop 2 lt
{2 copy findresource gcheck setglobal undefineresource}
{pop pop}
ifelse
}
{ pop pop}
ifelse
} repeat
setglobal
} bd
}
{
/_pdfUndefineResource { pop pop} bd
}
ifelse
Level2?
{
/_pdfFontStatus
{
currentglobal exch
/Font pdf_resourcestatus
{pop pop true}
{false}
ifelse
exch setglobal
} bd
}
{
/_pdfFontStatusString 50 string def
_pdfFontStatusString 0 (fonts/) putinterval
/_pdfFontStatus
{
FontDirectory 1 index known
{ pop true }
{
_pdfFontStatusString 6 42 getinterval
cvs length 6 add
_pdfFontStatusString exch 0 exch getinterval
{ status } stopped
{pop false}
{
{ pop pop pop pop true}
{ false }
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
Level2?
{
/_pdfCIDFontStatus
{
/CIDFont /Category pdf_resourcestatus
{
pop pop
/CIDFont pdf_resourcestatus
{pop pop true}
{false}
ifelse
}
{ pop false }
ifelse
} bd
}
if
/_pdfString100 100 string def
/_pdfComposeFontName
{
dup length 1 eq
{
0 get
1 index
type /nametype eq
{
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
2 index exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
exch pop
true
}
{
pop pop
false
}
ifelse
}
{
false
}
ifelse
dup {exch cvn exch} if
} bd
/_pdfConcatNames
{
exch
_pdfString100 cvs
length dup dup _pdfString100 exch (-) putinterval
_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
3 -1 roll exch cvs length
add 1 add _pdfString100 exch 0 exch getinterval
cvn
} bind def
/_pdfTextTempString 50 string def
/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
/_pdf_CheckCIDSystemInfo
{
1 index _pdfTextTempString cvs
(Identity) anchorsearch
{
pop pop pop pop true
}
{
false
_pdfRegOrderingArray
{
2 index exch
anchorsearch
{ pop pop pop true exit}
{ pop }
ifelse
}
forall
exch pop
exch /CIDFont findresource
/CIDSystemInfo get
3 -1 roll /CMap findresource
/CIDSystemInfo get
exch
3 -1 roll
{
2 copy
/Supplement get
exch
dup type /dicttype eq
{/Supplement get}
{pop 0 }
ifelse
ge
}
{ true }
ifelse
{
dup /Registry get
2 index /Registry get eq
{
/Ordering get
exch /Ordering get
dup type /arraytype eq
{
1 index type /arraytype eq
{
true
1 index length 1 sub -1 0
{
dup 2 index exch get exch 3 index exch get ne
{ pop false exit}
if
} for
exch pop exch pop
}
{ pop pop false }
ifelse
}
{
eq
}
ifelse
}
{ pop pop false }
ifelse
}
{ pop pop false }
ifelse
}
ifelse
} bind def
pdf_has_composefont?
{
/_pdfComposeFont
{
2 copy _pdfComposeFontName not
{
2 index
}
if
(pdf) exch _pdfConcatNames
dup _pdfFontStatus
{ dup findfont 5 2 roll pop pop pop true}
{
4 1 roll
1 index /CMap pdf_resourcestatus
{
pop pop
true
}
{false}
ifelse
1 index true exch
{
_pdfCIDFontStatus not
{pop false exit}
if
}
forall
and
{
1 index 1 index 0 get _pdf_CheckCIDSystemInfo
{
3 -1 roll pop
2 index 3 1 roll
composefont true
}
{
pop pop exch pop false
}
ifelse
}
{
_pdfComposeFontName
{
dup _pdfFontStatus
{
exch pop
1 index exch
findfont definefont true
}
{
pop exch pop
false
}
ifelse
}
{
exch pop
false
}
ifelse
}
ifelse
{ true }
{
dup _pdfFontStatus
{ dup findfont true }
{ pop false }
ifelse
}
ifelse
}
ifelse
} bd
}
{
/_pdfComposeFont
{
_pdfComposeFontName not
{
dup
}
if
dup
_pdfFontStatus
{exch pop dup findfont true}
{
1 index
dup type /nametype eq
{pop}
{cvn}
ifelse
eq
{pop false}
{
dup _pdfFontStatus
{dup findfont true}
{pop false}
ifelse
}
ifelse
}
ifelse
} bd
}
ifelse
/_pdfStyleDicts 4 dict dup begin
/Adobe-Japan1 4 dict dup begin
Level2?
{
/Serif
/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMin-W3}
{
/HeiseiMin-W3 _pdfCIDFontStatus
{/HeiseiMin-W3}
{/Ryumin-Light}
ifelse
}
ifelse
def
/SansSerif
/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
{/HeiseiKakuGo-W5}
{
/HeiseiKakuGo-W5 _pdfCIDFontStatus
{/HeiseiKakuGo-W5}
{/GothicBBB-Medium}
ifelse
}
ifelse
def
/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
{/HeiseiMaruGo-W4}
{
/HeiseiMaruGo-W4 _pdfCIDFontStatus
{/HeiseiMaruGo-W4}
{
/Jun101-Light-RKSJ-H _pdfFontStatus
{ /Jun101-Light }
{ SansSerif }
ifelse
}
ifelse
}
ifelse
/RoundSansSerif exch def
/Default Serif def
}
{
/Serif /Ryumin-Light def
/SansSerif /GothicBBB-Medium def
{
(fonts/Jun101-Light-83pv-RKSJ-H) status
}stopped
{pop}{
{ pop pop pop pop /Jun101-Light }
{ SansSerif }
ifelse
/RoundSansSerif exch def
}ifelse
/Default Serif def
}
ifelse
end
def
/Adobe-Korea1 4 dict dup begin
/Serif /HYSMyeongJo-Medium def
/SansSerif /HYGoThic-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-GB1 4 dict dup begin
/Serif /STSong-Light def
/SansSerif /STHeiti-Regular def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
/Adobe-CNS1 4 dict dup begin
/Serif /MKai-Medium def
/SansSerif /MHei-Medium def
/RoundSansSerif SansSerif def
/Default Serif def
end
def
end
def
/TZzero
{
/_wmode xdd
/_styleArr xdd
/_regOrdering xdd
3 copy
_pdfComposeFont
{
5 2 roll pop pop pop
}
{
[
0 1 _styleArr length 1 sub
{
_styleArr exch get
_pdfStyleDicts _regOrdering 2 copy known
{
get
exch 2 copy known not
{ pop /Default }
if
get
}
{
pop pop pop /Unknown
}
ifelse
}
for
]
exch pop
2 index 3 1 roll
_pdfComposeFont
{3 -1 roll pop}
{
findfont dup /FontName get exch
}
ifelse
}
ifelse
dup /WMode 2 copy known
{ get _wmode ne }
{ pop pop _wmode 1 eq}
ifelse
{
exch _wmode _pdfConcatNames
dup _pdfFontStatus
{ exch pop dup findfont false}
{ exch true }
ifelse
}
{
dup /FontType get 0 ne
}
ifelse
{
dup /FontType get 3 eq _wmode 1 eq and
{
_pdfVerticalRomanT3Font dup length 10 add dict copy
begin
/_basefont exch
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
if
def
FontName
currentdict
end
definefont
def
/Encoding _basefont /Encoding get def
/_fauxfont true def
}
{
dup length 3 add dict
begin
{1 index /FID ne {def}{pop pop} ifelse }
forall
FontType 0 ne
{
/Encoding Encoding dup length array copy
dup 16#27 /quotesingle put
dup 16#60 /grave put
_regOrdering /Adobe-Japan1 eq
{dup 16#5c /yen put}
if
def
/_fauxfont true def
} if
} ifelse
/WMode _wmode def
dup dup /FontName exch def
currentdict
end
definefont pop
}
{
pop
}
ifelse
/_pdf_FontDirectory 3 1 roll _safeput
}
bd
Level2?
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
selectfont
} bd
}
{
/Tf {
_pdf_FontDirectory 2 index 2 copy known
{get exch 3 -1 roll pop}
{pop pop}
ifelse
exch findfont exch
dup type /arraytype eq
{makefont}
{scalefont}
ifelse
setfont
} bd
}
ifelse
/cshow where
{
pop /pdf_cshow /cshow load dd
/pdf_remove2 {pop pop} dd
}
{
/pdf_cshow {exch forall} dd
/pdf_remove2 {} dd
} ifelse
/pdf_xshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_yshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
_pdf_x _pdf_y moveto
0 exch
rmoveto
}
ifelse
_pdf_i 1 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdf_xyshow
{
/_pdf_na xdd
/_pdf_i 0 dd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 /_pdf_showproc load exec
{_pdf_na _pdf_i get} stopped
{ pop pop }
{
{_pdf_na _pdf_i 1 add get} stopped
{ pop pop pop}
{
_pdf_x _pdf_y moveto
rmoveto
}
ifelse
}
ifelse
_pdf_i 2 add /_pdf_i xdd
currentpoint
/_pdf_y xdd
/_pdf_x xdd
}
exch
pdf_cshow
} bd
/pdfl1xs {/_pdf_showproc /show load dd pdf_xshow} bd
/pdfl1ys {/_pdf_showproc /show load dd pdf_yshow} bd
/pdfl1xys {/_pdf_showproc /show load dd pdf_xyshow} bd
Level2? _ColorSep5044? not and
{
/pdfxs {{xshow} stopped {pdfl1xs} if} bd
/pdfys {{yshow} stopped {pdfl1ys} if} bd
/pdfxys {{xyshow} stopped {pdfl1xys} if} bd
}
{
/pdfxs /pdfl1xs load dd
/pdfys /pdfl1ys load dd
/pdfxys /pdfl1xys load dd
} ifelse
/pdf_charpath {false charpath} bd
/pdf_xcharpath {/_pdf_showproc /pdf_charpath load dd pdf_xshow} bd
/pdf_ycharpath {/_pdf_showproc /pdf_charpath load dd pdf_yshow} bd
/pdf_xycharpath {/_pdf_showproc /pdf_charpath load dd pdf_xyshow} bd
/pdf_strokepath
{
{
pdf_remove2
_pdf_str1 exch 0 exch put
_pdf_str1 false charpath
currentpoint S moveto
} bind
exch pdf_cshow
} bd
/pdf_xstrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xshow} bd
/pdf_ystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_yshow} bd
/pdf_xystrokepath {/_pdf_showproc {pdf_charpath S} dd pdf_xyshow} bd
Level2? {currentglobal true setglobal} if
/d0/setcharwidth ld
/nND {{/.notdef} repeat} bd
/T3Defs {
/BuildChar
{
1 index /Encoding get exch get
1 index /BuildGlyph get exec
}
def
/BuildGlyph {
exch begin
GlyphProcs exch get exec
end
} def
/_pdfT3Font true def
} bd
/_pdfBoldRomanWidthProc
{
stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
0 0
} bd
/_pdfType0WidthProc
{
dup stringwidth 0 0 moveto
2 index true charpath pathbbox
0 -1
7 index 2 div .88
setcachedevice2
pop
0 0
} bd
/_pdfType0WMode1WidthProc
{
dup stringwidth
pop 2 div neg -0.88
2 copy
moveto
0 -1
5 -1 roll true charpath pathbbox
setcachedevice
} bd
/_pdfBoldBaseFont
11 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/Encoding cHexEncoding def
/_setwidthProc /_pdfBoldRomanWidthProc load def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
pdf_has_composefont?
{
/_pdfBoldBaseCIDFont
11 dict begin
/CIDFontType 1 def
/CIDFontName /_pdfBoldBaseCIDFont def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_setwidthProc /_pdfType0WidthProc load def
/_bcstr2 2 string def
/BuildGlyph
{
exch begin
_basefont setfont
_bcstr2 1 2 index 256 mod put
_bcstr2 0 3 -1 roll 256 idiv put
_bcstr2 dup _setwidthProc
3 copy
moveto
show
_basefonto setfont
moveto
show
end
}bd
currentdict
end
def
/_pdfDefineIdentity-H
{
/Identity-H /CMap PDFText /pdf_resourcestatus get exec
{
pop pop
}
{
/CIDInit/ProcSet findresource begin 12 dict begin
begincmap
/CIDSystemInfo
3 dict begin
/Registry (Adobe) def
/Ordering (Identity) def
/Supplement 0 def
currentdict
end
def
/CMapName /Identity-H def
/CMapVersion 1 def
/CMapType 1 def
1 begincodespacerange
<0000> <ffff>
endcodespacerange
1 begincidrange
<0000> <ffff> 0
endcidrange
endcmap
CMapName currentdict/CMap defineresource pop
end
end
} ifelse
} def
} if
/_pdfVerticalRomanT3Font
10 dict begin
/FontType 3 def
/FontMatrix[1 0 0 1 0 0]def
/FontBBox[0 0 1 1]def
/_bcstr1 1 string def
/BuildChar
{
exch begin
_basefont setfont
_bcstr1 dup 0 4 -1 roll put
dup
_pdfType0WidthProc
moveto
show
end
}bd
currentdict
end
def
Level2? {setglobal} if
/MakeBoldFont
{
dup /ct_SyntheticBold known
{
dup length 3 add dict begin
CopyFont
/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
/ct_SyntheticBold true def
currentdict
end
definefont
}
{
dup dup length 3 add dict
begin
CopyFont
/PaintType 2 def
/StrokeWidth .03 0 FontMatrix idtransform pop def
/dummybold currentdict
end
definefont
dup /FontType get dup 9 ge exch 11 le and
{
_pdfBoldBaseCIDFont
dup length 3 add dict copy begin
dup /CIDSystemInfo get /CIDSystemInfo exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefont exch def
/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
/_basefonto exch def
currentdict
end
/CIDFont defineresource
}
{
_pdfBoldBaseFont
dup length 3 add dict copy begin
/_basefont exch def
/_basefonto exch def
currentdict
end
definefont
}
ifelse
}
ifelse
} bd
/MakeBold {
1 index
_pdf_FontDirectory 2 index 2 copy known
{get}
{exch pop}
ifelse
findfont
dup
/FontType get 0 eq
{
dup /WMode known {dup /WMode get 1 eq }{false} ifelse
version length 4 ge
and
{version 0 4 getinterval cvi 2015 ge }
{true}
ifelse
{/_pdfType0WidthProc}
{/_pdfType0WMode1WidthProc}
ifelse
_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
{MakeBoldFont} Type0CopyFont definefont
}
{
dup /_fauxfont known not 1 index /SubstMaster known not and
{
_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
MakeBoldFont
}
{
2 index 2 index eq
{ exch pop }
{
dup length dict begin
CopyFont
currentdict
end
definefont
}
ifelse
}
ifelse
}
ifelse
pop pop
dup /dummybold ne
{/_pdf_FontDirectory exch dup _safeput }
{ pop }
ifelse
}bd
/MakeItalic {
_pdf_FontDirectory exch 2 copy known
{get}
{exch pop}
ifelse
dup findfont
dup /FontInfo 2 copy known
{
get
/ItalicAngle 2 copy known
{get 0 eq }
{ pop pop true}
ifelse
}
{ pop pop true}
ifelse
{
exch pop
dup /FontType get 0 eq Level2? not and
{ dup /FMapType get 6 eq }
{ false }
ifelse
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1Type0 }
{ _italMtxType0 }
ifelse
}
{ pop pop _italMtxType0 }
ifelse
}
{
dup /WMode 2 copy known
{
get 1 eq
{ _italMtx_WMode1 }
{ _italMtx }
ifelse
}
{ pop pop _italMtx }
ifelse
}
ifelse
makefont
dup /FontType get 42 eq Level2? not or
{
dup length dict begin
CopyFont
currentdict
end
}
if
1 index exch
definefont pop
/_pdf_FontDirectory exch dup _safeput
}
{
pop
2 copy ne
{
/_pdf_FontDirectory 3 1 roll _safeput
}
{ pop pop }
ifelse
}
ifelse
}bd
/MakeBoldItalic {
/dummybold exch
MakeBold
/dummybold
MakeItalic
}bd
Level2?
{
/pdf_CopyDict
{1 index length add dict copy}
def
}
{
/pdf_CopyDict
{
1 index length add dict
1 index wcheck
{ copy }
{ begin
{def} forall
currentdict
end
}
ifelse
}
def
}
ifelse
/pdf_AddEuroGlyphProc
{
currentdict /CharStrings known
{
CharStrings /Euro known not
{
dup
/CharStrings
CharStrings 1 pdf_CopyDict
begin
/Euro pdf_EuroProcSet 4 -1 roll get def
currentdict
end
def
/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
/pdf_PathOps /pdf_PathOps load def
/Symbol eq Encoding 160 get /.notdef eq and
{
/Encoding Encoding dup length array copy
dup 160 /Euro put def
}
if
}
{ pop
}
ifelse
}
{ pop
}
ifelse
}
def
Level2? {currentglobal true setglobal} if
/pdf_PathOps 4 dict dup begin
/m {moveto} def
/l {lineto} def
/c {curveto} def
/cp {closepath} def
end
def
/pdf_PSBuildGlyph
{
gsave
8 -1 roll pop
7 1 roll
currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
dup 9 1 roll
{
currentdict /StrokeWidth 2 copy known
{
get 2 div
5 1 roll
4 -1 roll 4 index sub
4 1 roll
3 -1 roll 4 index sub
3 1 roll
exch 4 index add exch
4 index add
5 -1 roll pop
}
{
pop pop
}
ifelse
}
if
setcachedevice
pdf_PathOps begin
exec
end
{
currentdict /StrokeWidth 2 copy known
{ get }
{ pop pop 0 }
ifelse
setlinewidth stroke
}
{
fill
}
ifelse
grestore
} def
/pdf_EuroProcSet 13 dict def
pdf_EuroProcSet
begin
/Courier-Bold
{
600 0 6 -12 585 612
{
385 274 m
180 274 l
179 283 179 293 179 303 c
179 310 179 316 180 323 c
398 323 l
423 404 l
197 404 l
219 477 273 520 357 520 c
409 520 466 490 487 454 c
487 389 l
579 389 l
579 612 l
487 612 l
487 560 l
449 595 394 612 349 612 c
222 612 130 529 98 404 c
31 404 l
6 323 l
86 323 l
86 304 l
86 294 86 284 87 274 c
31 274 l
6 193 l
99 193 l
129 77 211 -12 359 -12 c
398 -12 509 8 585 77 c
529 145 l
497 123 436 80 356 80 c
285 80 227 122 198 193 c
360 193 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-BoldOblique /Courier-Bold load def
/Courier
{
600 0 17 -12 578 584
{
17 204 m
97 204 l
126 81 214 -12 361 -12 c
440 -12 517 17 578 62 c
554 109 l
501 70 434 43 366 43 c
266 43 184 101 154 204 c
380 204 l
400 259 l
144 259 l
144 270 143 281 143 292 c
143 299 143 307 144 314 c
418 314 l
438 369 l
153 369 l
177 464 249 529 345 529 c
415 529 484 503 522 463 c
522 391 l
576 391 l
576 584 l
522 584 l
522 531 l
473 566 420 584 348 584 c
216 584 122 490 95 369 c
37 369 l
17 314 l
87 314 l
87 297 l
87 284 88 272 89 259 c
37 259 l
cp
600 0 m
}
pdf_PSBuildGlyph
} def
/Courier-Oblique /Courier load def
/Helvetica
{
556 0 24 -19 541 703
{
541 628 m
510 669 442 703 354 703 c
201 703 117 607 101 444 c
50 444 l
25 372 l
97 372 l
97 301 l
49 301 l
24 229 l
103 229 l
124 67 209 -19 350 -19 c
435 -19 501 25 509 32 c
509 131 l
492 105 417 60 343 60 c
267 60 204 127 197 229 c
406 229 l
430 301 l
191 301 l
191 372 l
455 372 l
479 444 l
194 444 l
201 531 245 624 348 624 c
433 624 484 583 509 534 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-Oblique /Helvetica load def
/Helvetica-Bold
{
556 0 12 -19 563 710
{
563 621 m
537 659 463 710 363 710 c
216 710 125 620 101 462 c
51 462 l
12 367 l
92 367 l
92 346 l
92 337 93 328 93 319 c
52 319 l
12 224 l
102 224 l
131 58 228 -19 363 -19 c
417 -19 471 -12 517 18 c
517 146 l
481 115 426 93 363 93 c
283 93 254 166 246 224 c
398 224 l
438 319 l
236 319 l
236 367 l
457 367 l
497 462 l
244 462 l
259 552 298 598 363 598 c
425 598 464 570 486 547 c
507 526 513 517 517 509 c
cp
556 0 m
}
pdf_PSBuildGlyph
} def
/Helvetica-BoldOblique /Helvetica-Bold load def
/Symbol
{
750 0 20 -12 714 685
{
714 581 m
650 645 560 685 465 685 c
304 685 165 580 128 432 c
50 432 l
20 369 l
116 369 l
115 356 115 347 115 337 c
115 328 115 319 116 306 c
50 306 l
20 243 l
128 243 l
165 97 300 -12 465 -12 c
560 -12 635 25 685 65 c
685 155 l
633 91 551 51 465 51 c
340 51 238 131 199 243 c
555 243 l
585 306 l
184 306 l
183 317 182 326 182 336 c
182 346 183 356 184 369 c
614 369 l 644 432 l
199 432 l
233 540 340 622 465 622 c
555 622 636 580 685 520 c
cp
750 0 m
}
pdf_PSBuildGlyph
} def
/Times-Bold
{
500 0 16 -14 478 700
{
367 308 m
224 308 l
224 368 l
375 368 l
380 414 l
225 414 l
230 589 257 653 315 653 c
402 653 431 521 444 457 c
473 457 l
473 698 l
444 697 l
441 679 437 662 418 662 c
393 662 365 700 310 700 c
211 700 97 597 73 414 c
21 414 l
16 368 l
69 368 l
69 359 68 350 68 341 c
68 330 68 319 69 308 c
21 308 l
16 262 l
73 262 l
91 119 161 -14 301 -14 c
380 -14 443 50 478 116 c
448 136 l
415 84 382 40 323 40 c
262 40 231 77 225 262 c
362 262 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-BoldItalic
{
500 0 9 -20 542 686
{
542 686 m
518 686 l
513 673 507 660 495 660 c
475 660 457 683 384 683 c
285 683 170 584 122 430 c
58 430 l
34 369 l
105 369 l
101 354 92 328 90 312 c
34 312 l
9 251 l
86 251 l
85 238 84 223 84 207 c
84 112 117 -14 272 -14 c
326 -14 349 9 381 9 c
393 9 393 -10 394 -20 c
420 -20 l
461 148 l
429 148 l
416 109 362 15 292 15 c
227 15 197 55 197 128 c
197 162 204 203 216 251 c
378 251 l
402 312 l
227 312 l
229 325 236 356 241 369 c
425 369 l
450 430 l
255 430 l
257 435 264 458 274 488 c
298 561 337 654 394 654 c
437 654 484 621 484 530 c
484 516 l
516 516 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Italic
{
500 0 23 -10 595 692
{
399 317 m
196 317 l
199 340 203 363 209 386 c
429 386 l
444 424 l
219 424 l
246 514 307 648 418 648 c
448 648 471 638 492 616 c
529 576 524 529 527 479 c
549 475 l
595 687 l
570 687 l
562 674 558 664 542 664 c
518 664 474 692 423 692 c
275 692 162 551 116 424 c
67 424 l
53 386 l
104 386 l
98 363 93 340 90 317 c
37 317 l
23 279 l
86 279 l
85 266 85 253 85 240 c
85 118 137 -10 277 -10 c
370 -10 436 58 488 128 c
466 149 l
424 101 375 48 307 48 c
212 48 190 160 190 234 c
190 249 191 264 192 279 c
384 279 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
/Times-Roman
{
500 0 10 -12 484 692
{
347 298 m
171 298 l
170 310 170 322 170 335 c
170 362 l
362 362 l
374 403 l
172 403 l
184 580 244 642 308 642 c
380 642 434 574 457 457 c
481 462 l
474 691 l
449 691 l
433 670 429 657 410 657 c
394 657 360 692 299 692 c
204 692 94 604 73 403 c
22 403 l
10 362 l
70 362 l
69 352 69 341 69 330 c
69 319 69 308 70 298 c
22 298 l
10 257 l
73 257 l
97 57 216 -12 295 -12 c
364 -12 427 25 484 123 c
458 142 l
425 101 384 37 316 37 c
256 37 189 84 173 257 c
335 257 l
cp
500 0 m
}
pdf_PSBuildGlyph
} def
end
Level2? {setglobal} if
currentdict readonly pop end
%%EndResource
PDFText begin
[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
/hungarumlaut/ogonek/caron
0 TE
[1/dotlessi/caron 39/quotesingle 96/grave
127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
/ucircumflex/udieresis/yacute/thorn/ydieresis
1 TE
end
%%BeginResource: procset pdfasc.prc 6.0 1
%%Copyright: Copyright 1992-2003 Adobe Systems Incorporated. All Rights Reserved.
/ASR {
13 dict begin
/mirV? exch def
/mirH? exch def
/center? exch def
/autorotate? exch def
/angle exch def
/shrink exch def
/Pury exch def
/Purx exch def
/Plly exch def
/Pllx exch def
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury 0 eq Durx 0 eq and Dlly 0 eq Dllx 0 eq and and
{ shrink 0 gt { GClipBBox } { GPageBBox } ifelse }
{ ITransDBBox }
ifelse
/PHt Pury Plly sub def
/PW Purx Pllx sub def
/DHt Dury Dlly sub def
/DW Durx Dllx sub def
angle 90 eq angle 270 eq or
{
PHt /PHt PW def /PW exch def
} if
autorotate? PHt PW ne and DHt DW ne and
{
DHt DW ge
PHt PW ge
ne
{ /angle angle 90 add def
PHt /PHt PW def /PW exch def
}
if
} if
angle 0 ne
{
/angle angle 360 mod def
angle rotate
angle 90 eq
{ 0 DW neg translate }
if
angle 180 eq
{ DW neg DHt neg translate }
if
angle 270 eq
{ DHt neg 0 translate }
if
} if
center?
{
ITransBBox
Durx Dllx add 2 div Dury Dlly add 2 div
Purx Pllx add -2 div Pury Plly add -2 div
3 -1 roll add exch
3 -1 roll add exch
translate
}
{
ITransBBox
angle 0 eq
{Dllx Pllx sub Dury Pury sub}
if
angle 90 eq
{Durx Purx sub Dury Pury sub}
if
angle 180 eq
{Durx Purx sub Dlly Plly sub}
if
angle 270 eq
{Dllx Pllx sub Dlly Plly sub}
if
translate
}
ifelse
mirH? mirV? or
{
ITransBBox
mirH?
{
-1 1 scale
Durx Dllx add neg 0 translate
} if
mirV?
{
1 -1 scale
0 Dury Dlly add neg translate
} if
} if
shrink 0 ne
{
ITransBBox
Dury Dlly sub Pury Plly sub div
Durx Dllx sub Purx Pllx sub div
2 copy gt { exch } if pop
shrink 1 eq
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{
shrink 2 eq 1 index 1.0 lt and
{
Durx Dllx add 2 div Dury Dlly add 2 div translate
dup scale
Purx Pllx add -2 div Pury Plly add -2 div translate
}
{ pop }
ifelse
}
ifelse
} if
end
} [/autorotate? /shrink? /mirH? /mirV? /angle /Pury /Purx /Plly /Pllx /Durx /Dury /Dllx /Dlly /PW /PHt /DW /DHt
/Devurx /Devury /Devllx /Devlly /pdfHt /pdfW]
bld
/GClipBBox
{
gsave newpath clippath pathbbox newpath grestore
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
ITransDBBox
} [/Durx /Dury /Dllx /Dlly]
bld
/GPageBBox
{
{
currentpagedevice /PageSize get aload pop
/Devury exch def /Devurx exch def
/Devllx 0 def /Devlly 0 def
ITransBBox
}
stopped
{ GClipBBox }
if
} [/Devurx /Devury /Devllx /Devlly ]
bld
/ITransDBBox
{
Durx Dury transform matrix defaultmatrix itransform
/Devury exch def
/Devurx exch def
Dllx Dlly transform matrix defaultmatrix itransform
/Devlly exch def
/Devllx exch def
Devury Devlly lt {/Devlly Devury /Devury Devlly def def} if
Devurx Devllx lt {/Devllx Devurx /Devurx Devllx def def} if
} [/Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
/ITransBBox
{
/um matrix currentmatrix matrix defaultmatrix matrix invertmatrix matrix concatmatrix def
Devllx Devlly um itransform
Devurx Devury um itransform
/Dury exch def
/Durx exch def
/Dlly exch def
/Dllx exch def
Dury Dlly lt {/Dlly Dury /Dury Dlly def def} if
Durx Dllx lt {/Dllx Durx /Durx Dllx def def} if
} [ /um /Durx /Dury /Dllx /Dlly /Devurx /Devury /Devllx /Devlly ]
bld
%%EndResource
currentdict readonly pop
end end
/currentpacking where {pop setpacking}if
PDFVars/DocInitAll{[PDF PDFText]{/docinitialize get exec}forall }put
+PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
+PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
+PDFVars begin PDF begin
PDFVars/DocInitAll get exec PDFVars/InitAll get exec
[/NamespacePush PDFMark5
[/_objdef {Metadata_In_EPS} /type /stream /OBJ PDFMark5
[{Metadata_In_EPS} 17988 (% &end XMP packet& %) ReadByPDFMark5
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
+<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="3.1-701">
+ <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
+ <rdf:Description rdf:about=""
+ xmlns:xap="http://ns.adobe.com/xap/1.0/"
+ xmlns:xapGImg="http://ns.adobe.com/xap/1.0/g/img/">
+ <xap:CreateDate>2005-05-26T09:00:06+01:00</xap:CreateDate>
+ <xap:ModifyDate>2005-05-26T09:00:06+01:00</xap:ModifyDate>
+ <xap:MetadataDate>2005-05-26T09:00:06+01:00</xap:MetadataDate>
+ <xap:Thumbnails>
+ <rdf:Alt>
+ <rdf:li rdf:parseType="Resource">
+ <xapGImg:width>196</xapGImg:width>
+ <xapGImg:height>256</xapGImg:height>
+ <xapGImg:format>JPEG</xapGImg:format>
+ <xapGImg:image>/9j/4AAQSkZJRgABAgEASABIAAD/7QAsUGhvdG9zaG9wIDMuMAA4QklNA+0AAAAAABAASAAAAAEA
AQBIAAAAAQAB/+4ADkFkb2JlAGTAAAAAAf/bAIQABgQEBAUEBgUFBgkGBQYJCwgGBggLDAoKCwoK
DBAMDAwMDAwQDA4PEA8ODBMTFBQTExwbGxscHx8fHx8fHx8fHwEHBwcNDA0YEBAYGhURFRofHx8f
Hx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8fHx8f/8AAEQgBAADEAwER
AAIRAQMRAf/EAaIAAAAHAQEBAQEAAAAAAAAAAAQFAwIGAQAHCAkKCwEAAgIDAQEBAQEAAAAAAAAA
AQACAwQFBgcICQoLEAACAQMDAgQCBgcDBAIGAnMBAgMRBAAFIRIxQVEGE2EicYEUMpGhBxWxQiPB
UtHhMxZi8CRygvElQzRTkqKyY3PCNUQnk6OzNhdUZHTD0uIIJoMJChgZhJRFRqS0VtNVKBry4/PE
1OT0ZXWFlaW1xdXl9WZ2hpamtsbW5vY3R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo+Ck5SVlpeYmZ
qbnJ2en5KjpKWmp6ipqqusra6voRAAICAQIDBQUEBQYECAMDbQEAAhEDBCESMUEFURNhIgZxgZEy
obHwFMHR4SNCFVJicvEzJDRDghaSUyWiY7LCB3PSNeJEgxdUkwgJChgZJjZFGidkdFU38qOzwygp
0+PzhJSktMTU5PRldYWVpbXF1eX1RlZmdoaWprbG1ub2R1dnd4eXp7fH1+f3OEhYaHiImKi4yNjo
+DlJWWl5iZmpucnZ6fkqOkpaanqKmqq6ytrq+v/aAAwDAQACEQMRAD8A9U4q7FXYq7FXYq7FXYq7
FXYq7FUJdaxpFozrdX1vbtEOUiyyohUEVq3Iim2KsV1X86vyn0q8+p33mnT0uaAlEmEoWppRmi5q
p9icVRFl+bn5W3ppbebdIZq0CNewIx77K7qTirJbLUtOv4vVsbqG7i/35BIsi/epI7YqiMVdirsV
dirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVUL6+stPs576+njtbO2Rpbi4lYJGiKKszM1AA
Bir48/PH/nKbVddkufL3kmZ9P0VHKTazC7pcXaDp6dVjeGM9/wBpvECoKr55nnnuJmmnkaaZzV5J
GLMT7k7nFVPFXYqvjllicPG7I46MpIP3jFX0h+Rv/OVV3oy2vlvz073mlhkhtNaO81tHTiBOAKyx
jb4vtAV+1sAq+vLS7tby1hu7SZLi1uEWWCeJg6OjiqsrCoIINQRiqrirsVdirsVdirsVdirsVdir
sVdirsVdirsVdirsVU7q6t7S2murmRYba3RpZ5nIVURByZmJ6AAVOKvgX86vz+8y/mLcvpyUsPK9
vMzWthFUNMFY+nLcsT8TU6L9keFd8VeU4q7FXYq7FXYq7FXrP5Lf85BeZfy7u4rC5Z9S8qO/+kaa
5q0IY/FJbMfst3KfZb2PxBV96aff2eoWNvf2Uq3FndxpPbTpurxyKGRh7EGuKq+KuxV2KuxV2Kux
V2KuxV2KuxV2KuxV2KuxV2Kvm3/nMj8yf0doVl5I0+cpe6qfrWqemxBWzQlUjanaaTf5J74q+PcV
dirsVZn+Ulh5S1bzvp2heZ7KW6stamTT4ZoJmhkt57hvTilAAIejsuzbUxVIPNGgXfl3zJqmg3ZB
udLuprSVhUBjC5TktezUqPbFUrxV2KuxV9U/84jfnMicfy7124oCWfy7cSHap+J7Sp8d3j+lf5Ri
r6rxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KpL5y826P5R8s3/mLV5PTsbCIyMB9p3OyRIO7yOQ
q+5xV+cPnbzfq3nDzTqPmPVWreahKZCgJKxoBxjiSv7MaAKPliqR4q7FXYqynQobvy7pVt5zpwu2
ung8vVA2uLZUeW6oev1f1Y+Hi5r+wQVWXf8AOSVtHP58s/NFugSz83aVY6xDw+yGkhEbr/rcoqn5
4q8smglhZVlUozKrgHrxdQyn6VIOKqeKuxVUt7i4triK5t5GhuIXWSGaMlXR0NVZWG4IIqDir9Hv
ye85v5y/LXQfMEzc7y4txHfseIJurdjDO3FaBeckZcDwIxVmWKuxV2KuxV2KuxV2KuxV2KuxV2Ku
xV2Kvkv/AJzJ/M6O5vLX8vrBqrZOl9rMg/36yVgh/wBiknNvmvhir5fxV2KuxV2KssS91XzN5f0n
R7i5htrHy4s6WjG2uGVY7mUTSM8ltHOW+Mknkop79lUdq3myzk8s6PoepX0fmBdA9b9ERwQSQwxr
cNzZJrmYRTyIGA/diIezjuqx3RbD/EfmGO1vdSt9Ne9ZuV/dLIIEahIDCBJCi7U2XivsMVVtV8j+
ZtN1HU7CWzaeTSYxc3ctsRNF9VfjwuUdK8oHDqRINqEYqkOKuxV9T/8AOEvm+b19f8oTOWiKLqtk
hOylSsFxT/W5Rfdir6txV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV+dn/OQEc0f5zebFm+2b0sKmvw
sisn/CkYq8+xVdGzJIrJ9pSCu1dx02OKphHf3FlLdmaIPqMxZJ/rUMUvA8wzHjMkhDkrSooRv44q
l7uXcuaAsakKAo+gCgGKu5vw4cjwry412r0rTFVuKpx5U82+YPKetwa3oF2bPUreojmCo44tsysr
hlIPuMVereUfPWkebPNI1vUoZNP83RIy2CWFzHHZTllIeL6lcgJwn5MJY0mJk5HjGSd1WC655GvE
0LUdej0u80tLO+kje1uUk9P6s0npgxSOkfJreUiKUHf4l2HxYqwvFXsf/OJd1ND+demRxmi3NteR
SjfdRA0n/Eoxir7xxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV8I/85W+T9W0T81r3VrleWneYAl1Y
XABAJjjSKWI/5SMtfkQe+KvGcVZPoF5DZQwQaDaS6h5vvnCW9wqFza8jRUtIhyL3D/78I+D9gcvj
CrpvLuiaSSfMWqerf9W0rTClxKrdStxdE/V4j/qeqwOzKuKqLeZNGtiV0vy9aRgGsdxfvLe3FPBq
mK1b/pHGKpheav5/tNGsNbl0+Gx0m+dhp+oQ6XZW0UskJ4twkigQMVK/gffFVC085+eL644wcdQm
RCfTawtbqiVAJ4PDIKVp2xVVn83SLK0fmLyrpd0zVBH1NtLkX3Qae1mgI/ykI9sVXppHkHXlZdGv
5tA1Q/3Om6u6TWkrfypqEawiIk9PXiVB3kxVXvvzA876fpd35V8wRfWFMfpFL5G9eMenwjdXqCaR
misa1SgqVCcVWDYq+gv+cM/KdzqH5g3vmNoyLHRbR0WWmxubr92iiv8AxUJCae3jir7SxV2KuxV2
KuxV2KuxV2KuxV2KuxV2KuxV59+ef5aw+f8A8v77S44wdXtQbvR5Nqi5jU0jqeiyiqH517Yq/PK7
tLuzuZLW7hktrqFik0EqlJEYdVZWAIPzxVlfk3TvPV1omqL5Z0+5mjuf9GurqwtJLi7kBXk1qjxh
nSMr8UvGlV2avwrirDyCDQ9cVaxV9earfeX/AD1/ziJLHokEa3fl+ztjcWEZ5PbT2Mi+s5WvICSE
SOCf2W8a4qy/8j/JWhflL+V36e8xEWmqakkd3q87IzSxq/8AcWqogZyUDbqoqXJ9sVXat/zkV5Xl
Etrd+RvM97p4DetJJpKGFlHfhLKPhpWvIDFWGP5M/wCcbPzhaa18tP8A4X828WZbVIvqcvJQT8Vm
37iUDq3pHl4kYq8J/MzQvOPkhT5E81W8V2tq63OhaoKsyQMWDrbymjGCQ/aib7LiopvyVYRo2j6l
rOq2mk6ZA1zqF9KkFrAnVpHNAN9h7k7DFX6M/lT5As/IfkbTfLsHB7iBPU1C5RQPWupDylcmgJFT
xWu/EAdsVZdirsVdirsVdirsVdirsVdirsVdirsVdirsVeO/np/zjxpH5ir+mNPlGm+aoIvTS441
hulX7EdwBQ1HRZBuBseQAAVY15wsLj8tP+cUUsdLpZaleWtqmoSqQJDPqDIbujKd24syA/yj2xV8
ZYquRijqwpVSCKgEbeINQcVegeV/zH1HRbN7+0jexWCL9HzjTHgtnm+tCRubNNb3dKLGwIWgrxIp
TdVOfNH5x+aG8vWMa6zeapJrMUlxNb6s0V9HZxpNJbJGqtDHFJM/os5kMfwqyhaMC2KvNv8AEvmP
iqDVLsIgoiCeQKorWiqGoBU9BiqZ6J5+1+w1jT9QvLiTUxp80U0C3MjPJH6Th19CYkyQkEVHAgeI
I2xV9k/85G+SE/ML8qYNU0O0e+1a0Nvf6MsSVmlhuSqyRgdaNG4cjxUYqnH5O/kN5U/LqxjuFiXU
PMkihrjVp0UyRlk4tHb9fSTcg0NW7mlAFXp2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KuxV2KsX/M
Typb+cvKmr+WJ/Ui+tWvK2uEd4wJ/i9OvEryCOqllO24rir5k832M+pf84eeWLm3eV10W+P16Loq
f6TcW9XG5+B5FVd6Ubp0oq+bsVV7GxvL+8hsrKFri6uGEcMMYqzMegAxVPNG8lapqepaDp0UsRfz
DfmxtVR+dCkqQ+s1NuHKRuJ/yT2xV7f/AM5P/lpo+m61olj5f0+HT/UsKaXBBGkQupbeQi5gHAAN
NxeKRB1clxuzKMVfNxBBoeuKs6/I/wAm2PnH80dC0LUBy0+WV57yM/txW0bTtHtvST0+B+eKv0YR
FRQiAKqgBVAoAB0AGKt4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FWG/m5ba5f+QtU0fy9O
IPMWrRNa6T+89FpJOJlljSTYKzQRSUqRirxjzTp2s+Wf+cV9GTTLF5Y7edZPNVpctUywyyTJeB6c
WKtcOvGnxKtGrVeWKvkq8+p/WpfqfqfVSxMIm4+oFPQMV+EkdKiletB0xVOvJNrq2qa9aeXNKmW1
utfni083R2ZUuHEbLzHxBG5fGF+0Num2KvTxZflV5R/OXyM/lXzC2oaRY3UUGtXsrMpju4rgiSQl
0RBA4kXdKrQN8R64q+oPzs/Law/MjylPolvcxQ+YNPKX2lylhWORuSoJKVdYpgrLXxFd+NMVfH3k
fyHrX5qX99bQWZk1ewCm81i0ltqPy5KslxBNLAJizJQzQtX9p1dmrir3H8nf+cVfMfk7zxYeaNX1
62I0wu8FtYq7tKZI2iZXeVUCLxc1oGr7dcVfQHmmbzLDoF5L5Zt7a61xE5WVveu8cDsDuGZATuK0
6CvUgb4qmFp9ZNrCbrj9Z4L6/pghPUoOXEEsaV6b4qq4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7
FXYqhr+OExLcSQxSyWjevC03ECNgrIzq7A8G9N2FfAkdCcVY7+arWY/LjzDBdSQwxXllJYRPckrC
Jr0fVoAzKG4gyyqOVNuuKvzev9PvtPuntL+3ktbqMKXgmRo3AdQ6kqwB+JWBHtirKPyj84aV5O/M
TRvMWq2f16wsZSZohQuodGj9VAdi8XLmo8R1HXFUNe+c7i3896n5j0ZY7aG61CS7js1QLbtD9aFz
HA8WwMVUSqHwxV9H+Uf+cpPL3mHzvpmo67b23li3tIHtri6a4mkknE0bM8ZRLZ0aJZ0jK8nRl6gm
rLirHpb/AEr8t/8AnI2180WHmGwufKvmh5prx4J4z6NvdDnJHcRRfEgSXi8fw/FQd+QxV9DWf55/
k/dsFi83aapJ4/vp1gFfnLw298VZDa+b/LF/Zz3Wl6rZ6kkEbSv9UuIpvhVS3+62bsMVfPX5u/m7
p+h/85H+VlkvJhpXl+MQa0sUhWJZL1XDMyfErCKOVHbavbrir6dVlZQykFSKgjcEHFXYq7FXYq7F
XYq7FXYq7FXYq7FXYq7FXYq7FXYqxT8x/I9t5t8jX/lZQIIL94C/CihQl1HcOwp3+AnFXxX/AM5P
3i3H51a7FH/cWSWlrCKUoI7SIsN/B2bFXlWKuxV2KuxV2Krkd0dXRirqQVYGhBHQg4qqyy3l9dmS
V5Lq8uH+J2LSSSOx7k1ZmJxV+lX5bWmr2f5e+W7PWUMeqW2mWkN5G32lkSFVIev7Qp8XvirI8Vdi
rsVdirsVdirsVdirsVdirsVdirsVdirsVdir4V/5yw8rxaN+aN3fNMz3GuEXqRFRwW3EMMKHkP2m
njnBWmyhT3xV4rirsVfan5A3v5Wee9Nt77TPLWl6P5s0BYk1KJLKIpIkoIMsdQGPMoaNyLIaAkg0
ZV7TqHk7yhqKenqGh6feJSnC4tYZRQ+zqcVYnd/84+fkzdyyyS+VbNTLx5LD6kCjia/CImTjXvTF
XWP5Cfk9psqG18oWMwlLJIbgNchFZCeVLhpe6gCm4rXFU90P8sfy70K8F9o/lvTrK9X7F1FbRCVf
9R6cl+g4qybFXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYqw+H82/y59F3u/Mem2kkd5PYtDN
dwpIJIbl7fdCwYBinIGlOPxdN8VYj/zkZ+UN7+ZXlSxk0OWM61pDvPYI7AR3EU6qJIg/RWbghVjt
tQ0rUKvhC9sryxupLS9gktrqE8ZYJVKOp8GVqEYqyC68jXkH5cWHnbkxtbzVLjS3jK0CmKGOWJw3
fn+9B8OH3Kvf/wDnB7R3Nz5r1lgwjRLSziNDwYsZJJN+lV4p9+Kvq7FXYqhZNV0yPUYdMku4U1G4
jaaCyaRRM8aEB3SMnkyrXcgYqisVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir5R/wCcqPz3
1OK/vfy78vSG2hiCLreoxSfHL6iBzaoV+woDUk3qfs7CtVXzNqemyWDW0coIlnt4rkg9lnX1I6fO
NlOKs6/LL8+vzA/L944NPu/r2iqfj0e8LSQAE1PpGvKE7k/AaV6g4qs/PL8wfL3n/wA3W3mbSLGX
T57mwhj1a3mKt/pcTOlVdftr6IjAag6dMVZnN54/LuT/AJxVs/KV3chvNMV3LNaWUQZpFmF48nrS
GnFVNvKU3O/b2VeqfkB+Z35NeTvyy03SbjzLbwanLyu9UjmSRGW5npyXZKNwVVStT0xVluvf85Sf
lJp3GHTr248wahIeMNjplvJI7M32RzkEUe5/lYn2xV5X+YP/ADkF+Zs0Ekk5t/IWnKCYtNZhc65c
kUIj9IgNbq21XdI6CtGcjjiry382tH1Ox0zyx5w1S4ZfNfnF7/XbwRsw9C3neFrOOMliyqELFR+z
Xj2xV9Hf84y/njL540xvLWtKF8waNbRlbovU3kCngZCp3EifDz61rXbpir3TFXYq7FXYq7FXYq7F
XYq7FXYq7FXYqxzVvzI/L3R5ZYNU8zaXZXEAJltpryBJhxFSPSL86+wFcVeRa3/zmh+W9nPJDpmn
alqnAkCcJFBC9DsVLuZKH3QYq8h81f8AOYP5napNdxaOtpo1hLzS39KIyXKRtUKWlkZ19QA/aVRv
2xV4ZNNNPNJNNI0s0rF5ZXJZmZjVmZjuST1OKsn/ADLdW80qEUKkWmaRCgWtOMOlWsYO++4WuKpd
r3lDzDoNnpV9qdo0Flrdst5plzUNHNE1OjKTRlr8SncbdiMVTP8ALb8s/M/5h6+dF0BIhLHE09xd
XLMlvDGu1ZGRZG+JiAAFJP34qlnmW08vWV59S0mW4uXtgsV3dSlBFJOg4zGBVAb0uY+AsaleoGKv
Yfyf/LP8h/Pept5dGo+YG1z6qbgTsttb27FaCQIqrcspQmvxtQj32xV6j5Y/5w08vaVe3E975p1O
eGQFIorEJYNwPVJpKzmQU8AuKpp54/KL8mvy3/LbzHrcOjRG/XT7i3tb29d7mY3NzGYYeAlZkRzI
4+JFBAqcVfG2v+add8wfo/8AS1011+irOLTrHlQenbQV9NBTwr16nFVnlvzHrPlrXLPXNGuWtNSs
ZBLBMviOqsOjKw2ZTsRscVe5+RP+cx/O2n6kF84wx61pT19R7eKO3uozTYpw4RMPFWH04q9g0H/n
L78pdW1KCxlXUtL9dxGtzewRCEM2w5NBNOVFe5FB32xV61Y+avK9/fGwsdYsbu+UFjaQXMUkoAFS
fTVi34YqmmKuxV2KuxV2KrZJI4o2kkYJGgLO7EBQoFSST0AxV8yeaP8AnNvSre+9Hy15dlvrVKh7
q+mW3LMCR8EUQn+GlCGLA/5IxVhXmH/nND8xb74NF06w0eIqAXZXupg9TUhnKR0pTYxn54q8r1z8
2/zO1yd5tT8z6lKXrWJLh4Yd9jSGExxr9C4qxIkk1PXFWsVdirsVR2sarNql4t3MKSCC2tz7i2t0
gB+ZEVcVZf5g/N7VvMH5d6X5I1TTrN7bQzF+idRhDx3MYjUoVkJZ1dXRqEALuAe2KvYY721/KD/n
Gm1nsXEfm/8AMBFlSdac1gmTkHX/ACYbaQAeEklcVfMOKvpL/nC9vLFl5h1i+1LUba21m8jj0/SL
OWVEllUsJJ+CsaklhEFp13p0OKvd/wA2/wA/PJv5bqLS9Emo69LH6tvpNvQNxNQrTSmqxKSPdvBT
ir40/NT86fOP5kXqNq8q22l27FrPSbeogjJ25tXeSSm3JvoArirAcVdirsVdiqM0rV9V0e/i1DSb
yfT7+Cvo3drI8MqcgVbi6FWFVJB9sVZ75c/5yJ/N/QruW5j8w3GoGWMxmHUna7jWpB5oshPFhTqM
Veh+Vf8AnNTznYiRPMmj2uspxPoyW7GylD7fbPGdCvyQH3xV7B+U3/OUPlPz5q6aHeWUmg61PX6n
DLKs8E5ArwSYLEfU60VkFexJ2xV7RirsVfOX/OTH/OQNjo1jrH5f6Ikr69cRC21G9+EQwQ3Eas6o
QSzSNG/HoONetcVfHGKuxV2KuxV2KuxV2KuxV2Kp/wCbPOuteZxpCai6+homnW2lafCgoqQWsYQH
3ZyOTH+AGKpBirasVIZSQwNQR1BxVk3mPXb7zVYW2qXvqXOtaZCttqd6QWM1qhWO1nmbf94vP0WY
9R6f7VSVWMYq7FXYq7FXYq7FXYq7FVayvLqxvIL20laC7tZEmt5kNGSSNgyMp8VYVGKv0A/KX8/P
JXn6xtrZbxLHzL6ai60m4IjdpAo5Nbk/DKpNaBTyA6gYq9OxV+V0sss0ryyu0kshLPI5LMzHckk7
k4qsxV2KuxV2KuxV2KuxV2KuxV2KuxV2KvQfyMg0O78+rYeYruK08uXun6hDrLzOI1Nv9UkccS37
aSoki9wVBHTFWL+bJvLT6uY/LkDxaXbxxwJPKWMlzIgpJcsrE8PVepVB9laDrU4qk2KuxV2Ksz0P
8n/zC1vzRe+VrDS+WvafbLeXVlJNDEVhcRsrc3dUPIToR8XfFUfqn/OP35y6YrNdeVbsqgJZrcxX
IAFCTWB5B3xVjF/5I856cgkv9B1G0jIDB57SeNSpFQQzIAQRvXFUlZWVirAqymjKdiCOxxVrFW1Z
lYMpKspqrDYgjuMVfTX+OPOP/QpX6W/TV7+lP0p9T+v+vJ6/1flw9P1a8+PHbrir5kxV2KuxV2Ku
xV2KuxV2KuxV2Kq5tSLNLr1YyGkaIwhv3q8VDciv8rctj7HFVDFXYq2CR0xVrFXYq7FXYq+t/wAs
tdsovzt8tSu6CfzL5V0qUuxCfHFYOjxiv2iXhGw8PbFXrP59WNzc+QGlW1e/06wv7G+1vTYuXK50
62uFkuouK/aHAciPAYqgNMn8p2eqQ3XkXWoLfy9q7wNq8OmejJb2S+hciG4RSskNsJ5RHHICm7KN
geZxVX/T6a1bSXGvaRYXsNu1nGltNbCV7q3urlrM3UJkLcUeQF4k4n4difjDBVb5+/Ij8s9V8s6u
LLytYW2rNZXH1CazhW2Zbj0mMTAQ+mCQ9Dv174q/PnFX0B/65t/2/P8Ambir5/xV2KuxV2KuxV2K
uxV2KuxV2KuxV2KuxV2KuxV2KuxVPI/Kty2k6Lqj3EaW2t31xp8QNeUb2oty7vsBxIu1pQ9jir2H
zp/zil+YmlaVLrGoeYrC9sNLgROcjX0ksdvHRVSOKOCduKV6LsBviqS+WPyX/PifSLfWfJt1Jc6b
ccjaXWn6j9UDhH4clEz2rUqm23bFUbpvlj/nLDygkkOmWusW8bO8ssds0V2jSftOQjTKzN4/te+K
qmpfmJ/zlDCsR17R766W1dZLea90NQY3i+JXjnS3jYMpFeStXFU2g/5zD/NnTWCaxoOnuoO5eC6t
pDWppUylenT4cVfPl/NBPfXE1vF6FvLK7wwV5cEZiVTlQV4jauKvef8A1zb/ALfn/M3FXz/irsVd
irsVdirsVdirsVdirsVdirsVdirsVdirsVdir0O7h9T8idF1GLaTTfM19blttjc2VrKp6d/QP3Yq
/QSCWLWNEjlVjHDqNsGDRkFlWeOtVJFKgNtUYq+b7PzF5Mt/+cbrjyqNWhuNXsptVsNFjSV/rEk8
FzcS200aWhMhHpFSGpwqRy2OKpZ5a83XFro+kW+ra9qP6BFnqTC+0+9u7BV1ZhFc28D3l66qWS25
KsUsjR+pUbjFWW6Z+ZXnQ6fcatc6+EvLf9D3uj6NLBAq6rpd5DEkiRIA8puJbhnXkshCSDiSErir
1j82NFXWvyy80aaVLvNptyYVH+/o4zJF1/4sRcVfmtir6A/9c2/7fn/M3FXz/irsVdirsVdirsVd
irsVdirsVdirsVdirsVdirsVTzyl5fg1y9vrWWZoWttN1DUIitPiewtJLrga9mWIjb+3FXpvk/8A
KvSNS8m+XBqlzrUSeZdVWz/0JrWSwivGjDWzyRzNEQ7wTbHlXZqdhir1i3/5xn8x2omh0D83L+2e
wBWW3j9VfR5A0V/SvF9MEA/s4qktp/zj9+Zug6+V0L8x9Nj100C+qTHeMrLU1HGeTcfeMVZJJ5L/
AOcxLWMRDzbo+pQNUtFIkL9KEcjNYofl8WKoW6tv+cuzNbT32haDrlxYkS2c06WTPFKP2omMkHB2
4jdaYqlnnT/nIL/nIPyQluvnTyho9pDqHNbenORJAgHqLWK7uF6MOuKvlSUxmVzECsRY8A25C12r
9GKvff8A1zb/ALfn/M3FXz/irsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVZl+UUbT+fbKyUq
G1C21DT1Lgstb3T57YVA95cVey/lprui6X+R2mXd/OkgsPOGk37GEPPJCsUkHqBlVeSuILaRqdOJ
FDvTFXub6Jqc1t5gh01Hm0HzGyOizIl3bql7Nynmh4yxSyW08UzvJCWBR+RXZ8VeT/mh5O803sei
StZ6jL5g03TtT0u81e30i4vTdvpU8M+lyh41keE3TRbShuSkkfZriqUS+WrOa889C90mTR7y5sb+
/wBHsba1vYJ47k2VtqQRJlpbNHDNbSx8aKwc0FQ9FVeiWnnryJfeem1dNcm0vRtd0SbT7iOSe6tD
Fqlq1o3FFZoyJ/QuURTGKsY2AJNcVeS/mdOdc/I2GW71aLVta0bU4J55k1CbUpPq8sTWckkpuPjg
aW5i5ekv7ulCnUnFXz1ir6A/9c2/7fn/ADNxV8/4q7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq
7FVS3ubi2mSe3kaGaM1SWMlWU+II3GKsq8s/ll+ZWu6eureXdEvb2ydmjF1aiqlkPxLUEdDirJbb
8tP+cjbX/eXTNfg24/upZk+EdvhcbYqm1voX/OWtvQRP5qCgcVU3dyygDwVpCBiqZWz/APOYtsVM
f6fbgKD1Qsvtv6nKv04qn1rqX/ObsUSiNLxkPxASwaUzb70JkQv9GKpH+aGu/wDOR9l5G1BPzB0y
3TQNdaC0luClikwnSQXMJ/0RxKD/AKP/ALsUrT3pirwLFX0B/wCubf8Ab8/5m4q+f8VdirsVdirs
VTLSvL+q6rHdS2cPKKzglup5nIjjWOAKXrI1EDfGtAT8RIUVZlBVS3FXYq7FXYq7FXYq7FXYq7FX
Yq7FX27/AM4Z3Bl/KW6j5V+r6vcxgeFYYJKf8PXFXu+Ksf8AIsNxD5dhikvrS+hjYxWbWDSSwRQQ
gQpF60sk0kzr6fxyO1WauwxVH6HqulahBcfoy+hv4bS4ktJmhl9YxzREB4pHLOfUUncHFUJ5Qv7q
9sLt7q8tLuaG+urfhZSGVIEhmKRwyOzOxmCBWk5UoxIApTFWB/8AOU2mpe/klrzkVks2tbmL2K3U
aMTt/vt2xV8B4q+gP/XNv+35/wAzcVfP+KuxV2KuxV2Kpvd+bfMV3odvoU1840a1IaKwjCxQlx0d
0jCiR/8ALere+KpRirsVdirsVdirsVdirsVdirsVdir3X/nH7/nIPS/y50K70DUdPluY7+++tJdC
ThFDzjSJi6qkslP3YJ4qTToDir1bzP8A85h+X9JihS10m31uaf1vUjs76T040RuEZd5bOP8AvR8Q
UAkD7VDtirCfL3/OYOkeXNL/AEbovkMW1sCWRW1V5aHiEWpe1LMERVRRy2VQO2KoLy//AM5bw+Xh
fDSPJNtbfpK6kv70/Xp3LzygBmq6NxFFACrRR2GKusf+cwtQ0prn9DeT7CyjvJTcXKG4nk5SlQpY
bIFHFR8Kin34qg/OH/OW2ueavKOreXNQ8u2kcWqQNALiGaUGOu4fiwbkQQD1GKvA8VfQH/rm3/b8
/wCZuKvn/FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq7FXYq+gP/AFzb
/t+f8zcVfP8AirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVfQH/r
m3/b8/5m4q+f8VdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdirsVdir6A/9
c2/7fn/M3FX/2Q==</xapGImg:image>
+ </rdf:li>
+ </rdf:Alt>
+ </xap:Thumbnails>
+ </rdf:Description>
+ <rdf:Description rdf:about=""
+ xmlns:xapMM="http://ns.adobe.com/xap/1.0/mm/"
+ xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#">
+ <xapMM:DocumentID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:DocumentID>
+ <xapMM:InstanceID>uuid:E299AD35CF5611D9931E9E29EC286463</xapMM:InstanceID>
+ <xapMM:DerivedFrom rdf:parseType="Resource">
+ <stRef:instanceID>uuid:e3e3a208-cd3c-11d9-8977-000d936c956e</stRef:instanceID>
+ <stRef:documentID>uuid:AB03F8A6CDD611D982B3C176F4FB2AEE</stRef:documentID>
+ </xapMM:DerivedFrom>
+ </rdf:Description>
+ <rdf:Description rdf:about=""
+ xmlns:dc="http://purl.org/dc/elements/1.1/">
+ <dc:title>
+ <rdf:Alt>
+ <rdf:li xml:lang="x-default">portrait-head copy</rdf:li>
+ </rdf:Alt>
+ </dc:title>
+ <dc:format>application/eps</dc:format>
+ </rdf:Description>
+ <rdf:Description rdf:about=""
+ xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/">
+ <photoshop:ColorMode>3</photoshop:ColorMode>
+ <photoshop:History/>
+ </rdf:Description>
+ </rdf:RDF>
+</x:xmpmeta>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+<?xpacket end="w"?>
% &end XMP packet& %
[{Metadata_In_EPS} 2 dict begin /Type /Metadata def /Subtype /XML def currentdict end /PUT PDFMark5
[/Document 1 dict begin /Metadata {Metadata_In_EPS} def currentdict end /BDC PDFMark5
[/NamespacePop PDFMark5
PDFVars/TermAll get exec end end
PDF /docinitialize get exec
+
%%EndSetup
PDFVars begin PDF begin PDFVars/InitAll get exec
172.0 54.0 296.0 409.0 rectclip
q
172.0 54.0 m
468.0 54.0 l
468.0 463.0 l
172.0 463.0 l
h
W
n
q
n
0.0 480.0 640.0 -480.0 re
W
n
q
true setSA
172.0 54.0 296.0 409.0 re
W
n
n
335.201 367.981 m
333.385 369.335 330.805 369.835 328.2 368.652 c
322.949 374.353 322.186 384.354 319.8 392.8 c
315.154 386.669 307.689 378.628 311.4 368.652 c
308.876 369.681 308.006 368.819 304.399 369.323 c
304.324 380.208 313.847 387.489 318.4 396.154 c
317.73 402.89 317.119 409.683 308.6 408.898 c
311.234 410.792 315.023 413.818 319.8 411.582 c
327.617 399.62 326.688 379.276 335.201 367.981 c
[/DeviceGray] cs 1.0 sc
eofill
n
322.6 357.249 m
318.99 354.59 309.367 354.389 304.399 355.237 c
309.273 356.61 318.049 357.799 322.6 357.249 c
eofill
n
273.598 353.896 m
275.535 354.009 276.001 352.865 274.998 351.883 c
278.4 352.2 281.25 353.047 284.098 353.896 c
283.331 350.815 273.651 348.813 270.098 349.871 c
270.095 352.333 272.549 352.441 273.598 353.896 c
eofill
n
275.698 347.188 m
271.917 344.774 266.738 343.699 262.397 341.821 c
265.361 344.664 271.338 347.885 275.698 347.188 c
eofill
n
246.296 343.163 m
248.1 342.035 245.702 339.313 244.896 338.468 c
244.126 330.771 243.94 342.296 246.296 343.163 c
eofill
n
367.402 342.492 m
382.533 343.126 391.632 332.171 399.604 323.71 c
389.667 328.053 379.82 338.291 367.402 342.492 c
eofill
n
263.797 337.126 m
256.335 330.414 249.26 323.331 240.696 317.674 c
242.625 325.219 252.857 330.614 258.897 336.455 c
261.325 335.917 261.588 337.454 263.797 337.126 c
eofill
n
242.096 334.443 m
243.162 332.5 239.825 329.038 239.996 325.723 c
238.557 328.023 240.96 332.381 242.096 334.443 c
eofill
n
349.901 292.855 m
345.818 290.507 339.01 290.771 332.4 290.843 c
335.809 294.692 344.583 293.494 349.901 292.855 c
0.0 sc
eofill
n
380.003 243.889 m
361.751 227.327 333.626 256.615 328.9 270.049 c
320.358 294.333 372.045 299.295 382.804 283.464 c
383.45 282.512 385.821 277.044 385.604 274.745 c
385.214 270.637 378.237 264.074 377.903 255.963 c
377.744 252.102 378.594 248.677 380.003 243.889 c
eofill
n
303.699 289.501 m
300.093 289.492 299.222 288.63 296.699 290.172 c
298.743 290.818 303.655 292.552 303.699 289.501 c
1.0 sc
eofill
n
405.904 243.889 m
405.44 241.427 405.159 238.79 404.504 236.511 c
400.915 236.201 401.338 239.737 397.504 239.193 c
398.963 243.326 400.66 244.252 405.904 243.889 c
0.0 sc
eofill
n
313.5 231.145 m
316.143 231.441 316.786 229.821 318.4 229.132 c
317.548 228.16 315.604 228.233 315.6 226.449 c
314.251 226.722 315.047 229.05 312.8 228.461 c
312.711 229.664 313.657 229.876 313.5 231.145 c
1.0 sc
eofill
n
234.396 223.766 m
235.994 221.496 236.419 218.103 236.496 214.375 c
235.048 216.789 233.883 219.474 234.396 223.766 c
0.0 sc
eofill
n
236.496 213.704 m
237.603 212.306 238.778 210.972 239.296 209.009 c
239.95 209.501 240.357 210.229 240.696 211.021 c
243.049 209.716 241.634 205.406 242.096 200.96 c
240.518 201.459 241.823 204.722 241.396 206.326 c
241.263 206.869 240.694 206.994 240.696 207.668 c
239.257 207.358 239.345 209.687 236.496 209.68 c
h
eofill
n
240.696 192.91 m
242.821 189.055 239.509 178.342 241.396 172.117 c
239.354 169.795 240.487 182.937 240.696 186.203 c
240.851 188.61 240.575 191.107 240.696 192.91 c
eofill
n
308.6 162.055 m
314.675 154.383 312.125 145.973 317.7 138.578 c
316.42 136.645 316.564 136.48 317.0 133.883 c
313.95 133.228 311.994 131.525 310.0 129.858 c
307.797 129.537 307.263 130.813 305.799 131.2 c
305.191 140.651 304.613 147.547 307.899 154.006 c
303.2 152.07 309.483 158.048 308.6 162.055 c
1.0 sc
eofill
n
244.896 143.273 m
244.156 129.208 241.88 108.192 242.796 92.966 c
236.285 107.105 239.955 130.17 244.896 143.273 c
eofill
n
302.299 118.455 m
306.008 120.202 310.441 116.88 315.6 117.784 c
314.137 116.504 312.257 115.621 310.0 115.102 c
310.43 115.698 310.846 116.301 310.0 116.442 c
306.528 115.744 305.256 112.939 301.599 112.418 c
301.313 110.802 302.878 110.96 302.299 109.064 c
295.729 97.919 290.589 85.405 283.398 74.855 c
276.968 92.139 288.191 102.929 294.599 113.76 c
297.204 114.617 300.502 114.811 303.0 115.772 c
302.941 116.834 303.336 118.33 302.299 118.455 c
eofill
n
261.697 113.76 m
269.896 111.554 271.323 102.86 274.998 96.319 c
272.167 96.234 266.496 98.782 261.697 99.003 c
h
eofill
n
453.507 21.864 m
451.755 21.308 450.758 20.026 448.606 19.852 c
448.186 29.957 446.449 38.803 445.807 48.695 c
446.854 49.48 448.67 49.529 449.307 50.707 c
452.953 43.245 452.55 31.903 453.507 21.864 c
eofill
n
455.606 50.036 m
458.758 41.682 459.65 32.563 459.107 23.206 c
456.895 31.84 456.211 41.077 455.606 50.036 c
eofill
n
508.109 24.547 m
511.355 28.32 510.013 38.014 502.509 37.292 c
500.598 31.98 503.062 25.393 508.109 24.547 c
510.21 23.877 m
501.324 22.965 498.933 28.274 499.009 35.95 c
505.278 45.055 517.523 31.475 510.21 23.877 c
0.0 sc
eofill
n
502.509 37.292 m
510.013 38.014 511.355 28.32 508.109 24.547 c
503.062 25.393 500.598 31.98 502.509 37.292 c
1.0 sc
eofill
n
517.91 35.95 m
514.734 31.577 517.265 22.836 523.51 23.206 c
525.542 27.478 524.332 35.844 517.91 35.95 c
524.91 22.535 m
525.076 20.682 528.859 22.295 528.41 19.852 c
524.141 16.739 520.433 25.449 517.21 21.193 c
516.797 25.973 513.585 27.31 513.71 33.938 c
519.671 43.435 532.165 29.572 524.91 22.535 c
0.0 sc
eofill
n
523.51 23.206 m
517.265 22.836 514.734 31.577 517.91 35.95 c
524.332 35.844 525.542 27.478 523.51 23.206 c
1.0 sc
eofill
n
284.798 30.584 m
287.068 31.878 288.612 30.792 291.099 30.584 c
291.099 24.547 l
288.065 25.665 287.627 29.27 284.798 30.584 c
eofill
n
433.906 12.474 m
434.501 12.597 434.566 12.212 434.605 11.803 c
434.492 11.022 434.761 10.609 435.306 10.461 c
435.139 4.936 436.164 -1.384 436.706 -7.649 c
437.207 -13.44 439.325 -20.188 436.006 -22.406 c
431.935 -20.405 432.173 -13.479 431.806 -8.32 c
431.358 -2.04 432.145 5.144 431.806 11.132 c
432.37 11.709 433.724 11.53 433.906 12.474 c
eofill
n
420.605 -25.761 m
421.2 -25.637 421.266 -26.022 421.305 -26.432 c
421.177 -27.002 421.578 -27.063 422.005 -27.102 c
422.263 -33.01 422.791 -40.389 423.405 -47.225 c
423.912 -52.866 427.445 -61.162 421.305 -63.323 c
419.491 -51.869 419.411 -38.755 417.805 -27.102 c
419.108 -27.01 420.145 -26.661 420.605 -25.761 c
eofill
n
455.606 -37.163 m
455.987 -39.606 456.104 -40.257 457.007 -43.2 c
454.473 -41.866 454.052 -35.555 449.307 -38.505 c
453.136 -43.367 461.496 -48.421 455.606 -55.274 c
452.412 -55.876 451.639 -54.157 449.307 -53.933 c
450.123 -50.738 447.19 -48.917 448.606 -47.225 c
449.906 -49.78 451.392 -52.158 453.507 -53.933 c
455.754 -54.521 454.958 -52.193 456.307 -51.92 c
454.046 -46.284 446.483 -45.169 447.906 -37.834 c
449.713 -35.324 452.823 -35.775 455.606 -37.163 c
0.0 sc
eofill
n
463.308 -47.225 m
464.538 -46.839 467.42 -48.036 467.508 -46.555 c
464.521 -46.487 465.668 -42.06 464.707 -41.859 c
464.017 -43.434 463.479 -45.154 463.308 -47.225 c
464.008 -36.493 m
469.731 -41.293 470.361 -50.975 475.208 -56.616 c
473.366 -55.921 470.912 -55.813 468.207 -55.945 c
468.848 -54.77 468.448 -52.599 469.607 -51.92 c
467.864 -49.391 465.679 -48.632 462.607 -49.908 c
461.353 -53.794 464.99 -52.991 464.707 -55.945 c
463.105 -55.244 460.484 -55.52 459.107 -54.604 c
462.148 -49.915 462.82 -42.957 464.008 -36.493 c
eofill
n
478.708 -39.847 m
481.508 -39.847 l
482.104 -41.735 483.77 -42.599 483.608 -45.213 c
482.284 -46.543 480.301 -45.538 478.708 -45.213 c
480.231 -43.992 477.185 -41.067 478.708 -39.847 c
1.0 sc
eofill
n
428.306 -42.529 m
432.835 -44.021 429.524 -46.889 431.105 -50.579 c
427.428 -48.271 430.559 -45.576 428.306 -42.529 c
eofill
n
479.408 -47.896 m
481.681 -47.507 482.665 -48.353 484.309 -48.566 c
485.405 -51.125 485.772 -52.598 484.309 -55.274 c
479.157 -55.492 479.966 -50.419 479.408 -47.896 c
eofill
n
508.109 -82.775 m
511.609 -82.775 l
511.521 -83.979 512.467 -84.19 512.31 -85.459 c
510.906 -84.757 509.056 -81.867 508.81 -85.459 c
507.859 -85.251 508.229 -83.779 508.109 -82.775 c
0.0 sc
eofill
n
494.108 -86.801 m
495.318 -88.66 492.325 -92.224 489.209 -92.167 c
491.068 -90.595 493.245 -89.326 494.108 -86.801 c
eofill
n
428.306 -87.471 m
429.944 -87.689 428.985 -90.397 430.405 -90.825 c
429.02 -92.962 427.683 -89.473 428.306 -87.471 c
1.0 sc
eofill
n
472.408 -103.569 m
471.546 -103.862 470.971 -104.428 471.008 -105.582 c
468.381 -106.087 469.481 -103.02 467.508 -102.898 c
468.134 -101.71 470.349 -102.044 469.607 -99.545 c
470.46 -100.965 472.242 -101.493 472.408 -103.569 c
eofill
n
489.908 -103.569 m
489.57 -101.457 492.058 -102.051 491.309 -99.545 c
492.63 -100.515 494.412 -101.043 494.108 -103.569 c
492.57 -105.11 491.783 -104.658 489.908 -103.569 c
eofill
n
423.405 -107.595 m
424.647 -105.805 423.915 -111.524 424.105 -112.961 c
422.863 -114.75 423.596 -109.03 423.405 -107.595 c
eofill
n
450.707 -116.985 m
451.855 -117.096 451.855 -112.851 450.707 -112.961 c
451.451 -111.438 455.107 -112.705 457.007 -112.29 c
456.223 -121.449 443.292 -119.499 440.906 -112.961 c
445.277 -113.214 449.114 -111.688 450.707 -116.985 c
eofill
n
440.906 -112.961 m
443.292 -119.499 456.223 -121.449 457.007 -112.29 c
455.107 -112.705 451.451 -111.438 450.707 -112.961 c
451.855 -112.851 451.855 -117.096 450.707 -116.985 c
449.114 -111.688 445.277 -113.214 440.906 -112.961 c
424.105 -112.961 m
423.915 -111.524 424.647 -105.805 423.405 -107.595 c
423.596 -109.03 422.863 -114.75 424.105 -112.961 c
185.394 -103.569 m
185.436 -101.911 184.688 -97.609 183.993 -98.874 c
185.312 -103.715 180.065 -102.266 179.093 -104.911 c
188.182 -106.018 190.452 -100.591 194.494 -96.862 c
192.126 -97.08 190.815 -92.836 188.894 -94.85 c
190.269 -95.992 192.393 -96.416 193.094 -98.203 c
189.207 -98.727 187.533 -101.372 185.394 -103.569 c
430.405 -90.825 m
428.985 -90.397 429.944 -87.689 428.306 -87.471 c
427.683 -89.473 429.02 -92.962 430.405 -90.825 c
540.312 -75.397 m
504.953 -77.282 466.034 -76.428 431.105 -76.739 c
432.544 -88.105 432.56 -100.835 433.906 -112.29 c
462.218 -111.651 511.072 -109.362 545.911 -110.277 c
544.442 -98.493 543.693 -86.02 541.011 -75.397 c
h
431.806 -53.933 m
430.96 -53.791 431.375 -53.188 431.806 -52.591 c
431.263 -52.441 430.425 -52.572 430.405 -51.92 c
430.833 -51.883 431.234 -51.82 431.105 -51.25 c
427.934 -50.69 430.186 -58.35 431.806 -55.274 c
430.668 -55.475 429.917 -54.368 431.105 -53.933 c
431.104 -54.305 431.673 -54.694 431.806 -53.933 c
431.105 -50.579 m
429.524 -46.889 432.835 -44.021 428.306 -42.529 c
430.559 -45.576 427.428 -48.271 431.105 -50.579 c
429.006 -41.859 m
431.135 -40.424 429.522 -34.865 428.306 -32.468 c
426.215 -35.179 429.978 -40.22 429.006 -41.859 c
433.906 -59.299 m
467.277 -61.479 504.295 -63.707 540.312 -65.336 c
542.679 -65.303 543.348 -66.897 544.512 -68.019 c
543.232 -56.276 540.656 -45.776 538.911 -34.48 c
499.032 -31.887 468.391 -29.707 431.105 -26.432 c
431.704 -38.723 432.988 -45.673 433.906 -59.299 c
417.805 -27.102 m
419.411 -38.755 419.491 -51.869 421.305 -63.323 c
427.445 -61.162 423.912 -52.866 423.405 -47.225 c
422.791 -40.389 422.263 -33.01 422.005 -27.102 c
421.578 -27.063 421.177 -27.002 421.305 -26.432 c
421.266 -26.022 421.2 -25.637 420.605 -25.761 c
420.145 -26.661 419.108 -27.01 417.805 -27.102 c
444.406 11.803 m
444.775 2.329 446.709 -9.633 447.206 -19.053 c
481.067 -21.219 507.654 -24.143 548.712 -26.432 c
548.808 -27.681 549.172 -28.673 550.111 -29.114 c
548.047 -18.796 546.644 -7.842 544.512 2.412 c
512.655 5.229 472.271 8.489 444.406 11.803 c
431.806 11.132 m
432.145 5.144 431.358 -2.04 431.806 -8.32 c
432.173 -13.479 431.935 -20.405 436.006 -22.406 c
439.325 -20.188 437.207 -13.44 436.706 -7.649 c
436.164 -1.384 435.139 4.936 435.306 10.461 c
434.761 10.609 434.492 11.022 434.605 11.803 c
434.566 12.212 434.501 12.597 433.906 12.474 c
433.724 11.53 432.37 11.709 431.806 11.132 c
291.099 24.547 m
291.099 30.584 l
288.612 30.792 287.068 31.878 284.798 30.584 c
287.627 29.27 288.065 25.665 291.099 24.547 c
548.712 14.485 m
549.565 14.41 550.369 14.285 550.111 13.145 c
550.081 12.431 550.441 11.44 550.812 12.474 c
549.29 21.523 547.661 30.473 545.911 39.305 c
517.488 43.596 487.951 46.82 458.407 50.036 c
459.174 43.407 460.608 33.383 461.207 24.547 c
489.498 20.354 520.27 18.535 548.712 14.485 c
459.107 23.206 m
459.65 32.563 458.758 41.682 455.606 50.036 c
456.211 41.077 456.895 31.84 459.107 23.206 c
449.307 50.707 m
448.67 49.529 446.854 49.48 445.807 48.695 c
446.449 38.803 448.186 29.957 448.606 19.852 c
450.758 20.026 451.755 21.308 453.507 21.864 c
452.55 31.903 452.953 43.245 449.307 50.707 c
261.697 99.003 m
266.496 98.782 272.167 96.234 274.998 96.319 c
271.323 102.86 269.896 111.554 261.697 113.76 c
h
303.0 115.772 m
300.502 114.811 297.204 114.617 294.599 113.76 c
288.191 102.929 276.968 92.139 283.398 74.855 c
290.589 85.405 295.729 97.919 302.299 109.064 c
302.878 110.96 301.313 110.802 301.599 112.418 c
305.256 112.939 306.528 115.744 310.0 116.442 c
310.846 116.301 310.43 115.698 310.0 115.102 c
312.257 115.621 314.137 116.504 315.6 117.784 c
310.441 116.88 306.008 120.202 302.299 118.455 c
303.336 118.33 302.941 116.834 303.0 115.772 c
356.202 48.695 m
356.612 47.3 357.673 46.527 358.302 45.341 c
357.542 45.181 356.621 44.236 357.602 44.0 c
357.611 45.332 359.512 44.853 359.002 46.683 c
363.245 49.29 372.338 60.687 369.503 59.428 c
369.542 59.837 369.607 60.222 370.203 60.098 c
369.969 56.951 366.326 58.617 364.603 58.757 c
365.335 56.859 363.447 54.155 364.603 54.062 c
364.809 54.657 366.496 56.998 366.702 55.402 c
364.903 55.338 365.701 52.784 363.902 52.72 c
360.545 58.223 357.465 63.991 354.102 69.489 c
354.707 62.384 360.926 58.399 356.202 48.695 c
349.201 88.941 m
362.053 98.986 383.324 100.964 380.703 125.834 c
372.736 121.118 364.62 120.807 356.202 119.126 c
353.471 118.58 351.11 116.456 347.802 116.442 c
344.115 116.428 340.976 119.504 337.301 119.797 c
332.525 120.177 327.116 118.04 322.6 117.113 c
324.914 116.107 321.146 115.474 321.9 113.76 c
328.2 113.76 l
329.125 115.438 325.433 115.859 327.501 116.442 c
330.774 115.108 333.572 113.316 335.901 111.076 c
334.361 103.381 330.914 93.947 329.601 88.271 c
331.902 89.168 330.764 88.077 331.701 90.283 c
342.099 86.468 348.807 79.973 352.702 70.16 c
353.492 75.701 346.735 79.582 347.102 86.929 c
349.868 85.295 346.583 87.678 348.502 88.271 c
349.956 87.52 349.984 87.547 349.201 88.941 c
354.102 125.163 m
365.544 127.169 378.804 131.006 382.104 138.578 c
375.081 131.892 363.15 129.907 354.102 125.163 c
242.796 92.966 m
241.88 108.192 244.156 129.208 244.896 143.273 c
239.955 130.17 236.285 107.105 242.796 92.966 c
388.403 121.139 m
393.903 127.276 393.784 139.751 391.903 144.615 c
392.907 136.637 380.407 129.962 388.403 121.139 c
307.899 154.006 m
304.613 147.547 305.191 140.651 305.799 131.2 c
307.263 130.813 307.797 129.537 310.0 129.858 c
311.994 131.525 313.95 133.228 317.0 133.883 c
316.564 136.48 316.42 136.645 317.7 138.578 c
312.125 145.973 314.675 154.383 308.6 162.055 c
309.483 158.048 303.2 152.07 307.899 154.006 c
312.8 228.461 m
315.047 229.05 314.251 226.722 315.6 226.449 c
315.604 228.233 317.548 228.16 318.4 229.132 c
316.786 229.821 316.143 231.441 313.5 231.145 c
313.657 229.876 312.711 229.664 312.8 228.461 c
300.899 216.388 m
301.256 220.518 302.618 223.684 303.0 227.791 c
295.785 231.439 304.666 240.863 310.0 234.498 c
309.641 239.792 307.21 240.92 307.2 245.901 c
302.201 243.472 295.592 238.216 297.399 229.803 c
295.535 228.251 292.96 223.265 295.999 221.083 c
296.192 222.259 294.028 224.43 295.999 225.107 c
296.472 219.969 298.21 218.106 300.899 216.388 c
289.699 245.23 m
294.173 248.55 300.955 253.22 301.599 257.976 c
299.028 252.832 291.614 248.768 289.699 245.23 c
307.899 250.597 m
308.51 252.941 310.588 257.381 308.6 259.987 c
308.989 257.6 305.037 254.656 308.6 254.621 c
307.443 254.611 308.208 252.761 307.2 252.609 c
307.202 252.981 306.632 253.37 306.5 252.609 c
307.655 252.599 306.891 250.749 307.899 250.597 c
311.4 271.391 m
312.958 273.594 313.662 279.421 311.4 281.452 c
311.106 277.181 310.998 273.175 311.4 271.391 c
326.801 283.464 m
323.645 285.683 311.96 286.438 312.8 282.123 c
315.108 285.945 324.377 282.989 326.801 283.464 c
309.3 283.464 m
309.015 286.491 301.809 289.471 301.599 288.16 c
304.835 287.235 306.922 285.211 309.3 283.464 c
296.699 290.172 m
299.222 288.63 300.093 289.492 303.699 289.501 c
303.655 292.552 298.743 290.818 296.699 290.172 c
254.697 303.587 m
252.251 303.222 249.397 299.756 250.497 298.221 c
250.653 298.742 250.516 299.544 251.197 299.563 c
251.354 299.042 251.216 298.24 251.897 298.221 c
252.015 302.573 253.02 299.924 254.697 303.587 c
387.703 314.991 m
383.931 317.518 379.809 321.193 375.803 323.04 c
337.156 340.858 272.046 333.811 246.997 307.612 c
249.687 307.003 253.665 311.43 256.797 313.649 c
292.652 339.057 370.621 337.958 396.804 304.258 c
398.016 309.765 391.957 312.142 387.703 314.991 c
239.996 325.723 m
239.825 329.038 243.162 332.5 242.096 334.443 c
240.96 332.381 238.557 328.023 239.996 325.723 c
258.897 336.455 m
252.857 330.614 242.625 325.219 240.696 317.674 c
249.26 323.331 256.335 330.414 263.797 337.126 c
261.588 337.454 261.325 335.917 258.897 336.455 c
401.004 326.394 m
399.797 327.266 396.705 332.1 394.004 333.772 c
394.158 334.295 394.59 334.552 395.404 334.443 c
395.325 336.157 394.12 336.791 393.304 337.797 c
391.721 334.498 386.21 338.901 387.703 337.797 c
391.603 334.546 399.437 325.275 401.004 326.394 c
399.604 323.71 m
391.632 332.171 382.533 343.126 367.402 342.492 c
379.82 338.291 389.667 328.053 399.604 323.71 c
244.896 338.468 m
245.702 339.313 248.1 342.035 246.296 343.163 c
243.94 342.296 244.126 330.771 244.896 338.468 c
262.397 341.821 m
266.738 343.699 271.917 344.774 275.698 347.188 c
271.338 347.885 265.361 344.664 262.397 341.821 c
401.704 327.064 m
398.708 335.149 396.251 343.751 389.804 348.529 c
394.293 340.481 397.984 334.951 401.704 327.064 c
270.098 349.871 m
273.651 348.813 283.331 350.815 284.098 353.896 c
281.25 353.047 278.4 352.2 274.998 351.883 c
276.001 352.865 275.535 354.009 273.598 353.896 c
272.549 352.441 270.095 352.333 270.098 349.871 c
257.497 351.883 m
257.699 351.692 261.628 353.248 259.597 352.554 c
259.054 352.704 258.216 352.572 258.197 353.225 c
259.129 353.896 260.31 354.33 260.997 355.237 c
258.894 355.418 256.148 352.788 257.497 351.883 c
377.203 345.846 m
378.514 346.826 381.842 345.873 382.804 347.188 c
380.734 349.4 376.373 349.005 374.403 348.529 c
375.637 347.923 376.57 347.029 377.203 345.846 c
363.902 351.212 m
366.568 350.894 368.272 351.497 368.803 353.225 c
364.142 353.23 362.604 356.229 357.602 355.908 c
359.67 352.818 355.885 354.838 354.802 353.225 c
363.754 348.833 375.564 343.608 384.203 341.151 c
378.763 347.249 370.329 346.707 363.902 351.212 c
304.399 355.237 m
309.367 354.389 318.99 354.59 322.6 357.249 c
318.049 357.799 309.273 356.61 304.399 355.237 c
386.304 344.504 m
383.562 350.378 380.271 359.289 373.703 359.261 c
377.983 354.863 382.952 347.559 386.304 344.504 c
371.603 353.225 m
367.71 354.423 364.802 365.927 356.902 363.286 c
357.662 363.125 358.583 362.182 357.602 361.944 c
356.816 361.876 356.512 362.919 356.202 361.944 c
361.791 360.525 370.078 351.941 371.603 353.225 c
308.6 363.957 m
324.934 355.586 344.37 368.122 347.102 380.726 c
342.493 366.581 323.285 358.619 308.6 363.957 c
319.8 411.582 m
315.023 413.818 311.234 410.792 308.6 408.898 c
317.119 409.683 317.73 402.89 318.4 396.154 c
313.847 387.489 304.324 380.208 304.399 369.323 c
308.006 368.819 308.876 369.681 311.4 368.652 c
307.689 378.628 315.154 386.669 319.8 392.8 c
322.186 384.354 322.949 374.353 328.2 368.652 c
330.805 369.835 333.385 369.335 335.201 367.981 c
326.688 379.276 327.617 399.62 319.8 411.582 c
327.501 269.378 m
322.6 269.378 l
321.13 260.632 316.914 254.621 317.7 247.914 c
317.857 248.435 317.719 249.236 318.4 249.255 c
318.066 246.853 317.262 245.379 318.4 243.219 c
317.698 243.216 317.567 243.762 317.0 243.889 c
318.358 241.653 316.006 236.907 318.4 239.864 c
317.352 235.7 319.959 233.483 322.6 231.145 c
321.516 230.396 321.143 228.964 319.1 229.132 c
318.209 223.359 322.566 222.616 324.7 219.741 c
325.35 221.802 329.084 220.907 330.301 222.425 c
330.279 220.442 333.542 220.153 334.501 221.083 c
332.215 224.93 331.089 229.888 326.801 231.815 c
327.437 233.218 328.866 233.86 331.001 233.827 c
331.932 230.026 339.512 222.925 335.201 222.425 c
335.819 220.78 337.299 219.963 336.601 217.059 c
334.429 216.178 334.604 217.24 331.701 217.059 c
331.73 216.135 331.371 215.585 331.001 215.046 c
332.971 217.131 340.802 213.493 343.602 214.375 c
343.538 212.545 344.768 213.025 343.602 211.692 c
347.513 211.298 348.997 213.229 352.702 213.033 c
349.92 217.076 346.073 220.098 343.602 224.437 c
347.06 224.808 342.873 224.781 342.901 225.778 c
343.019 226.56 344.008 226.507 345.001 226.449 c
344.618 227.424 345.819 229.916 344.302 229.803 c
344.233 229.305 341.568 229.305 341.501 229.803 c
340.95 232.791 341.979 234.264 342.901 235.84 c
333.62 243.046 329.249 254.955 327.501 269.378 c
71.988 63.452 m
75.19 64.854 77.814 66.813 77.588 71.501 c
88.843 73.461 89.955 85.141 94.389 93.637 c
99.289 93.637 l
100.435 99.065 114.086 95.906 120.29 96.99 c
121.11 97.099 120.881 98.214 120.99 99.003 c
133.707 99.115 139.85 105.526 153.192 105.04 c
157.742 108.581 167.309 110.369 172.793 109.064 c
179.777 116.142 188.263 114.573 199.394 116.442 c
192.942 118.949 210.24 121.288 213.395 121.139 c
216.919 125.811 223.365 127.683 223.195 135.896 c
230.365 138.863 231.902 147.229 239.996 149.311 c
240.101 154.104 239.949 155.726 240.696 162.055 c
241.628 160.029 241.277 150.994 245.597 149.981 c
248.687 150.53 251.995 149.833 253.997 152.664 c
264.717 146.168 276.445 140.635 286.898 133.883 c
288.442 140.015 285.188 144.035 284.098 148.64 c
282.085 150.052 279.969 149.369 278.498 149.981 c
279.1 150.522 278.914 151.818 279.898 151.993 c
272.857 157.003 270.389 157.391 268.698 168.763 c
267.877 168.654 268.107 167.54 267.998 166.751 c
265.892 170.24 265.636 174.191 268.698 176.813 c
268.122 178.859 266.729 178.421 267.998 180.837 c
266.171 177.745 266.76 176.318 265.197 172.787 c
261.265 181.377 263.206 199.305 265.197 209.68 c
263.715 209.127 263.383 210.187 263.097 213.033 c
261.504 212.548 262.889 209.209 260.297 209.68 c
259.078 213.482 257.669 213.832 257.497 217.729 c
255.328 214.287 258.865 210.56 260.297 208.338 c
257.133 200.089 256.719 199.613 256.097 190.898 c
255.147 199.59 250.905 209.717 254.697 217.059 c
255.517 216.95 255.287 215.835 255.397 215.046 c
258.126 215.63 254.389 217.795 254.697 219.07 c
254.829 219.615 256.784 220.126 256.797 220.412 c
256.835 221.227 254.701 221.836 254.697 221.754 c
254.748 222.902 256.515 221.827 256.797 222.425 c
256.554 221.91 256.152 226.146 256.097 226.449 c
255.404 230.285 252.718 236.249 250.497 238.522 c
250.917 241.572 250.755 243.198 251.897 246.572 c
248.035 241.922 253.948 250.153 251.197 249.926 c
255.398 249.473 256.996 240.732 263.097 239.864 c
256.299 243.683 249.691 257.859 251.197 266.024 c
250.545 264.189 247.705 264.451 246.296 263.342 c
250.755 267.016 254.723 278.546 251.897 286.147 c
251.906 287.724 253.807 285.902 253.297 284.806 c
254.627 289.65 257.457 293.415 258.897 294.868 c
256.895 296.548 252.736 295.404 249.797 293.526 c
248.231 293.815 249.513 296.832 249.097 298.221 c
246.199 290.817 239.14 287.001 240.696 274.074 c
239.241 274.449 239.213 275.12 239.996 276.086 c
236.154 274.206 242.033 272.992 242.796 271.391 c
242.378 264.876 244.448 262.773 241.396 259.316 c
242.404 259.692 243.104 260.363 243.496 261.329 c
243.853 257.172 244.297 249.94 243.496 243.889 c
242.033 243.605 241.643 244.349 240.696 244.56 c
241.746 239.452 244.62 233.072 239.996 229.803 c
237.942 230.88 236.193 235.81 238.596 237.182 c
238.39 238.776 236.702 236.436 236.496 235.84 c
230.089 238.514 234.56 249.341 235.796 251.938 c
237.492 253.625 237.353 250.587 237.896 249.255 c
240.165 252.384 233.58 275.508 228.795 266.024 c
226.797 262.063 228.462 252.25 228.795 246.572 c
225.05 256.536 225.567 272.131 237.896 272.732 c
239.774 279.764 233.73 282.106 229.496 284.806 c
225.178 287.558 222.336 294.917 217.595 294.868 c
212.686 305.367 206.74 314.875 200.794 324.381 c
201.981 336.655 198.296 346.384 200.794 355.908 c
202.785 363.495 210.137 368.878 210.595 376.702 c
218.609 388.922 226.706 401.063 232.296 415.606 c
237.006 418.248 237.862 424.583 240.696 429.021 c
250.083 432.101 253.288 441.104 262.397 444.449 c
262.397 447.803 l
271.344 449.292 272.312 458.426 282.698 458.535 c
284.896 458.218 284.548 460.341 286.198 460.548 c
294.623 460.524 303.629 459.944 308.6 463.231 c
329.235 463.775 345.591 460.218 363.902 458.535 c
366.289 454.114 372.183 453.054 374.403 448.474 c
375.215 447.911 376.279 447.589 377.903 447.803 c
385.117 439.511 394.755 433.542 403.104 426.338 c
407.774 415.807 419.248 401.453 427.605 390.117 c
427.787 386.937 428.332 384.106 430.405 382.738 c
430.405 378.714 l
439.521 362.954 445.832 329.106 432.506 312.308 c
432.536 310.592 431.985 311.49 431.105 311.637 c
428.293 302.144 423.28 298.4 419.205 290.843 c
412.571 290.715 412.852 283.963 406.604 283.464 c
404.175 281.321 405.457 275.62 401.704 274.745 c
402.15 271.818 405.29 271.473 407.305 270.049 c
410.933 266.431 409.264 266.431 406.604 270.049 c
404.266 270.491 403.181 272.135 401.004 272.732 c
401.51 274.782 400.288 275.177 400.304 276.757 c
399.483 276.648 399.714 275.534 399.604 274.745 c
395.828 304.747 365.267 315.206 334.501 314.991 c
335.927 313.099 332.96 314.154 334.501 311.637 c
333.007 311.323 333.168 312.595 333.101 313.649 c
328.189 307.244 321.906 296.282 320.5 290.843 c
312.896 297.83 319.043 312.756 308.6 317.674 c
303.84 316.645 305.106 309.842 301.599 307.612 c
306.119 300.45 306.033 293.025 317.0 292.185 c
314.397 290.206 308.9 291.001 304.399 290.843 c
306.656 287.192 317.93 292.181 318.4 286.818 c
320.311 287.424 316.271 288.319 318.4 289.501 c
338.001 289.501 l
333.701 287.361 330.055 284.595 326.801 281.452 c
325.453 261.088 348.013 241.605 364.603 237.182 c
363.159 236.328 360.984 236.177 359.702 235.169 c
362.563 239.252 356.666 234.34 354.102 236.511 c
354.34 235.164 353.959 234.412 352.702 234.498 c
354.491 228.909 361.311 221.284 358.302 214.375 c
373.915 214.578 387.628 212.962 400.304 210.351 c
404.061 213.459 401.965 222.175 405.904 225.107 c
403.462 218.644 404.88 214.72 402.404 209.68 c
403.049 208.508 404.593 208.199 406.604 208.338 c
409.308 214.603 414.059 221.266 412.904 229.132 c
414.857 229.72 416.362 230.738 418.505 231.145 c
419.699 228.776 421.743 225.721 419.905 222.425 c
424.084 214.456 428.896 207.888 428.306 196.936 c
423.385 184.104 409.015 184.798 397.504 186.874 c
398.991 181.145 397.844 172.889 398.204 166.08 c
396.625 168.601 397.931 179.674 397.504 185.532 c
390.178 184.465 378.929 184.465 371.603 185.532 c
369.684 185.519 369.94 182.368 370.902 181.508 c
370.03 180.072 369.17 184.266 368.803 185.532 c
353.525 187.353 341.924 191.047 334.501 186.203 c
334.352 182.466 339.798 180.567 340.102 179.495 c
341.099 177.271 332.095 181.212 333.101 185.532 c
330.057 186.455 323.282 186.907 321.2 184.861 c
320.938 182.03 325.963 181.521 324.7 178.153 c
327.806 182.509 327.499 172.85 329.601 175.471 c
332.455 174.976 331.188 168.955 333.801 169.434 c
335.99 168.349 331.019 168.6 332.4 166.08 c
332.41 164.504 334.311 166.325 333.801 167.421 c
332.895 161.781 331.273 157.57 331.001 148.64 c
330.24 148.806 330.525 149.974 329.601 149.981 c
331.038 148.042 325.5 143.503 328.2 140.591 c
325.265 139.363 323.438 135.075 324.7 131.87 c
327.669 132.229 339.268 130.912 339.401 131.2 c
352.32 130.529 375.411 142.27 382.804 145.286 c
384.537 144.224 383.089 140.593 382.804 139.249 c
384.727 140.536 386.058 142.391 385.604 145.957 c
389.419 148.561 395.013 149.462 396.804 154.006 c
398.832 155.117 395.44 152.419 396.104 150.652 c
398.395 149.046 400.019 146.802 404.504 147.298 c
406.847 142.388 409.719 137.984 415.005 135.896 c
414.936 128.227 421.337 126.758 423.405 121.139 c
429.476 122.459 436.398 121.338 440.206 117.113 c
441.187 117.351 440.267 118.295 439.506 118.455 c
440.644 120.145 441.778 116.214 442.307 115.102 c
451.886 114.25 465.622 115.221 466.107 107.723 c
472.891 108.617 480.403 110.39 483.608 105.04 c
482.305 104.398 481.269 107.049 480.809 105.04 c
486.318 101.815 501.291 106.936 501.109 99.674 c
510.051 100.993 517.076 100.198 522.811 95.648 c
539.221 99.815 547.974 87.258 551.512 74.855 c
558.645 69.169 568.117 65.724 576.013 60.769 c
576.013 -184.063 l
71.988 -184.063 l
h
0.0 sc
eofill
n
240.696 186.203 m
240.487 182.937 239.354 169.795 241.396 172.117 c
239.509 178.342 242.821 189.055 240.696 192.91 c
240.575 191.107 240.851 188.61 240.696 186.203 c
236.496 209.68 m
239.345 209.687 239.257 207.358 240.696 207.668 c
240.694 206.994 241.263 206.869 241.396 206.326 c
241.823 204.722 240.518 201.459 242.096 200.96 c
241.634 205.406 243.049 209.716 240.696 211.021 c
240.357 210.229 239.95 209.501 239.296 209.009 c
238.778 210.972 237.603 212.306 236.496 213.704 c
h
236.496 214.375 m
236.419 218.103 235.994 221.496 234.396 223.766 c
233.883 219.474 235.048 216.789 236.496 214.375 c
232.996 228.461 m
231.852 230.294 231.038 235.945 230.196 235.84 c
230.663 232.934 230.372 229.301 232.996 228.461 c
397.504 239.193 m
401.338 239.737 400.915 236.201 404.504 236.511 c
405.159 238.79 405.44 241.427 405.904 243.889 c
400.66 244.252 398.963 243.326 397.504 239.193 c
332.4 290.843 m
339.01 290.771 345.818 290.507 349.901 292.855 c
344.583 293.494 335.809 294.692 332.4 290.843 c
382.104 286.818 m
379.886 300.126 346.105 307.075 335.901 294.197 c
354.41 298.166 372.812 294.284 382.104 286.818 c
377.903 255.963 m
378.237 264.074 385.214 270.637 385.604 274.745 c
385.821 277.044 383.45 282.512 382.804 283.464 c
372.045 299.295 320.358 294.333 328.9 270.049 c
333.626 256.615 361.751 227.327 380.003 243.889 c
378.594 248.677 377.744 252.102 377.903 255.963 c
576.013 60.769 m
568.117 65.724 558.645 69.169 551.512 74.855 c
547.974 87.258 539.221 99.815 522.811 95.648 c
517.076 100.198 510.051 100.993 501.109 99.674 c
501.291 106.936 486.318 101.815 480.809 105.04 c
481.269 107.049 482.305 104.398 483.608 105.04 c
480.403 110.39 472.891 108.617 466.107 107.723 c
465.622 115.221 451.886 114.25 442.307 115.102 c
441.778 116.214 440.644 120.145 439.506 118.455 c
440.267 118.295 441.187 117.351 440.206 117.113 c
436.398 121.338 429.476 122.459 423.405 121.139 c
421.337 126.758 414.936 128.227 415.005 135.896 c
409.719 137.984 406.847 142.388 404.504 147.298 c
400.019 146.802 398.395 149.046 396.104 150.652 c
395.44 152.419 398.832 155.117 396.804 154.006 c
395.013 149.462 389.419 148.561 385.604 145.957 c
386.058 142.391 384.727 140.536 382.804 139.249 c
383.089 140.593 384.537 144.224 382.804 145.286 c
375.411 142.27 352.32 130.529 339.401 131.2 c
339.268 130.912 327.669 132.229 324.7 131.87 c
323.438 135.075 325.265 139.363 328.2 140.591 c
325.5 143.503 331.038 148.042 329.601 149.981 c
330.525 149.974 330.24 148.806 331.001 148.64 c
331.273 157.57 332.895 161.781 333.801 167.421 c
334.311 166.325 332.41 164.504 332.4 166.08 c
331.019 168.6 335.99 168.349 333.801 169.434 c
331.188 168.955 332.455 174.976 329.601 175.471 c
327.499 172.85 327.806 182.509 324.7 178.153 c
325.963 181.521 320.938 182.03 321.2 184.861 c
323.282 186.907 330.057 186.455 333.101 185.532 c
332.095 181.212 341.099 177.271 340.102 179.495 c
339.798 180.567 334.352 182.466 334.501 186.203 c
341.924 191.047 353.525 187.353 368.803 185.532 c
369.17 184.266 370.03 180.072 370.902 181.508 c
369.94 182.368 369.684 185.519 371.603 185.532 c
378.929 184.465 390.178 184.465 397.504 185.532 c
397.931 179.674 396.625 168.601 398.204 166.08 c
397.844 172.889 398.991 181.145 397.504 186.874 c
409.015 184.798 423.385 184.104 428.306 196.936 c
428.896 207.888 424.084 214.456 419.905 222.425 c
421.743 225.721 419.699 228.776 418.505 231.145 c
416.362 230.738 414.857 229.72 412.904 229.132 c
414.059 221.266 409.308 214.603 406.604 208.338 c
404.593 208.199 403.049 208.508 402.404 209.68 c
404.88 214.72 403.462 218.644 405.904 225.107 c
401.965 222.175 404.061 213.459 400.304 210.351 c
387.628 212.962 373.915 214.578 358.302 214.375 c
361.311 221.284 354.491 228.909 352.702 234.498 c
353.959 234.412 354.34 235.164 354.102 236.511 c
356.666 234.34 362.563 239.252 359.702 235.169 c
360.984 236.177 363.159 236.328 364.603 237.182 c
348.013 241.605 325.453 261.088 326.801 281.452 c
330.055 284.595 333.701 287.361 338.001 289.501 c
318.4 289.501 l
316.271 288.319 320.311 287.424 318.4 286.818 c
317.93 292.181 306.656 287.192 304.399 290.843 c
308.9 291.001 314.397 290.206 317.0 292.185 c
306.033 293.025 306.119 300.45 301.599 307.612 c
305.106 309.842 303.84 316.645 308.6 317.674 c
319.043 312.756 312.896 297.83 320.5 290.843 c
321.906 296.282 328.189 307.244 333.101 313.649 c
333.168 312.595 333.007 311.323 334.501 311.637 c
332.96 314.154 335.927 313.099 334.501 314.991 c
365.267 315.206 395.828 304.747 399.604 274.745 c
399.714 275.534 399.483 276.648 400.304 276.757 c
400.288 275.177 401.51 274.782 401.004 272.732 c
403.181 272.135 404.266 270.491 406.604 270.049 c
409.264 266.431 410.933 266.431 407.305 270.049 c
405.29 271.473 402.15 271.818 401.704 274.745 c
405.457 275.62 404.175 281.321 406.604 283.464 c
412.852 283.963 412.571 290.715 419.205 290.843 c
423.28 298.4 428.293 302.144 431.105 311.637 c
431.985 311.49 432.536 310.592 432.506 312.308 c
445.832 329.106 439.521 362.954 430.405 378.714 c
430.405 382.738 l
428.332 384.106 427.787 386.937 427.605 390.117 c
419.248 401.453 407.774 415.807 403.104 426.338 c
394.755 433.542 385.117 439.511 377.903 447.803 c
376.279 447.589 375.215 447.911 374.403 448.474 c
372.183 453.054 366.289 454.114 363.902 458.535 c
345.591 460.218 329.235 463.775 308.6 463.231 c
303.629 459.944 294.623 460.524 286.198 460.548 c
284.548 460.341 284.896 458.218 282.698 458.535 c
272.312 458.426 271.344 449.292 262.397 447.803 c
262.397 444.449 l
253.288 441.104 250.083 432.101 240.696 429.021 c
237.862 424.583 237.006 418.248 232.296 415.606 c
226.706 401.063 218.609 388.922 210.595 376.702 c
210.137 368.878 202.785 363.495 200.794 355.908 c
198.296 346.384 201.981 336.655 200.794 324.381 c
206.74 314.875 212.686 305.367 217.595 294.868 c
222.336 294.917 225.178 287.558 229.496 284.806 c
233.73 282.106 239.774 279.764 237.896 272.732 c
225.567 272.131 225.05 256.536 228.795 246.572 c
228.462 252.25 226.797 262.063 228.795 266.024 c
233.58 275.508 240.165 252.384 237.896 249.255 c
237.353 250.587 237.492 253.625 235.796 251.938 c
234.56 249.341 230.089 238.514 236.496 235.84 c
236.702 236.436 238.39 238.776 238.596 237.182 c
236.193 235.81 237.942 230.88 239.996 229.803 c
244.62 233.072 241.746 239.452 240.696 244.56 c
241.643 244.349 242.033 243.605 243.496 243.889 c
244.297 249.94 243.853 257.172 243.496 261.329 c
243.104 260.363 242.404 259.692 241.396 259.316 c
244.448 262.773 242.378 264.876 242.796 271.391 c
242.033 272.992 236.154 274.206 239.996 276.086 c
239.213 275.12 239.241 274.449 240.696 274.074 c
239.14 287.001 246.199 290.817 249.097 298.221 c
249.513 296.832 248.231 293.815 249.797 293.526 c
252.736 295.404 256.895 296.548 258.897 294.868 c
257.457 293.415 254.627 289.65 253.297 284.806 c
253.807 285.902 251.906 287.724 251.897 286.147 c
254.723 278.546 250.755 267.016 246.296 263.342 c
247.705 264.451 250.545 264.189 251.197 266.024 c
249.691 257.859 256.299 243.683 263.097 239.864 c
256.996 240.732 255.398 249.473 251.197 249.926 c
253.948 250.153 248.035 241.922 251.897 246.572 c
250.755 243.198 250.917 241.572 250.497 238.522 c
252.718 236.249 255.404 230.285 256.097 226.449 c
256.152 226.146 256.554 221.91 256.797 222.425 c
256.515 221.827 254.748 222.902 254.697 221.754 c
254.701 221.836 256.835 221.227 256.797 220.412 c
256.784 220.126 254.829 219.615 254.697 219.07 c
254.389 217.795 258.126 215.63 255.397 215.046 c
255.287 215.835 255.517 216.95 254.697 217.059 c
250.905 209.717 255.147 199.59 256.097 190.898 c
256.719 199.613 257.133 200.089 260.297 208.338 c
258.865 210.56 255.328 214.287 257.497 217.729 c
257.669 213.832 259.078 213.482 260.297 209.68 c
262.889 209.209 261.504 212.548 263.097 213.033 c
263.383 210.187 263.715 209.127 265.197 209.68 c
263.206 199.305 261.265 181.377 265.197 172.787 c
266.76 176.318 266.171 177.745 267.998 180.837 c
266.729 178.421 268.122 178.859 268.698 176.813 c
265.636 174.191 265.892 170.24 267.998 166.751 c
268.107 167.54 267.877 168.654 268.698 168.763 c
270.389 157.391 272.857 157.003 279.898 151.993 c
278.914 151.818 279.1 150.522 278.498 149.981 c
279.969 149.369 282.085 150.052 284.098 148.64 c
285.188 144.035 288.442 140.015 286.898 133.883 c
276.445 140.635 264.717 146.168 253.997 152.664 c
251.995 149.833 248.687 150.53 245.597 149.981 c
241.277 150.994 241.628 160.029 240.696 162.055 c
239.949 155.726 240.101 154.104 239.996 149.311 c
231.902 147.229 230.365 138.863 223.195 135.896 c
223.365 127.683 216.919 125.811 213.395 121.139 c
210.24 121.288 192.942 118.949 199.394 116.442 c
188.263 114.573 179.777 116.142 172.793 109.064 c
167.309 110.369 157.742 108.581 153.192 105.04 c
139.85 105.526 133.707 99.115 120.99 99.003 c
120.881 98.214 121.11 97.099 120.29 96.99 c
114.086 95.906 100.435 99.065 99.289 93.637 c
94.389 93.637 l
89.955 85.141 88.843 73.461 77.588 71.501 c
77.814 66.813 75.19 64.854 71.988 63.452 c
71.988 480.0 l
576.013 480.0 l
h
1.0 sc
eofill
n
342.901 235.84 m
341.979 234.264 340.95 232.791 341.501 229.803 c
341.568 229.305 344.233 229.305 344.302 229.803 c
345.819 229.916 344.618 227.424 345.001 226.449 c
344.008 226.507 343.019 226.56 342.901 225.778 c
342.873 224.781 347.06 224.808 343.602 224.437 c
346.073 220.098 349.92 217.076 352.702 213.033 c
348.997 213.229 347.513 211.298 343.602 211.692 c
344.768 213.025 343.538 212.545 343.602 214.375 c
340.802 213.493 332.971 217.131 331.001 215.046 c
331.371 215.585 331.73 216.135 331.701 217.059 c
334.604 217.24 334.429 216.178 336.601 217.059 c
337.299 219.963 335.819 220.78 335.201 222.425 c
339.512 222.925 331.932 230.026 331.001 233.827 c
328.866 233.86 327.437 233.218 326.801 231.815 c
331.089 229.888 332.215 224.93 334.501 221.083 c
333.542 220.153 330.279 220.442 330.301 222.425 c
329.084 220.907 325.35 221.802 324.7 219.741 c
322.566 222.616 318.209 223.359 319.1 229.132 c
321.143 228.964 321.516 230.396 322.6 231.145 c
319.959 233.483 317.352 235.7 318.4 239.864 c
316.006 236.907 318.358 241.653 317.0 243.889 c
317.567 243.762 317.698 243.216 318.4 243.219 c
317.262 245.379 318.066 246.853 318.4 249.255 c
317.719 249.236 317.857 248.435 317.7 247.914 c
316.914 254.621 321.13 260.632 322.6 269.378 c
327.501 269.378 l
329.249 254.955 333.62 243.046 342.901 235.84 c
eofill
n
347.102 380.726 m
344.37 368.122 324.934 355.586 308.6 363.957 c
323.285 358.619 342.493 366.581 347.102 380.726 c
eofill
n
356.202 361.944 m
356.512 362.919 356.816 361.876 357.602 361.944 c
358.583 362.182 357.662 363.125 356.902 363.286 c
364.802 365.927 367.71 354.423 371.603 353.225 c
370.078 351.941 361.791 360.525 356.202 361.944 c
eofill
n
373.703 359.261 m
380.271 359.289 383.562 350.378 386.304 344.504 c
382.952 347.559 377.983 354.863 373.703 359.261 c
eofill
n
384.203 341.151 m
375.564 343.608 363.754 348.833 354.802 353.225 c
355.885 354.838 359.67 352.818 357.602 355.908 c
362.604 356.229 364.142 353.23 368.803 353.225 c
368.272 351.497 366.568 350.894 363.902 351.212 c
370.329 346.707 378.763 347.249 384.203 341.151 c
eofill
n
374.403 348.529 m
376.373 349.005 380.734 349.4 382.804 347.188 c
381.842 345.873 378.514 346.826 377.203 345.846 c
376.57 347.029 375.637 347.923 374.403 348.529 c
eofill
n
260.997 355.237 m
260.31 354.33 259.129 353.896 258.197 353.225 c
258.216 352.572 259.054 352.704 259.597 352.554 c
261.628 353.248 257.699 351.692 257.497 351.883 c
256.148 352.788 258.894 355.418 260.997 355.237 c
eofill
n
389.804 348.529 m
396.251 343.751 398.708 335.149 401.704 327.064 c
397.984 334.951 394.293 340.481 389.804 348.529 c
eofill
n
387.703 337.797 m
386.21 338.901 391.721 334.498 393.304 337.797 c
394.12 336.791 395.325 336.157 395.404 334.443 c
394.59 334.552 394.158 334.295 394.004 333.772 c
396.705 332.1 399.797 327.266 401.004 326.394 c
399.437 325.275 391.603 334.546 387.703 337.797 c
eofill
n
396.804 304.258 m
370.621 337.958 292.652 339.057 256.797 313.649 c
253.665 311.43 249.687 307.003 246.997 307.612 c
272.046 333.811 337.156 340.858 375.803 323.04 c
379.809 321.193 383.931 317.518 387.703 314.991 c
391.957 312.142 398.016 309.765 396.804 304.258 c
eofill
n
251.897 298.221 m
251.216 298.24 251.354 299.042 251.197 299.563 c
250.516 299.544 250.653 298.742 250.497 298.221 c
249.397 299.756 252.251 303.222 254.697 303.587 c
253.02 299.924 252.015 302.573 251.897 298.221 c
eofill
n
335.901 294.197 m
346.105 307.075 379.886 300.126 382.104 286.818 c
372.812 294.284 354.41 298.166 335.901 294.197 c
0.0 sc
eofill
n
301.599 288.16 m
301.809 289.471 309.015 286.491 309.3 283.464 c
306.922 285.211 304.835 287.235 301.599 288.16 c
1.0 sc
eofill
n
312.8 282.123 m
311.96 286.438 323.645 285.683 326.801 283.464 c
324.377 282.989 315.108 285.945 312.8 282.123 c
eofill
n
311.4 281.452 m
313.662 279.421 312.958 273.594 311.4 271.391 c
310.998 273.175 311.106 277.181 311.4 281.452 c
eofill
n
306.5 252.609 m
306.632 253.37 307.202 252.981 307.2 252.609 c
308.208 252.761 307.443 254.611 308.6 254.621 c
305.037 254.656 308.989 257.6 308.6 259.987 c
310.588 257.381 308.51 252.941 307.899 250.597 c
306.891 250.749 307.655 252.599 306.5 252.609 c
eofill
n
301.599 257.976 m
300.955 253.22 294.173 248.55 289.699 245.23 c
291.614 248.768 299.028 252.832 301.599 257.976 c
eofill
n
295.999 225.107 m
294.028 224.43 296.192 222.259 295.999 221.083 c
292.96 223.265 295.535 228.251 297.399 229.803 c
295.592 238.216 302.201 243.472 307.2 245.901 c
307.21 240.92 309.641 239.792 310.0 234.498 c
304.666 240.863 295.785 231.439 303.0 227.791 c
302.618 223.684 301.256 220.518 300.899 216.388 c
298.21 218.106 296.472 219.969 295.999 225.107 c
eofill
n
230.196 235.84 m
231.038 235.945 231.852 230.294 232.996 228.461 c
230.372 229.301 230.663 232.934 230.196 235.84 c
0.0 sc
eofill
n
391.903 144.615 m
393.784 139.751 393.903 127.276 388.403 121.139 c
380.407 129.962 392.907 136.637 391.903 144.615 c
1.0 sc
eofill
n
382.104 138.578 m
378.804 131.006 365.544 127.169 354.102 125.163 c
363.15 129.907 375.081 131.892 382.104 138.578 c
eofill
n
348.502 88.271 m
346.583 87.678 349.868 85.295 347.102 86.929 c
346.735 79.582 353.492 75.701 352.702 70.16 c
348.807 79.973 342.099 86.468 331.701 90.283 c
330.764 88.077 331.902 89.168 329.601 88.271 c
330.914 93.947 334.361 103.381 335.901 111.076 c
333.572 113.316 330.774 115.108 327.501 116.442 c
325.433 115.859 329.125 115.438 328.2 113.76 c
321.9 113.76 l
321.146 115.474 324.914 116.107 322.6 117.113 c
327.116 118.04 332.525 120.177 337.301 119.797 c
340.976 119.504 344.115 116.428 347.802 116.442 c
351.11 116.456 353.471 118.58 356.202 119.126 c
364.62 120.807 372.736 121.118 380.703 125.834 c
383.324 100.964 362.053 98.986 349.201 88.941 c
349.984 87.547 349.956 87.52 348.502 88.271 c
eofill
n
354.102 69.489 m
357.465 63.991 360.545 58.223 363.902 52.72 c
365.701 52.784 364.903 55.338 366.702 55.402 c
366.496 56.998 364.809 54.657 364.603 54.062 c
363.447 54.155 365.335 56.859 364.603 58.757 c
366.326 58.617 369.969 56.951 370.203 60.098 c
369.607 60.222 369.542 59.837 369.503 59.428 c
372.338 60.687 363.245 49.29 359.002 46.683 c
359.512 44.853 357.611 45.332 357.602 44.0 c
356.621 44.236 357.542 45.181 358.302 45.341 c
357.673 46.527 356.612 47.3 356.202 48.695 c
360.926 58.399 354.707 62.384 354.102 69.489 c
eofill
n
513.71 33.938 m
513.585 27.31 516.797 25.973 517.21 21.193 c
520.433 25.449 524.141 16.739 528.41 19.852 c
528.859 22.295 525.076 20.682 524.91 22.535 c
532.165 29.572 519.671 43.435 513.71 33.938 c
499.009 35.95 m
498.933 28.274 501.324 22.965 510.21 23.877 c
517.523 31.475 505.278 45.055 499.009 35.95 c
483.608 43.329 m
473.862 36.4 489.757 11.258 498.309 27.23 c
495.953 26.805 496.118 23.964 492.709 24.547 c
484.476 24.824 479.798 42.453 489.209 42.658 c
494.111 42.765 494.484 35.844 497.609 35.279 c
496.105 36.745 497.28 40.778 495.509 41.987 c
492.297 42.364 487.997 46.449 483.608 43.329 c
461.207 24.547 m
460.608 33.383 459.174 43.407 458.407 50.036 c
487.951 46.82 517.488 43.596 545.911 39.305 c
547.661 30.473 549.29 21.523 550.812 12.474 c
550.441 11.44 550.081 12.431 550.111 13.145 c
550.369 14.285 549.565 14.41 548.712 14.485 c
520.27 18.535 489.498 20.354 461.207 24.547 c
eofill
n
513.71 -12.345 m
514.29 -14.766 522.841 -25.274 526.311 -16.369 c
526.042 -17.059 525.966 -15.34 526.311 -14.357 c
525.778 -15.878 530.232 -11.084 526.311 -9.662 c
528.308 -0.039 507.711 0.298 513.01 -10.333 c
512.75 -11.035 513.188 -10.168 513.71 -12.345 c
508.109 -14.357 m
508.067 -14.385 505.99 -12.608 508.109 -15.699 c
506.466 -15.913 505.481 -16.759 503.209 -16.369 c
501.104 -13.021 499.115 -9.56 499.709 -3.625 c
503.16 0.303 509.199 -5.246 508.109 -7.649 c
511.438 -7.439 507.689 -4.61 508.81 -2.283 c
495.225 4.92 494.452 -11.113 498.309 -11.004 c
495.951 -17.397 505.944 -20.3 510.909 -16.369 c
510.954 -14.092 510.089 -12.685 508.81 -11.674 c
510.044 -10.411 510.978 -12.592 511.609 -10.333 c
510.106 -9.09 506.481 -9.88 503.909 -9.662 c
505.396 -13.008 509.979 -13.119 508.109 -14.357 c
465.407 -3.625 m
466.97 -3.917 467.903 -4.811 468.207 -6.308 c
465.706 -4.497 467.644 -10.472 468.907 -12.345 c
466.355 -10.606 468.975 -13.419 468.207 -15.699 c
467.092 -15.825 464.534 -17.888 466.107 -18.382 c
470.16 -19.059 482.469 -22.261 483.608 -14.357 c
482.847 -17.136 491.803 -17.475 494.809 -16.369 c
493.89 -15.987 497.907 -12.704 494.809 -11.674 c
494.77 -14.549 489.864 -15.989 488.509 -13.687 c
488.235 -10.549 488.082 -11.458 487.809 -8.32 c
491.104 -7.623 491.329 -9.866 492.709 -11.004 c
492.587 -7.262 492.76 -3.865 490.608 -4.296 c
492.839 -5.624 489.197 -6.904 487.108 -6.308 c
487.525 -4.918 486.243 -1.901 487.809 -1.612 c
490.67 -3.498 488.209 -2.143 490.608 -1.612 c
492.255 -1.824 491.024 -4.792 493.409 -4.296 c
493.971 -1.969 492.366 -1.718 492.709 0.399 c
488.191 -0.451 481.102 3.483 480.108 -0.271 c
483.077 -0.355 483.722 -3.065 485.009 -2.954 c
483.574 -3.797 484.608 -5.908 483.608 -8.32 c
484.432 -8.426 485.596 -8.205 485.708 -8.991 c
482.286 -9.183 485.566 -11.446 486.408 -11.674 c
483.868 -11.028 485.82 -14.688 483.608 -14.357 c
483.46 -13.547 482.831 -13.945 482.208 -14.357 c
482.296 -12.679 483.544 -12.258 481.508 -11.674 c
481.235 -12.402 480.668 -13.285 481.508 -12.345 c
481.661 -14.077 478.034 -17.945 473.107 -17.04 c
470.458 -10.191 471.482 -1.868 469.607 4.424 c
470.708 4.488 472.035 4.334 471.708 5.766 c
471.514 6.73 460.44 8.643 461.907 5.766 c
462.18 6.795 462.747 5.864 461.907 5.095 c
466.096 5.308 466.209 1.615 467.508 -0.942 c
466.482 -0.953 465.289 1.887 465.407 -0.942 c
468.336 -0.688 466.172 -3.38 465.407 -3.625 c
544.512 2.412 m
546.644 -7.842 548.047 -18.796 550.111 -29.114 c
549.172 -28.673 548.808 -27.681 548.712 -26.432 c
507.654 -24.143 481.067 -21.219 447.206 -19.053 c
446.709 -9.633 444.775 2.329 444.406 11.803 c
472.271 8.489 512.655 5.229 544.512 2.412 c
eofill
n
465.407 -0.942 m
465.289 1.887 466.482 -0.953 467.508 -0.942 c
466.209 1.615 466.096 5.308 461.907 5.095 c
462.747 5.864 462.18 6.795 461.907 5.766 c
460.44 8.643 471.514 6.73 471.708 5.766 c
472.035 4.334 470.708 4.488 469.607 4.424 c
471.482 -1.868 470.458 -10.191 473.107 -17.04 c
478.034 -17.945 481.661 -14.077 481.508 -12.345 c
480.668 -13.285 481.235 -12.402 481.508 -11.674 c
483.544 -12.258 482.296 -12.679 482.208 -14.357 c
482.831 -13.945 483.46 -13.547 483.608 -14.357 c
485.82 -14.688 483.868 -11.028 486.408 -11.674 c
485.566 -11.446 482.286 -9.183 485.708 -8.991 c
485.596 -8.205 484.432 -8.426 483.608 -8.32 c
484.608 -5.908 483.574 -3.797 485.009 -2.954 c
483.722 -3.065 483.077 -0.355 480.108 -0.271 c
481.102 3.483 488.191 -0.451 492.709 0.399 c
492.366 -1.718 493.971 -1.969 493.409 -4.296 c
491.024 -4.792 492.255 -1.824 490.608 -1.612 c
488.209 -2.143 490.67 -3.498 487.809 -1.612 c
486.243 -1.901 487.525 -4.918 487.108 -6.308 c
489.197 -6.904 492.839 -5.624 490.608 -4.296 c
492.76 -3.865 492.587 -7.262 492.709 -11.004 c
491.329 -9.866 491.104 -7.623 487.809 -8.32 c
488.082 -11.458 488.235 -10.549 488.509 -13.687 c
489.864 -15.989 494.77 -14.549 494.809 -11.674 c
497.907 -12.704 493.89 -15.987 494.809 -16.369 c
491.803 -17.475 482.847 -17.136 483.608 -14.357 c
482.469 -22.261 470.16 -19.059 466.107 -18.382 c
464.534 -17.888 467.092 -15.825 468.207 -15.699 c
468.975 -13.419 466.355 -10.606 468.907 -12.345 c
467.644 -10.472 465.706 -4.497 468.207 -6.308 c
467.903 -4.811 466.97 -3.917 465.407 -3.625 c
466.172 -3.38 468.336 -0.688 465.407 -0.942 c
0.0 sc
eofill
n
503.909 -9.662 m
506.481 -9.88 510.106 -9.09 511.609 -10.333 c
510.978 -12.592 510.044 -10.411 508.81 -11.674 c
510.089 -12.685 510.954 -14.092 510.909 -16.369 c
505.944 -20.3 495.951 -17.397 498.309 -11.004 c
494.452 -11.113 495.225 4.92 508.81 -2.283 c
507.689 -4.61 511.438 -7.439 508.109 -7.649 c
509.199 -5.246 503.16 0.303 499.709 -3.625 c
499.115 -9.56 501.104 -13.021 503.209 -16.369 c
505.481 -16.759 506.466 -15.913 508.109 -15.699 c
505.99 -12.608 508.067 -14.385 508.109 -14.357 c
509.979 -13.119 505.396 -13.008 503.909 -9.662 c
eofill
n
520.01 -2.954 m
522.51 -5.376 523.174 -9.944 527.011 -11.004 c
524.954 -13.318 524.831 -13.35 524.21 -17.04 c
522.562 -17.025 522.149 -18.195 520.01 -17.711 c
519.215 -16.237 517.669 -15.482 517.21 -13.687 c
517.199 -15.384 515.373 -15.244 515.109 -12.345 c
518.12 -13.974 514.128 -5.783 516.51 -3.625 c
517.527 -3.258 520.128 -4.409 520.01 -2.954 c
1.0 sc
eofill
n
516.51 -3.625 m
514.128 -5.783 518.12 -13.974 515.109 -12.345 c
515.373 -15.244 517.199 -15.384 517.21 -13.687 c
517.669 -15.482 519.215 -16.237 520.01 -17.711 c
522.149 -18.195 522.562 -17.025 524.21 -17.04 c
524.831 -13.35 524.954 -13.318 527.011 -11.004 c
523.174 -9.944 522.51 -5.376 520.01 -2.954 c
520.128 -4.409 517.527 -3.258 516.51 -3.625 c
513.01 -10.333 m
507.711 0.298 528.308 -0.039 526.311 -9.662 c
530.232 -11.084 525.778 -15.878 526.311 -14.357 c
525.966 -15.34 526.042 -17.059 526.311 -16.369 c
522.841 -25.274 514.29 -14.766 513.71 -12.345 c
513.188 -10.168 512.75 -11.035 513.01 -10.333 c
0.0 sc
eofill
n
533.311 -57.957 m
531.124 -56.543 533.923 -54.238 531.211 -53.933 c
529.556 -54.807 529.861 -57.559 529.11 -59.299 c
533.097 -58.833 534.925 -60.436 538.911 -59.97 c
539.607 -57.969 539.688 -55.864 538.911 -55.274 c
538.501 -57.564 536.621 -58.446 533.311 -57.957 c
531.211 -49.237 m
530.808 -48.059 532.057 -45.297 530.511 -45.213 c
530.513 -45.585 529.943 -45.975 529.811 -45.213 c
530.942 -44.062 532.738 -43.547 535.411 -43.871 c
535.303 -44.768 536.511 -47.569 536.811 -45.884 c
535.43 -45.418 536.983 -42.141 535.411 -41.859 c
533.875 -43.528 526.524 -40.004 524.91 -42.529 c
526.494 -43.248 527.988 -44.052 529.11 -45.213 c
527.148 -45.871 530.127 -47.002 528.41 -47.896 c
532.328 -47.169 527.048 -52.794 531.211 -52.591 c
530.783 -52.629 530.382 -52.691 530.511 -53.262 c
531.926 -51.304 535.653 -50.172 536.811 -53.262 c
536.054 -50.916 535.984 -47.044 535.411 -47.896 c
535.333 -49.609 533.066 -49.228 531.211 -49.237 c
517.21 -58.628 m
521.196 -58.162 523.024 -59.765 527.011 -59.299 c
527.667 -58.732 528.506 -55.022 527.011 -54.604 c
526.601 -56.894 524.721 -57.775 521.41 -57.286 c
520.051 -51.876 518.526 -47.809 520.01 -41.188 c
517.195 -41.649 516.014 -40.545 513.71 -40.518 c
513.025 -43.823 516.34 -42.256 516.51 -43.2 c
515.503 -48.569 520.995 -55.437 517.21 -58.628 c
506.01 -48.566 m
504.687 -49.932 506.695 -55.79 505.31 -57.957 c
509.357 -57.433 511.294 -58.931 515.109 -58.628 c
515.107 -57.43 516.995 -54.726 515.109 -53.933 c
514.501 -55.586 513.479 -56.841 510.909 -56.616 c
507.021 -52.478 506.979 -45.906 508.109 -40.518 c
504.169 -40.451 505.05 -39.912 501.109 -39.847 c
503.802 -42.594 504.768 -45.967 506.01 -48.566 c
491.309 -57.286 m
495.507 -56.842 498.141 -57.895 501.81 -57.957 c
502.548 -57.26 503.255 -53.168 501.81 -52.591 c
499.905 -59.398 492.142 -53.92 495.509 -48.566 c
497.876 -48.534 498.546 -50.128 499.709 -51.25 c
498.921 -49.322 499.567 -46.02 498.309 -44.542 c
497.873 -47.376 496.754 -47.006 494.108 -46.555 c
494.625 -43.649 492.525 -42.399 494.809 -41.188 c
497.295 -40.841 498.587 -42.632 500.409 -44.542 c
500.186 -42.967 499.303 -42.024 499.709 -39.847 c
497.789 -39.646 490.268 -38.615 487.809 -39.176 c
489.694 -41.15 490.73 -43.675 492.709 -43.871 c
489.426 -46.578 494.073 -52.155 491.309 -57.286 c
478.008 -52.591 m
475.885 -52.569 476.264 -54.944 475.908 -56.616 c
487.108 -56.616 l
490.347 -52.326 487.916 -49.979 485.708 -45.884 c
488.177 -38.196 479.556 -37.093 472.408 -37.834 c
478.483 -43.708 475.183 -46.119 478.008 -52.591 c
459.107 -54.604 m
460.484 -55.52 463.105 -55.244 464.707 -55.945 c
464.99 -52.991 461.353 -53.794 462.607 -49.908 c
465.679 -48.632 467.864 -49.391 469.607 -51.92 c
468.448 -52.599 468.848 -54.77 468.207 -55.945 c
470.912 -55.813 473.366 -55.921 475.208 -56.616 c
470.361 -50.975 469.731 -41.293 464.008 -36.493 c
462.82 -42.957 462.148 -49.915 459.107 -54.604 c
447.906 -37.834 m
446.483 -45.169 454.046 -46.284 456.307 -51.92 c
454.958 -52.193 455.754 -54.521 453.507 -53.933 c
451.392 -52.158 449.906 -49.78 448.606 -47.225 c
447.19 -48.917 450.123 -50.738 449.307 -53.933 c
451.639 -54.157 452.412 -55.876 455.606 -55.274 c
461.496 -48.421 453.136 -43.367 449.307 -38.505 c
454.052 -35.555 454.473 -41.866 457.007 -43.2 c
456.104 -40.257 455.987 -39.606 455.606 -37.163 c
452.823 -35.775 449.713 -35.324 447.906 -37.834 c
437.406 -57.286 m
440.371 -59.115 442.306 -57.745 447.206 -58.628 c
446.944 -55.432 444.229 -56.3 443.006 -53.262 c
441.3 -49.024 443.648 -39.649 440.906 -34.48 c
441.452 -34.332 441.72 -33.919 441.606 -33.139 c
442.706 -33.075 444.033 -33.229 443.706 -31.797 c
441.124 -30.694 437.121 -30.952 433.906 -30.456 c
436.934 -34.807 439.159 -35.103 438.806 -40.518 c
438.804 -40.145 439.373 -39.756 439.506 -40.518 c
439.196 -41.807 437.896 -46.914 440.206 -47.225 c
438.474 -50.775 442.523 -53.217 437.406 -57.286 c
431.105 -26.432 m
468.391 -29.707 499.032 -31.887 538.911 -34.48 c
540.656 -45.776 543.232 -56.276 544.512 -68.019 c
543.348 -66.897 542.679 -65.303 540.312 -65.336 c
504.295 -63.707 467.277 -61.479 433.906 -59.299 c
432.988 -45.673 431.704 -38.723 431.105 -26.432 c
1.0 sc
eofill
n
428.306 -32.468 m
429.522 -34.865 431.135 -40.424 429.006 -41.859 c
429.978 -40.22 426.215 -35.179 428.306 -32.468 c
eofill
n
535.411 -47.896 m
535.984 -47.044 536.054 -50.916 536.811 -53.262 c
535.653 -50.172 531.926 -51.304 530.511 -53.262 c
530.382 -52.691 530.783 -52.629 531.211 -52.591 c
527.048 -52.794 532.328 -47.169 528.41 -47.896 c
530.127 -47.002 527.148 -45.871 529.11 -45.213 c
527.988 -44.052 526.494 -43.248 524.91 -42.529 c
526.524 -40.004 533.875 -43.528 535.411 -41.859 c
536.983 -42.141 535.43 -45.418 536.811 -45.884 c
536.511 -47.569 535.303 -44.768 535.411 -43.871 c
532.738 -43.547 530.942 -44.062 529.811 -45.213 c
529.943 -45.975 530.513 -45.585 530.511 -45.213 c
532.057 -45.297 530.808 -48.059 531.211 -49.237 c
533.066 -49.228 535.333 -49.609 535.411 -47.896 c
0.0 sc
eofill
n
464.707 -41.859 m
465.668 -42.06 464.521 -46.487 467.508 -46.555 c
467.42 -48.036 464.538 -46.839 463.308 -47.225 c
463.479 -45.154 464.017 -43.434 464.707 -41.859 c
1.0 sc
eofill
n
431.105 -53.933 m
429.917 -54.368 430.668 -55.475 431.806 -55.274 c
430.186 -58.35 427.934 -50.69 431.105 -51.25 c
431.234 -51.82 430.833 -51.883 430.405 -51.92 c
430.425 -52.572 431.263 -52.441 431.806 -52.591 c
431.375 -53.188 430.96 -53.791 431.806 -53.933 c
431.673 -54.694 431.104 -54.305 431.105 -53.933 c
eofill
n
538.911 -55.274 m
539.688 -55.864 539.607 -57.969 538.911 -59.97 c
534.925 -60.436 533.097 -58.833 529.11 -59.299 c
529.861 -57.559 529.556 -54.807 531.211 -53.933 c
533.923 -54.238 531.124 -56.543 533.311 -57.957 c
536.621 -58.446 538.501 -57.564 538.911 -55.274 c
0.0 sc
eofill
n
468.907 -82.105 m
467.16 -82.569 470.207 -83.895 469.607 -85.459 c
468.232 -83.845 466.108 -83.914 465.407 -86.13 c
463.758 -85.563 465.989 -83.188 466.107 -82.105 c
471.093 -79.012 478.185 -89.206 468.907 -82.105 c
eofill
n
509.51 -82.105 m
511.788 -80.185 515.938 -82.177 515.81 -84.788 c
514.552 -83.087 513.049 -81.62 509.51 -82.105 c
eofill
n
487.108 -84.117 m
485.948 -82.813 488.402 -81.903 490.608 -82.775 c
490.52 -83.979 491.466 -84.19 491.309 -85.459 c
489.495 -83.424 488.706 -84.772 486.408 -85.459 c
486.799 -84.863 488.515 -82.522 487.108 -84.117 c
eofill
n
469.607 -106.924 m
471.535 -106.088 473.003 -104.811 473.107 -102.229 c
471.944 -100.884 471.229 -99.11 468.907 -98.874 c
468.448 -100.67 466.902 -101.425 466.107 -102.898 c
466.982 -104.52 469.638 -104.436 469.607 -106.924 c
509.51 -101.558 m
512.524 -102.434 511.724 -99.654 513.01 -98.874 c
513.226 -100.456 515.44 -100.122 515.109 -102.229 c
514.409 -103.121 513.956 -104.253 513.01 -104.911 c
513.195 -103.538 510.294 -101.806 510.21 -102.898 c
512.107 -103.316 511.952 -105.701 514.41 -105.582 c
514.071 -103.469 516.559 -104.063 515.81 -101.558 c
514.94 -100.154 513.773 -99.036 512.31 -98.203 c
511.836 -99.762 509.983 -99.999 509.51 -101.558 c
491.309 -98.203 m
488.066 -98.293 488.341 -104.381 491.309 -106.253 c
497.375 -105.275 494.477 -98.116 491.309 -98.203 c
513.01 -90.154 m
510.521 -91.197 512.587 -87.876 510.909 -88.142 c
510.962 -89.311 510.753 -90.228 510.21 -90.825 c
513.488 -90.907 509.447 -91.802 510.21 -93.508 c
511.414 -93.243 512.004 -94.504 512.31 -93.508 c
511.883 -93.47 511.48 -93.408 511.609 -92.837 c
512.048 -90.549 516.63 -88.738 515.109 -86.801 c
514.579 -89.529 511.547 -88.388 513.01 -90.154 c
489.209 -92.167 m
492.325 -92.224 495.318 -88.66 494.108 -86.801 c
493.245 -89.326 491.068 -90.595 489.209 -92.167 c
470.308 -90.154 m
470.268 -90.563 470.203 -90.948 469.607 -90.825 c
468.905 -90.827 468.774 -90.281 468.207 -90.154 c
468.003 -90.566 466.466 -92.736 468.207 -92.837 c
468.221 -90.572 472.396 -91.906 473.808 -86.801 c
471.348 -89.656 469.983 -87.971 468.207 -89.483 c
469.031 -89.589 470.194 -89.368 470.308 -90.154 c
508.81 -85.459 m
509.056 -81.867 510.906 -84.757 512.31 -85.459 c
512.467 -84.19 511.521 -83.979 511.609 -82.775 c
508.109 -82.775 l
508.229 -83.779 507.859 -85.251 508.81 -85.459 c
515.81 -84.788 m
515.938 -82.177 511.788 -80.185 509.51 -82.105 c
513.049 -81.62 514.552 -83.087 515.81 -84.788 c
466.107 -82.105 m
465.989 -83.188 463.758 -85.563 465.407 -86.13 c
466.108 -83.914 468.232 -83.845 469.607 -85.459 c
470.207 -83.895 467.16 -82.569 468.907 -82.105 c
478.185 -89.206 471.093 -79.012 466.107 -82.105 c
486.408 -85.459 m
488.706 -84.772 489.495 -83.424 491.309 -85.459 c
491.466 -84.19 490.52 -83.979 490.608 -82.775 c
488.402 -81.903 485.948 -82.813 487.108 -84.117 c
488.515 -82.522 486.799 -84.863 486.408 -85.459 c
541.011 -75.397 m
543.693 -86.02 544.442 -98.493 545.911 -110.277 c
511.072 -109.362 462.218 -111.651 433.906 -112.29 c
432.56 -100.835 432.544 -88.105 431.105 -76.739 c
466.034 -76.428 504.953 -77.282 540.312 -75.397 c
h
1.0 sc
eofill
n
468.207 -89.483 m
469.983 -87.971 471.348 -89.656 473.808 -86.801 c
472.396 -91.906 468.221 -90.572 468.207 -92.837 c
466.466 -92.736 468.003 -90.566 468.207 -90.154 c
468.774 -90.281 468.905 -90.827 469.607 -90.825 c
470.203 -90.948 470.268 -90.563 470.308 -90.154 c
470.194 -89.368 469.031 -89.589 468.207 -89.483 c
0.0 sc
eofill
n
515.109 -86.801 m
516.63 -88.738 512.048 -90.549 511.609 -92.837 c
511.48 -93.408 511.883 -93.47 512.31 -93.508 c
512.004 -94.504 511.414 -93.243 510.21 -93.508 c
509.447 -91.802 513.488 -90.907 510.21 -90.825 c
510.753 -90.228 510.962 -89.311 510.909 -88.142 c
512.587 -87.876 510.521 -91.197 513.01 -90.154 c
511.547 -88.388 514.579 -89.529 515.109 -86.801 c
eofill
n
193.094 -98.203 m
192.393 -96.416 190.269 -95.992 188.894 -94.85 c
190.815 -92.836 192.126 -97.08 194.494 -96.862 c
190.452 -100.591 188.182 -106.018 179.093 -104.911 c
180.065 -102.266 185.312 -103.715 183.993 -98.874 c
184.688 -97.609 185.436 -101.911 185.394 -103.569 c
187.533 -101.372 189.207 -98.727 193.094 -98.203 c
1.0 sc
eofill
n
494.108 -103.569 m
494.412 -101.043 492.63 -100.515 491.309 -99.545 c
492.058 -102.051 489.57 -101.457 489.908 -103.569 c
491.783 -104.658 492.57 -105.11 494.108 -103.569 c
491.309 -106.253 m
488.341 -104.381 488.066 -98.293 491.309 -98.203 c
494.477 -98.116 497.375 -105.275 491.309 -106.253 c
0.0 sc
eofill
n
512.31 -98.203 m
513.773 -99.036 514.94 -100.154 515.81 -101.558 c
516.559 -104.063 514.071 -103.469 514.41 -105.582 c
511.952 -105.701 512.107 -103.316 510.21 -102.898 c
510.294 -101.806 513.195 -103.538 513.01 -104.911 c
513.956 -104.253 514.409 -103.121 515.109 -102.229 c
515.44 -100.122 513.226 -100.456 513.01 -98.874 c
511.724 -99.654 512.524 -102.434 509.51 -101.558 c
509.983 -99.999 511.836 -99.762 512.31 -98.203 c
eofill
n
469.607 -99.545 m
470.349 -102.044 468.134 -101.71 467.508 -102.898 c
469.481 -103.02 468.381 -106.087 471.008 -105.582 c
470.971 -104.428 471.546 -103.862 472.408 -103.569 c
472.242 -101.493 470.46 -100.965 469.607 -99.545 c
466.107 -102.898 m
466.902 -101.425 468.448 -100.67 468.907 -98.874 c
471.229 -99.11 471.944 -100.884 473.107 -102.229 c
473.003 -104.811 471.535 -106.088 469.607 -106.924 c
469.638 -104.436 466.982 -104.52 466.107 -102.898 c
eofill
n
495.509 41.987 m
497.28 40.778 496.105 36.745 497.609 35.279 c
494.484 35.844 494.111 42.765 489.209 42.658 c
479.798 42.453 484.476 24.824 492.709 24.547 c
496.118 23.964 495.953 26.805 498.309 27.23 c
489.757 11.258 473.862 36.4 483.608 43.329 c
487.997 46.449 492.297 42.364 495.509 41.987 c
eofill
n
440.206 -47.225 m
437.896 -46.914 439.196 -41.807 439.506 -40.518 c
439.373 -39.756 438.804 -40.145 438.806 -40.518 c
439.159 -35.103 436.934 -34.807 433.906 -30.456 c
437.121 -30.952 441.124 -30.694 443.706 -31.797 c
444.033 -33.229 442.706 -33.075 441.606 -33.139 c
441.72 -33.919 441.452 -34.332 440.906 -34.48 c
443.648 -39.649 441.3 -49.024 443.006 -53.262 c
444.229 -56.3 446.944 -55.432 447.206 -58.628 c
442.306 -57.745 440.371 -59.115 437.406 -57.286 c
442.523 -53.217 438.474 -50.775 440.206 -47.225 c
eofill
n
516.51 -43.2 m
516.34 -42.256 513.025 -43.823 513.71 -40.518 c
516.014 -40.545 517.195 -41.649 520.01 -41.188 c
518.526 -47.809 520.051 -51.876 521.41 -57.286 c
524.721 -57.775 526.601 -56.894 527.011 -54.604 c
528.506 -55.022 527.667 -58.732 527.011 -59.299 c
523.024 -59.765 521.196 -58.162 517.21 -58.628 c
520.995 -55.437 515.503 -48.569 516.51 -43.2 c
eofill
n
484.309 -55.274 m
485.772 -52.598 485.405 -51.125 484.309 -48.566 c
482.665 -48.353 481.681 -47.507 479.408 -47.896 c
479.966 -50.419 479.157 -55.492 484.309 -55.274 c
478.708 -45.213 m
480.301 -45.538 482.284 -46.543 483.608 -45.213 c
483.77 -42.599 482.104 -41.735 481.508 -39.847 c
478.708 -39.847 l
477.185 -41.067 480.231 -43.992 478.708 -45.213 c
472.408 -37.834 m
479.556 -37.093 488.177 -38.196 485.708 -45.884 c
487.916 -49.979 490.347 -52.326 487.108 -56.616 c
475.908 -56.616 l
476.264 -54.944 475.885 -52.569 478.008 -52.591 c
475.183 -46.119 478.483 -43.708 472.408 -37.834 c
eofill
n
492.709 -43.871 m
490.73 -43.675 489.694 -41.15 487.809 -39.176 c
490.268 -38.615 497.789 -39.646 499.709 -39.847 c
499.303 -42.024 500.186 -42.967 500.409 -44.542 c
498.587 -42.632 497.295 -40.841 494.809 -41.188 c
492.525 -42.399 494.625 -43.649 494.108 -46.555 c
496.754 -47.006 497.873 -47.376 498.309 -44.542 c
499.567 -46.02 498.921 -49.322 499.709 -51.25 c
498.546 -50.128 497.876 -48.534 495.509 -48.566 c
492.142 -53.92 499.905 -59.398 501.81 -52.591 c
503.255 -53.168 502.548 -57.26 501.81 -57.957 c
498.141 -57.895 495.507 -56.842 491.309 -57.286 c
494.073 -52.155 489.426 -46.578 492.709 -43.871 c
eofill
n
501.109 -39.847 m
505.05 -39.912 504.169 -40.451 508.109 -40.518 c
506.979 -45.906 507.021 -52.478 510.909 -56.616 c
513.479 -56.841 514.501 -55.586 515.109 -53.933 c
516.995 -54.726 515.107 -57.43 515.109 -58.628 c
511.294 -58.931 509.357 -57.433 505.31 -57.957 c
506.695 -55.79 504.687 -49.932 506.01 -48.566 c
504.768 -45.967 503.802 -42.594 501.109 -39.847 c
eofill
Q
Q
Q
[/EMC PDFMark5
PDFVars/TermAll get exec end end
%%PageTrailer
%%Trailer
%%EOF
\ No newline at end of file
Binary file src/Doc/Tutorial/document/pghead.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/preface.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,56 @@
+\chapter*{Preface}
+\markboth{Preface}{Preface}
+
+This volume is a self-contained introduction to interactive proof
+in higher-order logic (HOL), using the proof assistant Isabelle.
+It is written for potential users rather
+than for our colleagues in the research world.
+
+The book has three parts.
+\begin{itemize}
+\item
+The first part, \textbf{Elementary Techniques},
+shows how to model functional programs in higher-order logic. Early
+examples involve lists and the natural numbers. Most proofs
+are two steps long, consisting of induction on a chosen variable
+followed by the \isa{auto} tactic. But even this elementary part
+covers such advanced topics as nested and mutual recursion.
+\item
+The second part, \textbf{Logic and Sets}, presents a collection of
+lower-level tactics that you can use to apply rules selectively. It
+also describes Isabelle/HOL's treatment of sets, functions and
+relations and explains how to define sets inductively. One of the
+examples concerns the theory of model checking, and another is drawn
+from a classic textbook on formal languages.
+\item
+The third part, \textbf{Advanced Material}, describes a variety of other
+topics. Among these are the real numbers, records and overloading. Advanced
+techniques for induction and recursion are described. A whole chapter is
+devoted to an extended example: the verification of a security protocol.
+\end{itemize}
+
+The typesetting relies on Wenzel's theory presentation tools. An
+annotated source file is run, typesetting the theory
+in the form of a \LaTeX\ source file. This book is derived almost entirely
+from output generated in this way. The final chapter of Part~I explains how
+users may produce their own formal documents in a similar fashion.
+
+Isabelle's \hfootref{http://isabelle.in.tum.de/}{web site} contains
+links to the download area and to documentation and other information.
+The classic Isabelle user interface is Proof~General~/ Emacs by David
+Aspinall's\index{Aspinall, David}. This book says very little about
+Proof General, which has its own documentation.
+
+This tutorial owes a lot to the constant discussions with and the valuable
+feedback from the Isabelle group at Munich: Stefan Berghofer, Olaf
+M{\"u}ller, Wolfgang Naraschewski, David von Oheimb, Leonor Prensa Nieto,
+Cornelia Pusch, Norbert Schirmer and Martin Strecker. Stephan
+Merz was also kind enough to read and comment on a draft version. We
+received comments from Stefano Bistarelli, Gergely Buday, John Matthews
+and Tanja Vos.
+
+The research has been funded by many sources, including the {\sc dfg} grants
+NI~491/2, NI~491/3, NI~491/4, NI~491/6, {\sc bmbf} project Verisoft, the {\sc
+epsrc} grants GR/K57381, GR/K77051, GR/M75440, GR/R01156/01 GR/S57198/01 and
+by the \textsc{esprit} working groups 21900 and IST-1999-29001 (the
+\emph{Types} project).
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/protocol.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,135 @@
+\chapter{Case Study: Verifying a Security Protocol}
+\label{chap:crypto}
+
+\index{protocols!security|(}
+
+%crypto primitives
+\def\lbb{\mathopen{\{\kern-.30em|}}
+\def\rbb{\mathclose{|\kern-.32em\}}}
+\def\comp#1{\lbb#1\rbb}
+
+Communications security is an ancient art. Julius Caesar is said to have
+encrypted his messages, shifting each letter three places along the
+alphabet. Mary Queen of Scots was convicted of treason after a cipher used
+in her letters was broken. Today's postal system
+incorporates security features. The envelope provides a degree of
+\emph{secrecy}. The signature provides \emph{authenticity} (proof of
+origin), as do departmental stamps and letterheads.
+
+Networks are vulnerable: messages pass through many computers, any of which
+might be controlled by an adversary, who thus can capture or redirect
+messages. People who wish to communicate securely over such a network can
+use cryptography, but if they are to understand each other, they need to
+follow a
+\emph{protocol}: a pre-arranged sequence of message formats.
+
+Protocols can be attacked in many ways, even if encryption is unbreakable.
+A \emph{splicing attack} involves an adversary's sending a message composed
+of parts of several old messages. This fake message may have the correct
+format, fooling an honest party. The adversary might be able to masquerade
+as somebody else, or he might obtain a secret key.
+
+\emph{Nonces} help prevent splicing attacks. A typical nonce is a 20-byte
+random number. Each message that requires a reply incorporates a nonce. The
+reply must include a copy of that nonce, to prove that it is not a replay of
+a past message. The nonce in the reply must be cryptographically
+protected, since otherwise an adversary could easily replace it by a
+different one. You should be starting to see that protocol design is
+tricky!
+
+Researchers are developing methods for proving the correctness of security
+protocols. The Needham-Schroeder public-key
+protocol~\cite{needham-schroeder} has become a standard test case.
+Proposed in 1978, it was found to be defective nearly two decades
+later~\cite{lowe-fdr}. This toy protocol will be useful in demonstrating
+how to verify protocols using Isabelle.
+
+
+\section{The Needham-Schroeder Public-Key Protocol}\label{sec:ns-protocol}
+
+\index{Needham-Schroeder protocol|(}%
+This protocol uses public-key cryptography. Each person has a private key, known only to
+himself, and a public key, known to everybody. If Alice wants to send Bob a secret message, she
+encrypts it using Bob's public key (which everybody knows), and sends it to Bob. Only Bob has the
+matching private key, which is needed in order to decrypt Alice's message.
+
+The core of the Needham-Schroeder protocol consists of three messages:
+\begin{alignat*}{2}
+ &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
+ &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
+ &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+First, let's understand the notation. In the first message, Alice
+sends Bob a message consisting of a nonce generated by Alice~($Na$)
+paired with Alice's name~($A$) and encrypted using Bob's public
+key~($Kb$). In the second message, Bob sends Alice a message
+consisting of $Na$ paired with a nonce generated by Bob~($Nb$),
+encrypted using Alice's public key~($Ka$). In the last message, Alice
+returns $Nb$ to Bob, encrypted using his public key.
+
+When Alice receives Message~2, she knows that Bob has acted on her
+message, since only he could have decrypted
+$\comp{Na,A}\sb{Kb}$ and extracted~$Na$. That is precisely what
+nonces are for. Similarly, message~3 assures Bob that Alice is
+active. But the protocol was widely believed~\cite{ban89} to satisfy a
+further property: that
+$Na$ and~$Nb$ were secrets shared by Alice and Bob. (Many
+protocols generate such shared secrets, which can be used
+to lessen the reliance on slow public-key operations.)
+Lowe\index{Lowe, Gavin|(} found this
+claim to be false: if Alice runs the protocol with someone untrustworthy
+(Charlie say), then he can start a new run with another agent (Bob say).
+Charlie uses Alice as an oracle, masquerading as
+Alice to Bob~\cite{lowe-fdr}.
+\begin{alignat*}{4}
+ &1.&\quad A\to C &: \comp{Na,A}\sb{Kc} &&
+ \qquad 1'.&\quad C\to B &: \comp{Na,A}\sb{Kb} \\
+ &2.&\quad B\to A &: \comp{Na,Nb}\sb{Ka} \\
+ &3.&\quad A\to C &: \comp{Nb}\sb{Kc} &&
+ \qquad 3'.&\quad C\to B &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+In messages~1 and~3, Charlie removes the encryption using his private
+key and re-encrypts Alice's messages using Bob's public key. Bob is
+left thinking he has run the protocol with Alice, which was not
+Alice's intention, and Bob is unaware that the ``secret'' nonces are
+known to Charlie. This is a typical man-in-the-middle attack launched
+by an insider.
+
+Whether this counts as an attack has been disputed. In protocols of this
+type, we normally assume that the other party is honest. To be honest
+means to obey the protocol rules, so Alice's running the protocol with
+Charlie does not make her dishonest, just careless. After Lowe's
+attack, Alice has no grounds for complaint: this protocol does not have to
+guarantee anything if you run it with a bad person. Bob does have
+grounds for complaint, however: the protocol tells him that he is
+communicating with Alice (who is honest) but it does not guarantee
+secrecy of the nonces.
+
+Lowe also suggested a correction, namely to include Bob's name in
+message~2:
+\begin{alignat*}{2}
+ &1.&\quad A\to B &: \comp{Na,A}\sb{Kb} \\
+ &2.&\quad B\to A &: \comp{Na,Nb,B}\sb{Ka} \\
+ &3.&\quad A\to B &: \comp{Nb}\sb{Kb}
+\end{alignat*}
+If Charlie tries the same attack, Alice will receive the message
+$\comp{Na,Nb,B}\sb{Ka}$ when she was expecting to receive
+$\comp{Na,Nb,C}\sb{Ka}$. She will abandon the run, and eventually so
+will Bob. Below, we shall look at parts of this protocol's correctness
+proof.
+
+In ground-breaking work, Lowe~\cite{lowe-fdr}\index{Lowe, Gavin|)}
+showed how such attacks
+could be found automatically using a model checker. An alternative,
+which we shall examine below, is to prove protocols correct. Proofs
+can be done under more realistic assumptions because our model does
+not have to be finite. The strategy is to formalize the operational
+semantics of the system and to prove security properties using rule
+induction.%
+\index{Needham-Schroeder protocol|)}
+
+
+\input{Message}
+\input{Event}
+\input{Public}
+\input{NS_Public}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,98 @@
+\documentclass{article}
+\usepackage{cl2emono-modified,isabelle,isabellesym}
+\usepackage{proof,amsmath,amsfonts}
+\usepackage{latexsym,wasysym,verbatim,graphicx,tutorial,ttbox,comment}
+\usepackage{eurosym}
+\usepackage[english]{babel}
+\usepackage{pdfsetup}
+%last package!
+
+\remarkstrue %TRUE causes remarks to be displayed (as marginal notes)
+%\remarksfalse
+
+\makeindex
+
+\index{conditional expressions|see{\isa{if} expressions}}
+\index{primitive recursion|see{recursion, primitive}}
+\index{product type|see{pairs and tuples}}
+\index{structural induction|see{induction, structural}}
+\index{termination|see{functions, total}}
+\index{tuples|see{pairs and tuples}}
+\index{*<*lex*>|see{lexicographic product}}
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
+
+\pagestyle{headings}
+
+
+\begin{document}
+\title{
+\begin{center}
+\includegraphics[scale=.8]{isabelle_hol}
+ \\ \vspace{0.5cm} A Proof Assistant for Higher-Order Logic
+\end{center}}
+\author{Tobias Nipkow \quad Lawrence C. Paulson \quad Markus Wenzel%\\[1ex]
+%Technische Universit{\"a}t M{\"u}nchen \\
+%Institut f{\"u}r Informatik \\[1ex]
+%University of Cambridge\\
+%Computer Laboratory
+}
+\pagenumbering{roman}
+\maketitle
+\newpage
+
+%\setcounter{page}{5}
+%\vspace*{\fill}
+%\begin{center}
+%\LARGE In memoriam \\[1ex]
+%{\sc Annette Schumann}\\[1ex]
+%1959 -- 2001
+%\end{center}
+%\vspace*{\fill}
+%\vspace*{\fill}
+%\newpage
+
+\input{preface}
+
+\tableofcontents
+
+\cleardoublepage\pagenumbering{arabic}
+
+\part{Elementary Techniques}
+\input{basics}
+\input{fp}
+\input{documents0}
+
+\part{Logic and Sets}
+\input{rules}
+\input{sets}
+\input{inductive0}
+
+\part{Advanced Material}
+\input{types0}
+\input{advanced0}
+\input{protocol}
+
+\markboth{}{}
+\cleardoublepage
+\vspace*{\fill}
+\begin{flushright}
+\begin{tabular}{l}
+{\large\sf\slshape You know my methods. Apply them!}\\[1ex]
+Sherlock Holmes
+\end{tabular}
+\end{flushright}
+\vspace*{\fill}
+\vspace*{\fill}
+
+\underscoreoff
+
+\input{appendix0}
+
+\bibliographystyle{plain}
+\bibliography{manual}
+\underscoreoff
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/rules.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2641 @@
+%!TEX root = ../tutorial.tex
+\chapter{The Rules of the Game}
+\label{chap:rules}
+
+This chapter outlines the concepts and techniques that underlie reasoning
+in Isabelle. Until now, we have proved everything using only induction and
+simplification, but any serious verification project requires more elaborate
+forms of inference. The chapter also introduces the fundamentals of
+predicate logic. The first examples in this chapter will consist of
+detailed, low-level proof steps. Later, we shall see how to automate such
+reasoning using the methods
+\isa{blast},
+\isa{auto} and others. Backward or goal-directed proof is our usual style,
+but the chapter also introduces forward reasoning, where one theorem is
+transformed to yield another.
+
+\section{Natural Deduction}
+
+\index{natural deduction|(}%
+In Isabelle, proofs are constructed using inference rules. The
+most familiar inference rule is probably \emph{modus ponens}:%
+\index{modus ponens@\emph{modus ponens}}
+\[ \infer{Q}{P\imp Q & P} \]
+This rule says that from $P\imp Q$ and $P$ we may infer~$Q$.
+
+\textbf{Natural deduction} is an attempt to formalize logic in a way
+that mirrors human reasoning patterns.
+For each logical symbol (say, $\conj$), there
+are two kinds of rules: \textbf{introduction} and \textbf{elimination} rules.
+The introduction rules allow us to infer this symbol (say, to
+infer conjunctions). The elimination rules allow us to deduce
+consequences from this symbol. Ideally each rule should mention
+one symbol only. For predicate logic this can be
+done, but when users define their own concepts they typically
+have to refer to other symbols as well. It is best not to be dogmatic.
+
+Natural deduction generally deserves its name. It is easy to use. Each
+proof step consists of identifying the outermost symbol of a formula and
+applying the corresponding rule. It creates new subgoals in
+an obvious way from parts of the chosen formula. Expanding the
+definitions of constants can blow up the goal enormously. Deriving natural
+deduction rules for such constants lets us reason in terms of their key
+properties, which might otherwise be obscured by the technicalities of its
+definition. Natural deduction rules also lend themselves to automation.
+Isabelle's
+\textbf{classical reasoner} accepts any suitable collection of natural deduction
+rules and uses them to search for proofs automatically. Isabelle is designed around
+natural deduction and many of its tools use the terminology of introduction
+and elimination rules.%
+\index{natural deduction|)}
+
+
+\section{Introduction Rules}
+
+\index{introduction rules|(}%
+An introduction rule tells us when we can infer a formula
+containing a specific logical symbol. For example, the conjunction
+introduction rule says that if we have $P$ and if we have $Q$ then
+we have $P\conj Q$. In a mathematics text, it is typically shown
+like this:
+\[ \infer{P\conj Q}{P & Q} \]
+The rule introduces the conjunction
+symbol~($\conj$) in its conclusion. In Isabelle proofs we
+mainly reason backwards. When we apply this rule, the subgoal already has
+the form of a conjunction; the proof step makes this conjunction symbol
+disappear.
+
+In Isabelle notation, the rule looks like this:
+\begin{isabelle}
+\isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P\ \isasymand\ ?Q\rulenamedx{conjI}
+\end{isabelle}
+Carefully examine the syntax. The premises appear to the
+left of the arrow and the conclusion to the right. The premises (if
+more than one) are grouped using the fat brackets. The question marks
+indicate \textbf{schematic variables} (also called
+\textbf{unknowns}):\index{unknowns|bold} they may
+be replaced by arbitrary formulas. If we use the rule backwards, Isabelle
+tries to unify the current subgoal with the conclusion of the rule, which
+has the form \isa{?P\ \isasymand\ ?Q}. (Unification is discussed below,
+{\S}\ref{sec:unification}.) If successful,
+it yields new subgoals given by the formulas assigned to
+\isa{?P} and \isa{?Q}.
+
+The following trivial proof illustrates how rules work. It also introduces a
+style of indentation. If a command adds a new subgoal, then the next
+command's indentation is increased by one space; if it proves a subgoal, then
+the indentation is reduced. This provides the reader with hints about the
+subgoal structure.
+\begin{isabelle}
+\isacommand{lemma}\ conj_rule:\ "\isasymlbrakk P;\
+Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\
+(Q\ \isasymand\ P)"\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+At the start, Isabelle presents
+us with the assumptions (\isa{P} and~\isa{Q}) and with the goal to be proved,
+\isa{P\ \isasymand\
+(Q\ \isasymand\ P)}. We are working backwards, so when we
+apply conjunction introduction, the rule removes the outermost occurrence
+of the \isa{\isasymand} symbol. To apply a rule to a subgoal, we apply
+the proof method \isa{rule} --- here with \isa{conjI}, the conjunction
+introduction rule.
+\begin{isabelle}
+%\isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\ \isasymand\ Q\
+%\isasymand\ P\isanewline
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\ \isasymand\ P
+\end{isabelle}
+Isabelle leaves two new subgoals: the two halves of the original conjunction.
+The first is simply \isa{P}, which is trivial, since \isa{P} is among
+the assumptions. We can apply the \methdx{assumption}
+method, which proves a subgoal by finding a matching assumption.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\
+Q\ \isasymand\ P
+\end{isabelle}
+We are left with the subgoal of proving
+\isa{Q\ \isasymand\ P} from the assumptions \isa{P} and~\isa{Q}. We apply
+\isa{rule conjI} again.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P
+\end{isabelle}
+We are left with two new subgoals, \isa{Q} and~\isa{P}, each of which can be proved
+using the \isa{assumption} method.%
+\index{introduction rules|)}
+
+
+\section{Elimination Rules}
+
+\index{elimination rules|(}%
+Elimination rules work in the opposite direction from introduction
+rules. In the case of conjunction, there are two such rules.
+From $P\conj Q$ we infer $P$. also, from $P\conj Q$
+we infer $Q$:
+\[ \infer{P}{P\conj Q} \qquad \infer{Q}{P\conj Q} \]
+
+Now consider disjunction. There are two introduction rules, which resemble inverted forms of the
+conjunction elimination rules:
+\[ \infer{P\disj Q}{P} \qquad \infer{P\disj Q}{Q} \]
+
+What is the disjunction elimination rule? The situation is rather different from
+conjunction. From $P\disj Q$ we cannot conclude that $P$ is true and we
+cannot conclude that $Q$ is true; there are no direct
+elimination rules of the sort that we have seen for conjunction. Instead,
+there is an elimination rule that works indirectly. If we are trying to prove
+something else, say $R$, and we know that $P\disj Q$ holds, then we have to consider
+two cases. We can assume that $P$ is true and prove $R$ and then assume that $Q$ is
+true and prove $R$ a second time. Here we see a fundamental concept used in natural
+deduction: that of the \textbf{assumptions}. We have to prove $R$ twice, under
+different assumptions. The assumptions are local to these subproofs and are visible
+nowhere else.
+
+In a logic text, the disjunction elimination rule might be shown
+like this:
+\[ \infer{R}{P\disj Q & \infer*{R}{[P]} & \infer*{R}{[Q]}} \]
+The assumptions $[P]$ and $[Q]$ are bracketed
+to emphasize that they are local to their subproofs. In Isabelle
+notation, the already-familiar \isa{\isasymLongrightarrow} syntax serves the
+same purpose:
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymor\ ?Q;\ ?P\ \isasymLongrightarrow\ ?R;\ ?Q\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{disjE}
+\end{isabelle}
+When we use this sort of elimination rule backwards, it produces
+a case split. (We have seen this before, in proofs by induction.) The following proof
+illustrates the use of disjunction elimination.
+\begin{isabelle}
+\isacommand{lemma}\ disj_swap:\ "P\ \isasymor\ Q\
+\isasymLongrightarrow\ Q\ \isasymor\ P"\isanewline
+\isacommand{apply}\ (erule\ disjE)\isanewline
+\ \isacommand{apply}\ (rule\ disjI2)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (rule\ disjI1)\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+We assume \isa{P\ \isasymor\ Q} and
+must prove \isa{Q\ \isasymor\ P}\@. Our first step uses the disjunction
+elimination rule, \isa{disjE}\@. We invoke it using \methdx{erule}, a
+method designed to work with elimination rules. It looks for an assumption that
+matches the rule's first premise. It deletes the matching assumption,
+regards the first premise as proved and returns subgoals corresponding to
+the remaining premises. When we apply \isa{erule} to \isa{disjE}, only two
+subgoals result. This is better than applying it using \isa{rule}
+to get three subgoals, then proving the first by assumption: the other
+subgoals would have the redundant assumption
+\hbox{\isa{P\ \isasymor\ Q}}.
+Most of the time, \isa{erule} is the best way to use elimination rules, since it
+replaces an assumption by its subformulas; only rarely does the original
+assumption remain useful.
+
+\begin{isabelle}
+%P\ \isasymor\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
+\ 1.\ P\ \isasymLongrightarrow\ Q\ \isasymor\ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+These are the two subgoals returned by \isa{erule}. The first assumes
+\isa{P} and the second assumes \isa{Q}. Tackling the first subgoal, we
+need to show \isa{Q\ \isasymor\ P}\@. The second introduction rule
+(\isa{disjI2}) can reduce this to \isa{P}, which matches the assumption.
+So, we apply the
+\isa{rule} method with \isa{disjI2} \ldots
+\begin{isabelle}
+\ 1.\ P\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+\ldots and finish off with the \isa{assumption}
+method. We are left with the other subgoal, which
+assumes \isa{Q}.
+\begin{isabelle}
+\ 1.\ Q\ \isasymLongrightarrow\ Q\ \isasymor\ P
+\end{isabelle}
+Its proof is similar, using the introduction
+rule \isa{disjI1}.
+
+The result of this proof is a new inference rule \isa{disj_swap}, which is neither
+an introduction nor an elimination rule, but which might
+be useful. We can use it to replace any goal of the form $Q\disj P$
+by one of the form $P\disj Q$.%
+\index{elimination rules|)}
+
+
+\section{Destruction Rules: Some Examples}
+
+\index{destruction rules|(}%
+Now let us examine the analogous proof for conjunction.
+\begin{isabelle}
+\isacommand{lemma}\ conj_swap:\ "P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P"\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ \isacommand{apply}\ (drule\ conjunct2)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (drule\ conjunct1)\isanewline
+\isacommand{apply}\ assumption
+\end{isabelle}
+Recall that the conjunction elimination rules --- whose Isabelle names are
+\isa{conjunct1} and \isa{conjunct2} --- simply return the first or second half
+of a conjunction. Rules of this sort (where the conclusion is a subformula of a
+premise) are called \textbf{destruction} rules because they take apart and destroy
+a premise.%
+\footnote{This Isabelle terminology has no counterpart in standard logic texts,
+although the distinction between the two forms of elimination rule is well known.
+Girard \cite[page 74]{girard89},\index{Girard, Jean-Yves|fnote}
+for example, writes ``The elimination rules
+[for $\disj$ and $\exists$] are very
+bad. What is catastrophic about them is the parasitic presence of a formula [$R$]
+which has no structural link with the formula which is eliminated.''}
+
+The first proof step applies conjunction introduction, leaving
+two subgoals:
+\begin{isabelle}
+%P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\ \isasymand\ P\isanewline
+\ 1.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
+\end{isabelle}
+
+To invoke the elimination rule, we apply a new method, \isa{drule}.
+Think of the \isa{d} as standing for \textbf{destruction} (or \textbf{direct}, if
+you prefer). Applying the
+second conjunction rule using \isa{drule} replaces the assumption
+\isa{P\ \isasymand\ Q} by \isa{Q}.
+\begin{isabelle}
+\ 1.\ Q\ \isasymLongrightarrow\ Q\isanewline
+\ 2.\ P\ \isasymand\ Q\ \isasymLongrightarrow\ P
+\end{isabelle}
+The resulting subgoal can be proved by applying \isa{assumption}.
+The other subgoal is similarly proved, using the \isa{conjunct1} rule and the
+\isa{assumption} method.
+
+Choosing among the methods \isa{rule}, \isa{erule} and \isa{drule} is up to
+you. Isabelle does not attempt to work out whether a rule
+is an introduction rule or an elimination rule. The
+method determines how the rule will be interpreted. Many rules
+can be used in more than one way. For example, \isa{disj_swap} can
+be applied to assumptions as well as to goals; it replaces any
+assumption of the form
+$P\disj Q$ by a one of the form $Q\disj P$.
+
+Destruction rules are simpler in form than indirect rules such as \isa{disjE},
+but they can be inconvenient. Each of the conjunction rules discards half
+of the formula, when usually we want to take both parts of the conjunction as new
+assumptions. The easiest way to do so is by using an
+alternative conjunction elimination rule that resembles \isa{disjE}\@. It is
+seldom, if ever, seen in logic books. In Isabelle syntax it looks like this:
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymand\ ?Q;\ \isasymlbrakk?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?R\isasymrbrakk\ \isasymLongrightarrow\ ?R\rulenamedx{conjE}
+\end{isabelle}
+\index{destruction rules|)}
+
+\begin{exercise}
+Use the rule \isa{conjE} to shorten the proof above.
+\end{exercise}
+
+
+\section{Implication}
+
+\index{implication|(}%
+At the start of this chapter, we saw the rule \emph{modus ponens}. It is, in fact,
+a destruction rule. The matching introduction rule looks like this
+in Isabelle:
+\begin{isabelle}
+(?P\ \isasymLongrightarrow\ ?Q)\ \isasymLongrightarrow\ ?P\
+\isasymlongrightarrow\ ?Q\rulenamedx{impI}
+\end{isabelle}
+And this is \emph{modus ponens}\index{modus ponens@\emph{modus ponens}}:
+\begin{isabelle}
+\isasymlbrakk?P\ \isasymlongrightarrow\ ?Q;\ ?P\isasymrbrakk\
+\isasymLongrightarrow\ ?Q
+\rulenamedx{mp}
+\end{isabelle}
+
+Here is a proof using the implication rules. This
+lemma performs a sort of uncurrying, replacing the two antecedents
+of a nested implication by a conjunction. The proof illustrates
+how assumptions work. At each proof step, the subgoals inherit the previous
+assumptions, perhaps with additions or deletions. Rules such as
+\isa{impI} and \isa{disjE} add assumptions, while applying \isa{erule} or
+\isa{drule} deletes the matching assumption.
+\begin{isabelle}
+\isacommand{lemma}\ imp_uncurry:\
+"P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
+\isasymand\ Q\ \isasymlongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \ \isacommand{apply}\ assumption\isanewline
+\ \isacommand{apply}\ assumption
+\end{isabelle}
+First, we state the lemma and apply implication introduction (\isa{rule impI}),
+which moves the conjunction to the assumptions.
+\begin{isabelle}
+%P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R\ \isasymLongrightarrow\ P\
+%\isasymand\ Q\ \isasymlongrightarrow\ R\isanewline
+\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P\ \isasymand\ Q\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Next, we apply conjunction elimination (\isa{erule conjE}), which splits this
+conjunction into two parts.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P\ \isasymlongrightarrow\ Q\ \isasymlongrightarrow\ R;\ P;\
+Q\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Now, we work on the assumption \isa{P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)}, where the parentheses have been inserted for
+clarity. The nested implication requires two applications of
+\textit{modus ponens}: \isa{drule mp}. The first use yields the
+implication \isa{Q\
+\isasymlongrightarrow\ R}, but first we must prove the extra subgoal
+\isa{P}, which we do by assumption.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P\isanewline
+\ 2.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\ \isasymLongrightarrow\ R
+\end{isabelle}
+Repeating these steps for \isa{Q\
+\isasymlongrightarrow\ R} yields the conclusion we seek, namely~\isa{R}.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P;\ Q;\ Q\ \isasymlongrightarrow\ R\isasymrbrakk\
+\isasymLongrightarrow\ R
+\end{isabelle}
+
+The symbols \isa{\isasymLongrightarrow} and \isa{\isasymlongrightarrow}
+both stand for implication, but they differ in many respects. Isabelle
+uses \isa{\isasymLongrightarrow} to express inference rules; the symbol is
+built-in and Isabelle's inference mechanisms treat it specially. On the
+other hand, \isa{\isasymlongrightarrow} is just one of the many connectives
+available in higher-order logic. We reason about it using inference rules
+such as \isa{impI} and \isa{mp}, just as we reason about the other
+connectives. You will have to use \isa{\isasymlongrightarrow} in any
+context that requires a formula of higher-order logic. Use
+\isa{\isasymLongrightarrow} to separate a theorem's preconditions from its
+conclusion.%
+\index{implication|)}
+
+\medskip
+\index{by@\isacommand{by} (command)|(}%
+The \isacommand{by} command is useful for proofs like these that use
+\isa{assumption} heavily. It executes an
+\isacommand{apply} command, then tries to prove all remaining subgoals using
+\isa{assumption}. Since (if successful) it ends the proof, it also replaces the
+\isacommand{done} symbol. For example, the proof above can be shortened:
+\begin{isabelle}
+\isacommand{lemma}\ imp_uncurry:\
+"P\ \isasymlongrightarrow\ (Q\
+\isasymlongrightarrow\ R)\ \isasymLongrightarrow\ P\
+\isasymand\ Q\ \isasymlongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (drule\ mp)\isanewline
+\ \isacommand{apply}\ assumption\isanewline
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+We could use \isacommand{by} to replace the final \isacommand{apply} and
+\isacommand{done} in any proof, but typically we use it
+to eliminate calls to \isa{assumption}. It is also a nice way of expressing a
+one-line proof.%
+\index{by@\isacommand{by} (command)|)}
+
+
+
+\section{Negation}
+
+\index{negation|(}%
+Negation causes surprising complexity in proofs. Its natural
+deduction rules are straightforward, but additional rules seem
+necessary in order to handle negated assumptions gracefully. This section
+also illustrates the \isa{intro} method: a convenient way of
+applying introduction rules.
+
+Negation introduction deduces $\lnot P$ if assuming $P$ leads to a
+contradiction. Negation elimination deduces any formula in the
+presence of $\lnot P$ together with~$P$:
+\begin{isabelle}
+(?P\ \isasymLongrightarrow\ False)\ \isasymLongrightarrow\ \isasymnot\ ?P%
+\rulenamedx{notI}\isanewline
+\isasymlbrakk{\isasymnot}\ ?P;\ ?P\isasymrbrakk\ \isasymLongrightarrow\ ?R%
+\rulenamedx{notE}
+\end{isabelle}
+%
+Classical logic allows us to assume $\lnot P$
+when attempting to prove~$P$:
+\begin{isabelle}
+(\isasymnot\ ?P\ \isasymLongrightarrow\ ?P)\ \isasymLongrightarrow\ ?P%
+\rulenamedx{classical}
+\end{isabelle}
+
+\index{contrapositives|(}%
+The implications $P\imp Q$ and $\lnot Q\imp\lnot P$ are logically
+equivalent, and each is called the
+\textbf{contrapositive} of the other. Four further rules support
+reasoning about contrapositives. They differ in the placement of the
+negation symbols:
+\begin{isabelle}
+\isasymlbrakk?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulename{contrapos_pp}\isanewline
+\isasymlbrakk?Q;\ ?P\ \isasymLongrightarrow\ \isasymnot\ ?Q\isasymrbrakk\ \isasymLongrightarrow\
+\isasymnot\ ?P%
+\rulename{contrapos_pn}\isanewline
+\isasymlbrakk{\isasymnot}\ ?Q;\ \isasymnot\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulename{contrapos_np}\isanewline
+\isasymlbrakk{\isasymnot}\ ?Q;\ ?P\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ \isasymnot\ ?P%
+\rulename{contrapos_nn}
+\end{isabelle}
+%
+These rules are typically applied using the \isa{erule} method, where
+their effect is to form a contrapositive from an
+assumption and the goal's conclusion.%
+\index{contrapositives|)}
+
+The most important of these is \isa{contrapos_np}. It is useful
+for applying introduction rules to negated assumptions. For instance,
+the assumption $\lnot(P\imp Q)$ is equivalent to the conclusion $P\imp Q$ and we
+might want to use conjunction introduction on it.
+Before we can do so, we must move that assumption so that it
+becomes the conclusion. The following proof demonstrates this
+technique:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk{\isasymnot}(P{\isasymlongrightarrow}Q);\
+\isasymnot(R{\isasymlongrightarrow}Q)\isasymrbrakk\ \isasymLongrightarrow\
+R"\isanewline
+\isacommand{apply}\ (erule_tac\ Q = "R{\isasymlongrightarrow}Q"\ \isakeyword{in}\
+contrapos_np)\isanewline
+\isacommand{apply}\ (intro\ impI)\isanewline
+\isacommand{by}\ (erule\ notE)
+\end{isabelle}
+%
+There are two negated assumptions and we need to exchange the conclusion with the
+second one. The method \isa{erule contrapos_np} would select the first assumption,
+which we do not want. So we specify the desired assumption explicitly
+using a new method, \isa{erule_tac}. This is the resulting subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\
+R\isasymrbrakk\ \isasymLongrightarrow\ R\ \isasymlongrightarrow\ Q%
+\end{isabelle}
+The former conclusion, namely \isa{R}, now appears negated among the assumptions,
+while the negated formula \isa{R\ \isasymlongrightarrow\ Q} becomes the new
+conclusion.
+
+We can now apply introduction rules. We use the \methdx{intro} method, which
+repeatedly applies the given introduction rules. Here its effect is equivalent
+to \isa{rule impI}.
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (P\ \isasymlongrightarrow\ Q);\ \isasymnot\ R;\
+R\isasymrbrakk\ \isasymLongrightarrow\ Q%
+\end{isabelle}
+We can see a contradiction in the form of assumptions \isa{\isasymnot\ R}
+and~\isa{R}, which suggests using negation elimination. If applied on its own,
+\isa{notE} will select the first negated assumption, which is useless.
+Instead, we invoke the rule using the
+\isa{by} command.
+Now when Isabelle selects the first assumption, it tries to prove \isa{P\
+\isasymlongrightarrow\ Q} and fails; it then backtracks, finds the
+assumption \isa{\isasymnot~R} and finally proves \isa{R} by assumption. That
+concludes the proof.
+
+\medskip
+
+The following example may be skipped on a first reading. It involves a
+peculiar but important rule, a form of disjunction introduction:
+\begin{isabelle}
+(\isasymnot \ ?Q\ \isasymLongrightarrow \ ?P)\ \isasymLongrightarrow \ ?P\ \isasymor \ ?Q%
+\rulenamedx{disjCI}
+\end{isabelle}
+This rule combines the effects of \isa{disjI1} and \isa{disjI2}. Its great
+advantage is that we can remove the disjunction symbol without deciding
+which disjunction to prove. This treatment of disjunction is standard in sequent
+and tableau calculi.
+
+\begin{isabelle}
+\isacommand{lemma}\ "(P\ \isasymor\ Q)\ \isasymand\ R\
+\isasymLongrightarrow\ P\ \isasymor\ (Q\ \isasymand\ R)"\isanewline
+\isacommand{apply}\ (rule\ disjCI)\isanewline
+\isacommand{apply}\ (elim\ conjE\ disjE)\isanewline
+\ \isacommand{apply}\ assumption
+\isanewline
+\isacommand{by}\ (erule\ contrapos_np,\ rule\ conjI)
+\end{isabelle}
+%
+The first proof step to applies the introduction rules \isa{disjCI}.
+The resulting subgoal has the negative assumption
+\hbox{\isa{\isasymnot(Q\ \isasymand\ R)}}.
+
+\begin{isabelle}
+\ 1.\ \isasymlbrakk(P\ \isasymor\ Q)\ \isasymand\ R;\ \isasymnot\ (Q\ \isasymand\
+R)\isasymrbrakk\ \isasymLongrightarrow\ P%
+\end{isabelle}
+Next we apply the \isa{elim} method, which repeatedly applies
+elimination rules; here, the elimination rules given
+in the command. One of the subgoals is trivial (\isa{\isacommand{apply} assumption}),
+leaving us with one other:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymnot}\ (Q\ \isasymand\ R);\ R;\ Q\isasymrbrakk\ \isasymLongrightarrow\ P%
+\end{isabelle}
+%
+Now we must move the formula \isa{Q\ \isasymand\ R} to be the conclusion. The
+combination
+\begin{isabelle}
+\ \ \ \ \ (erule\ contrapos_np,\ rule\ conjI)
+\end{isabelle}
+is robust: the \isa{conjI} forces the \isa{erule} to select a
+conjunction. The two subgoals are the ones we would expect from applying
+conjunction introduction to
+\isa{Q~\isasymand~R}:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\
+Q\isanewline
+\ 2.\ \isasymlbrakk R;\ Q;\ \isasymnot\ P\isasymrbrakk\ \isasymLongrightarrow\ R%
+\end{isabelle}
+They are proved by assumption, which is implicit in the \isacommand{by}
+command.%
+\index{negation|)}
+
+
+\section{Interlude: the Basic Methods for Rules}
+
+We have seen examples of many tactics that operate on individual rules. It
+may be helpful to review how they work given an arbitrary rule such as this:
+\[ \infer{Q}{P@1 & \ldots & P@n} \]
+Below, we refer to $P@1$ as the \bfindex{major premise}. This concept
+applies only to elimination and destruction rules. These rules act upon an
+instance of their major premise, typically to replace it by subformulas of itself.
+
+Suppose that the rule above is called~\isa{R}\@. Here are the basic rule
+methods, most of which we have already seen:
+\begin{itemize}
+\item
+Method \isa{rule\ R} unifies~$Q$ with the current subgoal, replacing it
+by $n$ new subgoals: instances of $P@1$, \ldots,~$P@n$.
+This is backward reasoning and is appropriate for introduction rules.
+\item
+Method \isa{erule\ R} unifies~$Q$ with the current subgoal and
+simultaneously unifies $P@1$ with some assumption. The subgoal is
+replaced by the $n-1$ new subgoals of proving
+instances of $P@2$,
+\ldots,~$P@n$, with the matching assumption deleted. It is appropriate for
+elimination rules. The method
+\isa{(rule\ R,\ assumption)} is similar, but it does not delete an
+assumption.
+\item
+Method \isa{drule\ R} unifies $P@1$ with some assumption, which it
+then deletes. The subgoal is
+replaced by the $n-1$ new subgoals of proving $P@2$, \ldots,~$P@n$; an
+$n$th subgoal is like the original one but has an additional assumption: an
+instance of~$Q$. It is appropriate for destruction rules.
+\item
+Method \isa{frule\ R} is like \isa{drule\ R} except that the matching
+assumption is not deleted. (See {\S}\ref{sec:frule} below.)
+\end{itemize}
+
+Other methods apply a rule while constraining some of its
+variables. The typical form is
+\begin{isabelle}
+\ \ \ \ \ \methdx{rule_tac}\ $v@1$ = $t@1$ \isakeyword{and} \ldots \isakeyword{and}
+$v@k$ =
+$t@k$ \isakeyword{in} R
+\end{isabelle}
+This method behaves like \isa{rule R}, while instantiating the variables
+$v@1$, \ldots,
+$v@k$ as specified. We similarly have \methdx{erule_tac}, \methdx{drule_tac} and
+\methdx{frule_tac}. These methods also let us specify which subgoal to
+operate on. By default it is the first subgoal, as with nearly all
+methods, but we can specify that rule \isa{R} should be applied to subgoal
+number~$i$:
+\begin{isabelle}
+\ \ \ \ \ rule_tac\ [$i$] R
+\end{isabelle}
+
+
+
+\section{Unification and Substitution}\label{sec:unification}
+
+\index{unification|(}%
+As we have seen, Isabelle rules involve schematic variables, which begin with
+a question mark and act as
+placeholders for terms. \textbf{Unification} --- well known to Prolog programmers --- is the act of
+making two terms identical, possibly replacing their schematic variables by
+terms. The simplest case is when the two terms are already the same. Next
+simplest is \textbf{pattern-matching}, which replaces variables in only one of the
+terms. The
+\isa{rule} method typically matches the rule's conclusion
+against the current subgoal. The
+\isa{assumption} method matches the current subgoal's conclusion
+against each of its assumptions. Unification can instantiate variables in both terms; the \isa{rule} method can do this if the goal
+itself contains schematic variables. Other occurrences of the variables in
+the rule or proof state are updated at the same time.
+
+Schematic variables in goals represent unknown terms. Given a goal such
+as $\exists x.\,P$, they let us proceed with a proof. They can be
+filled in later, sometimes in stages and often automatically.
+
+\begin{pgnote}
+If unification fails when you think it should succeed, try setting the Proof General flag \pgmenu{Isabelle} $>$ \pgmenu{Settings} $>$
+\pgmenu{Trace Unification},
+which makes Isabelle show the cause of unification failures (in Proof
+General's \pgmenu{Trace} buffer).
+\end{pgnote}
+\noindent
+For example, suppose we are trying to prove this subgoal by assumption:
+\begin{isabelle}
+\ 1.\ P\ (a,\ f\ (b,\ g\ (e,\ a),\ b),\ a)\ \isasymLongrightarrow \ P\ (a,\ f\ (b,\ g\ (c,\ a),\ b),\ a)
+\end{isabelle}
+The \isa{assumption} method having failed, we try again with the flag set:
+\begin{isabelle}
+\isacommand{apply} assumption
+\end{isabelle}
+In this trivial case, the output clearly shows that \isa{e} clashes with \isa{c}:
+\begin{isabelle}
+Clash: e =/= c
+\end{isabelle}
+
+Isabelle uses
+\textbf{higher-order} unification, which works in the
+typed $\lambda$-calculus. The procedure requires search and is potentially
+undecidable. For our purposes, however, the differences from ordinary
+unification are straightforward. It handles bound variables
+correctly, avoiding capture. The two terms
+\isa{{\isasymlambda}x.\ f(x,z)} and \isa{{\isasymlambda}y.\ f(y,z)} are
+trivially unifiable because they differ only by a bound variable renaming. The two terms \isa{{\isasymlambda}x.\ ?P} and
+\isa{{\isasymlambda}x.\ t x} are not unifiable; replacing \isa{?P} by
+\isa{t x} is forbidden because the free occurrence of~\isa{x} would become
+bound. Unfortunately, even if \isa{trace_unify_fail} is set, Isabelle displays no information about this type of failure.
+
+\begin{warn}
+Higher-order unification sometimes must invent
+$\lambda$-terms to replace function variables,
+which can lead to a combinatorial explosion. However, Isabelle proofs tend
+to involve easy cases where there are few possibilities for the
+$\lambda$-term being constructed. In the easiest case, the
+function variable is applied only to bound variables,
+as when we try to unify \isa{{\isasymlambda}x\ y.\ f(?h x y)} and
+\isa{{\isasymlambda}x\ y.\ f(x+y+a)}. The only solution is to replace
+\isa{?h} by \isa{{\isasymlambda}x\ y.\ x+y+a}. Such cases admit at most
+one unifier, like ordinary unification. A harder case is
+unifying \isa{?h a} with~\isa{a+b}; it admits two solutions for \isa{?h},
+namely \isa{{\isasymlambda}x.~a+b} and \isa{{\isasymlambda}x.~x+b}.
+Unifying \isa{?h a} with~\isa{a+a+b} admits four solutions; their number is
+exponential in the number of occurrences of~\isa{a} in the second term.
+\end{warn}
+
+
+
+\subsection{Substitution and the {\tt\slshape subst} Method}
+\label{sec:subst}
+
+\index{substitution|(}%
+Isabelle also uses function variables to express \textbf{substitution}.
+A typical substitution rule allows us to replace one term by
+another if we know that two terms are equal.
+\[ \infer{P[t/x]}{s=t & P[s/x]} \]
+The rule uses a notation for substitution: $P[t/x]$ is the result of
+replacing $x$ by~$t$ in~$P$. The rule only substitutes in the positions
+designated by~$x$. For example, it can
+derive symmetry of equality from reflexivity. Using $x=s$ for~$P$
+replaces just the first $s$ in $s=s$ by~$t$:
+\[ \infer{t=s}{s=t & \infer{s=s}{}} \]
+
+The Isabelle version of the substitution rule looks like this:
+\begin{isabelle}
+\isasymlbrakk?t\ =\ ?s;\ ?P\ ?s\isasymrbrakk\ \isasymLongrightarrow\ ?P\
+?t
+\rulenamedx{ssubst}
+\end{isabelle}
+Crucially, \isa{?P} is a function
+variable. It can be replaced by a $\lambda$-term
+with one bound variable, whose occurrences identify the places
+in which $s$ will be replaced by~$t$. The proof above requires \isa{?P}
+to be replaced by \isa{{\isasymlambda}x.~x=s}; the second premise will then
+be \isa{s=s} and the conclusion will be \isa{t=s}.
+
+The \isa{simp} method also replaces equals by equals, but the substitution
+rule gives us more control. Consider this proof:
+\begin{isabelle}
+\isacommand{lemma}\
+"\isasymlbrakk x\ =\ f\ x;\ odd(f\ x)\isasymrbrakk\ \isasymLongrightarrow\
+odd\ x"\isanewline
+\isacommand{by}\ (erule\ ssubst)
+\end{isabelle}
+%
+The assumption \isa{x\ =\ f\ x}, if used for rewriting, would loop,
+replacing \isa{x} by \isa{f x} and then by
+\isa{f(f x)} and so forth. (Here \isa{simp}
+would see the danger and would re-orient the equality, but in more complicated
+cases it can be fooled.) When we apply the substitution rule,
+Isabelle replaces every
+\isa{x} in the subgoal by \isa{f x} just once. It cannot loop. The
+resulting subgoal is trivial by assumption, so the \isacommand{by} command
+proves it implicitly.
+
+We are using the \isa{erule} method in a novel way. Hitherto,
+the conclusion of the rule was just a variable such as~\isa{?R}, but it may
+be any term. The conclusion is unified with the subgoal just as
+it would be with the \isa{rule} method. At the same time \isa{erule} looks
+for an assumption that matches the rule's first premise, as usual. With
+\isa{ssubst} the effect is to find, use and delete an equality
+assumption.
+
+The \methdx{subst} method performs individual substitutions. In simple cases,
+it closely resembles a use of the substitution rule. Suppose a
+proof has reached this point:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \ \isasymLongrightarrow \ f\ z\ =\ x\ *\ y%
+\end{isabelle}
+Now we wish to apply a commutative law:
+\begin{isabelle}
+?m\ *\ ?n\ =\ ?n\ *\ ?m%
+\rulename{mult_commute}
+\end{isabelle}
+Isabelle rejects our first attempt:
+\begin{isabelle}
+apply (simp add: mult_commute)
+\end{isabelle}
+The simplifier notices the danger of looping and refuses to apply the
+rule.%
+\footnote{More precisely, it only applies such a rule if the new term is
+smaller under a specified ordering; here, \isa{x\ *\ y}
+is already smaller than
+\isa{y\ *\ x}.}
+%
+The \isa{subst} method applies \isa{mult_commute} exactly once.
+\begin{isabelle}
+\isacommand{apply}\ (subst\ mult_commute)\isanewline
+\ 1.\ \isasymlbrakk P\ x\ y\ z;\ Suc\ x\ <\ y\isasymrbrakk \
+\isasymLongrightarrow \ f\ z\ =\ y\ *\ x%
+\end{isabelle}
+As we wanted, \isa{x\ *\ y} has become \isa{y\ *\ x}.
+
+\medskip
+This use of the \methdx{subst} method has the same effect as the command
+\begin{isabelle}
+\isacommand{apply}\ (rule\ mult_commute [THEN ssubst])
+\end{isabelle}
+The attribute \isa{THEN}, which combines two rules, is described in
+{\S}\ref{sec:THEN} below. The \methdx{subst} method is more powerful than
+applying the substitution rule. It can perform substitutions in a subgoal's
+assumptions. Moreover, if the subgoal contains more than one occurrence of
+the left-hand side of the equality, the \methdx{subst} method lets us specify which occurrence should be replaced.
+
+
+\subsection{Unification and Its Pitfalls}
+
+Higher-order unification can be tricky. Here is an example, which you may
+want to skip on your first reading:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\
+f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{apply}\ (erule\ ssubst)\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{back}\isanewline
+\isacommand{apply}\ assumption\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+By default, Isabelle tries to substitute for all the
+occurrences. Applying \isa{erule\ ssubst} yields this subgoal:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ (f\ x)
+\end{isabelle}
+The substitution should have been done in the first two occurrences
+of~\isa{x} only. Isabelle has gone too far. The \commdx{back}
+command allows us to reject this possibility and demand a new one:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ (f\ x)\ (f\ x)
+\end{isabelle}
+%
+Now Isabelle has left the first occurrence of~\isa{x} alone. That is
+promising but it is not the desired combination. So we use \isacommand{back}
+again:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ x\ (f\ x)
+\end{isabelle}
+%
+This also is wrong, so we use \isacommand{back} again:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ x\ x\ (f\ x)
+\end{isabelle}
+%
+And this one is wrong too. Looking carefully at the series
+of alternatives, we see a binary countdown with reversed bits: 111,
+011, 101, 001. Invoke \isacommand{back} again:
+\begin{isabelle}
+\ 1.\ triple\ (f\ x)\ (f\ x)\ x\ \isasymLongrightarrow\ triple\ (f\ x)\ (f\ x)\ x%
+\end{isabelle}
+At last, we have the right combination! This goal follows by assumption.%
+\index{unification|)}
+
+\medskip
+This example shows that unification can do strange things with
+function variables. We were forced to select the right unifier using the
+\isacommand{back} command. That is all right during exploration, but \isacommand{back}
+should never appear in the final version of a proof. You can eliminate the
+need for \isacommand{back} by giving Isabelle less freedom when you apply a rule.
+
+One way to constrain the inference is by joining two methods in a
+\isacommand{apply} command. Isabelle applies the first method and then the
+second. If the second method fails then Isabelle automatically backtracks.
+This process continues until the first method produces an output that the
+second method can use. We get a one-line proof of our example:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{apply}\ (erule\ ssubst,\ assumption)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+\noindent
+The \isacommand{by} command works too, since it backtracks when
+proving subgoals by assumption:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\
+\isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{by}\ (erule\ ssubst)
+\end{isabelle}
+
+
+The most general way to constrain unification is
+by instantiating variables in the rule. The method \isa{rule_tac} is
+similar to \isa{rule}, but it
+makes some of the rule's variables denote specified terms.
+Also available are {\isa{drule_tac}} and \isa{erule_tac}. Here we need
+\isa{erule_tac} since above we used \isa{erule}.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk x\ =\ f\ x;\ triple\ (f\ x)\ (f\ x)\ x\isasymrbrakk\ \isasymLongrightarrow\ triple\ x\ x\ x"\isanewline
+\isacommand{by}\ (erule_tac\ P = "\isasymlambda u.\ triple\ u\ u\ x"\
+\isakeyword{in}\ ssubst)
+\end{isabelle}
+%
+To specify a desired substitution
+requires instantiating the variable \isa{?P} with a $\lambda$-expression.
+The bound variable occurrences in \isa{{\isasymlambda}u.\ P\ u\
+u\ x} indicate that the first two arguments have to be substituted, leaving
+the third unchanged. With this instantiation, backtracking is neither necessary
+nor possible.
+
+An alternative to \isa{rule_tac} is to use \isa{rule} with a theorem
+modified using~\isa{of}, described in
+{\S}\ref{sec:forward} below. But \isa{rule_tac}, unlike \isa{of}, can
+express instantiations that refer to
+\isasymAnd-bound variables in the current subgoal.%
+\index{substitution|)}
+
+
+\section{Quantifiers}
+
+\index{quantifiers!universal|(}%
+Quantifiers require formalizing syntactic substitution and the notion of
+arbitrary value. Consider the universal quantifier. In a logic
+book, its introduction rule looks like this:
+\[ \infer{\forall x.\,P}{P} \]
+Typically, a proviso written in English says that $x$ must not
+occur in the assumptions. This proviso guarantees that $x$ can be regarded as
+arbitrary, since it has not been assumed to satisfy any special conditions.
+Isabelle's underlying formalism, called the
+\bfindex{meta-logic}, eliminates the need for English. It provides its own
+universal quantifier (\isasymAnd) to express the notion of an arbitrary value.
+We have already seen another operator of the meta-logic, namely
+\isa\isasymLongrightarrow, which expresses inference rules and the treatment
+of assumptions. The only other operator in the meta-logic is \isa\isasymequiv,
+which can be used to define constants.
+
+\subsection{The Universal Introduction Rule}
+
+Returning to the universal quantifier, we find that having a similar quantifier
+as part of the meta-logic makes the introduction rule trivial to express:
+\begin{isabelle}
+(\isasymAnd x.\ ?P\ x)\ \isasymLongrightarrow\ {\isasymforall}x.\ ?P\ x\rulenamedx{allI}
+\end{isabelle}
+
+
+The following trivial proof demonstrates how the universal introduction
+rule works.
+\begin{isabelle}
+\isacommand{lemma}\ "{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ x"\isanewline
+\isacommand{apply}\ (rule\ allI)\isanewline
+\isacommand{by}\ (rule\ impI)
+\end{isabelle}
+The first step invokes the rule by applying the method \isa{rule allI}.
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ P\ x\ \isasymlongrightarrow\ P\ x
+\end{isabelle}
+Note that the resulting proof state has a bound variable,
+namely~\isa{x}. The rule has replaced the universal quantifier of
+higher-order logic by Isabelle's meta-level quantifier. Our goal is to
+prove
+\isa{P\ x\ \isasymlongrightarrow\ P\ x} for arbitrary~\isa{x}; it is
+an implication, so we apply the corresponding introduction rule (\isa{impI}).
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow\ P\ x
+\end{isabelle}
+This last subgoal is implicitly proved by assumption.
+
+\subsection{The Universal Elimination Rule}
+
+Now consider universal elimination. In a logic text,
+the rule looks like this:
+\[ \infer{P[t/x]}{\forall x.\,P} \]
+The conclusion is $P$ with $t$ substituted for the variable~$x$.
+Isabelle expresses substitution using a function variable:
+\begin{isabelle}
+{\isasymforall}x.\ ?P\ x\ \isasymLongrightarrow\ ?P\ ?x\rulenamedx{spec}
+\end{isabelle}
+This destruction rule takes a
+universally quantified formula and removes the quantifier, replacing
+the bound variable \isa{x} by the schematic variable \isa{?x}. Recall that a
+schematic variable starts with a question mark and acts as a
+placeholder: it can be replaced by any term.
+
+The universal elimination rule is also
+available in the standard elimination format. Like \isa{conjE}, it never
+appears in logic books:
+\begin{isabelle}
+\isasymlbrakk \isasymforall x.\ ?P\ x;\ ?P\ ?x\ \isasymLongrightarrow \ ?R\isasymrbrakk \ \isasymLongrightarrow \ ?R%
+\rulenamedx{allE}
+\end{isabelle}
+The methods \isa{drule~spec} and \isa{erule~allE} do precisely the
+same inference.
+
+To see how $\forall$-elimination works, let us derive a rule about reducing
+the scope of a universal quantifier. In mathematical notation we write
+\[ \infer{P\imp\forall x.\,Q}{\forall x.\,P\imp Q} \]
+with the proviso ``$x$ not free in~$P$.'' Isabelle's treatment of
+substitution makes the proviso unnecessary. The conclusion is expressed as
+\isa{P\
+\isasymlongrightarrow\ ({\isasymforall}x.\ Q\ x)}. No substitution for the
+variable \isa{P} can introduce a dependence upon~\isa{x}: that would be a
+bound variable capture. Let us walk through the proof.
+\begin{isabelle}
+\isacommand{lemma}\ "(\isasymforall x.\ P\ \isasymlongrightarrow \ Q\ x)\
+\isasymLongrightarrow \ P\ \isasymlongrightarrow \ (\isasymforall x.\ Q\
+x)"
+\end{isabelle}
+First we apply implies introduction (\isa{impI}),
+which moves the \isa{P} from the conclusion to the assumptions. Then
+we apply universal introduction (\isa{allI}).
+\begin{isabelle}
+\isacommand{apply}\ (rule\ impI,\ rule\ allI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymforall}x.\ P\ \isasymlongrightarrow\ Q\
+x;\ P\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
+\end{isabelle}
+As before, it replaces the HOL
+quantifier by a meta-level quantifier, producing a subgoal that
+binds the variable~\isa{x}. The leading bound variables
+(here \isa{x}) and the assumptions (here \isa{{\isasymforall}x.\ P\
+\isasymlongrightarrow\ Q\ x} and \isa{P}) form the \textbf{context} for the
+conclusion, here \isa{Q\ x}. Subgoals inherit the context,
+although assumptions can be added or deleted (as we saw
+earlier), while rules such as \isa{allI} add bound variables.
+
+Now, to reason from the universally quantified
+assumption, we apply the elimination rule using the \isa{drule}
+method. This rule is called \isa{spec} because it specializes a universal formula
+to a particular term.
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ P\ \isasymlongrightarrow\ Q\ (?x2\
+x)\isasymrbrakk\ \isasymLongrightarrow\ Q\ x
+\end{isabelle}
+Observe how the context has changed. The quantified formula is gone,
+replaced by a new assumption derived from its body. We have
+removed the quantifier and replaced the bound variable
+by the curious term
+\isa{?x2~x}. This term is a placeholder: it may become any term that can be
+built from~\isa{x}. (Formally, \isa{?x2} is an unknown of function type, applied
+to the argument~\isa{x}.) This new assumption is an implication, so we can use
+\emph{modus ponens} on it, which concludes the proof.
+\begin{isabelle}
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+Let us take a closer look at this last step. \emph{Modus ponens} yields
+two subgoals: one where we prove the antecedent (in this case \isa{P}) and
+one where we may assume the consequent. Both of these subgoals are proved
+by the
+\isa{assumption} method, which is implicit in the
+\isacommand{by} command. Replacing the \isacommand{by} command by
+\isa{\isacommand{apply} (drule\ mp, assumption)} would have left one last
+subgoal:
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ \isasymlbrakk P;\ Q\ (?x2\ x)\isasymrbrakk\
+\isasymLongrightarrow\ Q\ x
+\end{isabelle}
+The consequent is \isa{Q} applied to that placeholder. It may be replaced by any
+term built from~\isa{x}, and here
+it should simply be~\isa{x}. The assumption need not
+be identical to the conclusion, provided the two formulas are unifiable.%
+\index{quantifiers!universal|)}
+
+
+\subsection{The Existential Quantifier}
+
+\index{quantifiers!existential|(}%
+The concepts just presented also apply
+to the existential quantifier, whose introduction rule looks like this in
+Isabelle:
+\begin{isabelle}
+?P\ ?x\ \isasymLongrightarrow\ {\isasymexists}x.\ ?P\ x\rulenamedx{exI}
+\end{isabelle}
+If we can exhibit some $x$ such that $P(x)$ is true, then $\exists x.
+P(x)$ is also true. It is a dual of the universal elimination rule, and
+logic texts present it using the same notation for substitution.
+
+The existential
+elimination rule looks like this
+in a logic text:
+\[ \infer{Q}{\exists x.\,P & \infer*{Q}{[P]}} \]
+%
+It looks like this in Isabelle:
+\begin{isabelle}
+\isasymlbrakk{\isasymexists}x.\ ?P\ x;\ \isasymAnd x.\ ?P\ x\ \isasymLongrightarrow\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?Q\rulenamedx{exE}
+\end{isabelle}
+%
+Given an existentially quantified theorem and some
+formula $Q$ to prove, it creates a new assumption by removing the quantifier. As with
+the universal introduction rule, the textbook version imposes a proviso on the
+quantified variable, which Isabelle expresses using its meta-logic. It is
+enough to have a universal quantifier in the meta-logic; we do not need an existential
+quantifier to be built in as well.
+
+
+\begin{exercise}
+Prove the lemma
+\[ \exists x.\, P\conj Q(x)\Imp P\conj(\exists x.\, Q(x)). \]
+\emph{Hint}: the proof is similar
+to the one just above for the universal quantifier.
+\end{exercise}
+\index{quantifiers!existential|)}
+
+
+\subsection{Renaming a Bound Variable: {\tt\slshape rename_tac}}
+
+\index{assumptions!renaming|(}\index{*rename_tac (method)|(}%
+When you apply a rule such as \isa{allI}, the quantified variable
+becomes a new bound variable of the new subgoal. Isabelle tries to avoid
+changing its name, but sometimes it has to choose a new name in order to
+avoid a clash. The result may not be ideal:
+\begin{isabelle}
+\isacommand{lemma}\ "x\ <\ y\ \isasymLongrightarrow \ \isasymforall x\ y.\ P\ x\
+(f\ y)"\isanewline
+\isacommand{apply}\ (intro allI)\isanewline
+\ 1.\ \isasymAnd xa\ ya.\ x\ <\ y\ \isasymLongrightarrow \ P\ xa\ (f\ ya)
+\end{isabelle}
+%
+The names \isa{x} and \isa{y} were already in use, so the new bound variables are
+called \isa{xa} and~\isa{ya}. You can rename them by invoking \isa{rename_tac}:
+
+\begin{isabelle}
+\isacommand{apply}\ (rename_tac\ v\ w)\isanewline
+\ 1.\ \isasymAnd v\ w.\ x\ <\ y\ \isasymLongrightarrow \ P\ v\ (f\ w)
+\end{isabelle}
+Recall that \isa{rule_tac}\index{*rule_tac (method)!and renaming}
+instantiates a
+theorem with specified terms. These terms may involve the goal's bound
+variables, but beware of referring to variables
+like~\isa{xa}. A future change to your theories could change the set of names
+produced at top level, so that \isa{xa} changes to~\isa{xb} or reverts to~\isa{x}.
+It is safer to rename automatically-generated variables before mentioning them.
+
+If the subgoal has more bound variables than there are names given to
+\isa{rename_tac}, the rightmost ones are renamed.%
+\index{assumptions!renaming|)}\index{*rename_tac (method)|)}
+
+
+\subsection{Reusing an Assumption: {\tt\slshape frule}}
+\label{sec:frule}
+
+\index{assumptions!reusing|(}\index{*frule (method)|(}%
+Note that \isa{drule spec} removes the universal quantifier and --- as
+usual with elimination rules --- discards the original formula. Sometimes, a
+universal formula has to be kept so that it can be used again. Then we use a new
+method: \isa{frule}. It acts like \isa{drule} but copies rather than replaces
+the selected assumption. The \isa{f} is for \emph{forward}.
+
+In this example, going from \isa{P\ a} to \isa{P(h(h~a))}
+requires two uses of the quantified assumption, one for each~\isa{h}
+in~\isa{h(h~a)}.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);
+\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P(h\ (h\ a))"
+\end{isabelle}
+%
+Examine the subgoal left by \isa{frule}:
+\begin{isabelle}
+\isacommand{apply}\ (frule\ spec)\isanewline
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ ?x\ \isasymlongrightarrow\ P\ (h\ ?x)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+It is what \isa{drule} would have left except that the quantified
+assumption is still present. Next we apply \isa{mp} to the
+implication and the assumption~\isa{P\ a}:
+\begin{isabelle}
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\ x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+%
+We have created the assumption \isa{P(h\ a)}, which is progress. To
+continue the proof, we apply \isa{spec} again. We shall not need it
+again, so we can use
+\isa{drule}.
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ ?x2\
+\isasymlongrightarrow \ P\ (h\ ?x2)\isasymrbrakk \ \isasymLongrightarrow \
+P\ (h\ (h\ a))
+\end{isabelle}
+%
+The new assumption bridges the gap between \isa{P(h\ a)} and \isa{P(h(h\ a))}.
+\begin{isabelle}
+\isacommand{by}\ (drule\ mp)
+\end{isabelle}
+
+\medskip
+\emph{A final remark}. Replacing this \isacommand{by} command with
+\begin{isabelle}
+\isacommand{apply}\ (drule\ mp,\ assumption)
+\end{isabelle}
+would not work: it would add a second copy of \isa{P(h~a)} instead
+of the desired assumption, \isa{P(h(h~a))}. The \isacommand{by}
+command forces Isabelle to backtrack until it finds the correct one.
+Alternatively, we could have used the \isacommand{apply} command and bundled the
+\isa{drule mp} with \emph{two} calls of \isa{assumption}. Or, of course,
+we could have given the entire proof to \isa{auto}.%
+\index{assumptions!reusing|)}\index{*frule (method)|)}
+
+
+
+\subsection{Instantiating a Quantifier Explicitly}
+\index{quantifiers!instantiating}
+
+We can prove a theorem of the form $\exists x.\,P\, x$ by exhibiting a
+suitable term~$t$ such that $P\,t$ is true. Dually, we can use an
+assumption of the form $\forall x.\,P\, x$ to generate a new assumption $P\,t$ for
+a suitable term~$t$. In many cases,
+Isabelle makes the correct choice automatically, constructing the term by
+unification. In other cases, the required term is not obvious and we must
+specify it ourselves. Suitable methods are \isa{rule_tac}, \isa{drule_tac}
+and \isa{erule_tac}.
+
+We have seen (just above, {\S}\ref{sec:frule}) a proof of this lemma:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk \isasymforall x.\ P\ x\
+\isasymlongrightarrow \ P\ (h\ x);\ P\ a\isasymrbrakk \
+\isasymLongrightarrow \ P(h\ (h\ a))"
+\end{isabelle}
+We had reached this subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk{\isasymforall}x.\ P\ x\ \isasymlongrightarrow\ P\ (h\
+x);\ P\ a;\ P\ (h\ a)\isasymrbrakk\ \isasymLongrightarrow\ P\ (h\ (h\ a))
+\end{isabelle}
+%
+The proof requires instantiating the quantified assumption with the
+term~\isa{h~a}.
+\begin{isabelle}
+\isacommand{apply}\ (drule_tac\ x\ =\ "h\ a"\ \isakeyword{in}\
+spec)\isanewline
+\ 1.\ \isasymlbrakk P\ a;\ P\ (h\ a);\ P\ (h\ a)\ \isasymlongrightarrow \
+P\ (h\ (h\ a))\isasymrbrakk \ \isasymLongrightarrow \ P\ (h\ (h\ a))
+\end{isabelle}
+We have forced the desired instantiation.
+
+\medskip
+Existential formulas can be instantiated too. The next example uses the
+\textbf{divides} relation\index{divides relation}
+of number theory:
+\begin{isabelle}
+?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
+\rulename{dvd_def}
+\end{isabelle}
+
+Let us prove that multiplication of natural numbers is monotone with
+respect to the divides relation:
+\begin{isabelle}
+\isacommand{lemma}\ mult_dvd_mono:\ "{\isasymlbrakk}i\ dvd\ m;\ j\ dvd\
+n\isasymrbrakk\ \isasymLongrightarrow\ i*j\ dvd\ (m*n\ ::\ nat)"\isanewline
+\isacommand{apply}\ (simp\ add:\ dvd_def)
+\end{isabelle}
+%
+Unfolding the definition of divides has left this subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk \isasymexists k.\ m\ =\ i\ *\ k;\ \isasymexists k.\ n\
+=\ j\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\
+n\ =\ i\ *\ j\ *\ k
+\end{isabelle}
+%
+Next, we eliminate the two existential quantifiers in the assumptions:
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd k.\ \isasymlbrakk \isasymexists k.\ n\ =\ j\ *\ k;\ m\ =\
+i\ *\ k\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\
+=\ i\ *\ j\ *\ k%
+\isanewline
+\isacommand{apply}\ (erule\ exE)
+\isanewline
+\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
+ka\isasymrbrakk \ \isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\
+*\ j\ *\ k
+\end{isabelle}
+%
+The term needed to instantiate the remaining quantifier is~\isa{k*ka}. But
+\isa{ka} is an automatically-generated name. As noted above, references to
+such variable names makes a proof less resilient to future changes. So,
+first we rename the most recent variable to~\isa{l}:
+\begin{isabelle}
+\isacommand{apply}\ (rename_tac\ l)\isanewline
+\ 1.\ \isasymAnd k\ l.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\ l\isasymrbrakk \
+\isasymLongrightarrow \ \isasymexists k.\ m\ *\ n\ =\ i\ *\ j\ *\ k%
+\end{isabelle}
+
+We instantiate the quantifier with~\isa{k*l}:
+\begin{isabelle}
+\isacommand{apply}\ (rule_tac\ x="k*l"\ \isakeyword{in}\ exI)\ \isanewline
+\ 1.\ \isasymAnd k\ ka.\ \isasymlbrakk m\ =\ i\ *\ k;\ n\ =\ j\ *\
+ka\isasymrbrakk \ \isasymLongrightarrow \ m\ *\ n\ =\ i\
+*\ j\ *\ (k\ *\ ka)
+\end{isabelle}
+%
+The rest is automatic, by arithmetic.
+\begin{isabelle}
+\isacommand{apply}\ simp\isanewline
+\isacommand{done}\isanewline
+\end{isabelle}
+
+
+
+\section{Description Operators}
+\label{sec:SOME}
+
+\index{description operators|(}%
+HOL provides two description operators.
+A \textbf{definite description} formalizes the word ``the,'' as in
+``the greatest divisior of~$n$.''
+It returns an arbitrary value unless the formula has a unique solution.
+An \textbf{indefinite description} formalizes the word ``some,'' as in
+``some member of~$S$.'' It differs from a definite description in not
+requiring the solution to be unique: it uses the axiom of choice to pick any
+solution.
+
+\begin{warn}
+Description operators can be hard to reason about. Novices
+should try to avoid them. Fortunately, descriptions are seldom required.
+\end{warn}
+
+\subsection{Definite Descriptions}
+
+\index{descriptions!definite}%
+A definite description is traditionally written $\iota x. P(x)$. It denotes
+the $x$ such that $P(x)$ is true, provided there exists a unique such~$x$;
+otherwise, it returns an arbitrary value of the expected type.
+Isabelle uses \sdx{THE} for the Greek letter~$\iota$.
+
+%(The traditional notation could be provided, but it is not legible on screen.)
+
+We reason using this rule, where \isa{a} is the unique solution:
+\begin{isabelle}
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
+\isasymLongrightarrow \ (THE\ x.\ P\ x)\ =\ a%
+\rulenamedx{the_equality}
+\end{isabelle}
+For instance, we can define the
+cardinality of a finite set~$A$ to be that
+$n$ such that $A$ is in one-to-one correspondence with $\{1,\ldots,n\}$. We can then
+prove that the cardinality of the empty set is zero (since $n=0$ satisfies the
+description) and proceed to prove other facts.
+
+A more challenging example illustrates how Isabelle/HOL defines the least number
+operator, which denotes the least \isa{x} satisfying~\isa{P}:%
+\index{least number operator|see{\protect\isa{LEAST}}}
+\begin{isabelle}
+(LEAST\ x.\ P\ x)\ = (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\
+P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))
+\end{isabelle}
+%
+Let us prove the analogue of \isa{the_equality} for \sdx{LEAST}\@.
+\begin{isabelle}
+\isacommand{theorem}\ Least_equality:\isanewline
+\ \ \ \ \ "\isasymlbrakk P\ (k::nat);\ \ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ (LEAST\ x.\ P\ x)\ =\ k"\isanewline
+\isacommand{apply}\ (simp\ add:\ Least_def)\isanewline
+\isanewline
+\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ (THE\ x.\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y))\ =\ k%
+\end{isabelle}
+The first step has merely unfolded the definition.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ the_equality)\isanewline
+\isanewline
+\ 1.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\
+\isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ P\ k\ \isasymand \
+(\isasymforall y.\ P\ y\ \isasymlongrightarrow \ k\ \isasymle \ y)\isanewline
+\ 2.\ \isasymAnd x.\ \isasymlbrakk P\ k;\ \isasymforall x.\ P\ x\ \isasymlongrightarrow \ k\ \isasymle \ x;\ P\ x\ \isasymand \ (\isasymforall y.\ P\ y\ \isasymlongrightarrow \ x\ \isasymle \ y)\isasymrbrakk \isanewline
+\ \ \ \ \ \ \ \ \isasymLongrightarrow \ x\ =\ k%
+\end{isabelle}
+As always with \isa{the_equality}, we must show existence and
+uniqueness of the claimed solution,~\isa{k}. Existence, the first
+subgoal, is trivial. Uniqueness, the second subgoal, follows by antisymmetry:
+\begin{isabelle}
+\isasymlbrakk x\ \isasymle \ y;\ y\ \isasymle \ x\isasymrbrakk \ \isasymLongrightarrow \ x\ =\ y%
+\rulename{order_antisym}
+\end{isabelle}
+The assumptions imply both \isa{k~\isasymle~x} and \isa{x~\isasymle~k}. One
+call to \isa{auto} does it all:
+\begin{isabelle}
+\isacommand{by}\ (auto\ intro:\ order_antisym)
+\end{isabelle}
+
+
+\subsection{Indefinite Descriptions}
+
+\index{Hilbert's $\varepsilon$-operator}%
+\index{descriptions!indefinite}%
+An indefinite description is traditionally written $\varepsilon x. P(x)$ and is
+known as Hilbert's $\varepsilon$-operator. It denotes
+some $x$ such that $P(x)$ is true, provided one exists.
+Isabelle uses \sdx{SOME} for the Greek letter~$\varepsilon$.
+
+Here is the definition of~\cdx{inv},\footnote{In fact, \isa{inv} is defined via a second constant \isa{inv_into}, which we ignore here.} which expresses inverses of
+functions:
+\begin{isabelle}
+inv\ f\ \isasymequiv \ \isasymlambda y.\ SOME\ x.\ f\ x\ =\ y%
+\rulename{inv_def}
+\end{isabelle}
+Using \isa{SOME} rather than \isa{THE} makes \isa{inv~f} behave well
+even if \isa{f} is not injective. As it happens, most useful theorems about
+\isa{inv} do assume the function to be injective.
+
+The inverse of \isa{f}, when applied to \isa{y}, returns some~\isa{x} such that
+\isa{f~x~=~y}. For example, we can prove \isa{inv~Suc} really is the inverse
+of the \isa{Suc} function
+\begin{isabelle}
+\isacommand{lemma}\ "inv\ Suc\ (Suc\ n)\ =\ n"\isanewline
+\isacommand{by}\ (simp\ add:\ inv_def)
+\end{isabelle}
+
+\noindent
+The proof is a one-liner: the subgoal simplifies to a degenerate application of
+\isa{SOME}, which is then erased. In detail, the left-hand side simplifies
+to \isa{SOME\ x.\ Suc\ x\ =\ Suc\ n}, then to \isa{SOME\ x.\ x\ =\ n} and
+finally to~\isa{n}.
+
+We know nothing about what
+\isa{inv~Suc} returns when applied to zero. The proof above still treats
+\isa{SOME} as a definite description, since it only reasons about
+situations in which the value is described uniquely. Indeed, \isa{SOME}
+satisfies this rule:
+\begin{isabelle}
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ x\ =\ a\isasymrbrakk \
+\isasymLongrightarrow \ (SOME\ x.\ P\ x)\ =\ a%
+\rulenamedx{some_equality}
+\end{isabelle}
+To go further is
+tricky and requires rules such as these:
+\begin{isabelle}
+P\ x\ \isasymLongrightarrow \ P\ (SOME\ x.\ P\ x)
+\rulenamedx{someI}\isanewline
+\isasymlbrakk P\ a;\ \isasymAnd x.\ P\ x\ \isasymLongrightarrow \ Q\
+x\isasymrbrakk \ \isasymLongrightarrow \ Q\ (SOME\ x.\ P\ x)
+\rulenamedx{someI2}
+\end{isabelle}
+Rule \isa{someI} is basic: if anything satisfies \isa{P} then so does
+\hbox{\isa{SOME\ x.\ P\ x}}. The repetition of~\isa{P} in the conclusion makes it
+difficult to apply in a backward proof, so the derived rule \isa{someI2} is
+also provided.
+
+\medskip
+For example, let us prove the \rmindex{axiom of choice}:
+\begin{isabelle}
+\isacommand{theorem}\ axiom_of_choice:
+\ "(\isasymforall x.\ \isasymexists y.\ P\ x\ y)\ \isasymLongrightarrow \
+\isasymexists f.\ \isasymforall x.\ P\ x\ (f\ x)"\isanewline
+\isacommand{apply}\ (rule\ exI,\ rule\ allI)\isanewline
+
+\ 1.\ \isasymAnd x.\ \isasymforall x.\ \isasymexists y.\ P\ x\ y\
+\isasymLongrightarrow \ P\ x\ (?f\ x)
+\end{isabelle}
+%
+We have applied the introduction rules; now it is time to apply the elimination
+rules.
+
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec,\ erule\ exE)\isanewline
+
+\ 1.\ \isasymAnd x\ y.\ P\ (?x2\ x)\ y\ \isasymLongrightarrow \ P\ x\ (?f\ x)
+\end{isabelle}
+
+\noindent
+The rule \isa{someI} automatically instantiates
+\isa{f} to \hbox{\isa{\isasymlambda x.\ SOME y.\ P\ x\ y}}, which is the choice
+function. It also instantiates \isa{?x2\ x} to \isa{x}.
+\begin{isabelle}
+\isacommand{by}\ (rule\ someI)\isanewline
+\end{isabelle}
+
+\subsubsection{Historical Note}
+The original purpose of Hilbert's $\varepsilon$-operator was to express an
+existential destruction rule:
+\[ \infer{P[(\varepsilon x. P) / \, x]}{\exists x.\,P} \]
+This rule is seldom used for that purpose --- it can cause exponential
+blow-up --- but it is occasionally used as an introduction rule
+for the~$\varepsilon$-operator. Its name in HOL is \tdxbold{someI_ex}.%%
+\index{description operators|)}
+
+
+\section{Some Proofs That Fail}
+
+\index{proofs!examples of failing|(}%
+Most of the examples in this tutorial involve proving theorems. But not every
+conjecture is true, and it can be instructive to see how
+proofs fail. Here we attempt to prove a distributive law involving
+the existential quantifier and conjunction.
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymexists}x.\ P\ x)\ \isasymand\
+({\isasymexists}x.\ Q\ x)\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\
+\isasymand\ Q\ x"
+\end{isabelle}
+The first steps are routine. We apply conjunction elimination to break
+the assumption into two existentially quantified assumptions.
+Applying existential elimination removes one of the quantifiers.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ conjE)\isanewline
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk{\isasymexists}x.\ Q\ x;\ P\ x\isasymrbrakk\ \isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+%
+When we remove the other quantifier, we get a different bound
+variable in the subgoal. (The name \isa{xa} is generated automatically.)
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ {\isasymexists}x.\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+The proviso of the existential elimination rule has forced the variables to
+differ: we can hardly expect two arbitrary values to be equal! There is
+no way to prove this subgoal. Removing the
+conclusion's existential quantifier yields two
+identical placeholders, which can become any term involving the variables \isa{x}
+and~\isa{xa}. We need one to become \isa{x}
+and the other to become~\isa{xa}, but Isabelle requires all instances of a
+placeholder to be identical.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\isacommand{apply}\ (rule\ conjI)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ P\ (?x3\ x\ xa)\isanewline
+\ 2.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\ \isasymLongrightarrow\ Q\ (?x3\ x\ xa)
+\end{isabelle}
+We can prove either subgoal
+using the \isa{assumption} method. If we prove the first one, the placeholder
+changes into~\isa{x}.
+\begin{isabelle}
+\ \isacommand{apply}\ assumption\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P\ x;\ Q\ xa\isasymrbrakk\
+\isasymLongrightarrow\ Q\ x
+\end{isabelle}
+We are left with a subgoal that cannot be proved. Applying the \isa{assumption}
+method results in an error message:
+\begin{isabelle}
+*** empty result sequence -- proof command failed
+\end{isabelle}
+When interacting with Isabelle via the shell interface,
+you can abandon a proof using the \isacommand{oops} command.
+
+\medskip
+
+Here is another abortive proof, illustrating the interaction between
+bound variables and unknowns.
+If $R$ is a reflexive relation,
+is there an $x$ such that $R\,x\,y$ holds for all $y$? Let us see what happens when
+we attempt to prove it.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymforall y.\ R\ y\ y\ \isasymLongrightarrow
+\ \isasymexists x.\ \isasymforall y.\ R\ x\ y"
+\end{isabelle}
+First, we remove the existential quantifier. The new proof state has an
+unknown, namely~\isa{?x}.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\ 1.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ \isasymforall y.\ R\ ?x\ y%
+\end{isabelle}
+It looks like we can just apply \isa{assumption}, but it fails. Isabelle
+refuses to substitute \isa{y}, a bound variable, for~\isa{?x}; that would be
+a bound variable capture. We can still try to finish the proof in some
+other way. We remove the universal quantifier from the conclusion, moving
+the bound variable~\isa{y} into the subgoal. But note that it is still
+bound!
+\begin{isabelle}
+\isacommand{apply}\ (rule\ allI)\isanewline
+\ 1.\ \isasymAnd y.\ \isasymforall y.\ R\ y\ y\ \isasymLongrightarrow \ R\ ?x\ y%
+\end{isabelle}
+Finally, we try to apply our reflexivity assumption. We obtain a
+new assumption whose identical placeholders may be replaced by
+any term involving~\isa{y}.
+\begin{isabelle}
+\isacommand{apply}\ (drule\ spec)\isanewline
+\ 1.\ \isasymAnd y.\ R\ (?z2\ y)\ (?z2\ y)\ \isasymLongrightarrow\ R\ ?x\ y
+\end{isabelle}
+This subgoal can only be proved by putting \isa{y} for all the placeholders,
+making the assumption and conclusion become \isa{R\ y\ y}. Isabelle can
+replace \isa{?z2~y} by \isa{y}; this involves instantiating
+\isa{?z2} to the identity function. But, just as two steps earlier,
+Isabelle refuses to substitute~\isa{y} for~\isa{?x}.
+This example is typical of how Isabelle enforces sound quantifier reasoning.
+\index{proofs!examples of failing|)}
+
+\section{Proving Theorems Using the {\tt\slshape blast} Method}
+
+\index{*blast (method)|(}%
+It is hard to prove many theorems using the methods
+described above. A proof may be hundreds of steps long. You
+may need to search among different ways of proving certain
+subgoals. Often a choice that proves one subgoal renders another
+impossible to prove. There are further complications that we have not
+discussed, concerning negation and disjunction. Isabelle's
+\textbf{classical reasoner} is a family of tools that perform such
+proofs automatically. The most important of these is the
+\isa{blast} method.
+
+In this section, we shall first see how to use the classical
+reasoner in its default mode and then how to insert additional
+rules, enabling it to work in new problem domains.
+
+ We begin with examples from pure predicate logic. The following
+example is known as Andrew's challenge. Peter Andrews designed
+it to be hard to prove by automatic means.
+It is particularly hard for a resolution prover, where
+converting the nested biconditionals to
+clause form produces a combinatorial
+explosion~\cite{pelletier86}. However, the
+\isa{blast} method proves it in a fraction of a second.
+\begin{isabelle}
+\isacommand{lemma}\
+"(({\isasymexists}x.\
+{\isasymforall}y.\
+p(x){=}p(y))\
+=\
+(({\isasymexists}x.\
+q(x))=({\isasymforall}y.\
+p(y))))\
+\ \ =\ \ \ \ \isanewline
+\ \ \ \ \ \ \ \
+(({\isasymexists}x.\
+{\isasymforall}y.\
+q(x){=}q(y))\ =\ (({\isasymexists}x.\ p(x))=({\isasymforall}y.\ q(y))))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+The next example is a logic problem composed by Lewis Carroll.
+The \isa{blast} method finds it trivial. Moreover, it turns out
+that not all of the assumptions are necessary. We can
+experiment with variations of this formula and see which ones
+can be proved.
+\begin{isabelle}
+\isacommand{lemma}\
+"({\isasymforall}x.\
+honest(x)\ \isasymand\
+industrious(x)\ \isasymlongrightarrow\
+healthy(x))\
+\isasymand\ \ \isanewline
+\ \ \ \ \ \ \ \ \isasymnot\ ({\isasymexists}x.\
+grocer(x)\ \isasymand\
+healthy(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+industrious(x)\ \isasymand\
+grocer(x)\ \isasymlongrightarrow\
+honest(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+cyclist(x)\ \isasymlongrightarrow\
+industrious(x))\
+\isasymand\ \isanewline
+\ \ \ \ \ \ \ \ ({\isasymforall}x.\
+{\isasymnot}healthy(x)\ \isasymand\
+cyclist(x)\ \isasymlongrightarrow\
+{\isasymnot}honest(x))\
+\ \isanewline
+\ \ \ \ \ \ \ \ \isasymlongrightarrow\
+({\isasymforall}x.\
+grocer(x)\ \isasymlongrightarrow\
+{\isasymnot}cyclist(x))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+The \isa{blast} method is also effective for set theory, which is
+described in the next chapter. The formula below may look horrible, but
+the \isa{blast} method proves it in milliseconds.
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymUnion}i{\isasymin}I.\ A(i))\ \isasyminter\ ({\isasymUnion}j{\isasymin}J.\ B(j))\ =\isanewline
+\ \ \ \ \ \ \ \ ({\isasymUnion}i{\isasymin}I.\ {\isasymUnion}j{\isasymin}J.\ A(i)\ \isasyminter\ B(j))"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+Few subgoals are couched purely in predicate logic and set theory.
+We can extend the scope of the classical reasoner by giving it new rules.
+Extending it effectively requires understanding the notions of
+introduction, elimination and destruction rules. Moreover, there is a
+distinction between safe and unsafe rules. A
+\textbf{safe}\indexbold{safe rules} rule is one that can be applied
+backwards without losing information; an
+\textbf{unsafe}\indexbold{unsafe rules} rule loses information, perhaps
+transforming the subgoal into one that cannot be proved. The safe/unsafe
+distinction affects the proof search: if a proof attempt fails, the
+classical reasoner backtracks to the most recent unsafe rule application
+and makes another choice.
+
+An important special case avoids all these complications. A logical
+equivalence, which in higher-order logic is an equality between
+formulas, can be given to the classical
+reasoner and simplifier by using the attribute \attrdx{iff}. You
+should do so if the right hand side of the equivalence is
+simpler than the left-hand side.
+
+For example, here is a simple fact about list concatenation.
+The result of appending two lists is empty if and only if both
+of the lists are themselves empty. Obviously, applying this equivalence
+will result in a simpler goal. When stating this lemma, we include
+the \attrdx{iff} attribute. Once we have proved the lemma, Isabelle
+will make it known to the classical reasoner (and to the simplifier).
+\begin{isabelle}
+\isacommand{lemma}\
+[iff]:\ "(xs{\isacharat}ys\ =\ [])\ =\
+(xs=[]\ \isasymand\ ys=[])"\isanewline
+\isacommand{apply}\ (induct_tac\ xs)\isanewline
+\isacommand{apply}\ (simp_all)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+This fact about multiplication is also appropriate for
+the \attrdx{iff} attribute:
+\begin{isabelle}
+(\mbox{?m}\ *\ \mbox{?n}\ =\ 0)\ =\ (\mbox{?m}\ =\ 0\ \isasymor\ \mbox{?n}\ =\ 0)
+\end{isabelle}
+A product is zero if and only if one of the factors is zero. The
+reasoning involves a disjunction. Proving new rules for
+disjunctive reasoning is hard, but translating to an actual disjunction
+works: the classical reasoner handles disjunction properly.
+
+In more detail, this is how the \attrdx{iff} attribute works. It converts
+the equivalence $P=Q$ to a pair of rules: the introduction
+rule $Q\Imp P$ and the destruction rule $P\Imp Q$. It gives both to the
+classical reasoner as safe rules, ensuring that all occurrences of $P$ in
+a subgoal are replaced by~$Q$. The simplifier performs the same
+replacement, since \isa{iff} gives $P=Q$ to the
+simplifier.
+
+Classical reasoning is different from
+simplification. Simplification is deterministic. It applies rewrite rules
+repeatedly, as long as possible, transforming a goal into another goal. Classical
+reasoning uses search and backtracking in order to prove a goal outright.%
+\index{*blast (method)|)}%
+
+
+\section{Other Classical Reasoning Methods}
+
+The \isa{blast} method is our main workhorse for proving theorems
+automatically. Other components of the classical reasoner interact
+with the simplifier. Still others perform classical reasoning
+to a limited extent, giving the user fine control over the proof.
+
+Of the latter methods, the most useful is
+\methdx{clarify}.
+It performs
+all obvious reasoning steps without splitting the goal into multiple
+parts. It does not apply unsafe rules that could render the
+goal unprovable. By performing the obvious
+steps, \isa{clarify} lays bare the difficult parts of the problem,
+where human intervention is necessary.
+
+For example, the following conjecture is false:
+\begin{isabelle}
+\isacommand{lemma}\ "({\isasymforall}x.\ P\ x)\ \isasymand\
+({\isasymexists}x.\ Q\ x)\ \isasymlongrightarrow\ ({\isasymforall}x.\ P\ x\
+\isasymand\ Q\ x)"\isanewline
+\isacommand{apply}\ clarify
+\end{isabelle}
+The \isa{blast} method would simply fail, but \isa{clarify} presents
+a subgoal that helps us see why we cannot continue the proof.
+\begin{isabelle}
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk{\isasymforall}x.\ P\ x;\ Q\
+xa\isasymrbrakk\ \isasymLongrightarrow\ P\ x\ \isasymand\ Q\ x
+\end{isabelle}
+The proof must fail because the assumption \isa{Q\ xa} and conclusion \isa{Q\ x}
+refer to distinct bound variables. To reach this state, \isa{clarify} applied
+the introduction rules for \isa{\isasymlongrightarrow} and \isa{\isasymforall}
+and the elimination rule for \isa{\isasymand}. It did not apply the introduction
+rule for \isa{\isasymand} because of its policy never to split goals.
+
+Also available is \methdx{clarsimp}, a method
+that interleaves \isa{clarify} and \isa{simp}. Also there is \methdx{safe},
+which like \isa{clarify} performs obvious steps but even applies those that
+split goals.
+
+The \methdx{force} method applies the classical
+reasoner and simplifier to one goal.
+Unless it can prove the goal, it fails. Contrast
+that with the \isa{auto} method, which also combines classical reasoning
+with simplification. The latter's purpose is to prove all the
+easy subgoals and parts of subgoals. Unfortunately, it can produce
+large numbers of new subgoals; also, since it proves some subgoals
+and splits others, it obscures the structure of the proof tree.
+The \isa{force} method does not have these drawbacks. Another
+difference: \isa{force} tries harder than {\isa{auto}} to prove
+its goal, so it can take much longer to terminate.
+
+Older components of the classical reasoner have largely been
+superseded by \isa{blast}, but they still have niche applications.
+Most important among these are \isa{fast} and \isa{best}. While \isa{blast}
+searches for proofs using a built-in first-order reasoner, these
+earlier methods search for proofs using standard Isabelle inference.
+That makes them slower but enables them to work in the
+presence of the more unusual features of Isabelle rules, such
+as type classes and function unknowns. For example, recall the introduction rule
+for Hilbert's $\varepsilon$-operator:
+\begin{isabelle}
+?P\ ?x\ \isasymLongrightarrow\ ?P\ (SOME\ x.\ ?P x)
+\rulename{someI}
+\end{isabelle}
+%
+The repeated occurrence of the variable \isa{?P} makes this rule tricky
+to apply. Consider this contrived example:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\isanewline
+\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ P\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)\
+\isasymand\ Q\ (SOME\ x.\ P\ x\ \isasymand\ Q\ x)"\isanewline
+\isacommand{apply}\ (rule\ someI)
+\end{isabelle}
+%
+We can apply rule \isa{someI} explicitly. It yields the
+following subgoal:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk Q\ a;\ P\ a\isasymrbrakk\ \isasymLongrightarrow\ P\ ?x\
+\isasymand\ Q\ ?x%
+\end{isabelle}
+The proof from this point is trivial. Could we have
+proved the theorem with a single command? Not using \isa{blast}: it
+cannot perform the higher-order unification needed here. The
+\methdx{fast} method succeeds:
+\begin{isabelle}
+\isacommand{apply}\ (fast\ intro!:\ someI)
+\end{isabelle}
+
+The \methdx{best} method is similar to
+\isa{fast} but it uses a best-first search instead of depth-first search.
+Accordingly, it is slower but is less susceptible to divergence.
+Transitivity rules usually cause \isa{fast} to loop where \isa{best}
+can often manage.
+
+Here is a summary of the classical reasoning methods:
+\begin{itemize}
+\item \methdx{blast} works automatically and is the fastest
+
+\item \methdx{clarify} and \methdx{clarsimp} perform obvious steps without
+splitting the goal; \methdx{safe} even splits goals
+
+\item \methdx{force} uses classical reasoning and simplification to prove a goal;
+ \methdx{auto} is similar but leaves what it cannot prove
+
+\item \methdx{fast} and \methdx{best} are legacy methods that work well with rules
+involving unusual features
+\end{itemize}
+A table illustrates the relationships among four of these methods.
+\begin{center}
+\begin{tabular}{r|l|l|}
+ & no split & split \\ \hline
+ no simp & \methdx{clarify} & \methdx{safe} \\ \hline
+ simp & \methdx{clarsimp} & \methdx{auto} \\ \hline
+\end{tabular}
+\end{center}
+
+\section{Finding More Theorems}
+\label{sec:find2}
+\input{find2.tex}
+
+
+\section{Forward Proof: Transforming Theorems}\label{sec:forward}
+
+\index{forward proof|(}%
+Forward proof means deriving new facts from old ones. It is the
+most fundamental type of proof. Backward proof, by working from goals to
+subgoals, can help us find a difficult proof. But it is
+not always the best way of presenting the proof thus found. Forward
+proof is particularly good for reasoning from the general
+to the specific. For example, consider this distributive law for
+the greatest common divisor:
+\[ k\times\gcd(m,n) = \gcd(k\times m,k\times n)\]
+
+Putting $m=1$ we get (since $\gcd(1,n)=1$ and $k\times1=k$)
+\[ k = \gcd(k,k\times n)\]
+We have derived a new fact; if re-oriented, it might be
+useful for simplification. After re-orienting it and putting $n=1$, we
+derive another useful law:
+\[ \gcd(k,k)=k \]
+Substituting values for variables --- instantiation --- is a forward step.
+Re-orientation works by applying the symmetry of equality to
+an equation, so it too is a forward step.
+
+\subsection{Modifying a Theorem using {\tt\slshape of}, {\tt\slshape where}
+ and {\tt\slshape THEN}}
+
+\label{sec:THEN}
+
+Let us reproduce our examples in Isabelle. Recall that in
+{\S}\ref{sec:fun-simplification} we declared the recursive function
+\isa{gcd}:\index{*gcd (constant)|(}
+\begin{isabelle}
+\isacommand{fun}\ gcd\ ::\ "nat\ \isasymRightarrow \ nat\ \isasymRightarrow \ nat"\ \isakeyword{where}\isanewline
+\ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
+\end{isabelle}
+%
+From this definition, it is possible to prove the distributive law.
+That takes us to the starting point for our example.
+\begin{isabelle}
+?k\ *\ gcd\ ?m\ ?n\ =\ gcd\ (?k\ *\ ?m)\ (?k\ *\ ?n)
+\rulename{gcd_mult_distrib2}
+\end{isabelle}
+%
+The first step in our derivation is to replace \isa{?m} by~1. We instantiate the
+theorem using~\attrdx{of}, which identifies variables in order of their
+appearance from left to right. In this case, the variables are \isa{?k}, \isa{?m}
+and~\isa{?n}. So, the expression
+\hbox{\texttt{[of k 1]}} replaces \isa{?k} by~\isa{k} and \isa{?m}
+by~\isa{1}.
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult_0\ =\ gcd_mult_distrib2\ [of\ k\ 1]
+\end{isabelle}
+%
+The keyword \commdx{lemmas} declares a new theorem, which can be derived
+from an existing one using attributes such as \isa{[of~k~1]}.
+The command
+\isa{thm gcd_mult_0}
+displays the result:
+\begin{isabelle}
+\ \ \ \ \ k\ *\ gcd\ 1\ ?n\ =\ gcd\ (k\ *\ 1)\ (k\ *\ ?n)
+\end{isabelle}
+Something is odd: \isa{k} is an ordinary variable, while \isa{?n}
+is schematic. We did not specify an instantiation
+for \isa{?n}. In its present form, the theorem does not allow
+substitution for \isa{k}. One solution is to avoid giving an instantiation for
+\isa{?k}: instead of a term we can put an underscore~(\isa{_}). For example,
+\begin{isabelle}
+\ \ \ \ \ gcd_mult_distrib2\ [of\ _\ 1]
+\end{isabelle}
+replaces \isa{?m} by~\isa{1} but leaves \isa{?k} unchanged.
+
+An equivalent solution is to use the attribute \isa{where}.
+\begin{isabelle}
+\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1]
+\end{isabelle}
+While \isa{of} refers to
+variables by their position, \isa{where} refers to variables by name. Multiple
+instantiations are separated by~\isa{and}, as in this example:
+\begin{isabelle}
+\ \ \ \ \ gcd\_mult\_distrib2\ [where\ m=1\ and\ k=1]
+\end{isabelle}
+
+We now continue the present example with the version of \isa{gcd_mult_0}
+shown above, which has \isa{k} instead of \isa{?k}.
+Once we have replaced \isa{?m} by~1, we must next simplify
+the theorem \isa{gcd_mult_0}, performing the steps
+$\gcd(1,n)=1$ and $k\times1=k$. The \attrdx{simplified}
+attribute takes a theorem
+and returns the result of simplifying it, with respect to the default
+simplification rules:
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult_1\ =\ gcd_mult_0\
+[simplified]%
+\end{isabelle}
+%
+Again, we display the resulting theorem:
+\begin{isabelle}
+\ \ \ \ \ k\ =\ gcd\ k\ (k\ *\ ?n)
+\end{isabelle}
+%
+To re-orient the equation requires the symmetry rule:
+\begin{isabelle}
+?s\ =\ ?t\
+\isasymLongrightarrow\ ?t\ =\
+?s%
+\rulenamedx{sym}
+\end{isabelle}
+The following declaration gives our equation to \isa{sym}:
+\begin{isabelle}
+\ \ \ \isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_1\ [THEN\ sym]
+\end{isabelle}
+%
+Here is the result:
+\begin{isabelle}
+\ \ \ \ \ gcd\ k\ (k\ *\ ?n)\ =\ k%
+\end{isabelle}
+\isa{THEN~sym}\indexbold{*THEN (attribute)} gives the current theorem to the
+rule \isa{sym} and returns the resulting conclusion. The effect is to
+exchange the two operands of the equality. Typically \isa{THEN} is used
+with destruction rules. Also useful is \isa{THEN~spec}, which removes the
+quantifier from a theorem of the form $\forall x.\,P$, and \isa{THEN~mp},
+which converts the implication $P\imp Q$ into the rule
+$\vcenter{\infer{Q}{P}}$. Similar to \isa{mp} are the following two rules,
+which extract the two directions of reasoning about a boolean equivalence:
+\begin{isabelle}
+\isasymlbrakk?Q\ =\ ?P;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulenamedx{iffD1}%
+\isanewline
+\isasymlbrakk?P\ =\ ?Q;\ ?Q\isasymrbrakk\ \isasymLongrightarrow\ ?P%
+\rulenamedx{iffD2}
+\end{isabelle}
+%
+Normally we would never name the intermediate theorems
+such as \isa{gcd_mult_0} and \isa{gcd_mult_1} but would combine
+the three forward steps:
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_mult\ =\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym]%
+\end{isabelle}
+The directives, or attributes, are processed from left to right. This
+declaration of \isa{gcd_mult} is equivalent to the
+previous one.
+
+Such declarations can make the proof script hard to read. Better
+is to state the new lemma explicitly and to prove it using a single
+\isa{rule} method whose operand is expressed using forward reasoning:
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_mult\ [simp]:\ "gcd\ k\ (k*n)\ =\ k"\isanewline
+\isacommand{by}\ (rule\ gcd_mult_distrib2\ [of\ k\ 1,\ simplified,\ THEN\ sym])
+\end{isabelle}
+Compared with the previous proof of \isa{gcd_mult}, this
+version shows the reader what has been proved. Also, the result will be processed
+in the normal way. In particular, Isabelle generalizes over all variables: the
+resulting theorem will have {\isa{?k}} instead of {\isa{k}}.
+
+At the start of this section, we also saw a proof of $\gcd(k,k)=k$. Here
+is the Isabelle version:\index{*gcd (constant)|)}
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_self\ [simp]:\ "gcd\ k\ k\ =\ k"\isanewline
+\isacommand{by}\ (rule\ gcd_mult\ [of\ k\ 1,\ simplified])
+\end{isabelle}
+
+\begin{warn}
+To give~\isa{of} a nonatomic term, enclose it in quotation marks, as in
+\isa{[of "k*m"]}. The term must not contain unknowns: an
+attribute such as
+\isa{[of "?k*m"]} will be rejected.
+\end{warn}
+
+%Answer is now included in that section! Is a modified version of this
+% exercise worth including? E.g. find a difference between the two ways
+% of substituting.
+%\begin{exercise}
+%In {\S}\ref{sec:subst} the method \isa{subst\ mult_commute} was applied. How
+%can we achieve the same effect using \isa{THEN} with the rule \isa{ssubst}?
+%% answer rule (mult_commute [THEN ssubst])
+%\end{exercise}
+
+\subsection{Modifying a Theorem using {\tt\slshape OF}}
+
+\index{*OF (attribute)|(}%
+Recall that \isa{of} generates an instance of a
+rule by specifying values for its variables. Analogous is \isa{OF}, which
+generates an instance of a rule by specifying facts for its premises.
+
+We again need the divides relation\index{divides relation} of number theory, which
+as we recall is defined by
+\begin{isabelle}
+?m\ dvd\ ?n\ \isasymequiv\ {\isasymexists}k.\ ?n\ =\ ?m\ *\ k
+\rulename{dvd_def}
+\end{isabelle}
+%
+Suppose, for example, that we have proved the following rule.
+It states that if $k$ and $n$ are relatively prime
+and if $k$ divides $m\times n$ then $k$ divides $m$.
+\begin{isabelle}
+\isasymlbrakk gcd ?k ?n {=} 1;\ ?k\ dvd\ ?m * ?n\isasymrbrakk\
+\isasymLongrightarrow\ ?k\ dvd\ ?m
+\rulename{relprime_dvd_mult}
+\end{isabelle}
+We can use \isa{OF} to create an instance of this rule.
+First, we
+prove an instance of its first premise:
+\begin{isabelle}
+\isacommand{lemma}\ relprime\_20\_81:\ "gcd\ 20\ 81\ =\ 1"\isanewline
+\isacommand{by}\ (simp\ add:\ gcd.simps)
+\end{isabelle}
+We have evaluated an application of the \isa{gcd} function by
+simplification. Expression evaluation involving recursive functions is not
+guaranteed to terminate, and it can be slow; Isabelle
+performs arithmetic by rewriting symbolic bit strings. Here,
+however, the simplification takes less than one second. We can
+give this new lemma to \isa{OF}. The expression
+\begin{isabelle}
+\ \ \ \ \ relprime_dvd_mult [OF relprime_20_81]
+\end{isabelle}
+yields the theorem
+\begin{isabelle}
+\ \ \ \ \ 20\ dvd\ (?m\ *\ 81)\ \isasymLongrightarrow\ 20\ dvd\ ?m%
+\end{isabelle}
+%
+\isa{OF} takes any number of operands. Consider
+the following facts about the divides relation:
+\begin{isabelle}
+\isasymlbrakk?k\ dvd\ ?m;\
+?k\ dvd\ ?n\isasymrbrakk\
+\isasymLongrightarrow\ ?k\ dvd\
+?m\ +\ ?n
+\rulename{dvd_add}\isanewline
+?m\ dvd\ ?m%
+\rulename{dvd_refl}
+\end{isabelle}
+Let us supply \isa{dvd_refl} for each of the premises of \isa{dvd_add}:
+\begin{isabelle}
+\ \ \ \ \ dvd_add [OF dvd_refl dvd_refl]
+\end{isabelle}
+Here is the theorem that we have expressed:
+\begin{isabelle}
+\ \ \ \ \ ?k\ dvd\ (?k\ +\ ?k)
+\end{isabelle}
+As with \isa{of}, we can use the \isa{_} symbol to leave some positions
+unspecified:
+\begin{isabelle}
+\ \ \ \ \ dvd_add [OF _ dvd_refl]
+\end{isabelle}
+The result is
+\begin{isabelle}
+\ \ \ \ \ ?k\ dvd\ ?m\ \isasymLongrightarrow\ ?k\ dvd\ ?m\ +\ ?k
+\end{isabelle}
+
+You may have noticed that \isa{THEN} and \isa{OF} are based on
+the same idea, namely to combine two rules. They differ in the
+order of the combination and thus in their effect. We use \isa{THEN}
+typically with a destruction rule to extract a subformula of the current
+theorem. We use \isa{OF} with a list of facts to generate an instance of
+the current theorem.%
+\index{*OF (attribute)|)}
+
+Here is a summary of some primitives for forward reasoning:
+\begin{itemize}
+\item \attrdx{of} instantiates the variables of a rule to a list of terms
+\item \attrdx{OF} applies a rule to a list of theorems
+\item \attrdx{THEN} gives a theorem to a named rule and returns the
+conclusion
+%\item \attrdx{rule_format} puts a theorem into standard form
+% by removing \isa{\isasymlongrightarrow} and~\isa{\isasymforall}
+\item \attrdx{simplified} applies the simplifier to a theorem
+\item \isacommand{lemmas} assigns a name to the theorem produced by the
+attributes above
+\end{itemize}
+
+
+\section{Forward Reasoning in a Backward Proof}
+
+We have seen that the forward proof directives work well within a backward
+proof. There are many ways to achieve a forward style using our existing
+proof methods. We shall also meet some new methods that perform forward
+reasoning.
+
+The methods \isa{drule}, \isa{frule}, \isa{drule_tac}, etc.,
+reason forward from a subgoal. We have seen them already, using rules such as
+\isa{mp} and
+\isa{spec} to operate on formulae. They can also operate on terms, using rules
+such as these:
+\begin{isabelle}
+x\ =\ y\ \isasymLongrightarrow \ f\ x\ =\ f\ y%
+\rulenamedx{arg_cong}\isanewline
+i\ \isasymle \ j\ \isasymLongrightarrow \ i\ *\ k\ \isasymle \ j\ *\ k%
+\rulename{mult_le_mono1}
+\end{isabelle}
+
+For example, let us prove a fact about divisibility in the natural numbers:
+\begin{isabelle}
+\isacommand{lemma}\ "2\ \isasymle \ u\ \isasymLongrightarrow \ u*m\ \isasymnoteq
+\ Suc(u*n)"\isanewline
+\isacommand{apply}\ (intro\ notI)\isanewline
+\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ =\ Suc\ (u\ *\ n)\isasymrbrakk \ \isasymLongrightarrow \ False%
+\end{isabelle}
+%
+The key step is to apply the function \ldots\isa{mod\ u} to both sides of the
+equation
+\isa{u*m\ =\ Suc(u*n)}:\index{*drule_tac (method)}
+\begin{isabelle}
+\isacommand{apply}\ (drule_tac\ f="\isasymlambda x.\ x\ mod\ u"\ \isakeyword{in}\
+arg_cong)\isanewline
+\ 1.\ \isasymlbrakk 2\ \isasymle \ u;\ u\ *\ m\ mod\ u\ =\ Suc\ (u\ *\ n)\ mod\
+u\isasymrbrakk \ \isasymLongrightarrow \ False
+\end{isabelle}
+%
+Simplification reduces the left side to 0 and the right side to~1, yielding the
+required contradiction.
+\begin{isabelle}
+\isacommand{apply}\ (simp\ add:\ mod_Suc)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+Our proof has used a fact about remainder:
+\begin{isabelle}
+Suc\ m\ mod\ n\ =\isanewline
+(if\ Suc\ (m\ mod\ n)\ =\ n\ then\ 0\ else\ Suc\ (m\ mod\ n))
+\rulename{mod_Suc}
+\end{isabelle}
+
+\subsection{The Method {\tt\slshape insert}}
+
+\index{*insert (method)|(}%
+The \isa{insert} method
+inserts a given theorem as a new assumption of all subgoals. This
+already is a forward step; moreover, we may (as always when using a
+theorem) apply
+\isa{of}, \isa{THEN} and other directives. The new assumption can then
+be used to help prove the subgoals.
+
+For example, consider this theorem about the divides relation. The first
+proof step inserts the distributive law for
+\isa{gcd}. We specify its variables as shown.
+\begin{isabelle}
+\isacommand{lemma}\ relprime\_dvd\_mult:\ \isanewline
+\ \ \ \ \ \ "\isasymlbrakk \ gcd\ k\ n\ =\ 1;\ k\ dvd\ m*n\ \isasymrbrakk \ \isasymLongrightarrow \ k\ dvd\ m"\isanewline
+\isacommand{apply}\ (insert\ gcd_mult_distrib2\ [of\ m\ k\ n])
+\end{isabelle}
+In the resulting subgoal, note how the equation has been
+inserted:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ 1;\ k\ dvd\ m\ *\ n;\ m\ *\ gcd\ k\ n\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
+\end{isabelle}
+The next proof step utilizes the assumption \isa{gcd\ k\ n\ =\ 1}
+(note that \isa{Suc\ 0} is another expression for 1):
+\begin{isabelle}
+\isacommand{apply}(simp)\isanewline
+\ 1.\ \isasymlbrakk gcd\ k\ n\ =\ Suc\ 0;\ k\ dvd\ m\ *\ n;\ m\ =\ gcd\ (m\ *\ k)\ (m\ *\ n)\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ k\ dvd\ m%
+\end{isabelle}
+Simplification has yielded an equation for~\isa{m}. The rest of the proof
+is omitted.
+
+\medskip
+Here is another demonstration of \isa{insert}. Division and
+remainder obey a well-known law:
+\begin{isabelle}
+(?m\ div\ ?n)\ *\ ?n\ +\ ?m\ mod\ ?n\ =\ ?m
+\rulename{mod_div_equality}
+\end{isabelle}
+
+We refer to this law explicitly in the following proof:
+\begin{isabelle}
+\isacommand{lemma}\ div_mult_self_is_m:\ \isanewline
+\ \ \ \ \ \ "0{\isacharless}n\ \isasymLongrightarrow\ (m*n)\ div\ n\ =\
+(m::nat)"\isanewline
+\isacommand{apply}\ (insert\ mod_div_equality\ [of\ "m*n"\ n])\isanewline
+\isacommand{apply}\ (simp)\isanewline
+\isacommand{done}
+\end{isabelle}
+The first step inserts the law, specifying \isa{m*n} and
+\isa{n} for its variables. Notice that non-trivial expressions must be
+enclosed in quotation marks. Here is the resulting
+subgoal, with its new assumption:
+\begin{isabelle}
+%0\ \isacharless\ n\ \isasymLongrightarrow\ (m\
+%*\ n)\ div\ n\ =\ m\isanewline
+\ 1.\ \isasymlbrakk0\ \isacharless\
+n;\ \ (m\ *\ n)\ div\ n\ *\ n\ +\ (m\ *\ n)\ mod\ n\
+=\ m\ *\ n\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ (m\ *\ n)\ div\ n\
+=\ m
+\end{isabelle}
+Simplification reduces \isa{(m\ *\ n)\ mod\ n} to zero.
+Then it cancels the factor~\isa{n} on both
+sides of the equation \isa{(m\ *\ n)\ div\ n\ *\ n\ =\ m\ *\ n}, proving the
+theorem.
+
+\begin{warn}
+Any unknowns in the theorem given to \methdx{insert} will be universally
+quantified in the new assumption.
+\end{warn}%
+\index{*insert (method)|)}
+
+\subsection{The Method {\tt\slshape subgoal_tac}}
+
+\index{*subgoal_tac (method)}%
+A related method is \isa{subgoal_tac}, but instead
+of inserting a theorem as an assumption, it inserts an arbitrary formula.
+This formula must be proved later as a separate subgoal. The
+idea is to claim that the formula holds on the basis of the current
+assumptions, to use this claim to complete the proof, and finally
+to justify the claim. It gives the proof
+some structure. If you find yourself generating a complex assumption by a
+long series of forward steps, consider using \isa{subgoal_tac} instead: you can
+state the formula you are aiming for, and perhaps prove it automatically.
+
+Look at the following example.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk(z::int)\ <\ 37;\ 66\ <\ 2*z;\ z*z\
+\isasymnoteq\ 1225;\ Q(34);\ Q(36)\isasymrbrakk\isanewline
+\ \ \ \ \ \ \ \ \,\isasymLongrightarrow\ Q(z)"\isanewline
+\isacommand{apply}\ (subgoal_tac\ "z\ =\ 34\ \isasymor\ z\ =\
+36")\isanewline
+\isacommand{apply}\ blast\isanewline
+\isacommand{apply}\ (subgoal_tac\ "z\ \isasymnoteq\ 35")\isanewline
+\isacommand{apply}\ arith\isanewline
+\isacommand{apply}\ force\isanewline
+\isacommand{done}
+\end{isabelle}
+The first assumption tells us
+that \isa{z} is no greater than~36. The second tells us that \isa{z}
+is at least~34. The third assumption tells us that \isa{z} cannot be 35, since
+$35\times35=1225$. So \isa{z} is either 34 or~36, and since \isa{Q} holds for
+both of those values, we have the conclusion.
+
+The Isabelle proof closely follows this reasoning. The first
+step is to claim that \isa{z} is either 34 or 36. The resulting proof
+state gives us two subgoals:
+\begin{isabelle}
+%\isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\
+%Q\ 34;\ Q\ 36\isasymrbrakk\ \isasymLongrightarrow\ Q\ z\isanewline
+\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36;\isanewline
+\ \ \ \ \ z\ =\ 34\ \isasymor\ z\ =\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ Q\ z\isanewline
+\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36
+\end{isabelle}
+The first subgoal is trivial (\isa{blast}), but for the second Isabelle needs help to eliminate
+the case
+\isa{z}=35. The second invocation of {\isa{subgoal_tac}} leaves two
+subgoals:
+\begin{isabelle}
+\ 1.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\
+1225;\ Q\ 34;\ Q\ 36;\isanewline
+\ \ \ \ \ z\ \isasymnoteq\ 35\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ =\ 34\ \isasymor\ z\ =\ 36\isanewline
+\ 2.\ \isasymlbrakk z\ <\ 37;\ 66\ <\ 2\ *\ z;\ z\ *\ z\ \isasymnoteq\ 1225;\ Q\ 34;\ Q\ 36\isasymrbrakk\isanewline
+\ \ \ \ \isasymLongrightarrow\ z\ \isasymnoteq\ 35
+\end{isabelle}
+
+Assuming that \isa{z} is not 35, the first subgoal follows by linear arithmetic
+(\isa{arith}). For the second subgoal we apply the method \isa{force},
+which proceeds by assuming that \isa{z}=35 and arriving at a contradiction.
+
+
+\medskip
+Summary of these methods:
+\begin{itemize}
+\item \methdx{insert} adds a theorem as a new assumption
+\item \methdx{subgoal_tac} adds a formula as a new assumption and leaves the
+subgoal of proving that formula
+\end{itemize}
+\index{forward proof|)}
+
+
+\section{Managing Large Proofs}
+
+Naturally you should try to divide proofs into manageable parts. Look for lemmas
+that can be proved separately. Sometimes you will observe that they are
+instances of much simpler facts. On other occasions, no lemmas suggest themselves
+and you are forced to cope with a long proof involving many subgoals.
+
+\subsection{Tacticals, or Control Structures}
+
+\index{tacticals|(}%
+If the proof is long, perhaps it at least has some regularity. Then you can
+express it more concisely using \textbf{tacticals}, which provide control
+structures. Here is a proof (it would be a one-liner using
+\isa{blast}, but forget that) that contains a series of repeated
+commands:
+%
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\
+Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \
+\isasymLongrightarrow \ S"\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (drule\ mp,\ assumption)\isanewline
+\isacommand{apply}\ (assumption)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+Each of the three identical commands finds an implication and proves its
+antecedent by assumption. The first one finds \isa{P\isasymlongrightarrow Q} and
+\isa{P}, concluding~\isa{Q}; the second one concludes~\isa{R} and the third one
+concludes~\isa{S}. The final step matches the assumption \isa{S} with the goal to
+be proved.
+
+Suffixing a method with a plus sign~(\isa+)\index{*"+ (tactical)}
+expresses one or more repetitions:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymlongrightarrow Q;\ Q\isasymlongrightarrow R;\ R\isasymlongrightarrow S;\ P\isasymrbrakk \ \isasymLongrightarrow \ S"\isanewline
+\isacommand{by}\ (drule\ mp,\ assumption)+
+\end{isabelle}
+%
+Using \isacommand{by} takes care of the final use of \isa{assumption}. The new
+proof is more concise. It is also more general: the repetitive method works
+for a chain of implications having any length, not just three.
+
+Choice is another control structure. Separating two methods by a vertical
+% we must use ?? rather than "| as the sorting item because somehow the presence
+% of | (even quoted) stops hyperref from putting |hyperpage at the end of the index
+% entry.
+bar~(\isa|)\index{??@\texttt{"|} (tactical)} gives the effect of applying the
+first method, and if that fails, trying the second. It can be combined with
+repetition, when the choice must be made over and over again. Here is a chain of
+implications in which most of the antecedents are proved by assumption, but one is
+proved by arithmetic:
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ x<5\isasymlongrightarrow P;\
+Suc\ x\ <\ 5\isasymrbrakk \ \isasymLongrightarrow \ R"\ \isanewline
+\isacommand{by}\ (drule\ mp,\ (assumption|arith))+
+\end{isabelle}
+The \isa{arith}
+method can prove $x<5$ from $x+1<5$, but it cannot duplicate the effect of
+\isa{assumption}. Therefore, we combine these methods using the choice
+operator.
+
+A postfixed question mark~(\isa?)\index{*"? (tactical)} expresses zero or one
+repetitions of a method. It can also be viewed as the choice between executing a
+method and doing nothing. It is useless at top level but can be valuable
+within other control structures; for example,
+\isa{($m$+)?} performs zero or more repetitions of method~$m$.%
+\index{tacticals|)}
+
+
+\subsection{Subgoal Numbering}
+
+Another problem in large proofs is contending with huge
+subgoals or many subgoals. Induction can produce a proof state that looks
+like this:
+\begin{isabelle}
+\ 1.\ bigsubgoal1\isanewline
+\ 2.\ bigsubgoal2\isanewline
+\ 3.\ bigsubgoal3\isanewline
+\ 4.\ bigsubgoal4\isanewline
+\ 5.\ bigsubgoal5\isanewline
+\ 6.\ bigsubgoal6
+\end{isabelle}
+If each \isa{bigsubgoal} is 15 lines or so, the proof state will be too big to
+scroll through. By default, Isabelle displays at most 10 subgoals. The
+\commdx{pr} command lets you change this limit:
+\begin{isabelle}
+\isacommand{pr}\ 2\isanewline
+\ 1.\ bigsubgoal1\isanewline
+\ 2.\ bigsubgoal2\isanewline
+A total of 6 subgoals...
+\end{isabelle}
+
+\medskip
+All methods apply to the first subgoal.
+Sometimes, not only in a large proof, you may want to focus on some other
+subgoal. Then you should try the commands \isacommand{defer} or \isacommand{prefer}.
+
+In the following example, the first subgoal looks hard, while the others
+look as if \isa{blast} alone could prove them:
+\begin{isabelle}
+\ 1.\ hard\isanewline
+\ 2.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
+\ 3.\ Q\ \isasymLongrightarrow \ Q%
+\end{isabelle}
+%
+The \commdx{defer} command moves the first subgoal into the last position.
+\begin{isabelle}
+\isacommand{defer}\ 1\isanewline
+\ 1.\ \isasymnot \ \isasymnot \ P\ \isasymLongrightarrow \ P\isanewline
+\ 2.\ Q\ \isasymLongrightarrow \ Q\isanewline
+\ 3.\ hard%
+\end{isabelle}
+%
+Now we apply \isa{blast} repeatedly to the easy subgoals:
+\begin{isabelle}
+\isacommand{apply}\ blast+\isanewline
+\ 1.\ hard%
+\end{isabelle}
+Using \isacommand{defer}, we have cleared away the trivial parts of the proof so
+that we can devote attention to the difficult part.
+
+\medskip
+The \commdx{prefer} command moves the specified subgoal into the
+first position. For example, if you suspect that one of your subgoals is
+invalid (not a theorem), then you should investigate that subgoal first. If it
+cannot be proved, then there is no point in proving the other subgoals.
+\begin{isabelle}
+\ 1.\ ok1\isanewline
+\ 2.\ ok2\isanewline
+\ 3.\ doubtful%
+\end{isabelle}
+%
+We decide to work on the third subgoal.
+\begin{isabelle}
+\isacommand{prefer}\ 3\isanewline
+\ 1.\ doubtful\isanewline
+\ 2.\ ok1\isanewline
+\ 3.\ ok2
+\end{isabelle}
+If we manage to prove \isa{doubtful}, then we can work on the other
+subgoals, confident that we are not wasting our time. Finally we revise the
+proof script to remove the \isacommand{prefer} command, since we needed it only to
+focus our exploration. The previous example is different: its use of
+\isacommand{defer} stops trivial subgoals from cluttering the rest of the
+proof. Even there, we should consider proving \isa{hard} as a preliminary
+lemma. Always seek ways to streamline your proofs.
+
+
+\medskip
+Summary:
+\begin{itemize}
+\item the control structures \isa+, \isa? and \isa| help express complicated proofs
+\item the \isacommand{pr} command can limit the number of subgoals to display
+\item the \isacommand{defer} and \isacommand{prefer} commands move a
+subgoal to the last or first position
+\end{itemize}
+
+\begin{exercise}
+Explain the use of \isa? and \isa+ in this proof.
+\begin{isabelle}
+\isacommand{lemma}\ "\isasymlbrakk P\isasymand Q\isasymlongrightarrow R;\ P\isasymlongrightarrow Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ R"\isanewline
+\isacommand{by}\ (drule\ mp,\ (intro conjI)?,\ assumption+)+
+\end{isabelle}
+\end{exercise}
+
+
+
+\section{Proving the Correctness of Euclid's Algorithm}
+\label{sec:proving-euclid}
+
+\index{Euclid's algorithm|(}\index{*gcd (constant)|(}\index{divides relation|(}%
+A brief development will demonstrate the techniques of this chapter,
+including \isa{blast} applied with additional rules. We shall also see
+\isa{case_tac} used to perform a Boolean case split.
+
+Let us prove that \isa{gcd} computes the greatest common
+divisor of its two arguments.
+%
+We use induction: \isa{gcd.induct} is the
+induction rule returned by \isa{fun}. We simplify using
+rules proved in {\S}\ref{sec:fun-simplification}, since rewriting by the
+definition of \isa{gcd} can loop.
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_dvd\_both:\ "(gcd\ m\ n\ dvd\ m)\ \isasymand \ (gcd\ m\ n\ dvd\ n)"
+\end{isabelle}
+The induction formula must be a conjunction. In the
+inductive step, each conjunct establishes the other.
+\begin{isabelle}
+\ 1.\ \isasymAnd m\ n.\ (n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ (}gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n)\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
+\end{isabelle}
+
+The conditional induction hypothesis suggests doing a case
+analysis on \isa{n=0}. We apply \methdx{case_tac} with type
+\isa{bool} --- and not with a datatype, as we have done until now. Since
+\isa{nat} is a datatype, we could have written
+\isa{case_tac~n} instead of \isa{case_tac~"n=0"}. However, the definition
+of \isa{gcd} makes a Boolean decision:
+\begin{isabelle}
+\ \ \ \ "gcd\ m\ n\ =\ (if\ n=0\ then\ m\ else\ gcd\ n\ (m\ mod\ n))"
+\end{isabelle}
+Proofs about a function frequently follow the function's definition, so we perform
+case analysis over the same formula.
+\begin{isabelle}
+\isacommand{apply}\ (case_tac\ "n=0")\isanewline
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n\isanewline
+\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ m\ n\ dvd\ m\ \isasymand \ gcd\ m\ n\ dvd\ n%
+\end{isabelle}
+%
+Simplification leaves one subgoal:
+\begin{isabelle}
+\isacommand{apply}\ (simp_all)\isanewline
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk gcd\ n\ (m\ mod\ n)\ dvd\ n\ \isasymand \ gcd\ n\ (m\ mod\ n)\ dvd\ m\ mod\ n;\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }0\ <\ n\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ gcd\ n\ (m\ mod\ n)\ dvd\ m%
+\end{isabelle}
+%
+Here, we can use \isa{blast}.
+One of the assumptions, the induction hypothesis, is a conjunction.
+The two divides relationships it asserts are enough to prove
+the conclusion, for we have the following theorem at our disposal:
+\begin{isabelle}
+\isasymlbrakk?k\ dvd\ (?m\ mod\ ?n){;}\ ?k\ dvd\ ?n\isasymrbrakk\ \isasymLongrightarrow\ ?k\ dvd\ ?m%
+\rulename{dvd_mod_imp_dvd}
+\end{isabelle}
+%
+This theorem can be applied in various ways. As an introduction rule, it
+would cause backward chaining from the conclusion (namely
+\isa{?k~dvd~?m}) to the two premises, which
+also involve the divides relation. This process does not look promising
+and could easily loop. More sensible is to apply the rule in the forward
+direction; each step would eliminate an occurrence of the \isa{mod} symbol, so the
+process must terminate.
+\begin{isabelle}
+\isacommand{apply}\ (blast\ dest:\ dvd_mod_imp_dvd)\isanewline
+\isacommand{done}
+\end{isabelle}
+Attaching the \attrdx{dest} attribute to \isa{dvd_mod_imp_dvd} tells
+\isa{blast} to use it as destruction rule; that is, in the forward direction.
+
+\medskip
+We have proved a conjunction. Now, let us give names to each of the
+two halves:
+\begin{isabelle}
+\isacommand{lemmas}\ gcd_dvd1\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct1]\isanewline
+\isacommand{lemmas}\ gcd_dvd2\ [iff]\ =\ gcd_dvd_both\ [THEN\ conjunct2]%
+\end{isabelle}
+Here we see \commdx{lemmas}
+used with the \attrdx{iff} attribute, which supplies the new theorems to the
+classical reasoner and the simplifier. Recall that \attrdx{THEN} is
+frequently used with destruction rules; \isa{THEN conjunct1} extracts the
+first half of a conjunctive theorem. Given \isa{gcd_dvd_both} it yields
+\begin{isabelle}
+\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?m1
+\end{isabelle}
+The variable names \isa{?m1} and \isa{?n1} arise because
+Isabelle renames schematic variables to prevent
+clashes. The second \isacommand{lemmas} declaration yields
+\begin{isabelle}
+\ \ \ \ \ gcd\ ?m1\ ?n1\ dvd\ ?n1
+\end{isabelle}
+
+\medskip
+To complete the verification of the \isa{gcd} function, we must
+prove that it returns the greatest of all the common divisors
+of its arguments. The proof is by induction, case analysis and simplification.
+\begin{isabelle}
+\isacommand{lemma}\ gcd\_greatest\ [rule\_format]:\isanewline
+\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
+\end{isabelle}
+%
+The goal is expressed using HOL implication,
+\isa{\isasymlongrightarrow}, because the induction affects the two
+preconditions. The directive \isa{rule_format} tells Isabelle to replace
+each \isa{\isasymlongrightarrow} by \isa{\isasymLongrightarrow} before
+storing the eventual theorem. This directive can also remove outer
+universal quantifiers, converting the theorem into the usual format for
+inference rules. It can replace any series of applications of
+\isa{THEN} to the rules \isa{mp} and \isa{spec}. We did not have to
+write this:
+\begin{isabelle}
+\isacommand{lemma}\ gcd_greatest\
+[THEN mp, THEN mp]:\isanewline
+\ \ \ \ \ \ "k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n"
+\end{isabelle}
+
+Because we are again reasoning about \isa{gcd}, we perform the same
+induction and case analysis as in the previous proof:
+\begingroup\samepage
+\begin{isabelle}
+\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ \ }n\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n\isanewline
+\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk n\ \isasymnoteq \ 0\ \isasymLongrightarrow \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \isasymlbrakk }k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ m\ mod\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ n\ (m\ mod\ n);\isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ \ }n\ \isasymnoteq \ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \isasymAnd m\ n.\ }\isasymLongrightarrow \ k\ dvd\ m\ \isasymlongrightarrow \ k\ dvd\ n\ \isasymlongrightarrow \ k\ dvd\ gcd\ m\ n%
+\end{isabelle}
+\endgroup
+
+\noindent Simplification proves both subgoals.
+\begin{isabelle}
+\isacommand{apply}\ (simp_all\ add:\ dvd_mod)\isanewline
+\isacommand{done}
+\end{isabelle}
+In the first, where \isa{n=0}, the implication becomes trivial: \isa{k\ dvd\
+gcd\ m\ n} goes to~\isa{k\ dvd\ m}. The second subgoal is proved by
+an unfolding of \isa{gcd}, using this rule about divides:
+\begin{isabelle}
+\isasymlbrakk ?f\ dvd\ ?m;\ ?f\ dvd\ ?n\isasymrbrakk \
+\isasymLongrightarrow \ ?f\ dvd\ ?m\ mod\ ?n%
+\rulename{dvd_mod}
+\end{isabelle}
+
+
+\medskip
+The facts proved above can be summarized as a single logical
+equivalence. This step gives us a chance to see another application
+of \isa{blast}.
+\begin{isabelle}
+\isacommand{theorem}\ gcd\_greatest\_iff\ [iff]:\ \isanewline
+\ \ \ \ \ \ \ \ "(k\ dvd\ gcd\ m\ n)\ =\ (k\ dvd\ m\ \isasymand \ k\ dvd\ n)"\isanewline
+\isacommand{by}\ (blast\ intro!:\ gcd_greatest\ intro:\ dvd_trans)
+\end{isabelle}
+This theorem concisely expresses the correctness of the \isa{gcd}
+function.
+We state it with the \isa{iff} attribute so that
+Isabelle can use it to remove some occurrences of \isa{gcd}.
+The theorem has a one-line
+proof using \isa{blast} supplied with two additional introduction
+rules. The exclamation mark
+({\isa{intro}}{\isa{!}})\ signifies safe rules, which are
+applied aggressively. Rules given without the exclamation mark
+are applied reluctantly and their uses can be undone if
+the search backtracks. Here the unsafe rule expresses transitivity
+of the divides relation:
+\begin{isabelle}
+\isasymlbrakk?m\ dvd\ ?n;\ ?n\ dvd\ ?p\isasymrbrakk\ \isasymLongrightarrow\ ?m\ dvd\ ?p%
+\rulename{dvd_trans}
+\end{isabelle}
+Applying \isa{dvd_trans} as
+an introduction rule entails a risk of looping, for it multiplies
+occurrences of the divides symbol. However, this proof relies
+on transitivity reasoning. The rule {\isa{gcd\_greatest}} is safe to apply
+aggressively because it yields simpler subgoals. The proof implicitly
+uses \isa{gcd_dvd1} and \isa{gcd_dvd2} as safe rules, because they were
+declared using \isa{iff}.%
+\index{Euclid's algorithm|)}\index{*gcd (constant)|)}\index{divides relation|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/sets.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1069 @@
+\chapter{Sets, Functions and Relations}
+
+This chapter describes the formalization of typed set theory, which is
+the basis of much else in HOL\@. For example, an
+inductive definition yields a set, and the abstract theories of relations
+regard a relation as a set of pairs. The chapter introduces the well-known
+constants such as union and intersection, as well as the main operations on relations, such as converse, composition and
+transitive closure. Functions are also covered. They are not sets in
+HOL, but many of their properties concern sets: the range of a
+function is a set, and the inverse image of a function maps sets to sets.
+
+This chapter will be useful to anybody who plans to develop a substantial
+proof. Sets are convenient for formalizing computer science concepts such
+as grammars, logical calculi and state transition systems. Isabelle can
+prove many statements involving sets automatically.
+
+This chapter ends with a case study concerning model checking for the
+temporal logic CTL\@. Most of the other examples are simple. The
+chapter presents a small selection of built-in theorems in order to point
+out some key properties of the various constants and to introduce you to
+the notation.
+
+Natural deduction rules are provided for the set theory constants, but they
+are seldom used directly, so only a few are presented here.
+
+
+\section{Sets}
+
+\index{sets|(}%
+HOL's set theory should not be confused with traditional, untyped set
+theory, in which everything is a set. Our sets are typed. In a given set,
+all elements have the same type, say~$\tau$, and the set itself has type
+$\tau$~\tydx{set}.
+
+We begin with \textbf{intersection}, \textbf{union} and
+\textbf{complement}. In addition to the
+\textbf{membership relation}, there is a symbol for its negation. These
+points can be seen below.
+
+Here are the natural deduction rules for \rmindex{intersection}. Note
+the resemblance to those for conjunction.
+\begin{isabelle}
+\isasymlbrakk c\ \isasymin\ A;\ c\ \isasymin\ B\isasymrbrakk\
+\isasymLongrightarrow\ c\ \isasymin\ A\ \isasyminter\ B%
+\rulenamedx{IntI}\isanewline
+c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ A
+\rulenamedx{IntD1}\isanewline
+c\ \isasymin\ A\ \isasyminter\ B\ \isasymLongrightarrow\ c\ \isasymin\ B
+\rulenamedx{IntD2}
+\end{isabelle}
+
+Here are two of the many installed theorems concerning set
+complement.\index{complement!of a set}
+Note that it is denoted by a minus sign.
+\begin{isabelle}
+(c\ \isasymin\ -\ A)\ =\ (c\ \isasymnotin\ A)
+\rulenamedx{Compl_iff}\isanewline
+-\ (A\ \isasymunion\ B)\ =\ -\ A\ \isasyminter\ -\ B
+\rulename{Compl_Un}
+\end{isabelle}
+
+Set \textbf{difference}\indexbold{difference!of sets} is the intersection
+of a set with the complement of another set. Here we also see the syntax
+for the empty set and for the universal set.
+\begin{isabelle}
+A\ \isasyminter\ (B\ -\ A)\ =\ \isacharbraceleft\isacharbraceright
+\rulename{Diff_disjoint}\isanewline
+A\ \isasymunion\ -\ A\ =\ UNIV%
+\rulename{Compl_partition}
+\end{isabelle}
+
+The \bfindex{subset relation} holds between two sets just if every element
+of one is also an element of the other. This relation is reflexive. These
+are its natural deduction rules:
+\begin{isabelle}
+({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ x\ \isasymin\ B)\ \isasymLongrightarrow\ A\ \isasymsubseteq\ B%
+\rulenamedx{subsetI}%
+\par\smallskip% \isanewline didn't leave enough space
+\isasymlbrakk A\ \isasymsubseteq\ B;\ c\ \isasymin\
+A\isasymrbrakk\ \isasymLongrightarrow\ c\
+\isasymin\ B%
+\rulenamedx{subsetD}
+\end{isabelle}
+In harder proofs, you may need to apply \isa{subsetD} giving a specific term
+for~\isa{c}. However, \isa{blast} can instantly prove facts such as this
+one:
+\begin{isabelle}
+(A\ \isasymunion\ B\ \isasymsubseteq\ C)\ =\
+(A\ \isasymsubseteq\ C\ \isasymand\ B\ \isasymsubseteq\ C)
+\rulenamedx{Un_subset_iff}
+\end{isabelle}
+Here is another example, also proved automatically:
+\begin{isabelle}
+\isacommand{lemma}\ "(A\
+\isasymsubseteq\ -B)\ =\ (B\ \isasymsubseteq\ -A)"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+%
+This is the same example using \textsc{ascii} syntax, illustrating a pitfall:
+\begin{isabelle}
+\isacommand{lemma}\ "(A\ <=\ -B)\ =\ (B\ <=\ -A)"
+\end{isabelle}
+%
+The proof fails. It is not a statement about sets, due to overloading;
+the relation symbol~\isa{<=} can be any relation, not just
+subset.
+In this general form, the statement is not valid. Putting
+in a type constraint forces the variables to denote sets, allowing the
+proof to succeed:
+
+\begin{isabelle}
+\isacommand{lemma}\ "((A::\ {\isacharprime}a\ set)\ <=\ -B)\ =\ (B\ <=\
+-A)"
+\end{isabelle}
+Section~\ref{sec:axclass} below describes overloading. Incidentally,
+\isa{A~\isasymsubseteq~-B} asserts that the sets \isa{A} and \isa{B} are
+disjoint.
+
+\medskip
+Two sets are \textbf{equal}\indexbold{equality!of sets} if they contain the
+same elements. This is
+the principle of \textbf{extensionality}\indexbold{extensionality!for sets}
+for sets.
+\begin{isabelle}
+({\isasymAnd}x.\ (x\ {\isasymin}\ A)\ =\ (x\ {\isasymin}\ B))\
+{\isasymLongrightarrow}\ A\ =\ B
+\rulenamedx{set_ext}
+\end{isabelle}
+Extensionality can be expressed as
+$A=B\iff (A\subseteq B)\conj (B\subseteq A)$.
+The following rules express both
+directions of this equivalence. Proving a set equation using
+\isa{equalityI} allows the two inclusions to be proved independently.
+\begin{isabelle}
+\isasymlbrakk A\ \isasymsubseteq\ B;\ B\ \isasymsubseteq\
+A\isasymrbrakk\ \isasymLongrightarrow\ A\ =\ B
+\rulenamedx{equalityI}
+\par\smallskip% \isanewline didn't leave enough space
+\isasymlbrakk A\ =\ B;\ \isasymlbrakk A\ \isasymsubseteq\ B;\ B\
+\isasymsubseteq\ A\isasymrbrakk\ \isasymLongrightarrow\ P\isasymrbrakk\
+\isasymLongrightarrow\ P%
+\rulenamedx{equalityE}
+\end{isabelle}
+
+
+\subsection{Finite Set Notation}
+
+\indexbold{sets!notation for finite}
+Finite sets are expressed using the constant \cdx{insert}, which is
+a form of union:
+\begin{isabelle}
+insert\ a\ A\ =\ \isacharbraceleft a\isacharbraceright\ \isasymunion\ A
+\rulename{insert_is_Un}
+\end{isabelle}
+%
+The finite set expression \isa{\isacharbraceleft
+a,b\isacharbraceright} abbreviates
+\isa{insert\ a\ (insert\ b\ \isacharbraceleft\isacharbraceright)}.
+Many facts about finite sets can be proved automatically:
+\begin{isabelle}
+\isacommand{lemma}\
+"\isacharbraceleft a,b\isacharbraceright\
+\isasymunion\ \isacharbraceleft c,d\isacharbraceright\ =\
+\isacharbraceleft a,b,c,d\isacharbraceright"\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+
+Not everything that we would like to prove is valid.
+Consider this attempt:
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\ \isacharbraceleft b,c\isacharbraceright\ =\
+\isacharbraceleft b\isacharbraceright"\isanewline
+\isacommand{apply}\ auto
+\end{isabelle}
+%
+The proof fails, leaving the subgoal \isa{b=c}. To see why it
+fails, consider a correct version:
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft a,b\isacharbraceright\ \isasyminter\
+\isacharbraceleft b,c\isacharbraceright\ =\ (if\ a=c\ then\
+\isacharbraceleft a,b\isacharbraceright\ else\ \isacharbraceleft
+b\isacharbraceright)"\isanewline
+\isacommand{apply}\ simp\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+Our mistake was to suppose that the various items were distinct. Another
+remark: this proof uses two methods, namely {\isa{simp}} and
+{\isa{blast}}. Calling {\isa{simp}} eliminates the
+\isa{if}-\isa{then}-\isa{else} expression, which {\isa{blast}}
+cannot break down. The combined methods (namely {\isa{force}} and
+\isa{auto}) can prove this fact in one step.
+
+
+\subsection{Set Comprehension}
+
+\index{set comprehensions|(}%
+The set comprehension \isa{\isacharbraceleft x.\
+P\isacharbraceright} expresses the set of all elements that satisfy the
+predicate~\isa{P}. Two laws describe the relationship between set
+comprehension and the membership relation:
+\begin{isabelle}
+(a\ \isasymin\
+\isacharbraceleft x.\ P\ x\isacharbraceright)\ =\ P\ a
+\rulename{mem_Collect_eq}\isanewline
+\isacharbraceleft x.\ x\ \isasymin\ A\isacharbraceright\ =\ A
+\rulename{Collect_mem_eq}
+\end{isabelle}
+
+\smallskip
+Facts such as these have trivial proofs:
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\ \isasymor\
+x\ \isasymin\ A\isacharbraceright\ =\
+\isacharbraceleft x.\ P\ x\isacharbraceright\ \isasymunion\ A"
+\par\smallskip
+\isacommand{lemma}\ "\isacharbraceleft x.\ P\ x\
+\isasymlongrightarrow\ Q\ x\isacharbraceright\ =\
+-\isacharbraceleft x.\ P\ x\isacharbraceright\
+\isasymunion\ \isacharbraceleft x.\ Q\ x\isacharbraceright"
+\end{isabelle}
+
+\smallskip
+Isabelle has a general syntax for comprehension, which is best
+described through an example:
+\begin{isabelle}
+\isacommand{lemma}\ "\isacharbraceleft p*q\ \isacharbar\ p\ q.\
+p{\isasymin}prime\ \isasymand\ q{\isasymin}prime\isacharbraceright\ =\
+\isanewline
+\ \ \ \ \ \ \ \ \isacharbraceleft z.\ \isasymexists p\ q.\ z\ =\ p*q\
+\isasymand\ p{\isasymin}prime\ \isasymand\
+q{\isasymin}prime\isacharbraceright"
+\end{isabelle}
+The left and right hand sides
+of this equation are identical. The syntax used in the
+left-hand side abbreviates the right-hand side: in this case, all numbers
+that are the product of two primes. The syntax provides a neat
+way of expressing any set given by an expression built up from variables
+under specific constraints. The drawback is that it hides the true form of
+the expression, with its existential quantifiers.
+
+\smallskip
+\emph{Remark}. We do not need sets at all. They are essentially equivalent
+to predicate variables, which are allowed in higher-order logic. The main
+benefit of sets is their notation; we can write \isa{x{\isasymin}A}
+and
+\isa{\isacharbraceleft z.\ P\isacharbraceright} where predicates would
+require writing
+\isa{A(x)} and
+\isa{{\isasymlambda}z.\ P}.
+\index{set comprehensions|)}
+
+
+\subsection{Binding Operators}
+
+\index{quantifiers!for sets|(}%
+Universal and existential quantifications may range over sets,
+with the obvious meaning. Here are the natural deduction rules for the
+bounded universal quantifier. Occasionally you will need to apply
+\isa{bspec} with an explicit instantiation of the variable~\isa{x}:
+%
+\begin{isabelle}
+({\isasymAnd}x.\ x\ \isasymin\ A\ \isasymLongrightarrow\ P\ x)\ \isasymLongrightarrow\ {\isasymforall}x\isasymin
+A.\ P\ x%
+\rulenamedx{ballI}%
+\isanewline
+\isasymlbrakk{\isasymforall}x\isasymin A.\
+P\ x;\ x\ \isasymin\
+A\isasymrbrakk\ \isasymLongrightarrow\ P\
+x%
+\rulenamedx{bspec}
+\end{isabelle}
+%
+Dually, here are the natural deduction rules for the
+bounded existential quantifier. You may need to apply
+\isa{bexI} with an explicit instantiation:
+\begin{isabelle}
+\isasymlbrakk P\ x;\
+x\ \isasymin\ A\isasymrbrakk\
+\isasymLongrightarrow\
+\isasymexists x\isasymin A.\ P\
+x%
+\rulenamedx{bexI}%
+\isanewline
+\isasymlbrakk\isasymexists x\isasymin A.\
+P\ x;\ {\isasymAnd}x.\
+{\isasymlbrakk}x\ \isasymin\ A;\
+P\ x\isasymrbrakk\ \isasymLongrightarrow\
+Q\isasymrbrakk\ \isasymLongrightarrow\ Q%
+\rulenamedx{bexE}
+\end{isabelle}
+\index{quantifiers!for sets|)}
+
+\index{union!indexed}%
+Unions can be formed over the values of a given set. The syntax is
+\mbox{\isa{\isasymUnion x\isasymin A.\ B}} or
+\isa{UN x:A.\ B} in \textsc{ascii}. Indexed union satisfies this basic law:
+\begin{isabelle}
+(b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x)) =\ (\isasymexists x\isasymin A.\
+b\ \isasymin\ B\ x)
+\rulenamedx{UN_iff}
+\end{isabelle}
+It has two natural deduction rules similar to those for the existential
+quantifier. Sometimes \isa{UN_I} must be applied explicitly:
+\begin{isabelle}
+\isasymlbrakk a\ \isasymin\
+A;\ b\ \isasymin\
+B\ a\isasymrbrakk\ \isasymLongrightarrow\
+b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x)
+\rulenamedx{UN_I}%
+\isanewline
+\isasymlbrakk b\ \isasymin\
+(\isasymUnion x\isasymin A. B\ x);\
+{\isasymAnd}x.\ {\isasymlbrakk}x\ \isasymin\
+A;\ b\ \isasymin\
+B\ x\isasymrbrakk\ \isasymLongrightarrow\
+R\isasymrbrakk\ \isasymLongrightarrow\ R%
+\rulenamedx{UN_E}
+\end{isabelle}
+%
+The following built-in abbreviation (see {\S}\ref{sec:abbreviations})
+lets us express the union over a \emph{type}:
+\begin{isabelle}
+\ \ \ \ \
+({\isasymUnion}x.\ B\ x)\ {\isasymequiv}\
+({\isasymUnion}x{\isasymin}UNIV. B\ x)
+\end{isabelle}
+
+We may also express the union of a set of sets, written \isa{Union\ C} in
+\textsc{ascii}:
+\begin{isabelle}
+(A\ \isasymin\ \isasymUnion C)\ =\ (\isasymexists X\isasymin C.\ A\
+\isasymin\ X)
+\rulenamedx{Union_iff}
+\end{isabelle}
+
+\index{intersection!indexed}%
+Intersections are treated dually, although they seem to be used less often
+than unions. The syntax below would be \isa{INT
+x:\ A.\ B} and \isa{Inter\ C} in \textsc{ascii}. Among others, these
+theorems are available:
+\begin{isabelle}
+(b\ \isasymin\
+(\isasymInter x\isasymin A. B\ x))\
+=\
+({\isasymforall}x\isasymin A.\
+b\ \isasymin\ B\ x)
+\rulenamedx{INT_iff}%
+\isanewline
+(A\ \isasymin\
+\isasymInter C)\ =\
+({\isasymforall}X\isasymin C.\
+A\ \isasymin\ X)
+\rulenamedx{Inter_iff}
+\end{isabelle}
+
+Isabelle uses logical equivalences such as those above in automatic proof.
+Unions, intersections and so forth are not simply replaced by their
+definitions. Instead, membership tests are simplified. For example, $x\in
+A\cup B$ is replaced by $x\in A\lor x\in B$.
+
+The internal form of a comprehension involves the constant
+\cdx{Collect},
+which occasionally appears when a goal or theorem
+is displayed. For example, \isa{Collect\ P} is the same term as
+\isa{\isacharbraceleft x.\ P\ x\isacharbraceright}. The same thing can
+happen with quantifiers: \hbox{\isa{All\ P}}\index{*All (constant)}
+is
+\isa{{\isasymforall}x.\ P\ x} and
+\hbox{\isa{Ex\ P}}\index{*Ex (constant)} is \isa{\isasymexists x.\ P\ x};
+also \isa{Ball\ A\ P}\index{*Ball (constant)} is
+\isa{{\isasymforall}x\isasymin A.\ P\ x} and
+\isa{Bex\ A\ P}\index{*Bex (constant)} is
+\isa{\isasymexists x\isasymin A.\ P\ x}. For indexed unions and
+intersections, you may see the constants
+\cdx{UNION} and \cdx{INTER}\@.
+The internal constant for $\varepsilon x.P(x)$ is~\cdx{Eps}.
+
+We have only scratched the surface of Isabelle/HOL's set theory, which provides
+hundreds of theorems for your use.
+
+
+\subsection{Finiteness and Cardinality}
+
+\index{sets!finite}%
+The predicate \sdx{finite} holds of all finite sets. Isabelle/HOL
+includes many familiar theorems about finiteness and cardinality
+(\cdx{card}). For example, we have theorems concerning the
+cardinalities of unions, intersections and the
+powerset:\index{cardinality}
+%
+\begin{isabelle}
+{\isasymlbrakk}finite\ A;\ finite\ B\isasymrbrakk\isanewline
+\isasymLongrightarrow\ card\ A\ \isacharplus\ card\ B\ =\ card\ (A\ \isasymunion\ B)\ \isacharplus\ card\ (A\ \isasyminter\ B)
+\rulenamedx{card_Un_Int}%
+\isanewline
+\isanewline
+finite\ A\ \isasymLongrightarrow\ card\
+(Pow\ A)\ =\ 2\ \isacharcircum\ card\ A%
+\rulenamedx{card_Pow}%
+\isanewline
+\isanewline
+finite\ A\ \isasymLongrightarrow\isanewline
+card\ \isacharbraceleft B.\ B\ \isasymsubseteq\
+A\ \isasymand\ card\ B\ =\
+k\isacharbraceright\ =\ card\ A\ choose\ k%
+\rulename{n_subsets}
+\end{isabelle}
+Writing $|A|$ as $n$, the last of these theorems says that the number of
+$k$-element subsets of~$A$ is \index{binomial coefficients}
+$\binom{n}{k}$.
+
+%\begin{warn}
+%The term \isa{finite\ A} is defined via a syntax translation as an
+%abbreviation for \isa{A {\isasymin} Finites}, where the constant
+%\cdx{Finites} denotes the set of all finite sets of a given type. There
+%is no constant \isa{finite}.
+%\end{warn}
+\index{sets|)}
+
+
+\section{Functions}
+
+\index{functions|(}%
+This section describes a few concepts that involve
+functions. Some of the more important theorems are given along with the
+names. A few sample proofs appear. Unlike with set theory, however,
+we cannot simply state lemmas and expect them to be proved using
+\isa{blast}.
+
+\subsection{Function Basics}
+
+Two functions are \textbf{equal}\indexbold{equality!of functions}
+if they yield equal results given equal
+arguments. This is the principle of
+\textbf{extensionality}\indexbold{extensionality!for functions} for
+functions:
+\begin{isabelle}
+({\isasymAnd}x.\ f\ x\ =\ g\ x)\ {\isasymLongrightarrow}\ f\ =\ g
+\rulenamedx{ext}
+\end{isabelle}
+
+\indexbold{updating a function}%
+Function \textbf{update} is useful for modelling machine states. It has
+the obvious definition and many useful facts are proved about
+it. In particular, the following equation is installed as a simplification
+rule:
+\begin{isabelle}
+(f(x:=y))\ z\ =\ (if\ z\ =\ x\ then\ y\ else\ f\ z)
+\rulename{fun_upd_apply}
+\end{isabelle}
+Two syntactic points must be noted. In
+\isa{(f(x:=y))\ z} we are applying an updated function to an
+argument; the outer parentheses are essential. A series of two or more
+updates can be abbreviated as shown on the left-hand side of this theorem:
+\begin{isabelle}
+f(x:=y,\ x:=z)\ =\ f(x:=z)
+\rulename{fun_upd_upd}
+\end{isabelle}
+Note also that we can write \isa{f(x:=z)} with only one pair of parentheses
+when it is not being applied to an argument.
+
+\medskip
+The \bfindex{identity function} and function
+\textbf{composition}\indexbold{composition!of functions} are
+defined:
+\begin{isabelle}%
+id\ \isasymequiv\ {\isasymlambda}x.\ x%
+\rulenamedx{id_def}\isanewline
+f\ \isasymcirc\ g\ \isasymequiv\
+{\isasymlambda}x.\ f\
+(g\ x)%
+\rulenamedx{o_def}
+\end{isabelle}
+%
+Many familiar theorems concerning the identity and composition
+are proved. For example, we have the associativity of composition:
+\begin{isabelle}
+f\ \isasymcirc\ (g\ \isasymcirc\ h)\ =\ f\ \isasymcirc\ g\ \isasymcirc\ h
+\rulename{o_assoc}
+\end{isabelle}
+
+\subsection{Injections, Surjections, Bijections}
+
+\index{injections}\index{surjections}\index{bijections}%
+A function may be \textbf{injective}, \textbf{surjective} or \textbf{bijective}:
+\begin{isabelle}
+inj_on\ f\ A\ \isasymequiv\ {\isasymforall}x\isasymin A.\
+{\isasymforall}y\isasymin A.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\
+=\ y%
+\rulenamedx{inj_on_def}\isanewline
+surj\ f\ \isasymequiv\ {\isasymforall}y.\
+\isasymexists x.\ y\ =\ f\ x%
+\rulenamedx{surj_def}\isanewline
+bij\ f\ \isasymequiv\ inj\ f\ \isasymand\ surj\ f
+\rulenamedx{bij_def}
+\end{isabelle}
+The second argument
+of \isa{inj_on} lets us express that a function is injective over a
+given set. This refinement is useful in higher-order logic, where
+functions are total; in some cases, a function's natural domain is a subset
+of its domain type. Writing \isa{inj\ f} abbreviates \isa{inj_on\ f\
+UNIV}, for when \isa{f} is injective everywhere.
+
+The operator \isa{inv} expresses the
+\textbf{inverse}\indexbold{inverse!of a function}
+of a function. In
+general the inverse may not be well behaved. We have the usual laws,
+such as these:
+\begin{isabelle}
+inj\ f\ \ \isasymLongrightarrow\ inv\ f\ (f\ x)\ =\ x%
+\rulename{inv_f_f}\isanewline
+surj\ f\ \isasymLongrightarrow\ f\ (inv\ f\ y)\ =\ y
+\rulename{surj_f_inv_f}\isanewline
+bij\ f\ \ \isasymLongrightarrow\ inv\ (inv\ f)\ =\ f
+\rulename{inv_inv_eq}
+\end{isabelle}
+%
+%Other useful facts are that the inverse of an injection
+%is a surjection and vice versa; the inverse of a bijection is
+%a bijection.
+%\begin{isabelle}
+%inj\ f\ \isasymLongrightarrow\ surj\
+%(inv\ f)
+%\rulename{inj_imp_surj_inv}\isanewline
+%surj\ f\ \isasymLongrightarrow\ inj\ (inv\ f)
+%\rulename{surj_imp_inj_inv}\isanewline
+%bij\ f\ \isasymLongrightarrow\ bij\ (inv\ f)
+%\rulename{bij_imp_bij_inv}
+%\end{isabelle}
+%
+%The converses of these results fail. Unless a function is
+%well behaved, little can be said about its inverse. Here is another
+%law:
+%\begin{isabelle}
+%{\isasymlbrakk}bij\ f;\ bij\ g\isasymrbrakk\ \isasymLongrightarrow\ inv\ (f\ \isasymcirc\ g)\ =\ inv\ g\ \isasymcirc\ inv\ f%
+%\rulename{o_inv_distrib}
+%\end{isabelle}
+
+Theorems involving these concepts can be hard to prove. The following
+example is easy, but it cannot be proved automatically. To begin
+with, we need a law that relates the equality of functions to
+equality over all arguments:
+\begin{isabelle}
+(f\ =\ g)\ =\ ({\isasymforall}x.\ f\ x\ =\ g\ x)
+\rulename{fun_eq_iff}
+\end{isabelle}
+%
+This is just a restatement of
+extensionality.\indexbold{extensionality!for functions}
+Our lemma
+states that an injection can be cancelled from the left side of
+function composition:
+\begin{isabelle}
+\isacommand{lemma}\ "inj\ f\ \isasymLongrightarrow\ (f\ o\ g\ =\ f\ o\ h)\ =\ (g\ =\ h)"\isanewline
+\isacommand{apply}\ (simp\ add:\ fun_eq_iff\ inj_on_def)\isanewline
+\isacommand{apply}\ auto\isanewline
+\isacommand{done}
+\end{isabelle}
+
+The first step of the proof invokes extensionality and the definitions
+of injectiveness and composition. It leaves one subgoal:
+\begin{isabelle}
+\ 1.\ {\isasymforall}x\ y.\ f\ x\ =\ f\ y\ \isasymlongrightarrow\ x\ =\ y\
+\isasymLongrightarrow\isanewline
+\ \ \ \ ({\isasymforall}x.\ f\ (g\ x)\ =\ f\ (h\ x))\ =\ ({\isasymforall}x.\ g\ x\ =\ h\ x)
+\end{isabelle}
+This can be proved using the \isa{auto} method.
+
+
+\subsection{Function Image}
+
+The \textbf{image}\indexbold{image!under a function}
+of a set under a function is a most useful notion. It
+has the obvious definition:
+\begin{isabelle}
+f\ `\ A\ \isasymequiv\ \isacharbraceleft y.\ \isasymexists x\isasymin
+A.\ y\ =\ f\ x\isacharbraceright
+\rulenamedx{image_def}
+\end{isabelle}
+%
+Here are some of the many facts proved about image:
+\begin{isabelle}
+(f\ \isasymcirc\ g)\ `\ r\ =\ f\ `\ g\ `\ r
+\rulename{image_compose}\isanewline
+f`(A\ \isasymunion\ B)\ =\ f`A\ \isasymunion\ f`B
+\rulename{image_Un}\isanewline
+inj\ f\ \isasymLongrightarrow\ f`(A\ \isasyminter\
+B)\ =\ f`A\ \isasyminter\ f`B
+\rulename{image_Int}
+%\isanewline
+%bij\ f\ \isasymLongrightarrow\ f\ `\ (-\ A)\ =\ -\ f\ `\ A%
+%\rulename{bij_image_Compl_eq}
+\end{isabelle}
+
+
+Laws involving image can often be proved automatically. Here
+are two examples, illustrating connections with indexed union and with the
+general syntax for comprehension:
+\begin{isabelle}
+\isacommand{lemma}\ "f`A\ \isasymunion\ g`A\ =\ ({\isasymUnion}x{\isasymin}A.\ \isacharbraceleft f\ x,\ g\
+x\isacharbraceright)"
+\par\smallskip
+\isacommand{lemma}\ "f\ `\ \isacharbraceleft(x,y){.}\ P\ x\ y\isacharbraceright\ =\ \isacharbraceleft f(x,y)\ \isacharbar\ x\ y.\ P\ x\
+y\isacharbraceright"
+\end{isabelle}
+
+\medskip
+\index{range!of a function}%
+A function's \textbf{range} is the set of values that the function can
+take on. It is, in fact, the image of the universal set under
+that function. There is no constant \isa{range}. Instead,
+\sdx{range} abbreviates an application of image to \isa{UNIV}:
+\begin{isabelle}
+\ \ \ \ \ range\ f\
+{\isasymrightleftharpoons}\ f`UNIV
+\end{isabelle}
+%
+Few theorems are proved specifically
+for {\isa{range}}; in most cases, you should look for a more general
+theorem concerning images.
+
+\medskip
+\textbf{Inverse image}\index{inverse image!of a function} is also useful.
+It is defined as follows:
+\begin{isabelle}
+f\ -`\ B\ \isasymequiv\ \isacharbraceleft x.\ f\ x\ \isasymin\ B\isacharbraceright
+\rulenamedx{vimage_def}
+\end{isabelle}
+%
+This is one of the facts proved about it:
+\begin{isabelle}
+f\ -`\ (-\ A)\ =\ -\ f\ -`\ A%
+\rulename{vimage_Compl}
+\end{isabelle}
+\index{functions|)}
+
+
+\section{Relations}
+\label{sec:Relations}
+
+\index{relations|(}%
+A \textbf{relation} is a set of pairs. As such, the set operations apply
+to them. For instance, we may form the union of two relations. Other
+primitives are defined specifically for relations.
+
+\subsection{Relation Basics}
+
+The \bfindex{identity relation}, also known as equality, has the obvious
+definition:
+\begin{isabelle}
+Id\ \isasymequiv\ \isacharbraceleft p.\ \isasymexists x.\ p\ =\ (x,x){\isacharbraceright}%
+\rulenamedx{Id_def}
+\end{isabelle}
+
+\indexbold{composition!of relations}%
+\textbf{Composition} of relations (the infix \sdx{O}) is also
+available:
+\begin{isabelle}
+r\ O\ s\ \isasymequiv\ \isacharbraceleft(x,z).\ \isasymexists y.\ (x,y)\ \isasymin\ s\ \isasymand\ (y,z)\ \isasymin\ r\isacharbraceright
+\rulenamedx{rel_comp_def}
+\end{isabelle}
+%
+This is one of the many lemmas proved about these concepts:
+\begin{isabelle}
+R\ O\ Id\ =\ R
+\rulename{R_O_Id}
+\end{isabelle}
+%
+Composition is monotonic, as are most of the primitives appearing
+in this chapter. We have many theorems similar to the following
+one:
+\begin{isabelle}
+\isasymlbrakk r\isacharprime\ \isasymsubseteq\ r;\ s\isacharprime\
+\isasymsubseteq\ s\isasymrbrakk\ \isasymLongrightarrow\ r\isacharprime\ O\
+s\isacharprime\ \isasymsubseteq\ r\ O\ s%
+\rulename{rel_comp_mono}
+\end{isabelle}
+
+\indexbold{converse!of a relation}%
+\indexbold{inverse!of a relation}%
+The \textbf{converse} or inverse of a
+relation exchanges the roles of the two operands. We use the postfix
+notation~\isa{r\isasyminverse} or
+\isa{r\isacharcircum-1} in ASCII\@.
+\begin{isabelle}
+((a,b)\ \isasymin\ r\isasyminverse)\ =\
+((b,a)\ \isasymin\ r)
+\rulenamedx{converse_iff}
+\end{isabelle}
+%
+Here is a typical law proved about converse and composition:
+\begin{isabelle}
+(r\ O\ s)\isasyminverse\ =\ s\isasyminverse\ O\ r\isasyminverse
+\rulename{converse_rel_comp}
+\end{isabelle}
+
+\indexbold{image!under a relation}%
+The \textbf{image} of a set under a relation is defined
+analogously to image under a function:
+\begin{isabelle}
+(b\ \isasymin\ r\ ``\ A)\ =\ (\isasymexists x\isasymin
+A.\ (x,b)\ \isasymin\ r)
+\rulenamedx{Image_iff}
+\end{isabelle}
+It satisfies many similar laws.
+
+\index{domain!of a relation}%
+\index{range!of a relation}%
+The \textbf{domain} and \textbf{range} of a relation are defined in the
+standard way:
+\begin{isabelle}
+(a\ \isasymin\ Domain\ r)\ =\ (\isasymexists y.\ (a,y)\ \isasymin\
+r)
+\rulenamedx{Domain_iff}%
+\isanewline
+(a\ \isasymin\ Range\ r)\
+\ =\ (\isasymexists y.\
+(y,a)\
+\isasymin\ r)
+\rulenamedx{Range_iff}
+\end{isabelle}
+
+Iterated composition of a relation is available. The notation overloads
+that of exponentiation. Two simplification rules are installed:
+\begin{isabelle}
+R\ \isacharcircum\ \isadigit{0}\ =\ Id\isanewline
+R\ \isacharcircum\ Suc\ n\ =\ R\ O\ R\isacharcircum n
+\end{isabelle}
+
+\subsection{The Reflexive and Transitive Closure}
+
+\index{reflexive and transitive closure|(}%
+The \textbf{reflexive and transitive closure} of the
+relation~\isa{r} is written with a
+postfix syntax. In ASCII we write \isa{r\isacharcircum*} and in
+symbol notation~\isa{r\isactrlsup *}. It is the least solution of the
+equation
+\begin{isabelle}
+r\isactrlsup *\ =\ Id\ \isasymunion \ (r\ O\ r\isactrlsup *)
+\rulename{rtrancl_unfold}
+\end{isabelle}
+%
+Among its basic properties are three that serve as introduction
+rules:
+\begin{isabelle}
+(a,\ a)\ \isasymin \ r\isactrlsup *
+\rulenamedx{rtrancl_refl}\isanewline
+p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup *
+\rulenamedx{r_into_rtrancl}\isanewline
+\isasymlbrakk (a,b)\ \isasymin \ r\isactrlsup *;\
+(b,c)\ \isasymin \ r\isactrlsup *\isasymrbrakk \ \isasymLongrightarrow \
+(a,c)\ \isasymin \ r\isactrlsup *
+\rulenamedx{rtrancl_trans}
+\end{isabelle}
+%
+Induction over the reflexive transitive closure is available:
+\begin{isabelle}
+\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup *;\ P\ a;\ \isasymAnd y\ z.\ \isasymlbrakk (a,\ y)\ \isasymin \ r\isactrlsup *;\ (y,\ z)\ \isasymin \ r;\ P\ y\isasymrbrakk \ \isasymLongrightarrow \ P\ z\isasymrbrakk \isanewline
+\isasymLongrightarrow \ P\ b%
+\rulename{rtrancl_induct}
+\end{isabelle}
+%
+Idempotence is one of the laws proved about the reflexive transitive
+closure:
+\begin{isabelle}
+(r\isactrlsup *)\isactrlsup *\ =\ r\isactrlsup *
+\rulename{rtrancl_idemp}
+\end{isabelle}
+
+\smallskip
+The transitive closure is similar. The ASCII syntax is
+\isa{r\isacharcircum+}. It has two introduction rules:
+\begin{isabelle}
+p\ \isasymin \ r\ \isasymLongrightarrow \ p\ \isasymin \ r\isactrlsup +
+\rulenamedx{r_into_trancl}\isanewline
+\isasymlbrakk (a,\ b)\ \isasymin \ r\isactrlsup +;\ (b,\ c)\ \isasymin \ r\isactrlsup +\isasymrbrakk \ \isasymLongrightarrow \ (a,\ c)\ \isasymin \ r\isactrlsup +
+\rulenamedx{trancl_trans}
+\end{isabelle}
+%
+The induction rule resembles the one shown above.
+A typical lemma states that transitive closure commutes with the converse
+operator:
+\begin{isabelle}
+(r\isasyminverse )\isactrlsup +\ =\ (r\isactrlsup +)\isasyminverse
+\rulename{trancl_converse}
+\end{isabelle}
+
+\subsection{A Sample Proof}
+
+The reflexive transitive closure also commutes with the converse
+operator. Let us examine the proof. Each direction of the equivalence
+is proved separately. The two proofs are almost identical. Here
+is the first one:
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converseD:\ "(x,y)\ \isasymin \
+(r\isasyminverse)\isactrlsup *\ \isasymLongrightarrow \ (y,x)\ \isasymin
+\ r\isactrlsup *"\isanewline
+\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
+\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
+\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
+\isacommand{done}
+\end{isabelle}
+%
+The first step of the proof applies induction, leaving these subgoals:
+\begin{isabelle}
+\ 1.\ (x,\ x)\ \isasymin \ r\isactrlsup *\isanewline
+\ 2.\ \isasymAnd y\ z.\ \isasymlbrakk (x,y)\ \isasymin \
+(r\isasyminverse)\isactrlsup *;\ (y,z)\ \isasymin \ r\isasyminverse ;\
+(y,x)\ \isasymin \ r\isactrlsup *\isasymrbrakk \isanewline
+\ \ \ \ \ \ \ \ \ \ \isasymLongrightarrow \ (z,x)\ \isasymin \ r\isactrlsup *
+\end{isabelle}
+%
+The first subgoal is trivial by reflexivity. The second follows
+by first eliminating the converse operator, yielding the
+assumption \isa{(z,y)\
+\isasymin\ r}, and then
+applying the introduction rules shown above. The same proof script handles
+the other direction:
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converseI:\ "(y,x)\ \isasymin \ r\isactrlsup *\ \isasymLongrightarrow \ (x,y)\ \isasymin \ (r\isasyminverse)\isactrlsup *"\isanewline
+\isacommand{apply}\ (erule\ rtrancl_induct)\isanewline
+\ \isacommand{apply}\ (rule\ rtrancl_refl)\isanewline
+\isacommand{apply}\ (blast\ intro:\ rtrancl_trans)\isanewline
+\isacommand{done}
+\end{isabelle}
+
+
+Finally, we combine the two lemmas to prove the desired equation:
+\begin{isabelle}
+\isacommand{lemma}\ rtrancl_converse:\ "(r\isasyminverse)\isactrlsup *\ =\ (r\isactrlsup *)\isasyminverse"\isanewline
+\isacommand{by}\ (auto\ intro:\ rtrancl_converseI\ dest:\
+rtrancl_converseD)
+\end{isabelle}
+
+\begin{warn}
+This trivial proof requires \isa{auto} rather than \isa{blast} because
+of a subtle issue involving ordered pairs. Here is a subgoal that
+arises internally after the rules
+\isa{equalityI} and \isa{subsetI} have been applied:
+\begin{isabelle}
+\ 1.\ \isasymAnd x.\ x\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ x\ \isasymin \ (r\isactrlsup
+*)\isasyminverse
+%ignore subgoal 2
+%\ 2.\ \isasymAnd x.\ x\ \isasymin \ (r\isactrlsup *)\isasyminverse \
+%\isasymLongrightarrow \ x\ \isasymin \ (r\isasyminverse )\isactrlsup *
+\end{isabelle}
+\par\noindent
+We cannot apply \isa{rtrancl_converseD}\@. It refers to
+ordered pairs, while \isa{x} is a variable of product type.
+The \isa{simp} and \isa{blast} methods can do nothing, so let us try
+\isa{clarify}:
+\begin{isabelle}
+\ 1.\ \isasymAnd a\ b.\ (a,b)\ \isasymin \ (r\isasyminverse )\isactrlsup *\ \isasymLongrightarrow \ (b,a)\ \isasymin \ r\isactrlsup
+*
+\end{isabelle}
+Now that \isa{x} has been replaced by the pair \isa{(a,b)}, we can
+proceed. Other methods that split variables in this way are \isa{force},
+\isa{auto}, \isa{fast} and \isa{best}. Section~\ref{sec:products} will discuss proof
+techniques for ordered pairs in more detail.
+\end{warn}
+\index{relations|)}\index{reflexive and transitive closure|)}
+
+
+\section{Well-Founded Relations and Induction}
+\label{sec:Well-founded}
+
+\index{relations!well-founded|(}%
+A well-founded relation captures the notion of a terminating
+process. Complex recursive functions definitions must specify a
+well-founded relation that justifies their
+termination~\cite{isabelle-function}. Most of the forms of induction found
+in mathematics are merely special cases of induction over a
+well-founded relation.
+
+Intuitively, the relation~$\prec$ is \textbf{well-founded} if it admits no
+infinite descending chains
+\[ \cdots \prec a@2 \prec a@1 \prec a@0. \]
+Well-foundedness can be hard to show. The various
+formulations are all complicated. However, often a relation
+is well-founded by construction. HOL provides
+theorems concerning ways of constructing a well-founded relation. The
+most familiar way is to specify a
+\index{measure functions}\textbf{measure function}~\isa{f} into
+the natural numbers, when $\isa{x}\prec \isa{y}\iff \isa{f x} < \isa{f y}$;
+we write this particular relation as
+\isa{measure~f}.
+
+\begin{warn}
+You may want to skip the rest of this section until you need to perform a
+complex recursive function definition or induction. The induction rule
+returned by
+\isacommand{fun} is good enough for most purposes. We use an explicit
+well-founded induction only in {\S}\ref{sec:CTL-revisited}.
+\end{warn}
+
+Isabelle/HOL declares \cdx{less_than} as a relation object,
+that is, a set of pairs of natural numbers. Two theorems tell us that this
+relation behaves as expected and that it is well-founded:
+\begin{isabelle}
+((x,y)\ \isasymin\ less_than)\ =\ (x\ <\ y)
+\rulenamedx{less_than_iff}\isanewline
+wf\ less_than
+\rulenamedx{wf_less_than}
+\end{isabelle}
+
+The notion of measure generalizes to the
+\index{inverse image!of a relation}\textbf{inverse image} of
+a relation. Given a relation~\isa{r} and a function~\isa{f}, we express a
+new relation using \isa{f} as a measure. An infinite descending chain on
+this new relation would give rise to an infinite descending chain
+on~\isa{r}. Isabelle/HOL defines this concept and proves a
+theorem stating that it preserves well-foundedness:
+\begin{isabelle}
+inv_image\ r\ f\ \isasymequiv\ \isacharbraceleft(x,y).\ (f\ x,\ f\ y)\
+\isasymin\ r\isacharbraceright
+\rulenamedx{inv_image_def}\isanewline
+wf\ r\ \isasymLongrightarrow\ wf\ (inv_image\ r\ f)
+\rulenamedx{wf_inv_image}
+\end{isabelle}
+
+A measure function involves the natural numbers. The relation \isa{measure
+size} justifies primitive recursion and structural induction over a
+datatype. Isabelle/HOL defines
+\isa{measure} as shown:
+\begin{isabelle}
+measure\ \isasymequiv\ inv_image\ less_than%
+\rulenamedx{measure_def}\isanewline
+wf\ (measure\ f)
+\rulenamedx{wf_measure}
+\end{isabelle}
+
+Of the other constructions, the most important is the
+\bfindex{lexicographic product} of two relations. It expresses the
+standard dictionary ordering over pairs. We write \isa{ra\ <*lex*>\
+rb}, where \isa{ra} and \isa{rb} are the two operands. The
+lexicographic product satisfies the usual definition and it preserves
+well-foundedness:
+\begin{isabelle}
+ra\ <*lex*>\ rb\ \isasymequiv \isanewline
+\ \ \isacharbraceleft ((a,b),(a',b')).\ (a,a')\ \isasymin \ ra\
+\isasymor\isanewline
+\ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \ \,a=a'\ \isasymand \ (b,b')\
+\isasymin \ rb\isacharbraceright
+\rulenamedx{lex_prod_def}%
+\par\smallskip
+\isasymlbrakk wf\ ra;\ wf\ rb\isasymrbrakk \ \isasymLongrightarrow \ wf\ (ra\ <*lex*>\ rb)
+\rulenamedx{wf_lex_prod}
+\end{isabelle}
+
+%These constructions can be used in a
+%\textbf{recdef} declaration ({\S}\ref{sec:recdef-simplification}) to define
+%the well-founded relation used to prove termination.
+
+The \bfindex{multiset ordering}, useful for hard termination proofs, is
+available in the Library~\cite{HOL-Library}.
+Baader and Nipkow \cite[{\S}2.5]{Baader-Nipkow} discuss it.
+
+\medskip
+Induction\index{induction!well-founded|(}
+comes in many forms,
+including traditional mathematical induction, structural induction on
+lists and induction on size. All are instances of the following rule,
+for a suitable well-founded relation~$\prec$:
+\[ \infer{P(a)}{\infer*{P(x)}{[\forall y.\, y\prec x \imp P(y)]}} \]
+To show $P(a)$ for a particular term~$a$, it suffices to show $P(x)$ for
+arbitrary~$x$ under the assumption that $P(y)$ holds for $y\prec x$.
+Intuitively, the well-foundedness of $\prec$ ensures that the chains of
+reasoning are finite.
+
+\smallskip
+In Isabelle, the induction rule is expressed like this:
+\begin{isabelle}
+{\isasymlbrakk}wf\ r;\
+ {\isasymAnd}x.\ {\isasymforall}y.\ (y,x)\ \isasymin\ r\
+\isasymlongrightarrow\ P\ y\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
+\isasymLongrightarrow\ P\ a
+\rulenamedx{wf_induct}
+\end{isabelle}
+Here \isa{wf\ r} expresses that the relation~\isa{r} is well-founded.
+
+Many familiar induction principles are instances of this rule.
+For example, the predecessor relation on the natural numbers
+is well-founded; induction over it is mathematical induction.
+The ``tail of'' relation on lists is well-founded; induction over
+it is structural induction.%
+\index{induction!well-founded|)}%
+\index{relations!well-founded|)}
+
+
+\section{Fixed Point Operators}
+
+\index{fixed points|(}%
+Fixed point operators define sets
+recursively. They are invoked implicitly when making an inductive
+definition, as discussed in Chap.\ts\ref{chap:inductive} below. However,
+they can be used directly, too. The
+\emph{least} or \emph{strongest} fixed point yields an inductive
+definition; the \emph{greatest} or \emph{weakest} fixed point yields a
+coinductive definition. Mathematicians may wish to note that the
+existence of these fixed points is guaranteed by the Knaster-Tarski
+theorem.
+
+\begin{warn}
+Casual readers should skip the rest of this section. We use fixed point
+operators only in {\S}\ref{sec:VMC}.
+\end{warn}
+
+The theory applies only to monotonic functions.\index{monotone functions|bold}
+Isabelle's definition of monotone is overloaded over all orderings:
+\begin{isabelle}
+mono\ f\ \isasymequiv\ {\isasymforall}A\ B.\ A\ \isasymle\ B\ \isasymlongrightarrow\ f\ A\ \isasymle\ f\ B%
+\rulenamedx{mono_def}
+\end{isabelle}
+%
+For fixed point operators, the ordering will be the subset relation: if
+$A\subseteq B$ then we expect $f(A)\subseteq f(B)$. In addition to its
+definition, monotonicity has the obvious introduction and destruction
+rules:
+\begin{isabelle}
+({\isasymAnd}A\ B.\ A\ \isasymle\ B\ \isasymLongrightarrow\ f\ A\ \isasymle\ f\ B)\ \isasymLongrightarrow\ mono\ f%
+\rulename{monoI}%
+\par\smallskip% \isanewline didn't leave enough space
+{\isasymlbrakk}mono\ f;\ A\ \isasymle\ B\isasymrbrakk\
+\isasymLongrightarrow\ f\ A\ \isasymle\ f\ B%
+\rulename{monoD}
+\end{isabelle}
+
+The most important properties of the least fixed point are that
+it is a fixed point and that it enjoys an induction rule:
+\begin{isabelle}
+mono\ f\ \isasymLongrightarrow\ lfp\ f\ =\ f\ (lfp\ f)
+\rulename{lfp_unfold}%
+\par\smallskip% \isanewline didn't leave enough space
+{\isasymlbrakk}a\ \isasymin\ lfp\ f;\ mono\ f;\isanewline
+ \ {\isasymAnd}x.\ x\
+\isasymin\ f\ (lfp\ f\ \isasyminter\ \isacharbraceleft x.\ P\
+x\isacharbraceright)\ \isasymLongrightarrow\ P\ x\isasymrbrakk\
+\isasymLongrightarrow\ P\ a%
+\rulename{lfp_induct}
+\end{isabelle}
+%
+The induction rule shown above is more convenient than the basic
+one derived from the minimality of {\isa{lfp}}. Observe that both theorems
+demand \isa{mono\ f} as a premise.
+
+The greatest fixed point is similar, but it has a \bfindex{coinduction} rule:
+\begin{isabelle}
+mono\ f\ \isasymLongrightarrow\ gfp\ f\ =\ f\ (gfp\ f)
+\rulename{gfp_unfold}%
+\isanewline
+{\isasymlbrakk}mono\ f;\ a\ \isasymin\ X;\ X\ \isasymsubseteq\ f\ (X\
+\isasymunion\ gfp\ f)\isasymrbrakk\ \isasymLongrightarrow\ a\ \isasymin\
+gfp\ f%
+\rulename{coinduct}
+\end{isabelle}
+A \textbf{bisimulation}\index{bisimulations}
+is perhaps the best-known concept defined as a
+greatest fixed point. Exhibiting a bisimulation to prove the equality of
+two agents in a process algebra is an example of coinduction.
+The coinduction rule can be strengthened in various ways.
+\index{fixed points|)}
+
+%The section "Case Study: Verified Model Checking" is part of this chapter
+\input{ctl0}
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/tutorial.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,191 @@
+% tutorial.sty : Isabelle Tutorial Page Layout
+%
+\typeout{Document Style tutorial. Released 9 July 2001}
+
+\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
+\hyphenation{data-type data-types co-data-type co-data-types }
+
+%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
+\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
+
+
+%%%INDEXING use isa-index to process the index
+
+\newcommand\seealso[2]{\emph{see also} #1}
+\usepackage{makeidx}
+
+%index, putting page numbers of definitions in boldface
+\def\bold#1{\textbf{#1}}
+\newcommand\fnote[1]{#1n}
+\newcommand\indexbold[1]{\index{#1|bold}}
+
+% The alternative to \protect\isa in the indexing macros is
+% \noexpand\noexpand \noexpand\isa
+% need TWO levels of \noexpand to delay the expansion of \isa:
+% the \noexpand\noexpand will leave one \noexpand, to be given to the
+% (still unexpanded) \isa token. See TeX by Topic, page 122.
+
+%%%% for indexing constants, symbols, theorems, ...
+\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
+\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
+\newcommand\sdxpos[2]{\isa{#1}\index{#2@\protect\isa{#1} (symbol)}}
+
+\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
+\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
+
+\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
+\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
+\newcommand\tcdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type class)}}
+\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
+
+\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
+\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
+\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
+\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
+\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
+\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
+\newcommand\pgdx[1]{\pgmenu{#1}\index{#1@\protect\pgmenu{#1} (Proof General)}}
+
+%set argument in \bf font and index in ROMAN font (for definitions in text!)
+\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
+
+\newcommand\rmindex[1]{{#1}\index{#1}\@}
+\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
+\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
+
+\newcommand{\isadxpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}}\@}
+\newcommand{\isadxboldpos}[2]{\isa{#1}\index{#2@\protect\isa{#1}|bold}\@}
+
+%Commented-out the original versions to see what the index looks like without them.
+% In any event, they need to use \isa or \protect\isa rather than \texttt.
+%%\newcommand{\indexboldpos}[2]{#1\index{#2@#1|bold}\@}
+%%\newcommand{\ttindexboldpos}[2]{\texttt{#1}\index{#2@\texttt{#1}|bold}\@}
+\newcommand{\indexboldpos}[2]{#1\@}
+\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
+
+%\newtheorem{theorem}{Theorem}[section]
+\newtheorem{Exercise}{Exercise}[section]
+\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
+\newcommand{\ttlbr}{\texttt{[|}}
+\newcommand{\ttrbr}{\texttt{|]}}
+\newcommand{\ttor}{\texttt{|}}
+\newcommand{\ttall}{\texttt{!}}
+\newcommand{\ttuniquex}{\texttt{?!}}
+\newcommand{\ttEXU}{\texttt{EX!}}
+\newcommand{\ttAnd}{\texttt{!!}}
+
+\newcommand{\isasymignore}{}
+\newcommand{\isasymimp}{\isasymlongrightarrow}
+\newcommand{\isasymImp}{\isasymLongrightarrow}
+\newcommand{\isasymFun}{\isasymRightarrow}
+\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
+\renewcommand{\S}{Sect.\ts}
+
+\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
+
+\newif\ifremarks
+\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
+
+%names of Isabelle rules
+\newcommand{\rulename}[1]{\hfill(#1)}
+\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
+
+%%%% meta-logical connectives
+
+\let\Forall=\bigwedge
+\let\Imp=\Longrightarrow
+\let\To=\Rightarrow
+\newcommand{\Var}[1]{{?\!#1}}
+
+%%% underscores as ordinary characters, not for subscripting
+%% use @ or \sb for subscripting; use \at for @
+%% only works in \tt font
+%% must not make _ an active char; would make \ttindex fail!
+\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
+\gdef\underscoreon{\catcode`\_=8\makeatother}
+\chardef\other=12
+\chardef\at=`\@
+
+% alternative underscore
+\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
+
+
+%%%% ``WARNING'' environment: 2 ! characters separated by negative thin space
+\def\warnbang{\vtop to 0pt{\vss\hbox{\Huge\bf!\!!}\vss}}
+\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
+ \small %%WAS\baselineskip=0.9\baselineskip
+ \noindent \hangindent\parindent \hangafter=-2
+ \hbox to0pt{\hskip-\hangindent\warnbang\hfill}\ignorespaces}%
+ {\par\endgroup\medbreak}
+
+%%%% ``PROOF GENERAL'' environment
+\def\pghead{\lower3pt\vbox to 0pt{\vss\hbox{\includegraphics[width=12pt]{pghead}}\vss}}
+\newenvironment{pgnote}{\medskip\medbreak\begingroup \clubpenalty=10000
+ \small \noindent \hangindent\parindent \hangafter=-2
+ \hbox to0pt{\hskip-\hangindent \pghead\hfill}\ignorespaces}%
+ {\par\endgroup\medbreak}
+\newcommand{\pgmenu}[1]{\textsf{#1}}
+
+
+%%%% Standard logical symbols
+\let\turn=\vdash
+\let\conj=\wedge
+\let\disj=\vee
+\let\imp=\rightarrow
+\let\bimp=\leftrightarrow
+\newcommand\all[1]{\forall#1.} %quantification
+\newcommand\ex[1]{\exists#1.}
+\newcommand{\pair}[1]{\langle#1\rangle}
+
+\newcommand{\lparr}{\mathopen{(\!|}}
+\newcommand{\rparr}{\mathclose{|\!)}}
+\newcommand{\fs}{\mathpunct{,\,}}
+\newcommand{\ty}{\mathrel{::}}
+\newcommand{\asn}{\mathrel{:=}}
+\newcommand{\more}{\ldots}
+\newcommand{\record}[1]{\lparr #1 \rparr}
+\newcommand{\dtt}{\mathord.}
+
+\newcommand\lbrakk{\mathopen{[\![}}
+\newcommand\rbrakk{\mathclose{]\!]}}
+\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
+\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
+\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
+\newcommand{\Text}[1]{\mbox{#1}}
+
+\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
+\newcommand{\dsh}{\mathit{\dshsym}}
+
+\let\int=\cap
+\let\un=\cup
+\let\inter=\bigcap
+\let\union=\bigcup
+
+\def\ML{{\sc ml}}
+\def\AST{{\sc ast}}
+
+%macros to change the treatment of symbols
+\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
+\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
+\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
+
+%redefinition of \sloppy and \fussy to use \emergencystretch
+\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
+\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
+
+%non-bf version of description
+\def\descrlabel#1{\hspace\labelsep #1}
+\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
+\let\enddescr\endlist
+
+% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
+% generate text italic rather than math italic by default. This makes
+% multi-letter identifiers look better. The mathcode for character c
+% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
+%
+\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
+\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
+ \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
+ \advance\count0 by1 \advance\count1 by1 \repeat}}
+\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
+\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
Binary file src/Doc/Tutorial/document/typedef.pdf has changed
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/typedef.ps Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2461 @@
+%!PS-Adobe-3.0
+%%Title: (new.pdf)
+%%Version: 1 3
+%%DocumentData: Clean7Bit
+%%LanguageLevel: 2
+%%BoundingBox: 155 328 457 464
+%%Pages: 1
+%%DocumentProcessColors: (atend)
+%%DocumentSuppliedResources: (atend)
+%%EndComments
+%%BeginDefaults
+%%EndDefaults
+%%BeginProlog
+%%EndProlog
+%%BeginSetup
+%%BeginResource: l2check
+%%Copyright: Copyright 1993 Adobe Systems Incorporated. All Rights Reserved.
+systemdict /languagelevel known
+{ systemdict /languagelevel get 1 eq }
+{ true }
+ifelse
+{
+initgraphics /Helvetica findfont 18 scalefont setfont
+72 600 moveto (Error: Your printer driver needs to be configured) dup show
+72 580 moveto (for printing to a PostScript Language Level 1 printer.) dup show
+exch = =
+/Helvetica-Bold findfont 16 scalefont setfont
+72 520 moveto (Windows and Unix) show
+/Times-Roman findfont 16 scalefont setfont
+72 500 moveto (Select ªLanguage Level 1º in the PostScript options section) show
+72 480 moveto (of the Acrobat print dialog.) show
+/Helvetica-Bold findfont 16 scalefont setfont
+72 440 moveto (Macintosh) show
+/Times-Roman findfont 16 scalefont setfont
+72 420 moveto (In the Chooser, select your printer driver.) show
+72 400 moveto (Then select your printer and click the Setup button.) show
+72 380 moveto (Follow any on-screen dialogs that may appear.) show
+showpage
+quit
+}
+if
+%%EndResource
+/currentpacking where{pop currentpacking true setpacking}if
+%%BeginResource: procset pdfvars
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Version: 4.0 2
+%%Title: definition of dictionary of variables used by PDF & PDFText procsets
+userdict /PDF 160 dict put
+userdict /PDFVars 86 dict dup begin put
+/_save 0 def
+/_cshow 0 def
+/InitAll 0 def
+/TermAll 0 def
+/DocInitAll 0 def
+/DocTermAll 0 def
+/_lp /none def
+/_doClip 0 def
+/sfc 0 def
+/_sfcs 0 def
+/_sfc 0 def
+/ssc 0 def
+/_sscs 0 def
+/_ssc 0 def
+/_fcs 0 def
+/_scs 0 def
+/_fp 0 def
+/_sp 0 def
+/AGM_MAX_CS_COMPONENTS 10 def
+/_fillColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
+/_strokeColors [ 0 1 AGM_MAX_CS_COMPONENTS { array } for ] def
+/_fc null def
+/_sc null def
+/DefaultGray [/DeviceGray] def
+/DefaultRGB [/DeviceRGB] def
+/DefaultCMYK [/DeviceCMYK] def
+/_inT false def
+/_tr -1 def
+/_rise 0 def
+/_ax 0 def
+/_cx 0 def
+/_ld 0 def
+/_tm matrix def
+/_ctm matrix def
+/_mtx matrix def
+/_hy (-) def
+/_fScl 0 def
+/_hs 1 def
+/_pdfEncodings 2 array def
+/_baselineadj 0 def
+/_fTzero false def
+/_Tj 0 def
+/_italMtx [1 0 .212557 1 0 0] def
+/_italMtx_WMode1 [1 -.212557 0 1 0 0] def
+/_italMtxType0 [1 0 .1062785 1 0 0] def
+/_italMtx_WMode1Type0 [1 -.1062785 0 1 0 0] def
+/_basefont 0 def
+/_basefonto 0 def
+/_pdf_oldCIDInit null def
+/_pdf_FontDirectory 30 dict def
+/_categories 10 dict def
+/_sa? true def
+/_op? false def
+/_OP? false def
+/_opmode 0 def
+/_ColorSep5044? false def
+/_tmpcolr? [] def
+/_tmpop? {} def
+/_processColors 0 def
+/_defaulttransfer currenttransfer def
+/_defaultflatness currentflat def
+/_defaulthalftone null def
+/_defaultcolortransfer null def
+/_defaultblackgeneration null def
+/_defaultundercolorremoval null def
+/_defaultcolortransfer null def
+end
+%%EndResource
+PDFVars begin PDF begin
+%%BeginResource: procset pdfutil
+%%Copyright: Copyright 1993-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Version: 4.0 2
+%%Title: Basic utilities used by other PDF procsets
+/bd {bind def} bind def
+/ld {load def} bd
+/bld {
+dup length dict begin
+{ null def } forall
+bind
+end
+def
+} bd
+/dd { PDFVars 3 1 roll put } bd
+/xdd { exch dd } bd
+/Level2?
+systemdict /languagelevel known
+{ systemdict /languagelevel get 2 ge } { false } ifelse
+def
+/Level3?
+systemdict /languagelevel known
+{systemdict /languagelevel get 3 eq } { false } ifelse
+def
+/getifknown {
+2 copy known { get true } { pop pop false } ifelse
+} bd
+/here {
+currentdict exch getifknown
+} bd
+/isdefined? { where { pop true } { false } ifelse } bd
+/StartLoad { dup dup not { /_save save dd } if } bd
+/EndLoad { if not { _save restore } if } bd
+%%EndResource
+%%BeginResource: procset pdf
+%%Version: 4.0 3
+%%Copyright: Copyright 1998-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: General operators for PDF, common to all Language Levels.
+[/b/B/b*/B*/BDC/BI/BMC/BT/BX/c/cm/cs/CS/d/d0/d1/Do/DP/EI/EMC/ET/EX/f/f*/g/G/gs
+/h/i/j/J/k/K/l/m/M/MP/n/q/Q/re/rg/RG/ri/s/S/sc/SC/scn/SCN/sg/Tc/Td/TD/Tf/Tj/TJ
+/TL/Tm/Tr/Ts/Tw/Tz/T*/v/w/W/W*/y/'/"
+/applyInterpFunc/applystitchFunc/domainClip/EF/encodeInput/gsDI/ilp/icl
+/initgs/int/limit/PS/rangeClip/RC/rf/makePat/csfamily
+/? /! /| /: /+ /GetGlyphDirectory
+] {null def} bind forall
+/v { currentpoint 6 2 roll c } bd
+/y { 2 copy c } bd
+/h/closepath ld
+/d/setdash ld
+/j/setlinejoin ld
+/J/setlinecap ld
+/M/setmiterlimit ld
+/w/setlinewidth ld
+/i {
+dup 0 eq { pop _defaultflatness } if
+setflat
+} bd
+/gsDI {
+begin
+/OP here { /_OP? xdd } if
+/op here { /_op? xdd }
+{ /OP here { /_op? xdd } if }
+ifelse
+/OPM here { /_opmode xdd } if
+/Font here { aload pop Tf } if
+/LW here { w } if
+/LC here { J } if
+/LJ here { j } if
+/ML here { M } if
+/D here { aload pop d } if
+end
+} bd
+/ilp { /_lp /none dd } bd
+/icl { /_doClip 0 dd } bd
+/W { /_doClip 1 dd } bd
+/W* { /_doClip 2 dd } bd
+/n {
+{{} {clip} {eoclip}} _doClip get exec
+icl
+newpath
+} bd
+/s { h S } bd
+/B { q f Q S } bd
+/B* { q f* Q S } bd
+/b { h B } bd
+/b* { h B* } bd
+/q/save ld
+/Q { restore ilp } bd
+/GetCSFamily {
+dup type /arraytype eq {0 get} if
+} bd
+/GetCompsDict
+11 dict begin
+/DeviceGray { pop 1 } bd
+/DeviceRGB { pop 3 } bd
+/DeviceCMYK { pop 4 } bd
+/CIEBasedA { pop 1 } bd
+/CIEBasedABC { pop 3 } bd
+/CIEBasedDEF { pop 3 } bd
+/CIEBasedDEFG { pop 4 } bd
+/DeviceN { 1 get length } bd
+/Separation { pop 1 } bd
+/Indexed { pop 1 } bd
+/Pattern { pop 0 } bd
+currentdict
+end
+def
+/GetComps {
+GetCompsDict
+1 index GetCSFamily
+get exec
+} bd
+/cs
+{
+dup _fcs eq
+{ pop }
+{ dup /_fcs xdd
+GetComps
+_fillColors exch get
+/_fc xdd
+/_fp null dd
+} ifelse
+} bd
+/CS
+{
+dup _scs eq
+{ pop }
+{ dup /_scs xdd GetComps _strokeColors exch get /_sc xdd /_sp null dd }
+ifelse
+} bd
+/sc {
+_fc astore pop
+ilp
+} bd
+/SC {
+_sc astore pop
+ilp
+} bd
+/g { DefaultGray cs sc } bd
+/rg { DefaultRGB cs sc } bd
+/k { DefaultCMYK cs sc } bd
+/G { DefaultGray CS SC } bd
+/RG { DefaultRGB CS SC } bd
+/K { DefaultCMYK CS SC } bd
+/cm { _mtx astore concat } bd
+/re {
+4 2 roll m
+1 index 0 rlineto
+0 exch rlineto
+neg 0 rlineto
+h
+} bd
+/RC/rectclip ld
+/EF/execform ld
+/PS { cvx exec } bd
+/initgs {
+/DefaultGray [/DeviceGray] dd
+/DefaultRGB [/DeviceRGB] dd
+/DefaultCMYK [/DeviceCMYK] dd
+0 g 0 G
+[] 0 d
+0 j
+0 J
+10 M
+1 w
+true setSA
+/_op? false dd
+/_OP? false dd
+/_opmode 0 dd
+/_defaulttransfer load settransfer
+0 i
+/RelativeColorimetric ri
+newpath
+} bd
+/int {
+dup 2 index sub 3 index 5 index sub div 6 -2 roll sub mul
+exch pop add exch pop
+} bd
+/limit {
+dup 2 index le { exch } if pop
+dup 2 index ge { exch } if pop
+} bd
+/domainClip {
+Domain aload pop 3 2 roll
+limit
+} [/Domain] bld
+/applyInterpFunc {
+0 1 DimOut 1 sub
+{
+dup C0 exch get exch
+dup C1 exch get exch
+3 1 roll
+1 index sub
+3 index
+N exp mul add
+exch
+currentdict /Range_lo known
+{
+dup Range_lo exch get exch
+Range_hi exch get
+3 2 roll limit
+}
+{
+pop
+}
+ifelse
+exch
+} for
+pop
+} [/DimOut /C0 /C1 /N /Range_lo /Range_hi] bld
+/encodeInput {
+NumParts 1 sub
+0 1 2 index
+{
+dup Bounds exch get
+2 index gt
+{ exit }
+{ dup
+3 index eq
+{ exit }
+{ pop } ifelse
+} ifelse
+} for
+3 2 roll pop
+dup Bounds exch get exch
+dup 1 add Bounds exch get exch
+2 mul
+dup Encode exch get exch
+1 add Encode exch get
+int
+} [/NumParts /Bounds /Encode] bld
+/rangeClip {
+exch dup Range_lo exch get
+exch Range_hi exch get
+3 2 roll
+limit
+} [/Range_lo /Range_hi] bld
+/applyStitchFunc {
+Functions exch get exec
+currentdict /Range_lo known {
+0 1 DimOut 1 sub {
+DimOut 1 add -1 roll
+rangeClip
+} for
+} if
+} [/Functions /Range_lo /DimOut] bld
+%%EndResource
+%%BeginResource: procset pdflev2
+%%Version: 4.0 5
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%LanguageLevel: 2
+%%Title: PDF operators, with code specific for Level 2
+/_defaulthalftone currenthalftone dd
+/_defaultblackgeneration currentblackgeneration dd
+/_defaultundercolorremoval currentundercolorremoval dd
+/_defaultcolortransfer [currentcolortransfer] dd
+/initialize {
+_defaulthalftone sethalftone
+/_defaultblackgeneration load setblackgeneration
+/_defaultundercolorremoval load setundercolorremoval
+_defaultcolortransfer aload pop setcolortransfer
+false setoverprint
+<</MaxFormItem 0>> setuserparams
+} bd
+/terminate { } bd
+/m/moveto ld
+/l/lineto ld
+/c/curveto ld
+/setSA/setstrokeadjust ld
+/defineRes/defineresource ld
+/findRes/findresource ld
+currentglobal
+true systemdict /setglobal get exec
+[/Function /ExtGState /Form /Shading /FunctionDictionary /MadePattern /PatternPrototype /DataSource]
+{ /Generic /Category findresource dup length dict copy /Category defineresource pop }
+forall
+systemdict /setglobal get exec
+/ri
+{
+/findcolorrendering isdefined?
+{
+mark exch
+findcolorrendering
+counttomark 2 eq
+{ type /booleantype eq
+{ dup type /nametype eq
+{ dup /ColorRendering resourcestatus
+{ pop pop
+dup /DefaultColorRendering ne
+{
+/ColorRendering findresource
+setcolorrendering
+} if
+} if
+} if
+} if
+} if
+cleartomark
+}
+{ pop
+} ifelse
+} bd
+/_sfcs {_fcs setcolorspace} bind dd
+/_sscs {_scs setcolorspace} bind dd
+/_sfc
+{
+_fc aload pop
+_fp null eq
+{ setcolor }
+{ _fp setpattern }
+ifelse
+} bind dd
+/_ssc
+{
+_sc aload pop
+_sp null eq { setcolor} { _sp setpattern } ifelse
+} bind dd
+/scn {
+dup type /dicttype eq
+{ dup /_fp xdd
+/PaintType get 1 eq
+{ /_fc _fillColors 0 get dd ilp }
+{ /_fc _fillColors
+_fcs 1 get
+GetComps get dd
+sc
+}
+ifelse
+}
+{ sc }
+ifelse
+} bd
+/SCN {
+dup type /dicttype eq
+{ dup /_sp xdd
+/PaintType get 1 eq
+{ /_sc _strokeColors 0 get dd ilp }
+{ /_sc _strokeColors _scs 1 get GetComps get dd
+SC
+}
+ifelse
+}
+{ SC }
+ifelse
+} bd
+/gs
+{
+begin
+/SA here { setstrokeadjust } if
+/BG here { setblackgeneration } if
+/UCR here { setundercolorremoval } if
+/FL here { i } if
+/RI here { ri } if
+/TR here
+{
+dup xcheck
+{ settransfer }
+{ aload pop setcolortransfer }
+ifelse
+} if
+/sethalftonephase isdefined? { /HTP here { sethalftonephase } if } if
+/HT here { sethalftone } if
+currentdict gsDI
+end
+} bd
+/sfc {
+_op? setoverprint
+_lp /fill ne {
+_sfcs
+_sfc
+/_lp /fill dd
+} if
+} dd
+/ssc {
+_OP? setoverprint
+_lp /stroke ne {
+_sscs
+_ssc
+/_lp /stroke dd
+} if
+} dd
+/f {
+{ { sfc fill }
+{gsave sfc fill grestore clip newpath icl ilp}
+{gsave sfc fill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/f* {
+{ { sfc eofill }
+{gsave sfc eofill grestore clip newpath icl ilp}
+{gsave sfc eofill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/S {
+{ { ssc stroke }
+{gsave ssc stroke grestore clip newpath icl ilp}
+{gsave ssc stroke grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/rf {
+{ { sfc rectfill }
+{gsave sfc rectfill grestore clip newpath icl ilp}
+{gsave sfc rectfill grestore eoclip newpath icl ilp}
+} _doClip get exec
+} bd
+/knownColorants? {
+pop false
+} bd
+/makePat {
+gsave
+dup /Matrix get concat
+matrix makepattern
+grestore
+/MadePattern defineRes pop
+} bd
+%%EndResource
+%%BeginResource: procset spots
+%%Version: 4.0 1
+%%Copyright: Copyright 1987-1999 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: Predefined (named) spot functions for PDF
+21 dict dup begin
+/CosineDot
+{ 180 mul cos exch 180 mul cos add 2 div } bd
+/Cross
+{ abs exch abs 2 copy gt { exch } if pop neg } bd
+/Diamond
+{ abs exch abs 2 copy add .75 le
+{ dup mul exch dup mul add 1 exch sub }
+{ 2 copy add 1.23 le
+{ .85 mul add 1 exch sub }
+{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
+ifelse }
+ifelse } bd
+/Double
+{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add } bd
+/DoubleDot
+{ 2 { 360 mul sin 2 div exch } repeat add } bd
+/Ellipse
+{ abs exch abs 2 copy 3 mul exch 4 mul add 3 sub dup 0 lt
+{ pop dup mul exch .75 div dup mul add 4 div
+1 exch sub }
+{ dup 1 gt
+{pop 1 exch sub dup mul exch 1 exch sub
+.75 div dup mul add 4 div 1 sub }
+{ .5 exch sub exch pop exch pop }
+ifelse }
+ifelse } bd
+/EllipseA
+{ dup mul .9 mul exch dup mul add 1 exch sub } bd
+/EllipseB
+{ dup 5 mul 8 div mul exch dup mul exch add sqrt 1 exch sub } bd
+/EllipseC
+{ dup mul exch dup mul .9 mul add 1 exch sub } bd
+/InvertedDouble
+{ exch 2 div exch 2 { 360 mul sin 2 div exch } repeat add neg } bd
+/InvertedDoubleDot
+{ 2 { 360 mul sin 2 div exch } repeat add neg } bd
+/InvertedEllipseA
+{ dup mul .9 mul exch dup mul add 1 sub } bd
+/InvertedEllipseC
+{ dup mul exch dup mul .9 mul add 1 sub } bd
+/InvertedSimpleDot
+{ dup mul exch dup mul add 1 sub } bd
+/Line
+{ exch pop abs neg } bd
+/LineX
+{ pop } bd
+/LineY
+{ exch pop } bd
+/Rhomboid
+{ abs exch abs 0.9 mul add 2 div } bd
+/Round
+{ abs exch abs 2 copy add 1 le
+{ dup mul exch dup mul add 1 exch sub }
+{ 1 sub dup mul exch 1 sub dup mul add 1 sub }
+ifelse } bd
+/SimpleDot
+{ dup mul exch dup mul add 1 exch sub } bd
+/Square
+{ abs exch abs 2 copy lt { exch } if pop neg } bd
+end
+{ /Function defineRes pop } forall
+%%EndResource
+%%BeginResource: procset pdftext
+%%Version: 4.0 2
+%%Copyright: Copyright 1987-1998 Adobe Systems Incorporated. All Rights Reserved.
+%%Title: Text operators for PDF
+PDF /PDFText 75 dict dup begin put
+/docinitialize
+{
+/resourcestatus where {
+pop
+/CIDParams /ProcSet resourcestatus {
+pop pop
+false /CIDParams /ProcSet findresource /SetBuildCompatible get exec
+} if
+} if
+PDF begin
+PDFText /_pdfDefineIdentity-H known
+{ PDFText /_pdfDefineIdentity-H get exec}
+if
+end
+} bd
+/initialize {
+PDFText begin
+/_intT false dd
+0 Tr
+} bd
+/terminate { end } bd
+/_safeput
+{
+Level2? not
+{
+2 index load dup dup length exch maxlength ge
+{ dup length 5 add dict copy
+3 index xdd
+}
+{ pop }
+ifelse
+}
+if
+3 -1 roll load 3 1 roll put
+}
+bd
+/pdf_has_composefont? systemdict /composefont known def
+/CopyFont {
+{
+1 index /FID ne 2 index /UniqueID ne and
+{ def } { pop pop } ifelse
+} forall
+} bd
+/Type0CopyFont
+{
+exch
+dup length dict
+begin
+CopyFont
+[
+exch
+FDepVector
+{
+dup /FontType get 0 eq
+{
+1 index Type0CopyFont
+/_pdfType0 exch definefont
+}
+{
+/_pdfBaseFont exch
+2 index exec
+}
+ifelse
+exch
+}
+forall
+pop
+]
+/FDepVector exch def
+currentdict
+end
+} bd
+/cHexEncoding
+[/c00/c01/c02/c03/c04/c05/c06/c07/c08/c09/c0A/c0B/c0C/c0D/c0E/c0F/c10/c11/c12
+/c13/c14/c15/c16/c17/c18/c19/c1A/c1B/c1C/c1D/c1E/c1F/c20/c21/c22/c23/c24/c25
+/c26/c27/c28/c29/c2A/c2B/c2C/c2D/c2E/c2F/c30/c31/c32/c33/c34/c35/c36/c37/c38
+/c39/c3A/c3B/c3C/c3D/c3E/c3F/c40/c41/c42/c43/c44/c45/c46/c47/c48/c49/c4A/c4B
+/c4C/c4D/c4E/c4F/c50/c51/c52/c53/c54/c55/c56/c57/c58/c59/c5A/c5B/c5C/c5D/c5E
+/c5F/c60/c61/c62/c63/c64/c65/c66/c67/c68/c69/c6A/c6B/c6C/c6D/c6E/c6F/c70/c71
+/c72/c73/c74/c75/c76/c77/c78/c79/c7A/c7B/c7C/c7D/c7E/c7F/c80/c81/c82/c83/c84
+/c85/c86/c87/c88/c89/c8A/c8B/c8C/c8D/c8E/c8F/c90/c91/c92/c93/c94/c95/c96/c97
+/c98/c99/c9A/c9B/c9C/c9D/c9E/c9F/cA0/cA1/cA2/cA3/cA4/cA5/cA6/cA7/cA8/cA9/cAA
+/cAB/cAC/cAD/cAE/cAF/cB0/cB1/cB2/cB3/cB4/cB5/cB6/cB7/cB8/cB9/cBA/cBB/cBC/cBD
+/cBE/cBF/cC0/cC1/cC2/cC3/cC4/cC5/cC6/cC7/cC8/cC9/cCA/cCB/cCC/cCD/cCE/cCF/cD0
+/cD1/cD2/cD3/cD4/cD5/cD6/cD7/cD8/cD9/cDA/cDB/cDC/cDD/cDE/cDF/cE0/cE1/cE2/cE3
+/cE4/cE5/cE6/cE7/cE8/cE9/cEA/cEB/cEC/cED/cEE/cEF/cF0/cF1/cF2/cF3/cF4/cF5/cF6
+/cF7/cF8/cF9/cFA/cFB/cFC/cFD/cFE/cFF] def
+/modEnc {
+/_enc xdd
+/_icode 0 dd
+counttomark 1 sub -1 0
+{
+index
+dup type /nametype eq
+{
+_enc _icode 3 -1 roll put
+_icode 1 add
+}
+if
+/_icode xdd
+} for
+cleartomark
+_enc
+} bd
+/trEnc {
+/_enc xdd
+255 -1 0 {
+exch dup -1 eq
+{ pop /.notdef }
+{ Encoding exch get }
+ifelse
+_enc 3 1 roll put
+} for
+pop
+_enc
+} bd
+/TE {
+/_i xdd
+StandardEncoding 256 array copy modEnc
+_pdfEncodings exch _i exch put
+} bd
+/TZ
+{
+/_usePDFEncoding xdd
+findfont
+dup length 6 add dict
+begin
+{
+1 index /FID ne { def } { pop pop } ifelse
+} forall
+/pdf_origFontName FontName def
+/FontName exch def
+_usePDFEncoding 0 ge
+{
+/Encoding _pdfEncodings _usePDFEncoding get def
+pop
+}
+{
+_usePDFEncoding -1 eq
+{
+counttomark 0 eq
+{ pop }
+{
+Encoding 256 array copy
+modEnc /Encoding exch def
+}
+ifelse
+}
+{
+256 array
+trEnc /Encoding exch def
+}
+ifelse
+}
+ifelse
+pdf_EuroProcSet pdf_origFontName known
+{
+pdf_origFontName pdf_AddEuroGlyphProc
+} if
+FontName currentdict
+end
+definefont pop
+}
+bd
+/Level2?
+systemdict /languagelevel known
+{systemdict /languagelevel get 2 ge}
+{false}
+ifelse
+def
+Level2?
+{
+/_pdfFontStatus
+{
+currentglobal exch
+/Font resourcestatus
+{pop pop true}
+{false}
+ifelse
+exch setglobal
+} bd
+}
+{
+/_pdfFontStatusString 50 string def
+_pdfFontStatusString 0 (fonts/) putinterval
+/_pdfFontStatus
+{
+FontDirectory 1 index known
+{ pop true }
+{
+_pdfFontStatusString 6 42 getinterval
+cvs length 6 add
+_pdfFontStatusString exch 0 exch getinterval
+{ status } stopped
+{pop false}
+{
+{ pop pop pop pop true}
+{ false }
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+ifelse
+Level2?
+{
+/_pdfCIDFontStatus
+{
+/CIDFont /Category resourcestatus
+{
+pop pop
+/CIDFont resourcestatus
+{pop pop true}
+{false}
+ifelse
+}
+{ pop false }
+ifelse
+} bd
+}
+if
+/_pdfString100 100 string def
+/_pdfComposeFontName
+{
+dup length 1 eq
+{
+0 get
+1 index
+type /nametype eq
+{
+_pdfString100 cvs
+length dup dup _pdfString100 exch (-) putinterval
+_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
+2 index exch cvs length
+add 1 add _pdfString100 exch 0 exch getinterval
+exch pop
+true
+}
+{
+pop pop
+false
+}
+ifelse
+}
+{
+false
+}
+ifelse
+dup {exch cvn exch} if
+} bd
+/_pdfConcatNames
+{
+exch
+_pdfString100 cvs
+length dup dup _pdfString100 exch (-) putinterval
+_pdfString100 exch 1 add dup _pdfString100 length exch sub getinterval
+3 -1 roll exch cvs length
+add 1 add _pdfString100 exch 0 exch getinterval
+cvn
+} bind def
+/_pdfTextTempString 50 string def
+/_pdfRegOrderingArray [(Adobe-Japan1) (Adobe-CNS1) (Adobe-Korea1) (Adobe-GB1)] def
+/_pdf_CheckSupplements
+{
+1 index _pdfTextTempString cvs
+false
+_pdfRegOrderingArray
+{
+2 index exch
+anchorsearch
+{ pop pop pop true exit}
+{ pop }
+ifelse
+}
+forall
+exch pop
+{
+/CIDFont findresource
+/CIDSystemInfo get /Supplement get
+exch /CMap findresource
+/CIDSystemInfo get
+dup type /dicttype eq
+{/Supplement get}
+{pop 0 }
+ifelse
+ge
+}
+{ pop pop true }
+ifelse
+} bind def
+pdf_has_composefont?
+{
+/_pdfComposeFont
+{
+2 copy _pdfComposeFontName not
+{
+2 index
+}
+if
+(pdf) exch _pdfConcatNames
+dup _pdfFontStatus
+{ dup findfont 5 2 roll pop pop pop true}
+{
+4 1 roll
+1 index /CMap resourcestatus
+{
+pop pop
+true
+}
+{false}
+ifelse
+1 index true exch
+{
+_pdfCIDFontStatus not
+{pop false exit}
+if
+}
+forall
+and
+{
+1 index 1 index 0 get _pdf_CheckSupplements
+{
+3 -1 roll pop
+2 index 3 1 roll
+composefont true
+}
+{
+pop pop exch pop false
+}
+ifelse
+}
+{
+_pdfComposeFontName
+{
+dup _pdfFontStatus
+{
+exch pop
+1 index exch
+findfont definefont true
+}
+{
+pop exch pop
+false
+}
+ifelse
+}
+{
+exch pop
+false
+}
+ifelse
+}
+ifelse
+{ true }
+{
+dup _pdfFontStatus
+{ dup findfont true }
+{ pop false }
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+{
+/_pdfComposeFont
+{
+_pdfComposeFontName not
+{
+dup
+}
+if
+dup
+_pdfFontStatus
+{exch pop dup findfont true}
+{
+1 index
+dup type /nametype eq
+{pop}
+{cvn}
+ifelse
+eq
+{pop false}
+{
+dup _pdfFontStatus
+{dup findfont true}
+{pop false}
+ifelse
+}
+ifelse
+}
+ifelse
+} bd
+}
+ifelse
+/_pdfStyleDicts 4 dict dup begin
+/Adobe-Japan1 4 dict dup begin
+Level2?
+{
+/Serif
+/HeiseiMin-W3-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiMin-W3}
+{
+/HeiseiMin-W3 _pdfCIDFontStatus
+{/HeiseiMin-W3}
+{/Ryumin-Light}
+ifelse
+}
+ifelse
+def
+/SansSerif
+/HeiseiKakuGo-W5-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiKakuGo-W5}
+{
+/HeiseiKakuGo-W5 _pdfCIDFontStatus
+{/HeiseiKakuGo-W5}
+{/GothicBBB-Medium}
+ifelse
+}
+ifelse
+def
+/HeiseiMaruGo-W4-83pv-RKSJ-H _pdfFontStatus
+{/HeiseiMaruGo-W4}
+{
+/HeiseiMaruGo-W4 _pdfCIDFontStatus
+{/HeiseiMaruGo-W4}
+{
+/Jun101-Light-RKSJ-H _pdfFontStatus
+{ /Jun101-Light }
+{ SansSerif }
+ifelse
+}
+ifelse
+}
+ifelse
+/RoundSansSerif exch def
+/Default Serif def
+}
+{
+/Serif /Ryumin-Light def
+/SansSerif /GothicBBB-Medium def
+{
+(fonts/Jun101-Light-83pv-RKSJ-H) status
+}stopped
+{pop}{
+{ pop pop pop pop /Jun101-Light }
+{ SansSerif }
+ifelse
+/RoundSansSerif exch def
+}ifelse
+/Default Serif def
+}
+ifelse
+end
+def
+/Adobe-Korea1 4 dict dup begin
+/Serif /HYSMyeongJo-Medium def
+/SansSerif /HYGoThic-Medium def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+/Adobe-GB1 4 dict dup begin
+/Serif /STSong-Light def
+/SansSerif /STHeiti-Regular def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+/Adobe-CNS1 4 dict dup begin
+/Serif /MKai-Medium def
+/SansSerif /MHei-Medium def
+/RoundSansSerif SansSerif def
+/Default Serif def
+end
+def
+end
+def
+/TZzero
+{
+/_fyAdj xdd
+/_wmode xdd
+/_styleArr xdd
+/_regOrdering xdd
+3 copy
+_pdfComposeFont
+{
+5 2 roll pop pop pop
+}
+{
+[
+0 1 _styleArr length 1 sub
+{
+_styleArr exch get
+_pdfStyleDicts _regOrdering 2 copy known
+{
+get
+exch 2 copy known not
+{ pop /Default }
+if
+get
+}
+{
+pop pop pop /Unknown
+}
+ifelse
+}
+for
+]
+exch pop
+2 index 3 1 roll
+_pdfComposeFont
+{3 -1 roll pop}
+{
+findfont dup /FontName get exch
+}
+ifelse
+}
+ifelse
+dup /WMode 2 copy known
+{ get _wmode ne }
+{ pop pop _wmode 1 eq}
+ifelse
+_fyAdj 0 ne or
+{
+exch _wmode _pdfConcatNames _fyAdj _pdfConcatNames
+dup _pdfFontStatus
+{ exch pop dup findfont false}
+{ exch true }
+ifelse
+}
+{
+dup /FontType get 0 ne
+}
+ifelse
+{
+dup /FontType get 3 eq _wmode 1 eq and
+{
+_pdfVerticalRomanT3Font dup length 10 add dict copy
+begin
+/_basefont exch
+dup length 3 add dict
+begin
+{1 index /FID ne {def}{pop pop} ifelse }
+forall
+/Encoding Encoding dup length array copy
+dup 16#27 /quotesingle put
+dup 16#60 /grave put
+_regOrdering /Adobe-Japan1 eq
+{dup 16#5c /yen put dup 16#a5 /yen put dup 16#b4 /yen put}
+if
+def
+FontName
+currentdict
+end
+definefont
+def
+/Encoding _basefont /Encoding get def
+/_fauxfont true def
+}
+{
+dup length 3 add dict
+begin
+{1 index /FID ne {def}{pop pop} ifelse }
+forall
+FontType 0 ne
+{
+/Encoding Encoding dup length array copy
+dup 16#27 /quotesingle put
+dup 16#60 /grave put
+_regOrdering /Adobe-Japan1 eq
+{dup 16#5c /yen put}
+if
+def
+/_fauxfont true def
+} if
+} ifelse
+/WMode _wmode def
+/BaseLineAdj _fyAdj def
+dup dup /FontName exch def
+currentdict
+end
+definefont pop
+}
+{
+pop
+}
+ifelse
+/_pdf_FontDirectory 3 1 roll _safeput
+}
+bd
+/swj {
+dup 4 1 roll
+dup length exch stringwidth
+exch 5 -1 roll 3 index mul add
+4 1 roll 3 1 roll mul add
+6 2 roll /_cnt 0 dd
+{1 index eq {/_cnt _cnt 1 add dd} if} forall pop
+exch _cnt mul exch _cnt mul 2 index add 4 1 roll 2 index add 4 1 roll pop pop
+} bd
+/jss {
+4 1 roll
+{
+pop pop
+(0) exch 2 copy 0 exch put
+gsave
+exch false charpath currentpoint
+5 index setmatrix stroke
+3 -1 roll
+32 eq
+{
+moveto
+5 index 5 index rmoveto currentpoint
+}
+if
+grestore
+moveto
+2 copy rmoveto
+} exch cshow
+6 {pop} repeat
+} def
+/jsfTzero {
+{
+pop pop
+(0) exch 2 copy 0 exch put
+exch show
+32 eq
+{
+4 index 4 index rmoveto
+}
+if
+2 copy rmoveto
+} exch cshow
+5 {pop} repeat
+} def
+/jsp
+{
+{
+pop pop
+(0) exch 2 copy 0 exch put
+32 eq
+dup {currentfont /Encoding get dup length 33 ge
+{32 get /space eq and}{pop}ifelse
+}if
+{ exch 5 index 5 index 5 index 5 -1 roll widthshow }
+{ false charpath }
+ifelse
+2 copy rmoveto
+} exch cshow
+5 {pop} repeat
+} bd
+/trj { _cx 0 fWModeProc 32 _ax 0 fWModeProc 6 5 roll } bd
+/pjsf { trj sfc fawidthshowProc } bd
+/pjss { trj _ctm ssc jss } bd
+/pjsc { trj jsp } bd
+/_Tjdef [
+/pjsf load
+/pjss load
+{
+dup
+currentpoint 3 2 roll
+pjsf
+newpath moveto
+pjss
+} bind
+{
+trj swj rmoveto
+} bind
+{
+dup currentpoint 4 2 roll gsave
+pjsf
+grestore 3 1 roll moveto
+pjsc
+} bind
+{
+dup currentpoint 4 2 roll
+currentpoint gsave newpath moveto
+pjss
+grestore 3 1 roll moveto
+pjsc
+} bind
+{
+dup currentpoint 4 2 roll gsave
+dup currentpoint 3 2 roll
+pjsf
+newpath moveto
+pjss
+grestore 3 1 roll moveto
+pjsc
+} bind
+/pjsc load
+] def
+/BT
+{
+/_inT true dd
+_ctm currentmatrix pop matrix _tm copy pop
+0 _rise _baselineadj add translate _hs 1 scale
+0 0 moveto
+} bd
+/ET
+{
+/_inT false dd
+_tr 3 gt {clip} if
+_ctm setmatrix newpath
+} bd
+/Tr {
+_inT { _tr 3 le {currentpoint newpath moveto} if } if
+dup /_tr xdd
+_Tjdef exch get /_Tj xdd
+} bd
+/Tj {
+userdict /$$copystring 2 index put
+_Tj
+} bd
+/iTm { _ctm setmatrix _tm concat 0 _rise _baselineadj add translate _hs 1 scale } bd
+/Tm { _tm astore pop iTm 0 0 moveto } bd
+/Td { _mtx translate _tm _tm concatmatrix pop iTm 0 0 moveto } bd
+/TD { dup /_ld xdd Td } bd
+/_nullProc {} bd
+/Tf {
+dup 1000 div /_fScl xdd
+_pdf_FontDirectory 2 index 2 copy known
+{get exch 3 -1 roll pop}
+{pop pop}
+ifelse
+Level2?
+{ selectfont }
+{ exch findfont exch scalefont setfont}
+ifelse
+currentfont dup
+/_nullProc exch
+/WMode known
+{
+1 index /WMode get 1 eq
+{pop /exch}
+if
+}
+if
+load /fWModeProc xdd
+dup
+/FontType get 0 eq dup _cx 0 ne and
+{ /jsfTzero }
+{ /awidthshow }
+ifelse
+load /fawidthshowProc xdd
+/_fTzero xdd
+dup /BaseLineAdj known
+{ dup /BaseLineAdj get _fScl mul }
+{ 0 }
+ifelse
+/_baselineadj xdd
+dup /_pdfT3Font known
+{ 0 }
+{_tr}
+ifelse
+_Tjdef exch get /_Tj xdd
+_intT
+{currentpoint iTm moveto}
+if
+pop
+} bd
+/TL { neg /_ld xdd } bd
+/Tw {
+/_cx xdd
+_cx 0 ne _fTzero and
+{ /jsfTzero }
+{ /awidthshow }
+ifelse
+load /fawidthshowProc xdd
+} bd
+/Tc { /_ax xdd } bd
+/Ts { /_rise xdd currentpoint iTm moveto } bd
+/Tz { 100 div /_hs xdd iTm } bd
+/Tk { exch pop _fScl mul neg 0 fWModeProc rmoveto } bd
+/T* { 0 _ld Td } bd
+/' { T* Tj } bd
+/" { exch Tc exch Tw ' } bd
+/TJ {
+{
+dup type /stringtype eq
+{ Tj }
+{ 0 exch Tk }
+ifelse
+} forall
+} bd
+/T- { _hy Tj } bd
+/d0/setcharwidth ld
+/d1 { setcachedevice /sfc{}dd /ssc{}dd } bd
+/nND {{/.notdef} repeat} bd
+/T3Defs {
+/BuildChar
+{
+1 index /Encoding get exch get
+1 index /BuildGlyph get exec
+}
+def
+/BuildGlyph {
+exch begin
+GlyphProcs exch get exec
+end
+} def
+/_pdfT3Font true def
+} bd
+/_pdfBoldRomanWidthProc
+{
+stringwidth 1 index 0 ne { exch .03 add exch }if setcharwidth
+0 0
+} bd
+/_pdfType0WidthProc
+{
+dup stringwidth 0 0 moveto
+2 index true charpath pathbbox
+0 -1
+7 index 2 div .88
+setcachedevice2
+pop
+0 0
+} bd
+/_pdfType0WMode1WidthProc
+{
+dup stringwidth
+pop 2 div neg -0.88
+2 copy
+moveto
+0 -1
+5 -1 roll true charpath pathbbox
+setcachedevice
+} bd
+/_pdfBoldBaseFont
+11 dict begin
+/FontType 3 def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/Encoding cHexEncoding def
+/_setwidthProc /_pdfBoldRomanWidthProc load def
+/_bcstr1 1 string def
+/BuildChar
+{
+exch begin
+_basefont setfont
+_bcstr1 dup 0 4 -1 roll put
+dup
+_setwidthProc
+3 copy
+moveto
+show
+_basefonto setfont
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+pdf_has_composefont?
+{
+/_pdfBoldBaseCIDFont
+11 dict begin
+/CIDFontType 1 def
+/CIDFontName /_pdfBoldBaseCIDFont def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/_setwidthProc /_pdfType0WidthProc load def
+/_bcstr2 2 string def
+/BuildGlyph
+{
+exch begin
+_basefont setfont
+_bcstr2 1 2 index 256 mod put
+_bcstr2 0 3 -1 roll 256 idiv put
+_bcstr2 dup _setwidthProc
+3 copy
+moveto
+show
+_basefonto setfont
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+/_pdfDefineIdentity-H
+{
+/Identity-H /CMap resourcestatus
+{
+pop pop
+}
+{
+/CIDInit/ProcSet findresource begin 12 dict begin
+begincmap
+/CIDSystemInfo
+3 dict begin
+/Registry (Adobe) def
+/Ordering (Identity) def
+/Supplement 0 def
+currentdict
+end
+def
+/CMapName /Identity-H def
+/CMapVersion 1 def
+/CMapType 1 def
+1 begincodespacerange
+<0000> <ffff>
+endcodespacerange
+1 begincidrange
+<0000> <ffff> 0
+endcidrange
+endcmap
+CMapName currentdict/CMap defineresource pop
+end
+end
+} ifelse
+} def
+} if
+/_pdfVerticalRomanT3Font
+10 dict begin
+/FontType 3 def
+/FontMatrix[1 0 0 1 0 0]def
+/FontBBox[0 0 1 1]def
+/_bcstr1 1 string def
+/BuildChar
+{
+exch begin
+_basefont setfont
+_bcstr1 dup 0 4 -1 roll put
+dup
+_pdfType0WidthProc
+moveto
+show
+end
+}bd
+currentdict
+end
+def
+/MakeBoldFont
+{
+dup /ct_SyntheticBold known
+{
+dup length 3 add dict begin
+CopyFont
+/ct_StrokeWidth .03 0 FontMatrix idtransform pop def
+/ct_SyntheticBold true def
+currentdict
+end
+definefont
+}
+{
+dup dup length 3 add dict
+begin
+CopyFont
+/PaintType 2 def
+/StrokeWidth .03 0 FontMatrix idtransform pop def
+/dummybold currentdict
+end
+definefont
+dup /FontType get dup 9 ge exch 11 le and
+{
+_pdfBoldBaseCIDFont
+dup length 3 add dict copy begin
+dup /CIDSystemInfo get /CIDSystemInfo exch def
+/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
+/_basefont exch def
+/_Type0Identity /Identity-H 3 -1 roll [ exch ] composefont
+/_basefonto exch def
+currentdict
+end
+/CIDFont defineresource
+}
+{
+_pdfBoldBaseFont
+dup length 3 add dict copy begin
+/_basefont exch def
+/_basefonto exch def
+currentdict
+end
+definefont
+}
+ifelse
+}
+ifelse
+} bd
+/MakeBold {
+1 index
+_pdf_FontDirectory 2 index 2 copy known
+{get}
+{exch pop}
+ifelse
+findfont
+dup
+/FontType get 0 eq
+{
+dup /WMode known {dup /WMode get 1 eq }{false} ifelse
+version length 4 ge
+and
+{version 0 4 getinterval cvi 2015 ge }
+{true}
+ifelse
+{/_pdfType0WidthProc}
+{/_pdfType0WMode1WidthProc}
+ifelse
+_pdfBoldBaseFont /_setwidthProc 3 -1 roll load put
+{MakeBoldFont} Type0CopyFont definefont
+}
+{
+dup /_fauxfont known not 1 index /SubstMaster known not and
+{
+_pdfBoldBaseFont /_setwidthProc /_pdfBoldRomanWidthProc load put
+MakeBoldFont
+}
+{
+2 index 2 index eq
+{ exch pop }
+{
+dup length dict begin
+CopyFont
+currentdict
+end
+definefont
+}
+ifelse
+}
+ifelse
+}
+ifelse
+pop pop
+dup /dummybold ne
+{/_pdf_FontDirectory exch dup _safeput }
+{ pop }
+ifelse
+}bd
+/MakeItalic {
+_pdf_FontDirectory exch 2 copy known
+{get}
+{exch pop}
+ifelse
+dup findfont
+dup /FontInfo 2 copy known
+{
+get
+/ItalicAngle 2 copy known
+{get 0 eq }
+{ pop pop true}
+ifelse
+}
+{ pop pop true}
+ifelse
+{
+exch pop
+dup /FontType get 0 eq Level2? not and
+{ dup /FMapType get 6 eq }
+{ false }
+ifelse
+{
+dup /WMode 2 copy known
+{
+get 1 eq
+{ _italMtx_WMode1Type0 }
+{ _italMtxType0 }
+ifelse
+}
+{ pop pop _italMtxType0 }
+ifelse
+}
+{
+dup /WMode 2 copy known
+{
+get 1 eq
+{ _italMtx_WMode1 }
+{ _italMtx }
+ifelse
+}
+{ pop pop _italMtx }
+ifelse
+}
+ifelse
+makefont
+dup /FontType get 42 eq Level2? not or
+{
+dup length dict begin
+CopyFont
+currentdict
+end
+}
+if
+1 index exch
+definefont pop
+/_pdf_FontDirectory exch dup _safeput
+}
+{
+pop
+2 copy ne
+{
+/_pdf_FontDirectory 3 1 roll _safeput
+}
+{ pop pop }
+ifelse
+}
+ifelse
+}bd
+/MakeBoldItalic {
+/dummybold exch
+MakeBold
+/dummybold
+MakeItalic
+}bd
+Level2?
+{
+/pdf_CopyDict
+{1 index length add dict copy}
+def
+}
+{
+/pdf_CopyDict
+{
+1 index length add dict
+1 index wcheck
+{ copy }
+{ begin
+{def} forall
+currentdict
+end
+}
+ifelse
+}
+def
+}
+ifelse
+/pdf_AddEuroGlyphProc
+{
+currentdict /CharStrings known
+{
+CharStrings /Euro known not
+{
+dup
+/CharStrings
+CharStrings 1 pdf_CopyDict
+begin
+/Euro pdf_EuroProcSet 4 -1 roll get def
+currentdict
+end
+def
+/pdf_PSBuildGlyph /pdf_PSBuildGlyph load def
+/pdf_PathOps /pdf_PathOps load def
+/Symbol eq
+{
+/Encoding Encoding dup length array copy
+dup 160 /Euro put def
+}
+if
+}
+{ pop
+}
+ifelse
+}
+{ pop
+}
+ifelse
+}
+def
+/pdf_PathOps 4 dict dup begin
+/m {moveto} def
+/l {lineto} def
+/c {curveto} def
+/cp {closepath} def
+end
+def
+/pdf_PSBuildGlyph
+{
+gsave
+8 -1 roll pop
+7 1 roll
+currentdict /PaintType 2 copy known {get 2 eq}{pop pop false} ifelse
+dup 9 1 roll
+{
+currentdict /StrokeWidth 2 copy known
+{
+get 2 div
+5 1 roll
+4 -1 roll 4 index sub
+4 1 roll
+3 -1 roll 4 index sub
+3 1 roll
+exch 4 index add exch
+4 index add
+5 -1 roll pop
+}
+{
+pop pop
+}
+ifelse
+}
+if
+setcachedevice
+pdf_PathOps begin
+exec
+end
+{
+currentdict /StrokeWidth 2 copy known
+{ get }
+{ pop pop 0 }
+ifelse
+setlinewidth stroke
+}
+{
+fill
+}
+ifelse
+grestore
+} def
+/pdf_EuroProcSet 13 dict def
+pdf_EuroProcSet
+begin
+/Courier-Bold
+{
+600 0 6 -12 585 612
+{
+385 274 m
+180 274 l
+179 283 179 293 179 303 c
+179 310 179 316 180 323 c
+398 323 l
+423 404 l
+197 404 l
+219 477 273 520 357 520 c
+409 520 466 490 487 454 c
+487 389 l
+579 389 l
+579 612 l
+487 612 l
+487 560 l
+449 595 394 612 349 612 c
+222 612 130 529 98 404 c
+31 404 l
+6 323 l
+86 323 l
+86 304 l
+86 294 86 284 87 274 c
+31 274 l
+6 193 l
+99 193 l
+129 77 211 -12 359 -12 c
+398 -12 509 8 585 77 c
+529 145 l
+497 123 436 80 356 80 c
+285 80 227 122 198 193 c
+360 193 l
+cp
+600 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Courier-BoldOblique /Courier-Bold load def
+/Courier
+{
+600 0 17 -12 578 584
+{
+17 204 m
+97 204 l
+126 81 214 -12 361 -12 c
+440 -12 517 17 578 62 c
+554 109 l
+501 70 434 43 366 43 c
+266 43 184 101 154 204 c
+380 204 l
+400 259 l
+144 259 l
+144 270 143 281 143 292 c
+143 299 143 307 144 314 c
+418 314 l
+438 369 l
+153 369 l
+177 464 249 529 345 529 c
+415 529 484 503 522 463 c
+522 391 l
+576 391 l
+576 584 l
+522 584 l
+522 531 l
+473 566 420 584 348 584 c
+216 584 122 490 95 369 c
+37 369 l
+17 314 l
+87 314 l
+87 297 l
+87 284 88 272 89 259 c
+37 259 l
+cp
+600 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Courier-Oblique /Courier load def
+/Helvetica
+{
+556 0 24 -19 541 703
+{
+541 628 m
+510 669 442 703 354 703 c
+201 703 117 607 101 444 c
+50 444 l
+25 372 l
+97 372 l
+97 301 l
+49 301 l
+24 229 l
+103 229 l
+124 67 209 -19 350 -19 c
+435 -19 501 25 509 32 c
+509 131 l
+492 105 417 60 343 60 c
+267 60 204 127 197 229 c
+406 229 l
+430 301 l
+191 301 l
+191 372 l
+455 372 l
+479 444 l
+194 444 l
+201 531 245 624 348 624 c
+433 624 484 583 509 534 c
+cp
+556 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Helvetica-Oblique /Helvetica load def
+/Helvetica-Bold
+{
+556 0 12 -19 563 710
+{
+563 621 m
+537 659 463 710 363 710 c
+216 710 125 620 101 462 c
+51 462 l
+12 367 l
+92 367 l
+92 346 l
+92 337 93 328 93 319 c
+52 319 l
+12 224 l
+102 224 l
+131 58 228 -19 363 -19 c
+417 -19 471 -12 517 18 c
+517 146 l
+481 115 426 93 363 93 c
+283 93 254 166 246 224 c
+398 224 l
+438 319 l
+236 319 l
+236 367 l
+457 367 l
+497 462 l
+244 462 l
+259 552 298 598 363 598 c
+425 598 464 570 486 547 c
+507 526 513 517 517 509 c
+cp
+556 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Helvetica-BoldOblique /Helvetica-Bold load def
+/Symbol
+{
+750 0 20 -12 714 685
+{
+714 581 m
+650 645 560 685 465 685 c
+304 685 165 580 128 432 c
+50 432 l
+20 369 l
+116 369 l
+115 356 115 347 115 337 c
+115 328 115 319 116 306 c
+50 306 l
+20 243 l
+128 243 l
+165 97 300 -12 465 -12 c
+560 -12 635 25 685 65 c
+685 155 l
+633 91 551 51 465 51 c
+340 51 238 131 199 243 c
+555 243 l
+585 306 l
+184 306 l
+183 317 182 326 182 336 c
+182 346 183 356 184 369 c
+614 369 l 644 432 l
+199 432 l
+233 540 340 622 465 622 c
+555 622 636 580 685 520 c
+cp
+750 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Bold
+{
+500 0 16 -14 478 700
+{
+367 308 m
+224 308 l
+224 368 l
+375 368 l
+380 414 l
+225 414 l
+230 589 257 653 315 653 c
+402 653 431 521 444 457 c
+473 457 l
+473 698 l
+444 697 l
+441 679 437 662 418 662 c
+393 662 365 700 310 700 c
+211 700 97 597 73 414 c
+21 414 l
+16 368 l
+69 368 l
+69 359 68 350 68 341 c
+68 330 68 319 69 308 c
+21 308 l
+16 262 l
+73 262 l
+91 119 161 -14 301 -14 c
+380 -14 443 50 478 116 c
+448 136 l
+415 84 382 40 323 40 c
+262 40 231 77 225 262 c
+362 262 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-BoldItalic
+{
+500 0 9 -20 542 686
+{
+542 686 m
+518 686 l
+513 673 507 660 495 660 c
+475 660 457 683 384 683 c
+285 683 170 584 122 430 c
+58 430 l
+34 369 l
+105 369 l
+101 354 92 328 90 312 c
+34 312 l
+9 251 l
+86 251 l
+85 238 84 223 84 207 c
+84 112 117 -14 272 -14 c
+326 -14 349 9 381 9 c
+393 9 393 -10 394 -20 c
+420 -20 l
+461 148 l
+429 148 l
+416 109 362 15 292 15 c
+227 15 197 55 197 128 c
+197 162 204 203 216 251 c
+378 251 l
+402 312 l
+227 312 l
+229 325 236 356 241 369 c
+425 369 l
+450 430 l
+255 430 l
+257 435 264 458 274 488 c
+298 561 337 654 394 654 c
+437 654 484 621 484 530 c
+484 516 l
+516 516 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Italic
+{
+500 0 23 -10 595 692
+{
+399 317 m
+196 317 l
+199 340 203 363 209 386 c
+429 386 l
+444 424 l
+219 424 l
+246 514 307 648 418 648 c
+448 648 471 638 492 616 c
+529 576 524 529 527 479 c
+549 475 l
+595 687 l
+570 687 l
+562 674 558 664 542 664 c
+518 664 474 692 423 692 c
+275 692 162 551 116 424 c
+67 424 l
+53 386 l
+104 386 l
+98 363 93 340 90 317 c
+37 317 l
+23 279 l
+86 279 l
+85 266 85 253 85 240 c
+85 118 137 -10 277 -10 c
+370 -10 436 58 488 128 c
+466 149 l
+424 101 375 48 307 48 c
+212 48 190 160 190 234 c
+190 249 191 264 192 279 c
+384 279 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+/Times-Roman
+{
+500 0 10 -12 484 692
+{
+347 298 m
+171 298 l
+170 310 170 322 170 335 c
+170 362 l
+362 362 l
+374 403 l
+172 403 l
+184 580 244 642 308 642 c
+380 642 434 574 457 457 c
+481 462 l
+474 691 l
+449 691 l
+433 670 429 657 410 657 c
+394 657 360 692 299 692 c
+204 692 94 604 73 403 c
+22 403 l
+10 362 l
+70 362 l
+69 352 69 341 69 330 c
+69 319 69 308 70 298 c
+22 298 l
+10 257 l
+73 257 l
+97 57 216 -12 295 -12 c
+364 -12 427 25 484 123 c
+458 142 l
+425 101 384 37 316 37 c
+256 37 189 84 173 257 c
+335 257 l
+cp
+500 0 m
+}
+pdf_PSBuildGlyph
+} def
+end
+currentdict readonly pop end
+%%EndResource
+PDFText begin
+[39/quotesingle 96/grave 128/Adieresis/Aring/Ccedilla/Eacute/Ntilde/Odieresis
+/Udieresis/aacute/agrave/acircumflex/adieresis/atilde/aring/ccedilla/eacute
+/egrave/ecircumflex/edieresis/iacute/igrave/icircumflex/idieresis/ntilde
+/oacute/ograve/ocircumflex/odieresis/otilde/uacute/ugrave/ucircumflex
+/udieresis/dagger/degree/cent/sterling/section/bullet/paragraph/germandbls
+/registered/copyright/trademark/acute/dieresis/.notdef/AE/Oslash
+/.notdef/plusminus/.notdef/.notdef/yen/mu/.notdef/.notdef
+/.notdef/.notdef/.notdef/ordfeminine/ordmasculine/.notdef/ae/oslash
+/questiondown/exclamdown/logicalnot/.notdef/florin/.notdef/.notdef
+/guillemotleft/guillemotright/ellipsis/space/Agrave/Atilde/Otilde/OE/oe
+/endash/emdash/quotedblleft/quotedblright/quoteleft/quoteright/divide
+/.notdef/ydieresis/Ydieresis/fraction/currency/guilsinglleft/guilsinglright
+/fi/fl/daggerdbl/periodcentered/quotesinglbase/quotedblbase/perthousand
+/Acircumflex/Ecircumflex/Aacute/Edieresis/Egrave/Iacute/Icircumflex
+/Idieresis/Igrave/Oacute/Ocircumflex/.notdef/Ograve/Uacute/Ucircumflex
+/Ugrave/dotlessi/circumflex/tilde/macron/breve/dotaccent/ring/cedilla
+/hungarumlaut/ogonek/caron
+0 TE
+[1/dotlessi/caron 39/quotesingle 96/grave
+127/bullet/Euro/bullet/quotesinglbase/florin/quotedblbase/ellipsis
+/dagger/daggerdbl/circumflex/perthousand/Scaron/guilsinglleft/OE
+/bullet/Zcaron/bullet/bullet/quoteleft/quoteright/quotedblleft
+/quotedblright/bullet/endash/emdash/tilde/trademark/scaron
+/guilsinglright/oe/bullet/zcaron/Ydieresis/space/exclamdown/cent/sterling
+/currency/yen/brokenbar/section/dieresis/copyright/ordfeminine
+/guillemotleft/logicalnot/hyphen/registered/macron/degree/plusminus
+/twosuperior/threesuperior/acute/mu/paragraph/periodcentered/cedilla
+/onesuperior/ordmasculine/guillemotright/onequarter/onehalf/threequarters
+/questiondown/Agrave/Aacute/Acircumflex/Atilde/Adieresis/Aring/AE/Ccedilla
+/Egrave/Eacute/Ecircumflex/Edieresis/Igrave/Iacute/Icircumflex/Idieresis
+/Eth/Ntilde/Ograve/Oacute/Ocircumflex/Otilde/Odieresis/multiply/Oslash
+/Ugrave/Uacute/Ucircumflex/Udieresis/Yacute/Thorn/germandbls/agrave
+/aacute/acircumflex/atilde/adieresis/aring/ae/ccedilla/egrave/eacute
+/ecircumflex/edieresis/igrave/iacute/icircumflex/idieresis/eth/ntilde
+/ograve/oacute/ocircumflex/otilde/odieresis/divide/oslash/ugrave/uacute
+/ucircumflex/udieresis/yacute/thorn/ydieresis
+1 TE
+end
+currentdict readonly pop
+end end
+/currentpacking where {pop setpacking}if
+PDFVars/DocInitAll{[ PDFText]{/docinitialize get exec}forall }put
+PDFVars/InitAll{[PDF PDFText]{/initialize get exec}forall initgs}put
+PDFVars/TermAll{[PDFText PDF]{/terminate get exec}forall}put
+PDFVars begin PDF begin
+PDFVars/DocInitAll get exec PDFVars/InitAll get exec
+PDFVars/TermAll get exec end end
+
+%%EndSetup
+%%Page: 1 1
+%%BeginPageSetup
+userdict /pgsave save put
+PDFVars begin PDF begin PDFVars/InitAll get exec
+156 331 translate
+%%BeginResource: font N34
+%!FontType1-1.0: N34
+11 dict begin
+/FontInfo 5 dict dup begin
+/Notice (Copyright \(C\) 1997 American Mathematical Society. All Rights Reserved) def
+/FamilyName (Computer Modern) def
+/FullName (CMTT10) def
+end readonly def
+/FontName /N34 def
+/Encoding 256 array
+0 1 255 {1 index exch /.notdef put} for
+dup 44 /comma put
+dup 48 /zero put
+dup 49 /one put
+dup 50 /two put
+dup 97 /a put
+dup 101 /e put
+dup 104 /h put
+dup 110 /n put
+dup 114 /r put
+dup 116 /t put
+dup 123 /braceleft put
+dup 125 /braceright put
+readonly def
+/FontMatrix [0.001 0 0 0.001 0 0] readonly def
+/FontBBox {-4 -235 731 800} readonly def
+/FontType 1 def
+/PaintType 0 def
+/StrokeWidth 0 def
+currentdict end
+currentfile eexec
+f3e7f93fe0b3c7a88086f982b4b55bdb0f2f559321725d901e33615b89ebc3ed
+b644cbe16c663d6859274d0ce2e86ecfea9f7e1b5970a122f75e9b050df4480e
+56172e8b6a9a7322d8372244fb30b64ec966496b08baae35096817082b1ee90a
+634d662a40353df3516c1402378432ab41d28040059334248c54fc26fbf5fc94
+879f85cd5bfa2b3d6d059c93f11fe5780c1fcf8d5dc00e950018df83ec4928de
+7cec20207ab2cf39abc85a9caa0b0e2c323f501f5962617e99a333fe9738b872
+fcc9a8251b532781309174dc760f25d7636c27db2792bd40f540cb897c86c8fe
+0eda9639093664059ed48c227060d40f39eabac85c47e505de850379e1267e79
+2d6e82c3d67cb2e9f84a7ff7a61df53239fe2625ac170163bf19e528676f0853
+e7abcece7107203958dc0b5bb270a0de82161699a18d4d5b8da383e6c4937d39
+9c20cfb315dd9c8a08d93ee76257cd6a52b6a8800735be153582e40f2f85a432
+7c5527b7e085f60031b66fad2baca496b105ff4cb56629346f3fe9d596a90cd0
+6c125fa5e27179c9b7d4980f2c2d0969fd3f87796a05c1c030bc94ceacdb95fd
+fe11d180104266be31ea0837366a9001d0f54ce82d78e992228606798a6ed75e
+9ad79061031e325d884aa3747b7a4d4e398888c2eb0fd2a7e9c9a88999859ebf
+d10290b74c3dcba000519bd2e4cc03e4f466007d60731bfba66e92bd0e6a367d
+8e706e0b1c606425d4c7ff696440cf4f0a231961f0b9d5636cfb4a5abf263408
+b80f06166d9c533b3b13112cd9cedbc2e9197a4675125022e28d23047a93e6e7
+f3255e2fe972045499c7527fb9f32e1363a60cb2254abf34ab918f5d08f181ce
+c85dbd3408edc656c0bb2dbc47b854aedb2acd8d9fc0d5f7cce1724eb4c93133
+3e496ba69350daeeed903ee17260db986f11afaf68b53d894dd3d679ebe7f703
+b4ae32683591d34ce4137f9abc8dedb065d06ca3470afce541a9b0fe1f4de178
+db038a0a5b0c30a5ac304c5ea38686389f8fdfc9790296ba65b6ea7450659e46
+e17173f120846258b315eed9142ac66063205167a553e47d24547ad2c4a8f702
+fb9bec6b138ac48c5f5465e345d40f455cae3ef6838c2cb147344ecf7da3302d
+e1f8ca2a49e6d6c25d64d76a0007d91183a500f4db07b7232ae944051ec6db95
+c83956967f6e8cc3eb79ba8f6f7f9d9588e0790aa4ef2c8bb1af4bbe40c3e6e9
+c4c2abb5b8955d7f7db4744779ce92f484438d836457bd63a15762120b30d264
+064049f0b4e3f543f275f27d1490e4ec3ab8744cb0d07dd31166f744f9099dba
+9d4c7532182bfe249b19166e5a9c793ad26dfe0a4f6eb4f1f81c7daebfbb4f41
+900682d3f98e1d12d5d2cedf7d5d81f5294253cd05392a6c1b08faf2c937c587
+acb67c282079d5381342090e8f6bc758b6aafa1987e4025a38e0b007b5e734fb
+f7653c6d09bb30c736ed42f6faa6c8be715ee08edeb32e32716e161de47fa740
+2c7520f6a147a3a1ac4008ac7ac47e68ac95dd0e40def0262d7f19420ec9d836
+a83b0a6e8864bc93fb0246b910bd00506ac7e91476ac4f4ea8030c570d74d3c7
+f50ae3960629442be51c34d3d5064d144e4d5882e454f1f70b5db71acb0851ee
+ea8472b8bbf439406e33f3967b4e44371843616eb00bb0bbb2d7b50e64275eb7
+b0bf39d87aeef439b352c5d5549063adaca1807abb74c6d4b369bccf032a3a07
+e38165eb254cf180cb4b4e686f361ced5579846482cc428c7e317c7d35136f92
+2cfc13f1d489c450b84f26bb7ff8bf1751a1fe52be5b11ed2c9b21620b22b7e3
+da6b3bb7f97b07e6e53022f1e8fe751308247716fd05d7b925b7e019962c5ae8
+6f011dd826d13f3f797453ad0250bfb8ff3835b952b3f86d2a84fb4b646d2013
+39841e22dc6111dc48b71ddc930224f2a2cd65518f44c58fc4d0c703ac11aaf5
+e98a735db48973639a28b97b5181afc5129c2521df2369f4091bcad9ec2ecc57
+39a0c3fbc77b7293125db00eed1d7b6075f390b5f9aa84fe48cca11b71e92559
+2d81a03384d3fdfe7d782bc2bbd96e50af51259cd4c1d063629c41d932bf8d39
+aaf0a55979fbe4245b867b23f965abfc16c5fe1ae6dc46fb4341922cdf1e4466
+11c7c9f9c73001469081ced3169c7d55631800b59b5ef77405b3814bff9fd90c
+8a01addc3c525ddfc00f3579cd0e9effe77f4d8f27b6e55a5d18b0c66dfed09b
+ee81795632d12b202f606300f6aad5201cb07634500bba045aef4c198a8b640e
+1f974e4cb6eb54790a3e412b485888ec8931a028bf92647e874c5f69142e61b6
+8cce581e6d79c80eb947fe6eb9cd7c68ed8051c618acca8d0d094105154c891f
+545ddfe32e786f9fb516189571ad8aeb643658c5e7c4d19226166d6b5696ba0b
+d215d3020d2549971e15e2057fb25e27e3ebb8182440a32a8df73bb5a60b48c0
+d1ab1ec93b54b49e3277f0b177d2bbcbb4245dfc78032f7b0aa304ed83b67b2d
+8dba0f9d0d3771a8f89b2255c83248ef3d00600f2a486fff6658539aed4a9f00
+c3c42b10d0f4c244b6469ff45ec83926d3ac4ca1012e8ff7a761db98cd899eea
+80fee257ce8dafa44415d6ff106fc6f387dd1767f1afac6170e732784da4ba20
+5aaa275b9272df543410fc8f8289a6b49f86991912f0d5d087c0d72a43df98a4
+b6d3551660fa557b867f62a22d6bf7956f9c0c929fec10a91c871366a7b22a18
+87d91ac067f1bb24cc26ae2a614235ddaef02c0ce47ec6ea3d625d007ab9b0e3
+f329f0cbc2ff80c1c5338dfa4d46cfb7982b71ba740a2f67171562d81a226906
+ecfd0fffeb67fde9f741a911c33dfecbfb5e6c115948ac90d76bdc3bf1474d9a
+39b6a931f4a6a0b5650f878eefdb8c222f66816e57e4f50c25a30d36ea28
+9e8d92f7230d739034c81f27adc4a9e48b852faf5299636d6d51fabbc0358857
+892f306e6f760c780ee75ccc2e2d976dfc836c7f086fe12970e997dff6ecea59
+9f629f24ed853d4ec5a9872527b8d26bb25bb7c3f612d212447a96f6dc098bae
+c16e6726dd90f6742422e953650c83fd020902f7b460a6de1248c38826fc538b
+e49bab3522d3bca7cd6558fe0cb4f8e488e7bce25eb53d9b498c78180099b809
+0e8bef2f7a97189a65a448895aea28b96e68f2c311db2caadf85281a4ac31723
+1667348978e47ab73d3e23e366ce99481972f7fd6882aaaac15727e6dd93afb3
+89bab7af45d82b56bed628443e6d079e19ede69edbe920538b104a7f062c42a4
+2b793f867529594f9b5d625b5afb30b2ea70e59075808899d3f95b4f68e1ba72
+4082aafb0c1278e4e0b0759e2beaa53d17de4f86
+0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000
cleartomark
%%EndResource
+[/N9/N34 -1 TZ
+%%EndPageSetup
+0 0 300 130 RC
+0.09999 0 0 0.09999 0 0 cm
+
+q
+Q
+q
+0 0 m
+0 1300 l
+3000 1300 l
+3000 0 l
+h
+W n
+1 i
+10 w
+4 M
+46.25 377.25 554 554 re
+S
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 16.60778 62.02688 Tm
+(t)Tj
+6.29998 0 Td
+(h)Tj
+6.29998 0 Td
+(r)Tj
+6.29998 0 Td
+(e)Tj
+6.29998 0 Td
+(e)Tj
+ET
+Q
+1 g
+1707.25 30.25 1244 1243 rf
+1707.25 30.25 1244 1243 re
+S
+0 g
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 223.47399 106.70199 Tm
+(n)Tj
+6.29998 0 Td
+(a)Tj
+6.29998 0 Td
+(t)Tj
+ET
+Q
+0.85089 g
+2304.25 931.25 m
+2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
+1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
+2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
+2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
+2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
+f
+2304.25 931.25 m
+2040.67999 931.16799 1898.80999 647.12399 1888.25 476.25 c
+1878.53999 306.24499 1858.27999 90.37599 2061.25 238.25 c
+2263.64999 385.78599 2294.05999 442.61299 2476.25 329.25 c
+2658.89999 215.35699 3023.76998 238.08099 2770.25 601.25 c
+2517.01998 965.24899 2304.19999 931.16799 2304.25 931.25 c
+h
+S
+0 g
+q
+10 0 0 10 0 0 cm
+
+BT
+/N9 12 Tf
+1 0 0 1 209.33399 61.78269 Tm
+({)Tj
+6.29998 0 Td
+(0)Tj
+6.29998 0 Td
+(,)Tj
+6.29998 0 Td
+(1)Tj
+6.29998 0 Td
+(,)Tj
+6.29998 0 Td
+(2)Tj
+6.29998 0 Td
+(})Tj
+ET
+Q
+2373.25 821.25 m
+386.25 821.25 l
+S
+356.25 821.25 m
+370.69799 826.43598 388.31399 835.42498 399.25 845.25 c
+390.25 821.25 l
+399.25 797.25 l
+388.31399 806.90899 370.69799 815.89898 356.25 821.25 c
+f
+326.25 821.25 m
+354.72099 831.70498 389.95498 849.68399 412.25 868.25 c
+394.25 821.25 l
+412.25 773.25 l
+389.95498 792.65199 354.72099 810.63499 326.25 821.25 c
+f
+326.25 481.25 m
+2313.25 481.25 l
+S
+2343.25 481.25 m
+2328.95999 486.44099 2311.34999 495.42498 2300.25 505.25 c
+2309.25 481.25 l
+2300.25 457.25 l
+2311.34999 466.90899 2328.95999 475.89399 2343.25 481.25 c
+f
+2373.25 481.25 m
+2344.93998 491.70498 2309.70999 509.68399 2288.25 528.25 c
+2305.25 481.25 l
+2288.25 433.25 l
+2309.70999 452.65199 2344.93998 470.63999 2373.25 481.25 c
+f
+Q
+PDFVars/TermAll get exec end end
+userdict /pgsave get restore
+showpage
+%%PageTrailer
+%%EndPage
+%%Trailer
+%%DocumentProcessColors: Black
+%%DocumentSuppliedResources:
+%%+ font N34
+%%+ procset (Adobe Acrobat - PDF operators) 1.2 0
+%%+ procset (Adobe Acrobat - type operators) 1.2 0
+%%EOF
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/document/types0.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,69 @@
+\chapter{More about Types}
+\label{ch:more-types}
+
+So far we have learned about a few basic types (for example \isa{bool} and
+\isa{nat}), type abbreviations (\isacommand{types}) and recursive datatypes
+(\isacommand{datatype}). This chapter will introduce more
+advanced material:
+\begin{itemize}
+\item Pairs ({\S}\ref{sec:products}) and records ({\S}\ref{sec:records}),
+and how to reason about them.
+\item Type classes: how to specify and reason about axiomatic collections of
+ types ({\S}\ref{sec:axclass}). This section leads on to a discussion of
+ Isabelle's numeric types ({\S}\ref{sec:numbers}).
+\item Introducing your own types: how to define types that
+ cannot be constructed with any of the basic methods
+ ({\S}\ref{sec:adv-typedef}).
+\end{itemize}
+
+The material in this section goes beyond the needs of most novices.
+Serious users should at least skim the sections as far as type classes.
+That material is fairly advanced; read the beginning to understand what it
+is about, but consult the rest only when necessary.
+
+\index{pairs and tuples|(}
+\input{Pairs} %%%Section "Pairs and Tuples"
+\index{pairs and tuples|)}
+
+\input{Records} %%%Section "Records"
+
+
+\section{Type Classes} %%%Section
+\label{sec:axclass}
+\index{axiomatic type classes|(}
+\index{*axclass|(}
+
+The programming language Haskell has popularized the notion of type
+classes: a type class is a set of types with a
+common interface: all types in that class must provide the functions
+in the interface. Isabelle offers a similar type class concept: in
+addition, properties (\emph{class axioms}) can be specified which any
+instance of this type class must obey. Thus we can talk about a type
+$\tau$ being in a class $C$, which is written $\tau :: C$. This is the case
+if $\tau$ satisfies the axioms of $C$. Furthermore, type classes can be
+organized in a hierarchy. Thus there is the notion of a class $D$
+being a subclass\index{subclasses} of a class $C$, written $D
+< C$. This is the case if all axioms of $C$ are also provable in $D$.
+
+In this section we introduce the most important concepts behind type
+classes by means of a running example from algebra. This should give
+you an intuition how to use type classes and to understand
+specifications involving type classes. Type classes are covered more
+deeply in a separate tutorial \cite{isabelle-classes}.
+
+\subsection{Overloading}
+\label{sec:overloading}
+\index{overloading|(}
+
+\input{Overloading}
+
+\index{overloading|)}
+
+\input{Axioms}
+
+\index{type classes|)}
+\index{*class|)}
+
+\input{numerics} %%%Section "Numbers"
+
+\input{Typedefs} %%%Section "Introducing New Types"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/Tutorial/todo.tobias Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,130 @@
+Implementation
+==============
+
+Add map_cong?? (upto 10% slower)
+
+a simp command for terms
+
+Recdef: Get rid of function name in header.
+Support mutual recursion (Konrad?)
+
+improve solver in simplifier: treat & and ! ...
+
+better 1 point rules:
+!x. !y. x = f y --> P x y should reduce to !y. P (f y) y.
+
+it would be nice if @term could deal with ?-vars.
+then a number of (unchecked!) @texts could be converted to @terms.
+
+it would be nice if one could get id to the enclosing quotes in the [source] option.
+
+More predefined functions for datatypes: map?
+
+Induction rules for int: int_le/ge_induct?
+Needed for ifak example. But is that example worth it?
+
+Komischerweise geht das Splitten von _Annahmen_ auch mit simp_tac, was
+ein generelles Feature ist, das man vielleicht mal abstellen sollte.
+
+proper mutual simplification
+
+defs with = and pattern matching??
+
+
+Minor fixes in the tutorial
+===========================
+
+Appendix: Lexical: long ids.
+
+Warning: infixes automatically become reserved words!
+
+Syntax section: syntax annotations not just for consts but also for constdefs and datatype.
+
+Appendix with list functions.
+
+All theory sources on the web?
+
+Possible exercises
+==================
+
+Exercises
+
+For extensionality (in Sets chapter): prove
+valif o norm = valif
+in If-expression case study (Ifexpr)
+
+Nested inductive datatypes: another example/exercise:
+ size(t) <= size(subst s t)?
+
+insertion sort: primrec, later recdef
+
+OTree:
+ first version only for non-empty trees:
+ Tip 'a | Node tree tree
+ Then real version?
+ First primrec, then recdef?
+
+Ind. sets: define ABC inductively and prove
+ABC = {rep A n @ rep B n @ rep C n. True}
+
+Partial rekursive functions / Nontermination:
+
+Exercise: ?! f. !i. f i = if i=0 then 1 else i*f(i-1)
+(What about sum? Is there one, a unique one?)
+
+Exercise
+Better(?) sum i = fst(while (%(s,i). i=0) (%(s,i). (s+i,i-1)) (0,i))
+Prove 0 <= i ==> sum i = i*(i+1) via while-rule
+
+Possible examples/case studies
+==============================
+
+Trie: Define functional version
+datatype ('a,'b)trie = Trie ('b option) ('a => ('a,'b)trie option)
+lookup t [] = value t
+lookup t (a#as) = case tries t a of None => None | Some s => lookup s as
+Maybe as an exercise?
+
+Trie: function for partial matches (prefixes). Needs sets for spec/proof.
+
+Sets via ordered list of intervals. (Isa/Interval(2))
+
+propositional logic (soundness and completeness?),
+predicate logic (soundness?),
+
+Tautology checker. Based on Ifexpr or prop.logic?
+Include forward reference in relevant section.
+
+Sorting with comp-parameter and with type class (<)
+
+Recdef:more example proofs:
+ if-normalization with measure function,
+ nested if-normalization,
+ quicksort
+ Trie?
+
+New book by Bird?
+
+Steps Towards Mechanizing Program Transformations Using PVS by N. Shankar,
+ Science of Computer Programming, 26(1-3):33-57, 1996.
+You can get it from http://www.csl.sri.com/scp95.html
+
+J Moore article Towards a ...
+Mergesort, JVM
+
+
+Additional topics
+=================
+
+Recdef with nested recursion?
+
+Extensionality: applications in
+- boolean expressions: valif o bool2if = value
+- Advanced datatypes exercise subst (f o g) = subst f o subst g
+
+A look at the library?
+Map.
+
+Prototyping?
+
+==============================================================
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/FOL_examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,34 @@
+header{*Examples of Classical Reasoning*}
+
+theory FOL_examples imports "~~/src/FOL/FOL" begin
+
+lemma "EX y. ALL x. P(y)-->P(x)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule exCI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule allI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule allE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+txt{*see below for @{text allI} combined with @{text swap}*}
+apply (erule allI [THEN [2] swap])
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule notE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+done
+
+text {*
+@{thm[display] allI [THEN [2] swap]}
+*}
+
+lemma "EX y. ALL x. P(y)-->P(x)"
+by blast
+
+end
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/IFOL_examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,58 @@
+header{*Examples of Intuitionistic Reasoning*}
+
+theory IFOL_examples imports "~~/src/FOL/IFOL" begin
+
+text{*Quantifier example from the book Logic and Computation*}
+lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule allI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule exI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule exE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule allE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+txt{*Now @{text "apply assumption"} fails*}
+oops
+
+text{*Trying again, with the same first two steps*}
+lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule allI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule exE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule exI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule allE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+done
+
+lemma "(EX y. ALL x. Q(x,y)) --> (ALL x. EX y. Q(x,y))"
+by (tactic {*IntPr.fast_tac 1*})
+
+text{*Example of Dyckhoff's method*}
+lemma "~ ~ ((P-->Q) | (Q-->P))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (unfold not_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule impI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule disj_impE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule imp_impE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+ apply (erule imp_impE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+apply (erule FalseE)+
+done
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/If.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,85 @@
+(* Title: FOL/ex/If.ML
+ Author: Lawrence C Paulson, Cambridge University Computer Laboratory
+ Copyright 1991 University of Cambridge
+
+First-Order Logic: the 'if' example.
+*)
+
+theory If imports "~~/src/FOL/FOL" begin
+
+definition "if" :: "[o,o,o]=>o" where
+ "if(P,Q,R) == P&Q | ~P&R"
+
+lemma ifI:
+ "[| P ==> Q; ~P ==> R |] ==> if(P,Q,R)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (simp add: if_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply blast
+done
+
+lemma ifE:
+ "[| if(P,Q,R); [| P; Q |] ==> S; [| ~P; R |] ==> S |] ==> S"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (simp add: if_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply blast
+done
+
+lemma if_commute: "if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule iffI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule ifE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule ifE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule ifI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule ifI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+oops
+
+text{*Trying again from the beginning in order to use @{text blast}*}
+declare ifI [intro!]
+declare ifE [elim!]
+
+lemma if_commute: "if(P, if(Q,A,B), if(Q,C,D)) <-> if(Q, if(P,A,C), if(P,B,D))"
+by blast
+
+
+lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+by blast
+
+text{*Trying again from the beginning in order to prove from the definitions*}
+lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,A,B))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (simp add: if_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply blast
+done
+
+
+text{*An invalid formula. High-level rules permit a simpler diagnosis*}
+lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply auto
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+(*The next step will fail unless subgoals remain*)
+apply (tactic all_tac)
+oops
+
+text{*Trying again from the beginning in order to prove from the definitions*}
+lemma "if(if(P,Q,R), A, B) <-> if(P, if(Q,A,B), if(R,B,A))"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (simp add: if_def)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (auto)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+(*The next step will fail unless subgoals remain*)
+apply (tactic all_tac)
+oops
+
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/ZF_Isar.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,140 @@
+theory ZF_Isar
+imports Main
+begin
+
+(*<*)
+ML_file "../antiquote_setup.ML"
+setup Antiquote_Setup.setup
+(*>*)
+
+chapter {* Some Isar language elements *}
+
+section {* Type checking *}
+
+text {*
+ The ZF logic is essentially untyped, so the concept of ``type
+ checking'' is performed as logical reasoning about set-membership
+ statements. A special method assists users in this task; a version
+ of this is already declared as a ``solver'' in the standard
+ Simplifier setup.
+
+ \begin{matharray}{rcl}
+ @{command_def (ZF) "print_tcset"}@{text "\<^sup>*"} & : & @{text "context \<rightarrow>"} \\
+ @{method_def (ZF) typecheck} & : & @{text method} \\
+ @{attribute_def (ZF) TC} & : & @{text attribute} \\
+ \end{matharray}
+
+ @{rail "
+ @@{attribute (ZF) TC} (() | 'add' | 'del')
+ "}
+
+ \begin{description}
+
+ \item @{command (ZF) "print_tcset"} prints the collection of
+ typechecking rules of the current context.
+
+ \item @{method (ZF) typecheck} attempts to solve any pending
+ type-checking problems in subgoals.
+
+ \item @{attribute (ZF) TC} adds or deletes type-checking rules from
+ the context.
+
+ \end{description}
+*}
+
+
+section {* (Co)Inductive sets and datatypes *}
+
+subsection {* Set definitions *}
+
+text {*
+ In ZF everything is a set. The generic inductive package also
+ provides a specific view for ``datatype'' specifications.
+ Coinductive definitions are available in both cases, too.
+
+ \begin{matharray}{rcl}
+ @{command_def (ZF) "inductive"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (ZF) "coinductive"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (ZF) "datatype"} & : & @{text "theory \<rightarrow> theory"} \\
+ @{command_def (ZF) "codatatype"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{command (ZF) inductive} | @@{command (ZF) coinductive}) domains intros hints
+ ;
+
+ domains: @'domains' (@{syntax term} + '+') ('<=' | '\<subseteq>') @{syntax term}
+ ;
+ intros: @'intros' (@{syntax thmdecl}? @{syntax prop} +)
+ ;
+ hints: @{syntax (ZF) \"monos\"}? condefs? \\
+ @{syntax (ZF) typeintros}? @{syntax (ZF) typeelims}?
+ ;
+ @{syntax_def (ZF) \"monos\"}: @'monos' @{syntax thmrefs}
+ ;
+ condefs: @'con_defs' @{syntax thmrefs}
+ ;
+ @{syntax_def (ZF) typeintros}: @'type_intros' @{syntax thmrefs}
+ ;
+ @{syntax_def (ZF) typeelims}: @'type_elims' @{syntax thmrefs}
+ "}
+
+ In the following syntax specification @{text "monos"}, @{text
+ typeintros}, and @{text typeelims} are the same as above.
+
+ @{rail "
+ (@@{command (ZF) datatype} | @@{command (ZF) codatatype}) domain? (dtspec + @'and') hints
+ ;
+
+ domain: ('<=' | '\<subseteq>') @{syntax term}
+ ;
+ dtspec: @{syntax term} '=' (con + '|')
+ ;
+ con: @{syntax name} ('(' (@{syntax term} ',' +) ')')?
+ ;
+ hints: @{syntax (ZF) \"monos\"}? @{syntax (ZF) typeintros}? @{syntax (ZF) typeelims}?
+ "}
+
+ See \cite{isabelle-ZF} for further information on inductive
+ definitions in ZF, but note that this covers the old-style theory
+ format.
+*}
+
+
+subsection {* Primitive recursive functions *}
+
+text {*
+ \begin{matharray}{rcl}
+ @{command_def (ZF) "primrec"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ @@{command (ZF) primrec} (@{syntax thmdecl}? @{syntax prop} +)
+ "}
+*}
+
+
+subsection {* Cases and induction: emulating tactic scripts *}
+
+text {*
+ The following important tactical tools of Isabelle/ZF have been
+ ported to Isar. These should not be used in proper proof texts.
+
+ \begin{matharray}{rcl}
+ @{method_def (ZF) case_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def (ZF) induct_tac}@{text "\<^sup>*"} & : & @{text method} \\
+ @{method_def (ZF) ind_cases}@{text "\<^sup>*"} & : & @{text method} \\
+ @{command_def (ZF) "inductive_cases"} & : & @{text "theory \<rightarrow> theory"} \\
+ \end{matharray}
+
+ @{rail "
+ (@@{method (ZF) case_tac} | @@{method (ZF) induct_tac}) @{syntax goal_spec}? @{syntax name}
+ ;
+ @@{method (ZF) ind_cases} (@{syntax prop} +)
+ ;
+ @@{command (ZF) inductive_cases} (@{syntax thmdecl}? (@{syntax prop} +) + @'and')
+ ;
+ "}
+*}
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/ZF_examples.thy Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,202 @@
+header{*Examples of Reasoning in ZF Set Theory*}
+
+theory ZF_examples imports Main_ZFC begin
+
+subsection {* Binary Trees *}
+
+consts
+ bt :: "i => i"
+
+datatype "bt(A)" =
+ Lf | Br ("a \<in> A", "t1 \<in> bt(A)", "t2 \<in> bt(A)")
+
+declare bt.intros [simp]
+
+text{*Induction via tactic emulation*}
+lemma Br_neq_left [rule_format]: "l \<in> bt(A) ==> \<forall>x r. Br(x, l, r) \<noteq> l"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+ apply (induct_tac l)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+ apply auto
+ done
+
+(*
+ apply (Inductive.case_tac l)
+ apply (tactic {*exhaust_tac "l" 1*})
+*)
+
+text{*The new induction method, which I don't understand*}
+lemma Br_neq_left': "l \<in> bt(A) ==> (!!x r. Br(x, l, r) \<noteq> l)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+ apply (induct set: bt)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+ apply auto
+ done
+
+lemma Br_iff: "Br(a,l,r) = Br(a',l',r') <-> a=a' & l=l' & r=r'"
+ -- "Proving a freeness theorem."
+ by (blast elim!: bt.free_elims)
+
+inductive_cases Br_in_bt: "Br(a,l,r) \<in> bt(A)"
+ -- "An elimination rule, for type-checking."
+
+text {*
+@{thm[display] Br_in_bt[no_vars]}
+*};
+
+subsection{*Primitive recursion*}
+
+consts n_nodes :: "i => i"
+primrec
+ "n_nodes(Lf) = 0"
+ "n_nodes(Br(a,l,r)) = succ(n_nodes(l) #+ n_nodes(r))"
+
+lemma n_nodes_type [simp]: "t \<in> bt(A) ==> n_nodes(t) \<in> nat"
+ by (induct_tac t, auto)
+
+consts n_nodes_aux :: "i => i"
+primrec
+ "n_nodes_aux(Lf) = (\<lambda>k \<in> nat. k)"
+ "n_nodes_aux(Br(a,l,r)) =
+ (\<lambda>k \<in> nat. n_nodes_aux(r) ` (n_nodes_aux(l) ` succ(k)))"
+
+lemma n_nodes_aux_eq [rule_format]:
+ "t \<in> bt(A) ==> \<forall>k \<in> nat. n_nodes_aux(t)`k = n_nodes(t) #+ k"
+ by (induct_tac t, simp_all)
+
+definition n_nodes_tail :: "i => i" where
+ "n_nodes_tail(t) == n_nodes_aux(t) ` 0"
+
+lemma "t \<in> bt(A) ==> n_nodes_tail(t) = n_nodes(t)"
+ by (simp add: n_nodes_tail_def n_nodes_aux_eq)
+
+
+subsection {*Inductive definitions*}
+
+consts Fin :: "i=>i"
+inductive
+ domains "Fin(A)" \<subseteq> "Pow(A)"
+ intros
+ emptyI: "0 \<in> Fin(A)"
+ consI: "[| a \<in> A; b \<in> Fin(A) |] ==> cons(a,b) \<in> Fin(A)"
+ type_intros empty_subsetI cons_subsetI PowI
+ type_elims PowD [elim_format]
+
+
+consts acc :: "i => i"
+inductive
+ domains "acc(r)" \<subseteq> "field(r)"
+ intros
+ vimage: "[| r-``{a}: Pow(acc(r)); a \<in> field(r) |] ==> a \<in> acc(r)"
+ monos Pow_mono
+
+
+consts
+ llist :: "i=>i";
+
+codatatype
+ "llist(A)" = LNil | LCons ("a \<in> A", "l \<in> llist(A)")
+
+
+(*Coinductive definition of equality*)
+consts
+ lleq :: "i=>i"
+
+(*Previously used <*> in the domain and variant pairs as elements. But
+ standard pairs work just as well. To use variant pairs, must change prefix
+ a q/Q to the Sigma, Pair and converse rules.*)
+coinductive
+ domains "lleq(A)" \<subseteq> "llist(A) * llist(A)"
+ intros
+ LNil: "<LNil, LNil> \<in> lleq(A)"
+ LCons: "[| a \<in> A; <l,l'> \<in> lleq(A) |]
+ ==> <LCons(a,l), LCons(a,l')> \<in> lleq(A)"
+ type_intros llist.intros
+
+
+subsection{*Powerset example*}
+
+lemma Pow_mono: "A\<subseteq>B ==> Pow(A) \<subseteq> Pow(B)"
+apply (rule subsetI)
+apply (rule PowI)
+apply (drule PowD)
+apply (erule subset_trans, assumption)
+done
+
+lemma "Pow(A Int B) = Pow(A) Int Pow(B)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule equalityI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Int_greatest)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Int_lower1 [THEN Pow_mono])
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Int_lower2 [THEN Pow_mono])
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule subsetI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule IntE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule PowI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (drule PowD)+
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Int_greatest)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (assumption+)
+done
+
+text{*Trying again from the beginning in order to use @{text blast}*}
+lemma "Pow(A Int B) = Pow(A) Int Pow(B)"
+by blast
+
+
+lemma "C\<subseteq>D ==> Union(C) \<subseteq> Union(D)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule subsetI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule UnionE)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule UnionI)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule subsetD)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+done
+
+text{*A more abstract version of the same proof*}
+
+lemma "C\<subseteq>D ==> Union(C) \<subseteq> Union(D)"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Union_least)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule Union_upper)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (erule subsetD, assumption)
+done
+
+
+lemma "[| a \<in> A; f \<in> A->B; g \<in> C->D; A \<inter> C = 0 |] ==> (f \<union> g)`a = f`a"
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule apply_equality)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule UnI1)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule apply_Pair)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply (rule fun_disjoint_Un)
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+ --{* @{subgoals[display,indent=0,margin=65]} *}
+apply assumption
+done
+
+end
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/document/FOL.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,855 @@
+%!TEX root = logics-ZF.tex
+\chapter{First-Order Logic}
+\index{first-order logic|(}
+
+Isabelle implements Gentzen's natural deduction systems {\sc nj} and {\sc
+ nk}. Intuitionistic first-order logic is defined first, as theory
+\thydx{IFOL}. Classical logic, theory \thydx{FOL}, is
+obtained by adding the double negation rule. Basic proof procedures are
+provided. The intuitionistic prover works with derived rules to simplify
+implications in the assumptions. Classical~\texttt{FOL} employs Isabelle's
+classical reasoner, which simulates a sequent calculus.
+
+\section{Syntax and rules of inference}
+The logic is many-sorted, using Isabelle's type classes. The class of
+first-order terms is called \cldx{term} and is a subclass of \isa{logic}.
+No types of individuals are provided, but extensions can define types such
+as \isa{nat::term} and type constructors such as \isa{list::(term)term}
+(see the examples directory, \texttt{FOL/ex}). Below, the type variable
+$\alpha$ ranges over class \isa{term}; the equality symbol and quantifiers
+are polymorphic (many-sorted). The type of formulae is~\tydx{o}, which
+belongs to class~\cldx{logic}. Figure~\ref{fol-syntax} gives the syntax.
+Note that $a$\verb|~=|$b$ is translated to $\neg(a=b)$.
+
+Figure~\ref{fol-rules} shows the inference rules with their names.
+Negation is defined in the usual way for intuitionistic logic; $\neg P$
+abbreviates $P\imp\bot$. The biconditional~($\bimp$) is defined through
+$\conj$ and~$\imp$; introduction and elimination rules are derived for it.
+
+The unique existence quantifier, $\exists!x.P(x)$, is defined in terms
+of~$\exists$ and~$\forall$. An Isabelle binder, it admits nested
+quantifications. For instance, $\exists!x\;y.P(x,y)$ abbreviates
+$\exists!x. \exists!y.P(x,y)$; note that this does not mean that there
+exists a unique pair $(x,y)$ satisfying~$P(x,y)$.
+
+Some intuitionistic derived rules are shown in
+Fig.\ts\ref{fol-int-derived}, again with their names. These include
+rules for the defined symbols $\neg$, $\bimp$ and $\exists!$. Natural
+deduction typically involves a combination of forward and backward
+reasoning, particularly with the destruction rules $(\conj E)$,
+$({\imp}E)$, and~$(\forall E)$. Isabelle's backward style handles these
+rules badly, so sequent-style rules are derived to eliminate conjunctions,
+implications, and universal quantifiers. Used with elim-resolution,
+\tdx{allE} eliminates a universal quantifier while \tdx{all_dupE}
+re-inserts the quantified formula for later use. The rules
+\isa{conj\_impE}, etc., support the intuitionistic proof procedure
+(see~\S\ref{fol-int-prover}).
+
+See the on-line theory library for complete listings of the rules and
+derived rules.
+
+\begin{figure}
+\begin{center}
+\begin{tabular}{rrr}
+ \it name &\it meta-type & \it description \\
+ \cdx{Trueprop}& $o\To prop$ & coercion to $prop$\\
+ \cdx{Not} & $o\To o$ & negation ($\neg$) \\
+ \cdx{True} & $o$ & tautology ($\top$) \\
+ \cdx{False} & $o$ & absurdity ($\bot$)
+\end{tabular}
+\end{center}
+\subcaption{Constants}
+
+\begin{center}
+\begin{tabular}{llrrr}
+ \it symbol &\it name &\it meta-type & \it priority & \it description \\
+ \sdx{ALL} & \cdx{All} & $(\alpha\To o)\To o$ & 10 &
+ universal quantifier ($\forall$) \\
+ \sdx{EX} & \cdx{Ex} & $(\alpha\To o)\To o$ & 10 &
+ existential quantifier ($\exists$) \\
+ \isa{EX!} & \cdx{Ex1} & $(\alpha\To o)\To o$ & 10 &
+ unique existence ($\exists!$)
+\end{tabular}
+\index{*"E"X"! symbol}
+\end{center}
+\subcaption{Binders}
+
+\begin{center}
+\index{*"= symbol}
+\index{&@{\tt\&} symbol}
+\index{"!@{\tt\char124} symbol} %\char124 is vertical bar. We use ! because | stopped working
+\index{*"-"-"> symbol}
+\index{*"<"-"> symbol}
+\begin{tabular}{rrrr}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt = & $[\alpha,\alpha]\To o$ & Left 50 & equality ($=$) \\
+ \tt \& & $[o,o]\To o$ & Right 35 & conjunction ($\conj$) \\
+ \tt | & $[o,o]\To o$ & Right 30 & disjunction ($\disj$) \\
+ \tt --> & $[o,o]\To o$ & Right 25 & implication ($\imp$) \\
+ \tt <-> & $[o,o]\To o$ & Right 25 & biconditional ($\bimp$)
+\end{tabular}
+\end{center}
+\subcaption{Infixes}
+
+\dquotes
+\[\begin{array}{rcl}
+ formula & = & \hbox{expression of type~$o$} \\
+ & | & term " = " term \quad| \quad term " \ttilde= " term \\
+ & | & "\ttilde\ " formula \\
+ & | & formula " \& " formula \\
+ & | & formula " | " formula \\
+ & | & formula " --> " formula \\
+ & | & formula " <-> " formula \\
+ & | & "ALL~" id~id^* " . " formula \\
+ & | & "EX~~" id~id^* " . " formula \\
+ & | & "EX!~" id~id^* " . " formula
+ \end{array}
+\]
+\subcaption{Grammar}
+\caption{Syntax of \texttt{FOL}} \label{fol-syntax}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{refl} a=a
+\tdx{subst} [| a=b; P(a) |] ==> P(b)
+\subcaption{Equality rules}
+
+\tdx{conjI} [| P; Q |] ==> P&Q
+\tdx{conjunct1} P&Q ==> P
+\tdx{conjunct2} P&Q ==> Q
+
+\tdx{disjI1} P ==> P|Q
+\tdx{disjI2} Q ==> P|Q
+\tdx{disjE} [| P|Q; P ==> R; Q ==> R |] ==> R
+
+\tdx{impI} (P ==> Q) ==> P-->Q
+\tdx{mp} [| P-->Q; P |] ==> Q
+
+\tdx{FalseE} False ==> P
+\subcaption{Propositional rules}
+
+\tdx{allI} (!!x. P(x)) ==> (ALL x.P(x))
+\tdx{spec} (ALL x.P(x)) ==> P(x)
+
+\tdx{exI} P(x) ==> (EX x.P(x))
+\tdx{exE} [| EX x.P(x); !!x. P(x) ==> R |] ==> R
+\subcaption{Quantifier rules}
+
+\tdx{True_def} True == False-->False
+\tdx{not_def} ~P == P-->False
+\tdx{iff_def} P<->Q == (P-->Q) & (Q-->P)
+\tdx{ex1_def} EX! x. P(x) == EX x. P(x) & (ALL y. P(y) --> y=x)
+\subcaption{Definitions}
+\end{ttbox}
+
+\caption{Rules of intuitionistic logic} \label{fol-rules}
+\end{figure}
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{sym} a=b ==> b=a
+\tdx{trans} [| a=b; b=c |] ==> a=c
+\tdx{ssubst} [| b=a; P(a) |] ==> P(b)
+\subcaption{Derived equality rules}
+
+\tdx{TrueI} True
+
+\tdx{notI} (P ==> False) ==> ~P
+\tdx{notE} [| ~P; P |] ==> R
+
+\tdx{iffI} [| P ==> Q; Q ==> P |] ==> P<->Q
+\tdx{iffE} [| P <-> Q; [| P-->Q; Q-->P |] ==> R |] ==> R
+\tdx{iffD1} [| P <-> Q; P |] ==> Q
+\tdx{iffD2} [| P <-> Q; Q |] ==> P
+
+\tdx{ex1I} [| P(a); !!x. P(x) ==> x=a |] ==> EX! x. P(x)
+\tdx{ex1E} [| EX! x.P(x); !!x.[| P(x); ALL y. P(y) --> y=x |] ==> R
+ |] ==> R
+\subcaption{Derived rules for \(\top\), \(\neg\), \(\bimp\) and \(\exists!\)}
+
+\tdx{conjE} [| P&Q; [| P; Q |] ==> R |] ==> R
+\tdx{impE} [| P-->Q; P; Q ==> R |] ==> R
+\tdx{allE} [| ALL x.P(x); P(x) ==> R |] ==> R
+\tdx{all_dupE} [| ALL x.P(x); [| P(x); ALL x.P(x) |] ==> R |] ==> R
+\subcaption{Sequent-style elimination rules}
+
+\tdx{conj_impE} [| (P&Q)-->S; P-->(Q-->S) ==> R |] ==> R
+\tdx{disj_impE} [| (P|Q)-->S; [| P-->S; Q-->S |] ==> R |] ==> R
+\tdx{imp_impE} [| (P-->Q)-->S; [| P; Q-->S |] ==> Q; S ==> R |] ==> R
+\tdx{not_impE} [| ~P --> S; P ==> False; S ==> R |] ==> R
+\tdx{iff_impE} [| (P<->Q)-->S; [| P; Q-->S |] ==> Q; [| Q; P-->S |] ==> P;
+ S ==> R |] ==> R
+\tdx{all_impE} [| (ALL x.P(x))-->S; !!x.P(x); S ==> R |] ==> R
+\tdx{ex_impE} [| (EX x.P(x))-->S; P(a)-->S ==> R |] ==> R
+\end{ttbox}
+\subcaption{Intuitionistic simplification of implication}
+\caption{Derived rules for intuitionistic logic} \label{fol-int-derived}
+\end{figure}
+
+
+\section{Generic packages}
+FOL instantiates most of Isabelle's generic packages.
+\begin{itemize}
+\item
+It instantiates the simplifier, which is invoked through the method
+\isa{simp}. Both equality ($=$) and the biconditional
+($\bimp$) may be used for rewriting.
+
+\item
+It instantiates the classical reasoner, which is invoked mainly through the
+methods \isa{blast} and \isa{auto}. See~\S\ref{fol-cla-prover}
+for details.
+%
+%\item FOL provides the tactic \ttindex{hyp_subst_tac}, which substitutes for
+% an equality throughout a subgoal and its hypotheses. This tactic uses FOL's
+% general substitution rule.
+\end{itemize}
+
+\begin{warn}\index{simplification!of conjunctions}%
+ Simplifying $a=b\conj P(a)$ to $a=b\conj P(b)$ is often advantageous. The
+ left part of a conjunction helps in simplifying the right part. This effect
+ is not available by default: it can be slow. It can be obtained by
+ including the theorem \isa{conj_cong}\index{*conj_cong (rule)}%
+ as a congruence rule in
+ simplification, \isa{simp cong:\ conj\_cong}.
+\end{warn}
+
+
+\section{Intuitionistic proof procedures} \label{fol-int-prover}
+Implication elimination (the rules~\isa{mp} and~\isa{impE}) pose
+difficulties for automated proof. In intuitionistic logic, the assumption
+$P\imp Q$ cannot be treated like $\neg P\disj Q$. Given $P\imp Q$, we may
+use~$Q$ provided we can prove~$P$; the proof of~$P$ may require repeated
+use of $P\imp Q$. If the proof of~$P$ fails then the whole branch of the
+proof must be abandoned. Thus intuitionistic propositional logic requires
+backtracking.
+
+For an elementary example, consider the intuitionistic proof of $Q$ from
+$P\imp Q$ and $(P\imp Q)\imp P$. The implication $P\imp Q$ is needed
+twice:
+\[ \infer[({\imp}E)]{Q}{P\imp Q &
+ \infer[({\imp}E)]{P}{(P\imp Q)\imp P & P\imp Q}}
+\]
+The theorem prover for intuitionistic logic does not use~\isa{impE}.\@
+Instead, it simplifies implications using derived rules
+(Fig.\ts\ref{fol-int-derived}). It reduces the antecedents of implications
+to atoms and then uses Modus Ponens: from $P\imp Q$ and~$P$ deduce~$Q$.
+The rules \tdx{conj_impE} and \tdx{disj_impE} are
+straightforward: $(P\conj Q)\imp S$ is equivalent to $P\imp (Q\imp S)$, and
+$(P\disj Q)\imp S$ is equivalent to the conjunction of $P\imp S$ and $Q\imp
+S$. The other \ldots\isa{\_impE} rules are unsafe; the method requires
+backtracking. All the rules are derived in the same simple manner.
+
+Dyckhoff has independently discovered similar rules, and (more importantly)
+has demonstrated their completeness for propositional
+logic~\cite{dyckhoff}. However, the tactics given below are not complete
+for first-order logic because they discard universally quantified
+assumptions after a single use. These are \ML{} functions, and are listed
+below with their \ML{} type:
+\begin{ttbox}
+mp_tac : int -> tactic
+eq_mp_tac : int -> tactic
+IntPr.safe_step_tac : int -> tactic
+IntPr.safe_tac : tactic
+IntPr.inst_step_tac : int -> tactic
+IntPr.step_tac : int -> tactic
+IntPr.fast_tac : int -> tactic
+IntPr.best_tac : int -> tactic
+\end{ttbox}
+Most of these belong to the structure \ML{} structure \texttt{IntPr} and resemble the
+tactics of Isabelle's classical reasoner. There are no corresponding
+Isar methods, but you can use the
+\isa{tactic} method to call \ML{} tactics in an Isar script:
+\begin{isabelle}
+\isacommand{apply}\ (tactic\ {* IntPr.fast\_tac 1*})
+\end{isabelle}
+Here is a description of each tactic:
+
+\begin{ttdescription}
+\item[\ttindexbold{mp_tac} {\it i}]
+attempts to use \tdx{notE} or \tdx{impE} within the assumptions in
+subgoal $i$. For each assumption of the form $\neg P$ or $P\imp Q$, it
+searches for another assumption unifiable with~$P$. By
+contradiction with $\neg P$ it can solve the subgoal completely; by Modus
+Ponens it can replace the assumption $P\imp Q$ by $Q$. The tactic can
+produce multiple outcomes, enumerating all suitable pairs of assumptions.
+
+\item[\ttindexbold{eq_mp_tac} {\it i}]
+is like \texttt{mp_tac} {\it i}, but may not instantiate unknowns --- thus, it
+is safe.
+
+\item[\ttindexbold{IntPr.safe_step_tac} $i$] performs a safe step on
+subgoal~$i$. This may include proof by assumption or Modus Ponens (taking
+care not to instantiate unknowns), or \texttt{hyp_subst_tac}.
+
+\item[\ttindexbold{IntPr.safe_tac}] repeatedly performs safe steps on all
+subgoals. It is deterministic, with at most one outcome.
+
+\item[\ttindexbold{IntPr.inst_step_tac} $i$] is like \texttt{safe_step_tac},
+but allows unknowns to be instantiated.
+
+\item[\ttindexbold{IntPr.step_tac} $i$] tries \texttt{safe_tac} or {\tt
+ inst_step_tac}, or applies an unsafe rule. This is the basic step of
+ the intuitionistic proof procedure.
+
+\item[\ttindexbold{IntPr.fast_tac} $i$] applies \texttt{step_tac}, using
+depth-first search, to solve subgoal~$i$.
+
+\item[\ttindexbold{IntPr.best_tac} $i$] applies \texttt{step_tac}, using
+best-first search (guided by the size of the proof state) to solve subgoal~$i$.
+\end{ttdescription}
+Here are some of the theorems that \texttt{IntPr.fast_tac} proves
+automatically. The latter three date from {\it Principia Mathematica}
+(*11.53, *11.55, *11.61)~\cite{principia}.
+\begin{ttbox}
+~~P & ~~(P --> Q) --> ~~Q
+(ALL x y. P(x) --> Q(y)) <-> ((EX x. P(x)) --> (ALL y. Q(y)))
+(EX x y. P(x) & Q(x,y)) <-> (EX x. P(x) & (EX y. Q(x,y)))
+(EX y. ALL x. P(x) --> Q(x,y)) --> (ALL x. P(x) --> (EX y. Q(x,y)))
+\end{ttbox}
+
+
+
+\begin{figure}
+\begin{ttbox}
+\tdx{excluded_middle} ~P | P
+
+\tdx{disjCI} (~Q ==> P) ==> P|Q
+\tdx{exCI} (ALL x. ~P(x) ==> P(a)) ==> EX x.P(x)
+\tdx{impCE} [| P-->Q; ~P ==> R; Q ==> R |] ==> R
+\tdx{iffCE} [| P<->Q; [| P; Q |] ==> R; [| ~P; ~Q |] ==> R |] ==> R
+\tdx{notnotD} ~~P ==> P
+\tdx{swap} ~P ==> (~Q ==> P) ==> Q
+\end{ttbox}
+\caption{Derived rules for classical logic} \label{fol-cla-derived}
+\end{figure}
+
+
+\section{Classical proof procedures} \label{fol-cla-prover}
+The classical theory, \thydx{FOL}, consists of intuitionistic logic plus
+the rule
+$$ \vcenter{\infer{P}{\infer*{P}{[\neg P]}}} \eqno(classical) $$
+\noindent
+Natural deduction in classical logic is not really all that natural. FOL
+derives classical introduction rules for $\disj$ and~$\exists$, as well as
+classical elimination rules for~$\imp$ and~$\bimp$, and the swap rule (see
+Fig.\ts\ref{fol-cla-derived}).
+
+The classical reasoner is installed. The most useful methods are
+\isa{blast} (pure classical reasoning) and \isa{auto} (classical reasoning
+combined with simplification), but the full range of
+methods is available, including \isa{clarify},
+\isa{fast}, \isa{best} and \isa{force}.
+ See the
+\iflabelundefined{chap:classical}{the {\em Reference Manual\/}}%
+ {Chap.\ts\ref{chap:classical}}
+and the \emph{Tutorial}~\cite{isa-tutorial}
+for more discussion of classical proof methods.
+
+
+\section{An intuitionistic example}
+Here is a session similar to one in the book {\em Logic and Computation}
+\cite[pages~222--3]{paulson87}. It illustrates the treatment of
+quantifier reasoning, which is different in Isabelle than it is in
+{\sc lcf}-based theorem provers such as {\sc hol}.
+
+The theory header specifies that we are working in intuitionistic
+logic by designating \isa{IFOL} rather than \isa{FOL} as the parent
+theory:
+\begin{isabelle}
+\isacommand{theory}\ IFOL\_examples\ \isacommand{imports}\ IFOL\isanewline
+\isacommand{begin}
+\end{isabelle}
+The proof begins by entering the goal, then applying the rule $({\imp}I)$.
+\begin{isabelle}
+\isacommand{lemma}\ "(EX\ y.\ ALL\ x.\ Q(x,y))\ -->\ \ (ALL\ x.\ EX\ y.\ Q(x,y))"\isanewline
+\ 1.\ (\isasymexists y.\ \isasymforall x.\ Q(x,\ y))\
+\isasymlongrightarrow \ (\isasymforall x.\ \isasymexists y.\ Q(x,\ y))
+\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\ 1.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
+\isasymLongrightarrow \ \isasymforall x.\ \isasymexists y.\ Q(x,\ y)
+\end{isabelle}
+Isabelle's output is shown as it would appear using Proof General.
+In this example, we shall never have more than one subgoal. Applying
+$({\imp}I)$ replaces~\isa{\isasymlongrightarrow}
+by~\isa{\isasymLongrightarrow}, so that
+\(\ex{y}\all{x}Q(x,y)\) becomes an assumption. We have the choice of
+$({\exists}E)$ and $({\forall}I)$; let us try the latter.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ allI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
+\isasymLongrightarrow \ \isasymexists y.\ Q(x,\ y)\hfill\((*)\)
+\end{isabelle}
+Applying $({\forall}I)$ replaces the \isa{\isasymforall
+x} (in ASCII, \isa{ALL~x}) by \isa{\isasymAnd x}
+(or \isa{!!x}), replacing FOL's universal quantifier by Isabelle's
+meta universal quantifier. The bound variable is a {\bf parameter} of
+the subgoal. We now must choose between $({\exists}I)$ and
+$({\exists}E)$. What happens if the wrong rule is chosen?
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymexists y.\ \isasymforall x.\ Q(x,\ y)\
+\isasymLongrightarrow \ Q(x,\ ?y2(x))
+\end{isabelle}
+The new subgoal~1 contains the function variable \isa{?y2}. Instantiating
+\isa{?y2} can replace~\isa{?y2(x)} by a term containing~\isa{x}, even
+though~\isa{x} is a bound variable. Now we analyse the assumption
+\(\exists y.\forall x. Q(x,y)\) using elimination rules:
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\ \isasymLongrightarrow \ Q(x,\ ?y2(x))
+\end{isabelle}
+Applying $(\exists E)$ has produced the parameter \isa{y} and stripped the
+existential quantifier from the assumption. But the subgoal is unprovable:
+there is no way to unify \isa{?y2(x)} with the bound variable~\isa{y}.
+Using Proof General, we can return to the critical point, marked
+$(*)$ above. This time we apply $({\exists}E)$:
+\begin{isabelle}
+\isacommand{apply}\ (erule\ exE)\isanewline
+\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\
+\isasymLongrightarrow \ \isasymexists y.\ Q(x,\ y)
+\end{isabelle}
+We now have two parameters and no scheme variables. Applying
+$({\exists}I)$ and $({\forall}E)$ produces two scheme variables, which are
+applied to those parameters. Parameters should be produced early, as this
+example demonstrates.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ exI)\isanewline
+\ 1.\ \isasymAnd x\ y.\ \isasymforall x.\ Q(x,\ y)\
+\isasymLongrightarrow \ Q(x,\ ?y3(x,\ y))
+\isanewline
+\isacommand{apply}\ (erule\ allE)\isanewline
+\ 1.\ \isasymAnd x\ y.\ Q(?x4(x,\ y),\ y)\ \isasymLongrightarrow \
+Q(x,\ ?y3(x,\ y))
+\end{isabelle}
+The subgoal has variables \isa{?y3} and \isa{?x4} applied to both
+parameters. The obvious projection functions unify \isa{?x4(x,y)} with~\isa{
+x} and \isa{?y3(x,y)} with~\isa{y}.
+\begin{isabelle}
+\isacommand{apply}\ assumption\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+The theorem was proved in six method invocations, not counting the
+abandoned ones. But proof checking is tedious, and the \ML{} tactic
+\ttindex{IntPr.fast_tac} can prove the theorem in one step.
+\begin{isabelle}
+\isacommand{lemma}\ "(EX\ y.\ ALL\ x.\ Q(x,y))\ -->\ \ (ALL\ x.\ EX\ y.\ Q(x,y))"\isanewline
+\ 1.\ (\isasymexists y.\ \isasymforall x.\ Q(x,\ y))\
+\isasymlongrightarrow \ (\isasymforall x.\ \isasymexists y.\ Q(x,\ y))
+\isanewline
+\isacommand{by} (tactic \ttlbrace*IntPr.fast_tac 1*\ttrbrace)\isanewline
+No\ subgoals!
+\end{isabelle}
+
+
+\section{An example of intuitionistic negation}
+The following example demonstrates the specialized forms of implication
+elimination. Even propositional formulae can be difficult to prove from
+the basic rules; the specialized rules help considerably.
+
+Propositional examples are easy to invent. As Dummett notes~\cite[page
+28]{dummett}, $\neg P$ is classically provable if and only if it is
+intuitionistically provable; therefore, $P$ is classically provable if and
+only if $\neg\neg P$ is intuitionistically provable.%
+\footnote{This remark holds only for propositional logic, not if $P$ is
+ allowed to contain quantifiers.}
+%
+Proving $\neg\neg P$ intuitionistically is
+much harder than proving~$P$ classically.
+
+Our example is the double negation of the classical tautology $(P\imp
+Q)\disj (Q\imp P)$. The first step is apply the
+\isa{unfold} method, which expands
+negations to implications using the definition $\neg P\equiv P\imp\bot$
+and allows use of the special implication rules.
+\begin{isabelle}
+\isacommand{lemma}\ "\isachartilde \ \isachartilde \ ((P-->Q)\ |\ (Q-->P))"\isanewline
+\ 1.\ \isasymnot \ \isasymnot \ ((P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P))
+\isanewline
+\isacommand{apply}\ (unfold\ not\_def)\isanewline
+\ 1.\ ((P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False)\ \isasymlongrightarrow \ False%
+\end{isabelle}
+The next step is a trivial use of $(\imp I)$.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ impI)\isanewline
+\ 1.\ (P\ \isasymlongrightarrow \ Q)\ \isasymor \ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False\ \isasymLongrightarrow \ False%
+\end{isabelle}
+By $(\imp E)$ it would suffice to prove $(P\imp Q)\disj (Q\imp P)$, but
+that formula is not a theorem of intuitionistic logic. Instead, we
+apply the specialized implication rule \tdx{disj_impE}. It splits the
+assumption into two assumptions, one for each disjunct.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ disj\_impE)\isanewline
+\ 1.\ \isasymlbrakk (P\ \isasymlongrightarrow \ Q)\ \isasymlongrightarrow \ False;\ (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \
+False
+\end{isabelle}
+We cannot hope to prove $P\imp Q$ or $Q\imp P$ separately, but
+their negations are inconsistent. Applying \tdx{imp_impE} breaks down
+the assumption $\neg(P\imp Q)$, asking to show~$Q$ while providing new
+assumptions~$P$ and~$\neg Q$.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ imp\_impE)\isanewline
+\ 1.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ P;\ Q\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
+\ 2.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \
+False
+\end{isabelle}
+Subgoal~2 holds trivially; let us ignore it and continue working on
+subgoal~1. Thanks to the assumption~$P$, we could prove $Q\imp P$;
+applying \tdx{imp_impE} is simpler.
+\begin{isabelle}
+\ \isacommand{apply}\ (erule\ imp\_impE)\isanewline
+\ 1.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\ Q;\ P\ \isasymlongrightarrow \ False\isasymrbrakk \ \isasymLongrightarrow \ P\isanewline
+\ 2.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
+\ 3.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\ \isasymlongrightarrow \ False;\ False\isasymrbrakk \ \isasymLongrightarrow \ False%
+\end{isabelle}
+The three subgoals are all trivial.
+\begin{isabelle}
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymlbrakk P;\ Q\ \isasymlongrightarrow \ False;\
+False\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
+\ 2.\ \isasymlbrakk (Q\ \isasymlongrightarrow \ P)\
+\isasymlongrightarrow \ False;\ False\isasymrbrakk \
+\isasymLongrightarrow \ False%
+\isanewline
+\isacommand{apply}\ (erule\ FalseE)+\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+This proof is also trivial for the \ML{} tactic \isa{IntPr.fast_tac}.
+
+
+\section{A classical example} \label{fol-cla-example}
+To illustrate classical logic, we shall prove the theorem
+$\ex{y}\all{x}P(y)\imp P(x)$. Informally, the theorem can be proved as
+follows. Choose~$y$ such that~$\neg P(y)$, if such exists; otherwise
+$\all{x}P(x)$ is true. Either way the theorem holds. First, we must
+work in a theory based on classical logic, the theory \isa{FOL}:
+\begin{isabelle}
+\isacommand{theory}\ FOL\_examples\ \isacommand{imports}\ FOL\isanewline
+\isacommand{begin}
+\end{isabelle}
+
+The formal proof does not conform in any obvious way to the sketch given
+above. Its key step is its first rule, \tdx{exCI}, a classical
+version of~$(\exists I)$ that allows multiple instantiation of the
+quantifier.
+\begin{isabelle}
+\isacommand{lemma}\ "EX\ y.\ ALL\ x.\ P(y)-->P(x)"\isanewline
+\ 1.\ \isasymexists y.\ \isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x)
+\isanewline
+\isacommand{apply}\ (rule\ exCI)\isanewline
+\ 1.\ \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x))\ \isasymLongrightarrow \ \isasymforall x.\ P(?a)\ \isasymlongrightarrow \ P(x)
+\end{isabelle}
+We can either exhibit a term \isa{?a} to satisfy the conclusion of
+subgoal~1, or produce a contradiction from the assumption. The next
+steps are routine.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ allI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x))\ \isasymLongrightarrow \ P(?a)\ \isasymlongrightarrow \ P(x)
+\isanewline
+\isacommand{apply}\ (rule\ impI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk \isasymforall y.\ \isasymnot \ (\isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x));\ P(?a)\isasymrbrakk \ \isasymLongrightarrow \ P(x)
+\end{isabelle}
+By the duality between $\exists$ and~$\forall$, applying~$(\forall E)$
+is equivalent to applying~$(\exists I)$ again.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ allE)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk P(?a);\ \isasymnot \ (\isasymforall xa.\ P(?y3(x))\ \isasymlongrightarrow \ P(xa))\isasymrbrakk \ \isasymLongrightarrow \ P(x)
+\end{isabelle}
+In classical logic, a negated assumption is equivalent to a conclusion. To
+get this effect, we create a swapped version of $(\forall I)$ and apply it
+using \ttindex{erule}.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ allI\ [THEN\ [2]\ swap])\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ \isasymnot \ P(x)\isasymrbrakk \ \isasymLongrightarrow \ P(?y3(x))\ \isasymlongrightarrow \ P(xa)
+\end{isabelle}
+The operand of \isa{erule} above denotes the following theorem:
+\begin{isabelle}
+\ \ \ \ \isasymlbrakk \isasymnot \ (\isasymforall x.\ ?P1(x));\
+\isasymAnd x.\ \isasymnot \ ?P\ \isasymLongrightarrow \
+?P1(x)\isasymrbrakk \
+\isasymLongrightarrow \ ?P%
+\end{isabelle}
+The previous conclusion, \isa{P(x)}, has become a negated assumption.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ impI)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ \isasymnot \ P(x);\ P(?y3(x))\isasymrbrakk \ \isasymLongrightarrow \ P(xa)
+\end{isabelle}
+The subgoal has three assumptions. We produce a contradiction between the
+\index{assumptions!contradictory} assumptions~\isa{\isasymnot P(x)}
+and~\isa{P(?y3(x))}. The proof never instantiates the
+unknown~\isa{?a}.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ notE)\isanewline
+\ 1.\ \isasymAnd x\ xa.\ \isasymlbrakk P(?a);\ P(?y3(x))\isasymrbrakk \ \isasymLongrightarrow \ P(x)
+\isanewline
+\isacommand{apply}\ assumption\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+The civilised way to prove this theorem is using the
+\methdx{blast} method, which automatically uses the classical form
+of the rule~$(\exists I)$:
+\begin{isabelle}
+\isacommand{lemma}\ "EX\ y.\ ALL\ x.\ P(y)-->P(x)"\isanewline
+\ 1.\ \isasymexists y.\ \isasymforall x.\ P(y)\ \isasymlongrightarrow \ P(x)
+\isanewline
+\isacommand{by}\ blast\isanewline
+No\ subgoals!
+\end{isabelle}
+If this theorem seems counterintuitive, then perhaps you are an
+intuitionist. In constructive logic, proving $\ex{y}\all{x}P(y)\imp P(x)$
+requires exhibiting a particular term~$t$ such that $\all{x}P(t)\imp P(x)$,
+which we cannot do without further knowledge about~$P$.
+
+
+\section{Derived rules and the classical tactics}
+Classical first-order logic can be extended with the propositional
+connective $if(P,Q,R)$, where
+$$ if(P,Q,R) \equiv P\conj Q \disj \neg P \conj R. \eqno(if) $$
+Theorems about $if$ can be proved by treating this as an abbreviation,
+replacing $if(P,Q,R)$ by $P\conj Q \disj \neg P \conj R$ in subgoals. But
+this duplicates~$P$, causing an exponential blowup and an unreadable
+formula. Introducing further abbreviations makes the problem worse.
+
+Natural deduction demands rules that introduce and eliminate $if(P,Q,R)$
+directly, without reference to its definition. The simple identity
+\[ if(P,Q,R) \,\bimp\, (P\imp Q)\conj (\neg P\imp R) \]
+suggests that the
+$if$-introduction rule should be
+\[ \infer[({if}\,I)]{if(P,Q,R)}{\infer*{Q}{[P]} & \infer*{R}{[\neg P]}} \]
+The $if$-elimination rule reflects the definition of $if(P,Q,R)$ and the
+elimination rules for~$\disj$ and~$\conj$.
+\[ \infer[({if}\,E)]{S}{if(P,Q,R) & \infer*{S}{[P,Q]}
+ & \infer*{S}{[\neg P,R]}}
+\]
+Having made these plans, we get down to work with Isabelle. The theory of
+classical logic, \texttt{FOL}, is extended with the constant
+$if::[o,o,o]\To o$. The axiom \tdx{if_def} asserts the
+equation~$(if)$.
+\begin{isabelle}
+\isacommand{theory}\ If\ \isacommand{imports}\ FOL\isanewline
+\isacommand{begin}\isanewline
+\isacommand{constdefs}\isanewline
+\ \ if\ ::\ "[o,o,o]=>o"\isanewline
+\ \ \ "if(P,Q,R)\ ==\ P\&Q\ |\ \isachartilde P\&R"
+\end{isabelle}
+We create the file \texttt{If.thy} containing these declarations. (This file
+is on directory \texttt{FOL/ex} in the Isabelle distribution.) Typing
+\begin{isabelle}
+use_thy "If";
+\end{isabelle}
+loads that theory and sets it to be the current context.
+
+
+\subsection{Deriving the introduction rule}
+
+The derivations of the introduction and elimination rules demonstrate the
+methods for rewriting with definitions. Classical reasoning is required,
+so we use \isa{blast}.
+
+The introduction rule, given the premises $P\Imp Q$ and $\neg P\Imp R$,
+concludes $if(P,Q,R)$. We propose this lemma and immediately simplify
+using \isa{if\_def} to expand the definition of \isa{if} in the
+subgoal.
+\begin{isabelle}
+\isacommand{lemma}\ ifI: "[|\ P\ ==>\ Q;\ \isachartilde P\ ==>\ R\
+|]\ ==>\ if(P,Q,R)"\isanewline
+\ 1.\ \isasymlbrakk P\ \isasymLongrightarrow \ Q;\ \isasymnot \ P\ \isasymLongrightarrow \ R\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ Q,\ R)
+\isanewline
+\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
+\ 1.\ \isasymlbrakk P\ \isasymLongrightarrow \ Q;\ \isasymnot \ P\ \isasymLongrightarrow \ R\isasymrbrakk \ \isasymLongrightarrow \ P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \
+R
+\end{isabelle}
+The rule's premises, although expressed using meta-level implication
+(\isa{\isasymLongrightarrow}) are passed as ordinary implications to
+\methdx{blast}.
+\begin{isabelle}
+\isacommand{apply}\ blast\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+
+
+\subsection{Deriving the elimination rule}
+The elimination rule has three premises, two of which are themselves rules.
+The conclusion is simply $S$.
+\begin{isabelle}
+\isacommand{lemma}\ ifE:\isanewline
+\ \ \ "[|\ if(P,Q,R);\ \ [|P;\ Q|]\ ==>\ S;\ [|\isachartilde P;\ R|]\ ==>\ S\ |]\ ==>\ S"\isanewline
+\ 1.\ \isasymlbrakk if(P,\ Q,\ R);\ \isasymlbrakk P;\ Q\isasymrbrakk \ \isasymLongrightarrow \ S;\ \isasymlbrakk \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ S\isasymrbrakk \ \isasymLongrightarrow \ S%
+\isanewline
+\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
+\ 1.\ \isasymlbrakk P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R;\ \isasymlbrakk P;\ Q\isasymrbrakk \ \isasymLongrightarrow \ S;\ \isasymlbrakk \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ S\isasymrbrakk \ \isasymLongrightarrow \ S%
+\end{isabelle}
+The proof script is the same as before: \isa{simp} followed by
+\isa{blast}:
+\begin{isabelle}
+\isacommand{apply}\ blast\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+
+
+\subsection{Using the derived rules}
+Our new derived rules, \tdx{ifI} and~\tdx{ifE}, permit natural
+proofs of theorems such as the following:
+\begin{eqnarray*}
+ if(P, if(Q,A,B), if(Q,C,D)) & \bimp & if(Q,if(P,A,C),if(P,B,D)) \\
+ if(if(P,Q,R), A, B) & \bimp & if(P,if(Q,A,B),if(R,A,B))
+\end{eqnarray*}
+Proofs also require the classical reasoning rules and the $\bimp$
+introduction rule (called~\tdx{iffI}: do not confuse with~\isa{ifI}).
+
+To display the $if$-rules in action, let us analyse a proof step by step.
+\begin{isabelle}
+\isacommand{lemma}\ if\_commute:\isanewline
+\ \ \ \ \ "if(P,\ if(Q,A,B),\
+if(Q,C,D))\ <->\ if(Q,\ if(P,A,C),\ if(P,B,D))"\isanewline
+\isacommand{apply}\ (rule\ iffI)\isanewline
+\ 1.\ if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 1.\ }if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 2.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 2.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
+\end{isabelle}
+The $if$-elimination rule can be applied twice in succession.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ ifE)\isanewline
+\ 1.\ \isasymlbrakk P;\ if(Q,\ A,\ B)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 2.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 3.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 3.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
+\isanewline
+\isacommand{apply}\ (erule\ ifE)\isanewline
+\ 1.\ \isasymlbrakk P;\ Q;\ A\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 2.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 3.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 4.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 4.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
+\end{isabelle}
+%
+In the first two subgoals, all assumptions have been reduced to atoms. Now
+$if$-introduction can be applied. Observe how the $if$-rules break down
+occurrences of $if$ when they become the outermost connective.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ ifI)\isanewline
+\ 1.\ \isasymlbrakk P;\ Q;\ A;\ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ A,\ C)\isanewline
+\ 2.\ \isasymlbrakk P;\ Q;\ A;\ \isasymnot \ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ B,\ D)\isanewline
+\ 3.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 4.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 5.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 5.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
+\isanewline
+\isacommand{apply}\ (rule\ ifI)\isanewline
+\ 1.\ \isasymlbrakk P;\ Q;\ A;\ Q;\ P\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
+\ 2.\ \isasymlbrakk P;\ Q;\ A;\ Q;\ \isasymnot \ P\isasymrbrakk \ \isasymLongrightarrow \ C\isanewline
+\ 3.\ \isasymlbrakk P;\ Q;\ A;\ \isasymnot \ Q\isasymrbrakk \ \isasymLongrightarrow \ if(P,\ B,\ D)\isanewline
+\ 4.\ \isasymlbrakk P;\ \isasymnot \ Q;\ B\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 5.\ \isasymlbrakk \isasymnot \ P;\ if(Q,\ C,\ D)\isasymrbrakk \ \isasymLongrightarrow \ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\isanewline
+\ 6.\ if(Q,\ if(P,\ A,\ C),\ if(P,\ B,\ D))\ \isasymLongrightarrow \isanewline
+\isaindent{\ 6.\ }if(P,\ if(Q,\ A,\ B),\ if(Q,\ C,\ D))
+\end{isabelle}
+Where do we stand? The first subgoal holds by assumption; the second and
+third, by contradiction. This is getting tedious. We could use the classical
+reasoner, but first let us extend the default claset with the derived rules
+for~$if$.
+\begin{isabelle}
+\isacommand{declare}\ ifI\ [intro!]\isanewline
+\isacommand{declare}\ ifE\ [elim!]
+\end{isabelle}
+With these declarations, we could have proved this theorem with a single
+call to \isa{blast}. Here is another example:
+\begin{isabelle}
+\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,A,B))"\isanewline
+\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ A,\ B))
+\isanewline
+\isacommand{by}\ blast
+\end{isabelle}
+
+
+\subsection{Derived rules versus definitions}
+Dispensing with the derived rules, we can treat $if$ as an
+abbreviation, and let \ttindex{blast_tac} prove the expanded formula. Let
+us redo the previous proof:
+\begin{isabelle}
+\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,A,B))"\isanewline
+\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ A,\ B))
+\end{isabelle}
+This time, we simply unfold using the definition of $if$:
+\begin{isabelle}
+\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
+\ 1.\ (P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R)\ \isasymand \ A\ \isasymor \ (\isasymnot \ P\ \isasymor \ \isasymnot \ Q)\ \isasymand \ (P\ \isasymor \ \isasymnot \ R)\ \isasymand \ B\ \isasymlongleftrightarrow \isanewline
+\isaindent{\ 1.\ }P\ \isasymand \ (Q\ \isasymand \ A\ \isasymor \ \isasymnot \ Q\ \isasymand \ B)\ \isasymor \ \isasymnot \ P\ \isasymand \ (R\ \isasymand \ A\ \isasymor \ \isasymnot \ R\ \isasymand \ B)
+\end{isabelle}
+We are left with a subgoal in pure first-order logic, and it falls to
+\isa{blast}:
+\begin{isabelle}
+\isacommand{apply}\ blast\isanewline
+No\ subgoals!
+\end{isabelle}
+Expanding definitions reduces the extended logic to the base logic. This
+approach has its merits, but it can be slow. In these examples, proofs
+using the derived rules for~\isa{if} run about six
+times faster than proofs using just the rules of first-order logic.
+
+Expanding definitions can also make it harder to diagnose errors.
+Suppose we are having difficulties in proving some goal. If by expanding
+definitions we have made it unreadable, then we have little hope of
+diagnosing the problem.
+
+Attempts at program verification often yield invalid assertions.
+Let us try to prove one:
+\begin{isabelle}
+\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,B,A))"\isanewline
+\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ B,\
+A))
+\end{isabelle}
+Calling \isa{blast} yields an uninformative failure message. We can
+get a closer look at the situation by applying \methdx{auto}.
+\begin{isabelle}
+\isacommand{apply}\ auto\isanewline
+\ 1.\ \isasymlbrakk A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ B\isanewline
+\ 2.\ \isasymlbrakk B;\ \isasymnot \ P;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
+\ 3.\ \isasymlbrakk B;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ A\isanewline
+\ 4.\ \isasymlbrakk \isasymnot \ R;\ A;\ \isasymnot \ B;\ \isasymnot \ P\isasymrbrakk \ \isasymLongrightarrow \
+False
+\end{isabelle}
+Subgoal~1 is unprovable and yields a countermodel: $P$ and~$B$ are false
+while~$R$ and~$A$ are true. This truth assignment reduces the main goal to
+$true\bimp false$, which is of course invalid.
+
+We can repeat this analysis by expanding definitions, using just the rules of
+first-order logic:
+\begin{isabelle}
+\isacommand{lemma}\ "if(if(P,Q,R),\ A,\ B)\ <->\ if(P,\ if(Q,A,B),\ if(R,B,A))"\isanewline
+\ 1.\ if(if(P,\ Q,\ R),\ A,\ B)\ \isasymlongleftrightarrow \ if(P,\ if(Q,\ A,\ B),\ if(R,\ B,\
+A))
+\isanewline
+\isacommand{apply}\ (simp\ add:\ if\_def)\isanewline
+\ 1.\ (P\ \isasymand \ Q\ \isasymor \ \isasymnot \ P\ \isasymand \ R)\ \isasymand \ A\ \isasymor \ (\isasymnot \ P\ \isasymor \ \isasymnot \ Q)\ \isasymand \ (P\ \isasymor \ \isasymnot \ R)\ \isasymand \ B\ \isasymlongleftrightarrow \isanewline
+\isaindent{\ 1.\ }P\ \isasymand \ (Q\ \isasymand \ A\ \isasymor \ \isasymnot \ Q\ \isasymand \ B)\ \isasymor \ \isasymnot \ P\ \isasymand \ (R\ \isasymand \ B\ \isasymor \ \isasymnot \ R\ \isasymand \ A)
+\end{isabelle}
+Again \isa{blast} would fail, so we try \methdx{auto}:
+\begin{isabelle}
+\isacommand{apply}\ (auto)\ \isanewline
+\ 1.\ \isasymlbrakk A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ B\isanewline
+\ 2.\ \isasymlbrakk A;\ \isasymnot \ P;\ R;\ \isasymnot \ B\isasymrbrakk \ \isasymLongrightarrow \ Q\isanewline
+\ 3.\ \isasymlbrakk B;\ \isasymnot \ R;\ \isasymnot \ P;\ \isasymnot \ A\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
+\ 4.\ \isasymlbrakk B;\ \isasymnot \ P;\ \isasymnot \ A;\ \isasymnot \ R;\ Q\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
+\ 5.\ \isasymlbrakk B;\ \isasymnot \ Q;\ \isasymnot \ R;\ \isasymnot \ P;\ \isasymnot \ A\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
+\ 6.\ \isasymlbrakk B;\ \isasymnot \ A;\ \isasymnot \ P;\ R\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
+\ 7.\ \isasymlbrakk \isasymnot \ P;\ A;\ \isasymnot \ B;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ False\isanewline
+\ 8.\ \isasymlbrakk \isasymnot \ P;\ A;\ \isasymnot \ B;\ \isasymnot \ R\isasymrbrakk \ \isasymLongrightarrow \ Q%
+\end{isabelle}
+Subgoal~1 yields the same countermodel as before. But each proof step has
+taken six times as long, and the final result contains twice as many subgoals.
+
+Expanding your definitions usually makes proofs more difficult. This is
+why the classical prover has been designed to accept derived rules.
+
+\index{first-order logic|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/document/ZF.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2717 @@
+\chapter{Zermelo-Fraenkel Set Theory}
+\index{set theory|(}
+
+The theory~\thydx{ZF} implements Zermelo-Fraenkel set
+theory~\cite{halmos60,suppes72} as an extension of~\texttt{FOL}, classical
+first-order logic. The theory includes a collection of derived natural
+deduction rules, for use with Isabelle's classical reasoner. Some
+of it is based on the work of No\"el~\cite{noel}.
+
+A tremendous amount of set theory has been formally developed, including the
+basic properties of relations, functions, ordinals and cardinals. Significant
+results have been proved, such as the Schr\"oder-Bernstein Theorem, the
+Wellordering Theorem and a version of Ramsey's Theorem. \texttt{ZF} provides
+both the integers and the natural numbers. General methods have been
+developed for solving recursion equations over monotonic functors; these have
+been applied to yield constructions of lists, trees, infinite lists, etc.
+
+\texttt{ZF} has a flexible package for handling inductive definitions,
+such as inference systems, and datatype definitions, such as lists and
+trees. Moreover it handles coinductive definitions, such as
+bisimulation relations, and codatatype definitions, such as streams. It
+provides a streamlined syntax for defining primitive recursive functions over
+datatypes.
+
+Published articles~\cite{paulson-set-I,paulson-set-II} describe \texttt{ZF}
+less formally than this chapter. Isabelle employs a novel treatment of
+non-well-founded data structures within the standard {\sc zf} axioms including
+the Axiom of Foundation~\cite{paulson-mscs}.
+
+
+\section{Which version of axiomatic set theory?}
+The two main axiom systems for set theory are Bernays-G\"odel~({\sc bg})
+and Zermelo-Fraenkel~({\sc zf}). Resolution theorem provers can use {\sc
+ bg} because it is finite~\cite{boyer86,quaife92}. {\sc zf} does not
+have a finite axiom system because of its Axiom Scheme of Replacement.
+This makes it awkward to use with many theorem provers, since instances
+of the axiom scheme have to be invoked explicitly. Since Isabelle has no
+difficulty with axiom schemes, we may adopt either axiom system.
+
+These two theories differ in their treatment of {\bf classes}, which are
+collections that are `too big' to be sets. The class of all sets,~$V$,
+cannot be a set without admitting Russell's Paradox. In {\sc bg}, both
+classes and sets are individuals; $x\in V$ expresses that $x$ is a set. In
+{\sc zf}, all variables denote sets; classes are identified with unary
+predicates. The two systems define essentially the same sets and classes,
+with similar properties. In particular, a class cannot belong to another
+class (let alone a set).
+
+Modern set theorists tend to prefer {\sc zf} because they are mainly concerned
+with sets, rather than classes. {\sc bg} requires tiresome proofs that various
+collections are sets; for instance, showing $x\in\{x\}$ requires showing that
+$x$ is a set.
+
+
+\begin{figure} \small
+\begin{center}
+\begin{tabular}{rrr}
+ \it name &\it meta-type & \it description \\
+ \cdx{Let} & $[\alpha,\alpha\To\beta]\To\beta$ & let binder\\
+ \cdx{0} & $i$ & empty set\\
+ \cdx{cons} & $[i,i]\To i$ & finite set constructor\\
+ \cdx{Upair} & $[i,i]\To i$ & unordered pairing\\
+ \cdx{Pair} & $[i,i]\To i$ & ordered pairing\\
+ \cdx{Inf} & $i$ & infinite set\\
+ \cdx{Pow} & $i\To i$ & powerset\\
+ \cdx{Union} \cdx{Inter} & $i\To i$ & set union/intersection \\
+ \cdx{split} & $[[i,i]\To i, i] \To i$ & generalized projection\\
+ \cdx{fst} \cdx{snd} & $i\To i$ & projections\\
+ \cdx{converse}& $i\To i$ & converse of a relation\\
+ \cdx{succ} & $i\To i$ & successor\\
+ \cdx{Collect} & $[i,i\To o]\To i$ & separation\\
+ \cdx{Replace} & $[i, [i,i]\To o] \To i$ & replacement\\
+ \cdx{PrimReplace} & $[i, [i,i]\To o] \To i$ & primitive replacement\\
+ \cdx{RepFun} & $[i, i\To i] \To i$ & functional replacement\\
+ \cdx{Pi} \cdx{Sigma} & $[i,i\To i]\To i$ & general product/sum\\
+ \cdx{domain} & $i\To i$ & domain of a relation\\
+ \cdx{range} & $i\To i$ & range of a relation\\
+ \cdx{field} & $i\To i$ & field of a relation\\
+ \cdx{Lambda} & $[i, i\To i]\To i$ & $\lambda$-abstraction\\
+ \cdx{restrict}& $[i, i] \To i$ & restriction of a function\\
+ \cdx{The} & $[i\To o]\To i$ & definite description\\
+ \cdx{if} & $[o,i,i]\To i$ & conditional\\
+ \cdx{Ball} \cdx{Bex} & $[i, i\To o]\To o$ & bounded quantifiers
+\end{tabular}
+\end{center}
+\subcaption{Constants}
+
+\begin{center}
+\index{*"`"` symbol}
+\index{*"-"`"` symbol}
+\index{*"` symbol}\index{function applications}
+\index{*"- symbol}
+\index{*": symbol}
+\index{*"<"= symbol}
+\begin{tabular}{rrrr}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt `` & $[i,i]\To i$ & Left 90 & image \\
+ \tt -`` & $[i,i]\To i$ & Left 90 & inverse image \\
+ \tt ` & $[i,i]\To i$ & Left 90 & application \\
+ \sdx{Int} & $[i,i]\To i$ & Left 70 & intersection ($\int$) \\
+ \sdx{Un} & $[i,i]\To i$ & Left 65 & union ($\un$) \\
+ \tt - & $[i,i]\To i$ & Left 65 & set difference ($-$) \\[1ex]
+ \tt: & $[i,i]\To o$ & Left 50 & membership ($\in$) \\
+ \tt <= & $[i,i]\To o$ & Left 50 & subset ($\subseteq$)
+\end{tabular}
+\end{center}
+\subcaption{Infixes}
+\caption{Constants of ZF} \label{zf-constants}
+\end{figure}
+
+
+\section{The syntax of set theory}
+The language of set theory, as studied by logicians, has no constants. The
+traditional axioms merely assert the existence of empty sets, unions,
+powersets, etc.; this would be intolerable for practical reasoning. The
+Isabelle theory declares constants for primitive sets. It also extends
+\texttt{FOL} with additional syntax for finite sets, ordered pairs,
+comprehension, general union/intersection, general sums/products, and
+bounded quantifiers. In most other respects, Isabelle implements precisely
+Zermelo-Fraenkel set theory.
+
+Figure~\ref{zf-constants} lists the constants and infixes of~ZF, while
+Figure~\ref{zf-trans} presents the syntax translations. Finally,
+Figure~\ref{zf-syntax} presents the full grammar for set theory, including the
+constructs of FOL.
+
+Local abbreviations can be introduced by a \isa{let} construct whose
+syntax appears in Fig.\ts\ref{zf-syntax}. Internally it is translated into
+the constant~\cdx{Let}. It can be expanded by rewriting with its
+definition, \tdx{Let_def}.
+
+Apart from \isa{let}, set theory does not use polymorphism. All terms in
+ZF have type~\tydx{i}, which is the type of individuals and has
+class~\cldx{term}. The type of first-order formulae, remember,
+is~\tydx{o}.
+
+Infix operators include binary union and intersection ($A\un B$ and
+$A\int B$), set difference ($A-B$), and the subset and membership
+relations. Note that $a$\verb|~:|$b$ is translated to $\lnot(a\in b)$,
+which is equivalent to $a\notin b$. The
+union and intersection operators ($\bigcup A$ and $\bigcap A$) form the
+union or intersection of a set of sets; $\bigcup A$ means the same as
+$\bigcup@{x\in A}x$. Of these operators, only $\bigcup A$ is primitive.
+
+The constant \cdx{Upair} constructs unordered pairs; thus \isa{Upair($A$,$B$)} denotes the set~$\{A,B\}$ and
+\isa{Upair($A$,$A$)} denotes the singleton~$\{A\}$. General union is
+used to define binary union. The Isabelle version goes on to define
+the constant
+\cdx{cons}:
+\begin{eqnarray*}
+ A\cup B & \equiv & \bigcup(\isa{Upair}(A,B)) \\
+ \isa{cons}(a,B) & \equiv & \isa{Upair}(a,a) \un B
+\end{eqnarray*}
+The $\{a@1, \ldots\}$ notation abbreviates finite sets constructed in the
+obvious manner using~\isa{cons} and~$\emptyset$ (the empty set) \isasymin \begin{eqnarray*}
+ \{a,b,c\} & \equiv & \isa{cons}(a,\isa{cons}(b,\isa{cons}(c,\emptyset)))
+\end{eqnarray*}
+
+The constant \cdx{Pair} constructs ordered pairs, as in \isa{Pair($a$,$b$)}. Ordered pairs may also be written within angle brackets,
+as {\tt<$a$,$b$>}. The $n$-tuple {\tt<$a@1$,\ldots,$a@{n-1}$,$a@n$>}
+abbreviates the nest of pairs\par\nobreak
+\centerline{\isa{Pair($a@1$,\ldots,Pair($a@{n-1}$,$a@n$)\ldots).}}
+
+In ZF, a function is a set of pairs. A ZF function~$f$ is simply an
+individual as far as Isabelle is concerned: its Isabelle type is~$i$, not say
+$i\To i$. The infix operator~{\tt`} denotes the application of a function set
+to its argument; we must write~$f{\tt`}x$, not~$f(x)$. The syntax for image
+is~$f{\tt``}A$ and that for inverse image is~$f{\tt-``}A$.
+
+
+\begin{figure}
+\index{lambda abs@$\lambda$-abstractions}
+\index{*"-"> symbol}
+\index{*"* symbol}
+\begin{center} \footnotesize\tt\frenchspacing
+\begin{tabular}{rrr}
+ \it external & \it internal & \it description \\
+ $a$ \ttilde: $b$ & \ttilde($a$ : $b$) & \rm negated membership\\
+ \ttlbrace$a@1$, $\ldots$, $a@n$\ttrbrace & cons($a@1$,$\ldots$,cons($a@n$,0)) &
+ \rm finite set \\
+ <$a@1$, $\ldots$, $a@{n-1}$, $a@n$> &
+ Pair($a@1$,\ldots,Pair($a@{n-1}$,$a@n$)\ldots) &
+ \rm ordered $n$-tuple \\
+ \ttlbrace$x$:$A . P[x]$\ttrbrace & Collect($A$,$\lambda x. P[x]$) &
+ \rm separation \\
+ \ttlbrace$y . x$:$A$, $Q[x,y]$\ttrbrace & Replace($A$,$\lambda x\,y. Q[x,y]$) &
+ \rm replacement \\
+ \ttlbrace$b[x] . x$:$A$\ttrbrace & RepFun($A$,$\lambda x. b[x]$) &
+ \rm functional replacement \\
+ \sdx{INT} $x$:$A . B[x]$ & Inter(\ttlbrace$B[x] . x$:$A$\ttrbrace) &
+ \rm general intersection \\
+ \sdx{UN} $x$:$A . B[x]$ & Union(\ttlbrace$B[x] . x$:$A$\ttrbrace) &
+ \rm general union \\
+ \sdx{PROD} $x$:$A . B[x]$ & Pi($A$,$\lambda x. B[x]$) &
+ \rm general product \\
+ \sdx{SUM} $x$:$A . B[x]$ & Sigma($A$,$\lambda x. B[x]$) &
+ \rm general sum \\
+ $A$ -> $B$ & Pi($A$,$\lambda x. B$) &
+ \rm function space \\
+ $A$ * $B$ & Sigma($A$,$\lambda x. B$) &
+ \rm binary product \\
+ \sdx{THE} $x . P[x]$ & The($\lambda x. P[x]$) &
+ \rm definite description \\
+ \sdx{lam} $x$:$A . b[x]$ & Lambda($A$,$\lambda x. b[x]$) &
+ \rm $\lambda$-abstraction\\[1ex]
+ \sdx{ALL} $x$:$A . P[x]$ & Ball($A$,$\lambda x. P[x]$) &
+ \rm bounded $\forall$ \\
+ \sdx{EX} $x$:$A . P[x]$ & Bex($A$,$\lambda x. P[x]$) &
+ \rm bounded $\exists$
+\end{tabular}
+\end{center}
+\caption{Translations for ZF} \label{zf-trans}
+\end{figure}
+
+
+\begin{figure}
+\index{*let symbol}
+\index{*in symbol}
+\dquotes
+\[\begin{array}{rcl}
+ term & = & \hbox{expression of type~$i$} \\
+ & | & "let"~id~"="~term";"\dots";"~id~"="~term~"in"~term \\
+ & | & "if"~term~"then"~term~"else"~term \\
+ & | & "{\ttlbrace} " term\; ("," term)^* " {\ttrbrace}" \\
+ & | & "< " term\; ("," term)^* " >" \\
+ & | & "{\ttlbrace} " id ":" term " . " formula " {\ttrbrace}" \\
+ & | & "{\ttlbrace} " id " . " id ":" term ", " formula " {\ttrbrace}" \\
+ & | & "{\ttlbrace} " term " . " id ":" term " {\ttrbrace}" \\
+ & | & term " `` " term \\
+ & | & term " -`` " term \\
+ & | & term " ` " term \\
+ & | & term " * " term \\
+ & | & term " \isasyminter " term \\
+ & | & term " \isasymunion " term \\
+ & | & term " - " term \\
+ & | & term " -> " term \\
+ & | & "THE~~" id " . " formula\\
+ & | & "lam~~" id ":" term " . " term \\
+ & | & "INT~~" id ":" term " . " term \\
+ & | & "UN~~~" id ":" term " . " term \\
+ & | & "PROD~" id ":" term " . " term \\
+ & | & "SUM~~" id ":" term " . " term \\[2ex]
+ formula & = & \hbox{expression of type~$o$} \\
+ & | & term " : " term \\
+ & | & term " \ttilde: " term \\
+ & | & term " <= " term \\
+ & | & term " = " term \\
+ & | & term " \ttilde= " term \\
+ & | & "\ttilde\ " formula \\
+ & | & formula " \& " formula \\
+ & | & formula " | " formula \\
+ & | & formula " --> " formula \\
+ & | & formula " <-> " formula \\
+ & | & "ALL " id ":" term " . " formula \\
+ & | & "EX~~" id ":" term " . " formula \\
+ & | & "ALL~" id~id^* " . " formula \\
+ & | & "EX~~" id~id^* " . " formula \\
+ & | & "EX!~" id~id^* " . " formula
+ \end{array}
+\]
+\caption{Full grammar for ZF} \label{zf-syntax}
+\end{figure}
+
+
+\section{Binding operators}
+The constant \cdx{Collect} constructs sets by the principle of {\bf
+ separation}. The syntax for separation is
+\hbox{\tt\ttlbrace$x$:$A$.\ $P[x]$\ttrbrace}, where $P[x]$ is a formula
+that may contain free occurrences of~$x$. It abbreviates the set \isa{Collect($A$,$\lambda x. P[x]$)}, which consists of all $x\in A$ that
+satisfy~$P[x]$. Note that \isa{Collect} is an unfortunate choice of
+name: some set theories adopt a set-formation principle, related to
+replacement, called collection.
+
+The constant \cdx{Replace} constructs sets by the principle of {\bf
+ replacement}. The syntax
+\hbox{\tt\ttlbrace$y$.\ $x$:$A$,$Q[x,y]$\ttrbrace} denotes the set
+\isa{Replace($A$,$\lambda x\,y. Q[x,y]$)}, which consists of all~$y$ such
+that there exists $x\in A$ satisfying~$Q[x,y]$. The Replacement Axiom
+has the condition that $Q$ must be single-valued over~$A$: for
+all~$x\in A$ there exists at most one $y$ satisfying~$Q[x,y]$. A
+single-valued binary predicate is also called a {\bf class function}.
+
+The constant \cdx{RepFun} expresses a special case of replacement,
+where $Q[x,y]$ has the form $y=b[x]$. Such a $Q$ is trivially
+single-valued, since it is just the graph of the meta-level
+function~$\lambda x. b[x]$. The resulting set consists of all $b[x]$
+for~$x\in A$. This is analogous to the \ML{} functional \isa{map},
+since it applies a function to every element of a set. The syntax is
+\isa{\ttlbrace$b[x]$.\ $x$:$A$\ttrbrace}, which expands to
+\isa{RepFun($A$,$\lambda x. b[x]$)}.
+
+\index{*INT symbol}\index{*UN symbol}
+General unions and intersections of indexed
+families of sets, namely $\bigcup@{x\in A}B[x]$ and $\bigcap@{x\in A}B[x]$,
+are written \isa{UN $x$:$A$.\ $B[x]$} and \isa{INT $x$:$A$.\ $B[x]$}.
+Their meaning is expressed using \isa{RepFun} as
+\[
+\bigcup(\{B[x]. x\in A\}) \qquad\hbox{and}\qquad
+\bigcap(\{B[x]. x\in A\}).
+\]
+General sums $\sum@{x\in A}B[x]$ and products $\prod@{x\in A}B[x]$ can be
+constructed in set theory, where $B[x]$ is a family of sets over~$A$. They
+have as special cases $A\times B$ and $A\to B$, where $B$ is simply a set.
+This is similar to the situation in Constructive Type Theory (set theory
+has `dependent sets') and calls for similar syntactic conventions. The
+constants~\cdx{Sigma} and~\cdx{Pi} construct general sums and
+products. Instead of \isa{Sigma($A$,$B$)} and \isa{Pi($A$,$B$)} we may
+write
+\isa{SUM $x$:$A$.\ $B[x]$} and \isa{PROD $x$:$A$.\ $B[x]$}.
+\index{*SUM symbol}\index{*PROD symbol}%
+The special cases as \hbox{\tt$A$*$B$} and \hbox{\tt$A$->$B$} abbreviate
+general sums and products over a constant family.\footnote{Unlike normal
+infix operators, {\tt*} and {\tt->} merely define abbreviations; there are
+no constants~\isa{op~*} and~\isa{op~->}.} Isabelle accepts these
+abbreviations in parsing and uses them whenever possible for printing.
+
+\index{*THE symbol} As mentioned above, whenever the axioms assert the
+existence and uniqueness of a set, Isabelle's set theory declares a constant
+for that set. These constants can express the {\bf definite description}
+operator~$\iota x. P[x]$, which stands for the unique~$a$ satisfying~$P[a]$,
+if such exists. Since all terms in ZF denote something, a description is
+always meaningful, but we do not know its value unless $P[x]$ defines it
+uniquely. Using the constant~\cdx{The}, we may write descriptions as
+\isa{The($\lambda x. P[x]$)} or use the syntax \isa{THE $x$.\ $P[x]$}.
+
+\index{*lam symbol}
+Function sets may be written in $\lambda$-notation; $\lambda x\in A. b[x]$
+stands for the set of all pairs $\pair{x,b[x]}$ for $x\in A$. In order for
+this to be a set, the function's domain~$A$ must be given. Using the
+constant~\cdx{Lambda}, we may express function sets as \isa{Lambda($A$,$\lambda x. b[x]$)} or use the syntax \isa{lam $x$:$A$.\ $b[x]$}.
+
+Isabelle's set theory defines two {\bf bounded quantifiers}:
+\begin{eqnarray*}
+ \forall x\in A. P[x] &\hbox{abbreviates}& \forall x. x\in A\imp P[x] \\
+ \exists x\in A. P[x] &\hbox{abbreviates}& \exists x. x\in A\conj P[x]
+\end{eqnarray*}
+The constants~\cdx{Ball} and~\cdx{Bex} are defined
+accordingly. Instead of \isa{Ball($A$,$P$)} and \isa{Bex($A$,$P$)} we may
+write
+\isa{ALL $x$:$A$.\ $P[x]$} and \isa{EX $x$:$A$.\ $P[x]$}.
+
+
+%%%% ZF.thy
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{Let_def}: Let(s, f) == f(s)
+
+\tdx{Ball_def}: Ball(A,P) == {\isasymforall}x. x \isasymin A --> P(x)
+\tdx{Bex_def}: Bex(A,P) == {\isasymexists}x. x \isasymin A & P(x)
+
+\tdx{subset_def}: A \isasymsubseteq B == {\isasymforall}x \isasymin A. x \isasymin B
+\tdx{extension}: A = B <-> A \isasymsubseteq B & B \isasymsubseteq A
+
+\tdx{Union_iff}: A \isasymin Union(C) <-> ({\isasymexists}B \isasymin C. A \isasymin B)
+\tdx{Pow_iff}: A \isasymin Pow(B) <-> A \isasymsubseteq B
+\tdx{foundation}: A=0 | ({\isasymexists}x \isasymin A. {\isasymforall}y \isasymin x. y \isasymnotin A)
+
+\tdx{replacement}: ({\isasymforall}x \isasymin A. {\isasymforall}y z. P(x,y) & P(x,z) --> y=z) ==>
+ b \isasymin PrimReplace(A,P) <-> ({\isasymexists}x{\isasymin}A. P(x,b))
+\subcaption{The Zermelo-Fraenkel Axioms}
+
+\tdx{Replace_def}: Replace(A,P) ==
+ PrimReplace(A, \%x y. (\isasymexists!z. P(x,z)) & P(x,y))
+\tdx{RepFun_def}: RepFun(A,f) == {\ttlbrace}y . x \isasymin A, y=f(x)\ttrbrace
+\tdx{the_def}: The(P) == Union({\ttlbrace}y . x \isasymin {\ttlbrace}0{\ttrbrace}, P(y){\ttrbrace})
+\tdx{if_def}: if(P,a,b) == THE z. P & z=a | ~P & z=b
+\tdx{Collect_def}: Collect(A,P) == {\ttlbrace}y . x \isasymin A, x=y & P(x){\ttrbrace}
+\tdx{Upair_def}: Upair(a,b) ==
+ {\ttlbrace}y. x\isasymin{}Pow(Pow(0)), x=0 & y=a | x=Pow(0) & y=b{\ttrbrace}
+\subcaption{Consequences of replacement}
+
+\tdx{Inter_def}: Inter(A) == {\ttlbrace}x \isasymin Union(A) . {\isasymforall}y \isasymin A. x \isasymin y{\ttrbrace}
+\tdx{Un_def}: A \isasymunion B == Union(Upair(A,B))
+\tdx{Int_def}: A \isasyminter B == Inter(Upair(A,B))
+\tdx{Diff_def}: A - B == {\ttlbrace}x \isasymin A . x \isasymnotin B{\ttrbrace}
+\subcaption{Union, intersection, difference}
+\end{alltt*}
+\caption{Rules and axioms of ZF} \label{zf-rules}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{cons_def}: cons(a,A) == Upair(a,a) \isasymunion A
+\tdx{succ_def}: succ(i) == cons(i,i)
+\tdx{infinity}: 0 \isasymin Inf & ({\isasymforall}y \isasymin Inf. succ(y) \isasymin Inf)
+\subcaption{Finite and infinite sets}
+
+\tdx{Pair_def}: <a,b> == {\ttlbrace}{\ttlbrace}a,a{\ttrbrace}, {\ttlbrace}a,b{\ttrbrace}{\ttrbrace}
+\tdx{split_def}: split(c,p) == THE y. {\isasymexists}a b. p=<a,b> & y=c(a,b)
+\tdx{fst_def}: fst(A) == split(\%x y. x, p)
+\tdx{snd_def}: snd(A) == split(\%x y. y, p)
+\tdx{Sigma_def}: Sigma(A,B) == {\isasymUnion}x \isasymin A. {\isasymUnion}y \isasymin B(x). {\ttlbrace}<x,y>{\ttrbrace}
+\subcaption{Ordered pairs and Cartesian products}
+
+\tdx{converse_def}: converse(r) == {\ttlbrace}z. w\isasymin{}r, {\isasymexists}x y. w=<x,y> & z=<y,x>{\ttrbrace}
+\tdx{domain_def}: domain(r) == {\ttlbrace}x. w \isasymin r, {\isasymexists}y. w=<x,y>{\ttrbrace}
+\tdx{range_def}: range(r) == domain(converse(r))
+\tdx{field_def}: field(r) == domain(r) \isasymunion range(r)
+\tdx{image_def}: r `` A == {\ttlbrace}y\isasymin{}range(r) . {\isasymexists}x \isasymin A. <x,y> \isasymin r{\ttrbrace}
+\tdx{vimage_def}: r -`` A == converse(r)``A
+\subcaption{Operations on relations}
+
+\tdx{lam_def}: Lambda(A,b) == {\ttlbrace}<x,b(x)> . x \isasymin A{\ttrbrace}
+\tdx{apply_def}: f`a == THE y. <a,y> \isasymin f
+\tdx{Pi_def}: Pi(A,B) == {\ttlbrace}f\isasymin{}Pow(Sigma(A,B)). {\isasymforall}x\isasymin{}A. \isasymexists!y. <x,y>\isasymin{}f{\ttrbrace}
+\tdx{restrict_def}: restrict(f,A) == lam x \isasymin A. f`x
+\subcaption{Functions and general product}
+\end{alltt*}
+\caption{Further definitions of ZF} \label{zf-defs}
+\end{figure}
+
+
+
+\section{The Zermelo-Fraenkel axioms}
+The axioms appear in Fig.\ts \ref{zf-rules}. They resemble those
+presented by Suppes~\cite{suppes72}. Most of the theory consists of
+definitions. In particular, bounded quantifiers and the subset relation
+appear in other axioms. Object-level quantifiers and implications have
+been replaced by meta-level ones wherever possible, to simplify use of the
+axioms.
+
+The traditional replacement axiom asserts
+\[ y \in \isa{PrimReplace}(A,P) \bimp (\exists x\in A. P(x,y)) \]
+subject to the condition that $P(x,y)$ is single-valued for all~$x\in A$.
+The Isabelle theory defines \cdx{Replace} to apply
+\cdx{PrimReplace} to the single-valued part of~$P$, namely
+\[ (\exists!z. P(x,z)) \conj P(x,y). \]
+Thus $y\in \isa{Replace}(A,P)$ if and only if there is some~$x$ such that
+$P(x,-)$ holds uniquely for~$y$. Because the equivalence is unconditional,
+\isa{Replace} is much easier to use than \isa{PrimReplace}; it defines the
+same set, if $P(x,y)$ is single-valued. The nice syntax for replacement
+expands to \isa{Replace}.
+
+Other consequences of replacement include replacement for
+meta-level functions
+(\cdx{RepFun}) and definite descriptions (\cdx{The}).
+Axioms for separation (\cdx{Collect}) and unordered pairs
+(\cdx{Upair}) are traditionally assumed, but they actually follow
+from replacement~\cite[pages 237--8]{suppes72}.
+
+The definitions of general intersection, etc., are straightforward. Note
+the definition of \isa{cons}, which underlies the finite set notation.
+The axiom of infinity gives us a set that contains~0 and is closed under
+successor (\cdx{succ}). Although this set is not uniquely defined,
+the theory names it (\cdx{Inf}) in order to simplify the
+construction of the natural numbers.
+
+Further definitions appear in Fig.\ts\ref{zf-defs}. Ordered pairs are
+defined in the standard way, $\pair{a,b}\equiv\{\{a\},\{a,b\}\}$. Recall
+that \cdx{Sigma}$(A,B)$ generalizes the Cartesian product of two
+sets. It is defined to be the union of all singleton sets
+$\{\pair{x,y}\}$, for $x\in A$ and $y\in B(x)$. This is a typical usage of
+general union.
+
+The projections \cdx{fst} and~\cdx{snd} are defined in terms of the
+generalized projection \cdx{split}. The latter has been borrowed from
+Martin-L\"of's Type Theory, and is often easier to use than \cdx{fst}
+and~\cdx{snd}.
+
+Operations on relations include converse, domain, range, and image. The
+set $\isa{Pi}(A,B)$ generalizes the space of functions between two sets.
+Note the simple definitions of $\lambda$-abstraction (using
+\cdx{RepFun}) and application (using a definite description). The
+function \cdx{restrict}$(f,A)$ has the same values as~$f$, but only
+over the domain~$A$.
+
+
+%%%% zf.thy
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{ballI}: [| !!x. x\isasymin{}A ==> P(x) |] ==> {\isasymforall}x\isasymin{}A. P(x)
+\tdx{bspec}: [| {\isasymforall}x\isasymin{}A. P(x); x\isasymin{}A |] ==> P(x)
+\tdx{ballE}: [| {\isasymforall}x\isasymin{}A. P(x); P(x) ==> Q; x \isasymnotin A ==> Q |] ==> Q
+
+\tdx{ball_cong}: [| A=A'; !!x. x\isasymin{}A' ==> P(x) <-> P'(x) |] ==>
+ ({\isasymforall}x\isasymin{}A. P(x)) <-> ({\isasymforall}x\isasymin{}A'. P'(x))
+
+\tdx{bexI}: [| P(x); x\isasymin{}A |] ==> {\isasymexists}x\isasymin{}A. P(x)
+\tdx{bexCI}: [| {\isasymforall}x\isasymin{}A. ~P(x) ==> P(a); a\isasymin{}A |] ==> {\isasymexists}x\isasymin{}A. P(x)
+\tdx{bexE}: [| {\isasymexists}x\isasymin{}A. P(x); !!x. [| x\isasymin{}A; P(x) |] ==> Q |] ==> Q
+
+\tdx{bex_cong}: [| A=A'; !!x. x\isasymin{}A' ==> P(x) <-> P'(x) |] ==>
+ ({\isasymexists}x\isasymin{}A. P(x)) <-> ({\isasymexists}x\isasymin{}A'. P'(x))
+\subcaption{Bounded quantifiers}
+
+\tdx{subsetI}: (!!x. x \isasymin A ==> x \isasymin B) ==> A \isasymsubseteq B
+\tdx{subsetD}: [| A \isasymsubseteq B; c \isasymin A |] ==> c \isasymin B
+\tdx{subsetCE}: [| A \isasymsubseteq B; c \isasymnotin A ==> P; c \isasymin B ==> P |] ==> P
+\tdx{subset_refl}: A \isasymsubseteq A
+\tdx{subset_trans}: [| A \isasymsubseteq B; B \isasymsubseteq C |] ==> A \isasymsubseteq C
+
+\tdx{equalityI}: [| A \isasymsubseteq B; B \isasymsubseteq A |] ==> A = B
+\tdx{equalityD1}: A = B ==> A \isasymsubseteq B
+\tdx{equalityD2}: A = B ==> B \isasymsubseteq A
+\tdx{equalityE}: [| A = B; [| A \isasymsubseteq B; B \isasymsubseteq A |] ==> P |] ==> P
+\subcaption{Subsets and extensionality}
+
+\tdx{emptyE}: a \isasymin 0 ==> P
+\tdx{empty_subsetI}: 0 \isasymsubseteq A
+\tdx{equals0I}: [| !!y. y \isasymin A ==> False |] ==> A=0
+\tdx{equals0D}: [| A=0; a \isasymin A |] ==> P
+
+\tdx{PowI}: A \isasymsubseteq B ==> A \isasymin Pow(B)
+\tdx{PowD}: A \isasymin Pow(B) ==> A \isasymsubseteq B
+\subcaption{The empty set; power sets}
+\end{alltt*}
+\caption{Basic derived rules for ZF} \label{zf-lemmas1}
+\end{figure}
+
+
+\section{From basic lemmas to function spaces}
+Faced with so many definitions, it is essential to prove lemmas. Even
+trivial theorems like $A \int B = B \int A$ would be difficult to
+prove from the definitions alone. Isabelle's set theory derives many
+rules using a natural deduction style. Ideally, a natural deduction
+rule should introduce or eliminate just one operator, but this is not
+always practical. For most operators, we may forget its definition
+and use its derived rules instead.
+
+\subsection{Fundamental lemmas}
+Figure~\ref{zf-lemmas1} presents the derived rules for the most basic
+operators. The rules for the bounded quantifiers resemble those for the
+ordinary quantifiers, but note that \tdx{ballE} uses a negated assumption
+in the style of Isabelle's classical reasoner. The \rmindex{congruence
+ rules} \tdx{ball_cong} and \tdx{bex_cong} are required by Isabelle's
+simplifier, but have few other uses. Congruence rules must be specially
+derived for all binding operators, and henceforth will not be shown.
+
+Figure~\ref{zf-lemmas1} also shows rules for the subset and equality
+relations (proof by extensionality), and rules about the empty set and the
+power set operator.
+
+Figure~\ref{zf-lemmas2} presents rules for replacement and separation.
+The rules for \cdx{Replace} and \cdx{RepFun} are much simpler than
+comparable rules for \isa{PrimReplace} would be. The principle of
+separation is proved explicitly, although most proofs should use the
+natural deduction rules for \isa{Collect}. The elimination rule
+\tdx{CollectE} is equivalent to the two destruction rules
+\tdx{CollectD1} and \tdx{CollectD2}, but each rule is suited to
+particular circumstances. Although too many rules can be confusing, there
+is no reason to aim for a minimal set of rules.
+
+Figure~\ref{zf-lemmas3} presents rules for general union and intersection.
+The empty intersection should be undefined. We cannot have
+$\bigcap(\emptyset)=V$ because $V$, the universal class, is not a set. All
+expressions denote something in ZF set theory; the definition of
+intersection implies $\bigcap(\emptyset)=\emptyset$, but this value is
+arbitrary. The rule \tdx{InterI} must have a premise to exclude
+the empty intersection. Some of the laws governing intersections require
+similar premises.
+
+
+%the [p] gives better page breaking for the book
+\begin{figure}[p]
+\begin{alltt*}\isastyleminor
+\tdx{ReplaceI}: [| x\isasymin{}A; P(x,b); !!y. P(x,y) ==> y=b |] ==>
+ b\isasymin{}{\ttlbrace}y. x\isasymin{}A, P(x,y){\ttrbrace}
+
+\tdx{ReplaceE}: [| b\isasymin{}{\ttlbrace}y. x\isasymin{}A, P(x,y){\ttrbrace};
+ !!x. [| x\isasymin{}A; P(x,b); {\isasymforall}y. P(x,y)-->y=b |] ==> R
+ |] ==> R
+
+\tdx{RepFunI}: [| a\isasymin{}A |] ==> f(a)\isasymin{}{\ttlbrace}f(x). x\isasymin{}A{\ttrbrace}
+\tdx{RepFunE}: [| b\isasymin{}{\ttlbrace}f(x). x\isasymin{}A{\ttrbrace};
+ !!x.[| x\isasymin{}A; b=f(x) |] ==> P |] ==> P
+
+\tdx{separation}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} <-> a\isasymin{}A & P(a)
+\tdx{CollectI}: [| a\isasymin{}A; P(a) |] ==> a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace}
+\tdx{CollectE}: [| a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace}; [| a\isasymin{}A; P(a) |] ==> R |] ==> R
+\tdx{CollectD1}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} ==> a\isasymin{}A
+\tdx{CollectD2}: a\isasymin{}{\ttlbrace}x\isasymin{}A. P(x){\ttrbrace} ==> P(a)
+\end{alltt*}
+\caption{Replacement and separation} \label{zf-lemmas2}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{UnionI}: [| B\isasymin{}C; A\isasymin{}B |] ==> A\isasymin{}Union(C)
+\tdx{UnionE}: [| A\isasymin{}Union(C); !!B.[| A\isasymin{}B; B\isasymin{}C |] ==> R |] ==> R
+
+\tdx{InterI}: [| !!x. x\isasymin{}C ==> A\isasymin{}x; c\isasymin{}C |] ==> A\isasymin{}Inter(C)
+\tdx{InterD}: [| A\isasymin{}Inter(C); B\isasymin{}C |] ==> A\isasymin{}B
+\tdx{InterE}: [| A\isasymin{}Inter(C); A\isasymin{}B ==> R; B \isasymnotin C ==> R |] ==> R
+
+\tdx{UN_I}: [| a\isasymin{}A; b\isasymin{}B(a) |] ==> b\isasymin{}({\isasymUnion}x\isasymin{}A. B(x))
+\tdx{UN_E}: [| b\isasymin{}({\isasymUnion}x\isasymin{}A. B(x)); !!x.[| x\isasymin{}A; b\isasymin{}B(x) |] ==> R
+ |] ==> R
+
+\tdx{INT_I}: [| !!x. x\isasymin{}A ==> b\isasymin{}B(x); a\isasymin{}A |] ==> b\isasymin{}({\isasymInter}x\isasymin{}A. B(x))
+\tdx{INT_E}: [| b\isasymin{}({\isasymInter}x\isasymin{}A. B(x)); a\isasymin{}A |] ==> b\isasymin{}B(a)
+\end{alltt*}
+\caption{General union and intersection} \label{zf-lemmas3}
+\end{figure}
+
+
+%%% upair.thy
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{pairing}: a\isasymin{}Upair(b,c) <-> (a=b | a=c)
+\tdx{UpairI1}: a\isasymin{}Upair(a,b)
+\tdx{UpairI2}: b\isasymin{}Upair(a,b)
+\tdx{UpairE}: [| a\isasymin{}Upair(b,c); a=b ==> P; a=c ==> P |] ==> P
+\end{alltt*}
+\caption{Unordered pairs} \label{zf-upair1}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{UnI1}: c\isasymin{}A ==> c\isasymin{}A \isasymunion B
+\tdx{UnI2}: c\isasymin{}B ==> c\isasymin{}A \isasymunion B
+\tdx{UnCI}: (c \isasymnotin B ==> c\isasymin{}A) ==> c\isasymin{}A \isasymunion B
+\tdx{UnE}: [| c\isasymin{}A \isasymunion B; c\isasymin{}A ==> P; c\isasymin{}B ==> P |] ==> P
+
+\tdx{IntI}: [| c\isasymin{}A; c\isasymin{}B |] ==> c\isasymin{}A \isasyminter B
+\tdx{IntD1}: c\isasymin{}A \isasyminter B ==> c\isasymin{}A
+\tdx{IntD2}: c\isasymin{}A \isasyminter B ==> c\isasymin{}B
+\tdx{IntE}: [| c\isasymin{}A \isasyminter B; [| c\isasymin{}A; c\isasymin{}B |] ==> P |] ==> P
+
+\tdx{DiffI}: [| c\isasymin{}A; c \isasymnotin B |] ==> c\isasymin{}A - B
+\tdx{DiffD1}: c\isasymin{}A - B ==> c\isasymin{}A
+\tdx{DiffD2}: c\isasymin{}A - B ==> c \isasymnotin B
+\tdx{DiffE}: [| c\isasymin{}A - B; [| c\isasymin{}A; c \isasymnotin B |] ==> P |] ==> P
+\end{alltt*}
+\caption{Union, intersection, difference} \label{zf-Un}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{consI1}: a\isasymin{}cons(a,B)
+\tdx{consI2}: a\isasymin{}B ==> a\isasymin{}cons(b,B)
+\tdx{consCI}: (a \isasymnotin B ==> a=b) ==> a\isasymin{}cons(b,B)
+\tdx{consE}: [| a\isasymin{}cons(b,A); a=b ==> P; a\isasymin{}A ==> P |] ==> P
+
+\tdx{singletonI}: a\isasymin{}{\ttlbrace}a{\ttrbrace}
+\tdx{singletonE}: [| a\isasymin{}{\ttlbrace}b{\ttrbrace}; a=b ==> P |] ==> P
+\end{alltt*}
+\caption{Finite and singleton sets} \label{zf-upair2}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{succI1}: i\isasymin{}succ(i)
+\tdx{succI2}: i\isasymin{}j ==> i\isasymin{}succ(j)
+\tdx{succCI}: (i \isasymnotin j ==> i=j) ==> i\isasymin{}succ(j)
+\tdx{succE}: [| i\isasymin{}succ(j); i=j ==> P; i\isasymin{}j ==> P |] ==> P
+\tdx{succ_neq_0}: [| succ(n)=0 |] ==> P
+\tdx{succ_inject}: succ(m) = succ(n) ==> m=n
+\end{alltt*}
+\caption{The successor function} \label{zf-succ}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{the_equality}: [| P(a); !!x. P(x) ==> x=a |] ==> (THE x. P(x))=a
+\tdx{theI}: \isasymexists! x. P(x) ==> P(THE x. P(x))
+
+\tdx{if_P}: P ==> (if P then a else b) = a
+\tdx{if_not_P}: ~P ==> (if P then a else b) = b
+
+\tdx{mem_asym}: [| a\isasymin{}b; b\isasymin{}a |] ==> P
+\tdx{mem_irrefl}: a\isasymin{}a ==> P
+\end{alltt*}
+\caption{Descriptions; non-circularity} \label{zf-the}
+\end{figure}
+
+
+\subsection{Unordered pairs and finite sets}
+Figure~\ref{zf-upair1} presents the principle of unordered pairing, along
+with its derived rules. Binary union and intersection are defined in terms
+of ordered pairs (Fig.\ts\ref{zf-Un}). Set difference is also included. The
+rule \tdx{UnCI} is useful for classical reasoning about unions,
+like \isa{disjCI}\@; it supersedes \tdx{UnI1} and
+\tdx{UnI2}, but these rules are often easier to work with. For
+intersection and difference we have both elimination and destruction rules.
+Again, there is no reason to provide a minimal rule set.
+
+Figure~\ref{zf-upair2} is concerned with finite sets: it presents rules
+for~\isa{cons}, the finite set constructor, and rules for singleton
+sets. Figure~\ref{zf-succ} presents derived rules for the successor
+function, which is defined in terms of~\isa{cons}. The proof that
+\isa{succ} is injective appears to require the Axiom of Foundation.
+
+Definite descriptions (\sdx{THE}) are defined in terms of the singleton
+set~$\{0\}$, but their derived rules fortunately hide this
+(Fig.\ts\ref{zf-the}). The rule~\tdx{theI} is difficult to apply
+because of the two occurrences of~$\Var{P}$. However,
+\tdx{the_equality} does not have this problem and the files contain
+many examples of its use.
+
+Finally, the impossibility of having both $a\in b$ and $b\in a$
+(\tdx{mem_asym}) is proved by applying the Axiom of Foundation to
+the set $\{a,b\}$. The impossibility of $a\in a$ is a trivial consequence.
+
+
+%%% subset.thy?
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{Union_upper}: B\isasymin{}A ==> B \isasymsubseteq Union(A)
+\tdx{Union_least}: [| !!x. x\isasymin{}A ==> x \isasymsubseteq C |] ==> Union(A) \isasymsubseteq C
+
+\tdx{Inter_lower}: B\isasymin{}A ==> Inter(A) \isasymsubseteq B
+\tdx{Inter_greatest}: [| a\isasymin{}A; !!x. x\isasymin{}A ==> C \isasymsubseteq x |] ==> C\isasymsubseteq{}Inter(A)
+
+\tdx{Un_upper1}: A \isasymsubseteq A \isasymunion B
+\tdx{Un_upper2}: B \isasymsubseteq A \isasymunion B
+\tdx{Un_least}: [| A \isasymsubseteq C; B \isasymsubseteq C |] ==> A \isasymunion B \isasymsubseteq C
+
+\tdx{Int_lower1}: A \isasyminter B \isasymsubseteq A
+\tdx{Int_lower2}: A \isasyminter B \isasymsubseteq B
+\tdx{Int_greatest}: [| C \isasymsubseteq A; C \isasymsubseteq B |] ==> C \isasymsubseteq A \isasyminter B
+
+\tdx{Diff_subset}: A-B \isasymsubseteq A
+\tdx{Diff_contains}: [| C \isasymsubseteq A; C \isasyminter B = 0 |] ==> C \isasymsubseteq A-B
+
+\tdx{Collect_subset}: Collect(A,P) \isasymsubseteq A
+\end{alltt*}
+\caption{Subset and lattice properties} \label{zf-subset}
+\end{figure}
+
+
+\subsection{Subset and lattice properties}
+The subset relation is a complete lattice. Unions form least upper bounds;
+non-empty intersections form greatest lower bounds. Figure~\ref{zf-subset}
+shows the corresponding rules. A few other laws involving subsets are
+included.
+Reasoning directly about subsets often yields clearer proofs than
+reasoning about the membership relation. Section~\ref{sec:ZF-pow-example}
+below presents an example of this, proving the equation
+${\isa{Pow}(A)\cap \isa{Pow}(B)}= \isa{Pow}(A\cap B)$.
+
+%%% pair.thy
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{Pair_inject1}: <a,b> = <c,d> ==> a=c
+\tdx{Pair_inject2}: <a,b> = <c,d> ==> b=d
+\tdx{Pair_inject}: [| <a,b> = <c,d>; [| a=c; b=d |] ==> P |] ==> P
+\tdx{Pair_neq_0}: <a,b>=0 ==> P
+
+\tdx{fst_conv}: fst(<a,b>) = a
+\tdx{snd_conv}: snd(<a,b>) = b
+\tdx{split}: split(\%x y. c(x,y), <a,b>) = c(a,b)
+
+\tdx{SigmaI}: [| a\isasymin{}A; b\isasymin{}B(a) |] ==> <a,b>\isasymin{}Sigma(A,B)
+
+\tdx{SigmaE}: [| c\isasymin{}Sigma(A,B);
+ !!x y.[| x\isasymin{}A; y\isasymin{}B(x); c=<x,y> |] ==> P |] ==> P
+
+\tdx{SigmaE2}: [| <a,b>\isasymin{}Sigma(A,B);
+ [| a\isasymin{}A; b\isasymin{}B(a) |] ==> P |] ==> P
+\end{alltt*}
+\caption{Ordered pairs; projections; general sums} \label{zf-pair}
+\end{figure}
+
+
+\subsection{Ordered pairs} \label{sec:pairs}
+
+Figure~\ref{zf-pair} presents the rules governing ordered pairs,
+projections and general sums --- in particular, that
+$\{\{a\},\{a,b\}\}$ functions as an ordered pair. This property is
+expressed as two destruction rules,
+\tdx{Pair_inject1} and \tdx{Pair_inject2}, and equivalently
+as the elimination rule \tdx{Pair_inject}.
+
+The rule \tdx{Pair_neq_0} asserts $\pair{a,b}\neq\emptyset$. This
+is a property of $\{\{a\},\{a,b\}\}$, and need not hold for other
+encodings of ordered pairs. The non-standard ordered pairs mentioned below
+satisfy $\pair{\emptyset;\emptyset}=\emptyset$.
+
+The natural deduction rules \tdx{SigmaI} and \tdx{SigmaE}
+assert that \cdx{Sigma}$(A,B)$ consists of all pairs of the form
+$\pair{x,y}$, for $x\in A$ and $y\in B(x)$. The rule \tdx{SigmaE2}
+merely states that $\pair{a,b}\in \isa{Sigma}(A,B)$ implies $a\in A$ and
+$b\in B(a)$.
+
+In addition, it is possible to use tuples as patterns in abstractions:
+\begin{center}
+{\tt\%<$x$,$y$>. $t$} \quad stands for\quad \isa{split(\%$x$ $y$.\ $t$)}
+\end{center}
+Nested patterns are translated recursively:
+{\tt\%<$x$,$y$,$z$>. $t$} $\leadsto$ {\tt\%<$x$,<$y$,$z$>>. $t$} $\leadsto$
+\isa{split(\%$x$.\%<$y$,$z$>. $t$)} $\leadsto$ \isa{split(\%$x$. split(\%$y$
+ $z$.\ $t$))}. The reverse translation is performed upon printing.
+\begin{warn}
+ The translation between patterns and \isa{split} is performed automatically
+ by the parser and printer. Thus the internal and external form of a term
+ may differ, which affects proofs. For example the term \isa{(\%<x,y>.<y,x>)<a,b>} requires the theorem \isa{split} to rewrite to
+ {\tt<b,a>}.
+\end{warn}
+In addition to explicit $\lambda$-abstractions, patterns can be used in any
+variable binding construct which is internally described by a
+$\lambda$-abstraction. Here are some important examples:
+\begin{description}
+\item[Let:] \isa{let {\it pattern} = $t$ in $u$}
+\item[Choice:] \isa{THE~{\it pattern}~.~$P$}
+\item[Set operations:] \isa{\isasymUnion~{\it pattern}:$A$.~$B$}
+\item[Comprehension:] \isa{{\ttlbrace}~{\it pattern}:$A$~.~$P$~{\ttrbrace}}
+\end{description}
+
+
+%%% domrange.thy?
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{domainI}: <a,b>\isasymin{}r ==> a\isasymin{}domain(r)
+\tdx{domainE}: [| a\isasymin{}domain(r); !!y. <a,y>\isasymin{}r ==> P |] ==> P
+\tdx{domain_subset}: domain(Sigma(A,B)) \isasymsubseteq A
+
+\tdx{rangeI}: <a,b>\isasymin{}r ==> b\isasymin{}range(r)
+\tdx{rangeE}: [| b\isasymin{}range(r); !!x. <x,b>\isasymin{}r ==> P |] ==> P
+\tdx{range_subset}: range(A*B) \isasymsubseteq B
+
+\tdx{fieldI1}: <a,b>\isasymin{}r ==> a\isasymin{}field(r)
+\tdx{fieldI2}: <a,b>\isasymin{}r ==> b\isasymin{}field(r)
+\tdx{fieldCI}: (<c,a> \isasymnotin r ==> <a,b>\isasymin{}r) ==> a\isasymin{}field(r)
+
+\tdx{fieldE}: [| a\isasymin{}field(r);
+ !!x. <a,x>\isasymin{}r ==> P;
+ !!x. <x,a>\isasymin{}r ==> P
+ |] ==> P
+
+\tdx{field_subset}: field(A*A) \isasymsubseteq A
+\end{alltt*}
+\caption{Domain, range and field of a relation} \label{zf-domrange}
+\end{figure}
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{imageI}: [| <a,b>\isasymin{}r; a\isasymin{}A |] ==> b\isasymin{}r``A
+\tdx{imageE}: [| b\isasymin{}r``A; !!x.[| <x,b>\isasymin{}r; x\isasymin{}A |] ==> P |] ==> P
+
+\tdx{vimageI}: [| <a,b>\isasymin{}r; b\isasymin{}B |] ==> a\isasymin{}r-``B
+\tdx{vimageE}: [| a\isasymin{}r-``B; !!x.[| <a,x>\isasymin{}r; x\isasymin{}B |] ==> P |] ==> P
+\end{alltt*}
+\caption{Image and inverse image} \label{zf-domrange2}
+\end{figure}
+
+
+\subsection{Relations}
+Figure~\ref{zf-domrange} presents rules involving relations, which are sets
+of ordered pairs. The converse of a relation~$r$ is the set of all pairs
+$\pair{y,x}$ such that $\pair{x,y}\in r$; if $r$ is a function, then
+{\cdx{converse}$(r)$} is its inverse. The rules for the domain
+operation, namely \tdx{domainI} and~\tdx{domainE}, assert that
+\cdx{domain}$(r)$ consists of all~$x$ such that $r$ contains
+some pair of the form~$\pair{x,y}$. The range operation is similar, and
+the field of a relation is merely the union of its domain and range.
+
+Figure~\ref{zf-domrange2} presents rules for images and inverse images.
+Note that these operations are generalisations of range and domain,
+respectively.
+
+
+%%% func.thy
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{fun_is_rel}: f\isasymin{}Pi(A,B) ==> f \isasymsubseteq Sigma(A,B)
+
+\tdx{apply_equality}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> f`a = b
+\tdx{apply_equality2}: [| <a,b>\isasymin{}f; <a,c>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> b=c
+
+\tdx{apply_type}: [| f\isasymin{}Pi(A,B); a\isasymin{}A |] ==> f`a\isasymin{}B(a)
+\tdx{apply_Pair}: [| f\isasymin{}Pi(A,B); a\isasymin{}A |] ==> <a,f`a>\isasymin{}f
+\tdx{apply_iff}: f\isasymin{}Pi(A,B) ==> <a,b>\isasymin{}f <-> a\isasymin{}A & f`a = b
+
+\tdx{fun_extension}: [| f\isasymin{}Pi(A,B); g\isasymin{}Pi(A,D);
+ !!x. x\isasymin{}A ==> f`x = g`x |] ==> f=g
+
+\tdx{domain_type}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> a\isasymin{}A
+\tdx{range_type}: [| <a,b>\isasymin{}f; f\isasymin{}Pi(A,B) |] ==> b\isasymin{}B(a)
+
+\tdx{Pi_type}: [| f\isasymin{}A->C; !!x. x\isasymin{}A ==> f`x\isasymin{}B(x) |] ==> f\isasymin{}Pi(A,B)
+\tdx{domain_of_fun}: f\isasymin{}Pi(A,B) ==> domain(f)=A
+\tdx{range_of_fun}: f\isasymin{}Pi(A,B) ==> f\isasymin{}A->range(f)
+
+\tdx{restrict}: a\isasymin{}A ==> restrict(f,A) ` a = f`a
+\tdx{restrict_type}: [| !!x. x\isasymin{}A ==> f`x\isasymin{}B(x) |] ==>
+ restrict(f,A)\isasymin{}Pi(A,B)
+\end{alltt*}
+\caption{Functions} \label{zf-func1}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{lamI}: a\isasymin{}A ==> <a,b(a)>\isasymin{}(lam x\isasymin{}A. b(x))
+\tdx{lamE}: [| p\isasymin{}(lam x\isasymin{}A. b(x)); !!x.[| x\isasymin{}A; p=<x,b(x)> |] ==> P
+ |] ==> P
+
+\tdx{lam_type}: [| !!x. x\isasymin{}A ==> b(x)\isasymin{}B(x) |] ==> (lam x\isasymin{}A. b(x))\isasymin{}Pi(A,B)
+
+\tdx{beta}: a\isasymin{}A ==> (lam x\isasymin{}A. b(x)) ` a = b(a)
+\tdx{eta}: f\isasymin{}Pi(A,B) ==> (lam x\isasymin{}A. f`x) = f
+\end{alltt*}
+\caption{$\lambda$-abstraction} \label{zf-lam}
+\end{figure}
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{fun_empty}: 0\isasymin{}0->0
+\tdx{fun_single}: {\ttlbrace}<a,b>{\ttrbrace}\isasymin{}{\ttlbrace}a{\ttrbrace} -> {\ttlbrace}b{\ttrbrace}
+
+\tdx{fun_disjoint_Un}: [| f\isasymin{}A->B; g\isasymin{}C->D; A \isasyminter C = 0 |] ==>
+ (f \isasymunion g)\isasymin{}(A \isasymunion C) -> (B \isasymunion D)
+
+\tdx{fun_disjoint_apply1}: [| a\isasymin{}A; f\isasymin{}A->B; g\isasymin{}C->D; A\isasyminter{}C = 0 |] ==>
+ (f \isasymunion g)`a = f`a
+
+\tdx{fun_disjoint_apply2}: [| c\isasymin{}C; f\isasymin{}A->B; g\isasymin{}C->D; A\isasyminter{}C = 0 |] ==>
+ (f \isasymunion g)`c = g`c
+\end{alltt*}
+\caption{Constructing functions from smaller sets} \label{zf-func2}
+\end{figure}
+
+
+\subsection{Functions}
+Functions, represented by graphs, are notoriously difficult to reason
+about. The ZF theory provides many derived rules, which overlap more
+than they ought. This section presents the more important rules.
+
+Figure~\ref{zf-func1} presents the basic properties of \cdx{Pi}$(A,B)$,
+the generalized function space. For example, if $f$ is a function and
+$\pair{a,b}\in f$, then $f`a=b$ (\tdx{apply_equality}). Two functions
+are equal provided they have equal domains and deliver equals results
+(\tdx{fun_extension}).
+
+By \tdx{Pi_type}, a function typing of the form $f\in A\to C$ can be
+refined to the dependent typing $f\in\prod@{x\in A}B(x)$, given a suitable
+family of sets $\{B(x)\}@{x\in A}$. Conversely, by \tdx{range_of_fun},
+any dependent typing can be flattened to yield a function type of the form
+$A\to C$; here, $C=\isa{range}(f)$.
+
+Among the laws for $\lambda$-abstraction, \tdx{lamI} and \tdx{lamE}
+describe the graph of the generated function, while \tdx{beta} and
+\tdx{eta} are the standard conversions. We essentially have a
+dependently-typed $\lambda$-calculus (Fig.\ts\ref{zf-lam}).
+
+Figure~\ref{zf-func2} presents some rules that can be used to construct
+functions explicitly. We start with functions consisting of at most one
+pair, and may form the union of two functions provided their domains are
+disjoint.
+
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{Int_absorb}: A \isasyminter A = A
+\tdx{Int_commute}: A \isasyminter B = B \isasyminter A
+\tdx{Int_assoc}: (A \isasyminter B) \isasyminter C = A \isasyminter (B \isasyminter C)
+\tdx{Int_Un_distrib}: (A \isasymunion B) \isasyminter C = (A \isasyminter C) \isasymunion (B \isasyminter C)
+
+\tdx{Un_absorb}: A \isasymunion A = A
+\tdx{Un_commute}: A \isasymunion B = B \isasymunion A
+\tdx{Un_assoc}: (A \isasymunion B) \isasymunion C = A \isasymunion (B \isasymunion C)
+\tdx{Un_Int_distrib}: (A \isasyminter B) \isasymunion C = (A \isasymunion C) \isasyminter (B \isasymunion C)
+
+\tdx{Diff_cancel}: A-A = 0
+\tdx{Diff_disjoint}: A \isasyminter (B-A) = 0
+\tdx{Diff_partition}: A \isasymsubseteq B ==> A \isasymunion (B-A) = B
+\tdx{double_complement}: [| A \isasymsubseteq B; B \isasymsubseteq C |] ==> (B - (C-A)) = A
+\tdx{Diff_Un}: A - (B \isasymunion C) = (A-B) \isasyminter (A-C)
+\tdx{Diff_Int}: A - (B \isasyminter C) = (A-B) \isasymunion (A-C)
+
+\tdx{Union_Un_distrib}: Union(A \isasymunion B) = Union(A) \isasymunion Union(B)
+\tdx{Inter_Un_distrib}: [| a \isasymin A; b \isasymin B |] ==>
+ Inter(A \isasymunion B) = Inter(A) \isasyminter Inter(B)
+
+\tdx{Int_Union_RepFun}: A \isasyminter Union(B) = ({\isasymUnion}C \isasymin B. A \isasyminter C)
+
+\tdx{Un_Inter_RepFun}: b \isasymin B ==>
+ A \isasymunion Inter(B) = ({\isasymInter}C \isasymin B. A \isasymunion C)
+
+\tdx{SUM_Un_distrib1}: (SUM x \isasymin A \isasymunion B. C(x)) =
+ (SUM x \isasymin A. C(x)) \isasymunion (SUM x \isasymin B. C(x))
+
+\tdx{SUM_Un_distrib2}: (SUM x \isasymin C. A(x) \isasymunion B(x)) =
+ (SUM x \isasymin C. A(x)) \isasymunion (SUM x \isasymin C. B(x))
+
+\tdx{SUM_Int_distrib1}: (SUM x \isasymin A \isasyminter B. C(x)) =
+ (SUM x \isasymin A. C(x)) \isasyminter (SUM x \isasymin B. C(x))
+
+\tdx{SUM_Int_distrib2}: (SUM x \isasymin C. A(x) \isasyminter B(x)) =
+ (SUM x \isasymin C. A(x)) \isasyminter (SUM x \isasymin C. B(x))
+\end{alltt*}
+\caption{Equalities} \label{zf-equalities}
+\end{figure}
+
+
+\begin{figure}
+%\begin{constants}
+% \cdx{1} & $i$ & & $\{\emptyset\}$ \\
+% \cdx{bool} & $i$ & & the set $\{\emptyset,1\}$ \\
+% \cdx{cond} & $[i,i,i]\To i$ & & conditional for \isa{bool} \\
+% \cdx{not} & $i\To i$ & & negation for \isa{bool} \\
+% \sdx{and} & $[i,i]\To i$ & Left 70 & conjunction for \isa{bool} \\
+% \sdx{or} & $[i,i]\To i$ & Left 65 & disjunction for \isa{bool} \\
+% \sdx{xor} & $[i,i]\To i$ & Left 65 & exclusive-or for \isa{bool}
+%\end{constants}
+%
+\begin{alltt*}\isastyleminor
+\tdx{bool_def}: bool == {\ttlbrace}0,1{\ttrbrace}
+\tdx{cond_def}: cond(b,c,d) == if b=1 then c else d
+\tdx{not_def}: not(b) == cond(b,0,1)
+\tdx{and_def}: a and b == cond(a,b,0)
+\tdx{or_def}: a or b == cond(a,1,b)
+\tdx{xor_def}: a xor b == cond(a,not(b),b)
+
+\tdx{bool_1I}: 1 \isasymin bool
+\tdx{bool_0I}: 0 \isasymin bool
+\tdx{boolE}: [| c \isasymin bool; c=1 ==> P; c=0 ==> P |] ==> P
+\tdx{cond_1}: cond(1,c,d) = c
+\tdx{cond_0}: cond(0,c,d) = d
+\end{alltt*}
+\caption{The booleans} \label{zf-bool}
+\end{figure}
+
+
+\section{Further developments}
+The next group of developments is complex and extensive, and only
+highlights can be covered here. It involves many theories and proofs.
+
+Figure~\ref{zf-equalities} presents commutative, associative, distributive,
+and idempotency laws of union and intersection, along with other equations.
+
+Theory \thydx{Bool} defines $\{0,1\}$ as a set of booleans, with the usual
+operators including a conditional (Fig.\ts\ref{zf-bool}). Although ZF is a
+first-order theory, you can obtain the effect of higher-order logic using
+\isa{bool}-valued functions, for example. The constant~\isa{1} is
+translated to \isa{succ(0)}.
+
+\begin{figure}
+\index{*"+ symbol}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \tt + & $[i,i]\To i$ & Right 65 & disjoint union operator\\
+ \cdx{Inl}~~\cdx{Inr} & $i\To i$ & & injections\\
+ \cdx{case} & $[i\To i,i\To i, i]\To i$ & & conditional for $A+B$
+\end{constants}
+\begin{alltt*}\isastyleminor
+\tdx{sum_def}: A+B == {\ttlbrace}0{\ttrbrace}*A \isasymunion {\ttlbrace}1{\ttrbrace}*B
+\tdx{Inl_def}: Inl(a) == <0,a>
+\tdx{Inr_def}: Inr(b) == <1,b>
+\tdx{case_def}: case(c,d,u) == split(\%y z. cond(y, d(z), c(z)), u)
+
+\tdx{InlI}: a \isasymin A ==> Inl(a) \isasymin A+B
+\tdx{InrI}: b \isasymin B ==> Inr(b) \isasymin A+B
+
+\tdx{Inl_inject}: Inl(a)=Inl(b) ==> a=b
+\tdx{Inr_inject}: Inr(a)=Inr(b) ==> a=b
+\tdx{Inl_neq_Inr}: Inl(a)=Inr(b) ==> P
+
+\tdx{sum_iff}: u \isasymin A+B <-> ({\isasymexists}x\isasymin{}A. u=Inl(x)) | ({\isasymexists}y\isasymin{}B. u=Inr(y))
+
+\tdx{case_Inl}: case(c,d,Inl(a)) = c(a)
+\tdx{case_Inr}: case(c,d,Inr(b)) = d(b)
+\end{alltt*}
+\caption{Disjoint unions} \label{zf-sum}
+\end{figure}
+
+
+\subsection{Disjoint unions}
+
+Theory \thydx{Sum} defines the disjoint union of two sets, with
+injections and a case analysis operator (Fig.\ts\ref{zf-sum}). Disjoint
+unions play a role in datatype definitions, particularly when there is
+mutual recursion~\cite{paulson-set-II}.
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{QPair_def}: <a;b> == a+b
+\tdx{qsplit_def}: qsplit(c,p) == THE y. {\isasymexists}a b. p=<a;b> & y=c(a,b)
+\tdx{qfsplit_def}: qfsplit(R,z) == {\isasymexists}x y. z=<x;y> & R(x,y)
+\tdx{qconverse_def}: qconverse(r) == {\ttlbrace}z. w \isasymin r, {\isasymexists}x y. w=<x;y> & z=<y;x>{\ttrbrace}
+\tdx{QSigma_def}: QSigma(A,B) == {\isasymUnion}x \isasymin A. {\isasymUnion}y \isasymin B(x). {\ttlbrace}<x;y>{\ttrbrace}
+
+\tdx{qsum_def}: A <+> B == ({\ttlbrace}0{\ttrbrace} <*> A) \isasymunion ({\ttlbrace}1{\ttrbrace} <*> B)
+\tdx{QInl_def}: QInl(a) == <0;a>
+\tdx{QInr_def}: QInr(b) == <1;b>
+\tdx{qcase_def}: qcase(c,d) == qsplit(\%y z. cond(y, d(z), c(z)))
+\end{alltt*}
+\caption{Non-standard pairs, products and sums} \label{zf-qpair}
+\end{figure}
+
+
+\subsection{Non-standard ordered pairs}
+
+Theory \thydx{QPair} defines a notion of ordered pair that admits
+non-well-founded tupling (Fig.\ts\ref{zf-qpair}). Such pairs are written
+{\tt<$a$;$b$>}. It also defines the eliminator \cdx{qsplit}, the
+converse operator \cdx{qconverse}, and the summation operator
+\cdx{QSigma}. These are completely analogous to the corresponding
+versions for standard ordered pairs. The theory goes on to define a
+non-standard notion of disjoint sum using non-standard pairs. All of these
+concepts satisfy the same properties as their standard counterparts; in
+addition, {\tt<$a$;$b$>} is continuous. The theory supports coinductive
+definitions, for example of infinite lists~\cite{paulson-mscs}.
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{bnd_mono_def}: bnd_mono(D,h) ==
+ h(D)\isasymsubseteq{}D & ({\isasymforall}W X. W\isasymsubseteq{}X --> X\isasymsubseteq{}D --> h(W)\isasymsubseteq{}h(X))
+
+\tdx{lfp_def}: lfp(D,h) == Inter({\ttlbrace}X \isasymin Pow(D). h(X) \isasymsubseteq X{\ttrbrace})
+\tdx{gfp_def}: gfp(D,h) == Union({\ttlbrace}X \isasymin Pow(D). X \isasymsubseteq h(X){\ttrbrace})
+
+
+\tdx{lfp_lowerbound}: [| h(A) \isasymsubseteq A; A \isasymsubseteq D |] ==> lfp(D,h) \isasymsubseteq A
+
+\tdx{lfp_subset}: lfp(D,h) \isasymsubseteq D
+
+\tdx{lfp_greatest}: [| bnd_mono(D,h);
+ !!X. [| h(X) \isasymsubseteq X; X \isasymsubseteq D |] ==> A \isasymsubseteq X
+ |] ==> A \isasymsubseteq lfp(D,h)
+
+\tdx{lfp_Tarski}: bnd_mono(D,h) ==> lfp(D,h) = h(lfp(D,h))
+
+\tdx{induct}: [| a \isasymin lfp(D,h); bnd_mono(D,h);
+ !!x. x \isasymin h(Collect(lfp(D,h),P)) ==> P(x)
+ |] ==> P(a)
+
+\tdx{lfp_mono}: [| bnd_mono(D,h); bnd_mono(E,i);
+ !!X. X \isasymsubseteq D ==> h(X) \isasymsubseteq i(X)
+ |] ==> lfp(D,h) \isasymsubseteq lfp(E,i)
+
+\tdx{gfp_upperbound}: [| A \isasymsubseteq h(A); A \isasymsubseteq D |] ==> A \isasymsubseteq gfp(D,h)
+
+\tdx{gfp_subset}: gfp(D,h) \isasymsubseteq D
+
+\tdx{gfp_least}: [| bnd_mono(D,h);
+ !!X. [| X \isasymsubseteq h(X); X \isasymsubseteq D |] ==> X \isasymsubseteq A
+ |] ==> gfp(D,h) \isasymsubseteq A
+
+\tdx{gfp_Tarski}: bnd_mono(D,h) ==> gfp(D,h) = h(gfp(D,h))
+
+\tdx{coinduct}: [| bnd_mono(D,h); a \isasymin X; X \isasymsubseteq h(X \isasymunion gfp(D,h)); X \isasymsubseteq D
+ |] ==> a \isasymin gfp(D,h)
+
+\tdx{gfp_mono}: [| bnd_mono(D,h); D \isasymsubseteq E;
+ !!X. X \isasymsubseteq D ==> h(X) \isasymsubseteq i(X)
+ |] ==> gfp(D,h) \isasymsubseteq gfp(E,i)
+\end{alltt*}
+\caption{Least and greatest fixedpoints} \label{zf-fixedpt}
+\end{figure}
+
+
+\subsection{Least and greatest fixedpoints}
+
+The Knaster-Tarski Theorem states that every monotone function over a
+complete lattice has a fixedpoint. Theory \thydx{Fixedpt} proves the
+Theorem only for a particular lattice, namely the lattice of subsets of a
+set (Fig.\ts\ref{zf-fixedpt}). The theory defines least and greatest
+fixedpoint operators with corresponding induction and coinduction rules.
+These are essential to many definitions that follow, including the natural
+numbers and the transitive closure operator. The (co)inductive definition
+package also uses the fixedpoint operators~\cite{paulson-CADE}. See
+Davey and Priestley~\cite{davey-priestley} for more on the Knaster-Tarski
+Theorem and my paper~\cite{paulson-set-II} for discussion of the Isabelle
+proofs.
+
+Monotonicity properties are proved for most of the set-forming operations:
+union, intersection, Cartesian product, image, domain, range, etc. These
+are useful for applying the Knaster-Tarski Fixedpoint Theorem. The proofs
+themselves are trivial applications of Isabelle's classical reasoner.
+
+
+\subsection{Finite sets and lists}
+
+Theory \texttt{Finite} (Figure~\ref{zf-fin}) defines the finite set operator;
+$\isa{Fin}(A)$ is the set of all finite sets over~$A$. The theory employs
+Isabelle's inductive definition package, which proves various rules
+automatically. The induction rule shown is stronger than the one proved by
+the package. The theory also defines the set of all finite functions
+between two given sets.
+
+\begin{figure}
+\begin{alltt*}\isastyleminor
+\tdx{Fin.emptyI} 0 \isasymin Fin(A)
+\tdx{Fin.consI} [| a \isasymin A; b \isasymin Fin(A) |] ==> cons(a,b) \isasymin Fin(A)
+
+\tdx{Fin_induct}
+ [| b \isasymin Fin(A);
+ P(0);
+ !!x y. [| x\isasymin{}A; y\isasymin{}Fin(A); x\isasymnotin{}y; P(y) |] ==> P(cons(x,y))
+ |] ==> P(b)
+
+\tdx{Fin_mono}: A \isasymsubseteq B ==> Fin(A) \isasymsubseteq Fin(B)
+\tdx{Fin_UnI}: [| b \isasymin Fin(A); c \isasymin Fin(A) |] ==> b \isasymunion c \isasymin Fin(A)
+\tdx{Fin_UnionI}: C \isasymin Fin(Fin(A)) ==> Union(C) \isasymin Fin(A)
+\tdx{Fin_subset}: [| c \isasymsubseteq b; b \isasymin Fin(A) |] ==> c \isasymin Fin(A)
+\end{alltt*}
+\caption{The finite set operator} \label{zf-fin}
+\end{figure}
+
+\begin{figure}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \cdx{list} & $i\To i$ && lists over some set\\
+ \cdx{list_case} & $[i, [i,i]\To i, i] \To i$ && conditional for $list(A)$ \\
+ \cdx{map} & $[i\To i, i] \To i$ & & mapping functional\\
+ \cdx{length} & $i\To i$ & & length of a list\\
+ \cdx{rev} & $i\To i$ & & reverse of a list\\
+ \tt \at & $[i,i]\To i$ & Right 60 & append for lists\\
+ \cdx{flat} & $i\To i$ & & append of list of lists
+\end{constants}
+
+\underscoreon %%because @ is used here
+\begin{alltt*}\isastyleminor
+\tdx{NilI}: Nil \isasymin list(A)
+\tdx{ConsI}: [| a \isasymin A; l \isasymin list(A) |] ==> Cons(a,l) \isasymin list(A)
+
+\tdx{List.induct}
+ [| l \isasymin list(A);
+ P(Nil);
+ !!x y. [| x \isasymin A; y \isasymin list(A); P(y) |] ==> P(Cons(x,y))
+ |] ==> P(l)
+
+\tdx{Cons_iff}: Cons(a,l)=Cons(a',l') <-> a=a' & l=l'
+\tdx{Nil_Cons_iff}: Nil \isasymnoteq Cons(a,l)
+
+\tdx{list_mono}: A \isasymsubseteq B ==> list(A) \isasymsubseteq list(B)
+
+\tdx{map_ident}: l\isasymin{}list(A) ==> map(\%u. u, l) = l
+\tdx{map_compose}: l\isasymin{}list(A) ==> map(h, map(j,l)) = map(\%u. h(j(u)), l)
+\tdx{map_app_distrib}: xs\isasymin{}list(A) ==> map(h, xs@ys) = map(h,xs)@map(h,ys)
+\tdx{map_type}
+ [| l\isasymin{}list(A); !!x. x\isasymin{}A ==> h(x)\isasymin{}B |] ==> map(h,l)\isasymin{}list(B)
+\tdx{map_flat}
+ ls: list(list(A)) ==> map(h, flat(ls)) = flat(map(map(h),ls))
+\end{alltt*}
+\caption{Lists} \label{zf-list}
+\end{figure}
+
+
+Figure~\ref{zf-list} presents the set of lists over~$A$, $\isa{list}(A)$. The
+definition employs Isabelle's datatype package, which defines the introduction
+and induction rules automatically, as well as the constructors, case operator
+(\isa{list\_case}) and recursion operator. The theory then defines the usual
+list functions by primitive recursion. See theory \texttt{List}.
+
+
+\subsection{Miscellaneous}
+
+\begin{figure}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \sdx{O} & $[i,i]\To i$ & Right 60 & composition ($\circ$) \\
+ \cdx{id} & $i\To i$ & & identity function \\
+ \cdx{inj} & $[i,i]\To i$ & & injective function space\\
+ \cdx{surj} & $[i,i]\To i$ & & surjective function space\\
+ \cdx{bij} & $[i,i]\To i$ & & bijective function space
+\end{constants}
+
+\begin{alltt*}\isastyleminor
+\tdx{comp_def}: r O s == {\ttlbrace}xz \isasymin domain(s)*range(r) .
+ {\isasymexists}x y z. xz=<x,z> & <x,y> \isasymin s & <y,z> \isasymin r{\ttrbrace}
+\tdx{id_def}: id(A) == (lam x \isasymin A. x)
+\tdx{inj_def}: inj(A,B) == {\ttlbrace} f\isasymin{}A->B. {\isasymforall}w\isasymin{}A. {\isasymforall}x\isasymin{}A. f`w=f`x --> w=x {\ttrbrace}
+\tdx{surj_def}: surj(A,B) == {\ttlbrace} f\isasymin{}A->B . {\isasymforall}y\isasymin{}B. {\isasymexists}x\isasymin{}A. f`x=y {\ttrbrace}
+\tdx{bij_def}: bij(A,B) == inj(A,B) \isasyminter surj(A,B)
+
+
+\tdx{left_inverse}: [| f\isasymin{}inj(A,B); a\isasymin{}A |] ==> converse(f)`(f`a) = a
+\tdx{right_inverse}: [| f\isasymin{}inj(A,B); b\isasymin{}range(f) |] ==>
+ f`(converse(f)`b) = b
+
+\tdx{inj_converse_inj}: f\isasymin{}inj(A,B) ==> converse(f) \isasymin inj(range(f),A)
+\tdx{bij_converse_bij}: f\isasymin{}bij(A,B) ==> converse(f) \isasymin bij(B,A)
+
+\tdx{comp_type}: [| s \isasymsubseteq A*B; r \isasymsubseteq B*C |] ==> (r O s) \isasymsubseteq A*C
+\tdx{comp_assoc}: (r O s) O t = r O (s O t)
+
+\tdx{left_comp_id}: r \isasymsubseteq A*B ==> id(B) O r = r
+\tdx{right_comp_id}: r \isasymsubseteq A*B ==> r O id(A) = r
+
+\tdx{comp_func}: [| g\isasymin{}A->B; f\isasymin{}B->C |] ==> (f O g) \isasymin A->C
+\tdx{comp_func_apply}: [| g\isasymin{}A->B; f\isasymin{}B->C; a\isasymin{}A |] ==> (f O g)`a = f`(g`a)
+
+\tdx{comp_inj}: [| g\isasymin{}inj(A,B); f\isasymin{}inj(B,C) |] ==> (f O g)\isasymin{}inj(A,C)
+\tdx{comp_surj}: [| g\isasymin{}surj(A,B); f\isasymin{}surj(B,C) |] ==> (f O g)\isasymin{}surj(A,C)
+\tdx{comp_bij}: [| g\isasymin{}bij(A,B); f\isasymin{}bij(B,C) |] ==> (f O g)\isasymin{}bij(A,C)
+
+\tdx{left_comp_inverse}: f\isasymin{}inj(A,B) ==> converse(f) O f = id(A)
+\tdx{right_comp_inverse}: f\isasymin{}surj(A,B) ==> f O converse(f) = id(B)
+
+\tdx{bij_disjoint_Un}:
+ [| f\isasymin{}bij(A,B); g\isasymin{}bij(C,D); A \isasyminter C = 0; B \isasyminter D = 0 |] ==>
+ (f \isasymunion g)\isasymin{}bij(A \isasymunion C, B \isasymunion D)
+
+\tdx{restrict_bij}: [| f\isasymin{}inj(A,B); C\isasymsubseteq{}A |] ==> restrict(f,C)\isasymin{}bij(C, f``C)
+\end{alltt*}
+\caption{Permutations} \label{zf-perm}
+\end{figure}
+
+The theory \thydx{Perm} is concerned with permutations (bijections) and
+related concepts. These include composition of relations, the identity
+relation, and three specialized function spaces: injective, surjective and
+bijective. Figure~\ref{zf-perm} displays many of their properties that
+have been proved. These results are fundamental to a treatment of
+equipollence and cardinality.
+
+Theory \thydx{Univ} defines a `universe' $\isa{univ}(A)$, which is used by
+the datatype package. This set contains $A$ and the
+natural numbers. Vitally, it is closed under finite products:
+$\isa{univ}(A)\times\isa{univ}(A)\subseteq\isa{univ}(A)$. This theory also
+defines the cumulative hierarchy of axiomatic set theory, which
+traditionally is written $V@\alpha$ for an ordinal~$\alpha$. The
+`universe' is a simple generalization of~$V@\omega$.
+
+Theory \thydx{QUniv} defines a `universe' $\isa{quniv}(A)$, which is used by
+the datatype package to construct codatatypes such as streams. It is
+analogous to $\isa{univ}(A)$ (and is defined in terms of it) but is closed
+under the non-standard product and sum.
+
+
+\section{Automatic Tools}
+
+ZF provides the simplifier and the classical reasoner. Moreover it supplies a
+specialized tool to infer `types' of terms.
+
+\subsection{Simplification and Classical Reasoning}
+
+ZF inherits simplification from FOL but adopts it for set theory. The
+extraction of rewrite rules takes the ZF primitives into account. It can
+strip bounded universal quantifiers from a formula; for example, ${\forall
+ x\in A. f(x)=g(x)}$ yields the conditional rewrite rule $x\in A \Imp
+f(x)=g(x)$. Given $a\in\{x\in A. P(x)\}$ it extracts rewrite rules from $a\in
+A$ and~$P(a)$. It can also break down $a\in A\int B$ and $a\in A-B$.
+
+The default simpset used by \isa{simp} contains congruence rules for all of ZF's
+binding operators. It contains all the conversion rules, such as
+\isa{fst} and
+\isa{snd}, as well as the rewrites shown in Fig.\ts\ref{zf-simpdata}.
+
+Classical reasoner methods such as \isa{blast} and \isa{auto} refer to
+a rich collection of built-in axioms for all the set-theoretic
+primitives.
+
+
+\begin{figure}
+\begin{eqnarray*}
+ a\in \emptyset & \bimp & \bot\\
+ a \in A \un B & \bimp & a\in A \disj a\in B\\
+ a \in A \int B & \bimp & a\in A \conj a\in B\\
+ a \in A-B & \bimp & a\in A \conj \lnot (a\in B)\\
+ \pair{a,b}\in \isa{Sigma}(A,B)
+ & \bimp & a\in A \conj b\in B(a)\\
+ a \in \isa{Collect}(A,P) & \bimp & a\in A \conj P(a)\\
+ (\forall x \in \emptyset. P(x)) & \bimp & \top\\
+ (\forall x \in A. \top) & \bimp & \top
+\end{eqnarray*}
+\caption{Some rewrite rules for set theory} \label{zf-simpdata}
+\end{figure}
+
+
+\subsection{Type-Checking Tactics}
+\index{type-checking tactics}
+
+Isabelle/ZF provides simple tactics to help automate those proofs that are
+essentially type-checking. Such proofs are built by applying rules such as
+these:
+\begin{ttbox}\isastyleminor
+[| ?P ==> ?a \isasymin ?A; ~?P ==> ?b \isasymin ?A |]
+==> (if ?P then ?a else ?b) \isasymin ?A
+
+[| ?m \isasymin nat; ?n \isasymin nat |] ==> ?m #+ ?n \isasymin nat
+
+?a \isasymin ?A ==> Inl(?a) \isasymin ?A + ?B
+\end{ttbox}
+In typical applications, the goal has the form $t\in\Var{A}$: in other words,
+we have a specific term~$t$ and need to infer its `type' by instantiating the
+set variable~$\Var{A}$. Neither the simplifier nor the classical reasoner
+does this job well. The if-then-else rule, and many similar ones, can make
+the classical reasoner loop. The simplifier refuses (on principle) to
+instantiate variables during rewriting, so goals such as \isa{i\#+j \isasymin \ ?A}
+are left unsolved.
+
+The simplifier calls the type-checker to solve rewritten subgoals: this stage
+can indeed instantiate variables. If you have defined new constants and
+proved type-checking rules for them, then declare the rules using
+the attribute \isa{TC} and the rest should be automatic. In
+particular, the simplifier will use type-checking to help satisfy
+conditional rewrite rules. Call the method \ttindex{typecheck} to
+break down all subgoals using type-checking rules. You can add new
+type-checking rules temporarily like this:
+\begin{isabelle}
+\isacommand{apply}\ (typecheck add:\ inj_is_fun)
+\end{isabelle}
+
+
+%Though the easiest way to invoke the type-checker is via the simplifier,
+%specialized applications may require more detailed knowledge of
+%the type-checking primitives. They are modelled on the simplifier's:
+%\begin{ttdescription}
+%\item[\ttindexbold{tcset}] is the type of tcsets: sets of type-checking rules.
+%
+%\item[\ttindexbold{addTCs}] is an infix operator to add type-checking rules to
+% a tcset.
+%
+%\item[\ttindexbold{delTCs}] is an infix operator to remove type-checking rules
+% from a tcset.
+%
+%\item[\ttindexbold{typecheck_tac}] is a tactic for attempting to prove all
+% subgoals using the rules given in its argument, a tcset.
+%\end{ttdescription}
+%
+%Tcsets, like simpsets, are associated with theories and are merged when
+%theories are merged. There are further primitives that use the default tcset.
+%\begin{ttdescription}
+%\item[\ttindexbold{tcset}] is a function to return the default tcset; use the
+% expression \isa{tcset()}.
+%
+%\item[\ttindexbold{AddTCs}] adds type-checking rules to the default tcset.
+%
+%\item[\ttindexbold{DelTCs}] removes type-checking rules from the default
+% tcset.
+%
+%\item[\ttindexbold{Typecheck_tac}] calls \isa{typecheck_tac} using the
+% default tcset.
+%\end{ttdescription}
+%
+%To supply some type-checking rules temporarily, using \isa{Addrules} and
+%later \isa{Delrules} is the simplest way. There is also a high-tech
+%approach. Call the simplifier with a new solver expressed using
+%\ttindexbold{type_solver_tac} and your temporary type-checking rules.
+%\begin{ttbox}\isastyleminor
+%by (asm_simp_tac
+% (simpset() setSolver type_solver_tac (tcset() addTCs prems)) 2);
+%\end{ttbox}
+
+
+\section{Natural number and integer arithmetic}
+
+\index{arithmetic|(}
+
+\begin{figure}\small
+\index{#*@{\tt\#*} symbol}
+\index{*div symbol}
+\index{*mod symbol}
+\index{#+@{\tt\#+} symbol}
+\index{#-@{\tt\#-} symbol}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \cdx{nat} & $i$ & & set of natural numbers \\
+ \cdx{nat_case}& $[i,i\To i,i]\To i$ & & conditional for $nat$\\
+ \tt \#* & $[i,i]\To i$ & Left 70 & multiplication \\
+ \tt div & $[i,i]\To i$ & Left 70 & division\\
+ \tt mod & $[i,i]\To i$ & Left 70 & modulus\\
+ \tt \#+ & $[i,i]\To i$ & Left 65 & addition\\
+ \tt \#- & $[i,i]\To i$ & Left 65 & subtraction
+\end{constants}
+
+\begin{alltt*}\isastyleminor
+\tdx{nat_def}: nat == lfp(lam r \isasymin Pow(Inf). {\ttlbrace}0{\ttrbrace} \isasymunion {\ttlbrace}succ(x). x \isasymin r{\ttrbrace}
+
+\tdx{nat_case_def}: nat_case(a,b,k) ==
+ THE y. k=0 & y=a | ({\isasymexists}x. k=succ(x) & y=b(x))
+
+\tdx{nat_0I}: 0 \isasymin nat
+\tdx{nat_succI}: n \isasymin nat ==> succ(n) \isasymin nat
+
+\tdx{nat_induct}:
+ [| n \isasymin nat; P(0); !!x. [| x \isasymin nat; P(x) |] ==> P(succ(x))
+ |] ==> P(n)
+
+\tdx{nat_case_0}: nat_case(a,b,0) = a
+\tdx{nat_case_succ}: nat_case(a,b,succ(m)) = b(m)
+
+\tdx{add_0_natify}: 0 #+ n = natify(n)
+\tdx{add_succ}: succ(m) #+ n = succ(m #+ n)
+
+\tdx{mult_type}: m #* n \isasymin nat
+\tdx{mult_0}: 0 #* n = 0
+\tdx{mult_succ}: succ(m) #* n = n #+ (m #* n)
+\tdx{mult_commute}: m #* n = n #* m
+\tdx{add_mult_dist}: (m #+ n) #* k = (m #* k) #+ (n #* k)
+\tdx{mult_assoc}: (m #* n) #* k = m #* (n #* k)
+\tdx{mod_div_equality}: m \isasymin nat ==> (m div n)#*n #+ m mod n = m
+\end{alltt*}
+\caption{The natural numbers} \label{zf-nat}
+\end{figure}
+
+\index{natural numbers}
+
+Theory \thydx{Nat} defines the natural numbers and mathematical
+induction, along with a case analysis operator. The set of natural
+numbers, here called \isa{nat}, is known in set theory as the ordinal~$\omega$.
+
+Theory \thydx{Arith} develops arithmetic on the natural numbers
+(Fig.\ts\ref{zf-nat}). Addition, multiplication and subtraction are defined
+by primitive recursion. Division and remainder are defined by repeated
+subtraction, which requires well-founded recursion; the termination argument
+relies on the divisor's being non-zero. Many properties are proved:
+commutative, associative and distributive laws, identity and cancellation
+laws, etc. The most interesting result is perhaps the theorem $a \bmod b +
+(a/b)\times b = a$.
+
+To minimize the need for tedious proofs of $t\in\isa{nat}$, the arithmetic
+operators coerce their arguments to be natural numbers. The function
+\cdx{natify} is defined such that $\isa{natify}(n) = n$ if $n$ is a natural
+number, $\isa{natify}(\isa{succ}(x)) =
+\isa{succ}(\isa{natify}(x))$ for all $x$, and finally
+$\isa{natify}(x)=0$ in all other cases. The benefit is that the addition,
+subtraction, multiplication, division and remainder operators always return
+natural numbers, regardless of their arguments. Algebraic laws (commutative,
+associative, distributive) are unconditional. Occurrences of \isa{natify}
+as operands of those operators are simplified away. Any remaining occurrences
+can either be tolerated or else eliminated by proving that the argument is a
+natural number.
+
+The simplifier automatically cancels common terms on the opposite sides of
+subtraction and of relations ($=$, $<$ and $\le$). Here is an example:
+\begin{isabelle}
+ 1. i \#+ j \#+ k \#- j < k \#+ l\isanewline
+\isacommand{apply}\ simp\isanewline
+ 1. natify(i) < natify(l)
+\end{isabelle}
+Given the assumptions \isa{i \isasymin nat} and \isa{l \isasymin nat}, both occurrences of
+\cdx{natify} would be simplified away.
+
+
+\begin{figure}\small
+\index{$*@{\tt\$*} symbol}
+\index{$+@{\tt\$+} symbol}
+\index{$-@{\tt\$-} symbol}
+\begin{constants}
+ \it symbol & \it meta-type & \it priority & \it description \\
+ \cdx{int} & $i$ & & set of integers \\
+ \tt \$* & $[i,i]\To i$ & Left 70 & multiplication \\
+ \tt \$+ & $[i,i]\To i$ & Left 65 & addition\\
+ \tt \$- & $[i,i]\To i$ & Left 65 & subtraction\\
+ \tt \$< & $[i,i]\To o$ & Left 50 & $<$ on integers\\
+ \tt \$<= & $[i,i]\To o$ & Left 50 & $\le$ on integers
+\end{constants}
+
+\begin{alltt*}\isastyleminor
+\tdx{zadd_0_intify}: 0 $+ n = intify(n)
+
+\tdx{zmult_type}: m $* n \isasymin int
+\tdx{zmult_0}: 0 $* n = 0
+\tdx{zmult_commute}: m $* n = n $* m
+\tdx{zadd_zmult_dist}: (m $+ n) $* k = (m $* k) $+ (n $* k)
+\tdx{zmult_assoc}: (m $* n) $* k = m $* (n $* k)
+\end{alltt*}
+\caption{The integers} \label{zf-int}
+\end{figure}
+
+
+\index{integers}
+
+Theory \thydx{Int} defines the integers, as equivalence classes of natural
+numbers. Figure~\ref{zf-int} presents a tidy collection of laws. In
+fact, a large library of facts is proved, including monotonicity laws for
+addition and multiplication, covering both positive and negative operands.
+
+As with the natural numbers, the need for typing proofs is minimized. All the
+operators defined in Fig.\ts\ref{zf-int} coerce their operands to integers by
+applying the function \cdx{intify}. This function is the identity on integers
+and maps other operands to zero.
+
+Decimal notation is provided for the integers. Numbers, written as
+\isa{\#$nnn$} or \isa{\#-$nnn$}, are represented internally in
+two's-complement binary. Expressions involving addition, subtraction and
+multiplication of numeral constants are evaluated (with acceptable efficiency)
+by simplification. The simplifier also collects similar terms, multiplying
+them by a numerical coefficient. It also cancels occurrences of the same
+terms on the other side of the relational operators. Example:
+\begin{isabelle}
+ 1. y \$+ z \$+ \#-3 \$* x \$+ y \$<= x \$* \#2 \$+
+z\isanewline
+\isacommand{apply}\ simp\isanewline
+ 1. \#2 \$* y \$<= \#5 \$* x
+\end{isabelle}
+For more information on the integers, please see the theories on directory
+\texttt{ZF/Integ}.
+
+\index{arithmetic|)}
+
+
+\section{Datatype definitions}
+\label{sec:ZF:datatype}
+\index{*datatype|(}
+
+The \ttindex{datatype} definition package of ZF constructs inductive datatypes
+similar to \ML's. It can also construct coinductive datatypes
+(codatatypes), which are non-well-founded structures such as streams. It
+defines the set using a fixed-point construction and proves induction rules,
+as well as theorems for recursion and case combinators. It supplies
+mechanisms for reasoning about freeness. The datatype package can handle both
+mutual and indirect recursion.
+
+
+\subsection{Basics}
+\label{subsec:datatype:basics}
+
+A \isa{datatype} definition has the following form:
+\[
+\begin{array}{llcl}
+\mathtt{datatype} & t@1(A@1,\ldots,A@h) & = &
+ constructor^1@1 ~\mid~ \ldots ~\mid~ constructor^1@{k@1} \\
+ & & \vdots \\
+\mathtt{and} & t@n(A@1,\ldots,A@h) & = &
+ constructor^n@1~ ~\mid~ \ldots ~\mid~ constructor^n@{k@n}
+\end{array}
+\]
+Here $t@1$, \ldots,~$t@n$ are identifiers and $A@1$, \ldots,~$A@h$ are
+variables: the datatype's parameters. Each constructor specification has the
+form \dquotesoff
+\[ C \hbox{\tt~( } \hbox{\tt"} x@1 \hbox{\tt:} T@1 \hbox{\tt"},\;
+ \ldots,\;
+ \hbox{\tt"} x@m \hbox{\tt:} T@m \hbox{\tt"}
+ \hbox{\tt~)}
+\]
+Here $C$ is the constructor name, and variables $x@1$, \ldots,~$x@m$ are the
+constructor arguments, belonging to the sets $T@1$, \ldots, $T@m$,
+respectively. Typically each $T@j$ is either a constant set, a datatype
+parameter (one of $A@1$, \ldots, $A@h$) or a recursive occurrence of one of
+the datatypes, say $t@i(A@1,\ldots,A@h)$. More complex possibilities exist,
+but they are much harder to realize. Often, additional information must be
+supplied in the form of theorems.
+
+A datatype can occur recursively as the argument of some function~$F$. This
+is called a {\em nested} (or \emph{indirect}) occurrence. It is only allowed
+if the datatype package is given a theorem asserting that $F$ is monotonic.
+If the datatype has indirect occurrences, then Isabelle/ZF does not support
+recursive function definitions.
+
+A simple example of a datatype is \isa{list}, which is built-in, and is
+defined by
+\begin{alltt*}\isastyleminor
+consts list :: "i=>i"
+datatype "list(A)" = Nil | Cons ("a \isasymin A", "l \isasymin list(A)")
+\end{alltt*}
+Note that the datatype operator must be declared as a constant first.
+However, the package declares the constructors. Here, \isa{Nil} gets type
+$i$ and \isa{Cons} gets type $[i,i]\To i$.
+
+Trees and forests can be modelled by the mutually recursive datatype
+definition
+\begin{alltt*}\isastyleminor
+consts
+ tree :: "i=>i"
+ forest :: "i=>i"
+ tree_forest :: "i=>i"
+datatype "tree(A)" = Tcons ("a{\isasymin}A", "f{\isasymin}forest(A)")
+and "forest(A)" = Fnil | Fcons ("t{\isasymin}tree(A)", "f{\isasymin}forest(A)")
+\end{alltt*}
+Here $\isa{tree}(A)$ is the set of trees over $A$, $\isa{forest}(A)$ is
+the set of forests over $A$, and $\isa{tree_forest}(A)$ is the union of
+the previous two sets. All three operators must be declared first.
+
+The datatype \isa{term}, which is defined by
+\begin{alltt*}\isastyleminor
+consts term :: "i=>i"
+datatype "term(A)" = Apply ("a \isasymin A", "l \isasymin list(term(A))")
+ monos list_mono
+ type_elims list_univ [THEN subsetD, elim_format]
+\end{alltt*}
+is an example of nested recursion. (The theorem \isa{list_mono} is proved
+in theory \isa{List}, and the \isa{term} example is developed in
+theory
+\thydx{Induct/Term}.)
+
+\subsubsection{Freeness of the constructors}
+
+Constructors satisfy {\em freeness} properties. Constructions are distinct,
+for example $\isa{Nil}\not=\isa{Cons}(a,l)$, and they are injective, for
+example $\isa{Cons}(a,l)=\isa{Cons}(a',l') \bimp a=a' \conj l=l'$.
+Because the number of freeness is quadratic in the number of constructors, the
+datatype package does not prove them. Instead, it ensures that simplification
+will prove them dynamically: when the simplifier encounters a formula
+asserting the equality of two datatype constructors, it performs freeness
+reasoning.
+
+Freeness reasoning can also be done using the classical reasoner, but it is
+more complicated. You have to add some safe elimination rules rules to the
+claset. For the \isa{list} datatype, they are called
+\isa{list.free_elims}. Occasionally this exposes the underlying
+representation of some constructor, which can be rectified using the command
+\isa{unfold list.con_defs [symmetric]}.
+
+
+\subsubsection{Structural induction}
+
+The datatype package also provides structural induction rules. For datatypes
+without mutual or nested recursion, the rule has the form exemplified by
+\isa{list.induct} in Fig.\ts\ref{zf-list}. For mutually recursive
+datatypes, the induction rule is supplied in two forms. Consider datatype
+\isa{TF}. The rule \isa{tree_forest.induct} performs induction over a
+single predicate~\isa{P}, which is presumed to be defined for both trees
+and forests:
+\begin{alltt*}\isastyleminor
+[| x \isasymin tree_forest(A);
+ !!a f. [| a \isasymin A; f \isasymin forest(A); P(f) |] ==> P(Tcons(a, f));
+ P(Fnil);
+ !!f t. [| t \isasymin tree(A); P(t); f \isasymin forest(A); P(f) |]
+ ==> P(Fcons(t, f))
+|] ==> P(x)
+\end{alltt*}
+The rule \isa{tree_forest.mutual_induct} performs induction over two
+distinct predicates, \isa{P_tree} and \isa{P_forest}.
+\begin{alltt*}\isastyleminor
+[| !!a f.
+ [| a{\isasymin}A; f{\isasymin}forest(A); P_forest(f) |] ==> P_tree(Tcons(a,f));
+ P_forest(Fnil);
+ !!f t. [| t{\isasymin}tree(A); P_tree(t); f{\isasymin}forest(A); P_forest(f) |]
+ ==> P_forest(Fcons(t, f))
+|] ==> ({\isasymforall}za. za \isasymin tree(A) --> P_tree(za)) &
+ ({\isasymforall}za. za \isasymin forest(A) --> P_forest(za))
+\end{alltt*}
+
+For datatypes with nested recursion, such as the \isa{term} example from
+above, things are a bit more complicated. The rule \isa{term.induct}
+refers to the monotonic operator, \isa{list}:
+\begin{alltt*}\isastyleminor
+[| x \isasymin term(A);
+ !!a l. [| a\isasymin{}A; l\isasymin{}list(Collect(term(A), P)) |] ==> P(Apply(a,l))
+|] ==> P(x)
+\end{alltt*}
+The theory \isa{Induct/Term.thy} derives two higher-level induction rules,
+one of which is particularly useful for proving equations:
+\begin{alltt*}\isastyleminor
+[| t \isasymin term(A);
+ !!x zs. [| x \isasymin A; zs \isasymin list(term(A)); map(f, zs) = map(g, zs) |]
+ ==> f(Apply(x, zs)) = g(Apply(x, zs))
+|] ==> f(t) = g(t)
+\end{alltt*}
+How this can be generalized to other nested datatypes is a matter for future
+research.
+
+
+\subsubsection{The \isa{case} operator}
+
+The package defines an operator for performing case analysis over the
+datatype. For \isa{list}, it is called \isa{list_case} and satisfies
+the equations
+\begin{ttbox}\isastyleminor
+list_case(f_Nil, f_Cons, []) = f_Nil
+list_case(f_Nil, f_Cons, Cons(a, l)) = f_Cons(a, l)
+\end{ttbox}
+Here \isa{f_Nil} is the value to return if the argument is \isa{Nil} and
+\isa{f_Cons} is a function that computes the value to return if the
+argument has the form $\isa{Cons}(a,l)$. The function can be expressed as
+an abstraction, over patterns if desired (\S\ref{sec:pairs}).
+
+For mutually recursive datatypes, there is a single \isa{case} operator.
+In the tree/forest example, the constant \isa{tree_forest_case} handles all
+of the constructors of the two datatypes.
+
+
+\subsection{Defining datatypes}
+
+The theory syntax for datatype definitions is shown in the
+Isabelle/Isar reference manual. In order to be well-formed, a
+datatype definition has to obey the rules stated in the previous
+section. As a result the theory is extended with the new types, the
+constructors, and the theorems listed in the previous section.
+
+Codatatypes are declared like datatypes and are identical to them in every
+respect except that they have a coinduction rule instead of an induction rule.
+Note that while an induction rule has the effect of limiting the values
+contained in the set, a coinduction rule gives a way of constructing new
+values of the set.
+
+Most of the theorems about datatypes become part of the default simpset. You
+never need to see them again because the simplifier applies them
+automatically.
+
+\subsubsection{Specialized methods for datatypes}
+
+Induction and case-analysis can be invoked using these special-purpose
+methods:
+\begin{ttdescription}
+\item[\methdx{induct_tac} $x$] applies structural
+ induction on variable $x$ to subgoal~1, provided the type of $x$ is a
+ datatype. The induction variable should not occur among other assumptions
+ of the subgoal.
+\end{ttdescription}
+%
+% we also have the ind_cases method, but what does it do?
+In some situations, induction is overkill and a case distinction over all
+constructors of the datatype suffices.
+\begin{ttdescription}
+\item[\methdx{case_tac} $x$]
+ performs a case analysis for the variable~$x$.
+\end{ttdescription}
+
+Both tactics can only be applied to a variable, whose typing must be given in
+some assumption, for example the assumption \isa{x \isasymin \ list(A)}. The tactics
+also work for the natural numbers (\isa{nat}) and disjoint sums, although
+these sets were not defined using the datatype package. (Disjoint sums are
+not recursive, so only \isa{case_tac} is available.)
+
+Structured Isar methods are also available. Below, $t$
+stands for the name of the datatype.
+\begin{ttdescription}
+\item[\methdx{induct} \isa{set:}\ $t$] is the Isar induction tactic.
+\item[\methdx{cases} \isa{set:}\ $t$] is the Isar case-analysis tactic.
+\end{ttdescription}
+
+
+\subsubsection{The theorems proved by a datatype declaration}
+
+Here are some more details for the technically minded. Processing the
+datatype declaration of a set~$t$ produces a name space~$t$ containing
+the following theorems:
+\begin{ttbox}\isastyleminor
+intros \textrm{the introduction rules}
+cases \textrm{the case analysis rule}
+induct \textrm{the standard induction rule}
+mutual_induct \textrm{the mutual induction rule, if needed}
+case_eqns \textrm{equations for the case operator}
+recursor_eqns \textrm{equations for the recursor}
+simps \textrm{the union of} case_eqns \textrm{and} recursor_eqns
+con_defs \textrm{definitions of the case operator and constructors}
+free_iffs \textrm{logical equivalences for proving freeness}
+free_elims \textrm{elimination rules for proving freeness}
+defs \textrm{datatype definition(s)}
+\end{ttbox}
+Furthermore there is the theorem $C$ for every constructor~$C$; for
+example, the \isa{list} datatype's introduction rules are bound to the
+identifiers \isa{Nil} and \isa{Cons}.
+
+For a codatatype, the component \isa{coinduct} is the coinduction rule,
+replacing the \isa{induct} component.
+
+See the theories \isa{Induct/Ntree} and \isa{Induct/Brouwer} for examples of
+infinitely branching datatypes. See theory \isa{Induct/LList} for an example
+of a codatatype. Some of these theories illustrate the use of additional,
+undocumented features of the datatype package. Datatype definitions are
+reduced to inductive definitions, and the advanced features should be
+understood in that light.
+
+
+\subsection{Examples}
+
+\subsubsection{The datatype of binary trees}
+
+Let us define the set $\isa{bt}(A)$ of binary trees over~$A$. The theory
+must contain these lines:
+\begin{alltt*}\isastyleminor
+consts bt :: "i=>i"
+datatype "bt(A)" = Lf | Br ("a\isasymin{}A", "t1\isasymin{}bt(A)", "t2\isasymin{}bt(A)")
+\end{alltt*}
+After loading the theory, we can prove some theorem.
+We begin by declaring the constructor's typechecking rules
+as simplification rules:
+\begin{isabelle}
+\isacommand{declare}\ bt.intros\ [simp]%
+\end{isabelle}
+
+Our first example is the theorem that no tree equals its
+left branch. To make the inductive hypothesis strong enough,
+the proof requires a quantified induction formula, but
+the \isa{rule\_format} attribute will remove the quantifiers
+before the theorem is stored.
+\begin{isabelle}
+\isacommand{lemma}\ Br\_neq\_left\ [rule\_format]:\ "l\isasymin bt(A)\ ==>\ \isasymforall x\ r.\ Br(x,l,r)\isasymnoteq{}l"\isanewline
+\ 1.\ l\ \isasymin \ bt(A)\ \isasymLongrightarrow \ \isasymforall x\ r.\ Br(x,\ l,\ r)\ \isasymnoteq \ l%
+\end{isabelle}
+This can be proved by the structural induction tactic:
+\begin{isabelle}
+\ \ \isacommand{apply}\ (induct\_tac\ l)\isanewline
+\ 1.\ \isasymforall x\ r.\ Br(x,\ Lf,\ r)\ \isasymnoteq \ Lf\isanewline
+\ 2.\ \isasymAnd a\ t1\ t2.\isanewline
+\isaindent{\ 2.\ \ \ \ }\isasymlbrakk a\ \isasymin \ A;\ t1\ \isasymin \ bt(A);\ \isasymforall x\ r.\ Br(x,\ t1,\ r)\ \isasymnoteq \ t1;\ t2\ \isasymin \ bt(A);\isanewline
+\isaindent{\ 2.\ \ \ \ \ \ \ }\isasymforall x\ r.\ Br(x,\ t2,\ r)\ \isasymnoteq \ t2\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \ \ \ }\isasymLongrightarrow \ \isasymforall x\ r.\ Br(x,\ Br(a,\ t1,\ t2),\ r)\ \isasymnoteq \ Br(a,\ t1,\ t2)
+\end{isabelle}
+Both subgoals are proved using \isa{auto}, which performs the necessary
+freeness reasoning.
+\begin{isabelle}
+\ \ \isacommand{apply}\ auto\isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+
+An alternative proof uses Isar's fancy \isa{induct} method, which
+automatically quantifies over all free variables:
+
+\begin{isabelle}
+\isacommand{lemma}\ Br\_neq\_left':\ "l\ \isasymin \ bt(A)\ ==>\ (!!x\ r.\ Br(x,\ l,\ r)\ \isasymnoteq \ l)"\isanewline
+\ \ \isacommand{apply}\ (induct\ set:\ bt)\isanewline
+\ 1.\ \isasymAnd x\ r.\ Br(x,\ Lf,\ r)\ \isasymnoteq \ Lf\isanewline
+\ 2.\ \isasymAnd a\ t1\ t2\ x\ r.\isanewline
+\isaindent{\ 2.\ \ \ \ }\isasymlbrakk a\ \isasymin \ A;\ t1\ \isasymin \ bt(A);\ \isasymAnd x\ r.\ Br(x,\ t1,\ r)\ \isasymnoteq \ t1;\ t2\ \isasymin \ bt(A);\isanewline
+\isaindent{\ 2.\ \ \ \ \ \ \ }\isasymAnd x\ r.\ Br(x,\ t2,\ r)\ \isasymnoteq \ t2\isasymrbrakk \isanewline
+\isaindent{\ 2.\ \ \ \ }\isasymLongrightarrow \ Br(x,\ Br(a,\ t1,\ t2),\ r)\ \isasymnoteq \ Br(a,\ t1,\ t2)
+\end{isabelle}
+Compare the form of the induction hypotheses with the corresponding ones in
+the previous proof. As before, to conclude requires only \isa{auto}.
+
+When there are only a few constructors, we might prefer to prove the freenness
+theorems for each constructor. This is simple:
+\begin{isabelle}
+\isacommand{lemma}\ Br\_iff:\ "Br(a,l,r)\ =\ Br(a',l',r')\ <->\ a=a'\ \&\ l=l'\ \&\ r=r'"\isanewline
+\ \ \isacommand{by}\ (blast\ elim!:\ bt.free\_elims)
+\end{isabelle}
+Here we see a demonstration of freeness reasoning using
+\isa{bt.free\_elims}, but simpler still is just to apply \isa{auto}.
+
+An \ttindex{inductive\_cases} declaration generates instances of the
+case analysis rule that have been simplified using freeness
+reasoning.
+\begin{isabelle}
+\isacommand{inductive\_cases}\ Br\_in\_bt:\ "Br(a,\ l,\ r)\ \isasymin \ bt(A)"
+\end{isabelle}
+The theorem just created is
+\begin{isabelle}
+\isasymlbrakk Br(a,\ l,\ r)\ \isasymin \ bt(A);\ \isasymlbrakk a\ \isasymin \ A;\ l\ \isasymin \ bt(A);\ r\ \isasymin \ bt(A)\isasymrbrakk \ \isasymLongrightarrow \ Q\isasymrbrakk \ \isasymLongrightarrow \ Q.
+\end{isabelle}
+It is an elimination rule that from $\isa{Br}(a,l,r)\in\isa{bt}(A)$
+lets us infer $a\in A$, $l\in\isa{bt}(A)$ and
+$r\in\isa{bt}(A)$.
+
+
+\subsubsection{Mixfix syntax in datatypes}
+
+Mixfix syntax is sometimes convenient. The theory \isa{Induct/PropLog} makes a
+deep embedding of propositional logic:
+\begin{alltt*}\isastyleminor
+consts prop :: i
+datatype "prop" = Fls
+ | Var ("n \isasymin nat") ("#_" [100] 100)
+ | "=>" ("p \isasymin prop", "q \isasymin prop") (infixr 90)
+\end{alltt*}
+The second constructor has a special $\#n$ syntax, while the third constructor
+is an infixed arrow.
+
+
+\subsubsection{A giant enumeration type}
+
+This example shows a datatype that consists of 60 constructors:
+\begin{alltt*}\isastyleminor
+consts enum :: i
+datatype
+ "enum" = C00 | C01 | C02 | C03 | C04 | C05 | C06 | C07 | C08 | C09
+ | C10 | C11 | C12 | C13 | C14 | C15 | C16 | C17 | C18 | C19
+ | C20 | C21 | C22 | C23 | C24 | C25 | C26 | C27 | C28 | C29
+ | C30 | C31 | C32 | C33 | C34 | C35 | C36 | C37 | C38 | C39
+ | C40 | C41 | C42 | C43 | C44 | C45 | C46 | C47 | C48 | C49
+ | C50 | C51 | C52 | C53 | C54 | C55 | C56 | C57 | C58 | C59
+end
+\end{alltt*}
+The datatype package scales well. Even though all properties are proved
+rather than assumed, full processing of this definition takes around two seconds
+(on a 1.8GHz machine). The constructors have a balanced representation,
+related to binary notation, so freeness properties can be proved fast.
+\begin{isabelle}
+\isacommand{lemma}\ "C00 \isasymnoteq\ C01"\isanewline
+\ \ \isacommand{by}\ simp
+\end{isabelle}
+You need not derive such inequalities explicitly. The simplifier will
+dispose of them automatically.
+
+\index{*datatype|)}
+
+
+\subsection{Recursive function definitions}\label{sec:ZF:recursive}
+\index{recursive functions|see{recursion}}
+\index{*primrec|(}
+\index{recursion!primitive|(}
+
+Datatypes come with a uniform way of defining functions, {\bf primitive
+ recursion}. Such definitions rely on the recursion operator defined by the
+datatype package. Isabelle proves the desired recursion equations as
+theorems.
+
+In principle, one could introduce primitive recursive functions by asserting
+their reduction rules as axioms. Here is a dangerous way of defining a
+recursive function over binary trees:
+\begin{isabelle}
+\isacommand{consts}\ \ n\_nodes\ ::\ "i\ =>\ i"\isanewline
+\isacommand{axioms}\isanewline
+\ \ n\_nodes\_Lf:\ "n\_nodes(Lf)\ =\ 0"\isanewline
+\ \ n\_nodes\_Br:\ "n\_nodes(Br(a,l,r))\ =\ succ(n\_nodes(l)\ \#+\ n\_nodes(r))"
+\end{isabelle}
+Asserting axioms brings the danger of accidentally introducing
+contradictions. It should be avoided whenever possible.
+
+The \ttindex{primrec} declaration is a safe means of defining primitive
+recursive functions on datatypes:
+\begin{isabelle}
+\isacommand{consts}\ \ n\_nodes\ ::\ "i\ =>\ i"\isanewline
+\isacommand{primrec}\isanewline
+\ \ "n\_nodes(Lf)\ =\ 0"\isanewline
+\ \ "n\_nodes(Br(a,\ l,\ r))\ =\ succ(n\_nodes(l)\ \#+\ n\_nodes(r))"
+\end{isabelle}
+Isabelle will now derive the two equations from a low-level definition
+based upon well-founded recursion. If they do not define a legitimate
+recursion, then Isabelle will reject the declaration.
+
+
+\subsubsection{Syntax of recursive definitions}
+
+The general form of a primitive recursive definition is
+\begin{ttbox}\isastyleminor
+primrec
+ {\it reduction rules}
+\end{ttbox}
+where \textit{reduction rules} specify one or more equations of the form
+\[ f \, x@1 \, \dots \, x@m \, (C \, y@1 \, \dots \, y@k) \, z@1 \,
+\dots \, z@n = r \] such that $C$ is a constructor of the datatype, $r$
+contains only the free variables on the left-hand side, and all recursive
+calls in $r$ are of the form $f \, \dots \, y@i \, \dots$ for some $i$.
+There must be at most one reduction rule for each constructor. The order is
+immaterial. For missing constructors, the function is defined to return zero.
+
+All reduction rules are added to the default simpset.
+If you would like to refer to some rule by name, then you must prefix
+the rule with an identifier. These identifiers, like those in the
+\isa{rules} section of a theory, will be visible in proof scripts.
+
+The reduction rules become part of the default simpset, which
+leads to short proof scripts:
+\begin{isabelle}
+\isacommand{lemma}\ n\_nodes\_type\ [simp]:\ "t\ \isasymin \ bt(A)\ ==>\ n\_nodes(t)\ \isasymin \ nat"\isanewline
+\ \ \isacommand{by}\ (induct\_tac\ t,\ auto)
+\end{isabelle}
+
+You can even use the \isa{primrec} form with non-recursive datatypes and
+with codatatypes. Recursion is not allowed, but it provides a convenient
+syntax for defining functions by cases.
+
+
+\subsubsection{Example: varying arguments}
+
+All arguments, other than the recursive one, must be the same in each equation
+and in each recursive call. To get around this restriction, use explict
+$\lambda$-abstraction and function application. For example, let us
+define the tail-recursive version of \isa{n\_nodes}, using an
+accumulating argument for the counter. The second argument, $k$, varies in
+recursive calls.
+\begin{isabelle}
+\isacommand{consts}\ \ n\_nodes\_aux\ ::\ "i\ =>\ i"\isanewline
+\isacommand{primrec}\isanewline
+\ \ "n\_nodes\_aux(Lf)\ =\ (\isasymlambda k\ \isasymin \ nat.\ k)"\isanewline
+\ \ "n\_nodes\_aux(Br(a,l,r))\ =\ \isanewline
+\ \ \ \ \ \ (\isasymlambda k\ \isasymin \ nat.\ n\_nodes\_aux(r)\ `\ \ (n\_nodes\_aux(l)\ `\ succ(k)))"
+\end{isabelle}
+Now \isa{n\_nodes\_aux(t)\ `\ k} is our function in two arguments. We
+can prove a theorem relating it to \isa{n\_nodes}. Note the quantification
+over \isa{k\ \isasymin \ nat}:
+\begin{isabelle}
+\isacommand{lemma}\ n\_nodes\_aux\_eq\ [rule\_format]:\isanewline
+\ \ \ \ \ "t\ \isasymin \ bt(A)\ ==>\ \isasymforall k\ \isasymin \ nat.\ n\_nodes\_aux(t)`k\ =\ n\_nodes(t)\ \#+\ k"\isanewline
+\ \ \isacommand{by}\ (induct\_tac\ t,\ simp\_all)
+\end{isabelle}
+
+Now, we can use \isa{n\_nodes\_aux} to define a tail-recursive version
+of \isa{n\_nodes}:
+\begin{isabelle}
+\isacommand{constdefs}\isanewline
+\ \ n\_nodes\_tail\ ::\ "i\ =>\ i"\isanewline
+\ \ \ "n\_nodes\_tail(t)\ ==\ n\_nodes\_aux(t)\ `\ 0"
+\end{isabelle}
+It is easy to
+prove that \isa{n\_nodes\_tail} is equivalent to \isa{n\_nodes}:
+\begin{isabelle}
+\isacommand{lemma}\ "t\ \isasymin \ bt(A)\ ==>\ n\_nodes\_tail(t)\ =\ n\_nodes(t)"\isanewline
+\ \isacommand{by}\ (simp\ add:\ n\_nodes\_tail\_def\ n\_nodes\_aux\_eq)
+\end{isabelle}
+
+
+
+
+\index{recursion!primitive|)}
+\index{*primrec|)}
+
+
+\section{Inductive and coinductive definitions}
+\index{*inductive|(}
+\index{*coinductive|(}
+
+An {\bf inductive definition} specifies the least set~$R$ closed under given
+rules. (Applying a rule to elements of~$R$ yields a result within~$R$.) For
+example, a structural operational semantics is an inductive definition of an
+evaluation relation. Dually, a {\bf coinductive definition} specifies the
+greatest set~$R$ consistent with given rules. (Every element of~$R$ can be
+seen as arising by applying a rule to elements of~$R$.) An important example
+is using bisimulation relations to formalise equivalence of processes and
+infinite data structures.
+
+A theory file may contain any number of inductive and coinductive
+definitions. They may be intermixed with other declarations; in
+particular, the (co)inductive sets {\bf must} be declared separately as
+constants, and may have mixfix syntax or be subject to syntax translations.
+
+Each (co)inductive definition adds definitions to the theory and also
+proves some theorems. It behaves identially to the analogous
+inductive definition except that instead of an induction rule there is
+a coinduction rule. Its treatment of coinduction is described in
+detail in a separate paper,%
+\footnote{It appeared in CADE~\cite{paulson-CADE}; a longer version is
+ distributed with Isabelle as \emph{A Fixedpoint Approach to
+ (Co)Inductive and (Co)Datatype Definitions}.} %
+which you might refer to for background information.
+
+
+\subsection{The syntax of a (co)inductive definition}
+An inductive definition has the form
+\begin{ttbox}\isastyleminor
+inductive
+ domains {\it domain declarations}
+ intros {\it introduction rules}
+ monos {\it monotonicity theorems}
+ con_defs {\it constructor definitions}
+ type_intros {\it introduction rules for type-checking}
+ type_elims {\it elimination rules for type-checking}
+\end{ttbox}
+A coinductive definition is identical, but starts with the keyword
+\isa{co\-inductive}.
+
+The \isa{monos}, \isa{con\_defs}, \isa{type\_intros} and \isa{type\_elims}
+sections are optional. If present, each is specified as a list of
+theorems, which may contain Isar attributes as usual.
+
+\begin{description}
+\item[\it domain declarations] are items of the form
+ {\it string\/}~\isa{\isasymsubseteq }~{\it string}, associating each recursive set with
+ its domain. (The domain is some existing set that is large enough to
+ hold the new set being defined.)
+
+\item[\it introduction rules] specify one or more introduction rules in
+ the form {\it ident\/}~{\it string}, where the identifier gives the name of
+ the rule in the result structure.
+
+\item[\it monotonicity theorems] are required for each operator applied to
+ a recursive set in the introduction rules. There \textbf{must} be a theorem
+ of the form $A\subseteq B\Imp M(A)\subseteq M(B)$, for each premise $t\in M(R_i)$
+ in an introduction rule!
+
+\item[\it constructor definitions] contain definitions of constants
+ appearing in the introduction rules. The (co)datatype package supplies
+ the constructors' definitions here. Most (co)inductive definitions omit
+ this section; one exception is the primitive recursive functions example;
+ see theory \isa{Induct/Primrec}.
+
+\item[\it type\_intros] consists of introduction rules for type-checking the
+ definition: for demonstrating that the new set is included in its domain.
+ (The proof uses depth-first search.)
+
+\item[\it type\_elims] consists of elimination rules for type-checking the
+ definition. They are presumed to be safe and are applied as often as
+ possible prior to the \isa{type\_intros} search.
+\end{description}
+
+The package has a few restrictions:
+\begin{itemize}
+\item The theory must separately declare the recursive sets as
+ constants.
+
+\item The names of the recursive sets must be identifiers, not infix
+operators.
+
+\item Side-conditions must not be conjunctions. However, an introduction rule
+may contain any number of side-conditions.
+
+\item Side-conditions of the form $x=t$, where the variable~$x$ does not
+ occur in~$t$, will be substituted through the rule \isa{mutual\_induct}.
+\end{itemize}
+
+
+\subsection{Example of an inductive definition}
+
+Below, we shall see how Isabelle/ZF defines the finite powerset
+operator. The first step is to declare the constant~\isa{Fin}. Then we
+must declare it inductively, with two introduction rules:
+\begin{isabelle}
+\isacommand{consts}\ \ Fin\ ::\ "i=>i"\isanewline
+\isacommand{inductive}\isanewline
+\ \ \isakeyword{domains}\ \ \ "Fin(A)"\ \isasymsubseteq\ "Pow(A)"\isanewline
+\ \ \isakeyword{intros}\isanewline
+\ \ \ \ emptyI:\ \ "0\ \isasymin\ Fin(A)"\isanewline
+\ \ \ \ consI:\ \ \ "[|\ a\ \isasymin\ A;\ \ b\ \isasymin\ Fin(A)\ |]\ ==>\ cons(a,b)\ \isasymin\ Fin(A)"\isanewline
+\ \ \isakeyword{type\_intros}\ \ empty\_subsetI\ cons\_subsetI\ PowI\isanewline
+\ \ \isakeyword{type\_elims}\ \ \ PowD\ [THEN\ revcut\_rl]\end{isabelle}
+The resulting theory contains a name space, called~\isa{Fin}.
+The \isa{Fin}$~A$ introduction rules can be referred to collectively as
+\isa{Fin.intros}, and also individually as \isa{Fin.emptyI} and
+\isa{Fin.consI}. The induction rule is \isa{Fin.induct}.
+
+The chief problem with making (co)inductive definitions involves type-checking
+the rules. Sometimes, additional theorems need to be supplied under
+\isa{type_intros} or \isa{type_elims}. If the package fails when trying
+to prove your introduction rules, then set the flag \ttindexbold{trace_induct}
+to \isa{true} and try again. (See the manual \emph{A Fixedpoint Approach
+ \ldots} for more discussion of type-checking.)
+
+In the example above, $\isa{Pow}(A)$ is given as the domain of
+$\isa{Fin}(A)$, for obviously every finite subset of~$A$ is a subset
+of~$A$. However, the inductive definition package can only prove that given a
+few hints.
+Here is the output that results (with the flag set) when the
+\isa{type_intros} and \isa{type_elims} are omitted from the inductive
+definition above:
+\begin{alltt*}\isastyleminor
+Inductive definition Finite.Fin
+Fin(A) ==
+lfp(Pow(A),
+ \%X. {z\isasymin{}Pow(A) . z = 0 | ({\isasymexists}a b. z = cons(a,b) & a\isasymin{}A & b\isasymin{}X)})
+ Proving monotonicity...
+\ttbreak
+ Proving the introduction rules...
+The type-checking subgoal:
+0 \isasymin Fin(A)
+ 1. 0 \isasymin Pow(A)
+\ttbreak
+The subgoal after monos, type_elims:
+0 \isasymin Fin(A)
+ 1. 0 \isasymin Pow(A)
+*** prove_goal: tactic failed
+\end{alltt*}
+We see the need to supply theorems to let the package prove
+$\emptyset\in\isa{Pow}(A)$. Restoring the \isa{type_intros} but not the
+\isa{type_elims}, we again get an error message:
+\begin{alltt*}\isastyleminor
+The type-checking subgoal:
+0 \isasymin Fin(A)
+ 1. 0 \isasymin Pow(A)
+\ttbreak
+The subgoal after monos, type_elims:
+0 \isasymin Fin(A)
+ 1. 0 \isasymin Pow(A)
+\ttbreak
+The type-checking subgoal:
+cons(a, b) \isasymin Fin(A)
+ 1. [| a \isasymin A; b \isasymin Fin(A) |] ==> cons(a, b) \isasymin Pow(A)
+\ttbreak
+The subgoal after monos, type_elims:
+cons(a, b) \isasymin Fin(A)
+ 1. [| a \isasymin A; b \isasymin Pow(A) |] ==> cons(a, b) \isasymin Pow(A)
+*** prove_goal: tactic failed
+\end{alltt*}
+The first rule has been type-checked, but the second one has failed. The
+simplest solution to such problems is to prove the failed subgoal separately
+and to supply it under \isa{type_intros}. The solution actually used is
+to supply, under \isa{type_elims}, a rule that changes
+$b\in\isa{Pow}(A)$ to $b\subseteq A$; together with \isa{cons_subsetI}
+and \isa{PowI}, it is enough to complete the type-checking.
+
+
+
+\subsection{Further examples}
+
+An inductive definition may involve arbitrary monotonic operators. Here is a
+standard example: the accessible part of a relation. Note the use
+of~\isa{Pow} in the introduction rule and the corresponding mention of the
+rule \isa{Pow\_mono} in the \isa{monos} list. If the desired rule has a
+universally quantified premise, usually the effect can be obtained using
+\isa{Pow}.
+\begin{isabelle}
+\isacommand{consts}\ \ acc\ ::\ "i\ =>\ i"\isanewline
+\isacommand{inductive}\isanewline
+\ \ \isakeyword{domains}\ "acc(r)"\ \isasymsubseteq \ "field(r)"\isanewline
+\ \ \isakeyword{intros}\isanewline
+\ \ \ \ vimage:\ \ "[|\ r-``\isacharbraceleft a\isacharbraceright\ \isasymin\ Pow(acc(r));\ a\ \isasymin \ field(r)\ |]
+\isanewline
+\ \ \ \ \ \ \ \ \ \ \ \ \ \ ==>\ a\ \isasymin \ acc(r)"\isanewline
+\ \ \isakeyword{monos}\ \ Pow\_mono
+\end{isabelle}
+
+Finally, here are some coinductive definitions. We begin by defining
+lazy (potentially infinite) lists as a codatatype:
+\begin{isabelle}
+\isacommand{consts}\ \ llist\ \ ::\ "i=>i"\isanewline
+\isacommand{codatatype}\isanewline
+\ \ "llist(A)"\ =\ LNil\ |\ LCons\ ("a\ \isasymin \ A",\ "l\ \isasymin \ llist(A)")\isanewline
+\end{isabelle}
+
+The notion of equality on such lists is modelled as a bisimulation:
+\begin{isabelle}
+\isacommand{consts}\ \ lleq\ ::\ "i=>i"\isanewline
+\isacommand{coinductive}\isanewline
+\ \ \isakeyword{domains}\ "lleq(A)"\ <=\ "llist(A)\ *\ llist(A)"\isanewline
+\ \ \isakeyword{intros}\isanewline
+\ \ \ \ LNil:\ \ "<LNil,\ LNil>\ \isasymin \ lleq(A)"\isanewline
+\ \ \ \ LCons:\ "[|\ a\ \isasymin \ A;\ <l,l'>\ \isasymin \ lleq(A)\ |]\ \isanewline
+\ \ \ \ \ \ \ \ \ \ \ \ ==>\ <LCons(a,l),\ LCons(a,l')>\ \isasymin \ lleq(A)"\isanewline
+\ \ \isakeyword{type\_intros}\ \ llist.intros
+\end{isabelle}
+This use of \isa{type_intros} is typical: the relation concerns the
+codatatype \isa{llist}, so naturally the introduction rules for that
+codatatype will be required for type-checking the rules.
+
+The Isabelle distribution contains many other inductive definitions. Simple
+examples are collected on subdirectory \isa{ZF/Induct}. The directory
+\isa{Coind} and the theory \isa{ZF/Induct/LList} contain coinductive
+definitions. Larger examples may be found on other subdirectories of
+\isa{ZF}, such as \isa{IMP}, and \isa{Resid}.
+
+
+\subsection{Theorems generated}
+
+Each (co)inductive set defined in a theory file generates a name space
+containing the following elements:
+\begin{ttbox}\isastyleminor
+intros \textrm{the introduction rules}
+elim \textrm{the elimination (case analysis) rule}
+induct \textrm{the standard induction rule}
+mutual_induct \textrm{the mutual induction rule, if needed}
+defs \textrm{definitions of inductive sets}
+bnd_mono \textrm{monotonicity property}
+dom_subset \textrm{inclusion in `bounding set'}
+\end{ttbox}
+Furthermore, each introduction rule is available under its declared
+name. For a codatatype, the component \isa{coinduct} is the coinduction rule,
+replacing the \isa{induct} component.
+
+Recall that the \ttindex{inductive\_cases} declaration generates
+simplified instances of the case analysis rule. It is as useful for
+inductive definitions as it is for datatypes. There are many examples
+in the theory
+\isa{Induct/Comb}, which is discussed at length
+elsewhere~\cite{paulson-generic}. The theory first defines the
+datatype
+\isa{comb} of combinators:
+\begin{alltt*}\isastyleminor
+consts comb :: i
+datatype "comb" = K
+ | S
+ | "#" ("p \isasymin comb", "q \isasymin comb") (infixl 90)
+\end{alltt*}
+The theory goes on to define contraction and parallel contraction
+inductively. Then the theory \isa{Induct/Comb.thy} defines special
+cases of contraction, such as this one:
+\begin{isabelle}
+\isacommand{inductive\_cases}\ K\_contractE [elim!]:\ "K -1-> r"
+\end{isabelle}
+The theorem just created is \isa{K -1-> r \ \isasymLongrightarrow \ Q},
+which expresses that the combinator \isa{K} cannot reduce to
+anything. (From the assumption \isa{K-1->r}, we can conclude any desired
+formula \isa{Q}\@.) Similar elimination rules for \isa{S} and application are also
+generated. The attribute \isa{elim!}\ shown above supplies the generated
+theorem to the classical reasoner. This mode of working allows
+effective reasoniung about operational semantics.
+
+\index{*coinductive|)} \index{*inductive|)}
+
+
+
+\section{The outer reaches of set theory}
+
+The constructions of the natural numbers and lists use a suite of
+operators for handling recursive function definitions. I have described
+the developments in detail elsewhere~\cite{paulson-set-II}. Here is a brief
+summary:
+\begin{itemize}
+ \item Theory \isa{Trancl} defines the transitive closure of a relation
+ (as a least fixedpoint).
+
+ \item Theory \isa{WF} proves the well-founded recursion theorem, using an
+ elegant approach of Tobias Nipkow. This theorem permits general
+ recursive definitions within set theory.
+
+ \item Theory \isa{Ord} defines the notions of transitive set and ordinal
+ number. It derives transfinite induction. A key definition is {\bf
+ less than}: $i<j$ if and only if $i$ and $j$ are both ordinals and
+ $i\in j$. As a special case, it includes less than on the natural
+ numbers.
+
+ \item Theory \isa{Epsilon} derives $\varepsilon$-induction and
+ $\varepsilon$-recursion, which are generalisations of transfinite
+ induction and recursion. It also defines \cdx{rank}$(x)$, which is the
+ least ordinal $\alpha$ such that $x$ is constructed at stage $\alpha$ of
+ the cumulative hierarchy (thus $x\in V@{\alpha+1}$).
+\end{itemize}
+
+Other important theories lead to a theory of cardinal numbers. They have
+not yet been written up anywhere. Here is a summary:
+\begin{itemize}
+\item Theory \isa{Rel} defines the basic properties of relations, such as
+ reflexivity, symmetry and transitivity.
+
+\item Theory \isa{EquivClass} develops a theory of equivalence
+ classes, not using the Axiom of Choice.
+
+\item Theory \isa{Order} defines partial orderings, total orderings and
+ wellorderings.
+
+\item Theory \isa{OrderArith} defines orderings on sum and product sets.
+ These can be used to define ordinal arithmetic and have applications to
+ cardinal arithmetic.
+
+\item Theory \isa{OrderType} defines order types. Every wellordering is
+ equivalent to a unique ordinal, which is its order type.
+
+\item Theory \isa{Cardinal} defines equipollence and cardinal numbers.
+
+\item Theory \isa{CardinalArith} defines cardinal addition and
+ multiplication, and proves their elementary laws. It proves that there
+ is no greatest cardinal. It also proves a deep result, namely
+ $\kappa\otimes\kappa=\kappa$ for every infinite cardinal~$\kappa$; see
+ Kunen~\cite[page 29]{kunen80}. None of these results assume the Axiom of
+ Choice, which complicates their proofs considerably.
+\end{itemize}
+
+The following developments involve the Axiom of Choice (AC):
+\begin{itemize}
+\item Theory \isa{AC} asserts the Axiom of Choice and proves some simple
+ equivalent forms.
+
+\item Theory \isa{Zorn} proves Hausdorff's Maximal Principle, Zorn's Lemma
+ and the Wellordering Theorem, following Abrial and
+ Laffitte~\cite{abrial93}.
+
+\item Theory \isa{Cardinal\_AC} uses AC to prove simplified theorems about
+ the cardinals. It also proves a theorem needed to justify
+ infinitely branching datatype declarations: if $\kappa$ is an infinite
+ cardinal and $|X(\alpha)| \le \kappa$ for all $\alpha<\kappa$ then
+ $|\union\sb{\alpha<\kappa} X(\alpha)| \le \kappa$.
+
+\item Theory \isa{InfDatatype} proves theorems to justify infinitely
+ branching datatypes. Arbitrary index sets are allowed, provided their
+ cardinalities have an upper bound. The theory also justifies some
+ unusual cases of finite branching, involving the finite powerset operator
+ and the finite function space operator.
+\end{itemize}
+
+
+
+\section{The examples directories}
+Directory \isa{HOL/IMP} contains a mechanised version of a semantic
+equivalence proof taken from Winskel~\cite{winskel93}. It formalises the
+denotational and operational semantics of a simple while-language, then
+proves the two equivalent. It contains several datatype and inductive
+definitions, and demonstrates their use.
+
+The directory \isa{ZF/ex} contains further developments in ZF set theory.
+Here is an overview; see the files themselves for more details. I describe
+much of this material in other
+publications~\cite{paulson-set-I,paulson-set-II,paulson-fixedpt-milner}.
+\begin{itemize}
+\item File \isa{misc.ML} contains miscellaneous examples such as
+ Cantor's Theorem, the Schr\"oder-Bernstein Theorem and the `Composition
+ of homomorphisms' challenge~\cite{boyer86}.
+
+\item Theory \isa{Ramsey} proves the finite exponent 2 version of
+ Ramsey's Theorem, following Basin and Kaufmann's
+ presentation~\cite{basin91}.
+
+\item Theory \isa{Integ} develops a theory of the integers as
+ equivalence classes of pairs of natural numbers.
+
+\item Theory \isa{Primrec} develops some computation theory. It
+ inductively defines the set of primitive recursive functions and presents a
+ proof that Ackermann's function is not primitive recursive.
+
+\item Theory \isa{Primes} defines the Greatest Common Divisor of two
+ natural numbers and and the ``divides'' relation.
+
+\item Theory \isa{Bin} defines a datatype for two's complement binary
+ integers, then proves rewrite rules to perform binary arithmetic. For
+ instance, $1359\times {-}2468 = {-}3354012$ takes 0.3 seconds.
+
+\item Theory \isa{BT} defines the recursive data structure $\isa{bt}(A)$, labelled binary trees.
+
+\item Theory \isa{Term} defines a recursive data structure for terms
+ and term lists. These are simply finite branching trees.
+
+\item Theory \isa{TF} defines primitives for solving mutually
+ recursive equations over sets. It constructs sets of trees and forests
+ as an example, including induction and recursion rules that handle the
+ mutual recursion.
+
+\item Theory \isa{Prop} proves soundness and completeness of
+ propositional logic~\cite{paulson-set-II}. This illustrates datatype
+ definitions, inductive definitions, structural induction and rule
+ induction.
+
+\item Theory \isa{ListN} inductively defines the lists of $n$
+ elements~\cite{paulin-tlca}.
+
+\item Theory \isa{Acc} inductively defines the accessible part of a
+ relation~\cite{paulin-tlca}.
+
+\item Theory \isa{Comb} defines the datatype of combinators and
+ inductively defines contraction and parallel contraction. It goes on to
+ prove the Church-Rosser Theorem. This case study follows Camilleri and
+ Melham~\cite{camilleri92}.
+
+\item Theory \isa{LList} defines lazy lists and a coinduction
+ principle for proving equations between them.
+\end{itemize}
+
+
+\section{A proof about powersets}\label{sec:ZF-pow-example}
+To demonstrate high-level reasoning about subsets, let us prove the
+equation ${\isa{Pow}(A)\cap \isa{Pow}(B)}= \isa{Pow}(A\cap B)$. Compared
+with first-order logic, set theory involves a maze of rules, and theorems
+have many different proofs. Attempting other proofs of the theorem might
+be instructive. This proof exploits the lattice properties of
+intersection. It also uses the monotonicity of the powerset operation,
+from \isa{ZF/mono.ML}:
+\begin{isabelle}
+\tdx{Pow_mono}: A \isasymsubseteq B ==> Pow(A) \isasymsubseteq Pow(B)
+\end{isabelle}
+We enter the goal and make the first step, which breaks the equation into
+two inclusions by extensionality:\index{*equalityI theorem}
+\begin{isabelle}
+\isacommand{lemma}\ "Pow(A\ Int\ B)\ =\ Pow(A)\ Int\ Pow(B)"\isanewline
+\ 1.\ Pow(A\ \isasyminter \ B)\ =\ Pow(A)\ \isasyminter \ Pow(B)\isanewline
+\isacommand{apply}\ (rule\ equalityI)\isanewline
+\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(A)\ \isasyminter \ Pow(B)\isanewline
+\ 2.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
+\end{isabelle}
+Both inclusions could be tackled straightforwardly using \isa{subsetI}.
+A shorter proof results from noting that intersection forms the greatest
+lower bound:\index{*Int_greatest theorem}
+\begin{isabelle}
+\isacommand{apply}\ (rule\ Int\_greatest)\isanewline
+\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(A)\isanewline
+\ 2.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(B)\isanewline
+\ 3.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
+\end{isabelle}
+Subgoal~1 follows by applying the monotonicity of \isa{Pow} to $A\int
+B\subseteq A$; subgoal~2 follows similarly:
+\index{*Int_lower1 theorem}\index{*Int_lower2 theorem}
+\begin{isabelle}
+\isacommand{apply}\ (rule\ Int\_lower1\ [THEN\ Pow\_mono])\isanewline
+\ 1.\ Pow(A\ \isasyminter \ B)\ \isasymsubseteq \ Pow(B)\isanewline
+\ 2.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
+\isanewline
+\isacommand{apply}\ (rule\ Int\_lower2\ [THEN\ Pow\_mono])\isanewline
+\ 1.\ Pow(A)\ \isasyminter \ Pow(B)\ \isasymsubseteq \ Pow(A\ \isasyminter \ B)
+\end{isabelle}
+We are left with the opposite inclusion, which we tackle in the
+straightforward way:\index{*subsetI theorem}
+\begin{isabelle}
+\isacommand{apply}\ (rule\ subsetI)\isanewline
+\ 1.\ \isasymAnd x.\ x\ \isasymin \ Pow(A)\ \isasyminter \ Pow(B)\ \isasymLongrightarrow \ x\ \isasymin \ Pow(A\ \isasyminter \ B)
+\end{isabelle}
+The subgoal is to show $x\in \isa{Pow}(A\cap B)$ assuming $x\in\isa{Pow}(A)\cap \isa{Pow}(B)$; eliminating this assumption produces two
+subgoals. The rule \tdx{IntE} treats the intersection like a conjunction
+instead of unfolding its definition.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ IntE)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymin \ Pow(A);\ x\ \isasymin \ Pow(B)\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ Pow(A\ \isasyminter \ B)
+\end{isabelle}
+The next step replaces the \isa{Pow} by the subset
+relation~($\subseteq$).\index{*PowI theorem}
+\begin{isabelle}
+\isacommand{apply}\ (rule\ PowI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymin \ Pow(A);\ x\ \isasymin \ Pow(B)\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\ \isasyminter \ B%
+\end{isabelle}
+We perform the same replacement in the assumptions. This is a good
+demonstration of the tactic \ttindex{drule}:\index{*PowD theorem}
+\begin{isabelle}
+\isacommand{apply}\ (drule\ PowD)+\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\ \isasyminter \ B%
+\end{isabelle}
+The assumptions are that $x$ is a lower bound of both $A$ and~$B$, but
+$A\int B$ is the greatest lower bound:\index{*Int_greatest theorem}
+\begin{isabelle}
+\isacommand{apply}\ (rule\ Int\_greatest)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ A\isanewline
+\ 2.\ \isasymAnd x.\ \isasymlbrakk x\ \isasymsubseteq \ A;\ x\ \isasymsubseteq \ B\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymsubseteq \ B%
+\end{isabelle}
+To conclude the proof, we clear up the trivial subgoals:
+\begin{isabelle}
+\isacommand{apply}\ (assumption+)\isanewline
+\isacommand{done}%
+\end{isabelle}
+
+We could have performed this proof instantly by calling
+\ttindex{blast}:
+\begin{isabelle}
+\isacommand{lemma}\ "Pow(A\ Int\ B)\ =\ Pow(A)\ Int\ Pow(B)"\isanewline
+\isacommand{by}
+\end{isabelle}
+Past researchers regarded this as a difficult proof, as indeed it is if all
+the symbols are replaced by their definitions.
+\goodbreak
+
+\section{Monotonicity of the union operator}
+For another example, we prove that general union is monotonic:
+${C\subseteq D}$ implies $\bigcup(C)\subseteq \bigcup(D)$. To begin, we
+tackle the inclusion using \tdx{subsetI}:
+\begin{isabelle}
+\isacommand{lemma}\ "C\isasymsubseteq D\ ==>\ Union(C)\
+\isasymsubseteq \ Union(D)"\isanewline
+\isacommand{apply}\ (rule\ subsetI)\isanewline
+\ 1.\ \isasymAnd x.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ \isasymUnion C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ \isasymUnion D%
+\end{isabelle}
+Big union is like an existential quantifier --- the occurrence in the
+assumptions must be eliminated early, since it creates parameters.
+\index{*UnionE theorem}
+\begin{isabelle}
+\isacommand{apply}\ (erule\ UnionE)\isanewline
+\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ \isasymUnion D%
+\end{isabelle}
+Now we may apply \tdx{UnionI}, which creates an unknown involving the
+parameters. To show \isa{x\ \isasymin \ \isasymUnion D} it suffices to show that~\isa{x} belongs
+to some element, say~\isa{?B2(x,B)}, of~\isa{D}\@.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ UnionI)\isanewline
+\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ ?B2(x,\ B)\ \isasymin \ D\isanewline
+\ 2.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ ?B2(x,\ B)
+\end{isabelle}
+Combining the rule \tdx{subsetD} with the assumption \isa{C\ \isasymsubseteq \ D} yields
+$\Var{a}\in C \Imp \Var{a}\in D$, which reduces subgoal~1. Note that
+\isa{erule} removes the subset assumption.
+\begin{isabelle}
+\isacommand{apply}\ (erule\ subsetD)\isanewline
+\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ ?B2(x,\ B)\ \isasymin \ C\isanewline
+\ 2.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ ?B2(x,\ B)
+\end{isabelle}
+The rest is routine. Observe how the first call to \isa{assumption}
+instantiates \isa{?B2(x,B)} to~\isa{B}\@.
+\begin{isabelle}
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymAnd x\ B.\ \isasymlbrakk C\ \isasymsubseteq \ D;\ x\ \isasymin \ B;\ B\ \isasymin \ C\isasymrbrakk \ \isasymLongrightarrow \ x\ \isasymin \ B%
+\isanewline
+\isacommand{apply}\ assumption\ \isanewline
+No\ subgoals!\isanewline
+\isacommand{done}%
+\end{isabelle}
+Again, \isa{blast} can prove this theorem in one step.
+
+The theory \isa{ZF/equalities.thy} has many similar proofs. Reasoning about
+general intersection can be difficult because of its anomalous behaviour on
+the empty set. However, \isa{blast} copes well with these. Here is
+a typical example, borrowed from Devlin~\cite[page 12]{devlin79}:
+\[ a\in C \,\Imp\, \inter@{x\in C} \Bigl(A(x) \int B(x)\Bigr) =
+ \Bigl(\inter@{x\in C} A(x)\Bigr) \int
+ \Bigl(\inter@{x\in C} B(x)\Bigr) \]
+
+\section{Low-level reasoning about functions}
+The derived rules \isa{lamI}, \isa{lamE}, \isa{lam_type}, \isa{beta}
+and \isa{eta} support reasoning about functions in a
+$\lambda$-calculus style. This is generally easier than regarding
+functions as sets of ordered pairs. But sometimes we must look at the
+underlying representation, as in the following proof
+of~\tdx{fun_disjoint_apply1}. This states that if $f$ and~$g$ are
+functions with disjoint domains~$A$ and~$C$, and if $a\in A$, then
+$(f\un g)`a = f`a$:
+\begin{isabelle}
+\isacommand{lemma}\ "[|\ a\ \isasymin \ A;\ \ f\ \isasymin \ A->B;\ \ g\ \isasymin \ C->D;\ \ A\ \isasyminter \ C\ =\ 0\ |]
+\isanewline
+\ \ \ \ \ \ \ \ ==>\ (f\ \isasymunion \ g)`a\ =\ f`a"
+\end{isabelle}
+Using \tdx{apply_equality}, we reduce the equality to reasoning about
+ordered pairs. The second subgoal is to verify that \isa{f\ \isasymunion \ g} is a function, since
+\isa{Pi(?A,?B)} denotes a dependent function space.
+\begin{isabelle}
+\isacommand{apply}\ (rule\ apply\_equality)\isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ \isasymlangle a,\ f\ `\ a\isasymrangle \ \isasymin \ f\ \isasymunion \ g\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
+\end{isabelle}
+We must show that the pair belongs to~$f$ or~$g$; by~\tdx{UnI1} we
+choose~$f$:
+\begin{isabelle}
+\isacommand{apply}\ (rule\ UnI1)\isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ \isasymlangle a,\ f\ `\ a\isasymrangle \ \isasymin \ f\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
+\end{isabelle}
+To show $\pair{a,f`a}\in f$ we use \tdx{apply_Pair}, which is
+essentially the converse of \tdx{apply_equality}:
+\begin{isabelle}
+\isacommand{apply}\ (rule\ apply\_Pair)\isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ f\ \isasymin \ Pi(?A2,?B2)\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ a\ \isasymin \ ?A2\isanewline
+\ 3.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 3.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
+\end{isabelle}
+Using the assumptions $f\in A\to B$ and $a\in A$, we solve the two subgoals
+from \tdx{apply_Pair}. Recall that a $\Pi$-set is merely a generalized
+function space, and observe that~{\tt?A2} gets instantiated to~\isa{A}.
+\begin{isabelle}
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ a\ \isasymin \ A\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 2.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
+\isanewline
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \isanewline
+\isaindent{\ 1.\ }\isasymLongrightarrow \ f\ \isasymunion \ g\ \isasymin \ Pi(?A,\ ?B)
+\end{isabelle}
+To construct functions of the form $f\un g$, we apply
+\tdx{fun_disjoint_Un}:
+\begin{isabelle}
+\isacommand{apply}\ (rule\ fun\_disjoint\_Un)\isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ f\ \isasymin \ ?A3\ \isasymrightarrow \ ?B3\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ g\ \isasymin \ ?C3\ \isasymrightarrow \ ?D3\isanewline
+\ 3.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ ?A3\ \isasyminter \ ?C3\ =\ 0
+\end{isabelle}
+The remaining subgoals are instances of the assumptions. Again, observe how
+unknowns become instantiated:
+\begin{isabelle}
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ g\ \isasymin \ ?C3\ \isasymrightarrow \ ?D3\isanewline
+\ 2.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ A\ \isasyminter \ ?C3\ =\ 0
+\isanewline
+\isacommand{apply}\ assumption\ \isanewline
+\ 1.\ \isasymlbrakk a\ \isasymin \ A;\ f\ \isasymin \ A\ \isasymrightarrow \ B;\ g\ \isasymin \ C\ \isasymrightarrow \ D;\ A\ \isasyminter \ C\ =\ 0\isasymrbrakk \ \isasymLongrightarrow \ A\ \isasyminter \ C\ =\ 0
+\isanewline
+\isacommand{apply}\ assumption\ \isanewline
+No\ subgoals!\isanewline
+\isacommand{done}
+\end{isabelle}
+See the theories \isa{ZF/func.thy} and \isa{ZF/WF.thy} for more
+examples of reasoning about functions.
+
+\index{set theory|)}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/document/build Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+VARIANT="$2"
+
+"$ISABELLE_TOOL" logo -o isabelle_zf.pdf "ZF"
+"$ISABELLE_TOOL" logo -o isabelle_zf.eps "ZF"
+
+cp "$ISABELLE_HOME/src/Doc/isar.sty" .
+cp "$ISABELLE_HOME/src/Doc/ttbox.sty" .
+cp "$ISABELLE_HOME/src/Doc/proof.sty" .
+cp "$ISABELLE_HOME/src/Doc/manual.bib" .
+cp "$ISABELLE_HOME/src/Doc/Logics/document/syntax.tex" .
+
+"$ISABELLE_HOME/src/Doc/prepare_document" "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/document/logics.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,1 @@
+% logics.sty : Logics Manuals Page Layout
%
\typeout{Document Style logics. Released 18 August 2003}
\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
\hyphenation{data-type data-types co-data-type co-data-types }
%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
%%%INDEXING use isa-index to process the index
\newcommand\seealso[2]{\emph{see also} #1}
\usepackage{makeidx}
%index, putting page numbers of definitions in boldface
\def\bold#1{\textbf{#1}}
\newcommand\fnote[1]{#1n}
\newcommand\indexbold[1]{\index{#1|bold}}
% The alternative to \protect\isa in the indexing macros is
% \noexpand\noexpand \noexpand\isa
% need TWO levels of \noexpand to delay the expansion of \isa:
% the \noexpand\noexpand will leave one \noexpand, to be given to the
% (still unexpanded) \isa token. See TeX by Topic, page 122.
%%%% for indexing constants, symbols, theorems, ...
\newcommand\cdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (constant)}}
\newcommand\sdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (symbol)}}
\newcommand\tdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)}}
\newcommand\tdxbold[1]{\isa{#1}\index{#1@\protect\isa{#1} (theorem)|bold}}
\newcommand\cldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (class)}}
\newcommand\tydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (type)}}
\newcommand\thydx[1]{\isa{#1}\index{#1@\protect\isa{#1} (theory)}}
\newcommand\attrdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (attribute)}}
\newcommand\cmmdx[1]{\index{#1@\protect\isacommand{#1} (command)}}
\newcommand\commdx[1]{\isacommand{#1}\index{#1@\protect\isacommand{#1} (command)}}
\newcommand\methdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (method)}}
\newcommand\tooldx[1]{\isa{#1}\index{#1@\protect\isa{#1} (tool)}}
\newcommand\settdx[1]{\isa{#1}\index{#1@\protect\isa{#1} (setting)}}
%set argument in \bf font and index in ROMAN font (for definitions in text!)
\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
\newcommand\rmindex[1]{{#1}\index{#1}\@}
\newcommand\ttindex[1]{\texttt{#1}\index{#1@\texttt{#1}}\@}
\newcommand\ttindexbold[1]{\texttt{#1}\index{#1@\texttt{#1}|bold}\@}
\newcommand{\indexboldpos}[2]{#1\@}
\newcommand{\ttindexboldpos}[2]{\isa{#1}\@}
%\newtheorem{theorem}{Theorem}[section]
\newtheorem{Exercise}{Exercise}[section]
\newenvironment{exercise}{\begin{Exercise}\rm}{\end{Exercise}}
\newcommand{\ttlbr}{\texttt{[|}}
\newcommand{\ttrbr}{\texttt{|]}}
\newcommand{\ttor}{\texttt{|}}
\newcommand{\ttall}{\texttt{!}}
\newcommand{\ttuniquex}{\texttt{?!}}
\newcommand{\ttEXU}{\texttt{EX!}}
\newcommand{\ttAnd}{\texttt{!!}}
\newcommand{\isasymignore}{}
\newcommand{\isasymimp}{\isasymlongrightarrow}
\newcommand{\isasymImp}{\isasymLongrightarrow}
\newcommand{\isasymFun}{\isasymRightarrow}
\newcommand{\isasymuniqex}{\isamath{\exists!\,}}
\renewcommand{\S}{Sect.\ts}
\renewenvironment{isamarkuptxt}{\begin{isamarkuptext}}{\end{isamarkuptext}}
\newif\ifremarks
\newcommand{\REMARK}[1]{\ifremarks\marginpar{\raggedright\footnotesize#1}\fi}
%names of Isabelle rules
\newcommand{\rulename}[1]{\hfill(#1)}
\newcommand{\rulenamedx}[1]{\hfill(#1\index{#1@\protect\isa{#1} (theorem)|bold})}
%%%% meta-logical connectives
\let\Forall=\bigwedge
\let\Imp=\Longrightarrow
\let\To=\Rightarrow
\newcommand{\Var}[1]{{?\!#1}}
%%% underscores as ordinary characters, not for subscripting
%% use @ or \sb for subscripting; use \at for @
%% only works in \tt font
%% must not make _ an active char; would make \ttindex fail!
\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
\gdef\underscoreon{\catcode`\_=8\makeatother}
\chardef\other=12
\chardef\at=`\@
% alternative underscore
\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
%%%% ``WARNING'' environment
\def\dbend{\vtop to 0pt{\vss\hbox{\Huge\bf!}\vss}}
\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
\small %%WAS\baselineskip=0.9\baselineskip
\noindent \hangindent\parindent \hangafter=-2
\hbox to0pt{\hskip-\hangindent\dbend\hfill}\ignorespaces}%
{\par\endgroup\medbreak}
%%%% Standard logical symbols
\let\turn=\vdash
\let\conj=\wedge
\let\disj=\vee
\let\imp=\rightarrow
\let\bimp=\leftrightarrow
\newcommand\all[1]{\forall#1.} %quantification
\newcommand\ex[1]{\exists#1.}
\newcommand{\pair}[1]{\langle#1\rangle}
\newcommand{\lparr}{\mathopen{(\!|}}
\newcommand{\rparr}{\mathclose{|\!)}}
\newcommand{\fs}{\mathpunct{,\,}}
\newcommand{\ty}{\mathrel{::}}
\newcommand{\asn}{\mathrel{:=}}
\newcommand{\more}{\ldots}
\newcommand{\record}[1]{\lparr #1 \rparr}
\newcommand{\dtt}{\mathord.}
\newcommand\lbrakk{\mathopen{[\![}}
\newcommand\rbrakk{\mathclose{]\!]}}
\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
\newcommand{\Text}[1]{\mbox{#1}}
\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
\newcommand{\dsh}{\mathit{\dshsym}}
\let\int=\cap
\let\un=\cup
\let\inter=\bigcap
\let\union=\bigcup
\def\ML{{\sc ml}}
\def\AST{{\sc ast}}
%macros to change the treatment of symbols
\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
%redefinition of \sloppy and \fussy to use \emergencystretch
\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
%non-bf version of description
\def\descrlabel#1{\hspace\labelsep #1}
\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
\let\enddescr\endlist
% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
% generate text italic rather than math italic by default. This makes
% multi-letter identifiers look better. The mathcode for character c
% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
%
\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
\loop \global\mathcode\count0=\count1 \ifnum \count0<#2
\advance\count0 by1 \advance\count1 by1 \repeat}}
\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
%%% \dquotes permits usage of "..." for \hbox{...}
%%% also taken from under.sty
{\catcode`\"=\active
\gdef\dquotes{\catcode`\"=\active \let"=\@mathText}%
\gdef\@mathText#1"{\hbox{\mathTextFont #1\/}}}
\def\mathTextFont{\frenchspacing\tt}
\def\dquotesoff{\catcode`\"=\other}
\ No newline at end of file
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ZF/document/root.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,91 @@
+\documentclass[11pt,a4paper]{report}
+\usepackage{isabelle,isabellesym,railsetup}
+\usepackage{graphicx,logics,ttbox,proof,latexsym}
+\usepackage{isar}
+
+\usepackage{pdfsetup}
+%last package!
+
+\remarkstrue
+
+%%% to index derived rls: ^\([a-zA-Z0-9][a-zA-Z0-9_]*\) \\tdx{\1}
+%%% to index rulenames: ^ *(\([a-zA-Z0-9][a-zA-Z0-9_]*\), \\tdx{\1}
+%%% to index constants: \\tt \([a-zA-Z0-9][a-zA-Z0-9_]*\) \\cdx{\1}
+%%% to deverbify: \\verb|\([^|]*\)| \\ttindex{\1}
+
+\title{\includegraphics[scale=0.5]{isabelle_zf} \\[4ex]
+ Isabelle's Logics: FOL and ZF}
+
+\author{{\em Lawrence C. Paulson}\\
+ Computer Laboratory \\ University of Cambridge \\
+ \texttt{lcp@cl.cam.ac.uk}\\[3ex]
+ With Contributions by Tobias Nipkow and Markus Wenzel}
+
+\newcommand\subcaption[1]{\par {\centering\normalsize\sc#1\par}\bigskip
+ \hrule\bigskip}
+\newenvironment{constants}{\begin{center}\small\begin{tabular}{rrrr}}{\end{tabular}\end{center}}
+
+\let\ts=\thinspace
+
+\makeindex
+
+\underscoreoff
+
+\setcounter{secnumdepth}{2} \setcounter{tocdepth}{2} %% {secnumdepth}{2}???
+
+\pagestyle{headings}
+\sloppy
+\binperiod %%%treat . like a binary operator
+
+
+\isadroptag{theory}
+
+\railtermfont{\isabellestyle{tt}}
+\railnontermfont{\isabellestyle{literal}}
+\railnamefont{\isabellestyle{literal}}
+
+
+\begin{document}
+\maketitle
+
+\begin{abstract}
+This manual describes Isabelle's formalizations of many-sorted first-order
+logic (\texttt{FOL}) and Zermelo-Fraenkel set theory (\texttt{ZF}). See the
+\emph{Reference Manual} for general Isabelle commands, and \emph{Introduction
+ to Isabelle} for an overall tutorial.
+
+This manual is part of the earlier Isabelle documentation,
+which is somewhat superseded by the Isabelle/HOL
+\emph{Tutorial}~\cite{isa-tutorial}. However, the present document is the
+only available documentation for Isabelle's versions of first-order logic
+and set theory. Much of it is concerned with
+the primitives for conducting proofs
+using the ML top level. It has been rewritten to use the Isar proof
+language, but evidence of the old \ML{} orientation remains.
+\end{abstract}
+
+
+\subsubsection*{Acknowledgements}
+Markus Wenzel made numerous improvements.
+ Philippe de Groote contributed to~ZF. Philippe No\"el and
+ Martin Coen made many contributions to~ZF. The research has
+ been funded by the EPSRC (grants GR/G53279, GR/H40570, GR/K57381,
+ GR/K77051, GR/M75440) and by ESPRIT (projects 3245:
+ Logical Frameworks, and 6453: Types) and by the DFG Schwerpunktprogramm
+ \emph{Deduktion}.
+
+\pagenumbering{roman} \tableofcontents \cleardoublepage
+\pagenumbering{arabic}
+\setcounter{page}{1}
+\input{syntax}
+\input{FOL}
+\input{ZF}
+
+\isabellestyle{literal}
+\input{ZF_Isar}
+\isabellestyle{tt}
+
+\bibliographystyle{plain}
+\bibliography{manual}
+\printindex
+\end{document}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/antiquote_setup.ML Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,227 @@
+(* Title: Doc/antiquote_setup.ML
+ Author: Makarius
+
+Auxiliary antiquotations for the Isabelle manuals.
+*)
+
+signature ANTIQUOTE_SETUP =
+sig
+ val setup: theory -> theory
+end;
+
+structure Antiquote_Setup: ANTIQUOTE_SETUP =
+struct
+
+(* misc utils *)
+
+fun translate f = Symbol.explode #> map f #> implode;
+
+val clean_string = translate
+ (fn "_" => "\\_"
+ | "#" => "\\#"
+ | "<" => "$<$"
+ | ">" => "$>$"
+ | "{" => "\\{"
+ | "|" => "$\\mid$"
+ | "}" => "\\}"
+ | "\<hyphen>" => "-"
+ | c => c);
+
+fun clean_name "\<dots>" = "dots"
+ | clean_name ".." = "ddot"
+ | clean_name "." = "dot"
+ | clean_name "_" = "underscore"
+ | clean_name "{" = "braceleft"
+ | clean_name "}" = "braceright"
+ | clean_name s = s |> translate (fn "_" => "-" | "\<hyphen>" => "-" | c => c);
+
+
+(* verbatim text *)
+
+val verbatim = space_implode "\\verb,|," o map (enclose "\\verb|" "|") o space_explode "|";
+
+val verbatim_setup =
+ Thy_Output.antiquotation @{binding verbatim} (Scan.lift Args.name)
+ (K (split_lines #> map verbatim #> space_implode "\\isasep\\isanewline%\n"));
+
+
+(* ML text *)
+
+local
+
+fun ml_val (txt1, "") = "fn _ => (" ^ txt1 ^ ");"
+ | ml_val (txt1, txt2) = "fn _ => (" ^ txt1 ^ " : " ^ txt2 ^ ");";
+
+fun ml_op (txt1, "") = "fn _ => (op " ^ txt1 ^ ");"
+ | ml_op (txt1, txt2) = "fn _ => (op " ^ txt1 ^ " : " ^ txt2 ^ ");";
+
+fun ml_type (txt1, "") = "val _ = NONE : (" ^ txt1 ^ ") option;"
+ | ml_type (txt1, txt2) = "val _ = [NONE : (" ^ txt1 ^ ") option, NONE : (" ^ txt2 ^ ") option];";
+
+fun ml_exn (txt1, "") = "fn _ => (" ^ txt1 ^ " : exn);"
+ | ml_exn (txt1, txt2) = "fn _ => (" ^ txt1 ^ " : " ^ txt2 ^ " -> exn);";
+
+fun ml_structure (txt, _) = "functor XXX() = struct structure XX = " ^ txt ^ " end;";
+
+fun ml_functor (txt, _) = "ML_Env.check_functor " ^ ML_Syntax.print_string txt;
+
+val is_name = ML_Lex.kind_of #> (fn kind => kind = ML_Lex.Ident orelse kind = ML_Lex.LongIdent);
+
+fun ml_name txt =
+ (case filter is_name (ML_Lex.tokenize txt) of
+ toks as [_] => ML_Lex.flatten toks
+ | _ => error ("Single ML name expected in input: " ^ quote txt));
+
+fun index_ml name kind ml = Thy_Output.antiquotation name
+ (Scan.lift (Args.name -- Scan.optional (Args.colon |-- Args.name) ""))
+ (fn {context = ctxt, ...} => fn (txt1, txt2) =>
+ let
+ val txt =
+ if txt2 = "" then txt1
+ else if kind = "type" then txt1 ^ " = " ^ txt2
+ else if kind = "exception" then txt1 ^ " of " ^ txt2
+ else if Lexicon.is_identifier (Long_Name.base_name (ml_name txt1))
+ then txt1 ^ ": " ^ txt2
+ else txt1 ^ " : " ^ txt2;
+ val txt' = if kind = "" then txt else kind ^ " " ^ txt;
+ val _ = ML_Context.eval_text_in (SOME ctxt) false Position.none (ml (txt1, txt2)); (* ML_Lex.read (!?) *)
+ val kind' = if kind = "" then "ML" else "ML " ^ kind;
+ in
+ "\\indexdef{}{" ^ kind' ^ "}{" ^ clean_string (ml_name txt1) ^ "}" ^
+ (txt'
+ |> (if Config.get ctxt Thy_Output.quotes then quote else I)
+ |> (if Config.get ctxt Thy_Output.display then enclose "\\begin{verbatim}\n" "\n\\end{verbatim}"
+ else split_lines #> map verbatim #> space_implode "\\isasep\\isanewline%\n"))
+ end);
+
+in
+
+val index_ml_setup =
+ index_ml @{binding index_ML} "" ml_val #>
+ index_ml @{binding index_ML_op} "infix" ml_op #>
+ index_ml @{binding index_ML_type} "type" ml_type #>
+ index_ml @{binding index_ML_exn} "exception" ml_exn #>
+ index_ml @{binding index_ML_structure} "structure" ml_structure #>
+ index_ml @{binding index_ML_functor} "functor" ml_functor;
+
+end;
+
+
+(* named theorems *)
+
+val named_thms_setup =
+ Thy_Output.antiquotation @{binding named_thms}
+ (Scan.repeat (Attrib.thm -- Scan.lift (Args.parens Args.name)))
+ (fn {context = ctxt, ...} =>
+ map (apfst (Thy_Output.pretty_thm ctxt))
+ #> (if Config.get ctxt Thy_Output.quotes then map (apfst Pretty.quote) else I)
+ #> (if Config.get ctxt Thy_Output.display
+ then
+ map (fn (p, name) =>
+ Output.output (Pretty.string_of (Pretty.indent (Config.get ctxt Thy_Output.indent) p)) ^
+ "\\rulename{" ^ Output.output (Pretty.str_of (Thy_Output.pretty_text ctxt name)) ^ "}")
+ #> space_implode "\\par\\smallskip%\n"
+ #> enclose "\\begin{isabelle}%\n" "%\n\\end{isabelle}"
+ else
+ map (fn (p, name) =>
+ Output.output (Pretty.str_of p) ^
+ "\\rulename{" ^ Output.output (Pretty.str_of (Thy_Output.pretty_text ctxt name)) ^ "}")
+ #> space_implode "\\par\\smallskip%\n"
+ #> enclose "\\isa{" "}"));
+
+
+(* theory file *)
+
+val thy_file_setup =
+ Thy_Output.antiquotation @{binding thy_file} (Scan.lift Args.name)
+ (fn {context = ctxt, ...} =>
+ fn name => (Thy_Load.check_thy Path.current name; Thy_Output.output ctxt [Pretty.str name]));
+
+
+(* Isabelle/Isar entities (with index) *)
+
+local
+
+fun no_check _ _ = true;
+
+fun thy_check intern defined ctxt =
+ let val thy = Proof_Context.theory_of ctxt
+ in defined thy o intern thy end;
+
+fun check_tool name =
+ let val tool_dirs = map Path.explode ["~~/lib/Tools", "~~/src/Tools/jEdit/lib/Tools"]
+ in exists (fn dir => File.exists (Path.append dir (Path.basic name))) tool_dirs end;
+
+val arg = enclose "{" "}" o clean_string;
+
+fun entity check markup kind index =
+ Thy_Output.antiquotation
+ (Binding.name (translate (fn " " => "_" | c => c) kind ^
+ (case index of NONE => "" | SOME true => "_def" | SOME false => "_ref")))
+ (Scan.lift (Scan.optional (Args.parens Args.name) "" -- Args.name))
+ (fn {context = ctxt, ...} => fn (logic, name) =>
+ let
+ val hyper_name =
+ "{" ^ Long_Name.append kind (Long_Name.append logic (clean_name name)) ^ "}";
+ val hyper =
+ enclose ("\\hyperlink" ^ hyper_name ^ "{") "}" #>
+ index = SOME true ? enclose ("\\hypertarget" ^ hyper_name ^ "{") "}";
+ val idx =
+ (case index of
+ NONE => ""
+ | SOME is_def =>
+ "\\index" ^ (if is_def then "def" else "ref") ^ arg logic ^ arg kind ^ arg name);
+ in
+ if check ctxt name then
+ idx ^
+ (Output.output name
+ |> (if markup = "" then I else enclose ("\\" ^ markup ^ "{") "}")
+ |> (if Config.get ctxt Thy_Output.quotes then quote else I)
+ |> (if Config.get ctxt Thy_Output.display
+ then enclose "\\begin{isabelle}%\n" "%\n\\end{isabelle}"
+ else hyper o enclose "\\mbox{\\isa{" "}}"))
+ else error ("Bad " ^ kind ^ " " ^ quote name)
+ end);
+
+fun entity_antiqs check markup kind =
+ entity check markup kind NONE #>
+ entity check markup kind (SOME true) #>
+ entity check markup kind (SOME false);
+
+in
+
+val entity_setup =
+ entity_antiqs no_check "" "syntax" #>
+ entity_antiqs (K (is_some o Keyword.command_keyword)) "isacommand" "command" #>
+ entity_antiqs (K Keyword.is_keyword) "isakeyword" "keyword" #>
+ entity_antiqs (K Keyword.is_keyword) "isakeyword" "element" #>
+ entity_antiqs (thy_check Method.intern Method.defined) "" "method" #>
+ entity_antiqs (thy_check Attrib.intern Attrib.defined) "" "attribute" #>
+ entity_antiqs no_check "" "fact" #>
+ entity_antiqs no_check "" "variable" #>
+ entity_antiqs no_check "" "case" #>
+ entity_antiqs (thy_check Thy_Output.intern_command Thy_Output.defined_command)
+ "" "antiquotation" #>
+ entity_antiqs (thy_check Thy_Output.intern_option Thy_Output.defined_option)
+ "" "antiquotation option" #>
+ entity_antiqs no_check "isatt" "setting" #>
+ entity_antiqs no_check "isatt" "system option" #>
+ entity_antiqs no_check "" "inference" #>
+ entity_antiqs no_check "isatt" "executable" #>
+ entity_antiqs (K check_tool) "isatool" "tool" #>
+ entity_antiqs (thy_check ML_Context.intern_antiq ML_Context.defined_antiq)
+ "" Isabelle_Markup.ML_antiquotationN;
+
+end;
+
+
+(* theory setup *)
+
+val setup =
+ verbatim_setup #>
+ index_ml_setup #>
+ named_thms_setup #>
+ thy_file_setup #>
+ entity_setup;
+
+end;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/extra.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,25 @@
+% extra.sty : Isabelle Manual extra macros for non-Springer version
+%
+\typeout{Document Style extra. Released 17/2/94, version of 22/8/00}
+
+%%Euro-style date: 20 September 1955
+\def\today{\number\day\space\ifcase\month\or
+January\or February\or March\or April\or May\or June\or
+July\or August\or September\or October\or November\or December\fi
+\space\number\year}
+
+%%%Put first chapter on odd page, with arabic numbering; like \cleardoublepage
+\newcommand\clearfirst{\clearpage\ifodd\c@page\else
+ \hbox{}\newpage\if@twocolumn\hbox{}\newpage\fi\fi
+ \pagenumbering{arabic}}
+
+%%%Ruled chapter headings
+\def\@rulehead#1{\hrule height1pt \vskip 14pt \Huge \bf
+ #1 \vskip 14pt\hrule height1pt}
+\def\@makechapterhead#1{ { \parindent 0pt
+ \ifnum\c@secnumdepth >\m@ne \raggedleft\large\bf\@chapapp{} \thechapter \par
+ \vskip 20pt \fi \raggedright \@rulehead{#1} \par \nobreak \vskip 40pt } }
+
+\def\@makeschapterhead#1{ { \parindent 0pt \raggedright
+ \@rulehead{#1} \par \nobreak \vskip 40pt } }
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/fixbookmarks Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+perl -pi -e 's/\\([a-zA-Z]+)\s*/$1/g; s/\$//g; s/^BOOKMARK/\\BOOKMARK/g;' "$@"
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/iman.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,153 @@
+% iman.sty : Isabelle Manual Page Layout
+%
+\typeout{Document Style iman. Released 17 February 1994}
+
+\hyphenation{Isa-belle man-u-script man-u-scripts ap-pen-dix mut-u-al-ly}
+\hyphenation{data-type data-types co-data-type co-data-types }
+
+\let\ts=\thinspace
+
+%usage: \iflabelundefined{LABEL}{if not defined}{if defined}
+\newcommand{\iflabelundefined}[1]{\@ifundefined{r@#1}}
+
+
+%%%INDEXING use sedindex to process the index
+
+\newcommand\seealso[2]{\emph{see also} #1}
+\usepackage{makeidx}
+
+%index, putting page numbers of definitions in boldface
+\def\bold#1{\textbf{#1}}
+\newcommand\fnote[1]{#1n}
+\newcommand\indexbold[1]{\index{#1|bold}}
+
+%for indexing constants, symbols, theorems, ...
+\newcommand\cdx[1]{{\tt#1}\index{#1@{\tt#1} constant}}
+\newcommand\sdx[1]{{\tt#1}\index{#1@{\tt#1} symbol}}
+
+\newcommand\tdx[1]{{\tt#1}\index{#1@{\tt#1} theorem}}
+\newcommand\tdxbold[1]{{\tt#1}\index{#1@{\tt#1} theorem|bold}}
+
+\newcommand\mltydx[1]{{\tt#1}\index{#1@{\tt#1} ML type}}
+\newcommand\xdx[1]{{\tt#1}\index{#1@{\tt#1} exception}}
+
+\newcommand\ndx[1]{{\tt#1}\index{#1@{\tt#1} nonterminal}}
+\newcommand\ndxbold[1]{{\tt#1}\index{#1@{\tt#1} nonterminal|bold}}
+
+\newcommand\cldx[1]{{\tt#1}\index{#1@{\tt#1} class}}
+\newcommand\tydx[1]{\textit{#1}\index{#1@{\textit{#1}} type}}
+\newcommand\thydx[1]{{\tt#1}\index{#1@{\tt#1} theory}}
+
+\newcommand\tooldx[1]{{\tt#1}\index{#1@{\tt#1} tool}}
+\newcommand\settdx[1]{{\tt#1}\index{#1@{\tt#1} setting}}
+
+%set argument in \tt font; at the same time, index using * prefix
+\newcommand\rmindex[1]{{#1}\index{#1}\@}
+\newcommand\ttindex[1]{{\tt#1}\index{*#1}\@}
+\newcommand\ttindexbold[1]{{\tt#1}\index{*#1|bold}\@}
+
+%set argument in \bf font and index in ROMAN font (for definitions in text!)
+\newcommand\bfindex[1]{{\bf#1}\index{#1|bold}\@}
+
+
+%%% underscores as ordinary characters, not for subscripting
+%% use @ or \sb for subscripting; use \at for @
+%% only works in \tt font
+%% must not make _ an active char; would make \ttindex fail!
+\gdef\underscoreoff{\catcode`\@=8\catcode`\_=\other}
+\gdef\underscoreon{\catcode`\_=8\makeatother}
+\chardef\other=12
+\chardef\at=`\@
+
+% alternative underscore
+\def\_{\leavevmode\kern.06em\vbox{\hrule height.2ex width.3em}\hskip0.1em}
+
+%%% \dquotes permits usage of "..." for \hbox{...} -- also taken from under.sty
+{\catcode`\"=\active
+\gdef\dquotes{\catcode`\"=\active \let"=\@mathText}%
+\gdef\@mathText#1"{\hbox{\mathTextFont #1\/}}}
+\def\mathTextFont{\frenchspacing\tt}
+\def\dquotesoff{\catcode`\"=\other}
+
+%%%% meta-logical connectives
+
+\let\Forall=\bigwedge
+\let\Imp=\Longrightarrow
+\let\To=\Rightarrow
+\newcommand{\PROP}{\mathop{\mathrm{PROP}}}
+\newcommand{\Var}[1]{{?\!#1}}
+\newcommand{\All}[1]{\Forall#1.} %quantification
+
+%%%% ``WARNING'' environment
+\def\dbend{\vtop to 0pt{\vss\hbox{\Huge\bf!}\vss}}
+\newenvironment{warn}{\medskip\medbreak\begingroup \clubpenalty=10000
+ \small %%WAS\baselineskip=0.9\baselineskip
+ \noindent \ifdim\parindent > 0pt\hangindent\parindent\else\hangindent1.5em\fi
+ \hangafter=-2
+ \hbox to0pt{\hskip-\hangindent\dbend\hfill}\ignorespaces}%
+ {\par\endgroup\medbreak}
+
+
+%%%% Standard logical symbols
+\let\turn=\vdash
+\let\conj=\wedge
+\let\disj=\vee
+\let\imp=\rightarrow
+\let\bimp=\leftrightarrow
+\newcommand\all[1]{\forall#1.} %quantification
+\newcommand\ex[1]{\exists#1.}
+\newcommand{\pair}[1]{\langle#1\rangle}
+
+\newcommand{\lparr}{\mathopen{(\!|}}
+\newcommand{\rparr}{\mathclose{|\!)}}
+\newcommand{\fs}{\mathpunct{,\,}}
+\newcommand{\ty}{\mathrel{::}}
+\newcommand{\asn}{\mathrel{:=}}
+\newcommand{\more}{\ldots}
+\newcommand{\record}[1]{\lparr #1 \rparr}
+\newcommand{\dtt}{\mathord.}
+
+\newcommand\lbrakk{\mathopen{[\![}}
+\newcommand\rbrakk{\mathclose{]\!]}}
+\newcommand\List[1]{\lbrakk#1\rbrakk} %was \obj
+\newcommand\vpile[1]{\begin{array}{c}#1\end{array}}
+\newenvironment{matharray}[1]{\[\begin{array}{#1}}{\end{array}\]}
+\newcommand{\Text}[1]{\mbox{#1}}
+
+\DeclareMathSymbol{\dshsym}{\mathalpha}{letters}{"2D}
+\newcommand{\dsh}{\mathit{\dshsym}}
+
+\let\int=\cap
+\let\un=\cup
+\let\inter=\bigcap
+\let\union=\bigcup
+
+\def\ML{{\sc ml}}
+\def\OBJ{{\sc obj}}
+\def\AST{{\sc ast}}
+
+%macros to change the treatment of symbols
+\def\relsemicolon{\mathcode`\;="303B} %treat ; like a relation
+\def\binperiod{\mathcode`\.="213A} %treat . like a binary operator
+\def\binvert{\mathcode`\|="226A} %treat | like a binary operator
+
+%redefinition of \sloppy and \fussy to use \emergencystretch
+\def\sloppy{\tolerance2000 \hfuzz.5pt \vfuzz.5pt \emergencystretch=15pt}
+\def\fussy{\tolerance200 \hfuzz.1pt \vfuzz.1pt \emergencystretch=0pt}
+
+%non-bf version of description
+\def\descrlabel#1{\hspace\labelsep #1}
+\def\descr{\list{}{\labelwidth\z@ \itemindent-\leftmargin\let\makelabel\descrlabel}}
+\let\enddescr\endlist
+
+% The mathcodes for the letters A, ..., Z, a, ..., z are changed to
+% generate text italic rather than math italic by default. This makes
+% multi-letter identifiers look better. The mathcode for character c
+% is set to |"7000| (variable family) + |"400| (text italic) + |c|.
+%
+\DeclareSymbolFont{italics}{\encodingdefault}{\rmdefault}{m}{it}%
+\def\@setmcodes#1#2#3{{\count0=#1 \count1=#3
+ \loop \global\mathcode\count0=\count1 \ifnum \count0<#2
+ \advance\count0 by1 \advance\count1 by1 \repeat}}
+\@setmcodes{`A}{`Z}{"7\hexnumber@\symitalics41}
+\@setmcodes{`a}{`z}{"7\hexnumber@\symitalics61}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/isar.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,26 @@
+\usepackage{ifthen}
+
+\newcommand{\indexdef}[3]%
+{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)|bold}}{\index{#3 (#1\ #2)|bold}}}
+\newcommand{\indexref}[3]{\ifthenelse{\equal{}{#1}}{\index{#3 (#2)}}{\index{#3 (#1\ #2)}}}
+
+\newcommand{\isatt}[1]{{\def\isacharminus{-}\def\isacharunderscore{\_}\tt #1}}
+\newcommand{\isatool}[1]{{\def\isacharminus{-}\def\isacharunderscore{\_}\tt isabelle #1}}
+
+\newcommand{\indexoutertoken}[1]{\indexdef{}{syntax}{#1}}
+\newcommand{\indexouternonterm}[1]{\indexdef{}{syntax}{#1}}
+\newcommand{\indexisarelem}[1]{\indexdef{}{element}{#1}}
+
+\newcommand{\isasymAND}{\isakeyword{and}}
+\newcommand{\isasymIS}{\isakeyword{is}}
+\newcommand{\isasymWHERE}{\isakeyword{where}}
+\newcommand{\isasymBEGIN}{\isakeyword{begin}}
+\newcommand{\isasymIMPORTS}{\isakeyword{imports}}
+\newcommand{\isasymIN}{\isakeyword{in}}
+\newcommand{\isasymSTRUCTURE}{\isakeyword{structure}}
+\newcommand{\isasymFIXES}{\isakeyword{fixes}}
+\newcommand{\isasymASSUMES}{\isakeyword{assumes}}
+\newcommand{\isasymSHOWS}{\isakeyword{shows}}
+\newcommand{\isasymOBTAINS}{\isakeyword{obtains}}
+
+\newcommand{\isasymASSM}{\isacommand{assm}}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/manual.bib Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,2074 @@
+% BibTeX database for the Isabelle documentation
+
+%publishers
+@string{AP="Academic Press"}
+@string{CUP="Cambridge University Press"}
+@string{IEEE="IEEE Computer Society Press"}
+@string{LNCS="Lecture Notes in Computer Science"}
+@string{MIT="MIT Press"}
+@string{NH="North-Holland"}
+@string{Prentice="Prentice-Hall"}
+@string{PH="Prentice-Hall"}
+@string{Springer="Springer-Verlag"}
+
+%institutions
+@string{CUCL="Computer Laboratory, University of Cambridge"}
+@string{Edinburgh="Department of Computer Science, University of Edinburgh"}
+@string{TUM="Department of Informatics, Technical University of Munich"}
+
+%journals
+@string{AI="Artificial Intelligence"}
+@string{FAC="Formal Aspects of Computing"}
+@string{JAR="Journal of Automated Reasoning"}
+@string{JCS="Journal of Computer Security"}
+@string{JFP="Journal of Functional Programming"}
+@string{JLC="Journal of Logic and Computation"}
+@string{JLP="Journal of Logic Programming"}
+@string{JSC="Journal of Symbolic Computation"}
+@string{JSL="Journal of Symbolic Logic"}
+@string{PROYAL="Proceedings of the Royal Society of London"}
+@string{SIGPLAN="{SIGPLAN} Notices"}
+@string{TISSEC="ACM Transactions on Information and System Security"}
+
+%conferences
+@string{CADE="International Conference on Automated Deduction"}
+@string{POPL="Symposium on Principles of Programming Languages"}
+@string{TYPES="Types for Proofs and Programs"}
+
+
+%A
+
+@incollection{abramsky90,
+ author = {Samson Abramsky},
+ title = {The Lazy Lambda Calculus},
+ pages = {65-116},
+ editor = {David A. Turner},
+ booktitle = {Research Topics in Functional Programming},
+ publisher = {Addison-Wesley},
+ year = 1990}
+
+@Unpublished{abrial93,
+ author = {J. R. Abrial and G. Laffitte},
+ title = {Towards the Mechanization of the Proofs of Some Classical
+ Theorems of Set Theory},
+ note = {preprint},
+ year = 1993,
+ month = Feb}
+
+@incollection{aczel77,
+ author = {Peter Aczel},
+ title = {An Introduction to Inductive Definitions},
+ pages = {739-782},
+ crossref = {barwise-handbk}}
+
+@Book{aczel88,
+ author = {Peter Aczel},
+ title = {Non-Well-Founded Sets},
+ publisher = {CSLI},
+ year = 1988}
+
+@inproceedings{Aehlig-Haftmann-Nipkow:2008:nbe,
+ author = {Klaus Aehlig and Florian Haftmann and Tobias Nipkow},
+ title = {A Compiled Implementation of Normalization by Evaluation},
+ booktitle = {TPHOLs '08: Proceedings of the 21th International Conference on Theorem Proving in Higher Order Logics},
+ year = {2008},
+ isbn = {978-3-540-71065-3},
+ pages = {352--367},
+ publisher = Springer,
+ series = LNCS,
+ volume = {5170},
+ editor = {Otmane A\"{\i}t Mohamed and C{\'e}sar Mu{\~n}oz and Sofi{\`e}ne Tahar}
+}
+
+@InProceedings{alf,
+ author = {Lena Magnusson and Bengt {Nordstr\"{o}m}},
+ title = {The {ALF} Proof Editor and Its Proof Engine},
+ crossref = {types93},
+ pages = {213-237}}
+
+@inproceedings{andersson-1993,
+ author = "Arne Andersson",
+ title = "Balanced Search Trees Made Simple",
+ editor = "F. K. H. A. Dehne and N. Santoro and S. Whitesides",
+ booktitle = "WADS 1993",
+ series = LNCS,
+ volume = {709},
+ pages = "61--70",
+ year = 1993,
+ publisher = Springer}
+
+@book{andrews86,
+ author = "Peter Andrews",
+ title = "An Introduction to Mathematical Logic and Type Theory: to Truth
+through Proof",
+ publisher = AP,
+ series = "Computer Science and Applied Mathematics",
+ year = 1986}
+
+@InProceedings{Aspinall:2000:eProof,
+ author = {David Aspinall},
+ title = {Protocols for Interactive {e-Proof}},
+ booktitle = {Theorem Proving in Higher Order Logics (TPHOLs)},
+ year = 2000,
+ note = {Unpublished work-in-progress paper,
+ \url{http://homepages.inf.ed.ac.uk/da/papers/drafts/eproof.ps.gz}}
+}
+
+@InProceedings{Aspinall:TACAS:2000,
+ author = {David Aspinall},
+ title = {{P}roof {G}eneral: A Generic Tool for Proof Development},
+ booktitle = {Tools and Algorithms for the Construction and Analysis of
+ Systems (TACAS)},
+ year = 2000,
+ publisher = Springer,
+ series = LNCS,
+ volume = 1785,
+ pages = "38--42"
+}
+
+@Misc{isamode,
+ author = {David Aspinall},
+ title = {Isamode --- {U}sing {I}sabelle with {E}macs},
+ note = {\url{http://homepages.inf.ed.ac.uk/da/Isamode/}}
+}
+
+@Misc{proofgeneral,
+ author = {David Aspinall},
+ title = {{P}roof {G}eneral},
+ note = {\url{http://proofgeneral.inf.ed.ac.uk/}}
+}
+
+%B
+
+@inproceedings{backes-brown-2010,
+ title = "Analytic Tableaux for Higher-Order Logic with Choice",
+ author = "Julian Backes and Chad E. Brown",
+ booktitle={Automated Reasoning: IJCAR 2010},
+ editor={J. Giesl and R. H\"ahnle},
+ publisher = Springer,
+ series = LNCS,
+ volume = 6173,
+ pages = "76--90",
+ year = 2010}
+
+@book{Baader-Nipkow,author={Franz Baader and Tobias Nipkow},
+title="Term Rewriting and All That",publisher=CUP,year=1998}
+
+@manual{isabelle-locale,
+ author = {Clemens Ballarin},
+ title = {Tutorial to Locales and Locale Interpretation},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/locales.pdf}}
+}
+
+@InCollection{Barendregt-Geuvers:2001,
+ author = {H. Barendregt and H. Geuvers},
+ title = {Proof Assistants using Dependent Type Systems},
+ booktitle = {Handbook of Automated Reasoning},
+ publisher = {Elsevier},
+ year = 2001,
+ editor = {A. Robinson and A. Voronkov}
+}
+
+@inproceedings{cvc3,
+ author = {Clark Barrett and Cesare Tinelli},
+ title = {{CVC3}},
+ booktitle = {CAV},
+ editor = {Werner Damm and Holger Hermanns},
+ volume = {4590},
+ series = LNCS,
+ pages = {298--302},
+ publisher = {Springer},
+ year = {2007}
+}
+
+@incollection{basin91,
+ author = {David Basin and Matt Kaufmann},
+ title = {The {Boyer-Moore} Prover and {Nuprl}: An Experimental
+ Comparison},
+ crossref = {huet-plotkin91},
+ pages = {89-119}}
+
+@Unpublished{HOL-Library,
+ author = {Gertrud Bauer and Tobias Nipkow and Oheimb, David von and
+ Lawrence C Paulson and Thomas M Rasmussen and Christophe Tabacznyj and
+ Markus Wenzel},
+ title = {The Supplemental {Isabelle/HOL} Library},
+ note = {Part of the Isabelle distribution,
+ \url{http://isabelle.in.tum.de/library/HOL/Library/document.pdf}},
+ year = 2002
+}
+
+@InProceedings{Bauer-Wenzel:2000:HB,
+ author = {Gertrud Bauer and Markus Wenzel},
+ title = {Computer-Assisted Mathematics at Work --- The {H}ahn-{B}anach Theorem in
+ {I}sabelle/{I}sar},
+ booktitle = {Types for Proofs and Programs: TYPES'99},
+ editor = {Thierry Coquand and Peter Dybjer and Bengt Nordstr{\"o}m
+ and Jan Smith},
+ series = {LNCS},
+ year = 2000
+}
+
+@InProceedings{Bauer-Wenzel:2001,
+ author = {Gertrud Bauer and Markus Wenzel},
+ title = {Calculational reasoning revisited --- an {Isabelle/Isar} experience},
+ crossref = {tphols2001}}
+
+@inproceedings{leo2,
+ author = "Christoph Benzm{\"u}ller and Lawrence C. Paulson and Frank Theiss and Arnaud Fietzke",
+ title = "{LEO-II}---A Cooperative Automatic Theorem Prover for Higher-Order Logic",
+ editor = "Alessandro Armando and Peter Baumgartner and Gilles Dowek",
+ booktitle = "Automated Reasoning: IJCAR 2008",
+ publisher = Springer,
+ series = LNCS,
+ volume = 5195,
+ pages = "162--170",
+ year = 2008}
+
+@inProceedings{Berghofer-Bulwahn-Haftmann:2009:TPHOL,
+ author = {Berghofer, Stefan and Bulwahn, Lukas and Haftmann, Florian},
+ booktitle = {Theorem Proving in Higher Order Logics},
+ pages = {131--146},
+ title = {Turning Inductive into Equational Specifications},
+ year = {2009}
+}
+
+@INPROCEEDINGS{Berghofer-Nipkow:2000:TPHOL,
+ crossref = "tphols2000",
+ title = "Proof terms for simply typed higher order logic",
+ author = "Stefan Berghofer and Tobias Nipkow",
+ pages = "38--52"}
+
+@inproceedings{berghofer-nipkow-2004,
+ author = {Stefan Berghofer and Tobias Nipkow},
+ title = {Random Testing in {I}sabelle/{HOL}},
+ pages = {230--239},
+ editor = "J. Cuellar and Z. Liu",
+ booktitle = {{SEFM} 2004},
+ publisher = IEEE,
+ year = 2004}
+
+@InProceedings{Berghofer-Nipkow:2002,
+ author = {Stefan Berghofer and Tobias Nipkow},
+ title = {Executing Higher Order Logic},
+ booktitle = {Types for Proofs and Programs: TYPES'2000},
+ editor = {P. Callaghan and Z. Luo and J. McKinna and R. Pollack},
+ series = LNCS,
+ publisher = Springer,
+ volume = 2277,
+ year = 2002}
+
+@InProceedings{Berghofer-Wenzel:1999:TPHOL,
+ author = {Stefan Berghofer and Markus Wenzel},
+ title = {Inductive datatypes in {HOL} --- lessons learned in
+ {F}ormal-{L}ogic {E}ngineering},
+ crossref = {tphols99}}
+
+
+@InProceedings{Bezem-Coquand:2005,
+ author = {M.A. Bezem and T. Coquand},
+ title = {Automating {Coherent Logic}},
+ booktitle = {LPAR-12},
+ editor = {G. Sutcliffe and A. Voronkov},
+ volume = 3835,
+ series = LNCS,
+ publisher = Springer}
+
+@book{Bird-Wadler,author="Richard Bird and Philip Wadler",
+title="Introduction to Functional Programming",publisher=PH,year=1988}
+
+@book{Bird-Haskell,author="Richard Bird",
+title="Introduction to Functional Programming using Haskell",
+publisher=PH,year=1998}
+
+@manual{isabelle-nitpick,
+ author = {Jasmin Christian Blanchette},
+ title = {Picking Nits: A User's Guide to {N}itpick for {I}sabelle/{HOL}},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/nitpick.pdf}}
+}
+
+@manual{isabelle-sledgehammer,
+ author = {Jasmin Christian Blanchette},
+ title = {Hammering Away: A User's Guide to {S}ledgehammer for {I}sabelle/{HOL}},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/sledgehammer.pdf}}
+}
+
+@inproceedings{blanchette-nipkow-2010,
+ title = "Nitpick: A Counterexample Generator for Higher-Order Logic Based on a Relational Model Finder",
+ author = "Jasmin Christian Blanchette and Tobias Nipkow",
+ crossref = {itp2010}}
+
+@inproceedings{why3,
+ author = {Fran\c{c}ois Bobot and Jean-Christophe Filli\^atre and Claude March\'e and Andrei Paskevich},
+ title = {{Why3}: Shepherd Your Herd of Provers},
+ editor = "K. Rustan M. Leino and Micha\l{} Moskal",
+ booktitle = {Boogie 2011},
+ pages = "53--64",
+ year = 2011
+}
+
+@inproceedings{alt-ergo,
+ author = {Fran\c{c}ois Bobot and Sylvain Conchon and Evelyne Contejean and St\'ephane Lescuyer},
+ title = {Implementing Polymorphism in {SMT} Solvers},
+ booktitle = {SMT '08},
+ pages = "1--5",
+ publisher = "ACM",
+ series = "ICPS",
+ year = 2008,
+ editor = {Clark Barrett and Leonardo de Moura}}
+% /BPR
+% and Domagoj Babic and Amit Goel
+
+@inproceedings{boehme-nipkow-2010,
+ author={Sascha B\"ohme and Tobias Nipkow},
+ title={Sledgehammer: Judgement Day},
+ booktitle={Automated Reasoning: IJCAR 2010},
+ editor={J. Giesl and R. H\"ahnle},
+ publisher=Springer,
+ series=LNCS,
+ volume = 6173,
+ pages = "107--121",
+ year=2010}
+
+@Article{boyer86,
+ author = {Robert Boyer and Ewing Lusk and William McCune and Ross
+ Overbeek and Mark Stickel and Lawrence Wos},
+ title = {Set Theory in First-Order Logic: Clauses for {G\"{o}del's}
+ Axioms},
+ journal = JAR,
+ year = 1986,
+ volume = 2,
+ number = 3,
+ pages = {287-327}}
+
+@book{bm79,
+ author = {Robert S. Boyer and J Strother Moore},
+ title = {A Computational Logic},
+ publisher = {Academic Press},
+ year = 1979}
+
+@book{bm88book,
+ author = {Robert S. Boyer and J Strother Moore},
+ title = {A Computational Logic Handbook},
+ publisher = {Academic Press},
+ year = 1988}
+
+@inproceedings{satallax,
+ author = "Chad E. Brown",
+ title = "Reducing Higher-Order Theorem Proving to a Sequence of {SAT} Problems",
+ booktitle = {Automated Deduction --- CADE-23},
+ publisher = Springer,
+ series = LNCS,
+ volume = 6803,
+ pages = "147--161",
+ editor = "Nikolaj Bj{\o}rner and Viorica Sofronie-Stokkermans",
+ year = 2011}
+
+@Article{debruijn72,
+ author = {N. G. de Bruijn},
+ title = {Lambda Calculus Notation with Nameless Dummies,
+ a Tool for Automatic Formula Manipulation,
+ with Application to the {Church-Rosser Theorem}},
+ journal = {Indag. Math.},
+ volume = 34,
+ pages = {381-392},
+ year = 1972}
+
+@InProceedings{bulwahnKN07,
+ author = {Lukas Bulwahn and Alexander Krauss and Tobias Nipkow},
+ title = {Finding Lexicographic Orders for Termination Proofs in {Isabelle/HOL}},
+ crossref = {tphols2007},
+ pages = {38--53}
+}
+
+@InProceedings{bulwahn-et-al:2008:imperative,
+ author = {Lukas Bulwahn and Alexander Krauss and Florian Haftmann and Levent Erkök and John Matthews},
+ title = {Imperative Functional Programming with {Isabelle/HOL}},
+ crossref = {tphols2008},
+}
+% pages = {38--53}
+
+@Article{ban89,
+ author = {M. Burrows and M. Abadi and R. M. Needham},
+ title = {A Logic of Authentication},
+ journal = PROYAL,
+ year = 1989,
+ volume = 426,
+ pages = {233-271}}
+
+%C
+
+@InProceedings{Chaieb-Wenzel:2007,
+ author = {Amine Chaieb and Makarius Wenzel},
+ title = {Context aware Calculation and Deduction ---
+ Ring Equalities via {Gr\"obner Bases} in {Isabelle}},
+ booktitle = {Towards Mechanized Mathematical Assistants (CALCULEMUS 2007)},
+ editor = {Manuel Kauers and Manfred Kerber and Robert Miner and Wolfgang Windsteiger},
+ series = LNAI,
+ volume = 4573,
+ year = 2007,
+ publisher = Springer
+}
+
+@TechReport{camilleri92,
+ author = {J. Camilleri and T. F. Melham},
+ title = {Reasoning with Inductively Defined Relations in the
+ {HOL} Theorem Prover},
+ institution = CUCL,
+ year = 1992,
+ number = 265,
+ month = Aug}
+
+@Book{charniak80,
+ author = {E. Charniak and C. K. Riesbeck and D. V. McDermott},
+ title = {Artificial Intelligence Programming},
+ publisher = {Lawrence Erlbaum Associates},
+ year = 1980}
+
+@article{church40,
+ author = "Alonzo Church",
+ title = "A Formulation of the Simple Theory of Types",
+ journal = JSL,
+ year = 1940,
+ volume = 5,
+ pages = "56-68"}
+
+@book{ClarkeGP-book,author="Edmund Clarke and Orna Grumberg and Doron Peled",
+title="Model Checking",publisher=MIT,year=1999}
+
+@PhdThesis{coen92,
+ author = {Martin D. Coen},
+ title = {Interactive Program Derivation},
+ school = {University of Cambridge},
+ note = {Computer Laboratory Technical Report 272},
+ month = nov,
+ year = 1992}
+
+@book{constable86,
+ author = {R. L. Constable and others},
+ title = {Implementing Mathematics with the Nuprl Proof
+ Development System},
+ publisher = Prentice,
+ year = 1986}
+
+%D
+
+@Book{davey-priestley,
+ author = {B. A. Davey and H. A. Priestley},
+ title = {Introduction to Lattices and Order},
+ publisher = CUP,
+ year = 1990}
+
+@Book{devlin79,
+ author = {Keith J. Devlin},
+ title = {Fundamentals of Contemporary Set Theory},
+ publisher = {Springer},
+ year = 1979}
+
+@book{dummett,
+ author = {Michael Dummett},
+ title = {Elements of Intuitionism},
+ year = 1977,
+ publisher = {Oxford University Press}}
+
+@misc{yices,
+ author = {Bruno Dutertre and Leonardo de Moura},
+ title = {The {Yices} {SMT} Solver},
+ howpublished = "\url{http://yices.csl.sri.com/tool-paper.pdf}",
+ year = 2006}
+
+@incollection{dybjer91,
+ author = {Peter Dybjer},
+ title = {Inductive Sets and Families in {Martin-L{\"o}f's} Type
+ Theory and Their Set-Theoretic Semantics},
+ crossref = {huet-plotkin91},
+ pages = {280-306}}
+
+@Article{dyckhoff,
+ author = {Roy Dyckhoff},
+ title = {Contraction-Free Sequent Calculi for Intuitionistic Logic},
+ journal = JSL,
+ year = 1992,
+ volume = 57,
+ number = 3,
+ pages = {795-807}}
+
+%F
+
+@Article{IMPS,
+ author = {William M. Farmer and Joshua D. Guttman and F. Javier
+ Thayer},
+ title = {{IMPS}: An Interactive Mathematical Proof System},
+ journal = JAR,
+ volume = 11,
+ number = 2,
+ year = 1993,
+ pages = {213-248}}
+
+@InProceedings{felty91a,
+ Author = {Amy Felty},
+ Title = {A Logic Program for Transforming Sequent Proofs to Natural
+ Deduction Proofs},
+ crossref = {extensions91},
+ pages = {157-178}}
+
+@Article{fleuriot-jcm,
+ author = {Jacques Fleuriot and Lawrence C. Paulson},
+ title = {Mechanizing Nonstandard Real Analysis},
+ journal = {LMS Journal of Computation and Mathematics},
+ year = 2000,
+ volume = 3,
+ pages = {140-190},
+ note = {\url{http://www.lms.ac.uk/jcm/3/lms1999-027/}}
+}
+
+@TechReport{frost93,
+ author = {Jacob Frost},
+ title = {A Case Study of Co-induction in {Isabelle HOL}},
+ institution = CUCL,
+ number = 308,
+ year = 1993,
+ month = Aug}
+
+%revised version of frost93
+@TechReport{frost95,
+ author = {Jacob Frost},
+ title = {A Case Study of Co-induction in {Isabelle}},
+ institution = CUCL,
+ number = 359,
+ year = 1995,
+ month = Feb}
+
+@inproceedings{OBJ,
+ author = {K. Futatsugi and J.A. Goguen and Jean-Pierre Jouannaud
+ and J. Meseguer},
+ title = {Principles of {OBJ2}},
+ booktitle = POPL,
+ year = 1985,
+ pages = {52-66}}
+
+%G
+
+@book{gallier86,
+ author = {J. H. Gallier},
+ title = {Logic for Computer Science:
+ Foundations of Automatic Theorem Proving},
+ year = 1986,
+ publisher = {Harper \& Row}}
+
+@Book{galton90,
+ author = {Antony Galton},
+ title = {Logic for Information Technology},
+ publisher = {Wiley},
+ year = 1990}
+
+@Article{Gentzen:1935,
+ author = {G. Gentzen},
+ title = {Untersuchungen {\"u}ber das logische {S}chlie{\ss}en},
+ journal = {Math. Zeitschrift},
+ year = 1935
+}
+
+@InProceedings{gimenez-codifying,
+ author = {Eduardo Gim{\'e}nez},
+ title = {Codifying Guarded Definitions with Recursive Schemes},
+ crossref = {types94},
+ pages = {39-59}
+}
+
+@book{girard89,
+ author = {Jean-Yves Girard},
+ title = {Proofs and Types},
+ year = 1989,
+ publisher = CUP,
+ note = {Translated by Yves LaFont and Paul Taylor}}
+
+@Book{mgordon-hol,
+ editor = {M. J. C. Gordon and T. F. Melham},
+ title = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic},
+ publisher = CUP,
+ year = 1993}
+
+@book{mgordon79,
+ author = {Michael J. C. Gordon and Robin Milner and Christopher P.
+ Wadsworth},
+ title = {Edinburgh {LCF}: A Mechanised Logic of Computation},
+ year = 1979,
+ publisher = {Springer},
+ series = {LNCS 78}}
+
+@inproceedings{Gunter-HOL92,author={Elsa L. Gunter},
+title={Why we can't have {SML} style datatype declarations in {HOL}},
+booktitle={Higher Order Logic Theorem Proving and its Applications: Proc.\
+IFIP TC10/WG10.2 Intl. Workshop, 1992},
+editor={L.J.M. Claesen and M.J.C. Gordon},
+publisher=NH,year=1993,pages={561--568}}
+
+@InProceedings{gunter-trees,
+ author = {Elsa L. Gunter},
+ title = {A Broader Class of Trees for Recursive Type Definitions for
+ {HOL}},
+ crossref = {hug93},
+ pages = {141-154}}
+
+%H
+
+@InProceedings{Haftmann-Wenzel:2006:classes,
+ author = {Florian Haftmann and Makarius Wenzel},
+ title = {Constructive Type Classes in {Isabelle}},
+ editor = {T. Altenkirch and C. McBride},
+ booktitle = {Types for Proofs and Programs, TYPES 2006},
+ publisher = {Springer},
+ series = {LNCS},
+ volume = {4502},
+ year = {2007}
+}
+
+@inproceedings{Haftmann-Nipkow:2010:code,
+ author = {Florian Haftmann and Tobias Nipkow},
+ title = {Code Generation via Higher-Order Rewrite Systems},
+ booktitle = {Functional and Logic Programming: 10th International Symposium: FLOPS 2010},
+ year = 2010,
+ publisher = Springer,
+ series = LNCS,
+ editor = {Matthias Blume and Naoki Kobayashi and Germ{\'a}n Vidal},
+ volume = 6009
+}
+
+@InProceedings{Haftmann-Wenzel:2009,
+ author = {Florian Haftmann and Makarius Wenzel},
+ title = {Local theory specifications in {Isabelle/Isar}},
+ editor = {Stefano Berardi and Ferruccio Damiani and de Liguoro, Ugo},
+ booktitle = {Types for Proofs and Programs, TYPES 2008},
+ publisher = {Springer},
+ series = {LNCS},
+ volume = {5497},
+ year = {2009}
+}
+
+@inproceedings{hindleymilner,
+ author = {L. Damas and H. Milner},
+ title = {Principal type schemes for functional programs},
+ booktitle = {ACM Symp. Principles of Programming Languages},
+ year = 1982
+}
+
+@manual{isabelle-classes,
+ author = {Florian Haftmann},
+ title = {Haskell-style type classes with {Isabelle}/{Isar}},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/classes.pdf}}
+}
+
+@manual{isabelle-codegen,
+ author = {Florian Haftmann},
+ title = {Code generation from Isabelle theories},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/codegen.pdf}}
+}
+
+@Book{halmos60,
+ author = {Paul R. Halmos},
+ title = {Naive Set Theory},
+ publisher = {Van Nostrand},
+ year = 1960}
+
+@book{HarelKT-DL,author={David Harel and Dexter Kozen and Jerzy Tiuryn},
+title={Dynamic Logic},publisher=MIT,year=2000}
+
+@Book{hennessy90,
+ author = {Matthew Hennessy},
+ title = {The Semantics of Programming Languages: An Elementary
+ Introduction Using Structural Operational Semantics},
+ publisher = {Wiley},
+ year = 1990}
+
+@article{waldmeister,
+ author = {Thomas Hillenbrand and Arnim Buch and Rolan Vogt and Bernd L\"ochner},
+ title = "Waldmeister: High-Performance Equational Deduction",
+ journal = JAR,
+ volume = 18,
+ number = 2,
+ pages = {265--270},
+ year = 1997}
+
+@book{HopcroftUllman,author={John E. Hopcroft and Jeffrey D. Ullman},
+title={Introduction to Automata Theory, Languages, and Computation.},
+publisher={Addison-Wesley},year=1979}
+
+@Article{haskell-report,
+ author = {Paul Hudak and Simon Peyton Jones and Philip Wadler},
+ title = {Report on the Programming Language {Haskell}: A
+ Non-strict, Purely Functional Language},
+ journal = SIGPLAN,
+ year = 1992,
+ volume = 27,
+ number = 5,
+ month = May,
+ note = {Version 1.2}}
+
+@Article{haskell-tutorial,
+ author = {Paul Hudak and Joseph H. Fasel},
+ title = {A Gentle Introduction to {Haskell}},
+ journal = SIGPLAN,
+ year = 1992,
+ volume = 27,
+ number = 5,
+ month = May}
+
+@inproceedings{sine,
+ author = "Kry\v{s}tof Hoder and Andrei Voronkov",
+ title = "Sine Qua Non for Large Theory Reasoning",
+ booktitle = {Automated Deduction --- CADE-23},
+ publisher = Springer,
+ series = LNCS,
+ volume = 6803,
+ pages = "299--314",
+ editor = "Nikolaj Bj{\o}rner and Viorica Sofronie-Stokkermans",
+ year = 2011}
+
+@book{Hudak-Haskell,author={Paul Hudak},
+title={The Haskell School of Expression},publisher=CUP,year=2000}
+
+@article{huet75,
+ author = {G. P. Huet},
+ title = {A Unification Algorithm for Typed $\lambda$-Calculus},
+ journal = TCS,
+ volume = 1,
+ year = 1975,
+ pages = {27-57}}
+
+@article{huet78,
+ author = {G. P. Huet and B. Lang},
+ title = {Proving and Applying Program Transformations Expressed with
+ Second-Order Patterns},
+ journal = acta,
+ volume = 11,
+ year = 1978,
+ pages = {31-55}}
+
+@inproceedings{huet88,
+ author = {G{\'e}rard Huet},
+ title = {Induction Principles Formalized in the {Calculus of
+ Constructions}},
+ booktitle = {Programming of Future Generation Computers},
+ editor = {K. Fuchi and M. Nivat},
+ year = 1988,
+ pages = {205-216},
+ publisher = {Elsevier}}
+
+@Book{Huth-Ryan-book,
+ author = {Michael Huth and Mark Ryan},
+ title = {Logic in Computer Science. Modelling and reasoning about systems},
+ publisher = CUP,
+ year = 2000}
+
+@InProceedings{Harrison:1996:MizarHOL,
+ author = {J. Harrison},
+ title = {A {Mizar} Mode for {HOL}},
+ pages = {203--220},
+ crossref = {tphols96}}
+
+@misc{metis,
+ author = "Joe Hurd",
+ title = "Metis Theorem Prover",
+ note = "\url{http://www.gilith.com/software/metis/}"}
+
+%J
+
+@article{haskell-revised-report,
+ author = {Simon {Peyton Jones} and others},
+ title = {The {Haskell} 98 Language and Libraries: The Revised Report},
+ journal = {Journal of Functional Programming},
+ volume = 13,
+ number = 1,
+ pages = {0--255},
+ month = {Jan},
+ year = 2003,
+ note = {\url{http://www.haskell.org/definition/}}}
+
+@book{jackson-2006,
+ author = "Daniel Jackson",
+ title = "Software Abstractions: Logic, Language, and Analysis",
+ publisher = MIT,
+ year = 2006}
+
+%K
+
+@InProceedings{kammueller-locales,
+ author = {Florian Kamm{\"u}ller and Markus Wenzel and
+ Lawrence C. Paulson},
+ title = {Locales: A Sectioning Concept for {Isabelle}},
+ crossref = {tphols99}}
+
+@book{Knuth3-75,
+ author={Donald E. Knuth},
+ title={The Art of Computer Programming, Volume 3: Sorting and Searching},
+ publisher={Addison-Wesley},
+ year=1975}
+
+@Article{korf85,
+ author = {R. E. Korf},
+ title = {Depth-First Iterative-Deepening: an Optimal Admissible
+ Tree Search},
+ journal = AI,
+ year = 1985,
+ volume = 27,
+ pages = {97-109}}
+
+@inproceedings{korovin-2009,
+ title = "Instantiation-Based Automated Reasoning: From Theory to Practice",
+ author = "Konstantin Korovin",
+ editor = "Renate A. Schmidt",
+ booktitle = {Automated Deduction --- CADE-22},
+ series = "LNAI",
+ volume = {5663},
+ pages = "163--166",
+ year = 2009,
+ publisher = "Springer"}
+
+@inproceedings{korovin-sticksel-2010,
+ author = {Konstantin Korovin and
+ Christoph Sticksel},
+ title = {{iP}rover-{E}q: An Instantiation-Based Theorem Prover with Equality},
+ pages = {196--202},
+ booktitle={Automated Reasoning: IJCAR 2010},
+ editor={J. Giesl and R. H\"ahnle},
+ publisher = Springer,
+ series = LNCS,
+ volume = 6173,
+ year = 2010}
+
+@InProceedings{krauss2006,
+ author = {Alexander Krauss},
+ title = {Partial Recursive Functions in {Higher-Order Logic}},
+ crossref = {ijcar2006},
+ pages = {589--603}}
+
+@PhdThesis{krauss_phd,
+ author = {Alexander Krauss},
+ title = {Automating Recursive Definitions and Termination Proofs in Higher-Order Logic},
+ school = {Institut f{\"u}r Informatik, Technische Universit{\"a}t M{\"u}nchen},
+ year = {2009},
+ address = {Germany}
+}
+
+@manual{isabelle-function,
+ author = {Alexander Krauss},
+ title = {Defining Recursive Functions in {Isabelle/HOL}},
+ institution = TUM,
+ note = {\url{http://isabelle.in.tum.de/doc/functions.pdf}}
+}
+
+@Book{kunen80,
+ author = {Kenneth Kunen},
+ title = {Set Theory: An Introduction to Independence Proofs},
+ publisher = NH,
+ year = 1980}
+
+%L
+
+@manual{OCaml,
+ author = {Xavier Leroy and others},
+ title = {The Objective Caml system -- Documentation and user's manual},
+ note = {\url{http://caml.inria.fr/pub/docs/manual-ocaml/}}}
+
+@incollection{lochbihler-2010,
+ title = "Coinduction",
+ author = "Andreas Lochbihler",
+ booktitle = "The Archive of Formal Proofs",
+ editor = "Gerwin Klein and Tobias Nipkow and Lawrence C. Paulson",
+ publisher = "\url{http://afp.sourceforge.net/entries/Coinductive.shtml}",
+ month = "Feb.",
+ year = 2010}
+
+@book{loveland-78,
+ author = "D. W. Loveland",
+ title = "Automated Theorem Proving: A Logical Basis",
+ year = 1978,
+ publisher = "North-Holland Publishing Co."}
+
+@InProceedings{lowe-fdr,
+ author = {Gavin Lowe},
+ title = {Breaking and Fixing the {Needham}-{Schroeder} Public-Key
+ Protocol using {CSP} and {FDR}},
+ booktitle = {Tools and Algorithms for the Construction and Analysis
+ of Systems: second international workshop, TACAS '96},
+ editor = {T. Margaria and B. Steffen},
+ series = {LNCS 1055},
+ year = 1996,
+ publisher = {Springer},
+ pages = {147-166}}
+
+%M
+
+@Article{mw81,
+ author = {Zohar Manna and Richard Waldinger},
+ title = {Deductive Synthesis of the Unification Algorithm},
+ journal = SCP,
+ year = 1981,
+ volume = 1,
+ number = 1,
+ pages = {5-48}}
+
+@InProceedings{martin-nipkow,
+ author = {Ursula Martin and Tobias Nipkow},
+ title = {Ordered Rewriting and Confluence},
+ crossref = {cade10},
+ pages = {366-380}}
+
+@book{martinlof84,
+ author = {Per Martin-L{\"o}f},
+ title = {Intuitionistic type theory},
+ year = 1984,
+ publisher = {Bibliopolis}}
+
+@incollection{melham89,
+ author = {Thomas F. Melham},
+ title = {Automating Recursive Type Definitions in Higher Order
+ Logic},
+ pages = {341-386},
+ crossref = {birtwistle89}}
+
+@Article{Miller:1991,
+ author = {Dale Miller},
+ title = {A Logic Programming Language with Lambda-Abstraction, Function Variables,
+ and Simple Unification},
+ journal = {Journal of Logic and Computation},
+ year = 1991,
+ volume = 1,
+ number = 4
+}
+
+@Article{miller-mixed,
+ Author = {Dale Miller},
+ Title = {Unification Under a Mixed Prefix},
+ journal = JSC,
+ volume = 14,
+ number = 4,
+ pages = {321-358},
+ Year = 1992}
+
+@Article{milner78,
+ author = {Robin Milner},
+ title = {A Theory of Type Polymorphism in Programming},
+ journal = "J. Comp.\ Sys.\ Sci.",
+ year = 1978,
+ volume = 17,
+ pages = {348-375}}
+
+@TechReport{milner-ind,
+ author = {Robin Milner},
+ title = {How to Derive Inductions in {LCF}},
+ institution = Edinburgh,
+ year = 1980,
+ type = {note}}
+
+@Article{milner-coind,
+ author = {Robin Milner and Mads Tofte},
+ title = {Co-induction in Relational Semantics},
+ journal = TCS,
+ year = 1991,
+ volume = 87,
+ pages = {209-220}}
+
+@Book{milner89,
+ author = {Robin Milner},
+ title = {Communication and Concurrency},
+ publisher = Prentice,
+ year = 1989}
+
+@book{SML,author="Robin Milner and Mads Tofte and Robert Harper",
+title="The Definition of Standard ML",publisher=MIT,year=1990}
+
+@PhdThesis{monahan84,
+ author = {Brian Q. Monahan},
+ title = {Data Type Proofs using Edinburgh {LCF}},
+ school = {University of Edinburgh},
+ year = 1984}
+
+@article{MuellerNvOS99,
+author=
+{Olaf M{\"u}ller and Tobias Nipkow and Oheimb, David von and Oscar Slotosch},
+title={{HOLCF = HOL + LCF}},journal=JFP,year=1999,volume=9,pages={191--223}}
+
+@Manual{Muzalewski:Mizar,
+ title = {An Outline of {PC} {Mizar}},
+ author = {Micha{\l} Muzalewski},
+ organization = {Fondation of Logic, Mathematics and Informatics
+ --- Mizar Users Group},
+ year = 1993,
+ note = {\url{http://www.cs.kun.nl/~freek/mizar/mizarmanual.ps.gz}}
+}
+
+%N
+
+@InProceedings{NaraschewskiW-TPHOLs98,
+ author = {Wolfgang Naraschewski and Markus Wenzel},
+ title =
+{Object-Oriented Verification based on Record Subtyping in
+ Higher-Order Logic},
+ crossref = {tphols98}}
+
+@inproceedings{nazareth-nipkow,
+ author = {Dieter Nazareth and Tobias Nipkow},
+ title = {Formal Verification of Algorithm {W}: The Monomorphic Case},
+ crossref = {tphols96},
+ pages = {331-345},
+ year = 1996}
+
+@Article{needham-schroeder,
+ author = "Roger M. Needham and Michael D. Schroeder",
+ title = "Using Encryption for Authentication in Large Networks
+ of Computers",
+ journal = cacm,
+ volume = 21,
+ number = 12,
+ pages = "993-999",
+ month = dec,
+ year = 1978}
+
+@inproceedings{nipkow-W,
+ author = {Wolfgang Naraschewski and Tobias Nipkow},
+ title = {Type Inference Verified: Algorithm {W} in {Isabelle/HOL}},
+ booktitle = {Types for Proofs and Programs: Intl. Workshop TYPES '96},
+ editor = {E. Gim{\'e}nez and C. Paulin-Mohring},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1512,
+ pages = {317-332},
+ year = 1998}
+
+@InCollection{nipkow-sorts93,
+ author = {T. Nipkow},
+ title = {Order-Sorted Polymorphism in {Isabelle}},
+ booktitle = {Logical Environments},
+ publisher = CUP,
+ year = 1993,
+ editor = {G. Huet and G. Plotkin},
+ pages = {164--188}
+}
+
+@Misc{nipkow-types93,
+ author = {Tobias Nipkow},
+ title = {Axiomatic Type Classes (in {I}sabelle)},
+ howpublished = {Presentation at the workshop \emph{Types for Proof and Programs}, Nijmegen},
+ year = 1993
+}
+
+@inproceedings{Nipkow-CR,
+ author = {Tobias Nipkow},
+ title = {More {Church-Rosser} Proofs (in {Isabelle/HOL})},
+ booktitle = {Automated Deduction --- CADE-13},
+ editor = {M. McRobbie and J.K. Slaney},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1104,
+ pages = {733-747},
+ year = 1996}
+
+% WAS Nipkow-LICS-93
+@InProceedings{nipkow-patterns,
+ title = {Functional Unification of Higher-Order Patterns},
+ author = {Tobias Nipkow},
+ pages = {64-74},
+ crossref = {lics8},
+ url = {\url{ftp://ftp.informatik.tu-muenchen.de/local/lehrstuhl/nipkow/lics93.html}},
+ keywords = {unification}}
+
+@article{nipkow-IMP,
+ author = {Tobias Nipkow},
+ title = {Winskel is (almost) Right: Towards a Mechanized Semantics Textbook},
+ journal = FAC,
+ volume = 10,
+ pages = {171-186},
+ year = 1998}
+
+@inproceedings{Nipkow-TYPES02,
+ author = {Tobias Nipkow},
+ title = {{Structured Proofs in Isar/HOL}},
+ booktitle = {Types for Proofs and Programs (TYPES 2002)},
+ editor = {H. Geuvers and F. Wiedijk},
+ year = 2003,
+ publisher = Springer,
+ series = LNCS,
+ volume = 2646,
+ pages = {259-278}}
+
+@manual{isabelle-HOL,
+ author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+ title = {{Isabelle}'s Logics: {HOL}},
+ institution = {Institut f{\"u}r Informatik, Technische Universi{\"a}t
+ M{\"u}nchen and Computer Laboratory, University of Cambridge},
+ note = {\url{http://isabelle.in.tum.de/doc/logics-HOL.pdf}}}
+
+@article{nipkow-prehofer,
+ author = {Tobias Nipkow and Christian Prehofer},
+ title = {Type Reconstruction for Type Classes},
+ journal = JFP,
+ volume = 5,
+ number = 2,
+ year = 1995,
+ pages = {201-224}}
+
+@InProceedings{Nipkow-Prehofer:1993,
+ author = {T. Nipkow and C. Prehofer},
+ title = {Type checking type classes},
+ booktitle = {ACM Symp.\ Principles of Programming Languages},
+ year = 1993
+}
+
+@Book{isa-tutorial,
+ author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+ title = {Isabelle/{HOL}: A Proof Assistant for Higher-Order Logic},
+ publisher = Springer,
+ year = 2002,
+ series = LNCS,
+ volume = 2283}
+
+@Article{noel,
+ author = {Philippe No{\"e}l},
+ title = {Experimenting with {Isabelle} in {ZF} Set Theory},
+ journal = JAR,
+ volume = 10,
+ number = 1,
+ pages = {15-58},
+ year = 1993}
+
+@book{nordstrom90,
+ author = {Bengt {Nordstr{\"o}m} and Kent Petersson and Jan Smith},
+ title = {Programming in {Martin-L{\"o}f}'s Type Theory. An
+ Introduction},
+ publisher = {Oxford University Press},
+ year = 1990}
+
+%O
+
+@TechReport{scala-overview-tech-report,
+ author = {Martin Odersky and al.},
+ title = {An Overview of the Scala Programming Language},
+ institution = {EPFL Lausanne, Switzerland},
+ year = 2004,
+ number = {IC/2004/64}
+}
+
+@Article{Oppen:1980,
+ author = {D. C. Oppen},
+ title = {Pretty Printing},
+ journal = {ACM Transactions on Programming Languages and Systems},
+ year = 1980,
+ volume = 2,
+ number = 4}
+
+@Manual{pvs-language,
+ title = {The {PVS} specification language},
+ author = {S. Owre and N. Shankar and J. M. Rushby},
+ organization = {Computer Science Laboratory, SRI International},
+ address = {Menlo Park, CA},
+ note = {Beta release},
+ year = 1993,
+ month = apr,
+ url = {\url{http://www.csl.sri.com/reports/pvs-language.dvi.Z}}}
+
+%P
+
+% replaces paulin92
+@InProceedings{paulin-tlca,
+ author = {Christine Paulin-Mohring},
+ title = {Inductive Definitions in the System {Coq}: Rules and
+ Properties},
+ crossref = {tlca93},
+ pages = {328-345}}
+
+@InProceedings{paulson-CADE,
+ author = {Lawrence C. Paulson},
+ title = {A Fixedpoint Approach to Implementing (Co)Inductive
+ Definitions},
+ pages = {148-161},
+ crossref = {cade12}}
+
+@InProceedings{paulson-COLOG,
+ author = {Lawrence C. Paulson},
+ title = {A Formulation of the Simple Theory of Types (for
+ {Isabelle})},
+ pages = {246-274},
+ crossref = {colog88},
+ url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR175-lcp-simple.dvi.gz}}}
+
+@Article{paulson-coind,
+ author = {Lawrence C. Paulson},
+ title = {Mechanizing Coinduction and Corecursion in Higher-Order
+ Logic},
+ journal = JLC,
+ year = 1997,
+ volume = 7,
+ number = 2,
+ month = mar,
+ pages = {175-204}}
+
+@manual{isabelle-intro,
+ author = {Lawrence C. Paulson},
+ title = {Old Introduction to {Isabelle}},
+ institution = CUCL,
+ note = {\url{http://isabelle.in.tum.de/doc/intro.pdf}}}
+
+@manual{isabelle-logics,
+ author = {Lawrence C. Paulson},
+ title = {{Isabelle's} Logics},
+ institution = CUCL,
+ note = {\url{http://isabelle.in.tum.de/doc/logics.pdf}}}
+
+@manual{isabelle-ref,
+ author = {Lawrence C. Paulson},
+ title = {The Old {Isabelle} Reference Manual},
+ institution = CUCL,
+ note = {\url{http://isabelle.in.tum.de/doc/ref.pdf}}}
+
+@manual{isabelle-ZF,
+ author = {Lawrence C. Paulson},
+ title = {{Isabelle}'s Logics: {FOL} and {ZF}},
+ institution = CUCL,
+ note = {\url{http://isabelle.in.tum.de/doc/logics-ZF.pdf}}}
+
+@article{paulson-found,
+ author = {Lawrence C. Paulson},
+ title = {The Foundation of a Generic Theorem Prover},
+ journal = JAR,
+ volume = 5,
+ number = 3,
+ pages = {363-397},
+ year = 1989,
+ url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR130-lcp-generic-theorem-prover.dvi.gz}}}
+
+%replaces paulson-final
+@Article{paulson-mscs,
+ author = {Lawrence C. Paulson},
+ title = {Final Coalgebras as Greatest Fixed Points
+ in {ZF} Set Theory},
+ journal = {Mathematical Structures in Computer Science},
+ year = 1999,
+ volume = 9,
+ number = 5,
+ pages = {545-567}}
+
+@InCollection{paulson-generic,
+ author = {Lawrence C. Paulson},
+ title = {Generic Automatic Proof Tools},
+ crossref = {wos-fest},
+ chapter = 3}
+
+@Article{paulson-gr,
+ author = {Lawrence C. Paulson and Krzysztof Gr\c{a}bczewski},
+ title = {Mechanizing Set Theory: Cardinal Arithmetic and the Axiom of
+ Choice},
+ journal = JAR,
+ year = 1996,
+ volume = 17,
+ number = 3,
+ month = dec,
+ pages = {291-323}}
+
+@InCollection{paulson-fixedpt-milner,
+ author = {Lawrence C. Paulson},
+ title = {A Fixedpoint Approach to (Co)inductive and
+ (Co)datatype Definitions},
+ pages = {187-211},
+ crossref = {milner-fest}}
+
+@book{milner-fest,
+ title = {Proof, Language, and Interaction:
+ Essays in Honor of {Robin Milner}},
+ booktitle = {Proof, Language, and Interaction:
+ Essays in Honor of {Robin Milner}},
+ publisher = MIT,
+ year = 2000,
+ editor = {Gordon Plotkin and Colin Stirling and Mads Tofte}}
+
+@InCollection{paulson-handbook,
+ author = {Lawrence C. Paulson},
+ title = {Designing a Theorem Prover},
+ crossref = {handbk-lics2},
+ pages = {415-475}}
+
+@Book{paulson-isa-book,
+ author = {Lawrence C. Paulson},
+ title = {Isabelle: A Generic Theorem Prover},
+ publisher = {Springer},
+ year = 1994,
+ note = {LNCS 828}}
+
+@Book{isabelle-hol-book,
+ author = {Tobias Nipkow and Lawrence C. Paulson and Markus Wenzel},
+ title = {Isabelle/HOL --- A Proof Assistant for Higher-Order Logic},
+ publisher = {Springer},
+ year = 2002,
+ note = {LNCS 2283}}
+
+@InCollection{paulson-markt,
+ author = {Lawrence C. Paulson},
+ title = {Tool Support for Logics of Programs},
+ booktitle = {Mathematical Methods in Program Development:
+ Summer School Marktoberdorf 1996},
+ publisher = {Springer},
+ pages = {461-498},
+ year = {Published 1997},
+ editor = {Manfred Broy},
+ series = {NATO ASI Series F}}
+
+%replaces Paulson-ML and paulson91
+@book{paulson-ml2,
+ author = {Lawrence C. Paulson},
+ title = {{ML} for the Working Programmer},
+ year = 1996,
+ edition = {2nd},
+ publisher = CUP}
+
+@article{paulson-natural,
+ author = {Lawrence C. Paulson},
+ title = {Natural Deduction as Higher-order Resolution},
+ journal = JLP,
+ volume = 3,
+ pages = {237-258},
+ year = 1986,
+ url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR82-lcp-higher-order-resolution.dvi.gz}}}
+
+@Article{paulson-set-I,
+ author = {Lawrence C. Paulson},
+ title = {Set Theory for Verification: {I}. {From}
+ Foundations to Functions},
+ journal = JAR,
+ volume = 11,
+ number = 3,
+ pages = {353-389},
+ year = 1993,
+ url = {\url{http://www.cl.cam.ac.uk/users/lcp/papers/Sets/set-I.pdf}}}
+
+@Article{paulson-set-II,
+ author = {Lawrence C. Paulson},
+ title = {Set Theory for Verification: {II}. {Induction} and
+ Recursion},
+ journal = JAR,
+ volume = 15,
+ number = 2,
+ pages = {167-215},
+ year = 1995,
+ url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR312-lcp-set-II.ps.gz}}}
+
+@article{paulson85,
+ author = {Lawrence C. Paulson},
+ title = {Verifying the Unification Algorithm in {LCF}},
+ journal = SCP,
+ volume = 5,
+ pages = {143-170},
+ year = 1985}
+
+%replaces Paulson-LCF
+@book{paulson87,
+ author = {Lawrence C. Paulson},
+ title = {Logic and Computation: Interactive proof with Cambridge
+ LCF},
+ year = 1987,
+ publisher = CUP}
+
+@incollection{paulson700,
+ author = {Lawrence C. Paulson},
+ title = {{Isabelle}: The Next 700 Theorem Provers},
+ crossref = {odifreddi90},
+ pages = {361-386},
+ url = {\url{http://www.cl.cam.ac.uk/Research/Reports/TR143-lcp-experience.dvi.gz}}}
+
+% replaces paulson-ns and paulson-security
+@Article{paulson-jcs,
+ author = {Lawrence C. Paulson},
+ title = {The Inductive Approach to Verifying Cryptographic Protocols},
+ journal = JCS,
+ year = 1998,
+ volume = 6,
+ pages = {85-128}}
+
+@Article{paulson-tls,
+ author = {Lawrence C. Paulson},
+ title = {Inductive Analysis of the {Internet} Protocol {TLS}},
+ journal = TISSEC,
+ month = aug,
+ year = 1999,
+ volume = 2,
+ number = 3,
+ pages = {332-351}}
+
+@Article{paulson-yahalom,
+ author = {Lawrence C. Paulson},
+ title = {Relations Between Secrets:
+ Two Formal Analyses of the {Yahalom} Protocol},
+ journal = JCS,
+ volume = 9,
+ number = 3,
+ pages = {197-216},
+ year = 2001}}
+
+@article{pelletier86,
+ author = {F. J. Pelletier},
+ title = {Seventy-five Problems for Testing Automatic Theorem
+ Provers},
+ journal = JAR,
+ volume = 2,
+ pages = {191-216},
+ year = 1986,
+ note = {Errata, JAR 4 (1988), 235--236 and JAR 18 (1997), 135}}
+
+@InCollection{pitts93,
+ author = {A. Pitts},
+ title = {The {HOL} Logic},
+ editor = {M. J. C. Gordon and T. F. Melham},
+ booktitle = {Introduction to {HOL}: A Theorem Proving Environment for Higher Order Logic},
+ pages = {191--232},
+ publisher = CUP,
+ year = 1993}
+
+@Article{pitts94,
+ author = {Andrew M. Pitts},
+ title = {A Co-induction Principle for Recursively Defined Domains},
+ journal = TCS,
+ volume = 124,
+ pages = {195-219},
+ year = 1994}
+
+@Article{plaisted90,
+ author = {David A. Plaisted},
+ title = {A Sequent-Style Model Elimination Strategy and a Positive
+ Refinement},
+ journal = JAR,
+ year = 1990,
+ volume = 6,
+ number = 4,
+ pages = {389-402}}
+
+%Q
+
+@Article{quaife92,
+ author = {Art Quaife},
+ title = {Automated Deduction in {von Neumann-Bernays-G\"{o}del} Set
+ Theory},
+ journal = JAR,
+ year = 1992,
+ volume = 8,
+ number = 1,
+ pages = {91-147}}
+
+%R
+
+@TechReport{rasmussen95,
+ author = {Ole Rasmussen},
+ title = {The {Church-Rosser} Theorem in {Isabelle}: A Proof Porting
+ Experiment},
+ institution = {Computer Laboratory, University of Cambridge},
+ year = 1995,
+ number = 364,
+ month = may,
+ url = {\url{http://www.cl.cam.ac.uk:80/ftp/papers/reports/TR364-or200-church-rosser-isabelle.ps.gz}}}
+
+@Book{reeves90,
+ author = {Steve Reeves and Michael Clarke},
+ title = {Logic for Computer Science},
+ publisher = {Addison-Wesley},
+ year = 1990}
+
+@article{riazanov-voronkov-2002,
+ author = "Alexander Riazanov and Andrei Voronkov",
+ title = "The Design and Implementation of {Vampire}",
+ journal = "Journal of AI Communications",
+ year = 2002,
+ volume = 15,
+ number ="2/3",
+ pages = "91--110"}
+
+@book{Rosen-DMA,author={Kenneth H. Rosen},
+title={Discrete Mathematics and Its Applications},
+publisher={McGraw-Hill},year=1998}
+
+@InProceedings{Rudnicki:1992:MizarOverview,
+ author = {P. Rudnicki},
+ title = {An Overview of the {MIZAR} Project},
+ booktitle = {1992 Workshop on Types for Proofs and Programs},
+ year = 1992,
+ organization = {Chalmers University of Technology},
+ publisher = {Bastad}
+}
+
+%S
+
+@inproceedings{saaltink-fme,
+ author = {Mark Saaltink and Sentot Kromodimoeljo and Bill Pase and
+ Dan Craigen and Irwin Meisels},
+ title = {An {EVES} Data Abstraction Example},
+ pages = {578-596},
+ crossref = {fme93}}
+
+@Article{Schroeder-Heister:1984,
+ author = {Peter Schroeder-Heister},
+ title = {A Natural Extension of Natural Deduction},
+ journal = {Journal of Symbolic Logic},
+ year = 1984,
+ volume = 49,
+ number = 4
+}
+
+@article{schulz-2002,
+ author = "Stephan Schulz",
+ title = "E---A Brainiac Theorem Prover",
+ journal = "Journal of AI Communications",
+ year = 2002,
+ volume = 15,
+ number ="2/3",
+ pages = "111--126"}
+
+@misc{sledgehammer-2009,
+ key = "Sledgehammer",
+ title = "The {S}ledgehammer: Let Automatic Theorem Provers
+Write Your {I}s\-a\-belle Scripts",
+ note = "\url{http://www.cl.cam.ac.uk/research/hvg/Isabelle/sledgehammer.html}"}
+
+@inproceedings{slind-tfl,
+ author = {Konrad Slind},
+ title = {Function Definition in Higher Order Logic},
+ crossref = {tphols96},
+ pages = {381-397}}
+
+@inproceedings{snark,
+ author = {M. Stickel and R. Waldinger and M. Lowry and T. Pressburger and I. Underwood},
+ title = {Deductive composition of astronomical software from subroutine libraries},
+ pages = "341--355",
+ crossref = {cade12}}
+
+@book{suppes72,
+ author = {Patrick Suppes},
+ title = {Axiomatic Set Theory},
+ year = 1972,
+ publisher = {Dover}}
+
+@inproceedings{sutcliffe-2000,
+ author = "Geoff Sutcliffe",
+ title = "System Description: {SystemOnTPTP}",
+ editor = "David McAllester",
+ booktitle = {Automated Deduction --- {CADE}-17 International Conference},
+ series = "Lecture Notes in Artificial Intelligence",
+ volume = {1831},
+ pages = "406--410",
+ year = 2000,
+ publisher = Springer}
+
+@misc{tofof,
+ author = "Geoff Sutcliffe",
+ title = "{ToFoF}",
+ note = "\url{http://www.cs.miami.edu/~tptp/ATPSystems/ToFoF/}"}
+
+@Article{Sutter:2005,
+ author = {H. Sutter},
+ title = {The Free Lunch Is Over --- A Fundamental Turn Toward Concurrency in Software},
+ journal = {Dr. Dobb's Journal},
+ year = 2005,
+ volume = 30,
+ number = 3}
+
+@InCollection{szasz93,
+ author = {Nora Szasz},
+ title = {A Machine Checked Proof that {Ackermann's} Function is not
+ Primitive Recursive},
+ crossref = {huet-plotkin93},
+ pages = {317-338}}
+
+@TechReport{Syme:1997:DECLARE,
+ author = {D. Syme},
+ title = {{DECLARE}: A Prototype Declarative Proof System for Higher Order Logic},
+ institution = {University of Cambridge Computer Laboratory},
+ year = 1997,
+ number = 416
+}
+
+@PhdThesis{Syme:1998:thesis,
+ author = {D. Syme},
+ title = {Declarative Theorem Proving for Operational Semantics},
+ school = {University of Cambridge},
+ year = 1998,
+ note = {Submitted}
+}
+
+@InProceedings{Syme:1999:TPHOL,
+ author = {D. Syme},
+ title = {Three Tactic Theorem Proving},
+ crossref = {tphols99}}
+
+%T
+
+@book{takeuti87,
+ author = {G. Takeuti},
+ title = {Proof Theory},
+ year = 1987,
+ publisher = NH,
+ edition = {2nd}}
+
+@Book{thompson91,
+ author = {Simon Thompson},
+ title = {Type Theory and Functional Programming},
+ publisher = {Addison-Wesley},
+ year = 1991}
+
+@book{Thompson-Haskell,author={Simon Thompson},
+title={Haskell: The Craft of Functional Programming},
+publisher={Addison-Wesley},year=1999}
+
+@misc{kodkod-2009,
+ author = "Emina Torlak",
+ title = {Kodkod: Constraint Solver for Relational Logic},
+ note = "\url{http://alloy.mit.edu/kodkod/}"}
+
+@misc{kodkod-2009-options,
+ author = "Emina Torlak",
+ title = "Kodkod {API}: Class {Options}",
+ note = "\url{http://alloy.mit.edu/kodkod/docs/kodkod/engine/config/Options.html}"}
+
+@inproceedings{torlak-jackson-2007,
+ title = "Kodkod: A Relational Model Finder",
+ author = "Emina Torlak and Daniel Jackson",
+ editor = "Orna Grumberg and Michael Huth",
+ booktitle = "TACAS 2007",
+ series = LNCS,
+ volume = {4424},
+ pages = "632--647",
+ year = 2007,
+ publisher = Springer}
+
+@unpublished{traytel-berghofer-nipkow-2011,
+ author = {D. Traytel and S. Berghofer and T. Nipkow},
+ title = {Extending Hindley-Milner Type Inference with Coercive
+ Subtyping (long version)},
+ year = 2011,
+ note = {Submitted,
+ \url{http://isabelle.in.tum.de/doc/implementation.pdf}}},
+}
+
+@Unpublished{Trybulec:1993:MizarFeatures,
+ author = {A. Trybulec},
+ title = {Some Features of the {Mizar} Language},
+ note = {Presented at a workshop in Turin, Italy},
+ year = 1993
+}
+
+%V
+
+@Unpublished{voelker94,
+ author = {Norbert V{\"o}lker},
+ title = {The Verification of a Timer Program using {Isabelle/HOL}},
+ url = {\url{ftp://ftp.fernuni-hagen.de/pub/fachb/et/dvt/projects/verification/timer.tar.gz}},
+ year = 1994,
+ month = aug}
+
+%W
+
+@inproceedings{wadler89how,
+ author = {P. Wadler and S. Blott},
+ title = {How to make ad-hoc polymorphism less ad-hoc},
+ booktitle = {ACM Symp.\ Principles of Programming Languages},
+ year = 1989
+}
+
+@phdthesis{weber-2008,
+ author = "Tjark Weber",
+ title = "SAT-Based Finite Model Generation for Higher-Order Logic",
+ school = {Dept.\ of Informatics, T.U. M\"unchen},
+ type = "{Ph.D.}\ thesis",
+ year = 2008}
+
+@Misc{x-symbol,
+ author = {Christoph Wedler},
+ title = {Emacs package ``{X-Symbol}''},
+ note = {\url{http://x-symbol.sourceforge.net}}
+}
+
+@misc{weidenbach-et-al-2009,
+ author = "Christoph Weidenbach and Dilyana Dimova and Arnaud Fietzke and Rohit Kumar and Martin Suda and Patrick Wischnewski",
+ title = "{SPASS} Version 3.5",
+ note = {\url{http://www.spass-prover.org/publications/spass.pdf}}}
+
+@manual{isabelle-sys,
+ author = {Markus Wenzel and Stefan Berghofer},
+ title = {The {Isabelle} System Manual},
+ institution = {TU Munich},
+ note = {\url{http://isabelle.in.tum.de/doc/system.pdf}}}
+
+@manual{isabelle-isar-ref,
+ author = {Makarius Wenzel},
+ title = {The {Isabelle/Isar} Reference Manual},
+ institution = {TU Munich},
+ note = {\url{http://isabelle.in.tum.de/doc/isar-ref.pdf}}}
+
+@manual{isabelle-implementation,
+ author = {Makarius Wenzel},
+ title = {The {Isabelle/Isar} Implementation},
+ institution = {TU Munich},
+ note = {\url{http://isabelle.in.tum.de/doc/implementation.pdf}}}
+
+@InProceedings{Wenzel:1999:TPHOL,
+ author = {Markus Wenzel},
+ title = {{Isar} --- a Generic Interpretative Approach to Readable Formal Proof Documents},
+ crossref = {tphols99}}
+
+@InProceedings{Wenzel:1997:TPHOL,
+ author = {Markus Wenzel},
+ title = {Type Classes and Overloading in Higher-Order Logic},
+ crossref = {tphols97}}
+
+@phdthesis{Wenzel-PhD,
+ author={Markus Wenzel},
+ title={Isabelle/Isar --- a versatile environment for human-readable formal proof documents},
+ school={Institut f{\"u}r Informatik, Technische Universit{\"a}t M{\"u}nchen},
+ year=2002,
+ note = {\url{http://tumb1.biblio.tu-muenchen.de/publ/diss/in/2002/wenzel.html}}}
+
+@Article{Wenzel-Wiedijk:2002,
+ author = {Freek Wiedijk and Markus Wenzel},
+ title = {A comparison of the mathematical proof languages {Mizar} and {Isar}.},
+ journal = {Journal of Automated Reasoning},
+ year = 2002,
+ volume = 29,
+ number = {3-4}
+}
+
+@InCollection{Wenzel-Paulson:2006,
+ author = {Markus Wenzel and Lawrence C. Paulson},
+ title = {{Isabelle/Isar}},
+ booktitle = {The Seventeen Provers of the World},
+ year = 2006,
+ editor = {F. Wiedijk},
+ series = {LNAI 3600}
+}
+
+@InCollection{Wenzel:2006:Festschrift,
+ author = {Makarius Wenzel},
+ title = {{Isabelle/Isar} --- a generic framework for human-readable proof documents},
+ booktitle = {From Insight to Proof --- Festschrift in Honour of Andrzej Trybulec},
+ publisher = {University of Bia{\l}ystok},
+ year = 2007,
+ editor = {R. Matuszewski and A. Zalewska},
+ volume = {10(23)},
+ series = {Studies in Logic, Grammar, and Rhetoric},
+ note = {\url{http://www.in.tum.de/~wenzelm/papers/isar-framework.pdf}}
+}
+
+@InProceedings{Wenzel-Chaieb:2007b,
+ author = {Makarius Wenzel and Amine Chaieb},
+ title = {{SML} with antiquotations embedded into {Isabelle/Isar}},
+ booktitle = {Workshop on Programming Languages for Mechanized Mathematics
+ (satellite of CALCULEMUS 2007). Hagenberg, Austria},
+ editor = {Jacques Carette and Freek Wiedijk},
+ month = {June},
+ year = {2007}
+}
+
+@InProceedings{Wenzel:2009,
+ author = {M. Wenzel},
+ title = {Parallel Proof Checking in {Isabelle/Isar}},
+ booktitle = {ACM SIGSAM Workshop on Programming Languages for Mechanized Mathematics Systems (PLMMS 2009)},
+ year = 2009,
+ editor = {Dos Reis, G. and L. Th\'ery},
+ publisher = {ACM Digital Library}}
+
+@book{principia,
+ author = {A. N. Whitehead and B. Russell},
+ title = {Principia Mathematica},
+ year = 1962,
+ publisher = CUP,
+ note = {Paperback edition to *56,
+ abridged from the 2nd edition (1927)}}
+
+@Misc{Wiedijk:1999:Mizar,
+ author = {Freek Wiedijk},
+ title = {Mizar: An Impression},
+ howpublished = {Unpublished paper},
+ year = 1999,
+ note = {\url{http://www.cs.kun.nl/~freek/mizar/mizarintro.ps.gz}}
+}
+
+@Misc{Wiedijk:2000:MV,
+ author = {Freek Wiedijk},
+ title = {The Mathematical Vernacular},
+ howpublished = {Unpublished paper},
+ year = 2000,
+ note = {\url{http://www.cs.kun.nl/~freek/notes/mv.ps.gz}}
+}
+
+@misc{wikipedia-2009-aa-trees,
+ key = "Wikipedia",
+ title = "Wikipedia: {AA} Tree",
+ note = "\url{http://en.wikipedia.org/wiki/AA_tree}"}
+
+@book{winskel93,
+ author = {Glynn Winskel},
+ title = {The Formal Semantics of Programming Languages},
+ publisher = MIT,year=1993}
+
+@InCollection{wos-bledsoe,
+ author = {Larry Wos},
+ title = {Automated Reasoning and {Bledsoe's} Dream for the Field},
+ crossref = {bledsoe-fest},
+ pages = {297-342}}
+
+@InProceedings{Zammit:1999:TPHOL,
+ author = {Vincent Zammit},
+ title = {On the Implementation of an Extensible Declarative Proof Language},
+ crossref = {tphols99}}
+
+%Z
+
+@misc{z3,
+ key = "Z3",
+ title = "Z3: An Efficient {SMT} Solver",
+ note = "\url{http://research.microsoft.com/en-us/um/redmond/projects/z3/}"}
+
+
+% CROSS REFERENCES
+
+@book{handbk-lics2,
+ editor = {S. Abramsky and D. M. Gabbay and T. S. E. Maibaum},
+ title = {Handbook of Logic in Computer Science},
+ booktitle = {Handbook of Logic in Computer Science},
+ publisher = {Oxford University Press},
+ year = 1992,
+ volume = 2}
+
+@book{types93,
+ editor = {Henk Barendregt and Tobias Nipkow},
+ title = TYPES # {: International Workshop {TYPES '93}},
+ booktitle = TYPES # {: International Workshop {TYPES '93}},
+ year = {published 1994},
+ publisher = {Springer},
+ series = {LNCS 806}}
+
+@book{barwise-handbk,
+ editor = {J. Barwise},
+ title = {Handbook of Mathematical Logic},
+ booktitle = {Handbook of Mathematical Logic},
+ year = 1977,
+ publisher = NH}
+
+@Proceedings{tlca93,
+ title = {Typed Lambda Calculi and Applications},
+ booktitle = {Typed Lambda Calculi and Applications},
+ editor = {M. Bezem and J.F. Groote},
+ year = 1993,
+ publisher = {Springer},
+ series = {LNCS 664}}
+
+@book{birtwistle89,
+ editor = {Graham Birtwistle and P. A. Subrahmanyam},
+ title = {Current Trends in Hardware Verification and Automated
+ Theorem Proving},
+ booktitle = {Current Trends in Hardware Verification and Automated
+ Theorem Proving},
+ publisher = {Springer},
+ year = 1989}
+
+@book{bledsoe-fest,
+ title = {Automated Reasoning: Essays in Honor of {Woody Bledsoe}},
+ booktitle = {Automated Reasoning: Essays in Honor of {Woody Bledsoe}},
+ publisher = {Kluwer Academic Publishers},
+ year = 1991,
+ editor = {Robert S. Boyer}}
+
+@Proceedings{cade12,
+ editor = {Alan Bundy},
+ title = {Automated Deduction --- {CADE}-12
+ International Conference},
+ booktitle = {Automated Deduction --- {CADE}-12
+ International Conference},
+ year = 1994,
+ series = {LNAI 814},
+ publisher = {Springer}}
+
+@book{types94,
+ editor = {Peter Dybjer and Bengt Nordstr{{\"o}m} and Jan Smith},
+ title = TYPES # {: International Workshop {TYPES '94}},
+ booktitle = TYPES # {: International Workshop {TYPES '94}},
+ year = 1995,
+ publisher = {Springer},
+ series = {LNCS 996}}
+
+@book{huet-plotkin91,
+ editor = {{G{\'e}rard} Huet and Gordon Plotkin},
+ title = {Logical Frameworks},
+ booktitle = {Logical Frameworks},
+ publisher = CUP,
+ year = 1991}
+
+@book{huet-plotkin93,
+ editor = {{G{\'e}rard} Huet and Gordon Plotkin},
+ title = {Logical Environments},
+ booktitle = {Logical Environments},
+ publisher = CUP,
+ year = 1993}
+
+@Proceedings{hug93,
+ editor = {J. Joyce and C. Seger},
+ title = {Higher Order Logic Theorem Proving and Its
+ Applications: HUG '93},
+ booktitle = {Higher Order Logic Theorem Proving and Its
+ Applications: HUG '93},
+ year = {Published 1994},
+ publisher = {Springer},
+ series = {LNCS 780}}
+
+@proceedings{colog88,
+ editor = {P. Martin-L{\"o}f and G. Mints},
+ title = {COLOG-88: International Conference on Computer Logic},
+ booktitle = {COLOG-88: International Conference on Computer Logic},
+ year = {Published 1990},
+ publisher = {Springer},
+ organization = {Estonian Academy of Sciences},
+ address = {Tallinn},
+ series = {LNCS 417}}
+
+@book{odifreddi90,
+ editor = {P. Odifreddi},
+ title = {Logic and Computer Science},
+ booktitle = {Logic and Computer Science},
+ publisher = {Academic Press},
+ year = 1990}
+
+@proceedings{extensions91,
+ editor = {Peter Schroeder-Heister},
+ title = {Extensions of Logic Programming},
+ booktitle = {Extensions of Logic Programming},
+ year = 1991,
+ series = {LNAI 475},
+ publisher = {Springer}}
+
+@proceedings{cade10,
+ editor = {Mark E. Stickel},
+ title = {10th } # CADE,
+ booktitle = {10th } # CADE,
+ year = 1990,
+ publisher = {Springer},
+ series = {LNAI 449}}
+
+@Proceedings{lics8,
+ editor = {M. Vardi},
+ title = {Eighth Annual Symposium on Logic in Computer Science},
+ booktitle = {Eighth Annual Symposium on Logic in Computer Science},
+ publisher = IEEE,
+ year = 1993}
+
+@book{wos-fest,
+ title = {Automated Reasoning and its Applications:
+ Essays in Honor of {Larry Wos}},
+ booktitle = {Automated Reasoning and its Applications:
+ Essays in Honor of {Larry Wos}},
+ publisher = MIT,
+ year = 1997,
+ editor = {Robert Veroff}}
+
+@proceedings{fme93,
+ editor = {J. C. P. Woodcock and P. G. Larsen},
+ title = {FME '93: Industrial-Strength Formal Methods},
+ booktitle = {FME '93: Industrial-Strength Formal Methods},
+ year = 1993,
+ publisher = Springer,
+ series = LNCS,
+ volume = 670}
+
+@Proceedings{tphols96,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} '96},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '96},
+ editor = {J. von Wright and J. Grundy and J. Harrison},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1125,
+ year = 1996}
+
+@Proceedings{tphols97,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} '97},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '97},
+ editor = {Elsa L. Gunter and Amy Felty},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1275,
+ year = 1997}
+
+@Proceedings{tphols98,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} '98},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '98},
+ editor = {Jim Grundy and Malcom Newey},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1479,
+ year = 1998}
+
+@Proceedings{tphols99,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} '99},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} '99},
+ editor = {Bertot, Y. and Dowek, G. and Hirschowitz, A. and
+ Paulin, C. and Thery, L.},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1690,
+ year = 1999}
+
+@Proceedings{tphols2000,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2000},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2000},
+ editor = {J. Harrison and M. Aagaard},
+ publisher = Springer,
+ series = LNCS,
+ volume = 1869,
+ year = 2000}
+
+@Proceedings{tphols2001,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2001},
+ editor = {R. J. Boulton and P. B. Jackson},
+ publisher = Springer,
+ series = LNCS,
+ volume = 2152,
+ year = 2001}
+
+@Proceedings{ijcar2006,
+ title = {Automated Reasoning: {IJCAR} 2006},
+ booktitle = {Automated Reasoning: {IJCAR} 2006},
+ editor = {U. Furbach and N. Shankar},
+ publisher = Springer,
+ series = LNCS,
+ volume = 4130,
+ year = 2006}
+
+@Proceedings{tphols2007,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2007},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2007},
+ editor = {K. Schneider and J. Brandt},
+ publisher = Springer,
+ series = LNCS,
+ volume = 4732,
+ year = 2007}
+
+@Proceedings{tphols2008,
+ title = {Theorem Proving in Higher Order Logics: {TPHOLs} 2008},
+ booktitle = {Theorem Proving in Higher Order Logics: {TPHOLs} 2008},
+ publisher = Springer,
+ series = LNCS,
+ year = 2008}
+% editor =
+% volume = 4732,
+
+@Proceedings{itp2010,
+ title = {Interactive Theorem Proving: {ITP}-10},
+ booktitle = {Interactive Theorem Proving: {ITP}-10},
+ editor = "Matt Kaufmann and Lawrence Paulson",
+ publisher = Springer,
+ series = LNCS,
+ year = 2010}
+
+@unpublished{classes_modules,
+ title = {{ML} Modules and {Haskell} Type Classes: A Constructive Comparison},
+ author = {Stefan Wehr et. al.}
+}
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/mathsing.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,950 @@
+%% edited by LCP!!
+%% Modified page break penalties
+%% Commented out the change to \newlinechar
+%% Increased space in Contents and List of Figures
+%% Changed \thebibliography to the defn in llncs.sty
+%% Added ttbox
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% MATHSING.STY Version 1.1
+%
+% This LaTeX style option file contains necessary macros for writing
+% camera ready English single author math book manuscripts.
+%
+%
+% Usage:
+%
+% \documentstyle[12pt,mathsing]{book}
+% ...
+%
+% Change log:
+%
+% 90/11/04 pagestyle empty for first page of chapter
+% 90/11/04 distinct figure and table captions
+% 90/11/04 \small for captions and headings
+% 90/11/04 improved definition of theorem-like environments
+% 90/12/01 separation after chapter title changed to 5.1cm
+% 90/12/01 page size changed to 45x14.4+10pt=23.05cm
+% 90/12/01 references
+% 90/12/01 common counter for theorem-like environments
+% 90/12/02 table of contents
+% 90/12/02 final improvements and corrections
+% 90/12/26 two styles for equation numbers
+% 91/02/05 \numberlikebook and \numberlikearticle replace
+% \eqnbook and \eqnarticle
+% 91/10/07 \listoffigures, \listoftables made similar to
+% \tableofcontents,
+% running head of Index changed: Sachverzeichnis -> Index,
+% \newthe now uses \thechapter instead of \arabic{chapter}
+% 91/02/05 binding: \tablebook, \tablearticle
+% \figurebook, \figurearticle added
+% 91/10/07 holzwarth: \listoffigures, \listoftables
+% according to \tableofcontents,
+% \begin{theindex}
+% \newthe to produce correct numbers
+% 91/12/03 \chapter, \section, and \subsection now do not
+% hyphenate the headings any more
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% change the catcode of @ (allows names containing @ after \begin{document})
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\makeatletter
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% page layout and dimensions
+%
+% The following commands are redefined:
+%
+% \ps@headings (cf. BOOK.STY)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%
+% Layout
+%
+% Note: The following values do not apply for English Springer
+% books on phsics; use \baselineskip=14pt, \textwidth=13.8cm,
+% \textheight=640pt (=45x14pt+10pt=22.5cm) instead!
+%
+
+\baselineskip=14.4pt % LaTeX default
+
+\topmargin=0cm
+\textwidth=14.2cm % 1.2 x 11.833 cm
+\textheight=658pt % 45x14.4pt+10pt = 658pt = 23.0554cm
+%\textheight=23.2502cm % 1.2x19.3752cm=23.2502cm (first version)
+\oddsidemargin=0.7cm
+\evensidemargin=0.7cm
+\headsep=20pt % ?
+
+\parindent=7mm % 1.2 x 5.833mm
+
+\hfuzz=2pt % supress "overfull box" messages below 2pt
+
+\frenchspacing % no large blanks at the end of a sentence
+
+
+\tolerance=500
+
+\abovedisplayskip=3.6 mm plus7.2pt minus 4.8pt
+\belowdisplayskip=3.6 mm plus7.2pt minus 4.8pt
+\abovedisplayshortskip=0.0 mm plus7.2pt minus 2.4pt
+\belowdisplayshortskip=2.4 mm plus4.8pt minus 4.8pt
+
+%%LCP: were 0, 10000, 10000
+\predisplaypenalty=100 % penalties for page break
+\clubpenalty=400 %
+\widowpenalty=400 %
+
+
+%
+% running titles
+%
+
+% binding 5.2.91 \hspace changed to 1.0 cm | |
+% binding 5.2.91 dot deleted after \thesection |
+\def\ps@headings{
+ \let\@mkboth\markboth
+ \def\@oddfoot{}
+ \def\@evenfoot{}
+ \def\@evenhead{\rm\small\thepage\hspace{1.0cm}\leftmark\hfil\hbox{}}
+ \def\@oddhead{\hbox{}\hfil\rm\small\rightmark\hspace{1.0cm}\thepage}
+ \def\chaptermark##1{\markboth
+ {\ifnum \c@secnumdepth >\m@ne \thechapter.\ \fi ##1}{}}
+%hier punkt raus. binding |
+ \def\sectionmark##1{\markright
+ {\ifnum \c@secnumdepth >\z@ \thesection\ \fi ##1}}
+ }
+
+\pagestyle{headings}
+
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Chapters and Sections
+%
+% The following commands are redefined:
+%
+% \@makechapterhead (cf. BK12.STY)
+% \@makeschapterhead (cf. BK12.STY)
+% \chapter (cf. BK12.STY)
+% \@sect (cf. LATEX.TEX)
+% \section (cf. BK12.STY)
+% \subsection (cf. BK12.STY)
+% \subsubsection (cf. BK12.STY)
+% \paragraph (cf. BK12.STY)
+% \subparagraph (cf. BK12.STY)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%
+% number of numbered section levels
+%
+
+\setcounter{secnumdepth}{3}
+
+
+%
+% Adapt the font size for chapter titles and supress printing of
+% the word "chapter"
+%
+
+\def\@makechapterhead#1{ { \parindent 0pt \raggedright
+% \pretolerance added 12/3/91 fuh
+{\pretolerance=10000\Large \bf \thechapter.\hspace{0.3cm}#1\par}%
+ \nobreak \vskip 4cm \vskip\baselineskip} }
+
+\def\@makeschapterhead#1{ { \parindent 0pt \raggedright
+% \pretolerance added 12/3/91 fuh
+ \pretolerance=10000\Large \bf #1\par
+ \nobreak \vskip 4cm \vskip\baselineskip} }
+
+%
+% define pagestyle=empty for first page of a chapter
+%
+
+\def\chapter{\cleardoublepage \thispagestyle{empty} \global\@topnum\z@
+\@afterindentfalse \secdef\@chapter\@schapter}
+
+%
+% Change the distance between section number and title from 1em to 2mm
+% binding: changed again to 1en=0.5em | 5.2.91
+%
+
+\def\@sect#1#2#3#4#5#6[#7]#8{\ifnum #2>\c@secnumdepth
+ \def\@svsec{}\else
+ \refstepcounter{#1}%
+ \edef\@svsec{\csname the#1\endcsname\hskip 0.5em }\fi
+ \@tempskipa #5\relax
+ \ifdim \@tempskipa>\z@
+ \begingroup #6\relax
+% changed by Binding :) 20.3.91
+% old: \@hangfrom{\hskip #3\relax\@svsec}{\interlinepenalty \@M #8\par}
+% \@hangfrom deleted to avoid hanging indentation \noindent added
+ {\noindent\hskip #3\relax\@svsec}%
+ {\interlinepenalty \@M #8\par}
+ \endgroup
+ \csname #1mark\endcsname{#7}\addcontentsline
+ {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+ \protect\numberline{\csname the#1\endcsname}\fi
+ #7}\else
+ \def\@svsechd{#6\hskip #3\@svsec #8\csname #1mark\endcsname
+ {#7}\addcontentsline
+ {toc}{#1}{\ifnum #2>\c@secnumdepth \else
+ \protect\numberline{\csname the#1\endcsname}\fi
+ #7}}\fi
+ \@xsect{#5}}
+
+
+%
+% Font size for section titles;
+% Increased vertical space before and after sections, subsections
+% and subsubsections by 1ex; run-in headings starting with subsubsection
+%
+% (\@startsection{NAME}{LEVEL}{INDENT}{BEFORESKIP}{AFTERSKIP}{STYLE})
+%
+
+%binding, 18.3.91: \boldmath inserted
+\def\section{\@startsection{section}{1}{\z@}{
+ -4.50ex plus -1ex minus -.2ex}{3.3ex plus .2ex}
+ {\large\bf\boldmath\raggedright\pretolerance=10000}}
+% \raggedright and \pretolerance added 12/3/91 fuh
+\def\subsection{\@startsection{subsection}{2}{\z@}{
+ -4.25ex plus -1ex minus -.2ex}{2.5ex plus .2ex}
+ {\normalsize\bf\boldmath\raggedright\pretolerance=10000}}
+% \raggedright and \pretolerance added 12/3/91 fuh
+\def\subsubsection{\@startsection{subsubsection}{3}{\z@}{
+ -3.25ex plus -1ex minus -.2ex}{-0.5em}
+ {\normalsize\bf\boldmath}}
+\def\paragraph{\@startsection{paragraph}{4}{\z@}{
+ -3.25ex plus -1ex minus -.2ex}{-0.5em}{\normalsize\it}}
+\def\subparagraph{\@startsection{subparagraph}{5}{\@}{
+ -3.25ex plus -1ex minus -.2ex}{-0.5em}{\normalsize\it}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%20.3.91, binding: \labelitemi changed
+\renewcommand{\labelitemi}{$\bullet$}
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Tables
+%
+% Change width of horizontal and vertical lines in arrays and tables
+%
+% The following commands are redefined:
+%
+% \arrayrulewidth
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\arrayrulewidth0.15mm
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Figure and table captions (small)
+%
+% To meet the different requirements for table and figure captions
+% new macros \@makefigurecaption and \@maketablecaption are introduced
+% in addition to \@makecaption (cf. BOOK.STY). The \@caption macro is
+% changed to check for figures and tables.
+%
+% The following commands are redefined:
+%
+% \@caption (cf. LATEX.TEX)
+% \fnum@figure (cf. BOOK.STY)
+% \fnum@table (cf. BOOK.STY)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\long\def\@caption#1[#2]#3{\addcontentsline{\csname
+ ext@#1\endcsname}{#1}{\protect\numberline{\csname
+ the#1\endcsname}{\ignorespaces #2}}\par
+ \begingroup
+ \@parboxrestore
+ \normalsize
+ \csname @make#1caption\endcsname
+ {\csname fnum@#1\endcsname}{\ignorespaces #3}\par
+ \endgroup}
+
+\long\def\@makefigurecaption#1#2{
+ \vskip 10pt % skip between figure and caption
+ {\small % required here for correct \baselineskip !
+ \setbox\@tempboxa\hbox{\small{\bf#1}#2}
+ \ifdim \wd\@tempboxa >\hsize
+ \unhbox\@tempboxa\par
+ \else
+ \hbox to\hsize{\hfil\box\@tempboxa\hfil} % centered short caption !
+ \fi}
+ \vskip 10pt} % additional space between caption and text
+
+\long\def\@maketablecaption#1#2{
+ \vskip 10pt % additional space between text and caption
+ {\small % required here for correct \baselineskip !
+ \setbox\@tempboxa\hbox{\small{\bf#1}#2}
+ \ifdim \wd\@tempboxa >\hsize
+ \unhbox\@tempboxa\par
+ \else \hbox to\hsize{\box\@tempboxa\hfil} % leftadjusted short caption !
+ \fi}
+ \vskip 10pt} % skip between caption and table
+
+\def\fnum@figure{Fig.$\,$\thefigure.$\;$}
+\def\fnum@table{Table$\,$\thetable.$\;$}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Distance between text and floatings (tables, figures)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\floatsep 14pt plus 2pt minus 4pt % LaTeX defaults values
+\textfloatsep 20pt plus 2pt minus 4pt %
+\intextsep 14pt plus 4pt minus 4pt %
+\@maxsep 20pt %
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Table of contents
+%
+% The following commands are redefined:
+%
+% \l@chapter (cf. LATEX.STY)
+% \tableofcontents
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%
+% lowest level for table of contents entries
+%
+\setcounter{tocdepth}{3}
+
+%
+% dotted line for chapters in table of contents
+% (cf. definition of \@dottedline in LATEX.STY)
+%
+\def\l@chapter#1#2{\pagebreak[3]
+ \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup
+ \parindent \z@ \rightskip \@pnumwidth
+ \parfillskip -\@pnumwidth
+ \rm \leavevmode #1
+ \nobreak\leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern \@dotsep mu$}\hfill
+ \nobreak
+ \hbox to\@pnumwidth{\hss \rm #2}\par
+ \endgroup}
+
+%copied from book.sty to leave room for 12.11, etc. -- Frank Holzwarth via LCP
+\def\l@section{\@dottedtocline{1}{1.5em}{2.8em}}
+\def\l@figure{\@dottedtocline{1}{1.5em}{2.8em}}
+
+%
+% Adaption of \tableofcontents (title,headings,pagenumber)
+%
+
+\def\tableofcontents{
+ \@restonecolfalse
+ \if@twocolumn\@restonecoltrue\onecolumn\fi
+ \chapter*{Table of Contents}
+ \markboth{Table of Contents}{Table of Contents} % headline
+ \renewcommand{\thepage}{\Roman{page}} % roman page number
+ \@starttoc{toc}\if@restonecol\twocolumn\fi}
+
+%%%%%%%% added 91/10/07 fuh %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% List of figures
+%
+% The following commands are redefined:
+%
+% \listoffigures
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+\def\listoffigures{
+ \@restonecolfalse
+ \if@twocolumn\@restonecoltrue\onecolumn\fi
+ \chapter*{List of Figures}
+ \markboth{List of Figures}{List of Figures} % headline
+ \renewcommand{\thepage}{\Roman{page}} % roman page number
+ \@starttoc{lof}\if@restonecol\twocolumn\fi}
+
+%%%%%%%% added 91/10/07 fuh %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% List of tables
+%
+% The following commands are redefined:
+%
+% \listoftables
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+\def\listoftables{
+ \@restonecolfalse
+ \if@twocolumn\@restonecoltrue\onecolumn\fi
+ \chapter*{List of Tables}
+ \markboth{List of Tables}{List of Tables} % headline
+ \renewcommand{\thepage}{\Roman{page}} % roman page number
+ \@starttoc{lot}\if@restonecol\twocolumn\fi}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Index (with table of contents entry)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\theindex{ \cleardoublepage
+ \small
+ \columnseprule \z@
+ \columnsep=0.84cm
+ \twocolumn[\@makeschapterhead{Index}]
+ \addcontentsline{toc}{chapter}{Index}
+ \@mkboth{Index}{Index}
+ \thispagestyle{plain}\parindent\z@
+ \parskip\z@ plus .3pt\relax\let\item\@idxitem}
+\def\@idxitem{\par\hangindent 15pt}
+\def\subitem{\par\hangindent 15pt -- }
+\def\endtheindex{\clearpage}
+\def\indexspace{\par \vskip 10pt plus 5pt minus 3pt\relax}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% References (Bibliography)
+%
+% Macros for creating a list of references in small print using LaTeX
+% defaults or some special Springer commands.
+%
+% Usage:
+%
+% \begin{thebibliography}{wide-label} % LaTeX standard macros
+% \bibitem[label]{name} ... text ...
+% \bibitem[label]{name} ... text ...
+% \end{thebibliography}
+%
+% or
+%
+% \begin{references}{wide-label} % Springer macros
+% \refer ... text ...
+% \refno{no.} ... text ...
+% \refmark{[label]} ... text ...
+% \end{references}
+%
+% New commands:
+%
+% \refchapter starts an unnumbered chapter "References"; small font
+% \refer unlabeled item with hanging indentation
+% \refno right adjusted label (for numbers)
+% \refmark left adjusted label (for text labels)
+%
+% Changed commands
+%
+% \thebibliography (BOOK.STY) (further edit by LCP!)
+% \endthebibliography (BOOK.STY)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\refchapter{\chapter*{References}
+\parindent0pt\parskip0pt\small
+\addcontentsline{toc}{chapter}{References}
+\markboth{References}{References}}
+
+
+\def\thebibliography#1{\refchapter\small\list
+ {\arabic{enumi}.}{\settowidth\labelwidth{#1.}\leftmargin\labelwidth
+ \advance\leftmargin\labelsep
+ \usecounter{enumi}}
+ \def\newblock{\hskip .11em plus .33em minus -.07em}
+ \sloppy
+ \sfcode`\.=1000\relax}
+\let\endthebibliography=\endlist
+
+
+\newenvironment{references}[1]{\refchapter
+ \settowidth\labelwidth{#1\enspace}
+ \begingroup}{\endgraf\endgroup}
+%
+% The following macros are from REFER.TEX.
+% \refindent is replaced by the predefined dimension \labelwidth
+% that is also used by \thebibliography; \ref is replaced by \refer
+% since \ref is already used for referencing lables!
+
+%%%\newlinechar=`\|
+
+% \refer produces ordinary entries, successive line are indented 1em
+\def\refer{\goodbreak\hangindent1em\hangafter=1\noindent\ignorespaces}
+
+% \refno produces entries with right-aligned marks in the margin
+\def\refno#1{\goodbreak
+\setbox0=\hbox{#1\enspace}\ifdim\labelwidth<\wd0\relax
+\message{|Your reference `#1' is wider than you pretended in using
+\string\begref.}\fi
+\hangindent\labelwidth\hangafter=1\noindent
+\kern\labelwidth\llap{#1\enspace}\ignorespaces}
+
+% \refmark produces entries with left-aligned marks in the margin
+\def\refmark#1{\goodbreak
+\setbox0=\hbox{#1\enspace}\ifdim\labelwidth<\wd0\relax
+\message{|Your reference `#1' is wider than you pretended in using
+\string\begref.}\fi
+\hangindent\labelwidth\hangafter=1\noindent
+\hbox to\labelwidth{#1\hss}\ignorespaces}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% New environments
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+%
+% The following lines define a new environment 'listing'
+%
+% \begin{listing}
+% ...
+% \end{listing}
+%
+% that prints listings using \footnotesize and takes care to reset
+% the \baselineskip. The macro definition is based on ALLTT.STY that
+% allows various TEX commands to be given within the environment
+% (e.g. '\input', '\index' or '\it'). '%' has been retained as a special
+% character within 'listing', however, to avoid unwanted line breaks.
+%
+%
+
+\def\docspecials{\do\ \do\$\do\&%
+ \do\#\do\^\do\^^K\do\_\do\^^A\do\~}
+
+\newdimen\oldbaselineskip
+\def\listing{\par\noindent\oldbaselineskip=\baselineskip \footnotesize%
+\trivlist \item[]\if@minipage\else\vskip\parskip\fi
+\leftskip\@totalleftmargin\rightskip\z@
+\parindent\z@\parfillskip\@flushglue\parskip\z@
+\@tempswafalse \def\par{\if@tempswa\hbox{}\fi\@tempswatrue\@@par}
+\obeylines \tt \catcode``=13 \@noligs \let\do\@makeother \docspecials
+ \frenchspacing\@vobeyspaces}
+
+\def\endlisting{\endtrivlist\baselineskip=\oldbaselineskip}
+
+%Add ttbox to Springer's macros!! - LCP
+%now redefines \{ and \}
+\newenvironment{ttbox}{\par\nobreak\vskip-2pt%
+ \vbox\bgroup\begin{listing}\chardef\{=`\{\chardef\}=`\}%
+ \leftskip\leftmargini}%
+ {\end{listing}\egroup\vskip-7pt\@endparenv}
+\newcommand\ttbreak{\end{ttbox}\goodbreak\vskip-8pt plus 3pt\begin{ttbox}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Acknowledgements ( = acknow.tex)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\ack#1{\vskip11pt\begingroup\noindent{\it Acknowledgements\/}.
+\ignorespaces#1\vskip6pt\endgroup}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Definition of versal greek letters ( = ucgreek.tex)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\mathchardef\Gamma="0100
+\mathchardef\Delta="0101
+\mathchardef\Theta="0102
+\mathchardef\Lambda="0103
+\mathchardef\Xi="0104
+\mathchardef\Pi="0105
+\mathchardef\Sigma="0106
+\mathchardef\Upsilon="0107
+\mathchardef\Phi="0108
+\mathchardef\Psi="0109
+\mathchardef\Omega="010A
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Vectors ( = vector.tex)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% This is vector.tex
+% it redefines the plain TeX \vec command
+% to produce bold characters
+%
+\def\vec#1{\ifmmode
+\mathchoice{\mbox{\boldmath$\displaystyle\bf#1$}}
+{\mbox{\boldmath$\textstyle\bf#1$}}
+{\mbox{\boldmath$\scriptstyle\bf#1$}}
+{\mbox{\boldmath$\scriptscriptstyle\bf#1$}}\else
+{\mbox{\boldmath$\bf#1$}}\fi}
+%
+%\def\vec#1{{\textfont0=\tenbf\scriptfont0=\sevenbf
+%\scriptscriptfont0=\fivebf
+%\textfont1=\tenbf\scriptfont1=\sevenbf
+%\scriptscriptfont1=\fivebf
+%\ifmmode % supply all varieties of math sizes
+% \mathchoice{\hbox{$\displaystyle#1$}}{\hbox{$\textstyle#1$}}
+% {\hbox{$\scriptstyle#1$}}{\hbox{$\scriptscriptstyle#1$}}
+%\else\hbox{$#1$}\fi}}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Symbols ( = symbols.tex )
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% This is symbols.tex
+% the symbols not available in plain TeX are constructed
+% by overprinting some characters
+
+\def\sun{{\hbox{$\odot$}}}
+\def\la{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1.0pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip0.5pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil
+\cr<\cr\noalign{\vskip0.5pt}\sim\cr}}}}}
+\def\ga{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1.0pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip0.5pt}\sim\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil
+\cr>\cr\noalign{\vskip0.5pt}\sim\cr}}}}}
+\def\sq{\hbox{\rlap{$\sqcap$}$\sqcup$}}
+\def\degr{\hbox{$^\circ$}}
+\def\arcmin{\hbox{$^\prime$}}
+\def\arcsec{\hbox{$^{\prime\prime}$}}
+\def\utw{\smash{\rlap{\lower5pt\hbox{$\sim$}}}}
+\def\udtw{\smash{\rlap{\lower6pt\hbox{$\approx$}}}}
+\def\fd{\hbox{$.\!\!^{\rm d}$}}
+\def\fh{\hbox{$.\!\!^{\rm h}$}}
+\def\fm{\hbox{$.\!\!^{\rm m}$}}
+\def\fs{\hbox{$.\!\!^{\rm s}$}}
+\def\fdg{\hbox{$.\!\!^\circ$}}
+\def\farcm{\hbox{$.\mkern-4mu^\prime$}}
+\def\farcs{\hbox{$.\!\!^{\prime\prime}$}}
+\def\fp{\hbox{$.\!\!^{\scriptscriptstyle\rm p}$}}
+\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip
+\halign{\hfil$\displaystyle##$\hfil\cr\gets\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+\gets\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+\gets\cr\to\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+\gets\cr\to\cr}}}}}
+\def\cor{\mathrel{\mathchoice {\hbox{$\widehat=$}}{\hbox{$\widehat=$}}
+{\hbox{$\scriptstyle\hat=$}}
+{\hbox{$\scriptscriptstyle\hat=$}}}}
+\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1.5pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+>\cr\noalign{\vskip-1.5pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-1pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.5pt}<\cr}}}}}
+\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip0.5pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+<\cr\noalign{\vskip0.5pt}=\cr}}}}}
+\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip0.5pt}=\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip0.5pt}=\cr}}}}}
+\def\sol{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr\sim\cr\noalign{\vskip-0.2mm}<\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\textstyle##$\hfil\cr\sim\cr<\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptstyle##$\hfil\cr\sim\cr<\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptscriptstyle##$\hfil\cr\sim\cr<\cr}}}}}
+\def\sog{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr\sim\cr\noalign{\vskip-0.2mm}>\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\textstyle##$\hfil\cr\sim\cr>\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptstyle##$\hfil\cr\sim\cr>\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptscriptstyle##$\hfil\cr\sim\cr>\cr}}}}}
+\def\lse{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip0.5pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptscriptstyle##$\hfil\cr<\cr
+\noalign{\vskip0.5pt}\simeq\cr}}}}}
+\def\gse{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1.0pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip0.5pt}\simeq\cr}}}
+{\vcenter{\offinterlineskip
+\halign{\hfil$\scriptscriptstyle##$\hfil\cr>\cr
+\noalign{\vskip0.5pt}\simeq\cr}}}}}
+\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1.5pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+>\cr\noalign{\vskip-1.5pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-1pt}<\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip-0.5pt}<\cr}}}}}
+\def\leogr{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip-1.5pt}>\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr
+<\cr\noalign{\vskip-1.5pt}>\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr
+<\cr\noalign{\vskip-1pt}>\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+<\cr\noalign{\vskip-0.5pt}>\cr}}}}}
+\def\loa{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.5pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr
+\noalign{\vskip1.0pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr
+\noalign{\vskip0.5pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+<\cr\noalign{\vskip0.5pt}\approx\cr}}}}}
+\def\goa{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil
+$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.5pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr
+\noalign{\vskip1.0pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr
+\noalign{\vskip0.5pt}\approx\cr}}}
+{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr
+>\cr\noalign{\vskip0.5pt}\approx\cr}}}}}
+\def\bbbr{{\rm I\!R}} %reelle Zahlen
+\def\bbbn{{\rm I\!N}} %natuerliche Zahlen
+\def\bbbm{{\rm I\!M}}
+\def\bbbh{{\rm I\!H}}
+\def\bbbf{{\rm I\!F}}
+\def\bbbk{{\rm I\!K}}
+\def\bbbp{{\rm I\!P}}
+\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l}
+{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}}
+\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox
+to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}}
+\def\bbbe{{\mathchoice {\setbox0=\hbox{\smalletextfont e}\hbox{\raise
+0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.3pt
+height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{\smalletextfont e}\hbox{\raise
+0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.3pt
+height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{\smallescriptfont e}\hbox{\raise
+0.1\ht0\hbox to0pt{\kern0.5\wd0\vrule width0.2pt
+height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{\smallescriptscriptfont e}\hbox{\raise
+0.1\ht0\hbox to0pt{\kern0.4\wd0\vrule width0.2pt
+height0.7\ht0\hss}\box0}}}}
+\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise
+0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}}
+\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm
+T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox
+to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}}
+\def\bbbs{{\mathchoice
+{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox
+to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}}
+{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox
+to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox
+to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}}
+
+%
+% note: changed \sans to \sf for LaTeX
+%
+
+\def\bbbz{{\mathchoice {\hbox{$\sf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\sf\textstyle Z\kern-0.4em Z$}}
+{\hbox{$\sf\scriptstyle Z\kern-0.3em Z$}}
+{\hbox{$\sf\scriptscriptstyle Z\kern-0.2em Z$}}}}
+
+\def\diameter{{\ifmmode\oslash\else$\oslash$\fi}}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% petit (substitute for petit.tex)
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+\newenvironment{petit}{\vskip6pt\begingroup\small}{\endgroup\vskip6pt}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% New environments
+%
+% lemma, proposition, theorem, corollary (\bf,\it) (numbered)
+% exercise, problem, solution, definition (\bf,\rm)
+% 27.3.91 binding: example, note and question changed to (\bf, \rm)
+%
+% lemma*, proposition*, theorem*, corollary* (\bf,\it) (unnumbered)
+% exercise*, problem*, solution*, definition* (\bf,\rm)
+% example*, note*, question* (\it,\rm)
+%
+% remark, proof (\it,\rm) (unnumbered)
+%
+% usage: \begin{lemma} or \begin{lemma}[COMMENT]
+% ... ...
+% \end{lemma} \end{lemma}
+%
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+% currently one counter is used for all theorem like environments
+
+\newcounter{lemmacount}[chapter]
+\renewcommand{\thelemmacount}{\thechapter.\arabic{lemmacount}}
+
+
+%
+% short form for defininng new theorem like environments:
+% \newthe{NAME}{NAME*}{TITLE}{COUNTER}{FONT1}{FONT2}
+%
+\def\@@begthe#1{\@ifnextchar[{\@optbegthe#1}{\@begthe#1}}
+%27.3.91 binding: dot deleted
+%def\@begthe#1{. #1} old
+\def\@begthe#1{ #1}
+\def\@optbegthe#1[#2]{ {#2} #1}
+\newcommand{\newthe}[6]{
+ \def\nlni{\par\ifvmode\removelastskip\fi\vskip\baselineskip\noindent}
+ \def\xxxend{\endgroup\vskip\baselineskip}
+ \newenvironment{#1}{\nlni\begingroup\refstepcounter{#4}#5#3
+%changed 91/10/7 fuh:\arabic{chapter}.\arabic{#4}\@@begthe{#6}}{\xxxend}
+ \thechapter.\arabic{#4}\@@begthe{#6}}{\xxxend}
+ \newenvironment{#2}{\nlni\begingroup#5#3\@@begthe{#6}}{\xxxend}}
+
+
+% Lemma, Proposition, Theorem, Corollary (\bf,\it)
+
+\newthe{lemma}{lemma*}{Lemma}{lemmacount}{\bf}{\it}
+\newthe{proposition}{proposition*}{Proposition}{lemmacount}{\bf}{\it}
+\newthe{theorem}{theorem*}{Theorem}{lemmacount}{\bf}{\it}
+\newthe{corollary}{corollary*}{Corollary}{lemmacount}{\bf}{\it}
+
+
+% Exercise, Problem, Solution, Definition (\bf,\rm)
+
+\newthe{exercise}{exercise*}{exercise}{lemmacount}{\bf}{\it}
+\newthe{problem}{problem*}{Problem}{lemmacount}{\bf}{\it}
+\newthe{solution}{solution*}{Solution}{lemmacount}{\bf}{\it}
+\newthe{definition}{definition*}{Definition}{lemmacount}{\bf}{\it}
+
+
+% Example, Note, Question (\bf,\rm)
+
+\newthe{example}{example*}{Example}{lemmacount}{\bf}{\rm}
+\newthe{note}{note*}{Note}{lemmacount}{\bf}{\rm}
+\newthe{question}{question*}{Question}{lemmacount}{\bf}{\rm}
+
+
+% Remark, Proof
+
+\newenvironment{remark}{\nlni\begingroup\it Remark. \rm}{
+ \endgroup\vskip\baselineskip}
+\newenvironment{proof}{\nlni\begingroup\it Proof. \rm}{
+ \endgroup\vskip\baselineskip}
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% qed
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\qed{\ifmmode\sq\else{\unskip\nobreak\hfil
+\penalty50\hskip1em\null\nobreak\hfil\sq
+\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% \eqnarticle simple equation numbers without chapter number
+% \eqnbook structured equation numbers (default)
+% changed by binding 5.2.91: changed to \numberlikearticle and
+% \numberlikebook, changing numbering of
+% figures and tables also.
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\def\numberlikearticle{\global\def\theequation{\arabic{equation}}
+\global\def\thetable{\arabic{table}}
+\global\def\thefigure{\arabic{figure}}}
+\def\numberlikebook{\global\def\theequation{\thechapter.\arabic{equation}}
+\global\def\thetable{\thechapter.\arabic{table}}
+\global\def\thefigure{\thechapter.\arabic{figure}}}
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% Redeclaration of \makeatletter; no @-expressions may be used from now on
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\makeatother
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%
+% End of MATHSING.STY
+%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/more_antiquote.ML Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,50 @@
+(* Title: Doc/more_antiquote.ML
+ Author: Florian Haftmann, TU Muenchen
+
+More antiquotations.
+*)
+
+signature MORE_ANTIQUOTE =
+sig
+ val setup: theory -> theory
+end;
+
+structure More_Antiquote : MORE_ANTIQUOTE =
+struct
+
+(* code theorem antiquotation *)
+
+local
+
+fun pretty_term ctxt t = Syntax.pretty_term (Variable.auto_fixes t ctxt) t;
+
+fun pretty_thm ctxt = pretty_term ctxt o Thm.full_prop_of;
+
+fun no_vars ctxt thm =
+ let
+ val ctxt' = Variable.set_body false ctxt;
+ val ((_, [thm]), _) = Variable.import true [thm] ctxt';
+ in thm end;
+
+fun pretty_code_thm src ctxt raw_const =
+ let
+ val thy = Proof_Context.theory_of ctxt;
+ val const = Code.check_const thy raw_const;
+ val (_, eqngr) = Code_Preproc.obtain true thy [const] [];
+ fun holize thm = @{thm meta_eq_to_obj_eq} OF [thm];
+ val thms = Code_Preproc.cert eqngr const
+ |> Code.equations_of_cert thy
+ |> snd
+ |> map_filter (fn (_, (some_thm, proper)) => if proper then some_thm else NONE)
+ |> map (holize o no_vars ctxt o AxClass.overload thy);
+ in Thy_Output.output ctxt (Thy_Output.maybe_pretty_source pretty_thm ctxt src thms) end;
+
+in
+
+val setup =
+ Thy_Output.antiquotation @{binding code_thms} Args.term
+ (fn {source, context, ...} => pretty_code_thm source context);
+
+end;
+
+end;
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/pdfsetup.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,27 @@
+%%
+%% hyperref setup -- special version for Isabelle documentation
+%%
+
+\usepackage{ifpdf}
+
+\usepackage{color}
+\definecolor{linkcolor}{rgb}{0,0,0}
+\usepackage[colorlinks=true,linkcolor=linkcolor,citecolor=linkcolor,filecolor=linkcolor,pagecolor=linkcolor,urlcolor=linkcolor,pdfpagelabels]{hyperref}
+
+\newcommand{\hfootref}[2]{\href{#1}{#2}\footnote{\url{#1}}}
+\gdef\fnote#1{\hyperpage{#1}n}
+\gdef\bold#1{\textbf{\hyperpage{#1}}}
+
+\urlstyle{rm}
+\ifpdf\relax\else\renewcommand{\url}[1]{\nolinkurl{#1}}\fi
+
+\def\isaliteral#1#2{#2}
+\def\isanil{}
+
+%experimental treatment of replacement text
+\iffalse
+\ifnum\pdfminorversion<5\pdfminorversion=5\fi
+\renewcommand{\isaliteral}[2]{%
+\pdfliteral direct{/Span <</ActualText<#1>>> BDC}#2\pdfliteral direct{EMC}}
+\renewcommand{\isanil}{{\color{white}.}}
+\fi
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/preface.tex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,143 @@
+\chapter*{Preface}
+\markboth{Preface}{Preface} %or Preface ?
+%%\addcontentsline{toc}{chapter}{Preface}
+
+Most theorem provers support a fixed logic, such as first-order or
+equational logic. They bring sophisticated proof procedures to bear upon
+the conjectured formula. The resolution prover Otter~\cite{wos-bledsoe} is
+an impressive example.
+
+{\sc alf}~\cite{alf}, Coq~\cite{coq} and Nuprl~\cite{constable86} each
+support a fixed logic too. These are higher-order type theories,
+explicitly concerned with computation and capable of expressing
+developments in constructive mathematics. They are far removed from
+classical first-order logic.
+
+A diverse collection of logics --- type theories, process calculi,
+$\lambda$-calculi --- may be found in the Computer Science literature.
+Such logics require proof support. Few proof procedures are known for
+them, but the theorem prover can at least automate routine steps.
+
+A {\bf generic} theorem prover is one that supports a variety of logics.
+Some generic provers are noteworthy for their user interfaces
+\cite{dawson90,mural,sawamura92}. Most of them work by implementing a
+syntactic framework that can express typical inference rules. Isabelle's
+distinctive feature is its representation of logics within a fragment of
+higher-order logic, called the meta-logic. The proof theory of
+higher-order logic may be used to demonstrate that the representation is
+correct~\cite{paulson89}. The approach has much in common with the
+Edinburgh Logical Framework~\cite{harper-jacm} and with
+Felty's~\cite{felty93} use of $\lambda$Prolog to implement logics.
+
+An inference rule in Isabelle is a generalized Horn clause. Rules are
+joined to make proofs by resolving such clauses. Logical variables in
+goals can be instantiated incrementally. But Isabelle is not a resolution
+theorem prover like Otter. Isabelle's clauses are drawn from a richer
+language and a fully automatic search would be impractical. Isabelle does
+not resolve clauses automatically, but under user direction. You can
+conduct single-step proofs, use Isabelle's built-in proof procedures, or
+develop new proof procedures using tactics and tacticals.
+
+Isabelle's meta-logic is higher-order, based on the simply typed
+$\lambda$-calculus. So resolution cannot use ordinary unification, but
+higher-order unification~\cite{huet75}. This complicated procedure gives
+Isabelle strong support for many logical formalisms involving variable
+binding.
+
+The diagram below illustrates some of the logics distributed with Isabelle.
+These include first-order logic (intuitionistic and classical), the sequent
+calculus, higher-order logic, Zermelo-Fraenkel set theory~\cite{suppes72},
+a version of Constructive Type Theory~\cite{nordstrom90}, several modal
+logics, and a Logic for Computable Functions~\cite{paulson87}. Several
+experimental logics are being developed, such as linear logic.
+
+\centerline{\epsfbox{gfx/Isa-logics.eps}}
+
+
+\section*{How to read this book}
+Isabelle is a complex system, but beginners can get by with a few commands
+and a basic knowledge of how Isabelle works. Some knowledge of
+Standard~\ML{} is essential because \ML{} is Isabelle's user interface.
+Advanced Isabelle theorem proving can involve writing \ML{} code, possibly
+with Isabelle's sources at hand. My book on~\ML{}~\cite{paulson91} covers
+much material connected with Isabelle, including a simple theorem prover.
+
+The Isabelle documentation is divided into three parts, which serve
+distinct purposes:
+\begin{itemize}
+\item {\em Introduction to Isabelle\/} describes the basic features of
+ Isabelle. This part is intended to be read through. If you are
+ impatient to get started, you might skip the first chapter, which
+ describes Isabelle's meta-logic in some detail. The other chapters
+ present on-line sessions of increasing difficulty. It also explains how
+ to derive rules define theories, and concludes with an extended example:
+ a Prolog interpreter.
+
+\item {\em The Isabelle Reference Manual\/} provides detailed information
+ about Isabelle's facilities, excluding the object-logics. This part
+ would make boring reading, though browsing might be useful. Mostly you
+ should use it to locate facts quickly.
+
+\item {\em Isabelle's Object-Logics\/} describes the various logics
+ distributed with Isabelle. The chapters are intended for reference only;
+ they overlap somewhat so that each chapter can be read in isolation.
+\end{itemize}
+This book should not be read from start to finish. Instead you might read
+a couple of chapters from {\em Introduction to Isabelle}, then try some
+examples referring to the other parts, return to the {\em Introduction},
+and so forth. Starred sections discuss obscure matters and may be skipped
+on a first reading.
+
+
+
+\section*{Releases of Isabelle}
+Isabelle was first distributed in 1986. The 1987 version introduced a
+higher-order meta-logic with an improved treatment of quantifiers. The
+1988 version added limited polymorphism and support for natural deduction.
+The 1989 version included a parser and pretty printer generator. The 1992
+version introduced type classes, to support many-sorted and higher-order
+logics. The 1993 version provides greater support for theories and is
+much faster.
+
+Isabelle is still under development. Projects under consideration include
+better support for inductive definitions, some means of recording proofs, a
+graphical user interface, and developments in the standard object-logics.
+I hope but cannot promise to maintain upwards compatibility.
+
+Isabelle can be downloaded from .
+\begin{quote}
+{\tt http://www.cl.cam.ac.uk/Research/HVG/Isabelle/dist/}
+\end{quote}
+The electronic distribution list {\tt isabelle-users\at cl.cam.ac.uk}
+provides a forum for discussing problems and applications involving
+Isabelle. To join, send me a message via {\tt lcp\at cl.cam.ac.uk}.
+Please notify me of any errors you find in this book.
+
+\section*{Acknowledgements}
+Tobias Nipkow has made immense contributions to Isabelle, including the
+parser generator, type classes, the simplifier, and several object-logics.
+He also arranged for several of his students to help. Carsten Clasohm
+implemented the theory database; Markus Wenzel implemented macros; Sonia
+Mahjoub and Karin Nimmermann also contributed.
+
+Nipkow and his students wrote much of the documentation underlying this
+book. Nipkow wrote the first versions of \S\ref{sec:defining-theories},
+\S\ref{sec:ref-defining-theories}, Chap.\ts\ref{Defining-Logics},
+Chap.\ts\ref{simp-chap} and App.\ts\ref{app:TheorySyntax}\@. Carsten
+Clasohm contributed to Chap.\ts\ref{theories}. Markus Wenzel contributed
+to Chap.\ts\ref{chap:syntax}. Nipkow also provided the quotation at
+the front.
+
+David Aspinall, Sara Kalvala, Ina Kraan, Chris Owens, Zhenyu Qian, Norbert
+V{\"o}lker and Markus Wenzel suggested changes and corrections to the
+documentation.
+
+Martin Coen, Rajeev Gor\'e, Philippe de Groote and Philippe No\"el helped
+to develop Isabelle's standard object-logics. David Aspinall performed
+some useful research into theories and implemented an Isabelle Emacs mode.
+Isabelle was developed using Dave Matthews's Standard~{\sc ml} compiler,
+Poly/{\sc ml}.
+
+The research has been funded by numerous SERC grants dating from the Alvey
+programme (grants GR/E0355.7, GR/G53279, GR/H40570) and by ESPRIT (projects
+3245: Logical Frameworks and 6453: Types).
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/prepare_document Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+FORMAT="$1"
+
+"$ISABELLE_TOOL" latex -o sty
+cp "$ISABELLE_HOME/src/Doc/pdfsetup.sty" .
+
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+"$ISABELLE_TOOL" latex -o bbl
+[ -f root.idx ] && "$ISABELLE_HOME/src/Doc/sedindex" root
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+[ -f root.out ] && "$ISABELLE_HOME/src/Doc/fixbookmarks" root.out
+"$ISABELLE_TOOL" latex -o "$FORMAT"
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/proof.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,272 @@
+\ProvidesPackage{proof}[1995/05/22]
+% proof.sty (Proof Figure Macros)
+%
+% version 2.0
+% June 24, 1991
+% Copyright (C) 1990,1991 Makoto Tatsuta (tatsuta@riec.tohoku.ac.jp)
+%
+%Modified for LaTeX-2e by L. C. Paulson
+%
+% This program is free software; you can redistribute it or modify
+% it under the terms of the GNU General Public License as published by
+% the Free Software Foundation; either versions 1, or (at your option)
+% any later version.
+%
+% This program is distributed in the hope that it will be useful
+% but WITHOUT ANY WARRANTY; without even the implied warranty of
+% MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+% GNU General Public License for more details.
+%
+% Usage:
+% In \documentstyle, specify an optional style `proof', say,
+% \documentstyle[proof]{article}.
+%
+% The following macros are available:
+%
+% In all the following macros, all the arguments such as
+% <Lowers> and <Uppers> are processed in math mode.
+%
+% \infer<Lower><Uppers>
+% draws an inference.
+%
+% Use & in <Uppers> to delimit upper formulae.
+% <Uppers> consists more than 0 formulae.
+%
+% \infer returns \hbox{ ... } or \vbox{ ... } and
+% sets \@LeftOffset and \@RightOffset globally.
+%
+% \infer[<Label>]<Lower><Uppers>
+% draws an inference labeled with <Label>.
+%
+% \infer*<Lower><Uppers>
+% draws a many step deduction.
+%
+% \infer*[<Label>]<Lower><Uppers>
+% draws a many step deduction labeled with <Label>.
+%
+% \infer=<Lower><Uppers>
+% draws a double-ruled deduction.
+%
+% \infer=[<Label>]<Lower><Uppers>
+% draws a double-ruled deduction labeled with <Label>.
+%
+% \deduce<Lower><Uppers>
+% draws an inference without a rule.
+%
+% \deduce[<Proof>]<Lower><Uppers>
+% draws a many step deduction with a proof name.
+%
+% Example:
+% If you want to write
+% B C
+% -----
+% A D
+% ----------
+% E
+% use
+% \infer{E}{
+% A
+% &
+% \infer{D}{B & C}
+% }
+%
+
+% Style Parameters
+
+\newdimen\inferLineSkip \inferLineSkip=2pt
+\newdimen\inferLabelSkip \inferLabelSkip=5pt
+\def\inferTabSkip{\quad}
+
+% Variables
+
+\newdimen\@LeftOffset % global
+\newdimen\@RightOffset % global
+\newdimen\@SavedLeftOffset % safe from users
+
+\newdimen\UpperWidth
+\newdimen\LowerWidth
+\newdimen\LowerHeight
+\newdimen\UpperLeftOffset
+\newdimen\UpperRightOffset
+\newdimen\UpperCenter
+\newdimen\LowerCenter
+\newdimen\UpperAdjust
+\newdimen\RuleAdjust
+\newdimen\LowerAdjust
+\newdimen\RuleWidth
+\newdimen\HLabelAdjust
+\newdimen\VLabelAdjust
+\newdimen\WidthAdjust
+
+\newbox\@UpperPart
+\newbox\@LowerPart
+\newbox\@LabelPart
+\newbox\ResultBox
+
+% Flags
+
+\newif\if@inferRule % whether \@infer draws a rule.
+\newif\if@DoubleRule % whether \@infer draws doulbe rules.
+\newif\if@ReturnLeftOffset % whether \@infer returns \@LeftOffset.
+\newif\if@MathSaved % whether inner math mode where \infer or
+ % \deduce appears.
+
+% Special Fonts
+
+\def\DeduceSym{\vtop{\baselineskip4\p@ \lineskiplimit\z@
+ \vbox{\hbox{.}\hbox{.}\hbox{.}}\hbox{.}}}
+
+% Math Save Macros
+%
+% \@SaveMath is called in the very begining of toplevel macros
+% which are \infer and \deduce.
+% \@RestoreMath is called in the very last before toplevel macros end.
+% Remark \infer and \deduce ends calling \@infer.
+%TEMPORARILY DELETED BY LCP DUE TO CONFLICT WITH CLASS "amsmath.sty"
+
+\def\@SaveMath{}
+
+\def\@RestoreMath{}
+
+% Macros
+
+\def\@ifEmpty#1#2#3{\def\@tempa{\@empty}\def\@tempb{#1}\relax
+ \ifx \@tempa \@tempb #2\else #3\fi }
+
+\def\infer{\@SaveMath \@ifnextchar *{\@inferSteps}{\relax
+ \@ifnextchar ={\@inferDoubleRule}{\@inferOneStep}}}
+
+\def\@inferOneStep{\@inferRuletrue \@DoubleRulefalse
+ \@ifnextchar [{\@infer}{\@infer[\@empty]}}
+
+\def\@inferDoubleRule={\@inferRuletrue \@DoubleRuletrue
+ \@ifnextchar [{\@infer}{\@infer[\@empty]}}
+
+\def\@inferSteps*{\@ifnextchar [{\@@inferSteps}{\@@inferSteps[\@empty]}}
+
+\def\@@inferSteps[#1]{\@deduce{#1}[\DeduceSym]}
+
+\def\deduce{\@SaveMath \@ifnextchar [{\@deduce{\@empty}}
+ {\@inferRulefalse \@infer[\@empty]}}
+
+% \@deduce<Proof Label>[<Proof>]<Lower><Uppers>
+
+\def\@deduce#1[#2]#3#4{\@inferRulefalse
+ \@infer[\@empty]{#3}{\@SaveMath \@infer[{#1}]{#2}{#4}}}
+
+% \@infer[<Label>]<Lower><Uppers>
+% If \@inferRuletrue, it draws a rule and <Label> is right to
+% a rule. In this case, if \@DoubleRuletrue, it draws
+% double rules.
+%
+% Otherwise, draws no rule and <Label> is right to <Lower>.
+
+\def\@infer[#1]#2#3{\relax
+% Get parameters
+ \if@ReturnLeftOffset \else \@SavedLeftOffset=\@LeftOffset \fi
+ \setbox\@LabelPart=\hbox{$#1$}\relax
+ \setbox\@LowerPart=\hbox{$#2$}\relax
+%
+ \global\@LeftOffset=0pt
+ \setbox\@UpperPart=\vbox{\tabskip=0pt \halign{\relax
+ \global\@RightOffset=0pt \@ReturnLeftOffsettrue $##$&&
+ \inferTabSkip
+ \global\@RightOffset=0pt \@ReturnLeftOffsetfalse $##$\cr
+ #3\cr}}\relax
+% Here is a little trick.
+% \@ReturnLeftOffsettrue(false) influences on \infer or
+% \deduce placed in ## locally
+% because of \@SaveMath and \@RestoreMath.
+ \UpperLeftOffset=\@LeftOffset
+ \UpperRightOffset=\@RightOffset
+% Calculate Adjustments
+ \LowerWidth=\wd\@LowerPart
+ \LowerHeight=\ht\@LowerPart
+ \LowerCenter=0.5\LowerWidth
+%
+ \UpperWidth=\wd\@UpperPart \advance\UpperWidth by -\UpperLeftOffset
+ \advance\UpperWidth by -\UpperRightOffset
+ \UpperCenter=\UpperLeftOffset
+ \advance\UpperCenter by 0.5\UpperWidth
+%
+ \ifdim \UpperWidth > \LowerWidth
+ % \UpperCenter > \LowerCenter
+ \UpperAdjust=0pt
+ \RuleAdjust=\UpperLeftOffset
+ \LowerAdjust=\UpperCenter \advance\LowerAdjust by -\LowerCenter
+ \RuleWidth=\UpperWidth
+ \global\@LeftOffset=\LowerAdjust
+%
+ \else % \UpperWidth <= \LowerWidth
+ \ifdim \UpperCenter > \LowerCenter
+%
+ \UpperAdjust=0pt
+ \RuleAdjust=\UpperCenter \advance\RuleAdjust by -\LowerCenter
+ \LowerAdjust=\RuleAdjust
+ \RuleWidth=\LowerWidth
+ \global\@LeftOffset=\LowerAdjust
+%
+ \else % \UpperWidth <= \LowerWidth
+ % \UpperCenter <= \LowerCenter
+%
+ \UpperAdjust=\LowerCenter \advance\UpperAdjust by -\UpperCenter
+ \RuleAdjust=0pt
+ \LowerAdjust=0pt
+ \RuleWidth=\LowerWidth
+ \global\@LeftOffset=0pt
+%
+ \fi\fi
+% Make a box
+ \if@inferRule
+%
+ \setbox\ResultBox=\vbox{
+ \moveright \UpperAdjust \box\@UpperPart
+ \nointerlineskip \kern\inferLineSkip
+ \if@DoubleRule
+ \moveright \RuleAdjust \vbox{\hrule width\RuleWidth
+ \kern 1pt\hrule width\RuleWidth}\relax
+ \else
+ \moveright \RuleAdjust \vbox{\hrule width\RuleWidth}\relax
+ \fi
+ \nointerlineskip \kern\inferLineSkip
+ \moveright \LowerAdjust \box\@LowerPart }\relax
+%
+ \@ifEmpty{#1}{}{\relax
+%
+ \HLabelAdjust=\wd\ResultBox \advance\HLabelAdjust by -\RuleAdjust
+ \advance\HLabelAdjust by -\RuleWidth
+ \WidthAdjust=\HLabelAdjust
+ \advance\WidthAdjust by -\inferLabelSkip
+ \advance\WidthAdjust by -\wd\@LabelPart
+ \ifdim \WidthAdjust < 0pt \WidthAdjust=0pt \fi
+%
+ \VLabelAdjust=\dp\@LabelPart
+ \advance\VLabelAdjust by -\ht\@LabelPart
+ \VLabelAdjust=0.5\VLabelAdjust \advance\VLabelAdjust by \LowerHeight
+ \advance\VLabelAdjust by \inferLineSkip
+%
+ \setbox\ResultBox=\hbox{\box\ResultBox
+ \kern -\HLabelAdjust \kern\inferLabelSkip
+ \raise\VLabelAdjust \box\@LabelPart \kern\WidthAdjust}\relax
+%
+ }\relax % end @ifEmpty
+%
+ \else % \@inferRulefalse
+%
+ \setbox\ResultBox=\vbox{
+ \moveright \UpperAdjust \box\@UpperPart
+ \nointerlineskip \kern\inferLineSkip
+ \moveright \LowerAdjust \hbox{\unhbox\@LowerPart
+ \@ifEmpty{#1}{}{\relax
+ \kern\inferLabelSkip \unhbox\@LabelPart}}}\relax
+ \fi
+%
+ \global\@RightOffset=\wd\ResultBox
+ \global\advance\@RightOffset by -\@LeftOffset
+ \global\advance\@RightOffset by -\LowerWidth
+ \if@ReturnLeftOffset \else \global\@LeftOffset=\@SavedLeftOffset \fi
+%
+ \box\ResultBox
+ \@RestoreMath
+}
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/sedindex Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,21 @@
+#! /bin/sh
+#
+#sedindex - shell script to create indexes, preprocessing LaTeX's .idx file
+#
+# puts strings prefixed by * into \tt font
+# terminator characters for strings are |!@{}
+#
+# a space terminates the \tt part to allow \index{*NE theorem}, etc.
+#
+# change *"X"Y"Z"W to "X"Y"Z"W@{\tt "X"Y"Z"W}
+# change *"X"Y"Z to "X"Y"Z@{\tt "X"Y"Z}
+# change *"X"Y to "X"Y@{\tt "X"Y}
+# change *"X to "X@{\tt "X}
+# change *IDENT to IDENT@{\tt IDENT}
+# where IDENT is any string not containing | ! or @
+# FOUR backslashes: to escape the shell AND sed
+sed -e "s~\*\(\".\".\".\".\)~\1@{\\\\tt \1}~g
+s~\*\(\".\".\".\)~\1@{\\\\tt \1}~g
+s~\*\(\".\".\)~\1@{\\\\tt \1}~g
+s~\*\(\".\)~\1@{\\\\tt \1}~g
+s~\*\([^ |!@{}][^ |!@{}]*\)~\1@{\\\\tt \1}~g" $1.idx | makeindex -c -q -o $1.ind
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/ttbox.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,40 @@
+\ProvidesPackage{ttbox}[1997/06/25]
+\RequirePackage{alltt}
+
+%%%Boxed terminal sessions
+
+%Redefines \{ and \} to be in \tt font and \| to make a BACKSLASH
+\def\ttbraces{\chardef\{=`\{\chardef\}=`\}\chardef\|=`\\}
+
+%Restores % as the comment character (especially, to suppress line breaks)
+\newcommand\comments{\catcode`\%=14\relax}
+
+%alltt* environment: like alltt but smaller, and with \{ \} and \| as in ttbox
+\newenvironment{alltt*}{\begin{alltt}\footnotesize\ttbraces}{\end{alltt}}
+
+%Indented alltt* environment with small point size
+%NO LINE BREAKS are allowed unless \pagebreak appears at START of a line
+\newenvironment{ttbox}{\begin{quote}\samepage\begin{alltt*}}%
+ {\end{alltt*}\end{quote}}
+
+{\obeylines\gdef\ttbreak
+{\allowbreak}}
+
+%%%% more \tt things
+
+\def\ttdescriptionlabel#1{\hspace\labelsep \tt #1}
+\def\ttdescription{\list{}{\labelwidth\z@ \itemindent-\leftmargin
+ \let\makelabel\ttdescriptionlabel}}
+
+\let\endttdescription\endlist
+
+\chardef\ttilde=`\~ % A tilde for \tt font
+\chardef\ttback=`\\ % A backslash for \tt font
+\chardef\ttlbrace=`\{ % A left brace for \tt font
+\chardef\ttrbrace=`\} % A right brace for \tt font
+\chardef\ttlbrack=`\[ % A left bracket for \tt font
+\chardef\ttrbrack=`\] % A right bracket for \tt font
+
+\newcommand\out{\ \ttfamily\slshape} %% for output from terminal sessions
+
+\endinput
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/src/Doc/underscore.sty Tue Aug 28 18:57:32 2012 +0200
@@ -0,0 +1,248 @@
+% underscore.sty 21-Sep-2005 Donald Arseneau asnd@triumf.ca
+% Make the "_" character print as "\textunderscore" in text.
+% Copyright 1998,2001,2005,2006 Donald Arseneau;
+% License: LPPL version 1.2 or later.
+% Instructions follow after the definitions.
+
+\ProvidesPackage{underscore}[2006/09/13]
+
+\begingroup
+ \catcode`\_=\active
+ \gdef _{% \relax % No relax gives a small vulnerability in alignments
+ \ifx\if@safe@actives\iftrue % must be outermost test!
+ \string_%
+ \else
+ \ifx\protect\@typeset@protect
+ \ifmmode \sb \else \BreakableUnderscore \fi
+ \else
+ \ifx\protect\@unexpandable@protect \noexpand_%
+ \else \protect_%
+ \fi\fi
+ \fi}
+ \global\let\ActiveUnderscore=_
+ \gdef\normalUnderscoreDef{\let_\ActiveUnderscore}
+\endgroup
+
+% At begin: set catcode; fix \long \ttdefault so I can use it in comparisons;
+% reapply definition of active _ in output routine (\@firstofone to strip
+% away braces, so avoiding deeper nesting).
+\AtBeginDocument{%
+ {\immediate\write\@auxout{\catcode\number\string`\_ \string\active}}%
+ \catcode\string`\_\string=\active
+ \edef\ttdefault{\ttdefault}%
+ \output=\expandafter\expandafter\expandafter
+ {\expandafter\expandafter\expandafter\normalUnderscoreDef
+ \expandafter\@firstofone\the\output}%
+}
+
+\newcommand{\BreakableUnderscore}{\leavevmode\nobreak\hskip\z@skip
+ \ifx\f@family\ttdefault \string_\else \textunderscore\fi
+ \usc@dischyph\nobreak\hskip\z@skip}
+
+\DeclareRobustCommand{\_}{%
+ \ifmmode \nfss@text{\textunderscore}\else \BreakableUnderscore \fi}
+
+
+\let\usc@dischyph\@dischyph
+\DeclareOption{nohyphen}{\def\usc@dischyph{\discretionary{}{}{}}}
+\DeclareOption{strings}{\catcode`\_=\active}
+
+\ProcessOptions
+\ifnum\catcode`\_=\active\else \endinput \fi
+
+%%%%%%%% Redefine commands that use character strings %%%%%%%%
+
+\@ifundefined{UnderscoreCommands}{\let\UnderscoreCommands\@empty}{}
+\expandafter\def\expandafter\UnderscoreCommands\expandafter{%
+ \UnderscoreCommands
+ \do\include \do\includeonly
+ \do\@input \do\@iinput \do\InputIfFileExists
+ \do\ref \do\pageref \do\newlabel
+ \do\bibitem \do\@bibitem \do\cite \do\nocite \do\bibcite
+ \do\Ginclude@graphics \do\@setckpt
+}
+
+% Macro to redefine a macro to pre-process its string argument
+% with \protect -> \string.
+\def\do#1{% Avoid double processing if user includes command twice!
+ \@ifundefined{US\string_\expandafter\@gobble\string#1}{%
+ \edef\@tempb{\meaning#1}% Check if macro is just a protection shell...
+ \def\@tempc{\protect}%
+ \edef\@tempc{\meaning\@tempc\string#1\space\space}%
+ \ifx\@tempb\@tempc % just a shell: hook into the protected inner command
+ \expandafter\do
+ \csname \expandafter\@gobble\string#1 \expandafter\endcsname
+ \else % Check if macro takes an optional argument
+ \def\@tempc{\@ifnextchar[}%
+ \edef\@tempa{\def\noexpand\@tempa####1\meaning\@tempc}%
+ \@tempa##2##3\@tempa{##2\relax}%
+ \edef\@tempb{\meaning#1\meaning\@tempc}%
+ \edef\@tempc{\noexpand\@tempd \csname
+ US\string_\expandafter\@gobble\string#1\endcsname}%
+ \if \expandafter\@tempa\@tempb \relax 12\@tempa % then no optional arg
+ \@tempc #1\US@prot
+ \else % There is optional arg
+ \@tempc #1\US@protopt
+ \fi
+ \fi
+ }{}}
+
+\def\@tempd#1#2#3{\let#1#2\def#2{#3#1}}
+
+\def\US@prot#1#2{\let\@@protect\protect \let\protect\string
+ \edef\US@temp##1{##1{#2}}\restore@protect\US@temp#1}
+\def\US@protopt#1{\@ifnextchar[{\US@protarg#1}{\US@prot#1}}
+\def\US@protarg #1[#2]{\US@prot{{#1[#2]}}}
+
+\UnderscoreCommands
+\let\do\relax \let\@tempd\relax % un-do
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\endinput
+
+underscore.sty 13-Sep-2006 Donald Arseneau
+
+Features:
+~~~~~~~~~
+The "\_" command (which normally prints an underscore character or
+facsimile) is altered so that the hyphenation of constituent words
+is not affected, and hyphenation is permitted after the underscore.
+For example, "compound\_fracture" hyphenates as com- pound\_- frac- ture.
+If you prefer the underscore to break without a hyphen (but still with
+the same rules for explicit hyphen-breaks) then use the [nohyphen]
+package option.
+
+A simple "_" acts just like "\_" in text mode, but makes a subscript
+in math mode: activation_energy $E_a$
+
+Both forms use an underscore character if the font encoding contains
+one (e.g., "\usepackage[T1]{fontenc}" or typewriter fonts in any encoding),
+but they use a rule if there is no proper character.
+
+Deficiencies:
+~~~~~~~~~~~~~
+The skips and penalties ruin any kerning with the underscore character
+(when a character is used). However, there doesn't seem to be much, if
+any, such kerning in the ec fonts, and there is never any kerning with
+a rule.
+
+You must avoid "_" in file names and in cite or ref tags, or you must use
+the babel package, with its active-character controls, or you must give
+the [strings] option, which attempts to redefine several commands (and
+may not work perfectly). Even without the [strings] option or babel, you
+can use occasional underscores like: "\include{file\string_name}".
+
+Option: [strings]
+~~~~~~~~~~~~~~~~~
+The default operation is quite simple and needs no customization; but
+you must avoid using "_" in any place where LaTeX uses an argument as
+a string of characters for some control function or as a name. These
+include the tags for "\cite" and "\ref", file names for "\input",
+"\include", and "\includegraphics", environment names, counter names,
+and placement parameters (like "[t]"). The problem with these contexts
+is that they are `moving arguments' but LaTeX does not `switch on' the
+"\protect" mechanism for them.
+
+If you need to use the underscore character in these places, the package
+option [strings] is provided to redefine commands that take such a string
+argument so that protection is applied (with "\protect" being "\string").
+The list of commands is given in "\UnderscoreCommands", with "\do" before
+each; plus several others covering "\input", "\includegraphics, "\cite",
+"\ref", and their variants. Not included are many commands regarding font
+names, everything with counter names, environment names, page styles, and
+versions of "\ref" and "\cite" defined by external packages (e.g., "\vref"
+and "\citeyear").
+
+You can add to the list of supported commands by defining "\UnderscoreCommands"
+before loading this package; e.g.
+
+ \usepackage{chicago}
+ \newcommand{\UnderscoreCommands}{% (\cite already done)
+ \do\citeNP \do\citeA \do\citeANP \do\citeN \do\shortcite
+ \do\shortciteNP \do\shortciteA \do\shortciteANP \do\shortciteN
+ \do\citeyear \do\citeyearNP
+ }
+ \usepackage[strings]{underscore}
+
+Not all commands can be supported this way! Only commands that take a
+string argument *first* can be protected. One optional argument before
+the string argument is also permitted, as exemplified by "\cite": both
+"\cite{tags}" and "\cite[text]{tags}" are allowed. A command like
+"\@addtoreset" which takes two counter names as arguments could not
+be protected by listing it in "\UnderscoreCommands".
+
+*When you use the [strings] option, you must load this package
+last* (or nearly last).
+
+There are two reasons: 1) The redefinitions done for protection must come
+after other packages define their customized versions of those commands.
+2) The [strings] option requires the "_" character to be activated immediately
+in order for the cite and ref tags to be read properly from the .aux file
+as plain strings, and this catcode setting might disrupt other packages.
+
+The babel package implements a protection mechanism for many commands,
+and will be a complete fix for most documents without the [strings] option.
+Many add-on packages are compatible with babel, so they will get the
+strings protection also. However, there are several commands that are
+not covered by babel, but can easily be supported by the [strings] and
+"\UnderscoreCommands" mechanism. Beware that using both [strings] and
+babel might lead to conflicts, but none are seen yet (load babel last).
+
+Implementation Notes:
+~~~~~~~~~~~~~~~~~~~~~
+The first setting of "_" to be an active character is performed in a local
+group so as to not interfere with other packages. The catcode setting
+is repeated with "\AtBeginDocument" so the definition is in effect for the
+text. However, the catcode setting is repeated immediately when the
+[strings] option is detected.
+
+The definition of the active "_" is essentially:
+
+ \ifmmode \sb \else \BreakableUnderscore \fi
+
+where "\sb" retains the normal subscript meaning of "_" and where
+"\BreakableUnderscore" is essentially "\_". The rest of the definition
+handles the "\protect"ion without causing "\relax" to be inserted before
+the character.
+
+"\BreakableUnderscore" uses "\nobreak\hskip\z@skip" to separate the
+underscore from surrounding words, thus allowing TeX to hyphenate them,
+but preventing free breaks around the underscore. Next, it checks the
+current font family, and uses the underscore character from tt fonts or
+otherwise "\textunderscore" (which is a character or rule depending on
+the font encoding). After the underscore, it inserts a discretionary
+hyphenation point as "\usc@dischyph", which is usually just "\-"
+except that it still works in the tabbing environment, although it
+will give "\discretionary{}{}{}" under the [nohyphen] option. After
+that, another piece of non-breaking interword glue is inserted.
+Ordinarily, the comparison "\ifx\f@family\ttdefault" will always fail
+because "\ttdefault" is `long' whereas "\f@family" is not (boooo hisss),
+but "\ttdefault" is redefined to be non-long by "\AtBeginDocument".
+
+The "\_" command is then defined to use "\BreakableUnderscore".
+
+If the [strings] option is not given, then that is all!
+
+Under the [strings] option, the list of special commands is processed to:
+
+ - retain the original command as "\US_"*command* (e.g., "\US_ref")
+ - redefine the command as "\US@prot\US_command" for ordinary commands
+ ("\US@prot\US_ref") or as "\US@protopt\US_command" when an optional
+ argument is possible (e.g., "\US@protopt\US_bibitem").
+ - self-protecting commands ("\cite") retain their self-protection.
+
+Diagnosing the state of the pre-existing command is done by painful
+contortions involving "\meaning".
+
+"\US@prot" and "\US@protopt" read the argument, process it with
+"\protect" enabled, then invoke the saved "\US_command".
+
+Modifications:
+~~~~~~~~~~~~~~
+13-Sep-2006 Reassert my definition in the output routine (listings).
+21-Sep-2005 \includegraphics safe.
+12-Oct-2001 Babel (safe@actives) compatibility and [nohyphen] option.
+
+Test file integrity: ASCII 32-57, 58-126: !"#$%&'()*+,-./0123456789
+:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
